APT37 spear phishing campaign targets South Korean activists with RoKRAT
Genians researchers detailed a spear phishing campaign, dubbed Operation ToyBox Story and attributed to the North Korea-linked advanced persistent threat group, APT37, that delivered RoKRAT to activists based in South Korea. The emails contained a Dropbox link, which directed victims to a compressed archive containing malicious LNK files that activated malware containing the word ‘toy’. The first observed attack occurred on March 8th, 2025, followed by a further attack on March 11th, 2025. Executing the LNK file launched a decoy HWP file, created three hidden files, and executed a BAT file. The PowerShell in the BAT file loads a DAT file, which loads a second DAT file to ultimately deliver a PE file containing shellcode for RoKRAT. RoKRAT collects system information from the infected host before executing its core malicious routines via WinMain.
Phishing campaign impersonates payroll, HR, and benefits platforms
Malwarebytes researchers discovered a phishing campaign, likely ongoing since July 2024, impersonating payroll, human resources (HR), and benefits platforms to steal banking information and funds. The campaign was initially detected in mid-April 2025, after the researchers discovered a malicious Google Search ad for the payroll and HR company Deel, which redirected victims to a phishing website impersonating the company. The phishing page prompts the user to enter their login credentials, after which they are tricked into entering a security code sent to their email address, allowing the attackers to bypass two-factor authentication. The campaign involves a new phishing kit that aims not only to steal credentials but also to commit wire fraud. Running as a fully authenticated web worker, the kit uses a legitimately hosted web service called Pusher to manipulate sensitive data fields related to banking and payment information.
Meta Mirage phishing campaign steals data and browser cookies from Meta Business Suite
CTM360 researchers discovered a global phishing operation, dubbed ‘Meta Mirage’, leveraging distinct phishing templates to compromise the high-value business assets of Meta Business Suite users. In total, 24 templates have been observed which are designed to mimic specific Meta communications and deceive users into providing their credentials, session cookies, or personal information. Over 14,000 phishing URLs have been observed, with 78% of the identified active URLs still unblocked. Messages are delivered via email or Meta Messenger and feature links that redirect to a specific phishing page. Users are then instructed to enter their personal information, Facebook account password, and a one-time password. The attackers deliberately trigger a series of fake error messages, causing the victim to re-enter their details. A separate technique attempts to harvest victims’ browser cookies. The attackers have exploited 14 hosting platforms, such as Vercel, GitHub Pages, and Netlify, to deploy the phishing kits.
Fake AI tools deliver Noodlophile Stealer to harvest data and deploy XWorm
Morphisec researchers detailed a campaign leveraging fraudulent custom artificial intelligence (AI)-themed platforms promoting free AI tools to deliver a new infostealer, dubbed Noodlophile Stealer. The threat actors advertise their AI platforms on seemingly legitimate Facebook groups and viral social media campaigns. Upon installation, Noodlophile harvests browser credentials, cryptocurrency wallets, and sensitive data, and, in many cases, has been used to deploy remote access trojans like XWorm to establish deeper control over infected systems. The fake Facebook groups encourage visitors to click on links that redirect to a fake AI-powered content creation website, where they are prompted to upload their images or videos for AI editing. The site then claims that the ‘processed’ content is ready to download, delivering Noodlophile, often alongside XWorm, to the targeted system. A Telegram bot is used for exfiltrating stolen information.
Phishing emails and AutoIt leveraged in attack chain to deliver DarkCloud Stealer
In January 2025, Palo Alto Networks Unit 42 researchers identified a series of attacks deploying DarkCloud Stealer, with the latest attack chain leveraging AutoIt for detection evasion and a file-sharing server to host the malware. The attacks have primarily targeted federal, state, and local government entities, but have also been observed targeting the high technology, finance, manufacturing, and media and entertainment industries. The United States and Brazil are the most targeted countries. The attack chain begins with a phishing email containing a RAR archive or a PDF. The PDF attachment informs the recipient that their Adobe Flash Player is out of date, prompting them to download the RAR archive, disguised as the update, from a file-sharing service. The RAR archive contains a malicious AutoIt-compiled PE file featuring the AutoIt script and two encrypted data files, one of which is encrypted shellcode and the other an XORed payload. The AutoIt script then builds and runs the final DarkCloud Stealer payload from the two data files.
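As an added defender-side example (not code from the Unit 42 report), the following Python triage helper flags the two artefact types this chain places in the extracted RAR: an AutoIt-compiled PE, recognised by the AutoIt3 script marker bytes documented in public YARA rules, and opaque high-entropy data files consistent with encrypted shellcode or an XORed payload. The sample directory it builds is constructed for illustration and contains no real malware.

```python
import math
import tempfile
from pathlib import Path

# AutoIt3 places these bytes ahead of the embedded compiled script (public YARA marker)
AU3_MAGIC = bytes.fromhex("a3484bbe986c4aa9994c530a86d6487d")
AU3_TAG = b"AU3!EA06"


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or XORed blobs sit close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def is_autoit_compiled(data: bytes) -> bool:
    """True for a PE image that carries the AutoIt3 script marker."""
    return data[:2] == b"MZ" and (AU3_MAGIC in data or AU3_TAG in data)


def triage_dir(path: Path, entropy_threshold: float = 7.5) -> dict:
    """Sort every file in an extracted archive into review buckets."""
    verdict = {"autoit_pe": [], "opaque_blobs": [], "other": []}
    for f in sorted(path.iterdir()):
        data = f.read_bytes()
        if is_autoit_compiled(data):
            verdict["autoit_pe"].append(f.name)
        elif shannon_entropy(data) >= entropy_threshold:
            verdict["opaque_blobs"].append(f.name)
        else:
            verdict["other"].append(f.name)
    return verdict


def build_sample_dir() -> Path:
    """Constructed stand-in for an extracted RAR; file names are hypothetical."""
    d = Path(tempfile.mkdtemp())
    (d / "update.exe").write_bytes(b"MZ" + b"\0" * 512 + AU3_TAG + b"\0" * 64)
    # uniform byte distributions mimic the entropy of encrypted shellcode / XORed payload
    (d / "shellcode.dat").write_bytes(bytes(i % 256 for i in range(8192)))
    (d / "payload.dat").write_bytes(bytes((i * 7) % 256 for i in range(8192)))
    (d / "readme.txt").write_bytes(b"Adobe Flash Player update\n" * 40)
    return d


if __name__ == "__main__":
    print(triage_dir(build_sample_dir()))
```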
Ransomware
How Interlock Ransomware Affects the Defense Industrial Base Supply Chain – Resecurity – May 13 2025
DragonForce Ransomware – Intel471 Blog – May 12 2025
Moldova arrests suspect linked to DoppelPaymer ransomware attacks – Bleeping Computer – May 12 2025
Ransomware Reloaded: Why 2025 Is the Most Dangerous Year Yet – Check Point Blog – May 12 2025
Anti-Ransomware Day 2025: 10 Years of RaaS and the Making of a Billion-Dollar Business – SentinelOne – May 12 2025
Inside LockBit: Defense Lessons from the Leaked LockBit Negotiations – Qualys Blog – May 08 2025
Financial Services
Xinbi: The $8 Billion Colorado-Incorporated Marketplace for Pig-Butchering Scammers and North Korean Hackers – Elliptic.co – May 13 2025
Banking update glitch allowed users to view each other’s accounts – Cybernews – CyberNews – May 13 2025
FreeDrain Unmasked | Uncovering an Industrial-Scale Crypto Theft Network – SentinelLabs – May 08 2025
Weaponizing Facebook Ads: Inside the Multi-Stage Malware Campaign Exploiting Cryptocurrency Brands – Bitdefender – May 08 2025
RedisRaider: Weaponizing misconfigured Redis to mine cryptocurrency at scale – Datadog Security Labs – May 07 2025
Geopolitics
TA406 Pivots to the Front – Proofpoint US Blog – May 13 2025
Earth Ammit Disrupts Drone Supply Chains Through Coordinated Multi-Wave Attacks in Taiwan – Trend Micro – May 13 2025
Marbled Dust leverages zero-day in Output Messenger for regional espionage – Windows Security blog – May 12 2025
Escalating Hacktivist Attacks Amidst India-Pakistan Tensions – Threat Reports – Radware – May 07 2025
Pro-Russian hackers claim to have targeted several UK websites – The Guardian – May 07 2025
High Priority Vulnerabilities
CVE | Software | Base Score | Temp Score | Related
---|---|---|---|---
CVE-2025-30400 | Windows | 7.8 | 7.5 | Microsoft patches five actively exploited zero-day flaws
CVE-2025-32756 | FortiCamera | 9.8 | 9.4 | Critical zero-day flaw actively exploited in FortiVoice
CVE-2025-31324 | NetWeaver | 9.8 | 9.4 | Additional exploitation of maximum severity NetWeaver flaw observed
CVE-2025-32819 | SMA100 | 8.8 | 5.4 | Possible Zero-Day Patched in SonicWall SMA Appliances
CVE-2025-27007 | SureTriggers Plugin | 9.8 | 6.6 | Critical OttoKit WordPress plugin flaw actively exploited