Mass exploitation campaign targets ISPs with infostealers and cryptominers
Splunk researchers discovered a mass exploitation campaign targeting internet service provider (ISP) infrastructure on the West Coast of the United States and in China. The campaign originates from Eastern Europe and aims to deploy information stealers and cryptocurrency miners such as XMRig on compromised hosts. To date, over 4,000 IP addresses have been specifically targeted. Initial access is gained through brute-force attacks against weak credentials, after which multiple binaries are dropped. These include executables that act as infostealers or cryptominers, as well as binaries used to establish SSH connections. The delivered infostealers can capture screenshots and steal clipboard data, specifically searching for cryptocurrency wallet addresses.
Space Pirates targets Russian IT firms with LuckyStrike Agent for espionage and credential theft
Solar researchers detailed an espionage campaign, attributed to the threat actor Space Pirates, targeting Russian IT organisations. The campaign delivers a new multi-functional .NET backdoor, dubbed LuckyStrike Agent, which uses Microsoft OneDrive for C2 purposes. Other tools leveraged as part of the campaign include Deed RAT and a modified version of Stowaway. LuckyStrike Agent was first identified in November 2024, though initial access to the targeted organisation occurred before March 2023. Throughout this time, Space Pirates slowly spread across the victim’s systems and modified their tools, possibly to remove existing detection signatures. For example, the modified Stowaway variant retains only its proxy functionality alongside using LZ4 as a compression algorithm and XXTEA as an encryption algorithm.
Dark Caracal uses PocoRAT to target Spanish-speaking victims in Latin America
Throughout 2024, Positive Technologies researchers observed a phishing campaign delivering a new remote access trojan (RAT), dubbed Poco RAT, to Spanish-speaking victims in Latin America. The campaign uses phishing emails containing a decoy PDF document disguised as a financial notification, often referencing unpaid invoices or tax documents. Once the PDF is opened, it redirects the victim to a link that automatically downloads a REV archive, hosted either on Google Drive or Dropbox, or on a content delivery network directory named after the impersonated company. The REV archive contains a Poco RAT dropper that injects itself into a legitimate process. The campaign is believed to be an extension of a campaign by the threat actor Dark Caracal that began in 2022 and delivered Bandook RAT.
Phishing campaign combines ClickFix and multi-stage malware to deploy Havoc Demon Agent
Fortinet researchers discovered a phishing campaign that combines ClickFix and multi-stage malware to deploy a modified version of Havoc Demon. The threat actors hide each stage of the malware behind a SharePoint site, and the modified Havoc Demon uses the Microsoft Graph API to blend C2 communications into traffic to well-known services. The initial infection vector is a phishing email with an attached HTML file that carries out a ClickFix attack, deceiving users into copying and pasting a PowerShell command into their terminal. KaynLdr, a shellcode loader published on GitHub, is then used to execute the Havoc Demon DLL. The modified Havoc Demon allows threat actors to gather information about the target, perform file operations, execute commands and payloads, manipulate tokens, and conduct Kerberos attacks.
BB2DOOR installed on low-cost consumer devices as part of BADBOX 2.0 fraud operation
HUMAN researchers discovered an expansive fraud operation, dubbed BADBOX 2.0, which infects low-cost consumer devices with a new backdoor, dubbed BB2DOOR. The backdoored devices become part of a botnet that can be used for programmatic ad fraud, click fraud, as well as residential proxy services that could enable account takeover attacks, fake account creation, distributed denial-of-service attacks, malware distribution, and one-time password theft. Over 1 million infected devices were identified, with BADBOX 2.0 deemed to be the largest botnet of infected connected TV (CTV) devices to date. BADBOX 2.0 is believed to be linked to the same actors behind BADBOX, with BB2DOOR similarly infecting devices as soon as they are turned on. BB2DOOR is also likely associated with the Vo1d malware. The researchers additionally identified four threat actor groups linked to BADBOX 2.0, namely SalesTracker Group, MoYu Group, Lemon Group, and LongTV.
Ransomware
Ransomware Spotlight: Water Ouroboros – Trend Micro – Security News – Mar 05 2025
Snail Mail Fail: Fake Ransom Note Campaign Preys on Fear – GuidePoint Security – Mar 04 2025
Microsoft signed a dodgy driver and now ransomware scum are exploiting it – TheRegister.com – Mar 04 2025
Black Basta and Cactus Ransomware Groups Add BackConnect Malware to Their Arsenal – Trend Micro Research News Perspectives – Mar 03 2025
DragonForce Ransomware Group is Targeting Saudi Arabia – Resecurity – Feb 27 2025
Financial Services
Bank Australia Warns of Phone Porting Scams Amid Rising Digital Fraud Threats – Mobile ID World – Mar 06 2025
New PyPI Malware ‘set-utils’ Exfiltrates Ethereum Private Keys Through Blockchain Transactions – Socket – Mar 05 2025
Lazarus Group successfully launders $1.5B in stolen Bybit funds using THORChain – CryptoCompass – Mar 05 2025
PayPal scam abuses Docusign API to spread phishy emails – Malwarebytes Labs Blog – Mar 04 2025
Hackers Exploit Kuwaiti Shopping Sites to Drain Bank Accounts – Arab Times – Mar 04 2025
Geopolitics
Justice Department Charges 12 Chinese Contract Hackers and Law Enforcement Officers in Global Computer Intrusion Campaigns – United States Department of Justice – Mar 05 2025
Silk Typhoon targeting IT supply chain – Microsoft Security Blog – Mar 05 2025
Likely DPRK Network Backstops on GitHub, Targets Companies Globally – Threat Reports – NISOS – Mar 04 2025
US Cyber Command reportedly pauses cyberattacks on Russia – The Register – Security – Mar 03 2025
Doppelgänger: New disinformation campaigns spreading on social media through Russian networks – Intrinsec – Feb 27 2025
High Priority Vulnerabilities
Name | Software | Base Score | Temp Score | Related |
---|---|---|---|---|
CVE-2025-22225 | Telco Cloud Infrastructure | 8.2 | 6.4 | Critical and high-severity VMware flaws under active exploitation |
CVE-2024-50302 | Kernel | 5.5 | 5.3 | Google fixes Android zero-day exploited by Serbian authorities |
CVE-2024-4885 | WhatsUp Gold | 9.8 | 8.8 | Multiple critical and high-severity flaws marked as exploited by CISA |
CVE-2023-32434 | iPadOS | 7.8 | 7.8 | New iOS kernel exploit Trigon leverages flaw used in Operation Triangulation |
CVE-2019-0708 (BlueKeep) | Windows | 9.8 | 9.8 | Larva-24005 exploits BlueKeep flaw for phishing attacks against North Korea researchers |