SalmonSlalom campaign delivers FatalRAT to APAC industrial and governmental organisations
Kaspersky researchers identified an ongoing campaign, dubbed SalmonSlalom, that is targeting industrial and governmental organisations in the Asia-Pacific (APAC) region, specifically Chinese-speaking victims. The campaign leverages the Chinese cloud content delivery network (CDN) myqcloud and the Youdao Cloud Notes service to deploy FatalRAT. The malware is delivered via a phishing email or WeChat and Telegram communications containing ZIP archives disguised as invoices or legitimate tax filing applications. The archives contain the first-stage loader for FatalRAT, which makes an HTTP request to Youdao Cloud Notes to download a list of links to configurators and second-stage loaders. The final payload is injected into legitimate process memory using the DLL sideloading technique. FatalRAT collects various system information, including external IP addresses, the installed operating system, information about installed security solutions, and more.
GitVenom campaign exploits GitHub repositories to distribute malware and steal cryptocurrency
Kaspersky researchers discovered a new campaign, dubbed GitVenom, exploiting GitHub repositories to spread malware and steal cryptocurrency. The campaign has created hundreds of repositories on GitHub that contain fake projects with malicious code, which are used to install further payloads such as a Node[.]js stealer, AsyncRAT, the Quasar backdoor, and a clipboard hijacker. Infection attempts related to GitVenom have been observed worldwide, with the majority targeting Russia, Brazil, and Turkey. The fake projects are available in multiple programming languages, including Python, JavaScript, C, C++, and C#, and often promise functionalities like automation tools for social media or cryptocurrency management. The fake projects also contained MD files, possibly generated by artificial intelligence, which contained information about the projects and instructions for users on how to compile their code.
Deceptive Development campaign uses fake job lures to target software developers
ESET researchers identified an ongoing campaign, dubbed DeceptiveDevelopment, that has been targeting freelance software developers involved in cryptocurrency and decentralised finance projects since November 2023. The campaign leverages spearphishing techniques to deliver BeaverTail and an updated version of InvisibleFerret. The malware is used to steal cryptocurrency wallets and login information, with a secondary objective of espionage. DeceptiveDevelopment operators pose as recruiters on social media to lure victims and initiate the job interview process, either by directly approaching individuals or by posting fake job listings on sites. The most common compromise vector is a fake recruiter asking the victim to complete a project in which the interviewee has to ‘fix’ a bug.
Massive botnet uses password spraying attacks to target Microsoft 365 accounts
SecurityScorecard researchers identified a botnet comprising over 130,000 compromised devices that has been conducting large-scale password spraying attacks against Microsoft 365 users since December 2024. The attacks exploit non-interactive sign-ins with Basic Authentication, enabling logins without multi-factor authentication. Attackers are leveraging stolen credentials from infostealer logs to simultaneously target multiple accounts with one password. The researchers identified recurring IP addresses communicating with all of the attackers’ IP addresses, including one hosted at SharkTech that saw ‘rampant’ activity. In total, six C2 servers were identified, all with similar open ports and using two primary hosting providers based in China, namely CDSC-AS1 and UCLOUD HK. The campaign has been attributed to a likely Chinese-affiliated group.
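The pattern described above (non-interactive, Basic Authentication sign-ins hitting many accounts from one source with a single password) is something a defender can hunt for in sign-in telemetry. The following is an added example and not code from the SecurityScorecard report: the event fields are an assumed, simplified subset of Entra ID sign-in log fields, the legacy client labels are assumed, and the events are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Client-app labels treated as legacy/basic-auth clients. These labels are an
# assumption for this example, not an authoritative list.
LEGACY_CLIENTS = {"Other clients", "IMAP4", "POP3", "SMTP", "Exchange ActiveSync"}

# Constructed sample events: (timestamp, user, source_ip, is_interactive, client_app, result)
SAMPLE_EVENTS = [
    # spray: one source, many distinct accounts within seconds, one eventual success
    ("2024-12-10T01:00:05", "alice@corp.example", "203.0.113.7", False, "Other clients", "failure"),
    ("2024-12-10T01:00:09", "bob@corp.example", "203.0.113.7", False, "Other clients", "failure"),
    ("2024-12-10T01:00:14", "carol@corp.example", "203.0.113.7", False, "Other clients", "failure"),
    ("2024-12-10T01:00:20", "dave@corp.example", "203.0.113.7", False, "Other clients", "failure"),
    ("2024-12-10T01:00:27", "erin@corp.example", "203.0.113.7", False, "Other clients", "success"),
    # benign: a single user mistyping a password interactively in a browser
    ("2024-12-10T01:02:00", "frank@corp.example", "198.51.100.4", True, "Browser", "failure"),
    ("2024-12-10T01:02:30", "frank@corp.example", "198.51.100.4", True, "Browser", "success"),
    # benign: a mail client polling non-interactively, but for one account only
    ("2024-12-10T01:03:00", "grace@corp.example", "198.51.100.9", False, "IMAP4", "success"),
]

def detect_password_spray(events, min_accounts=5, window=timedelta(minutes=10)):
    """Return {source_ip: {"accounts": n, "successes": [users]}} for every source
    that attempted non-interactive legacy-auth sign-ins against at least
    min_accounts distinct accounts inside any span of length `window`."""
    by_ip = defaultdict(list)
    for ts, user, ip, interactive, client, result in events:
        if interactive or client not in LEGACY_CLIENTS:
            continue  # only the MFA-bypassing path the campaign relies on
        by_ip[ip].append((datetime.fromisoformat(ts), user, result))
    findings = {}
    for ip, rows in by_ip.items():
        rows.sort()
        best = 0
        for i, (t_end, _, _) in enumerate(rows):
            # sliding window ending at this event: distinct accounts touched
            users = {u for t, u, _ in rows[: i + 1] if t >= t_end - window}
            best = max(best, len(users))
        if best >= min_accounts:
            findings[ip] = {
                "accounts": best,
                "successes": sorted({u for _, u, r in rows if r == "success"}),
            }
    return findings

if __name__ == "__main__":
    for ip, info in detect_password_spray(SAMPLE_EVENTS).items():
        print(f"{ip}: {info['accounts']} accounts sprayed, successes={info['successes']}")
```

A successful sign-in from a flagged source (here erin@corp.example) is the account to reset and review first, since it indicates the sprayed password worked.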
Silver Fox APT targets healthcare sector with fake Philips DICOM viewers to deliver ValleyRAT
Forescout researchers identified 29 malware samples purporting to be Philips DICOM Viewer instances. The samples deploy ValleyRAT, a backdoor malware used by the China-based advanced persistent threat (APT) actor Silver Fox. Numerous samples were submitted from the United States and Canada, suggesting an expansion in targeting by Silver Fox. The malware appears to have been updated regularly since July 2024, with the latest samples from January 2025 including multiple layers of PowerShell commands for advanced evasion. The latest samples also masquerade as EmEditor or system drivers, in addition to Philips DICOM viewers. The compromised devices were also infected with a keylogger and cryptominer, which is behaviour not previously associated with Silver Fox.
Ransomware
Is that Ra? Nope, it is RaaS – DLS emerges for New Extortion Group Anubis – Cyjax – Feb 25 2025
LCRYX Ransomware: How a VB Ransomware Locks Your System – K7 Computing – Lab Blog – Feb 24 2025
Confluence Exploit Leads to LockBit Ransomware – The DFIR Report – Blog – Feb 24 2025
Check Point Research Explains Shadow Pad, NailaoLocker, and its Protection – Check Point Blog – Feb 21 2025
Black Basta ransomware gang’s internal chat logs leak online – Bleeping Computer – Feb 20 2025
Financial Services
RustDoor and Koi Stealer for macOS Used by North Korea-Linked Threat Actor to Target the Cryptocurrency Sector – Unit 42 – Palo Alto Networks Blog – Feb 26 2025
Russia warns financial sector of major IT service provider hack – Bleeping Computer – Feb 24 2025
Investigators Link $1.4B Bybit Hack to North Korea’s Lazarus Group – HackRead – Feb 23 2025
Beware: PayPal “New Address” feature abused to send phishing emails – Bleeping Computer – Feb 22 2025
SPYLEND: The Android App Available on Google Play Store: Enabling Financial Cyber Crime & Extortion – CYFIRMA – Feb 21 2025
Geopolitics
Cybercriminal Group UAC-0173 Targets Ukrainian Notaries with DCRAT and XWORM Stealer – TechNadu – Feb 26 2025
Chinese APT Target Royal Thai Police in Malware Campaign – Cado Security – Feb 25 2025
Russia’s Sandworm APT targets critical infrastructure in Ukraine – CyberSecurity Help – Feb 25 2025
Ghostwriter | New Campaign Targets Ukrainian Government and Belarusian Opposition – SentinelLabs – Feb 25 2025
North Korean APT-C-28 Launches Sophisticated RokRat Fileless Malware Campaign – TechNadu – Feb 20 2025
High Priority Vulnerabilities
CVE | Software | Base Score | Temp Score | Related
---|---|---|---|---
CVE-2025-23209 | CMS | 8.0 | 4.8 | Craft CMS and Palo Alto Networks PAN-OS flaws actively exploited
CVE-2024-49035 | Partner Center | 8.8 | 8.4 | CISA Adds Microsoft and Zimbra Flaws to KEV Catalog Amid Active Exploitation
CVE-2024-34331 | Desktop | 9.8 | 9.8 | Zero-day vulnerability discovered in Parallels
CVE-2023-20118 | RV325 | 7.2 | 6.9 | PolarEdge exploits Cisco router flaw to deploy TLS backdoor on edge devices
CVE-2024-23113 | FortiOS | 9.8 | 9.4 | Black Basta prioritises vulnerabilities with known exploits for initial access