Cyber Threat Intelligence 22 May 2025
Industrial Sector
- Up To 25% Of Internet-Exposed ICS Are Honeypots: Researchers
"An analysis conducted by researchers at the Norwegian University of Science and Technology Gjøvik and the Delft University of Technology in the Netherlands showed that a significant percentage of the industrial control system (ICS) instances detected by internet scans are actually honeypots. The researchers used the Censys search engine to identify internet-exposed ICS. They targeted 17 widely used industrial control protocols and discovered roughly 150,000 devices across 175 countries. The researchers then applied various criteria to determine how many of those ICS instances were real and how many were likely or possibly honeypots, decoy systems designed to attract threat actors in an effort to obtain valuable information on attacker tactics, techniques, and procedures (TTPs)."
https://www.securityweek.com/up-to-25-of-internet-exposed-ics-are-honeypots-researchers/
https://gsmaragd.github.io/publications/EuroSP2025-ICS/EuroSP2025-ICS.pdf
- Dragos Industrial Ransomware Analysis: Q1 2025
"Our recent blog highlighting the latest Dragos Knowledge Pack explored critical advancements in ransomware detection capabilities for the Dragos Platform, designed to help industrial organizations proactively defend against evolving cyber threats. These continuously updated detections are crucial, especially as ransomware incidents affecting critical and industrial infrastructure increase in frequency and impact. Today’s ransomware threat actors demonstrate persistent targeting, deliberate operational impacts, and strategic approaches, underscoring the heightened risk posed to industrial organizations globally. This quarterly ransomware threat landscape report provides deeper insights into these ongoing threats, revealing significant trends, geographic impacts, and sector-specific vulnerabilities identified by Dragos WorldView threat intelligence."
https://www.dragos.com/blog/dragos-industrial-ransomware-analysis-q1-2025/
https://www.darkreading.com/ics-ot-security/unimicron-presto-attacks-industrial-ransomware-surge
Vulnerabilities
- CVE-2025-47949 Reveals Flaw In Samlify That Opens Door To SAML Single Sign-On Bypass
"A new critical vulnerability popped up concerning samlify, a widely adopted Node.js library for implementing SAML 2.0 Single Sign-On. So, what exactly do you need to know about this? This post will break down the flaw, its potential impact on applications using samlify, and most importantly, guide you on how to secure your systems. Understanding this vulnerability is crucial for anyone involved in managing SAML-based authentication."
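CVE-2025-47949 is recorded as an XML signature-wrapping flaw: the library verified a valid signature but then acted on an assertion the signature did not cover. The block below is an added example, not samlify's code or its fix, written in Python rather than Node so it runs with the standard library alone. It shows the structural pre-check any SAML service provider can apply before trusting a Response: the assertion whose Subject is used must be the single assertion in the document, and it must carry the enveloped signature whose Reference points at its own ID. Cryptographic verification of that signature is assumed to happen afterwards in the SAML library; the sample Responses, IDs and signature bytes are constructed placeholders.

```python
# Added example, not samlify's code: a structural pre-check against XML
# signature wrapping. It only decides WHICH assertion may be trusted; the
# SAML library is assumed to verify that assertion's signature afterwards.
import xml.etree.ElementTree as ET

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS_DS = "http://www.w3.org/2000/09/xmldsig#"


def signed_assertion(response_xml: str):
    """Return the one saml:Assertion covered by an enveloped signature, or None.

    Rules (each rejects a known wrapping shape):
      1. exactly one Assertion anywhere in the Response: a second, unsigned
         assertion smuggled in next to the signed one is refused outright;
      2. the assertion has an ID and exactly one ds:Signature as a DIRECT
         child (enveloped signature);
      3. that signature's single ds:Reference URI is "#<ID>", so the bytes the
         IdP signed are the element whose Subject we are about to use.
    """
    root = ET.fromstring(response_xml)
    assertions = root.findall(f".//{{{NS_SAML}}}Assertion")
    if len(assertions) != 1:
        return None
    assertion = assertions[0]
    assertion_id = assertion.get("ID")
    if not assertion_id:
        return None
    signatures = assertion.findall(f"{{{NS_DS}}}Signature")  # direct children only
    if len(signatures) != 1:
        return None
    refs = signatures[0].findall(f"{{{NS_DS}}}SignedInfo/{{{NS_DS}}}Reference")
    if len(refs) != 1 or refs[0].get("URI") != f"#{assertion_id}":
        return None
    return assertion


def subject_name_id(response_xml: str):
    """The identity to log in as, read only from the signed assertion."""
    assertion = signed_assertion(response_xml)
    if assertion is None:
        return None
    name_id = assertion.find(f"{{{NS_SAML}}}Subject/{{{NS_SAML}}}NameID")
    return None if name_id is None else (name_id.text or "").strip()


# --- constructed sample Responses (placeholder signature bytes, no real IdP) ---
def _assertion(aid, name, ref_uri=None):
    sig = "" if ref_uri is None else (
        f'<ds:Signature><ds:SignedInfo><ds:Reference URI="{ref_uri}"/></ds:SignedInfo>'
        "<ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature>")
    return (f'<saml:Assertion ID="{aid}" Version="2.0">{sig}'
            f"<saml:Subject><saml:NameID>{name}</saml:NameID></saml:Subject></saml:Assertion>")


def _response(body):
    return (f'<samlp:Response xmlns:samlp="{NS_SAMLP}" xmlns:saml="{NS_SAML}" '
            f'xmlns:ds="{NS_DS}" ID="_r1" Version="2.0">{body}</samlp:Response>')


GENUINE = _response(_assertion("_a1", "alice@example.org", "#_a1"))
# Wrapping: the IdP-signed assertion is kept intact (its signature still
# verifies) and an unsigned assertion naming the wanted account is prepended.
WRAPPED = _response(_assertion("_evil", "admin@example.org")
                    + _assertion("_a1", "alice@example.org", "#_a1"))
# The signature element moved onto a forged assertion: its Reference still
# names the original ID, so it does not cover the element it now sits in.
MISPLACED = _response(_assertion("_evil", "admin@example.org", "#_a1"))

if __name__ == "__main__":
    for label, doc in (("genuine", GENUINE), ("wrapped", WRAPPED), ("misplaced", MISPLACED)):
        print(f"{label:>9}: {subject_name_id(doc)!r}")
```

Only the genuine document yields a NameID; the two manipulated shapes are refused before any key material is consulted. The same rule belongs on a signed Response element when the IdP signs at that level, and it complements, rather than replaces, verifying the signature value itself.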
https://www.endorlabs.com/learn/cve-2025-47949-reveals-flaw-in-samlify-that-opens-door-to-saml-single-sign-on-bypass
https://nvd.nist.gov/vuln/detail/CVE-2025-47949
https://www.bleepingcomputer.com/news/security/critical-samlify-sso-flaw-lets-attackers-log-in-as-admin/
- BadSuccessor: Abusing dMSA To Escalate Privileges In Active Directory
"In Windows Server 2025, Microsoft introduced delegated Managed Service Accounts (dMSAs). A dMSA is a new type of service account in Active Directory (AD) that expands on the capabilities of group Managed Service Accounts (gMSAs). One key feature of dMSAs is the ability to migrate existing nonmanaged service accounts by seamlessly converting them into dMSAs. While poking around the inner workings of AD’s dMSAs, we stumbled upon something interesting. At first glance, the migration mechanism looked like a clean and well-designed solution. But something about how it worked under the hood caught our attention."
https://www.akamai.com/blog/security-research/abusing-dmsa-for-privilege-escalation-in-active-directory
https://www.darkreading.com/vulnerabilities-threats/unpatched-windows-server-flaw-threatens-active-directory-users
- CVE-2025-40775: DNS Message With Invalid TSIG Causes An Assertion Failure
"When an incoming DNS protocol message includes a Transaction Signature (TSIG), BIND always checks it. If the TSIG contains an invalid value in the algorithm field, BIND immediately aborts with an assertion failure."
https://kb.isc.org/docs/cve-2025-40775
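The failure mode above is a parser turning bad input into a process abort. The block below is an added example, not BIND's code, showing the behaviour a hardened TSIG pre-check should have instead: walk the message, find the TSIG record in the additional section, and map an unrecognised algorithm name to the protocol-level rejection (NOTAUTH with TSIG error BADKEY, RFC 8945) and any wire-format problem to FORMERR, never to an exception. It uses only the standard library; the message builder, key name, timestamp and MAC bytes are constructed for the demonstration, and the MAC is deliberately not verified.

```python
# Added example, not BIND's code: a TSIG pre-check that reports an unknown
# algorithm name or malformed wire data instead of aborting the process.
import struct

TYPE_TSIG = 250
CLASS_ANY = 255
TSIG_BADKEY = 17  # RFC 8945 TSIG error code for an unknown key or algorithm
KNOWN_TSIG_ALGORITHMS = {
    "hmac-md5.sig-alg.reg.int", "hmac-sha1", "hmac-sha224", "hmac-sha256",
    "hmac-sha384", "hmac-sha512", "gss-tsig",
}


def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(buf: bytes, off: int):
    """Uncompressed name at buf[off:]; returns (lower-cased dotted name, new offset)."""
    labels = []
    while True:
        if off >= len(buf):
            raise ValueError("truncated name")
        n = buf[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:  # compression pointer or extended label: not valid in a TSIG name
            raise ValueError("unsupported label type")
        if off + n > len(buf):
            raise ValueError("truncated label")
        labels.append(buf[off:off + n].decode("ascii", "replace"))
        off += n
    return ".".join(labels).lower(), off


def classify_tsig(msg: bytes):
    """("no-tsig", None) | ("ok", alg) | ("badkey", alg) -> NOTAUTH+BADKEY |
    ("formerr", reason) -> FORMERR. Every bad input is reported, never raised."""
    try:
        if len(msg) < 12:
            raise ValueError("short header")
        qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
        off = 12
        for _ in range(qd):
            _, off = decode_name(msg, off)
            off += 4  # QTYPE + QCLASS
            if off > len(msg):
                raise ValueError("truncated question")
        total = an + ns + ar
        for i in range(total):
            _, off = decode_name(msg, off)
            if off + 10 > len(msg):
                raise ValueError("truncated RR header")
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata = msg[off:off + rdlen]
            if len(rdata) != rdlen:
                raise ValueError("truncated RDATA")
            off += rdlen
            if rtype != TYPE_TSIG:
                continue
            if i != total - 1 or off != len(msg):
                raise ValueError("TSIG must be the last record")
            if rclass != CLASS_ANY or ttl != 0:
                raise ValueError("TSIG class/TTL must be ANY/0")
            algorithm, pos = decode_name(rdata, 0)
            if pos + 10 > len(rdata):  # time signed(6) + fudge(2) + mac size(2)
                raise ValueError("truncated TSIG fixed fields")
            mac_size = struct.unpack("!H", rdata[pos + 8:pos + 10])[0]
            pos += 10 + mac_size
            if pos + 6 > len(rdata):  # original id(2) + error(2) + other len(2)
                raise ValueError("truncated TSIG trailer")
            other_len = struct.unpack("!H", rdata[pos + 4:pos + 6])[0]
            if pos + 6 + other_len != len(rdata):
                raise ValueError("TSIG RDATA length mismatch")
            if algorithm not in KNOWN_TSIG_ALGORITHMS:
                return ("badkey", algorithm)
            return ("ok", algorithm)
        return ("no-tsig", None)
    except ValueError as exc:
        return ("formerr", str(exc))


def build_query(qname, key_name=None, algorithm=None, mac=b"\x00" * 32, msg_id=0x1234):
    """Constructed A query, optionally carrying a dummy TSIG with the given algorithm."""
    arcount = 0 if key_name is None else 1
    msg = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, arcount)
    msg += encode_name(qname) + struct.pack("!HH", 1, 1)  # A, IN
    if key_name is None:
        return msg
    time_signed = 1747872000  # constructed timestamp, 48-bit on the wire
    rdata = (encode_name(algorithm)
             + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)
             + struct.pack("!HH", 300, len(mac)) + mac
             + struct.pack("!HHH", msg_id, 0, 0))
    return msg + encode_name(key_name) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata


if __name__ == "__main__":
    print(classify_tsig(build_query("example.com.", "key1.", "hmac-sha256.")))
    print(classify_tsig(build_query("example.com.", "key1.", "not-an-algorithm.")))
    print(classify_tsig(build_query("example.com.", "key1.", "hmac-sha256.")[:-5]))
```

The algorithm name is a domain name in the RDATA, so the same length and label checks that protect the question section apply to it; the "badkey" verdict is what a resolver should answer with, and the "formerr" branch is where an assertion would otherwise have fired.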
Malware
- Disrupting Lumma Stealer: Microsoft Leads Global Action Against Favored Cybercrime Tool
"Microsoft’s Digital Crimes Unit (DCU) and international partners are disrupting the leading tool used to indiscriminately steal sensitive personal and organizational information to facilitate cybercrime. On Tuesday, May 13, Microsoft’s DCU filed a legal action against Lumma Stealer (“Lumma”), which is the favored info-stealing malware used by hundreds of cyber threat actors. Lumma steals passwords, credit cards, bank accounts, and cryptocurrency wallets and has enabled criminals to hold schools for ransom, empty bank accounts, and disrupt critical services."
https://blogs.microsoft.com/on-the-issues/2025/05/21/microsoft-leads-global-action-against-favored-cybercrime-tool/
https://www.justice.gov/opa/pr/justice-department-seizes-domains-behind-major-information-stealing-malware-operation
https://www.bleepingcomputer.com/news/security/lumma-infostealer-malware-operation-disrupted-2-300-domains-seized/
https://www.darkreading.com/cybersecurity-operations/lumma-stealer-takedown-sprawling-operation
https://therecord.media/lumma-infostealer-malware-takedown-microsoft-fbi
https://www.bankinfosecurity.com/police-operation-microsoft-take-down-lumma-infostealer-a-28450
https://cyberscoop.com/lumma-stealer-infostealer-takedown/
https://www.helpnetsecurity.com/2025/05/21/lumma-stealer-malware-as-a-service-operation-disrupted/
https://www.securityweek.com/microsoft-sinkholes-domains-disrupts-notorious-lumma-stealer-malware-operation/
https://www.theregister.com/2025/05/21/lumma_infostealer_service_busted/
https://hackread.com/microsoft-dismantle-lumma-stealer-domain-seized/
- PyBitmessage Backdoor Malware Installed With CoinMiner
"The AhnLab SEcurity intelligence Center (ASEC) has recently detected a new type of backdoor malware being distributed alongside the Monero coin miner. This blog post covers malware that utilizes the PyBitmessage library to perform communications on a P2P (Peer to Peer) network and encrypt the communication content between endpoints, instead of using traditional HTTP communications and IP connect methods. This allows the malware to conceal traces left by a central server and attempt to evade detection by antivirus products and network security solutions."
https://asec.ahnlab.com/en/88109/
- Threat Actors Target U.S. Critical Infrastructure With LummaC2 Malware
"Today, CISA and the Federal Bureau of Investigation released a joint Cybersecurity Advisory, LummaC2 Malware Targeting U.S. Critical Infrastructure Sectors. This advisory details the tactics, techniques, and procedures, and indicators of compromise (IOCs) linked to threat actors deploying LummaC2 malware. This malware poses a serious threat, capable of infiltrating networks and exfiltrating sensitive information, to vulnerable individuals’ and organizations’ computer networks across U.S. critical infrastructure sectors."
https://www.cisa.gov/news-events/alerts/2025/05/21/threat-actors-target-us-critical-infrastructure-lummac2-malware
https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-141b
https://cyberscoop.com/lumma-infostealer-widespread-victims/
- Russian GRU Cyber Actors Targeting Western Logistics Entities And Tech Companies
"Today, CISA, the National Security Agency, the Federal Bureau of Investigation, and other U.S. and international partners released a joint Cybersecurity Advisory, Russian GRU Targeting Western Logistics Entities and Technology Companies. This advisory details a Russian state-sponsored cyber espionage-oriented campaign targeting technology companies and logistics entities, including those involved in the coordination, transport, and delivery of foreign assistance to Ukraine."
https://www.cisa.gov/news-events/alerts/2025/05/21/russian-gru-cyber-actors-targeting-western-logistics-entities-and-tech-companies
https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-141a
https://media.defense.gov/2025/May/21/2003719846/-1/-1/0/CSA_RUSSIAN_GRU_TARGET_LOGISTICS.PDF
https://therecord.media/western-intelligence-alert-russia-hackers-logistics-fancy-bear-apt28
https://www.bleepingcomputer.com/news/security/russian-hackers-breach-orgs-to-track-aid-routes-to-ukraine/
https://thehackernews.com/2025/05/russian-hackers-exploit-email-and-vpn.html
https://www.bankinfosecurity.com/russian-intelligence-hackers-stalk-western-logistics-firms-a-28449
https://cyberscoop.com/russian-apt28-cyberattacks-target-western-logistics-ukraine/
https://www.securityweek.com/cisa-says-russian-hackers-targeting-western-supply-lines-to-ukraine/
https://www.theregister.com/2025/05/21/russias_fancy_bear_alert/
- A Familiar Playbook With a Twist: 3AM Ransomware Actors Dropped Virtual Machine With Vishing And Quick Assist
"Ransomware is usually a crime of opportunity. Attackers typically strike through an easily discovered vulnerability or security weakness — unpatched Internet-facing software, vulnerable network edge devices or exposed inbound virtual private network ports lacking multifactor authentication are among the most common points of initial compromise. However, some attacks appear much more targeted and include significant pre-attack reconnaissance and identification of specific organization employees as targets."
https://news.sophos.com/en-us/2025/05/20/a-familiar-playbook-with-a-twist-3am-ransomware-actors-dropped-virtual-machine-with-vishing-and-quick-assist/
https://www.bleepingcomputer.com/news/security/3am-ransomware-uses-spoofed-it-calls-email-bombing-to-breach-networks/
- Copyright Phishing Lures Leading To Rhadamanthys Stealer Now Targeting Europe
"Cybereason Security Services has observed a phishing campaign using a copyright infringement lure targeting central and eastern Europe involving variants of the Rhadamanthys stealer delivered via a DLL side-loading technique. The threat actors exploit the DLL loading behavior of a legitimate PDF reader to hijack execution flow and achieve stealthy code execution within a trusted process. In this report we detail the scope of the observed renewed campaign and analyze the Rhadamanthys loader."
https://www.cybereason.com/blog/rhadamanthys-stealer-europe
- Genesis Market - Malicious Browser Extension
"Genesis Market, which debuted in March 2018, has facilitated access to data from around 1.5 million compromised computers worldwide, offering over 80 million stolen account access credentials. The credentials for sale on Genesis Market include those linked to the financial sector, critical infrastructure, and various levels of government. Genesis Market has supplied the kind of access that ransomware attackers have used to target many organizations in the U.S., along with private sector organizations."
https://www.cybereason.com/blog/threat-alert-genesis-market
- New Weapon Of Choice - How Threat Actors Hijack Legitimate Remote Access Tools
"Threat actors often abuse legitimate remote access tools (RATs) for malicious deployments on unsuspecting victims. These legitimate RATs are different from remote access trojans (also abbreviated as RAT) because they are software originally intended for legitimate use. Threat actors can abuse trust in RATs because the software is technically legitimate and often designed for enterprise use. Once a RAT's agent is installed onto a victim’s machine, threat actors could quickly pivot to delivering additional malicious payloads or monitoring for sensitive information such as credentials or confidential business information."
https://cofense.com/blog/new-weapon-of-choice-how-threat-actors-hijack-legitimate-remote-access-tools
- The Obfuscation Game: MUT-9332 Targets Solidity Developers Via Malicious VS Code Extensions
"Over the past few years, Visual Studio Code (VS Code) has become the most common choice of integrated development environment (IDE), with 74% of developers reporting that they use it as their primary code editor. A significant factor in VS Code’s success is its extensibility; it features a wide range of extensions available for installation from the official VS Code Marketplace. Extensions can modify the appearance or functionality of the VS Code editor, changing the editor theme, registering new editor commands, running language server protocols or AI code assistants, and much more. At time of writing, more than 72,000 extensions were active and installable via the Marketplace."
https://securitylabs.datadoghq.com/articles/mut-9332-malicious-solidity-vscode-extensions/
https://www.helpnetsecurity.com/2025/05/21/data-stealing-vs-code-extensions-removed-from-official-marketplace/
- Dero Miner Zombies Biting Through Docker APIs To Build a Cryptojacking Horde
"Imagine a container zombie outbreak where a single infected container scans the internet for an exposed Docker API, and bites (exploits) it by creating new malicious containers and compromising the running ones, thus transforming them into new “zombies” that will mine for Dero currency and continue “biting” new victims. No command-and-control server is required for the delivery, just an exponentially growing number of victims that are automatically infecting new ones. That’s exactly what the new Dero mining campaign does."
https://securelist.com/dero-miner-infects-containers-through-docker-api/116546/
- PureRAT Malware Spikes 4x In 2025, Deploying PureLogs To Target Russian Firms
"Russian organizations have become the target of a phishing campaign that distributes malware called PureRAT, according to new findings from Kaspersky. "The campaign aimed at Russian business began back in March 2023, but in the first third of 2025 the number of attacks quadrupled compared to the same period in 2024," the cybersecurity vendor said. The attack chains, which have not been attributed to any specific threat actor, commence with a phishing email that contains a RAR file attachment or a link to the archive that masquerades as a Microsoft Word or a PDF document by making use of double extensions ("doc_054_[redacted].pdf.rar")."
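The double-extension trick quoted above (a document-looking extension in front of the archive that actually gets opened) is easy to catch at the mail gateway from the attachment name alone. The block below is an added example, not Kaspersky's detection logic or anything from the campaign, that generalises the pattern: it flags any name where a document extension precedes an archive or executable extension, strips the padding spaces and case changes attackers use to hide the outer extension, and returns a verdict per attachment. The extension sets and the sample attachment names are constructed for illustration and are not complete lists.

```python
# Added example, not a vendor's rule: name-based detection of the
# "document.ext.archive" masquerade described in the PureRAT campaign.
# Extension sets are illustrative assumptions, not an exhaustive policy.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "rtf", "txt", "odt"}
ARCHIVE_EXTS = {"rar", "zip", "7z", "arj", "cab", "iso", "img", "gz", "tar"}
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse", "vbs", "vbe",
                   "wsf", "hta", "msi", "lnk", "ps1"}


def extensions(filename: str):
    """All dot-separated extensions of the base name, lower-cased and with
    padding spaces removed, so 'report.PDF   .Rar' yields ['pdf', 'rar']."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    parts = [p.strip().lower() for p in base.split(".")]
    return [p for p in parts[1:] if p]


def classify_attachment(filename: str) -> str:
    """Verdict for one attachment name:
         'decoy-extension'  document extension followed by archive/executable
         'executable'       directly executable, no disguise
         'archive'          plain archive; apply the same rule to its contents
         'ok'               nothing suspicious about the name itself"""
    exts = extensions(filename)
    if not exts:
        return "ok"
    outer, inner = exts[-1], exts[:-1]
    if outer in EXECUTABLE_EXTS or outer in ARCHIVE_EXTS:
        if any(e in DOCUMENT_EXTS for e in inner):
            return "decoy-extension"
        return "executable" if outer in EXECUTABLE_EXTS else "archive"
    return "ok"


def flag_attachments(names):
    """Map every name that deserves a closer look to its verdict."""
    flagged = {}
    for name in names:
        verdict = classify_attachment(name)
        if verdict != "ok":
            flagged[name] = verdict
    return flagged


# Constructed attachment names, not taken from any real campaign.
SAMPLE_NAMES = [
    "doc_054_contract.pdf.rar",
    "invoice_2025.docx",
    "scan.PDF .exe",
    "photos.zip",
    "C:/Users/x/Downloads/statement.xlsx.lnk",
    "readme.txt",
]

if __name__ == "__main__":
    for name, verdict in flag_attachments(SAMPLE_NAMES).items():
        print(f"{verdict:16} {name}")
```

A plain archive verdict is deliberately not an alert on its own; the useful follow-up is to run the same classification over the member names inside the archive, since in this campaign the executable is what the RAR contains.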
https://thehackernews.com/2025/05/purerat-malware-spikes-4x-in-2025.html
- Chinese Adult Content Scam Targets Mobile Users Through PWA Injection
"We’ve identified a fresh injection campaign abusing third-party JavaScript to redirect mobile users to a Chinese adult-content PWA scam. Example (NSFW): hxxps://xjdm166[.]com/html/#/i/home While the payload itself is nothing new (yet another adult gambling scam), the delivery method stands out. The malicious landing page is a full-blown Progressive Web App (PWA), likely aiming to retain users longer and bypass basic browser protections."
https://cside.dev/blog/chinese-adult-content-scam-targets-mobile-users-through-pwa-injection
https://thehackernews.com/2025/05/researchers-expose-pwa-javascript.html
- More_Eggs? A Venom Spider Backdoor Targeting HR
"The More_Eggs malware, operated by the financially motivated Venom Spider (aka Golden Chickens) group, is a potent JavaScript backdoor sold as Malware-as-a-Service (MaaS) to threat actors like FIN6 and Cobalt Group. Known for targeting human resources (HR) departments, it exploits the trust in job application emails to deliver malicious payloads. This blog analyzes a recent More_Eggs sample, Sebastian Hall.zip, which contains a decoy image and a malicious Windows shortcut (LNK) file."
https://denwp.com/more-eggs-venom-spider-phishing-campaign/
- Saja DPRK Employment Scam Network
"Nisos is tracking an IT worker employment scam network posing as Polish and US nationals with the goal of obtaining employment in remote engineering and full-stack blockchain developer roles. Threat actors in this network are using GitHub accounts, portfolio websites, freelancer accounts, and a global freelance software development company, Inspiration With Digital Living (IWDL), to trick companies into hiring them for full-time remote positions and project-based freelance jobs. This network is the first indication that possibly DPRK-affiliated IT workers are setting up fake freelance software development companies with legitimate looking websites to gain freelancer work."
https://nisos.com/research/saja-dprk-employment-scam/
- Another Confluence Bites The Dust: Falling To ELPACO-Team Ransomware
"In late June 2024, an unpatched Confluence server was compromised via CVE-2023-22527, a template injection vulnerability, first from IP address 45.227.254[.]124, which just ran whoami and exited. Shortly thereafter, a different IP address used the same exploit, running curl to deploy a Metasploit payload (Meterpreter) and establish a C2 channel to 91.191.209[.]46. The same IP address that delivered the initial Confluence exploit (used to run whoami) was later used to establish a direct AnyDesk connection."
https://thedfirreport.com/2025/05/19/another-confluence-bites-the-dust-falling-to-elpaco-team-ransomware/
Breaches/Hacks/Leaks
- Coinbase Says Recent Data Breach Impacts 69,461 Customers
"Coinbase, a cryptocurrency exchange with over 100 million customers, revealed that a recent data breach in which cybercriminals stole customer and corporate data affected 69,461 individuals. In data breach notifications filed with the Office of Maine's Attorney General, Coinbase said, "a small number of individuals, performing services for Coinbase at our overseas retail support locations, improperly accessed customer information.""
https://www.bleepingcomputer.com/news/security/coinbase-says-recent-data-breach-impacts-69-461-customers/
https://www.darkreading.com/threat-intelligence/coinbase-breach-compromises-70k-customers
https://therecord.media/nearly-70000-impacted-coinbase-breach
https://www.securityweek.com/coinbase-says-rogue-contractor-data-breach-affects-69461-users/
https://securityaffairs.com/178151/data-breach/coinbase-data-breach-impacted-69461-individuals.html
https://www.theregister.com/2025/05/21/coinbase_confirms_insider_breach_affects/
- Threat Actor Selling 1.2 Billion Facebook Records, But Details Don’t Add Up
"Threat actor ‘ByteBreaker’ claims to sell 1.2B Facebook records scraped via API abuse, but inconsistencies in data size and identity raise doubts."
https://hackread.com/threat-actor-selling-1-2-billion-facebook-records/
- ‘Deep Concern’ For Domestic Abuse Survivors As Cybercriminals Expected To Publish Confidential Refuge Addresses
"Sensitive information about women and girls who have survived domestic abuse is now expected to be exposed through a data extortion incident impacting the British government’s Legal Aid Agency, potentially revealing their locations to abusers and in some cases requiring them to move homes. The government confirmed the incident on Monday, saying everyone who applied for aid using the service’s online platform since 2010 is believed to be affected."
https://therecord.media/concern-domestic-survivors-breach-london
General News
- What Good Threat Intelligence Looks Like In Practice
"In this Help Net Security interview, Anuj Goel, CEO of Cyware, discusses how threat intelligence is no longer a nice-to-have; it’s a core cyber defense requirement. But turning intelligence into action remains a challenge for many organizations. The path forward lies in integration, automation, and collaboration across technical and executive teams. With the right strategy, threat intelligence can become not just a source of awareness, but a driver of speed, precision, and resilience."
https://www.helpnetsecurity.com/2025/05/21/anuj-goel-cyware-good-threat-intelligence/
- Scattered Spider Snared Financial Orgs Before Targeting Shops In Britain, America
"Scattered Spider snared financial services organizations in its web before its recent spate of retail attacks in the UK and US, according to Palo Alto Networks' Unit 42. "We saw several instances in the financial services space, and now we're starting to see instances in the retail-oriented, customer-facing space," Unit 42 principal threat researcher Kristopher Russo told The Register. Russo declined to name the victim companies, but noted that all of the organizations that brought in Unit 42's incident-response team were English-speaking."
https://www.theregister.com/2025/05/21/scattered_spider_snared_financial_orgs/
- European Union Sanctions Stark Industries For Enabling Cyberattacks
"The European Union has imposed strict sanctions against web-hosting provider Stark Industries and the two individuals running it, CEO Iurie Neculiti and owner Ivan Neculiti, for enabling “destabilising activities” against the Union. The action is part of the European Council’s effort to protect against Russian hybrid threats. It affects 21 individuals and six entities behind activities that supported or promoted Russia’s foreign policy interests and distributed pro-Russian propaganda through media outlets. Web-hosting service Stark Industries stands out in the Council’s updated list of sanctions."
https://www.bleepingcomputer.com/news/security/european-union-sanctions-stark-industries-for-enabling-cyberattacks/
- A House Full Of Open Windows: Why Telecoms May Never Purge Their Networks Of Salt Typhoon
"When the news broke that a Chinese hacking group known as Salt Typhoon had penetrated multiple U.S. telecommunications networks, gained access to the phones of a presidential campaign, and collected geolocation data on high-value targets around Washington D.C., one of the first questions on the minds of executives and U.S. officials was how long it would take to kick them out."
https://cyberscoop.com/salt-typhoon-chinese-hackers-us-telecom-breach/
- CrowdStrike 2025 Latin America Threat Landscape Report: A Deep Dive Into An Evolving Region
"Latin America has quickly become a hotspot for cyber activity. The region’s rapid digitalization, expanding cloud adoption, and evolving geopolitical friction have drawn the attention of both financially motivated eCrime actors and strategic nation-state adversaries. The CrowdStrike 2025 Latin America Threat Landscape Report provides key insights into cyber activity across Central and South America, Mexico, and the Caribbean. In its pages, CrowdStrike Counter Adversary Operations team details the eCrime activity, targeted intrusions, hacktivist disruptions, and cyber espionage targeting organizations in the region."
https://www.crowdstrike.com/en-us/blog/2025-latam-threat-landscape-report-deep-dive/
https://www.darkreading.com/cyber-risk/pandas-galore-chinese-hackers-attacks-latin-america
- Dark Reading Confidential: The Day I Found An APT Group In The Most Unlikely Place
"Hello and welcome to Dark Reading Confidential. It's a podcast from the editors of Dark Reading focused on bringing you real stories straight from the cyber trenches. My name is Becky Bracken. I'm your host and editor for Dark Reading. I'm joined today by Dark Reading's editor-in-chief, Kelly Jackson Higgins and Jim Donahue, who is Dark Reading's managing editor of content operations. Today, we are very pleased to bring you a fascinating conversation that we are calling, “The Day I Found an APT Group in the Most Unlikely Place.”"
https://www.darkreading.com/threat-intelligence/the-day-i-found-an-apt-group-in-the-most-unlikely-place
- How Do Cybercriminals Launder Cryptocurrency?
"The worst possible outcome has occurred. A ransomware attack has broken through multiple layers of security and encrypted mission-critical data. Either no backup exists for this data, or the data backups are also encrypted. No documented fix will allow you to reverse the encryption. Given no other choice, you pay the ransom. On aggregate, the global ransomware industry accrued hundreds of millions of dollars in various cryptocurrencies in 2024 alone. But the story of that money doesn’t stop there. It needs to be laundered — converted from illegal winnings into an apparently legitimate income stream. How do cybercriminals transform their ransom payments into money they can spend without fear of arrest?"
https://blog.barracuda.com/2025/05/21/cybercriminals-launder-cryptocurrency
- Russian Hybrid Threats: EU Lists Further 21 Individuals And 6 Entities And Introduces Sectoral Measures In Response To Destabilising Activities Against The EU, Its Member States And International Partners
"The Council today decided to impose additional restrictive measures against 21 individuals and 6 entities responsible for Russia’s destabilising actions abroad. The Council has also broadened the scope to allow the EU to target tangible assets linked to Russia’s destabilising activities, such as vessels, aircraft, real estate, and physical elements of digital and communication networks, as well as transactions of credit institutions, financial institutions and entities providing crypto-assets services that directly or indirectly facilitate Russia’s destabilising activities."
https://www.consilium.europa.eu/en/press/press-releases/2025/05/20/russian-hybrid-threats-eu-lists-further-21-individuals-and-6-entities-and-introduces-sectoral-measures-in-response-to-destabilising-activities-against-the-eu-its-member-states-and-international-partners/
https://therecord.media/eu-sanctions-orgs-individuals-tied-to-russia-disinformation
Reference
Electronic Transactions Development Agency (ETDA)