Cyber Threat Intelligence 22 April 2025
New Tooling
- Hawk Eye: Open-Source Scanner Uncovers Secrets And PII Across Platforms
"Hawk Eye is an open-source tool that helps find sensitive data before it leaks. It runs from the command line and checks many types of storage for PII and secrets: passwords, API keys, and personal information. “Unlike most open-source tools that only scan cloud buckets for PII, this solution is designed for deep integration across your entire ecosystem. It supports 350+ file types (including videos, images, and documents), uses advanced OCR, and ensures complete data privacy by running entirely on-prem. No data ever leaves your environment,” Rohit Kumar, the developer of Hawk Eye, told Help Net Security."
https://www.helpnetsecurity.com/2025/04/21/hawk-eye-open-source-scanner/
https://github.com/rohitcoder/hawk-eye
Malware
- Phishing Attacks Leveraging HTML Code Inside SVG Files
"With each passing year, phishing attacks feature more and more elaborate techniques designed to trick users and evade security measures. Attackers employ deceptive URL redirection tactics, such as appending malicious website addresses to seemingly safe links, embed links in PDFs, and send HTML attachments that either host the entire phishing site or use JavaScript to launch it. Lately, we have noticed a new trend where attackers are distributing attachments in SVG format, the kind normally used for storing images."
https://securelist.com/svg-phishing/116256/
- Proton66 Part 1: Mass Scanning And Exploit Campaigns
"In this two-part series, SpiderLabs explores the malicious traffic associated with Proton66, revealing the extent and nature of these attacks. The first part of the series focuses on mass scanning and exploit activities, highlighting a specific IP address connected to SuperBlack ransomware operators, found to distribute some of the latest critical priority exploits. The second part delves into a range of malware campaigns linked to Proton66, including compromised WordPress websites redirecting Android devices to fake Google Play stores, an XWorm campaign targeting Korean-speaking chat room users, and the WeaXor Ransomware."
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/proton66-part-1-mass-scanning-and-exploit-campaigns/
https://thehackernews.com/2025/04/hackers-abuse-russian-bulletproof-host.html
- FOG Ransomware Spread By Cybercriminals Claiming Ties To DOGE
"During our monitoring of the ransomware threat landscape, we discovered samples with infection chain characteristics and payloads that can be attributed to FOG ransomware. A total of nine samples were uploaded to VirusTotal between March 27 and April 2, which we recently discovered were multiple ransomware binaries with .flocked extension and readme.txt notes. We observed that these samples initially dropped a note containing key names related to the Department of Government Efficiency (DOGE), an initiative of the current US administration that has been making headlines, recently about a member who allegedly assisted a cybercrime group involved in data theft and cyberstalking an agent of the Federal Bureau of Investigation (FBI). The note also contains instructions to spread the ransomware payload to other computers by pasting the provided code in the note."
https://www.trendmicro.com/en_us/research/25/d/fog-ransomware-concealed-within-binary-loaders-linking-themselve.html
https://www.darkreading.com/cyberattacks-data-breaches/fog-hackers-doge-ransom-notes
- Phishers Abuse Google OAuth To Spoof Google In DKIM Replay Attack
"In a rather clever attack, hackers leveraged a weakness that allowed them to send a fake email that seemed delivered from Google’s systems, passing all verifications but pointing to a fraudulent page that collected logins. The attacker leveraged Google’s infrastructure to trick recipients into accessing a legitimate-looking “support portal” that asks for Google account credentials. The fraudulent message appeared to come from “no-reply@google.com” and passed the DomainKeys Identified Mail (DKIM) authentication method but the real sender was different."
https://www.bleepingcomputer.com/news/security/phishers-abuse-google-oauth-to-spoof-google-in-dkim-replay-attack/
https://threadreaderapp.com/thread/1912439023982834120.html
- New Rust Botnet "RustoBot" Is Routed Via Routers
"FortiGuard Labs recently discovered a new botnet propagating through TOTOLINK devices. Unlike previous malware targeting these devices, this variant is written in Rust—a programming language introduced by Mozilla in 2010. Due to its Rust-based implementation, we’ve named the malware “RustoBot.”"
https://www.fortinet.com/blog/threat-research/new-rust-botnet-rustobot-is-routed-via-routers
- Booking.com Phishing Scam Uses Fake CAPTCHA To Install AsyncRAT
"Fake Booking.com emails trick hotel staff into running AsyncRAT malware via a fake CAPTCHA, targeting systems with a remote access trojan. A new phishing campaign is targeting hotel staff with fake Booking.com emails, tricking victims into executing malicious commands on their own systems. The scam appears well-planned, combining social engineering with the end aim to infect and compromise hotel networks with AsyncRAT."
https://hackread.com/booking-com-phishing-scam-fake-captcha-asyncrat/
- Lumma Stealer – Tracking Distribution Channels
"The evolution of Malware-as-a-Service (MaaS) has significantly lowered the barriers to entry for cybercriminals, with information stealers becoming one of the most commercially successful categories in this underground economy. Among these threats, Lumma Stealer has emerged as a particularly sophisticated player since its introduction in 2022 by the threat actor known as Lumma. Initially marketed as LummaC2, this information stealer quickly gained traction in underground forums, with prices starting at $250. As of March 2025, its presence on dark web marketplaces and Telegram channels continues to grow, with over a thousand active subscribers."
https://securelist.com/lumma-fake-captcha-attacks-analysis/116274/
- Mitigating ELUSIVE COMET Zoom Remote Control Attacks
"When our CEO received an invitation to appear on “Bloomberg Crypto,” he immediately recognized the hallmarks of a sophisticated social engineering campaign. What appeared to be a legitimate media opportunity was, in fact, the latest operation by ELUSIVE COMET—a threat actor responsible for millions in cryptocurrency theft through carefully constructed social engineering attacks. This post details our encounter with ELUSIVE COMET, explains their attack methodology targeting the Zoom remote control feature, and provides concrete defensive measures organizations can implement to protect themselves."
https://blog.trailofbits.com/2025/04/17/mitigating-elusive-comet-zoom-remote-control-attacks/
https://www.securityweek.com/north-korean-cryptocurrency-thieves-caught-hijacking-zoom-remote-control-feature/
- Japan Warns Of Hundreds Of Millions Of Dollars In Unauthorized Trades From Hacked Accounts
"Japanese regulators published an urgent warning about hundreds of millions of dollars worth of unauthorized trades being conducted on hacked brokerage accounts in the country. Japan’s Financial Services Agency (FSA) said on Friday that there has been a “sharp increase in the number of cases of unauthorized access and unauthorized trading” through online trading services. The trend was occurring, according to the agency, because of stolen customer information obtained through phishing websites “disguised as websites of real securities companies.”"
https://therecord.media/japan-warns-of-unauthorized-trades-hacked-accounts
- AgeoStealer: How Social Engineering Targets Gamers
"Infostealers have proven to be a gold mine for threat actors, responsible for stealing 75%—or 2.1 billion—of 2024’s 3.2 billion total credentials, fueling a constant cycle of account takeover attacks, ransomware, and high-profile data breaches. In our 2025 Global Threat Intelligence Report, we detailed their meteoric rise as a primary threat vector, with our analysts tracking over 24 unique stealer strains—such as RedLine, RisePro, and Lumma Stealer—being listed for sale on illicit marketplaces. Now, organizations will need to add AgeoStealer to their watch list as cybercriminals exploit the immense popularity of gaming."
https://flashpoint.io/blog/ageostealer-how-social-engineering-targets-gamers/
- False Face: Unit 42 Demonstrates The Alarming Ease Of Synthetic Identity Creation
"Evidence suggests that North Korean IT workers are using real-time deepfake technology to infiltrate organizations through remote work positions, which poses significant security, legal and compliance risks. The detection strategies we outline in this report provide security and HR teams with practical guidance to strengthen their hiring processes against this threat."
https://unit42.paloaltonetworks.com/north-korean-synthetic-identity-creation/
- Pirate Ships As a Service: Scallywag And Enabling Digital Piracy
"It’s hard to monetize digital piracy. Advertisers don’t want their brands associated with illicit activity, after all. As a result, threat actors have to get crafty with finding revenue sources to cash out and make the risks of sailing the high seas worth it for them. HUMAN’s Satori Threat Intelligence and Research team has disrupted Scallywag, a sophisticated ad fraud operation using a collection of WordPress extensions to monetize digital piracy with hundreds of cashout domains and URL shortening. Scallywag generates revenue for bad actors by inserting intermediary pages between a piracy catalog site and the actual streaming pirated content."
https://www.humansecurity.com/scallywag-open-redirectors/
https://www.humansecurity.com/learn/blog/satori-disruption-scallywag/
https://www.bleepingcomputer.com/news/security/scallywag-ad-fraud-operation-generated-14-billion-ad-requests-per-day/
- KeyPlug-Linked Server Briefly Exposes Fortinet Exploits, Webshells, And Recon Activity Targeting a Major Japanese Company
"A briefly exposed directory on infrastructure tied to KeyPlug malware revealed tooling likely used in active operations. The server, live for less than a day, exposed Fortinet firewall and VPN-targeting exploit scripts, a PHP-based webshell, and network reconnaissance scripts targeting authentication and internal portals associated with a major Japanese company. While short-lived, the exposure provides an unfettered view into a likely advanced adversary's operational staging and planning."
https://hunt.io/blog/keyplug-server-exposes-fortinet-exploits-webshells
Breaches/Hacks/Leaks
- Texas City Takes Systems Offline After Cyberattack
"The government of Abilene, Texas, has shut down some of its systems due to a cyberattack. City officials said they became aware of the incident on Friday when they received reports of unresponsive servers within the city’s internal network. IT staff immediately began disconnecting the affected systems and cybersecurity experts have been hired to investigate the issue. “Out of an abundance of caution, certain systems have been taken offline. However, emergency services are still up and running with the continued ability to timely assist, and no unidentified financial activity has been detected,” the city said on Monday."
https://therecord.media/texas-abilene-offline-cyberattack-systems
General News
- Cybercriminals Blend AI And Social Engineering To Bypass Detection
"Attackers are focusing more on stealing identities. Because of this, companies need to use zero trust principles. They should also verify user identities more carefully, says DirectDefense. Researchers analyzed thousands of alerts, mapping them to the MITRE ATT&CK framework, a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations."
https://www.helpnetsecurity.com/2025/04/21/adversaries-cybercrime-techniques/
- Cyber Threats Now a Daily Reality For One In Three Businesses
"Businesses are losing out on an average of $98.5 million a year as a consequence of cyber threats, fraud, regulatory hurdles and operational inefficiencies, according to research from FIS and Oxford Economics. The cost of disharmony is highest among technology companies, followed by insurance, financial services and fintech respondents."
https://www.helpnetsecurity.com/2025/04/21/businesses-fraud-consequence/
- Why CISOs Are Watching The GenAI Supply Chain Shift Closely
"In supply chain operations, GenAI is gaining traction. But according to Logility’s Supply Chain Horizons 2025 report, many security leaders remain uneasy about what that means for data protection, legacy tech, and trust in automation. The survey of 500 global supply chain leaders shows that 97% are already using some form of GenAI. But only a third are using tools designed specifically for supply chain tasks. And nearly half (43%) say they worry about how their data is used or shared when applying GenAI. Another 40% don’t trust the answers it gives."
https://www.helpnetsecurity.com/2025/04/21/ciso-genai-supply-chain/
- Microsoft Dominates As Top Target For Imitation, Mastercard Makes a Comeback
"Phishing attacks are one of the primary intrusion points for cyber criminals. As we examine the phishing threat landscape through the first quarter of 2025, cyber criminals continue to leverage trusted names to deceive unsuspecting users. Here’s a closer look at the trends, top brands targeted, and most notable incidents we’ve observed thus far in 2025."
https://blog.checkpoint.com/research/microsoft-dominates-as-top-target-for-imitation-mastercard-makes-a-comeback/
- Thinking Of Smishing Your Employees? Think Twice.
"With the pervasiveness of SMS-based phishing, often referred to as “smishing,” to target consumers’ personal devices, more organizations are considering deploying smishing simulations on employees’ mobile phones. These efforts stem from concerns over potential corporate breaches and compliance requirements. However, this approach is fraught with its own risks and can open organizations to legal liability and regulatory fines – not to mention the damage it can do to employee morale."
https://cofense.com/blog/thinking-of-smishing-your-employees-think-twice
- The Sophos Annual Threat Report: Cybercrime On Main Street 2025
"Small businesses are a prime target for cybercrime, as we highlighted in our last annual report. Many of the criminal threats we covered in that report remained a major menace in 2024, including ransomware–which remains a primary existential cyber threat to small and midsized organizations. Ransomware cases accounted for 70 percent of Sophos Incident Response cases for small business customers in 2024—and over 90 percent for midsized organizations (from 500 to 5000 employees). Ransomware and data theft attempts accounted for nearly 30 percent of all Sophos Managed Detection and Response (MDR) tracked incidents (in which malicious activity of any sort was detected) for small and midsized businesses."
https://news.sophos.com/en-us/2025/04/16/the-sophos-annual-threat-report-cybercrime-on-main-street-2025/
https://www.darkreading.com/threat-intelligence/nation-state-threats-smb
- Can Cybersecurity Weather The Current Economic Chaos?
"As the Trump administration continues to pursue a chaotic tariff policy — announcing steep tariffs on the United States' major trading partners, only to pause most of the import taxes for 90 days — economists are increasingly predicting a recession in the next 12 months, as business decision-makers pare back plans for the future amid increasing inflation and uncertainty."
https://www.darkreading.com/cloud-security/cybersecurity-weather-current-economic-chaos
- The Global AI Race: Balancing Innovation And Security
"We are, without question, in a global AI race. Every organization, supplier, and government is rushing to realize AI's benefits before their competitors do. The stakes are massive — not just in terms of business competition but in shaping the future balance of power across industries and nations. This validates AI's power and usefulness — it's considered existential to "get there first," as those who successfully leverage AI (especially artificial general intelligence and superintelligence) expect to become uncatchable."
https://www.darkreading.com/vulnerabilities-threats/global-ai-race-balancing-innovation-security
- Countries Shore Up Their Digital Defenses As Global Tensions Raise The Threat Of Cyberwarfare
"Hackers linked to Russia’s government launched a cyberattack last spring against municipal water plants in rural Texas. At one plant in Muleshoe, population 5,000, water began to overflow. Officials had to unplug the system and run the plant manually. The hackers weren’t trying to taint the water supply. They didn’t ask for a ransom. Authorities determined the intrusion was designed to test the vulnerabilities of America’s public infrastructure. It was also a warning: In the 21st century, it takes more than oceans and an army to keep the United States safe."
https://www.securityweek.com/countries-shore-up-their-digital-defenses-as-global-tensions-raise-the-threat-of-cyberwarfare/
- Cyberfraud In The Mekong Reaches Inflection Point, UNODC Reveals
"Transnational organized crime groups in East and Southeast Asia are hedging beyond the region as crack-down pressure increases, a new report by the UN Office on Drugs and Crime (UNODC) shows. Amidst heightened awareness and enforcement action, Asian crime syndicates are expanding operations deeper into many of the most remote, vulnerable, underprepared parts of the region — and beyond."
https://www.unodc.org/roseap/en/2025/04/cyberfraud-mekong-inflection-point/story.html
https://therecord.media/southeast-asia-cyber-fraud-at-inflection-point
References
Electronic Transactions Development Agency (ETDA)