AI, Cloud Exposures, and Evolving Malware Techniques
A lot is happening in the threat landscape, and we’re here to bring you the most relevant updates for CTI teams. From advanced anti-analysis techniques to AI-related risks and cloud misconfigurations, attackers continue to evolve their methods. Stay ahead with this week’s key highlights. Let's dive in!
Google Report: Threat Actors Use AI to Boost Sandbox Evasion and Recon
Google Threat Intelligence Group (GTIG) highlights how threat actors, including a North Korean APT group, are leveraging Google’s AI-powered assistant, Gemini, across multiple attack phases. For example, Gemini assisted in developing sandbox-evasion code, providing C++ snippets to detect VM environments and Hyper-V machines. The report emphasizes that while actors are gaining productivity boosts, they aren’t yet creating novel capabilities.
Gemini has been used by APTs to research infrastructure, hosting providers, vulnerabilities, payloads, and to generate scripts for evasion and recon, underscoring its role in supporting various stages of the attack lifecycle.
Explore Google’s report for insights on the evolving role of generative AI in cyber operations. https://cloud.google.com/blog/topics/threat-intelligence/adversarial-misuse-generative-ai
Watchtowr: Abandoned S3 Buckets—The Next SolarWinds-Style Supply Chain Risk?
Watchtowr’s latest research sheds light on the critical security risks posed by abandoned S3 buckets—an often-overlooked weakness with massive supply chain implications. Poor security hygiene has allowed access to sensitive infrastructure belonging to governments, Fortune 500 companies, major antivirus and SSL VPN vendors, and key open-source projects.
The root cause? The “easy come, easy go” mindset around Internet resources, where acquiring and abandoning critical assets like S3 buckets, domains, and IP addresses happens without long-term accountability. Threat intel teams managing digital assets should take note, as these missteps could lead to severe breaches in software updates, build pipelines, and more.
Explore Watchtowr’s full research for actionable takeaways. https://labs.watchtowr.com/8-million-requests-later-we-made-the-solarwinds-supply-chain-attack-look-amateur/
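A defender-side inventory check in the spirit of this finding, added here as an example rather than Watchtowr's code: it pulls every S3 bucket referenced in a build or update config so that each one can be verified to still be registered before someone else claims an abandoned name. The sample config, the bucket names and the injected `bucket_exists` callback are assumptions; only the `s3://`, virtual-hosted and path-style URL forms are real AWS conventions.

```python
import re

# AWS bucket names: 3-63 chars of lowercase letters, digits, dots and hyphens.
BUCKET = r"[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]"
# The three URL shapes a pipeline usually references a bucket with.
PATTERNS = (
    re.compile(rf"s3://({BUCKET})\b"),                                           # s3://bucket/key
    re.compile(rf"https?://({BUCKET})\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com"),  # virtual-hosted
    re.compile(rf"https?://s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com/({BUCKET})\b"), # path-style
)


def extract_buckets(text):
    """Map each referenced bucket name to the line numbers that mention it."""
    found = {}
    for no, line in enumerate(text.splitlines(), 1):
        for pat in PATTERNS:
            for m in pat.finditer(line):
                found.setdefault(m.group(1), []).append(no)
    return found


def audit(text, bucket_exists):
    """bucket_exists(name) -> bool is injected so this runs offline; in
    production wrap boto3's head_bucket and treat 200/403 as existing and
    404 as gone, i.e. re-registrable by anyone who wants your traffic."""
    return {name: ("still-registered" if bucket_exists(name) else "UNCLAIMED", lines)
            for name, lines in extract_buckets(text).items()}


# Constructed sample build config; the bucket names are invented.
SAMPLE = """artifacts: s3://acme-build-artifacts/releases/
update_url: https://acme-updates.s3.us-east-1.amazonaws.com/latest.json
legacy_mirror: https://s3.amazonaws.com/acme-old-mirror/installer.pkg
docs: https://docs.example.com/not-a-bucket
"""

if __name__ == "__main__":
    # Pretend the legacy mirror bucket was deleted years ago.
    for name, (state, lines) in audit(SAMPLE, lambda n: n != "acme-old-mirror").items():
        print(f"{state:16} {name} (lines {lines})")
```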
Fully Undetected macOS Shell Script Drops Atomic Stealer, AI-Generated Indicators Found
VMRay Labs discovered a malicious DMG file containing a shell script that remained fully undetected on VirusTotal for two days, downloading and executing Atomic Stealer on macOS. The shell script, likely AI-generated based on its structured comments, error handling, and logging, applies basic obfuscation and targets both x86 and ARM-based systems.
Key highlights include sandbox evasion through checks for known usernames (maria, run, jackiemac, bruno) and a multi-stage infection chain: DMG → Shell Script → Mach-O Binary → AppleScript → Atomic Stealer. With macOS being a common choice for organizations prioritizing security, this campaign is worth checking for both threat intel and malware analysis teams.
Explore VMRay’s report for full technical details. https://www.vmray.com/fully-undetected-shell-script-dropping-macos-atomic-stealer/
ClickFix Technique in Malvertising Campaign Delivers DarkGate Malware
Malwarebytes uncovered a malvertising campaign leveraging the ClickFix technique, where fake CAPTCHA or validation pages trick users into pasting and executing malicious code. Unlike traditional phishing, these attacks rely on direct interaction and have become more common through Google ads. A recent campaign targeting Notion seems to be running A/B tests—some victims downloaded fake installers, while others were tricked using ClickFix, suggesting threat actors are optimizing their methods for higher success rates.
The campaign ultimately delivered the DarkGate malware loader, with sandboxing reports from VMRay providing additional insights. As this technique grows, CTI teams should be on alert.
Explore Malwarebytes’ research and VMRay sandbox reports for details. https://www.malwarebytes.com/blog/news/2025/01/clickfix-vs-traditional-download-in-new-darkgate-campaign
Sample analysis report from VMRay Threat Feed: https://www.vmray.com/analyses/_vt/6b6676267c70/report/overview.html
Coyote Banking Trojan Targets Brazil with Multi-Staged LNK Delivery
FortiGuard Labs has uncovered the Coyote banking trojan targeting over 70 financial apps and 1,000+ websites, primarily in Brazil. Delivered via LNK files containing PowerShell commands, Coyote seeks to harvest sensitive financial information. The malware employs anti-analysis techniques, including username checks for test/sandbox names (e.g., Johnson, Bruno, Sandbox, malware), and scans “C:\Windows\System32” for virtualization management components such as qemu-ga and netkvm.sys to evade detection.
Its expanded target list includes popular sites like mercadobitcoin.com.br and bitcointrade.com.br, making this campaign a significant threat for the finance sector.
Check FortiGuard Labs’ full report for mitigation and detection insights. https://www.fortinet.com/blog/threat-research/coyote-banking-trojan-a-stealthy-attack-via-lnk-files
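Both the macOS dropper above and Coyote gate execution on the same two checks (the current username against a list of analyst names, and VM artifacts on disk), so one static triage script serves both write-ups. It is an added example, not VMRay's or FortiGuard's tooling; the watchlists are the names the two reports quote, while the username-source patterns and the constructed sample script are assumptions.

```python
import re

# Sandbox/analyst usernames quoted in the VMRay and FortiGuard reports above.
SANDBOX_USERNAMES = {"maria", "run", "jackiemac", "bruno",
                     "johnson", "sandbox", "malware"}
# VM guest artifacts Coyote looks for under C:\Windows\System32.
VM_ARTIFACTS = {"qemu-ga", "netkvm.sys"}
# Common ways a shell or PowerShell script reads the current username (assumed list).
USERNAME_SOURCES = re.compile(
    r"\bwhoami\b|\$USER\b|\$LOGNAME\b|\$env:USERNAME\b|%USERNAME%"
    r"|Environment\]::UserName", re.IGNORECASE)
# Only quoted literals count, so an ordinary word like run in a comment is ignored.
QUOTED_LITERAL = re.compile(r"""["']([A-Za-z0-9_.-]+)["']""")

def scan_script(text):
    """Return line numbers, per category, of sandbox-evasion indicators."""
    hits = {"username_source": [], "sandbox_names": {}, "vm_artifacts": {}}
    for no, line in enumerate(text.splitlines(), 1):
        if USERNAME_SOURCES.search(line):
            hits["username_source"].append(no)
        for lit in QUOTED_LITERAL.findall(line):
            if lit.lower() in SANDBOX_USERNAMES:
                hits["sandbox_names"].setdefault(lit.lower(), []).append(no)
        for art in VM_ARTIFACTS:
            if art in line.lower():
                hits["vm_artifacts"].setdefault(art, []).append(no)
    return hits

def verdict(hits):
    """A username read paired with watchlist names, or any VM artifact,
    is the pattern both reports describe; names alone are only a weak signal."""
    if hits["vm_artifacts"] or (hits["username_source"] and hits["sandbox_names"]):
        return "evasion-likely"
    return "weak" if hits["sandbox_names"] else "clean"

# Constructed sample modelled on the macOS dropper's checks (not the real script).
SAMPLE = r"""#!/bin/bash
me=$(whoami)
for bad in "maria" "run" "jackiemac" "bruno"; do
  [ "$me" = "$bad" ] && exit 0
done
ls C:\Windows\System32\qemu-ga 2>/dev/null && exit 0
echo "next stage would run here"
"""

if __name__ == "__main__":
    h = scan_script(SAMPLE)
    print(verdict(h), h)
```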
Wiz Research Finds Major Data Exposure at DeepSeek, ChatGPT’s Cheaper Competitor
Wiz Research discovered a publicly accessible ClickHouse database belonging to Chinese AI startup DeepSeek, exposing over 1 million log entries with sensitive information. The database allowed full control over operations, including access to chat history, API keys, backend details, and operational metadata. Logs dating from January 2025 contained details on internal API endpoints, chatbot metadata, and directory structures, posing a significant risk to both the company and its users.
As AI technologies rapidly evolve, incidents like this underscore the growing importance of securing AI infrastructure and sensitive data.
Explore Wiz Research’s full report for details. https://www.wiz.io/blog/wiz-research-uncovers-exposed-deepseek-database-leak
FREE FROM COMMUNITY
The Cyber Yeti - Learn Core Malware Analysis Skills
Dr. Josh Stroschein, the creator of The Cyber Yeti community, has shared a treasure trove of resources for learning essential malware analysis skills. With episodes of the "Malware Mondays" live stream, free exercise files, and practical coverage of tools like CAPA, FLOSS, and Suricata, this is a must-visit for both beginners and experienced analysts.
All content is freely available on YouTube, making it a fantastic resource to boost your malware analysis expertise.
Check out this great resource here. https://www.thecyberyeti.com/malware-mondays
Latest Picks from VMRay Threat Feed
In-depth malware analysis reports