The Cybersecurity Dossier - February 3, 2025
Threat Actor in Focus - PlushDaemon infiltrates the supply chain of a Korean VPN service.
Recently, a sophisticated supply-chain attack was identified targeting a South Korean VPN provider. Attackers compromised the VPN’s installer, embedding a malicious backdoor alongside the legitimate software. This backdoor, known as SlowStepper, is a feature-rich tool with over 30 components designed for extensive cyberespionage activities. The initial infection vector involved users downloading a ZIP archive containing the compromised installer from the VPN provider’s official website. Upon execution, the installer deployed both the legitimate VPN application and the SlowStepper backdoor. Persistence was achieved by adding a registry entry, ensuring the backdoor’s execution upon system startup. SlowStepper operates through a multistage command-and-control (C&C) protocol utilizing DNS. It has the capability to download and execute numerous additional modules, primarily written in Python and Go, enhancing its espionage functionalities. READ MORE
CYFIRMA ANNUAL INDUSTRIES REPORT : PART 3
Welcome to the CYFIRMA Infographic Industry Report, where we examine the external threat landscape across 13 industries over the past year. Through clear, data-driven visuals and expert insights, we present concise analyses of attack campaigns, phishing telemetry, and ransomware incidents affecting organizations worldwide. Leveraging our cutting-edge platform telemetry and the deep expertise of our analysts, this report covers detailed industry-specific breakdowns along with the cross-industry trends and year-over-year changes published in Part 1. Our goal is to equip you with actionable intelligence that helps you stay ahead in the ever-evolving cybersecurity landscape. This is Part 3 of the report, which covers only the second half of the individual industry breakdowns. If you would like to access the full report, it is available exclusively on our website. READ MORE
ASTRAL STEALER ANALYSIS
The “Astral Stealer” is an advanced malware tool designed to steal sensitive information, evade detection, and maintain persistence on compromised systems. Written in Python, C#, and JavaScript, it incorporates techniques like credential dumping, browser injection, and data exfiltration via webhooks. It is publicly available on GitHub, giving attackers ready access to features such as anti-VM detection, registry modifications, and system information discovery. Astral Stealer also offers advanced capabilities that can be enabled for an additional payment, such as viewing backup codes, auto-changing email, and an anti-delete system that reinstalls after Discord uninstallation or updates. It also supports reinstallation of Discord injections, logs newly added credit cards and passwords, and extracts data from VPNs, cryptocurrency extensions, and other targeted platforms. The Astral Stealer developer used Guna.UI DLL-driven tools to design the builder, which is highly customizable, visually appealing, and user-friendly, with multiple selection options. READ MORE
WINDOWS LOCKER RANSOMWARE
A newly identified ransomware strain, “Windows Locker” (also known as XDS), was first observed in December 2024 and has since been widely seen on GitHub. Written in .NET, this sophisticated malware targets victims by encrypting files and appending the .winlocker extension to the compromised files. Upon infection, it drops a ransom note titled Readme.txt, which provides instructions on how to contact the attacker or designated administrator for payment and decryption. To maintain persistence, “Windows Locker” modifies registry keys, ensuring that it remains active on the compromised system even after a reboot. Additionally, the ransomware deletes shadow copies, effectively preventing victims from using system restore points or other standard recovery methods to retrieve their encrypted files. Windows Locker exhibits a sophisticated and multifaceted approach to compromising systems and extorting victims. Its primary function is to encrypt user files using the AES algorithm with a 256-bit key, rendering them inaccessible without the decryption key. READ MORE
CYFIRMA INDUSTRY REPORT : REAL ESTATE & CONSTRUCTION
Welcome to the CYFIRMA infographic industry report, where we delve into the external threat landscape of the real estate & construction industry over the past three months. This report provides valuable insights and data-driven statistics, delivering a concise analysis of attack campaigns, phishing telemetry, and ransomware incidents targeting the real estate & construction industry. We aim to present an industry-specific overview in a convenient, engaging, and informative format. Leveraging our cutting-edge platform telemetry and the expertise of our analysts, we bring you actionable intelligence to stay ahead in the cybersecurity landscape. CYFIRMA provides cyber threat intelligence and external threat landscape management platforms, DeCYFIR and DeTCT, which utilize artificial intelligence and machine learning to ingest and process relevant data, complemented by manual CTI research. For the purpose of these reports, we leverage the following data from our platform. These are data processed by AI and ML automation, based on both human research input and automated ingestions. READ MORE
Ransomware of the Week
The CYFIRMA Research and Advisory Team found Hyena Ransomware while monitoring various underground forums as part of our Threat Discovery Process. Researchers have identified a new ransomware strain named Hyena, linked to the MedusaLocker family. Hyena encrypts files, appending the “.hyena111” extension, and leaves a ransom note titled “READ_NOTE.html” while altering the desktop wallpaper. The ransom note informs victims that their network has been breached and that critical files have been encrypted using the RSA and AES algorithms. It warns against using third-party tools for file recovery, claiming such actions could lead to permanent data loss. The attackers also threaten to leak or sell confidential data if the ransom is not paid. Victims are offered the chance to decrypt 2–3 non-essential files for free and are instructed to contact the attackers via the provided email addresses or a Tor-based chat for negotiations. The note emphasizes that the ransom price will increase after 72 hours. This ransomware specifically targets the widely used Windows operating system. READ MORE
Trending Malware of the Week
This week “Lumma Stealer” is trending. Researchers have identified a global malware campaign leveraging fake CAPTCHAs to deliver Lumma Stealer, a malware-as-a-service (MaaS) threat active since 2022. This campaign targets victims across industries such as telecom, healthcare, banking, and marketing, with notable activity in countries like the United States, Argentina, Colombia, and the Philippines. The attackers utilize various delivery methods, such as cracked software, Discord’s CDN, and fake CAPTCHA pages. The infection chain employs diverse techniques, including process hollowing and PowerShell one-liners. The campaign introduces new payloads, malicious websites leveraging malvertising, and sophisticated strategies to bypass security controls. Notably, attackers instruct victims to execute commands via the Windows Run command, effectively evading browser-based defenses. Additionally, the use of open-source snippets to bypass the Windows Antimalware Scan Interface (AMSI) further enhances the malware’s ability to remain undetected. READ MORE
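The fake-CAPTCHA lure described above leaves a trace that defenders can hunt for: Explorer records every command typed into the Run dialog under the per-user RunMRU key. The following PowerShell script is an added example (not part of the original newsletter or the referenced research) that lists those entries, most recent first, and flags ones that combine a script interpreter with a download or decode cue; the token list and the two-cue threshold are assumptions chosen for illustration.

```powershell
# Added example: hunt the per-user Run dialog history (RunMRU) for the kind of
# one-liners a fake-CAPTCHA page asks victims to paste. Run on the workstation
# under review; the token list below is an illustrative assumption, not a full signature.
$runMruPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
$suspiciousTokens = @('powershell', 'pwsh', 'mshta', 'curl', 'iwr', 'invoke-webrequest',
                      'iex', 'invoke-expression', '-enc', '-e ', 'frombase64string', 'http')

function Get-RunMruEntries {
    param([string]$Path = $runMruPath)
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if (-not $props) { return @() }
    # MRUList holds the single-letter value names in most-recent-first order.
    $order = [string]$props.MRUList
    foreach ($name in $order.ToCharArray()) {
        $prop = $props.PSObject.Properties[[string]$name]
        if (-not $prop) { continue }
        # Explorer stores each command with a trailing "\1" marker; strip it for readability.
        [pscustomobject]@{
            Slot    = [string]$name
            Command = ([string]$prop.Value) -replace '\\1$', ''
        }
    }
}

function Test-SuspiciousRunCommand {
    param([string]$Command)
    $lower = $Command.ToLowerInvariant()
    $hits = @($suspiciousTokens | Where-Object { $lower.Contains($_) })
    # Require two independent cues (e.g. an interpreter plus a download/decode verb)
    # so that ordinary entries such as "cmd" or "notepad" do not raise an alert.
    return ($hits.Count -ge 2)
}

Get-RunMruEntries | ForEach-Object {
    $flag = if (Test-SuspiciousRunCommand -Command $_.Command) { 'SUSPICIOUS' } else { 'ok' }
    '{0} [{1}] {2}' -f $flag, $_.Slot, $_.Command
}
```

Because RunMRU is per-user, run the script in the context of (or load the hive of) each user profile on the host; a flagged entry is a lead for correlating with PowerShell script-block logs, not proof of compromise on its own.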
CYFIRMA is a threat discovery and cyber-intelligence company with the world’s first platform that can deliver predictive cyber-intelligence. We combine cyber-intelligence with attack surface discovery and digital risk protection to deliver early warning, personalized, contextual, outside-in, and multi-layered insights. We have built a next-generation AI-powered threat intelligence platform called External Threat Landscape Management (ETLM) to provide cyber defenders with the hacker’s view and help clients prepare for impending attacks.
SCHEDULE A DEMO HERE
Visit www.cyfirma.com
Message sent by CYFIRMA at 16 Raffles Quay #09-01 S(048581), Singapore, Singapore.