CEOs and business owners received personal, customized ransomware threats in a series of letters sent in the mail through USPS.

Business owners and CEOs across the United States received customized ransomware threats this month from the most unusual of places—letters in the mail.

The letters, which were first reported by multiple cybersecurity researchers, claim to come from a ransomware group called BianLian. But since Malwarebytes first started tracking BianLian nearly one year ago, our intelligence analysts have never seen the cybercriminal gang resort to sending physical letters to make their ransom demands, suggesting that the latest snail mail campaign could be the work of copycats.

The threat, however, is still quite real, especially for small business owners who rely either on themselves or contracted IT services to investigate any technical problems.

According to multiple examples discovered by researchers, the letters in this likely hollow threat were sent through the US Postal Service. The envelopes containing the letters are stamped with the words “TIME SENSITIVE READ IMMEDIATELY” and have the following return address listed:

> BianLian Group  
> 24 Federal St, Suite 100  
> Boston, MA, 02110

The letters themselves lobby a variety of urgent threats to their recipients: Their corporate network has been compromised, sensitive customer and employee data has been stolen, and there is immediately a 10-day deadline to pay a cryptocurrency ransom before the cybercriminals leak the stolen data online.

These threats are standard for ransomware groups today, especially those that have pivoted to not only encrypting a company’s data, but stealing it in the process of an attack to use as further leverage to extort a ransom payment. In fact last year, Malwarebytes wrote about BianLian abusing a common Microsoft tool to avoid cybersecurity detection while storing massive quantities of stolen data from victims.

But the similarities between the threats included in the letter and the recorded actions of BianLian end there. The letter senders claim that they “no longer negotiate with victims,” which is a rarity from ransomware gangs. In fact, the practice is so normalized that a cottage industry of ransomware “negotiators” has popped up to help victims caught in an attack. The letters themselves, researchers said, also include few grammatical errors and better sentence structure than a typical BianLian ransomware note.

One of the letters, in full, begins:

> Dear \[REDACTED\]
> 
> I regret to inform you that we have gained access to \[REDACTED\] systems and over the past several weeks have exported thousands of data files, including customer order and contact information, employee information with IDs, SSNs, payroll reports, and other sensitive HR documents, company financial documents, legal documents, investor and shareholder information, invoices, and tax documents.

Interestingly, researchers noticed that some of the letters were customized based on their recipient. If a letter was sent to a healthcare CEO, for instance, the letter warned about the theft of patient data; if the letter was sent to a CEO of a product maker, the letter warned about breached customer orders and employee data.

The amounts demanded by the letters varied reportedly from $250,000 to $350,000.

While a “physical” cyberthreat may sound silly, these letters could cause significant harm to small and growing businesses.

These personalized letters convincingly threaten network compromise, password abuse, employee exploitation, and data theft, which can be difficult to verify for any lean organization. Think about it this way: If an everyday person would struggle to check whether their home router had been compromised, many small business owners would struggle to do the same regarding their corporate infrastructure, and that’s through no fault of their own.

If you receive one of these letters in the mail, notify your IT or security team immediately. They can provide the investigation necessary to verify the security of your business.

Whether you have dedicated IT staff or not, you can protect your small business with Malwarebytes Teams, which prevents malware attacks and notifies you about suspicious activity on your network.

 Ransomware threat mailed in letters to business owners 

Cisco Talos has discovered an active exploitation of CVE-2024-4577 by an attacker in order to gain access to the victim's machines and carry out post-exploitation activities.

Unmasking the new persistent attacks on Japan

Microsoft warns that Chinese espionage group Silk Typhoon now exploits IT tools like remote management apps and cloud services to breach networks.

Cybersecurity researchers at Microsoft Threat Intelligence have observed that Silk Typhoon aka HAFNIUM, a Chinese espionage group known for its technical skill, is now using common IT solutions as a gateway into networks. Instead of solely relying on highly critical security vulnerabilities in major systems, the group is turning its attention to everyday tools like remote management applications and cloud services.

The shift in tactics aligns with changes adopted by other sophisticated espionage groups worldwide. This trend was first reported in May 2024, highlighting how Russian hackers are moving away from custom payloads in favour of readily available malware. A similar shift was observed in Iran, as reported in August 2024, where Iranian hackers were found collaborating with ransomware gangs in attacks against the United States.

**Exploiting Vulnerabilities**

Traditionally, Silk Typhoon took advantage of rare zero-day vulnerabilities by scanning for weak public-facing devices such as firewalls and VPNs. Some of its known exploitation includes CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. However, recent activity indicates that the group is now also targeting widely used solutions that many organizations rely on, including remote management tools and cloud applications.

While Microsoft confirms its own cloud services haven’t been directly targeted _yet_, Silk Typhoon is taking advantage of unpatched applications to breach systems. The group is known for misusing stolen keys and login details to compromise a targeted system and then using the access to reach into other systems, including those used by Microsoft particularly looking for information related to US government policy and legal matters.

****Changing Tactics****

The group’s change in tactics affects several sectors starting from government and healthcare to IT services and education. By attacking common IT tools, Silk Typhoon will take advantage of the fact that many organizations, including those with updated security measures, may overlook these everyday applications. Once inside, they will make use of various techniques to move across networks, access sensitive data, and even tamper with email and data storage services.

Therefore, Microsoft recommends a few key steps to secure yourself from the Silk Typhoon. First, keep all systems and software updated, as unpatched vulnerabilities are often the easiest entry points for attackers. Strong authentication practices, such as multi-factor authentication (MFA) and unique passwords, add an extra layer of security against unauthorized access.

For system administrators; monitoring network activity can also help detect unusual behaviour, like unexpected administrative changes, which could signal a breach. Additionally, organizations should carefully manage API keys and service credentials, restricting access wherever possible to prevent attackers from exploiting them.

Chinese Silk Typhoon Group Targets IT Tools for Network Breaches

The Justice Department claims 10 alleged hackers and two Chinese government officials took part in a wave of cyberattacks around the globe that included breaching the US Treasury Department and more.

Only rarely does the West get a glimpse inside the vast hacker-for-hire contractor ecosystem that enables China's digital intrusion campaigns worldwide. Now a new set of criminal charges against a dozen Chinese nationals, including two government officials, accuses them of a vast espionage campaign that included breaching the US Treasury, and goes as far as revealing the internal communications of some of those alleged hackers, their tools, and their business relationships.

The US Department of Justice on Wednesday announced the indictment of 12 Chinese individuals accused of more than a decade of hacker intrusions around the world, including eight staffers for the contractor i-Soon, two officials at China's Ministry of Public Security who allegedly worked with them, and two other alleged hackers who are said to be part of the Chinese hacker group APT27, or Silk Typhoon, which prosecutors say was involved in the US Treasury breach late last year.

“Today, we are exposing the Chinese government agents directing and fostering indiscriminate and reckless attacks against computers and networks worldwide, as well as the enabling companies and individual hackers that they have unleashed." Sue Bai, who leads the Justice Department’s National Security Division, wrote in a statement, “The Department of Justice will relentlessly pursue those who threaten our cybersecurity by stealing from our government and our people.”

According to prosecutors, the group as a whole has targeted US state and federal agencies, foreign ministries of countries across Asia, Chinese dissidents, US-based media outlets that have criticized the Chinese government, and most recently the US Treasury, which was breached between September and December of last year. An internal Treasury report obtained by Bloomberg News found that hackers had penetrated at least 400 of the agency’s PCs and stole more than 3,000 files in that intrusion.

The indictments highlight how, in some cases, the hackers operated with a surprising degree of autonomy, even choosing targets on their own before selling stolen information to Chinese government clients. The indictment against Yin Kecheng, who was previously sanctioned by the Treasury Department in January for his involvement in the Treasury breach, quotes from his communications with a colleague in which he notes his personal preference for hacking American targets and how he’s seeking to "break into a big target," which he hoped would allow him to make enough money to buy a car.

At one point, Yin notes that “anything within the top 100” of defense contractors would be a preferable target, according to the indictment. When his colleague suggests that he look for victims beyond the US, he replies, “I just like the Americans, nothing else is as good.”

In some cases, Yin and the other alleged hackers sold stolen information directly to Chinese government agencies, according to US officials, while in others they brokered the sale through secondary firms. The hackers’ independence in choosing targets reveals just how loose China’s hacker-for-hire ecosystem can be in some cases, according to one senior DOJ official who asked to remain unnamed because they were only authorized to speak on background.

“The contractors and companies will hack more or less speculatively, motivated by profit to cast a wide net,” the DOJ official says. China, the official says, “is fostering reckless and indiscriminate targeting of vulnerable computers worldwide, even if it doesn’t task or obtain the fruits of those hacks. This leads to a less secure and more vulnerable environment.”

Shanghai-based firm i-Soon, a contractor to China’s Ministry of State Security (MSS) and Ministry of Public Security (MPS) that the DOJ says employed eight of the alleged hackers, charged its Chinese government customers in some cases based on how many email inboxes it was able to breach, earning between $10,000 and $75,000 per inbox, according to prosecutors. The company, which has over 100 employees, earned tens of millions of dollars in revenue in some years, and its executives projected it would have revenue of about $75 million by 2025, according to the indictment. Prosecutors also note that the company worked with 43 different bureaus of the MSS and MPS across 31 provinces of China, which operated independently and often purchased the same products from i-Soon.

i-Soon, whose alleged hacker-for-hire operations were previously revealed in a leak of its internal documents and communications last year, offered its clients a “zero-day vulnerability arsenal” of unpatched, hackable flaws, according to the indictment. It also allegedly sold password-cracking tools and euphemistically named “penetration testing” products—which were, prosecutors says, in fact intended to be used on unwitting victims—which allegedly included targeted phishing tool kits as well as tools for embedding malware in file attachments.

The company also allegedly carried out its own targeting of victims, which the DOJ says included specific media outlets, dissidents, religious leaders, and researchers who had been critical of the Chinese government, as well as the New York State Assembly, one of whose representatives had received an email from members of an unnamed religious group that is banned in China.

Yin Kecheng and Zhou Shuai, an alleged associate in the APT27, or Silk Typhoon, group, are accused of hacking a wide variety of defense contractors, think tanks, a law firm, a managed communications service provider company, and other victims. In December, software contractor firm BeyondTrust alerted the US Treasury that the department had been breached due to an intrusion on BeyondTrust’s network—an operation that was later attributed to Silk Typhoon. In conjunction with the Justice Department’s charges today, Microsoft also released a guide to Silk Typhoon’s operating techniques, highlighting how it seeks to exploit the IT supply chain.

In Yin’s communications with a colleague included in the indictment against him, the colleague suggests that rather than go after large victim organizations directly, they target their subsidiaries, noting that “they are the same and easier to attack.” Yin responds, agreeing that strategy is “correct.”

All of the 12 Chinese nationals charged in the indictments remain at large—and, chances are, will never see the inside of a US courtroom. But the State Department announced rewards for information leading to their arrest between $2 million and $10 million each.

“To those who choose to aid the CCP in its unlawful cyber activities,” Bryan Vorndran, assistant director of the FBI’s Cyber Division, writes in a statement, using the term CCP to refer to the Chinese Communist Party, “these charges should demonstrate that we will use all available tools to identify you, indict you, and expose your malicious activity for all the world to see.”

US Charges 12 Alleged Spies in China’s Freewheeling Hacker-for-Hire Ecosystem

The China-lined threat actor behind the zero-day exploitation of security flaws in Microsoft Exchange servers in January 2021 has shifted its tactics to target the information technology (IT) supply chain as a means to obtain initial access to corporate networks.
That's according to new findings from the Microsoft Threat Intelligence team, which said the Silk Typhoon (formerly Hafnium) hacking

China-Linked Silk Typhoon Expands Cyber Attacks to IT Supply Chains for Initial Access

Veriti Research reveals 40% of networks allow ‘any/any’ cloud access, exposing critical vulnerabilities. Learn how malware like XWorm…

Veriti Research reveals 40% of networks allow ‘any/any’ cloud access, exposing critical vulnerabilities. Learn how malware like XWorm and Sliver C2 exploit cloud misconfigurations.

Recent research conducted by Veriti shared with Hackread.com, sheds light on the alarming trend of cybercriminals exploiting cloud infrastructure for malicious purposes. The study reveals that cloud platforms are increasingly being used not only to host and deliver malware payloads but also to serve as command-and-control centres.  

A particularly concerning finding is that over 40% of networks permit unrestricted communication with at least one major cloud provider. This “any/any” configuration creates a significant security vulnerability, allowing attackers to easily exfiltrate data and deploy malware from seemingly trusted cloud sources. 

Veriti’s research highlighted specific instances of malware campaigns leveraging cloud storage. The most noteworthy instances include the XWorm malware’s utilization of Amazon Web Services (AWS) S3 storage to distribute its malicious executables. Similarly, a Remcos campaign employed malicious RTF files, exploiting known vulnerabilities, with payloads also hosted on AWS S3.

Beyond malware distribution, cloud platforms are being actively used as command-and-control (C2) servers. Various malware families, including Havoc, NetSupportManager, Unam Miner, Mythic, Pupy RAT, Caldera, HookBot and Brutal Ratel, were observed utilizing infrastructure from major cloud providers like AWS, Google Cloud, Microsoft Azure, and Alibaba Cloud for C2 operations.

Cloud services and the type of malware being spread through them (Screenshot credit: Veriti)

Researchers also documented malware strains commonly found in cloud-based attacks, such as Mirai and njRAT, further emphasizing the growing abuse of cloud environments. Another concerning development is the increasing use of Sliver C2, which is being weaponized by Advanced Persistent Threat (APT) groups for stealthy C2 operations and post-exploitation tactics, Veriti’s report revealed.

For your information, Sliver C2 is an open-source command-and-control framework, initially developed for penetration testing but is now being weaponized by threat actors. It is often used with Rust-based malware to establish backdoors and exploits zero-day vulnerabilities, including recent Ivanti Connect Secure and Policy Secure vulnerabilities.

Furthermore, the study revealed critical vulnerabilities affecting cloud-hosted services across AWS, Azure, and Alibaba Cloud. These vulnerabilities, identified by CVE numbers, highlight the need for organizations to adopt a proactive approach to cloud security. 

The increasing abuse of cloud services demands a shift towards a _security-first approach_ to protect against these evolving threats, researchers noted.

“Veriti Research’s findings emphasize the critical need for organizations to rethink cloud security strategies. The increasing abuse of cloud services for malware hosting, C2 operations, and exploitation calls for a proactive, security-first approach,” the report read.

This should include restricting “any/any” network rules, implementing cloud-native security solutions for threat monitoring, and enforcing stronger cloud security policies.

Hackers Exploit Cloud Misconfigurations to Spread Malware

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added five security flaws impacting software from Cisco, Hitachi Vantara, Microsoft Windows, and Progress WhatsUp Gold to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
The list of vulnerabilities is as follows -

CVE-2023-20118 (CVSS score: 6.5) - A command injection

Cisco, Hitachi, Microsoft, and Progress Flaws Actively Exploited—CISA Sounds Alarm

Cybercriminals pose as IT support, using fake calls and Microsoft Teams messages to trick users into installing ransomware through email floods and remote access.

Cybersecurity researchers at Trend Micro are warning about a new scam where cybercriminals pose as tech support to gain access to victims’ computers. But this isn’t just another spam email scheme; attackers are flooding inboxes and even reaching out through Microsoft Teams to trick people into letting them in. Once inside, they deploy ransomware from groups like Black Basta and Cactus.

****Here’s how it works:****

Victims first get bombarded with a flood of emails. Shortly after, someone claiming to be from the IT department contacts them through Microsoft Teams or even a phone call. This “helper” then convinces the user to grant them remote access to their computer, often using a legitimate program called Quick Assist, which is built into Windows to allow remote tech support.

Once inside, the scammer downloads files that seem harmless at first but are secretly combined and unpacked to install a backdoor called BackConnect. Hidden in OneDrive, this backdoor gives attackers full control over the infected system.

It’s worth noting that the Black Basta gang was previously flagged in December 2024 for a similar modus operandi, using email bombing to target Microsoft Teams users. However, at that time, the group was deploying Zbot and DarkGate malware instead.

According to Trend Micro’s latest technical report, recent incidents analyzed by the company show a strong connection between this BackConnect malware and the notorious Black Basta ransomware group, which reportedly made over $100 million from victims in 2023. There’s even evidence suggesting some members of Black Basta have moved over to another ransomware gang called Cactus, as the methods used in recent Cactus attacks are strikingly similar.

These attacks have been particularly active since October 2024, primarily hitting organizations in North America, with the United States suffering the most. The manufacturing sector, followed by finance, investment consulting, and real estate, have been frequent targets for Black Basta.

Screenshot of the email address used by the attacker (Via Trend Micro)

In some cases, after establishing their backdoor, attackers have been seen using more advanced methods to spread through a network, even targeting specialized systems like ESXi hosts used for running virtual machines. They use tools like WinSCP to move files around and have been caught preparing to encrypt files before being stopped. Leaked internal chats from Black Basta reveal the group sees security tools like Trend Micro as a significant hurdle, showing they are actively trying to find ways around them.

> BlackBasta’s internal chats just got exposed, proving once again that cybercriminals are their own worst enemies. Keep burning our intelligence sources, we don’t mind. 😉 pic.twitter.com/6So7dl7xXn
> 
> — PRODAFT (@PRODAFT) February 20, 2025

What makes these attacks effective is not necessarily the complexity of the software used, but the way attackers manipulate people. By mixing social engineering with the abuse of genuine software and cloud services, they make their malicious actions look like normal computer activity. It highlights that cybersecurity isn’t just about having the right software, but also about being aware of how criminals try to deceive people.

****What You Should and Should NOT Do!****

If you’re a Microsoft Teams user, don’t panic if you suddenly get flooded with emails. Instead, contact your system administrator to ensure these emails are blocked immediately and your device is scanned regularly. Report any suspicious emails or calls from unknown third parties posing as “helpers” to your cybersecurity team.

Remember, you don’t need a helper if you never asked for one; especially when the ‘helper’ is the one who caused the problem in the first place.

Fake IT Support Calls Trick Microsoft Teams Users into Installing Ransomware

FortiGuard Labs discovers an advanced attack using modified Havoc Demon and SharePoint. Explore the attack's evasion techniques and security measures.

A new cyberattack campaign discovered by FortiGuard Labs, Fortinet’s threat intelligence and research unit, leverages a combination of social engineering, multi-stage malware, and the manipulation of trusted cloud services to achieve control over compromised systems.

According to FortiGuard’s investigation, shared with Hackread.com ahead of its publishing on Monday, the campaign targets Microsoft Windows users and has a high severity level. Their most crucial observation is that the attackers have innovated by integrating a modified version of the Havoc framework, Havoc Demon Agent, with the Microsoft Graph API, effectively hiding their malicious communications within the legitimate traffic of well-known cloud services.

For your information, Havoc is an open-source post-exploitation command and control framework used in red teaming exercises and attack campaigns to obtain full control of the target system.

The initial point of entry for this attack is a carefully crafted phishing email, which contains an HTML attachment designed to deceive the recipient into executing a malicious PowerShell command.

The Phishing Email (Source: FortiGuard Labs)

Through a technique known as “ClickFix,” in which users are tricked into executing malicious commands, the attachment presents a fake error message, prompting the recipient to copy and paste a seemingly harmless command into their system’s terminal. However, this command initiates a chain of events that leads to the downloading/execution of further malicious scripts, which are strategically hosted on a SharePoint site, probably to obscure the malicious operation within a trusted cloud environment.

The initial PowerShell script performs checks to evade sandbox detection and then proceeds to download/execute a Python script, also hosted on SharePoint. This Python script acts as a shellcode loader and injects and executes a malicious DLL, KaynLdr, which reflectively loads an embedded DLL, and further complicates analysis by using API hashing.

The core of the attacker’s C2 infrastructure relies on the modified version of the Havoc Demon DLL as it leverages the Microsoft Graph API to establish communication channels that blend seamlessly with legitimate cloud traffic. The “SharePointC2Init” function within the DLL obtains access tokens for the Microsoft Graph API and creates two files within the victim’s SharePoint document library, each named with a unique identifier derived from the compromised system.

These files act as channels for transmitting victim information and receiving C2 commands, while the entire communication is handled by the modified “TransportSend” function and encrypted using AES-256 in CTR mode. The agent then parses and executes these commands, which include a wide range of post-exploitation capabilities, such as information gathering, file operations, and token manipulation.

FortiGuard Labs’s discovery highlights the evolution of open-source C2 frameworks to create new, difficult-to-detect attacks and the growing need for adopting advanced security measures against such attacks.

“In addition to staying alert for phishing emails, guided messages that encourage opening a terminal or PowerShell must be handled with extra caution to prevent inadvertently downloading and executing malicious commands,” FortiGuard’s researchers concluded.

The attack Flow (Source: FortiGuard Labs)

In a comment to Hackread.com, Thomas Richards, Principal Consultant and Network and Red Team Practice Director at Black Duck, a Burlington, Massachusetts-based application security provider, noted that hackers are using trusted Microsoft services to evade detection, showing a high level of sophistication, but what stands out is that their attack method requires more manual action from the victim than usual.

_“_These bad actor groups aim for obfuscation so they can achieve their goals. It’s not unusual to see them use open-source frameworks, however, the use of legitimate Microsoft services shows a level of sophistication that is concerning. Using those services allows them to hide in plain sight and have the benefits of being trusted servers,_“_ Thomas explained. _“_What is surprising about this is the level of manual intervention needed on the victim for the attack to be a success. Usually with these campaigns, the bad actors want as little interaction as possible on the victim’s part aside from clicking on a link._“_

New Malware Campaign Exploits Microsoft Graph API to Infect Windows

Cybersecurity researchers are calling attention to a new phishing campaign that employs the ClickFix technique to deliver an open-source command-and-control (C2) framework called Havoc.
"The threat actor hides each malware stage behind a SharePoint site and uses a modified version of Havoc Demon in conjunction with the Microsoft Graph API to obscure C2 communications within trusted, well-known

Tag

#microsoft