January 27, 2025 Cyber Threat Intelligence Briefing
This week’s briefing covers:
00:00 – Intro and Situational Awareness
CL0P Update
The group’s post reads as follows: “DEAR COMPANIES THIS IS THE NEXT LIST WHICH WE HAVE CLOSED FOR THE TIME BEING AND DO NOT SHOW THE NAMES IN FULL IF YOU DO NOT GET IN TOUCH ASAP THE LIST WILL BE OPEN” and continues with the listed victim organizations and ways for the companies to contact the group.
CVE-2025-0411 - 7-Zip MotW Bypass POC Released
Researchers have published a POC for CVE-2025-0411, a Mark-of-the-Web bypass vulnerability that allows remote attackers to bypass the protection mechanism for downloaded archives on affected 7-Zip installations. The POC uses shellcode and injection to create a malicious payload capable of bypassing checks and executing directly with no user warnings.
3:24 – Threat Actors Impersonate Homebrew Using Google Ads to Deploy ATOMICSTEALER
Key Takeaways
- Threat actors continue to exploit Google Search advertisements to conduct phishing and malware distribution campaigns.
- Attackers are leveraging legitimate-looking domains to impersonate popular tools, this time specifically targeting macOS devices with ATOMICSTEALER.
- Kroll has reported on this trend for many years, and it continues to be an effective initial infection vector.
6:00 – DNS Misconfiguration Enables Malware Delivery by a Russian Botnet
Key Takeaways
- A recently identified botnet is delivering malware via spam campaigns, exploiting misconfigured DNS records to bypass email protections.
- The botnet comprises over 13,000 compromised MikroTik devices, using them as proxies to send malicious emails.
- The campaign involved spoofed sender domains and delivered trojan malware, with broader implications for various malicious activities.
- The attack highlights the critical importance of correctly configured DNS TXT records, including SPF, DKIM and DMARC.
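The last takeaway is easy to act on: the SPF, DKIM and DMARC records are plain DNS TXT records, and the weak settings that let a botnet spoof a domain (an SPF record ending in `+all`, a DMARC policy of `p=none`, or no DKIM key at all) can be spotted by a small audit. The checker below is an added example, not part of Kroll's briefing; it runs offline against constructed records for the hypothetical domain `example.test`, and the selector name `selector1` is an assumption.

```python
import re

# Constructed sample TXT records for the hypothetical domain "example.test";
# a real audit would fetch these with a resolver (e.g. dnspython's
# dns.resolver.resolve(name, "TXT")) instead of a dict.
SAMPLE_TXT = {
    "example.test": ["v=spf1 ip4:192.0.2.0/24 include:_spf.example.test +all"],
    "_dmarc.example.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example.test"],
    "selector1._domainkey.example.test": [],  # no DKIM key published
}

def check_spf(records):
    """Return findings for a domain's SPF TXT record(s)."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no v=spf1 record; receivers cannot reject spoofed senders"]
    findings = []
    if len(spf) > 1:
        findings.append("SPF: more than one v=spf1 record (RFC 7208 allows exactly one)")
    terms = spf[0].split()
    # The trailing 'all' mechanism decides the fate of senders not matched
    # earlier. '+all' (or bare 'all') authorises every host on the internet,
    # which is the misconfiguration that lets a botnet spoof the domain.
    all_terms = [t for t in terms if re.fullmatch(r"[+\-~?]?all", t, re.I)]
    if not all_terms:
        if not any(t.lower().startswith("redirect=") for t in terms):
            findings.append("SPF: no 'all' mechanism; unmatched senders are neutral")
    elif all_terms[-1].lower() in ("+all", "all"):
        findings.append("SPF: '+all' authorises any host; use '-all' or '~all'")
    return findings

def check_dmarc(records):
    """Return findings for the _dmarc.<domain> TXT record(s)."""
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ["DMARC: no record at _dmarc.<domain>; SPF/DKIM results are not enforced"]
    tags = dict(t.strip().split("=", 1) for t in dmarc[0].split(";") if "=" in t)
    if tags.get("p", "").strip().lower() == "none":
        return ["DMARC: p=none only monitors; move to p=quarantine or p=reject"]
    return []

def audit(domain, txt, dkim_selectors=("selector1",)):
    """Audit SPF, DMARC and DKIM TXT records for one domain."""
    findings = check_spf(txt.get(domain, []))
    findings += check_dmarc(txt.get(f"_dmarc.{domain}", []))
    for sel in dkim_selectors:
        name = f"{sel}._domainkey.{domain}"
        if not any("p=" in r for r in txt.get(name, [])):
            findings.append(f"DKIM: no public key published at {name}")
    return findings
```

Running `audit("example.test", SAMPLE_TXT)` on the constructed records reports all three weaknesses; a domain with `-all`, `p=reject` and a published DKIM key returns no findings.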
8:27 – Murdoc Botnet Exploiting IoT for DDoS
Key Takeaways
- There have been several recent campaigns using variants of the Mirai botnet, which exploit vulnerabilities to infect devices and then launch DDoS attacks.
- Mirai was also recently observed causing the largest DDoS attack on record, at 5.6 Tbps, originating from 13,000 infected devices.
- It is recommended to continue assessing your DDoS defense strategy to help detect, prevent and reduce the effects of a DDoS attack.
10:39 – Malware Spotlight: PNGPLUG
A new loader named PNGPlug has been seen delivering ValleyRAT in attacks suspected to be performed by KTA405 (aka “Silver Fox”).
Ransomware Roundup
12:49 – Ransomware groups conducting Microsoft Teams phishing attacks
Ransomware groups are continuing to use Microsoft Teams to pose as IT support in various phishing attacks. Researchers have identified the groups as STAC5143 and STAC5777. These groups initiate contact by bombarding victim employees with spam emails and then follow up with a Teams call.
Dive deeper:
Kroll’s Monthly Threat Intelligence Spotlight Report: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports/cti-spotlight-trends-report
Kroll’s Q2 2024 Threat Landscape Report: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports/q2-2024-threat-landscape-report-threat-actors-ransomware-cloud-risks-accelerate
Playlist of Kroll's Weekly Cyber Threat Intelligence Briefings: Cyber Threat Intelligence Briefings
Kroll Cyber Blog: https://www.kroll.com/en/insights/publications/cyber
Kroll Cyber Threat Intelligence: https://www.kroll.com/en/services/cyber-risk/managed-security/threat-intelligence-services
Kroll Threat Intelligence Reports: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports
Kroll Responder MDR: https://www.kroll.com/en/services/cyber-risk/managed-security/kroll-responder