
F5 Threat Report - November 12th, 2025

New LandFall Spyware Exploited Samsung Zero-Day via WhatsApp Messages

A previously unknown spyware, "LandFall," exploited a critical zero-day vulnerability (CVE-2025-21042) in Samsung's Android image processing library (`libimagecodec.quram.so`) to target select Samsung Galaxy users in the Middle East. Active since at least July 2024, the spyware was delivered via malicious .DNG raw images with appended .ZIP archives sent over WhatsApp, leveraging an out-of-bounds write flaw that allowed remote arbitrary code execution. The LandFall spyware, likely a commercial surveillance framework, targets Galaxy S22, S23, S24 series, Z Fold 4, and Z Flip 4 devices, enabling extensive data exfiltration including microphone and call recordings, location tracking, and access to photos, contacts, SMS, call logs, files, and browsing history. Its components include a loader (`b.so`) and a SELinux policy manipulator (`l.so`) for persistence and privilege escalation, and it can fingerprint devices using hardware and SIM IDs. While C2 infrastructure shows similarities to Stealth Falcon operations and component naming conventions resemble those of NSO Group and other vendors, a definitive attribution remains unconfirmed. Samsung patched the vulnerability in April 2025, and users are advised to apply security updates, disable automatic media downloading in messaging apps, and consider advanced protection features.
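The delivery shape described above, an image file that is also a valid ZIP archive, can be checked for on a mail or messaging gateway. The following is an added example written for this report, not code from F5 or Unit 42; it builds a constructed minimal TIFF (DNG is TIFF-based) with a constructed ZIP appended and flags the polyglot, relying only on the Python standard library.

```python
import io
import struct
import zipfile

# TIFF headers (DNG is a TIFF-based container): little- and big-endian byte-order marks
TIFF_MAGICS = (b"II*\x00", b"MM\x00*")


def build_min_tiff() -> bytes:
    """Constructed sample: a minimal little-endian TIFF with one empty IFD.
    It stands in for a DNG only as far as the header check is concerned."""
    first_ifd_offset = struct.pack("<I", 8)
    empty_ifd = struct.pack("<H", 0) + struct.pack("<I", 0)  # 0 entries, no next IFD
    return b"II*\x00" + first_ifd_offset + empty_ifd


def build_zip(entries: dict) -> bytes:
    """Constructed sample: an in-memory ZIP archive with the given name -> bytes entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def inspect_image(data: bytes) -> dict:
    """Report whether `data` carries a TIFF/DNG header and whether a ZIP archive is appended.
    ZIP readers locate the archive from its end-of-central-directory record at the tail of
    the file, so a trailing archive stays fully usable behind an image header."""
    result = {
        "tiff": data[:4] in TIFF_MAGICS,
        "appended_zip": False,
        "zip_offset": None,
        "entries": [],
    }
    bio = io.BytesIO(data)
    if zipfile.is_zipfile(bio):
        bio.seek(0)
        try:
            with zipfile.ZipFile(bio) as zf:
                result["entries"] = zf.namelist()
        except zipfile.BadZipFile:
            return result
        result["appended_zip"] = True
        # offset of the first local file header; > 0 means the archive trails other data
        result["zip_offset"] = data.find(b"PK\x03\x04")
    return result


def is_suspicious_dng(data: bytes) -> bool:
    """An image that also parses as a ZIP matches the delivery shape in the report."""
    r = inspect_image(data)
    return r["tiff"] and r["appended_zip"]


if __name__ == "__main__":
    sample = build_min_tiff() + build_zip({"sample.bin": b"\x00" * 64})
    print(inspect_image(sample), is_suspicious_dng(sample))
```

A real gateway check would additionally walk the TIFF IFD chain to find where the image data ends, since a DNG with trailing bytes that are not a ZIP is also worth a look.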

Severity: Critical

Sources

Threat Details and IOCs

Malware: Deadglyph, Landfall, LandFall, LANDFALL
CVEs: CVE-2025-21042, CVE-2025-21043, CVE-2025-43300, CVE-2025-55177
Technologies: Apple iOS, Google Android, Samsung Galaxy, Samsung One UI, WhatsApp
Threat Actors: Cytrox, FruityArmor, Intellexa, LANDFALL, NSO, NSOGroup, StealthFalcon
Attacker Countries: Israel, Spain, United Arab Emirates
Attacker IPs: 192.36.57.56, 194.76.224.127, 45.155.250.158, 46.246.28.75, 91.132.92.35, 92.243.65.240
Attacker Domains: brightvideodesigns.com, healthyeatingontherun.com, hotelsitereview.com, projectmanagerskills.com
Attacker URLs: https://brightvideodesigns.com/is/, https://healthyeatingontherun.com/is/, https://hotelsitereview.com/is/, https://projectmanagerskills.com/is/
Victim Industries: Digital Media, Government, Information Technology, Technology Hardware, Telecommunications
Victim Countries: Iran, Iraq, Morocco, Saudi Arabia, South Korea, Turkey, United Arab Emirates

Mitigation Advice

  • Update all corporate-managed Samsung Galaxy S22, S23, S24, Z Fold 4, and Z Flip 4 devices to the April 2025 security patch level or a later version to remediate CVE-2025-21042.
  • Issue a directive for all employees to disable automatic media downloading within their WhatsApp application settings on both corporate and personal devices used for work.
  • Instruct users of corporate Android devices to enable the 'Advanced Protection' feature in their device's security settings for enhanced protection against novel spyware.
  • Obtain the indicators of compromise (IOCs) for the six LandFall C2 servers from the Unit 42 report and add them to the network firewall and DNS blocklists.

Compliance Best Practices

  • Implement and enforce a Mobile Device Management (MDM) policy to mandate and automate the installation of critical OS security updates on all managed mobile devices within a 72-hour window of their release.
  • Develop and deploy a mandatory, recurring security awareness training program that specifically addresses mobile-based social engineering, the risks of unsolicited attachments from unknown contacts, and safe practices for messaging apps like WhatsApp.
  • Evaluate and deploy a Mobile Threat Defense (MTD) solution on corporate devices to actively monitor for and alert on suspicious activities indicative of spyware, such as permission escalation, use of recording hardware, and anomalous network connections.
  • Establish and enforce a hardened security configuration baseline for all corporate mobile devices that enables high-security features, such as Android's 'Advanced Protection' or iOS's 'Lockdown Mode', by default.

Whisper Leak: A Novel Side-Channel Attack on Remote Language Models

A novel side-channel attack, termed "Whisper Leak," has been identified, enabling adversaries to infer language model conversation topics from encrypted network traffic by analyzing packet sizes and timings, despite Transport Layer Security (TLS) encryption. This attack exploits the token-by-token, streaming nature of large language model (LLM) responses, allowing network observers (e.g., internet service providers, local network attackers) to compromise user privacy, particularly for sensitive subjects like political dissent. Researchers demonstrated this by training a binary classifier on network traffic patterns for a specific topic ("legality of money laundering"), achieving over 98% accuracy (AUPRC). A simulated real-world scenario involving 10,000 conversations showed the attack could achieve 100% precision in identifying sensitive topics, even with low recall (5-50%), with effectiveness improving as more training data is collected. To mitigate this vulnerability, LLM providers like OpenAI and Azure have implemented "obfuscation" by adding random variable-length text to responses, while Mistral introduced a similar "p" parameter, significantly reducing attack effectiveness. Users can further protect their privacy by avoiding sensitive discussions on untrusted networks, utilizing VPN services, selecting providers with implemented mitigations, and opting for non-streaming models. The source code and a detailed technical report are publicly available.
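The obfuscation mitigation described above works because TLS hides content but not length. The following is an added example, not code from the Whisper Leak authors or any provider, showing an unmitigated streamed chunk beside a padded one and measuring how much of the token length each leaks; the JSON field names, the 64-byte bucket and the sample tokens are constructed for the illustration.

```python
import json
import random

BUCKET = 64  # constructed choice: chunk sizes are rounded up to a multiple of this many bytes

# Constructed sample of tokens as a provider would stream them, one chunk each
SAMPLE_TOKENS = ["The", " answer", " depends", " on", " your", " jurisdiction", "."]


def encode_chunk(token: str) -> bytes:
    """Unmitigated streamed chunk: its byte length moves one-for-one with the token length,
    and TLS preserves that length on the wire."""
    return json.dumps({"delta": token}, separators=(",", ":")).encode()


def encode_chunk_obfuscated(token: str, rng=None, bucket: int = BUCKET, max_extra: int = 2) -> bytes:
    """Mitigated chunk: an 'obfuscation' field pads the JSON up to the next bucket boundary,
    plus (when `rng` is supplied) a random number of extra whole buckets, so the observed size
    neither tracks the token length nor stays constant for repeats of the same token."""
    base = json.dumps({"delta": token, "obfuscation": ""}, separators=(",", ":")).encode()
    pad = (-len(base)) % bucket
    if rng is not None:
        pad += rng.randint(0, max_extra) * bucket
    filler = "x" * pad  # ASCII filler adds exactly one byte per character to the JSON
    return json.dumps({"delta": token, "obfuscation": filler}, separators=(",", ":")).encode()


def decode_token(chunk: bytes) -> str:
    """Client side: the padding field is simply ignored."""
    return json.loads(chunk)["delta"]


def wire_sizes(tokens, encoder) -> list:
    """Byte length of each chunk as a passive network observer would see it."""
    return [len(encoder(t)) for t in tokens]


def obfuscated_sizes(tokens, seed: int) -> list:
    """Sizes under the randomised variant; seeded only to make the demo repeatable
    (a real deployment would draw from a CSPRNG)."""
    rng = random.Random(seed)
    return wire_sizes(tokens, lambda t: encode_chunk_obfuscated(t, rng))


def leak_score(tokens, encoder) -> float:
    """Fraction of the distinct token lengths that chunk sizes alone give away: 1.0 when every
    length has its own wire size, 0.0 when no wire size is unique to a single token length."""
    lengths_by_size = {}
    for t in tokens:
        lengths_by_size.setdefault(len(encoder(t)), set()).add(len(t))
    identified = sum(1 for lens in lengths_by_size.values() if len(lens) == 1)
    return identified / len({len(t) for t in tokens})


if __name__ == "__main__":
    print("plain     :", wire_sizes(SAMPLE_TOKENS, encode_chunk), leak_score(SAMPLE_TOKENS, encode_chunk))
    print("bucketed  :", wire_sizes(SAMPLE_TOKENS, encode_chunk_obfuscated))
    print("randomised:", obfuscated_sizes(SAMPLE_TOKENS, 7))
```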

Severity: Critical

Sources

Threat Details and IOCs

Malware: LANDFALL, PrimeCache, PROMPTFLUX, SesameOp, Veaty, Whisper
Technologies: Alibaba Cloud Large Language Models, DeepSeek Large Language Model, Google Large Language Models, Meta Large Language Models, Microsoft Azure, Microsoft Azure AI Services, Mistral AI Mistral, OpenAI, xAI, xAI Large Language Models, Zhipu AI Large Language Models
Attacker URLs: http://github.com/yo-yo-yo-jbo/whisper_leak
Victim Industries: Digital Media, Financial Services, Government, Healthcare, Health Care Technology, Information Technology, Legal Services, Media and Entertainment, Technology Hardware, Telecommunications
Victim Countries: China, France, United States

Mitigation Advice

  • Require all employees to use the corporate VPN when accessing AI services from untrusted networks, such as public Wi-Fi, to add a layer of traffic encryption and obfuscation.
  • Distribute a security advisory to all staff, prohibiting the use of public or corporate AI chatbots for processing sensitive, confidential, or proprietary business data.
  • Audit all currently used third-party AI services to confirm they have implemented mitigations against traffic analysis attacks. Prioritize and approve the use of services that have deployed such protections.
  • Instruct all teams using LLM APIs to disable 'streaming' mode in their applications and configurations where the feature is not essential for the user experience.

Compliance Best Practices

  • Develop and implement a formal Acceptable Use Policy (AUP) for AI tools, defining approved platforms, data sensitivity classifications, and prohibited use cases to govern their safe adoption.
  • Update the third-party risk management program to include specific security requirements for AI vendors, mandating they provide evidence of mitigations against side-channel attacks like traffic analysis.
  • Initiate a research project to evaluate the cost, security benefits, and feasibility of deploying a private LLM for internal use cases involving sensitive company data.

Malicious NuGet Packages Plant Time Bomb Malware in Industrial Systems, Siemens S7 PLCs

Socket's researchers discovered malicious NuGet packages, published by the user shanhai666 between 2023 and 2024, that contain destructive code designed to activate years in the future. Nine of the twelve packages, downloaded nearly 10,000 times, included payloads that were 99% benign to evade detection and build trust. Several packages targeted major database providers like SQL Server, PostgreSQL, and SQLite, with their malicious logic set to trigger on specific dates in 2027 and 2028. Upon activation, these packages introduce a 20 percent probability of terminating the host application process during database queries. The most critical package, Sharp7Extend, used typosquatting to mimic the legitimate Sharp7 library and targeted Siemens S7 Programmable Logic Controllers (PLCs) widely used in manufacturing. Unlike the database-targeting malware, Sharp7Extend activates immediately upon installation, though its malicious functions cease after June 6, 2028. It employs two mechanisms: a 20 percent chance of terminating the application during Siemens S7 communication operations, and, after an initial 30-90 minute grace period, causing 80 percent of critical commands to fail, potentially leading to safety system failures and data corruption in industrial settings. All identified malicious packages have since been removed from NuGet, and organizations are advised to immediately audit their dependencies for these compromised packages.

Severity: Critical

Sources

Threat Details and IOCs

Malware: Sharp7Extend
Technologies: Microsoft .NET Framework, Microsoft NuGet, Microsoft SQL Server, NuGet, PostgreSQL, Sharp7, Siemens S7, Siemens SIMATIC S7, SQLite
Threat Actors: Shanhai666
Attacker Countries: China
Attacker Domains: hendryadrian.com
Victim Industries: Automotive, Chemical, Energy, Financial Services, Healthcare, Health Care Technology, Industrial Control Systems, Industrials, Information Technology, Logistics, Manufacturing, Retail
Victim Countries: Germany

Mitigation Advice

  • Scan all .NET project dependencies to identify if any of the following malicious NuGet packages are present: Sharp7Extend, MyDbRepository, MCDbRepository, SqlDbRepository, SqlRepository, SqlUnicornCoreTest, SqlUnicornCore, SqlUnicorn.Core, or SqlLiteRepository.
  • If any of the malicious NuGet packages are found on a system, immediately isolate that system from the network to begin incident response procedures.
  • Configure your NuGet package manager sources to explicitly block any packages published by the user 'shanhai666'.
  • Immediately investigate any systems using Siemens S7 PLCs for unexplained application crashes or communication failures, as these may be symptoms of the Sharp7Extend malware.
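The dependency scan in the first bullet can be automated over a source tree. This is an added example, not Socket's or F5's tooling: it reads PackageReference entries from .csproj files (SDK-style or legacy MSBuild namespace) and resolved ids from packages.lock.json, so transitive pulls are caught too, and compares them case-insensitively against the package ids named in this report. The sample project and lock file are constructed; their version numbers are placeholders. Publisher identity is not recorded in project files, so the shanhai666 block from the mitigation list still has to be applied at the feed.

```python
import json
import xml.etree.ElementTree as ET
from pathlib import Path

# Package ids named in the report (NuGet ids are case-insensitive, so compare lowercased)
MALICIOUS_PACKAGES = {
    "sharp7extend", "mydbrepository", "mcdbrepository", "sqldbrepository",
    "sqlrepository", "sqlunicorncoretest", "sqlunicorncore", "sqlunicorn.core",
    "sqlliterepository",
}


def packages_in_csproj(text: str) -> set:
    """Collect PackageReference ids; tolerate the legacy MSBuild XML namespace."""
    root = ET.fromstring(text)
    ids = set()
    for elem in root.iter():
        if elem.tag.rsplit("}", 1)[-1] == "PackageReference" and elem.get("Include"):
            ids.add(elem.get("Include").lower())
    return ids


def packages_in_lock(text: str) -> set:
    """packages.lock.json lists resolved ids (direct and transitive) per target framework."""
    data = json.loads(text)
    ids = set()
    for framework in data.get("dependencies", {}).values():
        ids.update(name.lower() for name in framework)
    return ids


def audit(files: dict) -> dict:
    """files: path -> text. Returns path -> sorted list of malicious ids found there."""
    hits = {}
    for path, text in files.items():
        if path.endswith(".csproj"):
            ids = packages_in_csproj(text)
        elif path.endswith("packages.lock.json"):
            ids = packages_in_lock(text)
        else:
            continue
        bad = sorted(ids & MALICIOUS_PACKAGES)
        if bad:
            hits[path] = bad
    return hits


def audit_tree(root: Path) -> dict:
    """Walk a checkout and audit every project and lock file under it."""
    files = {}
    for pattern in ("*.csproj", "packages.lock.json"):
        for p in root.rglob(pattern):
            files[str(p)] = p.read_text(encoding="utf-8", errors="replace")
    return audit(files)


# Constructed samples: a project referencing the legitimate Sharp7 next to the typosquat,
# and a lock file that pulled one of the database-targeting packages in transitively
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Sharp7" Version="1.0.0" />
    <PackageReference Include="Sharp7Extend" Version="1.0.0" />
  </ItemGroup>
</Project>"""

SAMPLE_LOCK = json.dumps({
    "version": 1,
    "dependencies": {"net8.0": {
        "Npgsql": {"type": "Direct", "requested": "[1.0.0, )", "resolved": "1.0.0"},
        "SqlUnicorn.Core": {"type": "Transitive", "resolved": "1.0.0"},
    }},
})

if __name__ == "__main__":
    print(audit({"Plc/Plc.csproj": SAMPLE_CSPROJ, "Plc/packages.lock.json": SAMPLE_LOCK}))
```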

Compliance Best Practices

  • Establish a formal policy and process for vetting and approving all third-party software dependencies, including NuGet packages, before they are permitted for use in production code.
  • Implement a private, internal package repository to host only vetted and approved third-party dependencies, and configure developer environments to use this repository as the primary source.
  • Implement tooling and processes to generate and maintain a Software Bill of Materials (SBOM) for all developed and deployed applications to enable rapid dependency auditing.
  • Develop and implement a recurring security training program for all developers focusing on software supply chain risks, including how to identify typosquatting and vet open-source package publishers.
  • Review and enhance network segmentation to ensure that Operational Technology (OT) networks, especially those with PLCs, are isolated from the corporate IT network to prevent cross-domain compromises.

MUT-4831 Deploys Vidar Infostealer via 17 Malicious npm Packages Targeting Windows

A sophisticated supply chain attack, attributed to the MUT-4831 threat actor cluster, targeted the npm ecosystem with 17 malicious packages across 23 releases, designed to deploy the Vidar v2 infostealer malware on Windows systems. Discovered by Datadog Security Research on October 21, 2025, these packages, masquerading as legitimate SDKs and libraries, remained active for approximately two weeks, accumulating over 2,240 downloads, with `react-icon-pkg` alone accounting for 503. The attack chain involved postinstall scripts downloading an encrypted ZIP archive from `bullethost[.]cloud`, decrypting it, and executing a Windows PE binary named `bridle.exe`. This Go-compiled Vidar variant aggressively harvests sensitive data, including browser credentials, cookies, and cryptocurrency wallets, exfiltrating it after dynamically discovering command-and-control servers via hardcoded Telegram and Steam accounts, then deleting all traces from the compromised system.

Severity: Critical

Sources

Threat Details and IOCs

Malware: Arkei, Arkei Stealer, ArkeiStealer, Lumma, LummaC2, Lumma Stealer, Mohazo, Raccoon Stealer, Racealer, RedLine, RedLine Stealer, Spyware.Vidar, StealC, Vidar, Vidar Stealer
CVEs: CVE-2023-20118, CVE-2025-34090
Technologies: Amazon Web Services, Apple macOS, Discord, FileZilla, Google Chrome, Microsoft 365, Microsoft Azure, Microsoft Edge, Microsoft Visual Studio, Microsoft Windows, Monero, Mozilla Firefox, Node.js, npm, Opera, Pale Moon, React, Steam, Telegram, Vivaldi, Waterfox, WinSCP
Threat Actors: AngryLikho, Bitter, Loadbaks, MUT4831, Storm-2477, WaterKurita
Attacker Countries: Azerbaijan, Moldova, Russia
Attacker IPs: 65.100.80.190, 65.108.80.90
Attacker Emails: aartrabens@gmail.com, saliii229911@gmail.com
Attacker Domains: a.t.rizbegadget.shop, bullethost.cloud, cvt.technicalprorj.xyz, files.catbox.moe, ftp.nadimgadget.shop, gor.technicalprorj.xyz, gra.khabeir.com, gra.nadimgadget.shop, gz.technicalprorj.xyz, iu.server24x.com, mas.to, nv.d.khabeir.com, p.x.rizbegadget.shop, steamcommunity.com, stg.mistonecorp.net, stg.server24.com, stg.server24x.com, telegram.me, t.y.server24x.com, upload.bullethost.cloud
Attacker URLs: https://files.catbox.moe/awktpw.zip, https://nv.d.khabeir.com, https://steamcommunity.com/profiles/76561198777118079, https://telegram.me/s/sre22qe, https://upload.bullethost.cloud/download/68f5503834645ddd64ba3e17, https://upload.bullethost.cloud/download/68f55d7834645ddd64ba3e3e, https://upload.bullethost.cloud/download/68f775f734645ddd64ba99f4, https://upload.bullethost.cloud/download/68f77d1134645ddd64ba9a5e, https://upload.bullethost.cloud/download/68f7b14734645ddd64ba9b6e, https://upload.bullethost.cloud/download/68f7c68a34645ddd64ba9b9d, https://upload.bullethost.cloud/download/68f7de3834645ddd64ba9c00, hxxp://mas.to/@oleg98, hxxps://steamcommunity.com/profiles/76561198780411257
Victim Industries: Business Services, Cloud Infrastructure, Cryptocurrency, Education, Financial Services, Gaming, Government, Healthcare, Information Technology, Manufacturing, Real Estate, Retail, Social Media, Software, Sports and Entertainment, Technology Hardware, Utilities

Mitigation Advice

  • Add the domain `bullethost[.]cloud` to the network firewall and DNS blocklists to prevent connections to the malware distribution server.
  • Use EDR or system scanning tools to search all Windows endpoints and servers for the file `bridle.exe` to identify potential infections.
  • Instruct developers to immediately audit all project `package.json` and lock files for dependencies named `custom-tg-bot-plan`, `react-icon-pkg`, or any packages published by npm users `aartje` and `saliii229911`.
  • Review network logs for unusual outbound connections from developer workstations or build servers to Telegram or Steam APIs, as this is a C2 channel used by this Vidar variant.
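The first and last bullets above can be run as one triage pass over egress logs. This is an added example, not Datadog's or F5's detection content: it flags any host reaching the distribution domain from this report (suffix-matched, so the upload subdomain counts), flags build servers and developer workstations reaching the Telegram, Steam and Mastodon endpoints the stealer uses for C2 discovery, and then picks out hosts that did both. The log format, the hostname prefixes used to recognise build/dev machines, and the log lines themselves are constructed for the illustration.

```python
import re
from collections import defaultdict

# Infrastructure named in the report: the distribution host and the services abused for C2
# discovery. Suffix matching also covers subdomains such as upload.bullethost.cloud.
DISTRIBUTION_DOMAINS = ("bullethost.cloud",)
C2_DISCOVERY_DOMAINS = ("telegram.me", "steamcommunity.com", "mas.to")

# Constructed convention: build servers and developer workstations carry these prefixes
DEV_HOST_PREFIXES = ("build-", "dev-")

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) port=(?P<port>\d+) bytes=(?P<bytes>\d+)$"
)


def matches(domain: str, suffixes) -> bool:
    """True when `domain` equals or is a subdomain of any entry in `suffixes`."""
    d = domain.lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in suffixes)


def is_dev_host(name: str) -> bool:
    return name.lower().startswith(DEV_HOST_PREFIXES)


def triage(log_text: str) -> list:
    """One finding per suspicious line: any host reaching the distribution domain, and
    build/dev hosts reaching the profile pages the stealer reads to locate its C2."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines instead of failing the whole run
        rec = m.groupdict()
        if matches(rec["dst"], DISTRIBUTION_DOMAINS):
            rule = "distribution-domain"
        elif is_dev_host(rec["src"]) and matches(rec["dst"], C2_DISCOVERY_DOMAINS):
            rule = "c2-discovery-from-dev-host"
        else:
            continue
        findings.append({"ts": rec["ts"], "src": rec["src"], "dst": rec["dst"], "rule": rule})
    return findings


def hosts_with_full_chain(findings) -> set:
    """Hosts seen both fetching from the distribution domain and reaching a C2-discovery
    profile: the strongest sign in network data that the postinstall payload actually ran."""
    rules_by_host = defaultdict(set)
    for f in findings:
        rules_by_host[f["src"]].add(f["rule"])
    needed = {"distribution-domain", "c2-discovery-from-dev-host"}
    return {host for host, rules in rules_by_host.items() if needed <= rules}


# Constructed sample egress log (not real traffic)
SAMPLE_LOG = """\
2025-10-22T09:14:05Z src=build-07 dst=registry.npmjs.org port=443 bytes=1834211
2025-10-22T09:14:09Z src=build-07 dst=upload.bullethost.cloud port=443 bytes=912340
2025-10-22T09:15:40Z src=build-07 dst=telegram.me port=443 bytes=5120
2025-10-22T09:15:41Z src=build-07 dst=steamcommunity.com port=443 bytes=6011
2025-10-22T10:02:13Z src=laptop-sales-3 dst=steamcommunity.com port=443 bytes=77012
2025-10-22T10:30:00Z src=dev-ana dst=github.com port=443 bytes=22000
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f)
    print("full chain:", hosts_with_full_chain(found))
```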

Compliance Best Practices

  • Establish a new security policy to disable automatic execution of npm `postinstall` scripts by default using the `--ignore-scripts` flag, and create a process to vet and explicitly allow scripts only for trusted packages.
  • Deploy a private npm registry or a caching proxy, such as Sonatype Nexus or JFrog Artifactory, to host only vetted and approved third-party packages for internal developer use.
  • Integrate a Software Composition Analysis (SCA) tool into the CI/CD pipeline to automatically scan npm packages for known vulnerabilities and malicious code signatures on every build.
  • Enforce a policy requiring all projects to use lockfiles (e.g., `package-lock.json`) and mandate the use of `npm ci` instead of `npm install` in all automated build environments to ensure reproducible and vetted dependency installation.
  • On all Windows developer workstations and build servers, enable PowerShell Script Block Logging and Module Logging and forward logs to your SIEM for analysis.
  • Configure the PowerShell execution policy on all Windows developer workstations and build servers to `RemoteSigned` or stricter via Group Policy to prevent the execution of unsigned, untrusted scripts.

Sandworm (GRU) Wiper Attacks Target Ukraine's Critical Infrastructure

Russian state-controlled Sandworm, identified as part of the GRU, has consistently deployed destructive wiper malware against Ukraine, with recent attacks reported in April, June, and September. These attacks targeted a Ukrainian university with the Sting and Zerlot wipers and later expanded to critical infrastructure, including government, energy, logistics, and notably the grain industry, aiming to weaken the country's war economy. This continues a pattern of Russian cyber warfare that previously included the NotPetya worm in 2012, attacks on Ukraine's electricity grid in 2016-2017, and 2022 incidents affecting satellite modems and a Kyiv TV station, alongside other wipers such as WhisperGate. Other Russian-aligned groups, including RomCom, which exploited a WinRAR zero-day, and Gamaredon, have also conducted wiper attacks, with UAC-0099 sometimes providing initial access through spear phishing, underscoring wipers' enduring role as a preferred tool for Russian threat actors.

Severity: Critical

Sources

Threat Details and IOCs

Malware: Acid Pour, AcidPour, AcidRain, BACKORDER, BE2, BE3, Black Energy, BlackEnergy, Blakken, BPFDoor, CaddyWiper, Chisel, CRASHOVERRIDE, Diskcoder.C, EternalPetya, ExPetr, FoxBlade, FruitShell, GoldenEye, GootKit Loader, GootLoader, HermeticWiper, Industroyer, IsaacWiper, Kalambur, KillDisk, LAMEHUG, Localolive, LocalOlive, NEARMISS, NotPetya, Nyetna, Nyetya, NyetYa, PathWiper, PEAPOD, Petna, Petya 2.0, Petya.A, Pnyetya, PromptSteal, Pterodo, PteroPSDoor, PteroVDoor, QuietVault, RomCom, RomCom RAT, RomCom RAT 5.0, RustyClaw, SingleCamper, SnipBot, Sting, SUMBUR, VPNFilter, WhisperGate, Zerlot, Zerolot, ZeroLot, ZEROLOT
CVEs: CVE-2013-3906, CVE-2014-4114, CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0147, CVE-2017-0148, CVE-2017-0199, CVE-2019-10149, CVE-2021-32648, CVE-2021-34473, CVE-2022-41352, CVE-2023-23397, CVE-2023-32315, CVE-2023-32784, CVE-2023-42793, CVE-2023-48788, CVE-2024-1709, CVE-2025-53770, CVE-2025-8088
Technologies: ESET Endpoint Security, KeePass, Linux, Microsoft Active Directory, Microsoft Internet Information Services, Microsoft Windows, MikroTik RouterOS, MikroTik WinBox, OpenSSH, Python, RARLAB WinRAR, SonicWall Secure Mobile Access, Tor
Threat Actors: Actinium, AngryLikho, APT28, APT44, AquaBlizzard, Armageddon, AwakenLikho, BlackEnergy, CoreWerewolf, DEV-0861, EarthBluecrow, ELECTRUM, FROZENBARENTS, Gamaredon, InedibleOchotense, IRIDIUM, IronTilden, IRONVIKING, MuddyWater, PrimitiveBear, Quedagh, RedMenshen, RomCom, Sandworm, SeashellBlizzard, Shuckworm, StickyWerewolf, Storm-0978, Storm0978, TA450, TA453, TA455, Telebots, TridentUrsa, TropicalScorpius, Turla, UAC0002, UAC-0010, UAC0010, UAC-0082, UAC0082, UAC-0099, UAC0113, UAC-0125, UAC0125, Uac0145, UNC2565, UNC2596, UNC530, Unit74455, UNKSmudgedSerpent, VoidRabisu, VoodooBear, Winterflounder
Attacker Countries: China, Iran, Myanmar, North Korea, Russia
Attacker IPs: 156.67.24.239, 185.145.245.209, 77.20.116.133
Attacker Domains: ciscoheartbeat.com, eliteheirs.org, esetremover.com, esetscanner.com, esetsmart.com, melamorri.com, taibdsgqlwvnizgipp4sn7xee72qys3pufih3rjzhx3e5b5t245kafid.onion, yuknkap4im65njr3tlprnpqwj4h7aal4hrn2tdieg75rpp6fx25hqbyd.onion
Attacker URLs: 185.145.245.209:22065/service.aspx
Victim Industries: Agriculture, Automotive, Business Services, Critical Manufacturing, Defense, Digital Media, Education, Energy, Engineering, Financial Services, Government, Hospitality, Information Technology, Legal and Professional Services, Logistics, Manufacturing, Professional Services, Retail, Telecommunications, Transportation, Transportation & Logistics, Utilities
Victim Countries: Austria, Belarus, Belgium, Bulgaria, Canada, China, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Israel, Italy, Latvia, Lithuania, Luxembourg, Malta, Myanmar, Netherlands, Norway, Poland, Portugal, Romania, Russia, Slovakia, Slovenia, South Korea, Spain, Sweden, Ukraine, United States

Mitigation Advice

  • Use endpoint management or scripting tools to scan all Windows systems for a scheduled task named "DavaniGulyashaSdeshka" and alert on or remove any findings.
  • Identify all installations of WinRAR in the environment and ensure they are updated to a version that is not vulnerable to the zero-day exploit mentioned above.
  • Configure email security gateways to block or quarantine emails from external sources that contain executable files or compressed archives like .rar and .zip.
  • Scan the network to identify all systems running SMBv1 and disable the protocol wherever it is not essential for business operations.

Compliance Best Practices

  • Implement and regularly test a 3-2-1 backup strategy, ensuring at least one copy of critical data is stored offline, air-gapped, or in an immutable storage repository to protect it from wiper malware.
  • Develop and roll out a continuous security awareness training program that includes phishing simulations to educate employees on how to identify and report suspicious emails.
  • Implement network segmentation to create isolated zones for critical servers and services, restricting communication paths from user workstations to limit the lateral movement of malware.
  • Deploy an application control or allowlisting solution on endpoints, particularly servers, to restrict software execution to only known and approved applications.

Published Nov 11, 2025
Version 1.0