Threat Research & Intelligence

Canary Shares Canary shares are decoy network file shares strategically deployed across an enterprise environment to detect unauthorized network reconnaissance and lateral movement. These honeypot shares are configured with enticing names like "Finance," "Backups," "HR_Documents," or "IT_Admin" and populated with bait files (credentials.xlsx, passwords.txt, database_backup.sql) that appear valuable to attackers but serve no legitimate business function. When adversaries gain initial access to a network, one of their first actions is typically share enumeration to identify accessible resources containing sensitive data, credentials, or pathways to high-value targets. Attackers commonly use built-in Windows commands like net view, net share, and dir \\server\share, as well as offensive tools such as PowerView (Invoke-ShareFinder, Find-InterestingFile), SharpShares

Canary Files Canary files are decoy documents placed in strategic locations to detect unauthorized file access, data exfiltration attempts, or ransomware activity. Besides creating these files manually in your network, Blue Teams can use free online tools like Thinkst Canary Tokens to even get an email when the token is opened or used - with the offenders IP address! How cool is that!? We’ll go over more techniques in the rest of this series. For now, here’s the strategy and some ideas for building your Canary Files manually: File Naming StrategyCreate files with names that attract attackers:passwords.xlsxcredentials.txtemployee_ssn.csvfinancial_records_2024.xlsxadmin_passwords.docx

A state-sponsored supply chain attack compromised Notepad++'s update infrastructure from June to December 2025, Ampcus Cyber enabling Chinese APT group Lotus Blossom Securelist (aka Billbug, Lotus Panda, Raspberry Typhoon) to deliver malicious payloads to targeted victims. The Hacker News The attackers deployed three distinct infection chains Securelist featuring rotating C2 infrastructure, a custom backdoor called Chrysalis,

Introduction Cyber deception is a proactive defense strategy that deploys decoy assets (canaries, honeypots, honeytokens) throughout your environment to detect adversary presence. Unlike traditional security tools that rely on signatures or known malicious behavior, deception techniques detect attackers by monitoring access to resources that have no legitimate business purpose.Key Principle: Any interaction with a canary asset is inherently suspicious because legitimate users and processes have no reason to access them. Why Cyber Deception? Limitations of Traditional Security Tools Traditional Tool Limitation Antivirus/EDR Relies on signatures; can be bypassed with custom malware Firewalls Cannot detect lateral movement within trusted networks IDS/IPS

The Interlock ransomware group has weaponized a gaming anti-cheat driver vulnerability (CVE-2025-61155) in a sophisticated BYOVD attack chain to disable endpoint security tools before encryption. This novel technique emerged in campaigns targeting healthcare, defense, and education sectors across North America and Europe, with 60+ victims claimed since September 2024. The vulnerability's moderate severity rating obscures its actual danger when combined with ransomware operations. The vulnerability hiding in plain sightCVE-2025-61155 affects GameDriverX64.sys, a signed kernel-mode anti-cheat driver developed by Hotta Studio for the game "Tower of Fantasy." Published in the NVD on October 28, 2025, this vulnerability allows local attackers to crash arbitrary processes by sending specially crafted IOCTL requests—no administrative privileges required. Attribute    ValueCVSS v3.1    5.5 (Medium)Vector    CVSS:3.1/AV:L/AC:L

The 2024 funding crisis exposed a fundamental truth: we've built critical infrastructure without critical infrastructure protection.CVE IDs are now the universal language of vulnerability management. Every major vendor uses them. Every scanner depends on them. Compliance frameworks like PCI-DSS, HIPAA and SOC 2 mandate them. Procurement requirements reference them. They're embedded in automated security tooling across every sector.Yet this entire system runs on year-to-year government contracts.When MITRE's funding faced renewal uncertainty, the global vulnerability identification system nearly collapsed. Not because the program was flawed, but because we treat essential internet infrastructure like a discretionary line item.The market must understand: CVE operates without statutory protection, dedicated long-term appropriations or formal governance that could survive agency reorganizations or budget cuts. We've created a single point of failure for globa

Beyond patching for VMware vCenter Server's DCERPC protocol, I HIGHLY recommend incorporating Sysmon and Sysmon For Linux into any security stack. And here's why. From a Sysmon telemetry perspective, detecting exploitation attempts and post-compromise activity related to CVE-2024-37079 requires monitoring several key event types that reveal both the initial attack vector and subsequent adversary behavior. Event ID 1 (Process Creation) becomes the cornerstone for identifying post-exploitation activity, particularly when monitoring for unusual child processes spawned from vCenter-related parent processes such as vpxd.exe, vws.exe, or other VMware services running on the compromised system. Attackers who successfully exploit the DCERPC heap overflow to achieve remote code execution will inevitably spawn command interpreters like cmd.exe, powershell.exe, or pwsh.exe to establish their foothold and begin reconnaissance operations. Detection logic should zero in on process creation events

Last year in October, phishing statistics show a tactical evolution with 40% of business-targeted phishing emails now AI-generated, producing perfectly personalized, grammatically flawless attacks that eliminate traditional detection markers. Attackers are weaponizing legitimate platforms: Figma for credential theft (49% linked to Storm-1747), fake Google Careers pages, and ClickUp redirect chains to bypass email filters and URL reputation checks. PDF-based QR code phishing has surged as the primary attack vector, replacing direct email QR codes to push victims toward mobile devices lacking enterprise security controls. The TyKit phishing kit demonstrates the new baseline: SVG-embedded obfuscated JavaScript, Cloudflare Turnstile CAPTCHA chains, and multi-stage verification pages designed to evade security bots, while revived calendar injection attacks add malicious events directly to corporate calendars, triggering phishing attempts through meeting reminders even when users ignore t

The STR Team was presented with the following questions: What are the most recent toolchain improvements that you see **Kimsuky** developing and deploying? What are the most recent toolchain improvements that you see **Lazarus** developing and deploying? Overall, what weaknesses are APT attackers trying to overcome in their toolsets with their latest developments? Will these updates make it more likely that the attackers can bypass reasonable antivirus defenses? What should defenders make sure they are doing to protect against these variants and future variants of these tools? Our response to these questions were sited by Dark Reading here:https://www.darkreading.com/vulnerabilities-threats/kimsuky-httptroy-backdoor-south-korea-users Ho

This is, in my opinion, only the beginning of what we will see in the future of "AI Powered" everything. As new innovations land in the hands of cyber professionals and criminals, both sides will find ways to enhance their playbook to maximize their potential and effectiveness. Part of the process for making improvements is testing - this attack, I think, is just that. GTIG noted back in January they we're starting to see integrations of AI into threat actor's toolkits with a recent update in November siting malware strains such as FRUITSHELL, PROMPTFLUX, PROMPTLOCK, PROMPTSTEAL, and QUIETVAULT experimenting with LLMs to achieve dynamic obfuscation. My question is, and has been for some time, who is moving faster - us or them? Threat actors don't have to deal with compliance, ticket queues, reports, metrics, buzzwords, or even laws. Defenders are almost completely reactive in their craft and have to deal with all of the things threat actors don't have to... which costs us time. Time

The XWiki CVE-2025-24893 exploitation campaign demonstrates a rapidly evolving multi-faceted attack landscape where threat actors leverage unauthenticated remote code execution through Groovy code injection in the SolrSearch macro. Attackers employ a diverse toolkit ranging from automated botnet operations (RondoDox) to sophisticated two-stage payload delivery mechanisms that stage downloaders in the /tmp/ directory before executing cryptocurrency miners 20+ minutes later. The attack chains include reverse shell establishment using BusyBox netcat and bash TCP redirections to attacker-controlled infrastructure, with some operations originating from compromised QNAP devices and legitimate AWS IP addresses. Reconnaissance efforts span from Nuclei-based scanning executing cat /etc/passwd for validation to custom OAST callback mechanisms, while payload delivery leverages standard Linux utilities (wget, curl) to retrieve obfuscated base64-encoded scripts from DynamicDNS d

India's Sanchar Saathi - The Premature MandateIndia's attempt to mandate the Sanchar Saathi app represents, in my opinion, what happens when governments prioritize deployment speed over trust-building. The app itself had legitimate fraud-prevention features—device tracking, IMEI verification, suspicious call reporting—but the execution was fundamentally flawed. Requiring pre-installation on every device with system-level access that "cannot be disabled or restricted" essentially converted smartphones into mandatory government monitoring endpoints. The backlash was swift and appropriate: opposition parties, digital rights groups, and even Apple pushed back hard. What bothers me most about this approach is that the government had a potentially useful tool and completely squandered public trust by making it mandatory instead of voluntary. My question is, why rush to force adoption when you haven't built the transparency framework first? The WORST thing governm

In today’s multi-vendor firewall landscape—SonicWall, Cisco, Palo Alto, Fortinet, you name it—the real challenge isn’t the volume of alerts, it’s the fact that defenders are drowning in vendor-defined noise while adversaries move with zero friction. Attackers don’t care which firewall brand you use; they probe them all the same way, exploiting whatever CVE is easiest, chaining behaviors across edges, VPNs, and segmentation layers faster than most teams can triage a single ticket. That means security organizations must break out of the old model of blindly trusting each vendor’s severity ratings and instead normalize everything into a unified risk framework driven by asset criticality, exploitability, and real-world threat intel. The teams who win will be the ones who correlate signals across all their firewalls, prioritize based on behavior and KEV-level urgency, and automate the enrichment so analysts aren’t stuck babysitting logs. This isn’t about choosing which vendor screams th

Ransomware payments remain astronomically high despite year-over-year declines because threat actors have shifted from volume-based spray-and-pray attacks to highly selective, intelligence-driven operations against organizations they've researched and know can pay. The RaaS ecosystem has matured significantly with initial access brokers, data exfiltration specialists, and professional negotiators optimizing the entire kill chain to maximize payment extraction from fewer, higher-value targets. While organizations HAVE improved with better backups, incident response plans, and EDR/XDR adoption, I'd argue the bigger factor driving declining payment numbers is shifting attacker tactics rather than defender resilience. We're seeing ransomware groups evolve beyond traditional encryption to data-only extortion, incremental staged payments and hybrid attacks combining ransomware with DDoS and supplier targeting. These sophisticated extortion models often don't get categorized as "ransomware

Amazon's threat intelligence team dropped research on a years-long Russian GRU campaign (Sandworm/APT44) targeting Western critical infrastructure, and the headline finding should make every security team think twice about their priorities. Between 2021-2024, these actors burned through CVE-2022-26318 (WatchGuard), CVE-2021-26084 and CVE-2023-22518 (Confluence), and CVE-2023-27532 (Veeam) like they were going out of style. But in 2025? Sharp decline in vulnerability exploitation activity, replaced almost entirely by targeting misconfigured customer network edge devices with exposed management interfaces. Here's what's actually happening: security teams have gotten dramatically better at vulnerability management, patch cycles have compressed from months to weeks, EDR and SIEM platforms now catch exploitation artifacts reliably - but still bypassable by skilled threat actors, and threat intelligence sharing means exploits have shorter useful lifespans before defenders adapt. The resul

The PHALT#BLYX campaign exemplifies a well-established pattern where threat actors utilize European markets as operational proving grounds before targeting North American organizations. While Europe maintains robust regulatory frameworks like GDPR and NIS2, the practical security posture varies significantly across member states, particularly among small-to-medium hospitality businesses that often rely on basic perimeter defenses rather than mature SOC operations and EDR deployments common in US enterprises. Russian-speaking threat actors, evidenced by Cyrillic debug strings and DCRat usage in this campaign, deliberately test TTPs in lower-risk environments to refine detection evasion techniques against European security vendors before facing US-dominant solutions like CrowdStrike and Microsoft Defender for Endpoint. The use of Euro-denominated lures (€1,004.38 charges) demonstrates targeted geographic focus, allowing attackers to validate psychological manipulation tactics, infrast

Analyzing PHALT#BLYX: How Fake BSODs and Trusted Build Tools Are Used to Construct a Malware InfectionBy Securonix Threat Research: Shikha Sangwan, Akshay Gaikwad, Aaron BeardsleeJanuary 5, 2025 tldr:Securonix threat researchers have been tracking a stealthy campaign targeting the hospitality sector using click-fix social engineering, fake captcha and fake blue screen of death to trick users into pasting malicious code. It leverages a trusted MSBuid.exe tool to bypass defenses and deploys a stealthy, Russian-linked DCRat payload for full remote access and the ability to drop secondary payloads. An ongoing malware campaign tracked as PHALT#BLYX has been identified as a multi-stage infection chain that begins with the click-fix and fake captcha social engineering tactic and deploys a customized DCRat payload. For initia

Greetings Securonix Connect Members,We are pleased to share the December 2025 Autonomous Threat Sweeper (ATS) Monthly Digest.During December, ATS tracked 141 emerging threats identified in the wild and performed corresponding sweeps across customer environments to assess potential exposure and validate detection coverage. This monthly digest provides insight into the evolving threat landscape, highlighting key trends, active threat actors, and commonly observed MITRE ATT&CK techniques.Emerging Threat TrendsSeveral recurring themes were observed throughout the month’s activity: Exploitation of public-facing applications remained one of the most common initial access vectors. React2Shell / CVE-2025-55182 was exploited by multiple threat actors, often for persistence or cryptomining payloads.

Securonix Threat Research (STR) Monthly Newsletter– November 2025 Edition – Welcome back to another newsletter by the Securonix Threat Research Team!November has been a month of a LOT of reverse engineering. The team has been grabbing malware samples from multiple sources to find novel and interesting techniques and indicators to share with the community. Our team has also been featured and seen this month during the FS-ISAC EMEA webinar where Shikha Sangwan presented her findings for CHAMELEON#NET. We provided commentary on the latest Kimsuky & Lazarus Tooling, Evolving ClickFix Attacks, the recent Government Compromise, CISA 2015 Reauthorization, Chinese using Claude to “AutoAttack”,  XWiki CVE-2025-24893, and Legacy Firewall Attacks. We also now have Securonix Connect to share these ideas and updates in a more streamlined way! Oftentimes, news outlets summarize a lot of our commentary but now we h