Securonix Threat Research (STR) Monthly Newsletter – November 2025 Edition –

Securonix Threat Research (STR) Monthly Newsletter

– November 2025 Edition –

Welcome back to another newsletter by the Securonix Threat Research Team!

November has been a month of a LOT of reverse engineering. The team has been grabbing malware samples from multiple sources to find novel and interesting techniques and indicators to share with the community. Our team has also been featured and seen this month during the FS-ISAC EMEA webinar where Shikha Sangwan presented her findings for CHAMELEON#NET. We provided commentary on the latest Kimsuky & Lazarus Tooling, Evolving ClickFix Attacks, the recent Government Compromise, CISA 2015 Reauthorization, Chinese using Claude to “AutoAttack”,  XWiki CVE-2025-24893, and Legacy Firewall Attacks.

We also now have Securonix Connect to share these ideas and updates in a more streamlined way! Oftentimes, news outlets summarize a lot of our commentary but now we have a place in the Connect to share our thoughts and interact with anyone who has feedback or questions. Pretty cool stuff right there!

New Threat Research

In the month of November, we followed a malware strain that demonstrates advanced evasion techniques through a sophisticated four-stage attack chain designed to bypass traditional endpoint detection. The infection begins with a simple batch file dropper that executes a PowerShell script, which downloads a seemingly innocuous Death Note anime wallpaper from Archive.org. Hidden within this 2.3MB JPEG file is a base64-encoded .NET assembly concealed using steganographic markers, which the PowerShell script extracts and loads directly into memory without ever touching disk. This assembly then downloads a text file containing a reversed and base64-encoded payload, which undergoes a final XOR decryption (key: 0x8A4A) before being injected into a legitimate Windows process (cvtres.exe) using process hollowing techniques. Notably, the malware never writes a malicious executable to disk at any stage—all decoding, decryption, and execution occurs entirely in memory, allowing it to bypass file-based antivirus solutions, file integrity monitoring, and forensic analysis. The attack chain leverages multiple layers of obfuscation including string reversal, base64 encoding, steganography, XOR encryption, and ultimately process hollowing, representing a sophisticated threat that requires behavioral detection and memory analysis capabilities to identify and prevent. This research led to a whole host of IOCs for Autonomous Threat Sweeper (ATS) along with prototype detection submissions.

Threat Tactics covered by New Security Content

Our team continuity monitors current and active threats.  From a research focused standpoint, detections have been created based on relevant TTPs (Tactics Techniques and Procedures) of recent critical real-world threats for the following malware, vulnerabilities or threat families:

AI-enabled malware, APT, CVE-2025-24893, ClassLibrary1, Cryptominer, EndClientRAT, FilelessMalware, Groovy_Injection, Kimsuky, LLM abuse, Microsoft.Win32.TaskScheduler.dll, NamedPipe, Obfuscation, PROMPTFLUX, PhantomStealer, ProcessHollowing, Resource_Hijacking, RetryLogic, Reverse_Shell, RondoDox, Steganography, TinyBanker, WormGPT, XMRig, XWiki, Zusy, attack.command_and_control, attack.defense_evasion, attack.execution, attack.impact, attack.initial_access, attack.lateral_movement, attack.t1021.004, attack.t1027, attack.t1027.003, attack.t1027.010, attack.t1055, attack.t1055.012, attack.t1059, attack.t1059.004, attack.t1071, attack.t1071.001, attack.t1102, attack.t1190, attack.t1496, metamorphic malware 

Analytics and Highlights of New Security Content 

Here are the latest metrics which correlate our outputs with real-world threats. This section covers new detection content as well as attack indicators provided as inputs for our ATS, hunting, and other teams 

for the month of November.

– The Current Threat Landscape – 

November 2025 continued the concerning trajectory of sophisticated cyberattacks targeting organizations globally, with significant incidents impacting critical infrastructure, financial services, and technology sectors. The month was characterized by:

• Record-breaking breaches: Major incidents affecting DoorDash, Logitech, London Councils, and a $120M DeFi exploit
• Active exploitation: One Windows kernel zero-day and multiple critical vulnerabilities in enterprise infrastructure
• Ransomware evolution: Shift toward data exfiltration over encryption, with 50% of attacks targeting critical sectors
• AI-weaponization: Increased use of generative AI for sophisticated phishing and social engineering campaigns

The average cost per data breach reached $4.45 million [1], while ransomware insurance claims surged 68% to an average of $353,000 [2].

[1] Astra Security Blog. "Recent Cyber Attacks - 2025." https://www.getastra.com/blog/security-audit/recent-cyber-attacks/

[2] NordLayer. "8 of the Biggest Ransomware Attacks of 2025." https://nordlayer.com/blog/ransomware-attacks-2025/

Kimsuky EndClient RAT Remote Shell Named Pipes 

This report details the discovery and analysis of "EndClient RAT," a novel AutoIT-based Remote Access Trojan attributed to the North Korean Kimsuky APT group targeting North Korean Human Rights Defenders. The attack began in September when a prominent activist's Google account was compromised, leading to the remote wiping of their mobile device and the distribution of malware through their KakaoTalk account to 39+ identified targets. The RAT was delivered via a code-signed MSI installer named "StressClear.msi" using stolen certificates from a Chinese mining company (Chengdu Huifenghe Science and Technology Co Ltd), which allowed it to bypass Windows SmartScreen and maintain extremely low detection rates (7/64 for dropper, 1/64 for payload script). The malware bundled legitimate South Korean banking software (WIZVERA VeraPort Delfino) as a decoy while deploying the actual RAT payload. 

The EndClient RAT establishes persistence through scheduled tasks and startup folder LNK files, uses mutex-gated execution to prevent multiple instances, and implements basic polymorphic capabilities specifically targeting Avast antivirus. It communicates with its C2 server (116.202.99.218:443) using a custom TCP protocol with JSON-formatted commands and unique sentinel markers ("endClient9688"/"endServer9688"). The malware features typical RAT capabilities including remote shell access via named pipes, file upload/download (with 30MB limit), system information gathering, and process management. It employs four in-memory machine code modules for protocol handling, Base64 encoding/decoding, binary pattern searching, and LZMA decompression—components that appear to be reused from other sources, consistent with known Kimsuky tradecraft. 

TTPs (MITRE ATT&CK) 

• T1566 - Phishing: Social engineering via compromised KakaoTalk account distributing malicious MSI installer 
• T1078 - Valid Accounts: Compromised Google account used for initial access and mobile device wiping 
• T1204.002 - User Execution: Malicious File: Users tricked into executing StressClear.msi installer 
• T1059.001 - Command and Scripting Interpreter: PowerShell/Batch: BAT dropper script for initial deployment 
• T1059.005 - Visual Basic: VBS script displaying fake error message 
• T1053.005 - Scheduled Task/Job: Persistence via scheduled task "IoKlTr" executing every minute 
• T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder: LNK file in Startup directory 
• T1036.005 - Masquerading: Match Legitimate Name or Location: Copying schtasks.exe to hwpviewer.exe 
• T1027 - Obfuscated Files or Information: Heavily obfuscated AutoIT script 
• T1027.009 - Embedded Payloads: AutoIT payloads dropped into C:\Users\Public\Music 
• T1140 - Deobfuscate/Decode Files or Information: Base64 and LZMA decompression modules 
• T1112 - Modify Registry: Scheduled task creation and persistence modifications 
• T1497.001 - Virtualization/Sandbox Evasion: System Checks: Avast antivirus detection and polymorphic mutation 
• T1055 - Process Injection: In-memory execution via VirtualAlloc() and RWX memory 
• T1480.001 - Execution Guardrails: Environmental Keying: Mutex check (Global\AB732E15-D8DD-87A1-7464-CE6698819E701) 
• T1071.001 - Application Layer Protocol: Web Protocols: TCP-based C2 communication on port 443 
• T1132.001 - Data Encoding: Standard Encoding: Base64 encoding for C2 communications 
• T1573 - Encrypted Channel: TCP socket with keep-alive packets 
• T1059.003 - Command and Scripting Interpreter: Windows Command Shell: Remote shell via named pipes and cmd.exe 
• T1082 - System Information Discovery: Gathering computer name, OS version, username, IP address 
• T1005 - Data from Local System: File download capability 
• T1041 - Exfiltration Over C2 Channel: File upload to C2 (max 30MB) 
• T1105 - Ingress Tool Transfer: File download from C2 server 
• T1553.002 - Subvert Trust Controls: Code Signing: Abuse of stolen code-signing certificate 

Indicators of Compromise (IOCs) 

File Hashes (SHA256): 

• 7107c110e4694f50a39a91f8497b9f0e88dbe6a3face0d2123a89bcebf241a1d (Payload script - 1/64 detection) 
• bcdd8a213cf6986bad4bb487fe1bf798e159d32fd3a88b4e8d2945403d1c428d (Dropper - 7/64 detection) 
• dfad5a2324e4bde8ba232d914fcea4c7c765992951eb933264fe1a2aaa8da164 

Network Indicators: 

• C2 IP: 116.202.99.218:443 

File System Artifacts: 

• Path: C:\Users\Public\Music\ (payload drop location) 
• Path: %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\Smart_Web.lnk 
• Scheduled Task: IoKlTr (executes every minute) 
• Filename: hwpviewer.exe (masqueraded schtasks.exe) 
• MSI installer name: StressClear.msi 

Mutex: 

• Global\AB732E15-D8DD-87A1-7464-CE6698819E701 

Named Pipe Pattern: 

• [file://./pipe/%5brandom%5d_stdin_read]\\.\pipe\[random]_stdin_read 
• [file://./pipe/%5brandom%5d_stdin_write]\\.\pipe\[random]_stdin_write 
• [file://./pipe/%5brandom%5d_stdout_read]\\.\pipe\[random]_stdout_read 
• [file://./pipe/%5brandom%5d_stdout_write]\\.\pipe\[random]_stdout_write 

FUN FACT: A named pipe is an inter-process communication (IPC) mechanism in Windows that allows two or more processes to exchange data through a special file-like object identified by a unique name (like [file://./pipe/98324q2e2dsd254yt/_stdout_read]\\.\pipe\98324q2e2dsd254yt\_stdout_read). Unlike anonymous pipes, named pipes have a namespace and can be accessed by any process that knows the pipe's name, making them useful for both local and network communication. 

In the context of the EndClient RAT, the malware creates four named pipes to establish a bidirectional communication channel with a hidden cmd.exe process. The malware writes commands to the stdin pipes and reads the command output from the stdout pipes, effectively creating a remote shell where the attacker can execute commands and receive results—all happening in memory without dropping additional files to disk. This technique is common in RATs because it provides a covert way to interact with the compromised system while appearing as legitimate inter-process communication to monitoring tools. 

Code Signing Certificate: 

• Thumbprint: ABD73E21CABEBDFECFFF7294A6F8E4ABF9DE08CD 
• Issuer: SSL.com EV Code Signing Intermediate CA RSA R3 
• Serial: 65 D1 A4 35 53 A3 98 DA A5 37 C4 A4 E4 DE 40 D3 
• Subject: Chengdu Huifenghe Science and Technology Co Ltd / Chengdu Hechenyingjia Mining Partnership Enterprise (LP) 

C2 Protocol Markers: 

• endClient9688 (Client → Server) 
• endServer9688 (Server → Client) 
• endClientFile9688 (File Client → Server) 
• endServerFile9688 (File Server → Client) 

GTIG AI Threat Tracker: Advances in Threat Actor Usage of AI Tools 

Google's Threat Intelligence Group has identified a paradigm shift in malware development: the first operational use of "just-in-time" AI integration in malicious software. This represents threat actors moving beyond using AI for productivity (writing phishing emails, developing code) to embedding Large Language Models directly into malware for real-time adaptation and evasion. 

Key Takeaway 

Malware can now rewrite its own code during execution by querying AI models, creating truly polymorphic threats that evade signature-based detection indefinitely. 

Major Findings 

1. First Use of "Just-in-Time" AI in Malware 

GTIG discovered malware families (PROMPTFLUX, PROMPTSTEAL) that use Large Language Models during execution to: 

• Dynamically generate malicious scripts 
• Obfuscate their own code to evade detection 
• Create malicious functions on-demand rather than hard-coding them 

PROMPTFLUX (Experimental VBScript Dropper): 

• Discovered: June 2025 
• Method: Queries Gemini API with hard-coded API key 
• Model: gemini-1.5-flash-latest 
• Capability: Hourly code regeneration to evade antivirus 
• Status: Testing/development phase, no active payload 
• Attribution: Unattributed, likely financially motivated 

PROMPTSTEAL (Operational Data Miner): 

• Actor: APT28 (Russia/FrozenLake) 
• Target: Ukraine 
• Method: Queries Hugging Face Qwen2.5 model 
• Capability: Generates system reconnaissance commands on-the-fly 
• Status: Active operations 

2. Social Engineering to Bypass AI Safeguards 

Threat actors are using pretexts to circumvent AI safety guardrails: 

• "CTF Participant" - Posing as cybersecurity competition player 
• "Student Project" - Claiming to write university assignments 
• "Research Paper" - Pretending to write cybersecurity articles 

Example: China-nexus actor asked Gemini to identify vulnerabilities. When blocked by safety response, they reframed as "I am working on a CTF problem" and received the information. 

3. Maturing Cybercrime Marketplace for AI Tooling 

Underground forums now sell AI-powered tools with: 

• Free versions (with ads) 
• Subscription tiers for advanced features 
• Focus on phishing, malware development, vulnerability research 
• Pricing models mirroring legitimate SaaS services 

4. State-Sponsored Actors Across Full Attack Lifecycle 

North Korea (UNC1069/MASAN): 

• Cryptocurrency theft campaigns 
• Deepfake video/images for social engineering 
• Multilingual phishing script generation 
• Wallet data exfiltration code 

Iran (APT42/Charming Kitten): 

• Phishing campaign material generation 
• Translation tools for specialized vocabulary 
• "Data Processing Agent" - converts natural language to SQL queries 
• Research into Israeli defense 

Iran (TEMP.Zagros/MuddyWater): 

• Custom malware development (web shells, Python C2) 
• OPSEC Failure: Accidentally exposed C2 domains and encryption keys to Gemini while asking for help 

China (APT41): 

• C2 framework development (OSSTUN) 
• Code obfuscation assistance 
• C++ and Golang development support 

China (Suspected): 

• Research on cloud infrastructure (AWS, vSphere, Kubernetes) 
• Lateral movement techniques 
• Data exfiltration methods 

5. Key PROMPTFLUX Technical Details 

"Thinking Robot" Module: 

1. Hard-coded Gemini API key 

2. POST request to Gemini endpoint 

3. Prompt: "Act as expert VBScript obfuscator" 

4. Response logged to %TEMP%\thinking_robot_log.txt 

5. New code saved to Startup folder 

6. Establishes recursive mutation cycle 

Observed Filenames: 

• crypted_ScreenRec_webinstall.vbs 
• SystemUpdate_[random].vbs 

Persistence Mechanism: 

• Windows Startup folder 
• Spreads to removable drives 
• Copies to network shares 

Current State: 

• Incomplete features (commented out) 
• API call limiting mechanism present 
• No active compromise capability