Cisco Talos

Lotus Blossom Espionage Group Targets Multiple Industries With Different Versions of Sagerunex and Hacking Tools

Cisco Talos uncovered two new variants of the Sagerunex backdoor, which were detected during attacks on telecommunications and media companies, as well as many Sagerunex variants persistent in the government and manufacturing industries.

New TorNet Backdoor Seen in Widespread Campaign Targeting Europe

Cisco Talos discovered an ongoing malicious campaign operated by a financially motivated threat actor since as early as July 2024 targeting users, predominantly in Poland and Germany, based on the phishing email language.

Threat Actors Use Copyright Infringement Phishing Lure Against Taiwanese Users to Deploy Info-stealers

Cisco Talos has identified a phishing campaign targeting Facebook business users in Taiwan, using emails disguised as legal notices to trick recipients into downloading malware.

Threat Actor Abuses Gophish to Deliver New PowerRAT and DCRAT

The campaign involves modular infection chains requiring the victim's interaction, with the malware being delivered through Maldoc or HTML-based methods. The phishing emails use the Russian language, fake Yandex Disk links, and spoofed VK pages.

UAT-5647 Targets Ukrainian and Polish Entities with RomCom Malware Variants

UAT-5647 has advanced its tooling to include downloaders RustClaw and MeltingClaw, a Rust backdoor DustyHammock, and a C++ backdoor ShadyHammock. The threat actor attempted to compromise edge devices to evade detection during lateral movement.

Threat Actor Believed to be Spreading New Medusalocker Variant Since 2022

BabyLockerKZ has expanded its reach to different continents, shifting from Europe to South America in early 2023. It has distinct features compared to MedusaLocker, such as unique storage keys and differences between Windows and Linux versions.
September 13, 2024

Chinese-speaking Hackers Linked to DragonRank SEO Manipulator Service

By exploiting web app services, the attackers deploy a web shell to launch malware and gather credentials, compromising IIS servers to spread the BadIIS malware. The malware facilitates proxyware and SEO fraud by manipulating search engine rankings.

Threat Actors Using MacroPack to Deploy Brute Ratel, Havoc, and PhantomCore Payloads

Malicious actors potentially utilized the MacroPack red-teaming framework to distribute harmful payloads like Brute Ratel and Havoc tools, as well as a new version of the PhantomCore remote access trojan.

BlackByte Blends Known Tactics With New Encryptor Variant and Vulnerability Exploits to Support Ongoing Attacks

The latest encryptor variant identified by researchers at Cisco Talos appends the file extension ‘blackbytent_h’ to encrypted files. This variant also includes the deployment of four vulnerable drivers, an increase from previous reports.

MoonPeak Malware From North Korean Actors Unveils New Details on Attacker Infrastructure

MoonPeak is an evolved form of the Xeno RAT malware previously used by North Korean actors and is capable of loading plugins, launching processes, and communicating with a command-and-control (C2) server.
