Securelist

PipeMagic in 2025: How the backdoor operators’ tactics have changed

PipeMagic is a backdoor first detected in December 2022 while researchers were investigating a malicious campaign involving RansomExx. The victims were industrial companies in Southeast Asia.

Efimer Trojan delivered via email and hacked WordPress websites

A new malware campaign involving the Efimer Trojan has been observed targeting cryptocurrency users and WordPress site administrators. Efimer is a ClipBanker-type Trojan that steals and replaces cryptocurrency wallet addresses.

Targeted attacks leverage accounts on popular online platforms as C2 servers

A sophisticated cyberattack campaign active from late 2024 to April 2025 targeted Russian IT firms and international entities using Cobalt Strike Beacon. The attackers employed spear phishing, DLL hijacking, and social media-based payload delivery.

GhostContainer backdoor for Exchange servers

A newly discovered backdoor malware dubbed GhostContainer is targeting Microsoft Exchange servers in high-value organizations across Asia. The malware is a .NET-based PE32 executable that leverages open-source tools and exploits CVE-2020-0688.

Zanubis Android Banking Trojan Evolves with Silent Installation and Credential Theft Capabilities

Zanubis is a sophisticated Android banking Trojan active since 2022, targeting Peruvian financial institutions. It masquerades as legitimate apps to trick users into granting accessibility permissions, enabling full device control.

Outlaw botnet detected in an incident contained by Kaspersky

Outlaw (also known as “Dota”) is a Perl-based crypto mining botnet that typically takes advantage of weak or default SSH credentials for its operations. Telemetry data showed victims across the US, Germany, Italy, Thailand, and more.

GOFFEE’s recent attacks: new tools and techniques

GOFFEE continued to launch targeted attacks against organizations in Russia, utilizing PowerTaskel, a non-public Mythic agent written in PowerShell, and introducing a new implant that researchers dubbed “PowerModul”.

Minas — a multi-stage cryptocurrency miner infection

In June 2022, Kaspersky researchers found a suspicious shellcode running in the memory of a system process. Based on their reconstruction of the infection chain, they determined that it originated from running an encoded PowerShell script as a task.

Analysis of the CloudWizard framework by Bad Magic APT

A newly discovered campaign related to the Bad Magic APT involved use of a modular framework dubbed CloudWizard. Its features include taking screenshots, microphone recording, keylogging, and more.

Tomiris called, they want their Turla malware back

The threat actor targets government and diplomatic entities in the CIS. The few victims discovered in other regions (Middle East or Southeast Asia) turn out to be foreign representations of CIS countries, illustrating Tomiris’s narrow focus.
