{
	"id": "a5de9074-d1c8-4d37-98b3-e27267fb3e04",
	"created_at": "2026-04-06T00:16:22.597111Z",
	"updated_at": "2026-04-10T03:36:47.989646Z",
	"deleted_at": null,
	"sha1_hash": "94a0d686474c24bc8ffae9951c46ecfab0bc4156",
	"title": "Weekly Intelligence Report – 12 December 2025 - CYFIRMA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3107905,
	"plain_text": "Weekly Intelligence Report – 12 December 2025 - CYFIRMA\r\nArchived: 2026-04-05 15:33:51 UTC\r\nSource: https://www.cyfirma.com/news/weekly-intelligence-report-12-december-2025/#:~:text=well%2Dstructured%20operations.-,7.%20Data%20Leaks,-Bank%20Mandiri%20Data\r\nPublished On : 2025-12-12\r\nRansomware of the week\r\nThe CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while\r\nmonitoring various forums. This covers a variety of topics that can be pertinent to your company, including\r\ntechnology, geography, and industries.\r\nType: Ransomware\r\nTarget Technologies: Windows\r\nTargeted Countries: United States, India, Turkey, Peru, Mexico\r\nTargeted Industries: Manufacturing, Technology, Financial Services, Public Sector, Business Services\r\nIntroduction\r\nThe CYFIRMA Research and Advisory Team found Black Shrantac Ransomware while monitoring various\r\nunderground forums as part of our Threat Discovery Process.\r\nBlack Shrantac Ransomware\r\nResearchers have identified Black Shrantac as a ransomware strain that encrypts files, renames them, and\r\nleaves victims unable to access their data. In testing, the malware was observed to replace original filenames\r\nwith random character strings and append the “.shrt” extension, e.g., converting “1.jpg” into something like\r\n“0WeRZQJSTkOAnYP4.shrt”. After completing encryption, Black Shrantac changes the desktop wallpaper and\r\ndrops a ransom note titled “shrt.readme.txt”, stating that the victim’s data has been both encrypted and\r\nexfiltrated from the system.\r\nScreenshot of files encrypted by ransomware (Source: Surface Web)\r\nThe ransom note states that the attackers seek payment in Bitcoin and presents the extortion as a “business\r\ntransaction”. Victims are told they may submit a few small, non-critical files to verify the attackers’ ability to\r\ndecrypt. The message includes Tor-based communication portals, Tox contact information, and explicit warnings\r\nnot to rename files or reboot systems, claiming such actions could cause irreversible damage. It also threatens to\r\nleak or sell stolen data if no contact is made, while emphasizing that access to negotiation credentials is required\r\nto proceed.\r\nThe appearance of Black Shrantac’s ransom note (shrt.readme.txt) (Source: Surface Web)\r\nThe appearance of Black Shrantac’s data leak site (Source: Surface Web)\r\nThe following are the TTPs based on the MITRE ATT\u0026CK Framework\r\nTactic Technique ID Technique Name\r\nExecution T1053 Scheduled Task/Job\r\nExecution T1059 Command and Scripting Interpreter\r\nExecution T1129 Shared Modules\r\nPersistence T1053 Scheduled Task/Job\r\nPersistence T1112 Modify Registry\r\nPrivilege Escalation T1053 Scheduled Task/Job\r\nPrivilege Escalation T1134 Access Token Manipulation\r\nDefense Evasion T1027 Obfuscated Files or Information\r\nDefense Evasion T1036 Masquerading\r\nDefense Evasion T1070 Indicator Removal\r\nDefense Evasion T1112 Modify Registry\r\nDefense Evasion T1134 Access Token Manipulation\r\nDefense Evasion T1202 Indirect Command Execution\r\nCredential Access T1003 OS Credential Dumping\r\nCredential Access T1552.001 Unsecured Credentials: Credentials In Files\r\nDiscovery T1057 Process Discovery\r\nDiscovery T1082 System Information Discovery\r\nDiscovery T1083 File and Directory Discovery\r\nDiscovery T1614 System Location Discovery\r\nCollection T1005 Data from Local System\r\nCollection T1114 Email Collection\r\nCommand and Control T1071 Application Layer 
Protocol\r\nCommand and Control T1090 Proxy\r\nImpact T1486 Data Encrypted for Impact\r\nRelevancy and Insights:\r\nThe ransomware primarily affects the Windows operating system, which is commonly utilized in enterprise\r\nenvironments across multiple industries.\r\nThe ransomware maintains a long-term presence on the system by creating and modifying Windows\r\nscheduled tasks, which allow it to execute automatically after restarts or user logons. It sets tasks to\r\nrun with SYSTEM-level privileges and uses recurring triggers such as hourly or logon events. By doing so,\r\nthe malware ensures its payload is consistently launched, enabling it to finish encryption, re-establish\r\ncontrol, or run additional malicious actions without relying on user interaction.\r\nDebug-environment detection: the ransomware checks whether it is being monitored in a sandbox, virtual\r\nmachine, or debugger. To perform this check, the malware may look for specific processes, drivers, or artifacts\r\nlinked to analysis tools, measure timing to spot inconsistencies, or scan for system traits uncommon on real user\r\nmachines. When such conditions are identified, the malicious program can modify its behavior, for example by\r\npausing execution, shutting down, or withholding key payload actions, to avoid detection and make detailed\r\nanalysis more difficult.\r\nETLM Assessment:\r\nCYFIRMA’s assessment indicates that Black Shrantac is currently a capable and structured ransomware strain,\r\nfeaturing strong file-encryption behavior, randomized filename rewriting, data theft, scheduled-task persistence,\r\nand multi-channel communication through Tor and Tox. Its ransom delivery methods, wallpaper replacement,\r\nand extortion approach closely align with modern double-extortion families, showing that it already operates with\r\na mature set of features designed for disruption and financial gain. Given this foundation, its evolution is likely to\r\nfocus on strengthening its resilience, expanding its reach, and improving its ability to evade security controls.\r\nAs it evolves, Black Shrantac could adopt more effective anti-analysis strategies, incorporate automated lateral-movement techniques, and enhance its data-exfiltration processes to increase the pressure placed on victims.\r\nFuture variants may introduce cloud-targeting capabilities, broader destruction of system-recovery mechanisms, and more robust\r\nencryption or obfuscation layers to hinder forensic investigation. By integrating modular components or adapting\r\nits infrastructure, the ransomware could become more scalable, harder to detect, and increasingly difficult for\r\ndefenders to contain across enterprise environments.\r\nSigma rule:\r\ntitle: Suspicious Schtasks Schedule Types\r\ntags:\r\n    - attack.privilege-escalation\r\n    - attack.persistence\r\n    - attack.execution\r\n    - attack.t1053.005\r\nlogsource:\r\n    product: windows\r\n    category: process_creation\r\ndetection:\r\n    selection_img:\r\n        - Image|endswith: '\\schtasks.exe'\r\n        - OriginalFileName: 'schtasks.exe'\r\n    selection_time:\r\n        CommandLine|contains:\r\n            - ' ONLOGON '\r\n            - ' ONSTART '\r\n            - ' ONCE '\r\n            - ' ONIDLE '\r\n    filter_privs:\r\n        CommandLine|contains:\r\n            - 'NT AUT'  # covers the usual NT AUTHORITY\\SYSTEM\r\n            - ' SYSTEM' # SYSTEM is a valid value for schtasks, hence it gets its own entry with a leading space\r\n            - 'HIGHEST'\r\n    condition: all of selection_* and not 1 of filter_*\r\nfalsepositives:\r\n    - Legitimate processes that run at logon. Filter according to your environment\r\nlevel: high\r\n(Source: Surface Web)\r\nNote that filter_privs drops any command line that specifies SYSTEM, NT AUTHORITY, or HIGHEST, so the SYSTEM-level\r\nscheduled tasks described above fall outside this rule’s scope; pair it with a rule that alerts on privileged schedule types.\r\nIOCs:\r\nKindly refer to the IOCs section to exercise control of your security systems.\r\nRECOMMENDATIONS\r\nSTRATEGIC RECOMMENDATIONS\r\nEnforce strong authentication, encryption, and access-control configurations for critical systems in both\r\ncloud and on-premises environments.\r\nEnsure that backups of critical systems are maintained (and their restoration tested), so that data can be\r\nrestored when the need arises.\r\nMANAGEMENT RECOMMENDATIONS\r\nA data breach prevention plan must be developed considering (a) the type of data being managed by the\r\ncompany; (b) the remediation process; (c) where and how the data is stored; (d) whether there is an obligation to\r\nnotify the local authority.\r\nTo reduce the risk of credentials being compromised, enable multifactor authentication (MFA) and adopt a zero-trust architecture.\r\nFoster a culture of cybersecurity, where you encourage and invest in employee training so that security is\r\nan integral part of your organization.\r\nTACTICAL RECOMMENDATIONS\r\nUpdate all applications/software regularly with the latest versions and security patches.\r\nIncorporate the Sigma rule for threat detection and monitoring, which will assist in identifying and tracking\r\nsuspicious activity as well as detecting anomalies in log events.\r\nMonitor and block the IOCs and strengthen defences based on the tactical intelligence provided.\r\nTrending Malware of the Week\r\nType: Remote Access Trojan (RAT) | Objectives: Espionage \u0026 Credential Theft | Target Technology: Windows OS | Target Geography: Global\r\nCYFIRMA collects data from various forums, based on which the trend is ascertained. 
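The Sigma rule in the ransomware section above is easy to misread because of its double negation (alert on suspicious schedule types, then drop the privileged ones). The following is an added example, not code from the CYFIRMA report, that re-implements the rule as a Python check over Sysmon-style process-creation events and additionally labels the SYSTEM/HIGHEST command lines the rule filters out. The event dictionaries are constructed for illustration; the field names (Image, OriginalFileName, CommandLine) follow Sysmon event 1.

```python
# Added example (not from the CYFIRMA report): the Sigma rule 'Suspicious
# Schtasks Schedule Types' re-implemented as a Python check over Sysmon/4688-style
# process-creation events. Sigma string matching is case-insensitive, so every
# comparison works on upper-cased values. The sample events are constructed.
import ntpath

# selection_time: schedule types the rule treats as suspicious. The surrounding
# spaces are copied from the rule, so a command line that ends in 'ONCE' with no
# trailing space would not match; that is a known limitation of the rule itself.
SCHEDULE_TYPES = (' ONLOGON ', ' ONSTART ', ' ONCE ', ' ONIDLE ')
# filter_privs: markers the rule excludes (privileged tasks are out of its scope).
PRIV_MARKERS = ('NT AUT', ' SYSTEM', 'HIGHEST')


def is_schtasks(event):
    '''selection_img: Image ends with schtasks.exe OR OriginalFileName is schtasks.exe.
    OriginalFileName comes from the PE version resource, so it still identifies a
    renamed copy of the binary (T1036 Masquerading).'''
    image = ntpath.basename(event.get('Image', '')).upper()
    original = event.get('OriginalFileName', '').upper()
    return image == 'SCHTASKS.EXE' or original == 'SCHTASKS.EXE'


def classify(event):
    '''Return 'suspicious_schedule' when the Sigma rule fires,
    'privileged_schedule' when only filter_privs suppressed it, else None.'''
    if not is_schtasks(event):
        return None
    cmd = event.get('CommandLine', '').upper()
    if not any(s in cmd for s in SCHEDULE_TYPES):
        return None
    # Sigma condition: all of selection_* and not 1 of filter_*.
    # Instead of silently dropping SYSTEM/HIGHEST tasks (the persistence style
    # described for Black Shrantac), surface them under a second label so an
    # analyst can route them to a separate high-privilege rule.
    if any(m in cmd for m in PRIV_MARKERS):
        return 'privileged_schedule'
    return 'suspicious_schedule'


def scan(events):
    '''Run the check over a batch of events; returns (label, CommandLine) pairs.'''
    hits = []
    for ev in events:
        label = classify(ev)
        if label:
            hits.append((label, ev.get('CommandLine', '')))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # ransomware-style persistence: logon trigger, runs as SYSTEM -> filtered by the rule
        'Image': 'C:\\Windows\\System32\\schtasks.exe',
        'OriginalFileName': 'schtasks.exe',
        'CommandLine': 'schtasks /create /tn Updater /tr C:\\Users\\Public\\svc.exe /sc ONLOGON /ru SYSTEM /f',
    },
    {   # unprivileged ONCE task launching a binary from Temp -> rule fires
        'Image': 'C:\\Windows\\System32\\schtasks.exe',
        'OriginalFileName': 'schtasks.exe',
        'CommandLine': 'schtasks.exe /Create /SC ONCE /ST 12:00 /TN tmp /TR C:\\Users\\bob\\AppData\\Local\\Temp\\x.exe',
    },
    {   # renamed copy of schtasks.exe; OriginalFileName still identifies it -> rule fires
        'Image': 'C:\\Users\\Public\\st.exe',
        'OriginalFileName': 'schtasks.exe',
        'CommandLine': 'st.exe /create /sc onstart /tn Sync /tr C:\\Users\\Public\\sync.exe',
    },
    {   # benign daily backup task -> no match
        'Image': 'C:\\Windows\\System32\\schtasks.exe',
        'OriginalFileName': 'schtasks.exe',
        'CommandLine': 'schtasks /create /tn Backup /tr C:\\Tools\\backup.exe /sc DAILY /st 02:00',
    },
    {   # not schtasks at all, even though the command line mentions ONLOGON -> no match
        'Image': 'C:\\Windows\\System32\\cmd.exe',
        'OriginalFileName': 'Cmd.Exe',
        'CommandLine': 'cmd /c echo ONLOGON ',
    },
]

if __name__ == '__main__':
    for label, cmd in scan(SAMPLE_EVENTS):
        print(f'{label:20s} {cmd}')
```

The first sample event is exactly the pattern the ransomware description above calls out (logon trigger, SYSTEM account) and the rule as written does not alert on it; the second label makes that gap visible rather than hiding it.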
We identified a few\r\npopular malware families that were found to be distributed in the wild to launch cyberattacks on organizations or\r\nindividuals.\r\nActive Malware of the week\r\nThis week, “CastleRAT” is trending.\r\nOverview of CastleRAT Malware\r\nCastleRAT is a newly observed remote access trojan that surfaced in early 2025 and has quickly gained attention\r\nfor its flexible design and wide applicability across different attack campaigns. Distributed in both lightweight\r\nPython builds and more robust C-compiled versions, the malware is built to give attackers a discreet entry into\r\nWindows systems while avoiding common security controls. Its creators have designed CastleRAT to blend into\r\nnormal system behavior, enabling it to operate quietly while establishing communication with remote servers\r\ncontrolled by the attacker.\r\nOnce active on a device, CastleRAT collects essential system details and maintains constant communication with\r\nits operator, allowing remote actions to be executed without the user’s awareness. It can capture on-screen\r\ninformation, monitor typed input, and access clipboard contents, activities that can reveal credentials, financial\r\ndetails, or other sensitive data. The malware also supports the delivery of additional tools from the attacker’s\r\nserver and can open a hidden command interface, enabling further manipulation of the compromised system. Its\r\nability to disguise itself as legitimate software components further strengthens its persistence.\r\nThe progression of CastleRAT demonstrates how contemporary adversaries are shifting toward highly flexible and\r\nlow-visibility tooling to broaden their operational reach. Its preference for masked system activity, quietly re-launched browsers, and subtle data exchange methods reveals a clear focus on avoiding conventional security\r\ncontrols. For enterprise environments, this underscores the growing need to scrutinize irregular workstation\r\nbehavior, enhance endpoint observability, and maintain well-rehearsed incident response procedures. In an era\r\nwhere intrusion techniques are becoming more seamless and unobtrusive, CastleRAT represents the kind of\r\nstreamlined yet impactful threat that reinforces the critical role of early anomaly detection and behavior-driven\r\ndefensive measures.\r\nAttack Method\r\nWhile the initial access method remains unclear, upon activation CastleRAT performs an initial reconnaissance\r\nroutine, collecting key host identifiers such as system metadata, user information, machine-specific GUIDs, and\r\npublic IP details retrieved from an external lookup service. This data is transmitted to the command-and-control\r\ninfrastructure as part of its periodic beaconing cycle. Subsequently, the malware launches multiple internal\r\nthreads, each responsible for executing a distinct malicious function. Notably, early-stage tasks include the\r\ncontinuous monitoring of clipboard activity, enabling the silent acquisition of copied credentials, cryptocurrency\r\ninformation, and other sensitive artefacts that naturally pass through clipboard use.\r\nAs the intrusion progresses, CastleRAT shifts from passive surveillance to covert interactive manipulation. It\r\nintercepts clipboard operations and synthesizes paste actions to route harvested data through trusted user-facing\r\napplications, thereby embedding exfiltration within normal device behavior. In parallel, it employs RC4-based\r\nencryption to obscure its communication with the C2 server, downloading DLL-based modular components and\r\nexecuting them through legitimate Windows utilities, granting the operator a concealed remote shell environment.\r\nThis shell is constructed through redirected inter-process communication pipes, allowing commands to be issued\r\nand responses retrieved without displaying any visible terminal window or generating conspicuous user-side\r\nactivity.\r\nCastleRAT further strengthens its presence by enabling a range of persistent surveillance and privilege-access\r\nfeatures. It configures system-level hooks to capture keystrokes, stores intercepted input within temporary files\r\nprior to encryption and exfiltration, and periodically captures screenshots of the active desktop. The malware also\r\nmanipulates browser behavior by terminating active sessions and silently spawning Chromium-based instances\r\nwith audio-restrictive parameters, facilitating visual or auditory monitoring while minimizing user alerts. To\r\nensure continued operation across system restarts, it registers a scheduled task that reinstates the malware at\r\nstartup, thereby establishing durable persistence.\r\nIn its later operational phase, the malware expands its communication flexibility by leveraging legitimate web\r\nplatforms as dead-drop locations for secondary configuration and tasking. Additionally, it employs a\r\nprivilege-escalation technique that abuses service-level behavior to identify privileged process handles, duplicate\r\nthem, and integrate them into newly spawned malware instances. This handle-stealing approach enables elevated\r\naccess and in-memory manipulation with limited on-disk evidence, complicating detection and forensic\r\nreconstruction. 
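CastleRAT's periodic beaconing cycle, described above, is the behaviour that the tactical recommendation later in this section ('low-frequency beaconing intervals') asks defenders to hunt for. The following is an added example, not code from the CYFIRMA report or from any CastleRAT analysis, of a minimal beacon-interval detector run over constructed proxy log lines. The log format (timestamp, source host, destination, bytes sent), the hosts, the addresses and the thresholds are all assumptions for illustration; the detector keys on regularity of inter-arrival times, not on any CastleRAT-specific indicator.

```python
# Added example (not from the CYFIRMA report): a minimal beacon-interval detector
# for the kind of periodic C2 check-in described for CastleRAT, run over constructed
# proxy log lines. Thresholds are illustrative and must be tuned per environment.
import statistics
from collections import defaultdict
from datetime import datetime

MIN_EVENTS = 8       # need enough intervals before calling anything periodic
MAX_JITTER = 0.2     # median absolute deviation / median interval

# Constructed sample log: ISO timestamp, source host, destination, bytes sent.
# ws-042 talks to 203.0.113.10 roughly every 60 s with a few seconds of jitter;
# ws-007 shows ordinary bursty browsing to 198.51.100.5.
SAMPLE_LOG = '''
2025-12-08T09:00:00 ws-042 203.0.113.10 412
2025-12-08T09:01:02 ws-042 203.0.113.10 412
2025-12-08T09:02:01 ws-042 203.0.113.10 414
2025-12-08T09:03:03 ws-042 203.0.113.10 412
2025-12-08T09:04:00 ws-042 203.0.113.10 412
2025-12-08T09:04:59 ws-042 203.0.113.10 413
2025-12-08T09:06:01 ws-042 203.0.113.10 412
2025-12-08T09:07:02 ws-042 203.0.113.10 412
2025-12-08T09:08:00 ws-042 203.0.113.10 412
2025-12-08T09:09:01 ws-042 203.0.113.10 415
2025-12-08T09:10:03 ws-042 203.0.113.10 412
2025-12-08T09:11:00 ws-042 203.0.113.10 412
2025-12-08T09:00:05 ws-007 198.51.100.5 1830
2025-12-08T09:00:07 ws-007 198.51.100.5 9120
2025-12-08T09:00:40 ws-007 198.51.100.5 640
2025-12-08T09:03:10 ws-007 198.51.100.5 22100
2025-12-08T09:03:11 ws-007 198.51.100.5 980
2025-12-08T09:09:30 ws-007 198.51.100.5 310
2025-12-08T09:20:00 ws-007 198.51.100.5 5400
2025-12-08T09:20:02 ws-007 198.51.100.5 770
2025-12-08T09:20:03 ws-007 198.51.100.5 1200
'''


def parse_log(text):
    '''Parse lines into (timestamp, src, dst, bytes); blank lines are skipped.'''
    records = []
    for line in text.strip().splitlines():
        ts, src, dst, size = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(size)))
    return records


def detect_beacons(records):
    '''Group by (src, dst), compute inter-arrival times and flag pairs whose
    intervals cluster tightly around a median period.'''
    by_pair = defaultdict(list)
    for ts, src, dst, size in records:
        by_pair[(src, dst)].append((ts, size))
    findings = []
    for (src, dst), items in by_pair.items():
        if len(items) < MIN_EVENTS:
            continue
        items.sort()
        deltas = [(b[0] - a[0]).total_seconds() for a, b in zip(items, items[1:])]
        period = statistics.median(deltas)
        if period <= 0:
            continue
        # Median/MAD is robust to a few missed or delayed beacons, unlike mean/stdev,
        # which a single long gap (host asleep, network outage) would distort.
        mad = statistics.median([abs(d - period) for d in deltas])
        jitter = mad / period
        if jitter <= MAX_JITTER:
            sizes = [s for _, s in items]
            findings.append({
                'src': src, 'dst': dst, 'count': len(items),
                'period_s': period, 'jitter': round(jitter, 3),
                'size_spread': max(sizes) - min(sizes),  # near-constant sizes strengthen the call
            })
    return findings


if __name__ == '__main__':
    for finding in detect_beacons(parse_log(SAMPLE_LOG)):
        print(finding)
```

Two caveats for production use: legitimate software (update checkers, monitoring agents, mail clients) beacons too, so the output is a hunting lead to be joined against an allow-list of known destinations, and malware that randomizes its sleep interval widely will push the jitter above the threshold, which is why the recommendation also lists long-lived sessions and unidentified TLS certificates as complementary signals.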
Collectively, these behaviors reflect a methodical attack methodology designed to maintain long-term, covert control through a combination of surveillance, stealthy system manipulation, and resilient\r\ncommunication mechanisms.\r\nThe following are the TTPs based on the MITRE ATT\u0026CK Framework for Enterprise\r\nTactic Technique ID Technique Name\r\nExecution T1559 Inter-Process Communication\r\nPersistence T1053.005 Scheduled Task/Job: Scheduled Task\r\nPrivilege Escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control\r\nDefense Evasion T1036 Masquerading\r\nDefense Evasion T1218.011 System Binary Proxy Execution: Rundll32\r\nCredential Access T1056.001 Input Capture: Keylogging\r\nDiscovery T1082 System Information Discovery\r\nCollection T1115 Clipboard Data\r\nCollection T1185 Browser Session Hijacking\r\nCollection T1125 Video Capture\r\nCollection T1113 Screen Capture\r\nCommand and Control T1105 Ingress Tool Transfer\r\nCommand and Control T1102.001 Web Service: Dead Drop Resolver\r\nINSIGHTS\r\nEvolving Tradecraft in Covert Intrusions\r\nCastleRAT highlights how modern threat groups increasingly prioritize quiet, embedded operations over loud or\r\ndisruptive attacks. Instead of relying on flashy techniques, the malware’s workflow is designed to mimic the\r\nnatural rhythm of a host system, allowing malicious activity to blend with routine behavior. This shift shows how\r\nattackers are refining their methods to maintain uninterrupted access by shaping their tools around subtlety,\r\npatience, and operational camouflage.\r\nBlending Surveillance with Everyday User Interactions\r\nOne notable aspect of CastleRAT’s behavior is the way it aligns its data-gathering and system-interaction\r\ncapabilities with actions that users commonly perform. By structuring its monitoring functions to mirror ordinary\r\ndigital tasks, it reduces the likelihood of drawing attention or triggering suspicion. This integration demonstrates a\r\ngrowing trend toward threats that study and replicate the flow of user activity, turning familiar interactions into\r\nwindows for silent observation.\r\nLeveraging Legitimate System Pathways for Credibility\r\nCastleRAT’s reliance on native components and standard system mechanisms reflects a broader pattern in threat\r\noperations: the use of trusted pathways to maintain legitimacy. Rather than introducing unfamiliar tools, the\r\nmalware anchors itself to processes and utilities that already exist on the device, making its presence appear\r\nroutine. This strategic piggybacking on built-in system behavior underscores how contemporary attackers\r\nincreasingly depend on the credibility of the host environment itself to maintain persistence and avoid scrutiny.\r\nETLM ASSESSMENT\r\nFrom an ETLM perspective, CYFIRMA assesses that the emergence of CastleRAT indicates a future in which\r\ntraditional desktop environments will require markedly stronger scrutiny. 
As organizational workflows become\r\nmore dependent on continuous workstation usage for communication, remote access, and integrated business\r\napplications, adversaries are likely to advance techniques that blend malicious activity into routine user behavior.\r\nThis evolution will make it increasingly difficult for enterprises to determine whether system actions originate\r\nfrom legitimate employees or from an attacker operating unobtrusively within the same environment.\r\nConsequently, organizations may be compelled to adopt more rigorous validation mechanisms for ordinary\r\nworkstation interactions and re-evaluate long-standing assumptions regarding endpoint trust. As professional\r\necosystems grow more interconnected, campaigns resembling CastleRAT may gradually reshape confidence in\r\nday-to-day desktop activity, prompting both users and security teams to approach familiar system behavior with\r\nheightened caution.\r\nIOCs:\r\nKindly refer to the IOCs Section to exercise controls on your security systems.\r\nYARA Rules\r\nimport \"hash\"\r\n\r\nrule CastleRAT_IOC_Only\r\n{\r\n    meta:\r\n        author = \"CYFIRMA\"\r\n        date = \"2025-12-08\"\r\n        description = \"IOC-only YARA rule for detecting CastleRAT samples\"\r\n        sha256_1 = \"963c012d56c62093d105ab5044517fdcce4ab826f7782b3e377932da1df6896d\"\r\n        sha256_2 = \"f2ff4cbcd6d015af20e4e858b0f216c077ec6d146d3b2e0cbe68b56b3db7a0be\"\r\n        sha256_3 = \"4ef63fa536134ad296e83e37f9d323beb45087f7d306debdc3e096fed8357395\"\r\n        sha256_4 = \"282fa3476294e2b57aa9a8ab4bc1cc00f334197298e4afb2aae812b77e755207\"\r\n    condition:\r\n        // Match on the file hash directly. A placeholder byte pattern such as { 00 }\r\n        // combined with 'any of them' would match almost every binary on disk.\r\n        // hash.sha256 reads the whole file, so scope scans to files of plausible size.\r\n        hash.sha256(0, filesize) == \"963c012d56c62093d105ab5044517fdcce4ab826f7782b3e377932da1df6896d\" or\r\n        hash.sha256(0, filesize) == \"f2ff4cbcd6d015af20e4e858b0f216c077ec6d146d3b2e0cbe68b56b3db7a0be\" or\r\n        hash.sha256(0, filesize) == \"4ef63fa536134ad296e83e37f9d323beb45087f7d306debdc3e096fed8357395\" or\r\n        hash.sha256(0, filesize) == \"282fa3476294e2b57aa9a8ab4bc1cc00f334197298e4afb2aae812b77e755207\"\r\n}\r\nRecommendations:\r\nSTRATEGIC RECOMMENDATIONS\r\nStrengthen Endpoint Visibility and Control: Establish an enterprise-wide strategy that prioritizes\r\ncontinuous monitoring of desktop endpoints, focusing on behavioral anomalies rather than signature-based\r\ndetection. This includes integrating telemetry from EDR, SIEM, and identity systems to create a unified\r\nvisibility layer.\r\nAdopt Zero-Trust for Workstation Interactions: Implement a long-term shift toward authentication models\r\nthat verify each action, not just user identity. This includes device posture validation, contextual access\r\ndecisions, and mandatory verification for sensitive transactions initiated from workstations.\r\nPrioritize Secure Remote Access Architecture: Reassess remote access pathways and privileged\r\nworkstation operations, ensuring that attackers exploiting CastleRAT-like capabilities cannot pivot\r\nlaterally. This may require segmentation of administrative workstations, hardened remote sessions, and\r\nisolation of critical functions.\r\nInvest in Threat Intelligence Integration: Incorporate structured threat intelligence feeds that track RAT\r\nevolution, affiliate behaviors, and distribution trends. This supports proactive risk modeling and informs\r\nstrategic readiness for emerging variants.\r\nMANAGEMENT RECOMMENDATIONS\r\nEnhance User Activity Validation Processes: Introduce verification workflows for high-risk or finance-related actions performed on desktops, reducing the likelihood of fraudulent transactions executed through\r\ncovert remote-control modules.\r\nImplement Rigorous Workstation Hardening Policies: Enforce policies that restrict unnecessary\r\nexecutables, disable unused services, and limit installation privileges. 
Routine audits should be scheduled\r\nto validate compliance across departments.\r\nStrengthen Monitoring of Remote Interaction Indicators: Equip security teams with alerting mechanisms\r\nthat flag suspicious screen-control activity, unauthorized command execution, or unusual process behavior\r\nthat could indicate RAT-driven manipulation.\r\nDevelop Workforce Awareness for Endpoint Deception Tactics: Provide management-driven training\r\nprograms that help employees recognize subtle signs of system manipulation, unexpected interface\r\nbehavior, or unexplained performance shifts that may accompany covert RAT activity.\r\nRegularly Test Incident Response Preparedness: Conduct periodic tabletop and technical exercises centered\r\naround RAT compromise scenarios. These exercises should validate escalation paths, containment\r\nprocedures, and communication protocols across management layers.\r\nTACTICAL RECOMMENDATIONS\r\nDeploy EDR Rules for Remote-Control Behavior: Configure detection logic for patterns such as\r\nunauthorized screen-capture calls, simulated input events, hidden window creation, and abnormal\r\npersistence mechanisms commonly linked to RAT activity.\r\nHarden PowerShell and Scripting Environments: Enforce constrained language mode, disable unapproved\r\nmodules, and log all script block activity. Many RATs rely on script-based loaders, making this a critical\r\nlayer of defense.\r\nBlock Untrusted Binary Execution Paths: Apply application control policies (AppLocker/WDAC) to\r\nprevent execution from user directories, temp folders, and uncommon system paths often leveraged by\r\ndroppers and loaders.\r\nMonitor for Suspicious Parent–Child Process Chains: Set alerts for anomalous process relationships, such\r\nas browsers launching unknown executables or system utilities spawning network-enabled processes.\r\nEnforce Network-Level Isolation for Compromised Hosts: Create automated playbooks in SOAR to\r\nquarantine endpoints that exhibit command-and-control-like traffic, unexpected beacons, or encrypted\r\noutbound connections to untrusted domains.\r\nInspect Outbound Traffic for Behavioral IoCs: Implement rules for unusual DNS patterns, long-lived\r\nHTTP sessions, unidentified TLS certificates, and low-frequency beaconing intervals that may signal RAT\r\ncommunication.\r\nRegularly Validate Integrity of Critical System Files: Conduct automated hash-checking and file integrity\r\nmonitoring on key directories to detect unauthorized modification or stealthy persistence methods.\r\nImplement Least-Privilege Local Access Controls: Remove local admin rights from standard employees,\r\nrestrict the creation of scheduled tasks, and prevent unauthorized registry changes that RATs often exploit\r\nfor persistence.\r\nIncrease Logging Granularity for Input/Interaction Events: Enable enhanced logging for keyboard, mouse,\r\nand accessibility feature toggles to identify abnormal remote manipulation activity.\r\nCreate SOC Playbooks for RAT Containment: Prepare rapid-action procedures that include isolating the\r\nhost, collecting volatile memory, extracting network indicators, validating credential exposure, and\r\ninitiating forensic triage to prevent lateral spread.\r\nWeekly Intelligence Trends/Advisory\r\n1. Weekly Attack Types and Trends\r\nKey Intelligence Signals:\r\nAttack Type: Ransomware Attacks, Spear-phishing, Vulnerabilities \u0026 Exploits, Data Leaks.\r\nObjective: Unauthorized Access, Data Theft, Data Encryption, Financial Gains, Espionage.\r\nBusiness Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property,\r\nOperational Disruption.\r\nRansomware – INC Ransomware, Lynx Ransomware | Malware – CastleRAT\r\nINC Ransomware – One of the ransomware groups.\r\nLynx Ransomware – One of the ransomware groups.\r\nPlease refer to the trending malware advisory for details on the following:\r\nMalware – CastleRAT\r\nBehavior – Most of this malware uses phishing and social engineering techniques as its initial attack\r\nvector. Apart from these techniques, exploitation of vulnerabilities, defense evasion, and persistence\r\ntactics are being observed.\r\n2. 
Threat Actor in Focus\r\nIranian Threat Actor MuddyWater – Expanding Attack Surface\r\nThreat Actor: MuddyWater\r\nAttack Type: Connection Proxy, Credential Dumping, Exploitation of Vulnerabilities, Spear-phishing,\r\nLiving off the Land (LOTL).\r\nObjective: Information theft, Espionage\r\nSuspected Target Technology: Office Suites Software, Operating System, Web Application, Huawei\r\nSuspected Target Geography: Austria, Azerbaijan, Bahrain, Belarus, Central Asia, Egypt, Georgia, India,\r\nIran, Iraq, Israel, Jordan, Korea, Mali, Middle East, Pakistan,\r\nRussia, Saudi Arabia, Southwest Asia, Tajikistan, Turkey, Ukraine, United Arab Emirates,\r\nUnited States\r\nSuspected Target Industries: Aerospace \u0026 Defense, Agriculture, Capital Goods, Consumer Services,\r\nEnergy Equipment \u0026 Services, Finance, Food, Gaming, High Tech, IT Service Providers, Individuals,\r\nMedia \u0026 Entertainment, Military, NGO, Natural Resources, Oil \u0026 Gas, Politics, Telecommunication\r\nServices, Transportation, Construction, Cryptocurrency, Education, Engineering, Government, Healthcare,\r\nMetals.\r\nBusiness Impact: Data Theft, Operational Disruption, Reputational Damage\r\nAbout the Threat Actor\r\nMuddyWater is an APT group that primarily targets victims in the Middle East, employing in-memory attack\r\ntechniques via PowerShell. Their operations fall under the “Living off the Land” category, as they avoid creating\r\nnew binaries on the victim’s system, which helps maintain a low detection profile and minimal forensic footprint.\r\nThe threat actor continues to expand its attack surface by diversifying its tooling, initial access vectors, and\r\nregional targeting.\r\nDetails on Exploited Vulnerabilities\r\nCVE ID Affected Products CVSS Score Exploit Links\r\nCVE-2017-0199 Microsoft Office 7.8 link1, link2, link3\r\nCVE-2017-8759 Microsoft .NET Framework 7.8 link\r\nCVE-2017-11882 Microsoft Office 7.8 link\r\nCVE-2017-17215 Huawei HG532 8.8 –\r\nCVE-2020-0688 Microsoft Exchange software 8.8 link1, link2\r\nTTPs based on MITRE ATT\u0026CK Framework\r\nTactic Technique ID Technique Name\r\nResource Development T1588.002 Obtain Capabilities: Tool\r\nResource Development T1583.006 Acquire Infrastructure: Web Services\r\nInitial Access T1566.001 Phishing: Spearphishing Attachment\r\nInitial Access T1190 Exploit Public-Facing Application\r\nInitial Access T1566.002 Phishing: Spearphishing Link\r\nExecution T1059.001 Command and Scripting Interpreter: PowerShell\r\nExecution T1059.003 Command and Scripting Interpreter: Windows Command Shell\r\nExecution T1059.005 Command and Scripting Interpreter: Visual Basic\r\nExecution T1059.006 Command and Scripting Interpreter: Python\r\nExecution T1059.007 Command and Scripting Interpreter: JavaScript\r\nExecution T1047 Windows Management Instrumentation\r\nExecution T1204.001 User Execution: Malicious Link\r\nExecution T1204.002 User Execution: Malicious File\r\nExecution T1203 Exploitation for Client Execution\r\nExecution T1053.005 Scheduled Task/Job: Scheduled Task\r\nExecution T1559.001 Inter-Process Communication: Component Object Model\r\nExecution T1559.002 Inter-Process Communication: Dynamic Data Exchange\r\nPersistence T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder\r\nPersistence T1574.001 Hijack Execution Flow: DLL\r\nPersistence T1137.001 Office Application Startup: Office Template Macros\r\nPersistence T1053.005 Scheduled Task/Job: Scheduled Task\r\nPrivilege Escalation T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control\r\nPrivilege Escalation T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder\r\nPrivilege Escalation T1574.001 Hijack Execution Flow: DLL\r\nPrivil­ege Escalation T1053.005 Scheduled Task/Job: Scheduled Task\r\nDefense Evasion T1218.003 System Binary Proxy Execution: CMSTP\r\nDefense Evasion T1218.005 System Binary Proxy Execution: Mshta\r\nDefense Evasion T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control\r\nDefense Evasion T1140 Deobfuscate/Decode Files or Information\r\nDefense Evasion T1574.001 Hijack Execution Flow: DLL\r\nDefense Evasion T1562.001 Impair Defenses: Disable or Modify Tools\r\nDefense Evasion T1036.005 Masquerading: Match Legitimate Resource Name or Location\r\nDefense Evasion T1027.010 Obfuscated Files or Information: Command Obfuscation\r\nDefense Evasion T1027.003 Obfuscated Files or Information: Steganography\r\nDefense Evasion T1027.004 Obfuscated Files or Information: Compile After Delivery\r\nDefense Evasion T1218.011 System Binary Proxy Execution: Rundll32\r\nCredential Access T1555 Credentials from Password Stores\r\nCredential Access T1555.003 Credentials from Password Stores: Credentials from Web Browsers\r\nCredential Access T1003.001 OS Credential Dumping: LSASS 
Memory\r\nCredential Access T1003.004 OS Credential Dumping: LSA Secrets\r\nCredential Access T1003.005 OS Credential Dumping: Cached Domain Credentials\r\nCredential Access T1552.001 Unsecured Credentials: Credentials In Files\r\nDiscovery T1083 File and Directory Discovery\r\nDiscovery T1057 Process Discovery\r\nDiscovery T1033 System Owner/User Discovery\r\nDiscovery T1049 System Network Connections Discovery\r\nDiscovery T1016 System Network Configuration Discovery\r\nDiscovery T1087.002 Account Discovery: Domain Account\r\nDiscovery T1082 System Information Discovery\r\nDiscovery T1518 Software Discovery\r\nDiscovery T1518.001 Software Discovery: Security Software Discovery\r\nLateral Movement T1210 Exploitation of Remote Services\r\nCollection T1113 Screen Capture\r\nCollection T1560.001 Archive Collected Data: Archive via Utility\r\nCollection T1074.001 Data Staged: Local Data Staging\r\nCommand and Control T1071.001 Application Layer Protocol: Web Protocols\r\nCommand and Control T1132.001 Data Encoding: Standard Encoding\r\nCommand and Control T1573.001 Encrypted Channel: Symmetric Cryptography\r\nCommand and Control T1105 Ingress Tool Transfer\r\nCommand and Control T1104 Multi-Stage Channels\r\nCommand and Control T1090.002 Proxy: External Proxy\r\nCommand and Control T1219 Remote Access Tools\r\nCommand and Control T1102.002 Web Service: Bidirectional Communication\r\nExfiltration T1041 Exfiltration Over C2 Channel\r\nLatest Developments Observed\r\nThe threat actor is suspected of targeting organizations in Israel and Egypt, leveraging a custom Fooder 
loader\r\ndesigned to deploy the MuddyViper backdoor. The campaign appears to focus on enhancing defense evasion and\r\nmaintaining long-term persistence within compromised environments. Once deployed, the MuddyViper backdoor\r\nenables extensive post-compromise activity, including system information collection, execution of files and shell\r\ncommands, file transfer operations, and the exfiltration of Windows login credentials and browser-stored data.\r\nETLM Insights\r\nMuddyWater, a well-established Iranian threat actor, continues to demonstrate increasing operational maturity,\r\nwith recent insights showing expanded regional targeting, greater use of custom loaders, and a growing reliance\r\non compromised credentials and exposed services for initial access. Their campaigns frequently combine living-off-the-land techniques with modular backdoors to maintain persistence, evade detection, and enable long-term\r\nespionage activities. Overall, the threat actor represents a persistent, adaptive, and geopolitically motivated cyber-espionage threat.\r\nThe actor’s primary objectives center on information theft and strategic intelligence collection, including:\r\nSustaining long-term access to government and critical infrastructure networks.\r\nGathering political, military, and strategic intelligence.\r\nMonitoring and surveillance of energy, telecommunications, and high-technology ecosystems.\r\nIOCs:\r\nKindly refer to the IOCs section to exercise control of your security systems.\r\nYARA Rules\r\nrule APT_MuddyWater_Generic\r\n{\r\n    meta:\r\n        description = \"Generic detection for MuddyWater malware families (PowGoop, MuddyViper, loaders)\"\r\n        author = \"CYFIRMA\"\r\n        threat_actor = \"MuddyWater (Iran)\"\r\n        date = \"2025-01-01\"\r\n    strings:\r\n        // Common MuddyWater PowerShell patterns\r\n        $ps1 = \"IEX (New-Object Net.WebClient).DownloadString\" nocase\r\n        $ps2 = \"FromBase64String\" nocase\r\n        $ps3 = \"Invoke-Expression\" nocase\r\n        $ps4 = \"System.Net.WebRequest\" 
nocase\r\n        // MuddyViper / Fooder loader artifacts (publicly documented)\r\n        $mv1 = \"MuddyViper\" wide ascii\r\n        $mv2 = \"FooderLoader\" wide ascii\r\n        $mv3 = \"viper_execute\" ascii\r\n        // Known C2-related patterns (genericized)\r\n        $c2_1 = \"/gate.php\" ascii\r\n        $c2_2 = \"/index.php?id=\" ascii\r\n        // MuddyWater obfuscation markers\r\n        $obf1 = \"PowerShell -ExecutionPolicy Bypass\" nocase\r\n        $obf2 = \"Add-Type -TypeDefinition\" nocase\r\n        // DLL loader characteristics\r\n        $dll1 = \"ExportedFunction\" ascii\r\n        $dll2 = \"LoadLibraryA\" ascii\r\n    condition:\r\n        // PE file (MZ header) carrying the PowerShell download/decode patterns plus at least one family, C2, obfuscation or loader marker\r\n        (uint16(0) == 0x5A4D) and 3 of ($ps*) and\r\n        1 of ($mv*, $dll*, $obf*, $c2_*)\r\n}\r\nRecommendations\r\nStrategic\r\nIncorporate Digital Risk Protection (DRP) as part of the overall security posture to proactively defend\r\nagainst impersonations and phishing attacks.\r\nAssess and deploy alternatives for an advanced endpoint protection solution that provides\r\ndetection/prevention for malware and malicious activities that do not rely on signature-based detection\r\nmethods.\r\nManagement\r\nLook for email security solutions that use ML- and AI-based anti-phishing technology for BEC protection\r\nto analyze conversation history to detect anomalies, as well as computer vision to analyze suspect links\r\nwithin emails.\r\nRegularly reinforce awareness of unauthorized attempts with end-users across the environment and\r\nemphasize the human weakness in mandatory information security training sessions.\r\nTactical\r\nBuild and undertake safeguarding measures by monitoring/blocking the IOCs and strengthening defence\r\nbased on the tactical intelligence provided.\r\nFor better protection coverage against email attacks (like spear phishing, business email compromise, or\r\ncredential phishing attacks), organizations should augment built-in email security with layers 
that take a\r\nmaterially different approach to threat detection.\r\nProtect accounts with multi-factor authentication. Exert caution when opening email attachments or\r\nclicking on embedded links supplied via email communications, SMS, or messaging.\r\nPatch software/applications as soon as updates are available. Where feasible, automated remediation\r\nshould be deployed since vulnerabilities are one of the top attack vectors.\r\nAdd the YARA rule for threat detection and monitoring, which will help detect anomalies in log events and\r\nidentify and monitor suspicious activities.\r\n3. Major Geopolitical Developments in Cybersecurity\r\nUS and Canadian intelligence agencies outline a Chinese hacking campaign\r\nThe U.S. Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the\r\nCanadian Centre for Cyber Security have jointly released a report on a Chinese state-sponsored malware\r\ncampaign dubbed BRICKSTORM. BRICKSTORM is a sophisticated backdoor that targets both VMware vSphere\r\nenvironments (primarily vCenter servers and ESXi hosts) and Windows systems. Once attackers gain access to a\r\ncompromised vCenter management console, they can steal cloned virtual machine snapshots to extract credentials\r\noffline and deploy hidden, rogue virtual machines for persistent access and further operations.\r\nETLM Assessment:\r\nNo specific APT designation (e.g., Volt Typhoon) has been publicly tied to the campaign yet, but it aligns with\r\nbroader Chinese campaigns against critical infrastructure, and especially those aimed at accessing government entities and their\r\nclassified data. The campaign highlights ongoing Chinese efforts to compromise virtualization infrastructure for\r\nespionage and long-term network persistence.\r\n4. 
Rise in Malware/Ransomware and Phishing\r\nINC Ransomware Impacts YAZAKI Corp\r\nAttack Type: Ransomware\r\nTarget Industry: Manufacturing\r\nTarget Geography: Japan\r\nRansomware: INC Ransomware\r\nObjective: Data Theft, Data Encryption, Financial Gains\r\nBusiness Impact: Financial Loss, Data Loss, Reputational Damage\r\nSummary:\r\nCYFIRMA observed in an underground forum that a company from Japan, YAZAKI Corp\r\n(https[:]//www[.]yazaki-group[.]com/), was compromised by INC Ransomware. The Yazaki Group is a global\r\ncompany best known for being a leading supplier of automotive wire harnesses, but it also produces other\r\nproducts like environmental systems and instrumentation equipment. The compromised dataset includes a wide\r\nrange of sensitive information, such as confidential documents, client data, non-disclosure agreements (NDAs),\r\nfinancial and operational records, corporate and HR data (including employee medical records), business\r\nagreements, development materials, technical drawings, technological production requirements, and complete\r\ndocumentation related to the manufacturing of parts for various clients. The total volume of exposed data is\r\nestimated to be approximately 350 GB.\r\nSource: Dark Web\r\nRelevancy \u0026 Insights:\r\nINC Ransomware, also known as Incransom, is a cyber threat that emerged in mid-2023. Incransom uses\r\nstrong encryption algorithms to lock files, making recovery without the decryption key virtually\r\nimpossible. 
The ransomware typically appends specific file extensions to encrypted files, signalling that\r\nthey have been compromised.\r\nIncransom is commonly distributed through:\r\nPhishing emails: Containing malicious attachments or links that, when opened, deploy the ransomware.\r\nMalicious downloads: From compromised websites or software packages.\r\nThe INC Ransomware group primarily targets countries such as the United States of America, Canada,\r\nGermany, Australia, and the United Kingdom.\r\nThe INC Ransomware group primarily targets industries, such as Healthcare, Government \u0026 Civic,\r\nProfessional Goods \u0026 Services, Information Technology, and Consumer Goods \u0026 Services.\r\nBased on the INC Ransomware victims list from 1st Jan 2025 to 9th December 2025, the top 5 Target\r\nCountries are as follows:\r\nThe Top 10 Industries most affected by the INC Ransomware victims list from 1st Jan 2025 to 9th\r\nDecember 2025 are as follows:\r\nETLM Assessment:\r\nBased on recent assessments by CYFIRMA, INC Ransomware represents a significant threat within the evolving\r\nlandscape of ransomware attacks. Its use of strong encryption methods and double extortion tactics highlights the\r\nincreasing sophistication of cybercriminal operations. 
Organizations are advised to enhance their cybersecurity\r\nmeasures by implementing robust defenses against phishing attacks, maintaining updated security protocols, and\r\nmonitoring for unusual network activity to mitigate risks associated with this and other ransomware variants.\r\nContinuous vigilance is essential to protect against the threats posed by emerging ransomware groups like INC\r\nRansomware.\r\nLynx Ransomware Impacts TOC Co., Ltd\r\nAttack Type: Ransomware\r\nTarget Industry: Real Estate, Transportation and Logistics\r\nTarget Geography: Japan\r\nRansomware: Lynx Ransomware\r\nObjective: Data Theft, Data Encryption, Financial Gains\r\nBusiness Impact: Financial Loss, Data Loss, Reputational Damage\r\nSummary:\r\nCYFIRMA observed in an underground forum that a company from Japan, TOC Co., Ltd (www[.]toc[.]co[.]jp),\r\nwas compromised by Lynx Ransomware. The TOC Building is a commercial facility that provides a\r\ncomprehensive floor guide, event information, and tenant details for visitors. The building hosts a variety of shops\r\nand services, including clothing stores, kitchenware, and cafes. It aims to attract a diverse clientele, including\r\nfamilies and individuals looking for shopping and entertainment options. 
The compromised data contains\r\nconfidential and sensitive information belonging to the organization.\r\nSource: Dark Web\r\nRelevancy \u0026 Insights:\r\nThe Lynx Ransomware is confirmed to use a hybrid encryption approach, with AES-128 in CTR mode for\r\nfast file encryption and Curve25519 Donna for robust asymmetric key exchange, ensuring files are only\r\nrecoverable with the attacker’s private key.\r\nLynx provides a comprehensive platform for affiliates, including tools for managing victims, negotiating\r\nransoms, and sharing access with sub-affiliates.\r\nThe Lynx Ransomware group primarily targets countries such as the United States of America, Germany,\r\nCanada, the United Kingdom, and Singapore.\r\nThe Lynx Ransomware group primarily targets industries, including Professional Goods \u0026 Services,\r\nManufacturing, Consumer Goods \u0026 Services, Information Technology, and Real Estate \u0026 Construction.\r\nBased on the Lynx Ransomware victims list from 1st Jan 2025 to 9th December 2025, the top 5 Target\r\nCountries are as follows:\r\nThe Top 10 Industries most affected by the Lynx Ransomware victims list from 1st Jan 2025 to 9th\r\nDecember 2025 are as follows:\r\nETLM Assessment:\r\nAccording to CYFIRMA’s assessment, Lynx ransomware has emerged as a significant threat in the cybersecurity\r\nlandscape, leveraging advanced encryption and double extortion tactics to target small and medium-sized\r\nbusinesses. Its structured affiliate program and versatile ransomware toolkit make it a formidable force in the\r\nRaaS ecosystem.\r\n5. 
Vulnerabilities and Exploits\r\nVulnerability in PgBouncer\r\nAttack Type: Vulnerabilities \u0026 Exploits\r\nTarget Technology: Server application\r\nVulnerability: CVE-2025-12819\r\nCVSS Base Score: 7.5\r\nVulnerability Type: Untrusted Search Path\r\nSummary: The vulnerability allows a remote attacker to execute arbitrary SQL commands.\r\nRelevancy \u0026 Insights:\r\nThe vulnerability exists due to the usage of an untrusted search path passed via the search_path parameter in the\r\nStartupMessage.\r\nImpact:\r\nA remote non-authenticated attacker can send a specially crafted request during authentication and execute\r\narbitrary SQL commands in the database.\r\nAffected Products:\r\nhttps[:]//www[.]pgbouncer[.]org/changelog.html#pgbouncer-125x\r\nRecommendations:\r\nMonitoring and Detection: Implement monitoring and detection mechanisms to identify unusual system behavior\r\nthat might indicate an attempted exploitation of this vulnerability.\r\nTOP 5 AFFECTED TECHNOLOGIES OF THE WEEK\r\nThis week, CYFIRMA researchers have observed significant impacts on various technologies due to a range of\r\nvulnerabilities. The following are the top 5 most affected technologies.\r\nETLM Assessment\r\nVulnerability in PgBouncer can pose significant threats to user privacy and database security. This can impact\r\nvarious industries globally, including technology, finance, healthcare, and enterprise IT. Ensuring the security of\r\nPgBouncer is crucial for maintaining the integrity and protection of PostgreSQL database connections worldwide.\r\nTherefore, addressing these vulnerabilities is essential to safeguarding connection pooling, authentication\r\nmechanisms, and database performance management across different geographic regions and sectors.\r\n6. 
Latest Cyber-Attacks, Incidents, and Breaches\r\nNightSpire Ransomware attacked and published the data of Pioneer Ocean Freight Co., Ltd.\r\nThreat Actor: NightSpire Ransomware\r\nAttack Type: Ransomware\r\nObjective: Data Leak, Financial Gains\r\nTarget Technology: Web Applications\r\nTarget Industry: Transportation and Logistics\r\nTarget Geography: Thailand\r\nBusiness Impact: Operational Disruption, Data Loss, Financial Loss, Potential Reputational Damage\r\nSummary:\r\nRecently, we observed that NightSpire Ransomware attacked and published the data of Pioneer Ocean Freight Co.,\r\nLtd (https[:]//pioneergroup[.]in[.]th/) on its dark web website. Pioneer Group is a freight-forwarding and logistics\r\ncompany based in Thailand, providing sea-air freight forwarding, customs brokerage, inland \u0026 heavy-cargo\r\ntransport, warehousing, packaging, and project-cargo services. The data leak resulting from the ransomware attack\r\nincludes billing information (both incoming and outgoing), employee data, financial records, and other sensitive\r\nand confidential information. The total size of the compromised data is approximately 5 GB.\r\nSource: Dark Web\r\nRelevancy \u0026 Insights:\r\nNightSpire employs a double extortion strategy, encrypting data and threatening to leak stolen information\r\nunless a ransom is paid. 
This approach is typical of modern ransomware groups and adds pressure on\r\nvictims to comply with demands.\r\nNightSpire’s operations show strong influences from existing Ransomware-as-a-Service (RaaS) models,\r\nsuggesting they might be an emerging group or a rebrand of an existing actor.\r\nETLM Assessment:\r\nAccording to CYFIRMA’s assessment, NightSpire is a new ransomware group that emerged in early 2025,\r\nmarking itself as a formidable player in the rapidly evolving ransomware landscape. Despite its recent appearance,\r\nNightSpire has already gained attention for its aggressive tactics and well-structured operations.\r\n7. Data Leaks\r\nBank Mandiri Data Advertised on a Leak Site\r\nAttack Type: Data leak\r\nTarget Industry: Financial Services\r\nTarget Geography: Indonesia\r\nObjective: Financial Gains\r\nBusiness Impact: Data Loss, Reputational Damage\r\nSummary: The CYFIRMA research team has identified claims from a threat actor operating under the name\r\n“BreachLaboratory,” who alleges responsibility for compromising Bank Mandiri.\r\nBank Mandiri is Indonesia’s largest bank by assets, providing a broad range of banking and financial services to\r\nboth corporate clients and individual customers across the country.\r\nAccording to the threat actor’s claims, more than 18,000 financial records were leaked. 
The exposed data\r\nreportedly includes:\r\nPersonal customer information\r\nSWIFT code: BMRIIDJA\r\nAccount setup and configuration details\r\nAccount balance information\r\nFee-related data\r\nDebit card usage records\r\nThese allegations suggest a significant exposure of sensitive financial and customer-related information.\r\nThe authenticity of this breach remains unverified at the time of reporting, as the claim originates solely from the\r\nthreat actor.\r\nSource: Underground Forums\r\nThankQCamping Data Advertised on a Leak Site\r\nAttack Type: Data leak\r\nTarget Industry: Outdoor Recreation and Travel\r\nTarget Geography: South Korea\r\nObjective: Data Theft, Financial Gains\r\nBusiness Impact: Data Loss, Reputational Damage\r\nSummary:\r\nThe CYFIRMA Research team has observed claims made by a threat actor identified as “888,” who alleges\r\nresponsibility for a cybersecurity breach involving ThankQCamping. ThankQCamping is a well-known camping\r\nservice platform in South Korea, reportedly serving over one million users nationwide. According to the threat\r\nactor, the incident took place in December 2025.\r\nThe actor claims that unauthorized access to ThankQCamping’s systems resulted in the theft of proprietary\r\ninformation, specifically the company’s source code. At the time of this report, there is no independent\r\nconfirmation of the incident. 
The details shared are based solely on the threat actor’s statements, and the\r\nauthenticity of the breach has not yet been verified.\r\nSource: Underground Forums\r\nRelevancy \u0026 Insights:\r\nFinancially motivated cybercriminals are continuously looking for exposed and vulnerable systems and\r\napplications to exploit. A significant number of these malicious actors congregate within underground forums,\r\nwhere they discuss cybercrime and trade stolen digital assets. Operating discreetly, these opportunistic attackers\r\ntarget unpatched systems or vulnerabilities in applications to gain access and steal valuable data. Subsequently, the\r\nstolen data is advertised for sale within underground markets, where it can be acquired, repurposed, and utilized\r\nby other malicious actors in further illicit activities.\r\nETLM Assessment:\r\nThe threat actor known as “888” is a highly active and sophisticated group specializing in data-leak operations.\r\nMultiple credible reports link the group to a series of security breaches involving unauthorized system access and\r\nthe sale of stolen data across dark web marketplaces. Their activities reflect the persistent and rapidly evolving\r\ncyber threats emerging from underground communities. These incidents reinforce the need for organizations to\r\nstrengthen their cybersecurity posture through continuous monitoring, advanced threat-intelligence capabilities,\r\nand proactive defense measures to safeguard sensitive data and critical infrastructure.\r\nRecommendations: Enhance the cybersecurity posture by:\r\n1. Update all software products to their latest versions to mitigate the risk of vulnerabilities\r\nbeing exploited.\r\n2. Ensure proper database configuration to mitigate the risk of database-related attacks.\r\n3. 
Establish robust password management policies, incorporating multi-factor authentication and role-based\r\naccess to fortify credential security and prevent unauthorized access.\r\n8. Other Observations\r\nThe CYFIRMA Research team observed that SuKarne, a Mexican multinational corporation and a major player in\r\nthe global meat processing industry with reported revenues of $6.8 billion, has allegedly been compromised. A\r\nthreat actor attempting to sell data on a dark web forum claims to have exported a database containing over 1\r\nmillion rows of user and business information. The dataset is currently listed for sale for $1,000.\r\nAccording to the actor, the compromised data includes 300,000+ unique mobile numbers and 34,000+ unique\r\nemail addresses. Based on the sample logs provided, the exposed fields appear to cover:\r\nFull names (Nombre, Apellidos)\r\nPhysical addresses (Street, City, State, Zip Code)\r\nEmail addresses (Personal and corporate)\r\nPhone and mobile numbers\r\nDates of birth\r\nTax IDs (RFC) and National Identity Codes (CURP)\r\nBank account numbers and financial keys (No. Cuenta Bancaria, Clave de Banco)\r\nJob titles and department details\r\nAnnual revenue figures and credit limits\r\nThe authenticity of this breach remains unverified at the time of reporting, as the claim originates solely from the\r\nthreat actor.\r\nSource: Underground Forums\r\nThe CYFIRMA Research team has identified claims from a threat actor alleging a data breach involving\r\nVolkswagen Mandi, which the actor describes as the target of a cyber incident in December 2025. The claim was\r\nposted on a cybercrime forum, where the threat actor asserts that a large database was exfiltrated from the affected\r\nentity. 
Although the actor explicitly references “Volkswagen Mandi”— potentially pointing to a dealership located\r\nin Mandi, Himachal Pradesh, or an internally labeled database—the breadth of the sample data raises concerns of\r\na much wider impact. Data samples reportedly contain addresses from multiple Indian states, including\r\nMaharashtra, Tamil Nadu, Madhya Pradesh, and Kerala, indicating that the breach may involve a centralized CRM\r\nor lead management system connected to Volkswagen operations across India.\r\nAccording to the threat actor, the allegedly compromised dataset consists of more than 2.5 million records,\r\nencompassing approximately 1.7 million unique phone numbers and 2.1 million unique email addresses. The\r\nstructure and identifiers present in the data suggest it may originate from a Customer Relationship Management\r\n(CRM) platform, with references to systems such as Salesforce and Zoho. 
If accurate, the exposure could have\r\nsignificant implications due to the volume and sensitivity of the information involved.\r\nThe data allegedly exposed in the breach includes the following categories:\r\nIdentity Information:\r\nSalutations, first and last names, titles, and other personal identifiers.\r\nContact Details:\r\nMobile numbers, landline phone numbers, fax numbers, and both business and personal email addresses.\r\nPhysical Address Information:\r\nComplete mailing, billing, and shipping addresses, including street details, cities, states/provinces, postal/ZIP\r\ncodes, and countries.\r\nVehicle-Related Information:\r\nVehicle Identification Numbers (VINs), vehicle details, registration numbers, and test drive history.\r\nAccount and Dealer Data:\r\nAccount IDs, account owners, dealer codes, dealer city information, and system identifiers such as Zoho IDs and\r\nData.com keys.\r\nInternal and Operational Records:\r\nLead source information, purchase agreements, warranty details, service manager names, customer feedback, and\r\nservice-related logs.\r\nAt the time of reporting, these claims remain unverified and are based solely on assertions made by the threat\r\nactor. 
Further validation is required to confirm the authenticity, scope, and impact of the alleged breach.\r\nSource: Underground Forums\r\nSTRATEGIC RECOMMENDATIONS\r\nAttack Surface Management should be adopted by organisations, ensuring that a continuous closed-loop\r\nprocess is created between attack surface monitoring and security testing.\r\nDeploy a unified threat management strategy – including malware detection, deep learning neural networks,\r\nand anti-exploit technology – combined with vulnerability and risk mitigation processes.\r\nIncorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence\r\nagainst external threats targeting unsuspecting customers.\r\nImplement a holistic security strategy that includes controls for attack surface reduction, effective patch\r\nmanagement, and active network monitoring, through next-generation security solutions and a ready-to-go\r\nincident response plan.\r\nCreate risk-based vulnerability management with deep knowledge about each asset. 
Assign a triaged risk\r\nscore based on the type of vulnerability and criticality of the asset to help ensure that the most severe and\r\ndangerous vulnerabilities are dealt with first.\r\nMANAGEMENT RECOMMENDATIONS\r\nTake advantage of global Cyber Intelligence, providing valuable insights on threat actor activity, detection,\r\nand mitigation techniques.\r\nProactively monitor the effectiveness of risk-based information security strategy, the security controls\r\napplied, and the proper implementation of security technologies, followed by corrective actions,\r\nremediations, and lessons learned.\r\nConsider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR)\r\nsecurity systems to compensate for the shortcomings of EDR and SIEM solutions.\r\nTest detection processes to ensure awareness of anomalous events, communicate anomalies in a timely\r\nmanner, and continuously evolve these processes to keep up with refined ransomware threats.\r\nTACTICAL RECOMMENDATIONS\r\nPatch software/applications as soon as updates are available. 
Where feasible, automated remediation\r\nshould be deployed since vulnerabilities are one of the top attack vectors.\r\nConsider using security automation to speed up threat detection, improve incident response, increase the\r\nvisibility of security metrics, and enable rapid execution of security checklists.\r\nBuild and undertake safeguarding measures by monitoring/blocking the IOCs and strengthening defences\r\nbased on the tactical intelligence provided.\r\nDeploy detection technologies that are behavioral anomaly-based to detect ransomware attacks and help to\r\ntake appropriate measures.\r\nImplement a combination of security controls such as reCAPTCHA (Completely Automated Public Turing\r\ntest to tell Computers and Humans Apart), device fingerprinting, IP blacklisting, rate-limiting, and\r\naccount lockout to thwart automated brute-force attacks.\r\nEnsure email and web content filtering uses real-time blocklists, reputation services, and other similar\r\nmechanisms to avoid accepting content from known and potentially malicious sources.\r\nSituational Awareness – Cyber News\r\nPlease find the Geography-Wise and Industry-Wise breakup of cyber news for the last 5 days as part of the\r\nsituational awareness pillar.\r\n
For situational awareness intelligence and specific insights mapped to your organisation’s geography, industry, and\r\ntechnology, please access DeCYFIR.\r\nSource: https://www.cyfirma.com/news/weekly-intelligence-report-12-december-2025/#:~:text=well%2Dstructured%20operations.-,7.%20Data%20Leaks,-Bank%20Mandiri%20Data",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.cyfirma.com/news/weekly-intelligence-report-12-december-2025/#:~:text=well%2Dstructured%20operations.-,7.%20Data%20Leaks,-Bank%20Mandiri%20Data"
	],
	"report_names": [
		"#:~:text=well%2Dstructured%20operations.-,7.%20Data%20Leaks,-Bank%20Mandiri%20Data"
	],
	"threat_actors": [
		{
			"id": "846522d7-29cb-4a0c-8ebe-ffba7429e2d7",
			"created_at": "2023-06-23T02:04:34.793629Z",
			"updated_at": "2026-04-10T02:00:04.971054Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Bronze Silhouette",
				"Dev-0391",
				"Insidious Taurus",
				"Redfly",
				"Storm-0391",
				"UAT-5918",
				"UAT-7237",
				"UNC3236",
				"VOLTZITE",
				"Vanguard Panda"
			],
			"source_name": "ETDA:Volt Typhoon",
			"tools": [
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "02e1c2df-8abd-49b1-91d1-61bc733cf96b",
			"created_at": "2022-10-25T15:50:23.308924Z",
			"updated_at": "2026-04-10T02:00:05.298591Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"MuddyWater",
				"Earth Vetala",
				"Static Kitten",
				"Seedworm",
				"TEMP.Zagros",
				"Mango Sandstorm",
				"TA450"
			],
			"source_name": "MITRE:MuddyWater",
			"tools": [
				"STARWHALE",
				"POWERSTATS",
				"Out1",
				"PowerSploit",
				"Small Sieve",
				"Mori",
				"Mimikatz",
				"LaZagne",
				"PowGoop",
				"CrackMapExec",
				"ConnectWise",
				"SHARPSTATS",
				"RemoteUtilities",
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "9f101d9c-05ea-48b9-b6f1-168cd6d06d12",
			"created_at": "2023-01-06T13:46:39.396409Z",
			"updated_at": "2026-04-10T02:00:03.312816Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"CHROMIUM",
				"ControlX",
				"TAG-22",
				"BRONZE UNIVERSITY",
				"AQUATIC PANDA",
				"RedHotel",
				"Charcoal Typhoon",
				"Red Scylla",
				"Red Dev 10",
				"BountyGlad"
			],
			"source_name": "MISPGALAXY:Earth Lusca",
			"tools": [
				"RouterGod",
				"SprySOCKS",
				"ShadowPad",
				"POISONPLUG",
				"Barlaiy",
				"Spyder",
				"FunnySwitch"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "1a76ed30-4daf-4817-98ae-87c667364464",
			"created_at": "2022-10-25T16:47:55.891029Z",
			"updated_at": "2026-04-10T02:00:03.646466Z",
			"deleted_at": null,
			"main_name": "IRON LIBERTY",
			"aliases": [
				"ALLANITE ",
				"ATK6 ",
				"BROMINE ",
				"CASTLE ",
				"Crouching Yeti ",
				"DYMALLOY ",
				"Dragonfly ",
				"Energetic Bear / Berserk Bear ",
				"Ghost Blizzard ",
				"TEMP.Isotope ",
				"TG-4192 "
			],
			"source_name": "Secureworks:IRON LIBERTY",
			"tools": [
				"ClientX",
				"Ddex Loader",
				"Havex",
				"Karagany",
				"Loek",
				"MCMD",
				"Sysmain",
				"xfrost"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a88747e2-ffed-45d8-b847-8464361b2254",
			"created_at": "2023-11-01T02:01:06.605663Z",
			"updated_at": "2026-04-10T02:00:05.289908Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Volt Typhoon",
				"BRONZE SILHOUETTE",
				"Vanguard Panda",
				"DEV-0391",
				"UNC3236",
				"Voltzite",
				"Insidious Taurus"
			],
			"source_name": "MITRE:Volt Typhoon",
			"tools": [
				"netsh",
				"PsExec",
				"ipconfig",
				"Wevtutil",
				"VersaMem",
				"Tasklist",
				"Mimikatz",
				"Impacket",
				"Systeminfo",
				"netstat",
				"Nltest",
				"certutil",
				"FRP",
				"cmd"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "49b3063e-a96c-4a43-b28b-1c380ae6a64b",
			"created_at": "2025-08-07T02:03:24.661509Z",
			"updated_at": "2026-04-10T02:00:03.644548Z",
			"deleted_at": null,
			"main_name": "BRONZE SILHOUETTE",
			"aliases": [
				"Dev-0391 ",
				"Insidious Taurus ",
				"UNC3236 ",
				"Vanguard Panda ",
				"Volt Typhoon ",
				"Voltzite "
			],
			"source_name": "Secureworks:BRONZE SILHOUETTE",
			"tools": [
				"Living-off-the-land binaries",
				"Web shells"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "18a7b52d-a1cd-43a3-8982-7324e3e676b7",
			"created_at": "2025-08-07T02:03:24.688416Z",
			"updated_at": "2026-04-10T02:00:03.734754Z",
			"deleted_at": null,
			"main_name": "BRONZE UNIVERSITY",
			"aliases": [
				"Aquatic Panda",
				"Aquatic Panda ",
				"CHROMIUM",
				"CHROMIUM ",
				"Charcoal Typhoon",
				"Charcoal Typhoon ",
				"Earth Lusca",
				"Earth Lusca ",
				"FISHMONGER ",
				"Red Dev 10",
				"Red Dev 10 ",
				"Red Scylla",
				"Red Scylla ",
				"RedHotel",
				"RedHotel ",
				"Tag-22",
				"Tag-22 "
			],
			"source_name": "Secureworks:BRONZE UNIVERSITY",
			"tools": [
				"Cobalt Strike",
				"Fishmaster",
				"FunnySwitch",
				"Spyder",
				"njRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "4ed2b20c-7523-4852-833b-cebee8029f55",
			"created_at": "2023-05-26T02:02:03.524749Z",
			"updated_at": "2026-04-10T02:00:03.366175Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"BRONZE SILHOUETTE",
				"VANGUARD PANDA",
				"UNC3236",
				"Insidious Taurus",
				"VOLTZITE",
				"Dev-0391",
				"Storm-0391"
			],
			"source_name": "MISPGALAXY:Volt Typhoon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6abcc917-035c-4e9b-a53f-eaee636749c3",
			"created_at": "2022-10-25T16:07:23.565337Z",
			"updated_at": "2026-04-10T02:00:04.668393Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Bronze University",
				"Charcoal Typhoon",
				"Chromium",
				"G1006",
				"Red Dev 10",
				"Red Scylla"
			],
			"source_name": "ETDA:Earth Lusca",
			"tools": [
				"Agentemis",
				"AntSword",
				"BIOPASS",
				"BIOPASS RAT",
				"BadPotato",
				"Behinder",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"Doraemon",
				"FRP",
				"Fast Reverse Proxy",
				"FunnySwitch",
				"HUC Port Banner Scanner",
				"KTLVdoor",
				"Mimikatz",
				"NBTscan",
				"POISONPLUG.SHADOW",
				"PipeMon",
				"RbDoor",
				"RibDoor",
				"RouterGod",
				"SAMRID",
				"ShadowPad Winnti",
				"SprySOCKS",
				"WinRAR",
				"Winnti",
				"XShellGhost",
				"cobeacon",
				"fscan",
				"lcx",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "4e593873-e92e-491e-a371-605aa1831f4d",
			"created_at": "2026-02-03T02:00:03.4495Z",
			"updated_at": "2026-04-10T02:00:03.946372Z",
			"deleted_at": null,
			"main_name": "BreachLaboratory",
			"aliases": [],
			"source_name": "MISPGALAXY:BreachLaboratory",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d53593c3-2819-4af3-bf16-0c39edc64920",
			"created_at": "2022-10-27T08:27:13.212301Z",
			"updated_at": "2026-04-10T02:00:05.272802Z",
			"deleted_at": null,
			"main_name": "Earth Lusca",
			"aliases": [
				"Earth Lusca",
				"TAG-22",
				"Charcoal Typhoon",
				"CHROMIUM",
				"ControlX"
			],
			"source_name": "MITRE:Earth Lusca",
			"tools": [
				"Mimikatz",
				"PowerSploit",
				"Tasklist",
				"certutil",
				"Cobalt Strike",
				"Winnti for Linux",
				"Nltest",
				"NBTscan",
				"ShadowPad"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434582,
	"ts_updated_at": 1775792207,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/94a0d686474c24bc8ffae9951c46ecfab0bc4156.pdf",
		"text": "https://archive.orkl.eu/94a0d686474c24bc8ffae9951c46ecfab0bc4156.txt",
		"img": "https://archive.orkl.eu/94a0d686474c24bc8ffae9951c46ecfab0bc4156.jpg"
	}
}