Threat Intel

01flip: Multi-Platform Ransomware Written in Rust unit42.paloaltonetworks.com/new-ranso…

In June 2025, we observed a new ransomware family named 01flip targeting a limited set of victims in the Asia-Pacific region. 01flip ransomware is fully written in the Rust programming language and supports multi-platform architectures by leveraging the cross-compilation feature of Rust.

These financially motivated attackers likely carried this out through manual means. We have confirmed an alleged data leak from an affected organization on a dark web forum shortly after the attack. We are currently tracking this activity as CL-CRI-1036, signifying a cluster of malicious activity that is likely related to cybercrime.

Our key findings are: Financially motivated attackers behind CL-CRI-1036 use 01flip ransomware, a newly observed ransomware family purely written in Rust This ransomware supports multi-platform architecture, including Windows and Linux A threat actor potentially associated with CL-CRI-1036 is offering data for sale on dark web forums (likely stolen with 01flip ransomware)

Cracking ValleyRAT: From Builder Secrets to Kernel Rootkits research.checkpoint.com/2025/crac…

Check Point Research (CPR) presents a full dissection of the widely used ValleyRAT backdoor, also known as Winos/Winos4.0, covering its modular architecture and plugin system. By analyzing the publicly leaked builder and development structure (Visual Studio solutions and project files, without source code), we were able to accurately correlate artifacts and reverse engineer the functionality of all “main” plugins. The analysis reveals the advanced skills of the developers behind ValleyRAT, demonstrating deep knowledge of Windows kernel and user-mode internals, and consistent coding patterns suggesting a small, specialized team.

The “Driver Plugin” contains an embedded kernel-mode rootkit that, in some cases, retains valid signatures and remains loadable on fully updated Windows 11 systems, bypassing built-in protection features. Through detailed reverse engineering, previously unknown capabilities were uncovered, including stealthy driver installation, user-mode shellcode injection via APCs, and forceful deletion of AV/EDR drivers.

The detection statistics for ValleyRAT plugins in the wild (ITW), derived from carefully crafted detection rules and verified using both internal telemetry and public services, highlight the recent surge in ValleyRAT usage, with approximately 85% of detected samples appearing in the last six months, coinciding with the public release of the builder.

The research underscores the growing accessibility of the ValleyRAT builder and development artifacts, emphasizing that future usage cannot be easily attributed to specific Chinese-speaking threat actors, such as Silver Fox.

EFF Launches Age Verification Hub as Resource Against Misguided Laws www.eff.org/press/rel…

With ill-advised and dangerous age verification laws proliferating across the United States and around the world, creating surveillance and censorship regimes that will be used to harm both youth and adults, the Electronic Frontier Foundation has launched a new resource hub that will sort through the mess and help people fight back.

Ransomware Victim Warning: The Streisand Effect May Apply www.databreachtoday.com/ransomwar…

Paying off ransomware hackers to avoid notoriety is a losing proposition, finds a study of LockBit victims that identified a correlation between unwanted attention and succumbing to extortionists, as opposed to standing firm. “It seems that paying the ransom doesn’t at all appear to reduce public exposure - if anything, it increases it,” Max Smeets, co-director of Virtual Routes - formerly known as the European Cyber Conflict Research Initiative - said in a keynote presentation at the Black Hat Europe conference in London. Smeets holds research positions at ETH Zurich and Stanford University.

Russia’s flagship airline hacked through little-known tech vendor, according to new report therecord.media/russia-fl…

A cyberattack that forced Russia’s flagship airline to cancel dozens of flights this summer was linked to a little-known Moscow software developer that had maintained access to the carrier’s internal systems, according to a new investigation.

The report by the independent outlet The Bell, which is designated a “foreign agent” in Russia, is based on interviews with anonymous sources close to the company and involved in the incident’s investigation. It offers the most detailed account to date of what has become one of the largest cyberattacks in Russia since the full-scale invasion of Ukraine began.

The breach, which was claimed by the pro-Ukrainian hacker collective Silent Crow and the allied Belarusian Cyber-Partisans, paralyzed Aeroflot’s operations […]. Recorded Future News can not independently verify the report from The Bell, which was founded in 2017 by Russian journalists.

Thousands of Exposed Secrets Found on Docker Hub, Putting Organizations at Risk https://flare.io/learn/resources/docker-hub-secrets-exposed/

For years, there’s been a saying in the security world: hackers don’t need to hack anymore – the keys are handed to them on a silver platter. But is that really true? That question is what sparked our research into exposed secrets on Docker Hub. We designed a methodology to analyze leaked credentials, validate which were real, and investigate their origin:

who they belonged to
the environments they granted access to
the potential blast radius to both the affected organizations and the

wider ecosystem

The findings confirm a new attack paradigm: attackers don’t hack in – they authenticate in – using keys that companies accidentally publish themselves.

HTTPS certificate industry phasing out less secure domain validation methods security.googleblog.com/2025/12/h…

Secure connections are the backbone of the modern web, but a certificate is only as trustworthy as the validation process and issuance practices behind it. Recently, the Chrome Root Program and the CA/Browser Forum have taken decisive steps toward a more secure internet by adopting new security requirements for HTTPS certificate issuers.

These initiatives, driven by Ballots SC-080, SC-090, and SC-091, will sunset 11 legacy methods for Domain Control Validation. By retiring these outdated practices, which rely on weaker verification signals like physical mail, phone calls, or emails, we are closing potential loopholes for attackers and pushing the ecosystem toward automated, cryptographically verifiable security.

To allow affected website operators to transition smoothly, the deprecation will be phased in, with its full security value realized by March 2028.

Microsoft won’t fix .NET RCE bug affecting slew of enterprise apps, researchers say www.theregister.com/2025/12/1…

Security researchers have revealed a .NET security flaw thought to affect a host of enterprise-grade products that they say Microsoft refuses to fix.

Piotr Bazydło, principal vulnerability researcher at watchTowr, unveiled the findings at Black Hat Europe on Wednesday, claiming that several vendor and in-house solutions could be vulnerable to remote code execution (RCE) attacks due to errors in the way applications built on Microsoft’s .NET framework handle Simple Object Access Protocol (SOAP) messages.

The researcher identified the SoapHttpClientProtocol class as the primary culprit, explaining that it can be exploited in different ways to achieve an attacker’s goals. If an attacker can set the target URL to a file system instead of an HTTP web address, the class will ignore the error and then write the SOAP request (which uses the POST method) directly into the file. Bazydło wrote: “Wait, what. Why should a SOAP proxy be able to ‘send’ SOAP requests to a local file? Nobody on this planet expects to receive a valid SOAP response from the filesystem.”

DOJ, CISA warn of Russia-linked attacks targeting meat processing plants, nuclear regulatory entities and other critical infrastructure therecord.media/doj-cisa-…

U.S. agencies warned critical infrastructure organizations this week of attacks launched by multiple Russian groups backed financially by the country’s government. The Cybersecurity and Infrastructure Security Agency (CISA), alongside several other U.S. and international agencies, released an advisory covering the cyberattacks launched by CyberArmyofRussia_Reborn (CARR), NoName057(16) and several related groups.

The advisory covers the tactics the groups have used since 2022 to target the water, energy and food sectors. The advisory said the groups have a “low level” of technical knowledge and frequently misunderstand the processes they aim to disrupt. The group’s actions often result in “haphazard attacks where actors intend to cause physical damage but cannot accurately anticipate actual impact.”

New DroidLock malware locks Android devices and demands a ransom www.bleepingcomputer.com/news/secu…

A newly discovered Android malware dubbed DroidLock can lock victims’ screens for ransom and access text messages, call logs, contacts, audio recordings, or even erase data. DroidLLock allows its operator to take complete control of the device via the VNC sharing system and can steal the device lock pattern by placing an overlay on the screen.

According to researchers at mobile security company Zimperium, the malware targets Spanish-speaking users and is distributed through malicious websites promoting fake applications that impersonate legitimate packages. In a report today, Zimperium says that the “infection starts with a dropper that deceives the user into installing the secondary payload that contains the actual malware.”

Some of the actions it can take are wiping the device, locking it, changing the PIN, password, or biometric data to prevent the user from accessing the device. Zimperium clarifies that DroidLock does not encrypt files, but by threatening to destroy them unless a ransom is paid, the same purpose is achieved. Additionally, the threat actor can deny access to the device by changing the lock code. DroidLock can steal the lock pattern through another overlay loaded from the malicious APK’s assets. When the user draws the pattern on the cloned interface, they send it directly to the attacker. The purpose of this feature is to allow remote access to the device through VNC at idle times.

700+ self-hosted Gits battered in 0-day attacks with no fix imminent www.theregister.com/2025/12/1…

Attackers are actively exploiting a zero-day bug in Gogs, a popular self-hosted Git service, and the open source project doesn’t yet have a fix. More than half of internet-exposed instances are already compromised.

Uncovering Hidden Forensic Evidence in Windows: The Mystery of AutoLogger-Diagtrack-Listener.etl www.fortinet.com/blog/thre…

During a recent incident response engagement, FortiGuard IR services (FGIR) responded to a ransomware attack where the threat actor heavily used anti forensic techniques to cover their tracks and to avoid their malware getting into the hands of researchers. They attempted to achieve this by deleting files and folders they had created, clearing logs and obfuscating malware.

While analyzing a disk image of a compromised Windows Server 2016 system, FGIR was able to identify historical evidence of deleted malware and tools used by the threat actor, inside an obscure ETL file called AutoLogger-Diagtrack-Listener.etl. ETL files are generated by the Windows ETW (Event Tracing for Windows) infrastructure.

Inside Shanya, a packer-as-a-service fueling modern attacks news.sophos.com/en-us/202…

We have covered packer-as-a-service offerings from the computer underworld in the past, previously dissecting impersonation campaigns and the rise of HeartCrypt, both popular among ransomware groups. However, it is a fast-changing landscape, and now we are watching a new incarnation of the same type of service: the Shanya crypter — already favored by ransomware groups and taking over (to some degree) the role that HeartCrypt has played in the ransomware toolkit. We’ll look at its apparent origins, unpack the code, and examine a targeted infection leveraging this tool.

To give a sense of how this packer manifests in the wild, we’ll look briefly at a malware distribution campaign that utilized Shanya, in this case to target hotels. The final payload here has been identified by RecordedFuture as CastleRAT.

GrayBravo’s CastleLoader Activity Clusters Target Multiple Industries www.recordedfuture.com/research/…

Insikt Group continues to monitor GrayBravo (formerly tracked as TAG-150), a technically sophisticated and rapidly evolving threat actor first identified in September 2025. GrayBravo demonstrates strong adaptability, responsiveness to public exposure, and operates a large-scale, multi-layered infrastructure. Recent analysis of GrayBravo’s ecosystem uncovered four distinct activity clusters leveraging the group’s CastleLoader malware, each defined by unique tactics, techniques, and victim profiles. These findings reinforce the assessment that GrayBravo operates a malware-as-a-service (MaaS) model.

For example, one cluster, tracked as TAG-160, impersonates global logistics firms, using phishing lures and the ClickFix technique to distribute CastleLoader while spoofing legitimate emails and exploiting freight-matching platforms to target victims. Another cluster, tracked as TAG-161, impersonates Booking.com, also employing ClickFix to deliver CastleLoader and Matanbuchus and novel phishing email management tools. Further investigation through historical panel analysis linked the online persona “Sparja”, a user active on Exploit Forums, to potential GrayBravo-associated activities, based on the alias’s distinctiveness and related discussion topics.

Infostealer has entered the chat www.kaspersky.com/blog/shar…

A new wave of ClickFix attacks spreading a macOS infostealer are posting malicious user guides on the official ChatGPT website by piggybacking the chatbot’s chat-sharing feature.

To attract victims, the malicious actors place paid search ads on Google. Clicking the ad does indeed open chatgpt.com, and the victim sees a brief installation guide for the “Atlas browser”. The careful user will immediately realize this is simply some anonymous visitor’s conversation with ChatGPT, which the author made public using the Share feature. However, a less careful or just less AI-savvy visitor might take the guide at face value — especially since it’s neatly formatted and published on a trustworthy-looking site.

Notably, the malicious actors used prompt engineering to get ChatGPT to produce the exact guide they needed, and were then able to clean up their preceding dialog to avoid raising suspicion.

To install the “Atlas browser”, users are instructed to copy a single line of code from the chat, open Terminal on their Macs, paste and execute the command, and then grant all required permissions. If the user falls for the ruse, a common infostealer known as AMOS (Atomic macOS Stealer) will launch on their computer.

Goodbye, dark Telegram: Blocks are pushing the underground out https://securelist.com/goodbye-dark-telegram/118286/

Telegram has won over users worldwide, and cybercriminals are no exception. While the average user chooses a messaging app based on convenience, user experience and stability (and perhaps, cool stickers), cybercriminals evaluate platforms through a different lens.

When it comes to anonymity, privacy and application independence – essential criteria for a shadow messaging app – Telegram is not as strong as its direct competitors.

It lacks default end-to-end (E2E) encryption for chats.
It has a centralized infrastructure: users cannot set up their own servers

for communication. Its server-side code is closed: users cannot verify what it does.

Key findings: The median lifespan of a shadow Telegram channel increased from five months in 2021–2022 to nine months in 2023–2024. The frequency of blocking cybercrime channels has been growing since October 2024. Cybercriminals have been migrating to other messaging services due to frequent blocks by Telegram.

Ransomware IAB abuses EDR for stealthy malware execution www.bleepingcomputer.com/news/secu…

An initial access broker tracked as Storm-0249 is abusing endpoint detection and response solutions and trusted Microsoft Windows utilities to load malware, establish communication, and persistence in preparation for ransomware attacks. In one attack analyzed by researchers at cybersecurity company ReliaQuest, Storm-0249 leveraged the SentinelOne EDR components to hide malicious activity. However, researchers say that the same method works with other EDR products, as well.

ReliaQuest says that the Storm-0249 attack started with ClickFix social engineering that tricked users into pasting and executing curl commands in the Windows Run dialog to download a malicious MSI package with SYSTEM privileges. Once the attacker gains access, they use the SentinelOne component to collect system identifiers through legitimate Windows utilities like reg.exe and findstr.exe, and to funnel encrypted HTTPS command-and-control (C2) traffic. The abuse of trusted, signed EDR processes bypasses nearly all traditional monitoring.

ReliaQuest explains that the compromised systems are profiled using ‘MachineGuid,’ a unique hardware-based identifier that ransomware groups like LockBit and ALPHV use for binding encryption keys to specific victims. This suggests that Storm-0249 conducts initial access compromises tailored to the needs of its typical customers, ransomware affiliates.

Malicious VSCode extensions on Microsoft’s registry drop infostealers www.bleepingcomputer.com/news/secu…

Two malicious extensions on Microsoft’s Visual Studio Code Marketplace infect developers' machines with information-stealing malware that can take screenshots, steal credentials, crypto wallets, and hijack browser sessions.

The two malicious extensions, called Bitcoin Black and Codo AI, masquerade as a color theme and an AI assistant, respectively, and were published under the developer name ‘BigBlack.’ At the time of writing, Codo AI was still present in the marketplace, although it counted fewer than 30 downloads. Bitcoin Black’s counter showed only one install.