Weekly Summary Cyberattacks Aug 14-20
GodRAT – New RAT Targeting Financial Institutions
Security researchers have discovered an ongoing cyber campaign targeting financial institutions, specifically trading and brokerage firms, through the deployment of a new remote access Trojan (RAT) known as GodRAT. The campaign, active since at least September 2024, distributes malicious .scr (screensaver) and .pif (program information file) executable files disguised as financial documents, mainly via Skype Messenger. The malware is a sophisticated evolution of the old Gh0st RAT code base and bears striking similarities to AwesomePuppet RAT, which was previously attributed to the Winnti APT group. The attackers use steganography, embedding shellcode in images that, once decoded, downloads and executes GodRAT from remote command and control (C2) servers. The infection chains also leverage legitimate binaries such as Valve.exe and loaders such as SDL2.dll, both signed with expired digital certificates, to execute hidden shellcode and establish persistence through registry modifications. Once operational, GodRAT communicates with its C2 servers using custom encrypted and compressed packets, transmitting information about the victim's system, such as the operating system version, host name, process IDs, the presence of antivirus software, and user credentials.
Cryptomining Group Kinsing Expands Operations to Russia, Researchers Warn
According to information dated August 18, 2025, Russian cybersecurity researchers have reported that the cryptomining group Kinsing has expanded its operations to Russia in a large-scale campaign targeting vulnerable systems for cryptocurrency mining. The Russia-based cybersecurity firm F6 stated that the attacks began in April and involved infections with Kinsing and XMRig malware, both widely used to mine the cryptocurrency Monero (XMR). While F6 did not disclose which companies were affected, it confirmed that attackers exploited CVE-2017-9841, a critical remote code execution vulnerability in the PHP testing framework PHPUnit. The flaw, patched in 2017 but still exploitable on outdated systems, enabled the hackers to take full control of compromised servers. Kinsing, also known as H2Miner or Resourceful Wolf, has been active since 2019 and is considered one of the most prolific cryptojacking groups. Instead of relying on phishing, the group typically scans networks for software vulnerabilities to deploy malicious code. While most of its attacks have previously been observed in North America, Western Europe, and Asia, this is the first large-scale campaign confirmed in Russia.
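As an added defender-side example (not from the report or from F6), the following Python flags web-server access-log requests for the vendored PHPUnit eval-stdin.php script that CVE-2017-9841 exploitation hits, normalising percent-encoding and case before matching; the log lines are constructed for this example, and the "likely success" heuristic (POST with HTTP 200) is an assumption, not a confirmed indicator from the page.

```python
import re
from urllib.parse import unquote

# Path fragment of the PHPUnit script abused by CVE-2017-9841 (lower-cased for matching).
EVAL_STDIN = "phpunit/src/util/php/eval-stdin.php"

# Constructed sample access log (combined log format); not real traffic.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [18/Aug/2025:10:01:02 +0300] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Aug/2025:10:01:03 +0300] "GET /wp-content/plugins/jetpack/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 0 "-" "python-requests/2.31"
198.51.100.5 - - [18/Aug/2025:10:02:10 +0300] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Aug/2025:10:01:04 +0300] "POST /laravel/vendor/phpunit/phpunit/src/Util/PHP/eval%2Dstdin.php HTTP/1.1" 200 128 "-" "curl/8.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return {"ip": ip, "ts": ts, "method": method, "path": path, "status": int(status)}


def is_phpunit_probe(entry):
    """True when the request path targets eval-stdin.php, after decoding and lower-casing."""
    return EVAL_STDIN in unquote(entry["path"]).lower()


def find_probes(log_text):
    """Return all eval-stdin.php requests, marking POST+200 as likely successful (assumed heuristic)."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_phpunit_probe(entry):
            entry["likely_success"] = entry["method"] == "POST" and entry["status"] == 200
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for h in find_probes(SAMPLE_ACCESS_LOG):
        print(h["ip"], h["method"], h["status"], "likely_success" if h["likely_success"] else "")
```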
PhantomCard: New NFC-Driven Android Malware Emerging in Brazil
Cybersecurity analysts from ThreatFabric have identified a new Android banking Trojan named PhantomCard, currently targeting users in Brazil and potentially expanding worldwide. PhantomCard is an NFC-based malware designed to relay data from victims' banking cards directly to cybercriminals' devices, enabling fraudulent transactions at ATMs or POS terminals as if the criminal physically possessed the victim's card. The malware is distributed through fake Google Play webpages masquerading as a legitimate app called "Proteção Cartões" (Card Protection), supported by fabricated positive reviews to gain victims' trust. Once installed, the malware asks victims to tap their banking cards against the infected phone. PhantomCard captures the card's ISO-DEP (ISO 14443-4) NFC data, transmits it via a relay server under criminal control, and even prompts victims to enter their PIN codes. This enables attackers to authenticate transactions in real time while using the relayed card data at a POS terminal or ATM. Videos posted by the operator show the seamless relay: the victim taps their card on the infected device, and the attacker immediately completes a payment using the relayed card data. Analysis revealed PhantomCard's origins in a Chinese Malware-as-a-Service (MaaS) platform called NFU Pay, which specializes in NFC relay fraud. PhantomCard's reseller, a Brazil-based actor known as Go1ano developer, customized NFU Pay for the local market and is promoting it as GHOST NFC CARD. The campaign is tailored to Brazil, with indicators such as a C2 server endpoint named /baxi/b (Baxi being the Chinese word for Brazil). However, the reseller explicitly markets PhantomCard as a global-ready tool, suggesting adaptations for other regions are possible.
Fictitious Law Firms Targeting Cryptocurrency Scam Victims
According to information dated August 13, 2025, the FBI has issued an updated Public Service Announcement (PSA) warning about fictitious law firms targeting victims of cryptocurrency scams with fraudulent offers to recover lost funds. This scheme builds upon a pattern first highlighted in June 2024 and August 2023, and combines multiple exploitation tactics to further defraud victims, particularly the elderly and financially vulnerable. Criminals impersonate legitimate lawyers and law firms, use forged legal documents with authentic-looking letterheads, and falsely claim affiliation with U.S. and foreign government agencies. In some cases, they invent entirely fictitious regulatory bodies, such as the so-called “International Financial Trading Commission (INTFTC).” These scammers may possess detailed knowledge of the victim’s previous wire transfers and associated third-party companies, exploiting that information to appear credible. Victims are often told they are on a government-compiled list of scam victims eligible for recovery and are referred to fake “crypto recovery law firms.” Fraudsters frequently instruct victims to register accounts with foreign banks, using websites that appear legitimate but are in fact fraudulent platforms controlled by the scammers, and may place them in WhatsApp or other messaging app group chats, claiming it is for secrecy and safety. Here, supposed foreign bank processors and attorneys request payment of fees in cryptocurrency or prepaid gift cards to “verify identity” before funds can be released. They often refuse to provide credentials, avoid appearing on camera, and decline video meetings. Victims are sometimes told to send payments to third-party entities to maintain secrecy. The FBI notes that there are no law firms officially authorized to partner with U.S. Government agencies and warns that legitimate law enforcement agencies never request payment for investigative services.
Between February 2023 and February 2024, victims of these fictitious law firm scams reported additional losses exceeding $9.9 million. The advisory recommends adopting a “Zero Trust” approach, being wary of unsolicited legal offers, demanding verifiable credentials, confirming alleged government affiliations directly with official agencies, and keeping thorough records of interactions. The FBI urges anyone suspecting they have been targeted to report to their local FBI field office and the Internet Crime Complaint Center (IC3).
Cybercrime Groups ShinyHunters, Scattered Spider Join Forces in Extortion Attacks on Businesses
The ShinyHunters and Scattered Spider threat groups appear to be collaborating on a data extortion campaign targeting Salesforce customers, with indications that they may soon target financial and technology service providers. ShinyHunters has evolved from credential theft and database exploitation to Scattered Spider techniques: highly targeted vishing, social engineering, disguised malicious apps, Okta-themed phishing pages, and the use of VPNs for data exfiltration. Since 2020, ShinyHunters has been monetizing breaches through RaidForums and BreachForums and has relaunched BreachForums several times between 2023 and 2025. Recently, French authorities arrested four people allegedly linked to BreachForums and ShinyHunters, although the group claims the arrests are false. On August 8, 2025, a new Telegram channel, “scattered lapsu$ hunters,” emerged, combining the ShinyHunters, Scattered Spider, and LAPSUS$ brands and announcing a RaaS called ShinySp1d3r to compete with LockBit and DragonForce. Telegram removed the channel within three days. Analysts point to tactical overlap, shared attack patterns, and accounts such as “Sp1d3rHunters” linked to previous ShinyHunters breaches, suggesting long-term collaboration. ShinyHunters announced that BreachForums is under the control of French authorities and the FBI, warning that any future reappearance would be a trap.