Weekly Summary Cyberattacks Feb 27- March 05
New method to identify keyloggers based on keyboard shortcuts developed
Cybersecurity researchers have developed a new technique for detecting keyloggers that abuse keyboard shortcuts in Windows. Such malware intercepts keystrokes by registering them as global shortcuts (hotkeys), thus avoiding traditional detection methods such as keyboard hooks. The proposed method is based on analyzing an internal Windows kernel structure called gphkHashTable, which stores information about registered shortcuts. By reverse engineering, the researchers discovered how to access this table and scan it for suspicious patterns, such as the assignment of all alphanumeric keys as global shortcuts, indicating the possible presence of a keylogger. To implement this technique, a device driver was developed to access the kernel memory and analyze the registered keyboard shortcuts in real time. The resulting tool was presented at NULLCON Goa 2025 and is now available for use, offering a new approach to strengthening security on Windows systems.
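The detection heuristic described above, as an added example that is not the researchers' tool: it assumes the hotkey table has already been extracted (for instance by a kernel driver) into a list of (owner process, virtual-key code, modifier mask) entries, and flags any process that registered most of the alphanumeric keys as unmodified global shortcuts. The entry format, the function names and the sample entries are constructed for this illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Windows virtual-key codes for '0'-'9' (0x30-0x39) and 'A'-'Z' (0x41-0x5A)
ALPHANUMERIC_VKS = frozenset(range(0x30, 0x3A)) | frozenset(range(0x41, 0x5B))

# Modifier bits as used by RegisterHotKey: MOD_ALT=1, MOD_CONTROL=2, MOD_SHIFT=4, MOD_WIN=8
MOD_SHIFT, MOD_CONTROL, MOD_WIN = 0x4, 0x2, 0x8


@dataclass(frozen=True)
class HotKeyEntry:
    """One registered hotkey, as a hypothetical driver would report it from the table."""
    pid: int        # owning process
    vk: int         # virtual-key code
    modifiers: int  # modifier bitmask; 0 means the bare key is a global shortcut


def scan_hotkeys(entries, min_coverage=0.9):
    """Return {pid: coverage} for processes whose unmodified hotkeys cover
    at least `min_coverage` of the alphanumeric keys. A legitimate hotkey
    user registers a handful of modified combinations; a hotkey-based
    keylogger has to claim the bare letters and digits to see typing."""
    bare_keys = defaultdict(set)
    for e in entries:
        if e.modifiers == 0 and e.vk in ALPHANUMERIC_VKS:
            bare_keys[e.pid].add(e.vk)
    return {
        pid: len(keys) / len(ALPHANUMERIC_VKS)
        for pid, keys in bare_keys.items()
        if len(keys) / len(ALPHANUMERIC_VKS) >= min_coverage
    }


def sample_scan():
    """Constructed table: pid 1200 behaves like a normal app (Ctrl+Shift+S,
    Win+E), pid 4444 registered every letter and digit with no modifier."""
    benign = [
        HotKeyEntry(1200, ord("S"), MOD_CONTROL | MOD_SHIFT),
        HotKeyEntry(1200, ord("E"), MOD_WIN),
    ]
    suspect = [HotKeyEntry(4444, vk, 0) for vk in sorted(ALPHANUMERIC_VKS)]
    return scan_hotkeys(benign + suspect)


if __name__ == "__main__":
    for pid, coverage in sample_scan().items():
        print(f"pid {pid}: {coverage:.0%} of alphanumeric keys registered as bare hotkeys")
```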
Black Basta and Cactus ransomware groups add BackConnect malware to their arsenal
The Black Basta and Cactus ransomware groups have begun using BackConnect malware to maintain persistent control over compromised machines and exfiltrate sensitive data. These attacks are initiated through social engineering, where attackers impersonate technical support personnel to gain remote access to victims' systems, using tools such as Microsoft Teams and Quick Assist. Once inside, they abuse cloud services and legitimate tools, such as OneDrive, to distribute malware. BackConnect allows attackers to execute commands and steal sensitive information. As of October 2024, most incidents have been reported in North America and Europe. The use of BackConnect, related to QakBot, helps cybercriminals maintain their presence on affected systems. While the attackers' tactics are not innovative, their ability to blend malicious activity into normal corporate workflows makes them more difficult to detect.
Digital evidence discovered in macOS attacks using Rosetta 2
Mandiant researchers have detected that threat actors are exploiting Rosetta 2, Apple's technology that allows applications designed for Intel processors to run on the newer Apple Silicon chips. When running x86-64 binaries on macOS, Rosetta 2 generates ahead-of-time (AOT) translation files, which can serve as evidence in forensic analysis of cyberattacks. It has been observed that cybercriminals use malware compiled for x86-64 due to its higher compatibility and lower execution restrictions compared to ARM64 binaries. Although attackers delete malicious files after compromising systems, AOT files can reveal details about malicious activity, allowing intrusions to be reconstructed. In addition, analysis of system logs and file system events (FSEvents) helps track the execution of these binaries, even when other traces have been removed. Researchers have identified the use of this technique in attacks targeting cryptocurrency organizations. Mandiant warns that, although it has not detected actual cases, modifying AOT files could be a new avenue of attack in the future.
Lotus Blossom cyber espionage group targets multiple industries with new malware variants
Cybersecurity researchers have identified several cyber espionage campaigns targeting the government, manufacturing, telecommunications and media sectors. These attacks have been attributed to the Lotus Blossom group, active since 2012, which employs the Sagerunex malware and other tools to maintain prolonged access to compromised systems. New variants of Sagerunex use traditional command-and-control servers, but also resort to legitimate services such as Dropbox, Twitter and Zimbra to hide their activities. Lotus Blossom implements advanced techniques to ensure its persistence on attacked systems, including modifications to the Windows registry and the execution of commands to steal credentials and sensitive data. Researchers have identified multiple malicious tools used by the group, including cookie stealers, custom proxies and archiving programs to exfiltrate information. The attacks have had particular impact in the Asia-Pacific region, affecting countries such as the Philippines, Vietnam, Hong Kong and Taiwan.
EncryptHub compromises 618 organizations
A cybercriminal group known as EncryptHub, also identified as Larva-208, has managed to infiltrate at least 618 organizations globally since June 2024 through social engineering and phishing attacks. According to the report, attackers use techniques such as fake tech support messages and fraudulent login sites to steal credentials and authentication tokens. Once inside systems, they install remote access software such as AnyDesk and TeamViewer, subsequently deploying infostealer malware, such as Stealc and Rhadamanthys, and in many cases, ransomware. EncryptHub has been identified as maintaining links to groups such as RansomHub and BlackSuit, using its own PowerShell-based encryptor to lock files and demand cryptocurrency ransoms.