< Back
A Trojan Horse 2.0

Tags:

Threat intelligence
30 July 2025

Weekly Summary Cyberattacks July 24-30

Gunra Ransomware Group Unveils Efficient Linux Variant

According to information dated July 29, 2025, a newly uncovered Linux variant of the Gunra ransomware significantly broadens the threat group's cross-platform capabilities, marking a strategic expansion beyond its original targeting of Windows systems. First observed in April 2025, Gunra ransomware has already impacted organizations in various countries, including Brazil, Japan, Canada, Turkey, South Korea, Taiwan, and the United States, affecting sectors such as healthcare, manufacturing, IT, agriculture, legal, and consulting. The Linux variant demonstrates advanced features that emphasize speed, configurability, and stealth. It supports up to 100 concurrent encryption threads, far exceeding the capacity seen in other ransomware like BERT, which caps at 50. Unlike its Windows counterpart, this Linux variant does not drop a ransom note, focusing purely on stealthy and configurable encryption. Encrypted files are renamed with the .ENCRT extension, and no direct communication or demands are made on the infected system. This suggests a strategy where ransom negotiations and extortion may occur through other channels, such as leak sites. Trend's threat intelligence links Gunra's activities to previously observed Conti ransomware techniques. The group allegedly leaked 40 terabytes of data from a Dubai hospital in May 2025 and has claimed 14 victims so far on its leak site. These include government organizations and companies in critical infrastructure sectors such as healthcare and transportation. 

ToxicPanda: The Android Banking Trojan Targeting Europe 

According to information dated July 28, 2025, a rapidly evolving Android banking malware named ToxicPanda has been identified as a growing threat across Europe, particularly in Portugal and Spain, after initially targeting Southeast Asia and Italy. First uncovered by Trend Micro in 2022 and later detailed by Cleafy and TRACE, ToxicPanda is a sophisticated banking trojan engineered to steal credentials, bypass two-factor authentication, and perform unauthorized transactions through the abuse of Android accessibility features. The malware uses phishing overlays that mimic real banking apps and captures sensitive data through custom-designed WebViews, enabling full control of infected devices via accessibility permissions. In 2025, infections spiked to 4,500 devices at their peak, with 3,000 in Portugal and 1,000 in Spain, collectively accounting for over 85% of observed global infections. Samsung, Xiaomi, and Oppo devices (especially mid-range series like Galaxy A and Redmi) make up the majority of cases, though newer models like Samsung's S23 have also been compromised. Evidence within the malware's source code hints at Chinese origins, including residual Mandarin-language strings. The evolving toolset and infrastructure, along with TAG-124's shared malware delivery platform, strongly suggest that ToxicPanda is not a one-off campaign. 

Hackers Use Weaponized .HTA Files to Infect Victims with Red Ransomware   

CloudSEK's TRIAD team has uncovered an ongoing global campaign leveraging the Epsilon Red ransomware. Threat actors are exploiting fake ClickFix verification pages to lure users into executing .HTA files via ActiveX controls, which results in the silent download and execution of ransomware payloads. This campaign, which has been active since at least July 2025, employs social engineering tactics that mimic well-known platforms, including Discord, Twitch, Kick, OnlyFans, and romance/dating services, to increase credibility and deceive victims. Instead of merely copying commands to the clipboard, as in earlier variants, this campaign redirects users to a secondary page where shell commands are executed silently through ActiveX objects, such as WScript.Shell. Once activated, the script downloads and executes a malicious binary from the attacker's infrastructure. This payload is associated with Epsilon Red ransomware, which encrypts the victim's files. Additionally, the attacker infrastructure includes domains impersonating trusted brands to reduce suspicion. The malware delivery method exploits legacy Windows scripting technologies (ActiveX and WSH), allowing the execution of commands directly from the browser and bypassing standard protections. Fake verification messages and amateurish typos are used to make the attack appear less threatening, thereby increasing the likelihood of user compliance. The threat actors appear to maintain persistent, themed infrastructure, indicating long-term operational planning. 

BlackSuit Ransomware Sites Seized in Operation Checkmate

The dark web extortion sites of the BlackSuit ransomware operation, which has targeted and breached the networks of hundreds of organizations worldwide over the past several years, were seized by law enforcement. The seized sites include the dark web data leak blogs and negotiation sites used to extort victims into paying a ransom demand. The takedown was confirmed by the U.S. Department of Justice and was part of a joint international investigation codenamed Operation Checkmate. Operation Checkmate included other law enforcement authorities such as the U.S. Secret Service, the Dutch National Police, the German State Criminal Police Office, the U.K. National Crime Agency, the Frankfurt General Prosecutor's Office, the Justice Department, the Ukrainian Cyber Police, Europol, and others. Other researchers have reportedly found evidence suggesting the BlackSuit ransomware gang is likely to rebrand itself once again as Chaos ransomware.  

NPM Package Compromised in Supply-Chain Attack   

According to information dated July 23, 2025, the NPM package 'is' has been compromised in a supply chain attack that injected backdoor malware, giving attackers full access to compromised devices. The 'is' package is a JavaScript utility library that provides a wide variety of type checking and value validation functions. The package has seen over 2.8 million weekly downloads and was compromised in a supply chain attack after the maintainers' accounts were hijacked via phishing using a fake domain (npnjs[.]com). The phishing campaign led to unauthorized owner changes that went unnoticed for several hours, potentially compromising many developers who downloaded the new releases. On July 19, 2025, it was announced that versions 3.3.1 through 5.0.0 contained malware and were removed roughly 6 hours after threat actors submitted them to npm. The malicious versions included a cross-platform JavaScript malware loader that opens a WebSocket-based backdoor, collecting system info and environment variables, and allowing attackers to execute arbitrary JavaScript remotely. Other packages, compromised in the same attack, were also confirmed to be pushing malware. These also carried a Windows infostealer named Scavanger, designed to steal browser-stored credentials and sensitive data, featuring evasion techniques such as encrypted C2 and indirect syscalls. Researchers warn that the threat actors may have compromised additional maintainer credentials and could be preparing to experiment with stealthier payloads on new software packages.