Weekly Summary Cyberattacks August 21-27
Phishing Campaign Targeting Companies via UpCrypter
Researchers from FortiGuard Labs have identified an ongoing phishing campaign delivering the UpCrypter malware through fake voicemails and fraudulent purchase orders. The campaign targets Microsoft Windows environments and relies on highly personalized phishing emails that carry malicious HTML attachments. These attachments redirect users to spoofed websites customized with the victim's domain and logo to enhance credibility. The objective is to trick victims into downloading a ZIP archive that contains heavily obfuscated JavaScript droppers. The JavaScript droppers decode and silently execute PowerShell commands, bypassing the execution policy, and launch an MSIL loader in memory. This loader incorporates multiple layers of anti-analysis and anti-virtualization techniques, including checks for forensic tools, sandbox environments, virtual machine artifacts, and debugging utilities. If suspicious conditions are detected, the malware forces a system restart to disrupt analysis. Once operational, the loader retrieves further payloads from multiple attacker-controlled domains, often disguising malicious code as plain text or embedding it within images using steganography. The loader deploys additional malware in memory through obfuscated PowerShell scripts and .NET reflection, avoiding disk-based indicators. Persistence is achieved by modifying registry Run keys to ensure execution at system startup. Ultimately, the campaign delivers several Remote Access Tools (RATs), including PureHVNC, DCRat, and Babylon RAT, which grant attackers full remote control over compromised systems. These capabilities enable long-term persistence, data theft, lateral movement, and further exploitation of corporate networks. Telemetry data suggests that the campaign is global in scope and rapidly expanding, with detection counts doubling in two weeks. Affected industries include manufacturing, technology, healthcare, construction, and retail/hospitality.
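The execution chain above (JavaScript dropper, hidden PowerShell with an execution policy bypass, encoded command, Run key persistence) is the part a defender can catch in process-creation telemetry. The following is an added example, not FortiGuard's detection logic: it decodes PowerShell's -EncodedCommand argument (Base64 over UTF-16LE) and flags the traits of each event. The log format (key=value fields separated by " | ") and the events in SAMPLE_LOG are constructed for illustration; real EDR and Sysmon schemas differ.

```python
"""Flag the script-host -> PowerShell chain in process-creation logs.

Added example, not FortiGuard's detection logic. The log format and the
events in SAMPLE_LOG are constructed for illustration.
"""
import base64
import re
from typing import Dict, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
BYPASS_FLAG = re.compile(r"-(?:ep|ex|exec|executionpolicy)\s+bypass", re.I)
HIDDEN_FLAG = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
ENCODED_CMD = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\b", re.I)


def encode_command(script: str) -> str:
    """Build a -EncodedCommand argument the way PowerShell expects it:
    Base64 over the UTF-16LE bytes of the script."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


def decode_encoded_command(b64: str) -> str:
    """Reverse of encode_command; tolerates stripped '=' padding."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    return raw.decode("utf-16-le", errors="replace")


def parse_line(line: str) -> Dict[str, str]:
    """Split one constructed 'key=value | key=value' event into fields."""
    fields: Dict[str, str] = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def analyse(line: str) -> Dict[str, object]:
    """Return the suspicious traits of one process-creation event."""
    ev = parse_line(line)
    image, parent = basename(ev.get("image", "")), basename(ev.get("parent", ""))
    cmd = ev.get("cmdline", "")
    findings: List[str] = []
    decoded = ""
    if image == "powershell.exe" and parent in SCRIPT_HOSTS:
        findings.append("script host spawned powershell")
    if BYPASS_FLAG.search(cmd):
        findings.append("execution policy bypass")
    if HIDDEN_FLAG.search(cmd):
        findings.append("hidden window")
    match = ENCODED_CMD.search(cmd)
    if match:
        decoded = decode_encoded_command(match.group(1))
        findings.append("encoded command")
    # The Run key write is usually hidden inside the Base64 blob, so the
    # persistence check runs over the decoded payload as well as the raw line.
    if RUN_KEY.search(cmd) or RUN_KEY.search(decoded):
        findings.append("Run key persistence")
    return {"findings": findings, "decoded": decoded}


# Constructed sample: a JS dropper (wscript.exe) launching a hidden, encoded
# PowerShell command that registers a Run key, next to a benign event.
SAMPLE_SCRIPT = ("Set-ItemProperty HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
                 " -Name Updater -Value C:\\Users\\Public\\u.ps1")
SAMPLE_LOG = [
    "parent=C:\\Windows\\System32\\wscript.exe"
    " | image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    " | cmdline=powershell.exe -ep bypass -w hidden -enc " + encode_command(SAMPLE_SCRIPT),
    "parent=C:\\Windows\\explorer.exe | image=C:\\Windows\\System32\\notepad.exe"
    " | cmdline=notepad.exe notes.txt",
]

if __name__ == "__main__":
    for event in SAMPLE_LOG:
        print(analyse(event))
```

The decode step matters more than the flag matching: the flags are trivially varied by the attacker, while the decoded script exposes the registry path, the dropped file location and the download URLs that can be pivoted on.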
The sophistication of UpCrypter as a loader framework, continuously updated and actively demonstrated by its developer Pjoao1578, underscores its role as a central tool in this evolving threat ecosystem. This campaign highlights a dangerous evolution from basic phishing attempts to complete, multi-stage intrusion operations capable of sustained compromise across diverse environments.
New Variant of the Hook Android Banking Trojan Uncovered
A new variant of the Hook Android banking trojan was identified, labeled as Version 3, which incorporates some of the most advanced malicious functionalities ever observed in this malware family. The trojan introduces ransomware-style overlays designed to extort victims, fake NFC scanning overlays to capture sensitive information, deceptive lock screen overlays to steal PINs and patterns, transparent gesture-capturing overlays, and real-time screen streaming capabilities for attackers to monitor victims directly. This latest release expands Hook’s remote command set to 107, with 38 new instructions that enable attackers to hijack sessions, steal data, and bypass multiple security controls. Researchers highlight that the malware is not only being distributed through phishing campaigns but is also increasingly spread via GitHub repositories, where adversaries host malicious APKs disguised as legitimate applications. Other malware families such as Ermac, Brokewell, and various SMS spyware are also being disseminated in the same way, indicating a broader trend of threat actors exploiting open platforms for distribution. Hook v3 continues to rely on Android Accessibility Services to automate actions, but the expanded command set provides attackers with powerful new tools. These include ransomware overlays triggered by remote commands, fraudulent card-phishing overlays mimicking Google Pay, and the ability to bypass lock screens by simulating PIN or pattern entry. The malware also integrates functions to steal cookies, session tokens, device accounts, photos, contacts, SMS, call logs, and clipboard data, as well as to initiate calls, forward SMS messages, capture audio, and remotely control the device through HVNC and VNC streaming sessions.
Cryptojacking Campaign by TA-NATALSTATUS Escalating Globally in 2025
A highly sophisticated cryptojacking campaign attributed to the threat actor group TA-NATALSTATUS was identified, active since 2020 and now expanding globally. The group exploits exposed Redis servers to gain root-level access, install cryptocurrency miners, disable defenses, eliminate competing malware, and establish persistent control over compromised infrastructure. Unlike typical "smash-and-grab" mining campaigns, TA-NATALSTATUS has developed a disciplined, long-term strategy, turning vulnerable servers into durable assets for mining Monero. The operation leverages widespread server misconfigurations. Data shows a striking percentage of Redis servers remain exposed worldwide: 41% in Finland, 39% in Russia, 33% in Germany, 29% in India, 27% in the UK, and 17% in the United States. Tens of thousands of servers globally are at risk, with exploitation based on legitimate Redis commands rather than zero-day vulnerabilities. TA-NATALSTATUS has evolved considerably since its early campaigns in 2020.
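Because the campaign abuses legitimate Redis commands on misconfigured, internet-exposed instances rather than a vulnerability, the fix is configuration. The following is an added example, not part of the original report: a small audit of the redis.conf directives that decide whether an unauthenticated remote client can reach the instance and run CONFIG, shown against a constructed exposed configuration and its hardened counterpart.

```python
"""Audit a redis.conf for the exposure pattern abused by Redis cryptojacking.

Added example, not from the original report. Only the directives that decide
whether an unauthenticated internet client can talk to the instance are
checked: bind, protected-mode, requirepass/user (ACL) and rename-command.
Both configs at the bottom are constructed for illustration.
"""
from typing import Dict, List

WILDCARD_BINDS = {"0.0.0.0", "*", "::", "::*"}
# CONFIG is what lets a remote client redirect the database file to an
# arbitrary path; the rest hijack or wipe the instance.
DANGEROUS = ("config", "debug", "flushall", "slaveof", "replicaof")


def parse_conf(text: str) -> Dict[str, List[List[str]]]:
    """Map lower-cased directive -> list of argument lists (directives repeat)."""
    conf: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, *args = line.split()
        conf.setdefault(name.lower(), []).append(args)
    return conf


def audit(text: str) -> List[str]:
    conf = parse_conf(text)
    findings: List[str] = []

    # No bind directive at all means Redis listens on every interface.
    binds = [b for args in conf.get("bind", []) for b in args]
    if not binds:
        findings.append("no bind directive: Redis listens on every interface")
    elif any(b.lstrip("-") in WILDCARD_BINDS for b in binds):
        findings.append("bind includes a wildcard address: " + " ".join(binds))

    # protected-mode (default yes) only refuses remote clients when there is
    # neither a bind address nor a password, so turning it off removes the
    # last safety net on an otherwise open instance.
    pm = conf.get("protected-mode", [["yes"]])[0]
    if pm and pm[0].lower() == "no":
        findings.append("protected-mode disabled")

    has_password = any(
        a not in ('""', "''") for args in conf.get("requirepass", []) for a in args
    )
    if not has_password and not conf.get("user"):
        findings.append("no requirepass or ACL user: unauthenticated access")

    renamed = {args[0].lower() for args in conf.get("rename-command", []) if args}
    exposed = [c for c in DANGEROUS if c not in renamed]
    if exposed:
        findings.append("dangerous commands not renamed: " + ", ".join(exposed))
    return findings


WEAK_CONF = """
# constructed: the kind of instance the campaign scans for
port 6379
protected-mode no
daemonize yes
"""

HARDENED_CONF = """
# constructed: same instance, closed off
port 6379
bind 127.0.0.1 -::1
protected-mode yes
requirepass replace-with-a-long-random-secret
rename-command CONFIG ""
rename-command DEBUG ""
rename-command FLUSHALL ""
rename-command SLAVEOF ""
rename-command REPLICAOF ""
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf) or ["no findings"])
```

On Redis 6 and later, ACL users (the user directive) are the supported replacement for rename-command, which is why the audit accepts either; neither replaces a firewall rule or a bind to a private address, and Redis should never run as root, since a root-owned process is what turns an open port into the root-level access described above.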
UAC-0057 Keeps Applying Pressure on Ukraine and Poland
Cybersecurity researchers have identified new malicious campaigns attributed to the threat actor UAC-0057, also known as UNC1151, Ghostwriter, or FrostyNeighbor, that have been targeting Ukraine and Poland since April 2025. The activity is characterized by spearphishing-delivered compressed archives containing weaponized Excel spreadsheets with VBA macros designed to drop obfuscated DLL implants. These implants collect system information, maintain persistence, and retrieve further malicious payloads from a network of command-and-control servers. In Ukraine, campaigns were observed between May and July 2025, leveraging XLS files with evolving execution chains: some samples dropped DLLs directly, while others used cabinet files and LNK shortcuts to execute the malware. In Poland, campaigns observed in April and May 2025 deployed similar malicious XLS files whose macros were obfuscated with MacroPack. First-stage DLLs written in C# or C++ collected similar system profiling data, with variants sending the exfiltrated information to C2 servers over Slack webhooks or via disguised image files hosted on impersonated domains. Some implants used scheduled tasks for persistence, while others were single-execution downloaders.
Salty 2FA: Undetected PhaaS from Storm-1575 Hitting US and EU Industries
A new Phishing-as-a-Service (PhaaS) framework dubbed Salty 2FA was identified, targeting organizations across the US and Europe. Unlike established PhaaS platforms such as Tycoon2FA, EvilProxy, and Sneaky2FA, this framework employs a distinctive multi-stage execution chain, novel domain patterns, and evasion techniques designed to bypass detection while stealing Microsoft 365 credentials and intercepting multi-factor authentication (MFA) methods. Salty 2FA primarily spreads via phishing emails built around lures such as fake voice messages, payroll amendments, billing statements, and bid invitations. The campaigns are characterized by their unusual infrastructure: compound domains that imitate .com hosts (such as *.com.de or *.it.com) paired with *.ru domains, combined with obfuscated JavaScript payloads and encrypted data exchanges. Victim credentials and one-time codes are exfiltrated via PHP endpoints on Russian domains, with the communication obfuscated using a Base64 + XOR routine keyed to session identifiers. The phishing kit executes in multiple stages.
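Two things in the paragraph above are directly workable for an analyst: the Base64 + XOR exchange and the compound-domain pattern. The following is an added example, not kit code. The summary does not publish the key schedule, so the block assumes the simplest reading, the JSON body XORed with the session identifier repeated as a key and then Base64-encoded; it also shows that, because XOR is its own inverse, a known plaintext prefix recovers the key bytes even when the session id is not captured. The session id, form data and host names are constructed, and the domain check is a heuristic, since legitimate second-level registries of the *.com.de shape exist.

```python
"""Decode the Base64 + XOR exchange and flag compound domains of the kind
described for Salty 2FA.

Added example, not kit code. The key schedule is assumed (repeating-key XOR
with the session identifier, then Base64); session id, form data and host
names are constructed.
"""
import base64
import json
from itertools import cycle
from typing import Any, Dict


def xor_with_session(data: bytes, session_id: str) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(session_id.encode())))


def obfuscate(payload: Dict[str, Any], session_id: str) -> str:
    """What the kit's JavaScript would send to its PHP endpoint (assumed)."""
    raw = json.dumps(payload).encode()
    return base64.b64encode(xor_with_session(raw, session_id)).decode()


def deobfuscate(blob: str, session_id: str) -> Dict[str, Any]:
    """Analyst side: session id taken from the captured request or cookie."""
    raw = xor_with_session(base64.b64decode(blob), session_id)
    return json.loads(raw.decode())


def recover_key_prefix(blob: str, known_plaintext: bytes) -> bytes:
    """Without the session id: a known plaintext prefix (the JSON opener and
    first field name) leaks the key bytes under it, since c ^ p == k."""
    raw = base64.b64decode(blob)
    return bytes(c ^ p for c, p in zip(raw, known_plaintext))


# Heuristic for the *.com.de / *.it.com pattern: a host whose last two labels
# are both well-known TLDs. Treat a hit as a reason to look closer, not proof.
KNOWN_TLDS = {"com", "net", "org", "de", "it", "ru", "fr", "uk"}


def is_compound_domain(host: str) -> bool:
    labels = host.lower().rstrip(".").split(".")
    return len(labels) >= 3 and labels[-1] in KNOWN_TLDS and labels[-2] in KNOWN_TLDS


if __name__ == "__main__":
    sid = "a1b2c3d4"  # constructed session identifier
    blob = obfuscate({"user": "x@example.com", "otp": "123456"}, sid)
    print(blob)
    print(deobfuscate(blob, sid))
    print(recover_key_prefix(blob, b'{"user": "'))
    for h in ("secure-login.com.de", "verify.it.com", "login.microsoftonline.com"):
        print(h, is_compound_domain(h))
```

The recovery function is why this style of obfuscation is not encryption: once one request is decoded, every request sharing the session id follows, and the kit's field names give the known plaintext for free.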