Weekly summary of cyber attacks, Sept 25 - Oct 01
Klopatra: New Android Banking RAT with Turkish Links Targets Spain and Italy
Cleafy discovered Klopatra, a previously undocumented and highly sophisticated Android Remote-Access/Banking Trojan that is actively compromising devices in targeted campaigns. Cleafy identified two primary botnets linked to Klopatra (together exceeding 3,000 infected devices), with a campaign focus on financial targets in Spain and Italy. The operation appears to be run by a Turkish-speaking criminal group. Klopatra's infection chain begins with a dropper masquerading as an IPTV app (e.g., "Mobdro Pro IP TV + VPN"). The dropper uses a "JSON Packer" to conceal the actual payload and coerces the user into granting the REQUEST_INSTALL_PACKAGES permission. Once the main payload is installed, Klopatra requests Accessibility Services and a broad set of further permissions. Through Accessibility, it achieves near-total device control, including screen monitoring, keystroke/input capture, simulated taps/gestures, and autonomous navigation.
Lunar Spider Enables Nearly Two-Month Intrusion via Single Click
The DFIR Report documented a sophisticated intrusion campaign attributed to the Lunar Spider threat group, which persisted for nearly two months and demonstrated how a single phishing click led to extensive compromise. The intrusion began with a JavaScript file disguised as a tax form which, when executed, launched an MSI installer that deployed a Brute Ratel loader. The loader injected Latrodectus malware into explorer.exe, establishing a command-and-control connection via BackConnect infrastructure and domains proxied through Cloudflare. Data was stolen and was not recovered; although no ransomware was deployed, the group's positioning suggested the capability for full network encryption. The campaign highlights Lunar Spider's layered approach: initial access via phishing, stealthy persistence through loaders and backdoors, exploitation of critical vulnerabilities, credential theft from multiple sources, and sustained data theft over a prolonged dwell time.
DeceptiveDevelopment: From Primitive Crypto Theft to Sophisticated AI-Based Deception
Researchers have revealed new details about DeceptiveDevelopment, a North Korea-aligned threat group that has been active since at least 2023 and is closely linked to the activities of covert North Korean IT workers. The group specializes in large-scale social engineering campaigns that target software developers, especially those working in cryptocurrency and Web3 projects, with the ultimate goal of financial theft and broader infiltration. DeceptiveDevelopment operators pose as recruiters on platforms such as LinkedIn, Upwork, Freelancer, and Crypto Jobs List, luring victims with fake job opportunities. Once victims engage, they are directed to download trojanized coding challenges or interact with fraudulent job interview websites. One notable trick, dubbed ClickFix, manipulates applicants into copying terminal commands that secretly download and execute malware.
RedNovember Targets Government, Defense, and Technology Organizations
The Chinese state-sponsored threat activity group tracked as RedNovember—previously known as TAG-100 and overlapping with Storm-2077—has conducted a series of extensive cyber-espionage operations between June 2024 and July 2025 against high-profile government, defense, technology, and private sector organizations worldwide. The group has relied heavily on the Go-based backdoor Pantegana, Cobalt Strike, and SparkRAT, in addition to opportunistic exploitation of vulnerabilities in edge devices. RedNovember demonstrates a strategy of weaponizing publicly available proof-of-concept (PoC) exploits in combination with widely used offensive security tools, allowing for rapid scaling of operations while reducing development costs and complicating attribution.
Another BRICKSTORM: Stealthy Backdoor Enabling Espionage into Tech and Legal Sectors
Google's Threat Intelligence Group (GTIG) and Mandiant Consulting are tracking a sophisticated espionage campaign leveraging the BRICKSTORM backdoor. The activity has been attributed to the China-linked threat cluster UNC5221, which has been conducting long-term intrusions in the United States since at least March 2025. Primary victims include organizations in the legal, technology, SaaS, and business process outsourcing sectors. Unlike typical espionage operations, this campaign is designed not only to extract sensitive data but also to gain footholds for developing zero-day exploits and expanding into downstream victims. BRICKSTORM, written in Go, supports cross-platform deployment and includes SOCKS proxy functionality, allowing stealthy persistence in environments where endpoint detection and response (EDR) is not viable. Variants demonstrate ongoing development, including obfuscation, delayed activation, and masquerading as legitimate processes.