Mysterious elephant

Tags: Threat intelligence
24 October 2025

Weekly Summary Cyberattacks October 16-22

PassiveNeuron: A Sophisticated Campaign Targeting Servers of High-Profile Organizations  

Researchers have published new findings on PassiveNeuron, an ongoing cyber-espionage campaign that targets the servers of high-profile organizations across Asia, Africa, and Latin America. First detected in June 2024, the campaign initially deployed two previously unknown custom implants, Neursite and NeuralExecutor, on government servers. After a six-month hiatus, a new infection wave began in December 2024 and continued until August 2025, widening the target set to government, financial, and industrial entities. The intrusion chain uses a multi-stage DLL loader architecture and relies on phantom DLL hijacking for persistence. The focus on internet-exposed servers and the layered loader design mark PassiveNeuron as a significant espionage threat.

New Malware Attributed to Russian State-Sponsored COLDRIVER   

Researchers from Google's Threat Intelligence Group (GTIG) have attributed a new malware suite to the Russian state-sponsored group COLDRIVER (also tracked as UNC4057, Star Blizzard, and Callisto). After its previous malware, LOSTKEYS, was publicly exposed in May 2025, the actor retooled within five days and introduced a completely new infection chain built around three related malware families: NOROBOT, YESROBOT, and MAYBEROBOT. The campaigns mark a sharp escalation in COLDRIVER's technical sophistication and development pace, and a shift from traditional credential phishing to malware-based intelligence collection.

Tracking Malware and Attack Expansion: A Hacker Group’s Journey across Asia   

Researchers identified a coordinated series of phishing and malware campaigns spreading across Asia, tracing the continuous evolution of one hacker group's operations from China to Taiwan, Japan, and most recently Malaysia. The campaigns, which began surfacing in early 2024 and intensified throughout 2025, target users with fraudulent emails carrying malicious PDF, Word, and HTML attachments disguised as official communications from government bodies such as ministries of finance and tax authorities. The lures ultimately deliver variants of the HoldingHands and Winos 4.0 malware families, both of which provide remote access and information theft.

Operation Silk Lure: Scheduled Tasks Weaponized for DLL Side-Loading   

Researchers discovered an ongoing cyber-espionage operation, named Operation Silk Lure, that uses scheduled tasks and DLL side-loading to deploy the ValleyRAT malware. The campaign targets Chinese individuals and firms, particularly in the FinTech, cryptocurrency exchange, and trading platform sectors, through highly targeted spear-phishing emails impersonating job seekers. The emails carry malicious Windows shortcut (.LNK) files disguised as résumés or portfolios. The operation points to an organized, technically capable threat actor conducting targeted espionage or credential theft against Chinese organizations in sensitive financial and blockchain industries.

Mysterious Elephant: A Growing Threat   

Cybersecurity researchers have documented the continued evolution of Mysterious Elephant, an advanced persistent threat (APT) group first identified in 2023 that is now running a new campaign across South Asia. The group has been observed using increasingly sophisticated tradecraft, including new custom-built and open-source malware tools. Although its early operations resembled those attributed to Confucius and Origami Elephant, Mysterious Elephant has since distinguished itself by incorporating and evolving legacy code from multiple APT ecosystems, which suggests active collaboration or code sharing among regional threat actors such as Confucius, Origami Elephant, and SideWinder.