Weekly Summary Cyberattacks January 16th-22nd
PNGPlug Loader Delivers ValleyRAT Malware Through Fake Software Installers
A threat actor backed by an unknown nation-state is using a loader known as PNGPlug to deliver a malware called ValleyRAT to targets in Southeast Asia as part of an ongoing cyberespionage campaign. According to cybersecurity researchers, ValleyRAT is a backdoor written in C++ with the capabilities typical of this class of malware, including screen capture, keystroke logging and remote command execution. The actor behind this campaign also used phishing emails as an initial attack vector, distributing the malware through malicious documents embedded with macros. ValleyRAT's capabilities allow attackers to gain persistent access and perform espionage: executing arbitrary commands, manipulating processes and windows, monitoring the system, and collecting sensitive information.
Gootloader Malware Employs Blackhat SEO Techniques To Attack Victims
A variant of the Gootloader malware is using black hat search engine optimisation (SEO) techniques to manipulate search results and lure unsuspecting victims into downloading malicious software. According to researchers, the group behind Gootloader has manipulated search results by positioning compromised websites that are designed to appear as legitimate sources of business documents, such as contract templates and agreements. When users access these compromised sites and download the offered files, they are infected with the Gootloader malware, which includes malicious scripts embedded in compressed documents. Once the malware executes on the victim's system, it connects to a command and control server to download additional payloads. These payloads can range from ransomware to spying tools designed to steal credentials and sensitive data.
IoT Botnet Linked to Large-scale DDoS Attacks Since the End of 2024
Cybersecurity researchers have identified an Internet of Things (IoT) botnet that has been conducting large-scale distributed denial-of-service attacks since late 2024. This botnet compromises vulnerable IoT devices, such as IP cameras, digital video recorders (DVRs) and routers, by exploiting known vulnerabilities and misconfigurations. Once compromised, these devices are integrated into the botnet and used to launch DDoS attacks that can disrupt online services and cause significant financial losses. Botnet operators employ advanced techniques to evade detection and maintain control of infected devices. IoT device owners are advised to regularly update firmware, change default passwords and implement appropriate security measures to protect against these threats.
Cyber-attacks target WhatsApp accounts via spear-phishing
Russian cyber-espionage group Star Blizzard has modified its tactics, using WhatsApp for the first time as an attack vector in a spear-phishing campaign detected by Microsoft Threat Intelligence in November 2024. The attack primarily targets diplomats, researchers and organizations related to defense policy and aid to Ukraine. Using emails that pretend to come from U.S. government officials, the attackers invite recipients to join a purported WhatsApp group supporting Ukrainian initiatives. The included links redirect to fake pages that link the victims' WhatsApp accounts to devices controlled by the attackers, giving them access to the victims' messages.
Lazarus targets developers using fake LinkedIn profiles
North Korea-linked threat group Lazarus has launched a campaign known as “Operation 99” targeting Web3 and cryptocurrency developers, using fake LinkedIn profiles to lure victims. The attackers pose as recruiters, offering project testing and code reviews that end up redirecting developers to malicious repositories on GitLab. Once the infected code is cloned, it connects to command and control (C2) servers, enabling the deployment of malware designed to steal sensitive data, such as cryptocurrency keys, source code and development environment secrets. Victims have been located primarily in Italy, but also in countries such as Argentina, Mexico, France, and the United States. The campaign, discovered on January 9, 2025, uses similar tactics to previous attacks by the group, such as “Operation Dream Job,” but adds sophistication with fake profiles and spoofed projects to deceive its targets.