CyberHappenings logo
Home Browse About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Lazarus Group Deploys Multiple RATs in DeFi Sector Campaign

First reported
Last updated
4 unique sources, 5 articles

Summary

Hide ▲

The Lazarus Group, a North Korea-linked threat actor, has expanded its operations to target European defense companies in 2025, leveraging a coordinated Operation DreamJob campaign. The attack involved fake recruitment lures and the deployment of various malware, including the ScoringMathTea RAT. This campaign follows earlier attacks on a decentralized finance (DeFi) organization in 2024, where the group deployed multiple cross-platform malware variants, including PondRAT, ThemeForestRAT, and RemotePE. The initial 2024 attack began with social engineering on Telegram and fake scheduling websites, leading to the compromise of an employee's system. The attackers used various tools for discovery, credential harvesting, and proxy connections, eventually transitioning to stealthier RATs. The impact of the attack includes the compromise of employee systems and potential data exfiltration. The use of multiple RATs indicates a sophisticated and multi-stage attack strategy aimed at high-value targets. The 2025 campaign targeted three European firms involved in drone development, using trojanized open-source applications and manipulated GitHub projects to deliver malware. The attacks coincide with North Korean support for Russian operations in Ukraine, suggesting an effort to gather intelligence on Western-made drones. The campaign began in late March 2025 and involved the use of a trojanized PDF reader to deliver malware. The campaign could be focused on collecting information on weapon systems deployed in Ukraine, as well as gathering information to perfect designs and processes. At least two of the victims are heavily involved in the development of UAV technology, with one making critical drone components and the other building UAV-related software.

Timeline

  1. 23.10.2025 15:38 4 articles · 2d ago

    Lazarus Group Targets European Defense Companies in Operation DreamJob

    The campaign began in late March 2025. The attackers used a trojanized PDF reader to deliver malware. The campaign exhibits overlaps with clusters tracked as DeathNote, NukeSped, Operation In(ter)ception, and Operation North Star. The campaign could be focused on collecting information on weapon systems deployed in Ukraine, as well as gathering information to perfect designs and processes. At least two of the victims are heavily involved in the development of UAV technology, with one making critical drone components and the other building UAV-related software.

    Show sources
    Open in new tab
  2. 02.09.2025 19:39 2 articles · 1mo ago

    Lazarus Group Deploys Multiple RATs in DeFi Sector Campaign

    In 2024, the Lazarus Group targeted a DeFi organization using a social engineering campaign. The attack involved the deployment of PondRAT, ThemeForestRAT, and RemotePE. The attackers used various tools for discovery, credential harvesting, and proxy connections, eventually transitioning to stealthier RATs for more complex tasks. The campaign began with impersonation on Telegram and fake scheduling websites, leading to the compromise of an employee's system.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Flax Typhoon APT Group Exploits ArcGIS for Persistent Access

The Flax Typhoon APT group, also tracked as Ethereal Panda and RedJuliett, exploited a legitimate ArcGIS application to establish a persistent backdoor for over a year. The attack involved modifying the ArcGIS server’s Java server object extension (SOE) to function as a web shell, enabling command execution, lateral movement, and data exfiltration. The malicious SOE persisted even after remediation and patching, highlighting the need for proactive threat hunting and treating all public-facing applications as high-risk assets. The group targeted a public-facing ArcGIS server connected to an internal server, compromising a portal administrator account and deploying a malicious SOE. They used a base64-encoded payload and a hardcoded key to execute commands and upload a renamed SoftEther VPN executable for long-term access. The attack targeted IT staff workstations within the scanned subnet, demonstrating the potential for significant operational disruption and data exposure. The attackers used a public-facing ArcGIS server connected to a private, internal ArcGIS server for backend computations, a common default configuration. They sent disguised commands to the portal server, creating a hidden system directory that became Flax Typhoon's private workspace. The attackers ensured the compromised component was included in system backups, turning the organization's own recovery plan into a guaranteed method of reinfection. ReliaQuest worked with the customer organization and Esri to fully evict Flax Typhoon actors from the environment, which included rebuilding the entire server stack and deploying custom detections for the threat activity. ReliaQuest urged organizations to treat all public-facing applications as high-risk assets and recommended security teams audit and harden such applications. The researchers also highlighted the need for behavioral analytics to complement signature-based detection, as Flax Typhoon did not use any malware or known malicious files. Strong credential hygiene was emphasized, noting that a weak administrator password gave the attackers a foothold in the organization's network. ReliaQuest recommended implementing multifactor authentication and practicing the principle of least privilege to enhance security. The ArcGIS geographic information system (GIS) is developed by Esri and supports server object extensions (SOE) that can extend basic functionality. The software is used by municipalities, utilities, and infrastructure operators to manage spatial and geographic data through maps. Researchers at cybersecurity company ReliaQuest have moderate confidence that the threat actor is Flax Typhoon. The attackers used valid administrator credentials to log into a public-facing ArcGIS server linked to a private, internal ArcGIS server. The malicious SOE accepted base64-encoded commands through a REST API parameter (layer) and executed them on the internal ArcGIS server. The exchange was protected by a hardcoded secret key, ensuring only the attackers had access to this backdoor. The attackers downloaded and installed SoftEther VPN Bridge, registering it as a Windows service that started automatically. The VPN established an outbound HTTPS tunnel to the attacker's server at 172.86.113[.]142, linking the victim's internal network to the threat actor's machine. The VPN used normal HTTPS traffic on port 443, blending with legitimate traffic, and remained active even if the SOE was detected and deleted. The attackers scanned the local network, moved laterally, accessed internal hosts, dumped credentials, or exfiltrated data using the VPN connection. The attackers targeted two workstations belonging to the target organization's IT staff, attempting to dump the Security Account Manager (SAM) database, security registry keys, and LSA secrets. Flax Typhoon is known for espionage campaigns to establish long-term, stealthy access through legitimate software. The FBI linked Flax Typhoon to the massive "Raptor Train" botnet, impacting the U.S. The Treasury's Office of Foreign Assets Control (OFAC) sanctioned companies that supported the state-sponsored hackers. Esri confirmed this is the first time an SOE has been used this way and will update their documentation to warn users of the risk of malicious SOEs. The attackers used the JavaSimpleRESTSOE ArcGIS extension to invoke a REST operation to run commands on the internal server via the public portal. The attackers specifically targeted two workstations belonging to IT personnel to obtain credentials and further burrow into the network. The attackers reset the password of the administrative account.

Open in new tab

Velociraptor DFIR Tool Abused in LockBit and Babuk Ransomware Campaigns

Threat actors, assessed to be China-based Storm-2603, have started using the Velociraptor digital forensics and incident response (DFIR) tool in ransomware attacks deploying LockBit and Babuk ransomware. The attackers exploited a privilege escalation vulnerability in an outdated version of Velociraptor to gain persistent access and control over virtual machines. The campaign involved creating local admin accounts, disabling security features, and using fileless PowerShell encryptors for data exfiltration and encryption. The ransomware deployed on Windows systems was identified as LockBit, while a Linux binary detected as Babuk ransomware was found on VMware ESXi systems. Storm-2603 initially exploited SharePoint vulnerabilities in July 2025 and deployed Warlock, LockBit, and Babuk ransomware on VMware ESXi servers in August 2025. Sophos CTU researchers first documented Velociraptor abuse by Storm-2603 on August 5, 2025. Storm-2603 used the ToolShell exploit to gain initial access and deployed an outdated version of Velociraptor (version 0.73.4.0) that is susceptible to a privilege escalation vulnerability (CVE-2025-6264) to enable arbitrary command execution and endpoint takeover. The group also used Smbexec to remotely launch programs using the SMB protocol and modified Active Directory (AD) Group Policy Objects (GPOs) to disable real-time protection. Storm-2603 established the infrastructure for the AK47 C2 framework in March 2025 and created the first prototype of the tool the next month. The group pivoted from LockBit-only deployment to dual LockBit/Warlock deployment in April 2025 and used the ToolShell exploit as a zero-day in July 2025. Storm-2603 demonstrated operational flexibility and sophisticated builder expertise using leaked and open-source ransomware frameworks.

Open in new tab

Confucius Targets Pakistan with WooperStealer and Anondoor Malware

The threat actor Confucius has launched a new phishing campaign targeting Pakistan, deploying WooperStealer and Anondoor malware. The campaign has targeted government agencies, military organizations, defense contractors, and critical industries since at least December 2024. The attacks use spear-phishing and malicious documents to deliver malware that steals sensitive data and exfiltrates device information. Confucius has shifted from document-focused stealers to more advanced Python-based backdoors like Anondoor, which provides long-term persistence and command execution capabilities. The group employs DLL side-loading, obfuscated PowerShell scripts, scheduled tasks, and stealthy exfiltration routines to achieve persistence and evade detection. Anondoor is capable of full host profiling, collecting system details, geolocating public IPs, and inventoring disk volumes before receiving tasking from its command-and-control (C2) servers.

Open in new tab

Clop extortion campaign targets Oracle E-Business Suite

The Clop ransomware gang has been exploiting multiple vulnerabilities in Oracle E-Business Suite since at least August 2025, including the zero-day vulnerability CVE-2025-61882. The gang has been sending extortion emails to executives at multiple organizations, claiming to have stolen sensitive data. The campaign involves a high-volume email blast from hundreds of compromised accounts, some previously linked to the FIN11 threat group. The emails contain contact addresses known to be listed on the Clop ransomware gang's data leak site. CrowdStrike attributes the exploitation of CVE-2025-61882 to the Cl0p ransomware gang with moderate confidence, and the first known exploitation occurred on August 9, 2025. The exploit involves an HTTP request to /OA_HTML/SyncServlet, resulting in an authentication bypass. Oracle has released an emergency patch for the zero-day vulnerability and shared indicators of compromise. The exploit was leaked by a group called Scattered Lapsus$ Hunters, raising questions about their potential collaboration with Clop. Envoy Air, a subsidiary of American Airlines, confirms that data was compromised from its Oracle E-Business Suite application after the Clop extortion gang listed American Airlines on its data leak site. Envoy Air stated that no sensitive or customer data was affected, but a limited amount of business information and commercial contact details may have been compromised. The Clop gang is also extorting Harvard University, with the university confirming that the incident impacts a limited number of parties associated with a small administrative unit. Oracle has confirmed that known vulnerabilities in its E-Business Suite, patched in July 2025, may have been exploited in these attacks. The July 2025 Critical Patch Update addressed 309 vulnerabilities across Oracle's product range, including nine for E-Business Suite. Three of these vulnerabilities are critical and three others are exploitable remotely without authentication. The extortion emails are part of a broader campaign, with the attackers sending messages from compromised accounts, some previously associated with the FIN11 threat group. The emails contain contact addresses known to be listed on the Clop ransomware gang's data leak site. Mandiant and GTIG are investigating the claims and recommend that organizations receiving these emails investigate their environments for unusual access or compromise in their Oracle E-Business Suite platforms. The UK’s National Cyber Security Centre (NCSC) has advised Oracle EBS customers to patch the critical vulnerability CVE-2025-61882, which is being exploited by the Clop ransomware group. The NCSC has urged customers to apply an emergency security update from Oracle, published over the weekend, to address the zero-day vulnerability CVE-2025-61882. The vulnerability impacts Oracle EBS versions 12.2.3-12.2.14 and allows unauthenticated attackers to send specially crafted HTTP requests to the affected component, resulting in full system compromise. The NCSC has warned that the Scattered Lapsus$ Hunters group has leaked the exploit used by the Clop gang, increasing the risk of opportunistic attacks on Oracle customers. Rapid7 has advised customers of affected Oracle EBS instances to conduct threat hunting to detect any potential malicious activity, given that exploitation in-the-wild may have occurred since August 2025. CISA has added CVE-2025-61882 to the Known Exploited Vulnerabilities (KEV) catalog, urging federal agencies to apply the fixes by October 27, 2025. WatchTowr Labs warns of potential mass, indiscriminate exploitation from multiple groups within days.

Open in new tab

ArcaneDoor Campaign Exploits Cisco Zero-Day Vulnerabilities

A threat cluster dubbed ArcaneDoor has been exploiting two zero-day vulnerabilities in Cisco firewalls to deliver previously undocumented malware families, RayInitiator and LINE VIPER. These vulnerabilities, CVE-2025-20362 and CVE-2025-20333, allow attackers to bypass authentication and execute malicious code on susceptible appliances. The campaign is linked to a suspected China-linked hacking group known as UAT4356 (aka Storm-1849). The malware families represent a significant evolution in sophistication and evasion capabilities compared to previous campaigns. The attacks have been ongoing since at least September 2025, targeting organizations in various sectors. The exploitation of these vulnerabilities underscores the need for immediate patching and enhanced security measures for Cisco firewalls.

Open in new tab