
SectopRAT and Betruger Malware Linked to Play, RansomHub, and DragonForce Ransomware Operations

2 unique sources, 2 articles

Summary


A September 2024 intrusion involved SectopRAT and Betruger malware, tooling that links the threat actor to the Play, RansomHub, and DragonForce ransomware operations. The attack began with a malicious JavaScript payload disguised as a legitimate browser update, which deployed SectopRAT. The threat actor established persistence, created an admin account, and used various tools for reconnaissance and credential theft, then deployed SystemBC, Betruger, and other tools to facilitate their operations. Defense evasion techniques included process injection, timestomping, and disabling security features. The final goal was ransomware deployment, but no encryption occurred; instead, data was archived and exfiltrated via FTP.

Timeline

  1. 11.11.2025 17:01 1 article · 23h ago

    RansomHub Affiliates Use Multi-Stage Encrypted Payloads and AzCopy for Exfiltration

    The threat actor used a multi-stage encrypted payload with 10 layers of encryption for persistence. The final payload was a SOCKS proxy facilitating communication between attacker endpoints and internal network infrastructure. The threat actor manipulated email signatures to embed a malicious image reference for credential harvesting. The attack involved extensive reconnaissance, credential theft, and data exfiltration using AzCopy, which caused a CPU spike that alerted the customer. The threat actor rapidly escalated privileges using misconfigured certificates in Active Directory Certificate Services (AD CS) and targeted domain admin laptops.

  2. 09.09.2025 13:36 2 articles · 2mo ago

    SectopRAT and Betruger Malware Deployed in September 2024 Intrusion

    In September 2024, a threat actor used SectopRAT and Betruger malware in an intrusion that involved extensive reconnaissance, credential theft, and data exfiltration. The attack began with a malicious JavaScript payload disguised as a legitimate browser update and used multiple tools and techniques to evade detection. The final goal was ransomware deployment, but data was archived and exfiltrated via FTP instead. The tools used in the attack link the threat actor to Play, RansomHub, and DragonForce ransomware operations. The threat actor used various tools for discovery and mapping, including AdFind, PowerShell Cmdlets, SharpHound, and SoftPerfect NetScan. They also used PsExec for privilege escalation, Grixba for data gathering, and modified registry keys to disable Windows Defender. The attack involved manipulating email signatures for credential harvesting and using Microsoft Office utilities to gather information.


Similar Happenings

SesameOp malware leverages OpenAI Assistants API for command-and-control

A new backdoor malware, SesameOp, uses the OpenAI Assistants API as a covert command-and-control channel. The malware was discovered during an investigation into a July 2025 cyberattack. It allowed attackers to gain persistent access to compromised environments and remotely manage backdoored devices for several months. The attackers leveraged legitimate cloud services, avoiding detection and traditional incident response measures. The malware employs a combination of symmetric and asymmetric encryption to secure communications. It uses a heavily obfuscated loader and a .NET-based backdoor deployed through .NET AppDomainManager injection into Microsoft Visual Studio utilities. The attack chain includes internal web shells and malicious processes designed for long-term espionage. The malware uses a loader component named "Netapi64.dll" and a .NET-based backdoor named "OpenAIAgent.Netapi64". The malware supports three types of values in the description field of the Assistants list retrieved from OpenAI: SLEEP, Payload, and Result. Microsoft and OpenAI collaborated to investigate the abuse of the API, leading to the disabling of the account and API key used in the attacks. The malware does not exploit a vulnerability in OpenAI's platform but misuses built-in capabilities of the Assistants API. The OpenAI Assistants API is scheduled for deprecation in August 2026 and will be replaced by a new Responses API.

Chinese State-Sponsored Group Exploits Windows Zero-Day in Espionage Campaign Against European Diplomats

A China-linked hacking group, UNC6384 (Mustang Panda), is exploiting a Windows zero-day vulnerability (CVE-2025-9491) to target European diplomats in Hungary, Belgium, Italy, the Netherlands, and Serbian government agencies. The campaign involves spearphishing emails with malicious LNK files to deploy the PlugX RAT and gain persistence on compromised systems. The attacks have broadened in scope to include diplomatic entities from Italy and the Netherlands. The zero-day vulnerability allows for remote code execution on targeted Windows systems, enabling the group to monitor diplomatic communications and steal sensitive data. Microsoft has not yet released a patch for this vulnerability, which has been heavily exploited by multiple state-sponsored groups and cybercrime gangs since March 2025. The campaign began with spear phishing emails themed around diplomatic meetings and conferences. The malicious LNK files exploit ZDI-CAN-25373, a Windows shortcut vulnerability disclosed in March 2025. The LNK file invokes PowerShell with an obfuscated command that decodes a tar archive file named rjnlzlkfe.ta. The tar archive contains three critical files that enable the attack chain through DLL side-loading. The malware includes a legitimate Canon printer assistant utility with an expired digital signature. The second file, cnmpaui.dll, serves as a lightweight loader designed to decrypt and execute the PlugX payload. PlugX is a RAT that provides comprehensive remote access capabilities including command execution, keylogging, file upload and download operations, persistence establishment, and extensive system reconnaissance functions.

XCSSET macOS Malware Targets Xcode Developers with Enhanced Features

A new variant of the XCSSET macOS malware has been detected, targeting Xcode developers with enhanced features. This variant includes improved browser targeting, clipboard hijacking, and persistence mechanisms. The malware spreads by infecting Xcode projects and steals cryptocurrency and browser data from infected devices. It uses run-only compiled AppleScripts for stealthy execution and employs sophisticated encryption and obfuscation techniques, and it incorporates new modules for data exfiltration, persistence, and clipboard monitoring. The malware has been observed in limited attacks, with Microsoft sharing findings with Apple and GitHub to mitigate the threat. Developers are advised to keep macOS and apps up to date and inspect Xcode projects before building them.

ForcedLeak Vulnerability in Salesforce Agentforce Exploited via AI Prompt Injection

A critical vulnerability in Salesforce Agentforce, named ForcedLeak, allowed attackers to exfiltrate sensitive CRM data through indirect prompt injection. The flaw affected organizations using Salesforce Agentforce with Web-to-Lead functionality enabled. The vulnerability was discovered and reported by Noma Security on July 28, 2025. Salesforce has since patched the issue and implemented additional security measures, including regaining control of an expired domain and preventing AI agent output from being sent to untrusted domains. The exploit involved manipulating the Description field in Web-to-Lead forms to execute malicious instructions, leading to data leakage. Salesforce has enforced a Trusted URL allowlist to mitigate the risk of similar attacks in the future. The ForcedLeak vulnerability is a critical vulnerability chain with a CVSS score of 9.4, described as a cross-site scripting (XSS) play for the AI era. The exploit involves embedding a malicious prompt in a Web-to-Lead form, which the AI agent processes, leading to data leakage. The attack could potentially lead to the exfiltration of internal communications, business strategy insights, and detailed customer information. Salesforce is addressing the root cause of the vulnerability by implementing more robust layers of defense for their models and agents.

CISA Emergency Directive 25-03: Mitigation of Cisco ASA Zero-Day Vulnerabilities

The Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 25-03 in September 2025, requiring federal agencies to mitigate zero-day vulnerabilities in Cisco Adaptive Security Appliances (ASA) and Firewall Threat Defense (FTD) devices exploited by the state-sponsored ArcaneDoor campaign. The directive required agencies to account for all affected devices, collect forensic data, and upgrade or disconnect end-of-support devices by September 26, 2025. The vulnerabilities (CVE-2025-20333, CVE-2025-20362, CVE-2025-20363, and CVE-2025-20352) enabled unauthenticated remote code execution, unauthorized access, and denial-of-service (DoS) attacks, with exploitation linked to the ArcaneDoor group. New developments reveal that the same or related threat actors also exploited **CVE-2025-5777 (Citrix Bleed 2)** in NetScaler ADC and Gateway and **CVE-2025-20337** in Cisco Identity Services Engine (ISE) as zero-days prior to public disclosure. Amazon's threat intelligence team detected these attacks via its MadPot honeypot service, identifying a custom web shell ('IdentityAuditAction') deployed on compromised Cisco ISE devices. The web shell used advanced evasion techniques, including DES encryption and Java reflection, to maintain persistence and avoid detection. While the tactics suggest a highly resourced actor, the indiscriminate targeting deviates from typical APT behavior. Earlier phases of the campaign involved the ArcaneDoor group exploiting ASA and FTD zero-days to deploy malware such as RayInitiator and LINE VIPER, manipulate ROM for persistence, and force devices into reboot loops. Nearly 50,000 vulnerable ASA and FTD appliances were identified globally, with CISA and allied cybersecurity agencies urging immediate patching and mitigation. The latest findings expand the scope of the threat actor's operations beyond Cisco ASA/FTD devices to include Cisco ISE and Citrix infrastructure, underscoring the group's broad and evolving attack surface.
Amazon's latest report confirms the threat actor's use of **custom-built malware** targeting Cisco ISE environments, employing advanced techniques such as in-memory operation, Tomcat thread injection, and non-standard encryption. The campaign's indiscriminate nature, combined with the exploitation of multiple zero-days, suggests a highly capable adversary with access to sophisticated tools and potentially non-public vulnerability intelligence.