Bloody Wolf APT Expands Operations in Central Asia Using NetSupport RAT

Threat actors continue to use ClickFix-style social engineering lures to distribute loaders for NetSupport RAT. This RAT is a legitimate Remote Monitoring and Management (RMM) tool that is misused for unauthorized remote control of compromised machines. The campaign coincides with an increase in phishing efforts distributing fileless versions of Remcos RAT, another tool advertised as legitimate but frequently used in hacking campaigns. The NetSupport RAT campaign is notable for its use of deceptive tactics to gain initial access, leveraging the trust associated with legitimate software to evade detection. The ongoing distribution of these RATs highlights the persistent threat posed by social engineering and the misuse of legitimate tools for malicious purposes.

Russian threat actors, specifically the Sandworm group, have targeted Ukrainian organizations, including a business services firm, a local government entity, and the grain sector, using living-off-the-land (LotL) tactics and dual-use tools to maintain persistent access and exfiltrate sensitive data. The attacks, which began in June 2025, involved minimal malware to reduce detection and included the use of web shells and legitimate tools for reconnaissance and data theft. The threat actors exploited unpatched vulnerabilities to deploy web shells on public-facing servers, gaining initial access. They then used various tactics, including PowerShell commands, scheduled tasks, and legitimate software, to evade detection and perform reconnaissance. The attacks were characterized by the use of legitimate tools and minimal malware, demonstrating the actors' deep knowledge of Windows native tools. In addition to LotL tactics, Sandworm deployed multiple data-wiping malware families in June and September 2025, targeting Ukraine's education, government, and grain sectors. The grain sector, a vital economic sector, was targeted to disrupt Ukraine's war economy. The data-wiping malware used included ZeroLot and Sting, with initial access achieved by UAC-0099, who then transferred access to APT44 for wiper deployment. The activity is confirmed to be of Russian origin, with specific attribution to the Sandworm group. A new Russia-aligned threat activity cluster, InedibleOchotense, impersonated ESET in phishing attacks targeting Ukrainian entities starting in May 2025. This campaign involved sending spear-phishing emails and Signal text messages containing links to trojanized ESET installers, which delivered the Kalambur backdoor. InedibleOchotense is linked to the Sandworm (APT44) hacking group and has been observed conducting destructive campaigns in Ukraine, including the deployment of wiper malware ZEROLOT and Sting. Another Russia-aligned threat actor, RomCom, launched spear-phishing campaigns in mid-July 2025 exploiting a WinRAR vulnerability (CVE-2025-8088) targeting various sectors in Europe and Canada. RomCom also targeted a U.S.-based civil engineering company via a JavaScript loader dubbed SocGholish to deliver the Mythic Agent. The activity has been attributed with medium-to-high confidence to Unit 29155 of Russia's Main Directorate of the General Staff of the Armed Forces of the Russian Federation, also known as GRU. The targeted entity had worked for a city with close ties to Ukraine in the past. The ESET report noted that other Russian-aligned APT groups also maintained their focus on Ukraine and countries with strategic ties to Ukraine, while also expanding their operations to European entities. Gamaredon remained the most active APT group targeting Ukraine, with a noticeable increase in intensity and frequency of its operations during the reported period. Gamaredon selectively deployed one of Turla’s backdoors, indicating a rare instance of cooperation between Russia-aligned APT groups. Gamaredon’s toolset continued to evolve, incorporating new file stealers or tunneling services.

UNC6384, a China-nexus threat actor, has been targeting diplomats in Southeast Asia and other entities globally to advance Beijing's strategic interests. The group employs a multi-stage attack chain leveraging advanced social engineering, valid code signing certificates, adversary-in-the-middle (AitM) attacks, and indirect execution techniques to evade detection. The campaign, detected in March 2025, uses captive portal redirections to deliver a PlugX variant called SOGU.SEC. The attacks involve redirecting web traffic through a captive portal to a threat actor-controlled website, downloading a digitally signed downloader (STATICPLUGIN), and deploying the SOGU.SEC backdoor in memory. The malware supports commands to exfiltrate files, log keystrokes, and launch remote command shells. The campaign highlights the sophistication of PRC-nexus threat actors and their evolving operational capabilities. The campaign targeted around two dozen victims, primarily Southeast Asian diplomats, between March and July 2025. The attack chain involved compromised edge devices intercepting captive portal checks and redirecting users to a malicious website. The malicious website used a valid TLS/SSL certificate issued by Let's Encrypt to avoid browser security warnings. The first-stage malware, STATICPLUGIN, dropped a launcher called CANONSTAGER, which used unconventional techniques to hide its activities. The final payload was a variant of the PlugX backdoor, tracked by Google as SOGU.SEC. In September 2025, new information revealed that the PlugX variant overlaps with RainyDay and Turian backdoors, targeting telecommunications and manufacturing sectors in Central and South Asia. The campaign is linked to Mustang Panda, which also uses Bookworm malware. Bookworm has been used since 2015 and includes capabilities to execute commands, upload/download files, exfiltrate data, and establish persistent access.

The ClickFix malware campaign has evolved to include multi-OS support and video tutorials that guide victims through the self-infection process. The campaign, which uses fake Cloudflare CAPTCHA pages and malicious PowerShell scripts, has been observed deploying various payloads, including information stealers and backdoors. The FileFix attack, a variant of the ClickFix family, impersonates Meta account suspension warnings to trick users into installing the StealC infostealer malware. The campaign has evolved over two weeks with different payloads, domains, and lures, indicating an attacker testing and adapting their infrastructure. The FileFix technique, created by red team researcher mr. d0x, uses the address bar in File Explorer to execute malicious commands. The campaign employs steganography to hide a second-stage PowerShell script and encrypted executables inside a JPG image, which is believed to be AI-generated. The StealC malware targets credentials from various applications, cryptocurrency wallets, and cloud services, and can take screenshots of the active desktop. The FileFix attack uses a multilingual phishing site to trick users into executing a malicious command via the File Explorer address bar. The attack leverages Bitbucket to host the malicious components, abusing a legitimate source code hosting platform to bypass detection. The attack involves a multi-stage PowerShell script that downloads an image, decodes it into the next-stage payload, and runs a Go-based loader to launch StealC. The attack uses advanced obfuscation techniques, including junk code and fragmentation, to hinder analysis efforts. The FileFix attack is more likely to be detected by security products due to the payload being executed by the web browser used by the victim. The FileFix attack demonstrates significant investment in tradecraft, with carefully engineered phishing infrastructure, payload delivery, and supporting elements to maximize evasion and impact. The MetaStealer attack, a variant of the ClickFix family, uses a fake Cloudflare Turnstile lure and an MSI package disguised as a PDF to deploy the MetaStealer infostealer malware. The attack involves a multi-stage infection chain that includes a DLL sideloading technique using a legitimate SentinelOne executable. The MetaStealer attack targets crypto wallets and other sensitive information, using a combination of social engineering and technical evasion techniques to deploy malware. Recently, threat actors have been abusing the decades-old Finger protocol to retrieve and execute remote commands on Windows devices. The Finger protocol is used to deliver commands that create a random-named path, download a zip archive disguised as a PDF, and extract a Python malware package. The Python program is executed using pythonw.exe __init__.py, and a callback is made to the attacker's server to confirm execution. A related batch file indicates that the Python package is an infostealer. Another campaign uses the Finger protocol to retrieve and run commands that look for malware research tools and exit if found. If no malware analysis tools are found, the commands download a zip archive disguised as PDF files and extract the NetSupport Manager RAT package. The commands configure a scheduled task to launch the remote access malware when the user logs in. The Finger protocol abuse appears to be carried out by a single threat actor conducting ClickFix attacks. A new EVALUSION ClickFix campaign has been discovered, delivering Amatera Stealer and NetSupport RAT. Amatera Stealer, an evolution of ACR Stealer, is available under a malware-as-a-service (MaaS) model and targets crypto-wallets, browsers, messaging applications, FTP clients, and email services. It employs advanced evasion techniques such as WoW64 SysCalls and is packed using PureCrypter. The stealer is injected into the MSBuild.exe process to harvest sensitive data and contact an external server to execute a PowerShell command to fetch and run NetSupport RAT. The campaign also involves phishing attacks using various malware families and phishing kits named Cephas and Tycoon 2FA. Tycoon 2FA is a phishing kit that bypasses multi-factor authentication (MFA) and authentication apps by intercepting usernames, passwords, session cookies, and MFA flows in real-time. It has been used in over 64,000 attacks this year, primarily targeting Microsoft 365 and Gmail. Tycoon 2FA includes anti-detection layers and can lead to total session takeover, allowing attackers to move laterally into various enterprise systems. Legacy MFA methods are vulnerable to Tycoon 2FA, and phishing-proof MFA solutions like Token Ring and Token BioStick are recommended to prevent such attacks. A new operation embedding StealC V2 inside Blender project files has been observed targeting victims for at least six months. The attackers placed manipulated .blend files on platforms such as CGTrader, where users downloaded them as routine 3D assets. When opened with Blender’s Auto Run feature enabled, the files executed concealed Python scripts that launched a multistage infection. The infection chain began with a tampered Rig_Ui.py script embedded inside the .blend file. This script fetched a loader from a remote workers.dev domain, which then downloaded a PowerShell stage and two ZIP archives containing Python-based stealers. Once extracted into the Windows temp directory, the malware created LNK files to secure persistence, then used Pyramid C2 channels to retrieve encrypted payloads. StealC V2, promoted on underground forums since April 2025, has rapidly expanded its feature set. It now targets more than 23 browsers, over 100 plugins, more than 15 desktop wallets, and a range of messaging, VPN and mail clients. Its pricing, from $200 per month to $800 for 6 months, has made it accessible to low-tier cybercriminals seeking ready-to-use tools. ClickFix attack variants have been observed using a realistic-looking Windows Update animation in a full-screen browser page to trick users into executing malicious commands. The new ClickFix variants drop the LummaC2 and Rhadamanthys information stealers. The attack uses steganography to encode the final malware payload inside an image. The process involves multiple stages that use PowerShell code and a .NET assembly (the Stego Loader) responsible for reconstructing the final payload embedded inside a PNG file in an encrypted state. The shellcode holding the infostealer samples is packed using the Donut tool. The Rhadamanthys variant that used the Windows Update lure was first spotted by researchers back in October, before Operation Endgame took down parts of its infrastructure on November 13. A new campaign codenamed JackFix leverages fake adult websites (xHamster, PornHub clones) as its phishing mechanism, likely distributed via malvertising. The JackFix campaign displays highly convincing fake Windows update screens in an attempt to get the victim to run malicious code. The attack heavily leans on obfuscation to conceal ClickFix-related code and blocks users from escaping the full-screen alert by disabling the Escape and F11 buttons, along with F5 and F12 keys. The initial command executed is an MSHTA payload that's launched using the legitimate mshta.exe binary, which contains JavaScript designed to run a PowerShell command to retrieve another PowerShell script from a remote server. The PowerShell script attempts to elevate privileges and creates Microsoft Defender Antivirus exclusions for command-and-control (C2) addresses and paths where the payloads are staged. The PowerShell script serves up to eight different payloads, including Rhadamanthys Stealer, Vidar Stealer 2.0, RedLine Stealer, Amadey, and other unspecified loaders and RATs. The threat actor often changes the URI used to host the first mshta.exe stage and has been observed moving from hosting the second stage on the domain securitysettings.live to xoiiasdpsdoasdpojas.com, although both point to the same IP address 141.98.80.175.

Iranian state-sponsored or affiliated cyber threat actors are actively targeting U.S. critical infrastructure and conducting global phishing campaigns against diplomatic entities. These actors exploit known vulnerabilities in unpatched or outdated software, compromise internet-connected accounts and devices with weak passwords, and collaborate with ransomware groups to encrypt, steal, and leak sensitive information. A recent coordinated multi-wave spear-phishing campaign targeted embassies and consulates globally, using compromised email accounts to deploy malware. The campaign, attributed to Iranian-aligned operators connected to Homeland Justice, involved sending spear-phishing emails disguised as legitimate diplomatic communications to deploy malware via VBA macros. The phishing emails were sent from 104 unique compromised addresses, including a hacked mailbox from the Oman Ministry of Foreign Affairs. The targeted regions included the Middle East, Africa, Europe, Asia, and the Americas, with a focus on European embassies and African organizations. The campaign is assessed to have likely concluded just days after it began, as the attackers' command-and-control (C2) infrastructure appears to be inactive. In addition, Iranian state-sponsored threat actors, known as Subtle Snail, have conducted a new campaign targeting European telecommunications companies, successfully infiltrating 34 devices across 11 organizations. This group, also known as UNC1549, operates by posing as HR representatives from legitimate entities to engage employees and then compromises them through the deployment of a MINIBIKE backdoor variant. The targeted companies are located in Canada, France, the United Arab Emirates, the United Kingdom, and the United States. The group's primary motivation involves infiltrating telecommunications entities while maintaining interest in aerospace and defense organizations to establish long-term persistence and exfiltrate sensitive data for strategic espionage purposes. The attacks involve extensive reconnaissance on platforms like LinkedIn to identify key personnel within target organizations, specifically focusing on researchers, developers, and IT administrators with elevated access to critical systems and developer environments. The campaign is characterized by the meticulous efforts of Subtle Snail operators to tailor the attack for each victim, using job-themed lures and spear-phishing emails to validate email addresses and collect additional information. The malware used in the campaign includes a web browser stealer that incorporates a publicly available tool called Chrome-App-Bound-Encryption-Decryption to bypass app-bound encryption protections rolled out by Google. MINIBIKE is a fully-featured, modular backdoor with support for 12 distinct commands to facilitate C2 communication, allowing it to enumerate files and directories, list running processes, terminate specific ones, upload files in chunks, and run various payloads. The malware makes Windows Registry modifications such that it's automatically loaded after system startup and features anti-debugging and anti-sandbox techniques to hinder analysis. The group uses predefined paths to guide their searches and focus on stealing emails, VPN configurations, and other information that helps them maintain control, as well as hunting for confidential files stored in shared folders. Furthermore, the Iran-linked cyber-espionage group Nimbus Manticore, also known as UNC1549 and Smoke Sandstorm, has expanded its operations to target critical infrastructure organizations across Western Europe, including Denmark, Portugal, and Sweden. The group uses sophisticated malware variants, including MiniJunk and MiniBrowse, to gain persistent access to infected systems and steal credentials from Chrome and Edge browsers. MiniJunk is an advanced version of the Minibike backdoor, featuring improved obfuscation techniques, code signing, and multiple C2 servers to evade detection. The malware employs multi-stage sideloading to install and establish persistence on victim systems, leveraging fake job-related login pages and tailored spear-phishing emails. Nimbus Manticore has been active since at least 2022, targeting aerospace and defense sectors in Israel and the Middle East, and is associated with the Iranian Revolutionary Guard Corps (IRGC). Additionally, the Iranian state-sponsored threat actor known as APT42 has been observed targeting individuals and organizations of interest to the IRGC as part of a new espionage-focused campaign codenamed SpearSpecter. The campaign, detected in early September 2025 and assessed to be ongoing, systematically targets high-value senior defense and government officials using personalized social engineering tactics. The campaign extends to the targets' family members, creating a broader attack surface that exerts more pressure on the primary targets. APT42 is known for its ability to mount convincing social engineering campaigns that can run for days or weeks to build trust with the targets before sending a malicious payload or tricking them into clicking on booby-trapped links. The SpearSpecter campaign is carried out by cluster D of APT42, which focuses more on malware-based operations, while another campaign detailed by Check Point was carried out by cluster B of the same group, which focuses more on credential harvesting. The campaign involves impersonating trusted WhatsApp contacts to send a malicious link to a supposed required document for an upcoming meeting or conference. When the link is clicked, it initiates a redirect chain to serve a WebDAV-hosted Windows shortcut (LNK) masquerading as a PDF file by taking advantage of the "search-ms:" protocol handler. The LNK file establishes contact with a Cloudflare Workers subdomain to retrieve a batch script that functions as a loader for TAMECAT, a known PowerShell backdoor. TAMECAT employs various modular components to facilitate data exfiltration and remote control, using HTTPS, Discord, and Telegram for command-and-control (C2). The PowerShell framework uses three distinct channels for C2, suggesting the threat actor's goal of maintaining persistent access to compromised hosts even if one pathway gets detected and blocked. TAMECAT comes equipped with features to conduct reconnaissance, harvest files matching certain extensions, steal data from web browsers like Google Chrome and Microsoft Edge, collect Outlook mailboxes, and take screenshots at 15-second intervals. The data is exfiltrated over HTTPS or FTP, and the malware adopts various stealthy techniques to evade detection and resist analysis efforts. Additionally, UNC1549 (aka Nimbus Manticore or Subtle Snail) has been observed deploying backdoors like TWOSTROKE and DEEPROOT in attacks targeting aerospace, aviation, and defense industries in the Middle East. The group has been active since late 2023 through 2025, employing sophisticated initial access vectors including abuse of third-party relationships, VDI breakouts, and highly targeted phishing. The group uses a combination of phishing campaigns and leveraging trusted relationships with third-party suppliers and partners to gain initial access. UNC1549 abuses credentials associated with services like Citrix, VMWare, and Azure Virtual Desktop and Application (VDA) to establish an initial foothold and break out of virtualized sessions. The group targets IT staff and administrators to obtain credentials with elevated privileges for deeper network access. Post-exploitation activities include reconnaissance, credential harvesting, lateral movement, defense evasion, and information theft, focusing on network/IT documentation, intellectual property, and emails. Custom tools used by UNC1549 include MINIBIKE, TWOSTROKE, DEEPROOT, LIGHTRAIL, GHOSTLINE, POLLBLEND, DCSYNCER.SLICK, CRASHPAD, SIGHTGRAB, and TRUSTTRAP. The group uses publicly available programs like AD Explorer, Atelier Web Remote Commander (AWRC), and SCCMVNC for remote control and reconnaissance. UNC1549 maintains stealth and command-and-control (C2) using extensive reverse SSH shells and domains mimicking the victim's industry. The group plants backdoors that beacon silently for months, only activating them to regain access after the victim has attempted eradication. Furthermore, Iranian threat actors engaged in cyber warfare to facilitate and enhance physical, real-world attacks, a trend known as cyber-enabled kinetic targeting. Imperial Kitten, an Iranian-affiliated hacking group, conducted digital reconnaissance targeting a ship's Automatic Identification System (AIS) platform between December 2021 and January 2024. Imperial Kitten attacked additional maritime vessel platforms, gaining access to CCTV cameras on a maritime vessel for real-time visual intelligence. On January 27, 2024, Imperial Kitten carried out targeted searches for AIS location data for a specific shipping vessel, which was later targeted by an unsuccessful missile strike by Iranian-backed Houthi militants. MuddyWater, an Iranian threat actor, established infrastructure for a cyber network operation in May 2025 and used it to access live CCTV streams from Jerusalem to gather real-time visual intelligence. Iranian threat actors routed their traffic through anonymizing VPN services to obscure their origins and complicate attribution efforts.