APT operational developments, malware families and variants, new cybercrime ecosystems, and methods of compromise

Weekly Threats Report by Telsy

APT: new toolkits and TTPs from state-sponsored adversaries

In the state-sponsored landscape, this week saw new tactics and tools from several APTs. The Indian group Bitter sent phishing emails to diplomatic institutions in South Asia, particularly in Pakistan, Bangladesh, and Sri Lanka. Using PowerShell scripts and legitimate system administration tools, it compromised target hosts by distributing a new reverse shell, called BabShell, delivered via two new modules, MemLoader HidenDesk and MemLoader Edge. The group also deployed exfiltration tools with WhatsApp-specific functionality to collect content shared through the application and obtain sensitive information.

A North Korean adversary tracked as the UNC5342 cluster, presumably linked to the Lazarus Group, adopted the EtherHiding technique as part of the Contagious Interview social engineering campaign to distribute a new downloader called JADESNOW and deliver a JavaScript variant of InvisibleFerret, an operation that led to numerous thefts of digital assets.

The Iranian MuddyWater group targeted more than 100 government organizations in the Middle East and North Africa (MENA) region, particularly embassies, foreign ministries, consulates, international organizations, and telecommunications companies, with version 4 of a custom backdoor called Phoenix. Analysis of this operation also identified a custom tool and several remote monitoring and management (RMM) utilities: Chromium_Stealer, a browser-credential stealer disguised as a calculator application, and the RMM products Action1 and PDQ RMM.

Separately, China accused the US National Security Agency (NSA) of conducting a cyberattack for espionage purposes against the National Time Service Center (NTSC).

Finally, security researchers observed that in July 2025, a few days after the release of Microsoft patches, Chinese adversaries exploited the vulnerability CVE-2025-53770, part of the ToolShell exploit chain, to compromise a telecommunications company in the Middle East and two government departments in the same African country. Further evidence indicates that the same campaign also involved a state technology agency in Africa, a ministry in the Middle East, and a European financial company.


Malware: updates on threats and campaigns in the wild

This week, security researchers reported new malicious tools and updates to known malware families. In a transnational phishing campaign that spread from China and Taiwan to Japan and, more recently, to Malaysia, the adversary first deployed Winos only against users in Taiwan and then moved on to broader operations that include HoldingHands RAT. The payload of the latter remains largely unchanged from previous versions, with one significant addition: a new C2 command that allows the server IP address to be updated via a registry key, so the attacker can change infrastructure without redistributing the malware.

Meanwhile, in a campaign targeting Indian users, GhostBat RAT was used to steal sensitive information. This new Trojan masquerades as mParivahan, an official application of the Indian Regional Transport Office (RTO), and is distributed via several vectors: WhatsApp messages, SMS messages with shortened URLs that link to APK files hosted on GitHub, and compromised websites. The RAT also uses native libraries (.so) that decrypt and dynamically load APIs into memory via JNI to execute payloads such as a cryptominer and an infostealer aimed at bank credentials.

Another new development concerns an ongoing Brazilian Loader-as-a-Service (LaaS) operation that has distributed a wide range of payloads and infostealers such as Remcos, XWorm, and Katz Stealer. The malware in question is a .NET loader nicknamed Caminho Loader, which uses Least Significant Bit (LSB) steganography to hide .NET payloads inside image files hosted on legitimate platforms. It targets victims in various sectors in South America, Africa, and Eastern Europe, with confirmed victims in Brazil, South Africa, Ukraine, and Poland.

Finally, security researchers have observed version 2.0 of Nocturnal Stealer (aka Vidar), an infostealer designed to steal sensitive data from compromised systems. Among its innovations are the migration of the code base from C++ to C; a multithreaded architecture that collects credentials, cookies, wallet keys, and sensitive files in parallel; and advanced evasion techniques and anti-analysis controls. Nocturnal Stealer 2.0 has also expanded the range of information it can steal and its collection methods in order to bypass Chrome's AppBound encryption.
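The LSB steganography attributed above to Caminho Loader hides a .NET payload in the low-order bit of each image sample. The following script is an added example written for this report and is not Telsy's code nor the loader's: it assumes the pixel data is already decoded to raw channel bytes (no image library needed), assumes a simple constructed framing (a 4-byte big-endian length prefix before the payload, which a real loader would replace with its own layout), and checks whether the recovered bytes carry a PE header, which is what an analyst would look for when triaging an image fetched by a suspicious .NET process. The embedding helper exists only to build the constructed test input.

```python
"""Added example (not Telsy's code): recover an LSB-hidden blob from raw pixel
bytes and check whether it looks like a PE/.NET file.
Framing (4-byte big-endian length + payload) is an assumption for this sample."""
import struct


def embed_lsb(pixels: bytes, payload: bytes) -> bytearray:
    """Constructed sample builder only: write length prefix + payload into the
    least-significant bit of consecutive channel bytes, MSB of each byte first."""
    data = struct.pack(">I", len(payload)) + payload
    nbits = len(data) * 8
    if nbits > len(pixels):
        raise ValueError("cover image too small for payload")
    out = bytearray(pixels)
    for i in range(nbits):
        bit = (data[i >> 3] >> (7 - (i & 7))) & 1
        out[i] = (out[i] & 0xFE) | bit
    return out


def _read_lsb_bytes(pixels: bytes, offset_bits: int, count: int) -> bytes:
    """Collect `count` bytes from the LSBs starting at bit offset `offset_bits`."""
    buf = bytearray()
    for b in range(count):
        v = 0
        for k in range(8):
            v = (v << 1) | (pixels[offset_bits + b * 8 + k] & 1)
        buf.append(v)
    return bytes(buf)


def extract_lsb(pixels: bytes) -> bytes:
    """Read the assumed length prefix, sanity-check it against the cover size,
    then pull out that many payload bytes. Returns b'' when the prefix is implausible
    (an unmodified cover yields a random 32-bit length, almost always oversized)."""
    if len(pixels) < 32:
        return b""
    (length,) = struct.unpack(">I", _read_lsb_bytes(pixels, 0, 4))
    if length == 0 or 32 + length * 8 > len(pixels):
        return b""
    return _read_lsb_bytes(pixels, 32, length)


def looks_like_pe(blob: bytes) -> bool:
    """Minimal PE check: 'MZ' DOS header and e_lfanew pointing at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def scan_image(pixels: bytes) -> dict:
    """Triage verdict for one decoded image: payload size found and PE-ness."""
    blob = extract_lsb(pixels)
    return {"payload_len": len(blob), "is_pe": looks_like_pe(blob)}


def build_cover() -> bytes:
    """Constructed 'image': 10240 channel bytes with a repeating gradient."""
    return bytes(range(256)) * 40


def build_fake_pe() -> bytes:
    """Constructed stand-in for a .NET assembly: DOS stub, e_lfanew=0x40, PE magic."""
    return b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"A" * 16


if __name__ == "__main__":
    stego = embed_lsb(build_cover(), build_fake_pe())
    print("clean cover :", scan_image(build_cover()))
    print("stego cover :", scan_image(bytes(stego)))
```

Because the LSB plane of a photograph is already close to random, bit statistics alone are a weak signal; the stronger indicator in practice is the combination shown here, namely a structured length prefix that fits the image followed by bytes with a valid executable header.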


Cybercrime: evolution of infrastructure and access techniques

Analysts have detected a new Phishing-as-a-Service infrastructure called Tykit, which primarily targets Microsoft 365 credentials in sectors such as finance, construction, IT, and government on a global scale. Tykit's attack chain consists of several linked stages: it starts with the delivery of the payload via a malicious SVG image; this is followed by a redirection to a URL that displays a Cloudflare Turnstile CAPTCHA as an anti-bot (anti-automation) check; finally, once the check has been passed, a fake Microsoft 365 login page is loaded with a form for entering a username and password.

Microsoft 365 features were also abused in a campaign called Jingle Thief, conducted by a financially motivated adversary operating from Morocco that exploits the use of gift cards during the holiday season to commit fraud. The activity, tracked as cluster CL-CRI-1032, overlaps with publicly tracked groups such as Atlas Lion and STORM-0539 and primarily targets global companies in the retail and consumer services sectors that rely on cloud-based services and infrastructure. Once inside a target company, the adversary seeks the type and level of access needed to issue unauthorized gift cards, using Microsoft 365 features to conduct reconnaissance and ensure persistence.

Another new development concerns attacks based on OAuth, an authorization protocol that allows an application to access a user's resources through the issuance of temporary access tokens. The attacker uses a combination of techniques to gain initial access to cloud user accounts and, once inside, creates a second-party OAuth application in the organization's tenant, configuring it with elevated permissions. The malicious app, equipped with a long-lived cryptographic "client secret," obtains OAuth tokens (access tokens, refresh tokens, and ID tokens) through which it can maintain access autonomously. It can then continue to exfiltrate data and move laterally within the environment without being easily detected, since it appears as a legitimate internal application in the administration consoles. The app retains persistent access that can only be interrupted by manually removing it and revoking its client secret.


Weekly Threats Report is Telsy's weekly update on the latest developments in cyberattacks and threat actors worldwide, produced by our Threat Intelligence & Response team.

The team is made up of security analysts and researchers with both technical and investigative expertise, as well as recognized international experience.

Through continuous monitoring of cyber threats and geopolitical events, the team produces and provides organizations with valuable information to anticipate attacks and understand their impact, while acting as a reliable partner in the event of a cyber incident.
