VulnHub

A cybercriminal group known as Bloody Wolf is targeting organizations in Uzbekistan and Russia with a spear-phishing campaign designed to deploy a remote access trojan called NetSupport RAT. This group, which has been active since at least 2023, is focusing its attacks on the manufacturing, finance, and IT sectors. Kaspersky, a cybersecurity firm, is tracking this activity under the name Stan Ghouls. The use of spear-phishing indicates that the attackers are likely customizing their messages to trick specific individuals or organizations into downloading the malicious software. This type of threat can lead to significant data breaches and operational disruptions for the affected companies, making it crucial for them to enhance their email security and user awareness training.

On January 20, Kaspersky detected malware associated with a supply chain attack targeting eScan antivirus software. This incident suggests that attackers compromised the update mechanism of eScan, potentially allowing them to distribute malicious updates to users. Companies using eScan antivirus are at risk, as the malware could lead to unauthorized access or data breaches. Users of the software should be vigilant and consider immediate actions to protect their systems. Kaspersky has provided indicators of compromise and mitigation strategies for affected users to follow in order to secure their environments.

Kaspersky researchers have identified updates to the CoolClient backdoor and the deployment of new tools associated with the HoneyMyte group, also known as Mustang Panda or Bronze President. This group is known for its advanced persistent threat (APT) campaigns, which have now introduced three variants of a browser data stealer. These updates suggest an ongoing effort by attackers to enhance their capabilities and target sensitive data from users. The implications are significant, as organizations and individuals could be at risk of having their personal and financial information stolen. Users are encouraged to remain vigilant and ensure their systems are protected against these evolving threats.

Kaspersky has reported on a new campaign from the HoneyMyte APT group, also known as Mustang Panda or Bronze President, which has evolved to use a sophisticated kernel-mode rootkit. This rootkit is designed to deploy and secure a backdoor known as ToneShell, which allows attackers to maintain persistent access to compromised systems. The implications of this development are significant, as it enhances the group’s ability to infiltrate networks and evade detection. Organizations need to be vigilant against these advanced tactics to protect sensitive data and maintain system integrity. This campaign highlights the ongoing threats posed by state-sponsored hacking groups and the need for robust cybersecurity measures.

A Chinese cyberespionage group known as Evasive Panda has been using a technique called DNS poisoning to install a backdoor known as MgBot on targeted systems in Türkiye, China, and India. Kaspersky researchers identified this campaign, which shows the group's focus on espionage activities against specific entities in these countries. DNS poisoning allows attackers to redirect victims to malicious servers without their knowledge, facilitating the installation of the backdoor. This incident raises concerns about the security of sensitive information, as the MgBot backdoor can provide attackers with ongoing access to compromised systems. Organizations in the affected regions should be vigilant and strengthen their cybersecurity measures to protect against such sophisticated attacks.

Kaspersky's GReAT team has released findings on a sophisticated attack by a group known as Evasive Panda APT. This group employs a technique that poisons DNS requests to deploy a malicious implant called MgBot. The attack chain includes the use of shellcode that is encrypted with DPAPI and RC5, making it harder to detect. This method poses a significant risk as it can compromise systems and networks by redirecting legitimate traffic to malicious sites. Organizations need to be aware of these tactics to prevent potential breaches and protect their infrastructure.

Kaspersky researchers have reported on the recent activities of the Cloud Atlas advanced persistent threat (APT) group in early 2025. This group has updated their arsenal with new malicious tools, including backdoors known as VBShower, VBCloud, PowerShower, and CloudAtlas. These implants are designed to infiltrate and control targeted systems, which typically include government and corporate networks. The evolving tactics of Cloud Atlas highlight the ongoing risks to organizations, particularly those in sensitive sectors. Companies need to remain vigilant and enhance their cybersecurity measures to defend against these sophisticated threats.

In October 2025, Kaspersky reported a new wave of phishing attacks linked to a group known as Operation ForumTroll, specifically targeting Russian scholars. These attackers are using fake emails that appear to come from a legitimate eLibrary service to lure victims into providing sensitive information. This shift from targeting organizations in the spring to focusing on individuals in the fall raises concerns about the attackers' evolving strategies. The origins of the threat actor remain unclear, but the targeted approach suggests a calculated effort to exploit the academic community. Such incidents can lead to significant data breaches and have serious implications for both personal and institutional security.

Kaspersky's GReAT team has reported an increase in cyberattacks from the ForumTroll APT group, which is specifically targeting Russian political scientists. The attackers are using a tool known as the Tuoni framework to infiltrate their devices. This situation is concerning as it shows a focused attempt to compromise the devices of individuals involved in political research, potentially to gather sensitive information or disrupt their work. The targeting of political scientists indicates a strategic move to influence or monitor political discourse in Russia. These incidents serve as a reminder of the ongoing risks faced by academics and researchers in politically sensitive environments.

The Tsundere botnet, targeting Windows users, is expanding and capable of executing arbitrary JavaScript code from a command-and-control server. This poses a significant threat to users, as the botnet's propagation methods remain unclear, indicating a potential for widespread exploitation.

Kaspersky GReAT experts have identified the Tsundere botnet, which utilizes Node.js-based bots to exploit web3 smart contracts. The campaign poses a significant cybersecurity threat as it spreads through MSI installers and PowerShell scripts, indicating a sophisticated method of propagation.