Ransomware In Focus
CYFIRMA Research and Advisory Team would like to highlight ransomware trends and insights gathered while monitoring various forums. This includes multiple industries, geography, and technology that could be relevant to your organization.
Type: Ransomware
Target Technologies: Windows OS
Target Countries: Brazil, India, Paraguay, Turkey
Target Industries: Financial Services, Manufacturing, Retail & E-Commerce, Technology
Introduction:
CYFIRMA Research and Advisory Team has found Doommageddon Ransomware while monitoring various underground forums as part of our Threat Discovery Process.
Doommageddon Ransomware
Doommageddon is a ransomware family that encrypts files on compromised systems using asymmetric cryptographic algorithms and appends a new extension to each affected file while preserving the original filename. After encryption is complete, it creates a text-based ransom note claiming that the files can only be recovered with a unique private key controlled by the attackers. The note instructs victims to establish contact through a secure communication channel, provide an assigned victim identifier, and avoid modifying encrypted files or attempting recovery through third-party utilities. Top of Form Bottom of Form

Screenshot: File encrypted by the ransomware (Source: Surface Web)
Ransomware drops a ransom note named README_DECRYPT.txt, which informs victims that their files have been encrypted and claims that recovery is only possible with a private decryption key controlled by the attackers. The note instructs victims to establish contact through a secure communication channel, provide a unique victim identifier, and warns against modifying encrypted files or attempting recovery with third-party tools, stating that such actions may permanently damage the encrypted data.

Screenshot: The appearance of Doommageddon’s ransom note (README_DECRYPT.txt) (Source: Surface Web)

Screenshot: The appearance of Doommageddon’s DLS site
Beyond file encryption, Doommageddon employs a double-extortion model by leveraging a hidden data leak portal to pressure victims into paying a ransom. The portal categorizes victims according to the progress of negotiations or data disclosure and displays information such as countdown timers and the volume of compromised files. This approach combines data encryption with the threat of exposing stolen information, increasing the operational and reputational impact on affected organizations. Removing Doommageddon from an infected system is necessary to prevent further encryption activity or potential lateral movement across connected environments, although malware removal alone does not restore encrypted data. Recovery generally depends on the availability of clean offline or remote backups, as encrypted files cannot typically be recovered without the corresponding decryption key.
The following are the TTPs based on the MITRE ATT&CK Framework
| Tactic | Technique ID | Technique Name |
| Execution | T1059 | Command and Scripting Interpreter |
| Execution | T1129 | Shared Modules |
| Execution | T1574 | Hijack Execution Flow |
| Persistence | T1543.003 | Create or Modify System Process: Windows Service |
Privilege Escalation | T1055 | Process Injection |
Privilege Escalation | T1543.003 | Create or Modify System Process: Windows Service |
Privilege Escalation | T1548 | Abuse Elevation Control Mechanism |
Credential Access | T1003 | OS Credential Dumping |
| Discovery | T1007 | System Service Discovery |
| Discovery | T1012 | Query Registry |
| Discovery | T1033 | System Owner/User Discovery |
| Discovery | T1057 | Process Discovery |
| Discovery | T1082 | System Information Discovery |
| Discovery | T1083 | File and Directory Discovery |
| Discovery | T1135 | Network Share Discovery |
| Discovery | T1497 | Virtualization/Sandbox Evasion |
| Discovery | T1518 | Software Discovery |
| Collection | T1005 | Data from Local System |
Command and Control | T1090 | Proxy |
| Impact | T1489 | Service Stop |
| Stealth | T1027 | Obfuscated Files or Information |
| Stealth | T1036 | Masquerading |
| Stealth | T1055 | Process Injection |
| Stealth | T1070.004 | Indicator Removal: File Deletion |
| Stealth | T1497 | Virtualization/Sandbox Evasion |
| Stealth | T1564.003 | Hide Artifacts: Hidden Window |
| Stealth | T1574 | Hijack Execution Flow |
Relevancy and Insights:
- The ransomware primarily affects the Windows operating system, which is commonly utilized in enterprise environments across multiple industries.
- The ransomware terminates processes such as vssadmin.exe Delete Shadows /all /quiet and wmic shadowcopy delete /nointeractive to delete Volume Shadow Copies, which are used by Windows for backup and restore. By removing these shadow copies, the malware ensures that victims cannot recover their files via system restore points or backup utilities.
- Detect-debug-environment: The ransomware technique is used to determine if it is being monitored in environments such as sandboxes, virtual machines, or under debugging tools. To perform this check, the malware may look for specific processes, drivers, or artifacts linked to analysis tools, measure timing to spot inconsistencies, or scan for system traits uncommon in real user machines. When such conditions are identified, the malicious program can modify its behavior, such as pausing execution, shutting down, or withholding key payload actions, to avoid detection and make detailed analysis more difficult.
- Long Sleep Delays: Implements extended sleep intervals during execution, a common anti-analysis technique used to evade automated sandbox detection and behavioral monitoring.
ETLM Assessment:
CYFIRMA assesses that Doommageddon is likely to continue maturing as a ransomware operation by enhancing both its technical capabilities and operational efficiency. Future variants may incorporate improved defense-evasion techniques, stronger persistence mechanisms, and greater automation to accelerate encryption and reduce the time between initial compromise and payload execution. The operators may also refine their deployment methods to better support attacks across diverse enterprise environments, increasing the scale and effectiveness of campaigns while minimizing opportunities for early detection and response.
The group’s apparent reliance on combining data theft with file encryption suggests that future campaigns could further strengthen their double-extortion strategy through more sophisticated victim management and expanded leak-site functionality. This may include more structured negotiation workflows, enhanced presentation of stolen data, and additional methods of applying pressure throughout the extortion process. As the ransomware landscape continues to evolve, operations of this nature are expected to become more organized, adaptable, and operationally resilient, enabling threat actors to conduct campaigns with greater consistency while maximizing disruption and increasing the likelihood of successful extortion.
Sigma rules:
title: Shadow Copies Deletion Using Operating Systems Utilities tags:
– attack.impact
– attack.stealth logsource:
category: process_creation product: windows
detection: selection1_img:
– Image|endswith:
– ‘\powershell.exe’
– ‘\pwsh.exe’
– ‘\wmic.exe’
– ‘\vssadmin.exe’
– ‘\diskshadow.exe’
– OriginalFileName:
– ‘PowerShell.EXE’
– ‘pwsh.dll’
– ‘wmic.exe’
– ‘VSSADMIN.EXE’
– ‘diskshadow.exe’ selection1_cli:
CommandLine|contains|all:
– ‘shadow’ # will match “delete shadows” and “shadowcopy delete” and “shadowstorage”
– ‘delete’ selection2_img:
– Image|endswith: ‘\wbadmin.exe’
– OriginalFileName: ‘WBADMIN.EXE’ selection2_cli:
CommandLine|contains|all:
– ‘delete’
– ‘catalog’
– ‘quiet’ # will match -quiet or /quiet selection3_img:
– Image|endswith: ‘\vssadmin.exe’
– OriginalFileName: ‘VSSADMIN.EXE’ selection3_cli:
CommandLine|contains|all:
– ‘resize’
– ‘shadowstorage’ CommandLine|contains:
– ‘unbounded’
– ‘/MaxSize=’
condition: (all of selection1*) or (all of selection2*) or (all of selection3*) falsepositives:
– Legitimate Administrator deletes Shadow Copies using operating systems utilities for legitimate reason
– LANDesk LDClient Ivanti-PSModule (PS EncodedCommand) level: high
(Source: Surface Web)
IOCs:
Kindly refer to the IOCs section to exercise control of your security systems. (Source: Surface Web)
RECOMMENDATIONS
STRATEGIC RECOMMENDATIONS
- Implement competent security protocols and encryption, authentication, or access credentials configurations to access critical systems in your cloud and local environments.
- Ensure that backups of critical systems are maintained, which can be used to restore data in case a need arises.
MANAGEMENT RECOMMENDATIONS
- A data breach prevention plan must be developed considering (a) the type of data being managed by the company; (b) the remediation process; (c) where and how the data is stored; (d) if there is an obligation to notify the local authority.
- Implement a zero-trust security model alongside multifactor authentication (MFA) to reduce the risk of credential compromise.
- Foster a culture of cybersecurity, where you encourage and invest in employee training so that security is an integral part of your organization.
TACTICAL RECOMMENDATIONS
- Update all applications/software regularly with the latest versions and security patches alike.
- Add the Sigma rules for threat detection and monitoring, which will help to detect anomalies in log events and identify and monitor suspicious activities.
- Establish and implement protective controls by actively monitoring and blocking identified indicators of compromise (IoCs) and reinforcing defensive measures based on the provided tactical intelligence.
Active Malware of the Week
Type: Trojan
Objectives: Espionage
Target Technology: Windows
Target Geography: Global
CYFIRMA collects data from various forums, based on which the trend is ascertained. We identified a few popular malwares that were found to be distributed in the wild to launch cyberattacks on organizations or individuals.
Active Malware of the week
This week, “BrunoStealer” is in focus.
Overview of the operation BrunoStealer Malware
The analyzed BrunoStealer malware sample exhibits multiple characteristics commonly associated with a Trojan and demonstrates a combination of execution, reconnaissance, defense evasion, and network communication capabilities. Rather than performing overtly destructive actions immediately, the malware appears to focus on establishing execution, gathering system intelligence, and preparing the environment for potential follow-on activities. This behavior indicates a well-structured threat designed to operate discreetly while minimizing the likelihood of early detection. During execution, the malware leveraged legitimate Windows components to load and execute its malicious payload, a technique frequently used to blend malicious activity with normal system operations. It also employed obfuscation and software packing mechanisms, along with environment-awareness checks, to complicate static and dynamic analysis. These capabilities highlight an emphasis on evading security controls and delaying detection during execution.
The sample conducted extensive host reconnaissance by collecting information about the operating system, user accounts, network configuration, file system, and installed security-related components. Such discovery activities enable the malware to better understand the compromised environment, identify valuable targets, and determine appropriate actions based on the characteristics of the infected host. This intelligence-gathering phase is often a precursor to additional malicious activities.
In addition, the malware established outbound network communication over HTTP and accessed external services to obtain host-related information, including public IP and geolocation data. The observed communication capabilities indicate support for exchanging data with remote infrastructure, suggesting the potential for command-and-control interactions. Taken together, execution, evasion, reconnaissance, and communication behaviors demonstrate that the sample poses a significant security risk and should be considered a credible threat requiring immediate containment and remediation.
Attack Method
The infection begins with the execution of a malicious DLL through the Windows utility rundll32.exe, allowing the payload to run under the context of a trusted Microsoft binary. The sample also invokes loaddll64.exe during execution, indicating an additional stage for loading or testing the DLL. By relying on legitimate Windows executables instead of a standalone malicious process, the malware reduces its behavioral footprint and attempts to evade security products that primarily monitor unknown binaries. The use of runtime linking and shared modules further obscures its execution flow and complicates reverse engineering.
Once active, the malware performs a comprehensive reconnaissance phase to profile the compromised host. It enumerates operating system details, hostname, logged-in user, network configuration, available memory, file attributes, directory contents, and installed security-related components. The sample also queries multiple registry locations associated with Windows configuration, compatibility settings, and execution policies. These discovery operations enable malware to identify the characteristics of the target environment, determine whether it is running inside an analysis platform, and tailor its subsequent behavior accordingly.
To resist detection, the malware incorporates multiple defense evasion mechanisms. The executable is protected using software packing and obfuscation techniques, while also performing virtualization and sandbox detection checks before continuing execution. It references analysis tool strings, checks for known sandbox usernames or hostnames, and dynamically resolves Windows API functions at runtime instead of relying solely on static imports. These techniques collectively reduce the visibility of the malware during both static inspection and automated behavioral analysis, increasing the likelihood of successful execution on a victim system.
Following host profiling, the malware establishes outbound HTTP communication using the WinINet API. It creates HTTP requests, connects to remote servers, and supports both data transmission and response retrieval, enabling two-way communication with external infrastructure. During execution, the sample was observed querying an external IP geolocation service to obtain the victim’s public IP address and geographic information, while also containing a hardcoded Discord webhook URL that can facilitate remote data exfiltration or operator notifications. The combination of trusted process execution, extensive reconnaissance, anti-analysis capabilities, and external communication demonstrates a structured attack chain designed to support persistent command-and-control operations and the delivery of malicious activities.
The following are the TTPs based on the MITRE ATT&CK Framework for Enterprises
| Tactic | Technique ID | Technique Name |
| Execution | T1129 | Shared Modules |
| T1574 | Hijack Execution Flow | |
| Stealth | T1027 | Obfuscated Files or Information |
| T1027.002 | Obfuscated Files or Information: Software Packing | |
| T1218 | System Binary Proxy Execution | |
| T1497 | Virtualization/Sandbox Evasion | |
| Discovery | T1016 | System Network Configuration Discovery |
| T1033 | System Owner/User Discovery | |
| T1518.001 | Software Discovery: Security Software Discovery | |
| T1082 | System Information Discovery | |
| T1083 | File and Directory Discovery | |
| T1087 | Account Discovery | |
| T1614 | System Location Discovery | |
| Command and control | T1071 | Application Layer Protocol |
INSIGHTS
The malware demonstrates a deliberate emphasis on remaining inconspicuous rather than exhibiting immediate destructive behavior. Instead of triggering actions that would quickly attract attention, it prioritizes understanding of the host environment and operating within the context of legitimate Windows processes. This measured approach reflects an objective of maintaining a low operational profile while carrying out its activities.
Another notable aspect is the malware’s reliance on native operating system functionality instead of introducing numerous custom components onto the compromised system. By utilizing built-in Windows mechanisms for execution and communication, the sample minimizes the number of artifacts it leaves behind. This approach makes malicious activity appear more consistent with normal system behavior, increasing the challenge of distinguishing legitimate operations from malicious ones during routine monitoring.
The overall activity observed during execution suggests a modular design in which individual capabilities, including execution, host profiling, evasion, and network communication, are integrated into a coordinated workflow. Rather than relying on a single malicious capability, the sample combines multiple functions to achieve its objectives while maintaining operational flexibility. This layered behavior highlights the importance of evaluating malware based on the complete sequence of actions instead of isolated indicators or individual events.
ETLM ASSESSMENT
For ETLM, prospects indicate that malware employing stealth-oriented execution and trusted system components is likely to remain a persistent threat as organizations continue adopting hybrid work environments, cloud-based services, and increasingly interconnected enterprise infrastructures. Future campaigns are expected to focus on maintaining a low operational profile while gathering valuable organizational information and establishing covert communication channels that can support broader malicious objectives. As a result, enterprises may face increased risks of unauthorized access, data compromise, and operational disruption that are difficult to detect during the early stages of an intrusion, while employees could become more frequent targets through seemingly legitimate files and applications that exploit routine business activities to gain an initial foothold within corporate environments.
IOCs:
Kindly refer to the IOCs Section to exercise controls on your security systems. (Source: Surface Web)
YARA Rules
rule Trojan_DLL_Discord_Webhook_IPAPI
{
meta:
description = “Detects a DLL-based Trojan using Discord webhook and IP-API for host profiling”
author = “CYFIRMA” date = “2026-07-06”
strings:
/* Sample Hash */
$hash1 =
“c8525c9380f5c3d9d5c66e101120fee50c3e4a80d0981507d300b33a6cafb208”
/* Network Indicators */
$s1 = “discord.com/api/webhooks/”
$s2 = “ip-api.com/line/?fields=query”
$s3 = “discord.com”
$s4 = “ip-api.com”
/* Windows Execution */
$s5 = “rundll32.exe”
$s6 = “loaddll64.exe”
$s7 = “WININET.dll”
/* WinINet APIs */
$api1 = “InternetConnect”
$api2 = “HttpOpenRequest”
$api3 = “HttpSendRequest”
$api4 = “InternetReadFile”
/* Anti-analysis */
$anti1 = “VirtualBox”
$anti2 = “VMware”
$anti3 = “sandbox”
condition:
uint16(0) == 0x5A4D and (
$hash1 or
(all of ($s1, $s2) and 2 of ($api*)) or (3 of ($s*) and 2 of ($api*)) or
(2 of ($anti*) and 2 of ($api*))
)
}
Recommendations
Strategic Recommendations
- Implement a defense-in-depth security strategy that combines endpoint protection, network monitoring, email security, and threat intelligence to improve overall resilience against Trojan-based attacks.
- Strengthen application control policies to restrict the execution of unauthorized DLLs and reduce the misuse of legitimate Windows utilities such as rundll32.exe.
- Establish continuous threat hunting and behavioral monitoring programs to identify stealthy malware that blends with normal system activity.
- Conduct regular security awareness training to educate employees about malicious attachments, suspicious downloads, and other common malware delivery methods.
Management Recommendations
- Enforce a robust patch and vulnerability management program to minimize the attack surface across enterprise systems.
- Ensure Endpoint Detection and Response (EDR) solutions are deployed and configured to monitor abnormal process execution, DLL loading, and outbound network communications.
- Develop and periodically test incident response procedures to ensure rapid containment and recovery from malware incidents.
- Maintain centralized logging and continuous monitoring of endpoints, servers, and network devices to improve incident investigation and forensic capabilities.
Tactical Recommendations
- Monitor for suspicious execution of rundll32.exe, loaddll64.exe, and other trusted Windows binaries launching DLLs from user-writable or temporary directories.
- Detect and investigate outbound HTTP/HTTPS connections to untrusted domains, particularly those associated with public IP lookup services or webhook-based communication platforms.
- Configure endpoint security solutions to identify software packing, obfuscation, anti-analysis behavior, and unusual runtime API resolution techniques.
- Block malicious Indicators of Compromise (IOCs), including identified file hashes, domains, IP addresses, and URLs, and continuously update detection signatures such as YARA, Sigma, IDS, and EDR detection rules.
- Monitor for abnormal file system and registry modifications, especially those involving Windows Error Reporting (WER), temporary directories, and execution-related registry keys that may indicate malware activity or persistence attempts.
CYFIRMA’s Weekly Insights
1. Weekly Attack Types and Trends
Key Intelligence Signals:
- Attack Type: Ransomware Attacks, Vulnerabilities & Exploits, Data Leaks.
- Objective: Unauthorized Access, Data Theft, Data Encryption, Financial Gains, Espionage.
- Business Impact: Data Loss, Financial Loss, Reputational Damage, Loss of Intellectual Property, Operational Disruption.
- Ransomware – Krybit Ransomware, The Gentlemen Ransomware| Malware – BrunoStealer
- Krybit Ransomware– One of the ransomware groups.
- The Gentlemen Ransomware – One of the ransomware groups. Please refer to the trending malware advisory for details on the following:
- Malware – BrunoStealer
Behavior – Most of these malwares use phishing and social engineering techniques as their initial attack vectors. Apart from these techniques, exploitation of vulnerabilities, defense evasion, and persistence tactics are being observed.
2. Threat Actor in Focus
North Korean Threat Actor Broadens Supply Chain Operations
- Threat Actor: Famous Chollima aka Lazarus Group
- Attack Type: Botnet Operations, Malware Implant, DLL Injection Attacks, Direct IP-based C2 Communication, Impersonation, Obfuscation, Open Proxy Usage, Credential Stealing, Social Engineering Attack, Supply Chain Attacks, Ransomware Attacks, Cryptocurrency theft, Exploitation of Vulnerabilities.
- Objective: Information theft, Espionage, Financial Gains, Credential Theft.
- Suspected Target Technology: Windows, macOS, Linux, SAP Systems, Cryptocurrency Exchanges, Financial Platforms (including SWIFT), JetBrains TeamCity, Oracle Products, Dell Systems, Atlassian Confluence, Citrix NetScaler ADC/Gateway, GitHub and GitLab repositories, Microsoft Visual Studio Code.
- Suspected Target Geography: Australia, Brazil, Brunei, Canada, Chile, China, Darussalam, Democratic People’s Republic of Korea, France, Germany, Guatemala, Hong Kong, India, Indonesia, Islamic Republic of Iran, Japan, Myanmar, Philippines, Poland, Republic of Korea, Russia, Thailand, United Kingdom, United States, Vietnam, Bangladesh.
- Suspected Target Industries: Aerospace & Defense, Capital Markets, Consumer Finance, Cryptocurrency, Diversified Financial Services, Energy, Entertainment, Government, Hotels, Investment Trusts (REITs), Media, NGO, Real Estate, Restaurants & Leisure, Technology, Telecommunications, Thrifts and Mortgage, Banks, Software, Developer Environments, Open-Source Software.
- Business Impact: Financial Loss, Data Theft, Operational Disruption, Reputational Damage.
About the Threat Actor
Lazarus Group is a sophisticated North Korean state-sponsored threat actor that has been active since at least 2009 and is widely believed to operate on behalf of the DPRK government. Known as Hidden Cobra by the U.S. government, the group is reportedly associated with Lab 110, a unit of North Korean military intelligence. Lazarus is recognized for its advanced malware development capabilities, continuously evolving its tools and techniques to support cyber espionage and financially motivated operations, particularly targeting cryptocurrency organizations in recent years. The group has conducted high-profile attacks against the South Korean government and politically significant organizations, Bangladesh Bank, Sony Pictures Entertainment, and various U.S.-based entities. It is believed to comprise multiple subgroups, including Andariel, which primarily targets the South Korean government and organizations, and Bluenoroff, which focuses on financial theft and global espionage campaigns. Lazarus has been linked to several notable operations, including Operation Troy, DarkSeoul, the Sony Pictures attack, SWIFT-related bank heists, and WannaCry. Furthermore, UNC1069 is suspected of sharing infrastructure overlaps with Bluenoroff, a sub-affiliate of the Lazarus Group.
TTPs based on MITRE ATT&CK Framework

TTPs based on the MITRE ATT&CK Framework
| Tactic | ID | Technique |
| Reconnaissance | T1591 | Gather Victim Org Information |
| Reconnaissance | T1591.004 | Gather Victim Org Information: Identify Roles |
| Reconnaissance | T1589.002 | Gather Victim Identity Information: Email Addresses |
| Reconnaissance | T1593.001 | Search Open Websites/Domains: Social Media |
| Resource Development | T1587.001 | Develop Capabilities: Malware |
| Resource Development | T1587.002 | Develop Capabilities: Code Signing Certificates |
| Resource Development | T1583.001 | Acquire Infrastructure: Domains |
| Resource Development | T1583.004 | Acquire Infrastructure: Server |
| Resource Development | T1583.006 | Acquire Infrastructure: Web Services |
| Resource Development | T1584.001 | Compromise Infrastructure: Domains |
| Resource Development | T1584.004 | Compromise Infrastructure: Server |
| ResourceDevelopment | T1585.001 | Establish Accounts: Social Media Accounts |
| ResourceDevelopment | T1585.002 | Establish Accounts: Email Accounts |
| ResourceDevelopment | T1588.002 | Obtain Capabilities: Tool |
| ResourceDevelopment | T1588.003 | Obtain Capabilities: Code Signing Certificates |
| ResourceDevelopment | T1588.004 | Obtain Capabilities: Digital Certificates |
| Initial Access | T1189 | Drive-by Compromise |
| Initial Access | T1566.001 | Phishing: Spear phishing Attachment |
| Initial Access | T1566.002 | Phishing: Spear phishing Link |
| Initial Access | T1078 | Valid Accounts |
| Initial Access | T0865 | Spear phishing Attachment |
| Initial Access | T1566.003 | Phishing: Spear phishing via Service |
| Execution | T1059.001 | Command and Scripting Interpreter: PowerShell |
| Execution | T1053.005 | Scheduled Task/Job: Scheduled Task |
| Execution | T1106 | Native API |
| Execution | T1204.001 | User Execution: Malicious Link |
| Execution | T1204.002 | User Execution: Malicious File |
| Execution | T1203 | Exploitation for Client Execution |
| Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell |
| Execution | T1047 | Windows Management Instrumentation |
| Execution | T1059.005 | Command and Scripting Interpreter: Visual Basic |
| Execution | T1574.001 | Hijack Execution Flow: DLL |
| Execution | T1574.013 | Hijack Execution Flow: KernelCallbackTable |
| Persistence | T1505.004 | Server Software Component: IIS Components |
| Persistence | T1542.003 | Pre-OS Boot: Bootkit |
| Persistence | T1543.003 | Create or Modify System Process: Windows Service |
| Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| Persistence | T1078 | Valid Accounts |
| Persistence | T1098 | Account Manipulation |
| Persistence | T1547.009 | Boot or Logon Autostart Execution: Shortcut Modification |
| Privilege Escalation | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
| Privilege Escalation | T1098 | Account Manipulation |
| Privilege Escalation | T1547.009 | Boot or Logon Autostart Execution: Shortcut Modification |
| Privilege Escalation | T1543.003 | Create or Modify System Process: Windows Service |
| Privilege Escalation | T1055.001 | Process Injection: Dynamic-link Library Injection |
| Privilege Escalation | T1078 | Valid Accounts |
| Privilege Escalation | T1134.002 | Access Token Manipulation: Create Process with Token |
| Stealth | T1134.002 | Access Token Manipulation: Create Process with Token |
| Stealth | T1218 | System Binary Proxy Execution |
| Stealth | T1218.005 | System Binary Proxy Execution: Mshta |
| Stealth | T1218.010 | System Binary Proxy Execution: Regsvr32 |
| Stealth | T1218.011 | System Binary Proxy Execution: Rundll32 |
| Stealth | T1620 | Reflective Code Loading |
| Stealth | T1070 | Indicator Removal |
| Stealth | T1070.003 | Indicator Removal: Clear Command History |
| Stealth | T1070.004 | Indicator Removal: File Deletion |
| Stealth | T1202 | Indirect Command Execution |
| Stealth | T1036.003 | Masquerading: Rename Legitimate Utilities |
| Stealth | T1036.004 | Masquerading: Masquerade Task or Service |
| Stealth | T1036.005 | Masquerading: Match Legitimate Resource Name or Location |
| Stealth | T1036.008 | Masquerading: Masquerade File Type |
| Stealth | T1027.002 | Obfuscated Files or Information: Software Packing |
| Stealth | T1027.007 | Obfuscated Files or Information: Dynamic API Resolution |
| Stealth | T1027.009 | Obfuscated Files or Information: Embedded Payloads |
| Stealth | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File |
| Stealth | T1220 | XSL Script Processing |
| Stealth | T1497.003 | Virtualization/Sandbox Evasion: Time-Based Evasion |
| Stealth | T1622 | Debugger Evasion |
| Stealth | T1140 | Deobfuscate/Decode Files or Information |
| Stealth | T1564.001 | Hide Artifacts: Hidden Files and Directories |
| Stealth | T1684.001 | Social Engineering: Impersonation |
| Stealth | T1221 | Template Injection Authentication Process: Conditional Access Policies |
| Stealth | T1574.001 | Hijack Execution Flow: DLL |
| Stealth | T1574.013 | Hijack Execution Flow: KernelCallbackTable |
| Stealth | T1497.001 | Virtualization/Sandbox Evasion: System Checks |
| Stealth | T1078 | Valid Accounts |
| DefenseImpairment | T1686.003 | Disable or Modify System Firewall: Windows Host Firewall |
| DefenseImpairment | T1685 | Disable or Modify Tools |
| Credential Access | T1056.001 | Input Capture: Keylogging |
| Credential Access | T1110.003 | Brute Force: Password Spraying |
| Credential Access | T1557.001 | Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay |
| Discovery | T1083 | File and Directory Discovery |
| Discovery | T1057 | Process Discovery |
| Discovery | T1497.001 | Virtualization/Sandbox Evasion: System Checks |
| Discovery | T1497.003 | Virtualization/Sandbox Evasion: Time-Based Evasion |
| Discovery | T1087.002 | Account Discovery: Domain Account |
| Discovery | T1010 | Application Window Discovery |
| Discovery | T1046 | Network Service Discovery |
| Discovery | T1622 | Debugger Evasion |
| Discovery | T1082 | System Information Discovery |
| Discovery | T1012 | Query Registry |
| Discovery | T1614.001 | System Location Discovery: System Language Discovery |
| Discovery | T1016 | System Network Configuration Discovery |
| Discovery | T1049 | System Network Connections Discovery |
| Discovery | T1033 | System Owner/User Discovery |
| Discovery | T1680 | Local Storage Discovery |
| Discovery | T1124 | System Time Discovery |
| LateralMovement | T1021.002 | Remote Services: SMB/Windows Admin Shares |
| LateralMovement | T1021.001 | Remote Services: Remote Desktop Protocol |
| LateralMovement | T1021.004 | Remote Services: SSH |
| LateralMovement | T1534 | Internal Spear phishing |
| Collection | T1056.001 | Input Capture: Keylogging |
| Collection | T1560 | Archive Collected Data |
| Collection | T1560.001 | Archive Collected Data: Archive via Utility |
| Collection | T1560.002 | Archive Collected Data: Archive via Library |
| Collection | T1560.003 | Archive Collected Data: Archive via Custom Method |
| Collection | T1557.001 | Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay |
| Collection | T1005 | Data from Local System |
| Collection | T1074.001 | Data Staged: Local Data Staging |
| Command and Control | T1071.001 | Application Layer Protocol: Web Protocols |
| Command and Control | T1571 | Non-Standard Port |
| Command and Control | T1132.001 | Data Encoding: Standard Encoding |
| Command and Control | T1001.003 | Data Obfuscation: Protocol or Service Impersonation |
| Command and Control | T1573.001 | Encrypted Channel: Symmetric Cryptography |
| Command and Control | T1090.001 | Proxy: Internal Proxy |
| Command and Control | T1090.002 | Proxy: External Proxy |
| Command and Control | T1104 | Multi-Stage Channels |
| Command and Control | T1008 | Fallback Channels |
| Command and Control | T1105 | Ingress Tool Transfer |
| Command and Control | T1102.002 | Web Service: Bidirectional Communication |
| Exfiltration | T1041 | Exfiltration Over C2 Channel |
| Exfiltration | T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage |
| Exfiltration | T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol |
| Impact | T1561.001 | Disk Wipe: Disk Content Wipe |
| Impact | T1561.002 | Disk Wipe: Disk Structure Wipe |
| Impact | T1489 | Service Stop |
| Impact | T1485 | Data Destruction |
| Impact | T1529 | System Shutdown/Reboot |
| Impact | T1491.001 | Defacement: Internal Defacement |
Latest Developments Observed
The threat actor is suspected of expanding the PolinRider supply chain campaign beyond npm into Go Modules, Packagist, and Chrome extensions by compromising legitimate GitHub repositories and maintainer accounts. The campaign appears aimed at compromising developer environments to deliver malware and steal credentials, browser data, and cryptocurrency wallet information.
ETLM Insights
Lazarus Group continues to exhibit a mature and adaptive operational model centered on exploiting trusted software development ecosystems to facilitate strategic access, intelligence collection, and financially motivated operations. The group’s evolving tradecraft reflects a deliberate emphasis on abusing trusted software supply chains and legitimate development infrastructure to achieve scalable downstream compromise while preserving operational stealth and resilience.
The threat actor’s operations reflect:
- Strategic exploitation of trusted software development and distribution ecosystems.
- Sustained access through compromised developer infrastructure and legitimate identities.
- Flexible malware delivery enabled by modular tooling and advanced defense evasion techniques.
- Broad downstream compromise through the abuse of trusted software dependencies and distribution channels.
Looking ahead, Lazarus Group is expected to further mature its software supply chain capabilities by strengthening operational resilience, expanding abuse of trusted development platforms, and refining stealth-oriented intrusion methodologies. This continued evolution reinforces the group’s ability to conduct large-scale compromises through trusted software ecosystems, posing a sustained threat to organizations that depend on open-source software, modern DevOps practices, and interconnected software supply chains.
YARA Rules
rule Lazarus_PolinRider_Generic_Hunt
{
meta:
author = “CYFIRMA”
description = “Generic hunting rule for Lazarus PolinRider campaign” date = “2026-07-07”
threat_actor = “Lazarus Group” campaign = “PolinRider” confidence = “Low”
strings:
$s1 = “nwv3u.exe” ascii nocase
$s2 = “/scratch/zoo/2026/0522/” ascii
$s3 = “check02id.com” ascii nocase
$s4 = “uti98.com” ascii nocase
$s5 = “2no.co” ascii nocase
$s6 = “uw04webzoom.us” ascii nocase
$s7 = “tronracing.com” ascii nocase
$ip1 = “208.91.197.27” ascii
$ip2 = “94.191.24.214” ascii
$ip3 = “139.59.27.154” ascii
$ip4 = “104.223.98.2” ascii
$ip5 = “104.223.97.2” ascii
condition:
uint16(0) == 0x5A4D and 3 of ($s*) and
any of ($ip*)
}
Recommendations
Strategic Recommendations
- Incorporate Digital Risk Protection (DRP) as part of the overall security posture to proactively defend against impersonations and phishing attacks.
- Assess and deploy alternatives for an advanced endpoint protection solution that provides detection/prevention for malware and malicious activities that do not rely on signature-based detection methods.
- Block exploit-like behaviour. Monitor endpoints memory to find behavioural patterns that are typically exploited, including unusual process handle requests. These patterns are features of most exploits, whether known or new. This will be able to provide effective protection against zero-day/critical exploits and more by identifying such patterns.
Management Recommendations
- Invest in user education and implement standard operating procedures for the handling of financial and sensitive data transactions commonly targeted by impersonation attacks. Reinforce this training with context-aware banners and in-line prompts to help educate users.
- Develop a cyber threat remediation program and encourage employee training to detect anomalies proactively.
Tactical Recommendations
- For better protection coverage against email attacks (like spear phishing, business email compromise, or credential phishing attacks), organizations should augment built-in email security with layers that take a materially different approach to threat detection.
- Protect accounts with multi-factor authentication. Exert caution when opening email attachments or clicking on embedded links supplied via email communications, SMS, or messaging.
- Apply security measures to detect unauthorized activities, protect sensitive production and process control systems from cyberattacks.
- Add the YARA rules for threat detection and monitoring, which will help to detect anomalies in log events and identify and monitor suspicious activities.
3. Major Geopolitical Developments in Cybersecurity
US Homeland Security Hacked
The U.S. Department of Homeland Security (DHS) is investigating a recent cyberattack on its Homeland Security Information Network (HSIN). The breached platform is a critical database used to share sensitive data among federal, state, local, and private-sector partners. The intruders supposedly targeted both HSIN servers and a collaborative SharePoint system sometime between late May and early June.
ETLM Assessment:
While the identity and affiliation of the hackers remain unknown, the operation would coincide with previous Chinese and Russian efforts. The focus on the HSIN – a database built specifically for unclassified but highly sensitive cross-agency coordination – mirrors previous state-sponsored campaigns aimed at gathering strategic intelligence rather than just causing immediate chaos. This campaign aligns with long-standing espionage efforts designed to map out vulnerability networks, response procedures, and interagency friction points. Accessing these collaborative systems provides adversaries with a blueprint of Western defensive readiness, similar to past DNS hijacking and sophisticated backdoor campaigns (such as those utilizing POWERSTATS or RustyWater).
4. Rise in Malware/Ransomware and Phishing
Krybit Ransomware Impacts a Retail — Furniture and Home Furnishings Company from Malaysia
- Attack Type: Ransomware
- Target Industry: Retail — Furniture and Home Furnishings
- Target Geography: Malaysia
- Ransomware: Krybit Ransomware
- Objective: Data Theft, Data Encryption, Financial Gains
- Business Impact: Financial Loss, Data Loss, Reputational Damage
Summary:
CYFIRMA observed on a ransomware data leak site (DLS) on the dark web that a company from Malaysia was compromised by Krybit Ransomware. The Compromised company is a Malaysian furniture retailer and home lifestyle solutions provider that offers a broad range of residential and commercial furniture, home décor, and interior design services. The company has evolved from a traditional furniture retailer into a one-stop furniture megamall with both physical showrooms and an online store. The compromised data includes confidential and sensitive information belonging to the organization. The total size of the compromised data is approximately 400 GB.

Source: Dark Web
Relevancy & Insights:
- Krybit Ransomware is a financially motivated cybercriminal group that operates a dedicated data leak site (DLS) to extort victims by encrypting systems and threatening to publish stolen data unless a ransom is paid.
- The Krybit Ransomware group primarily targets countries such as Brazil, Spain, Taiwan, the United States of America, and Thailand.
- The Krybit Ransomware group primarily targets industries, including Professional Goods & Services, Manufacturing, Government & Civic, Consumer Goods & Services, and Information Technology.
- Based on the Krybit Ransomware victims list from 1st March 2026 to 07th July 2026, the top 5 Target Countries are as follows:

- The Top 10 Industries most affected by the Krybit Ransomware group victims list from 1st March 2026 to 07th July 2026 are as follows:

ETLM Assessment:
According to CYFIRMA’s assessment, Krybit represents a persistent, financially motivated Ransomware-as-a-Service (RaaS) and data extortion threat that leverages an opportunistic affiliate-driven operational model to maximize pressure on victims. Although the group functions via external threat actors incentivized by lucrative profit-sharing structures, its targeted deployment of custom malware suites across corporate environments highlights the critical importance of robust identity security, continuous network monitoring, timely vulnerability remediation, and rigorous data loss prevention measures to detect, contain, and mitigate potential ransomware extortion attacks.
The Gentlemen Ransomware Impacts a Consumer Goods – Health & Beauty company from Japan
- Attack Type: Ransomware
- Target Industry: Consumer Goods – Health & Beauty
- Target Geography: Japan
- Ransomware: The Gentlemen Ransomware
- Objective: Data Theft, Data Encryption, Financial Gains
- Business Impact: Financial Loss, Data Loss, Reputational Damage
Summary: CYFIRMA observed on a ransomware data leak site (DLS) in the dark web that a company from Japan was compromised by The Gentlemen Ransomware. The compromised company is a major Japanese health and beauty company renowned for its dietary supplements, skincare, and cosmetics. The brand is especially famous for its olive oil-based beauty products and high-quality, affordable nutritional supplements. The company serves as a primary hub for consumers to purchase their popular health, wellness, and beauty essentials. The data, which has been breached, has not yet appeared on the leak site, indicating that negotiations between the affected party and the ransomware group may be underway. The compromised data includes confidential and sensitive information belonging to the organization.

Source: Dark Web
Relevancy & Insights:
- The Gentlemen is a relatively highly sophisticated ransomware-as-a-service (RaaS) group that emerged in mid-2025.
- The Gentlemen Ransomware group primarily targets countries such as the United States of America, Thailand, France, Brazil, and India.
- The Gentlemen Ransomware group primarily targets industries, including Manufacturing. Professional Goods & Services, Consumer Goods & Services, Healthcare, and Information Technology.
- Based on the Gentlemen Ransomware victims list from 1st Jan 2025 to 07th July 2026, the top 5 Target Countries are as follows:

- The Top 10 Industries most affected by the Gentlemen Ransomware victims list from 1st Jan 2025 to 07th July 2026 are as follows:

ETLM Assessment:
According to CYFIRMA’s assessment, the Gentlemen Ransomware is a highly adaptive and globally active threat that leverages dual-extortion tactics, combining data theft with file encryption. The group employs advanced evasion and persistence techniques, supports cross-platform and scalable ransomware deployment, and conducts targeted attacks across multiple industries and geographic regions. This combination of capabilities makes it a significant risk to enterprise cybersecurity defenses, particularly for organizations with limited detection and incident-response maturity.
5. Vulnerabilities and Exploits
Vulnerability in BIOVIA Workbook
- Attack Type: Vulnerabilities & Exploits
- Target Technology: Scientific Data Management / Laboratory Information Management Software
- Vulnerability: CVE-2026-5120
- CVSS Base Score: 8.1 Source
- Vulnerability Type: Race Condition
- Summary: The vulnerability allows a remote user to gain access to sensitive information.
Relevancy & Insights:
The vulnerability exists due to a race condition
Impact:
A remote user can exploit the race and gain unauthorized access to sensitive information of other application users.
Affected Products:
https[:]//www[.]3ds[.]com/trust-center/security/security-advisories/cve-2026-5120
Recommendations:
Monitoring and Detection: Implement monitoring and detection mechanisms to identify unusual system behavior that might indicate an attempted exploitation of this vulnerability.
TOP 5 AFFECTED TECHNOLOGIES OF THE WEEK
This week, CYFIRMA researchers have observed significant impacts on various technologies due to a range of vulnerabilities. The following are the top 5 most affected technologies.

ETLM Assessment
Vulnerability in BIOVIA Workbook introduces significant risks to organizations that rely on scientific data management and laboratory informatics platforms to support research, development, and regulated laboratory operations. As BIOVIA Workbook is widely used across pharmaceutical, biotechnology, chemical, and life sciences organizations to manage experimental data, research workflows, and laboratory records, exploitation of this vulnerability could allow unauthorized access to sensitive scientific information belonging to other users. A successful attack may expose confidential research data, compromise intellectual property, and impact the integrity of laboratory operations and collaborative research environments. Organizations leveraging BIOVIA Workbook should ensure timely application of security updates, continuously monitor user activities, and implement robust access control and auditing mechanisms to reduce the risk of unauthorized data access. Addressing this vulnerability is essential to maintaining the confidentiality, integrity, and security of scientific research data and enterprise laboratory management environments.
6. Latest Cyber-Attacks, Incidents, and Breaches
Qilin Ransomware attacked and published the data of a Food & Beverage company from Thailand
- Threat Actor: Qilin Ransomware
- Attack Type: Ransomware
- Objective: Data Leak, Financial Gains
- Target Technology: Web Applications
- Target Industry: Food & Beverage
- Target Geography: Thailand
- Business Impact: Operational Disruption, Data Loss, Financial Loss, Potential Reputational Damage
Summary:
Recently, we observed that Qilin Ransomware attacked and published the data of a Food & Beverage company from Thailand on its dark web website. The compromised company is a Thailand-based food and beverage company. The company specializes in the production, marketing, and distribution of edible oils, palm oil-based products, margarine, shortening, specialty fats, and processed food products for both retail consumers and industrial customers. Based on the preview shown in the image, the ransomware attack appears to have compromised internal corporate documents, including business forms, financial records, invoices, accounting statements, operational documents, and other confidential organizational records.

Source: Dark Web
Relevancy & Insights:
- The Qilin Ransomware group operates a Ransomware-as-a-Service (RaaS) model, allowing affiliates to carry out attacks while Qilin provides infrastructure and malware tools.
- The Qilin Ransomware group primarily targets industries, including Professional Goods & Services, Manufacturing, Consumer Goods & Services, Real Estate & Construction, and Healthcare.
ETLM Assessment:
According to CYFIRMA’s assessment, Qilin ransomware poses a significant threat to organizations of all sizes. Its evolving tactics, including double extortion (data encryption and leak threats), cross-platform capabilities (Windows and Linux, including VMware ESXi), and a focus on speed and evasion, make it a particularly dangerous actor.
7. Data Leaks
Unauthorised Manufacturing Database Advertised on a Leak Site
- Attack Type: Data Leak
- Target Industry: Manufacturing (Energy Storage Systems & Automotive Components)
- Target Geography: South Korea
- Objective: Financial Gain
- Business Impact: Exposure of Sensitive Corporate Data, Intellectual Property Risks, Operational Information Disclosure, Regulatory Compliance Concerns, Financial Loss, Reputational Damage.
Summary: The CYFIRMA research team identified a post on a dark web forum advertising the sale of a large volume of data allegedly originating from a South Korean manufacturing organization operating in the energy storage systems (ESS) and automotive components sector. According to the advertisement, the seller claims to possess multiple recent system backups, database dumps, and human resources-related files extracted from the organization’s internal environment.
Based on the information shared in the forum post, the allegedly exposed data may include:
- Full enterprise backup files
- Oracle database dumps
- Quality Management System (QMS) database
- Human Resources (HR) records
- Internal backup archives
- Enterprise application backup files
- Operational and business database information
- Employee-related information
- Internal system configuration data
- Business process records
- Manufacturing and operational data
- Organizational documentation
- Database metadata and structured records
- Additional enterprise backup repositories
According to the advertisement, sample files and screenshots have been published as proof of possession, while the complete dataset is being offered for sale on a cybercrime forum. The post claims that the data consists of multiple backup archives and database dumps collected from internal enterprise systems.
If verified, exposure of this information could significantly impact the affected organization. Threat actors may exploit the leaked data to conduct targeted phishing campaigns, business email compromise (BEC), identity-based attacks, industrial espionage, unauthorized access to corporate systems, credential harvesting, extortion, and follow-on cyberattacks. Exposure of internal databases, HR information, and operational records may also facilitate supply chain attacks, intellectual property theft, and further compromise of critical business infrastructure.
This incident highlights the continued risk posed by unauthorized exposure of enterprise backup repositories and internal databases. Organizations should strengthen privileged access management, enforce multi-factor authentication, secure backup infrastructure, encrypt sensitive data at rest, continuously monitor privileged accounts, implement network segmentation, conduct regular security assessments, and maintain proactive threat intelligence capabilities to reduce the likelihood and impact of similar incidents.
The authenticity of the alleged dataset remains unverified at the time of reporting. This assessment is based solely on information published in the forum advertisement and has not been independently confirmed.

Source: Underground Forums
Relevancy & Insights:
Financially motivated cybercriminals are continuously looking for exposed and vulnerable systems and applications to exploit. A significant number of these malicious actors congregate within underground forums, where they discuss cybercrime and trade stolen digital assets. Operating discreetly, these opportunistic attackers target unpatched systems or vulnerabilities in applications to gain access and steal valuable data. Subsequently, the stolen data is advertised for sale within underground markets, where it can be acquired, repurposed, and utilized by other malicious actors in further illicit activities.
ETLM Assessment:
The threat actor known is assessed to be a recently emerged but highly active and capable entity, primarily engaged in data-leak operations. The group’s activity highlights the persistent and fast-evolving cyber threat landscape, driven by underground criminal ecosystems. This development underscores the urgent need for organizations to reinforce their cybersecurity posture through continuous monitoring, improved threat intelligence capabilities, and proactive defensive strategies to protect sensitive information and critical infrastructure.
Recommendations: Enhance the cybersecurity posture by:
- Updating all software products to their latest versions is essential to mitigate the risk of vulnerabilities being exploited.
- Ensure proper database configuration to mitigate the risk of database-related attacks.
- Establish robust password management policies, incorporating multi-factor authentication and role-based access to fortify credential security and prevent unauthorized access.
8. Other Observations
The CYFIRMA research team identified a post on a dark web forum advertising the sale of a large database allegedly originating from a healthcare organization in India. According to the forum advertisement, the seller claims to possess separate patient and employee databases containing millions of healthcare records and organizational information. The advertisement states that sample records have been published as proof of possession, while the complete dataset is being offered for sale through an escrow-based transaction.
Based on the information shared in the forum post, the allegedly exposed dataset may contain the following information:
- Patient identification numbers
- Medical record numbers (MRN)
- Patient names
- Employee identifiers
- Registration details
- First, middle, and last names
- Date of birth (DOB)
- Age and gender information
- Contact details
- Residential addresses
- Civil and marital status
- Guardian information
- Religion and demographic details
- Department and hospital visit information
- Admission and encounter records
- Referral information
- Patient status and treatment records
- Medical and administrative remarks
- Employee database records
- Additional healthcare administrative information
According to the advertisement, the seller claims the patient database contains over 2 million records, with a sample consisting of approximately 1.09 million entries, while the employee database reportedly contains approximately 10,000 records. The complete dataset is advertised for sale through an escrow service, with sample data made available to demonstrate authenticity.
If verified, the exposure of this information could present significant risks to affected individuals and the organization. Cybercriminals may leverage the disclosed data to conduct identity theft, medical identity fraud, targeted phishing campaigns, social engineering attacks, insurance fraud, business email compromise (BEC), credential-based attacks, and other malicious activities. The compromise of employee information may further facilitate unauthorized access attempts, insider targeting, and follow-on attacks against healthcare infrastructure.
This incident highlights the ongoing risks associated with unauthorized exposure of healthcare databases containing sensitive patient and employee information. Organizations should strengthen identity and access management, implement multi-factor authentication, encrypt sensitive medical records, continuously monitor privileged accounts, conduct regular security assessments, deploy network segmentation, maintain secure backup practices, and enhance threat intelligence capabilities to reduce the likelihood and impact of similar incidents. Protecting healthcare information remains critical for ensuring patient privacy, regulatory compliance, and operational resilience.
The authenticity of the alleged dataset remains unverified at the time of reporting. This assessment is based solely on information published in the forum advertisement and has not been independently confirmed.

Source: Underground Forums
RECOMMENDATIONS
STRATEGIC RECOMMENDATIONS
- Attack Surface Management should be adopted by organisations, ensuring that a continuous closed-loop process is created between attack surface monitoring and security testing.
- Deploy a unified threat management strategy – including malware detection, deep learning neural networks, and anti-exploit technology – combined with vulnerability and risk mitigation processes.
- Incorporate Digital Risk Protection (DRP) in the overall security posture that acts as a proactive defence against external threats targeting unsuspecting customers.
- Implement a holistic security strategy that includes controls for attack surface reduction, effective patch management, and active network monitoring through next-generation security solutions and a ready-to-go incident response plan.
- Create risk-based vulnerability management with deep knowledge about each asset. Assign a triaged risk score based on the type of vulnerability and criticality of the asset to help ensure that the most severe and dangerous vulnerabilities are dealt with first.
MANAGEMENT RECOMMENDATIONS
- Take advantage of global Cyber Intelligence, providing valuable insights on threat actor activity, detection, and mitigation techniques.
- Proactively monitor the effectiveness of risk-based information security strategy, the security controls applied, and the proper implementation of security technologies, followed by corrective actions, remediations, and lessons learned.
- Consider implementing Network Traffic Analysis (NTA) and Network Detection and Response (NDR) security systems to compensate for the shortcomings of EDR and SIEM solutions.
- Ensure that detection processes are tested to ensure awareness of anomalous events. Timely communication of anomalies should be continuously evolved to keep up with refined ransomware threats.
TACTICAL RECOMMENDATIONS
- Patch software/applications as soon as updates are available. Where feasible, automated remediation should be deployed since vulnerabilities are one of the top attack vectors.
- Consider using security automation to speed up threat detection, improved incident response, increased the visibility of security metrics, and rapid execution of security checklists.
- Build and undertake safeguarding measures by monitoring/ blocking the IOCs and strengthening defences based on the tactical intelligence provided.
- Deploy detection technologies that are behavioral anomaly-based to detect ransomware attacks and help to take appropriate measures.
- Implement a combination of security controls, such as reCAPTCHA (completely Automated Public Turing test to tell Computers and Humans Apart), Device fingerprinting, IP backlisting, Rate-limiting, and Account lockout to thwart automated brute-force attacks.
- Ensure email and web content filtering uses real-time blocklists, reputation services, and other similar mechanisms to avoid accepting content from known and potentially malicious sources.
Situational Awareness – Cyber News
Please find the Geography-Wise and Industry-Wise breakup of cyber news for the last 5 days as part of the situational awareness pillar.





For situational awareness intelligence and specific insights mapped to your organisation’s geography, industry, and technology, please access DeCYFIR.




