
Vercara’s Open-Source Intelligence (OSINT) Report – January 31 – February 6, 2025

Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here. NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.

Phorpiex Botnet Distributes LockBit Ransomware Via Compromised Websites 

(TLP: CLEAR) GitLab has  

(TLP: CLEAR) Comments: Malicious  

(TLP: CLEAR) Recommended best practices/regulations: PCI-DSS V4.0 Section 6.4.2: “For public-facing web applications, an automated technical solution is deployed that continually detects and prevents web-based attacks, with at least the following:  

  • Is installed in front of public-facing web applications and is configured to detect and prevent web-based attacks. 
  • Actively running and up to date as applicable.  
  • Generating audit logs.  
  • Configured to either block web-based attacks or generate an alert that is immediately investigated.” 

(TLP: CLEAR) Vercara: Vercara’s Web Application Firewall, UltraWAF, helps prevent common exploits of vulnerabilities in web applications that could lead to the insertion of malware. Signatures for new vulnerabilities are constantly updated, along with granular input validation controls and traffic filtering measures for flexibility. UltraWAF includes a number of tools for managing both benign and malicious bots, including bot signatures and device fingerprinting. UltraWAF can also prevent some layer 7 DDoS attacks. 

Source: https://cybersecuritynews.com/patch-for-xss-vulnerability-in-file-rendering/  

DeepSeek’s Popularity Exploited to Push Malicious Packages via PyPI 

(TLP: CLEAR) Back on January 29, 2025, intelligence reporting indicated that unknown threat actors deployed two malicious Python packages, deepseeek and deepseekai, to the PyPI repository, disguising them as legitimate DeepSeek AI API libraries. The packages remained publicly accessible for approximately 30 minutes before removal, accumulating 36 downloads from developers across various regions. Despite masquerading as legitimate API clients, the packages were designed to extract system metadata, environment variables, and sensitive credentials, including API keys, database login information, and authentication tokens. Security analysts later revealed that the threat actors used Pipedream, a serverless automation platform commonly used by developers to connect APIs, automate workflows, and process data without managing infrastructure, to receive the exfiltrated data. Further analysis of the indicators of compromise (IoCs) embedded within the packages revealed evidence of AI-assisted generation, with auto-generated comments explaining portions of the code. As the default package repository for many widely used Python package managers, PyPI remains a prime target for adversaries seeking to distribute malicious packages at scale. Its widespread adoption makes it an ideal vector for supply chain attacks, enabling threat actors to maximize reach and impact with minimal effort. Security analysts further emphasized the importance of rigorous dependency verification to mitigate the growing risks associated with software supply chain attacks, warning that threat actors continue to exploit trust in open-source ecosystems to deploy malware. 

(TLP: CLEAR) Comments: To reduce the risk of software supply chain attacks, it is recommended that code be thoroughly reviewed prior to execution and that trusted systems be prioritized. As threat actors increasingly exploit reliance on open-source ecosystems, adopting proactive security measures is critical to preventing malicious package infiltration. Organizations should also remain vigilant when installing newly released packages, particularly those promising integrations with popular AI services. 
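The dependency verification recommended above, as an added example that is not part of the Vercara report or any vendor tool: it reviews a requirements file against an allowlist, flagging entries whose names are near-misses of a vetted package (the two rogue names from this item are reused as constructed input) and vetted entries that are not hash-pinned. The allowlist, the requirements text, the hash placeholders and the assumption that `deepseek` is the legitimate name being imitated are all constructed for the example.

```python
"""Flag requirements entries that look like typosquats of vetted packages.

Added example, not from the Vercara report or any vendor tool. The
allowlist and the requirements text below are constructed; 'deepseek' is
assumed to be the legitimate package the two rogue names imitated.
"""
from difflib import SequenceMatcher

# Constructed allowlist of packages the organisation has already reviewed.
TRUSTED = {"requests", "numpy", "deepseek", "openai"}

# Constructed requirements file; two entries reuse the names from the report.
REQUIREMENTS = """\
requests==2.32.3 --hash=sha256:PLACEHOLDER_HASH
deepseeek
deepseekai>=0.1
numpy==2.1.0
"""


def package_name(line):
    """Return the lower-cased project name from one requirements line."""
    name = line.strip().split()[0]
    for sep in ("==", ">=", "<=", "~=", "!=", "[", ";"):
        name = name.split(sep)[0]
    return name.lower()


def similarity(a, b):
    """Character-level similarity in [0, 1]; 1.0 means identical."""
    return SequenceMatcher(None, a, b).ratio()


def audit_requirements(text, trusted=TRUSTED, threshold=0.8):
    """Return (name, reason) findings for every line that needs review.

    Trusted names pass only if hash-pinned; unknown names are compared to
    the allowlist so near-misses such as 'deepseeek' surface as typosquats.
    """
    findings = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        name = package_name(raw)
        if name in trusted:
            if "--hash=" not in raw:
                findings.append((name, "trusted but not hash-pinned"))
            continue
        close = sorted(t for t in trusted
                       if similarity(name, t) >= threshold or name.startswith(t))
        if close:
            findings.append((name, f"possible typosquat of {close}"))
        else:
            findings.append((name, "not on allowlist; review before install"))
    return findings
```

Run it as a pre-install gate in CI so that a near-miss name or an unpinned dependency fails the build rather than reaching `pip install`.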

(TLP: CLEAR) Recommended best practices/regulations: PCI-DSS V4.0 Section 5.2: “Malicious software (malware) is prevented or detected and addressed. An anti-malware solution(s) is deployed on all system components, except for those system components identified in periodic evaluations per Requirement 5.2.3 that conclude the system components are not at risk from malware. The deployed anti-malware solution(s): 

  • Detects all known types of malware.
  • Removes, blocks, or contains all known types of malware.

Any system components that are not at risk for malware are evaluated periodically to include the following: 

  • A documented list of all system components not at risk for malware.
  • Identification and evaluation of evolving malware threats for those system components.
  • Confirmation whether such system components continue to not require anti-malware protection. 

The frequency of periodic evaluations of system components identified as not at risk for malware is defined in the entity’s targeted risk analysis, which is performed according to all elements specified in Requirement 12.3.1.” Section 5.2 lays out requirements for malware detection and blocking across all devices in the Cardholder Data Environment (CDE). Every device inside the CDE should have malware protection that is kept updated and monitored, with action taken when an infection is detected. 

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), supports four distinct detection engines to provide Defense in Depth against malware, phishing, and other abuses: 

  1. The Lists Engine allows UltraDDR customers to bring their own block lists and allowlists for FQDNs, domains, IP addresses, CIDR blocks, and registrars. 
  2. The Categories Engine uses Vercara-provided Cyber Threat Intelligence feeds in 17 categories. Administrators can enable blocking on a category with just one button click. 
  3. The Decision Engine uses a multi-petabyte adversarial infrastructure data lake and artificial intelligence techniques to determine if a previously unseen or recently changed domain is malicious in nature. 
  4. The Ruleset Engine allows administrators to build custom rules to augment and extend the other engines of UltraDDR. 

Source: https://www.helpnetsecurity.com/2025/02/03/deepseeks-popularity-exploited-to-push-malicious-packages-via-pypi/  

AsyncRAT Campaign Uses Python Payloads & TryCloudflare Tunnels for Attacks 

(TLP: CLEAR) Recent reporting sheds light on a sophisticated AsyncRAT malware campaign that exploits TryCloudflare quick tunnels and malicious Python packages to evade detection. The attack chain begins with a phishing email containing a Dropbox link, leading to the download of a ZIP archive. Embedded within the zip file, an internet shortcut (.URL file) serves as the initial execution point, triggering a sequence of scripted actions. This includes the launch of a .LNK file, followed by a JavaScript file that calls a batch script, ultimately retrieving another ZIP file. This second archive contains a Python script designed to deploy AsyncRAT, a remote access trojan granting adversaries full control over infected systems. The malware enables data exfiltration, remote command execution, and persistent access while leveraging asynchronous communication for stealth. Furthermore, security analysts have observed that when users interact with the .LNK file, it initiates a PowerShell command designed to retrieve a JavaScript payload from a TryCloudflare tunnel. The script is hosted within a separate directory on the same site, allowing attackers to obscure their infrastructure while maintaining persistence. This technique not only complicates detection capabilities but also leverages trusted platforms to bypass security controls, reinforcing the need for enhanced behavioural monitoring and network traffic analysis. 

(TLP: CLEAR) Comments: Primarily designed for testing and development, TryCloudflare is a Cloudflare service that provides a way to deploy temporary web access without modifying firewall rules. However, threat actors have increasingly exploited TryCloudflare to establish covert command-and-control (C2) channels, conceal malicious infrastructure, and bypass traditional security measures. The latest campaigns demonstrate how adversaries abuse this trusted service to evade detection, reinforcing the need for enhanced monitoring of cloud-based tunnels and anomalous outbound connections. 
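The monitoring of cloud-based tunnels called for above, as an added example that is not part of the Vercara report or any Vercara product: it scans endpoint DNS telemetry for lookups of TryCloudflare quick-tunnel hostnames and scores a lookup higher when the requesting process is one of the script hosts in the reported chain (PowerShell, JScript, batch). The simplified Sysmon-style line format, the hostnames and the tunnel subdomains in the sample are constructed.

```python
"""Flag DNS lookups of TryCloudflare quick-tunnel hostnames in endpoint telemetry.

Added example, not from the report or any Vercara product. Input is a
constructed, simplified Sysmon-style DNS event line:
    <timestamp> host=<hostname> image=<process path> query=<fqdn>
"""
import re
from collections import defaultdict

TUNNEL_SUFFIX = ".trycloudflare.com"
# Script hosts from the reported chain (PowerShell, JScript, batch); a tunnel
# lookup made by one of these scores higher than a browser visiting a demo site.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "cmd.exe"}

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) image=(?P<image>.+?) query=(?P<query>\S+)$")

# Constructed sample: one workstation where PowerShell resolves a tunnel twice,
# one developer box whose browser visits a tunnel, and benign noise.
SAMPLE_LOG = """\
2025-02-03T10:01:02Z host=WS-17 image=C:\\Program Files\\Mozilla Firefox\\firefox.exe query=www.example.com
2025-02-03T10:01:09Z host=WS-17 image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe query=quiet-ridge-alpha.trycloudflare.com
2025-02-03T10:01:10Z host=WS-17 image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe query=quiet-ridge-alpha.trycloudflare.com
2025-02-03T10:05:44Z host=DEV-02 image=C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe query=demo-site.trycloudflare.com
2025-02-03T10:06:00Z host=WS-17 image=C:\\Windows\\System32\\svchost.exe query=time.windows.com
"""


def is_tunnel_host(fqdn):
    """True for <label>.trycloudflare.com; false for the apex and look-alikes."""
    return fqdn.lower().rstrip(".").endswith(TUNNEL_SUFFIX)


def detect(log_text):
    """Aggregate tunnel lookups per (host, fqdn, process) and score them."""
    counts = defaultdict(int)
    first_seen = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not is_tunnel_host(m["query"]):
            continue
        image = m["image"].rsplit("\\", 1)[-1].lower()  # file name only
        key = (m["host"], m["query"].lower(), image)
        counts[key] += 1
        first_seen.setdefault(key, m["ts"])
    alerts = []
    for (host, fqdn, image), n in counts.items():
        alerts.append({
            "host": host, "fqdn": fqdn, "image": image, "count": n,
            "first_seen": first_seen[(host, fqdn, image)],
            "severity": "high" if image in SCRIPT_HOSTS else "medium",
        })
    # High-severity alerts first, then chronologically.
    return sorted(alerts, key=lambda a: (a["severity"] != "high", a["first_seen"]))
```

Medium-severity hits still deserve a look, since developers do use the service legitimately; the high-severity combination of a script host and a freshly generated tunnel name is the one that matches the reported chain.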

(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) DE.CM-01: “Networks and network services are monitored to find potentially adverse events”. One of the ways to detect phishing, malware droppers, and command and control (C2) is at the network level. Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and next-generation firewalls can be used with a protective DNS solution to detect these malicious activities as they traverse the network, even if the initial infection occurs via physical media or on another network such as a hotel or airport. 

Cybersecurity and Infrastructure Security Agency (CISA), FBI, and Multi-State ISAC publication “Understanding and Responding to Distributed Denial-of-Service Attacks”: “Enroll in a DDoS protection service. Many internet service providers (ISPs) have DDoS protections, but a dedicated DDoS protection service may have more robust protections against larger or more advanced DDoS attacks. Protect systems and services by enrolling in a DDoS protection service that can monitor network traffic, confirm the presence of an attack, identify the source, and mitigate the situation by rerouting malicious traffic away from your network.” 

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), filters internal DNS responses for users as well as machines, using both defined categories, including botnet Command and Control (C2), and machine learning to detect previously uncategorized malicious associations and help prevent data exfiltration or malware detonation. 

Source: https://thehackernews.com/2025/02/asyncrat-campaign-uses-python-payloads.html 

Cybercriminals Use Go Resty and Node Fetch in Password Spraying Attacks 

(TLP: CLEAR) Recent intelligence reporting has identified a significant uptick in threat actors exploiting legitimate HTTP client tools, notably Axios and Node Fetch, in order to orchestrate account takeover attacks targeting Microsoft 365 environments. These tools, commonly sourced from public repositories like GitHub, are being repurposed to execute sophisticated cyber-attacks such as Adversary-in-the-Middle (AiTM) attacks and brute-force methods. According to reporting, the growing trend of utilizing HTTP client tools for brute-force attacks dates back to at least February 2018, with initial campaigns employing OkHttp clients to compromise Microsoft 365 accounts. By early 2024, this TTP (tactics, techniques, and procedures) had evolved to include a broader array of HTTP clients. Notably, by March 2024, 78% of Microsoft 365 tenants had experienced at least one account takeover attempt leveraging the aforementioned tools, underlining the widespread nature of this threat. Concurrently, a massive password spraying campaign employing the Node Fetch and Go Resty HTTP clients has been observed, recording over 13 million login attempts since June 9, 2024, averaging more than 66,000 malicious attempts daily. Despite the large scale, the success rate of these attacks remains relatively low, affecting only 2% of targeted organizations. Educational institutions have been particularly targeted, with attackers focusing on student accounts that are often less protected and can be exploited for further malicious activities or sold to other threat actors. 

(TLP: CLEAR) Comments: Threat actors are constantly advancing their TTPs and software functionality, leveraging an expanding arsenal of HTTP client tools to exploit APIs in order to manipulate authentication mechanisms with greater efficiency. These tools provide scalability, automation, and evasiveness, making account takeover attacks increasingly effective and harder to detect. 
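Detection logic for the spraying pattern described above, as an added example that is not part of the Vercara report or any Vercara product: the primary rule is one source IP failing against many distinct accounts inside a short window, with a later success and a scripted-client User-Agent (the libraries named in this item) recorded as supporting signals. The CSV log format, IP addresses, account names and User-Agent strings are constructed.

```python
"""Detect password-spraying patterns in sign-in telemetry.

Added example, not from the report or any Vercara product. The log is a
constructed CSV (timestamp,src_ip,user,result,user_agent). The User-Agent
markers are a weak signal on their own: legitimate automation uses them too.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Default UA substrings of the HTTP client libraries named in the report.
CLIENT_UA_MARKERS = ("axios", "node-fetch", "go-resty", "okhttp")

SAMPLE_LOG = """\
timestamp,src_ip,user,result,user_agent
2025-02-04T08:00:01Z,203.0.113.10,alice@example.edu,failure,axios/1.6.8
2025-02-04T08:00:03Z,203.0.113.10,bob@example.edu,failure,axios/1.6.8
2025-02-04T08:00:05Z,203.0.113.10,carol@example.edu,failure,axios/1.6.8
2025-02-04T08:00:07Z,203.0.113.10,dave@example.edu,failure,axios/1.6.8
2025-02-04T08:00:09Z,203.0.113.10,erin@example.edu,success,axios/1.6.8
2025-02-04T08:10:00Z,198.51.100.7,alice@example.edu,failure,Mozilla/5.0 (Windows NT 10.0) Firefox/134.0
2025-02-04T09:00:00Z,192.0.2.55,frank@example.edu,failure,node-fetch/1.0
"""


def parse_events(text):
    """Parse the CSV and attach a timezone-aware datetime to each row."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = datetime.fromisoformat(r["timestamp"].replace("Z", "+00:00"))
    return rows


def uses_scripted_client(user_agent):
    return any(m in user_agent.lower() for m in CLIENT_UA_MARKERS)


def detect_spray(events, window=timedelta(minutes=10), min_accounts=4):
    """One alert per source IP whose failures touch >= min_accounts distinct
    users inside any sliding window; also notes a later success or scripted UA."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["src_ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "failure"]
        for start in fails:
            users = {e["user"] for e in fails if start["ts"] <= e["ts"] <= start["ts"] + window}
            if len(users) >= min_accounts:
                alerts.append({
                    "src_ip": ip, "distinct_users": len(users),
                    "success_after_spray": any(e["result"] == "success" and e["ts"] >= start["ts"] for e in evs),
                    "scripted_client": any(uses_scripted_client(e["user_agent"]) for e in evs)})
                break  # one alert per source is enough
    return alerts
```

A success following the spray is the case to escalate first, since it indicates a compromised account rather than a blocked attempt.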

(TLP: CLEAR) Recommended best practices/regulations: OWASP Web Application Firewall: “A ‘web application firewall (WAF)’ is an application firewall for HTTP applications. It applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection. While proxies generally protect clients, WAFs protect servers. A WAF is deployed to protect a specific web application or set of web applications. A WAF can be considered a reverse proxy. WAFs may come in the form of an appliance, server plugin, or filter, and may be customized to an application. The effort to perform this customization can be significant and needs to be maintained as the application is modified.” 

(TLP: CLEAR) Vercara: Vercara’s Web Application Firewall, UltraWAF, protects your applications from data breaches, defacements, malicious bots, and other web application-layer attacks. By protecting your applications no matter where they are hosted, UltraWAF simplifies your operations through consistently configured rules with no provider restrictions or hardware requirements. 

Source: https://thehackernews.com/2025/02/cybercriminals-use-axios-and-node-fetch.html  

Global Law Enforcement Shuts Down Two of the Largest Cybercrime Forums 

(TLP: CLEAR) The following reporting highlights a major blow to the cybercrime underworld. Europol, in a coordinated effort composed of law enforcement from various countries, has successfully dismantled Cracked and Nulled, two of the largest illicit online forums. These platforms, with a combined user base exceeding 10 million, operated as a marketplace and hub for stolen credentials, malware, hacking tools, and other illegal merchandise. Furthermore, Cracked[.]io and Nulled[.]io significantly lowered the bar to entry for cybercriminals, enabling even low-skilled threat actors to execute attacks with minimal effort. These forums served as breeding grounds for cybercrime, providing a vast repository of exploits, security vulnerabilities, and step-by-step tutorials on crafting malware and conducting illicit activities. Beyond knowledge-sharing, they also facilitated the use of AI-driven tools and automated scripts, allowing adversaries to streamline vulnerability scanning, exploit development, and attack execution with unprecedented efficiency. Additionally, reporting indicates that the international takedown, executed sometime between January 28 and 30, 2025, led to the arrest of two individuals, raids at seven locations, and the seizure of 17 servers, over 50 electronic devices, and a significant amount of USD and cryptocurrency. Authorities also took down 12 domains tied to Cracked and Nulled, along with critical services supporting their operations. Among them were Sellix, a financial processing platform used to facilitate illicit transactions, and StarkRDP, a hosting service actively promoted on both forums and allegedly managed by the same individuals. 

(TLP: CLEAR) Comments: The aforementioned operation involved law enforcement agencies from Australia, France, Germany, Greece, Italy, Romania, Spain, and the United States. While the recent takedown marks a significant victory for law enforcement, it is unlikely to dismantle the cybercrime-as-a-service ecosystem entirely. Threat actors have a proven track record of quickly rebuilding infrastructure, creating alternative forums, and leveraging encrypted channels to continue their operations. 

(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) DE.CM-01: “Networks and network services are monitored to find potentially adverse events”. One of the ways to detect phishing, malware droppers, and command and control (C2) is at the network level. Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and next-generation firewalls can be used with a protective DNS solution to detect these malicious activities as they traverse the network, even if the initial infection occurs via physical media or on another network such as a hotel or airport. 

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses a multi-petabyte data lake filled with DNS query history and indicators of compromise from multiple Cyber Threat Intelligence (CTI) data feeds to correlate an incoming DNS query in real time with previously observed malicious activity. This ensures that users and devices only go to safe, policy-compliant Internet locations. 

Source: https://www.secureworld.io/industry-news/law-cracks-down-cybercrime-forums 

About Vercara. The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond. To learn more about Vercara solutions, please contact us.