Threat Intelligence News from LevelBlue SpiderLabs March 2025


Latest Threat Intelligence News

BlackBasta Internal Chats Leaked

BlackBasta, one of the most active Ransomware-as-a-Service (RaaS) platforms last year, appears to be undergoing internal conflict. In February, roughly a year's worth of its internal Matrix chat logs, starting from September 2023, was leaked on the dark web. The dispute appears to have originated in an attack by the group on a Russian bank. The leaked chats reference 62 unique CVEs discussed between the RaaS operators; 44 of those 62 are present in CISA's Known Exploited Vulnerabilities (KEV) Catalog.
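The KEV cross-reference above is a check worth reproducing against any chat dump or ticket queue. The following is an added example, not code from the newsletter or from LevelBlue SpiderLabs: it extracts CVE identifiers from free text, deduplicates them regardless of case, and splits them into KEV-listed and unlisted using the same field names as CISA's JSON feed. The chat excerpt and the three-entry catalog are constructed samples; in practice you would load the real feed from https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json.

```python
"""Cross-reference CVE identifiers mentioned in chat text against a CISA
Known Exploited Vulnerabilities (KEV) catalog.

Added example, not part of the SpiderLabs newsletter. SAMPLE_CHAT and
SAMPLE_KEV are constructed for illustration; the real catalog is the JSON
feed at
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
"""
import json
import re

# CVE IDs in any case; the sequence part is four or more digits.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)

# Constructed chat excerpt (not real leak content). It deliberately mixes
# case and repeats an ID so the extractor's normalisation is exercised.
SAMPLE_CHAT = """\
2023-09-20 op1: anyone tried cve-2023-4966 on the citrix boxes yet?
2023-09-21 op2: CVE-2023-4966 works, also look at CVE-2024-1709 for screenconnect
2023-09-22 op3: old but CVE-2017-11882 still lands on half the targets
2023-09-23 op2: CVE-2022-0847 only helps once we are already on the linux host
"""

# Constructed, deliberately partial catalog using the feed's real field names
# ("vulnerabilities", "cveID", "vendorProject", "product",
# "knownRansomwareCampaignUse"). Only the fields this script reads are filled.
SAMPLE_KEV = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2023-4966", "vendorProject": "Citrix",
         "product": "NetScaler ADC and NetScaler Gateway",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2024-1709", "vendorProject": "ConnectWise",
         "product": "ScreenConnect", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2017-11882", "vendorProject": "Microsoft",
         "product": "Office", "knownRansomwareCampaignUse": "Known"},
    ]
})


def extract_cves(text: str) -> set[str]:
    """Return the set of unique, upper-cased CVE IDs mentioned in text."""
    return {m.group(0).upper() for m in CVE_RE.finditer(text)}


def load_kev(kev_json: str) -> dict[str, dict]:
    """Parse a KEV catalog (the feed's JSON) into a cveID -> entry map."""
    data = json.loads(kev_json)
    return {v["cveID"]: v for v in data["vulnerabilities"]}


def cross_reference(text: str, kev_json: str) -> dict:
    """Split the CVEs found in text into KEV-listed and unlisted.

    Returns {"mentioned": <count>, "in_kev": {cveID: entry}, "not_in_kev": [cveID]}.
    """
    mentioned = extract_cves(text)
    kev = load_kev(kev_json)
    in_kev = {c: kev[c] for c in sorted(mentioned) if c in kev}
    not_in_kev = sorted(mentioned - kev.keys())
    return {"mentioned": len(mentioned), "in_kev": in_kev, "not_in_kev": not_in_kev}


if __name__ == "__main__":
    result = cross_reference(SAMPLE_CHAT, SAMPLE_KEV)
    print(f"{result['mentioned']} unique CVEs mentioned, {len(result['in_kev'])} in KEV")
    for cve, entry in result["in_kev"].items():
        print(f"  {cve}: {entry['vendorProject']} {entry['product']} "
              f"(ransomware use: {entry['knownRansomwareCampaignUse']})")
    for cve in result["not_in_kev"]:
        print(f"  {cve}: not in the supplied catalog")
```

Because the result is keyed on the catalog's `cveID`, swapping `SAMPLE_KEV` for the downloaded feed requires no other change; the `knownRansomwareCampaignUse` field is the one to sort on when deciding which of the listed CVEs to patch first.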

The leak comes three years after a very similar case, when one of Conti's operators leaked roughly a year of the group's internal communications after Conti announced its "full support" for Russia in the war against Ukraine.


Sandworm APT Targets Cracked Windows Users in Ukraine

Analysts have reported that Sandworm (APT44), a Russian threat actor, is actively attacking Ukrainian Windows users. Sandworm leverages pirated Microsoft Key Management Service (KMS) activators and fake Windows updates to deliver a new version of BACKORDER, a loader previously associated with the group. BACKORDER ultimately deploys Dark Crystal RAT (DcRAT), enabling attackers to exfiltrate sensitive data and conduct cyber espionage.

Ukraine's heavy reliance on cracked software, including within government institutions, creates a major attack surface. This is not the first time Ukrainian organizations have been compromised by malware bundled with cracked software.

EclecticIQ states that the attribution is backed by the recurring use of ProtonMail accounts in WHOIS records, overlapping infrastructure, and consistent tactics, techniques and procedures (TTPs). Additionally, the reuse of BACKORDER, DcRAT, and TOR network mechanisms, along with debug symbols referencing a Russian-language build environment, further reinforces confidence in Sandworm's involvement.

GhostSocks and Lumma, Partners in Crime

Infrawatch has released an analysis of GhostSocks, a Golang-based SOCKS5 backconnect proxy malware. The report covers GhostSocks' integration with LummaC2 and its command-and-control infrastructure. Pairing the proxy with Lumma lets threat actors extract more value from each infected host, and GhostSocks offers substantial discounts to holders of a Lumma license.

The alliance between infostealers and proxyware is a double threat to residential users: the same infection that steals their credentials also turns their residential IP address into a proxy exit that is resold to other criminals, and the licence discounts draw more affiliates into deploying both.
