Threat Intelligence News from LevelBlue SpiderLabs May 2025

May 2025

Latest Headlines

LevelBlue SpiderLabs in RSAC

Last Tuesday April 29th, LevelBlue SpiderLabs made a significant impact at the RSA Conference in San Francisco, with team members Santiago Cortes and Fernando Martinez leading a session on the usage of residential proxies by cybercriminals.

Their presentation, titled "Residential Proxies — Why Is My Cell Phone for Sale on the Dark Web?" delved into how these proxies are used to mask malicious activities and bypass security measures. By examining recent campaigns such as NSOCKS and ProxyNation, Santiago and Fernando provided attendees with a comprehensive understanding of the sophisticated techniques employed to hijack devices and expand proxy networks.

The insights shared by the LevelBlue SpiderLabs team underscored the importance of staying ahead in the ever-changing landscape of cybersecurity, and how we might be part of these botnets through the use of free applications. This session was a testament to LevelBlue SpiderLabs' commitment to advancing cybersecurity knowledge and protecting digital environments from emerging threats.

ClickFix Becomes Viral

In recent months, the ClickFix social engineering technique has gained significant traction among cybercriminals and state-sponsored actors alike.

First observed in March 2024 by the initial access broker TA571, this technique has evolved in just one year into a favored method for deploying malware. This technique manipulates users into executing malicious commands by either automatically or manually copying and pasting a malicious command into their terminal or Run dialog, under the guise of routine actions or resolution to non-existing issues.

As ClickFix continues to proliferate, understanding its mechanics and the threats it poses is crucial for bolstering cybersecurity defenses. In the last few weeks, it has been observed in various high-profile campaigns:

• Lazarus, a North Korean state-sponsored threat actor, has launched a new campaign called ClickFake Interview targeting cryptocurrency job seekers as reported by Sekoia.
  • This campaign uses fake job interview websites to deploy the GolangGhost backdoor on Windows and macOS systems.
  • The campaign primarily targets centralized finance (CeFi) entities, aligning with Lazarus' focus on cryptocurrency-related targets.
  • Notable changes include targeting non-technical roles and using ReactJS-based websites for the fake interviews. The malware gains Initial Access through a ClickFix bait and provides remote control and data theft capabilities, including browser information exfiltration
• The Interlock ransomware group, active since September 2024, has shown adaptability and innovation in its tactics despite a relatively low victim count.
  • Sekoia has reported the group has been employing fake browser updates and the ClickFix technique for initial access, followed by a multi-stage attack chain involving PowerShell backdoors, credential stealers, and a custom Remote Access Trojan.
  • The group targets various sectors across North America and Europe, conducting Big Game Hunting and double extortion campaigns.
  • Interlock has been observed improving their tools, including modifying their ransom notes to emphasize legal repercussions.
• A phishing campaign targeting organizations in the hospitality industry was identified by Microsoft in March.
  • They were impersonating Booking.com and using the ClickFix social engineering technique to deliver multiple credential-stealing malware.
  • The campaign, tracked as Storm-1865, targets individuals likely to work with Booking.com in North America, Oceania, Asia, and Europe.
  • The attack uses fake emails and webpages to trick users into executing malicious commands, leading to the download of various malware families including XWorm, Lumma stealer, VenomRAT, AsyncRAT, Danabot, and NetSupport RAT.
  • The campaign aims to steal financial data and credentials for fraudulent use, showing an evolution in the threat actor's tactics to bypass conventional security measures.
    
    

SonicWall SMA Credential Access Campaign

ArcticWolf has reported a campaign used since January 2025 that exploits a 2021 vulnerability to hack SonicWall SMA devices. The campaign targets VPN credential access on SonicWall SMA devices. The exploitation of this vulnerability, tracked as CVE-2021-20035, has been linked to the use of insecure default passwords and poor password hygiene. It allows remote authenticated attackers to inject arbitrary commands, leading to establishing persistence.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently added CVE-2021-20035 to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. CISA warned about these attacks last week, emphasizing the need for federal agencies to apply necessary mitigations by May 7, 2025, to secure their networks against active threats.

Tracking, Detection & Hunting Capabilities

LevelBlue SpiderLabs has created or updated the following Adversary Trackers to automatically identify and detect malicious infrastructure:

• FenixBotnet
• StealC

The team has identified the following malware/threat actors as the most active during the month of April.

• TA569: The threat actor, serving as initial access broker and pay-per-install service, continues to use fake update-themed lures like SocGholish and Gholoader to infect victims for malware installation and follow-on ransomware attacks.

The LevelBlue trackers have identified over 2700 new IOCs for the different families it tracks. The busiest trackers during the month of April have been: 

USM Anywhere Detection Improvements

In April, LevelBlue SpiderLabs added or updated 138 USM Anywhere detections. Here are a few examples of improvements and new elements LevelBlue SpiderLabs developed:

New Akamai ruleset with 9 new detections for its SIEM plugin.

Updated several Windows generic rules to detect the AbyssWorker driver, a malicious driver used with the MEDUSA ransomware attack-chain to disable anti-malware tools.

Please visit the LevelBlue Success Center for a full list of improvements, new elements, issues found, and tasks created.

LevelBlue SpiderLabs Open Threat Exchange

LevelBlue SpiderLabs Open Threat Exchange (OTX) is among the world’s largest open threat intelligence sharing communities, made up of 450,000 threat researchers from 140 countries globally who publish threat information to the platform daily.

LevelBlue SpiderLabs validates, analyzes, and enriches this threat intelligence. Members of OTX benefit from the collective research, can contribute to the community, analyze threats, create public and private threat intelligence sharing groups, and more.  

Learn more about OTX, its benefits, and how you can join.

New OTX Pulses

The LevelBlue SpiderLabs team is continuously publishing new pulses in OTX based on their research and discoveries. Pulses are interactive and researchable repositories of information about threats, threat actors, campaigns, and more. This includes indicators of compromise (IOCs) that are useful to members.

In April, 116 new Pulses were created by the SpiderLabs team, providing coverage for the latest threats and campaigns. Here are a few examples of the most relevant new Pulses:

• Lazarus APT updates its toolset in watering hole attacks

• Infostealer Malware FormBook Spread via Phishing Campaign

• New version of MysterySnail RAT and lightweight MysteryMonoSnail backdoor

   

• Inside BRUTED: Black Basta (RaaS) Used Automated Brute Forcing Framework to Target Edge Network Devices