VerSprite Weekly Threat Intelligence

Date Range: 26 May 2025 – 30 May 2025

Issue: 16th Edition

Security Triumphs of the Week

This week marked several major wins for global cybersecurity. U.S. authorities disrupted the DanaBot malware operation, charging 16 individuals involved in large-scale banking fraud. An Iranian national pleaded guilty in the Robbinhood ransomware case, showcasing accountability in cybercrime. The UK bolstered its cyber defense with the launch of a dedicated Cyber Warfare Command. Meta neutralized fake influence operations targeting multiple countries, and the U.S. sanctioned Funnull for defrauding victims in $200M crypto romance scams. These actions demonstrate strong international momentum in combating cyber threats.

  • U.S. Authorities Charge 16 in DanaBot Malware Disruption Operation
    In a significant victory for cybercrime enforcement, U.S. federal prosecutors have charged 16 individuals tied to the notorious DanaBot malware operation, which was responsible for banking fraud and credential theft worldwide. The international takedown included collaboration with several countries and focused on dismantling infrastructure used for distributing the malware. DanaBot had been active since 2018 and was used to steal financial credentials, distribute ransomware, and exfiltrate sensitive data. This takedown highlights the power of joint law enforcement operations against global cybercrime syndicates.
    Read full article: Cybersecuritydive
  • Iranian Man Pleads Guilty in Robbinhood Ransomware Campaign
    Further investigations into Lumma Stealer revealed it operated as a commercial-grade cybercrime enterprise. According to DarkReading, the malware was sold as a service on underground forums and used modular architectures, allowing cybercriminals to tailor attacks. Researchers uncovered how operators profited through illicit sales of access to stolen data, primarily targeting organizations in Europe and North America. The scale and structure of the operation underline the growing sophistication of cybercrime-as-a-service models.
    Read full article: Cyberscoop
  • UK Ministry of Defence Launches New Cyber Warfare Command
    The UK has launched a dedicated Cyber Warfare Command, strengthening its national security strategy against evolving cyber threats. This new division will focus on both defensive and offensive operations to protect critical infrastructure and counter hostile state actors. General Sir James Hockenhull emphasized the importance of cyber capabilities in future conflicts and national defense. This move reflects a growing global recognition of cyberspace as a core military domain.
    Read full article: Infosecurity
  • Meta Disrupts Coordinated Influence Operations with Fake Personas
    Meta has successfully taken down multiple coordinated influence operations that used fake accounts and personas to manipulate public opinion in Romania, Azerbaijan, and Taiwan. These campaigns aimed to spread disinformation and politically polarizing content through deceptive social media behavior. Meta’s threat intel team traced the operations to state-linked entities and private firms, highlighting the growing threat of synthetic influence online. The disruption is part of Meta’s ongoing efforts to maintain integrity across its platforms.
    Read full article: Thehackernews
  • U.S. Sanctions Chinese Entity Funnull for $200M Romance Crypto Scams
    The U.S. Treasury has sanctioned Funnull, a China-linked entity, for its involvement in romance baiting and crypto investment scams that defrauded victims of over $200 million. These scams lured individuals through fake relationships, directing them to invest in fraudulent cryptocurrency schemes. The sanctions target the individuals and infrastructure behind these operations, aiming to cripple their financial networks. This move marks a strong stand against cross-border financial cybercrime.
    Read full article: Thehackernews

Security Setbacks of the Week

This week marked an alarming uptick in cyber incidents targeting finance executives, cryptocurrency ecosystems, and critical networking hardware. From highly personalized spearphishing campaigns exploiting finance departments to a botnet breaching over 9,000 ASUS routers with persistent SSH backdoors, attackers demonstrated escalating sophistication and scale. Simultaneously, the “Dark Partners” cybercrime syndicate executed multiple crypto heists, and Earth LAMIA, a state-aligned threat actor, resurfaced with an adaptive espionage campaign. These events underscore a coordinated and multi-vector shift in threat actor strategies.

  • Spearphishing Surge Targets CFOs with Remote Access Payloads
    A sophisticated phishing campaign has emerged, targeting CFOs and senior finance executives across multiple industries. The operation, observed by Trellix, impersonates legitimate vendors and suppliers to trick victims into deploying remote access tools.
    Read full article: Cybersecurity Dive
  • TikTok Breach Claim: 428 Million User Records Allegedly for Sale
    A threat actor claims to have breached TikTok, offering 428 million user records for sale on a cybercrime forum. The dataset reportedly includes email addresses, usernames, and profile details. While TikTok has not confirmed the breach, the scale of the alleged data trove raises concerns over third-party scraping or indirect compromise.
    Read full article: Hackread
  • Earth LAMIA: A Silent, Persistent Espionage Campaign
    Trend Micro has disclosed a long-running cyberespionage campaign attributed to Earth LAMIA, targeting defense, telecom, and government entities. The attackers employed stealthy malware loaders, living-off-the-land techniques, and legitimate tools to maintain access and avoid detection, likely for intelligence-gathering purposes.
    Read full article: Trend Micro
  • Botnet Hacks Over 9,000 ASUS Routers with SSH Backdoors
    A massive botnet campaign has compromised more than 9,000 ASUS routers, injecting persistent SSH backdoors via outdated firmware vulnerabilities. This wide-scale operation enables attackers to silently access home and business networks, creating opportunities for further attacks or resale of access on darknet forums.
    Read full article: BleepingComputer
  • Dark Partners Gang Executes Coordinated Cryptocurrency Heists
    The “Dark Partners” cybercrime syndicate has been linked to a series of high-impact cryptocurrency thefts across multiple platforms. Utilizing phishing kits, SIM swapping, and exchange-specific exploits, the gang has reportedly stolen millions in digital assets, highlighting the continued vulnerability of crypto infrastructure.
    Read full article: BleepingComputer

The New Emerging Threats

This week revealed a surge in sophisticated cyber threats targeting a wide range of sectors. The EDDIESTEALER infostealer is being spread via fake CAPTCHA prompts to steal sensitive data. APT groups like APT41 are employing advanced techniques, including abuse of cloud services like Google Calendar for C2. Cybercriminals are also using fake job offers to deliver the PureHVNC RAT, while the Interlock ransomware group has launched a new NodeSnake RAT targeting universities. These threats highlight the need for heightened vigilance and adaptive defenses across industries.

  • EDDIESTEALER Infostealer Delivered via Fake CAPTCHA Prompts
    A new Rust-based infostealer named EDDIESTEALER is being distributed through deceptive CAPTCHA verification pages. These pages trick users into executing malicious PowerShell scripts, leading to the deployment of the malware. Once installed, EDDIESTEALER harvests sensitive data, including credentials, browser information, and cryptocurrency wallet details. The malware employs sophisticated techniques to bypass security measures, such as Chrome’s app-bound encryption, and uses obfuscated code to evade detection. Its ability to adapt and target various data sources makes it a significant threat in the cybersecurity landscape.
    Read full article: Thehackernews
  • PureHVNC RAT Distributed via Fake Job Offers
    Cybercriminals are distributing the PureHVNC remote access trojan through phishing campaigns that impersonate high-level job offers from fashion and beauty brands like Bershka and John Hardy. Victims receive malicious LNK files disguised as job documents, which, when executed, initiate a multi-stage infection process. This includes downloading malware-laced MP4 files and executing scripts that retrieve and run the PureHVNC RAT. This campaign highlights the importance of vigilance against social engineering tactics.
    Read full article: Scworld
  • APT41 Utilizes Google Calendar for Command-and-Control Operations
    The Chinese state-sponsored threat actor APT41, also known as “Double Dragon,” has been observed using Google Calendar as a command-and-control (C2) infrastructure. In a campaign targeting government entities, APT41 sent spear-phishing emails containing links to malicious ZIP archives hosted on compromised websites. Upon execution, the malware communicates with Google Calendar events to receive commands, blending malicious traffic with legitimate services to evade detection.
    Read full article: Darkreading
  • Interlock Ransomware Gang Deploys New NodeSnake RAT on Universities
    The Interlock ransomware group has introduced a previously undocumented remote access trojan named NodeSnake, targeting educational institutions in the UK. Delivered via phishing emails, NodeSnake is a JavaScript-based malware executed with Node.js, establishing persistence by creating deceptive registry entries that mimic legitimate processes. The malware’s variants show significant differences, indicating active development and enhancement of its capabilities. Interlock’s use of NodeSnake demonstrates a strategic shift towards targeting the education sector, emphasizing the need for robust cybersecurity measures in academic institutions.
    Read full article: Bleepingcomputer

In-Depth Expert CTI Analysis

This week’s threat landscape underscored the growing divide between targeted, state-sponsored attacks and widespread financially motivated cybercrime. On one end, campaigns like Earth LAMIA and APT41 reveal advanced nation-state tactics relying on stealth, obfuscation, and cloud abuse. On the other, botnet-fueled router compromises, crypto frauds, and infostealer infections show how cybercriminals continue to innovate at scale. Law enforcement wins, like the DanaBot takedown and the Robbinhood plea, offer crucial momentum, but the adversarial pace remains unrelenting.

Proactive Defense and Strategic Foresight

  • Finance teams remain a top target, with spear phishing and fake vendor lures leading to initial access.
  • Fake CAPTCHAs and job offer phishing campaigns bypass user suspicion through behavioral engineering, reinforcing the need for user awareness training and advanced email security solutions.
  • State actors are pushing beyond traditional infrastructure: APT41’s use of Google Calendar for C2 is a prime example of abusing legitimate cloud services to blend in.
  • Security teams must expand monitoring to cover non-traditional channels like calendar syncs, collaboration tools, and DNS tunneling activity.
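The kind of monitoring the previous bullets call for, as an added example that is not part of the original newsletter: a small detector that reads proxy log lines, isolates requests to the Google Calendar API hostnames, and flags hosts where a process other than a known browser polls the API repeatedly at a fixed cadence. The log line format, the process field, and the sample lines themselves are constructed for this example; the browser allow-list is an assumption a real deployment would replace with its own inventory.

```python
"""Flag Google Calendar API traffic from non-browser processes in proxy logs."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "<ISO time> <host> <process> <method> <url>" (assumed format).
SAMPLE_LOG = """\
2025-05-27T09:00:00 ws-12 chrome.exe GET https://www.googleapis.com/calendar/v3/calendars/primary/events
2025-05-27T09:00:05 ws-12 outlook.exe GET https://outlook.office.com/owa/
2025-05-27T09:05:00 ws-12 svchost.exe GET https://www.googleapis.com/calendar/v3/calendars/primary/events
2025-05-27T09:10:00 ws-12 svchost.exe GET https://www.googleapis.com/calendar/v3/calendars/primary/events
2025-05-27T09:15:00 ws-12 svchost.exe POST https://www.googleapis.com/calendar/v3/calendars/primary/events
2025-05-27T09:16:00 ws-07 firefox.exe GET https://calendar.google.com/calendar/u/0/r
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")
# URL fragments that identify Google Calendar API or web UI traffic.
CALENDAR_MARKERS = ("www.googleapis.com/calendar/", "calendar.google.com/")
# Processes expected to talk to Calendar legitimately (assumed allow-list).
ALLOWED_PROCESSES = {"chrome.exe", "firefox.exe", "msedge.exe"}


def parse(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, proc, method, url = m.groups()
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "proc": proc, "method": method, "url": url}


def is_calendar_request(url):
    return any(marker in url for marker in CALENDAR_MARKERS)


def find_suspicious(log_text, min_hits=2):
    """Return {(host, process): [timestamps]} for non-browser processes that
    reach the Calendar API at least min_hits times; repeated event reads and
    writes from a background process is what C2 over calendar events looks like."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and is_calendar_request(rec["url"]) and rec["proc"] not in ALLOWED_PROCESSES:
            hits[(rec["host"], rec["proc"])].append(rec["ts"])
    return {key: ts for key, ts in hits.items() if len(ts) >= min_hits}


def beacon_interval_seconds(timestamps):
    """Median gap between consecutive requests; a constant value suggests polling."""
    gaps = sorted((b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:]))
    return gaps[len(gaps) // 2] if gaps else None
```

On the sample log this isolates the `svchost.exe` requests on `ws-12` with a 300-second polling interval, while the browser traffic on both hosts is ignored.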

Evolving Ransomware and Malware Tactics

  • NodeSnake (Interlock group) and PureHVNC highlight the malware-as-a-service (MaaS) model’s continued evolution, with modularity, obfuscation, and sandbox evasion as key features.
  • Earth LAMIA’s malware loaders and living-off-the-land (LotL) techniques demonstrate the long-term persistence goals of APT actors, often avoiding traditional detection for months.
  • EDDIESTEALER bypassing Chrome’s app-bound encryption shows a growing focus on targeting endpoint environments directly, especially for credential harvesting and crypto theft.

State-Sponsored and Organized Cybercrime Convergence

  • While actors like APT41 and Earth LAMIA maintain geopolitical agendas, their tactics are bleeding into the criminal world.
  • Cryptocurrency fraud campaigns (e.g., Dark Partners, Funnull) are growing in sophistication, mimicking state-level planning with phishing kits, SIM swaps, and exchange-specific exploits.
  • The convergence is also evident in shared tooling, overlapping infrastructure, and mirrored playbooks, making attribution harder and remediation timelines longer.

Operational and Tactical Implications

  • SOC and threat hunting teams must broaden detection rules to account for misuse of cloud services and legitimate apps.
  • CVE exploitation remains high, but behavioral and user-targeted attack vectors (e.g., fake job offers, fake CAPTCHAs) are equally damaging and harder to prevent with patching alone.
  • Router exploitation campaigns like the ASUS SSH backdoors highlight the urgency of managing home-office infrastructure in a hybrid workforce model.

Forward-Looking Recommendations

  • Harden browser environments and user endpoints, especially against credential harvesters and info-stealers.
  • Audit usage of SaaS platforms and cloud services for abnormal application behavior, such as API abuse or unexpected file syncs.
  • Enforce mandatory firmware updates and admin credential rotation on exposed network devices like routers and IoT components.
  • Promote cross-sector sharing of IOCs, particularly for evolving malware families like NodeSnake and PureHVNC.
  • Incorporate behavioral analytics and threat deception tools to detect lateral movement and long-dwell-time adversaries earlier in the kill chain.

Additional Resources & Contact

VerSprite on LinkedIn

VerSprite on Twitter

Email VerSprite
