Threat Intel Report Banner
New Threats Detection Added •    KoiStealer
Detection Summary
Threat Protections Integrated into Crystal Eye
 107
Newly Detected Threats
 5


Weekly Detected Threats

The following threats were added to Crystal Eye this week:

Threat name:
 Koi Stealer
KoiStealer is an infostealer that is suspected of being created by North Korean threat actors. There have been a few attack vectors of compromise linked to this malware. The most common technique used is for the threat actor group to pose as legitimate job recruiters for software developers. Through this process, they infect the victim by exchanging emails, with one of the emails containing the malicious file. Another method is by sending out benign emails to strike up a conversation, and if someone replies, they will send the malicious link to them.
 
This infostealer has two variants, one for MacOS and another for windows environments, this will focus on the Windows variant. Once the malware is running, it will run a script that creates a PowerShell process that will download another script. This will also create another PowerShell process that will further download more payloads. During this process, it will check the environment to ensure that it’s not running in a sandbox to disrupt analysis, and it will also set up a scheduled task to maintain persistence on the system.
 
Once the malware has gone through its setup, it will then begin to steal information such as device information, crypto wallets, web browser data such as saved credentials and cookies, and it will also steal credentials to applications such as SSH and WinAuth. All this information will be sent to the same C2 server that downloaded all the initial payloads.
Threat Protected:
 02
Rule Set Type:
Ruleset
IDS: Action
IPS: Action
Balanced
Reject
Drop
Security
Reject
Drop
WAF
Disabled
Disabled
Connectivity
Alert
Alert
OT
Disabled
Disabled
Class Type:
 Trojan-Activity
Kill Chain:
Tactic 
Technique (ID)
 Description
Initial Access
T1566
Phishing
Execution
T1059.001
T1059.007
T1204.001
Command and Scripting Interpreter – PowerShell & JavaScript
User Execution – Malicious Link
Persistence
T1053.005
Scheduled Task/ Job – Scheduled Task
Defence Evasion
T1497.001
Virtualisation/Sandbox Evasion - System Checks
Collection
T1119
Automated Collection
Command-and-Control
T1071.001
Application Layer Protocol Web Protocols
Exfiltration
T1041
Exfiltration Over C2 Channel


Known Exploited Vulnerabilities (Week 1 - September 2025)

For more information, please visit the Red Piranha Forum:
https://forum.redpiranha.net/t/known-exploited-vulnerabilities-catalog-4th-week-of-august-2025/588

Vulnerability
CVSS
 Description
Sangoma FreePBX
10 (Critical)
Sangoma FreePBX contains a vulnerability that can allow a remote unauthenticated attacker to bypass the authentication and gain access to the system. Exploitation of the vulnerability can lead to further attacks including SQL Injection as well as the ability to execute code.
Citrix NetScaler
9.2 (Critical)
Citrix NetScaler ADC and NetScaler Gateway contain a memory corruption vulnerability that can allow a remote unauthenticated attacker to execute code on the system. Exploitation of this vulnerability can result in an attacker gaining access to the system or to cause a denial of service.
Git
8.1 (High)
Git contains a vulnerability that can allow a remote unauthenticated attacker to execute code on a device upon cloning a malicious git repository with the “–recursive” tag.
Citrix Session Recording
5.1 (Medium)
Citrix Session Recording contains a vulnerability that can allow escalation of privileges to a NetworkService Account from an authenticated user that’s in the same Windows Active Directory domain as the session recording server.
Citrix Session Recording
5.1 (Medium)
Citrix Session Recording contains a deserialisation vulnerability that can allow an attacker within the same intranet of the session recording server to execute code with the privileges of a NetworkService Account.

Updated Malware Signatures (Week 1 - September 2025)

Threat
Description
XWorm
A Remote Access Trojan (RAT) and malware loader that's commonly used in cyberattacks to give attackers full remote control over a victim's system. It's part of a growing trend of commercialised malware sold or rented on dark web forums, often under the guise of a “legitimate tool.”
zgRAT
A Remote Access Trojan (RAT) used in cyberattacks that provides attackers with remote access to a machine. Commonly spread in malware loaders and through phishing emails.

Ransomware Report

The Red Piranha Team conducts ongoing surveillance of the dark web and other channels to identify global organisations impacted by ransomware attacks. In the past week, our monitoring revealed multiple ransomware incidents across diverse threat groups, underscoring the persistent and widespread nature of these cyber risks. Presented below is a detailed breakdown of ransomware group activities during this period.

Ransomware Victims – Weekly Overview

SafePay led this week’s activity, responsible for 16.52% of all reported incidents. Its continued rise highlights sustained campaigns against enterprises, leveraging both encryption and data theft for maximum extortion pressure.

Qilin and Cephalus followed closely at 14.78% each, cementing their positions among the most aggressive operators. Qilin’s consistency suggests strong affiliate participation, while Cephalus’ activity indicates a possible surge of new campaigns.

Inc Ransom accounted for 6.96%, maintaining its role as a mid-tier but disruptive actor.

WorldLeaks, DragonForce, and Akira each reported 5.22%, underscoring their ability to remain relevant with steady campaigns across various geographies and industries.

Direwolf and Play both contributed 4.35%, demonstrating persistent though moderate activity. Interlock followed with 3.48%, while Lynx registered 2.61% of total incidents.

Smaller but notable activity came from Kairos, Medusa, and Rhysida (each at 1.74%), suggesting probing attacks or targeted operations.

Finally, a wide group of actors—including RansomHouse, Metaencryptor, Warlock, Beast, LockBit3, Sinobi, Chaos, Sarcoma, Leaknet, Anubis, Black Nevas, Everest, and LeakedData—each represented 0.87% of activity. While individually limited, these groups collectively reflect the long-tail of the ransomware ecosystem, where smaller crews and splinter operators maintain a steady global presence.
Ransomware Hits Last Week

Cephalus Ransomware

Red Piranha observed two Cephalus intrusions in mid-August. In both cases the threat actor authenticated over RDP with compromised credentials without MFA, staged data via MEGA (MEGAcmd), then attempted to execute ransomware through DLL sideloading:

SentinelBrowserNativeHost.exe  →  SentinelAgentCore.dll  →  data.bin (encryptor)

One deployment failed due to Microsoft Defender quarantine; the other succeeded, dropping a note that begins “We’re Cephalus”, to increase pressure, and provides TOX/Email contact plus a proof-of-theft link.

Detailed TTPs

Initial Access

  • Vector: Valid-account RDP (no MFA).
  • Staging: MEGAcmd used to move archives to MEGA prior to encryption. Observed command line (example):

C:\Users\[user]\AppData\Local\MEGAcmd\MEGAcmdUpdater.exe --normal-update --do-not-install --version 2010100

Execution Tradecraft: DLL Sideload

  • Actor placed SentinelBrowserNativeHost.exe in Downloads, which loaded a rogue SentinelAgentCore.dll.
  • The DLL then loaded data.bin containing the ransomware code.
  • This is signed-binary proxy execution / DLL sideloading to blend with legitimate EDR tooling.
     

Defence Evasion

Child activity of the sideload chain included:

  • Inhibit recovery:
    vssadmin delete shadows /all /quiet
  • Tamper with Microsoft Defender:
    Add-MpPreference (exclusions for paths/extensions/processes).
    Registry policy edits:
    HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\* (e.g., DisableRealtimeMonitoring, DisableBehaviorMonitoring, DisableOnAccessProtection, DisableAntiSpyware).
    Service control: stop/disable WinDefend, WdNisSvc, Sense, SecurityHealthService.
  • Ransom note & extension: recover.txt; encrypted files observed with .sss.

A screenshot of a computer AI-generated content may be incorrect.

MITRE ATT&CK Mapping

Tactic
Technique
How it appears for Cephalus
Initial Access
T1133 External Remote Services / T1078 Valid Accounts
RDP login with stolen creds, no MFA
Execution
T1218 Signed Binary Proxy Exec
Launch of SentinelBrowserNativeHost.exe from Downloads
Persistence
T1053.005 Scheduled Task
MEGAcmd updater scheduled in user context
Defence Evasion
T1574.002 DLL Side-Loading
Rogue SentinelAgentCore.dll loaded by Sentinel binary
Defence Evasion
T1112 Modify Registry / T1562.001 Disable Security Tools
Defender policies flipped; services disabled
Discovery/Collection
(n/a evidence-lite)
Not primary focus in observed window
Exfiltration
T1567.002 Exfiltration to Cloud Storage
MEGA / MEGAcmd prior to encryption
Impact
T1490 Inhibit System Recovery / T1486 Data Encrypted for Impact
vssadmin deletions; encryption follows

Indicators of Compromise (IOCs)

File/Artifact Names

  • SentinelBrowserNativeHost.exe (unusual when executed from C:\Users\[user]\Downloads\)
  • SentinelAgentCore.dll (sideload DLL)
  • data.bin (encryptor payload)
  • recover.txt (ransom note)
  • Encrypted extension: .sss
     

Hashes:

  • SentinelBrowserNativeHost.exe à

SHA256: 0d9dfc113712054d8595b50975efd9c68f4cb8960eca010076b46d2fba3d2754

  • SentinelAgentCore.dll à

SHA256: 82f5fb086d15a8079c79275c2d4a6152934e2dd61cc6a4976b492f74062773a7

SHA256: a34acd47127196ab867d572c2c6cf2fcccffa3a7a87e82d338a8efed898ca722

IP:

51.145.123.29

Associated domain à ntp6.n-helix[.]com , http://ntp17.dn.n-helix[.]com/

Tor URL
http://cephalus6oiypuwumqlwurvbmwsfglg424zjdmywfgqm4iehkqivsjyd[.]onion

Evidence:

https://gofile.io/d/fixCg7 - proofs.

A screen shot of a computer AI-generated content may be incorrect.

Mitigation & Detection with CE 5.0

Identity & Access (CE-IAM/Email Security)

  • Enforce MFA on RDP/VPN/SSO; disable direct internet-exposed RDP.
  • Alert on suspicious mailbox rules / OAuth grants (if O365/Google Workspace present).
     

Endpoint (CE-EDR / CE-XDR)

  • Block/Alert when SentinelBrowserNativeHost.exe executes from Downloads/Temp/Desktop.
  • Detections for:
    • vssadmin shadow deletion
    • PowerShell Add-MpPreference / Set-MpPreference
    • Registry edits to Defender policy hives
    • Service stop/disable for Defender components
    • MEGAcmd execution and network egress
       

Network (CE-NGFW / CE-SOAR)

  • Restrict egress to approved destinations; flag connections to MEGA endpoints from servers.
  • Block/alert Tor/tor2web where feasible (actors sometimes reference dark-web content in notes).
     

Backup & Recovery

  • Maintain immutable/offline backups; validate restores quarterly.
  • Monitor for backup share access + VSS manipulation.

Ransomware Victims Worldwide

The United States continues to dominate the global ransomware landscape, reporting 52.17% of all incidents this week. Its high concentration of critical infrastructure, financial institutions, and enterprises ensures it remains the top target for ransomware groups.

Canada accounted for 9.57%, reflecting a significant increase in targeting compared to prior weeks. This spike underscores attackers’ preference for North American organisations, exploiting similar supply chain dependencies and digital infrastructures.

Germany and the United Kingdom each registered 6.09%, reinforcing their roles as key European hotspots. These mature economies remain attractive due to valuable intellectual property and business data.

Australia reported 4.35%, while Italy followed with 3.48%, indicating steady ransomware activity across both regions.

Spain, France, Brazil, and Mexico each accounted for 1.74%, signaling a dispersed but consistent targeting pattern across Southern Europe and Latin America.

Several countries—including Finland, Singapore, Greece, Mauritius, Indonesia, Japan, Denmark, Georgia, Costa Rica, Sweden, India, Peru, and Ireland—each logged 0.87% of global incidents. While individually small, this long tail highlights ransomware’s increasingly globalised reach, with operators probing diverse geographies for vulnerable entry points.

Worldwide Ransomware Victims Chart

Industry-wide Ransomware Victims

Manufacturing continues to be the most targeted sector this week, accounting for 24.35% of reported incidents. Its critical operational role, reliance on legacy systems, and limited tolerance for downtime make it a perennial focus for ransomware operators.

Construction and Business Services both followed at 11.3% each. Construction firms, with their complex vendor ecosystems and high-value projects, remain lucrative targets. Business Services, which often act as IT, consulting, and operational support providers to multiple industries, represent a key gateway for attackers into larger networks.

Hospitality registered 9.57%, reflecting steady exploitation of customer-centric sectors that manage significant volumes of sensitive personal and payment data.

Law Firms, Retail, Education, and Finance each recorded 6.96%, highlighting attackers’ continued interest in industries rich in sensitive intellectual property, consumer records, financial data, and institutional trust.

Mid-tier victims included Organisations (3.48%), Transportation, Media & Internet, and Consumer Services (each at 2.61%), sectors that, while less frequently targeted, still face substantial disruption risks due to their role in public services and customer engagement.

Smaller incidents were observed in Insurance and Real Estate (1.74% each), along with Federal entities (0.87%), underscoring ransomware’s wide reach across both public and private sector verticals, even when volumes remain comparatively low.

Industry Wide Ransomware Victims