In the recently published "Top 10 Malware Q2 2025," the Center for Internet Security (CIS) Cyber Threat Intelligence (CTI) Team named the top 10 malware for the quarter, along with their corresponding indicators of compromise (IoCs).
Proofpoint released "10 Things I Hate about Attribution: RomCom vs. TransferLoader" detailing connections between RomCom and TransferLoader. While the researchers said the backdoors were typically used by different groups (RomCom by TA829 and TransferLoader by UNK_GreenSec), they did see similarities between the threat actors' campaigns.
Check Point Research published an in-depth analysis of the recent spearphishing attack launched by Iranian threat group Educated Manticore. The attackers targeted Israeli journalists, high-profile cybersecurity experts, and computer science professors from leading Israeli universities.
WhoisXML API analyzed 26.0+ million domains registered between 1 April and 30 June 2025 from the Newly Registered Domains (NRDs) Data Feed. We found that the number of NRDs increased by 11.0% compared with the previous quarter.
Huntress was alerted to the recent BlueNorroff attack when an end-user reported potentially downloading a malicious Zoom extension on 11 June 2025. As it turned out, the malware came disguised as a Calendly meeting invite from a supposed contact sent via Telegram.
The Cybersecurity & Infrastructure Security Agency (CISA) added CVE-2025-32433 and CVE-2024-42009 to the Known Exploited Vulnerabilities (KEV) Catalog on 9 June 2025 after they were reportedly abused by APT28 to hack government webmail servers in an operation dubbed "RoundPress."
Palo Alto Unit 42 reported on the latest Slow Pisces attack that engaged with cryptocurrency developers on LinkedIn. The threat actors posed as potential employers and sent malware disguised as coding challenges. Developers who took on the challenge ended up running a compromised project, infecting their systems with RN Loader and RN Stealer.
UNC5174, a Chinese-sponsored group known for using the open-source reverse shell tool named "SUPERSHELL," struck again. In January 2025, they used a new open-source tool and command-and-control (C&C) infrastructure dubbed "SNOWLIGHT." This time around, they have begun using another tool dubbed "VShell."
The Federal Bureau of Investigation (FBI) issued a FLASH report to disseminate indicators of compromise (IoCs) for the Funnull infrastructure that threat actors used to manage domains related to cryptocurrency investment fraud scams between October 2023 and April 2025. The report provided links to two lists.
SentinelLABS recently dug deep into AkiraBot, a framework made to spam website chats and contact forms to promote a low-quality search engine optimization (SEO) service. So far, the bot has targeted 400K+ websites and spammed 80K+ websites since September 2024.