Executive Summary

This week, various threat activity groups worldwide conducted sophisticated cyber espionage attacks. These groups primarily targeted the perimeter equipment of high-level government agencies, defense contractors, and the technology and private sectors, including foreign ministries, aerospace companies, and law firms. They attempted infiltration using a Go-based backdoor called Pantegana together with Cobalt Strike, exploiting vulnerabilities in devices such as SonicWall, F5 BIG-IP, and Fortinet FortiGate for initial access. The attack methods included spear-phishing and the exploitation of known vulnerabilities in VPNs and other security products. The operations of these groups were mainly associated with geopolitical events such as military exercises around Taiwan or diplomatic developments in Panama. They also conducted large-scale attacks using open-source tools and employed strategies to conceal their origins. Reconnaissance and infiltration activities were primarily focused on the United States, Taiwan, South Korea, several Southeast Asian countries, and Europe.

Additionally, an attack targeting Ukrainian entities through XLL files has been identified. These files are designed to execute automatically via Excel's Add-in Manager; the malicious file was disguised as "500.zip" and distributed through Signal. This attack primarily executed smishing using phishing URLs masquerading as Ukrainian services. Furthermore, in May 2024, a new form of cyber-attack began through JavaScript files disguised as tax forms, which were used to distribute various Malware. The attackers maintained persistence by utilizing various command and control (C2) techniques and continued operations for about two months. Moreover, there was an attack exploiting a pre-authentication deserialization vulnerability (CVE-2025-10035) in the Fortra GoAnywhere MFT system, which allows remote code execution (RCE). This attack leveraged RCE to create a backdoor administrator account and to upload and execute additional payloads. Such attacks occurred widely across the globe, primarily targeting the financial, telecommunications, and government sectors. The attackers used various tactics to secure continuous access and challenged the identification and response timelines of existing security advisories. These cyber threat activities demonstrate various TTPs (tactics, techniques, and procedures), clearly revealing the capabilities of the Malware used by attackers and the objectives they aim to achieve. Attackers are employing advanced techniques for persistent infiltration and data exfiltration, which poses a significant challenge that cybersecurity professionals must continuously monitor and respond to.

Examining the hacking activities of SectorB group reveals that they primarily focus on cyber espionage, employing a variety of advanced techniques and tools. They launch attacks targeting high-level government agencies, defense-related companies, and organizations in the technology and private sectors. Notably, they attempt initial access by exploiting vulnerabilities in perimeter devices such as SonicWall, F5 BIG-IP, and Fortinet FortiGate. Their attack methods are analyzed to include spear-phishing and the exploitation of known vulnerabilities in security products such as VPNs. This group predominantly uses the Go-based backdoor Pantegana and Cobalt Strike, effectively concealing their origins while executing large-scale attacks through open-source tools. Their operations mainly target the United States, Taiwan, and South Korea, as well as several countries in Southeast Asia and Europe, aligning with specific geopolitical events such as military exercises around Taiwan or diplomatic developments in Panama. In parallel, they conduct espionage operations targeting the government and telecommunications sectors in Africa, the Middle East, and Asia, with a particular focus on ministries of foreign affairs and embassies. The TTPs used here were previously undocumented, showcasing sophisticated methods such as new Malware and custom tools. Notably, they have evolved their data collection methods by switching directly from email servers to SQL Server databases, using the mssq.bat script to extract information. Additionally, they have introduced a new Malware family called NET-STAR targeting IIS web servers, which includes components such as IIServerCore, AssemblyExecuter V1, and AssemblyExecuter V2. They use AMSI and ETW bypass techniques while executing the different attack stages, maintaining persistence, and evading detection. Overall, it is evident that SectorB group conducts attacks against various regions and sectors using advanced technologies, continuously evolving their TTPs to create a complex cyber threat environment.

SectorE group's cyber-attack activities primarily focus on continuous cyber espionage, with a notable tendency to keep their tactics, techniques, and procedures consistent while utilizing outsourced personnel. This group is adept at targeting a nation's strategic objectives while employing cost-effective and technically simple methods. Recently, they have been found to conduct attacks using a phishing framework, with the "DeliveryBoy" dropper as the primary operational tool; it is used to deploy the "MadBoy" loader and the "Win" CMD command execution implant. The loader employs sophisticated techniques such as dynamic payload loading and process injection. Additionally, they distribute .xlsm files containing malicious macros through fake projects on GitHub to collect credentials and connect to command and control servers to maintain persistence. The use of cloud storage for payload delivery and the preservation of anonymity through Tor nodes are also characteristic of this group. The exposure of these tools and techniques presents ongoing challenges in accurately profiling and predicting these cyber threats. The group primarily targets the Microsoft Windows platform in South Asia, focusing on government, military, defense, and critical industries. Recent activities demonstrate technical adaptability, evolving from document stealers to more sophisticated tools such as Python-based backdoors and AnonDoor, using spear phishing and malicious documents as initial access vectors. Campaigns spanning several months have utilized weaponized Office documents, LNK files, and custom Python RATs, inducing infections through authority spoofing in phishing emails and connecting to remote URLs to download various Malware components. WooperStealer can exfiltrate various file types to a remote server and uses structured commands for system profiling and information theft. Advanced techniques, including DLL side-loading and Python-based backdoors, demonstrate technical agility and persistence: the Malware aims for long-term access in order to exfiltrate sensitive data, maintains persistence through DLL side-loading and scheduled tasks, and reduces visibility by utilizing encoded components. Taken together, SectorE group's TTPs showcase sophisticated attack capabilities and technical agility.

SectorM group's hacking activities are characterized by infiltration of targets using highly sophisticated techniques and strategies. They primarily initiate attacks using XLL files, which are designed to masquerade as legitimate Excel add-ins and execute automatically through Excel's Add-in Manager. Notably, in an attack discovered in September 2025, a compressed file named "500.zip" was distributed via Signal, disguised as documents related to detentions at the Ukrainian border. This compressed file contained an XLL file which, upon execution, generated multiple files and utilized registry keys and scheduled tasks to ensure persistence. The generated EXE file runs Excel in hidden mode to load "BasicExcelMath.xll", during which it reads the "Office.png" file to execute the CABINETRAT shellcode. CABINETRAT is a backdoor Malware that enables data theft and system control through TCP connections, attempting communication over a series of ports in a manner similar to port knocking. It also employs techniques to evade analysis, checking for virtual machine artifacts and debugger settings to detect and react to analysis environments. These TTPs demonstrate SectorM group's focus on meticulously analyzing targets, securing continuous access, and evading analysis. Based on the available data, it is clear that SectorM group intends to infiltrate target systems through customized attacks based on advanced techniques and to exploit them continuously.

SectorJ group's hacking activities are quite sophisticated and exhibit a multi-stage attack pattern. This group primarily initiates attacks using malicious JavaScript files disguised as tax forms, making it easy for users to be deceived. In this initial stage, they execute the Brute Ratel payload through an MSI installer to distribute various malware such as Latrodectus and Cobalt Strike. They mainly target Windows systems, gaining access through credentials collected from LSASS, browser data, and Windows Answer files. Data exfiltration occurs about 20 days after the intrusion, with data being leaked externally via Rclone and FTP. Throughout this process, they maintain persistence using various command and control techniques, such as process injection, scheduled tasks, and registry run keys. These operations last for almost two months and include sophisticated lateral movement and data exfiltration tactics, but ransomware is not deployed. Communication is periodically maintained through BackConnect VNC, managing multiple payloads across various network environments to sustain the threat. These activities demonstrate that SectorJ group possesses a high level of technical expertise, combining various malware and tactics to achieve deep access and continuous control over target systems. They are noteworthy not for simple intrusions but for conducting complex attacks over extended periods within target systems using diverse techniques. Notably, their strategic approach is highly systematic, as they have the capability to cause significant damage without using ransomware.
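The CABINETRAT description above notes that the backdoor tries a series of TCP ports in a manner similar to port knocking. A defender can look for that pattern in ordinary flow or firewall logs: one internal host trying many distinct ports on the same external destination inside a short time window. The following Python script is an added example written for this report, not code from the original report or from any of the groups described; the log format, the IP addresses and the thresholds (four distinct ports within 60 seconds) are constructed assumptions and should be tuned to the environment's own telemetry.

```python
"""Heuristic detection of port-knocking-like outbound connection attempts.

Added illustrative example (not part of the original report). It assumes
flow-style log lines of the form "<ISO timestamp> <src> <dst> <dport>" and
flags any (src, dst) pair that attempts at least MIN_PORTS distinct
destination ports within WINDOW. Thresholds are assumptions to be tuned.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (RFC 5737 documentation addresses, not real IoCs).
SAMPLE_LOG = """\
2025-09-10T08:00:01 10.0.0.5 203.0.113.10 4443
2025-09-10T08:00:02 10.0.0.5 203.0.113.10 8443
2025-09-10T08:00:03 10.0.0.5 203.0.113.10 9443
2025-09-10T08:00:04 10.0.0.5 203.0.113.10 10443
2025-09-10T08:00:05 10.0.0.5 203.0.113.10 11443
2025-09-10T08:00:30 10.0.0.7 198.51.100.20 443
2025-09-10T08:01:00 10.0.0.7 198.51.100.20 443
2025-09-10T08:05:00 10.0.0.9 192.0.2.30 22
2025-09-10T09:05:00 10.0.0.9 192.0.2.30 80
"""

MIN_PORTS = 4                    # distinct ports needed to raise an alert (assumed)
WINDOW = timedelta(seconds=60)   # sliding window length (assumed)


def parse_log(text):
    """Parse log text into (timestamp, src, dst, dport) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return events


def find_port_knocking(events, min_ports=MIN_PORTS, window=WINDOW):
    """Return [(src, dst, sorted_ports)] for pairs whose densest time window
    contains at least `min_ports` distinct destination ports."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in events:
        by_pair[(src, dst)].append((ts, dport))

    alerts = []
    for (src, dst), attempts in by_pair.items():
        attempts.sort()          # time order is required for the sliding window
        best = set()
        start = 0
        for end in range(len(attempts)):
            # Advance the window start until all attempts fit inside `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            ports = {p for _, p in attempts[start:end + 1]}
            if len(ports) > len(best):
                best = ports
        if len(best) >= min_ports:
            alerts.append((src, dst, sorted(best)))
    return alerts


if __name__ == "__main__":
    for src, dst, ports in find_port_knocking(parse_log(SAMPLE_LOG)):
        print(f"ALERT {src} -> {dst}: {len(ports)} distinct ports in {WINDOW}: {ports}")
```

Only the first host trips the rule: the second host repeats one port and the third spreads two ports over an hour, so neither reaches four distinct ports inside a single window. In production, allow-listing known scanners and vulnerability-management hosts is needed, since they legitimately produce the same shape of traffic.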

Key Characteristics of This Week's Cyber Threats

The main characteristics of recent cyber-attacks are sophisticated cyber espionage activities and the use of varied attack vectors. Attackers primarily target the perimeter devices of organizations in the government, defense industry, technology, and private sectors. They attempt initial access by exploiting vulnerabilities in perimeter devices such as SonicWall, F5 BIG-IP, and Fortinet FortiGate, and use that access to deploy the Go-based backdoor Pantegana and Cobalt Strike. These activities are particularly concentrated in the United States, Taiwan, South Korea, Southeast Asia, and several European countries. Attackers exploit spear-phishing and known vulnerabilities in VPNs and other security products to breach systems.

Attackers are also expanding their attacks to target databases directly using custom-developed tools and new Malware. They use a script called mssq.bat to connect to SQL Server databases and extract information, and have introduced a new set of Malware called NET-STAR targeting IIS web servers. This Malware set performs the various attack stages, maintains persistence, and includes techniques to evade detection through AMSI and ETW bypasses. Meanwhile, a Chinese-speaking cybercrime group has been observed targeting IIS servers to manipulate search results and steal certificates and sensitive information. They maintain persistent access to servers using advanced tools and custom Malware, leveraging automation and persistence techniques to pursue financial gain.

Another major feature is the injection of FakeCaptcha frames into vulnerable websites to collect user interaction events and transmit them in real time to remote collection points (C2) or Telegram bots. This technique primarily targets the financial sector, deploying IcedID and Latrodectus payloads post-infiltration to support ransomware distribution. Latrodectus combines sophisticated user behavior monitoring techniques such as process injection and code obfuscation with the remote collection and relay of interaction logs through Telegram bots to maximize attack effectiveness. Finally, attackers are using multi-module stealers such as Rhadamanthys to cover a range of attack scenarios. This Malware strengthens its string encryption using XOR-based algorithms and RC4, and uses WebSocket-based C2 communication to maintain network communication post-infection. Rhadamanthys fingerprints the system environment and integrates detection evasion techniques based on virtual network interfaces in order to conduct more sophisticated attacks. This ongoing specialization shows that Rhadamanthys is establishing itself as a strategic commercial tool in the cybercrime ecosystem.

These characteristics indicate that the cyber threat landscape is continuously evolving and that security analysts need to monitor and respond accordingly. The distinct usage patterns of each Malware family and attack vector make detection and defense challenging, as attackers continuously introduce new techniques and methods to bypass security systems.

Key Takeaways from This Week's Cyber Threat Landscape

The cyber threat landscape is becoming more complex and sophisticated. As the various cyber-attack events above show, cybercriminals are conducting advanced attacks using a variety of techniques and tools. This means that the threats organizations face are not merely technical issues but require a broad strategic response. For example, cyber espionage groups are conducting sophisticated attacks on a global scale that appear to be closely related to the strategic interests of certain countries. They bypass existing security solutions using their own tactics, techniques, and procedures (TTPs). Organizations must therefore enhance cyber threat intelligence and respond proactively through continuous monitoring and analysis of the latest threat trends.

Additionally, given that the main goal of these cyber-attacks is data collection and information theft, the importance of data protection is further highlighted. As government agencies, defense industries, and technology companies are major targets, strong security policies and technical measures such as data encryption and access control are necessary to prevent the leakage of sensitive information. In particular, where attackers are actively exploiting vulnerabilities in network boundary devices such as VPNs, it is essential to regularly check for and apply patches for these devices' security vulnerabilities. Organizations should also raise employees' security awareness through internal education and training and strengthen their ability to respond to phishing attacks. Since many attacks attempt initial access through social engineering techniques such as spear phishing, it is important to raise awareness of these threats and prepare response strategies. Sophisticated phishing attacks in particular can successfully steal critical organizational data, so a multi-layered security approach is needed to prevent them.

Finally, in a rapidly changing cyber threat landscape, it is important to review and strengthen business continuity and disaster recovery plans. In the event of significant cyber threats such as ransomware attacks, the ability to recover quickly is essential to a company's resilience. To this end, organizations should prepare for real incidents through regular backups, recovery tests, and crisis response training. Such strategic responses will strengthen the organization's overall security posture and contribute to an effective response to the various cyber threats that may arise in the future. In conclusion, today's cyber threat environment is becoming increasingly complex, and a comprehensive approach from both technical and strategic perspectives is necessary to respond to it. Organizations can address these challenges by continuously monitoring the latest threat trends, strengthening their security infrastructure, and enhancing the security awareness of internal employees.