TIGR Threat Watch

Threat Watch Feed

🚩 – IOCs Added

The red flag indicates that Indicators of Compromise (IOCs) have been added to SRA’s Threat Feed used by CyberSOC clients. Articles may not be flagged if IOCs are not available at the time or are not applicable to the article.

🚩 Malvertising Campaign Delivers Vidar Stealer and XMRig Miner Disguised As Cracked Software Using Fake Code-Signing Certificates.

Palo Alto Networks Unit 42 disclosed a financially motivated malware campaign delivering Vidar stealer and the XMRig cryptocurrency miner to consumer and small and medium sized business victims worldwide. The campaign primarily targets users in the United States and European Union and is assessed to be operated by a Vidar stealer malware as a service affiliate.

Victims are lured through malvertising to pages offering downloads disguised as cracked versions of copyright protected software. The downloads are password protected archives with a .bin extension, chosen to evade email gateway scanning and automated sandbox analysis. Once extracted and run, a loader built with the Factory-v3 framework drops both Vidar stealer and XMRig. The loaders are digitally signed with fabricated certificates impersonating legitimate companies, first JustWatch GmbH and later Bleacher Report, though neither company was compromised. The loaders also use file size inflation with null byte padding, reaching up to 491 MB, to bypass sandbox size limits, along with an in-memory AMSI bypass to reduce detection. Unit 42 confirms this activity is an active, ongoing campaign rather than proof of concept.

Impact: This campaign puts both individuals and small organizations at risk of credential theft, cryptocurrency wallet compromise, and unauthorized use of computing resources for cryptomining. Vidar stealer harvests browser credentials, cookies, and crypto wallet data, which attackers can sell on criminal marketplaces, while XMRig generates ongoing revenue from hijacked CPU cycles. Because the malware uses fabricated but visually convincing certificates, file inflation to dodge sandbox limits, and an AMSI bypass, standard detection layers relying on certificate trust, file size assumptions, or default AMSI scanning may miss these samples. The use of a shared builder platform across multiple stealer families also suggests this delivery infrastructure will likely continue to be reused in future campaigns.

Recommendation:

  • Enforce strict Authenticode certificate chain validation and do not rely on publisher names alone, since signatures can be fabricated to impersonate legitimate entities.
  • Implement certificate serial number blacklisting to detect reuse of known malicious signing certificates.
  • Configure security solutions and sandboxes to scan files for malicious content regardless of size.
  • Monitor for MpClient.dll or similar Windows Defender component names loading from non-standard file paths.
  • Hunt for the persistence indicators described in this research, including registry Run key entries with the value SystemAgentService, scheduled tasks, and startup folder scripts referencing NisSrv.exe
  • Block outbound connections to all C2 addresses and pool[.]supportxmr[.]com.
  • Educate users on the risks of downloading cracked or pirated software through advertisements.

🚩 New Data Extortion Group “Helix” Uses Vishing and Device Code Phishing to Bypass MFA and Exfiltrate SharePoint Data

ReliaQuest disclosed a previously unreported data extortion group tracked as “Helix,” running a multi-target campaign built on vishing, device code phishing, and automated SharePoint exfiltration. ReliaQuest assesses Helix likely emerged from the same ecosystem as the now-defunct “BlackFile” group and shares infrastructure and tradecraft overlap with “ShinyHunters,” though direct attribution is not confirmed. Targeting has focused on high-visibility employees, including executives, across multiple organizations.

Helix initiates contact through vishing, in confirmed cases impersonating the target’s manager using their real contact details, and walks the victim through a device code phishing flow that captures a session token without ever touching a password. This bypasses Conditional Access policies since no password or interactive MFA is required. Sign-ins occur from unmanaged devices using residential proxies geo-matched to the target’s location to avoid impossible-travel alerts. The actor then registers a new MFA authenticator on the account for persistence, an action that is indistinguishable from legitimate user activity without additional context. After a variable dwell period, ranging from under an hour to over a week, the actor uses automated tooling from a specific hosted IP to enumerate and bulk-download SharePoint content. This activity is confirmed and observed across multiple incidents, not theoretical.

Impact: Because the entire intrusion runs through legitimate identity and session mechanisms rather than malware, there is no malicious file to detect or quarantine, making early identification dependent on correlating unrelated signals such as an unfamiliar sign-in, a new MFA registration, and SharePoint enumeration occurring in a short window. Successful intrusions lead to bulk exfiltration of SharePoint and email content, feeding a data extortion operation. Organizations that rely on device code authentication or allow sensitive SaaS access from unmanaged endpoints are most exposed to this specific playbook.

Recommendation:

  • Disable device code authentication where possible, since it was the confirmed initial access method in every Helix intrusion, and restrict sensitive SaaS applications such as SharePoint and Exchange to managed, compliant devices through conditional access policies. If device code authentication cannot be fully disabled, limit it to a narrow set of managed devices and monitor for anomalous requests.
  • Block or flag authentication attempts and domain resolution involving newly registered domains, since Helix’s phishing infrastructure was registered shortly before use.
  • Monitor for SharePoint enumeration patterns such as contentclass:STS_Site or wildcard searches followed by bulk downloads, particularly when they occur shortly after a new MFA registration.
  • Configure automated response actions, such as session termination, account disable, and password reset, to execute simultaneously across both cloud and on-premises identity systems to avoid sync gaps that allow an attacker to retain access on one side.
  • Train staff and helpdesk personnel to verify caller identity independently of caller ID or claimed authority before acting on requests involving device codes, MFA changes, or password resets.

🚩 Microsoft Details GigaWiper Backdoor Combining Multiple Destructive Malware Families

Microsoft Threat Intelligence reported GigaWiper, a Golang-based destructive backdoor observed in October 2025 intrusions involving wiping activity. Unlike a single-purpose wiper, GigaWiper combines command-and-control functionality with multiple destructive payloads that can be triggered on demand, including raw disk wiping, fake ransomware-style file encryption with unrecoverable keys, and multi-pass secure wiping logic. Microsoft identified both standalone wiper binaries and larger backdoor samples, with the standalone wiper functionality embedded inside the backdoor as one of its commands.

The backdoor persists through a scheduled task named “OneDrive Update” and tracks execution through the HKCU\SOFTWARE\OneDrive\Environment registry key. It receives commands through RabbitMQ over AMQP and sends command status and output to Redis, with observed infrastructure including 185.182.193.21 and 212.8.248.104. Microsoft found that GigaWiper was assembled from multiple previously separate malware families: a physical disk wiper, Crucio-derived fake ransomware functionality that encrypts files with unsaved random keys and appends the .candy extension, and FlockWiper logic reimplemented in Golang for multi-pass wiping of the Windows installation drive.

Impact: Successful GigaWiper deployment can give an actor persistent remote access, command execution, process and service management, registry manipulation, screenshot capture, screen recording, system information collection, remote control, event log clearing, file upload, and multiple destructive actions. The malware can overwrite physical disks, remove partition references, destroy boot files to trigger BSOD and prevent booting, encrypt files without retaining recoverable keys, wipe the Windows installation drive with multiple passes, and clear Windows event logs to hinder investigation. Its modular design allows a threat actor to operate quietly before choosing a destructive payload, increasing the risk of rapid operational disruption once the actor decides to act.

Recommendation:

  • Correlate physical disk enumeration through WMI with raw disk access, partition manipulation, DeviceIoControl activity, IOCTL_DISK_CREATE_DISK usage, and forced shutdown or reboot behavior.
  • Identify destructive file encryption activity involving .candy file extensions, AES-CBC encryption patterns, deletion of original files, and no recoverable key material.
  • Review command sequences that disable Windows recovery, modify permissions on boot or kernel files, delete critical system files, or otherwise attempt to force BSOD or prevent booting.
  • Treat event log clearing as high risk when wevtutil.exe targets System, Setup, Application, ForwardedEvents, or Security logs, especially if followed by direct deletion attempts against Security.evtx.
  • Review unexpected screenshot, screen recording, or remote-control behavior, including recordings written to C:\ProgramData\output and firewall rules masquerading as Microsoft.Windows.CloudExperienceHost.
  • Restrict direct outbound access to unapproved RabbitMQ, Redis, message broker, and external storage infrastructure from user workstations and servers.
  • Enable tamper protection, cloud-delivered protection, and EDR block mode to reduce the chance of unknown destructive tooling executing successfully.
  • Maintain offline, immutable, and regularly tested backups because GigaWiper is designed to destroy data rather than enable recovery.
  • Treat GigaWiper, FlockWiper, Crucio, or related destructive tooling detections as high-severity incidents requiring immediate host isolation and broader environment review.

🚩Signed Malicious Driver used to Disable Defenses in Hyadina’s GodDamn Ransomware

Symantec’s Threat Hunter Team disclosed details on GodDamn ransomware, identifying it as the latest rebrand of a ransomware lineage that began with Monster in 2022 and continued as Beast in 2024. Symantec attributes the ransomware family to a developer it tracks as Hyadina, which has historically operated a ransomware-as-a-service model with affiliates targeting Windows, and more recently Linux and VMware ESXi, environments.

In an incident investigated by Symantec, the initial access method was not identified. Once inside the network, attackers used AnyDesk for remote access, deployed a credential-harvesting toolkit built from Mimikatz and multiple NirSoft tools, and used a defense evasion tool disguised as a Symantec product to load the PoisonX kernel driver. PoisonX appears to be a malicious driver that is signed by Microsoft and can terminate security-product processes and remove user-mode API hooks, allowing attackers to disable endpoint defenses before deploying ransomware. Lateral movement was carried out using PsExec and stolen administrative credentials across at least 10 hosts before ransomware was deployed, sometimes renaming encrypted files with a .God8Damn extension or the name of the victim organization.

Impact: Organizations affected by this activity face ransomware risk, including credential theft, lateral movement across enterprise networks, and disabling of endpoint security tools prior to encryption. The use of a Microsoft-signed malicious driver is notable because it can evade defenses that rely on trusting signed kernel components, reducing visibility during the attack and increasing the likelihood of successful encryption once deployed. The multi-day dwell time observed between initial access and ransomware deployment also suggests opportunity for data staging or exfiltration.

Recommendation:

  • Block or restrict execution of known malicious or abused drivers, including the PoisonX driver.

  • Detect and restrict use of credential-harvesting tools, including Mimikatz and NirSoft utilities.

  • Monitor for unauthorized or unusual use of remote access tools such as AnyDesk.

  • Monitor for lateral movement indicators involving PsExec, including unusual process lineage through psexesvc.exe, services.exe, and wininit.exe.

  • Enforce strong administrative credential hygiene and limit use of shared or reused local administrator credentials to reduce the impact of credential theft during lateral movement.

  • Maintain offline, tested backups and an incident response plan that accounts for defense-evasion techniques capable of disabling endpoint security tools.

🚩 Trojanized 7-Zip and WireVPN Installers Recruit Devices into a Residential Proxy Network

Infoblox Threat Intel disclosed research on a threat actor it tracks as Lurking Lizard, which operates an end-to-end malicious residential proxy business built on trojanized software installers. The operation spans more than 230 lookalike domains impersonating software such as 7-Zip, several VPN services, and proxy providers including IPIDEA, SmartProxy, and 911Proxy.

The actor distributes trojanized installers, most recently branded as WireVPN, that enroll victim devices as proxy exit nodes without clear user consent. Infoblox linked this activity to earlier 7-Zip and VPN-themed lures dating back to at least 2022 through shared infrastructure, including a hardcoded IPLogger tracking link, consistent backend API endpoints, and overlapping domain registration details. This is described as an active, ongoing operation rather than a one-time incident.

Impact: Devices infected with WireVPN or related trojanized installers can be used to relay third-party internet traffic, meaning an organization’s IP address and network reputation could become associated with traffic it did not generate. Infoblox observed traffic patterns inconsistent with legitimate VPN behavior, including broad connection probing and communication with numerous unrelated, shared-infrastructure domains. Affected organizations face risk of data exposure, reputational harm from proxy misuse, and reduced visibility into outbound network activity.

Recommendation:

  • Restrict or inventory VPN and proxy applications, including mobile apps, allowed on corporate devices to limit exposure to unvetted third-party software.

  • Verify that software downloads, including 7-Zip and VPN clients, come from official vendor domains rather than lookalike sites, and reinforce this guidance with users.

  • Monitor endpoints for unauthorized proxy or VPN binaries, particularly files named hero.exe, uphero.exe, wire.exe, or upwire.exe, or installations under C:\Windows\SysWOW64\hero or \wire.

  • Review outbound traffic for unusual patterns such as broad ICMP probing or persistent connections to numerous unrelated domains, which may indicate proxyware activity.

  • Block known Lurking Lizard infrastructure at the DNS or network layer, including domains such as wirevpn[.]app, wirevpn[.]cc, wirevpn[.]io, smartproxy[.]org, ipidea[.]org, and 7zip[.]com.

🚩 Vishing Campaign Abuses Microsoft Passkey Enrollment to Hijack Microsoft 365 Accounts for Data Extortion.

Okta Threat Intelligence disclosed activity from a threat actor tracked as O-UNC-066, also known as “Pink,” using a panel-controlled phishing kit to target the passkey enrollment process for Microsoft 365 customers. Okta has observed enterprise targeting across the food and beverage, technology, healthcare, automotive, construction, and aviation sectors. The primary motivation is data extortion.

The threat actor registers domains containing the word “passkey” and calls targeted users by phone, persuading them they need to register a new passkey. Victims are directed to a phishing site that mimics Microsoft’s sign-in and passkey enrollment flow. The kit is not a transparent adversary-in-the-middle proxy. It is an operator-controlled panel that steers victims through authentication in near real time, adapting to whichever MFA method the account uses (TOTP, push with number matching, or SMS OTP). While the user is distracted completing a fake passkey setup task, the operator uses the stolen credentials and MFA approval to log into the real account and register their own passkey for persistent access. This is confirmed, ongoing observed activity, not a proof-of-concept. The kit does not currently handle federation to third-party identity providers such as Okta, so Okta has not observed direct compromise of federated Microsoft accounts through this kit.

Impact: Successful attacks give the threat actor persistent, passkey-based access to a compromised Microsoft 365 account, which can bypass the need for further phishing once established. The group operating this kit has published a data leak site to pressure compromised organizations, indicating the follow-on risk is extortion rather than simple credential theft. Organizations with federated identity through a third-party provider appear to have reduced exposure to full account compromise via this specific kit, though the initial vishing and credential-harvesting steps still pose risk.

Recommendation:

  • Enroll users in phishing-resistant authenticators, such as FastPass, hardware-backed passkeys, or smart cards, and enforce phishing resistance in authentication policy rather than allowing fallback to SMS or push MFA.

  • Establish and communicate a clear, verifiable process for confirming the identity of helpdesk or IT staff before users act on unsolicited calls about security changes like passkey enrollment.

  • Configure network zone policies to deny or challenge authentication attempts from geographies, ASNs, or IP ranges where the organization does not operate.

  • Restrict access to sensitive applications to devices that are managed and protected by endpoint security tools.

  • Enable end user notifications for every authenticator lifecycle event, including new passkey registrations, so users can recognize and report enrollments they did not perform.

  • Apply account management policies that restrict who can add or modify authenticators based on network context, device management status, and existing enrolled factors.

Sign up here!

To receive the TIGR Threat Watch email bulletin and critical vulnerability notifications, simply complete the form below.

 

Follow on Twitter

@SRA_ThreatWatch will keep you up to date with the most recent posts on your social media feed.

Subscribe to the RSS

Just copy and add this link to your RSS app and be notified immediately when new intel is posted.

How to use RSS

Following the RSS feed is easy. RSS can be added in your Outlook desktop app, and there are many free RSS readers available for your mobile device.

To follow using Outlook:

  • In Outlook, right-click the RSS Feeds folder and choose Add a New RSS Feed.
  • In the New RSS Feed dialog box, enter the URL of the RSS Feed: https://sra.io/category/tigr/feed

(click here for detailed instructions and additional options for Outlook)

Popular mobile RSS reader apps include:

  • Feedly
  • NewsBlur
  • RSS Reader
  • Inoreader

After installing your preferred RSS reader, you will be able to add this feed by entering the URL: https://sra.io/category/tigr/feed

Threat Bulletin Archive

About TIGR Threat Watch

Our Threat Intelligence Gathering & Research (TIGR) team is focused on threat intelligence and curates a daily intelligence report, TIGR Threat Watch, with information collected from several industry intel sources. We also create and publish ad-hoc critical vulnerability notifications in case of critical and time-sensitive vulnerabilities or threats. These notifications include details and recommendations for mitigation/remediation.