Cybersecurity Wiretap #38: From Phish-Free Campaigns to ChatGPT Exploits with a Focus on TA397 (week of 01/06/2025)

Welcome to the weekly digest about cybersecurity and threats in the wild. Below you will find a very subjective summary of cybersecurity events from the prior week.

1. APT PROFILE – TA397 by @CyfirmaR

  • TA397, also known as Bitter, is a South Asia-nexus cyber espionage group targeting government, energy, telecommunications, defense, and engineering organizations in the EMEA and APAC regions
  • operations typically involve spear-phishing emails with malicious attachments, leading to the installation of remote access trojans

https://www.cyfirma.com/research/apt-profile-ta397/

2. How Cracks and Installers Bring Malware to Your Device by @TrendMicro

  • attackers use YouTube and social media to share download links for fake installers
  • the malicious downloads are password-protected archives with encoded contents, which hinders scanning at download time
  • post-infection, the malware collects sensitive information from web browsers to steal credentials

https://www.trendmicro.com/en_us/research/25/a/how-cracks-and-installers-bring-malware-to-your-device.html

3. Information Stealer Masquerades as LDAPNightmare (CVE-2024-49113) PoC Exploit by @TrendMicro

  • designed to lure security researchers into downloading and executing information-stealing malware under the guise of a PoC for the LDAPNightmare bug
  • when the user executes the file, a PowerShell script is dropped and executed in the %Temp% folder; it creates a Scheduled Job, which in turn executes an encoded script

https://www.trendmicro.com/en_us/research/25/a/information-stealer-masquerades-as-ldapnightmare-poc-exploit.html

4. Phish-free PayPal Phishing by #FORTIGUARD LABS

  • the scammer registers an MS365 test domain (free for 3 months)
  • creates a Distribution List containing the victims' email addresses
  • requests money via the PayPal web portal and enters the distribution list address as the recipient
  • the money request is distributed to the targeted victims; because it is relayed through M365, the Sender Rewrite Scheme rewrites the sender and the message passes SPF/DKIM/DMARC
  • if a victim logs in to see what is going on and follows the request, the scammer's account gets linked to the victim's account, which can lead to a takeover of the victim's PayPal

https://www.fortinet.com/blog/threat-research/phish-free-paypal-phishing

5. The Hunt for RedCurl by @HuntressLabs

  • activity across several organizations in Canada, with similar infrastructure and TTPs that can be associated with the APT group known as RedCurl
  • a 7-Zip binary executed from a suspicious location
  • several scheduled tasks used to execute the Windows Program Compatibility Assistant (pcalua.exe), which in turn executed a malicious binary

https://www.huntress.com/blog/the-hunt-for-redcurl-2

6. AI Domination: Remote Controlling ChatGPT ZombAI Instances by @wunderwuzzi23

  • the research demonstrates how advanced prompt injection can compromise AI systems in unprecedented ways, achieving long-term remote control of a ChatGPT instance and exposing significant gaps in existing safeguards

https://embracethered.com/blog/posts/2025/spaiware-and-chatgpt-command-and-control-via-prompt-injection-zombai

Thank you.

Please add interesting items you came across during the week in the comments below.
