Cybersecurity Wiretap #45: From RustDoor on macOS to Sneaky2FA Bypasses with a Focus on Nation-State Actors (week of 02/24/2025)

Welcome to the weekly digest about the Cybersecurity & Threats in the wild.

Below you will find a very subjective summary of Cybersecurity events for the prior week.

1.Auto-Color: An Emerging and Evasive Linux Backdoor by #PaloAlto’s #Unit42

using benign-looking file names
hiding remote C2 connections via advanced technique used by Symbiote malware family
deploying proprietary encryption algorithms to hide communication & configuration info

characteristics of attackers are similar to various reports during 2024 of North Korean threat actors targeting other job seekers
details of the activity of attackers within compromised environments
technical analysis of newly discovered Koi Stealer macOS variant & depicts the different stages of the attack

advanced backdoor that supports multiple modules, designed for stealth
features rarely seen set of capabilities, including using multiple protocols to communicate with the C2(Outlook API,DNS & ICMP tunneling)

common methodologies that JavaGhost uses to create their phishing infra
tactics employed within compromised cloud environments to establish long-term persistence

cybercriminals are leveraging DeepSeek’s popularity by creating websites hosted on fake look-alike domains to deceive users and deliver Vidar info stealer
campaign uses fake CAPTCHA page to conduct clipboard injection, secretly copying a malicious PowerShell command for users to execute

continue to dig deep into world of Linux persistence
building on foundational concepts and techniques explored previously, discusses some more obscure, creative and/or complex backdoors & persistence mechanisms

phishing operators making use of stolen session cookies behind VPN and proxy-associated hosting providers
leading to follow-on activities like modification/creation of MFA methods for maintaining persistent access to stolen accounts

In jan 2025 attack used Winos4.0, an advanced malware framework actively used in recent threat campaigns, to target companies in Taiwan
usually, there is loader that is used to load malicious DLL & Winos4.0 module is extracted from shellcode downloaded from its C2

recent malware samples & C2 infra activity indicate that operation remains active
this cluster of threat activity is extension of long-running Ghostwriter campaign identified in previous public reporting

recent phishing campaigns targeting sellers on marketplaces have leveraged platforms’ direct messaging feature(s) to attempt to steal credit card details for sellers’ payout accounts
shipment detail changes, pressure to conduct off-platform transactions, and attempted use of “friends and family” payment options are commonly encountered scam techniques, all of which seek to remove the seller protections usually afforded by platforms

based on examination of tactics, techniques, and procedures (TTPs) utilized in these campaigns, alongside deployment of Sagerunex, backdoor family used exclusively by Lotus Blossom was used
using specific commands to install their Sagerunex backdoor within the system registry and configuring it to run as a service on infected endpoints
also developed new variants of Sagerunex that not only use traditional C2 servers but also use legitimate, 3rd-party cloud services like Dropbox, Twitter & Zimbra (open-source webmail) as C2 tunnels

Thank you for reading.

Please add interesting items you came across during the week in the comments below.