Anomali Cyber Watch: APT 29, APT37, Silver Fox, Grok AI Exploits, and More


Amazon Disrupts APT29 Watering-Hole Credential Harvesting Campaign
(published: September 3, 2025)
Amazon has blocked a credential-harvesting campaign run by Russian state-sponsored group APT29. The attackers compromised legitimate websites and added malicious JavaScript that silently redirected about 10% of visitors to fake Cloudflare verification pages. These pages abused Microsoft’s device code authentication flow, tricking users into approving attacker-controlled devices and handing over account access. Amazon traced parts of the operation to EC2 infrastructure and isolated the affected instances, working with Microsoft and Cloudflare to dismantle the wider campaign.
Analyst Comment: The decision to redirect only a small share of visitors is telling. By throttling exposure, APT29 traded scale for stealth, aiming to prolong the life of the campaign. The group is best known for espionage against governments and critical industries, yet this operation shows an expansion into broader credential-harvesting campaigns. That shift matters because the same disciplined tradecraft once reserved for high-value espionage is now being applied across a wider set of targets, raising the baseline risk for many organizations. AWS services were not breached, and I believe the rapid takedown highlights the impact of a well-coordinated defense.
MITRE ATT&CK: T1189 - Drive-by Compromise | T1059.007 - Command and Scripting Interpreter: JavaScript | T1027 - Obfuscated Files or Information | T1036.005 - Masquerading: Match Legitimate Name or Location | T1528 - Steal Application Access Token | T1078.004 - Valid Accounts: Cloud Accounts | T1583.003 - Acquire Infrastructure: Virtual Private Server | T1608.004 - Stage Capabilities: Drive-by Target
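The device code abuse described above leaves a trace in identity sign-in telemetry, because a device code approval is recorded as a distinct authentication protocol. The following Python is an added example, not code from Amazon, Microsoft or the original report. It assumes sign-in records shaped like the Microsoft Graph signIn resource, in which the authenticationProtocol field reads deviceCode for this flow, and it flags successful device code sign-ins from countries the user has never reached through an interactive login. The records, user names and IP addresses are constructed.

```python
"""Triage Microsoft Entra sign-in records for device code flow logins.

Added illustration, not code from Amazon, Microsoft or the APT29 report.
Assumes records shaped like the Microsoft Graph `signIn` resource, in which
`authenticationProtocol == "deviceCode"` marks a device code sign-in.
All sample records below are constructed.
"""
from collections import Counter, defaultdict

# Constructed sample records (a subset of the Graph signIn fields).
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@example.test", "authenticationProtocol": "oAuth2",
     "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "US"},
     "status": {"errorCode": 0}},
    # Success from a country alice has never signed in from interactively:
    # the shape of an attacker-controlled device approved via a phishing page.
    {"userPrincipalName": "alice@example.test", "authenticationProtocol": "deviceCode",
     "ipAddress": "198.51.100.7", "location": {"countryOrRegion": "NL"},
     "status": {"errorCode": 0}},
    # Failed device code attempt (wrong password or expired code).
    {"userPrincipalName": "bob@example.test", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.20", "location": {"countryOrRegion": "US"},
     "status": {"errorCode": 50126}},
    # Success for a user with no interactive baseline at all.
    {"userPrincipalName": "carol@example.test", "authenticationProtocol": "deviceCode",
     "ipAddress": "203.0.113.30", "location": {"countryOrRegion": "US"},
     "status": {"errorCode": 0}},
]


def _country(record):
    return (record.get("location") or {}).get("countryOrRegion")


def baseline_countries(signins):
    """Countries each user has reached via flows other than device code."""
    seen = defaultdict(set)
    for rec in signins:
        if rec.get("authenticationProtocol") != "deviceCode":
            seen[rec["userPrincipalName"]].add(_country(rec))
    return seen


def triage_device_code(signins):
    """Label every device code sign-in:
    high   - success from a country outside the user's interactive baseline
    medium - success inside the baseline (still worth a look)
    low    - failed attempt (count them; bursts suggest a campaign)
    """
    baseline = baseline_countries(signins)
    findings = []
    for rec in signins:
        if rec.get("authenticationProtocol") != "deviceCode":
            continue
        user = rec["userPrincipalName"]
        country = _country(rec)
        succeeded = (rec.get("status") or {}).get("errorCode", 0) == 0
        if not succeeded:
            severity = "low"
        elif country not in baseline.get(user, set()):
            severity = "high"
        else:
            severity = "medium"
        findings.append({"user": user, "ip": rec.get("ipAddress"),
                         "country": country, "severity": severity})
    return findings


def severity_counts(findings):
    """Summary used for dashboards: how many findings per severity."""
    return dict(Counter(f["severity"] for f in findings))


if __name__ == "__main__":
    results = triage_device_code(SAMPLE_SIGNINS)
    for f in results:
        print(f"{f['severity']:6} {f['user']:20} {f['ip']:15} {f['country']}")
    print(severity_counts(results))
```

Where the device code flow is not needed at all, the structural fix is to block it with a Conditional Access policy; the triage above is for tenants that must keep it enabled for headless or shared devices and need to see the anomalous approvals quickly.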
APT37 Uses RokRAT in Operation HanKook Phantom
(published: September 1, 2025)
Researchers have linked a new spear-phishing campaign, Operation HanKook Phantom, to the North Korea-aligned group APT37. The attackers sent emails disguised as a “National Intelligence Research Society Newsletter—Issue 52” to South Korean academics, former officials, and researchers. Attached ZIP files contained malicious LNK shortcuts posing as PDFs. When opened, they deployed RokRAT, a backdoor capable of harvesting system information, capturing screenshots, executing commands, and downloading additional payloads. Stolen data was exfiltrated through services such as Dropbox, Google Cloud, pCloud, and Yandex Cloud. In some cases, the malware was delivered via an obfuscated PowerShell and batch script chain, accompanied by a decoy Word document. RokRAT has long been used by APT37, and this campaign highlights its continued reliance on cloud-based exfiltration and social engineering to compromise high-value South Korean targets.
Analyst Comment: RokRAT’s longevity is explained by the way it blends reliability with stealth. Beyond simple data theft, it checks for virtualized environments and antivirus, uses encrypted strings to resist static analysis, and employs layered encryption for command traffic and payloads. Its ability to masquerade exfiltrated files as harmless formats and clean traces of exploitation shows how much effort has gone into persistence and evasion. The fact that APT37 has kept the core unchanged since 2017 suggests defenders have yet to force a redesign, which says as much about the malware’s resilience as it does about gaps in detection.
MITRE ATT&CK: T1566.001 - Phishing: Spearphishing Attachment | T1204.002 - User Execution: Malicious File | T1059.001 - Command and Scripting Interpreter: PowerShell | T1059.003 - Command and Scripting Interpreter: Windows Command Shell | T1497.001 - Virtualization/Sandbox Evasion: System Checks | T1027 - Obfuscated Files or Information | T1027.009 - Obfuscated Files or Information: Embedded Payloads | T1036 - Masquerading | T1070 - Indicator Removal on Host | T1082 - System Information Discovery | T1113 - Screen Capture | T1071.001 - Application Layer Protocol: Web Protocols | T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage | T1041 - Exfiltration Over C2 Channel
Silver Fox Exploits Microsoft-Signed Driver to Deploy ValleyRAT
(published: September 2, 2025)
Silver Fox, a China-linked advanced persistent threat actor, has been observed exploiting a Microsoft-signed WatchDog anti-malware driver (amsdk.sys, version 1.0.600) to disable Windows security protections and deploy ValleyRAT onto compromised systems. By using a driver not listed on Microsoft’s vulnerable driver blocklist, the group bypasses endpoint defenses. The loader performs anti-analysis checks, installs vulnerable drivers, kills protected processes, and fetches ValleyRAT modules, all enabling undetected infiltration and persistence.
Analyst Comment: Although WatchDog issued an update to patch local privilege escalation, the driver can still be abused for arbitrary process termination, which leaves systems exposed even on newer versions. That detail highlights why trust based solely on signatures or hashes is fragile. A signed driver may still contain dangerous functionality, and attackers are quick to exploit that gap. Security teams should ensure Microsoft’s most recent vulnerable driver blocklist is applied, but also go further by layering YARA-based detection for known ValleyRAT loaders and monitoring drivers for unusual behavior such as repeated process kills.
MITRE ATT&CK: T1068 - Exploitation for Privilege Escalation | T1562.001 - Impair Defenses: Disable or Modify Tools | T1543.003 - Create or Modify System Process: Windows Service
Tycoon Phishing Kit Uses Advanced URL Obfuscation to Bypass Detection
(published: September 4, 2025)
Researchers report that the Tycoon Phishing Kit, a widely used Phishing-as-a-Service platform, is employing increasingly sophisticated techniques to conceal malicious links. Instead of relying on simple URL shorteners or redirects, Tycoon manipulates the structure of links to evade both automated filters and human scrutiny. Examples include inserting redundant protocol strings, encoding spaces, disguising domains, and hiding characters within the link body. The kit also creates deceptive subdomains that mimic trusted services to lure victims into clicking.
Analyst Comment: Phishing remains one of the most common ways threat actors break in, and Tycoon shows just how far kits have come in making a bad link look safe. The focus here isn’t on the payload but on hiding the hook, using tricks like extra protocols, encoded spaces, and convincing subdomains. That matters because it’s the moment of the click that still decides most compromises. Defenses need to reflect that reality: filters should be tuned to catch these obfuscation quirks, but awareness is just as critical. A second look at a link is often the difference between spotting a trap and handing over credentials.
MITRE ATT&CK: T1566.002 - Phishing: Spearphishing Link | T1027 - Obfuscated Files or Information | T1027.010 - Obfuscated Files or Information: Command Obfuscation
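The link-level tricks named in the report (redundant protocol strings, encoded spaces, disguised domains, hidden characters, look-alike subdomains) are all visible in the URL string itself, so a mail gateway or SOC enrichment step can score them before anyone clicks. The following Python is an added example, not Tycoon's code or any vendor's detector; the brand list and sample URLs are constructed, and the registrable-domain helper deliberately approximates eTLD+1 as the last two labels because no public-suffix list is bundled.

```python
"""Score a URL for the obfuscation tricks used by phishing kits.

Added illustration, not Tycoon's code or a vendor product. The checks follow
the tricks named in the report: redundant protocol strings, encoded
whitespace, disguised domains (userinfo before '@', a trusted brand name in
the subdomain), and hidden characters inside the link body.
The brand list and sample URLs are constructed.
"""
import re
from urllib.parse import urlsplit, unquote

# Constructed brand list; a real deployment uses the organisation's own allowlist.
TRUSTED_BRANDS = ("microsoft", "office", "sharepoint", "onedrive", "docusign")
INVISIBLE = re.compile(r"[\u200b\u200c\u200d\u2060\ufeff\u00ad]")   # zero-width / soft hyphen
ENCODED_WS = re.compile(r"%(20|09|0a|0d)", re.I)                      # %20 etc.
PROTOCOL = re.compile(r"https?://", re.I)


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels.
    No public-suffix list here, so 'example.co.uk' would be cut wrongly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze_url(url):
    """Return the obfuscation tricks found in `url` plus a simple score."""
    findings = []
    if INVISIBLE.search(url):
        findings.append("invisible_chars")
    clean = INVISIBLE.sub("", url)          # analyse what a browser would actually resolve
    if ENCODED_WS.search(clean) or " " in clean:
        findings.append("encoded_whitespace")
    try:
        parts = urlsplit(clean)
    except ValueError:
        return {"url": url, "host": "", "registrable_domain": "",
                "findings": findings + ["unparseable"], "score": len(findings) + 1}
    body = clean[len(parts.scheme) + 3:] if parts.scheme else clean
    # A second scheme after the first one: "https://a.test/https://b.test"
    if PROTOCOL.search(body) or PROTOCOL.search(unquote(body)):
        findings.append("redundant_protocol")
    # "https://microsoft.com@evil.test/" - everything before '@' is userinfo, not the host
    if "@" in parts.netloc:
        findings.append("userinfo_in_authority")
    host = parts.hostname or ""
    if not host.isascii():
        findings.append("non_ascii_host")
    reg = registrable_domain(host)
    sub = host[: -len(reg)].rstrip(".") if host.endswith(reg) else ""
    if any(b in sub for b in TRUSTED_BRANDS) and not any(b in reg for b in TRUSTED_BRANDS):
        findings.append("brand_in_subdomain")
    return {"url": url, "host": host, "registrable_domain": reg,
            "findings": findings, "score": len(findings)}


# Constructed samples, one per trick, plus a clean control.
SAMPLE_URLS = [
    "https://login.microsoftonline.com.verify-session.test/common/oauth2",
    "https://docs.example.test/%20/https://sharepoint.example.test/file",
    "https://microsoft.com@drive-share.test/auth",
    "https://example\u200b.test/login",
    "https://www.example.test/docs",
]


def rank(urls):
    """Highest-scoring URLs first, for an analyst queue."""
    return sorted((analyze_url(u) for u in urls), key=lambda r: -r["score"])


if __name__ == "__main__":
    for r in rank(SAMPLE_URLS):
        print(f"{r['score']}  {r['registrable_domain']:22} {r['findings']}")
```

The score is deliberately additive rather than weighted: each finding is cheap to explain to a user in a warning banner ("this link hides a second https:// inside it"), which is what the analyst comment means by tuning filters and awareness together.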
Cloudflare Repels Record-Setting 11.5 Tbps DDoS Attack
(published: September 5, 2025)
Cloudflare recently blocked an unprecedented DDoS attack, peaking at 11.5 Tbps and 5.1 Bpps and lasting approximately 35 seconds. The traffic was initially believed to originate predominantly from Google Cloud, but further analysis showed it was a coordinated flood from multiple IoT and cloud providers. This surpasses Cloudflare’s previous record of 7.3 Tbps, reported just two months earlier, underscoring the accelerating scale and frequency of hyper-volumetric DDoS attacks. Cloudflare's automated defenses mitigated the assault without manual intervention, and the company plans a detailed public breakdown of the incident.
Analyst Comment: Launching an 11.5 Tbps UDP flood over Labor Day weekend looks like a deliberate attempt to catch defenders with reduced coverage. The technique was simple, but scaling it through IoT botnets and cloud accounts made it the largest attack recorded. The 35-second duration fits a broader pattern I’ve been watching: ultra-short, high-intensity bursts meant to probe capacity as much as disrupt services. Cloudflare’s report of 6,500 hyper-volumetric attacks in Q2 alone confirms this is part of a rising trend. To me, this feels less like a single disruptive act and more like an infrastructure stress test by adversaries refining their playbook.
MITRE ATT&CK: T1498 - Network Denial of Service | T1498.001 - Network Denial of Service: Direct Network Flood
Cybercriminals Exploit X’s Grok AI to Amplify Malvertising Campaigns
(published: September 4, 2025)
Researchers have uncovered a new tactic dubbed “Grokking,” where cybercriminals exploit X’s AI assistant Grok to boost the reach of malicious advertising campaigns. Attackers hide URLs in the “From:” metadata of promoted video posts, which Grok then surfaces when users ask it to identify the video source. Because Grok is a trusted, system-level account, its responses lend legitimacy to the embedded links, which often lead to fake CAPTCHA pages, phishing sites, and malware via traffic distribution systems. Guardio Labs, SecureWorld, and others report hundreds of accounts engaging in this activity, with some posts reaching millions of impressions before takedown. This approach shows how attackers are adapting social engineering and malvertising techniques to exploit trust in integrated AI systems, potentially lowering detection and raising click-through rates.
Analyst Comment: What concerns me most is that this isn’t just about Grok. Now that the tactic is exposed, it’s only a matter of time before we see it replicated across other AI-powered platforms in social, search, or chat. Attackers didn’t need to compromise Grok itself; they exploited the trust users place in its authority to push links at scale, with the final step still relying on the victim’s click. That kind of tradecraft spreads quickly once it proves effective. I’m raising this because defenders and platform owners need to think ahead: if metadata fields and AI responses aren’t properly validated, the same blind spot could emerge anywhere these models are embedded.
MITRE ATT&CK: T1583.008 - Acquire Infrastructure: Malvertising
APT28 Deploys NotDoor Outlook Backdoor
(published: September 4, 2025)
APT28 has been observed deploying a new Outlook-based backdoor named NotDoor. The malware hides inside a VBA macro that remains dormant until an email arrives containing a specific trigger phrase such as “Daily Report.” Once activated, it allows attackers to run commands, exfiltrate files, and upload additional payloads through what appears to be normal email traffic. The infection begins with DLL sideloading, where attackers abuse the legitimate Microsoft OneDrive executable to load a malicious DLL called SSPICLI.dll. This process disables macro security, installs the VBA project, and suppresses security warnings. NotDoor uses obfuscation techniques such as Base64-encoded PowerShell and encrypted payloads to avoid detection. It achieves persistence through registry changes and stores stolen data in temporary folders before exfiltrating it via Outlook. Targeting has focused on NATO-related organizations, reflecting APT28’s continued emphasis on espionage campaigns.
Analyst Comment: What caught my attention here is the use of DLL sideloading through OneDrive to get NotDoor onto the system. I am seeing this technique come up more often across different campaigns, not just APT28. Adversaries know defenders tend to trust signed executables, and sideloading gives them a reliable way to run malicious code without raising immediate alarms.
MITRE ATT&CK: T1566.001 - Phishing: Spearphishing Attachment | T1204.002 - User Execution: Malicious File | T1574.002 - Hijack Execution Flow: DLL Side-Loading | T1059.001 - Command and Scripting Interpreter: PowerShell | T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | T1027 - Obfuscated Files or Information | T1562.001 - Impair Defenses: Disable or Modify Tools | T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Undetected SVG Phishing Campaign Impersonating Colombian Judiciary
(published: September 5, 2025)
VirusTotal researchers have uncovered a phishing campaign abusing SVG files to impersonate Colombia’s Fiscalía General de la Nación. The SVGs embed obfuscated JavaScript that decodes and injects a Base64-encoded HTML page mimicking an official government document portal, complete with a fake progress bar. While victims wait, a ZIP archive is silently downloaded. VirusTotal identified 44 malicious SVGs that evaded antivirus detection but were exposed by its Code Insight tool.
Analyst Comment: VirusTotal flagged 44 SVGs that slipped past every AV engine, and analysis linked them to more than 500 related samples dating back to mid-August. This shows the campaign is both active and evolving. Defenders should resist the temptation to view a zero AV score as the final word. What closes the gap is layering behavioral analysis, sandbox testing, and tailored YARA rules, so suspicious files are judged on what they do rather than how they look.
MITRE ATT&CK: T1027.017 - Obfuscated Files or Information: SVG Smuggling | T1027.013 - Obfuscated Files or Information: Encrypted/Encoded File
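An SVG that scores zero on antivirus can still be judged on what it contains: a script element, a base64 decode call, and a DOM-injection call that writes the decoded HTML into the page. The following Python is an added example, not VirusTotal's Code Insight or any sample from the campaign. It parses an SVG as XML, collects script bodies and event-handler attributes, and decodes any long base64 run to see whether HTML is hidden inside. Both SVG documents and the decoy page they carry are constructed for the example.

```python
"""Scan an SVG document for HTML/JavaScript smuggling indicators.

Added illustration, not VirusTotal's tooling or a sample from the campaign.
Indicators mirror the behaviour described in the report: a <script> inside
the SVG, a base64 decode call, and a DOM write that injects the decoded page.
The SVG documents and the decoy HTML below are constructed.
"""
import base64
import re
import xml.etree.ElementTree as ET

DECODE_CALLS = ("atob(", "unescape(", "fromCharCode(", "decodeURIComponent(")
INJECTION_CALLS = ("document.write(", "innerHTML", "insertAdjacentHTML(", "createElement(")
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{100,}={0,2}")
HTML_MARKERS = (b"<html", b"<script", b"<body", b"<iframe")


def _local(name):
    """Strip an XML namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return name.rsplit("}", 1)[-1]


def scan_svg(svg_text):
    """Return a verdict ('clean', 'review', 'suspicious', 'unparseable') and indicators."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError:
        return {"verdict": "unparseable", "indicators": []}

    indicators, scripts = set(), []
    for el in root.iter():
        tag = _local(el.tag) if isinstance(el.tag, str) else ""
        if tag == "script":
            indicators.add("script_element")
            scripts.append(el.text or "")
        elif tag == "foreignObject":          # raw HTML embedded in the SVG
            indicators.add("foreign_object")
        for attr, value in el.attrib.items():
            if _local(attr).lower().startswith("on"):   # onload="..." etc.
                indicators.add("event_handler_attribute")
                scripts.append(value)
            if value.strip().lower().startswith("javascript:"):
                indicators.add("javascript_uri")
                scripts.append(value)

    js = "\n".join(scripts)
    if any(call in js for call in DECODE_CALLS):
        indicators.add("decode_call")
    if any(call in js for call in INJECTION_CALLS):
        indicators.add("dom_injection")
    for blob in B64_BLOB.findall(js):
        indicators.add("long_base64_blob")
        try:
            decoded = base64.b64decode(blob, validate=True).lower()
        except ValueError:                    # binascii.Error is a ValueError
            continue
        if any(marker in decoded for marker in HTML_MARKERS):
            indicators.add("decoded_html_payload")
            break

    executable = indicators & {"script_element", "event_handler_attribute", "javascript_uri"}
    payload = indicators & {"decode_call", "dom_injection", "long_base64_blob", "decoded_html_payload"}
    verdict = "clean"
    if executable:
        verdict = "suspicious" if payload else "review"
    return {"verdict": verdict, "indicators": sorted(indicators)}


# Constructed decoy page standing in for the fake document portal with a progress bar.
_DECOY_HTML = ("<html><body><h2>Portal de documentos - Fiscalia General de la Nacion</h2>"
               "<div class='progress'><div style='width:37%'></div></div>"
               "<p>Descargando documento, por favor espere...</p></body></html>")
_BLOB = base64.b64encode(_DECOY_HTML.encode()).decode()

MALICIOUS_SVG = f"""<svg xmlns="http://www.w3.org/2000/svg" width="400" height="300">
  <rect width="400" height="300" fill="white"/>
  <script type="text/javascript"><![CDATA[
    var p = "{_BLOB}";
    document.write(atob(p));
  ]]></script>
</svg>"""

BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <circle cx="5" cy="5" r="4" fill="blue"/>
</svg>"""

if __name__ == "__main__":
    print("malicious:", scan_svg(MALICIOUS_SVG))
    print("benign:   ", scan_svg(BENIGN_SVG))
```

A script element alone only earns "review", because some legitimate SVG exports carry harmless scripts; the "suspicious" verdict requires the combination the report describes, which is the same logic a tailored YARA rule for this campaign would encode.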
Atomic macOS Stealer Campaign Exploits Cracked Apps and Terminal Prompts
(published: September 4, 2025)
Trend Research has uncovered a sophisticated campaign delivering the Atomic macOS Stealer (AMOS) malware to macOS users under the guise of cracked application installers or through deceptive Terminal commands. Victims are tricked into installing malicious .dmg files or executing scripts that bypass Gatekeeper. AMOS collects a wide range of sensitive information, including credentials, browser data, keychain entries, Apple Notes, cryptocurrency wallets, Telegram chats, VPN profiles, and common files. The stolen data is exfiltrated through rotating domains that help the attackers evade detection. A variant uncovered by CloudSEK uses ClickFix-style typo-squatted domains that imitate Spectrum and dynamically tailor payloads for different operating systems. Analysis also revealed Russian-language code comments. The malware has recently evolved to include persistent backdoor functionality that allows it to survive reboots and gives attackers full remote control of infected systems. This development increases the risk to both consumer and enterprise macOS environments.
Analyst Comment: Cracked apps are an easy lure because they play on the temptation to save money, and once you step outside "trusted" sources like the App Store you are operating without the usual security checks. I see this tactic becoming more common because users downloading pirated software already expect friction, so when the installer throws warnings or asks for Terminal commands, they are more likely to click through or paste without thinking. From the attacker’s perspective this is the perfect delivery method, low cost and high success rate. The best defense is simple but often overlooked: stick to reputable distribution channels and educate users on why those extra layers of trust matter. Security controls work best when they are not bypassed by choice.
MITRE ATT&CK: T1204.002 - User Execution: Malicious File | T1204.004 - User Execution: Malicious Copy and Paste | T1059.002 - Command and Scripting Interpreter: AppleScript | T1543.004 - Create or Modify System Process: Launch Daemon | T1553.001 - Subvert Trust Controls: Gatekeeper Bypass | T1555.003 - Credentials from Password Stores: Credentials from Web Browsers | T1555.001 - Credentials from Password Stores: Keychain | T1005 - Data from Local System | T1082 - System Information Discovery | T1105 - Ingress Tool Transfer | T1560 - Archive Collected Data | T1041 - Exfiltration Over C2 Channel
GhostRedirector Poisons Windows Servers
(published: September 4, 2025)
ESET researchers have uncovered a new China-aligned threat actor called GhostRedirector that compromised at least 65 Windows servers across Brazil, Thailand, Vietnam, the United States, Canada, Finland, India, the Netherlands, the Philippines, and Singapore. The attackers deployed two custom tools: Rungan, a passive C++ backdoor that allows remote command execution, and Gamshen, a malicious Internet Information Services (IIS) module designed to alter web content only when visited by Googlebot. This selective manipulation enables large-scale SEO fraud that boosts the ranking of illicit sites, likely gambling related, while remaining invisible to human visitors. The group likely gained initial access through SQL injection, followed by PowerShell scripts and privilege escalation using exploits such as EfsPotato and BadPotato. They also relied on fallback tools and webshells to maintain persistence.
Analyst Comment: Rungan and Gamshen complement each other in a way that balances persistence with stealth. Rungan quietly waits for specific requests, creating user accounts or registering new backdoor paths when triggered. Gamshen manipulates responses only for Googlebot, boosting illicit sites while remaining invisible to human visitors. Together they give attackers durable control of the server and a covert way to monetize it without raising suspicion.
MITRE ATT&CK: T1190 - Exploit Public-Facing Application | T1059.001 - Command and Scripting Interpreter: PowerShell | T1136.001 - Create Account: Local Account | T1505.004 - Server Software Component: IIS Components | T1505.003 - Server Software Component: Web Shell | T1068 - Exploitation for Privilege Escalation | T1071.001 - Application Layer Protocol: Web Protocols | T1553.002 - Subvert Trust Controls: Code Signing | T1027 - Obfuscated Files or Information | T1565.003 - Data Manipulation: Runtime Data Manipulation
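Because Gamshen alters responses only for Googlebot, a site owner browsing their own server sees nothing wrong; the check has to request the page the way a crawler does and compare. The following Python is an added example, not ESET's tooling or any GhostRedirector component. It fetches a page twice, once with a browser User-Agent and once with the Googlebot User-Agent, and diffs the set of outbound link hosts, which is the signal an SEO-fraud module injects. It assumes the module distinguishes crawlers by the User-Agent header; if a module verifies crawlers some other way, this diff will not surface it. The two HTML bodies used in the offline demonstration are constructed stand-ins for the two responses.

```python
"""Detect search-engine cloaking: outbound links served only to Googlebot.

Added illustration, not ESET's tooling or GhostRedirector code. Assumes the
malicious module keys on the User-Agent header (an assumption; modules that
verify crawlers differently will not show up). The HTML bodies below are
constructed stand-ins for a normal response and a Googlebot response.
"""
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlsplit

BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/128.0 Safari/537.36")
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


class LinkCollector(HTMLParser):
    """Gather every href on the page, hidden or not (cloaked links are usually hidden)."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def outbound_hosts(html, own_host):
    """Set of external hosts the page links to (own host and relative links excluded)."""
    collector = LinkCollector()
    collector.feed(html)
    hosts = set()
    for href in collector.links:
        host = urlsplit(href).hostname
        if host and host.lower() != own_host.lower():
            hosts.add(host.lower())
    return hosts


def detect_cloaking(normal_html, bot_html, own_host):
    """Compare link hosts: anything only the crawler sees is the cloaking signal."""
    normal = outbound_hosts(normal_html, own_host)
    bot = outbound_hosts(bot_html, own_host)
    return {"bot_only_hosts": sorted(bot - normal),
            "normal_only_hosts": sorted(normal - bot),
            "cloaked": bool(bot - normal)}


def fetch_pair(url, timeout=10):
    """Fetch `url` as a browser, then as Googlebot; returns the two bodies (network)."""
    bodies = []
    for ua in (BROWSER_UA, GOOGLEBOT_UA):
        req = urllib.request.Request(url, headers={"User-Agent": ua})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            bodies.append(resp.read().decode("utf-8", "replace"))
    return bodies


# Constructed sample responses for an offline demonstration.
OWN_HOST = "www.example.test"
NORMAL_HTML = """<html><body>
<a href="/about">About</a>
<a href="https://www.example.test/contact">Contact</a>
<a href="https://partner.example.test/">Partner</a>
</body></html>"""
BOT_HTML = NORMAL_HTML.replace(
    "</body>",
    '<div style="display:none"><a href="https://bet-promo.example.invalid/">casino</a>'
    '<a href="https://bet-promo.example.invalid/slots">slots</a></div></body>')

if __name__ == "__main__":
    print(detect_cloaking(NORMAL_HTML, BOT_HTML, OWN_HOST))
    # Live use: normal, bot = fetch_pair("https://www.example.test/"); then compare.
```

Comparing link hosts rather than raw bytes keeps ordinary dynamic content (timestamps, A/B variants, personalised banners) from producing false alarms; a host that appears only in the crawler's copy is hard to explain innocently.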
