
Anomali Cyber Watch: APT41, PoisonSeed Attacks, ToolShell Vulnerability, DCHSpy, Android Malware, and More

Anomali Threat Research
July 28, 2025

The July 22nd edition of Anomali Cyber Watch includes intelligence related to the following threats and topics: APT41, PoisonSeed, ToolShell, DCHSpy, Interlock ransomware attacks, maritime port hacks, fake Dalai Lama apps, Soco404, the Steam game "Chemia," and Patchwork espionage campaigns. Attack patterns for these threats can be viewed by Anomali ThreatStream users via the links below to check for potential malicious activity.

APT41 Targets African Government IT Services via SharePoint-Based C2

(published: July 21, 2025)

Kaspersky discovered that APT41, a prolific Chinese-linked cyberespionage group, conducted a targeted attack against an African government IT infrastructure. The operation used hardcoded internal service names, proxy IPs, and a captive SharePoint server as a command-and-control (C2) channel. Initial access was achieved via Impacket’s Atexec and WmiExec, enabling credential harvesting from dumped registry hives. The attackers escalated privileges, moved laterally using those credentials, and deployed Cobalt Strike beacons via DLL sideloading. Custom trojans (agents.exe/agentx.exe) were dropped and managed through a SharePoint web shell (CommandHandler.aspx). They also employed HTA-based reverse shells and a suite of tools (Pillager, Checkout, RawCopy, Mimikatz) to steal credentials, browser data, and system information.

Analyst Comment: APT41’s use of an internal SharePoint server for command and control shows clear knowledge of the target’s environment. This was a deliberate and well-planned intrusion. By combining legitimate tools with custom malware, the attackers avoided detection while moving laterally and stealing credentials. Defenders should monitor for unusual use of WMI, HTA files, and DLL sideloading. Service account privileges must be limited, and internal systems like SharePoint should receive the same attention as external-facing assets.

MITRE ATT&CK: T1021.002 - Remote Services: SMB/Windows Admin Shares | T1059.001 - Command and Scripting Interpreter: PowerShell | T1218.011 - Signed Binary Proxy Execution: Rundll32 | T1055.001 - Process Injection: Dynamic-Link Library Injection | T1505.003 - Server Software Component: Web Shell | T1003.002 - OS Credential Dumping: Security Account Manager | T1036.005 - Masquerading: Match Legitimate Name or Location | T1112 - Modify Registry | T1218 - Signed Binary Proxy Execution | T1003 - OS Credential Dumping | T1555 - Credentials from Password Stores | T1082 - System Information Discovery | T1012 - Query Registry | T1021.001 - Remote Services: Remote Desktop Protocol | T1071.001 - Application Layer Protocol: Web Protocols | T1041 - Exfiltration Over C2 Channel

PoisonSeed’s QR‑Based FIDO Downgrade Attack

(published: July 21, 2025)

Cybersecurity researchers at Expel have uncovered a novel adversary‑in‑the‑middle phishing attack by the group “PoisonSeed” that manipulates FIDO cross‑device sign‑in. Users enter credentials into a cloned Okta-like portal, which forwards them to the legitimate site. The attacker then triggers a QR‑based FIDO login flow, captures the QR code, and presents it back to the victim. When the victim scans it with an MFA app, they unknowingly authorize the attacker’s session, bypassing the physical FIDO key. This technique is not a flaw in FIDO itself but a strategic abuse of fallback authentication. Additional cases include attackers enrolling their own FIDO keys post-compromise. Mitigation measures include disabling phishable fallback options, enforcing Bluetooth proximity for cross‑device authentication, monitoring for unusual key registrations, and restricting logins by geolocation.

Analyst Comment: PoisonSeed did not break FIDO; they simply bypassed it by taking advantage of a feature most users do not think twice about. To reduce risk, logins should happen on the same device that holds the passkey, preventing attackers from abusing cross-device flows like QR codes. Security teams should monitor for unexpected passkey registrations or unusual QR logins. Furthermore, recovery processes must avoid phishable methods and instead rely on phishing-resistant authentication.

MITRE ATT&CK: T1566.002 - Phishing: Spearphishing Link | T1556.006 - Modify Authentication Process: Multi-Factor Authentication | T1556.003 - Modify Authentication Process: Pluggable Authentication Modules | T1098.005 - Account Manipulation: Device Registration | T1556.004 - Modify Authentication Process: Network Device Authentication

ToolShell: SharePoint’s Latest Critical Vulnerability

(published: July 22, 2025)

SentinelOne and Microsoft have confirmed active exploitation of a zero-day vulnerability chain known as ToolShell, which targets on-premises Microsoft SharePoint Servers including the Subscription Edition, 2019, and 2016. The core issue, CVE‑2025‑53770, enables unauthenticated remote code execution via the ToolPane.aspx endpoint. A secondary flaw, CVE‑2025‑53771, bypasses previous patches. Exploitation activity began on July 7 and escalated around July 18, with at least 400 compromised servers identified across government, healthcare, energy, telecom, and education sectors. Threat actors use the spinstall0.aspx web shell to gain access, extract ASP.NET machine keys, bypass MFA and SSO protections, exfiltrate sensitive data, and maintain persistence or deploy ransomware such as Warlock.

Analyst Comment: This is another clear example of attackers targeting the everyday systems many organizations rely on but rarely harden properly. SharePoint often sits inside the network with high trust and little monitoring, making it a prime target when left unpatched. The fact that attackers are extracting machine keys to bypass authentication should raise alarms. Patch immediately, rotate keys, restart services, and isolate exposed servers where possible.

MITRE ATT&CK: T1190 - Exploit Public-Facing Application | T1059.003 - Command and Scripting Interpreter: Windows Command Shell | T1505.003 - Server Software Component: Web Shell | T1003 - OS Credential Dumping | T1071.001 - Application Layer Protocol: Web Protocols | T1041 - Exfiltration Over C2 Channel

Iran Linked DCHSpy Android Malware Masquerades as VPN Apps to Spy on Dissidents

(published: July 21, 2025)

Security researchers from Lookout and others have uncovered four new Android spyware samples, collectively dubbed DCHSpy, which are linked to Iran’s MuddyWater APT group, an entity affiliated with the Ministry of Intelligence and Security (MOIS). These samples appeared shortly after the onset of the Israel and Iran conflict and disguise themselves as legitimate VPN apps including Earth VPN, Comodo VPN, Hide VPN, and even a Starlink-branded APK to lure dissidents and activists. DCHSpy is a modular surveillance tool capable of harvesting a wide range of personal data such as WhatsApp messages, account information, contacts, SMS messages, call logs, files, location data, and access to the camera and microphone. The malware compresses and encrypts the stolen data before transmitting it via SFTP to attacker-controlled servers. Analysts observed infrastructure overlap with the earlier SandStrike Android malware, suggesting reuse of command and control infrastructure by the same threat actors. The malware is distributed through Telegram links written in both English and Farsi, and is primarily aimed at individuals who oppose the Iranian regime.

Analyst Comment: DCHSpy highlights how easily attackers exploit personal mobile devices to access sensitive data. In bring your own device environments, this risk extends into corporate networks. If a phone is not issued and managed by the organization, it should not contain work data. It cannot be properly secured, monitored, or audited if needed. Organizations should restrict sideloading, enforce app vetting, and monitor access from unmanaged devices. High risk users need secure app delivery and tighter controls on platforms like Telegram, which are often used to spread malware. Attackers are targeting what defenders overlook.

MITRE ATT&CK: T1587.001 - Develop Capabilities: Malware | T1204.001 - User Execution: Malicious Link | T1204.002 - User Execution: Malicious File | T1105 - Ingress Tool Transfer | T1005 - Data From Local System | T1056 - Input Capture | T1041 - Exfiltration Over C2 Channel

US Government Warns of Widespread Interlock Ransomware Attacks

(published: July 24, 2025)

A joint advisory from CISA, FBI, HHS, and MS-ISAC reveals that since September 2024, the Interlock ransomware group has been opportunistically targeting organizations across North America and Europe, with a particular focus on critical infrastructure and healthcare. Interlock uses uncommon initial access methods including drive-by downloads from compromised legitimate websites, fake software update prompts, and a social engineering lure known as “ClickFix” to deploy PowerShell-based remote access tools. It infects both Windows and Linux virtual machines, exfiltrates sensitive data to cloud services such as Azure Blob Storage, and then encrypts files with extensions like “.interlock” or “.1nt3rlock.” Victims are directed to ransom negotiation portals hosted on the Tor network. Notable targets include healthcare providers such as Kettering Health and DaVita.

Analyst Comment: Interlock’s use of drive-by downloads marks a shift from typical email-based delivery, allowing it to bypass phishing filters by exploiting trusted websites. This method makes detection harder and highlights the need for stronger web-layer defenses. DNS filtering and secure web gateways are key to stopping these payloads before they reach endpoints. User awareness should also extend beyond email threats to include risks from fake update prompts and compromised sites, even those that appear legitimate.

MITRE ATT&CK: T1189 - Drive-By Compromise | T1204.002 - User Execution: Malicious File | T1566.002 - Phishing: Spearphishing Link | T1059.001 - Command and Scripting Interpreter: PowerShell | T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage | T1486 - Data Encrypted for Impact | T1090.003 - Proxy: Multi-Hop Proxy

Ports Are Getting Smarter and More Hackable

(published: July 23, 2025)

A new policy brief from NATO’s Cooperative Cyber Defence Centre of Excellence warns that maritime ports, which handle 80 percent of global trade and play vital roles in military logistics, are increasingly targeted by state-linked cyber actors. Surveys show that access control systems and vessel traffic management are common attack points. Groups associated with Russia, Iran, and China are behind campaigns involving espionage, denial-of-service, malware, and ransomware. Ransomware operations by financially motivated groups like BlackCat and Conti have disrupted oil terminals in Northern Europe. At the same time, pro-Russian hacktivist group NoName057 has used botnets like DDoSia to launch denial-of-service attacks. The brief highlights a civil and military coordination gap. Although most ports are privately operated, they are critical to NATO’s supply chains and security posture.

Analyst Comment: This is a clear reminder that smart systems alone do not make secure environments. Many sectors are connecting faster than they are securing, creating gaps that threat actors exploit. NATO’s dependence on privately run ports highlights the risk of limited coordination. Threat intelligence must be shared across all stakeholders. Tools like Anomali ThreatStream help bridge that gap by centralizing IOCs and enabling timely response. This is not just about defending what you have; it is about building beyond it. Without structured collaboration and shared visibility, even small attacks can cause outsized disruption.

MITRE ATT&CK: T1566 - Phishing | T1204 - User Execution | T1046 - Network Service Scanning | T1571 - Non-Standard Port | T0885 - Commonly Used Port | T1499 - Endpoint Denial of Service | T1486 - Data Encrypted for Impact | T1005 - Data from Local System

China-Based APTs Deploy Fake Dalai Lama Apps to Spy on Tibetan Community

(published: July 24, 2025)

Researchers at Zscaler’s ThreatLabz have uncovered two China-linked cyber-espionage operations targeting the Tibetan community in the lead-up to the Dalai Lama’s 90th birthday. In the first campaign, dubbed Operation GhostChat, a legitimate website used by the Tibetan diaspora was compromised to distribute a backdoored version of a chat app called TElement. This version installed the Gh0st remote access trojan through a technique involving DLL sideloading. In the second campaign, named Operation PhantomPrayers, attackers used a fake “90th Birthday Global Check-in” program that deployed a modular backdoor known as PhantomNet, also referred to as SManager. This backdoor communicates with command and control infrastructure using AES encryption. Both campaigns relied on watering-hole tactics and DLL hijacking to deliver malware capable of surveillance, data theft, and remote control of infected systems.

Analyst Comment: This was not a case of advanced malware doing something flashy; the real tactic was exploiting trust. By hijacking a legitimate Tibetan community site and disguising Gh0st RAT inside a repackaged chat app, the attackers counted on users downloading it without question. The same goes for the fake “birthday check-in” app that quietly deployed PhantomNet through DLL sideloading. These tools are not new, but they still work when defenders are not watching for them. The key is context: known apps spawning unexpected binaries, encrypted outbound traffic from apps that usually stay local, or DLLs loading from unusual directories. These are low-noise signals, but they are where campaigns like this reveal themselves.

MITRE ATT&CK: T1189 - Drive-By Compromise | T1204.002 - User Execution: Malicious File | T1106 - Native API | T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking | T1055.002 - Process Injection: Portable Executable Injection | T1027.007 - Obfuscated Files or Information: Dynamic API Resolution | T1027.009 - Obfuscated Files or Information: Embedded Payloads | T1027.015 - Obfuscated Files or Information: Compression | T1620 - Reflective Code Loading | T1070.001 - Indicator Removal on Host: Clear Windows Event Logs | T1056.001 - Input Capture: Keylogging | T1083 - File and Directory Discovery | T1057 - Process Discovery | T1012 - Query Registry | T1518.001 - Software Discovery: Security Software Discovery | T1082 - System Information Discovery | T1033 - System Owner/User Discovery | T1123 - Audio Capture | T1115 - Clipboard Data | T1005 - Data from Local System | T1113 - Screen Capture | T1125 - Video Capture | T1573.001 - Encrypted Channel: Symmetric Cryptography | T1095 - Non-Application Layer Protocol | T1071.001 - Application Layer Protocol: Web Protocols | T1529 - System Shutdown/Reboot

Cloud Cryptomining Campaign Exploits PostgreSQL Misconfigurations

(published: July 24, 2025)

Wiz Research has uncovered an active cryptomining campaign named “Soco404,” which targets misconfigured cloud environments. The attackers take advantage of publicly exposed PostgreSQL instances, often left with default or weak credentials, to execute malicious scripts using PostgreSQL’s COPY … FROM PROGRAM feature. A lightweight loader, called soco.sh, retrieves a packed Go binary that disguises itself as a legitimate process. The malware hides payloads in fake 404 error pages, establishes persistence through cron jobs and shell profile modifications, and launches Monero mining across Linux and Windows systems. The broader infrastructure points to a large-scale crypto-scam operation that uses compromised servers and a variety of misconfiguration flaws to maintain access and scale operations.

Analyst Comment: The key insight is the abuse of PostgreSQL’s COPY … FROM PROGRAM feature to run external scripts. This is not an exploit but a misuse of default functionality that works when cloud setups are poorly secured. Hiding payloads in fake 404 pages adds another layer of stealth. Defenders should disable unused database features, enforce strong credentials, and monitor for unusual process activity tied to database services. Furthermore, regular checks for unexpected cron jobs or shell profile changes could help detect persistence early.

MITRE ATT&CK: T1110.003 - Brute Force: Password Spraying | T1190 - Exploit Public-Facing Application | T1059.004 - Command and Scripting Interpreter: Unix Shell | T1053.003 - Scheduled Task/Job: Cron | T1546.004 - Event Triggered Execution: Unix Shell Configuration Modification | T1543.003 - Create or Modify System Process: Windows Service | T1070.002 - Indicator Removal on Host: Clear Linux or Mac System Logs | T1070.004 - Indicator Removal on Host: File Deletion | T1027.002 - Obfuscated Files or Information: Software Packing | T1027.006 - Obfuscated Files or Information: HTML Smuggling | T1036.005 - Masquerading: Match Legitimate Name or Location | T1562.002 - Impair Defenses: Disable Windows Event Logging | T1559 - Inter-Process Communication | T1105 - Ingress Tool Transfer | T1496 - Resource Hijacking | T1082 - System Information Discovery | T1071.001 - Application Layer Protocol: Web Protocols | T1564.001 - Hide Artifacts: Hidden Files and Directories | T1620 - Reflective Code Loading | T1098 - Account Manipulation | T1136 - Create Account
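One way to audit and tighten the permission that gates COPY … FROM PROGRAM, as an added example that is not code from the Anomali post or from Wiz’s report; the role name app_user is assumed, and the statements target PostgreSQL 11 or later, where the pg_execute_server_program role exists:

```sql
-- Added example (not from the Anomali post or Wiz's research).
-- COPY ... FROM PROGRAM runs a shell command as the PostgreSQL OS user.
-- The server only permits it for superusers and for members of the
-- built-in role pg_execute_server_program, so those two properties are
-- what an exposed, weakly-authenticated instance must not hand out.

-- 1. Inventory: every login role that could run COPY ... FROM PROGRAM.
SELECT r.rolname,
       r.rolsuper,
       pg_has_role(r.oid, 'pg_execute_server_program', 'MEMBER')
           AS member_of_exec_program,
       (r.rolsuper
        OR pg_has_role(r.oid, 'pg_execute_server_program', 'MEMBER'))
           AS can_copy_from_program
FROM pg_roles AS r
WHERE r.rolcanlogin
ORDER BY can_copy_from_program DESC, r.rolname;

-- 2. Weak setting (assumed role app_user): an application account made a
--    superuser "for convenience". Anyone who guesses its password can run
--    COPY ... FROM PROGRAM and land exactly where Soco404 starts.
ALTER ROLE app_user SUPERUSER;            -- the misconfiguration

--    Corrected setting: an ordinary login role with no server-program,
--    server-file or role-creation rights.
ALTER ROLE app_user NOSUPERUSER NOCREATEROLE NOCREATEDB;
REVOKE pg_execute_server_program FROM app_user;
REVOKE pg_read_server_files, pg_write_server_files FROM app_user;

-- 3. Detection: sessions currently executing COPY ... FROM PROGRAM.
--    ~* is PostgreSQL's case-insensitive regex match.
SELECT pid, usename, client_addr, backend_start,
       left(query, 200) AS query
FROM pg_stat_activity
WHERE query ~* 'COPY\s.*FROM\s+PROGRAM';

-- 4. Visibility after the fact: log_statement = 'mod' records DDL and
--    data-modifying statements, and COPY FROM is included in that set,
--    so the statement appears in the server log even if the attacker
--    later cleans up cron entries and shell profiles on the host.
ALTER SYSTEM SET log_statement = 'mod';
SELECT pg_reload_conf();
```

Run the inventory query before and after the REVOKEs; any remaining row with can_copy_from_program = true should be a deliberately chosen administrative role, not an application or default account.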

Steam Early Access Game "Chemia" Used to Distribute Information Stealers

(published: July 25, 2025)

A cybercriminal group known as EncryptHub (also tracked as Larva‑208) infiltrated the Steam platform by uploading a malicious Early Access title, Chemia, under a fake developer name. The game build itself contained HijackLoader, which executed when players launched the game. This loader established persistence and delivered two infostealers: Vidar and Fickle Stealer. Vidar is a Malware‑as‑a‑Service stealer targeting browser‑saved credentials and crypto wallets, while Fickle uses PowerShell scripts to bypass UAC and exfiltrate browser data, system info, and wallet files. The malware spread entirely through Steam downloads, exploiting platform trust rather than phishing. Exfiltration was handled via Telegram C2. Valve has since removed Chemia, but the long-term safety of similar uploads remains uncertain.

Analyst Comment: This case is included because many readers may use Steam in their personal lives. EncryptHub avoided the phishing vector by uploading a malicious game directly to Steam, removing the typical warning signs. While Steam checks that user-downloaded files match the developer’s upload, Steam does not deeply scan builds, so if the original package contains malware it will be delivered intact. Users can reduce risk by being selective with new or little‑known titles, keeping endpoint protection active, using the integrity check after updates, and avoiding storage of credentials or crypto wallets on gaming machines.

MITRE ATT&CK: T1204.002 - User Execution: Malicious File | T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | T1548.003 - Abuse Elevation Control Mechanism: Sudo and Sudo Caching | T1140 - Deobfuscate/Decode Files or Information | T1055 - Process Injection | T1071.001 - Application Layer Protocol: Web Protocols | T1041 - Exfiltration Over C2 Channel

Dropping Elephant (Patchwork) Espionage Campaign Targets Turkish Defense Sector

(published: July 25, 2025)

Arctic Wolf has uncovered a targeted campaign by Patchwork, aimed at Turkish defense companies involved in missile guidance systems and unmanned aerial vehicles. The attackers relied on highly specific spear‑phishing lures, sending emails disguised as invitations to aerospace and defense conferences. These malicious LNK attachments, once opened, trigger a staged PowerShell infection chain that downloads payloads from expouav[.]org. The payload uses VLC Media Player for DLL side‑loading, establishes persistence through Task Scheduler, and communicates over encrypted channels. This activity, observed in July 2025, demonstrates the continued focus on critical defense technology firms and related research sectors as intelligence‑collection targets.

Analyst Comment: This campaign shows how social engineering remains the simplest and most effective entry point into sensitive networks. Patchwork timed its phishing emails to align with tensions around Türkiye’s growing defense ties with Pakistan, using conference invitations tailored for engineers and researchers. That timing and relevance make the lure hard to dismiss. In all sectors the strongest protection comes from people who know what to expect and when to be suspicious. Awareness training that uses realistic lures and builds understanding of how influence works, combined with close monitoring of shortcut file execution and user‑triggered PowerShell activity, can stop these attacks early. Technical controls matter, but they are most effective when the first click is avoided through informed vigilance.

MITRE ATT&CK: T1566.001 - Phishing: Spearphishing Attachment | T1059.001 - Command and Scripting Interpreter: PowerShell | T1053.005 - Scheduled Task/Job: Scheduled Task | T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking | T1105 - Ingress Tool Transfer | T1573.001 - Encrypted Channel: Symmetric Cryptography

Anomali Threat Research

Anomali's Threat Research team continually tracks security threats to identify when new, highly critical security threats emerge. The Anomali Threat Research team's briefings discuss current threats and risks like botnets, data breaches, misconfigurations, ransomware, threat groups, and various vulnerabilities. The team also creates free and premium threat intelligence feeds for Anomali's industry-leading Threat Intelligence Platform, ThreatStream.
