Anomali Cyber Watch: BERT Ransomware Group, Employee Login Credential Attacks, Malicious Chrome Extensions, and More


This edition of Anomali Cyber Watch covers the following topics: BERT Ransomware Group, employee credential attacks, Atomic macOS Infostealer (AMOS), Batavia spyware, malicious Chrome extensions, Scattered Spider phishing, the Anatsa banking trojan, Windows exploits, Iranian threat actors, and a malicious Cursor AI extension. The IoCs related to these stories are linked below and can be referenced in Anomali ThreatStream to help you check your logs for potential malicious activity.
BERT Ransomware Group Targets Asia and Europe on Multiple Platforms
(published: July 7, 2025)
BERT, also tracked by Trend Micro as "Water Pombero," is a newly emerged ransomware group active since April 2025. It's capable of striking both Windows and Linux systems across Asia, Europe, and the U.S., with victims in healthcare, technology, and event services. On Windows, BERT deploys PowerShell-based loaders to disable security tools, escalate privileges, and download the payload from a Russian-registered IP (185[.]100[.]157[.]74). The Linux variant supports up to 50 concurrent threads for rapid encryption, forcibly shuts down ESXi virtual machines to disrupt recovery, and uses standard AES encryption with file extensions like “.encryptedbybert”. Early iterations waited to enumerate all files before encrypting, but newer versions use concurrent queues and DiskWorker threads to begin encryption immediately. Code similarities to REvil and Babuk ESXi lockers suggest possible reuse or shared development origins.
Analyst Comment: BERT’s Windows and Linux variants are tailored for fast, effective disruption. On Windows, it disables security tools and escalates privileges using PowerShell, while the Linux version aggressively targets ESXi environments with multi-threaded encryption and forced VM shutdowns. This split strategy suggests a deliberate focus on both endpoint compromise and server-level impact. Defenders should monitor for suspicious script activity on Windows systems and restrict remote access to ESXi hosts. Mitigation should include privilege separation, strict execution policies, and offline backups to reduce recovery time if systems are hit.
MITRE ATT&CK: T1059.006 - Command and Scripting Interpreter: Python | T1562.001 - Impair Defenses: Disable Or Modify Tools | T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control | T1105 - Ingress Tool Transfer | T1486 - Data Encrypted For Impact | T1489 - Service Stop | T1564 - Hide Artifacts
Hackers Target Employee Credentials Amid Spike in ID Attacks
(published: July 7, 2025)
Researchers have observed a significant surge in attacks targeting employee login credentials, with a 156% rise in identity-based intrusions since 2023. Attack methods include infostealer malware and credential stuffing tools, but phishing-as-a-service (PhaaS) platforms are playing a major role in driving this trend. Tycoon 2FA, in particular, has emerged as the leading PhaaS tool between January and May 2025, helping cybercriminals steal Microsoft business account credentials and session cookies. It has now overtaken competitors like EvilProxy and Sneaky 2FA. Stolen credentials are used to impersonate staff, access internal systems, move laterally across networks, and conduct Business Email Compromise campaigns that involve executive impersonation and wire fraud.
Analyst Comment: This massive surge in credential theft highlights a clear shift toward identity-driven attacks. When attackers use valid credentials, they can bypass traditional security and blend in with legitimate users. Preventing this requires more than basic controls. Organizations should adopt phishing-resistant MFA such as biometrics or hardware tokens, strengthen monitoring with AI tools, and invest in ongoing employee training.
MITRE ATT&CK: T1566 - Phishing | T1189 - Drive-By Compromise | T1204 - User Execution | T1555 - Credentials From Password Stores | T1110 - Brute Force | T1078 - Valid Accounts | T1021 - Remote Services | T1114 - Email Collection | T1656 - Impersonation
Atomic macOS Infostealer Adds Backdoor for Persistent Attacks
(published: July 7, 2025)
A new variant of the Atomic macOS infostealer (also known as AMOS) has been discovered to include a persistent backdoor that survives system reboots and allows hackers ongoing control over compromised Macs. According to BleepingComputer, MacPaw’s Moonlock team—alerted by researcher g0njxa—noted that the malware uses a hidden binary (.helper), launched via a hidden wrapper script (.agent) and registered with a LaunchDaemon (com.finder.helper) using stolen credentials. This backdoor enables attackers to execute remote commands, log keystrokes, deploy additional malware, and potentially move laterally across networks. AMOS, a malware-as-a-service sold via Telegram for roughly $1,000/month, targets browser passwords, keychains, cryptocurrency wallets, and system files. Campaigns have reached over 120 countries, with distribution via cracked software, phishing emails, fake job interviews, fake apps, and spoofed websites.
Analyst Comment: What makes this update to Atomic especially concerning is the move from simple data theft to persistent, stealthy access. By abusing macOS LaunchDaemons and valid user credentials, attackers can quietly maintain control even after reboot, turning a quick hit into an ongoing foothold. This isn't typical behavior for infostealers. It blurs the line between commodity malware and advanced access tools. Defenders should treat this as more than just another info-grabber. Monitoring for unexpected persistence, auditing LaunchDaemon entries, and deploying macOS-specific detection tools are now essential steps in protecting against long-term compromise.
MITRE ATT&CK: T1566.002 - Phishing: Spearphishing Link | T1059.007 - Command and Scripting Interpreter: Javascript | T1543.004 - Create or Modify System Process: Launch Daemon | T1555.003 - Credentials from Password Stores: Credentials From Web Browsers | T1082 - System Information Discovery | T1071.001 - Application Layer Protocol: Web Protocols | T1113 - Screen Capture | T1041 - Exfiltration Over C2 Channel
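The LaunchDaemon audit suggested in the analyst comment, written out as an added example (this is not Moonlock's, BleepingComputer's or Anomali's code). It parses LaunchDaemon plists and flags the traits described above: a hidden dot-prefixed executable, a daemon launched from a user directory, an Apple-sounding label backed by a non-system binary, and the RunAtLoad plus KeepAlive combination that makes the backdoor survive reboots. The two plists are constructed samples, and the directory names and keyword lists are assumptions.

```python
import plistlib
from pathlib import Path, PurePosixPath

# Constructed sample plists (not taken from a real infection). The first mirrors
# the persistence shape described for the AMOS backdoor: an Apple-sounding label
# backed by a hidden dot-prefixed wrapper script in a user's home directory.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.finder.helper</string>
  <key>ProgramArguments</key><array><string>/Users/victim/.agent</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.backupagent</string>
  <key>ProgramArguments</key><array><string>/usr/local/bin/backupagent</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

# Locations where Apple-managed daemons legitimately live (assumed list).
SYSTEM_DIRS = ("/System/", "/usr/", "/bin/", "/sbin/", "/Library/Apple/")
# Locations from which a persistent daemon is rarely legitimate (assumed list).
USER_DIRS = ("/Users/", "/tmp/", "/private/tmp/", "/var/tmp/")
# Apple product words that malware borrows for its labels (assumed list).
APPLE_WORDS = ("apple", "finder", "safari", "icloud")


def audit_launch_daemon(raw: bytes) -> list:
    """Return a list of findings for one LaunchDaemon plist; empty means clean."""
    info = plistlib.loads(raw)
    label = str(info.get("Label", ""))
    args = info.get("ProgramArguments") or []
    program = str(info.get("Program") or (args[0] if args else ""))
    findings = []
    # A hidden (dot-prefixed) executable or parent folder is a strong red flag.
    if any(p.startswith(".") for p in PurePosixPath(program).parts):
        findings.append("hidden dot-prefixed path: " + program)
    if program.startswith(USER_DIRS):
        findings.append("daemon launched from user or temp directory: " + program)
    if any(w in label.lower() for w in APPLE_WORDS) and not program.startswith(SYSTEM_DIRS):
        findings.append("Apple-style label %s backed by non-system binary" % label)
    if info.get("RunAtLoad") and info.get("KeepAlive"):
        findings.append("RunAtLoad + KeepAlive: restarts itself and survives reboot")
    return findings


def audit_directory(path="/Library/LaunchDaemons") -> dict:
    """Audit every plist in a LaunchDaemons folder; maps filename -> findings."""
    results = {}
    for plist in Path(path).glob("*.plist"):
        try:
            findings = audit_launch_daemon(plist.read_bytes())
        except Exception as exc:  # unreadable or malformed plist: report, don't skip
            findings = ["could not parse: %s" % exc]
        if findings:
            results[plist.name] = findings
    return results


if __name__ == "__main__":
    print(audit_directory())
```

Run it on a Mac against /Library/LaunchDaemons and ~/Library/LaunchAgents; anything it reports deserves a look at the signing status and origin of the referenced binary.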
Batavia Windows Spyware Campaign Targets Dozens of Russian Organizations
(published: July 7, 2025)
A newly detailed cyber espionage operation, dubbed Batavia, has been uncovered by Kaspersky and publicly reported by Bleeping Computer. Active since at least July 2024, the campaign has escalated through early 2025 and appears to be aimed at stealing sensitive data from Russian industrial organizations. The attack chain begins with phishing emails posing as contract-related correspondence, enticing recipients to open a Visual Basic Encoded (.VBE) script. Once executed, this script launches a Delphi-based dropper (WebView.exe) that presents a fake contract window while quietly collecting documents, screenshots, and system metadata. The intrusion deepens with a secondary payload (javav.exe) written in C++, which expands data collection and introduces update functionality. Researchers also discovered a third-stage component (windowsmsg.exe), hinting at a modular, evolving toolkit. With more than 100 users across multiple Russian enterprises impacted, the campaign demonstrates hallmarks of strategic, state-aligned industrial espionage. Attribution remains unconfirmed, but the operational design suggests a well-resourced and persistent threat actor.
Analyst Comment: Batavia shows how well-planned espionage campaigns can rely on simple methods to achieve complex goals. The use of common phishing lures followed by staged payloads reflects a focus on persistence and stealth rather than novelty. With clear targeting of industrial sectors, this operation appears designed for strategic data collection. Defenders should combine phishing-resistant email filtering, script execution restrictions, and strong endpoint monitoring. Training staff to recognize suspicious document requests remains one of the most effective safeguards.
MITRE ATT&CK: T1566.001 - Phishing: Spearphishing Attachment | T1059.005 - Command and Scripting Interpreter: Visual Basic | T1204.002 - User Execution: Malicious File | T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | T1027 - Obfuscated Files Or Information | T1036 - Masquerading | T1005 - Data From Local System | T1113 - Screen Capture | T1082 - System Information Discovery | T1105 - Ingress Tool Transfer | T1071.001 - Application Layer Protocol: Web Protocols | T1041 - Exfiltration Over C2 Channel
Malicious Chrome Extensions with 1.7 Million Installs Discovered
(published: July 8, 2025)
Security researchers have uncovered a large-scale browser extension campaign affecting over 1.7 million Google Chrome users. The campaign, dubbed Operation RedDirection, involved 15 extensions masquerading as helpful tools such as ad blockers, emoji keyboards, and productivity add-ons. Initially benign, these extensions were later updated with malicious code that silently tracked users' browsing activity, harvested full URLs, and sent them to attacker-controlled servers along with unique user identifiers. Some extensions even redirected users to phishing or scam sites. Despite being verified and receiving positive reviews, the extensions evaded detection for months. Microsoft Edge users were also impacted, bringing the total number of affected installations to more than 2.3 million.
Analyst Comment: The extensions appeared harmless, gained positive reviews, then quietly turned malicious. That delayed switch made them harder to detect and more dangerous. Relying on store approval or ratings may no longer be enough. Organizations should enforce extension allowlists, monitor for suspicious browser activity, and audit extensions regularly. For users, the key is caution: review what you install, check permissions, and remove anything unnecessary. Browser security needs the same attention we give to apps and email.
MITRE ATT&CK: T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain | T1059.007 - Command and Scripting Interpreter: Javascript | T1056.004 - Input Capture: Credential Api Hooking | T1041 - Exfiltration Over C2 Channel | T1071.001 - Application Layer Protocol: Web Protocols
Scattered Spider Preps Over 500 Phishing Domains
(published: July 8, 2025)
Security firm Check Point has uncovered roughly 500 new domains matching Scattered Spider’s phishing naming pattern, signaling a widening of their campaign beyond aviation, retail, and tech into manufacturing, finance, and med‑tech sectors. These domains are poised to support credential-harvesting attacks, backed by social engineering, remote-access tools like TeamViewer and Vidar stealer, and SIM‑swap-enabled MFA bypasses. Public advisories from CISA/FBI and Check Point highlight similar TTPs, while AXIOS reporting shows the group continuing to deploy ESXi-targeted ransomware after the initial phishing.
Analyst Comment: The scale and precision of these phishing domains suggest Scattered Spider is planning well ahead. This isn’t broad spraying; it’s targeted and strategic. They’re counting on weak MFA and lax help desk checks to get in. To stay ahead, organizations need to tighten identity verification for support requests and keep a close eye on domain lookalikes. Small gaps in process are what this group exploits best.
MITRE ATT&CK: T1589 - Gather Victim Identity Information | T1583.001 - Acquire Infrastructure: Domains | T1566 - Phishing | T1566.004 - Phishing: Spearphishing Voice | T1660 - Phishing | T1219 - Remote Access Software | T1486 - Data Encrypted For Impact
Anatsa Android Banking Trojan Hits 90,000 Users with Fake PDF App on Google Play
(published: July 8, 2025)
Cybersecurity researchers at ThreatFabric have identified a new outbreak of the Anatsa banking trojan, which infiltrated Google Play through a deceptive "Document Viewer – File Reader" app developed by "Hybrid Cars Simulator, Drift & Racing." Released on May 7, 2025, the app climbed to the top‑4 free tools list before receiving a malicious update between June 24–30. The update deployed Anatsa via a secondary payload, which monitors devices for North American banking apps. Once it identifies a target, it uses overlay attacks and fake “scheduled maintenance” screens to steal login credentials and silently perform fraudulent transactions, delaying user suspicion. The app reached an estimated 90,000 installs before being removed, though Play Protect should now flag it.
Analyst Comment: For the second time this week, we’re seeing apps that looked safe at first turn malicious after gaining trust. Anatsa followed the same playbook as the recent Chrome extension campaign—start clean, wait for installs, then quietly switch tactics. The fake maintenance screens and hidden transaction tools weren’t just about stealing credentials; they were designed to keep users in the dark for as long as possible. Mobile users should be cautious with app permissions and keep an eye on their accounts. For banks and other organizations, better visibility into mobile behavior and early fraud signals is key. This kind of threat slips past first impressions.
MITRE ATT&CK: T1661 - Application Versioning | T1626.001 - Abuse Elevation Control Mechanism: Device Administrator Permissions | T1417.001 - Input Capture: Keylogging | T1417.002 - Input Capture: Gui Input Capture | T1544 - Remote File Copy
Critical Wormable Windows Flaw Allows Remote Code Execution – CVE‑2025‑47981
(published: July 9, 2025)
Microsoft has released patches addressing a severe heap‑based buffer overflow vulnerability in the SPNEGO Extended Negotiation (NEGOEX) component of Windows and Windows Server (CVE‑2025‑47981). This critical remote code execution (RCE) flaw, rated with a CVSS score of 9.8, can be exploited over the network without user interaction or credentials. It affects Windows 10 (version 1607 and later), Windows 11, and supported server editions, due to the default enabling of the "Allow PKU2U authentication requests" Group Policy Object. Microsoft has listed its exploitability as “More Likely,” warning that this wormable flaw could be used for self‑propagating malware within 30 days. The patch is included in the July 8, 2025 updates and should be applied immediately, particularly on internet-facing systems, domain controllers, VPN-accessible devices, and Active Directory servers. As interim measures, Microsoft and Qualys recommend disabling the PKU2U GPO or blocking ports 135, 445, and 5985 if patching is delayed.
Analyst Comment: This flaw exploits PKU2U, a Windows feature that’s rarely needed in enterprise environments but is enabled by default on affected systems. It was originally meant for peer-to-peer authentication, but now leaves machines open to unauthenticated, wormable attacks via NEGOEX. That’s what makes this vulnerability especially risky: it’s not just about the bug itself, but the quiet exposure from old defaults most teams don’t think about. Microsoft’s patch is critical, but it’s also a good reminder to review what legacy features are quietly active across your network.
MITRE ATT&CK: T1190 - Exploit Public-Facing Application | T1203 - Exploitation For Client Execution | T1021 - Remote Services
Critical UK Cyber Threat from Iranian State‑Backed Actors
(published: July 10, 2025)
UK MPs and intelligence officials have raised alarm over a growing cyber and physical threat from Iranian state-backed actors. A recent Intelligence and Security Committee report describes Iran’s cyber capabilities as "extensive," though somewhat less advanced than those of Russia or China, and stresses the need to bolster national cyber defenses. Notable are spear-phishing campaigns targeting journalists, activists, and officials, aiming to steal credentials and compromise sensitive networks. These operations supplement a broader strategy of espionage and intimidation, including attempted kidnappings and assassinations since 2022. UK agencies have responded by upgrading Iran’s Foreign Influence Registration status and implementing sanctions, but experts warn more robust, Iran-specific cybersecurity expertise and long-term resilience strategies are urgently needed.
Analyst Comment: Iranian-linked cyber activity targeting the UK has become more structured and persistent, pairing phishing campaigns with broader influence and intimidation tactics. The focus appears to be access and pressure rather than disruption. Defending against this requires practical steps: tighten email security, educate high-risk users, and keep an eye on credential misuse. On a wider level, coordination between cybersecurity teams and physical security should be strengthened.
MITRE ATT&CK: T1566 - Phishing | T1598.002 - Phishing for Information: Spearphishing Attachment | T1591.001 - Gather Victim Org Information: Determine Physical Locations | T1555.001 - Credentials from Password Stores: Keychain | T1098.001 - Account Manipulation: Additional Cloud Credentials
Critical Threat: Malicious Cursor AI Extension Leads to $500,000 Crypto Heist
(published: July 10, 2025)
A fake “Solidity Language” extension, masquerading as a syntax highlighter in the Open VSX registry for Cursor AI (a VS Code–based IDE), was downloaded over 54,000 times and installed malicious PowerShell scripts. This led to automatic installation of ScreenConnect RDP software, deployment of Quasar backdoor and a stealer, and ultimately resulted in the theft of approximately $500,000 in cryptocurrency from a Russian blockchain developer. The fake package leveraged manipulated search rankings, mimicking legitimate extensions and using deceptive naming typography (e.g., “juanbIanco” vs. “juanblanco”) to mislead users. After removal on July 2, 2025, the attackers re-launched the package with inflated downloads of two million before its final takedown.
Analyst Comment: This attack highlights a growing trend of targeting developers through the tools they rely on. By disguising malicious code as a helpful extension, the attackers bypassed traditional security layers and hit directly at the development environment. It reinforces the need to treat dev tools and plugin sources with the same caution as production software. Security teams should monitor for unexpected behavior, avoid trusting extensions based on popularity alone, and isolate systems that handle sensitive operations like crypto wallets or credentials. Developer trust is a valuable asset, and clearly, it is now a target.
MITRE ATT&CK: T1195 - Supply Chain Compromise | T1059.001 - Command and Scripting Interpreter: Powershell | T1218.011 - Signed Binary Proxy Execution: Rundll32 | T1219 - Remote Access Software | T1566.001 - Phishing: Spearphishing Attachment | T1027 - Obfuscated Files Or Information | T1056.001 - Input Capture: Keylogging | T1083 - File And Directory Discovery | T1071.001 - Application Layer Protocol: Web Protocols | T1041 - Exfiltration Over C2 Channel
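A publisher-name lookalike check of the kind the Cursor story calls for (the “juanbIanco” vs. “juanblanco” swap of a capital I for a lowercase l), and which equally fits the extension allowlists recommended in the Chrome story. This is an added example, not code from Anomali, Open VSX or the extension authors; the confusable tables and the trusted-publisher list are constructed assumptions.

```python
import unicodedata

# Single characters that are routinely swapped for a visually similar one
# (assumed table). Every member of a group folds to one canonical character.
CONFUSABLES = {"I": "l", "1": "l", "|": "l", "0": "o", "5": "s", "2": "z", "8": "b"}
# Two-character sequences that read as one letter in many fonts (assumed table).
SEQUENCES = {"rn": "m", "vv": "w"}


def skeleton(name: str) -> str:
    """Fold a publisher or extension name so that lookalikes collide."""
    s = unicodedata.normalize("NFKD", name)                       # split accents, unify widths
    s = "".join(ch for ch in s if not unicodedata.combining(ch))  # drop the accent marks
    s = "".join(CONFUSABLES.get(ch, ch) for ch in s)              # before lowercasing: 'I' -> 'l'
    s = s.lower()
    for seq, rep in SEQUENCES.items():
        s = s.replace(seq, rep)
    return s


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_publisher(candidate: str, trusted):
    """Return the trusted publisher that `candidate` imitates, or None when it is
    either the genuine publisher or not close to any trusted name."""
    if candidate in trusted:
        return None
    sk = skeleton(candidate)
    for name in trusted:
        if skeleton(name) == sk or edit_distance(sk, skeleton(name)) <= 1:
            return name
    return None


# Constructed allowlist for a developer-workstation extension policy.
TRUSTED_PUBLISHERS = ["juanblanco", "ms-python"]

if __name__ == "__main__":
    for cand in ("juanblanco", "juanbIanco", "juanbl4nco", "rns-python"):
        print(cand, "->", check_publisher(cand, TRUSTED_PUBLISHERS))
```

A match means the extension should be blocked or routed for review regardless of its download count, since the Cursor package above was re-listed with inflated numbers after its first removal.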
