Anomali Cyber Watch: FileFix Phishing, AI-Driven Pen-Testing, the Return of Scattered Spider, and More
FileFix Campaign Leverages Steganography to Deliver StealC Infostealer
(published: September 16, 2025)
A newly observed FileFix campaign uses multilingual phishing pages impersonating Meta to trick victims into copying what appears to be a harmless file path into Windows File Explorer. The clipboard actually contains a PowerShell command that downloads a JPG from a Bitbucket repository; that image conceals a second-stage script and encrypted payloads via steganography. The script extracts and decrypts executables, deploys a Go-based loader, and finally installs the StealC infostealer which harvests browser data, cloud credentials, crypto wallets, and messaging artifacts. Detection is complicated by heavy string obfuscation, fragmented and encrypted URLs, and the use of image carriers for hidden code.
Analyst Comment: What stands out to me is how threat actors continue to exploit a simple clipboard trick to execute PowerShell. It is easy for security professionals to dismiss this as obvious, but many typical IT and business users may not realize File Explorer can launch commands. Defensive controls such as restricting PowerShell execution policies and monitoring unusual child processes from Explorer can reduce exposure, but they only go so far. Awareness is just as critical. Spreading awareness about these attacks helps users understand the risks and builds a more cyber-aware culture, making this type of campaign far less effective.
MITRE ATT&CK: T1566.002 - Phishing: Spearphishing Link | T1204.004 - User Execution: Malicious Copy and Paste | T1059.001 - Command and Scripting Interpreter: Powershell | T1027.003 - Obfuscated Files or Information: Steganography | T1027 - Obfuscated Files Or Information | T1001.002 - Data Obfuscation: Steganography | T1555.003 - Credentials from Password Stores: Credentials From Web Browsers | T1552.001 - Unsecured Credentials: Credentials In Files
Villager: AI-Native Successor to Cobalt Strike Raises Abuse Fears
(published: September 15, 2025)
Researchers are warning about Villager, an AI-driven penetration testing framework developed by China-linked Cyberspike and already downloaded over 11,000 times from PyPI. Straiker.ai describes Villager as an “AI-native successor to Cobalt Strike,” citing its modular design, containerized execution, and automated decision-making powered by DeepSeek models. The tool integrates with Kali Linux and LangChain to streamline reconnaissance, exploitation, and post-exploitation, while supporting RAT-like plugins such as AsyncRAT and Mimikatz for surveillance and credential theft. Its use of ephemeral containers that self-delete within 24 hours complicates detection and forensic analysis. While marketed as a red-teaming solution, analysts fear Villager could follow Cobalt Strike’s path from professional testing tool to widespread criminal weapon, lowering the barrier to entry for less-skilled attackers.
Analyst Comment: I find it interesting that Villager may also give less skilled actors confidence by masking the complexity of intrusion work behind AI-driven automation. Skills that once took years to develop, such as linking reconnaissance with exploitation and persistence, can now be executed with simple prompts. This shift matters because it broadens who feels capable of carrying out attacks. With more than 11,000 downloads, Villager is not just another red-team framework but a tool that extends offensive participation well beyond experienced operators. The comparison to Cobalt Strike is fair, yet Villager goes further by stripping away the natural friction that once acted as a barrier. The possible outcome is a wider, less predictable threat pool that defenders will need to account for.
MITRE ATT&CK: T1595 - Active Scanning | T1190 - Exploit Public-Facing Application | T1059 - Command And Scripting Interpreter | T1071 - Application Layer Protocol | T1219 - Remote Access Software | T1003 - Os Credential Dumping | T1003.001 - OS Credential Dumping: Lsass Memory | T1070 - Indicator Removal On Host | T1070.004 - Indicator Removal on Host: File Deletion
Shai-Hulud: Self-Propagating Worm Infects 187 NPM Packages
(published: September 17, 2025)
A large-scale supply-chain compromise in the npm (Node.js) ecosystem has been publicly disclosed. The attack, tracked as “Shai-Hulud,” involves more than 180 npm packages being infected with a malicious payload that steals developer secrets, cloud credentials, and environment data. It propagates like a worm: when a compromised package is installed, it searches for npm or GitHub tokens, uses them to access other packages under the same maintainer, modifies package metadata (e.g. package.json), injects a malicious “bundle.js” or post-install script, and republishes corrupted versions. The campaign includes multiple vendor-owned packages (including those from CrowdStrike), and the impact spans both developer workstations and CI/CD pipelines.
Analyst Comment: The defining risk with Shai-Hulud is its self-propagating design. By stealing maintainer tokens and automatically republishing malicious npm packages, it turns the supply chain into an active infection channel rather than a single compromised library. I am also tracking more frequent malicious use of TruffleHog. Shai-Hulud embedded it directly to harvest developer secrets, and weeks earlier its user-agent surfaced in logs from the Salesforce/Cloudflare OAuth breach. This marks a shift from opportunistic misuse to deliberate operationalisation by threat actors. For defenders, TruffleHog activity should be treated as a high-signal IOC unless you can verify it comes from approved CI/CD security scans. In SIEM, monitor for process.name=trufflehog, command_line containing trufflehog, or http.user_agent=TruffleHog/ across endpoints and SaaS/API logs, then baseline legitimate runs to avoid false positives.
MITRE ATT&CK: T1566 - Phishing | T1059 - Command And Scripting Interpreter | T1546.016 - Event Triggered Execution: Installer Packages | T1528 - Steal Application Access Token | T1082 - System Information Discovery | T1041 - Exfiltration Over C2 Channel | T1195.001 - Supply Chain Compromise: Compromise Software Dependencies And Development Tools
Scattered Spider Resurfaces With Financial Sector Attacks Despite Retirement Claims
(published: September 17, 2025)
Researchers have observed Scattered Spider, a known identity-based cybercrime collective, returning to active operations targeting the financial services industry in the U.S. Key tactics include social engineering of executives to reset passwords via Azure AD self-service tools, leveraging password resets to escalate privileges (including Azure Global Admin roles), lateral movement through VPN and Citrix, deployment of VMware ESXi infrastructure to dump credentials, and attempts to exfiltrate data from cloud platforms such as AWS and Snowflake. Despite public statements suggesting the group was disbanding or going dark, this recent activity indicates otherwise.
Analyst Comment: Scattered Spider’s resurgence shows they have doubled down on their core strength: social engineering. Using AI platforms like Vapi and Bland AI, they can conduct adaptive voice phishing calls that feel natural and convincing, moving beyond the crude scripts defenders are used to spotting. The real risk is no longer just stolen credentials but the erosion of trust in voice interactions. Defenders should stop treating phone calls as inherently trustworthy. Any request for password resets or MFA codes must be verified through out-of-band channels such as internal messaging or a call back to an approved contact number. Organizations should also limit who can authorize resets, log all privileged account changes, and ensure staff understand that the phone is now a primary attack vector.
MITRE ATT&CK: T1078 - Valid Accounts | T1133 - External Remote Services | T1098 - Account Manipulation | T1098.003 - Account Manipulation: Add Office 365 Global Administrator Role | T1003 - Os Credential Dumping | T1213 - Data From Information Repositories | T1530 - Data From Cloud Storage Object | T1567 - Exfiltration Over Web Service | T1583.001 - Acquire Infrastructure: Domains
Old File Types Fuel Malware Delivery in 2025
(published: September 17, 2025)
HP Wolf Security’s Q2 2025 Threat Insights Report shows attackers increasingly relying on old file formats and trusted tools to deliver malware. Phishing campaigns disguised as invoices used SVG and PDF files to deploy reverse shells, MassLogger, and ModiRAT. Other attacks abused compiled HTML Help (.chm), shortcut (.lnk), and Program Information Files (.pif) to drop XWorm and Remcos. Lumma Stealer also reappeared despite a law enforcement takedown, distributed through IMG archives and obfuscated PowerShell commands. Archives accounted for 40% of delivery methods, followed by scripts and executables at 35%, with documents remaining a steady vector. By embedding malware in familiar formats and leveraging built-in Windows binaries, attackers reduce detection rates.
Analyst Comment: What strikes me is how file types like CHM and PIF have not disappeared, they just fell out of fashion. And like fashion, these things have a way of coming back around. Attackers know defenders shift focus to the latest threats and use that gap to recycle what still works. Pairing these old formats with archives and Windows binaries makes them harder to spot, turning the fight into a constant game of cat and mouse.
MITRE ATT&CK: T1566.001 - Phishing: Spearphishing Attachment | T1059 - Command And Scripting Interpreter | T1027.017 - Obfuscated Files or Information: SVG Smuggling | T1027.006 - Obfuscated Files or Information: Html Smuggling | T1218 - Signed Binary Proxy Execution | T1036.008 - Masquerading: Masquerade File Type
Microsoft and Cloudflare Dismantle RaccoonO365 Phishing-as-a-Service
(published: September 17, 2025)
Microsoft, working with Cloudflare, has dismantled the RaccoonO365 (Storm-2246) Phishing-as-a-Service platform. The operation seized 338 domains used to deliver pre-packaged phishing kits that impersonated brands like DocuSign and SharePoint to harvest Microsoft 365 credentials and session cookies, bypassing MFA via adversary-in-the-middle tactics. Microsoft identified the alleged ringleader, Nigeria-based Joshua Ogundipe, after tracking cryptocurrency transactions tied to kit sales. RaccoonO365 offered tiered subscriptions ($355 for 30 days, $999 for 90 days), marketed through Telegram, and had generated at least $100,000. The group recently advertised an AI-powered tool, “AI-MailCheck,” to enhance phishing scalability. Legal action has been initiated, and law enforcement referrals have been made, though Microsoft anticipates attempts to rebuild infrastructure.
Analyst Comment: Was greed the weak link in these operations? RaccoonO365 wasn’t undone by an exotic technical flaw but by its operators chasing profits so openly that they slipped up on their own money trail. Microsoft quietly bought into the service, traced the cryptocurrency transactions, and uncovered a wallet that exposed the ringleader, Joshua Ogundipe. That single lapse brought down the network and led to a lawsuit against Ogundipe and four associates who remain at large. For all the sophistication of their phishing kits and AI tools, in the end it was basic human error that closed them down.
MITRE ATT&CK: T1566.002 - Phishing: Spearphishing Link | T1566.001 - Phishing: Spearphishing Attachment | T1557 - Man-In-The-Middle
Google Chrome Zero-Day CVE-2025-10585 Patched After Active Exploitation
(published: September 18, 2025)
Google has released an urgent security update for its Chrome browser addressing CVE-2025-10585, a zero-day vulnerability in the V8 JavaScript and WebAssembly engine. This type of confusion flaw, discovered by Google’s Threat Analysis Group, has been actively exploited in the wild. Google patched the issue in Chrome versions 140.0.7339.185 for Linux and macOS, and 140.0.7339.185/.186 for Windows. This marks the sixth zero-day actively exploited against Chrome this year.
Analyst Comment: The significance of this update is not only that CVE-2025-10585 was exploited, but that it continues a clear pattern. Six Chrome zero-days have been patched this year, several linked directly to the V8 engine. Earlier examples include CVE-2025-5419, an out-of-bounds read/write in V8, and CVE-2025-6554, another flaw in the same component. Attackers are repeatedly finding leverage in this area, which makes the browser one of the most exposed applications in daily use and highlights why staying current with patches is critical.
Evidence Emerges of Gamaredon and Turla Collaboration
(published: September 19, 2025)
ESET Research has uncovered the first definitive signs that two Russian FSB-linked threat groups, Gamaredon and Turla, are working together to attack high-value targets in Ukraine. Gamaredon has long been active against Ukrainian governmental bodies since at least 2013. Turla, operational since around 2004 (possibly earlier), conducts espionage against governments, diplomatic services, and military institutions globally. In several incidents during 2025, Gamaredon tools (such as PteroGraphin, PteroOdd, PteroPaste) were used to deploy or recover Turla’s Kazuar backdoor malware, Kazuar version 3 in February, version 2 in April and June. The data indicate that Gamaredon is being used to gain initial access and stage systems, with Turla selecting only specific compromised hosts, likely those holding highly sensitive intelligence. Both groups are separately associated with FSB Centers: Gamaredon with Center 18, Turla with Center 16.
Analyst Comment: Turla’s use of Gamaredon’s PteroGraphin to restart a failed Kazuar v3 backdoor is telling. It is not just access sharing, it is one group’s tool being wired directly into another’s operations. That level of technical integration is unusual and signals real collaboration between FSB-linked teams. It also underlines how critical the target must have been for Turla to ensure the backdoor stayed active. This is the strongest technical evidence so far that these groups are not merely overlapping but deliberately working together.
MITRE ATT&CK: T1566 - Phishing | T1204.002 - User Execution: Malicious File | T1547 - Boot Or Logon Autostart Execution | T1071 - Application Layer Protocol | T1027 - Obfuscated Files Or Information | T1005 - Data From Local System | T1041 - Exfiltration Over C2 Channel
Luma AI’s Ray3 Brings Realistic, Intuitive Generative Video
(published: September 19, 2025)
Luma AI has introduced Ray3, a generative video model designed to produce more realistic and intuitive content. Unlike earlier systems, Ray3 uses built-in reasoning to plan scenes, evaluate drafts, and refine outputs, giving creators a more coherent multi-scene narrative. The model supports HDR video in 16-bit color, improving fidelity and dynamic range for cinematic quality. It also allows for visual annotations that the model interprets directly, making it easier for users to guide complex storyboarding. The result is video generation that feels more intuitive and closer to professional production standards.
Analyst Comment: I am not suggesting that Luma AI itself is harmful in any way, though the name is ironically close to the Lumma Stealer. I include Ray3 because the leap in capability is what matters from a security perspective. Video that can reason, plan, and generate coherent sequences pushes synthetic content closer to everyday business use. As more professional interactions shift online, the risk is not creative misuse but convincing impersonation in social engineering. For cybersecurity and business professionals, the lesson is to prepare now for a world where video evidence cannot be taken at face value and independent verification is essential.
ShadowLeak: Zero-Click Flaw Leaks Gmail Data via OpenAI ChatGPT Deep Research Agent
(published: September 20, 2025)
A zero-click “indirect prompt injection” vulnerability dubbed ShadowLeak has been discovered in OpenAI’s ChatGPT Deep Research agent when connected to Gmail. Attackers can send a crafted email containing hidden HTML instructions (tiny font, white-on-white text, etc.) that the agent ingests without user interaction. When a user later asks the agent to summarize or research content from their inbox, the agent follows the hidden instructions and exfiltrates sensitive data (names, addresses, internal messages) to an attacker-controlled endpoint. This leak occurs on the server side (OpenAI’s infrastructure), making it invisible to local endpoint or enterprise monitoring. OpenAI was notified in mid-June 2025 and issued a fix in early August.
Analyst Comment: ShadowLeak shows how indirect prompt injection should be treated as a long-term threat class, not a one-off bug. The interesting point is that the attack happened on the service side, making it invisible to endpoint tools and SIEMs that defenders usually rely on. OpenAI has already patched this flaw, but the real lesson is in how we set trust boundaries for AI agents. Giving an agent permission to read emails or query internal systems without strict validation and audit creates blind spots. The focus now has to be on defining what content agents are allowed to process, constraining what they can output or transmit, and ensuring every interaction is logged. Otherwise, similar attacks will slip past visibility again, no matter how many individual flaws are patched.
MITRE ATT&CK: T1190 - Exploit Public-Facing Application | T1659 - Content Injection | T1041 - Exfiltration Over C2 Channel | T1071.001 - Application Layer Protocol: Web Protocols
Discover More About Anomali
Get the latest news about cybersecurity, threat intelligence, and Anomali's Security and IT Operations platform.
Propel your mission with amplified visibility, analytics, and AI.
Learn how Anomali can help you cost-effectively improve your security posture.
