Skip to main content
All Posts
Anomali Cyber Watch
1
min read

Anomali Cyber Watch: NSPX30 Implant Relies on Network Interception, Mustang Panda Spies on Myanmar Government, and More

Anomali Threat Research
Published on
January 30, 2024
Table of Contents

The various threat intelligence stories in this iteration of the Anomali Cyber Watch discuss the following topics: Adversary-in-the-middle, APT, Backdoors, China, Latin America, Ransomware, and Spearphishing. The IOCs related to these stories are attached to Anomali Cyber Watch and can be used to check your logs for potential malicious activity.

Image


Figure 1 - IOC Summary Charts. These charts summarize the IOCs attached to this magazine and provide a glimpse of the threats discussed.

Trending Cyber News and Threat Intelligence

Ransomware Roundup - Albabat

(published: January 26, 2024)

The Albabat (White Bat) ransomware first appeared in November 2023, with updated versions released in late December 2023 and mid-January 2024. The latest version blocks access to several antimalware websites by assigning them to the localhost in the Windows Hosts file. This Rust-based ransomware is spread under the pretense of pirated software and game cheats. Its ransom note in English has a translation option that uses Google Translate, with Portuguese automatically selected as the translated language. Albabat appears in its early development stages, but it has the potential for global targeting, and a Linux version might be released in the future. Currently, Fortinet researchers note the targeting of companies and individuals in Argentina, Brazil, the Czech Republic, Germany, Hungary, Kazakhstan, Russia, and the United States.
Analyst Comment: As long as individuals continue to download cracked software, threat actors will continue using it as a distribution method. Your company should restrict these types of downloads, supply legitimate software, and educate your employees about these risks. All known indicators associated with Albabat are available in the Anomali platform, and customers are advised to block them on their infrastructure.
MITRE ATT&CK: [MITRE ATT&CK] Execution - User Execution: Malicious File [T1204.002] | [MITRE ATT&CK] T1486: Data Encrypted for Impact | [MITRE ATT&CK] T1489 - Service Stop
Tags: malware:Albabat, malware:White Bat, malware-type:Ransomware, target-country:US, target-country:RU, target-country:KZ, target-country:AR, target-country:BR, target-country:CZ, target-country:DE, target-country:HU, language:Rust, file-type:ABBT, target-system:Windows

NSPX30: A Sophisticated AitM-Enabled Implant Evolving since 2005

(published: January 24, 2024)

A previously-unknown advanced threat actor, Blackwood, has been using sophisticated malware called NSPX30 in cyberespionage attacks against Japanese and Chinese companies and individuals since 2018. ESET researchers trace the origin of NSPX30 to the DCM implant used in 2008-2018 and the even older Project Wood backdoor (2005-2014). NSPX30 is a multistage implant that includes multiple components: a dropper, an installer, loaders, an orchestrator, a backdoor, and a set of infostealing plugins. Blackwood's deployment and use of NSPX30 rely on the adversary-in-the-middle technique, involving network interception closer to the targets. This is possibly achieved through deploying a network implant on vulnerable network appliances in the victims' networks. To download the backdoor or plugins from an unidentified network implant, the orchestrator makes contact with a HTTP request to the legitimate Baidu website. This request contains a specific User-Agent and a custom Request-URI to indicate the desired payload. The collected data is appended to DNS packets in DNS queries for the legitimate microsoft[.]com domain.
Analyst Comment: Network interception allows attackers to conceal their payload and exfiltration requests within calls to legitimate domains. Keep your routers and other network appliances updated with the latest security patches. Host-based indicators associated with NSPX30 are available in the Anomali platform for ongoing infections and historical reference.
MITRE ATT&CK: [MITRE ATT&CK] Resource Development - Develop Capabilities: Malware [T1587.001] | [MITRE ATT&CK] T1195 - Supply Chain Compromise | [MITRE ATT&CK] T1059.001: PowerShell | [MITRE ATT&CK] Execution - Command and Scripting Interpreter: Windows Command Shell [T1059.003] | [MITRE ATT&CK] Execution - Command and Scripting Interpreter: Visual Basic [T1059.005] | [MITRE ATT&CK] T1106: Native API | [MITRE ATT&CK] T1574 - Hijack Execution Flow | [MITRE ATT&CK] T1546 - Event Triggered Execution | [MITRE ATT&CK] T1548.002: Bypass User Access Control | [MITRE ATT&CK] Defense Evasion - Deobfuscate/Decode Files or Information [T1140] | [MITRE ATT&CK] T1562.001: Disable or Modify Tools | [MITRE ATT&CK] Defense Evasion - Indicator Removal: File Deletion [T1070.004] | [MITRE ATT&CK] T1070.009 - Indicator Removal: Clear Persistence | [MITRE ATT&CK] T1202 - Indirect Command Execution | [MITRE ATT&CK] T1036.005 - Masquerading: Match Legitimate Name Or Location | [MITRE ATT&CK] T1112: Modify Registry | [MITRE ATT&CK] Defense Evasion - Obfuscated Files or Information [T1027] | [MITRE ATT&CK] T1027.009 - Obfuscated Files or Information: Embedded Payloads | [MITRE ATT&CK] T1218.011 - Signed Binary Proxy Execution: Rundll32 | [MITRE ATT&CK] T1557 - Man-In-The-Middle | [MITRE ATT&CK] T1555 - Credentials From Password Stores | [MITRE ATT&CK] Discovery - File and Directory Discovery [T1083] | [MITRE ATT&CK] T1012: Query Registry | [MITRE ATT&CK] T1518 - Software Discovery | [MITRE ATT&CK] Picus: The System Information Discovery Technique Explained - MITRE ATT&CK T1082 | [MITRE ATT&CK] Discovery - System Network Configuration Discovery [T1016] | [MITRE ATT&CK] Discovery - System Network Connections Discovery [T1049] | [MITRE ATT&CK] Discovery - System Owner/User Discovery [T1033] | [MITRE ATT&CK] Credential Access - Input Capture: Keylogging [T1056.001] | [MITRE ATT&CK] T1560.002 - Archive Collected Data: Archive Via Library | [MITRE ATT&CK] T1123 - Audio Capture | [MITRE ATT&CK] T1119 - Automated Collection | [MITRE ATT&CK] Collection - Data Staged: Local Data Staging [T1074.001] | [MITRE ATT&CK] Collection - Screen Capture [T1113] | [MITRE ATT&CK] Command and Control - Application Layer Protocol: Web Protocols [T1071.001] | [MITRE ATT&CK] Command and Control - Application Layer Protocol: DNS [T1071.004] | [MITRE ATT&CK] T1132.001 - Data Encoding: Standard Encoding | [MITRE ATT&CK] T1001 - Data Obfuscation | [MITRE ATT&CK] Command and Control - Standard Non-Application Layer Protocol [T1095] | [MITRE ATT&CK] T1090 - Proxy | [MITRE ATT&CK] T1020 - Automated Exfiltration | [MITRE ATT&CK] T1030 - Data Transfer Size Limits | [MITRE ATT&CK] T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
Tags: malware:NSPX30, actor:Blackwood, source-country:CN, detection:Win32/Agent.AFYH, malware:Project Wood, malware:DCM, malware-type:Backdoor, malware-type:Dropper, malware-type:Installer, malware-type:Infostealer, malware-type:Orchestrator, technique:Adversary-in-the-Middle, technique:Packet interception, target-country:CN, target-country:JP, target-country:UK, abused:UPX, file-type:CFG, file-type:DLL.TXT, file-type:DLL, target-system:Windows

Mexican Banks and Cryptocurrency Platforms Targeted With AllaKore RAT

(published: January 24, 2024)

BlackBerry researchers discovered a new financially-motivated campaign delivering a modified version of an open-source remote access trojan called AllaKore RAT. The campaign, attributed to an unknown Latin American-based threat actor, has been active since 2021. The attacks are primarily aimed at large Mexican companies with gross revenues over $1 million USD (in many cases, over $100 million) across various sectors. From late 2021 to mid-2022, the actors used a simple attack chain directly delivering an archived AllaKore RAT. Starting late 2022, they switched to a slightly more complex attack chain involving a compressed MSI file deploying a .NET downloader and two PowerShell scripts for cleanup. The downloader first verifies that the target’s IP is located in Mexico and downloads AllaKore RAT. This is a custom AllaKore RAT version with new functionalities added by the threat actors: additional commands for banking fraud (targeting Mexican banks and crypto trading platforms), reverse shell, clipboard function, and loader functionality.
Analyst Comment: Organizations with branches in Mexico should educate their employees on phishing threats and the ongoing campaign impersonating the Mexican Social Security Institute (IMSS). YARA rules and indicators associated with this AllaKore RAT campaign are available in the Anomali platform for detection and historical reference.
MITRE ATT&CK: [MITRE ATT&CK] T1189: Drive-by Compromise | [MITRE ATT&CK] Execution - User Execution [T1204] | [MITRE ATT&CK] picus-security: The Most Used ATT&CK Technique — T1059 Command and Scripting Interpreter | [MITRE ATT&CK] T1059.001: PowerShell | [MITRE ATT&CK] T1218 - Signed Binary Proxy Execution | [MITRE ATT&CK] T1218.007 - Signed Binary Proxy Execution: Msiexec | [MITRE ATT&CK] T1480 - Execution Guardrails | [MITRE ATT&CK] T1070 - Indicator Removal On Host | [MITRE ATT&CK] Defense Evasion - Indicator Removal: File Deletion [T1070.004] | [MITRE ATT&CK] Defense Evasion - Deobfuscate/Decode Files or Information [T1140] | [MITRE ATT&CK] Command and Control - Remote File Copy [T1105] | [MITRE ATT&CK] Command and Control - Remote Access Software [T1219] | [MITRE ATT&CK] T1056 - Input Capture | [MITRE ATT&CK] Credential Access - Input Capture: Keylogging [T1056.001] | [MITRE ATT&CK] Collection - Screen Capture [T1113] | [MITRE ATT&CK] Exfiltration - Exfiltration Over C2 Channel [T1041]
Signatures: YARA Rules: MX_fin_downloader_kaje_decode_func | MX_fin_downloader_elearnscty_string | MX_fin_custom_allakore_rat
Tags: malware:AllaKore, malware-type:RAT, target-country:MX, target-industry:Cryptocurrency, target-industry:Financial, target-industry:Retail, target-industry:Agriculture, target-industry:Public-Sector, target-industry:Manufacturing, target-industry:Transportation, target-industry:Commercial-services, target-industry:Capital-goods, target-industry:Banking, language:Delphi, abused:Hostwinds, abused:eNom-LLC, file-type:EXE, file-type:MSI, file-type:RAR, file-type:ZIP, target-system:Windows

Kasseika Ransomware Deploys BYOVD Attacks, Abuses PsExec and Exploits Martini Driver 

(published: January 23, 2024)

Trend Micro researchers have analyzed the Kasseika ransomware, the unknown actors behind which appear to have acquired access to the source code of the notorious BlackMatter ransomware (active till 2021). Similar to BlackMatter, Kasseika uses pseudo-random extensions and includes the extension string to the ransom note file name (string.README.txt). Kasseika is spread by phishing emails and uses a variety of techniques to evade detection and terminate antivirus processes. The ransomware uses bring-your-own-vulnerable-driver (BYOVD) attack abusing Martini driver to terminate at least 991 processes within its list, including antivirus products, security tools, analysis tools, and system utility tools.
Analyst Comment: It is important to teach your users basic online hygiene and phishing awareness. Ransomware is a constantly evolving threat, and the most fundamental defense is having proper backup and restore processes in place that allows recovery without any need to decrypt the affected data. Data theft is containable through segmentation, encrypting data at rest, and limiting the storage of personal and sensitive data. Indicators associated with Kasseika are available in the Anomali platform, and customers are advised to block them on their infrastructure.
MITRE ATT&CK: [MITRE ATT&CK] Initial Access - Phishing [T1566] | [MITRE ATT&CK] T1486: Data Encrypted for Impact | [MITRE ATT&CK] T1490: Inhibit System Recovery | [MITRE ATT&CK] T1562.001: Disable or Modify Tools | [MITRE ATT&CK] Defense Evasion - Indicator Removal: Clear Windows Event Logs [T1070.001]
Tags: maware:Kasseika, malware-type:Ransomware, malware:PINCAV, detection:Trojan.Win64.PINCAV.A, detection:Trojan.BAT.KASSEIKA.A, detection:HackTool.BAT.Clearlog.A, detection:Ransom.Win32.KASSEIKA, technique:BYOVD, tool:Themida, tool:PsExec, encryption:ChaCha20, encryption:RSA, encryption:CryptoPP, file-type:BAT, file-type:EXE, target-system:Windows

Stately Taurus Targets Myanmar Amidst Concerns over Military Junta’s Handling of Rebel Attacks

(published: January 23, 2024)

The civil war in northern Myanmar attracts additional attention from China, with concerns regarding its effect on trade routes and security around the Myanmar-China border. CSIRT-CTI researchers have identified two connected campaigns attributed to Mustang Panda (Stately Taurus, Bronze President, Camaro Dragon, Red Delta, and Luminous Moth)—a China-sponsored group active since at least 2012. These campaigns targeted the Myanmar Ministry of Defence and Foreign Affairs, aligning with the developments in the country. Mustang Panda crafts malicious archives with executable or LNK files masquerading as relevant PDF documents. User execution is followed by the use of legitimate software to sideload malicious DLLs, verify command line arguments, copy the same two files to a different directory, and engage them in the second round of DLL side-loading. The threat actors attempt to disguise their RC4-encrypted C2 traffic as Microsoft update traffic by adding the “Host: www[.]asia[.]microsoft[.]com” and “User-Agent: Windows-Update-Agent” headers. Ultimately, additional malware is being downloaded such as PlugX, PUBLOAD, and TONESHELL.
Analyst Comment: The campaigns highlight the importance of implementing robust cybersecurity measures, particularly for entities involved in sensitive sectors, such as defense and foreign affairs. Indicators associated with this campaign are available in the Anomali platform, and customers are advised to block them on their infrastructure.
MITRE ATT&CK: [MITRE ATT&CK] Privilege Escalation - Hijack Execution Flow: DLL Side-Loading [T1574.002] | [MITRE ATT&CK] Persistence - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder [T1547.001] | [MITRE ATT&CK] Execution - User Execution: Malicious File [T1204.002] | [MITRE ATT&CK] Command and Control - Remote File Copy [T1105] | [MITRE ATT&CK] Defense Evasion - Obfuscated Files or Information [T1027] | [MITRE ATT&CK] Defense Evasion - Deobfuscate/Decode Files or Information [T1140]
Tags: actor:Stately-Taurus, actor:Mustang-Panda, malware:PlugX, malware:PUBLOAD, malware:TONESHELL, actor:Bronze-President, actor:Camaro-Dragon, actor:Red-Delta, actor:Luminous-Moth, source-country:CN, target-country:MM, target-industry:Defense, target-industry:Government, impersonated:Microsoft, file-type:DLL, file-type:EXE, file-type:ISO, file-type:LNK, file-type:ZIP, target-system:Windows

FEATURED RESOURCES

January 13, 2026
Anomali Cyber Watch

Anomali Cyber Watch: Cisco ISE Flaw, Ni8mare, N8scape, Zero-Click Prompt Injection and more

Anomali Cyber Watch: Cisco ISE Flaw Enables Arbitrary File Read via Administrative Access. Ni8mare and N8scape Vulnerabilities Expose n8n Automation Platforms to Full Compromise. Zero-Click Prompt Injection Abuse Enables Silent Data Exfiltration via AI Agents. Phishing Attacks Exploit Misconfigured Email Routing to Spoof Internal Domains. Ransomware Activity in the U.S. Continued to Rise in 2025. Android Ghost Tap Malware Drives Remote NFC Payment Fraud Campaigns. Black Cat SEO Poisoning Malware Campaign Exploits Software Search Results. MuddyWater Upgrades Espionage Arsenal with RustyWater RAT in Middle East Spear-Phishing. China-Linked ESXi VM Escape Exploit Observed in the Wild. Instagram Denies Data Breach Despite Claims of 17.5 Million Account Data Leak
Read More
January 6, 2026
Anomali Cyber Watch

Anomali Cyber Watch: OWASP Agentic AI, MongoBleed, WebRAT Malware, and more

Real-World Attacks Behind OWASP Agentic AI Top 10. MongoDB Memory Leak Vulnerability “MongoBleed” Actively Exploited. WebRAT Malware Spread via Fake GitHub Proof of Concept Exploits. Trusted Cloud Automation Weaponized for Credential Phishing. MacSync macOS Stealer Evolves to Abuse Code Signing and Swift Execution. Claimed Resecurity Breach Turns Out to Be Honeypot Trap. Cybersecurity Professionals Sentenced for Enabling Ransomware Attacks. Google Tests Nano Banana 2 Flash as Its Fastest Image AI Model. RondoDox Botnet Exploits React2Shell to Hijack 90,000+ Systems. Critical n8n Expression Injection Leads to Arbitrary Code Execution
Read More
December 23, 2025
Anomali Cyber Watch

Anomali Cyber Watch: SantaStealer Threat, Christmas Scams of 2025, React2Shell Exploit, Phishing via ISO, and more

SantaStealer Infostealer Threat Gains Traction in Underground Forums. From Fake Deals to Phishing: The Most Effective Christmas Scams of 2025. React2Shell Exploitation Expands With New Payloads and Broader Targeting. Russian Phishing Campaign Delivers Phantom Stealer via ISO Attachments. And More...
Read More
Explore All