Blog

Anomali Cyber Watch: Phantom Taurus, MatrixPDF, Klopatra, and More

Anomali Threat Research
October 7, 2025

Ransomware Gang Tried to Recruit BBC Reporter as Insider

(published: September 29, 2025)

The Medusa ransomware group attempted to recruit BBC cyber correspondent Joe Tidy by offering him a share of potential ransom payments if he provided access to internal systems. Contacting him via Signal, the actor “Syndicate” (later “Syn”) initially offered 15% of proceeds, later raising it to 25%, suggesting the ransom could reach tens of millions. Syn claimed Medusa had successfully leveraged insiders before against healthcare and emergency service providers. When persuasion failed, the actor launched MFA-bombing against Tidy’s BBC account, generating repeated login prompts to coerce a mistake. Medusa, active since 2021 and believed to operate from Russia or allied states, runs a ransomware-as-a-service model and has claimed over 300 victims worldwide.

Analyst Comment: Too often insider threats are discussed as a theoretical risk, but this account shows how criminals will directly reach out to employees, frame it as a life-changing offer, and then escalate when persuasion fails. The fact that Medusa openly claimed they have struck similar deals before could simply be social proof being exploited, yet it should still be taken seriously. Even if most people would never consider cooperating, it only takes one insider under pressure, in debt, or feeling undervalued to open the door. The lesson is that insider risk is not a compliance checkbox or a once-a-year training topic. It requires ongoing visibility into access patterns, clear reporting channels for suspicious approaches, and a culture where staff feel supported if targeted.

MITRE ATT&CK: T1621 - Multi-Factor Authentication Request Generation
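The MFA-bombing described above leaves a distinctive trace in authentication logs: a burst of push prompts that the user denies or ignores, sometimes followed by the one approval the attacker was waiting for. The following detection logic is an added illustration, not code from the Anomali post; the log format, user names and thresholds are constructed assumptions.

```python
"""Detect MFA push-bombing (ATT&CK T1621) in authentication logs.

Added illustration, not from the Anomali post. Log line format is an assumption:
"<ISO timestamp> user=<name> event=mfa_push result=<approved|denied|timeout>".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: alice gets five unanswered prompts in under two minutes and
# then approves one; bob and carol show ordinary, spread-out activity.
SAMPLE_LOG = """\
2025-09-28T21:02:10Z user=alice event=mfa_push result=timeout
2025-09-28T21:02:41Z user=alice event=mfa_push result=denied
2025-09-28T21:03:05Z user=alice event=mfa_push result=timeout
2025-09-28T21:03:30Z user=alice event=mfa_push result=denied
2025-09-28T21:03:58Z user=alice event=mfa_push result=timeout
2025-09-28T21:04:20Z user=alice event=mfa_push result=approved
2025-09-28T21:10:00Z user=bob event=mfa_push result=approved
2025-09-28T22:15:00Z user=bob event=mfa_push result=approved
2025-09-29T09:00:00Z user=carol event=mfa_push result=denied
2025-09-29T11:00:00Z user=carol event=mfa_push result=denied
2025-09-29T14:00:00Z user=carol event=mfa_push result=denied
"""


def parse_line(line):
    ts_str, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, kv["user"], kv["event"], kv["result"]


def detect_push_bombing(log_text, threshold=4, window=timedelta(minutes=5)):
    """Return {user: {"count": n, "approved_after_burst": bool}} for users who
    received `threshold` or more non-approved pushes inside any `window`.
    An approval that lands right after such a burst is flagged separately,
    because that is the coerced mistake the attacker is after."""
    recent = defaultdict(deque)  # user -> timestamps of unapproved pushes
    alerts = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, user, event, result = parse_line(raw)
        if event != "mfa_push":
            continue
        q = recent[user]
        while q and ts - q[0] > window:  # slide the window forward
            q.popleft()
        if result == "approved":
            if len(q) >= threshold:
                a = alerts.setdefault(user, {"count": len(q), "approved_after_burst": False})
                a["approved_after_burst"] = True
            q.clear()
            continue
        q.append(ts)
        if len(q) >= threshold:
            a = alerts.setdefault(user, {"count": 0, "approved_after_burst": False})
            a["count"] = max(a["count"], len(q))
    return alerts


if __name__ == "__main__":
    print(detect_push_bombing(SAMPLE_LOG))
```

An `approved_after_burst` hit warrants immediate session revocation and a conversation with the user, not just a ticket.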

UK Government Backs Jaguar Land Rover with £1.5 Billion Loan Guarantee After Cyberattack

(published: September 29, 2025)

The UK government has approved a £1.5 billion loan guarantee for Jaguar Land Rover (JLR) after a severe cyberattack forced production shutdowns and disrupted IT systems. The attackers, calling themselves “Scattered Lapsus$ Hunters,” claimed responsibility, posting evidence of access to JLR’s SAP system and alleging ransomware deployment. JLR later confirmed data theft and extended factory closures. Without finalized cyber insurance, the company faced mounting recovery costs. The loan guarantee, issued under the UK Export Finance program, will support supplier payments and help restore operations. JLR, employing 34,000 directly and supporting 120,000 supply chain jobs, is now working with NCSC and law enforcement as it resumes production.

Analyst Comment: What should catch your attention here is not just the scale of the disruption but the timing of JLR’s missed cyber insurance coverage. According to The Insurer, the company had not finalized its policy before the attack, leaving it exposed to direct recovery costs at the exact moment it needed that protection most. This is a stark reminder that cyber insurance is not just paperwork to be filed away; it is part of a wider risk strategy that must be locked in well before an incident. If you are in a leadership position, ask yourself today whether your organization has gaps between risk acceptance, insurance coverage, and actual incident response readiness. Waiting until after the fact is not an option. The JLR case shows that in a crisis, the difference between having a policy and nearly having one can mean billions in exposure.

Phantom Taurus: China-Linked APT Targets Governments With Precision and Persistence

(published: September 30, 2025)

A newly identified China-aligned threat group, dubbed Phantom Taurus, has been conducting espionage against governments, embassies, and telecom providers across Africa, the Middle East, and Asia since at least 2022. The campaign, tracked as Operation Diplomatic Specter, relies on precision exploitation of exposed Microsoft Exchange and IIS servers, often through flaws like ProxyLogon and ProxyShell. Once inside, the group deploys its custom NET-STAR malware suite, including IIServerCore backdoors and AssemblyExecuter loaders. These components use in-memory execution, AMSI/ETW bypasses, timestomping, and fileless techniques to stay hidden. Unlike earlier China-linked campaigns that focused heavily on email theft, Phantom Taurus is shifting toward structured intelligence collection by targeting SQL databases and exporting data via WMI-executed scripts. Researchers assess the activity aligns with state-directed espionage priorities tied to geopolitical interests.

Analyst Comment: Phantom Taurus is interesting not only for its technical approach but also for how it has been classified over time. Unit 42 first tracked the activity under internal codes CL-STA-0043 and later TGR-STA-0043, before formally designating it as a distinct China-linked APT under the name Operation Diplomatic Specter. That history tells us the campaigns were initially hard to separate from the noise of overlapping Chinese operations, but the sustained targeting and unique toolset eventually justified carving it out as its own entity. For defenders, the more important takeaway is not the name change but the evolution in focus: moving from email theft to structured SQL data collection.

MITRE ATT&CK: T1190 - Exploit Public-Facing Application | T1505.003 - Server Software Component: Web Shell | T1059.003 - Command and Scripting Interpreter: Windows Command Shell | T1047 - Windows Management Instrumentation | T1620 - Reflective Code Loading | T1562.001 - Impair Defenses: Disable Or Modify Tools | T1070.006 - Indicator Removal on Host: Timestomp | T1071.001 - Application Layer Protocol: Web Protocols | T1573 - Encrypted Channel | T1074.001 - Data Staged: Local Data Staging | T1041 - Exfiltration Over C2 Channel

MatrixPDF Toolkit Weaponizes PDFs as Phishing and Malware Lures

(published: October 1, 2025)

A new threat known as MatrixPDF has emerged, turning seemingly innocent PDF documents into powerful phishing and malware delivery tools. Attackers use a builder interface to import a legitimate PDF, add blurred overlays and fake “Secure Document” prompts, embed JavaScript actions, and specify payload URLs to which victims are redirected. Because the PDF itself contains no executable binary, it can slip past many email security filters; malicious activity only triggers when a user clicks on a prompt or link, often bypassing Gmail’s defenses. The toolkit is already being marketed on cybercrime forums and Telegram, with pricing tiers from $400/month to $1,500/year.

Analyst Comment: What stands out to me is how cheap and effective MatrixPDF appears to be, despite its simplicity. By blurring content and adding a fake “Open Secure Document” button, attackers exploit user trust without needing to embed anything overtly malicious in the file. This is a good reminder that attackers don’t always need complex exploits; sometimes the most effective tradecraft is leveraging what the platform already allows. User training and monitoring outbound connections from document interactions are crucial here.

MITRE ATT&CK: T1566 - Phishing | T1059.007 - Command and Scripting Interpreter: JavaScript | T1204.002 - User Execution: Malicious File | T1562.001 - Impair Defenses: Disable Or Modify Tools | T1027.002 - Obfuscated Files or Information: Software Packing | T1071.001 - Application Layer Protocol: Web Protocols | T1041 - Exfiltration Over C2 Channel
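Because a MatrixPDF-style lure carries no binary, triage has to look at the PDF's own action machinery: open actions, JavaScript entries and URI links. The scanner below is an added illustration, not code from the Anomali post or the toolkit; the sample PDF is constructed here, and it deliberately hex-escapes one name (`/J#53` for `/JS`) to show why names must be normalised before matching.

```python
"""Triage scanner for action-driven PDF lures (MatrixPDF-style).

Added illustration, not from the Anomali post. Scans raw bytes for PDF action
dictionaries and URIs; the sample PDF is constructed here.
"""
import re

# Name objects that make a PDF act rather than just display.
RISKY_NAMES = (b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/Launch",
               b"/URI", b"/SubmitForm", b"/GoToR")

# Constructed one-page PDF: OpenAction runs JavaScript and a link annotation
# points at an external URL, the shape of a fake "Secure Document" prompt.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R] >> endobj
4 0 obj << /S /JavaScript /J#53 (app.launchURL\\("https://example.invalid/doc", true\\);) >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.invalid/doc) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def normalize(data: bytes) -> bytes:
    """Resolve #xx hex escapes in names so /J#53 is seen as /JS.
    Applied to the whole byte stream, which is acceptable for triage."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Return risky-name counts, literal URIs found, and a verdict.
    Caveat: objects inside compressed streams (/ObjStm, FlateDecode) are not
    inflated here, so a 'clean' result is not proof of safety."""
    text = normalize(data)
    hits = {}
    for name in RISKY_NAMES:
        # A name ends at whitespace or a delimiter; the lookahead avoids prefix matches.
        n = len(re.findall(re.escape(name) + rb"(?![A-Za-z0-9])", text))
        if n:
            hits[name.decode()] = n
    uris = [u.decode(errors="replace")
            for u in re.findall(rb"/URI\s*\(([^)]*)\)", text)]
    has_script = "/JavaScript" in hits or "/JS" in hits
    auto_runs = "/OpenAction" in hits or "/AA" in hits
    if (has_script and auto_runs) or "/Launch" in hits:
        verdict = "suspicious"
    elif hits:
        verdict = "review"
    else:
        verdict = "clean"
    return {"hits": hits, "uris": uris, "verdict": verdict}


if __name__ == "__main__":
    print(scan_pdf(SAMPLE_PDF))
```

Feed the extracted URIs to your proxy or DNS logs to find users who already clicked; that is the outbound-connection monitoring the comment above recommends.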

Android Malware “Klopatra” Uses VNC for Banking Fraud

(published: October 1, 2025)

Researchers have identified a new Android banking and remote access trojan (RAT) named Klopatra, disguised as an IPTV/VPN app and already infecting more than 3,000 devices across Europe. The malware uses Android’s Accessibility services for input capture, gesture simulation, and overlay-based credential theft. A hidden Virtual Network Computing (VNC) mode allows attackers to perform banking transactions in real time while victims see a locked screen. Klopatra employs code obfuscation, anti-analysis features, and antivirus evasion, while evolving rapidly with 40+ builds since March 2025. Cleafy attributes it to a Turkish-speaking threat group.

Analyst Comment: What makes Klopatra concerning is not just the banking fraud angle but how clearly it shows the importance of mobile device security. Many different types of mobile devices now sit at the center of both personal and corporate communication and workflows, yet many organizations still treat them as secondary to laptops and servers. A trojan like this is not only capable of draining a user’s bank account, it can also open a path into corporate email, messaging, and authentication apps that hold sensitive information. The ability for attackers to remotely operate a device in real time should move mobile security from convenience to priority. Companies need to give mobile controls the same weight as any other endpoint defense.

MITRE ATT&CK: T1655 - Masquerading | T1575 - Native Code | T1406 - Obfuscated Files Or Information | T1513 - Screen Capture | T1663 - Remote Access Software | T1646 - Exfiltration Over C2 Channel

Ukraine Warns of CABINETRAT Backdoor via Weaponized XLL Files

(published: October 1, 2025)

Ukraine’s CERT-UA has warned of a new campaign delivering a backdoor dubbed CABINETRAT (UAC-0245). Attackers are distributing malicious Excel add-in (XLL) files inside ZIP archives shared through Signal messaging, disguised as documents on sensitive topics. Once executed, the XLL installs multiple components for persistence and contacts a command-and-control server. CABINETRAT enables file exfiltration, command execution, screenshot capture, and data deletion. The malware also employs anti-analysis checks to avoid detection, underscoring its design for long-term espionage.

Analyst Comment: Campaigns like CABINETRAT remind us that conflict zones are often proving grounds for new tradecraft. Malware first deployed in a targeted geopolitical context frequently reappears later in broader criminal or espionage operations once its reliability is tested. The use of XLL add-ins, Signal as a delivery channel, and anti-analysis techniques suggests the operators are refining tools against highly scrutinized environments. That should be a warning for defenders elsewhere: what begins in Ukraine does not stay there. Tracking these developments is less about observing a distant conflict and more about anticipating what techniques may be repurposed globally.

MITRE ATT&CK: T1137.006 - Office Application Startup: Add-Ins | T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | T1053.005 - Scheduled Task/Job: Scheduled Task | T1497.001 - Virtualization/Sandbox Evasion: System Checks | T1082 - System Information Discovery | T1083 - File And Directory Discovery | T1113 - Screen Capture | T1041 - Exfiltration Over C2 Channel

Self-Propagating WhatsApp Malware “SORVEPOTEL”

(published: October 3, 2025)

Researchers have identified a self-spreading Windows malware dubbed SORVEPOTEL, actively targeting users in Brazil. The infection begins with phishing messages delivering a ZIP file containing a disguised LNK shortcut. Opening it launches a PowerShell script that downloads and executes the payload. Once installed, the malware achieves persistence by copying itself to the Windows Startup folder. Its most notable feature is abuse of WhatsApp Web sessions: it automatically sends the malicious ZIP archive to the victim’s contacts and groups, driving rapid spread without additional user action. At least 477 systems have been affected across sectors such as government, education, manufacturing, and technology. Unlike many modern campaigns, SORVEPOTEL does not appear to steal data or deploy ransomware; its primary objective is large-scale propagation and spam distribution.

Analyst Comment: SORVEPOTEL’s primary aim is propagation and spam distribution rather than direct monetization through data theft or extortion. It uses simple, well understood techniques: malicious ZIPs containing LNK shortcuts, PowerShell execution, and persistence via the Startup folder, then leverages WhatsApp Web to amplify reach. That operational simplicity matters because the same infection chain could be repurposed to deliver credential stealers, ransomware, or data exfiltration once attackers have established trust in the channel. In short, the campaign is noteworthy not for its current payload but for the reusable template it demonstrates.

MITRE ATT&CK: T1566 - Phishing | T1059.001 - Command and Scripting Interpreter: PowerShell | T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Radiant Hackers Pull Stolen Nursery Data After Backlash

(published: October 3, 2025)

A criminal group calling itself Radiant claimed responsibility for stealing data on more than 8,000 children from Kido, an international nursery chain operating in the UK, US, China, and India. To pressure the company into paying ransom, the attackers published images and personal profiles of children, as well as sensitive employee records. They even escalated to threatening parents directly by phone. Following strong condemnation from the public and cybersecurity community, the group blurred the images, then removed the data entirely and issued an apology, claiming it had been deleted. Security experts caution that such assurances from criminals cannot be trusted, as leaked data often resurfaces in other forums.

Analyst Comment: The Radiant case raises the question of whether this was a rare moment of conscience or simply a response to overwhelming pressure. The group’s apology is unusual, but reports suggest they bought access from an initial broker, leaving them financially exposed after retreating under scrutiny. That loss, paired with intense public backlash, likely explains the reversal more than any sense of ethics. Even though the group claimed to have deleted the material, once data is stolen it remains compromised regardless of later assurances.

MITRE ATT&CK: T1587.001 - Develop Capabilities: Malware | T1078 - Valid Accounts | T1041 - Exfiltration Over C2 Channel | T1657 - Financial Theft | T1486 - Data Encrypted For Impact

Hackers Exploit Milesight Routers to Send Phishing SMS to European Users

(published: October 1, 2025)

Unknown actors are abusing exposed Milesight industrial cellular routers to send phishing SMS messages by calling the devices’ inbox and outbox API endpoints. Attackers impersonate government, banking, postal, and telecom services to increase credibility. Of roughly 18,000 Milesight routers visible on the internet, 572 are assessed as potentially vulnerable, with about half located in Europe. The root cause includes the information disclosure vulnerability tracked as CVE-2023-43261 in models UR5X, UR32L, UR32, UR35, and UR41 running firmware earlier than v35.3.0.7. Some compromised devices run firmware not covered by that CVE, indicating misconfiguration or alternate techniques are also being used. So far there is no public evidence of backdoors or lateral movement beyond SMS abuse.

Analyst Comment: While the technical exploit is noteworthy, the real lesson here is about smishing itself. Attackers are using compromised routers not to steal data or plant malware but to make their SMS messages look more legitimate by sending them through real infrastructure. That raises the likelihood that a recipient will trust the message, especially when it mimics government or banking services. The best defense is behavioral: treat every SMS that asks you to act as inherently suspicious, and verify requests through another channel such as a phone call, official app, or website you navigate to yourself. From an organizational standpoint, this campaign is a reminder to harden messaging gateways and reduce reliance on SMS for critical communications, because attackers will keep innovating ways to abuse trust in the channel.

MITRE ATT&CK: T1190 - Exploit Public-Facing Application | T1071.004 - Application Layer Protocol: DNS | T1027 - Obfuscated Files Or Information | T1566.002 - Phishing: Spearphishing Link
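The affected models and fixed firmware version quoted above translate directly into an inventory check, with one wrinkle the write-up itself raises: patched routers were also abused, so internet exposure must be triaged on its own. This is an added illustration, not code from the Anomali post or the vendor; the inventory rows, host names and the `exposed` flag are constructed assumptions.

```python
"""Inventory triage for Milesight cellular routers against CVE-2023-43261.

Added illustration, not from the Anomali post or the vendor. Affected models and
the fixed firmware come from the write-up; the inventory below is constructed.
"""
import re

AFFECTED_MODELS = ("UR5X", "UR32L", "UR32", "UR35", "UR41")  # UR5X covers UR50..UR59
FIXED_VERSION = "35.3.0.7"  # firmware earlier than this is in the CVE's scope


def parse_version(v: str) -> tuple:
    """'v35.3.0.6' -> (35, 3, 0, 6). Tuple comparison orders 35.3.0.10 after
    35.3.0.7, which a plain string comparison would get wrong."""
    return tuple(int(p) for p in v.lower().lstrip("v").split("."))


def model_affected(model: str) -> bool:
    model = model.upper()
    for pattern in AFFECTED_MODELS:
        if pattern.endswith("X"):
            if re.fullmatch(pattern[:-1] + r"\d", model):
                return True
        elif model == pattern:
            return True
    return False


def triage(inventory):
    """inventory: dicts with 'host', 'model', 'firmware', 'exposed'.
    Returns host -> recommended action for affected models only."""
    actions = {}
    for dev in inventory:
        if not model_affected(dev["model"]):
            continue
        vulnerable = parse_version(dev["firmware"]) < parse_version(FIXED_VERSION)
        if vulnerable and dev["exposed"]:
            actions[dev["host"]] = "patch and remove from internet now"
        elif vulnerable:
            actions[dev["host"]] = "patch"
        elif dev["exposed"]:
            # Patched but reachable: the write-up reports abuse of devices outside
            # the CVE's scope, so exposure of the SMS API still needs review.
            actions[dev["host"]] = "review exposure and SMS API access"
    return actions


# Constructed inventory (assumption): host names and flags are not real devices.
INVENTORY = [
    {"host": "rtr-01", "model": "UR32", "firmware": "v35.3.0.6", "exposed": True},
    {"host": "rtr-02", "model": "UR52", "firmware": "35.3.0.10", "exposed": False},
    {"host": "rtr-03", "model": "UR35", "firmware": "v35.2.0.9", "exposed": False},
    {"host": "rtr-04", "model": "UR41", "firmware": "v35.3.0.7", "exposed": True},
    {"host": "rtr-05", "model": "OTHER-MODEL", "firmware": "v1.0.0.0", "exposed": True},
]

if __name__ == "__main__":
    for host, action in triage(INVENTORY).items():
        print(host, "->", action)
```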

Red Hat Confirms Security Incident After Breach of Consulting GitLab Instance

(published: October 2, 2025)

Red Hat confirmed a security incident involving unauthorized access to a self-managed GitLab instance used by its Consulting division. The extortion group calling itself “Crimson Collective” claimed responsibility, alleging the theft of roughly 570 GB of compressed data from more than 28,000 repositories, including about 800 Customer Engagement Reports (CERs). These documents often contain sensitive infrastructure details, configurations, and credentials, though Red Hat has not verified the attackers’ claims regarding CERs. The group first publicized the breach on October 1 via a Telegram channel created in late September, sharing file trees, screenshots, and sample documents as evidence. Red Hat stated the compromise was isolated to the consulting environment and that its core product infrastructure and software supply chain remain unaffected. The company revoked access, isolated the instance, and began remediation, but the incident raises downstream risk for enterprise customers whose environments may be reflected in the consulting deliverables.

Analyst Comment: The real risk lies in the nature of what may have been exposed rather than the infrastructure that was breached. Consulting deliverables such as CERs often condense a detailed understanding of enterprise networks into a single source, mapping configurations, dependencies, and access patterns in a way that adversaries would otherwise spend months uncovering. This makes the material highly attractive from an attacker’s perspective, especially if it covers large, complex organizations. While Red Hat has emphasized that its broader software supply chain is unaffected, the claims around the consulting data highlight how documentation itself can become an attack surface. Even without confirmation of specific contents, the potential intelligence value is significant and explains why such repositories are high-value targets.

MITRE ATT&CK: T1190 - Exploit Public-Facing Application | T1562 - Impair Defenses | T1555 - Credentials From Password Stores | T1591 - Gather Victim Org Information | T1213 - Data From Information Repositories | T1041 - Exfiltration Over C2 Channel | T1490 - Inhibit System Recovery

Anomali Threat Research

Anomali's Threat Research team continually tracks security threats to identify when new, highly critical security threats emerge. The Anomali Threat Research team's briefings discuss current threats and risks like botnets, data breaches, misconfigurations, ransomware, threat groups, and various vulnerabilities. The team also creates free and premium threat intelligence feeds for Anomali's industry-leading Threat Intelligence Platform, ThreatStream.
