Anomali Cyber Watch: PXA Stealer, ClickFix Malware, Fake TikTok Shops, Throttlestop, and More


In this edition of Anomali Cyber Watch, we're covering threats related to the following topics: ToolShell vulnerabilities, PXA Stealer, ClickFix Malware, a fake TikTok Shop network, Bahamut, DoNot APT, ThrottleStop, Samourai Wallet, RubyGems, GreedyBear, and Efimer Trojan. The IoCs related to these stories are linked below and can be used by Anomali ThreatStream users to check logs for potential malicious activity.
Ransomware Gangs Exploit ToolShell Vulnerabilities in Microsoft SharePoint Servers
(published: August 7, 2025)
Multiple ransomware groups have joined ongoing exploitation of critical Microsoft SharePoint vulnerabilities, collectively known as ToolShell. Initially leveraged by state‑linked actors for espionage, these flaws are now being actively abused by financially motivated gangs, including the Warlock and 4L4MD4R ransomware crews. Attackers gain unauthenticated access to SharePoint instances, extract machine keys to forge authentication tokens, and deploy ransomware to disrupt operations and demand payment. Hundreds of systems have been compromised globally, with sectors such as government, healthcare, and higher education hit hardest. Warlock ransomware, in particular, is being distributed freely in underground forums, lowering the barrier to entry for less skilled attackers. Microsoft has released patches, but many servers remain unprotected, leaving organizations exposed to both data loss and prolonged recovery times.
Analyst Comment: What stands out here is how quickly ransomware operators moved in once the ToolShell flaws became public. Groups like 4L4MD4R and Warlock are using the exact same exploit path as nation-state actors but applying it for fast, disruptive extortion. The free distribution of Warlock’s encryptor lowers the bar even further. That kind of accessibility means organizations will start seeing variants from less experienced actors who are still capable of causing real damage. Patching is the baseline, not the solution. Treat exposed SharePoint servers as already compromised until proven otherwise. Rotate machine keys, monitor for forged tokens, and isolate systems from critical infrastructure if patching cannot be immediate.
MITRE ATT&CK: T1190 - Exploit Public-Facing Application | T1059.003 - Command and Scripting Interpreter: Windows Command Shell | T1505.003 - Server Software Component: Web Shell | T1552.004 - Unsecured Credentials: Private Keys | T1003 - OS Credential Dumping | T1078 - Valid Accounts | T1021.006 - Remote Services: Windows Remote Management | T1005 - Data from Local System
Vietnamese Cybercriminals Deploy Evasive Python‑Based PXA Stealer Globally
(published: August 4, 2025)
Cybersecurity researchers have uncovered a sophisticated information-stealing campaign using the Python-based PXA Stealer, attributed to Vietnamese-speaking criminal actors. Since late 2024, this malware has infected over 4,000 unique IP addresses across 62 countries, including South Korea, the United States, the Netherlands, Hungary, and Austria. It is capable of harvesting large volumes of sensitive data, including over 200,000 passwords, hundreds of credit card records, and more than 4 million browser cookies. The attackers rely on advanced evasion tactics such as DLL sideloading and staged decoy files to avoid detection. Exfiltrated data is sent to Telegram-based infrastructure and monetized through a subscription-style criminal marketplace.
Analyst Comment: What stands out here is the integration between PXA Stealer and platforms like Sherlock. Stolen data is not just dumped but routed into a ready-made marketplace where others can buy access and repurpose it. This creates a supply chain where credential theft, crypto fraud, and network intrusion are all linked. Defenders need to think in terms of downstream risk. A single infostealer infection can quietly open the door to much larger breaches weeks later. Monitoring for logins from unusual locations or devices long after initial compromise is essential.
MITRE ATT&CK: T1566 - Phishing | T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking | T1059 - Command and Scripting Interpreter | T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | T1555.001 - Credentials from Password Stores: Keychain | T1555.003 - Credentials from Password Stores: Credentials from Web Browsers | T1555.002 - Credentials from Password Stores: Securityd Memory | T1005 - Data from Local System | T1041 - Exfiltration Over C2 Channel
ClickFix Malware Campaign Exploits CAPTCHAs to Spread Cross‑Platform Infections
(published: August 5, 2025)
A social engineering tactic known as ClickFix has rapidly evolved, leveraging a combination of propagation methods, narrative sophistication, and evasion techniques to replace the earlier fake browser‑update scams. First spotted in early 2024, this new strain capitalizes on fake CAPTCHA prompts and disguised error messages to trick users into executing malicious commands, either via the Windows Run dialog or macOS Terminal, sometimes via drive‑by downloads. The approach spreads through phishing, malvertising, SEO poisoning, and trusted infrastructure, leading to both mass drive‑by infections and precision spear‑phishing attacks.
Analyst Comment: ClickFix relies on users to execute the malware themselves through fake CAPTCHAs and error messages, making it harder to catch with traditional defenses. The campaign spreads across platforms and uses trusted infrastructure, avoiding many automated detection systems. Mitigation should focus on user awareness and behavioral monitoring. Train users to be cautious of command-line prompts from browsers. Deploy DNS filtering, monitor clipboard and shell activity, and consider browser isolation in sensitive environments. This is a social engineering problem wrapped in a technical delivery. Treat it accordingly.
MITRE ATT&CK: T1204.004 - User Execution: Malicious Copy and Paste
Massive Fake TikTok Shop Network Delivers Infostealers via Malvertising
(published: August 7, 2025)
Security researchers at Guardio Labs uncovered a large-scale malvertising campaign abusing Google Ads and search engine optimization (SEO) to distribute infostealer malware through over 15,000 typosquatted TikTok Shop lookalike domains. These fake sites impersonate the official TikTok e-commerce platform and lure users searching for "TikTok Shop" into downloading ZIP files that deliver known infostealers like Rilide and Lumma. The campaign is attributed to a threat actor dubbed "BogusTok" and has been active since July 2024. The attackers used automation to register thousands of deceptive domains and rotate them constantly, undermining blacklists and domain takedown efforts. Some domains were registered minutes apart, with as many as 75 launched in a single day. Victims are typically infected via drive-by download or through misleading ads placed on popular search engines. Guardio notes the campaign is ongoing and evolving, demonstrating industrial-scale abuse of internet trust mechanisms.
Analyst Comment: This campaign matters not just because of its scale, but because it hijacks a brand that reaches nearly every age group. TikTok is now deeply embedded in daily life for many, especially younger users who may not pause to verify a link when searching for TikTok Shop. That makes this an issue that goes beyond corporate security teams. If you’re reading this, take the time to talk to people around you, friends, family, anyone who uses TikTok, about the risks of clicking on ads or downloading from unofficial sites. A quick heads-up might save someone from handing over their credentials without realizing it.
MITRE ATT&CK: T1189 - Drive-By Compromise | T1583.008 - Acquire Infrastructure: Malvertising | T1204 - User Execution
Bahamut and DoNot APT Groups Deploy Spyware via Fake Android and iOS Utility Apps
(published: August 8, 2025)
ESET researchers have uncovered a long-running spyware campaign leveraging fake Android and iOS apps disguised as VPNs and parental control tools. Attributed to the Bahamut and DoNot APT groups, the campaign has been active since at least 2022 and targets users across South Asia, the Middle East, and parts of Europe. Android variants were distributed via third-party sites and fake branded websites, with apps like “Lite VPN” and “iWawa” exploiting accessibility services to steal call logs, contacts, location, and messages. For iOS, the attackers promoted a fake parental control app using realistic websites, likely delivered through phishing and sideloaded via MDM or Apple TestFlight rather than the App Store. The spyware is modular and remotely configurable, indicating a tailored approach to surveillance. Infrastructure overlaps suggest shared resources or cooperation between Bahamut and DoNot, both known for targeting civil society groups.
Analyst Comment: Some people still treat phones as less important than laptops when it comes to security, but for most of us, they hold the same accounts, the same access, and often even more personal data. This campaign exploits that blind spot. The apps seem useful, the websites look convincing, and it’s easy to see how someone might install one without a second thought, especially for a child’s device or a quick VPN. Mobile devices are now widely used for work and hold sensitive data just like any endpoint. They are part of the attack surface whether we acknowledge it or not. That shift needs to be reflected not just in policy but in how we think about risk at work and at home.
MITRE ATT&CK: T1598 - Phishing For Information | T1056.001 - Input Capture: Keylogging | T1420 - File And Directory Discovery | T1041 - Exfiltration Over C2 Channel
Threat Actors Exploit ThrottleStop Driver to Disable AV Protections
(published: August 8, 2025)
Researchers have discovered a stealthy anti-antivirus (AV) method abusing the signed ThrottleStop driver (ThrottleStop.sys) to disable security tools on compromised Windows systems. The attack leverages ThrottleStop’s legitimate driver, signed with a valid certificate, to exploit a known vulnerability (now tracked as CVE-2025-7771, a reassignment from CVE-2023-45925). This vulnerability enables kernel-level access, allowing attackers to bypass endpoint protection by directly modifying kernel memory and disabling AV drivers without detection. The abuse was found in the wild, with adversaries sideloading the driver via a dropper and issuing crafted IOCTL commands to kill defenses like Microsoft Defender and CrowdStrike Falcon. Despite being patched in October 2023, the technique remains viable due to unrevoked certificates and the fact that the driver is still loadable in most environments.
Analyst Comment: The attacker got in using valid admin credentials. That’s not unusual anymore. Phishing and infostealers still do most of the heavy lifting for initial access, and the stolen credentials continue to circulate long after the breach. What stood out to me was the use of a signed but vulnerable driver to quietly kill off AV tools like Defender and Falcon through custom IOCTL calls. It’s a subtle but effective technique. The vulnerability was patched back in 2023, yet the certificate remains valid and the driver is still not reliably blocked. Detection should focus on abnormal memory operations linked to drivers. Mitigation means enforcing driver allowlists and rethinking what “trusted” really means in your environment. Note: The original article includes a YARA rule to detect this threat in real time, based on file structure, AV-related strings, and imported functions.
MITRE ATT&CK: T1057 - Process Discovery | T1562.001 - Impair Defenses: Disable Or Modify Tools | T1562.006 - Impair Defenses: Indicator Blocking | T1543.003 - Create or Modify System Process: Windows Service | T1489 - Service Stop | T1068 - Exploitation For Privilege Escalation | T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control | T1036.005 - Masquerading: Match Legitimate Name Or Location | T1105 - Ingress Tool Transfer | T1078 - Valid Accounts
Samourai Wallet Founders Plead Guilty to Laundering Billions in Criminal Proceeds
(published: August 8, 2025)
The co-founders of the privacy-focused Samourai Wallet, Keonne Rodriguez and William Lonergan Hill, have pleaded guilty to operating an unlicensed money-transmitting business and conspiring to launder over $100 million in illicit funds. The wallet’s built-in CoinJoin mixer was marketed as a privacy tool but was widely used to obscure transactions linked to darknet markets, ransomware, and other criminal activities. Between 2015 and 2024, Samourai processed over $2 billion in cryptocurrency, including funds tied to Silk Road, Hydra, and sanctioned services. The service was shut down in April 2024 following a federal indictment and seizure of its infrastructure. The case is one of the largest US prosecutions targeting crypto mixing services, following actions against Tornado Cash and ChipMixer, and reflects a growing crackdown on tools facilitating anonymity in illicit finance. Rodriguez faces sentencing in November 2025, while Hill awaits extradition from Portugal.
Analyst Comment: Often cyber news, like the regular news, is filled with doom and gloom, but this case proves that bad actors do get caught and face real consequences. The arrests and guilty pleas of the Samourai Wallet founders send a strong signal that laundering ransomware and dark web proceeds through so-called privacy tools is not beyond reach. This is a win for the broader security community and a reminder that legal systems are adapting to the evolving threat landscape.
RubyGems, PyPI Hit by Malicious Packages Targeting Credentials
(published: August 8, 2025)
A wave of 60 malicious Ruby gems, active since at least March 2023, has been discovered posing as benign automation tools for platforms like Instagram, Twitter/X, TikTok, WordPress, Telegram, and others. These libraries, downloaded over 275,000 times, displayed simple user interfaces for credential input, while silently exfiltrating usernames and passwords to external servers, predominantly targeting South Korean users. Simultaneously, typosquat PyPI packages mimicking “bittensor” utilities were found to hijack cryptocurrency staking functions to steal digital assets. In response, PyPI will start rejecting wheel uploads with mismatched ZIP contents and metadata from February 1, 2026, following six months of warnings, to combat ZIP parser confusion attacks.
Analyst Comment: I'm seeing more and more of these “trusted” developer packages turn out to be malicious. They slip into ecosystems like RubyGems or PyPI disguised as helpful tools, often offering exactly the kind of automation developers are looking for. The functionality works, but so does the credential theft running quietly in the background. Security teams should treat every third-party package as a potential risk. Lock dependencies to known-good versions, manually review new or low-reputation packages, and run unknown code in isolated environments. Code reuse is necessary, but trust in public ecosystems should never be assumed.
MITRE ATT&CK: T1059 - Command And Scripting Interpreter | T1552 - Unsecured Credentials | T1119 - Automated Collection | T1567 - Exfiltration Over Web Service
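The PyPI change described above is about wheels whose ZIP contents disagree with their own metadata. As an added illustration (not the page's or PyPI's own code), the script below builds a tiny fictional wheel in memory and then runs two defender-side consistency checks on it: every ZIP member must appear in the wheel's RECORD file with a matching sha256 and size, and no member name may appear twice in the archive (two entries with one name is a classic parser-differential, since different unpackers keep different copies). The package name, file contents and the `build_wheel` fixture are all constructed for this example; the checks approximate the kind of mismatch the text refers to rather than reproducing PyPI's validator.

```python
"""Check a wheel's ZIP contents against its RECORD and flag duplicate members.

Added example with a constructed fixture; the package 'pkg 1.0' is fictional.
"""
import base64
import csv
import hashlib
import io
import warnings
import zipfile
from typing import Dict, List, Optional, Tuple

DIST_INFO = "pkg-1.0.dist-info"  # fictional package name/version

SAMPLE_FILES: Dict[str, bytes] = {  # constructed package contents
    "pkg/__init__.py": b"VERSION = '1.0'\n",
    f"{DIST_INFO}/METADATA": b"Metadata-Version: 2.1\nName: pkg\nVersion: 1.0\n",
}


def record_digest(data: bytes) -> str:
    """RECORD hash format: sha256=<urlsafe base64 with '=' padding stripped>."""
    raw = base64.urlsafe_b64encode(hashlib.sha256(data).digest())
    return "sha256=" + raw.rstrip(b"=").decode("ascii")


def build_wheel(files: Dict[str, bytes],
                unlisted: Optional[Tuple[str, bytes]] = None,
                duplicate: Optional[Tuple[str, bytes]] = None) -> bytes:
    """Test fixture: a minimal wheel, optionally with an unlisted or duplicated member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        rows = []
        for name, data in files.items():
            zf.writestr(name, data)
            rows.append([name, record_digest(data), str(len(data))])
        rows.append([f"{DIST_INFO}/RECORD", "", ""])  # RECORD lists itself without hash/size
        out = io.StringIO()
        csv.writer(out, lineterminator="\n").writerows(rows)
        zf.writestr(f"{DIST_INFO}/RECORD", out.getvalue())
        if unlisted:
            zf.writestr(*unlisted)  # a member RECORD never mentions
        if duplicate:
            with warnings.catch_warnings():
                warnings.simplefilter("ignore")  # zipfile warns about the duplicate name
                zf.writestr(*duplicate)  # second entry under an existing name
    return buf.getvalue()


def check_wheel(blob: bytes) -> List[str]:
    """Return a list of findings; an empty list means contents and RECORD agree."""
    findings: List[str] = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        names = [info.filename for info in zf.infolist()]
        unique = list(dict.fromkeys(names))  # preserve archive order, drop repeats
        for name in unique:
            if names.count(name) > 1:
                findings.append(f"duplicate member: {name}")
        record_name = next((n for n in unique if n.endswith(".dist-info/RECORD")), None)
        if record_name is None:
            findings.append("no RECORD file")
            return findings
        listed: Dict[str, Tuple[str, str]] = {}
        for row in csv.reader(io.StringIO(zf.read(record_name).decode("utf-8"))):
            if len(row) >= 3:
                listed[row[0]] = (row[1], row[2])
        for name in unique:
            if name == record_name:
                continue
            if name not in listed:
                findings.append(f"member not in RECORD: {name}")
                continue
            data = zf.read(name)  # for a duplicated name, zipfile hands back the last copy
            digest, size = listed[name]
            if digest and digest != record_digest(data):
                findings.append(f"hash mismatch: {name}")
            if size and int(size) != len(data):
                findings.append(f"size mismatch: {name}")
        for path in listed:
            if path not in unique:
                findings.append(f"RECORD lists a missing file: {path}")
    return findings


if __name__ == "__main__":
    print("clean:", check_wheel(build_wheel(SAMPLE_FILES)))
    print("unlisted:", check_wheel(build_wheel(SAMPLE_FILES, unlisted=("pkg/_hook.py", b"# unlisted\n"))))
    print("duplicate:", check_wheel(build_wheel(SAMPLE_FILES, duplicate=("pkg/__init__.py", b"print('other')\n"))))
```

Running `check_wheel` against a downloaded wheel before installing it catches a member that was slipped into the archive without touching RECORD, and a second copy of a file that an installer might pick over the reviewed one. It does not replace pinning or review; it is one cheap check to add to a package-intake step.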
GreedyBear Weaponizes Hundreds of Firefox Wallet Extensions to Steal Crypto
(published: August 8, 2025)
A campaign dubbed GreedyBear has infiltrated the Mozilla Firefox extension marketplace using over 150 malicious add-ons that mimic legitimate cryptocurrency wallets such as MetaMask, Exodus, TronLink, and Rabby Wallet. The adversaries employed a method called Extension Hollowing, where initially benign extensions are uploaded and later transformed into credential-stealing tools after passing initial review. These extensions harvest wallet credentials and IP addresses, forwarding them to a single attacker-controlled server, which also handles other malicious operations like distributing ransomware and baiting users with fake wallet‑repair tools. The same infrastructure has been observed targeting Google Chrome via a fake Filecoin Wallet extension. The use of AI-generated code and aged YouTube accounts for distributing smart‑contract scams further underscores the automation and sophistication of the operation.
Analyst Comment: Update channels should be treated as part of the attack surface, but they rarely are. This campaign shows how easily trust can be abused after install. I’ve seen more of this lately where clean code goes live and then turns malicious through a quiet update. Most environments miss it because no one is watching what happens after approval. Version locking and monitoring for post-install changes like new permissions or outbound traffic should be standard, especially in environments that touch crypto.
MITRE ATT&CK: T1176 - Browser Extensions
Efimer Trojan Campaign Uses Email and WordPress Sites to Target Cryptocurrency Users
(published: August 8, 2025)
A newly detailed campaign reveals how threat actors are distributing the Efimer Trojan through phishing emails and compromised WordPress sites to steal cryptocurrency. The emails impersonate legal complaints, using ZIP attachments that contain obfuscated script-based malware. Once executed, Efimer disables defenses, installs a Tor proxy, and launches a clipboard hijacker that swaps copied wallet addresses for attacker-controlled ones. Beyond clipjacking, Efimer also exfiltrates mnemonic phrases, takes screenshots, and executes remote commands over Tor. Its infrastructure includes additional scripts to brute-force WordPress sites, harvest email addresses, and deliver malware via fake torrents. The malware’s modular design, slow beaconing (every 30 minutes), and multi-vector distribution make it stealthy and persistent. Efimer has affected over 5,000 users globally since late 2024, with the highest concentration in Brazil.
Analyst Comment: Efimer grabs wallet data and seed phrases, then sends them out through Tor, keeping a low profile by spacing out its traffic. That kind of low-noise exfiltration is harder to catch, especially in environments that don’t monitor for Tor usage. It’s a reminder that even basic malware can be made stealthy with a bit of patience and planning. If your network allows Tor traffic by default, it’s worth rethinking that. Blocking or at least alerting on Tor usage from endpoints can help flag early signs of compromise before more damage is done.
MITRE ATT&CK: T1204.002 - User Execution: Malicious File | T1027 - Obfuscated Files Or Information | T1140 - Deobfuscate/Decode Files Or Information | T1053 - Scheduled Task/Job | T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | T1573 - Encrypted Channel | T1105 - Ingress Tool Transfer | T1113 - Screen Capture | T1115 - Clipboard Data | T1119 - Automated Collection | T1110 - Brute Force | T1041 - Exfiltration Over C2 Channel
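The summary above notes that Efimer beacons every 30 minutes over Tor, and the analyst comment says that spacing out traffic is what makes it hard to catch. One way to turn that cadence into a detection is to look for flows whose connection intervals are almost constant, since timers produce regular gaps and people do not. The script below is an added example, not the page's or any vendor's code: it reads a constructed connection log (timestamp, source, destination, port) and flags any source/destination pair with at least four connections whose inter-arrival jitter is low. The log lines, hosts and thresholds are all assumptions for the demonstration.

```python
"""Flag fixed-cadence outbound connections (beaconing) in a connection log.

Added example; the log below is constructed and uses documentation IP ranges.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, Iterable, Iterator, List, Tuple

# Constructed sample: "timestamp src dst dport". 10.0.0.42 beacons roughly every
# 30 minutes; 10.0.0.17 is an ordinary browsing pattern; 10.0.0.99 has too few events.
SAMPLE_CONN_LOG = """\
2025-08-01T09:00:00 10.0.0.42 203.0.113.9 9001
2025-08-01T09:02:10 10.0.0.17 198.51.100.5 443
2025-08-01T09:05:10 10.0.0.17 198.51.100.5 443
2025-08-01T09:30:12 10.0.0.42 203.0.113.9 9001
2025-08-01T09:41:10 10.0.0.17 198.51.100.5 443
2025-08-01T09:59:51 10.0.0.42 203.0.113.9 9001
2025-08-01T10:30:05 10.0.0.42 203.0.113.9 9001
2025-08-01T10:50:10 10.0.0.17 198.51.100.5 443
2025-08-01T10:52:10 10.0.0.17 198.51.100.5 443
2025-08-01T11:00:02 10.0.0.42 203.0.113.9 9001
2025-08-01T11:10:00 10.0.0.99 192.0.2.44 443
2025-08-01T11:40:00 10.0.0.99 192.0.2.44 443
"""

Flow = Tuple[str, str, int]


def parse_conn_log(lines: Iterable[str]) -> Iterator[Tuple[datetime, str, str, int]]:
    """Yield (timestamp, src, dst, dport); malformed lines are skipped."""
    for raw in lines:
        parts = raw.split()
        if len(parts) != 4:
            continue
        ts, src, dst, port = parts
        yield datetime.fromisoformat(ts), src, dst, int(port)


def find_beacons(lines: Iterable[str], min_events: int = 4,
                 max_jitter: float = 0.15) -> List[Dict[str, object]]:
    """Return flows whose gaps between connections are nearly constant.

    jitter = population stddev of the gaps / mean gap. A timer-driven beacon sits
    near 0; interactive traffic is typically near or above 1. The 0.15 cutoff and
    the four-event minimum are assumptions to tune against your own baseline.
    """
    seen: Dict[Flow, List[datetime]] = defaultdict(list)
    for ts, src, dst, port in parse_conn_log(lines):
        seen[(src, dst, port)].append(ts)

    findings: List[Dict[str, object]] = []
    for (src, dst, port), times in seen.items():
        if len(times) < min_events:
            continue  # not enough samples to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # all events share a timestamp; not a cadence
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            findings.append({
                "src": src, "dst": dst, "dport": port,
                "events": len(times),
                "mean_interval_s": avg,
                "jitter": jitter,
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_CONN_LOG.splitlines()):
        print(f"{f['src']} -> {f['dst']}:{f['dport']} every ~{f['mean_interval_s']:.0f}s "
              f"({f['events']} events, jitter {f['jitter']:.3f})")
```

The 30-minute flow is the only one reported, even though its timestamps drift by a few seconds, while the browsing flow with a similar event count is ignored because its gaps vary wildly. On real data the same logic runs over firewall or proxy exports, and the candidate flows are then reviewed for the Tor-related context the analyst comment describes rather than treated as verdicts.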
Active Exploitation of Microsoft SharePoint “ToolShell” Vulnerabilities Triggers Urgent Mitigations
(published: August 6, 2025)
CISA warns that attackers are chaining SharePoint flaws to gain unauthenticated access to on-premises SharePoint Server, drop web shells, steal ASP.NET MachineKey material, and deploy ransomware. Microsoft confirms SharePoint Online is not affected and has released updates for SharePoint Server 2016, 2019, and Subscription Edition that address CVE-2025-49704, CVE-2025-49706, and related CVE-2025-53770 and CVE-2025-53771. Required actions include applying the updates, enabling AMSI in Full Mode, rotating machine keys, restarting IIS, and removing internet exposure if AMSI cannot be enabled. CISA recommends monitoring for POSTs to /_layouts/15/ToolPane.aspx?DisplayMode=Edit with a /_layouts/SignOut.aspx referrer and notes observed Warlock ransomware on compromised hosts. Unit 42 also reports 4L4MD4R ransomware deployed via the same activity.
Analyst Comment: ToolShell has been around since May, first shown at the Pwn2Own Berlin hacking contest where a researcher chained SharePoint flaws into a working exploit. It started as a proof of concept but by July attackers were bypassing Microsoft’s initial patch and using the same chain to breach servers. The technique has since been refined to steal machine keys directly from memory and deploy ransomware linked to groups such as Warlock and 4L4MD4R. This shift shows the need for more than just patching. Rotating keys, enabling AMSI, restarting IIS, and running targeted post-patch hunts are essential. If a server has been exploited, remediation should go further by revoking keys, checking IIS for malicious modules, and inspecting memory for threats that will not appear in file-based scans.
MITRE ATT&CK: T1190 - Exploit Public-Facing Application | T1059.001 - Command and Scripting Interpreter: PowerShell | T1505.003 - Server Software Component: Web Shell | T1562.001 - Impair Defenses: Disable or Modify Tools | T1552.004 - Unsecured Credentials: Private Keys | T1071.001 - Application Layer Protocol: Web Protocols | T1041 - Exfiltration Over C2 Channel | T1486 - Data Encrypted for Impact
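The CISA monitoring advice quoted above (POSTs to `/_layouts/15/ToolPane.aspx?DisplayMode=Edit` carrying a `/_layouts/SignOut.aspx` referrer) maps directly onto fields that IIS already writes in its W3C logs. The script below is an added example, not code from the page or from CISA: it parses a constructed IIS log fragment using the `#Fields:` directive, applies the stated request pattern, and rates a match "high" when the SignOut referrer is present and "review" when a POST to ToolPane with `DisplayMode=Edit` arrives without it. The log lines, host name `sp.example.internal` and client addresses are all constructed for the demonstration.

```python
"""Hunt for the ToolShell request pattern CISA describes in IIS W3C logs.

Added example with a constructed log; IIS encodes spaces in the User-Agent as '+'
and writes '-' for an absent referrer, which the sample reproduces.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List, Optional

SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-20 03:14:07 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 198.51.100.23 Mozilla/5.0+(Windows+NT+10.0) https://sp.example.internal/_layouts/SignOut.aspx 200
2025-07-20 03:15:11 10.0.0.5 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\\jdoe 10.0.0.77 Mozilla/5.0+(Windows+NT+10.0) https://sp.example.internal/sites/hr/default.aspx 200
2025-07-20 03:16:02 10.0.0.5 POST /sites/hr/_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 198.51.100.23 python-requests/2.31 - 200
2025-07-20 03:17:30 10.0.0.5 GET /sites/hr/default.aspx - 443 CORP\\asmith 10.0.0.78 Mozilla/5.0+(Windows+NT+10.0) - 200
"""


@dataclass
class Hit:
    time: str
    client_ip: str
    uri_stem: str
    referer: str
    confidence: str  # "high" with the SignOut.aspx referrer, otherwise "review"


def parse_w3c(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields: List[str] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # field names can change mid-file; track the latest
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        values = line.split()
        if fields and len(values) == len(fields):
            yield dict(zip(fields, values))


def classify(entry: Dict[str, str]) -> Optional[str]:
    """Apply the CISA pattern; None means the request does not match."""
    method = entry.get("cs-method", "").upper()
    stem = entry.get("cs-uri-stem", "").lower()
    query = entry.get("cs-uri-query", "").lower()
    referer = entry.get("cs(Referer)", "").lower()
    # endswith() also covers site-collection paths such as /sites/hr/_layouts/15/ToolPane.aspx
    if method != "POST" or not stem.endswith("/_layouts/15/toolpane.aspx"):
        return None
    if "displaymode=edit" not in query:
        return None
    return "high" if "/_layouts/signout.aspx" in referer else "review"


def hunt(lines: Iterable[str]) -> List[Hit]:
    """Return every matching request in log order."""
    hits: List[Hit] = []
    for entry in parse_w3c(lines):
        verdict = classify(entry)
        if verdict:
            hits.append(Hit(
                time=f"{entry.get('date', '-')} {entry.get('time', '-')}",
                client_ip=entry.get("c-ip", "-"),
                uri_stem=entry["cs-uri-stem"],
                referer=entry.get("cs(Referer)", "-"),
                confidence=verdict,
            ))
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_IIS_LOG.splitlines()):
        print(hit)
```

On the sample, the first line matches with high confidence and the third (same client, no referrer, scripted User-Agent) is flagged for review; the ordinary GET requests are ignored. Pointing `hunt` at the real log directory for each SharePoint web application is the post-patch hunt the analyst comment calls for, and any "high" hit should feed straight into the machine-key rotation and IIS module inspection steps listed above.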