
Anomali Cyber Watch: SesameOp Backdoor, DragonForce Cartel, Gootloader Malware, and More

Anomali Threat Research
November 11, 2025

SesameOp Backdoor Abuses OpenAI Assistants API for Command and Control

(published: November 3, 2025)

Microsoft’s DART team discovered a backdoor dubbed SesameOp during an incident response in July 2025, with the actors having maintained access for several months prior. Investigation revealed internal web shells relaying commands to persistent malicious processes that abused multiple Microsoft Visual Studio utilities via injected malicious libraries using .NET AppDomainManager injection. The backdoor includes a loader (Netapi64.dll) and a managed component (OpenAIAgent.Netapi64) that uses the OpenAI Assistants API for encrypted command and control, retrieving tasking and returning execution results via the same channel. Microsoft states no OpenAI platform vulnerability was exploited; the API was misused as a covert C2 conduit.
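The injection technique named above works through configuration rather than code: the CLR will load whatever assembly and type an executable's .config names under `<runtime>`, so a file dropped beside a trusted binary is enough. The following hunt script is an added example written for this digest, not Microsoft's or Anomali's code. It scans .config contents for those settings and explains why each hit deserves review. The sample configs are constructed (the suspect one only borrows the loader and component names reported above; the config layout is an assumption), and the trusted public-key-token allow-list is empty by assumption so that every hit is reviewed by hand.

```python
"""Hunt for .NET AppDomainManager injection settings in application .config files.

Added example (not Microsoft's or Anomali's code). The CLR reads
<appDomainManagerAssembly> and <appDomainManagerType> under <runtime> in an
executable's .config; whoever can write that file (plus the named DLL) next to
a trusted signed binary gets managed code loaded into that process.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Assumption: strong-name public key tokens of vendors whose AppDomainManager
# use you have vetted. Empty means every hit is escalated for manual review.
TRUSTED_TOKENS = frozenset()


@dataclass
class Finding:
    path: str
    assembly: str
    manager_type: str
    reasons: list = field(default_factory=list)


def parse_appdomain_manager(config_xml):
    """Return (assembly, type) when the config names an AppDomainManager, else None."""
    try:
        root = ET.fromstring(config_xml)
    except ET.ParseError:
        return None
    runtime = root.find("runtime")
    if runtime is None:
        return None
    asm = runtime.find("appDomainManagerAssembly")
    typ = runtime.find("appDomainManagerType")
    if asm is None and typ is None:
        return None
    return (asm.get("value", "") if asm is not None else "",
            typ.get("value", "") if typ is not None else "")


def assess(path, assembly, manager_type, trusted_tokens=TRUSTED_TOKENS):
    """Build a Finding that says why this config deserves a look."""
    reasons = ["config sets an AppDomainManager (T1574.014 candidate)"]
    m = re.search(r"PublicKeyToken=([0-9a-fA-F]+|null)", assembly)
    token = m.group(1).lower() if m else "null"
    if token == "null":
        reasons.append("assembly is not strong-name signed (PublicKeyToken=null)")
    elif token not in trusted_tokens:
        reasons.append(f"public key token {token} is not on the allow-list")
    if not assembly or not manager_type:
        reasons.append("assembly and type are not both set; partial or tampered config")
    return Finding(path, assembly, manager_type, reasons)


def hunt(configs, trusted_tokens=TRUSTED_TOKENS):
    """configs: mapping of .config path -> file contents. Returns a list of Findings."""
    findings = []
    for path, xml_text in configs.items():
        hit = parse_appdomain_manager(xml_text)
        if hit:
            findings.append(assess(path, hit[0], hit[1], trusted_tokens))
    return findings


# Constructed samples. The suspect config reuses the loader / component names
# reported for SesameOp; the config layout itself is an assumption.
BENIGN = """<configuration>
  <startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8"/></startup>
</configuration>"""
SUSPECT = """<configuration>
  <runtime>
    <appDomainManagerAssembly value="Netapi64, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
    <appDomainManagerType value="OpenAIAgent.Netapi64"/>
  </runtime>
</configuration>"""
SAMPLES = {
    r"C:\Program Files\Vendor\tool.exe.config": BENIGN,    # constructed path
    r"C:\Program Files\Vendor\other.exe.config": SUSPECT,  # constructed path
}

if __name__ == "__main__":
    for f in hunt(SAMPLES):
        print(f.path, "->", f.assembly, "/", f.manager_type)
        for r in f.reasons:
            print("   ", r)
```

Pointing `hunt()` at the `.exe.config` files under Program Files and the Visual Studio install tree gives a small, reviewable list; legitimate AppDomainManager use exists, so treat hits as leads, and pair the file check with the `APPDOMAIN_MANAGER_ASM` / `APPDOMAIN_MANAGER_TYPE` environment variables, which achieve the same load without touching a config.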

Analyst Comment: The backdoor demonstrates that the responsible threat actors can maintain long-term access by compromising trusted developer tools and using legitimate cloud APIs for command and control. This approach allows malicious activity to blend into normal enterprise operations, making detection more difficult. Although the backdoor does not use AI to make decisions, its use of the OpenAI Assistants API as a covert communication channel is significant, revealing a new method for stealthy C2 that hides within high-trust services. From an intelligence perspective, this underscores the value of monitoring both developer activity and cloud API usage to detect anomalous behavior indicative of compromise.

MITRE ATT&CK: T1574.014 - Hijack Execution Flow: AppDomainManager | T1505.003 - Server Software Component: Web Shell | T1055 - Process Injection | T1105 - Ingress Tool Transfer | T1571 - Non-Standard Port | T1041 - Exfiltration Over C2 Channel | T1490 - Inhibit System Recovery

Weaponized Military Documents Deliver Advanced SSH‑Tor Backdoor

(published: November 3, 2025)

In October 2025, a spear‑phishing operation delivered a weaponized ZIP archive disguised as a military document targeting Belarusian military personnel. The archive contained an LNK shortcut and a hidden folder with further payloads. The infection chain includes nested ZIPs, anti‑sandbox checks, and an obfuscated PowerShell script that installed two scheduled tasks: one launching a renamed OpenSSH service (listening on port 20321) and another running a customized Tor client with obfs4 bridges. Through a hidden‑service .onion address, the attacker gained access to SSH, RDP, SMB and SFTP channels while maintaining anonymity. Investigators observed no destructive payloads or lateral movement at the time of discovery, suggesting this campaign may still be in the reconnaissance phase. The tactics align with earlier campaigns attributed to Sandworm (APT44), but attribution remains unconfirmed.
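The persistence in this chain is two scheduled tasks, which is something a defender can enumerate and triage at scale. The script below is an added example for this digest, not code from the original report: it takes task records (the name, command line and account you would pull from `schtasks /query /fo CSV /v` or `Get-ScheduledTask`) and flags the traits described above: a binary launched from a user-writable directory as SYSTEM, an `sshd`-style `-p` listen port other than 22, and Tor or obfs4 indicators in the command line. The sample tasks and the binary names in them are constructed, and the heuristics are this author's assumptions rather than published detection rules.

```python
"""Triage scheduled tasks for the SSH/Tor persistence pattern described above.

Added example, not code from the original report. Records are constructed and
reduced to the fields you would take from `schtasks /query /fo CSV /v` or
Get-ScheduledTask; the heuristics are assumptions, not published signatures.
"""
import re

ENV = {"%windir%": r"C:\Windows", "%systemroot%": r"C:\Windows",
       "%programfiles%": r"C:\Program Files"}
STANDARD_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE = ("\\programdata\\", "\\users\\", "\\appdata\\", "\\public\\", "\\temp\\")
TOR_HINTS = ("tor.exe", "torrc", "obfs4", "lyrebird", "bridge")
SYSTEM_ACCOUNTS = {"SYSTEM", "NT AUTHORITY\\SYSTEM", "LOCALSYSTEM"}


def expand(cmd):
    """Expand the environment variables schtasks leaves unexpanded in 'Task To Run'."""
    for var, value in ENV.items():
        cmd = re.sub(re.escape(var), lambda _m, v=value: v, cmd, flags=re.IGNORECASE)
    return cmd


def split_command(cmd):
    """Split a Windows command line into (executable, arguments); handles a quoted path."""
    cmd = expand(cmd.strip())
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    if not parts:
        return "", ""
    return parts[0], (parts[1] if len(parts) > 1 else "")


def triage_task(task):
    """Return the reasons a task deserves a look (empty list means nothing odd)."""
    exe, args = split_command(task["command"])
    exe_l, args_l = exe.lower(), args.lower()
    reasons = []
    if not exe_l.startswith(STANDARD_DIRS):
        reasons.append(f"binary outside standard install paths: {exe}")
    if any(h in exe_l for h in USER_WRITABLE) and task["run_as"].upper() in SYSTEM_ACCOUNTS:
        reasons.append("runs as SYSTEM from a user-writable directory")
    port = re.search(r"(?:^|\s)-p\s*(\d{1,5})\b", args_l)  # sshd -p <port>
    if port and port.group(1) != "22":
        reasons.append(f"sshd-style listen port argument on non-standard port {port.group(1)}")
    if any(h in exe_l or h in args_l for h in TOR_HINTS):
        reasons.append("Tor / obfs4 pluggable-transport indicators in command line")
    return reasons


def triage(tasks):
    """Map task name -> reasons for every task that tripped a heuristic."""
    return {t["name"]: r for t in tasks if (r := triage_task(t))}


# Constructed task export: two benign Windows tasks and two modelled on the
# report (a renamed OpenSSH daemon on port 20321, a Tor client with bridges).
TASKS = [
    {"name": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "command": r"%windir%\system32\defrag.exe -c -h -o -$", "run_as": "SYSTEM"},
    {"name": r"\WinSvcUpdate",
     "command": r'"C:\ProgramData\WinSvc\svchost.exe" -f "C:\ProgramData\WinSvc\svc_config" -p 20321',
     "run_as": "SYSTEM"},
    {"name": r"\NetworkHealth",
     "command": r'"C:\ProgramData\WinSvc\nethlp.exe" -f "C:\ProgramData\WinSvc\torrc" --defaults-torrc "C:\ProgramData\WinSvc\bridges"',
     "run_as": "SYSTEM"},
    {"name": r"\OneDrive Standalone Update",
     "command": r'"C:\Program Files\Microsoft OneDrive\OneDriveStandaloneUpdater.exe"',
     "run_as": "alice"},
]

if __name__ == "__main__":
    for name, reasons in triage(TASKS).items():
        print(name)
        for r in reasons:
            print("   ", r)
```

Because the OpenSSH binary was renamed, the file name tells you nothing; the location, the account and the listen port do. Correlating the flagged task's binary with a `netstat -ano` or `Get-NetTCPConnection` listing of listening ports closes the loop on the port heuristic.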

Analyst Comment: This campaign demonstrates a high level of operational sophistication, combining social engineering with a multi‑stage malware infection chain. What I found most interesting is the use of a Tor hidden service with the obfs4 pluggable transport to tunnel multiple protocols, which gives the attacker flexible, anonymous access while minimizing network detectability. This signals deliberate, long‑term espionage intent rather than opportunistic compromise. For corporate defenders, the intelligence value is still significant: the malware’s techniques are directly applicable beyond military environments. Even though this campaign currently focuses on Belarusian or Russian military personnel, the similarity to previously documented Sandworm‑type tradecraft suggests these techniques could be adapted and applied against private‑sector or global corporate networks.

MITRE ATT&CK: T1566.001 - Phishing: Spearphishing Attachment | T1059.001 - Command and Scripting Interpreter: PowerShell | T1569.002 - System Services: Service Execution | T1053.005 - Scheduled Task/Job: Scheduled Task | T1098.004 - Account Manipulation: SSH Authorized Keys | T1497 - Virtualization/Sandbox Evasion | T1027 - Obfuscated Files or Information | T1090.003 - Proxy: Multi-Hop Proxy | T1021.001 - Remote Services: Remote Desktop Protocol | T1021.002 - Remote Services: SMB/Windows Admin Shares | T1021.004 - Remote Services: SSH

Target Industry: Defense

Target Region: Europe

Target Country: Belarus

Ransomware Cartel Model Expands with DragonForce Operations

(published: November 6, 2025)

The DragonForce Cartel is a newly observed ransomware group evolving from leaked Conti and LockBit code. Active since 2023, the group reorganized into a cartel structure in 2025, offering affiliates up to 80% of ransom proceeds and permitting white‑label use of its encryptors. They employ “bring your own vulnerable driver” (BYOVD) techniques to disable security processes and collaborate with initial‑access brokers such as Scattered Spider, who use phishing, SIM swapping, MFA fatigue, and RMM tools to infiltrate enterprise networks. The cartel has targeted at least 200 victims across sectors including retail, airlines, insurance, and managed service providers, attacking Windows, Linux, and ESXi systems. Their toolkit shows clear lineage to Conti v3 and LockBit 3.0, reflecting shared routines and artefacts from these prior ransomware families.

Analyst Comment: DragonForce has evolved from a conventional ransomware group into a cartel-style operation, offering affiliates high profit shares and white-label access to its malware. This structure transforms the group into a scalable platform, enabling multiple actors to conduct attacks without directly managing every operation. By leveraging initial-access brokers and shared tooling, DragonForce lowers the barrier to entry for less sophisticated threat actors. For defenders, this signals a likely increase in attack frequency and diversity, as more affiliates can now deploy the ransomware. Understanding the cartel model allows security teams to anticipate common tactics and to strengthen monitoring for phishing, BYOVD exploitation, and MFA fatigue attempts.

MITRE ATT&CK: T1190 - Exploit Public-Facing Application | T1078 - Valid Accounts | T1543.003 - Create or Modify System Process: Windows Service | T1059.001 - Command and Scripting Interpreter: PowerShell | T1082 - System Information Discovery | T1003 - OS Credential Dumping | T1021.001 - Remote Services: Remote Desktop Protocol | T1105 - Ingress Tool Transfer | T1486 - Data Encrypted for Impact | T1490 - Inhibit System Recovery | T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage

Target Industry: Retail, Transportation, Insurance, Technology

Cybercrime Groups Scattered LAPSUS$ Hunters Unite in Bold ‘Merger’

(published: November 4, 2025)

A new cyber‑threat alliance has been confirmed: the three previously independent groups Scattered Spider, LAPSUS$ and ShinyHunters are now operating under a federated umbrella known as Scattered LAPSUS$ Hunters (SLH). The collective began forming around August 2025 and has established at least 16 Telegram channels, repeatedly reinstating removed channels to maintain presence. SLH offers “extortion‑as‑a‑service” (EaaS), enabling affiliates to leverage the brand’s notoriety in data theft and ransom operations. The group is distinguished by its public-facing, theatrical style, combining social engineering, exploit development and data exfiltration, with a targeted focus on high‑value cloud/SaaS environments.

Analyst Comment: While security researchers had long observed a loose alliance between Scattered Spider, LAPSUS$, and ShinyHunters, the emergence of Scattered LAPSUS$ Hunters (SLH) confirms a more structured, federated collective. Their highly visible, self-promoting behavior reflects both the group’s youthful demographic, as shown in arrest data, and a deliberate strategy to cultivate a strong public brand. Despite their conspicuous, self-promoting activity, SLH has demonstrated significant technical competence, executing coordinated data exfiltration, ransomware campaigns, and resilient extortion-as-a-service operations. For defenders, this confirmation is critical: the consolidation may suggest attacks will be larger, more coordinated, and more persistent, with predictable patterns and public signaling that can be monitored. Recognizing their branding and public channels as part of the threat landscape may enable organizations to anticipate campaigns.

MITRE ATT&CK: T1078 - Valid Accounts | T1203 - Exploitation for Client Execution | T1114 - Email Collection | T1041 - Exfiltration Over C2 Channel | T1486 - Data Encrypted for Impact

Target Industry: Technology, Commercial

Gootloader Malware Resurfaces with Enhanced Tactics

(published: November 5, 2025)

The Gootloader loader operation has re-emerged after a seven-month hiatus, reviving campaigns that lure victims through search-engine poisoning and fake legal-document websites. Attackers target users searching for contract or agreement templates, hosting malicious WordPress pages that prompt downloads of ZIP archives containing JavaScript files disguised as text documents. These scripts deliver remote access trojans, the Supper SOCKS5 backdoor, and frequently enable ransomware deployment via affiliate groups such as Vanilla Tempest.

Analyst Comment: The latest variant employs advanced evasion techniques, including custom WOFF2 font-glyph obfuscation to conceal readable text in HTML source and malformed, XOR-encrypted ZIP archives that behave differently depending on the unpacking tool used. These tricks hinder automated sandboxes and static scanners, allowing payloads to bypass inspection. Gootloader continues to serve as a resilient and adaptable initial access mechanism across multiple sectors. For defenders, the key is to combine automated detection with targeted manual analysis, replicating realistic victim environments using native Windows utilities and browsers, capturing decoded font rendering and archive behavior, and correlating network traffic to uncover hidden payload retrieval steps.
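Two of the traits above can be checked mechanically before a human ever opens the lure: a script file wearing a document extension, and an archive whose two internal views disagree. A ZIP has a central directory at the end and a local header in front of each file; tools that trust the central directory and tools that walk local headers sequentially can extract different things from the same bytes, which is one way an archive "behaves differently depending on the unpacking tool". The code below is an added example for this digest, not code from the original research. It scans both views and reports the difference plus any disguised scripts. The archives are constructed in memory, and the prepended stray local header is an illustration of such a mismatch, not a claim about Gootloader's exact malformation.

```python
"""Triage a ZIP lure: disguised script files and central-directory vs local-header disagreement.

Added example, not code from the Gootloader research. Sample archives are
constructed in memory; the 'hidden entry' is one illustration of an archive
that two extractors would read differently.
"""
import io
import struct
import zipfile
import zlib

SCRIPT_EXT = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".lnk", ".cmd", ".bat", ".ps1")
DOC_EXT = (".txt", ".pdf", ".doc", ".docx", ".rtf")
LOCAL_SIG = b"PK\x03\x04"


def local_header_names(data):
    """Names found by walking local file headers, as a sequential extractor would."""
    names, i = [], data.find(LOCAL_SIG)
    while i != -1 and i + 30 <= len(data):
        (_sig, _ver, _flags, _method, _time, _date, _crc,
         csize, _usize, fnlen, exlen) = struct.unpack("<IHHHHHIIIHH", data[i:i + 30])
        names.append(data[i + 30:i + 30 + fnlen].decode("utf-8", "replace"))
        # skip header, name, extra field and the declared compressed data
        i = data.find(LOCAL_SIG, i + 30 + fnlen + exlen + csize)
    return names


def central_directory_names(data):
    """Names as a central-directory reader (here Python's zipfile) reports them."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def triage_zip(data):
    local = local_header_names(data)
    central = central_directory_names(data)
    findings = []
    hidden = sorted(set(local) - set(central))
    if hidden:
        findings.append(f"entries present in local headers but absent from central directory: {hidden}")
    for name in sorted(set(local) | set(central)):
        low = name.lower()
        if low.endswith(SCRIPT_EXT):
            findings.append(f"script file in archive: {name}")
            if low.rsplit(".", 1)[0].endswith(DOC_EXT):
                findings.append(f"double extension disguises script as document: {name}")
    return {"local": local, "central": central, "findings": findings}


def build_clean_zip():
    """Constructed lure-shaped archive: a .js named like a text document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("Rental_Agreement_Template.txt.js", "// constructed placeholder, not a real lure\n")
    return buf.getvalue()


def build_mismatched_zip():
    """Prepend a stray local header that no central-directory entry references.

    zipfile tolerates leading data (it re-bases offsets from the end record),
    so it never sees this entry; a sequential local-header walker does.
    """
    body = b"// constructed placeholder\n"
    name = b"hidden_payload.js"
    header = LOCAL_SIG + struct.pack("<HHHHHIIIHH", 20, 0, 0, 0, 0,
                                     zlib.crc32(body), len(body), len(body), len(name), 0)
    return header + name + body + build_clean_zip()


if __name__ == "__main__":
    for label, blob in (("clean", build_clean_zip()), ("mismatched", build_mismatched_zip())):
        result = triage_zip(blob)
        print(label, "local:", result["local"], "central:", result["central"])
        for f in result["findings"]:
            print("   ", f)
```

In practice the rule is simple: if `local` and `central` disagree, do not trust any single extractor's output; the page's advice to reproduce the victim's environment with native Windows tools is the way to learn which view the target actually executed.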

MITRE ATT&CK: T1608.006 - Stage Capabilities: SEO Poisoning | T1189 - Drive-by Compromise | T1059.007 - Command and Scripting Interpreter: JavaScript | T1204.002 - User Execution: Malicious File | T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | T1027 - Obfuscated Files or Information | T1105 - Ingress Tool Transfer

Target Industry: Legal, Technology, Commercial

Mysterious ‘SmudgedSerpent’ Hackers Target U.S. Policy Experts Specializing in Iran

(published: November 5, 2025)

Between June and August 2025, a previously unreported cyber espionage group, UNK_SmudgedSerpent, conducted highly targeted campaigns against U.S.-based foreign-policy and think-tank experts specializing in Iran. The threat actors used impersonation of professional contacts, lures referencing Iranian socio-political issues, and weaponized MSI payloads. Victims were directed to credential-harvesting pages mimicking OnlyOffice and Microsoft 365 services, and in some cases RMM tools such as PDQ Connect and ISL Online were installed. Technical overlaps and tactics resemble known Iranian-aligned groups (TA453, TA450, TA455), though firm attribution remains inconclusive. The operation leveraged both social engineering and legitimate-seeming collaboration requests to compromise devices and harvest credentials, reflecting a sophisticated understanding of the human factor in espionage. Indicators include specific email domains and attachments, enabling defenders to identify and block related activity.

Analyst Comment: Social engineering, the hacking of humans, remains at the top of an attacker’s playbook and is often the simplest route to compromise. The SmudgedSerpent campaign illustrates this clearly; for example, operators cultivated benign conversations to build rapport and trust, then transitioned to credential‑harvesting pages and malicious MSI payloads, a classic “charm‑then‑phish” pattern. Because these techniques mimic normal professional outreach, organizations conducting business within the region are especially at risk, as routine collaboration requests can be weaponized. Defenders should prioritize identity verification, strict link and attachment handling, and role‑specific awareness training to mitigate influence and manipulation, reducing the human success rate of such incursions.

MITRE ATT&CK: T1566 - Phishing | T1656 - Impersonation | T1204 - User Execution | T1588.001 - Obtain Capabilities: Malware | T1219 - Remote Access Software

Target Industry: Nonprofit

Target Region: Americas

Target Country: United States

AI-Powered Malware Evolves to Morph Mid-Attack

(published: November 7, 2025)

Google’s Threat Intelligence Group (GTIG) has reported the emergence of AI-driven malware families that dynamically modify their behavior during execution. According to Google’s AI Threat Tracker blog, threat actors are using large language models (LLMs) for live code rewriting, command generation, and content crafting to improve evasion and efficiency. Malware such as PROMPTFLUX uses the Gemini API to mutate code in real time, while PROMPTSTEAL (linked to APT28) leverages LLM prompts to generate Windows commands for data theft. Additional families, including FRUITSHELL, QUIETVAULT, and PROMPTLOCK, demonstrate similar adaptive traits. GTIG emphasizes that AI use by both state and financially motivated actors is expanding rapidly, with over 100 observed cases of LLM use for phishing, reconnaissance, and malware development.

Analyst Comment: This is the second story this week showing AI’s deepening integration into the threat landscape. While the SesameOp backdoor abused the OpenAI Assistants API for covert C2 and data exfiltration, this report highlights the other side of that evolution: AI being used for decision-making and live code rewrites. For defenders, this convergence means that legitimate AI and cloud APIs can no longer be assumed benign. Security teams should baseline and monitor all AI service usage, correlate API calls with process behavior, and treat unexpected LLM traffic as potential command, control, or decision activity within the enterprise network.
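Both this comment and the SesameOp comment above come down to the same control: know which processes on which hosts are expected to talk to AI APIs, and look hard at the rest. The detector below is an added example for this digest, not code from Microsoft, Google or Anomali. It parses proxy log lines that carry the originating process (a field a proxy with an endpoint agent can supply), groups traffic to the API hosts named in the two stories, and flags any process outside an approval list as well as traffic whose timing is too regular to be a person. The log format, host and process names are constructed, and the approved-process list is an assumption to replace with your own.

```python
"""Baseline and flag process-level egress to LLM/AI APIs.

Added example serving the SesameOp (OpenAI Assistants API as C2) and GTIG
(Gemini API for runtime code mutation) stories; not code from Microsoft, Google
or Anomali. Log format, hosts and process names are constructed.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# API hosts of the two services named in the stories; extend for your estate.
AI_API_HOSTS = {"api.openai.com", "generativelanguage.googleapis.com"}
# Assumption: processes your organisation expects to call these APIs.
APPROVED_PROCS = {"chrome.exe", "msedge.exe", "firefox.exe", "code.exe"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) proc=(?P<proc>\S+) "
    r"dst=(?P<dst>[^:\s]+):(?P<port>\d+) bytes=(?P<bytes>\d+)$"
)


def parse(lines):
    """Parse constructed proxy lines; unparsable lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        e["bytes"] = int(e["bytes"])
        events.append(e)
    return events


def beacon_score(timestamps):
    """Coefficient of variation of inter-request gaps; near 0 means clockwork timing."""
    if len(timestamps) < 4:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    return statistics.pstdev(gaps) / mean if mean else None


def detect(lines, approved=APPROVED_PROCS, ai_hosts=AI_API_HOSTS, cv_threshold=0.1):
    """Return one alert per (host, process, API host) triple that looks wrong."""
    groups = defaultdict(list)
    for e in parse(lines):
        if e["dst"] in ai_hosts:
            groups[(e["host"], e["proc"].lower(), e["dst"])].append(e)
    alerts = []
    for (host, proc, dst), evs in groups.items():
        reasons = []
        if proc not in approved:
            reasons.append("process not approved for AI API access")
        cv = beacon_score([e["ts"] for e in evs])
        if cv is not None and cv < cv_threshold:
            reasons.append(f"regular interval traffic ({len(evs)} requests, timing CV {cv:.2f})")
        if reasons:
            alerts.append({"host": host, "proc": proc, "dst": dst,
                           "count": len(evs), "reasons": reasons})
    return alerts


# Constructed sample: a user browsing an AI service, a build host whose helper
# binary polls api.openai.com every five minutes, and unrelated traffic.
SAMPLE_LOG = """
2025-11-03T09:00:11Z host=WS01 user=alice proc=chrome.exe dst=api.openai.com:443 bytes=5120
2025-11-03T09:07:43Z host=WS01 user=alice proc=chrome.exe dst=api.openai.com:443 bytes=2210
2025-11-03T09:30:05Z host=WS01 user=alice proc=chrome.exe dst=api.openai.com:443 bytes=980
2025-11-03T10:15:22Z host=WS01 user=alice proc=chrome.exe dst=api.openai.com:443 bytes=3300
2025-11-03T09:00:00Z host=BLD02 user=svc_build proc=buildhelper.exe dst=api.openai.com:443 bytes=640
2025-11-03T09:05:00Z host=BLD02 user=svc_build proc=buildhelper.exe dst=api.openai.com:443 bytes=640
2025-11-03T09:10:00Z host=BLD02 user=svc_build proc=buildhelper.exe dst=api.openai.com:443 bytes=655
2025-11-03T09:15:00Z host=BLD02 user=svc_build proc=buildhelper.exe dst=api.openai.com:443 bytes=640
2025-11-03T09:20:00Z host=BLD02 user=svc_build proc=buildhelper.exe dst=api.openai.com:443 bytes=640
2025-11-03T09:02:17Z host=WS09 user=bob proc=msedge.exe dst=generativelanguage.googleapis.com:443 bytes=4400
2025-11-03T09:03:02Z host=WS09 user=bob proc=msedge.exe dst=www.example.com:443 bytes=1500
"""

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.strip().splitlines()):
        print(a["host"], a["proc"], "->", a["dst"], a["count"], "requests")
        for r in a["reasons"]:
            print("   ", r)
```

The approval list is the baseline the analyst comment asks for; the timing score catches the case the list misses, a process that is nominally allowed but is polling rather than being driven by a person. Run it over a week of logs rather than a morning so that interactive use has enough jitter to separate from tasking loops.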

MITRE ATT&CK: T1027 - Obfuscated Files or Information | T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | T1543 - Create or Modify System Process | T1071 - Application Layer Protocol | T1059 - Command and Scripting Interpreter | T1548 - Abuse Elevation Control Mechanism

Source Country: Russian Federation

Source Region: Europe

Cybercriminals Exploit Remote Access Tools to Steal Real-World Cargo

(published: November 6, 2025)

Cybercriminals are hijacking the logistics sector through cyber-enabled cargo theft, blending social engineering with legitimate IT tools. According to Malwarebytes and Proofpoint, attackers impersonate freight brokers and carriers using fake load-board listings and hijacked email threads to distribute Remote Monitoring and Management (RMM) software such as ScreenConnect and SimpleHelp. Once installed, these tools provide full access to logistics portals and broker accounts, allowing criminals to bid on real shipments, redirect freight, and sell stolen goods through criminal networks. Victims span North American trucking, warehousing, and third-party logistics providers. The campaigns, active since early 2025, illustrate how organized crime has adapted digital tactics to exploit trust within transportation ecosystems.

Analyst Comment: This campaign underscores how deeply today’s physical supply chains depend on digital trust. For many organizations, these logistics partners are the unseen backbone of daily operations, supplying components, distributing products, and enabling global trade. Threat actors understand this reliance and increasingly exploit it, using compromised logistics networks as stepping stones to reach upstream manufacturers, retailers, and even critical infrastructure. Defenders should look beyond their immediate perimeter and treat supply-chain partners as extensions of their own attack surface, demanding the same level of access control, verification, and continuous monitoring to protect both data and goods in motion.
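The SmudgedSerpent and cargo-theft stories end the same way: a legitimate remote-management client (PDQ Connect, ISL Online, ScreenConnect, SimpleHelp) installed by the victim after a convincing conversation. That makes an unapproved-RMM check a useful detection for both. The code below is an added example for this digest, not code from Proofpoint, Malwarebytes or Anomali. It takes endpoint process or install events, identifies RMM products by the product and company strings you would read from file version info (binary names change between versions, so the example does not rely on them), and flags tools missing from an approval register, especially when they run from a user-writable path or were launched from a mail client or browser. The events and the approval register are constructed.

```python
"""Flag RMM tools that appear on endpoints without an approval record (T1219).

Added example for the SmudgedSerpent and cargo-theft stories; not code from
Proofpoint, Malwarebytes or Anomali. Events, paths and the approval register
are constructed; matching is on product/company metadata strings.
"""

# Lower-cased substrings seen in product/company metadata -> canonical product.
RMM_KEYWORDS = {
    "screenconnect": "ScreenConnect",
    "connectwise control": "ScreenConnect",
    "simplehelp": "SimpleHelp",
    "isl online": "ISL Online",
    "isl light": "ISL Online",
    "pdq connect": "PDQ Connect",
}
# Assumption: products IT sanctions and where ('*' = any host).
APPROVED = {"PDQ Connect": {"*"}, "ScreenConnect": {"HELPDESK-01"}}
USER_DIR_HINTS = ("\\users\\", "\\appdata\\", "\\downloads\\", "\\temp\\")
DELIVERY_PARENTS = {"outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe", "winword.exe"}


def identify_rmm(product, company=""):
    """Return the canonical RMM product name for this metadata, or None."""
    text = f"{product} {company}".lower()
    for keyword, name in RMM_KEYWORDS.items():
        if keyword in text:
            return name
    return None


def is_approved(name, host):
    allowed = APPROVED.get(name, set())
    return "*" in allowed or host in allowed


def triage_event(ev):
    """Return an alert dict for an RMM event that breaks policy, else None."""
    name = identify_rmm(ev.get("product", ""), ev.get("company", ""))
    if not name:
        return None
    reasons = []
    if not is_approved(name, ev["host"]):
        reasons.append(f"{name} is not approved on {ev['host']}")
    if any(h in ev["image"].lower() for h in USER_DIR_HINTS):
        reasons.append("runs from a user-writable path rather than Program Files")
    parent = ev.get("parent", "").lower()
    if parent in DELIVERY_PARENTS:
        reasons.append(f"launched from {parent} (email/download delivery path)")
    if not reasons:
        return None
    return {"host": ev["host"], "user": ev["user"], "tool": name, "reasons": reasons}


def triage(events):
    return [alert for ev in events if (alert := triage_event(ev))]


# Constructed events (file names are placeholders, not the vendors' real binaries).
EVENTS = [
    {"host": "HELPDESK-01", "user": "svc_it", "product": "ScreenConnect", "company": "ScreenConnect Software",
     "image": r"C:\Program Files (x86)\ScreenConnect Client\client.exe", "parent": "services.exe"},
    {"host": "DISPATCH-07", "user": "jdoe", "product": "ScreenConnect", "company": "",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\LoadConfirmation\client.exe", "parent": "outlook.exe"},
    {"host": "ANALYST-03", "user": "msmith", "product": "SimpleHelp Remote Access", "company": "",
     "image": r"C:\Users\msmith\Downloads\meeting-tools\remote.exe", "parent": "msedge.exe"},
    {"host": "FIN-12", "user": "svc_it", "product": "PDQ Connect Agent", "company": "PDQ",
     "image": r"C:\Program Files\PDQ\Connect\agent.exe", "parent": "services.exe"},
    {"host": "WS-22", "user": "alice", "product": "Notepad++", "company": "",
     "image": r"C:\Program Files\Notepad++\notepad++.exe", "parent": "explorer.exe"},
]

if __name__ == "__main__":
    for alert in triage(EVENTS):
        print(alert["host"], alert["user"], alert["tool"])
        for r in alert["reasons"]:
            print("   ", r)
```

The register is the control that both stories are really about: an RMM client is not malware, so nothing else will alert on it. Keep the register small and reviewed, and treat a first sighting of any RMM product on a host outside it as an incident rather than a ticket.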

MITRE ATT&CK: T1566 - Phishing | T1199 - Trusted Relationship | T1219 - Remote Access Software | T1003 - OS Credential Dumping | T1018 - Remote System Discovery

Target Industry: Transportation

Target Region: Americas

Target Country: United States

Sora 2 Release Sparks Concern Over Next-Generation Deepfake Threats

(published: November 6, 2025)

The latest version of Sora 2, a generative AI video-creation tool from OpenAI, can produce highly convincing synthetic videos from text and images and is now accessible without an invitation code. Security experts warn that threat actors are likely to exploit this capability for advanced social engineering, fraud, and impersonation. Although OpenAI introduced watermarking and guardrails, these are considered inadequate: malicious actors could remove watermarks or mimic real-video cues to deceive even experienced viewers. Industries such as healthcare, legal and finance are identified as particularly vulnerable, especially when video verification or remote consultations rely on the authenticity of appearance and voice. Defence strategies emphasise multi-factor verification (beyond just video), background checks on video-conferencing contexts, staff education on synthetic-media threats and deployment of AI-driven deepfake detection tools.

Analyst Comment: This is a problem that’s only going to get worse. Deepfakes are becoming cheaper, faster, and harder to spot, and most malicious ones don’t rely solely on realism, but on inciting the right emotion. Fear, urgency, outrage, even excitement can be enough to make someone react before thinking, and that brief lapse is all an attacker needs. The more you understand how they hijack attention and emotion, the better equipped you are to slow down, verify, and stay in control. This topic is explored in detail in “Spotting AI-Generated Disinformation and Deepfakes Online,” available on the Anomali blog, where readers can find practical ways to recognize emotional triggers and stay grounded before clicking, sharing, or responding.

MITRE ATT&CK: T1566 - Phishing | T1646 - Exfiltration Over C2 Channel | T1119 - Automated Collection | T1027 - Obfuscated Files or Information | T1102 - Web Service

Samsung Mobile Flaw Exploited to Deploy LANDFALL Android Spyware

(published: November 7, 2025)

A previously undisclosed Android spyware campaign, dubbed LANDFALL, exploited a zero-day vulnerability (CVE-2025-21042, CVSS 8.8) in the image-processing library libimagecodec.quram.so on select Samsung Galaxy devices, including the S22, S23, S24, Z Fold 4, and Z Flip 4. Malformed DNG images were used in the chain, with delivery via WhatsApp assessed from file names; researchers found no evidence of a WhatsApp zero-day. A zero-click trigger is possible but not confirmed. The campaign, active from July 2024 through early 2025, appears linked to commercial-grade surveillance activity in the Middle East, with potential targets in Iraq, Iran, Turkey, and Morocco. Samsung patched CVE-2025-21042 in April 2025, and later fixed a related flaw (CVE-2025-21043) in September 2025, closing the known vector used in this activity.

Analyst Comment: LANDFALL is full-spectrum spyware (microphone capture, real-time location, photos, contacts, SMS, files and call logs), which means a compromised phone is an immediate intelligence and lateral-access risk. Zero-click chains give defenders almost no time to react, so focus your effort where it actually matters: patch management and device oversight. Verify Samsung’s April and September 2025 SMRs are applied across your fleet, enforce auto-updates via your MDM, and keep a current mobile inventory with verification checks. Treat phones like any other critical endpoint: track patch status, revoke stale credentials, and escalate unpatched devices for immediate remediation.
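The fleet check the comment asks for is straightforward to automate against an MDM export. The script below is an added example for this digest, not code from Samsung, the researchers or Anomali. It classifies each device by model and Android security patch level against the two SMRs named above. The inventory rows are constructed; the assumptions are that your MDM exports the `ro.build.version.security_patch` string (YYYY-MM-DD) per device, that the April and September 2025 SMRs correspond to patch levels 2025-04-01 and 2025-09-01, and that only the models the report names are in scope, so anything else is reported as out of scope rather than judged.

```python
"""Classify Samsung devices in an MDM export against the SMRs that closed the LANDFALL vector.

Added example, not Samsung's, the researchers' or Anomali's code. Inventory
rows are constructed; patch-level mapping and model scope are assumptions.
"""
from datetime import date

# Models the report names as affected; prefix match so variants (Ultra, +) count.
AFFECTED_MODELS = ("Galaxy S22", "Galaxy S23", "Galaxy S24", "Galaxy Z Fold 4", "Galaxy Z Flip 4")
APRIL_SMR = date(2025, 4, 1)       # assumed patch level carrying the CVE-2025-21042 fix
SEPTEMBER_SMR = date(2025, 9, 1)   # assumed patch level carrying the CVE-2025-21043 fix
ESCALATION_ORDER = ("unpatched", "unknown-patch-level", "partial")


def is_affected(model):
    return any(model.startswith(m) for m in AFFECTED_MODELS)


def parse_spl(spl):
    """Security patch level string -> date, or None when missing or malformed."""
    try:
        return date.fromisoformat(spl)
    except (TypeError, ValueError):
        return None


def classify(device):
    """One of: not-in-scope, unknown-patch-level, unpatched, partial, compliant."""
    if not is_affected(device["model"]):
        return "not-in-scope"
    spl = parse_spl(device.get("security_patch"))
    if spl is None:
        return "unknown-patch-level"
    if spl >= SEPTEMBER_SMR:
        return "compliant"
    if spl >= APRIL_SMR:
        return "partial"          # April SMR present, September SMR missing
    return "unpatched"


def report(devices):
    """Group device ids by classification."""
    buckets = {}
    for d in devices:
        buckets.setdefault(classify(d), []).append(d["id"])
    return buckets


def escalations(devices):
    """Device ids in the order they should be remediated."""
    buckets = report(devices)
    return [dev for key in ESCALATION_ORDER for dev in buckets.get(key, [])]


# Constructed inventory rows (ids, models and patch levels are made up).
INVENTORY = [
    {"id": "dev-001", "model": "Galaxy S24", "security_patch": "2025-10-01"},
    {"id": "dev-002", "model": "Galaxy S23 Ultra", "security_patch": "2025-06-01"},
    {"id": "dev-003", "model": "Galaxy Z Fold 4", "security_patch": "2025-02-01"},
    {"id": "dev-004", "model": "Galaxy A54", "security_patch": "2025-01-01"},  # not named in the report
    {"id": "dev-005", "model": "Galaxy S22", "security_patch": ""},            # MDM returned nothing
]

if __name__ == "__main__":
    for bucket, ids in report(INVENTORY).items():
        print(f"{bucket:20s} {', '.join(ids)}")
    print("remediate in order:", escalations(INVENTORY))
```

A device with no patch level at all is escalated ahead of a partially patched one on purpose: a blank field usually means the agent has not checked in, and a phone you cannot see is the one you cannot vouch for.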

MITRE ATT&CK: T1203 - Exploitation for Client Execution | T1629.003 - Impair Defenses: Disable or Modify Tools | T1624 - Event Triggered Execution | T1071.001 - Application Layer Protocol: Web Protocols | T1041 - Exfiltration Over C2 Channel | T1005 - Data from Local System | T1123 - Audio Capture | T1125 - Video Capture

Target Region: Asia

Anomali Threat Research

Anomali's Threat Research team continually tracks security threats to identify when new, highly critical security threats emerge. The Anomali Threat Research team's briefings discuss current threats and risks like botnets, data breaches, misconfigurations, ransomware, threat groups, and various vulnerabilities. The team also creates free and premium threat intelligence feeds for Anomali's industry-leading Threat Intelligence Platform, ThreatStream.
