Anomali Cyber Watch: SHUYAL Infostealer, PyPI Phishing Campaign, Gunra Ransomware, UNC2891, and More


This edition of Anomali Cyber Watch covers intelligence related to the following threats and topics: Scattered Spider, SHUYAL Infostealer, PyPI phishing, Gunra ransomware, Silk Typhoon, Cobalt Strike Beacon, Microsoft 365 credential phishing, UNC2891, Warlock ransomware, and Cursor AI. The links below reference attack patterns for these threats, and can be viewed by Anomali ThreatStream to check for potential malicious activity.
Scattered Spider Hijacks VMware vSphere via Hypervisor-Level Attacks
(published: July 28, 2025)
Google Threat Intelligence Group (GTIG) has revealed that UNC3944 (Scattered Spider) has developed a direct hypervisor‑level attack model targeting VMware vSphere environments. After social engineering IT help desks to reset Active Directory credentials, the actors escalate to vCenter Server, reboot it into single‑user mode, reset root passwords, enable SSH, and deploy the Teleport remote access tool to establish covert, persistent control. From there they move laterally into ESXi hosts, conducting “disk‑swap” attacks to steal NTDS.dit credential databases, delete backups and snapshots, and launch ransomware directly from the hypervisor. This bypass renders in‑guest EDR tools ineffective and increases attack velocity, enabling full infrastructure compromise in hours rather than days.
Analyst Comment: Scattered Spider’s control of VMware at the hypervisor layer renders in‑guest security ineffective. GTIG’s research makes clear that prevention now depends on hardening infrastructure, not waiting for endpoint alerts. Key measures include disabling ESXi shell access, encrypting VM disks, isolating backups, and enforcing phishing‑resistant multi‑factor authentication. A notable finding is that these techniques are already being copied by other groups, making hypervisor attacks a mainstream ransomware method. Organizations must expand monitoring to the vSphere layer and prioritise configuration and architectural controls over reliance on endpoint detection.
MITRE ATT&CK: T1566 - Phishing | T1566.004 - Phishing: Spearphishing Voice | T1199 - Trusted Relationship | T1078.002 - Valid Accounts: Domain Accounts | T1204 - User Execution | T1219 - Remote Access Software | T1021 - Remote Services | T1018 - Remote System Discovery | T1003.003 - OS Credential Dumping: Ntds | T1567.002 - Exfiltration Over Web Service: Exfiltration To Cloud Storage | T1486 - Data Encrypted For Impact
SHUYAL Infostealer Targets Credentials Across 19 Browsers
(published: July 28, 2025)
Researchers at Hybrid Analysis have identified a new infostealer called SHUYAL that harvests credentials, browsing data, clipboard content, system screenshots and Discord tokens from 19 different browsers including Chrome, Edge, Opera, Brave, Vivaldi, Tor and several niche privacy‑focused browsers. The malware performs local reconnaissance using WMI and PowerShell, packages stolen data and sends it through a Telegram bot. To avoid detection, SHUYAL disables Task Manager by editing the registry, copies itself to the Startup folder for persistence and deletes itself after exfiltration. Its runtime output includes files such as clipboard.txt, history.txt, saved_passwords.txt and ss.png. These tactics, combined with its wide coverage of browsers, make it a significant risk to both individual users and organizations.
Analyst Comment: What stands out about Shuyal is how much useful detection noise it creates while it works. Disabling Task Manager through a registry change is a clear early sign that can be monitored. The follow‑on behavior, where it spawns processes to query disk serials, input devices and display details, is typical of reconnaissance tools rather than ordinary software. These actions, combined with the sudden creation of text files and screenshots, give multiple points for defenders to spot suspicious activity if endpoint logging and process monitoring are in place. Alerting on these host behaviours and reviewing any outbound Telegram connections offers a more reliable way to catch this kind of infostealer before exfiltration rather than waiting for signature‑based tools to flag it.
MITRE ATT&CK: T1082 - System Information Discovery | T1047 - Windows Management Instrumentation | T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | T1562.001 - Impair Defenses: Disable Or Modify Tools | T1119 - Automated Collection | T1560 - Archive Collected Data | T1041 - Exfiltration Over C2 Channel
PyPI Phishing Campaign Exploits Typosquatted Domain to Harvest Credentials
(published: date unknown)
PyPI users, particularly developers with public email addresses in package metadata, have been targeted by a phishing campaign using fraudulent emails titled “[PyPI] Email verification” sent from [noreply@pypj[.]org]. The attackers registered pypj[.]org, a lookalike domain with a single character change, to host a fake PyPI login page. When victims enter their credentials, the page captures them and forwards the details to the legitimate PyPI site so the login appears normal. PyPI confirmed that no infrastructure was compromised. The team has issued warnings, displayed a banner on the official website, and initiated abuse and takedown actions against the malicious domain.
Analyst Comment: Typosquatting is one of the oldest tricks in phishing and it is still effective when executed well. In this case a single character change was enough to create a believable domain and catch developers off guard. These attacks work because they look routine and do not rely on any technical exploit. Reducing the impact comes down to a mix of habits and controls. Multi factor authentication limits the damage even if credentials are stolen. Password managers help by refusing to fill in details on a domain that is even slightly different from the real one. For developers who are easy to find through public email addresses, paying attention to the address bar before logging in and keeping an eye on account history is a small effort that prevents a common and predictable problem from turning into something more serious.
MITRE ATT&CK: T1566.002 - Phishing: Spearphishing Link | T1583.001 - Acquire Infrastructure: Domains | T1598.003 - Phishing for Information: Spearphishing Link | T1589.001 - Gather Victim Identity Information: Credentials
Gunra Ransomware Linux Variant Emerges
(published: July 31, 2025)
Trend Micro has identified a new Linux variant of the Gunra ransomware, marking its evolution from a Windows‑only threat to a cross‑platform adversary. First observed in April 2025, Gunra now targets both Windows and Linux environments. The Linux build supports up to 100 simultaneous encryption threads, double the concurrency of rivals like BERT, and enables partial encryption based on specified ratios or limits. It uses a hybrid encryption scheme (RSA + ChaCha20), and optionally stores RSA-encrypted keys in separate keystore files rather than embedding them. Encrypted files carry the .ENCRT extension, and notably no ransom note is dropped in Linux deployments. Since inception, the group has reportedly victimized at least 14 organizations across Brazil, Japan, Canada, Türkiye, South Korea, Taiwan, and the U.S., spanning sectors such as healthcare, manufacturing, IT, and professional services.
Analyst Comment: Gunra’s Linux version runs silently without a ransom note, leaving little warning before damage is done. Its ability to encrypt files with 100 threads and use partial encryption, speeds up the impact and shortens the window to react. Defenses need to focus on detecting abnormal file changes and process activity rather than waiting for a ransom note. Response plans and tested backups must include Linux systems so that recovery is not improvised under pressure.
MITRE ATT&CK: T1059 - Command And Scripting Interpreter | T1083 - File And Directory Discovery | T1486 - Data Encrypted For Impact | T1041 - Exfiltration Over C2 Channel
Chinese Companies Linked to Silk Typhoon Patent Advanced Cyber Capabilities
(published: July 30, 2025)
Researchers have found that private Chinese companies linked to Silk Typhoon (also known as Hafnium) have filed more than 15 public patents describing advanced cyber capabilities. These patents cover techniques for collecting data from endpoints, extracting information from Apple devices, and remotely accessing routers and smart devices. The companies, including Shanghai Firetech and Shanghai Siling Commerce Consulting, are connected to China’s Ministry of State Security and appear to operate as contractors that build tools and infrastructure for state-backed cyber operations. The findings highlight how openly these capabilities are being developed, while likely supporting espionage activities behind the scenes.
Analyst Comment: Seeing companies tied to a known espionage group filing patents for techniques that enable data collection and remote access takes away some of the secrecy around how these operations grow. It shows that parts of state activity have become routine business, handed off to contractors rather than confined to hidden labs. This points to a structured supply chain for offensive capability, where innovation is developed in the open but applied out of sight. It also highlights the need for analysts and researchers to think more broadly, looking beyond traditional indicators and considering sources like corporate filings and patents to understand how the cyber landscape is shifting.
MITRE ATT&CK: T1190 - Exploit Public-Facing Application | T1203 - Exploitation For Client Execution | T1071 - Application Layer Protocol | T1119 - Automated Collection | T1560 - Archive Collected Data | T1583 - Acquire Infrastructure
Cobalt Strike Beacon Delivered via GitHub, Quora and Social Media
(published: July 30, 2025)
Kaspersky’s Global Research and Analysis Team reported a sophisticated attack campaign spanning late 2024 into mid 2025, targeting medium to large enterprises in Russia, China, Japan, Malaysia and Peru. Adversaries initiated the intrusion via spear phishing emails impersonating state owned companies, distributing malicious RAR attachments containing fake PDF files that were in fact executables or DLLs. Once executed, the attackers exploited DLL hijacking of a legitimate crash reporting utility to load Cobalt Strike Beacon. The payload retrieved its encrypted C2 code stored across legitimate platforms including GitHub, Microsoft Learn Challenge, Quora and social media profiles to evade detection. This use of publicly hosted infrastructure as intermediate command and control channels is a notable escalation in stealth tradecraft.
Analyst Comment: The notable detail here is how attackers hid their second stage on trusted platforms like GitHub and Quora, making traffic blend with normal use and harder to block. It reflects a shift from dedicated servers to abusing services defenders already trust. Mitigation relies on spotting unusual behavior rather than destinations, such as a crash reporting tool connecting to developer or social platforms. Tight controls on where business tools can reach and careful inspection of email attachments are key to disrupting this tactic.
MITRE ATT&CK: T1566.001 - Phishing: Spearphishing Attachment | T1204.002 - User Execution: Malicious File | T1574.001 - Hijack Execution Flow: Dll Search Order Hijacking | T1071.001 - Application Layer Protocol: Web Protocols | T1105 - Ingress Tool Transfer
Experts Detect Multi‑Layer Redirect Tactic Used to Steal Microsoft 365 Credentials
(published: July 31, 2025)
A new phishing campaign delivered via compromised enterprise email accounts abuses multi‑layer URL redirection to defeat protective filtering. Attackers use services like Bitly to shorten malicious URLs, then route them through link-wrapping systems such as Proofpoint’s URL Defense before delivering them in emails appearing as voicemail, Teams messages, or document alerts. This multi-tier redirect chain obscures the destination and elevates the likelihood victims click through to fake Microsoft 365 login pages. Proofpoint and other vendors recognize the abuse and block these links at click time, leveraging behavioral AI to detect and intercept the final destination URL.
Analyst Comment: This campaign exploits trust by hiding behind link shorteners and security redirectors, making the final phishing page look routine to automated tools. It shows why analysts need to examine redirect patterns rather than only the end URL. Multiple chained redirects through trusted services should raise alerts. It is an interesting development because it turns defensive infrastructure into part of the attack path, showing that attackers are willing to work with existing safeguards rather than try to bypass them outright.
MITRE ATT&CK: T1566.003 - Phishing: Spearphishing Via Service | T1608.005 - Stage Capabilities: Link Target
UNC2891 Breaches ATM Network via 4G Raspberry Pi, Attempts CAKETAP Rootkit for Fraud
(published: July 31, 2025)
UNC2891, a financially motivated threat actor also associated with LightBasin, physically infiltrated a bank’s ATM infrastructure by installing a 4G‑enabled Raspberry Pi directly on the ATM’s network switch. This device, equipped with the TINYSHELL backdoor, established an external command‑and‑control channel via Dynamic DNS, bypassing perimeter firewalls entirely. Analysts also identified a sophisticated Linux kernel rootkit named CAKETAP, capable of hiding processes, files, and network traffic and intercepting and spoofing PIN and card verification messages to enable fraudulent ATM withdrawals. Although the intrusion was halted before significant damage occurred, UNC2891 maintained internal access through a backdoor on the mail server.
Analyst Comment: I have included this incident even though no money was ultimately taken because it highlights two points that are often underestimated. First, once an attacker has physical access to equipment the balance shifts entirely. Even inexpensive hardware such as a Raspberry Pi can be used to bypass layered defenses, which is why physical and cyber security need to work together with equal weight. Second, it is a good reminder that ATMs remain a long-standing target. Checking for signs of tampering before you use one is a simple step that continues to matter. Criminals are not going to stop trying, and the habit of being cautious is still one of the easiest defenses.
MITRE ATT&CK: T1543.003 - Create or Modify System Process: Windows Service | T1564.013 - Hide Artifacts: Bind Mounts | T1036.005 - Masquerading: Match Legitimate Name Or Location | T1071.001 - Application Layer Protocol: Web Protocols | T1071.002 - Application Layer Protocol: File Transfer Protocols | T1568.002 - Dynamic Resolution: Domain Generation Algorithms | T1056 - Input Capture
Storm 2603 Deploys Warlock Ransomware via SharePoint “ToolShell” Flaws
(published: August 1, 2025)
Microsoft and researchers have confirmed that the threat actor designated Storm 2603 is exploiting a chain of critical SharePoint Server vulnerabilities, CVE 2025 49704, CVE 2025 49706, CVE 2025 53770 and CVE 2025 53771. These vulnerabilities, collectively referred to as ToolShell, are being used to deploy Warlock, also known as X2anylock, and LockBit ransomware across unpatched on‑premises SharePoint 2016, 2019 and Subscription Edition systems. SharePoint Online is not affected. Victims include over 400 organizations globally, spanning government agencies such as NIH, NNSA and DHS, as well as healthcare, finance, education and infrastructure sectors. The attackers use a custom AK47 command and control framework, specifically AK47HTTP and AK47DNS, for persistence and control. They also employ DLL sideloading, bring your own vulnerable driver techniques and open‑source tools such as masscan, PsExec and Mimikatz. Threat actors exfiltrate ASP.NET machine keys, bypass multifactor authentication defenses and distribute ransomware using group policy objects. Microsoft and CISA have released patches and mitigation guidance, but analyst firms warn that many exposed servers remain at risk.
Analyst Comment: ToolShell has been a recurring subject in research and for good reason. This campaign shows that even after public attention and patches, the same set of SharePoint vulnerabilities is still a favored entry point for a well‑resourced group like Storm 2603. The persistence of these attacks suggests many organizations have not moved fast enough to close the gap. What stands out is how the attackers take the initial foothold from ToolShell and immediately pivot to long‑standing techniques such as machine key theft and group policy abuse, which allow them to spread quickly inside the network.
MITRE ATT&CK: T1190 - Exploit Public-Facing Application | T1505.003 - Server Software Component: Web Shell | T1574.001 - Hijack Execution Flow: Dll Search Order Hijacking | T1059 - Command And Scripting Interpreter | T1003 - Os Credential Dumping | T1552 - Unsecured Credentials | T1021.002 - Remote Services: Smb/Windows Admin Shares | T1071.004 - Application Layer Protocol: Dns | T1071 - Application Layer Protocol | T1562.001 - Impair Defenses: Disable Or Modify Tools | T1486 - Data Encrypted For Impact
Critical Cursor AI Code Editor Flaw Exposed Developers to Remote Code Execution
(published: August 1, 2025)
A high severity flaw in Cursor AI's code editor, tracked as CVE 2025 54135 with a CVSS score of 8.6, allowed attackers to achieve remote code execution under user privileges. The vulnerability, called “CurXecute” by Aim Security, stemmed from Cursor’s Model Control Protocol integration. By adding a malicious Slack or GitHub MCP server and using prompt injection, attackers could rewrite the user’s configuration file at ~/.cursor/mcp.json and execute arbitrary commands. This could lead to ransomware deployment, data theft or manipulation of AI-driven development processes. The issue was fixed in Cursor version 1.3 released on 29 July 2025 which introduced stricter input validation and sandboxing to prevent untrusted MCP entries from automatically executing. Users are strongly advised to upgrade immediately.
Analyst Comment: What stands out in this case is how again a development feature intended to make AI tools more flexible became an avenue for exploitation. Allowing an external service like Slack or GitHub to define MCP servers without strict guardrails effectively hands over control of part of the local environment. The fix in version 1.3 addresses this, but it also highlights the wider lesson. Development teams need to treat AI tool integrations with the same caution they would apply to browser extensions or build pipelines.
MITRE ATT&CK: T1659 - Content Injection | T1059 - Command And Scripting Interpreter
Discover More About Anomali
Get the latest news about cybersecurity, threat intelligence, and Anomali's Security and IT Operations platform.
Propel your mission with amplified visibility, analytics, and AI.
Learn how Anomali can help you cost-effectively improve your security posture.
