Anomali Cyber Watch: Typosquatted npm Packages, Qilin Ransomware, New Water Saci Campaign, and More


SideWinder Adopts ClickOnce-Based Espionage Chain
(published: October 30, 2025)
Cyber-espionage group SideWinder has launched a new campaign (March–September 2025) leveraging a ClickOnce-based infection chain to compromise diplomatic and government entities across India, Pakistan, Sri Lanka, and Bangladesh. According to Trellix, spear-phishing emails delivered malicious PDFs impersonating “Adobe Reader updates,” which redirected users to legitimate-looking ClickOnce installers signed by MagTek Inc. Once executed, the installer (ReaderConfiguration.exe) sideloaded a malicious DLL that deployed loaders and data-stealing payloads such as StealerBot. The malware harvested credentials, files, screenshots, and keystrokes while maintaining persistence on victim systems. The campaign also employed geofencing to restrict payload execution to specific South Asian IPs, limiting detection and analysis. Researchers assess that this activity demonstrates SideWinder’s continued investment in living-off-the-land techniques and signed-software abuse to evade defenses.
Analyst Comment: The campaign’s payloads are interesting, but it’s the delivery that got my attention. SideWinder used ClickOnce, a legitimate Microsoft feature meant for easy software deployment, to deliver its malware in a way that looks completely routine. It’s a subtle exploitation of trust, showing that a valid signature or “verified” publisher doesn’t guarantee safety, especially when those certificates come from lesser-known or compromised sources. The actor’s use of geofencing and time-limited payloads also points to a deeper awareness of how researchers investigate, shaping visibility rather than simply hiding. And while this campaign unfolded in Asia, the method isn’t bound by geography; if it works there, it can work anywhere.
MITRE ATT&CK: T1566.001 - Phishing: Spearphishing Attachment | T1204.002 - User Execution: Malicious File | T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking | T1056.001 - Input Capture: Keylogging | T1119 - Automated Collection | T1105 - Ingress Tool Transfer
Typosquatted npm Packages Deploy Infostealer on Windows, Linux & macOS
(published: October 29, 2025)
Researchers have identified a set of ten malicious packages masquerading as legitimate modules in the npm registry. The packages, such as typescriptjs, deezcord.js, dizcordjs, dezcord.js, etherdjs, ethesjs, ethetsjs, nodemonjs, react-router-dom.js, and zustand.js, used typosquatting to lure developers into installing them. Upon installation, a post-install script triggers a malicious loader (app.js) that uses multiple layers of obfuscation before fetching a roughly 24 MB PyInstaller-packed binary. The payload collects data from browsers (Chromium-based and Firefox), system keyrings (Windows Credential Manager, macOS Keychain, Linux SecretService, libsecret, KWallet), SSH keys, OAuth/JWT tokens and more. It exfiltrates data via compressed archives to an attacker server after staging in temporary directories.
Analyst Comment: The steady drumbeat of npm abuse, from the Chalk/Debug supply-chain compromise to the Shai-Hulud worm-style campaign, shows this isn’t an isolated case but part of a systemic trend in open-source supply-chain compromise. Attackers know developers are the new perimeter; compromising one dependency can reach thousands of downstream systems. Defenders should treat developer environments with the same rigor as production networks: restrict npm installs to vetted sources, use tools that verify package provenance and detect post-install scripts, and continuously monitor for anomalous network activity from build systems. At the organizational level, review dependency-management policies and educate developers that package names alone aren’t proof of legitimacy.
MITRE ATT&CK: T1195.001 - Supply Chain Compromise: Compromise Software Dependencies and Development Tools | T1059 - Command and Scripting Interpreter | T1555.003 - Credentials from Password Stores: Credentials from Web Browsers | T1555.004 - Credentials from Password Stores: Windows Credential Manager | T1555.001 - Credentials from Password Stores: Keychain | T1119 - Automated Collection | T1560.002 - Archive Collected Data: Archive via Library | T1041 - Exfiltration Over C2 Channel
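Two of the checks recommended above, detecting install-time scripts and questioning a package name that merely resembles a popular one, can be automated before anything is installed. The following Python script is an added example, not code from the advisory or from any npm tooling; the manifests and the allow-list of well-known names are constructed for the demonstration, and the 0.85 similarity threshold is an assumption to tune against your own dependency set.

```python
"""Triage npm package manifests for lifecycle scripts and look-alike names.

Added example (not from the advisory or any vendor tool). The manifests and the
allow-list below are constructed; the similarity threshold is an assumption.
"""
import json
from difflib import SequenceMatcher

# Hooks npm runs automatically during `npm install`, without the developer asking.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed allow-list of well-known names; a real one comes from your own lockfiles.
POPULAR = ["typescript", "discord.js", "ethers", "nodemon",
           "react-router-dom", "zustand", "chalk", "debug"]

# Constructed stand-ins for node_modules/<name>/package.json.
SAMPLE_MANIFESTS = [
    json.dumps({"name": "nodemonjs", "version": "1.0.3",
                "scripts": {"postinstall": "node app.js"}}),
    json.dumps({"name": "react-router-dom.js", "version": "0.0.1",
                "scripts": {"preinstall": "node app.js", "test": "echo ok"}}),
    json.dumps({"name": "zustand", "version": "4.5.2",
                "scripts": {"build": "tsc", "test": "vitest"}}),
]


def lifecycle_scripts(manifest: dict) -> dict:
    """Return only the script entries that run as a side effect of installation."""
    scripts = manifest.get("scripts") or {}
    return {hook: cmd for hook, cmd in scripts.items() if hook in LIFECYCLE_HOOKS}


def lookalike(name: str, popular=POPULAR, threshold: float = 0.85):
    """Return the well-known package this name most resembles, or None when the
    name is an exact (legitimate) match or not close enough to be suspicious."""
    bare = name.split("/")[-1].lower()          # drop an @scope/ prefix
    if bare in popular:
        return None
    best, best_score = None, 0.0
    for candidate in popular:
        score = SequenceMatcher(None, bare, candidate).ratio()
        if score > best_score:
            best, best_score = candidate, score
    return best if best_score >= threshold else None


def triage(manifest_text: str) -> dict:
    """Combine both signals: a look-alike name *and* code that runs on install."""
    manifest = json.loads(manifest_text)
    name = manifest.get("name", "<unnamed>")
    hooks = lifecycle_scripts(manifest)
    target = lookalike(name)
    return {"name": name, "lifecycle": hooks, "lookalike_of": target,
            "suspicious": bool(hooks) and target is not None}


if __name__ == "__main__":
    for text in SAMPLE_MANIFESTS:
        result = triage(text)
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{flag:10} {result['name']:22} lifecycle={result['lifecycle']} "
              f"lookalike_of={result['lookalike_of']}")
```

Running `npm install --ignore-scripts` (or setting `npm config set ignore-scripts true`) stops lifecycle hooks from executing at all, and `npm audit signatures` verifies registry signatures and provenance attestations for what is already installed. The ratio-based name check catches suffix-style squats like the ones listed above but not every creative misspelling, so treat it as one signal for review rather than a verdict.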
Qilin Ransomware Gang Escalates Operations, Targets Manufacturing & Professional Services
(published: October 26, 2025)
Researchers at Cisco Talos observed that the Qilin ransomware-as-a-service group is achieving over 40 victim disclosures per month and has made striking inroads into the manufacturing sector (23% of cases) and professional/scientific services (18%). The group’s attack chain typically begins with initial access via compromised VPNs or exposed remote services, followed by reconnaissance, credential theft, lateral movement and deployment of dual ransomware payloads. It uses legitimate tools like Cyberduck for exfiltration and benign-looking utilities (e.g., notepad.exe, mspaint.exe) for data preview to evade detection. Qilin also offers affiliates a suite of services, including negotiation tools, DDoS support, and even legal-aid features, reflecting its evolution into a full-scale cyber-crime platform.
Analyst Comment: The use of legitimate tools like Cyberduck for exfiltration and built-in Windows utilities such as Notepad or Paint to preview stolen files allows Qilin’s activity to blend in with normal administrative behavior. These are exactly the kinds of tactics defenders need to watch for: the abuse of the ordinary. The group’s dependence on compromised VPNs and exposed remote services also shows how often small hygiene gaps become full compromises. Tuning detection toward unexpected use of trusted binaries, outbound file transfers from non-standard hosts, and unusual authentication patterns on remote services will significantly improve the chances of catching Qilin-style intrusions.
MITRE ATT&CK: T1078 - Valid Accounts | T1190 - Exploit Public-Facing Application | T1087.002 - Account Discovery: Domain Account | T1482 - Domain Trust Discovery | T1018 - Remote System Discovery | T1003 - OS Credential Dumping | T1021.002 - Remote Services: SMB/Windows Admin Shares | T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | T1562 - Impair Defenses | T1041 - Exfiltration Over C2 Channel | T1486 - Data Encrypted for Impact
Active Water Saci Campaign Spreads Via WhatsApp with Multi-Vector Persistence and Sophisticated C&C
(published: October 27, 2025)
A new iteration of the Water Saci campaign has been uncovered, employing the SORVEPOTEL malware to target primarily Portuguese-language users, especially in Brazil. Initial infection occurs through a ZIP file delivered via a compromised WhatsApp Web session; once executed, a Visual Basic Script (VBS) loader downloads and executes a PowerShell script in memory. The malware hijacks WhatsApp Web sessions to automatically distribute itself to all contacts and groups in the victim’s account. Command-and-control (C2) is conducted via IMAP email access (terra[.]com[.]br accounts) with hard-coded credentials and an HTTP polling fallback, enabling real-time pausing, resuming, and monitoring of the botnet. The campaign uses advanced anti-analysis and multi-vector persistence, and targets enterprises via browser hijacking, suggesting a shift from legacy banking trojans to automation-driven mass propagation.
Analyst Comment: If your organization allows users to keep WhatsApp Web open on their work machines, this one’s worth paying attention to. The malware doesn’t hit the phone; it runs on the PC, but it spreads by hijacking the trust we place in that WhatsApp connection. The attacker uses the victim’s own identity to send the payload to everyone they’ve messaged, which is exactly why it works so well. If your policy allows them, make sure sessions are monitored, users know how to unlink them, and script execution from download folders is tightly controlled.
MITRE ATT&CK: T1204.002 - User Execution: Malicious File | T1059.001 - Command and Scripting Interpreter: PowerShell | T1053.005 - Scheduled Task/Job: Scheduled Task | T1112 - Modify Registry | T1071.001 - Application Layer Protocol: Web Protocols | T1104 - Multi-Stage Channels | T1113 - Screen Capture | T1056.001 - Input Capture: Keylogging
Critical Chrome Browser Zero-Day Linked to Commercial Spyware Delivery
(published: October 28, 2025)
A severe zero-day vulnerability in Google Chrome on Windows systems (tracked as CVE-2025-2783) has been actively exploited in targeted espionage campaigns. The flaw resides in the Chromium “Mojo” inter-process component and permits sandbox escape via crafted files on vulnerable versions prior to 134.0.6998.177. Attackers used phishing links redirecting victims (notably in Russian-language forums) to malicious pages that triggered this exploit, then dropped modular spyware linked to Memento Labs (formerly Hacking Team) under campaigns labelled ForumTroll APT or “Mem3nt0 mori”. The vendor released an emergency patch and urged immediate upgrades; endpoint- and network-level mitigations are also recommended.
Analyst Comment: The convergence of a high-severity zero-day, a well-used browser with a massive install base, and commercial-grade spyware sold by a rebranded firm formerly tied to nation-state toolkits reveals a shift: adversaries are now deploying state-style capabilities through commodity software. From a defence stance I’d stress this single point: ensure all Chromium-based browsers are updated and extend monitoring to detect odd browser behaviour. Failing to treat the browser as a high-risk endpoint means organisations may be one click away from deep compromise.
MITRE ATT&CK: T1566.002 - Phishing: Spearphishing Link | T1204.001 - User Execution: Malicious Link | T1189 - Drive-By Compromise | T1203 - Exploitation for Client Execution | T1548 - Abuse Elevation Control Mechanism | T1056.001 - Input Capture: Keylogging
USB-Borne Worm Revives Old-School Infection Paths with Modern Persistence
(published: October 29, 2025)
Cybereason researchers detailed a new cryptomining campaign dubbed Tangerine Turkey, which spreads through infected USB drives using a VBScript loader executed by wscript.exe. Once triggered, it drops batch files and abuses legitimate Windows binaries such as printui.exe to side-load malicious DLLs and install the XMRig miner. The malware further disables Windows Defender exclusions, modifies registry keys, and creates disguised directories and services to maintain persistence. Though its core goal appears to be illicit cryptocurrency mining, the campaign’s methodical use of living-off-the-land binaries (LOLBins) and removable-media propagation makes it adaptable for broader malicious operations, including espionage or ransomware staging.
Analyst Comment: I’ve noticed a steady resurgence in USB use lately, and Tangerine Turkey is a timely reminder to tighten the hatches on portable media controls. The campaign may be dropping a miner today, but it wouldn’t take much for the same delivery path to drop something far worse. What’s clever here is the blend of nostalgia and precision, old-school thumb drives meeting modern LOLBin abuse. It’s quiet, simple, and effective because it doesn’t break anything; it just borrows what’s already trusted. Defenders should take this as a cue to revisit USB policies, enforce device control, and watch for odd uses of printui.exe or wscript.exe on supposedly “safe” systems. If this old vector still works, others will notice.
MITRE ATT&CK: T1091 - Replication Through Removable Media | T1059 - Command and Scripting Interpreter | T1059.003 - Command and Scripting Interpreter: Windows Command Shell | T1574.001 - Hijack Execution Flow: DLL Search Order Hijacking | T1055.001 - Process Injection: Dynamic-Link Library Injection | T1036 - Masquerading | T1562 - Impair Defenses | T1071.001 - Application Layer Protocol: Web Protocols | T1105 - Ingress Tool Transfer | T1496 - Resource Hijacking
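The Qilin, Water Saci and Tangerine Turkey items above all come down to trusted Windows binaries being used in ways their normal parents and arguments would not produce: Notepad and Paint previewing files off a share, a VBS host spawning hidden PowerShell, wscript.exe running a script from removable media, and printui.exe relocated or launched from a shell. The following Python detector is an added example, not code from Cisco Talos, Trend Micro or Cybereason; the events are constructed in the shape of Sysmon Event ID 1 fields, and the rule heuristics and the "system drive is C:" assumption are mine.

```python
"""Process-creation triage for the living-off-the-land patterns in the Qilin,
Water Saci and Tangerine Turkey items above.

Added example, not from any of the cited vendors. Events are constructed in the
shape of Sysmon Event ID 1 fields; the rule heuristics are assumptions to tune.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    user: str      # DOMAIN\user
    image: str     # full path of the created process
    parent: str    # full path of the parent process
    cmdline: str

PREVIEW_UTILITIES = ("notepad.exe", "mspaint.exe")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
SHELLS = ("cmd.exe", "powershell.exe") + SCRIPT_HOSTS
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SYSTEM_DRIVE = "C"  # assumption: removable media mount on other letters

# Constructed events; hosts, users and the UNC share do not exist.
SAMPLE_EVENTS = [
    ProcEvent("ws-0101", r"CORP\jdoe", r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe",
              r'notepad.exe "C:\Users\jdoe\Documents\notes.txt"'),
    ProcEvent("srv-file01", r"CORP\svc_backup", r"C:\Windows\System32\mspaint.exe",
              r"C:\Windows\System32\cmd.exe", r'mspaint.exe "\\fs01\finance\scans\contract.png"'),
    ProcEvent("ws-0102", r"CORP\asilva", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\wscript.exe",
              "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand QUJD"),
    ProcEvent("ws-0103", r"CORP\mlee", r"C:\Windows\System32\wscript.exe", r"C:\Windows\explorer.exe",
              r'wscript.exe "E:\docs\x.vbs"'),
    ProcEvent("ws-0104", r"CORP\mlee", r"C:\ProgramData\Print\printui.exe",
              r"C:\Windows\System32\cmd.exe", "printui.exe"),
    ProcEvent("ws-0105", r"CORP\jdoe", r"C:\Windows\System32\printui.exe",
              r"C:\Windows\explorer.exe", "printui.exe"),
]


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_preview_utility(e):
    """Qilin-style preview: notepad/mspaint opening a file outside the user's own profile."""
    if image_name(e.image) not in PREVIEW_UTILITIES:
        return None
    args = [a.strip('"') for a in re.findall(r'"[^"]*"|\S+', e.cmdline)][1:]
    if not args:
        return None
    target = args[-1].lower()
    profile = "c:\\users\\" + e.user.split("\\")[-1].lower() + "\\"
    if target.startswith("\\\\") or not target.startswith(profile):
        return f"{image_name(e.image)} opened {args[-1]} outside the user's profile"
    return None


def rule_script_host_to_powershell(e):
    """Water Saci-style loader: a VBS host spawning PowerShell, typically hidden/encoded."""
    if image_name(e.image) not in ("powershell.exe", "pwsh.exe") or image_name(e.parent) not in SCRIPT_HOSTS:
        return None
    low = e.cmdline.lower()
    hidden = any(f in low for f in ("-windowstyle hidden", "-w hidden", "-encodedcommand", "-enc "))
    return f"{image_name(e.parent)} launched PowerShell" + (" (hidden/encoded)" if hidden else "")


def rule_script_from_other_drive(e):
    """Tangerine Turkey-style removable media: a script host running a script off a non-system drive."""
    if image_name(e.image) not in SCRIPT_HOSTS:
        return None
    m = re.search(r'([A-Za-z]):\\[^"]*?\.(?:vbs|vbe|js|wsf)\b', e.cmdline)
    if m and m.group(1).upper() != SYSTEM_DRIVE:
        return f"script host ran {m.group(0)} from drive {m.group(1).upper()}:"
    return None


def rule_printui_misuse(e):
    """printui.exe copied outside System32 (side-load staging) or spawned from a shell/script host."""
    if image_name(e.image) != "printui.exe":
        return None
    in_system_dir = e.image.lower().startswith(SYSTEM_DIRS)
    from_shell = image_name(e.parent) in SHELLS
    reasons = ([] if in_system_dir else [f"copy outside System32: {e.image}"]) + \
              ([f"spawned by {image_name(e.parent)}"] if from_shell else [])
    return "printui.exe " + "; ".join(reasons) if reasons else None


RULES = [rule_preview_utility, rule_script_host_to_powershell,
         rule_script_from_other_drive, rule_printui_misuse]


def detect(events):
    """Run every rule over every event; one alert dict per hit, in event order."""
    return [{"rule": rule.__name__, "host": e.host, "detail": detail}
            for e in events for rule in RULES if (detail := rule(e))]


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['rule']}] {a['host']}: {a['detail']}")
```

The two benign events (a user's own Notepad session and printui.exe started normally from Explorer) produce nothing, which is the point: none of these rules keys on a hash or a file name alone, only on the combination of binary, parent and argument that the reports describe as abnormal.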
Critical VMware Zero-Day Flaw Exploited by China-Linked Actor
(published: October 31, 2025)
A newly disclosed zero-day vulnerability, CVE-2025-41244 (CVSS 7.8), affects VMware Tools and VMware Aria Operations, allowing a user with non-administrator privileges inside a virtual machine (VM) to escalate to root on the same VM under certain configurations (specifically with the Service Discovery Management Pack enabled). The flaw has been added to the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog following evidence of its use in active attacks linked to the China-affiliated actor UNC5174. Organizations using these VMware products should verify patch status immediately and confirm that management-level access is restricted.
Analyst Comment: This activity highlights how attackers are treating virtualization as prime real estate; CVE-2025-41244 shows that local privilege flaws inside virtual machines can ripple outward, blurring the line between guest and host. VMware Tools sits across nearly every enterprise deployment, giving adversaries a broad canvas to work with once they gain a foothold. As we continue the steady move toward cloud and virtualized workloads, this layer is becoming too valuable for threat actors to ignore.
MITRE ATT&CK: T1068 - Exploitation for Privilege Escalation | T1611 - Escape to Host
“Spoofing-as-a-Service” May Expand Social Engineering at Scale
(published: October 27, 2025)
Organized crime networks are increasingly exploiting caller-ID spoofing and SMS spoofing to target individuals and businesses across borders. Victims are tricked into believing they’re receiving calls from trusted entities such as banks, government agencies or family members, and are then manipulated into transferring money or divulging credentials. According to Europol, roughly €850 million in losses are tied to these frauds each year and about 64% of reported incidents begin via phone calls or texts. Moreover, criminal firms have developed “spoofing-as-a-service” offerings to lower the barrier for fraudulent campaigns. Europol identifies that fragmented regulatory frameworks, weak telecom-industry collaboration and limited trace-back tools leave around 400 million people in 23 surveyed countries exposed. The agency urges harmonised technical standards (such as verification of international inbound calls), better law-enforcement/telecom data sharing and stronger regulatory mandates to block spoofed traffic.
Analyst Comment: The evolution of caller-ID spoofing into a “spoofing-as-a-service” model shows just how industrialised social engineering has become. Europol’s warning goes beyond fraud; it underscores how the same infrastructure can be repurposed by threat actors to impersonate employees, suppliers, or MFA help-desks to gain initial access. This reflects the broader access-broker economy, where low-barrier services lower the skill curve for high-impact attacks. It’s a timely reminder that mobile devices are now a fixed part of the threat surface, that out-of-band authentication must be used, and that voice and SMS channels should be assumed inherently untrusted.
MITRE ATT&CK: T1566.002 - Phishing: Spearphishing Link | T1566.004 - Phishing: Spearphishing Voice | T1110.004 - Brute Force: Credential Stuffing | T1583.006 - Acquire Infrastructure: Web Services
Chinese Hackers Exploit Windows Zero-Day to Spy on European Diplomats
(published: October 31, 2025)
China-linked group UNC6384 (Mustang Panda) is exploiting the Windows .LNK zero-day CVE-2025-9491, also tracked as ZDI-CAN-25373, in targeted spear-phishing attacks against European diplomatic entities in Hungary, Belgium, Italy, the Netherlands, and Serbia. According to Arctic Wolf Labs, the flaw enables crafted shortcut files to execute hidden commands that deliver the PlugX remote access trojan. Lures reference NATO or EU policy topics to encourage engagement. Once executed, PlugX establishes persistence and C2 communications, granting attackers access to sensitive diplomatic data. The campaign shows clear alignment with Mustang Panda’s established tradecraft and infrastructure reuse patterns.
Analyst Comment: The NVD entry for CVE-2025-9491 rates it as a High-severity remote code execution flaw affecting Windows’ .LNK file handling. While Microsoft told BleepingComputer in March that it would “consider addressing” this zero-day, even though it “does not meet the bar for immediate servicing,” it has yet to release security updates to patch this now exploited vulnerability. Given the public disclosure and unpatched status, other threat actors may opportunistically exploit the vulnerability. Defenders should, where feasible, restrict or block .LNK file execution, monitor for unusual processes spawned from shortcuts, filter phishing lures referencing sensitive themes, and implement network controls to detect or block suspicious outbound connections.
MITRE ATT&CK: T1566.001 - Phishing: Spearphishing Attachment | T1204.001 - User Execution: Malicious Link | T1059 - Command and Scripting Interpreter | T1574.002 - Hijack Execution Flow: DLL Side-Loading | T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | T1053.005 - Scheduled Task/Job: Scheduled Task | T1071 - Application Layer Protocol | T1119 - Automated Collection | T1041 - Exfiltration Over C2 Channel
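Blocking or restricting .LNK files at the mail gateway or on download is easier when you can look inside them: a shortcut is a documented binary format (MS-SHLLINK), and the fields that matter for triage, the target it points at, the arguments it passes and how the window is shown, are a few dozen lines to extract. The following Python parser is an added example, not code from Arctic Wolf Labs or the advisory. The sample shortcuts are built in memory by the helper below rather than taken from any real lure, and the triage rules (interpreter as target, minimized window, padded or very long arguments) are general heuristics of mine for "hidden commands", not a description of how CVE-2025-9491 itself works.

```python
"""Minimal MS-SHLLINK (.lnk) parser plus a triage pass for shortcuts that launch
command interpreters.

Added example, not from Arctic Wolf or the advisory. Sample shortcuts are constructed
in memory; the triage heuristics are assumptions, not the CVE-2025-9491 mechanism.
"""
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that opens the window minimized
STRING_DATA = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
               (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
               (HAS_ICON_LOCATION, "icon_location"))
INTERPRETERS = ("cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
                "wscript.exe", "cscript.exe", "rundll32.exe", "regsvr32.exe")


def parse_lnk(data: bytes) -> dict:
    """Walk the 76-byte ShellLinkHeader, skip the optional IDList and LinkInfo
    structures, then read the StringData fields in their fixed order."""
    if len(data) < 0x4C:
        raise ValueError("too short to be a Shell Link file")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    fields = {"show_command": struct.unpack_from("<I", data, 0x3C)[0]}
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:           # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                     # LinkInfoSize is the first field
        pos += struct.unpack_from("<I", data, pos)[0]
    for flag, key in STRING_DATA:                 # each: CountCharacters + characters
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            fields[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[key] = data[pos:pos + count].decode("cp1252")
            pos += count
    return fields


def triage_lnk(data: bytes) -> dict:
    """Flag shortcuts a mail gateway or download filter should hold for review."""
    f = parse_lnk(data)
    target = (f.get("relative_path") or "").lower()
    args = f.get("arguments") or ""
    reasons = []
    if target.endswith(INTERPRETERS):
        reasons.append("target is a command interpreter")
    if f["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("window opens minimized (out of sight)")
    if len(args) > 260 or re.search(r"\s{16,}", args):   # heuristic: padded/oversized arguments
        reasons.append("argument string padded or unusually long")
    return {"fields": f, "reasons": reasons, "suspicious": bool(reasons)}


def build_sample_lnk(relative_path: str, arguments: str, show_command: int = 1) -> bytes:
    """Constructed sample: header + RELATIVE_PATH + COMMAND_LINE_ARGUMENTS, Unicode strings."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments))
    return header + body


# Constructed shortcuts: an ordinary document link and an interpreter-launching one.
SAMPLE_SHORTCUTS = {
    "notes.lnk": build_sample_lnk(r"..\..\Users\jdoe\notes.txt", ""),
    "invoice.pdf.lnk": build_sample_lnk(r"..\..\Windows\System32\cmd.exe",
                                       "/c echo constructed-sample", SW_SHOWMINNOACTIVE),
}

if __name__ == "__main__":
    for name, blob in SAMPLE_SHORTCUTS.items():
        r = triage_lnk(blob)
        print(name, "SUSPICIOUS" if r["suspicious"] else "ok", r["reasons"], r["fields"])
```

Real shortcuts usually carry a LinkTargetIDList and LinkInfo block as well, which is why the parser skips them by their size fields rather than assuming the string data starts right after the header; the sample builder omits them only to keep the constructed bytes short.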
Aisuru Botnet Shifts from DDoS to Residential Proxies
(published: October 28, 2025)
The Aisuru botnet, originally notorious for launching record-setting DDoS attacks exceeding 20 Tbps, has evolved its business model. Rather than merely overwhelming targets, its operators now rent out compromised IoT and home devices as residential proxies. This shift allows threat actors to anonymize malicious traffic, supporting credential stuffing, web scraping, and stealthy C2 operations, by blending into legitimate user IP space. Aisuru’s infrastructure reportedly comprises around 300,000 infected nodes, and its backend saw a takeover of Totolink router firmware updates in April 2025 to scale its foothold. Defensive measures emphasize that blocking by IP reputation will no longer suffice: network operators must focus on behavioral detection, collaboration with ISPs, and rapid remediation of compromised home networks.
Analyst Comment: The transformation of Aisuru into a rentable residential proxy service fits a wider trend across the cybercrime ecosystem. We are now seeing everything-as-a-service models emerge, from DDoS, spoofing, residential proxies and ransomware to access-as-a-service. Each iteration lowers the technical barrier for malicious actors, enabling anyone with modest resources to outsource the most complex parts of an attack. This accessibility of tools means that even less skilled actors can launch campaigns that previously required significant expertise. While the attackers themselves may be less formidable, the impact on targets, whether through credential theft, service disruption, or data exfiltration, can be just as severe. The most important defensive measure is to focus on anomaly and behavioral detection, monitoring for unusual traffic patterns or device behavior that may indicate compromise.
MITRE ATT&CK: T1584.005 - Compromise Infrastructure: Botnet | T1584.008 - Compromise Infrastructure: Network Devices | T1090 - Proxy
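The reason IP reputation stops working against a residential proxy pool is that each address in the pool makes only a handful of requests, so a per-IP threshold or blocklist never fires; the behaviour that survives rotation is the fan-in to the targeted account. The following Python detector is an added example, not code from the Aisuru reporting: it runs the same sliding-window check in both directions over constructed authentication log lines (TEST-NET addresses), and the 5-minute window and the threshold of 5 distinct values are assumptions to tune.

```python
"""Behavioral detection of credential stuffing that does not rely on IP reputation:
(a) one source address trying many accounts, and (b) one account being tried from
many source addresses, which is what a rotating residential-proxy pool looks like.

Added example, not from the Aisuru reporting. Log lines are constructed; the
window and threshold are assumptions.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")

# Constructed log: one classic spray from a single IP, then one account hammered
# from six different addresses, each address failing exactly once.
SAMPLE_LOG = """\
2025-10-28T10:00:01Z src=203.0.113.10 user=alice result=fail
2025-10-28T10:00:02Z src=203.0.113.10 user=bob result=fail
2025-10-28T10:00:04Z src=203.0.113.10 user=carol result=fail
2025-10-28T10:00:05Z src=203.0.113.10 user=dave result=fail
2025-10-28T10:00:07Z src=203.0.113.10 user=erin result=fail
2025-10-28T10:00:09Z src=203.0.113.10 user=frank result=fail
2025-10-28T10:01:00Z src=192.0.2.5 user=alice result=ok
2025-10-28T10:02:30Z src=192.0.2.7 user=bob result=fail
2025-10-28T10:02:41Z src=192.0.2.7 user=bob result=ok
2025-10-28T10:05:10Z src=198.51.100.11 user=victim result=fail
2025-10-28T10:05:40Z src=198.51.100.12 user=victim result=fail
2025-10-28T10:06:15Z src=198.51.100.13 user=victim result=fail
2025-10-28T10:06:50Z src=198.51.100.14 user=victim result=fail
2025-10-28T10:07:30Z src=198.51.100.15 user=victim result=fail
2025-10-28T10:08:05Z src=198.51.100.16 user=victim result=fail
"""


def parse_line(line: str):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def fan_out(events, key: str, other: str, window: timedelta, min_distinct: int) -> dict:
    """For each value of `key`, the largest number of distinct `other` values seen among
    failed attempts inside any sliding `window`; report those reaching `min_distinct`."""
    by_key = defaultdict(list)
    for e in events:
        if e["result"] == "fail":
            by_key[e[key]].append((e["ts"], e[other]))
    alerts = {}
    for k, items in by_key.items():
        items.sort()
        start, best = 0, 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            best = max(best, len({o for _, o in items[start:end + 1]}))
        if best >= min_distinct:
            alerts[k] = best
    return alerts


def detect(lines, window: timedelta = timedelta(minutes=5), min_distinct: int = 5) -> dict:
    events = [e for e in map(parse_line, lines) if e]
    return {
        # classic spray: one IP, many accounts; a per-IP rate limit would also catch this
        "many_users_from_one_ip": fan_out(events, "src", "user", window, min_distinct),
        # proxy-rotated stuffing: one account, many IPs, each failing only once
        "one_user_from_many_ips": fan_out(events, "user", "src", window, min_distinct),
        # shows why a per-IP view misses the second case
        "failures_per_src": Counter(e["src"] for e in events if e["result"] == "fail"),
    }


if __name__ == "__main__":
    for name, hits in detect(SAMPLE_LOG.splitlines()).items():
        print(f"{name}: {dict(hits)}")
```

In the sample, every 198.51.100.x address fails once, so nothing keyed on the source address alone reaches a threshold, while the per-account view reports six distinct sources against "victim" inside three minutes. The same fan-in logic applies to scraping and to C2 check-ins: key on the thing the attacker cannot rotate cheaply (the account, the session, the endpoint path) rather than the address they rent.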