Monthly summary of interesting articles, reports and tools for tech experts, covering both offensive and defensive topics.
🔴 Red Team
📝 APT28 Operation Phantom Net Voxel
Sekoia.io’s analysis of APT28’s Operation Phantom Net Voxel describes a multi-stage infection chain targeting Ukrainian military personnel with weaponized Office documents delivered over Signal Desktop. Files received this way carry no Mark-of-the-Web (MOTW), so the Protected View and macro-blocking controls Office applies to internet-sourced documents never kick in. The chain starts with VBA macros that drop a malicious DLL (prnfldr.dll) and a PNG file (windows.png) with shellcode hidden in its pixel data. The DLL persists through COM hijacking, recovers the shellcode by reading the least-significant bits of the image (LSB steganography), and the shellcode then loads the Covenant framework’s Grunt HTTP stager, which reaches its operators through Koofr cloud storage to establish a C2 channel.
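To make the LSB step concrete, here is an added illustration of the technique (not APT28’s loader and not a parser for windows.png): a payload is written one bit at a time into the low bit of successive 8-bit channel values, behind a 4-byte length header, and read back the same way. The cover array and the stand-in payload are constructed; a real carrier would be the decoded pixel data of the PNG.

```python
"""Least-significant-bit (LSB) steganography: embed a payload in the low bit of
each pixel channel value and extract it again.

Added illustration of the technique described above; it is not APT28's loader
and does not parse windows.png. The cover is a constructed flat array of 8-bit
channel values (what you would get from the pixel data of a decoded RGB image)."""
import struct


def embed_lsb(channels: bytes, payload: bytes) -> bytearray:
    """Store a 4-byte big-endian length header followed by the payload,
    one bit per channel value, most significant bit first."""
    data = struct.pack(">I", len(payload)) + payload
    needed = len(data) * 8
    if needed > len(channels):
        raise ValueError(f"cover too small: need {needed} channel values, have {len(channels)}")
    out = bytearray(channels)
    for i, byte in enumerate(data):
        for bit in range(8):
            idx = i * 8 + bit
            out[idx] = (out[idx] & 0xFE) | ((byte >> (7 - bit)) & 1)
    return out


def _read_bytes(channels: bytes, start_bit: int, count: int) -> bytes:
    """Reassemble `count` bytes from the LSBs starting at channel index start_bit."""
    out = bytearray()
    for i in range(count):
        byte = 0
        for bit in range(8):
            byte = (byte << 1) | (channels[start_bit + i * 8 + bit] & 1)
        out.append(byte)
    return bytes(out)


def extract_lsb(channels: bytes, max_len: int = 1 << 20) -> bytes:
    """Recover the payload, refusing lengths the cover cannot hold (a cheap
    sanity check that the LSB plane really carries this layout)."""
    if len(channels) < 32:
        raise ValueError("cover too small for a length header")
    (length,) = struct.unpack(">I", _read_bytes(channels, 0, 4))
    if length > max_len or 32 + length * 8 > len(channels):
        raise ValueError("implausible embedded length: not this layout or no payload")
    return _read_bytes(channels, 32, length)


def max_channel_delta(original: bytes, stego: bytes) -> int:
    """LSB embedding changes each channel value by at most 1, which is why the
    carrier still renders as a normal-looking image."""
    return max(abs(a - b) for a, b in zip(original, stego))


if __name__ == "__main__":
    cover = bytes((i * 37 + 11) % 256 for i in range(1024))   # constructed "pixels"
    payload = b"constructed stand-in, not shellcode"
    stego = embed_lsb(cover, payload)
    assert extract_lsb(bytes(stego)) == payload
    print(len(payload), "bytes hidden; max per-channel change:", max_channel_delta(cover, stego))
```

The length header and the plausibility check in `extract_lsb` are what a triage script needs: run it over the channel data of a suspicious image and a nonsensical length is a quick sign that either there is no payload or the malware uses a different bit layout.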
The campaign uses Covenant’s C2Bridge to route traffic through Koofr’s API: tasking and results travel as file uploads and downloads, protected with hybrid encryption. APT28 also deployed BeardShell, a C++ backdoor that uses Icedrive for C2, runs PowerShell commands and exfiltrates system information every four hours. The malware combines XOR and ChaCha20-Poly1305 encryption with anti-analysis checks, and disguises its artifacts as image files (e.g. BMP, PNG) to evade detection.
This operation highlights APT28’s use of cloud storage abuse, advanced steganography, and living-off-the-land techniques to target military logistics and personnel, aligning with GRU’s cyber espionage objectives.
📌 Source: https://blog.sekoia.io/apt28-operation-phantom-net-voxel
📝 Hacking the World Poker Tour: Inside ClubWPT Gold’s Back Office
Sam Curry and Shubs Shah uncovered critical flaws in ClubWPT Gold’s infrastructure, starting from a staging environment (coin-admin.clubwpt.liuxinyi1.cn) whose URL was hardcoded in the frontend JavaScript. The staging admin panel exposed its .env file and .git directory, leaking environment variables (including Alibaba Cloud credentials, which turned out to be inactive) and the full back-office source code. The .env file also listed admin usernames, and one of them accepted a trivial password (eg3478:123456), giving the pair an authenticated session on the staging back office.
The most severe issue was an unauthenticated 2FA bypass in the /admin/otp/bind endpoint: it accepted a uid and a secret straight from the request, without a session and without tying the uid to the caller, so anyone could overwrite any user’s 2FA secret with one they controlled. Used against the production admin panel, this exposed sensitive customer PII (KYC data, transaction histories, IP addresses and geolocation). ClubWPT Gold patched the issues promptly after responsible disclosure.
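The pattern generalises beyond this one panel, so here is an added example (not ClubWPT Gold’s code) contrasting an OTP "bind" handler with the described flaw against a hardened two-step enrollment. The in-memory store, the session dicts and the request dicts are constructed; the TOTP routine follows RFC 6238 (HMAC-SHA1, 30-second step, 6 digits) and is checked against the RFC test vector.

```python
"""Two-factor enrollment done wrong and done right.

Added example reconstructing the class of flaw described above (an OTP "bind"
endpoint that trusts a caller-supplied uid and secret); it is not ClubWPT Gold's
code. The store is an in-memory dict, sessions are plain dicts, and the TOTP
routine follows RFC 6238 (HMAC-SHA1, 30 s step, 6 digits)."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

STEP = 30


def totp(secret_b32: str, at: int, digits: int = 6) -> str:
    """RFC 6238 TOTP over an RFC 4648 base32 secret."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", at // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def bind_otp_vulnerable(store: dict, request: dict) -> dict:
    """The anti-pattern: no session, target chosen by the caller, secret chosen
    by the caller and activated immediately. Anyone who knows a uid can take
    over that account's second factor."""
    store[request["uid"]]["otp_secret"] = request["secret"]
    return {"ok": True}


def begin_otp_bind(store: dict, session: Optional[dict]) -> dict:
    """Step 1 of the hardened flow: the uid comes from the authenticated session,
    the server generates the secret, and it is parked as *pending*."""
    uid = session.get("uid") if session else None
    if uid is None or uid not in store:
        return {"ok": False, "error": "authentication required"}
    secret = base64.b32encode(secrets.token_bytes(20)).decode()
    store[uid]["pending_otp_secret"] = secret
    return {"ok": True, "secret": secret}   # shown to the user once, e.g. as a QR code


def confirm_otp_bind(store: dict, session: Optional[dict], request: dict,
                     now: Optional[int] = None) -> dict:
    """Step 2: the pending secret only becomes active once the caller proves
    possession with a valid code. Any uid in the request body is ignored."""
    uid = session.get("uid") if session else None
    if uid is None or uid not in store:
        return {"ok": False, "error": "authentication required"}
    pending = store[uid].get("pending_otp_secret")
    if not pending:
        return {"ok": False, "error": "no enrollment in progress"}
    now = int(time.time()) if now is None else now
    code = str(request.get("code", ""))
    # accept one step of clock skew either way; compare in constant time
    if not any(hmac.compare_digest(totp(pending, now + d * STEP), code) for d in (-1, 0, 1)):
        return {"ok": False, "error": "invalid code"}
    store[uid]["otp_secret"] = pending
    del store[uid]["pending_otp_secret"]
    return {"ok": True}


if __name__ == "__main__":
    users = {"1001": {"otp_secret": None}, "2002": {"otp_secret": "VICTIM-SECRET"}}
    bind_otp_vulnerable(users, {"uid": "2002", "secret": "ATTACKER"})   # no login needed
    print("victim's 2FA secret is now:", users["2002"]["otp_secret"])
    step1 = begin_otp_bind(users, {"uid": "1001"})
    step2 = confirm_otp_bind(users, {"uid": "1001"}, {"uid": "2002", "code": totp(step1["secret"], int(time.time()))})
    print("hardened flow bound 1001 only:", step2["ok"], users["2002"]["otp_secret"])
```

Three properties close the hole: the target identity is derived from the session rather than the body, the secret is generated server-side so the attacker cannot pick one they already know, and nothing changes until a code proves the enrolling user actually holds that secret.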
The attack chain underscores the risks of exposed development artifacts, weak credentials, and broken authentication mechanisms in critical systems.
📌 Source: https://samcurry.net/hacking-clubwpt-gold
📝 Mustang Panda Adopts New DLL Side-Loading Method to Deploy Malware
Mustang Panda, a China-linked threat actor, recently used a refined DLL side-loading chain against the Tibetan community: a ZIP archive posing as a Dalai Lama photo album, containing a decoy executable ("Voice for the Voiceless Photos.exe") and a DLL (libjyy.dll) carrying the MS-DOS archive, read-only, hidden and system attributes (arhs), so Explorer and most file browsers do not show it by default. The executable is only a loader: it calls LoadLibraryW on the DLL, which masquerades as a component of the legitimate "Wargaming.net Game Center" software.
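The attribute trick is visible before anything is extracted, because Windows-created ZIP entries keep the MS-DOS attribute byte in the central directory. The added scanner below (written for this newsletter, not from the Mustang Panda report) flags any archive where an .exe shares a folder with a DLL marked hidden or system; the sample archive it builds reuses the file names from the report but holds placeholder bytes, not the real sample.

```python
"""Scan a ZIP archive for the lure layout described above: an executable sitting
next to a DLL whose MS-DOS attributes mark it hidden and/or system.

Added example; the sample archive built below is constructed (placeholder bytes
behind the reported file names), not the Mustang Panda artifact."""
import io
import zipfile

# MS-DOS attribute bits. For entries created on Windows (create_system == 0),
# zip tools store them in the low byte of the central-directory external attributes.
READONLY, HIDDEN, SYSTEM, ARCHIVE = 0x01, 0x02, 0x04, 0x20


def dos_attrs(info: zipfile.ZipInfo) -> str:
    """Render the low attribute byte in attrib-style letters: a, r, h, s."""
    bits = info.external_attr & 0xFF
    return "".join(c for c, m in (("a", ARCHIVE), ("r", READONLY), ("h", HIDDEN), ("s", SYSTEM)) if bits & m)


def _dirname(name: str) -> str:
    return name.rsplit("/", 1)[0] if "/" in name else ""


def find_hidden_sideload_pairs(zip_bytes: bytes) -> list:
    """Return one finding per (exe, hidden/system dll) pair in the same folder."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        files = [i for i in zf.infolist() if not i.is_dir()]
        exes = [i for i in files if i.filename.lower().endswith(".exe")]
        for dll in files:
            if not dll.filename.lower().endswith(".dll"):
                continue
            if not (dll.external_attr & 0xFF) & (HIDDEN | SYSTEM):
                continue
            for exe in exes:
                if _dirname(exe.filename) == _dirname(dll.filename):
                    findings.append({"exe": exe.filename, "dll": dll.filename, "attrs": dos_attrs(dll)})
    return findings


def build_sample_zip(hide_dll: bool = True) -> bytes:
    """Constructed archive: visible decoy .exe, a DLL with attributes arhs (or just a), a benign file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Voice for the Voiceless Photos.exe", b"MZ placeholder, not a PE")
        dll = zipfile.ZipInfo("libjyy.dll")
        dll.create_system = 0                        # Windows-created entry
        dll.external_attr = (ARCHIVE | READONLY | HIDDEN | SYSTEM) if hide_dll else ARCHIVE
        zf.writestr(dll, b"MZ placeholder, not a PE")
        zf.writestr("photo01.jpg", b"\xff\xd8 placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for f in find_hidden_sideload_pairs(build_sample_zip()):
        print(f"suspicious: {f['exe']} sits beside {f['dll']} (attrib {f['attrs']})")
```

Running the same check at the mail gateway or on download directories catches the layout regardless of the decoy’s name; a benign archive with a plain DLL next to an executable (the `hide_dll=False` case) produces no finding.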
The loader, dubbed Claimloader, obfuscates API names and strings with a single-byte XOR (key 0x19) and resolves Windows APIs at runtime to evade static detection. It sets up redundant persistence: a copy in a fake Adobe directory launched from a registry Run key, plus a scheduled task ("AdobeExperienceManager") that fires every two minutes. When started with the "Licensing" argument, it runs Publoader shellcode by passing it as the callback to EnumFontsW; the shellcode locates the APIs it needs by walking the PEB and matching ROR13 hashes of export names, then contacts its C2 servers and exfiltrates system data.
This campaign highlights Mustang Panda’s use of social engineering, advanced obfuscation, and redundant persistence to maintain access and evade security controls.
📌 Source: https://gbhackers.com/mustang-panda
📝 Crimson Collective hackers target AWS cloud instances for data theft
The Crimson Collective threat group has been targeting AWS environments, exploiting exposed credentials and IAM misconfigurations to steal data and extort victims. The group uses the open-source secret scanner TruffleHog to find leaked long-term AWS access keys, then creates new IAM users with the AdministratorAccess policy attached, giving it full control of the account. From there the attackers enumerate resources, reset RDS master passwords, take database snapshots and exfiltrate data through S3 buckets and EC2 instances, often launching fresh instances behind permissive security groups to stage the transfer.
After the theft, Crimson Collective sends extortion notes via AWS Simple Email Service (SES) and from external e-mail addresses, demanding a ransom. Rapid7 researchers noted that the group reuses IP addresses across incidents, which helps with tracking and attribution. AWS recommends short-lived, least-privilege credentials and restrictive IAM policies as mitigation, and tools such as S3crets Scanner can help find exposed secrets before attackers do.
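Every step of that chain is a CloudTrail management event, so it can be correlated. The added example below (ours, not Rapid7’s or AWS’s detection content) runs four rules over constructed, abridged CloudTrail records: IAM writes made with a long-term key (access key IDs beginning AKIA, as opposed to ASIA for temporary STS credentials), a freshly created user being granted AdministratorAccess, a key minted for that user, and an RDS master-password reset. The account ID and key IDs are AWS documentation placeholders.

```python
"""Correlate CloudTrail management events into the chain described above: a
long-term access key creates an IAM user, attaches AdministratorAccess, mints a
key for it, and the new identity then resets an RDS master password.

Added example over constructed, abridged CloudTrail records; it is not Rapid7's
or AWS's detection content. Account ID and key IDs are AWS documentation placeholders."""
from collections import defaultdict
from datetime import datetime

ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
IAM_WRITES = {"CreateUser", "AttachUserPolicy", "PutUserPolicy", "CreateAccessKey", "CreateLoginProfile"}
_ACCT = "111122223333"
_KEY_USER = {"type": "IAMUser", "arn": f"arn:aws:iam::{_ACCT}:user/ci-deploy", "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}
_NEW_USER = {"type": "IAMUser", "arn": f"arn:aws:iam::{_ACCT}:user/support-backup", "accessKeyId": "AKIAI44QH8DHBEXAMPLE"}
_ROLE = {"type": "AssumedRole", "arn": f"arn:aws:sts::{_ACCT}:assumed-role/Admins/alice", "accessKeyId": "ASIAIOSFODNN7EXAMPLE"}

SAMPLE_EVENTS = [   # constructed; fields trimmed to what the rules read
    {"eventTime": "2025-10-01T10:00:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": _KEY_USER, "requestParameters": {"userName": "support-backup"}},
    {"eventTime": "2025-10-01T10:00:20Z", "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "userIdentity": _KEY_USER, "requestParameters": {"userName": "support-backup", "policyArn": ADMIN_POLICY}},
    {"eventTime": "2025-10-01T10:00:45Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": _KEY_USER, "requestParameters": {"userName": "support-backup"}},
    {"eventTime": "2025-10-01T10:20:00Z", "eventSource": "rds.amazonaws.com", "eventName": "ModifyDBInstance",
     "userIdentity": _NEW_USER,
     "requestParameters": {"dBInstanceIdentifier": "prod-db", "masterUserPassword": "****", "applyImmediately": True}},
    # benign: an admin role with temporary credentials creates a read-only service user
    {"eventTime": "2025-10-01T11:00:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "userIdentity": _ROLE, "requestParameters": {"userName": "svc-reporting"}},
    {"eventTime": "2025-10-01T11:00:30Z", "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "userIdentity": _ROLE, "requestParameters": {"userName": "svc-reporting",
                                                 "policyArn": "arn:aws:iam::aws:policy/ReadOnlyAccess"}},
]


def _ts(e):
    return datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _actor(e):
    return e["userIdentity"].get("arn", "unknown")


def detect(events, window_s: int = 1800) -> list:
    """Return findings as dicts with a 'rule' key; window_s bounds the
    CreateUser -> privilege/key correlation for one actor."""
    findings = []
    by_actor = defaultdict(list)
    for e in events:
        by_actor[_actor(e)].append(e)
        key_id = e["userIdentity"].get("accessKeyId", "")
        # AKIA* = long-term IAM user key, ASIA* = temporary STS credential
        if e["eventName"] in IAM_WRITES and key_id.startswith("AKIA"):
            findings.append({"rule": "long_term_key_iam_write", "actor": _actor(e), "event": e["eventName"]})
        params = e.get("requestParameters") or {}
        if e["eventName"] == "ModifyDBInstance" and "masterUserPassword" in params:
            findings.append({"rule": "rds_master_password_reset", "actor": _actor(e),
                             "target": params.get("dBInstanceIdentifier")})
    for actor, evs in by_actor.items():
        evs.sort(key=_ts)
        created = {}   # userName -> time of CreateUser by this actor
        for e in evs:
            p = e.get("requestParameters") or {}
            user, t = p.get("userName"), _ts(e)
            if e["eventName"] == "CreateUser":
                created[user] = t
            elif user in created and (t - created[user]).total_seconds() <= window_s:
                if e["eventName"] == "AttachUserPolicy" and p.get("policyArn") == ADMIN_POLICY:
                    findings.append({"rule": "new_user_granted_admin", "actor": actor, "target": user})
                elif e["eventName"] == "CreateAccessKey":
                    findings.append({"rule": "new_user_key_minted", "actor": actor, "target": user})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
```

The correlation is keyed on the acting principal, so the benign role session that creates a read-only user produces nothing, while the long-term key that creates, empowers and equips a new user trips three rules before the RDS tampering even starts.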
This campaign underscores the risks of credential exposure, privilege escalation, and cloud-native extortion tactics in modern cloud environments.
🔵 Blue Team
🛠️ CISA Eviction Strategies Tool
CISA’s Eviction Strategies Tool gives incident responders a structured way to plan the containment and eviction of an adversary. It has two parts: Playbook-NG, a web application for building and tracking an eviction plan, and COUN7ER, a database of atomic post-compromise countermeasures mapped to adversary TTPs in MITRE ATT&CK. A responder selects the techniques observed in an intrusion and COUN7ER returns the matching countermeasures, which shortens response planning, reduces attacker dwell time and keeps eviction steps consistent across environments. Plans can be customised, exported and folded into existing incident response workflows, for public and private sector organisations alike.
📌 Source: https://www.cisa.gov/resources-tools/resources/eviction-strategies-tool
📝 Velociraptor leveraged in ransomware attacks
Cisco Talos confirmed that the Storm-2603 threat group abused Velociraptor, an open-source DFIR tool, to maintain stealthy persistence and deploy Warlock, LockBit and Babuk ransomware in a recent campaign. The attackers installed an outdated, vulnerable build (0.73.4.0, affected by CVE-2025-6264), which can be abused for arbitrary command execution and endpoint takeover. The choice is awkward for defenders: Velociraptor is a legitimate, trusted DFIR tool, so its binaries, services and traffic are often allowlisted or ignored by security monitoring. The attackers used it to keep access even after hosts had been isolated, complicating incident response while they deployed fileless PowerShell encryptors and exfiltrated data.
The campaign also involved disabling Microsoft Defender protections, modifying GPOs, and using Smbexec for lateral movement. The lesson for blue teams is that "legitimate tool" is not the same as "our tool": inventory which DFIR and remote-management agents are sanctioned, alert on installs or configurations that deviate from that baseline, and re-evaluate detection strategies for living-off-the-land attacks.
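One way to turn that lesson into a check is an allowlist over the things an attacker-installed copy cannot easily match: the install path, the hash of the client configuration we issued, and the version we pinned. The added example below (ours, not from the Talos report) runs such a check over constructed process records of the kind an EDR emits; the approved path, config hash and version are placeholders an operator would fill from their own deployment, and the command-line shape is assumed.

```python
"""Allowlist check for Velociraptor clients. The tool is trusted, so the question
is not "is Velociraptor running" but "is THIS Velociraptor ours": the binary
location we install to, a client config we issued, and the version we pinned.

Added example over constructed process records (image path, command line, file
version and the SHA-256 of the config the command line points to, as an EDR
would report them). APPROVED holds placeholders, not values from the Talos report."""
import re
from dataclasses import dataclass

APPROVED = {
    "image_paths": {r"c:\program files\velociraptor\velociraptor.exe"},
    "config_sha256": {"0" * 64},        # placeholder: hash of the client.config.yaml we issued
    "min_version": (0, 74, 0),          # placeholder: version our sanctioned deployment runs
}


@dataclass
class ProcRecord:
    image: str
    cmdline: str
    file_version: str
    config_sha256: str


def parse_version(s: str) -> tuple:
    """'0.73.4.0' -> (0, 73, 4); unparseable strings sort lowest."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", s)
    return tuple(int(x) for x in m.groups()) if m else (0, 0, 0)


def is_velociraptor(rec: ProcRecord) -> bool:
    return rec.image.lower().endswith("velociraptor.exe")


def check(rec: ProcRecord, approved: dict = APPROVED) -> list:
    """Return the rules a Velociraptor process violates; [] for non-Velociraptor
    processes and for a sanctioned client."""
    if not is_velociraptor(rec):
        return []
    findings = []
    if rec.image.lower() not in approved["image_paths"]:
        findings.append("unapproved_image_path")
    if rec.config_sha256.lower() not in approved["config_sha256"]:
        findings.append("unknown_client_config")
    if parse_version(rec.file_version) < approved["min_version"]:
        findings.append("version_below_pin")
    return findings


# constructed records
SANCTIONED = ProcRecord(
    image=r"C:\Program Files\Velociraptor\Velociraptor.exe",
    cmdline=r'"C:\Program Files\Velociraptor\Velociraptor.exe" --config "C:\Program Files\Velociraptor\client.config.yaml" service run',
    file_version="0.74.0.0",
    config_sha256="0" * 64,
)
ROGUE = ProcRecord(
    image=r"C:\Windows\Temp\vr\velociraptor.exe",
    cmdline=r'C:\Windows\Temp\vr\velociraptor.exe --config C:\Windows\Temp\vr\client.config.yaml service run',
    file_version="0.73.4.0",
    config_sha256="f" * 64,
)
UNRELATED = ProcRecord(image=r"C:\Windows\System32\svchost.exe", cmdline="svchost.exe -k netsvcs",
                       file_version="10.0.19041.1", config_sha256="")

if __name__ == "__main__":
    for rec in (SANCTIONED, ROGUE, UNRELATED):
        print(rec.image, "->", check(rec) or "ok")
```

The config hash is the strongest of the three signals: an attacker who plants their own client must point it at their own server, which means a config file we never issued, even if they copy our install path and version.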
📌 Source: https://blog.talosintelligence.com/velociraptor-leveraged-in-ransomware-attacks
Never trust, always check


