Silver Fox APT Uses Winos 4.0 Malware in Cyber Attacks Against Taiwanese Organizations - Related to internal, logs, ransomware, uses, basta

Researchers Link CACTUS Ransomware Tactics to Former Black Basta Affiliates

Threat actors deploying the Black Basta and CACTUS ransomware families have been found to rely on the same BackConnect (BC) module for maintaining persistent control over infected hosts, a sign that affiliates previously associated with Black Basta may have transitioned to CACTUS.

"Once infiltrated, it grants attackers a wide range of remote control capabilities, allowing them to execute commands on the infected machine," Trend Micro mentioned in a Monday analysis. "This enables them to steal sensitive data, such as login credentials, financial information, and personal files."

It's worth noting that details of the BC module, which the cybersecurity business is tracking as QBACKCONNECT owing to overlaps with the QakBot loader, was first documented in late January 2025 by both Walmart's Cyber Intelligence team and Sophos, the latter of which has designated the cluster the name STAC5777.

Over the past year, Black Basta attack chains have increasingly leveraged email bombing tactics to trick prospective targets into installing Quick Assist after being contacted by the threat actor under the guise of IT support or helpdesk personnel.

The access then serves as a conduit to sideload a malicious DLL loader ("[website]") named REEDBED using [website], a legitimate executable responsible for updating Microsoft OneDrive. The loader ultimately decrypts and runs the BC module.

The shift to other initial access methods is the result of a law enforcement operation that took down the infrastructure associated with QakBot, which Black Basta has historically used to gain initial access to corporate networks. The use of QBACKCONNECT alludes to a close working relationship between Black Basta and the QakBot developers.

Trend Micro noted it observed a CACTUS ransomware attack that employed the same modus operandi to deploy BackConnect, but also go beyond it to carry out various post-exploitation actions like lateral movement and data exfiltration. However, efforts to encrypt the victim's network ended in failure.

Another previously recorded connection between Black Basta and CACTUS concerns the use of a PowerShell script called TotalExec to automate the deployment of the encryptor.

The convergence of tactics assumes special significance in light of the recent Black Basta chat log leaks that laid bare the e-crime gang's inner workings and organizational structure.

Specifically, it has emerged that members of the financially motivated crew shared valid credentials, some of which have been sourced from information stealer logs. Some of the other prominent initial access points are Remote Desktop Protocol (RDP) portals and VPN endpoints.

"Threat actors are using these tactics, techniques, and procedures (TTP) — vishing, Quick Assist as a remote tool, and BackConnect — to deploy Black Basta ransomware," Trend Micro noted.

"Specifically, there is evidence suggesting that members have transitioned from the Black Basta ransomware group to the CACTUS ransomware group. This conclusion is drawn from the analysis of similar tactics, techniques, and procedures (TTPs) being utilized by the CACTUS group."

A previously undocumented polyglot malware is being deployed in attacks against aviation, satellite communication, and critical transportation organiz......

A new botnet malware named 'Eleven11bot' has infected over 86,000 IoT devices, primarily security cameras and network video recorders (NVRs), to condu......

TrapC ist eine neue, auf Cybersicherheit spezialisierte Variante der Programmiersprache C. Sie zielt darauf ab, die in C und C++ gängigen Speicherprob......

Leaked Black Basta Ransomware Chat Logs Reveal Inner Workings and Internal Conflicts

More than a year's worth of internal chat logs from a ransomware gang known as Black Basta have been .

The Russian-language chats on the Matrix messaging platform between September 18, 2023, and September 28, 2024, were initially leaked on February 11, 2025, by an individual who goes by the handle ExploitWhispers, who claimed that they released the data because the group was targeting Russian banks. The identity of the leaker remains a mystery.

Black Basta first came under the spotlight in April 2022, using the now-largely-defunct QakBot (aka QBot) as a delivery vehicle. .S. government in May 2024, the double extortion crew is estimated to have targeted more than 500 private industry and critical infrastructure entities in North America, Europe, and Australia.

Per Elliptic and Corvus Insurance, the prolific ransomware group is estimated to have netted at least $107 million in Bitcoin ransom payments from more than 90 victims by the end of 2023.

Swiss cybersecurity corporation PRODAFT mentioned the financially motivated threat actor, also tracked as Vengeful Mantis, has been "mostly inactive since the start of the year" due to internal strife, with some of its operators scamming victims by collecting ransom payments without providing a working decryptor.

What's more, key members of the Russia-linked cybercrime syndicate are revealed to have jumped ship to the CACTUS (aka Nurturing Mantis) and Akira ransomware operations.

"The internal conflict was driven by 'Tramp' (LARVA-18), a known threat actor who operates a spamming network responsible for distributing QBot," PRODAFT expressed in a post on X. "As a key figure within BLACKBASTA, his actions played a major role in the group's instability."

Some of the salient aspects of the leak, which contains nearly 200,000 messages, are listed below -.

Lapa is one of the main administrators of Black Basta and involved in administrative tasks.

Cortes is associated with the QakBot group, which has sought to distance itself in the wake of Black Basta's attacks against Russian banks.

YY is another administrator of Black Basta who is involved in support tasks.

Trump is one of the aliases for "the group's main boss" Oleg Nefedov, who goes by the names GG and AA.

Trump and another individual, Bio, worked together in the now-dismantled Conti ransomware scheme.

One of the Black Basta affiliates is believed to be a minor aged 17 years.

Black Basta has begun to actively incorporate social engineering into their attacks following the success of Scattered Spider.

, the Black Basta group leverages known vulnerabilities, misconfigurations, and insufficient security controls to obtain initial access to target networks. The discussions show that SMB misconfigurations, exposed RDP servers, and weak authentication mechanisms are routinely exploited, often relying on default VPN credentials or brute-forcing stolen credentials.

Top 20 CVEs Actively Exploited by Black Basta.

Another key attack vector entails the deployment of malware droppers to deliver the malicious payloads. In a further attempt to evade detection, the e-crime group has been found to use legitimate file-sharing platforms like [website], [website], and [website] for hosting the payloads.

"Ransomware groups are no longer taking their time once they breach an organization's network," Saeed Abbasi, manager of product at Qualys Threat Research Unit (TRU), stated. "in recent times leaked data from Black Basta demonstrates they're moving from initial access to network-wide compromise within hours – sometimes even minutes."

The disclosure comes as Check Point's Cyberint Research Team revealed that the Cl0p ransomware group has resumed targeting organizations, listing organizations that were breached on its data leak site following the exploitation of a lately disclosed security flaw (CVE-2024-50623) impacting the Cleo managed file transfer software.

The development also follows an advisory released by the [website] Cybersecurity and Infrastructure Security Agency (CISA) about a wave of data exfiltration and ransomware attacks orchestrated by the Ghost actors targeting organizations across more than 70 countries, including those in China.

The group has been observed rotating its ransomware executable payloads, switching file extensions for encrypted files, and modifying ransom note text, leading the group called by other names such as Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture.

"Beginning early 2021, Ghost actors began attacking victims whose internet facing services ran outdated versions of software and firmware," the agency noted. "Ghost actors, located in China, conduct these widespread attacks for financial gain. Affected victims include critical infrastructure, schools and universities, healthcare, government networks, religious institutions, technology and manufacturing companies, and numerous small- and medium-sized businesses."

Ghost is known to use publicly available code to exploit internet-facing systems by employing various vulnerabilities in Adobe ColdFusion (CVE-2009-3960, CVE-2010-2861), Fortinet FortiOS appliances (CVE-2018-13379), and Microsoft Exchange Server (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207, aka ProxyShell).

A successful exploitation is followed by the deployment of a web shell, which is then utilized to download and execute the Cobalt Strike framework. The threat actors have also been observed using a wide range of tools like Mimikatz and BadPotato for credential harvesting and privilege escalation, respectively.

"Ghost actors used elevated access and Windows Management Instrumentation Command-Line (WMIC) to run PowerShell commands on additional systems on the victim network – often for the purpose of initiating additional Cobalt Strike Beacon infections," CISA mentioned. "In cases where lateral movement attempts are unsuccessful, Ghost actors have been observed abandoning an attack on a victim."

Cybersecurity firm VulnCheck revealed that 62 unique CVEs were mentioned in the Black Basta chat logs, of which 53 of them ([website] are known to be exploited in the wild.

"Black Basta exhibits a clear preference for targets with known weaknesses, focusing on vulnerabilities that already have available exploits," VulnCheck's Patrick Garrity stated. "The group seems to favor widely adopted enterprise technologies, including products like Citrix NetScaler, Confluence Atlassian, Fortinet, Cisco, Palo Alto, CheckPoint, and Microsoft Windows."

It also pointed out that targets are selected based on several factors, including the targeting of high-revenue companies that are more likely to pay up, the exploits available for gaining initial access, and geographic considerations.

Threat Intelligence firm GreyNoise, in a parallel findings, mentioned it has observed active exploitation of 23 of the 62 CVEs, necessitating that consumers move quickly to apply the necessary patches, if not already.

"Some of these CVEs have been actively exploited in just the past 24 hours, including critical flaws in Palo Alto PAN-OS, JetBrains TeamCity, Microsoft Exchange, and Cisco IOS XE," the firm noted.

As of February 26, 2025, the subset of CVEs targeted within the past 24 hours is as follows -.

CVE-2021-26855 – Microsoft Exchange Server RCE (ProxyLogon).

CVE-2021-44228 – Apache Log4j RCE (Log4Shell).

CVE-2022-30525 – Zyxel Multiple Firewalls OS Command Injection.

CVE-2022-41082 – Microsoft Exchange Server Remote Code Execution.

CVE-2023-4966 – Citrix NetScaler ADC Buffer Overflow (Citrix Bleed).

CVE-2023-20198 – Cisco IOS XE Web UI Privilege Escalation.

CVE-2023-22515 – Atlassian Confluence Broken Access Control.

CVE-2023-36845 – Juniper Junos OS PHP External Variable Control.

CVE-2024-1709 – ConnectWise ScreenConnect Authentication Bypass.

CVE-2024-3400 – Palo Alto Networks PAN-OS Command Injection.

CVE-2024-24919 – Check Point Quantum Security Gateways Information Disclosure.

CVE-2024-27198 – JetBrains TeamCity Authentication Bypass.

(The story was updated after publication to include additional information about the CVEs used by Black Basta.).

Fake travel reservations are exacting more pain from the travel weary, already dealing with the misery of canceled flights and overbooked hotels.

Microsoft warns that Chinese cyber-espionage threat group 'Silk Typhoon' has shifted its tactics, now targeting remote management tools and cloud serv......

The Electronic Frontier Foundation (EFF) has released a free, open-source tool named Rayhunter that is designed to detect cell-site simulators (CSS), ......

Silver Fox APT Uses Winos 4.0 Malware in Cyber Attacks Against Taiwanese Organizations

A new campaign is targeting companies in Taiwan with malware known as Winos [website] as part of phishing emails masquerading as the country's National Taxation Bureau.

The campaign, detected last month by Fortinet FortiGuard Labs, marks a departure from previous attack chains that have leveraged malicious game-related applications.

"The sender claimed that the malicious file attached was a list of enterprises scheduled for tax inspection and asked the receiver to forward the information to their business's treasurer," security researcher Pei Han Liao mentioned in a investigation shared with The Hacker News.

The attachment mimics an official document from the Ministry of Finance, urging the recipient to download the list of enterprises scheduled for tax inspection.

But in reality, the list is a ZIP file containing a malicious DLL ("[website]") that lays the groundwork for the next attack stage, leading to the execution of shellcode that's responsible for downloading a Winos [website] module from a remote server ("[website][.]60") for gathering sensitive data.

The component, described as a login module, is capable of taking screenshots, logging keystrokes, altering clipboard content, monitoring connected USB devices, running shellcode, and permitting the execution of sensitive actions ([website], [website] when security prompts from Kingsoft Security and Huorong are displayed.

Fortinet expressed it also observed a second attack chain that downloads an online module that can capture screenshots of WeChat and online banks.

It's worth noting that the intrusion set distributing the Winos [website] malware has been assigned the monikers Void Arachne and Silver Fox, with the malware also overlapping with another remote access trojan tracked as ValleyRAT.

"They are both derived from the same source: Gh0st RAT, which was developed in China and open-sourced in 2008," Daniel dos Santos, Head of Security Research at Forescout's Vedere Labs, told The Hacker News.

"Winos and ValleyRAT are variations of Gh0st RAT attributed to Silver Fox by different researchers at different points in time. Winos was a name commonly used in 2023 and 2024 while now ValleyRAT is more commonly used. The tool is constantly evolving, and it has both local Trojan/RAT capabilities as well as a command-and-control server."

ValleyRAT, first identified in early 2023, has been lately observed using fake Chrome sites as a conduit to infect Chinese-speaking clients. Similar drive-by download schemes have also been employed to deliver Gh0st RAT.

Furthermore, Winos [website] attack chains have incorporated what's called a CleverSoar installer that's executed by means of an MSI installer package distributed as fake software or gaming-related applications. Also dropped alongside Winos [website] via CleverSoar is the open-source Nidhogg rootkit.

"The CleverSoar installer [...] checks the user's language settings to verify if they are set to Chinese or Vietnamese," Rapid7 noted in late November 2024. "If the language is not recognized, the installer terminates, effectively preventing infection. This behavior strongly indicates that the threat actor is primarily targeting victims in these regions."

The disclosure comes as the Silver Fox APT has been linked to a new campaign that leverages trojanized versions of Philips DICOM viewers to deploy ValleyRAT, which is then used to drop a keylogger, and a cryptocurrency miner on victim computers. Notably, the attacks have been found to use a vulnerable version of the TrueSight driver to disable antivirus software.

"This campaign leverages trojanized DICOM viewers as lures to infect victim systems with a backdoor (ValleyRAT) for remote access and control, a keylogger to capture user activity and credentials, and a crypto miner to exploit system resources for financial gain," Forescout mentioned.

Cyber threats are growing more sophisticated, and traditional security approaches struggle to keep up. Organizations can no longer rely on periodic as......

The threat actor known as Space Pirates has been linked to a malicious campaign targeting Russian information technology (IT) organizations with a pre......

An insufficient validation input flaw, one of 11 patched in an improvement this week, could allow for arbitrary code execution and is under active attack.