Cyber Security Weekly Briefing, 11-15 August

August 15, 2025

UAC-0099 refines its arsenal and maintains cyber espionage TTPs in campaigns against Ukraine

UAC-0099 is a threat actor that has been active since 2022, focusing on cyber espionage against government, military, and defense agencies in Ukraine. In 2023, it used the PowerShell LONEPAGE loader distributed via spear-phishing with malicious attachments, deploying tools such as THUMBCHOP, CLOGFLAG, and TOR/SSH utilities.

In 2024, it kept the email vector, added exploitation of CVE-2023-38831 in WinRAR (CVSSv3 7.8, according to CISA), and adopted a two-stage LONEPAGE loader with 3DES encryption to evade detection, while continuing to abuse cloud services for C2. In 2025, it replaced LONEPAGE with a new C# toolkit (MATCHBOIL, MATCHWOK, and DRAGSTARE), with more complex infection chains based on scheduled tasks and persistent payloads.

Despite the technical changes, it maintained key TTPs: targeted phishing, obfuscated scripts, persistence through tasks or registry keys, and data theft.

More info

Analysis of SoupDealer malware

Malwation researchers have analyzed SoupDealer, a stealthy malware loader written in Java that runs in a three-stage chain with a high degree of obfuscation, scheduled task persistence, and TOR-based component retrieval, including environment checks for Turkish Windows regional settings.

It is distributed via phishing campaigns in the TEKLIFALINACAKURUNLER.jar and FIYATTEKLIFI.jar files, and downloads and executes variants of Adwind/Eclipse RAT capable of executing remote commands, capturing screens, performing lateral movement, and evading antivirus software.

Although it has not been publicly linked to any specific malicious actor, the campaigns have targeted banks, internet service providers, and medium-sized businesses in Turkey. Recommended defenses include disabling Java and macros in emails, implementing URL/DNS filters, segmenting networks, keeping EDR solutions up to date, and improving user awareness training.

More info

Efimer: multipurpose Trojan combining cryptocurrency theft with propagation via the web

In June 2025, a massive campaign was detected distributing the Efimer Trojan, designed to steal cryptocurrencies and spread via compromised WordPress sites, malicious torrents, and phishing emails. The messages posed as lawyers reporting alleged trademark infringements, attaching files that installed the malware.

Efimer functions as a ClipBanker, replacing wallet addresses in the clipboard and stealing seed phrases, communicating with its C2 server via Tor. It includes additional modules for WordPress brute force, email address harvesting, and spam distribution.

Some variants extend the theft to Tron and Solana wallets, in addition to Bitcoin, Ethereum, and Monero. Between October 2024 and July 2025, it affected more than 5,000 users, with the greatest impact in Brazil, India, and Spain.
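The ClipBanker behaviour described above (a wallet address on the clipboard silently replaced by another of the same family) can be spotted on an endpoint by watching clipboard writes. The following is an added illustration, not code from the briefing or from the Efimer analysis: it assumes an endpoint agent that records each clipboard write with a timestamp and the owning process (the `ClipEvent` records below are constructed), classifies text into coarse address families, and flags a write that replaces an address with a different address of the same family within a short window, which is the signature of an automated swap rather than a user copying a second address later.

```python
import re
from dataclasses import dataclass

# Coarse address-family patterns (assumption for this example; real validators
# also check checksums). Bitcoin is tested before Solana because both use base58.
FAMILIES = [
    ("ethereum", re.compile(r"^0x[0-9a-fA-F]{40}$")),
    ("tron",     re.compile(r"^T[1-9A-HJ-NP-Za-km-z]{33}$")),
    ("monero",   re.compile(r"^4[0-9AB][1-9A-HJ-NP-Za-km-z]{93}$")),
    ("bitcoin",  re.compile(r"^(?:[13][1-9A-HJ-NP-Za-km-z]{25,34}|bc1[ac-hj-np-z02-9]{25,59})$")),
    ("solana",   re.compile(r"^[1-9A-HJ-NP-Za-km-z]{32,44}$")),
]


def address_family(text):
    """Return the wallet family name the text looks like, or None for ordinary text."""
    text = text.strip()
    for name, pattern in FAMILIES:
        if pattern.match(text):
            return name
    return None


@dataclass
class ClipEvent:
    t: float      # seconds since the monitor started
    owner: str    # process that wrote the clipboard (as reported by a hypothetical agent)
    text: str     # clipboard content after the write


# Constructed clipboard history: the second write is an automated swap, the
# later Ethereum address is a legitimate user copy 40 seconds after the first.
EVENTS = [
    ClipEvent(0.0,  "chrome.exe",  "1" + "A" * 33),        # user copies a Bitcoin address
    ClipEvent(0.4,  "unknown.exe", "1" + "B" * 33),        # replaced 400 ms later by another process
    ClipEvent(12.0, "chrome.exe",  "meeting notes"),       # ordinary text, ignored
    ClipEvent(30.0, "chrome.exe",  "0x" + "a" * 40),       # user copies an Ethereum address
    ClipEvent(70.0, "chrome.exe",  "0x" + "b" * 40),       # a different address, but 40 s later
]


def detect_swaps(events, window=2.0):
    """Flag writes that replace a wallet address with a different address of the
    same family within `window` seconds of the previous write."""
    swaps = []
    prev = None
    for ev in events:
        fam = address_family(ev.text)
        if prev is not None and fam is not None:
            same_family = address_family(prev.text) == fam
            changed = prev.text.strip() != ev.text.strip()
            if same_family and changed and (ev.t - prev.t) <= window:
                swaps.append({
                    "t": ev.t,
                    "family": fam,
                    "original": prev.text,
                    "replacement": ev.text,
                    "owner": ev.owner,
                })
        prev = ev
    return swaps


if __name__ == "__main__":
    for swap in detect_swaps(EVENTS):
        print(f"[{swap['t']:.1f}s] {swap['family']} address swapped by {swap['owner']}")
```

The two-second window is a tunable assumption: a user rarely copies two different addresses of the same family within that time, while a clipboard hijacker reacts to the first copy almost immediately. The owning process in each flagged record is what an analyst would pivot on next.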

More info

Cmimai Stealer: VBS infostealer exfiltrating data and screenshots via Discord

K7 Labs has analyzed Cmimai Stealer, a Visual Basic Script infostealer detected since June 2025 that uses PowerShell and native Windows scripting to collect system information, Chrome/Edge profile metadata, and screenshots. The distinctive aspect of the campaign is that the data is exfiltrated via Discord webhooks.

The malware creates at least two temporary scripts (vbs_ps_browser.ps1 and vbs_ps_diag.ps1), used respectively to read browser profile settings and encrypted keys, and to capture the screen and compress the image before uploading it, running a persistent hourly cycle to update the information.

Behavioral patterns to monitor include the execution of powershell.exe, creation of temporary files with the vbs_ prefix, and HTTPS traffic to Discord with the User-Agent “Cmimai Stealer VBS UI Rev.”
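The three indicators above (powershell.exe execution, `vbs_`-prefixed temporary files, and Discord webhook traffic carrying the stealer's User-Agent) can be correlated per host rather than alerted on individually, since powershell.exe on its own is noisy. The following is an added example, not code from the briefing or from K7 Labs: it assumes process-creation, file-creation and web-proxy telemetry normalised into simple dictionaries (the sample events below are constructed), matches each against one of the three indicators, and raises a host verdict only when the evidence combines. The User-Agent string is the one quoted above; the webhook URL pattern and the Temp-folder path convention are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Indicator from the report as summarised above; matched case-insensitively as a substring.
DISCORD_UA = "Cmimai Stealer VBS UI Rev"
# Assumed script location: a vbs_-prefixed .ps1/.vbs under a Temp folder.
VBS_TEMP_RE = re.compile(r"\\Temp\\vbs_[^\\\s]+\.(?:ps1|vbs)(?=\s|$)", re.IGNORECASE)
# Assumed webhook endpoint pattern.
WEBHOOK_RE = re.compile(r"^https://discord(?:app)?\.com/api/webhooks/", re.IGNORECASE)

# Constructed telemetry: WS01 shows the full chain, WS02 is benign PowerShell and Discord use.
EVENTS = [
    {"host": "WS01", "type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\u\AppData\Local\Temp\vbs_ps_browser.ps1"},
    {"host": "WS01", "type": "file",
     "path": r"C:\Users\u\AppData\Local\Temp\vbs_ps_diag.ps1"},
    {"host": "WS01", "type": "http",
     "url": "https://discord.com/api/webhooks/000000/placeholder-token",
     "user_agent": "Cmimai Stealer VBS UI Rev"},
    {"host": "WS02", "type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\inventory.ps1"},
    {"host": "WS02", "type": "http",
     "url": "https://discord.com/api/v9/gateway",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0) discord-client"},
]


def match_event(ev):
    """Return the name of the indicator the event hits, or None."""
    if ev["type"] == "process":
        is_powershell = PureWindowsPath(ev["image"]).name.lower() == "powershell.exe"
        if is_powershell and VBS_TEMP_RE.search(ev["cmdline"]):
            return "powershell_runs_vbs_temp_script"
    elif ev["type"] == "file":
        if VBS_TEMP_RE.search(ev["path"]):
            return "vbs_prefixed_temp_file"
    elif ev["type"] == "http":
        ua = ev.get("user_agent", "").lower()
        if WEBHOOK_RE.match(ev["url"]) and DISCORD_UA.lower() in ua:
            return "discord_webhook_stealer_ua"
    return None


def scan(events):
    """Group indicator hits per host and derive a verdict.

    The User-Agent hit is specific enough to alert alone; the other two
    indicators alert only in combination, since either can occur legitimately.
    Returns (hits_per_host, verdict_per_host).
    """
    hits = {}
    for ev in events:
        rule = match_event(ev)
        if rule is not None:
            hits.setdefault(ev["host"], set()).add(rule)
    verdicts = {}
    for host, rules in hits.items():
        if "discord_webhook_stealer_ua" in rules or len(rules) >= 2:
            verdicts[host] = "alert"
        else:
            verdicts[host] = "suspicious"
    return hits, verdicts


if __name__ == "__main__":
    hits, verdicts = scan(EVENTS)
    for host in sorted(hits):
        print(host, verdicts[host], sorted(hits[host]))
```

The hourly refresh cycle mentioned above means these hits recur on a schedule; extending `scan` to count repeated webhook posts per host over a day would separate a one-off test from the stealer's periodic exfiltration.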

More info

CastleBot MaaS platform used in large-scale ransomware campaigns

IBM X-Force has identified CastleBot, a Malware-as-a-Service framework active since early 2025, distributing payloads ranging from infostealers to ransomware-linked backdoors such as WarmCookie and NetSupport. Its three-stage architecture uses stagers and loaders with ChaCha encryption and advanced EDR evasion techniques, including PEB_LDR_DATA manipulation and process injection (QueueUserAPC, NtManageHotPatch).

Initial access vectors include trojanized installers, SEO poisoning, fake GitHub repositories, and the ClickFix technique. Campaigns delivered multiple malware strains (Rhadamanthys, Remcos, DeerStealer, SecTopRAT, HijackLoader, MonsterV2) via DLL sideloading and malicious ZIP archives. Recommendations include strengthening EDR, blocking non-HTTPS outgoing traffic, implementing MFA, and training users to avoid unverified downloads.

More info