Gurucul’s Threat Research team proactively develops countermeasures for a constantly evolving threat landscape. Our multidisciplinary approach, leveraging diverse expertise, ensures comprehensive detection coverage.
The Gurucul Threat Research team uses diverse public threat intelligence sources to gain insight into threat actor tactics and attack patterns.
This intelligence, when combined with commercial data and anonymized customer information, empowers our threat hunters, researchers, and data scientists to proactively identify and mitigate emerging threats.
Platforms like MISP, NIST, MITRE, and SIGMA serve as rich repositories to aid in the creation of new detection models and stay ahead of the adversary.
Gurucul maintains a dedicated team of threat researchers, data scientists, and threat hunters who meticulously analyze a vast array of threat intelligence, encompassing open-source, commercial, and proprietary data.
Our threat hunting and research teams leverage this intelligence to investigate emerging threats, uncovering their origins, scope, and potential impact. By meticulously cataloging Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IOCs), our experts develop robust countermeasures and mitigation strategies.
This comprehensive threat intelligence is shared with our data science team, who employ advanced analytics to build predictive models and algorithms.
Our detection engineering team is the culmination point for the collective efforts of our threat research, threat hunting, and data science teams. This fusion of intelligence, coupled with advanced models and algorithms, results in a robust Threat Content-as-a-Service offering, updated weekly. We share these insights with the broader community through the Gurucul Community and platforms like MITRE to bolster collective defense against evolving threats.
Beyond threat indicators, we provide pre-built threat hunting queries to accelerate investigations. Our detection engineering team meticulously crafts comprehensive threat content, including detections, classifications, pre-built reports, automated response actions, investigation tools, and alerts.
Intel Name: Gamaredon campaign abuses LNK files to distribute Remcos backdoor
Date of Scan: 03/31/25
Impact: Medium
Summary:
A campaign targeting users in Ukraine is using malicious LNK files, which run a PowerShell downloader. These files are named with Russian words related to troop movements in Ukraine to lure victims. The downloader connects to geo-fenced servers in Russia and Germany to retrieve a second-stage Zip file containing the Remcos backdoor. The backdoor is executed via DLL side loading. This activity is believed to be associated with the Gamaredon threat actor group.
Intel Name: A deep dive into Water Gamayun’s arsenal and infrastructure
Date of Scan: 03/31/25
Impact: High
Summary:
Water Gamayun exploits the MSC EvilTwin zero-day (CVE-2025-26633) to compromise systems and steal data using custom payloads and exfiltration techniques. The attack deploys malicious provisioning packages, signed .msi files, and Windows MSC files, leveraging tools like IntelliJ runnerw.exe for execution. Malware strains such as EncryptHub Stealer, SilentPrism, and DarkWisp enable persistence, data theft, and C&C communication via encrypted channels. Organizations can mitigate this threat through patch management and advanced threat detection, with Trend customers protected by Trend Vision One™ rules and filters.
Intel Name: Look before you leap: imposter DeepSeek software seek gullible users
Date of Scan: 03/28/25
Impact: Medium
Summary:
The blog highlights how malware creators exploit popular trends, such as “AI” and “DeepSeek,” to deceive unsuspecting users into downloading malicious software. By manipulating search engine optimization (SEO) and using trending keywords, cybercriminals boost the visibility of malicious sites. The blog serves as a reminder to stay cautious and skeptical during hype cycles to avoid falling for such scams.
Intel Name: PJobRAT makes a comeback, takes another crack at chat apps
Date of Scan: 03/28/25
Impact: High
Summary:
In 2021, researchers reported that PJobRAT, an Android RAT first seen in 2019, targeted Indian military personnel by mimicking dating and messaging apps. Since then, little has been reported—until a recent threat hunt uncovered a now-concluded campaign targeting users in Taiwan. PJobRAT can steal SMS messages, contacts, device details, documents, and media files from infected Android devices. In this latest campaign, researchers found PJobRAT samples posing as instant messaging apps, with all identified victims based in Taiwan.
Intel Name: DragonForce ransomware – reverse engineering report
Date of Scan: 03/27/25
Impact: High
Summary:
DragonForce ransomware is a malicious program that encrypts files on compromised systems and demands a cryptocurrency ransom, typically in Bitcoin, for decryption. It spreads through phishing emails, malicious websites, and system vulnerabilities. While it shares similarities with other ransomware variants, DragonForce exhibits distinct features and behaviors.
Intel Name: CoffeeLoader: a brew of stealthy techniques
Date of Scan: 03/27/25
Impact: Medium
Summary:
CoffeeLoader is a sophisticated malware loader designed to deploy secondary payloads while evading detection by endpoint security software. It employs advanced techniques such as call stack spoofing, sleep obfuscation, and Windows fibers to avoid analysis. The loader uses a custom packer, Armoury, which executes code on the system’s GPU, making analysis in virtual environments more difficult. Additionally, CoffeeLoader incorporates a domain generation algorithm (DGA) for fallback communication if primary channels are blocked and uses certificate pinning to prevent TLS man-in-the-middle attacks. It has been observed deploying Rhadamanthys shellcode.
Intel Name: New Android malware campaigns evading detection using cross-platform framework .NET MAUI
Date of Scan: 03/26/25
Impact: Medium
Summary:
“New Android Malware Campaigns Evading Detection Using Cross-Platform Framework .NET MAUI” discusses how cybercriminals are exploiting the .NET MAUI framework to create malware that bypasses security measures. These threats disguise themselves as legitimate apps to steal sensitive information. The blog highlights the malware’s evasion techniques and provides recommendations for staying protected.
Intel Name: CVE-2025-26633: how Water Gamayun weaponizes MUIPath using MSC EvilTwin
Date of Scan: 03/26/25
Impact: High
Summary:
Trend Research uncovered a campaign by the Russian threat actor Water Gamayun exploiting a zero-day in the Microsoft Management Console (CVE-2025-26633). The attack manipulates .msc files and MUIPath to execute malicious code, maintain persistence, and steal data. This threat poses significant risks to enterprises, potentially leading to data breaches and financial losses. Businesses relying on Microsoft’s administrative tools are particularly vulnerable. Trend Research has named this technique MSC EvilTwin (CVE-2025-26633) and is tracking it as ZDI-CAN-26371, also referred to as ZDI-25-150.
Intel Name: Cyber threat hunting in healthcare, file infectors, botnets
Date of Scan: 03/25/25
Impact: High
Summary:
“Cyber Threat Hunting in Healthcare, File Infectors, Botnets” expands on the initial investigation into Silver Fox, a Chinese threat actor abusing Philips DICOM viewers to deploy a backdoor trojan. In this follow-up, the analysis focuses on malware detection using VirusTotal (VT), leveraging threat intelligence sources like eyeInspect’s and REM’s default credentials lists, along with a database of common healthcare software names. The investigation identifies malware that masquerades as legitimate healthcare applications, exploits medical system credentials, and interacts with medical devices via protocols like DICOM and HL7, highlighting the growing threat of file infectors and botnets in healthcare environments.
Intel Name: Real-time anti-phishing: essential defense against evolving cyber threats
Date of Scan: 03/25/25
Impact: High
Summary:
Recent threat data reveals key insights into phishing campaigns and evolving cybercriminal tactics. Facebook remains a top phishing target due to its widespread use and valuable user data, with scams often disguised as account warnings. In mid-February, phishing attacks spiked against Roblox, tricking users with fake alerts and prize notifications. Late January saw a surge in phishing attempts targeting various platforms, highlighting the broad reach of these attacks.
REVEAL is the visionary security platform that delivers radical clarity into your cyber risk and drastically reduces data costs. It’s a unified suite of capabilities and tools that uncover true threats and quantify risks in real-time—regardless of the data source, across the entire IT estate.
REVEAL gives security teams the visibility, focus, and perspective they need to outpace threats and focus on what matters most.
The DisGoMoji malware operates under the control of its creators through the popular messaging platform Discord. To maintain secrecy, the attackers have ingeniously devised a system of using emojis within Discord messages to transmit commands to the malware.
Lockkey is a ransomware variant written in the Go programming language, making it potentially more cross-platform and resilient than ransomware traditionally written in languages like C++. The specifics of its technical mechanisms are unavailable because the source is restricted.