Gurucul’s Threat Research team proactively develops countermeasures for a constantly evolving threat landscape. Our multidisciplinary approach, leveraging diverse expertise, ensures comprehensive detection coverage.
The Gurucul Threat Research team uses diverse public threat intelligence sources to gain insight into threat actor tactics and attack patterns.
This intelligence, when combined with commercial data and anonymized customer information, empowers our threat hunters, researchers, and data scientists to proactively identify and mitigate emerging threats.
Platforms like MISP, NIST, MITRE, and SIGMA serve as rich repositories to aid in the creation of new detection models and stay ahead of the adversary.
Gurucul maintains a dedicated team of threat researchers, data scientists, and threat hunters who meticulously analyze a vast array of threat intelligence, encompassing open-source, commercial, and proprietary data.
Our threat hunting and research teams leverage this intelligence to investigate emerging threats, uncovering their origins, scope, and potential impact. By meticulously cataloging Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IOCs), our experts develop robust countermeasures and mitigation strategies.
This comprehensive threat intelligence is shared with our data science team, who employ advanced analytics to build predictive models and algorithms.
Our detection engineering team is the culmination point for the collective efforts of our threat research, threat hunting, and data science teams. This fusion of intelligence, coupled with advanced models and algorithms, results in a robust Threat Content-as-a-Service offering, updated weekly. We share these insights with the broader community through the Gurucul Community and platforms like MITRE to bolster collective defense against evolving threats.
Beyond threat indicators, we provide pre-built threat hunting queries to accelerate investigations. Our detection engineering team meticulously crafts comprehensive threat content, including detections, classifications, pre-built reports, automated response actions, investigation tools, and alerts.
Intel Name: Createdump process dump
Date of Scan: 04/30/25
Impact: Medium
Summary:
Detects the use of the LOLBIN utility “createdump.exe” for capturing process memory dumps.
Intel Name: Gremlin Stealer: new stealer on sale in underground forum
Date of Scan: 04/30/25
Impact: Medium
Summary:
Gremlin Stealer is a newly discovered information-stealing malware written in C# and actively promoted on a Telegram group since March 2025. Designed to target Windows systems, it exfiltrates sensitive data—including browser cookies, credit card information, clipboard contents, crypto wallets, FTP, and VPN credentials—and uploads it to a remote server. The malware scans for various applications on victims’ devices to maximize data theft. Its emergence adds to the growing threat landscape of stealers, highlighting the need for robust protection measures.
Intel Name: Distribution of PebbleDash malware in March 2025
Date of Scan: 04/29/25
Impact: Medium
Summary:
In March 2025, the PebbleDash backdoor malware, previously linked to the Lazarus group, was observed being distributed in new campaigns targeting individuals. The latest activity includes the use of additional malware and modules alongside PebbleDash to enhance its capabilities. Notably, attackers have shifted from using open-source RDP Wrapper tools to directly patching the termsrv.dll file, enabling unauthorized remote desktop access and demonstrating evolving techniques for persistence and control.
Intel Name: DumpMinitool execution
Date of Scan: 04/29/25
Impact: Medium
Summary:
Detects the execution of “DumpMinitool.exe,” a utility used to capture process memory dumps through the “MiniDumpWriteDump” function.
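Both of the process-dump entries above (createdump.exe and DumpMinitool.exe) reduce to the same detection shape: match the image basename in process-creation telemetry and weight the alert by where the binary was launched from. The following is an added example, not Gurucul's detection content or the original rules; it runs over constructed Sysmon-style Event ID 1 records in JSON, and the "expected" install locations it checks (the .NET shared runtime directory for createdump.exe, the Visual Studio test-platform directory for DumpMinitool.exe) are assumptions made for the example.

```python
"""Flag process-creation events that launch memory-dump LOLBINs (added example)."""
import json
import ntpath

# Image basenames named in the two intel entries, matched case-insensitively.
DUMP_TOOLS = {"createdump.exe", "dumpminitool.exe"}

# Assumption for this example: directories these binaries normally ship in.
# A launch from anywhere else (e.g. a copy in a user-writable folder) is
# treated as higher severity because it suggests the tool was staged.
EXPECTED_PATH_FRAGMENTS = {
    "createdump.exe": ("\\dotnet\\shared\\microsoft.netcore.app\\",),
    "dumpminitool.exe": ("\\testplatform\\extensions\\",),
}


def classify_event(event):
    """Return a finding dict for a dump-tool launch, or None if not relevant."""
    image = event.get("Image", "")
    base = ntpath.basename(image).lower()
    if base not in DUMP_TOOLS:
        return None
    lowered = image.lower()
    in_expected = any(frag in lowered for frag in EXPECTED_PATH_FRAGMENTS[base])
    return {
        "tool": base,
        "severity": "medium" if in_expected else "high",
        "image": image,
        "command_line": event.get("CommandLine", ""),
        "parent": event.get("ParentImage", ""),
        "user": event.get("User", ""),
    }


def scan_log(lines):
    """Parse JSON-per-line events; keep only Sysmon Event ID 1 (process creation)."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate non-JSON noise in the feed
        if event.get("EventID") != 1:
            continue
        finding = classify_event(event)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample events (not real telemetry); paths and the 8.0.0 version are placeholders.
SAMPLE_LOG = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "User": "CORP\\alice"}
{"EventID": 1, "Image": "C:\\Program Files\\dotnet\\shared\\Microsoft.NETCore.App\\8.0.0\\createdump.exe", "CommandLine": "createdump.exe 4812", "ParentImage": "C:\\Program Files\\dotnet\\dotnet.exe", "User": "CORP\\svc-build"}
{"EventID": 1, "Image": "C:\\Users\\Public\\createdump.exe", "CommandLine": "createdump.exe 652", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "User": "CORP\\alice"}
{"EventID": 3, "Image": "C:\\Users\\Public\\createdump.exe", "DestinationIp": "203.0.113.9"}
{"EventID": 1, "Image": "C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\Common7\\IDE\\Extensions\\TestPlatform\\Extensions\\DumpMinitool.exe", "CommandLine": "DumpMinitool.exe --file out.dmp", "ParentImage": "C:\\Program Files\\Microsoft Visual Studio\\2022\\Community\\Common7\\IDE\\devenv.exe", "User": "CORP\\bob"}
this line is not json and is skipped
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f"[{f['severity']}] {f['tool']} by {f['user']} from {f['parent']}: {f['command_line']}")
```

The severity split is the practical part: a developer tool running from its install directory under a build account is routine, while the same binary launched from a public folder by an interactive user is the case worth paging on. Tuning means extending EXPECTED_PATH_FRAGMENTS and, where available, adding the parent-process and user context the finding already carries.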
Intel Name: Windows bot malware “Blitz” abuses Hugging Face services
Date of Scan: 04/28/25
Impact: High
Summary:
Since last year, we have been monitoring a Windows bot malware known as “Blitz.” Its infection chain involves multiple stages, including an initial dropper, a downloader, and the main botnet component. The likely infection vectors are either backdoored game cheats in recent samples or installer files in older ones, with the cheats promoted via the threat actor’s Telegram channel. The attacker also exploits Hugging Face’s AI app directory, “Spaces,” to host the malware and manage command-and-control (C2) operations, ultimately aiming to deploy a cryptocurrency miner on compromised systems.
Intel Name: Earth Kurma APT campaign targets Southeast Asian government, telecom sectors
Date of Scan: 04/28/25
Impact: Medium
Summary:
The Earth Kurma APT campaign targets government and telecommunications sectors in Southeast Asia, particularly in the Philippines, Vietnam, Thailand, and Malaysia. This sophisticated attack uses advanced malware, including custom rootkits and cloud storage for data exfiltration. The attackers aim for espionage, credential theft, and maintaining undetected access through kernel-level rootkits. Their tactics include strategic infrastructure abuse and complex evasion methods.
Intel Name: Unmasking the evolving threat: a deep dive into the latest version of Lumma infostealer with code flow obfuscation
Date of Scan: 04/25/25
Impact: High
Summary:
Lumma Stealer, first detected in 2022, remains a persistent and evolving threat, frequently adapting its tactics, techniques, and procedures (TTPs) to match emerging trends. Distributed via a subscription-based Malware-as-a-Service (MaaS) model on the dark web, Lumma is built to evade detection by identifying virtual and sandbox environments. It can exfiltrate sensitive data such as browser credentials, email information, cryptocurrency wallet data, and other personally identifiable information (PII) stored within critical system directories.
Intel Name: Introducing ToyMaker, an initial access broker working in cahoots with double extortion gangs
Date of Scan: 04/25/25
Impact: Medium
Summary:
In 2023, “ToyMaker,” an initial access broker (IAB), was discovered working with double extortion gangs. Believed to be financially motivated, ToyMaker exploits internet-exposed vulnerabilities to deploy a custom backdoor called “LAGTOY” on victim systems, allowing access and credential extraction. LAGTOY enables reverse shells and command execution. After compromising systems, ToyMaker hands over access to groups like Cactus, a double extortion gang, which employs its own tactics to further exploit the victim’s network.
Intel Name: Russian infrastructure plays crucial role in North Korean cybercrime operations
Date of Scan: 04/24/25
Impact: High
Summary:
Multiple Russian IP address ranges—masked through VPNs, proxy servers, and VPS infrastructure—are being used in cybercrime operations aligned with North Korea’s Void Dokkaebi group (also known as Famous Chollima). These IPs are linked to companies near the North Korea-Russia border and support IT workers operating from countries like China, Russia, and Pakistan. The infrastructure facilitates activities such as job scams, cryptocurrency theft, and brute-force attacks. Instructional materials and non-native English content suggest potential collaboration with foreign conspirators. Targets include IT professionals in Ukraine, the U.S., and Germany, particularly those involved in crypto, Web3, and blockchain.
Intel Name: Tunneling-based scans for DNS resolvers
Date of Scan: 04/24/25
Impact: High
Summary:
Since January 2025, several domains have been observed engaging in scanning activity leveraging DNS tunneling techniques. These domains target DNS resolvers hosted on public IPv4 and IPv6 addresses. To evade source IP-based access controls, the attacker spoofs the source IP to appear as an adjacent destination address. The domains’ nameservers are hosted on IPs 209.141.56[.]200 and 2605:6400:20:9d:2d8c:6f33:f4dbab02, with the FQDN encoding the target IP in hexadecimal format within the domain name.
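The resolver-side signal for the activity described above is a query name that carries a hex-encoded IPv4 address as one of its labels, repeated across many distinct targets under one domain. The following is an added example, not Gurucul's content or the original report's code: it decodes such labels from constructed resolver query logs and flags domains whose queries decode to several distinct targets. The exact encoding is not specified on the page, so the example assumes the target appears as a single 8-hex-character label; the log line format and the domain names are constructed for the example.

```python
"""Find DNS query names that embed hex-encoded IPv4 targets (added example)."""
import ipaddress
import re
from collections import defaultdict

# Assumption: the target IPv4 address is carried as one label of exactly 8 hex chars.
HEX_LABEL = re.compile(r"^[0-9a-f]{8}$")

# Constructed log format for the example: "<timestamp> client=<ip> qname=<name> qtype=<type>"
QNAME_FIELD = re.compile(r"qname=(\S+)")


def decode_hex_ipv4(label):
    """Return the dotted-quad form of an 8-hex-char label, or None if it is not one."""
    label = label.lower()
    if not HEX_LABEL.match(label):
        return None
    return str(ipaddress.IPv4Address(int(label, 16)))


def extract_target(qname):
    """Return the first label of a query name that decodes to an IPv4 address."""
    for label in qname.rstrip(".").split("."):
        ip = decode_hex_ipv4(label)
        if ip is not None:
            return ip
    return None


def registered_domain(qname):
    """Crude grouping key: the last two labels (a public-suffix list would be better)."""
    parts = qname.rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else qname


def find_scanning_domains(lines, min_targets=3):
    """Map domain -> sorted distinct decoded targets, keeping only domains over the threshold.

    The threshold exists because ordinary hostnames (hashes, CDN labels) can also look
    like 8 hex characters; a single decodable label is noise, many distinct ones are a scan.
    """
    targets = defaultdict(set)
    for line in lines:
        m = QNAME_FIELD.search(line)
        if not m:
            continue
        qname = m.group(1)
        ip = extract_target(qname)
        if ip is None:
            continue
        targets[registered_domain(qname)].add(ip)
    return {d: sorted(ips) for d, ips in targets.items() if len(ips) >= min_targets}


# Constructed resolver log lines (not real traffic); addresses are documentation ranges.
SAMPLE_DNS_LOG = """
2025-01-15T10:00:01Z client=198.51.100.7 qname=c0a80001.scan-example.test qtype=A
2025-01-15T10:00:02Z client=198.51.100.7 qname=c0a80002.scan-example.test qtype=A
2025-01-15T10:00:03Z client=198.51.100.7 qname=c0a80003.scan-example.test qtype=AAAA
2025-01-15T10:00:04Z client=203.0.113.5 qname=www.example.test qtype=A
2025-01-15T10:00:05Z client=203.0.113.5 qname=deadbeef.cdn.example.test qtype=A
"""

if __name__ == "__main__":
    for domain, ips in find_scanning_domains(SAMPLE_DNS_LOG.splitlines()).items():
        print(f"{domain}: {len(ips)} distinct decoded targets, e.g. {ips[0]}")
```

Because the report notes the scanner spoofs its source address, the client IP in the log is not a reliable pivot; grouping on the queried domain and its nameservers, as the decoder does here, is what survives the spoofing. Extending the heuristic to IPv6 targets would mean accepting a 32-hex-character label (or a run of labels) and decoding it with ipaddress.IPv6Address.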
REVEAL is the visionary security platform that delivers radical clarity into your cyber risk and drastically reduces data costs. It’s a unified suite of capabilities and tools that uncover true threats and quantify risks in real-time—regardless of the data source, across the entire IT estate.
REVEAL gives security teams the visibility, focus, and perspective they need to outpace threats and focus on what matters most.
The DisGoMoji malware operates under the control of its creators through the popular messaging platform Discord. To maintain secrecy, the attackers have ingeniously devised a system of using emojis within Discord messages to transmit commands to the malware.
Lockkey is a ransomware variant written in the Go programming language, making it potentially more cross-platform and resilient than ransomware traditionally written in languages like C++. While the specifics of its technical mechanisms are unavailable due to the restricted source.