Gurucul’s Threat Research team proactively develops countermeasures for a constantly evolving threat landscape. Our multidisciplinary approach, leveraging diverse expertise, ensures comprehensive detection coverage.
The Gurucul Threat Research team uses diverse public threat intelligence sources to gain insight into threat actor tactics and attack patterns.
This intelligence, when combined with commercial data and anonymized customer information, empowers our threat hunters, researchers, and data scientists to proactively identify and mitigate emerging threats.
Platforms like MISP, NIST, MITRE, and SIGMA serve as rich repositories to aid in the creation of new detection models and stay ahead of the adversary.
Gurucul maintains a dedicated team of threat researchers, data scientists, and threat hunters who meticulously analyze a vast array of threat intelligence, encompassing open-source, commercial, and proprietary data.
Our threat hunting and research teams leverage this intelligence to investigate emerging threats, uncovering their origins, scope, and potential impact. By meticulously cataloging Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IOCs), our experts develop robust countermeasures and mitigation strategies.
This comprehensive threat intelligence is shared with our data science team, who employ advanced analytics to build predictive models and algorithms.
Our detection engineering team is the culmination point for the collective efforts of our threat research, threat hunting, and data science teams. This fusion of intelligence, coupled with advanced models and algorithms, results in a robust Threat Content-as-a-Service offering, updated weekly. We share these insights with the broader community through the Gurucul Community and platforms like MITRE to bolster collective defense against evolving threats.
Beyond threat indicators, we provide pre-built threat hunting queries to accelerate investigations. Our detection engineering team meticulously crafts comprehensive threat content, including detections, classifications, pre-built reports, automated response actions, investigation tools, and alerts.
Intel Name: DragonForce ransomware – reverse engineering report
Date of Scan: 03/27/25
Impact: High
Summary:
DragonForce ransomware is a malicious program that encrypts files on compromised systems and demands a cryptocurrency ransom, typically in Bitcoin, for decryption. It spreads through phishing emails, malicious websites, and system vulnerabilities. While it shares similarities with other ransomware variants, DragonForce exhibits distinct features and behaviors.
Intel Name: CoffeeLoader: a brew of stealthy techniques
Date of Scan: 03/27/25
Impact: Medium
Summary:
CoffeeLoader, the subject of “CoffeeLoader: A Brew of Stealthy Techniques”, is a sophisticated malware loader designed to deploy secondary payloads while evading detection by endpoint security software. It employs advanced techniques such as call stack spoofing, sleep obfuscation, and Windows fibers to avoid analysis. The loader uses a custom packer, Armoury, which executes code on the system’s GPU, making analysis in virtual environments more difficult. Additionally, CoffeeLoader incorporates a domain generation algorithm (DGA) for fallback communication if primary channels are blocked and uses certificate pinning to prevent TLS man-in-the-middle interception of its traffic. It has been observed deploying Rhadamanthys shellcode.
Intel Name: New Android malware campaigns evading detection using cross-platform framework .NET MAUI
Date of Scan: 03/26/25
Impact: Medium
Summary:
“New Android Malware Campaigns Evading Detection Using Cross-Platform Framework .NET MAUI” discusses how cybercriminals are exploiting the .NET MAUI framework to create malware that bypasses security measures. These threats disguise themselves as legitimate apps to steal sensitive information. The blog highlights the malware’s evasion techniques and provides recommendations for staying protected.
Intel Name: CVE-2025-26633: how Water Gamayun weaponizes MUIPath using MSC EvilTwin
Date of Scan: 03/26/25
Impact: High
Summary:
Trend Research uncovered a campaign by the Russian threat actor Water Gamayun exploiting a zero-day in the Microsoft Management Console (CVE-2025-26633). The attack manipulates .msc files and MUIPath to execute malicious code, maintain persistence, and steal data. This threat poses significant risks to enterprises, potentially leading to data breaches and financial losses. Businesses relying on Microsoft’s administrative tools are particularly vulnerable. We have named this technique MSC EvilTwin (CVE-2025-26633) and are tracking it as ZDI-CAN-26371, also referred to as ZDI-25-150.
Intel Name: Cyber threat hunting in healthcare, file infectors, botnets
Date of Scan: 03/25/25
Impact: High
Summary:
“Cyber Threat Hunting in Healthcare, File Infectors, Botnets” expands on the initial investigation into Silver Fox, a Chinese threat actor abusing Philips DICOM viewers to deploy a backdoor trojan. In this follow-up, the analysis focuses on malware detection using VirusTotal (VT), leveraging threat intelligence sources like eyeInspect’s and REM’s default credentials lists, along with a database of common healthcare software names. The investigation identifies malware that masquerades as legitimate healthcare applications, exploits medical system credentials, and interacts with medical devices via protocols like DICOM and HL7, highlighting the growing threat of file infectors and botnets in healthcare environments.
Intel Name: Real-time anti-phishing: essential defense against evolving cyber threats
Date of Scan: 03/25/25
Impact: High
Summary:
Recent threat data reveals key insights into phishing campaigns and evolving cybercriminal tactics. Facebook remains a top phishing target due to its widespread use and valuable user data, with scams often disguised as account warnings. In mid-February, phishing attacks spiked against Roblox, tricking users with fake alerts and prize notifications. Late January saw a surge in phishing attempts targeting various platforms, highlighting the broad reach of these attacks.
Intel Name: Albabat ransomware group potentially expands targets to multiple OS, uses GitHub to streamline operations
Date of Scan: 03/24/25
Impact: High
Summary:
The financially motivated Albabat ransomware group has resurfaced with new versions. Our threat-hunting team recently identified versions 2.0.0 and 2.5, which target Windows while also collecting system and hardware data from Linux and macOS. Previously undetected variants were also discovered, retrieving configuration data via the GitHub REST API using a “User-Agent” string labeled “Awesome App.” This configuration contains critical details about the ransomware’s behavior and operations.
Intel Name: Cybercriminals impersonate Dubai Police to defraud consumers in the UAE – Smishing Triad in action
Date of Scan: 03/24/25
Impact: High
Summary:
Cybercriminals in the UAE are impersonating Dubai Police to defraud consumers, using social engineering tactics such as smishing, phishing, and vishing. Victims are tricked into paying non-existent fines, including traffic tickets and license renewals, via fraudulent phone calls. This scam has been amplified during the holiday season, particularly around UAE National Day (Eid Al Etihad). Dubai Police have warned against providing financial details over the phone, as official institutions do not request such information. A recent report from the UAE Financial Intelligence Unit revealed that fraud, especially vishing, phishing, and smishing, led to losses of AED 1.2 billion (USD 326 million) between 2021 and 2023, posing a significant risk to financial security in the region.
Intel Name: Strategically aged domains used in TDS for investment and job scams
Date of Scan: 03/21/25
Impact: High
Summary:
We’ve identified an ongoing campaign leveraging strategically aged domains in Traffic Direction System (TDS) activity. The final landing pages promote investment scams and fraudulent part-time or work-from-home opportunities. To evade detection, attackers register new domains and keep them dormant for at least a month before activation. Our analysis uncovered over 80,000 domains that eventually redirect to URLs under linksapp[.]top. This campaign primarily targets users in Japan and South Africa and is still active.
Intel Name: UAT-5918 targets critical infrastructure entities in Taiwan
Date of Scan: 03/21/25
Impact: Medium
Summary:
UAT-5918 is an advanced persistent threat (APT) group targeting entities in Taiwan, aiming to establish long-term access by exploiting N-day vulnerabilities in unpatched web and application servers. The group uses a range of open-source tools for network reconnaissance and manual post-compromise activities, primarily focused on information theft. They deploy web shells, harvest credentials, create administrative accounts, and use RDP for lateral movement. Key tools include FRPC, Mimikatz, and Impacket, with a focus on compromising critical infrastructure in Taiwan.
REVEAL is the visionary security platform that delivers radical clarity into your cyber risk and drastically reduces data costs. It’s a unified suite of capabilities and tools that uncover true threats and quantify risks in real-time—regardless of the data source, across the entire IT estate.
REVEAL gives security teams the visibility, focus, and perspective they need to outpace threats and focus on what matters most.