Gurucul’s Threat Research team proactively develops countermeasures for a constantly evolving threat landscape. Our multidisciplinary approach, leveraging diverse expertise, ensures comprehensive detection coverage.
The Gurucul Threat Research team uses diverse public threat intelligence sources to gain insight into threat actor tactics and attack patterns.
This intelligence, when combined with commercial data and anonymized customer information, empowers our threat hunters, researchers, and data scientists to proactively identify and mitigate emerging threats.
Platforms like MISP, NIST, MITRE, and SIGMA serve as rich repositories that aid in creating new detection models and staying ahead of the adversary.
Gurucul maintains a dedicated team of threat researchers, data scientists, and threat hunters who meticulously analyze a vast array of threat intelligence, encompassing open-source, commercial, and proprietary data.
Our threat hunting and research teams leverage this intelligence to investigate emerging threats, uncovering their origins, scope, and potential impact. By meticulously cataloging Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IOCs), our experts develop robust countermeasures and mitigation strategies.
This comprehensive threat intelligence is shared with our data science team, who employ advanced analytics to build predictive models and algorithms.
Our detection engineering team is the culmination point for the collective efforts of our threat research, threat hunting, and data science teams. This fusion of intelligence, coupled with advanced models and algorithms, results in a robust Threat Content-as-a-Service offering, updated weekly. We share these insights with the broader community through the Gurucul Community and platforms like MITRE to bolster collective defense against evolving threats.
Beyond threat indicators, we provide pre-built threat hunting queries to accelerate investigations. Our detection engineering team meticulously crafts comprehensive threat content, including detections, classifications, pre-built reports, automated response actions, investigation tools, and alerts.
Intel Name: PEAKLIGHT: Illuminating the Shadows
Date of Scan: 01/22/25
Impact: Medium
Summary: “PEAKLIGHT: Illuminating the Shadows” refers to a PowerShell-based downloader malware, first identified by Mandiant, that delivers infostealers as part of a malware-as-a-service operation. The infection begins with a Microsoft Shortcut File (LNK) that connects to a CDN serving a JavaScript dropper. The dropper in turn runs a PowerShell script that delivers various payloads, including LummaC2, HijackLoader, and CryptBot. The name “PEAKLIGHT” symbolizes the malware’s ability to expose and deploy malicious activity in a covert manner.
Intel Name: Two ransomware campaigns using “email bombing,” Microsoft Teams “vishing”
Date of Scan: 01/22/25
Impact: High
Summary: Our team is actively responding to incidents involving two distinct threat actor groups leveraging Microsoft Office 365 to infiltrate organizations, likely aiming to steal data and deploy ransomware. Investigations into these clusters began following customer incidents in November and December 2024, with the threats tracked as STAC5143 and STAC5777. Both groups operated their own Office 365 tenants and exploited a default Microsoft Teams configuration allowing users from external domains to initiate chats or meetings with internal users.
Intel Name: Cluster of infrastructure likely used by affiliate of Dark Scorpius (Black Basta)
Date of Scan: 01/21/25
Impact: High
Summary: The infrastructure described is likely used by an affiliate of Dark Scorpius (associated with Black Basta ransomware). The attack begins with email bombing to disrupt the target’s email systems, followed by social engineering over Microsoft Teams to get remote access tools installed. The attackers then deploy malicious files, including a DLL that communicates with C2 servers, and in some cases the intrusion culminates in the deployment of Black Basta ransomware.
Intel Name: Gootloader inside out
Date of Scan: 01/21/25
Impact: High
Summary: The Gootloader malware family employs a unique social engineering tactic to infect computers. Its operators use hijacked Google search results to redirect users to compromised, legitimate WordPress websites. These sites display a fake online message board where a fabricated conversation takes place. In this setup, a fake visitor asks a fake site admin the exact question the victim was searching for, leading them to a link that delivers the malware.
Intel Name: IoT botnet linked to large-scale DDoS attacks since the end of 2024
Date of Scan: 01/20/25
Impact: Medium
Summary: Since the end of 2024, a large-scale IoT botnet, primarily using malware variants from Mirai and Bashlite, has been launching DDoS attacks targeting companies globally, with a significant focus on Japan. The botnet infects devices like wireless routers and IP cameras by exploiting vulnerabilities and weak credentials. It is controlled through command-and-control servers and employs various DDoS attack methods, malware updates, and proxy services. Attack patterns differ between domestic and international targets, with a notable impact on sectors across North America and Europe.
Intel Name: Ivanti Connect Secure VPN targeted in new zero-day exploitation
Date of Scan: 01/20/25
Impact: High
Summary: On Wednesday, January 8, 2025, Ivanti disclosed two vulnerabilities, CVE-2025-0282 and CVE-2025-0283, affecting Ivanti Connect Secure (ICS) VPN appliances. Zero-day exploitation of CVE-2025-0282 has been observed in the wild since mid-December 2024. CVE-2025-0282 is an unauthenticated stack-based buffer overflow that, if successfully exploited, could enable remote code execution without authentication, potentially compromising the victim’s network.
Intel Name: Suspicious Invoke-WebRequest execution
Date of Scan: 01/17/25
Impact: Medium
Summary: “Suspicious Invoke-WebRequest Execution” refers to the detection of unusual use of the Invoke-WebRequest cmdlet, a PowerShell command normally used to send HTTP requests. The activity is considered suspicious when the command’s output is written to a suspicious location, which may indicate malicious intent, such as downloading a payload or exfiltrating data to an unauthorized location. This behavior could be a sign of a cyberattack or unauthorized activity.
Intel Name: Threat brief: CVE-2025-0282 and CVE-2025-0283
Date of Scan: 01/17/25
Impact: High
Summary: On January 8, 2025, Ivanti issued a security advisory addressing two vulnerabilities (CVE-2025-0282 and CVE-2025-0283) in its Connect Secure, Policy Secure, and ZTA gateway products. This threat brief shares insights from a recent incident response engagement, offering actionable intelligence to help detect ongoing attacks exploiting CVE-2025-0282. These Ivanti products are network-facing appliances designed to enable remote access, making them potential targets for attackers seeking to infiltrate networks.
Intel Name: Potential CVE-2023-36874 exploitation – fake wermgr.exe creation
Date of Scan: 01/16/25
Impact: Medium
Summary: “Potential CVE-2023-36874 Exploitation – Fake Wermgr.Exe Creation” refers to the detection of a suspicious file named “wermgr.exe” being created in an uncommon directory, which may indicate an attempted exploitation of CVE-2023-36874. This vulnerability can be exploited by attackers to execute malicious code, and the creation of the fake wermgr.exe file is a potential sign of such exploitation, often used to disguise malicious activity or evade detection.
Intel Name: KongTuke leads to infection abusing bionic
Date of Scan: 01/16/25
Impact: High
Summary: KongTuke involves an injected script that causes associated websites to display fake “verify you are human” pages. These deceptive pages load the victim’s Windows clipboard with a malicious PowerShell script and provide detailed instructions, urging victims to paste and execute the script in a Run window. This tactic is part of a campaign commonly tracked as #KongTuke.
REVEAL is the visionary security platform that delivers radical clarity into your cyber risk and drastically reduces data costs. It’s a unified suite of capabilities and tools that uncover true threats and quantify risks in real-time—regardless of the data source, across the entire IT estate.
REVEAL gives security teams the visibility, focus, and perspective they need to outpace threats and focus on what matters most.