Gurucul’s Threat Research team proactively develops countermeasures for a constantly evolving threat landscape. Our multidisciplinary approach, leveraging diverse expertise, ensures comprehensive detection coverage.
The Gurucul Threat Research team uses diverse public threat intelligence sources to gain insight into threat actor tactics and attack patterns.
This intelligence, when combined with commercial data and anonymized customer information, empowers our threat hunters, researchers, and data scientists to proactively identify and mitigate emerging threats.
Platforms like MISP, NIST, MITRE, and SIGMA serve as rich repositories to aid in the creation of new detection models and stay ahead of the adversary.
Gurucul maintains a dedicated team of threat researchers, data scientists, and threat hunters who meticulously analyze a vast array of threat intelligence, encompassing open-source, commercial, and proprietary data.
Our threat hunting and research teams leverage this intelligence to investigate emerging threats, uncovering their origins, scope, and potential impact. By meticulously cataloging Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IOCs), our experts develop robust countermeasures and mitigation strategies.
This comprehensive threat intelligence is shared with our data science team, who employ advanced analytics to build predictive models and algorithms.
Our detection engineering team is the culmination point for the collective efforts of our threat research, threat hunting, and data science teams. This fusion of intelligence, coupled with advanced models and algorithms, results in a robust Threat Content-as-a-Service offering, updated weekly. We share these insights with the broader community through the Gurucul Community and platforms like MITRE to bolster collective defense against evolving threats.
Beyond threat indicators, we provide pre-built threat hunting queries to accelerate investigations. Our detection engineering team meticulously crafts comprehensive threat content, including detections, classifications, pre-built reports, automated response actions, investigation tools, and alerts.
Intel Name: Amatera Stealer: rebranded ACR Stealer with improved evasion, sophistication
Date of Scan: 06/20/25
Impact: High
Summary: Our team has identified a newly rebranded information stealer named Amatera Stealer, derived from ACR Stealer and delivered through complex web inject-based attack chains. Much of its code overlaps with known ACR Stealer samples, and it is currently offered as a malware-as-a-service (MaaS) and remains under active development. Recent versions of Amatera Stealer feature enhanced anti-analysis techniques and have moved away from using Steam/Telegram as dead drops for C2 communication. As stealer malware continues to gain traction, timely detection, reverse engineering, and analysis are essential for defense.
Intel Name: Clone, compile, compromise: Water Curse’s open-source malware trap on GitHub
Date of Scan: 06/20/25
Impact: Medium
Summary: Water Curse, a newly identified threat actor, is exploiting weaponized GitHub repositories to deliver multistage malware disguised as legitimate open-source tools. Linked to at least 76 GitHub accounts, the campaign includes tools such as an SMTP email bomber and Sakura-RAT, which were presented as legitimate penetration testing utilities but contained hidden malicious payloads embedded within their Visual Studio project configuration files. The malware enables data exfiltration, remote access, and persistent system control through complex infection chains using obfuscated VBS and PowerShell scripts. Targeting cybersecurity professionals, game developers, and DevOps teams who trust open-source software, this campaign poses a significant supply chain risk and underscores the need to thoroughly audit and validate open-source tools before use.
Intel Name: Famous Chollima deploying Python version of GolangGhost RAT
Date of Scan: 06/19/25
Impact: Medium
Summary: In May 2025, the North Korean-aligned threat actor Famous Chollima began deploying a Python-based version of their remote access trojan (RAT) called PylangGhost, which shares many capabilities with the previously known GolangGhost RAT. The Python RAT targets Windows systems, while the Golang version continues to target macOS users. Recent campaigns focus on employees experienced in cryptocurrency and blockchain, primarily affecting a small number of users in India. Linux users are not targeted.
Intel Name: Uncovering a Tor-enabled Docker exploit
Date of Scan: 06/19/25
Impact: High
Summary: Cybercriminals have crafted a new attack method that leverages misconfigured Docker remote APIs and the Tor network to conduct covert cryptocurrency mining. Once inside containerized environments, attackers use Tor to conceal their operations while deploying crypto miners. A notable aspect of this campaign is the use of zstd, a compression tool based on the ZStandard algorithm, chosen for its efficiency. Cloud-reliant sectors—such as tech firms, financial institutions, and healthcare providers—are particularly at risk.
Intel Name: Exploring a new KimJongRAT stealer variant and its PowerShell implementation
Date of Scan: 06/18/25
Impact: High
Summary: KimJongRAT, first identified in 2013, now appears in two variants: a Portable Executable (PE) and a PowerShell version. Both are triggered via a malicious LNK file that fetches droppers from a CDN. The PE dropper delivers a loader, decoy PDF, and text file, while the PowerShell variant unpacks a PDF and ZIP archive containing the stealer and keylogger. Both variants exfiltrate browser, crypto-wallet, and system data to an attacker-controlled server.
Intel Name: Threat group targets companies in Taiwan
Date of Scan: 06/18/25
Impact: Medium
Summary: In early 2025, a threat group launched a targeted malware campaign against users in Taiwan, distributing the Winos 4.0 malware via phishing emails disguised as official messages from Taiwan’s National Taxation Bureau. By March 2025, the campaign expanded to include links reused from previous attacks. The group also deployed variants of the HoldingHands RAT (also known as Gh0stBins), typically delivered through ZIP file attachments in phishing emails. This ongoing campaign highlights a persistent effort to compromise organizations in Taiwan using evolving malware tactics.
Intel Name: Critical Langflow vulnerability (CVE-2025-3248) actively exploited to deliver Flodrix botnet
Date of Scan: 06/17/25
Impact: Medium
Summary: A critical vulnerability (CVE-2025-3248, CVSS 9.8) in Langflow versions prior to 1.3.0 is being actively exploited to deliver the Flodrix botnet. Attackers leverage this flaw to execute downloader scripts on compromised Langflow servers, enabling full system compromise, DDoS attacks, and potential data exposure. Due to Langflow’s widespread use in intelligent automation, vulnerable deployments are high-value targets. Organizations are urged to immediately upgrade to version 1.3.0 or later, restrict public access to Langflow endpoints, and monitor for signs of Flodrix infection.
Intel Name: Mstsc.exe execution with local RDP file
Date of Scan: 06/17/25
Impact: Low
Summary: Detects a potential Remote Desktop Protocol (RDP) connection initiated through Mstsc by leveraging a locally stored “.rdp” configuration file.
Intel Name: Fog ransomware: unusual toolset used in recent attack
Date of Scan: 06/16/25
Impact: Medium
Summary: In May 2025, a financial institution in Asia was targeted by Fog ransomware, marking a significant shift in attack tactics. Unusually, the attackers deployed legitimate employee monitoring software, Syteca (formerly Ekran), and several open-source pentesting tools, including GC2, Adaptix, and Stowaway—tools not typically associated with ransomware attacks. After the ransomware deployment, the attackers created a service for persistence, intending to maintain access to the victim’s network, a departure from typical ransomware behavior. The attackers were active on the network for approximately two weeks before launching the attack. Fog ransomware, first documented in May 2024, initially targeted U.S. educational institutions and gained access through compromised VPN credentials.
Intel Name: Process execution from WebDAV share
Date of Scan: 06/16/25
Impact: Low
Summary: Detects process executions whose image path begins with a UNC prefix (\\), i.e. a binary launched directly from a WebDAV share, which may signal malicious activity involving remote file execution. Running processes from WebDAV paths can indicate lateral movement or exploitation attempts, particularly when the process isn’t a known legitimate application. Some exploits, such as CVE-2025-33053, involve executing payloads directly from WebDAV locations.
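The two detection summaries above (Mstsc.exe with a local .rdp file, and process execution from a WebDAV share) expressed as Python predicates run over constructed process-creation events. This is an added example, not Gurucul's detection content; the event fields, the allowlist parameter, the WebDAV path markers and the sample events are assumptions.

```python
import shlex
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcessEvent:          # one process-creation record (Sysmon EID 1 / Windows 4688 fields)
    image: str               # full path of the executable that started
    command_line: str        # command line the process was launched with

# WebDAV Mini-Redirector conventions that appear in UNC paths served over WebDAV.
WEBDAV_MARKERS = ("@ssl", "davwwwroot")

def mstsc_with_local_rdp_file(ev: ProcessEvent) -> bool:
    """Rule 1: mstsc.exe launched with a locally stored (non-UNC) .rdp file."""
    if not ev.image.lower().endswith("\\mstsc.exe"):
        return False
    # posix=False keeps Windows backslashes and quoted paths with spaces intact
    for tok in shlex.split(ev.command_line, posix=False):
        tok = tok.strip('"')
        if tok.lower().endswith(".rdp") and not tok.startswith("\\\\"):
            return True
    return False

def process_from_webdav_share(ev: ProcessEvent, allowlist=()) -> bool:
    """Rule 2: image path is UNC-rooted (starts with \\\\) and not an allowlisted binary."""
    img = ev.image.lower()
    if not img.startswith("\\\\"):
        return False
    return img.rsplit("\\", 1)[-1] not in {a.lower() for a in allowlist}

def evaluate(events, allowlist=()):
    """Return (rule, image) for every event that triggers a rule; UNC hits are
    tagged 'webdav' when the path carries a WebDAV redirector marker, else 'unc'."""
    hits = []
    for ev in events:
        if mstsc_with_local_rdp_file(ev):
            hits.append(("mstsc_local_rdp_file", ev.image))
        if process_from_webdav_share(ev, allowlist):
            kind = "webdav" if any(m in ev.image.lower() for m in WEBDAV_MARKERS) else "unc"
            hits.append((f"process_from_{kind}_share", ev.image))
    return hits

# Constructed sample events (not from the page); 203.0.113.10 is a documentation address.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\mstsc.exe", r'"C:\Windows\System32\mstsc.exe" "C:\Users\alice\Downloads\invoice.rdp"'),
    ProcessEvent(r"C:\Windows\System32\mstsc.exe", r'"C:\Windows\System32\mstsc.exe" /v:fileserver01'),
    ProcessEvent(r"\\203.0.113.10@SSL\DavWWWRoot\update.exe", r"\\203.0.113.10@SSL\DavWWWRoot\update.exe"),
    ProcessEvent(r"C:\Windows\System32\notepad.exe", r"notepad.exe C:\Users\alice\notes.txt"),
]
```

`evaluate(SAMPLE_EVENTS)` flags the first and third events only; passing an allowlist of known-legitimate binary names suppresses the UNC rule for those names.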
REVEAL is the visionary security platform that delivers radical clarity into your cyber risk and drastically reduces data costs. It’s a unified suite of capabilities and tools that uncover true threats and quantify risks in real-time—regardless of the data source, across the entire IT estate.
REVEAL gives security teams the visibility, focus, and perspective they need to outpace threats and focus on what matters most.
The DisGoMoji malware operates under the control of its creators through the popular messaging platform Discord. To maintain secrecy, the attackers have ingeniously devised a system of using emojis within Discord messages to transmit commands to the malware.
Lockkey is a ransomware variant written in the Go programming language, making it potentially more cross-platform and resilient than ransomware traditionally written in languages like C++. While the specifics of its technical mechanisms are unavailable due to the restricted source.