GURUCUL THREAT RESEARCH LABS

Gurucul Threat Research Labs
Engineering Threat Detections from Every Perspective

Gurucul’s Threat Research team proactively develops countermeasures for a constantly evolving threat landscape. Our multidisciplinary approach, leveraging diverse expertise, ensures comprehensive detection coverage.

A powerful alliance of seasoned threat researchers and data scientists drives our innovation. By fusing external intelligence, internal expertise, and community insights, we develop cutting-edge detections to combat the most elusive threats.

How We Engineer Threat Detections

Multiple Teams, Sources and Disciplines

External Intelligence

The Gurucul Threat Research team uses diverse public threat intelligence sources to gain insight into threat actor tactics and attack patterns.

This intelligence, when combined with commercial data and anonymized customer information, empowers our threat hunters, researchers, and data scientists to proactively identify and mitigate emerging threats.

Platforms like MISP, NIST, MITRE, and SIGMA serve as rich repositories to aid in the creation of new detection models and stay ahead of the adversary.

Internal Expertise

Gurucul maintains a dedicated team of threat researchers, data scientists, and threat hunters who meticulously analyze a vast array of threat intelligence, encompassing open-source, commercial, and proprietary data.

Our threat hunting and research teams leverage this intelligence to investigate emerging threats, uncovering their origins, scope, and potential impact. By meticulously cataloging Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IOCs), our experts develop robust countermeasures and mitigation strategies.

This comprehensive threat intelligence is shared with our data science team, who employ advanced analytics to build predictive models and algorithms.

Detection Output

Our detection engineering team is the culmination point for the collective efforts of our threat research, threat hunting, and data science teams. This fusion of intelligence, coupled with advanced models and algorithms, results in a robust Threat Content-as-a-Service offering, updated weekly. We share these insights with the broader community through the Gurucul Community and platforms like MITRE to bolster collective defense against evolving threats.

Beyond threat indicators, we provide pre-built threat hunting queries to accelerate investigations. Our detection engineering team meticulously crafts comprehensive threat content, including detections, classifications, pre-built reports, automated response actions, investigation tools, and alerts.

Latest Threat Research

Intel Name: Cascading Shadows: An Attack Chain Approach to Avoid Detection and Complicate Analysis

Date of Scan: 04/18/25

Impact: High

Summary:
In December 2024, we identified a multi-stage attack chain used to deliver malware such as Agent Tesla variants, Remcos RAT, and XLoader. Attackers are increasingly adopting layered delivery tactics to bypass detection tools and traditional sandboxes. The phishing campaign we examined disguised itself as an order release request, delivering a malicious attachment. The attack chain used several execution paths to evade defenses and hinder analysis.

Intel Name: Latest Mustang Panda Arsenal: PAKLOG, CorKLOG, and SplatCloak | P2

Date of Scan: 04/17/25

Impact: High

Summary:
Mustang Panda continues to develop custom tools for targeted attacks. They use PAKLOG and CorKLOG keyloggers—PAKLOG obfuscates data with custom encoding, while CorKLOG encrypts logs using a 48-character RC4 key. Persistence is achieved via services and scheduled tasks. The group also deploys SplatCloak, a tool that disables security callbacks and uses heavy code obfuscation to evade analysis.

Intel Name: Slow Pisces Targets Developers With Coding Challenges and Introduces New Customized Python Malware

Date of Scan: 04/16/25

Impact: High

Summary:
Slow Pisces (aka Jade Sleet, TraderTraitor, PUKCHONG) is a North Korean threat group focused on funding the DPRK through crypto-targeted attacks. In a recent campaign, the group posed as employers on LinkedIn, targeting cryptocurrency developers. They sent malware-laced coding challenges that infected victims’ systems. The malware used, dubbed RN Loader and RN Stealer, enabled data theft and system compromise.

Intel Name: Unraveling the U.S. Toll Road Smishing Scams

Date of Scan: 04/15/25

Impact: High

Summary:
Since mid-October 2024, ongoing smishing campaigns have impersonated U.S. toll road payment services like E-ZPass in an effort to commit financial fraud. Attackers have targeted individuals across at least eight U.S. states—including Washington, Florida, Pennsylvania, Virginia, Texas, Ohio, Illinois, and Kansas—using spoofed domains with state abbreviations embedded in the URLs. Victims receive SMS messages claiming they owe a small toll balance (under $5) and are urged to pay promptly to avoid late fees. These messages redirect users to phishing sites designed to steal payment information.

Intel Name: Phishing Pages Impersonating Nintendo

Date of Scan: 04/14/25

Impact: High

Summary:
We’ve observed multiple newly registered domains containing the term “nintendo,” emerging shortly after the announcement of the Switch 2 console. These domains are linked to phishing websites and monetized parking pages. The phishing sites mimic Nintendo’s branding, including logos and character imagery, to deceive users.

Intel Name: Qilin Affiliates Spear-Phish MSP ScreenConnect Admin, Targeting Customers Downstream

Date of Scan: 04/11/25

Impact: High

Summary:
In late January 2025, a Managed Service Provider (MSP) administrator received a convincing phishing email disguised as an authentication alert for their ScreenConnect Remote Monitoring and Management (RMM) tool. The phishing attempt successfully compromised the administrator’s credentials, allowing Qilin ransomware operators to gain access and launch attacks against the MSP’s clients.

Intel Name: State-Sponsored Tactics: How Gamaredon and ShadowPad Operate and Rotate Their Infrastructure

Date of Scan: 04/10/25

Impact: High

Summary:
Researchers have analyzed the infrastructure tactics of two state-sponsored groups: Gamaredon (linked to Russia) and RedFoxtrot/ShadowPad (linked to China). Gamaredon targets Ukrainian, Western, African, and NATO entities, using low-frequency DNS techniques, rapidly changing IPs, and a reusable TLS certificate for its .ru domains, making takedown difficult. Meanwhile, RedFoxtrot employs dynamic DNS services, spoofed certificates, and JA4X fingerprinting, delivering the ShadowPad backdoor via DLL side-loading, often facilitated by PowerShell and batch scripts.

Intel Name: KongTuke Web Inject for Fake CAPTCHA Page

Date of Scan: 04/10/25

Impact: High

Summary:
The attack chain begins with a malicious script injected into legitimate but compromised websites. This script redirects users to a fake CAPTCHA page designed to mimic a “verify you are human” check. The deceptive CAPTCHA page performs clipboard hijacking—also known as pastejacking—by injecting malicious code into the user’s clipboard. This campaign, tracked as #KongTuke by sources like @monitorsg on Mastodon and ThreatFox, shows post-infection traffic patterns resembling Async RAT. However, the final payload remains unidentified, and no sample is currently available.

Intel Name: Russia’s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine

Date of Scan: 04/09/25

Impact: High

Summary:
Since our previous update in early February on the advanced persistent threat (APT) group Trident Ursa (also known as Gamaredon, UAC-0010, Primitive Bear, Shuckworm), Ukraine has continued to face escalating cyber threats from Russia. The Security Service of Ukraine attributes Trident Ursa to Russia’s Federal Security Service (FSB). Throughout the ongoing conflict, the group has acted as a persistent access facilitator and intelligence collector. Trident Ursa remains one of the most active, aggressive, and persistent APTs focused on targeting Ukraine.

Intel Name: Tomcat in the Crosshairs: New Research Reveals Ongoing Attacks

Date of Scan: 04/09/25

Impact: Medium

Summary:
Researchers discovered a new attack campaign targeting Apache Tomcat servers. The attackers use brute-force methods to gain access, deploy encrypted payloads, steal SSH credentials, and hijack resources for cryptocurrency mining. The attack exploits vulnerabilities in Tomcat and disguises malicious binaries as kernel processes to maintain persistence. The campaign is believed to be linked to a Chinese-speaking threat actor.

Powered by REVEAL: Unified Data and Security Analytics Platform

REVEAL is the visionary security platform that delivers radical clarity into your cyber risk and drastically reduces data costs. It’s a unified suite of capabilities and tools that uncover true threats and quantify risks in real-time—regardless of the data source, across the entire IT estate.

REVEAL gives security teams the visibility, focus, and perspective they need to outpace threats and focus on what matters most.