Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here.
NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.
Zscaler Data Breach Exposes Customer Info After Salesloft Drift Compromise
(TLP: CLEAR) Zscaler has confirmed that a data breach affecting its Salesforce instance occurred as a downstream consequence of the Salesloft Drift supply-chain compromise. Threat actors first compromised the Salesloft Drift integration, an AI chat agent that connects to Salesforce, and stole the OAuth access and refresh tokens it held, which granted unauthorized access to numerous customer Salesforce environments, including Zscaler's.
(TLP: CLEAR) Comments: These tokens allowed intruders to access sensitive customer-related information stored in Zscaler's Salesforce, such as names, business email addresses, job titles, phone numbers, regional details, product licensing and commercial data, as well as content from support cases. In response, the company revoked all Salesloft Drift integrations, rotated other API tokens, strengthened authentication protocols for customer support interactions, and is conducting a detailed investigation with Salesforce. Although no misuse of the exposed data has been detected, Zscaler warned that the leaked information increases the risk of phishing and social-engineering attacks, urging customers to remain vigilant.
(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency #StopRansomware Guide: “Implement Protective Domain Name System (DNS). By blocking malicious internet activity at the source, Protective DNS services can provide high network security for remote workers. These security services analyze DNS queries and take action to mitigate threats such as malware, ransomware, phishing attacks, viruses, malicious sites, and spyware—leveraging the existing DNS protocol and architecture.”
(TLP: CLEAR) DigiCert: DigiCert's Protective DNS solution, UltraDDR (DNS Detection and Response), receives DNS queries from enterprise users and other on-LAN devices and inspects the DNS response for indicators of malicious activity such as phishing, ransomware, and acceptable usage policy violations.
Source: https://www.bleepingcomputer.com/news/security/zscaler-data-breach-exposes-customer-info-after-salesloft-drift-compromise/
Researchers Warn of MystRodX Backdoor Using DNS and ICMP Triggers for Stealthy Control
(TLP: CLEAR) Cybersecurity researchers have uncovered a sophisticated new backdoor known as MystRodX (also referred to as ChronosRAT), notable for its stealth, flexibility, and modular design. Implemented in C++, this backdoor supports a range of operations such as file management, port forwarding, reverse shell, and socket handling. Its configurability allows attackers to dynamically select communication methods (TCP or HTTP) and encryption modes (plain text or AES), enabling adaptive behavior based on the deployment context. A standout stealth feature of MystRodX is its wake-up mode, enabling it to remain passive until activated via specially crafted DNS queries or ICMP packets. This activation mechanism, managed through embedded “magic values,” avoids overt network traffic and evades conventional intrusion detection techniques. The malware’s operational configuration, encrypted with AES, contains details such as C2 servers and ports, and dictates whether MystRodX operates in passive (trigger-based) or active communication modes.
(TLP: CLEAR) Comments: The malware employs anti-analysis tactics via a dropper that checks for debugger or virtual machine environments before decrypting the next-stage payload. That payload consists of three components: daytime (a launcher), chargen (the main MystRodX backdoor), and busybox. The daytime component provides persistence by monitoring the backdoor and relaunching it if needed. MystRodX also aligns with earlier findings by Palo Alto Networks Unit 42, which linked ChronosRAT to a threat cluster dubbed CL-STA-0969 and noted overlaps with the China-associated espionage group Liminal Panda. The combination of stealthy activation triggers, encrypted configuration and traffic, flexible communications, and staged payload delivery makes MystRodX a potent tool for long-running, undetected cyber-espionage.
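The wake-up mode described above means an implanted host sits silent until a crafted DNS query or ICMP packet reaches it, so the traffic worth hunting for is inbound packets that a normal host would never receive. The script below is an added example for this report, not code from the MystRodX researchers or from UltraDDR: it runs two heuristics over packet records (ICMP echo requests whose payload does not match what a stock ping utility sends, and DNS queries delivered to hosts that are not the organization's resolvers). The packet records, the resolver address and the "MAGIC-WAKE" trigger string are constructed; the real MystRodX magic values are not given in the source.

```python
"""Heuristic spotting of passive wake-up triggers delivered over DNS or ICMP.

Added example for this report; not code from the MystRodX researchers. The
packet records, the resolver list and the trigger string are constructed."""
from dataclasses import dataclass

# Payload that Windows ping.exe sends in every echo request.
WINDOWS_PING_DATA = b"abcdefghijklmnopqrstuvwabcdefghi"


@dataclass
class Packet:
    proto: str            # "icmp" (echo request) or "udp"
    src: str
    dst: str
    payload: bytes = b""  # ICMP data, if any
    dport: int = 0        # UDP destination port
    qname: str = ""       # DNS question name, if this is a DNS query


def looks_like_stock_ping(data: bytes) -> bool:
    """Stock ping utilities send predictable data: Windows sends a fixed 32-byte
    alphabet string; Linux and BSD ping send an 8-byte timestamp followed by a
    run of consecutive byte values. Anything else may be a crafted trigger."""
    if data == WINDOWS_PING_DATA:
        return True
    body = data[8:]  # skip the timestamp
    return len(data) >= 8 and all(
        b == (body[0] + i) & 0xFF for i, b in enumerate(body)
    )


def find_trigger_candidates(packets, resolvers):
    """Return (reason, src, dst) for packets matching either heuristic:
    - an ICMP echo request whose payload is not what a stock ping produces;
    - a DNS query sent to a host that is not a known resolver (a backdoor
      listening for DNS triggers sits on a host that should never receive
      port-53 traffic)."""
    alerts = []
    for p in packets:
        if p.proto == "icmp" and not looks_like_stock_ping(p.payload):
            alerts.append(("icmp-nonstandard-payload", p.src, p.dst))
        elif p.proto == "udp" and p.dport == 53 and p.dst not in resolvers:
            alerts.append(("dns-to-non-resolver", p.src, p.dst))
    return alerts


RESOLVERS = {"10.0.0.53"}  # constructed: the only host that should answer DNS

# Constructed packets: three harmless, two that look like wake-up attempts.
# "MAGIC-WAKE-1337" stands in for a magic value; the real MystRodX values
# are not published in the report.
SAMPLE_PACKETS = [
    Packet("icmp", "203.0.113.7", "10.0.0.5",
           payload=b"\x00" * 8 + bytes(range(0x10, 0x38))),   # Linux ping
    Packet("icmp", "203.0.113.7", "10.0.0.5", payload=WINDOWS_PING_DATA),
    Packet("udp", "10.0.0.5", "10.0.0.53", dport=53, qname="example.com"),
    Packet("icmp", "203.0.113.9", "10.0.0.5",
           payload=b"\x00" * 8 + b"MAGIC-WAKE-1337"),          # crafted trigger
    Packet("udp", "203.0.113.9", "10.0.0.5", dport=53, qname="wake.example.net"),
]

if __name__ == "__main__":
    for alert in find_trigger_candidates(SAMPLE_PACKETS, RESOLVERS):
        print(*alert)
```

Both checks are cheap enough to run as Zeek or Suricata-style rules on a span port; the ICMP payload check will also fire on legitimate tools that use custom ping payloads (some monitoring agents do), so treat a hit as a lead to correlate with the destination host's process list rather than as proof of compromise.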
(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency Selecting a Protective DNS (PDNS) Service: "The Domain Name System (DNS) is central to the operation of modern networks, translating human-readable domain names into machine-usable Internet Protocol (IP) addresses. DNS makes navigating to a website, sending an email, or making a secure shell connection easier, and is a key component of the Internet's resilience. As with many Internet protocols, DNS was not built to withstand abuse from bad actors intent on causing harm. 'Protective DNS' (PDNS) is different from earlier security-related changes to DNS in that it is envisioned as a security service – not a protocol – that analyzes DNS queries and takes action to mitigate threats, leveraging the existing DNS protocol and architecture."
(TLP: CLEAR) DigiCert: DigiCert's Protective DNS solution, UltraDDR (DNS Detection and Response), receives DNS queries from enterprise users and other on-LAN devices and inspects the DNS response for indicators of malicious activity such as phishing, ransomware, and acceptable usage policy violations.
Source: https://thehackernews.com/2025/09/researchers-warn-of-mystrodx-backdoor.html
Abandoned Sogou Zhuyin Update Server Hijacked, Weaponized in Taiwan Espionage Campaign
(TLP: CLEAR) In mid-2025, researchers at Trend Micro uncovered an espionage campaign dubbed TAOTH, in which attackers hijacked the long-abandoned update server for Sogou Zhuyin, an input method editor (IME) whose vendor stopped issuing updates in June 2019. The adversaries re-registered the lapsed domain (sogouzhuyin[.]com) in October 2024 and, starting in November 2024, began serving malicious payloads through the automatic update channel hosted on dl.sogouzhuyin[.]com and srv-pc.sogouzhuyin[.]com. High-value targets (dissidents, journalists, researchers, and technology or business leaders) were selectively infected; nearly half of the victims were in Taiwan (49%), followed by Cambodia (11%) and the U.S. (7%), with the rest spread across East Asia. The installer itself was benign at download time; the infection lived in the update routine: once the automatic updater (ZhuyinUp.exe) ran, it contacted the hijacked server for a configuration file that directed the host to retrieve one of several malicious components. The deployed malware families include:
- TOSHIS (detected December 2024): a loader and Xiangoop variant that fetches follow-on payloads such as Cobalt Strike or Merlin agents; it is delivered through DLL side-loading or OAuth phishing lures.
- DESFY (detected May 2025): spyware designed to enumerate file names from Desktop and Programs directories for profiling.
- GTELAM (detected May 2025): document discovery spyware targeting files with extensions like PDF, DOCX, XLSX, PPTX, then exfiltrating results to Google Drive.
- 6DOOR: a custom Go‑based backdoor offering extensive remote‑access capabilities including screenshot capture, process scanning, shell execution, file operations, shellcode injection, and WebSocket‑based C2 communication, which bears embedded Simplified Chinese indicators, hinting at a Chinese‑proficient threat actor.
(TLP: CLEAR) Comments: Additionally, the attackers used spear‑phishing campaigns employing fake cloud storage or OAuth login pages. These lures either initiated TOSHIS delivery or tricked victims into granting mailbox access, facilitating deeper intrusion and lateral movement. The operational sophistication, particularly the blend of hijacked supply‑chain infrastructure and phishing, enabled highly targeted espionage with negligible detection. This stealthy campaign underscores the risks of using outdated software: even inactive update mechanisms can be weaponized if domains lapse and are reactivated by malicious actors.
(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) DE.CM-01: "Networks and network services are monitored to find potentially adverse events". One of the ways to detect phishing, malware droppers, and command and control (C2) is at the network level. Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and next-generation firewalls can be used with a protective DNS solution to detect these malicious activities as they traverse the network, even if the initial infection occurs via physical media or on another network such as a hotel or airport.
(TLP: CLEAR) DigiCert: DigiCert's Protective DNS solution, UltraDDR (DNS Detection and Response), supports two modes of onboarding DNS queries and protecting endpoints from phishing and malware: forwarding from an on-network resolver such as a firewall or Active Directory domain controller, or an endpoint client that captures and forwards DNS queries to UltraDDR's servers.
Source: https://thehackernews.com/2025/08/abandoned-sogou-zhuyin-update-server.html, https://www.hendryadrian.com/taoth-campaign-exploits-end-of-support-software-to-target-traditional-chinese-users-and-dissidents/
Lazarus Group Expands Malware Arsenal with PondRAT, ThemeForestRAT and RemotePE
(TLP: CLEAR) The North Korea-linked Lazarus Group executed a social engineering campaign against a decentralized finance (DeFi) organization, using Telegram-based impersonation and fake scheduling services reminiscent of Calendly or Picktime to establish initial access (Fox-IT/NCC Group observed this activity in 2024). Once a foothold was secured, the attackers deployed a loader named PerfhLoader, which in turn installed PondRAT, a Remote Access Trojan (RAT) derived from earlier malware such as POOLRAT/SIMPLESEA. PondRAT provided basic operations such as file manipulation, process execution, and shellcode delivery, communicating over HTTP(S) with a hardcoded command-and-control (C2) server.
(TLP: CLEAR) Comments: Accompanying PondRAT were auxiliary tools: a screenshot capturer, a keylogger, a Chrome credential and cookie stealer, Mimikatz for credential dumping, and proxy utilities such as FRPC, MidProxy, and Proxy Mini. After roughly three months, an in-memory-loaded ThemeForestRAT took over. It actively monitored for new Remote Desktop (RDP) sessions and retrieved up to twenty types of commands from its C2, allowing file and process operations, shellcode injection, network tests, file timestamp manipulation, and stealthy idle states. ThemeForestRAT bears functional similarities to RomeoGolf, a RAT employed by Lazarus in the 2014 Sony Pictures wiper attack linked to Operation Blockbuster. Finally, for high-value targets, the adversary deployed RemotePE, a more sophisticated RAT written in C++. RemotePE was delivered by RemotePELoader and loaded via DPAPILoader, suggesting a more capable and persistent stage in the attack chain.
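PondRAT's HTTP(S) channel to a hardcoded C2 server is the kind of traffic that stands out not by its content but by its timing: an implant checks in on a schedule, while a person browsing the same destination does not. The script below is an added example for this report, not code from NCC Group/Fox-IT or from the malware; it groups connection-log entries by (source, destination, port), measures the gaps between consecutive connections, and reports pairs whose gap spread (standard deviation divided by mean, the coefficient of variation) is small. The flow records, addresses and thresholds are constructed.

```python
"""Beacon detection over connection logs: a RAT talking to a hardcoded C2
over HTTP(S) tends to connect at near-constant intervals, which ordinary
browsing does not.

Added example for this report, not code from NCC Group/Fox-IT or from the
malware. The flow records are constructed."""
from collections import defaultdict
from statistics import mean, pstdev


def beacon_candidates(flows, min_connections=8, max_cv=0.2):
    """flows: iterable of (epoch_seconds, src, dst, dport).

    Groups connections per (src, dst, dport), measures the gaps between
    consecutive connections and reports pairs whose coefficient of variation
    (stdev / mean) is at or below max_cv. Returns tuples
    (src, dst, dport, count, mean_gap_seconds, cv), most regular first."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in flows:
        by_pair[(src, dst, dport)].append(ts)

    found = []
    for (src, dst, dport), times in by_pair.items():
        if len(times) < min_connections:
            continue  # too few samples to call anything periodic
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            found.append((src, dst, dport, len(times), round(avg, 1), round(cv, 3)))
    return sorted(found, key=lambda row: row[5])


def _flows_from_gaps(start, src, dst, dport, gaps):
    """Build a connection series from a start time and a list of gaps."""
    ts, out = start, [(start, src, dst, dport)]
    for g in gaps:
        ts += g
        out.append((ts, src, dst, dport))
    return out


BASE = 1_700_000_000
SAMPLE_FLOWS = (
    # constructed: implant checking in every ~60 s with a few seconds of jitter
    _flows_from_gaps(BASE, "10.0.0.21", "198.51.100.40", 443,
                     [60, 62, 58, 61, 59, 60, 63, 57, 60, 61, 59])
    # constructed: a user browsing a site at irregular times
    + _flows_from_gaps(BASE, "10.0.0.22", "93.184.216.34", 443,
                       [5, 300, 12, 900, 45, 3, 1800, 200, 7])
    # constructed: perfectly regular but only three connections, under the floor
    + _flows_from_gaps(BASE, "10.0.0.23", "203.0.113.5", 80, [60, 60])
)

if __name__ == "__main__":
    for row in beacon_candidates(SAMPLE_FLOWS):
        print(row)
```

Implants that add deliberate jitter push the coefficient of variation up; widen `max_cv` (0.3 to 0.5) and lengthen the observation window rather than lowering `min_connections`, because with few samples almost any series looks regular. Feed the function from proxy or firewall logs keyed on destination host name where available, since a RAT behind a CDN will rotate destination IPs but keep its schedule.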
(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency Selecting a Protective DNS (PDNS) Service: “A core capability of PDNS is the ability to categorize domain names based on threat intelligence. PDNS services typically leverage open source, commercial, and governmental information feeds of known malicious domains. These feeds enable coverage of domain names found at numerous points of the network exploitation lifecycle. Some solutions may also detect novel malicious domains based on pattern recognition. The types of domains typically addressed by a PDNS system include the following:
- Phishing: Sites known to host applications that maliciously collect personal or organizational information, including credential harvesting scams. These domains may include typo-squats – or close lookalikes of common domains. PDNS can protect users from accidentally connecting to a potentially malicious link.
- Malware distribution and command and control: Sites known to serve malicious content or used by threat actors to command-and-control malware. For example, these may include sites hosting malicious JavaScript® files or domains that host advertisements that collect information for undesired profiling. PDNS can block and alert on known malicious connection attempts.
- Domain generation algorithms: Sites with programmatically generated domain names that are used by malware to circumvent static blocking. Advanced malware – including some botnets – depend on the ability to communicate with command and control (C2) infrastructure. Cyber threat actors use domain generation algorithms (DGAs) for malware to circumvent static blocking – either by domain name or IP – through programmatically generating domain names according to a pre-set seed. PDNS can offer protection from malware DGAs by analyzing every domain’s textual attribute and tagging those associated with known DGA attributes, such as high entropy.
- Content filtering: Sites whose content is in certain categories that are against an organization's access policies. Although an ancillary benefit to malware protection, PDNS can use a categorization of various domains' use cases (e.g., 'gambling') and warn or block on those that are deemed a risk for a given environment."
(TLP: CLEAR) DigiCert: DigiCert's Protective DNS solution, UltraDDR (DNS Detection and Response), uses Cyber Threat Intelligence feeds, domain categories, and other detection engines to assess DNS queries in real time and block domains that are being used for phishing, malware delivery, and malware Command and Control (C2). This reduces the quantity and impact of malware infections.
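The CISA guidance quoted above says a PDNS service can tag likely DGA domains by "analyzing every domain's textual attribute", high entropy being the usual starting point. The script below is an added example for this report, not UltraDDR's or CISA's code, showing why entropy alone is not enough and what a practical lexical screen looks like: it scores the registrable label (the part just left of the public suffix) on Shannon entropy, vowel ratio and longest consonant run, because a legitimate name like microsoftonline has entropy above 3.3 bits yet a normal vowel ratio, while generated labels tend to have both high entropy and few vowels. The thresholds, the shortened public-suffix list and the sample query log are constructed.

```python
"""Lexical DGA screening of the kind the CISA guidance describes: score the
registrable label of each queried name on entropy and letter make-up.

Added example for this report, not UltraDDR's or CISA's code. Thresholds,
the suffix shortlist and the sample queries are constructed."""
import math

# Deliberate simplification of the Public Suffix List; production code should
# use the full list so that names under every multi-label suffix split right.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp", "com.br"}
VOWELS = set("aeiou")


def registrable_label(fqdn: str) -> str:
    """Return the label just left of the public suffix ("google" for
    www.google.com). Scoring that label, rather than the whole name, keeps
    random-looking CDN subdomains of legitimate domains from being flagged."""
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return labels[-3]
    return labels[-2] if len(labels) >= 2 else labels[0]


def shannon_entropy(text: str) -> float:
    """Bits per character; equals log2(distinct characters) when all differ."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(
        c / n * math.log2(c / n)
        for c in (text.count(ch) for ch in set(text))
    )


def lexical_features(label: str) -> dict:
    n = len(label)
    run = longest = 0
    for ch in label:
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        longest = max(longest, run)
    return {
        "entropy": shannon_entropy(label),
        "vowel_ratio": sum(ch in VOWELS for ch in label) / n,
        "digit_ratio": sum(ch.isdigit() for ch in label) / n,
        "consonant_run": longest,
    }


def is_dga_like(fqdn: str, min_entropy=3.0, max_vowel_ratio=0.25,
                max_consonant_run=6, min_length=7) -> bool:
    """High entropy is paired with a low vowel ratio; a long consonant run is
    accepted as an independent signal. Dictionary-word DGAs defeat all three
    and need a different detector (e.g. NXDOMAIN volume per client)."""
    label = registrable_label(fqdn)
    if len(label) < min_length:
        return False  # short labels carry too little signal either way
    f = lexical_features(label)
    return (
        (f["entropy"] >= min_entropy and f["vowel_ratio"] <= max_vowel_ratio)
        or f["consonant_run"] >= max_consonant_run
    )


def screen_queries(qnames):
    """Return the subset of names that look algorithmically generated."""
    return {q for q in qnames if is_dga_like(q)}


# Constructed query log: three legitimate names, three DGA-style ones.
SAMPLE_QUERIES = [
    "www.google.com",
    "login.microsoftonline.com",
    "cdn.bleepingcomputer.com",
    "xk3jd9qpwz.net",
    "qwtyzpdlkfvbn.org",
    "a1b2c3d4e5f6.xyz",
]

if __name__ == "__main__":
    for q in SAMPLE_QUERIES:
        print(q, is_dga_like(q), lexical_features(registrable_label(q)))
```

A screen like this belongs in front of a resolver as a tagging step, not a blocking step on its own: pair a hit with the client's recent NXDOMAIN rate (DGA clients burn through many unregistered names before finding the live one) and with threat-intelligence feeds before blocking, which is the layered approach the CISA text describes.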
Source: https://thehackernews.com/2025/09/lazarus-group-expands-malware-arsenal.html
Traffic Light Protocol (TLP)
Except where noted, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.
About Vercara
The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.
To learn more about Vercara solutions, please contact us.