Vercara’s Open-Source Intelligence (OSINT) Report – February 14 – February 20, 2025


Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here.

NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.

New FinalDraft Malware Abuses Outlook Mail Service for Stealthy Comms  

(TLP: CLEAR) FinalDraft is a newly discovered malware that uses Outlook email drafts for command-and-control (C2) communication, enabling covert data exfiltration, process injection, and lateral movement while leaving minimal traces. Discovered by Elastic Security Labs, the malware was used in cyber-espionage attacks against a South American foreign ministry as part of the REF7707 campaign. The attack begins with PathLoader, a malware loader that executes shellcode, including FinalDraft, which retrieves commands through Microsoft Graph API and stores an OAuth token in the Windows Registry for persistence. By hiding commands in Outlook drafts and deleting them after execution, FinalDraft blends into normal Microsoft 365 traffic, making detection difficult. The malware supports 37 commands, including credential theft, pass-the-hash attacks, and network proxying. A Linux variant was also observed, using Outlook via REST API alongside HTTP, TCP, and DNS-based C2 channels. Further analysis revealed links to Southeast Asian victims and the use of compromised infrastructure in telecommunications and universities. Another undocumented malware loader, GuidLoader, was also discovered, and YARA rules for detection are provided in Elastic’s reports. 

(TLP: CLEAR) Comments: FinalDraft malware represents a sophisticated cyber-espionage threat, leveraging Microsoft Graph API and Outlook email drafts for covert command-and-control (C2) communication. By hiding commands within draft emails instead of sending messages, it effectively evades detection by traditional email security tools and blends seamlessly into legitimate Microsoft 365 traffic. The malware’s ability to retrieve OAuth tokens and store them in the Windows Registry ensures persistent access, allowing attackers to maintain control even after reboots or partial remediation. Additionally, FinalDraft supports 37 commands, including data exfiltration, process injection, pass-the-hash attacks, and network proxying, making it highly versatile for espionage and persistent network infiltration. The discovery of a Linux variant further highlights the adaptability of this malware, indicating that threat actors behind REF7707 are targeting multiple platforms. With infrastructure linked to both South American and Southeast Asian targets, the campaign suggests a broader strategic operation, potentially state-sponsored.
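The draft-mailbox C2 pattern described above leaves a behavioural trace even though every request goes to a legitimate Microsoft 365 endpoint: a compromised host repeatedly lists the Drafts folder, deletes the draft it just consumed, creates a new draft with its output, and never sends anything. The following is an added example (not Elastic's detection logic or their YARA rules) of a heuristic that looks for that poll loop. It assumes an egress-proxy log that records method, URL path and status for calls to graph.microsoft.com; the log lines are constructed, and the paths used are the Graph mail endpoints (create message, list drafts, delete message, sendMail).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from Elastic's report): egress-proxy records for HTTPS
# calls to graph.microsoft.com, one per line: "<ISO timestamp> <client> <method> <path> <status>".
# The paths are the Graph mail endpoints; the log shape itself is an assumption.
SAMPLE_LOG = """\
2025-02-18T09:00:05Z 10.1.4.22 GET /v1.0/me/mailFolders/drafts/messages 200
2025-02-18T09:00:06Z 10.1.4.22 DELETE /v1.0/me/messages/AAMkAD01 204
2025-02-18T09:00:07Z 10.1.4.22 POST /v1.0/me/messages 201
2025-02-18T09:01:05Z 10.1.4.22 GET /v1.0/me/mailFolders/drafts/messages 200
2025-02-18T09:01:06Z 10.1.4.22 DELETE /v1.0/me/messages/AAMkAD02 204
2025-02-18T09:01:07Z 10.1.4.22 POST /v1.0/me/messages 201
2025-02-18T09:02:05Z 10.1.4.22 GET /v1.0/me/mailFolders/drafts/messages 200
2025-02-18T09:02:06Z 10.1.4.22 DELETE /v1.0/me/messages/AAMkAD03 204
2025-02-18T09:02:07Z 10.1.4.22 POST /v1.0/me/messages 201
2025-02-18T09:03:05Z 10.1.4.22 GET /v1.0/me/mailFolders/drafts/messages 200
2025-02-18T09:03:06Z 10.1.4.22 DELETE /v1.0/me/messages/AAMkAD04 204
2025-02-18T09:03:07Z 10.1.4.22 POST /v1.0/me/messages 201
2025-02-18T09:00:30Z 10.1.7.9 POST /v1.0/me/messages 201
2025-02-18T09:02:10Z 10.1.7.9 PATCH /v1.0/me/messages/AAMkAD77 200
2025-02-18T09:04:40Z 10.1.7.9 GET /v1.0/me/mailFolders/drafts/messages 200
2025-02-18T09:05:00Z 10.1.7.9 POST /v1.0/me/sendMail 202
"""

LINE = re.compile(r"^(\S+) (\S+) (GET|POST|PATCH|DELETE) (\S+) (\d{3})$")
DRAFTS_LIST = "/v1.0/me/mailFolders/drafts/messages"
MESSAGE_PREFIX = "/v1.0/me/messages/"
SEND_MAIL = "/v1.0/me/sendMail"


def parse_log(text):
    """Parse the constructed log into (time, client, method, path, status) tuples."""
    records = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        ts, client, method, path, status = m.groups()
        records.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, method, path, int(status)))
    return records


def draft_c2_candidates(text, window_minutes=15, min_cycles=3):
    """Flag clients that repeatedly list and delete drafts without ever sending mail.

    A mailbox used as a dead drop shows a poll loop: list drafts, delete the consumed
    draft, create a new draft with output. A person drafting an email produces far
    fewer deletes and usually ends with a send.
    """
    by_client = defaultdict(list)
    for rec in parse_log(text):
        by_client[rec[1]].append(rec)

    flagged = {}
    for client, recs in by_client.items():
        recs.sort()
        polls = [r[0] for r in recs if r[2] == "GET" and r[3] == DRAFTS_LIST and r[4] < 300]
        deletes = sum(1 for r in recs if r[2] == "DELETE" and r[3].startswith(MESSAGE_PREFIX))
        sends = sum(1 for r in recs if r[2] == "POST" and (r[3] == SEND_MAIL or r[3].endswith("/send")))
        if sends or len(polls) < min_cycles or deletes < min_cycles:
            continue
        span_min = (polls[-1] - polls[0]).total_seconds() / 60
        if span_min <= window_minutes:
            flagged[client] = {
                "draft_polls": len(polls),
                "draft_deletes": deletes,
                "span_minutes": round(span_min, 1),
            }
    return flagged


if __name__ == "__main__":
    for client, why in draft_c2_candidates(SAMPLE_LOG).items():
        print(f"{client}: {why}")
```

On the sample, 10.1.4.22 is flagged (four poll/delete cycles in three minutes, no send) while 10.1.7.9, which creates a draft, edits it and sends it, is not. In production the same logic applies better to Microsoft 365 audit or Graph activity logs than to proxy logs, since TLS inspection is needed to see Graph paths at the proxy; the thresholds are starting points to tune against your own baseline of draft usage.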

(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) PR.PS-05: “Installation and execution of unauthorized software are prevented”. By enforcing a content filtering policy to block typical software download sites in addition to hacker tools and P2P services, organizations reduce the amount of malware and trojan horses that are introduced into their organization unknowingly by their users. This can be done via a protective DNS or forward web proxy solution with website categories feeds. 

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), filters internal DNS responses from users as well as machines using both defined categories, including botnet Command and Control (C2) as well as machine learning to detect previously uncategorized malicious associations and help prevent data exfiltration or malware detonation. 

Source: https://www.bleepingcomputer.com/news/security/new-finaldraft-malware-abuses-outlook-mail-service-for-stealthy-comms/  

PostgreSQL Flaw Exploited as Zero-Day in BeyondTrust Breach  

(TLP: CLEAR) Rapid7’s vulnerability research team discovered that attackers exploited a PostgreSQL zero-day (CVE-2025-1094) in combination with BeyondTrust Remote Support vulnerabilities (CVE-2024-12356 and CVE-2024-12686) to breach BeyondTrust’s network and 17 Remote Support SaaS instances in December. The breach was later linked to Chinese state-backed hackers, Silk Typhoon, who also used a stolen API key to infiltrate the U.S. Treasury Department’s BeyondTrust instance. The hackers targeted sensitive U.S. government entities, including the Committee on Foreign Investment in the U.S. (CFIUS) and the Office of Foreign Assets Control (OFAC), likely to steal unclassified data related to sanctions and foreign investments. The CVE-2025-1094 PostgreSQL vulnerability, discovered during Rapid7’s analysis, allows SQL injection when PostgreSQL improperly processes invalid UTF-8 characters. Exploiting this flaw enabled remote code execution (RCE) when combined with CVE-2024-12356. While BeyondTrust classified CVE-2024-12356 as a command injection vulnerability (CWE-77), Rapid7 suggests it is more accurately an argument injection vulnerability (CWE-88). Additionally, researchers found that CVE-2025-1094 could be exploited independently in BeyondTrust Remote Support systems, though BeyondTrust’s patch for CVE-2024-12356 prevents exploitation of both vulnerabilities. The U.S. CISA added CVE-2024-12356 to its Known Exploited Vulnerabilities catalog, mandating federal agencies patch their systems to prevent further attacks. 

(TLP: CLEAR) Comments: A malicious actor exploiting a PostgreSQL vulnerability—such as an SQL injection flaw or privilege escalation bug—could gain unauthorized access to sensitive data, execute arbitrary code, or even achieve full system compromise. By injecting crafted SQL queries through improperly sanitized inputs, an attacker could manipulate the database to exfiltrate confidential records, modify critical tables, or create hidden administrator accounts. If the vulnerability allows remote code execution (RCE), attackers could deploy malware, establish persistent access, or pivot to other systems within the network. In cases where the exploit affects authentication mechanisms or PostgreSQL extensions, adversaries might escalate privileges and disable security configurations to maintain long-term control. Additionally, if PostgreSQL is used as the backend for web applications, attackers could leverage server-side request forgery (SSRF) or lateral movement techniques to compromise connected services. To mitigate such risks, organizations must enforce strict input validation, apply regular security patches, implement least privilege access controls, and monitor unusual database queries to detect and prevent exploitation attempts. 

(TLP: CLEAR) Recommended best practices/regulations: OWASP Web Security Top 10 A03:2021 – Injection: “An application is vulnerable to attack when: 

  • User-supplied data is not validated, filtered, or sanitized by the application. 
  • Dynamic queries or non-parameterized calls without context-aware escaping are used directly in the interpreter. 
  • Hostile data is used within object-relational mapping (ORM) search parameters to extract additional, sensitive records. 
  • Hostile data is directly used or concatenated. The SQL or command contains the structure and malicious data in dynamic queries, commands, or stored procedures.” 

One way to validate input on the server side is through a Web Application Firewall. 
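The OWASP conditions above and the CVE-2025-1094 description (injection when invalid UTF-8 is improperly processed) point at the same two defenses: validate the encoding of input before it reaches any query-building code, and pass values as query parameters instead of concatenating or escaping them into SQL text. The following is an added example (not from Rapid7's research or BeyondTrust's code) showing the vulnerable concatenation pattern, the client-side quote-escaping pattern that looks safe but is string surgery dependent on correct character decoding, and the hardened parameterized form with strict UTF-8 validation in front of it. It uses Python's bundled sqlite3 as a stand-in for a PostgreSQL driver so it runs offline; the table and rows are constructed.

```python
import sqlite3

# sqlite3 stands in for a PostgreSQL driver here so the example runs offline (assumption);
# the query-building patterns are the same with a real driver such as psycopg.


def make_db():
    """Constructed sample table: two users, one of them privileged."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_concat(conn, name):
    """Vulnerable: OWASP A03 'hostile data is directly used or concatenated'."""
    sql = f"SELECT role FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_escaped(conn, name):
    """Quote-doubling escape before concatenation.

    It stops the textbook payload, but it is client-side string surgery that only
    works if the escaper and the server agree on where each character starts and
    ends; the report describes CVE-2025-1094 as injection through improperly
    processed invalid UTF-8, which is exactly the assumption such escaping rests on.
    """
    sql = "SELECT role FROM users WHERE name = '" + name.replace("'", "''") + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name):
    """Hardened: the driver sends the value separately; it never becomes SQL syntax."""
    return [row[0] for row in conn.execute("SELECT role FROM users WHERE name = ?", (name,))]


def is_valid_utf8(raw: bytes) -> bool:
    """Strict decode: invalid or truncated multibyte sequences are rejected outright."""
    try:
        raw.decode("utf-8", errors="strict")
        return True
    except UnicodeDecodeError:
        return False


def safe_lookup(conn, raw: bytes):
    """Input validation first (reject bad encoding), then a parameterized query."""
    if not is_valid_utf8(raw):
        raise ValueError("rejected: input is not valid UTF-8")
    return lookup_param(conn, raw.decode("utf-8"))


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"
    print("concat :", lookup_concat(db, probe))    # every role leaks
    print("escaped:", lookup_escaped(db, probe))   # [] for this payload only
    print("param  :", lookup_param(db, probe))     # []
    print("valid  :", is_valid_utf8(b"ali\xc3\x28"))  # False: 0xC3 lead byte, bad continuation
```

The `is_valid_utf8` check is the piece most applications skip: a lone lead byte followed by a quote character is the kind of input that a byte-oriented escaper and a character-oriented server can interpret differently, and rejecting it at the boundary means the escaping layer is never asked to reason about it at all.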

(TLP: CLEAR) Vercara: Vercara’s Web Application Firewall, UltraWAF, equips your company with adaptable security features to counteract the most significant network and application-layer threats, including SQL injection, XSS, and DDoS attacks. Its always-on security posture, combined with cloud-based scalability, ensures comprehensive protection against the OWASP top 10, advanced bot management, and vulnerability scanning, allowing you to effectively shield your critical and customer-facing applications from emerging threats. 

Source: https://www.bleepingcomputer.com/news/security/postgresql-flaw-exploited-as-zero-day-in-beyondtrust-breach/  

Hackers Hiding Credit Card Stealer Script Within <img> Tag 

(TLP: CLEAR) Cybercriminals have developed an advanced technique to steal credit card information by embedding malicious scripts within <img> tags on e-commerce websites, a method commonly associated with MageCart attacks. This approach exploits the trusted nature of image tags to evade detection while targeting platforms such as Magento, WooCommerce, and PrestaShop. Security researchers at Sucuri identified that attackers inject Base64-encoded payloads into the tag’s attributes, allowing them to execute obfuscated JavaScript when an error occurs during image loading. The script then monitors user interactions on checkout pages, capturing sensitive payment details (credit card number, expiration date, and CVV) upon clicking the “Submit” button. The stolen data is then exfiltrated to an attacker-controlled server. Since browsers and security tools inherently trust <img> tags, embedding malicious scripts within them enables attackers to bypass traditional security measures while leveraging Base64 encoding and obfuscation to further conceal their payloads. To mitigate such threats, organizations should sanitize HTML inputs, remove non-whitelisted attributes like onerror, inspect checkout pages for anomalies, apply CMS security updates, and deploy web application firewalls (WAFs) and content security policies (CSPs) to restrict unauthorized script execution. Given the increasing prevalence of MageCart attacks, e-commerce site owners must remain proactive in protecting customer data and maintaining platform security. 

(TLP: CLEAR) Comments: The use of <img> tags for injecting malicious scripts represents a stealthy and highly effective method for credit card skimming, particularly in MageCart-style attacks. This technique exploits the inherent trust browsers and security tools place in <img> elements, allowing attackers to bypass Content Security Policies (CSPs) and evade detection by antivirus software. By encoding payloads in Base64 format and embedding them within non-image attributes, attackers can ensure that traditional signature-based defenses fail to recognize the threat. Once injected into the checkout page, the malicious script monitors user interactions in real time, capturing credit card details and transmitting them to an attacker-controlled server without the user’s knowledge. A malicious actor could further enhance this attack by dynamically loading the script only on specific geographical regions or user profiles, making detection even more difficult. Additionally, attackers might leverage JavaScript event listeners to prevent browser-based autofill protections and intercept keystrokes before encryption occurs. To mitigate such threats, organizations must enforce strict input sanitization, remove non-essential attributes like onerror, implement CSP rules restricting script execution to trusted domains, and regularly audit checkout pages for anomalies. Given the growing sophistication of MageCart-style attacks, real-time monitoring and anomaly detection on e-commerce platforms are crucial in protecting customer payment data. 
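The mitigations listed above (sanitize HTML, strip non-whitelisted attributes such as onerror, audit checkout pages for anomalies) can be turned into a small audit tool. The following is an added example, not Sucuri's scanner or any CMS's sanitizer: it walks a page fragment with Python's bundled html.parser, reports every inline event-handler attribute and every attribute whose value is a base64 blob that decodes to JavaScript-looking text, and rebuilds the markup with those attributes removed. The checkout fragment and the encoded payload are constructed for the demonstration; the payload decodes to a harmless placeholder string rather than skimmer code.

```python
import base64
import html
import re
from html.parser import HTMLParser

EVENT_ATTR = re.compile(r"^on[a-z]+$", re.I)                 # onerror, onload, onclick, ...
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")             # long base64-looking runs
JS_TOKENS = ("eval", "atob", "fetch", "document", "addEventListener", "XMLHttpRequest")

# Constructed sample (not Sucuri's capture): a checkout fragment with a benign logo and an
# image tag whose attributes carry a base64 blob plus an onerror handler that decodes it.
PAYLOAD_B64 = base64.b64encode(b"document.addEventListener('submit', collectFields)").decode()
SAMPLE_HTML = (
    '<div id="checkout">'
    '<img src="/img/logo.png" alt="Store">'
    f'<img src="x" data-cfg="{PAYLOAD_B64}" onerror="eval(atob(this.dataset.cfg))" alt="">'
    '<input id="card_number" name="card_number">'
    '</div>'
)


def decoded_script(value):
    """Return decoded text if a base64 run in the attribute decodes to JavaScript-looking text."""
    for m in B64_RUN.finditer(value):
        try:
            text = base64.b64decode(m.group(0), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not base64, or not text: leave it alone
        if any(tok in text for tok in JS_TOKENS):
            return text
    return None


class SkimmerAuditor(HTMLParser):
    """Records suspicious attributes and rebuilds the markup without them."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.findings = []   # (tag, attribute, reason)
        self.out = []

    def _clean(self, tag, attrs):
        kept = []
        for name, value in attrs:
            if EVENT_ATTR.match(name):
                self.findings.append((tag, name, "inline event handler"))
            elif value and decoded_script(value):
                self.findings.append((tag, name, "base64-encoded script"))
            else:
                kept.append((name, value))
        return kept

    def _render(self, tag, attrs, close):
        parts = [tag] + [n if v is None else f'{n}="{html.escape(v, quote=True)}"' for n, v in attrs]
        return "<" + " ".join(parts) + close

    def handle_starttag(self, tag, attrs):
        self.out.append(self._render(tag, self._clean(tag, attrs), ">"))

    def handle_startendtag(self, tag, attrs):
        self.out.append(self._render(tag, self._clean(tag, attrs), "/>"))

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def audit(markup):
    """Return (findings, cleaned markup) for a page fragment."""
    p = SkimmerAuditor()
    p.feed(markup)
    p.close()
    return p.findings, "".join(p.out)


if __name__ == "__main__":
    findings, cleaned = audit(SAMPLE_HTML)
    for f in findings:
        print("FINDING", f)
    print(cleaned)
```

Run the audit against rendered checkout pages on a schedule and alert on any new finding; a legitimate storefront template almost never needs an inline handler on an image. Pair it with a Content Security Policy whose script-src omits 'unsafe-inline', since browsers then refuse inline handlers such as onerror regardless of what the attribute contains.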

(TLP: CLEAR) Recommended best practices/regulations: PCI-DSS v4.0 Section 6.4.1: “For public-facing web applications, new threats and vulnerabilities are addressed on an ongoing basis and these applications are protected against known attacks as follows: 

  • Reviewing public-facing web applications via manual or automated application vulnerability security assessment tools or methods as follows: 
    – By an entity that specializes in application security. 
    – Including, at a minimum, all common software attacks in Requirement 6.2.4. 
    – All vulnerabilities are ranked in accordance with requirement 6.3.1. 
    – All vulnerabilities are corrected. 
    – The application is re-evaluated after the corrections. 

OR 

  • Installing an automated technical solution(s) that continually detects and prevents web-based attacks as follows: 
    – Installed in front of public-facing web applications to detect and prevent web-based attacks. 
    – Actively running and up to date as applicable. 
    – Generating audit logs. 
    – Configured to either block web-based attacks or generate an alert that is immediately investigated.” 

(TLP: CLEAR) Vercara: Vercara’s Web Application Firewall, UltraWAF, helps prevent common exploits of vulnerabilities in web applications that could lead to the insertion of malware. Signatures for new vulnerabilities are constantly updated, along with granular input validation controls and traffic filtering measures for flexibility. UltraWAF includes a number of tools for managing both benign and malicious bots, including bot signatures and device fingerprinting. UltraWAF can also prevent some layer 7 DDoS attacks. 

Source: https://cybersecuritynews.com/hackers-hiding-credit-card-stealer-script/  

Vgod Ransomware Encrypts Your Entire System and Sets a Ransom Note as Wallpaper  

(TLP: CLEAR) A new ransomware strain, Vgod, has emerged as a critical cybersecurity threat, employing advanced encryption and psychological pressure tactics. First observed on February 5, 2025, by CYFIRMA researchers, this Windows-targeting malware combines AES-256 file encryption with RSA-4096 key protection, similar to Ryuk and LockBit ransomware families. Upon infection, Vgod appends the .Vgod extension to encrypted files and alters the desktop wallpaper with a ransom note, ensuring victims are aware of the attack. It also embeds unique victim identifiers and threatens to publish stolen data on dark web forums if the ransom is not paid. The ransomware employs double extortion tactics, leveraging process injection (T1059.001), DLL side-loading (T1574.002), and registry modifications (T1112) to evade detection. Persistence mechanisms include bootkit installation (T1542.003), scheduled tasks, and network propagation via compromised RDP credentials. CYFIRMA researchers found Vgod’s infrastructure linked to CyberVolk operations, utilizing Russian-aligned servers and Babuk ransomware code components. Security experts urge organizations to implement application allowlisting, enforce MFA for remote access, and maintain frequent air-gapped backups. Defenders should monitor for unusual svchost.exe memory allocations exceeding 500MB, suspicious PowerShell logs, and failed login attempts from Eastern European IPs. With ransomware groups increasingly targeting virtualization platforms, organizations should prioritize patch management, especially for VMware ESXi vulnerabilities, to prevent cross-platform attacks. 

(TLP: CLEAR) Comments: Vgod ransomware represents a significant evolution in ransomware tactics, integrating strong encryption (AES-256 + RSA-4096), evasion techniques, and double extortion to maximize impact. By appending the .Vgod extension, altering the desktop wallpaper, and embedding victim-specific identifiers, the ransomware ensures psychological pressure, coercing victims into paying the ransom. The use of double extortion—encrypting files while threatening data leaks on dark web forums—follows a growing trend among modern ransomware groups like LockBit and Ryuk. A malicious actor deploying Vgod could maximize its reach through compromised RDP credentials, enabling network-wide propagation and potentially escalating privileges using process injection (T1059.001) and DLL side-loading (T1574.002). Furthermore, registry modifications (T1112) and bootkit installation (T1542.003) allow it to maintain persistent access, even after system reboots or partial remediation. The discovery of CyberVolk infrastructure links and the use of Babuk ransomware code suggests that Vgod is leveraging prior ransomware-as-a-service (RaaS) models, making it easier for cybercriminals to deploy at scale. Additionally, ransomware groups are increasingly targeting virtualization environments, meaning VMware ESXi vulnerabilities are prime attack vectors for cross-platform infections. To mitigate this threat, organizations must enforce MFA on all remote access points, implement strict application allowlisting, maintain frequent air-gapped backups, and continuously monitor system logs for unusual activity—such as high memory allocations in svchost.exe (500MB+), suspicious PowerShell executions, and failed login attempts from Eastern European IPs. As ransomware attacks continue to evolve, rapid incident response and proactive security measures remain critical in defending against Vgod and similar ransomware families. 

(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) DE.CM-01: “Networks and network services are monitored to find potentially adverse events”. One of the ways to detect phishing, malware droppers, and command and control (C2) is at the network level. Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), and next-generation firewalls can be used with a protective DNS solution to detect these malicious activities as they traverse the network, even if the initial infection occurs via physical media or on another network such as a hotel or airport. 

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), uses a multi-petabyte data lake filled with DNS query history and indicators of compromise from multiple Cyber Threat Intelligence (CTI) data feeds to correlate an incoming DNS query in real-time with previously observed malicious activity. This ensures that users and devices only go to safe, policy-compliant Internet locations. 

Source: https://cybersecuritynews.com/vgod-ransomware-encrypt-your-entire-system/  

Ransomware Gangs Encrypt Systems 17 Hours After Initial Infection  

(TLP: CLEAR) New research by Huntress reveals that ransomware gangs are accelerating encryption times while leveraging advanced evasion and extortion techniques. The average time to ransomware (TTR) has dropped to 17 hours, with some groups like Akira and RansomHub encrypting systems in just 4–6 hours after initial intrusion. This “smash-and-grab” strategy drastically reduces detection and response time for victims, contrasting with older campaigns that involved weeks-long dwell times. 

Attackers increasingly exploit credential theft tools like Mimikatz and PowerShell scripts for rapid lateral movement using stolen domain admin accounts. Over 60% of ransomware incidents in 2024 stemmed from vulnerabilities in remote tools, including ScreenConnect (CVE-2024-1709) and CrushFTP (CVE-2024-4040), which facilitated unauthorized access. Newer ransomware strains, such as CryptNet, optimize encryption speed by encrypting files partially instead of in full, reducing encryption time by 70% while maintaining effectiveness. The ransomware-as-a-service (RaaS) affiliate model has led to faster attacks, with payouts of up to 90% incentivizing high-volume infections. Additionally, 38% of incidents now involve pure data extortion without encryption, a tactic favored by BianLian ransomware. The healthcare and education sectors are among the most targeted, with 45% of healthcare attacks using Java-based RATs (e.g., STRRAT) and 24% of education-related incidents involving Chromeloader infostealers. To mitigate risks, organizations must restrict access to Remote Monitoring and Management (RMM) tools, as 74.5% of attacks exploited ConnectWise ScreenConnect. Additionally, blocking LOLBin execution via registry modifications and enabling AES-NI hardware encryption can help prevent partial-file encryption attacks. Huntress researchers emphasize that “The 17-hour window isn’t a grace period—it’s a countdown.” With ransomware exceeding $30 billion in global damages, businesses must prioritize rapid-response security, conduct hourly backup validation, and adopt proactive threat mitigation strategies to combat evolving ransomware threats. 

(TLP: CLEAR) Comments: The acceleration of ransomware encryption times to as little as 4–6 hours, as seen in Akira and RansomHub, represents a major shift in cybercriminal tactics, drastically reducing detection and response opportunities. Attackers exploit credential theft tools like Mimikatz and PowerShell scripts for rapid lateral movement, leveraging vulnerabilities in remote tools such as ScreenConnect (CVE-2024-1709) and CrushFTP (CVE-2024-4040) to gain unauthorized access. The rise of partial-file encryption, seen in CryptNet, optimizes speed by encrypting only critical sections of files, reducing encryption time by 70% while maintaining effectiveness. Additionally, the ransomware-as-a-service (RaaS) model incentivizes faster attacks with high payouts (up to 90%), leading to an increase in pure data extortion campaigns (38% of incidents), where attackers steal and threaten to leak sensitive data instead of encrypting files. To mitigate these threats, organizations must restrict access to Remote Monitoring and Management (RMM) tools, as 74.5% of attacks exploited ConnectWise ScreenConnect, while also blocking LOLBin execution via registry modifications and enabling AES-NI hardware encryption to counter partial-file encryption attacks. Implementing hourly backup validation, proactive threat monitoring, and rapid-response security protocols is essential to minimizing risk, as ransomware-related damages exceed $30 billion globally. Huntress researchers emphasize that “The 17-hour window isn’t a grace period—it’s a countdown,” reinforcing the need for early detection, patch management, and containment strategies to combat evolving ransomware threats. 

(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency #StopRansomware Guide: “Implement Protective Domain Name System (DNS). By blocking malicious internet activity at the source, Protective DNS services can provide high network security for remote workers. These security services analyze DNS queries and take action to mitigate threats—such as malware, ransomware, phishing attacks, viruses, malicious sites, and spyware—leveraging the existing DNS protocol and architecture.” 

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), supports 4 distinct detection engines to provide Defense in Depth against malware, phishing, and other abuses: 

  • The Lists Engine allows UltraDDR customers the ability to bring their own block lists and allow lists for FQDNs, domains, IP addresses, CIDR blocks, and registrars. 
  • The Categories Engine uses Vercara-provided Cyber Threat Intelligence feeds in 17 categories. Administrators can enable blocking on a category with just one button click. 
  • The Decision Engine uses a multi-petabyte adversarial infrastructure data lake and artificial intelligence techniques to determine if a previously unseen or recently changed domain is malicious in nature. 
  • The Ruleset Engine allows administrators the ability to build custom rules to augment and extend the other engines of UltraDDR. 

Source: https://cybersecuritynews.com/ransomware-gangs-encrypt-systems-after-17hrs/  

Pro-Russia Hackers NoName057(16) Hit Italian Banks and Airports  

(TLP: CLEAR) The pro-Russia hacker group NoName057(16) launched a DDoS attack targeting key Italian organizations, including Milan’s Linate and Malpensa airports, the Transport Authority, Intesa Sanpaolo bank, and the ports of Taranto and Trieste. The attacks, which occurred early Monday, were minor and swiftly mitigated by the Italian National Cybersecurity Agency (ACN), ensuring no significant operational impact. The attacks were motivated by Italian President Sergio Mattarella’s remarks in Marseille, where he compared Russia’s actions in Ukraine to the Third Reich, prompting backlash from both the Russian Foreign Ministry and NoName057(16). The hacker group, via its Telegram channel, vowed retaliation against Italy, referring to Mattarella as a “Russophobe.” This is not the first cyber offensive by NoName057(16) against Italy. In January 2025, the group targeted Italian ministries and critical infrastructure during Ukrainian President Zelensky’s visit to Rome. Previously, they have attacked government websites, banks, and Prime Minister Giorgia Meloni’s official website. Active since March 2022, NoName057(16) focuses on nations supporting Ukraine and escalates attacks amid geopolitical tensions. In response, the ACN reassured that Italy has the necessary countermeasures to mitigate DDoS attacks, which rely on overwhelming websites with fake traffic. Italian cybersecurity officials have urged organizations to stay alert, warning of potential future attacks as geopolitical tensions persist. 

(TLP: CLEAR) Comments: NoName057(16) is a pro-Russia hacktivist group specializing in DDoS (Distributed Denial-of-Service) attacks against Western nations, NATO allies, and organizations supporting Ukraine. The group emerged in March 2022, shortly after Russia’s invasion of Ukraine, positioning itself as a cyber retaliation force against countries perceived as hostile to Russian interests. Unlike financially motivated cybercriminals, NoName operates with ideological and geopolitical objectives, frequently launching attacks following anti-Russian political statements, sanctions, or military aid packages to Ukraine. The group has targeted government agencies, financial institutions, transportation networks, and media outlets, particularly in Italy, Poland, Sweden, Norway, and the U.S. NoName’s attack methodology revolves around volumetric and application-layer DDoS attacks, often leveraging botnets and voluntary contributors via its Telegram-based DDoS tool, “DDoSia.” Their campaigns demonstrate a high degree of coordination and adaptability, making them a persistent cyber threat. A malicious actor could exploit NoName’s tactics by enhancing their botnet infrastructure, using automated AI-driven attack scripts, or combining DDoS with ransomware or data exfiltration to create more severe disruptions. Additionally, geopolitical tensions could trigger more aggressive attacks, particularly targeting election systems, critical infrastructure, and financial networks in Western nations. To mitigate the threat, organizations should deploy advanced DDoS protection tools, such as Web Application Firewalls (WAFs), geo-blocking, and real-time traffic monitoring to detect anomalies. Given that DDoS attacks are increasingly being used as a form of cyber warfare, governments and businesses must enhance their resilience against politically motivated cyberattacks, ensuring that NoName and similar groups do not gain strategic leverage through cyber disruption. 

(TLP: CLEAR) Recommended best practices/regulations: NIST Cybersecurity Framework (CSF) PR.DS-02: “The confidentiality, integrity, and availability of data-in-transit are protected”. Organizations should have a well-defined incident response plan in place that outlines the procedures to take in a DDoS attack, including communication protocols and escalation procedures. Additionally, organizations should utilize DDoS mitigation services from reputable providers that detect and mitigate attacks in real time, such as Vercara’s UltraDDoS Protect. 

(TLP: CLEAR) Vercara: Vercara UltraDDoS Protect scrubs malicious traffic away from your infrastructure, defusing the large, complex attacks that make headlines every day and threaten your operational stability. Powerful automation allows you to activate on-demand cloud protection through means that include DNS Redirection, BGP Redirection, and API-triggering. The result is incredibly fast response against DDoS trouble when you need it most. 

Source: https://www.infosecurity-magazine.com/news/noname05716-hit-italian-banks/ 

About Vercara. The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond. To learn more about Vercara solutions, please contact us.