Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here.
NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.
New Morphing Meerkat Phishing Kit Mimics 114 Brands Using Victims’ DNS Email Records
(TLP: CLEAR) The “Morphing Meerkat” phishing kit is a sophisticated phishing-as-a-service (PhaaS) platform used by cybercriminals to impersonate 114 different brands by exploiting DNS mail exchange (MX) records to dynamically generate fake login pages. This technique targets victims based on their email service provider (e.g., Gmail, Yahoo, Outlook), enhancing the realism of phishing attempts. The kit uses compromised websites and open redirects to distribute phishing emails, evading security filters. It also features multi-language support and anti-analysis measures, such as obfuscating code and disabling right-click and keyboard shortcuts. The stolen credentials are often exfiltrated via platforms like Telegram.
(TLP: CLEAR) Comments: The Morphing Meerkat phishing kit is a highly sophisticated tool that combines dynamic phishing page generation, evasive tactics, and multi-language support, making it a significant threat to both individuals and organizations. Its ability to mimic popular brands and bypass security measures underscores the evolving nature of phishing attacks.
(TLP: CLEAR) Recommended best practices/regulations:
Cybersecurity & Infrastructure Security Agency Selecting a Protective DNS (PDNS) Service: “A core capability of PDNS is the ability to categorize domain names based on threat intelligence. PDNS services typically leverage open source, commercial, and governmental information feeds of known malicious domains. These feeds enable coverage of domain names found at numerous points of the network exploitation lifecycle. Some solutions may also detect novel malicious domains based on pattern recognition. The types of domains typically addressed by a PDNS system include the following:
Phishing: Sites known to host applications that maliciously collect personal or organizational information, including credential harvesting scams. These domains may include typo-squats – or close lookalikes of common domains. PDNS can protect users from accidentally connecting to a potentially malicious link.
Malware distribution and command and control: Sites known to serve malicious content or used by threat actors to command-and-control malware. For example, these may include sites hosting malicious JavaScript® files or domains that host advertisements that collect information for undesired profiling. PDNS can block and alert on known malicious connection attempts.
Domain generation algorithms: Sites with programmatically generated domain names that are used by malware to circumvent static blocking. Advanced malware – including some botnets – depend on the ability to communicate with command and control (C2) infrastructure. Cyber threat actors use domain generation algorithms (DGAs) for malware to circumvent static blocking – either by domain name or IP – through programmatically generating domain names according to a pre-set seed. PDNS can offer protection from malware DGAs by analyzing every domain’s textual attribute and tagging those associated with known DGA attributes, such as high entropy.
Content filtering: Sites whose content is in certain categories that are against an organization’s access policies. Although an ancillary benefit to malware protection, PDNS can use a categorization of various domains’ use cases (e.g., ‘gambling’) and warn or block on those that are deemed a risk for a given environment.”
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), functions as a recursive/resolver DNS server that receives DNS queries either via forwarding from on-network resolvers or via an endpoint client. It then uses blocklists, domain categories, artificial intelligence, or a defined policy to determine if the domain should be allowed or blocked. Blocked user traffic is then sent to a sinkhole.
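The CISA text above lists the decision sources a PDNS service draws on (threat feeds, domain categories, and heuristics such as label entropy for DGA names), and the Vercara paragraph describes the same pipeline ending in a sinkhole answer. The following added example, which is not code from Vercara, CISA or the article, puts those pieces together as a small policy evaluator run over constructed resolver log lines. The blocklist, category table, sinkhole address and entropy threshold are all assumptions made up for the example; a production resolver would use the Public Suffix List instead of the naive second-level-label split and would tune the threshold against real traffic.

```python
import math
from collections import Counter

# Constructed stand-ins for threat-intelligence feeds and a category database.
# These are assumptions for the example, not Vercara's or CISA's data.
BLOCKLIST = {"login-secure-mail-verify.example", "update-bet365-bonus.example"}
CATEGORIES = {"casino-bonus.example": "gambling", "mail.example.net": "email"}
POLICY_BLOCK_CATEGORIES = {"gambling"}   # the organization's access policy
SINKHOLE_ADDRESS = "10.0.0.1"            # constructed sinkhole target
ENTROPY_THRESHOLD = 3.5                  # bits per character, hand-tuned for the sample
MIN_DGA_LABEL_LENGTH = 12                # short labels are too noisy to score on entropy


def shannon_entropy(text: str) -> float:
    """Shannon entropy of a string in bits per character (0.0 for empty input)."""
    if not text:
        return 0.0
    total = len(text)
    return -sum((n / total) * math.log2(n / total) for n in Counter(text).values())


def registrable_label(domain: str) -> str:
    """Label just left of the TLD (naive; a real PDNS consults the Public Suffix List)."""
    parts = domain.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_like_dga(domain: str) -> bool:
    """Heuristic DGA check: a long registrable label with high character entropy."""
    label = registrable_label(domain)
    return len(label) >= MIN_DGA_LABEL_LENGTH and shannon_entropy(label) >= ENTROPY_THRESHOLD


def resolve_policy(domain: str) -> dict:
    """Decide allow/block for one name: known-bad feed first, then category policy, then heuristics."""
    name = domain.rstrip(".").lower()
    if name in BLOCKLIST:
        return {"domain": name, "action": "block", "reason": "blocklist", "answer": SINKHOLE_ADDRESS}
    category = CATEGORIES.get(name)
    if category in POLICY_BLOCK_CATEGORIES:
        return {"domain": name, "action": "block", "reason": f"category:{category}", "answer": SINKHOLE_ADDRESS}
    if looks_like_dga(name):
        return {"domain": name, "action": "block", "reason": "dga-entropy", "answer": SINKHOLE_ADDRESS}
    return {"domain": name, "action": "allow", "reason": "no-match", "answer": None}


def evaluate_query_log(lines) -> list:
    """Apply the policy to resolver log lines of the form '<timestamp> <client> <qtype> <qname>'."""
    decisions = []
    for line in lines:
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines rather than guessing at them
        timestamp, client, _qtype, qname = fields
        decision = resolve_policy(qname)
        decision.update({"timestamp": timestamp, "client": client})
        decisions.append(decision)
    return decisions


# Constructed sample log lines (not real traffic; client addresses are from the documentation range).
SAMPLE_LOG = [
    "2025-03-28T10:00:01Z 192.0.2.10 A www.thehackernews.com",
    "2025-03-28T10:00:02Z 192.0.2.10 A login-secure-mail-verify.example",
    "2025-03-28T10:00:03Z 192.0.2.11 A casino-bonus.example",
    "2025-03-28T10:00:04Z 192.0.2.12 A q7xk2mzp9vwr4t.example",
    "2025-03-28T10:00:05Z 192.0.2.12 A mail.example.net",
]

if __name__ == "__main__":
    for d in evaluate_query_log(SAMPLE_LOG):
        print(f"{d['timestamp']} {d['client']:12} {d['domain']:34} {d['action']:5} {d['reason']}")
```

The ordering matters: a feed hit is cheap and authoritative, a category hit is policy rather than threat, and the entropy heuristic runs last because it is the one source that produces false positives (long dictionary-word labels such as "thehackernews" score below the threshold here, but hashed CDN hostnames will not).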
Source: https://thehackernews.com/2025/03/new-morphing-meerkat-phishing-kit.html
150,000 Sites Compromised by JavaScript Injection Promoting Chinese Gambling Platforms
(TLP: CLEAR) A large-scale cyberattack has compromised approximately 150,000 websites using a JavaScript injection technique to promote Chinese-language gambling platforms. The campaign hijacks website visitors’ browsers by injecting malicious scripts that redirect them to fraudulent gambling sites. The injected scripts are hosted on five domains and utilize iframe elements to display full-screen overlays in place of the legitimate content of infected sites.
(TLP: CLEAR) Comments: This tactic, which also includes impersonating official gambling sites like Bet365 with fake branding, aims to maximize the effectiveness of the redirect. The campaign has been evolving, with new layers of obfuscation being used to evade detection. This highlights the growing trend of client-side attacks, which increasingly target unsuspecting web visitors through malicious JavaScript. Additionally, the operation is a reminder of the sophistication of modern web threats, as attackers adapt their tactics to expand their reach and evade security measures.
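The campaign described above leaves three recognisable traces in an infected page: a script tag pointing at a host the site never legitimately used, inline JavaScript that decodes a payload and builds an iframe at runtime, and a fixed-position iframe sized to cover the viewport. The following added example, which is not code from the article or from Vercara, is a scanner a site owner could run over their own HTML to surface those traces. The allowlist of script hosts, the sample page and all host names in it are constructed for the example; the indicator patterns are heuristics and will need tuning per site.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: hosts this site legitimately loads scripts from (an assumption for the example).
ALLOWED_SCRIPT_HOSTS = {"www.example-shop.test", "cdn.example-shop.test"}

# Inline-script patterns that suggest runtime overlay creation or payload obfuscation.
INLINE_PATTERNS = {
    "creates-iframe": re.compile(r"createElement\(\s*['\"]iframe['\"]\s*\)|document\.write\(\s*['\"]<iframe", re.I),
    "obfuscation": re.compile(r"\beval\s*\(|\batob\s*\(|String\.fromCharCode|\bunescape\s*\(", re.I),
}


def _is_fullscreen(style: str) -> bool:
    """True when an inline style pins the element to the viewport and sizes it to fill it."""
    compact = style.replace(" ", "").lower()
    return "position:fixed" in compact and "width:100%" in compact and "height:100%" in compact


class InjectionScanner(HTMLParser):
    """Collects (kind, detail) findings: external scripts, overlay iframes, suspicious inline JS."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = allowed_hosts
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
            src = a.get("src")
            if src:
                host = urlparse(src).hostname  # None for same-origin relative paths
                if host and host not in self.allowed_hosts:
                    self.findings.append(("external-script", src))
        elif tag == "iframe" and _is_fullscreen(a.get("style") or ""):
            self.findings.append(("fullscreen-iframe", a.get("src") or ""))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # html.parser hands over <script> bodies verbatim, so inline JS lands here.
        if not self._in_script:
            return
        for label, pattern in INLINE_PATTERNS.items():
            if pattern.search(data):
                self.findings.append((f"inline-{label}", data.strip()[:60]))


def scan_html(document: str, allowed_hosts=ALLOWED_SCRIPT_HOSTS) -> list:
    """Return the list of findings for one HTML document."""
    scanner = InjectionScanner(allowed_hosts)
    scanner.feed(document)
    scanner.close()
    return scanner.findings


# Constructed sample page: a shop page carrying an injected external script, an obfuscated
# inline loader and a full-screen iframe overlay. The base64 string is a placeholder, not a payload.
SAMPLE_PAGE = """<html><head>
<script src="/js/app.js"></script>
<script src="https://cdn.example-shop.test/vendor.js"></script>
<script src="//cdn-ads.example/r.js"></script>
<script>var u=atob("BASE64_PAYLOAD_PLACEHOLDER");var f=document.createElement("iframe");f.src=u;document.body.appendChild(f);</script>
</head><body>
<iframe src="https://bet-promo.example/" style="position:fixed;top:0;left:0;width:100%;height:100%;z-index:99999"></iframe>
<p>Welcome to the shop.</p>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_PAGE):
        print(f"{kind:24} {detail}")
```

Scheme-relative sources such as `//cdn-ads.example/r.js` are handled because `urlparse` still yields a hostname for them; same-origin paths yield none and are skipped. The static scan only sees what is in the served HTML, so pair it with a Content-Security-Policy that restricts `script-src` and `frame-src` to the same allowlist, which blocks the overlay even when the injected loader builds it dynamically.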
(TLP: CLEAR) Recommended best practices/regulations: OWASP Web Application Firewall: “A ‘web application firewall (WAF)’ is an application firewall for HTTP applications. It applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as Cross-site Scripting (XSS) and SQL Injection.
“While proxies generally protect clients, WAFs protect servers. A WAF is deployed to protect a specific web application or set of web applications. A WAF can be considered a reverse proxy.
“WAFs may come in the form of an appliance, server plugin, or filter, and may be customized to an application. The effort to perform this customization can be significant and needs to be maintained as the application is modified.”
(TLP: CLEAR) Vercara: Vercara’s Web Application Firewall, UltraWAF, enables you to create your own rules in a variety of formats with the UltraWAF policy editor. You also have the option to continuously add new threat signatures (protection for CVE- and CWE-based threats, such as CMS vulnerabilities) captured by our threat research team.
Source: https://thehackernews.com/2025/03/150000-sites-compromised-by-javascript.html
RedCurl Shifts from Espionage to Ransomware with First-Ever QWCrypt Deployment
(TLP: CLEAR) The Russian-speaking cyber espionage group RedCurl has shifted its tactics from corporate espionage to ransomware deployment, marking a significant change in its operations. Previously known for targeting organizations globally with spear-phishing emails and malware like RedLoader, RedCurl’s attacks typically involved intelligence gathering. However, for the first time, they have deployed QWCrypt, a previously unseen ransomware strain, in an attack.
(TLP: CLEAR) Comments: The attack sequence mirrors their previous methods: spear-phishing emails, disguised as CVs or job applications, carry malware like ADNotificationManager.exe, which side-loads a malicious DLL to establish backdoor access. This gives attackers the ability to move laterally within networks. The ransomware is deployed to encrypt virtual machines, rendering the infrastructure unbootable and causing significant disruptions.
The QWCrypt ransomware employs techniques like BYOVD (Bring Your Own Vulnerable Driver) to disable endpoint security software. While the ransom note shows similarities to those used by other groups like LockBit and HardBit, the absence of a known leak site or confirmed extortion attempt raises questions about RedCurl’s motives. This shift may indicate an attempt to cause maximum damage with minimal effort, targeting virtualized infrastructures for greater impact.
(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency #StopRansomware Guide: “Implement Protective Domain Name System (DNS). By blocking malicious internet activity at the source, Protective DNS services can provide high network security for remote workers. These security services analyze DNS queries and take action to mitigate threats—such as malware, ransomware, phishing attacks, viruses, malicious sites, and spyware—leveraging the existing DNS protocol and architecture.”
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), receives DNS queries from enterprise users and other on-LAN devices and inspects the DNS response for indicators of malicious activity such as phishing, ransomware, and acceptable usage policy violations.
Source: https://thehackernews.com/2025/03/redcurl-shifts-from-espionage-to.html
New npm Attack Poisons Local Packages With Backdoors
(TLP: CLEAR) A new attack targeting the npm (Node package manager) ecosystem has been discovered, where malicious packages were used to inject backdoors into legitimate, locally installed packages. These backdoors, primarily in the form of reverse shells, persist even after the malicious packages are removed. The two malicious packages identified, ethers-provider2 and ethers-providers, exploit npm’s installation process to inject a trojanized version of the ethers package with a reverse shell payload.
(TLP: CLEAR) Comments: Attack Mechanism –
Malicious Packages: The packages use a modified install.js script to download and execute a second-stage payload, which then replaces legitimate files in the ethers package with compromised ones.
Reverse Shell: The injected code establishes a reverse shell that communicates with a remote server, providing attackers with ongoing access, even if the malicious package is uninstalled.
Persistence: The malicious behavior remains in the system because the backdoor targets existing legitimate packages and modifies their code, ensuring that the infection persists beyond the package removal.
The attack highlights the risks of supply chain attacks in the open-source ecosystem, urging developers to verify the legitimacy of packages and be cautious of obfuscated code or external server calls. ReversingLabs has provided a YARA rule to help detect remnants of this attack.
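Every element of the attack mechanism above hinges on an npm lifecycle hook: the malicious package declares an install script, that script pulls a second stage from a remote server, and the payload reaches across into a sibling package (ethers) to patch its files. The following added example, which is not code from ReversingLabs, the article or Vercara and is not their YARA rule, is a scanner a developer can run over a node_modules tree to list every package that hooks installation and to flag the indicators the attack relied on in the script that hook runs: spawning processes, importing network modules, obfuscated payload handling, and paths that reach into another installed package. The sample tree it builds is constructed in a temporary directory and its install.js is inert (it only contains the strings the scanner looks for); the package names ethers and ethers-provider2 are taken from the article, tiny-util is made up.

```python
import json
import re
import tempfile
from pathlib import Path

# npm lifecycle hooks that execute code on the developer's machine at install time.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Indicator patterns for the script an install hook runs. Heuristics, not proof of malice.
RISK_PATTERNS = {
    "child-process": re.compile(r"\bchild_process\b"),
    "network": re.compile(r"require\(\s*['\"](?:https?|net|tls|dgram)['\"]\s*\)|\bfetch\s*\("),
    "obfuscation": re.compile(r"\beval\s*\(|Buffer\.from\([^)]*['\"]base64['\"]|fromCharCode"),
}
# A path that reaches into another package: node_modules/<name> or ../<name>.
SIBLING_PATH = re.compile(r"(?:node_modules|\.\.)[\\/]([@\w.-]+)")


def iter_packages(node_modules: Path):
    """Yield (package name, directory) for every installed package, including scoped ones."""
    for entry in sorted(node_modules.iterdir()):
        if not entry.is_dir():
            continue
        if entry.name.startswith("@"):
            for scoped in sorted(entry.iterdir()):
                if (scoped / "package.json").is_file():
                    yield f"{entry.name}/{scoped.name}", scoped
        elif (entry / "package.json").is_file():
            yield entry.name, entry


def script_file_for(command: str, pkg_dir: Path):
    """If a hook command is 'node <file>', return that file's path when it exists in the package."""
    match = re.match(r"\s*node\s+([^\s&|;]+)", command)
    if not match:
        return None
    candidate = pkg_dir / match.group(1)
    return candidate if candidate.is_file() else None


def scan_node_modules(node_modules) -> list:
    """Report every package with an install-time hook, plus indicators found in the script it runs."""
    node_modules = Path(node_modules)
    packages = list(iter_packages(node_modules))
    installed = {name for name, _ in packages}
    findings = []
    for name, pkg_dir in packages:
        meta = json.loads((pkg_dir / "package.json").read_text(encoding="utf-8"))
        scripts = meta.get("scripts") or {}
        for hook in LIFECYCLE_HOOKS:
            if hook not in scripts:
                continue
            command = scripts[hook]
            indicators = []
            script_path = script_file_for(command, pkg_dir)
            if script_path is not None:
                source = script_path.read_text(encoding="utf-8", errors="replace")
                indicators += [label for label, pat in RISK_PATTERNS.items() if pat.search(source)]
                # Only count a sibling reference when it names a package actually installed here.
                for other in {m.group(1) for m in SIBLING_PATH.finditer(source)}:
                    if other in installed and other != name:
                        indicators.append(f"touches-sibling-package:{other}")
            findings.append({"package": name, "hook": hook, "command": command,
                             "indicators": sorted(indicators)})
    return findings


# Constructed, inert install script: it only carries the indicator strings the scanner looks for
# and performs no network access or file modification when run.
SAMPLE_INSTALL_JS = """\
const https = require("https");
const { spawn } = require("child_process");
const path = require("path");
const target = path.join(__dirname, "../ethers/lib/provider.js");
console.log("sample only; a real stage-one script would fetch a payload and patch", target);
"""


def build_sample_tree() -> Path:
    """Create a throwaway node_modules with clean dependencies and one package that hooks install."""
    root = Path(tempfile.mkdtemp(prefix="npm-scan-sample-")) / "node_modules"

    def write_package(name, scripts=None, files=None):
        pkg_dir = root / name
        pkg_dir.mkdir(parents=True)
        manifest = {"name": name, "version": "1.0.0", "scripts": scripts or {}}
        (pkg_dir / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
        for filename, body in (files or {}).items():
            (pkg_dir / filename).write_text(body, encoding="utf-8")

    write_package("ethers", files={"index.js": "module.exports = {};\n"})
    write_package("tiny-util", scripts={"test": "node test.js"})  # a non-install hook is ignored
    write_package("ethers-provider2", scripts={"install": "node install.js"},
                  files={"install.js": SAMPLE_INSTALL_JS})
    return root


if __name__ == "__main__":
    for finding in scan_node_modules(build_sample_tree()):
        print(f"{finding['package']}: {finding['hook']} -> {finding['command']!r} {finding['indicators']}")
```

Because the backdoor survives removal of the package that planted it, run the scan against the tree as it was at install time (or from CI logs), and treat any install hook that touches a sibling package as a reason to reinstall from a clean lockfile rather than simply uninstalling the flagged package. Setting `ignore-scripts=true` in `.npmrc` stops hooks from running at all and is the simplest preventive control where the project's own dependencies do not need them.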
(TLP: CLEAR) Recommended best practices/regulations:
NIST SP 800-53 Rev5 SI-3: “MALICIOUS CODE PROTECTION
Control:
- Implement [Selection (one or more): signature based; non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code.
- Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures.
- Configure malicious code protection mechanisms to: 1. Perform periodic scans of the system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more): endpoint; network entry and exit points] as the files are downloaded, opened, or executed in accordance with organizational policy; and 2. [Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-defined action]]; and send alert to [Assignment: organization defined personnel or roles] in response to malicious code detection.
- Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.
NIST requires malware detection and prevention solutions. This can be on the device, as with anti-virus agents, but also can be augmented by Protective DNS provided by the network that the device is on or across the Internet. This provides defense-in-depth and support for devices such as Internet of Things (IoT) or some servers that cannot run an endpoint client.
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), filters DNS responses for internal users and machines using both defined categories, including botnet command and control (C2), and machine learning that detects previously uncategorized malicious associations, helping to prevent data exfiltration and malware detonation.
Source: https://www.bleepingcomputer.com/news/security/new-npm-attack-poisons-local-packages-with-backdoors/, https://thehackernews.com/2025/03/malicious-npm-package-modifies-local.html