April 07, 2025 Cyber Threat Intelligence Briefing
This week’s briefing covers:
00:00 - Intro and Situational Awareness
North Korean Fake Workers Expand to European Organizations
Kroll has previously reported on the growing scale of the DPRK IT worker fraud scheme, where the U.S. was a key focus, with some Southeast Asian countries also seeing fraudulent activity. It has since been reported that active operations in Europe have increased, a notable expansion since the scheme's beginnings in 2024.
Increased Palo Alto Networks Scanning Reported
GreyNoise has reported a significant spike in login scanning targeting Palo Alto Networks PAN-OS GlobalProtect portals. It notes that over the last 30 days, 24,000 unique IP addresses have attempted to access these portals, which could indicate "the emergence of new vulnerabilities in the near future" based on patterns it has observed in the past.
02:30 [CAMPAIGN] ScreenConnect Phishing Campaign Leads to QILIN Ransomware
Key Takeaways
- A threat actor known as STAC4365 (KTAC009) has been running a phishing campaign targeting ScreenConnect admins since at least 2022.
- The group has been observed by Sophos to deploy QILIN ransomware after gaining initial access via a third-party MSP that uses ScreenConnect.
- Kroll has observed increased targeting of third parties' ScreenConnect instances as an initial access vector.
05:04 [PHISHING] Phishing-As-A-Service Uses DNS-over-HTTPS and MX Record Abuse
Key Takeaways
- A phishing-as-a-service (PhaaS) platform dubbed Morphing Meerkat has been operating for over five years, using advanced techniques to tailor phishing content.
- The phishing kit dynamically loads branded phishing pages based on victims' email MX records, leveraging DNS-over-HTTPS (DoH) to evade detection.
- The campaign is highly evasive, cloaking phishing infrastructure, using open redirects on adtech networks and delivering stolen credentials via email and messaging platforms like Telegram.
- Morphing Meerkat impersonates over 100 brands and includes localization features to serve phishing pages in multiple languages.
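The MX-record fingerprinting described above leaves a network trace: the victim's browser, while rendering the phishing page, asks a public DoH resolver for the MX record of the victim's own mail domain, something ordinary web pages almost never do. The following Python is an added example, not code from the briefing or from Kroll, that flags such lookups in constructed web-proxy log lines; the log format, the sample lines and the client addresses are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Public DoH resolver endpoints that accept JSON-style queries in the URL.
DOH_ENDPOINTS = {
    ("dns.google", "/resolve"),
    ("cloudflare-dns.com", "/dns-query"),
    ("1.1.1.1", "/dns-query"),
    ("mozilla.cloudflare-dns.com", "/dns-query"),
}

# Constructed sample proxy log (timestamp client method url); not real traffic.
SAMPLE_LOG = """\
1712480001.101 10.0.0.12 GET https://dns.google/resolve?name=example.com&type=A
1712480002.412 10.0.0.12 GET https://cloudflare-dns.com/dns-query?name=victim-corp.example&type=MX
1712480003.877 10.0.0.45 GET https://www.example.org/index.html
1712480004.203 10.0.0.45 GET https://dns.google/resolve?name=victim-corp.example&type=15
1712480005.640 10.0.0.77 POST https://cloudflare-dns.com/dns-query
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)$")


def is_mx_query(qs: dict) -> bool:
    """True if a DoH JSON query asks for MX records (type=MX or the numeric RR type 15)."""
    return any(v.upper() in ("MX", "15") for v in qs.get("type", []))


def find_doh_mx_lookups(log_text: str) -> list:
    """Return (client, queried_name, resolver) for each browser-side DoH MX lookup seen."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the detector
        url = urlsplit(m["url"])
        if (url.hostname, url.path) not in DOH_ENDPOINTS:
            continue  # not a known DoH JSON endpoint
        qs = parse_qs(url.query)
        if is_mx_query(qs):
            hits.append((m["client"], qs.get("name", ["?"])[0], url.hostname))
    return hits


if __name__ == "__main__":
    for client, name, resolver in find_doh_mx_lookups(SAMPLE_LOG):
        print(f"{client} looked up MX for {name} via {resolver}")
```

Wire-format DoH (binary POST bodies) carries the question in the body rather than the URL, so this URL-only check covers the JSON API form; those POSTs need body inspection or a DoH-blocking policy instead.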
07:35 [CAMPAIGN] KTA441 (AKA Earth Alux) Malware Tool Set
Key Takeaways
- KTA441 (AKA Earth Alux) targets the government, technology, logistics, manufacturing, telecommunications, IT services and retail sectors.
- KTA441 uses multiple malware tools, both common and bespoke, to achieve its goals, along with anti-detection techniques such as API unhooking and timestomping, and exploits vulnerabilities for initial access.
- VARGEIT uses multi-channel C2, employing the Microsoft Office API to pass C2 via Outlook.
10:44 [RANSOMWARE] Ransomware Roundup
DRAGONFORCE Claiming to Take Over RANSOMHUB
DRAGONFORCE ransomware is claiming to be taking over RANSOMHUB’s infrastructure by announcing the news on the dark web forum RAMP and its data leak site. It is unclear if this is a joint effort or if DRAGONFORCE compromised RANSOMHUB since RANSOMHUB’s data leak site has remained offline since March 31, 2025. On April 2, 2025, the operator of DRAGONFORCE posted on RAMP that RANSOMHUB will be up soon and that the group has decided to move to DRAGONFORCE’s infrastructure.
Dive deeper:
Kroll’s Monthly Threat Intelligence Spotlight Report: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports/cti-spotlight-trends-report
Kroll’s Q3 2024 Threat Landscape Report: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports/q3-2023-threat-landscape-report-social-engineering
Playlist of Kroll's Weekly Cyber Threat Intelligence Briefings: Cyber Threat Intelligence Briefings
Kroll Cyber Blog: https://www.kroll.com/en/insights/publications/cyber
Kroll Cyber Threat Intelligence: https://www.kroll.com/en/services/cyber-risk/managed-security/threat-intelligence-services
Kroll Threat Intelligence Reports: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports
Kroll Responder MDR: https://www.kroll.com/en/services/cyber-risk/managed-security/kroll-responder
#krollcyber #threatintelligence #cyberthreats