L'APT37 de Corée du Nord déploie un toolkit sophistiqué pour infiltrer les réseaux isolés via des malwares USB. CISA émet un avertissement mis à jour sur les implants RESURGE dormants sur les appareils Ivanti Connect Secure. L'opération "Project Compass" d'Europol démantèle le collectif cybercriminel The Com avec 30 arrestations dans 28 pays.
Zscaler ThreatLabz has uncovered "Ruby Jumper", a campaign by North Korean state-backed group APT37 (ScarCruft) that uses five previously unseen malware families to breach air-gapped networks through removable drives.
The infection begins with a malicious LNK shortcut file that triggers PowerShell to extract embedded payloads. A decoy document (an Arabic translation of a North Korean newspaper article) diverts the victim's attention while the malware deploys silently.
| Malware | Role |
|---|---|
RESTLEAF |
Initial implant using Zoho WorkDrive for C2 communications |
SNAKEDROPPER |
Ruby-based loader disguised as usbspeed.exe |
THUMBSBD |
USB-propagating implant for air-gapped network relay |
VIRUSTASK |
Surveillance module for data exfiltration |
FOOTWINE |
Advanced backdoor with full system access |
Key concern: APT37 installs the entire Ruby 3.3.0 runtime environment on victim systems, disguised as a legitimate USB utility. This gives them a flexible platform for delivering additional payloads while evading signature-based detection.
CISA has released updated technical details on RESURGE (libdsupgrade.so), a sophisticated implant exploiting CVE-2025-0282 that can survive reboots, evade network monitoring, and wait indefinitely for attacker connections.
accept() function to inspect incoming TLS packets, making it invisible to network monitoringAttribution: Linked to China-nexus threat actor UNC5221, who has been exploiting CVE-2025-0282 as a zero-day since December 2024.
Europol's yearlong "Project Compass" operation has resulted in 30 arrests across 28 countries, targeting "The Com" — a decentralized English-speaking cybercrime collective notorious for targeting minors.
| Subgroup | Activity |
|---|---|
| Offline Com | Property damage, violence, terrorism promotion |
| Cyber Com | Network intrusions, ransomware attacks |
| (S)extortion Com | Coercing minors, encouraging self-harm |
| 764 | Grooming, exploitation ring (leaders arrested April 2025) |
Investigators identified 179 suspects and 62 victims, directly safeguarding four individuals from ongoing attacks.
Socket security researchers have uncovered a malicious Go module (github[.]com/xinfeisoft/crypto) that impersonates the legitimate golang.org/x/crypto package to:
This attack exploits namespace confusion — the legitimate project uses go.googlesource.com/crypto as canonical with GitHub as a mirror, making the malicious package appear routine in dependency graphs.
✅ Real-time CVE Monitoring — CVE-2025-0282 and Ivanti vulnerabilities tracked and prioritized
✅ Supply Chain Scanning — Detect namespace-confused packages like the malicious Go crypto module
✅ APT Threat Intelligence — APT37, UNC5221, and state-sponsored threat actor tracking
✅ Continuous Exposure Management — Identify dormant implants before they activate
AI-powered vulnerability management with 331,910+ CVEs indexed.
Start Free TrialStay secure. Stay vigilant.
🗡️ KENSAI Security Team
Get a free security scan of your website in 60 seconds
Free Security Scan →