朝鲜的APT37部署了一套复杂的新工具包,通过USB恶意软件渗透气隙网络。CISA就隐藏在Ivanti Connect Secure设备上的休眠RESURGE植入物发布了紧急更新公告。欧洲刑警组织的"Project Compass"行动瓦解了网络犯罪集团The Com,在28个国家逮捕了30人。
Zscaler ThreatLabz has uncovered "Ruby Jumper", a campaign by North Korean state-backed group APT37 (ScarCruft) that uses five previously unseen malware families to breach air-gapped networks through removable drives.
The infection begins with a malicious LNK shortcut file that triggers PowerShell to extract embedded payloads. A decoy document (an Arabic translation of a North Korean newspaper article) diverts the victim's attention while the malware deploys silently.
| Malware | Role |
|---|---|
RESTLEAF |
Initial implant using Zoho WorkDrive for C2 communications |
SNAKEDROPPER |
Ruby-based loader disguised as usbspeed.exe |
THUMBSBD |
USB-propagating implant for air-gapped network relay |
VIRUSTASK |
Surveillance module for data exfiltration |
FOOTWINE |
Advanced backdoor with full system access |
Key concern: APT37 installs the entire Ruby 3.3.0 runtime environment on victim systems, disguised as a legitimate USB utility. This gives them a flexible platform for delivering additional payloads while evading signature-based detection.
CISA has released updated technical details on RESURGE (libdsupgrade.so), a sophisticated implant exploiting CVE-2025-0282 that can survive reboots, evade network monitoring, and wait indefinitely for attacker connections.
accept() function to inspect incoming TLS packets, making it invisible to network monitoringAttribution: Linked to China-nexus threat actor UNC5221, who has been exploiting CVE-2025-0282 as a zero-day since December 2024.
Europol's yearlong "Project Compass" operation has resulted in 30 arrests across 28 countries, targeting "The Com" — a decentralized English-speaking cybercrime collective notorious for targeting minors.
| Subgroup | Activity |
|---|---|
| Offline Com | Property damage, violence, terrorism promotion |
| Cyber Com | Network intrusions, ransomware attacks |
| (S)extortion Com | Coercing minors, encouraging self-harm |
| 764 | Grooming, exploitation ring (leaders arrested April 2025) |
Investigators identified 179 suspects and 62 victims, directly safeguarding four individuals from ongoing attacks.
Socket security researchers have uncovered a malicious Go module (github[.]com/xinfeisoft/crypto) that impersonates the legitimate golang.org/x/crypto package to:
This attack exploits namespace confusion — the legitimate project uses go.googlesource.com/crypto as canonical with GitHub as a mirror, making the malicious package appear routine in dependency graphs.
✅ Real-time CVE Monitoring — CVE-2025-0282 and Ivanti vulnerabilities tracked and prioritized
✅ Supply Chain Scanning — Detect namespace-confused packages like the malicious Go crypto module
✅ APT Threat Intelligence — APT37, UNC5221, and state-sponsored threat actor tracking
✅ Continuous Exposure Management — Identify dormant implants before they activate
AI-powered vulnerability management with 331,910+ CVEs indexed.
Start Free TrialStay secure. Stay vigilant.
🗡️ KENSAI Security Team
Get a free security scan of your website in 60 seconds
Free Security Scan →