Cybersecurity Threats and Trends - 04/01/2025

No April Fools here — today’s lineup showcases real-world threats involving repurposed ransomware frameworks, DNS-hardened phishing kits, GPU-hardened loaders, and mobile banking trojans.

1. Hackers Repurpose RansomHub Infrastructure to Deliver EDRKillShifter

Primary Threat: Threat actors have co-opted infrastructure originally used by the RansomHub ransomware group to deliver a stealthy tool dubbed EDRKillShifter, aimed at neutralizing endpoint detection and response (EDR) tools before deploying malware. ESET researchers uncovered this pivot, emphasizing how adversaries are blending legacy ransomware channels with modern anti-EDR techniques.

Risk: Endpoint defense bypass, ransomware deployment, and system-wide compromise.

Detection Tips:

  • Monitor for abnormal process terminations tied to security applications.

  • Flag use of driver or kernel-level utilities attempting to tamper with EDR processes.

  • Implement endpoint protection capable of self-healing and process resiliency.

2. Morphing Meerkat Phishing Kit Uses DNS-over-HTTPS and MX Record Abuse

Primary Threat: A new phishing kit, dubbed Morphing Meerkat, uses DNS-over-HTTPS (DoH) and malicious MX record manipulation to obfuscate communications and dynamically rotate payloads. Infoblox's report reveals that attackers abuse DoH to bypass network defenses and manipulate DNS behavior to redirect victims to credential-harvesting portals, especially those impersonating Microsoft services.

Risk: Credential theft, email compromise, and persistent phishing infrastructure.

Detection Tips:

  • Monitor for unusual DoH traffic to uncommon resolvers.

  • Use DNS inspection tools capable of decrypting and analyzing DoH activity.

  • Detect sudden MX record changes pointing to unauthorized mail servers.
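Two of the detection tips above (DoH to uncommon resolvers, and MX changes pointing at unauthorized mail servers) as a small Python triage script. This is an added example, not code from the Infoblox report or this newsletter; the proxy log fields, the resolver allow-list, the mail-provider allow-list and every hostname are assumptions, and the log records are constructed.

```python
"""Flag DoH use to unapproved resolvers and MX changes to unapproved mail hosts."""

# Assumed proxy log export: (client, method, host, path, content_type).
# Records are constructed for this example; the ?dns= value is RFC 8484's sample query.
PROXY_LOG = [
    ("10.0.1.15", "POST", "dns.corp.example", "/dns-query", "application/dns-message"),
    ("10.0.1.22", "GET", "198.51.100.7", "/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB", ""),
    ("10.0.1.22", "GET", "www.example.com", "/index.html", "text/html"),
    ("10.0.1.40", "POST", "doh.unknown-cdn.example", "/resolve", "application/dns-message"),
]

# Assumed policy: only the corporate resolver may serve DoH to endpoints.
APPROVED_DOH_RESOLVERS = {"dns.corp.example"}

def is_doh_request(method, path, content_type):
    """RFC 8484 shapes: a body of application/dns-message, or GET /dns-query?dns=<base64url>."""
    if content_type == "application/dns-message":
        return True
    return method == "GET" and path.startswith("/dns-query") and "dns=" in path.split("?", 1)[-1]

def find_rogue_doh(log, approved=APPROVED_DOH_RESOLVERS):
    """Return sorted (client, host) pairs that sent DoH to a resolver outside the allow-list."""
    return sorted({(client, host) for client, method, host, path, ctype in log
                   if is_doh_request(method, path, ctype) and host not in approved})

# MX baseline captured at the previous scheduled check (constructed hostnames).
MX_BASELINE = {"corp.example": {"mx1.mailprovider.example", "mx2.mailprovider.example"}}
# Assumed: the organisation's only legitimate mail provider.
APPROVED_MX_SUFFIXES = (".mailprovider.example",)

def mx_changes(baseline, current, approved_suffixes=APPROVED_MX_SUFFIXES):
    """Per domain, list MX hosts that are new since the baseline and not under an approved provider.

    `current` would normally come from a fresh MX lookup; here it is passed in so the check runs offline.
    """
    findings = {}
    for domain, hosts in current.items():
        new_hosts = set(hosts) - baseline.get(domain, set())
        rogue = sorted(h for h in new_hosts if not h.endswith(approved_suffixes))
        if rogue:
            findings[domain] = rogue
    return findings

if __name__ == "__main__":
    print(find_rogue_doh(PROXY_LOG))
    snapshot = {"corp.example": {"mx1.mailprovider.example", "mail.phish-relay.example"}}
    print(mx_changes(MX_BASELINE, snapshot))
```

A legitimate provider migration also shows up as a new MX host, so treat a finding as a ticket to confirm with the mail team rather than an automatic block.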

3. CoffeeLoader Uses GPU-Based Techniques for Obfuscation and Persistence

Primary Threat: Zscaler ThreatLabz has analyzed CoffeeLoader, a stealthy malware loader that utilizes GPU-based execution to obscure its payload and hinder analysis. By leveraging graphics drivers and OpenCL instructions, CoffeeLoader evades traditional CPU-centric behavioral detection and delivers commodity malware or ransomware in later stages.

Risk: Evasion of antivirus and EDR, covert payload delivery, lateral movement.

Detection Tips:

  • Monitor unexpected GPU-intensive processes or OpenCL module loads.

  • Use behavioral anomaly detection that extends beyond CPU-centric models.

  • Isolate systems that initiate unexpected outbound connections post-GPU usage.

Did you know...?

The use of DNS-over-HTTPS (DoH) in phishing campaigns was first documented around 2019, but today’s Morphing Meerkat campaign marks a new level—dynamically controlling payloads and phishing targets using nothing but DNS records. It’s a reminder: if your DNS tools can’t see it, your adversary might be using it.

4. Crocodilus Android Trojan Abuses Accessibility Services for Device Takeover

Primary Threat: A new Android banking trojan named Crocodilus has emerged, exploiting Android accessibility services to execute device takeovers, steal credentials, and initiate unauthorized transactions. ThreatFabric’s research shows it also includes capabilities to intercept SMS-based 2FA codes, making it a serious threat to financial apps.

Risk: Full device compromise, financial fraud, account takeover.

Detection Tips:

  • Block installation of non-store Android apps (sideloading).

  • Monitor for accessibility service abuse in security logs.

  • Encourage users to review and limit app permission requests.

5. Resurge Malware Targets Ivanti VPN Appliances via Known Flaw

Primary Threat: The Resurge malware campaign is exploiting a previously disclosed Ivanti Connect Secure vulnerability to gain unauthorized access to enterprise VPN appliances. CISA’s malware analysis report describes how the malware implants custom shells, enabling persistent access, credential theft, and lateral movement.

Risk: VPN appliance takeover, persistent remote access, lateral movement.

Detection Tips:

  • Patch all Ivanti Connect Secure systems to the latest version immediately.

  • Look for signs of web shell artifacts or unauthorized admin access.

  • Inspect logs for odd HTTP/S requests and credential harvesting attempts.

6. Russian Hackers Exploit CVE-2025-26633 in Global Water Utility Attacks

Primary Threat: Trend Micro’s deep dive reveals how the Water Gamayun campaign, linked to Russian APTs, is exploiting CVE-2025-26633, a flaw in widely deployed infrastructure management platforms. The campaign targets water utilities and civil infrastructure, aiming to disrupt operations and collect sensitive data.

Risk: Critical infrastructure disruption, espionage, supply chain compromise.

Detection Tips:

  • Immediately apply security patches addressing CVE-2025-26633.

  • Implement network segmentation between IT and OT systems.

  • Log and alert on unauthorized access to control system interfaces.

🔎 IN SUMMARY

Today’s threats show just how creative attackers have become—using GPU workloads to hide malware, DoH for stealthy phishing, and even legacy ransomware channels for new payload delivery. Organizations must defend not just the edges, but inside the wire, too.

🚨 Key Takeaways:
✔️ EDRKillShifter, delivered through repurposed RansomHub infrastructure, disables endpoint protection before malware deployment.
✔️ Morphing Meerkat hides phishing payloads using DoH and DNS MX record abuse.
✔️ CoffeeLoader uses GPU-side execution to stealthily drop malware.
✔️ Crocodilus trojan uses accessibility abuse for Android device takeovers.
✔️ Resurge malware leverages Ivanti VPN flaws to maintain persistent network access.
✔️ Russian APTs are exploiting CVE-2025-26633 in attacks against critical infrastructure.

🔧 Immediate Actions:
✔️ Patch Ivanti, infrastructure platforms, and Chrome.
✔️ Review Android device policies, especially around accessibility permissions.
✔️ Deploy DNS inspection capable of handling DoH.
✔️ Use GPU behavior analytics where available for suspicious process detection.

J.W.

💡 Stay alert, stay patched, and remember: defense starts with visibility. 🔍

(P.S. Check out our partners! It goes a long way to support this newsletter!)