Cybersecurity Threats and Trends - 04/03/2025
Today’s cyber roundup features nation-state espionage campaigns, botnet scanning waves, and evasive malware loaders...
1. China-Linked Earth Alux Deploys Vargeit Espionage Toolkit
Primary Threat: The APT group Earth Alux, linked to Chinese cyber-espionage operations, has been deploying a new modular backdoor framework called Vargeit to target government and critical infrastructure networks across Southeast Asia. Trend Micro’s research reveals that Vargeit is capable of credential harvesting, lateral movement, and file exfiltration, and is built with multiple layers of obfuscation to evade detection.
Risk: Persistent network access, sensitive data theft, and geopolitical espionage.
Detection Tips:
Monitor for anomalous DLL sideloading or unknown executable chains.
Watch for PowerShell abuse and credential dumping via LSASS access.
Apply network segmentation to limit lateral movement opportunities.
2. Nearly 24,000 IPs Probing PAN-OS Vulnerabilities
Primary Threat: A massive spike in scanner activity targeting Palo Alto Networks PAN-OS devices has been observed, with GreyNoise reporting over 24,000 unique IPs participating. While no zero-day has been confirmed, the scale and coordination suggest reconnaissance for future exploitation, possibly leveraging older or misconfigured PAN-OS versions.
Risk: Recon for targeted attacks, firewall compromise, and unauthorized remote access.
Detection Tips:
Monitor PAN-OS devices for unusual or repeated scanning attempts.
Restrict admin access to trusted IP ranges only.
Ensure firmware is updated and unused services are disabled.
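Added example (not from the newsletter or from GreyNoise): one way to turn the "repeated scanning attempts" tip into detection logic, run over constructed deny-log lines in a simplified format that is assumed here rather than the real PAN-OS traffic log schema. It flags single sources that sweep several ports on the device and time windows in which an unusual number of distinct sources hit it, which is what a coordinated scanning wave looks like from the defender's side.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed deny-log lines (simplified, not the real PAN-OS log format):
# "<ISO timestamp> deny src=<ip> dst=<ip> dport=<port>"
SAMPLE_LOG = """\
2025-04-03T10:00:01 deny src=203.0.113.5 dst=198.51.100.10 dport=443
2025-04-03T10:00:02 deny src=203.0.113.5 dst=198.51.100.10 dport=4443
2025-04-03T10:00:03 deny src=203.0.113.5 dst=198.51.100.10 dport=8443
2025-04-03T10:00:04 deny src=203.0.113.5 dst=198.51.100.10 dport=22
2025-04-03T10:00:05 deny src=203.0.113.6 dst=198.51.100.10 dport=443
2025-04-03T10:00:06 deny src=203.0.113.7 dst=198.51.100.10 dport=443
2025-04-03T10:00:07 deny src=203.0.113.8 dst=198.51.100.10 dport=443
2025-04-03T10:00:08 deny src=203.0.113.9 dst=198.51.100.10 dport=443
2025-04-03T10:00:09 deny src=203.0.113.10 dst=198.51.100.10 dport=443
2025-04-03T11:30:00 deny src=192.0.2.44 dst=198.51.100.10 dport=443
"""

LINE_RE = re.compile(r"^(\S+) deny src=(\S+) dst=\S+ dport=(\d+)$")

def parse(log_text):
    """Return (timestamp, source_ip, dest_port) tuples for every well-formed line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), int(m.group(3))))
    return events

def port_sweepers(events, min_ports=3):
    """Sources that probed at least min_ports distinct ports on the device."""
    ports = defaultdict(set)
    for _, src, dport in events:
        ports[src].add(dport)
    return sorted(src for src, p in ports.items() if len(p) >= min_ports)

def scan_waves(events, window=timedelta(minutes=5), min_sources=5):
    """Start times of windows in which unusually many distinct sources hit the device."""
    events = sorted(events)
    waves = []
    for i, (start, _, _) in enumerate(events):
        sources = {src for ts, src, _ in events[i:] if ts - start <= window}
        if len(sources) >= min_sources and (not waves or start - waves[-1][0] > window):
            waves.append((start, len(sources)))
    return waves
```

Thresholds are deliberately low so the constructed sample trips them; tune them against your own baseline before alerting on production logs.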
3. Lucid PhaaS Hits 169 Victims in 88 Countries
Primary Threat: The Lucid phishing-as-a-service (PhaaS) platform has been tied to credential harvesting campaigns affecting 169 targets across 88 countries, according to Catalyst's investigation. Lucid provides an end-to-end phishing infrastructure, including email templates, payload delivery, and panel access, making it easier for low-skilled actors to deploy high-impact phishing campaigns.
Risk: Credential harvesting, account compromise, BEC (Business Email Compromise).
Detection Tips:
Inspect mail logs for suspicious login attempts and redirects to fake portals.
Use email security solutions to filter and sandbox unknown URLs.
Enforce MFA for all externally exposed services.
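Added example (not from the newsletter or from Catalyst's report): a small classifier for the "redirects to fake portals" tip, run over constructed mail-gateway log lines in an assumed "<msgid> url=<url>" format. The brand domains in PROTECTED and every URL are constructed; the check flags hosts that embed a protected brand name, registrable domains within a couple of edits of a protected one (homoglyph or typo lookalikes), and otherwise-unknown URLs that a sandbox should see.

```python
import re
from urllib.parse import urlparse
# Brand domains this organisation's users legitimately sign in to (constructed allowlist).
PROTECTED = {"example-bank.com", "login.example.com"}

# Constructed mail-gateway log lines ("<msgid> url=<url>"); none are real infrastructure.
SAMPLE_LOG = """\
msg1 url=https://login.example.com/account
msg2 url=https://example-bank.com.verify-session.net/login
msg3 url=https://exampIe-bank.com/secure
msg4 url=http://198.51.100.23/login.example.com/
msg5 url=https://www.wikipedia.org/wiki/Phishing
"""

def registrable(host):
    # Crude registrable-domain guess (last two labels); enough for this demonstration.
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character lookalikes (l -> I, 0 -> o)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url):
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    if host in PROTECTED or registrable(host) in {registrable(p) for p in PROTECTED}:
        return "trusted"
    # Brand domain embedded in a foreign host or in the path: classic fake-portal pattern.
    if any(p in host or p in parsed.path.lower() for p in PROTECTED):
        return "brand-in-lookalike"
    # Registrable domain within two edits of a protected brand: homoglyph / typo lookalike.
    if any(edit_distance(registrable(host), registrable(p)) <= 2 for p in PROTECTED):
        return "lookalike"
    return "unknown"

def suspicious_urls(log_text):
    """(msgid, verdict, url) for every logged URL that is not trusted."""
    hits = []
    for line in log_text.splitlines():
        m = re.match(r"^(\S+) url=(\S+)$", line)
        if m and (verdict := classify(m.group(2))) != "trusted":
            hits.append((m.group(1), verdict, m.group(2)))
    return hits
```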
Did you know...?
The first high-profile use of call stack manipulation for evasion was observed in Stuxnet, where custom loaders and indirect API calls were used to avoid detection. Today’s HijackLoader variants reflect how that tactic has matured into a widespread evasion strategy in modern malware campaigns.
4. Over 1,500 PostgreSQL Servers Hijacked for Cryptomining
Primary Threat: More than 1,500 misconfigured PostgreSQL servers have been compromised and repurposed for cryptomining operations, per Wiz.io’s research. Attackers exploit weak credentials and open ports to install crypto miners, consuming resources and leaving systems vulnerable to further exploitation.
Risk: Resource hijacking, service degradation, and potential lateral movement.
Detection Tips:
Disable remote access to PostgreSQL unless necessary.
Enforce strong authentication and network restrictions.
Look for unexpected spikes in CPU usage or suspicious database processes.
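Added example (not from the newsletter or from Wiz's research): detection logic for the two weaknesses the item names, weak credentials and exposed ports, run over constructed PostgreSQL log lines. It assumes a log_line_prefix that records the client host and user (the sample uses the shape produced by '%m [%p] %h %u@%d '), and an allowlist of networks from which connections are expected; it reports hosts with repeated password failures and successful logins from outside that allowlist.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Networks from which PostgreSQL connections are expected (constructed allowlist).
ALLOWED = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed log lines in the shape produced by log_line_prefix = '%m [%p] %h %u@%d '.
SAMPLE_LOG = """\
2025-04-03 12:00:01 UTC [4012] 203.0.113.9 postgres@postgres FATAL:  password authentication failed for user "postgres"
2025-04-03 12:00:02 UTC [4013] 203.0.113.9 postgres@postgres FATAL:  password authentication failed for user "postgres"
2025-04-03 12:00:03 UTC [4014] 203.0.113.9 postgres@postgres FATAL:  password authentication failed for user "postgres"
2025-04-03 12:00:04 UTC [4015] 203.0.113.9 postgres@postgres FATAL:  password authentication failed for user "postgres"
2025-04-03 12:00:05 UTC [4020] 10.0.0.15 app@appdb LOG:  connection authorized: user=app database=appdb
2025-04-03 12:00:09 UTC [4031] 203.0.113.9 postgres@postgres LOG:  connection authorized: user=postgres database=postgres
2025-04-03 12:01:00 UTC [4040] 10.0.0.15 app@appdb FATAL:  password authentication failed for user "app"
"""

# timestamp (3 tokens) [pid] host user@db LEVEL:  message
LINE_RE = re.compile(r"^\S+ \S+ \S+ \[\d+\] (\S+) (\S+)@\S+ (FATAL|LOG):\s+(.*)$")

def parse(log_text):
    """Return (client_host, user, message) for every well-formed line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            host, user, _, msg = m.groups()
            events.append((host, user, msg))
    return events

def brute_force_sources(events, threshold=3):
    """Client hosts with at least `threshold` password failures: weak-credential guessing."""
    fails = Counter(h for h, _, msg in events if msg.startswith("password authentication failed"))
    return sorted(h for h, n in fails.items() if n >= threshold)

def is_allowed(host):
    try:
        return any(ip_address(host) in net for net in ALLOWED)
    except ValueError:          # e.g. "[local]" for a Unix-socket connection
        return True

def unexpected_authorized(events):
    """Successful logins from outside the allowlist: the port is reachable from where it should not be."""
    return [(h, u) for h, u, msg in events
            if msg.startswith("connection authorized") and not is_allowed(h)]
```

A successful login that follows a burst of failures from the same host (as in the sample) is the combination worth paging on.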
5. New HijackLoader Variant Uses Call Stack Manipulation to Evade Detection
Primary Threat: Zscaler ThreatLabz has identified a new variant of HijackLoader that manipulates the call stack and return addresses to bypass behavioral analysis and evade endpoint security. The malware uses indirect system call execution, API unhooking, and shellcode injection to remain under the radar.
Risk: Defense evasion, malware delivery, stealth persistence.
Detection Tips:
Monitor for unusual call stack behavior or DLL injection activity.
Deploy EDR/XDR capable of detecting memory-based attacks.
Flag binaries attempting unusual process spawning or PE injections.
6. FIN7 Deploys Anubis Backdoor to Hijack Enterprise Networks
Primary Threat: FIN7, the financially motivated threat group behind numerous supply chain and ransomware attacks, is using a newly enhanced backdoor dubbed Anubis. According to PRODAFT's detailed analysis, this modular backdoor provides remote access, reconnaissance, and privilege escalation, and is being delivered via spear-phishing and living-off-the-land (LOTL) techniques.
Risk: Data exfiltration, lateral movement, ransomware staging.
Detection Tips:
Detect PowerShell and WMI activity from unexpected user accounts.
Monitor for C2 callbacks, especially using encrypted or proxy-tunneled channels.
Audit privilege elevation events and new service installations.
IN SUMMARY:
From PhaaS operations and malware loaders using call stack manipulation, to geopolitical espionage and cloud infrastructure abuse, today’s threats demand a layered defense approach with constant visibility across endpoints, servers, and identities.
🚨 Key Takeaways:
✔️ Earth Alux targets Southeast Asia using the stealthy Vargeit toolkit.
✔️ 24,000 IPs are probing PAN-OS devices — update and lock down your perimeter.
✔️ The Lucid PhaaS platform makes phishing accessible to low-tier actors.
✔️ Cryptominers are hijacking misconfigured PostgreSQL servers.
✔️ HijackLoader now dodges detection using call stack manipulation.
✔️ FIN7’s Anubis backdoor is the group’s latest tool for enterprise compromise.
🔎 Immediate Actions:
✔️ Patch and lock down PAN-OS firewalls.
✔️ Harden and monitor PostgreSQL deployments.
✔️ Flag stack manipulation and DLL injection behavior at the endpoint level.
✔️ Audit users and services for anomalous privilege use or LOTL behaviors.
💡 Stay sharp, patch promptly, and keep logs flowing — it’s a hostile cyber landscape out there. 💡
J.W.
(P.S. Check out our partners! It goes a long way to support this newsletter!)