Malware Activity
How Hacking Groups Are Evolving to Steal Data and Evade Detection
Recent reports reveal that cybercriminal groups like TA584 and Mustang Panda are becoming more advanced and targeted in their operations. TA584 has increased its activity since 2020, using clever methods such as compromised emails and malicious links to install malware like Tsundere Bot and XWorm, which can spy on systems, move within networks, and prepare for ransomware attacks. Tsundere Bot is particularly tricky because it communicates via the Ethereum blockchain, making it hard to detect. Meanwhile, Mustang Panda, a cyber-espionage group attributed to China by multiple cybersecurity firms, has upgraded its malware tools, especially its CoolClient backdoor, to steal login info, monitor screens, and control infected devices covertly. They often hide their malware inside legitimate software and use cloud services to exfiltrate data, making detection more difficult. Overall, these groups are continuously refining their techniques to spy on governments and steal sensitive information, demonstrating a growing sophistication and determination to stay ahead of security defenses. CTIX analysts will continue to report on the latest malware strains and attack methodologies.
- BleepingComputer: Initial Access Hackers Switch to Tsundere Bot for Ransomware Attacks Article
- BleepingComputer: Chinese Mustang Panda Hackers Deploy Infostealers Via Coolclient Backdoor Article
- TheHackerNews: Mustang Panda Deploys Updated Article
Threat Actor Activity
FBI Seizes RAMP Cybercrime Forum, Disrupting Ransomware Operations
The FBI has seized the RAMP (Russian Anonymous Marketplace) cybercrime forum, a notorious platform for advertising malware and hacking services, notably allowing the promotion of ransomware operations. Both the forum's Tor site and clearnet domain, ramp4u.io, now display a seizure notice attributing the action to the FBI, the US Attorney's Office for the Southern District of Florida, and the Department of Justice's Computer Crime and Intellectual Property Section. The domain's DNS records confirm the FBI's control, providing access to user data that could lead to arrests of threat actors with weak operational security. Launched in July 2021 by a threat actor known as Orange, RAMP served as a marketplace for ransomware gangs after Russian-speaking forums banned such promotions. Orange, identified as Russian national Mikhail Matveev, repurposed Babuk's infrastructure to create RAMP. Despite constant DDoS attacks and a lack of profit, RAMP became popular. Matveev was later indicted by the US Department of Justice for involvement in ransomware operations targeting critical infrastructure. The seizure disrupts a key hub for cybercriminals, forcing them to migrate to other platforms, such as Rehub. This transition can cause chaos, risking operational exposure and infiltration. Law enforcement seizures offer opportunities for network defenders to gain insights into criminal networks and operational failures. Despite the takedown, cybercrime forums are expected to reemerge elsewhere as users scatter to new platforms. CTIX Analysts will continue to provide the most recent news related to threat actor activities and operations.
- Bleeping Computer: RAMP Takedown Article
- The Register: RAMP Takedown Article
- The Record: RAMP Takedown Article
Vulnerabilities
Persistent Exploitation of WinRAR Vulnerability by State-Sponsored and Criminal Threat Actors
Google's Threat Intelligence Group (GTIG) has documented sustained and widespread exploitation of a high-severity WinRAR path traversal vulnerability months after it was patched in WinRAR 7.13 in July 2025, underscoring the enduring risk posed by widely weaponized n-day flaws. The vulnerability, tracked as CVE-2025-8088 (CVSS 8.8), allows arbitrary code execution and is exploited through specially crafted RAR archives that abuse Windows Alternate Data Streams (ADS) to conceal malicious files and write them to arbitrary locations (most commonly the Windows Startup folder) to achieve persistence and automatic execution upon user login. The flaw was initially exploited as a zero-day by the Russia-linked dual-use espionage and cybercrime group RomCom and has since been adopted across disparate operations by multiple Russian state-aligned APTs, including Sandworm, Gamaredon, and Turla, primarily targeting Ukrainian government, military, and technology organizations using tailored geopolitical lures. GTIG has also observed a China-based state-sponsored actor leveraging the same technique to deploy the Poison Ivy RAT, while financially motivated cybercriminals worldwide have rapidly operationalized the exploit to distribute commodity RATs and information stealers such as AsyncRAT and XWorm, targeting sectors including hospitality, travel, online banking, and commercial enterprises in regions like Latin America, Brazil, and Southeast Asia. The scale, longevity, and diversity of exploitation are attributed to a mature underground exploit economy in which sellers such as "zeroplayer" marketed ready-to-use WinRAR exploits. These were marketed alongside high-priced Office, Windows, VPN, and AV-bypass zero-days, lowering technical barriers and enabling both espionage-driven and financially motivated threat actors to continue abusing CVE-2025-8088 long after patch availability. CTIX analysts urge all administrators to ensure they have patched this flaw to prevent future exploitation.
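As an added defender-side example (not code from GTIG or from the cited reports), the check below screens an archive's entry listing for the ingredients described above: ADS stream names, '..' traversal, and a resolved path that leaves the extraction directory or lands in the Startup folder. The sample listing is constructed, and the rule that the stream part resolves as a path beside its host file is an assumption modelling the reported behaviour.

```python
"""Triage of archive entry names for the CVE-2025-8088 pattern: ADS stream names
and '..' traversal that would write a file outside the extraction directory."""
import ntpath, re
STARTUP_MARKER = r"\start menu\programs\startup"   # matched case-insensitively

def split_ads(name):
    """Return (file_part, stream_part); stream_part is None if not an ADS name."""
    idx = name.find(":")
    if idx <= 0 or not name[idx + 1:] or (idx == 1 and name[0].isalpha()):
        return name, None                # no colon, or a 'C:' drive prefix
    return name[:idx], name[idx + 1:]

def has_traversal(path):
    """True if any segment is '..' (Windows and POSIX separators both honoured)."""
    return any(seg == ".." for seg in re.split(r"[\\/]", path))

def resolved_target(extract_root, name):
    """Landing path if the stream part is honoured as a path beside its host file (assumption)."""
    file_part, stream = split_ads(name)
    base_dir = ntpath.join(extract_root, ntpath.dirname(file_part))
    tail = stream if stream is not None else ntpath.basename(file_part)
    return ntpath.normpath(ntpath.join(base_dir, tail))

def classify_entry(extract_root, name):
    """Set of risk flags for one entry; an empty set means nothing suspicious."""
    file_part, stream = split_ads(name)
    flags = {"ads"} if stream is not None else set()
    if has_traversal(file_part) or (stream is not None and has_traversal(stream)):
        flags.add("traversal")
    target = resolved_target(extract_root, name).lower()
    root = ntpath.normpath(extract_root).lower().rstrip("\\") + "\\"
    if not target.startswith(root):
        flags.add("escapes_root")        # also catches absolute entry names
    if STARTUP_MARKER in target:
        flags.add("startup_target")
    return flags

def triage(extract_root, names):
    """[(entry, flags)] for every entry an analyst should inspect before extracting."""
    hits = [(n, classify_entry(extract_root, n)) for n in names]
    return [(n, f) for n, f in hits if f]

# Constructed listing: a benign file, an ADS entry aimed at Startup, a plain traversal.
SAMPLE_ROOT = r"C:\Users\alice\Downloads\extract"
SAMPLE_LISTING = [
    r"brief.pdf",
    r"brief.pdf:..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.lnk",
    r"..\..\Public\notes.txt",
]
```

Run triage(SAMPLE_ROOT, SAMPLE_LISTING) against the listing produced by your archive inspector before extraction; any entry carrying both "ads" and "startup_target" matches the persistence pattern GTIG describes.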
- Security Week: CVE-2025-8088 Article
- The Register: CVE-2025-8088 Article
- The Hacker News: CVE-2025-8088 Article