In September 2025, Trend Micro researchers noted a striking decline in new command and control infrastructure activity associated with Lummastealer (which Trend Micro tracks as Water Kurita), as well as a significant reduction in the number of endpoints targeted by this notorious malware.
This sudden drop appears to align with a targeted underground exposure campaign that has put the spotlight on individuals allegedly linked to the Lummastealer operation. Allegedly driven by competitors, this campaign has unveiled personal and operational details of several supposed core members, leading to significant changes in Lummastealer’s infrastructure and communications.
Read more…
Source: Trend Micro
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- ZDI-CAN-25373: Windows shortcut exploit abused as Zero-Day in widespread APT campaigns
March 18, 2025
The Trend Zero Day Initiative threat hunting team identified significant instances of the exploitation of ZDI-CAN-25373 across a variety of campaigns dating back to 2017. The researchers analysis revealed that 11 state-sponsored groups from North Korea, Iran, Russia, and China have employed ZDI-CAN-25373 in operations primarily motivated by cyber espionage and data theft. Trend Micro discovered ...
- Critical Security Incident involving GitHub Action tj-action/changed-files
March 17, 2025
A critical security incident involving the tj-actions/changed-files GitHub Action has been reported. The changed-files action, which allows GitHub repositories to track file changes, has been tampered with to allow the exposure through GitHub Actions build logs of CI/CD secrets, including passwords, tokens, API keys, PII and other sensitive data that have been embedded within software code. ...
- Infamous ransomware hackers reveal new tool to brute-force VPNs
March 17, 2025
The “BRUTED” tool has apparently been in use for years now, according to cybersecurity researchers EclecticIQ, who have been sifting through the recently-leaked Black Basta chat logs, which were leaked and subsequently uploaded to a GPT for easier analysis. Besides being used to analyze the group’s structure, organization, and activities, researchers used it to identify the ...
- StilachiRAT analysis: From system reconnaissance to cryptocurrency theft
March 17, 2025
In November 2024, Microsoft Incident Response researchers uncovered a novel remote access trojan (RAT) they named StilachiRAT that demonstrates sophisticated techniques to evade detection, persist in the target environment, and exfiltrate sensitive data. Analysis of the StilachiRAT’s WWStartupCtrl64.dll module that contains the RAT capabilities revealed the use of various methods to steal information from the target ...
- Exploitation of Apache Tomcat Vulnerability CVE-2025-24813
March 17, 2025
The Apache Software Foundation has released security updates addressing a vulnerability in Apache Tomcat. Tomcat is an open-source web server and servlet container that is used to deploy and serve Java-based web applications. CVE-2025-24813 is ‘deserialisation of untrusted data’ and ‘path equivalence: file.name (Internal dot)’ vulnerability that an attacker could exploit to achieve remote code execution ...
- Research on iOS apps shows widespread exposure of secrets
March 14, 2025
Researchers found that most of the apps available on Apple’s App Store leak at least one hard-coded secret. The researchers looked at 156,000 iOS apps and discovered more than 815,000 hardcoded secrets, including very sensitive secrets like keys to cloud storage, various Application Programming Interfaces (APIs), and even payment processors. The researchers noted how: “The average ...