
Ankura CTIX FLASH Update - May 23, 2025

Malware Activity

 

Disruption of Lumma Infostealer and Rise of 3AM Ransomware

In a concerted international effort involving agencies such as the FBI and Europol, authorities successfully dismantled the widespread Lumma infostealer malware network by seizing over 2,300 domains associated with its operations. This notorious malware had been systematically harvesting sensitive user data, including login credentials, financial details, and personal information, from victims across various sectors, causing significant concern over data breaches and financial theft. The takedown involved tracing the malware's infrastructure and shutting down key command-and-control servers, effectively crippling its operational capacity and sending a strong message about the power of global collaboration in cybersecurity enforcement. Concurrently, the emergence of the highly sophisticated 3AM ransomware group highlights the evolving landscape of cyber threats. This threat actor employs tactics such as spoofed IT support calls and email bombing campaigns to deceive employees and facilitate rapid deployment of ransomware payloads. Their blend of social engineering and technical exploits underscores the increasing need for organizations to enhance security awareness and deploy comprehensive defense strategies to counter these layered, targeted attacks. CTIX analysts will continue to report on the latest malware strains and attack methodologies.

 

Threat Actor Activity

 

Hazy Hawk Gang Observed Hijacking Trusted Domains by Exploiting DNS CNAME Records

The threat actor known as 'Hazy Hawk' is exploiting forgotten DNS CNAME records pointing to abandoned cloud services, hijacking trusted subdomains from prominent entities such as governments, universities, and Fortune 500 companies to spread scams, fake applications, and malicious ads. According to researchers, Hazy Hawk identifies domains with CNAME records linked to inactive cloud endpoints through passive DNS data validation. They then register new cloud resources using the same names as the abandoned CNAME targets, so the original organization's subdomain now points at infrastructure the attacker controls. Notable hijacked domains include “cdc[.]gov”, “Honeywell[.]com”, “Berkeley[.]edu”, “michelin[.]co[.]uk”, and others belonging to well-known organizations like the Australian Department of Health. The complete list of compromised domains is detailed in the Infoblox report. Once a subdomain is compromised, Hazy Hawk creates hundreds of malicious URLs under it, which appear legitimate in search engines due to the high trust score of the parent domain. Victims who click these URLs are redirected through multiple domains and traffic distribution system (TDS) infrastructure, which profiles them based on device type, IP address, VPN usage, and more to tailor the scam. The sites are used for various scams, including tech support fraud, fake antivirus alerts, bogus streaming or adult sites, and phishing pages. Users who allow browser push notifications continue to receive persistent alerts, generating significant revenue for Hazy Hawk. This method of exploiting CNAME records is not new; another threat actor, 'Savvy Seahorse,' has used similar tactics to redirect users to fake investment platforms. CNAME records are often overlooked, making them susceptible to stealthy abuse. Hazy Hawk's success is largely due to organizations neglecting to delete DNS records after decommissioning cloud services, allowing attackers to replicate resource names without authentication. This vulnerability highlights the importance of maintaining and updating DNS records to prevent exploitation.
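The defensive counterpart to the technique described above is a periodic audit of your own zones for CNAME records whose targets no longer resolve. The script below is an added example, not code from the Ankura briefing or the Infoblox report: it parses CNAME lines from a BIND-style zone export, asks a resolver whether each target still answers, and rates dangling targets on re-registrable cloud suffixes as high severity. The zone contents, the resolver (a lookup into a fixed set, standing in for live DNS), and the suffix list are all constructed for the example.

```python
"""Audit a zone export for dangling CNAME records (added example).

Constructed inputs and an injected resolver keep this runnable offline;
in a real audit the resolver would issue live A/AAAA queries.
"""
from __future__ import annotations

import re
from typing import Callable, Iterable

# Cloud hostname suffixes where a deleted resource name can often be
# re-created by any account. Assumed list for the example, not exhaustive.
TAKEOVER_PRONE_SUFFIXES = (
    ".azurewebsites.net",
    ".cloudapp.azure.com",
    ".trafficmanager.net",
    ".s3.amazonaws.com",
    ".elasticbeanstalk.com",
    ".herokuapp.com",
)

# owner [ttl] IN CNAME target
CNAME_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+CNAME\s+(\S+)\s*$", re.I)


def parse_cname_records(zone_text: str) -> list:
    """Return (owner, target) pairs for every CNAME line in the zone text."""
    records = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()  # strip zone-file comments
        m = CNAME_RE.match(line)
        if m:
            owner = m.group(1).rstrip(".").lower()
            target = m.group(2).rstrip(".").lower()
            records.append((owner, target))
    return records


def find_dangling(records: Iterable, resolves: Callable[[str], bool]) -> list:
    """Flag CNAME targets that no longer resolve.

    resolves(name) must return True when the target currently has an address
    record. A non-resolving target on a re-registrable cloud suffix is the
    pattern the briefing describes: anyone who creates that resource name
    inherits the trusted subdomain.
    """
    findings = []
    for owner, target in records:
        if resolves(target):
            continue
        severity = "high" if target.endswith(TAKEOVER_PRONE_SUFFIXES) else "medium"
        findings.append({"owner": owner, "target": target, "severity": severity})
    return findings


# Constructed zone snippet; every name here is an example, not a real record.
SAMPLE_ZONE = """
$ORIGIN example.org.
www        IN CNAME  example-org.github.io.
oldportal  3600 IN CNAME  legacy-portal.azurewebsites.net.  ; decommissioned
api        IN CNAME  api-prod.example.org.
events     IN CNAME  events-app.herokuapp.com.
"""

# Constructed stand-in for live DNS: only these targets still answer.
LIVE_NAMES = {"example-org.github.io", "api-prod.example.org"}


def demo() -> list:
    """Run the audit over the constructed zone with the constructed resolver."""
    records = parse_cname_records(SAMPLE_ZONE)
    return find_dangling(records, lambda name: name in LIVE_NAMES)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['severity'].upper():6} {f['owner']} -> {f['target']}")
```

Treat every finding as a record to delete (or re-point) rather than a resource to re-create: the fix the briefing calls for is removing CNAMEs when the cloud service behind them is decommissioned, and the medium-severity hits still deserve a look because a target that does not resolve today may become claimable tomorrow.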

 

Vulnerabilities

 

Critical Samlify Authentication Bypass Vulnerability Receives Patch

CVE-2025-47949 is a critical authentication bypass vulnerability in the widely adopted Samlify Node.js library, used to integrate SAML-based Single Sign-On (SSO) and Single Log-Out (SLO) in applications. Affecting all versions prior to v2.10.0, this Signature Wrapping flaw (CVSS score: 9.9/10) allows attackers to inject unsigned malicious assertions into legitimately signed SAML responses. Despite correctly verifying the digital signature on SAML responses, vulnerable versions of Samlify mistakenly process unsigned assertions from unprotected parts of the XML structure, enabling full SSO bypass and privilege escalation without user interaction or elevated access. This can lead to unauthorized access to user accounts, including administrative ones, and compromise of sensitive resources across systems integrated with identity providers like Azure AD or Okta. While no active exploitation has been reported, the vulnerability is easily exploitable with access to a valid signed XML blob. Organizations relying on Samlify (currently downloaded over 200,000 times weekly) are strongly urged to upgrade to v2.10.0, which contains the necessary patch but is only available via npm at the time of writing. CTIX analysts urge any affected readers to follow the advisory guidance and patch their instances immediately to prevent the threat of exploitation.
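The failure the briefing describes is a gap between two steps: the signature over the response is verified correctly, but the assertion that is then consumed is not tied back to what the signature actually covered. The validator below is an added example, not Samlify's code or the v2.10.0 fix; it assumes the XML-DSig cryptographic check has already passed and shows only the structural binding step: consume exactly one assertion, require that its ID (or the enclosing response's ID) is what the signature's Reference points at, and reject any document where a referenced ID sits on some other element or where a Signature is not enveloped in the response or that assertion. Both SAML documents are constructed; the SignatureValue contents are placeholders.

```python
"""Bind the consumed SAML assertion to the signed reference (added example).

Assumes XML-DSig verification already succeeded; this is the structural
check that must follow it. Not Samlify's implementation.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


class AssertionBindingError(ValueError):
    """Raised when the assertion to be consumed is not the signed one."""


def signed_reference_ids(root) -> set:
    """Collect the fragment IDs named by every Signature/SignedInfo/Reference."""
    ids = set()
    for ref in root.iterfind(".//ds:Signature/ds:SignedInfo/ds:Reference", NS):
        uri = ref.get("URI", "")
        if not uri.startswith("#"):
            raise AssertionBindingError(f"unsupported Reference URI {uri!r}")
        ids.add(uri[1:])
    return ids


def select_signed_assertion(response_xml: str) -> str:
    """Return the ID of the one Assertion covered by a signature, else raise."""
    root = ET.fromstring(response_xml)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise AssertionBindingError("root element is not samlp:Response")

    ref_ids = signed_reference_ids(root)
    if not ref_ids:
        raise AssertionBindingError("no signed references found")

    # Only direct children of Response are candidates; exactly one is allowed.
    candidates = root.findall("saml:Assertion", NS)
    if len(candidates) != 1:
        raise AssertionBindingError(f"expected one Assertion, found {len(candidates)}")
    assertion = candidates[0]
    assertion_id = assertion.get("ID")

    # The signature must cover this assertion directly or via the whole Response.
    if not ref_ids & {assertion_id, root.get("ID")}:
        raise AssertionBindingError("Assertion is not covered by a signed reference")

    # A referenced ID on any other element means the signature protects
    # something other than what we are about to consume.
    for el in root.iter():
        if el.get("ID") in ref_ids and el is not root and el is not assertion:
            raise AssertionBindingError("signed reference points at another element")

    # Every Signature must be enveloped in the Response or in this assertion.
    parent = {child: p for p in root.iter() for child in p}
    for sig in root.iterfind(".//ds:Signature", NS):
        if parent[sig] is not root and parent[sig] is not assertion:
            raise AssertionBindingError("Signature not enveloped in Response/Assertion")

    return assertion_id


def check(response_xml: str):
    """Convenience wrapper: (True, assertion_id) or (False, reason)."""
    try:
        return True, select_signed_assertion(response_xml)
    except AssertionBindingError as exc:
        return False, str(exc)


# Constructed well-formed case: the signed assertion is the one consumed.
GOOD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1">
  <saml:Assertion ID="_a1">
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed negative case: the signed assertion sits in Extensions while an
# unsigned assertion occupies the slot a naive parser would consume.
UNBOUND_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp2">
  <samlp:Extensions>
    <saml:Assertion ID="_a1">
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>
        <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
      </ds:Signature>
      <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    </saml:Assertion>
  </samlp:Extensions>
  <saml:Assertion ID="_a2">
    <saml:Subject><saml:NameID>bob</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(check(GOOD_RESPONSE))
    print(check(UNBOUND_RESPONSE))
```

The point of the last two loops is that accepting "the signature verified and an assertion is present" is not enough; the consumer has to prove the element it reads is the element the digest was computed over. Upgrading to the patched library remains the actual remediation; a wrapper like this is useful as a second line of defence or as a regression test against your own SSO integration.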

 


© Copyright 2025. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
