Malware Activity
Rising Cyber Threats: From Destroyer Ransomware to Stealthy Social Engineering Attacks
Recent cybersecurity developments reveal an alarming escalation in cybercriminal tactics. The Anubis ransomware has evolved beyond traditional encryption and now incorporates a destructive "wiper" component that irreversibly erases victim data, signifying a shift toward sabotage and heightened danger. Concurrently, a sophisticated malware campaign exploits a weakness in Discord's invitation system: expired vanity invite links are re-registered and reused to deceive users into executing malicious PowerShell commands. These attacks deploy advanced payloads such as AsyncRAT and the Skuld Stealer, often hosted on legitimate platforms, which makes detection challenging. The campaign primarily targets users across the US, Europe, and Asia, with a focus on cryptocurrency assets, and demonstrates cybercriminals' increasing technical prowess and malicious intent. These trends underscore the urgent need for organizations and individuals alike to adopt robust cybersecurity practices. CTIX analysts will continue to report on the latest malware strains and attack methodologies.
- BleepingComputer: Anubis Ransomware Adds Wiper to Destroy Files Beyond Recovery
- TheHackerNews: Discord Invite Link Hijacking Delivers AsyncRAT and Skuld Stealer
Threat Actor Activity
Global Authorities Dismantle One of the Dark Web’s Largest Drug Empires, "Archetyp"
International law enforcement agencies have dismantled Archetyp Market, one of the dark web's most prolific and long-running drug marketplaces, in a coordinated operation dubbed "Operation Deep Sentinel" conducted between June 11 and 13, 2024. Launched in 2020, the platform had facilitated over $290 million in Monero (XMR) cryptocurrency transactions, hosted more than 17,000 listings, and served over 600,000 users with drugs ranging from cocaine, MDMA, and amphetamines to highly potent synthetic opioids like fentanyl. The joint action, led by German authorities with support from Europol, Eurojust, and agencies across the Netherlands, Spain, Romania, and Sweden, involved the seizure of critical infrastructure and the arrest of the suspected administrator, a German national known as "ASNT," at his home in Barcelona. Additional arrests included one site moderator and six top vendors in Germany and Sweden. Authorities seized $9 million in assets, including luxury vehicles, cryptocurrency, and narcotics, and deployed around 300 officers to gather digital evidence and map the platform's architecture. The takedown follows earlier operations like May's "Operation RapTor," which dismantled other darknet markets and led to 270 arrests and major seizures worldwide, signaling intensified global efforts to disrupt online narcotics trafficking. CTIX analysts will continue to report on recent threat actor and dark web marketplace activity.
Vulnerabilities
Ransomware Surge: DragonForce, Fog, and LockBit Exploit Signal Escalation and Espionage Shift
Ransomware activity continues to escalate globally, with multiple threats converging. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned that unpatched SimpleHelp RMM software is being exploited by ransomware actors, including DragonForce, to infiltrate customers of a utility billing provider, leveraging flaws like CVE-2024-57727 for double extortion attacks. Organizations are urged to update SimpleHelp, isolate instances from the internet, and notify affected clients. Meanwhile, Symantec has exposed a Fog ransomware attack on an Asian financial firm, notable for its deployment of employee monitoring software (Syteca) and tools linked to Chinese APTs, suggesting potential espionage motives masked by extortion. Fog ransomware has hit over 100 victims since early 2025, using both phishing and system vulnerabilities to infiltrate networks, escalate privileges, and maintain long-term persistence. Concurrently, a leaked admin panel from the LockBit ransomware-as-a-service (RaaS) operation revealed China among its top targets, with affiliates actively exploiting LockBit Black and Green variants across platforms. Despite recent disruptions, LockBit has attracted defectors from RansomHub and is developing version 5.0, continuing to thrive while portraying a misleading image of its internal organization and success. CTIX analysts will continue to report on recently exploited vulnerabilities and the campaigns facilitating them.
© Copyright 2025. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.