Threat Briefing — Jan 10, 2025

Weekly Threat Briefing - Jan 6 - Jan 10

TLP: CLEAR - This information may be shared publicly

eSentire's Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.

Noteworthy News

New Banshee Stealer Version

Bottom Line: Security researchers have identified a new version of the macOS information stealer malware Banshee Stealer. macOS devices have the reputation of being secure, but as the market share of macOS devices has increased, so has the number of malware families that target the system.

Researchers from Check Point have identified a new version of Banshee Stealer, a known macOS-specific malware. Banshee Stealer was first identified in mid-2024, when it was offered for sale via the Malware-as-a-Service (MaaS) model. Threat actors could purchase access to Banshee Stealer for $3,000. The MaaS offering was shut down in November 2024, following the leak of the malware’s source code. Despite Banshee Stealer no longer being for sale, it is still being used in real-world attacks.

The new version of Banshee Stealer was created in September of 2024 and went fully undetected until November. There are two notable updates. The first is the adoption of “a string encryption algorithm from Apple’s own XProtect antivirus engine”. String encryption replaced the plain-text strings of the previous version, and this change is credited with the malware going undetected for roughly two months; detections of the new version only emerged following the source code leak for the previous version. The second notable update is the removal of the Russian language check. Previously, this check would have prevented the malware from executing on devices with Russian language settings; with the check removed, threat actors are able to target Russian device users.

In recently observed campaigns, Banshee Stealer has been distributed through malicious GitHub repos as well as through impersonated downloads of popular software, including Chrome, TradingView, Zegent, Parallels, Solara, CryptoNews, MediaKIT, and Telegram. In at least one recent campaign, users attempting to download Telegram from non-reputable sources received malware instead; macOS users were delivered Banshee Stealer, while Windows users received Lumma Stealer.

eSentire Threat Intelligence Analysis:

There is a misconception that macOS devices are not at risk of malware infections. While Apple products do include notable security features, the widespread adoption of macOS by both home users and organizations has resulted in threat actors developing macOS-specific malware. No matter what operating system is in use, it is critical that organizations ensure security monitoring and logging is deployed to enable prevention, detection, and investigation of potential threats.

The recent updates to Banshee Stealer enabled the malware to go undetected for a period of months. Now that technical details on the threat have been released, threat actors may pivot to developing a new variant in an attempt to limit detections. It remains unclear if the actors behind Banshee Stealer are carrying out campaigns themselves, following the shutdown of their service, or if they have moved to a private market, where only verified buyers can purchase the malware. There is a high probability that the original version of Banshee Stealer will still be used by a variety of threat actors due to the leak of source code.

In response to the release of this information, the eSentire Threat Intelligence team is performing indicator-based threat hunts and has added known malicious IP addresses to the eSentire Global Block List.

CVE-2025-0282: Ivanti Connect Secure Zero-Day Exploited

Bottom Line: The exploitation of CVE-2025-0282 and the subsequent post-exploitation activities highlight the advanced capabilities of the threat actors involved in the attack. The involvement of a China-nexus threat group underscores the severity of the threat. Organizations are strongly encouraged to apply the recommended actions shared by Ivanti.

On January 8th, Ivanti disclosed a critical zero-day vulnerability affecting Connect Secure, Policy Secure, and Neurons for ZTA gateways. CVE-2025-0282 (CVSS: 9.0) is a stack-based buffer overflow vulnerability that allows unauthenticated remote attackers to execute arbitrary code. As per the advisory, CVE-2025-0282 has been exploited in the wild, affecting a limited number of Connect Secure devices. Ivanti Policy Secure and Neurons for ZTA were not known to have been exploited in the wild at the time of disclosure.

The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-0282 to its Known Exploited Vulnerabilities catalog. In a separate report published by Google, the organization identified the zero-day exploitation of CVE-2025-0282 occurring in the wild since mid-December 2024. This exploitation has led to the deployment of malware, system compromise, and potential intrusions into networks. The primary threat group responsible for these attacks is believed to be UNC5337, a China-nexus threat group. Mandiant suspects that UNC5337 is part of a larger group, UNC5221, which had previously exploited Ivanti Connect Secure zero-days.

The attackers have deployed multiple malware families in their campaigns, including the SPAWN ecosystem, which consists of SPAWNANT, SPAWNMOLE, and SPAWNSNAIL. Additionally, DRYHOOK and PHASEJAM have been identified as newer malware families used in these attacks. The attackers performed reconnaissance by detecting the version of the vulnerable VPN appliance using the Host Checker Launcher and by sending a series of sequential requests. The exploitation process involved disabling SELinux and syslog forwarding, allowing attackers to deploy web shells and malicious binaries on the compromised systems. In some cases, the attackers also removed logs to cause difficulty in forensic investigations.

Following successful exploitation, the attackers deployed PHASEJAM malware, which modified critical ICS components to block upgrades and insert backdoors into the system. The SPAWNANT malware utilized its supporting components from the SPAWN family to ensure persistence across software upgrades, allowing the attackers to maintain their foothold on the compromised systems. Attackers also carried out lateral movement within networks, using LDAP queries and gathering information about Active Directory (AD) to expand their access. Data exfiltration activities were observed, with attackers stealing cached database credentials, API keys, and session data, which could be used for further attacks or data breaches. The DRYHOOK malware was used by the attackers in the post-exploitation phase to steal credentials.
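The attackers' disabling of syslog forwarding and deletion of logs, described above, leaves defenders with an absence of evidence rather than evidence. One way to turn that absence into an alert is a log-gap detector on the collector side: every appliance that is expected to report is flagged when its most recent message is older than a threshold, or when it has never reported at all. The example below is added here and is not eSentire, Ivanti or Mandiant code; the host names, timestamps and the ten-minute threshold are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample of (timestamp, source host) pairs as a syslog collector
# might index them. Gateway "ics-gw-01" stops reporting after 02:10 while
# "ics-gw-02" keeps logging every five minutes. Hypothetical hosts, not real data.
SAMPLE_EVENTS = [
    ("2025-01-08T02:00:00", "ics-gw-01"),
    ("2025-01-08T02:00:00", "ics-gw-02"),
    ("2025-01-08T02:05:00", "ics-gw-01"),
    ("2025-01-08T02:05:00", "ics-gw-02"),
    ("2025-01-08T02:10:00", "ics-gw-01"),
    ("2025-01-08T02:10:00", "ics-gw-02"),
    ("2025-01-08T02:15:00", "ics-gw-02"),
    ("2025-01-08T02:20:00", "ics-gw-02"),
    ("2025-01-08T02:25:00", "ics-gw-02"),
    ("2025-01-08T02:30:00", "ics-gw-02"),
]

def last_seen_by_host(events):
    """Return the most recent timestamp observed for each source host."""
    last = {}
    for ts, host in events:
        t = datetime.fromisoformat(ts)
        if host not in last or t > last[host]:
            last[host] = t
    return last

def silent_hosts(events, now_iso, expected_hosts=(), max_gap_minutes=10):
    """Hosts whose newest log line is older than max_gap_minutes at time now_iso.

    Hosts listed in expected_hosts that never appear in the events are reported
    as well: an appliance that was switched off syslog forwarding before the
    collector saw its first message looks exactly like one that never existed.
    """
    now = datetime.fromisoformat(now_iso)
    gap = timedelta(minutes=max_gap_minutes)
    last = last_seen_by_host(events)
    quiet = {h for h, t in last.items() if now - t > gap}
    quiet.update(h for h in expected_hosts if h not in last)
    return sorted(quiet)

if __name__ == "__main__":
    print(silent_hosts(SAMPLE_EVENTS, "2025-01-08T02:30:00"))  # ['ics-gw-01']
```

Run it periodically against the collector index; the threshold should be a small multiple of the appliance's normal logging interval so a genuine outage and a silenced forwarder both surface quickly.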

eSentire Threat Intelligence Analysis:

Given the widespread use and critical role of Ivanti products within organizations, vulnerabilities affecting these products present high-value targets for attackers. With the confirmed exploitation of CVE-2025-0282, it is important for organizations to promptly apply the appropriate security patches.

Ivanti has released patches for Connect Secure (version 22.7R2.5). Patches for Policy Secure and Neurons for ZTA are expected by January 21st, 2025. In the case of Ivanti Policy Secure and Neurons for ZTA, where security patches are not available, Endpoint Detection and Response (EDR) solutions can act as a temporary mitigation. While exploitation will not be prevented, follow-on malicious activity will be identifiable. In addition to patching, Ivanti recommends using the Integrity Checker Tool (ICT) to assess the system for any signs of compromise. It is also essential to monitor network traffic for unusual or suspicious activities to detect potential exploitation attempts. Lastly, it is advised to follow the mitigation strategies provided by CISA.
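The patch guidance above reduces, for an asset owner, to a version comparison per product: Connect Secure devices below 22.7R2.5 need the patch, while Policy Secure and Neurons for ZTA have no fixed version yet and fall into the mitigate-and-monitor bucket. The example below is added here and is not eSentire's MVS plugin or Ivanti code; it assumes version strings follow the MAJOR.MINOR R RELEASE.BUILD shape seen in 22.7R2.5, and the inventory host names and versions are constructed.

```python
import re

# Assumed grammar for Ivanti-style version strings such as "22.7R2.5" or
# "9.1R18.9"; the trailing build number is optional. This is an assumption
# about the format shown in the advisory, not an Ivanti-published spec.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)R(\d+)(?:\.(\d+))?$")

def parse_version(text):
    """Turn '22.7R2.5' into a comparable tuple (22, 7, 2, 5); missing build -> 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, release, build = m.groups()
    return (int(major), int(minor), int(release), int(build or 0))

# Fixed version per product as stated in the briefing; products with no
# patch available at time of writing are deliberately absent.
PATCHED = {"Connect Secure": parse_version("22.7R2.5")}

def needs_patch(product, version):
    """True if the device runs below the fixed version, False if it is at or
    above it, and None when no fixed version is known for the product (Policy
    Secure and Neurons for ZTA here), which callers should treat as 'mitigate'."""
    fixed = PATCHED.get(product)
    if fixed is None:
        return None
    return parse_version(version) < fixed

# Constructed inventory: hypothetical hosts, products and versions.
INVENTORY = [
    ("vpn-a", "Connect Secure", "22.7R2.4"),
    ("vpn-b", "Connect Secure", "22.7R2.5"),
    ("vpn-c", "Connect Secure", "22.6R2.3"),
    ("nac-a", "Policy Secure", "22.7R1.2"),
]

def triage(inventory):
    """Split an inventory into (patch_now, already_patched, no_patch_available)."""
    patch_now, patched, no_fix = [], [], []
    for host, product, version in inventory:
        state = needs_patch(product, version)
        if state is None:
            no_fix.append(host)
        elif state:
            patch_now.append(host)
        else:
            patched.append(host)
    return patch_now, patched, no_fix
```

Devices in the no-fix bucket are where the EDR coverage and ICT checks described above matter most until the January 21st patches land.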

In addition to CVE-2025-0282, Ivanti disclosed a second vulnerability tracked as CVE-2025-0283 (CVSS: 7.0). It is a stack-based buffer overflow that allows local authenticated attackers to escalate privileges on the device. There is currently no indication of real-world attacks involving CVE-2025-0283. At the time of writing, there are no public Proof-of-Concept (PoC) exploits for CVE-2025-0282 or CVE-2025-0283. The eSentire Threat Intelligence team assesses that the release of PoC exploit code would lead to an increase in real-world attacks.

In response to confirmation of real-world exploitation of CVE-2025-0282, eSentire released an advisory on the topic on January 9th, 2025. eSentire Managed Vulnerability Service (MVS) has plugins in place to identify vulnerable devices. eSentire’s Tactical Threat Response (TTR) team is crafting new detections to identify exploitation attempts. Additionally, the eSentire Threat Intelligence team is actively tracking this topic for additional details and detection opportunities.

Gravy Analytics Breach

Bottom Line: If confirmed as accurate, this breach would be the largest compromise of location related data from a cyberattack to date. There is the potential that this data may be de-anonymized by combining it with Open-Source Intelligence (OSINT) and past breaches.

On January 4th, via dark web forums, threat actors claimed to have breached the U.S.-based company Gravy Analytics and stolen large amounts of data. Gravy Analytics is a location data broker known for purchasing location data from a variety of companies and selling smartphone location information through its subsidiary Venntel. The company boasts of high-profile customers including the Department of Homeland Security (DHS), the FBI, and the IRS.

Details relating to this incident are currently minimal, as Gravy Analytics has not released any statements; the company’s website remains unreachable at the time of writing. According to the threat actor post, the group was able to gain root access to company servers, take control of domains, and exfiltrate data from Amazon S3 storage buckets. The threat actors claim to have stolen 17TB of data including customer lists, internal intelligence, GPS coordinates/timestamps, movement classifications, and information on government contractors. Samples of stolen data have been released in an attempt to prove the validity of breach claims.

The threat actors gave Gravy Analytics one day to respond to an extortion demand before the data would be either leaked publicly or sold online. While this deadline has now passed, it remains unclear whether Gravy Analytics has engaged with the threat actors, or whether the stolen data is for sale.

eSentire Threat Intelligence Analysis:

This breach is especially concerning due to the inclusion of location-related data. Depending on the information included, it may be possible to de-anonymize specific users: regularly visited locations and repeating movement patterns could be used to identify specific individuals’ locations. While location data may not be an easily monetizable commodity for threat actors beyond the initial seller, it could be used to carry out more sophisticated social engineering campaigns by adding location context to the lure. Concerningly, this information is likely valuable to state-sponsored APTs known for targeting high-profile individuals or government employees.

This is not the first time that Gravy Analytics has received negative press attention. In December 2024, the Federal Trade Commission (FTC) sued the company “for unlawfully tracking and selling sensitive location data from users, including selling data about consumers’ visits to health-related locations and places of worship”.

About the threat briefings:

The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.

eSentire Threat Response Unit (TRU)

Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers, that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.