Threat Briefing — Feb 21, 2025

Weekly Threat Briefing - Feb 17 - Feb 21

TLP: CLEAR - This information may be shared publicly

eSentire's Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.

Noteworthy News

#StopRansomware: Ghost Ransomware

Bottom Line: The FBI, CISA, and MS-ISAC have released a joint advisory on Ghost ransomware. The report details updated Tactics, Techniques, and Procedures (TTPs) and Indicators of Compromise (IoCs) associated with Ghost ransomware actors, based on recent investigations.

On February 19th, the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) issued a joint advisory detailing the latest developments in Ghost ransomware activity. The advisory includes updated Indicators of Compromise (IoCs) and Tactics, Techniques, and Procedures (TTPs) identified in investigations conducted in January 2025, along with mitigations intended to reduce the likelihood of Ghost ransomware incidents.

Ghost (aka Cring, Crypt3r, Phantom, Strike, Hello, Wickrme, HsHarada, and Rapture) ransomware, operated by threat actors based in China, began targeting outdated and unsecured internet-facing services in early 2021. The operation has impacted organizations in more than 70 countries, including China, spanning critical infrastructure, information technology, manufacturing, educational institutions, and numerous small and medium-sized firms.

Ghost operators gain initial access by exploiting known, unpatched vulnerabilities in internet-facing assets. The vulnerabilities commonly leveraged are CVE-2018-13379 in Fortinet FortiOS devices, CVE-2019-0604 in Microsoft SharePoint, CVE-2010-2861 and CVE-2009-3960 in Adobe ColdFusion, and CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207 in Microsoft Exchange. After exploiting a vulnerable server, the threat actors uploaded a malicious web shell to it and used the web shell to download a Cobalt Strike beacon.

For persistence, the attackers created new local and domain accounts and changed the passwords of existing ones. For privilege escalation, they used Cobalt Strike's token theft functions to obtain the privileges of the SYSTEM account, along with open-source tools such as SharpZeroLogon, SharpGPPPass, BadPotato, and GodPotato. Hashdump and Mimikatz were used to dump credentials from victim devices.

Using Cobalt Strike, the threat actors identified the antivirus service running on a device and disabled it to evade detection. Cobalt Strike was also used for domain account discovery, alongside open-source tools such as SharpShares for network share discovery and Ladon 911 and SharpNBTScan for remote system discovery. With this elevated access, Ghost operators moved laterally by using the Windows Management Instrumentation Command-Line (WMIC) utility to run PowerShell commands on other victim devices. Command-and-Control (C2) communication was handled through Cobalt Strike, and the actors relied heavily on the beacon throughout the attack lifecycle.

Encryption on victim devices was carried out with payload executables such as Cring.exe, Ghost.exe, ElysiumO.exe, and Locker.exe, and different payloads appended different file extensions to encrypted files. The ransomware payloads cleared Windows Event Logs and deleted volume shadow copies. Ghost threat actors did not prioritize data exfiltration.
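Several of the behaviours above (WMIC launching PowerShell on a remote host, shadow copy deletion, event log clearing, new local accounts) are visible in process-creation telemetry regardless of which payload name or extension the actors rotate to. The following is an added example written for this briefing, not code from the advisory or from eSentire: a small rule set run over constructed Sysmon-style process-creation events serialised as JSON lines. The events, host names, and command lines are invented for the example; the payload-name list is the one quoted in the advisory and is deliberately treated as a weak indicator.

```python
import json
import re

# Constructed Sysmon-style process-creation events (EventID 1 fields reduced
# to what the rules need), one JSON object per line. Invented for this
# example; these are not IoCs from the advisory.
SAMPLE_LOG = r"""
{"ts":"2025-01-14T02:11:09Z","host":"WS-07","user":"CORP\\svc_backup","image":"C:\\Windows\\System32\\wbem\\WMIC.exe","cmdline":"wmic /node:FS-01 process call create \"powershell -nop -w hidden -enc SQBFAFgA\""}
{"ts":"2025-01-14T02:11:40Z","host":"FS-01","user":"NT AUTHORITY\\SYSTEM","image":"C:\\Windows\\System32\\vssadmin.exe","cmdline":"vssadmin delete shadows /all /quiet"}
{"ts":"2025-01-14T02:11:41Z","host":"FS-01","user":"NT AUTHORITY\\SYSTEM","image":"C:\\Windows\\System32\\wevtutil.exe","cmdline":"wevtutil cl Security"}
{"ts":"2025-01-14T02:12:02Z","host":"FS-01","user":"NT AUTHORITY\\SYSTEM","image":"C:\\Windows\\System32\\net.exe","cmdline":"net user support_386 P@ssw0rd! /add"}
{"ts":"2025-01-14T02:13:15Z","host":"FS-01","user":"NT AUTHORITY\\SYSTEM","image":"C:\\Users\\Public\\Locker.exe","cmdline":"Locker.exe"}
{"ts":"2025-01-14T09:30:00Z","host":"WS-12","user":"CORP\\alice","image":"C:\\Windows\\System32\\wevtutil.exe","cmdline":"wevtutil qe Application /c:5"}
{"ts":"2025-01-14T09:31:00Z","host":"WS-12","user":"CORP\\alice","image":"C:\\Program Files\\Backup\\agent.exe","cmdline":"agent.exe --snapshot"}
"""

# Each rule: (rule id, behaviour from the advisory, command-line pattern).
RULES = [
    ("wmic_remote_powershell",
     "lateral movement: WMIC remote process creation launching PowerShell",
     re.compile(r"\bwmic(\.exe)?\b.*/node:.*process\s+call\s+create.*powershell", re.I)),
    ("shadow_copy_deletion",
     "impact: volume shadow copies deleted ahead of encryption",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("eventlog_clear",
     "defence evasion: Windows event log cleared",
     re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("local_account_created",
     "persistence: local account added with net user /add",
     re.compile(r"\bnet1?(\.exe)?\s+user\s+\S+(\s+\S+)?\s+/add\b", re.I)),
]

# Payload names quoted in the advisory. The actors rename payloads between
# intrusions, so this only adds confidence when it co-occurs with the
# behavioural rules above; never alert on it alone.
KNOWN_PAYLOAD_NAMES = {"cring.exe", "ghost.exe", "elysiumo.exe", "locker.exe"}


def parse_events(log: str) -> list[dict]:
    """One JSON object per non-empty line; malformed lines are skipped, not fatal."""
    events = []
    for line in log.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def evaluate(event: dict) -> list[dict]:
    """Return one finding per rule the event trips."""
    findings = []
    base = {"host": event.get("host"), "ts": event.get("ts"), "user": event.get("user")}
    cmdline = event.get("cmdline", "")
    for rule_id, description, pattern in RULES:
        if pattern.search(cmdline):
            findings.append({"rule": rule_id, "description": description, **base})
    # Compare only the file name, so a payload dropped anywhere on disk matches.
    image_name = event.get("image", "").rsplit("\\", 1)[-1].lower()
    if image_name in KNOWN_PAYLOAD_NAMES:
        findings.append({"rule": "known_payload_name",
                         "description": f"weak indicator: payload name {image_name} listed in the advisory",
                         **base})
    return findings


def scan(log: str) -> list[dict]:
    return [f for event in parse_events(log) for f in evaluate(event)]


def triage(findings: list[dict], min_rules: int = 2) -> dict[str, list[str]]:
    """Escalate hosts where several distinct behaviours fire. A single hit
    (an admin clearing a log, a backup agent touching shadow copies) is common
    enough that it should be reviewed rather than paged on."""
    per_host: dict[str, set[str]] = {}
    for f in findings:
        per_host.setdefault(f["host"], set()).add(f["rule"])
    return {host: sorted(rules) for host, rules in per_host.items()
            if len(rules) >= min_rules}


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f"{f['ts']} {f['host']:6} {f['rule']:24} {f['description']}")
    print("escalate:", triage(results))
```

On the sample input, WS-07 trips only the WMIC rule and WS-12 trips nothing (a `wevtutil qe` query and a backup agent are benign), while FS-01 trips four distinct rules within two minutes and is the host to escalate. In production the same rules belong in the EDR or SIEM query language, with the account-creation and shadow-copy rules tuned against known administrative jobs.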

From the FBI’s investigation it was observed that Ghost actors did not focus on any particular industry. When encountering a secure network, they would move on to a new target rather than attempting to find ways to infiltrate the network.

eSentire Threat Intelligence Analysis:

The indiscriminate targeting by Ghost operators caused significant disruptions to organizations worldwide. The widespread impact of Ghost ransomware underscores the importance of securing networks against known vulnerabilities and implementing robust network and endpoint security solutions. It is crucial for organizations to maintain a strong security posture to prevent Ghost ransomware infections and other similar cyberattacks.

As the advisory notes, Ghost threat actors exploit known vulnerabilities in edge devices. These devices sit at the boundary of an organization's network, and unpatched flaws in them put the entire network at risk of compromise. Alongside rigorous vulnerability management, application control matters: Ghost operators rely mainly on open-source tooling for privilege escalation and for network and device discovery, so restricting execution to authorized applications removes much of their toolkit. Detecting the misuse of commercial tooling such as Cobalt Strike is equally critical. The threat actors avoided attribution for a long period by rotating payload executables, encrypted-file extensions, and ransom email addresses, which makes it difficult for investigators to link activity to its true perpetrators and leads to misattribution. Detection should therefore be built on the behaviours described above rather than on payload names or file extensions alone.

eSentire Managed Vulnerability Service (MVS) has plugins in place to identify devices vulnerable to the flaws mentioned in the report. eSentire MDR for Endpoint and MDR for Network have detections in place to identify activities associated with Ghost ransomware. eSentire's Threat Intelligence team is conducting threat hunts for the available IoCs.

Darcula-suite 3.0 Phishing Kit

Bottom Line: A new phishing kit, tracked as Darcula Phishing Kit (V3) allows attackers to spoof any brand's website. With advanced customization features and anti-detection tools, the phishing kit can significantly enhance the scope and effectiveness of phishing attacks.

On February 20th, Netcraft researchers released a report on the new version of the Darcula Phishing Kit (V3), which allows users to spoof any brand's website. The new version of the platform enables criminals to create phishing campaigns with minimal technical skill. Since March 2024, Netcraft has detected and blocked over 90,000 new Darcula phishing domains and nearly 31,000 IP addresses.

The core innovation in Darcula-suite is its DIY phishing kit generation system. Using a simple user interface, a fraudster can generate a phishing kit for any brand. To build a Darcula-suite phishing kit, an attacker starts by entering the legitimate brand's URL into the platform, which automatically scrapes the HTML and assets needed for the phishing page using a Puppeteer-style browser automation tool. Next, the attacker customizes the page by injecting phishing content, such as fake login forms or payment details, and selecting from various scam templates designed to capture sensitive data. They then restyle the form to closely match the brand's design, making the phishing attempt more convincing. Afterward, the platform generates separate pages for the initial lure, address input forms, card details, and Two-Factor Authentication (2FA) code entry. Finally, the phishing kit is packaged as a .cat-page bundle, ready for deployment via the admin panel.

The Darcula-suite comes equipped with improved admin dashboards. These dashboards allow attackers to monitor campaign success, manage stolen data, and track stolen credit card details. Scammers can customize phishing forms to steal credentials, payment details, and Multi-Factor Authentication (MFA) codes. The platform's Telegram integration provides real-time alerts when victims submit data. The kit uses IP blocking to limit access from cybersecurity companies and user-agent blocking to stop automated scrapers, such as Google's crawlers and other monitoring tools. Darcula-suite offers pre-made templates, like fake password reset pages, credit card payment forms, and 2FA code entry prompts. The tool can also convert stolen credit card data into virtual card images that can then be added to digital payment apps.

eSentire Threat Intelligence Analysis:

Netcraft expects Darcula-suite to officially launch in mid-February 2025, with criminals already testing the platform in advance. The ease of use, scalability, and built-in security evasion techniques in Darcula V3 make it a particularly dangerous tool within the phishing ecosystem. The new platform allows criminals to create phishing kits targeting any brand, even those not previously included in Darcula’s library. This development will likely result in a surge of phishing attacks, impacting organizations that may not have been targeted before.

Darcula-suite allows attackers to steal MFA codes, making it easier to compromise accounts that rely on SMS or app-based 2FA. The emergence of phishing kits like Tycoon 2FA and Sneaky 2FA also demonstrates a broader trend in phishing attacks, where fraudsters actively seek to bypass security layers designed to protect users. To mitigate this risk, users should avoid clicking on links or opening attachments from unknown or unexpected senders and always verify the sender’s identity before taking action.

Phishing attempts may now appear more convincing due to the use of generative AI, but classic red flags like urgent messaging or offers that seem overly attractive should still raise concern. Organizations should ensure employees are aware of common phishing tactics and implement a Phishing and Security Awareness Training (PSAT) program that educates and informs employees on emerging threats. Additionally, Darcula-suite gives fraudsters the ability to use and sell stolen financial information by creating images of the victim's credit card, which can be added to digital wallets or sold on the black market. Users are advised to frequently review their bank and credit card statements for any unauthorized transactions and to enable MFA wherever possible.

eSentire MDR for Log has detections in place to identify risky sign-on activity common in phishing campaigns. eSentire MDR for Network detects activity associated with the Darcula phishing kit.

Russia-Aligned Threat Actors Actively Targeting Signal Messenger

Bottom Line: Russian-aligned threat actors are exploiting Signal Messenger's linked devices feature to intercept sensitive communications. Device linking is a legitimate feature on multiple platforms but can create risk as threat actor devices may be added for stealthy surveillance.

Researchers from Google’s Threat Intelligence Group (GTIG) have shared information on recent Russian state-sponsored APT activity that is targeting Signal Messenger accounts associated with individuals of interest to Russian intelligence services. Signal is a privacy focused open-source encrypted messaging service used for messaging, voice calls, and file sharing. The use of Signal to share sensitive communications has made it a high-value target for espionage focused threat actors.

The “most novel and widely used technique” observed in these attacks involves exploiting the legitimate Linked Devices feature. This feature allows Signal users to connect multiple devices to a single account. In observed attacks, threat actors established initial contact via phishing emails. The emails include a QR code posed as a Signal resource, such as a security alert, a group invite, or legitimate device pairing instructions. Scanning the QR code links the victim's account to a threat actor-controlled device. This connection does not grant access to previously sent messages, but it allows real-time interception of all future messages.

GTIG has identified three Russia-associated APT groups employing similar tactics: UNC5792, UNC4221, and APT44 (Sandworm, Seashell Blizzard). UNC4221 went so far as to develop a custom Signal phishing kit to enable Signal account compromise at scale. To date, the reported activity has primarily impacted government and military communications related to the ongoing invasion of Ukraine.

eSentire Threat Intelligence Analysis:

While Google has only identified three Russian groups currently targeting Signal Messenger via device linking, it is probable that the technique has been shared with other threat actors. According to this report, “emerging operational interest has likely been sparked by wartime demands to gain access to sensitive government and military communications in the context of Russia's re-invasion of Ukraine … [but] will grow in prevalence in the near-term and proliferate to additional threat actors and regions outside the Ukrainian theater of war”. The publication of this tactic is likely to attract other threat actors, including financially motivated groups. Concerningly, this threat extends beyond Signal; other similar messaging applications that include device linking, may be targeted. According to Google, WhatsApp and Telegram have already been targeted in a similar fashion.

The Signal team worked closely with Google during the investigation. In response to Google's findings, Signal has released new Android and iOS versions that include hardened security features to help defend against similar attacks. Signal users are strongly recommended to update to the latest release. Additionally, organizations should review any supported chat applications to ensure that safeguards for device linking are in place, including periodic review of the devices linked to each account.

Mobile device security is a critical part of modern-day cybersecurity. Sophisticated threat actors may choose to specifically target mobile devices and applications, in an attempt to bypass other security features. It is important for users to understand the potential risks of using personal devices for work related tasks. If employees are using personal devices, there is an increased risk that the compromise of these devices will lead to additional attacks against corporate environments. This has previously been observed in cases where users’ personal devices are compromised via information-stealer malware, and saved work credentials are then sold via darkweb marketplaces.

The eSentire Threat Intelligence team continues to track this campaign, and other reports on Russian APT activity, for additional details and detection opportunities.

About the threat briefings:

The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.

eSentire Threat Response Unit (TRU)

Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers, that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.
