Threat Briefing — Feb 28, 2025

Weekly Threat Briefing - Feb 24 - Feb 28

TLP: CLEAR - This information may be shared publicly

eSentire's Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.

Noteworthy News

China's Silver Fox Spoofs Medical Imaging Apps to Hijack Patients' Computers

Bottom Line: A malware campaign perpetrated by the Chinese APT group Silver Fox was uncovered, targeting the healthcare industry in North America.

On February 24th, Forescout’s Vedere Labs released a report on a new campaign attributed to the Chinese APT group Silver Fox. The group is distributing malware disguised as the Philips DICOM (Digital Imaging and Communications in Medicine) image viewer, a tool commonly used to view medical imaging.

The malware samples masquerade as the Philips DICOM Viewer, with initial submissions observed between December 2024 and January 2025 from U.S. and Canadian systems. The trojanized viewer executes PowerShell scripts to disable Windows Defender and conducts system reconnaissance using built-in Windows utilities. It then retrieves encrypted payloads from an Alibaba Cloud bucket; these include TrueSightKiller, a Cyren AV DLL and executable, and other auxiliary files and shellcode used for process injection.

Once downloaded, the malware decrypts and deploys multiple payloads, generating a secondary malicious executable. This executable is then registered as a Windows scheduled task, ensuring it launches immediately and persists by executing at every user login. The second-stage malware incorporates a Cyren AV DLL, which contains injected code designed to evade debugging. It then scans running processes to detect security software and employs TrueSightKiller to terminate identified security applications. After disabling security defenses, the malware retrieves an encrypted file, which it decrypts into a third-stage payload—ValleyRAT. This component, which serves as both a backdoor and loader module, establishes communication with a Command-and-Control (C2) server hosted on Alibaba Cloud. ValleyRAT then downloads additional encrypted payloads, which, upon decryption, function as a keylogger and cryptocurrency miner. These payloads achieve persistence through scheduled tasks, allowing them to operate stealthily on the compromised system.

The malware incorporates encryption, obfuscation, and evasion techniques at each stage to resist detection and analysis. Obfuscation methods include API hashing to conceal function calls, indirect API retrieval to avoid static analysis, and indirect control flow manipulation to hinder debugging and reverse engineering. Evasion techniques involve long sleep intervals to evade sandbox detection, system fingerprinting to tailor execution, masked DLL loading to bypass security monitoring, and RPC-based task scheduling and driver loading to avoid standard process monitoring.
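As an added illustration, not part of the Forescout report or of eSentire's briefing, the following Python script shows how a defender might surface two of the behaviours described above in endpoint telemetry: PowerShell commands that weaken Windows Defender, and a scheduled task registered to run at logon from a user-writable path, then correlate both on one host for escalation. The event records are constructed, and the matched Defender cmdlets and parameters (Set-MpPreference or Add-MpPreference with a -Disable* switch or a new exclusion) are assumed examples of tampering; the briefing does not publish the campaign's exact commands, task names or file paths.

```python
"""Added example: flag Defender tampering and logon-task persistence in
constructed endpoint telemetry, then correlate both on one host."""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed sample events (not from the campaign). They mimic what an EDR
# or Windows event forwarder would provide: PowerShell script block text and
# scheduled-task registrations with the task XML flattened to a few fields.
SAMPLE_EVENTS = [
    {"type": "powershell", "host": "ws-01",
     "script": "Get-MpComputerStatus | Select-Object RealTimeProtectionEnabled"},
    {"type": "powershell", "host": "ws-02",
     "script": "Set-MpPreference -DisableRealtimeMonitoring $true; "
               "Add-MpPreference -ExclusionPath C:\\Users\\Public"},
    {"type": "scheduled_task", "host": "ws-02", "task_name": "\\Updater",
     "command": "C:\\Users\\Public\\svc.exe", "trigger": "LogonTrigger"},
    {"type": "scheduled_task", "host": "ws-03",
     "task_name": "\\Microsoft\\Windows\\Backup",
     "command": "C:\\Windows\\System32\\sdclt.exe", "trigger": "CalendarTrigger"},
]

# Assumed tampering indicators: Defender preference cmdlets combined with a
# -Disable* switch or a new exclusion. Read-only cmdlets such as
# Get-MpComputerStatus are deliberately not matched.
DEFENDER_TAMPER = re.compile(
    r"\b(?:Set|Add)-MpPreference\b[^;|]*?-(?:Disable\w+|Exclusion(?:Path|Process|Extension))",
    re.IGNORECASE,
)
# Directories an unprivileged user can write to; a logon task launching from
# here is far more suspicious than one launching from System32.
USER_WRITABLE = re.compile(r"^[a-z]:\\(?:Users|ProgramData|Windows\\Temp)\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    evidence: str


def check_powershell(event: dict) -> Optional[Finding]:
    """Flag script blocks that weaken Windows Defender."""
    match = DEFENDER_TAMPER.search(event["script"])
    if match:
        return Finding(event["host"], "defender_tamper", match.group(0))
    return None


def check_scheduled_task(event: dict) -> Optional[Finding]:
    """Flag tasks that run at logon from a user-writable location."""
    if event["trigger"].lower() == "logontrigger" and USER_WRITABLE.match(event["command"]):
        return Finding(event["host"], "logon_task_user_path",
                       f'{event["task_name"]} -> {event["command"]}')
    return None


CHECKS = {"powershell": check_powershell, "scheduled_task": check_scheduled_task}


def analyze(events: Iterable[dict]) -> list:
    """Run the per-event checks and return all findings in event order."""
    findings = []
    for event in events:
        check = CHECKS.get(event["type"])
        finding = check(event) if check else None
        if finding:
            findings.append(finding)
    return findings


def correlate(findings: Iterable[Finding]) -> list:
    """Hosts where defences were weakened AND a logon task was planted: the
    two-step pattern described in the briefing, which warrants escalation."""
    rules_by_host: dict = {}
    for f in findings:
        rules_by_host.setdefault(f.host, set()).add(f.rule)
    required = {"defender_tamper", "logon_task_user_path"}
    return sorted(h for h, rules in rules_by_host.items() if required <= rules)


if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.host}: {f.rule}: {f.evidence}")
    print("escalate:", correlate(found))
```

Either rule alone produces noise in a real fleet (administrators legitimately add exclusions, and many installers create logon tasks); requiring both on the same host, in the order the chain describes, is what turns two weak signals into one worth escalating.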

eSentire Threat Intelligence Analysis:

As highlighted in the report, the Silver Fox APT campaign appears to target individual patients who download medical imaging software to view their DICOM files. This attack introduces a new patient-driven threat vector, where the infection chain could extend beyond personal devices into hospital networks, creating a stealthy entry point for APT operations. Infected patient devices connecting to hospital networks could potentially allow lateral movement of malware.

DICOM viewers are widely used by patients and healthcare professionals to access medical imaging. A trojanized version of such software increases the likelihood of successful infection. Even though the attack does not directly target hospitals, the potential for secondary infections through patient devices makes it a serious supply chain risk for the healthcare sector. Additionally, the malware distribution method does not rely on phishing or drive-by downloads but instead hijacks a legitimate software tool, making detection more challenging.

To mitigate the risk of attacks, healthcare organizations must adopt several key security measures. First, avoid downloading software or files from untrusted sources, as these can often harbor malicious content. Where possible, hospitals should limit external device interactions with critical healthcare systems. Additionally, loading files from patient devices onto healthcare workstations or other network-connected equipment should be prohibited. Ensuring that all endpoints are secured with up-to-date Antivirus or Endpoint Detection and Response (EDR) solutions is crucial in providing a layer of defense against potential threats. Furthermore, implementing strong network segmentation is essential to isolate untrusted devices and networks, such as guest Wi-Fi, from the internal hospital infrastructure, preventing unauthorized access to sensitive systems.

eSentire MDR for Network detects activity associated with ValleyRAT. The eSentire Threat Response Unit (TRU) is investigating the topic for additional details and detection opportunities.

Anubis Ransomware

Bottom Line: Anubis ransomware is a new Ransomware-as-a-Service group that is actively looking to expand its reach across Australia, Canada, Europe and the US by offering lucrative revenue shares to prospective affiliates.

On February 25th, cybersecurity researchers at Kela released a report on the Anubis Ransomware-as-a-Service (RaaS) group. Along with double extortion, the group offers its affiliates a range of monetization strategies: a ransomware affiliate program, a data ransom affiliate program, and an access monetization affiliate program. The Anubis group's X (formerly Twitter) account indicates that it has been active since December 2024, with its representatives actively promoting services on cybercrime forums. One member, "superSonic," joined the RAMP forum on September 13th, 2024, and published their first post on February 23rd, 2025, which laid out the affiliate programs offered by the group. Another user, "Anubis__media," has been active on the XSS forum since November 16th, 2024, and is listed in the contact details section of Anubis’s X account.

The group offers three affiliate programs: “Anubis Ransomware – 80/20,” “Anubis Data Ransom – 60/40,” and “Access Monetization – 50/50.” In the first, the RaaS program, affiliates use the Anubis ransomware to encrypt victim devices and receive 80% of the ransom payment. The advertised ransomware features include ChaCha+ECIES encryption, support for Windows, Linux, NAS, and ESXi x64/x32 systems, privilege escalation, domain-wide self-propagation, and web panel management.

The Anubis Data Ransom program allows affiliates to monetize previously stolen data using Anubis’s resources; Anubis provides a 60% share of extortion payments obtained through threats of public exposure. In this program, Anubis offers to create investigative articles based on the stolen files and publish them on its blog, to use “non-standard methods” to threaten the victims, and to inform the affected organizations, their customers, and regulatory authorities.

The third model, Access Monetization, involves Initial Access Brokers who provide corporate access credentials to Anubis in exchange for a 50% revenue share from the group’s future extortion or ransom payments. Anubis requires victims to be from the US, Canada, Australia, or Europe, and the organizations must not have been attacked by ransomware in the past year. Additionally, credentials from educational institutions, government agencies, and non-profits are not accepted.

The group’s blog lists four victims claimed by Anubis: Pound Road Medical Centre in Australia, Summit Home Health in Canada, Comercializadora S&E Perú in Peru, and a U.S.-based engineering and construction organization.

eSentire Threat Intelligence Analysis:

The Anubis RaaS group has emerged as an organized, knowledgeable threat posing a risk to organizations across the US, Canada, Australia and Europe. The threat actors behind the group are unknown, but according to the Kela report they may be based in Russia. The group’s elaborate affiliate program offerings, its statements on its ransomware operations and victims, and the updates on its onion blog indicate that the threat actors are well-experienced in data extortion and ransomware activity, and are likely former affiliates of other ransomware groups.

The capabilities of Anubis ransomware remain unverified, as there are no details available regarding the ransomware attacks on the organizations claimed by the group. Two of the claimed victims are from the healthcare sector, indicating the group's interest in the industry. While Anubis has not provided a clear reason for targeting organizations in the US, Canada, Australia, and Europe, it is likely that the group operates from a region that does not have extradition agreements with these countries. Anubis’s strategy of reaching out not only to the victims of the stolen data leak but also to the company’s clients and regulatory agencies appears to be an effective method for pressuring victims into paying the ransom. This tactic forces the victims to view paying the ransom as a less damaging alternative. The group's primary focus is on generating revenue, and to minimize the risk of law enforcement intervention, it avoids being associated with any attacks against government agencies, non-profit organizations, and educational institutions.

Although the relevant Indicators of Compromise (IoCs) and Tactics, Techniques, and Procedures (TTPs) are not yet available, it is crucial for organizations, especially those in critical industries, to be prepared to detect activity such as an Anubis ransomware attack. Organizations must implement robust Endpoint Detection and Response (EDR) solutions to identify malicious activity on endpoints and ensure that effective network monitoring tools are in place to detect anomalies in the network.

Any new developments in the Anubis RaaS group activities will be tracked by the eSentire Threat Intelligence team.

Black Basta Internal Chat Leaked

Bottom Line: Internal communications from the Russian ransomware group Black Basta were leaked online. The leaked chat logs reveal details on Tactics, Techniques, and Procedures used by the ransomware group, as well as insights into the group’s activities and internal conflicts.

The Black Basta Ransomware-as-a-Service (RaaS) group was impacted by a leak of the group’s internal communications in early February 2025. The leaked information includes roughly 200,000 messages sent by group members between September 2023 and September 2024. An actor operating under the name ExploitWhisper disclosed the information on February 11th; they claim that the disclosure was in retaliation for Black Basta’s targeting of a Russian bank.

The leak includes previously non-public details on key group members, including the suspected leader of the group, who operates under the monikers GG, AA, and Trump. Additional information is included on Lapa, suspected of providing malware crypting services; Cortes, a threat actor linked to Qakbot malware; and YY, Black Basta’s main administrator. Beyond these main actors, the messages also reveal links to various underground services that were used to purchase malware or infrastructure for attacks.

Notably, the leaked information provides insight into Black Basta’s Tactics, Techniques, and Procedures (TTPs). Black Basta is not using novel or highly complex techniques to gain access to victim organizations. The group frequently purchased information-stealer logs and previously compromised credentials to access victim organizations. They have also been identified deploying commodity malware, such as Qakbot, via email to extract sensitive data. In some cases, unpatched known VPN vulnerabilities were targeted, and the group often performed simple credential stuffing attacks.

Black Basta does not appear to specifically target one industry over others. The group is financially motivated, and its activity targets organizations that are most likely to pay a ransom. Susceptibility to extortion is assessed by researching potential victims using tools such as ZoomInfo, LinkedIn, and RocketReach, which provide revenue data on companies. The leak includes 380 unique ZoomInfo links, indicating that as many organizations were targeted over a one-year period.

eSentire Threat Intelligence Analysis:

Black Basta has shown limited signs of activity in 2025; this is believed to relate to internal disagreements amongst group members. The release of group messages is likely to cause further fracturing between members. The Black Basta leader, Trump, was identified requesting a new ransomware encryptor, which could be used to rebrand the operation, allowing Black Basta members to evade law enforcement and separate themselves from negative attention and from certain group members. Following the leak, there is a high probability that Black Basta will cease operating under its current name, but activity will continue, either under a new RaaS or as affiliates of other established groups.

There are three key takeaways from this leak: the fragile nature of cybercriminal groups, targeting insights, and the use of simple attack techniques. Black Basta relies heavily on other criminal services for aspects of its attacks; these relationships enable a division of labor and increased ransomware activity overall, but they are also a potential weakness. Negative opinions from affiliates, political attacks, and infighting may lead other criminal services to avoid interacting with the ransomware service, impacting its ability to operate.

Black Basta has previously tried to brand itself as a Robin Hood-type operation that avoids targeting healthcare organizations. The messages in this leak make it clear that this is not the case. In the 2022 ransomware attack against the healthcare giant Ascension, decryption keys were only provided once CNN publicly attributed the attack to Black Basta. And despite the release of decryption keys, the group still extorted Ascension over the stolen data. The only deterrents to Black Basta targeting appear to be the amount of attention caused by a breach and a victim’s inability to pay a ransom demand. In some cases, the leak indicated that French organizations would be disregarded, as French laws make payments less likely.

All of the techniques and tools outlined in the leak are publicly known and none are particularly sophisticated. Groups like Black Basta are targeting “low-hanging fruit”. To defend against this activity, it is critical that organizations implement security best practices, such as Multi-Factor Authentication (MFA), deployment of Endpoint Detection and Response (EDR) capabilities across all workstations and servers, and regular application of security patches to Internet-facing assets. Following these steps significantly decreases the likelihood of Black Basta actors achieving initial access.

At this time, the identity of the leaker ExploitWhisper remains unclear. While their stated goal was retribution for attacks against the Russian finance sector, this claim should be viewed skeptically. It is possible that ExploitWhisper was a disgruntled affiliate member, similar to the 2022 Conti RaaS chat leak. Alternatively, ExploitWhisper may be a member of a competing RaaS, or a grey-hat security researcher.

The eSentire Threat Intelligence team is actively reviewing the full information leak. Research into the leaked information will be presented in the March 2025 TRU Intelligence Briefing on March 11th. It should be noted that eSentire's multi-signal MDR service maintains a variety of detections for both tools and techniques associated with Black Basta ransomware.

About the threat briefings:

The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.

eSentire Threat Response Unit (TRU)

Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.
