Threat Briefing — Apr 11, 2025

Weekly Threat Briefing - Apr 7 - Apr 11

TLP: CLEAR - This information may be shared publicly

eSentire's Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.

Noteworthy News

Windows Remote Desktop Protocol: Remote to Rogue

Bottom Line: Details on a new phishing campaign conducted by suspected Russian threat actors have emerged, targeting European government and military organizations. The attacks involve emails with attached RDP configuration files which, when executed, initiate an RDP connection from the victim's machine to attacker-controlled infrastructure.

On April 7th, the Google Threat Intelligence Group (GTIG) released a report about a new phishing campaign targeting European government and military organizations. This campaign was attributed to a suspected Russian espionage actor referred to as UNC5837.

The attack began with a phishing email that claimed to be part of a project in collaboration with Amazon, Microsoft, and the Ukrainian State Secure Communications and Information Security Agency. The email contained a signed .rdp file attachment claiming to be related to the described project. Executing the signed attachment initiated an RDP connection from the victim's machine. The attachment is signed with a Let's Encrypt certificate issued to the domain the RDP connection is established with. Once the connection is established, the adversary is granted read and write access to all victim drives, printers, COM ports, smart cards, WebAuthn requests (e.g., security keys), Point-of-Sale (POS) devices and clipboard content. Furthermore, the connection uses the RemoteApp feature to display a misleading application called "AWS Secure Storage Connection Stability Test" on the victim's machine. This application, hosted on the attacker's RDP server, masquerades as a locally installed program, hiding its potentially malicious nature. Google also states that the attacker may have utilized an RDP proxy tool such as PyRDP, which could automate malicious activities such as file exfiltration and clipboard capture, including potentially sensitive data like passwords. This campaign resulted in the theft of sensitive data that may be valuable for espionage purposes.

eSentire Threat Intelligence Analysis:

This campaign illustrates how Remote Desktop Protocol (RDP) configuration files, a legitimate Windows feature, were used to gain access to victims' resources. By targeting sectors such as government and military organizations, UNC5837 aims to collect valuable sensitive information. The data obtained through this campaign could potentially be sold, shared, or leaked on the dark web. This exposure puts the affected organizations at risk from other adversaries who may exploit the leaked information for financial gain or further espionage.

Public research from Microsoft and Trend Micro on Midnight Blizzard and Earth Koshchei shows similar attack patterns. Earth Koshchei is linked to the Foreign Intelligence Service of Russia (SVR). This group has a long history of consistently targeting diplomatic, military, energy, telecommunications, and IT companies in Western nations. They have been observed targeting over 200 high-profile entities, including military organizations, foreign affairs offices, Ukrainian institutions, and academic researchers. Similarly, Midnight Blizzard has targeted more than 100 organizations, notably in the United Kingdom, Europe, Australia, and Japan. The threat actor is known for using Active Directory Federation Services (AD FS) malware such as FOGGYWEB and MAGICWEB to compromise and persist within targeted environments.

Combining the observations from these reports, adversary capabilities include file theft, clipboard data capture, and access to environment variables. Furthermore, phishing, despite its simplicity, remains an effective attack method, especially against targets with weaker email security or lacking Multi-Factor Authentication (MFA). APTs like UNC5837 leverage such techniques for their efficiency and high success rates. Using less-complex techniques conserves resources and allows APTs to deploy more sophisticated tools in victims' infrastructure. Such campaigns highlight the importance of monitoring and of ensuring that detections and mitigations are implemented. Robust user education can also help mitigate the threat of social engineering and phishing emails; organizations should conduct user education programs that highlight how to identify and report suspicious emails. Finally, blocking the .rdp file extension in email attachments can prevent such attacks outright.
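Where .rdp attachments cannot simply be blocked, a mail gateway or sandbox can at least flag the settings the campaign relies on. The following triage script is an added example (not code from eSentire or GTIG): it parses the standard `key:type:value` lines of an .rdp file and reports the redirection and RemoteApp settings described above, using a constructed sample file with placeholder host and signature values.

```python
import re

# Standard .rdp keys whose enabled value hands the remote host access to a local resource.
RISKY_SETTINGS = {
    "drivestoredirect": "local drive redirection",
    "redirectclipboard": "clipboard redirection",
    "redirectprinters": "printer redirection",
    "redirectcomports": "COM port redirection",
    "redirectsmartcards": "smart card redirection",
    "redirectwebauthn": "WebAuthn (security key) redirection",
    "redirectposdevices": "Point-of-Sale device redirection",
    "remoteapplicationmode": "RemoteApp mode (remote program shown as local)",
}

def parse_rdp(text):
    """Parse 'key:type:value' lines into {key: (type, value)}; other lines are skipped."""
    settings = {}
    for line in text.splitlines():
        m = re.fullmatch(r"\s*([^:]+):([isb]):(.*?)\s*", line)
        if m:
            settings[m.group(1).strip().lower()] = (m.group(2), m.group(3))
    return settings

def is_enabled(kind, value):
    """'i' settings are on when non-zero; 's' settings (drive lists) when non-empty."""
    return value.strip() not in ("", "0") if kind == "i" else value.strip() != ""

def triage_rdp(text):
    """Return the connection target, signing status and every enabled risky setting."""
    s = parse_rdp(text)
    return {
        "target": s.get("full address", ("s", ""))[1],
        "remoteapp": s.get("remoteapplicationname", ("s", ""))[1],
        "signed": "signature" in s,  # a signed file is NOT inherently trustworthy
        "findings": [d for k, d in RISKY_SETTINGS.items() if k in s and is_enabled(*s[k])],
    }

# Constructed sample modelled on the campaign's file; host and signature are placeholders.
SAMPLE_RDP = """full address:s:rdp-server.example.invalid
drivestoredirect:s:*
redirectclipboard:i:1
redirectsmartcards:i:1
redirectwebauthn:i:1
redirectposdevices:i:1
remoteapplicationmode:i:1
remoteapplicationname:s:AWS Secure Storage Connection Stability Test
signature:s:PLACEHOLDER-SIGNATURE-BLOB
"""

RESULT = triage_rdp(SAMPLE_RDP)  # RESULT["findings"] lists six enabled redirections
</test>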

The eSentire Threat Intelligence team is actively tracking this topic for new details and detection opportunities.

Microsoft Patch Tuesday

Bottom Line: April 8th marked Microsoft's monthly Patch Tuesday release, which addressed a total of 134 vulnerabilities. Security patches address 11 critical vulnerabilities and one vulnerability that was confirmed to have been exploited in the wild by a threat actor in order to deploy ransomware.

This month, Microsoft addressed significantly more vulnerabilities than in the past two months, disclosing a total of 134 vulnerabilities, compared to 57 in March and 55 in February. The most notable vulnerability from the April release is the zero-day vulnerability tracked as CVE-2025-29824 (CVSS: 7.8), a use-after-free vulnerability within the Windows Common Log File System (CLFS) Driver that allows attackers to elevate privileges locally. Exploitation of the vulnerability requires threat actors to already have access to a target environment and can allow a standard user account to escalate privileges.

Microsoft Threat Intelligence released a report on April 8th, providing details on exploitation of this zero-day vulnerability, observed against a "small number of targets". Reported targets include organizations in the IT and real estate sectors in the US, the financial sector in Venezuela, the retail sector in Saudi Arabia, and a Spanish software company. While Microsoft was unable to confirm initial access, they reported that the threat actors used the certutil utility to download the PipeMagic backdoor. The threat actors used PipeMagic to exploit CVE-2025-29824, escalating the privileges of the compromised account and ultimately leading to the deployment of RansomEXX ransomware. Microsoft attributed these attacks to the group Storm-2460, based on similar behaviours observed within previous compromises.

Other notable vulnerabilities addressed by the patches include CVE-2025-29794 (CVSS: 8.8) and CVE-2025-27480 (CVSS: 8.1). CVE-2025-29794 is a Remote Code Execution (RCE) vulnerability within Microsoft SharePoint, while CVE-2025-27480 is an RCE vulnerability within Windows Remote Desktop Services. Neither vulnerability has reported Proof-of-Concept (PoC) exploit code or current reports of active exploitation, but both have been deemed "Exploitation More Likely" by Microsoft.

eSentire Threat Intelligence Analysis:

Within their report, Microsoft also addresses the exploitation of CVE-2025-24983 (CVSS: 7.0), which was likewise achieved through the PipeMagic backdoor. CVE-2025-24983 is a vulnerability within the Windows Win32 Kernel Subsystem that allows attackers to escalate privileges when exploited. The vulnerability was patched in Microsoft's March 2025 Patch Tuesday release. However, there are reports indicating that this vulnerability was first observed being exploited in March 2023. Although no attribution to specific threat actors is provided, it is notable that both Windows zero-day vulnerabilities involved privilege escalation and were exploited in a similar manner through the PipeMagic backdoor.

Within the Frequently Asked Questions (FAQ) sections of some of the vulnerability pages addressed in the April 2025 Patch Tuesday release, Microsoft has stated that security patches for Windows 10 for x64-based and 32-bit systems were "not immediately available". Although Windows 10 is not set for End-of-Life status until October 14th, 2025, the lack of Windows 10 patches addressing these vulnerabilities is notable. Microsoft has not commented on the specific reason for the delay in Windows 10 patches. As of April 9th, there are reports that updates were pushed for Windows 10 version 1507, but at the time of writing, not all of the pages for vulnerabilities addressed in April 2025's Patch Tuesday release reflect that Windows 10 updates are available.

Organizations are strongly encouraged to apply available security patches as soon as possible, and to apply patches addressing the vulnerabilities for Windows 10 devices as they become available. eSentire's Threat Response Unit (TRU) is continuing to track these vulnerabilities for additional information and detection opportunities. eSentire Managed Vulnerability Service (MVS) has plugins in place to identify devices that are vulnerable to the flaws addressed in Microsoft's April 2025 Patch Tuesday release.

Lazarus Expands Malicious npm Campaign

Bottom Line: The North Korean APT Lazarus Group has been observed publishing malicious npm packages as part of the ongoing Contagious Interview campaign. These malicious packages are being used to deliver information stealer malware and Remote Access Trojans (RATs).

On April 4th, Socket released a report highlighting the expansion of the ongoing Contagious Interview campaign, led by the North Korean-backed Lazarus Group and aimed at software developers. The APT group has rolled out new malicious npm packages designed to deliver the BeaverTail information stealer and a Remote Access Trojan (RAT). The campaign shows advancements in payload obfuscation techniques and a noticeable shift in the platforms used for distributing the malware.

The Contagious Interview campaign has been operating since at least December 2022, targeting software developers. The campaign uses fake job postings to lure job-seeking developers into deploying malicious payloads on their systems. The campaign is financially motivated and aims at stealing sensitive data, siphoning financial assets, and maintaining long-term access to compromised systems. Since its inception, the campaign has expanded with the introduction of new versions of the malware it uses, such as BeaverTail, InvisibleFerret, and OtterCookie. Socket identified new developments in the campaign in which new npm packages were observed. In total, the 11 newly identified malicious packages linked to this expanded campaign have been downloaded more than 5,600 times.

The packages were distributed via a mix of old and new aliases on platforms such as GitHub and Bitbucket. The campaign initially hosted the malicious packages in GitHub repositories, while the recent updates show use of Bitbucket. These npm packages are capable of scanning up to 200 profile directories for popular web browsers, including Brave, Chrome, and Opera, and can extract private keys from cryptocurrency wallets such as Solana. Socket stated that all known distribution points for these malicious npm packages have been suspended. Analysis of the npm package samples by Socket revealed that the newly deployed packages used unique code structures and a range of obfuscation techniques. Each sample varies in execution to evade detection while loading the next-stage RAT and connecting to Command-and-Control (C2) servers.

eSentire Threat Intelligence Analysis:

The software developer community continues to be a prime target for the Contagious Interview campaign, largely due to its reliance on open-source repositories and tools, which are generally perceived as trustworthy within the industry. The continued activity of the campaign underscores its effectiveness, as it stays consistent with its core tactic of enticing job-seeking developers into interacting with malicious npm packages. The recent developments observed in the npm ecosystem indicate that the campaign is actively evolving, suggesting ongoing refinement and a strong likelihood of further expansion in its operations.

The use of varied malware distribution platforms, including GitHub and Bitbucket, suggests the Lazarus group's interest in expanding its reach. The Socket report emphasizes that the threat actor employs a highly sophisticated approach when uploading malicious npm packages, carefully crafting them to appear legitimate and avoid raising suspicion about their malicious intent. The samples obtained by Socket from the attacker-controlled repositories showcased diverse coding routines and obfuscation methods, indicating a heightened level of customization in each sample aimed at maximizing evasion of detection mechanisms. These efforts indicate that, in addition to advancing the technical aspects of payload execution to evade detection, the threat actors are equally focused on concealing their activities in the non-technical facets of malware distribution, such as how the packages are presented and delivered. These updates to their techniques portray the Lazarus threat actors as highly skilled and well-researched, demonstrating a deep understanding of both technical evasion strategies and the open-source ecosystem they are exploiting.

It is important for organizations to implement secure software development practices and to limit user permissions so that packages cannot be installed from untrusted sources. To mitigate the threats posed by campaigns like Contagious Interview, organizations should adopt a defense-in-depth approach. Organizations should deploy a robust Endpoint Detection and Response (EDR) solution to effectively identify and contain any malicious activity across their assets within the environment. Continuously monitoring network traffic is crucial for detecting connections to known malicious infrastructure. Blocking known malicious IP addresses can serve as an effective preventive measure, helping organizations protect against potential network breaches.

The eSentire Threat Intelligence team has been consistently monitoring the Contagious Interview campaign and has frequently updated detection capabilities in response to the new developments observed within the campaign. eSentire's Threat Response Unit (TRU) has published blogs outlining the activities of the Lazarus APT group in this campaign, titled "Bored BeaverTail Yacht Club – A Lazarus Lure" and "Bored BeaverTail & InvisibleFerret Yacht Club – A Lazarus Lure Pt.2".

About the threat briefings:

The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.

eSentire Threat Response Unit (TRU)

Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.