The last 72 hours have revealed critical shifts in the threat landscape. From Chinese APTs exploiting fresh WSUS vulnerabilities to ransomware groups like Kraken benchmarking systems for speed, threat actors are refining their toolkits for maximum impact.
Bactor Ransomware: A New Player in the Field
Researchers at CYFIRMA have uncovered a new ransomware strain dubbed Bactor. Unlike some “wiper” variants that merely masquerade as ransomware, Bactor performs a genuine, full file-locking routine.
- The Attack: Once executed, it aggressively deletes Volume Shadow Copies to prevent easy recovery.
- The Signature: Files are renamed with the attacker’s email address and the specific extension `.bactor` (e.g., `document.docx.[attacker_email].bactor`).
- Key Insight: Its reliance on WMI (Windows Management Instrumentation) for reconnaissance suggests it is designed to move quietly before striking.
Lynx Ransomware: The “Hands-On” RDP Threat
A new investigation by The DFIR Report highlights a “hands-on-keyboard” intrusion involving Lynx Ransomware.
- Entry Point: The attackers didn’t use a zero-day; they walked in through valid RDP credentials.
- Tactics: Before deploying the encryption payload, the operators spent time manually enumerating the network and, critically, locating and corrupting the victim’s backup infrastructure.
- Impact: This highlights the continued danger of exposed RDP services and the necessity of immutable backups that cannot be altered even by a domain admin.
EVALUSION Campaign: “ClickFix” Deception
A sophisticated social engineering campaign tracked as EVALUSION is making waves.
- The Lure: Victims encounter fake error pages (often mimicking Google Chrome or Microsoft updates) that prompt them to “Click to Fix.”
- The Trap: Clicking copies a malicious PowerShell script to the clipboard, which the user is tricked into pasting and running.
- The Payload: This delivers Amatera Stealer (an infostealer targeting crypto wallets and browsers) and the NetSupport RAT for long-term remote access.
🇨🇳 State-Sponsored Espionage (APT Activity)
ShadowPad Exploits Critical WSUS Flaw (CVE-2025-59287)
In a major development reported by AhnLab (ASEC), threat actors are actively exploiting a recently patched critical vulnerability in Microsoft Windows Server Update Services (WSUS).
- The Exploit: Attackers leverage CVE-2025-59287 (Remote Code Execution) to gain unauthenticated access to WSUS servers.
- The Payload: Post-exploitation, they deploy ShadowPad, a modular backdoor historically sold privately to Chinese state-sponsored groups.
- Significance: WSUS servers are often trusted hubs within a network, making them an ideal launchpad for lateral movement.
APT31 Targets Russian IT via “Home Turf” Clouds
The China-linked group APT31 (associated with the Ministry of State Security) has been caught targeting the Russian IT sector.
- Stealth Tactic: To evade detection, APT31 is using legitimate, localized cloud services for Command and Control (C2). They are exfiltrating data to Yandex Cloud buckets, blending their malicious traffic with normal Russian enterprise network activity.
- Persistence: The group uses a mix of custom backdoors and “living-off-the-land” techniques to maintain stealthy, long-term access.
🛡️ Ransomware Evolution
Akira Expands to Nutanix AHV
CISA and other agencies released an advisory (Nov 13) noting a dangerous evolution in Akira ransomware.
- New Target: Beyond Windows and ESXi, Akira now specifically targets Nutanix AHV (Acropolis Hypervisor) virtual machine disk files.
- Why it Matters: Many enterprises moved to Nutanix for its resilience; Akira’s adaptation shows its operators are following enterprise trends to ensure they can cripple modern virtualization stacks.
Kraken: Benchmarking for Speed
Cisco Talos reports that the Kraken ransomware group (linked to the defunct HelloKitty gang) has introduced a “benchmarking” feature.
- The Innovation: Before encrypting, Kraken runs a benchmark on the victim’s system to determine the fastest encryption algorithm and thread count that the CPU can handle without crashing.
- The Goal: Maximize encryption speed to finish the job before security tools can react.
🔬 Technical Intelligence: TTPs & IOCs
Tactics, Techniques, and Procedures (TTPs)
| Threat Actor / Malware | Technique ID | Description |
|---|---|---|
| Bactor | T1047 (WMI) | Uses WMI for system reconnaissance and execution. |
| Bactor | T1490 (Inhibit Recovery) | Deletes Shadow Copies via vssadmin and wmic. |
| Lynx | T1078 (Valid Accounts) | Leverages compromised RDP credentials for initial access. |
| Lynx | T1490 (Inhibit Recovery) | Manual deletion of backup jobs and corruption of backup catalogs. |
| EVALUSION | T1204 (User Execution) | “ClickFix” social engineering tricks users into pasting malicious PowerShell. |
| ShadowPad | T1190 (Exploit Public App) | Exploits CVE-2025-59287 (WSUS RCE) for initial access. |
| ShadowPad | T1574.002 (DLL Side-Loading) | Uses legitimate binaries (like ETDCtrlHelper.exe) to load malicious DLLs (ETDApix.dll). |
| APT31 | T1071 (App Layer Protocol) | Uses legitimate cloud services (Yandex Cloud) for C2 traffic. |
| Kraken | T1618 (Benchmark) | Benchmarks system performance to optimize encryption speed. |
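The three behavioural rows above (Bactor’s shadow-copy deletion, EVALUSION’s mshta-to-PowerShell clipboard paste, and ShadowPad’s ETDCtrlHelper.exe side-load) translate directly into process-telemetry rules. The script below is an added example, not code from CYFIRMA, AhnLab or the other reports cited here; it assumes Sysmon-style process-creation and image-load fields, the sample events are constructed, and the “loader running outside a trusted install root” heuristic for the side-loading rule is this example’s own assumption, not something the reports state.

```python
"""Behavioural detections for the TTP table above (added example, not from the cited reports).

Events are constructed to mirror the fields a Sysmon process-creation (ID 1)
or image-load (ID 7) record carries; none come from a real incident.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    image: str                 # created (or loading) process, full path
    parent_image: str = ""     # parent process, full path
    command_line: str = ""
    loaded_image: str = ""     # DLL path for image-load events, empty otherwise


@dataclass
class Alert:
    technique: str
    title: str
    event: Event


def _name(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


# T1490: command lines that remove Volume Shadow Copies (vssadmin / wmic, as in Bactor)
SHADOW_DELETE = re.compile(r"delete\s+shadows|shadowcopy\s+delete", re.I)
# T1204: PowerShell started by mshta.exe that reads the clipboard (EVALUSION "ClickFix")
CLIPBOARD = re.compile(r"clipboard", re.I)
# Heuristic (assumption of this example): a vendor helper binary normally lives under
# one of these roots; the same binary running elsewhere is what makes the side-load suspicious.
TRUSTED_ROOTS = ("c:/program files", "c:/windows")


def _under_trusted_root(path):
    return path.replace("\\", "/").lower().startswith(TRUSTED_ROOTS)


def detect(events):
    """Return one Alert per matching rule, in event order."""
    alerts = []
    for ev in events:
        img, parent = _name(ev.image), _name(ev.parent_image)
        if img in ("vssadmin.exe", "wmic.exe") and SHADOW_DELETE.search(ev.command_line):
            alerts.append(Alert("T1490", "Volume Shadow Copy deletion", ev))
        if (parent == "mshta.exe" and img in ("powershell.exe", "pwsh.exe")
                and CLIPBOARD.search(ev.command_line)):
            alerts.append(Alert("T1204", "ClickFix: mshta.exe -> PowerShell reading clipboard", ev))
        if (img == "etdctrlhelper.exe" and _name(ev.loaded_image) == "etdapix.dll"
                and not _under_trusted_root(ev.image)):
            alerts.append(Alert("T1574.002", "ShadowPad side-load via ETDCtrlHelper.exe", ev))
    return alerts


# Constructed sample telemetry: four true positives and three benign look-alikes.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    Event(r"C:\Windows\System32\vssadmin.exe", r"C:\Windows\System32\cmd.exe",
          "vssadmin.exe delete shadows /all /quiet"),
    Event(r"C:\Windows\System32\wbem\wmic.exe", r"C:\Users\Public\setup.exe",
          "wmic shadowcopy delete"),
    Event(r"C:\Windows\System32\vssadmin.exe", r"C:\Windows\System32\cmd.exe",
          "vssadmin.exe list shadows"),                      # benign: listing, not deleting
    Event(PS, r"C:\Windows\System32\mshta.exe", 'powershell.exe -w hidden -c "Get-Clipboard"'),
    Event(PS, r"C:\Windows\explorer.exe", "powershell.exe -c Get-Clipboard"),  # benign parent
    Event(r"C:\Users\Public\Libraries\ETDCtrlHelper.exe", r"C:\Users\Public\Libraries\ETDCtrlHelper.exe",
          "", loaded_image=r"C:\Users\Public\Libraries\ETDApix.dll"),
    Event(r"C:\Program Files\TouchpadVendor\ETDCtrlHelper.exe",       # constructed vendor path
          r"C:\Windows\System32\services.exe", "",
          loaded_image=r"C:\Program Files\TouchpadVendor\ETDApix.dll"),  # benign: trusted root
]


def run_sample():
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a.technique:10} {a.title:50} {a.event.image}")
```

The side-load rule deliberately does not fire on the loader/DLL pair alone, because a genuine touchpad installation produces the same pair; the path condition is what keeps it actionable, and an analyst should still confirm the DLL hash against the AhnLab report before escalating.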
Indicators of Compromise (IOCs)
⚠️ Disclaimer: These indicators are based on recent reports. Always verify against your own threat intelligence feeds.
Bactor Ransomware
- File Extension: `.bactor` (often appended as `.email[at]domain.com.bactor`)
- Key Processes: `vssadmin.exe`, `wmic.exe`
ShadowPad (WSUS Campaign)
- C2 IP: `149.28.78[.]189:42306`
- Malicious DLL Name: `ETDApix.dll`
- Legitimate Loader: `ETDCtrlHelper.exe`
EVALUSION / Amatera
- Network Artifacts: Connections to `mediafire.com` (payload download), `api.ipify.org` (recon).
- Behavior: `mshta.exe` spawning PowerShell with clipboard content.
Kraken Ransomware
- File Extension: `.zpsc`
- Ransom Note: `readme_you_ws_hacked.txt`
- Tools: Presence of `Cloudflared` (for persistence) and `SSHFS` (for exfiltration).
Akira (Nutanix Variant)
- Extensions: `.akira`, `.powerranges`, `.akiranew`, `.aki`
- Target Files: Nutanix AHV disk formats (in addition to `.vmdk`, `.avhd`).