ThreatInsight
@threatinsight.proofpoint.com
300 followers 2 following 190 posts
Proofpoint's insights on targeted attacks and the cybersecurity threat landscape.
threatinsight.proofpoint.com
New malware continues to emerge, and may be trying to fill gaps in the criminal malware ecosystem.

TA585 has adopted effective strategies for filtering, delivery, & malware installation.

Tip: Train users to recognize ClickFix. Prevent non-admin users from executing PowerShell.
threatinsight.proofpoint.com
Our blog also details TA585 campaigns. One interesting example was in August 2025, when it leveraged GitHub email notifications to deliver Rhadamanthys.
threatinsight.proofpoint.com
MonsterV2 fast facts:

⚡️Has capabilities of a remote access trojan (RAT), loader, and stealer

⚡️ Avoids infecting computers in Commonwealth of Independent States (CIS) countries

⚡️ Expensive compared to its peer malware families

⚡️ Used by TA585 and a small number of actors
threatinsight.proofpoint.com
TA585 fast facts:

⚡️ Demonstrates innovation in a constantly changing threat landscape, with unique web injection campaigns and complicated filtering

⚡️ Manages its own infrastructure, delivery, & malware installation, w/ activity typically distributed via compromised websites
threatinsight.proofpoint.com
TA585 is the identifier of the most recent threat actor named by Proofpoint.

The sophisticated cybercriminal, notably, appears to own its entire attack chain with multiple delivery techniques.

Learn about TA585 and one of its favored payloads, MonsterV2: brnw.ch/21wWAAU.
When the monster bytes: tracking TA585 and its arsenal | Proofpoint US
Key findings: TA585 is a sophisticated cybercriminal threat actor recently named by Proofpoint. It operates its entire attack chain from infrastructure to email delivery to malware
threatinsight.proofpoint.com
Example UA

Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/1000005345.0.0.0 Safari/537.36 Edg/1000005345.0.0.0
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/10408.0.0.0 Safari/537.36 Edg/10408.0.0.0
threatinsight.proofpoint.com
The threat actor is seen rotating through over half a million IPs, predominantly IPv6. The method for spoofing user agents results in non-existent browser versions with a matching Chrome & Edge number, which can be used to uniquely characterize the campaign.
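The two UAs quoted above share the tell described here: a Chrome major version that no browser has ever shipped, repeated verbatim in the Edg/ token. The following is an added example of turning that into a log check; it is not Proofpoint's code. The plausibility ceiling, the "ip user-agent" log format, the sample lines and the documentation-range IPs are all assumptions; only the two TA585 UA strings come from the post.

```python
"""Fingerprint the spoofed Chrome/Edge User-Agents described in the post (added example)."""
import re
from ipaddress import ip_address

# Assumption: no shipping Chromium build has a major version anywhere near this (Chrome
# majors are in the 100s in 2025). Raise it if a legitimate version ever exceeds it.
MAX_PLAUSIBLE_MAJOR = 300

UA_RE = re.compile(r"Chrome/(\d+)\.\d+\.\d+\.\d+ Safari/537\.36 Edg/(\d+)\.\d+\.\d+\.\d+")


def is_spoofed_ua(ua: str) -> bool:
    """True when the Chrome major is impossible AND the Edg token repeats the same number."""
    m = UA_RE.search(ua)
    if not m:
        return False
    chrome_major, edge_major = int(m.group(1)), int(m.group(2))
    return chrome_major > MAX_PLAUSIBLE_MAJOR and chrome_major == edge_major


def scan_log(lines):
    """Lines are '<client_ip> <user_agent>'. Returns (flagged client IPs, IPv6 share among them)."""
    flagged = []
    for line in lines:
        if not line.strip():
            continue
        ip, ua = line.split(" ", 1)
        if is_spoofed_ua(ua):
            flagged.append(ip)
    v6 = sum(1 for ip in flagged if ip_address(ip).version == 6)
    return flagged, (v6 / len(flagged) if flagged else 0.0)


PREFIX = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
UA_TA585_A = PREFIX + "Chrome/1000005345.0.0.0 Safari/537.36 Edg/1000005345.0.0.0"  # from the post
UA_TA585_B = PREFIX + "Chrome/10408.0.0.0 Safari/537.36 Edg/10408.0.0.0"            # from the post
UA_LEGIT = PREFIX + "Chrome/128.0.6613.120 Safari/537.36 Edg/128.0.2739.67"         # real-looking Edge 128
UA_MISMATCH = PREFIX + "Chrome/999999.0.0.0 Safari/537.36 Edg/128.0.0.0"            # bogus, but not this actor's pattern

# Constructed sample access-log lines; the IPs are documentation ranges, not observed infrastructure.
SAMPLE_LOG = [
    "2001:db8::1 " + UA_TA585_A,
    "2001:db8::2 " + UA_TA585_B,
    "192.0.2.55 " + UA_TA585_B,
    "198.51.100.7 " + UA_LEGIT,
    "203.0.113.9 " + UA_MISMATCH,
]

if __name__ == "__main__":
    ips, v6_share = scan_log(SAMPLE_LOG)
    print(f"flagged {len(ips)} requests, {v6_share:.0%} from IPv6: {ips}")
```

The mismatched UA is deliberately left unflagged: a fabricated Chrome version on its own is noisy (many scrapers lie), whereas the Chrome/Edg pair being identical and impossible is the specific fingerprint the post describes. The IPv6 share is reported so the "predominantly IPv6" rotation can be checked against your own traffic rather than assumed.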
threatinsight.proofpoint.com
Windows Live Custom Domains (92bcc0b3-6fb6-40a5-9577-53629580dc3e) is a legacy service that allows domain owners to use Outlook with their own domains.

No malicious activity was observed against the application in the following months, indicating a shift in attacker tactics.
threatinsight.proofpoint.com
Researchers at Proofpoint have uncovered a recent brute force campaign, tracked as UNK_CustomCloak, targeting the first-party app, Windows Live Custom Domains.

Activity was observed from September 20th-30th, affecting nearly half a million users in over 4,000 tenants.
Count of events per day targeting Windows Live Custom Domains
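The per-day chart above is the kind of view a tenant can build for itself from sign-in logs. The following added example (not Proofpoint's code) filters Entra-style sign-in records to the Windows Live Custom Domains application ID from the post, counts events per day, and picks out source IPs that fail against many distinct users plus any success from such an IP. The record field names, the error-code meanings (50126 for bad credentials, 0 for success), the spray threshold and the sample records are assumptions; only the application ID comes from the post.

```python
"""Count and characterize sign-ins against Windows Live Custom Domains (added example)."""
import json
from collections import Counter, defaultdict

WLCD_APP_ID = "92bcc0b3-6fb6-40a5-9577-53629580dc3e"  # application ID from the post
# Assumption: Entra ID sign-in status code 50126 = invalid username or password, 0 = success.
BAD_CREDS = {50126}
SPRAY_MIN_USERS = 3  # assumption: one source IP failing against >= 3 distinct users is a spray


def parse_signins(lines):
    """One JSON sign-in record per line (Entra-style field names assumed)."""
    return [json.loads(line) for line in lines if line.strip()]


def analyze(events):
    """Per-day counts against the app, spraying source IPs, and successes from those IPs."""
    targeted = [e for e in events if e.get("appId") == WLCD_APP_ID]
    per_day = Counter(e["createdDateTime"][:10] for e in targeted)

    users_per_ip = defaultdict(set)
    for e in targeted:
        if e["status"]["errorCode"] in BAD_CREDS:
            users_per_ip[e["ipAddress"]].add(e["userPrincipalName"])
    spray_ips = sorted(ip for ip, users in users_per_ip.items() if len(users) >= SPRAY_MIN_USERS)

    # A success from an IP that was spraying is the lead worth paging on.
    successes = sorted(
        (e["createdDateTime"], e["userPrincipalName"], e["ipAddress"])
        for e in targeted
        if e["status"]["errorCode"] == 0 and e["ipAddress"] in spray_ips
    )
    return {
        "per_day": dict(sorted(per_day.items())),
        "spray_ips": spray_ips,
        "successes_from_spray_ips": successes,
    }


def _rec(ts, upn, ip, code, app_id=WLCD_APP_ID):
    """Build one constructed sign-in record in the assumed format."""
    return json.dumps({"createdDateTime": ts, "userPrincipalName": upn, "appId": app_id,
                       "ipAddress": ip, "status": {"errorCode": code}})


SPRAY_IP = "2001:db8::abcd"  # constructed, documentation prefix
OTHER_APP = "11111111-2222-3333-4444-555555555555"  # placeholder for some unrelated application
# Constructed sample records, not observed data.
SAMPLE_SIGNINS = [
    _rec("2025-09-20T02:11:04Z", "alice@example.com", SPRAY_IP, 50126),
    _rec("2025-09-20T02:11:09Z", "bob@example.com", SPRAY_IP, 50126),
    _rec("2025-09-20T02:11:15Z", "carol@example.com", SPRAY_IP, 50126),
    _rec("2025-09-20T08:30:00Z", "dave@example.com", "198.51.100.9", 50126),  # one user mistyping
    _rec("2025-09-21T03:40:22Z", "erin@example.com", SPRAY_IP, 50126),
    _rec("2025-09-21T03:41:01Z", "carol@example.com", SPRAY_IP, 0),  # a guess landed
    _rec("2025-09-21T08:31:10Z", "dave@example.com", "198.51.100.9", 0),
    _rec("2025-09-21T09:00:00Z", "frank@example.com", SPRAY_IP, 50126, app_id=OTHER_APP),  # out of scope
]

if __name__ == "__main__":
    print(json.dumps(analyze(parse_signins(SAMPLE_SIGNINS)), indent=2))
```

Filtering on the application ID rather than the display name matters for a legacy first-party app like this one: the name can be localized or absent in exports, the GUID cannot. The single-user failure from 198.51.100.9 is counted in the daily total but never becomes a spray IP, so the later success from that address is not flagged.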
threatinsight.proofpoint.com
TA415’s pivot to target organizations and those tied to U.S.-China relations is noteworthy given today’s geopolitical landscape.

See our full blog for a detailed breakdown of these July and Aug 2025 campaigns, infection chain, IOCs, and ET rules.
threatinsight.proofpoint.com
Key finding 3️⃣: This marks a tactical shift away from earlier malware like the “Voldemort” backdoor, showing the group’s ability to adapt.

Key finding 4️⃣: A primary objective of these campaigns is likely the collection of intel on the trajectory of U.S.-China economic ties.
threatinsight.proofpoint.com
Key finding 2️⃣: Instead of traditional #malware, the campaigns deployed Visual Studio Code Remote Tunnels.

This is likely a concerted effort from #TA415 to blend in with existing legitimate traffic to trusted services, including Google Sheets/Calendar, & VS Code Remote Tunnels.
TA415 VS Code Remote Tunnel infection chain.
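Because Remote Tunnels ride on Microsoft-owned endpoints, the network side looks legitimate on its own; the host side is where the signal is. The following added example (not Proofpoint's or TA415's code) correlates two indicators per host from endpoint telemetry: a `code tunnel` command line, and DNS lookups for the tunnel service domains. The command-line form and the domains (`*.devtunnels.ms`, `*.tunnels.api.visualstudio.com`) are assumptions drawn from VS Code's own Remote Tunnels documentation; the event schema, the "sanctioned install path" heuristic and the sample events are constructed.

```python
"""Hunt for VS Code Remote Tunnel use from process and DNS telemetry (added example)."""
import re

# Assumptions from VS Code's Remote Tunnels docs: the tunnel host is started as `code tunnel`
# (code.exe on Windows) and talks to *.devtunnels.ms / *.tunnels.api.visualstudio.com.
TUNNEL_CMD_RE = re.compile(r"(?:^|[\\/ ])code(?:\.exe)?[\"']?\s+tunnel\b", re.IGNORECASE)
TUNNEL_DOMAIN_RE = re.compile(r"(?:^|\.)(devtunnels\.ms|tunnels\.api\.visualstudio\.com)$", re.IGNORECASE)
# Assumption: sanctioned developers run VS Code from its normal install location; a copy of the
# CLI dropped under a user profile or temp directory is the lure-delivered case to look for.
SANCTIONED_PATH_RE = re.compile(r"^(?:C:\\Program Files|/usr/(?:local/)?bin)", re.IGNORECASE)


def tunnel_indicators(events):
    """Group tunnel indicators per host; a host with both a command line and DNS hits is a strong lead."""
    per_host = {}
    for ev in events:
        host = per_host.setdefault(ev["host"], {"cmdlines": [], "domains": [], "unsanctioned_binary": False})
        if ev["type"] == "process" and TUNNEL_CMD_RE.search(ev["cmdline"]):
            host["cmdlines"].append(ev["cmdline"])
            if not SANCTIONED_PATH_RE.match(ev["image"]):
                host["unsanctioned_binary"] = True
        elif ev["type"] == "dns" and TUNNEL_DOMAIN_RE.search(ev["query"]):
            host["domains"].append(ev["query"])
    return {h: v for h, v in per_host.items() if v["cmdlines"] or v["domains"]}


def triage(events):
    """Rank hosts: 3 = tunnel CLI from an unsanctioned path, 2 = CLI plus DNS, 1 = one indicator only."""
    ranked = []
    for host, ind in tunnel_indicators(events).items():
        if ind["unsanctioned_binary"]:
            score = 3
        elif ind["cmdlines"] and ind["domains"]:
            score = 2
        else:
            score = 1
        ranked.append((score, host))
    return sorted(ranked, reverse=True)


# Constructed sample telemetry, not observed data. Host names and the tunnel subdomain are invented.
SAMPLE_EVENTS = [
    {"host": "ws-finance-07", "type": "process",
     "image": r"C:\Users\jsmith\AppData\Local\Temp\code.exe",
     "cmdline": r'"C:\Users\jsmith\AppData\Local\Temp\code.exe" tunnel --accept-server-license-terms --name ws-finance-07'},
    {"host": "ws-finance-07", "type": "dns", "query": "global.rel.tunnels.api.visualstudio.com"},
    {"host": "ws-finance-07", "type": "dns", "query": "7xk9q.devtunnels.ms"},
    {"host": "dev-laptop-02", "type": "process",
     "image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "cmdline": r'"C:\Program Files\Microsoft VS Code\Code.exe" --unity-launch'},
    {"host": "dev-laptop-02", "type": "dns", "query": "update.code.visualstudio.com"},
    {"host": "ws-hr-11", "type": "process",
     "image": r"C:\Program Files\Microsoft VS Code\code.exe",
     "cmdline": r'"C:\Program Files\Microsoft VS Code\code.exe" tunnel'},
]

if __name__ == "__main__":
    for score, host in triage(SAMPLE_EVENTS):
        print(score, host, tunnel_indicators(SAMPLE_EVENTS)[host])
```

The ordinary VS Code launch and update check on dev-laptop-02 produce nothing, which is the point: the detection keys on the `tunnel` subcommand and the tunnel-service domains, not on VS Code itself. The developer on ws-hr-11 who starts a tunnel from the real install still surfaces, but at a low score, so the policy question (are tunnels allowed here at all?) can be answered separately from the lure case.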
threatinsight.proofpoint.com
The group is impersonating trusted orgs and policymakers to target U.S. government, academic, and think tank targets.

Key finding 1️⃣: TA415 spoofed the U.S.-China Business Council and a senior congressional leader to deliver spearphishing lures tied to trade and sanctions policy.
TA415 phishing email spoofing US-China Business Council.
threatinsight.proofpoint.com
On September 2-3 some of the files attached to the issues had random file names and were encrypted. While they contained an executable with the same name, the threat actor did not provide the password for these files, so they could not be extracted or lead to any malware installation.
threatinsight.proofpoint.com
Although GitHub has removed some of the malicious comments, the links in the messages remained active as of September 3, including the actor-controlled URLs.
threatinsight.proofpoint.com
MD5: 4d8730a2f3388d018b7793f03fb79464
SHA1: cbc5b2181854a2672013422e02df9ea35c3c9e1c
SHA256: c8af1b27b718508574055b4271adc7246ddf4cec1c50b258d2c4179b19d0c839
threatinsight.proofpoint.com
&X-Amz-Date=20250903T111859Z&X-Amz-Expires=300&X-Amz-Signature=f0cd8226472614321e6b9e3b883bffe0adf9d9255af1207374947ea71d3c8f76&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3Bfilename%3Dfix.zip&response-content-type=application%2Fx-zip-compressed
threatinsight.proofpoint.com
Retrieved From: hxxps://objects[.]githubusercontent[.]com/github-production-repository-file-5c1aeb/195216627/22101425?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20250903%2Fus-east-1%2Fs3%2Faws4_request [...] [continued in next post]
threatinsight.proofpoint.com
The hash of the executable (and therefore the ZIP file) may vary depending on when the Lumma payload was built. Example:
File name: fix.zip
threatinsight.proofpoint.com
The downloaded file is always named “fix.zip”, which contains “x86_64-w64-ranlib.exe” and “msvcp140.dll”. If the executable is run, it launches #Lumma via “msbuild.exe”.
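Since the executable's hash changes with each Lumma build, a hash match is the wrong thing to key on; the stable indicator is the archive shape: a renamed executable packaged next to a `msvcp140.dll` it will load from its own directory. The following added example (not Proofpoint's code) triages an archive on that basis and also handles the password-protected variant mentioned in this thread, reporting encrypted members instead of failing on them. The member names come from the post; the sample archives are constructed from placeholder bytes and contain no real payload.

```python
"""Triage a downloaded archive for the fix.zip / Lumma pattern (added example)."""
import hashlib
import io
import zipfile

# Member names from the posts. Hashes change per build, so the stable signal is the pair:
# a renamed executable shipped next to a msvcp140.dll it will load from its own directory.
LURE_EXE = "x86_64-w64-ranlib.exe"
SIDELOAD_DLL = "msvcp140.dll"


def triage_zip(data: bytes) -> dict:
    """Hash readable members and flag the lure pair; password-protected members are reported, not read."""
    members = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.rsplit("/", 1)[-1].lower()  # match on basename, nesting is irrelevant
            entry = {"size": info.file_size, "encrypted": bool(info.flag_bits & 0x1), "sha256": None}
            if not entry["encrypted"]:
                try:
                    entry["sha256"] = hashlib.sha256(zf.read(info)).hexdigest()
                except RuntimeError:  # zipfile raises this for encrypted data it cannot open
                    entry["encrypted"] = True
            members[name] = entry
    return {
        "members": members,
        "lure_pair": LURE_EXE in members and SIDELOAD_DLL in members,
        "needs_password": any(m["encrypted"] for m in members.values()),
    }


def build_sample_zip() -> bytes:
    """Constructed stand-in for fix.zip: same member names, placeholder bytes, not the real payload."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(LURE_EXE, b"MZ" + b"\x00" * 62 + b"placeholder, not a real PE")
        zf.writestr(SIDELOAD_DLL, b"MZ" + b"\x00" * 62 + b"placeholder, not a real DLL")
    return buf.getvalue()


def build_benign_zip() -> bytes:
    """Constructed control archive with nothing of interest in it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", b"nothing to see here\n")
    return buf.getvalue()


if __name__ == "__main__":
    report = triage_zip(build_sample_zip())
    print("lure pair present:", report["lure_pair"], "needs password:", report["needs_password"])
    for name, m in report["members"].items():
        print(f"  {name}: {m['size']} bytes sha256={m['sha256']}")
```

The per-member SHA-256 is still recorded so a sample can be shared or matched later, but the verdict does not depend on it. Pairing this with a process rule for `msbuild.exe` spawned by something other than a build tool covers the execution step the post describes.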
threatinsight.proofpoint.com
They claim to provide a fix for the reported problem. People who get these emails may include: the issue creator, the repository owner, the issue assignee, or any watchers.
threatinsight.proofpoint.com
The comment includes either a link to the actor-controlled domain droplink[.]digital, a Dropbox URL, or a file attached directly to the issue (which creates a link to the file hosted on GitHub).
threatinsight.proofpoint.com
Threat actors continue to abuse GitHub to deliver malware, this time: #LummaStealer. We identified GitHub notification emails that kick off the attack chain. Messages are sent when the threat actor, using an actor-controlled account, comments on existing GitHub issues. 🧵
threatinsight.proofpoint.com
Threat actors are exploiting #Microsoft365 Direct Send to make their phishing campaigns appear to originate from inside an organization.

On this episode of DISCARDED, you'll hear why legacy features like Direct Send are a prime target for cybercriminals.

Stream now on our website: brnw.ch/21wVja5