AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

InfoSec News Nuggets 03/09/2026

Web Server Exploits and Mimikatz Used in Attacks Targeting Asian Critical Infrastructure

Palo Alto Networks Unit 42 has published a detailed investigation into a previously undocumented Chinese threat actor cluster — designated CL-UNK-1068 — that has been quietly compromising high-value organizations across South, Southeast, and East Asia since at least 2020 with little to no detection. Targeted sectors span aviation, energy, government, law enforcement, pharmaceuticals, technology, and telecommunications, with the group deploying a cross-platform toolkit of custom malware, GodZilla and AntSword web shells, Mimikatz for credential theft, Fast Reverse Proxy (FRP) for tunneling, and DLL side-loading of a Python-based loader — adapting techniques for both Windows and Linux environments. Unit 42 attributes the activity with high confidence to a Chinese state-linked actor based on tool origins, Simplified Chinese linguistic artifacts embedded in configurations, and consistent targeting of strategically significant infrastructure aligned with Beijing’s regional intelligence priorities.

Global Coalition Dismantles Tycoon 2FA Phishing Kit

Microsoft, Europol, and authorities from six countries partnered with eleven security firms to seize 330 domains powering Tycoon 2FA — one of the world’s most prolific phishing-as-a-service platforms — after the kit was used to send more than 30 million fraudulent messages a month at its November 2025 peak and successfully phished an estimated 96,000 distinct victims globally since its 2023 emergence, including more than 100 member organizations of Health-ISAC. The platform’s central innovation was an adversary-in-the-middle architecture that allowed even low-skilled cybercriminals to capture session cookies in real time and bypass multi-factor authentication at scale, selling full access to a configurable phishing dashboard via Telegram and Signal for $350 per month. Microsoft filed a civil complaint against alleged creator Saad Fridi and four unnamed associates seeking a $10 million injunction, and the operation follows a wave of similar takedowns including RaccoonO365 and the Lumma Stealer infostealer network that infected approximately 10 million systems.

FBI Investigating ‘Suspicious Activities’ on Agency Network Following February Incident

The FBI confirmed it is investigating suspicious activity on its own network after a platform used to support court-authorized wiretaps was reportedly accessed during a February incident that the agency declined to describe in detail, with a spokesperson saying only that it “identified and addressed suspicious activities on FBI networks” and that the matter is being investigated. The disclosure follows an earlier breach in which the agency’s InfraGard critical infrastructure information-sharing portal was compromised and members’ contact data was offered for sale on a criminal forum, and comes at a time when multiple U.S. law enforcement and intelligence platforms have faced increased targeting. Members of Congress were separately notified that the bureau is working to determine the scope and impact of the incident, per a notification reviewed by news outlets — though the FBI has not publicly confirmed whether the wiretap system itself was compromised or only adjacent infrastructure.

Ghanaian Pleads Guilty to Role in $100M Romance Scam

Derrick Van Yeboah, a 40-year-old Ghanaian national, pleaded guilty in a New York federal court to conspiracy to commit wire fraud for his role in a sprawling Ghana-based romance scam and business email compromise operation that caused more than $100 million in total losses — of which prosecutors attributed more than $10 million directly to Van Yeboah’s own conduct. Operating from Ghana alongside a network of co-conspirators, Van Yeboah spent years cultivating fictitious online romantic relationships with vulnerable victims before persuading them to wire money to gang-controlled accounts, while also impersonating corporate executives and suppliers in BEC schemes to fraudulently redirect business payments. Van Yeboah, who was extradited to the U.S. following an indictment last August, faces up to 20 years in prison at sentencing, with U.S. Attorney Jay Clayton warning the public to “never give money to someone you just met” online.

Multi-Stage VOID#GEIST Malware Delivering XWorm, AsyncRAT, and Xeno RAT

Securonix Threat Research has detailed a sophisticated new malware campaign dubbed VOID#GEIST that uses heavily obfuscated batch scripts as the entry point for a multi-stage infection chain culminating in the delivery of three distinct RATs — XWorm, AsyncRAT, and Xeno RAT — entirely in memory without dropping decrypted payloads to disk. The attack chain deploys a second-stage batch script that stages a legitimately sourced Python runtime pulled directly from python.org, then uses that interpreter to decrypt encrypted shellcode blobs stored as .bin files and inject them into separate instances of explorer.exe via Early Bird Asynchronous Procedure Call (APC) injection — a technique that inserts code before the target process’s main thread executes, dramatically reducing behavioral detection opportunities. Researchers warn that the campaign reflects a broader industry shift away from standalone executables toward complex, script-driven delivery frameworks engineered to closely mimic legitimate administrative activity and evade both signature-based and behavioral endpoint controls.
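The chain summarized above leaves a recognizable process-tree footprint: a batch script (cmd.exe) starting a Python interpreter that was staged outside any normal install location, that interpreter referencing .bin blobs on its command line, and explorer.exe instances whose parent is python.exe rather than the usual Windows logon processes. The following hunting heuristic is an added example, not code from the original post or from Securonix; the event records are constructed for this example with Sysmon-style field names, and the lists of "expected" explorer.exe parents and "standard" Python install roots are assumptions to be tuned per environment.

```python
"""Process-creation hunting heuristics for a VOID#GEIST-style chain.

Added example (not from the original post or Securonix). Field names mimic
Sysmon Event ID 1 (Image, ParentImage, CommandLine); the events below are
constructed for this example.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass
class ProcEvent:
    image: str          # full path of the created process
    parent_image: str   # full path of the parent process
    command_line: str   # command line of the created process


# Assumption: processes that normally start explorer.exe on a workstation.
EXPECTED_EXPLORER_PARENTS = {"userinit.exe", "explorer.exe", "winlogon.exe", "svchost.exe"}

# Assumption: substrings identifying normal Python install locations; a runtime
# staged anywhere else (e.g. %TEMP%) is treated as suspicious.
STANDARD_PY_MARKERS = (
    "c:\\program files\\python",
    "c:\\program files (x86)\\python",
    "c:\\python",
    "\\appdata\\local\\programs\\python\\",
)


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return PureWindowsPath(path).name.lower()


def is_standard_python_path(image: str) -> bool:
    p = image.lower()
    return any(marker in p for marker in STANDARD_PY_MARKERS)


def findings(ev: ProcEvent) -> list[str]:
    """Return the list of heuristics this single event trips (empty if none)."""
    out: list[str] = []
    img, parent = _name(ev.image), _name(ev.parent_image)
    if img in ("python.exe", "pythonw.exe"):
        if parent == "cmd.exe":
            out.append("python interpreter launched from cmd.exe (batch script)")
        if not is_standard_python_path(ev.image):
            out.append("python interpreter outside standard install locations")
        if ".bin" in ev.command_line.lower():
            out.append("python command line references a .bin blob")
    if img == "explorer.exe" and parent not in EXPECTED_EXPLORER_PARENTS:
        out.append(f"explorer.exe started by unexpected parent {parent}")
    return out


def hunt(events: list[ProcEvent]) -> list[tuple[int, list[str]]]:
    """Index and findings for every event that trips at least one heuristic."""
    return [(i, f) for i, ev in enumerate(events) if (f := findings(ev))]


# Constructed sample telemetry: one benign batch launch, one staged interpreter
# decrypting a .bin blob, one explorer.exe child of python.exe, one normal Python run.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe",
              "cmd.exe /c build.bat"),
    ProcEvent(r"C:\Users\alice\AppData\Local\Temp\py\python.exe",
              r"C:\Windows\System32\cmd.exe",
              "python.exe loader.py stage2.bin"),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Users\alice\AppData\Local\Temp\py\python.exe",
              "explorer.exe"),
    ProcEvent(r"C:\Program Files\Python312\python.exe",
              r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe",
              "python.exe app.py"),
]

if __name__ == "__main__":
    for idx, hits in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(hits))
```

Each heuristic on its own will produce noise (developers do run Python from cmd.exe); the value is in the combination, so in practice the three interpreter findings should be correlated with the explorer.exe parent anomaly on the same host within a short window before raising an alert.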