CloudSEK Updates

CloudSEK uncovered an advanced cryptojacking campaign by threat actor TA-NATALSTATUS, active since 2020 and now escalating globally in 2025. The group exploits exposed Redis servers in the US, Europe, Russia, India, and beyond, hijacking root access to install miners, disable defenses, and wipe out rivals. Their stealth tactics—binary hijacking, obfuscation, and persistence mechanisms—turn servers into long-term mining assets. CloudSEK advises immediate remediation, reimaging, and securing Redis instances.

Pakistan-linked APT36 (Transparent Tribe) launched a new cyber-espionage campaign targeting Indian government and defense entities. Active in August 2025, the group used phishing ZIP files containing malicious Linux “.desktop” shortcuts that downloaded payloads from Google Drive. The malware created persistence, evaded detection, and connected to a WebSocket C2 server (seemysitelive[.]store). Investigators urge blocking the C2 domain, scanning for indicators of compromise, and tightening email and endpoint defenses.

Ahead of India’s 79th Independence Day (August 2025), hacktivist groups and cybercriminals launched coordinated attacks targeting government, finance, and defense sectors. Fueled by the Pahalgam terror attack, threat actors from Pakistan, China, and others executed over 4,000 incidents, including phishing, fake websites, data breaches, and scams. APT groups like APT36 and SideCopy deployed credential theft campaigns. Citizens are urged to stay alert and report suspicious activity.

CloudSEK’s SVigil uncovered a misconfigured .git repository at a major roadside assistance and insurance vendor, exposing over 20GB of sensitive data tied to leading automotive brands. The leak included full source code, payment gateway tokens, cloud database credentials, and over 1 million PII records of customers and merchants. This flaw risked large-scale phishing, fraud, identity theft, and severe reputational damage across India’s automotive and insurance ecosystem.

Cybercriminals are exploiting the Raksha Bandhan festival globally with a surge of online shopping and phishing scams. They use fake websites, fraudulent gift offers, and imposter messages to trick victims into sharing personal data or making payments. To stay safe, experts advise verifying offers on official channels, using secure payment methods, and reporting fraud promptly to authorities like the National Cyber Crime Reporting Portal.

In July 2025, scammers in India used deepfake videos of influencer “Shweta Sharma” to run over 120 fake investment ads on Facebook and Instagram. The identity was stolen from real public figures, luring users to Telegram channels with false promises of fast stock market returns. Victims lost money in an ongoing cycle of payments. CloudSEK urges public awareness and legal action.

Cybercriminals targeted fans and teams at the 2025 Belgian Grand Prix (July 27, Spa-Francorchamps) with phishing emails, fake ticket sites, streaming scams, and counterfeit merchandise. The event’s popularity and reliance on tech made it a prime cyberattack target. A hacked official email in early 2024 led to major phishing campaigns. Fans and F1 teams are urged to follow strict cybersecurity practices to avoid scams and data theft.

CloudSEK discovered a new Epsilon Red ransomware campaign targeting users globally via fake ClickFix verification pages. Active since July 2025, threat actors use social engineering and impersonate platforms like Discord, Twitch, and OnlyFans to trick users into executing malicious .HTA files through ActiveX. This leads to silent payload downloads and ransomware deployment. Users are urged to disable ActiveX, block attacker IPs, and train against such lures.

In July 2025, CloudSEK analyzed how misinformation and recycled breach data—from forums, media, and researchers—flood threat intel teams with false alarms. High-profile cases like the “16 Billion Credential Leak” and ICMR breach were inflated using old or fake data. This noise wastes up to 25% of security teams’ time. The report offers a clear framework to verify breach legitimacy, reduce alert fatigue, and focus on real, high-priority cyber threats.