CloudSEK Updates

APT35 (Charming Kitten) operates a professional malware ecosystem featuring Saqeb System and RAT-2AC2 RATs, custom webshells, and FUD-tested modules. The group’s C2 uses TOR, multi-hop relays, and encrypted traffic for persistence and stealth. Targeting airlines, law enforcement, and regional infrastructure (2022-2025), it links cyber operations to IRGC geopolitical objectives

CloudSEK’s TRIAD team analyzed leaked internal documents from Iran-linked APT35 (Charming Kitten), revealing its structure, tools, and espionage operations. The group—tied to the IRGC—targeted government, legal, energy, and financial sectors across the Middle East, U.S., and Asia through phishing, CVE exploits, and supply-chain attacks. The leak exposes Iran’s organized cyber-espionage network capable of long-term persistence, data theft, and national security risks

CloudSEK uncovered a large-scale Loader-as-a-Service botnet distributing RondoDoX, Mirai, and Morte payloads through SOHO routers, IoT devices, and enterprise apps. Exploiting weak credentials, unsanitized inputs, and old CVEs, the campaign surged 230% in mid-2025, weaponizing compromised devices for cryptomining, DDoS, and enterprise intrusions. With rapid infrastructure rotation and multi-architecture malware, the threat is evolving fast—making early detection and defense critical

Threat actors are exploiting a fake Microsoft Teams download site to deliver the Odyssey macOS stealer via Clickfix. Once executed, the malware harvests credentials, cookies, Apple Notes, and crypto wallets, exfiltrating data to a C2 server before ensuring persistence through LaunchDaemons and even replacing Ledger Live with a trojanized version. The campaign poses severe risks of credential theft, financial loss, and long-term reinfection.

CloudSEK’s SVigil uncovered a misconfigured SPF record in a leading logistics SaaS provider’s domain—an oversight that opened the door to phishing, BEC, and large-scale fraud. For a company powering global supply chains, this flaw could have crippled trust and operations. Read how SVigil stopped a silent threat before it caused real damage.

Cybercriminals are targeting Formula 1 fans and teams ahead of the Dutch Grand Prix on August 31, 2025, with advanced threats including AI deepfakes impersonating executives, malicious F1 mobile apps, fake hospitality packages, crypto/NFT scams, and telemetry data theft. Fraudsters exploit regulatory gaps and fan demand for tickets, travel, and streaming. CloudSEK urges fans to use official sources and teams to strengthen verification, monitoring, and cybersecurity measures.

As Ganesh Chaturthi approaches, cybercriminals exploit festive cheer with fake offers, including sham idols, prizes, and fraudulent loans. These scams spread through social media and phishing websites, targeting Indian consumers. Read the full report to learn how to identify these threats and protect your money and data this festival season.

A Chinese-speaking threat group is exploiting Indonesia’s state pension fund, TASPEN, to launch a sophisticated mobile malware campaign targeting senior citizens. Disguised as an official app, the spyware steals banking credentials, OTPs, and even biometric data, enabling large-scale fraud. Beyond financial loss, the attack erodes public trust, threatens Indonesia’s digital transformation, and sets a dangerous precedent for pension fund attacks across Southeast Asia.

A new ClickFix social engineering attack weaponizes AI summarizers. Threat actors hide malicious instructions in documents using CSS obfuscation and prompt overdose. This makes the code invisible to humans but fully readable to AI models. When a user summarizes the content, the AI-generated output delivers the malicious payload, tricking the user into executing ransomware. Organizations must implement content sanitization and user awareness to mitigate this risk.