CloudSEK Updates

CloudSEK’s report details a persistent nine-month RondoDoX botnet campaign targeting IoT devices and web applications. Recently, the threat actors have shifted to weaponizing a critical Next.js vulnerability, deploying malicious payloads like "React2Shell" and cryptominers. This analysis offers crucial insights into their evolving infrastructure and provides defensive recommendations to mitigate these sophisticated attacks.

CloudSEK's TRIAD reveals a critical campaign by the Chinese "Silver Fox" APT targeting Indian entities with authentic-looking Income Tax phishing lures. While previously misattributed to SideWinder, this sophisticated attack leverages a complex kill chain involving DLL hijacking and the modular Valley RAT to ensure persistence. Discover the full technical breakdown and why accurate attribution is essential for effective defense.

CloudSEK has uncovered 2,000+ fake holiday-themed online stores ahead of Black Friday, including Amazon-lookalikes and .shop domains mimicking global brands. These coordinated scams use identical phishing kits, fake urgency tactics, and shell checkout pages, posing major risks to consumers. Full findings available in the detailed research report.

Over the past decade, the English-speaking cybercriminal ecosystem commonly referred to as “The COM” has undergone a profound transformation. What began as a niche subculture centered on the trading of what is called “OG Usernames (original gangster)”

APT35 (Charming Kitten) operates a professional malware ecosystem featuring Saqeb System and RAT-2AC2 RATs, custom webshells, and FUD-tested modules. The group’s C2 uses TOR, multi-hop relays, and encrypted traffic for persistence and stealth. Targeting airlines, law enforcement, and regional infrastructure (2022-2025), it links cyber operations to IRGC geopolitical objectives

CloudSEK’s TRIAD team analyzed leaked internal documents from Iran-linked APT35 (Charming Kitten), revealing its structure, tools, and espionage operations. The group—tied to the IRGC—targeted government, legal, energy, and financial sectors across the Middle East, U.S., and Asia through phishing, CVE exploits, and supply-chain attacks. The leak exposes Iran’s organized cyber-espionage network capable of long-term persistence, data theft, and national security risks

CloudSEK uncovered a large-scale Loader-as-a-Service botnet distributing RondoDoX, Mirai, and Morte payloads through SOHO routers, IoT devices, and enterprise apps. Exploiting weak credentials, unsanitized inputs, and old CVEs, the campaign surged 230% in mid-2025, weaponizing compromised devices for cryptomining, DDoS, and enterprise intrusions. With rapid infrastructure rotation and multi-architecture malware, the threat is evolving fast—making early detection and defense critical

Threat actors are exploiting a fake Microsoft Teams download site to deliver the Odyssey macOS stealer via Clickfix. Once executed, the malware harvests credentials, cookies, Apple Notes, and crypto wallets, exfiltrating data to a C2 server before ensuring persistence through LaunchDaemons and even replacing Ledger Live with a trojanized version. The campaign poses severe risks of credential theft, financial loss, and long-term reinfection.

CloudSEK’s SVigil uncovered a misconfigured SPF record in a leading logistics SaaS provider’s domain—an oversight that opened the door to phishing, BEC, and large-scale fraud. For a company powering global supply chains, this flaw could have crippled trust and operations. Read how SVigil stopped a silent threat before it caused real damage.