Top Security Threats for July 2022


The Monthly Intelligence Insights published by Securonix Threat Labs provides a summary of the total number of threats tracked and highlights the top threats during the month. It also provides a synopsis of the threats, indicators of compromise (IOCs), tactics, techniques and procedures (TTPs), and related tags. In the month of July 2022, Securonix Threat Labs analyzed and monitored major threat categories, including multiple cyber campaigns involving ransomware, malware attack on Linux-based servers, and threat actors like Luna Moth, Hagga, APT29.

A number of mobile malwares were active during the month targeting both Android and iOS users including- Revive, an Android malware targeting BBVA bank accounts in Spain by imitating the bank’s 2FA application, followed by a smishing campaign by Roaming Mantis Group that targeted Android and iOS users in France.

Additionally, other mobile malware campaigns have impacted more than 4 million Android users in two different malware campaigns named as Autolycos and HiddenAds. Threat Labs has also identified a new dropper-as-a-service (DaaS) model, which uses DawDropper, a malicious dropper with variants that dropped four banking Trojans.

In July 2022, Securonix Autonomous Threat Sweeper (ATS) identified 4,005 IOCs, 115 distinct threats, and reported 87 threat detections. The top data sources swept against include email/email security, cloud application security broker, authentication/single sign-on, and web application firewall.


During the month of July 2022, there were a lot of threats which created noise. Below are a few of the potential threats which Threat Labs believe are significant to highlight.


Threat actor Luna Moth or TG2729

Luna Moth or TG2729 is a new ransomware group operating since the end of March 2022. The group follows a double extortion attack method, where they infiltrate the target network via phishing, gain access to sensitive data, demand payment, or threaten to publish data. In the similar phishing campaign, the group managed to infiltrate MasterClass and Duolingo subscribers, by masquerading as Zoho MasterClass Inc. and Duolingo.

Threat actor Hagga

Threat Actor Hagga operated a backend MySQL database server linked from an Agent Tesla C2 server. The infrastructure was hosted on dedicated leased providers including QuadraNet and Vietnam Posts and Telecommunications. Additionally C2s have been identified hosting the Mana Tool C2 panel.

AiTM phishing campaign

A massive phishing campaign that used adversary-in-the-middle (AiTM) phishing sites stole passwords, hijacked a user’s sign-in session, and skipped the authentication process even if the user had enabled multi factor-authentication (MFA). The attackers used the stolen credentials and session cookies to access victim mailboxes and perform follow-on business email compromise (BEC) campaigns against other targets.

Threat actor APT29/Cloaked Ursa

Russian APT group APT29 is leveraging trusted online storage services, including DropBox and Google Drive to deliver malware to businesses and government agencies. Cybercriminals breach the millions of users’ trust in online storage services by leveraging them to exfiltrate data and spread their malware and dangerous tools, making their attacks extremely difficult or even impossible to identify and prevent.

Red-teaming tools abused  by threat actors

The red-teaming tool Brute Ratel C4 has started being abused by malicious cyber actors and mostly targeting large virtual private server (VPS) hosting providers in several countries and regions. In this campaign, the bad guys are leveraging APT29 techniques, but attribution is not conclusive.

STIFF#BIZON phishing campaign

The newly active campaign tracked as STIFF#BIZON, also attributed to North Korean actor APT37, is targeting high-value organizations in the Czech Republic, Poland, and other nations in Europe. In this campaign, the hackers used remote access trojan (RAT) Konni malware, which is capable of establishing persistence and performing privilege escalation on the host.



Securonix Threat Labs has continued to monitor top malware activities which are targeting government, education, and telecommunication sectors. The attackers used various backdoors and malware such as BumbleBee Loader, Vsingle Malware, Orbit Malware, and YamaBot malware with different TTPs.


BumbleBee loader

A recently discovered Bumblebee malware loader has been found to be connected to a number of noticeable ransomware groups and has been a key component of many cyberattacks. New findings by Securonix Threat Labsdemonstrates that the tool has links to threat groups such as Conti, Quantum and Mountlocker, per the team’s blog entry.

Vsingle malware

In a recent campaign Lazarus group has been using the updated version of Vsingle malware which can retrieve C2 servers information from GitHub. VSingle generally has two versions, one targeting Windows OS and the other targeting Linux OS.

Orbit malware

A new malware dubbed Orbit has come up which steals data and can affect all processes running on the Linux OS. The malware has advanced evasive techniques and it gains persistence by hooking key functions such as remote access capabilities over SSH, harvesting credentials.

YamaBot malware

The Lazarus group has been quite active in recent months and this month they have chosen to deploy a new malware dubbed YamaBot on its target. YamaBot is written in the Golang language, and targets Linux OS and Windows OS or both.

SmokeLoader malware

In a new campaign it was discovered that a new version of Amadey Bot was being installed by SmokeLoader malware. Users download the malware impersonating as software cracks and serial generation programs from websites. The software targeted are Mikrotik Router Management Program Winbox, Outlook, FileZilla, Pidgin, Total Commander FTP Client, RealVNC, TightVNC, TigerVNC, and WinSCP.

Lightning Framework malware

A new undetected malware dubbed Lightning Framework targets Linux systems and can be used to backdoor infected devices using SSH and deploy rootkits to cover the attackers’  paths. This malware has both active and passive capabilities for communication with the threat actors. The malware opens SSH on an infected machine and supports mixed adaptable command and control configuration.



Ransomware attacks were on the rise and continued to be a disruptive force in the cybersecurity industry. They are showing no signs of slowing down and are affecting everything from financial institutions to healthcare sectors.


Maui ransomware

The month has started with a joint advisory shared by CISA, FBI, Treasury, sharing information on Maui ransomware. Maui has been used by North Korea state-sponsored hackers to attack healthcare organizations across the U.S since May 2021.

Maui ransomware (maui.exe) appears to be designed for manual execution by a remote actor. The remote actor uses a command-line interface to interact with the malware and to identify files to encrypt.

H0lyGh0st ransomware/DEV-0530

H0lyGh0st ransomware is an infection that came out last year but has reached a new attack strategy right now. The payload has been used by a North-Korean named “DEV-0530”. DEV-0530 has leveraged H0lyGh0st ransomware under two malware families known as SiennaPurple and SiennaBlue.

Everest ransomware

Everest Ransomware Group has been active for quite a while now, and in the recent campaign researchers have analyzed the ransomware’s binary and identified new tactics, techniques, and procedures (TTPs). Moreover, researchers also attributed the sample to the BlackByte ransomware group.

LockBit ransomware evolution

LockBit ransomware was first detected in September 2019 and the group has since released multiple variants. The operators behind the LockBit follow the RaaS model. This month Threat Labs tracked two new variants LockBit 2.0 and LockBit 3.0 (LockBit Black) which launched ransomware.

LockBit 2.0 can spread quickly using its own malware and tools to launch its attacks. The initial infection vector was a misconfigured service, specifically a publicly available RDP port to deliver  LockBit 2.0.

Lockbit 3.0 code shows similarities between the new version and samples related to ransomware families like BlackMatter and DarkSide, which suggest possible correlation between these threat groups.

Moreover, the operators of LockBit 3.0 have introduced new management features for affiliates and added Zcash for victim payments in addition to Monero and Bitcoin.



Securonix Threat Labs has been monitoring ransomware activities, and recommends organizations follow the steps below to avoid ransomware attacks:

  • Review the security controls and make sure they continue to meet your organization’s needs.
  • Implement network segmentation and maintain offline backups of data to ensure limited interruption to your organization.
  • Audit user accounts with administrative privileges and configure access controls according to the principle of least privilege.
  • Disable unused ports and enable multi-factor authentication (2FA).
  • 65 IOCs are available on our Github repository and automatically swept against for Autonomous Threat Sweeper customers.