Cyber Threat Trends

Summary: 2025/04/28 22:31

First reported date: 2013/03/05
Inquiry period : 2025/03/29 22:31 ~ 2025/04/28 22:31 (1 months), 53 search results

전 기간대비 동일한 트렌드를 보이고 있습니다.
전 기간대비 상승한 Top5 연관 키워드는 c&c Phishing Advertising target Email 입니다.
악성코드 유형 Xloader Viper ViperSoftX 도 새롭게 확인됩니다.
공격자 SideCopy 도 새롭게 확인됩니다.
공격기술 RCE 도 새롭게 확인됩니다.
기관 및 기업 Binance AhnLab 도 새롭게 확인됩니다.
기타 Threat Actor CERTUA 파일 MWNEWS 등 신규 키워드도 확인됩니다.

* 최근 뉴스기사 Top3:
    ㆍ 2025/04/28 IR Trends Q1 2025: Phishing soars as identity-based attacks persist
    ㆍ 2025/04/23 How Threat Intelligence Feeds Help During Incident Response
    ㆍ 2025/04/23 Introducing ToyMaker, an Initial Access Broker working in cahoots with double extortion gangs

Date range button:

First seen:

Last seen:

Keyword

Trend graph by period

Related keyword cloud

Top 100

#	Trend	Count	Comparison
1	powershell	53	- 0 (0%)
2	Malware	38	▼ -8 (-21%)
3	Campaign	27	▼ -4 (-15%)
4	Windows	24	▼ -6 (-25%)
5	Microsoft	23	▼ -4 (-17%)
6	c&c	22	▲ 5 (23%)
7	Phishing	20	▲ 1 (5%)
8	Update	20	- 0 (0%)
9	Advertising	18	▲ 2 (11%)
10	Report	17	▼ -8 (-47%)
11	Victim	16	▼ -7 (-44%)
12	Exploit	16	▼ -2 (-13%)
13	target	16	▲ 2 (13%)
14	IoC	16	▼ -5 (-31%)
15	attack	14	▼ -5 (-36%)
16	United States	14	▼ -2 (-14%)
17	Email	13	▲ 2 (15%)
18	Software	13	▲ 5 (38%)
19	Russia	12	▲ 2 (17%)
20	Stealer	11	▼ -9 (-82%)
21	NetWireRC	11	▼ -2 (-18%)
22	Kaspersky	11	▲ 1 (9%)
23	Vulnerability	10	▼ -9 (-90%)
24	Distribution	10	- 0 (0%)
25	GameoverP2P	9	- 0 (0%)
26	Ucraina	9	▲ 7 (78%)
27	VBScript	9	▼ -1 (-11%)
28	GitHub	9	▼ -3 (-33%)
29	intelligence	9	- 0 (0%)
30	Operation	8	▼ -3 (-38%)
31	Ransomware	8	▲ 1 (13%)
32	Browser	7	▼ -3 (-43%)
33	Education	7	▲ 2 (29%)
34	Linux	7	▲ 3 (43%)
35	Social Engineering	7	▼ -3 (-43%)
36	Java	6	▼ -2 (-33%)
37	MFA	6	▼ -2 (-33%)
38	WMI	6	▲ 4 (67%)
39	RCE	6	▲ new
40	Remcos	6	▲ 1 (17%)
41	Government	6	▲ 2 (33%)
42	RAT	6	▲ 1 (17%)
43	Backdoor	6	- 0 (0%)
44	Black Basta	5	▲ 4 (80%)
45	Trojan	5	- 0 (0%)
46	Cobalt Strike	5	▼ -1 (-20%)
47	EDR	5	▼ -2 (-40%)
48	Downloader	5	▲ 4 (80%)
49	Lumma	4	▼ -5 (-125%)
50	China	4	▼ -4 (-100%)
51	South Korea	4	▲ 2 (50%)
52	North Korea	4	- 0 (0%)
53	Telegram	4	▼ -3 (-75%)
54	Android	4	▲ 3 (75%)
55	RATel	4	▲ 1 (25%)
56	Vawtrak	4	▲ 1 (25%)
57	Twitter	4	▼ -6 (-150%)
58	Red Team	4	▲ 3 (75%)
59	ZeroDay	4	▲ 1 (25%)
60	LinkedIn	4	▼ -5 (-125%)
61	Cisco	4	▼ -1 (-25%)
62	SMB	4	- 0 (0%)
63	VPN	4	▲ 2 (50%)
64	Cryptocurrency	4	▼ -3 (-75%)
65	Criminal	4	▼ -9 (-225%)
66	hijack	4	▲ 2 (50%)
67	Chrome	4	▼ -1 (-25%)
68	Remote Code Execution	3	▼ -13 (-433%)
69	DYEPACK	3	▲ 2 (67%)
70	Xloader	3	▲ new
71	fake	3	▲ 2 (67%)
72	Threat	3	▲ new
73	Germany	3	▲ 2 (67%)
74	Binance	3	▲ new
75	Taiwan	3	- 0 (0%)
76	ClickFix	3	- 0 (0%)
77	Password	3	- 0 (0%)
78	Australia	3	▲ 1 (33%)
79	hacking	3	- 0 (0%)
80	Actor	2	▲ new
81	Viper	2	▲ new
82	CERTUA	2	▲ new
83	ViperSoftX	2	▲ new
84	AhnLab	2	▲ new
85	Tick	2	▲ 1 (50%)
86	파일	2	▲ new
87	PoC	2	▲ 1 (50%)
88	DarkWeb	2	▼ -2 (-100%)
89	MWNEWS	2	▲ new
90	IcedID	2	▼ -2 (-100%)
91	Google	2	▼ -4 (-200%)
92	공격	2	▲ new
93	AsyncRAT	2	▼ -5 (-250%)
94	Alert	2	▲ new
95	Iran	2	▼ -1 (-50%)
96	Military	2	▲ new
97	SideCopy	2	▲ new
98	MimiKatz	2	▼ -5 (-250%)
99	India	2	▲ 1 (50%)
100	VMware	2	- 0 (0%)

Special keyword group

Top 5

Malware Type

This is the type of malware that is becoming an issue.

Keyword	Average	Label
NetWireRC		11 (13.3%)
GameoverP2P		9 (10.8%)
Ransomware		8 (9.6%)
Remcos		6 (7.2%)
RAT		6 (7.2%)

Attacker & Actors

The status of the attacker or attack group being issued.

Keyword	Average	Label
Tick		2 (25%)
SideCopy		2 (25%)
Kimsuky		2 (25%)
Gamaredon		2 (25%)

Technique

This is an attack technique that is becoming an issue.

Keyword	Average	Label
Campaign		27 (24.3%)
Phishing		20 (18%)
Exploit		16 (14.4%)
Stealer		11 (9.9%)
Social Engineering		7 (6.3%)

Country & Company

This is a country or company that is an issue.

Keyword	Average	Label
Microsoft		23 (20%)
United States		14 (12.2%)
Russia		12 (10.4%)
Kaspersky		11 (9.6%)
Ucraina		9 (7.8%)

Threat info

Last 5

SNS

(Total : 17)

Total keyword

powershell Malware target Attacker NetWireRC Russia Kaspersky Email Stealer Phishing ClickFix Remcos Ucraina Campaign Ransomware DCRat VBScript Microsoft Browser Rhadamanthys Government attack ZeroDay Update RCE Iran Exploit Downloader Xloader Palo Alto Networks North Korea Advertising Binance SectopRAT CVSS RAT Gamaredon Germany Backdoor Ukraine Cisco Lumma hijack Report ...

No	Title	Date
1	Threat Intelligence @threatintel #ThreatProtection Interlock ransomware group uses ClickFix social engineering, fake CAPTCHAs & PowerShell to deploy malware payloads. Read more about Symantec's protection: https://t.co/JGooj4A0XI #CyberThreat #Ransomware	2025.04.22
2	Cyber_OSINT @Cyber_O51NT A recent multi-stage malware attack utilizes .JSE and PowerShell to deliver Agent Tesla, Remcos RAT, and XLoader, as noted by Palo Alto Networks' Saqib Khanzada, who highlights attackers' tactics to evade detection and ensure payload execution. https://t.co/i7vn5wZL9L	2025.04.18
3	The Hacker News @TheHackersNews ???? Microsoft Alert: Node.js-Powered Malware Campaign Ongoing... Since Oct 2024, fake Binance & TradingView installers have been used to deploy malware via Node.js and PowerShell. Linked threats include ClickFix tricks, SectopRAT malware, fake PDF tools, and HR-themed phishing https://t.co/0J	2025.04.17
4	Threat Insight @threatinsight If the target recipient opens attachments and allows execution (PDF -> URL -> zipped LNK -> PowerShell -> Ransomware), we have seen ransom examples like the below. PowerShell downloads and runs an executable which encrypts files (file extension: .flocked). This has previously https://t.c	2025.04.17
5	Threat Insight @threatinsight UNK_RemoteRogue (Russia): In Dec 2024, a targeted campaign used compromised infrastructure to send emails to people linked to a defense industry manufacturer. The emails contained directions in Russian to copy malicious PowerShell code from the browser to their terminal. https://t.co/8c7S1wTplG	2025.04.17

News

(Total : 36)

Total keyword

powershell Malware Windows Campaign c&c Microsoft Attacker Update Advertising Phishing IoC Report Victim Exploit United States Software attack target Vulnerability Email Distribution GameoverP2P intelligence GitHub Operation Stealer Russia NetWireRC Education VBScript Linux Kaspersky MFA Ransomware Social Engineering Java Ucraina WMI Cobalt Strike Browser Backdoor RCE RAT Trojan Black Basta EDR Chrome VPN South Korea Downloader Android Government China Criminal Red Team Twitter SMB Cryptocurrency Vawtrak LinkedIn RATel Telegram DYEPACK hacking Lumma ZeroDay Remcos North Korea hijack Password Australia Taiwan Remote Code Execution Cisco Binance ViperSoftX Viper AsyncRAT schtasks Xloader VMware Tick CACTUS PoC MimiKatz DarkWeb SideCopy Copy-Paste India Exploit Kit AhnLab Kimsuky IcedID Japan Firefox ...

No	Title	Date
1	IR Trends Q1 2025: Phishing soars as identity-based attacks persist - Malware.News	2025.04.28
2	How Threat Intelligence Feeds Help During Incident Response - Malware.News	2025.04.23
3	Introducing ToyMaker, an Initial Access Broker working in cahoots with double extortion gangs - Malware.News	2025.04.23
4	ATT&CK v17: New Platform (ESXi), Collection Optimization, & More Countermeasures - Malware.News	2025.04.23
5	Getting the Most Value Out of the OSCP: The Exam - Malware.News	2025.04.22

Additional information

No	Title	Date
1	Introducing XSIAM 3.0 - Malware.News	2025.04.28
2	Deploy Bravely with Prisma AIRS - Malware.News	2025.04.28
3	2025 Cyber Resilience Research Discovers Speed of AI Advancing Emerging Attack Types - Malware.News	2025.04.28
4	Intel CEO Targets Change in Corporate Culture to Shape Up - Bloomberg Technology	2025.04.28
5	IR Trends Q1 2025: Phishing soars as identity-based attacks persist - Malware.News	2025.04.28
View only the last 5

No	Title	Date
1	IR Trends Q1 2025: Phishing soars as identity-based attacks persist - Malware.News	2025.04.28
2	IR Trends Q1 2025: Phishing soars as identity-based attacks persist - Malware.News	2025.04.28
3	Introducing ToyMaker, an Initial Access Broker working in cahoots with double extortion gangs - Malware.News	2025.04.23
4	Introducing ToyMaker, an Initial Access Broker working in cahoots with double extortion gangs - Malware.News	2025.04.23
5	Introducing ToyMaker, an Initial Access Broker working in cahoots with double extortion gangs - Malware.News	2025.04.23
View only the last 5

No	Request	Hash(md5)	Report No	Date
1	nums.vbs Generic Malware Antivirus PowerShell	fe71e84d826e568fb59858c87d53d966	60252	2025.04.28
2	nums.vbs Generic Malware Antivirus PowerShell	99478b4bbce91c6b394be55e1b9df39d	59870	2025.04.23
3	prevenue.hta AntiDebug AntiVM PowerShell MSOffice File	a3353ea094f45915408065d03ae157c4	59871	2025.04.23
4	wsoj.hta AntiDebug AntiVM PowerShell MSOffice File	0dd2d15b3a13e7c7728997084bd6fb65	59873	2025.04.23
5	sfmw.hta AntiDebug AntiVM PowerShell MSOffice File	f32e7891e2cfc58230057a506325c3c8	59872	2025.04.23
View only the last 5

Level	Description
danger	The process wscript.exe wrote an executable file to disk which it then attempted to execute
watch	A potential heapspray has been detected. 58 megabytes was sprayed onto the heap of the powershell.exe process
watch	Communicates with host for which no DNS query was performed
watch	Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe
watch	One or more non-whitelisted processes were created
notice	A process created a hidden window
notice	Allocates read-write-execute memory (usually to unpack itself)
notice	Checks adapter addresses which can be used to detect virtual network interfaces
notice	Checks for the Locally Unique Identifier on the system for a suspicious privilege
notice	Creates a shortcut to an executable file
notice	Creates a suspicious process
notice	File has been identified by 8 AntiVirus engines on VirusTotal as malicious
notice	HTTP traffic contains suspicious features which may be indicative of malware related traffic
notice	One or more potentially interesting buffers were extracted
notice	Performs some HTTP requests
notice	Poweshell is sending data to a remote host
notice	URL downloaded by powershell script
info	Checks amount of memory in system
info	Checks if process is being debugged by a debugger
info	Command line console output was observed
info	Powershell script has download & invoke calls
info	Queries for the computername
info	Uses Windows APIs to generate a cryptographic key
Network	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
Network	ET INFO Executable Download from dotted-quad Host
Network	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
Network	ET INFO PS1 Powershell File Request
Network	ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
Network	ET POLICY PE EXE or DLL Windows file download HTTP

No data

No	URL	CC	ASN Co	Reporter	Date
1	https://paste.ee/d/foOP0g8Z/0 ascii powershell ps1			abuse_ch	2025.04.25
2	http://176.65.134.8/metacodings.txt ascii AsyncRAT powershell ps1 rat	DE	Diogelo Ltd.	abuse_ch	2025.04.25
3	https://paste.ee/d/L8tHN98p/0 ascii powershell ps1 xworm			abuse_ch	2025.04.25
4	https://www.wilkinsonbeane.com/css/slider/asclepiadaceaebOet.php ascii opendir powershell ps1	US	UNIFIEDLAYER-AS-1	abuse_ch	2025.04.25
5	https://www.wilkinsonbeane.com/css/slider/sciurineslwWf.php ascii opendir powershell ps1	US	UNIFIEDLAYER-AS-1	abuse_ch	2025.04.25
View only the last 5

Beta Service, If you select keyword, you can check detailed information.