Active Ransom Demands Issued by Medusa Ransomware Group
- SISA Weekly Threat Watch -

In the past week, critical cybersecurity threats have emerged, with significant vulnerabilities being reported across various platforms. Recent cybersecurity incidents include:
- Chaos RAT Campaign Exploiting Fake Network Tools to Target Windows and Linux
- Threat Alert: Lazarus Group Deploying New Malware Samples
- Active Ransom Demands Issued by Medusa Ransomware Group
- AMOS Stealer Targeting macOS via Fake Spectrum CAPTCHA in Clickfix Campaign
- PumaBot Campaign Targeting Linux Devices with SSH Brute Force and PAM Credential Theft
These developments underscore the urgent need for organizations to stay vigilant and apply security updates promptly.
SISA Weekly Threat Watch, our weekly feature, brings you a quick snapshot of the major security vulnerabilities that posed a threat to organizations worldwide. These recurring, actionable threat advisories also provide information and recommendations to help security teams take appropriate action against the latest critical threats.
1. Chaos RAT Campaign Exploits Fake Network Tools to Target Windows and Linux
A new variant of the Chaos Remote Access Trojan (RAT) is actively targeting both Windows and Linux platforms. Written in Golang, Chaos RAT leverages open-source availability to deliver remote access, file manipulation, surveillance, and cryptocurrency mining. Distributed via phishing emails disguised as tools like NetworkAnalyzer.tar.gz, it establishes persistence by modifying Linux cron jobs. Its design mirrors advanced tools like Cobalt Strike, making detection harder and enabling both advanced and low-tier attackers. Recent vulnerabilities (CVE-2024-30850, CVE-2024-31839) in its admin panel were patched in May 2024, but risks remain. Parallel campaigns are also targeting Trust Wallet users via clipboard hijacking and credential theft.
Recommendations to mitigate this threat include validating downloads with checksums, monitoring cron jobs for unauthorized changes, restricting execution of downloaded archives, implementing allowlisting and behavior monitoring, conducting phishing awareness training, enforcing MFA, monitoring system activity, deploying EDR/XDR solutions, confining any testing of Chaos RAT samples to a sandbox, and auditing admin panels for vulnerabilities.
2. Threat Alert: Lazarus Group Deploys New Malware Sample
A new malware sample linked to North Korea’s Lazarus Group (APT38) surfaced on 30 May 2025. Disguised as Zoom_SDK_Update.scpt, the AppleScript-based payload is suspected to be part of Lazarus’s financially motivated operations, likely run by its CryptoCore subgroup. While the exact infection method is unclear, spear-phishing is the probable vector. The malware mimics software updates and attempts communication with spoofed domains (e.g., support.us05biz-zoom[.]us) but didn’t deliver follow-up payloads during analysis. Lazarus, active since 2018, remains focused on targeting financial institutions, crypto exchanges, and blockchain platforms using spoofed domains, VBScript loaders, and inter-organizational trust exploitation.
Recommendations to mitigate this threat include employee phishing awareness training, enforcing MFA, limiting admin privileges, enabling behavioral analytics in endpoint tools, continuous monitoring for unusual system/network activity, applying strict patch management, disabling unused remote protocols, enforcing least privilege access, segmenting networks, and aligning incident response procedures with PCI DSS guidelines and best practices like Visa’s PCI Compliance Portal.
3. Active Ransom Demands Issued by Medusa Ransomware Group
Between May 27 and May 30, 2025, multiple U.S. organizations—including Town of North Providence, RE/MAX, Presort First Class, and Bailey’s Catering—were targeted in coordinated ransomware attacks involving data theft and extortion. Ransom demands ranged from $100,000 to $200,000, with attackers threatening to leak financial records, personal data, and corporate files. In some cases, data exfiltration reached up to 279 GB. The campaigns used time-limited extortion notices to pressure victims. While attribution isn’t officially confirmed, the tactics align with financially motivated ransomware groups.
Recommendations to mitigate this threat include activating incident response protocols, preserving forensic evidence, isolating infected systems, segmenting networks, performing detailed forensic reviews, and re-imaging compromised hosts. Organizations should restore from verified clean backups, notify stakeholders, comply with legal reporting mandates, and involve law enforcement. Continuous monitoring through EDR/XDR solutions, threat intelligence tracking, and updated IDS/IPS detection rules is essential to identify any lingering footholds or future targeting.
4. AMOS Stealer Targets macOS via Fake Spectrum CAPTCHA in Clickfix Campaign
Researchers have identified a malicious campaign distributing a new variant of Atomic macOS Stealer (AMOS), using typosquatted domains mimicking Spectrum, a U.S. telecom provider. Linked to Russian-speaking hackers, the campaign employs dynamic payload delivery based on OS detection. macOS users encounter fake CAPTCHA pages prompting them to execute malicious shell scripts in their terminal, allowing credential theft and malware installation. The attack demonstrates poor implementation—mixing Windows and macOS instructions—but still poses serious multi-platform risks. The macOS payload repeatedly harvests system passwords, downloads AMOS variants (like Poseidon and Odyssey), and exfiltrates credentials, crypto wallets, and sensitive data.
Recommendations to mitigate this threat include training users to avoid executing terminal commands from untrusted sites, enforcing Gatekeeper, XProtect, and SIP protections, applying MDM policies to block unsigned scripts, auditing sudo logs and temporary directories, monitoring for suspicious dscl and password prompt loops, and leveraging EDR solutions to detect AMOS behaviors including credential theft and unauthorized crypto wallet access.
5. PumaBot Campaign Targets Linux Devices with SSH Brute Force and PAM Credential Theft
Researchers have uncovered PumaBot, a new Linux-based botnet targeting IoT devices by brute-forcing weak SSH credentials. Written in Go, PumaBot retrieves SSH-exposed IPs from a C2 server (ssh.ddos-cc[.]org), bypassing mass scanning. After gaining access, it establishes persistence via systemd services (e.g., redis.service, mysqI.service), installs cryptominers (xmrig), and deploys multiple payloads for credential theft and data exfiltration. The malware disguises itself as Redis and replaces PAM authentication modules to log credentials into hidden files for exfiltration. Additional components like ddaemon, networkxm, and installx.sh expand lateral movement and maintain stealthy control over compromised devices.
Recommendations to mitigate this threat include disabling password-based SSH authentication, enforcing key-based logins, using rate-limiting tools like fail2ban, auditing systemd services, monitoring key directories and binaries for tampering, enabling file integrity monitoring, reviewing SSH login logs, blocking known C2 domains, restricting unauthorized processes like xmrig, applying least privilege principles, ensuring regular patching, and deploying EDR solutions for behavioral monitoring.
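Two of the checks recommended above, reviewing SSH login logs for brute force and auditing systemd services for imposters, as an added Python example that is not code from the advisory or from any PumaBot analysis. The auth.log lines and the daemon list are constructed; the unit name mysqI.service (capital I in place of l) is the advisory's own lookalike that the second check is built to catch.

```python
import re
from collections import Counter

# Constructed sample auth.log lines (not taken from the advisory): one source
# hammers passwords and finally gets in, another fails once then uses a key.
SAMPLE_AUTH_LOG = """\
Jun  2 10:01:11 iot-gw sshd[812]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jun  2 10:01:12 iot-gw sshd[812]: Failed password for root from 203.0.113.7 port 51023 ssh2
Jun  2 10:01:13 iot-gw sshd[812]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Jun  2 10:01:14 iot-gw sshd[812]: Failed password for invalid user pi from 203.0.113.7 port 51025 ssh2
Jun  2 10:01:15 iot-gw sshd[812]: Accepted password for root from 203.0.113.7 port 51026 ssh2
Jun  2 10:05:40 iot-gw sshd[901]: Failed password for alice from 198.51.100.9 port 40010 ssh2
Jun  2 10:05:45 iot-gw sshd[901]: Accepted publickey for alice from 198.51.100.9 port 40011 ssh2
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+) port")
ACCEPT_RE = re.compile(r"sshd\[\d+\]: Accepted password for \S+ from (\S+) port")

def brute_force_sources(log_text, threshold=3):
    """Return (flagged, compromised): sources with >= threshold password
    failures, and the subset that later had a password login accepted."""
    failures = Counter()
    accepted = set()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(1)] += 1
            continue
        m = ACCEPT_RE.search(line)
        if m and failures[m.group(1)]:   # success only counts after prior failures
            accepted.add(m.group(1))
    flagged = {ip: n for ip, n in failures.items() if n >= threshold}
    return flagged, accepted & set(flagged)

# Daemon names PumaBot-style units imitate; extend for your own fleet (assumed list).
KNOWN_DAEMONS = {"redis", "mysql", "sshd", "cron", "nginx"}
HOMOGLYPHS = str.maketrans({"I": "l", "1": "l", "0": "o", "|": "l"})

def lookalike_units(unit_names):
    """Return unit names that only match a known daemon after homoglyph
    normalization, e.g. 'mysqI.service' (capital I) -> 'mysql'. An exact
    match such as 'redis.service' is not flagged here: verify its ExecStart
    binary against the package manager instead."""
    hits = []
    for unit in unit_names:
        base = unit[:-len(".service")] if unit.endswith(".service") else unit
        normalized = base.translate(HOMOGLYPHS).lower()
        if normalized in KNOWN_DAEMONS and base != normalized:
            hits.append(unit)
    return hits
```

On a live host, feed `brute_force_sources` the output of `journalctl -u ssh` or /var/log/auth.log and `lookalike_units` the names from `systemctl list-unit-files`.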
To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.
For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.