Pakistan‑Linked Cyber Threats: Advisory & Mitigation Steps

In the past week, critical cybersecurity threats have emerged, with significant vulnerabilities being reported across various platforms. Recent cybersecurity incidents include the emergence of the MintsLoader malware loader, actively delivering GhostWeaver (a PowerShell-based remote access trojan) via multi-stage phishing campaigns and ClickFix social engineering. It uses obfuscated JavaScript, PowerShell, DGA, and encrypted C2 channels, with links to malware like StealC, modified BOINC clients, and Lumma Stealer. A severe supply-chain attack has been uncovered involving malicious Go and Python packages that can irreversibly wipe Linux systems (/dev/sda) and steal cryptocurrency credentials, using stealthy exfiltration channels like Gmail SMTP and WebSockets. Pakistan-linked cyber threat groups, including APT36, SideCopy, and Gorgon, along with nationalist hacktivists, have escalated phishing, espionage, and defacement attacks targeting government and critical infrastructure sectors globally. The Play ransomware group exploited a Windows zero-day (CVE-2025-29824), gaining initial access via a Cisco ASA device and deploying Grixba, a custom information stealer, though no ransomware was executed. Finally, attackers abused SentinelOne’s own installer in a “Bring Your Own Installer” attack, bypassing tamper protection to deploy Babuk ransomware by disabling EDR protection during the upgrade process. These developments underscore the urgent need for organizations to stay vigilant and apply security updates promptly.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. MintsLoader Delivers GhostWeaver RAT via Phishing and ClickFix Campaigns

The MintsLoader malware loader is actively delivering GhostWeaver, a PowerShell-based remote access trojan (RAT), through a multi-stage infection chain that uses obfuscated JavaScript and PowerShell, along with sandbox evasion, domain generation algorithms (DGA), and encrypted command-and-control (C2) channels. It spreads via phishing emails and fake browser updates, employing emerging tactics like ClickFix social engineering. The campaign is linked to other malware like StealC, modified BOINC clients, and Lumma Stealer, indicating its use in professional e-crime services. Sectors such as industrial, legal, and energy are prime targets. To mitigate risks, organizations should block malicious domains and URLs, analyze email attachments in sandboxes, and enforce PowerShell restrictions like Constrained Language Mode. Behavior-based EDR should flag suspicious PowerShell and JavaScript activity. Monitoring for self-signed TLS certificates and educating users on ClickFix-style lures are critical. Additionally, blocking outbound HTTP requests, deploying DNS filtering, and conducting threat hunting for DGA patterns and anomalous PowerShell activity can enhance protection.
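The advisory recommends threat hunting for DGA patterns in DNS telemetry. The script below is an added example (it is not SISA's code and not part of the advisory) of one way to do that: it scores the registrable label of each queried name on four traits typical of algorithmically generated domains and reports clients that produce a burst of such lookups. The log format, the client IPs, the domain names and the scoring thresholds are all constructed for the example; none of the names are indicators from the advisory.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (timestamp, client IP, record type, name).
# The names are invented for this example; they are not indicators from the advisory.
SAMPLE_DNS_LOG = """\
2025-05-05T10:01:02Z 10.0.0.12 A www.microsoft.com
2025-05-05T10:01:03Z 10.0.0.12 A update.mozilla.org
2025-05-05T10:01:05Z 10.0.0.12 A xk2v9qz7lm3w.top
2025-05-05T10:01:06Z 10.0.0.12 A q8rt2mzc1vxh.xyz
2025-05-05T10:01:07Z 10.0.0.12 A hxlp4wq9rzt3.top
2025-05-05T10:01:08Z 10.0.0.12 A b7mq3zxv8kfd.xyz
2025-05-05T10:01:09Z 10.0.0.12 A mail.example-company.com
2025-05-05T10:01:10Z 10.0.0.12 A fk3zq8xm2vwp.top
2025-05-05T10:02:00Z 10.0.0.44 A www.microsoft.com
"""

VOWELS = set("aeiou")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking labels score high."""
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(fqdn: str) -> str:
    """Label left of the TLD. Naive on purpose: multi-part suffixes such as
    co.uk need a public-suffix list in a production hunt."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def longest_consonant_run(label: str) -> int:
    run = best = 0
    for ch in label:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def dga_score(label: str) -> int:
    """Count DGA-typical traits (0-4): high entropy, few vowels, many digits,
    long consonant runs. The thresholds are tuning assumptions, not published values."""
    if not label:
        return 0
    n = len(label)
    score = 0
    if shannon_entropy(label) >= 3.2:
        score += 1
    if sum(ch in VOWELS for ch in label) / n < 0.2:
        score += 1
    if sum(ch.isdigit() for ch in label) / n >= 0.2:
        score += 1
    if longest_consonant_run(label) >= 4:
        score += 1
    return score


def hunt_dga(log_text: str, threshold: int = 3, min_hits: int = 3) -> dict:
    """Map client IP -> suspicious names, keeping only clients with at least
    min_hits such lookups (one odd name is noise; a burst is the DGA signal)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        _ts, client, _rtype, fqdn = fields
        if dga_score(registrable_label(fqdn)) >= threshold:
            hits[client].append(fqdn)
    return {client: names for client, names in hits.items() if len(names) >= min_hits}


if __name__ == "__main__":
    for client, names in hunt_dga(SAMPLE_DNS_LOG).items():
        print(f"{client}: {len(names)} DGA-like lookups, e.g. {names[:3]}")
```

Run against a real resolver log, the per-client burst count matters more than any single score: legitimate CDN and hyphenated brand names can trip one or two traits, so tune `threshold` and `min_hits` against a week of baseline traffic before alerting on the output.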

2. Supply Chain Attack Uses Go Modules to Deliver Disk-Wiping Linux Malware

A critical supply-chain attack has been discovered, involving malicious Go and Python packages designed for destruction and data theft. Three Go modules (including prototransform and go-mcp) can irreversibly destroy Linux systems by overwriting /dev/sda, making devices unbootable with no chance of data recovery. Simultaneously, malicious npm packages like crypto-encrypt-ts and bankingbundleserv are actively stealing cryptocurrency credentials and exfiltrating them. Researchers also flagged Python packages using Gmail SMTP and WebSockets to execute remote commands and exfiltrate data stealthily, bypassing security through trusted services. To counter these threats, organizations must rigorously verify package dependencies, check maintainers' history, use lockfiles, and run dependency scanners such as npm audit or pip-audit. Monitoring for unusual SMTP or WebSocket traffic, restricting system access, and hardening CI/CD pipelines by sandboxing external code and validating third-party packages are also strongly advised. These steps are vital against the extreme sabotage potential of modern supply-chain attacks.
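As an added example of the dependency verification the advisory calls for (this is not SISA's code and not part of the advisory), the script below audits a pip requirements file and a Go `go.mod` for the hygiene gaps that let a package like the ones above slip into a build: names on a blocklist, versions that are not pinned, pinned versions with no `--hash` so pip never verifies the artifact, and Go pseudo-versions that depend on an untagged commit. The requirements file, the `go.mod` and its `example-placeholder` module paths are constructed; the blocklist holds only the package names quoted in the advisory and is a coarse name-based check, not a substitute for a vetted feed of full module paths.

```python
import re

# Constructed inputs (not from the advisory): a requirements.txt mixing
# hash-pinned, unpinned and pinned-but-unhashed entries, and a go.mod whose
# "example-placeholder" module paths are invented for illustration.
SAMPLE_REQUIREMENTS = """\
requests==2.32.3 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
pyyaml>=6.0
totally-legit-utils==1.0.1
"""

SAMPLE_GO_MOD = """\
module example.com/app

go 1.22

require (
    github.com/gorilla/mux v1.8.1
    github.com/example-placeholder/prototransform v0.1.0
    github.com/example-placeholder/helper v0.0.0-20250101120000-abcdef012345
)
"""

# Names quoted in the advisory. A production blocklist should hold full module
# paths and versions from a vetted feed; matching on the last path element is
# a deliberately coarse first pass that also catches look-alike forks.
BLOCKLIST = {"prototransform", "go-mcp", "crypto-encrypt-ts", "bankingbundleserv"}

# Go pseudo-version: vX.Y.Z-<14-digit timestamp>-<12 hex> marks an untagged commit.
PSEUDO_VERSION = re.compile(r"^v\d+\.\d+\.\d+-(?:[\w.]+\.)?\d{14}-[0-9a-f]{12}$")


def logical_lines(text):
    """Yield requirement lines with backslash continuations joined,
    skipping blanks and comments."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf and not buf.startswith("#"):
            yield buf
        buf = ""


def parse_requirements(text):
    """Return [(normalised_name, version_spec, has_hash)] from a pip requirements file."""
    entries = []
    for line in logical_lines(text):
        tokens = line.split()
        m = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(.*)$", tokens[0])
        if not m:  # option lines such as --index-url are not packages
            continue
        name = m.group(1).lower().replace("_", "-")
        has_hash = any(t.startswith("--hash=") for t in tokens[1:])
        entries.append((name, m.group(2), has_hash))
    return entries


def parse_go_mod(text):
    """Return [(module_path, version)] from go.mod require directives."""
    mods, in_block = [], False
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()
        if line.startswith("require ("):
            in_block = True
            continue
        if in_block and line == ")":
            in_block = False
            continue
        if line.startswith("require "):
            line = line[len("require "):]
        elif not in_block:
            continue
        m = re.match(r"^(\S+)\s+(v\S+)$", line)
        if m:
            mods.append((m.group(1), m.group(2)))
    return mods


def audit(requirements_text, go_mod_text):
    """Return [(ecosystem, package, issue)] for blocklisted names, unpinned
    versions, missing artifact hashes and untagged Go commits."""
    findings = []
    for name, spec, has_hash in parse_requirements(requirements_text):
        if name in BLOCKLIST:
            findings.append(("pypi", name, "name is on the blocklist"))
        if not spec.startswith("=="):
            findings.append(("pypi", name, "version not pinned with =="))
        if not has_hash:
            findings.append(("pypi", name, "no --hash pin, so pip cannot verify the artifact"))
    for path, version in parse_go_mod(go_mod_text):
        if path.rsplit("/", 1)[-1] in BLOCKLIST:
            findings.append(("go", path, "last path element matches a blocklisted name"))
        if PSEUDO_VERSION.match(version):
            findings.append(("go", path, "pseudo-version: depends on an untagged commit"))
    return findings


if __name__ == "__main__":
    for eco, pkg, issue in audit(SAMPLE_REQUIREMENTS, SAMPLE_GO_MOD):
        print(f"[{eco}] {pkg}: {issue}")
```

Wired into CI as a gate that fails the build on any finding, a check like this complements rather than replaces `pip-audit` and `npm audit`: those tools know about published vulnerabilities, while this one enforces that every dependency is a pinned, hash-verified, tagged release that someone has looked at.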

3. Pakistan‑Linked Cyber Threats: Advisory & Mitigation Steps

Between 2022 and early 2025, Pakistan-linked APTs, cybercrime groups, and hacktivists ramped up attacks. Groups like Transparent Tribe (APT36) and SideCopy expanded to cloud-based C2 and targeted Indian government and defense using phishing campaigns with lookalike domains and malware like CrimsonRAT. Gorgon APT attacked India's MSME sector via spear-phishing, exploiting CVE-2017-11882 to deploy data-stealing payloads like Agent Tesla. Nationalist groups like Team Insane PK, Pakistan Cyber Force, and IOK Hacker defaced sites and leaked sensitive data during the Pahalgam retaliation wave (April 2025). To mitigate these threats, organizations should block risky attachments, enforce DMARC, DKIM, and SPF, and patch vulnerable applications such as WinRAR (CVE-2023-38831). Restricting script execution, deploying EDR, and blocking malicious domains and C2 infrastructure are vital. Securing Linux deployments, hardening web applications, and conducting phishing simulations enhance readiness. A solid incident response plan tied to threat actor tactics and enriched IOC monitoring is required to mitigate these threats.
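Two of the mitigations above, enforcing DMARC/DKIM/SPF and watching for lookalike domains, can be checked mechanically. The script below is an added example (not SISA's code and not part of the advisory) that evaluates the three DNS TXT records for weak settings an attacker's spoofed mail would sail through (a `p=none` DMARC policy, an SPF record ending in `~all`, an empty DKIM key) and flags sender domains that sit within a small edit distance of a trusted domain once common digit-for-letter swaps are folded away. The records, the trusted-domain allowlist and the homoglyph table are constructed assumptions; in practice the records would come from a DNS lookup of the organization's own domain.

```python
import re

# Constructed DNS TXT records for an imaginary domain; none of these are real.
RECORDS = {
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "example.com": "v=spf1 include:_spf.example.net ~all",
    "sel1._domainkey.example.com": "v=DKIM1; k=rsa; p=",
}

# Constructed allowlist of domains the organisation legitimately receives mail from.
TRUSTED_DOMAINS = ["example.com", "example-gov.in"]

# SPF terms that each consume one of the ten permitted DNS lookups (RFC 7208 s4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tags(record: str) -> dict:
    """Split 'k=v; k=v' tag lists (DMARC and DKIM records share this syntax)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: str) -> list:
    t = parse_tags(record)
    if t.get("v") != "DMARC1":
        return ["not a DMARC record"]
    issues = []
    if t.get("p") not in ("quarantine", "reject"):
        issues.append(f"policy p={t.get('p')} lets mail that fails DMARC through")
    if t.get("pct", "100") != "100":
        issues.append(f"pct={t['pct']} applies the policy to only part of the mail")
    if "rua" not in t:
        issues.append("no rua= address, so spoofing attempts are never reported")
    return issues


def check_spf(record: str) -> list:
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    issues = []
    last = terms[-1].lower()
    if last != "-all":
        issues.append(f"terminates with {last!r}; only -all hard-fails unauthorised senders")
    lookups = sum(
        re.split(r"[:=/]", term.lstrip("+-~?"))[0].lower() in LOOKUP_TERMS
        for term in terms[1:]
    )
    if lookups > 10:
        issues.append(f"{lookups} lookup terms exceed the limit of 10 (permerror)")
    return issues


def check_dkim(record: str) -> list:
    t = parse_tags(record)
    issues = []
    if not t.get("p"):
        issues.append("public key p= is empty: key revoked or misconfigured, signatures fail")
    if t.get("t", "").startswith("y"):
        issues.append("t=y test mode: receivers may ignore signature failures")
    return issues


def levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


# Digit/letter swaps common in lookalike registrations (an assumed, non-exhaustive table).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def lookalike_of(sender_domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return the trusted domain a sender domain imitates, or None if it is
    either a trusted domain itself or not close to any of them."""
    sender = sender_domain.lower()
    if sender in trusted:
        return None
    folded = sender.translate(HOMOGLYPHS).replace("rn", "m")
    for domain in trusted:
        if levenshtein(folded, domain) <= max_distance:
            return domain
    return None


if __name__ == "__main__":
    print("DMARC:", check_dmarc(RECORDS["_dmarc.example.com"]))
    print("SPF:  ", check_spf(RECORDS["example.com"]))
    print("DKIM: ", check_dkim(RECORDS["sel1._domainkey.example.com"]))
    for candidate in ("examp1e.com", "exarnple-gov.in", "github.com"):
        print(candidate, "->", lookalike_of(candidate))
```

The lookalike check is meant for mail-gateway or proxy logs: a new sender domain that resolves to a trusted name after folding is worth a block or at least a banner, while the record checks are a one-off audit of your own domain that should come back empty.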

4. Ransomware Group Exploits Windows Zero-Day for Privilege Escalation

Threat actors tied to the Play ransomware group exploited a zero-day vulnerability (CVE-2025-29824) in the Windows CLFS driver to target a U.S. organization, likely gaining access via a Cisco ASA device. Though no ransomware was deployed, attackers achieved privilege escalation and data exfiltration using Grixba, a custom information stealer disguised as legitimate files like paloaltoconfig.exe. The exploit involved DLL injection into winlogon.exe, creation of a LocalSvc user with admin rights, and use of batch scripts to escalate privileges and erase forensic traces. Following escalation, they performed Active Directory reconnaissance, mapped domain systems, and saved outputs for further exploitation. Targets spanned IT and real estate sectors in the US, financial firms in Venezuela, a Spanish software company, and retail in Saudi Arabia. Organizations are advised to apply April 2025 security patches, harden network perimeters, monitor for unauthorized accounts and suspicious batch activity, and enable EDR tools to detect behavioral anomalies linked to such attacks.
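The advisory asks defenders to monitor for unauthorized accounts and suspicious batch activity. The script below is an added example (not SISA's code and not part of the advisory) of detection logic over Windows security events that catches the sequence described above: a local account created (event 4720) and promoted to Administrators (4732) within a short window, a batch script launched by that new account (4688), and a process bearing a file name the advisory says the stealer was disguised as executing from a user-writable directory. The JSON-lines event format with its simplified field names, the host names and the paths are constructed; only the event IDs, the `LocalSvc` account name and the `paloaltoconfig.exe` file name come from standard Windows auditing or the advisory itself.

```python
import json
from datetime import datetime, timedelta

# Constructed Windows security events (JSON lines, one per event) that mirror
# the post-exploitation sequence in the advisory. Host names, paths and the
# simplified field names are sample data, not any product's schema.
SAMPLE_EVENTS = r"""
{"ts":"2025-04-10T02:11:05Z","id":4688,"host":"SRV01","subject":"SYSTEM","new_process":"C:\\Users\\Public\\paloaltoconfig.exe","cmd":"paloaltoconfig.exe"}
{"ts":"2025-04-10T02:12:00Z","id":4720,"host":"SRV01","subject":"SYSTEM","target":"LocalSvc"}
{"ts":"2025-04-10T02:12:30Z","id":4732,"host":"SRV01","subject":"SYSTEM","group":"Administrators","member":"LocalSvc"}
{"ts":"2025-04-10T02:13:10Z","id":4688,"host":"SRV01","subject":"LocalSvc","new_process":"C:\\Windows\\System32\\cmd.exe","cmd":"cmd.exe /c C:\\Users\\Public\\cleanup.bat"}
{"ts":"2025-04-10T09:00:00Z","id":4720,"host":"SRV02","subject":"helpdesk.admin","target":"contractor01"}
{"ts":"2025-04-10T09:30:00Z","id":4688,"host":"SRV02","subject":"helpdesk.admin","new_process":"C:\\Program Files\\Vendor\\paloaltoconfig.exe","cmd":"paloaltoconfig.exe"}
"""

# File names the advisory says the Grixba stealer was disguised as.
MASQUERADE_NAMES = {"paloaltoconfig.exe"}
# Directories where a legitimately installed binary of that name would live (assumption).
EXPECTED_DIRS = ("c:\\program files", "c:\\program files (x86)", "c:\\windows")


def parse_events(text):
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["t"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["t"])


def detect(events, window=timedelta(minutes=10)):
    """Return (rule, host, detail) alerts for: a fresh local account promoted
    to Administrators, a batch script run by such an account, and a known
    disguise name executing from outside the expected directories."""
    alerts = []
    created = {}  # (host, account) -> creation time
    for e in events:
        host = e["host"]
        if e["id"] == 4720:
            created[(host, e["target"])] = e["t"]
        elif e["id"] == 4732 and e.get("group") == "Administrators":
            key = (host, e["member"])
            if key in created and e["t"] - created[key] <= window:
                alerts.append(("new-account-promoted-to-admin", host, e["member"]))
        elif e["id"] == 4688:
            path = e["new_process"].lower()
            name = path.rsplit("\\", 1)[-1]
            if name in MASQUERADE_NAMES and not path.startswith(EXPECTED_DIRS):
                alerts.append(("masquerade-name-outside-expected-dirs", host, e["new_process"]))
            if ".bat" in e.get("cmd", "").lower() and (host, e["subject"]) in created:
                alerts.append(("batch-script-run-by-new-account", host, e["subject"]))
    return alerts


if __name__ == "__main__":
    for rule, host, detail in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{host}: {rule} ({detail})")
```

The second host in the sample shows why the rules are correlated rather than fired individually: a help-desk account creating a contractor login, or a vendor tool running from Program Files, is routine on its own, and only the chain of create, promote and script on SRV01 raises alerts.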

5. EDR Bypass via Legitimate Installer Exploited to Deploy Babuk Ransomware

A new attack technique, known as “Bring Your Own Installer”, allows attackers to bypass SentinelOne’s tamper protection by exploiting its legitimate installer. The attack disrupts the upgrade process where the installer terminates existing agent processes before reinstalling. By forcefully killing msiexec.exe during this window, attackers leave the system unprotected and proceed to deploy Babuk ransomware without EDR interference. This approach requires no external tools or drivers, making it stealthier than traditional bypasses. It has proven effective across multiple SentinelOne agent versions, regardless of updates. The attack begins with administrative access, downloads the installer, and disables protection by halting the reinstallation. To mitigate, organizations should enable Online Authorization, enforce Local Agent Passphrase protection, monitor for abnormal msiexec.exe terminations, and alert on agents going offline. Reviewing SentinelOne policies, communicating with endpoint admins, and ensuring full endpoint compliance with protection settings are essential to reduce exposure to this flaw.
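Two of the recommended controls, monitoring for abnormal msiexec.exe terminations and alerting on agents going offline, are far more useful together than apart, because a failed agent upgrade is common and an agent that is briefly offline is common, while an installer run that ends abnormally and is followed by silence from that host is the signature of the abuse described above. The script below is an added example (not SISA's code, not SentinelOne's, and not part of the advisory) of that correlation over a constructed merge of endpoint process events and console heartbeats. The JSON-lines format, field names, host names and the `EDRAgentInstaller_placeholder.msi` file name are all assumptions; the `0x643` (1603) exit status on the third host is the standard Windows Installer "fatal error during installation" code, used here to show a plain failed install that should not alert.

```python
import json
from datetime import datetime, timedelta

# Constructed telemetry (JSON lines) merging endpoint process events with the
# EDR console's agent heartbeats. Host names and the installer file name are
# placeholders; the field names are simplified rather than any vendor's schema.
SAMPLE_TELEMETRY = r"""
{"ts":"2025-05-06T13:59:00Z","host":"WS17","type":"agent_heartbeat"}
{"ts":"2025-05-06T14:00:00Z","host":"WS17","type":"process_start","image":"C:\\Windows\\System32\\msiexec.exe","cmd":"msiexec.exe /i EDRAgentInstaller_placeholder.msi /q"}
{"ts":"2025-05-06T14:00:20Z","host":"WS17","type":"process_exit","image":"C:\\Windows\\System32\\msiexec.exe","exit_status":"0x1"}
{"ts":"2025-05-06T14:05:00Z","host":"WS22","type":"process_start","image":"C:\\Windows\\System32\\msiexec.exe","cmd":"msiexec.exe /i EDRAgentInstaller_placeholder.msi /q"}
{"ts":"2025-05-06T14:06:40Z","host":"WS22","type":"process_exit","image":"C:\\Windows\\System32\\msiexec.exe","exit_status":"0x0"}
{"ts":"2025-05-06T14:07:30Z","host":"WS22","type":"agent_heartbeat"}
{"ts":"2025-05-06T14:08:00Z","host":"WS31","type":"process_start","image":"C:\\Windows\\System32\\msiexec.exe","cmd":"msiexec.exe /i EDRAgentInstaller_placeholder.msi /q"}
{"ts":"2025-05-06T14:08:45Z","host":"WS31","type":"process_exit","image":"C:\\Windows\\System32\\msiexec.exe","exit_status":"0x643"}
{"ts":"2025-05-06T14:09:15Z","host":"WS31","type":"agent_heartbeat"}
{"ts":"2025-05-06T14:12:00Z","host":"WS22","type":"agent_heartbeat"}
"""

# Substring identifying the agent installer in the msiexec command line (placeholder).
INSTALLER_MARKER = "edragentinstaller"


def parse(text):
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["t"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["t"])


def correlate(events, start_window=timedelta(minutes=10), silence=timedelta(minutes=5)):
    """Return (host, exit_status, silent_seconds) for each host where the agent
    installer's msiexec run ended with a non-zero status and no heartbeat
    followed within `silence`. A failed install whose agent keeps checking in
    is an operations ticket, not a security alert."""
    log_end = max(e["t"] for e in events)
    by_host = {}
    for e in events:
        by_host.setdefault(e["host"], []).append(e)

    alerts = []
    for host, evs in by_host.items():
        for i, e in enumerate(evs):
            if e["type"] != "process_exit" or not e["image"].lower().endswith("\\msiexec.exe"):
                continue
            if e.get("exit_status", "0x0") == "0x0":
                continue
            # Only care about msiexec runs that were the agent installer: look back for the start.
            installer_run = any(
                p["type"] == "process_start"
                and INSTALLER_MARKER in p.get("cmd", "").lower()
                and e["t"] - p["t"] <= start_window
                for p in evs[:i]
            )
            if not installer_run:
                continue
            next_beat = next((h["t"] for h in evs[i + 1:] if h["type"] == "agent_heartbeat"), None)
            # With no later heartbeat, measure silence up to the end of the log window.
            gap = (next_beat if next_beat is not None else log_end) - e["t"]
            if gap >= silence:
                alerts.append((host, e["exit_status"], int(gap.total_seconds())))
    return alerts


if __name__ == "__main__":
    for host, status, seconds in correlate(parse(SAMPLE_TELEMETRY)):
        print(f"{host}: agent silent {seconds}s after installer msiexec exited with {status}")
```

In the sample, WS22 upgrades cleanly, WS31 fails its install but the agent keeps reporting, and only WS17, where the installer's msiexec ended abnormally and the host then went quiet, produces an alert. Pair the alert with an automatic network-isolation or at least a same-hour manual check of that endpoint, since the whole point of the technique is that the agent is no longer there to respond.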

To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.

For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.
