Go to listing page

Cyware Daily Threat Intelligence, October 27, 2021

Cyware Daily Threat Intelligence, October 27, 2021

Share Blog Post

Meet Balikbayan Foxes aka TA2722, a new highly sophisticated threat actor group that is actively targeting organizations in the Philippines. The gang is taking advantage of COVID-19, the Philippines government entities, and other businesses to propagate Remcos and NanoCore trojans.

Meanwhile, supply chain chaos is turning ugly as threat actors evolve their attack techniques. Now, the prolific Lazarus APT group has shifted its focus on supply chain attacks as researchers unearthed two different attacks targeting high-profile businesses in South Korea and Latvia. The attacks were executed using a new variant of the BLINDINGCAN backdoor. The lesser-known Ranzy ransomware has also emerged from the shadows as the FBI disclosed widespread attacks on U.S. companies.

Top Breaches Reported in the Last 24 Hours

Philippines organizations targeted
A new threat actor group named Balikbayan Foxes aka TA2722 has been found targeting several organizations across the Philippines. The gang impersonates DHL Philippines and the Manila embassy for the Kingdom of Saudi Arabia to lure users into opening well-crafted PDFs that ultimately download Remcos and NanoCore trojans. These malicious PDFs pretend to be messages related to COVID-19 infection rates, billing, invoicing, and industry advisories.

New supply chain attack
Lazarus threat actors have been spotted in two different supply chain attacks launched in South Korea and Latvia. Researchers highlighted that the attackers had deployed a Remote Access Tool COPPERHEDGE using a new variant of the BLINDINGCAN backdoor. These attacks were observed between May and June.

Top Malware Reported in the Last 24 Hours

Ranzy Locker ransomware emerges
The FBI has published a flash report on the recent activities of the Ranzy ransomware. The agency highlights that the ransomware has already compromised at least 30 U.S. companies this year. The victim organizations include those from the government, IT, and transportation sectors. The attackers either use brute force attacks or RDP credentials to launch attacks.

New malware loader discovered
A new malware loader named Wslink has been found to be active for the past two years. Researchers found the malware being used across Central Europe, North America, and the Middle East. The special ability of the loader is it runs as a server and executes received modules in memory.

Top vulnerabilities Reported in the Last 24 Hours

Flawed WordPress plugin
A high severity flaw found in the Hashthemes Demo Importer WordPress plugin can be abused by attackers to reset and wipe out vulnerable websites. The developers have fixed the issue in the latest version (1.1.2) of the plugin.

Top Scams Reported in the Last 24 Hours

New Steam account scam
Steam account users are being targeted in a new ‘free knife’ scam that is being propagated via Discord and other similar platforms. The victims are lured using well-crafted messages that include a phishing link to the site.  


blindingcan backdoor
ranzy ransomware
balikbayan foxes
lazarus apt group

Posted on: October 28, 2021

More from Cyware

Stay updated on the security threat landscape and technology innovations at Cyware with our threat intelligence briefings and blogs.