Date: 1.23.25
New GhostGPT AI Chatbot Facilitates Malware Creation and Phishing
Summary: Cybercriminals are selling access to a new malicious generative AI chatbot called GhostGPT. The AI tool is designed to assist with malicious activities such as malware creation and phishing emails.
Researchers from Abnormal Security observed the cybercrime tool being sold through Telegram from the end of 2024.
They believe GhostGPT uses a wrapper to connect to a jailbroken version of ChatGPT or another open-source large language model (LLM), ensuring uncensored responses for customers.
Source: Infosecurity Magazine
Japanese Companies Threatened by DPRK IT Workers
Summary: The Japanese government warned domestic companies in March 2024 about contracting North Korean (DPRK) IT workers posing as Japanese nationals to earn cash, as it is suspected they are using the proceeds to fund Pyongyang’s ballistic missile and nuclear weapons development programs. [1] The United States, Japan, and the Republic of Korea jointly issued an updated warning on 14 January 2025 advising private sector entities, particularly in the blockchain and freelance work industries, to thoroughly review risk advisories and announcements to better inform cyber threat mitigation measures and to mitigate the risk of inadvertently hiring DPRK IT workers. [2] Many smaller companies, however, do not have adequate resources to perform these checks themselves.
Source: Security Boulevard
Trump Pardons Silk Road Founder Ulbricht
Summary: Donald Trump has used his presidential powers to pardon convicted felon Ross Ulbricht, the founder of notorious dark web marketplace Silk Road.
Ulbricht was sentenced to life in prison in 2015, on charges related to distributing narcotics, engaging in a continuing criminal enterprise, conspiracy to commit computer hacking, conspiracy to traffic in false identity documents, and conspiracy to commit money laundering.
Source: Infosecurity Magazine
QakBot-Linked BC Malware Adds Enhanced Remote Access and Data Gathering Features
Summary: Cybersecurity researchers have disclosed details of a new BackConnect (BC) malware that has been developed by threat actors linked to the infamous QakBot loader.
“BackConnect is a common feature or module utilized by threat actors to maintain persistence and perform tasks,” Walmart’s Cyber Intelligence team told The Hacker News. “The BackConnect(s) in use were ‘DarkVNC’ alongside the IcedID BackConnect (KeyHole).”
Source: The Hacker News
Funksec gang turned up ransomware heat in December
Summary: December 2024 broke records for ransomware attack volumes, according to data released by cyber security firm NCC Group, which said it saw a total of 574 confirmed incidents last month and a new threat actor referred to as Funksec accounted for more than 100 of them.
This was the highest level of attacks observed by NCC’s analysts since the organisation first published its monthly Threat Pulse index back in 2021, rising from 565 in November 2024 and topping December 2023’s figure of 387 by some margin. The industrials sector once again held the dubious honour of being the most attacked vertical, and North America and Europe were the most attacked regions.
Source: Computer Weekly
Tycoon 2FA Phishing Kit Upgraded to Bypass Security Measures
Summary: A new version of the phishing kit Tycoon 2FA, which uses advanced tactics to bypass multi-factor authentication (MFA) and evade detection, has been analyzed by threat researchers at Barracuda.
Tycoon 2FA, which first emerged in August 2023, has undergone several updates to enhance its capabilities. The latest version, observed in November 2024, targets Microsoft 365 session cookies to bypass 2FA protections. The creators of the phishing kit have since incorporated several measures to prevent detection by automated tools and security analysts.
Source: Infosecurity Magazine
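A kit like Tycoon 2FA works as an adversary-in-the-middle proxy: the victim completes a genuine Microsoft 365 login (MFA included) through the phishing page, the kit captures the resulting session cookie, and the operator replays that cookie from their own infrastructure. The identity-provider side effect is a session that first appears with an MFA-satisfied sign-in from one network and then reappears, with no new MFA, from an unrelated ASN. The following is an added example of that detection heuristic, not code from the article or from Barracuda; the sign-in records are constructed and use simplified field names (`session`, `ip`, `asn`, `mfa`), not the Entra ID sign-in log schema, so map them to whatever your provider actually exports.

```python
"""Flag a sign-in session reused from a second network without fresh MFA.

Added example; not code from the article or from Barracuda. The records are
constructed with simplified field names and are not a real tenant's logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: alice's session S1 is created with MFA from AS64500 and
# 39 minutes later used without MFA from AS64511 (the replay). bob's S2 moves
# between two IPs inside the same ASN, which is ordinary DHCP/mobile churn.
SAMPLE_SIGNINS = [
    {"time": "2025-01-20T09:01:00Z", "user": "alice@example.invalid", "session": "S1",
     "ip": "203.0.113.10", "asn": 64500, "mfa": True},
    {"time": "2025-01-20T09:01:30Z", "user": "alice@example.invalid", "session": "S1",
     "ip": "203.0.113.10", "asn": 64500, "mfa": False},
    {"time": "2025-01-20T09:40:00Z", "user": "alice@example.invalid", "session": "S1",
     "ip": "198.51.100.7", "asn": 64511, "mfa": False},
    {"time": "2025-01-20T10:00:00Z", "user": "bob@example.invalid", "session": "S2",
     "ip": "192.0.2.22", "asn": 64500, "mfa": True},
    {"time": "2025-01-20T10:30:00Z", "user": "bob@example.invalid", "session": "S2",
     "ip": "192.0.2.23", "asn": 64500, "mfa": False},
]


def parse_time(stamp: str) -> datetime:
    """Parse the constructed records' UTC timestamps."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def find_replayed_sessions(records, window=timedelta(hours=24)) -> dict:
    """Return {session_id: details} for sessions later used from another ASN.

    The earliest event of a session (normally the interactive, MFA-satisfied
    sign-in) anchors the origin ASN. A later event inside the window from a
    different ASN that did not itself satisfy MFA is treated as cookie replay.
    IP changes within one ASN are deliberately not flagged.
    """
    by_session = defaultdict(list)
    for rec in records:
        by_session[rec["session"]].append(rec)

    hits = {}
    for session, events in by_session.items():
        events.sort(key=lambda r: parse_time(r["time"]))
        origin = events[0]
        origin_time = parse_time(origin["time"])
        for ev in events[1:]:
            ev_time = parse_time(ev["time"])
            if ev_time - origin_time > window:
                break  # events are sorted, nothing later is in the window
            if ev["asn"] != origin["asn"] and not ev["mfa"]:
                hits[session] = {
                    "user": ev["user"],
                    "origin_ip": origin["ip"],
                    "origin_asn": origin["asn"],
                    "replay_ip": ev["ip"],
                    "replay_asn": ev["asn"],
                    "minutes_after_signin": int((ev_time - origin_time).total_seconds() // 60),
                }
                break
    return hits


if __name__ == "__main__":
    for session, info in find_replayed_sessions(SAMPLE_SIGNINS).items():
        print(f"{session}: {info['user']} cookie replayed from {info['replay_ip']} "
              f"(AS{info['replay_asn']}) {info['minutes_after_signin']} min after "
              f"sign-in from AS{info['origin_asn']}")
```

Two caveats when running something like this against real telemetry: with an AiTM kit the initial MFA sign-in itself originates from the proxy's IP, so anchoring on the user's historical ASNs rather than on the session's first event catches more; and this is detection after the cookie is already stolen. Phishing-resistant MFA (FIDO2/passkeys) and token protection that binds the session to the device prevent the replay rather than reporting it.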
5 Cyberattacks that Rocked Financial Services in 2024
Summary: More than 90% of 2024 breaches were financially motivated, so it is no surprise that the banking, financial services and insurance (BFSI) industry is a top target for cybercriminals. Let’s explore five major attacks that rocked the industry in 2024, exploring methods used by threat actors, the resulting impact on affected organizations, and key security takeaways from these breaches.
Source: Finextra
Black Kite Research Finds Certain Ransomware Groups Disproportionately Target Healthcare Organizations
Summary: BOSTON, Jan. 22, 2025 (GLOBE NEWSWIRE) — Black Kite, the leader in third-party cyber risk intelligence, published new data from the Black Kite Research Intelligence Team (BRITE) that shows certain ransomware groups are disproportionately targeting healthcare organizations. Ransomware groups Everest and Monti lead with 25% and 20.8%, respectively, of their victims in healthcare. Notably, high-volume groups INC Ransom (21.7%) and BianLian (15%) show a strong healthcare focus, making them especially dangerous to the sector.
Source: Globe News Wire
Researchers say new attack could take down the European power grid
Summary: Late last month, researchers revealed a finding that’s likely to shock some people and confirm the low expectations of others: Renewable energy facilities throughout Central Europe use unencrypted radio signals to receive commands to feed or ditch power into or from the grid that serves some 450 million people throughout the continent.
Source: Ars Technica
Chinese Cyberspies Target South Korean VPN in Supply Chain Attack
Summary: A newly discovered Chinese threat group has targeted a South Korean VPN developer with a supply chain attack aimed at deploying a custom backdoor to collect data for cyber-espionage purposes.
The group, dubbed PlushDaemon by the researchers at ESET Research who discovered it, typically aims to hijack legitimate updates of Chinese applications in its malicious operations “by redirecting traffic to attacker-controlled servers,” according to a blog post by ESET researcher Facundo Muñoz published on Jan. 22. “Additionally, we have observed the group gaining access via vulnerabilities in legitimate web servers,” he wrote.
Source: Dark Reading
CVE-2025-0411: 7-Zip Security Vulnerability Enables Code Execution – Update Now
Summary: Security researchers at Trend Micro Zero Day Initiative recently uncovered a vulnerability in 7-Zip, a widely used file archiving utility. This flaw, tracked as CVE-2025-0411 and assigned a CVSS score of 7.0 (High), could allow attackers to bypass the “Mark-of-the-Web” security feature in Windows.
Source: Security Online
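Windows records the Mark-of-the-Web as an NTFS alternate data stream named Zone.Identifier on the downloaded file; its `[ZoneTransfer]` section carries `ZoneId`, and `ZoneId=3` (Internet) is what makes SmartScreen and Office Protected View treat the file as untrusted. A bypass of the kind described above means files pulled out of an Internet-zone archive end up with no such stream. Beyond updating 7-Zip, a practitioner can check extraction output directly. The following is an added example, not code from the article, from ZDI or from 7-Zip: it parses the stream format and audits a directory for files that lack the mark the archive had. Reading the stream by name only works on NTFS; on any other filesystem the files are simply reported as unmarked.

```python
"""Audit files extracted from a downloaded archive for a missing Mark-of-the-Web.

Added example; not code from the article or from 7-Zip. Windows keeps the mark
in the "<file>:Zone.Identifier" NTFS stream, an INI fragment such as:

    [ZoneTransfer]
    ZoneId=3
    HostUrl=https://example.invalid/archive.7z
"""
import sys
from pathlib import Path

ZONE_STREAM = ":Zone.Identifier"  # NTFS alternate data stream name
ZONE_INTERNET = 3                 # URLZONE_INTERNET


def parse_zone_identifier(text: str) -> dict:
    """Parse the INI-style stream and return the keys of its [ZoneTransfer] section."""
    values = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip()
    return values


def zone_id(text):
    """ZoneId as an int, or None when the stream is absent or malformed."""
    if text is None:
        return None
    try:
        return int(parse_zone_identifier(text).get("ZoneId"))
    except (TypeError, ValueError):
        return None


def classify_streams(streams: dict, archive_zone: int = ZONE_INTERNET) -> list:
    """Given {name: stream text or None}, return the names that lost the mark.

    'Lost' means no Zone.Identifier at all, or a ZoneId less restrictive than
    the zone of the archive the file came from.
    """
    unmarked = []
    for name, text in streams.items():
        zid = zone_id(text)
        if zid is None or zid < archive_zone:
            unmarked.append(name)
    return sorted(unmarked)


def read_zone_stream(path: Path):
    """Contents of <path>:Zone.Identifier, or None if there is none.

    Only NTFS exposes the stream under this name; elsewhere open() fails and
    the file is reported as unmarked.
    """
    try:
        with open(str(path) + ZONE_STREAM, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


def find_unmarked(extracted_dir: Path, archive_zone: int = ZONE_INTERNET) -> list:
    """Walk an extraction directory and return files missing the expected mark."""
    files = [p for p in extracted_dir.rglob("*") if p.is_file()]
    streams = {str(p): read_zone_stream(p) for p in files}
    return classify_streams(streams, archive_zone)


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    missing = find_unmarked(target)
    for name in missing:
        print("MISSING MOTW:", name)
    print(f"{len(missing)} file(s) without an Internet-zone mark under {target}")
```

Run it as `python motw_audit.py C:\path\to\extracted` after unpacking an archive that itself carried `ZoneId=3`; a clean extractor propagates the stream to every child, so any file listed is one that SmartScreen will not screen. The `archive_zone` parameter is there for archives that arrived from an intranet or restricted zone, where a lower ZoneId on the children is expected.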
CISA:
Threat Actors Chained Vulnerabilities in Ivanti Cloud Service Applications
Summary: The Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) are releasing this joint Cybersecurity Advisory in response to exploitation in September 2024 of vulnerabilities in Ivanti Cloud Service Appliances (CSA): CVE-2024-8963, an administrative bypass vulnerability; CVE-2024-9379, a SQL injection vulnerability; and CVE-2024-8190 and CVE-2024-9380, remote code execution vulnerabilities.
Source: CISA
FBI Warns Gmail, Apple Mail, Outlook Users—Emailing These 2 Words Is Dangerous
Summary: The cyber threat landscape is getting worse. Driven by new and frightening AI-fueled threats, it is becoming ever harder to tell real from fake, safe from sorry. With “criminals exploiting generative artificial intelligence (AI) to commit fraud on a larger scale, which increases the believability of their schemes,” as the FBI warned last month, it would be great to know some of the telltale signs to help us root out the threats now sneaking into our inboxes.
Source: Forbes
Prepared by: Krypt3ia
For inquiries, contact: [email protected]
Disclaimer: This digest is for informational purposes only. Use provided intelligence responsibly and validate all IOCs before implementing network or system changes.