VexTrio Viper Exploits Fake CAPTCHAs and Malicious Apps for Global Campaigns
Security researchers have detailed the operations of VexTrio Viper, a long-running cybercriminal network active since at least 2017 and now recognized as one of the most extensive traffic distribution system (TDS) operators in the world. The group brokers traffic through the most comprehensive known cybercriminal affiliate program, delivering malware, scams, and illicit content via complex redirection chains built on DNS manipulation, lookalike domains, and registered domain generation algorithms (RDGAs). It embeds malicious smartlinks in compromised websites, social media platforms, and even email security tools to evade detection, steering victims to fraudulent verticals in dating, cryptocurrency, sweepstakes, and nutritional supplements.
A key lure is a fake CAPTCHA challenge that, under the guise of verification, tricks users into granting browser notification permission or disclosing personal information. Once granted, that permission persists after the user leaves the page, giving the operators a standing channel for pushing spam and scam notifications over time. The group's global reach and technical sophistication let it remain embedded in both enterprise and consumer networks, making it a sustained threat to organizations and individuals alike.
VexTrio's operations also extend to mobile platforms, where it distributes malicious applications through Google Play and the Apple App Store under developer aliases such as HolaCode, LocoMind, Hugmi, Klover Group, and AlphaScale Media. Apps such as Hugmi, Cheri, WinkChat, Spam Shield, and Fast VPN pose as dating services, spam blockers, or VPN tools, but instead flood users with ads, enforce predatory subscriptions, and harvest personal data through cost-per-action schemes. Technical forensics link these apps to VexTrio's infrastructure, including shared code, IP ranges in AS5368, and hosting overlaps with affiliates such as Techintrade and Oilimpex.
With access to more than 220 million harvested email addresses, VexTrio sustains a self-reinforcing scam cycle, sending personalized spam carrying tracked links that redirect to scam portals, often hosted on Swiss-based infrastructure. To counter this threat, organizations should strengthen DNS-based threat detection, monitor for the reported malicious domains and application indicators, and improve app store vetting processes. Users should avoid installing unverified apps, disable unnecessary browser notifications (and revoke any already granted to unfamiliar sites), and report suspicious CAPTCHA prompts and unsolicited emails to reduce exposure to VexTrio's campaigns.
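The DNS-side detection recommended above, as an added example that is not code from the research summarized in this item: a Python triage script that runs over constructed DNS query logs and flags two of the domain patterns the digest mentions, lookalike domains (including digit-for-letter homoglyphs) and RDGA-style random-looking registrations. The log layout, brand watchlist, homoglyph table, user-writable prefixes and thresholds are all assumptions chosen for illustration; a production version would use the Public Suffix List and tune the thresholds against its own traffic.

```python
"""Triage DNS query logs for lookalike and RDGA-style domains.

Added example, not code from the research summarized above. The log format,
brand watchlist, homoglyph table and thresholds are constructed for illustration.
"""
import math
from collections import Counter

# Constructed watchlist: brands whose lookalikes we care about.
WATCHLIST = ["paypal", "microsoft", "coinbase"]

# Digit-for-letter substitutions commonly seen in lookalike labels (assumed set).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Constructed log lines in a "<timestamp> <client-ip> <qname>" layout (not a real product's format).
SAMPLE_LOG = """\
2025-08-12T09:01:05Z 10.0.4.21 login.paypa1-secure.com
2025-08-12T09:01:06Z 10.0.4.21 cdn.microsoft.com
2025-08-12T09:02:10Z 10.0.4.33 k3x9qvt2pl.xyz
2025-08-12T09:02:11Z 10.0.4.33 verify-c0inbase.net
2025-08-12T09:03:40Z 10.0.4.40 mail.example.org
2025-08-12T09:03:41Z 10.0.4.40 zq8wn4bv7h.top
"""


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking labels score near log2(number of distinct chars)."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def levenshtein(a: str, b: str) -> int:
    """Edit distance via the usual two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def second_level_label(qname: str) -> str:
    """Label left of the TLD. Assumption: single-label public suffixes only;
    use the Public Suffix List for co.uk-style suffixes in real deployments."""
    labels = qname.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def lookalike_of(sld: str):
    """Return the watchlisted brand a label imitates, or None.
    The genuine brand label itself is never reported as a lookalike."""
    for token in sld.split("-"):
        normalised = token.translate(HOMOGLYPHS)
        for brand in WATCHLIST:
            if token == brand:
                continue
            if levenshtein(normalised, brand) <= 1:
                return brand
    return None


def rdga_like(sld: str) -> bool:
    """Heuristic for machine-generated registrations: long, digit-heavy, vowel-poor, high entropy."""
    digits = sum(ch.isdigit() for ch in sld)
    vowels = sum(ch in "aeiou" for ch in sld)
    return (len(sld) >= 8 and "-" not in sld and digits >= 2
            and vowels / len(sld) < 0.25 and shannon_entropy(sld) >= 3.0)


def classify(qname: str) -> list:
    """Reasons a query name deserves analyst attention (empty list if none)."""
    sld = second_level_label(qname)
    reasons = []
    brand = lookalike_of(sld)
    if brand:
        reasons.append(f"lookalike:{brand}")
    if rdga_like(sld):
        reasons.append("rdga-like")
    return reasons


def triage(log_text: str) -> list:
    """Return (client, qname, reasons) for every flagged query, in log order."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than abort the hunt
        _ts, client, qname = parts
        reasons = classify(qname)
        if reasons:
            findings.append((client, qname, reasons))
    return findings


if __name__ == "__main__":
    for client, qname, reasons in triage(SAMPLE_LOG):
        print(f"{client} {qname} {','.join(reasons)}")
```

On the constructed log this flags the two homoglyph lookalikes and the two digit-heavy random labels while leaving cdn.microsoft.com and mail.example.org alone. Pivot on the client column: a single host resolving several flagged names within seconds is the redirection-chain pattern the digest describes, and the resolver logs will show the hops even when the browser never rendered them.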
Curly COMrades Uses MucorAgent Backdoor in Russian-Aligned Operations
A newly identified cyber-espionage group, tracked as Curly COMrades, has been conducting targeted campaigns since mid-2024 against government and judicial entities in Georgia and energy sector firms in Moldova, in line with Russian geopolitical interests. The group deploys a custom three-stage .NET backdoor, MucorAgent, designed to execute AES-encrypted PowerShell scripts and exfiltrate their output to command-and-control (C2) servers via curl.exe. Researchers named the group for that reliance on curl.exe and for its habit of hijacking Component Object Model (COM) objects during attacks.
Although the initial access vector remains undetermined, analysts observed the installation of multiple proxy agents, such as the Go-based Resocks, registered as scheduled tasks or Windows services for persistence and communicating over TCP ports 443 or 8443. For redundancy, Curly COMrades also uses custom SOCKS5 servers, SSH combined with Stunnel, and a proprietary CurlCat tool that hides its traffic by relaying it through compromised legitimate websites.
A notable persistence mechanism uses CLSID hijacking against the Windows .NET Native Image Generator (NGEN): the backdoor runs through an ostensibly disabled scheduled task that the operating system nonetheless triggers unpredictably during idle periods or system updates. MucorAgent's three components work together to stay hidden and persistent: the first hijacks a legitimate COM handler, the second bypasses the Antimalware Scan Interface (AMSI), and the third searches for index.png or icon.png files that carry encrypted payloads downloaded from compromised sites. Despite the use of legitimate binaries, open-source tools, and covert persistence techniques to blend in with normal activity, the group's operations generated detectable patterns that allowed EDR/XDR solutions to identify their presence.
To defend against this threat, organizations should monitor for unusual COM hijacking activity, in particular CLSID registrations that point at unexpected DLLs, block unauthorized curl.exe usage, restrict the installation of RMM tools, enforce strong authentication for administrative access, and maintain active threat hunting for the published indicators, payloads, and Resocks proxy activity.
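The COM hijacking check recommended above, as an added example that is not code from the researchers or from the group described: a Python script that parses a constructed .reg export of both the machine and user hives and flags CLSID server registrations that look hijacked, namely per-user entries that shadow a machine-wide CLSID and server paths that sit in user-writable locations. The GUIDs, DLL names and user name are hypothetical, and the user-writable prefix list is an assumption to tune per environment.

```python
"""Hunt for COM CLSID hijacks in a Windows registry export (.reg) covering both hives.

Added example, not code from the research summarized above. The export below is
constructed: the GUIDs, DLL names and user name are hypothetical.
"""
import re

# Key line of a CLSID server registration in either hive, as written by reg.exe export.
KEY_RE = re.compile(
    r"^\[(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\SOFTWARE\\Classes\\CLSID\\"
    r"(\{[0-9A-F-]{36}\})\\(InprocServer32|LocalServer32)\]$",
    re.IGNORECASE,
)
DEFAULT_VALUE_RE = re.compile(r'^@="(.*)"$')

# Locations a non-admin user can write to (assumed list; extend per environment).
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\",
                 "%appdata%", "%localappdata%", "%temp%")

# Constructed export: one clean HKLM entry, one HKLM entry shadowed by a per-user
# registration pointing into AppData, and one HKLM entry served from ProgramData.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AAAAAAAA-0000-4000-8000-000000000001}\InprocServer32]
@="C:\\Windows\\System32\\handler_one.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BBBBBBBB-0000-4000-8000-000000000002}\InprocServer32]
@="C:\\Windows\\System32\\handler_two.dll"
"ThreadingModel"="Both"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{BBBBBBBB-0000-4000-8000-000000000002}\InprocServer32]
@="C:\\Users\\alice\\AppData\\Roaming\\Cache\\handler_two.dll"
"ThreadingModel"="Both"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CCCCCCCC-0000-4000-8000-000000000003}\LocalServer32]
@="C:\\ProgramData\\Updater\\svc.exe"
"""


def parse_reg_export(text: str) -> list:
    """Return one dict per CLSID server registration: hive, clsid, kind, path."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = ({"hive": m.group(1).upper(), "clsid": m.group(2).upper(),
                        "kind": m.group(3)} if m else None)
            continue
        m = DEFAULT_VALUE_RE.match(line)
        if current and m:
            # .reg files escape backslashes and quotes inside string values.
            path = m.group(1).replace("\\\\", "\\").replace('\\"', '"')
            entries.append({**current, "path": path})
    return entries


def find_hijacks(entries: list) -> list:
    """Flag per-user registrations that shadow a machine-wide CLSID, and any
    server path in a user-writable location, in export order."""
    hklm = {e["clsid"]: e["path"] for e in entries if e["hive"] == "HKEY_LOCAL_MACHINE"}
    findings = []
    for e in entries:
        reasons = []
        if e["hive"] == "HKEY_CURRENT_USER" and e["clsid"] in hklm:
            # HKCU\Software\Classes takes precedence in the merged HKCR view.
            reasons.append("hkcu-shadows-hklm")
        if e["path"].lower().startswith(USER_WRITABLE):
            reasons.append("user-writable-server")
        if reasons:
            findings.append({**e, "reasons": reasons, "hklm_path": hklm.get(e["clsid"])})
    return findings


if __name__ == "__main__":
    for hit in find_hijacks(parse_reg_export(SAMPLE_EXPORT)):
        print(hit["hive"], hit["clsid"], hit["path"], ",".join(hit["reasons"]))
```

On a host, `reg export HKLM\SOFTWARE\Classes\CLSID hklm.reg` and `reg export HKCU\Software\Classes\CLSID hkcu.reg` produce the input; concatenate the two files and pass the text to parse_reg_export. Two caveats: per-user shadowing only affects standard-integrity processes (elevated processes ignore per-user COM registrations), and a scheduled task running as SYSTEM reads HKLM, so an HKLM entry whose path has silently changed will only show up if you also diff the HKLM entries against a known-good baseline rather than relying on the shadowing rule alone.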
Charon Ransomware Targets Public Sector and Aviation with APT-Style Tactics
Researchers have identified a new ransomware family, Charon, deployed in targeted attacks against public sector and aviation organizations in the Middle East. The campaign uses advanced persistent threat (APT) style tradecraft: DLL sideloading via a legitimate Edge.exe binary executes a malicious loader called SWORDLDR, which decrypts shellcode hidden in a DumpStack.log file. That shellcode carries configuration directing injection into svchost.exe, so the ransomware runs inside what looks like a legitimate service host and is harder for endpoint defenses to spot. A further decryption stage produces the final Charon executable, which encrypts files, appends the .Charon extension, and drops a ransom note personalized with the victim's organization name. The operation shows potential links to Earth Baxia campaigns through shared techniques, although attribution remains unconfirmed because no shared infrastructure has been identified.
Command-line parameters let the operators target specific network shares or paths, or prioritize shares over local drives, and the ransomware creates a mutex to prevent duplicate execution. Charon also terminates security tools, deletes shadow copies using COM interfaces, and empties the Recycle Bin before encrypting data. It embeds an anti-EDR driver from the Dark-Kill project that is inactive in this version but signals ongoing development toward more advanced defense evasion. The stealthy delivery chain, targeted ransom notes, and APT-grade tactics significantly raise operational and financial risk for victims, including data loss, downtime, and complex recovery once backups have been destroyed.
Organizations should defend against Charon by restricting DLL loading from vulnerable directories, monitoring for suspicious process chains in which signed binaries such as Edge.exe spawn svchost.exe, and ensuring EDR tools can resist tampering.
Additional measures include limiting lateral movement through strong authentication and disabling admin shares, maintaining offline, immutable backups, enforcing phishing-awareness training and least-privilege access, and proactively hunting for indicators of compromise so that intrusions are caught before encryption occurs.
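The process-chain and sideloading monitoring recommended for Charon, as an added example that is not part of the original advisory or the researchers' tooling: a Python scanner over constructed Sysmon-style JSON events that flags an svchost.exe whose parent is not services.exe, a Windows binary spawned from a user-writable directory, and an unsigned DLL loaded from the same user-writable directory as its host executable (the sideloading shape described above). Field names follow Sysmon (EventID 1 process creation, EventID 7 image load); the paths, PIDs, the DLL name and the user-writable directory list are assumptions.

```python
"""Flag loader-to-svchost.exe chains and DLL sideloading in Sysmon-style events.

Added example, not code from the research summarized above. The events below are
constructed JSON lines using Sysmon field names (EventID 1 process creation,
EventID 7 image load); paths, PIDs and the DLL name are hypothetical.
"""
import json
import ntpath  # handles Windows paths correctly even when run on Linux/macOS

# Directories a standard user can write to (assumed list; tune per environment).
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# Constructed telemetry: a renamed signed binary in a public folder loads an
# unsigned DLL beside it and then spawns svchost.exe; the last two lines are benign.
SAMPLE_EVENTS = r"""
{"EventID": 1, "ProcessId": 4120, "Image": "C:\\Users\\Public\\Edge.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "Edge.exe"}
{"EventID": 7, "ProcessId": 4120, "Image": "C:\\Users\\Public\\Edge.exe", "ImageLoaded": "C:\\Users\\Public\\loader.dll", "Signed": "false"}
{"EventID": 1, "ProcessId": 4188, "Image": "C:\\Windows\\System32\\svchost.exe", "ParentImage": "C:\\Users\\Public\\Edge.exe", "CommandLine": "svchost.exe -k netsvcs"}
{"EventID": 1, "ProcessId": 1304, "Image": "C:\\Windows\\System32\\svchost.exe", "ParentImage": "C:\\Windows\\System32\\services.exe", "CommandLine": "svchost.exe -k LocalService"}
{"EventID": 7, "ProcessId": 5200, "Image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "ImageLoaded": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.dll", "Signed": "true"}
"""


def _lower(path) -> str:
    return (path or "").lower()


def is_user_writable(path) -> bool:
    return _lower(path).startswith(USER_WRITABLE)


def basename(path) -> str:
    return ntpath.basename(_lower(path))


def dirname(path) -> str:
    return ntpath.dirname(_lower(path))


def check_event(ev: dict) -> list:
    """Return the rule names an event trips (empty list if none)."""
    reasons = []
    eid = ev.get("EventID")
    image = ev.get("Image", "")
    if eid == 1:
        parent = ev.get("ParentImage", "")
        # svchost.exe is normally a child of services.exe; anything else is a lead.
        if basename(image) == "svchost.exe" and basename(parent) != "services.exe":
            reasons.append("svchost-parent-not-services")
        # A Windows binary started by something living in a user-writable folder.
        if _lower(image).startswith("c:\\windows\\") and is_user_writable(parent):
            reasons.append("system-binary-spawned-from-user-writable-dir")
    elif eid == 7:
        loaded = ev.get("ImageLoaded", "")
        # Sideload shape: unsigned DLL in the same user-writable folder as the EXE.
        if (is_user_writable(image) and dirname(loaded) == dirname(image)
                and str(ev.get("Signed", "")).lower() == "false"):
            reasons.append("unsigned-dll-beside-exe-in-user-writable-dir")
    return reasons


def scan(jsonl: str) -> list:
    """Run check_event over JSON lines; return flagged events with their reasons."""
    findings = []
    for line in jsonl.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        reasons = check_event(ev)
        if reasons:
            findings.append({"EventID": ev["EventID"], "ProcessId": ev.get("ProcessId"),
                             "Image": ev.get("Image"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit["EventID"], hit["ProcessId"], hit["Image"], ",".join(hit["reasons"]))
```

Feed real Sysmon events exported as JSON lines to scan(). Two tuning notes: the occasional legitimate svchost.exe is started by something other than services.exe, so treat that rule as a lead to correlate with the image-load hit on the same ProcessId rather than a verdict on its own; and because Charon removes shadow copies through COM interfaces, detections keyed on vssadmin.exe or wmic command lines would not see that step, which is why the earlier loader-to-svchost.exe chain is the signal worth alerting on.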