<img src="https://ws.zoominfo.com/pixel/csEHmvjEA1iScHExXGZE" width="1" height="1" style="display: none;">

The Week in Review from Stamus Labs

Welcome to the weekly threat detection update report from Stamus Networks. Each week, you will receive this email with a summary of the updates.

 

Current Stamus Threat Intelligence (STI) release version: 1600

 

This week, in addition to daily ruleset and IOC updates, we provided Stamus Security Platform customers with the following improved defense(s):

  • New threat detection(s) added [1]: 5 (RDP Malicious Cookie, defendnot, LoJax, TA395, DemonHavoc)

  • Major changes to detections(s) [2]: 180

  • Updated threat detection(s) [3]: 248

 

Note: a "method" as referenced below, is a discrete detection vector for a given threat.

 

New Threat(s) Detected

The following detections were added to your Clear NDR this past week:

 

RDP Malicious Cookie (Trojan)

mstshash cookies in RDP connections aid load balancers but can be exploited by attackers for Session Hijacking or Redirection. Attack involves intercepting, manipulating, and redirecting traffic for information gathering or access.

DFIR Report | Nishtahir |

  • Total number of detection methods: 2

  • Kill chain phase(s): exploitation

 

defendnot (Offensive Tools)

Defendnot is a tool that interacts with the Windows Security Center to disable Microsoft Defender Antivirus, bypassing the need for third-party code and an NDA with Microsoft.

  • Total number of detection methods: 6

  • Kill chain phase(s): command and control, delivery

  • MITRE ATT&CK: T1105

 

LoJax (Rootkit)

ESET discovered LoJax malware, derived from LoJack anti-theft software, used by Sednit group to evade detection. It can track computers even after Windows reinstallation or hard drive swap.

LoJax - Mitre | LoJax - malpedia |

  • Total number of detection methods: 30

  • Kill chain phase(s): command and control

 

TA395 (APT)

Cybersecurity firms report multiple groups tied to India, including TA397, TA399, and TA395, linked to the Sloppy Lemming threat group, targeting individuals and critical infrastructure.

TA395-Proofpoint |

  • Total number of detection methods: 9

  • Kill chain phase(s): command and control

 

DemonHavoc (Data Theft)

Huntress discovered a coordinated cyber attack involving email spam, fake IT support calls, and malware delivery across multiple organizations, with rapid lateral movement indicating a data exfiltration or ransomware threat.

  • Total number of detection methods: 24

  • Kill chain phase(s): command and control

  • MITRE ATT&CK: T1071

 

Major Detection Changes

The following detections were updated this past week with changes to kill chain phase(s) or MITRE ATT&CK tactic(s)/technique(s):

 

APT35 (APT)

Iranian-backed group Magic Hound engages in cyber espionage targeting U.S. and Middle Eastern officials and organizations since 2014, likely working with the Islamic Revolutionary Guard Corps through elaborate social engineering tactics.

  • Added kill chain phase(s): command and control, delivery

  • Previously supported kill chain phase(s): command and control, delivery, actions on objectives

  • MITRE ATT&CK added: T1566

  • Previously existing MITRE ATT&CK: T1041, T1071, T1587, T1566, T1665, T1102

  • Methods added: 5

 

Backdoor (Trojan)

Backdoors give malicious users control over infected computers, similar to administration systems. They can do multiple tasks on the computer and be used to form botnets or spread through networks.

  • Added kill chain phase(s): command and control

  • Previously supported kill chain phase(s): command and control, actions on objectives, installation, delivery

  • MITRE ATT&CK added: T1105

  • Previously existing MITRE ATT&CK: T1041, T1496, T1071

  • Methods added: 1

 

Cobalt Strike (Pentest Tools)

Cobalt Strike is a commercial penetration testing tool that simulates advanced threat actor attacks, covering the full range of ATT&CK tactics and integrating with tools like Metasploit and Mimikatz.

  • Added kill chain phase(s): command and control

  • Previously supported kill chain phase(s): command and control, actions on objectives, exploitation, delivery

  • Methods added: 6

 

 

Fake Browser (Trojan)

Attackers infect enterprise networks with malware by promoting fake browser updates on hacked websites, leading to the installation of banking trojans and later ransomware encryption on compromised networks.

  • Added kill chain phase(s): exploitation

  • Previously supported kill chain phase(s): delivery, exploitation, command and control

  • MITRE ATT&CK added: T1189

  • Previously existing MITRE ATT&CK: T1071, T1189

  • Methods added: 3

 

Fake Service (Phishing)

Phishing involves scammers posing as familiar companies to obtain personal information. Consumers should avoid responding to suspicious emails requesting personal or financial details to prevent falling victim to these scams.

  • Added kill chain phase(s): installation

  • Previously supported kill chain phase(s): command and control, installation, delivery, actions on objectives

  • Methods added: 1

 

LandUpdate808 (Trojan)

Fake update variants like SocGholish, Clear Fake, Smart Ape, and ClickFix are being tracked by a collaboration introducing the LandUpdate808 Fake Update Variant.

  • Added kill chain phase(s): command and control

  • Previously supported kill chain phase(s): delivery, command and control

  • MITRE ATT&CK added: T1189

  • Previously existing MITRE ATT&CK: T1189, T1105, T1071

  • Methods added: 12

 

Lumma (Data Theft)

Lumma is a C-based information stealer sold on Russian underground forums and Telegram by LummaC since August 2022. It targets cryptocurrency wallets and has file grabber capabilities.

  • Added kill chain phase(s): command and control, actions on objectives

  • Previously supported kill chain phase(s): actions on objectives, command and control, installation, delivery

  • MITRE ATT&CK added: T1071

  • Previously existing MITRE ATT&CK: T1005, T1071, T1573, T1105

  • Methods added: 51

 

Molerats (APT)

The politically-motivated threat group Molerats has been active since 2012 targeting victims in the Middle East, Europe, and the US according to reports by MITRE.

  • Added kill chain phase(s): command and control

  • Previously supported kill chain phase(s): command and control, delivery

  • Methods added: 3

 

NetSupport RAT (RAT)

Remote Access Trojans allow covert surveillance and unauthorized access to victim PCs, collecting keystrokes, passwords, screenshots, and more. They differ from keyloggers by providing remote access capabilities to attackers.

  • Added kill chain phase(s): command and control

  • Previously supported kill chain phase(s): actions on objectives, command and control, exploitation, installation

  • MITRE ATT&CK added: T1105

  • Previously existing MITRE ATT&CK: T1071, T1105

  • Methods added: 1

 

SocGholish (Social Engineering)

Malwarebytes found a new social engineering toolkit that uses compromised websites to perform advanced fingerprinting checks and deliver the NetSupport RAT payload.

  • Added kill chain phase(s): command and control

  • Previously supported kill chain phase(s): command and control, exploitation, delivery, reconnaissance, actions on objectives

  • Methods added: 9

 

Stealer and Exfiltration (Data Theft)

Info stealers gather sensitive data on infected computers to send to attackers, typically targeting online banking, social media, email, and FTP accounts. They use various methods including hooking browsers and keylogging.

  • Added kill chain phase(s): actions on objectives, command and control

  • Previously supported kill chain phase(s): actions on objectives, command and control, installation, delivery, exploitation

  • MITRE ATT&CK added: T1005, T1041, T1071

  • Previously existing MITRE ATT&CK: T1071, T1005, T1041, T1567, T1095, T1105, T1486, T1587, T1496

  • Methods added: 6

 

TransparentTribe (APT)

Group targeting Indian Army and related assets in India, as well as activists and civil society in Pakistan, attributed to a Pakistani connection by TrendMicro and others.

  • Added kill chain phase(s): delivery

  • Previously supported kill chain phase(s): delivery, command and control

  • MITRE ATT&CK added: T1105

  • Previously existing MITRE ATT&CK: T1071, T1041, T1105

  • Methods added: 1

 

Trojan Downloader (Downloader)

Trojan downloaders are malicious software that look legitimate, but can harm your computer by downloading files, often without user consent, to steal, damage, or disrupt your devices.

  • Added kill chain phase(s): delivery

  • Previously supported kill chain phase(s): command and control, delivery, actions on objectives, installation

  • Methods added: 6

 

Tycoon (Phishing)

Tycoon 2FA is a PhaaS platform seen in 2023 that bypasses MFA protections, targeting Microsoft 365 and Gmail accounts. A significant threat to users, it has been grabbing headlines in recent campaigns.

  • Added kill chain phase(s): delivery

  • Previously supported kill chain phase(s): delivery, command and control

  • MITRE ATT&CK added: T1566

  • Previously existing MITRE ATT&CK: T1071, T1566

  • Methods added: 50

 

Unknown APT (APT)

Sophisticated adversary with expertise and resources uses multiple attack vectors to establish presence in organizations' IT infrastructure, exfiltrate information, undermine missions, and persistently adapt to defenders.

  • Added kill chain phase(s): command and control

  • Previously supported kill chain phase(s): command and control, delivery, actions on objectives

  • Methods added: 9

 

XWorm (RAT)

Cyble research labs found a malware developer advertising a powerful Windows RAT on the dark web during a threat-hunting exercise.

  • Added kill chain phase(s): command and control

  • Previously supported kill chain phase(s): command and control, delivery

  • MITRE ATT&CK added: T1573

  • Previously existing MITRE ATT&CK: T1071, T1573

  • Methods added: 16

 

Other Threat Detection Update(s)

The following threat detection(s) were improved this past week with new or updated threat methods.

Name of threat New coverage Total coverage Last updated
  New Detection methods Kill chain phases Protocols involved Detection methods Kill chain phases Protocols involved  
APT35 5 command and control, delivery dns, tls, http 1992 actions on objectives, command and control, delivery dns, ftp, http, tcp, tls, udp 2026-03-14
Backdoor 1 command and control http 472 actions on objectives, command and control, delivery, installation dns, ftp, http, icmp, smtp, tcp, tcp-pkt, tls, udp 2026-03-12
Cobalt Strike 6 command and control dns, tls, http 608 actions on objectives, command and control, delivery, exploitation dns, http, smb, tcp, tls, udp 2026-03-14
DemonHavoc 24 command and control http, dns, tls 24 command and control http, dns, tls 2026-03-13
Fake Browser 3 exploitation dns, tls, http 1933 command and control, delivery, exploitation dns, http, tls 2026-03-13
Fake Service 1 installation http 177 actions on objectives, command and control, delivery, installation dns, http, tcp, tls 2026-03-12
LandUpdate808 12 command and control dns, tls, http 872 command and control, delivery dns, http, tls 2026-03-14
LoJax 30 command and control dns, tls, http 30 command and control dns, tls, http 2026-03-12
Lumma 51 command and control, actions on objectives dns, tls, http 7690 actions on objectives, command and control, delivery, installation dns, http, tls 2026-03-12
Molerats 3 command and control dns, tls, http 346 command and control, delivery dns, http, tcp, tls 2026-03-14
NetSupport RAT 1 command and control http 197 actions on objectives, command and control, exploitation, installation dns, http, tls 2026-03-10
RDP Malicious Cookie 2 exploitation tcp 2 exploitation tcp 2026-03-12
SocGholish 9 command and control dns, tls, http 2116 actions on objectives, command and control, delivery, exploitation, reconnaissance dns, http, tcp, tcp-pkt, tls 2026-03-12
Stealer and Exfiltration 6 actions on objectives, command and control http, dns, tls 515 actions on objectives, command and control, delivery, exploitation, installation dns, ftp, http, smtp, tcp, tcp-pkt, tls 2026-03-13
TA395 6 command and control dns, tls, http 9 command and control dns, tls, http 2026-03-13
TransparentTribe 1 delivery http 60 command and control, delivery dns, http, tcp, tcp-pkt, tls 2026-03-12
Trojan Downloader 6 delivery dns, tls, http 447 actions on objectives, command and control, delivery, installation dns, http, tcp, tls, udp 2026-03-10
Tycoon 50 delivery http, dns, tls 81 command and control, delivery dns, http, tls 2026-03-12
Unknown APT 9 command and control dns, tls, http 1909 actions on objectives, command and control, delivery dns, http, tcp, tls 2026-03-14
XWorm 16 command and control tcp-pkt 4735 command and control, delivery dns, http, tcp, tcp-pkt, tls 2026-03-13
defendnot 6 command and control, delivery dns, tls, http 6 command and control, delivery dns, tls, http 2026-03-12

 

Additional Resources

Technical support
Join the conversation on Discord
Follow us Twitter
Follow us on LinkedIn
Subscribe to our YouTube channel
Stamus Networks website

Schedule a Demo of Clear NDR

Request a Demo

ABOUT STAMUS® NETWORKS

Stamus Networks is the global leader in Suricata-based network security and the creator of the innovative Clear NDR® system. Designed to close visibility gaps and reduce alert fatigue, Clear NDR transforms raw network traffic into actionable security insights with unmatched transparency, customization, and effectiveness. Trusted by leading financial institutions, government agencies, and battle-tested over 9 years in NATO’s largest cybersecurity exercises, Stamus Networks delivers proven, high-performance network detection and response solutions. Stamus empowers security teams – delivering clarity amidst complexity – with greater control, fewer false positives, faster response times, and a more responsive, open approach than legacy vendors.

Indianapolis, USA Paris, France

Privacy

© 2014-2026 Stamus Networks, Inc. All rights Reserved.