If you work in cybersecurity, these topics and names may sound familiar. Whether you need a refresher or want to find out more, here is a summary of the research our team conducted in 2025.
SadFuture: Mapping XDSpy latest evolution
While tracking state-sponsored threats, our CTR team found a unique cluster of malicious shortcut (LNK) files exploiting a vulnerability. These led to the discovery of XDSpy's sophisticated, active multi-stage infection chain targeting government entities in Eastern Europe.
Why does it matter?
XDSpy has operated largely undetected since 2011 with minimal public coverage yet maintains sophisticated capabilities and persistent targeting of government entities. Despite their operational security, sufficient tactical fingerprints were identified, including consistent execution techniques and unique infrastructure patterns, that enabled attribution across multiple campaigns.
The full report provides comprehensive malware analysis, infrastructure indicators, IOCs, and YARA rules for defenders and researchers, and:
- Detailed analysis of XDigo, XDSpy’s Go-based implant, including its data collection capabilities, anti-analysis techniques, and communication protocols
- In-depth technical examination of the exploitation of the ZDI-CAN-25373 vulnerability, together with additional LNK parsing tricks we discovered, revealing how XDSpy manipulated the LNK file structure to conceal malicious payloads
- Comprehensive infrastructure mapping which connects current activities with historical XDSpy campaigns
Inside Gamaredon’s PteroLNK: Dead Drop Resolvers and evasive Infrastructure
Our CTR team has been proactively tracking Russian-nexus threats and identified the latest samples from the Pterodo malware family, closely associated with the Gamaredon APT group.
These samples, uploaded between late 2024 and mid-March 2025, revealed that Gamaredon’s Dead Drop Resolvers (DDRs) are still being updated daily – clear evidence of ongoing, active operations.
Why does it matter?
As the threat landscape evolves, understanding Gamaredon’s tactics is crucial for defense – not just in Ukraine, but across Europe.
Gamaredon is as active as ever but receives little in-depth coverage. Their ability to consistently evade detection and maintain operational impact makes them a persistent threat in the region.
The report provides technical analysis, detection signatures, hashes, and infrastructure indicators for defenders and researchers, including details about:
- Analysis of the PteroLNK VBScript malware, which is heavily obfuscated and dynamically constructs a downloader and an LNK dropper
- The LNK dropper, which enables rapid propagation across local and network drives by replacing files with deceptive shortcuts, allowing the malware to spread via shared storage
- Gamaredon's use of Telegraph and Teletype articles as well as Cloudflare quick tunnels as malicious infrastructure, in order to blend malicious traffic with legitimate web activity
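The LNK propagation described above (documents replaced with shortcuts that launch a script) is something defenders can hunt for on file shares and removable media. The following is an added example written for this summary, not HarfangLab's or Gamaredon's code: a minimal parser for the MS-SHLLINK format that reads the header, skips the IDList and LinkInfo blocks, extracts the StringData (name, relative path, arguments), and applies two heuristics that are assumptions of this example rather than published signatures: a shortcut whose name ends in a document extension before `.lnk`, and a target or argument string that names a script host. The `build_lnk` helper and the two sample shortcuts are constructed here so the script runs offline; the PteroLNK dropper's actual file names and command lines are not reproduced.

```python
"""Parse Windows shortcut (.lnk, MS-SHLLINK) files and flag shortcuts that
impersonate documents and launch a script host, as a hunting aid for
LNK-based propagation on removable and network drives."""
import re
import struct
from dataclasses import dataclass
from pathlib import Path

# ShellLink header constants from MS-SHLLINK.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80

# Heuristics (assumptions for this example; tune them to your environment).
SCRIPT_HOSTS = {"wscript", "cscript", "mshta", "powershell", "pwsh", "cmd", "rundll32", "regsvr32"}
DOC_EXTS = (".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt", ".jpg", ".png")


@dataclass
class ShellLink:
    flags: int
    name: str = ""
    relative_path: str = ""
    working_dir: str = ""
    arguments: str = ""
    icon_location: str = ""


def parse_lnk(data: bytes) -> ShellLink:
    """Validate the 76-byte header, skip IDList/LinkInfo, read the StringData."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a ShellLink header")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_ID_LIST:      # IDListSize (2 bytes) followed by the ItemIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:    # LinkInfoSize is the first field of the LinkInfo block
        pos += struct.unpack_from("<I", data, pos)[0]
    link = ShellLink(flags)
    # StringData: CountCharacters (2 bytes) then the string, no terminator.
    for bit, attr in ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                      (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"),
                      (HAS_ICON, "icon_location")):
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        pos += count * width
        setattr(link, attr, raw.decode("utf-16-le" if width == 2 else "cp1252", errors="replace"))
    return link


def suspicious_reasons(filename: str, link: ShellLink) -> list[str]:
    """Return human-readable reasons a shortcut looks like a propagation lure."""
    reasons = []
    stem = filename.lower().removesuffix(".lnk")
    if stem.endswith(DOC_EXTS):
        reasons.append(f"shortcut impersonates a document: {filename}")
    tokens = re.split(r'[\s\\/"]+', (link.relative_path + " " + link.arguments).lower())
    hosts = sorted({t for t in tokens if t.split(".")[0] in SCRIPT_HOSTS})
    if hosts:
        reasons.append("launches a script host: " + ", ".join(hosts))
    if len(link.arguments) > 1024:
        reasons.append(f"unusually long argument string ({len(link.arguments)} chars)")
    return reasons


def scan_directory(root: Path) -> dict[str, list[str]]:
    """Walk a drive or share and return {path: reasons} for suspicious shortcuts."""
    findings = {}
    for path in root.rglob("*.lnk"):
        try:
            link = parse_lnk(path.read_bytes())
        except (OSError, ValueError):
            continue
        reasons = suspicious_reasons(path.name, link)
        if reasons:
            findings[str(path)] = reasons
    return findings


def build_lnk(name: str, relative_path: str, arguments: str) -> bytes:
    """Build a minimal Unicode .lnk so the example runs offline (constructed sample data)."""
    flags = HAS_ID_LIST | IS_UNICODE
    flags |= (HAS_NAME if name else 0) | (HAS_RELPATH if relative_path else 0) | (HAS_ARGS if arguments else 0)
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags).ljust(76, b"\x00")
    id_list = struct.pack("<H", 2) + b"\x00\x00"          # empty ItemIDList + TerminalID

    def enc(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    strings = b"".join(enc(s) for s in (name, relative_path, arguments) if s)
    return header + id_list + strings + b"\x00\x00\x00\x00"  # terminal ExtraData block


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp)
        # Constructed samples: a shortcut posing as a document that runs a VBS, and a benign one.
        (share / "Quarterly report.docx.lnk").write_bytes(build_lnk(
            "Quarterly report", "..\\..\\Windows\\System32\\wscript.exe",
            '//e:vbscript //b "C:\\Users\\Public\\update.vbs"'))
        (share / "Notepad.lnk").write_bytes(build_lnk("Notepad", "..\\..\\Windows\\System32\\notepad.exe", ""))
        for path, reasons in scan_directory(share).items():
            print(path, "->", "; ".join(reasons))
```

Point `scan_directory` at a mounted share or USB drive to triage it; only the shortcut masquerading as a document is reported, and the parser deliberately does not resolve the LinkTargetIDList, so a shortcut that hides its real target there (with no relative path or arguments) will need the full IDList decoded before the script-host heuristic applies.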
Ivanti CSA vulnerabilities
Ivanti CSA vulnerabilities have been exploited in the wild since September 2024, as CISA recently reminded.
Why does it matter?
Our CTR team presented their own research confirming worldwide exploitation of Ivanti CSA devices, which led to many webshell deployments in late 2024. They share:
- Unique insight into the malicious activities that followed the compromise of such a device within a targeted organization, along with IOCs for a cluster of associated implants and infrastructure
- A detailed root cause analysis of an Ivanti vulnerability (CVE-2024-8963), which another vendor had erroneously linked to PHP scripts
UAC-0057 keeps applying pressure on Ukraine and Poland
Our CTR Team identified intrusion campaigns which targeted Ukraine and Poland starting April 2025. They were able to connect the malicious campaigns to previously documented activities from UAC-0057 (aka UNC1151, FrostyNeighbor, Ghostwriter) – a cyber espionage actor with reported ties to the Belarusian government.
Why does it matter?
The identified activities aim to perform discovery on compromised systems and to deploy further malware if the operators deem it fit. The threat actor leveraged readily available tools to obfuscate scripts and implants, made efforts to adapt the infection logic to the targeted country, and implemented minor evolutions.
The activity supporting the invasion of Ukraine also relies on infection chains, convoluted execution logic, information discovery, downloader implants and command and control infrastructure. The report offers baselines to detect some of those and provides insights into the evolution of the threat actor's practices.
RudePanda owns IIS servers like it’s 2003
In late August and early September 2025, our security platform detected compromises of IIS servers by a previously undocumented malicious module, which our CTR team named "HijackServer".
Investigating the case, our CTR team discovered an extensive operation which infected hundreds of servers around the world, variants of the HijackServer module, as well as additional and likely associated infrastructure.
Why does it matter?
While the operators appear to use Chinese as their main language and to leverage the compromises to support SEO, our CTR team noticed that the deployed module offers a persistent and unauthenticated channel that allows any party to remotely execute commands on affected servers.
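A native IIS module such as the one described above has to be registered in the server's configuration store before the worker processes load it, which gives defenders a concrete place to look. The following is an added example written for this summary, not HarfangLab's code and not a signature for HijackServer: it reads the `<globalModules>` and `<modules>` sections of `applicationHost.config`, and flags any native module whose DLL lives outside the Microsoft-owned directories (an allow-list that is an assumption of this example and must be extended for legitimately installed third-party modules). The sample configuration, including the `HelperModule` entry and its path, is constructed for the demonstration and does not reproduce the real module's name or location.

```python
"""Inventory native IIS modules registered in applicationHost.config and flag
any whose DLL lives outside the Microsoft-owned directories."""
import os
import xml.etree.ElementTree as ET
from pathlib import Path

# Default location of the IIS configuration store.
APPHOST_CONFIG = (Path(os.environ.get("SystemRoot", "C:\\Windows"))
                  / "System32" / "inetsrv" / "config" / "applicationHost.config")

# Directories a native module image is expected to live in (assumption for this
# example; add the install paths of third-party modules you have approved).
TRUSTED_PREFIXES = ("c:\\windows\\system32\\inetsrv\\", "c:\\windows\\microsoft.net\\")


def _section(root: ET.Element, *tags: str):
    """Descend through child elements by exact tag name (e.g. system.webServer/globalModules)."""
    node = root
    for tag in tags:
        node = next((child for child in node if child.tag == tag), None)
        if node is None:
            return None
    return node


def normalize_image(image: str) -> str:
    """Lower-case the path and expand the environment variables IIS uses in it."""
    p = image.strip().strip('"').lower()
    for var in ("%windir%", "%systemroot%"):
        p = p.replace(var, "c:\\windows")
    return p


def global_modules(xml_text: str) -> list[dict]:
    """Return <globalModules> entries: the native DLLs IIS loads into every worker process."""
    section = _section(ET.fromstring(xml_text), "system.webServer", "globalModules")
    if section is None:
        return []
    return [{"name": a.get("name", ""), "image": a.get("image", ""),
             "preCondition": a.get("preCondition", "")} for a in section.findall("add")]


def enabled_modules(xml_text: str) -> set[str]:
    """Names in the server-level <modules> section, i.e. the modules the pipeline actually runs."""
    section = _section(ET.fromstring(xml_text), "system.webServer", "modules")
    return {a.get("name", "") for a in section.findall("add")} if section is not None else set()


def flag_untrusted_modules(xml_text: str) -> list[dict]:
    """Native modules whose image path is outside TRUSTED_PREFIXES, with their enabled state."""
    enabled = enabled_modules(xml_text)
    return [{**m, "enabled": m["name"] in enabled}
            for m in global_modules(xml_text)
            if not normalize_image(m["image"]).startswith(TRUSTED_PREFIXES)]


def audit_host(config_path: Path = APPHOST_CONFIG) -> list[dict]:
    """Run the check against a live IIS host's configuration store."""
    return flag_untrusted_modules(config_path.read_text(encoding="utf-8-sig"))


# Constructed sample configuration; HelperModule and its path are hypothetical.
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <globalModules>
      <add name="StaticFileModule" image="%windir%\\System32\\inetsrv\\static.dll" />
      <add name="DefaultDocumentModule" image="%windir%\\System32\\inetsrv\\defdoc.dll" />
      <add name="ManagedEngineV4.0_32bit" image="%windir%\\Microsoft.NET\\Framework\\v4.0.30319\\webengine4.dll"
           preCondition="integratedMode,runtimeVersionv4.0,bitness32" />
      <add name="HelperModule" image="C:\\inetpub\\temp\\helper.dll" />
    </globalModules>
    <modules>
      <add name="StaticFileModule" />
      <add name="DefaultDocumentModule" />
      <add name="HelperModule" />
    </modules>
  </system.webServer>
</configuration>
"""

if __name__ == "__main__":
    for m in flag_untrusted_modules(SAMPLE_CONFIG):
        state = "ENABLED" if m["enabled"] else "registered only"
        print(f"{m['name']}: {m['image']} ({state})")
```

On a suspect host, run `audit_host()` and compare the output with `appcmd.exe list modules`; a flagged module that is also enabled is loaded into every site's pipeline, so collect the DLL and the worker process memory before removing it, since the unauthenticated command channel described above lives inside that module.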
To dig into more technical details, visit Inside the Lab, HarfangLab's tech blog!