Threat actor Earth Alux is using VARGEIT and COBEACON backdoors to attack critical APAC and LATAM sectors.
A newly identified threat actor, Earth Alux, linked to China, has been actively targeting critical sectors such as government, logistics, telecommunications and IT services across the APAC and LATAM regions since the middle of 2023.
Earth Alux infiltrates networks by exploiting internet-facing applications, deploying the Godzilla web shell to deliver payloads including the VARGEIT and COBEACON backdoors. VARGEIT, the group's primary tool, enables stealthy data exfiltration and lateral movement using a fileless approach and various C&C communication channels, even through Microsoft Outlook via Graph API.
Meanwhile, COBEACON acts as an early-stage backdoor, often launched using MASQLOADER or RSBINJECT, the latter being a Rust-based loader. Their toolkit includes RAILLOAD and RAILSETTER for persistence and timestomping, aided by techniques like DLL side-loading and API unhooking to avoid detection. Earth Alux's use of testing tools like ZeroEye and VirTest highlights its dedication to refining its malware and maintaining long-term stealthy access to compromised environments.
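The paragraph mentions that RAILSETTER is used for timestomping. The following is an added example, not code from the original report or from the group's tooling: a small Python triage helper that applies common forensic heuristics to file timestamps to flag candidates for closer review. The record layout, file paths, and timestamp values are constructed for the example. The strongest NTFS check (comparing $STANDARD_INFORMATION against $FILE_NAME in the MFT) needs an MFT parser and is not included here.

```python
import os
from dataclasses import dataclass
from datetime import datetime, timezone

NS = 1_000_000_000


@dataclass
class FileTimes:
    """Timestamps in nanoseconds since the Unix epoch (constructed record layout)."""
    path: str
    created_ns: int   # birth / creation time
    modified_ns: int  # last content write
    changed_ns: int   # metadata change (NTFS $SI entry-modified, POSIX ctime)


def timestomp_indicators(ft: FileTimes) -> list[str]:
    """Return heuristic reasons why this file's timestamps look tampered with."""
    reasons = []
    # A file cannot normally be written before it was created.
    if ft.modified_ns < ft.created_ns:
        reasons.append("modified-before-created")
    # Tools that set times from second-granularity input leave the sub-second
    # part at exactly zero; on NTFS (100 ns) or ext4 (1 ns) that is unusual.
    # Caveat: archive extraction and FAT volumes also produce whole seconds.
    if ft.modified_ns and ft.modified_ns % NS == 0 and ft.created_ns % NS == 0:
        reasons.append("zero-subsecond-timestamps")
    # A content write also updates the metadata-change time, so a modified
    # time later than the change time means it was set explicitly.
    if ft.modified_ns > ft.changed_ns:
        reasons.append("modified-after-metadata-change")
    return reasons


def from_stat(path: str) -> FileTimes:
    """Build a record from a live file (birth time falls back to ctime where unsupported)."""
    st = os.stat(path)
    birth = getattr(st, "st_birthtime_ns", None) or st.st_ctime_ns
    return FileTimes(path, birth, st.st_mtime_ns, st.st_ctime_ns)


def scan(records: list[FileTimes]) -> dict[str, list[str]]:
    """Map each flagged path to its indicators; clean files are omitted."""
    return {r.path: timestomp_indicators(r) for r in records if timestomp_indicators(r)}


def ts(iso: str, extra_ns: int = 0) -> int:
    """Helper to build constructed UTC timestamps in nanoseconds."""
    return int(datetime.fromisoformat(iso).replace(tzinfo=timezone.utc).timestamp()) * NS + extra_ns


# Constructed sample records: one ordinary file, one with implausible times.
SAMPLE_RECORDS = [
    FileTimes(r"C:\Windows\System32\legit.dll",
              ts("2024-01-10T12:00:00", 123_456_700),
              ts("2024-01-10T12:00:05", 987_654_300),
              ts("2024-01-10T12:00:05", 987_654_300)),
    FileTimes(r"C:\ProgramData\update\svc.dll",
              ts("2020-05-05T00:00:00"),
              ts("2019-01-01T00:00:00"),
              ts("2025-03-20T09:13:42", 553_210_000)),
]

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_RECORDS).items():
        print(path, "->", ", ".join(reasons))
```

Treat the output as a triage list, not a verdict: legitimate software installers, backup restores, and archive extraction can all produce whole-second or out-of-order timestamps, so flagged files should be checked against installation records and, on NTFS, against the $FILE_NAME timestamps.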
Data breach hits the State Bar of Texas; INC ransomware gang claims responsibility
The State Bar of Texas has disclosed a data breach following claims by the INC ransomware gang, which posted samples of allegedly stolen data on its extortion site. With over 100,000 licensed attorneys, the organization regulates the legal profession in Texas.
In notices sent to affected individuals, the Bar confirmed unauthorized access and data theft, including full names and unspecified additional information. While the public breach notice does not detail the attackers, INC ransomware listed the organization as a victim on March 9 and published legal case files allegedly taken during the attack.
INC is a ransomware group known for targeting health care organizations, including attacks on Alder Hey Children's Hospital in Liverpool in November 2024 and Genea, an Australian fertility clinic, in February 2025. In the first quarter of 2025, INC Ransom claimed responsibility for 72 ransomware attacks, ranking tenth among ransomware groups during that period.
Updated version of Hijack Loader uses call stack spoofing to deliver infostealer malware
Researchers have identified an updated version of Hijack Loader that incorporates new features to evade detection and establish persistence.
The new version includes a module for call stack spoofing, allowing it to obscure the origin of API and system calls. It also features anti-virtual machine (anti-VM) checks to detect sandbox environments used for malware analysis. Originally discovered in 2023, Hijack Loader is capable of delivering second-stage payloads, such as infostealers, and bypassing security software. It is also known as DOILoader, GHOSTPULSE, IDAT Loader, and SHADOWLADDER.
The loader now uses a technique similar to CoffeeLoader, manipulating EBP pointers to hide malicious stack frames. Additional updates include process injection via Heaven’s Gate, targeting popular antivirus solutions, and the addition of persistence mechanisms through scheduled tasks.
Wave of tax-themed phishing campaigns using PDFs and QR codes to deliver malware
Researchers have identified a wave of tax-themed phishing campaigns using URL shorteners, QR codes, and legitimate services to evade detection and distribute malware. These attacks often lead to fake Microsoft 365 login pages hosted via the RaccoonO365 phishing-as-a-service platform and deliver malware like Remcos RAT, Latrodectus, AHKBot, GuLoader, and BruteRatel C4.
In one recent campaign, PDF attachments with shortened links redirecting to malicious sites disguised as DocuSign pages were used to target U.S. users during tax season. If the system meets specific criteria, users unknowingly download a malicious MSI that installs malware; otherwise, they receive a harmless PDF.
Another large-scale attack hit over 2,300 U.S. organizations, especially in IT and consulting, using QR-coded PDFs to steal Microsoft credentials. These tactics are part of a broader trend that includes fake installers, browser-in-the-browser popups, and abused services like Dropbox and DocuSign to bypass protections.
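The campaigns above rely on PDF attachments whose link annotations point at URL shorteners or at lookalike hosts impersonating DocuSign or Microsoft. The following is an added example, not code from the original report: a Python mail-gateway style check that pulls link annotations out of a PDF and classifies them. The sample PDF bytes, the shortener list and the brand-to-domain map are constructed for the example; the regex only sees uncompressed link objects, so PDFs that store annotations in compressed object streams need a real PDF parser, and decoding QR codes from page images requires an image library and is not covered here.

```python
import re
from urllib.parse import urlparse

# Constructed lists for the example; a production filter would use threat-intel feeds.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "cutt.ly", "rebrand.ly", "ow.ly"}
BRAND_DOMAINS = {
    "docusign": ("docusign.com", "docusign.net"),
    "microsoft": ("microsoft.com", "microsoftonline.com", "office.com", "live.com"),
}

# Matches /URI (literal string) in uncompressed link annotations; handles escaped parens.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def _unescape(raw: bytes) -> str:
    out = bytearray()
    i = 0
    while i < len(raw):
        if raw[i] == 0x5C and i + 1 < len(raw):  # backslash escape
            out.append(raw[i + 1])
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return out.decode("latin-1")


def extract_uris(pdf_bytes: bytes) -> list[str]:
    """Return every /URI target found in the raw PDF, in document order."""
    return [_unescape(m.group(1)) for m in URI_RE.finditer(pdf_bytes)]


def _under(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def classify_uri(uri: str) -> list[str]:
    """Label a link as a shortener and/or a brand lookalike hosted off the brand's domains."""
    host = (urlparse(uri).hostname or "").lower()
    reasons = []
    if any(_under(host, s) for s in SHORTENERS):
        reasons.append("url-shortener")
    for brand, legit in BRAND_DOMAINS.items():
        if brand in host and not any(_under(host, d) for d in legit):
            reasons.append(f"lookalike:{brand}")
    return reasons


def scan_pdf(pdf_bytes: bytes) -> dict[str, list[str]]:
    """Map each link in the PDF to its list of reasons (empty list means nothing flagged)."""
    return {u: classify_uri(u) for u in extract_uris(pdf_bytes)}


# Constructed minimal PDF fragment with three link annotations.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://bit.ly/3xample) >> >> endobj\n"
    b"2 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://docusign-secure.example.net/view) >> >> endobj\n"
    b"3 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://www.docusign.com/) >> >> endobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    for uri, reasons in scan_pdf(SAMPLE_PDF).items():
        print(uri, "->", reasons or "ok")
```

A gateway would typically quarantine or rewrite attachments where any link carries a reason, and resolve shortened links in a sandbox before delivery, since the final landing page (a RaccoonO365 login clone or an MSI download) is what the user would actually reach.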
Threat actor GHNA leaks data stolen through Royal Mail’s supplier, Spectos GmbH
Royal Mail is investigating a possible data breach after a threat actor known as “GHNA” leaked over 144GB of sensitive data, allegedly stolen through a third-party supplier, Spectos GmbH.
Spectos confirmed unauthorized access to its systems, affecting personal customer data, including names, addresses, and internal documents. The attacker published 16,549 files on BreachForums, claiming they contained Royal Mail customer information, delivery schedules, and internal meeting recordings. While Royal Mail emphasized that its operations remain unaffected, researchers traced the breach to credentials stolen from a Spectos employee during a 2021 incident involving infostealer malware. Despite Spectos’ claim that there’s no current evidence of leaked credentials being reused, forensic investigations are ongoing.
The Royal Mail has faced previous cyber incidents, including a major ransomware attack in January 2023 that halted international shipments. Both companies are now working with cybersecurity experts to assess the full impact and strengthen their systems against future threats.