the threat gazette
Afternoon Update
Intraday Update
Ransomware

Silent Ransom Group Extends BigLaw Campaign, Breaches Orrick Herrington Following Jones Day

Chatty Spider UNC3753 Attor

Silent Ransom Group (Luna Moth / Chatty Spider / UNC3753) has claimed a breach of Orrick, Herrington & Sutcliffe following a similar incident at Jones Day, indicating an active and deliberate campaign against Am Law 100 firms. SRG's operational model — callback phishing leading to remote access tool deployment, data exfiltration, and extortion without any encryption component — is purpose-built to evade ransomware-focused detection playbooks. For a financial institution, the exposure is indirect but significant: outside counsel handling M&A transactions, litigation strategy, and privileged communications holds data as sensitive as anything on the bank's own estate. A breach at external counsel may trigger disclosure or regulatory obligations depending on what data is held and under which jurisdictional regimes. This warrants a conversation with legal operations about what your outside counsel panel is holding and what their contractual incident notification SLAs actually require.

SRG operates as a pure extortion group — no RaaS, no encryption, no affiliates — which makes them harder to track through conventional ransomware telemetry. Their focus on breach-averse professional services reflects deliberate target selection: law firms have strong incentives to pay quietly and limited public disclosure obligations. The callback phishing methodology has been documented since 2022 and shows no sign of operational degradation. Time to pressure-test your outside counsel panel's incident response and notification posture.
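The operational model described above ends in a remote access tool being installed by a user who was talked into it over the phone, and that step leaves ordinary process-creation telemetry even when no malware ever touches disk. The following is an added example, not code from the page or from any vendor it mentions: it triages constructed process-creation events (Sysmon Event ID 1 shape) for remote-access binaries launched outside the approved corporate install path, raising severity when the launch comes from a user-writable directory and is spawned by a browser. The watchlist is an illustrative set of commercial remote-support binaries and is not a statement of which tools SRG uses; the approved path, browser list and sample events are all assumptions.

```python
"""Triage process-creation events for unapproved remote-access tool launches.

Added example, not the page's code.  The watchlist is illustrative (commercial
remote-support products plus a hypothetical corporate agent); approved install
paths, browser names and the sample events are constructed.
"""
from pathlib import PureWindowsPath
from typing import Optional

# Illustrative watchlist; extend it from your own software inventory.
REMOTE_ACCESS_WATCHLIST = {"anydesk.exe", "teamviewer.exe", "corp-remote-agent.exe"}
# Where the sanctioned tooling lives (assumed).  Watchlist hits elsewhere are unapproved.
APPROVED_INSTALL_PREFIXES = ("c:\\program files\\corpremote\\",)
# Path fragments that mark directories a standard user can write to (assumed list).
USER_WRITABLE_HINTS = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\desktop\\", "\\temp\\")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}


def is_user_writable(path: str) -> bool:
    return any(hint in path.lower() for hint in USER_WRITABLE_HINTS)


def assess(event: dict) -> Optional[dict]:
    """Return a finding for an unapproved remote-access launch, else None."""
    image = event["Image"]
    name = PureWindowsPath(image).name.lower()
    if name not in REMOTE_ACCESS_WATCHLIST:
        return None
    if image.lower().startswith(APPROVED_INSTALL_PREFIXES):
        return None  # sanctioned agent running from its sanctioned location
    reasons = ["remote-access tool outside approved install path"]
    if is_user_writable(image):
        reasons.append("launched from user-writable directory")
    parent = PureWindowsPath(event.get("ParentImage", "")).name.lower()
    if parent in BROWSERS:
        reasons.append("spawned by browser (download-and-run pattern)")
    # All three indicators together match the callback-phishing deployment shape.
    severity = "high" if len(reasons) == 3 else "medium"
    return {"user": event.get("User"), "image": image, "severity": severity, "reasons": reasons}


def triage(events) -> list:
    """Apply assess() to every event and keep only the findings."""
    return [finding for finding in map(assess, events) if finding is not None]


# Constructed sample events; users, hosts and paths are illustrative only.
SAMPLE_EVENTS = [
    # 1: remote-support tool downloaded and run from Chrome -> high
    {"User": "CORP\\jdoe",
     "ParentImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "Image": "C:\\Users\\jdoe\\Downloads\\AnyDesk.exe"},
    # 2: sanctioned agent from its approved path -> no finding
    {"User": "NT AUTHORITY\\SYSTEM",
     "ParentImage": "C:\\Windows\\System32\\services.exe",
     "Image": "C:\\Program Files\\CorpRemote\\corp-remote-agent.exe"},
    # 3: unrelated process -> no finding
    {"User": "CORP\\jdoe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\notepad.exe"},
    # 4: watchlist tool from a non-approved, non-user-writable path -> medium
    {"User": "CORP\\asmith",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Tools\\TeamViewer.exe"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding["severity"].upper(), finding["user"], finding["image"], "|", "; ".join(finding["reasons"]))
```

The value of this check is the allow-list, not the watchlist: a help-desk-sanctioned tool running from its packaged location is silent, while the same binary name appearing in a Downloads folder under a browser parent is exactly the sequence a "please install this so we can fix the issue" call produces.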

2026-04-10
1 source

Editorial

Three of today's notable stories — Silent Ransom Group's systematic targeting of Am Law 100 firms, DPRK's six-month conference-based cultivation for the Drift theft, and Flashpoint's PhaaS documentation — converge on the same strategic problem: adversaries are routing around well-defended perimeters by exploiting trust relationships that produce no actionable IOCs. For financial institutions, Silent Ransom Group's exfil-only model hitting your outside counsel is the most immediate concern — Orrick following Jones Day suggests deliberate target selection of firms holding privileged financial sector data, and the absence of ransomware detonation means your detection playbooks for that kill chain never fire. The DPRK post-mortem should recalibrate how leadership thinks about vendor and partner vetting: a zero-IOC, six-month social engineering operation isn't an edge case anymore, it's a documented and successful playbook.

Separately, three stories within this lookback window — the trojanized Claude AI installer delivering PlugX, CPUID's supply chain compromise pushing malware through CPU-Z downloads, and the JSON Formatter Chrome extension turning malicious — represent a clear clustering around developer and utility tooling as initial access vectors. These aren't novel techniques (DLL side-loading is practically artisanal at this point), but the social engineering wrapper has evolved: AI tool downloads are where developer trust and urgency intersect right now, and lookalike domains for tools people actively want to install enjoy a much higher conversion rate than traditional phishing. If your endpoint controls aren't validating sideloaded DLLs from non-corporate download sources, that's the gap.

Notable

Malware

Trojanized Claude AI Installer Delivers PlugX via DLL Side-Loading Campaign

T1574.002 PlugX

A threat actor registered a lookalike domain impersonating Anthropic's Claude and distributed a trojanized installer that deploys PlugX via DLL side-loading (T1574.002). The installer functions normally from the user's perspective, making detection entirely dependent on behavioral signals rather than user-reported anomalies. PlugX has extensive documented use across Chinese state-nexus APT clusters, though broad proliferation into crimeware ecosystems means this campaign alone doesn't establish confident attribution. The targeting demographic — developers and AI-adjacent users searching for a Claude desktop client — is precisely the population most likely to bypass enterprise app controls via a direct download. The DLL side-loading chain is worth validating against current EDR behavioral coverage given its prevalence in this class of campaign.
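Both the editorial's point about validating side-loaded DLLs from non-corporate download sources and this story's note on EDR behavioral coverage come down to one telemetry question: does a signed executable running from a user-writable directory load an untrusted DLL that sits beside it? The following is an added example, not code from the page or from any vendor it mentions. It applies that heuristic to constructed Sysmon Event ID 7 (Image loaded) records exported in a flat key=value format; the `ProcessSigned` field is assumed to be an enrichment joined from the process-creation event, since Event ID 7 itself only carries the signature state of the loaded DLL, and the directory lists and sample paths are assumptions.

```python
"""Flag DLL side-loading candidates in Sysmon Event ID 7 (Image loaded) records.

Added example, not the page's code.  Heuristic (an assumption, not something
the page states): a signed executable running from a user-writable directory
loads a DLL that sits in that same directory and is unsigned or carries an
invalid signature.  That is the shape a trojanized installer produces when it
drops a legitimate signed EXE next to a malicious sidecar DLL.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Path fragments that mark directories a standard user can write to (assumed list).
USER_WRITABLE_HINTS = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\desktop\\", "\\temp\\")
# Roots where a legitimately installed, signed binary is expected to live.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass(frozen=True)
class ImageLoad:
    image: str            # Sysmon "Image": the process doing the load
    image_loaded: str     # Sysmon "ImageLoaded": the DLL
    process_signed: bool  # enrichment joined from the process-create event (assumed field)
    dll_signed: bool      # Sysmon "Signed"
    dll_sig_status: str   # Sysmon "SignatureStatus" ("Valid", "Unavailable", ...)


def parse_record(line: str) -> ImageLoad:
    """Parse a flattened 'Key=Value|Key=Value' record (constructed export format)."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ImageLoad(
        image=fields["Image"],
        image_loaded=fields["ImageLoaded"],
        process_signed=fields.get("ProcessSigned", "false").lower() == "true",
        dll_signed=fields.get("Signed", "false").lower() == "true",
        dll_sig_status=fields.get("SignatureStatus", "Unavailable"),
    )


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return any(hint in p for hint in USER_WRITABLE_HINTS) and not p.startswith(TRUSTED_ROOTS)


def is_sideload_candidate(ev: ImageLoad) -> bool:
    """Signed loader + untrusted DLL + same directory + user-writable location."""
    exe_dir = str(PureWindowsPath(ev.image).parent).lower()
    dll_dir = str(PureWindowsPath(ev.image_loaded).parent).lower()
    dll_trusted = ev.dll_signed and ev.dll_sig_status.lower() == "valid"
    return ev.process_signed and not dll_trusted and exe_dir == dll_dir and is_user_writable(ev.image)


def scan(records) -> list:
    """Return the DLL path of every record matching the side-loading heuristic."""
    return [ev.image_loaded for ev in map(parse_record, records) if is_sideload_candidate(ev)]


# Constructed sample records; names and paths are illustrative only.
SAMPLE_RECORDS = [
    # 1: signed setup EXE in Downloads loads an unsigned version.dll beside it -> flag
    "Image=C:\\Users\\dev\\Downloads\\vendor-setup\\setup.exe"
    "|ImageLoaded=C:\\Users\\dev\\Downloads\\vendor-setup\\version.dll"
    "|ProcessSigned=true|Signed=false|SignatureStatus=Unavailable",
    # 2: same EXE loads the real system DLL -> benign
    "Image=C:\\Users\\dev\\Downloads\\vendor-setup\\setup.exe"
    "|ImageLoaded=C:\\Windows\\System32\\version.dll"
    "|ProcessSigned=true|Signed=true|SignatureStatus=Valid",
    # 3: signed app in Program Files loads its own unsigned plugin -> outside this rule's scope
    "Image=C:\\Program Files\\Acme\\acme.exe|ImageLoaded=C:\\Program Files\\Acme\\plugin.dll"
    "|ProcessSigned=true|Signed=false|SignatureStatus=Unavailable",
    # 4: unsigned EXE in Downloads loads an unsigned DLL -> not side-loading (a different rule)
    "Image=C:\\Users\\dev\\Downloads\\tool\\tool.exe|ImageLoaded=C:\\Users\\dev\\Downloads\\tool\\helper.dll"
    "|ProcessSigned=false|Signed=false|SignatureStatus=Unavailable",
]

if __name__ == "__main__":
    for dll in scan(SAMPLE_RECORDS):
        print("side-load candidate:", dll)
```

Record 2 is the important negative: the same installer loading the genuine `version.dll` from System32 is the normal case, and a rule keyed only on "signed process loads version.dll" would page on every legitimate run. Tying the match to the DLL's directory equalling the loader's directory, and that directory being user-writable, is what separates the sidecar from the system copy.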

The 'trojanized legitimate installer' vector is as evergreen as it gets — we've seen it with VPNs, crypto wallets, messaging apps, and now AI clients. The pattern will continue exactly as long as AI tool downloads remain a growth category. PlugX has been in active circulation since approximately 2008 and at this point functions as a generic marker of Chinese-nexus tooling provenance, though that attribution signal has degraded considerably.

Geopolitical

Post-Mortem Reveals Six-Month DPRK Social Engineering Operation Preceded $280M Drift Cryptocurrency Theft

AppleJeus

Drift's published post-mortem details a multi-month operation attributed to North Korean actors (Lazarus Group / TraderTraitor cluster) using the AppleJeus toolset. The operation began with fabricated front companies established at an industry conference, continued through months of trust-building with zero malware deployment, and culminated in a $280M theft. The operational template precisely matches CISA's TraderTraitor advisory (AA23-308A). The six-month cultivation phase producing no detectable IOC trail is the operationally significant detail. For a financial institution, this reframes third-party and vendor risk assessment: long-running social engineering campaigns targeting your partners, legal counsel, or counterparties won't look like an intrusion until they become one. Standard conference opsec guidance doesn't address the gap — relationship vetting processes need to account for this template.

DPRK's systematic pivot from disruptive operations to cryptocurrency theft is a documented state revenue program estimated at $3B+ since 2017. The sophistication of the conference infiltration methodology is a meaningful maturation signal, not an anomaly. AppleJeus has been running in various forms since at least 2018; the tooling is proven, and the social engineering wrapper is getting more patient and more credible.

Social Engineering

Flashpoint Documents Industrialized Phishing-as-a-Service Pipeline with Explicit Financial Sector Targeting

UPPERCUT

Flashpoint, in partnership with financial institutions, has published analysis of mature PhaaS operations exhibiting RaaS-level specialization: distinct actors handling infrastructure provisioning, delivery, credential harvesting, and cash-out as a coordinated supply chain with explicit financial sector focus. The specialized operator model means each kill chain stage produces distinct, non-overlapping IOCs — the delivery infrastructure won't match the harvesting kit, which won't match the cash-out layer. Defenses scoped to 'the phishing email' catch only the first handoff. The more durable detection surface is credential harvesting kit behavior and initial post-harvest access patterns, where specialist operators leave more consistent behavioral signatures.

The division of criminal labor now mirrors legitimate software supply chains in ways that are structurally elegant and analytically inconvenient. PhaaS, IABs, MaaS — this serviceification has been accelerating since at least 2020 and represents a durable structural shift. Each handoff boundary is a detection opportunity, but only if your telemetry spans the full chain rather than optimizing for the initial delivery vector.

Supply Chain

JSON Formatter Chrome Extension Compromised After Developer Transition to Closed-Source Model

The callumlocke JSON Formatter Chrome extension — a widely-installed developer tool — has been observed injecting adware after the developer abandoned open-source development for a commercial model. The original repository remains online as a reference, but the actively distributed version exhibits malicious behavior. The extension's broad page-read permissions create an exposure surface extending well beyond nuisance advertising, particularly where developers use the same browser profile for internal tooling, CI/CD dashboards, or authenticated enterprise applications. The immediate risk is not the adware payload — it's the permissions footprint. A developer extension with access to all page content coexisting in a browser profile with internal portals and admin consoles is a data harvesting risk regardless of the current payload's intent.

Browser extensions remain a chronically under-managed attack surface in enterprise environments: permissions are coarse, the Chrome Web Store review process is not rigorous, and most endpoint controls don't cover extension provenance. The 'developer monetizes popular free tool via malicious update' supply chain vector is recurring and systematically underweighted. This is a reasonable prompt to audit developer browser extension inventories and verify whether allow-listing is enforced.
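The audit the story recommends starts with what an extension is actually allowed to read, and a Chrome manifest can grant host access in three places: MV2 `permissions` (where host patterns are mixed in with API permissions), MV3 `host_permissions` and its optional variants, and `content_scripts[].matches`. The following is an added example, not code from the page or from any extension it names: it computes each installed extension's effective host access from all three sources and reports the ones whose reach is every site. The default profile path is Chrome's standard location on Windows; the two sample manifests are constructed for illustration and are not the manifest of the extension discussed above.

```python
"""Audit Chrome extension manifests for broad page-read access.

Added example, not the page's code.  Walks <Extensions>/<id>/<version>/manifest.json
under a Chrome profile and reports extensions whose effective host access covers
every site.  Sample manifests are constructed; the profile path is Chrome's
default on Windows.
"""
import json
import os
from pathlib import Path


def is_broad_pattern(pattern: str) -> bool:
    """True for match patterns that cover every host ("<all_urls>", "*://*/*", "https://*/*")."""
    if pattern == "<all_urls>":
        return True
    scheme, sep, rest = pattern.partition("://")
    if not sep:
        return False  # an API permission such as "storage", not a host pattern
    host = rest.split("/", 1)[0]
    return host == "*"


def effective_host_patterns(manifest: dict) -> set:
    """Collect every host pattern the manifest can grant, whichever manifest version it uses."""
    patterns = set()
    for key in ("permissions", "optional_permissions", "host_permissions", "optional_host_permissions"):
        for entry in manifest.get(key, []):
            if isinstance(entry, str) and (entry == "<all_urls>" or "://" in entry):
                patterns.add(entry)
    for script in manifest.get("content_scripts", []):
        patterns.update(script.get("matches", []))
    return patterns


def audit_manifest(manifest: dict) -> dict:
    broad = sorted(p for p in effective_host_patterns(manifest) if is_broad_pattern(p))
    return {
        "name": manifest.get("name", "?"),  # real manifests may carry a "__MSG_*__" locale key here
        "version": manifest.get("version", "?"),
        "manifest_version": manifest.get("manifest_version"),
        "broad_host_patterns": broad,
        "reads_all_sites": bool(broad),
    }


def audit_profile(extensions_dir: Path) -> list:
    """Audit every installed extension version under a Chrome profile's Extensions directory."""
    findings = []
    for manifest_path in sorted(extensions_dir.glob("*/*/manifest.json")):
        with manifest_path.open(encoding="utf-8") as fh:
            result = audit_manifest(json.load(fh))
        result["extension_id"] = manifest_path.parent.parent.name
        findings.append(result)
    return findings


# Constructed manifests: a formatter-style tool with all-sites access, and a narrowly scoped one.
BROAD_MANIFEST = {
    "manifest_version": 3, "name": "Example Formatter", "version": "2.0.0",
    "permissions": ["storage"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["*://*/*"], "js": ["content.js"]}],
}
NARROW_MANIFEST = {
    "manifest_version": 3, "name": "Example Internal Helper", "version": "1.0.0",
    "permissions": ["activeTab", "storage"],
    "content_scripts": [{"matches": ["https://tools.internal.example/*"], "js": ["content.js"]}],
}

if __name__ == "__main__":
    default_dir = Path(os.environ.get("LOCALAPPDATA", "")) / "Google" / "Chrome" / "User Data" / "Default" / "Extensions"
    if default_dir.is_dir():
        results = audit_profile(default_dir)
    else:  # no local profile: demonstrate on the constructed manifests
        results = [audit_manifest(BROAD_MANIFEST), audit_manifest(NARROW_MANIFEST)]
    for r in results:
        if r["reads_all_sites"]:
            print(f"{r['name']} {r['version']}: all-sites access via {r['broad_host_patterns']}")
```

An extension that needs page content only when the user invokes it can be written against `activeTab`, which grants access to the current tab on click and nothing else; that is the bar to hold developer tooling to before it shares a profile with admin consoles, because a broad host pattern turns every future update into a standing data-harvesting capability regardless of what the current version does.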

Briefs