Indo Guard Online

Global Security
Play the ransom that is operated by Windows Cve-2025-29824 as a zero day to break the American organization

By Admin | May 7, 2025 | 7 Mins Read
Threat actors linked to the Play ransomware family exploited a recently patched Microsoft Windows security flaw as a zero-day in an attack on an unnamed organization in the U.S.

The attack, according to the Symantec Threat Hunter Team, part of Broadcom, leveraged CVE-2025-29824, a privilege escalation flaw in the Common Log File System (CLFS) driver. Microsoft patched it last month.

Play, also tracked as Balloonfly and PlayCrypt, has been active since at least mid-2022.

In the activity observed by Symantec, the threat actors are believed to have used a public-facing Cisco Adaptive Security Appliance (ASA) as the entry point, then moved to a Windows machine on the target network by a technique that has not yet been determined.

The attack is characterized by the use of Grixba, a custom information stealer previously attributed to Play, and the exploit for CVE-2025-29824, which was dropped in the Music folder under filenames masquerading as Palo Alto Networks software (e.g., "paloaltoconfig.exe" and "paloaltoconfig.dll").

The threat actors were also observed running commands to enumerate all machines in the victim's Active Directory and save the results to a CSV file.

"During execution of the exploit, two files are created in the path C:\ProgramData\SkyPDF," Symantec explained. "The first file, PDUDrv.blf, is a Common Log File System base log file and is an artifact created during exploitation."

"The second file, clsrv.inf, is a DLL that is injected into the winlogon.exe process. This DLL has the ability to drop two additional batch files."

One of the dropped batch files, "servtask.bat," is used to escalate privileges, dump the SAM, SYSTEM, and SECURITY registry hives, create a new user named "LocalSvc," and add it to the Administrators group. The other, "cmdpostfix.bat," is used to clean up traces of the exploitation.
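The artifacts just described (the SkyPDF drop path and its two files, the two batch files, the hive dumps, the LocalSvc account, the masquerading Palo Alto filenames and the winlogon.exe injection) are concrete enough to hunt for in endpoint telemetry. The following is an added example written for this page, not Symantec's or Play's code: it runs a small rule set over Sysmon-style events and flags hosts where several distinct steps of the chain appear together, which is what separates the exploitation pattern from a single noisy artifact. The event field names, the Sysmon event IDs used (1 process create, 8 CreateRemoteThread, 11 file create) and the sample events are assumptions constructed for illustration; the paths, file and account names are the ones reported above.

```python
"""Hunt for the CVE-2025-29824 post-exploitation chain in endpoint telemetry.

Added example for this page, not Symantec's or Play's code.  Events are
Sysmon-style dicts; the field names, the event IDs (1 = process create,
8 = CreateRemoteThread, 11 = file create) and SAMPLE_EVENTS are assumptions
constructed for illustration.  Paths, file and account names are the ones
reported in the write-up above.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SKYPDF_DIR = r"c:\programdata\skypdf"                 # exploit drop directory
SKYPDF_FILES = {"pdudrv.blf", "clsrv.inf", "servtask.bat", "cmdpostfix.bat"}
MASQUERADE_NAMES = {"paloaltoconfig.exe", "paloaltoconfig.dll"}
NEW_USER = "localsvc"

# Command lines for the steps servtask.bat performs, plus the AD sweep to CSV.
CMDLINE_RULES = {
    "registry hive dump": re.compile(
        r"\breg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b", re.I),
    "local user created": re.compile(
        r"\bnet1?(\.exe)?\s+user\s+" + NEW_USER + r"\b.*/add", re.I),
    "user added to administrators": re.compile(
        r"\bnet1?(\.exe)?\s+localgroup\s+administrators\s+" + NEW_USER + r"\b.*/add", re.I),
    "batch file run from drop path": re.compile(
        r"skypdf\\(servtask|cmdpostfix)\.bat", re.I),
    "AD computer enumeration to CSV": re.compile(
        r"get-adcomputer.*export-csv", re.I),
}


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def _low(value) -> str:
    return (value or "").lower()


def check_event(ev: dict) -> list[Finding]:
    """Apply every rule to one event; returns the matches (possibly none)."""
    host, eid, hits = ev.get("host", "?"), ev.get("EventID"), []
    if eid == 11:                                     # file create
        path = _low(ev.get("TargetFilename"))
        directory, _, name = path.rpartition("\\")
        if directory == SKYPDF_DIR and name in SKYPDF_FILES:
            hits.append(Finding(host, "CLFS exploit artifact", path))
        if name in MASQUERADE_NAMES and "\\music\\" in path:
            hits.append(Finding(host, "exploit masquerading as Palo Alto software", path))
    elif eid == 8:                                    # CreateRemoteThread
        if _low(ev.get("TargetImage")).endswith("\\winlogon.exe"):
            hits.append(Finding(host, "remote thread into winlogon.exe", _low(ev.get("SourceImage"))))
    elif eid == 1:                                    # process create
        cmd = ev.get("CommandLine", "")
        for rule, pattern in CMDLINE_RULES.items():
            if pattern.search(cmd):
                hits.append(Finding(host, rule, cmd))
    return hits


def hunt(events: list[dict]) -> list[Finding]:
    return [f for ev in events for f in check_event(ev)]


def hosts_with_chain(findings: list[Finding], min_rules: int = 3) -> list[str]:
    """Hosts where several distinct steps of the chain fired: one artifact
    can be noise, several together are the exploitation pattern."""
    rules_by_host: dict[str, set[str]] = {}
    for f in findings:
        rules_by_host.setdefault(f.host, set()).add(f.rule)
    return sorted(h for h, rules in rules_by_host.items() if len(rules) >= min_rules)


# Constructed sample telemetry: WS01 shows the chain, WS02 is benign noise.
SAMPLE_EVENTS = [
    {"host": "WS01", "EventID": 11, "TargetFilename": r"C:\Users\j.doe\Music\paloaltoconfig.exe"},
    {"host": "WS01", "EventID": 11, "TargetFilename": r"C:\ProgramData\SkyPDF\PDUDrv.blf"},
    {"host": "WS01", "EventID": 11, "TargetFilename": r"C:\ProgramData\SkyPDF\clsrv.inf"},
    {"host": "WS01", "EventID": 8, "SourceImage": r"C:\Users\j.doe\Music\paloaltoconfig.exe",
     "TargetImage": r"C:\Windows\System32\winlogon.exe"},
    {"host": "WS01", "EventID": 1, "CommandLine": r'cmd.exe /c "C:\ProgramData\SkyPDF\servtask.bat"'},
    {"host": "WS01", "EventID": 1, "CommandLine": r"reg save HKLM\SAM C:\ProgramData\SkyPDF\sam.hiv"},
    {"host": "WS01", "EventID": 1, "CommandLine": "net user LocalSvc Passw0rd! /add"},
    {"host": "WS01", "EventID": 1, "CommandLine": "net localgroup Administrators LocalSvc /add"},
    {"host": "WS02", "EventID": 11, "TargetFilename": r"C:\Windows\System32\config\TxR\state.blf"},
    {"host": "WS02", "EventID": 1, "CommandLine": "net user"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.host}: {f.rule}: {f.detail}")
    print("likely CVE-2025-29824 chain on:", hosts_with_chain(hunt(SAMPLE_EVENTS)))
```

The per-event rules are deliberately narrow (exact drop directory, exact account name) so they stay quiet on a fleet; the `hosts_with_chain` threshold is where the tuning happens. A real `.blf` under `C:\Windows\System32\config\TxR` or a plain `net user` listing on WS02 produces nothing, while WS01 trips six distinct rules and is reported.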

Symantec said no ransomware payload was deployed in the intrusion. The findings suggest that exploits for CVE-2025-29824 may have been available to multiple threat actors before Microsoft patched it.

It is worth noting that the activity detailed by Symantec differs in nature from that of Storm-2460, which Microsoft disclosed had weaponized the flaw in a limited set of attacks to deliver a trojan named PipeMagic.


The exploitation of CVE-2025-29824 also points to a trend of ransomware actors using zero-days to break into targets. Last year, Symantec reported that the Black Basta group may have exploited CVE-2024-26169, a privilege escalation flaw in the Windows Error Reporting Service, as a zero-day.

New "Bring Your Own Installer" EDR Bypass Used in Babuk Ransomware Attack

The disclosure comes as incident response services provider Aon's Stroz Friedberg detailed a new local EDR bypass technique, called Bring Your Own Installer, that was used in a Babuk ransomware attack.

The attack, according to the company, targeted SentinelOne's endpoint detection and response (EDR) system by exploiting a flaw in its upgrade/downgrade process after the attackers had gained local administrative access to a publicly accessible server.

"Bring Your Own Installer is a technique that can be used by threat actors to bypass EDR protection on hosts via the agent upgrade process if it is not configured properly," Aon's John Ailes and Tim Mashni noted.

The approach is notable because it does not rely on vulnerable drivers or other security-disabling tools. Instead, it takes advantage of a window of opportunity during the agent upgrade to terminate the running EDR agent, leaving the device unprotected.

Specifically, it abuses the fact that installing a different version of the software from its MSI file causes the installer to terminate the already-running Windows processes before the update.

The Bring Your Own Installer attack essentially involves running the legitimate installer and forcibly terminating the installation, by issuing a taskkill command, after it has shut down the running services.

"Because the old version of SentinelOne's processes was stopped during the upgrade, and the new processes were terminated before they could spawn, the final result was a system with no SentinelOne protection," the Aon researchers said.

SentinelOne, which stated that the technique could apply to other endpoint protection products as well, has since released updates to its Local Upgrade Authorization feature to mitigate such bypass attempts. This includes enabling it by default for all new customers.
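The vendor-side fix is a setting that blocks unauthorized local upgrades; on the detection side, the sequence described above has a recognizable shape in process-creation telemetry: an EDR installer is run, and shortly afterwards the installer is force-killed, with no agent process starting again. The following is an added example written for this page, not Aon's or SentinelOne's code, that correlates those events per host and separates a killed upgrade whose agent never returned from one where it recovered. The event layout, timestamps, the installer name hint and the EDR process names are assumptions constructed for illustration; substitute your product's real binaries.

```python
"""Detect the Bring Your Own Installer pattern in process-creation telemetry.

Added example for this page, not Aon's or SentinelOne's code.  It looks for
an EDR installer run that is forcibly killed shortly afterwards and checks
whether the agent process ever comes back.  Event layout, timestamps, the
installer name hint and the EDR process names are assumptions constructed
for illustration; substitute your product's real binaries.
"""
from __future__ import annotations

from datetime import datetime, timedelta

KILL_WINDOW = timedelta(minutes=5)      # installer start -> taskkill
RESTART_GRACE = timedelta(minutes=10)   # taskkill -> agent must be running again
EDR_PROCESSES = {"edragent.exe", "edrservicehost.exe"}   # assumed names
INSTALLER_HINT = "edr-agent"             # assumed substring of the MSI name


def _ts(ev: dict) -> datetime:
    return datetime.fromisoformat(ev["time"])


def _image(ev: dict) -> str:
    return ev.get("Image", "").lower().rsplit("\\", 1)[-1]


def _args(ev: dict) -> list[str]:
    return ev.get("CommandLine", "").lower().split()


def is_installer_run(ev: dict) -> bool:
    args = _args(ev)
    return _image(ev) == "msiexec.exe" and "/i" in args and any(INSTALLER_HINT in a for a in args)


def kills_installer(ev: dict) -> bool:
    args = _args(ev)
    return _image(ev) == "taskkill.exe" and "/f" in args and any("msiexec" in a for a in args)


def detect_byoi(events: list[dict]) -> list[dict]:
    """One finding per installer run that was force-killed within KILL_WINDOW.
    The verdict says whether the agent was seen starting again afterwards."""
    by_host: dict[str, list[dict]] = {}
    for ev in events:
        by_host.setdefault(ev["host"], []).append(ev)
    findings = []
    for host, evs in by_host.items():
        evs.sort(key=_ts)
        for i, inst in enumerate(evs):
            if not is_installer_run(inst):
                continue
            t0 = _ts(inst)
            kill = next((e for e in evs[i + 1:]
                         if kills_installer(e) and _ts(e) - t0 <= KILL_WINDOW), None)
            if kill is None:
                continue                      # normal upgrade, nothing to report
            tk = _ts(kill)
            restarted = any(_image(e) in EDR_PROCESSES and tk < _ts(e) <= tk + RESTART_GRACE
                            for e in evs)
            findings.append({
                "host": host,
                "installer": inst["CommandLine"],
                "killed_after_s": int((tk - t0).total_seconds()),
                "agent_restarted": restarted,
                "verdict": ("installer killed, agent recovered" if restarted
                            else "EDR agent not running after killed upgrade"),
            })
    return sorted(findings, key=lambda f: f["host"])


# Constructed sample telemetry.
SAMPLE_EVENTS = [
    # SRV01: attacker runs an older signed installer, kills it, agent never returns
    {"host": "SRV01", "time": "2025-04-10T02:00:00", "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\Users\Public\edr-agent-22.1.msi /quiet"},
    {"host": "SRV01", "time": "2025-04-10T02:00:25", "Image": r"C:\Windows\System32\taskkill.exe",
     "CommandLine": "taskkill /F /IM msiexec.exe"},
    # SRV02: legitimate upgrade, agent comes back
    {"host": "SRV02", "time": "2025-04-10T03:00:00", "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\Temp\edr-agent-23.2.msi /quiet"},
    {"host": "SRV02", "time": "2025-04-10T03:01:10", "Image": r"C:\Program Files\EDR\edragent.exe",
     "CommandLine": "edragent.exe"},
    # SRV03: installer killed, but the agent was started again afterwards
    {"host": "SRV03", "time": "2025-04-10T04:00:00", "Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec.exe /i C:\Temp\edr-agent-22.1.msi /quiet"},
    {"host": "SRV03", "time": "2025-04-10T04:00:40", "Image": r"C:\Windows\System32\taskkill.exe",
     "CommandLine": "taskkill /F /IM msiexec.exe"},
    {"host": "SRV03", "time": "2025-04-10T04:03:00", "Image": r"C:\Program Files\EDR\edragent.exe",
     "CommandLine": "edragent.exe"},
]

if __name__ == "__main__":
    for f in detect_byoi(SAMPLE_EVENTS):
        print(f)
```

The point of the `RESTART_GRACE` check is that the killed installer alone is ambiguous (an admin can abort an upgrade by accident); the signal that matches the attack is a host whose agent does not come back. Because this telemetry comes from the EDR itself, the agent may stop reporting right at the kill, so the query belongs in a SIEM fed by Sysmon or the Windows security log rather than in the EDR console alone.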

The disclosure also comes as Cisco Talos revealed that a ransomware family known as Crytox has used HRSword as part of its attack chain to disable endpoint protection.

HRSword has previously been observed in attacks by BabyLockerKZ and Phobos ransomware, as well as in attacks targeting AhnLab security solutions in South Korea.

New Ransomware Trends

Ransomware attacks have also increasingly set their sights on domain controllers to breach organizations, since these give threat actors access to privileged accounts and centralized network access that can be used to encrypt hundreds or thousands of systems in minutes.

"In over 78% of human-operated cyberattacks, threat actors successfully breach a domain controller," Microsoft disclosed last month.

"Additionally, in more than 35% of cases, the primary spreader device, the system responsible for distributing ransomware at scale, is a domain controller, highlighting its critical role in enabling widespread encryption and operational disruption."

Other ransomware operations uncovered in recent months have used a new ransomware-as-a-service (RaaS) known as PlayBoy Locker, which gives relatively unskilled cybercriminals a comprehensive toolkit comprising ransomware binaries, management panels, and support.

"The PlayBoy Locker RaaS platform offers numerous targeted ransomware builds," Cybereason noted. "PlayBoy Locker RaaS operators advertise regular updates, detection evasion features, and even customer support for affiliates."

The developments also coincide with the launch of a ransomware cartel by DragonForce, an e-crime group that has claimed control of RansomHub, a RaaS scheme that abruptly ceased operations at the end of March 2025.


The white-label branding service is designed to let affiliates disguise DragonForce ransomware as a different strain for an additional fee. The threat actor claims to take a 20% cut of successful ransom payments, allowing affiliates to keep the remaining 80%.

DragonForce emerged in August 2023, positioning itself as a pro-Palestinian hacktivist operation before turning into a full-fledged ransomware outfit. In recent weeks, the RaaS syndicate has drawn attention for attacks on U.K. retailers such as Harrods, Marks & Spencer, and Co-op.

"This move, along with DragonForce's push to brand itself as a 'ransomware cartel,' illustrates the group's desire to raise its profile within the criminal landscape," Sophos noted. "Under this model, DragonForce provides the infrastructure, malware, and ongoing support services, while affiliates conduct campaigns under their own branding."

According to a report from BBC News, the attacks on the U.K. retail sector are believed to be the work of Scattered Spider (aka Octo Tempest or UNC3944).

"Threat actors, including UNC3944, likely view retail organizations as attractive targets, given that they typically hold large amounts of personally identifiable information (PII) and financial data," Google-owned Mandiant noted.

"Further, these companies may be more likely to pay a ransom demand if a ransomware attack affects their ability to process financial transactions."

Ransomware attacks rose 25% in 2024, and the number of ransomware leak sites increased by 53%. Fueling the growth, according to Bitsight, is the emergence of smaller, more agile gangs that target mid-sized organizations that do not always have the resources to deal with such threats.

"The proliferation of ransomware groups means they are scaling faster than law enforcement can shut them down," Bitsight noted, pointing to the groups' focus on smaller organizations.
