WithSecure™ Labs: With great research comes great responsibility

In 2025, WithSecure discovered two cyberattacks that we attributed to the Andariel group, a state-sponsored cyber group linked to the RGB 3^rd bureau of Democratic People’s Republic of Korea (DPRK). During our investigation, we also discovered a staging server used by Andariel. We were able to pull artifacts from it during its uptime.

Throughout our research, we identified several new implants, tools, and techniques that shape a part of Andariel’s latest arsenal. These include new remote access trojans (RATs) such as JelusRAT, StarshellRAT, and GopherRAT, as well as tools and techniques such as a custom port scanner, a PetitPotato sample, and abusing a vulnerable driver to target AV/EDR products.

WithSecure's STINGR Group is releasing a detailed technical analysis of TangleCrypt, a previously undocumented packer for Windows malware. The packer was found on two executables of the STONESTOP EDR killer used in a recent ransomware attack. The blogpost describes how TangleCrypt unpacks and launches the payload, which anti-analysis techniques it uses, and the implementation flaws we identified.

WithSecure’s STINGR has been investigating a malware campaign, tracked as WEBJACK, which compromises Microsoft IIS servers to deploy malicious IIS modules belonging to the BadIIS malware family. The hijacked servers are being abused for SEO poisoning and fraud, redirecting users to casino, gambling, or betting websites. The threat actor has compromised high-profile targets, including government institutions, universities, tech firms, and many other organizations, abusing their domain reputation to serve fraudulent content through search engine results pages (SERPs).

TamperedChef is a sophisticated malware campaign that leveraged a convincing advertising campaign strategy and a fully functional decoy application to target European organizations. Disguised as a legitimate application such as a PDF editor, the malware operated with expected functionality for nearly two months before activating its payload to harvest browser credentials, impacting a significant number of systems.

Since November 2024, WithSecure has been tracking a slight uptick of targeted activities leveraging Remote Monitoring and Management (RMM) tools embedded within PDF documents. The activity primarily targets organizations in France and Luxembourg, using socially engineered emails to deliver a clean PDF containing an embedded link to an RMM installer, a simple but effective method of bypassing many email and malware defences. 

Organizations are facing an attack surface that is not only expanding at an unprecedented rate but also becoming more difficult to manage using traditional security approaches. The first half of 2025 has shown a sharp rise in both the discovery and exploitation of vulnerabilities, especially zero-days and those affecting security services, indicating that attackers are moving faster than defenders can respond. A new exploited vulnerability is published every two days, and a new exploited zero-day every three, with both categories growing significantly faster than in 2024. This growing gap between discovery and mitigation underscores a fundamental reality: reactive defence is no longer sufficient. Companies must adopt a proactive approach centred around continuous exposure management: monitoring, prioritizing, and remediating vulnerabilities before they are exploited. This research draws on verified exploitation data and real-world vulnerability trends to demonstrate why exposure management is no longer optional, but a foundational requirement for any organization aiming to stay ahead of cyber threats.