Betruger: Backdoor Powering RansomHub Ransomware Attacks
SISA Weekly Threat Watch – our weekly feature brings you a quick snapshot of the major security vulnerabilities that posed a threat to organizations worldwide. These recurring, actionable threat advisories also provide information and recommendations to help security teams take appropriate action against the latest critical threats.
1. Betruger: Backdoor Powering RansomHub Ransomware Attacks
Cybersecurity researchers have uncovered Betruger, a custom-built backdoor tied to RansomHub ransomware affiliates. Unlike typical ransomware operations that lean on public tools, Betruger is designed for stealth, packing in keylogging, credential dumping, privilege escalation, network scanning, and data exfiltration without relying on external software. It masquerades as legitimate files such as “mailer.exe” and uses the BYOVD (Bring Your Own Vulnerable Driver) technique along with tools like EDRKillShifter to disable security defenses. Threat actors also exploit known flaws such as CVE-2022-24521 and CVE-2023-27532 to escalate privileges and extract credentials. Additional tools like Impacket, Rclone, and TightVNC are used for lateral movement, persistence, and remote control. Cybersecurity researchers recommend that organizations monitor for abnormal behavior, patch vulnerabilities, enforce least-privilege access, and adopt behavior-based detection to spot sophisticated threats early. Staying updated on indicators of compromise (IoCs) is key to reducing exposure to threats like Betruger.
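The behavior-based detection recommended above can be made concrete with a small triage rule set. The following is an added example written for this advisory, not code from SISA or from any vendor: it scores constructed endpoint records shaped like Sysmon Event ID 6 (DriverLoad) and Event ID 1 (ProcessCreate) for two patterns the write-up names, a driver brought in under BYOVD and a binary masquerading as “mailer.exe”. The field names, the expected install directories and the deny-list hash are assumptions or placeholders, not real IoCs.

```python
"""Behavioural triage of endpoint telemetry for BYOVD and masquerading indicators.

Added example for this advisory, not code from SISA or any vendor. The records
are constructed to resemble Sysmon Event ID 6 (DriverLoad) and Event ID 1
(ProcessCreate) fields; the deny-list hash is a placeholder, not a real IoC.
"""

# Locations an installed driver or a trusted service binary does not normally run from.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\windows\\temp\\", "c:\\programdata\\", "c:\\temp\\")

# Placeholder standing in for a maintained list of SHA-256 hashes of abusable signed drivers.
ABUSED_DRIVER_SHA256 = {"0" * 63 + "1"}  # constructed value, not a real hash

# Binary names the advisory says are imitated, with the directory prefixes the
# genuine copies are assumed to live under.
EXPECTED_LOCATION = {"mailer.exe": ("c:\\program files\\", "c:\\program files (x86)\\")}


def in_user_writable(path):
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def sha256_from_hashes(field):
    """Sysmon's Hashes field is 'SHA256=...,MD5=...'; return the SHA-256 part, lower-cased."""
    for part in field.split(","):
        name, _, value = part.partition("=")
        if name.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def triage_driver_load(ev):
    reasons = []
    image = ev.get("ImageLoaded", "")
    # A BYOVD driver is usually validly signed (that is why it loads at all), so
    # signature state alone is weak evidence; load path and hash carry more weight.
    if not ev.get("Signed") or ev.get("SignatureStatus", "").lower() != "valid":
        reasons.append("driver unsigned or signature invalid")
    if in_user_writable(image):
        reasons.append("driver loaded from user-writable path")
    if sha256_from_hashes(ev.get("Hashes", "")) in ABUSED_DRIVER_SHA256:
        reasons.append("driver hash on abused-driver deny list")
    return reasons


def triage_process_create(ev):
    reasons = []
    image = ev.get("Image", "")
    name = image.rsplit("\\", 1)[-1].lower()
    expected = EXPECTED_LOCATION.get(name)
    if expected and not image.lower().startswith(expected):
        reasons.append(f"{name} running outside its expected directory")
    if in_user_writable(image) and ev.get("IntegrityLevel") in ("High", "System"):
        reasons.append("elevated process launched from user-writable path")
    return reasons


def triage(events):
    """Return (index, reasons) for every event that trips at least one rule."""
    flagged = []
    for i, ev in enumerate(events):
        if ev.get("EventID") == 6:
            reasons = triage_driver_load(ev)
        elif ev.get("EventID") == 1:
            reasons = triage_process_create(ev)
        else:
            reasons = []
        if reasons:
            flagged.append((i, reasons))
    return flagged


SAMPLE_EVENTS = [  # constructed telemetry, not captured data
    {"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\acpi.sys",
     "Signed": True, "SignatureStatus": "Valid", "Hashes": "SHA256=" + "ab" * 32},
    {"EventID": 6, "ImageLoaded": "C:\\Users\\Public\\drv.sys",
     "Signed": True, "SignatureStatus": "Valid", "Hashes": "SHA256=" + "0" * 63 + "1"},
    {"EventID": 1, "Image": "C:\\Program Files\\MailApp\\mailer.exe", "IntegrityLevel": "Medium"},
    {"EventID": 1, "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\mailer.exe",
     "IntegrityLevel": "High"},
]

if __name__ == "__main__":
    for idx, why in triage(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(idx, ev.get("ImageLoaded") or ev.get("Image"), why)
```

Run stand-alone it flags the second driver load (user-writable path, deny-listed hash) and the second mailer.exe launch (wrong directory, elevated from a temp folder) while leaving the two benign records alone. In production the deny list would come from a vendor feed of abused drivers and the expected-location map from your software inventory; both are the kind of IoC data the advisory says to keep current.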
2. Oracle Cloud Breach Exposes 6 Million Records, Impacting 140K Tenants
Cybersecurity researchers are tracking a claim by threat actor “rose87168,” who alleges a breach of Oracle Cloud’s federated SSO login servers and the exfiltration of 6 million sensitive records. These include Java KeyStore (JKS) files, encrypted SSO passwords, enterprise manager JPS keys, and more. The attacker exploited CVE-2021-35587, a known flaw in Oracle Fusion Middleware that allows unauthenticated remote access. Oracle has denied the breach, stating that no customer data was impacted, though researchers suspect a targeted compromise of login.us2.oraclecloud.com. The unpatched system had not been updated since 2014, significantly increasing its risk. The attacker is demanding a ransom for data removal and is reportedly incentivizing others to crack the stolen credentials. The breach may affect over 140,000 tenants, posing a serious supply chain risk. Researchers recommend resetting LDAP and SSO passwords, rotating credentials, enforcing MFA, engaging Oracle Support, and replacing compromised authentication secrets to limit exposure.
3. Critical Ingress Vulnerability Exposes Kubernetes Clusters to Unauthenticated RCE
Cybersecurity researchers have uncovered IngressNightmare, a set of five critical vulnerabilities affecting the Ingress NGINX Controller for Kubernetes, tracked as CVE-2025-24513, CVE-2025-24514, CVE-2025-1097, CVE-2025-1098, and CVE-2025-1974. These flaws enable unauthenticated remote code execution (RCE) and affect over 6,500 Kubernetes clusters. Attackers exploit the admission controller, which lacks proper authentication, to inject arbitrary NGINX configurations, upload malicious libraries, and seize control of cluster secrets. The most severe, CVE-2025-1974 (CVSS 9.8), allows full cluster compromise when the admission webhook is reachable over the network. Around 43% of Kubernetes cloud environments are potentially at risk. Exploitation could lead to credential theft, lateral movement, data exfiltration, and cluster-wide control. Experts recommend immediately upgrading to Ingress NGINX Controller 1.12.1 or 1.11.5, restricting network access to the admission webhook, or disabling the admission controller if patching isn’t possible. Use tools like Nuclei to detect exposures, and re-enable the admission controller after upgrading to maintain protection.
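A quick way to check a cluster against the two recommendations (patched controller version, admission webhook not exposed) is to inspect the Deployment and the admission Service. The script below is an added example, not part of the advisory or of the ingress-nginx project. It reads JSON in the shape `kubectl get deploy,svc,validatingwebhookconfiguration -A -o json` would return; the sample document is constructed, the resource and image names follow the stock ingress-nginx manifests but are assumptions, and the fixed versions (1.12.1 / 1.11.5) are the ones the advisory gives. Treating release lines newer than 1.12 as fixed is an assumption of the script.

```python
"""Assess ingress-nginx resources for IngressNightmare exposure.

Added example; not code from SISA or from the ingress-nginx project.
The JSON below is constructed to mimic kubectl -o json output.
"""
import json
import re

# Minimum patched release per supported line, per the advisory.
FIXED = {(1, 12): (1, 12, 1), (1, 11): (1, 11, 5)}
OLDEST_FIXED_LINE = (1, 11)


def parse_version(image):
    """Extract (major, minor, patch) from an image tag such as ...:v1.11.4."""
    m = re.search(r":v?(\d+)\.(\d+)\.(\d+)", image)
    return tuple(int(x) for x in m.groups()) if m else None


def is_patched(version):
    line = version[:2]
    if line < OLDEST_FIXED_LINE:
        return False  # 1.10 and earlier received no fix; only upgrading helps
    if line in FIXED:
        return version >= FIXED[line]
    return True  # assumption: lines newer than 1.12 were cut after the fix


def assess(kubectl_json):
    """Return a list of human-readable findings for the resources in the JSON document."""
    findings = []
    for item in json.loads(kubectl_json)["items"]:
        kind, name = item.get("kind"), item["metadata"]["name"]
        if kind == "Deployment":
            for c in item["spec"]["template"]["spec"]["containers"]:
                if "ingress-nginx/controller" not in c["image"]:
                    continue
                v = parse_version(c["image"])
                if v is None:
                    findings.append(f"{name}: cannot determine controller version from {c['image']}")
                elif not is_patched(v):
                    findings.append(f"{name}: controller v{'.'.join(map(str, v))} predates the "
                                    "fixed release; upgrade to 1.12.1 or 1.11.5")
        elif kind == "Service" and name.endswith("-admission"):
            # The webhook only needs to be reached by the API server; anything beyond
            # ClusterIP widens who can talk to the unauthenticated admission endpoint.
            svc_type = item["spec"].get("type", "ClusterIP")
            if svc_type != "ClusterIP":
                findings.append(f"{name}: admission webhook Service is {svc_type}; "
                                "restrict it to ClusterIP and limit access to the API server")
    return findings


SAMPLE_KUBECTL_JSON = json.dumps({  # constructed, not a real cluster
    "items": [
        {"kind": "Deployment",
         "metadata": {"name": "ingress-nginx-controller", "namespace": "ingress-nginx"},
         "spec": {"template": {"spec": {"containers": [
             {"name": "controller",
              "image": "registry.k8s.io/ingress-nginx/controller:v1.11.4"}]}}}},
        {"kind": "Service",
         "metadata": {"name": "ingress-nginx-controller-admission", "namespace": "ingress-nginx"},
         "spec": {"type": "NodePort", "ports": [{"port": 443, "targetPort": "webhook"}]}},
        {"kind": "ValidatingWebhookConfiguration",
         "metadata": {"name": "ingress-nginx-admission"}},
    ]
})

if __name__ == "__main__":
    for line in assess(SAMPLE_KUBECTL_JSON):
        print(line)
```

Against the constructed document it reports both problems: a 1.11.4 controller and an admission Service exposed as NodePort. Where patching has to wait, the ValidatingWebhookConfiguration listed in the same output is the object to remove to disable the admission controller, and it should be restored after the upgrade, as the advisory notes.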
4. Rogue npm Packages Infect ‘ethers’ Library with Backdoor
Cybersecurity researchers discovered two malicious npm packages, ethers-provider2 and ethers-providerz, designed to compromise systems that use the popular ethers library. These packages initiated a multi-stage attack, starting with a trojanized install script that fetched a second-stage payload from 5.199.166[.]1. The malware then patched the locally installed ethers package, modifying provider-jsonrpc.js to establish a reverse shell over SSH. This allowed persistent remote access even after the rogue package was uninstalled. Stealth tactics included deleting temporary files and mimicking legitimate packages like ssh2. While downloads were low, the attack’s strategy poses a significant supply chain risk. To stay protected, organizations should strictly validate dependencies, use checksum or diff tools to detect tampered packages, and block unknown outbound connections. Employ behavioral detection tools, conduct sandbox testing, and, if compromised, remove infected packages, clean modified files, rotate credentials, and perform forensic analysis to uncover deeper persistence.
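The checksum-based tampering check recommended above is straightforward to implement: hash every file of an installed package once, then compare later. The following is an added example, not code from the advisory or from the ethers project. It builds a throwaway `node_modules/ethers` tree in a temporary directory (the file contents are constructed stand-ins, not the real library) and shows that a post-install edit to `provider-jsonrpc.js`, the file the advisory says was patched, plus a dropped extra file are both reported.

```python
"""Detect post-install tampering of an installed npm package by hashing its files.

Added example; not code from SISA or from the ethers project. It uses a
temporary directory with constructed files to stand in for a real install.
"""
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map each file path (relative to root, POSIX-style) to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digests[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_baseline(baseline, current):
    """Compare two hash manifests and report modified, added and removed files."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo():
    """Build a constructed package, baseline it, tamper with it, and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        pkg = Path(tmp) / "node_modules" / "ethers"
        (pkg / "lib").mkdir(parents=True)
        (pkg / "package.json").write_text('{"name": "ethers", "version": "0.0.0-constructed"}\n')
        target = pkg / "lib" / "provider-jsonrpc.js"
        target.write_text("module.exports = function JsonRpcProvider() {};  // constructed stand-in\n")

        baseline = hash_tree(pkg)  # taken right after install

        # Simulate what the advisory describes: the installed file gains appended code
        # and an extra file appears. Both are inert placeholder text here.
        target.write_text(target.read_text() + "// constructed placeholder for injected code\n")
        (pkg / "lib" / "extra.js").write_text("// constructed dropped file\n")

        return diff_baseline(baseline, hash_tree(pkg))


if __name__ == "__main__":
    print(demo())
```

One design point matters in practice: the baseline should come from the package tarball as published (for example the output of `npm pack` for the pinned version, or the `integrity` field in the lockfile), not from the copy already on disk, because the install script that does the tampering runs before you would otherwise take the snapshot. Hashing the installed tree is still useful for detecting later drift, which is exactly the case here, where the patched file outlives the rogue package that created it.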
5. Chinese APT FamousSparrow Unleashes Upgraded Malware in Targeted Attacks
Cybersecurity researchers have reported that FamousSparrow, a Chinese state-sponsored threat actor, targeted a U.S. trade group and a Mexican research institute in July 2024. The group used ShadowPad malware for the first time, alongside upgraded versions of its SparrowDoor backdoor. The attacks began with web shells deployed on outdated IIS and Microsoft Exchange servers, followed by Base64-encoded .NET web shells. SparrowDoor’s enhancements now support parallel command execution, interactive shells, file transfers, and keylogging through a modular, plugin-based design. The infection chain enables full remote access and data exfiltration, and the use of ShadowPad indicates possible collaboration with other Chinese APT groups. To mitigate risk, researchers recommend patching outdated servers, disabling unnecessary IIS services, deploying Web Application Firewalls (WAFs), and enabling Endpoint Detection and Response (EDR) tools. Also enforce multi-factor authentication (MFA), monitor for web shell activity, and investigate any suspicious C&C traffic or keystroke logging.
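“Monitor for web shell activity” is usually done with behavioral telemetry, but a content scan of the web root catches the Base64-encoded .NET shells this item describes. The scanner below is an added example, not code from the advisory or from the researchers who reported FamousSparrow; its indicators are generic heuristics for reflective .NET loaders (Base64 decode plus `Assembly.Load`, request-driven process spawning, long Base64 blobs), not a signature for the group’s actual shell. The sample files are constructed in a temporary directory, and the suspicious fixture carries the indicator tokens inside an HTML comment rather than any working code.

```python
"""Scan a web root for likely .NET web shells (Base64 payload + reflective load or exec).

Added example; not code from SISA or from the FamousSparrow researchers. The
indicator set is a generic heuristic, and the sample files are constructed.
"""
import re
import tempfile
from pathlib import Path

WEB_EXTS = {".aspx", ".ashx", ".asmx", ".asax"}

INDICATORS = {
    "base64_decode": re.compile(r"Convert\.FromBase64String", re.I),
    "reflective_load": re.compile(r"Assembly\.Load\b", re.I),
    "process_spawn": re.compile(r"Process\.Start\b|ProcessStartInfo", re.I),
    "request_driven": re.compile(r"Request\[|Request\.Form|Request\.Headers", re.I),
    "long_b64_blob": re.compile(r"[A-Za-z0-9+/]{200,}={0,2}"),
}

# Pairings a legitimate page rarely contains; any one of them marks the file.
SUSPICIOUS_COMBOS = [
    {"base64_decode", "reflective_load"},
    {"request_driven", "process_spawn"},
    {"long_b64_blob", "base64_decode"},
]


def score_file(text):
    """Return the set of indicators present and whether a suspicious combination is hit."""
    hits = {name for name, rx in INDICATORS.items() if rx.search(text)}
    return hits, any(combo <= hits for combo in SUSPICIOUS_COMBOS)


def scan_webroot(root):
    """Walk the web root and return (relative path, sorted indicators) for suspicious files."""
    root = Path(root)
    findings = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in WEB_EXTS:
            hits, suspicious = score_file(p.read_text(errors="replace"))
            if suspicious:
                findings.append((p.relative_to(root).as_posix(), sorted(hits)))
    return findings


def demo():
    """Create a benign page and a constructed suspicious fixture, then scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Default.aspx").write_text(
            '<%@ Page Language="C#" %>\n<html><body>Hello</body></html>\n')
        # Constructed fixture: carries the indicator tokens in a comment, not runnable code.
        fixture = ('<%@ Page Language="C#" %>\n'
                   '<!-- constructed fixture: Convert.FromBase64String Assembly.Load Request["d"] -->\n')
        (root / "aspnet_client" / "system_web").mkdir(parents=True)
        (root / "aspnet_client" / "system_web" / "x.aspx").write_text(fixture)
        return scan_webroot(root)


if __name__ == "__main__":
    for path, hits in demo():
        print(path, hits)
```

On a real IIS or Exchange host you would point `scan_webroot` at the site’s physical path and at `aspnet_client` and OWA directories, then pair any hit with file creation time and the w3wp.exe child-process telemetry your EDR records; a content match alone is a lead for investigation, not a verdict.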
To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.