Weekly Threat Briefing: July 28 - August 1, 2025

Every week, eSentire’s Threat Response Unit (TRU) compiles the following threat intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.


Sealed Chain of Deception: Actors Leveraging Node.JS to Launch JSCeal

Bottom Line: Check Point Research published details on an ongoing malvertising campaign, dubbed JSCEAL. Active since at least March 2024, the campaign uses fake software downloads impersonating cryptocurrency apps, ultimately leading to the interception of web traffic and theft of sensitive data.

On July 29th, Check Point released a report on ongoing threat activity targeting crypto application users in the European Union (EU), in which malicious JavaScript (JS) payloads are deployed via malvertising. The activity is dubbed JSCEAL because it executes compiled JavaScript (JSC) payloads via the Node.js platform.

JSCEAL was first observed in March 2024; its recent attack chain comprises three main stages: initial deployment, profiling scripts, and the final JSC payload. For initial deployment, victims are lured into downloading malicious MSI installers through paid Facebook malvertising themed around cryptocurrencies, tokens, and financial institutions.

The advertisement links redirect to a decoy page if the victim's IP address is outside the targeted range or if the referrer is not Facebook. Otherwise, the victim is redirected to a fake website with instructions to download and execute the malicious MSI installer. The installation succeeds only while the fake website is online, which makes static analysis of the installer difficult.

The website hosts two JS files, a primary script and a worker script, that track and facilitate the installation process. The MSI installer bundles additional components: custom Dynamic Link Library (DLL) files for creating scheduled tasks and executing WMI commands, a JSON framework for .NET, and a .NET wrapper for the Windows Task Scheduler.

In the second phase of the infection chain, several PowerShell (PS) scripts are executed through a scheduled task. These scripts interact with Windows Defender to exempt PowerShell and PowerShell's directory from Defender's scanning, and they also deploy a PS-based backdoor. The threat actor gathers extensive information about the infected device, including installed software, UAC settings, proxy configuration, location, system and network details, email data, and more. After evaluating the gathered information, a PS script is executed to download the final-stage payload from an attacker-controlled Cloudflare domain.

The final-stage payload consists of two ZIP archives: one containing the Node.js runtime and the other containing the JSCEAL malware payload (build.zip). The JSC payload gives the threat actor full control of the compromised device while relying on a combination of compiled code and heavy obfuscation to evade detection. Upon launch, the JSC malware begins communicating with two C2 servers.

The malware can gather system and user information, steal browser cookies, saved passwords, and Telegram credentials, take screenshots, capture keystrokes, and manipulate crypto wallets and crypto-related browser extensions. The JSC malware also serves as a Remote Access Trojan (RAT), since it can execute remote PS commands and automate user activity.

Although the JSC payloads deployed in the campaign have a low detection rate, organizations should monitor the legitimate frameworks the threat actors leverage throughout the deployment chain (scheduled tasks, PowerShell, and the Node.js runtime) to detect malicious activity. Deploying a robust Endpoint Detection and Response (EDR) solution is recommended to identify and contain such activity. Organizations should also conduct security training that educates employees on safe browsing and on malware distribution methods such as malvertising and phishing.

eSentire MDR for Endpoint has detections in place to identify activity related to the creation of malicious scheduled tasks. eSentire observed an incident resembling the threat actor activity in the JSCEAL campaign, which was successfully contained by eSentire MDR for Endpoint.

Learn more in the full threat briefing here.


Gunra Ransomware Emerges with New Dedicated Leak Site  

Bottom Line: With the constant emergence of new ransomware groups, the financially motivated Gunra ransomware group stands out based on its Tactics, Techniques, and Procedures (TTPs), high activity volume, and wide range of targets.

On July 23rd, 2025, AhnLab published a report on the financially motivated Gunra ransomware group, first observed in April 2025, along with technical details regarding the ransomware strain. AhnLab observed the creation of Gunra’s Dedicated Leak Site (DLS) in April 2025, which is in line with reports on the group's emergence and activities, while also noting a steady increase in DLS creation by other newly observed ransomware groups throughout 2025.

An analysis of the Gunra ransomware code showed similarities to Conti ransomware, whose source code was leaked in February 2022 because of an internal group conflict. Although Gunra ransomware builds on the leaked Conti source code, the group has made “enhancements focused on speeding up negotiations and refining social engineering tactics”. A notable strategy used by Gunra is a time-based pressure technique, forcing victims to begin negotiations within 5 days, which adds urgency and psychological stress to the attack. Gunra ransomware is known to target Windows systems, but a Linux variant has recently been observed in the wild.

Reports on Gunra ransomware indicate that the Initial Access Vectors (IAVs) used by the group include social engineering, phishing, and the exploitation of vulnerabilities. During infection, Gunra spawns a thread running its encryption routine to encrypt files. Once file encryption is complete, the ransomware uses Windows Management Instrumentation Command-line (WMIC) queries to delete volume shadow copies on the host, preventing restoration from local backups.

The ransomware drops ransom notes that give victims instructions on how to contact the group to begin negotiations and make ransom payments. The Gunra ransomware group is also known to exfiltrate data prior to encryption, using double-extortion tactics to apply an additional layer of pressure on victims to meet the ransom demands.

As the Gunra ransomware group is known to use phishing and vulnerability exploitation in their attacks, organizations should develop robust patch management policies, which can be used to identify vulnerable devices and apply relevant security patches in a timely manner.

Organizations should also implement Phishing and Security Awareness Training (PSAT), which can be used to train users on how to identify and report threats. Finally, organizations should ensure that Endpoint Detection and Response (EDR) tools are deployed, which can be used to detect and contain threats.
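Both the JSCEAL chain above (PowerShell launched from a scheduled task, Defender exclusions added for PowerShell, Node.js executing a compiled .jsc payload) and the Gunra section (WMIC deleting volume shadow copies after encryption) come down to process-creation behaviour that endpoint telemetry can catch. The following is an added example, not eSentire's detection content or code from Check Point or AhnLab: four small rules run over a constructed sample of Sysmon-style process events. The field names, sample paths and the inclusion of vssadmin (which the briefing does not mention, but which performs the same shadow-copy deletion) are assumptions made for the example.

```python
import re

# Constructed sample of process-creation telemetry (Sysmon-style fields,
# simplified). None of these lines come from the briefing or a real incident;
# paths such as C:\ProgramData\upd and gunra.exe are placeholders.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "parent_cmdline": "svchost.exe -k netsvcs -p -s Schedule",
     "cmdline": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\ProgramData\upd\run.ps1"},
    {"id": 2, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_cmdline": r"powershell.exe -File C:\ProgramData\upd\run.ps1",
     "cmdline": r"powershell.exe -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0' -ExclusionProcess powershell.exe"},
    {"id": 3, "image": r"C:\ProgramData\upd\node\node.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_cmdline": r"powershell.exe -File C:\ProgramData\upd\run.ps1",
     "cmdline": r"node.exe C:\ProgramData\upd\build\app.jsc"},
    {"id": 4, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent_image": r"C:\Users\Public\gunra.exe",
     "parent_cmdline": r"gunra.exe",
     "cmdline": "wmic shadowcopy delete"},
    # Two benign events that should not fire.
    {"id": 5, "image": r"C:\Program Files\nodejs\node.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "parent_cmdline": "cmd.exe",
     "cmdline": "node.exe server.js"},
    {"id": 6, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "parent_cmdline": "explorer.exe",
     "cmdline": "powershell.exe -Command Get-MpPreference"},
]


def _basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_task_launched_powershell(e):
    """PowerShell started by the Task Scheduler service host (JSCEAL stage 2)."""
    return (_basename(e["image"]) == "powershell.exe"
            and _basename(e["parent_image"]) == "svchost.exe"
            and "schedule" in e["parent_cmdline"].lower())


def rule_defender_exclusion_added(e):
    """Add-MpPreference used to exempt a path or process from Defender."""
    cl = e["cmdline"].lower()
    return "add-mppreference" in cl and ("-exclusionpath" in cl or "-exclusionprocess" in cl)


def rule_node_executes_compiled_jsc(e):
    """Node.js runtime given a compiled JavaScript (.jsc) file (JSCEAL final stage)."""
    return _basename(e["image"]) == "node.exe" and re.search(r"\.jsc\b", e["cmdline"], re.I) is not None


def rule_shadow_copy_deletion(e):
    """Volume shadow copies deleted via WMIC (Gunra) or, by assumption, vssadmin."""
    cl = e["cmdline"].lower()
    img = _basename(e["image"])
    return ((img == "wmic.exe" and "shadowcopy" in cl and "delete" in cl)
            or (img == "vssadmin.exe" and "delete" in cl and "shadows" in cl))


RULES = {
    "task-launched-powershell": rule_task_launched_powershell,
    "defender-exclusion-added": rule_defender_exclusion_added,
    "node-executes-compiled-jsc": rule_node_executes_compiled_jsc,
    "shadow-copy-deletion": rule_shadow_copy_deletion,
}


def evaluate(events):
    """Return (event id, rule name) pairs for every rule that matches an event."""
    hits = []
    for e in events:
        for name, check in RULES.items():
            if check(e):
                hits.append((e["id"], name))
    return hits


if __name__ == "__main__":
    for event_id, rule in evaluate(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

Each rule is deliberately narrow so that a hit is worth an analyst's time; the sequence matters more than any single rule, since a scheduled-task PowerShell launch followed by a Defender exclusion and then Node.js loading a .jsc file is the JSCEAL chain end to end, while the shadow-copy rule fires late in a Gunra intrusion and should be treated as an active encryption event.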

Learn more in the full threat briefing here.


Attackers Abusing Proofpoint & Intermedia Link-Wrapping to Deliver Phishing Payloads

Bottom Line: Threat actors are exploiting the trusted link-wrapping services of Proofpoint and Intermedia to deliver phishing payloads, primarily targeting Microsoft 365 credentials. These campaigns bypass email security filters by wrapping malicious URLs within legitimate domains, increasing the likelihood of successful credential theft.

On July 30th, 2025, Cloudflare researchers released a report on threat actors actively abusing the link-wrapping features of trusted email security services such as Proofpoint and Intermedia. By leveraging these services, attackers are successfully delivering phishing payloads that target Microsoft 365 credentials. Between June and July 2025, Cloudflare observed a series of phishing campaigns in which attackers exploited the automatic link-wrapping functionality provided by Proofpoint and Intermedia.

These security services, designed to inspect and secure embedded URLs, inadvertently aided attackers by wrapping malicious links under trusted domains. As a result, recipients were more likely to click on the links, believing them to be safe. In many cases, the phishing emails originated from compromised accounts within organizations that already used these security services.

Attackers began by compromising legitimate email accounts within organizations protected by Proofpoint. They crafted phishing emails that included malicious URLs, often shortened using services like Bitly. When these emails were sent, Proofpoint automatically wrapped the URLs using its secure redirection service, typically displaying domains such as urldefense[.]proofpoint[.]com. This wrapping made the links appear trusted and less suspicious to recipients. When users clicked on these links, they were redirected through the wrapped chain to phishing pages that mimicked Microsoft 365 login portals. Common social engineering themes included voicemail alerts, fake Teams meeting notifications, and shared document invitations.

In a similar manner, attackers compromised email accounts hosted by Intermedia and used them to distribute phishing messages. These emails contained links that were wrapped using Intermedia’s secure redirect domain, url[.]emailprotection[.]link. In many instances, the wrapped links redirected through additional legitimate services such as Constant Contact before landing on phishing sites. The final payloads were credential harvesting pages designed to steal Microsoft account information. Phishing lures commonly impersonated secure message delivery platforms like Zix or contained prompts to open shared documents.

Just as threat actors continuously evolve their Tactics, Techniques, and Procedures (TTPs) to bypass email security measures, security teams must be prepared to implement new protections and rapidly take action to limit threat actor success.

Organizations need to educate employees about the risks of clicking suspicious links, even when they appear to come from legitimate sources, and emphasize the importance of verifying unexpected secure message requests or document-sharing prompts. Implementing SIEM solutions can provide early detection of wrapped-link abuse by correlating email events, web proxy logs, DNS requests, and endpoint alerts. In addition, organizations must ensure they have the tools and procedures in place to detect and remove a threat actor's access.

This includes having endpoint tools deployed on all supported assets, swiftly resetting potentially impacted credentials, terminating existing sessions and tokens, locking out accounts, and reimaging impacted devices once the artifacts relevant to an investigation have been retrieved. eSentire's Threat Response Unit (TRU) continues to track this campaign for additional information and detection opportunities.
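The SIEM correlation recommended above starts with being able to see through the wrapper: a link on urldefense[.]proofpoint[.]com or url[.]emailprotection[.]link tells the analyst nothing until the real destination is recovered and checked, for example for the Bitly hop described earlier. The following is an added example, not Cloudflare's, Proofpoint's, Intermedia's or eSentire's code. It assumes the Proofpoint URL Defense v2 format, in which the original URL is carried in the `u` query parameter with `/` written as `_` and other reserved characters as `-XX` hex escapes (v1 and v3 links are not decoded here); the Intermedia wrapper's encoding is not described on the page, so those links are only flagged, not decoded. The wrapper host list, shortener list and sample links are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlparse

# Hosts of the two link-wrapping services named in the briefing (assumed list).
WRAPPER_HOSTS = {
    "urldefense.proofpoint.com": "proofpoint",
    "urldefense.com": "proofpoint",
    "url.emailprotection.link": "intermedia",
}

# Constructed sample of URL shorteners; the briefing mentions Bitly specifically.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}


def decode_proofpoint_v2(wrapped):
    """Recover the original URL from a Proofpoint URL Defense v2 link.

    Assumed encoding: `_` stands for `/`, and `-XX` is the hex value of a
    reserved character (so `-3A` is `:`, `-5F` is a literal `_`, `-2D` a
    literal `-`). Returns None for anything that is not a v2 link.
    """
    parsed = urlparse(wrapped)
    if not parsed.path.startswith("/v2/url"):
        return None
    u = parse_qs(parsed.query).get("u")
    if not u:
        return None
    # Undo `_` -> `/` first, then the hex escapes, so an escaped `-5F`
    # becomes a real underscore only after the slash substitution.
    text = u[0].replace("_", "/")
    return re.sub(r"-([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1), 16)), text)


def _host(url):
    return (urlparse(url).hostname or "").lower()


def triage_link(url):
    """Classify one URL from a mail body for SIEM enrichment.

    Returns a dict with the wrapping service (or None), the decoded
    destination where recoverable, and a list of risk flags.
    """
    result = {"wrapper": WRAPPER_HOSTS.get(_host(url)), "destination": None, "flags": []}
    if result["wrapper"] is None:
        return result
    if result["wrapper"] == "proofpoint":
        dest = decode_proofpoint_v2(url)
        result["destination"] = dest
        if dest is None:
            result["flags"].append("wrapper-not-decoded")
        else:
            dest_host = _host(dest)
            if dest_host in SHORTENERS:
                # A shortener behind a trusted wrapper hides the final page
                # from both the recipient and simple URL reputation checks.
                result["flags"].append("shortener-behind-wrapper")
            if dest_host in WRAPPER_HOSTS:
                result["flags"].append("wrapper-chained-to-wrapper")
    else:
        # Intermedia encoding unknown here: surface the link for manual follow-up.
        result["flags"].append("wrapper-not-decoded")
    return result


# Constructed sample links; the parameter values are placeholders, not real tokens.
SAMPLE_LINKS = [
    "https://urldefense.proofpoint.com/v2/url?u=https-3A__bit.ly_3AbCdEf&d=PLACEHOLDER&c=PLACEHOLDER&e=",
    "https://urldefense.proofpoint.com/v2/url?u=https-3A__intranet.example.com_docs_q3-5Freport.pdf&d=PLACEHOLDER",
    "https://url.emailprotection.link/?PLACEHOLDER",
    "https://www.example.com/newsletter",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(triage_link(link))
```

In a SIEM pipeline the decoded destination, not the wrapper URL, is what should be joined against web proxy and DNS logs, and the `shortener-behind-wrapper` flag is the cheapest signal that a wrapped link deserves a closer look before the recipient reaches a credential-harvesting page.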

Learn more in the full threat briefing here.


About the eSentire Threat Response Unit (TRU)

Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.
