
APT37 expands toolkit to pierce air gaps using removable media and cloud C2
Context and chronology
Private research telemetry attributed a coordinated December 2025 operation to the cluster tracked as APT37. Analysts reconstructed a chained intrusion designed to extract data from isolated or segmented networks: an initial social-engineered removable‑media lure, in‑memory loaders that staged a disguised interpreter runtime, a scheduled persistent execution cadence, and a cloud‑hosted command channel used to retrieve commands and payloads. The technical writeup from the original finder is available via Zscaler and provides indicators and technical notes.
At the component level, investigators described five distinct modules: a memory‑resident loader that decrypts later stages, a backdoored runtime installed under an innocuous utility name, a USB propagation/spreader that replaces or masks user files with shortcut stubs and uses drive roots as staging areas, a secondary dropper that leverages those staging locations for bidirectional relay, and an auxiliary Android package capable of keystroke, microphone and camera capture. The runtime was observed scheduled to execute on a tight five‑minute cadence to maintain persistence and trigger secondary actions, and several stages operated in memory to reduce forensic artifacts.
Operationally the campaign paired physical relays (removable media used to ferry commands and exfiltrated content across segmented boundaries) with abuse of a mainstream cloud storage service for command‑and‑control and payload hosting. That hybrid model reduces the utility of pure network‑monitoring approaches because callbacks and staging traffic can resemble legitimate cloud syncs and repository usage. The removable‑media mechanics allowed operators to bridge air gaps: USBs carried short command stubs and exfiltrated blobs between isolated hosts and externally reachable systems.
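The shortcut-stub masquerade described above (user files or folders hidden and replaced by same-named .lnk stubs at the drive root) leaves a pattern that a triage script can check for before an unknown drive is opened. The following is an added example, not code from the original report or from Zscaler; the `Entry` record, the directory-listing helper and the constructed `SAMPLE_LISTING` are this example's own assumptions about what a drive-root listing looks like, and the hidden-attribute check falls back to the POSIX dot-file convention when the Windows attribute is not exposed.

```python
import os
from dataclasses import dataclass

FILE_ATTRIBUTE_HIDDEN = 0x2  # Windows hidden bit as exposed in st_file_attributes


@dataclass(frozen=True)
class Entry:
    """One directory-level entry from a removable drive root (hypothetical record shape)."""
    name: str
    is_dir: bool
    hidden: bool


def collect_listing(root):
    """Enumerate a single directory level (typically a drive root) into Entry records.
    Hidden-ness is taken from the Windows attribute when the platform reports it,
    otherwise from the leading-dot convention used on POSIX systems."""
    entries = []
    with os.scandir(root) as it:
        for de in it:
            st = de.stat(follow_symlinks=False)
            attrs = getattr(st, "st_file_attributes", 0)
            hidden = bool(attrs & FILE_ATTRIBUTE_HIDDEN) or de.name.startswith(".")
            entries.append(Entry(de.name, de.is_dir(follow_symlinks=False), hidden))
    return entries


def _canonical(name):
    # Strip a POSIX-style hidden prefix so ".Photos" and "Photos" compare equal.
    return name.lstrip(".")


def find_shortcut_stubs(listing):
    """Return (stub_name, masked_name) pairs: every visible .lnk whose stem equals the
    name, or the extension-less name, of a hidden sibling in the same directory."""
    hidden = {}
    for e in listing:
        if e.hidden:
            canon = _canonical(e.name)
            hidden.setdefault(canon.lower(), e)
            hidden.setdefault(os.path.splitext(canon)[0].lower(), e)
    findings = []
    for e in listing:
        if e.is_dir or e.hidden or not e.name.lower().endswith(".lnk"):
            continue
        stem = e.name[:-4].lower()
        if stem in hidden:
            findings.append((e.name, hidden[stem].name))
    return findings


# Constructed listing of a drive root: two masked items, one ordinary file and one
# benign user shortcut that has no hidden twin.
SAMPLE_LISTING = [
    Entry("Budget.xlsx", False, True),
    Entry("Budget.xlsx.lnk", False, False),
    Entry("Photos", True, True),
    Entry("Photos.lnk", False, False),
    Entry("notes.txt", False, False),
    Entry("Holiday.lnk", False, False),
]

if __name__ == "__main__":
    for stub, masked in find_shortcut_stubs(SAMPLE_LISTING):
        print(f"suspicious stub {stub!r} shadows hidden {masked!r}")
```

The check deliberately ignores what the .lnk points at (parsing the shortcut format is a separate step) and keys only on the name collision, which is the part of the technique that survives regardless of payload; a legitimate shortcut that happens to sit next to a hidden file of the same stem will also be reported, so treat a hit as a reason to image the drive rather than as a verdict.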
This activity fits a wider pattern seen in recent espionage operations: many actors are converging on low‑noise persistence, living‑off‑the‑land abuse, and cloud primitives to blend malicious activity into normal enterprise telemetry. Other recent disclosures (covering distinct clusters and vectors) underscore similar tradecraft — from cloud‑hosted C2 and long‑lived implants to memory‑only loaders and social engineering lures — although attribution, victim counts and specific tooling vary by investigation. Platform‑level interventions (for example, cloud provider takedowns) can disrupt operator infrastructure but do not erase implanted footholds or change the attractiveness of commodity cloud services for misuse.
For defenders the implications are concrete: organizations protecting classified enclaves, industrial control systems and high‑value research should treat removable media as a primary risk vector, instrument task scheduling and process starts for anomalous cadence, enforce strict media hygiene (disable autorun, enforce encryption and logging), and fuse endpoint, identity and cloud telemetry to detect benign‑looking callbacks that carry malicious intent. Cross‑sector collaboration with cloud and platform providers can remove infrastructure quickly, but long‑term resilience requires procedural controls, identity‑first architectures, and hardened runtimes that reduce the blast radius of staged interpreters.
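One concrete way to "instrument task scheduling and process starts for anomalous cadence" is to group process-creation events per host and image and flag images that start on a tight, near-constant interval, which is what a five-minute scheduled task looks like in telemetry. The block below is an added example written for this article, not tooling from the report or from Zscaler; the key=value record layout in `SAMPLE_LOG`, the host and image names, and the thresholds (`max_interval_s`, `min_runs`, `max_cv`) are all constructed assumptions, chosen so that the constructed data contains one periodic starter and one irregular one.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed process-start records in a Sysmon-like key=value layout; not real telemetry.
SAMPLE_LOG = r"""
2025-12-03T09:00:02Z host=WS-17 image=C:\ProgramData\Updater\helper.exe parent=C:\Windows\System32\svchost.exe
2025-12-03T09:01:10Z host=WS-17 image=C:\Apps\Chrome\chrome.exe parent=C:\Windows\explorer.exe
2025-12-03T09:03:40Z host=WS-17 image=C:\Apps\Chrome\chrome.exe parent=C:\Apps\Chrome\chrome.exe
2025-12-03T09:05:03Z host=WS-17 image=C:\ProgramData\Updater\helper.exe parent=C:\Windows\System32\svchost.exe
2025-12-03T09:10:02Z host=WS-17 image=C:\ProgramData\Updater\helper.exe parent=C:\Windows\System32\svchost.exe
2025-12-03T09:12:15Z host=WS-17 image=C:\Apps\Chrome\chrome.exe parent=C:\Apps\Chrome\chrome.exe
2025-12-03T09:13:00Z host=WS-17 image=C:\Apps\Chrome\chrome.exe parent=C:\Apps\Chrome\chrome.exe
2025-12-03T09:15:04Z host=WS-17 image=C:\ProgramData\Updater\helper.exe parent=C:\Windows\System32\svchost.exe
2025-12-03T09:20:03Z host=WS-17 image=C:\ProgramData\Updater\helper.exe parent=C:\Windows\System32\svchost.exe
2025-12-03T09:25:02Z host=WS-17 image=C:\ProgramData\Updater\helper.exe parent=C:\Windows\System32\svchost.exe
2025-12-03T09:30:00Z host=WS-17 image=C:\Windows\System32\notepad.exe parent=C:\Windows\explorer.exe
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) image=(?P<image>\S+) parent=(?P<parent>\S+)$"
)


def parse_events(text):
    """Turn the key=value lines into dicts with an aware UTC datetime; lines that do
    not match the expected layout are skipped rather than raising."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(ev)
    return events


def find_periodic_starts(events, max_interval_s=330, min_runs=4, max_cv=0.05):
    """Flag (host, image) pairs that start at least min_runs times with a mean gap of
    at most max_interval_s seconds and a coefficient of variation at or below max_cv.
    Low variation is what separates a scheduler-driven cadence from user activity."""
    groups = defaultdict(list)
    for ev in events:
        groups[(ev["host"], ev["image"])].append(ev)
    findings = []
    for (host, image), evs in groups.items():
        if len(evs) < min_runs:
            continue
        evs.sort(key=lambda e: e["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(evs, evs[1:])]
        mean = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if mean <= max_interval_s and cv <= max_cv:
            findings.append({
                "host": host,
                "image": image,
                "runs": len(evs),
                "mean_interval": mean,
                "cv": cv,
                "parents": sorted({e["parent"] for e in evs}),
            })
    return findings


if __name__ == "__main__":
    for f in find_periodic_starts(parse_events(SAMPLE_LOG)):
        print(f"{f['host']}: {f['image']} started {f['runs']}x every ~{f['mean_interval']:.0f}s "
              f"(cv={f['cv']:.3f}), parents={f['parents']}")
```

In the constructed data helper.exe is reported (six starts, roughly 300 seconds apart) while chrome.exe, which starts four times at irregular gaps, is not. The parent images are carried along because on Windows a process launched by the Task Scheduler service has an svchost.exe parent, which is a useful corroborating field when the rule is run against real data; the thresholds should be tuned against a baseline of the environment's own legitimate periodic jobs so those can be allow-listed by image path rather than by relaxing the cadence test.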