New CTI Labs: Threat Actors Akira and DragonForce
These labs will highlight the background and TTPs of Akira, a highly prolific threat actor with indiscriminate targeting, and DragonForce, a ransomware actor recently in the news, connected to the attacks on M&S, Co-op, and Harrods. Why are these labs important? Akira is one of the most prolific threat actors that does not discriminate in its targeting. It often targets medium to large enterprises worldwide, with a strong focus on North America and Europe, including the UK. This means that no one is exempt from Akira's targeting in the future, so knowing your TTPs and how to prepare for attacks from threat actors is paramount to keeping your organization safe. Throughout late April 2025, DragonForce has been all over the news since they claimed responsibility for being involved in the attacks against Marks and Spencer, Co-Op, and Harrods in the UK. The information in the labs reflects DragonForce's latest known TTPs and helps customers to stay one step ahead of actors like DragonForce. Who are these labs for? These labs deliver the latest information relating to threat actors and their TTPs. The personas who would benefit the most from these labs are: Cyber Threat Intelligence Analysts SOC Analysts Incident Responders Threat Hunters Here are the links to the labs: Threat Actors: Akira Ransomware Groups: DragonForceLabs Live
This event has now ended. You can watch the recording here. Ever felt totally stuck with a lab? Getting frustrated? Maybe you could have used the helpful guidance of an expert? Introducing Labs Live, a groundbreaking community webinar series from Immersive! For the first time, we're bringing you live, interactive lab sessions led by seasoned professionals. In each Labs Live webinar, you'll collaborate directly with an expert as they navigate a challenging lab. They'll share their techniques, answer your questions, and together, you might even discover new insights. This isn't just a demonstration; it's a hands-on learning experience.Don't miss out on this unique opportunity to elevate your cyber skills. Our very first Labs Live session will be hosted by KevBreen Senior Director of Cyber Threat Research, as he tackles the latest Cyber Threat Intelligence Lab. Join him on April 25th to solve it together!New CTI Lab: CVE-2025-35433 (Erlang SSH): Offensive
On April 16, 2025, a critical vulnerability, identified as CVE-2025-32433, was disclosed in the Erlang/OTP SSH server. This critical vulnerability allows unauthenticated attackers to execute arbitrary code on affected systems by sending specially crafted SSH messages before authentication. After these messages have been sent, attackers have code execution on the victim machine. This lab will walk you through the mechanics of this vulnerability, helping you understand its implications and learn how an attacker could exploit it. Why is this lab important? Given Erlang's widespread use in telecommunications, IoT, and distributed systems, this vulnerability poses a significant risk to victims in multiple sectors and industries. Customers using Erlang should assess its vulnerability status and patch as soon as practicable. Who is this lab for? This lab is an offensive CTI lab, so it primarily benefits penetration testers and red teamers. That said, it's still incredibly valuable for defensive personas as well, so they can see how the attack could work. These personas include: SOC Analysts Incident Responders Threat Hunters Here is the link to the lab: https://iml.immersivelabs.online/v2/labs/cve-2025-35433-erlang-ssh-offensiveOperational CTI: Lessons from the Attacks That Didn’t Target You
Watch the recording from this event here ⬇️ Many organizations overlook vulnerabilities and attack campaigns that don’t directly impact them. While this makes sense for risk prioritization, studying these threats can reveal valuable insights that improve your defensive posture and technical skills. In this webinar, we’ll take you through a technical analysis of a recent malicious campaign and explore how analyzing adversary techniques — even those that haven’t targeted your organization — can uncover hidden gaps in your security strategy and enhance your ability to detect and mitigate future threats. Key Takeaways Threat Awareness Beyond Your Scope – Understanding attack campaigns that don’t directly affect your organization can still provide critical insights into evolving threat landscapes. Improving Defensive Posture – Learning from other attacks helps identify weaknesses in your own security strategy before they become exploited. Expanding Technical Knowledge – Deep-diving into attack techniques and vulnerabilities sharpens your ability to detect and mitigate sophisticated threats. Proactive Security Mindset – Adopting a proactive rather than reactive approach can help organizations stay ahead of adversaries, even if they’re not immediate targets. Applying Lessons Practically – Insights from external threats can shape better incident response plans, detection rules, and security skills.Operational CTI: How Immersive Builds Labs for Real-World Threat Preparedness
This event has now ended. You can watch the recording here. --- 📢 Today's the day! Our exclusive Community webinar 'Operational CTI: How Immersive Builds Labs for Real-World Threat Preparedness' will be live at 3pm GMT (10am EST). Here's a few tips to help you get the most from your experience: 🚀 This is a live, interactive session. Make sure you join the session promptly in order to get the full experience. 🔗 To join today's session, visit the event page or simply use the Zoom link. ❓You’ll also have the opportunity to participate in a Q&A with our expert panel so you can leave with an action plan to turn your ideas into reality! You can pre-submit questions here. Event Description Have you ever wondered how Immersive Labs can release CTI labs on the latest threats so quickly? Come backstage with us on this ✨ Community Exclusive ✨ event to learn just how we do it. BenMcCarthy and benhopkins, two of the experts from the CTI team will reveal what it takes to make a lab, some of their favourites from 2024 and what is to come from the CTI team. Agenda What are CTI labs and how do we select labs to build? Build Stage 1 - Research Build Stage 2 - "Labified" Build Stage 3 - Content Build Stage 4 - QA Some of our favourite labs Examples of speedy launches of labs C2 research What next for our Threat Research and CTI Labs You’ll also have the opportunity to pre-submit questions here so you can ensure that you leave with all of the information you need! This is a Community Exclusive event: Hit the attend button to register. This webinar will be live at 3pm GMT and will be recorded.New CTI Labs: CVE-2025-31161 (CrushFTP): Defensive and CVE-2025-31161 (CrushFTP): Offensive
On the 7th April 2025, a vulnerability in the CrushFTP was added to the CISA Kev Catalogue, CrushFTP is an enterprise FTP solution with tens of thousands of instances publicly accessible online. Recent reporting has confirmed that since a proof-of-concept dropped, there has been an uptick in this vulnerability being exploited in the wild. Successful exploitation of this critical vulnerability allows attackers to achieve code execution, file upload, and download, as well as create backdoor accounts. Why should our customers care? As a critical vulnerability with a CVSS base score of 9.8, with no user interaction required, this vulnerability represents a significant impact to customers using CrushFTP or other, similar file transfer solutions. The addition of vulnerabilities to the CISA KEV catalog shows how serious it is and how important it is to patch against the vulnerability, given that the attacker could upload files, achieve persistently, and backdoors onto the server. Who is it for? Incident responders SOC analyst CTI Analysts Threat Hunters Penetration Testers System Administrators Here are the links to the labs: CVE-2025-31161 (CrushFTP): Offensive CVE-2025-31161 (CrushFTP): Defensive In addition, we've released a proof-of-concept script to demonstrate how an attacker could exploit this vulnerability: https://github.com/Immersive-Labs-Sec/CVE-2025-31161New CTI Labs: Water Gamayun: (CVE-2025-26633) Campaign Analysis
Water Gamayun, also known as EncryptHub and Larva-208, is a threat actor (suspected to be of Russian origin) that has been observed exploiting a zero-day vulnerability in the Microsoft Management Console (MMC). This vulnerability has been dubbed MSC EvilTwin and assigned CVE-2025-26633. This lab takes you through the campaign, explaining how the vulnerability works to allow the attacker to silently execute malicious code, and what actions on objective the threat actor performs. Why should our customers care? EncryptHub has been reported to have breached over 618 organizations to deploy StealC, SilentPrism, and ransomware for the purposes of maintaining persistence, stealing data, and causing severe operational disruption; therefore, our customers should be mindful of this threat actor and their tactics. Their use of a zero day vulnerability shows how standard Windows configurations can be abused by threat actors to silently transport this malware into a victims environment to allow attackers to fulfil their operational objectives. Who is it for? Incident responders SOC analyst CTI Analysts Threat Hunters Here is the link to the campaign analysis lab: https://immersivelabs.online/labs/water-gamayun-campaign-analysisReverse Engineering SmokeLoader: An In-Depth Analysis (Part 3)
The previous blog entry covered how SmokeLoader uses various obfuscation techniques to slow reverse engineers down. We also identified yet another shellcode being allocated to a memory region, which we then dumped and analysed. In this blog entry, we’ll try to identify some of the key API functions the malware employs through dynamic API resolution to allocate memory, store shellcode, and deceive analysts. This third stage uses techniques similar to those used before – dynamic API resolution – but this time, the APIs are declared on the stack as their names and don’t go through API hashing. A number of APIs are executed with GetProcAddress for the malware to dynamically resolve functionality. These APIs are: LoadLibraryA(“Kerne32.dll”) GetProcAddress(“VirtualAlloc”) GetProcAddress(“VirtualProtect”) GetProcAddress(“VirtualFree”) GetProcAddress(“GetVersionExA”) GetProcAddress(“TerminateProcess”) GetProcAddress(“ExitProcess”) GetProcAddress(“SetErrorMode”) Then we came up against an issue. The malware only wants to run on a specific version of Windows – we think it was made for Server versions. The Windows API, GetVersionExW, has its return values compared to a very specific version. So when we run this program, it causes an exception as we weren't on the correct Windows version. To get around this for now, we had to set the ZF flag in x32dbg to jump over the code that caused the exception. This is necessary, or the memory address in EAX will cause an exception two lines later. Taking another look at the function, we found another jmp eax! We then performed the same process of setting a breakpoint, executing until that point, and then dumping the memory. Conclusion The third part of our SmokeLoader analysis explored dynamic API resolution, and we found another layer of shellcode in memory to dump. By this point, it was clear that SmokeLoader had multiple layers of shellcode inside it, with layers of obfuscation to slow down reverse engineers. During our analysis, we came across a number of these issues relating to control flow obfuscation. Trying to jump to certain instructions to identify shellcode gave us the EXCEPTION_ACCESS_VOILATION error. The final blog post of this series will discuss this exception more closely, describe how to defeat it and look at some indicators of compromise you can identify in the later stages of reverse engineering.New CTI Labs: Threat Actors: Salt Typhoon – SNAPPYBEE Campaign Analysis & Threat Actors: Salt Typhoon
Salt Typhoon has been a threat actor that has caused a lot of worry for defensive teams all over the world. They are a threat actor group which has been predominately targeting Telecommunication companies. They have been in the media a lot over the past few months for their hacks on telecommunication companies in the US.Immersive were finally able to get access to some of the malware samples, as more get released we shall cover more of the campaigns. Threat Actors: Salt Typhoon This lab takes the user through who Salt Typhoon are, what their techniques, tactics, and procedures are, and who they target. Discussing their previous campaigns in depth and why they are so feared as a group. Salt Typhoon: SNAPPYBEE Campaign Analysis Many of our customers want to learn how salt typhoons operate. This lab shows people how to start hunting for them inside a network, taking our users through the different stages, techniques, and tactics they use and how to identify them for detection. Why should our customers care? Salt Typhoon are a big threat to telecommunication companies around the world. Their main focus is to be in a network and perform cyber espionage without being detected. They largely operate inside networks without being detected for a long time, sometimes even months to a year. Our customers need to proactively understand what this threat is and how to start monitoring for them in their network. Who is it for? Incident responders SOC analyst CTI Analysts Threat Hunters Here is the link to the threat actor lab: https://immersivelabs.online/labs/threat-actors-salt-typhoon Here is the link to the campaign analysis lab: https://immersivelabs.online/v2/labs/salt-typhoon-campaign-analysisReverse Engineering SmokeLoader: An In-Depth Analysis (Stage 2)
This is the second part of a series of blog posts analyzing the SmokeLoader malware. It goes into detail on how we reverse-engineered it to identify its objectives and actions. The first part of this blog series looked at the malware’s contextual information and some of our initial analysis considerations. In this second part, we’ll continue where we left off by going deeper into the debugging and decompiling process to identify more shellcode and obfuscation techniques. As a reminder, we left off the previous post by identifying the first shellcode in memory, which was located at memory address 0x008A300. EAX pointed to this memory address, where deobfuscated instructions were provided. The execution was now at this location, meaning we had to dump the memory and load it into Ghidra for some static analysis. We dumped the whole heap allocation from here instead of starting at 0x2310. When we started analyzing it in Ghidra, we had to start at location 0x2310. The first thing that occurred was a CALL instruction. The second stage of this malware runs similarly to the first stage but employs some API hashing to obfuscate the API function calls that the malware makes. The malware ultimately allocates memory on the heap, places obfuscated data there, deobfuscates it, and then calls it. The starting function of the shellcode resembles a similar structure to the main() of the parent stage malware. We’ve changed some of the names of the functions and variables to help you understand these screenshots. The first function did the API hashing and called a nested function for the process of LoadLibraryA and GetProcAddress. Inside the function called FUN_00002448, you are presented with the following: The image above shows a function that performs the LoadLibraryA and GetProcAddress processes commonly used by malware. This is done for the following APIs: LoadLibraryA(“Kerne32.dll”) GetProcAddress(“GlobalAlloc”) GetProcAddress(“Sleep”) GetProcAddress(“VirtualAlloc”) GetProcAddress(“CreateTool32Snapshot”) GetProcAddress(“Module32First”) GetProcAddress(“CloseHandle”) These APIs indicate some of the malware’s behavior. But the most important here is VirtualAlloc. The size of the allocated location on the heap is important to note for later dumping of the third-stage shellcode. The second important function is the allocation on the heap and the deobfuscation. In the debugger, we set a breakpoint at the line (*local_8)(), which is the location of the return value from VirtualAlloc. This process is the same as the previous stage; we simply had to dump the memory from that location then load it into Ghidra for the next stage! This image shows the jump to the new shellcode location 0x02420000! Conclusion The second part of our SmokeLoader analysis identified another location in memory where shellcode is being allocated and stored. We also identified some obfuscation and XOR decryption being used throughout. Stay tuned for the next blog entry, where we’ll delve even deeper into this sample to identify some of the key API functions the malware employs to allocate memory, store shellcode, and deceive analysts.
