Security Advisories

In April 2025, cybersecurity researchers uncovered two advanced threats that highlight the grow ing sophistication of adversaries: an upgraded Hijack Loader variant and a newly discovered malware family named SHELBY (REF8685). Both demonstrate enhanced capabilities in evading detection, maintaining persistence, and misusing legitimate platforms.The Hijack Loader—also known as DOILoader, SHADOWLADDER, and GHOSTPULSE—has evolved to include call stack spoofing, direct system calls via Heaven’s Gate, and virtualisation-aware execution. These enhancements improve its ability to bypass sandboxes and endpoint protections while serving as a stealthy delivery mechanism for second-stage payloads such as Cobalt Strike. Meanwhile, SHELBY exploits GitHub for Command-and-Control (C2) communications—a tactic designed to blend into legitimate network traffic. It uses a multi-stage chain with DLL side-loading and sandbox evasion to complicate detection and analysis. These threats reinforce the need for organisations to strengthen their detection strategies against stealthy loaders, abuse of legitimate services, and evasive malware behaviours.

  SideWinder APT — also referred to as APT-C-17, Baby Elephant, Hardcore Nationalist, Leafperforator, Rattlesnake, Razor Tiger, or T-APT-04—has been operational since at least 2012 and continues to demonstrate a high degree of operational maturity, adaptability, and strategic intent. While historically focused on military and government entities in South Asia, SideWinder has significantly broadened its target profile over the past year. This expansion has seen aggressive campaigns against logistics firms, maritime infrastructure, diplomatic missions, and, more recently, nuclear energy organisations—spanning across South and Southeast Asia, the Middle East, and Africa. These campaigns have employed refined spear-phishing techniques, leveraged well-known but still effective vulnerabilities such asCVE-2017-11882,CVE-2025-2783, and deployed bespoke implants designed for stealth and persistence within critical environments. The targeting of maritime and nuclear infrastructure—combined with post-compromise activity that includes tailored malware deployment and advanced evasion tactics—suggests an intelligence-driven campaign with strategic geopolitical objectives. The group’s ability to retool within hours of detection, coupled with its use of complex infection chains and memory-resident payloads, reflects a threat actor that is not only technically sophisticated but also operationally agile.

 FatalRAT has significant re-purposing potential for intellectual property theft, corporate espionage, and disruption in sectors like government, finance, and technology. Its ability to evade detection and exploit vulnerabilities means it could easily target other industries globally. This makes it a growing threat, as it can be adjusted to target regions and sectors outside of its current focus. Given its evolving nature, FatalRAT poses a major risk not just to Chinese-speaking targets, but to global organizations. Its capabilities underline the critical need for robust cybersecurity and proactive threat defenses to protect against such highly adaptable threats.