MOXFIVE Monthly Insights - December 2024
In this newsletter, we share the latest threat insights and recommendations from the MOXFIVE team. Click button below to subscribe if not already on the MOXFIVE mailing list.

December Highlights

In December, we saw an increase in ransomware activity driven by Clop and RansomHub, which launched impactful campaigns across multiple industries. The evolving threat landscape was further highlighted by the emergence of SafePay, a new ransomware variant, and the exploitation of vulnerabilities such as Ivanti Connect Secure (CVE-2025-0282) and Cleo Secure File Transfer (CVE-2024-50623).

In December, threat actors continued to target key sectors, with notable activity observed in Manufacturing, Healthcare, Construction & Engineering, and Transportation & Logistics. These industries remain high-value targets due to their critical operations and reliance on complex supply chains, which threat actors seek to exploit for maximum impact.

In a recent Rhysida case, MOXFIVE responded to an incident involving a GootLoader infection initiated through a malicious file download. GootLoader is a JavaScript-based malware loader known for its use of search engine optimization (SEO) poisoning to lure victims to malicious websites, where it delivers additional payloads, including ransomware. The malware remains a prominent tool in the threat landscape due to its versatility and effectiveness.

In this incident, the threat actors leveraged GootLoader to establish a foothold in the environment, deploying additional backdoors and targeting domain controllers to export sensitive data. Using an obfuscated version of Invoke-Kerberoasting, a PowerShell tool used to extract and crack encrypted Kerberos service tickets, the attackers obtained service account credentials and exfiltrated data via AZCopy to a suspected cloud storage account. The attackers relied on PowerShell and RDP for lateral movement and disabled security defenses before deploying the Rhysida ransomware payload.

MOXFIVE's recovery team minimized data loss by reconfiguring the client’s backup storage and restoring all critical servers within 48 hours. This incident underscores the importance of user vigilance, robust endpoint defenses, and effective backup strategies in ransomware incident response.

Phishing emails, VPN vulnerabilities, lack of MFA, software flaws, drive-by downloads, and social engineering remain the most frequently observed initial access points for ransomware attacks. In December, threat actors also exploited the following critical vulnerabilities as part of their campaigns:

• ‍Ivanti Connect Secure Vulnerability (CVE-2025-0282): Exploited since December, this vulnerability allows unauthenticated remote code execution. Although it was publicly disclosed in January 2025, attackers began using it earlier to target secure remote access systems. For mitigation guidance, refer to the MOXFIVE Ivanti vulnerability alert.
• Cleo Secure File Transfer Vulnerability (CVE-2024-50623): Actively exploited by the Clop ransomware group in early December, this flaw in Cleo’s Managed File Transfer (MFT) products enabled unauthorized access and exfiltration of sensitive data. Organizations using Cleo’s MFT solutions should prioritize patching to avoid compromise.

GootLoader delivers ransomware and remote access tools through diverse delivery methods, making it a persistent threat to organizations. Threat actors use multiple delivery mechanisms for GootLoader and other malware infections, including:

• Search Engine Optimization (SEO) Poisoning: Manipulating search results to direct users to malicious download sites.
• Phishing Campaigns: Distributing malicious links or attachments via email to unsuspecting users.
• Compromised Websites: Legitimate websites injected with malicious scripts to deliver the payload.
• Malvertising: Displaying malicious ads on legitimate websites that redirect users to harmful sites.

To defend against these delivery mechanisms, organizations should implement web content filtering and DNS security controls. These measures can block access to malicious domains and prevent connections to newly registered or suspicious sites, regardless of the access point. Coupled with endpoint protection and user training, this layered approach significantly reduces the risk of initial compromise.

In December, the following ransomware groups were among the most active: SafePay emerged as a new group, Clop was the most active based on data leak sites, and RansomHub followed closely after maintaining high activity levels for months.

• SafePay was newly observed in December and is associated with double-extortion tactics, including encrypting files and exfiltrating sensitive data to increase pressure on victims.
• Clop was the most active ransomware group in December, and continued their large-scale exploitation campaigns, including exploiting the Cleo Secure File Transfer vulnerability (CVE-2024-50623). The group is known for leveraging zero-day vulnerabilities and conducting mass data exfiltration attacks.
• RansomHub, the second most active ransomware variant seen in December, has consistently led ransomware-as-a-service (RaaS) activity in recent months. This ransomware variant has been used to target a wide range of industries through double-extortion techniques. For more details, check out the MOXFIVE RansomHub Threat Actor Spotlight here.