4N6 BEAT

Elastic Security Labs documents an intrusion cluster (REF3927) abusing publicly disclosed ASP.NET machine keys to sign malicious ViewState and achieve in-process code execution on IIS, then dropping an IIS module dubbed TOLLBOOTH for monetization/persistence and layering in a modified “Hidden” rootkit and off-the-shelf tools like Godzilla and GotoHTTP. Elastic report. (elastic.co)

Microsoft independently warned earlier in 2025 that over 3,000 machine keys had been found in public repos and documentation, and that threat actors were already using these to perform ViewState code injection leading to Godzilla deployment. Microsoft Security Blog. (microsoft.com)

Unit 42’s 5-minute read on October 20, 2025 documents three notable shifts tied to Scattered LAPSUS$ Hunters (SLSH): a formal push toward extortion-as-a-service (EaaS), renewed insider recruitment, and chatter about a new ransomware brand, “SHINYSP1D3R.” Their guidance: build playbooks that handle data-theft extortion the way many of us handle encryption-driven ransomware today-verification, negotiation posture, and reputation impact included (Unit 42, Oct 20, 2025). (unit42.paloaltonetworks.com)

What changed in early October 2025

• EaaS advertisement (no encryption): On Oct 10, SLSH promoted an EaaS program analogous to RaaS but explicitly “no file encryption”-consistent with attempts to avoid law-enforcement heat focused on encrypting crews (Unit 42). (unit42.paloaltonetworks.com)
• Insider recruitment redux: On Oct 5, SLSH solicited insiders, prioritizing call centers, gaming, hosting, SaaS, and telecom in the U.S., UK, AU, CA, and FR-also noted by ReliaQuest activity on X (Unit 42). (unit42.paloaltonetworks.com)
• “SHINYSP1D3R” claims: On Oct 4, the actors teased a ransomware effort; Unit 42 emphasizes it’s unclear whether development is real vs. psyops, though separate intel shops have tracked similar chatter since August (Unit 42; FalconFeeds reference via Unit 42; EclecticIQ analysis of ShinyHunters links and RaaS development). (unit42.paloaltonetworks.com)

Context: Unit 42’s earlier Oct 10 brief connects “Scattered LAPSUS$ Hunters” to a coalition of Bling Libra (ShinyHunters), Muddled Libra (Scattered Spider/UNC3944), and LAPSUS$-sometimes dubbed a “Trinity” within a broader e-crime social milieu known as “The Com” (Unit 42, Oct 10). (unit42.paloaltonetworks.com)

Kaspersky reported on October 17, 2025 that a malicious npm package named https-proxy-utils masqueraded as a proxy helper and, during installation, executed a postinstall script that fetched and launched an AdaptixC2 agent; the package has since been removed from npm (Securelist). The lure name mimicked popular packages like http-proxy-agent and https-proxy-agent, and even cloned functionality from proxy-from-env to appear legitimate (Securelist).

AdaptixC2 is an open-source, cross-platform post-exploitation framework with server components in Go and a Qt client, providing beacons and listeners across Windows, macOS, and Linux-features attractive both to red teams and threat actors (AdaptixC2 GitHub).