Malware Brief: Something old, something new …

Today we’ll round up a few of the latest malware trends, including threats to Entra ID data and AI-company spoofing. Plus, we’ll reach into the way-back file and check in on a classic ransomware variant that’s still doing plenty of harm nearly 10 years after its first appearance on the scene.

Password spraying vs. Entra ID

Type: Brute-force variant

Tools: dafthack/DomainPasswordSpray, dafthack/MSOLSpray, iomoath/SharpSpray (all available on GitHub)

Threat actors: APT28 aka IRON TWILIGHT, SNAKEMACKEREL, Swallowtail, Group 74, Sednit, Sofacy, Pawn Storm, Fancy Bear, STRONTIUM, Tsar Team, Threat Group-4127, TG-4127, Forest Blizzard, FROZENLAKE, APT29 aka IRON RITUAL, IRON HEMLOCK, NobleBaron, Dark Halo, StellarParticle, NOBELIUM, UNC2452, YTTRIUM, The Dukes, Cozy Bear, CozyDuke, SolarStorm, Blue Kitsune, UNC3524, Midnight Blizzard, APT33 aka HOLMIUM, Elfin, Peach Sandstorm, Play

As that very long list of threat actors suggests, password spraying is exploding in popularity as a method of gaining access to target networks. Once inside, attackers can move laterally, find and exfiltrate high-value data, insert ransomware and other malware, and so on.

Unlike traditional brute-force methods, which hammer targeted accounts with rapid-fire access attempts using (more or less) randomly generated passwords, password spraying uses a small list of passwords that are known to be common (e.g., “password,” “1234,” etc.), at low frequency.

Password-spraying attacks against Entra ID systems are increasingly common, with one recent campaign targeting some 80,000 accounts on three continents. This highlights the importance of enforcing the use of strong, unique passwords, and of protecting your Entra ID data with a robust backup system.

Fake GenAI tools

Type: Phishing, Trojan, malvertising

Tools: NoodlophileStealer, ransomware

Threat actors have learned to exploit the increasing interest in all things AI to craft a new generation of attacks. They are creating bogus generative-AI tools that conceal malware and distribute them through malvertising and phishing.

Concealed malware often consists of a stealer (NoodlophileStealer is particularly common) and is used to find and exfiltrate financial and other sensitive data.

As always, security awareness — and a big dose of skepticism about new tools that are not already widely known — is the key to preventing these attacks.

Blast from the past: WannaCry

Type: Ransomware, Worm

First seen in the wild: May 2017

Exploits used: EternalBlue, DoublePulsar

Threat actors: The Lazarus Group (linked to North Korea)

Back in 2017, WannaCry (aka WCry, WanaCryptor) took the world by storm and ushered in the modern ransomware era, infecting an estimated 200,000 computers in just the first two days of the attack. Microsoft, working alongside several cybersecurity firms, was quick to provide a Windows patch that activated a kill switch that analysts had uncovered within the malware. Nonetheless, the attack netted billions of dollars in ransom payments by the time it was over.

One key innovation of WannaCry is that it had worm capabilities. Not only did it seek out and encrypt critical data within its target environment, it also had the capability to inject copies of itself into other connected computers, allowing it to spread with unprecedented speed.

Newer variants of WannaCry continue to attack systems around the world — and they lack the kill switch that early interventions were able to exploit. While it is not among the top malware types in use, Any.Run reports 227 tasks detected just in July 2025.

It’s a useful reminder that old malware never dies, and it doesn’t even really fade away. Keep your systems patched and your security up to date.