{"id":14463,"date":"2025-06-25T11:47:26","date_gmt":"2025-06-25T11:47:26","guid":{"rendered":"\/cybersecurity-blog\/?p=14463"},"modified":"2025-06-27T07:42:57","modified_gmt":"2025-06-27T07:42:57","slug":"cyber-attacks-june-2025","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/cyber-attacks-june-2025\/","title":{"rendered":"Top 3 Cyber Attacks in June 2025: GitHub Abuse, Control Flow Flattening, and More\u00a0"},"content":{"rendered":"\n

June 2025 saw several sophisticated and stealthy cyber attacks that relied heavily on obfuscated scripts, abuse of legitimate services, and multi-stage delivery techniques. Among the key threats observed by ANY.RUN\u2019s analysts were malware campaigns using GitHub for payload hosting, JavaScript employing control-flow flattening to drop Remcos, and obfuscated BAT scripts delivering NetSupport RAT. Let\u2019s see how ANY.RUN\u2019s Interactive Sandbox<\/a> and Threat Intelligence Lookup<\/a> can help security teams detect, investigate, and understand these threats.\u00a0<\/p>\n\n\n\n

1. Braodo Stealer Abuses GitHub for Payload Staging and Hosting <\/h2>\n\n\n\n

Original post on X<\/a> and LinkedIn<\/a> <\/p>\n\n\n\n

A new campaign distributing Braodo stealer leverages public GitHub repository, including raw file content, to host payloads. The primary goal of this stealer is data exfiltration, and at the time of analysis, its detection rate was low. The BAT files used in the campaign include misleading comments to complicate analysis.  <\/p>\n\n\n\n

ANY.RUN\u2019s Script Tracer<\/a> simplifies the analysis by logging the multi-stage execution flow step by step, without the need for manual deobfuscation. Let\u2019s take a closer look at this threat\u2019s behavior using ANY.RUN Interactive Sandbox, which provides full visibility into process activity and persistence mechanisms.  
 
View analysis<\/a> <\/p>\n\n\n

\n
\"\"
Braodo stealer detonated in Interactive Sandbox<\/em> <\/figcaption><\/figure><\/div>\n\n\n

The first BAT file executes a CMD command that launches PowerShell<\/a> in hidden mode to avoid displaying a visible window. It then downloads a second BAT file from github[.]com, disguised as a .PNG file, saves it to the %temp% folder, and executes it.  <\/p>\n\n\n

\n
\"This
Pseudo .png file downloaded from GitHub<\/em><\/figcaption><\/figure><\/div>\n\n\n

The second BAT file launches a new PowerShell script file, that removes components from the earlier stages, enforces TLS 1.2, retrieves an additional payload from raw.githubusercontent[.]com, saving it in the Startup folder, and downloads main payload in a ZIP file. This behavior is captured in ANY.RUN\u2019s Script Tracer. <\/p>\n\n\n

\n
\"\"
 Script Tracer: TLS 1.2 protocol launched, .zip file downloaded<\/em> <\/figcaption><\/figure><\/div>\n\n\n

The final payload, Braodo Stealer, is extracted from a ZIP file, stored in the Public directory, and executed using python.exe. After execution, it deletes the initial archive to reduce artifacts. The Python file is obfuscated with pyobfuscate and contains non-encrypted, custom Base64-encoded payload strings appended to the script. <\/p>\n\n\n

\n
\"\"
The whole attack chain detailed in the Interactive Sandbox<\/em> <\/figcaption><\/figure><\/div>\n\n\n

ANY.RUN\u2019s Threat Intelligence Lookup allows analysts to discover recent Braodo attacks and fresh samples of this stealer dissected by the users of the Interactive Sandbox. Search by the malware\u2019s name and view analyses:  
 
threatName:”Braodo”<\/a> 
<\/p>\n\n\n

\n
\"\"
Braodo analyses in the Sandbox found via Threat Intelligence Lookup<\/em> <\/figcaption><\/figure><\/div>\n\n\n

The search results contain a selection of Brado samples recently analyzed by the Sandbox users. Each analysis session can be explored in depth for harvesting IOCs and observing the malware\u2019s behavior.  <\/p>\n\n\n\n\n

\n\n

\nSpeed up triage and incident response with instant access
to threat data on attacks across 15,000 organizations<\/span>  \n<\/p>\n\n\nStart with 50 trial requests\n<\/a>\n<\/div>\n\n\n\n