Intelligence Center

Advancements in AI have democratized Business Email Compromise (BEC) attacks, allowing threat actors to efficiently target smaller organizations with tailored social engineering. Concurrently, attackers are exploiting the React2Shell vulnerability (CVE-2025-55182) in Next.js applications to harvest cloud and database credentials, while Qilin ransomware has been observed deploying a sophisticated EDR-killing payload.

Sens: Immediate · Conf: high · Analyzed: 2026-04-02

Authors: Martin Lee

Actors: NEXUS Listener, Qilin

Source: Cisco Talos

IOCs · 6

Key Takeaways

  • AI has democratized Business Email Compromise (BEC), making it economically viable for attackers to target small organizations, charities, and community associations.
  • A large-scale automated campaign is exploiting the React2Shell vulnerability (CVE-2025-55182) in Next.js applications using the 'NEXUS Listener' framework to harvest credentials.
  • Qilin ransomware is utilizing a malicious 'msimg32.dll' in a multi-stage infection chain capable of terminating over 300 different EDR drivers.

Affected Systems

  • Next.js applications
  • AWS instances
  • EDR systems

Vulnerabilities (CVEs)

  • CVE-2025-55182

Attack Chain

In the BEC campaigns, attackers leverage AI to rapidly reconnoiter targets and generate highly tailored, socially engineered emails to trick personnel into transferring funds. In a separate campaign, attackers exploit the React2Shell vulnerability (CVE-2025-55182) in Next.js applications to deploy the NEXUS Listener framework, which automatically extracts and aggregates sensitive data like cloud tokens and SSH keys. Additionally, Qilin ransomware utilizes a malicious 'msimg32.dll' to terminate over 300 EDR drivers, impairing defenses before executing its primary payload.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

No specific detection rules are provided in the article text.

Detection Engineering Assessment

  • EDR Visibility: High — EDR solutions should have high visibility into the dropping and loading of suspicious DLLs like msimg32.dll, as well as the execution of the provided malware hashes, despite Qilin's attempts to terminate drivers.
  • Network Visibility: Medium — Network sensors and WAFs can detect exploitation attempts against Next.js applications (React2Shell) and subsequent C2 communication from the NEXUS Listener framework.
  • Detection Difficulty: Moderate — While the malware hashes and specific vulnerabilities (React2Shell) are straightforward to detect, identifying AI-generated BEC emails relies heavily on behavioral anomalies and user reporting, which is inherently difficult to automate.

Required Log Sources

  • Email Gateway Logs
  • Web Application Firewall (WAF) Logs
  • EDR Telemetry

Hunting Hypotheses

| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
| --- | --- | --- | --- |
| Threat actors are exploiting CVE-2025-55182 (React2Shell) in Next.js applications to gain initial access and deploy credential harvesting frameworks. | WAF logs, web server access logs | Initial Access | Low |
| Adversaries are loading a malicious msimg32.dll to terminate EDR processes and drivers prior to ransomware deployment. | EDR process execution logs, image load events | Defense Evasion | Medium |
| Attackers are utilizing compromised internal email accounts to send urgent, out-of-band payment requests to finance personnel. | Email gateway logs, Office 365/Google Workspace audit logs | Execution | High |
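The page provides no detection logic for the second hypothesis, so the following is an added illustration (not from Cisco Talos or the Intelligence Center) of how a hunt over EDR image-load telemetry could flag msimg32.dll loaded from outside the Windows system directories and escalate when the same process then stops several drivers. The event schema, driver names and timestamps are constructed assumptions, not real telemetry.

```python
import ntpath
from collections import defaultdict

# The legitimate msimg32.dll lives only under the Windows system directories
# (trailing separator so a path like "system32evil\" does not match).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed sample telemetry (not real data): normalised EDR events with a
# timestamp in seconds, the acting process id and either the loaded image or
# the stopped driver. Driver names are hypothetical placeholders.
SAMPLE_EVENTS = [
    {"ts": 100, "type": "image_load", "pid": 4120,
     "image": "C:\\Windows\\System32\\msimg32.dll", "process": "C:\\Windows\\explorer.exe"},
    {"ts": 205, "type": "image_load", "pid": 7788,
     "image": "C:\\Users\\Public\\stage\\msimg32.dll", "process": "C:\\Users\\Public\\stage\\updater.exe"},
    {"ts": 206, "type": "driver_stop", "pid": 7788, "target": "edr_driver_a"},
    {"ts": 207, "type": "driver_stop", "pid": 7788, "target": "edr_driver_b"},
    {"ts": 208, "type": "driver_stop", "pid": 7788, "target": "edr_driver_c"},
    {"ts": 900, "type": "driver_stop", "pid": 7788, "target": "edr_driver_d"},  # outside window
]


def is_sideloaded_msimg32(event):
    """True when msimg32.dll is loaded from anywhere but the system directories."""
    if event["type"] != "image_load":
        return False
    image = event["image"].lower()
    if ntpath.basename(image) != "msimg32.dll":
        return False
    return not image.startswith(SYSTEM_DIRS)


def hunt(events, window=60, stop_threshold=3):
    """One finding per side-loaded msimg32.dll; severity is raised to high when
    the same process stops at least stop_threshold drivers within window seconds."""
    stops = defaultdict(list)
    for e in events:
        if e["type"] == "driver_stop":
            stops[e["pid"]].append(e["ts"])
    findings = []
    for e in events:
        if not is_sideloaded_msimg32(e):
            continue
        n = sum(1 for t in stops[e["pid"]] if e["ts"] <= t <= e["ts"] + window)
        findings.append({"pid": e["pid"], "process": e["process"], "image": e["image"],
                         "driver_stops": n,
                         "severity": "high" if n >= stop_threshold else "medium"})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Tune the window and threshold to your environment; a single out-of-place load is still worth a medium finding because the legitimate DLL never needs to be loaded from a user-writable path.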

Control Gaps

  • Lack of strict procurement rules for urgent payments
  • Unpatched Next.js applications
  • Missing IMDSv2 enforcement on AWS instances

Key Behavioral Indicators

  • Unexpected urgent payment requests via email
  • Exploitation payloads targeting React2Shell
  • Unexpected termination of EDR drivers or processes

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Audit Next.js applications for the React2Shell vulnerability (CVE-2025-55182).
  • Rotate all potentially compromised credentials, including API keys and SSH keys.

Infrastructure Hardening

  • Enforce IMDSv2 on AWS instances.
  • Implement RASP or tuned WAF rules to detect malicious payloads targeting Next.js.
  • Apply strict least-privilege access controls within container environments.

User Protection

  • Verify unexpected payment requests through separate channels (e.g., calling a known phone number).

Security Awareness

  • Educate employees, especially in smaller organizations, about the democratization of BEC scams and AI-generated phishing.
  • Enforce strict procurement rules that prevent any last-minute urgent payments.

MITRE ATT&CK Mapping

  • T1566 - Phishing
  • T1190 - Exploit Public-Facing Application
  • T1552 - Unsecured Credentials
  • T1562.001 - Impair Defenses: Disable or Modify Tools

Additional IOCs

  • Urls:
    • hxxps://talosintelligence[.]com/talos_file_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974 - Talos reputation lookup for W32.Injector:Gen.21ie.1201
    • hxxps://talosintelligence[.]com/talos_file_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507 - Talos reputation lookup for Win.Worm.Coinminer::1201
    • hxxps://talosintelligence[.]com/talos_file_reputation?s=90b1456cdbe6bc2779ea0b4736ed9a998a71ae37390331b6ba87e389a49d3d59 - Talos reputation lookup for Auto.90B145.282358.in02
    • hxxps://talosintelligence[.]com/talos_file_reputation?s=38d053135ddceaef0abb8296f3b0bf6114b25e10e6fa1bb8050aeecec4ba8f55 - Talos reputation lookup for W32.38D053135D-95.SBX.TG
    • hxxps://talosintelligence[.]com/talos_file_reputation?s=5e6060df7e8114cb7b412260870efd1dc05979454bd907d8750c669ae6fcbcfe - Talos reputation lookup for W32.5E6060DF7E-100.SBX.TG
    • hxxps://talosintelligence[.]com/talos_file_reputation?s=e303ac1a9b378382830fc6a0b5a9574eca415d14d9282e2b4aced725db9cfbc5 - Talos reputation lookup for W32.E303AC1A9B-95.SBX.TG
  • File Hashes:
    • aac3165ece2959f39ff98334618d10d9 (MD5) - W32.Injector:Gen.21ie.1201 malware executable
    • 2915b3f8b703eb744fc54c81f4a9c67f (MD5) - Win.Worm.Coinminer::1201 malware executable
    • c2efb2dcacba6d3ccc175b6ce1b7ed0a (MD5) - Auto.90B145.282358.in02 malicious DLL (APQ9305.dll)
    • 41444d7018601b599beac0c60ed1bf83 (MD5) - W32.38D053135D-95.SBX.TG malicious script (content.js)
    • a2cf85d22a54e26794cbc7be16840bb1 (MD5) - W32.5E6060DF7E-100.SBX.TG malware executable
    • 48a4f5fb6dc4633a41e6fe0aa65b4fa6 (MD5) - W32.E303AC1A9B-95.SBX.TG malware executable
  • File Paths:
    • msimg32.dll - Malicious DLL used by Qilin ransomware to terminate EDR drivers