Threat Context monthly: Executive intelligence briefing for January 2025
Welcome to the Threat Context Monthly blog series where we provide a comprehensive roundup of the most relevant cybersecurity news and threat information from KrakenLabs, Outpost24’s cyber threat intelligence team. Here’s what you need to know from January.
Threat actor of the month: Funksec ransomware
“Funksec ransomware” is a threat group active at least since September 2024. The adversary engages in various activities such as leaking databases from victimized companies, selling access to websites and networks, defacing websites, and sharing tools to perform Distributed Denial of Service (DDoS) attacks. Furthermore, at the end of December 2024 the group started a Ransomware-as-a-Service (RaaS) operation.
Funksec claims that its primary targets are India, the US, and Israel. However, it also claims that its motivation is financial rather than political or religious. Despite these claims, most of the listed victims are from countries and regions other than the stated targets. Funksec attacks therefore appear opportunistic, indiscriminate and not very complex; that said, the adversary’s sophistication and skills have increased notably in a short period of time.
The group also seems interested in building a cybercriminal community. On their Data Leak Site (DLS) and on GitHub they offer various malware for free, such as JQRAXY_HVNC (a hidden virtual network computing malware), Funksec DDoS Tool (a Python script to perform DDoS attacks), and funkgenerate (a password list generator). Furthermore, they have set up a dedicated section in their DLS named “Blackzone” that allows others to upload leaks for free.
Funksec claimed to have developed their own ransomware strain and, to assist with this task, to have also created an artificial intelligence tool named WormGPT. Outpost24 KrakenLabs analysts could not confirm whether they did indeed develop this tool. However, a tool named WormGPT with similar functionality has been available since July 2023, so it is possible that this is the tool Funksec is using.

Spotlight threat: Fortigate firewalls data leak – Belsen Group’s activity
On January 14, 2025, a group dubbed “Belsen Group” published a post on BreachForums announcing a leak with sensitive data for over 15,000 FortiGate firewalls. The leak included plain text VPN credentials, device configurations, and IP addresses, organized by country.

The data was analyzed by security researchers, who identified a relation with compromises dating back to 2022. More specifically, it was linked to CVE-2022-40684, an authentication bypass vulnerability in FortiGate firewalls exploited as a 0-day in 2022. Although the vulnerability is quite old, a subsequent Censys scan revealed that 54.75% of the affected devices remain online, and 32.88% continue to expose login interfaces, increasing the risk of further exploitation.
The leaked data mostly belongs to Small and Medium-Sized Businesses (SMBs) using telco or business leased line services. Furthermore, researcher Kevin Beaumont observed that Iran has no configurations in the dataset, despite Shodan showing nearly two thousand exposed devices there. In the case of Russia, only one device appears in the leak.
It remains unclear whether Belsen Group was actually the group that obtained the data in 2022, and why the leak remained hidden for so long. Belsen Group registered on forums and created social media accounts only days before the publication. Their motivation may be not only financial gain but also notoriety.
To release the data, the group relied on their DLS on the TOR network, where they initially published it for free. However, in their own words, “due to the high demand and the increasing number of requests on their dark net site” they decided to make it available “on the regular internet for those interested, at a nominal fee of 100 USDT to ensure easy access.”
KrakenLabs observed highlights
Vulnerability
Ivanti 0-day exploitation: Mandiant researchers have observed a China-nexus espionage actor, “UNC5337”, exploiting a 0-day vulnerability (CVE-2025-0282) affecting Ivanti Connect Secure VPN appliances to deploy the SPAWN malware ecosystem. Analysts also observed other toolsets named DRYHOOK and PHASEJAM, and believe it is possible that other threat actors are exploiting this vulnerability as well.
Bug in ChatGPT’s API: Security researcher Benjamin Flesch detailed a bug in ChatGPT’s API that allowed generating DDoS attacks against targeted websites. Although Flesch responsibly disclosed the flaw, OpenAI and Microsoft did not address it by disabling the vulnerable endpoint until it was covered in the media.
Emerging threat
Doubleclickjacking – new technique: Researcher Paulos Yibelo reported doubleclickjacking, a new variant of the clickjacking technique that relies on mouse double-click timing to get the victim to confirm a login or some other account authorization while they believe they are clicking on something else, such as a captcha. Attackers can use this technique against websites and browser extensions to steal the victim’s credentials.
Malware through Reddit impersonations: Threat actors are distributing the Lumma Stealer malware through web pages impersonating Reddit. Simulating a discussion thread, one user asks for help downloading a specific tool, and another user offers to upload it to WeTransfer and share the link, which actually downloads the stealer. To make everything appear legitimate, a third user replies to thank them for the contribution.
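Doubleclickjacking works because the second click of a pre-timed double-click lands on a sensitive button that has just been swapped into view, before the user has had a chance to react. The following is an added defensive example, not code from the original post or from the research it summarizes: a guard that keeps an authorization button disabled until the page has received a genuine mouse movement or key press and a minimum time has elapsed since it became visible. `ClickGuard`, `MIN_ARM_MS` and the `#authorize` element id are this example’s own assumptions.

```javascript
// Added example (not from the original post): defensive pattern against
// doubleclickjacking. A sensitive button only honours a click once the page
// has (a) seen a real user gesture other than a click and (b) been visible
// for at least MIN_ARM_MS, so a pre-timed second click on a page that was
// just swapped into view is ignored.
const MIN_ARM_MS = 500; // assumption: how long the page must be visible before clicks count

class ClickGuard {
  constructor(now = Date.now) {
    this.now = now;            // injectable clock, so the logic can be tested offline
    this.visibleSince = null;  // timestamp when the page last became visible/focused
    this.userGesture = false;  // set by mousemove/keydown, never by a click itself
  }
  onVisible() { this.visibleSince = this.now(); this.userGesture = false; }
  onGesture() { this.userGesture = true; }
  // Decide whether a click arriving at clickTime should be accepted.
  shouldAccept(clickTime = this.now()) {
    if (this.visibleSince === null || !this.userGesture) return false;
    return clickTime - this.visibleSince >= MIN_ARM_MS;
  }
}

// Bind the guard to a real DOM button; disabled until the guard is satisfied.
function protectButton(button, guard = new ClickGuard()) {
  const refresh = () => {
    const ok = guard.shouldAccept();
    button.disabled = !ok;
    // Re-check once the arming window has elapsed after a gesture.
    if (!ok && guard.userGesture) setTimeout(refresh, MIN_ARM_MS);
  };
  guard.onVisible();
  refresh();
  document.addEventListener('visibilitychange', () => {
    if (document.visibilityState === 'visible') guard.onVisible();
    refresh();
  });
  window.addEventListener('focus', () => { guard.onVisible(); refresh(); });
  for (const ev of ['mousemove', 'keydown']) {
    document.addEventListener(ev, () => { guard.onGesture(); refresh(); }, { passive: true });
  }
  // Belt and braces: drop any click that slips through while not armed.
  button.addEventListener('click', (e) => {
    if (!guard.shouldAccept()) { e.preventDefault(); e.stopPropagation(); }
  }, true);
}

// Only wire up the DOM when running in a browser (skipped under Node).
if (typeof document !== 'undefined') {
  const btn = document.getElementById('authorize'); // assumption: the sensitive button's id
  if (btn) protectButton(btn);
}
```

The guard complements, rather than replaces, frame-busting headers such as `X-Frame-Options` and CSP `frame-ancestors`, which do not stop doubleclickjacking because the attack does not use an iframe.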
Ransomware
Reusing source code: Researchers from SentinelOne analyzed payloads believed to be related to the “Hellcat” and “Morpheus” ransomware operations, which emerged in October and December 2024 respectively, and observed that they contain almost identical code. Members of the Hellcat group denied that the samples attributed to them were real.
What’s new in Threat Context this month?
Threat actors: Billionaire Boys Club, Funksec ransomware, blackod, comradbinski, HeartCrypt, Lawxsz, Celestial, FatherOfCarders, Belsen Group, waifu, bosstrader001, 570RM, Raven Logs, Kiberphant0m, Morpheus, gwap, and more!
Tools: NotLockBit, CatDDoS, Funseklocker, Private Protector, Iris Stealer, Prysmax, PXA stealer, Celestial stealer, Flame stealer, PackLab Crypter, VietCredCare, Rugmi, and more!
Try Threat Compass for yourself
Want more threat intel? Get started with Threat Compass to receive the latest actionable intelligence from our world-class in-house analyst team. Request a live demo here.