---
title: Threat Intelligence Center - Capstone Technologies Group
description: APT37 exploits LNK files and GitHub repositories to deliver XenoRAT. Track the North Korean campaign targeting developers and enterprises.
canonical_url: https://captechgroup.com/threat-intelligence-center?start=224
language: en-GB
date: 2025-08-13T00:46:48Z
notice: This is a machine-friendly version of the page at https://captechgroup.com/threat-intelligence-center?start=224.
markdown-tokens: 1065
---

[APT37 Abuses LNK Files and GitHub Repos in Ongoing Campaign](https://captechgroup.com/threat-intelligence-center/apt37-abuses-lnk-files-and-github-repos-in-ongoing-ff88ac)

Security researchers have identified an ongoing campaign attributed to APT37, a North Korean threat actor, that exploits LNK files and GitHub repositories to distribute XenoRAT and establish persistence on target systems. The campaign uses PowerShell for command execution and abuses legitimate code repositories to evade detection.

[Tax Search Registry Queries Enable Kernel-Mode AV/EDR Termination](https://captechgroup.com/threat-intelligence-center/tax-search-registry-queries-enable-kernel-mode-ave-4490ef)

Security researchers have identified a technique that exploits tax search registry queries to disable kernel-mode antivirus and endpoint detection and response agents. This attack leverages legitimate Windows registry mechanisms to achieve elevated privilege execution and agent termination.

[Attackers Trojanize Axios HTTP Library in Highest-Impact npm Supply Chain Attack](https://captechgroup.com/threat-intelligence-center/attackers-trojanize-axios-http-library-in-highest-9b0c8b)

Researchers have uncovered a significant supply chain attack targeting Axios, a critical HTTP client library with millions of weekly downloads on npm. Attackers successfully trojanized the package, potentially exposing a vast developer ecosystem to malicious code injection.

Law enforcement has secured a guilty plea from an individual who orchestrated an extortion scheme targeting thousands of Windows devices across industrial and SaaS environments. The attack involved remotely locking devices to demand ransom payments from affected organizations.

Security researchers have identified Tycoon2FA, a phishing platform specifically engineered to target C-suite executives and senior leadership. The platform works in conjunction with Venom malware to harvest credentials from high-value targets. This credential theft campaign represents a significant threat to executive accounts with access to sensitive business systems and financial controls.

Microsoft has released an open-source toolkit specifically designed to govern autonomous AI agents, addressing critical compliance and operational safety requirements for organizations deploying agent-based systems. The toolkit includes Agent Governance components, Agent Runtime infrastructure, Agent SRE capabilities, and integrations with Azure AI Foundry Agent Service.

[Stryker Resumes Operations After Handala Cyberattack Targeting Healthcare](https://captechgroup.com/threat-intelligence-center/stryker-resumes-operations-after-handala-cyberatta-f02e17)

Stryker, a major medical device and equipment manufacturer, has achieved full operational status following a cyberattack in March attributed to Handala, a threat actor linked to Iran's Ministry of Intelligence and Security (MOIS). The attack exploited Active Directory and Microsoft Intune systems, affecting critical healthcare infrastructure.
