There has been a sharp rise in malware activity linked to the Nymaim / Avalanche loader in Bangladesh. CIRT BD observed over 27,000 malware events, which indicates both active infection attempts and already-infected hosts that are still calling back to the botnet's command-and-control infrastructure.

Threat Overview
Nymaim (best known as the dropper half of the GozNym hybrid, in which it was paired with the Gozi ISFB banking module) is a multi-stage malware loader used to deploy additional malicious payloads, including:
Banking trojans
Credential stealers
Ransomware
Remote access tools (RATs)
The malware is highly adaptive, allowing attackers to update capabilities post-infection through command-and-control (C2) servers.
Key Findings in Bangladesh
27,000+ malware events detected
Activity across 20+ network providers (ASNs)
Multiple compromised hosts communicating with botnet servers
C2 communication captured via sinkhole monitoring
Taken together, these findings indicate infected hosts inside Bangladeshi networks that are still attempting to reconnect to known C2 infrastructure; because the callbacks were captured by sinkhole monitoring, the affected hosts can be identified from the source addresses seen at the sinkhole.
Targeted Data
Nymaim infections aim to steal sensitive information such as:
Banking credentials
Payment card data
System configuration details
This data is commonly used for:
Financial fraud
Account takeovers
Identity theft
Secondary cyberattacks
Indicators of Compromise (IOCs)
Suspicious File Names:
update.exe
flashplayer_update.exe
svchost.exe (legitimate only when running from %SystemRoot%\System32 or %SystemRoot%\SysWOW64; a copy anywhere else, especially under a user profile, is the indicator)
java_update.exe
File names alone are weak indicators, since they imitate routine updaters; treat them as a hit when paired with an unusual path, an unsigned binary, or one of the network indicators below.
Malicious Domains (examples):
g-update[.]net
secure-update[.]biz
update-service[.]org

Known Malicious IPs:
184.105.192[.]2
185.82.202[.]132
91.220.131[.]37
Behavioral Indicators:
Outbound HTTP/HTTPS traffic to newly seen or unknown domains
Downloads of encrypted or packed payloads that are decoded only on the host
Executables written to or launched from %APPDATA% or %TEMP% directories
Recommended Mitigations
Organizations in Bangladesh are strongly advised to:
Block known malicious IPs and domains
Implement DNS sinkholing
Deploy Endpoint Detection & Response (EDR)
Monitor unusual DNS and HTTP traffic
Sandbox suspicious files and attachments
Continuously monitor networks for anomalies
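As an added example (not part of the CIRT BD report or the InfoSecBulletin article), the script below shows how the IOC list and the mitigations above translate into a first triage pass: it refangs the published `[.]` indicators, matches DNS queries and connections against them on a label boundary rather than by substring, applies the svchost.exe path caveat and the AppData/Temp behavioural indicator to process events, lists the hosts to isolate, and renders the C2 domains as an unbound sinkhole zone. The event format, host addresses, file paths and sinkhole address are constructed for illustration.

```python
"""Triage constructed log events against the Nymaim IOCs published above.

Added example; the (host, kind, value) events, the host addresses and the
sinkhole address are constructed and are not from the CIRT BD report.
"""
from typing import Iterable, List, Optional, Tuple

# Indicators exactly as published (defanged with "[.]"); refang before matching.
DEFANGED_DOMAINS = ["g-update[.]net", "secure-update[.]biz", "update-service[.]org"]
DEFANGED_IPS = ["184.105.192[.]2", "185.82.202[.]132", "91.220.131[.]37"]
SUSPICIOUS_NAMES = {"update.exe", "flashplayer_update.exe", "svchost.exe", "java_update.exe"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a matchable, lower-cased string."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IPS = {refang(i) for i in DEFANGED_IPS}


def domain_hit(qname: str) -> bool:
    """True for the IOC domain itself or any subdomain of it. A plain substring
    test would also fire on look-alikes such as notg-update.net, so the match is
    anchored on the label boundary instead."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in DOMAINS)


def ip_hit(endpoint: str) -> bool:
    """Match 'ip:port' or a bare 'ip' against the known C2 addresses."""
    return endpoint.rsplit(":", 1)[0] in IPS


def image_hit(path: str) -> Optional[str]:
    """Flag the published file names, applying the caveat that svchost.exe is a
    legitimate Windows binary when, and only when, it runs from System32/SysWOW64
    (assumes a standard %SystemRoot% of <drive>:\\Windows)."""
    lowered = path.lower().replace("/", "\\")
    parent, _, name = lowered.rpartition("\\")
    if name not in SUSPICIOUS_NAMES:
        return None
    if name == "svchost.exe":
        if parent.endswith(("\\windows\\system32", "\\windows\\syswow64")):
            return None
        return "svchost.exe running outside System32/SysWOW64"
    if "\\appdata\\" in lowered or "\\temp\\" in lowered:
        return f"{name} launched from a user-writable AppData/Temp path"
    return f"{name} matches a published file name"


def triage(events: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """events are (host, kind, value) with kind in {dns, conn, proc}; returns one
    (host, reason) per IOC or behavioural match."""
    alerts: List[Tuple[str, str]] = []
    for host, kind, value in events:
        if kind == "dns" and domain_hit(value):
            alerts.append((host, f"DNS query for C2 domain {value}"))
        elif kind == "conn" and ip_hit(value):
            alerts.append((host, f"connection to C2 address {value}"))
        elif kind == "proc":
            reason = image_hit(value)
            if reason:
                alerts.append((host, reason))
    return alerts


def hosts_to_isolate(alerts: Iterable[Tuple[str, str]]) -> List[str]:
    """Distinct hosts with at least one alert; the first IR step is to isolate them."""
    return sorted({host for host, _ in alerts})


def unbound_sinkhole_zone(domains: Iterable[str], sink_ip: str = "10.255.255.1") -> str:
    """Render unbound local-zone/local-data entries that answer each C2 domain and
    all of its subdomains with a monitored sinkhole address (the address is an
    assumption; point it at a host you log connections on)."""
    lines = []
    for d in sorted(domains):
        lines.append(f'local-zone: "{d}" redirect')
        lines.append(f'local-data: "{d} A {sink_ip}"')
    return "\n".join(lines)


# Constructed sample events, including decoys that must not fire.
SAMPLE_EVENTS = [
    ("10.20.1.15", "dns", "g-update.net"),                      # exact IOC domain
    ("10.20.1.15", "dns", "cdn.secure-update.biz"),             # subdomain of an IOC
    ("10.20.1.22", "dns", "update.microsoft.com"),              # benign
    ("10.20.1.50", "dns", "notg-update.net"),                   # look-alike, must not match
    ("10.20.1.22", "conn", "185.82.202.132:443"),               # known C2 IP
    ("10.20.1.22", "conn", "8.8.8.8:53"),                       # benign
    ("10.20.1.31", "proc", r"C:\Windows\System32\svchost.exe"), # legitimate svchost
    ("10.20.1.31", "proc", r"C:\Users\rafi\AppData\Local\Temp\svchost.exe"),
    ("10.20.1.40", "proc", r"C:\Users\nadia\AppData\Roaming\flashplayer_update.exe"),
]

if __name__ == "__main__":
    alerts = triage(SAMPLE_EVENTS)
    for host, reason in alerts:
        print(f"{host}: {reason}")
    print("isolate:", ", ".join(hosts_to_isolate(alerts)))
    print(unbound_sinkhole_zone(DOMAINS))
```

Run as-is, the script raises five alerts on four hosts and leaves the benign and look-alike events alone. The same `domain_hit`/`ip_hit` functions can be pointed at real DNS resolver or proxy logs once a parser for that log format supplies (host, kind, value) tuples.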
Incident Response Guidance
If compromise is suspected:
Isolate affected systems immediately
Conduct full malware scans and forensic analysis
Reset all credentials used on or from the affected systems, including banking and payment credentials that the malware targets
Remove persistence mechanisms
Restore from secure backups
CIRT BD encourages organizations to report unusual behavior to: [email protected]
InfoSecBulletin Cybersecurity for mankind
