Looking for the latest Splunk security content? You’ve come to the right place! This page is updated quarterly with all the latest security content details. This blog post covers security content developed August 2025 - October 2025. Jump straight to the updates below, or read on to learn more about:
Splunk continuously monitors the threat landscape to develop, test, and deliver security content to help identify and respond to vulnerabilities and cyber attacks within your environment.
Splunk provides a variety of security content, all of which is designed to help you make the most of your Splunk environment. This includes:
Splunk’s out-of-the-box detection searches are created to help identify patterns and alert you to threats and anomalous behavior.
All detection searches relevant to a particular threat are packaged in the form of analytic stories (also known as use cases).
A collection of pre-built automation playbooks that are designed to help users tackle specific use cases.
Take advantage of security content in two ways:
Both apps let you deploy more than 1,900 out-of-the-box searches to start detecting, investigating and responding to threats. You can also browse the full security content repository at research.splunk.com.
And with that information, we can move onto the latest content. Let's take a look!
Below you will find a brief table of contents, followed by an overview of the security content developed from August 2025 - October 2025.
The Splunk Threat Research Team created several new analytic stories to help identify activity related to various malware threats:
APT37 is a North Korean aligned threat actor that continues to evolve its Windows tradecraft by combining a Rust backdoor, a PowerShell stage, and a Python based loader to deploy the FadeStealer surveillance tool. The Team released the analytic story APT37 Rustonotto and FadeStealer, which detects recent activity that relies on spear phishing attachments delivering Windows shortcut or compiled HTML Help files. These stage artifacts in ProgramData and establish persistence through scheduled tasks and Run key modifications. The campaign centralizes command and control on a single server and uses standard web protocols with Base64 and XOR encoding to move data and instructions.
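The persistence pattern described above (a Run key value or a scheduled task whose target lives under ProgramData) is easy to express as a check over endpoint telemetry. The following is an added example written for this post, not the analytic story's own searches or any Splunk code: it assumes Sysmon-style field names (image, target_object, details, command_line) and runs over a handful of constructed events, two of which imitate the staging behaviour and two of which are benign.

```python
import re

# Registry autostart locations (under HKLM or a user hive) abused for persistence.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE
)
# Payload staged under ProgramData, written as a drive path or via the %ProgramData% variable.
PROGRAMDATA_RE = re.compile(r"(?:[a-z]:\\ProgramData\\|%ProgramData%\\)", re.IGNORECASE)
# schtasks.exe creation flag and its /tr (task run) argument, quoted or bare.
CREATE_FLAG_RE = re.compile(r"(?:^|\s)/create(?:\s|$)", re.IGNORECASE)
TASK_RUN_RE = re.compile(r'/tr\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def is_run_key(target_object: str) -> bool:
    """True if a registry path points into a Run or RunOnce key."""
    return bool(RUN_KEY_RE.search(target_object))


def in_programdata(text: str) -> bool:
    """True if a value or command line references a path under ProgramData."""
    return bool(PROGRAMDATA_RE.search(text))


def scheduled_task_target(command_line: str):
    """Return the program a `schtasks /create` command line will run, else None."""
    if not CREATE_FLAG_RE.search(command_line):
        return None
    m = TASK_RUN_RE.search(command_line)
    if not m:
        return None
    return m.group(1) or m.group(2)


def find_persistence(events):
    """Flag Run key writes and scheduled tasks whose payload is staged in ProgramData."""
    hits = []
    for e in events:
        if e["event_type"] == "registry_set":
            if is_run_key(e["target_object"]) and in_programdata(e["details"]):
                hits.append({"technique": "run_key", "image": e["image"], "target": e["details"]})
        elif e["event_type"] == "process_create" and e["image"].lower().endswith("\\schtasks.exe"):
            target = scheduled_task_target(e["command_line"])
            if target and in_programdata(target):
                hits.append({"technique": "scheduled_task", "image": e["image"], "target": target})
    return hits


# Constructed sample events (not real telemetry); the SID and paths are made up.
SAMPLE_EVENTS = [
    {"event_type": "registry_set",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target_object": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r'"C:\ProgramData\Updater\svc.exe"'},
    {"event_type": "process_create",
     "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'schtasks.exe /create /sc minute /mo 10 /tn "SysCheck" /tr "C:\ProgramData\SysCheck\run.exe" /f'},
    {"event_type": "registry_set",  # benign: vendor agent under Program Files
     "image": r"C:\Program Files\Vendor\setup.exe",
     "target_object": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "details": r'"C:\Program Files\Vendor\agent.exe"'},
    {"event_type": "process_create",  # benign: querying a task, not creating one
     "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'schtasks.exe /query /tn "SysCheck"'},
]

if __name__ == "__main__":
    for hit in find_persistence(SAMPLE_EVENTS):
        print(hit)
```

Run against the constructed events, only the ProgramData-backed Run key and the `schtasks /create` pointing into ProgramData are reported; a production version would also key on which process performed the write, since a shortcut or HTML Help file spawning PowerShell to set a Run key is the part of the chain worth surfacing.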
GhostRedirector IIS Module and Rungan Backdoor tracks a China‑aligned threat actor that compromises Windows servers and abuses IIS to deliver SEO fraud alongside a passive C++ backdoor. The actor leverages web application flaws, most notably SQL injection, to execute PowerShell via sqlserver.exe and retrieve tooling from a shared staging infrastructure. Persistence and server‑side manipulation are achieved by installing a native IIS module, while command execution and basic backdoor capabilities are provided by the Rungan implant. Tooling, including privilege escalation components, is frequently staged in ProgramData paths and may be obfuscated or signed to evade controls.
PromptLock is a proof-of-concept ransomware identified by ESET in August 2025, marking the first known instance of malware utilizing generative artificial intelligence (GenAI) for attack execution. Unlike traditional ransomware, PromptLock employs a locally hosted AI language model, specifically OpenAI's gpt-oss:20b, accessed via the Ollama API, to dynamically generate malicious Lua scripts in real time. These scripts are compatible across multiple platforms, including Windows, Linux, and macOS.
Leverage advanced Splunk searches to detect and investigate suspicious activity targeting the Ollama local LLM framework, including prompt injection attacks, information extraction attempts, compliance violations, and anomalous user behavior. The team released further research in the blog: Introducing the Splunk Technology Add-on for Ollama: Illuminating Shadow AI Deployments.
The team also released Scattered Lapsus$ Hunters, covering a collaboration of three sophisticated threat actor groups (Scattered Spider, Lapsus$, and Shiny Hunters) known for devastating supply chain attacks, advanced social engineering, MFA bypass techniques, and credential theft. The group gained notoriety following its September 2025 attack on Jaguar Land Rover, causing three weeks of production shutdown and £50M+ weekly losses.
The team also released the analytic story Microsoft WSUS CVE-2025-59287 that addresses the exploitation of CVE-2025-59287, a critical remote code execution vulnerability in Microsoft Windows Server Update Services (WSUS). Threat actors exploit a deserialization vulnerability in the WSUS AuthorizationCookie to achieve unauthenticated remote code execution on exposed WSUS servers. The attack leverages publicly accessible WSUS instances on default ports 8530/TCP (HTTP) and 8531/TCP (HTTPS) to send specially crafted POST requests that trigger deserialization attacks, resulting in shell spawning from the WSUS service and IIS worker processes.
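Both the GhostRedirector story (PowerShell launched from the SQL Server process after SQL injection) and the WSUS story (shells spawned from the WSUS service and IIS worker processes after the deserialization attack) reduce to the same host-level signal: a server daemon that has no business running a shell becomes the parent of one. The example below is added for this post and is not Splunk's detection content; it assumes Sysmon-style process-creation fields (parent_image, parent_command_line, image, command_line), a hypothetical list of server parents and shell children, and the process names WsusService.exe, w3wp.exe and sqlservr.exe (the SQL Server engine binary; the story text writes it as sqlserver.exe). The sample events are constructed.

```python
import re

# Server-side hosts that should never need an interactive shell.
# Hypothetical mapping for this example; tune it per environment.
SERVER_PARENTS = {
    "wsusservice.exe": "WSUS service",    # WSUS service host
    "w3wp.exe": "IIS worker",             # IIS application pool worker (hosts the WSUS web app)
    "sqlservr.exe": "SQL Server engine",  # xp_cmdshell and similar spawn children from here
}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def app_pool(command_line: str):
    """IIS application pool name from a w3wp.exe command line (-ap "Name"), if present."""
    m = re.search(r'-ap\s+"([^"]*)"', command_line or "")
    return m.group(1) if m else None


def detect_server_spawned_shells(events):
    """Return every event where a listed server process is the parent of a shell."""
    hits = []
    for e in events:
        parent = basename(e.get("parent_image", ""))
        child = basename(e.get("image", ""))
        if parent in SERVER_PARENTS and child in SHELL_CHILDREN:
            hits.append({
                "parent_role": SERVER_PARENTS[parent],
                "parent": parent,
                "child": child,
                "app_pool": app_pool(e.get("parent_command_line", "")),
                "command_line": e.get("command_line", ""),
            })
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Program Files\Update Services\Service\WsusService.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c whoami"},
    {"parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "parent_command_line": r'c:\windows\system32\inetsrv\w3wp.exe -ap "WsusPool" -v "v4.0"',
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden -c whoami"},
    {"parent_image": r"C:\Program Files\Microsoft SQL Server\MSSQL16.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c powershell -c whoami"},
    {"parent_image": r"C:\Windows\explorer.exe",  # benign: user opened a prompt
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe"},
    {"parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",  # benign: ASP.NET compile
     "parent_command_line": r'c:\windows\system32\inetsrv\w3wp.exe -ap "DefaultAppPool" -v "v4.0"',
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "command_line": "csc.exe /noconfig /fullpaths"},
]

if __name__ == "__main__":
    for hit in detect_server_spawned_shells(SAMPLE_EVENTS):
        print(hit)
```

The application pool is carried along because on a WSUS host the IIS worker of interest is the one serving WSUS; matching on the parent alone would also catch other sites on the same server, which may be wanted or may be noise. Pairing these hits with inbound connections to 8530/8531 from unexpected sources narrows the WSUS case further.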
Oracle E-Business Suite Exploitation enables users to detect and investigate unusual activity that may relate to the exploitation of Oracle E-Business Suite vulnerabilities CVE-2025-61882 and CVE-2025-61884. Another story covers attackers who exploited multiple zero-day vulnerabilities in certain Cisco Adaptive Security Appliance (ASA) 5500-X Series devices running Cisco Secure Firewall ASA Software with VPN web services enabled, implanting malware, executing commands, and potentially exfiltrating data from the compromised devices. Attackers were also observed exploiting CVE-2018-0171, a critical vulnerability in Cisco's Smart Install feature, and a dedicated story focuses on detecting exploitation attempts and successful compromises related to it. The vulnerability allows unauthenticated, remote attackers to execute arbitrary code on affected devices or trigger device reloads, resulting in denial of service. Recently highlighted by Cisco Talos as being actively exploited by the Russian state-sponsored threat actor "Static Tundra," it remains a significant threat vector for organizations with unpatched or end-of-life network devices.
The team also published the following blogs:
Looking for previous security content updates? Check out the previous quarters of security content roundups from the Splunk Threat Research Team. Stay tuned to that page and this one; we update them every quarter.
The world’s leading organizations rely on Splunk, a Cisco company, to continuously strengthen digital resilience with our unified security and observability platform, powered by industry-leading AI.
Our customers trust Splunk’s award-winning security and observability solutions to secure and improve the reliability of their complex digital environments, at any scale.