Cyware Daily Threat Intelligence, April 04, 2025

Daily Threat Briefing • April 4, 2025
Phishing lures are slipping through trusted channels. CERT-UA reports that attackers are using compromised government emails to send malicious links via trusted file-sharing platforms. The goal: to deliver WRECKSTEEL, a VBS loader that steals documents and screenshots.
A tiny schema bug, massive consequences. A critical flaw in Apache Parquet allows attackers to run arbitrary code just by processing a malicious file. The issue affects data pipelines that rely on Parquet imports and has been patched in version 1.15.1.
Scammers are feeding off crypto chaos. In the aftermath of the Bybit breach, nearly 600 phishing domains emerged, many mimicking the exchange or offering fake refund services. Most were designed to steal login credentials from users desperate to recover lost funds.
WRECKSTEEL malware targets Ukrainian state systems
CERT-UA reported three cyberattacks against state administration bodies and critical infrastructure facilities in Ukraine. The attacks aimed to steal sensitive data using compromised email accounts to send phishing messages with links to legitimate services like DropMeFiles and Google Drive. The links led to the download of a VBS loader, named WRECKSTEEL, which harvested files and captured screenshots. The activity, attributed to threat cluster UAC-0219, has been ongoing since at least fall 2024.
Tax-themed email attacks deliver malware
Microsoft has warned of multiple phishing campaigns that use tax-related themes to distribute malware and steal credentials. These campaigns employ redirection methods such as URL shorteners and QR codes in malicious attachments, and abuse legitimate services to evade detection. The phishing pages are delivered via a PhaaS platform known as RaccoonO365. The campaigns spread Remcos RAT, along with other malware and post-exploitation frameworks such as Latrodectus, AHKBot, GuLoader, and BruteRatel C4 (BRc4). One campaign spotted in February 2025 targeted the U.S. ahead of the tax filing season, sending hundreds of emails in an attempt to deliver BRc4 and Latrodectus.
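Both the WRECKSTEEL and tax-themed campaigns above abuse legitimate infrastructure (file-sharing services, URL shorteners, script attachments) to get a lure past mail filters. The following is an added triage example, not code from Cyware, CERT-UA or Microsoft: it runs over a handful of constructed email records and reports why each one deserves analyst review. The shortener list, the tax keyword list, the script-extension list and the sample messages are assumptions; only the two file-sharing hosts come from the briefing.

```python
"""Flag constructed email records for the lure patterns named in the briefing:
links to abused file-sharing hosts, shortened links, tax-themed subjects and
script attachments (e.g. a VBS loader). Added example; the watchlists marked
'assumed' and the sample messages are constructed."""
import re
from urllib.parse import urlparse

FILE_SHARING_HOSTS = {"dropmefiles.com", "drive.google.com"}  # named in the briefing
URL_SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co"}        # assumed watchlist
TAX_KEYWORDS = {"tax", "irs", "refund", "w-2", "1040"}         # assumed lure terms
SCRIPT_EXTENSIONS = {".vbs", ".vbe", ".js", ".hta"}            # assumed risky types

URL_RE = re.compile(r"https?://[^\s\"'<>)]+")


def triage_message(msg: dict) -> list:
    """Return the list of review reasons for one message (empty = nothing found)."""
    reasons = []
    # Links: resolve the host of every URL in the body against the watchlists.
    for url in URL_RE.findall(msg.get("body", "")):
        host = (urlparse(url).hostname or "").lower()
        if host in FILE_SHARING_HOSTS:
            reasons.append(f"file-sharing link: {host}")
        elif host in URL_SHORTENER_HOSTS:
            reasons.append(f"shortened link: {host}")
    # Subject: tax-season lure vocabulary.
    subject_words = set(re.findall(r"[\w-]+", msg.get("subject", "").lower()))
    hits = subject_words & TAX_KEYWORDS
    if hits:
        reasons.append("tax-themed subject: " + ", ".join(sorted(hits)))
    # Attachments: script files that would execute on open.
    for name in msg.get("attachments", []):
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if ext in SCRIPT_EXTENSIONS:
            reasons.append(f"script attachment: {name}")
    return reasons


def triage(messages: list) -> dict:
    """Map message id -> review reasons for a batch of records."""
    return {m["id"]: triage_message(m) for m in messages}


# Constructed sample records (not real mail).
SAMPLE_MESSAGES = [
    {"id": "m1", "from": "clerk@gov.example", "subject": "Documents for review",
     "body": "Please download: https://dropmefiles.com/abc123", "attachments": []},
    {"id": "m2", "from": "notice@tax-example.test", "subject": "IRS tax refund notice",
     "body": "Confirm here https://bit.ly/xyz", "attachments": ["form.pdf"]},
    {"id": "m3", "from": "hr@corp.example", "subject": "Lunch menu",
     "body": "Menu at https://intranet.corp.example/menu", "attachments": ["menu.pdf"]},
    {"id": "m4", "from": "it@corp.example", "subject": "Update",
     "body": "", "attachments": ["update.vbs"]},
]

if __name__ == "__main__":
    for msg_id, reasons in triage(SAMPLE_MESSAGES).items():
        print(msg_id, reasons or "clean")
```

A file-sharing link on its own is not malicious; the value of the check is in combining it with context the briefing supplies, such as a sender domain that is trusted but has no business sending DropMeFiles links, so treat each reason as a review signal rather than a verdict.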
Critical flaw in Apache Parquet
A maximum severity vulnerability (CVE-2025-30065) has been discovered in Apache Parquet's Java Library, which could potentially allow remote attackers to execute arbitrary code on vulnerable systems. The flaw exists in the schema parsing of the parquet-avro module in Apache Parquet versions up to 1.15.0. It has been rectified in version 1.15.1. The vulnerability could be exploited by tricking a system into reading a specially crafted Parquet file, particularly impacting data pipelines and analytics systems that import Parquet files from external or untrusted sources.
OpenVPN bug poses DoS risk
OpenVPN recently addressed a security vulnerability, CVE-2025-2704, that could potentially allow attackers to crash servers and execute remote code under certain conditions. This flaw affects OpenVPN servers running versions 2.6.1 to 2.6.13 and using the --tls-crypt-v2 configuration. It allows an attacker with a valid tls-crypt-v2 client key or network observation of a handshake using such a key to send a combination of authenticated and malformed packets, causing the server to crash. While it poses a Denial-of-Service (DoS) risk, no data is leaked and remote code execution is not directly possible. OpenVPN has released version 2.6.14 to patch this issue.
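Both the Apache Parquet and the OpenVPN items above reduce, for a defender, to the same question: is an affected version in use, and (for OpenVPN) is the vulnerable feature enabled? The following is an added inventory check, not code from Cyware, the Apache Parquet project or OpenVPN. It reads a Maven pom.xml for a parquet-avro dependency below 1.15.1 and an OpenVPN server version plus config for a tls-crypt-v2 directive on 2.6.1 through 2.6.13. The version ranges and the fixed versions come from the briefing; the pom fragment, config text and version strings are constructed.

```python
"""Check local inventory data against two advisories from the briefing:
parquet-avro < 1.15.1 (CVE-2025-30065) and OpenVPN 2.6.1-2.6.13 with
tls-crypt-v2 (CVE-2025-2704). Added example; inputs are constructed."""
import re
import xml.etree.ElementTree as ET


def parse_version(v: str) -> tuple:
    """Turn '1.15.0' into (1, 15, 0); trailing qualifiers are ignored (assumption)."""
    return tuple(int(p) for p in re.findall(r"\d+", v)[:3])


def parquet_avro_findings(pom_xml: str) -> list:
    """Report directly declared parquet-avro dependencies below the fixed version."""
    root = ET.fromstring(pom_xml)
    # Maven poms usually carry a default namespace; build qualified names from it.
    ns_uri = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""
    q = (lambda name: f"{{{ns_uri}}}{name}") if ns_uri else (lambda name: name)
    findings = []
    for dep in root.iter(q("dependency")):
        group = dep.findtext(q("groupId"), default="")
        artifact = dep.findtext(q("artifactId"), default="")
        version = dep.findtext(q("version"), default="")
        if group == "org.apache.parquet" and artifact == "parquet-avro":
            if version and parse_version(version) < (1, 15, 1):
                findings.append(f"parquet-avro {version} < 1.15.1 (CVE-2025-30065)")
    return findings


def openvpn_finding(version: str, config_text: str):
    """Return a finding string if this server build and config match CVE-2025-2704."""
    uses_tls_crypt_v2 = False
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Config files use 'tls-crypt-v2 <key>'; the command line uses '--tls-crypt-v2'.
        if line.lstrip("-").split()[0] == "tls-crypt-v2":
            uses_tls_crypt_v2 = True
    if (2, 6, 1) <= parse_version(version) <= (2, 6, 13) and uses_tls_crypt_v2:
        return f"OpenVPN {version} with tls-crypt-v2: CVE-2025-2704, upgrade to 2.6.14"
    return None


# Constructed pom.xml fragment (not from any real project).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency>
      <groupId>org.apache.parquet</groupId>
      <artifactId>parquet-avro</artifactId>
      <version>1.15.0</version>
    </dependency>
    <dependency>
      <groupId>org.apache.parquet</groupId>
      <artifactId>parquet-hadoop</artifactId>
      <version>1.15.0</version>
    </dependency>
  </dependencies>
</project>"""

# Constructed OpenVPN server config excerpt.
SAMPLE_OVPN_CONF = """port 1194
proto udp
dev tun
# comment lines are ignored by the check
tls-crypt-v2 /etc/openvpn/server/tls-crypt-v2.key
"""

if __name__ == "__main__":
    print(parquet_avro_findings(SAMPLE_POM))
    print(openvpn_finding("2.6.10", SAMPLE_OVPN_CONF))
    print(openvpn_finding("2.6.14", SAMPLE_OVPN_CONF))
```

The pom check only sees versions declared in that file; parquet-avro pulled in transitively by another dependency is invisible to it, so a real audit should run over the resolved dependency tree (for example the output of `mvn dependency:tree`) rather than a single pom.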
Phishing domains emerge post Bybit heist
In the wake of the Bybit heist, a significant number of phishing campaigns surfaced, aiming to steal cryptocurrency from its users. Researchers identified 596 dubious domains from at least 13 countries within three weeks of the largest crypto theft in history. Some of these domains impersonated the cryptocurrency exchange itself, employing typosquatting techniques and incorporating keywords like "refund," "wallet," "information," "check," and "recovery." The U.K. registered the highest number of confirmed malicious domains. Many phishing websites posed as recovery services for customers who may have lost funds in the heist. The ultimate objective was to deceive victims into revealing their Bybit/crypto passwords.
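The domain pattern described above (brand typosquats combined with recovery-themed keywords) is something a defender can screen new domain registrations or proxy logs for. The following is an added triage example, not code from Cyware or the researchers cited: it scores a constructed list of domains by brand similarity (exact token, embedded brand, digit-for-letter substitution, or one-edit misspelling) and by the five lure keywords quoted in the briefing. The allowlist, the leet mapping, the two-label suffix table, the priority thresholds and the sample domains are assumptions.

```python
"""Screen constructed domain names for Bybit-themed lures: typosquats of the
brand plus the recovery-themed keywords quoted in the briefing. Added example;
the allowlist, substitution map, suffix table and sample domains are assumed."""
import re

BRAND = "bybit"
LURE_KEYWORDS = {"refund", "wallet", "information", "check", "recovery"}  # from the briefing
KNOWN_GOOD = {"bybit.com"}  # assumed allowlist for the exchange's own domain
# Digit-for-letter substitutions undone before comparison (assumed mapping).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})
# Assumed subset of two-label public suffixes; use a full public suffix list in production.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a distance of 1 from the brand is treated as a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Label directly under the public suffix: 'bybit-refunds' for bybit-refunds.co.uk."""
    parts = domain.split(".")
    if len(parts) >= 3 and ".".join(parts[-2:]) in TWO_LABEL_SUFFIXES:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]


def triage_domain(domain: str) -> dict:
    """Return reasons and a priority (none/medium/high) for one domain."""
    domain = domain.lower().strip(".")
    if domain in KNOWN_GOOD:
        return {"domain": domain, "reasons": ["allowlisted"], "priority": "none"}
    label = registrable_label(domain)
    norm = label.translate(LEET)
    tokens = [t for t in re.split(r"[-_]+", norm) if t]
    reasons = []
    if norm != label:
        reasons.append("digit-for-letter substitution")
    brand_hit = False
    if BRAND in tokens:
        brand_hit = True
        reasons.append("brand token")
    elif BRAND in norm:
        brand_hit = True
        reasons.append("brand embedded")
    else:
        for t in tokens:
            if len(t) >= 4 and levenshtein(t, BRAND) <= 1:
                brand_hit = True
                reasons.append(f"near-miss spelling of brand: {t}")
                break
    keywords = {k for k in LURE_KEYWORDS if k in norm}
    if keywords:
        reasons.append("lure keywords: " + ", ".join(sorted(keywords)))
    if brand_hit and keywords:
        priority = "high"
    elif brand_hit or keywords:
        priority = "medium"
    else:
        priority = "none"
    return {"domain": domain, "reasons": reasons, "priority": priority}


def triage(domains: list) -> list:
    return [triage_domain(d) for d in domains]


# Constructed sample domains (not taken from any feed).
SAMPLE_DOMAINS = ["bybit.com", "bybit-refund.com", "byb1t.net", "bibit-recovery.com",
                  "wallet-recovery-check.org", "bybit-refunds.co.uk", "example.org"]

if __name__ == "__main__":
    for result in triage(SAMPLE_DOMAINS):
        print(result["priority"].ljust(6), result["domain"], result["reasons"])
```

Keyword matching is by substring, so generic words such as "check" will also fire on unrelated domains; that is why keyword hits alone only reach "medium" and the brand signal is required for "high".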