Cyware Daily Threat Intelligence, April 07, 2025

Daily Threat Briefing • April 7, 2025
It starts with a PDF search and ends with malware on your machine. A new campaign is using fake CAPTCHAs and Cloudflare Turnstile to lure users into downloading LegionLoader. Victims are tricked into enabling browser notifications, setting off a silent infection chain that’s already impacted tech and finance users across multiple regions.
Seed phrases aren’t supposed to come from strangers. The PoisonSeed campaign is targeting crypto holders and enterprise users by compromising bulk email services. Victims are lured with fake wallet setup instructions that embed attacker-controlled recovery phrases, giving the threat actors full access once the wallets are used.
One toll text turns into ten. A surge in phishing attacks is spoofing toll agencies, bombarding users with urgent text notifications. The messages link to fake payment sites designed to steal credit card and personal info, while rotating sender addresses help them bypass spam filters undetected.
A new campaign, fake CAPTCHAs, and LegionLoader
Netskope discovered a new malicious campaign that distributes the LegionLoader malware using fake CAPTCHAs and Cloudflare Turnstile. This campaign, active since February, targets users searching for PDF documents online. The infection chain begins with a drive-by download from a malicious website, followed by a fake CAPTCHA that redirects victims to a notification page. If victims enable browser notifications, they are guided through a process that ultimately leads to the download of an MSI file containing the LegionLoader payload. The campaign has targeted over 140 Netskope customers, primarily in North America, Asia, and Southern Europe, with a focus on the technology and financial services sectors.
Malicious Python packages target crypto library
The ReversingLabs research team has discovered a sophisticated software supply chain attack aimed at cryptocurrency application developers. The attack involved two malicious Python packages, bitcoinlibdbfix and bitcoinlib-dev, which were uploaded to PyPI to steal sensitive database files. These packages were designed to exploit a known issue in bitcoinlib, a popular open-source library for managing cryptocurrency wallets and blockchain interactions. The malicious code attempted to overwrite the legitimate clw CLI command to steal sensitive files.
Critical pgAdmin bug enables RCE
A critical RCE vulnerability (CVE-2025-2945) in pgAdmin, a widely used PostgreSQL database management tool, has been fixed. The flaw, found in pgAdmin versions ≤9.1, could allow authenticated users to execute arbitrary commands on affected systems due to the improper use of Python's eval() function in two endpoints. Attackers could potentially manipulate databases, move laterally within networks, steal credentials, or install persistent backdoors. The pgAdmin team has patched the issue in version 9.2 by removing the use of eval().
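The pgAdmin item above turns on one coding pattern: passing request-controlled text to Python's eval(), which executes any expression rather than just parsing data. The following is an added illustration, not pgAdmin's code; the function names and the constructed inputs are assumptions. It contrasts the vulnerable pattern with the two hardened replacements a reviewer would ask for: ast.literal_eval() for Python-literal input, or json.loads() when the wire format is JSON.

```python
import ast
import json


def parse_param_unsafe(raw: str):
    """Vulnerable pattern (illustration only): evaluates attacker-controlled
    text as Python. Any expression runs with the privileges of the server
    process, which is the root cause behind an eval()-based RCE.
    """
    return eval(raw)  # deliberately unsafe, kept only for contrast


def parse_param_literal(raw: str):
    """Hardened: accepts only Python literal syntax (numbers, strings, tuples,
    lists, dicts, sets, booleans, None). Names, calls, attribute access and
    arithmetic are rejected, so no code is executed.
    """
    try:
        return ast.literal_eval(raw)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        raise ValueError(f"not a literal: {raw!r}") from exc


def parse_param_json(raw: str):
    """Hardened alternative when the client actually sends JSON: json.loads()
    is a data parser and never evaluates code.
    """
    try:
        return json.loads(raw)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not valid JSON: {raw!r}") from exc


def is_literal_input(raw: str) -> bool:
    """Validation predicate an endpoint can apply before using a parameter."""
    try:
        parse_param_literal(raw)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: a plain list literal, and an expression that looks
    # like data but is executed by eval(). The expression is harmless here;
    # the point is that eval() would run anything in its place.
    benign = "[1, 2, 3]"
    expression = "[1] * 3"
    print("eval()        :", parse_param_unsafe(benign), parse_param_unsafe(expression))
    print("literal_eval():", parse_param_literal(benign), "expression accepted:", is_literal_input(expression))
    print("json.loads()  :", parse_param_json('{"rows": [1, 2, 3]}'))
```

The fix pgAdmin shipped in 9.2 removed eval() outright; the literal and JSON parsers above are the usual drop-in replacements when an endpoint genuinely needs to accept structured values from a client.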
PoC released for Python JSON Logger flaw
A low-severity RCE vulnerability, CVE-2025-27607, has been discovered in the Python JSON Logger package, affecting versions 3.2.0 to 3.2.1. The vulnerability is due to a missing dependency, msgspec-python313-pre, which could potentially be exploited by malicious actors. The Python JSON Logger maintainers patched the vulnerability in version 3.3.0, and users are advised to upgrade immediately.
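The two Python supply-chain items above (the bitcoinlib lookalike packages that tried to overwrite the clw command, and the Python JSON Logger release that declared a dependency nobody had published) describe conditions a defender can check for in an installed environment. The script below is an added example written for this briefing, not code from ReversingLabs, bitcoinlib or python-json-logger. It uses only importlib.metadata from the standard library. The distribution names "hypothetical-rogue" and the Requires-Dist strings in the tests are constructed for illustration; the checks themselves are general: console-script collisions (two distributions claiming the same command), installed names that closely resemble a trusted project, and declared requirements that resolve to nothing installed.

```python
import re
from collections import defaultdict
from difflib import SequenceMatcher
from importlib.metadata import distributions


def normalize(name: str) -> str:
    """PEP 503 normalisation so bitcoinlib_dev, bitcoinlib-dev and BitcoinLib.dev compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requirement_name(req: str) -> str:
    """Project name from a Requires-Dist string such as "msgspec>=0.18; extra == 'dev'"."""
    return normalize(re.match(r"\s*([A-Za-z0-9][A-Za-z0-9._-]*)", req).group(1))


def find_command_collisions(scripts):
    """scripts: iterable of (distribution_name, console_script_name).

    Returns {command: [distributions]} for commands registered by more than
    one distribution. A second distribution claiming an existing command
    (the page's example is clw) is how a rogue package shadows a real CLI.
    """
    by_cmd = defaultdict(set)
    for dist, cmd in scripts:
        by_cmd[cmd].add(normalize(dist))
    return {cmd: sorted(owners) for cmd, owners in by_cmd.items() if len(owners) > 1}


def find_lookalike_names(dist_names, trusted, cutoff=0.75):
    """Flag installed names that closely resemble a trusted project but are not it.

    Returns {installed_name: trusted_name_it_resembles}.
    """
    trusted_norm = {normalize(t) for t in trusted}
    hits = {}
    for name in dist_names:
        candidate = normalize(name)
        if candidate in trusted_norm:
            continue
        for t in trusted_norm:
            if SequenceMatcher(None, candidate, t).ratio() >= cutoff:
                hits[name] = t
                break
    return hits


def unresolved_requirements(requires, installed):
    """requires: Requires-Dist strings of one distribution; installed: names present.

    Returns declared names with nothing installed behind them. Optional extras
    are included on purpose: a declared-but-unpublished name is a risk whether
    or not the extra is normally selected.
    """
    declared = {requirement_name(r) for r in requires}
    present = {normalize(i) for i in installed}
    return sorted(declared - present)


def audit_environment(trusted=()):
    """Run all three checks against the live interpreter's installed packages."""
    scripts, names = [], []
    for dist in distributions():
        name = dist.metadata["Name"]
        names.append(name)
        for ep in dist.entry_points:
            if ep.group == "console_scripts":
                scripts.append((name, ep.name))
    unresolved = {}
    for dist in distributions():
        gaps = unresolved_requirements(dist.requires or [], names)
        if gaps:
            unresolved[dist.metadata["Name"]] = gaps
    return {
        "collisions": find_command_collisions(scripts),
        "lookalikes": find_lookalike_names(names, trusted),
        "unresolved": unresolved,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit_environment(trusted=["bitcoinlib"]), indent=2))
```

On a real environment the "unresolved" section will list optional extras that were never installed; that is expected noise, and the entries worth a second look are names that do not exist on the index at all, which is the condition the Python JSON Logger advisory describes.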
PoisonSeed campaign - New supply chain spam
Silent Push spotted a sophisticated cyber threat dubbed PoisonSeed that targets enterprise organizations, VIP individuals, and cryptocurrency holders. The campaign involves compromising CRM and bulk email providers, and deploying a novel "crypto seed phrase" phishing attack. The threat actors have targeted significant platforms like Coinbase, Ledger, Mailchimp, SendGrid, HubSpot, Mailgun, and Zoho. The campaign involves presenting victims with security seed phrases to deceive them into copying and pasting these phrases into new cryptocurrency wallets, which the attackers can later compromise.
Phishing campaign impersonates E-ZPass
An ongoing phishing campaign impersonating toll agencies such as E-ZPass has surged recently, with recipients receiving multiple iMessage and SMS texts designed to steal personal and credit card information. The messages link to a phishing site built to harvest that data. The scam is not new, but its activity has increased; the texts bypass anti-spam measures and arrive from random email addresses, indicating an automated attack. They typically claim to be from E-ZPass or the Department of Motor Vehicles and create a sense of urgency to pay a toll.
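The toll-scam item above (and the summary of it at the top of the briefing) gives the two signals a mail or messaging defender can act on: toll or DMV lures with urgency and a payment link, and the same message body arriving from many rotating sender addresses. The following detection is an added example, not code from any vendor named on this page; the sample messages, sender addresses and lure domains are constructed (using reserved .invalid and .example names), and the keyword lists and thresholds are assumptions to tune per environment. It normalises each body into a template so that messages differing only in link, amount or reference number cluster together, then reports templates that score as toll lures and come from several distinct senders.

```python
import re
from collections import defaultdict

URL_RE = re.compile(r"https?://\S+|\b[\w.-]+\.(?:com|net|org|xyz|top|vip|icu|cc)(?:/\S*)?", re.I)
DIGITS_RE = re.compile(r"\d+")
# Assumed keyword lists; extend from your own observed samples.
URGENCY = ("immediately", "final notice", "within 24 hours", "last reminder",
           "avoid", "penalty", "suspend", "overdue", "late fee")
LURES = ("e-zpass", "ezpass", "toll", "dmv", "motor vehicles")


def score_message(text: str) -> int:
    """Heuristic lure score: +1 per toll/DMV brand cue, +1 per urgency cue, +2 for a link."""
    t = text.lower()
    score = sum(1 for k in LURES if k in t) + sum(1 for k in URGENCY if k in t)
    if URL_RE.search(text):
        score += 2
    return score


def template(text: str) -> str:
    """Collapse the variable parts (links, amounts, reference numbers) so all
    messages produced by one generator map to the same key."""
    t = URL_RE.sub("<url>", text.lower())
    t = DIGITS_RE.sub("<n>", t)
    return re.sub(r"\s+", " ", t).strip()


def find_campaigns(messages, min_senders=3, min_score=3):
    """messages: iterable of (sender, text).

    Returns {template: [senders]} for bodies that score as toll lures and
    arrive from at least min_senders distinct senders, the rotating-sender
    pattern the briefing attributes to an automated campaign.
    """
    senders_by_tpl = defaultdict(set)
    score_by_tpl = {}
    for sender, text in messages:
        key = template(text)
        senders_by_tpl[key].add(sender)
        score_by_tpl[key] = score_message(text)
    return {
        tpl: sorted(senders)
        for tpl, senders in senders_by_tpl.items()
        if len(senders) >= min_senders and score_by_tpl[tpl] >= min_score
    }


# Constructed sample traffic: three lures from rotating addresses, two benign texts.
SAMPLE = [
    ("toll.alert1@example-mail.invalid",
     "E-ZPass Final Notice: unpaid toll of $6.99. Pay immediately at "
     "https://ezpass-pay.example/t/8817 to avoid penalty."),
    ("notice.ez@example-mail.invalid",
     "E-ZPass Final Notice: unpaid toll of $4.50. Pay immediately at "
     "https://ezpass-pay.example/t/2203 to avoid penalty."),
    ("billing7@example-mail.invalid",
     "E-ZPass Final Notice: unpaid toll of $12.00. Pay immediately at "
     "https://ezpass-pay.example/t/9940 to avoid penalty."),
    ("+15550100", "Hey, are we still on for dinner at 7?"),
    ("+15550101", "Your package from the library is ready for pickup."),
]


if __name__ == "__main__":
    for tpl, senders in find_campaigns(SAMPLE).items():
        print(f"{len(senders)} senders -> {tpl}")
```

The sender-count threshold is what separates a campaign from a single stray phish; the score threshold keeps ordinary multi-sender traffic (newsletters, delivery notices) out of the report even when it carries a link.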