Cyware Daily Threat Intelligence, April 09, 2025

Daily Threat Briefing April 9, 2025

Invasive spyware campaigns are zeroing in on high-risk communities. MOONSHINE and BADBAZAAR are being deployed through trojanized mobile apps to surveil Uyghur, Tibetan, and Taiwanese individuals, as well as civil society groups. Some of the apps mimic popular platforms, while others are tailored to target interests. The campaign reflects a broader strategy to monitor groups viewed as threats to state control.

A zero-day in Windows' core logging system has made its way into active exploitation. A use-after-free bug in the CLFS driver is being targeted by the PipeMagic trojan to escalate privileges and gain system-level access. Once exploited, attackers can bypass security protections, deploy additional malware, and harvest sensitive data.

Search for QuickBooks during tax season, and you might land on a trap. Threat actors are placing deceptive Google Ads that link to phishing pages almost identical to the real QuickBooks login portal. The tactic preys on urgency and familiarity, making it easy for distracted users to miss small red flags.

Top Malware Reported in the Last 24 Hours

Hackers target Uyghurs with two spyware strains

The NCSC and international cybersecurity agencies have discovered that hackers are using two types of spyware, MOONSHINE and BADBAZAAR, to spy on Uyghur, Tibetan, and Taiwanese individuals and civil society organizations. The spyware-infected apps target individuals and groups perceived as a threat to China's stability, including those associated with Taiwan's independence, Tibetan rights, Uyghur Muslims, ethnic minorities in Xinjiang, democracy advocates, and Falun Gong members. Some apps mimic popular platforms like WhatsApp and Skype, while others are standalone apps designed to attract potential victims. The Tibet One and Audio Quran apps, which have been used to spread the spyware, have been removed from app stores. 

Vidar Stealer hides in BGInfo tool

Vidar Stealer has evolved since its first appearance in 2018, and now it's being disguised within a legitimate Microsoft Sysinternals tool, BGInfo.exe. The malware sample was observed in the wild, mimicking the legitimate binary's creation time to avoid suspicion. The malicious BGInfo has a larger file size and different cryptographic hashes compared to the official version. The malware author modifies the initialization routine of BGInfo.exe to run the malicious code instead of the expected function. The main behaviors of Vidar Stealer include credential theft, cryptocurrency wallet theft, session hijacking, and cloud and storage data theft. 

Top Vulnerabilities Reported in the Last 24 Hours

Windows 0-day exploited in the wild

Microsoft has revealed that a zero-day vulnerability in the Windows Common Log File System (CLFS) driver, identified as CVE-2025-29824, is being actively exploited by the PipeMagic trojan. This elevation of privilege vulnerability, with a CVSS score of 7.8, is due to a use-after-free weakness. If exploited, it could allow attackers to gain full control of the system, bypass security mechanisms, install malicious programs, or steal sensitive data. Microsoft has confirmed active exploitation and has released an official patch as part of its latest security updates. 

Adobe fixes 11 ColdFusion bugs

Adobe has released security updates to address multiple critical-severity bugs in ColdFusion versions 2025, 2023, and 2021, which could result in arbitrary file read and code execution. Out of the 30 flaws, 11 are rated critical, with the highest CVSS score being 9.1. These vulnerabilities include improper input validation, deserialization of untrusted data, improper access control, improper authentication, and operating system command injection. Adobe has resolved these vulnerabilities in ColdFusion 2021 Update 19, ColdFusion 2023 Update 13, and ColdFusion 2025 Update 1. Additionally, Adobe has fixed several out-of-bounds write and heap-based buffer overflow bugs in After Effects, Media Encoder, Bridge, Premiere Pro, Photoshop, Animate, and FrameMaker that could lead to arbitrary code execution.

Patch this WhatsApp for Windows flaw!

A security vulnerability, identified as CVE-2025-30401, was discovered in WhatsApp for Windows, which could have allowed hackers to send malicious attachments to users. The flaw, which affected versions prior to 2.2450.6, stemmed from a discrepancy in how WhatsApp for Windows interpreted file types. Although the app displayed attachments based on their MIME type, it opened them based on their file extension, potentially allowing harmful files to be executed unknowingly. The vulnerability has been fixed by WhatsApp, and users are advised to ensure they are using version 2.2450.6 or later.
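The display/open mismatch described above, as an added example that is not part of the original briefing or WhatsApp's own code: a defensive check that only hands an attachment to the OS when its declared MIME type agrees with what the file extension implies, and never dispatches executable extensions at all. The function names, the extension list and the three-way policy are assumptions.

```python
import mimetypes
from pathlib import PurePosixPath
from typing import Optional

# Constructed policy (assumption): extensions the OS would execute rather than
# render are never opened, whatever MIME type the sender declared.
EXECUTABLE_EXTS = {".exe", ".bat", ".cmd", ".com", ".scr", ".ps1", ".vbs", ".js", ".msi"}

def extension_mime(filename: str) -> Optional[str]:
    """MIME type implied by the file extension, or None if the extension is unknown."""
    guessed, _ = mimetypes.guess_type(filename, strict=False)
    return guessed

def attachment_decision(filename: str, declared_mime: str) -> str:
    """Return 'open', 'save-only' or 'block' for an incoming attachment.

    The bug class on the page is deciding on the declared MIME type (what the
    client renders) while the OS dispatches on the extension. This check
    consults both and refuses to open when they disagree.
    """
    ext = PurePosixPath(filename).suffix.lower()   # last extension only, e.g. "invoice.pdf.exe" -> ".exe"
    if ext in EXECUTABLE_EXTS:
        return "block"
    implied = extension_mime(filename)
    if implied is None:
        # Unknown extension: we cannot confirm what the OS will do with it.
        return "save-only"
    if implied != declared_mime.lower():
        # Declared type (e.g. image/png) does not match what the extension implies.
        return "save-only"
    return "open"

if __name__ == "__main__":
    # Constructed sample attachments: (filename, MIME type declared by sender)
    for name, mime in [("photo.png", "image/png"), ("photo.exe", "image/png"),
                       ("report.pdf", "image/png"), ("data.unknownext9", "application/octet-stream")]:
        print(f"{name:18} {mime:26} -> {attachment_decision(name, mime)}")
```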

Top Scams Reported in the Last 24 Hours

QuickBooks scam exploits Google Ads

Cybercriminals are targeting Intuit QuickBooks users by purchasing prominent Google Ads that lead to fake login pages, aiming to steal sensitive information like usernames, passwords, and one-time passcodes. The phishing pages closely resemble the genuine QuickBooks site, making it difficult for users to distinguish between the two. Users are advised to access their QuickBooks account directly through the official Intuit website or application, and to be vigilant about verifying the URL.
