Cyware Daily Threat Intelligence, April 10, 2025

shutterstock 2486881661 (1)

Daily Threat Briefing April 10, 2025

A torrent download might be doing more than delivering cracked software. A campaign has been distributing ViperSoftX to Korean users, likely run by Arabic-speaking threat actors. The malware quickly expands its footprint by downloading multiple payloads. It even manipulates Windows Defender settings to stay hidden, making cleanup far more difficult once it’s embedded.

Dell users have a new reason to check their patch status. Six vulnerabilities in PowerScale OneFS could expose systems to compromise, including one high-severity flaw that warrants immediate attention. While version 9.10.1.1 addresses the issues, Dell has provided workaround steps and targeted patches for older releases.

What looks like a harmless file-sharing notification is actually the start of a RAT deployment. A new phishing campaign mimics messages from files[.]fm, warning users of file deletion to create urgency. Clicking through leads to a real landing page, ultimately triggering malware. The payload often includes ConnectWise RAT, giving attackers persistent, remote access to compromised systems.

Top Malware Reported in the Last 24 Hours

ViperSoftX malware targets Korean victims

ASEC discovered a malware campaign targeting Korean victims since April 1, suspected to be orchestrated by Arabic-speaking attackers. The malware, known as ViperSoftX, is primarily spread through cracked software or torrents and operates as a PowerShell script. During the C&C communication process, the malware downloads additional malicious software, including a VBS downloader, malicious PowerShell script, PureCrypter, and Quasar RAT. The VBS downloader is responsible for downloading and executing PowerShell and VBS files from a remote server. The PowerShell script, in turn, downloads and executes PureCrypter and Quasar RAT, while also adding Windows Defender exception paths to evade detection. 

New TCESB malware targets ESET Security Scanner

A Chinese-linked threat group, ToddyCat, has been exploiting a security vulnerability in ESET's software to deliver a new malware, TCESB, in Asia. The malware uses DLL Search Order Hijacking to gain control of the execution flow, exploiting a flaw in ESET Command Line Scanner, which insecurely loads a DLL named "version.dll." TCESB is a modified version of an open-source tool, EDRSandBlast, and uses the BYOVD technique to install a vulnerable Dell driver, DBUtilDrv2.sys, susceptible to a privilege escalation flaw tracked as CVE-2021-36276. 

Top Vulnerabilities Reported in the Last 24 Hours

CISA warns of two Linux kernel bugs

The CISA has warned about two actively exploited vulnerabilities in the Linux kernel, identified as CVE-2024-53197 and CVE-2024-53150, both located in the USB-audio driver. These flaws could allow attackers to manipulate system memory, escalate privileges, or access sensitive information. CVE-2024-53197 is an out-of-bounds access vulnerability that can be exploited by an attacker with physical access to a system using a malicious USB device. CVE-2024-53150 is an out-of-bounds read vulnerability that can be exploited by a local, privileged attacker to obtain sensitive information. Both vulnerabilities were added to the KEV catalog.

Dell issues security advisory

Dell has issued a security advisory for multiple vulnerabilities—CVE-2025-27690, CVE-2025-26330, CVE-2025-22471, CVE-2025-26480, CVE-2025-23378, and CVE-2025-26479—in its PowerScale OneFS operating system. These vulnerabilities could be exploited by malicious users to compromise affected systems. Upgrading to PowerScale OneFS version 9.10.1.1 or later typically resolves these vulnerabilities, but specific remediated versions are available for older OneFS releases. For the high-severity CVE-2025-27690 vulnerability, several workarounds are suggested until an upgrade or patch is applied. 

Hackers target SSRF flaws in EC2-hosted sites

A targeted cyber campaign exploited SSRF vulnerabilities in websites hosted on AWS EC2 instances to extract sensitive data, including IAM credentials, between March 13 and 25. This campaign was likely carried out by a single threat actor who used SSRF flaws to remotely query internal EC2 Metadata URLs and gain unauthorized access to sensitive information. The attackers focused on instances running on IMDSv1, AWS's older metadata service, which has since been replaced by the more secure IMDSv2.

Top Scams Reported in the Last 24 Hours

“Pick Your Poison” phishing campaign

Cofense analyzed a sophisticated phishing campaign titled "Pick Your Poison." The attack begins with an email that appears to be from a legitimate file-sharing service, files[.]fm, warning the recipient of an impending file deletion. Upon clicking the embedded link, users are redirected to a legitimate files[.]fm page, enhancing the illusion of safety. However, when users open the shared file, they are presented with two options, "Preview" or "Download," both leading to malicious outcomes. The malware often installs a RAT such as ConnectWise RAT, allowing threat actors unauthorized access to compromised systems.

Related Threat Briefings

Apr 24, 2025

Cyware Daily Threat Intelligence, April 24, 2025

It starts with a fake sales order and ends with FormBook silently stealing your data. A recent phishing campaign has been abusing a long-patched Microsoft flaw to deliver a fileless variant of the malware. The attack uses a Word document, a fake PNG file follows, carrying an encrypted payload that’s decrypted and run entirely in memory - leaving no trace on disk. A single request is all it takes to bring SonicWall firewalls to a halt. CVE-2025-32818 targets the SSLVPN Virtual Office interface and can trigger a DoS condition on affected Gen7 appliances. The vulnerability, rated 7.5 in severity, has been patched in recent firmware updates. Signal and WhatsApp are the new frontline for cloud compromise. Russian actors are running OAuth phishing campaigns against Microsoft 365 users tied to Ukraine and human rights work. Victims are tricked into handing over legitimate Microsoft auth codes, often via chats impersonating European officials.

Apr 23, 2025

Cyware Daily Threat Intelligence, April 23, 2025

One compromised package, five tainted versions, and private keys silently siphoned away. A supply chain attack hit a widely used JavaScript library for the XRP Ledger. Malicious code was slipped into several recent versions, enabling private key theft via an external domain. The incident is linked to a compromised npm account tied to a Ripple employee. Docker containers aren’t always what they seem. A new threat named TenoBot is targeting systems running outdated Teneo Web3 node software, deploying malicious containers to hijack environments. Once inside, it enables attackers to conduct multiple actions, all while blending in with legitimate processes to avoid detection. A hidden flaw could turn Moodle into an unintentional threat vector. A recent audit exposed a TOC-TOU bug in the LMS’s URL validation process, enabling SSRF. By tampering with DNS responses, attackers can redirect requests to internal endpoints. Features like Calendar imports and File Picker are directly impacted, potentially affecting millions of users.

Apr 22, 2025

Cyware Daily Threat Intelligence, April 22, 2025

Apr 21, 2025

Cyware Daily Threat Intelligence, April 21, 2025

An unfamiliar name is showing up in ransomware notes and it’s backed by code, not bureaucracy. FOG ransomware is being distributed through phishing emails that reference the “Department of Government Efficiency,” deploying payloads that encrypt data. Victims receive ransom notes alongside scripts for data collection and privilege escalation. Since January, the campaign has claimed 100 victims across multiple sectors. A single enabled feature could open your network to remote control. ASUS has warned of a critical vulnerability in its routers when AiCloud is active. The flaw allows attackers to send specially crafted requests to run commands without authentication. Firmware updates are available, but until patched, users are advised to disable internet-facing services and secure admin interfaces. A forged email that passes every security check - that’s the new phishing trick. Attackers are using DKIM replay tactics to forward legitimate Google security alerts to unsuspecting victims. The alerts, signed and verified, redirect users to fake support pages hosted on trusted platforms.

Apr 18, 2025

Cyware Daily Threat Intelligence, April 18, 2025

Six million users and 57 extensions they probably shouldn’t trust. A wave of Chrome add-ons, many unlisted and quietly distributed through ads, have been caught with invasive capabilities. Laced with obfuscated code, several have been removed from the Chrome Web Store, but others still linger. A trio of exploited vulnerabilities just made CISA’s KEV list. Two affect Apple device, both patched in the latest iOS and macOS updates. The third, a Windows NTLM hash leak, has reportedly been used by groups like APT28. All three are now confirmed as actively exploited and fully patchable. Reward points and toll notices are the new bait. Researchers have flagged a surge in global SMS phishing attacks through two campaigns: PointyPhish and TollShark. Both rely on urgency, fake branding, and thousands of rapidly deployed domains via the Darcula Suite platform. From iMessage to RCS, no inbox is safe.

Apr 17, 2025

Cyware Daily Threat Intelligence, April 17, 2025

Mustang Panda has updated its arsenal and stealth is a priority. In a new campaign, it rolled out an upgraded version of its backdoor. Alongside it, new tools like StarProxy, Paklog, Corklog, and SplatCloakdriver were delivered through a dropper engineered to hunt down security products. Researchers have observed a fresh wave of Agent Tesla attacks using multi-stage loaders. The chain starts with a JavaScript file hidden in an archive, then pivots to PowerShell for in-memory execution. The malware finishes the job by injecting into trusted processes, effectively vanishing from traditional antivirus scans. A long-patched flaw is back in the spotlight and now it’s being exploited. SonicWall has updated its advisory for CVE-2021-20035, confirming active abuse in the wild. The bug affects SMA 100 series devices and allows authenticated users to execute arbitrary commands.

Apr 16, 2025

Cyware Daily Threat Intelligence, April 16, 2025

UNC5174 is keeping it quiet and clean. Since late 2024, the Chinese state-linked group has been targeting Linux environments using a domain-squatting infrastructure to deliver SNOWLIGHT malware and a new RAT. The campaign leans on stealth, — WebSockets for C2, bash scripts for delivery, and zero on-disk footprint — pointing to a mix of espionage and access brokering. It looks like a PDF tool, acts like malware. A new phishing campaign is spoofing a legitimate website to deliver a stealthy SectopRAT variant. Victims are funneled through cloned interfaces and fake CAPTCHAs before unknowingly executing PowerShell commands that drop the payload. Browser security just got a round of urgent fixes. Chrome 135 and Firefox 137 patch several critical bugs, including memory corruption issues that could lead to remote code execution. Thunderbird updates close off serious risks too.

Apr 15, 2025

Cyware Daily Threat Intelligence, April 15, 2025

Cryptocurrency developers are the latest targets in a calculated cyber offensive orchestrated by a North Korean threat group known as Slow Pisces. The group is leveraging seemingly legitimate coding challenges embedded with malware, in a calculated effort to breach systems, steal sensitive information, and funnel funds back to the DPRK government. A severe security vulnerability has surfaced in the widely-used BentoML framework, posing a significant threat to Python-based production environments. Tracked as CVE-2025-27520, the flaw allows remote attackers to take full control of affected servers without authentication. In a long-awaited move, Google has rolled out a fix in Chrome version number 136 for a 20-year-old privacy loophole that allowed websites to track users' browsing history using visited link styles.

Apr 11, 2025

Cyware Daily Threat Intelligence, April 11, 2025

Bots don’t sleep and AkiraBot proves it. Since late 2024, this spam operation has flooded over 400,000 websites, zeroing in on small businesses using platforms like Shopify, Wix, and Squarespace. The messages push shady SEO services, powered by AI-generated content to dodge filters. With rotating domains, CAPTCHA bypass tools, and an expanding reach into live chats and comment sections, AkiraBot is becoming harder to pin down. One bug, admin access - just like that. A critical flaw in the OttoKit WordPress plugin is being actively exploited, allowing attackers to create admin accounts and take over sites. Only some configurations are vulnerable, but where it hits, it hits hard. When a checkout page starts asking for your card details twice, something’s wrong. A WordPress site was found hosting a fake credit card form. The malicious script captured payment info and funneled it to a freshly registered domain, designed to look harmless, but built to steal.

Apr 9, 2025

Cyware Daily Threat Intelligence, April 09, 2025

Invasive spyware campaigns are zeroing in on high-risk communities. MOONSHINE and BADBAZAAR are being deployed through trojanized mobile apps to surveil Uyghur, Tibetan, and Taiwanese individuals, as well as civil society groups. Some of the apps mimic popular platforms, while others are tailored to target interests. The campaign reflects a broader strategy to monitor groups viewed as threats to state control. A zero-day in Windows' core logging system has made its way into active exploitation. A use-after-free bug in the CLFS driver is being targeted by the PipeMagic trojan to escalate privileges and gain system-level access. Once exploited, attackers can bypass security protections, deploy additional malware, and harvest sensitive data. Search for QuickBooks during tax season, and you might land on a trap. Threat actors are placing deceptive Google Ads that link to phishing pages almost identical to the real QuickBooks login portal. The tactic preys on urgency and familiarity, making it easy for distracted users to miss small red flags.

Apr 8, 2025

Cyware Daily Threat Intelligence, April 08, 2025

What looked like useful dev tools were actually mining rigs in disguise. Several malicious extensions on the VSCode Marketplace were found silently installing XMRig miner. Over 300,000 installs flew under the radar before discovery. A wave of Mirai-linked scanning is hitting video surveillance systems. GreyNoise has tracked a spike in exploitation attempts targeting TVT NVMS9000 DVRs, with over 2,500 IPs launching attacks. The flaw could grant attackers admin access to DVRs. Two USB-related vulnerabilities in the Linux kernel have been weaponized in real-world attacks. Google patched them, both tied to information disclosure and privilege escalation. The latter was previously used in a targeted Android exploit late last year. All known active exploitation paths have now been patched in the latest round of 62 fixes.

Apr 7, 2025

Cyware Daily Threat Intelligence, April 07, 2025

It starts with a PDF search and ends with malware on your machine. A new campaign is using fake CAPTCHAs and Cloudflare Turnstile to lure users into downloading LegionLoader. Victims are tricked into enabling browser notifications, setting off a silent infection chain that’s already impacted tech and finance users across multiple regions. Seed phrases aren’t supposed to come from strangers. The PoisonSeed campaign is targeting crypto holders and enterprise users by compromising bulk email services. Victims are lured with fake wallet setup instructions that embed attacker-controlled recovery phrases - giving threat actors full access once the wallets are used. One toll text turns into ten. A surge in phishing attacks is spoofing toll agencies, bombarding users with urgent text notifications. The messages link to fake payment sites designed to steal credit card and personal info, while rotating sender addresses help them bypass spam filters undetected.