Cyware Daily Threat Intelligence

Cyware Daily Threat Intelligence - Featured Image

Daily Threat Briefing April 13, 2023

Now you can protect yourself against BlackLotus UEFI bootkit attacks. The Incident Response team at Microsoft has pinpointed various stages in the installation and execution process of the malware that can enable its detection. Criminals would abuse the CVE-2022-21894 vulnerability to pull off bootkit attacks. In other news, Fortinet released a series of updates fixing several vulnerabilities affecting its range of products. The most critical among them was a security hole impacting data analytics solution platform FortiPresence.

Telegram has once again come in handy to cybercriminals who are offering a new offensive tool dubbed Legion to others. The highlight of the Python-based credential harvester and hacking tool is that it has the ability to spam mobile users in the U.S., across all carriers.

Top Breaches Reported in the Last 24 Hours

Unprotected database at fintech firm

Cybersecurity researcher Jeremiah Fowler located an unguarded database that contained a large number of PDF documents pertaining to NorthOne Bank. The PDFs contained invoices from both businesses and individuals who leverage an app to pay for products and services. More than 320,000 American companies use the bank’s services.

Hyundai revealed data breach

A data breach has affected Hyundai's French and Italian customers, as well as those who scheduled a test drive. The breach allowed unauthorized individuals to obtain personal information such as email addresses, physical addresses, phone numbers, and vehicle chassis numbers. The firm has assured victims that their financial information wasn’t affected in the incident.

**Ransomware attack on luxury yacht maker **

German shipbuilder Lürssen disclosed that it fell victim to a ransomware attack over the Easter weekend. It is unsure about stolen customer information. The attack has caused significant disruptions to the operations of the company, with only the Lürssen-Kröger shipyard in Schleswig-Holstein remaining operational.

Top Malware Reported in the Last 24 Hours

Protect against UEFI bootkit

Microsoft has shared guidelines to assist organizations in determining whether their systems have been compromised by BlackLotus UEFI bootkit through the CVE-2022-21894 flaw. Detecting malware that targets UEFI is generally difficult because such threats are active even before the OS starts running, leading to disabling security elements.

Legion: a new hijacking tool

The cybercriminal group, which goes by the moniker “Forza Tools,” was seen offering Legion - a Python-based credential harvester and SMTP hijacking tool. The malware targets online email services for phishing and spam attacks. Experts suggest it is likely based on the AndroxGhOst malware and has several feature modules.

Top Vulnerabilities Reported in the Last 24 Hours

Bug in popular WordPress plugin

Limit Login Attempts WordPress security plugin, which has over 600,000 installations, was affected by a flaw that could allow an unauthenticated hacker to take over websites. However, the flaw doesn’t affect every single website that has deployed the plugin. Experts urged users to immediately upgrade to version 1.7.2.

Fortinet addresses multiple flaws

A sensitive vulnerability was patched in Fortinet’s FortiPresence that could be leveraged to gain access to Redis and MongoDB instances. Earmarked CVE-2022-41331, the flaw can be exploited by a remote, unauthenticated attacker, through specially crafted authentication requests. Meanwhile, other flaws across products risk devices to XSS attacks, arbitrary code execution, privilege escalation, MitM attacks, information disclosure, and other threats.

Top Scams Reported in the Last 24 Hours

Zelle scams are back

Scammers were seen impersonating money-transfer service Zelle and convincing service users to click on malicious links. The phishing email informs a potential victim that they have received money from Zelle and it has not been accepted yet. The email has a click button ‘Get paid’. Adversaries have apparently done a decent job of imitating the platform, said security experts.

Related Threat Briefings

Jul 18, 2025

Cyware Daily Threat Intelligence, July 18, 2025

The H2Miner botnet has resurfaced with updated scripts that mine Monero, kill rival malware, and deploy multiple malware. Bundled with it is Lcrypt0rx, a likely AI-generated ransomware that exhibits sloppy logic, malformed syntax, and weak encryption using XOR. Cisco Talos uncovered a MaaS campaign targeting Ukraine, where attackers used Amadey malware and GitHub repositories to stage payloads. The setup mimics tactics from a SmokeLoader phishing operation, with obfuscated JavaScript loaders and Emmenthal plugins helping evade detection and filter-based defenses. In a sharp postmortem from Pwn2Own Berlin, VMware patched four zero-day flaws exploited during the contest. Three high-severity bugs let attackers break out of guest VMs, while a fourth in VMware Tools leaks sensitive host info. Separately, the Scanception campaign is sneaking into inboxes via QR code phishing PDFs.

Jul 17, 2025

Cyware Daily Threat Intelligence, July 17, 2025

A persistent backdoor is giving UNC6148 quiet, long-term access to SonicWall SMA appliances. The group is using stolen credentials—and possibly a zero-day—to deploy OVERSTEP malware. It steals sensitive data, maintains stealth, and executes commands through web requests. Over 600 malicious domains are distributing fake Telegram APKs to unsuspecting users. Most are hosted in China and exploit the Janus vulnerability in Android. These APKs request broad permissions, bypass security protocols, and enable full device control. Oracle’s July 2025 patch update is a heavyweight. It includes 309 fixes across products like Communications, MySQL, Java SE, and Fusion Middleware. Of the nearly 200 CVEs addressed, 127 can be exploited remotely without authentication. An additional 20 Solaris patches target flaws with similar reach.

Jul 16, 2025

Cyware Daily Threat Intelligence, July 16, 2025

A harmless-looking app on Google Play may have a malicious twin elsewhere. A new Konfety variant uses the same package name as a legitimate app but hides the real payload in a lookalike version distributed through third-party stores. It employs obfuscation tactics to evade detection, while leveraging the CaramelAds SDK. Some malware no longer travels through links or attachments, it hides in plain text. Researchers have spotted attackers embedding payloads in DNS records, allowing malware to slip past traditional security tools. By encoding binaries as hex and retrieving them during DNS resolution, this technique avoids common detection points and delivers disruptive code without a visible trace. One sandbox escape makes five. Google patched a high-severity Chrome flaw that lets attackers break out of the browser’s sandbox using crafted HTML and unvalidated GPU commands. The update also addressed issues in V8 and WebRTC, but only CVE-2025-6558 was under active exploitation, making it the fifth Chrome zero-day of the year.

Jul 15, 2025

Cyware Daily Threat Intelligence, July 15, 2025

A quiet but deliberate campaign is now zeroing in on Southeast Asia’s trade secrets. HazyBeacon, a newly identified Windows backdoor, is targeting government entities with an eye on sensitive tariff and trade data. It uses DLL side-loading and communicates through AWS Lambda URLs, helping it blend in with legitimate cloud activity while quietly collecting targeted documents. Developers are once again in the crosshairs of North Korean threat actors. As part of the ongoing Contagious Interview campaign, attackers have pushed 67 malicious npm packages carrying XORIndex, a malware loader designed to steal browser data, crypto wallet info, and deploy Python-based backdoors. With over 17,000 downloads and manipulated package metrics, the threat is both widespread and deceptive. An invisible prompt is all it takes to turn Gemini into a phishing assistant. Attackers are exploiting Google’s Gemini AI for Workspace by hiding malicious instructions in emails using HTML and CSS. When Gemini generates a summary, it unknowingly includes phishing content redirecting users to malicious sites. Suggested defenses focus on stripping hidden content and warning users not to rely on AI summaries for security cues.

Jul 14, 2025

Cyware Daily Threat Intelligence, July 14, 2025

A silent redirect to PowerShell is the entry point for a new Interlock RAT variant. Linked to the KongTuke cluster, the PHP-based malware uses compromised websites with hidden scripts to launch system profiling and establish Cloudflare Tunnel-based C2 with fallback IPs for persistence. Users who trusted GravityForms’ official site got more than they expected. A supply chain attack injected backdoors into plugin files distributed via the official site and Composer, enabling attackers to collect WordPress environment data or more. A single HTTP header is enough to hijack vulnerable FortiWeb servers. A critical SQL injection flaw in Fortinet’s Fabric Connector, allows pre-auth RCE through unsanitized bearer tokens, with PoC exploits using MySQL queries to drop and execute malicious scripts.

Jul 11, 2025

Cyware Daily Threat Intelligence, July 11, 2025

You don’t need to visit shady corners of the internet to get infected, GitHub will do. A malware campaign is disguising Lumma Stealer as tools like Free VPN for PC, using polished project pages, Base64 payloads, and trusted Windows processes to slip past defenses. Meanwhile, MCP-based tools are facing a string of critical vulnerabilities, with CVE-2025-6514 leading the list. The flaw allows remote code execution via malicious MCP servers and affects users across platforms. Other bugs enable code injection, directory traversal, and symlink abuse. Crypto users are being lured in by fake AI and gaming firms offering too-good-to-be-true deals. A social engineering campaign is using Telegram, Discord, and spoofed social media accounts to deliver stealer malware. Attackers impersonate legit teams on GitHub and Notion, promising crypto payouts in exchange for “testing” software.

Jul 10, 2025

Cyware Daily Threat Intelligence, July 10, 2025

A fake defense official and a Google Drive link were all it took to breach a European ministry. Recent DoNot APT campaigns reveal a shift toward diplomatic espionage, using custom malware to exfiltrate data and maintain persistence through scheduled tasks and obfuscated binaries. A botnet announcing itself with Hello-World is now sweeping through Taiwan. A new scraper botnet has been using repeated GET requests across ports 80–85. Thousands of IPs are involved, with more than half traced back to Taiwanese infrastructure, hinting at regional tech compromise or shared vulnerabilities. You might not hear it, but your car’s Bluetooth could be listening. Researchers have found critical flaws in the BlueSDK stack used by major automakers, enabling remote code execution through a PerfektBlue attack. The vulnerabilities allow attackers to access call logs, record in-cabin audio, and track vehicles.

Jul 9, 2025

Cyware Daily Threat Intelligence, July 09, 2025

A PDF reader with 50,000 downloads turned out to be anything but harmless. The Anatsa banking trojan slipped back into Google Play, targeting North American users with fake maintenance screens while logging keystrokes and automating fraudulent transactions. However, the app has been pulled by Google. This month’s Patch Tuesday came with a hefty payload. Microsoft released fixes for 137 vulnerabilities, including a zero-day in SQL Server, which allowed access to uninitialized memory. Among the 14 critical issues were remote code execution bugs in SharePoint and multiple RCE and side-channel flaws affecting AMD-based systems. When a tap does more than you think, it’s probably TapTrap. Researchers have uncovered a sneaky Android exploit that uses near-invisible UI animations to trick users into approving sensitive actions. By overlaying transparent elements, TapTrap misleads users into tapping unintended buttons.

Jul 8, 2025

Cyware Daily Threat Intelligence, July 08, 2025

A spyware campaign targeting Russian industrial firms has been quietly escalating since mid-2024. Batavia spreads through phishing emails disguised as contract requests. Later stages drop Delphi-based malware that shows fake documents while harvesting data, followed by a payload that broadens file collection and ensures persistence, with signs of a potential fourth stage. A new ransomware group named BERT is hitting victims across sectors and operating systems. Targeting both Windows and Linux, BERT launches fast, multi-threaded encryption attacks. The malware shuts down critical services and shares code similarities with REvil and Babuk, hinting at recycled tools and techniques. SAP has released patches for 27 vulnerabilities, seven of them critical. The most severe, with a CVSS score of 10.0, affects the Live Auction Cockpit in SAP SRM. Other high-impact bugs include a code injection flaw in SAP S/4HANA and insecure deserialization issues in NetWeaver. Updates also address privilege escalation flaws in the SAPCAR utility.

Jul 7, 2025

Cyware Daily Threat Intelligence, July 07, 2025

SHELLTER has gone rogue—what was once a legit security tool is now fueling infostealer campaigns with AES-128 encryption, polymorphic junk code, and sneaky call stack tricks to dodge detection. Meanwhile, Hpingbot, a Go-based botnet with a flair for innovation, uses Pastebin, hping3, and persistent tactics to do more than just DDoS—hinting at nastier payloads like ransomware or APT tools. Critical bugs are back on the menu—this time hitting low-code platforms and the Linux boot process. ScriptCase’s Production Environment module harbors two flaws (CVE-2025-47227 & CVE-2025-47228, enabling remote command execution and admin password resets, risking full server compromise, while CVE-2016-4484 in Linux lets attackers gain root access during boot by exploiting the initramfs debug shell.

Jul 4, 2025

Cyware Daily Threat Intelligence, July 04, 2025

There’s a reason that app never showed up on your home screen. The IconAds fraud operation used 352 hidden-UI apps to flood ad networks with over a billion fake bid requests daily. Kaleidoscope took it further, using decoy apps to mask malicious versions distributed via third-party stores. Meanwhile, NGate and Ghost Tap abused NFC to enable remote cash theft, and Qwizzserial posed as a government app in Uzbekistan. When routers fall, botnets rise. RondoDox is exploiting flaws in TBK DVRs and Four-Faith routers to install a Linux-based botnet that renames critical system files into nonsense strings, effectively crippling recovery efforts. It launches DDoS attacks through spoofed traffic that looks like OpenVPN or online games, making detection even harder. Sometimes, all it takes is a single misplaced HTTP header. Three critical vulnerabilities in Apache Tomcat and Camel are under active exploitation, enabling remote code execution. One stems from mishandling PUT requests; the others from flawed case handling in headers. Over 125,000 attempts were recorded in March alone, signaling widespread attacker interest.

Jul 3, 2025

Cyware Daily Threat Intelligence, July 03, 2025

Two different names - same tactics, same tools, same playbook. Researchers have found striking overlaps between TA829 and the lesser-known UNK_GreenSec, both of which use phishing lures and REM Proxy services through compromised MikroTik routers. Victims are redirected from fake Google Drive or OneDrive pages to payloads like RomCom RAT, Metasploit, and Morpheus ransomware. They look like wallet helpers, but they’re after everything inside. More than 40 malicious Firefox extensions have been caught stealing seed phrases and wallet keys from unsuspecting crypto users. Masquerading as MetaMask, Coinbase, and Trust Wallet, these clones use tampered open-source code, fake five-star reviews, and slick branding to blend in. A single HTTP request is all it takes to bring the server down. A critical bug in Wing FTP Server allows unauthenticated remote code execution via the login confirmation endpoint. The flaw lets attackers inject Lua code into session files, enabling total takeover, even as root or SYSTEM. It affects all versions up to 7.4.3, with a fix issued in 7.4.4.