Cyware Daily Threat Intelligence, April 17, 2025

Daily Threat Briefing • April 17, 2025
Mustang Panda has updated its arsenal and stealth is a priority. In a new campaign, it rolled out an upgraded version of its backdoor. Alongside it, new tools like StarProxy, Paklog, Corklog, and the SplatCloak driver were delivered through a dropper engineered to hunt down security products.
Researchers have observed a fresh wave of Agent Tesla attacks using multi-stage loaders. The chain starts with a JavaScript file hidden in an archive, then pivots to PowerShell for in-memory execution. The malware finishes the job by injecting into trusted processes, effectively vanishing from traditional antivirus scans.
A long-patched flaw is back in the spotlight and now it’s being exploited. SonicWall has updated its advisory for CVE-2021-20035, confirming active abuse in the wild. The bug affects SMA 100 series devices and allows authenticated users to execute arbitrary commands.
Mustang Panda expands arsenal
In a recent campaign, the Chinese APT Mustang Panda deployed an updated ToneShell backdoor, enhancing its payload execution capabilities and using a modified FakeTLS protocol for C&C communication to evade detection. Newly observed tools include StarProxy, designed for lateral movement by proxying traffic over FakeTLS; two keyloggers, Paklog (logs keystrokes/clipboard locally) and Corklog (encrypts data, sets persistence); and the SplatCloak driver. Delivered via SplatDropper, SplatCloak specifically identifies and disables Windows Defender and Kaspersky defenses.
Malvertising campaign targets crypto users
Microsoft is warning about an ongoing malvertising campaign, active since October 2024, that uses Node.js to deliver info-stealing malware. Lures related to cryptocurrency trading trick users into installing fake software containing a malicious DLL. This initial payload sets up persistence via scheduled tasks, which then use PowerShell scripts to download Node[.]js and compiled JavaScript. The malware gathers extensive system information, exfiltrates it, and likely steals browser data. An alternate infection uses the "ClickFix" social engineering trick and inline JavaScript executed via Node[.]js for network discovery and persistence, disguising C2 traffic to evade detection.
Multiple Agent Tesla strains in new campaigns
Researchers have identified malicious spam campaigns distributing Agent Tesla malware through multi-stage attacks. The attack begins with emails carrying archive attachments containing a JavaScript file. This file downloads a PowerShell script, which subsequently loads and executes the Agent Tesla malware directly into system memory, bypassing traditional file-based antivirus detection. The malware further evades scrutiny by injecting itself into legitimate running processes.
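The two loader chains above (the scheduled-task to PowerShell to Node.js persistence in the malvertising campaign, and the archive to JavaScript to in-memory PowerShell chain in the Agent Tesla campaign) both leave a distinctive parent/child process lineage. The following is an added example, not code from Cyware, Microsoft or the researchers cited, showing how a defender can express those lineages as rules over process-creation telemetry. The log lines are constructed and use an assumed tab-separated layout (pid, parent pid, image path, command line); the pids, paths and the encoded-command blob are placeholders, not indicators from the campaigns.

```python
import re
from collections import namedtuple

Event = namedtuple("Event", "pid ppid image cmdline")

# Constructed sample process-creation events (not real telemetry), tab-separated:
# pid, parent pid, image path, command line. The "-enc" blob is a placeholder.
SAMPLE_EVENTS = """\
4120\t980\tC:\\Windows\\explorer.exe\texplorer.exe
5204\t4120\tC:\\Program Files\\7-Zip\\7zFM.exe\t7zFM.exe C:\\Users\\u\\Downloads\\invoice.zip
5310\t5204\tC:\\Windows\\System32\\wscript.exe\twscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\7z1\\invoice.js
5388\t5310\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\tpowershell.exe -nop -w hidden -enc QUJDREVG
6002\t1204\tC:\\Windows\\System32\\svchost.exe\tsvchost.exe -k netsvcs -p -s Schedule
6010\t6002\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\tpowershell.exe -ExecutionPolicy Bypass -File C:\\Users\\u\\AppData\\Roaming\\update.ps1
6044\t6010\tC:\\Users\\u\\AppData\\Roaming\\node\\node.exe\tnode.exe C:\\Users\\u\\AppData\\Roaming\\node\\app.jsc
7000\t4120\tC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\tpowershell.exe Get-Process
"""


def parse_events(text):
    """Map pid -> Event for every non-empty line of the tab-separated log."""
    events = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, ppid, image, cmdline = line.split("\t", 3)
        events[int(pid)] = Event(int(pid), int(ppid), image, cmdline)
    return events


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(events, pid):
    """Yield the parent chain of pid, nearest parent first; stops at unknown pids."""
    seen = {pid}
    ev = events.get(pid)
    while ev and ev.ppid in events and ev.ppid not in seen:
        seen.add(ev.ppid)
        ev = events[ev.ppid]
        yield ev


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Switches commonly used for hidden, profile-less or encoded in-memory execution.
IN_MEMORY_FLAGS = re.compile(r"(?i)(^|\s)-(enc|encodedcommand|nop|noprofile|w\s+hidden)\b")
USER_WRITABLE = re.compile(r"(?i)\\users\\[^\\]+\\appdata\\")


def script_host_to_powershell(events, ev):
    """Rule A (Agent Tesla chain): PowerShell spawned by a script host that was
    running a .js file, with switches typical of in-memory execution."""
    if basename(ev.image) != "powershell.exe":
        return False
    parent = events.get(ev.ppid)
    if not parent or basename(parent.image) not in SCRIPT_HOSTS:
        return False
    return ".js" in parent.cmdline.lower() and bool(IN_MEMORY_FLAGS.search(ev.cmdline))


def scheduled_task_powershell_to_node(events, ev):
    """Rule B (Node.js malvertising chain): node.exe running from a user-writable
    path, launched via PowerShell under the Task Scheduler service host."""
    if basename(ev.image) != "node.exe" or not USER_WRITABLE.search(ev.image):
        return False
    chain = list(ancestors(events, ev.pid))
    via_powershell = any(basename(a.image) == "powershell.exe" for a in chain)
    from_scheduler = any(
        basename(a.image) == "svchost.exe" and "schedule" in a.cmdline.lower() for a in chain
    )
    return via_powershell and from_scheduler


RULES = {
    "js_loader_to_powershell": script_host_to_powershell,
    "scheduled_task_node_runtime": scheduled_task_powershell_to_node,
}


def detect(text):
    """Return sorted (rule name, pid) pairs for every event that matches a rule."""
    events = parse_events(text)
    hits = []
    for ev in events.values():
        for name, rule in RULES.items():
            if rule(events, ev):
                hits.append((name, ev.pid))
    return sorted(hits)


if __name__ == "__main__":
    for name, pid in detect(SAMPLE_EVENTS):
        print(f"{name}: pid {pid}")
```

Both rules key on lineage rather than on file hashes, which is the point for loaders that never write the final payload to disk: the benign interactive PowerShell in the sample (pid 7000, parent explorer.exe) is not flagged, while the script-host child with hidden/encoded switches and the AppData-resident Node.js runtime under the Task Scheduler service are. On real telemetry the parent chain comes from Sysmon event 1 or an EDR's process tree rather than this flat file.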
Critical bug in Erlang/OTP SSH
A critical vulnerability, CVE-2025-32433, has been found in Erlang/OTP SSH, permitting unauthenticated remote code execution. Attackers can send specially crafted messages before authentication to run arbitrary code, potentially gaining full system control if the SSH daemon runs as root. This affects applications, messaging infrastructure, and IoT devices using Erlang's SSH. Users are strongly urged to update immediately to patched versions (OTP-27.3.3, OTP-26.2.5.11, OTP-25.3.2.20) or block network access to affected SSH servers.
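Because the fix for CVE-2025-32433 landed as point releases on three separate OTP lines, "am I patched?" is a per-major-line comparison rather than a single threshold. The following is an added example, not Erlang/OTP project code, that encodes the three fixed versions named above and compares an installed version string against the right one; the version strings passed to it are constructed. The installed version is assumed to be read from the `OTP_VERSION` file under `releases/<major>/` in the Erlang root, which is where OTP records its full version.

```python
import re

# Fixed releases from the advisory summary above, keyed by OTP major line.
FIXED_VERSIONS = {
    27: (27, 3, 3),
    26: (26, 2, 5, 11),
    25: (25, 3, 2, 20),
}


def parse_otp_version(s):
    """Turn 'OTP-26.2.5.10' or '26.2.5.10' into a tuple of ints for comparison."""
    m = re.fullmatch(r"(?:OTP-)?(\d+(?:\.\d+)*)", s.strip())
    if not m:
        raise ValueError(f"unrecognised OTP version string: {s!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_patched(version):
    """True if this version is at or above the fixed release for its major line.
    Raises for major lines the advisory summary does not list (25, 26, 27)."""
    v = parse_otp_version(version)
    fixed = FIXED_VERSIONS.get(v[0])
    if fixed is None:
        raise ValueError(f"OTP {v[0]} is not covered by the advisory summary")
    # Tuple comparison handles shorter strings correctly: (27, 3) < (27, 3, 3).
    return v >= fixed


def audit(versions):
    """Map each version string to 'patched', 'vulnerable' or 'unknown-line'."""
    report = {}
    for s in versions:
        try:
            report[s] = "patched" if is_patched(s) else "vulnerable"
        except ValueError:
            report[s] = "unknown-line"
    return report


if __name__ == "__main__":
    # Constructed inventory of hosts' OTP versions (not real data).
    for version, status in audit(["OTP-27.3", "OTP-26.2.5.11", "25.3.2.19", "OTP-24.3"]).items():
        print(f"{version}: {status}")
```

Hosts reported as "unknown-line" (for instance OTP 24, which the summary does not mention) should be treated as unresolved rather than safe until the vendor advisory is checked directly; the advisory's second mitigation, blocking network access to the SSH listener, applies to those until an upgrade is possible.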
Active exploitation of old SonicWall flaw
SonicWall has updated its advisory for CVE-2021-20035, a vulnerability in its SMA 100 series appliances (200, 210, 400, 410, 500v) patched back in September 2021. The company now warns this flaw is being actively exploited in the wild. This authenticated arbitrary command execution vulnerability allows attackers with credentials to potentially execute code. Consequently, SonicWall raised the severity rating from Medium (CVSS 5.5) to High (CVSS 7.2). Since exploitation requires authentication, attacks might involve stolen credentials or be combined with other flaws. CISA added CVE-2021-20035 to its KEV catalog.
High-severity flaw in Cisco Webex
Cisco has disclosed a high-severity vulnerability (CVE-2025-20236, CVSS 8.8) affecting Webex App versions 44.6 and 44.7. The flaw arises from improper input validation in the application's custom URL parser. Attackers can craft malicious meeting invite links which, if clicked by a user, could trigger arbitrary file downloads and potentially lead to remote code execution with the user's privileges. Although exploitation requires user interaction, it needs no authentication. Users must upgrade to version 44.6.2.30589 or later (44.8+) and be cautious with links.