Cyware Daily Threat Intelligence, April 25, 2025

Daily Threat Briefing • April 25, 2025
An APT group with deep roots in Southeast Asia is quietly siphoning data through everyday cloud platforms. Earth Kurma has been active since late 2020, targeting government and telecom entities across the Philippines, Vietnam, Thailand, and Malaysia. Its extensive toolkit enables credential theft, stealthy surveillance, and Dropbox-based exfiltration.
One patch, two problems. Microsoft’s fix for CVE-2025-21204 may have closed a privilege escalation bug, but it opened the door to a DoS vulnerability. By creating junction points, non-admin users can block future Windows updates from installing. There’s no fix yet, and unless the rogue junction is manually removed, security updates will fail silently.
Logos, lures, and lies - the Power Parasites campaign is using all three. Fraudsters are impersonating global energy brands to scam victims in Bangladesh, Nepal, and India through fake jobs and investment offers. With over 150 domains and active Telegram and YouTube promotion, the scheme blends fake onboarding forms with identity theft and financial fraud, all under the guise of renewable energy.
Earth Kurma targets Southeast Asia
Trend Research has uncovered the Earth Kurma APT campaign, targeting government and telecommunications sectors in Southeast Asia, particularly in the Philippines, Vietnam, Thailand, and Malaysia. Active since November 2020, this group uses advanced malware and rootkits for data exfiltration via Dropbox and OneDrive, posing significant risks like espionage and credential theft. Tools such as TESDAT, SIMPOBOXSPY, KRNRAT, and MORIYA facilitate their operations. While some tools overlap with groups like ToddyCat and Operation TunnelSnake, differences prevent clear attribution.
New ELENOR-corp ransomware targets healthcare
The ELENOR-corp ransomware, a variant of Mimic version 7.5, is targeting the healthcare sector with advanced features like data exfiltration and persistent access. It uses techniques such as command-line access via sticky keys, aggressive evidence tampering, and backup deletion to hinder recovery efforts. The malware spreads via RDP, harvests credentials, and encrypts network shares.
Iranian hackers use MURKYTOUR, target Israel
Iran-linked hackers tracked as UNC2428 targeted Israel with MURKYTOUR malware through a fake job campaign in October 2024. The campaign involved impersonating Israeli defense contractor Rafael and tricking individuals into downloading malware disguised as a job application tool. The operation was linked to broader Iranian cyber espionage activities, including other groups like Black Shadow, Cyber Toufan, and UNC3313, which employed various tactics to infiltrate and gather information from Israeli entities.
Symlink patch introduces new Symlink bug
Microsoft's patch for CVE-2025-21204, which addressed a symlink vulnerability allowing privilege escalation via the Windows servicing stack, inadvertently created a new DoS vulnerability. Non-admin users can exploit this by creating junction points in the c:\inetpub folder, preventing future Windows security updates from installing. Affected systems cannot receive future updates unless the malicious junction is manually removed. As of now, Microsoft has not publicly acknowledged this issue or provided a fix.
Active exploitation of SAP NetWeaver bug
A critical zero-day vulnerability, CVE-2025-31324, in SAP NetWeaver Visual Composer MetadataUploader has been actively exploited to deploy webshells and C2 frameworks, compromising enterprise and government systems. The vulnerability allows unauthenticated attackers to gain full control over affected systems by uploading and executing malicious binaries. Many systems were breached despite having the latest service packs applied, with attackers bypassing protections to exploit the /developmentserver/metadatauploader endpoint. This has led to unauthorized file uploads and remote code execution. Techniques like Brute Ratel and Heaven’s Gate were used to maintain persistence and evade detection.
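As an added illustration (not part of the Cyware briefing or of any SAP or vendor tooling), the following Python snippet shows a first-pass detection over web-server access logs: it parses combined-format lines and flags every request to the /developmentserver/metadatauploader endpoint named above, treating an accepted POST as a possible upload and anything else as a probe. The log lines, IP addresses, timestamps and user agents are constructed for the example and are not indicators from the briefing; the severity labels are this example's own convention.

```python
import re
from typing import Dict, List, Set

# Constructed sample lines in combined log format. Addresses, timestamps and
# user agents are made up for this example and are not indicators from the briefing.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Apr/2025:10:01:02 +0000] "GET /irj/portal HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.44 - - [25/Apr/2025:10:02:17 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 612 "-" "python-requests/2.31"
198.51.100.7 - - [25/Apr/2025:10:03:40 +0000] "GET /DEVELOPMENTSERVER/MetadataUploader HTTP/1.1" 404 0 "-" "curl/8.0"
198.51.100.9 - - [25/Apr/2025:10:04:01 +0000] "POST /webdynpro/resources/sap.com HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Combined log format: client, ident, user, [timestamp], "METHOD path proto", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Endpoint named in the briefing. It is compared case-insensitively with any
# query string removed, so mixed-case or parameterised variants are still caught.
WATCHED_PATH = "/developmentserver/metadatauploader"


def parse_line(line: str) -> Dict[str, str]:
    """Return the named fields of one access-log line, or {} if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else {}


def scan_access_log(text: str) -> List[Dict[str, str]]:
    """Flag every request to WATCHED_PATH and attach a severity label."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        path = rec["path"].split("?", 1)[0].lower()
        if path != WATCHED_PATH:
            continue
        accepted = rec["status"].startswith("2")
        # Convention used by this example only: a POST the server accepted may be an
        # upload and is rated high; a rejected request or a GET is treated as a probe.
        severity = "high" if rec["method"] == "POST" and accepted else "medium"
        findings.append({**rec, "severity": severity})
    return findings


def sources_with_accepted_post(findings: List[Dict[str, str]]) -> Set[str]:
    """Client addresses whose POST to the endpoint was accepted; the first hosts to triage."""
    return {f["ip"] for f in findings if f["severity"] == "high"}


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ip']:15} {f['method']} {f['path']} -> {f['status']}")
    print("triage first:", sorted(sources_with_accepted_post(scan_access_log(SAMPLE_LOG))))
```

On the constructed sample this reports one accepted POST from 203.0.113.44 and one probe from 198.51.100.7. A real deployment would feed the finding into the SIEM and follow up by reviewing the application directories for files created after the flagged request, since the briefing notes that successful exploitation drops webshells.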
Phishing campaign targets WooCommerce users
A sophisticated phishing campaign is targeting WooCommerce users by falsely claiming a security vulnerability in their installations. The attackers use an email and web-based template to lure users into downloading a malicious plugin that compromises their websites. The campaign mimics a previous attack on WordPress users and employs similar tactics such as IDN homograph attacks and fake domain names. Upon installation, the malicious plugin creates unauthorized administrator accounts, installs web shells, and can lead to further exploitation like data theft or server abuse.
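The IDN homograph trick mentioned above, as an added example that is not part of the briefing or of WooCommerce or WordPress code: the Python snippet below converts a hostname between its Unicode and punycode forms, flags labels that mix scripts (for instance Latin letters next to Cyrillic ones that look identical), and reduces the name to a "skeleton" to see whether it collides with a protected brand. The confusables table is a deliberately small, constructed subset (the full list lives in Unicode Technical Standard #39), and the protected-brand list is an assumed allowlist for the example.

```python
import unicodedata
from typing import Dict, List, Optional

# Constructed, partial table of Cyrillic letters that render like Latin ones.
# A production check would use the full Unicode confusables data (UTS #39).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j",
}

# Assumed allowlist of brands the organisation wants to protect (constructed for the example).
PROTECTED_BRANDS = ["woocommerce.com", "wordpress.org"]


def to_punycode(hostname: str) -> str:
    """Unicode hostname -> ASCII-compatible (xn--) form, as it appears in DNS and certificates."""
    return hostname.encode("idna").decode("ascii")


def from_punycode(hostname: str) -> str:
    """ASCII (xn--) hostname -> Unicode form, as a browser might display it."""
    return hostname.encode("ascii").decode("idna")


def scripts_in(label: str) -> set:
    """Set of Unicode script names (LATIN, CYRILLIC, ...) of the letters in one label."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in label if ch.isalpha()}


def skeleton(hostname: str) -> str:
    """Fold known confusable letters to their Latin look-alikes so lookalikes compare equal."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in hostname.lower())


def assess_hostname(hostname: str, protected: List[str] = PROTECTED_BRANDS) -> Dict:
    """Accepts either form of a hostname and reports mixed-script labels and brand collisions."""
    if hostname.isascii() and "xn--" in hostname.lower():
        unicode_form = from_punycode(hostname)
    else:
        unicode_form = hostname.lower()
    mixed = [lbl for lbl in unicode_form.split(".") if len(scripts_in(lbl)) > 1]
    lookalike: Optional[str] = None
    folded = skeleton(unicode_form)
    if unicode_form not in protected and folded in protected:
        lookalike = folded
    return {
        "unicode": unicode_form,
        "punycode": to_punycode(unicode_form),
        "mixed_script_labels": mixed,
        "lookalike_of": lookalike,
    }


if __name__ == "__main__":
    # Constructed lookalike: the two "o"s are Cyrillic U+043E, not Latin "o".
    for name in ["woocommerce.com", "w\u043e\u043ecommerce.com"]:
        r = assess_hostname(name)
        print(r["punycode"], "mixed:", r["mixed_script_labels"], "lookalike of:", r["lookalike_of"])
```

Two caveats for anyone adapting this: Python's built-in idna codec implements the older IDNA 2003 rules, so the third-party idna package is the better choice for current registries, and the mixed-script test alone misses whole-script confusables (a label written entirely in Cyrillic that still reads as a Latin brand), which is why the skeleton comparison is kept alongside it.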
Power Parasites campaign targets energy brands
A scam campaign called Power Parasites is targeting global energy brands by impersonating their logos and executives to deceive individuals in Bangladesh, Nepal, and India into fraudulent job and investment schemes. This operation utilizes deceptive websites, social media, and Telegram channels to facilitate financial fraud and identity theft. Victims are tricked into providing sensitive information under the guise of job joining formalities, leading to scams that mimic renewable energy and tech brands. The campaign uses over 150 domains and promotes scams through YouTube videos and Telegram channels.