Cyware Daily Threat Intelligence, April 28, 2025


Daily Threat Briefing April 28, 2025

Ransomware groups aren’t always the ones breaking the door open. Researchers have uncovered ToyMaker, an initial access broker selling network entry to ransomware groups. Using a custom malware strain called LAGTOY, ToyMaker establishes reverse shells and executes commands on compromised systems. After gaining access, ToyMaker hands over the keys - leaving ransomware operators to finish the job.

Industrial remote access just got a lot more dangerous. Three vulnerabilities have been discovered in the IXON VPN client, affecting both Windows and Linux. Attackers can exploit temporary file handling flaws to escalate privileges. Full details remain under wraps until patches are ready.

One bad notification and your iPhone could be stuck in an endless reboot loop. A critical iOS flaw allowed malicious apps to abuse the Darwin notification system and brick devices with a single command. Apple’s fix in iOS 18.3 now requires special entitlements to send sensitive notifications, but unpatched devices remain at risk.

Top Malware Reported in the Last 24 Hours

RansomHub affiliates use SocGholish

A sophisticated cyberattack campaign has been identified by eSentire, linking SocGholish malware to RansomHub ransomware affiliates. The attack starts when victims download a fake Microsoft Edge update from a compromised WordPress site, leading to the deployment of a Python backdoor. This malware collects system information to identify high-value targets and employs multiple encryption layers for concealment. It enables remote command execution and lateral movement within networks. 

ToyMaker drops LAGTOY, sells access

Researchers identified ToyMaker, an initial access broker selling access to ransomware groups like CACTUS, using custom malware called LAGTOY. This malware enables the creation of reverse shells and command execution on infected systems. ToyMaker exploits known vulnerabilities to gain initial access, followed by credential harvesting and deploying LAGTOY. CACTUS then uses these stolen credentials for infiltration, indicating that ToyMaker is financially motivated rather than espionage-driven. 

Top Vulnerabilities Reported in the Last 24 Hours

Actively exploited Craft CMS bugs

Hackers are exploiting two critical vulnerabilities in Craft CMS to compromise servers. These zero-day attacks involve CVE-2024-58136, an improper path protection flaw in the Yii PHP framework, and CVE-2025-32432, a remote code execution vulnerability. The latter allows unauthenticated users to send POST requests to manipulate image transformation features, requiring a valid asset ID to exploit. Researchers have identified approximately 13,000 vulnerable instances, with nearly 300 potentially compromised. 

Three vulnerabilities in IXON VPN client

Three vulnerabilities have been discovered in the IXON VPN client, potentially allowing attackers to escalate privileges on Windows and Linux systems. These vulnerabilities affect the VPN solution used for remote access to industrial systems. The vulnerabilities are temporarily labeled as CVE-2025-ZZZ-01, CVE-2025-ZZZ-02, and CVE-2025-ZZZ-03, with official CVE IDs pending. The first vulnerability's details are withheld until a fix is available. The second vulnerability exploits the OpenVPN configuration process on Linux, allowing attackers to intercept and manipulate temporary files to execute scripts with root privileges. The third vulnerability impacts Windows systems through temporary file manipulation, enabling local users to gain SYSTEM privileges.
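The two disclosed IXON bugs belong to a well-known class: a privileged process writes a configuration or script to a temporary file at a path a local user can predict or pre-occupy. The example below is added here to illustrate that class in general; it is constructed for this briefing, is not IXON's or OpenVPN's code, and the path names, decoy file and VPN line it uses are assumptions. It shows the pattern a code audit should flag (predictable name, no exclusive create), the hardened pattern (`tempfile.mkstemp`: random name, exclusive create, mode 0600, symlinks not followed), and a pre-use check a privileged process can run on a path before trusting it.

```python
import os
import stat
import tempfile

# Pattern to flag in review: fixed name, no O_EXCL. If an unprivileged user has
# already placed a file or symlink at this path, the privileged writer follows it.
def write_config_insecurely(directory, contents, name="openvpn.conf"):
    path = os.path.join(directory, name)
    with open(path, "w") as f:
        f.write(contents)
    return path

# Hardened pattern: unpredictable name, created with O_CREAT|O_EXCL and mode 0600,
# so a pre-placed file or symlink cannot be silently reused.
def write_config_securely(directory, contents):
    fd, path = tempfile.mkstemp(dir=directory, prefix="openvpn-", suffix=".conf")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(contents)
    except Exception:
        os.unlink(path)
        raise
    return path

def audit_temp_file(path):
    """Findings for a file a privileged process is about to read or execute.

    Uses lstat so a symlink is reported as such rather than resolved.
    Returns an empty list when nothing suspicious is found.
    """
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return ["symlink"]                      # never follow a link into a temp dir
    findings = []
    if st.st_uid != os.geteuid():
        findings.append("not-owned-by-caller")  # someone else created this file
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("group-or-world-writable")
    return findings

def demo():
    """Constructed scenario: the predictable name is already a symlink to a decoy
    file, while the mkstemp path is fresh. Returns the audit results for both."""
    workdir = tempfile.mkdtemp(prefix="tempfile-demo-")
    decoy = os.path.join(workdir, "decoy.txt")
    with open(decoy, "w") as f:
        f.write("untouched\n")
    planted = os.path.join(workdir, "openvpn.conf")   # the name the insecure writer would use
    os.symlink(decoy, planted)                        # constructed: pre-placed by a local user

    planted_findings = audit_temp_file(planted)
    secure_path = write_config_securely(workdir, "remote vpn.example.invalid 1194\n")
    secure_findings = audit_temp_file(secure_path)
    secure_mode = stat.S_IMODE(os.stat(secure_path).st_mode)
    with open(decoy) as f:
        decoy_intact = f.read() == "untouched\n"
    return {
        "planted": planted_findings,      # ['symlink']
        "secure": secure_findings,        # []
        "secure_mode": secure_mode,       # 0o600
        "decoy_intact": decoy_intact,     # True: the secure writer never touched it
    }

if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the audit rejecting the pre-placed symlink and accepting the `mkstemp` file with mode 0600. In a real client the same check belongs immediately before the privileged component opens or executes anything under a shared directory such as `/tmp`, and the directory itself should be one only the privileged user can write to.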

New iOS Darwin notification flaw

A critical vulnerability in iOS, identified as CVE-2025-24091, allows malicious applications to disable iPhones with a single line of code by exploiting the Darwin notifications system. This vulnerability can trigger an endless reboot cycle, effectively ‘bricking’ the devices. The flaw arises because any application can send sensitive system-level Darwin notifications without special privileges, which can push the device into a failed ‘restore in progress’ state and cause it to restart continuously. Apple has addressed this issue in iOS 18.3 by requiring new entitlements for sensitive notifications.
