Cyware Daily Threat Intelligence, April 30, 2025

Daily Threat Briefing • April 30, 2025
A familiar threat actor is back with sharper tools. A new spear-phishing wave from Earth Kasha is hitting government targets in Taiwan and Japan. Using a malicious Excel file, the group drops an updated ANEL backdoor and maintains stealthy persistence with SharpHide. The second-stage malware hides C2 traffic behind DNS over HTTPS - signaling renewed focus on quiet, long-term access.
TheWizards aren’t casting spells, they’re hijacking software updates. This Chinese-linked threat group is abusing IPv6 SLAAC to perform AitM attacks with the Spellbinder lateral movement tool. Spellbinder redirects traffic to attacker-controlled domains to deliver malware-laced updates to apps like Tencent QQ and Sogou Pinyin. Once inside, a modular backdoor takes over.
New vulnerabilities in Apple’s AirPlay protocol, collectively dubbed AirBorne, expose billions of devices to remote code execution without user interaction. Attackers could silently hijack devices via use-after-free and buffer overflow vulnerabilities, affecting not only Apple hardware but also third-party products using the AirPlay SDK.
Earth Kasha drops new ANEL backdoor version
Earth Kasha, an APT group believed to be part of APT10, has launched a new spear-phishing campaign targeting Taiwan and Japan in March. The campaign aims to deliver a new version of the ANEL backdoor for espionage, potentially leading to information theft and compromising sensitive data. The campaign uses a malicious Excel file, ROAMINGMOUSE, to drop ANEL components, and employs SharpHide for persistence. The second-stage backdoor, NOOPDOOR, utilizes DNS over HTTPS for secure IP resolution.
WordPress malware impersonates anti-malware plugin
Wordfence spotted WP-antymalwary-bot.php, malware disguised as a WordPress plugin. The malware contains a backdoor function for admin login and registers a REST API route with no permission checks, enabling unauthorized access, remote code execution, and script injection. It hides itself from the dashboard and can reinfect sites via a modified `wp-cron.php` file. It communicates with a C2 server, reporting site URLs for tracking, injects malicious JavaScript ads using obfuscated methods, and is evolving rapidly with enhanced mechanisms.
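The unguarded REST route is the detectable weakness in this item: WordPress's `register_rest_route()` expects a `permission_callback` in its arguments, and a route without one (or with `__return_true`) is reachable by anyone. The heuristic scanner below, an added example that is not Wordfence's code, flags such calls in PHP files; the sample plugin source it runs on is constructed for illustration.

```python
"""Heuristic scan for WordPress REST routes registered without a permission check."""
import re
from pathlib import Path

CALL_RE = re.compile(r"register_rest_route\s*\(")
OPEN_CB_RE = re.compile(r"permission_callback['\"]?\s*=>\s*['\"]__return_true['\"]")

def _balanced_call(src: str, start: int) -> str:
    """Return the call text whose opening '(' sits at src[start] (naive paren matching)."""
    depth = 0
    for i in range(start, len(src)):
        if src[i] == "(":
            depth += 1
        elif src[i] == ")":
            depth -= 1
            if depth == 0:
                return src[start:i + 1]
    return src[start:]  # unterminated call: inspect whatever remains

def find_unguarded_routes(src: str) -> list[dict]:
    """One finding per register_rest_route call lacking a permission_callback
    or using __return_true, which makes the endpoint open to unauthenticated callers."""
    findings = []
    for m in CALL_RE.finditer(src):
        call = _balanced_call(src, m.end() - 1)
        line = src.count("\n", 0, m.start()) + 1
        if "permission_callback" not in call:
            findings.append({"line": line, "reason": "missing permission_callback"})
        elif OPEN_CB_RE.search(call):
            findings.append({"line": line, "reason": "permission_callback is __return_true"})
    return findings

def scan_tree(root: Path) -> dict[str, list[dict]]:
    """Scan every .php file under root (e.g. wp-content/plugins); files with no findings are omitted."""
    return {str(p): f for p in root.rglob("*.php")
            if (f := find_unguarded_routes(p.read_text(errors="ignore")))}

# Constructed sample: one unguarded route (flagged) and one guarded route (not flagged).
SAMPLE_PHP = """<?php
add_action('rest_api_init', function () {
    register_rest_route('bot/v1', '/exec', array(
        'methods'  => 'POST',
        'callback' => 'run_payload',
    ));
    register_rest_route('site/v1', '/status', array(
        'methods'  => 'GET',
        'callback' => 'site_status',
        'permission_callback' => function () { return current_user_can('manage_options'); },
    ));
});
"""

if __name__ == "__main__":
    for f in find_unguarded_routes(SAMPLE_PHP):
        print(f"line {f['line']}: {f['reason']}")
```

Treat hits as leads for manual review: a plugin may legitimately expose a public read-only route, but an unguarded route whose callback executes input is the pattern described above.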
Chinese hackers use Spellbinder, drop WizardNet
Chinese hackers, known as TheWizards, are exploiting IPv6 SLAAC for Adversary-in-the-Middle (AitM) attacks using a tool called Spellbinder. This tool intercepts and redirects traffic to download malicious updates from attacker-controlled servers, targeting software update mechanisms like Sogou Pinyin and Tencent QQ. The attacks involve delivering a modular backdoor named WizardNet and using the WinPcap library for packet capture. TheWizards have been active since at least 2022, targeting individuals and sectors in various Asian countries.
Chrome 136 and Firefox 138 released
Google and Mozilla have released Chrome 136 and Firefox 138, addressing multiple high-severity vulnerabilities. Chrome 136 includes eight security fixes, among them CVE-2025-4096, a critical heap buffer overflow. Other issues include medium-severity out-of-bounds memory access and low-severity flaws in DevTools. Firefox 138 patches 11 vulnerabilities, four of which are high-severity and could allow privilege escalation and arbitrary code execution. It also fixes six medium-severity flaws related to information disclosure and CSRF attacks.
Zero-click RCE in Apple AirPlay
Oligo Security identified critical vulnerabilities in Apple's AirPlay Protocol, termed "AirBorne," enabling zero-click RCE and other attacks. Key vulnerabilities include CVE-2025-24252 (use-after-free) and CVE-2025-24132 (buffer overflow), allowing attackers to exploit devices without user interaction. These vulnerabilities affect billions of devices, including Macs and third-party products using the AirPlay SDK. Apple has released patches, and users are urged to update their devices and adjust AirPlay settings to mitigate risks.
Privilege escalation bug in Avast
A critical vulnerability in Avast Free Antivirus, identified as CVE-2025-3500, allows attackers to escalate privileges and execute code with kernel-level access. This flaw, caused by improper data validation in the aswbidsdriver kernel driver, has a CVSS score of 8.8. Although local access is required to exploit it, the vulnerability poses a significant risk due to the potential for complete system control. Avast has released a patch in version 25.3.9983.922, urging users to update immediately. The issue affects versions from 20.1.2397 to 2016.11.1.2262.