Cyware Daily Threat Intelligence, August 01, 2025


Daily Threat Briefing August 1, 2025

In a move straight out of a spy novel, Russian state hackers have been caught red-handed targeting embassies in Moscow with a sophisticated cyberespionage campaign. Known as Secret Blizzard, these attackers wielded the ApolloShadow malware to manipulate system certificates and disguise their activities as trusted applications.

A critical flaw in PostgreSQL's pg_dump utility has left databases vulnerable to a race condition attack, potentially handing attackers superuser privileges. This TOCTOU vulnerability impacts multiple PostgreSQL versions, allowing those with sufficient privileges to execute arbitrary SQL commands during the dump process.

Cybercriminals are donning digital disguises, impersonating trusted enterprises with fake Microsoft OAuth applications to steal credentials and bypass multi-factor authentication. Proofpoint uncovered campaigns redirecting users to phishing URLs through OAuth apps mimicking services like RingCentral, DocuSign, and Adobe.

A newly discovered cyberattack technique, dubbed Man in the Prompt, is turning browser extensions into unwitting accomplices in data theft from generative AI tools. By exploiting DOM access, malicious extensions can intercept and manipulate interactions with platforms like ChatGPT and Google Gemini - no elevated permissions required.

Top Malware Reported in the Last 24 Hours

Secret Blizzard drops custom ApolloShadow

Russian state hackers, known as Secret Blizzard, have launched a cyberespionage campaign targeting foreign embassies in Moscow using sophisticated adversary-in-the-middle (AiTM) attacks. Central to this operation is a malware tool named ApolloShadow, which manipulates system certificates and masquerades as trusted applications to maintain stealthy persistence. The attack initiates at the ISP level, redirecting users through a fake captive portal that prompts them to download ApolloShadow. Once installed, the malware alters network settings, collects sensitive information, and creates a new administrative user with a hardcoded password for ongoing access.

Android malware targets banking users via Discord

A sophisticated Android banking Trojan named DoubleTrouble has expanded its delivery methods and technical features, targeting users across Europe through Discord-hosted APKs. The malware disguises itself as a legitimate app, uses Android’s accessibility services, and employs advanced techniques like session-based installation to evade detection. DoubleTrouble’s capabilities include real-time screen recording, phishing overlays, keylogging, and bypassing multi-factor authentication by mirroring the device screen. Captured data, including credentials from banking apps, password managers, and crypto wallets, is sent to a remote C2 server.

Top Vulnerabilities Reported in the Last 24 Hours

Race Condition in PostgreSQL

CVE-2024-7348 is a Time-of-check Time-of-use (TOCTOU) race condition in PostgreSQL's `pg_dump` utility that allows attackers with sufficient privileges to execute arbitrary SQL commands as the user running the dump, often a superuser. It affects multiple PostgreSQL versions and poses a significant risk if left unpatched. Successful exploitation leads to arbitrary SQL execution with superuser privileges, potentially compromising the integrity and confidentiality of the database and allowing attackers to manipulate or exfiltrate sensitive data. The attacker exploits it by replacing a relation of another type with a view or foreign table during the dump process; retaining an open transaction makes the race condition easier to win.
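The following SQL session is an added example, not part of the briefing or of PostgreSQL's own documentation. It shows a defender-side check for the server setting that the patched `pg_dump` relies on to close this race (`restrict_nonsystem_relation_kind`, which only exists on servers carrying the fix), and demonstrates with constructed objects how that setting stops a swapped-in view from running its defining query as the dumping role. The `cve_demo` schema and its contents are assumptions made up for the demonstration; the `SET` statement itself fails on an unpatched server because the parameter is unknown there.

```sql
-- Added example (not from the briefing): checking whether a PostgreSQL server
-- carries the fix for CVE-2024-7348 and seeing the mitigation in action.
-- Assumes a psql session as a role that may create objects in a scratch schema.

-- 1. Patched servers expose the setting that pg_dump uses to close the race.
--    An empty result means the server predates the fix; do not run pg_dump
--    against it as a superuser until it has been upgraded.
SELECT name, setting, context
FROM   pg_settings
WHERE  name = 'restrict_nonsystem_relation_kind';

-- 2. Constructed objects: an ordinary table and a view over it. In the attack
--    described above, a relation that pg_dump expects to be a table is swapped
--    for a view (or foreign table) whose definition carries attacker-chosen SQL.
CREATE SCHEMA IF NOT EXISTS cve_demo;
CREATE TABLE cve_demo.orders (id int PRIMARY KEY, amount numeric);
INSERT INTO cve_demo.orders VALUES (1, 10.00), (2, 25.50);
CREATE VIEW cve_demo.orders_view AS SELECT * FROM cve_demo.orders;

-- 3. With the setting unset, the view is readable like any other relation,
--    which is exactly what the unpatched dump process relied on.
SELECT count(*) FROM cve_demo.orders_view;

-- 4. The patched pg_dump issues this SET for its own session. Every non-system
--    view and foreign table then becomes unreadable, so a relation swapped in
--    during the dump cannot execute its defining query as the dumping role.
SET restrict_nonsystem_relation_kind = 'view, foreign-table';

-- This SELECT is rejected by the server; the view's query never runs.
SELECT count(*) FROM cve_demo.orders_view;

-- 5. Plain tables are unaffected, so backups of real data still succeed.
SELECT count(*) FROM cve_demo.orders;

-- Clean up the constructed objects and restore the session default.
RESET restrict_nonsystem_relation_kind;
DROP SCHEMA cve_demo CASCADE;
```

The same parameter can be set in any session, so administrators who run ad-hoc catalog or data exports as a superuser can apply it themselves rather than relying solely on the `pg_dump` binary being current.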

Top Scams Reported in the Last 24 Hours

Experts uncover multi-layer phishing tactics

Cybersecurity researchers uncovered a phishing campaign abusing link wrapping services like Proofpoint and Intermedia to bypass defenses and redirect victims to Microsoft 365 phishing pages. Attackers gain unauthorized access to email accounts, enabling malicious URLs to be rewritten with wrapped links, which pass through multiple layers of obfuscation before leading to phishing pages. Phishing tactics include impersonating voicemail notifications, Microsoft Teams messages, or unread Teams alerts to lure victims into credential harvesting pages.

Microsoft OAuth phishing campaigns exposed

Threat actors are impersonating enterprises with fake Microsoft OAuth applications to steal credentials and bypass MFA. Proofpoint identified malicious campaigns using redirects to phishing URLs via OAuth applications impersonating services like RingCentral, DocuSign, and Adobe. Observed email campaigns often use compromised accounts and lure themes such as RFQs or business agreements to target victims. Threat actors use CAPTCHA pages and counterfeit Microsoft authentication pages to intercept MFA tokens and session cookies. Proofpoint identified nearly 3,000 attempted account compromises across 900 Microsoft 365 environments in 2025, with a confirmed success rate exceeding 50%.

Threats in Spotlight

North Korean hackers steal millions in crypto

North Korean hacking group UNC4899 targeted organizations by using job lures and social engineering techniques via LinkedIn and Telegram, convincing employees to execute malicious Docker containers. The group exploited cloud environments like Google Cloud and AWS by employing stolen credentials and session cookies to manipulate cryptocurrency transactions. Although MFA initially hindered their efforts, they managed to disable it to gain administrative access. Their sophisticated attacks involved uploading malicious JavaScript files to exploit cloud services, ultimately leading to the theft of millions in cryptocurrency. The group’s activities have also included embedding malware into open-source package registries, indicating a strategic pivot in their approach to cybercrime.

Man in the Prompt: New attack technique identified

A newly identified cyberattack method, dubbed Man in the Prompt, enables malicious browser extensions to manipulate or exfiltrate data from generative AI tools such as ChatGPT and Google Gemini. This attack exploits the Document Object Model (DOM) access granted to browser extensions, allowing them to act as intermediaries in AI interactions without requiring elevated permissions. The attack poses a significant threat to organizations using browser-based AI tools, especially those processing sensitive or proprietary data. The widespread use of browser extensions and the common practice of allowing users to freely install them significantly increases the risk of exploitation. A single compromised extension can silently extract confidential information, turning AI tools into vectors for data theft. The attack allows extensions to act as a “man in the middle” for AI interactions. In the case of Gemini, the exploit worked even when the Gemini sidebar was closed.
