Cyware Daily Threat Intelligence, August 04, 2025

shutterstock 1709630374

Daily Threat Briefing August 4, 2025

Akira ransomware is striking with surgical precision, exploiting a suspected zero-day flaw in SonicWall SSL VPN devices, even those fully patched. Since mid-July 2025, attackers have used Virtual Private Server logins to bypass MFA, hitting multiple targets in rapid succession.

A cunning Android RAT, PlayPraetor, is sweeping through six countries, already compromising over 11,000 devices with its deceptive tactics. Masquerading as legitimate apps via fake Google Play Store pages and Meta Ads, it exploits accessibility services to overlay phishing screens on nearly 200 banking and crypto apps.

MediaTek chipsets powering smartphones and IoT devices are vulnerable to new flaws that could expose millions of users. These issues, affecting a wide range of Android devices, allow attackers to escalate privileges or execute malicious code. With some exploits requiring no user interaction, unpatched systems face significant risks, urging immediate updates.

Top Malware Reported in the Last 24 Hours

Akira ransomware targets SonicWall VPNs

Akira ransomware has recently targeted SonicWall SSL VPN devices, exploiting a likely zero-day vulnerability even on fully-patched systems. This surge in attacks began around July 15, with multiple pre-ransomware intrusions occurring in quick succession. Researchers noted that the malicious logins often originated from Virtual Private Server hosting rather than typical broadband networks, indicating a sophisticated approach by the attackers. Since its emergence in March 2023, Akira ransomware has extorted approximately $42 million from over 250 victims, with a notable focus on Italian companies.

PlayPraetor infects over 11,000 devices

A newly discovered Android RAT named PlayPraetor has infected over 11,000 devices, primarily targeting users in Portugal, Spain, France, Morocco, Peru, and Hong Kong. This malware exploits Android's accessibility services to gain remote control and can overlay fake login screens on nearly 200 banking apps and cryptocurrency wallets, facilitating account hijacking. PlayPraetor is distributed through fraudulent Google Play Store pages and Meta Ads, tricking users into downloading malicious APKs. It operates under a Chinese C2 panel and features five variants, each with distinct functionalities, including phishing and full device control. The malware establishes a bidirectional communication channel with its C2 server, allowing real-time commands and data theft, while also livestreaming the infected device's screen. 

Plague: New Linux backdoor discovered

A new Linux backdoor, dubbed Plague, has been identified by cybersecurity researchers, having evaded detection for over a year. This malicious Pluggable Authentication Module (PAM) allows attackers to bypass system authentication and gain persistent SSH access without raising alarms. Plague features static credentials for covert access and employs advanced techniques to resist analysis, such as anti-debugging and string obfuscation. It enhances its stealth by erasing evidence of SSH sessions, manipulating environment variables, and redirecting command logs to avoid detection. Multiple samples of this malware have been uploaded to VirusTotal since July 2024, indicating ongoing development by unknown threat actors.

Top Vulnerabilities Reported in the Last 24 Hours

MediaTek patches multiple bugs

MediaTek's Product Security Bulletin reveals multiple vulnerabilities in its chipsets used in smartphones and IoT devices. It includes CVE-2025-20696, a high-severity out-of-bounds write vulnerability in the Download Agent. This flaw requires physical access and user interaction but no elevated execution privileges. CVE-2025-20697, another out-of-bounds write vulnerability in Power HAL, allows privilege escalation or arbitrary code execution. It requires System-level privileges but no user interaction. This affects Android 14.0 and 15.0 devices. CVE-2025-20698 impacts a broader range of chipsets, including legacy and high-performance models. It does not require user interaction and affects Android 13.0, 14.0, and 15.0 devices.

HashiCorp vulnerability allows code execution

HashiCorp disclosed a critical vulnerability (CVE-2025-6000, HCSEC-2025-14) in its Vault products, allowing privileged operators to execute arbitrary code on the host machine. The flaw impacts Vault Community Edition versions 0.8.0 to 1.20.0 and various Vault Enterprise versions, but excludes HashiCorp’s managed HCP Vault Dedicated service due to enhanced security boundaries. Exploitation requires write permissions to the sys/audit endpoint and involves manipulating file audit device functionality and plugin directories. HashiCorp released patches for affected versions (e.g., Vault Community Edition 1.20.1, Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23) and implemented security enhancements to mitigate risks.

Top Scams Reported in the Last 24 Hours

Link-wrapping services abused for phishing

Attackers are leveraging link-wrapping services from companies like Proofpoint and Intermedia to disguise phishing links aimed at stealing Microsoft 365 login credentials. By compromising email accounts protected by these services, they are able to create seemingly legitimate URLs that redirect victims to phishing pages. The attackers employed techniques such as URL shortening and fake notifications, including alerts for voicemail or shared Microsoft Teams documents, to entice users into clicking the malicious links. Once clicked, these links lead to fraudulent Microsoft Office 365 login pages designed to harvest user credentials. This method of exploiting link-wrapping features represents a new tactic in the evolving landscape of phishing attacks.

Related Threat Briefings

Aug 12, 2025

Cyware Daily Threat Intelligence, August 12, 2025

GitHub repositories are turning into unexpected traps, with SmartLoader malware lurking behind seemingly legitimate projects like game cheats and software cracks. Disguised in README files and compressed archives, it activates via a malicious batch file that loads an obfuscated Lua script, delivering infostealers. A formidable new ransomware, Charon, is borrowing pages from APT playbooks to deliver tailored strikes against organizations. Using DLL sideloading and process injection via legitimate binaries, it deploys advanced encryption with Curve25519 and ChaCha20 and spreads across networks by targeting shares. Dutch cybersecurity officials are spotlighting active exploits of a critical Citrix NetScaler vulnerability, hitting key organizations since early May. The bug enables control flow hijacking and DoS attacks on Gateway or AAA configurations, with web shells found on compromised devices.

Aug 11, 2025

Cyware Daily Threat Intelligence, August 11, 2025

ScarCruft is pulling out all the stops with a malware campaign disguised as a simple postal code update, blending languages and abusing legitimate services for maximum stealth. This North Korean APT group deploys phishing emails with malicious LNK files in RAR archives, unleashing nine malicious components. A fresh twist on the DarkCloud malware is catching victims off guard through phishing emails packed with obfuscated JavaScript in RAR archives. Written in Visual Basic 6, this variant dodges sandboxes by monitoring user activity, steals credentials and payment data from apps, and exfiltrates it all via SMTP as text files. Attackers are turning Windows domain controllers into unwitting DDoS weapons with a clever technique called Win-DDoS. This leverages the sheer bandwidth of thousands of DCs, while exposed critical DoS vulnerabilities in LDAP and LSASS add to the remote exploitation risks, turning the platform against itself.

Aug 8, 2025

Cyware Daily Threat Intelligence, August 08, 2025

A new breed of EDR killer tool is arming multiple ransomware gangs with the power to silently disable security defenses. This heavily obfuscated binary, injected into legitimate applications, uses a signed driver with a random name to execute BYOVD attacks, terminating processes of major security tools. Shared among threat groups, its varied builds suggest a collaborative framework, amplifying its threat to compromised systems. CISA is sounding the alarm with a tight deadline, urging federal agencies to patch a critical Microsoft Exchange vulnerability by Monday morning. Tracked as a high-risk flaw affecting Exchange Server 2016, 2019, and Subscription Edition, it allows attackers with on-premises admin access to breach cloud environments, potentially seizing full domain control. GreedyBear is rewriting the playbook for crypto theft with a sprawling campaign that’s as bold as it is cunning. Deploying over 150 malicious Firefox extensions, 500 executables, and numerous phishing sites, the group uses Extension Hollowing to weaponize initially benign extensions for stealing wallet credentials. This highly organized operation runs from a centralized server, posing a major risk to users.

Aug 7, 2025

Cyware Daily Threat Intelligence, August 07, 2025

Lazarus Group is back with a cunning new Python-based RAT, PyLangGhost, targeting tech and finance sectors with a fresh twist. Using fake job interviews and deceptive error prompts, attackers trick developers and executives into running scripts that grant remote access. A sneaky flaw in Amazon’s ECS, dubbed ECScape, is opening the door to privilege escalation in shared cloud environments. By exploiting an undocumented internal protocol and metadata service, low-privileged containers can steal IAM credentials from higher-privileged tasks on the same EC2 instance. Ghost Calls, a new evasion tactic, is turning Zoom and Microsoft Teams into covert channels for malicious activity, slipping past traditional defenses with ease. This tactic exploits TURN servers to tunnel C2 traffic disguised as legitimate WebRTC video conferencing data.

Aug 6, 2025

Cyware Daily Threat Intelligence, August 06, 2025

Phishing emails disguised as court summons are delivering a malicious payload to Ukrainian government and defense sectors, courtesy of UAC-0099. These attacks use shortened URLs to deploy HTA files that execute obfuscated VB scripts, installing malware like MATCHBOIL, MATCHWOK, and DRAGSTARE. The CISA is sounding the alarm on three actively exploited vulnerabilities in D-Link Wi-Fi cameras and video recorders, now added to its KEV catalog. These flaws, with severity scores up to 8.8, include a remote password disclosure issue, an authenticated command injection vulnerability, and an unpatched code execution flaw tied to end-of-life models. A critical set of flaws dubbed ReVault is exposing over 100 Dell laptop models to devastating firmware attacks. Affecting the ControlVault3 firmware in Latitude and Precision series, these vulnerabilities allow attackers with physical access to bypass Windows login, execute arbitrary code, and install persistent malware that survives system reinstalls.

Aug 5, 2025

Cyware Daily Threat Intelligence, August 05, 2025

A stealthy Python-based PXA Stealer is sweeping across 62 countries, pilfering sensitive data from unsuspecting victims. This infostealer campaign has exfiltrated hundreds of thousands of passwords and more. Using sideloading tricks with legitimate software, it targets browsers, cryptocurrency wallets, and financial sites, posing a severe threat to users and organizations alike. ClickTok is luring TikTok Shop users into a trap with a crafty blend of phishing and malware. This global campaign deploys over 10,000 fake TikTok websites and 5,000 malicious apps, impersonating TikTok’s e-commerce platforms to steal cryptocurrency wallet credentials. Trojanized apps laced with SparkKitty spyware snatch sensitive data, making this a sophisticated scam targeting digital shoppers. Google’s August 2025 Android security update is a critical shield against newly discovered vulnerabilities threatening millions of devices. Addressing six flaws, the update also patches high-severity Android framework bugs and issues in Arm and Qualcomm components. With two patch levels rolled out, manufacturers are now racing to deploy fixes to keep users secure.

Aug 1, 2025

Cyware Daily Threat Intelligence, August 01, 2025

In a move straight out of a spy novel, Russian state hackers have been caught red-handed targeting embassies in Moscow with a sophisticated cyberespionage campaign. Known as Secret Blizzard, these attackers wielded the ApolloShadow malware to manipulate system certificates and disguise their activities as trusted applications. A critical flaw in PostgreSQL's pg_dump utility has left databases vulnerable to a race condition attack, potentially handing attackers superuser privileges. This TOCTOU vulnerability impacts multiple PostgreSQL versions, allowing those with sufficient privileges to execute arbitrary SQL commands during the dump process. Cybercriminals are donning digital disguises, impersonating trusted enterprises with fake Microsoft OAuth applications to steal credentials and bypass multi-factor authentication. Proofpoint uncovered campaigns redirecting users to phishing URLs through OAuth apps mimicking services like RingCentral, DocuSign, and Adobe. A newly discovered cyberattack technique, dubbed Man in the Prompt, is turning browser extensions into unwitting accomplices in data theft from generative AI tools. By exploiting DOM access, malicious extensions can intercept and manipulate interactions with platforms like ChatGPT and Google Gemini - no elevated permissions required.

Jul 31, 2025

Cyware Daily Threat Intelligence, July 31, 2025

With a cunning pivot, the North Korean Lazarus Group has flooded npm and PyPI with over 200 malicious packages, potentially compromising 36,000 developers. Mimicking legitimate libraries, these packages deploy multi-stage attacks to steal secrets and target DevOps-heavy organizations, risking intellectual property theft and reputational damage through compromised build pipelines. A critical chink in Lenovo’s armor has exposed Secure Boot vulnerabilities in its IdeaCentre AIO 3 and Yoga AIO series desktops. Six flaws in the Insyde UEFI firmware allow local attackers to execute arbitrary code via SMM exploits, potentially implanting undetectable malware, with firmware updates already available for some models. Apple’s latest security updates have fortified its ecosystem against a barrage of vulnerabilities across iOS, iPadOS, macOS, watchOS, tvOS, and visionOS. Addressing over 90 issues in macOS Sequoia alone, the patches tackle memory corruption, privilege escalation, and WebKit flaws, while enhancing privacy protections for microphone and camera access across devices.

Jul 30, 2025

Cyware Daily Threat Intelligence, July 30, 2025

In a stealthy strike, hackers exploited a critical SAP NetWeaver flaw to deploy the Auto-Color Linux malware. This malware, equipped with a rootkit and adaptive evasion tactics, adjusts its behavior based on user privileges and goes dormant in sandboxes, drawing attention from ransomware groups and state-sponsored actors. A subtle misstep in the AI-powered Base44 platform exposed private applications to unauthorized access through easily discoverable “app_id” values. By bypassing SSO and authentication controls, the flaw posed a significant risk but was swiftly patched within 24 hours of discovery. Sophisticated nation-state actors, possibly Liminal Panda, have set their sights on Southwest Asia’s telecom networks with a complex attack campaign. Identified as CL-STA-0969, this threat cluster leverages custom tools and exploits vulnerabilities to maintain persistent access with high operational security.

Jul 29, 2025

Cyware Daily Threat Intelligence, July 29, 2025

A stealthy Android banking trojan, RedHook, is targeting Vietnamese users through phishing sites mimicking trusted agencies. Spread via a malicious APK on an exposed AWS S3 bucket, it exploits accessibility services to steal credentials and banking details, with over 500 infections tied to Chinese-speaking actors. A critical vulnerability in Google’s Gemini CLI allows attackers to silently execute malicious commands. By exploiting prompt injection and poor validation, attackers can embed harmful instructions in seemingly harmless code, evading detection with tactics like excessive whitespace. A cunning phishing campaign is hitting Python developers, using spoofed PyPI emails to trick maintainers into revealing credentials on a fake login page. The deceptive site forwards data to the real PyPI portal, exploiting trust without breaching the platform itself.

Jul 28, 2025

Cyware Daily Threat Intelligence, July 28, 2025

Spear-phishing emails are slipping past defenses in Russia’s aerospace industry. Operation CargoTalon, tied to threat cluster UNG0901, targets organizations like the Voronezh Aircraft Production Association with EAGLET malware hidden in fake invoice files, quietly siphoning off sensitive data to a C2 server. A slew of vulnerabilities in Tridium’s Niagara Framework demands urgent attention. Over a dozen high-severity flaws, including CVE-2025-3936 through CVE-2025-3945, could let attackers exploit misconfigured systems for remote code execution or persistent access, threatening critical infrastructure. Scattered Spider is turning social engineering into a devastating weapon. By posing as employees to reset Active Directory passwords, the group swiftly escalates privileges, hijacks VMware ESXi hypervisors, and deploys ransomware to paralyze virtual environments in retail and transportation sectors within hours.

Jul 25, 2025

Cyware Daily Threat Intelligence, July 25, 2025

A browser tweak here, a fake mod there, and suddenly your crypto wallet spills its secrets. In a new campaign, the Scavenger trojan exploits DLL Search Order Hijacking to infiltrate password managers and wallets like MetaMask, Bitwarden, and Exodus. Delivered via fake game mods and malicious sites, the trojan uses multi-stage loaders and obfuscation. Not every scam needs sophistication, sometimes all it takes is a lonely heart and a convincing profile picture. SarangTrap, a massive mobile spyware campaign, is luring victims on Android and iOS through fake dating apps. With over 250 malicious APKs and nearly 90 phishing domains, the campaign uses emotional manipulation and search engine indexing to appear credible. Fire Ant doesn’t crash through the front door, it slips in quietly, sets up shop, and rewires the building. This advanced China-linked actor is targeting VMware ESXi and vCenter servers using old vulnerabilities to establish espionage footholds. The attackers extract credentials, deploy stealthy backdoors, and tamper with logs to stay hidden.