Cyware Daily Threat Intelligence, August 19, 2025

shutterstock 1913857594

Daily Threat Briefing August 19, 2025

With a diplomat’s charm, malicious emails are smuggling XenoRAT into South Korea’s embassies via GitHub traps. Since March, this spearphishing spree has targeted European missions, using password-protected ZIPs to unleash a trojan that snatches data and grants attackers remote control.

A Windows flaw is opening the door for RansomExx to wield PipeMagic like a digital skeleton key. This vulnerability lets Storm-2460 deploy a backdoor through fake ChatGPT apps, targeting IT and finance sectors with stealthy, encrypted remote access.

Unpatched N-able N-central servers are sitting ducks for hackers exploiting two critical flaws. These vulnerabilities enable unauthorized command execution, spurring CISA to list them in its KEV Catalog with a federal patching deadline of August 20.

Top Malware Reported in the Last 24 Hours

XenoRAT targets embassies in South Korea

A state-sponsored espionage campaign is targeting foreign embassies in South Korea with XenoRAT malware, delivered through malicious GitHub repositories. Since March, at least 19 spearphishing attacks have been launched, primarily against European embassies, using sophisticated email lures that include fake meeting invitations and official correspondence. The attackers employed password-protected ZIP files from cloud storage services, containing disguised .LNK files that execute PowerShell code to retrieve the malware. XenoRAT is a powerful trojan capable of logging keystrokes, capturing screenshots, accessing webcams, and facilitating remote operations.

Android malware targets users with scams

An active Android phishing campaign is targeting Indian users by impersonating a government electricity subsidy service. Attackers lure victims into downloading a malicious app through YouTube videos and a phishing website that mimics an official government portal. Once installed, the app masquerades as a “security update” and requests aggressive permissions to access contacts and SMS messages. It steals sensitive financial information, including UPI credentials, by directing users to fake payment forms. The malware can also send phishing messages to the victim's contacts and is remotely controlled via Firebase.

Microsoft Windows vulnerability exploited by PipeMagic

Cybersecurity researchers have uncovered the exploitation of a privilege escalation vulnerability in Microsoft Windows, identified as CVE-2025-29824, to deploy the PipeMagic malware in RansomExx ransomware attacks. This malware, which first emerged in 2022, acts as a sophisticated backdoor, allowing remote access and command execution on compromised systems. The exploitation involves a combination of techniques, including the use of a fake OpenAI ChatGPT app and DLL hijacking, to deliver the malware. PipeMagic operates through a modular architecture, utilizing named pipes for encrypted communication and enabling attackers to maintain control over infected hosts. Targeting various sectors across the globe, including IT and finance, the malware has shown persistence and adaptability, indicating ongoing development by the threat actor known as Storm-2460.

Top Vulnerabilities Reported in the Last 24 Hours

800+ N-able servers remain unpatched 

Over 800 N-able N-central servers remain unpatched against two critical vulnerabilities, CVE-2025-8875 and CVE-2025-8876, which are actively being exploited. These flaws allow authenticated attackers to execute commands through improper sanitization of user input and insecure deserialization. N-able has released a patch in version 2025.3.1 and urged administrators to update their systems promptly. The Shadowserver Foundation reported that 880 vulnerable servers are primarily located in the U.S., Canada, and the Netherlands, with around 2,000 N-central instances exposed online. In response to the situation, CISA added these vulnerabilities to its KEV Catalog and mandated federal agencies to patch their systems by August 20, 2025.

CISA adds Trend Micro bug to KEV catalog

The CISA added two critical vulnerabilities in Trend Micro Apex One, tracked as CVE-2025-54948 and CVE-2025-54987, to its KEV catalog due to active exploitation in the wild. These vulnerabilities allow pre-authenticated remote attackers to upload malicious code and execute commands via the Apex One Management Console. Trend Micro confirmed that both flaws, which share similar characteristics but target different CPU architectures, have been exploited in real-world attacks. The vulnerabilities have a high CVSS score of 9.4, prompting urgent attention from organizations, particularly those with exposed management consoles. Federal agencies are required to address these vulnerabilities by September 8, in compliance with Binding Operational Directive 22-01.

Related Threat Briefings

Aug 18, 2025

Cyware Daily Threat Intelligence, August 18, 2025

Trojan Horses are making a comeback as AI-powered apps like "JustAskJacky" disguise malware within useful tools such as recipe or image search apps. By leveraging AI-generated websites, attackers make them look legitimate while slipping past antivirus defenses.

Aug 15, 2025

Cyware Daily Threat Intelligence, August 15, 2025

PhantomCard malware hits Brazilian banks, Cisco patches critical firewall flaw, and Netflix job scams steal Facebook logins from professionals.

Aug 14, 2025

Cyware Daily Threat Intelligence, August 14, 2025

A crafty malvertising campaign is slipping PS1Bot into systems through deceptive compressed archives. With techniques like environmental polling and dynamic C# DLL compilation, PS1Bot evades detection while siphoning off passwords and cryptocurrency wallet data, echoing tactics of Skitnet and AHK Bot. Crypto24 is striking high-profile organizations with surgical precision, blending legitimate IT tools like PSExec and AnyDesk with custom malware to devastating effect. Targeting sectors from finance to entertainment across Asia, Europe, and the U.S., this ransomware group uses privileged accounts and scheduled tasks to maintain stealthy persistence. Fortinet is sounding the alarm on a critical FortiSIEM vulnerability that’s already being exploited in the wild with circulating exploit code. Rated 9.8 on CVSS, this remote unauthenticated command injection flaw allows attackers to execute unauthorized commands via crafted CLI requests.

Aug 13, 2025

Cyware Daily Threat Intelligence, August 13, 2025

Lurking in the shadows since mid-2024, the Curly COMrades group is weaving a web of cyber-espionage across Georgia’s government and Moldova’s energy sector. Their weapon, MucorAgent, uses AES-encrypted PowerShell scripts and hijacked COM objects to slip past defenses, employing erratic scheduled tasks and legitimate remote tools to steal credentials. Microsoft’s August 2025 Patch Tuesday dropped a hefty fix for 111 vulnerabilities, including a zero-day Kerberos flaw that’s raising alarms. Dubbed BadSuccessor, this privilege escalation bug allows attackers with sufficient access to hijack Active Directory domains via Managed Service Accounts. A slick phishing campaign is hitting UK organizations hard, masquerading as the Home Office to swipe Sponsorship Management System credentials. Using urgent emails to lure victims to fake login pages, attackers are raking in £15,000 to £20,000 per scam through fake job offers and visa fraud.

Aug 12, 2025

Cyware Daily Threat Intelligence, August 12, 2025

GitHub repositories are turning into unexpected traps, with SmartLoader malware lurking behind seemingly legitimate projects like game cheats and software cracks. Disguised in README files and compressed archives, it activates via a malicious batch file that loads an obfuscated Lua script, delivering infostealers. A formidable new ransomware, Charon, is borrowing pages from APT playbooks to deliver tailored strikes against organizations. Using DLL sideloading and process injection via legitimate binaries, it deploys advanced encryption with Curve25519 and ChaCha20 and spreads across networks by targeting shares. Dutch cybersecurity officials are spotlighting active exploits of a critical Citrix NetScaler vulnerability, hitting key organizations since early May. The bug enables control flow hijacking and DoS attacks on Gateway or AAA configurations, with web shells found on compromised devices.

Aug 11, 2025

Cyware Daily Threat Intelligence, August 11, 2025

ScarCruft is pulling out all the stops with a malware campaign disguised as a simple postal code update, blending languages and abusing legitimate services for maximum stealth. This North Korean APT group deploys phishing emails with malicious LNK files in RAR archives, unleashing nine malicious components. A fresh twist on the DarkCloud malware is catching victims off guard through phishing emails packed with obfuscated JavaScript in RAR archives. Written in Visual Basic 6, this variant dodges sandboxes by monitoring user activity, steals credentials and payment data from apps, and exfiltrates it all via SMTP as text files. Attackers are turning Windows domain controllers into unwitting DDoS weapons with a clever technique called Win-DDoS. This leverages the sheer bandwidth of thousands of DCs, while exposed critical DoS vulnerabilities in LDAP and LSASS add to the remote exploitation risks, turning the platform against itself.

Aug 8, 2025

Cyware Daily Threat Intelligence, August 08, 2025

A new breed of EDR killer tool is arming multiple ransomware gangs with the power to silently disable security defenses. This heavily obfuscated binary, injected into legitimate applications, uses a signed driver with a random name to execute BYOVD attacks, terminating processes of major security tools. Shared among threat groups, its varied builds suggest a collaborative framework, amplifying its threat to compromised systems. CISA is sounding the alarm with a tight deadline, urging federal agencies to patch a critical Microsoft Exchange vulnerability by Monday morning. Tracked as a high-risk flaw affecting Exchange Server 2016, 2019, and Subscription Edition, it allows attackers with on-premises admin access to breach cloud environments, potentially seizing full domain control. GreedyBear is rewriting the playbook for crypto theft with a sprawling campaign that’s as bold as it is cunning. Deploying over 150 malicious Firefox extensions, 500 executables, and numerous phishing sites, the group uses Extension Hollowing to weaponize initially benign extensions for stealing wallet credentials. This highly organized operation runs from a centralized server, posing a major risk to users.

Aug 7, 2025

Cyware Daily Threat Intelligence, August 07, 2025

Lazarus Group is back with a cunning new Python-based RAT, PyLangGhost, targeting tech and finance sectors with a fresh twist. Using fake job interviews and deceptive error prompts, attackers trick developers and executives into running scripts that grant remote access. A sneaky flaw in Amazon’s ECS, dubbed ECScape, is opening the door to privilege escalation in shared cloud environments. By exploiting an undocumented internal protocol and metadata service, low-privileged containers can steal IAM credentials from higher-privileged tasks on the same EC2 instance. Ghost Calls, a new evasion tactic, is turning Zoom and Microsoft Teams into covert channels for malicious activity, slipping past traditional defenses with ease. This tactic exploits TURN servers to tunnel C2 traffic disguised as legitimate WebRTC video conferencing data.

Aug 6, 2025

Cyware Daily Threat Intelligence, August 06, 2025

Phishing emails disguised as court summons are delivering a malicious payload to Ukrainian government and defense sectors, courtesy of UAC-0099. These attacks use shortened URLs to deploy HTA files that execute obfuscated VB scripts, installing malware like MATCHBOIL, MATCHWOK, and DRAGSTARE. The CISA is sounding the alarm on three actively exploited vulnerabilities in D-Link Wi-Fi cameras and video recorders, now added to its KEV catalog. These flaws, with severity scores up to 8.8, include a remote password disclosure issue, an authenticated command injection vulnerability, and an unpatched code execution flaw tied to end-of-life models. A critical set of flaws dubbed ReVault is exposing over 100 Dell laptop models to devastating firmware attacks. Affecting the ControlVault3 firmware in Latitude and Precision series, these vulnerabilities allow attackers with physical access to bypass Windows login, execute arbitrary code, and install persistent malware that survives system reinstalls.

Aug 5, 2025

Cyware Daily Threat Intelligence, August 05, 2025

A stealthy Python-based PXA Stealer is sweeping across 62 countries, pilfering sensitive data from unsuspecting victims. This infostealer campaign has exfiltrated hundreds of thousands of passwords and more. Using sideloading tricks with legitimate software, it targets browsers, cryptocurrency wallets, and financial sites, posing a severe threat to users and organizations alike. ClickTok is luring TikTok Shop users into a trap with a crafty blend of phishing and malware. This global campaign deploys over 10,000 fake TikTok websites and 5,000 malicious apps, impersonating TikTok’s e-commerce platforms to steal cryptocurrency wallet credentials. Trojanized apps laced with SparkKitty spyware snatch sensitive data, making this a sophisticated scam targeting digital shoppers. Google’s August 2025 Android security update is a critical shield against newly discovered vulnerabilities threatening millions of devices. Addressing six flaws, the update also patches high-severity Android framework bugs and issues in Arm and Qualcomm components. With two patch levels rolled out, manufacturers are now racing to deploy fixes to keep users secure.

Aug 4, 2025

Cyware Daily Threat Intelligence, August 04, 2025

Akira ransomware is striking with surgical precision, exploiting a suspected zero-day flaw in SonicWall SSL VPN devices, even those fully patched. Since mid-July 2025, attackers have used Virtual Private Server logins to bypass MFA, hitting multiple targets in rapid succession. A cunning Android RAT, PlayPraetor, is sweeping through six countries, already compromising over 11,000 devices with its deceptive tactics. Masquerading as legitimate apps via fake Google Play Store pages and Meta Ads, it exploits accessibility services to overlay phishing screens on nearly 200 banking and crypto apps. MediaTek chipsets powering smartphones and IoT devices are vulnerable to new flaws that could expose millions of users. These issues, affecting a wide range of Android devices, allow attackers to escalate privileges or execute malicious code. With some exploits requiring no user interaction, unpatched systems face significant risks, urging immediate updates.

Aug 1, 2025

Cyware Daily Threat Intelligence, August 01, 2025

In a move straight out of a spy novel, Russian state hackers have been caught red-handed targeting embassies in Moscow with a sophisticated cyberespionage campaign. Known as Secret Blizzard, these attackers wielded the ApolloShadow malware to manipulate system certificates and disguise their activities as trusted applications. A critical flaw in PostgreSQL's pg_dump utility has left databases vulnerable to a race condition attack, potentially handing attackers superuser privileges. This TOCTOU vulnerability impacts multiple PostgreSQL versions, allowing those with sufficient privileges to execute arbitrary SQL commands during the dump process. Cybercriminals are donning digital disguises, impersonating trusted enterprises with fake Microsoft OAuth applications to steal credentials and bypass multi-factor authentication. Proofpoint uncovered campaigns redirecting users to phishing URLs through OAuth apps mimicking services like RingCentral, DocuSign, and Adobe. A newly discovered cyberattack technique, dubbed Man in the Prompt, is turning browser extensions into unwitting accomplices in data theft from generative AI tools. By exploiting DOM access, malicious extensions can intercept and manipulate interactions with platforms like ChatGPT and Google Gemini - no elevated permissions required.