Cyware Daily Threat Intelligence, August 25, 2025

shutterstock 1661078329

Daily Threat Briefing August 25, 2025

Posing as a trusty antivirus app, Android.Backdoor.916.origin is giving Russia's FSB a backdoor into executives' devices. Disguised as a fake antivirus, this malware spreads via private messages, grabs extensive permissions, and uses Accessibility Service to steal chats and more.

APT36 is turning innocent Linux desktop files into espionage tools against India's government and defense sectors. Through phishing ZIPs with malicious .desktop files mimicking PDFs, they execute hidden bash commands to fetch Go-based ELF payloads.

Salesforce is plugging critical holes in Tableau Server and Desktop that could let attackers run wild with code execution. The top flaw, a 9.6 CVSS type confusion bug, enables local exploits on Windows and Linux, alongside upload vulnerabilities leading to path traversal and improper input validation issues.

Top Malware Reported in the Last 24 Hours

Android malware targets Russian executives

Android.Backdoor.916.origin is a sophisticated malware disguised as an antivirus application linked to Russia's FSB, specifically targeting business executives. This multifunctional backdoor allows attackers to execute commands, conduct surveillance, and steal sensitive information, including chats, browser data, and live audio/video streams. The malware is distributed through private messages under the guise of a legitimate security app named "GuardCB," which mimics real antivirus tools to avoid detection. Upon installation, it requests extensive permissions, granting attackers full control over the device. The malware exploits the Accessibility Service to log keystrokes and extract data from popular applications like Telegram and WhatsApp. 

APT36 exploits Linux files for malware

APT36 is targeting Indian government and defense entities by exploiting Linux .desktop files to install malware. They send phishing emails containing ZIP files with malicious .desktop files disguised as PDF documents. When users open these files, hidden bash commands execute, fetching hex-encoded payloads from the attackers' servers. The malware, a Go-based ELF executable, is designed for espionage and can establish persistence through cron jobs and systemd services. Additionally, the attackers use techniques to conceal their actions, such as launching a benign decoy PDF in Firefox to distract victims.

Malicious Go module steals SSH credentials

A malicious Go module, disguised as an SSH brute-force tool, has been discovered to exfiltrate credentials to a Telegram bot controlled by the attacker. Named "golang-random-ip-ssh-bruteforce," this module scans random IPv4 addresses for exposed SSH services on TCP port 22 and attempts to log in using a simplistic username-password list that includes common credentials like "root" and "admin." Notably, the module disables host key verification, allowing it to connect to any server without identity checks. Once a successful login occurs, the module sends the target IP address, username, and password to a hard-coded Telegram bot named "@sshZXC_bot." 

Top Vulnerabilities Reported in the Last 24 Hours

Critical vulnerabilities found in Tableau Server

Salesforce has addressed multiple critical vulnerabilities in Tableau Server and Desktop that could allow attackers to upload malicious files and execute arbitrary code. The most severe vulnerability, CVE-2025-26496, has a CVSS score of 9.6 and involves type confusion, enabling local code execution on both Windows and Linux systems. Other significant flaws include CVE-2025-26497 and CVE-2025-26498, which allow unrestricted file uploads with a CVSS score of 7.7, leading to absolute path traversal. Additionally, CVE-2025-52450 and CVE-2025-52451, both scoring 8.5, exploit improper pathname limitations and input validation issues.

Related Threat Briefings

Aug 22, 2025

Cyware Daily Threat Intelligence, August 22, 2025

Masquerading as an Australian electronics store, Cookie Spider’s malvertising campaign unleashed the AMOS malware on over 300 targets. From June to August, victims were tricked into running commands that installed SHAMOS, a variant stealing passwords, Keychain data, and crypto wallet details. Berserk Bear hackers are wielding a seven-year-old Cisco flaw to infiltrate global critical infrastructure. Exploiting CVE-2018-0171, these FSB-linked attackers trigger device reloads and use custom SNMP tools and SYNful Knock implants to harvest configurations and maintain covert access. Posing as Rothschild & Co recruiters, MuddyWater APT is targeting CFOs with spear-phishing finesse. Using Firebase-hosted phishing pages and custom CAPTCHAs, they deploy VBS scripts and ZIPs to install NetBird and OpenSSH, ensuring persistent access to compromised systems worldwide.

Aug 21, 2025

Cyware Daily Threat Intelligence, August 21, 2025

Slipping through the cracks like a chameleon, QuirkyLoader is spreading infostealers and remote access tools with a multi-stage attack. Since November 2024, it’s used malicious emails with legitimate executables, leveraging DLL side-loading to target organizations, evading detection with process hollowing. A zero-day flaw has Apple racing to patch millions of devices with emergency iOS and iPadOS updates. This critical ImageIO vulnerability, triggered by malicious images, allows sophisticated attacks—potentially by nation-state actors—to corrupt memory and access devices like iPhone XS and various iPads. Hackers are hijacking Microsoft’s own infrastructure to steal 365 logins with a sly phishing trick. Using legitimate office[.]com links and ADFS redirects, attackers funnel users from Google searches to deceptive phishing pages, bypassing MFA and URL detection with custom tenants and conditional loading.

Aug 20, 2025

Cyware Daily Threat Intelligence, August 20, 2025

Crafty attackers are slipping into cloud Linux systems through a critical Apache ActiveMQ flaw, unleashing DripDropper malware. Exploiting CVE-2023-46604, they use a password-protected payload to communicate via Dropbox, patch the vulnerability to block rivals, and tweak SSH settings for persistent root access. Microsoft’s latest patches are racing to fix a recovery meltdown across Windows 10 and 11. Emergency updates address failures in reset and recovery operations caused by August 2025 patches, with new cumulative fixes released on August 19 to stabilize affected systems. Fraudsters posing as celebrity podcast reps are reeling in business owners with a bait. This podcast imposter scam lures victims into tech-check calls that grant remote access, hijacking social media and risking corporate systems through shared passwords.

Aug 19, 2025

Cyware Daily Threat Intelligence, August 19, 2025

With a diplomat’s charm, malicious emails are smuggling XenoRAT into South Korea’s embassies via GitHub traps. Since March, this spearphishing spree has targeted European missions, using password-protected ZIPs to unleash a trojan that snatches data and grants attackers remote control. A Windows flaw is opening the door for RansomExx to wield PipeMagic like a digital skeleton key. This vulnerability lets Storm-2460 deploy a backdoor through fake ChatGPT apps, targeting IT and finance sectors with stealthy, encrypted remote access. Unpatched N-able N-central servers are sitting ducks for hackers exploiting two critical flaws. These vulnerabilities enable unauthorized command execution, spurring CISA to list them in its KEV Catalog with a federal patching deadline of August 20.

Aug 18, 2025

Cyware Daily Threat Intelligence, August 18, 2025

Trojan Horses are making a comeback as AI-powered apps like "JustAskJacky" disguise malware within useful tools such as recipe or image search apps. By leveraging AI-generated websites, attackers make them look legitimate while slipping past antivirus defenses.

Aug 15, 2025

Cyware Daily Threat Intelligence, August 15, 2025

PhantomCard malware hits Brazilian banks, Cisco patches critical firewall flaw, and Netflix job scams steal Facebook logins from professionals.

Aug 14, 2025

Cyware Daily Threat Intelligence, August 14, 2025

A crafty malvertising campaign is slipping PS1Bot into systems through deceptive compressed archives. With techniques like environmental polling and dynamic C# DLL compilation, PS1Bot evades detection while siphoning off passwords and cryptocurrency wallet data, echoing tactics of Skitnet and AHK Bot. Crypto24 is striking high-profile organizations with surgical precision, blending legitimate IT tools like PSExec and AnyDesk with custom malware to devastating effect. Targeting sectors from finance to entertainment across Asia, Europe, and the U.S., this ransomware group uses privileged accounts and scheduled tasks to maintain stealthy persistence. Fortinet is sounding the alarm on a critical FortiSIEM vulnerability that’s already being exploited in the wild with circulating exploit code. Rated 9.8 on CVSS, this remote unauthenticated command injection flaw allows attackers to execute unauthorized commands via crafted CLI requests.

Aug 13, 2025

Cyware Daily Threat Intelligence, August 13, 2025

Lurking in the shadows since mid-2024, the Curly COMrades group is weaving a web of cyber-espionage across Georgia’s government and Moldova’s energy sector. Their weapon, MucorAgent, uses AES-encrypted PowerShell scripts and hijacked COM objects to slip past defenses, employing erratic scheduled tasks and legitimate remote tools to steal credentials. Microsoft’s August 2025 Patch Tuesday dropped a hefty fix for 111 vulnerabilities, including a zero-day Kerberos flaw that’s raising alarms. Dubbed BadSuccessor, this privilege escalation bug allows attackers with sufficient access to hijack Active Directory domains via Managed Service Accounts. A slick phishing campaign is hitting UK organizations hard, masquerading as the Home Office to swipe Sponsorship Management System credentials. Using urgent emails to lure victims to fake login pages, attackers are raking in £15,000 to £20,000 per scam through fake job offers and visa fraud.

Aug 12, 2025

Cyware Daily Threat Intelligence, August 12, 2025

GitHub repositories are turning into unexpected traps, with SmartLoader malware lurking behind seemingly legitimate projects like game cheats and software cracks. Disguised in README files and compressed archives, it activates via a malicious batch file that loads an obfuscated Lua script, delivering infostealers. A formidable new ransomware, Charon, is borrowing pages from APT playbooks to deliver tailored strikes against organizations. Using DLL sideloading and process injection via legitimate binaries, it deploys advanced encryption with Curve25519 and ChaCha20 and spreads across networks by targeting shares. Dutch cybersecurity officials are spotlighting active exploits of a critical Citrix NetScaler vulnerability, hitting key organizations since early May. The bug enables control flow hijacking and DoS attacks on Gateway or AAA configurations, with web shells found on compromised devices.

Aug 11, 2025

Cyware Daily Threat Intelligence, August 11, 2025

ScarCruft is pulling out all the stops with a malware campaign disguised as a simple postal code update, blending languages and abusing legitimate services for maximum stealth. This North Korean APT group deploys phishing emails with malicious LNK files in RAR archives, unleashing nine malicious components. A fresh twist on the DarkCloud malware is catching victims off guard through phishing emails packed with obfuscated JavaScript in RAR archives. Written in Visual Basic 6, this variant dodges sandboxes by monitoring user activity, steals credentials and payment data from apps, and exfiltrates it all via SMTP as text files. Attackers are turning Windows domain controllers into unwitting DDoS weapons with a clever technique called Win-DDoS. This leverages the sheer bandwidth of thousands of DCs, while exposed critical DoS vulnerabilities in LDAP and LSASS add to the remote exploitation risks, turning the platform against itself.

Aug 8, 2025

Cyware Daily Threat Intelligence, August 08, 2025

A new breed of EDR killer tool is arming multiple ransomware gangs with the power to silently disable security defenses. This heavily obfuscated binary, injected into legitimate applications, uses a signed driver with a random name to execute BYOVD attacks, terminating processes of major security tools. Shared among threat groups, its varied builds suggest a collaborative framework, amplifying its threat to compromised systems. CISA is sounding the alarm with a tight deadline, urging federal agencies to patch a critical Microsoft Exchange vulnerability by Monday morning. Tracked as a high-risk flaw affecting Exchange Server 2016, 2019, and Subscription Edition, it allows attackers with on-premises admin access to breach cloud environments, potentially seizing full domain control. GreedyBear is rewriting the playbook for crypto theft with a sprawling campaign that’s as bold as it is cunning. Deploying over 150 malicious Firefox extensions, 500 executables, and numerous phishing sites, the group uses Extension Hollowing to weaponize initially benign extensions for stealing wallet credentials. This highly organized operation runs from a centralized server, posing a major risk to users.

Aug 7, 2025

Cyware Daily Threat Intelligence, August 07, 2025

Lazarus Group is back with a cunning new Python-based RAT, PyLangGhost, targeting tech and finance sectors with a fresh twist. Using fake job interviews and deceptive error prompts, attackers trick developers and executives into running scripts that grant remote access. A sneaky flaw in Amazon’s ECS, dubbed ECScape, is opening the door to privilege escalation in shared cloud environments. By exploiting an undocumented internal protocol and metadata service, low-privileged containers can steal IAM credentials from higher-privileged tasks on the same EC2 instance. Ghost Calls, a new evasion tactic, is turning Zoom and Microsoft Teams into covert channels for malicious activity, slipping past traditional defenses with ease. This tactic exploits TURN servers to tunnel C2 traffic disguised as legitimate WebRTC video conferencing data.