Cyware Daily Threat Intelligence, December 10, 2025

The Makop ransomware is evolving, and it has Indian organizations in its crosshairs. This variant has upgraded its arsenal with privilege escalation exploits and the GuLoader malware. Attackers are breaking in through weak RDP credentials, then using off-the-shelf tools to harvest secrets and disable security controls before deploying the encryptor across the network.
A cybercriminal entrepreneur known as GrayBravo is arming multiple threat groups with a sophisticated new toolkit. Four distinct clusters have been spotted using CastleLoader under a MaaS model to target the logistics sector. The attacks leverage a suite of "Castle" tools to deliver stealers like RedLine.
It is a race against time for Windows administrators this week. Microsoft's latest Patch Tuesday update fixes 57 vulnerabilities, including a zero-day flaw in the Cloud Files driver that attackers are actively exploiting right now to gain SYSTEM privileges. The release also patches two publicly disclosed issues in GitHub Copilot and PowerShell.
Top Malware Reported in the Last 24 Hours
Makop ransomware targets RDP systems
Makop ransomware, a variant of the Phobos family, has evolved by incorporating privilege escalation exploits and loader malware, specifically GuLoader, into its operations. Targeting primarily Indian organizations, the attackers exploit weak RDP credentials for initial access, then scan the network, move laterally, and disable security controls before deploying the encryptor. Relying on off-the-shelf tools makes this a low-effort but effective approach. Credential dumping tools such as Mimikatz and LaZagne are used to harvest passwords and other secrets, and local privilege escalation exploits give the operators greater control over compromised hosts.
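The initial-access step above (password guessing against exposed RDP until a weak credential works) leaves a recognizable trace in the Windows Security log: a burst of failed logons (Event ID 4625) with LogonType 10 (RemoteInteractive) from one source address, followed by a success (Event ID 4624, LogonType 10) from the same address. The detector below is an added example, not code from the Cyware write-up or from any vendor; it runs over a constructed, simplified export of Security events, and the comma-separated field layout, the 10-minute window and the 5-failure threshold are assumptions you would tune to your own environment.

```python
"""Flag RDP logons that succeed only after a burst of failed attempts from the
same source address: the weak-credential initial-access pattern described for
Makop. Input is a constructed, simplified export of Windows Security events
(EventID 4624 = logon success, 4625 = logon failure, LogonType 10 = RDP).
The field layout, window and threshold below are assumptions for the example."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

RDP_LOGON_TYPE = 10  # RemoteInteractive (RDP / Terminal Services)

# Constructed sample export (not real telemetry), one event per line:
# timestamp,EventID,LogonType,TargetUserName,IpAddress
SAMPLE_LOG = """\
2025-12-09T22:01:03Z,4625,10,administrator,203.0.113.45
2025-12-09T22:01:09Z,4625,10,admin,203.0.113.45
2025-12-09T22:01:15Z,4625,10,backup,203.0.113.45
2025-12-09T22:01:21Z,4625,3,backup,203.0.113.45
2025-12-09T22:02:04Z,4625,10,backup,203.0.113.45
2025-12-09T22:02:40Z,4625,10,backup,203.0.113.45
2025-12-09T22:03:12Z,4625,10,backup,203.0.113.45
2025-12-09T22:04:58Z,4624,10,backup,203.0.113.45
2025-12-09T22:06:00Z,4625,10,jsmith,198.51.100.7
2025-12-09T22:06:20Z,4624,10,jsmith,198.51.100.7
2025-12-09T22:07:00Z,4624,2,jsmith,-
2025-12-09T23:30:00Z,4625,10,svc_sql,203.0.113.45
2025-12-09T23:31:00Z,4624,10,svc_sql,203.0.113.45
"""


def parse_line(line):
    """Parse one exported event line into a dict with a UTC timestamp."""
    ts, event_id, logon_type, user, ip = line.strip().split(",")
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "event_id": int(event_id),
        "logon_type": int(logon_type),
        "user": user,
        "ip": ip,
    }


def parse_log(text):
    """Parse all non-empty lines and return events in chronological order."""
    events = [parse_line(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["time"])


def find_rdp_brute_force(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per 4624/LogonType-10 event that was preceded by at
    least `threshold` 4625/LogonType-10 events from the same IP within `window`.

    Non-RDP logon types (console, network) are ignored so that noisy SMB or
    local failures do not inflate the count for an address."""
    failures = defaultdict(list)  # ip -> [(time, username), ...]
    alerts = []
    for e in events:
        if e["logon_type"] != RDP_LOGON_TYPE:
            continue
        if e["event_id"] == 4625:
            failures[e["ip"]].append((e["time"], e["user"]))
        elif e["event_id"] == 4624:
            recent = [(t, u) for t, u in failures[e["ip"]] if e["time"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({
                    "ip": e["ip"],
                    "user": e["user"],
                    "success_time": e["time"],
                    "failures": len(recent),
                    # several usernames from one IP suggests spraying, not a typo
                    "distinct_users": len({u for _, u in recent}),
                })
    return alerts


if __name__ == "__main__":
    for a in find_rdp_brute_force(parse_log(SAMPLE_LOG)):
        print(f"{a['ip']} logged in as {a['user']} at {a['success_time']:%H:%M:%S} "
              f"after {a['failures']} RDP failures across {a['distinct_users']} accounts")
```

On the sample, only the 203.0.113.45 logon as `backup` is flagged: the 4625 with LogonType 3 is not counted, the `jsmith` success follows a single failure, and the later `svc_sql` success is outside the window of the earlier burst. In production you would feed this from the Security log itself (for example `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625}` and the event XML fields) and treat any hit as a trigger to check for the follow-on activity the write-up lists: credential dumping, scanning, and tampering with security tooling.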
GrayBravo expands malware service infrastructure
Four distinct threat clusters have emerged utilizing the CastleLoader malware, indicating its distribution under a MaaS model by the actor known as GrayBravo. This group, previously identified as TAG-150, exhibits rapid development cycles and technical sophistication. Notable tools in their arsenal include CastleRAT and CastleBot, which facilitate the delivery of various malware families such as DeerStealer and RedLine Stealer. The clusters employ diverse tactics, including phishing campaigns targeting the logistics sector and impersonation of legitimate brands like Booking[.]com. GrayBravo has established a multi-tiered infrastructure, leveraging compromised accounts on freight-matching platforms to enhance the credibility of its phishing efforts.
STAC6565 targets Canada with ransomware attacks
Canadian organizations have become the primary focus of a campaign by the STAC6565 group, also known as Gold Blade, which has conducted nearly 40 intrusions from February 2024 to August 2025. Initially targeting Russia, the group has expanded its operations to Canada and other countries, employing phishing emails and weaponized resumes to deliver ransomware known as QWCrypt. Their tactics reflect a shift from cyber espionage to a hybrid model that combines data theft with selective ransomware deployment. The group’s approach includes multi-stage attacks and the use of legitimate job platforms to increase the likelihood of successful intrusions. Despite the professional nature of the operation, there is no evidence of state sponsorship, and the group appears to operate under a "hack-for-hire" model.
Top Vulnerabilities Reported in the Last 24 Hours
SAP patches three critical bugs
SAP has released its December 2025 security updates, addressing 14 vulnerabilities across various products, including three critical flaws. The most severe issue, with a CVSS score of 9.9, is a code injection vulnerability in SAP Solution Manager ST 720 that could allow an authenticated attacker to gain full control of the system. Another critical entry, rated 9.6, covers multiple Apache Tomcat vulnerabilities in SAP Commerce Cloud components, posing significant risk to enterprise e-commerce platforms. Additionally, a deserialization vulnerability in SAP jConnect, with a CVSS score of 9.1, could enable remote code execution under specific conditions. The updates also include fixes for several high- and medium-severity issues.
Microsoft December 2025 Patch Tuesday
Microsoft released its Patch Tuesday updates, addressing 57 vulnerabilities, including three zero-day flaws - one actively exploited and two publicly disclosed. The actively exploited vulnerability, CVE-2025-62221, affects the Windows Cloud Files Mini Filter Driver and allows a local attacker to elevate privileges to SYSTEM. The publicly disclosed vulnerabilities are CVE-2025-64671, a remote code execution flaw in GitHub Copilot for JetBrains, and CVE-2025-54100, a PowerShell vulnerability that could lead to command execution via the Invoke-WebRequest cmdlet. The release also includes critical fixes for remote code execution vulnerabilities in Microsoft Office and SharePoint.