Cyware Daily Threat Intelligence, December 22, 2025

In what reads like a phishing operation on overdrive, the Scripted Sparrow BEC group is flooding inboxes worldwide with an estimated 6.6 million targeted emails each month. It masquerades as executive coaching firms and relies on fake invoices, spoofed email threads, webmail, custom domains, and clever attachment-free tactics across five countries to quietly slip past security controls.

BlueDelta ran a credential-harvesting campaign against UKR.NET users between June 2024 and April 2025 using fake login pages to steal credentials and 2FA codes. The group distributed malicious PDF lures and leveraged free web services and proxy tunneling platforms to bypass email security, evade detection, and avoid infrastructure takedowns.

WatchGuard has released patches for a critical, actively exploited zero-day flaw (CVE-2025-14733, CVSS 9.3) in Firebox firewalls that enables unauthenticated remote code execution and affects about 125,000 exposed systems worldwide. CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog and urged immediate remediation, as Fireware 11.x remains unpatched due to end-of-life.

Top Malware Reported in the Last 24 Hours

Scripted Sparrow shoots millions of phishing emails

Scripted Sparrow is a global business email compromise (BEC) group that sends millions of targeted phishing emails monthly. The group impersonates executive coaching firms, using fake invoices and spoofed email chains to deceive victims. They operate across five countries, leveraging webmail, custom domains, and location spoofing to evade detection. Their tactics include omitting attachments to avoid exposing their financial details prematurely. Fortra estimates the group sends approximately 6.6 million emails monthly, targeting organizations worldwide.

BlueDelta targets Ukrainian users

BlueDelta is a Russian state-sponsored threat group associated with the GRU, known for conducting credential-harvesting and espionage operations for over a decade. Between June 2024 and April 2025, BlueDelta conducted a credential-harvesting campaign targeting UKR.NET users. The campaign utilized fake UKR.NET login portals to collect usernames, passwords, and two-factor authentication codes. BlueDelta used free web services such as Mocky, DNS EXIT, ngrok, and Serveo to create and host credential-harvesting pages. The group distributed malicious PDF lures with embedded links to bypass email scanning and sandbox detections. BlueDelta transitioned from using compromised routers to proxy tunneling platforms like ngrok and Serveo to evade detection and infrastructure takedowns.

Top Vulnerabilities Reported in the Last 24 Hours

WatchGuard Firebox faces a zero-day threat

WatchGuard has released patches for a critical vulnerability (CVE-2025-14733) in its Firebox firewalls. This zero-day flaw, with a CVSS score of 9.3, could allow unauthenticated remote code execution. Approximately 125,000 IP addresses, including 40,000 in the U.S., are affected. Threat actors have actively exploited this vulnerability, which impacts Fireware OS versions 11.x, 12.x, and 2025.x. Patches for most versions have been issued, except for version 11.x, which has reached end-of-life. The U.S. cybersecurity agency CISA has added this vulnerability to its Known Exploited Vulnerabilities catalog and urged swift remediation.

FortiCloud SSO vulnerability

Over 25,000 Fortinet devices with FortiCloud SSO enabled are exposed online, making them vulnerable to remote attacks due to two critical authentication bypass flaws (CVE-2025-59718 and CVE-2025-59719). Threat actors exploit the vulnerabilities via malicious SAML messages, gaining admin-level access to web management interfaces and extracting sensitive system configuration files. Shadowserver identified over 25,000 affected devices globally, with over 5,400 in the U.S. and nearly 2,000 in India, while scans by researcher Yutaka Sejiyama revealed over 30,000 devices exposed. The flaws have been added to CISA's Known Exploited Vulnerabilities catalog, mandating that U.S. government agencies patch by December 23, 2025.