Cyware Daily Threat Intelligence

Cyware Daily Threat Intelligence - Featured Image

Daily Threat Briefing February 19, 2024

Multi-OS ransomware represents a significant evolution in cyber threats. A new ransomware tool, M.O.R.E, promises swift encryption using advanced algorithms and can encrypt or decrypt hefty files in seconds. In different headlines, Middle East policy experts have appeared to fall under the radar of an infamous Iranian threat group. Attackers are utilizing social engineering tactics, like extended email conversations, to lure potential victims into clicking malicious links that download different payloads.

Despite Google Play's enhanced security measures, the operators behind the Anatsa Android banking trojan have been able to expand their reach to Slovakia, Slovenia, and Czechia. As observed, operators abuse the accessibility service tailored to Samsung devices.

Top Breaches Reported in the Last 24 Hours

**Russian group hits 80+ organizations **

Winter Vivern, the threat group associated with Belarus and Russia, has been discovered targeting European government and military mail servers. The attack chains exploit Roundcube vulnerabilities, deploying JavaScript payloads to extract user credentials sent to a C2 server. The campaign has impacted over 80 organizations, mainly in Georgia, Poland, and Ukraine, to collect intelligence on European political and military activities.

ALPHV behind attacks on Fortune 500 giants

The ALPHV/Blackcat ransomware gang claimed responsibility for recently breaching Fortune 500 companies Prudential Financial and loanDepot. While loanDepot confirmed a data breach affecting 16.6 million individuals, Prudential is still assessing the full scope of the incident. ALPHV revealed plans to sell loanDepot's stolen data and release Prudential's data for free.

Alleged breach at Robert Half

Hackers operating under the aliases IntelBroker and Sanggiero claim to have breached staffing giant Robert Half International once more, offering a trove of stolen data for $20,000 in Monero. The data purportedly includes confidential records, employee documents, customer information, and service configuration settings. The full extent of the breach and the number of affected individuals remain unclear.

Top Malware Reported in the Last 24 Hours

Charming Kitten unloads multiple malware

Iranian-origin threat group Charming Kitten has launched an espionage campaign targeting Middle East policy experts. The attackers are using social engineering tactics and a fake webinar portal to distribute malware-laden RAR archives containing LNK files. The multi-stage infection sequence deploys BASICSTAR and KORKULOADER, capable of executing remote commands and displaying decoy PDF files. Some phishing attacks dropped customized backdoors, POWERLESS for Windows and NokNok for macOS, based on the victim's operating system.

M.O.R.E ransomware poses greater risks

A new threat dubbed M.O.R.E (Multi OS Ransomware Executable) has emerged on the dark web, boasting compatibility with Windows, Mac OS, and Linux. This multi-OS ransomware is capable of encrypting hefty files in just 4 seconds, using RSA/Chacha20Poly1305 algorithms. Furthermore, this new tool can infiltrate networks and encrypt target files across different platforms simultaneously.

Anatsa trojan expands target surface

The Anatsa Android banking trojan, also known as TeaBot and Toddler, has reportedly extended its operations to Slovakia, Slovenia, and Czechia in a new campaign. Anatsa droppers successfully exploited Accessibility Services restrictions in Android 13, potentially affecting over 100,000 devices. The trojan, disguised as benign apps on the Play Store, grants full control over infected devices, enabling credential theft and fraudulent transactions.

Is ‘Alpha’ the resurgence of NetWalker?

Alpha ransomware, which surfaced in February 2023, has been found bearing striking resemblances with the now-defunct NetWalker ransomware, suggesting a potential revival of the notorious cyber threat. Both utilize similar PowerShell-based loaders and exhibit code overlaps in their payloads, including execution flow and configuration settings. Despite NetWalker's apparent halt in 2021 following law enforcement actions, Alpha has recently intensified its attacks, employing living-off-the-land tools like Taskkill and PsExec.

CISA: Akira abusing Cisco bug

The CISA included a patched security vulnerability, CVE-2020-3259, affecting Cisco ASA and FTD software, in its KEV catalog. This comes following reports of likely exploitation by the Akira ransomware group, although no publicly available exploit code exists. Truesec, a cybersecurity firm, uncovered evidence indicating that Akira ransomware actors have weaponized it to exploit numerous vulnerable Cisco AnyConnect SSL VPN appliances in 2023.

SpyNote makes a comeback

The infamous SpyNote Android spyware has resurfaced, now exploiting Accessibility APIs to target cryptocurrency wallets and users, aiming to steal their digital assets. The RAT automatically fills out cryptocurrency transfer forms with the attacker's wallet address, initiated without alerting the user. Android users are advised to scrutinize requests for Accessibility API access, especially from purported crypto wallet apps, PDF readers, and video players, to mitigate the threat.

Top Vulnerabilities Reported in the Last 24 Hours

SolarWinds mitigates flaws in ARM and Orion

SolarWinds issued updates addressing five vulnerabilities in its Access Rights Manager (ARM) solution, discovered by researchers including Piotr Bazyd?o from Trend Micro Zero Day Initiative. These flaws, including critical directory traversal issues and high-severity unsafe deserialization bugs, could enable RCE attacks. SolarWinds Platform (formerly Orion) also received fixes for two SQL injection vulnerabilities that could allow remote attackers to execute arbitrary code on affected installations.

Top Scams Reported in the Last 24 Hours

Utility scam exploits energy bill

A recent investigation uncovered a vast network of fraudulent ads promoting utility scams. In this attack campaign, many Pakistani adversaries were seen employing extortion tactics to coerce victims into making immediate payments or divulging sensitive information to restore their connection. Sophisticated tactics like fraudulent ads shown in Google searches are at the core of this campaign.

Related Threat Briefings

Mar 25, 2025

Cyware Daily Threat Intelligence, March 25, 2025

A stealthy browser extension called Rilide has resurfaced with improved evasion capabilities and support for Chrome’s latest extension framework. Disguised as a utility for Google Drive, it quietly collects data, particularly those tied to cryptocurrency wallets. Ongoing campaigns have used lures ranging from fake PowerPoint documents to spoofed Twitter notifications, all aimed at embedding the extension into Chromium-based browsers. On GitHub, a seemingly innocent coding challenge is being used as a delivery mechanism for malware. A malicious repository targets Polish-speaking developers and installs FogDoor, a backdoor capable of data theft, remote command execution, and persistence. The campaign uses clever techniques, while quietly harvesting sensitive information. Kubernetes environments are facing serious risk after the discovery of IngressNightmare - a collection of five critical flaws in the Ingress NGINX Controller. These bugs open the door to unauthenticated remote code execution and expose thousands of clusters to full compromise. In the wrong hands, this vulnerability could allow attackers to exfiltrate secrets across all namespaces, effectively granting full control over affected clusters.

Mar 24, 2025

Cyware Daily Threat Intelligence, March 24, 2025

A newly surfaced threat actor, UAT-5918, has been quietly embedding itself into Taiwan’s critical infrastructure since 2023. With a focus on information theft, the group has been targeting multiple sectors using a mix of off-the-shelf tools and stealthy web shells. The threat actor also boasts of an extensive toolkit. Meanwhile, the Medusa ransomware operation is refining its ability to bypass defenses using a malicious driver disguised as a legitimate security component. Dubbed ABYSSWORKER, the driver is signed with compromised certificates. Once deployed, it disables anti-malware tools and clears the path for ransomware delivery through a loader. On the plugin front, a critical vulnerability in WP Ghost has put thousands of WordPress sites at risk. If certain non-default settings are enabled, the bug can be used to load arbitrary files - opening the door to remote code execution. Though a patch has been issued in version 5.4.02, the exposure window combined with the plugin’s wide install base makes this a notable concern for site admins still lagging on updates.

Mar 21, 2025

Cyware Daily Threat Intelligence, March 21, 2025

A stealthy cyber campaign briefly surfaced before vanishing. Researchers uncovered a public web server tied to a campaign targeting South Korean entities, hosting a Rust-based payload delivering Cobalt Strike Cat alongside open-source hacking tools. The infrastructure disappeared within 24 hours but revealed a target list of over 1,000 Korean domains. A backup tool vulnerability is now a fast track for attackers. CISA issued a warning for a path traversal flaw in Nakivo Backup and Replication, which is being actively exploited to execute code remotely and access sensitive enterprise data. The vulnerability has also been added to the KEV catalog. Fake ads are turning Semrush into phishing bait. A malicious ad campaign is tricking users into visiting fraudulent Semrush login pages, stealing Google credentials by forcing victims to use the “Log in with Google” option on spoofed pages.

Mar 20, 2025

Cyware Daily Threat Intelligence, March 20, 2025

Cybercriminals don’t just break in; they move in and redecorate. The DollyWay malware campaign, active since 2016, has now compromised over 20,000 WordPress sites, according to GoDaddy. By February 2025, it was redirecting 10 million users each month to scam sites. Originally a ransomware operation, it has evolved into a redirection scam using the VexTrio and LosPollos affiliate networks. Hackers have found a new disguise for malware—virtual hard disk files. Threat actors are distributing VenomRAT through phishing emails with .VHD files masked as purchase orders. These files help the malware evade detection while a hidden batch script self-replicates, maintains PowerShell persistence, and steals data using HVNC and Pastebin-based C2 communication. Meanwhile, a year-old sophisticated phishing campaign has shifted gears. After successfully tricking Windows users with fake Microsoft security alerts on windows[.]net, attackers are now targeting macOS users. For detailed Cyber Threat Intel, click ‘Read More’.

Mar 19, 2025

Cyware Daily Threat Intelligence, March 19, 2025

Cyber threats are increasingly targeting sensitive industries and posing national security concerns. Ukraine’s CERT-UA has raised alarms about a wave of cyberattacks leveraging the DarkCrystal RAT to target defense industry professionals and military entities. The attackers are using Signal messenger to send phishing messages disguised as trusted contacts, luring victims into opening a fake PDF file containing a malware dropper. When even your AI assistant can be tricked into working for hackers, the stakes couldn’t be higher. Security researchers have uncovered a supply chain attack known as the 'Rules File backdoor,' which compromises AI-powered code editors like GitHub Copilot and Cursor. Meanwhile, in the healthcare sector, PoC exploits have surfaced for vulnerabilities in Sante PACS servers. These flaws, including CVE-2025-2263 through CVE-2025-2284, could enable unauthorized data access and system disruption. For detailed Cyber Threat Intel, click ‘Read More’.

Mar 18, 2025

Cyware Daily Threat Intelligence, March 18, 2025

Cybercriminals are getting craftier, with Microsoft uncovering StilachiRAT, a stealthy malware that steals crypto, spies on systems, and evades detection. It targets digital wallets, browser data, and RDP sessions while maintaining persistence through Windows services. Meanwhile, a year-old SSRF flaw in ChatGPT (CVE-2024-27564) is under active exploitation, with over 10,000 attack attempts in a week, mainly targeting US financial and government entities. Phishers are now exploiting Microsoft 365 infrastructure in a BEC campaign, tricking users with fake support notifications and fraudulent call centers. Attackers collect credentials and take over accounts while avoiding detection. As AI vulnerabilities, RATs, and phishing tactics evolve, businesses must stay ahead to protect sensitive data. For detailed Cyber Threat Intel, click ‘Read More’.

Mar 17, 2025

Cyware Daily Threat Intelligence, March 17, 2025

The Black Basta gang has cooked up a relentless new tool. Its automated brute-forcing framework has been relentlessly probing edge networking devices since 2023, zeroing in on widely used edge networking devices. Something sinister was brewing in the PyPI repository. Multiple fraudulent packages racked up tens of thousands of downloads and hid a nasty secret: code designed to siphon cloud access tokens. However, the packages have been removed. Coinbase users are getting hit with a scam that’s all polish and bad intentions. Dressed up as an official notice about a court-ordered shift to self-custodial wallets, it nudges recipients to set up a new wallet with a recovery phrase - except it’s a trap, pre-controlled by the attackers.

Mar 14, 2025

Cyware Daily Threat Intelligence, March 14, 2025

A new ransomware group is making waves with tactics reminiscent of LockBit. Mora_001 has been exploiting Fortinet vulnerabilities to gain access to networks. Subsequently, it deploys its SuperBlack ransomware, ensuring persistent control before encrypting critical systems. GitLab users should patch now as critical authentication flaws surface. Two newly discovered GitLab vulnerabilities could allow attackers to impersonate users, potentially leading to data breaches and privilege escalation. Security updates have been released to mitigate the risk. Cybercriminals are faking Clop ransomware attacks to scam businesses. Fraudsters are posing as the Clop ransomware gang, fabricating extortion claims to trick victims into paying ransoms for non-existent data breaches.

Mar 13, 2025

Cyware Daily Threat Intelligence, March 13, 2025

A new spyware is lurking in fake apps, and it’s tied to North Korea. KoSpy, a newly discovered Android surveillance tool, is believed to be the work of APT37 and has been targeting Korean and English-speaking users. Distributed via Google Play Store and Firebase Firestore, the spyware could access a plethora of information. Juniper routers are being turned into stealthy backdoors. The Chinese threat group UNC3886 has infiltrated older Juniper MX routers, deploying customized TinyShell backdoors to evade detection. By accessing devices via terminal servers with legitimate credentials, the attackers bypassed Junos OS security protections, allowing persistent access to compromised networks. A widely used font library is now a security risk. Facebook has warned of a critical flaw in FreeType. The bug, caused by an out-of-bounds write, can lead to arbitrary code execution and has been exploited in attacks.

Mar 12, 2025

Cyware Daily Threat Intelligence, March 12, 2025

Copy, paste, and lose everything - MassJacker turns a simple action into a costly mistake. The operation leverages 778,000 fraudulent wallet addresses to siphon digital assets from unsuspecting victims. It has targeted victims by replacing copied cryptocurrency wallet addresses with those controlled by attackers. Exploited in the wild and patched just in time. Microsoft has released security updates fixing 57 vulnerabilities, including six zero-days actively exploited by attackers. The update also addresses 17 Edge browser vulnerabilities, reinforcing the critical need for immediate patching before these flaws can be leveraged for malicious purposes. A botnet is turning home routers into attack platforms, and there’s still no fix in sight. The Ballista botnet is actively exploiting a remote code execution flaw in TP-Link Archer routers, allowing attackers to inject commands without authentication. With thousands of compromised devices and growing, the botnet uses Tor domains for stealth and has been traced back to an Italian-based threat actor.

Mar 11, 2025

Cyware Daily Threat Intelligence, March 11, 2025

A new ransomware strain isn’t just locking up files, it’s locking out hope of recovery. Researchers uncovered EByte Ransomware, a Golang-based malware that’s actively targeting Windows systems with advanced cryptographic techniques, making decryption nearly impossible without the attackers' key. A simple-looking PDF is all it takes for attackers to hijack your system. A new malware strain, Phantom Goblin, is being spread through RAR attachments in phishing campaigns, tricking users into opening a malicious LNK file disguised as a document. It also abuses VSCode tunnels for remote access. Attackers don’t need new tricks when unpatched systems do the job for them. The CISA has flagged five new vulnerabilities under active exploitation, affecting Advantive VeraCore and Ivanti Endpoint Manager. The VeraCore flaw exploitation is linked to a likely Vietnamese threat group, while the Ivanti EPM vulnerabilities allow attackers to coerce credentials for further access.

Mar 10, 2025

Cyware Daily Threat Intelligence, March 10, 2025

When cybercriminals upgrade their arsenal, staying hidden becomes easier than ever. Several ransomware and cybercrime groups are leveraging the Ragnar Loader malware toolkit to maintain long-term access to compromised systems. Constantly evolving with new features, Ragnar Loader has become more modular and harder to detect. A single flaw in a widely used API almost handed attackers full control over vulnerable applications. The Volt API for Livewire recently patched a critical remote code execution vulnerability. The issue has been fixed in version 1.7.0, and users are strongly urged to update to prevent exploitation. A billion devices, a hidden backdoor, and tens of undocumented commands that could change everything. Security researchers have uncovered a major issue in ESP32 revealing 29 undocumented commands that attackers could exploit for spoofing devices, unauthorized data access, and long-term persistence. This vulnerability raises concerns over supply chain security, as OEMs could unknowingly ship compromised devices.