Cyware Daily Threat Intelligence, February 28, 2025

Daily Threat Briefing • February 28, 2025
Cybercriminals are evolving their tactics, using stealthy botnets and disguised malware to expand their reach. A new Vo1d botnet variant has infected about 1.6 million Android TV devices across 226 countries and regions, peaking on January 14, 2025, with roughly 800,000 bots still active. Now featuring stronger encryption and stealth, it is used for ad fraud and illegal proxy services; the most heavily affected countries are Brazil, South Africa, Indonesia, Argentina, Thailand, and China.
Meanwhile, over 1,100 rogue GitHub repositories are spreading Redox Stealer, disguised as game mods and cracked software. This malware steals crypto wallets, browser cookies, and gaming credentials, using fake descriptions and deceptive links to evade detection. Despite reports, many infected repositories remain active.
On a different note, Better Auth has patched a critical flaw in its TypeScript authentication library, which could let attackers steal password reset tokens and redirect users to malicious sites. The vulnerability, found in the trustedOrigins feature, could allow account takeovers.
Novel variant of Vo1d botnet spotted
Since November 2024, a new variant of the Vo1d botnet has infected 1,590,299 Android TV devices across 226 countries and regions. Infections peaked on January 14, 2025, and roughly 800,000 bots remain active. The variant has evolved with stronger encryption and additional stealth features. The most heavily affected countries are Brazil, South Africa, Indonesia, Argentina, Thailand, and China. Operators monetise the compromised devices by renting them out as proxy exit nodes and by running ad fraud through them. Android TV owners should apply vendor firmware updates and segment TVs and other IoT devices onto a network separate from the computers and data that matter, so a compromised set-top box cannot reach them.
Mustang Panda hits Thai targets with Yokai
The Chinese group Mustang Panda ran a malware campaign against the Royal Thai Police using lures styled as FBI documents. The lure is a RAR archive containing a Windows shortcut (.lnk) and a file disguised as a PDF. Opening the shortcut launches the built-in ftp.exe in script mode (-s:<file>), which reads its commands from the fake PDF; ftp.exe passes any script line beginning with ! to the local shell, so the "document" drives the rest of the chain. This leads to a trojanized PDF-XChange Driver Installer that delivers the Yokai backdoor, which employs evasion techniques, connects to a C2 server, and is aimed specifically at Thailand. The tradecraft matches Mustang Panda's known TTPs against government bodies in Asia.
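The ftp.exe script-mode step above is the part of this chain that is cheap to hunt for in endpoint telemetry. The following is an added example, not code from the original report or from any vendor: it triages constructed process-creation events in a Sysmon Event ID 1-like shape (the field names, file paths and the allowlist of script extensions are assumptions made for the demonstration) and flags ftp.exe launched with -s: when further signals, such as a non-script file extension, a temp-directory path or an explorer.exe parent, line up.

```javascript
// Added example: triage of process-creation events for the ftp.exe script-mode
// pattern. The events below are constructed for the demo (Sysmon Event ID 1
// shape); they are not from the original report.
const EVENTS = [
  {
    Image: "C:\\Windows\\System32\\ftp.exe",
    ParentImage: "C:\\Windows\\explorer.exe",
    CommandLine: 'ftp -s:"C:\\Users\\alice\\AppData\\Local\\Temp\\FBI_notice.pdf"',
  },
  {
    Image: "C:\\Windows\\System32\\ftp.exe",
    ParentImage: "C:\\Windows\\System32\\cmd.exe",
    CommandLine: "ftp -n -s:D:\\jobs\\nightly_upload.txt ftp.corp.example",
  },
  {
    Image: "C:\\Windows\\System32\\notepad.exe",
    ParentImage: "C:\\Windows\\explorer.exe",
    CommandLine: "notepad.exe C:\\Users\\alice\\Desktop\\readme.txt",
  },
];

// Extensions an administrator would plausibly use for a genuine ftp.exe
// command script (assumed allowlist; tune to your environment).
const ALLOWED_SCRIPT_EXT = new Set([".txt", ".ftp"]);

function basename(p) {
  return p.split(/[\\/]/).pop();
}

function extOf(p) {
  const b = basename(p);
  const i = b.lastIndexOf(".");
  return i < 0 ? "" : b.slice(i).toLowerCase();
}

// ftp.exe reads commands from the file named by -s:<file>; the path may be quoted.
function parseFtpScriptArg(cmdline) {
  const m = /(?:^|\s)-s:(?:"([^"]*)"|(\S+))/i.exec(cmdline);
  if (!m) return null;
  return m[1] !== undefined ? m[1] : m[2];
}

function assessEvent(ev) {
  const reasons = [];
  if (basename(ev.Image).toLowerCase() !== "ftp.exe") return { suspicious: false, reasons };
  const script = parseFtpScriptArg(ev.CommandLine);
  if (script === null) return { suspicious: false, reasons };
  // Script mode on its own is worth a look: a script line starting with "!"
  // is handed to the local shell, so ftp.exe works as a living-off-the-land binary.
  reasons.push("ftp.exe started in script mode (-s:)");
  const e = extOf(script);
  if (!ALLOWED_SCRIPT_EXT.has(e)) reasons.push(`script file has unexpected extension "${e || "(none)"}"`);
  if (/\\(temp|downloads)\\/i.test(script)) reasons.push("script file sits in a temp or downloads directory");
  if (basename(ev.ParentImage).toLowerCase() === "explorer.exe") {
    reasons.push("parent is explorer.exe, consistent with a double-clicked shortcut");
  }
  // A single reason is the scheduled-transfer false positive; two or more escalate.
  return { suspicious: reasons.length >= 2, reasons, script };
}

// Returns only the events that escalate, with the index into the input and the reasons.
function triage(events = EVENTS) {
  return events.map((ev, index) => ({ index, ...assessEvent(ev) })).filter((r) => r.suspicious);
}

for (const hit of triage()) console.log(hit.index, hit.script, hit.reasons);
```

On the constructed input only the first event escalates (four reasons); the nightly upload job with a .txt script under cmd.exe collects one reason and stays below the threshold, which is the false positive the scoring is designed to tolerate.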
Redox Stealer distributed through GitHub
A malware campaign weaponized GitHub repositories disguised as game mods and cracked software, combining social engineering with automated data theft. Over 1,100 rogue repositories were found spreading the Redox Stealer, which steals cryptocurrency wallet keys, browser cookies, and gaming platform credentials. The operators hide their activity behind plausible fake descriptions and deceptive download links to evade detection. Many of the repositories remain live despite having been reported, which points to gaps in platform monitoring.
Lotus Blossom deploys Sagerunex backdoor
A threat actor named Lotus Blossom (aka Spring Dragon, Billbug, Thrip) conducted multiple cyber espionage campaigns against the government, manufacturing, telecommunications, and media sectors in the Philippines, Vietnam, Hong Kong, and Taiwan, delivering the Sagerunex backdoor and other hacking tools for post-compromise activity. Persistence is established by registering Sagerunex in the system registry and configuring it to run as a service on infected endpoints. The group has also developed new Sagerunex variants that tunnel C2 traffic through third-party cloud services such as Dropbox, Twitter, and Zimbra webmail, so the backdoor's traffic blends in with legitimate use of those services.
Critical Better Auth library flaw patched
A critical security flaw in Better Auth, a TypeScript authentication library, could let attackers take over user accounts. The bug sits in the trustedOrigins feature, which is meant to restrict where the library will redirect users: a crafted value was accepted as trusted, so attackers could redirect users to malicious sites. In the password-reset flow, manipulating the ‘callbackURL’ parameter causes the reset token to be delivered to an attacker-controlled destination. Better Auth fixed the issue in version 1.1.21; users should upgrade to that release promptly.
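The class of bug described above is a redirect-target allowlist that is checked on the raw string rather than on the parsed URL. The following is an added example, not Better Auth's code: it puts a deliberately weak check beside a hardened one and shows where the reset token leaks. The origins, function names and the exact form of the weak check are assumptions made for the demonstration.

```javascript
// Added example: a generic trusted-origin check for a password-reset callbackURL.
// Illustrative code, not Better Auth's implementation; the origins and the weak
// check below are assumptions made for the demonstration.
const APP_ORIGIN = "https://app.example.com";
const TRUSTED_ORIGINS = [APP_ORIGIN, "https://mobile.example.com"];

// Weak check, typical of open-redirect bugs: anything beginning with "/" is
// treated as a relative path, and absolute URLs are matched by string prefix.
function isTrustedCallbackWeak(callbackURL) {
  if (callbackURL.startsWith("/")) return true;
  return TRUSTED_ORIGINS.some((origin) => callbackURL.startsWith(origin));
}

// Hardened check: resolve the value against the app origin with the WHATWG URL
// parser and compare the parsed origin, not the string, against the allowlist.
function isTrustedCallbackStrict(callbackURL) {
  if (typeof callbackURL !== "string" || callbackURL === "") return false;
  // Browsers normalise backslashes to slashes, so "/\evil" becomes "//evil";
  // refuse backslashes and control characters outright.
  if (/[\\\u0000-\u001f\u007f]/.test(callbackURL)) return false;
  let url;
  try {
    url = new URL(callbackURL, APP_ORIGIN);
  } catch {
    return false;
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return false;
  return TRUSTED_ORIGINS.includes(url.origin);
}

// Where the token actually leaks: the reset link is built from the callback.
// Returns the full redirect target, or null when the callback is rejected.
function buildResetRedirect(callbackURL, token, check = isTrustedCallbackStrict) {
  if (!check(callbackURL)) return null;
  const target = new URL(callbackURL, APP_ORIGIN);
  target.searchParams.set("token", token);
  return target.toString();
}

// Constructed probe values: two legitimate, five attacker-shaped.
const PROBES = [
  "/reset-password",
  "https://mobile.example.com/reset",
  "//evil.example/reset",
  "/\\evil.example/reset",
  "https://app.example.com.evil.example/reset",
  "https://app.example.com@evil.example/reset",
  "javascript:alert(document.cookie)",
];

// Returns, per probe, what each check decides, so the difference is visible.
function compareChecks(probes = PROBES) {
  return probes.map((p) => ({
    callbackURL: p,
    weak: isTrustedCallbackWeak(p),
    strict: isTrustedCallbackStrict(p),
  }));
}

for (const row of compareChecks()) console.log(row);
```

The protocol-relative form is the one to remember: "//evil.example/reset" starts with "/", so a string check calls it relative, but the browser resolves it to https://evil.example and the token rides along in the query string. Resolving with `new URL(value, APP_ORIGIN)` and comparing `url.origin` handles that case, the userinfo trick (`app.example.com@evil.example`), and the look-alike subdomain in one move.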
Nakivo resolves a critical flaw
Data protection and backup software provider Nakivo has patched a critical unauthenticated arbitrary file read flaw (CVE-2024-48248) in its Backup & Replication product. The flaw affects version 10.11.3.86570 and is fixed in v11.0.0.88174; which other versions are affected has not been disclosed, and it is unclear whether Nakivo notified customers before the issue became public. An attacker who can reach the management interface could read backup contents and stored credentials, which is often enough to unlock the rest of the environment. Researchers have published a tool that lets Nakivo customers check whether they are exposed.
Google Chrome add-ons hijacked for fraud
A potential supply chain compromise has resulted in the hijacking of 16 Chrome extensions, endangering over 3.2 million Google Chrome users. The attackers took over developer accounts and pushed malicious updates through the Chrome Web Store, which users receive automatically and silently. The injected code redirected web traffic for fraud and could steal data, modify web activity, and inject ads without users' knowledge. Google has removed the affected extensions from the store, but removal from the store does not uninstall copies already in browsers. Affected users should review chrome://extensions, remove anything they do not recognise, reset browser settings, and run trusted security software.
Scammers abuse PayPal’s “no-code checkout” feature
A new scam targets PayPal users with bogus search ads and fraudulent payment links. Scammers buy Google search ads that look like legitimate PayPal links, which is especially convincing on mobile devices where the full URL is hard to see. They abuse PayPal's "no-code checkout" feature to generate payment links through PayPal's own service, then use the text on those pages to steer victims into contacting a fake customer support number, where their personal information is harvested.