
Cyware Daily Threat Intelligence, January 29, 2025


Daily Threat Briefing Jan 29, 2025

Cybercriminals are refining their tactics, blending deception with persistence to breach defenses. A financially motivated threat actor has been running a phishing email campaign since July 2024, targeting users in Poland and Germany. The attacks deliver payloads such as Agent Tesla, Snake Keylogger, and a new backdoor named TorNet.

Zyxel CPE Series devices are under attack as researchers report an actively exploited zero-day vulnerability. The flaw lets attackers run commands on affected devices, which can lead to system takeover, data loss, and network intrusion. Exploitation attempts, originating mostly from Taiwan, target more than 1,500 vulnerable devices exposed online, prompting urgent calls to reduce exposure of these devices while the flaw remains unpatched.

Phishing scams continue to evolve, with a new campaign using PDF documents to steal Amazon Prime credentials. Victims receive emails warning that their membership has expired, leading them to a fake Amazon login page where they unknowingly hand over personal and credit card information.

Top Malware Reported in the Last 24 Hours

PureCrypter drops Agent Tesla

A financially motivated threat actor has been running a phishing email campaign since July 2024, targeting users in Poland and Germany. The payloads include Agent Tesla, Snake Keylogger, and a new backdoor called TorNet, all delivered through the PureCrypter loader. TorNet communicates with its operators over the Tor network. The actor uses scheduled tasks on victims' computers for persistence and briefly disconnects the machine from the network while the payload is dropped, to evade detection. The phishing emails impersonate financial institutions and carry .tgz archive attachments.
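The persistence and evasion pattern described above (a scheduled task for persistence, followed by the host being taken off the network) is something a detection engineer can correlate from endpoint telemetry. The following is an added example, not code from Cisco Talos or from this briefing; it runs a simple two-stage rule over constructed records whose fields loosely mirror Windows Security Event ID 4698 (scheduled task created) and 4688 (process created). The user-writable path patterns, the disconnect command patterns and the five-minute correlation window are illustrative assumptions, since the page does not give the actor's exact paths or commands.

```python
import json
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not real events). Fields loosely mirror
# Windows Security Event ID 4698 (task created) and 4688 (process created).
SAMPLE_LOG = r"""
{"ts": "2025-01-28T09:14:02Z", "host": "WS-041", "event_id": 4688, "user": "j.kowalski", "cmd": "C:\\Windows\\System32\\notepad.exe"}
{"ts": "2025-01-28T09:15:10Z", "host": "WS-041", "event_id": 4698, "user": "j.kowalski", "task": "\\OneDriveSync", "action": "C:\\Users\\j.kowalski\\AppData\\Roaming\\svc\\upd.exe"}
{"ts": "2025-01-28T09:15:12Z", "host": "WS-041", "event_id": 4688, "user": "j.kowalski", "cmd": "powershell.exe -w hidden Disable-NetAdapter -Name Ethernet -Confirm:$false"}
{"ts": "2025-01-28T11:02:44Z", "host": "WS-077", "event_id": 4698, "user": "SYSTEM", "task": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "action": "%windir%\\system32\\defrag.exe -c -h -k -g -$"}
{"ts": "2025-01-28T13:40:00Z", "host": "WS-090", "event_id": 4688, "user": "admin", "cmd": "netsh interface set interface \"Ethernet\" admin=disable"}
"""

# Assumption: the dropped payload lives in a user-writable directory; the
# briefing does not give the path, so these patterns are illustrative.
USER_WRITABLE = re.compile(
    r"\\(AppData|Temp|ProgramData|Users\\Public)\\|%(temp|appdata|localappdata)%", re.I)

# Assumption: illustrative commands that take a Windows host off the network;
# the briefing does not say how the loader performs the disconnect.
DISCONNECT = re.compile(
    r"Disable-NetAdapter|netsh\s+interface\s+set\s+interface\b.*\badmin=disable|ipconfig\s+/release",
    re.I)

CORRELATION_WINDOW = timedelta(minutes=5)  # assumed; tune to your environment


def parse_records(text):
    """One JSON object per line -> list of dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def find_alerts(records):
    """Return alerts: 'medium' for a task whose action runs from a user-writable
    path, 'low' for a lone disconnect command, 'high' when both occur on the
    same host with the disconnect inside CORRELATION_WINDOW after the task."""
    alerts, tasks, disconnects = [], [], []
    for r in records:
        ts = datetime.strptime(r["ts"], "%Y-%m-%dT%H:%M:%SZ")
        if r["event_id"] == 4698 and USER_WRITABLE.search(r["action"]):
            tasks.append((ts, r))
            alerts.append({"severity": "medium", "host": r["host"],
                           "reason": f"scheduled task {r['task']} runs {r['action']}"})
        elif r["event_id"] == 4688 and DISCONNECT.search(r["cmd"]):
            disconnects.append((ts, r))
            alerts.append({"severity": "low", "host": r["host"],
                           "reason": f"network disconnect command: {r['cmd']}"})
    for tts, t in tasks:
        for dts, d in disconnects:
            delta = dts - tts
            if t["host"] == d["host"] and timedelta(0) <= delta <= CORRELATION_WINDOW:
                alerts.append({"severity": "high", "host": t["host"],
                               "reason": (f"task {t['task']} created by {t['user']} followed by "
                                          f"network disconnect {int(delta.total_seconds())}s later")})
    return alerts


if __name__ == "__main__":
    for a in find_alerts(parse_records(SAMPLE_LOG)):
        print(a["severity"].upper(), a["host"], a["reason"])
```

Either stage alone is noisy (administrators disable adapters, and plenty of legitimate software schedules tasks from AppData); the value is in the correlation, which is why the high-severity alert requires both events on the same host within the window.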

Lynx RaaS now has an affiliate program

The Lynx RaaS group has built a well-organized platform with a structured affiliate program and strong encryption. The affiliate panel has sections such as "News," "Companies," "Chats," "Stuffers," and "Leaks" that let affiliates manage victim profiles and generate ransomware samples with little effort. Affiliates keep 80% of the ransom, run the negotiations, and control the ransom wallet. Lynx ships an "All-in-One Archive" with Windows, Linux, and ESXi builds, so affiliates can hit mixed environments. The group has introduced several encryption modes ("fast," "medium," "slow," and "entire," which differ in how much of each file is encrypted) and uses established primitives such as Curve25519 (the curve25519-donna implementation) and AES-128.

Top Vulnerabilities Reported in the Last 24 Hours

OAuth redirect vulnerability exposes millions

Salt Labs discovered an account takeover vulnerability in a popular online travel service integrated with several commercial airlines. By sending a victim a manipulated link, an attacker could take over the victim's account and act as that user, for example booking hotels and car rentals with the victim's loyalty points. The flaw put millions of airline users at risk; following coordinated disclosure, the service has fixed it.
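The "manipulated link" in redirect-based account takeovers typically abuses a return or callback URL parameter that the login flow trusts too readily. The block below is an added example, not code from Salt Labs or from the affected service, and the host names in it are hypothetical. It puts a naive prefix check next to a strict parser-based check and runs both over constructed payloads of the kind an attacker would try.

```python
from typing import Optional
from urllib.parse import urlsplit

# Hypothetical allowlist of the relying party's own callback hosts; the
# briefing does not name the service or its domains.
ALLOWED_HOSTS = {"booking.example-travel.test"}
DEFAULT_LANDING = "/account"


def is_safe_redirect_naive(url: str) -> bool:
    """The weak check: a string-prefix test on the expected origin."""
    return url.startswith("https://booking.example-travel.test")


def is_safe_redirect(url: str) -> bool:
    """Strict check: parse the URL and compare scheme, host and port exactly."""
    # Backslashes and control characters are parsed differently by browsers
    # and server-side parsers, so reject them outright.
    if "\\" in url or any(ord(c) < 0x20 for c in url):
        return False
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    if parts.scheme != "https":
        return False
    if parts.username is not None or parts.password is not None:
        return False  # "trusted-host@attacker" userinfo trick
    if parts.hostname not in ALLOWED_HOSTS:
        return False  # hostname is already lowercased by urlsplit
    if port not in (None, 443):
        return False
    return True


def resolve_return_url(requested: Optional[str]) -> str:
    """Where the login flow sends the browser after the token exchange."""
    if requested and is_safe_redirect(requested):
        return requested
    return DEFAULT_LANDING


# Constructed test inputs, not taken from the Salt Labs report.
PAYLOADS = {
    "https://booking.example-travel.test/cb?code=x": "legitimate",
    "https://BOOKING.example-travel.test/cb": "legitimate, upper-case host",
    "https://booking.example-travel.test.attacker.test/cb": "host suffix trick",
    "https://booking.example-travel.test@attacker.test/cb": "userinfo trick",
    "https://booking.example-travel.test:8443/cb": "port mismatch",
    "https://booking.example-travel.test\\@attacker.test/cb": "backslash trick",
    "//attacker.test/cb": "scheme-relative",
    "javascript:alert(1)": "javascript scheme",
}

if __name__ == "__main__":
    for url, label in PAYLOADS.items():
        print(f"{label:28} naive={is_safe_redirect_naive(url)!s:5} "
              f"strict={is_safe_redirect(url)}")
```

The naive check accepts the suffix, userinfo and port variants because they all start with the expected string; the strict check rejects them because it compares the parsed host and port, not the text. Falling back to a fixed landing page rather than echoing the rejected value is the other half of the fix.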

Flaw in VMware Avi Load Balancer

Broadcom has warned of a high-severity flaw in VMware Avi Load Balancer, tracked as CVE-2025-22217: an unauthenticated blind SQL injection with a CVSS score of 8.6. The bug affects several versions of the product and could let a malicious actor with network access obtain access to the database. There are no workarounds; users are advised to update to a fixed version.

Active exploitation of unpatched Zyxel flaw

Security researchers are warning that a critical zero-day vulnerability in Zyxel CPE Series devices, CVE-2024-40891, is being actively exploited. It allows attackers to run commands on affected devices, which could lead to full device compromise, data loss, or network breaches. Attacks have been observed from many IP addresses, most of them in Taiwan, and more than 1,500 vulnerable devices are exposed online.

Top Scams Reported in the Last 24 Hours

Phishing campaign uses malicious Amazon PDFs

Researchers are warning of a phishing campaign that uses PDF documents claiming that the recipient's Amazon Prime membership has expired. Victims receive emails linking to PDFs, which redirect them to fake Amazon pages that ask for personal and credit card information. Palo Alto Networks Unit 42 found 31 such PDF files linked to phishing sites, mainly hosted on duckdns[.]org subdomains. The researchers stress that users should stay alert to suspicious emails and learn how to recognize phishing attempts.
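PDF lures of this kind carry their redirect as a /URI action on a link annotation, so a mail gateway or triage script can pull the targets out of the raw bytes and flag hosts on dynamic-DNS services such as duckdns.org, or hosts that merely look like the impersonated brand. The following is an added example, not code from Unit 42; the three-link PDF is constructed here and is not one of the 31 samples, and treating amazon.com as the only legitimate brand domain is an illustrative simplification.

```python
import re
from urllib.parse import urlsplit

# Constructed minimal PDF with three /Link annotations (not a real sample).
# Link 1 points at a dynamic-DNS host, link 2 at Amazon's real domain and
# link 3 (written as a PDF hex string) at a brand-lookalike host.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R 5 0 R 6 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]
           /A << /S /URI /URI (https://prime-renew-7721.duckdns.org/login) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [72 650 300 670]
           /A << /S /URI /URI (https://www.amazon.com/gp/help) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /Rect [72 600 300 620]
           /A << /S /URI /URI <687474703a2f2f616d617a6f6e2d7072696d652d62696c6c696e672e6578616d706c652d686f73742e746573742f766572696679> >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Matches "/URI (literal string)" or "/URI <hex string>".
URI_RE = re.compile(rb"/URI\s*(?:\((?P<lit>(?:\\.|[^\\)])*)\)|<(?P<hex>[0-9A-Fa-f\s]*)>)")

DYNAMIC_DNS_SUFFIXES = ("duckdns.org",)  # the one named on the page; extend as needed
BRAND = "amazon"
BRAND_DOMAINS = ("amazon.com",)  # assumption: illustrative, Amazon uses many more


def _unescape(lit: bytes) -> bytes:
    """Undo PDF string escapes \\( \\) \\\\ ; octal escapes are left as-is."""
    return re.sub(rb"\\(.)", rb"\1", lit)


def extract_uris(pdf: bytes) -> list:
    """Return every /URI action target found in the raw PDF bytes.
    Caveat: links inside compressed object streams would need inflating first."""
    uris = []
    for m in URI_RE.finditer(pdf):
        if m.group("lit") is not None:
            raw = _unescape(m.group("lit"))
        else:
            raw = bytes.fromhex(m.group("hex").decode("ascii"))
        uris.append(raw.decode("utf-8", "replace"))
    return uris


def _under(host: str, suffix: str) -> bool:
    return host == suffix or host.endswith("." + suffix)


def classify(url: str) -> list:
    """Reasons a link target looks suspicious; empty list means nothing flagged."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if any(_under(host, s) for s in DYNAMIC_DNS_SUFFIXES):
        reasons.append("dynamic-dns host")
    if BRAND in host and not any(_under(host, d) for d in BRAND_DOMAINS):
        reasons.append("brand lookalike host")
    if parts.scheme == "http":
        reasons.append("plain http")
    return reasons


def scan_pdf(pdf: bytes) -> list:
    """List of (url, reasons) pairs for every link target in the document."""
    return [(u, classify(u)) for u in extract_uris(pdf)]


if __name__ == "__main__":
    for url, reasons in scan_pdf(SAMPLE_PDF):
        print("FLAG" if reasons else "ok  ", url, ", ".join(reasons))
```

Checking the host as a registrable-domain suffix (host equals the suffix or ends with a dot plus the suffix) rather than with a substring test avoids both missing `foo.duckdns.org` and falsely matching `duckdns.org.example`.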
