Cyware Daily Threat Intelligence, July 02, 2025


It starts with what looks like an official message from the Colombian government. Behind it is a phishing campaign delivering DCRAT, a modular remote access tool designed for theft and system control. The attack chain begins with a ZIP file containing a VBS script that downloads an obfuscated payload. DCRAT uses steganography, multi-stage execution, and evasion techniques to dig in and stay hidden, while quietly stealing data and manipulating infected systems.

That Zoom update request on Telegram? It could be a trap. North Korean actors are deploying NimDoor malware to infiltrate Web3 and crypto platforms through social engineering on Telegram. Victims are tricked into running a malicious AppleScript disguised as a Zoom SDK update, which launches Nim-compiled binaries that use techniques such as signal-based persistence, process injection, and encrypted WebSocket communication.

It only takes one crafted page to turn a browser into a backdoor. Google has patched CVE-2025-6554, a critical zero-day in Chrome’s V8 engine that was exploited in the wild to execute arbitrary code. The flaw, caused by a type confusion bug, may have been used in targeted attacks. Users across Windows, macOS, and Linux are urged to update immediately.

Top Malware Reported in the Last 24 Hours

Linux SSH servers targeted to deploy proxy

ASEC identified attacks on poorly managed Linux SSH servers with weak credentials, in which the attackers install proxy software such as TinyProxy or Sing-box and use the compromised hosts as proxy nodes. For TinyProxy, the attackers edit its configuration file so that it accepts connections from any external address, turning the server into an open proxy. Sing-box, an open-source proxy tool, is installed so that traffic can be routed through the compromised host to bypass regional restrictions on services such as ChatGPT and Netflix; in both cases the unauthorized access is used for illegal or profit-driven activity.
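A practical check for the TinyProxy half of this report is to audit the configuration file for the access-control changes an attacker would make. The following is an added example, not ASEC's code; the two configuration snippets are constructed, and the specific edits shown (an `Allow 0.0.0.0/0` line and `Listen 0.0.0.0`) are an assumption about how access would be widened, not quoted from the report. It relies on TinyProxy's documented behaviour that with no `Allow` or `Deny` directives at all the default action is to allow every client.

```python
"""Audit a tinyproxy.conf for settings that turn the host into an open proxy."""
import ipaddress

# Constructed sample resembling a stock Debian/Ubuntu tinyproxy.conf.
STOCK_CONF = """\
Port 8888
Timeout 600
Allow 127.0.0.1
Allow ::1
"""

# Constructed sample of the same file after an attacker widens access (assumed edits).
TAMPERED_CONF = """\
Port 8888
Listen 0.0.0.0
Timeout 600
# Allow 127.0.0.1
Allow 0.0.0.0/0
Allow ::/0
"""


def parse_conf(text):
    """Return {directive: [values...]} from tinyproxy.conf text, ignoring comments."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        directives.setdefault(key, []).append(value.strip())
    return directives


def allowed_networks(directives):
    """Parse Allow values as IP networks; tinyproxy also accepts hostnames, which are skipped."""
    nets = []
    for value in directives.get("Allow", []):
        try:
            nets.append(ipaddress.ip_network(value, strict=False))
        except ValueError:
            pass
    return nets


def audit(text):
    """Return a list of findings; an empty list means nothing looks like an open proxy."""
    d = parse_conf(text)
    findings = []
    if "Allow" not in d and "Deny" not in d:
        # tinyproxy: with no access-control directives present, the default action is ALLOW.
        findings.append("no Allow/Deny directives: proxy accepts any client")
    for net in allowed_networks(d):
        if net.prefixlen == 0:
            findings.append(f"Allow {net} permits every IPv{net.version} client")
        elif not net.is_private and not net.is_loopback:
            findings.append(f"Allow {net} permits a public address range")
    if any(v in ("0.0.0.0", "::") for v in d.get("Listen", [])):
        findings.append("Listen on all interfaces")
    return findings


if __name__ == "__main__":
    for name, conf in (("stock", STOCK_CONF), ("tampered", TAMPERED_CONF)):
        print(name, audit(conf) or "clean")
```

Run it against `/etc/tinyproxy/tinyproxy.conf` by reading the file into `audit()`; pair it with a check that the TinyProxy listening port is not exposed beyond the hosts that need it, since a permissive `Allow` only matters if the port is reachable.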

DCRAT poses as Colombian government 

Fortinet spotted a phishing campaign distributing DCRAT by impersonating a Colombian government entity. The malware has a modular architecture that lets attackers tailor its functionality to tasks such as data theft and system manipulation. The attack begins with a phishing email carrying a ZIP file that contains an obfuscated VBS script; when the script runs, it downloads a malicious executable. DCRAT employs several evasion techniques, including obfuscation, steganography, and multi-stage payloads. Once installed, it can steal sensitive information, alter system settings, and maintain persistence on infected machines.
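The report mentions steganography without saying how the payload is hidden. The following is an added example, not Fortinet's code, and it assumes the simplest variant seen in commodity loaders: the payload (often base64 text) is appended after the image's end marker, so ordinary viewers still render the file. It builds a tiny valid PNG in memory, appends a constructed stand-in payload, and carves it back out; the JPEG path is a heuristic that looks for the last EOI marker. All function names and sample data are constructed for this example.

```python
"""Carve data appended after the end of a PNG or JPEG image."""
import base64
import binascii
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype, body):
    """Encode one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def make_png(width=2, height=2):
    """Constructed minimal 8-bit RGB PNG, all black, used as the carrier."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    scanlines = b"".join(b"\x00" + b"\x00\x00\x00" * width for _ in range(height))
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(scanlines)) + _chunk(b"IEND", b"")


def png_end(data):
    """Offset just past the IEND chunk, or None if the data is not a well-formed PNG."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # header + data + CRC
        if ctype == b"IEND":
            return pos
    return None


def jpeg_end(data):
    """Offset just past the last EOI marker (FF D9). Heuristic: a binary trailer
    containing FF D9 would be split, but base64 or script trailers never contain it."""
    if not data.startswith(b"\xff\xd8"):
        return None
    idx = data.rfind(b"\xff\xd9")
    return None if idx < 0 else idx + 2


def trailer(data):
    """Bytes following the image proper; b'' if none, None if not PNG/JPEG."""
    end = png_end(data) if data.startswith(PNG_SIG) else jpeg_end(data)
    return None if end is None else data[end:]


def carve(data):
    """Return ('base64', decoded) or ('raw', bytes) for an appended payload, else None."""
    t = trailer(data)
    if not t:
        return None
    stripped = t.strip()
    if not stripped:
        return ("raw", t)
    try:
        return ("base64", base64.b64decode(stripped, validate=True))
    except (binascii.Error, ValueError):
        return ("raw", t)


# Constructed samples: a clean carrier and one with a fake "MZ" blob appended as base64.
CLEAN_PNG = make_png()
FAKE_PAYLOAD = b"MZ" + b"\x90" * 14  # stand-in bytes, not real malware
STEGO_PNG = CLEAN_PNG + base64.b64encode(FAKE_PAYLOAD)

if __name__ == "__main__":
    print("clean:", carve(CLEAN_PNG))
    kind, blob = carve(STEGO_PNG)
    print("stego:", kind, blob[:2], len(blob), "bytes")
```

On a real sample, feed the downloaded image into `carve()`; a non-empty trailer on an image fetched by a script is itself a strong signal, whatever the bytes turn out to be. Payloads hidden inside pixel data (LSB embedding) or between custom text markers will not be caught by this check.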

DPRK actors drop NimDoor

North Korean threat actors are leveraging a malware named NimDoor to target Web3 and cryptocurrency platforms. This campaign utilizes Nim-compiled binaries and employs advanced techniques such as process injection, encrypted WebSocket communication, and a novel persistence mechanism based on signal handling. The attack begins with social engineering through Telegram, tricking victims into executing a malicious AppleScript disguised as a Zoom SDK update. The malware comprises multiple stages, including C++ and Nim binaries that facilitate data exfiltration and long-term access. Key functionalities include stealing browser data, credentials, and Telegram user information, while using C2 servers that mimic legitimate domains.

Top Vulnerabilities Reported in the Last 24 Hours

Google patches Chrome 0-day

Google has released a security update to address a critical zero-day vulnerability in Chrome's V8 engine, identified as CVE-2025-6554, which was actively exploited in the wild. This type confusion flaw allowed remote attackers to execute arbitrary code via specially crafted HTML pages. The bug may have been used in targeted attacks, possibly by nation-state actors. Users are urged to update their Chrome browsers to versions 138.0.7204.96/.97 for Windows, 138.0.7204.92/.93 for macOS, and 138.0.7204.96 for Linux.

600K+ WordPress sites at risk

An arbitrary file deletion vulnerability was identified in the Forminator WordPress plugin, affecting versions 1.44.2 and earlier, which has over 600,000 active installations. Rated 8.8 (High) on the CVSS scale, the flaw stems from insufficient validation of which files a form submission may delete, allowing attackers to target critical files outside the uploads directory such as wp-config.php; removing that file drops the site back into its setup state, which can be leveraged for a site takeover and remote code execution. The patch restricts deletions to legitimate upload fields and ensures the target resides within the uploads directory, with added sanitization and path normalization. Site administrators are urged to update Forminator to version 1.44.3 or later.
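The patch described above combines three controls: an allowlist of upload fields, path normalization, and a check that the resolved path stays under the uploads directory. The following is an added example, not Forminator's code (which is PHP); it shows the vulnerable pattern beside the hardened one in Python, with hypothetical function names, and runs against a throwaway directory tree that stands in for a WordPress install. It goes slightly beyond the advisory by also rejecting absolute paths and, via `realpath`, symlinks that point outside the uploads directory.

```python
"""Arbitrary file deletion: unconfined delete versus a confined, field-allowlisted delete."""
import os
import tempfile


def delete_unsafe(uploads_dir, requested):
    """Vulnerable pattern: join the submitted path and delete it without confinement.
    '../' walks out of uploads_dir and an absolute path discards uploads_dir entirely."""
    target = os.path.join(uploads_dir, requested)
    if os.path.isfile(target):
        os.remove(target)
        return True
    return False


def resolve_inside(base_dir, requested):
    """Normalize the path (symlinks and '..' included) and require it to stay under base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path escapes uploads directory: {requested!r}")
    return target


def delete_safe(uploads_dir, requested, field_name, upload_fields):
    """Hardened delete: only for a genuine upload field, only inside uploads_dir."""
    if field_name not in upload_fields:
        raise PermissionError(f"{field_name!r} is not an upload field")
    target = resolve_inside(uploads_dir, requested)
    if not os.path.isfile(target):
        return False
    os.remove(target)
    return True


def demo():
    """Build a constructed WordPress-like tree and record what each variant does."""
    with tempfile.TemporaryDirectory() as root:
        uploads = os.path.join(root, "wp-content", "uploads", "forminator")
        os.makedirs(uploads)
        config = os.path.join(root, "wp-config.php")
        legit = os.path.join(uploads, "resume.pdf")
        for path in (config, legit):
            with open(path, "w") as fh:
                fh.write("constructed placeholder\n")
        fields = {"upload-1"}
        traversal = "../../../wp-config.php"  # from .../uploads/forminator up to the site root
        results = {}

        # Hardened version: refuses traversal and absolute paths, still deletes a real upload,
        # and refuses to act on behalf of a field that is not an upload field.
        for label, req in (("traversal", traversal), ("absolute", config)):
            try:
                delete_safe(uploads, req, "upload-1", fields)
                results[f"safe_blocked_{label}"] = False
            except ValueError:
                results[f"safe_blocked_{label}"] = True
        results["config_survives_safe"] = os.path.exists(config)
        results["safe_deletes_legit"] = delete_safe(uploads, "resume.pdf", "upload-1", fields)
        try:
            delete_safe(uploads, "resume.pdf", "text-1", fields)
            results["safe_rejects_non_upload_field"] = False
        except PermissionError:
            results["safe_rejects_non_upload_field"] = True

        # Vulnerable version: walks out of uploads and removes wp-config.php.
        results["unsafe_deleted_config"] = delete_unsafe(uploads, traversal)
        results["config_exists_after_unsafe"] = os.path.exists(config)
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The prefix comparison is done on `realpath` output for both sides so that a symlinked uploads directory does not cause false rejections, and `commonpath` rather than a string `startswith` is used so that a sibling directory such as `uploads-old` is not mistaken for a child of `uploads`.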
