Cyware Daily Threat Intelligence, July 04, 2025

Daily Threat Briefing • July 4, 2025

There’s a reason that app never showed up on your home screen. The IconAds fraud operation used 352 hidden-UI apps to flood ad networks with over a billion fake bid requests daily. Kaleidoscope took it further, using decoy apps to mask malicious versions distributed via third-party stores. Meanwhile, NGate and Ghost Tap abused NFC to enable remote cash theft, and Qwizzserial posed as a government app in Uzbekistan.

When routers fall, botnets rise. RondoDox is exploiting flaws in TBK DVRs and Four-Faith routers to install a Linux-based botnet that renames critical system files into nonsense strings, effectively crippling recovery efforts. It launches DDoS attacks through spoofed traffic that looks like OpenVPN or online games, making detection even harder.

Sometimes, all it takes is a single misplaced HTTP header. Three critical vulnerabilities in Apache Tomcat and Camel are under active exploitation, enabling remote code execution. One stems from mishandling PUT requests; the others from flawed case handling in headers. Over 125,000 attempts were recorded in March alone, signaling widespread attacker interest.

Top Malware Reported in the Last 24 Hours

More malicious Firefox extensions

Eight malicious Firefox extensions have emerged, exploiting user trust by impersonating popular games and stealing OAuth tokens. The threat actor, known as mre1903, has been active since 2018, employing deceptive tactics to redirect users to gambling sites and scam pages. Notable extensions include Little Alchemy 2 and 1v1.LOL, which leverage familiar game names to lure users. Additionally, GimmeGimme hijacks shopping sessions for affiliate revenue, while VPN Grab A Proxy Free employs invisible tracking techniques. The most concerning is CalSyncMaster, which steals Google Authentication tokens, granting unauthorized access to sensitive data.

Android ad fraud operations spotted

Recent investigations have revealed several massive Android fraud operations, including IconAds, Kaleidoscope, and various malware campaigns. IconAds involved 352 malicious apps that hid their icons and displayed intrusive ads, generating 1.2 billion bid requests daily before being removed from the Play Store. Kaleidoscope utilized the evil twin technique, where legitimate-looking apps served as decoys while malicious counterparts distributed through third-party stores generated fraudulent ad revenue. Additionally, malware like NGate and Ghost Tap exploited NFC technology to facilitate financial fraud, allowing attackers to withdraw cash remotely. Another significant threat is the Qwizzserial SMS stealer, which infected nearly 100,000 devices in Uzbekistan, targeting financial data through fake government apps.

New RondoDox abuses critical bugs

RondoDox is a new botnet threat that exploits two critical vulnerabilities: CVE-2024-3721 (TBK DVR models) and CVE-2024-12856 (Four-Faith router models). These vulnerabilities allow remote attackers to execute arbitrary commands. RondoDox targets various Linux architectures and disrupts critical system functions by renaming executable files to random strings, impairing system stability and recovery efforts. It connects to a C2 server for receiving instructions to launch DDoS attacks using HTTP, UDP, and TCP protocols while disguising malicious traffic as legitimate services like OpenVPN and gaming platforms.

Top Vulnerabilities Reported in the Last 24 Hours

Exploit attempts target Apache

Three critical vulnerabilities in Apache Tomcat (CVE-2025-24813) and Apache Camel (CVE-2025-27636, CVE-2025-29891) enable remote code execution (RCE), allowing attackers to hijack systems. Apache Tomcat’s flaw arises from mishandling HTTP PUT requests when partial PUT and session persistence are enabled. Affected versions range from 9.0.0.M1 to 11.0.2. Apache Camel vulnerabilities stem from improper case-sensitive HTTP header filtering, enabling attackers to inject malicious commands via misformatted headers. Unit 42 tracked 125,856 exploit attempts in March 2025.

Grafana issues critical security update

Grafana addressed four high-severity Chromium vulnerabilities (CVE-2025-5959, CVE-2025-6554, CVE-2025-6191, CVE-2025-6192) affecting the Image Renderer plugin and Synthetic Monitoring Agent. These vulnerabilities could lead to remote code execution, arbitrary memory read/write, and heap corruption through crafted HTML pages. The affected versions are Image Renderer prior to 3.12.9 and Synthetic Monitoring Agent before 0.38.3. Updated versions are available via Grafana CLI, Docker, and GitHub. Grafana Cloud and Azure Managed Grafana instances have been patched, requiring no user action for these services.

Related Threat Briefings

Jul 18, 2025

Cyware Daily Threat Intelligence, July 18, 2025

The H2Miner botnet has resurfaced with updated scripts that mine Monero, kill rival malware, and deploy multiple malware. Bundled with it is Lcrypt0rx, a likely AI-generated ransomware that exhibits sloppy logic, malformed syntax, and weak encryption using XOR. Cisco Talos uncovered a MaaS campaign targeting Ukraine, where attackers used Amadey malware and GitHub repositories to stage payloads. The setup mimics tactics from a SmokeLoader phishing operation, with obfuscated JavaScript loaders and Emmenthal plugins helping evade detection and filter-based defenses. In a sharp postmortem from Pwn2Own Berlin, VMware patched four zero-day flaws exploited during the contest. Three high-severity bugs let attackers break out of guest VMs, while a fourth in VMware Tools leaks sensitive host info. Separately, the Scanception campaign is sneaking into inboxes via QR code phishing PDFs.

Jul 17, 2025

Cyware Daily Threat Intelligence, July 17, 2025

A persistent backdoor is giving UNC6148 quiet, long-term access to SonicWall SMA appliances. The group is using stolen credentials—and possibly a zero-day—to deploy OVERSTEP malware. It steals sensitive data, maintains stealth, and executes commands through web requests. Over 600 malicious domains are distributing fake Telegram APKs to unsuspecting users. Most are hosted in China and exploit the Janus vulnerability in Android. These APKs request broad permissions, bypass security protocols, and enable full device control. Oracle’s July 2025 patch update is a heavyweight. It includes 309 fixes across products like Communications, MySQL, Java SE, and Fusion Middleware. Of the nearly 200 CVEs addressed, 127 can be exploited remotely without authentication. An additional 20 Solaris patches target flaws with similar reach.

Jul 16, 2025

Cyware Daily Threat Intelligence, July 16, 2025

A harmless-looking app on Google Play may have a malicious twin elsewhere. A new Konfety variant uses the same package name as a legitimate app but hides the real payload in a lookalike version distributed through third-party stores. It employs obfuscation tactics to evade detection, while leveraging the CaramelAds SDK. Some malware no longer travels through links or attachments, it hides in plain text. Researchers have spotted attackers embedding payloads in DNS records, allowing malware to slip past traditional security tools. By encoding binaries as hex and retrieving them during DNS resolution, this technique avoids common detection points and delivers disruptive code without a visible trace. One sandbox escape makes five. Google patched a high-severity Chrome flaw that lets attackers break out of the browser’s sandbox using crafted HTML and unvalidated GPU commands. The update also addressed issues in V8 and WebRTC, but only CVE-2025-6558 was under active exploitation, making it the fifth Chrome zero-day of the year.

Jul 15, 2025

Cyware Daily Threat Intelligence, July 15, 2025

A quiet but deliberate campaign is now zeroing in on Southeast Asia’s trade secrets. HazyBeacon, a newly identified Windows backdoor, is targeting government entities with an eye on sensitive tariff and trade data. It uses DLL side-loading and communicates through AWS Lambda URLs, helping it blend in with legitimate cloud activity while quietly collecting targeted documents. Developers are once again in the crosshairs of North Korean threat actors. As part of the ongoing Contagious Interview campaign, attackers have pushed 67 malicious npm packages carrying XORIndex, a malware loader designed to steal browser data, crypto wallet info, and deploy Python-based backdoors. With over 17,000 downloads and manipulated package metrics, the threat is both widespread and deceptive. An invisible prompt is all it takes to turn Gemini into a phishing assistant. Attackers are exploiting Google’s Gemini AI for Workspace by hiding malicious instructions in emails using HTML and CSS. When Gemini generates a summary, it unknowingly includes phishing content redirecting users to malicious sites. Suggested defenses focus on stripping hidden content and warning users not to rely on AI summaries for security cues.

Jul 14, 2025

Cyware Daily Threat Intelligence, July 14, 2025

A silent redirect to PowerShell is the entry point for a new Interlock RAT variant. Linked to the KongTuke cluster, the PHP-based malware uses compromised websites with hidden scripts to launch system profiling and establish Cloudflare Tunnel-based C2 with fallback IPs for persistence. Users who trusted GravityForms’ official site got more than they expected. A supply chain attack injected backdoors into plugin files distributed via the official site and Composer, enabling attackers to collect WordPress environment data or more. A single HTTP header is enough to hijack vulnerable FortiWeb servers. A critical SQL injection flaw in Fortinet’s Fabric Connector, allows pre-auth RCE through unsanitized bearer tokens, with PoC exploits using MySQL queries to drop and execute malicious scripts.

Jul 11, 2025

Cyware Daily Threat Intelligence, July 11, 2025

You don’t need to visit shady corners of the internet to get infected, GitHub will do. A malware campaign is disguising Lumma Stealer as tools like Free VPN for PC, using polished project pages, Base64 payloads, and trusted Windows processes to slip past defenses. Meanwhile, MCP-based tools are facing a string of critical vulnerabilities, with CVE-2025-6514 leading the list. The flaw allows remote code execution via malicious MCP servers and affects users across platforms. Other bugs enable code injection, directory traversal, and symlink abuse. Crypto users are being lured in by fake AI and gaming firms offering too-good-to-be-true deals. A social engineering campaign is using Telegram, Discord, and spoofed social media accounts to deliver stealer malware. Attackers impersonate legit teams on GitHub and Notion, promising crypto payouts in exchange for “testing” software.

Jul 10, 2025

Cyware Daily Threat Intelligence, July 10, 2025

A fake defense official and a Google Drive link were all it took to breach a European ministry. Recent DoNot APT campaigns reveal a shift toward diplomatic espionage, using custom malware to exfiltrate data and maintain persistence through scheduled tasks and obfuscated binaries. A botnet announcing itself with Hello-World is now sweeping through Taiwan. A new scraper botnet has been using repeated GET requests across ports 80–85. Thousands of IPs are involved, with more than half traced back to Taiwanese infrastructure, hinting at regional tech compromise or shared vulnerabilities. You might not hear it, but your car’s Bluetooth could be listening. Researchers have found critical flaws in the BlueSDK stack used by major automakers, enabling remote code execution through a PerfektBlue attack. The vulnerabilities allow attackers to access call logs, record in-cabin audio, and track vehicles.

Jul 9, 2025

Cyware Daily Threat Intelligence, July 09, 2025

A PDF reader with 50,000 downloads turned out to be anything but harmless. The Anatsa banking trojan slipped back into Google Play, targeting North American users with fake maintenance screens while logging keystrokes and automating fraudulent transactions. However, the app has been pulled by Google. This month’s Patch Tuesday came with a hefty payload. Microsoft released fixes for 137 vulnerabilities, including a zero-day in SQL Server, which allowed access to uninitialized memory. Among the 14 critical issues were remote code execution bugs in SharePoint and multiple RCE and side-channel flaws affecting AMD-based systems. When a tap does more than you think, it’s probably TapTrap. Researchers have uncovered a sneaky Android exploit that uses near-invisible UI animations to trick users into approving sensitive actions. By overlaying transparent elements, TapTrap misleads users into tapping unintended buttons.

Jul 8, 2025

Cyware Daily Threat Intelligence, July 08, 2025

A spyware campaign targeting Russian industrial firms has been quietly escalating since mid-2024. Batavia spreads through phishing emails disguised as contract requests. Later stages drop Delphi-based malware that shows fake documents while harvesting data, followed by a payload that broadens file collection and ensures persistence, with signs of a potential fourth stage. A new ransomware group named BERT is hitting victims across sectors and operating systems. Targeting both Windows and Linux, BERT launches fast, multi-threaded encryption attacks. The malware shuts down critical services and shares code similarities with REvil and Babuk, hinting at recycled tools and techniques. SAP has released patches for 27 vulnerabilities, seven of them critical. The most severe, with a CVSS score of 10.0, affects the Live Auction Cockpit in SAP SRM. Other high-impact bugs include a code injection flaw in SAP S/4HANA and insecure deserialization issues in NetWeaver. Updates also address privilege escalation flaws in the SAPCAR utility.

Jul 7, 2025

Cyware Daily Threat Intelligence, July 07, 2025

SHELLTER has gone rogue—what was once a legit security tool is now fueling infostealer campaigns with AES-128 encryption, polymorphic junk code, and sneaky call stack tricks to dodge detection. Meanwhile, Hpingbot, a Go-based botnet with a flair for innovation, uses Pastebin, hping3, and persistent tactics to do more than just DDoS—hinting at nastier payloads like ransomware or APT tools. Critical bugs are back on the menu—this time hitting low-code platforms and the Linux boot process. ScriptCase’s Production Environment module harbors two flaws (CVE-2025-47227 & CVE-2025-47228, enabling remote command execution and admin password resets, risking full server compromise, while CVE-2016-4484 in Linux lets attackers gain root access during boot by exploiting the initramfs debug shell.

Jul 3, 2025

Cyware Daily Threat Intelligence, July 03, 2025

Two different names - same tactics, same tools, same playbook. Researchers have found striking overlaps between TA829 and the lesser-known UNK_GreenSec, both of which use phishing lures and REM Proxy services through compromised MikroTik routers. Victims are redirected from fake Google Drive or OneDrive pages to payloads like RomCom RAT, Metasploit, and Morpheus ransomware. They look like wallet helpers, but they’re after everything inside. More than 40 malicious Firefox extensions have been caught stealing seed phrases and wallet keys from unsuspecting crypto users. Masquerading as MetaMask, Coinbase, and Trust Wallet, these clones use tampered open-source code, fake five-star reviews, and slick branding to blend in. A single HTTP request is all it takes to bring the server down. A critical bug in Wing FTP Server allows unauthenticated remote code execution via the login confirmation endpoint. The flaw lets attackers inject Lua code into session files, enabling total takeover, even as root or SYSTEM. It affects all versions up to 7.4.3, with a fix issued in 7.4.4.

Jul 2, 2025

Cyware Daily Threat Intelligence, July 02, 2025

It starts with what looks like an official message from the Colombian government. Behind it is a phishing campaign delivering DCRAT, a modular remote access tool designed for theft and system control. The attack chain begins with a ZIP file containing a VBS script that downloads an obfuscated payload. DCRAT uses steganography, multi-stage execution, and evasion techniques to dig in and stay hidden, while quietly stealing data and manipulating infected systems. That Zoom update request on Telegram? It could be a trap. North Korean actors are deploying NimDoor malware to infiltrate Web3 and crypto platforms using social engineering via Telegram. Victims are tricked into running a fake AppleScript update that launches Nim-compiled binaries with advanced techniques like signal-based persistence, process injection, and encrypted WebSocket communication. It only takes one crafted page to turn a browser into a backdoor. Google has patched CVE-2025-6554, a critical zero-day in Chrome’s V8 engine that was exploited in the wild to execute arbitrary code. The flaw, caused by a type confusion bug, may have been used in targeted attacks. Users across Windows, macOS, and Linux are urged to update immediately.