Cyware Daily Threat Intelligence, July 04, 2025

Daily Threat Briefing • July 4, 2025

There’s a reason that app never showed up on your home screen. The IconAds fraud operation used 352 hidden-UI apps to flood ad networks with over a billion fake bid requests daily. Kaleidoscope took it further, using decoy apps to mask malicious versions distributed via third-party stores. Meanwhile, NGate and Ghost Tap abused NFC to enable remote cash theft, and Qwizzserial posed as a government app in Uzbekistan.

When routers fall, botnets rise. RondoDox is exploiting flaws in TBK DVRs and Four-Faith routers to install a Linux-based botnet that renames critical system files into nonsense strings, effectively crippling recovery efforts. It launches DDoS attacks through spoofed traffic that looks like OpenVPN or online games, making detection even harder.

Sometimes, all it takes is a single misplaced HTTP header. Three critical vulnerabilities in Apache Tomcat and Camel are under active exploitation, enabling remote code execution. One stems from mishandling PUT requests; the others from flawed case handling in headers. Over 125,000 attempts were recorded in March alone, signaling widespread attacker interest.

Top Malware Reported in the Last 24 Hours

More malicious Firefox extensions

Eight malicious Firefox extensions have emerged, exploiting user trust by impersonating popular games and stealing OAuth tokens. The threat actor, known as mre1903, has been active since 2018, employing deceptive tactics to redirect users to gambling sites and scam pages. Notable extensions include Little Alchemy 2 and 1v1.LOL, which leverage familiar game names to lure users. Additionally, GimmeGimme hijacks shopping sessions for affiliate revenue, while VPN Grab A Proxy Free employs invisible tracking techniques. The most concerning is CalSyncMaster, which steals Google Authentication tokens, granting unauthorized access to sensitive data.

Android ad fraud operations spotted

Recent investigations have revealed several massive Android fraud operations, including IconAds, Kaleidoscope, and various malware campaigns. IconAds involved 352 malicious apps that hid their icons and displayed intrusive ads, generating 1.2 billion bid requests daily before being removed from the Play Store. Kaleidoscope utilized the evil twin technique, where legitimate-looking apps served as decoys while malicious counterparts distributed through third-party stores generated fraudulent ad revenue. Additionally, malware like NGate and Ghost Tap exploited NFC technology to facilitate financial fraud, allowing attackers to withdraw cash remotely. Another significant threat is the Qwizzserial SMS stealer, which infected nearly 100,000 devices in Uzbekistan, targeting financial data through fake government apps.

New RondoDox abuses critical bugs

RondoDox is a new botnet threat that exploits two critical vulnerabilities: CVE-2024-3721 (TBK DVR models) and CVE-2024-12856 (Four-Faith router models). These vulnerabilities allow remote attackers to execute arbitrary commands. RondoDox targets various Linux architectures and disrupts critical system functions by renaming executable files to random strings, impairing system stability and recovery efforts. It connects to a C2 server for receiving instructions to launch DDoS attacks using HTTP, UDP, and TCP protocols while disguising malicious traffic as legitimate services like OpenVPN and gaming platforms.

Top Vulnerabilities Reported in the Last 24 Hours

Exploit attempts target Apache

Three critical vulnerabilities in Apache Tomcat (CVE-2025-24813) and Apache Camel (CVE-2025-27636, CVE-2025-29891) enable remote code execution (RCE), allowing attackers to hijack systems. Apache Tomcat’s flaw arises from mishandling HTTP PUT requests when partial PUT and session persistence are enabled. Affected versions range from 9.0.0.M1 to 11.0.2. Apache Camel vulnerabilities stem from improper case-sensitive HTTP header filtering, enabling attackers to inject malicious commands via misformatted headers. Unit 42 tracked 125,856 exploit attempts in March 2025.

Grafana issues critical security update

Grafana addressed four high-severity Chromium vulnerabilities (CVE-2025-5959, CVE-2025-6554, CVE-2025-6191, CVE-2025-6192) affecting the Image Renderer plugin and Synthetic Monitoring Agent. These vulnerabilities could lead to remote code execution, arbitrary memory read/write, and heap corruption through crafted HTML pages. The affected versions are Image Renderer prior to 3.12.9 and Synthetic Monitoring Agent before 0.38.3. Updated versions are available via Grafana CLI, Docker, and GitHub. Grafana Cloud and Azure Managed Grafana instances have been patched, requiring no user action for these services.

Related Threat Briefings

Jul 3, 2025

Cyware Daily Threat Intelligence, July 03, 2025

Two different names - same tactics, same tools, same playbook. Researchers have found striking overlaps between TA829 and the lesser-known UNK_GreenSec, both of which use phishing lures and REM Proxy services through compromised MikroTik routers. Victims are redirected from fake Google Drive or OneDrive pages to payloads like RomCom RAT, Metasploit, and Morpheus ransomware. They look like wallet helpers, but they’re after everything inside. More than 40 malicious Firefox extensions have been caught stealing seed phrases and wallet keys from unsuspecting crypto users. Masquerading as MetaMask, Coinbase, and Trust Wallet, these clones use tampered open-source code, fake five-star reviews, and slick branding to blend in. A single HTTP request is all it takes to bring the server down. A critical bug in Wing FTP Server allows unauthenticated remote code execution via the login confirmation endpoint. The flaw lets attackers inject Lua code into session files, enabling total takeover, even as root or SYSTEM. It affects all versions up to 7.4.3, with a fix issued in 7.4.4.

Jul 2, 2025

Cyware Daily Threat Intelligence, July 02, 2025

It starts with what looks like an official message from the Colombian government. Behind it is a phishing campaign delivering DCRAT, a modular remote access tool designed for theft and system control. The attack chain begins with a ZIP file containing a VBS script that downloads an obfuscated payload. DCRAT uses steganography, multi-stage execution, and evasion techniques to dig in and stay hidden, while quietly stealing data and manipulating infected systems. That Zoom update request on Telegram? It could be a trap. North Korean actors are deploying NimDoor malware to infiltrate Web3 and crypto platforms using social engineering via Telegram. Victims are tricked into running a fake AppleScript update that launches Nim-compiled binaries with advanced techniques like signal-based persistence, process injection, and encrypted WebSocket communication. It only takes one crafted page to turn a browser into a backdoor. Google has patched CVE-2025-6554, a critical zero-day in Chrome’s V8 engine that was exploited in the wild to execute arbitrary code. The flaw, caused by a type confusion bug, may have been used in targeted attacks. Users across Windows, macOS, and Linux are urged to update immediately.

Jun 30, 2025

Cyware Daily Threat Intelligence, June 30, 2025

Cybercriminals are sharpening their bait, whether it’s fake installers, hijacked Bluetooth connections, or internal-looking spoofed emails. A new malware campaign uncovered by Netskope is stealthily infecting victims using fake installers of popular Chinese-language software like WPS Office and Sogou to deploy a cocktail of malware, including Sainbox RAT (a Gh0stRAT variant) and a powerful rootkit. Meanwhile, Bluetooth devices from top audio brands, such as Bose, Sony, and Beyerdynamic, are under scrutiny after researchers disclosed three critical flaws in Airoha chipsets (CVE-2025-20700, CVE-2025-20701, and CVE-2025-20702). Exploiting these vulnerabilities could let attackers hijack Bluetooth connections, snoop on calls, access contacts, or even rewrite firmware for remote code execution. In a new phishing campaign flagged by Varonis, attackers are abusing Microsoft 365’s Direct Send feature to impersonate internal users and send phishing emails without ever breaching a mailbox. By exploiting the lack of authentication in Direct Send, the campaign sidesteps standard email protections like SPF and DMARC.

Jun 26, 2025

Cyware Daily Threat Intelligence, June 26, 2025

A phishing email is all it takes to breach critical infrastructure. The OneClik APT campaign is targeting energy and oil sectors using Microsoft ClickOnce to deliver a .NET loader and Golang backdoor. The malware uses AWS infrastructure to hide in plain sight, evolving through multiple variants with increasingly stealthy techniques. What do a server board, a home router, and a firewall have in common? They’re all vulnerable, and now officially on CISA’s hit list.CISA has added three exploited vulnerabilities to its KEV catalog, affecting AMI MegaRAC, D-Link DIR-859 routers, and Fortinet FortiOS. A familiar name in your WhatsApp inbox might not be who you think it is. APT42 is targeting Israeli cybersecurity experts and academics through highly personalized spear-phishing campaigns. By posing as journalists or researchers and using platforms like WhatsApp, they lure victims to phishing pages disguised as Google Meet, aiming to steal credentials. With over 100 domains linked to the campaign, the scope likely extends well beyond Israel.

Jun 25, 2025

Cyware Daily Threat Intelligence, June 25, 2025

A familiar package name could be hiding far more than useful code. North Korean actors behind the Contagious Interview campaign have published 35 malicious npm packages, including keyloggers and multi-stage malware loaders like HexEval and InvisibleFerret. By mimicking popular libraries, they’ve tricked thousands of developers into pulling in backdoors designed for cross-platform surveillance. Search results for AI tools are leading users straight into malware traps. Researchers uncovered a campaign that abuses SEO tactics to rank malicious sites for AI-related queries. These sites distribute payloads like Vidar Stealer and Lumma, wrapped in deceptive installers and ZIP files, while using obfuscation techniques like XOR encryption and browser fingerprinting to stay hidden. Even AI model frameworks aren’t immune to critical flaws. NVIDIA has patched two vulnerabilities in its Megatron-LM framework that could allow attackers to inject code or escalate privileges. The bugs, affecting the Python component, pose a serious risk to model integrity and data security if left unpatched.

Jun 24, 2025

Cyware Daily Threat Intelligence, June 24, 2025

Encrypted messaging apps aren’t immune to state-backed malware delivery. APT28 is targeting Ukrainian government entities via Signal, sharing macro-laced documents that deploy a backdoor named Covenant. Once inside, the attackers use two new malware strains - BeardShell for PowerShell execution and data exfiltration, and SlimAgent for covert screenshot capture and encryption. Some WordPress plugins are doing a lot more than extending site functionality. Researchers uncovered a long-running malware campaign that uses rogue plugins to skim credit card data, steal credentials, and manage backend systems on infected sites. The malware adapts its behavior to avoid admins, manipulates Google Ads, and hooks into WooCommerce to maintain stealth and persistence. A simple archive file could compromise your entire system. A directory traversal flaw in WinRAR, allows attackers to execute arbitrary code when users open specially crafted archive files. The vulnerability affects all Windows versions of the tool.

Jun 23, 2025

Cyware Daily Threat Intelligence, June 23, 2025

A fake Windows update might just be the start of something worse. The EvilConwi campaign is abusing ConnectWise ScreenConnect to deliver signed malware through tampered installers. Using phishing links hosted on Canva and Facebook ads, attackers lure victims into downloading infected software, leading to erratic system behavior and stealthy compromise via Authenticode stuffing. A handful of outdated routers is all it takes to build a persistent espionage network. The LapDogs campaign is targeting SOHO devices with a custom backdoor called ShortLeash, giving attackers root access and control over compromised systems. Spoofed Nginx servers and TLS certificates help mask the activity, with signs pointing to China-nexus threat actors based on the tooling and code comments. Resetting an admin password shouldn’t be this easy. A bug in the WordPress Motors theme allows attackers to hijack websites by exploiting a flaw in the password recovery function. Despite a patch, widespread inaction has led to a surge in attacks, with thousands of login takeovers and persistent backdoor accounts being reported.

Jun 20, 2025

Cyware Daily Threat Intelligence, June 20, 2025

A new Android trojan is turning devices into data-harvesting tools under attackers’ full control. Attributed to the LARVA-398 group, AntiDot has infected thousands of devices through phishing and malicious ads. Using Accessibility Services and screen recording APIs, it steals credentials, intercepts messages, and mimics app logins. A fake job offer could now come bundled with custom-built spyware. PylangGhost is targeting crypto professionals in India. Delivered through spoofed job sites, the malware includes registry tampering, remote control, and data exfiltration modules aimed at compromising Windows systems. A popular WordPress plugin is exposing sites to full takeover. It affects the AI Engine plugin, allowing privilege escalation via the MCP module in versions 2.8.0 to 2.8.3. If enabled, this feature gives even low-level users the ability to run admin-level commands - impacting over 100,000 websites and opening the door to site-wide compromise.

Jun 19, 2025

Cyware Daily Threat Intelligence, June 19, 2025

Cloud services are being quietly turned into covert attack channels. The Serpentine#Cloud campaign is abusing Cloudflare Tunnels and Python to deploy fileless malware via invoice-themed phishing lures. Using layered scripts and memory-only payloads, the attack blends into normal traffic and ensures persistence through Windows startup routines, targeting users in the U.S., the U.K, and Germany. Unsecured DVRs are once again powering a wave of botnet-driven DDoS attacks. A critical command injection flaw in TBK DVR devices is being exploited by multiple botnets to gain unauthenticated remote access. Tens of thousands of devices have been hijacked to expand large-scale attacks through malware like Mirai, Condi, and Fodcha. Weak MySQL credentials are opening the door to full system compromise. ASEC has observed ongoing campaigns targeting mismanaged Windows-based MySQL servers in Korea, where attackers use brute-force techniques to deploy malware like Gh0stRAT and XWorm. With UDF modules and remote payloads, these intrusions enable deep access and persistent control.

Jun 18, 2025

Cyware Daily Threat Intelligence, June 18, 2025

An official-looking email from the tax department may be anything but. Silver Fox APT is targeting Taiwanese users with phishing emails posing as the National Taxation Bureau, delivering malware like Winos 4.0, HoldingHands RAT, and Gh0stCringe. The attack chain uses DLL side-loading, privilege escalation, and anti-analysis techniques to evade detection and maintain access through remote desktop and file management modules. One compromised travel site is now a launchpad for infostealer infections. A new ClickFix variant, LightPerlGirl, is using fake Cloudflare CAPTCHA prompts and clipboard hijacking to deliver the Lumma infostealer. By exploiting PowerShell and personal device access, the malware could lead to broader breaches across enterprise environments. A pair of Linux vulnerabilities could give attackers root in seconds. CVE-2025-6018 and CVE-2025-6019 impact multiple major Linux distributions, enabling local users to escalate privileges via flaws in PAM and libblockdev. If chained together, the bugs allow full system compromise with minimal friction, posing a serious risk if left unpatched.

Jun 17, 2025

Cyware Daily Threat Intelligence, June 17, 2025

Langflow, an open-source AI framework, is now being weaponized in a botnet campaign. A new variant of the Flodrix botnet is exploiting a critical vulnerability in unpatched Langflow servers, allowing attackers to run arbitrary code and deploy encrypted DDoS malware. Despite a fix released in March, many systems remain exposed, and threat actors are using publicly available exploits to scale their attacks. A simple "I'm not a robot" click is being used to launch a fileless RAT. A deceptive campaign targeting German-speaking users delivers AsyncRAT via obfuscated PowerShell triggered through fake CAPTCHA prompts. The malware runs entirely in memory, establishes persistence through registry edits, and communicates with a remote C2 server on TCP port 4444—all while avoiding traditional detection methods. A zero-day in Chrome is letting attackers break out of the browser and into the system. The TaxOff (Team46) group is actively exploiting CVE-2025-2783, a flaw in Chrome’s Mojo IPC component, through phishing emails masked as event invites. Once inside, they deploy a layered backdoor called Trinper, using encryption and anti-debugging techniques to maintain control and gather intel.

Jun 16, 2025

Cyware Daily Threat Intelligence, June 16, 2025

A trusted developer platform is now a delivery system for stealthy malware. The newly uncovered threat actor Water Curse is abusing GitHub to distribute weaponized repositories aimed at cybersecurity pros, game developers, and DevOps teams. With payloads hidden in build scripts and obfuscated, the campaign enables data theft, remote access, and persistent control. Some ransomware isn’t just extorting, it’s erasing everything in its path. Anubis, a new RaaS group, adds a destructive twist with its “wipe mode,” ensuring file recovery is impossible even if a ransom is paid. With ties to the older Sphinx malware, Anubis is now offering flexible affiliate terms, data extortion, and encryption via ECIES. A critical bug is still lurking across thousands of Grafana dashboards. A client-side redirect flaw leaves over 46,000 internet-facing Grafana instances at risk of account takeovers and plugin-based attacks. Despite a patch issued in May, more than a third of deployments remain exposed.