Cyware Daily Threat Intelligence, July 04, 2025

Daily Threat Briefing • July 4, 2025
There’s a reason that app never showed up on your home screen. The IconAds fraud operation used 352 hidden-UI apps to flood ad networks with over a billion fake bid requests daily. Kaleidoscope took it further, using decoy apps to mask malicious versions distributed via third-party stores. Meanwhile, NGate and Ghost Tap abused NFC to enable remote cash theft, and Qwizzserial posed as a government app in Uzbekistan.
When routers fall, botnets rise. RondoDox is exploiting flaws in TBK DVRs and Four-Faith routers to install a Linux-based botnet that renames critical system files to nonsense strings, effectively crippling recovery efforts. It launches DDoS attacks through spoofed traffic that looks like OpenVPN or online games, making detection even harder.
Sometimes, all it takes is a single misplaced HTTP header. Three critical vulnerabilities in Apache Tomcat and Camel are under active exploitation, enabling remote code execution. One stems from mishandling PUT requests; the others from flawed case handling in headers. Over 125,000 attempts were recorded in March alone, signaling widespread attacker interest.
More malicious Firefox extensions
Eight malicious Firefox extensions have emerged, exploiting user trust by impersonating popular games and stealing OAuth tokens. The threat actor, known as mre1903, has been active since 2018, employing deceptive tactics to redirect users to gambling sites and scam pages. Notable extensions include Little Alchemy 2 and 1v1.LOL, which leverage familiar game names to lure users. Additionally, GimmeGimme hijacks shopping sessions for affiliate revenue, while VPN Grab A Proxy Free employs invisible tracking techniques. The most concerning is CalSyncMaster, which steals Google Authentication tokens, granting unauthorized access to sensitive data.
Android ad fraud operations spotted
Recent investigations have revealed several massive Android fraud operations, including IconAds, Kaleidoscope, and various malware campaigns. IconAds involved 352 malicious apps that hid their icons and displayed intrusive ads, generating 1.2 billion bid requests daily before being removed from the Play Store. Kaleidoscope utilized the evil twin technique, where legitimate-looking apps served as decoys while malicious counterparts distributed through third-party stores generated fraudulent ad revenue. Additionally, malware like NGate and Ghost Tap exploited NFC technology to facilitate financial fraud, allowing attackers to withdraw cash remotely. Another significant threat is the Qwizzserial SMS stealer, which infected nearly 100,000 devices in Uzbekistan, targeting financial data through fake government apps.
New RondoDox abuses critical bugs
RondoDox is a new botnet threat that exploits two critical vulnerabilities: CVE-2024-3721 (TBK DVR models) and CVE-2024-12856 (Four-Faith router models). Both vulnerabilities allow remote attackers to execute arbitrary commands. RondoDox targets various Linux architectures and disrupts critical system functions by renaming executable files to random strings, impairing system stability and recovery efforts. It connects to a C2 server to receive instructions to launch DDoS attacks over HTTP, UDP, and TCP while disguising malicious traffic as legitimate services such as OpenVPN and gaming platforms.
Exploit attempts target Apache
Three critical vulnerabilities in Apache Tomcat (CVE-2025-24813) and Apache Camel (CVE-2025-27636, CVE-2025-29891) enable remote code execution (RCE), allowing attackers to hijack systems. Apache Tomcat’s flaw arises from mishandling HTTP PUT requests when partial PUT and session persistence are enabled; affected Tomcat versions range from 9.0.0.M1 to 11.0.2. The Apache Camel vulnerabilities stem from improper case-sensitive HTTP header filtering, enabling attackers to inject malicious commands via misformatted headers. Unit 42 tracked 125,856 exploit attempts in March 2025.
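The Camel issue above is a filtering failure mode worth seeing side by side: a header-name denylist compared case-sensitively versus one that normalises first, plus a detection pass over log lines for names that only match after lower-casing. This is an added example, not Camel's code; the blocked prefixes, header names and log format are constructed for illustration.

```python
"""Added illustration of the header-filtering failure mode attributed above to
the Apache Camel CVEs: a header-name denylist compared case-sensitively lets
through a name that differs only in letter case. This is not Camel's code;
the blocked prefixes, header names and log lines are constructed examples."""
from typing import Dict, Iterable, List

# Hypothetical prefixes of headers that must never be accepted from a client.
BLOCKED_PREFIXES = ("Camel", "org.apache.camel")
_BLOCKED_LOWER = tuple(p.lower() for p in BLOCKED_PREFIXES)


def filter_headers_weak(headers: Dict[str, str]) -> Dict[str, str]:
    """Case-sensitive denylist: only an exact-case prefix match is dropped."""
    return {name: value for name, value in headers.items()
            if not name.startswith(BLOCKED_PREFIXES)}


def filter_headers_hardened(headers: Dict[str, str]) -> Dict[str, str]:
    """HTTP header names are case-insensitive (RFC 9110 section 5.1), so the
    name is lower-cased before the prefix comparison."""
    return {name: value for name, value in headers.items()
            if not name.lower().startswith(_BLOCKED_LOWER)}


def is_case_evasion(name: str) -> bool:
    """True when a header name slips past the weak filter but would be
    blocked by the hardened one, i.e. it matches only after normalisation."""
    return (not name.startswith(BLOCKED_PREFIXES)
            and name.lower().startswith(_BLOCKED_LOWER))


def find_case_evasions(log_lines: Iterable[str]) -> List[str]:
    """Detection pass over constructed access-log lines of the form
    '<client> <method> <path> hdr=<Header-Name>[ hdr=...]', returning
    every header name that only matches the denylist after lower-casing."""
    hits: List[str] = []
    for line in log_lines:
        for token in line.split():
            if token.startswith("hdr=") and is_case_evasion(token[4:]):
                hits.append(token[4:])
    return hits


if __name__ == "__main__":
    # Constructed request: the second header evades the weak filter only.
    request = {"Host": "svc.internal", "CAmelInternal": "x", "CamelInternal": "y"}
    print(sorted(filter_headers_weak(request)))      # ['CAmelInternal', 'Host']
    print(sorted(filter_headers_hardened(request)))  # ['Host']
    sample_log = ["10.0.0.5 POST /api hdr=Host hdr=CAMELFoo",
                  "10.0.0.6 GET /api hdr=Host hdr=Accept"]
    print(find_case_evasions(sample_log))            # ['CAMELFoo']
```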
Grafana issues critical security update
Grafana addressed four high-severity Chromium vulnerabilities (CVE-2025-5959, CVE-2025-6554, CVE-2025-6191, CVE-2025-6192) affecting the Image Renderer plugin and Synthetic Monitoring Agent. These vulnerabilities could lead to remote code execution, arbitrary memory read/write, and heap corruption through crafted HTML pages. The affected versions are Image Renderer prior to 3.12.9 and Synthetic Monitoring Agent before 0.38.3. Updated versions are available via Grafana CLI, Docker, and GitHub. Grafana Cloud and Azure Managed Grafana instances have been patched, requiring no user action for these services.