Cyware Daily Threat Intelligence, July 09, 2025

Daily Threat Briefing • July 9, 2025

A PDF reader with 50,000 downloads turned out to be anything but harmless. The Anatsa banking trojan slipped back into Google Play, targeting North American users with fake maintenance screens while logging keystrokes and automating fraudulent transactions. However, the app has been pulled by Google.

This month’s Patch Tuesday came with a hefty payload. Microsoft released fixes for 137 vulnerabilities, including a zero-day in SQL Server, which allowed access to uninitialized memory. Among the 14 critical issues were remote code execution bugs in SharePoint and multiple RCE and side-channel flaws affecting AMD-based systems.

When a tap does more than you think, it’s probably TapTrap. Researchers have uncovered a sneaky Android exploit that uses near-invisible UI animations to trick users into approving sensitive actions. By overlaying transparent elements, TapTrap misleads users into tapping unintended buttons.

Top Malware Reported in the Last 24 Hours

Iranian ransomware group reemerges

An Iranian ransomware-as-a-service group, linked to Tehran's Pioneer Kitten, has resurfaced after a five-year hiatus, offering affiliates 80% profits for targeting US and Israeli organizations. The updated malware, Pay2Key.I2P, incorporates Mimic ransomware capabilities and operates via the I2P network for anonymity. The group emphasizes anonymity to bypass ceasefire restrictions and continues cyberattacks despite geopolitical tensions. The malware was updated to target Linux systems, further incentivizing attacks against U.S. and Israeli targets.

Anatsa trojan sneaks into Google Play

Anatsa, a banking trojan, has once again infiltrated Google Play, disguised as a PDF viewer app that garnered over 50,000 downloads. Once installed, the malware activates and targets North American banking applications by displaying deceptive messages about scheduled maintenance, which obscures its malicious activities like keylogging and unauthorized transactions. The latest app, Document Viewer – File Reader, was removed by Google, following its detection of the trojan, which had been active between June 24 and 30, shortly after its release. The malware can execute keylogging, automate transactions, and steal sensitive information.

Multiple malicious Chrome extensions spotted

Researchers discovered nearly a dozen malicious Chrome extensions with 1.7 million downloads that track users, steal browser activity, and redirect to unsafe web addresses. These extensions pose as legitimate tools like color pickers, VPNs, volume boosters, and emoji keyboards, with many verified and highly rated on the Chrome Web Store. Malicious functionality is embedded in the background service worker of the extensions, capturing visited URLs and exfiltrating data to remote servers, potentially enabling cyberattacks. The malicious code was introduced via updates after the extensions were initially safe, possibly due to hijacking by external actors. Similar malicious extensions were found in the Microsoft Edge store, infecting over 600,000 users, bringing the total affected across browsers to 2.3 million.

Top Vulnerabilities Reported in the Last 24 Hours

Microsoft Patch Tuesday July 2025

Microsoft released security updates for 137 flaws, including one publicly disclosed zero-day vulnerability in Microsoft SQL Server. The updates addressed 14 critical vulnerabilities, including 10 remote code execution flaws, one information disclosure issue, and two AMD side-channel attack vulnerabilities. The zero-day vulnerability (CVE-2025-49719) in Microsoft SQL Server allows remote attackers to access uninitialized memory due to improper input validation. Microsoft SharePoint's critical RCE vulnerability (CVE-2025-49704) enables remote exploitation by authenticated users.

New Android TapTrap attack exploits permissions

Researchers have developed a novel Android exploit called TapTrap, which uses invisible UI animations to bypass permissions and trick users into performing risky actions. TapTrap works by launching a transparent activity over a malicious app, creating a visual mismatch between what users see and the actions registered by the system. The exploit leverages custom low-opacity animations to make risky prompts nearly invisible, increasing the likelihood of accidental user interaction. TapTrap remains unmitigated in Android 15 and 16, exposing devices unless animations are disabled via developer options or accessibility settings.

July 2025 Patch Tuesday ICS security advisories

Siemens, Schneider Electric, and Phoenix Contact released ICS security advisories for July 2025 Patch Tuesday, addressing vulnerabilities in ICS and OT. Siemens addressed critical flaws in products like Sinec NMS, TIA Administrator, and Ruggedcom ROS, among others, which could lead to privilege escalation, code execution, and denial-of-service (DoS) attacks. Schneider Electric disclosed vulnerabilities in EcoStruxure IT Data Center Expert and other products, including issues enabling remote code execution, privilege escalation, and sensitive data exposure. Phoenix Contact revealed critical vulnerabilities in PLCnext firmware and Charx EV charging controllers, allowing DoS conditions, unauthorized access, and privilege escalation.

Related Threat Briefings

Jul 10, 2025

Cyware Daily Threat Intelligence, July 10, 2025

A fake defense official and a Google Drive link were all it took to breach a European ministry. Recent DoNot APT campaigns reveal a shift toward diplomatic espionage, using custom malware to exfiltrate data and maintain persistence through scheduled tasks and obfuscated binaries. A botnet announcing itself with Hello-World is now sweeping through Taiwan. A new scraper botnet has been using repeated GET requests across ports 80–85. Thousands of IPs are involved, with more than half traced back to Taiwanese infrastructure, hinting at regional tech compromise or shared vulnerabilities. You might not hear it, but your car’s Bluetooth could be listening. Researchers have found critical flaws in the BlueSDK stack used by major automakers, enabling remote code execution through a PerfektBlue attack. The vulnerabilities allow attackers to access call logs, record in-cabin audio, and track vehicles.

Jul 8, 2025

Cyware Daily Threat Intelligence, July 08, 2025

A spyware campaign targeting Russian industrial firms has been quietly escalating since mid-2024. Batavia spreads through phishing emails disguised as contract requests. Later stages drop Delphi-based malware that shows fake documents while harvesting data, followed by a payload that broadens file collection and ensures persistence, with signs of a potential fourth stage. A new ransomware group named BERT is hitting victims across sectors and operating systems. Targeting both Windows and Linux, BERT launches fast, multi-threaded encryption attacks. The malware shuts down critical services and shares code similarities with REvil and Babuk, hinting at recycled tools and techniques. SAP has released patches for 27 vulnerabilities, seven of them critical. The most severe, with a CVSS score of 10.0, affects the Live Auction Cockpit in SAP SRM. Other high-impact bugs include a code injection flaw in SAP S/4HANA and insecure deserialization issues in NetWeaver. Updates also address privilege escalation flaws in the SAPCAR utility.

Jul 7, 2025

Cyware Daily Threat Intelligence, July 07, 2025

SHELLTER has gone rogue—what was once a legit security tool is now fueling infostealer campaigns with AES-128 encryption, polymorphic junk code, and sneaky call stack tricks to dodge detection. Meanwhile, Hpingbot, a Go-based botnet with a flair for innovation, uses Pastebin, hping3, and persistent tactics to do more than just DDoS—hinting at nastier payloads like ransomware or APT tools. Critical bugs are back on the menu—this time hitting low-code platforms and the Linux boot process. ScriptCase’s Production Environment module harbors two flaws (CVE-2025-47227 & CVE-2025-47228, enabling remote command execution and admin password resets, risking full server compromise, while CVE-2016-4484 in Linux lets attackers gain root access during boot by exploiting the initramfs debug shell.

Jul 4, 2025

Cyware Daily Threat Intelligence, July 04, 2025

There’s a reason that app never showed up on your home screen. The IconAds fraud operation used 352 hidden-UI apps to flood ad networks with over a billion fake bid requests daily. Kaleidoscope took it further, using decoy apps to mask malicious versions distributed via third-party stores. Meanwhile, NGate and Ghost Tap abused NFC to enable remote cash theft, and Qwizzserial posed as a government app in Uzbekistan. When routers fall, botnets rise. RondoDox is exploiting flaws in TBK DVRs and Four-Faith routers to install a Linux-based botnet that renames critical system files into nonsense strings, effectively crippling recovery efforts. It launches DDoS attacks through spoofed traffic that looks like OpenVPN or online games, making detection even harder. Sometimes, all it takes is a single misplaced HTTP header. Three critical vulnerabilities in Apache Tomcat and Camel are under active exploitation, enabling remote code execution. One stems from mishandling PUT requests; the others from flawed case handling in headers. Over 125,000 attempts were recorded in March alone, signaling widespread attacker interest.

Jul 3, 2025

Cyware Daily Threat Intelligence, July 03, 2025

Two different names - same tactics, same tools, same playbook. Researchers have found striking overlaps between TA829 and the lesser-known UNK_GreenSec, both of which use phishing lures and REM Proxy services through compromised MikroTik routers. Victims are redirected from fake Google Drive or OneDrive pages to payloads like RomCom RAT, Metasploit, and Morpheus ransomware. They look like wallet helpers, but they’re after everything inside. More than 40 malicious Firefox extensions have been caught stealing seed phrases and wallet keys from unsuspecting crypto users. Masquerading as MetaMask, Coinbase, and Trust Wallet, these clones use tampered open-source code, fake five-star reviews, and slick branding to blend in. A single HTTP request is all it takes to bring the server down. A critical bug in Wing FTP Server allows unauthenticated remote code execution via the login confirmation endpoint. The flaw lets attackers inject Lua code into session files, enabling total takeover, even as root or SYSTEM. It affects all versions up to 7.4.3, with a fix issued in 7.4.4.

Jul 2, 2025

Cyware Daily Threat Intelligence, July 02, 2025

It starts with what looks like an official message from the Colombian government. Behind it is a phishing campaign delivering DCRAT, a modular remote access tool designed for theft and system control. The attack chain begins with a ZIP file containing a VBS script that downloads an obfuscated payload. DCRAT uses steganography, multi-stage execution, and evasion techniques to dig in and stay hidden, while quietly stealing data and manipulating infected systems. That Zoom update request on Telegram? It could be a trap. North Korean actors are deploying NimDoor malware to infiltrate Web3 and crypto platforms using social engineering via Telegram. Victims are tricked into running a fake AppleScript update that launches Nim-compiled binaries with advanced techniques like signal-based persistence, process injection, and encrypted WebSocket communication. It only takes one crafted page to turn a browser into a backdoor. Google has patched CVE-2025-6554, a critical zero-day in Chrome’s V8 engine that was exploited in the wild to execute arbitrary code. The flaw, caused by a type confusion bug, may have been used in targeted attacks. Users across Windows, macOS, and Linux are urged to update immediately.

Jun 30, 2025

Cyware Daily Threat Intelligence, June 30, 2025

Cybercriminals are sharpening their bait, whether it’s fake installers, hijacked Bluetooth connections, or internal-looking spoofed emails. A new malware campaign uncovered by Netskope is stealthily infecting victims using fake installers of popular Chinese-language software like WPS Office and Sogou to deploy a cocktail of malware, including Sainbox RAT (a Gh0stRAT variant) and a powerful rootkit. Meanwhile, Bluetooth devices from top audio brands, such as Bose, Sony, and Beyerdynamic, are under scrutiny after researchers disclosed three critical flaws in Airoha chipsets (CVE-2025-20700, CVE-2025-20701, and CVE-2025-20702). Exploiting these vulnerabilities could let attackers hijack Bluetooth connections, snoop on calls, access contacts, or even rewrite firmware for remote code execution. In a new phishing campaign flagged by Varonis, attackers are abusing Microsoft 365’s Direct Send feature to impersonate internal users and send phishing emails without ever breaching a mailbox. By exploiting the lack of authentication in Direct Send, the campaign sidesteps standard email protections like SPF and DMARC.

Jun 26, 2025

Cyware Daily Threat Intelligence, June 26, 2025

A phishing email is all it takes to breach critical infrastructure. The OneClik APT campaign is targeting energy and oil sectors using Microsoft ClickOnce to deliver a .NET loader and Golang backdoor. The malware uses AWS infrastructure to hide in plain sight, evolving through multiple variants with increasingly stealthy techniques. What do a server board, a home router, and a firewall have in common? They’re all vulnerable, and now officially on CISA’s hit list.CISA has added three exploited vulnerabilities to its KEV catalog, affecting AMI MegaRAC, D-Link DIR-859 routers, and Fortinet FortiOS. A familiar name in your WhatsApp inbox might not be who you think it is. APT42 is targeting Israeli cybersecurity experts and academics through highly personalized spear-phishing campaigns. By posing as journalists or researchers and using platforms like WhatsApp, they lure victims to phishing pages disguised as Google Meet, aiming to steal credentials. With over 100 domains linked to the campaign, the scope likely extends well beyond Israel.

Jun 25, 2025

Cyware Daily Threat Intelligence, June 25, 2025

A familiar package name could be hiding far more than useful code. North Korean actors behind the Contagious Interview campaign have published 35 malicious npm packages, including keyloggers and multi-stage malware loaders like HexEval and InvisibleFerret. By mimicking popular libraries, they’ve tricked thousands of developers into pulling in backdoors designed for cross-platform surveillance. Search results for AI tools are leading users straight into malware traps. Researchers uncovered a campaign that abuses SEO tactics to rank malicious sites for AI-related queries. These sites distribute payloads like Vidar Stealer and Lumma, wrapped in deceptive installers and ZIP files, while using obfuscation techniques like XOR encryption and browser fingerprinting to stay hidden. Even AI model frameworks aren’t immune to critical flaws. NVIDIA has patched two vulnerabilities in its Megatron-LM framework that could allow attackers to inject code or escalate privileges. The bugs, affecting the Python component, pose a serious risk to model integrity and data security if left unpatched.

Jun 24, 2025

Cyware Daily Threat Intelligence, June 24, 2025

Encrypted messaging apps aren’t immune to state-backed malware delivery. APT28 is targeting Ukrainian government entities via Signal, sharing macro-laced documents that deploy a backdoor named Covenant. Once inside, the attackers use two new malware strains - BeardShell for PowerShell execution and data exfiltration, and SlimAgent for covert screenshot capture and encryption. Some WordPress plugins are doing a lot more than extending site functionality. Researchers uncovered a long-running malware campaign that uses rogue plugins to skim credit card data, steal credentials, and manage backend systems on infected sites. The malware adapts its behavior to avoid admins, manipulates Google Ads, and hooks into WooCommerce to maintain stealth and persistence. A simple archive file could compromise your entire system. A directory traversal flaw in WinRAR, allows attackers to execute arbitrary code when users open specially crafted archive files. The vulnerability affects all Windows versions of the tool.

Jun 23, 2025

Cyware Daily Threat Intelligence, June 23, 2025

A fake Windows update might just be the start of something worse. The EvilConwi campaign is abusing ConnectWise ScreenConnect to deliver signed malware through tampered installers. Using phishing links hosted on Canva and Facebook ads, attackers lure victims into downloading infected software, leading to erratic system behavior and stealthy compromise via Authenticode stuffing. A handful of outdated routers is all it takes to build a persistent espionage network. The LapDogs campaign is targeting SOHO devices with a custom backdoor called ShortLeash, giving attackers root access and control over compromised systems. Spoofed Nginx servers and TLS certificates help mask the activity, with signs pointing to China-nexus threat actors based on the tooling and code comments. Resetting an admin password shouldn’t be this easy. A bug in the WordPress Motors theme allows attackers to hijack websites by exploiting a flaw in the password recovery function. Despite a patch, widespread inaction has led to a surge in attacks, with thousands of login takeovers and persistent backdoor accounts being reported.

Jun 20, 2025

Cyware Daily Threat Intelligence, June 20, 2025

A new Android trojan is turning devices into data-harvesting tools under attackers’ full control. Attributed to the LARVA-398 group, AntiDot has infected thousands of devices through phishing and malicious ads. Using Accessibility Services and screen recording APIs, it steals credentials, intercepts messages, and mimics app logins. A fake job offer could now come bundled with custom-built spyware. PylangGhost is targeting crypto professionals in India. Delivered through spoofed job sites, the malware includes registry tampering, remote control, and data exfiltration modules aimed at compromising Windows systems. A popular WordPress plugin is exposing sites to full takeover. It affects the AI Engine plugin, allowing privilege escalation via the MCP module in versions 2.8.0 to 2.8.3. If enabled, this feature gives even low-level users the ability to run admin-level commands - impacting over 100,000 websites and opening the door to site-wide compromise.