Cyware Daily Threat Intelligence, July 10, 2025

Daily Threat Briefing • July 10, 2025
A fake defense official and a Google Drive link were all it took to breach a European ministry. Recent DoNot APT campaigns reveal a shift toward diplomatic espionage, using custom malware to exfiltrate data and maintain persistence through scheduled tasks and obfuscated binaries.
A botnet announcing itself with Hello-World is now sweeping through Taiwan. A new scraper botnet has been using repeated GET requests across ports 80–85. Thousands of IPs are involved, with more than half traced back to Taiwanese infrastructure, hinting at regional tech compromise or shared vulnerabilities.
You might not hear it, but your car’s Bluetooth could be listening. Researchers have found critical flaws in the BlueSDK stack used by major automakers, enabling remote code execution through a PerfektBlue attack. The vulnerabilities allow attackers to access call logs, record in-cabin audio, and track vehicles.
DoNot APT expands operations, drops malware
Recent campaigns by the DoNot APT group show an expansion of targets to European diplomatic entities, emphasizing espionage motives. The group uses custom-built Windows malware (e.g., YTY and GEdit), delivered via spear-phishing emails or malicious documents, to achieve persistent surveillance and data exfiltration. A recent campaign targeted a European foreign affairs ministry, impersonating defense officials and using a malicious Google Drive link to deliver malware. The infection chain involved executing notflog.exe, deploying batch files, and creating scheduled tasks for persistence. The malware, LoptikMod, employs obfuscation techniques such as binary string encoding and selective packing to evade detection.
New ZuRu malware strain targets devs
Cybersecurity researchers identified a new variant of ZuRu malware targeting macOS users through a trojanized Termius app, leveraging modified loaders and C2 techniques. ZuRu malware has been active since 2021, initially spreading via fake websites mimicking legitimate macOS apps like iTerm2, and later through pirated software such as Microsoft Remote Desktop for Mac. The malware employs the Khepri post-exploitation toolkit, enabling remote control, persistence, and system reconnaissance on infected hosts. It uses altered code signatures to bypass macOS security protocols. The loader checks for existing malware versions, compares MD5 hash values, and downloads updates if necessary, potentially serving as an update mechanism or integrity check. The latest variant uses trojanized helper applications instead of older Dylib injection techniques, aiming to evade detection while maintaining similar tactics for persistence and communication.
Scraper botnet identified in Taiwan
GreyNoise has identified a new variant of a scraper botnet, primarily concentrated in Taiwan, which is detectable through unique behavioral fingerprints using JA4+ signatures. This botnet operates with a simple user-agent string, "Hello-World/1.0," and exhibits a traffic pattern characterized by repeated GET requests over ports 80-85, involving over 3,600 unique IPs globally. Notably, 54% of the botnet's infrastructure originates from Taiwanese networks, followed by Japan, Bulgaria, and France. This geographical concentration suggests potential compromises in local technologies or shared vulnerabilities among users. The analysis reveals that a significant portion of the detected IPs is classified as malicious or suspicious.
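To show how the two indicators in this item (the "Hello-World/1.0" user-agent and repeated GETs spread across ports 80-85) translate into detection logic, here is an added example that is not part of the Cyware briefing or GreyNoise's tooling. It runs over constructed access-log lines in a combined-log style with the server port appended as an extra field (an assumed format, adjust the regex for your own logs) and does not attempt to reproduce the JA4+ fingerprint mentioned above.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not traffic from the GreyNoise report): combined log
# format with the server port appended after the byte count, then referrer and UA.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jul/2025:08:00:01 +0000] "GET / HTTP/1.1" 200 512 80 "-" "Hello-World/1.0"
203.0.113.10 - - [10/Jul/2025:08:00:02 +0000] "GET / HTTP/1.1" 404 0 81 "-" "Hello-World/1.0"
203.0.113.10 - - [10/Jul/2025:08:00:03 +0000] "GET / HTTP/1.1" 404 0 82 "-" "Hello-World/1.0"
203.0.113.10 - - [10/Jul/2025:08:00:04 +0000] "GET / HTTP/1.1" 404 0 85 "-" "Hello-World/1.0"
198.51.100.7 - - [10/Jul/2025:08:00:05 +0000] "GET /index.html HTTP/1.1" 200 2048 80 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jul/2025:08:00:06 +0000] "POST /login HTTP/1.1" 302 0 80 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Jul/2025:08:00:07 +0000] "GET / HTTP/1.1" 200 512 80 "-" "Hello-World/1.0"
garbage line that does not parse
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) \S+ [^"]*" \d{3} \S+ '
    r'(?P<port>\d+) "[^"]*" "(?P<ua>[^"]*)"$'
)
BOTNET_UA = "Hello-World/1.0"    # user-agent string reported by GreyNoise
SCAN_PORTS = set(range(80, 86))  # ports 80-85 inclusive

def parse_line(line):
    """Return ip/method/port/ua for a matching line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "method": m["method"], "port": int(m["port"]), "ua": m["ua"]}

def ua_indicator_hits(log_text):
    """Low-confidence tier: every source IP that presented the botnet user-agent."""
    return {r["ip"] for r in map(parse_line, log_text.splitlines())
            if r and r["ua"] == BOTNET_UA}

def detect_scraper(log_text, min_requests=3, min_ports=2):
    """High-confidence tier: repeated GETs with the botnet UA spread over ports 80-85."""
    per_ip = defaultdict(lambda: {"requests": 0, "ports": set()})
    for rec in map(parse_line, log_text.splitlines()):
        if rec is None or rec["method"] != "GET" or rec["ua"] != BOTNET_UA:
            continue
        if rec["port"] not in SCAN_PORTS:
            continue
        per_ip[rec["ip"]]["requests"] += 1
        per_ip[rec["ip"]]["ports"].add(rec["port"])
    # Only IPs that both repeat and sweep more than one port are reported as the pattern.
    return {ip: {"requests": s["requests"], "ports": sorted(s["ports"])}
            for ip, s in per_ip.items()
            if s["requests"] >= min_requests and len(s["ports"]) >= min_ports}
```

Calling `ua_indicator_hits(SAMPLE_LOG)` lists every IP worth a second look, while `detect_scraper(SAMPLE_LOG)` keeps only the host that repeated GETs across several of the 80-85 ports, which is the behavioural pattern rather than a single spoofable header.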
Hackers abuse GeoServer bug
Hackers are exploiting an unpatched GeoServer RCE vulnerability (CVE-2024-36401) to deploy cryptocurrency miners and malware. The vulnerability allows unauthorized code execution, with attacks documented globally, including campaigns targeting South Korea and Taiwanese government agencies. Bash scripts in Linux environments terminate competing CoinMiner processes, execute XMRig, and register persistence commands in Cron jobs. Attacks drain system performance, enable data theft, and facilitate further malware deployment via NetCat backdoors.
High-severity flaw in ServiceNow
Varonis identified a critical vulnerability in ServiceNow, dubbed Count(er) Strike, which allows unauthorized data exposure through enumeration techniques. This vulnerability, CVE-2025-3648, affects numerous ServiceNow solutions, enabling attackers to exploit misconfigured Access Control Lists (ACLs) and query parameters to infer sensitive information, including PII, credentials, and financial data. The ease of exploitation means that even users with minimal privileges can access restricted data. Features such as dot-walking, which lets users access related data through reference fields, and self-registration, allowing new users to create accounts without admin approval, further exacerbate the risk.
Millions of cars vulnerable to hacking
Researchers have uncovered critical vulnerabilities in the BlueSDK Bluetooth stack, potentially exposing millions of vehicles to remote hacking. These flaws enable attackers to execute remote code on car infotainment systems, allowing them to track vehicle locations, record audio from inside the car, and access phonebook data. The vulnerabilities can be exploited through a method known as the PerfektBlue attack, which has been demonstrated on recent models from manufacturers like Mercedes-Benz, Skoda, and Volkswagen. Vulnerabilities include Use-After-Free (CVE-2024-45434), improper validation (CVE-2024-45431), incorrect function termination (CVE-2024-45433), and incorrect function parameters (CVE-2024-45432).