Cyware Daily Threat Intelligence, July 21, 2025

Daily Threat Briefing • July 21, 2025

A new ransomware strain named Crux, allegedly tied to the BlackByte group, has been uncovered. It gains access via RDP and abuses legitimate processes for malicious activity.

A severe vulnerability (CVE-2025-54309) in CrushFTP servers affects over 10,000 instances globally, enabling remote attackers to gain admin rights via HTTPS. The flaw stems from AS2 validation mishandling and impacts servers lacking the DMZ proxy.

PoisonSeed threat actors have devised a way to bypass FIDO key authentication using adversary-in-the-middle (AitM) phishing. By exploiting the cross-device sign-in feature, attackers trick users into scanning malicious QR codes.

Top Malware Reported in the Last 24 Hours

A new ransomware variant has been spotted

Huntress has identified a new ransomware variant named "Crux," which claims affiliation with the BlackByte ransomware group. Crux ransomware encrypts files with a .crux extension and uses ransom notes named "crux_readme_[random].txt." The ransomware employs Remote Desktop Protocol (RDP) as one of its initial access vectors and uses legitimate processes like svchost.exe and bcdedit.exe for malicious activities.

Iran-linked Spyware poses as VPN

Four new Android spyware samples linked to Iran's Ministry of Intelligence and Security (MOIS) have emerged, disguised as VPN apps, targeting WhatsApp data, audio/video recordings, and sensitive files. The spyware, attributed to the MuddyWater espionage group, reflects Iran's evolving surveillance tactics amid Middle Eastern tensions. Researchers identified these samples shortly after the Iran-Israel conflict began, with distribution methods including Telegram channels, phishing emails, and messaging apps.

Top Vulnerabilities Reported in the Last 24 Hours

New CrushFTP critical vulnerability exploited in the wild

A critical vulnerability (CVE-2025-54309) in CrushFTP servers affects at least 10,000 instances globally, allowing remote attackers to gain admin access via HTTPS. The flaw involves AS2 validation mishandling and impacts servers without the DMZ proxy feature. CrushFTP disclosed the vulnerability on July 18, assigning it a CVSS score of 9, and urged users to update to fixed versions (11.3.4_26 and 10.8.5_12).

Hackers exploit Microsoft software vulnerability

Microsoft issued an alert about "active attacks" on SharePoint server software used by businesses and government agencies for document sharing, recommending immediate security updates. The attacks, identified as "zero-day" exploits, targeted a previously unknown vulnerability in SharePoint servers, putting tens of thousands of servers at risk. SharePoint Online in Microsoft 365 (cloud-based) is not affected. Microsoft has been coordinating with global cybersecurity partners, including CISA and DOD Cyber Defense Command.

Top Scams Reported in the Last 24 Hours

FIDO keys under siege

PoisonSeed attackers have developed a method to bypass FIDO key authentication using adversary-in-the-middle (AitM) phishing attacks. These attacks exploit the cross-device sign-in feature of FIDO keys by tricking users into scanning QR codes, granting attackers access to accounts. FIDO keys, though secure, are not immune to identity-based attacks, which made up 66.2% of incidents in Q1 2025.

Related Threat Briefings

Jul 18, 2025

Cyware Daily Threat Intelligence, July 18, 2025

The H2Miner botnet has resurfaced with updated scripts that mine Monero, kill rival malware, and deploy multiple malware. Bundled with it is Lcrypt0rx, a likely AI-generated ransomware that exhibits sloppy logic, malformed syntax, and weak encryption using XOR. Cisco Talos uncovered a MaaS campaign targeting Ukraine, where attackers used Amadey malware and GitHub repositories to stage payloads. The setup mimics tactics from a SmokeLoader phishing operation, with obfuscated JavaScript loaders and Emmenthal plugins helping evade detection and filter-based defenses. In a sharp postmortem from Pwn2Own Berlin, VMware patched four zero-day flaws exploited during the contest. Three high-severity bugs let attackers break out of guest VMs, while a fourth in VMware Tools leaks sensitive host info. Separately, the Scanception campaign is sneaking into inboxes via QR code phishing PDFs.

Jul 17, 2025

Cyware Daily Threat Intelligence, July 17, 2025

A persistent backdoor is giving UNC6148 quiet, long-term access to SonicWall SMA appliances. The group is using stolen credentials—and possibly a zero-day—to deploy OVERSTEP malware. It steals sensitive data, maintains stealth, and executes commands through web requests. Over 600 malicious domains are distributing fake Telegram APKs to unsuspecting users. Most are hosted in China and exploit the Janus vulnerability in Android. These APKs request broad permissions, bypass security protocols, and enable full device control. Oracle’s July 2025 patch update is a heavyweight. It includes 309 fixes across products like Communications, MySQL, Java SE, and Fusion Middleware. Of the nearly 200 CVEs addressed, 127 can be exploited remotely without authentication. An additional 20 Solaris patches target flaws with similar reach.

Jul 16, 2025

Cyware Daily Threat Intelligence, July 16, 2025

A harmless-looking app on Google Play may have a malicious twin elsewhere. A new Konfety variant uses the same package name as a legitimate app but hides the real payload in a lookalike version distributed through third-party stores. It employs obfuscation tactics to evade detection, while leveraging the CaramelAds SDK. Some malware no longer travels through links or attachments, it hides in plain text. Researchers have spotted attackers embedding payloads in DNS records, allowing malware to slip past traditional security tools. By encoding binaries as hex and retrieving them during DNS resolution, this technique avoids common detection points and delivers disruptive code without a visible trace. One sandbox escape makes five. Google patched a high-severity Chrome flaw that lets attackers break out of the browser’s sandbox using crafted HTML and unvalidated GPU commands. The update also addressed issues in V8 and WebRTC, but only CVE-2025-6558 was under active exploitation, making it the fifth Chrome zero-day of the year.

Jul 15, 2025

Cyware Daily Threat Intelligence, July 15, 2025

A quiet but deliberate campaign is now zeroing in on Southeast Asia’s trade secrets. HazyBeacon, a newly identified Windows backdoor, is targeting government entities with an eye on sensitive tariff and trade data. It uses DLL side-loading and communicates through AWS Lambda URLs, helping it blend in with legitimate cloud activity while quietly collecting targeted documents. Developers are once again in the crosshairs of North Korean threat actors. As part of the ongoing Contagious Interview campaign, attackers have pushed 67 malicious npm packages carrying XORIndex, a malware loader designed to steal browser data, crypto wallet info, and deploy Python-based backdoors. With over 17,000 downloads and manipulated package metrics, the threat is both widespread and deceptive. An invisible prompt is all it takes to turn Gemini into a phishing assistant. Attackers are exploiting Google’s Gemini AI for Workspace by hiding malicious instructions in emails using HTML and CSS. When Gemini generates a summary, it unknowingly includes phishing content redirecting users to malicious sites. Suggested defenses focus on stripping hidden content and warning users not to rely on AI summaries for security cues.

Jul 14, 2025

Cyware Daily Threat Intelligence, July 14, 2025

A silent redirect to PowerShell is the entry point for a new Interlock RAT variant. Linked to the KongTuke cluster, the PHP-based malware uses compromised websites with hidden scripts to launch system profiling and establish Cloudflare Tunnel-based C2 with fallback IPs for persistence. Users who trusted GravityForms’ official site got more than they expected. A supply chain attack injected backdoors into plugin files distributed via the official site and Composer, enabling attackers to collect WordPress environment data or more. A single HTTP header is enough to hijack vulnerable FortiWeb servers. A critical SQL injection flaw in Fortinet’s Fabric Connector, allows pre-auth RCE through unsanitized bearer tokens, with PoC exploits using MySQL queries to drop and execute malicious scripts.

Jul 11, 2025

Cyware Daily Threat Intelligence, July 11, 2025

You don’t need to visit shady corners of the internet to get infected, GitHub will do. A malware campaign is disguising Lumma Stealer as tools like Free VPN for PC, using polished project pages, Base64 payloads, and trusted Windows processes to slip past defenses. Meanwhile, MCP-based tools are facing a string of critical vulnerabilities, with CVE-2025-6514 leading the list. The flaw allows remote code execution via malicious MCP servers and affects users across platforms. Other bugs enable code injection, directory traversal, and symlink abuse. Crypto users are being lured in by fake AI and gaming firms offering too-good-to-be-true deals. A social engineering campaign is using Telegram, Discord, and spoofed social media accounts to deliver stealer malware. Attackers impersonate legit teams on GitHub and Notion, promising crypto payouts in exchange for “testing” software.

Jul 10, 2025

Cyware Daily Threat Intelligence, July 10, 2025

A fake defense official and a Google Drive link were all it took to breach a European ministry. Recent DoNot APT campaigns reveal a shift toward diplomatic espionage, using custom malware to exfiltrate data and maintain persistence through scheduled tasks and obfuscated binaries. A botnet announcing itself with Hello-World is now sweeping through Taiwan. A new scraper botnet has been using repeated GET requests across ports 80–85. Thousands of IPs are involved, with more than half traced back to Taiwanese infrastructure, hinting at regional tech compromise or shared vulnerabilities. You might not hear it, but your car’s Bluetooth could be listening. Researchers have found critical flaws in the BlueSDK stack used by major automakers, enabling remote code execution through a PerfektBlue attack. The vulnerabilities allow attackers to access call logs, record in-cabin audio, and track vehicles.

Jul 9, 2025

Cyware Daily Threat Intelligence, July 09, 2025

A PDF reader with 50,000 downloads turned out to be anything but harmless. The Anatsa banking trojan slipped back into Google Play, targeting North American users with fake maintenance screens while logging keystrokes and automating fraudulent transactions. However, the app has been pulled by Google. This month’s Patch Tuesday came with a hefty payload. Microsoft released fixes for 137 vulnerabilities, including a zero-day in SQL Server, which allowed access to uninitialized memory. Among the 14 critical issues were remote code execution bugs in SharePoint and multiple RCE and side-channel flaws affecting AMD-based systems. When a tap does more than you think, it’s probably TapTrap. Researchers have uncovered a sneaky Android exploit that uses near-invisible UI animations to trick users into approving sensitive actions. By overlaying transparent elements, TapTrap misleads users into tapping unintended buttons.

Jul 8, 2025

Cyware Daily Threat Intelligence, July 08, 2025

A spyware campaign targeting Russian industrial firms has been quietly escalating since mid-2024. Batavia spreads through phishing emails disguised as contract requests. Later stages drop Delphi-based malware that shows fake documents while harvesting data, followed by a payload that broadens file collection and ensures persistence, with signs of a potential fourth stage. A new ransomware group named BERT is hitting victims across sectors and operating systems. Targeting both Windows and Linux, BERT launches fast, multi-threaded encryption attacks. The malware shuts down critical services and shares code similarities with REvil and Babuk, hinting at recycled tools and techniques. SAP has released patches for 27 vulnerabilities, seven of them critical. The most severe, with a CVSS score of 10.0, affects the Live Auction Cockpit in SAP SRM. Other high-impact bugs include a code injection flaw in SAP S/4HANA and insecure deserialization issues in NetWeaver. Updates also address privilege escalation flaws in the SAPCAR utility.

Jul 7, 2025

Cyware Daily Threat Intelligence, July 07, 2025

SHELLTER has gone rogue—what was once a legit security tool is now fueling infostealer campaigns with AES-128 encryption, polymorphic junk code, and sneaky call stack tricks to dodge detection. Meanwhile, Hpingbot, a Go-based botnet with a flair for innovation, uses Pastebin, hping3, and persistent tactics to do more than just DDoS—hinting at nastier payloads like ransomware or APT tools. Critical bugs are back on the menu—this time hitting low-code platforms and the Linux boot process. ScriptCase’s Production Environment module harbors two flaws (CVE-2025-47227 & CVE-2025-47228, enabling remote command execution and admin password resets, risking full server compromise, while CVE-2016-4484 in Linux lets attackers gain root access during boot by exploiting the initramfs debug shell.

Jul 4, 2025

Cyware Daily Threat Intelligence, July 04, 2025

There’s a reason that app never showed up on your home screen. The IconAds fraud operation used 352 hidden-UI apps to flood ad networks with over a billion fake bid requests daily. Kaleidoscope took it further, using decoy apps to mask malicious versions distributed via third-party stores. Meanwhile, NGate and Ghost Tap abused NFC to enable remote cash theft, and Qwizzserial posed as a government app in Uzbekistan. When routers fall, botnets rise. RondoDox is exploiting flaws in TBK DVRs and Four-Faith routers to install a Linux-based botnet that renames critical system files into nonsense strings, effectively crippling recovery efforts. It launches DDoS attacks through spoofed traffic that looks like OpenVPN or online games, making detection even harder. Sometimes, all it takes is a single misplaced HTTP header. Three critical vulnerabilities in Apache Tomcat and Camel are under active exploitation, enabling remote code execution. One stems from mishandling PUT requests; the others from flawed case handling in headers. Over 125,000 attempts were recorded in March alone, signaling widespread attacker interest.

Jul 3, 2025

Cyware Daily Threat Intelligence, July 03, 2025

Two different names - same tactics, same tools, same playbook. Researchers have found striking overlaps between TA829 and the lesser-known UNK_GreenSec, both of which use phishing lures and REM Proxy services through compromised MikroTik routers. Victims are redirected from fake Google Drive or OneDrive pages to payloads like RomCom RAT, Metasploit, and Morpheus ransomware. They look like wallet helpers, but they’re after everything inside. More than 40 malicious Firefox extensions have been caught stealing seed phrases and wallet keys from unsuspecting crypto users. Masquerading as MetaMask, Coinbase, and Trust Wallet, these clones use tampered open-source code, fake five-star reviews, and slick branding to blend in. A single HTTP request is all it takes to bring the server down. A critical bug in Wing FTP Server allows unauthenticated remote code execution via the login confirmation endpoint. The flaw lets attackers inject Lua code into session files, enabling total takeover, even as root or SYSTEM. It affects all versions up to 7.4.3, with a fix issued in 7.4.4.