Cyware Daily Threat Intelligence, July 22, 2025

shutterstock 622791731

Daily Threat Briefing July 22, 2025

Greedy Sponge isn’t just soaking up data, it’s draining bank accounts. Active since 2021, this financially motivated threat group targets Mexican organizations using a modified AllaKore RAT and SystemBC malware to carry out fraud. Delivered via spear-phishing and drive-by downloads, the malware is geofenced to avoid exposure and now includes server-side payload delivery and secondary infections to bypass detection.

What looks like a Google Doc or Steam message may be ACRStealer in disguise. Now rebranded as AmateraStealer, this infostealer uses the Dead Drop Resolver method to communicate via legitimate services, recently adopting stronger evasion features. Ongoing updates and variants have made Amatera one of the most active and elusive stealers currently circulating.

Two bugs, one big hole. Apache Jena has been found vulnerable to critical flaws (CVE-2025-49656 and CVE-2025-50151) that allow administrators to create or access files outside intended directories, undermining system sandboxing. Though both require admin privileges, they pose serious risks in shared environments or if admin credentials are compromised. Users are urged to upgrade to version 5.5.0 to patch the flaws.

Top Malware Reported in the Last 24 Hours

Greedy Sponge targets Mexico, drops AllaKore RAT

Greedy Sponge is a financially-motivated threat group active since 2021, targeting Mexican organizations with a modified version of AllaKore RAT and SystemBC malware to conduct financial fraud. This group employs custom packaged installers delivered through spear-phishing and drive-by downloads, utilizing geofencing techniques to restrict access to their malware. Their tactics have evolved, incorporating secondary infections and server-side payload delivery to evade detection. The AllaKore RAT is a potent remote access tool capable of keylogging, taking screenshots, and remotely controlling victim devices. Greedy Sponge's infrastructure is primarily hosted in Texas, allowing them to maintain operations while focusing on stealing banking credentials and authentication tokens from various sectors, including retail, banking, and public services.

New ACRStealer variant spotted

ACRStealer is an infostealer that exploits Google Docs and Steam for C2 communications using the Dead Drop Resolver (DDR) technique. It has recently been modified with enhanced detection evasion and analysis obstruction techniques. The malware employs the Heaven’s Gate technique to evade detection and uses low-level NT functions for C2 communication, bypassing library-based monitoring. Some samples use legitimate domain names as disguise host addresses, potentially misleading monitoring tools. Recent variants have introduced random string paths for C2 communication and switched from GET to POST methods for requesting configuration data. ACRStealer has been rebranded as AmateraStealer, with ongoing updates making it one of the most active infostealer malware variants.

Top Vulnerabilities Reported in the Last 24 Hours

ExpressVPN patches bug in Windows client

ExpressVPN fixed a bug in its Windows client that allowed RDP traffic to bypass the VPN tunnel, exposing users' real IP addresses. The flaw was caused by debug code mistakenly included in production builds, affecting versions 12.97 to 12.101.0.2-beta. The flaw was caused by debug code mistakenly included in production builds, affecting versions 12.97 to 12.101.0.2-beta. The issue did not compromise encryption but allowed observers to see RDP traffic and user IPs, which should have been protected. A patch was released in version 12.101.0.45 on June 18, and ExpressVPN emphasized that the risk was low due to the limited use of RDP among typical consumers. 

Critical flaws in Apache Jena

Critical vulnerabilities in Apache Jena allow administrators to access and create files outside server directories, compromising system security. Two CVEs (CVE-2025-49656 and CVE-2025-50151) were disclosed, affecting all versions through 5.4.0; upgrading to version 5.5.0 is strongly recommended. CVE-2025-49656 enables file creation outside designated directories via the admin UI, breaking sandbox protections. CVE-2025-50151 involves improper validation of configuration file paths, allowing access to files outside application directories. Both vulnerabilities require administrative access to exploit but pose significant risks in multi-user environments or compromised admin scenarios.

Related Threat Briefings

Jul 25, 2025

Cyware Daily Threat Intelligence, July 25, 2025

A browser tweak here, a fake mod there, and suddenly your crypto wallet spills its secrets. In a new campaign, the Scavenger trojan exploits DLL Search Order Hijacking to infiltrate password managers and wallets like MetaMask, Bitwarden, and Exodus. Delivered via fake game mods and malicious sites, the trojan uses multi-stage loaders and obfuscation. Not every scam needs sophistication, sometimes all it takes is a lonely heart and a convincing profile picture. SarangTrap, a massive mobile spyware campaign, is luring victims on Android and iOS through fake dating apps. With over 250 malicious APKs and nearly 90 phishing domains, the campaign uses emotional manipulation and search engine indexing to appear credible. Fire Ant doesn’t crash through the front door, it slips in quietly, sets up shop, and rewires the building. This advanced China-linked actor is targeting VMware ESXi and vCenter servers using old vulnerabilities to establish espionage footholds. The attackers extract credentials, deploy stealthy backdoors, and tamper with logs to stay hidden.

Jul 24, 2025

Cyware Daily Threat Intelligence, July 24, 2025

Storm-2603 is slipping through SharePoint’s cracks and locking the doors behind it. The suspected China-based threat group is exploiting two SharePoint vulnerabilities to deploy Warlock ransomware. The group uses Mimikatz for credential theft and moves laterally with PsExec. At least 400 organizations have already been impacted. When your router has more holes than a sieve, it’s time to worry. Researchers uncovered several critical vulnerabilities in Weidmueller IE-SR-2TX industrial routers. These flaws allow remote attackers to gain root-level code execution, posing a significant risk to industrial networks and critical infrastructure. Chaos by name, chaos by method. A new RaaS group called Chaos is conducting high-impact ransomware campaigns through a number of tactics, using remote management tools for long-term access. Chaos supports multiple platforms and avoids politically sensitive or healthcare-related victims, offering automated control panels and individualized encryption keys per infection.

Jul 23, 2025

Cyware Daily Threat Intelligence, July 23, 2025

A trusted source turned treacherous. Hackers launched a supply chain attack on Arch Linux by slipping malware into three AUR packages. These packages silently deployed a RAT that gave attackers persistent control over infected machines. The backdoor executed during installation and remained undetected for 46 hours before Arch’s security team intervened. No login needed, just code execution. Cisco has confirmed active exploitation of three zero-day RCE flaws in its ISE. Attackers can exploit these bugs via crafted API requests to run arbitrary commands, upload malware, and escalate privileges to root - all without authentication. Mimo is getting stealthier and greedier. The financially motivated group has moved from targeting Craft CMS to Magento, exploiting PHP-FPM vulnerabilities to deploy malware via fileless techniques. Its monetization play is twofold - mining Monero through cryptojacking and running proxyjacking operations via IPRoyal Pawns. The group also targets AWS environments by probing for SSH access using hardcoded usernames.

Jul 21, 2025

Cyware Daily Threat Intelligence, July 21, 2025

Jul 18, 2025

Cyware Daily Threat Intelligence, July 18, 2025

The H2Miner botnet has resurfaced with updated scripts that mine Monero, kill rival malware, and deploy multiple malware. Bundled with it is Lcrypt0rx, a likely AI-generated ransomware that exhibits sloppy logic, malformed syntax, and weak encryption using XOR. Cisco Talos uncovered a MaaS campaign targeting Ukraine, where attackers used Amadey malware and GitHub repositories to stage payloads. The setup mimics tactics from a SmokeLoader phishing operation, with obfuscated JavaScript loaders and Emmenthal plugins helping evade detection and filter-based defenses. In a sharp postmortem from Pwn2Own Berlin, VMware patched four zero-day flaws exploited during the contest. Three high-severity bugs let attackers break out of guest VMs, while a fourth in VMware Tools leaks sensitive host info. Separately, the Scanception campaign is sneaking into inboxes via QR code phishing PDFs.

Jul 17, 2025

Cyware Daily Threat Intelligence, July 17, 2025

A persistent backdoor is giving UNC6148 quiet, long-term access to SonicWall SMA appliances. The group is using stolen credentials—and possibly a zero-day—to deploy OVERSTEP malware. It steals sensitive data, maintains stealth, and executes commands through web requests. Over 600 malicious domains are distributing fake Telegram APKs to unsuspecting users. Most are hosted in China and exploit the Janus vulnerability in Android. These APKs request broad permissions, bypass security protocols, and enable full device control. Oracle’s July 2025 patch update is a heavyweight. It includes 309 fixes across products like Communications, MySQL, Java SE, and Fusion Middleware. Of the nearly 200 CVEs addressed, 127 can be exploited remotely without authentication. An additional 20 Solaris patches target flaws with similar reach.

Jul 16, 2025

Cyware Daily Threat Intelligence, July 16, 2025

A harmless-looking app on Google Play may have a malicious twin elsewhere. A new Konfety variant uses the same package name as a legitimate app but hides the real payload in a lookalike version distributed through third-party stores. It employs obfuscation tactics to evade detection, while leveraging the CaramelAds SDK. Some malware no longer travels through links or attachments, it hides in plain text. Researchers have spotted attackers embedding payloads in DNS records, allowing malware to slip past traditional security tools. By encoding binaries as hex and retrieving them during DNS resolution, this technique avoids common detection points and delivers disruptive code without a visible trace. One sandbox escape makes five. Google patched a high-severity Chrome flaw that lets attackers break out of the browser’s sandbox using crafted HTML and unvalidated GPU commands. The update also addressed issues in V8 and WebRTC, but only CVE-2025-6558 was under active exploitation, making it the fifth Chrome zero-day of the year.

Jul 15, 2025

Cyware Daily Threat Intelligence, July 15, 2025

A quiet but deliberate campaign is now zeroing in on Southeast Asia’s trade secrets. HazyBeacon, a newly identified Windows backdoor, is targeting government entities with an eye on sensitive tariff and trade data. It uses DLL side-loading and communicates through AWS Lambda URLs, helping it blend in with legitimate cloud activity while quietly collecting targeted documents. Developers are once again in the crosshairs of North Korean threat actors. As part of the ongoing Contagious Interview campaign, attackers have pushed 67 malicious npm packages carrying XORIndex, a malware loader designed to steal browser data, crypto wallet info, and deploy Python-based backdoors. With over 17,000 downloads and manipulated package metrics, the threat is both widespread and deceptive. An invisible prompt is all it takes to turn Gemini into a phishing assistant. Attackers are exploiting Google’s Gemini AI for Workspace by hiding malicious instructions in emails using HTML and CSS. When Gemini generates a summary, it unknowingly includes phishing content redirecting users to malicious sites. Suggested defenses focus on stripping hidden content and warning users not to rely on AI summaries for security cues.

Jul 14, 2025

Cyware Daily Threat Intelligence, July 14, 2025

A silent redirect to PowerShell is the entry point for a new Interlock RAT variant. Linked to the KongTuke cluster, the PHP-based malware uses compromised websites with hidden scripts to launch system profiling and establish Cloudflare Tunnel-based C2 with fallback IPs for persistence. Users who trusted GravityForms’ official site got more than they expected. A supply chain attack injected backdoors into plugin files distributed via the official site and Composer, enabling attackers to collect WordPress environment data or more. A single HTTP header is enough to hijack vulnerable FortiWeb servers. A critical SQL injection flaw in Fortinet’s Fabric Connector, allows pre-auth RCE through unsanitized bearer tokens, with PoC exploits using MySQL queries to drop and execute malicious scripts.

Jul 11, 2025

Cyware Daily Threat Intelligence, July 11, 2025

You don’t need to visit shady corners of the internet to get infected, GitHub will do. A malware campaign is disguising Lumma Stealer as tools like Free VPN for PC, using polished project pages, Base64 payloads, and trusted Windows processes to slip past defenses. Meanwhile, MCP-based tools are facing a string of critical vulnerabilities, with CVE-2025-6514 leading the list. The flaw allows remote code execution via malicious MCP servers and affects users across platforms. Other bugs enable code injection, directory traversal, and symlink abuse. Crypto users are being lured in by fake AI and gaming firms offering too-good-to-be-true deals. A social engineering campaign is using Telegram, Discord, and spoofed social media accounts to deliver stealer malware. Attackers impersonate legit teams on GitHub and Notion, promising crypto payouts in exchange for “testing” software.

Jul 10, 2025

Cyware Daily Threat Intelligence, July 10, 2025

A fake defense official and a Google Drive link were all it took to breach a European ministry. Recent DoNot APT campaigns reveal a shift toward diplomatic espionage, using custom malware to exfiltrate data and maintain persistence through scheduled tasks and obfuscated binaries. A botnet announcing itself with Hello-World is now sweeping through Taiwan. A new scraper botnet has been using repeated GET requests across ports 80–85. Thousands of IPs are involved, with more than half traced back to Taiwanese infrastructure, hinting at regional tech compromise or shared vulnerabilities. You might not hear it, but your car’s Bluetooth could be listening. Researchers have found critical flaws in the BlueSDK stack used by major automakers, enabling remote code execution through a PerfektBlue attack. The vulnerabilities allow attackers to access call logs, record in-cabin audio, and track vehicles.

Jul 9, 2025

Cyware Daily Threat Intelligence, July 09, 2025

A PDF reader with 50,000 downloads turned out to be anything but harmless. The Anatsa banking trojan slipped back into Google Play, targeting North American users with fake maintenance screens while logging keystrokes and automating fraudulent transactions. However, the app has been pulled by Google. This month’s Patch Tuesday came with a hefty payload. Microsoft released fixes for 137 vulnerabilities, including a zero-day in SQL Server, which allowed access to uninitialized memory. Among the 14 critical issues were remote code execution bugs in SharePoint and multiple RCE and side-channel flaws affecting AMD-based systems. When a tap does more than you think, it’s probably TapTrap. Researchers have uncovered a sneaky Android exploit that uses near-invisible UI animations to trick users into approving sensitive actions. By overlaying transparent elements, TapTrap misleads users into tapping unintended buttons.