Cyware Daily Threat Intelligence, July 23, 2025


Daily Threat Briefing July 23, 2025

A trusted source turned treacherous. Hackers launched a supply chain attack on Arch Linux by slipping malware into three AUR packages. These packages silently deployed a RAT that gave attackers persistent control over infected machines. The backdoor executed during installation and remained undetected for 46 hours before Arch’s security team intervened.

No login needed, just code execution. Cisco has confirmed active exploitation of three zero-day RCE flaws in its ISE. Attackers can exploit these bugs via crafted API requests to run arbitrary commands, upload malware, and escalate privileges to root - all without authentication.

Mimo is getting stealthier and greedier. The financially motivated group has moved from targeting Craft CMS to Magento, exploiting PHP-FPM vulnerabilities to deploy malware via fileless techniques. Its monetization play is twofold - mining Monero through cryptojacking and running proxyjacking operations via IPRoyal Pawns. The group also targets AWS environments by probing for SSH access using hardcoded usernames.

Top Malware Reported in the Last 24 Hours

Supply chain attack targets Arch Linux

Hackers executed a supply chain attack targeting Arch Linux users by injecting malicious packages into the Arch User Repository (AUR). Three compromised packages—librewolf-fix-bin, firefox-patch-bin, and zen-browser-patched-bin—were uploaded, containing a remote access trojan (RAT) that allowed attackers to gain persistent remote access to infected systems. The malware was designed to execute silently during installation, which enabled extensive system control without user awareness. The breach remained undetected for approximately 46 hours before the Arch Linux security team identified and removed the malicious packages.
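As an added defender-side check that is not part of the briefing, the script below parses the output of `pacman -Qm` (packages not from any sync repository, which is where AUR installs show up) and flags the three package names reported above. The sample output and its version strings are constructed for offline use; only the package names come from the briefing.

```python
"""Flag the three AUR package names from the briefing in a pacman foreign-package listing."""
import subprocess

# Package names taken from the briefing; versions are not reported there.
MALICIOUS_AUR_PACKAGES = frozenset({
    "librewolf-fix-bin",
    "firefox-patch-bin",
    "zen-browser-patched-bin",
})


def parse_pacman_query(output: str) -> dict[str, str]:
    """Parse `pacman -Qm` output ("name version" per line) into a name -> version map."""
    installed: dict[str, str] = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            installed[parts[0]] = parts[1]
    return installed


def find_malicious(installed: dict[str, str],
                   iocs: frozenset[str] = MALICIOUS_AUR_PACKAGES) -> list[tuple[str, str]]:
    """Return (name, version) pairs for installed packages that match the reported names."""
    return sorted((name, ver) for name, ver in installed.items() if name in iocs)


def list_foreign_packages() -> dict[str, str]:
    """Run `pacman -Qm` on a live Arch system; raises if pacman is unavailable."""
    result = subprocess.run(["pacman", "-Qm"], capture_output=True, text=True, check=True)
    return parse_pacman_query(result.stdout)


# Constructed sample of `pacman -Qm` output (one hit among ordinary AUR helpers).
SAMPLE_OUTPUT = """yay 12.3.5-1
librewolf-fix-bin 1.0-1
paru 2.0.4-1
"""

if __name__ == "__main__":
    try:
        installed = list_foreign_packages()
    except (FileNotFoundError, subprocess.CalledProcessError):
        # Not on Arch (or pacman failed): fall back to the constructed sample.
        installed = parse_pacman_query(SAMPLE_OUTPUT)
    hits = find_malicious(installed)
    if hits:
        for name, ver in hits:
            print(f"REPORTED MALICIOUS AUR PACKAGE INSTALLED: {name} {ver}")
    else:
        print("none of the reported package names are installed")
```

A hit means the install hook already ran, since the briefing notes the payload executed during installation; removing the package alone does not undo the persistence it established, so a hit should be treated as a compromised host rather than a cleanup task.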

Lumma Stealer re-emerges post takedown

Lumma Stealer, previously taken down in May 2025, has resurfaced with stealthier tactics. The takedown involved the seizure of over 2,300 domains and disruption of its infrastructure, but the malware's developer claimed servers were remotely wiped due to a vulnerability in Dell's iDRAC system. By June 2025, Lumma Stealer's activity rebounded, adopting covert strategies like reduced reliance on Cloudflare and increased use of Russian hosting providers to evade law enforcement. Attack vectors include fake software download sites using JavaScript redirection, CAPTCHA-based campaigns leveraging PowerShell scripts, and fake GitHub repositories with AI-generated content. Social media platforms are exploited to promote pirated tools, linking users to malware-hosting pages.

Malicious LNK file targets user information

A malicious LNK file disguised as a credit card security email authentication pop-up has been identified, aiming to steal user information. The LNK file executes a decoy HTML file and downloads additional malicious files, including an HTA file, DLLs, and a text file containing URLs for further downloads. A reflective loading technique is used to execute the DLL files directly in memory, making detection difficult. Three main DLL files are involved: "app" (browser infostealer), "net" (multi-platform infostealer), and "notepad.log" (backdoor with keylogging and remote shell capabilities).

Top Vulnerabilities Reported in the Last 24 Hours

Cisco ISE bugs exploited in attacks

Cisco has reported that three critical remote code execution vulnerabilities in the Cisco ISE are actively being exploited. These vulnerabilities, identified as CVE-2025-20281, CVE-2025-20282, and CVE-2025-20337, allow unauthenticated attackers to execute arbitrary commands, upload malicious files, and gain root access through specially crafted API requests. All three vulnerabilities carry a maximum severity rating with a CVSS score of 10.0, making them particularly attractive targets for hackers seeking unauthorized access to corporate networks. 

CISA adds two bugs to KEV catalog

CISA has identified two critical vulnerabilities in SysAid IT support software, CVE-2025-2775 and CVE-2025-2776, which are currently being actively exploited. Both flaws involve improper restriction of XML external entity references, allowing attackers to take over administrator accounts and access files. These vulnerabilities were addressed in SysAid's on-premises version released in March 2025. They could facilitate SSRF attacks and, when combined with a previously revealed command injection flaw, potentially lead to remote code execution. Specific details about the exploitation methods or the identities and motives of the threat actors remain unclear, but federal agencies are required to implement the necessary fixes by August 12.

Top Scams Reported in the Last 24 Hours

RFQ scams exploit vendor financing options

Request for Quote (RFQ) scammers exploit vendor financing options, such as Net 15, 30, and 45-day terms, to steal high-value goods. These fraudsters impersonate legitimate companies using stolen information like Employer Identification Numbers (EINs) and create convincing email signatures. They send requests for specific items, including electronics and medical devices, to lure victims. Once a business responds, scammers often request credit terms and provide false documentation to facilitate the shipment of goods. They utilize shipping forwarding services and residential addresses to receive stolen items, often without the knowledge of the shipping companies involved. The operation relies on a network of mules and rented warehouses to manage logistics, making it a sophisticated scheme that poses significant risks to businesses.

Threats in Spotlight

Mimo group shifts from Craft to Magento

The cybercriminal group Mimo has shifted from Craft CMS to Magento CMS, employing advanced techniques for persistence and evasion. Mimo exploits PHP-FPM vulnerabilities in Magento installations, using tools like GSocket and disguised scripts for persistence. Fileless execution via memfd_create() syscall allows malware to operate without disk storage, enhancing stealth. Docker infrastructure is targeted via misconfigured APIs, with malware propagating laterally by brute-forcing SSH access and extracting keys. Mimo employs cryptojacking (Monero mining) and proxyjacking (IPRoyal Pawns proxyware) for dual monetization strategies. Mimo targets AWS environments by attempting SSH connections using hard-coded usernames, including "ec2-user."
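The fileless execution described above leaves a visible trace: a process started from a memfd_create() descriptor has a /proc/&lt;pid&gt;/exe link that points at `/memfd:<name> (deleted)` rather than at a file on disk, and a binary unlinked after launch shows a ` (deleted)` suffix. The following scanner is an added example, not from the briefing or from any vendor tooling; it walks /proc on a live Linux host and also accepts a constructed snapshot so the classification logic can be exercised offline.

```python
"""Flag processes whose main executable is memfd-backed or has been unlinked from disk."""
import os
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProcessExe:
    pid: int
    exe_target: str  # readlink target of /proc/<pid>/exe


def classify_exe_target(target: str) -> Optional[str]:
    """Return a reason if the exe link target looks fileless, else None."""
    # A memfd-backed executable appears as "/memfd:<name> (deleted)".
    if target.startswith("/memfd:"):
        return "memfd-backed executable (memfd_create)"
    # A regular file that was unlinked after the process started.
    if target.endswith(" (deleted)"):
        return "executable unlinked from disk"
    return None


def scan_snapshot(snapshot: list[ProcessExe]) -> list[tuple[int, str, str]]:
    """Classify a list of (pid, exe target) records; returns (pid, target, reason) hits."""
    hits = []
    for proc in snapshot:
        reason = classify_exe_target(proc.exe_target)
        if reason:
            hits.append((proc.pid, proc.exe_target, reason))
    return hits


def read_proc(proc_root: str = "/proc") -> list[ProcessExe]:
    """Read /proc/<pid>/exe for every numeric entry; skips kernel threads and denied pids."""
    snapshot = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            target = os.readlink(os.path.join(proc_root, entry, "exe"))
        except (PermissionError, FileNotFoundError, ProcessLookupError):
            continue  # kernel thread, process exited, or not our process
        snapshot.append(ProcessExe(int(entry), target))
    return snapshot


# Constructed snapshot: one normal daemon, one memfd-backed process, one unlinked binary.
SAMPLE_SNAPSHOT = [
    ProcessExe(1, "/usr/lib/systemd/systemd"),
    ProcessExe(4242, "/memfd:kworker (deleted)"),
    ProcessExe(5150, "/tmp/updater (deleted)"),
]

if __name__ == "__main__":
    live = read_proc() if os.path.isdir("/proc") else SAMPLE_SNAPSHOT
    for pid, target, reason in scan_snapshot(live or SAMPLE_SNAPSHOT):
        print(f"pid {pid}: {reason}: {target}")
```

Run it as root to see every process; unprivileged runs only classify the caller's own processes. Some legitimate software also executes from memfd, so a hit is a triage candidate to pair with the other indicators in the briefing (GSocket, unexpected Monero mining or proxyware traffic), not a verdict on its own.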
