Cyware Daily Threat Intelligence, July 23, 2025

shutterstock 1953964036

Daily Threat Briefing July 23, 2025

A trusted source turned treacherous. Hackers launched a supply chain attack on Arch Linux by slipping malware into three AUR packages. These packages silently deployed a RAT that gave attackers persistent control over infected machines. The backdoor executed during installation and remained undetected for 46 hours before Arch’s security team intervened.

No login needed, just code execution. Cisco has confirmed active exploitation of three zero-day RCE flaws in its ISE. Attackers can exploit these bugs via crafted API requests to run arbitrary commands, upload malware, and escalate privileges to root - all without authentication. Mimo is getting stealthier and greedier. The financially motivated group has moved from targeting Craft CMS to Magento, exploiting PHP-FPM vulnerabilities to deploy malware via fileless techniques. Its monetization play is twofold - mining Monero through cryptojacking and running proxyjacking operations via IPRoyal Pawns. The group also targets AWS environments by probing for SSH access using hardcoded usernames.

Top Malware Reported in the Last 24 Hours

Supply chain attack targets Arch Linux

Hackers executed a supply chain attack targeting Arch Linux users by injecting malicious packages into the Arch User Repository (AUR). Three compromised packages—librewolf-fix-bin, firefox-patch-bin, and zen-browser-patched-bin—were uploaded, containing RAT that allowed attackers to gain persistent remote access to infected systems. The malware was designed to execute silently during installation, which enabled extensive system control without user awareness. The breach remained undetected for approximately 46 hours before the Arch Linux security team identified and removed the malicious packages. 

Lumma Stealer re-emerges post takedown

Lumma Stealer, previously taken down in May 2025, has resurfaced with stealthier tactics. The takedown involved the seizure of over 2,300 domains and disruption of its infrastructure, but the malware's developer claimed servers were remotely wiped due to a vulnerability in Dell's IDRAC system. By June 2025, Lumma Stealer's activity rebounded, adopting covert strategies like reduced reliance on Cloudflare and increased use of Russian hosting providers to evade law enforcement. Attack vectors include fake software download sites using JavaScript redirection, CAPTCHA-based campaigns leveraging PowerShell scripts, and fake GitHub repositories with AI-generated content. Social media platforms are exploited to promote pirated tools, linking users to malware-hosting pages.

Malicious LNK file targets user information

A malicious LNK file disguised as a credit card security email authentication pop-up has been identified, aiming to steal user information. The LNK file executes a decoy HTML file and downloads additional malicious files, including an HTA file, DLLs, and a text file containing URLs for further downloads. The Reflective technique is used to execute DLL files directly in memory, making detection difficult. Three main DLL files are involved: "app" (browser infostealer), "net" (multi-platform infostealer), and "notepad.log" (backdoor with keylogging and remote shell capabilities).

Top Vulnerabilities Reported in the Last 24 Hours

Cisco ISE bugs exploited in attacks

Cisco has reported that three critical remote code execution vulnerabilities in the Cisco ISE are actively being exploited. These vulnerabilities, identified as CVE-2025-20281, CVE-2025-20282, and CVE-2025-20337, allow unauthenticated attackers to execute arbitrary commands, upload malicious files, and gain root access through specially crafted API requests. All three vulnerabilities carry a maximum severity rating with a CVSS score of 10.0, making them particularly attractive targets for hackers seeking unauthorized access to corporate networks. 

CISA adds two bugs to KEV catalog

CISA has identified two critical vulnerabilities in SysAid IT support software, CVE-2025-2775 and CVE-2025-2776, which are currently being actively exploited. Both flaws involve improper restrictions of XML external entity references, allowing attackers to take over administrator accounts and access files. These vulnerabilities were addressed in SysAid's on-premise version released in March 2025. They could facilitate SSRF attacks and, when combined with a previously revealed command injection flaw, potentially lead to remote code execution. Specific details about the exploitation methods or the identities and motives of the threat actors remain unclear, but federal agencies are required to implement necessary fixes by August 12.

Top Scams Reported in the Last 24 Hours

RFQ scams exploit vendor financing options

Request for Quote (RFQ) scammers exploit vendor financing options, such as Net 15, 30, and 45-day terms, to steal high-value goods. These fraudsters impersonate legitimate companies using stolen information like Employer Identification Numbers (EINs) and create convincing email signatures. They send requests for specific items, including electronics and medical devices, to lure victims. Once a business responds, scammers often request credit terms and provide false documentation to facilitate the shipment of goods. They utilize shipping forwarding services and residential addresses to receive stolen items, often without the knowledge of the shipping companies involved. The operation relies on a network of mules and rented warehouses to manage logistics, making it a sophisticated scheme that poses significant risks to businesses.

Threats in Spotlight

Mimo group shifts from Craft to Magento

The cybercriminal group Mimo has shifted from Craft CMS to Magento CMS, employing advanced techniques for persistence and evasion. Mimo exploits PHP-FPM vulnerabilities in Magento installations, using tools like GSocket and disguised scripts for persistence. Fileless execution via memfd_create() syscall allows malware to operate without disk storage, enhancing stealth. Docker infrastructure is targeted via misconfigured APIs, with malware propagating laterally by brute-forcing SSH access and extracting keys. Mimo employs cryptojacking (Monero mining) and proxyjacking (IPRoyal Pawns proxyware) for dual monetization strategies. Mimo targets AWS environments by attempting SSH connections using hard-coded usernames, including "ec2-user."

Related Threat Briefings

Aug 7, 2025

Cyware Daily Threat Intelligence, August 07, 2025

Lazarus Group is back with a cunning new Python-based RAT, PyLangGhost, targeting tech and finance sectors with a fresh twist. Using fake job interviews and deceptive error prompts, attackers trick developers and executives into running scripts that grant remote access. A sneaky flaw in Amazon’s ECS, dubbed ECScape, is opening the door to privilege escalation in shared cloud environments. By exploiting an undocumented internal protocol and metadata service, low-privileged containers can steal IAM credentials from higher-privileged tasks on the same EC2 instance. Ghost Calls, a new evasion tactic, is turning Zoom and Microsoft Teams into covert channels for malicious activity, slipping past traditional defenses with ease. This tactic exploits TURN servers to tunnel C2 traffic disguised as legitimate WebRTC video conferencing data.

Aug 6, 2025

Cyware Daily Threat Intelligence, August 06, 2025

Phishing emails disguised as court summons are delivering a malicious payload to Ukrainian government and defense sectors, courtesy of UAC-0099. These attacks use shortened URLs to deploy HTA files that execute obfuscated VB scripts, installing malware like MATCHBOIL, MATCHWOK, and DRAGSTARE. The CISA is sounding the alarm on three actively exploited vulnerabilities in D-Link Wi-Fi cameras and video recorders, now added to its KEV catalog. These flaws, with severity scores up to 8.8, include a remote password disclosure issue, an authenticated command injection vulnerability, and an unpatched code execution flaw tied to end-of-life models. A critical set of flaws dubbed ReVault is exposing over 100 Dell laptop models to devastating firmware attacks. Affecting the ControlVault3 firmware in Latitude and Precision series, these vulnerabilities allow attackers with physical access to bypass Windows login, execute arbitrary code, and install persistent malware that survives system reinstalls.

Aug 5, 2025

Cyware Daily Threat Intelligence, August 05, 2025

A stealthy Python-based PXA Stealer is sweeping across 62 countries, pilfering sensitive data from unsuspecting victims. This infostealer campaign has exfiltrated hundreds of thousands of passwords and more. Using sideloading tricks with legitimate software, it targets browsers, cryptocurrency wallets, and financial sites, posing a severe threat to users and organizations alike. ClickTok is luring TikTok Shop users into a trap with a crafty blend of phishing and malware. This global campaign deploys over 10,000 fake TikTok websites and 5,000 malicious apps, impersonating TikTok’s e-commerce platforms to steal cryptocurrency wallet credentials. Trojanized apps laced with SparkKitty spyware snatch sensitive data, making this a sophisticated scam targeting digital shoppers. Google’s August 2025 Android security update is a critical shield against newly discovered vulnerabilities threatening millions of devices. Addressing six flaws, the update also patches high-severity Android framework bugs and issues in Arm and Qualcomm components. With two patch levels rolled out, manufacturers are now racing to deploy fixes to keep users secure.

Aug 4, 2025

Cyware Daily Threat Intelligence, August 04, 2025

Akira ransomware is striking with surgical precision, exploiting a suspected zero-day flaw in SonicWall SSL VPN devices, even those fully patched. Since mid-July 2025, attackers have used Virtual Private Server logins to bypass MFA, hitting multiple targets in rapid succession. A cunning Android RAT, PlayPraetor, is sweeping through six countries, already compromising over 11,000 devices with its deceptive tactics. Masquerading as legitimate apps via fake Google Play Store pages and Meta Ads, it exploits accessibility services to overlay phishing screens on nearly 200 banking and crypto apps. MediaTek chipsets powering smartphones and IoT devices are vulnerable to new flaws that could expose millions of users. These issues, affecting a wide range of Android devices, allow attackers to escalate privileges or execute malicious code. With some exploits requiring no user interaction, unpatched systems face significant risks, urging immediate updates.

Aug 1, 2025

Cyware Daily Threat Intelligence, August 01, 2025

In a move straight out of a spy novel, Russian state hackers have been caught red-handed targeting embassies in Moscow with a sophisticated cyberespionage campaign. Known as Secret Blizzard, these attackers wielded the ApolloShadow malware to manipulate system certificates and disguise their activities as trusted applications. A critical flaw in PostgreSQL's pg_dump utility has left databases vulnerable to a race condition attack, potentially handing attackers superuser privileges. This TOCTOU vulnerability impacts multiple PostgreSQL versions, allowing those with sufficient privileges to execute arbitrary SQL commands during the dump process. Cybercriminals are donning digital disguises, impersonating trusted enterprises with fake Microsoft OAuth applications to steal credentials and bypass multi-factor authentication. Proofpoint uncovered campaigns redirecting users to phishing URLs through OAuth apps mimicking services like RingCentral, DocuSign, and Adobe. A newly discovered cyberattack technique, dubbed Man in the Prompt, is turning browser extensions into unwitting accomplices in data theft from generative AI tools. By exploiting DOM access, malicious extensions can intercept and manipulate interactions with platforms like ChatGPT and Google Gemini - no elevated permissions required.

Jul 31, 2025

Cyware Daily Threat Intelligence, July 31, 2025

With a cunning pivot, the North Korean Lazarus Group has flooded npm and PyPI with over 200 malicious packages, potentially compromising 36,000 developers. Mimicking legitimate libraries, these packages deploy multi-stage attacks to steal secrets and target DevOps-heavy organizations, risking intellectual property theft and reputational damage through compromised build pipelines. A critical chink in Lenovo’s armor has exposed Secure Boot vulnerabilities in its IdeaCentre AIO 3 and Yoga AIO series desktops. Six flaws in the Insyde UEFI firmware allow local attackers to execute arbitrary code via SMM exploits, potentially implanting undetectable malware, with firmware updates already available for some models. Apple’s latest security updates have fortified its ecosystem against a barrage of vulnerabilities across iOS, iPadOS, macOS, watchOS, tvOS, and visionOS. Addressing over 90 issues in macOS Sequoia alone, the patches tackle memory corruption, privilege escalation, and WebKit flaws, while enhancing privacy protections for microphone and camera access across devices.

Jul 30, 2025

Cyware Daily Threat Intelligence, July 30, 2025

In a stealthy strike, hackers exploited a critical SAP NetWeaver flaw to deploy the Auto-Color Linux malware. This malware, equipped with a rootkit and adaptive evasion tactics, adjusts its behavior based on user privileges and goes dormant in sandboxes, drawing attention from ransomware groups and state-sponsored actors. A subtle misstep in the AI-powered Base44 platform exposed private applications to unauthorized access through easily discoverable “app_id” values. By bypassing SSO and authentication controls, the flaw posed a significant risk but was swiftly patched within 24 hours of discovery. Sophisticated nation-state actors, possibly Liminal Panda, have set their sights on Southwest Asia’s telecom networks with a complex attack campaign. Identified as CL-STA-0969, this threat cluster leverages custom tools and exploits vulnerabilities to maintain persistent access with high operational security.

Jul 29, 2025

Cyware Daily Threat Intelligence, July 29, 2025

A stealthy Android banking trojan, RedHook, is targeting Vietnamese users through phishing sites mimicking trusted agencies. Spread via a malicious APK on an exposed AWS S3 bucket, it exploits accessibility services to steal credentials and banking details, with over 500 infections tied to Chinese-speaking actors. A critical vulnerability in Google’s Gemini CLI allows attackers to silently execute malicious commands. By exploiting prompt injection and poor validation, attackers can embed harmful instructions in seemingly harmless code, evading detection with tactics like excessive whitespace. A cunning phishing campaign is hitting Python developers, using spoofed PyPI emails to trick maintainers into revealing credentials on a fake login page. The deceptive site forwards data to the real PyPI portal, exploiting trust without breaching the platform itself.

Jul 28, 2025

Cyware Daily Threat Intelligence, July 28, 2025

Spear-phishing emails are slipping past defenses in Russia’s aerospace industry. Operation CargoTalon, tied to threat cluster UNG0901, targets organizations like the Voronezh Aircraft Production Association with EAGLET malware hidden in fake invoice files, quietly siphoning off sensitive data to a C2 server. A slew of vulnerabilities in Tridium’s Niagara Framework demands urgent attention. Over a dozen high-severity flaws, including CVE-2025-3936 through CVE-2025-3945, could let attackers exploit misconfigured systems for remote code execution or persistent access, threatening critical infrastructure. Scattered Spider is turning social engineering into a devastating weapon. By posing as employees to reset Active Directory passwords, the group swiftly escalates privileges, hijacks VMware ESXi hypervisors, and deploys ransomware to paralyze virtual environments in retail and transportation sectors within hours.

Jul 25, 2025

Cyware Daily Threat Intelligence, July 25, 2025

A browser tweak here, a fake mod there, and suddenly your crypto wallet spills its secrets. In a new campaign, the Scavenger trojan exploits DLL Search Order Hijacking to infiltrate password managers and wallets like MetaMask, Bitwarden, and Exodus. Delivered via fake game mods and malicious sites, the trojan uses multi-stage loaders and obfuscation. Not every scam needs sophistication, sometimes all it takes is a lonely heart and a convincing profile picture. SarangTrap, a massive mobile spyware campaign, is luring victims on Android and iOS through fake dating apps. With over 250 malicious APKs and nearly 90 phishing domains, the campaign uses emotional manipulation and search engine indexing to appear credible. Fire Ant doesn’t crash through the front door, it slips in quietly, sets up shop, and rewires the building. This advanced China-linked actor is targeting VMware ESXi and vCenter servers using old vulnerabilities to establish espionage footholds. The attackers extract credentials, deploy stealthy backdoors, and tamper with logs to stay hidden.

Jul 24, 2025

Cyware Daily Threat Intelligence, July 24, 2025

Storm-2603 is slipping through SharePoint’s cracks and locking the doors behind it. The suspected China-based threat group is exploiting two SharePoint vulnerabilities to deploy Warlock ransomware. The group uses Mimikatz for credential theft and moves laterally with PsExec. At least 400 organizations have already been impacted. When your router has more holes than a sieve, it’s time to worry. Researchers uncovered several critical vulnerabilities in Weidmueller IE-SR-2TX industrial routers. These flaws allow remote attackers to gain root-level code execution, posing a significant risk to industrial networks and critical infrastructure. Chaos by name, chaos by method. A new RaaS group called Chaos is conducting high-impact ransomware campaigns through a number of tactics, using remote management tools for long-term access. Chaos supports multiple platforms and avoids politically sensitive or healthcare-related victims, offering automated control panels and individualized encryption keys per infection.

Jul 22, 2025

Cyware Daily Threat Intelligence, July 22, 2025

Greedy Sponge isn’t just soaking up data, it’s draining bank accounts. Active since 2021, this financially motivated threat group targets Mexican organizations using a modified AllaKore RAT and SystemBC malware to carry out fraud. Delivered via spear-phishing and drive-by downloads, the malware is geofenced to avoid exposure and now includes server-side payload delivery and secondary infections to bypass detection. What looks like a Google Doc or Steam message may be ACRStealer in disguise. Now rebranded as AmateraStealer, this infostealer uses the Dead Drop Resolver method to communicate via legitimate services, recently adopting stronger evasion features. Ongoing updates and variants have made Amatera one of the most active and elusive stealers currently circulating. Two bugs, one big hole. Apache Jena has been found vulnerable to critical flaws (CVE-2025-49656 and CVE-2025-50151) that allow administrators to create or access files outside intended directories, undermining system sandboxing. Though both require admin privileges, they pose serious risks in shared environments or if admin credentials are compromised. Users are urged to upgrade to version 5.5.0 to patch the flaws.