Cyware Daily Threat Intelligence, July 29, 2025

Daily Threat Briefing • July 29, 2025
Daily Threat Briefing • July 29, 2025
A stealthy Android banking trojan, RedHook, is targeting Vietnamese users through phishing sites mimicking trusted agencies. Spread via a malicious APK on an exposed AWS S3 bucket, it exploits accessibility services to steal credentials and banking details, with over 500 infections tied to Chinese-speaking actors.
A critical vulnerability in Google’s Gemini CLI allows attackers to silently execute malicious commands. By exploiting prompt injection and poor validation, attackers can embed harmful instructions in seemingly harmless code, evading detection with tactics like excessive whitespace.
A cunning phishing campaign is hitting Python developers, using spoofed PyPI emails to trick maintainers into revealing credentials on a fake login page. The deceptive site forwards data to the real PyPI portal, exploiting trust without breaching the platform itself.
Hackers exploit IIS servers with web shell
Hackers are exploiting IIS servers using a complex web shell script named UpdateChecker.aspx, which allows full remote control of compromised systems. This script, disguised as a legitimate ASPX page, employs heavy obfuscation techniques, encoding method names and strings to evade detection. It processes commands via HTTP POST requests, requiring encrypted payloads structured as JSON objects. The web shell is organized into modules that enable reconnaissance, arbitrary command execution, and extensive file system manipulation. Attackers can gather server information, execute Windows commands, and perform a variety of file operations, such as creating, modifying, and deleting files.
RedHook trojan targets Vietnamese users
Cyble researchers discovered RedHook, an Android banking trojan targeting Vietnamese users via phishing sites impersonating trusted agencies. The malware is distributed through a trojanized APK hosted on an exposed AWS S3 bucket, active since November 2024. RedHook abuses Android accessibility services and MediaProjection API to capture keystrokes, contacts, SMS, and screen images, maintaining persistent communication with its C2 server. The trojan collects device information, logs credentials, and prompts victims to upload citizen IDs and banking details, indicating over 500 infections. Chinese-language artifacts suggest the malware originates from Chinese-speaking threat actors, evolving from cosmetic scams to sophisticated banking trojans.
Gunra ransomware introduces Linux strain
Gunra ransomware has introduced a Linux variant that significantly enhances its encryption capabilities, allowing it to run up to 100 encryption threads in parallel and enabling partial file encryption. This development marks a strategic shift towards cross-platform targeting, expanding the group's reach beyond its original focus. Since its emergence in April, Gunra has victimized various sectors, including healthcare, manufacturing, and IT, across multiple countries. Unlike its Windows counterpart, the Linux variant does not drop a ransom note, prioritizing quick and efficient encryption instead. It renames encrypted files with a .ENCRT extension and offers attackers the option to store RSA-encrypted keys separately, showcasing its advanced and flexible approach to ransomware attacks.
Vulnerability spotted in Gemini CLI
Tracebit uncovered a critical vulnerability in Google’s Gemini CLI, which allows silent execution of malicious commands through a combination of prompt injection, inadequate validation, and misleading user experience. The attack exploits Gemini CLI's ability to run shell commands and utilize context files, enabling attackers to embed harmful instructions within seemingly benign code. By manipulating the command whitelist and leveraging user trust in innocuous commands like 'grep', attackers can execute harmful actions without user awareness. This method employs obfuscation techniques, such as excessive whitespace, to conceal malicious intent.
CISA adds PaperCutNG/MF bug to KEV catalog
A high-severity CSRF vulnerability, tracked as CVE-2023-2533, has been added to the CISA’s KEV catalog due to active exploitation. This flaw affects PaperCut NG/MF print management software, commonly used by schools, businesses, and government offices. Exploiting this vulnerability could allow attackers to alter security settings or execute arbitrary code by deceiving logged-in admin users into clicking malicious links. The risk is heightened as various threat actors, including Iranian nation-state groups and ransomware organizations like Cl0p and LockBit have targeted the software.
PyPI warns of ongoing phishing campaign
PyPI issued a security warning about a phishing campaign targeting Python developers, where project maintainers are tricked into revealing their credentials via a spoofed domain. The phishing email impersonates PyPI with a deceptive address (noreply@pypj[.]org) and directs users to a fake login page, forwarding their credentials to the real PyPI portal to create a false sense of legitimacy. PyPI confirmed that the attack is not due to a platform breach but is an opportunistic campaign targeting maintainers whose emails are listed in package metadata.