Cyware Daily Threat Intelligence, July 30, 2025


Daily Threat Briefing July 30, 2025

In a stealthy strike, hackers exploited a critical SAP NetWeaver flaw to deploy the Auto-Color Linux malware. This malware, equipped with a rootkit and adaptive evasion tactics, adjusts its behavior based on user privileges and goes dormant in sandboxes, drawing attention from ransomware groups and state-sponsored actors.

A subtle misstep in the AI-powered Base44 platform exposed private applications to unauthorized access through easily discoverable “app_id” values. By bypassing SSO and authentication controls, the flaw posed a significant risk but was swiftly patched within 24 hours of discovery.

Sophisticated nation-state actors, possibly Liminal Panda, have set their sights on Southwest Asia’s telecom networks with a complex attack campaign. Identified as CL-STA-0969, this threat cluster leverages custom tools and exploits vulnerabilities to maintain persistent access with high operational security.

Top Malware Reported in the Last 24 Hours

Fake WordPress plugin creates hidden admin

Sucuri investigated a malware incident where a WordPress site was compromised by a fake plugin named "WP Compatibility Patch." This malicious plugin was designed to create a hidden administrator account called "adminbackup," which was concealed from the WordPress admin dashboard. The infection was found in the plugins directory, and the plugin's legitimate appearance allowed it to evade detection. Upon each page load, the malware checked for the existence of the "adminbackup" user, creating it if absent or updating its details if it already existed. To maintain its presence, the malware employed various WordPress hooks to hide the malicious user and blocked any attempts to delete or edit the account. This sophisticated backdoor allowed attackers to retain full control over the site while remaining undetected.
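Defenders can turn the three behaviours described above (user created on every page load, user hidden from the dashboard, user protected from deletion or editing) into a static check over plugin sources. The scanner below is an added example, not Sucuri's tooling; the page does not name the hooks the plugin used, so the WordPress hook and function names it matches are my assumption of how such behaviour is commonly wired, and the two plugin sources are constructed sample inputs.

```python
import re
from dataclasses import dataclass, field

# Indicator patterns. The hook/function names are an assumption of how the
# described behaviour is usually wired in a plugin, not taken from the write-up.
INDICATORS = {
    "creates_user": re.compile(r"\b(wp_insert_user|wp_create_user)\s*\("),
    "runs_every_request": re.compile(
        r"add_action\s*\(\s*['\"](init|plugins_loaded|wp_loaded)['\"]"),
    "hides_user": re.compile(
        r"add_(?:filter|action)\s*\(\s*['\"](pre_user_query|"
        r"users_list_table_query_args|views_users)['\"]"),
    "protects_user": re.compile(
        r"add_(?:filter|action)\s*\(\s*['\"](delete_user|user_row_actions|"
        r"edit_user_profile|wp_pre_insert_user_data)['\"]"),
    "known_username": re.compile(r"['\"]adminbackup['\"]"),  # username from the write-up
}
FLAG_THRESHOLD = 3  # assumption: three or more indicator categories in one plugin

@dataclass
class Finding:
    path: str
    hits: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return len(self.hits) >= FLAG_THRESHOLD

def scan_plugin_source(path: str, source: str) -> Finding:
    """Return which indicator categories appear in one plugin file."""
    finding = Finding(path)
    for name, pattern in INDICATORS.items():
        if pattern.search(source):
            finding.hits.append(name)
    return finding

# Constructed sample inputs (not real plugin code): a skeleton that carries the
# described indicators, and a benign plugin that merely hooks 'init'.
FAKE_PLUGIN = """<?php
/* Plugin Name: WP Compatibility Patch */
add_action('init', 'wcp_ensure_user');
add_action('pre_user_query', 'wcp_hide_user');
add_action('delete_user', 'wcp_block_delete');
function wcp_ensure_user() { if (!username_exists('adminbackup')) { wp_insert_user(array(/* ... */)); } }
"""
BENIGN_PLUGIN = """<?php
/* Plugin Name: Example Shortcodes */
add_action('init', 'es_register_shortcodes');
"""

if __name__ == "__main__":
    for path, src in (("wp-compat-patch.php", FAKE_PLUGIN), ("shortcodes.php", BENIGN_PLUGIN)):
        result = scan_plugin_source(path, src)
        print(path, "SUSPICIOUS" if result.suspicious else "ok", result.hits)
```

Run it over every `.php` file under `wp-content/plugins/`; a single indicator (a plugin hooking `init`) is normal, and only the combination is worth triage.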

Hackers exploit bug, drop malware

Hackers exploited a critical vulnerability in SAP NetWeaver, tracked as CVE-2025-31324, to deploy the Auto-Color Linux malware against a U.S.-based chemicals company. The attack began on April 25, with the malware delivering a Linux executable file that features advanced evasion tactics and stealthy persistence mechanisms, including a rootkit. Auto-Color adjusts its behavior based on user privilege levels and can suppress its malicious activities if it cannot connect to its C2 server, making it appear benign in sandboxed environments. Auto-Color has been linked to exploitation attempts by various threat actors, including ransomware groups and state-sponsored hackers, following the vulnerability's disclosure.

New JSCEAL malware campaign unveiled

JSCEAL is a sophisticated malware campaign targeting cryptocurrency app users through malicious advertisements that promote fake applications. Leveraging Node.js and compiled JavaScript files, JSCEAL steals sensitive data, including credentials and crypto wallets, while employing advanced anti-analysis techniques to evade detection. The campaign impersonates nearly 50 popular cryptocurrency brands and utilizes a multi-layered infection flow, starting with malicious advertisements leading to fake websites. The infection process involves MSI installers that require simultaneous execution with the malicious site, complicating detection efforts. With an estimated global reach exceeding 10 million users, JSCEAL has demonstrated low detection rates on platforms like VirusTotal, making it a significant threat in the cybersecurity landscape.

Top Vulnerabilities Reported in the Last 24 Hours

Apple patches Safari flaw

Apple has released security updates for its software portfolio, addressing a critical vulnerability, CVE-2025-6558, which was previously exploited as a zero-day in Google Chrome. This vulnerability involves incorrect validation of untrusted input in the browser's ANGLE and GPU components, potentially leading to sandbox escapes through crafted HTML pages. The flaw affects Apple's WebKit browser engine, which powers Safari, and could cause unexpected crashes when handling malicious web content. The updates apply to various devices, including iPhones, iPads, Macs, Apple TV, and Apple Watch, with specific versions listed for each.

Critical vulnerability in Base44

A critical vulnerability in the AI-powered vibe coding platform Base44 exposed private applications to unauthorized access by allowing attackers to exploit non-secret "app_id" values for account registration and email verification. The flaw bypassed authentication controls, including SSO protections, but was patched within 24 hours of disclosure. No evidence of exploitation was found. The vulnerability stemmed from exposed authentication endpoints, enabling attackers to register and verify accounts using visible "app_id" values found in app URLs and manifest files.

Threats in Spotlight

CL-STA-0969: Threats to telecom networks

Unit 42 has identified a sophisticated threat cluster, CL-STA-0969, targeting telecommunications networks in Southwest Asia. This activity, attributed to nation-state actors like Liminal Panda, involves exploiting interconnected mobile roaming networks. Attackers employed various custom tools and techniques to infiltrate systems, maintaining high operational security and employing defense evasion strategies. Notably, they utilized tools such as Cordscan, which suggests a focus on collecting victim location data. The threat actors exploited multiple vulnerabilities, including CVE-2016-5195 and CVE-2021-4034, to escalate privileges and maintain persistent access.
