Cyware Daily Threat Intelligence, June 04, 2025

shutterstock_1427728523

Daily Threat Briefing June 4, 2025

Cybercriminals are turning CAPTCHA prompts into malware gateways. A recent multi-stage malware campaign is using spoofed sites like fake Git repositories and bogus Docusign pages to lure users into executing PowerShell scripts that drop NetSupport RAT. By layering downloaders that each fetch the next stage, the attackers dodge detection and prolong infection.

In a similar vein, a free software download could end up costing your entire crypto wallet. ViperSoftX is back in circulation, targeting crypto users with malicious PowerShell scripts bundled into cracked apps, keygens, and torrent packages. Beyond wallet theft, it pulls in additional payloads like Quasar RAT and PureHVNC, while using scheduled tasks and registry tricks to quietly maintain persistence.

Meanwhile, Google’s June 2025 Android security update fixed a slate of high-severity issues, including a critical privilege escalation vulnerability in the System component affecting Android 13, 14, and 15. While most bugs haven't been exploited in the wild, three Qualcomm-related flaws made it to CISA’s KEV Catalog.

Top Malware Reported in the Last 24 Hours

ViperSoftX malware targets cryptocurrency users

ViperSoftX malware is actively targeting cryptocurrency users, distributing PowerShell scripts to execute malicious commands, steal cryptocurrency wallets, and deploy additional payloads like Quasar RAT, PureCrypter, and PureHVNC. The malware is distributed via cracked software, key generators, illegal duplication programs, or torrent sites, affecting victims worldwide, including South Korea. ViperSoftX ensures persistence by leveraging task schedulers that execute obfuscated PowerShell scripts and registry-stored commands.

The rise of multi-stage malware campaigns

Attackers use spoofed websites, such as Gitcodes and fake Docusign verification pages, to trick users into running malicious PowerShell scripts that install the NetSupport RAT. The campaign employs multi-stage downloader scripts to evade detection, with each stage downloading and executing additional scripts. Key recommendations include avoiding running scripts from unverified sources, scrutinizing CAPTCHA-like prompts, and verifying website authenticity.

Operation Phantom Enigma targets Brazil

Positive Technologies identified a malicious campaign, "Operation Phantom Enigma," targeting Brazilian users since early 2025. Phishing emails were used to distribute malware disguised as invoices, leading to the installation of malicious browser extensions or RATs. The attackers used PowerShell scripts and BAT files to download and execute malicious extensions, targeting Google Chrome, Microsoft Edge, and Brave browsers.

Top Vulnerabilities Reported in the Last 24 Hours

Authentication Bypass Vulnerability in HPE

Hewlett Packard Enterprise (HPE) has released security patches for eight vulnerabilities in its StoreOnce data backup solution, including a critical authentication bypass flaw (CVE-2025-37093) with a CVSS score of 9.8. The flaws, reported in late 2024, could allow remote code execution, information disclosure, and other exploits. Users are advised to update to the latest version for protection.

Google patches 34 bugs in Android

Google released the June 2025 Android security update, addressing multiple high-severity vulnerabilities, including a critical privilege escalation flaw in the System component (CVE-2025-26443), affecting Android versions 13, 14, and 15. While Google has not reported any active exploitation of these vulnerabilities, three Qualcomm flaws (CVE-2025-21479, CVE-2025-21480, and CVE-2025-27038) have been added to CISA’s Known Exploited Vulnerabilities catalog. Google urged users to update to patch levels 2025-06-01 and 2025-06-05 to install the fixes.

CISA warns of Schneider Electric bug

The CISA warned of a stack-based buffer overflow vulnerability (CVE-2025-3916) in Schneider Electric’s EcoStruxure Power Build Rapsody software, affecting version 2.7.12 FR and earlier. This vulnerability could allow local attackers to execute arbitrary code when a user opens a malicious SSD project file. The vulnerability is rated with a CVSS v4 base score of 4.6 and a CVSS v3.1 base score of 5.3. Schneider Electric recommends updating to version 2.8.1 FR of EcoStruxure Power Build Rapsody to mitigate the vulnerability. Users should reboot the system after installation.

Top Scams Reported in the Last 24 Hours

FBI reports Hedera Hashgraph crypto scam

The FBI issued a Public Service Announcement (PSA) on cybercriminals exploiting NFT airdrops in Hedera Hashgraph non-custodial wallets to defraud users. Scammers embed malicious URLs in transaction memos, social media, phishing emails, or third-party sites, tricking users into sharing login details or seed phrases, enabling cryptocurrency theft. The FBI advises verifying offers, avoiding unsolicited links, and reporting incidents to the IC3 with transaction details.

Related Threat Briefings

Jun 6, 2025

Cyware Daily Threat Intelligence, June 06, 2025

A silent takeover is unfolding through cheap, everyday smart devices. The FBI has reported over a million infections tied to BADBOX 2.0, a malware campaign targeting uncertified Android-based smart TVs, tablets, and IoT devices. Preinstalled malware and rogue updates turn these devices into residential proxies, with infections spanning 222 countries. A harmless-looking paste site is quietly fueling major malware campaigns. Cybercriminals are leveraging Paste[.]ee to host malicious scripts that deliver strains like XWorm and AsyncRAT through phishing emails. The platform’s anonymity helps attackers avoid detection while executing keylogging, credential theft, and remote system manipulation. A spearphishing campaign is exploiting a critical flaw in Roundcube to compromise webmail users. Threat actor UNC1151 targeted Polish organizations using CVE-2024-42009 to execute JavaScript via XSS and plant a persistent Service Worker. The vulnerability affects multiple Roundcube versions and carries a CVSS score of 9.3.

Jun 5, 2025

Cyware Daily Threat Intelligence, June 05, 2025

Not all GitHub projects are built with good intentions. Researchers uncovered a widespread campaign involving more than 130 repositories booby-trapped with malware disguised as game cheats, hacking tools, and utilities. Hidden behind obfuscated code and automated workflows, the campaign deploys backdoors while using Telegram bots and paste sites to manage infections behind the scenes. Destruction masquerading as maintenance tools is hitting Ukraine’s infrastructure. Researchers attributed a new wiper malware called PathWiper to a Russia-linked APT group, targeting critical systems by leveraging legitimate administrative frameworks. The malware erases storage media and key file system data. Though reminiscent of HermeticWiper, PathWiper shows a more advanced method of drive targeting and destruction. Cisco is closing two critical gaps before attackers can exploit them further. A patch has been issued for CVE-2025-20129 in Cisco’s CCP chat interface, a flaw that could let attackers intercept sensitive data through manipulated HTTP requests. Another vulnerability, CVE-2025-20130 in Cisco ISE, allowed file uploads due to weak validation, now fixed in the latest patches for ISE versions up to 3.3.

Jun 3, 2025

Cyware Daily Threat Intelligence, June 03, 2025

A geopolitical ripple just triggered a global software supply chain scare. Socket has exposed a malicious campaign in the RubyGems ecosystem where two lookalike Fastlane plugins were used to siphon off Telegram bot tokens and messages. Timed around Vietnam’s Telegram ban, the attacker used typosquatting and subtle code tweaks - targeting affected developers and putting downstream users at risk worldwide. A silent zero-day is loose in the wild, and Google’s racing to contain it. Chrome users are urged to update immediately after Google issued an emergency patch for a high-severity flaw in the V8 JavaScript engine that’s already being exploited. Some attackers mine crypto, JINX-0132 mines misconfigurations. This threat actor is running a stealthy cryptojacking campaign against DevOps platforms, exploiting exposed defaults and overlooked RCE flaws. They stay under the radar while deploying XMRig miners across poorly secured cloud setups, many of which are still internet-facing and misconfigured.

Jun 2, 2025

Cyware Daily Threat Intelligence, June 02, 2025

A casual scroll through gaming forums or social media might land users in a trap they didn’t see coming. Cybercriminals are hijacking web traffic to lure users onto fake Booking[.]com sites with malicious CAPTCHA prompts that silently trigger harmful commands. The URLs shift constantly, and any site asking users to paste clipboard commands should raise serious red flags. A few swapped letters could be all it takes to get owned. A new supply chain attack targets Python and npm developers through typo-squatting and name confusion. The campaign spans both ecosystems, dropping platform-specific payloads that harvest environment data, evade antivirus tools, and create persistence. What began as one bug unraveled into a deeper security mess. Researchers uncovered multiple privilege escalation flaws in SonicWall’s NetExtender VPN client, letting local users achieve SYSTEM-level access or sabotage services. The discovery of CVE-2025-23007 led to a deeper dive, exposing two more high-risk vulnerabilities now patched in version 10.3.2.

May 30, 2025

Cyware Daily Threat Intelligence, May 30, 2025

Fake CAPTCHA prompts are now doing more than testing if you're human—they're installing malware. EDDIESTEALER, a new Rust-based infostealer, spreads through deceptive CAPTCHA pages that trigger malicious PowerShell scripts. The malware downloads obfuscated JavaScript and executable payloads designed to harvest credentials, browser data, and cryptocurrency wallets. A quiet but relentless campaign has been unfolding across multiple industries. The Chinese group Earth Lamia is targeting finance, government, logistics, and more by exploiting known web app vulnerabilities, including flaws in Apache Struts, GitLab, and WordPress. After gaining access, they deploy webshells, create admin accounts, and move laterally using a plethora of tools. Even Google's trusted ecosystem isn’t off-limits anymore. Attackers are misusing Google Apps Script to host phishing pages that convincingly imitate real login portals. The method allows them to slip through email filters by operating under Google's domain, tricking victims into handing over credentials before redirecting them to legitimate sites to avoid suspicion.

May 29, 2025

Cyware Daily Threat Intelligence, May 29, 2025

APT41 hides malware commands where no one’s looking: your calendar. In a creative twist on C2 infrastructure, China-backed APT41 embedded encrypted instructions inside Google Calendar events. Targets received ZIPs masquerading as PDFs, which deployed a multistage malware suite. The result: stealthy, long-term access across governments and industries. AyySSHush doesn’t make noise, it builds armies. More than 9,000 ASUS routers have been compromised by this botnet, which quietly slips in through a CVE-2023-39780 exploit. Attackers install persistent SSH backdoors, disable logging, and remain invisible through firmware updates. The campaign’s low network footprint hides a growing infrastructure of hijacked devices ready for future use. OneDrive’s permissions flaw lets apps peek at everything. A design issue in Microsoft’s OneDrive File Picker lets apps access more data than intended. Vague consent prompts and overly broad OAuth scopes mean entire OneDrive contents could be exposed. Microsoft hasn’t patched it yet, so users should tread carefully.

May 28, 2025

Cyware Daily Threat Intelligence, May 28, 2025

Threat actors are faking Bitdefender to peddle VenomRAT. Using deceptive domains and phishing lures that mimic banks and IT services, this campaign delivers modular malware bundled with tools like SilentTrinity and StormKitty for credential theft, lateral movement, and persistence. A new Go-based botnet called PumaBot is clawing its way through Linux IoT devices. It brute-forces SSH credentials, impersonates Redis files for stealth, and deploys rootkits to mine crypto and steal credentials, while avoiding honeypots and non-targets along the way. A critical flaw in the TI WooCommerce Wishlist plugin lets attackers upload arbitrary files without authentication when paired with WC Fields Factory. With over 100,000 installs affected and no patch in sight, WordPress site owners are exposed.

May 27, 2025

Cyware Daily Threat Intelligence, May 27, 2025

Chinese threat group UAT-6382 is digging deep into local U.S. government systems, exploiting a flaw in Cityworks to breach Microsoft IIS servers. Their playbook includes web shells, Cobalt Strike, and custom backdoors, all aimed at maintaining quiet, long-term access for espionage or potential ransomware deployment. A critical flaw in Siemens’ SiPass integrated access control system could allow unauthenticated attackers to crash the service remotely. The vulnerability stems from an out-of-bounds read issue in how it handles network packets. Siemens has patched the issue in version V2.95.3.18 and urges immediate upgrades. Void Blizzard, a Russian hacking group with ties to multiple Kremlin-aligned actors, has ramped up its espionage operations by breaching over 20 NGOs across Europe and the U.S. Their weapon of choice: Evilginx phishing kits, fake Microsoft Entra login portals, and malicious QR codes. Targets included policy groups and defense-focused organizations, with attackers siphoning off credentials, emails, and Teams conversations.

May 26, 2025

Cyware Daily Threat Intelligence, May 26, 2025

Threat actors are wrapping their tools in layers of obfuscation, and DOUBLELOADER is no exception. This new backdoor uses the ALCATRAZ obfuscator—once seen in the game-hacking scene—to disguise its presence. It reaches out to hardcoded IPs and paves the way for the RHADAMANTHYS infostealer. In a campaign likely aimed at Chinese-speaking users, fake installers for QQ Browser and LetsVPN are being used to quietly deliver Winos 4.0. Behind the scenes, a memory-resident loader named Catena helps the malware dodge AV tools. Linked to the Silver Fox threat group, the payload uses reflective DLL injection to steal data and provide remote access. A critical bug in D-Link routers could give attackers an easy way in. The flaw affects DIR-605L and DIR-816L models, exposing hardcoded Telnet credentials through the firmware. Once inside, attackers can run arbitrary commands, change configs, or pivot deeper into a network - all without needing to brute-force anything.

May 23, 2025

Cyware Daily Threat Intelligence, May 23, 2025

The copyright threat in your inbox might be bait. A phishing campaign sweeping across central and eastern Europe is using fake legal complaints to deliver the Rhadamanthys Stealer. Attackers use DLL side-loading to hijack legitimate PDF readers and establish persistence via Registry Run keys. Meanwhile, researchers flagged three critical vulnerabilities in the Versa Concerto platform that could allow authentication bypass, privilege escalation, and remote code execution. The vulnerabilities affect popular SD-WAN and SASE deployments, leaving organizations exposed if patches haven’t been manually applied. Think twice before clicking on that Ledger update. A new macOS malware campaign is deploying fake versions of the Ledger Live app to steal cryptocurrency seed phrases. The latest malware strain, dubbed Odyssey, impersonates the real app and tricks users into typing their 24-word passphrase after simulating an error. Click to read more!

May 22, 2025

Cyware Daily Threat Intelligence, May 22, 2025

Two years of silence, 6,200 downloads later - the malware is finally found. A malicious campaign targeting JavaScript developers slipped past detection by disguising harmful npm packages as plugins for frameworks like React, Vue.js, Vite, and Quill Editor. The attacker combined typosquatting with a blend of legitimate and malicious modules to build trust and exploit developer habits. Fake AI tools are the new phishing lures and they’re convincing. Cybercriminals cloned Kling AI’s brand through Facebook ads and spoofed websites to trick users into downloading malware. Victims who interacted with fake image-generation tools unknowingly installed PureHVNC RAT. A single flaw in Samlify could let attackers waltz into admin panels. The bug lets adversaries inject unsigned assertions into signed SAML responses. The result? Easy privilege escalation via forged credentials. The issue has been patched in Samlify v2.10.0.

May 21, 2025

Cyware Daily Threat Intelligence, May 21, 2025

Cryptominers are hiding in plain sight, this time inside encrypted chat traffic. ASEC uncovered a stealthy new backdoor paired with a Monero coinminer, using the PyBitmessage library for encrypted peer-to-peer communications. The malware evades typical detection methods. Payloads are decrypted using XOR and pulled from sources like GitHub or suspected Russian drives, while mimicking legitimate software to stay under the radar. Millions of Node[.]js apps just got riskier. Two critical bugs in the Multer middleware can crash servers or slowly bleed memory through malformed requests and unclosed streams. With no workarounds available, developers are urged to upgrade to version 2.0.0. Until then, close monitoring of system performance is the only safeguard. Hazy Hawk is weaponizing your forgotten cloud. Since late 2023, this threat actor has been hijacking abandoned subdomains to launch scams and malware campaigns. By exploiting misconfigured DNS records across platforms like Azure and AWS, they repurpose trusted domains from federal agencies and major organizations to sidestep defenses and hijack SEO.