Cyware Daily Threat Intelligence, June 06, 2025

shutterstock 2286876861 (1)

Daily Threat Briefing June 6, 2025

A silent takeover is unfolding through cheap, everyday smart devices. The FBI has reported over a million infections tied to BADBOX 2.0, a malware campaign targeting uncertified Android-based smart TVs, tablets, and IoT devices. Preinstalled malware and rogue updates turn these devices into residential proxies, with infections spanning 222 countries.

A harmless-looking paste site is quietly fueling major malware campaigns. Cybercriminals are leveraging Paste[.]ee to host malicious scripts that deliver strains like XWorm and AsyncRAT through phishing emails. The platform’s anonymity helps attackers avoid detection while executing keylogging, credential theft, and remote system manipulation.

A spearphishing campaign is exploiting a critical flaw in Roundcube to compromise webmail users. Threat actor UNC1151 targeted Polish organizations using CVE-2024-42009 to execute JavaScript via XSS and plant a persistent Service Worker. The vulnerability affects multiple Roundcube versions and carries a CVSS score of 9.3.

Top Malware Reported in the Last 24 Hours

BADBOX 2.0 campaign on the rise, warns FBI

The FBI reported that the BADBOX 2.0 malware has infected over one million internet-connected devices, primarily Chinese-manufactured Android-based smart TVs, tablets, and IoT devices, turning them into residential proxies for malicious activities. Devices are infected through preloaded malware, malicious firmware updates, or apps downloaded from unofficial marketplaces. Once compromised, they connect to C2 servers for tasks like ad fraud, credential stuffing, and routing malicious traffic. The malware primarily targets uncertified Android Open Source Project devices, often from lesser-known brands, and impacts devices in 222 countries. BADBOX 2.0 evolved from the original BADBOX malware discovered in 2023 and has spread globally, with significant infections in Brazil (37.6%), the US (18.2%), and Mexico (6.3%).

Paste[.]ee abused to drop XWorm and AsyncRAT

Paste.ee is being misused by cybercriminals to distribute malware, including XWorm and AsyncRAT, via phishing emails. Attackers exploit Paste[.]ee’s anonymity and accessibility to host malicious scripts, complicating traceability and bypassing security defenses. XWorm and AsyncRAT enable keylogging, credential theft, and system manipulation, with advanced evasion tactics like polymorphic code and encrypted communications. The attacks pose significant risks to sectors like banking, potentially stealing sensitive credentials, and share similarities with tactics used by APT groups.

Details on Operation DRAGONCLONE

Operation DRAGONCLONE is a malicious campaign targeting China Mobile Tietong Co., Ltd. using VELETRIX and VShell malware. The attack begins with a malicious ZIP file containing signed and unsigned binaries, employing DLL-sideloading techniques. VELETRIX uses anti-sandbox methods, such as execution delays and IPFuscation to obfuscate shellcode, which is executed via callback mechanisms. The campaign has identified 44 implants linked to known APT groups like UNC5174 and Earth Lamia, utilizing tools like Cobalt Strike and SuperShell. The operation has been active since March, showcasing advanced techniques for persistence and evasion.

Top Vulnerabilities Reported in the Last 24 Hours

Attackers abuse Roundcube bug

Hackers exploited a critical vulnerability (CVE-2024-42009) in the Roundcube webmail platform to steal user credentials via a spearphishing campaign targeting Polish entities. This attack, attributed to the UNC1151 threat actor linked to Belarusian and possibly Russian state interests, used XSS to execute malicious JavaScript and register a Service Worker for persistent access. The vulnerability affects Roundcube versions ≤1.5.7 and 1.6.x ≤1.6.7, with a CVSS score of 9.3. Another vulnerability (CVE-2025-49113) allowing remote code execution has been identified but not yet exploited. 

Critical flaw in HPE Insight Remote Support (IRS)

Multiple high-severity vulnerabilities (CVE-2025-37097, CVE-2025-37098, CVE-2025-37099) were found in HPE IRS software, allowing remote attackers to execute arbitrary code and access sensitive data. The flaws include Directory Traversal, RCE, and XML External Entity (XXE) injection, which can compromise system integrity and leak sensitive information. Successful exploitation enables attackers to place malicious files, steal authentication tokens, and escalate privileges. HPE has released IRS version 7.15.0.646, addressing these vulnerabilities with improved input validation, XML parsing security, and authentication checks.

Related Threat Briefings

Jun 5, 2025

Cyware Daily Threat Intelligence, June 05, 2025

Not all GitHub projects are built with good intentions. Researchers uncovered a widespread campaign involving more than 130 repositories booby-trapped with malware disguised as game cheats, hacking tools, and utilities. Hidden behind obfuscated code and automated workflows, the campaign deploys backdoors while using Telegram bots and paste sites to manage infections behind the scenes. Destruction masquerading as maintenance tools is hitting Ukraine’s infrastructure. Researchers attributed a new wiper malware called PathWiper to a Russia-linked APT group, targeting critical systems by leveraging legitimate administrative frameworks. The malware erases storage media and key file system data. Though reminiscent of HermeticWiper, PathWiper shows a more advanced method of drive targeting and destruction. Cisco is closing two critical gaps before attackers can exploit them further. A patch has been issued for CVE-2025-20129 in Cisco’s CCP chat interface, a flaw that could let attackers intercept sensitive data through manipulated HTTP requests. Another vulnerability, CVE-2025-20130 in Cisco ISE, allowed file uploads due to weak validation, now fixed in the latest patches for ISE versions up to 3.3.

Jun 4, 2025

Cyware Daily Threat Intelligence, June 04, 2025

Cybercriminals are turning CAPTCHA prompts into malware gateways. A recent multi-stage malware campaign is using spoofed sites like fake Git repositories and bogus Docusign pages to lure users into executing PowerShell scripts that drop NetSupport RAT. By layering downloaders that each fetch the next stage, the attackers dodge detection and prolong infection. In a similar vein, a free software download could end up costing your entire crypto wallet. ViperSoftX is back in circulation, targeting crypto users with malicious PowerShell scripts bundled into cracked apps, keygens, and torrent packages. Beyond wallet theft, it pulls in additional payloads like Quasar RAT and PureHVNC, while using scheduled tasks and registry tricks to quietly maintain persistence. Meanwhile, Google’s June 2025 Android security update fixed a slate of high-severity issues, including a critical privilege escalation vulnerability in the System component affecting Android 13, 14, and 15. While most bugs haven't been exploited in the wild, three Qualcomm-related flaws made it to CISA’s KEV Catalog. For detailed Cyber Threat Intel, click ‘Read More’.

Jun 3, 2025

Cyware Daily Threat Intelligence, June 03, 2025

A geopolitical ripple just triggered a global software supply chain scare. Socket has exposed a malicious campaign in the RubyGems ecosystem where two lookalike Fastlane plugins were used to siphon off Telegram bot tokens and messages. Timed around Vietnam’s Telegram ban, the attacker used typosquatting and subtle code tweaks - targeting affected developers and putting downstream users at risk worldwide. A silent zero-day is loose in the wild, and Google’s racing to contain it. Chrome users are urged to update immediately after Google issued an emergency patch for a high-severity flaw in the V8 JavaScript engine that’s already being exploited. Some attackers mine crypto, JINX-0132 mines misconfigurations. This threat actor is running a stealthy cryptojacking campaign against DevOps platforms, exploiting exposed defaults and overlooked RCE flaws. They stay under the radar while deploying XMRig miners across poorly secured cloud setups, many of which are still internet-facing and misconfigured.

Jun 2, 2025

Cyware Daily Threat Intelligence, June 02, 2025

A casual scroll through gaming forums or social media might land users in a trap they didn’t see coming. Cybercriminals are hijacking web traffic to lure users onto fake Booking[.]com sites with malicious CAPTCHA prompts that silently trigger harmful commands. The URLs shift constantly, and any site asking users to paste clipboard commands should raise serious red flags. A few swapped letters could be all it takes to get owned. A new supply chain attack targets Python and npm developers through typo-squatting and name confusion. The campaign spans both ecosystems, dropping platform-specific payloads that harvest environment data, evade antivirus tools, and create persistence. What began as one bug unraveled into a deeper security mess. Researchers uncovered multiple privilege escalation flaws in SonicWall’s NetExtender VPN client, letting local users achieve SYSTEM-level access or sabotage services. The discovery of CVE-2025-23007 led to a deeper dive, exposing two more high-risk vulnerabilities now patched in version 10.3.2.

May 30, 2025

Cyware Daily Threat Intelligence, May 30, 2025

Fake CAPTCHA prompts are now doing more than testing if you're human—they're installing malware. EDDIESTEALER, a new Rust-based infostealer, spreads through deceptive CAPTCHA pages that trigger malicious PowerShell scripts. The malware downloads obfuscated JavaScript and executable payloads designed to harvest credentials, browser data, and cryptocurrency wallets. A quiet but relentless campaign has been unfolding across multiple industries. The Chinese group Earth Lamia is targeting finance, government, logistics, and more by exploiting known web app vulnerabilities, including flaws in Apache Struts, GitLab, and WordPress. After gaining access, they deploy webshells, create admin accounts, and move laterally using a plethora of tools. Even Google's trusted ecosystem isn’t off-limits anymore. Attackers are misusing Google Apps Script to host phishing pages that convincingly imitate real login portals. The method allows them to slip through email filters by operating under Google's domain, tricking victims into handing over credentials before redirecting them to legitimate sites to avoid suspicion.

May 29, 2025

Cyware Daily Threat Intelligence, May 29, 2025

APT41 hides malware commands where no one’s looking: your calendar. In a creative twist on C2 infrastructure, China-backed APT41 embedded encrypted instructions inside Google Calendar events. Targets received ZIPs masquerading as PDFs, which deployed a multistage malware suite. The result: stealthy, long-term access across governments and industries. AyySSHush doesn’t make noise, it builds armies. More than 9,000 ASUS routers have been compromised by this botnet, which quietly slips in through a CVE-2023-39780 exploit. Attackers install persistent SSH backdoors, disable logging, and remain invisible through firmware updates. The campaign’s low network footprint hides a growing infrastructure of hijacked devices ready for future use. OneDrive’s permissions flaw lets apps peek at everything. A design issue in Microsoft’s OneDrive File Picker lets apps access more data than intended. Vague consent prompts and overly broad OAuth scopes mean entire OneDrive contents could be exposed. Microsoft hasn’t patched it yet, so users should tread carefully.

May 28, 2025

Cyware Daily Threat Intelligence, May 28, 2025

Threat actors are faking Bitdefender to peddle VenomRAT. Using deceptive domains and phishing lures that mimic banks and IT services, this campaign delivers modular malware bundled with tools like SilentTrinity and StormKitty for credential theft, lateral movement, and persistence. A new Go-based botnet called PumaBot is clawing its way through Linux IoT devices. It brute-forces SSH credentials, impersonates Redis files for stealth, and deploys rootkits to mine crypto and steal credentials, while avoiding honeypots and non-targets along the way. A critical flaw in the TI WooCommerce Wishlist plugin lets attackers upload arbitrary files without authentication when paired with WC Fields Factory. With over 100,000 installs affected and no patch in sight, WordPress site owners are exposed.

May 27, 2025

Cyware Daily Threat Intelligence, May 27, 2025

Chinese threat group UAT-6382 is digging deep into local U.S. government systems, exploiting a flaw in Cityworks to breach Microsoft IIS servers. Their playbook includes web shells, Cobalt Strike, and custom backdoors, all aimed at maintaining quiet, long-term access for espionage or potential ransomware deployment. A critical flaw in Siemens’ SiPass integrated access control system could allow unauthenticated attackers to crash the service remotely. The vulnerability stems from an out-of-bounds read issue in how it handles network packets. Siemens has patched the issue in version V2.95.3.18 and urges immediate upgrades. Void Blizzard, a Russian hacking group with ties to multiple Kremlin-aligned actors, has ramped up its espionage operations by breaching over 20 NGOs across Europe and the U.S. Their weapon of choice: Evilginx phishing kits, fake Microsoft Entra login portals, and malicious QR codes. Targets included policy groups and defense-focused organizations, with attackers siphoning off credentials, emails, and Teams conversations.

May 26, 2025

Cyware Daily Threat Intelligence, May 26, 2025

Threat actors are wrapping their tools in layers of obfuscation, and DOUBLELOADER is no exception. This new backdoor uses the ALCATRAZ obfuscator—once seen in the game-hacking scene—to disguise its presence. It reaches out to hardcoded IPs and paves the way for the RHADAMANTHYS infostealer. In a campaign likely aimed at Chinese-speaking users, fake installers for QQ Browser and LetsVPN are being used to quietly deliver Winos 4.0. Behind the scenes, a memory-resident loader named Catena helps the malware dodge AV tools. Linked to the Silver Fox threat group, the payload uses reflective DLL injection to steal data and provide remote access. A critical bug in D-Link routers could give attackers an easy way in. The flaw affects DIR-605L and DIR-816L models, exposing hardcoded Telnet credentials through the firmware. Once inside, attackers can run arbitrary commands, change configs, or pivot deeper into a network - all without needing to brute-force anything.

May 23, 2025

Cyware Daily Threat Intelligence, May 23, 2025

The copyright threat in your inbox might be bait. A phishing campaign sweeping across central and eastern Europe is using fake legal complaints to deliver the Rhadamanthys Stealer. Attackers use DLL side-loading to hijack legitimate PDF readers and establish persistence via Registry Run keys. Meanwhile, researchers flagged three critical vulnerabilities in the Versa Concerto platform that could allow authentication bypass, privilege escalation, and remote code execution. The vulnerabilities affect popular SD-WAN and SASE deployments, leaving organizations exposed if patches haven’t been manually applied. Think twice before clicking on that Ledger update. A new macOS malware campaign is deploying fake versions of the Ledger Live app to steal cryptocurrency seed phrases. The latest malware strain, dubbed Odyssey, impersonates the real app and tricks users into typing their 24-word passphrase after simulating an error. Click to read more!

May 22, 2025

Cyware Daily Threat Intelligence, May 22, 2025

Two years of silence, 6,200 downloads later - the malware is finally found. A malicious campaign targeting JavaScript developers slipped past detection by disguising harmful npm packages as plugins for frameworks like React, Vue.js, Vite, and Quill Editor. The attacker combined typosquatting with a blend of legitimate and malicious modules to build trust and exploit developer habits. Fake AI tools are the new phishing lures and they’re convincing. Cybercriminals cloned Kling AI’s brand through Facebook ads and spoofed websites to trick users into downloading malware. Victims who interacted with fake image-generation tools unknowingly installed PureHVNC RAT. A single flaw in Samlify could let attackers waltz into admin panels. The bug lets adversaries inject unsigned assertions into signed SAML responses. The result? Easy privilege escalation via forged credentials. The issue has been patched in Samlify v2.10.0.

May 21, 2025

Cyware Daily Threat Intelligence, May 21, 2025

Cryptominers are hiding in plain sight, this time inside encrypted chat traffic. ASEC uncovered a stealthy new backdoor paired with a Monero coinminer, using the PyBitmessage library for encrypted peer-to-peer communications. The malware evades typical detection methods. Payloads are decrypted using XOR and pulled from sources like GitHub or suspected Russian drives, while mimicking legitimate software to stay under the radar. Millions of Node[.]js apps just got riskier. Two critical bugs in the Multer middleware can crash servers or slowly bleed memory through malformed requests and unclosed streams. With no workarounds available, developers are urged to upgrade to version 2.0.0. Until then, close monitoring of system performance is the only safeguard. Hazy Hawk is weaponizing your forgotten cloud. Since late 2023, this threat actor has been hijacking abandoned subdomains to launch scams and malware campaigns. By exploiting misconfigured DNS records across platforms like Azure and AWS, they repurpose trusted domains from federal agencies and major organizations to sidestep defenses and hijack SEO.