Cyware Daily Threat Intelligence, June 09, 2025

shutterstock 1973399114

Daily Threat Briefing June 9, 2025

What looks like support for defectors may actually be spyware in disguise. Kimsuky launched a stealthy campaign, targeting defense entities, activists, and crypto exchanges through Facebook impersonations, spear-phishing emails, and Telegram messages. Malware is delivered via EGG archives and disguised outreach, using encoded scripts, malicious DLLs, and registry tweaks.

Malicious packages are creeping into trusted ecosystems under familiar names. A new supply chain attack compromised 16 packages linked to GlueStack, enabling command execution, data theft, and file deletion. The packages posed as developer tools or Instagram growth apps, stealing credentials and relaying them to external bot services.

An old botnet just found a new way in. A Mirai variant is actively exploiting a command injection vulnerability in TBK DVR-4104 and DVR-4216 devices, to conscript them into a botnet for DDoS attacks. The exploit enables attackers to run shell commands via POST requests.

Top Malware Reported in the Last 24 Hours

Kimsuky’s AppleSeed campaign 

Kimsuky, a North Korea-aligned APT group, launched a sophisticated cyber-espionage campaign named AppleSeed, targeting defense sectors, activists, and cryptocurrency exchanges through Facebook, email, and Telegram. The group employed impersonation tactics on Facebook, spear-phishing emails with malicious EGG archives, and Telegram for delivering malware disguised as support for North Korean defectors. The malware payload involved encoded scripts, malicious DLLs, and registry modifications for persistence, using advanced techniques like VMProtect and encryption to evade detection.

Blitz malware targets gamers

Blitz malware targets gamers by distributing backdoored cheat packages for the mobile game Standoff 2, compromising systems, stealing data, and mining cryptocurrency. The malware uses legitimate platforms like Hugging Face Spaces for C2 operations and stores malicious payloads. Distributed through Telegram, the malware operates in two stages: a downloader and a bot capable of keylogging, screenshot capture, file transfer, DDoS attacks, and cryptojacking. Researchers identified 289 active infections across 26 countries, with Russia, Ukraine, Belarus, and Kazakhstan being most affected.

New DuplexSpy RAT emerges

DuplexSpy RAT is a newly emerged modular remote access trojan developed in C# and available on GitHub. It features a GUI for surveillance, persistence, and anti-analysis, mimicking legitimate processes to avoid detection. Key capabilities include keylogging, live streaming, audio spying, remote command execution, and system shutdowns. The RAT uses AES/RSA encryption and DLL injection for secure, in-memory payload execution. It mimics legitimate system processes, such as "Windows Update," to avoid suspicion. 

Supply chain attack targets npm and PyPI

A supply chain malware operation has targeted npm and PyPI ecosystems, compromising 16 packages associated with GlueStack. Malicious code allows attackers to execute commands, take screenshots, and steal data. Two rogue npm packages, express-api-sync and system-health-sync-api, were found to delete files and exfiltrate information via email. Additionally, a Python package named imad213 masqueraded as an Instagram growth tool, harvesting user credentials and distributing them to multiple bot services. The first compromise was detected on June 6, with nearly 1 million weekly downloads affected.

Top Vulnerabilities Reported in the Last 24 Hours

New Mirai variant abuses TBK DVR bug

A new variant of the Mirai botnet is exploiting a command injection vulnerability (CVE-2024-3721) in TBK DVR-4104 and DVR-4216 devices to hijack them. This flaw, disclosed in April 2024, enables shell command execution through crafted POST requests. The exploit uses a PoC to drop malware and connect devices to a botnet for DDoS attacks and malicious traffic proxying. An estimated 50,000 devices remain exposed globally, with infections primarily affecting countries such as China, India, and Brazil. 

Critical SOQL injection flaw in Salesforce

A critical SOQL injection vulnerability was discovered in Salesforce's default Aura controller, potentially exposing millions of user records across thousands of deployments. The flaw allowed attackers to inject malicious input into dynamically constructed SOQL queries, enabling unauthorized data access. The vulnerability could allow attackers to extract sensitive data such as user emails, names, addresses, and potentially password hashes, depending on the deployment configuration. The researcher reported the issue to Salesforce, which quietly patched the vulnerability without issuing a CVE or public advisory.

Related Threat Briefings

Jun 6, 2025

Cyware Daily Threat Intelligence, June 06, 2025

A silent takeover is unfolding through cheap, everyday smart devices. The FBI has reported over a million infections tied to BADBOX 2.0, a malware campaign targeting uncertified Android-based smart TVs, tablets, and IoT devices. Preinstalled malware and rogue updates turn these devices into residential proxies, with infections spanning 222 countries. A harmless-looking paste site is quietly fueling major malware campaigns. Cybercriminals are leveraging Paste[.]ee to host malicious scripts that deliver strains like XWorm and AsyncRAT through phishing emails. The platform’s anonymity helps attackers avoid detection while executing keylogging, credential theft, and remote system manipulation. A spearphishing campaign is exploiting a critical flaw in Roundcube to compromise webmail users. Threat actor UNC1151 targeted Polish organizations using CVE-2024-42009 to execute JavaScript via XSS and plant a persistent Service Worker. The vulnerability affects multiple Roundcube versions and carries a CVSS score of 9.3.

Jun 5, 2025

Cyware Daily Threat Intelligence, June 05, 2025

Not all GitHub projects are built with good intentions. Researchers uncovered a widespread campaign involving more than 130 repositories booby-trapped with malware disguised as game cheats, hacking tools, and utilities. Hidden behind obfuscated code and automated workflows, the campaign deploys backdoors while using Telegram bots and paste sites to manage infections behind the scenes. Destruction masquerading as maintenance tools is hitting Ukraine’s infrastructure. Researchers attributed a new wiper malware called PathWiper to a Russia-linked APT group, targeting critical systems by leveraging legitimate administrative frameworks. The malware erases storage media and key file system data. Though reminiscent of HermeticWiper, PathWiper shows a more advanced method of drive targeting and destruction. Cisco is closing two critical gaps before attackers can exploit them further. A patch has been issued for CVE-2025-20129 in Cisco’s CCP chat interface, a flaw that could let attackers intercept sensitive data through manipulated HTTP requests. Another vulnerability, CVE-2025-20130 in Cisco ISE, allowed file uploads due to weak validation, now fixed in the latest patches for ISE versions up to 3.3.

Jun 4, 2025

Cyware Daily Threat Intelligence, June 04, 2025

Cybercriminals are turning CAPTCHA prompts into malware gateways. A recent multi-stage malware campaign is using spoofed sites like fake Git repositories and bogus Docusign pages to lure users into executing PowerShell scripts that drop NetSupport RAT. By layering downloaders that each fetch the next stage, the attackers dodge detection and prolong infection. In a similar vein, a free software download could end up costing your entire crypto wallet. ViperSoftX is back in circulation, targeting crypto users with malicious PowerShell scripts bundled into cracked apps, keygens, and torrent packages. Beyond wallet theft, it pulls in additional payloads like Quasar RAT and PureHVNC, while using scheduled tasks and registry tricks to quietly maintain persistence. Meanwhile, Google’s June 2025 Android security update fixed a slate of high-severity issues, including a critical privilege escalation vulnerability in the System component affecting Android 13, 14, and 15. While most bugs haven't been exploited in the wild, three Qualcomm-related flaws made it to CISA’s KEV Catalog. For detailed Cyber Threat Intel, click ‘Read More’.

Jun 3, 2025

Cyware Daily Threat Intelligence, June 03, 2025

A geopolitical ripple just triggered a global software supply chain scare. Socket has exposed a malicious campaign in the RubyGems ecosystem where two lookalike Fastlane plugins were used to siphon off Telegram bot tokens and messages. Timed around Vietnam’s Telegram ban, the attacker used typosquatting and subtle code tweaks - targeting affected developers and putting downstream users at risk worldwide. A silent zero-day is loose in the wild, and Google’s racing to contain it. Chrome users are urged to update immediately after Google issued an emergency patch for a high-severity flaw in the V8 JavaScript engine that’s already being exploited. Some attackers mine crypto, JINX-0132 mines misconfigurations. This threat actor is running a stealthy cryptojacking campaign against DevOps platforms, exploiting exposed defaults and overlooked RCE flaws. They stay under the radar while deploying XMRig miners across poorly secured cloud setups, many of which are still internet-facing and misconfigured.

Jun 2, 2025

Cyware Daily Threat Intelligence, June 02, 2025

A casual scroll through gaming forums or social media might land users in a trap they didn’t see coming. Cybercriminals are hijacking web traffic to lure users onto fake Booking[.]com sites with malicious CAPTCHA prompts that silently trigger harmful commands. The URLs shift constantly, and any site asking users to paste clipboard commands should raise serious red flags. A few swapped letters could be all it takes to get owned. A new supply chain attack targets Python and npm developers through typo-squatting and name confusion. The campaign spans both ecosystems, dropping platform-specific payloads that harvest environment data, evade antivirus tools, and create persistence. What began as one bug unraveled into a deeper security mess. Researchers uncovered multiple privilege escalation flaws in SonicWall’s NetExtender VPN client, letting local users achieve SYSTEM-level access or sabotage services. The discovery of CVE-2025-23007 led to a deeper dive, exposing two more high-risk vulnerabilities now patched in version 10.3.2.

May 30, 2025

Cyware Daily Threat Intelligence, May 30, 2025

Fake CAPTCHA prompts are now doing more than testing if you're human—they're installing malware. EDDIESTEALER, a new Rust-based infostealer, spreads through deceptive CAPTCHA pages that trigger malicious PowerShell scripts. The malware downloads obfuscated JavaScript and executable payloads designed to harvest credentials, browser data, and cryptocurrency wallets. A quiet but relentless campaign has been unfolding across multiple industries. The Chinese group Earth Lamia is targeting finance, government, logistics, and more by exploiting known web app vulnerabilities, including flaws in Apache Struts, GitLab, and WordPress. After gaining access, they deploy webshells, create admin accounts, and move laterally using a plethora of tools. Even Google's trusted ecosystem isn’t off-limits anymore. Attackers are misusing Google Apps Script to host phishing pages that convincingly imitate real login portals. The method allows them to slip through email filters by operating under Google's domain, tricking victims into handing over credentials before redirecting them to legitimate sites to avoid suspicion.

May 29, 2025

Cyware Daily Threat Intelligence, May 29, 2025

APT41 hides malware commands where no one’s looking: your calendar. In a creative twist on C2 infrastructure, China-backed APT41 embedded encrypted instructions inside Google Calendar events. Targets received ZIPs masquerading as PDFs, which deployed a multistage malware suite. The result: stealthy, long-term access across governments and industries. AyySSHush doesn’t make noise, it builds armies. More than 9,000 ASUS routers have been compromised by this botnet, which quietly slips in through a CVE-2023-39780 exploit. Attackers install persistent SSH backdoors, disable logging, and remain invisible through firmware updates. The campaign’s low network footprint hides a growing infrastructure of hijacked devices ready for future use. OneDrive’s permissions flaw lets apps peek at everything. A design issue in Microsoft’s OneDrive File Picker lets apps access more data than intended. Vague consent prompts and overly broad OAuth scopes mean entire OneDrive contents could be exposed. Microsoft hasn’t patched it yet, so users should tread carefully.

May 28, 2025

Cyware Daily Threat Intelligence, May 28, 2025

Threat actors are faking Bitdefender to peddle VenomRAT. Using deceptive domains and phishing lures that mimic banks and IT services, this campaign delivers modular malware bundled with tools like SilentTrinity and StormKitty for credential theft, lateral movement, and persistence. A new Go-based botnet called PumaBot is clawing its way through Linux IoT devices. It brute-forces SSH credentials, impersonates Redis files for stealth, and deploys rootkits to mine crypto and steal credentials, while avoiding honeypots and non-targets along the way. A critical flaw in the TI WooCommerce Wishlist plugin lets attackers upload arbitrary files without authentication when paired with WC Fields Factory. With over 100,000 installs affected and no patch in sight, WordPress site owners are exposed.

May 27, 2025

Cyware Daily Threat Intelligence, May 27, 2025

Chinese threat group UAT-6382 is digging deep into local U.S. government systems, exploiting a flaw in Cityworks to breach Microsoft IIS servers. Their playbook includes web shells, Cobalt Strike, and custom backdoors, all aimed at maintaining quiet, long-term access for espionage or potential ransomware deployment. A critical flaw in Siemens’ SiPass integrated access control system could allow unauthenticated attackers to crash the service remotely. The vulnerability stems from an out-of-bounds read issue in how it handles network packets. Siemens has patched the issue in version V2.95.3.18 and urges immediate upgrades. Void Blizzard, a Russian hacking group with ties to multiple Kremlin-aligned actors, has ramped up its espionage operations by breaching over 20 NGOs across Europe and the U.S. Their weapon of choice: Evilginx phishing kits, fake Microsoft Entra login portals, and malicious QR codes. Targets included policy groups and defense-focused organizations, with attackers siphoning off credentials, emails, and Teams conversations.

May 26, 2025

Cyware Daily Threat Intelligence, May 26, 2025

Threat actors are wrapping their tools in layers of obfuscation, and DOUBLELOADER is no exception. This new backdoor uses the ALCATRAZ obfuscator—once seen in the game-hacking scene—to disguise its presence. It reaches out to hardcoded IPs and paves the way for the RHADAMANTHYS infostealer. In a campaign likely aimed at Chinese-speaking users, fake installers for QQ Browser and LetsVPN are being used to quietly deliver Winos 4.0. Behind the scenes, a memory-resident loader named Catena helps the malware dodge AV tools. Linked to the Silver Fox threat group, the payload uses reflective DLL injection to steal data and provide remote access. A critical bug in D-Link routers could give attackers an easy way in. The flaw affects DIR-605L and DIR-816L models, exposing hardcoded Telnet credentials through the firmware. Once inside, attackers can run arbitrary commands, change configs, or pivot deeper into a network - all without needing to brute-force anything.

May 23, 2025

Cyware Daily Threat Intelligence, May 23, 2025

The copyright threat in your inbox might be bait. A phishing campaign sweeping across central and eastern Europe is using fake legal complaints to deliver the Rhadamanthys Stealer. Attackers use DLL side-loading to hijack legitimate PDF readers and establish persistence via Registry Run keys. Meanwhile, researchers flagged three critical vulnerabilities in the Versa Concerto platform that could allow authentication bypass, privilege escalation, and remote code execution. The vulnerabilities affect popular SD-WAN and SASE deployments, leaving organizations exposed if patches haven’t been manually applied. Think twice before clicking on that Ledger update. A new macOS malware campaign is deploying fake versions of the Ledger Live app to steal cryptocurrency seed phrases. The latest malware strain, dubbed Odyssey, impersonates the real app and tricks users into typing their 24-word passphrase after simulating an error. Click to read more!

May 22, 2025

Cyware Daily Threat Intelligence, May 22, 2025

Two years of silence, 6,200 downloads later - the malware is finally found. A malicious campaign targeting JavaScript developers slipped past detection by disguising harmful npm packages as plugins for frameworks like React, Vue.js, Vite, and Quill Editor. The attacker combined typosquatting with a blend of legitimate and malicious modules to build trust and exploit developer habits. Fake AI tools are the new phishing lures and they’re convincing. Cybercriminals cloned Kling AI’s brand through Facebook ads and spoofed websites to trick users into downloading malware. Victims who interacted with fake image-generation tools unknowingly installed PureHVNC RAT. A single flaw in Samlify could let attackers waltz into admin panels. The bug lets adversaries inject unsigned assertions into signed SAML responses. The result? Easy privilege escalation via forged credentials. The issue has been patched in Samlify v2.10.0.