Cyware Daily Threat Intelligence, June 13, 2025



CyberEye lowers the barrier for cybercrime with a plug-and-play toolkit. This .NET-based RAT uses Telegram for command and control while offering modules for keylogging, credential theft, and platform-specific data grabbing. Its built-in evasion tactics and easy-to-use builder make it accessible even to low-skill attackers.

Unpatched IT tools are once again opening the door to ransomware attacks. CISA has warned about vulnerabilities in SimpleHelp RMM software being exploited by groups like Play and DragonForce in double-extortion campaigns. The flaws, including CVE-2024-57727, have already led to breaches in sectors like utility billing.

A subtle tweak in language could be all it takes to fool your AI. The TokenBreak attack manipulates how text is tokenized in classification models to sneak past defenses. While models using Unigram tokenization remain secure, others like BERT and RoBERTa are vulnerable—raising red flags for AI-based content moderation and detection systems.

Top Malware Reported in the Last 24 Hours

Discord Invite exploitation

Attackers exploited Discord's invite system by hijacking expired or deleted invite links and redirecting users to malicious servers. The attack used a fake verification bot and phishing sites to trick users into running harmful commands that downloaded malware such as AsyncRAT and Skuld Stealer. The malware spread through multi-stage infection chains that abused trusted services like GitHub and Pastebin to evade detection. Over 1,300 downloads were tracked globally; the campaign targeted cryptocurrency users and stole credentials and wallet data. A parallel campaign targeted gamers by embedding malware in a Trojanized cheat tool for The Sims 4.

CyberEye RAT exploits Telegram for attacks

CyberEye is a .NET-based RAT with modular features such as keyloggers, file grabbers, and clipboard hijackers, and it uses Telegram for C2 operations. The malware disables Windows Defender through PowerShell commands and registry manipulation to evade detection. CyberEye's builder GUI lets attackers customize payloads with minimal technical expertise. Anti-analysis mechanisms detect sandbox, virtual machine, or debugging environments and terminate the malware to avoid analysis. Credential theft modules target browsers, decrypting and extracting saved passwords, cookies, and credit card information. Dedicated modules named TelegramGrabber, DiscordGrabber, and SteamGrabber steal session data from those platforms.
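The Defender-disabling behaviour described above leaves traces that an endpoint owner can audit directly. The PowerShell below is an added example written for this briefing, not code from Cyware or from the CyberEye analysis it summarizes; it assumes an elevated session on a Windows host with the Defender PowerShell module present, and it only reads state (the policy registry values that force protections off, the engine's reported status, and preference-level exclusions) and reports what it finds.

```powershell
# Added example (not from the Cyware briefing or the CyberEye analysis):
# read-only audit of the Windows Defender settings that commodity RATs commonly tamper with.
# Assumption: run in an elevated PowerShell session on a host that has the Defender module.

# Policy registry values: a REG_DWORD of 1 at any of these locations forces the
# corresponding protection off regardless of what the Defender UI shows.
$policyChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';                      Name = 'DisableAntiSpyware' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableRealtimeMonitoring' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableBehaviorMonitoring' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableOnAccessProtection' },
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection'; Name = 'DisableScanOnRealtimeEnable' }
)

$findings = @()

# 1. Policy registry values written by "registry manipulation" style tampering.
foreach ($check in $policyChecks) {
    if (Test-Path $check.Path) {
        $item = Get-ItemProperty -Path $check.Path -Name $check.Name -ErrorAction SilentlyContinue
        if ($null -ne $item -and $item.($check.Name) -eq 1) {
            $findings += "Registry policy '$($check.Path)\$($check.Name)' is set to 1"
        }
    }
}

# 2. Live state as reported by the Defender engine itself.
$status = Get-MpComputerStatus
if (-not $status.RealTimeProtectionEnabled) { $findings += 'Real-time protection is disabled' }
if (-not $status.AntivirusEnabled)          { $findings += 'Antivirus engine is disabled' }
if (-not $status.IsTamperProtected)         { $findings += 'Tamper Protection is off' }

# 3. Preference-level changes of the kind made with Set-MpPreference from PowerShell.
#    Exclusions are not always malicious, so they are reported for review rather than judged.
$pref = Get-MpPreference
if ($pref.DisableRealtimeMonitoring) { $findings += 'DisableRealtimeMonitoring preference is true' }
foreach ($p in $pref.ExclusionPath)      { $findings += "Path exclusion present (review): $p" }
foreach ($e in $pref.ExclusionExtension) { $findings += "Extension exclusion present (review): $e" }
foreach ($x in $pref.ExclusionProcess)   { $findings += "Process exclusion present (review): $x" }

if ($findings.Count -eq 0) {
    Write-Output 'No Defender tampering indicators found.'
} else {
    Write-Output 'Defender tampering indicators:'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Running this periodically from a management host, or as a scheduled task that forwards its output to a SIEM, turns the malware's own evasion step into a detection opportunity: a workstation whose Tamper Protection is off and whose policy keys have flipped to 1 since the last run is worth an immediate look, whatever the RAT family behind it.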

Top Vulnerabilities Reported in the Last 24 Hours

Ransomware actors abuse unpatched SimpleHelp RMM

CISA issued an advisory regarding ransomware actors exploiting unpatched vulnerabilities in SimpleHelp RMM software, particularly versions 5.5.7 and earlier, which include CVE-2024-57727, a path traversal vulnerability. Since January, these vulnerabilities have been leveraged to compromise customers of a utility billing software provider. The vulnerability was used in double-extortion attacks by the Play ransomware gang and DragonForce, in which sensitive data was stolen and files encrypted. CISA added CVE-2024-57727 to its KEV Catalog in February. Organizations using SimpleHelp are urged to check their systems for unpatched versions and take appropriate action to protect their networks against disruption and data breaches.

Apple zero-click exploited in attacks

Apple disclosed a zero-click vulnerability in its Messages app (CVE-2025-43200) that was exploited to target journalists with Paragon's Graphite spyware. The flaw, which allowed attackers to access sensitive data without any user interaction, was patched on February 10. Notably, the spyware was used in sophisticated attacks against Italian journalist Ciro Pellegrino and another unnamed European journalist. Apple notified the victims of the targeted attacks, which were linked to state-sponsored entities. The spyware could be deployed via iMessages sent from a single Apple account, raising concerns about the misuse of such surveillance tools.

Trend Micro patches critical bugs

Trend Micro fixed critical RCE and authentication bypass vulnerabilities in Apex Central and Endpoint Encryption PolicyServer products. Key flaws include insecure deserialization and broken authentication implementations, enabling attackers to execute arbitrary code or bypass admin credentials. Specific vulnerabilities include CVE-2025-49212, CVE-2025-49213, CVE-2025-49216, CVE-2025-49217, CVE-2025-49219, and CVE-2025-49220, with CVSS scores as high as 9.8. Updates to Endpoint Encryption PolicyServer (version 6.0.0.4013) and Apex Central (Patch B7007) address these issues.

Palo Alto issues vulnerability updates

Palo Alto Networks released patches on June 11 addressing multiple vulnerabilities across its product line, including GlobalProtect App, Cortex XDR, PAN-OS, and Prisma Access Browser. Among the six flaws found in its core products, the most severe is CVE-2025-4232, a code injection vulnerability in GlobalProtect App for macOS, with a CVSS score of 7.1. Two other issues, CVE-2025-4230 and CVE-2025-4231, affect PAN-OS and involve authenticated admin command injection, with CVSS scores of 5.7 and 6.1 respectively. Additionally, 12 Chrome-based vulnerabilities affecting the Prisma Access Browser were patched, with CVE-2025-4233 and others receiving a high CVSS score of 8.6. All browser-related issues stem from Chromium, the engine behind Prisma Access Browser.

Threats in Spotlight

All about this new TokenBreak attack

The TokenBreak attack exploits weaknesses in text classification models by manipulating how input is tokenized. Specifically, it targets models using BPE (Byte Pair Encoding) and WordPiece tokenizers, which can be induced to produce false negatives, allowing malicious input to bypass detection. In contrast, models employing Unigram tokenization remain unaffected. The attack works by subtly altering the input text so that it is tokenized differently by the protective model while its meaning is preserved for the downstream target. Testing showed that models like BERT and RoBERTa are susceptible, while DeBERTa-v2 and v3 are not. This divergence between detection models and the target LLMs they protect is a significant concern for content moderation systems, since a manipulated prompt that slips past the classifier can still produce a successful prompt injection at the target.
