Cyware Daily Threat Intelligence, June 13, 2025

shutterstock 1963275886

Daily Threat Briefing June 13, 2025

CyberEye lowers the barrier for cybercrime with a plug-and-play toolkit. This .NET-based RAT uses Telegram for command and control while offering modules for keylogging, credential theft, and platform-specific data grabbing. Its built-in evasion tactics and easy-to-use builder make it accessible even to low-skill attackers.

Unpatched IT tools are once again opening the door to ransomware attacks. CISA has warned about vulnerabilities in SimpleHelp RMM software being exploited by groups like Play and DragonForce in double-extortion campaigns. The flaws, including CVE-2024-57727, have already led to breaches in sectors like utility billing.

A subtle tweak in language could be all it takes to fool your AI. The TokenBreak attack manipulates how text is tokenized in classification models to sneak past defenses. While models using Unigram tokenization remain secure, others like BERT and RoBERTa are vulnerable—raising red flags for AI-based content moderation and detection systems.

Top Malware Reported in the Last 24 Hours

Discord Invite exploitation

Attackers exploited Discord’s invite system by hijacking expired or deleted invite links, redirecting users to malicious servers. The attack used a fake verification bot and phishing sites to trick users into running harmful commands, downloading malware like AsyncRAT and Skuld Stealer. The malware spread through multi-stage infection chains using trusted services like GitHub and Pastebin to evade detection. Over 1,300 downloads were tracked globally, targeting cryptocurrency users and stealing credentials and wallet data. A parallel campaign targeted gamers, embedding malware in a Trojanized cheat tool for The Sims 4.

CyberEye RAT exploits Telegram for attacks

CyberEye is a .NET-based RAT with modular features like keyloggers, file grabbers, and clipboard hijackers, leveraging Telegram for C2 operations. The malware disables Windows Defender using PowerShell and registry manipulations to evade detection. CyberEye's builder GUI allows attackers to customize payloads with minimal technical expertise. Anti-analysis mechanisms detect sandbox, virtual machine, or debugging environments, terminating the malware to avoid detection. Credential theft modules target browsers, extracting passwords, cookies, and credit card information using decryption techniques. Specific modules like TelegramGrabber, DiscordGrabber, and SteamGrabber steal session data from popular platforms.

Top Vulnerabilities Reported in the Last 24 Hours

Ransomware actors abuse unpatched SimpleHelp RMM

The CISA issued an advisory regarding ransomware actors exploiting unpatched vulnerabilities in SimpleHelp RMM software, particularly versions 5.5.7 and earlier, which include CVE-2024-57727, a path traversal vulnerability. Since January, these vulnerabilities have been leveraged to compromise customers of a utility billing software provider. This vulnerability was leveraged in double-extortion attacks by Play ransomware gang and DragonForce, where sensitive data was stolen and files encrypted. CISA added CVE-2024-57727 to its KEV Catalog in February. Organizations using SimpleHelp are urged to assess their systems for unpatched versions and take appropriate actions to secure their networks against potential disruptions and data breaches.

Apple zero-click exploited in attacks

Apple disclosed a zero-click vulnerability in its Messages app (CVE-2025-43200) that was exploited to target journalists with Paragon's Graphite spyware. This flaw, which allowed attackers to access sensitive data without user interaction, was patched on February 10. Notably, the spyware was used in sophisticated attacks against Italian journalist Ciro Pellegrino and another unnamed European journalist. Apple informed the victims of the targeted attacks, which were linked to state-sponsored entities. The spyware could be deployed via iMessages from a single Apple account, raising concerns about the misuse of such surveillance tools. 

Trend Micro patches critical bugs

Trend Micro fixed critical RCE and authentication bypass vulnerabilities in Apex Central and Endpoint Encryption PolicyServer products. Key flaws include insecure deserialization and broken authentication implementations, enabling attackers to execute arbitrary code or bypass admin credentials. Specific vulnerabilities include CVE-2025-49212, CVE-2025-49213, CVE-2025-49216, CVE-2025-49217, CVE-2025-49219, and CVE-2025-49220, with CVSS scores as high as 9.8. Updates to Endpoint Encryption PolicyServer (version 6.0.0.4013) and Apex Central (Patch B7007) address these issues.

Palo Alto issues vulnerability updates 

Palo Alto Networks released patches on June 11 addressing multiple vulnerabilities across its product line, including GlobalProtect App, Cortex XDR, PAN-OS, and Prisma Access Browser. Among the six flaws found in its core products, the most severe is CVE-2025-4232—a code injection vulnerability in GlobalProtect App for macOS—with a CVSS score of 7.1. Two other issues, CVE-2025-4230 and CVE-2025-4231, impact PAN-OS and involve authenticated admin command injection, rated at 5.7 and 6.1. Additionally, 12 Chrome-based vulnerabilities affecting the Prisma Access Browser were patched, with CVE-2025-4233 and others receiving a high CVSS score of 8.6. All browser-related issues stem from Chromium, the engine behind Prisma Access Browser.

Threats in Spotlight

All about this new TokenBreak attack

The TokenBreak attack exploits vulnerabilities in text classification models by manipulating tokenization strategies. Specifically, it targets models using BPE (Byte Pair Encoding) and WordPiece tokenizers, which are prone to false negatives, allowing malicious input to bypass detection. In contrast, models employing Unigram tokenization remain unaffected. The attack works by subtly altering input text, preserving its meaning while evading protective models. Testing showed that models like BERT and RoBERTa are susceptible, while DeBERTa-v2 and v3 are not. This divergence between detection models and target LLMs highlights a significant security concern in content moderation systems, as manipulated prompts can lead to successful prompt injections.

Related Threat Briefings

Jul 30, 2025

Cyware Daily Threat Intelligence, July 30, 2025

In a stealthy strike, hackers exploited a critical SAP NetWeaver flaw to deploy the Auto-Color Linux malware. This malware, equipped with a rootkit and adaptive evasion tactics, adjusts its behavior based on user privileges and goes dormant in sandboxes, drawing attention from ransomware groups and state-sponsored actors. A subtle misstep in the AI-powered Base44 platform exposed private applications to unauthorized access through easily discoverable “app_id” values. By bypassing SSO and authentication controls, the flaw posed a significant risk but was swiftly patched within 24 hours of discovery. Sophisticated nation-state actors, possibly Liminal Panda, have set their sights on Southwest Asia’s telecom networks with a complex attack campaign. Identified as CL-STA-0969, this threat cluster leverages custom tools and exploits vulnerabilities to maintain persistent access with high operational security.

Jul 29, 2025

Cyware Daily Threat Intelligence, July 29, 2025

A stealthy Android banking trojan, RedHook, is targeting Vietnamese users through phishing sites mimicking trusted agencies. Spread via a malicious APK on an exposed AWS S3 bucket, it exploits accessibility services to steal credentials and banking details, with over 500 infections tied to Chinese-speaking actors. A critical vulnerability in Google’s Gemini CLI allows attackers to silently execute malicious commands. By exploiting prompt injection and poor validation, attackers can embed harmful instructions in seemingly harmless code, evading detection with tactics like excessive whitespace. A cunning phishing campaign is hitting Python developers, using spoofed PyPI emails to trick maintainers into revealing credentials on a fake login page. The deceptive site forwards data to the real PyPI portal, exploiting trust without breaching the platform itself.

Jul 28, 2025

Cyware Daily Threat Intelligence, July 28, 2025

Spear-phishing emails are slipping past defenses in Russia’s aerospace industry. Operation CargoTalon, tied to threat cluster UNG0901, targets organizations like the Voronezh Aircraft Production Association with EAGLET malware hidden in fake invoice files, quietly siphoning off sensitive data to a C2 server. A slew of vulnerabilities in Tridium’s Niagara Framework demands urgent attention. Over a dozen high-severity flaws, including CVE-2025-3936 through CVE-2025-3945, could let attackers exploit misconfigured systems for remote code execution or persistent access, threatening critical infrastructure. Scattered Spider is turning social engineering into a devastating weapon. By posing as employees to reset Active Directory passwords, the group swiftly escalates privileges, hijacks VMware ESXi hypervisors, and deploys ransomware to paralyze virtual environments in retail and transportation sectors within hours.

Jul 25, 2025

Cyware Daily Threat Intelligence, July 25, 2025

A browser tweak here, a fake mod there, and suddenly your crypto wallet spills its secrets. In a new campaign, the Scavenger trojan exploits DLL Search Order Hijacking to infiltrate password managers and wallets like MetaMask, Bitwarden, and Exodus. Delivered via fake game mods and malicious sites, the trojan uses multi-stage loaders and obfuscation. Not every scam needs sophistication, sometimes all it takes is a lonely heart and a convincing profile picture. SarangTrap, a massive mobile spyware campaign, is luring victims on Android and iOS through fake dating apps. With over 250 malicious APKs and nearly 90 phishing domains, the campaign uses emotional manipulation and search engine indexing to appear credible. Fire Ant doesn’t crash through the front door, it slips in quietly, sets up shop, and rewires the building. This advanced China-linked actor is targeting VMware ESXi and vCenter servers using old vulnerabilities to establish espionage footholds. The attackers extract credentials, deploy stealthy backdoors, and tamper with logs to stay hidden.

Jul 24, 2025

Cyware Daily Threat Intelligence, July 24, 2025

Storm-2603 is slipping through SharePoint’s cracks and locking the doors behind it. The suspected China-based threat group is exploiting two SharePoint vulnerabilities to deploy Warlock ransomware. The group uses Mimikatz for credential theft and moves laterally with PsExec. At least 400 organizations have already been impacted. When your router has more holes than a sieve, it’s time to worry. Researchers uncovered several critical vulnerabilities in Weidmueller IE-SR-2TX industrial routers. These flaws allow remote attackers to gain root-level code execution, posing a significant risk to industrial networks and critical infrastructure. Chaos by name, chaos by method. A new RaaS group called Chaos is conducting high-impact ransomware campaigns through a number of tactics, using remote management tools for long-term access. Chaos supports multiple platforms and avoids politically sensitive or healthcare-related victims, offering automated control panels and individualized encryption keys per infection.

Jul 23, 2025

Cyware Daily Threat Intelligence, July 23, 2025

A trusted source turned treacherous. Hackers launched a supply chain attack on Arch Linux by slipping malware into three AUR packages. These packages silently deployed a RAT that gave attackers persistent control over infected machines. The backdoor executed during installation and remained undetected for 46 hours before Arch’s security team intervened. No login needed, just code execution. Cisco has confirmed active exploitation of three zero-day RCE flaws in its ISE. Attackers can exploit these bugs via crafted API requests to run arbitrary commands, upload malware, and escalate privileges to root - all without authentication. Mimo is getting stealthier and greedier. The financially motivated group has moved from targeting Craft CMS to Magento, exploiting PHP-FPM vulnerabilities to deploy malware via fileless techniques. Its monetization play is twofold - mining Monero through cryptojacking and running proxyjacking operations via IPRoyal Pawns. The group also targets AWS environments by probing for SSH access using hardcoded usernames.

Jul 22, 2025

Cyware Daily Threat Intelligence, July 22, 2025

Greedy Sponge isn’t just soaking up data, it’s draining bank accounts. Active since 2021, this financially motivated threat group targets Mexican organizations using a modified AllaKore RAT and SystemBC malware to carry out fraud. Delivered via spear-phishing and drive-by downloads, the malware is geofenced to avoid exposure and now includes server-side payload delivery and secondary infections to bypass detection. What looks like a Google Doc or Steam message may be ACRStealer in disguise. Now rebranded as AmateraStealer, this infostealer uses the Dead Drop Resolver method to communicate via legitimate services, recently adopting stronger evasion features. Ongoing updates and variants have made Amatera one of the most active and elusive stealers currently circulating. Two bugs, one big hole. Apache Jena has been found vulnerable to critical flaws (CVE-2025-49656 and CVE-2025-50151) that allow administrators to create or access files outside intended directories, undermining system sandboxing. Though both require admin privileges, they pose serious risks in shared environments or if admin credentials are compromised. Users are urged to upgrade to version 5.5.0 to patch the flaws.

Jul 21, 2025

Cyware Daily Threat Intelligence, July 21, 2025

Jul 18, 2025

Cyware Daily Threat Intelligence, July 18, 2025

The H2Miner botnet has resurfaced with updated scripts that mine Monero, kill rival malware, and deploy multiple malware. Bundled with it is Lcrypt0rx, a likely AI-generated ransomware that exhibits sloppy logic, malformed syntax, and weak encryption using XOR. Cisco Talos uncovered a MaaS campaign targeting Ukraine, where attackers used Amadey malware and GitHub repositories to stage payloads. The setup mimics tactics from a SmokeLoader phishing operation, with obfuscated JavaScript loaders and Emmenthal plugins helping evade detection and filter-based defenses. In a sharp postmortem from Pwn2Own Berlin, VMware patched four zero-day flaws exploited during the contest. Three high-severity bugs let attackers break out of guest VMs, while a fourth in VMware Tools leaks sensitive host info. Separately, the Scanception campaign is sneaking into inboxes via QR code phishing PDFs.

Jul 17, 2025

Cyware Daily Threat Intelligence, July 17, 2025

A persistent backdoor is giving UNC6148 quiet, long-term access to SonicWall SMA appliances. The group is using stolen credentials—and possibly a zero-day—to deploy OVERSTEP malware. It steals sensitive data, maintains stealth, and executes commands through web requests. Over 600 malicious domains are distributing fake Telegram APKs to unsuspecting users. Most are hosted in China and exploit the Janus vulnerability in Android. These APKs request broad permissions, bypass security protocols, and enable full device control. Oracle’s July 2025 patch update is a heavyweight. It includes 309 fixes across products like Communications, MySQL, Java SE, and Fusion Middleware. Of the nearly 200 CVEs addressed, 127 can be exploited remotely without authentication. An additional 20 Solaris patches target flaws with similar reach.

Jul 16, 2025

Cyware Daily Threat Intelligence, July 16, 2025

A harmless-looking app on Google Play may have a malicious twin elsewhere. A new Konfety variant uses the same package name as a legitimate app but hides the real payload in a lookalike version distributed through third-party stores. It employs obfuscation tactics to evade detection, while leveraging the CaramelAds SDK. Some malware no longer travels through links or attachments, it hides in plain text. Researchers have spotted attackers embedding payloads in DNS records, allowing malware to slip past traditional security tools. By encoding binaries as hex and retrieving them during DNS resolution, this technique avoids common detection points and delivers disruptive code without a visible trace. One sandbox escape makes five. Google patched a high-severity Chrome flaw that lets attackers break out of the browser’s sandbox using crafted HTML and unvalidated GPU commands. The update also addressed issues in V8 and WebRTC, but only CVE-2025-6558 was under active exploitation, making it the fifth Chrome zero-day of the year.

Jul 15, 2025

Cyware Daily Threat Intelligence, July 15, 2025

A quiet but deliberate campaign is now zeroing in on Southeast Asia’s trade secrets. HazyBeacon, a newly identified Windows backdoor, is targeting government entities with an eye on sensitive tariff and trade data. It uses DLL side-loading and communicates through AWS Lambda URLs, helping it blend in with legitimate cloud activity while quietly collecting targeted documents. Developers are once again in the crosshairs of North Korean threat actors. As part of the ongoing Contagious Interview campaign, attackers have pushed 67 malicious npm packages carrying XORIndex, a malware loader designed to steal browser data, crypto wallet info, and deploy Python-based backdoors. With over 17,000 downloads and manipulated package metrics, the threat is both widespread and deceptive. An invisible prompt is all it takes to turn Gemini into a phishing assistant. Attackers are exploiting Google’s Gemini AI for Workspace by hiding malicious instructions in emails using HTML and CSS. When Gemini generates a summary, it unknowingly includes phishing content redirecting users to malicious sites. Suggested defenses focus on stripping hidden content and warning users not to rely on AI summaries for security cues.