Cyware Daily Threat Intelligence, June 16, 2025

shutterstock 1728601711

Daily Threat Briefing June 16, 2025

A trusted developer platform is now a delivery system for stealthy malware. The newly uncovered threat actor Water Curse is abusing GitHub to distribute weaponized repositories aimed at cybersecurity pros, game developers, and DevOps teams. With payloads hidden in build scripts and obfuscated, the campaign enables data theft, remote access, and persistent control.

Some ransomware isn’t just extorting, it’s erasing everything in its path. Anubis, a new RaaS group, adds a destructive twist with its “wipe mode,” ensuring file recovery is impossible even if a ransom is paid. With ties to the older Sphinx malware, Anubis is now offering flexible affiliate terms, data extortion, and encryption via ECIES.

A critical bug is still lurking across thousands of Grafana dashboards. A client-side redirect flaw leaves over 46,000 internet-facing Grafana instances at risk of account takeovers and plugin-based attacks. Despite a patch issued in May, more than a third of deployments remain exposed.

Top Malware Reported in the Last 24 Hours

Water Curse drops multistage malware

Water Curse is a newly identified threat actor exploiting GitHub to distribute weaponized repositories containing multistage malware. At least 76 GitHub accounts are linked to the campaign, targeting cybersecurity professionals, game developers, and DevOps teams. The malware facilitates data exfiltration (credentials, browser data, session tokens), remote access, and long-term persistence. Malicious payloads are embedded in build scripts and project files, exploiting trust in open-source tools. The infection chain includes obfuscated VBS and PowerShell scripts, encrypted payloads, and anti-debugging techniques. Attackers use privilege escalation, registry modifications, and scheduled tasks to maintain persistence. Water Curse employs a multivertical approach, targeting cybersecurity tools, game cheats, crypto wallets, and more.

Anubis: New RaaS emerges

Anubis is a newly identified RaaS group that integrates file encryption and destruction, making recovery impossible even if ransom is paid. The ransomware features a "wipe mode" that permanently erases files, adding a destructive element to its operations. Anubis runs a flexible affiliate program offering negotiable revenue splits and additional monetization paths like data extortion and access sales. The group evolved from an earlier malware sample called Sphinx, with improved branding and functionality. Anubis encrypts files using Elliptic Curve Integrated Encryption Scheme (ECIES), similar to other ransomware like EvilByte.

New Katz Stealer and its capabilities

Katz Stealer is a MaaS platform designed for credential theft, system fingerprinting, and stealthy persistence mechanisms. It targets sensitive information such as browser passwords, cookies, session tokens, cryptocurrency wallets, VPN and Wi-Fi credentials, and game accounts. Katz Stealer operates through phishing campaigns and fake software downloads, utilizing obfuscated JavaScript droppers and PowerShell loaders for infection. The malware employs advanced obfuscation techniques, including polymorphic string manipulation and in-memory execution, to evade detection. The malware hijacks Discord by modifying its JavaScript files, establishing a persistent backdoor for attacker control. It aggressively targets cryptocurrency wallets, scanning for desktop wallet files and browser-based wallet extensions to steal private keys and seeds.

GrayAlpha deploys PowerNet and NetSupport RAT

GrayAlpha, a cybercriminal group associated with FIN7, has been identified using new infrastructure for malware distribution. The group uses custom PowerShell loaders like PowerNet and MaskBat to deploy NetSupport RAT. Three primary infection vectors were identified: fake browser update pages, fake 7-Zip download sites, and the traffic distribution system (TDS TAG-124). Analysis reveals that while all three infection methods were used simultaneously, only the fake 7-Zip download pages remained active as of April.

Top Vulnerabilities Reported in the Last 24 Hours

Bug impacts 46,000+ Grafana instances

Over 46,000 internet-facing Grafana instances are vulnerable to a client-side open redirect flaw. Tracked as CVE-2025-4123, the vulnerability allows attackers to execute malicious plugins and perform account takeovers. The bug affects multiple versions of Grafana and was patched on May 21. Despite the fix, approximately 36% of Grafana instances remain unpatched. Attackers can exploit this flaw to hijack user sessions, change account credentials, and, if the Grafana Image Renderer plugin is installed, conduct SSRF attacks. The exploitation process does not require elevated privileges or authentication, significantly increasing the risk of attacks.

Tenable patches high-severity flaws

Tenable has patched three high-severity vulnerabilities in its Nessus Agent for Windows, tracked as CVE-2025-36631, CVE-2025-36632, and CVE-2025-36633. These flaws could allow non-administrative users to overwrite local system files, execute arbitrary code, and delete files with System privileges. The vulnerabilities affect Nessus Agent versions 10.8.4 and earlier. The first vulnerability (CVE-2025-36631) has a CVSS score of 8.4, while the second (CVE-2025-36632) scores 7.8, and the third (CVE-2025-36633) scores 8.8. Tenable has released version 10.8.5 to address these issues. 

Critical vulnerability in IBM BRMS for i

A critical vulnerability (CVE-2025-33108) has been identified in IBM Backup, Recovery, and Media Services (BRMS) for i versions 7.5 and 7.4, allowing attackers to escalate privileges and execute malicious code with system-level access. This flaw arises from an unqualified library call within the BRMS program and is classified as CWE-250: Execution with Unnecessary Privileges. Exploitation requires network access and low user privileges, posing significant risks to enterprise environments where backup systems often have extensive access. The vulnerability carries a CVSS base score of 8.5, indicating high severity, and could compromise the confidentiality, integrity, and availability of affected systems.

Related Threat Briefings

Jun 13, 2025

Cyware Daily Threat Intelligence, June 13, 2025

CyberEye lowers the barrier for cybercrime with a plug-and-play toolkit. This .NET-based RAT uses Telegram for command and control while offering modules for keylogging, credential theft, and platform-specific data grabbing. Its built-in evasion tactics and easy-to-use builder make it accessible even to low-skill attackers. Unpatched IT tools are once again opening the door to ransomware attacks. CISA has warned about vulnerabilities in SimpleHelp RMM software being exploited by groups like Play and DragonForce in double-extortion campaigns. The flaws, including CVE-2024-57727, have already led to breaches in sectors like utility billing. A subtle tweak in language could be all it takes to fool your AI. The TokenBreak attack manipulates how text is tokenized in classification models to sneak past defenses. While models using Unigram tokenization remain secure, others like BERT and RoBERTa are vulnerable—raising red flags for AI-based content moderation and detection systems.

Jun 12, 2025

Cyware Daily Threat Intelligence, June 12, 2025

Fog ransomware operators are blurring the line between admin tools and attack chains. In a recent incident, they deployed a mix of open-source and legitimate software to gain persistence and exfiltrate data undetected. The attack combined tools like Stowaway, Impacket, and 7-Zip to move laterally and quietly siphon off sensitive information. A flaw in Secure Boot could let attackers hijack your system before the OS even loads. It affects the UEFI firmware layer and allows unsigned code execution during boot, leading to persistent malware installation. The issue stems from a vulnerable BIOS flashing utility signed by Microsoft, raising concerns about trusted bootchain integrity. Legitimate testing tools are being twisted into powerful attack platforms. A campaign, dubbed UNK_SneakyStrike, has been using the TeamFiltration tool to compromise Microsoft Entra ID accounts and exploit services like OneDrive and Teams. Over 80,000 accounts have been targeted since late 2024, with activity tied to AWS-hosted infrastructure.

Jun 11, 2025

Cyware Daily Threat Intelligence, June 11, 2025

Recruiters are the new targets in FIN6’s evolving playbook. The financially motivated group is impersonating job seekers on platforms, sending phishing emails that deliver malware through deceptive resumes. Using AWS-hosted sites and fingerprinting tactics, they deploy the More Eggs backdoor to steal credentials and pivot further. Adobe just patched a mountain of vulnerabilities - most of them XSS. A total of 254 flaws were addressed across multiple products, with many posing risks of arbitrary code execution. Key patches include CVE-2025-47110 and CVE-2025-43585, both rated high in severity and impact. A sprawling scam network is impersonating trusted brands at scale. Researchers uncovered over 4,000 domains tied to GhostVendors, a fake marketplace campaign abusing Meta’s ad system to evade detection. By spoofing major brands and rotating scam sites, the operation continues to lure users into fraudulent purchases.

Jun 10, 2025

Cyware Daily Threat Intelligence, June 10, 2025

Fake wallet apps are slipping through the cracks on Google Play. Over 20 phishing applications impersonating popular crypto wallets have been found stealing mnemonic phrases to drain users’ funds. Distributed via compromised developer accounts, the apps have been linked to over 50 phishing domains. Wazuh servers are now a hot target for botnet operators. Researchers observed active exploitation of a critical flaw allowing remote code execution via unsanitized API requests. Both a Mirai variant and the Resbot botnet are abusing the flaw to infect IoT devices with malware across multiple architectures. Another day, another remote code execution bug patched under pressure. A critical RCE vulnerability in ManageEngine Exchange Reporter Plus has been patched following its discovery in the Content Search module. Attackers could use it to take over systems entirely, prompting an emergency update from ManageEngine.

Jun 9, 2025

Cyware Daily Threat Intelligence, June 09, 2025

What looks like support for defectors may actually be spyware in disguise. Kimsuky launched a stealthy campaign, targeting defense entities, activists, and crypto exchanges through Facebook impersonations, spear-phishing emails, and Telegram messages. Malware is delivered via EGG archives and disguised outreach, using encoded scripts, malicious DLLs, and registry tweaks. Malicious packages are creeping into trusted ecosystems under familiar names. A new supply chain attack compromised 16 packages linked to GlueStack, enabling command execution, data theft, and file deletion. The packages posed as developer tools or Instagram growth apps, stealing credentials and relaying them to external bot services. An old botnet just found a new way in. A Mirai variant is actively exploiting a command injection vulnerability in TBK DVR-4104 and DVR-4216 devices, to conscript them into a botnet for DDoS attacks. The exploit enables attackers to run shell commands via POST requests.

Jun 6, 2025

Cyware Daily Threat Intelligence, June 06, 2025

A silent takeover is unfolding through cheap, everyday smart devices. The FBI has reported over a million infections tied to BADBOX 2.0, a malware campaign targeting uncertified Android-based smart TVs, tablets, and IoT devices. Preinstalled malware and rogue updates turn these devices into residential proxies, with infections spanning 222 countries. A harmless-looking paste site is quietly fueling major malware campaigns. Cybercriminals are leveraging Paste[.]ee to host malicious scripts that deliver strains like XWorm and AsyncRAT through phishing emails. The platform’s anonymity helps attackers avoid detection while executing keylogging, credential theft, and remote system manipulation. A spearphishing campaign is exploiting a critical flaw in Roundcube to compromise webmail users. Threat actor UNC1151 targeted Polish organizations using CVE-2024-42009 to execute JavaScript via XSS and plant a persistent Service Worker. The vulnerability affects multiple Roundcube versions and carries a CVSS score of 9.3.

Jun 5, 2025

Cyware Daily Threat Intelligence, June 05, 2025

Not all GitHub projects are built with good intentions. Researchers uncovered a widespread campaign involving more than 130 repositories booby-trapped with malware disguised as game cheats, hacking tools, and utilities. Hidden behind obfuscated code and automated workflows, the campaign deploys backdoors while using Telegram bots and paste sites to manage infections behind the scenes. Destruction masquerading as maintenance tools is hitting Ukraine’s infrastructure. Researchers attributed a new wiper malware called PathWiper to a Russia-linked APT group, targeting critical systems by leveraging legitimate administrative frameworks. The malware erases storage media and key file system data. Though reminiscent of HermeticWiper, PathWiper shows a more advanced method of drive targeting and destruction. Cisco is closing two critical gaps before attackers can exploit them further. A patch has been issued for CVE-2025-20129 in Cisco’s CCP chat interface, a flaw that could let attackers intercept sensitive data through manipulated HTTP requests. Another vulnerability, CVE-2025-20130 in Cisco ISE, allowed file uploads due to weak validation, now fixed in the latest patches for ISE versions up to 3.3.

Jun 4, 2025

Cyware Daily Threat Intelligence, June 04, 2025

Cybercriminals are turning CAPTCHA prompts into malware gateways. A recent multi-stage malware campaign is using spoofed sites like fake Git repositories and bogus Docusign pages to lure users into executing PowerShell scripts that drop NetSupport RAT. By layering downloaders that each fetch the next stage, the attackers dodge detection and prolong infection. In a similar vein, a free software download could end up costing your entire crypto wallet. ViperSoftX is back in circulation, targeting crypto users with malicious PowerShell scripts bundled into cracked apps, keygens, and torrent packages. Beyond wallet theft, it pulls in additional payloads like Quasar RAT and PureHVNC, while using scheduled tasks and registry tricks to quietly maintain persistence. Meanwhile, Google’s June 2025 Android security update fixed a slate of high-severity issues, including a critical privilege escalation vulnerability in the System component affecting Android 13, 14, and 15. While most bugs haven't been exploited in the wild, three Qualcomm-related flaws made it to CISA’s KEV Catalog. For detailed Cyber Threat Intel, click ‘Read More’.

Jun 3, 2025

Cyware Daily Threat Intelligence, June 03, 2025

A geopolitical ripple just triggered a global software supply chain scare. Socket has exposed a malicious campaign in the RubyGems ecosystem where two lookalike Fastlane plugins were used to siphon off Telegram bot tokens and messages. Timed around Vietnam’s Telegram ban, the attacker used typosquatting and subtle code tweaks - targeting affected developers and putting downstream users at risk worldwide. A silent zero-day is loose in the wild, and Google’s racing to contain it. Chrome users are urged to update immediately after Google issued an emergency patch for a high-severity flaw in the V8 JavaScript engine that’s already being exploited. Some attackers mine crypto, JINX-0132 mines misconfigurations. This threat actor is running a stealthy cryptojacking campaign against DevOps platforms, exploiting exposed defaults and overlooked RCE flaws. They stay under the radar while deploying XMRig miners across poorly secured cloud setups, many of which are still internet-facing and misconfigured.

Jun 2, 2025

Cyware Daily Threat Intelligence, June 02, 2025

A casual scroll through gaming forums or social media might land users in a trap they didn’t see coming. Cybercriminals are hijacking web traffic to lure users onto fake Booking[.]com sites with malicious CAPTCHA prompts that silently trigger harmful commands. The URLs shift constantly, and any site asking users to paste clipboard commands should raise serious red flags. A few swapped letters could be all it takes to get owned. A new supply chain attack targets Python and npm developers through typo-squatting and name confusion. The campaign spans both ecosystems, dropping platform-specific payloads that harvest environment data, evade antivirus tools, and create persistence. What began as one bug unraveled into a deeper security mess. Researchers uncovered multiple privilege escalation flaws in SonicWall’s NetExtender VPN client, letting local users achieve SYSTEM-level access or sabotage services. The discovery of CVE-2025-23007 led to a deeper dive, exposing two more high-risk vulnerabilities now patched in version 10.3.2.

May 30, 2025

Cyware Daily Threat Intelligence, May 30, 2025

Fake CAPTCHA prompts are now doing more than testing if you're human—they're installing malware. EDDIESTEALER, a new Rust-based infostealer, spreads through deceptive CAPTCHA pages that trigger malicious PowerShell scripts. The malware downloads obfuscated JavaScript and executable payloads designed to harvest credentials, browser data, and cryptocurrency wallets. A quiet but relentless campaign has been unfolding across multiple industries. The Chinese group Earth Lamia is targeting finance, government, logistics, and more by exploiting known web app vulnerabilities, including flaws in Apache Struts, GitLab, and WordPress. After gaining access, they deploy webshells, create admin accounts, and move laterally using a plethora of tools. Even Google's trusted ecosystem isn’t off-limits anymore. Attackers are misusing Google Apps Script to host phishing pages that convincingly imitate real login portals. The method allows them to slip through email filters by operating under Google's domain, tricking victims into handing over credentials before redirecting them to legitimate sites to avoid suspicion.

May 29, 2025

Cyware Daily Threat Intelligence, May 29, 2025

APT41 hides malware commands where no one’s looking: your calendar. In a creative twist on C2 infrastructure, China-backed APT41 embedded encrypted instructions inside Google Calendar events. Targets received ZIPs masquerading as PDFs, which deployed a multistage malware suite. The result: stealthy, long-term access across governments and industries. AyySSHush doesn’t make noise, it builds armies. More than 9,000 ASUS routers have been compromised by this botnet, which quietly slips in through a CVE-2023-39780 exploit. Attackers install persistent SSH backdoors, disable logging, and remain invisible through firmware updates. The campaign’s low network footprint hides a growing infrastructure of hijacked devices ready for future use. OneDrive’s permissions flaw lets apps peek at everything. A design issue in Microsoft’s OneDrive File Picker lets apps access more data than intended. Vague consent prompts and overly broad OAuth scopes mean entire OneDrive contents could be exposed. Microsoft hasn’t patched it yet, so users should tread carefully.