Cyware Daily Threat Intelligence, June 19, 2025

Daily Threat Briefing • June 19, 2025
Cloud services are being quietly turned into covert attack channels. The Serpentine#Cloud campaign is abusing Cloudflare Tunnels and Python to deploy fileless malware via invoice-themed phishing lures. Using layered scripts and memory-only payloads, the attack blends into normal traffic and ensures persistence through Windows startup routines, targeting users in the U.S., the U.K., and Germany.
Unsecured DVRs are once again powering a wave of botnet-driven DDoS attacks. A critical command injection flaw in TBK DVR devices is being exploited by multiple botnets to gain unauthenticated remote access. Tens of thousands of devices have been hijacked to expand large-scale attacks through malware like Mirai, Condi, and Fodcha.
Weak MySQL credentials are opening the door to full system compromise. ASEC has observed ongoing campaigns targeting mismanaged Windows-based MySQL servers in Korea, where attackers use brute-force techniques to deploy malware like Gh0stRAT and XWorm. With UDF modules and remote payloads, these intrusions enable deep access and persistent control.
SERPENTINE#CLOUD abuses Cloudflare Tunnels
The Serpentine#Cloud malware campaign has been abusing Cloudflare Tunnels to deliver Python-based malware and gain persistent access to systems. Threat actors lure users via phishing emails containing malicious .lnk files disguised as invoices or payment-themed documents. The infection chain runs through multiple stages, including batch files, VBScript, and Python scripts, to deploy shellcode and Donut-packed PE payloads entirely in memory. Persistence is established by placing malicious scripts in Windows startup directories, so the malware executes at every user login. Because the campaign relies on legitimate tools such as Cloudflare Tunnels and Python, its activity blends with normal traffic and evades detection. The campaign targets Western countries, including the U.S., the U.K., and Germany.
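A quick hunt for the persistence mechanism described above, as an added example (this is not Securonix's code and uses no indicators from the report): it walks the per-user and all-users Startup folders, flags script files of the kinds the chain drops, and flags shortcuts whose embedded target names a script interpreter. The interpreter list, the folder paths, and the simplified .lnk handling (a byte search in both the ANSI and UTF-16LE copies of the target string rather than a full Shell Link parse) are assumptions of the example; the files that demo() builds in a temporary directory are constructed.

```python
"""Scan Windows Startup folders for script-based persistence. Added example;
it is not code from the Securonix write-up and uses no indicators from it."""
import os
import re
from pathlib import Path

# Script types the reported infection chain drops (batch, VBScript, Python), plus
# neighbours an attacker could swap in. A legitimate Startup folder rarely holds any.
SCRIPT_SUFFIXES = {".bat", ".cmd", ".vbs", ".vbe", ".js", ".jse", ".py", ".pyw", ".ps1", ".wsf"}
# Interpreters a shortcut would have to launch to run such a script (assumed list).
INTERPRETER_RE = re.compile(
    rb"(cmd\.exe|wscript(?:\.exe)?|cscript(?:\.exe)?|pythonw?(?:\.exe)?"
    rb"|powershell(?:\.exe)?|mshta(?:\.exe)?)", re.I)


def startup_dirs():
    """The per-user and all-users Startup folders on the running machine."""
    dirs = []
    for var, tail in (("APPDATA", "Microsoft/Windows/Start Menu/Programs/Startup"),
                      ("PROGRAMDATA", "Microsoft/Windows/Start Menu/Programs/StartUp")):
        base = os.environ.get(var)
        if base:
            dirs.append(Path(base) / tail)
    return dirs


def lnk_interpreter(data: bytes):
    """Best-effort: find an interpreter name in a .lnk's raw bytes.
    Shell links store the target path as ANSI in LinkInfo and as UTF-16LE in the
    string data, so check both encodings instead of parsing the full format."""
    for blob in (data, data.decode("utf-16-le", "ignore").encode("ascii", "ignore")):
        m = INTERPRETER_RE.search(blob)
        if m:
            return m.group(1).decode().lower()
    return None


def scan_startup_dir(directory):
    """Return (path, reason) pairs for files that warrant a look."""
    findings = []
    for p in sorted(Path(directory).rglob("*")):
        if not p.is_file():
            continue
        suffix = p.suffix.lower()
        if suffix in SCRIPT_SUFFIXES:
            findings.append((str(p), f"script file ({suffix}) in Startup"))
        elif suffix == ".lnk":
            interp = lnk_interpreter(p.read_bytes())
            if interp:
                findings.append((str(p), f"shortcut launches {interp}"))
    return findings


def demo():
    """Build a constructed Startup folder in a temp dir and scan it."""
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        base = Path(d)
        (base / "update.bat").write_text("@echo off\r\nstart pythonw.exe %APPDATA%\\x.py\r\n")
        # Fake .lnk contents: only the embedded target string matters to the scanner.
        (base / "Invoice.lnk").write_bytes(
            b"L\x00\x00\x00" + "C:\\Windows\\System32\\cmd.exe /c start".encode("utf-16-le"))
        (base / "OneDrive.lnk").write_bytes(
            b"L\x00\x00\x00" + b"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe")
        (base / "desktop.ini").write_text("[.ShellClassInfo]\r\n")
        return [(Path(p).name, reason) for p, reason in scan_startup_dir(base)]


if __name__ == "__main__":
    for d in startup_dirs():
        for path, reason in scan_startup_dir(d):
            print(f"{reason}: {path}")
```

Run it on a suspect host to list Startup entries worth pulling for analysis; a shortcut that launches cmd.exe or wscript is not proof of compromise on its own, so pair the hit with the shortcut's arguments and the file it points to.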
Banana Squad campaign targets GitHub repos
The Banana Squad threat group has been seeding GitHub with trojanized repositories. Over 60 repositories containing hundreds of malicious Python files were discovered. The files were disguised as hacking tools but contained backdoors. To hide the backdoor from a casual reading, the group padded lines with long runs of whitespace so that the malicious code sat far to the right, out of view in a normal editor or diff window. The repositories were created from fake GitHub accounts, each hosting only one repository. The primary domain associated with the campaign is "dieserbenni[.]ru," with a new domain, "1312services[.]ru," identified in June. The campaign, which began in April 2023, resulted in nearly 75,000 downloads before the malicious repositories were removed from GitHub.
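The whitespace trick is easy to check for mechanically. The scanner below is an added example (not Checkmarx's tooling or the repositories' code): it reports any line where visible code is followed by a long run of spaces or tabs and then more code, and marks the hidden tail as dangerous if it calls the usual loaders. The gap threshold of 120 characters and the keyword list are assumptions; the sample "tool" source is constructed, and its hidden payload only decodes to a print statement and is never executed.

```python
"""Flag source lines that hide code behind long runs of whitespace. Added example,
not the researchers' or the repositories' code; the sample file is constructed."""
import re
from pathlib import Path

# Constructed "hacking tool" source: line 3 carries a second statement pushed far to
# the right, where a narrow editor or a code-hosting diff view never shows it.
SAMPLE_SOURCE = (
    "import sys\n"
    "def run(target):\n"
    '    print("scanning", target)' + " " * 400
    + ';exec(__import__("base64").b64decode("cHJpbnQoJ2hpJyk="))\n'
    'run(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1")\n'
)

# Calls a hidden tail would typically use to load or run a payload (assumed list).
DANGEROUS = re.compile(
    r"\b(exec|eval|__import__|b64decode|compile|urlopen|subprocess|os\.system)\b")


def find_hidden_code(source, min_gap=120):
    """Return one dict per line in which at least `min_gap` spaces/tabs separate
    visible code from further code on the same line. Pure indentation is not
    counted because the gap must be preceded by a non-space character."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        line = line.rstrip()
        m = re.search(rf"\S([ \t]{{{min_gap},}})(\S.*)$", line)
        if m:
            tail = m.group(2)
            findings.append({"line": lineno, "gap": len(m.group(1)), "hidden": tail,
                             "dangerous": bool(DANGEROUS.search(tail))})
    return findings


def scan_tree(root, min_gap=120):
    """Apply find_hidden_code to every .py file under root; yields (path, finding)."""
    for path in sorted(Path(root).rglob("*.py")):
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        for f in find_hidden_code(text, min_gap):
            yield str(path), f


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for path, f in scan_tree(sys.argv[1]):
            print(f"{path}:{f['line']} gap={f['gap']} dangerous={f['dangerous']}: {f['hidden'][:80]}")
    else:
        for f in find_hidden_code(SAMPLE_SOURCE):
            print(f)
```

String literals that legitimately contain long runs of spaces (fixed-width padding, ASCII art) will trip the gap check; the dangerous flag is what separates those from a hidden loader, so review flagged lines rather than auto-rejecting them.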
Attacks target MySQL servers with RATs
ASEC has identified ongoing attacks on poorly managed MySQL servers, particularly in Korea, that install malware including Gh0stRAT, AsyncRAT, XWorm, and HpLoader, as well as Zoho ManageEngine, a legitimate remote-management product abused as a remote-control tool. The targets are MySQL servers running on Windows: the attackers brute-force or dictionary-attack the administrator credentials, then use the resulting database access to stage further payloads. User Defined Function (UDF) malware, a DLL uploaded through the database and registered as a UDF, gives them operating-system command execution from SQL queries, and some variants download and execute additional payloads from C&C servers.
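Both halves of that intrusion leave traces in MySQL's general query log: the password guessing shows up as repeated failed Connect entries, and the UDF stage is a recognisable sequence of a SELECT ... INTO DUMPFILE that drops a library into the plugin directory, a CREATE FUNCTION ... SONAME that registers it, and a call to the new function. The detector below is an added example (not ASEC's code); the log lines it parses are constructed, the general-log format it assumes is the MySQL 5.7/8.0 layout of timestamp, connection id, command and argument, and the brute-force threshold of five failures is an assumption.

```python
"""Detect MySQL brute force and UDF-based command execution in the general query
log. Added example; the log lines are constructed, not taken from the ASEC report."""
import os
import re
from collections import defaultdict

# MySQL 5.7+/8.0 general log line: <timestamp> <connection id> <command> <argument>
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<id>\d+)\s+(?P<cmd>\w+)\s*(?P<arg>.*)$")
DENIED_RE = re.compile(r"Access denied for user '([^']*)'@'([^']+)'")
CONNECT_RE = re.compile(r"^(\S+?)@(\S+) on\b")
# Stage 1: write a DLL to disk with SELECT ... INTO DUMPFILE (usually into @@plugin_dir)
DUMPFILE_RE = re.compile(r"INTO\s+DUMPFILE\s+'([^']+)'", re.I)
# Stage 2: register that DLL as a user-defined function
UDF_RE = re.compile(
    r"CREATE\s+(?:AGGREGATE\s+)?FUNCTION\s+`?(\w+)`?\s+RETURNS\s+\w+\s+SONAME\s+'([^']+)'",
    re.I)

# Constructed sample: five failed logins, then a successful one that stages a UDF,
# plus an unrelated application session that merely mentions the function name.
SAMPLE_LOG = """\
2025-06-19T08:12:01.000001Z\t    5 Connect\tAccess denied for user 'root'@'203.0.113.5' (using password: YES)
2025-06-19T08:12:01.000002Z\t    6 Connect\tAccess denied for user 'root'@'203.0.113.5' (using password: YES)
2025-06-19T08:12:01.000003Z\t    7 Connect\tAccess denied for user 'root'@'203.0.113.5' (using password: YES)
2025-06-19T08:12:01.000004Z\t    8 Connect\tAccess denied for user 'root'@'203.0.113.5' (using password: YES)
2025-06-19T08:12:01.000005Z\t    9 Connect\tAccess denied for user 'root'@'203.0.113.5' (using password: YES)
2025-06-19T08:12:02.000000Z\t   12 Connect\troot@203.0.113.5 on  using TCP/IP
2025-06-19T08:12:03.000000Z\t   12 Query\tSELECT @@version_compile_os, @@plugin_dir
2025-06-19T08:12:04.000000Z\t   12 Query\tSELECT 0x4D5A9000 INTO DUMPFILE 'C:/ProgramData/MySQL/MySQL Server 8.0/lib/plugin/udf.dll'
2025-06-19T08:12:05.000000Z\t   12 Query\tCREATE FUNCTION sys_exec RETURNS INTEGER SONAME 'udf.dll'
2025-06-19T08:12:06.000000Z\t   12 Query\tSELECT sys_exec('cmd /c echo constructed-sample')
2025-06-19T08:12:07.000000Z\t   13 Connect\tapp@10.0.0.7 on  using TCP/IP
2025-06-19T08:12:08.000000Z\t   13 Query\tSELECT id FROM orders WHERE note = 'sys_exec'
"""


def analyse_general_log(lines, brute_threshold=5):
    """Return a list of finding dicts, in log order."""
    denied = defaultdict(int)   # source host -> failed logins
    sessions = {}               # connection id -> {host, dumped paths, registered UDFs}
    findings = []

    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        cid, cmd, arg = m["id"], m["cmd"], m["arg"]

        if cmd == "Connect":
            d = DENIED_RE.search(arg)
            if d:
                host = d.group(2)
                denied[host] += 1
                if denied[host] == brute_threshold:
                    findings.append({"kind": "brute_force", "host": host,
                                     "user": d.group(1), "failures": denied[host]})
            else:
                c = CONNECT_RE.match(arg)
                sessions[cid] = {"host": c.group(2) if c else "?", "dumped": [], "udfs": set()}
            continue

        if cmd != "Query":
            continue
        s = sessions.setdefault(cid, {"host": "?", "dumped": [], "udfs": set()})

        d = DUMPFILE_RE.search(arg)
        if d:
            s["dumped"].append(d.group(1))
            findings.append({"kind": "file_write", "conn": cid, "host": s["host"],
                             "path": d.group(1)})

        u = UDF_RE.search(arg)
        if u:
            name, lib = u.group(1).lower(), u.group(2)
            s["udfs"].add(name)
            # Tie the registration back to a file this same session wrote.
            staged = any(os.path.basename(p.replace("\\", "/")) == lib for p in s["dumped"])
            findings.append({"kind": "udf_registered", "conn": cid, "host": s["host"],
                             "function": name, "library": lib, "staged_by_dumpfile": staged})
            continue

        for name in s["udfs"]:
            if re.search(rf"\b{re.escape(name)}\s*\(", arg, re.I):
                findings.append({"kind": "udf_called", "conn": cid, "host": s["host"],
                                 "function": name, "query": arg})
    return findings


def demo():
    return analyse_general_log(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in demo():
        print(f)
```

The same CREATE FUNCTION ... SONAME and INTO DUMPFILE patterns are worth alerting on from audit-plugin or proxy logs when the general log is off, and a periodic SELECT * FROM mysql.func on the server lists every UDF currently registered; on a Windows MySQL server that has no business running UDFs, that table should be empty.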
ACR Stealer rebrands itself
Proofpoint identified Amatera Stealer as a rebranded version of ACR Stealer, with significant code overlap and enhanced capabilities. Amatera is sold as MaaS via subscription plans and is distributed through compromised websites using ClearFake web injects, malicious scripts, and social engineering techniques such as fake CAPTCHAs. For C2 communication the malware uses NTSockets, talking to the network below the traditional Windows networking APIs that many monitoring hooks sit on. It also uses WoW64 syscalls to resolve and invoke Windows APIs dynamically, bypassing user-mode hooks and analysis tools.
New bug in Apache Traffic Server
A newly disclosed vulnerability in Apache Traffic Server (ATS), tracked as CVE-2025-49763, allows attackers to abuse the Edge Side Includes (ESI) plugin to trigger denial-of-service (DoS) conditions through memory exhaustion. The issue affects ATS versions 9.0.0 through 9.2.10 and 10.0.0 through 10.0.5. Apache has released patched versions (9.2.11 and 10.0.6) that add configuration options, including a --max-inclusion-depth setting that caps how deeply ESI includes may nest.
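The shape of that fix, as an added example in a toy ESI resolver (this is not Apache Traffic Server's plugin code): without a cap, a fragment set in which includes reference each other, or a chain nested deeper than the server can hold, keeps allocating buffers on every level; with a cap, expansion fails closed once nesting exceeds it. The assumption that the reported memory exhaustion comes from unbounded include nesting is the example's, inferred from the name of the new option, and the fragments are constructed.

```python
"""ESI include expansion with and without a nesting cap. Added example: a toy
resolver, not Apache Traffic Server's ESI plugin; the fragments are constructed."""
import re

ESI_INCLUDE = re.compile(r'<esi:include\s+src="([^"]+)"\s*/>')

# Constructed origin fragments. /a and /b include each other, so expansion never ends.
CYCLIC_FRAGMENTS = {
    "/index": 'header <esi:include src="/a"/> footer',
    "/a": 'A[<esi:include src="/b"/>]',
    "/b": 'B[<esi:include src="/a"/>]',
}
# A well-formed page: two levels of nesting.
SAFE_FRAGMENTS = {
    "/page": 'x<esi:include src="/nav"/>y',
    "/nav": 'nav(<esi:include src="/user"/>)',
    "/user": "alice",
}


class InclusionDepthExceeded(Exception):
    pass


def resolve(url, fragments, max_depth=None, _depth=0):
    """Expand <esi:include> tags recursively.

    max_depth=None models the unbounded behaviour: nothing stops a cycle or a
    deeply nested chain, so every level holds another buffer until the process
    runs out of memory (in this toy, Python's recursion limit trips first).
    With a cap, the resolver fails closed once includes nest deeper than it,
    which is the role of the patched plugin's --max-inclusion-depth option."""
    if max_depth is not None and _depth > max_depth:
        raise InclusionDepthExceeded(f"{url} at depth {_depth}")
    body = fragments[url]
    return ESI_INCLUDE.sub(
        lambda m: resolve(m.group(1), fragments, max_depth, _depth + 1), body)


def safe_resolve(url, fragments, max_depth=None):
    """Run resolve() and report how it ended instead of raising."""
    try:
        return ("ok", resolve(url, fragments, max_depth))
    except InclusionDepthExceeded as e:
        return ("depth_exceeded", str(e))
    except RecursionError:
        return ("recursion_error", None)


if __name__ == "__main__":
    print(safe_resolve("/page", SAFE_FRAGMENTS, 3))     # ('ok', 'xnav(alice)y')
    print(safe_resolve("/index", CYCLIC_FRAGMENTS, 3))  # ('depth_exceeded', '/b at depth 4')
    print(safe_resolve("/index", CYCLIC_FRAGMENTS))     # ('recursion_error', None)
```

When upgrading, set the depth to the deepest nesting your own templates legitimately use rather than leaving it generous: the cap is the only thing standing between an attacker-influenced include and the server's memory.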
Active Exploitation of CVE-2024-3721 in TBK DVRs
A critical command injection vulnerability, CVE-2024-3721, in TBK DVR devices is being actively exploited by multiple botnet operators. The flaw allows unauthenticated remote code execution through crafted HTTP requests, so an attacker can take control of an exposed DVR without credentials and enlist it in botnets such as Mirai, Condi, Fodcha, and Unstable, which are used to launch large-scale DDoS attacks; every conscripted device adds to the scale and impact of those campaigns. According to researchers, 68,596 detection events have been recorded, indicating the scale of the threat.
APT29 abuses Gmail app passwords
A Russian state-sponsored actor, tracked as UNC6293, impersonated the U.S. Department of State to target prominent academics and critics of Russia between April and June 2025. The attackers used patient, well-crafted phishing, including fake meeting invitations and spoofed Department of State email addresses, to build rapport and legitimacy. A PDF lure, itself carrying no malware, then walked victims through creating application-specific passwords (ASPs) and handing them over; because an ASP lets a mail client sign in without the account's second factor, the attackers used them to gain persistent access to the victims' Gmail accounts. Two campaigns were identified: one using the ASP name "ms.state.gov" and another with Ukrainian- and Microsoft-themed ASP names, with the attackers connecting through residential proxies and VPS servers.