Cyware Daily Threat Intelligence, June 23, 2025

Daily Threat Briefing • June 23, 2025
A fake Windows update might just be the start of something worse. The EvilConwi campaign is abusing ConnectWise ScreenConnect to deliver signed malware through tampered installers. Using phishing links hosted on Canva and Facebook ads, attackers lure victims into downloading infected software; the installers carry their malicious configuration through Authenticode stuffing, and victims see erratic system behavior while the host is quietly compromised.
A handful of outdated routers is all it takes to build a persistent espionage network. The LapDogs campaign is targeting SOHO devices with a custom backdoor called ShortLeash, giving attackers root access and control over compromised systems. Spoofed Nginx servers and TLS certificates help mask the activity, with signs pointing to China-nexus threat actors based on the tooling and code comments.
Resetting an admin password shouldn’t be this easy. A bug in the WordPress Motors theme allows attackers to hijack websites by exploiting a flaw in the password recovery function. Despite a patch, widespread inaction has led to a surge in attacks, with thousands of login takeovers and persistent backdoor accounts being reported.
ConnectWise abused to deploy signed malware
A new malware campaign tracked as EvilConwi is actively abusing ConnectWise’s ScreenConnect software to distribute signed malware. This follows earlier exploitation of CVE-2024-1708 and CVE-2024-1709 in February 2024. Threat actors leverage poor signing practices and Authenticode stuffing to embed malicious configurations into legitimate ConnectWise installers. Since March 2025, there has been a surge in infections involving maliciously signed ConnectWise samples. Victims often report symptoms such as fake Windows update screens and erratic mouse movement. Infection vectors typically begin with phishing emails linking to Canva pages or Facebook ads, which lead to the download of trojanized ConnectWise installers.
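The Authenticode hash of a PE file deliberately excludes the certificate table, so bytes appended inside that table do not break the signature, which is what makes "stuffing" a configuration into a signed installer possible. The following check, an added example that is not code from the original briefing nor from ConnectWise or the researchers who reported EvilConwi, locates the security data directory of a PE file, measures the outer PKCS#7 DER object in the first WIN_CERTIFICATE entry, and reports any bytes after it that are more than ordinary 8-byte alignment padding. The PE image and the "signature" it inspects are constructed placeholders built in the same block, not real binaries. One caveat: data tucked inside the PKCS#7 structure itself (for example in an unauthenticated attribute) lies within the DER object and is not visible to this length check; catching that needs a full CMS parser.

```python
import struct

# --- Minimal DER helpers: enough to measure the outer PKCS#7 SEQUENCE ---

def der_length(n: int) -> bytes:
    """Encode a DER length (short form below 0x80, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_sequence(content: bytes) -> bytes:
    """Wrap content in a DER SEQUENCE (tag 0x30)."""
    return b"\x30" + der_length(len(content)) + content

def der_object_size(buf: bytes, off: int = 0) -> int:
    """Total size (tag + length + content) of the DER SEQUENCE starting at buf[off]."""
    if buf[off] != 0x30:
        raise ValueError("certificate table does not begin with a DER SEQUENCE")
    first = buf[off + 1]
    if first < 0x80:
        return 2 + first
    nbytes = first & 0x7F
    if nbytes == 0 or nbytes > 4:
        raise ValueError("unsupported DER length encoding")
    return 2 + nbytes + int.from_bytes(buf[off + 2 : off + 2 + nbytes], "big")

# --- PE parsing: locate IMAGE_DIRECTORY_ENTRY_SECURITY (data directory index 4) ---

def find_security_directory(pe: bytes):
    """Return (file_offset, size) of the certificate table, or None if unsigned."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew : e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    opt = e_lfanew + 4 + 20                      # optional header follows the COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x20B:                           # PE32+
        count_off, dir_base = opt + 108, opt + 112
    elif magic == 0x10B:                         # PE32
        count_off, dir_base = opt + 92, opt + 96
    else:
        raise ValueError("unknown optional header magic")
    if struct.unpack_from("<I", pe, count_off)[0] <= 4:
        return None
    # For the security directory the "VirtualAddress" field is a raw file offset.
    off, size = struct.unpack_from("<II", pe, dir_base + 4 * 8)
    return (off, size) if off and size else None

def audit_certificate_table(pe: bytes) -> dict:
    """Report bytes in the first WIN_CERTIFICATE that lie outside the PKCS#7 DER object."""
    loc = find_security_directory(pe)
    if loc is None:
        return {"signed": False, "der_size": 0, "trailing_bytes": 0, "suspicious": False}
    off, size = loc
    table = pe[off : off + size]
    if len(table) != size:
        raise ValueError("certificate table runs past end of file")
    dw_length, _revision, cert_type = struct.unpack_from("<IHH", table, 0)
    if cert_type != 0x0002:                      # WIN_CERT_TYPE_PKCS_SIGNED_DATA
        raise ValueError("unexpected certificate type %#x" % cert_type)
    der_size = der_object_size(table, 8)
    trailing = table[8 + der_size : dw_length]
    # Up to 7 zero bytes of 8-byte alignment padding is normal; anything else is not.
    padding_only = len(trailing) < 8 and not any(trailing)
    return {"signed": True, "der_size": der_size,
            "trailing_bytes": len(trailing), "suspicious": not padding_only}

# --- Constructed sample inputs: a placeholder signature blob and a header-only PE ---

def win_certificate(pkcs7: bytes, stuffed: bytes = b"") -> bytes:
    """Build a WIN_CERTIFICATE blob, optionally with extra bytes after the DER object."""
    body = pkcs7 + stuffed
    length = 8 + len(body)
    padded = (length + 7) & ~7
    return struct.pack("<IHH", padded, 0x0200, 0x0002) + body + b"\0" * (padded - length)

def build_pe(cert_table: bytes) -> bytes:
    """Header-only PE32+ image with the certificate table appended at offset 512."""
    hdr = bytearray(512)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)      # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    # COFF header: x64, 0 sections, 240-byte optional header, EXECUTABLE_IMAGE|LARGE_ADDRESS_AWARE
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x8664, 0, 0, 0, 0, 240, 0x22)
    opt = 0x58
    struct.pack_into("<H", hdr, opt, 0x20B)      # PE32+ magic
    struct.pack_into("<I", hdr, opt + 108, 16)   # NumberOfRvaAndSizes
    if cert_table:
        struct.pack_into("<II", hdr, opt + 112 + 4 * 8, len(hdr), len(cert_table))
    return bytes(hdr) + cert_table

# Placeholder PKCS#7 body (signedData OID plus filler, long enough to use a long-form length).
SAMPLE_PKCS7 = der_sequence(b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02" + b"\x04\x81\x80" + b"\x00" * 128)
SMUGGLED_BLOB = b"[constructed configuration blob appended after the signature]"

if __name__ == "__main__":
    print("clean   ", audit_certificate_table(build_pe(win_certificate(SAMPLE_PKCS7))))
    print("stuffed ", audit_certificate_table(build_pe(win_certificate(SAMPLE_PKCS7, SMUGGLED_BLOB))))
    print("unsigned", audit_certificate_table(build_pe(b"")))
```

On a real installer, read the file into `pe` and call `audit_certificate_table(pe)`; a non-zero `trailing_bytes` with `suspicious` set means the file still verifies as signed even though it carries bytes the signer never hashed, which is exactly the condition worth flagging at download or deployment time.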
Confucius APT releases new Anondoor backdoor
The Confucius APT group has introduced a new modular backdoor named Anondoor, aimed at enhancing its cyber-espionage capabilities. This sophisticated framework allows for the delivery of customized payloads while effectively evading traditional sandbox detection methods. Anondoor operates through a malicious .lnk file that downloads multiple payloads, including a C# DLL containing the backdoor and a legitimate executable that runs it. It collects detailed system information, such as OS version and IP addresses, and communicates with its C2 server using dynamic parameters to retrieve additional instructions.
Stealthy backdoor targets Linux SOHO devices
Researchers have identified a backdoor campaign named LapDogs, which targets Linux-based SOHO devices, particularly in the U.S., Japan, South Korea, Taiwan, and Hong Kong. The campaign employs a custom backdoor called ShortLeash, granting attackers root access and enabling them to set up fake Nginx servers with spoofed TLS certificates. Over 1,000 infected nodes have been traced, primarily on outdated devices such as Ruckus Wireless and Buffalo AirStation routers. The operation exhibits structured campaign planning and consistent targeting patterns, suggesting links to China-nexus threat actors, as indicated by the use of Mandarin in code comments and tactics reminiscent of previous Chinese espionage efforts.
Mass exploitation of WordPress theme bug
Hackers are exploiting a critical privilege escalation vulnerability (CVE-2025-4322) in the WordPress Motors theme to hijack administrator accounts and gain full control of websites. The vulnerability, discovered on May 2, allows attackers to reset administrator passwords due to improper user identity validation in the password update process. StylemixThemes released a patch (version 5.6.68) on May 14, but many users did not apply the update, leaving them exposed to attacks. Attacks began on May 20, with a surge observed by June 7, as Wordfence reported blocking over 23,000 attack attempts. The flaw lies in the Login Register widget of the theme, where attackers exploit the password recovery functionality to reset admin passwords using crafted POST requests. After gaining access, attackers create new admin accounts for persistence, locking out original administrators.
Multiple flaws in Amazon EKS
Security researchers have identified critical vulnerabilities in Amazon Elastic Kubernetes Service (EKS) that could expose AWS credentials and enable privilege escalation. These flaws arise from misconfigured containers and excessive privileges, particularly in environments using the EKS Pod Identity feature. The vulnerabilities allow attackers to intercept credentials and manipulate network interfaces to gain unauthorized access to AWS resources. Exploitation of these vulnerabilities can lead to unauthorized access to AWS services, lateral movement within cloud environments, and potential compromise of sensitive data. The flaws highlight the risks associated with overprivileged containers and the importance of enforcing strict security boundaries in Kubernetes deployments.
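The briefing does not name the specific container settings involved, so the audit below is an added, hypothetical example rather than code from Amazon or from the researchers who reported the EKS flaws. It assumes that the "excessive privileges" at issue are the ones that let a container reach beyond its own network namespace or run as root: `privileged`, `hostNetwork`, and added capabilities such as `NET_ADMIN` and `NET_RAW` (the latter is part of the default container capability set, so it has to be dropped explicitly). It walks a pod manifest, already parsed into a dict, and returns one finding per risky setting; a weak and a hardened manifest are constructed inline. In production this kind of rule belongs in Pod Security Admission or a policy engine, but the logic is the same.

```python
# Capabilities that allow a container to manipulate network interfaces or escape its sandbox.
RISKY_CAPS = {"NET_ADMIN", "NET_RAW", "SYS_ADMIN"}

def audit_pod_spec(pod: dict) -> list:
    """Return human-readable findings for privilege settings a tenant workload should not have."""
    findings = []
    meta = pod.get("metadata") or {}
    spec = pod.get("spec") or {}
    pod_name = meta.get("name", "<unnamed>")
    pod_sc = spec.get("securityContext") or {}
    if spec.get("hostNetwork"):
        findings.append(f"{pod_name}: hostNetwork=true shares the node's network namespace")
    for c in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        cname = c.get("name", "<unnamed>")
        # Container-level securityContext overrides the pod-level one field by field.
        sc = {**pod_sc, **(c.get("securityContext") or {})}
        if sc.get("privileged"):
            findings.append(f"{pod_name}/{cname}: privileged=true")
        caps = sc.get("capabilities") or {}
        added = {cap.upper() for cap in caps.get("add") or []}
        dropped = {cap.upper() for cap in caps.get("drop") or []}
        for cap in sorted(added & RISKY_CAPS):
            findings.append(f"{pod_name}/{cname}: adds capability {cap}")
        if "ALL" not in dropped and "NET_RAW" not in dropped and "NET_RAW" not in added:
            findings.append(f"{pod_name}/{cname}: NET_RAW not dropped (default capability set retained)")
        if sc.get("runAsNonRoot") is not True and sc.get("runAsUser", 0) == 0:
            findings.append(f"{pod_name}/{cname}: may run as root")
    return findings

# Constructed manifests (not taken from any real cluster).
WEAK_POD = {
    "metadata": {"name": "netprobe"},
    "spec": {
        "hostNetwork": True,
        "containers": [{
            "name": "probe",
            "image": "example.invalid/probe:placeholder",
            "securityContext": {"privileged": True, "capabilities": {"add": ["NET_ADMIN"]}},
        }],
    },
}

HARDENED_POD = {
    "metadata": {"name": "netprobe"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [{
            "name": "probe",
            "image": "example.invalid/probe:placeholder",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"]},
            },
        }],
    },
}

if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(label, audit_pod_spec(pod) or ["no findings"])
```

The hardened manifest produces no findings because it drops every capability, runs as a fixed non-root UID, and never touches the node's network namespace; the weak one reports every setting that would let a compromised container interfere with neighbouring pods' credentials.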