Cyware Daily Threat Intelligence, June 30, 2025

Daily Threat Briefing • June 30, 2025
Cybercriminals are sharpening their bait, whether it’s fake installers, hijacked Bluetooth connections, or internal-looking spoofed emails. A new malware campaign uncovered by Netskope is stealthily infecting victims using fake installers of popular Chinese-language software like WPS Office and Sogou to deploy a cocktail of malware, including Sainbox RAT (a Gh0stRAT variant) and a powerful rootkit.
Meanwhile, Bluetooth devices from top audio brands, such as Bose, Sony, and Beyerdynamic, are under scrutiny after researchers disclosed three critical flaws in Airoha chipsets (CVE-2025-20700, CVE-2025-20701, and CVE-2025-20702). Exploiting these vulnerabilities could let attackers hijack Bluetooth connections, snoop on calls, access contacts, or even rewrite firmware for remote code execution.
In a new phishing campaign flagged by Varonis, attackers are abusing Microsoft 365’s Direct Send feature to impersonate internal users and send phishing emails without ever breaching a mailbox. Because Direct Send accepts unauthenticated mail for the tenant's own domains, messages sent from attacker infrastructure are routed as if they were internal and reach inboxes even though they fail SPF and DMARC checks.
WordPress malware drops Windows RAT
A stealthy malware campaign has been discovered targeting WordPress websites to deliver a Windows-based RAT through a PHP backdoor. The infection chain involves obfuscated PHP scripts, IP-based evasion that withholds the payload from unwanted visitors, and a malicious ZIP archive containing the trojan executable. The backdoor hides in compromised WordPress installations as legitimate-looking PHP files (header.php and man.php), which stage a batch file (update.bat) and a ZIP archive (psps.zip) containing client32.exe. Once running, the trojan establishes a covert connection to a C2 server at 5[.]252[.]178[.]123 on port 443.
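The traits above (obfuscation primitives, gating on the visitor's IP, references to the staged artefacts and the C2 address) are easy to sweep for across a WordPress tree. The scanner below is an added example, not tooling from the report; the two PHP samples it scores are constructed for illustration and are not the real header.php or man.php, and the scoring rule is a heuristic of the editor's own, so tune it before relying on it.

```python
"""Heuristic sweep of PHP files for the dropper traits described in the text.

Added example, not code from the report. SAMPLE_DROPPER and SAMPLE_BENIGN are
constructed; the thresholds and regexes are assumptions a practitioner would tune.
"""
import re
from pathlib import Path

C2_IP = "5.252.178.123"                                   # C2 named in the report
ARTEFACTS = ("psps.zip", "client32.exe", "update.bat", "man.php")  # staged files named in the report
# Runtime code-construction calls that almost never appear in a theme's header.php
OBFUSCATION = re.compile(
    r"\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13|create_function)\s*\(", re.I)
# Strings assembled from chr() calls, a common way to hide URLs and function names
CHR_CHAIN = re.compile(r"(chr\(\d+\)\s*\.\s*){3,}", re.I)
# Serving decisions keyed on the visitor address (the "IP-based evasion" in the text)
IP_GATE = re.compile(
    r"""\$_SERVER\s*\[\s*['"](REMOTE_ADDR|HTTP_X_FORWARDED_FOR)['"]\s*\]""", re.I)


def score_php(source: str) -> dict:
    """Return {"score": n, "findings": [...]} for one PHP source text."""
    findings = []
    if C2_IP in source or C2_IP.replace(".", "[.]") in source:
        findings.append("c2_ip")
    for name in ARTEFACTS:
        if name in source:
            findings.append(f"artefact:{name}")
    if OBFUSCATION.search(source):
        findings.append("obfuscation_call")
    if CHR_CHAIN.search(source):
        findings.append("chr_chain")
    if IP_GATE.search(source):
        findings.append("ip_gating")
    return {"score": len(findings), "findings": findings}


def scan_tree(root: str, threshold: int = 2) -> list:
    """Walk a WordPress install and report files scoring at or above the threshold."""
    hits = []
    for path in Path(root).rglob("*.php"):
        try:
            result = score_php(path.read_text(errors="ignore"))
        except OSError:
            continue
        if result["score"] >= threshold:
            hits.append((str(path), result))
    return hits


# Constructed sample of the dropper style described above (not the real file).
SAMPLE_DROPPER = r'''<?php
$visitor = $_SERVER['REMOTE_ADDR'];
if (strpos($visitor, '66.249.') === 0) { header('HTTP/1.1 404 Not Found'); exit; }
$host = chr(104).chr(116).chr(116).chr(112).chr(115).chr(58);
$payload = base64_decode('ZWNobyAxOw==');
file_put_contents('psps.zip', $payload);
file_put_contents('update.bat', "start client32.exe\r\n");
eval($payload);
'''

# Constructed sample of what a theme's header.php normally looks like.
SAMPLE_BENIGN = r'''<?php
if ( ! defined( 'ABSPATH' ) ) { exit; }
?>
<!DOCTYPE html>
<html <?php language_attributes(); ?>>
<head><?php wp_head(); ?></head>
'''

if __name__ == "__main__":
    for label, src in (("dropper", SAMPLE_DROPPER), ("benign", SAMPLE_BENIGN)):
        print(label, score_php(src))
```

A single hit on the obfuscation rule is common in legitimate plugins, which is why scan_tree defaults to a threshold of two; a file that both gates on REMOTE_ADDR and writes a .zip or .bat to disk deserves a manual look regardless of score.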
Sainbox RAT and hidden rootkit campaign
Netskope identified a phishing campaign using fake installers for software like WPS Office and Sogou to deliver malware targeting Chinese speakers. The malware includes Sainbox RAT, a Gh0stRAT variant, and the Hidden rootkit, which together give attackers remote control and stealth. The infection process involves MSI files that run the legitimate software alongside malicious DLLs and shellcode payloads. The rootkit protects the malware's processes, conceals its files, and evades security tools, granting attackers extensive control over compromised systems. Attribution to the Silver Fox group is based on consistent tactics and tools, though adversary attribution remains complex.
Beware of these Bluetooth flaws!
Vulnerabilities in Bluetooth chipsets used in over two dozen audio devices from brands like Beyerdynamic, Bose, and Sony could allow hackers to eavesdrop and steal sensitive information. Researchers disclosed three flaws in Airoha systems on a chip, identified as CVE-2025-20700, CVE-2025-20701, and CVE-2025-20702. Exploitation requires close proximity and advanced technical skills. Attackers could hijack connections between mobile phones and Bluetooth devices, potentially extracting call history and contacts or initiating calls. The vulnerabilities may also enable firmware rewriting for remote code execution, posing further risks.
Citrix Bleed 2 now abused in attacks
The Citrix Bleed 2 vulnerability (CVE-2025-5777) in NetScaler ADC and Gateway is reportedly being exploited in targeted attacks. This critical flaw allows unauthenticated attackers to perform out-of-bounds memory reads that can leak sensitive data such as session tokens and credentials; a replayed session token lets the attacker sidestep MFA. Observations include hijacked Citrix sessions in which attackers authenticated without any user interaction and then conducted Active Directory reconnaissance. Additionally, a second NetScaler vulnerability, CVE-2025-6543, is confirmed to be exploited for denial-of-service attacks.
Multiple bugs in D-Link EOL routers
D-Link has reported six vulnerabilities in its DIR-816 wireless routers, which have been unsupported since reaching end-of-life status on November 10, 2023. The flaws, tracked under separate CVEs, include stack-based buffer overflows and OS command injection that allow remote attackers to execute arbitrary code. Notable flaws include CVE-2025-5622, CVE-2025-5623, and CVE-2025-5624, all scoring 9.8 on the CVSS scale, indicating critical severity. Additionally, CVE-2025-5620 and CVE-2025-5621 present command injection risks with scores of 7.3. D-Link warns that these issues will remain unpatched, so users still relying on this model should replace it.
Phishing campaign exploits Microsoft 365 Direct Send
Varonis identified a phishing campaign exploiting Microsoft 365's Direct Send feature, which lets on-premises devices and applications (printers, scanners, line-of-business apps) send mail to the tenant's smart host without authenticating. Because that smart host accepts mail for the tenant's own domains from any source, attackers can spoof internal users and deliver phishing emails without compromising any account. The campaign, active since May, targets various organizations, primarily in the U.S., using PowerShell to send spoofed emails that are handled as internal mail and so bypass filters tuned for external senders. Detection relies on analyzing email headers for indicators such as failed SPF and DMARC checks on messages that claim to come from the organization's own domain, and sender IPs outside the organization's known infrastructure or in unexpected geolocations. One notable lure was an email styled as a voicemail notification, leading users to phishing sites designed to harvest credentials.
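The header checks described above can be run as a triage rule over messages pulled from the tenant. The classifier below is an added example, not Varonis' detection logic; the three sample messages are constructed, the Authentication-Results layout follows what Exchange Online Protection typically writes, and the tenant domain and allowed device ranges are assumptions a defender would replace with their own.

```python
"""Triage rule for Microsoft 365 Direct Send spoofing, based on message headers.

Added example, not code from the Varonis report. Sample messages are constructed;
TENANT_DOMAINS and KNOWN_DEVICE_NETS are assumptions to be replaced per tenant.
"""
import email
import ipaddress
import re
from email.utils import parseaddr

TENANT_DOMAINS = {"example.com"}                                 # assumption: accepted domain(s)
KNOWN_DEVICE_NETS = [ipaddress.ip_network("203.0.113.0/24")]     # assumption: MFPs/apps allowed to Direct Send
AUTH_TOKEN = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.I)
SENDER_IP = re.compile(r"sender IP is ([0-9a-fA-F.:]+)", re.I)   # EOP writes this inside spf=...
VOICEMAIL_LURE = re.compile(r"voice\s*mail|missed call|new message from", re.I)


def parse_auth_results(msg) -> dict:
    """Collapse all Authentication-Results headers into {method: result}, first value wins."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, result in AUTH_TOKEN.findall(header):
            results.setdefault(method.lower(), result.lower())
    return results


def sender_ip(msg):
    """Connecting IP as recorded by EOP in the SPF evaluation, or None."""
    for header in msg.get_all("Authentication-Results", []):
        m = SENDER_IP.search(header)
        if m:
            return ipaddress.ip_address(m.group(1))
    return None


def classify(raw: str) -> dict:
    """Decide whether a message looks like Direct Send abuse of our own domain."""
    msg = email.message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    auth = parse_auth_results(msg)
    ip = sender_ip(msg)
    known = ip is not None and any(ip in net for net in KNOWN_DEVICE_NETS)
    lure = bool(VOICEMAIL_LURE.search(msg.get("Subject", "")))

    if from_domain in TENANT_DOMAINS and not known and auth.get("spf") != "pass":
        verdict = "direct_send_spoof"   # our domain, unknown source, SPF did not pass
    elif from_domain in TENANT_DOMAINS and known:
        verdict = "known_device"        # an allowed device using Direct Send as intended
    else:
        verdict = "no_finding"
    return {"verdict": verdict, "from_domain": from_domain,
            "sender_ip": str(ip) if ip else None,
            "spf": auth.get("spf"), "dmarc": auth.get("dmarc"), "voicemail_lure": lure}


# Constructed: spoofed internal sender arriving from an address we do not own.
SPOOFED = """\
From: "Jane Doe" <jane.doe@example.com>
To: victim@example.com
Subject: You have a new voicemail (00:42)
Authentication-Results: spf=fail (sender IP is 198.51.100.77) smtp.mailfrom=example.com; dkim=none (message not signed) header.d=none;dmarc=fail action=none header.from=example.com;

Listen to your message.
"""

# Constructed: a scanner on an allowed range using Direct Send legitimately.
PRINTER = """\
From: scanner@example.com
To: victim@example.com
Subject: Scanned document from MFP-2F
Authentication-Results: spf=pass (sender IP is 203.0.113.10) smtp.mailfrom=example.com; dkim=none (message not signed) header.d=none;dmarc=pass action=none header.from=example.com;

See attachment.
"""

# Constructed: ordinary external mail, not our domain, so the rule stays quiet.
PARTNER = """\
From: billing@partner.test
To: victim@example.com
Subject: Invoice 1042
Authentication-Results: spf=pass (sender IP is 192.0.2.5) smtp.mailfrom=partner.test; dkim=pass header.d=partner.test;dmarc=pass action=none header.from=partner.test;

Attached.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("printer", PRINTER), ("partner", PARTNER)):
        print(label, classify(raw))
```

The rule keys on the combination the report highlights: the From domain is the tenant's own, SPF did not pass, and the connecting IP is not one of the devices that are supposed to use Direct Send. Known-device mail that fails SPF still surfaces as known_device rather than being suppressed, which is worth reviewing when a device moves networks, and the voicemail flag is only an enrichment, not a verdict on its own.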
CapCut phishing scheme spotted
Cybercriminals are exploiting the popularity of CapCut by launching phishing campaigns that mimic CapCut invoices to steal Apple ID credentials and credit card information. Victims are redirected to a fake Apple ID login page, where the credentials they enter are exfiltrated to a C2 server. A second stage then asks for credit card details under the guise of issuing a refund, with that data also exfiltrated in plaintext. A fake authentication-code prompt is shown at the end to delay suspicion and extend the window in which the stolen data can be used.