Cyware Daily Threat Intelligence

Cyware Daily Threat Intelligence - Featured Image

Daily Threat Briefing March 11, 2020

Remember the infamous Rowhammer vulnerability? It has now returned with a new variant that affects almost all devices using DDR3 and DDR4 memory chips. Termed as a TRR-bypassing Rowhammer, the vulnerability bypasses the mitigation steps called Target Row Refresh (TRR) so that attackers can obtain higher kernel privileges on a targeted system. This latest flaw also affects LPDDR4 and LPDDR4X chips embedded in most modern smartphones.

That’s not all. Even Intel CPUs have been found to be vulnerable to a new Load Value Injection vulnerability. The flaw impacts the security feature baked into Intel’s SGX (Software Guard Extensions).

In other news, Microsoft has released security updates for 115 vulnerabilities as part of its March 2020 Patch Tuesday. The vulnerabilities affect Microsoft’s Azure, Edge, Exchange Server, Graphics Component, Office, SharePoint, and more.

Top Breaches Reported in the Last 24 Hours

8 million sales records exposed

A software vendor used by small retailers in the EU had exposed nearly 8 million sales records on the web due to an unprotected MongoDB database. The exposed sales records included customers’ names, email addresses, shipping addresses, purchases, and the last four digit of credit card numbers. The leaky database was discovered on February 3, 2020, and taken offline on February 8, 2020. The sales records discovered in the database were related to Amazon UK, eBay, Shopify, and PayPal.

Top Malware Reported in the Last 24 Hours

Necurs botnet down

Microsoft’s Digital Crime Unit and government agencies in 35 countries have put a halt to the operations of large Necurs botnet. In an eight-year joint effort, Microsoft was able to track down over six million unique domain names operated by Necurs botnet. The botnet has infected over nine million computers worldwide and was first observed in 2012.

A new variant of Paradise ransomware

A new spam campaign leveraging IQY files to distribute a new variant of Paradise ransomware has been uncovered recently. The malware variant uses Salsa20 to encrypt victims’ files. Once it finishes the encryption routine, the ransomware drops a ransom note to disk.

Decryptor released

Emsisoft has released a new decryption tool to decrypt files encrypted by PwndLocker ransomware. This strain of crypto-locking malware has largely been targeting U.S businesses and governments, and "has numerous variants. It demands a ransom of over $650,000 from victim organizations.

Top Vulnerabilities Reported in the Last 24 Hours

TRR-bypassing Rowhammer attack

Researchers have published a new paper that demonstrates how Target Row Refresh (TRR) protections on RAM cards can be broken down to launch Rowhammer attacks. This TRR-bypassing Rowhammer attack affects all DDR3 and DDR4 memory cards.

Microsoft fixes 115 flaws

Microsoft has rolled out fixes for 115 vulnerabilities as part of March 2020 Patch Tuesday. The vulnerabilities affect Microsoft’s Azure, Edge, Exchange Server, Graphics Component, Office, SharePoint and more. In a different incident, the firm has leaked info on a security update for a ‘wormable’ pre-auth remote code execution vulnerability found in the SMBv3.0.

Intel CPUs vulnerable to new LVI attacks

Researchers have disclosed a new Load Value Injection vulnerability found in Intel chips. The vulnerability impacts all Core families spanning from the third-generation Ivy Bridge chips to the 10th generation Comet Lake processors. The attack builds upon the Meltdown vulnerabilities that Intel already patched in software.

Certification validation issue

A vulnerability impacting Avast and AVG AntiTrack privacy software can open up user PCs to MiTM attacks, browser session hijack, and data theft. The vulnerability tracked as CVE-2020-8987 is a certification validation issue and affects Avast AntiTrach prior to version 1.5.172 and AVG AntiTrack before version 2.0.0.178.

Mozilla releases Firefox 74

Mozilla has released Firefox 74 with bug fixes, new features, and security fixes. A total of 12 vulnerabilities have been fixed as part of the new release. Five have been classified as ‘High’ severity, six as ‘Moderate’, and one as ‘Low’. All the vulnerabilities classified as ‘High’ can lead to system crash or possibly remote code execution.

Top Scams Reported in the Last 24 Hours

Phishing scam

A new phishing scam that pretended to be sending HIV test results has been found tricking users into downloading malware designed to steal files. The scam starts with scammers sending emails that appear to be from Vanderbilt University. It includes a malicious Excel spreadsheet named TestResults.xlsb. When the recipient opens the spreadsheet and clicks on the ‘Enable Content’ to view the document, malicious macros get executed which later downloads and installs the Koadic penetration toolkit.

Related Threat Briefings

May 15, 2025

Cyware Daily Threat Intelligence, May 15, 2025

TransferLoader doesn’t just sneak in, it evolves. Active since early 2025, this modular loader combines a downloader, backdoor loader, and backdoor into one stealthy package. It uses anti-analysis tricks, dynamic C2 updates via IPFS, and has already been linked to Morpheus ransomware deployments. Once inside, it enables arbitrary command execution and long-term persistence. Two ransomware gangs, BianLian and RansomExx, are now exploiting the same SAP NetWeaver vulnerability as Chinese APTs. Using CVE-2025-31324, the attackers deliver PipeMagic alongside privilege escalation flaws like CVE-2025-29824. Infrastructure links tie the activity to BianLian, with payloads deployed via web shells and C2 managed through Brute Ratel and inline assembly. Fancy Bear is broadening its reach. Operation RoundPress shows the group leveraging XSS zero-days to breach webmail platforms. Its spearphishing campaigns use malicious JavaScript to deploy SpyPress variants aimed at stealing credentials and exfiltrating emails, often bypassing 2FA in the process. Targets span government and defense sectors from Eastern Europe to South America.

May 14, 2025

Cyware Daily Threat Intelligence, May 14, 2025

Swan Vector is the latest addition to a string of APT campaigns zeroing in on East Asia’s research and engineering sectors. Seqrite Labs uncovered the group’s four-stage malware chain, beginning with a malicious LNK in a ZIP archive and culminating in Cobalt Strike deployment. A PowerShell script posing as a helpful utility is the entry point for Chihuahua Stealer. This .NET-based info-stealer uses scheduled tasks for persistence and grabs browser credentials and crypto wallet data. It compresses the loot, encrypts it, and exfiltrates over HTTPS - all while cleaning up traces. Microsoft’s latest Patch Tuesday addresses 78 vulnerabilities, including five zero-days actively exploited in the wild. Among the critical flaws is a CVSS 10 bug in Azure DevOps Server. The CISA has flagged these vulnerabilities as high priority for federal agencies, emphasizing risks around memory corruption and privilege escalation. SAP’s NetWeaver platform is now at the center of a global cyber campaign. Chinese APT groups have been exploiting CVE-2025-31324 to gain remote code execution via unauthenticated file uploads, targeting over 580 systems. Victims span energy, utilities, and government sectors, with attackers using tools like SNOWLIGHT and KrustyLoader. For detailed Cyber Threat Intel, click ‘Read More’.

May 13, 2025

Cyware Daily Threat Intelligence, May 13, 2025

APT37 is back with another Dropbox-powered espionage play. In Operation: ToyBox Story, the North Korean group used fake national security event invites to deliver RoKRAT malware via ZIP archives. The campaign abused Dropbox for both delivery and command-and-control, using .lnk files to initiate multi-layer encrypted data exfiltration. Apple’s May security update patches multiple critical flaws affecting iOS and macOS. These include code execution bugs in AppleJPEG and CoreMedia, and multiple WebKit vulnerabilities exploitable via crafted media. Affected users should apply the update to avoid potential memory corruption and privilege escalation. Marbled Dust, a Turkish-aligned threat group, exploited a zero-day in the Output Messenger app to spy on Kurdish military networks. CVE-2025-27920, a directory traversal vulnerability, enabled access to sensitive data, even after a patch was released. The group used DNS hijacking, typo-squatted domains, and backdoor implants to maintain long-term access.

May 12, 2025

Cyware Daily Threat Intelligence, May 12, 2025

Not every AI tool on Facebook is what it claims to be. Threat actors are luring users with fake content-generation apps, pushing Noodlophile malware to tens of thousands of victims. Disguised as AI-powered services, these tools trick users into executing malicious files that steal browser credentials, crypto wallet data, and other sensitive information through a layered infection chain. OtterCookie is getting smarter with every version. The North Korea-linked group WaterPlum is actively using the malware to breach financial institutions and crypto platforms worldwide. Since late 2024, new iterations have added capabilities like credential theft from browsers and file uploads - each version revealing signs of modular development and distinct authorship. A flaw in Linux’s nftables is turning dirty sets into dangerous ones. A critical double-free vulnerability allows local attackers to escalate privileges by exploiting memory corruption. Kernel-level fixes are already rolling out to improve cleanup routines and patch the vulnerable destroy path.

May 9, 2025

Cyware Daily Threat Intelligence, May 09, 2025

Old routers are becoming cybercrime goldmines. The FBI has warned that end-of-life routers are being hijacked with malware like TheMoon and sold on proxy networks such as 5Socks and Anyproxy. These compromised devices are used for crypto theft, cybercrime-as-a-service, and even espionage. Meanwhile, Chaya_004 is exploiting SAP systems on a global scale. The Chinese threat group was found exploiting CVE-2025-31324, a critical flaw in SAP NetWeaver, to gain remote code execution. Their campaign has hit hundreds of organizations globally, leveraging a Golang-based shell named SuperShell and tools hosted on Chinese cloud platforms in a coordinated effort. Phishing pages are climbing the search results and duping users. The FreeDrain campaign is using SEO poisoning and free-tier platforms like GitBook and Webflow to host fake wallet interfaces that harvest seed phrases. Over 38,000 phishing subdomains have been linked to this large-scale crypto scam, believed to originate from India and powered by generative AI. For detailed Cyber Threat Intel, click ‘Read More’.

May 8, 2025

Cyware Daily Threat Intelligence, May 08, 2025

COLDRIVER’s latest malware, LOSTKEYS, is now in play. The Russian state-backed group is deploying this tool to steal files and system data from advisors, journalists, NGOs, and individuals linked to Ukraine. Delivered via ClickFix, LOSTKEYS expands COLDRIVER’s toolkit beyond credential phishing, signaling a continued focus on espionage and document theft. SysAid users, it’s time to patch. Multiple vulnerabilities—ranging from XXE to OS command injection—have been fixed in version 24.4.60. Researchers uncovered the flaws and even released a PoC, warning that 77 unpatched instances remain exposed online. Given SysAid’s large user base, the window for exploitation remains a real concern. A clever lure is fueling a quiet takeover in Brazil. Cisco Talos uncovered a campaign abusing the country’s electronic invoicing system to trick victims into installing remote monitoring tools. The attackers use free trials of RMM products to hijack machines, often targeting high-level accounts in finance, education, and government.

May 7, 2025

Cyware Daily Threat Intelligence, May 07, 2025

Agenda’s playbook just got upgraded. The ransomware group has added two new tools: SmokeLoader and a stealthy .NET-based loader called NETXLOADER. The latter leverages techniques like JIT hooking and AES decryption to deploy ransomware and loaders directly into memory, while SmokeLoader injects payloads into explorer.exe using anti-analysis tricks. In a different vein, a bogus debugging package was found duping Discord bot developers. The malicious PyPI package ‘discordpydebug,’ posing as a helpful tool, is designed to steal data and execute commands. Downloaded over 11,500 times, it exploited community trust, mirrored by over 45 npm lookalikes in what appears to be a broader campaign. AWS patched a critical bug in Amplify Studio version 2.20.3. CVE-2025-4318 allowed attackers to inject JavaScript into UI components during render time via the amplify-codegen-ui package. No active exploitation was detected.

May 6, 2025

Cyware Daily Threat Intelligence, May 06, 2025

Mamona isn’t calling home but it’s still locking you out. This offline ransomware strain skips data theft and C2 communication altogether, instead encrypting files using its own cryptographic routines. Though it avoids detection through network monitoring, a working decryption tool is already available for victims. Google’s latest Android update delivers fixes for around 50 vulnerabilities, including a critical zero-day in FreeType, which was already under active attack. The patch batch covers issues across Android OS, MediaTek, Qualcomm, Wear OS, and Automotive OS, reinforcing security across a wide device ecosystem. CoGUI is fueling a phishing surge in Japan by spoofing trusted brands like Rakuten and PayPay. The kit uses geofencing and browser fingerprinting to narrow its targets, directing victims to convincingly faked login pages that siphon credentials and payment details with precision.

May 5, 2025

Cyware Daily Threat Intelligence, May 05, 2025

Corporate HR teams are the latest target in a spear-phishing spree by Venom Spider. Disguised as job applications, these emails deliver More_eggs backdoor, now upgraded with advanced features. The attack leverages advanced evasion tactics to slip past defenses and establish persistent access. A fresh batch of vulnerabilities from MediaTek could leave millions of devices open to attack. The most severe enables remote DoS via rogue base stations. Other flaws impact encryption, memory handling, and certificate validation across phones, tablets, and smart devices running Android 13 to 15. Luna Moth is back, and it's using helpdesk lookalikes to worm its way into corporate inboxes. The campaign spoofs trusted brands with phishing emails and fake domains, siphoning credentials and financial data. So far, 50 domains tied to this operation have been linked to breaches in legal, healthcare, and finance sectors.

May 2, 2025

Cyware Daily Threat Intelligence, May 02, 2025

In the shadows of the cybersecurity landscape, MintsLoader emerges as a formidable adversary, orchestrating a multi-faceted infection strategy that deploys the notorious GhostWeaver RAT. This malware loader ingeniously employs a blend of obfuscated JavaScript and PowerShell scripts to execute its malicious agenda, utilizing sophisticated evasion techniques and a DGA for C2 communications. Two new malware families—TerraStealerV2 and TerraLogger—are now linked to the Golden Chickens threat group. TerraStealerV2 steals credentials and crypto wallet data but can’t yet bypass Chrome’s built-in encryption, suggesting it’s still in progress. TerraLogger, meanwhile, operates as a standalone keylogger with no exfiltration module, hinting at a plug-and-play role in a broader MaaS toolkit. A fake refund for a real blackout. A phishing campaign is spoofing TAP Air Portugal, preying on confusion after the Iberian power outage. Victims are promised compensation for delayed flights, only to be directed to phishing pages that steal payment details. The lure is simple, but effective, and the infrastructure, as usual, runs through compromised WordPress sites.

May 1, 2025

Cyware Daily Threat Intelligence, May 01, 2025

Some PyPI packages are doing more than importing functions. Researchers uncovered seven malicious Python packages under the “Coffin” naming scheme, using Gmail’s SMTP service as a stealthy C2 channel. Hardcoded credentials let the malware establish outbound tunnels via port 465, send activation signals, and quietly exfiltrate data. Apache ActiveMQ users should be on high alert. A flaw in its .NET Message Service library now lets remote attackers inject code by abusing deserialization. All versions prior to the latest update are at risk, so prompt patching is essential to protect your systems. Emails that look like official Social Security alerts are turning into dangerous gateways. In the new Molatori phishing campaign, attackers send messages claiming your Social Security Statement is ready to download. Once you install the ScreenConnect client they push, remote access is granted, and sensitive data gets swept away, thanks to convincing links from compromised WordPress sites.

Apr 30, 2025

Cyware Daily Threat Intelligence, April 30, 2025

A familiar threat actor is back with sharper tools. A new spear-phishing wave from Earth Kasha is hitting government targets in Taiwan and Japan. Using a malicious Excel file, the group drops an updated ANEL backdoor and maintains stealthy persistence with SharpHide. The second-stage malware hides C2 traffic behind DNS over HTTPS - signaling renewed focus on quiet, long-term access. TheWizards aren’t casting spells, they’re hijacking software updates. This Chinese-linked threat group is abusing IPv6 SLAAC to perform AitM attacks with the Spellbinder lateral movement tool. Spellbinder redirects traffic to attacker-controlled domains to deliver malware-laced updates to apps like Tencent QQ and Sogou Pinyin. Once inside, a modular backdoor takes over. New vulnerabilities in Apple’s AirPlay protocol, collectively dubbed AirBorne, expose billions of devices to remote code execution without user interaction. Attackers could silently hijack devices via use-after-free and buffer overflow vulnerabilities, affecting not only Apple hardware but also third-party products using the AirPlay SDK.