Cyware Daily Threat Intelligence, March 26, 2025

Daily Threat Briefing March 26, 2025

The macOS malware loader ReaderUpdate is evolving fast, with new versions now written in Crystal, Nim, Rust, and Go. Originally distributed through free software sites, the loader continues to target Intel-based macOS systems, quietly collecting system data and generating unique identifiers. While its past activity has mostly involved adware, the loader’s ability to parse and execute remote commands leaves the door open for more serious threats.

A zero-day exploit in the Microsoft Management Console has been linked to a threat actor known as EncryptHub, who’s actively using it in the wild. The flaw allows for security bypass via malicious MSC files, enabling attackers to deploy multiple payloads. This campaign is still in development, cycling through various delivery techniques and toolsets.

In the gaming world, phishers have stepped up their game with a browser-in-the-browser attack targeting Steam users and Counter-Strike 2 players. The campaign spoofs a login window branded with a well-known pro eSports team to lure victims into handing over their credentials. With stolen accounts likely resold on underground markets, this scheme is aimed squarely at the gaming community.

Top Malware Reported in the Last 24 Hours

Hackers use Atlantis AIO tool

Threat actors are using a cybercrime tool called Atlantis AIO Multi-Checker to carry out credential stuffing attacks. This tool enables attackers to test millions of stolen credentials rapidly, posing a significant threat to various online platforms and services. Atlantis AIO offers pre-configured modules to target a range of platforms and cloud-based services, leading to fraud, data theft, and account takeovers. The tool can also conduct brute-force attacks and automate account recovery processes.
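The defender-side signature of the credential stuffing described above is one source address failing logins against many different usernames in a short window. The following added example (not part of the briefing or of any vendor tooling) flags that pattern over constructed authentication log lines in a hypothetical "timestamp user ip result" format:

```python
# Added example: minimal credential-stuffing detector over constructed log lines.
# Flags a source IP whose failed logins span many distinct usernames within a
# sliding time window, which is what an automated multi-checker produces.
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log (hypothetical format: "<ts> <user> <ip> <OK|FAIL>").
SAMPLE_LOG = """\
2025-03-26T10:00:01Z alice 203.0.113.7 FAIL
2025-03-26T10:00:02Z bob 203.0.113.7 FAIL
2025-03-26T10:00:02Z carol 203.0.113.7 FAIL
2025-03-26T10:00:03Z dave 203.0.113.7 FAIL
2025-03-26T10:00:04Z erin 203.0.113.7 OK
2025-03-26T10:00:10Z frank 203.0.113.7 FAIL
2025-03-26T10:05:00Z alice 198.51.100.9 FAIL
2025-03-26T10:05:30Z alice 198.51.100.9 FAIL
2025-03-26T10:06:00Z alice 198.51.100.9 OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

def parse_log(text):
    """Yield (timestamp, user, ip, result) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(3), m.group(4)

def detect_stuffing(text, window=timedelta(minutes=1), min_users=4):
    """Return {ip: distinct_failed_users} for every IP whose failed logins cover
    at least min_users different usernames inside some window-long span."""
    failures = defaultdict(list)            # ip -> [(ts, user)] for FAIL events
    for ts, user, ip, result in parse_log(text):
        if result == "FAIL":
            failures[ip].append((ts, user))
    flagged = {}
    for ip, fails in failures.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            # Distinct usernames failing from this IP within `window` of `start`.
            users = {u for t, u in fails[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[ip] = max(flagged.get(ip, 0), len(users))
    return flagged
```

A single user retrying their own password (198.51.100.9 above) is not flagged, while the many-usernames pattern from 203.0.113.7 is; in production the window and threshold would be tuned to the service's normal login rate.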

PlayBoy Locker: New RaaS emerges

Cybereason investigated PlayBoy Locker, a new Ransomware-as-a-Service (RaaS). PlayBoy Locker offers frequent updates, anti-detection features, and customer support for affiliates. The group has been active since September 2024 and operates on an affiliate model. It supports Windows, NAS, and ESXi systems. PlayBoy Locker performs LDAP scans to search for available machines in the network and then tries to copy the ransomware executable to the remote device. It exploits the Restart Manager DLL in a malicious way and stops services and processes to unlock and safely close open files before encrypting them. The list of targeted services and processes includes Telegram, Skype, Firefox, Chrome, and Oracle, among others.

New version of ReaderUpdate malware

The creators of the macOS malware loader ReaderUpdate have developed new versions written in the Crystal, Nim, Rust, and Go programming languages. The malware is distributed through free and third-party software download sites and targets the x86 Intel architecture. On execution, the Go variant collects system hardware information, which is used to create a unique identifier that is sent to the C2 server. The threat can also parse and execute responses from the server, suggesting it could run any command sent by its operator. Although ReaderUpdate infections have so far only been linked to adware, the loader could potentially deliver more malicious payloads. SentinelOne has identified nine samples of the Go variant, which is less common than the Nim, Crystal, and Rust variants.

Top Vulnerabilities Reported in the Last 24 Hours

Google patches actively exploited Chrome 0-day

Google has addressed a high-severity zero-day vulnerability in Chrome, tracked as CVE-2025-2783, which was exploited to bypass the browser's sandbox and deploy malware in espionage attacks targeting Russian organizations. Google has rolled out a security update to fix the issue for users in the Stable Desktop channel, with patched versions available for Windows users. The vulnerability is being exploited in phishing attacks, redirecting victims to the primakovreadings[.]info domain as part of a cyber-espionage campaign dubbed Operation ForumTroll.

Patch this bug immediately, warns CrushFTP

CrushFTP warned its customers about an unauthenticated HTTP(S) port access vulnerability and advised them to patch their servers immediately. The security flaw allows attackers to gain unauthenticated access to unpatched servers exposed to the internet over HTTP(S). The company stated that all CrushFTP v11 versions are affected, but an advisory issued the same day revealed that both v10 and v11 are impacted. As a workaround, those who can't immediately update to CrushFTP v11.3.1+ can enable the DMZ perimeter network option to protect their CrushFTP instance until the security update can be deployed. Over 3,400 CrushFTP instances have their web interface exposed online and are potentially vulnerable to attack.

EncryptHub abuses MSC EvilTwin

A threat actor named EncryptHub has been associated with Windows zero-day attacks that exploit a Microsoft Management Console vulnerability, which was patched this month. This security bypass, dubbed MSC EvilTwin (CVE-2025-26633), exists in how MSC files are handled on vulnerable devices. The threat actor has deployed multiple malicious payloads, including the EncryptHub stealer, DarkWisp backdoor, SilentPrism backdoor, Stealc, Rhadamanthys stealer, and the PowerShell-based MSC EvilTwin trojan loader. This campaign is under active development and employs multiple delivery methods and custom payloads.

Top Scams Reported in the Last 24 Hours

New phishing campaign targets gamers

A new phishing campaign using complex browser-in-the-browser attacks has been targeting the Steam gaming platform and Counter-Strike 2 players while abusing the brand of the pro eSports team Navi. The campaign uses fake but realistic-looking browser pop-up windows to trick victims into logging in to the phishing pages, with the likely intention of reselling the compromised accounts through online marketplaces. The campaign primarily targets English-speaking users, with one Chinese site written in Mandarin mixed with some English words.