Cyware Daily Threat Intelligence

Cyware Daily Threat Intelligence - Featured Image

Daily Threat Briefing March 30, 2023

Another cunning malware toolkit has been introduced to the cybercrime marketplace. Named AlienFox, it can be leveraged by adversaries to harvest API keys and secrets from popular services, including AWS SES & Microsoft Office 365. Meanwhile, a trojanized version of the 3CX VOIP desktop client has joined the list of threats emerging from rouge software programs. Cybersecurity analysts believe North Korean state-backed actor—tracked as Labyrinth Collima (believed to be a subset of the Lazarus Group)—is responsible for the campaign.

If you’re a QNAP client, do refer to the latest security advisory released by the company. The advisory outlines a much critical Sudo privilege escalation vulnerability. While a fix has been rolled out for some products, some await updates.

Top Breaches Reported in the Last 24 Hours

The (Un)SafeMoon landing

As hackers exploited a flaw in the SafeMoon token liquidity pool's smart contracts, the DeFi platform lost approximately $8.9 million worth of tokens. The smart contract function, which burns tokens, was unwittingly exposed to the public without any restrictions, giving users a free hand to manipulate it. Officials said they have located the suspected exploit and patched the flaw.

Traveler data stolen

NS, the Dutch national railway, informed roughly 780,000 commuters about a breach incident affecting their personal data. It reportedly suffered a breach after a hacker infiltrated the networks of market research firm Blauw via software supplied to it by a third party. E-mail addresses, telephone numbers, and full names of travelers may have been exposed.

Top Malware Reported in the Last 24 Hours

AlienFox chases misconfigured servers

Security experts at SentinelLabs uncovered a new modular toolkit dubbed AlienFox. It comprises custom tools and modified open-source utilities developed by different authors. As a threat, the malware scans for misconfigured servers to extract authentication secrets and credentials for cloud-based email services. The toolkit has different scripts for persistence and privilege escalation.

Realtek and Cacti bugs exploited

Security issues in Realtek and Cacti are being exploited to distribute ShellBot and Moobot malware, revealed FortiGuard Labs. Realtek bug, CVE-2021-35394, is an arbitrary command injection bug that affects UDPServer. CVE-2022-46169, the Cacti bug, is a command injection flaw that enables an unauthenticated user to execute arbitrary code on the vulnerable server.

Infected 3CX phone system

Cybercriminals are allegedly using a digitally signed and trojanized version of the 3CX desktop client to target the company's clients in an ongoing supply chain attack. Both Windows and macOS users are being targeted. While Sophos researchers aren’t sure who could be behind the attack, CrowdStrike suspects the involvement of a North Korean state-backed group it tracks as Labyrinth Collima.

Top Vulnerabilities Reported in the Last 24 Hours

QNAP Linux Sudo flaw

A critical Sudo privilege escalation flaw in Linux-powered NAS devices is affecting several QNAP products. The flaw, earmarked CVE-2023-22809, is described as a "sudoers policy bypass in Sudo version 1.9.12p1 when using sudoedit." The range of products impacted includes QTS, QuTS hero, QuTScloud, and QVP (QVR Pro appliances) NAS operating systems.

Related Threat Briefings

Jul 14, 2025

Cyware Daily Threat Intelligence, July 14, 2025

A silent redirect to PowerShell is the entry point for a new Interlock RAT variant. Linked to the KongTuke cluster, the PHP-based malware uses compromised websites with hidden scripts to launch system profiling and establish Cloudflare Tunnel-based C2 with fallback IPs for persistence. Users who trusted GravityForms’ official site got more than they expected. A supply chain attack injected backdoors into plugin files distributed via the official site and Composer, enabling attackers to collect WordPress environment data or more. A single HTTP header is enough to hijack vulnerable FortiWeb servers. A critical SQL injection flaw in Fortinet’s Fabric Connector, allows pre-auth RCE through unsanitized bearer tokens, with PoC exploits using MySQL queries to drop and execute malicious scripts.

Jul 11, 2025

Cyware Daily Threat Intelligence, July 11, 2025

You don’t need to visit shady corners of the internet to get infected, GitHub will do. A malware campaign is disguising Lumma Stealer as tools like Free VPN for PC, using polished project pages, Base64 payloads, and trusted Windows processes to slip past defenses. Meanwhile, MCP-based tools are facing a string of critical vulnerabilities, with CVE-2025-6514 leading the list. The flaw allows remote code execution via malicious MCP servers and affects users across platforms. Other bugs enable code injection, directory traversal, and symlink abuse. Crypto users are being lured in by fake AI and gaming firms offering too-good-to-be-true deals. A social engineering campaign is using Telegram, Discord, and spoofed social media accounts to deliver stealer malware. Attackers impersonate legit teams on GitHub and Notion, promising crypto payouts in exchange for “testing” software.

Jul 10, 2025

Cyware Daily Threat Intelligence, July 10, 2025

A fake defense official and a Google Drive link were all it took to breach a European ministry. Recent DoNot APT campaigns reveal a shift toward diplomatic espionage, using custom malware to exfiltrate data and maintain persistence through scheduled tasks and obfuscated binaries. A botnet announcing itself with Hello-World is now sweeping through Taiwan. A new scraper botnet has been using repeated GET requests across ports 80–85. Thousands of IPs are involved, with more than half traced back to Taiwanese infrastructure, hinting at regional tech compromise or shared vulnerabilities. You might not hear it, but your car’s Bluetooth could be listening. Researchers have found critical flaws in the BlueSDK stack used by major automakers, enabling remote code execution through a PerfektBlue attack. The vulnerabilities allow attackers to access call logs, record in-cabin audio, and track vehicles.

Jul 9, 2025

Cyware Daily Threat Intelligence, July 09, 2025

A PDF reader with 50,000 downloads turned out to be anything but harmless. The Anatsa banking trojan slipped back into Google Play, targeting North American users with fake maintenance screens while logging keystrokes and automating fraudulent transactions. However, the app has been pulled by Google. This month’s Patch Tuesday came with a hefty payload. Microsoft released fixes for 137 vulnerabilities, including a zero-day in SQL Server, which allowed access to uninitialized memory. Among the 14 critical issues were remote code execution bugs in SharePoint and multiple RCE and side-channel flaws affecting AMD-based systems. When a tap does more than you think, it’s probably TapTrap. Researchers have uncovered a sneaky Android exploit that uses near-invisible UI animations to trick users into approving sensitive actions. By overlaying transparent elements, TapTrap misleads users into tapping unintended buttons.

Jul 8, 2025

Cyware Daily Threat Intelligence, July 08, 2025

A spyware campaign targeting Russian industrial firms has been quietly escalating since mid-2024. Batavia spreads through phishing emails disguised as contract requests. Later stages drop Delphi-based malware that shows fake documents while harvesting data, followed by a payload that broadens file collection and ensures persistence, with signs of a potential fourth stage. A new ransomware group named BERT is hitting victims across sectors and operating systems. Targeting both Windows and Linux, BERT launches fast, multi-threaded encryption attacks. The malware shuts down critical services and shares code similarities with REvil and Babuk, hinting at recycled tools and techniques. SAP has released patches for 27 vulnerabilities, seven of them critical. The most severe, with a CVSS score of 10.0, affects the Live Auction Cockpit in SAP SRM. Other high-impact bugs include a code injection flaw in SAP S/4HANA and insecure deserialization issues in NetWeaver. Updates also address privilege escalation flaws in the SAPCAR utility.

Jul 7, 2025

Cyware Daily Threat Intelligence, July 07, 2025

SHELLTER has gone rogue—what was once a legit security tool is now fueling infostealer campaigns with AES-128 encryption, polymorphic junk code, and sneaky call stack tricks to dodge detection. Meanwhile, Hpingbot, a Go-based botnet with a flair for innovation, uses Pastebin, hping3, and persistent tactics to do more than just DDoS—hinting at nastier payloads like ransomware or APT tools. Critical bugs are back on the menu—this time hitting low-code platforms and the Linux boot process. ScriptCase’s Production Environment module harbors two flaws (CVE-2025-47227 & CVE-2025-47228, enabling remote command execution and admin password resets, risking full server compromise, while CVE-2016-4484 in Linux lets attackers gain root access during boot by exploiting the initramfs debug shell.

Jul 4, 2025

Cyware Daily Threat Intelligence, July 04, 2025

There’s a reason that app never showed up on your home screen. The IconAds fraud operation used 352 hidden-UI apps to flood ad networks with over a billion fake bid requests daily. Kaleidoscope took it further, using decoy apps to mask malicious versions distributed via third-party stores. Meanwhile, NGate and Ghost Tap abused NFC to enable remote cash theft, and Qwizzserial posed as a government app in Uzbekistan. When routers fall, botnets rise. RondoDox is exploiting flaws in TBK DVRs and Four-Faith routers to install a Linux-based botnet that renames critical system files into nonsense strings, effectively crippling recovery efforts. It launches DDoS attacks through spoofed traffic that looks like OpenVPN or online games, making detection even harder. Sometimes, all it takes is a single misplaced HTTP header. Three critical vulnerabilities in Apache Tomcat and Camel are under active exploitation, enabling remote code execution. One stems from mishandling PUT requests; the others from flawed case handling in headers. Over 125,000 attempts were recorded in March alone, signaling widespread attacker interest.

Jul 3, 2025

Cyware Daily Threat Intelligence, July 03, 2025

Two different names - same tactics, same tools, same playbook. Researchers have found striking overlaps between TA829 and the lesser-known UNK_GreenSec, both of which use phishing lures and REM Proxy services through compromised MikroTik routers. Victims are redirected from fake Google Drive or OneDrive pages to payloads like RomCom RAT, Metasploit, and Morpheus ransomware. They look like wallet helpers, but they’re after everything inside. More than 40 malicious Firefox extensions have been caught stealing seed phrases and wallet keys from unsuspecting crypto users. Masquerading as MetaMask, Coinbase, and Trust Wallet, these clones use tampered open-source code, fake five-star reviews, and slick branding to blend in. A single HTTP request is all it takes to bring the server down. A critical bug in Wing FTP Server allows unauthenticated remote code execution via the login confirmation endpoint. The flaw lets attackers inject Lua code into session files, enabling total takeover, even as root or SYSTEM. It affects all versions up to 7.4.3, with a fix issued in 7.4.4.

Jul 2, 2025

Cyware Daily Threat Intelligence, July 02, 2025

It starts with what looks like an official message from the Colombian government. Behind it is a phishing campaign delivering DCRAT, a modular remote access tool designed for theft and system control. The attack chain begins with a ZIP file containing a VBS script that downloads an obfuscated payload. DCRAT uses steganography, multi-stage execution, and evasion techniques to dig in and stay hidden, while quietly stealing data and manipulating infected systems. That Zoom update request on Telegram? It could be a trap. North Korean actors are deploying NimDoor malware to infiltrate Web3 and crypto platforms using social engineering via Telegram. Victims are tricked into running a fake AppleScript update that launches Nim-compiled binaries with advanced techniques like signal-based persistence, process injection, and encrypted WebSocket communication. It only takes one crafted page to turn a browser into a backdoor. Google has patched CVE-2025-6554, a critical zero-day in Chrome’s V8 engine that was exploited in the wild to execute arbitrary code. The flaw, caused by a type confusion bug, may have been used in targeted attacks. Users across Windows, macOS, and Linux are urged to update immediately.

Jun 30, 2025

Cyware Daily Threat Intelligence, June 30, 2025

Cybercriminals are sharpening their bait, whether it’s fake installers, hijacked Bluetooth connections, or internal-looking spoofed emails. A new malware campaign uncovered by Netskope is stealthily infecting victims using fake installers of popular Chinese-language software like WPS Office and Sogou to deploy a cocktail of malware, including Sainbox RAT (a Gh0stRAT variant) and a powerful rootkit. Meanwhile, Bluetooth devices from top audio brands, such as Bose, Sony, and Beyerdynamic, are under scrutiny after researchers disclosed three critical flaws in Airoha chipsets (CVE-2025-20700, CVE-2025-20701, and CVE-2025-20702). Exploiting these vulnerabilities could let attackers hijack Bluetooth connections, snoop on calls, access contacts, or even rewrite firmware for remote code execution. In a new phishing campaign flagged by Varonis, attackers are abusing Microsoft 365’s Direct Send feature to impersonate internal users and send phishing emails without ever breaching a mailbox. By exploiting the lack of authentication in Direct Send, the campaign sidesteps standard email protections like SPF and DMARC.

Jun 26, 2025

Cyware Daily Threat Intelligence, June 26, 2025

A phishing email is all it takes to breach critical infrastructure. The OneClik APT campaign is targeting energy and oil sectors using Microsoft ClickOnce to deliver a .NET loader and Golang backdoor. The malware uses AWS infrastructure to hide in plain sight, evolving through multiple variants with increasingly stealthy techniques. What do a server board, a home router, and a firewall have in common? They’re all vulnerable, and now officially on CISA’s hit list.CISA has added three exploited vulnerabilities to its KEV catalog, affecting AMI MegaRAC, D-Link DIR-859 routers, and Fortinet FortiOS. A familiar name in your WhatsApp inbox might not be who you think it is. APT42 is targeting Israeli cybersecurity experts and academics through highly personalized spear-phishing campaigns. By posing as journalists or researchers and using platforms like WhatsApp, they lure victims to phishing pages disguised as Google Meet, aiming to steal credentials. With over 100 domains linked to the campaign, the scope likely extends well beyond Israel.

Jun 25, 2025

Cyware Daily Threat Intelligence, June 25, 2025

A familiar package name could be hiding far more than useful code. North Korean actors behind the Contagious Interview campaign have published 35 malicious npm packages, including keyloggers and multi-stage malware loaders like HexEval and InvisibleFerret. By mimicking popular libraries, they’ve tricked thousands of developers into pulling in backdoors designed for cross-platform surveillance. Search results for AI tools are leading users straight into malware traps. Researchers uncovered a campaign that abuses SEO tactics to rank malicious sites for AI-related queries. These sites distribute payloads like Vidar Stealer and Lumma, wrapped in deceptive installers and ZIP files, while using obfuscation techniques like XOR encryption and browser fingerprinting to stay hidden. Even AI model frameworks aren’t immune to critical flaws. NVIDIA has patched two vulnerabilities in its Megatron-LM framework that could allow attackers to inject code or escalate privileges. The bugs, affecting the Python component, pose a serious risk to model integrity and data security if left unpatched.