Cyware Daily Threat Intelligence, May 02, 2025


Daily Threat Briefing May 2, 2025

MintsLoader, a malware loader in use since early 2023, is now delivering GhostWeaver, a PowerShell-based RAT. The infection chain runs through obfuscated JavaScript and PowerShell stages, carries evasion techniques, and generates its C2 domains with a domain generation algorithm (DGA); initial execution is obtained with a ClickFix lure that talks the victim into running the first command.

Two new malware families, TerraStealerV2 and TerraLogger, are attributed to the Golden Chickens group. TerraStealerV2 steals browser credentials and crypto wallet data but cannot yet bypass Chrome's Application Bound Encryption, suggesting it is still in development. TerraLogger is a standalone keylogger with no exfiltration module, which points to a plug-in role in a broader MaaS toolkit.

A fake refund for a real blackout. A phishing campaign is spoofing TAP Air Portugal, preying on confusion after the Iberian power outage. Victims are promised compensation for delayed flights, only to be directed to phishing pages that steal payment details. The lure is simple, but effective, and the infrastructure, as usual, runs through compromised WordPress sites.

Top Malware Reported in the Last 24 Hours

MintsLoader deploys GhostWeaver via ClickFix

MintsLoader is a malware loader now being used to deploy GhostWeaver, a PowerShell-based RAT. The infection chain is multi-stage, built from obfuscated JavaScript and PowerShell scripts, with evasion techniques and a DGA that generates the C2 domains. Since early 2023, MintsLoader has delivered payloads such as StealC and a modified BOINC client through phishing emails aimed at the industrial, legal, and energy sectors. The ClickFix social-engineering lure (a fake error or verification prompt) tricks users into pasting and running the malicious command themselves. GhostWeaver communicates with its C2 server over TLS.
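
The DGA is the detail a defender can act on without a sample: algorithmically generated domains look different from human-chosen ones, and a host that resolves several of them in a short window stands out. The following is an added illustration, not code from the MintsLoader report and not MintsLoader's own algorithm. It is a small Python heuristic that scores the registrable label of each queried name on length, Shannon entropy and vowel/digit mix, then raises a client-level alert when one host resolves three or more such names. The DNS log lines, field layout and thresholds are constructed for the example.

```python
import math
import re
from collections import Counter

# Constructed DNS query log (not real MintsLoader traffic). Format per line:
# "<timestamp> <client-ip> <queried-name> <qtype>".
SAMPLE_DNS_LOG = """\
2025-05-02T09:14:01Z 10.0.0.21 www.example.com A
2025-05-02T09:14:02Z 10.0.0.21 cdn.jsdelivr.net A
2025-05-02T09:14:03Z 10.0.0.21 stackoverflow.com A
2025-05-02T09:14:05Z 10.0.0.33 qx7dt2pzk4mw.com A
2025-05-02T09:14:05Z 10.0.0.33 h3v9rzq8mtc2.top A
2025-05-02T09:14:06Z 10.0.0.33 b2w8mkz5tq7r.xyz A
2025-05-02T09:14:09Z 10.0.0.21 mail.google.com A
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking labels score high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def registrable_label(qname: str) -> str:
    """Label directly left of the TLD. Naive on purpose: production code should
    use the Public Suffix List so that 'shop.example.co.uk' yields 'example'."""
    labels = qname.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def dga_like(label: str, min_len: int = 10, min_entropy: float = 3.2,
             max_vowel_ratio: float = 0.25, min_digit_ratio: float = 0.2) -> bool:
    """Heuristic: a long, high-entropy label that is vowel-starved or digit-heavy.
    Thresholds are illustrative assumptions; tune them against your own baseline."""
    n = len(label)
    if n < min_len:
        return False
    vowels = sum(ch in "aeiou" for ch in label)
    digits = sum(ch.isdigit() for ch in label)
    return shannon_entropy(label) >= min_entropy and (
        vowels / n < max_vowel_ratio or digits / n >= min_digit_ratio)


def parse_dns_log(text: str):
    """Yield (timestamp, client, qname, qtype) for each well-formed line."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groups()


def flagged_domains_by_client(text: str) -> dict:
    """Map client -> set of distinct DGA-looking domains it resolved."""
    out: dict = {}
    for _ts, client, qname, _qtype in parse_dns_log(text):
        if dga_like(registrable_label(qname)):
            out.setdefault(client, set()).add(qname.lower().rstrip("."))
    return out


def suspicious_clients(text: str, min_distinct: int = 3) -> list:
    """Clients that resolved at least min_distinct different DGA-looking domains.
    The per-host count is the stronger signal; a single odd label is often a CDN."""
    return sorted(c for c, doms in flagged_domains_by_client(text).items()
                  if len(doms) >= min_distinct)


if __name__ == "__main__":
    for client, doms in flagged_domains_by_client(SAMPLE_DNS_LOG).items():
        print(client, sorted(doms))
    print("suspicious:", suspicious_clients(SAMPLE_DNS_LOG))
```

Single-label scoring produces false positives on CDN and cloud hostnames, which is why the alert is raised on the number of distinct odd domains per client rather than on any one query; in production, add an allowlist of known infrastructure and the client's NXDOMAIN rate, since a DGA client typically fails to resolve most of the names it tries before it finds the live one.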

npm malware targets crypto wallets

Sonatype uncovered a malicious npm package, crypto-encrypt-ts, that poses as a TypeScript port of the CryptoJS library. It is a cryptocurrency stealer: it reads wallet data, targets wallets with balances over 1,000, exfiltrates the stolen data through the Better Stack logging service, and installs cron jobs for persistence. The package had been downloaded 1,928 times. Turkish-language comments in the code point to a Turkish-speaking author.

Malicious Go modules fetch disk wiper

Socket identified three malicious Go modules that carry obfuscated disk-wiping malware, with complete data loss as the outcome. They rely on the fact that Go has no central package registry: a module path is just a repository URL, so an attacker can publish a module under a familiar name from a different GitHub account and count on developers not checking the namespace. Each module hides a runtime step that downloads and executes a destructive shell script, targeting Linux systems.
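
Both the npm item above and this Go one come down to name trust: crypto-encrypt-ts rides on the CryptoJS name, and a Go module path can repeat a well-known repository name under a different account. The script below is an added example, not Sonatype's or Socket's tooling, that audits a package.json and a go.mod against a small allowlist. npm names within a short edit distance of an allowlisted package, or sharing a distinctive name token with one, are flagged; Go module paths whose final element matches an allowlisted module under a different namespace, or that sit outside the trusted namespaces, are flagged. The manifests and allowlists are constructed for the example; the only name taken from the reports is crypto-encrypt-ts.

```python
import json
import re

# Constructed manifests. Only crypto-encrypt-ts is a name from the report above;
# the other names are placeholders for the example.
PACKAGE_JSON = json.dumps({
    "dependencies": {
        "express": "^4.19.2",
        "lodahs": "^4.17.21",
        "crypto-encrypt-ts": "^1.0.0",
        "crypto-js": "^4.2.0",
    }
})
GO_MOD = """module example.com/app

go 1.22

require (
\tgolang.org/x/crypto v0.23.0
\tgithub.com/stretchr/testify v1.9.0
\tgithub.com/someone-else/testify v1.0.0
)
"""

# Hypothetical allowlists; in practice derive them from reviewed lockfiles or an internal registry.
KNOWN_GOOD_NPM = {"express", "lodash", "crypto-js", "react"}
KNOWN_GOOD_GO = {"golang.org/x/crypto", "github.com/stretchr/testify"}
TRUSTED_GO_PREFIXES = ("golang.org/x/", "github.com/stretchr/")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def tokens(name: str) -> set:
    """Name parts of 4+ chars; short parts like 'js' or 'ts' are too generic to matter."""
    return {t for t in re.split(r"[-_.@/]", name.lower()) if len(t) >= 4}


def audit_npm(package_json_text: str, allowlist: set) -> list:
    """Flag dependencies that are near-misspellings of, or borrow a name token from,
    an allowlisted package without being that package. Returns [(name, reason)]."""
    deps = json.loads(package_json_text).get("dependencies", {})
    findings = []
    for name in deps:
        if name in allowlist:
            continue
        for good in sorted(allowlist):
            max_dist = 1 if len(name) < 6 else 2
            if levenshtein(name, good) <= max_dist:
                findings.append((name, f"possible typosquat of {good}"))
                break
            shared = tokens(name) & tokens(good)
            if shared:
                findings.append((name, f"shares name token {sorted(shared)[0]!r} with {good}"))
                break
    return findings


def parse_go_requires(go_mod_text: str) -> list:
    """Module paths from both block and single-line require directives."""
    paths, in_block = [], False
    for raw in go_mod_text.splitlines():
        line = raw.strip()
        if line.startswith("require ("):
            in_block = True
            continue
        if in_block and line == ")":
            in_block = False
            continue
        if line.startswith("require "):
            line = line[len("require "):]
        elif not in_block:
            continue
        parts = line.split()
        if len(parts) >= 2 and parts[1].startswith("v"):
            paths.append(parts[0])
    return paths


def audit_go(go_mod_text: str, allowlist: set, trusted_prefixes: tuple) -> list:
    """Flag module paths that reuse an allowlisted module's final element under a
    different namespace, or that sit outside every trusted namespace."""
    last_to_good = {g.rsplit("/", 1)[-1]: g for g in allowlist}
    findings = []
    for path in parse_go_requires(go_mod_text):
        if path in allowlist:
            continue
        last = path.rsplit("/", 1)[-1]
        if last in last_to_good:
            findings.append((path, f"namespace confusion with {last_to_good[last]}"))
        elif not path.startswith(trusted_prefixes):
            findings.append((path, "outside trusted namespaces"))
    return findings


if __name__ == "__main__":
    for name, why in (audit_npm(PACKAGE_JSON, KNOWN_GOOD_NPM)
                      + audit_go(GO_MOD, KNOWN_GOOD_GO, TRUSTED_GO_PREFIXES)):
        print(f"{name}: {why}")
```

Token sharing is a triage signal, not proof: legitimate packages also reuse words like "crypto", so findings are prompts for a human to open the package, read its install scripts and check the publisher, not an automatic block. Pinning through lockfiles and checksums (go.sum, package-lock.json) covers the separate problem of a known-good name serving changed content.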

Meet these new malware families

Researchers discovered two new malware families, TerraStealerV2 and TerraLogger, and attribute them to the Golden Chickens threat actor. TerraStealerV2 targets browser credentials and cryptocurrency wallets but cannot bypass Chrome's Application Bound Encryption, which suggests the code is either outdated or still being developed. TerraLogger is a standalone keylogger with no exfiltration capability of its own, consistent with a modular component of the group's MaaS ecosystem. Both families are under active development.

Top Vulnerabilities Reported in the Last 24 Hours

NVIDIA issues urgent security advisory

NVIDIA disclosed a critical vulnerability (CVE-2025-23254) in its TensorRT-LLM framework affecting versions before 0.18.2 on Windows, Linux, and macOS. The flaw sits in the Python executor component, whose inter-process communication (IPC) channel accepted messages without authentication, so an attacker who could reach that channel could achieve code execution and data tampering. The fix in 0.18.2 enables HMAC protection of IPC messages by default. HMAC is a message authentication code rather than encryption: it lets the receiver reject forged or modified messages but does not hide their contents. Users should update to 0.18.2 or later.
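
The fix pattern here is general: a local IPC channel that deserializes whatever arrives lets any process that can reach the socket inject commands, and a keyed MAC checked before parsing closes that off. The code below is an added example of that pattern, not NVIDIA's TensorRT-LLM code and not a reproduction of CVE-2025-23254. Each frame carries an HMAC-SHA256 tag over its body, the receiver verifies the tag in constant time before it deserializes anything, and a simulated on-channel tamper shows the unauthenticated receiver acting on a forged field while the hardened one refuses the frame. The framing, field names and key handling are assumptions made for the example.

```python
import hashlib
import hmac
import json
import os
import struct

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


class AuthenticationError(Exception):
    pass


def _encode(payload: dict) -> bytes:
    # Canonical JSON so sender and receiver agree byte-for-byte on what was signed.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def pack_message(key: bytes, payload: dict) -> bytes:
    """Frame = 4-byte big-endian body length || body || HMAC-SHA256(key, body)."""
    body = _encode(payload)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return struct.pack("!I", len(body)) + body + tag


def unpack_message(key: bytes, frame: bytes) -> dict:
    """Hardened receiver: check the framing, then the MAC, and only then parse."""
    if len(frame) < 4 + TAG_LEN:
        raise AuthenticationError("frame too short")
    (n,) = struct.unpack("!I", frame[:4])
    body = frame[4:4 + n]
    tag = frame[4 + n:4 + n + TAG_LEN]
    trailing = frame[4 + n + TAG_LEN:]
    if len(body) != n or len(tag) != TAG_LEN or trailing:
        raise AuthenticationError("malformed frame")
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        raise AuthenticationError("MAC mismatch")
    return json.loads(body)  # deserialization happens only for authenticated bytes


def unpack_unauthenticated(frame: bytes) -> dict:
    """The weak pattern: anything that reaches the socket is parsed and acted on."""
    (n,) = struct.unpack("!I", frame[:4])
    return json.loads(frame[4:4 + n])


def tamper(frame: bytes, field: str, value) -> bytes:
    """Simulated attacker on the channel: rewrite one field, keep the old tag (no key)."""
    (n,) = struct.unpack("!I", frame[:4])
    payload = json.loads(frame[4:4 + n])
    payload[field] = value
    body = _encode(payload)
    return struct.pack("!I", len(body)) + body + frame[4 + n:]


def accepts(key: bytes, frame: bytes) -> bool:
    """True if the hardened receiver accepts the frame."""
    try:
        unpack_message(key, frame)
        return True
    except AuthenticationError:
        return False


def demo() -> tuple:
    """Returns (path the weak receiver would act on, whether the hardened one rejected it)."""
    key = os.urandom(32)  # shared secret handed to both processes out of band
    frame = pack_message(key, {"op": "load_engine", "path": "/models/trusted.engine"})
    forged = tamper(frame, "path", "/tmp/attacker.engine")
    weak_path = unpack_unauthenticated(forged)["path"]
    return weak_path, not accepts(key, forged)


if __name__ == "__main__":
    print(demo())  # ('/tmp/attacker.engine', True)
```

Two caveats a reviewer would raise on this design: the MAC gives integrity and origin authentication, not confidentiality, so anything sensitive in the body still needs encryption; and it does not stop replay of a previously valid frame, which needs a nonce or monotonic counter inside the signed body. The key must also be unreadable by the untrusted peer, otherwise the check proves nothing.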

Microsoft fixes Exchange Online bug

Microsoft resolved an Exchange Online issue, tracked as EX1064599, in which an updated machine learning spam model began flagging legitimate Gmail messages as spam on April 25 and moving them to Junk folders because they resembled known spam. Microsoft rolled the model back to the previous version and is reviewing its detection process to prevent a repeat. This is a mail-delivery incident rather than a security vulnerability, though the resulting false positives can hide legitimate mail.

Top Scams Reported in the Last 24 Hours

Spain-Portugal power outage drives phishing

Cofense spotted an email phishing campaign spoofing TAP Air Portugal that exploits the recent power outage in Spain and Portugal. The emails claim the recipient is eligible for a refund under EU regulations for a delayed flight and link to a phishing page that harvests personal and credit card details. Notably, the page does not redirect anywhere after submission; the attackers simply collect the data. The campaign is hosted on compromised WordPress sites.
