Cyware Daily Threat Intelligence, May 05, 2025

Daily Threat Briefing • May 5, 2025
Corporate HR teams are the latest target in a spear-phishing spree by Venom Spider. Disguised as job applications, these emails deliver the More_eggs backdoor, now upgraded with advanced features. The attack leverages advanced evasion tactics to slip past defenses and establish persistent access.
A fresh batch of vulnerabilities from MediaTek could leave millions of devices open to attack. The most severe enables remote DoS via rogue base stations. Other flaws impact encryption, memory handling, and certificate validation across phones, tablets, and smart devices running Android 13 to 15.
Luna Moth is back, and it's using helpdesk lookalikes to worm its way into corporate inboxes. The campaign spoofs trusted brands with phishing emails and fake domains, siphoning credentials and financial data. So far, 50 domains tied to this operation have been linked to breaches in legal, healthcare, and finance sectors.
Backdoor in eCommerce components
A coordinated supply chain attack compromised 21 popular eCommerce applications, with backdoors injected into software from vendors like Tigren, Meetanshi, and Magesolution (MGS). The malware lay dormant for six years and became active recently, affecting 500-1000 stores, including a $40 billion multinational. The backdoor exploits a fake license check in files like License.php or LicenseApi.php, allowing attackers to execute malicious code. Earlier versions required no authentication, while later ones used secret keys. Each backdoor is unique per vendor, varying in authorization checksum, backdoor path, and license filename.
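A first-pass triage for the backdoor class described above is to inventory every PHP file in a storefront deployment, single out files carrying the license-check names the report mentions (License.php, LicenseApi.php), and look for generic dynamic-execution constructs inside them. The scanner below is an added example written for this briefing, not code from Sansec, the affected vendors or the report; the indicator patterns are assumed triage heuristics, not the signature of the actual backdoor, and the PHP fixtures it scans are constructed inline.

```python
import os
import re
import tempfile
from pathlib import Path

# File names called out in the report (compared case-insensitively).
LICENSE_FILENAMES = {"license.php", "licenseapi.php"}

# Generic PHP indicators of dynamic or obfuscated code execution. These are
# assumed triage heuristics for this example, not the backdoor's signature.
INDICATORS = [
    (re.compile(r"\beval\s*\("), "eval() call"),
    (re.compile(r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
     "obfuscation/decoding helper"),
    (re.compile(r"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\("),
     "command execution"),
    (re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\["), "direct use of request data"),
]


def scan_file(path: Path) -> list[str]:
    """Return the indicator labels present in one PHP file, in INDICATORS order."""
    text = path.read_text(encoding="utf-8", errors="replace")
    return [label for pattern, label in INDICATORS if pattern.search(text)]


def scan_tree(root: str) -> list[dict]:
    """Walk a deployment and report every .php file with at least one indicator."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".php"):
                continue
            path = Path(dirpath) / name
            hits = scan_file(path)
            if hits:
                findings.append({
                    "path": str(path),
                    # license-named files with indicators go to the top of the review queue
                    "license_named": name.lower() in LICENSE_FILENAMES,
                    "indicators": hits,
                })
    return sorted(findings, key=lambda f: f["path"])


def high_priority(findings: list[dict]) -> list[dict]:
    """Findings in files that carry one of the license-check names from the report."""
    return [f for f in findings if f["license_named"]]


def build_sample_tree(root: str) -> None:
    """Constructed fixtures for this example; not real vendor code."""
    samples = {
        # benign license check: no dynamic execution, key comes in as a parameter
        "vendor/acme/License.php": (
            "<?php\nclass License {\n"
            "    public function isValid(string $key): bool {\n"
            "        return hash('sha256', $key) === 'PLACEHOLDER_HASH';\n"
            "    }\n}\n"
        ),
        # suspicious: request data decoded and executed from a license-named file
        "vendor/beta/LicenseApi.php": (
            "<?php\n$blob = $_REQUEST['lic'] ?? '';\neval(base64_decode($blob));\n"
        ),
        # command execution elsewhere: reported, but not license-named
        "app/code/Helper.php": (
            "<?php\nfunction run(string $cmd) { return shell_exec($cmd); }\n"
        ),
    }
    for rel, body in samples.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body, encoding="utf-8")


def demo_findings() -> list[dict]:
    """Build the constructed tree in a temporary directory and return the scan results."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)


if __name__ == "__main__":
    for finding in demo_findings():
        flag = "REVIEW FIRST" if finding["license_named"] else "review"
        print(f"{flag:12} {finding['path']}: {', '.join(finding['indicators'])}")
```

Run it against a real webroot by calling `scan_tree("/path/to/store")`; because the backdoor file name and checksum vary per vendor, the license-named filter is a prioritisation aid, and any hit in the indicator list still needs a manual read of the file.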
Venom Spider drops More_Eggs backdoor
Arctic Wolf Labs has identified a new campaign by the financially motivated threat group Venom Spider targeting corporate HR departments via spear-phishing emails. The campaign uses fake resumes to deliver a backdoor malware called More_eggs, which has been enhanced with new features for evasion and effectiveness. The malware uses advanced techniques like server-side polymorphism, code obfuscation, and encrypted payloads to evade detection and analysis. The More_eggs_Dropper library generates polymorphic JavaScript payloads and uses time-delayed execution to avoid sandboxing.
MediaTek released May 2025 security bulletin
MediaTek's May 2025 Security Bulletin reveals six vulnerabilities affecting various MediaTek-powered devices, including smartphones, tablets, AIoT platforms, and TV chipsets. The most severe vulnerability is CVE-2025-20666, a reachable assertion in the modem subsystem, which could allow a remote DoS attack by connecting to a rogue base station. Other medium-severity vulnerabilities include inadequate encryption (CVE-2025-20667), out-of-bounds write issues (CVE-2025-20671 and CVE-2025-20668), improper certificate validation (CVE-2025-20670), and file/directory information exposure (CVE-2025-20665). Affected devices span Android versions 13 to 15, and users are advised to update their firmware to mitigate risks.
Critical bug in ADOdb PHP library
A critical SQL injection vulnerability (CVE-2025-46337) has been found in the ADOdb PHP database library, affecting over 2.8 million installations globally. The flaw resides in the PostgreSQL driver’s pg_insert_id() method, allowing attackers to execute arbitrary SQL commands when improperly sanitized user inputs are passed. The vulnerability has a CVSS score of 10.0, indicating its severity, and impacts multiple PostgreSQL driver versions like postgres64, postgres7, postgres8, and postgres9. The issue has been patched in ADOdb version 5.22.9.
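The bug class behind CVE-2025-46337 is a database helper that splices caller-supplied table and field names straight into a SQL string. The snippet below is an added example for this briefing, not ADOdb's code: it models that pattern against an in-memory SQLite table standing in for PostgreSQL sequence state (the real pg_insert_id() internals and the 5.22.9 fix are not reproduced), then shows the hardened form that allowlists identifiers and binds the derived value as a parameter.

```python
import re
import sqlite3

# Conservative identifier allowlist: leading letter or underscore, then word characters.
IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for sequence state, plus an unrelated table holding a secret."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE seq_state (name TEXT PRIMARY KEY, last_value INTEGER)")
    conn.execute("INSERT INTO seq_state VALUES ('orders_id_seq', 42)")
    conn.execute("CREATE TABLE api_keys (token TEXT)")
    conn.execute("INSERT INTO api_keys VALUES ('constructed-secret-token')")
    conn.commit()
    return conn


def last_insert_id_vulnerable(conn, table: str, field: str) -> list:
    """The bug class: names are interpolated into the SQL text, so a crafted name
    breaks out of the string literal and the rest of the input becomes SQL."""
    sql = f"SELECT last_value FROM seq_state WHERE name = '{table}_{field}_seq'"
    return [row[0] for row in conn.execute(sql)]


def last_insert_id_hardened(conn, table: str, field: str) -> list:
    """Hardened form: reject anything that is not a plain identifier, then pass the
    derived sequence name as a bound parameter instead of building SQL text."""
    for ident in (table, field):
        if not IDENTIFIER.fullmatch(ident):
            raise ValueError(f"rejected SQL identifier: {ident!r}")
    seq_name = f"{table}_{field}_seq"
    return [row[0] for row in conn.execute(
        "SELECT last_value FROM seq_state WHERE name = ?", (seq_name,))]


if __name__ == "__main__":
    conn = make_db()
    # constructed hostile "table name" used to show that the literal is escaped
    hostile = "x' UNION SELECT token FROM api_keys --"
    print("vulnerable, normal input :", last_insert_id_vulnerable(conn, "orders", "id"))
    print("vulnerable, hostile input:", last_insert_id_vulnerable(conn, hostile, "id"))
    print("hardened, normal input   :", last_insert_id_hardened(conn, "orders", "id"))
    try:
        last_insert_id_hardened(conn, hostile, "id")
    except ValueError as exc:
        print("hardened, hostile input  : rejected ->", exc)
```

Parameter binding alone is not enough when the untrusted value is an identifier (a table or column name) rather than a value, which is why the hardened version validates first; if the names are ever used as identifiers in the query itself, they additionally need the driver's identifier quoting.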
Luna Moth uses fake helpdesk domains for scams
The Luna Moth hacking group is using fake helpdesk-themed domains to impersonate legitimate businesses, primarily targeting law firms and corporations. They create lookalike domains (e.g., vorys-helpdesk[.]com) and utilize phishing emails to steal login credentials and financial data. Key characteristics include naming patterns, frequent use of GoDaddy as a registrar, and routing through domaincontrol[.]com. Since March, researchers have identified 50 malicious domains linked to this campaign, posing significant risks to the legal, finance, and healthcare sectors.
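The characteristics listed above (brand-plus-helpdesk naming, GoDaddy registration, domaincontrol[.]com nameservers) can be turned into a scoring rule over newly registered domains. The script below is an added example for this briefing, not researcher tooling from the report: the domain records it scores are constructed, the helpdesk naming tokens beyond the report's own example are assumed extensions of the pattern, and the brand list and owned-domain allowlist would come from an organisation's own asset inventory.

```python
from dataclasses import dataclass

# Naming tokens for helpdesk-themed lookalikes. "helpdesk" comes from the report's
# example (vorys-helpdesk[.]com); the others are assumed variants of the pattern.
HELPDESK_TOKENS = ("helpdesk", "help-desk", "servicedesk", "support", "it-help")
SUSPECT_REGISTRAR = "godaddy"            # registrar the report says is used frequently
SUSPECT_NS_SUFFIX = "domaincontrol.com"  # nameserver domain named in the report
FLAG_THRESHOLD = 4                       # brand token plus helpdesk naming, on their own


@dataclass(frozen=True)
class DomainRecord:
    domain: str            # may be defanged with [.] as in threat reports
    registrar: str = ""
    nameservers: tuple = ()


def refang(name: str) -> str:
    """Normalise a possibly defanged name to a plain lowercase domain."""
    return name.strip().lower().replace("[.]", ".").rstrip(".")


def score_domain(rec: DomainRecord, brands, owned) -> tuple:
    """Score one record; returns (score, reasons)."""
    domain = refang(rec.domain)
    if domain in owned:
        return 0, ["owned domain"]
    labels = domain.split(".")
    registered = labels[-2] if len(labels) >= 2 else labels[0]  # registrable label
    score, reasons = 0, []
    brand = next((b for b in brands if b in registered), None)
    if brand:
        score += 2
        reasons.append(f"contains brand token '{brand}'")
    if any(tok in registered for tok in HELPDESK_TOKENS):
        score += 2
        reasons.append("helpdesk-style naming")
    if SUSPECT_REGISTRAR in rec.registrar.lower():
        score += 1
        reasons.append("registrar matches campaign pattern")
    if any(refang(ns).endswith(SUSPECT_NS_SUFFIX) for ns in rec.nameservers):
        score += 1
        reasons.append("nameservers under domaincontrol.com")
    return score, reasons


def triage(records, brands, owned) -> list:
    """Return (domain, score, reasons) for records at or above the threshold, highest first."""
    flagged = []
    for rec in records:
        score, reasons = score_domain(rec, brands, owned)
        if score >= FLAG_THRESHOLD:
            flagged.append((refang(rec.domain), score, reasons))
    return sorted(flagged, key=lambda f: -f[1])


# Constructed sample feed; only vorys-helpdesk[.]com and domaincontrol[.]com are from the report.
SAMPLE_RECORDS = (
    DomainRecord("vorys-helpdesk[.]com", "GoDaddy.com, LLC",
                 ("ns1.domaincontrol[.]com", "ns2.domaincontrol[.]com")),
    DomainRecord("vorys[.]com", "GoDaddy.com, LLC", ("ns1.domaincontrol[.]com",)),
    DomainRecord("acme-support[.]net", "Namecheap, Inc.", ("dns1.registrar-servers[.]com",)),
    DomainRecord("cloud-photos[.]org", "GoDaddy.com, LLC", ("ns3.domaincontrol[.]com",)),
)
BRANDS = ("vorys", "acme")                 # assumed monitored brand tokens
OWNED = {"vorys.com", "acme.com"}          # constructed allowlist of legitimately owned domains


if __name__ == "__main__":
    for domain, score, reasons in triage(SAMPLE_RECORDS, BRANDS, OWNED):
        print(f"{score}  {domain}: {'; '.join(reasons)}")
```

Registrar and nameserver matches only add weight, since both are shared by a huge legitimate population; the threshold is set so that a domain is flagged on naming alone and infrastructure only raises its rank in the review queue.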