Cyware Daily Threat Intelligence, May 06, 2025

Daily Threat Briefing • May 6, 2025
Mamona isn’t calling home but it’s still locking you out. This offline ransomware strain skips data theft and C2 communication altogether, instead encrypting files using its own cryptographic routines. Though it avoids detection through network monitoring, a working decryption tool is already available for victims.
Google’s latest Android update delivers fixes for around 50 vulnerabilities, including a critical zero-day in FreeType, which was already under active attack. The patch batch covers issues across Android OS, MediaTek, Qualcomm, Wear OS, and Automotive OS, reinforcing security across a wide device ecosystem.
CoGUI is fueling a phishing surge in Japan by spoofing trusted brands like Rakuten and PayPay. The kit uses geofencing and browser fingerprinting to narrow its targets, directing victims to convincingly faked login pages that siphon credentials and payment details with precision.
Mamona: New ransomware strain uncovered
Mamona is a newly identified commodity ransomware strain that operates entirely offline, with no C2 communication or data exfiltration. The ransomware encrypts files locally using custom cryptographic routines, without relying on standard libraries like Windows CryptoAPI or OpenSSL. Mamona lacks network activity, making it harder to detect using traditional network-based defenses. Its encryption key is generated locally or hardcoded. A decryption tool for Mamona is available, despite its outdated interface, and successfully restores encrypted files.
CISA adds Langflow bug to KEV catalog
CISA has issued an urgent alert about an actively exploited vulnerability in Langflow, an open-source framework for building language model applications. The flaw, tracked as CVE-2025-3248, resides in Langflow’s api/v1/validate/code endpoint, which lacks proper authentication controls and therefore lets unauthenticated attackers execute malicious code remotely, posing severe risks such as system compromise and data theft.
0-click UDP flaw in Microsoft WDS
Windows Deployment Services (WDS), a component of Microsoft’s enterprise IT infrastructure, is vulnerable to a newly discovered pre-authentication DoS flaw. This 0-click UDP vulnerability allows attackers to crash systems remotely by exhausting memory through spoofed UDP packets sent to port 69. Because the service creates a new session object for every such packet with no upper limit, the session objects accumulate until server memory is exhausted and the system fails. Researchers demonstrated that a Windows Server with 8GB RAM could crash within minutes of an attack.
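To show the failure mode from the defender's side, here is an added example (not code from the briefing, from Microsoft or from the researchers) that models a UDP session table which either accepts a session object per datagram without limit or enforces a global and a per-source cap; the packet data, addresses and per-session buffer size are constructed.

```python
# Added example: simplified model of a UDP session table. A table with no caps
# grows by one session object per datagram (the exhaustion pattern described
# above); the capped table bounds memory. All values below are constructed.
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Session:
    src: tuple  # (ip, port) claimed by the datagram; spoofable, so not trustworthy
    state: bytes = field(default_factory=lambda: bytes(4096))  # constructed size


class SessionTable:
    def __init__(self, max_sessions=None, max_per_source=None):
        self.sessions = {}
        self.per_source = Counter()
        self.max_sessions = max_sessions      # None = unbounded (the weak setting)
        self.max_per_source = max_per_source  # None = unbounded
        self.rejected = 0

    def on_datagram(self, src_ip, src_port, session_id):
        """Return True if the datagram was bound to a (new or existing) session."""
        key = (src_ip, src_port, session_id)
        if key in self.sessions:
            return True
        if self.max_sessions is not None and len(self.sessions) >= self.max_sessions:
            self.rejected += 1  # global cap: refuse rather than allocate
            return False
        if self.max_per_source is not None and self.per_source[src_ip] >= self.max_per_source:
            self.rejected += 1  # per-source cap: one spoofed IP cannot fill the table
            return False
        self.sessions[key] = Session((src_ip, src_port))
        self.per_source[src_ip] += 1
        return True

    def memory_bytes(self):
        return sum(len(s.state) for s in self.sessions.values())


def flood(table, count):
    """Constructed flood: every datagram claims a fresh source port and session id."""
    for i in range(count):
        table.on_datagram("198.51.100.7", 1024 + i, i)  # placeholder spoofed source
    return table
```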
Android May 2025 security update
Google's May 2025 Android security update addresses roughly 50 vulnerabilities, including a critical zero-day flaw (CVE-2025-27363) in the FreeType rendering engine, which was actively exploited. The update includes patches for high-severity vulnerabilities in Android Framework, System, and components from MediaTek, Qualcomm, and others, as well as fixes for Wear OS and Automotive OS. Google Play system updates also resolve additional issues in Project Mainline components.
CoGUI phishing kit targets Japan
The CoGUI phishing kit is actively targeting Japanese organizations, impersonating well-known consumer and finance brands to steal credentials and payment data. CoGUI employs advanced evasion techniques like geofencing, browser fingerprinting, and header fencing to avoid detection, selectively targeting specific regions. High-volume campaigns have been observed, with the majority targeting Japan, and impersonating brands like Amazon, Rakuten, PayPay, and financial institutions. Campaigns often use urgency-based lures and URLs leading to credential phishing pages, stealing usernames, passwords, and payment information.