Cyware Daily Threat Intelligence, May 07, 2025

Daily Threat Briefing • May 7, 2025
Agenda’s playbook just got upgraded. The ransomware group has added two new tools: SmokeLoader and a stealthy .NET-based loader called NETXLOADER. The latter leverages techniques like JIT hooking and AES decryption to deploy ransomware and loaders directly into memory, while SmokeLoader injects payloads into explorer.exe using anti-analysis tricks.
In a different vein, a bogus debugging package was found duping Discord bot developers. The malicious PyPI package ‘discordpydebug,’ posing as a helpful tool, is designed to steal data and execute commands. Downloaded over 11,500 times, it exploited community trust, mirrored by over 45 npm lookalikes in what appears to be a broader campaign.
AWS patched a critical bug in Amplify Studio version 2.20.3. CVE-2025-4318 allowed attackers to inject JavaScript into UI components during render time via the amplify-codegen-ui package. No active exploitation was detected.
Inferno Drainer returns in a phishing campaign
Check Point Research uncovered a phishing campaign using Discord to target crypto users, redirecting them from legitimate sites to phishing pages linked to Inferno Drainer. It operates as a drainer-as-a-service, creating malicious scripts and infrastructure for other cybercriminals to use. The phishing campaign impersonates the Collab.Land bot on Discord, tricking users into signing malicious transactions. Inferno Drainer uses advanced techniques such as single-use smart contracts, encrypted configurations, and proxy communication to bypass wallet security and blacklists. Over 30,000 wallets have been compromised in the last six months, causing losses exceeding $9 million.
Agenda ransomware welcomes SmokeLoader and NETXLOADER
The Agenda ransomware group has incorporated SmokeLoader malware and a new loader, NETXLOADER, into its arsenal. NETXLOADER is a highly obfuscated .NET-based loader that deploys additional malware payloads, including Agenda ransomware and SmokeLoader, through advanced techniques like JIT hooking and AES decryption. SmokeLoader incorporates anti-analysis methods and injects payloads into processes like explorer.exe. Agenda ransomware is delivered using reflective DLL loading, allowing it to execute in memory without being written to disk.
Malicious PyPI package downloaded 11,500+ times
Researchers have uncovered a malicious PyPI package, discordpydebug. It targeted Discord bot developers, posing as a debugging tool but functioning as a RAT. Attackers exploited the trust within Discord's developer community, spreading the package through recommendations and server threads. The RAT allows attackers to read/write files, execute shell commands, and exfiltrate sensitive data, without any persistence mechanism. The package, downloaded over 11,500 times, enabled data exfiltration and command execution. Additionally, over 45 npm packages imitating legitimate libraries were identified, suggesting a coordinated attack targeting developers.
Bugs spotted in IBM Cognos Analytics
IBM has disclosed two high-severity vulnerabilities in its Cognos Analytics platform, tracked as CVE-2024-40695 and CVE-2024-51466. CVE-2024-40695 allows unauthorized file uploads due to improper file validation, affecting versions 12.0.0–12.0.4 and 11.2.0–11.2.4 FP4. CVE-2024-51466 enables remote code injection, leading to sensitive data exposure and server crashes, and is rated critical with a CVSS score of 9.0. IBM recommends updating to patched versions (12.0.4 Interim Fix 1 or 11.2.4 FP5), as no temporary mitigations are available.
Critical flaw in AWS Amplify Studio
AWS addressed a critical vulnerability (CVE-2025-4318) in its Amplify Studio platform, which allowed authenticated attackers to inject and execute malicious JavaScript code during component rendering. The flaw was found in the amplify-codegen-ui package, specifically in the expression-binding function used for processing UI component schemas with the create-component command. The issue affected versions ≤2.20.2 and was patched in version 2.20.3. AWS confirmed no active exploits before the fix.
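The bug class behind this advisory is a code generator that splices schema-controlled strings into the JavaScript it emits. The following is an added illustration written for this briefing, not amplify-codegen-ui source: a toy expression-binding function in its unsafe and hardened forms, with a constructed schema fragment; the property names (`value`, `bindingProperties`, `property`, `field`) are assumptions.

```javascript
// Toy code generator: turns one component-schema property into a JS expression
// that will be emitted into a generated React component. The schema is treated as
// untrusted input (e.g. an imported component definition). Names are hypothetical.

// Unsafe variant: schema strings are concatenated straight into generated code,
// so a crafted 'value' can break out of the string literal and become code.
function bindExpressionUnsafe(prop) {
  if (prop.bindingProperties) {
    const { property, field } = prop.bindingProperties;
    return `${property}.${field}`; // e.g. user.name
  }
  return `"${prop.value}"`; // quotes in prop.value are not escaped
}

// Hardened variant: only strict identifiers may become code, and literal values
// are serialized with JSON.stringify so they can never leave the string literal.
const IDENT = /^[A-Za-z_$][\w$]*$/;
function bindExpressionSafe(prop) {
  if (prop.bindingProperties) {
    const { property, field } = prop.bindingProperties;
    if (!IDENT.test(property) || !IDENT.test(field)) {
      // Reject rather than emit: the generated file must stay attacker-free.
      throw new Error(`rejected binding: ${JSON.stringify(prop.bindingProperties)}`);
    }
    return `${property}.${field}`;
  }
  return JSON.stringify(String(prop.value));
}

// Constructed schema fragments (not from any real schema): one carries a
// string-breakout payload marker, one is a legitimate binding, one is a
// binding whose field name smuggles code.
const hostileProp = { value: '" + injected() + "' };
const benignProp = { bindingProperties: { property: 'user', field: 'name' } };
const hostileBinding = { bindingProperties: { property: 'user', field: 'name; injected()' } };

// Round-trip check a reviewer can apply to any emitted literal: parsing the
// generated text must yield exactly the original value, with no extra tokens.
function literalRoundTrips(prop) {
  return JSON.parse(bindExpressionSafe(prop)) === String(prop.value);
}

// Unsafe output: "" + injected() + ""   (payload marker is now executable code)
// Safe output:   "\" + injected() + \"" (still one string literal)
console.log(bindExpressionUnsafe(hostileProp));
console.log(bindExpressionSafe(hostileProp));
```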