Cyware Daily Threat Intelligence, May 08, 2025

shutterstock 2418418293 (1)

Daily Threat Briefing May 8, 2025

COLDRIVER’s latest malware, LOSTKEYS, is now in play. The Russian state-backed group is deploying this tool to steal files and system data from advisors, journalists, NGOs, and individuals linked to Ukraine. Delivered via ClickFix, LOSTKEYS expands COLDRIVER’s toolkit beyond credential phishing, signaling a continued focus on espionage and document theft.

SysAid users, it’s time to patch. Multiple vulnerabilities—ranging from XXE to OS command injection—have been fixed in version 24.4.60. Researchers uncovered the flaws and even released a PoC, warning that 77 unpatched instances remain exposed online. Given SysAid’s large user base, the window for exploitation remains a real concern.

A clever lure is fueling a quiet takeover in Brazil. Cisco Talos uncovered a campaign abusing the country’s electronic invoicing system to trick victims into installing remote monitoring tools. The attackers use free trials of RMM products to hijack machines, often targeting high-level accounts in finance, education, and government.

Top Malware Reported in the Last 24 Hours

COLDRIVER uses ClickFix, drops LOSTKEYS

Russian hackers linked to the COLDRIVER group are deploying a new malware called LOSTKEYS, targeting advisors, journalists, and NGOs, particularly those connected to Ukraine. LOSTKEYS is designed to steal files, system information, and running processes, marking an evolution in COLDRIVER's toolset. The group is also known for credential phishing and hack-and-leak campaigns. The malware is delivered through a multi-stage infection chain starting with a fake CAPTCHA page, known as ClickFix, that socially engineers users into executing PowerShell commands.

Malicious npm packages hijack Cursor on macOS

Malicious npm packages (sw-cur, sw-cur1, aiide-cur) have been discovered targeting macOS users of the Cursor IDE, stealing credentials and embedding backdoors. These packages disguise themselves as developer tools offering cheaper API access, exploiting developers' trust in their IDEs. Upon execution, they modify critical files, disable auto-updates, and maintain persistent access by executing attacker-controlled code. The packages have been downloaded over 3,200 times and are linked to threat actors using npm aliases gtr2018 and aiide.

Top Vulnerabilities Reported in the Last 24 Hours

SysAid instances vulnerable to RCE

SysAid has patched vulnerabilities in its IT service management software, which could allow unauthenticated remote command execution. Discovered by WatchTowr, these include several XXE vulnerabilities (CVE-2025-2775, CVE-2025-2776, CVE-2025-2777) and an OS command injection issue (CVE-2025-2778). The patches were released in version 24.4.60, affecting versions 23.3.40 and earlier. Researchers identified 77 unpatched SysAid instances exposed online and published a PoC exploit, highlighting the potential for exploitation by attackers targeting SysAid products, which are used by 10 million users globally.

CISA adds GeoVision bugs to KEV catalog

The CISA added two critical vulnerabilities in GeoVision devices—CVE-2024-6047 and CVE-2024-11120—to its KEV catalog. These OS command injection flaws allow unauthenticated remote attackers to execute arbitrary commands on affected devices. Shadowserver Foundation observed botnets exploiting GeoVision zero-day flaws for DDoS and cryptomining attacks, with 17,000 vulnerable devices identified globally. Most vulnerable GeoVision devices are located in the U.S., Germany, Taiwan, and Canada.

Top Scams Reported in the Last 24 Hours

Spam campaign targets Brazil with RMM tool

Cisco Talos identified a spam campaign in Brazil targeting users with RMM tools, leveraging the Brazilian electronic invoice system (NF-e) as a lure. Threat actors exploit free trial periods of RMM tools (e.g., N-able and PDQ Connect) to distribute malicious agents, gaining full control over victims' machines. Victims include C-level executives and financial or human resources accounts across industries such as education and government. The campaign utilizes Dropbox-hosted malicious files disguised as financial documents to trick users into downloading RMM tools.

Related Threat Briefings

May 9, 2025

Cyware Daily Threat Intelligence, May 09, 2025

Old routers are becoming cybercrime goldmines. The FBI has warned that end-of-life routers are being hijacked with malware like TheMoon and sold on proxy networks such as 5Socks and Anyproxy. These compromised devices are used for crypto theft, cybercrime-as-a-service, and even espionage. Meanwhile, Chaya_004 is exploiting SAP systems on a global scale. The Chinese threat group was found exploiting CVE-2025-31324, a critical flaw in SAP NetWeaver, to gain remote code execution. Their campaign has hit hundreds of organizations globally, leveraging a Golang-based shell named SuperShell and tools hosted on Chinese cloud platforms in a coordinated effort. Phishing pages are climbing the search results and duping users. The FreeDrain campaign is using SEO poisoning and free-tier platforms like GitBook and Webflow to host fake wallet interfaces that harvest seed phrases. Over 38,000 phishing subdomains have been linked to this large-scale crypto scam, believed to originate from India and powered by generative AI. For detailed Cyber Threat Intel, click ‘Read More’.

May 7, 2025

Cyware Daily Threat Intelligence, May 07, 2025

Agenda’s playbook just got upgraded. The ransomware group has added two new tools: SmokeLoader and a stealthy .NET-based loader called NETXLOADER. The latter leverages techniques like JIT hooking and AES decryption to deploy ransomware and loaders directly into memory, while SmokeLoader injects payloads into explorer.exe using anti-analysis tricks. In a different vein, a bogus debugging package was found duping Discord bot developers. The malicious PyPI package ‘discordpydebug,’ posing as a helpful tool, is designed to steal data and execute commands. Downloaded over 11,500 times, it exploited community trust, mirrored by over 45 npm lookalikes in what appears to be a broader campaign. AWS patched a critical bug in Amplify Studio version 2.20.3. CVE-2025-4318 allowed attackers to inject JavaScript into UI components during render time via the amplify-codegen-ui package. No active exploitation was detected.

May 6, 2025

Cyware Daily Threat Intelligence, May 06, 2025

Mamona isn’t calling home but it’s still locking you out. This offline ransomware strain skips data theft and C2 communication altogether, instead encrypting files using its own cryptographic routines. Though it avoids detection through network monitoring, a working decryption tool is already available for victims. Google’s latest Android update delivers fixes for around 50 vulnerabilities, including a critical zero-day in FreeType, which was already under active attack. The patch batch covers issues across Android OS, MediaTek, Qualcomm, Wear OS, and Automotive OS, reinforcing security across a wide device ecosystem. CoGUI is fueling a phishing surge in Japan by spoofing trusted brands like Rakuten and PayPay. The kit uses geofencing and browser fingerprinting to narrow its targets, directing victims to convincingly faked login pages that siphon credentials and payment details with precision.

May 5, 2025

Cyware Daily Threat Intelligence, May 05, 2025

Corporate HR teams are the latest target in a spear-phishing spree by Venom Spider. Disguised as job applications, these emails deliver More_eggs backdoor, now upgraded with advanced features. The attack leverages advanced evasion tactics to slip past defenses and establish persistent access. A fresh batch of vulnerabilities from MediaTek could leave millions of devices open to attack. The most severe enables remote DoS via rogue base stations. Other flaws impact encryption, memory handling, and certificate validation across phones, tablets, and smart devices running Android 13 to 15. Luna Moth is back, and it's using helpdesk lookalikes to worm its way into corporate inboxes. The campaign spoofs trusted brands with phishing emails and fake domains, siphoning credentials and financial data. So far, 50 domains tied to this operation have been linked to breaches in legal, healthcare, and finance sectors.

May 2, 2025

Cyware Daily Threat Intelligence, May 02, 2025

In the shadows of the cybersecurity landscape, MintsLoader emerges as a formidable adversary, orchestrating a multi-faceted infection strategy that deploys the notorious GhostWeaver RAT. This malware loader ingeniously employs a blend of obfuscated JavaScript and PowerShell scripts to execute its malicious agenda, utilizing sophisticated evasion techniques and a DGA for C2 communications. Two new malware families—TerraStealerV2 and TerraLogger—are now linked to the Golden Chickens threat group. TerraStealerV2 steals credentials and crypto wallet data but can’t yet bypass Chrome’s built-in encryption, suggesting it’s still in progress. TerraLogger, meanwhile, operates as a standalone keylogger with no exfiltration module, hinting at a plug-and-play role in a broader MaaS toolkit. A fake refund for a real blackout. A phishing campaign is spoofing TAP Air Portugal, preying on confusion after the Iberian power outage. Victims are promised compensation for delayed flights, only to be directed to phishing pages that steal payment details. The lure is simple, but effective, and the infrastructure, as usual, runs through compromised WordPress sites.

May 1, 2025

Cyware Daily Threat Intelligence, May 01, 2025

Some PyPI packages are doing more than importing functions. Researchers uncovered seven malicious Python packages under the “Coffin” naming scheme, using Gmail’s SMTP service as a stealthy C2 channel. Hardcoded credentials let the malware establish outbound tunnels via port 465, send activation signals, and quietly exfiltrate data. Apache ActiveMQ users should be on high alert. A flaw in its .NET Message Service library now lets remote attackers inject code by abusing deserialization. All versions prior to the latest update are at risk, so prompt patching is essential to protect your systems. Emails that look like official Social Security alerts are turning into dangerous gateways. In the new Molatori phishing campaign, attackers send messages claiming your Social Security Statement is ready to download. Once you install the ScreenConnect client they push, remote access is granted, and sensitive data gets swept away, thanks to convincing links from compromised WordPress sites.

Apr 30, 2025

Cyware Daily Threat Intelligence, April 30, 2025

A familiar threat actor is back with sharper tools. A new spear-phishing wave from Earth Kasha is hitting government targets in Taiwan and Japan. Using a malicious Excel file, the group drops an updated ANEL backdoor and maintains stealthy persistence with SharpHide. The second-stage malware hides C2 traffic behind DNS over HTTPS - signaling renewed focus on quiet, long-term access. TheWizards aren’t casting spells, they’re hijacking software updates. This Chinese-linked threat group is abusing IPv6 SLAAC to perform AitM attacks with the Spellbinder lateral movement tool. Spellbinder redirects traffic to attacker-controlled domains to deliver malware-laced updates to apps like Tencent QQ and Sogou Pinyin. Once inside, a modular backdoor takes over. New vulnerabilities in Apple’s AirPlay protocol, collectively dubbed AirBorne, expose billions of devices to remote code execution without user interaction. Attackers could silently hijack devices via use-after-free and buffer overflow vulnerabilities, affecting not only Apple hardware but also third-party products using the AirPlay SDK.

Apr 29, 2025

Cyware Daily Threat Intelligence, April 29, 2025

Sharp and TX stealers are back, donning a new cloak - named Hannibal Stealer. It is going after credentials from browsers, crypto wallets, FTP clients, and VPN apps. It even captures Discord tokens and Steam sessions. While its core is largely unoriginal, its control panel and delivery updates point to a more commercialized approach, complete with dark web subscriptions. Privilege escalation is just a pointer error away. Attack of the Vsock exposes a critical use-after-free bug in the Linux kernel’s VMware vsock driver. A mishandled reference count allows attackers to reclaim memory and more. With exploit code already circulating, this one has the potential to hit millions of virtualized systems. They sound urgent. They look official. And they’re emptying wallets. TA2900, a newly identified BEC actor, is impersonating landlords to trick renters in France and Canada into sending payments to attacker-controlled accounts. Messages come from compromised university inboxes and often swap out IBANs mid-thread.

Apr 28, 2025

Cyware Daily Threat Intelligence, April 28, 2025

Ransomware groups aren’t always the ones breaking the door open. Researchers have uncovered ToyMaker, an initial access broker selling network entry to ransomware groups. Using a custom malware strain called LAGTOY, ToyMaker establishes reverse shells and executes commands on compromised systems. After gaining access, ToyMaker hands over the keys - leaving ransomware operators to finish the job. Industrial remote access just got a lot more dangerous. Three vulnerabilities have been discovered in the IXON VPN client, affecting both Windows and Linux. Attackers can exploit temporary file handling flaws to escalate privileges. Full details remain under wraps until patches are ready. One bad notification and your iPhone could be stuck in an endless reboot loop. A critical iOS flaw allowed malicious apps to abuse the Darwin notification system and brick devices with a single command. Apple’s fix in iOS 18.3 now requires special entitlements to send sensitive notifications but unpatched devices remain at risk.

Apr 25, 2025

Cyware Daily Threat Intelligence, April 25, 2025

An APT group with deep roots in Southeast Asia is quietly siphoning data through everyday cloud platforms. Earth Kurma has been active since late 2020, targeting government and telecom entities across the Philippines, Vietnam, Thailand, and Malaysia. Its extensive toolkit enables credential theft, stealthy surveillance, and Dropbox-based exfiltration. One patch, two problems. Microsoft’s fix for CVE-2025–21204 may have closed a privilege escalation bug but it opened the door to a DoS vulnerability. By creating junction points, non-admin users can block future Windows updates from installing. There’s no fix yet, and unless the rogue junction is manually removed, security updates will fail silently. Logos, lures, and lies - the Power Parasites campaign is using all three. Fraudsters are impersonating global energy brands to scam victims in Bangladesh, Nepal, and India through fake jobs and investment offers. With over 150 domains and active Telegram and YouTube promotion, the scheme blends fake onboarding forms with identity theft and financial fraud, all under the guise of renewable energy.

Apr 24, 2025

Cyware Daily Threat Intelligence, April 24, 2025

It starts with a fake sales order and ends with FormBook silently stealing your data. A recent phishing campaign has been abusing a long-patched Microsoft flaw to deliver a fileless variant of the malware. The attack uses a Word document, a fake PNG file follows, carrying an encrypted payload that’s decrypted and run entirely in memory - leaving no trace on disk. A single request is all it takes to bring SonicWall firewalls to a halt. CVE-2025-32818 targets the SSLVPN Virtual Office interface and can trigger a DoS condition on affected Gen7 appliances. The vulnerability, rated 7.5 in severity, has been patched in recent firmware updates. Signal and WhatsApp are the new frontline for cloud compromise. Russian actors are running OAuth phishing campaigns against Microsoft 365 users tied to Ukraine and human rights work. Victims are tricked into handing over legitimate Microsoft auth codes, often via chats impersonating European officials.

Apr 23, 2025

Cyware Daily Threat Intelligence, April 23, 2025

One compromised package, five tainted versions, and private keys silently siphoned away. A supply chain attack hit a widely used JavaScript library for the XRP Ledger. Malicious code was slipped into several recent versions, enabling private key theft via an external domain. The incident is linked to a compromised npm account tied to a Ripple employee. Docker containers aren’t always what they seem. A new threat named TenoBot is targeting systems running outdated Teneo Web3 node software, deploying malicious containers to hijack environments. Once inside, it enables attackers to conduct multiple actions, all while blending in with legitimate processes to avoid detection. A hidden flaw could turn Moodle into an unintentional threat vector. A recent audit exposed a TOC-TOU bug in the LMS’s URL validation process, enabling SSRF. By tampering with DNS responses, attackers can redirect requests to internal endpoints. Features like Calendar imports and File Picker are directly impacted, potentially affecting millions of users.