Cyware Daily Threat Intelligence, May 08, 2025


Daily Threat Briefing May 8, 2025

COLDRIVER’s latest malware, LOSTKEYS, is now in play. The Russian state-backed group is deploying this tool to steal files and system data from advisors, journalists, NGOs, and individuals linked to Ukraine. Delivered via ClickFix, LOSTKEYS expands COLDRIVER’s toolkit beyond credential phishing, signaling a continued focus on espionage and document theft.

SysAid users, it’s time to patch. Multiple vulnerabilities—ranging from XXE to OS command injection—have been fixed in version 24.4.60. Researchers uncovered the flaws and even released a PoC, warning that 77 unpatched instances remain exposed online. Given SysAid’s large user base, the window for exploitation remains a real concern.

A clever lure is fueling a quiet takeover in Brazil. Cisco Talos uncovered a campaign abusing the country’s electronic invoicing system to trick victims into installing remote monitoring tools. The attackers use free trials of RMM products to hijack machines, often targeting high-level accounts in finance, education, and government.

Top Malware Reported in the Last 24 Hours

COLDRIVER uses ClickFix, drops LOSTKEYS

Russian hackers linked to the COLDRIVER group are deploying a new malware called LOSTKEYS, targeting advisors, journalists, and NGOs, particularly those connected to Ukraine. LOSTKEYS is designed to steal files, system information, and running processes, marking an evolution in COLDRIVER's toolset. The group is also known for credential phishing and hack-and-leak campaigns. The malware is delivered through a multi-stage infection chain starting with a fake CAPTCHA page, known as ClickFix, that socially engineers users into executing PowerShell commands.

Malicious npm packages hijack Cursor on macOS

Malicious npm packages (sw-cur, sw-cur1, aiide-cur) have been discovered targeting macOS users of the Cursor IDE, stealing credentials and embedding backdoors. These packages disguise themselves as developer tools offering cheaper API access, exploiting developers' trust in their IDEs. Upon execution, they modify critical files, disable auto-updates, and maintain persistent access by executing attacker-controlled code. The packages have been downloaded over 3,200 times and are linked to threat actors using npm aliases gtr2018 and aiide.

Top Vulnerabilities Reported in the Last 24 Hours

SysAid instances vulnerable to RCE

SysAid has patched vulnerabilities in its IT service management software that could allow unauthenticated remote command execution. Discovered by WatchTowr, these include several XXE vulnerabilities (CVE-2025-2775, CVE-2025-2776, CVE-2025-2777) and an OS command injection issue (CVE-2025-2778). The flaws affect versions 23.3.40 and earlier and are fixed in version 24.4.60. Researchers identified 77 unpatched SysAid instances exposed online and published a PoC exploit, highlighting the potential for exploitation by attackers targeting SysAid products, which are used by 10 million users globally.

CISA adds GeoVision bugs to KEV catalog

CISA added two critical vulnerabilities in GeoVision devices—CVE-2024-6047 and CVE-2024-11120—to its KEV catalog. These OS command injection flaws allow unauthenticated remote attackers to execute arbitrary commands on affected devices. The Shadowserver Foundation observed botnets exploiting GeoVision zero-day flaws for DDoS and cryptomining attacks, with 17,000 vulnerable devices identified globally. Most of the vulnerable GeoVision devices are located in the U.S., Germany, Taiwan, and Canada.

Top Scams Reported in the Last 24 Hours

Spam campaign targets Brazil with RMM tool

Cisco Talos identified a spam campaign in Brazil targeting users with RMM tools, leveraging the Brazilian electronic invoice system (NF-e) as a lure. Threat actors exploit free trial periods of RMM tools (e.g., N-able and PDQ Connect) to distribute malicious agents, gaining full control over victims' machines. Victims include C-level executives and financial or human resources accounts across industries such as education and government. The campaign utilizes Dropbox-hosted malicious files disguised as financial documents to trick users into downloading RMM tools.
