Cyware Daily Threat Intelligence, May 09, 2025


Daily Threat Briefing May 9, 2025

Old routers are becoming cybercrime goldmines. The FBI has warned that end-of-life routers are being hijacked with malware like TheMoon and sold on proxy networks such as 5Socks and Anyproxy. These compromised devices are used for crypto theft, cybercrime-as-a-service, and even espionage.

Meanwhile, Chaya_004 is exploiting SAP systems on a global scale. The Chinese threat group was found exploiting CVE-2025-31324, a critical flaw in SAP NetWeaver, to gain remote code execution. Their campaign has hit hundreds of organizations globally, leveraging a Golang-based shell named SuperShell and tools hosted on Chinese cloud platforms in a coordinated effort.

Phishing pages are climbing the search results and duping users. The FreeDrain campaign is using SEO poisoning and free-tier platforms like GitBook and Webflow to host fake wallet interfaces that harvest seed phrases. Over 38,000 phishing subdomains have been linked to this large-scale crypto scam, believed to originate from India and powered by generative AI.

Top Malware Reported in the Last 24 Hours

EoL routers under active exploitation

The FBI warned that cybercriminals are exploiting end-of-life (EoL) routers to deploy malware and convert them into proxies for malicious activities. These compromised routers are sold on networks like 5Socks and Anyproxy, enabling illegal actions such as cryptocurrency theft and cybercrime-for-hire. Chinese state-sponsored actors have also used these vulnerabilities for espionage, including targeting U.S. infrastructure. The agency also confirmed that the routers are compromised with a strain of TheMoon malware.

Supply chain attack targets npm package

The npm package rand-user-agent was compromised in a supply chain attack, injecting a RAT into versions 1.0.110, 2.0.83, and 2.0.84; the package averaged 45,000 weekly downloads. The malicious code created hidden directories, modified module paths, and connected to an attacker-controlled server. The attack exploited an outdated automation token that was not protected by two-factor authentication, allowing unauthorized releases. The legitimate version (2.0.82) remains safe, and the malicious versions have been removed from the npm repository.
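A defender-side check for the compromised releases named above, added here as an example and not code from the briefing or the package's maintainers: it walks an npm lockfile (both the v1 nested layout and the v2/v3 flat layout) and reports any pin of rand-user-agent at 1.0.110, 2.0.83 or 2.0.84, including transitive copies. The sample lockfile is constructed.

```python
import json

# Versions named in the advisory; 2.0.82 is stated to be the last clean release.
COMPROMISED = {"rand-user-agent": {"1.0.110", "2.0.83", "2.0.84"}}


def find_compromised(lockfile_text):
    """Return [(package, version, path)] for every lockfile entry pinned to a
    known-bad version. Handles lockfileVersion 2/3 ("packages" map keyed by
    node_modules path) and lockfileVersion 1 (nested "dependencies" tree)."""
    lock = json.loads(lockfile_text)
    hits = []

    # v2/v3: "node_modules/a/node_modules/rand-user-agent" -> "rand-user-agent"
    for path, meta in lock.get("packages", {}).items():
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        if meta.get("version") in COMPROMISED.get(name, ()):
            hits.append((name, meta["version"], path))

    # v1: recurse through nested dependencies, rebuilding the install path
    def walk(deps, prefix):
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            if meta.get("version") in COMPROMISED.get(name, ()):
                hits.append((name, meta["version"], path))
            walk(meta.get("dependencies", {}), path + "/")

    if "packages" not in lock:
        walk(lock.get("dependencies", {}), "")
    return hits


# Constructed sample (v3 layout): a bad top-level pin and a clean nested copy.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/rand-user-agent": {"version": "2.0.83"},
        "node_modules/some-lib": {"version": "4.1.0"},
        "node_modules/some-lib/node_modules/rand-user-agent": {"version": "2.0.82"},
    },
})

if __name__ == "__main__":
    for name, ver, path in find_compromised(SAMPLE_LOCK):
        print(f"COMPROMISED {name}@{ver} at {path}")
```

Run it against a real package-lock.json by passing the file contents to find_compromised; the same check applies to any other advisory by extending COMPROMISED.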

Top Vulnerabilities Reported in the Last 24 Hours

Play ransomware exploits Windows 0-day

Play ransomware was observed exploiting a Windows zero-day vulnerability (CVE-2025-29824) in the CLFS driver, enabling privilege escalation. The attacks, linked to the cybercrime group Balloonfly, targeted a U.S. organization, deploying the Grixba infostealer and persistence mechanisms. The exploit manipulated the CLFS driver by exploiting a race condition during file handle operations, leading to kernel memory modification and privilege escalation. Multiple actors, including the Storm-2460 group, also exploited this vulnerability, with some attacks involving the PipeMagic malware.

Cisco patches max severity bug

Cisco has addressed a critical vulnerability (CVE-2025-20188) in its IOS XE Software for Wireless LAN Controllers. The flaw involves a hard-coded JSON web token that allows unauthenticated attackers to hijack devices if the Out-of-Band AP Image Download feature is enabled. This feature, which is disabled by default, may be activated in large-scale enterprise deployments. Affected devices include Catalyst 9800 Series Wireless Controllers and Embedded Wireless Controllers on Catalyst APs. Cisco has released a patch and recommends immediate updates, as no mitigations or workarounds are available.

Chinese attackers abuse SAP flaw

Chinese hacking group Chaya_004 is exploiting the critical SAP NetWeaver vulnerability CVE-2025-31324, which allows remote code execution via the ‘/developmentserver/metadatauploader’ endpoint. This flaw has affected hundreds of SAP systems globally across various sectors since its exploitation began in early 2025. The group has deployed a Golang-based reverse shell called SuperShell and is using various tools hosted on Chinese cloud services, indicating a likely origin in China. Malicious infrastructure includes IP addresses, servers, and tools such as NPS, SuperShell, SoftEther VPN, NHAS, Cobalt Strike, and others, indicating a coordinated campaign.
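A hunting query over web access logs for the endpoint named above, added here as an example that is not part of the briefing: it flags every request to /developmentserver/metadatauploader and rates upload verbs (POST/PUT) higher, since those are the ones a file upload needs. The combined-log-format regex and the sample lines are assumptions and constructed input; adapt the pattern to the log source you actually collect from the NetWeaver host or its reverse proxy.

```python
import re
from collections import Counter

# Endpoint the briefing names for CVE-2025-31324 exploitation.
ENDPOINT = "/developmentserver/metadatauploader"

# Combined log format (assumption; the real NetWeaver access log layout differs).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def find_metadatauploader_hits(lines):
    """Return one dict per request whose path is the metadatauploader endpoint.
    The path is compared case-insensitively and without its query string so
    trivial spelling variants still match."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; count these separately in production
        path = m.group("path").split("?", 1)[0].lower()
        if path != ENDPOINT:
            continue
        method = m.group("method")
        hits.append({
            "ip": m.group("ip"), "ts": m.group("ts"), "method": method,
            "status": m.group("status"),
            "severity": "high" if method in ("POST", "PUT") else "medium",
        })
    return hits


def sources_by_count(hits):
    """Source IPs ranked by number of hits, for triage ordering."""
    return Counter(h["ip"] for h in hits)


# Constructed sample lines, not real telemetry.
SAMPLE = [
    '203.0.113.7 - - [08/May/2025:10:01:12 +0000] "GET /irj/portal HTTP/1.1" 200 5120',
    '203.0.113.7 - - [08/May/2025:10:01:40 +0000] "POST /developmentserver/metadatauploader?x=1 HTTP/1.1" 200 128',
    '198.51.100.9 - - [08/May/2025:10:02:03 +0000] "GET /DevelopmentServer/MetadataUploader HTTP/1.1" 200 64',
    '203.0.113.7 - - [08/May/2025:10:02:15 +0000] "GET /irj/servlet/prt/portal HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for h in find_metadatauploader_hits(SAMPLE):
        print(f'{h["severity"].upper():6} {h["ip"]} {h["method"]} {h["status"]} at {h["ts"]}')
```

A 200 on a POST to this endpoint from an external address is the case to escalate first; on a patched system the request should be rejected.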

Top Scams Reported in the Last 24 Hours

FreeDrain subdomains steal seed phrases

Researchers have identified FreeDrain, a large-scale phishing campaign targeting cryptocurrency wallets, utilizing SEO manipulation and free-tier platforms like GitBook and Webflow. Over 38,000 subdomains were found hosting deceptive pages that mimic legitimate wallet interfaces to steal seed phrases. Generative AI tools, like OpenAI’s GPT-4o mini, are used to scale phishing content creation. Victims are lured through high-ranking search results and redirected to phishing sites that capture their wallet seed phrases. The operation is believed to be based in India, with activity dating back to at least 2022 and a significant increase in 2024.
