Cyware Daily Threat Intelligence, May 14, 2025

Daily Threat Briefing • May 14, 2025
Swan Vector is the latest addition to a string of APT campaigns zeroing in on East Asia’s research and engineering sectors. Seqrite Labs uncovered the group’s four-stage malware chain, beginning with a malicious LNK in a ZIP archive and culminating in Cobalt Strike deployment.
A PowerShell script posing as a helpful utility is the entry point for Chihuahua Stealer. This .NET-based info-stealer uses scheduled tasks for persistence and grabs browser credentials and crypto wallet data. It compresses the loot, encrypts it, and exfiltrates over HTTPS - all while cleaning up traces.
Microsoft’s latest Patch Tuesday addresses 78 vulnerabilities, including five zero-days actively exploited in the wild. Among the critical flaws is a CVSS 10 bug in Azure DevOps Server. CISA has flagged these vulnerabilities as high priority for federal agencies, emphasizing risks around memory corruption and privilege escalation.
SAP’s NetWeaver platform is now at the center of a global cyber campaign. Chinese APT groups have been exploiting CVE-2025-31324 to gain remote code execution via unauthenticated file uploads, targeting over 580 systems. Victims span energy, utilities, and government sectors, with attackers using tools like SNOWLIGHT and KrustyLoader.
Malicious PyPI packages target Solana devs
A malicious Python package called solana-token was discovered, targeting Solana blockchain developers to steal source code and sensitive information. It was downloaded over 600 times before being removed from PyPI. The package displayed suspicious behaviors, including outbound communications to non-standard ports and reading files for data exfiltration. It reused the name of a previously removed malicious package.
New info-stealer unlocked
Chihuahua Stealer is a .NET-based infostealer identified through a deceptive PowerShell script shared via Google Drive. The malware employs a multi-stage payload chain, achieving persistence through scheduled tasks and targeting browser data and crypto wallet extensions. Stolen data is compressed into a ".chihuahua" archive and encrypted using AES-GCM, then exfiltrated over HTTPS while erasing local traces. Its techniques include Base64 encoding, hex-string obfuscation, and dynamic payload retrieval from fallback domains, demonstrating a sophisticated approach to evade detection.
Horabot targets Latin America
Cybersecurity researchers have uncovered a phishing campaign distributing Horabot malware, targeting Windows users in six Latin American countries: Mexico, Guatemala, Colombia, Peru, Chile, and Argentina. It spreads through emails disguised as invoices, using malicious HTML files to download payloads. The malware employs VBScript, AutoIt, and PowerShell for credential theft and lateral propagation via Outlook. It checks for antivirus software and virtual machines to evade detection while collecting sensitive information like IP addresses and usernames. Horabot also steals browser data and automates phishing emails, effectively creating a network of infected users.
Swan Vector APT targets Japan and Taiwan
Seqrite Labs discovered the Swan Vector APT campaign targeting Taiwan and Japan, primarily focusing on educational and mechanical engineering sectors. The campaign uses a four-stage malware deployment process, starting with a malicious LNK file and progressing through various DLL implants to deliver Cobalt Strike shellcode. The attack chain begins with a decoy ZIP file containing a malicious LNK and a PNG-masqueraded DLL, executed via rundll32.exe. The Pterois implant performs API hashing and downloads further malware stages from Google Drive using OAuth credentials. The Isurus implant uses DLL sideloading to execute shellcode extracted from an encrypted file, employing techniques like API hashing and direct syscall execution. Cobalt Strike shellcode is decrypted and utilized for process injection, with infrastructure details indicating the use of specific IPs and URLs.
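The lure described above pairs a .lnk with a DLL named like a PNG, so a defender's first triage step is to check each archive member's magic bytes against its extension. The following is an added example (not Seqrite's or the campaign's code) that builds a constructed decoy ZIP inline and flags the shortcut and the PE-in-.png mismatch:

```python
"""Triage a ZIP attachment for the Swan Vector-style lure: a .lnk shortcut
bundled with a PE (DLL) whose filename ends in .png. Sample archive is constructed."""
import io
import struct
import zipfile
from typing import List

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
LNK_MAGIC = b"L\0\0\0" + b"\x01\x14\x02\x00"  # HeaderSize 0x4C + start of the ShellLink CLSID

def sniff(data: bytes) -> str:
    """Identify a file by its leading bytes, ignoring whatever it is named."""
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(b"MZ") and len(data) >= 0x40:
        pe_off = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
        if data[pe_off:pe_off + 4] == b"PE\0\0":
            return "pe"
    if data.startswith(LNK_MAGIC):
        return "lnk"
    return "unknown"

def triage_zip(blob: bytes) -> List[str]:
    """Return one finding per suspicious archive member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            ext = name.rsplit(".", 1)[-1] if "." in name else ""
            kind = sniff(zf.read(info))
            if kind == "lnk" or ext == "lnk":
                findings.append(f"{info.filename}: Windows shortcut inside archive")
            if kind == "pe" and ext not in ("exe", "dll"):
                findings.append(f"{info.filename}: PE executable masquerading as .{ext}")
    return findings

def build_sample() -> bytes:
    """Constructed decoy: minimal PE stub named like an image, plus a shortcut header."""
    pe = bytearray(b"MZ" + b"\0" * 0x3A)      # DOS header up to e_lfanew
    pe += struct.pack("<I", 0x40)             # PE header immediately follows
    pe += b"PE\0\0" + b"\0" * 20
    lnk = LNK_MAGIC + b"\0" * 8
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invitation.lnk", lnk)
        zf.writestr("logo.png", bytes(pe))
        zf.writestr("readme.txt", b"hello")
    return buf.getvalue()

if __name__ == "__main__":
    for line in triage_zip(build_sample()):
        print(line)
```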
Microsoft May 2025 Patch Tuesday
Microsoft has released patches addressing 78 security flaws, including five zero-day vulnerabilities, across its software. Among these, a critical CVSS 10 bug impacts Azure DevOps Server. The updates also include fixes for vulnerabilities in the Chromium-based Edge browser. The zero-day vulnerabilities, actively exploited in the wild, involve memory corruption and privilege escalation issues. Notably, CVE-2025-30400 is the third such flaw in the DWM Core Library to be weaponized since 2023. CISA has added these vulnerabilities to its KEV catalog, urging federal agencies to apply the fixes.
Fortinet patches FortiVoice 0-day
Fortinet patched a critical zero-day vulnerability, CVE-2025-32756, in FortiVoice systems, with a CVSS score of 9.6. The vulnerability allows remote code execution through crafted HTTP requests, affecting multiple Fortinet products. Fortinet observed active exploitation but did not disclose attack details or threat actor identities. Affected products include FortiCamera, FortiMail, FortiNDR, FortiRecorder, and FortiVoice, with specific version updates recommended.
China-linked APTs abuse SAP bug
A critical security flaw in SAP NetWeaver, identified as CVE-2025-31324, is being exploited by China-linked APTs, impacting 581 systems worldwide. This vulnerability allows unauthenticated file uploads leading to remote code execution, targeting sectors such as natural gas, water management, and government ministries. The attackers conducted widespread scanning and utilized webshells like coreasp.js to maintain remote access. Key groups involved include UNC5221, UNC5174, and CL-STA-0048, focusing on essential services and government entities in the U.K., U.S., and Saudi Arabia. Malicious activities included deploying KrustyLoader via AWS S3 buckets and using the SNOWLIGHT downloader to establish persistent access.