Cyware Daily Threat Intelligence, May 26, 2025

shutterstock 1621717168 (1)

Daily Threat Briefing May 26, 2025

Threat actors are wrapping their tools in layers of obfuscation, and DOUBLELOADER is no exception. This new backdoor uses the ALCATRAZ obfuscator—once seen in the game-hacking scene—to disguise its presence. It reaches out to hardcoded IPs and paves the way for the RHADAMANTHYS infostealer.

In a campaign likely aimed at Chinese-speaking users, fake installers for QQ Browser and LetsVPN are being used to quietly deliver Winos 4.0. Behind the scenes, a memory-resident loader named Catena helps the malware dodge AV tools. Linked to the Silver Fox threat group, the payload uses reflective DLL injection to steal data and provide remote access.

A critical bug in D-Link routers could give attackers an easy way in. The flaw affects DIR-605L and DIR-816L models, exposing hardcoded Telnet credentials through the firmware. Once inside, attackers can run arbitrary commands, change configs, or pivot deeper into a network - all without needing to brute-force anything.

Top Malware Reported in the Last 24 Hours

DOUBLELOADER malware uses ALCATRAZ obfuscator

Elastic Security Labs identified a new malware family called DOUBLELOADER, which uses the ALCATRAZ obfuscator for evasion and pairs with the RHADAMANTHYS infostealer. DOUBLELOADER operates as a backdoor, injecting code into explorer.exe and communicating with a hardcoded IP address while collecting host information. The ALCATRAZ obfuscator, originally from the game-hacking scene, enables obfuscation of compiled binaries and has been adopted by threat actors for advanced malware techniques. DOUBLELOADER employs multiple obfuscation techniques such as entry point obfuscation, anti-disassembly, instruction mutation, constant unfolding, LEA obfuscation, and control flow flattening, making detection and analysis challenging.

Bumblebee spreads via Zenmap and WinMTR

Fake Zenmap and WinMRT websites are targeting IT staff with malware through SEO poisoning campaigns. These sites distribute trojanized installers for popular tools like Zenmap and WinMTR, which deliver the Bumblebee malware loader. The malware evades detection by most antivirus engines and can introduce additional threats such as ransomware and infostealers. The campaign also targets users of other software like WisenetViewer and Milestone XProtect. Official RVTools sites were taken offline due to DDoS attacks, possibly by the same threat actors to redirect users to malicious sites.

Hacker abuse NSIS, drop Winos 4.0

A malware campaign has been uncovered that uses fake software installers mimicking popular tools like LetsVPN and QQ Browser to deliver the Winos 4.0 malware framework. This operation employs a memory-resident loader named Catena to evade antivirus detection. The campaign targets Chinese-speaking environments and is linked to the threat actor Silver Fox. The malware, based on the Gh0st RAT, is capable of data harvesting, remote access, and DDoS attacks. The infection chain involves trojanized NSIS installers, reflective DLL injection, and communication with C2 servers.

Top Vulnerabilities Reported in the Last 24 Hours

Bugs in Tenable Network Monitor

Tenable has released version 6.5.1 of its Network Monitor to address multiple high-severity vulnerabilities in its codebase and third-party libraries, including OpenSSL, expat, curl, libpcap, and libxml2. Two critical local privilege escalation vulnerabilities (CVE-2025-24916 and CVE-2025-24917) have been resolved. CVE-2025-24916 involved insecure directory permissions during installation on non-default locations. CVE-2025-24917 allowed non-administrative users to execute arbitrary code with SYSTEM privileges. 

RCE flaw in D-Link routers

A critical vulnerability (CVE-2025-46176) in D-Link DIR-605L and DIR-816L routers exposes hardcoded Telnet credentials, enabling remote command execution. The flaw originates from improper command neutralization (CWE-77), allowing attackers to bypass authentication through firmware analysis. Researchers identified plaintext passwords in the firmware using tools like binwalk, exposing the routers to potential exploitation. Attackers can execute arbitrary commands, modify configurations, deploy malware, or pivot to internal networks via this vulnerability.

Related Threat Briefings

May 30, 2025

Cyware Daily Threat Intelligence, May 30, 2025

Fake CAPTCHA prompts are now doing more than testing if you're human—they're installing malware. EDDIESTEALER, a new Rust-based infostealer, spreads through deceptive CAPTCHA pages that trigger malicious PowerShell scripts. The malware downloads obfuscated JavaScript and executable payloads designed to harvest credentials, browser data, and cryptocurrency wallets. A quiet but relentless campaign has been unfolding across multiple industries. The Chinese group Earth Lamia is targeting finance, government, logistics, and more by exploiting known web app vulnerabilities, including flaws in Apache Struts, GitLab, and WordPress. After gaining access, they deploy webshells, create admin accounts, and move laterally using a plethora of tools. Even Google's trusted ecosystem isn’t off-limits anymore. Attackers are misusing Google Apps Script to host phishing pages that convincingly imitate real login portals. The method allows them to slip through email filters by operating under Google's domain, tricking victims into handing over credentials before redirecting them to legitimate sites to avoid suspicion.

May 29, 2025

Cyware Daily Threat Intelligence, May 29, 2025

APT41 hides malware commands where no one’s looking: your calendar. In a creative twist on C2 infrastructure, China-backed APT41 embedded encrypted instructions inside Google Calendar events. Targets received ZIPs masquerading as PDFs, which deployed a multistage malware suite. The result: stealthy, long-term access across governments and industries. AyySSHush doesn’t make noise, it builds armies. More than 9,000 ASUS routers have been compromised by this botnet, which quietly slips in through a CVE-2023-39780 exploit. Attackers install persistent SSH backdoors, disable logging, and remain invisible through firmware updates. The campaign’s low network footprint hides a growing infrastructure of hijacked devices ready for future use. OneDrive’s permissions flaw lets apps peek at everything. A design issue in Microsoft’s OneDrive File Picker lets apps access more data than intended. Vague consent prompts and overly broad OAuth scopes mean entire OneDrive contents could be exposed. Microsoft hasn’t patched it yet, so users should tread carefully.

May 28, 2025

Cyware Daily Threat Intelligence, May 28, 2025

Threat actors are faking Bitdefender to peddle VenomRAT. Using deceptive domains and phishing lures that mimic banks and IT services, this campaign delivers modular malware bundled with tools like SilentTrinity and StormKitty for credential theft, lateral movement, and persistence. A new Go-based botnet called PumaBot is clawing its way through Linux IoT devices. It brute-forces SSH credentials, impersonates Redis files for stealth, and deploys rootkits to mine crypto and steal credentials, while avoiding honeypots and non-targets along the way. A critical flaw in the TI WooCommerce Wishlist plugin lets attackers upload arbitrary files without authentication when paired with WC Fields Factory. With over 100,000 installs affected and no patch in sight, WordPress site owners are exposed.

May 27, 2025

Cyware Daily Threat Intelligence, May 27, 2025

Chinese threat group UAT-6382 is digging deep into local U.S. government systems, exploiting a flaw in Cityworks to breach Microsoft IIS servers. Their playbook includes web shells, Cobalt Strike, and custom backdoors, all aimed at maintaining quiet, long-term access for espionage or potential ransomware deployment. A critical flaw in Siemens’ SiPass integrated access control system could allow unauthenticated attackers to crash the service remotely. The vulnerability stems from an out-of-bounds read issue in how it handles network packets. Siemens has patched the issue in version V2.95.3.18 and urges immediate upgrades. Void Blizzard, a Russian hacking group with ties to multiple Kremlin-aligned actors, has ramped up its espionage operations by breaching over 20 NGOs across Europe and the U.S. Their weapon of choice: Evilginx phishing kits, fake Microsoft Entra login portals, and malicious QR codes. Targets included policy groups and defense-focused organizations, with attackers siphoning off credentials, emails, and Teams conversations.

May 23, 2025

Cyware Daily Threat Intelligence, May 23, 2025

The copyright threat in your inbox might be bait. A phishing campaign sweeping across central and eastern Europe is using fake legal complaints to deliver the Rhadamanthys Stealer. Attackers use DLL side-loading to hijack legitimate PDF readers and establish persistence via Registry Run keys. Meanwhile, researchers flagged three critical vulnerabilities in the Versa Concerto platform that could allow authentication bypass, privilege escalation, and remote code execution. The vulnerabilities affect popular SD-WAN and SASE deployments, leaving organizations exposed if patches haven’t been manually applied. Think twice before clicking on that Ledger update. A new macOS malware campaign is deploying fake versions of the Ledger Live app to steal cryptocurrency seed phrases. The latest malware strain, dubbed Odyssey, impersonates the real app and tricks users into typing their 24-word passphrase after simulating an error. Click to read more!

May 22, 2025

Cyware Daily Threat Intelligence, May 22, 2025

Two years of silence, 6,200 downloads later - the malware is finally found. A malicious campaign targeting JavaScript developers slipped past detection by disguising harmful npm packages as plugins for frameworks like React, Vue.js, Vite, and Quill Editor. The attacker combined typosquatting with a blend of legitimate and malicious modules to build trust and exploit developer habits. Fake AI tools are the new phishing lures and they’re convincing. Cybercriminals cloned Kling AI’s brand through Facebook ads and spoofed websites to trick users into downloading malware. Victims who interacted with fake image-generation tools unknowingly installed PureHVNC RAT. A single flaw in Samlify could let attackers waltz into admin panels. The bug lets adversaries inject unsigned assertions into signed SAML responses. The result? Easy privilege escalation via forged credentials. The issue has been patched in Samlify v2.10.0.

May 21, 2025

Cyware Daily Threat Intelligence, May 21, 2025

Cryptominers are hiding in plain sight, this time inside encrypted chat traffic. ASEC uncovered a stealthy new backdoor paired with a Monero coinminer, using the PyBitmessage library for encrypted peer-to-peer communications. The malware evades typical detection methods. Payloads are decrypted using XOR and pulled from sources like GitHub or suspected Russian drives, while mimicking legitimate software to stay under the radar. Millions of Node[.]js apps just got riskier. Two critical bugs in the Multer middleware can crash servers or slowly bleed memory through malformed requests and unclosed streams. With no workarounds available, developers are urged to upgrade to version 2.0.0. Until then, close monitoring of system performance is the only safeguard. Hazy Hawk is weaponizing your forgotten cloud. Since late 2023, this threat actor has been hijacking abandoned subdomains to launch scams and malware campaigns. By exploiting misconfigured DNS records across platforms like Azure and AWS, they repurpose trusted domains from federal agencies and major organizations to sidestep defenses and hijack SEO.

May 20, 2025

Cyware Daily Threat Intelligence, May 20, 2025

A fake KeePass build is more than just a phony password manager. Promoted as a legitimate KeePass installer and spread via Bing ads, KeeLoader steals passwords and establishes Cobalt Strike beacons linked to UNC4696, an IAB known for working with Black Basta and BlackCat/ALPHV affiliates. Broadcom just plugged a string of VMware bugs. The company issued security patches for four vulnerabilities across ESXi, vCenter Server, Workstation, and Fusion. The most critical (CVE-2025-41225) scores an 8.8 CVSS and lets privileged users execute arbitrary commands on vCenter. Microsoft Outlook users are in the crosshairs again. A new campaign is abusing the W3LL phishing kit to steal Microsoft 365 credentials via adversary-in-the-middle techniques. This PhaaS toolkit bypasses MFA by intercepting sessions and uses realistic login pages, often posing as Adobe, to fool victims. For detailed Cyber Threat Intel, click ‘Read More’.

May 19, 2025

Cyware Daily Threat Intelligence, May 19, 2025

A Turkish phishing lure leads straight to SnakeKeylogger. The DBatLoader (aka ModiLoader) malware is making the rounds again - this time disguised as a Turkish bank email. Victims who open the fake attachment trigger a chain of BAT scripts, DLL sideloading, and obfuscated executables that ultimately deploy SnakeKeylogger. glibc gets an unexpected twist. A newly identified vulnerability in the GNU C Library affects how static setuid binaries interact with shared libraries, specifically through improper use of LD_LIBRARY_PATH. While no known software currently exploits this bug, developers are urged to patch or update glibc to avoid potential abuse in custom or legacy applications. A quiet wave of phishing hits Kuwait. An ongoing campaign is targeting telecom, insurance, and fisheries sectors across the country, using hundreds of domains to impersonate familiar brands. The operation cleverly masks itself with lookalike domains and fake mobile payment portals, siphoning off sensitive data.

May 16, 2025

Cyware Daily Threat Intelligence, May 16, 2025

Procolored’s software downloads came bundled with more than just printer drivers. Researchers uncovered two embedded threats: SnipVex and XRedRAT. One BTC wallet linked to the malware racked up over $100,000, with infections traced back to nearly 40 compromised executables. A jailbreak enabler reemerges from the patch notes. An iOS kernel vulnerability fixed last year has resurfaced through a public proof-of-concept exploit. The flaw allows unsigned apps to escalate privileges, potentially fueling future jailbreak chains. Devices running older OS versions remain at risk despite Apple’s tightened certificate validation. Criminals are now cloning voices with AI and using them to phish officials. The FBI warns of deepfake audio-driven vishing campaigns impersonating senior U.S. figures to access sensitive accounts. These attacks often begin with smishing texts and evolve into sophisticated voice calls, combining stolen credentials and social engineering to extract more valuable data.

May 15, 2025

Cyware Daily Threat Intelligence, May 15, 2025

TransferLoader doesn’t just sneak in, it evolves. Active since early 2025, this modular loader combines a downloader, backdoor loader, and backdoor into one stealthy package. It uses anti-analysis tricks, dynamic C2 updates via IPFS, and has already been linked to Morpheus ransomware deployments. Once inside, it enables arbitrary command execution and long-term persistence. Two ransomware gangs, BianLian and RansomExx, are now exploiting the same SAP NetWeaver vulnerability as Chinese APTs. Using CVE-2025-31324, the attackers deliver PipeMagic alongside privilege escalation flaws like CVE-2025-29824. Infrastructure links tie the activity to BianLian, with payloads deployed via web shells and C2 managed through Brute Ratel and inline assembly. Fancy Bear is broadening its reach. Operation RoundPress shows the group leveraging XSS zero-days to breach webmail platforms. Its spearphishing campaigns use malicious JavaScript to deploy SpyPress variants aimed at stealing credentials and exfiltrating emails, often bypassing 2FA in the process. Targets span government and defense sectors from Eastern Europe to South America.

May 14, 2025

Cyware Daily Threat Intelligence, May 14, 2025

Swan Vector is the latest addition to a string of APT campaigns zeroing in on East Asia’s research and engineering sectors. Seqrite Labs uncovered the group’s four-stage malware chain, beginning with a malicious LNK in a ZIP archive and culminating in Cobalt Strike deployment. A PowerShell script posing as a helpful utility is the entry point for Chihuahua Stealer. This .NET-based info-stealer uses scheduled tasks for persistence and grabs browser credentials and crypto wallet data. It compresses the loot, encrypts it, and exfiltrates over HTTPS - all while cleaning up traces. Microsoft’s latest Patch Tuesday addresses 78 vulnerabilities, including five zero-days actively exploited in the wild. Among the critical flaws is a CVSS 10 bug in Azure DevOps Server. The CISA has flagged these vulnerabilities as high priority for federal agencies, emphasizing risks around memory corruption and privilege escalation. SAP’s NetWeaver platform is now at the center of a global cyber campaign. Chinese APT groups have been exploiting CVE-2025-31324 to gain remote code execution via unauthenticated file uploads, targeting over 580 systems. Victims span energy, utilities, and government sectors, with attackers using tools like SNOWLIGHT and KrustyLoader. For detailed Cyber Threat Intel, click ‘Read More’.