Cyware Daily Threat Intelligence, May 27, 2025

Daily Threat Briefing • May 27, 2025

Chinese threat group UAT-6382 is digging deep into local U.S. government systems, exploiting a flaw in Cityworks to breach Microsoft IIS servers. Their playbook includes web shells, Cobalt Strike, and custom backdoors, all aimed at maintaining quiet, long-term access for espionage or potential ransomware deployment.

A critical flaw in Siemens’ SiPass integrated access control system could allow unauthenticated attackers to crash the service remotely. The vulnerability stems from an out-of-bounds read issue in how it handles network packets. Siemens has patched the issue in version V2.95.3.18 and urges immediate upgrades.

Void Blizzard, a Russian hacking group with ties to multiple Kremlin-aligned actors, has ramped up its espionage operations by breaching over 20 NGOs across Europe and the U.S. Their weapon of choice: Evilginx phishing kits, fake Microsoft Entra login portals, and malicious QR codes. Targets included policy groups and defense-focused organizations, with attackers siphoning off credentials, emails, and Teams conversations.

Top Malware Reported in the Last 24 Hours

Chinese hackers abuse Cityworks bug, drop malware

Chinese hackers, identified as UAT-6382, exploited a vulnerability (CVE-2025-0994) in Cityworks, an asset management system, to target U.S. local governments. The vulnerability allowed remote code execution on Microsoft IIS web servers, with the attackers deploying web shells and custom malware for long-term access. Tools such as Cobalt Strike and VShell were used to maintain control, perform reconnaissance, and enable further malicious activities like ransomware or espionage. The attackers used various backdoors, including Rust-based TetraLoader, to deploy payloads and maintain persistent access.

Top Vulnerabilities Reported in the Last 24 Hours

Siemens SiPass bug enables DoS conditions

Siemens has addressed a critical vulnerability (CVE-2022-31812) in its SiPass integrated versions before V2.95.3.18, which could allow unauthenticated remote attackers to cause a DoS condition. The flaw, an out-of-bounds read issue (CWE-125), arises from improper handling of network packet integrity checks, potentially leading to application crashes. Siemens has released an updated version (V2.95.3.18) and recommends patching immediately.

Critical vulnerability in MeteoBridge firmware

ONEKEY discovered a critical vulnerability (CVE-2025-4008) in the MeteoBridge firmware, allowing remote unauthenticated command execution with root privileges due to insecure use of eval calls in CGI scripts. The vulnerability impacts MeteoBridge devices running version 6.1 or earlier, with a patch available in version 6.2. Exploitation is possible via unauthenticated access due to a public directory bypass and can be triggered remotely, including through malicious web pages.

Top Scams Reported in the Last 24 Hours

SEO poisoning techniques and payroll fraud

A recent campaign has been uncovered that exploits SEO poisoning to trick employees into visiting fake payroll portal login pages, resulting in payroll fraud. Attackers target mobile devices, which lack enterprise security, using compromised routers to mask their activities. The campaign leverages phishing tactics, including fake Microsoft login pages, to steal credentials and uses push notifications for real-time credential usage.

Threats in Spotlight

Void Blizzard uses Evilginx phishing

Russian hackers, identified as Void Blizzard, have breached over 20 NGOs in Europe and the U.S. using Evilginx phishing via fake Microsoft Entra pages. Active since April 2024, they target organizations linked to Russian government interests, employing stolen credentials purchased from online marketplaces. Their tactics include password spraying, spear-phishing emails, and utilizing tools like AzureHound for reconnaissance. In April 2025, Void Blizzard began using spear phishing campaigns involving fake emails and malicious QR codes to steal login credentials, including spoofing Microsoft Entra authentication portals. Recent attacks involved phishing emails impersonating the European Defense and Security Summit, leading to significant data theft from compromised organizations, including access to Microsoft Teams conversations. The group’s activities overlap with other Russian-affiliated actors, such as Forest Blizzard and Seashell Blizzard, indicating shared intelligence objectives.

Related Threat Briefings

May 30, 2025

Cyware Daily Threat Intelligence, May 30, 2025

Fake CAPTCHA prompts are now doing more than testing if you're human—they're installing malware. EDDIESTEALER, a new Rust-based infostealer, spreads through deceptive CAPTCHA pages that trigger malicious PowerShell scripts. The malware downloads obfuscated JavaScript and executable payloads designed to harvest credentials, browser data, and cryptocurrency wallets. A quiet but relentless campaign has been unfolding across multiple industries. The Chinese group Earth Lamia is targeting finance, government, logistics, and more by exploiting known web app vulnerabilities, including flaws in Apache Struts, GitLab, and WordPress. After gaining access, they deploy webshells, create admin accounts, and move laterally using a plethora of tools. Even Google's trusted ecosystem isn’t off-limits anymore. Attackers are misusing Google Apps Script to host phishing pages that convincingly imitate real login portals. The method allows them to slip through email filters by operating under Google's domain, tricking victims into handing over credentials before redirecting them to legitimate sites to avoid suspicion.

May 29, 2025

Cyware Daily Threat Intelligence, May 29, 2025

APT41 hides malware commands where no one’s looking: your calendar. In a creative twist on C2 infrastructure, China-backed APT41 embedded encrypted instructions inside Google Calendar events. Targets received ZIPs masquerading as PDFs, which deployed a multistage malware suite. The result: stealthy, long-term access across governments and industries. AyySSHush doesn’t make noise, it builds armies. More than 9,000 ASUS routers have been compromised by this botnet, which quietly slips in through a CVE-2023-39780 exploit. Attackers install persistent SSH backdoors, disable logging, and remain invisible through firmware updates. The campaign’s low network footprint hides a growing infrastructure of hijacked devices ready for future use. OneDrive’s permissions flaw lets apps peek at everything. A design issue in Microsoft’s OneDrive File Picker lets apps access more data than intended. Vague consent prompts and overly broad OAuth scopes mean entire OneDrive contents could be exposed. Microsoft hasn’t patched it yet, so users should tread carefully.

May 28, 2025

Cyware Daily Threat Intelligence, May 28, 2025

Threat actors are faking Bitdefender to peddle VenomRAT. Using deceptive domains and phishing lures that mimic banks and IT services, this campaign delivers modular malware bundled with tools like SilentTrinity and StormKitty for credential theft, lateral movement, and persistence. A new Go-based botnet called PumaBot is clawing its way through Linux IoT devices. It brute-forces SSH credentials, impersonates Redis files for stealth, and deploys rootkits to mine crypto and steal credentials, while avoiding honeypots and non-targets along the way. A critical flaw in the TI WooCommerce Wishlist plugin lets attackers upload arbitrary files without authentication when paired with WC Fields Factory. With over 100,000 installs affected and no patch in sight, WordPress site owners are exposed.

May 26, 2025

Cyware Daily Threat Intelligence, May 26, 2025

Threat actors are wrapping their tools in layers of obfuscation, and DOUBLELOADER is no exception. This new backdoor uses the ALCATRAZ obfuscator—once seen in the game-hacking scene—to disguise its presence. It reaches out to hardcoded IPs and paves the way for the RHADAMANTHYS infostealer. In a campaign likely aimed at Chinese-speaking users, fake installers for QQ Browser and LetsVPN are being used to quietly deliver Winos 4.0. Behind the scenes, a memory-resident loader named Catena helps the malware dodge AV tools. Linked to the Silver Fox threat group, the payload uses reflective DLL injection to steal data and provide remote access. A critical bug in D-Link routers could give attackers an easy way in. The flaw affects DIR-605L and DIR-816L models, exposing hardcoded Telnet credentials through the firmware. Once inside, attackers can run arbitrary commands, change configs, or pivot deeper into a network - all without needing to brute-force anything.

May 23, 2025

Cyware Daily Threat Intelligence, May 23, 2025

The copyright threat in your inbox might be bait. A phishing campaign sweeping across central and eastern Europe is using fake legal complaints to deliver the Rhadamanthys Stealer. Attackers use DLL side-loading to hijack legitimate PDF readers and establish persistence via Registry Run keys. Meanwhile, researchers flagged three critical vulnerabilities in the Versa Concerto platform that could allow authentication bypass, privilege escalation, and remote code execution. The vulnerabilities affect popular SD-WAN and SASE deployments, leaving organizations exposed if patches haven’t been manually applied. Think twice before clicking on that Ledger update. A new macOS malware campaign is deploying fake versions of the Ledger Live app to steal cryptocurrency seed phrases. The latest malware strain, dubbed Odyssey, impersonates the real app and tricks users into typing their 24-word passphrase after simulating an error. Click to read more!

May 22, 2025

Cyware Daily Threat Intelligence, May 22, 2025

Two years of silence, 6,200 downloads later - the malware is finally found. A malicious campaign targeting JavaScript developers slipped past detection by disguising harmful npm packages as plugins for frameworks like React, Vue.js, Vite, and Quill Editor. The attacker combined typosquatting with a blend of legitimate and malicious modules to build trust and exploit developer habits. Fake AI tools are the new phishing lures and they’re convincing. Cybercriminals cloned Kling AI’s brand through Facebook ads and spoofed websites to trick users into downloading malware. Victims who interacted with fake image-generation tools unknowingly installed PureHVNC RAT. A single flaw in Samlify could let attackers waltz into admin panels. The bug lets adversaries inject unsigned assertions into signed SAML responses. The result? Easy privilege escalation via forged credentials. The issue has been patched in Samlify v2.10.0.

May 21, 2025

Cyware Daily Threat Intelligence, May 21, 2025

Cryptominers are hiding in plain sight, this time inside encrypted chat traffic. ASEC uncovered a stealthy new backdoor paired with a Monero coinminer, using the PyBitmessage library for encrypted peer-to-peer communications. The malware evades typical detection methods. Payloads are decrypted using XOR and pulled from sources like GitHub or suspected Russian drives, while mimicking legitimate software to stay under the radar. Millions of Node[.]js apps just got riskier. Two critical bugs in the Multer middleware can crash servers or slowly bleed memory through malformed requests and unclosed streams. With no workarounds available, developers are urged to upgrade to version 2.0.0. Until then, close monitoring of system performance is the only safeguard. Hazy Hawk is weaponizing your forgotten cloud. Since late 2023, this threat actor has been hijacking abandoned subdomains to launch scams and malware campaigns. By exploiting misconfigured DNS records across platforms like Azure and AWS, they repurpose trusted domains from federal agencies and major organizations to sidestep defenses and hijack SEO.

May 20, 2025

Cyware Daily Threat Intelligence, May 20, 2025

A fake KeePass build is more than just a phony password manager. Promoted as a legitimate KeePass installer and spread via Bing ads, KeeLoader steals passwords and establishes Cobalt Strike beacons linked to UNC4696, an IAB known for working with Black Basta and BlackCat/ALPHV affiliates. Broadcom just plugged a string of VMware bugs. The company issued security patches for four vulnerabilities across ESXi, vCenter Server, Workstation, and Fusion. The most critical (CVE-2025-41225) scores an 8.8 CVSS and lets privileged users execute arbitrary commands on vCenter. Microsoft Outlook users are in the crosshairs again. A new campaign is abusing the W3LL phishing kit to steal Microsoft 365 credentials via adversary-in-the-middle techniques. This PhaaS toolkit bypasses MFA by intercepting sessions and uses realistic login pages, often posing as Adobe, to fool victims. For detailed Cyber Threat Intel, click ‘Read More’.

May 19, 2025

Cyware Daily Threat Intelligence, May 19, 2025

A Turkish phishing lure leads straight to SnakeKeylogger. The DBatLoader (aka ModiLoader) malware is making the rounds again - this time disguised as a Turkish bank email. Victims who open the fake attachment trigger a chain of BAT scripts, DLL sideloading, and obfuscated executables that ultimately deploy SnakeKeylogger. glibc gets an unexpected twist. A newly identified vulnerability in the GNU C Library affects how static setuid binaries interact with shared libraries, specifically through improper use of LD_LIBRARY_PATH. While no known software currently exploits this bug, developers are urged to patch or update glibc to avoid potential abuse in custom or legacy applications. A quiet wave of phishing hits Kuwait. An ongoing campaign is targeting telecom, insurance, and fisheries sectors across the country, using hundreds of domains to impersonate familiar brands. The operation cleverly masks itself with lookalike domains and fake mobile payment portals, siphoning off sensitive data.

May 16, 2025

Cyware Daily Threat Intelligence, May 16, 2025

Procolored’s software downloads came bundled with more than just printer drivers. Researchers uncovered two embedded threats: SnipVex and XRedRAT. One BTC wallet linked to the malware racked up over $100,000, with infections traced back to nearly 40 compromised executables. A jailbreak enabler reemerges from the patch notes. An iOS kernel vulnerability fixed last year has resurfaced through a public proof-of-concept exploit. The flaw allows unsigned apps to escalate privileges, potentially fueling future jailbreak chains. Devices running older OS versions remain at risk despite Apple’s tightened certificate validation. Criminals are now cloning voices with AI and using them to phish officials. The FBI warns of deepfake audio-driven vishing campaigns impersonating senior U.S. figures to access sensitive accounts. These attacks often begin with smishing texts and evolve into sophisticated voice calls, combining stolen credentials and social engineering to extract more valuable data.

May 15, 2025

Cyware Daily Threat Intelligence, May 15, 2025

TransferLoader doesn’t just sneak in, it evolves. Active since early 2025, this modular loader combines a downloader, backdoor loader, and backdoor into one stealthy package. It uses anti-analysis tricks, dynamic C2 updates via IPFS, and has already been linked to Morpheus ransomware deployments. Once inside, it enables arbitrary command execution and long-term persistence. Two ransomware gangs, BianLian and RansomExx, are now exploiting the same SAP NetWeaver vulnerability as Chinese APTs. Using CVE-2025-31324, the attackers deliver PipeMagic alongside privilege escalation flaws like CVE-2025-29824. Infrastructure links tie the activity to BianLian, with payloads deployed via web shells and C2 managed through Brute Ratel and inline assembly. Fancy Bear is broadening its reach. Operation RoundPress shows the group leveraging XSS zero-days to breach webmail platforms. Its spearphishing campaigns use malicious JavaScript to deploy SpyPress variants aimed at stealing credentials and exfiltrating emails, often bypassing 2FA in the process. Targets span government and defense sectors from Eastern Europe to South America.

May 14, 2025

Cyware Daily Threat Intelligence, May 14, 2025

Swan Vector is the latest addition to a string of APT campaigns zeroing in on East Asia’s research and engineering sectors. Seqrite Labs uncovered the group’s four-stage malware chain, beginning with a malicious LNK in a ZIP archive and culminating in Cobalt Strike deployment. A PowerShell script posing as a helpful utility is the entry point for Chihuahua Stealer. This .NET-based info-stealer uses scheduled tasks for persistence and grabs browser credentials and crypto wallet data. It compresses the loot, encrypts it, and exfiltrates over HTTPS - all while cleaning up traces. Microsoft’s latest Patch Tuesday addresses 78 vulnerabilities, including five zero-days actively exploited in the wild. Among the critical flaws is a CVSS 10 bug in Azure DevOps Server. The CISA has flagged these vulnerabilities as high priority for federal agencies, emphasizing risks around memory corruption and privilege escalation. SAP’s NetWeaver platform is now at the center of a global cyber campaign. Chinese APT groups have been exploiting CVE-2025-31324 to gain remote code execution via unauthenticated file uploads, targeting over 580 systems. Victims span energy, utilities, and government sectors, with attackers using tools like SNOWLIGHT and KrustyLoader. For detailed Cyber Threat Intel, click ‘Read More’.