Cyware Daily Threat Intelligence, September 02, 2025

shutterstock 1917841850

Daily Threat Briefing September 2, 2025

Masquerading as a scholarly newsletter, North Korea’s ScarCruft is targeting South Korean academics and ex-officials with RokRAT malware. Launched via spear-phishing emails with malicious LNK files, Operation HanKook Phantom uses PowerShell and obfuscated scripts to steal sensitive data, cloaking exfiltration as Chrome uploads to hit government and research sectors.

A fake PDF editor peddled through Google ads is dishing out the TamperedChef infostealer to unsuspecting users. Promoted across 50 domains since June, AppSuite PDF Editor, signed with bogus certificates, activates its data-stealing tricks post-update, grabbing credentials and cookies while dodging security agents.

WhatsApp and Apple are racing to patch critical zero-day flaws exposing users to spyware attacks. A WhatsApp vulnerability, paired with an Apple OS flaw, allows exploits via malicious image files and device sync messages, potentially targeting high-profile individuals in sophisticated campaigns.

Top Malware Reported in the Last 24 Hours

ScarCruft targets South Korean academics 

North Korea-linked hacking group ScarCruft (APT37) launched Operation HanKook Phantom, targeting South Korean academics and former government officials using RokRAT malware for espionage purposes. The attack begins with a spear-phishing email disguised as a "National Intelligence Research Society Newsletter," using malicious LNK files to deploy RokRAT malware, which exfiltrates data via popular cloud services. A second campaign involves PowerShell scripts and obfuscated batch files to deploy malware that steals sensitive data while masking network activity as Chrome file uploads. The campaign includes tailored spear-phishing attacks and covert exfiltration mechanisms targeting South Korean government sectors and research institutions.

Brokewell malware spreads through fake ads

Cybercriminals are exploiting Meta's advertising platforms to distribute Brokewell malware through fraudulent ads promising a free TradingView Premium app, specifically targeting Android users interested in cryptocurrency. This campaign, active since July 22, employs around 75 localized ads that redirect users to a fake TradingView site, where they download a malicious APK file. Once installed, the malware requests extensive permissions under the guise of an update prompt, allowing it to steal sensitive information, including device lockscreen PINs. Brokewell is equipped with advanced capabilities, enabling it to monitor and control infected devices, steal cryptocurrency credentials, bypass two-factor authentication, and intercept messages. This operation is part of a broader scheme that initially targeted Windows users through deceptive Facebook ads impersonating well-known brands.

Fake PDF Editor drops infostealer

Cybercriminals are distributing the TamperedChef infostealer through a fraudulent PDF editing application called AppSuite PDF Editor, promoted via Google ads across multiple websites. This campaign, which began on June 26, involves over 50 domains and utilizes apps signed with fake certificates from various companies. Initially, the app functions normally, but an update on August 21 activates its malicious capabilities, allowing it to collect sensitive data such as credentials and web cookies. Researchers discovered that the malware checks for security agents on the host system and queries installed web browsers using Windows' Data Protection API. The threat actors employed a strategy to maximize downloads before activating the infostealer, suggesting a well-coordinated operation.

Top Vulnerabilities Reported in the Last 24 Hours

WhatsApp patches 0-day, 0-click bug

WhatsApp has addressed a critical zero-day vulnerability (CVE-2025-55177) that allowed unauthorized users to exploit linked device synchronization messages, potentially leading to sophisticated attacks. This vulnerability is believed to have been used in conjunction with an Apple OS-level flaw (CVE-2025-43300), which involved an out-of-bounds write issue that could result in memory corruption when processing malicious image files. Both vulnerabilities may have been exploited as part of a commercial spyware campaign targeting specific individuals. 

Three new flaws in Sitecore Experience Platform

Three new security vulnerabilities have been identified in the Sitecore Experience Platform, including HTML cache poisoning, RCE via insecure deserialization, and information disclosure through brute-force enumeration of cache keys. The vulnerabilities, assigned CVEs CVE-2025-53693, CVE-2025-53691, and CVE-2025-53694, could allow unauthorized access to sensitive information and execution of malicious code. Patches for the first two vulnerabilities were released in June, while the patch for the information disclosure flaw followed in July. Researchers indicated that these vulnerabilities could be exploited in a chain, where attackers could use the ItemService API to enumerate cache keys and send poisoned requests, ultimately leading to the execution of arbitrary code.

Related Threat Briefings

Aug 29, 2025

Cyware Daily Threat Intelligence, August 29, 2025

Posing as a golden ticket from the Bangladesh Education Board, SikkahBot is preying on students with fake scholarship lures. Active since July 2024, this Android malware grabs high-risk permissions to intercept SMS and steal financial data, spread via smishing links, with evolving variants showing sharper automation. A sneaky loophole in the VS Code Marketplace is letting attackers recycle names of deleted extensions to push ransomware. The “shiba” extension, active from late 2024 to mid-2025, encrypts files and demands Shiba Inu tokens, exploiting the platform’s name-reuse flaw to dodge detection. Click Studios is sounding the alarm on a dangerous flaw in Passwordstate’s password manager. This authentication bypass lets attackers access the admin section via a crafted URL, threatening the credentials of 370,000 IT pros across 29,000 firms, with a fix in Build 9972.

Aug 28, 2025

Cyware Daily Threat Intelligence, August 28, 2025

A data theft campaign attributed to UNC6395 targeted Salesforce instances via compromised OAuth tokens linked to the Salesloft Drift app, exfiltrating sensitive credentials between August 8-18, 2025. Salesloft and Salesforce responded by revoking all active access tokens and removing the Drift app from AppExchange.

Aug 27, 2025

Cyware Daily Threat Intelligence, August 27, 2025

The Underground ransomware gang is striking with precision, blending AES and RSA encryption to lock down global targets. After reconnaissance and breaches, they deploy customized malware that wipes shadow copies, blocks remote desktops, and selectively encrypts files using a stripe method for larger ones, sparing critical system folders. Blind Eagle's shadow looms over Colombia, with five activity clusters unleashing RATs and phishing on government sectors from May 2024 to July 2025. Targeting judiciary, education, and healthcare, they impersonate agencies via spear-phishing to deliver Lime RAT and AsyncRAT, leveraging compromised emails and dynamic DNS for espionage and financial gains. Citrix is sealing critical gaps in NetScaler ADC and Gateway, including a zero-day remote code execution flaw that's already under attack. This memory overflow bug affects Gateway configurations, urging immediate firmware updates, alongside fixes for denial-of-service and improper access control vulnerabilities.

Aug 26, 2025

Cyware Daily Threat Intelligence, August 26, 2025

Sneaky adware is sneaking onto millions of Android devices through 77 malicious apps yanked from Google Play. With over 19 million installs, these apps pack Joker malware that steals info and signs up for premium services, alongside Harly variants and the evolving Anatsa trojan. A Docker Desktop flaw is handing attackers the keys to host systems on Windows and macOS. This SSRF vulnerability lets malicious containers bypass isolation to access the Engine API, mount drives, and escalate privileges, fixed in version 4.44.3 to curb unauthorized file access. Phony Tesla sites are reeling in robot enthusiasts with Google Ads promising Optimus preorders for a $250 deposit. These scams mimic Tesla's look to harvest credit card details for underground markets, using rotating domains and Cloudflare to stay elusive.

Aug 25, 2025

Cyware Daily Threat Intelligence, August 25, 2025

Posing as a trusty antivirus app, Android.Backdoor.916.origin is giving Russia's FSB a backdoor into executives' devices. Disguised as a fake antivirus, this malware spreads via private messages, grabs extensive permissions, and uses Accessibility Service to steal chats and more. APT36 is turning innocent Linux desktop files into espionage tools against India's government and defense sectors. Through phishing ZIPs with malicious .desktop files mimicking PDFs, they execute hidden bash commands to fetch Go-based ELF payloads. Salesforce is plugging critical holes in Tableau Server and Desktop that could let attackers run wild with code execution. The top flaw, a 9.6 CVSS type confusion bug, enables local exploits on Windows and Linux, alongside upload vulnerabilities leading to path traversal and improper input validation issues.

Aug 22, 2025

Cyware Daily Threat Intelligence, August 22, 2025

Masquerading as an Australian electronics store, Cookie Spider’s malvertising campaign unleashed the AMOS malware on over 300 targets. From June to August, victims were tricked into running commands that installed SHAMOS, a variant stealing passwords, Keychain data, and crypto wallet details. Berserk Bear hackers are wielding a seven-year-old Cisco flaw to infiltrate global critical infrastructure. Exploiting CVE-2018-0171, these FSB-linked attackers trigger device reloads and use custom SNMP tools and SYNful Knock implants to harvest configurations and maintain covert access. Posing as Rothschild & Co recruiters, MuddyWater APT is targeting CFOs with spear-phishing finesse. Using Firebase-hosted phishing pages and custom CAPTCHAs, they deploy VBS scripts and ZIPs to install NetBird and OpenSSH, ensuring persistent access to compromised systems worldwide.

Aug 21, 2025

Cyware Daily Threat Intelligence, August 21, 2025

Slipping through the cracks like a chameleon, QuirkyLoader is spreading infostealers and remote access tools with a multi-stage attack. Since November 2024, it’s used malicious emails with legitimate executables, leveraging DLL side-loading to target organizations, evading detection with process hollowing. A zero-day flaw has Apple racing to patch millions of devices with emergency iOS and iPadOS updates. This critical ImageIO vulnerability, triggered by malicious images, allows sophisticated attacks—potentially by nation-state actors—to corrupt memory and access devices like iPhone XS and various iPads. Hackers are hijacking Microsoft’s own infrastructure to steal 365 logins with a sly phishing trick. Using legitimate office[.]com links and ADFS redirects, attackers funnel users from Google searches to deceptive phishing pages, bypassing MFA and URL detection with custom tenants and conditional loading.

Aug 20, 2025

Cyware Daily Threat Intelligence, August 20, 2025

Crafty attackers are slipping into cloud Linux systems through a critical Apache ActiveMQ flaw, unleashing DripDropper malware. Exploiting CVE-2023-46604, they use a password-protected payload to communicate via Dropbox, patch the vulnerability to block rivals, and tweak SSH settings for persistent root access. Microsoft’s latest patches are racing to fix a recovery meltdown across Windows 10 and 11. Emergency updates address failures in reset and recovery operations caused by August 2025 patches, with new cumulative fixes released on August 19 to stabilize affected systems. Fraudsters posing as celebrity podcast reps are reeling in business owners with a bait. This podcast imposter scam lures victims into tech-check calls that grant remote access, hijacking social media and risking corporate systems through shared passwords.

Aug 19, 2025

Cyware Daily Threat Intelligence, August 19, 2025

With a diplomat’s charm, malicious emails are smuggling XenoRAT into South Korea’s embassies via GitHub traps. Since March, this spearphishing spree has targeted European missions, using password-protected ZIPs to unleash a trojan that snatches data and grants attackers remote control. A Windows flaw is opening the door for RansomExx to wield PipeMagic like a digital skeleton key. This vulnerability lets Storm-2460 deploy a backdoor through fake ChatGPT apps, targeting IT and finance sectors with stealthy, encrypted remote access. Unpatched N-able N-central servers are sitting ducks for hackers exploiting two critical flaws. These vulnerabilities enable unauthorized command execution, spurring CISA to list them in its KEV Catalog with a federal patching deadline of August 20.

Aug 18, 2025

Cyware Daily Threat Intelligence, August 18, 2025

Trojan Horses are making a comeback as AI-powered apps like "JustAskJacky" disguise malware within useful tools such as recipe or image search apps. By leveraging AI-generated websites, attackers make them look legitimate while slipping past antivirus defenses.

Aug 15, 2025

Cyware Daily Threat Intelligence, August 15, 2025

PhantomCard malware hits Brazilian banks, Cisco patches critical firewall flaw, and Netflix job scams steal Facebook logins from professionals.

Aug 14, 2025

Cyware Daily Threat Intelligence, August 14, 2025

A crafty malvertising campaign is slipping PS1Bot into systems through deceptive compressed archives. With techniques like environmental polling and dynamic C# DLL compilation, PS1Bot evades detection while siphoning off passwords and cryptocurrency wallet data, echoing tactics of Skitnet and AHK Bot. Crypto24 is striking high-profile organizations with surgical precision, blending legitimate IT tools like PSExec and AnyDesk with custom malware to devastating effect. Targeting sectors from finance to entertainment across Asia, Europe, and the U.S., this ransomware group uses privileged accounts and scheduled tasks to maintain stealthy persistence. Fortinet is sounding the alarm on a critical FortiSIEM vulnerability that’s already being exploited in the wild with circulating exploit code. Rated 9.8 on CVSS, this remote unauthenticated command injection flaw allows attackers to execute unauthorized commands via crafted CLI requests.