Cyware Daily Threat Intelligence, September 04, 2025

shutterstock 1913276557

Daily Threat Briefing September 4, 2025

Lurking in your inbox, Russia’s APT28 is wielding NotDoor to turn Outlook into an espionage tool. This VBA backdoor, triggered by email keywords, uses obfuscation and DLL side-loading to dodge detection, altering registry settings to steal sensitive data across NATO organizations.

Critical flaws in Hikvision’s HikCentral software are leaving security systems wide open to unauthenticated attackers. These vulnerabilities, including a high-severity access control issue, allow privilege escalation to manipulate logs, disable surveillance, or unlock doors, with patches now available.

Iran’s Homeland Justice APT is casting a wide phishing net, targeting over 50 global embassies and organizations. Using 100+ hijacked email accounts and malicious Word docs since August 19, they exploit trusted identities to deliver malware, hitting targets like the UN and World Bank.

Top Malware Reported in the Last 24 Hours

New NotDoor malware targets Outlook users

Russian state-sponsored hackers, known as APT28 or Fancy Bear, have developed a sophisticated malware called NotDoor that specifically targets Microsoft Outlook users. This stealthy backdoor, written in VBA, activates when it detects certain keywords in incoming emails, allowing attackers to execute malicious commands. NotDoor employs advanced evasion techniques, including code obfuscation and DLL side-loading, to avoid detection by security software. It modifies Outlook's registry settings to ensure persistence and suppress security alerts. Once activated, the malware exfiltrates sensitive data to an attacker-controlled email address while confirming its execution through web callbacks. NotDoor has already compromised multiple organizations across NATO member countries.

XWorm malware evolves with advanced tactics

XWorm, a sophisticated backdoor malware, has transitioned from predictable distribution methods to more deceptive and intricate infection chains. Initially relying on email-based attacks, it now employs .lnk files to initiate complex infections that drop disguised executables like discord.exe and system32.exe. This multi-stage deployment evades detection by using legitimate-looking filenames and advanced packing techniques. Once executed, XWorm disables Windows Firewall, checks for security applications, and establishes persistence through scheduled tasks and registry entries. It employs cryptographic methods, including Rijndael and Base64 encoding, to conceal communication with its command and control servers. 

Stealerium malware resurfaces in phishing attacks

Proofpoint researchers have observed a significant increase in phishing campaigns utilizing Stealerium, an open-source infostealer launched on GitHub in 2022. Initially overlooked, Stealerium has gained traction among cybercriminals who modify it for real-world attacks, leading to the emergence of variants like Phantom Stealer and Warp Stealer. Recent campaigns have targeted various sectors, employing tactics such as impersonating charitable organizations, travel booking requests, and legal threats. Stealerium is equipped with advanced features for credential theft, system reconnaissance, and cryptocurrency wallet targeting, alongside a sextortion capability that captures sensitive content. Its diverse exfiltration methods, including SMTP, Discord webhooks, and Telegram, complicate detection efforts, underscoring the growing appeal of open-source malware in the cybercriminal landscape.

Obscura: New ransomware strain spotted

Obscura is a newly identified ransomware variant that emerged on August 29. This ransomware targets domain controllers, executing from the NETLOGON folder, and employs scheduled tasks to facilitate its spread across networks. It disables recovery options by deleting shadow copies and utilizes a ransom note to threaten data exposure while demanding payment for decryption assistance. Obscura requires administrative privileges to operate, performing system reconnaissance and terminating security processes to prepare for encryption. It uses advanced encryption techniques, specifically XChaCha20, and appends a unique footer to encrypted files. The variant also includes a filtering mechanism to exclude certain file types, ensuring system functionality remains intact while maximizing damage to user data.

Top Vulnerabilities Reported in the Last 24 Hours

CISA adds two flaws to KEV catalog

CISA added TP-Link router vulnerabilities CVE-2023-50224 and CVE-2025-9377 to its KEV catalog due to evidence of active exploitation. CVE-2023-50224 involves an authentication bypass vulnerability, while CVE-2025-9377 allows remote code execution via command injection. TP-Link released firmware updates in November 2024 for affected models, but many have reached End-of-Life and no longer receive active support. Federal agencies are urged to apply mitigations by September 24, 2025, to secure networks.

Severe Hikvision HikCentral bugs

Severe vulnerabilities in Hikvision HikCentral software allow unauthenticated users to gain admin rights, risking control over configurations, logs, and critical monitoring. Three key vulnerabilities identified: CSV Injection (CVE-2025-39245), Unquoted Service Path (CVE-2025-39246), and Access Control (CVE-2025-39247). The Access Control vulnerability (CVE-2025-39247) is rated high severity, enabling attackers to escalate privileges without authentication and compromise security infrastructure. Exploiting these flaws could allow attackers to disable surveillance, unlock restricted doors, or alter audit trails during physical intrusions. Affected HikCentral versions span Master Lite, FocSign, and Professional builds, with fixed versions now available. 

Top Scams Reported in the Last 24 Hours

Iranian phishing campaign targets global embassies

Iranian state hackers, associated with the Homeland Justice APT group, launched a phishing campaign targeting over 50 embassies, ministries, and international organizations worldwide. Utilizing more than 100 compromised email accounts, the attackers sent emails disguised as official communications, often containing malicious Word document attachments that required users to enable macros. This tactic, although considered outdated, proved effective due to the credibility of the compromised accounts. The campaign began on August 19 and involved sophisticated evasion techniques, such as hiding malware within the victim's Documents folder. Targets spanned various regions, including the Middle East, Europe, Africa, Asia, and the Americas, with notable organizations like the UN and the World Bank among those affected. 

Californians face tax refund scam

The California Franchise Tax Board (FTB) warned taxpayers about a scam involving fraudulent text messages that appear to be from the FTB. These messages contain links to fake websites designed to steal personal and banking information. The scam uses urgent language, claiming that failure to respond will result in the permanent forfeiture of tax refunds. Messages often feature suspicious domain names and odd instructions for accessing links, raising red flags for recipients. Scammers exploit the urgency of tax-related communications to trick individuals into providing sensitive information. Indicators of the scam include generic sign-offs and grammatical errors, which can help users identify fraudulent messages.

Related Threat Briefings

Sep 5, 2025

Cyware Daily Threat Intelligence, September 05, 2025

Slipping through digital cracks, China-aligned GhostRedirector is hijacking Windows servers with a stealthy C++ backdoor called Rungan. Paired with the Gamshen IIS module for SEO fraud, it boosts gambling sites on Google while exploiting EfsPotato and BadPotato to compromise 65 servers across multiple countries. A zero-day flaw in Sitecore deployments is opening doors for hackers to unleash WeepSteel malware. By exploiting a reused ASP.NET key, attackers achieve remote code execution, using tools like Earthworm and Dwagent to steal data and maintain access through local admin accounts and SYSTEM services. A macOS flaw is exposing sensitive data despite System Integrity Protection. This vulnerability, tied to the gcore utility, allows attackers to read process memory, extract login Keychain Master Keys, and decrypt iOS app binaries, patched in macOS 15.3 after a researcher’s discovery.

Sep 3, 2025

Cyware Daily Threat Intelligence, September 03, 2025

Slithering through networks like a digital phantom, TinyLoader malware is hitting Windows systems with a crafty mix of network share and USB attacks. It delivers threats like Redline Stealer and DCRat, hijacking cryptocurrency transactions by swapping wallet addresses while spreading via deceptive shortcuts and shared folders. Lazarus Group is playing a dangerous game of impersonation, wielding three new RATs against a DeFi target. Using fake Telegram profiles and sham scheduling sites, they deploy PondRAT for initial access, ThemeForestRAT for advanced monitoring, and RemotePE for high-value control, showcasing their evolving tactics. Chrome 140 is locking down a critical flaw that could let attackers run rogue code in your browser. Fixing a severe use-after-free bug in the V8 engine, alongside issues in the Toolbar, Extensions, and Downloads, Google’s latest update is a must for Windows, macOS, and Linux users.

Sep 2, 2025

Cyware Daily Threat Intelligence, September 02, 2025

Masquerading as a scholarly newsletter, North Korea’s ScarCruft is targeting South Korean academics and ex-officials with RokRAT malware. Launched via spear-phishing emails with malicious LNK files, Operation HanKook Phantom uses PowerShell and obfuscated scripts to steal sensitive data, cloaking exfiltration as Chrome uploads to hit government and research sectors. A fake PDF editor peddled through Google ads is dishing out the TamperedChef infostealer to unsuspecting users. Promoted across 50 domains since June, AppSuite PDF Editor, signed with bogus certificates, activates its data-stealing tricks post-update, grabbing credentials and cookies while dodging security agents. WhatsApp and Apple are racing to patch critical zero-day flaws exposing users to spyware attacks. A WhatsApp vulnerability, paired with an Apple OS flaw, allows exploits via malicious image files and device sync messages, potentially targeting high-profile individuals in sophisticated campaigns.

Aug 29, 2025

Cyware Daily Threat Intelligence, August 29, 2025

Posing as a golden ticket from the Bangladesh Education Board, SikkahBot is preying on students with fake scholarship lures. Active since July 2024, this Android malware grabs high-risk permissions to intercept SMS and steal financial data, spread via smishing links, with evolving variants showing sharper automation. A sneaky loophole in the VS Code Marketplace is letting attackers recycle names of deleted extensions to push ransomware. The “shiba” extension, active from late 2024 to mid-2025, encrypts files and demands Shiba Inu tokens, exploiting the platform’s name-reuse flaw to dodge detection. Click Studios is sounding the alarm on a dangerous flaw in Passwordstate’s password manager. This authentication bypass lets attackers access the admin section via a crafted URL, threatening the credentials of 370,000 IT pros across 29,000 firms, with a fix in Build 9972.

Aug 28, 2025

Cyware Daily Threat Intelligence, August 28, 2025

A data theft campaign attributed to UNC6395 targeted Salesforce instances via compromised OAuth tokens linked to the Salesloft Drift app, exfiltrating sensitive credentials between August 8-18, 2025. Salesloft and Salesforce responded by revoking all active access tokens and removing the Drift app from AppExchange.

Aug 27, 2025

Cyware Daily Threat Intelligence, August 27, 2025

The Underground ransomware gang is striking with precision, blending AES and RSA encryption to lock down global targets. After reconnaissance and breaches, they deploy customized malware that wipes shadow copies, blocks remote desktops, and selectively encrypts files using a stripe method for larger ones, sparing critical system folders. Blind Eagle's shadow looms over Colombia, with five activity clusters unleashing RATs and phishing on government sectors from May 2024 to July 2025. Targeting judiciary, education, and healthcare, they impersonate agencies via spear-phishing to deliver Lime RAT and AsyncRAT, leveraging compromised emails and dynamic DNS for espionage and financial gains. Citrix is sealing critical gaps in NetScaler ADC and Gateway, including a zero-day remote code execution flaw that's already under attack. This memory overflow bug affects Gateway configurations, urging immediate firmware updates, alongside fixes for denial-of-service and improper access control vulnerabilities.

Aug 26, 2025

Cyware Daily Threat Intelligence, August 26, 2025

Sneaky adware is sneaking onto millions of Android devices through 77 malicious apps yanked from Google Play. With over 19 million installs, these apps pack Joker malware that steals info and signs up for premium services, alongside Harly variants and the evolving Anatsa trojan. A Docker Desktop flaw is handing attackers the keys to host systems on Windows and macOS. This SSRF vulnerability lets malicious containers bypass isolation to access the Engine API, mount drives, and escalate privileges, fixed in version 4.44.3 to curb unauthorized file access. Phony Tesla sites are reeling in robot enthusiasts with Google Ads promising Optimus preorders for a $250 deposit. These scams mimic Tesla's look to harvest credit card details for underground markets, using rotating domains and Cloudflare to stay elusive.

Aug 25, 2025

Cyware Daily Threat Intelligence, August 25, 2025

Posing as a trusty antivirus app, Android.Backdoor.916.origin is giving Russia's FSB a backdoor into executives' devices. Disguised as a fake antivirus, this malware spreads via private messages, grabs extensive permissions, and uses Accessibility Service to steal chats and more. APT36 is turning innocent Linux desktop files into espionage tools against India's government and defense sectors. Through phishing ZIPs with malicious .desktop files mimicking PDFs, they execute hidden bash commands to fetch Go-based ELF payloads. Salesforce is plugging critical holes in Tableau Server and Desktop that could let attackers run wild with code execution. The top flaw, a 9.6 CVSS type confusion bug, enables local exploits on Windows and Linux, alongside upload vulnerabilities leading to path traversal and improper input validation issues.

Aug 22, 2025

Cyware Daily Threat Intelligence, August 22, 2025

Masquerading as an Australian electronics store, Cookie Spider’s malvertising campaign unleashed the AMOS malware on over 300 targets. From June to August, victims were tricked into running commands that installed SHAMOS, a variant stealing passwords, Keychain data, and crypto wallet details. Berserk Bear hackers are wielding a seven-year-old Cisco flaw to infiltrate global critical infrastructure. Exploiting CVE-2018-0171, these FSB-linked attackers trigger device reloads and use custom SNMP tools and SYNful Knock implants to harvest configurations and maintain covert access. Posing as Rothschild & Co recruiters, MuddyWater APT is targeting CFOs with spear-phishing finesse. Using Firebase-hosted phishing pages and custom CAPTCHAs, they deploy VBS scripts and ZIPs to install NetBird and OpenSSH, ensuring persistent access to compromised systems worldwide.

Aug 21, 2025

Cyware Daily Threat Intelligence, August 21, 2025

Slipping through the cracks like a chameleon, QuirkyLoader is spreading infostealers and remote access tools with a multi-stage attack. Since November 2024, it’s used malicious emails with legitimate executables, leveraging DLL side-loading to target organizations, evading detection with process hollowing. A zero-day flaw has Apple racing to patch millions of devices with emergency iOS and iPadOS updates. This critical ImageIO vulnerability, triggered by malicious images, allows sophisticated attacks—potentially by nation-state actors—to corrupt memory and access devices like iPhone XS and various iPads. Hackers are hijacking Microsoft’s own infrastructure to steal 365 logins with a sly phishing trick. Using legitimate office[.]com links and ADFS redirects, attackers funnel users from Google searches to deceptive phishing pages, bypassing MFA and URL detection with custom tenants and conditional loading.

Aug 20, 2025

Cyware Daily Threat Intelligence, August 20, 2025

Crafty attackers are slipping into cloud Linux systems through a critical Apache ActiveMQ flaw, unleashing DripDropper malware. Exploiting CVE-2023-46604, they use a password-protected payload to communicate via Dropbox, patch the vulnerability to block rivals, and tweak SSH settings for persistent root access. Microsoft’s latest patches are racing to fix a recovery meltdown across Windows 10 and 11. Emergency updates address failures in reset and recovery operations caused by August 2025 patches, with new cumulative fixes released on August 19 to stabilize affected systems. Fraudsters posing as celebrity podcast reps are reeling in business owners with a bait. This podcast imposter scam lures victims into tech-check calls that grant remote access, hijacking social media and risking corporate systems through shared passwords.

Aug 19, 2025

Cyware Daily Threat Intelligence, August 19, 2025

With a diplomat’s charm, malicious emails are smuggling XenoRAT into South Korea’s embassies via GitHub traps. Since March, this spearphishing spree has targeted European missions, using password-protected ZIPs to unleash a trojan that snatches data and grants attackers remote control. A Windows flaw is opening the door for RansomExx to wield PipeMagic like a digital skeleton key. This vulnerability lets Storm-2460 deploy a backdoor through fake ChatGPT apps, targeting IT and finance sectors with stealthy, encrypted remote access. Unpatched N-able N-central servers are sitting ducks for hackers exploiting two critical flaws. These vulnerabilities enable unauthorized command execution, spurring CISA to list them in its KEV Catalog with a federal patching deadline of August 20.