Cyware Daily Threat Intelligence, September 05, 2025

shutterstock 2176027437

Daily Threat Briefing September 5, 2025

Slipping through digital cracks, China-aligned GhostRedirector is hijacking Windows servers with a stealthy C++ backdoor called Rungan. Paired with the Gamshen IIS module for SEO fraud, it boosts gambling sites on Google while exploiting EfsPotato and BadPotato to compromise 65 servers across multiple countries.

A zero-day flaw in Sitecore deployments is opening doors for hackers to unleash WeepSteel malware. By exploiting a reused ASP.NET key, attackers achieve remote code execution, using tools like Earthworm and Dwagent to steal data and maintain access through local admin accounts and SYSTEM services.

A macOS flaw is exposing sensitive data despite System Integrity Protection. This vulnerability, tied to the gcore utility, allows attackers to read process memory, extract login Keychain Master Keys, and decrypt iOS app binaries, patched in macOS 15.3 after a researcher’s discovery.

Top Malware Reported in the Last 24 Hours

New HexStrike-AI exploits n-day bugs

Hackers are increasingly exploiting vulnerabilities using HexStrike-AI, an AI-powered security framework designed for penetration testing. This tool automates the exploitation of newly disclosed n-day flaws, such as Citrix vulnerabilities CVE-2025-7775, CVE-2025-7776, and CVE-2025-8424, significantly reducing the time required for attacks from days to mere minutes. With nearly 8,000 endpoints still vulnerable as of early September, attackers have begun discussing HexStrike-AI on hacking forums, sharing methods to deploy it for unauthorized access. The tool’s open-source nature has made it popular among malicious actors, enabling them to achieve remote code execution and maintain persistence through automated processes. 

SVG files used in phishing attacks

Cybersecurity researchers have uncovered a malware campaign utilizing SVG files to carry out phishing attacks that impersonate the Colombian judicial system. These SVG files, distributed via email, contain embedded JavaScript payloads that decode and inject Base64-encoded phishing pages, mimicking the Fiscalía General de la Nación's official portal. This deceptive page simulates a document download process while secretly downloading a ZIP file in the background. VirusTotal identified 44 unique SVG files that evade antivirus detection through techniques like obfuscation and junk code. Additionally, the campaign is part of a larger trend where attackers are increasingly targeting macOS users with the Atomic macOS Stealer (AMOS), which extracts sensitive data, including credentials and cryptocurrency information.

GhostRedirector poisons Windows servers

GhostRedirector is a newly identified China-aligned threat actor targeting Windows servers. It uses a passive C++ backdoor named Rungan for remote command execution. A malicious IIS module, Gamshen, is used for SEO fraud, manipulating Google search rankings to promote gambling websites. GhostRedirector exploits public vulnerabilities like EfsPotato and BadPotato for privilege escalation. The campaign compromised at least 65 Windows servers, mainly in Brazil, Thailand, Vietnam, and the U.S., affecting diverse sectors such as healthcare, education, and retail. GhostRedirector deploys tools like Zunput to collect website information and install webshells.

Sitecore 0-day abused to drop backdoor

Hackers exploited a zero-day vulnerability (CVE-2025-53690) in legacy Sitecore deployments caused by the reuse of a sample ASP.NET machine key, leading to RCE. Attackers used the '/sitecore/blocked.aspx' endpoint to drop WeepSteel reconnaissance malware, which collects system, process, disk, and network information disguised as standard ViewState responses. The multi-stage attack involved deploying tools like Earthworm (network tunneling), Dwagent (remote access), and 7-Zip for data exfiltration and archiving. Privilege escalation was achieved by creating local administrator accounts, dumping cached credentials, and using tools like GoTokenTheft for token impersonation. Persistence was ensured through disabling password expiration and registering Dwagent as a SYSTEM service.

Top Vulnerabilities Reported in the Last 24 Hours

Bug in Linux kernel actively exploited

A high-severity vulnerability, CVE-2025-38352, has been identified in the Linux kernel. This Time-of-Check Time-of-Use (TOCTOU) race condition affects the handling of POSIX CPU timers and has been added to CISA’s Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild. Successful exploitation of this vulnerability can lead to significant compromise of system confidentiality, integrity, and availability. It allows attackers to exploit race conditions during task exit, potentially bypassing timer checks and leading to undefined behavior or system instability. The vulnerability arises from a race condition between handle_posix_cpu_timers() and posix_cpu_timer_del() in the Linux kernel. When a non-autoreaping task exits and invokes handle_posix_cpu_timers() from an interrupt context, it may be reaped by its parent or debugger immediately after unlock_task_sighand().

​​macOS flaw allows unauthorized memory access

A recently disclosed macOS vulnerability (CVE-2025-24204) allowed attackers to read the memory of any process, even with System Integrity Protection enabled. This issue arose from Apple mistakenly granting the gcore utility elevated permissions in macOS 15.0, which was later revoked in macOS 15.3. Security researcher Koh M. Nakagawa discovered the flaw while testing Microsoft's ProcDump-for-Mac tool, which utilizes gcore. The vulnerability enabled the extraction of sensitive information, including the Master Key for decrypting the login Keychain without a password, and allowed access to decrypted FairPlay-encrypted iOS app binaries.

Related Threat Briefings

Sep 4, 2025

Cyware Daily Threat Intelligence, September 04, 2025

Lurking in your inbox, Russia’s APT28 is wielding NotDoor to turn Outlook into an espionage tool. This VBA backdoor, triggered by email keywords, uses obfuscation and DLL side-loading to dodge detection, altering registry settings to steal sensitive data across NATO organizations. Critical flaws in Hikvision’s HikCentral software are leaving security systems wide open to unauthenticated attackers. These vulnerabilities, including a high-severity access control issue, allow privilege escalation to manipulate logs, disable surveillance, or unlock doors, with patches now available. Iran’s Homeland Justice APT is casting a wide phishing net, targeting over 50 global embassies and organizations. Using 100+ hijacked email accounts and malicious Word docs since August 19, they exploit trusted identities to deliver malware, hitting targets like the UN and World Bank.

Sep 3, 2025

Cyware Daily Threat Intelligence, September 03, 2025

Slithering through networks like a digital phantom, TinyLoader malware is hitting Windows systems with a crafty mix of network share and USB attacks. It delivers threats like Redline Stealer and DCRat, hijacking cryptocurrency transactions by swapping wallet addresses while spreading via deceptive shortcuts and shared folders. Lazarus Group is playing a dangerous game of impersonation, wielding three new RATs against a DeFi target. Using fake Telegram profiles and sham scheduling sites, they deploy PondRAT for initial access, ThemeForestRAT for advanced monitoring, and RemotePE for high-value control, showcasing their evolving tactics. Chrome 140 is locking down a critical flaw that could let attackers run rogue code in your browser. Fixing a severe use-after-free bug in the V8 engine, alongside issues in the Toolbar, Extensions, and Downloads, Google’s latest update is a must for Windows, macOS, and Linux users.

Sep 2, 2025

Cyware Daily Threat Intelligence, September 02, 2025

Masquerading as a scholarly newsletter, North Korea’s ScarCruft is targeting South Korean academics and ex-officials with RokRAT malware. Launched via spear-phishing emails with malicious LNK files, Operation HanKook Phantom uses PowerShell and obfuscated scripts to steal sensitive data, cloaking exfiltration as Chrome uploads to hit government and research sectors. A fake PDF editor peddled through Google ads is dishing out the TamperedChef infostealer to unsuspecting users. Promoted across 50 domains since June, AppSuite PDF Editor, signed with bogus certificates, activates its data-stealing tricks post-update, grabbing credentials and cookies while dodging security agents. WhatsApp and Apple are racing to patch critical zero-day flaws exposing users to spyware attacks. A WhatsApp vulnerability, paired with an Apple OS flaw, allows exploits via malicious image files and device sync messages, potentially targeting high-profile individuals in sophisticated campaigns.

Aug 29, 2025

Cyware Daily Threat Intelligence, August 29, 2025

Posing as a golden ticket from the Bangladesh Education Board, SikkahBot is preying on students with fake scholarship lures. Active since July 2024, this Android malware grabs high-risk permissions to intercept SMS and steal financial data, spread via smishing links, with evolving variants showing sharper automation. A sneaky loophole in the VS Code Marketplace is letting attackers recycle names of deleted extensions to push ransomware. The “shiba” extension, active from late 2024 to mid-2025, encrypts files and demands Shiba Inu tokens, exploiting the platform’s name-reuse flaw to dodge detection. Click Studios is sounding the alarm on a dangerous flaw in Passwordstate’s password manager. This authentication bypass lets attackers access the admin section via a crafted URL, threatening the credentials of 370,000 IT pros across 29,000 firms, with a fix in Build 9972.

Aug 28, 2025

Cyware Daily Threat Intelligence, August 28, 2025

A data theft campaign attributed to UNC6395 targeted Salesforce instances via compromised OAuth tokens linked to the Salesloft Drift app, exfiltrating sensitive credentials between August 8-18, 2025. Salesloft and Salesforce responded by revoking all active access tokens and removing the Drift app from AppExchange.

Aug 27, 2025

Cyware Daily Threat Intelligence, August 27, 2025

The Underground ransomware gang is striking with precision, blending AES and RSA encryption to lock down global targets. After reconnaissance and breaches, they deploy customized malware that wipes shadow copies, blocks remote desktops, and selectively encrypts files using a stripe method for larger ones, sparing critical system folders. Blind Eagle's shadow looms over Colombia, with five activity clusters unleashing RATs and phishing on government sectors from May 2024 to July 2025. Targeting judiciary, education, and healthcare, they impersonate agencies via spear-phishing to deliver Lime RAT and AsyncRAT, leveraging compromised emails and dynamic DNS for espionage and financial gains. Citrix is sealing critical gaps in NetScaler ADC and Gateway, including a zero-day remote code execution flaw that's already under attack. This memory overflow bug affects Gateway configurations, urging immediate firmware updates, alongside fixes for denial-of-service and improper access control vulnerabilities.

Aug 26, 2025

Cyware Daily Threat Intelligence, August 26, 2025

Sneaky adware is sneaking onto millions of Android devices through 77 malicious apps yanked from Google Play. With over 19 million installs, these apps pack Joker malware that steals info and signs up for premium services, alongside Harly variants and the evolving Anatsa trojan. A Docker Desktop flaw is handing attackers the keys to host systems on Windows and macOS. This SSRF vulnerability lets malicious containers bypass isolation to access the Engine API, mount drives, and escalate privileges, fixed in version 4.44.3 to curb unauthorized file access. Phony Tesla sites are reeling in robot enthusiasts with Google Ads promising Optimus preorders for a $250 deposit. These scams mimic Tesla's look to harvest credit card details for underground markets, using rotating domains and Cloudflare to stay elusive.

Aug 25, 2025

Cyware Daily Threat Intelligence, August 25, 2025

Posing as a trusty antivirus app, Android.Backdoor.916.origin is giving Russia's FSB a backdoor into executives' devices. Disguised as a fake antivirus, this malware spreads via private messages, grabs extensive permissions, and uses Accessibility Service to steal chats and more. APT36 is turning innocent Linux desktop files into espionage tools against India's government and defense sectors. Through phishing ZIPs with malicious .desktop files mimicking PDFs, they execute hidden bash commands to fetch Go-based ELF payloads. Salesforce is plugging critical holes in Tableau Server and Desktop that could let attackers run wild with code execution. The top flaw, a 9.6 CVSS type confusion bug, enables local exploits on Windows and Linux, alongside upload vulnerabilities leading to path traversal and improper input validation issues.

Aug 22, 2025

Cyware Daily Threat Intelligence, August 22, 2025

Masquerading as an Australian electronics store, Cookie Spider’s malvertising campaign unleashed the AMOS malware on over 300 targets. From June to August, victims were tricked into running commands that installed SHAMOS, a variant stealing passwords, Keychain data, and crypto wallet details. Berserk Bear hackers are wielding a seven-year-old Cisco flaw to infiltrate global critical infrastructure. Exploiting CVE-2018-0171, these FSB-linked attackers trigger device reloads and use custom SNMP tools and SYNful Knock implants to harvest configurations and maintain covert access. Posing as Rothschild & Co recruiters, MuddyWater APT is targeting CFOs with spear-phishing finesse. Using Firebase-hosted phishing pages and custom CAPTCHAs, they deploy VBS scripts and ZIPs to install NetBird and OpenSSH, ensuring persistent access to compromised systems worldwide.

Aug 21, 2025

Cyware Daily Threat Intelligence, August 21, 2025

Slipping through the cracks like a chameleon, QuirkyLoader is spreading infostealers and remote access tools with a multi-stage attack. Since November 2024, it’s used malicious emails with legitimate executables, leveraging DLL side-loading to target organizations, evading detection with process hollowing. A zero-day flaw has Apple racing to patch millions of devices with emergency iOS and iPadOS updates. This critical ImageIO vulnerability, triggered by malicious images, allows sophisticated attacks—potentially by nation-state actors—to corrupt memory and access devices like iPhone XS and various iPads. Hackers are hijacking Microsoft’s own infrastructure to steal 365 logins with a sly phishing trick. Using legitimate office[.]com links and ADFS redirects, attackers funnel users from Google searches to deceptive phishing pages, bypassing MFA and URL detection with custom tenants and conditional loading.

Aug 20, 2025

Cyware Daily Threat Intelligence, August 20, 2025

Crafty attackers are slipping into cloud Linux systems through a critical Apache ActiveMQ flaw, unleashing DripDropper malware. Exploiting CVE-2023-46604, they use a password-protected payload to communicate via Dropbox, patch the vulnerability to block rivals, and tweak SSH settings for persistent root access. Microsoft’s latest patches are racing to fix a recovery meltdown across Windows 10 and 11. Emergency updates address failures in reset and recovery operations caused by August 2025 patches, with new cumulative fixes released on August 19 to stabilize affected systems. Fraudsters posing as celebrity podcast reps are reeling in business owners with a bait. This podcast imposter scam lures victims into tech-check calls that grant remote access, hijacking social media and risking corporate systems through shared passwords.

Aug 19, 2025

Cyware Daily Threat Intelligence, August 19, 2025

With a diplomat’s charm, malicious emails are smuggling XenoRAT into South Korea’s embassies via GitHub traps. Since March, this spearphishing spree has targeted European missions, using password-protected ZIPs to unleash a trojan that snatches data and grants attackers remote control. A Windows flaw is opening the door for RansomExx to wield PipeMagic like a digital skeleton key. This vulnerability lets Storm-2460 deploy a backdoor through fake ChatGPT apps, targeting IT and finance sectors with stealthy, encrypted remote access. Unpatched N-able N-central servers are sitting ducks for hackers exploiting two critical flaws. These vulnerabilities enable unauthorized command execution, spurring CISA to list them in its KEV Catalog with a federal patching deadline of August 20.