Cyware Daily Threat Intelligence, September 09, 2025

shutterstock 2517566697

Daily Threat Briefing September 9, 2025

Slipping through phishing emails like a digital ninja, MostereRAT is targeting Japanese users with encrypted payloads. This malware grabs SYSTEM-level control, disables antivirus and Windows defenses, and uses AnyDesk and TightVNC to steal data and capture screens via secure C2 channels.

SAP’s latest patch day is a wake-up call, tackling four critical vulnerabilities threatening enterprise systems. The worst, an insecure deserialization flaw in NetWeaver’s RMI-P4, allows unauthenticated attackers to run arbitrary commands, with patches addressing file uploads and access control issues.

China-linked Salt Typhoon and UNC4841 are lurking behind 45 newly uncovered domains, some active since May 2020. Using fake identities and Proton Mail, these espionage groups exploit vulnerabilities like Barracuda’s, revealing a persistent threat to global networks.

Top Malware Reported in the Last 24 Hours

Ongoing malvertising campaign targets IT workers

A malvertising campaign has been targeting IT workers in the EU by using fake GitHub Desktop installers to deliver malware. The attackers employ malicious Google Ads to redirect users to a compromised GitHub repository, where a modified README file links to a fake download page. Users who download the software receive malicious executables from a lookalike domain, with MacOS users getting the Atomic Stealer and Windows users receiving a bloated MSI file. This MSI contains a malicious executable designed to evade detection by complicating analysis and is programmed to avoid execution in virtual machines. If installed on a suitable system, the malware executes PowerShell scripts for persistence and privilege escalation, ultimately allowing attackers to access sensitive enterprise information and infrastructure.

APT37 drops new malware

APT37, a North Korean-aligned threat group, has enhanced its cyber capabilities by deploying sophisticated Rust and Python-based malware targeting Windows systems. APT37's latest campaign utilizes a coordinated approach with a single C2 server managing multiple malware components. The newly identified Rustonotto backdoor is complemented by the established Chinotto PowerShell backdoor and the comprehensive surveillance tool FadeStealer. FadeStealer offers extensive capabilities, including keystroke logging, audio recording, and data exfiltration, employing advanced evasion techniques such as Transactional NTFS and Process Doppelgänging. 

MostereRAT: New RAT bypasses EDR

MostereRAT is a sophisticated malware that initiates attacks through phishing emails targeting Japanese users, leading to the download of malicious payloads. It employs Easy Programming Language to create encrypted tools that bypass security measures and gain full control over infected systems. The malware operates by establishing SYSTEM-level privileges, using custom RPC communication, and creating persistent services. It effectively disables antivirus solutions and Windows security features, blocking their traffic to evade detection. MostereRAT communicates with C2 servers using mutual TLS for secure operations and leverages popular remote access tools like AnyDesk and TightVNC to maintain control. Additionally, it collects sensitive victim information and performs screen captures for data exfiltration.

Supply chain attack hits software packages

Hackers executed a significant supply chain attack on npm, compromising nearly two dozen software packages with over two billion weekly downloads. The breach was initiated when a maintainer fell victim to a phishing email, which led to the unauthorized injection of malicious code into foundational JavaScript packages. This malware monitored cryptocurrency transactions and redirected payments to wallets controlled by the attackers. The incident is notable not only for its scale but also for its impact on essential packages relied upon by numerous applications. Additionally, two other recent supply-chain attacks targeted PyPI, DockerHUB, and GitHub, exposing numerous authentication secrets and further highlighting vulnerabilities within the open-source software ecosystem.

Top Vulnerabilities Reported in the Last 24 Hours

SAP patches four critical bugs

SAP released 21 new Security Notes during its monthly Security Patch Day, addressing four critical vulnerabilities that pose significant risks to enterprise environments. The most severe, CVE-2025-42944, involves an insecure deserialization flaw in SAP NetWeaver’s RMI-P4 module, allowing unauthenticated attackers to execute arbitrary commands with a CVSS score of 10.0. Another critical vulnerability, CVE-2025-42922, permits authenticated non-administrative users to upload arbitrary files in SAP NetWeaver AS Java, potentially leading to full system compromise. Additionally, CVE-2023-27500 presents a directory traversal risk in SAP NetWeaver AS for ABAP, threatening system availability, while CVE-2025-42958 involves a missing authentication check that could allow unauthorized access to sensitive information. SAP also addressed 17 other vulnerabilities with varying severity levels.

Multiple flaws in Hiawatha web server

Hiawatha, an open-source web server, has been found to have multiple vulnerabilities, including a significant request smuggling issue (CVE-2025-57783) in the fetch_request function, which allows unauthenticated attackers to bypass authentication and access restricted resources. Additionally, an authentication timing attack (CVE-2025-57784) exists in the Tomahawk component due to the use of the strcmp function, enabling local attackers to access the management client. Another critical vulnerability involves a double free error (CVE-2025-57785) in the XSLT show_index function, which can lead to arbitrary code execution. These vulnerabilities pose significant risks, including session hijacking and potential data corruption, as they can be exploited by attackers to execute malicious actions on the server. 

Threats in Spotlight

Salt Typhoon linked to unreported domains

Threat hunters have discovered 45 previously unreported domains associated with the China-linked cyber espionage groups Salt Typhoon and UNC4841, with some domains dating back to May 2020. These findings indicate that Salt Typhoon was involved in activities prior to the notable attacks in 2024. The identified domains share some overlap with UNC4841, known for exploiting a critical vulnerability in Barracuda Email Security Gateway appliances. Investigations revealed that many domains were registered using fake identities and Proton Mail addresses, with some pointing to high-density IP addresses. The oldest domain linked to these espionage campaigns, onlineeylity[.]com, was registered on May 19, 2020, by a fictitious persona, underscoring the long-term nature of these cyber threats.

Related Threat Briefings

Sep 8, 2025

Cyware Daily Threat Intelligence, September 08, 2025

Posing as Microsoft Teams with chilling accuracy, cybercriminals are tricking macOS users into downloading the Odyssey stealer. This malware grabs browser credentials and crypto wallet data, using social engineering to gain privileges and swap out legitimate apps for persistent theft. A gaping hole in Progress Software’s OpenEdge AdminServer is letting attackers run rogue code with ease. This high-severity flaw allows command injection via the Java RMI interface, now patched with better input sanitization and disabled remote RMI. iCloud Calendar invites are being hijacked to deliver phishing emails that dodge spam filters. Masquerading as payment alerts from Apple’s servers, they lure victims to fake support lines, enabling scammers to steal data or deploy malware via remote access.

Sep 5, 2025

Cyware Daily Threat Intelligence, September 05, 2025

Slipping through digital cracks, China-aligned GhostRedirector is hijacking Windows servers with a stealthy C++ backdoor called Rungan. Paired with the Gamshen IIS module for SEO fraud, it boosts gambling sites on Google while exploiting EfsPotato and BadPotato to compromise 65 servers across multiple countries. A zero-day flaw in Sitecore deployments is opening doors for hackers to unleash WeepSteel malware. By exploiting a reused ASP.NET key, attackers achieve remote code execution, using tools like Earthworm and Dwagent to steal data and maintain access through local admin accounts and SYSTEM services. A macOS flaw is exposing sensitive data despite System Integrity Protection. This vulnerability, tied to the gcore utility, allows attackers to read process memory, extract login Keychain Master Keys, and decrypt iOS app binaries, patched in macOS 15.3 after a researcher’s discovery.

Sep 4, 2025

Cyware Daily Threat Intelligence, September 04, 2025

Lurking in your inbox, Russia’s APT28 is wielding NotDoor to turn Outlook into an espionage tool. This VBA backdoor, triggered by email keywords, uses obfuscation and DLL side-loading to dodge detection, altering registry settings to steal sensitive data across NATO organizations. Critical flaws in Hikvision’s HikCentral software are leaving security systems wide open to unauthenticated attackers. These vulnerabilities, including a high-severity access control issue, allow privilege escalation to manipulate logs, disable surveillance, or unlock doors, with patches now available. Iran’s Homeland Justice APT is casting a wide phishing net, targeting over 50 global embassies and organizations. Using 100+ hijacked email accounts and malicious Word docs since August 19, they exploit trusted identities to deliver malware, hitting targets like the UN and World Bank.

Sep 3, 2025

Cyware Daily Threat Intelligence, September 03, 2025

Slithering through networks like a digital phantom, TinyLoader malware is hitting Windows systems with a crafty mix of network share and USB attacks. It delivers threats like Redline Stealer and DCRat, hijacking cryptocurrency transactions by swapping wallet addresses while spreading via deceptive shortcuts and shared folders. Lazarus Group is playing a dangerous game of impersonation, wielding three new RATs against a DeFi target. Using fake Telegram profiles and sham scheduling sites, they deploy PondRAT for initial access, ThemeForestRAT for advanced monitoring, and RemotePE for high-value control, showcasing their evolving tactics. Chrome 140 is locking down a critical flaw that could let attackers run rogue code in your browser. Fixing a severe use-after-free bug in the V8 engine, alongside issues in the Toolbar, Extensions, and Downloads, Google’s latest update is a must for Windows, macOS, and Linux users.

Sep 2, 2025

Cyware Daily Threat Intelligence, September 02, 2025

Masquerading as a scholarly newsletter, North Korea’s ScarCruft is targeting South Korean academics and ex-officials with RokRAT malware. Launched via spear-phishing emails with malicious LNK files, Operation HanKook Phantom uses PowerShell and obfuscated scripts to steal sensitive data, cloaking exfiltration as Chrome uploads to hit government and research sectors. A fake PDF editor peddled through Google ads is dishing out the TamperedChef infostealer to unsuspecting users. Promoted across 50 domains since June, AppSuite PDF Editor, signed with bogus certificates, activates its data-stealing tricks post-update, grabbing credentials and cookies while dodging security agents. WhatsApp and Apple are racing to patch critical zero-day flaws exposing users to spyware attacks. A WhatsApp vulnerability, paired with an Apple OS flaw, allows exploits via malicious image files and device sync messages, potentially targeting high-profile individuals in sophisticated campaigns.

Aug 29, 2025

Cyware Daily Threat Intelligence, August 29, 2025

Posing as a golden ticket from the Bangladesh Education Board, SikkahBot is preying on students with fake scholarship lures. Active since July 2024, this Android malware grabs high-risk permissions to intercept SMS and steal financial data, spread via smishing links, with evolving variants showing sharper automation. A sneaky loophole in the VS Code Marketplace is letting attackers recycle names of deleted extensions to push ransomware. The “shiba” extension, active from late 2024 to mid-2025, encrypts files and demands Shiba Inu tokens, exploiting the platform’s name-reuse flaw to dodge detection. Click Studios is sounding the alarm on a dangerous flaw in Passwordstate’s password manager. This authentication bypass lets attackers access the admin section via a crafted URL, threatening the credentials of 370,000 IT pros across 29,000 firms, with a fix in Build 9972.

Aug 28, 2025

Cyware Daily Threat Intelligence, August 28, 2025

A data theft campaign attributed to UNC6395 targeted Salesforce instances via compromised OAuth tokens linked to the Salesloft Drift app, exfiltrating sensitive credentials between August 8-18, 2025. Salesloft and Salesforce responded by revoking all active access tokens and removing the Drift app from AppExchange.

Aug 27, 2025

Cyware Daily Threat Intelligence, August 27, 2025

The Underground ransomware gang is striking with precision, blending AES and RSA encryption to lock down global targets. After reconnaissance and breaches, they deploy customized malware that wipes shadow copies, blocks remote desktops, and selectively encrypts files using a stripe method for larger ones, sparing critical system folders. Blind Eagle's shadow looms over Colombia, with five activity clusters unleashing RATs and phishing on government sectors from May 2024 to July 2025. Targeting judiciary, education, and healthcare, they impersonate agencies via spear-phishing to deliver Lime RAT and AsyncRAT, leveraging compromised emails and dynamic DNS for espionage and financial gains. Citrix is sealing critical gaps in NetScaler ADC and Gateway, including a zero-day remote code execution flaw that's already under attack. This memory overflow bug affects Gateway configurations, urging immediate firmware updates, alongside fixes for denial-of-service and improper access control vulnerabilities.

Aug 26, 2025

Cyware Daily Threat Intelligence, August 26, 2025

Sneaky adware is sneaking onto millions of Android devices through 77 malicious apps yanked from Google Play. With over 19 million installs, these apps pack Joker malware that steals info and signs up for premium services, alongside Harly variants and the evolving Anatsa trojan. A Docker Desktop flaw is handing attackers the keys to host systems on Windows and macOS. This SSRF vulnerability lets malicious containers bypass isolation to access the Engine API, mount drives, and escalate privileges, fixed in version 4.44.3 to curb unauthorized file access. Phony Tesla sites are reeling in robot enthusiasts with Google Ads promising Optimus preorders for a $250 deposit. These scams mimic Tesla's look to harvest credit card details for underground markets, using rotating domains and Cloudflare to stay elusive.

Aug 25, 2025

Cyware Daily Threat Intelligence, August 25, 2025

Posing as a trusty antivirus app, Android.Backdoor.916.origin is giving Russia's FSB a backdoor into executives' devices. Disguised as a fake antivirus, this malware spreads via private messages, grabs extensive permissions, and uses Accessibility Service to steal chats and more. APT36 is turning innocent Linux desktop files into espionage tools against India's government and defense sectors. Through phishing ZIPs with malicious .desktop files mimicking PDFs, they execute hidden bash commands to fetch Go-based ELF payloads. Salesforce is plugging critical holes in Tableau Server and Desktop that could let attackers run wild with code execution. The top flaw, a 9.6 CVSS type confusion bug, enables local exploits on Windows and Linux, alongside upload vulnerabilities leading to path traversal and improper input validation issues.

Aug 22, 2025

Cyware Daily Threat Intelligence, August 22, 2025

Masquerading as an Australian electronics store, Cookie Spider’s malvertising campaign unleashed the AMOS malware on over 300 targets. From June to August, victims were tricked into running commands that installed SHAMOS, a variant stealing passwords, Keychain data, and crypto wallet details. Berserk Bear hackers are wielding a seven-year-old Cisco flaw to infiltrate global critical infrastructure. Exploiting CVE-2018-0171, these FSB-linked attackers trigger device reloads and use custom SNMP tools and SYNful Knock implants to harvest configurations and maintain covert access. Posing as Rothschild & Co recruiters, MuddyWater APT is targeting CFOs with spear-phishing finesse. Using Firebase-hosted phishing pages and custom CAPTCHAs, they deploy VBS scripts and ZIPs to install NetBird and OpenSSH, ensuring persistent access to compromised systems worldwide.

Aug 21, 2025

Cyware Daily Threat Intelligence, August 21, 2025

Slipping through the cracks like a chameleon, QuirkyLoader is spreading infostealers and remote access tools with a multi-stage attack. Since November 2024, it’s used malicious emails with legitimate executables, leveraging DLL side-loading to target organizations, evading detection with process hollowing. A zero-day flaw has Apple racing to patch millions of devices with emergency iOS and iPadOS updates. This critical ImageIO vulnerability, triggered by malicious images, allows sophisticated attacks—potentially by nation-state actors—to corrupt memory and access devices like iPhone XS and various iPads. Hackers are hijacking Microsoft’s own infrastructure to steal 365 logins with a sly phishing trick. Using legitimate office[.]com links and ADFS redirects, attackers funnel users from Google searches to deceptive phishing pages, bypassing MFA and URL detection with custom tenants and conditional loading.