Cyware Daily Threat Intelligence, September 12, 2025

shutterstock 1661078329

Daily Threat Briefing September 12, 2025

Mustang Panda's latest ToneShell variant is digging deep into systems with slick persistence moves. Delivered via DLL sideloading in archives, it dodges analysis, enforces single-instance rules, and sets up scheduled tasks in user directories. XOR-obfuscated payloads communicate via fake TLS to C2 servers, generating unique GUIDs per machine for ongoing ops.

Researchers uncovered a RAT storm hitting Chinese users since May. Phishing on GitHub Pages drops ValleyRAT, FatalRAT, and kkRAT, the latter echoing Ghost RAT with beefed-up encryption and commands. kkRAT sniffs sandboxes, hijacks clipboards for crypto swaps, and installs RMM tools like Sunlogin, all via multi-stage shellcodes.

Akira ransomware is busting into networks through SonicWall's CVE-2024-40766 flaw. This unpatched SSL VPN hole lets them snag access, but SonicWall's August patch plus password resets can block it. ACSC warns of fresh exploits since September, with 40 incidents probed.

Top Malware Reported in the Last 24 Hours

ToneShell backdoor variant targets Myanmar

A new variant of the ToneShell backdoor, attributed to the Mustang Panda group, has emerged with advanced persistence and anti-analysis capabilities. Delivered through DLL sideloading within compressed archives, this variant employs sophisticated anti-analysis techniques to evade detection. It checks the execution environment to prevent self-infection and enforces a single-instance policy. The malware establishes persistence by copying itself and essential DLLs to a user profile directory and creates a scheduled task to ensure it runs regularly. Communication with its command and control server is disguised using a TLS-like protocol, and the payloads are XOR-obfuscated. This variant also generates unique GUIDs for each infected machine, ensuring continued operation.

VoidProxy: New phishing threat bypasses MFA

VoidProxy is a sophisticated PhaaS platform that leverages AitM techniques to compromise Microsoft and Google accounts by bypassing MFA. It operates using compromised email accounts and employs various evasion tactics, including URL obfuscation and disposable phishing domains, to avoid detection. Phishing campaigns begin with emails that contain shortened links leading to these domains, which are protected by Cloudflare CAPTCHA challenges. The attack unfolds in several stages, from delivery to session hijacking, allowing attackers to capture sensitive information like usernames, passwords, and MFA codes. VoidProxy’s backend features a web-based admin console that enables real-time management of phishing campaigns and stolen data extraction, making it a potent tool for cybercriminals.

New kkRAT targets cryptocurrency users

Zscaler ThreatLabz discovered a malware campaign targeting Chinese-speaking users since May 2025, delivering ValleyRAT, FatalRAT, and kkRAT. kkRAT shares code similarities with Ghost RAT and Big Bad Wolf, with enhanced encryption and additional commands. The campaign uses phishing sites hosted on GitHub Pages to deliver malicious installer packages. kkRAT employs sandbox/VM detection techniques, including time stability analysis and hardware configuration checks. kkRAT uses shellcodes for multi-stage attacks, with decrypted payloads delivered via structured Base64-encoded data. Commands supported by kkRAT include clipboard hijacking for cryptocurrency wallet replacement, persistence establishment, and installing RMM tools like Sunlogin and GotoHTTP.

Top Vulnerabilities Reported in the Last 24 Hours

Cursor AI editor flaw enables code execution

A security vulnerability in the Cursor AI Code Editor allows attackers to execute arbitrary code silently when a malicious repository is opened. This issue arises because the Workspace Trust feature is disabled by default, enabling attackers to embed autorun instructions in project files. As a result, opening a seemingly innocuous folder can lead to the execution of harmful code within the user's environment. This flaw poses significant risks, including the potential for sensitive credential leaks and broader system compromises. 

Akira ransomware exploits SonicWall bug

The Akira ransomware gang is exploiting CVE-2024-40766, a critical vulnerability in SonicWall SSL VPN devices, to gain unauthorized access to networks via unpatched endpoints. SonicWall released a patch for CVE-2024-40766 in August 2024 but emphasized that password resets are necessary to prevent exploitation of exposed credentials. Akira ransomware began exploiting this vulnerability in September 2024, with recent activity prompting warnings from the ACSC. SonicWall clarified that the recent activity is linked to CVE-2024-40766 and not a zero-day vulnerability, with investigations into 40 related security incidents.

Related Threat Briefings

Sep 11, 2025

Cyware Daily Threat Intelligence, September 11, 2025

Slipping through macOS like a shadow in the fog, ChillyHell malware cloaks itself as a harmless app to wreak havoc. Using LaunchAgent, LaunchDaemon, and shell injections, it digs into systems at boot, stealing data and launching reverse shells while evading Apple’s notarization checks. A rogue Chrome extension, Madgicx Plus, is preying on Meta advertisers with a slick AI optimization pitch. This malware, spread through polished domains tied to past scams, hijacks Google and Facebook accounts, siphoning off valuable ad assets with deceptive ease. NVIDIA’s NVDebug tool is under siege from three high-severity flaws, opening doors to code execution and privilege escalation. These vulnerabilities, with the worst scoring 8.2, allow attackers to tamper with systems or steal data in multi-user setups, fixed in version 1.7.0.

Sep 10, 2025

Cyware Daily Threat Intelligence, September 10, 2025

Masquerading as harmless GitHub files, Kimsuky is sneaking malware into systems with malicious LNK files. These trigger PowerShell scripts to steal system metadata and upload it to private repositories, using scheduled tasks for persistent espionage targeting sensitive networks. Slipping into devices like a digital ghost, Buterat backdoor is hitting government and enterprise systems via phishing and trojanized downloads. It hides in processes, tweaks registry keys for persistence, and uses encrypted C2 channels to drop payloads and evade detection. Microsoft’s latest patch tackles 81 flaws, including two zero-day vulnerabilities in Windows SMB and Newtonsoft.Json. With nine critical fixes addressing remote code execution and privilege escalation, enabling SMB protections is urged, though compatibility hiccups may arise.

Sep 9, 2025

Cyware Daily Threat Intelligence, September 09, 2025

Slipping through phishing emails like a digital ninja, MostereRAT is targeting Japanese users with encrypted payloads. This malware grabs SYSTEM-level control, disables antivirus and Windows defenses, and uses AnyDesk and TightVNC to steal data and capture screens via secure C2 channels. SAP’s latest patch day is a wake-up call, tackling four critical vulnerabilities threatening enterprise systems. The worst, an insecure deserialization flaw in NetWeaver’s RMI-P4, allows unauthenticated attackers to run arbitrary commands, with patches addressing file uploads and access control issues. China-linked Salt Typhoon and UNC4841 are lurking behind 45 newly uncovered domains, some active since May 2020. Using fake identities and Proton Mail, these espionage groups exploit vulnerabilities like Barracuda’s, revealing a persistent threat to global networks.

Sep 8, 2025

Cyware Daily Threat Intelligence, September 08, 2025

Posing as Microsoft Teams with chilling accuracy, cybercriminals are tricking macOS users into downloading the Odyssey stealer. This malware grabs browser credentials and crypto wallet data, using social engineering to gain privileges and swap out legitimate apps for persistent theft. A gaping hole in Progress Software’s OpenEdge AdminServer is letting attackers run rogue code with ease. This high-severity flaw allows command injection via the Java RMI interface, now patched with better input sanitization and disabled remote RMI. iCloud Calendar invites are being hijacked to deliver phishing emails that dodge spam filters. Masquerading as payment alerts from Apple’s servers, they lure victims to fake support lines, enabling scammers to steal data or deploy malware via remote access.

Sep 5, 2025

Cyware Daily Threat Intelligence, September 05, 2025

Slipping through digital cracks, China-aligned GhostRedirector is hijacking Windows servers with a stealthy C++ backdoor called Rungan. Paired with the Gamshen IIS module for SEO fraud, it boosts gambling sites on Google while exploiting EfsPotato and BadPotato to compromise 65 servers across multiple countries. A zero-day flaw in Sitecore deployments is opening doors for hackers to unleash WeepSteel malware. By exploiting a reused ASP.NET key, attackers achieve remote code execution, using tools like Earthworm and Dwagent to steal data and maintain access through local admin accounts and SYSTEM services. A macOS flaw is exposing sensitive data despite System Integrity Protection. This vulnerability, tied to the gcore utility, allows attackers to read process memory, extract login Keychain Master Keys, and decrypt iOS app binaries, patched in macOS 15.3 after a researcher’s discovery.

Sep 4, 2025

Cyware Daily Threat Intelligence, September 04, 2025

Lurking in your inbox, Russia’s APT28 is wielding NotDoor to turn Outlook into an espionage tool. This VBA backdoor, triggered by email keywords, uses obfuscation and DLL side-loading to dodge detection, altering registry settings to steal sensitive data across NATO organizations. Critical flaws in Hikvision’s HikCentral software are leaving security systems wide open to unauthenticated attackers. These vulnerabilities, including a high-severity access control issue, allow privilege escalation to manipulate logs, disable surveillance, or unlock doors, with patches now available. Iran’s Homeland Justice APT is casting a wide phishing net, targeting over 50 global embassies and organizations. Using 100+ hijacked email accounts and malicious Word docs since August 19, they exploit trusted identities to deliver malware, hitting targets like the UN and World Bank.

Sep 3, 2025

Cyware Daily Threat Intelligence, September 03, 2025

Slithering through networks like a digital phantom, TinyLoader malware is hitting Windows systems with a crafty mix of network share and USB attacks. It delivers threats like Redline Stealer and DCRat, hijacking cryptocurrency transactions by swapping wallet addresses while spreading via deceptive shortcuts and shared folders. Lazarus Group is playing a dangerous game of impersonation, wielding three new RATs against a DeFi target. Using fake Telegram profiles and sham scheduling sites, they deploy PondRAT for initial access, ThemeForestRAT for advanced monitoring, and RemotePE for high-value control, showcasing their evolving tactics. Chrome 140 is locking down a critical flaw that could let attackers run rogue code in your browser. Fixing a severe use-after-free bug in the V8 engine, alongside issues in the Toolbar, Extensions, and Downloads, Google’s latest update is a must for Windows, macOS, and Linux users.

Sep 2, 2025

Cyware Daily Threat Intelligence, September 02, 2025

Masquerading as a scholarly newsletter, North Korea’s ScarCruft is targeting South Korean academics and ex-officials with RokRAT malware. Launched via spear-phishing emails with malicious LNK files, Operation HanKook Phantom uses PowerShell and obfuscated scripts to steal sensitive data, cloaking exfiltration as Chrome uploads to hit government and research sectors. A fake PDF editor peddled through Google ads is dishing out the TamperedChef infostealer to unsuspecting users. Promoted across 50 domains since June, AppSuite PDF Editor, signed with bogus certificates, activates its data-stealing tricks post-update, grabbing credentials and cookies while dodging security agents. WhatsApp and Apple are racing to patch critical zero-day flaws exposing users to spyware attacks. A WhatsApp vulnerability, paired with an Apple OS flaw, allows exploits via malicious image files and device sync messages, potentially targeting high-profile individuals in sophisticated campaigns.

Aug 29, 2025

Cyware Daily Threat Intelligence, August 29, 2025

Posing as a golden ticket from the Bangladesh Education Board, SikkahBot is preying on students with fake scholarship lures. Active since July 2024, this Android malware grabs high-risk permissions to intercept SMS and steal financial data, spread via smishing links, with evolving variants showing sharper automation. A sneaky loophole in the VS Code Marketplace is letting attackers recycle names of deleted extensions to push ransomware. The “shiba” extension, active from late 2024 to mid-2025, encrypts files and demands Shiba Inu tokens, exploiting the platform’s name-reuse flaw to dodge detection. Click Studios is sounding the alarm on a dangerous flaw in Passwordstate’s password manager. This authentication bypass lets attackers access the admin section via a crafted URL, threatening the credentials of 370,000 IT pros across 29,000 firms, with a fix in Build 9972.

Aug 28, 2025

Cyware Daily Threat Intelligence, August 28, 2025

A data theft campaign attributed to UNC6395 targeted Salesforce instances via compromised OAuth tokens linked to the Salesloft Drift app, exfiltrating sensitive credentials between August 8-18, 2025. Salesloft and Salesforce responded by revoking all active access tokens and removing the Drift app from AppExchange.

Aug 27, 2025

Cyware Daily Threat Intelligence, August 27, 2025

The Underground ransomware gang is striking with precision, blending AES and RSA encryption to lock down global targets. After reconnaissance and breaches, they deploy customized malware that wipes shadow copies, blocks remote desktops, and selectively encrypts files using a stripe method for larger ones, sparing critical system folders. Blind Eagle's shadow looms over Colombia, with five activity clusters unleashing RATs and phishing on government sectors from May 2024 to July 2025. Targeting judiciary, education, and healthcare, they impersonate agencies via spear-phishing to deliver Lime RAT and AsyncRAT, leveraging compromised emails and dynamic DNS for espionage and financial gains. Citrix is sealing critical gaps in NetScaler ADC and Gateway, including a zero-day remote code execution flaw that's already under attack. This memory overflow bug affects Gateway configurations, urging immediate firmware updates, alongside fixes for denial-of-service and improper access control vulnerabilities.

Aug 26, 2025

Cyware Daily Threat Intelligence, August 26, 2025

Sneaky adware is sneaking onto millions of Android devices through 77 malicious apps yanked from Google Play. With over 19 million installs, these apps pack Joker malware that steals info and signs up for premium services, alongside Harly variants and the evolving Anatsa trojan. A Docker Desktop flaw is handing attackers the keys to host systems on Windows and macOS. This SSRF vulnerability lets malicious containers bypass isolation to access the Engine API, mount drives, and escalate privileges, fixed in version 4.44.3 to curb unauthorized file access. Phony Tesla sites are reeling in robot enthusiasts with Google Ads promising Optimus preorders for a $250 deposit. These scams mimic Tesla's look to harvest credit card details for underground markets, using rotating domains and Cloudflare to stay elusive.