Cyware Daily Threat Intelligence, September 15, 2025

shutterstock 1801768537

Daily Threat Briefing September 15, 2025

From the shadows of the darknet, the Yurei ransomware group has emerged, targeting organizations in Sri Lanka, India, and Nigeria with a double-extortion scheme that encrypts files and leaks sensitive data. Operating from a suspected base in Morocco, the group’s darknet blog pressures victims with data leak threats, highlighting the growing risk of low-skill ransomware operations.

Masquerading as legitimate tools, the WhiteCobra group has infiltrated VS Code and OpenVSX marketplaces with 24 malicious extensions aimed at stealing cryptocurrency and sensitive data. By inflating download counts, WhiteCobra exploits developer trust, exposing critical weaknesses in marketplace security.

A flaw in the CUPS printing system has left Linux systems vulnerable to remote crashes and authentication bypasses. Stemming from unsafe deserialization in the libcups library, this vulnerability disrupts printing services and can be exploited with simple Python scripts, requiring only network adjacency.

Top Malware Reported in the Last 24 Hours

New Yurei ransomware emerges

Yurei is a newly emerged ransomware group that adopts a double-extortion model, encrypting files and exfiltrating sensitive data from victims, primarily targeting organizations in Sri Lanka, India, and Nigeria. Yurei is derived from the open-source Prince-Ransomware, featuring only minor modifications that lower the barrier for cybercriminals. The ransomware employs the ChaCha20 encryption algorithm and utilizes goroutines for concurrent encryption of drives, while its lack of anti-analysis features indicates a low skill level among its developers. Notably, Yurei does not delete Shadow Copies, allowing potential recovery for victims. With a rapid increase in victims, the group operates a darknet blog for communication and negotiation, leveraging the threat of data leakage to pressure victims into paying ransoms. Investigations suggest the threat actors may be based in Morocco, linking them to other ransomware operations.

Phishing campaigns exploit RMM tools for access

Malicious actors are increasingly using phishing campaigns to install RMM software on victim machines, as reported by Red Canary. These campaigns exploit various lures, including fake browser updates that prompt users to download the ITarian RMM tool, misleading meeting invites that install Atera or PDQ software, and deceptive party invitations that deliver RMM tools via trusted domains like Cloudflare R2. Additionally, government forms such as W9s and tax returns are used to entice victims into installing malicious software. Additionally, threat actors leverage compromised websites and malicious domains to manage large-scale malware campaigns.

WhiteCobra's malicious extension campaign exposed

A coordinated campaign by the threat actor group WhiteCobra has infiltrated the VS Code and OpenVSX marketplaces, deploying 24 malicious extensions designed to steal cryptocurrency and sensitive information. This sophisticated operation, which has already claimed high-profile victims like crypto influencer zak.eth, reveals a detailed playbook outlining a five-phase attack strategy: packaging, deployment, promotion, download inflation, and exfiltration. WhiteCobra manipulates download counts to create false credibility, employing social engineering tactics that exploit developer psychology through social media. Their multi-stage payload delivery chain utilizes obfuscated code to evade detection, ultimately delivering malware such as LummaStealer, which targets cryptocurrency wallets and other sensitive data.

New HybridPetya ransomware bypasses Secure Boot

HybridPetya is a newly discovered ransomware strain that can bypass UEFI Secure Boot, allowing it to install malicious software on the EFI System Partition. This ransomware appears to draw inspiration from the notorious Petya and NotPetya malware, incorporating their visual style and attack methods while adding new features such as installation in the EFI System Partition and exploiting the CVE-2024-7344 vulnerability. Upon execution, HybridPetya drops a bootkit into the EFI System partition, which includes various files for encryption and validation. It encrypts Master File Table (MFT) clusters using a Salsa20 key, displays a fake CHKDSK message, and demands a ransom of $1,000 in Bitcoin for decryption. 

Top Vulnerabilities Reported in the Last 24 Hours

LangChainGo vulnerability allows file access exploitation

A vulnerability in LangChainGo (CVE-2025-9556) allows attackers to perform arbitrary file reads via malicious prompt injections using the Gonja template engine. The flaw enables attackers to reference critical system files like /etc/passwd through server-side template injection (SSTI), compromising sensitive data. Exploitation requires only access to the prompt input field, making systems like chatbots particularly vulnerable, with potential for further attacks like privilege escalation. A fix has been implemented with the RenderTemplateFS function, isolating template rendering from filesystem access. Users should update LangChainGo and review custom templates for compliance.

Critical CUPS bug poses major risks

A critical vulnerability in the CUPS printing system, tracked as CVE-2025-58364, allows attackers to remotely crash Linux systems and bypass authentication. This flaw arises from unsafe deserialization and validation of printer attributes in the libcups library, particularly during IPP operations. When exploited, the vulnerability triggers crashes in both the CUPS daemon and the cups-browsed service, disrupting printing capabilities. Exploitation requires network adjacency, but systems with unpatched vulnerabilities could face remote attacks. Proof-of-concept demonstrations reveal that attackers can easily exploit this flaw using simple Python scripts, highlighting significant risks to Linux infrastructure.

CISA warns of critical Dassault flaw

The CISA warned of active exploitation of a critical RCE vulnerability, tracked as CVE-2025-5086, in Dassault Systèmes' DELMIA Apriso software. The vulnerability, caused by deserialization of untrusted data, affects all versions of DELMIA Apriso from Release 2020 to Release 2025. A tThreat researcher observed exploitation attempts using malicious SOAP requests that execute Base64-encoded, GZIP-compressed .NET executables. Malicious requests were traced to the IP 156.244.33[.]162, possibly linked to automated scanning.

Related Threat Briefings

Sep 12, 2025

Cyware Daily Threat Intelligence, September 12, 2025

Mustang Panda's latest ToneShell variant is digging deep into systems with slick persistence moves. Delivered via DLL sideloading in archives, it dodges analysis, enforces single-instance rules, and sets up scheduled tasks in user directories. XOR-obfuscated payloads communicate via fake TLS to C2 servers, generating unique GUIDs per machine for ongoing ops. Researchers uncovered a RAT storm hitting Chinese users since May. Phishing on GitHub Pages drops ValleyRAT, FatalRAT, and kkRAT, the latter echoing Ghost RAT with beefed-up encryption and commands. kkRAT sniffs sandboxes, hijacks clipboards for crypto swaps, and installs RMM tools like Sunlogin, all via multi-stage shellcodes. Akira ransomware is busting into networks through SonicWall's CVE-2024-40766 flaw. This unpatched SSL VPN hole lets them snag access, but SonicWall's August patch plus password resets can block it. ACSC warns of fresh exploits since September, with 40 incidents probed.

Sep 11, 2025

Cyware Daily Threat Intelligence, September 11, 2025

Slipping through macOS like a shadow in the fog, ChillyHell malware cloaks itself as a harmless app to wreak havoc. Using LaunchAgent, LaunchDaemon, and shell injections, it digs into systems at boot, stealing data and launching reverse shells while evading Apple’s notarization checks. A rogue Chrome extension, Madgicx Plus, is preying on Meta advertisers with a slick AI optimization pitch. This malware, spread through polished domains tied to past scams, hijacks Google and Facebook accounts, siphoning off valuable ad assets with deceptive ease. NVIDIA’s NVDebug tool is under siege from three high-severity flaws, opening doors to code execution and privilege escalation. These vulnerabilities, with the worst scoring 8.2, allow attackers to tamper with systems or steal data in multi-user setups, fixed in version 1.7.0.

Sep 10, 2025

Cyware Daily Threat Intelligence, September 10, 2025

Masquerading as harmless GitHub files, Kimsuky is sneaking malware into systems with malicious LNK files. These trigger PowerShell scripts to steal system metadata and upload it to private repositories, using scheduled tasks for persistent espionage targeting sensitive networks. Slipping into devices like a digital ghost, Buterat backdoor is hitting government and enterprise systems via phishing and trojanized downloads. It hides in processes, tweaks registry keys for persistence, and uses encrypted C2 channels to drop payloads and evade detection. Microsoft’s latest patch tackles 81 flaws, including two zero-day vulnerabilities in Windows SMB and Newtonsoft.Json. With nine critical fixes addressing remote code execution and privilege escalation, enabling SMB protections is urged, though compatibility hiccups may arise.

Sep 9, 2025

Cyware Daily Threat Intelligence, September 09, 2025

Slipping through phishing emails like a digital ninja, MostereRAT is targeting Japanese users with encrypted payloads. This malware grabs SYSTEM-level control, disables antivirus and Windows defenses, and uses AnyDesk and TightVNC to steal data and capture screens via secure C2 channels. SAP’s latest patch day is a wake-up call, tackling four critical vulnerabilities threatening enterprise systems. The worst, an insecure deserialization flaw in NetWeaver’s RMI-P4, allows unauthenticated attackers to run arbitrary commands, with patches addressing file uploads and access control issues. China-linked Salt Typhoon and UNC4841 are lurking behind 45 newly uncovered domains, some active since May 2020. Using fake identities and Proton Mail, these espionage groups exploit vulnerabilities like Barracuda’s, revealing a persistent threat to global networks.

Sep 8, 2025

Cyware Daily Threat Intelligence, September 08, 2025

Posing as Microsoft Teams with chilling accuracy, cybercriminals are tricking macOS users into downloading the Odyssey stealer. This malware grabs browser credentials and crypto wallet data, using social engineering to gain privileges and swap out legitimate apps for persistent theft. A gaping hole in Progress Software’s OpenEdge AdminServer is letting attackers run rogue code with ease. This high-severity flaw allows command injection via the Java RMI interface, now patched with better input sanitization and disabled remote RMI. iCloud Calendar invites are being hijacked to deliver phishing emails that dodge spam filters. Masquerading as payment alerts from Apple’s servers, they lure victims to fake support lines, enabling scammers to steal data or deploy malware via remote access.

Sep 5, 2025

Cyware Daily Threat Intelligence, September 05, 2025

Slipping through digital cracks, China-aligned GhostRedirector is hijacking Windows servers with a stealthy C++ backdoor called Rungan. Paired with the Gamshen IIS module for SEO fraud, it boosts gambling sites on Google while exploiting EfsPotato and BadPotato to compromise 65 servers across multiple countries. A zero-day flaw in Sitecore deployments is opening doors for hackers to unleash WeepSteel malware. By exploiting a reused ASP.NET key, attackers achieve remote code execution, using tools like Earthworm and Dwagent to steal data and maintain access through local admin accounts and SYSTEM services. A macOS flaw is exposing sensitive data despite System Integrity Protection. This vulnerability, tied to the gcore utility, allows attackers to read process memory, extract login Keychain Master Keys, and decrypt iOS app binaries, patched in macOS 15.3 after a researcher’s discovery.

Sep 4, 2025

Cyware Daily Threat Intelligence, September 04, 2025

Lurking in your inbox, Russia’s APT28 is wielding NotDoor to turn Outlook into an espionage tool. This VBA backdoor, triggered by email keywords, uses obfuscation and DLL side-loading to dodge detection, altering registry settings to steal sensitive data across NATO organizations. Critical flaws in Hikvision’s HikCentral software are leaving security systems wide open to unauthenticated attackers. These vulnerabilities, including a high-severity access control issue, allow privilege escalation to manipulate logs, disable surveillance, or unlock doors, with patches now available. Iran’s Homeland Justice APT is casting a wide phishing net, targeting over 50 global embassies and organizations. Using 100+ hijacked email accounts and malicious Word docs since August 19, they exploit trusted identities to deliver malware, hitting targets like the UN and World Bank.

Sep 3, 2025

Cyware Daily Threat Intelligence, September 03, 2025

Slithering through networks like a digital phantom, TinyLoader malware is hitting Windows systems with a crafty mix of network share and USB attacks. It delivers threats like Redline Stealer and DCRat, hijacking cryptocurrency transactions by swapping wallet addresses while spreading via deceptive shortcuts and shared folders. Lazarus Group is playing a dangerous game of impersonation, wielding three new RATs against a DeFi target. Using fake Telegram profiles and sham scheduling sites, they deploy PondRAT for initial access, ThemeForestRAT for advanced monitoring, and RemotePE for high-value control, showcasing their evolving tactics. Chrome 140 is locking down a critical flaw that could let attackers run rogue code in your browser. Fixing a severe use-after-free bug in the V8 engine, alongside issues in the Toolbar, Extensions, and Downloads, Google’s latest update is a must for Windows, macOS, and Linux users.

Sep 2, 2025

Cyware Daily Threat Intelligence, September 02, 2025

Masquerading as a scholarly newsletter, North Korea’s ScarCruft is targeting South Korean academics and ex-officials with RokRAT malware. Launched via spear-phishing emails with malicious LNK files, Operation HanKook Phantom uses PowerShell and obfuscated scripts to steal sensitive data, cloaking exfiltration as Chrome uploads to hit government and research sectors. A fake PDF editor peddled through Google ads is dishing out the TamperedChef infostealer to unsuspecting users. Promoted across 50 domains since June, AppSuite PDF Editor, signed with bogus certificates, activates its data-stealing tricks post-update, grabbing credentials and cookies while dodging security agents. WhatsApp and Apple are racing to patch critical zero-day flaws exposing users to spyware attacks. A WhatsApp vulnerability, paired with an Apple OS flaw, allows exploits via malicious image files and device sync messages, potentially targeting high-profile individuals in sophisticated campaigns.

Aug 29, 2025

Cyware Daily Threat Intelligence, August 29, 2025

Posing as a golden ticket from the Bangladesh Education Board, SikkahBot is preying on students with fake scholarship lures. Active since July 2024, this Android malware grabs high-risk permissions to intercept SMS and steal financial data, spread via smishing links, with evolving variants showing sharper automation. A sneaky loophole in the VS Code Marketplace is letting attackers recycle names of deleted extensions to push ransomware. The “shiba” extension, active from late 2024 to mid-2025, encrypts files and demands Shiba Inu tokens, exploiting the platform’s name-reuse flaw to dodge detection. Click Studios is sounding the alarm on a dangerous flaw in Passwordstate’s password manager. This authentication bypass lets attackers access the admin section via a crafted URL, threatening the credentials of 370,000 IT pros across 29,000 firms, with a fix in Build 9972.

Aug 28, 2025

Cyware Daily Threat Intelligence, August 28, 2025

A data theft campaign attributed to UNC6395 targeted Salesforce instances via compromised OAuth tokens linked to the Salesloft Drift app, exfiltrating sensitive credentials between August 8-18, 2025. Salesloft and Salesforce responded by revoking all active access tokens and removing the Drift app from AppExchange.

Aug 27, 2025

Cyware Daily Threat Intelligence, August 27, 2025

The Underground ransomware gang is striking with precision, blending AES and RSA encryption to lock down global targets. After reconnaissance and breaches, they deploy customized malware that wipes shadow copies, blocks remote desktops, and selectively encrypts files using a stripe method for larger ones, sparing critical system folders. Blind Eagle's shadow looms over Colombia, with five activity clusters unleashing RATs and phishing on government sectors from May 2024 to July 2025. Targeting judiciary, education, and healthcare, they impersonate agencies via spear-phishing to deliver Lime RAT and AsyncRAT, leveraging compromised emails and dynamic DNS for espionage and financial gains. Citrix is sealing critical gaps in NetScaler ADC and Gateway, including a zero-day remote code execution flaw that's already under attack. This memory overflow bug affects Gateway configurations, urging immediate firmware updates, alongside fixes for denial-of-service and improper access control vulnerabilities.