Cyware Daily Threat Intelligence, September 16, 2025

shutterstock 2374533403

Daily Threat Briefing September 16, 2025

Maranhão Stealer is hunting gamers through pirated software. Built with Node.js and Inno Setup, it mimics Microsoft components to hide, using DLL injection for persistence. It steals crypto wallet credentials, grabbing hardware and network data for targeted attacks.

AppSuite, OneStart, and ManualFinder are a malware triple threat. Posing as legit tools like PDF editors, they use Electron and PowerShell to track users and install sneaky extensions. Active since 2018, they evolve with randomized domains for control.

Phoenix is cracking DDR5 memory defenses wide open. This Rowhammer variant bypasses SK Hynix protections, flipping bits to gain root access in minutes. It targets RSA-2048 keys and binaries, impacting all DDR5 chips from 2021 to 2024.

Top Malware Reported in the Last 24 Hours

SmokeLoader malware evolves with new variants

SmokeLoader, a modular malware loader active since 2011, is designed to deliver various second-stage payloads such as trojans and ransomware. Following Operation Endgame in 2024, which aimed to dismantle its infrastructure, new variants emerged in early 2025, specifically version 2025 alpha and version 2025. These updates include significant bug fixes that enhance performance and improve evasion tactics against detection systems. Version 2025 alpha introduces a mutex check to prevent repeated injections into processes, while version 2025 modifies the network protocol and adds checks for the victim's keyboard layout. Additionally, both versions incorporate obfuscation techniques to hinder analysis and detection. Despite efforts to mitigate its impact, SmokeLoader continues to be actively used by multiple threat groups, with version 2025 alpha currently being the most prevalent variant.

New Maranhão Stealer targets gamers

A sophisticated malware campaign known as Maranhão Stealer has emerged, targeting gaming enthusiasts through malicious pirated software distributed on cloud-hosted platforms. Utilizing Node[.]js and Inno Setup installers, this malware employs advanced evasion techniques and social engineering to compromise user accounts and cryptocurrency wallets. Once installed, it creates a deceptive directory structure resembling legitimate Microsoft components, ensuring persistence through registry modifications and reflective DLL injection. Maranhão Stealer conducts extensive reconnaissance of infected systems, collecting hardware specifications, network details, and geolocation information. Its primary focus is on stealing credentials from popular cryptocurrency wallet applications, reflecting a shift towards targeting high-value digital assets.

Coordinated malware campaign uncovered

A coordinated malware campaign involving AppSuite, OneStart, and ManualFinder has been uncovered, revealing a shared infrastructure and overlapping tactics. These programs, often disguised as legitimate software like PDF editors or browsers, have evolved over time to include various components such as Electron, Node.js, and PowerShell scripts. The actors behind these threats have been active since at least 2018, leveraging deceptive installers and randomized domains to distribute and control malware. OneStart, derived from the Chromium browser, installs extensions that track user behavior and can silently add additional software. Older versions of OneStart employed PowerShell scripts and node.exe to execute malicious JavaScript, linking them to ManualFinder infections. Additionally, earlier iterations like SecureBrowser and DesktopBar were distributed under different names, showcasing the actors' evolving tactics.

Top Vulnerabilities Reported in the Last 24 Hours

New Phoenix attack bypasses DDR5 defenses

Researchers from ETH Zurich and Google have developed a new variant of Rowhammer attacks, named Phoenix, which successfully bypasses the latest protection mechanisms in DDR5 memory chips from SK Hynix. This attack exploits specific refresh intervals overlooked by the Target Row Refresh (TRR) defense, allowing attackers to flip bits in memory and potentially gain unauthorized access or escalate privileges. During testing, the team demonstrated that Phoenix could compromise all 15 DDR5 chips analyzed, achieving root access in under two minutes on a standard system. Additionally, the researchers found that the attack could manipulate sensitive data, including breaking SSH authentication by targeting RSA-2048 keys and altering binaries to elevate privileges. Phoenix is tracked as CVE-2025-6202 and affects all DDR5 DIMMs produced between January 2021 and December 2024.

Apple fixes critical vulnerabilities in software

Apple has released backported fixes for the critical vulnerability CVE-2025-43300, which affects the ImageIO component and can lead to memory corruption when processing malicious image files. This flaw has been actively exploited in sophisticated spyware attacks targeting fewer than 200 individuals. The company also addressed CVE-2025-55177, a vulnerability in WhatsApp's messaging apps, which was used in conjunction with CVE-2025-43300. Updates were rolled out for both recent and older versions of iOS, iPadOS, and macOS, including devices like the iPhone 6s and iPad Air 2. In addition to these vulnerabilities, Apple has patched several other security flaws across its platforms, including issues in Safari, LaunchServices, and CoreAudio.

Related Threat Briefings

Sep 15, 2025

Cyware Daily Threat Intelligence, September 15, 2025

From the shadows of the darknet, the Yurei ransomware group has emerged, targeting organizations in Sri Lanka, India, and Nigeria with a double-extortion scheme that encrypts files and leaks sensitive data. Operating from a suspected base in Morocco, the group’s darknet blog pressures victims with data leak threats, highlighting the growing risk of low-skill ransomware operations. Masquerading as legitimate tools, the WhiteCobra group has infiltrated VS Code and OpenVSX marketplaces with 24 malicious extensions aimed at stealing cryptocurrency and sensitive data. By inflating download counts, WhiteCobra exploits developer trust, exposing critical weaknesses in marketplace security. A flaw in the CUPS printing system has left Linux systems vulnerable to remote crashes and authentication bypasses. Stemming from unsafe deserialization in the libcups library, this vulnerability disrupts printing services and can be exploited with simple Python scripts, requiring only network adjacency.

Sep 12, 2025

Cyware Daily Threat Intelligence, September 12, 2025

Mustang Panda's latest ToneShell variant is digging deep into systems with slick persistence moves. Delivered via DLL sideloading in archives, it dodges analysis, enforces single-instance rules, and sets up scheduled tasks in user directories. XOR-obfuscated payloads communicate via fake TLS to C2 servers, generating unique GUIDs per machine for ongoing ops. Researchers uncovered a RAT storm hitting Chinese users since May. Phishing on GitHub Pages drops ValleyRAT, FatalRAT, and kkRAT, the latter echoing Ghost RAT with beefed-up encryption and commands. kkRAT sniffs sandboxes, hijacks clipboards for crypto swaps, and installs RMM tools like Sunlogin, all via multi-stage shellcodes. Akira ransomware is busting into networks through SonicWall's CVE-2024-40766 flaw. This unpatched SSL VPN hole lets them snag access, but SonicWall's August patch plus password resets can block it. ACSC warns of fresh exploits since September, with 40 incidents probed.

Sep 11, 2025

Cyware Daily Threat Intelligence, September 11, 2025

Slipping through macOS like a shadow in the fog, ChillyHell malware cloaks itself as a harmless app to wreak havoc. Using LaunchAgent, LaunchDaemon, and shell injections, it digs into systems at boot, stealing data and launching reverse shells while evading Apple’s notarization checks. A rogue Chrome extension, Madgicx Plus, is preying on Meta advertisers with a slick AI optimization pitch. This malware, spread through polished domains tied to past scams, hijacks Google and Facebook accounts, siphoning off valuable ad assets with deceptive ease. NVIDIA’s NVDebug tool is under siege from three high-severity flaws, opening doors to code execution and privilege escalation. These vulnerabilities, with the worst scoring 8.2, allow attackers to tamper with systems or steal data in multi-user setups, fixed in version 1.7.0.

Sep 10, 2025

Cyware Daily Threat Intelligence, September 10, 2025

Masquerading as harmless GitHub files, Kimsuky is sneaking malware into systems with malicious LNK files. These trigger PowerShell scripts to steal system metadata and upload it to private repositories, using scheduled tasks for persistent espionage targeting sensitive networks. Slipping into devices like a digital ghost, Buterat backdoor is hitting government and enterprise systems via phishing and trojanized downloads. It hides in processes, tweaks registry keys for persistence, and uses encrypted C2 channels to drop payloads and evade detection. Microsoft’s latest patch tackles 81 flaws, including two zero-day vulnerabilities in Windows SMB and Newtonsoft.Json. With nine critical fixes addressing remote code execution and privilege escalation, enabling SMB protections is urged, though compatibility hiccups may arise.

Sep 9, 2025

Cyware Daily Threat Intelligence, September 09, 2025

Slipping through phishing emails like a digital ninja, MostereRAT is targeting Japanese users with encrypted payloads. This malware grabs SYSTEM-level control, disables antivirus and Windows defenses, and uses AnyDesk and TightVNC to steal data and capture screens via secure C2 channels. SAP’s latest patch day is a wake-up call, tackling four critical vulnerabilities threatening enterprise systems. The worst, an insecure deserialization flaw in NetWeaver’s RMI-P4, allows unauthenticated attackers to run arbitrary commands, with patches addressing file uploads and access control issues. China-linked Salt Typhoon and UNC4841 are lurking behind 45 newly uncovered domains, some active since May 2020. Using fake identities and Proton Mail, these espionage groups exploit vulnerabilities like Barracuda’s, revealing a persistent threat to global networks.

Sep 8, 2025

Cyware Daily Threat Intelligence, September 08, 2025

Posing as Microsoft Teams with chilling accuracy, cybercriminals are tricking macOS users into downloading the Odyssey stealer. This malware grabs browser credentials and crypto wallet data, using social engineering to gain privileges and swap out legitimate apps for persistent theft. A gaping hole in Progress Software’s OpenEdge AdminServer is letting attackers run rogue code with ease. This high-severity flaw allows command injection via the Java RMI interface, now patched with better input sanitization and disabled remote RMI. iCloud Calendar invites are being hijacked to deliver phishing emails that dodge spam filters. Masquerading as payment alerts from Apple’s servers, they lure victims to fake support lines, enabling scammers to steal data or deploy malware via remote access.

Sep 5, 2025

Cyware Daily Threat Intelligence, September 05, 2025

Slipping through digital cracks, China-aligned GhostRedirector is hijacking Windows servers with a stealthy C++ backdoor called Rungan. Paired with the Gamshen IIS module for SEO fraud, it boosts gambling sites on Google while exploiting EfsPotato and BadPotato to compromise 65 servers across multiple countries. A zero-day flaw in Sitecore deployments is opening doors for hackers to unleash WeepSteel malware. By exploiting a reused ASP.NET key, attackers achieve remote code execution, using tools like Earthworm and Dwagent to steal data and maintain access through local admin accounts and SYSTEM services. A macOS flaw is exposing sensitive data despite System Integrity Protection. This vulnerability, tied to the gcore utility, allows attackers to read process memory, extract login Keychain Master Keys, and decrypt iOS app binaries, patched in macOS 15.3 after a researcher’s discovery.

Sep 4, 2025

Cyware Daily Threat Intelligence, September 04, 2025

Lurking in your inbox, Russia’s APT28 is wielding NotDoor to turn Outlook into an espionage tool. This VBA backdoor, triggered by email keywords, uses obfuscation and DLL side-loading to dodge detection, altering registry settings to steal sensitive data across NATO organizations. Critical flaws in Hikvision’s HikCentral software are leaving security systems wide open to unauthenticated attackers. These vulnerabilities, including a high-severity access control issue, allow privilege escalation to manipulate logs, disable surveillance, or unlock doors, with patches now available. Iran’s Homeland Justice APT is casting a wide phishing net, targeting over 50 global embassies and organizations. Using 100+ hijacked email accounts and malicious Word docs since August 19, they exploit trusted identities to deliver malware, hitting targets like the UN and World Bank.

Sep 3, 2025

Cyware Daily Threat Intelligence, September 03, 2025

Slithering through networks like a digital phantom, TinyLoader malware is hitting Windows systems with a crafty mix of network share and USB attacks. It delivers threats like Redline Stealer and DCRat, hijacking cryptocurrency transactions by swapping wallet addresses while spreading via deceptive shortcuts and shared folders. Lazarus Group is playing a dangerous game of impersonation, wielding three new RATs against a DeFi target. Using fake Telegram profiles and sham scheduling sites, they deploy PondRAT for initial access, ThemeForestRAT for advanced monitoring, and RemotePE for high-value control, showcasing their evolving tactics. Chrome 140 is locking down a critical flaw that could let attackers run rogue code in your browser. Fixing a severe use-after-free bug in the V8 engine, alongside issues in the Toolbar, Extensions, and Downloads, Google’s latest update is a must for Windows, macOS, and Linux users.

Sep 2, 2025

Cyware Daily Threat Intelligence, September 02, 2025

Masquerading as a scholarly newsletter, North Korea’s ScarCruft is targeting South Korean academics and ex-officials with RokRAT malware. Launched via spear-phishing emails with malicious LNK files, Operation HanKook Phantom uses PowerShell and obfuscated scripts to steal sensitive data, cloaking exfiltration as Chrome uploads to hit government and research sectors. A fake PDF editor peddled through Google ads is dishing out the TamperedChef infostealer to unsuspecting users. Promoted across 50 domains since June, AppSuite PDF Editor, signed with bogus certificates, activates its data-stealing tricks post-update, grabbing credentials and cookies while dodging security agents. WhatsApp and Apple are racing to patch critical zero-day flaws exposing users to spyware attacks. A WhatsApp vulnerability, paired with an Apple OS flaw, allows exploits via malicious image files and device sync messages, potentially targeting high-profile individuals in sophisticated campaigns.

Aug 29, 2025

Cyware Daily Threat Intelligence, August 29, 2025

Posing as a golden ticket from the Bangladesh Education Board, SikkahBot is preying on students with fake scholarship lures. Active since July 2024, this Android malware grabs high-risk permissions to intercept SMS and steal financial data, spread via smishing links, with evolving variants showing sharper automation. A sneaky loophole in the VS Code Marketplace is letting attackers recycle names of deleted extensions to push ransomware. The “shiba” extension, active from late 2024 to mid-2025, encrypts files and demands Shiba Inu tokens, exploiting the platform’s name-reuse flaw to dodge detection. Click Studios is sounding the alarm on a dangerous flaw in Passwordstate’s password manager. This authentication bypass lets attackers access the admin section via a crafted URL, threatening the credentials of 370,000 IT pros across 29,000 firms, with a fix in Build 9972.

Aug 28, 2025

Cyware Daily Threat Intelligence, August 28, 2025

A data theft campaign attributed to UNC6395 targeted Salesforce instances via compromised OAuth tokens linked to the Salesloft Drift app, exfiltrating sensitive credentials between August 8-18, 2025. Salesloft and Salesforce responded by revoking all active access tokens and removing the Drift app from AppExchange.