Cyware Daily Threat Intelligence, September 30, 2025

shutterstock 2021698187 (1)

Daily Threat Briefing September 30, 2025

Elderly folks are being sweet-talked by AI-crafted Facebook travel scams into installing fake APKs, then Datzbro slips in, hijacks their Androids with accessibility abuse, keylogging, overlays and a creepily efficient remote-control mode to swipe credentials and drain accounts.

Another Android banking trojan  Klopatra, enables full remote device takeover and mass financial fraud, using Virbox obfuscation and native C/C++ libraries. It spreads via a streaming-app dropper that abuses Install Unknown Apps and Accessibility permissions, and installs a hidden VNC that can simulate a “black screen” for stealthy control.

CVE-2024-3400, a critical, publicly exploited 10.0 CVSS vulnerability in Palo Alto PAN-OS GlobalProtect (versions 10.2, 11.0, 11.1) allows for OS command injection and requires immediate application of vendor-released fixes and hotfixes.

Top Malware Reported in the Last 24 Hours

Datzbro trojan uses AI to trick elderly users

Cybersecurity researchers discovered a new Android banking trojan called Datzbro, targeting elderly users through AI-generated Facebook travel event scams. Victims are tricked into downloading malicious APK files via fraudulent links, leading to device takeover and financial fraud. The malware uses advanced techniques like Android accessibility services, keylogging, and overlay attacks to steal credentials and conduct transactions. Datzbro's remote control mode allows attackers to recreate the victim's device layout for effective exploitation.

New Android banking trojan uses hidden VNC for stealthy attacks

Klopatra, a new Android banking trojan is enabling full remote control of devices and large-scale financial fraud. It uses Virbox for advanced obfuscation and native C/C++ libraries to evade detection. Infection begins with a dropper disguised as a streaming app, exploiting "Install Unknown Apps" and Accessibility Services permissions. Hidden VNC allows attackers to operate devices stealthily, even simulating a "black screen" to avoid user suspicion. 

Top Vulnerabilities Reported in the Last 24 Hours

Broadcom patches critical VMware NSX flaws

Broadcom released updates to fix two high-severity VMware NSX vulnerabilities reported by the NSA, including password recovery and username enumeration flaws that could lead to unauthorized access. Broadcom patched a high-severity SMTP header injection vulnerability in VMware vCenter, along with other flaws in VMware Aria Operations and VMware Tools that could escalate privileges and compromise credentials. Earlier in 2025, Broadcom addressed zero-day vulnerabilities exploited during the Pwn2Own Berlin contest, as well as other actively exploited VMware zero-days reported by Microsoft.

Hackers exploit a critical bug in Palo Alto GlobalProtect

Hackers are probing systems for CVE-2024-3400, a critical vulnerability in Palo Alto PAN-OS GlobalProtect, enabling file creation and possible OS command injection. The vulnerability affects PAN-OS versions 10.2, 11.0, and 11.1 configured with GlobalProtect, but not Cloud NGFW, Panorama, or Prisma Access. A CVSS score of 10.0 and public proof-of-concept code heighten the urgency for patching and mitigation. Palo Alto Networks has released fixes and hotfixes for affected versions, along with threat prevention signatures to block exploit attempts.

Apple addresses critical Font Parser vulnerability

Apple has issued a security update for macOS Sequoia 15.7.1 to address a critical vulnerability in its font parser (CVE-2025-43400). The flaw, which involves an out-of-bounds write, could lead to application crashes or memory corruption if exploited via malicious font files. While no active exploitation has been reported, the vulnerability might enable remote code execution when combined with other bugs. Apple advises users to promptly install the update, which also applies to iOS, iPadOS, visionOS, and earlier macOS versions.

Related Threat Briefings

Sep 29, 2025

Cyware Daily Threat Intelligence, September 29, 2025

Exploiting SonicWall firewalls like a battering ram, Akira ransomware is surging through malicious SSL VPN logins. By targeting CVE-2024-40766, attackers bypass MFA, swiftly move laterally, and deploy ransomware within hours, harvesting credentials and exfiltrating data. A cunning malvertising scheme lures victims with a fake Microsoft Teams installer to unleash Oyster malware. Using SEO poisoning via Bing, this signed installer creates a backdoor in under 15 seconds, though Microsoft Defender blocks its C2 communication attempts. A zero-day flaw in Fortra’s GoAnywhere MFT software opens the door to remote command injection. This deserialization bug, exploited since September 10, allows attackers to create backdoor admin accounts, urging immediate upgrades to patched versions and restricted console access.

Sep 26, 2025

Cyware Daily Threat Intelligence, September 26, 2025

China’s UNC5221 is sneaking Brickstorm into network appliances, lurking undetected for over a year. This Go-based backdoor, mimicking legit software, hits SaaS and tech firms with custom C2 servers, using zero-day exploits and obfuscation to maintain stealthy control. North Korean hackers are reeling in crypto developers with fake LinkedIn job offers, hiding AkdoorTea malware. This Contagious Interview campaign uses BeaverTail and Tropidoor to pilfer data across platforms, spreading via deceptive GitHub projects and video assessments. State-sponsored attackers are breaching Cisco ASA firewalls with zero-day exploits, unleashing RayInitiator and LINE VIPER. Linked to China’s UAT4356, these malware variants dodge detection by disabling logs, targeting government networks since May with persistent firmware tweaks.

Sep 25, 2025

Cyware Daily Threat Intelligence, September 25, 2025

Cloaked in fake copyright notices, the Lone None group is sneaking Pure Logs and Lone None Stealer into systems. Spoofing legal firms, their phishing emails use Telegram bots and obfuscated Python to steal crypto wallet addresses, targeting social media accounts with high credibility. Russia’s COLDRIVER is baiting victims with a fake CAPTCHA in the ClickFix campaign. Using BAITSWITCH to download SIMPLEFIX, a PowerShell backdoor, this multi-stage attack targets Russian civil society and Western groups, gathering system data via stealthy C2 communication. A critical zero-day flaw in Cisco’s IOS and IOS XE software is under active attack. This SNMP stack overflow bug lets admins run root-level code, affecting Meraki and Catalyst devices, with patches addressing 14 vulnerabilities to curb DoS and authentication risks.

Sep 24, 2025

Cyware Daily Threat Intelligence, September 24, 2025

Since 2022, a stealthy campaign has been hijacking DLLs to unleash a PlugX variant on Asia’s telecom and manufacturing sectors. Linked to Naikon and BackdoorDiplomacy, it uses malicious documents and shared cryptographic tools to deploy RainyDay and Turian-like backdoors. Salesforce CLI installer harbors a critical flaw, letting attackers seize SYSTEM-level control on Windows. This path-handling bug in versions before 2.106.6 enables code execution via rogue installers, now fixed with proper signing in the latest release. Exploiting a Linux Pandoc flaw, hackers are targeting AWS credentials through SSRF attacks. This vulnerability allows iframe-based credential theft from EC2 IMDSv1, urging users to adopt IMDSv2 and sandbox options to lock down systems.

Sep 23, 2025

Cyware Daily Threat Intelligence, September 23, 2025

With fake job portals as bait, Iran’s Nimbus Manticore targets Europe’s defense and telecom sectors. Their spear-phishing campaign uses multi-stage DLL sideloading to deploy MiniJunk and MiniBrowse, stealthy malware evading detection with obfuscation to hit aerospace and defense networks. The fezbox npm package, a wolf in utility library clothing, hides a cookie-stealing payload in QR codes. Linked to “janedu,” it uses steganography and reversed-string obfuscation to swipe usernames and passwords, quietly exfiltrating them to remote servers via HTTPS. Libraesva ESG’s email scanning engine has a chink in its armor, letting attackers slip through with crafted attachments. This command injection flaw, exploited by a state actor, triggered rapid patches for ESG 5.x to secure systems against unauthorized command execution.

Sep 22, 2025

Cyware Daily Threat Intelligence, September 22, 2025

A rogue patch for Steam’s BlockBlasters game is pilfering crypto wallets and user data. This trojan-laced update, slipped past security checks, grabs IP addresses and Steam credentials, disables Microsoft Defender, and uploads data to a C2 server, impacting hundreds of players. MalTerminal is breaking new ground as the first malware wielding GPT-4 to craft ransomware and backdoors. Using a deprecated OpenAI API, this LLM-embedded threat, paired with phishing that exploits Follina, dodges AI security to deliver malicious payloads. A critical Entra ID flaw let attackers impersonate Global Administrators across tenants. This maximum-severity bug, tied to legacy Azure AD Graph API, allowed MFA bypass and undetected access, now fixed to block unauthorized tenant compromise.

Sep 19, 2025

Cyware Daily Threat Intelligence, September 19, 2025

In a rare crossover of Russian APT playbooks, Gamaredon and Turla have joined forces to target Ukrainian defense entities with coordinated malware operations. Researchers have uncovered joint activity involving the use of Gamaredon's custom tools to deploy Kazuar, a powerful Turla-developed backdoor known for its stealth and persistence. Malware deployment is getting more modular and more menacing. CountLoader is a newly developed malware loader tied to Russia-affiliated ransomware groups like LockBit, BlackBasta, and Qilin. Disguised as Ukrainian police messages in phishing campaigns, CountLoader excels at blending into enterprise traffic, gathering detailed system data, and maintaining persistent access through varied execution techniques. No clicks, no downloads, no warnings - just data theft by design. A critical flaw in OpenAI’s ChatGPT Deep Research agent has been patched following the discovery of ShadowLeak, a zero-click vulnerability that enabled attackers to exfiltrate sensitive information from user inboxes via maliciously crafted emails. The exploit abused the agent’s autonomous email-processing capabilities to embed covert instructions.

Sep 18, 2025

Cyware Daily Threat Intelligence, September 18, 2025

A JPG file that looks like a simple image might now be the start of a full-blown infostealing operation. In a recent FileFix campaign, threat actors are hiding malicious PowerShell scripts and encrypted binaries inside seemingly innocent image files. Unlike earlier proof-of-concept variants, this iteration ups the ante by using multilingual phishing pages and deeply obfuscated JavaScript. When package managers become threat vectors, even a string manipulation library can be a trap. Two rogue Python packages have been removed from PyPI after researchers discovered they were dropping SilentSync RAT. SilentSync is capable of executing arbitrary commands, exfiltrating files, and stealing browser credentials, making it especially dangerous for unsuspecting developers. Another day, another zero-day. Google has shipped an urgent patch to plug a critical flaw in Chrome. Tracked as CVE-2025-10585, the newly patched vulnerability stems from a type confusion bug in the V8 JavaScript engine, which could allow attackers to remotely execute arbitrary code by luring users to maliciously crafted HTML pages. This marks the sixth actively exploited zero-day in Chrome this year.

Sep 17, 2025

Cyware Daily Threat Intelligence, September 17, 2025

Wriggling through npm like a digital sandworm, Shai-Hulud is hijacking developer accounts to poison popular packages. This JavaScript worm steals tokens, deploys TruffleHog to snatch secrets, and creates public “Shai-Hulud” GitHub repos, exposing sensitive code across over 700 repositories. Slipping past defenses with Russian flair, XillenStealer is plundering data across Windows, Linux, and macOS. Using a Tkinter GUI, this Python malware grabs credentials, crypto wallets, and gaming tokens, employing anti-debugging and Telegram exfiltration to stay covert. A BitLocker bypass dubbed BitPixie is cracking open encrypted drives with a sneaky PXE reboot trick. Exploiting a 2005-2022 Windows Boot Manager flaw, attackers extract keys from memory, with Microsoft’s May 2023 patch swapping certificates to block this downgrade attack.

Sep 16, 2025

Cyware Daily Threat Intelligence, September 16, 2025

Maranhão Stealer is hunting gamers through pirated software. Built with Node.js and Inno Setup, it mimics Microsoft components to hide, using DLL injection for persistence. It steals crypto wallet credentials, grabbing hardware and network data for targeted attacks. AppSuite, OneStart, and ManualFinder are a malware triple threat. Posing as legit tools like PDF editors, they use Electron and PowerShell to track users and install sneaky extensions. Active since 2018, they evolve with randomized domains for control. Phoenix is cracking DDR5 memory defenses wide open. This Rowhammer variant bypasses SK Hynix protections, flipping bits to gain root access in minutes. It targets RSA-2048 keys and binaries, impacting all DDR5 chips from 2021 to 2024.

Sep 15, 2025

Cyware Daily Threat Intelligence, September 15, 2025

From the shadows of the darknet, the Yurei ransomware group has emerged, targeting organizations in Sri Lanka, India, and Nigeria with a double-extortion scheme that encrypts files and leaks sensitive data. Operating from a suspected base in Morocco, the group’s darknet blog pressures victims with data leak threats, highlighting the growing risk of low-skill ransomware operations. Masquerading as legitimate tools, the WhiteCobra group has infiltrated VS Code and OpenVSX marketplaces with 24 malicious extensions aimed at stealing cryptocurrency and sensitive data. By inflating download counts, WhiteCobra exploits developer trust, exposing critical weaknesses in marketplace security. A flaw in the CUPS printing system has left Linux systems vulnerable to remote crashes and authentication bypasses. Stemming from unsafe deserialization in the libcups library, this vulnerability disrupts printing services and can be exploited with simple Python scripts, requiring only network adjacency.

Sep 12, 2025

Cyware Daily Threat Intelligence, September 12, 2025

Mustang Panda's latest ToneShell variant is digging deep into systems with slick persistence moves. Delivered via DLL sideloading in archives, it dodges analysis, enforces single-instance rules, and sets up scheduled tasks in user directories. XOR-obfuscated payloads communicate via fake TLS to C2 servers, generating unique GUIDs per machine for ongoing ops. Researchers uncovered a RAT storm hitting Chinese users since May. Phishing on GitHub Pages drops ValleyRAT, FatalRAT, and kkRAT, the latter echoing Ghost RAT with beefed-up encryption and commands. kkRAT sniffs sandboxes, hijacks clipboards for crypto swaps, and installs RMM tools like Sunlogin, all via multi-stage shellcodes. Akira ransomware is busting into networks through SonicWall's CVE-2024-40766 flaw. This unpatched SSL VPN hole lets them snag access, but SonicWall's August patch plus password resets can block it. ACSC warns of fresh exploits since September, with 40 incidents probed.