Cyware Monthly Threat Intelligence

Monthly Threat Briefing • April 30, 2019

The Good

As April comes to an end, let’s quickly brush up all that happened in the cybersecurity world this month. The past month witnessed several cybersecurity advancements, new laws and policies, security incidents, as well as the emergence of new threats. To begin with, let’s first glance through all the good that has happened in the cyberspace. USA.gov, the official online portal of the U.S federal government, has launched an artificial intelligence (AI) powered chatbot named ‘Sam’ that is capable of answering users’ questions on scams and frauds. The General Services Administration (GSA) has expanded its cybersecurity service offerings to help federal agencies and state governments to protect their valuable data. Meanwhile, the EU Parliament has voted to create a gigantic biometrics database that aggregates both identity records and biometrics of over 3.5 million EU and non-EU citizens.

Department of Homeland Security (DHS) is planning to roll out its new risk scoring algorithm ‘Agency-Wide Adaptive Risk Enumeration’ (AWARE) in October 2019. AWARE will help agencies prioritize mitigation activities and improve their basic cybersecurity hygiene.
Singapore has introduced a bill ‘Protection From Online Falsehoods and Manipulation Bill’ that aims at preventing the spread of fake news in online platforms. The bill promises to punish disseminators of fake news, with fines of up to S$100,000 or imprisonment of up to 10 years, or both.
The General Services Administration (GSA) has expanded its cybersecurity service offerings to help federal agencies and state governments to protect their valuable data. This will help agencies secure high-value assets on mission-critical systems.
USA.gov, the official online portal of the U.S federal government, has launched an artificial intelligence (AI) powered chatbot named ‘Sam’ that is capable of answering users’ questions on scams and frauds. In just over a month, Sam interacted with over 4,000 users, with 78% users having successfully asked their questions and received an answer.
US senators have introduced a bipartisan bill named ‘Cyber Resiliency Act’ that would require DHS to provide grants to support state and local governments in enhancing cyber defenses and addressing cybersecurity threats.
NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) organized the Locked Shields 2019 event. This is considered as the largest live-fire cyber exercise in the world.
Another two US senators have introduced a new bipartisan legislation to ban social networking platforms from using ‘dark patterns’ to trick users into providing their private data. Social media platforms have long abused dark patterns and have gained access to users’ private data such as geolocation, contacts, call logs, friend lists, and more.
The Washington state legislators have unanimously passed a bill ‘HB 1071’ that expands consumer data breach notification requirements to include more types of consumer information such as full birth dates, health insurance ID numbers, medical histories, student ID numbers, military ID numbers, passport ID numbers, username-password combinations, or biometric data.
The EU Parliament has voted to create a gigantic biometrics database that aggregates both identity records and biometrics of over 3.5 million EU and non-EU citizens. The identity records and biometrics include names, dates of birth, passport numbers, fingerprints, facial scans, and other identification details.

The Bad

April witnessed numerous data breaches and cyber attacks that saw the exposure of millions of people's personal information across the globe. Researchers have uncovered two misconfigured Amazon cloud servers belonging to third-party companies ‘Cultura Colectiva’ and ‘At the Pool game’ that contained over 540 million Facebook user records. An unprotected database belonging to Justdial exposed the personal information of almost 100 million users. Last but not least, more than 500 million iOS users have been targeted by eGobbler hacker group through massive malvertising campaigns.

Researchers have uncovered two misconfigured Amazon cloud servers belonging to third-party companies ‘Cultura Colectiva’ and ‘At the Pool game’ that contained over 540 million Facebook user records. The exposed user records include account names, Facebook IDs, comments, likes, list of Facebook friends, photos, groups, check-ins, and user preferences like movies, music, books, and interests.
Several HR companies in China have exposed over 590 million resumes in the past 3 months due to unprotected databases. While some of these misconfigured databases have been secured, there are few that are still leaking data on the internet.
An unprotected database belonging to JustDial exposed the personal information of almost 100 million users. The exposed data includes Justdial users’ names, email addresses, mobile numbers, location addresses, genders, dates of birth, photos, designations, company names, and more.
After two weeks of first exposure, JustDial has again exposed personal information. This time, it exposed the database of individuals who posted reviews on the platform. The information made public includes the reviewer’s name, mobile number, and location.
More than 500 million iOS users have been targeted by eGobbler hacker group through massive malvertising campaigns. These campaigns were conducted for almost a week starting from April 6, 2019. The group had used ‘8 individual campaigns and over 30 fake creatives’ to perform the attacks.
Bithumb cryptocurrency exchange platform suffered a cyber attack compromising 3 million EOS worth $13.4 million and 20 million Ripple coins (XRP) worth $6 million. An internal inspection revealed that the incident is an ‘accident involving insiders’.
A security researcher detected an unprotected database belonging to the Department of Medical, Health and Family Welfare of a state in northern India that exposed medical records of almost 12.5 million pregnant women who underwent an ultrasound scan, genetic testing, or sex determination testing of their unborn child.
Medical billing service provider ‘Doctors’ Management Service’ suffered a GandCrab ransomware attack compromising patients’ data from almost 38 clients including Beverly Surgical Associates, Today’s Wellness PLLC, Neuro Institute of New England, and more. The compromised data includes patients’ personal information such as names, addresses, dates of birth, Social Security numbers, driver’s license numbers, insurance, Medicare/Medicaid information and numbers, and medical information.
Magecart group has compromised the online store of Atlanta Hawks, a basketball team in Atlanta, Georgia. The attack has impacted all those who have shopped from the online store on or after April 20, 2019. Shoppers’ data such as names, addresses, and credit card details have been potentially stolen by the Magecart group through skimmers injected on hawksshop.com.
Manufacturing giant Aebi Schmidt has been hit with a major ransomware attack, forcing the company to shut down its systems across the company’s international network, including its U.S. subsidiaries. The attack has primarily impacted its European base leaving a number of systems non-operational.
‘Gnosticplayers’ hacker has been back with the fifth round of stolen data. This time, he has put up over 65 million user accounts on sale on the dark web forum. The latest batch includes user records that belonged to six new companies. The hacked data is being sold for 0.8463 Bitcoin ($4,350) on the DreamMarket forum.
Eight misconfigured databases have been found leaking approximately 60 million records of LinkedIn user information. The total size of databases is estimated to be 229 GB, with each database ranging between 25 GB and 32 GB. Security researcher Sanyam Jain who discovered these misconfigured databases told that the data had been removed every day and loaded on different IPs.
In another revelation on Thursday, Facebook has disclosed that it stored millions of passwords of Instagram users in plaintext. The social networking company mentioned this incident in an update to the earlier blog written on passwords kept in plaintext in its storage systems. However, Facebook has emphasized that these unencrypted passwords were not being abused or accessed by its employees.
Researchers have detected around 74 Facebook groups with nearly 385,000 members that were used to carry out illicit trading of stolen credentials, email addresses, private data, credit card information, and phishing kits. Facebook’s security team has removed all the 74 groups from the site.
Hackers breached Toyota’s IT systems and gained unauthorized access to servers that contained sales information of almost 3.1 million customers. The data belonged to several sales subsidiaries such as Toyota Tokyo Sales Holdings, Tokyo Motor, Tokyo Toyopet, Toyota Tokyo Corolla, Netz Toyota Tokyo, Lexus Koishikawa Sales, Jamil Shoji (Lexus Nerima), and Toyota West Tokyo Corolla.
Kaspersky Lab researchers have revealed the existence of a new cybercrime marketplace named ‘Genesis’ where cybercriminals are selling full digital fingerprints for over 60,000 users. Genesis market sells digital fingerprints, digital identity, cookies, credit card information, sensitive documents, browser user-agent details, WebGL signatures, website user logins, and passwords.

New Threats

Several new malware, ransomware, vulnerabilities, and threat groups emerged over the past month. Researchers have uncovered over a dozen servers that are hosting ten different malware families. The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have released a security alert about a new malware strain named HOPLIGHT. Meanwhile, the Nokia 9 PureView smartphone has apparently become vulnerable to an easy trick to bypass the fingerprint lock after a recent system update.

Researchers have uncovered over a dozen servers that are hosting ten different malware families. The malware families are distributed via phishing campaigns potentially tied to the Necurs botnet. The ten malware families include Dridex, Gootkit, IcedID, Nymaim, Trickbot, Gandcrab, Hermes, Fareit, Neutrino, and Azorult.
Researchers have discovered a new variant of Emotet trojan that distributes a malware downloader dubbed ‘Nymaim’. This malware downloader, in turn, downloads the Nozelesn ransomware. This Emotet variant has been found targeting the hospitality sector.
A fraudulent ad-clicking campaign has been observed infecting 90 million Android mobiles across the world. In this campaign, six fake apps claiming to boost the performance of smartphones have been used to distribute adware named ‘PreAmo’.
Android device owners complained about a bug in Skype that automatically answer incoming calls. Some users reported that calls are being answered automatically when their Android device is paired with a smartwatch. However, Microsoft has fixed the issue.
A security researcher has created a malware dubbed ‘SMBdoor’ with the help of two leaked NSA exploit kits. The malware has been created with a purpose to help academicians in their research. The malware’s characteristics are similar to that of DoublePulsar and DarkPulsar.
After a recent operating system update, the Nokia 9 PureView smartphone has apparently become vulnerable to an easy trick to bypass the fingerprint lock. The flawed update allows anyone to bypass the phone's fingerprint lock.
Researchers have discovered a new variant of the GoBrut malware that targets Unix-based machines. This malware was also spotted exploiting WordPress-based websites. GoBrut uses a malicious Executable and Linkable Format (ELF) file for this purpose.
A new variant of Mirai botnet that targets processors has been discovered recently. The new variant has been evolved to include a modified version of XOR encryption algorithm and a type of DDoS attack method. This Mirai variant targets Altera Nios II, OpenRISC, Tensilica Xtensa, and Xilinx MicroBlaze processors.
The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have released a security alert about a new malware strain named HOPLIGHT. The backdoor trojan has been linked to HIDDEN COBRA, the North Korea-based hacking group.
Researchers have discovered a sophisticated APT framework dubbed ‘TajMahal’. Researchers noted that the recent activity related to TajMahal indicated that it contained two different packages named Tokyo and Yokohama. Tokyo was used to deploy Yokohama on victims’ machines, while Yokohama was used to steal sensitive data belonging to the victims.
A privilege escalation vulnerability in the Yellow Pencil Visual Theme Customizer plugin has exposed several WordPress sites to various attacks. The plugin is estimated to be installed on over 30,000 websites. The vulnerability can allow remote attackers to update arbitrary code and take control of WordPress-based websites.
Another ransomware called RobbinHood has been found targeting computers within an entire network. The ransomware renames encrypted files and drops ransom notes with four different names at the same time. The ransom notes contain information regarding the victim’s files, the ransom amount and links to the TOR sites.
A new variant of Hawkeye dubbed ‘Reborn v9’ has emerged. Reborn v9 is currently marketed as an ‘Advance Monitoring Solution’ and is being sold using a licensing model. It has been modified from earlier versions and has been heavily obfuscated to make analysis complex and difficult. It is capable of stealing system information and credentials from browsers, Filezilla, Beyluxe Messenger, CoreFTP and the video game ‘Minecraft’.
Researchers have discovered four new versions of Bashlite botnet. They are named as Backdoor.Linux.BASHLITE.AMF, Troj.ELF.TRX.XXELFC1DFF002, and Trojan.SH.BASHDLOD.AMF. One of these versions is used to target devices with the WeMo Universal Plug and Play (UPnP) API.
A new ransomware family called ‘NamPoHyu Virus’ ransomware has been found targeting vulnerable Samba servers. Instead of running executables on a victim’s computer, the attackers directly launched the malware on vulnerable Samba servers by brute forcing passwords. The ransomware was first detected in March 2019 after users complained that their NAS storage devices were suddenly encrypted by new ransomware called MegaLocker virus.

Related Threat Briefings

Jul 1, 2025

Cyware Monthly Threat Intelligence, June 2025

Jun 1, 2025

Cyware Monthly Threat Intelligence, May 2025

May 1, 2025

Cyware Monthly Threat Intelligence, April 2025

Apr 2, 2025

Cyware Monthly Threat Intelligence, March 2025

ETSI has rolled out a new quantum-safe encryption standard featuring Covercrypt, a novel key encapsulation scheme with built-in access controls. By tying decryption permissions to user attributes, Covercrypt delivers speed and post-quantum security. The code caves of GitHub got a cleanup crew courtesy of Microsoft. A sprawling malvertising campaign that snagged nearly a million devices worldwide has been knocked down a peg. The race to outpace quantum threats is officially on. The NCSC has issued guidance to help organizations transition to post-quantum cryptography by 2035, with a focus on NIST-approved algorithms and planned support for critical sectors. A fresh face in the cybercrime underworld is juggling a bag of nasty surprises. EncryptHub is hitting users of QQ Talk, WeChat, Google Meet, and more with trojanized apps and slick multi-stage attacks. Lucid isn’t just phishing - it’s engineering trust through your inbox. This advanced PhaaS platform weaponizes the built-in features of iMessage and RCS to create hyper-realistic scams. A botnet is turning home routers into attack platforms. The Ballista botnet is exploiting an unpatched TP-Link Archer router flaw (CVE-2023-1389) to spread stealthily, using Tor domains and remote command execution to launch DDoS attacks worldwide.

Mar 4, 2025

Cyware Monthly Threat Intelligence, February 2025

Google ramped up its defenses against the quantum threat. The company rolled out quantum-resistant digital signatures in Cloud KMS, following NIST’s post-quantum cryptography standards. Cyber defenders sharpened their tools, this month, and EARLYCROW is the latest weapon against stealthy APT operations. This method detects C2 activity over HTTP(S) using a novel traffic analysis format called PAIRFLOW. PyPI adopted a "dead but not gone" approach to abandoned software with Project Archival, a new system that flags inactive projects while keeping them accessible. Developers will see warnings about outdated dependencies, helping them make smarter security choices and avoid relying on unmaintained code. China’s Salt Typhoon made itself right at home in global telecom networks. The group was caught using JumbledPath, a custom-built spying tool, to infiltrate ISPs in the U.S., Italy, South Africa, and Thailand. Russia’s Sandworm hackers are using pirated software as bait. Their latest attack on Ukrainian Windows users disguises malware inside trojanized KMS activators and fake Windows updates. The CISA flagged major security holes in Microsoft Outlook and Sophos XG Firewall. One flaw allows remote code execution in Outlook, while another exposes firewall users to serious risks. A new payment card skimming campaign turned Stripe’s old API into a weapon. Hackers inserted malicious scripts into checkout pages, validating stolen card details through Stripe before exfiltration. A new malware named Ratatouille is stirring up trouble by bypassing UAC and using I2P for anonymous communications. Spreading through phishing emails and fake CAPTCHA pages, it tricks victims into running an embedded PowerShell script. A new version of ValleyRAT was also spotted, using stealthy techniques to infiltrate systems. Researchers found the malware being spread through fake Chrome downloads.

Feb 10, 2025

Cyware Monthly Threat Intelligence, January 2025

The U.K took a proactive stance on cyber resilience with its Cyber Local initiative, injecting £1.9 million into 30 projects across England and Northern Ireland. The effort focuses on closing the cyber skills gap, fortifying small businesses, and supporting underrepresented groups. India tightened its grip on data privacy with new draft rules designed to give citizens more control over their personal information. The proposed regulations mandate clearer data processing disclosures, stricter security protocols, and swift breach reporting. Hackers turned to SparkRAT, an open-source GoLang RAT, to target macOS users and government entities. Initially released in 2022, its modular design and cross-platform capability have made it a cybercriminal favorite. More than 10,000 WordPress sites were hijacked in a large-scale malware campaign delivering AMOS to macOS users and SocGholish to Windows users. Attackers exploited outdated plugins to inject fake browser update prompts. Lumma Stealer is made its way through GitHub in a new malware campaign that abuses the platform’s release infrastructure. Attackers deployed malware like SectopRAT and Vidar, using secure-looking download links to exfiltrate data while evading detection. Cybercriminals deployed the Coyote banking trojan against financial firms in Brazil, using malicious Windows LNK files to execute PowerShell scripts. This malware established secure connections with C2 servers, enabling keylogging and data theft. A two-year-long phishing campaign targeted Microsoft’s advertising platform users through malicious Google Search ads. A Mirai-based botnet exploited zero-day vulnerabilities in industrial routers and smart home devices. With 15,000 active nodes daily, it launched high-intensity DDoS attacks surpassing 100 Gbps, posing a growing threat across multiple countries.

Jan 3, 2025

Cyware Monthly Threat Intelligence, December 2024

The cloud revolution isn’t just about convenience anymore; it’s now the frontline of defense. With CISA's new directive mandating cloud environment fortification, federal agencies face a race against time to safeguard Microsoft 365 and other services. Meanwhile, proposed updates to the HIPAA security rules push healthcare organizations toward stronger PHI protection with advanced technical controls and detailed incident planning. On the global front, Operation PowerOFF turned the tables on DDoS attackers, dismantling 27 illegal platforms and curbing festive-season chaos. The cyber battlefield sees no intermission as new threats take center stage. A phishing campaign, dubbed Aggressive Inventory Zombies (AIZ), exploited brand trust by mimicking retail giants and crypto platforms. Meanwhile, the resurrected BADBOX botnet has compromised 192,000 Android devices globally, sneaking into supply chains to wreak havoc with ad fraud and account abuse. Adding to the turbulence, Poison Ivy (APT-C-01) resurged, targeting critical sectors with advanced phishing techniques and deploying Sliver RAT to breach systems and steal sensitive data. This month, new threats targeted IoT, banking, and app ecosystems, with threat actors unleashing diverse attacks. Iranian hackers deployed IOCONTROL malware to compromise IoT and OT systems, targeting critical infrastructure like gas stations. Meanwhile, the DroidBot banking malware infiltrates cryptocurrency and banking apps across Europe, leveraging MaaS operations for tailored attacks. Adding to the chaos, SpyLoan malware apps, with over eight million installs, exploited users in South America, Southeast Asia, and Africa, highlighting the escalating risks within app marketplaces. For detailed Cyber Threat Intel, click ‘Read More’.

Dec 4, 2024

Cyware Monthly Threat Intelligence, November 2024

The TSA reshaped the cybersecurity landscape for pipeline and railroad operators with proposed rules mandating incident reporting and risk management plans. Estimated to cost $2.1 billion over the next decade, the rules aimed to address growing cyber threats while balancing flexibility with resilience. Meta dismantled a sprawling web of over two million accounts tied to pig butchering scams in Southeast Asia and the UAE. Africa’s cybercrime ecosystem faced a decisive blow with Operation Serengeti, as over 1,000 suspects were arrested, and 134,000 malicious networks taken offline. TAG-110, a Russia-aligned threat group, launched a cyber-espionage campaign targeting governments and organizations in Asia and Europe. Using malware like HATVIBE and CHERRYSPY, it aimed to monitor geopolitical developments and assert influence. A botnet powered by Ngioweb malware converted 35,000 IoT devices into residential proxies. These compromised devices, found largely in the U.S., were sold on platforms like NSOCKS for malicious purposes. Water Barghest compromised over 20,000 IoT devices by exploiting known vulnerabilities. The group used Shodan to identify targets and deployed Ngioweb malware to connect them to its monetized network. LIMINAL PANDA, a Chinese cyberespionage group, has been targeting telecoms in South Asia and Africa since 2020. Using tools like SIGTRANslator and PingPong, the group exploits telecom protocols to steal critical data while staying undetected. NodeStealer has resurfaced, targeting Facebook Ads Manager accounts to steal credit card details and browser credentials. It uses Windows Restart Manager and Python scripts to execute its attacks, with stolen data sent via Telegram. BabbleLoader, a stealthy malware loader, delivers WhiteSnake and Meduza stealers. Disguised as accounting software, it targets English and Russian speakers, evading antivirus systems with advanced techniques.

Sep 30, 2024