Cyware Monthly Threat Intelligence

Cyware Monthly Threat Intelligence - Featured Image

Monthly Threat Briefing May 4, 2021

The Good

Controlling one of the most dangerous and prolific malware threats is indeed a great achievement. In a big blow to Emotet operators, a coordinated law enforcement action disrupted the infamous botnet and caused it to self-destruct. In different news, Microsoft released a simulator that helps study attacks on networks by AI-controlled cyber agents. Further, the U.K. NCSC presented a free cybersecurity training program to teachers and staff.

  • European law enforcement agencies used a customized DLL to wipe out the notorious Windows malware Emotet. The specially-crafted DLL caused the software to self-destruct. Besides, the FBI shared about 4.3 million email addresses stolen by Emotet with the Have I Been Pwned breach notification site to mitigate threats faced by the victims.
  • The NFC Forum released a new framework for NFC-enabled mobile devices that will safeguard the confidentiality and privacy of NFC communications.
  • An open-source cyberattack simulator was developed by Microsoft that would allow developers to create simulated environments to play against AI-controlled cyber agents. Dubbed CyberBattleSim, this Python-based Open AI Gym Interface models the way intruders spread laterally on a network.
  • The Internet of Secure Things Alliance (ioXt) launched a new security certification for VPNs and mobile apps. The compliance program consists of a set of security-related requirements against which apps can be certified.
  • The U.K NCSC released a free cybersecurity training package for teachers and staff to help them mitigate cyber threats, while demonstrating case studies for a better understanding of the impact of cyber incidents.

The Bad

There was quite a lot of cybercriminal activity against government entities this month, with the Washington, D.C., Police Department and Illinois Office of the Attorney General reporting data leaks. Meanwhile, the sensitive data of millions of users of BigBasket, ParkMobile, Facebook, and other platforms were leaked on hacking forums. Threats against financial firms continue to rise with VISA warning of hackers attempting to steal payment and personal data.

  • The Washington, D.C. Ppolice Department confirmed that its computer network was breached and data was stolen in an attack by the Babuk ransomware gang. The threat actor posted more than 250GB of data on its site on the dark web.
  • Hundreds of third-party Android contact-tracing apps were found leaking sensitive data due to the API developed by Apple and Google. With these apps, anyone could view users’ medical data.
  • DopplePaymer ransomware operators leaked files from the Illinois Office of the Attorney General after a failed negotiation. The leaked files consist of information from court cases orchestrated by the Illinois OAG, including some private documents.
  • A set of 20 million records belonging to BigBasket users was dropped by ShinyHunters on a popular hacking forum. Earlier this month, it also leaked sensitive information of about 2.5 million Upstox users, including 56 million KYC documents stolen from the company’s server.
  • In another data leak incident, a staggering 3.28 billion passwords linked to 2.18 billion unique email addresses were exposed on a cybercrime forum. The leaked details were claimed to be stolen from government domains from across the world, including the U.S., the U.K, Australia, Brazil, and Canada.
  • Conti ransomware claimed to have attacked Broward County Public schools and demanded a $40 million ransom. More than 1TB of data was stolen that included social security numbers, addresses, birth dates, and contact information.
  • Cybercriminals abused Google Alerts by redirecting users to fake adult sites, fake dating apps, sweepstake scams, and unwanted browser extensions. Such attacks were launched by sending fake Google Alert URLs to unsuspicious users.
  • A hacker was found selling approximately 50GB of sensitive data stolen from OTP-generating companies, including Google, Facebook, Amazon, Emirates, Apple, Microsoft, Signal, Telegram, and Twitter.
  • Babuk ransomware operators reportedly posted 500GB worth of Houston Rockets’ internal business data—contracts, NDA, and financial data—on its dark web forum.
  • ParkMobile suffered a breach and the account information of 21 million customers was for sale on a Russian-speaking crime forum for $125,000.
  • Global payment processor VISA issued a warning against threat actors increasingly deploying web shells, to inject malicious scripts, on compromised servers to exfiltrate credit card information from online customers.
  • Data of 533 million Facebook users were posted on a cybercrime forum. The leaked data included phone numbers, Facebook IDs, birth dates, gender, and location.

New Threats

From zero-day exploits to using modified tools, cybercriminals appear to be working hard amidst the pandemic. Researchers spotted two phishing campaigns launched against JPMorgan Chase customers. In more threats, security experts exposed new backdoor malware such as RotaJakiro, Nebulae, and Vyveva, with file-stealing capabilities. Nonetheless, if you fall for a pink-themed WhatsApp, hackers may gain your unsolicited permission to control your device.

  • JPMorgan Chase Bank customers were being targeted in two new phishing scams that leveraged social engineering and brand impersonation tactics to steal customers’ login credentials.
  • A new cyberespionage campaign was spotted deploying a new backdoor called Nebulae and its activities spanned for two years. The campaign was launched by the Chinese Naikon APT group and targeted military organizations in Southeast Asia.
  • The UNC2447 threat actor abused a zero-day flaw in Sonicwall SMA 100 Series VPN appliances to deploy the new FiveHands ransomware on North American and European target networks. The patches were released in February.
  • A new backdoor malware named RotaJakiro, reportedly associated with the Torii botnet, targeted Linux 64-bit systems. It can exfiltrate system details and sensitive data while using a double encryption algorithm (a combination of AES and XOR) to evade detection.
  • An updated WhatsApp Pink malware was found doing rounds with an added feature - automatically responding to Signal, Telegram, Viber, and Skype messages. The malware is distributed via a fake version of WhatsApp claiming to be pink-themed.
  • The new Pareto botnet infected a massive number of Android devices to conduct fraud in the internet TV advertising ecosystem. It works by spoofing signals within malicious Android mobile apps to impersonate consumer TV streaming products running Fire OS, tvOS, Roku OS, and other prominent platforms.
  • A newly discovered zero-day authentication bypass vulnerability found in Pulse Connect Secure gateway is currently being exploited in the wild. Tracked as CVE-2021-22893, the flaw has been linked with UNC2603 and UNC2717 threat actors against different government and law enforcement agencies.
  • Lazarus APT was found stealing cryptocurrency with a never-before-seen tool - modified JS sniffers. Named Lazarus BTC Changer, this crypto skimmer switches the destination payment address to the threat actor’s BTC address.
  • The new Saint Bot malware was leveraged to drop information stealers and other malware downloaders in targeted campaigns against Georgian government institutions.
  • NAME:WRECK, a set of nine newly disclosed DNS vulnerabilities, put more than 100 million consumers, enterprises, and industrial IoT devices at risk. These vulnerabilities affect four well-known TCP/IP stacks, IPnet, FreeBSD, Nucleus NET, and NetX.
  • Cring ransomware exploited a vulnerability in Fortigate VPN servers. Although Fortinet issued a security patch to fix the vulnerability last year, cybercriminals are deploying the exploit against networks that are yet to be patched.
  • New backdoor malware Vyveva was used by the Lazarus APT group against a South African freight and logistics firm. The backdoor can exfiltrate files, collect data from infected machines and drives, connect to a C2 server remotely, and execute arbitrary code.
  • A new malicious document builder known as EtterSilent was used to run cybercriminal schemes. The tool comes in two versions: one that exploits a vulnerability in Microsoft Office, and another one that imitates the digital signature product DocuSign.

Related Threat Briefings

Aug 1, 2025

Cyware Monthly Threat Intelligence, July 2025

Jul 1, 2025

Cyware Monthly Threat Intelligence, June 2025

Jun 1, 2025

Cyware Monthly Threat Intelligence, May 2025

May 1, 2025

Cyware Monthly Threat Intelligence, April 2025

Apr 2, 2025

Cyware Monthly Threat Intelligence, March 2025

ETSI has rolled out a new quantum-safe encryption standard featuring Covercrypt, a novel key encapsulation scheme with built-in access controls. By tying decryption permissions to user attributes, Covercrypt delivers speed and post-quantum security. The code caves of GitHub got a cleanup crew courtesy of Microsoft. A sprawling malvertising campaign that snagged nearly a million devices worldwide has been knocked down a peg. The race to outpace quantum threats is officially on. The NCSC has issued guidance to help organizations transition to post-quantum cryptography by 2035, with a focus on NIST-approved algorithms and planned support for critical sectors.  A fresh face in the cybercrime underworld is juggling a bag of nasty surprises. EncryptHub is hitting users of QQ Talk, WeChat, Google Meet, and more with trojanized apps and slick multi-stage attacks. Lucid isn’t just phishing - it’s engineering trust through your inbox. This advanced PhaaS platform weaponizes the built-in features of iMessage and RCS to create hyper-realistic scams. A botnet is turning home routers into attack platforms. The Ballista botnet is exploiting an unpatched TP-Link Archer router flaw (CVE-2023-1389) to spread stealthily, using Tor domains and remote command execution to launch DDoS attacks worldwide.

Mar 4, 2025

Cyware Monthly Threat Intelligence, February 2025

Google ramped up its defenses against the quantum threat. The company rolled out quantum-resistant digital signatures in Cloud KMS, following NIST’s post-quantum cryptography standards. Cyber defenders sharpened their tools, this month, and EARLYCROW is the latest weapon against stealthy APT operations. This method detects C2 activity over HTTP(S) using a novel traffic analysis format called PAIRFLOW. PyPI adopted a "dead but not gone" approach to abandoned software with Project Archival, a new system that flags inactive projects while keeping them accessible. Developers will see warnings about outdated dependencies, helping them make smarter security choices and avoid relying on unmaintained code. China’s Salt Typhoon made itself right at home in global telecom networks. The group was caught using JumbledPath, a custom-built spying tool, to infiltrate ISPs in the U.S., Italy, South Africa, and Thailand. Russia’s Sandworm hackers are using pirated software as bait. Their latest attack on Ukrainian Windows users disguises malware inside trojanized KMS activators and fake Windows updates. The CISA flagged major security holes in Microsoft Outlook and Sophos XG Firewall. One flaw allows remote code execution in Outlook, while another exposes firewall users to serious risks. A new payment card skimming campaign turned Stripe’s old API into a weapon. Hackers inserted malicious scripts into checkout pages, validating stolen card details through Stripe before exfiltration. A new malware named Ratatouille is stirring up trouble by bypassing UAC and using I2P for anonymous communications. Spreading through phishing emails and fake CAPTCHA pages, it tricks victims into running an embedded PowerShell script. A new version of ValleyRAT was also spotted, using stealthy techniques to infiltrate systems. Researchers found the malware being spread through fake Chrome downloads.

Feb 10, 2025

Cyware Monthly Threat Intelligence, January 2025

The U.K took a proactive stance on cyber resilience with its Cyber Local initiative, injecting £1.9 million into 30 projects across England and Northern Ireland. The effort focuses on closing the cyber skills gap, fortifying small businesses, and supporting underrepresented groups. India tightened its grip on data privacy with new draft rules designed to give citizens more control over their personal information. The proposed regulations mandate clearer data processing disclosures, stricter security protocols, and swift breach reporting. Hackers turned to SparkRAT, an open-source GoLang RAT, to target macOS users and government entities. Initially released in 2022, its modular design and cross-platform capability have made it a cybercriminal favorite. More than 10,000 WordPress sites were hijacked in a large-scale malware campaign delivering AMOS to macOS users and SocGholish to Windows users. Attackers exploited outdated plugins to inject fake browser update prompts. Lumma Stealer is made its way through GitHub in a new malware campaign that abuses the platform’s release infrastructure. Attackers deployed malware like SectopRAT and Vidar, using secure-looking download links to exfiltrate data while evading detection. Cybercriminals deployed the Coyote banking trojan against financial firms in Brazil, using malicious Windows LNK files to execute PowerShell scripts. This malware established secure connections with C2 servers, enabling keylogging and data theft. A two-year-long phishing campaign targeted Microsoft’s advertising platform users through malicious Google Search ads. A Mirai-based botnet exploited zero-day vulnerabilities in industrial routers and smart home devices. With 15,000 active nodes daily, it launched high-intensity DDoS attacks surpassing 100 Gbps, posing a growing threat across multiple countries.

Jan 3, 2025

Cyware Monthly Threat Intelligence, December 2024

The cloud revolution isn’t just about convenience anymore; it’s now the frontline of defense. With CISA's new directive mandating cloud environment fortification, federal agencies face a race against time to safeguard Microsoft 365 and other services. Meanwhile, proposed updates to the HIPAA security rules push healthcare organizations toward stronger PHI protection with advanced technical controls and detailed incident planning. On the global front, Operation PowerOFF turned the tables on DDoS attackers, dismantling 27 illegal platforms and curbing festive-season chaos. The cyber battlefield sees no intermission as new threats take center stage. A phishing campaign, dubbed Aggressive Inventory Zombies (AIZ), exploited brand trust by mimicking retail giants and crypto platforms. Meanwhile, the resurrected BADBOX botnet has compromised 192,000 Android devices globally, sneaking into supply chains to wreak havoc with ad fraud and account abuse. Adding to the turbulence, Poison Ivy (APT-C-01) resurged, targeting critical sectors with advanced phishing techniques and deploying Sliver RAT to breach systems and steal sensitive data. This month, new threats targeted IoT, banking, and app ecosystems, with threat actors unleashing diverse attacks. Iranian hackers deployed IOCONTROL malware to compromise IoT and OT systems, targeting critical infrastructure like gas stations. Meanwhile, the DroidBot banking malware infiltrates cryptocurrency and banking apps across Europe, leveraging MaaS operations for tailored attacks. Adding to the chaos, SpyLoan malware apps, with over eight million installs, exploited users in South America, Southeast Asia, and Africa, highlighting the escalating risks within app marketplaces. For detailed Cyber Threat Intel, click ‘Read More’.

Dec 4, 2024

Cyware Monthly Threat Intelligence, November 2024

The TSA reshaped the cybersecurity landscape for pipeline and railroad operators with proposed rules mandating incident reporting and risk management plans. Estimated to cost $2.1 billion over the next decade, the rules aimed to address growing cyber threats while balancing flexibility with resilience. Meta dismantled a sprawling web of over two million accounts tied to pig butchering scams in Southeast Asia and the UAE. Africa’s cybercrime ecosystem faced a decisive blow with Operation Serengeti, as over 1,000 suspects were arrested, and 134,000 malicious networks taken offline. TAG-110, a Russia-aligned threat group, launched a cyber-espionage campaign targeting governments and organizations in Asia and Europe. Using malware like HATVIBE and CHERRYSPY, it aimed to monitor geopolitical developments and assert influence. A botnet powered by Ngioweb malware converted 35,000 IoT devices into residential proxies. These compromised devices, found largely in the U.S., were sold on platforms like NSOCKS for malicious purposes. Water Barghest compromised over 20,000 IoT devices by exploiting known vulnerabilities. The group used Shodan to identify targets and deployed Ngioweb malware to connect them to its monetized network. LIMINAL PANDA, a Chinese cyberespionage group, has been targeting telecoms in South Asia and Africa since 2020. Using tools like SIGTRANslator and PingPong, the group exploits telecom protocols to steal critical data while staying undetected. NodeStealer has resurfaced, targeting Facebook Ads Manager accounts to steal credit card details and browser credentials. It uses Windows Restart Manager and Python scripts to execute its attacks, with stolen data sent via Telegram. BabbleLoader, a stealthy malware loader, delivers WhiteSnake and Meduza stealers. Disguised as accounting software, it targets English and Russian speakers, evading antivirus systems with advanced techniques.

Sep 30, 2024

Cyware Monthly Threat Intelligence

The Good The government took significant steps to strengthen cybersecurity resilience across various sectors. The DHS allocated $279.9 million in grants for the FY 2024 State and Local Cybersecurity Grant Program (SLCGP) to help state, local, and t

Sep 2, 2024

Cyware Monthly Threat Intelligence

The Good In a series of proactive measures aimed at bolstering global cybersecurity resilience, significant strides were made in the education and law enforcement sectors to safeguard critical systems against evolving threats. The NASA Katherine Jo

Aug 1, 2024

Cyware Monthly Threat Intelligence

The Good The collaborative efforts and enhanced protocols by different government bodies represent significant steps forward in strengthening cybersecurity on a global scale. French authorities, in collaboration with Europol, have launched a "disin