Cyware Monthly Threat Intelligence

The Good

Digital modernization in the federal sphere took a leap with the announcement of the bureau of cyberspace and digital policy. However, threats to the critical infrastructure have their own set of challenges. To address the rise in attacks on the country’s industrial systems, some top industry players have joined hands. Meanwhile, Cert-In mandated organizations to report infosec incidents within six hours of detection.

The Bureau of Cyberspace and Digital Policy was launched officially under the State Department to address the national security challenges, economic opportunities, and implications for the U.S. in the areas of cyberspace, digital technologies, and digital policy.
The U.S. is partnering with six other countries—Canada, Japan, South Korea, Singapore, the Philippines, and Taiwan—to create privacy and cybersecurity standards for the data that cross over into each other’s borders.
A group of cybersecurity companies that help defend industrial systems from hackers, joined forces to launch the Operational Technology Cybersecurity Coalition, which aims to strengthen the ICS and critical infrastructure in the U.S. The coalition aims to streamline how the founding members share threat information with each other and the government.
CERT-In rolled out a new set of rules for organizations that mandate organizations to report 20 different types of infosec incidents within six hours of detection. The rules will apply to service providers, data center operators, intermediaries, government organizations, and companies.
Google released a new Data Safety program for Android apps on the Play Store that will have the details of the type of data being collected and shared with third parties. The Data Safety section will include information such as if the developer is collecting data and for what purpose, whether the data is shared with third parties, and app security practices, among others.

The Bad

Crypto and NFT platforms are undoubtedly the new crime paradise. Several crypto firms and major NFT projects were targeted to nest millions of dollars. There’s been a significant development in the ransomware landscape. Conti continues to give nightmares to government as well as private sector organizations as it claimed at least five potential victims. Also, organizations may have to gear up as REvil and Emotet are back in the game!

A compromised Trezor hardware wallet mailing list was used by hackers to send fake data breach notifications to steal cryptocurrency wallets and the assets stored within them. Attackers leveraged one of the newsletters hosted at MailChimp to launch the attack. The notifications prompted recipients to download a fake Trezor Suite software that would steal their recovery seeds.
Cadbury UK has issued a warning to its 315,000 followers on Twitter about a scam that steals their personal information. The scam, which goes with the title ‘Free easter chocolate basket,’ is making the rounds on WhatsApp and social media sites. The recipients are asked to click on a link to claim the free gift. But, before that, the recipients are asked to answer a series of questions appearing on the screen.
Multiple crypto platforms were targeted in April. An attack on Ethereum-based stablecoin protocol Beanstalk Farms resulted in a loss of about $182 million. More than $15 million were stolen after hackers exploited the DeFi platform Inverse Finance. In similar news, hackers bilked over $13.4 million from Deus Finance.
Wind turbine giant Nordex was forced to shut down its IT systems after discovering a cyberattack. The incident affected multiple systems in the firm. As a part of the precautionary measure, the company took immediate actions to prevent further propagation of the attack.
The Texas Department of Insurance (TDI) disclosed a data security incident that affected roughly 1.8 million people. It occurred due to a vulnerability in one of its web applications. The exposed information included names, phone numbers, addresses, dates of birth, and social security numbers of individuals.
A report found that Fraudsters made nearly $1.7 million by promising cryptocurrency giveaway scams on YouTube. Over 36 YouTube channels used for the purpose were observed between February 16 and February 18, attracting at least 165,000 viewers. The videos were made using footage of tech entrepreneurs and crypto investors like Elon Musk, Brad Gralinghouse, Michael Saylor, Changpeng Zhao, and Cathie Wood to add legitimacy to scams.
The Conti ransomware group added at least five new organizations to its list of victims. These were Snap-on Tools, Panasonic Corp, TrustFord UK, Elgin County (Ontario), BlueForce, and industrial component giant Parker Hannifin. Additionally, Security researchers found a connection between the Conti group and the recently emerged Karakurt data extortion group and Conti and Emotet, which resumed its operations after a ten-month hiatus.
Researchers revealed that LockBit ransomware group managed to maintain its persistence on a regional U.S. government agency for at least five months. However, logs retrieved from the compromised machines showed that two threat groups were engaged in reconnaissance and remote access operations. The toolset included utilities for brute-force attacks, scanning, and command execution.
Researchers spotted REvil ransomware’s servers being up in the Tor network after several months of inactivity. A new leak site associated with the ransomware is being promoted on a RuTOR dark web marketplace. The site includes a list of organizations targeted by ransomware, out of which two are new ones.
The Instagram account and Discord server of Bored Ape Yacht Club were hacked by cybercriminals to steal 24 Bored Apes and 30 Mutant Apes (which are estimated to be worth $13.7 million). In another streak, Discord communities of multiple major NFT projects were hacked as part of a phishing scam to mint a fake NFT by sending ETH and in some instances an NFT to wrap into a token.
Iranian-linked threat actor group, Rocket Kitten, has been observed actively exploiting a recently patched VMware vulnerability to gain initial access and deploy the Core Impact penetration testing tool on vulnerable systems. Tracked as CVE-2022-22954, the remote code execution vulnerability affects VMware Workspace ONE Access and Identity Manager.
Coca-Cola launched an investigation into a ransomware attack after hackers claimed to steal documents from the beverage giant. The Stormous ransomware group took to underground forums to claim the attack by putting 161 GB of stolen data on sale. The group is offering the stolen data for about $64,000.
The Italian luxury fashion house Ermenegildo Zegna confirmed a ransomware attack that resulted in an extensive IT systems outage. The attack occurred in August 2021 and was the work of the RansomEXX ransomware group.

New Threats

On the other side, hackers continue to evolve their tools and tactics. There was a new Russian-linked malware developed to target ICS and SCADA systems. A group of security researchers uncovered the new Parrot TDS posing risks to web developers worldwide. In separate news, LemonDuck was spotted targeting exposed Docker APIs to mine cryptocurrency.

A malware, called PIPEDREAM, capable of targeting ICS/SCADA systems was unveiled this week. The malware can target a wide range of PLCs from Schneider Electric and Omron. It can also attack other industrial technologies from the likes of CODESYS, Modbus, and Open Platform Communications Unified Architecture (OPC UA).
A set of five newly discovered vulnerabilities called JekyllBot:5 were found impacting Aethon TUG autonomous mobile robots. The flaws, if exploited, could put several medical firms at risk of remote hijack. Attackers can gain access to real-time camera feeds, disrupt the timely delivery of patient medication, and interfere in operations.
The CISA urged federal agencies to patch a WatchGuard firewall vulnerability that is being actively exploited in the wild. The vulnerability, tracked as CVE-2022-23176, affects the Fireware OS running on WatchGuard Firebox and XTM appliances.
A newly discovered Fodcha botnet infected around 62,000 IoT devices between March 29 and April 10. The botnet is distributed via brute-force attacks and exploits. Most of its infected devices are located in China.
Researchers discovered a new RAT named Borat that is capable of conducting DDoS and ransomware attacks. Other capabilities include recording keystrokes, capturing videos from the webcam, stealing credentials from Chromium-based web browsers, and pilfering Discord tokens from infected systems.
The FIN7 APT group was observed with evolved malware and attack tactics. These include a new POWERPLANT backdoor and two new versions of BIRDWATCH downloader—tracked as CROWVIEW and FOWLGAZE. Researchers claim that these malware are being used by threat actors to gain initial access and deliver more payloads.
Researchers found a new campaign distributing SharkBot malware. At least six apps with over 15,000 downloads were leveraged to spread the malware. Most of the victims were from Italy and the U.K, with some users from China, India, Romania, Russia, Ukraine, and Belarus.
A new information stealer named FFDroider capable of stealing credentials and cookies stored in browsers has been uncovered by security researchers. The stolen credentials can be used further to hijack victims’ social media accounts. The malware is distributed via cracked software, free software for games, and other files downloaded from torrent sites.
Operators of the LemonDuck botnet are back in a new cryptocurrency mining campaign. The attackers take advantage of misconfigured Docker API on the Linux platform to launch malicious payloads. The campaign is currently active.
A new Traffic Direction System (TDS) called Parrot emerged in recent months to redirect victims to 16,500 malicious websites for universities, local governments, adult content platforms, and personal blogs. The newly discovered TDS shares similarities to the Prometheus TDS that appeared in 2021.
Microsoft uncovered a new campaign associated with the Chinese-backed Hafnium hacking group. The campaign leverages an unpatched zero-day in Windows task scheduling to deploy a new malware named Tarrask.
Security researchers detected a new Remcos RAT campaign that targeted the African banking sector. Threat actors attempted to deliver the malware using the HTML smuggling technique. The phishing emails purported to be from a recruiter from another African bank with information about job opportunities.
A new report reveals that the recently discovered Nokoyawa ransomware is a variant of Nemt ransomware. Researchers came to the conclusion after assessing the encryption technique, ransom note, and C2 servers used by both ransomware.

Cyware Monthly Threat Intelligence, March 2025

ETSI has rolled out a new quantum-safe encryption standard featuring Covercrypt, a novel key encapsulation scheme with built-in access controls. By tying decryption permissions to user attributes, Covercrypt delivers speed and post-quantum security. The code caves of GitHub got a cleanup crew courtesy of Microsoft. A sprawling malvertising campaign that snagged nearly a million devices worldwide has been knocked down a peg. The race to outpace quantum threats is officially on. The NCSC has issued guidance to help organizations transition to post-quantum cryptography by 2035, with a focus on NIST-approved algorithms and planned support for critical sectors. A fresh face in the cybercrime underworld is juggling a bag of nasty surprises. EncryptHub is hitting users of QQ Talk, WeChat, Google Meet, and more with trojanized apps and slick multi-stage attacks. Lucid isn’t just phishing - it’s engineering trust through your inbox. This advanced PhaaS platform weaponizes the built-in features of iMessage and RCS to create hyper-realistic scams. A botnet is turning home routers into attack platforms. The Ballista botnet is exploiting an unpatched TP-Link Archer router flaw (CVE-2023-1389) to spread stealthily, using Tor domains and remote command execution to launch DDoS attacks worldwide.

Cyware Monthly Threat Intelligence, February 2025

Google ramped up its defenses against the quantum threat. The company rolled out quantum-resistant digital signatures in Cloud KMS, following NIST’s post-quantum cryptography standards. Cyber defenders sharpened their tools, this month, and EARLYCROW is the latest weapon against stealthy APT operations. This method detects C2 activity over HTTP(S) using a novel traffic analysis format called PAIRFLOW. PyPI adopted a "dead but not gone" approach to abandoned software with Project Archival, a new system that flags inactive projects while keeping them accessible. Developers will see warnings about outdated dependencies, helping them make smarter security choices and avoid relying on unmaintained code. China’s Salt Typhoon made itself right at home in global telecom networks. The group was caught using JumbledPath, a custom-built spying tool, to infiltrate ISPs in the U.S., Italy, South Africa, and Thailand. Russia’s Sandworm hackers are using pirated software as bait. Their latest attack on Ukrainian Windows users disguises malware inside trojanized KMS activators and fake Windows updates. The CISA flagged major security holes in Microsoft Outlook and Sophos XG Firewall. One flaw allows remote code execution in Outlook, while another exposes firewall users to serious risks. A new payment card skimming campaign turned Stripe’s old API into a weapon. Hackers inserted malicious scripts into checkout pages, validating stolen card details through Stripe before exfiltration. A new malware named Ratatouille is stirring up trouble by bypassing UAC and using I2P for anonymous communications. Spreading through phishing emails and fake CAPTCHA pages, it tricks victims into running an embedded PowerShell script. A new version of ValleyRAT was also spotted, using stealthy techniques to infiltrate systems. Researchers found the malware being spread through fake Chrome downloads.

Cyware Monthly Threat Intelligence, January 2025

The U.K took a proactive stance on cyber resilience with its Cyber Local initiative, injecting £1.9 million into 30 projects across England and Northern Ireland. The effort focuses on closing the cyber skills gap, fortifying small businesses, and supporting underrepresented groups. India tightened its grip on data privacy with new draft rules designed to give citizens more control over their personal information. The proposed regulations mandate clearer data processing disclosures, stricter security protocols, and swift breach reporting. Hackers turned to SparkRAT, an open-source GoLang RAT, to target macOS users and government entities. Initially released in 2022, its modular design and cross-platform capability have made it a cybercriminal favorite. More than 10,000 WordPress sites were hijacked in a large-scale malware campaign delivering AMOS to macOS users and SocGholish to Windows users. Attackers exploited outdated plugins to inject fake browser update prompts. Lumma Stealer is made its way through GitHub in a new malware campaign that abuses the platform’s release infrastructure. Attackers deployed malware like SectopRAT and Vidar, using secure-looking download links to exfiltrate data while evading detection. Cybercriminals deployed the Coyote banking trojan against financial firms in Brazil, using malicious Windows LNK files to execute PowerShell scripts. This malware established secure connections with C2 servers, enabling keylogging and data theft. A two-year-long phishing campaign targeted Microsoft’s advertising platform users through malicious Google Search ads. A Mirai-based botnet exploited zero-day vulnerabilities in industrial routers and smart home devices. With 15,000 active nodes daily, it launched high-intensity DDoS attacks surpassing 100 Gbps, posing a growing threat across multiple countries.

Cyware Monthly Threat Intelligence, December 2024

The cloud revolution isn’t just about convenience anymore; it’s now the frontline of defense. With CISA's new directive mandating cloud environment fortification, federal agencies face a race against time to safeguard Microsoft 365 and other services. Meanwhile, proposed updates to the HIPAA security rules push healthcare organizations toward stronger PHI protection with advanced technical controls and detailed incident planning. On the global front, Operation PowerOFF turned the tables on DDoS attackers, dismantling 27 illegal platforms and curbing festive-season chaos. The cyber battlefield sees no intermission as new threats take center stage. A phishing campaign, dubbed Aggressive Inventory Zombies (AIZ), exploited brand trust by mimicking retail giants and crypto platforms. Meanwhile, the resurrected BADBOX botnet has compromised 192,000 Android devices globally, sneaking into supply chains to wreak havoc with ad fraud and account abuse. Adding to the turbulence, Poison Ivy (APT-C-01) resurged, targeting critical sectors with advanced phishing techniques and deploying Sliver RAT to breach systems and steal sensitive data. This month, new threats targeted IoT, banking, and app ecosystems, with threat actors unleashing diverse attacks. Iranian hackers deployed IOCONTROL malware to compromise IoT and OT systems, targeting critical infrastructure like gas stations. Meanwhile, the DroidBot banking malware infiltrates cryptocurrency and banking apps across Europe, leveraging MaaS operations for tailored attacks. Adding to the chaos, SpyLoan malware apps, with over eight million installs, exploited users in South America, Southeast Asia, and Africa, highlighting the escalating risks within app marketplaces. For detailed Cyber Threat Intel, click ‘Read More’.

Cyware Monthly Threat Intelligence, November 2024

The TSA reshaped the cybersecurity landscape for pipeline and railroad operators with proposed rules mandating incident reporting and risk management plans. Estimated to cost $2.1 billion over the next decade, the rules aimed to address growing cyber threats while balancing flexibility with resilience. Meta dismantled a sprawling web of over two million accounts tied to pig butchering scams in Southeast Asia and the UAE. Africa’s cybercrime ecosystem faced a decisive blow with Operation Serengeti, as over 1,000 suspects were arrested, and 134,000 malicious networks taken offline. TAG-110, a Russia-aligned threat group, launched a cyber-espionage campaign targeting governments and organizations in Asia and Europe. Using malware like HATVIBE and CHERRYSPY, it aimed to monitor geopolitical developments and assert influence. A botnet powered by Ngioweb malware converted 35,000 IoT devices into residential proxies. These compromised devices, found largely in the U.S., were sold on platforms like NSOCKS for malicious purposes. Water Barghest compromised over 20,000 IoT devices by exploiting known vulnerabilities. The group used Shodan to identify targets and deployed Ngioweb malware to connect them to its monetized network. LIMINAL PANDA, a Chinese cyberespionage group, has been targeting telecoms in South Asia and Africa since 2020. Using tools like SIGTRANslator and PingPong, the group exploits telecom protocols to steal critical data while staying undetected. NodeStealer has resurfaced, targeting Facebook Ads Manager accounts to steal credit card details and browser credentials. It uses Windows Restart Manager and Python scripts to execute its attacks, with stolen data sent via Telegram. BabbleLoader, a stealthy malware loader, delivers WhiteSnake and Meduza stealers. Disguised as accounting software, it targets English and Russian speakers, evading antivirus systems with advanced techniques.

The Good

The Bad

New Threats

Related Threat Briefings

Jun 1, 2025