Cyware Monthly Threat Intelligence, April 2025


Monthly Threat Briefing May 1, 2025

The Good

Cyber defenders are flexing their innovation muscles this season. ETSI unveiled ETSI TS 104 223, the world’s first comprehensive technical specification for AI security, outlining 13 core and 72 trackable principles across the AI lifecycle, addressing threats like data poisoning and model obfuscation. MITRE released ATT&CK v17, expanding its threat intelligence framework with ESXi platform coverage, new analytics, mobile attack techniques, and enriched mitigation strategies. Meanwhile, CISA extended funding to MITRE to sustain the Common Vulnerabilities and Exposures (CVE) program until 2026, safeguarding vulnerability coordination. In the U.K., the government rolled out a Cyber Governance Code of Practice to help organizational leaders strengthen cyber resilience, complemented by a modular training package.

  • ETSI has released new technical specifications, ETSI TS 104 223, to establish a global benchmark for securing AI models and systems. The specifications include 13 core principles and 72 trackable principles across five lifecycle phases: secure design, development, deployment, maintenance, and end of life. These standards address unique AI challenges such as data poisoning and model obfuscation. ETSI's initiative is seen as a global first in setting a baseline for AI security, developed with input from international bodies, including significant contributions from the UK's Department for Science, Innovation and Technology and the National Cyber Security Centre.
  • MITRE introduced ATT&CK v17, enhancing its cybersecurity framework to address evolving threats. Key updates include the addition of the ESXi platform to the Enterprise matrix, reflecting increased attacks on virtualization infrastructure. Defensive improvements feature over 140 new analytics, optimized data collection with platform-specific guidance, and enriched mitigation strategies. Mobile updates encompass new techniques and tools, such as SIM Card Swap and virtualization-based malware. The CTI section now tracks additional groups and campaigns, highlighting state-sponsored and criminal operations. 
  • The DOJ launched the Data Security Program to prevent foreign adversaries, particularly designated "countries of concern" like China and Russia, from commercially purchasing sensitive U.S. data. The program prohibits unauthorized transactions, such as data brokerage, involving bulk personal (genomic, biometric, health, financial) and government-related data transfers to these nations. This initiative aims to counter espionage, surveillance, and data misuse by adversaries. 
  • To enhance digital security, the CA/Browser Forum has voted to drastically shorten SSL/TLS certificate lifespans. Currently valid for up to 398 days, the maximum validity will drop incrementally: to 200 days by March 2026, 100 days by 2027, and finally 47 days by March 2029. This reduces the time attackers can exploit compromised certificates and encourages certificate management automation and crypto-agility, aiding quantum-readiness. 
  • The CISA has extended funding to MITRE to ensure continuity of the Common Vulnerabilities and Exposures (CVE) program, avoiding a potential lapse in critical services. CISA announced the 11-month extension on April 16, utilizing an existing option period in the $57.8 million contract and ensuring the CVE program's continuity until at least March 16, 2026.
  • Prodaft has launched a unique initiative called SYS, offering to purchase user accounts on five prominent cybercrime-focused dark web forums: XSS, Exploit in, RAMP4U, Verified, and Breachforums. The program encourages users looking to leave cybercrime to sell their accounts. While Prodaft guarantees seller anonymity, it states that the purchased accounts will be reported to its law enforcement partners for transparency. 
  • The U.K. government launched a new Cyber Governance Code of Practice to enhance cyber-resilience in medium and large organizations. This initiative, developed by experts from the NCSC, the Department for Science, Innovation and Technology, and other professional bodies, provides guidance for board members and directors to effectively manage cyber risk. The code includes a set of actions, a training package, and a toolkit for boards. The training package is divided into five modules based on the pillars of the code: risk management, strategy, people, incident planning, response and recovery, and assurance and oversight.
  • The British Business Bank committed nearly £37.5 million of a £50 million ($64 million) fund to support early-stage cybersecurity startups in the U.K. Osney Capital's Fund 1 plans to invest between £250,000 and £2.5 million in 30 portfolio companies at pre-seed and seed stage, with plans for follow-on Series A rounds. The British Business Bank's contribution to the Osney Capital fund reflects the growing strategic importance of cybersecurity to the government. 

The Bad

Cybercriminals have been busy, and unfortunately, so have their exploits. Critical zero-click vulnerabilities in Apple’s AirPlay protocol, dubbed AirBorne (CVE-2025-24252, CVE-2025-24132), could allow remote code execution on billions of devices, while a flaw in Avast Free Antivirus (CVE-2025-3500) enables local privilege escalation to kernel level. Meanwhile, a campaign linked to SocGholish malware and RansomHub ransomware affiliates begins with fake Microsoft Edge updates and deploys a Python backdoor for remote access and lateral movement. Another campaign by Slow Pisces targets cryptocurrency developers with macOS malware disguised as job challenges, delivered via LinkedIn. In the supply chain domain, a malicious Python package named disgrasya on PyPI was found automating carding attacks against WooCommerce stores and was downloaded over 34,000 times before detection.

  • Oligo Security identified critical vulnerabilities in Apple's AirPlay Protocol, termed "AirBorne," enabling zero-click RCE and other attacks. Key vulnerabilities include CVE-2025-24252 (use-after-free) and CVE-2025-24132 (buffer overflow), allowing attackers to exploit devices without user interaction. These vulnerabilities affect billions of devices, including Macs and third-party products using the AirPlay SDK. Apple has released patches, and users are urged to update their devices and adjust AirPlay settings to mitigate risks. 
  • A critical vulnerability in Avast Free Antivirus, identified as CVE-2025-3500, allows attackers to escalate privileges and execute code with kernel-level access. This flaw, caused by improper data validation in the aswbidsdriver kernel driver, has a CVSS score of 8.8. Although local access is required to exploit it, the vulnerability poses a significant risk due to the potential for complete system control. Avast has released a patch in version 25.3.9983.922, urging users to update immediately. The issue affects versions from 20.1.2397 to 2016.11.1.2262. 
  • Wordfence spotted WP-antymalwary-bot.php, a malware disguised as a WordPress plugin. The malware uses a backdoor function for admin login and registers a REST API route without permission checks. It enables unauthorized access, remote code execution, and script injection. The malware hides from the dashboard and can reinfect sites via a modified `wp-cron.php` file. It communicates with a C2 server, sending site URLs for tracking. It injects malicious JavaScript ads using obfuscated methods and evolves rapidly with enhanced mechanisms.
  • Hannibal Stealer is a sophisticated rebranded malware variant of the Sharp and TX stealers, targeting sensitive data from Chromium- and Gecko-based browsers, cryptocurrency wallets, and FTP clients. It employs geofencing to evade detection and compromises VPN credentials, Steam sessions, and Discord tokens. Advertised on dark web forums with a subscription model, it features a Django-based control panel for managing stolen data. The malware's source code shows minimal innovation, with changes mainly in log delivery mechanisms.
  • A sophisticated cyberattack campaign has been identified by eSentire, linking SocGholish malware to RansomHub ransomware affiliates. The attack starts when victims download a fake Microsoft Edge update from a compromised WordPress site, leading to the deployment of a Python backdoor. This malware collects system information to identify high-value targets and employs multiple encryption layers for concealment. It enables remote command execution and lateral movement within networks.
  • The Kimsuky group is distributing PebbleDash malware, previously associated with the Lazarus group, using spear-phishing tactics. The initial access involves executing JavaScript via LNK files, which then runs PowerShell for persistence and malware installation. The attackers use tools like AsyncRAT alongside PebbleDash for remote control. The modification of termsrv.dll disables RDP authentication, allowing unauthorized access. Users are advised to verify file extensions, check for modified DLLs using hash comparisons, and monitor for suspicious accounts like ‘Root’. 
  • In a recent campaign, the Chinese APT Mustang Panda deployed an updated ToneShell backdoor, enhancing its payload execution capabilities and using a modified FakeTLS protocol for C&C communication to evade detection. Newly observed tools include StarProxy, designed for lateral movement by proxying traffic over FakeTLS; two keyloggers, Paklog (logs keystrokes/clipboard locally) and Corklog (encrypts data, sets persistence); and the SplatCloak driver. Delivered via SplatDropper, SplatCloak specifically identifies and disables Windows Defender and Kaspersky defenses.
  • The North Korean hacking group, Slow Pisces, has been linked to a malicious campaign targeting cryptocurrency developers. The group engages with developers on LinkedIn, posing as potential employers and sending malware disguised as coding challenges. This malware, named RN Loader and RN Stealer, infects the developers' systems. The multi-stage attack chain involves sending a malicious payload only to validated targets, likely based on IP address, geolocation, time, and HTTP request headers. This information stealer harvests sensitive information from infected Apple macOS systems.
  • Cofense analyzed a sophisticated phishing campaign titled "Pick Your Poison." The attack begins with an email that appears to be from a legitimate file-sharing service, files[.]fm, warning the recipient of an impending file deletion. Upon clicking the embedded link, users are redirected to a legitimate files[.]fm page, enhancing the illusion of safety. However, when users open the shared file, they are presented with two options, "Preview" or "Download," both leading to malicious outcomes. The malware often installs a RAT such as ConnectWise RAT, allowing threat actors unauthorized access to compromised systems. 
  • Cybercriminals are targeting Intuit QuickBooks users by purchasing prominent Google Ads that lead to fake login pages, aiming to steal sensitive information like usernames, passwords, and one-time passcodes. The phishing pages closely resemble the genuine QuickBooks site, making it difficult for users to distinguish between the two. Users are advised to access their QuickBooks account directly through the official Intuit website or application, and to be vigilant about verifying the URL. 
  • The NCSC and international cybersecurity agencies have discovered that hackers are using two types of spyware, MOONSHINE and BADBAZAAR, to spy on Uyghur, Tibetan, and Taiwanese individuals and civil society organizations. The spyware-infected apps target individuals and groups perceived as a threat to China's stability, including those associated with Taiwan's independence, Tibetan rights, Uyghur Muslims, ethnic minorities in Xinjiang, democracy advocates, and Falun Gong members. Some apps mimic popular platforms like WhatsApp and Skype, while others are standalone apps designed to attract potential victims. The Tibet One and Audio Quran apps, which have been used to spread the spyware, have been removed from app stores. 
  • Socket spotted a malicious Python package named "disgrasya" on PyPI. This package contains an automated carding script targeting WooCommerce stores using CyberSource as their payment gateway. Unlike typical supply chain attacks, disgrasya made no attempt to appear legitimate. The script simulates real transactions to test stolen credit card numbers, making it hard to detect. It has been downloaded over 34,000 times. 

New Threats

Several emerging cyber threats have recently come to light, highlighting growing risks across global sectors. Earth Kasha, linked to China’s APT10, launched a spear-phishing campaign in Taiwan and Japan using a malicious Excel file, ROAMINGMOUSE, to deploy the ANEL and NOOPDOOR backdoors for espionage. Unit 42 exposed Gremlin Stealer, a C#-based malware that harvests sensitive data like credentials and crypto wallets, while Proofpoint flagged TA2900, a French-speaking BEC actor targeting rental payments using socially engineered emails and possibly generative AI. Sysdig identified UNC5174, a Chinese group, using SNOWLIGHT malware and VShell RAT in fileless Linux attacks. Meanwhile, ToddyCat exploited a flaw in ESET software to deliver TCESB malware using DLL hijacking and BYOVD techniques. 

  • Earth Kasha, an APT group believed to be part of APT10, has launched a new spear-phishing campaign targeting Taiwan and Japan in March. The campaign aims to deliver a new version of the ANEL backdoor for espionage, potentially leading to information theft and compromising sensitive data. The campaign uses a malicious Excel file, ROAMINGMOUSE, to drop ANEL components, and employs SharpHide for persistence. The second-stage backdoor, NOOPDOOR, utilizes DNS over HTTPS for secure IP resolution.
  • Unit 42 has identified Gremlin Stealer, a new info-stealer written in C# and advertised on Telegram since March. It targets sensitive data, including browser cookies, credit card information, cryptocurrency wallets, and credentials from FTP and VPN services. The malware bypasses Chrome's cookie protection and uploads stolen data to a server at 207.244.199[.]46. Gremlin Stealer is actively developed and capable of exfiltrating data from various applications, including Telegram and Discord.
  • Proofpoint has identified a new BEC threat actor, TA2900, targeting rental payments in France and occasionally Canada. This actor sends fraudulent French language emails claiming unpaid rent and instructs recipients to send payments to new bank accounts, often changing IBAN details frequently. The campaigns use compromised educational institution mailboxes and social engineering tactics to elicit emotional responses from victims. Researchers suspect the use of generative AI in crafting the emails, although this is unconfirmed. The threat actor's objective is financial theft, using opportunistically compromised accounts globally. 
  • A newly disclosed vulnerability in the Linux kernel, CVE-2025-21756, known as Attack of the Vsock, allows privilege escalation to root, threatening millions of systems. The flaw is within the VMware vsock driver and is due to errors in reference counting during vsock transport reassignment. This leads to a use-after-free vulnerability, enabling attackers to execute arbitrary code with kernel privileges. A proof-of-concept exploit demonstrates how attackers can trigger the vulnerability, reclaim freed memory, leak kernel addresses, and hijack control flow to gain root access.
  • A critical zero-day vulnerability, CVE-2025-31324, in SAP NetWeaver Visual Composer MetadataUploader has been actively exploited to deploy webshells and C2 frameworks, compromising enterprise and government systems. The vulnerability allows unauthenticated attackers to gain full control over affected systems by uploading and executing malicious binaries. Despite having the latest service packs, many systems were breached, with attackers bypassing protections to exploit the /developmentserver/metadatauploader endpoint. This has led to unauthorized file uploads and remote code execution. Techniques like Brute Ratel and Heaven’s Gate were used to maintain persistence and evade detection. 
  • A new Android spyware, Android.Spy.1292.origin, has been discovered in a fake Alpine Quest app, targeting Russian military personnel. The spyware, hidden in a trojanized version of the app, steals contacts, geolocation, and file information and can download additional modules to exfiltrate stored data. Distributed via Russian Android catalogs and a fake Telegram channel, the spyware sends data to a command-and-control server and shares geolocation updates with attackers' Telegram bots. The modular design allows it to perform a broader range of malicious activities. 
  • Sysdig uncovered a new campaign by Chinese state-linked group UNC5174, active since late 2024. The group used a malicious bash script to deliver the SNOWLIGHT malware and fileless VShell RAT via domain-squatting-based infrastructure. UNC5174 targeted Linux systems, using WebSockets for stealthy C2. Their techniques, victims, and infrastructure pointed to espionage and access brokering, with operations traced back to November 2024.
  • Check Point Research uncovered a phishing campaign by Russian APT29, targeting European diplomatic entities using fake wine-tasting event invites. The attackers impersonated a European foreign ministry and used a new loader, GRAPELOADER, to deploy a variant of their WINELOADER backdoor. GRAPELOADER handled fingerprinting, persistence, and payload delivery, while the updated WINELOADER acted as a modular backdoor. Both shared stealth techniques and obfuscation methods. 
  • A Chinese-linked threat group, ToddyCat, has been exploiting a security vulnerability in ESET's software to deliver a new malware, TCESB, in Asia. The malware uses DLL Search Order Hijacking to gain control of the execution flow, exploiting a flaw in ESET Command Line Scanner, which insecurely loads a DLL named "version.dll." TCESB is a modified version of an open-source tool, EDRSandBlast, and uses the BYOVD technique to install a vulnerable Dell driver, DBUtilDrv2.sys, susceptible to a privilege escalation flaw tracked as CVE-2021-36276. 
  • The latest version of Neptune RAT has been discovered, which uses advanced anti-analysis techniques and persistence methods to maintain its presence on the victim’s system. It comes packed with malicious features, including a crypto clipper, a password stealer that exfiltrates credentials from 270+ unique apps, ransomware capabilities, and live desktop monitoring. Neptune RAT uses a technique involving the PowerShell commands irm (Invoke-RestMethod) and iex (Invoke-Expression) to download and execute a batch script and malware payload, establishing a connection between the client and the attacker’s server. The malware has been proliferating across GitHub, Telegram, and YouTube, targeting Windows users.
  • A new, sophisticated phishing campaign misuses Cloudflare services and Telegram for malicious purposes. The attacks use Cloudflare-branded phishing pages and advanced tactics to evade detection. The phishing pages, hosted on Cloudflare’s Pages[.]dev and Workers[.]dev platforms, impersonate DMCA takedown notices and trick victims into downloading malicious files disguised as PDFs. The attackers exploit the "search-ms" protocol to initiate a malware infection chain. The malware establishes persistence and communicates with Pyramid C2 servers. A significant evolution in this campaign is the integration of Telegram for victim tracking. 
  • The Gootloader malware has re-emerged with a new campaign that combines traditional social engineering tactics with modern ad-based delivery methods. The operators are now using Google Ads to target individuals searching for legal document templates. The attack chain begins with a Google search, where a sponsored ad from a seemingly legitimate legal document provider, lawliner[.]com, appears among the top results. Upon clicking, users are prompted to enter their email address to access the document. They then receive an email containing a link to download a ZIP archive with a JavaScript file. When executed, this file performs classic Gootloader behavior, creating a scheduled task, dropping another .js file, and launching PowerShell scripts that attempt to reach out to a series of compromised WordPress blogs.
