Cyware Monthly Threat Intelligence, April 2025

Monthly Threat Briefing • May 1, 2025
Cyber defenders are flexing their innovation muscles this season. ETSI unveiled ETSI TS 104 223, the world’s first comprehensive technical specification for AI security, outlining 13 core and 72 trackable principles across the AI lifecycle, addressing threats like data poisoning and model obfuscation. MITRE released ATT&CK v17, expanding its threat intelligence framework with ESXi platform coverage, new analytics, mobile attack techniques, and enriched mitigation strategies. Meanwhile, CISA extended funding to MITRE to sustain the Common Vulnerabilities and Exposures (CVE) program until 2026, safeguarding vulnerability coordination. In the U.K., the government rolled out a Cyber Governance Code of Practice to help organizational leaders strengthen cyber resilience, complemented by a modular training package.
Cybercriminals have been busy, and unfortunately, so have their exploits. Critical zero-click vulnerabilities in Apple’s AirPlay protocol, dubbed AirBorne (CVE-2025-24252, CVE-2025-24132), could allow remote code execution on billions of devices, while a flaw in Avast Free Antivirus (CVE-2025-3500) enables local privilege escalation to kernel level. Meanwhile, a campaign linked to SocGholish malware and RansomHub ransomware affiliates begins with fake Microsoft Edge updates and deploys a Python backdoor for remote access and lateral movement. Another campaign by Slow Pisces targets cryptocurrency developers with macOS malware disguised as job challenges, delivered via LinkedIn. In the supply chain domain, a malicious Python package named disgrasya on PyPI was found automating carding attacks against WooCommerce stores and downloaded over 34,000 times before detection.
Several emerging cyber threats have recently come to light, highlighting growing risks across global sectors. Earth Kasha, linked to China’s APT10, launched a spear-phishing campaign in Taiwan and Japan using a malicious Excel file, ROAMINGMOUSE, to deploy the ANEL and NOOPDOOR backdoors for espionage. Unit 42 exposed Gremlin Stealer, a C#-based malware that harvests sensitive data like credentials and crypto wallets, while Proofpoint flagged TA2900, a French-speaking BEC actor targeting rental payments using socially engineered emails and possibly generative AI. Sysdig identified UNC5174, a Chinese group, using SNOWLIGHT malware and VShell RAT in fileless Linux attacks. Meanwhile, ToddyCat exploited a flaw in ESET software to deliver TCESB malware using DLL hijacking and BYOVD techniques.