Cyware Monthly Threat Intelligence

The Good

In a major stride towards security with AI, the Five Eyes agencies released a cybersecurity guide to help organizations secure AI system deployments. Separately, heightened attacks on mobile networks made the GSM Association unveil the MoTIF framework for mobile network threat intelligence. In another remarkable decision, the CISA launched a webpage offering tailored cybersecurity resources for civil society groups, including activists, journalists, and human rights defenders.

The Five Eyes agencies have published a joint cybersecurity information sheet that offers guidance and recommendations on deploying and operating externally developed AI systems. The document, titled "Deploying AI Systems Securely: Best Practices for Deploying Secure and Resilient AI Systems," provides methodologies for protecting data and AI systems, with a focus on securing the deployment environment, continuously protecting AI systems, and securing AI operation and maintenance.
GSM Association’s Fraud and Security Group (FASG) issued the first version of the Mobile Threat Intelligence Framework (MoTIF) to delineate how adversaries attack and use mobile networks, based on their TTPs. MoTIF covers mobile network-related attacks not addressed by existing frameworks like MITRE ATT&CK and MITRE FiGHT, encompassing 2G, 3G, 4G, 5G, telecommunication service enablers, and future mobile technology evolutions.
The CISA introduced a dedicated High-Risk Communities webpage aimed at providing cybersecurity resources for high-risk communities, including activists, journalists, and human rights defenders. The initiative offers tailored guidance and tools to mitigate cyber threats, recognizing the increased risk these groups face. Resources include Project Upskill, offering "how-to" guides for non-technical individuals, information on local cyber volunteer programs, and a repository of free or discounted cybersecurity tools.
The Biden administration introduced new privacy regulations aimed at protecting abortion providers and patients from conservative legal threats. The rules by HHS prevent healthcare entities from sharing patient information with state officials investigating or prosecuting abortion-related cases. They safeguard individuals seeking abortions across state lines or facing state abortion bans due to circumstances like rape. Despite the controversy, officials stress the importance of privacy and patient rights.

The Bad

In a parallel world, cybercrimes kept surging, challenging the resilience of different infrastructures worldwide. The Resecurity team found a new JSOutProx version targeting finance sectors in APAC and MENA. In a campaign dubbed Dev Popper, North Korean threat actors target software developers through fake job interview lures. Besides, cybersecurity experts uncovered a concerning trend wherein Cactus ransomware operators abused security flaws in Qlik Sense, disclosed months ago.

A new cyber campaign dubbed Dev Popper was found tricking software developers with fake job interviews, leading them to download a Python RAT. Orchestrated by North Korean threat actors, the attack employs multi-stage social engineering tactics. Victims are instructed to run code from GitHub during the interview, unknowingly activating the RAT. Once installed, the trojan gathers system data and enables remote access.
Months after Qlik disclosed security flaws, Cactus ransomware has been found abusing those to gain an initial foothold in target environments. The flaws, disclosed in August and September 2023, allow remote code execution. Despite prior warnings, thousands of Qlik Sense servers remain vulnerable, with over 3,000 exposed to Cactus group attacks. Fox-IT's scan revealed 122 likely compromised instances, emphasizing the urgency for remediation.
A newly discovered RAT was observed targeting Android devices by masquerading as popular social media apps like Snapchat and Instagram. This malware, equipped with advanced capabilities, harvests credentials through phishing attacks facilitated by fraudulent HTML login pages. Upon installation, it gains intrusive permissions and communicates with a C2 server to execute commands.
Cybersecurity researchers at F.A.C.C.T. took the wraps off of a new ransomware group dubbed Muliaka. Operating since at least December 2023, Muliaka targets Russian businesses, utilizing tactics like disguising ransomware as corporate antivirus software and exploiting VPN services for remote access. Unlike its predecessor, Muliaka's malware terminates processes and system services before encryption, marking a notable evolution in malicious tools post-Conti leak.
Eric Daigle, a student at the University of British Columbia, disclosed vulnerabilities in the popular location-tracking app iSharing, allowing access to users' precise location data and personal information. The bugs, affecting over 35 million users, enabled unauthorized access to location data and exposed users' names, profile photos, email addresses, and phone numbers. Daigle's findings prompted iSharing to address the issue, acknowledging the oversight.
AI security firm HiddenLayer uncovered a critical vulnerability in the R programming language's serialization process (CVE-2024-27322). This flaw allowed for arbitrary code execution when loading malicious RDS files, posing a significant risk to the associated software supply chain. Exploiting lazy evaluation and promise objects, attackers could inject code that executes upon referencing the symbol associated with the compromised file.
The Blackjack hacker group reportedly unleashed the destructive Fuxnet malware to target one of Moscow's internet providers and military infrastructure, damaging emergency detection and response systems. This sophisticated malware aimed to disable 87,000 sensors and control systems. Fuxnet was deployed to lock devices, erase filesystems, disable services, and rewrite flash memory, rendering them inoperable. The malware's final objective was to disrupt sensors by flooding serial channels.
Cyber espionage group Earth Freybug (aka APT41) launched a phishing campaign utilizing a new malware called UNAPIMON. The attack, reminiscent of previous campaigns, targeted multiple sectors across several countries. The UNAPIMON malware, detected in the attack flow, utilizes DLL hijacking and API unhooking techniques to evade detection. Deployed through batch files and service manipulation, the malware prevents child processes from being monitored, allowing malicious activity to go undetected.
??Red Hat issued a warning regarding a backdoor flaw discovered in the xz data compression software library, potentially impacting instances of Fedora Linux 40 and Fedora Rawhide. The backdoor, present in xz versions 5.6.0 and 5.6.1, allows for remote access via OpenSSH and System. Designated as CVE-2024-3094, the vulnerability is rated as critical.
Apple sent alerts to iPhone users in 92 countries, warning them of potential targeting by mercenary spyware attacks. The notifications advise users to take the threat seriously as the company refrained from disclosing attacker identities or affected countries to prevent adaptive behavior. Similar past incidents were linked to NSO Group's Pegasus. The alert comes amid rising concerns about state-sponsored interference in elections within selective countries.
Visa warned about a surge in detections of a new variant of JsOutProx malware targeting financial institutions in South and Southeast Asia, the Middle East, and Africa. The malware enabled attackers to execute various malicious activities, including command execution, payload downloads, and keyboard/mouse control. The phishing campaign associated with JsOutProx involved fake financial notifications sent via email, with malicious JavaScript files hosted on GitLab.
Cybersecurity firm Wiz identified two critical vulnerabilities within Hugging Face's AI platform, potentially exposing millions of private AI models and apps. The risks involved a shared inference infrastructure takeover and a shared CI/CD takeover, allowing attackers to compromise the platform's integrity. Wiz recommended isolation and segmentation as crucial steps to mitigate such risks for AI-as-a-service providers.
Juniper Networks published multiple advisories detailing more than a hundred vulnerabilities in Junos OS, Junos OS Evolved, and other products. Patches were released for over 80 bugs, including critical issues in Junos cRPD and Cloud Native Router. Additionally, Paragon Active Assurance Control Center and Junos OS also received patches for high-severity flaws, such as information leaks and denial-of-service vulnerabilities.
The TA558 hacking group launched a new campaign called SteganoAmor, with over 320 attacks impacting multiple sectors across different countries. The attackers exploited the CVE-2017-11882 flaw in Microsoft Office while deploying long chains of tools and malware, including AgentTesla, FormBook, Remcos, LokiBot, Guloader, SnakeKeylogger, and XWorm. The attackers used compromised legitimate FTP servers for C2 and SMTP servers for C2 and phishing. The group also uses legitimate services to store malware strings and images with embedded malicious code.

Cyware Monthly Threat Intelligence, March 2025

ETSI has rolled out a new quantum-safe encryption standard featuring Covercrypt, a novel key encapsulation scheme with built-in access controls. By tying decryption permissions to user attributes, Covercrypt delivers speed and post-quantum security. The code caves of GitHub got a cleanup crew courtesy of Microsoft. A sprawling malvertising campaign that snagged nearly a million devices worldwide has been knocked down a peg. The race to outpace quantum threats is officially on. The NCSC has issued guidance to help organizations transition to post-quantum cryptography by 2035, with a focus on NIST-approved algorithms and planned support for critical sectors. A fresh face in the cybercrime underworld is juggling a bag of nasty surprises. EncryptHub is hitting users of QQ Talk, WeChat, Google Meet, and more with trojanized apps and slick multi-stage attacks. Lucid isn’t just phishing - it’s engineering trust through your inbox. This advanced PhaaS platform weaponizes the built-in features of iMessage and RCS to create hyper-realistic scams. A botnet is turning home routers into attack platforms. The Ballista botnet is exploiting an unpatched TP-Link Archer router flaw (CVE-2023-1389) to spread stealthily, using Tor domains and remote command execution to launch DDoS attacks worldwide.

Cyware Monthly Threat Intelligence, February 2025

Google ramped up its defenses against the quantum threat. The company rolled out quantum-resistant digital signatures in Cloud KMS, following NIST’s post-quantum cryptography standards. Cyber defenders sharpened their tools, this month, and EARLYCROW is the latest weapon against stealthy APT operations. This method detects C2 activity over HTTP(S) using a novel traffic analysis format called PAIRFLOW. PyPI adopted a "dead but not gone" approach to abandoned software with Project Archival, a new system that flags inactive projects while keeping them accessible. Developers will see warnings about outdated dependencies, helping them make smarter security choices and avoid relying on unmaintained code. China’s Salt Typhoon made itself right at home in global telecom networks. The group was caught using JumbledPath, a custom-built spying tool, to infiltrate ISPs in the U.S., Italy, South Africa, and Thailand. Russia’s Sandworm hackers are using pirated software as bait. Their latest attack on Ukrainian Windows users disguises malware inside trojanized KMS activators and fake Windows updates. The CISA flagged major security holes in Microsoft Outlook and Sophos XG Firewall. One flaw allows remote code execution in Outlook, while another exposes firewall users to serious risks. A new payment card skimming campaign turned Stripe’s old API into a weapon. Hackers inserted malicious scripts into checkout pages, validating stolen card details through Stripe before exfiltration. A new malware named Ratatouille is stirring up trouble by bypassing UAC and using I2P for anonymous communications. Spreading through phishing emails and fake CAPTCHA pages, it tricks victims into running an embedded PowerShell script. A new version of ValleyRAT was also spotted, using stealthy techniques to infiltrate systems. Researchers found the malware being spread through fake Chrome downloads.

Cyware Monthly Threat Intelligence, January 2025

The U.K took a proactive stance on cyber resilience with its Cyber Local initiative, injecting £1.9 million into 30 projects across England and Northern Ireland. The effort focuses on closing the cyber skills gap, fortifying small businesses, and supporting underrepresented groups. India tightened its grip on data privacy with new draft rules designed to give citizens more control over their personal information. The proposed regulations mandate clearer data processing disclosures, stricter security protocols, and swift breach reporting. Hackers turned to SparkRAT, an open-source GoLang RAT, to target macOS users and government entities. Initially released in 2022, its modular design and cross-platform capability have made it a cybercriminal favorite. More than 10,000 WordPress sites were hijacked in a large-scale malware campaign delivering AMOS to macOS users and SocGholish to Windows users. Attackers exploited outdated plugins to inject fake browser update prompts. Lumma Stealer is made its way through GitHub in a new malware campaign that abuses the platform’s release infrastructure. Attackers deployed malware like SectopRAT and Vidar, using secure-looking download links to exfiltrate data while evading detection. Cybercriminals deployed the Coyote banking trojan against financial firms in Brazil, using malicious Windows LNK files to execute PowerShell scripts. This malware established secure connections with C2 servers, enabling keylogging and data theft. A two-year-long phishing campaign targeted Microsoft’s advertising platform users through malicious Google Search ads. A Mirai-based botnet exploited zero-day vulnerabilities in industrial routers and smart home devices. With 15,000 active nodes daily, it launched high-intensity DDoS attacks surpassing 100 Gbps, posing a growing threat across multiple countries.

Cyware Monthly Threat Intelligence, December 2024

The cloud revolution isn’t just about convenience anymore; it’s now the frontline of defense. With CISA's new directive mandating cloud environment fortification, federal agencies face a race against time to safeguard Microsoft 365 and other services. Meanwhile, proposed updates to the HIPAA security rules push healthcare organizations toward stronger PHI protection with advanced technical controls and detailed incident planning. On the global front, Operation PowerOFF turned the tables on DDoS attackers, dismantling 27 illegal platforms and curbing festive-season chaos. The cyber battlefield sees no intermission as new threats take center stage. A phishing campaign, dubbed Aggressive Inventory Zombies (AIZ), exploited brand trust by mimicking retail giants and crypto platforms. Meanwhile, the resurrected BADBOX botnet has compromised 192,000 Android devices globally, sneaking into supply chains to wreak havoc with ad fraud and account abuse. Adding to the turbulence, Poison Ivy (APT-C-01) resurged, targeting critical sectors with advanced phishing techniques and deploying Sliver RAT to breach systems and steal sensitive data. This month, new threats targeted IoT, banking, and app ecosystems, with threat actors unleashing diverse attacks. Iranian hackers deployed IOCONTROL malware to compromise IoT and OT systems, targeting critical infrastructure like gas stations. Meanwhile, the DroidBot banking malware infiltrates cryptocurrency and banking apps across Europe, leveraging MaaS operations for tailored attacks. Adding to the chaos, SpyLoan malware apps, with over eight million installs, exploited users in South America, Southeast Asia, and Africa, highlighting the escalating risks within app marketplaces. For detailed Cyber Threat Intel, click ‘Read More’.

Cyware Monthly Threat Intelligence, November 2024

The TSA reshaped the cybersecurity landscape for pipeline and railroad operators with proposed rules mandating incident reporting and risk management plans. Estimated to cost $2.1 billion over the next decade, the rules aimed to address growing cyber threats while balancing flexibility with resilience. Meta dismantled a sprawling web of over two million accounts tied to pig butchering scams in Southeast Asia and the UAE. Africa’s cybercrime ecosystem faced a decisive blow with Operation Serengeti, as over 1,000 suspects were arrested, and 134,000 malicious networks taken offline. TAG-110, a Russia-aligned threat group, launched a cyber-espionage campaign targeting governments and organizations in Asia and Europe. Using malware like HATVIBE and CHERRYSPY, it aimed to monitor geopolitical developments and assert influence. A botnet powered by Ngioweb malware converted 35,000 IoT devices into residential proxies. These compromised devices, found largely in the U.S., were sold on platforms like NSOCKS for malicious purposes. Water Barghest compromised over 20,000 IoT devices by exploiting known vulnerabilities. The group used Shodan to identify targets and deployed Ngioweb malware to connect them to its monetized network. LIMINAL PANDA, a Chinese cyberespionage group, has been targeting telecoms in South Asia and Africa since 2020. Using tools like SIGTRANslator and PingPong, the group exploits telecom protocols to steal critical data while staying undetected. NodeStealer has resurfaced, targeting Facebook Ads Manager accounts to steal credit card details and browser credentials. It uses Windows Restart Manager and Python scripts to execute its attacks, with stolen data sent via Telegram. BabbleLoader, a stealthy malware loader, delivers WhiteSnake and Meduza stealers. Disguised as accounting software, it targets English and Russian speakers, evading antivirus systems with advanced techniques.

The Good

The Bad

Related Threat Briefings

Jun 1, 2025