Cyware Monthly Threat Intelligence


Monthly Threat Briefing September 4, 2023

The Good

In a notable advance for computer security, a team of researchers has introduced a new, highly efficient cipher designed to defeat cache side-channel attacks. Along the same lines, the CISA released the Remote Monitoring and Management (RMM) Cyber Defense Plan to help government organizations and SMBs mitigate the risks associated with RMM software. What's more, the White House has decided to work on a plan to modernize outdated IT systems in federal agencies.

  • A team of academics and researchers at Tohoku University, Ruhr University Bochum, and NTT Social Informatics Laboratories has developed a new standard to address the threat of cache side-channel attacks. Dubbed Secure CAche Randomization Function (SCARF), the technique is compatible with different computer architectures, which broadens its applicability and strengthens computer security.

  • The CISA released the RMM Cyber Defense Plan to help government organizations mitigate the risk of deploying and using RMM software in their environments. Built upon the JCDC 2023 Planning Agenda, the new guideline will also be useful for SMBs that are MSP/MSSP customers, as threat actors can gain a foothold in MSPs/MSSPs via RMM software.

  • The White House has reportedly begun work on a plan to replace vulnerable and outdated IT systems across federal civilian agencies in an effort to bolster the nation’s cyber posture. The Office of Management and Budget has been assigned the job of developing a multi-year lifecycle plan that includes migrating to cloud-based services and mitigating risks associated with older systems. This development comes after the GAO found in May that 10 critical federal agencies had failed to take proper security measures to secure their legacy systems.

  • CERT-NZ officially joined hands with the NCSC to bolster the nation’s cyber defenses. The development comes a month after the government announced its commitment to enhance cybersecurity readiness and response. The integration marks the first step in creating a unified operational cybersecurity agency in New Zealand, with similar actions taking place in countries like Australia, the U.K., and Canada.

The Bad

Significant recent cybersecurity incidents have rocked the digital realm, especially in the cryptocurrency space. While Exactly and Harbor suffered substantial losses, FTX, BlockFi, and Genesis fell victim to a SIM-swapping attack pulled off at their common risk and financial advisory firm. The sensitive data of up to 10 million individuals held by a French national employment agency was compromised in the MOVEit hack. Moving on, an alarming discovery showed that more than 60% of Kubernetes clusters from over 350 organizations were targeted in an active cryptomining campaign.

  • Cryptocurrency firms FTX, BlockFi, and Genesis suffered data breaches caused by a SIM-swapping attack at Kroll. By transferring a victim’s phone number to a new SIM card, the attacker successfully accessed information stored on Kroll’s systems, specifically files containing personal information of bankruptcy claimants.

  • A data breach at Topgolf Callaway exposed the personal and account details of 1.1 million customers, including those associated with Callaway’s sub-brands Odyssey, Ogio, and the Callaway Golf Preowned sites. The incident occurred on August 1, and the affected data includes full names, email addresses, phone numbers, and order histories.

  • Two cryptocurrency platforms, Exactly Protocol and Harbor Protocol, experienced cyberattacks resulting in millions of dollars worth of cryptocurrency being stolen. While Harbor Protocol did not disclose how much was stolen from its vaults, Exactly Protocol reported losing $7.3 million worth of ETH in the attack.

  • Brunswick Corporation, one of the leading marine parts manufacturers, suffered a financial loss of $85 million due to the downtime following a cyberattack. The incident affected its IT systems and other facilities, forcing the firm to halt its operations and businesses for almost nine days. No hacking group claimed responsibility for the attack.

  • The French national employment agency, Pôle emploi, is the latest in a series of victims affected by the MOVEit hack. The incident impacted the critical information of up to 10 million people, bringing the total to almost 59 million impacted individuals. Moreover, the total number of organizations impacted by the MOVEit incident reached almost 1,000.

  • Travel giant Mondee inadvertently exposed more than 1.7TB of customers’ data due to a vulnerable database hosted on Oracle’s cloud. The exposed information included names, genders, dates of birth, home addresses, flight information, and passport numbers.

  • The LockBit ransomware group added Varian Medical Systems to its list of victim organizations and threatened to leak the medical data of cancer patients if the firm failed to pay the ransom by August 17. The group did not disclose how much data was stolen, nor did the firm confirm the attack.

  • Around 60% of Kubernetes clusters belonging to more than 350 organizations were targets of an active cryptomining campaign. These clusters belonged to small to medium-sized organizations, with a smaller subset tied to bigger companies in the financial, aerospace, automotive, industrial, and security sectors.

  • A pro-Russian hacking group, NoName057, listed the Dutch public transport website, local bank SNS, the Groningen seaport, and the website of the municipality of Vlaardingen among its targets. These websites were taken down in DDoS attacks, making them unreachable.

  • The personal information of 1.5 million individuals was compromised in a ransomware attack at Canada’s Alberta Dental Service Corporation (ADSC). The attack occurred last month, and according to ADSC, the attackers had access to its network for more than two months before deploying the ransomware. The compromised systems contained the personal and banking information of the users.

  • The New Haven Public Schools district in Connecticut disclosed losing more than $6 million in a BEC scam that took place in June. While more than $3.6 million of the stolen funds have been recovered so far, the FBI is working to understand the scope of the incident to recover the remaining amount.

  • The scraped data of 2.6 million Duolingo users was leaked on a hacking forum, allowing threat actors to conduct targeted phishing attacks. The data includes public login and real names, email addresses, and internal information related to the Duolingo service. The data was scraped using an exposed API that has been shared openly since at least March.

  • Danish cloud hosting services provider, CloudNordic, suffered a ransomware attack that paralyzed all of its systems, including websites, customer systems, and email systems. According to the firm, the attackers leveraged an existing dormant infection to encrypt all systems.

New Threats

The month brought several notable new threats. Microsoft's identification of BlackCat ransomware 2.0, which bundles the Impacket and Remcom tools, makes detection harder for defenders. Simultaneously, the Lazarus group's campaign against healthcare entities exploits ManageEngine vulnerabilities to distribute QuiteRAT, a malware akin to MagicRAT. Additionally, the TZW variant of Adhubllka ransomware has been targeting small entities and shows similarities to multiple ransomware families.

  • A new mobile malware called Infamous Chisel infected the Android devices of the Ukrainian military in a campaign launched by the Russian Sandworm APT group. The malware consists of components that provide the attackers with backdoor access to infected devices for network monitoring and file transfer operations.

  • Microsoft discovered a new version of the BlackCat ransomware (version 2.0) that includes the Impacket networking framework and the Remcom hacking tool to facilitate lateral movement for attackers in target environments. Adding these tools only makes it harder for defenders to detect the ransomware.

  • After a two-year hiatus, the DreamBus botnet resurfaced in a new campaign to deliver Monero mining malware. The campaign exploited a recently patched vulnerability (CVE-2023-33246) in Apache RocketMQ that allowed attackers to perform remote code execution attacks.

  • The Lazarus group was found to be associated with a new campaign against healthcare entities in Europe and the U.S. In this campaign, the attackers are exploiting a ManageEngine ServiceDesk vulnerability (CVE-2022-47966) to distribute the QuiteRAT malware. The malware has many capabilities similar to MagicRAT, another malware from the Lazarus group.

  • A new version of Adhubllka ransomware, dubbed TZW, has been launching attacks since 2019, demanding lower ransoms from small businesses and individuals. Studies conducted by researchers reveal that the ransomware shares similarities with the LOLKEK, BIT, OBZ, and U2K ransomware families.

  • According to researchers at Aquasec, the Meow attack campaign has been revamped to target misconfigured Jupyter notebooks. Interestingly, the attackers use Python scripts to target databases, an unusual modus operandi. While the attackers' infrastructure is still under investigation, a total of 1,283 distinct IP addresses have been targeted by them.

  • A new version of the Rilide info-stealer is targeting Chromium-based web browsers to steal sensitive information and cryptocurrency from users. The updated version overlaps with a malware strain tracked as CookieGenesis and includes modules targeting Chrome Extension Manifest V3 as well as code obfuscation.

  • A newly discovered QwixxRAT (aka TelegramRAT) was found being advertised on Telegram and Discord platforms, boasting the ability to collect and exfiltrate a wide range of sensitive information. This includes data from browser histories, credit card details, FTP credentials, screenshots, and keystrokes. Written in C#, it includes a clipper code to capture cryptocurrency wallet information.

  • Sophos revealed that a threat actor linked to the FIN8 hacking group is exploiting a critical vulnerability in Citrix NetScaler systems to launch domain-wide attacks. The vulnerability under abuse, in Citrix NetScaler ADC and NetScaler Gateway, is tracked as CVE-2023-3519 and can allow attackers to launch remote code execution attacks.

  • Cybercriminals behind Smoke Loader malware have been found dropping a new Wi-Fi scanning malware called Whiffy Recon. The malicious code locates the position of infected devices using nearby Wi-Fi access points, thus helping attackers carry out further attacks.

  • ESET researchers observed a new phishing campaign aimed at collecting the credentials of Zimbra account users. Active since April, the campaign was carried out via phishing emails notifying recipients about an email server update and redirecting them to a fake Zimbra web login page that steals their credentials.
