The Good
Global law enforcement agencies achieved major victories against cybercrime this month. The FBI and Dutch Police dismantled VerifTools, a counterfeit ID marketplace that generated over $6.4 million in illegal proceeds, seizing 23 servers and the domain veriftools.net. In a separate effort, Chainalysis, Binance, OKX, and Tether froze $46.9 million tied to “pig butchering” romance scams, with Tether taking swift action after intelligence was shared with APAC law enforcement. Meanwhile, INTERPOL’s Operation Serengeti across 18 African nations led to 1,209 arrests, the recovery of $97.4 million, and the dismantling of 11,432 malicious infrastructures, including crypto-mining centers and a $300 million investment scam. These coordinated crackdowns highlight the growing global collaboration in disrupting cybercrime networks.
- The FBI and Dutch Police shut down VerifTools, a major marketplace for fake IDs, seizing servers in Amsterdam and the domain veriftools.net. The platform, generating an estimated $6.4 million in illegal proceeds, sold counterfeit documents for bypassing identity verification, aiding crimes like bank fraud and phishing. Authorities seized two physical and 21 virtual servers, with ongoing investigations potentially leading to arrests.
- Cryptocurrency firms Chainalysis, Binance, OKX, and Tether collaborated to freeze $46.9 million in funds stolen through "romance baiting" scams, also known as pig butchering. Chainalysis identified wallets linked to a Southeast Asia-based operation, where scammers groomed victims on dating sites before defrauding them with fake investment schemes. Tether froze the funds in June 2024 after transferring findings to an APAC law enforcement agency.
- CISA launched the ‘Software Acquisition Guide: Supplier Response Web Tool’ to enhance security in software procurement. This free, interactive platform helps IT leaders, procurement officers, and vendors integrate cybersecurity into the acquisition process. Built on CISA’s Software Acquisition Guide, it offers tailored questions, exportable summaries, and supports secure-by-design principles. With over 10,000 users of the original guide, the tool addresses rising software supply chain vulnerabilities, promoting resilient procurement practices.
- U.S. authorities disrupted the Rapper Bot DDoS botnet, one of the most powerful on record, with attacks peaking at over six terabits per second. The botnet, active since 2021, targeted 18,000 victims across 80 countries, infecting between 65,000 and 95,000 IoT devices. The DDoS attacks were most heavily concentrated in China, Japan, the United States, Ireland, and Hong Kong. Ethan Foltz, a 22-year-old from Oregon, was charged with developing and running the botnet.
- The Python Package Index (PyPI) implemented new defenses against domain resurrection attacks, which exploit expired domains to hijack accounts via password resets. PyPI now uses Domainr’s Status API to monitor domain lifecycles, marking expired email domains as unverified to block unauthorized access. Since June 2025, over 1,800 email addresses have been unverified. PyPI recommends adding backup emails and enabling two-factor authentication to enhance account security and prevent supply-chain attacks.
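A minimal model of the check described in this item, as an added example rather than PyPI's own code: verified emails whose domain is expiring or deleted are downgraded to unverified, and only verified addresses may receive a reset link. The domain status labels and the lookup stub are constructed for illustration and are not Domainr's real Status API values.

```python
"""Model of PyPI-style domain-expiry handling for account emails.

Assumption: status labels ("active", "expiring", "pending_delete",
"undelegated") and the lookup stub are constructed for this example;
they are not Domainr's real API values.
"""
from dataclasses import dataclass, field

# Any of these statuses means the domain could soon belong to someone else,
# so an email on it must no longer be trusted for password resets.
AT_RISK_STATUSES = {"expiring", "pending_delete", "undelegated"}


@dataclass
class EmailAddress:
    address: str
    verified: bool = True


@dataclass
class Account:
    username: str
    emails: list = field(default_factory=list)


def email_domain(address: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[1].lower()


def unverify_expired_domains(accounts, lookup):
    """Downgrade every verified email whose domain is at risk.

    `lookup(domain)` returns a status string. Accounts are mutated in
    place; the addresses that lost verification are returned for auditing.
    """
    changed = []
    for account in accounts:
        for email in account.emails:
            status = lookup(email_domain(email.address))
            if email.verified and status in AT_RISK_STATUSES:
                email.verified = False
                changed.append(email.address)
    return changed


def reset_targets(account):
    """Only verified addresses may receive a password-reset link."""
    return [e.address for e in account.emails if e.verified]


# Constructed sample data: one live domain, one expired domain awaiting
# deletion (the window a domain-resurrection attacker would register it in).
SAMPLE_STATUS = {"example.com": "active",
                 "expired-maintainer.test": "pending_delete"}


def sample_lookup(domain):
    # Unknown domains are treated as undelegated (at risk) to fail closed.
    return SAMPLE_STATUS.get(domain, "undelegated")


SAMPLE_ACCOUNTS = [
    Account("alice", [EmailAddress("alice@example.com")]),
    Account("bob", [EmailAddress("bob@expired-maintainer.test"),
                    EmailAddress("bob.backup@example.com")]),  # backup email
]

if __name__ == "__main__":
    print("unverified:", unverify_expired_domains(SAMPLE_ACCOUNTS, sample_lookup))
    for acct in SAMPLE_ACCOUNTS:
        print(acct.username, "reset targets:", reset_targets(acct))
```

Bob keeps account access only because of his backup address, which is why the item above recommends adding one alongside two-factor authentication.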
- INTERPOL’s Operation Serengeti, conducted from June to August 2025, led to the arrest of 1,209 cybercriminals across 18 African nations, targeting 88,000 victims. The crackdown recovered $97.4 million and dismantled 11,432 malicious infrastructures, including 25 cryptocurrency mining centers in Angola and a $300 million investment scam operation in Zambia. The operation also disrupted a transnational inheritance scam, highlighting the need for global cooperation to combat cybercrime.
- ISACA launched the Advanced in AI Security Management (AAISM) certification to equip cybersecurity professionals with skills to manage AI-related security risks. Aimed at CISM or CISSP holders, AAISM focuses on AI governance, risk management, and technologies. ISACA’s research highlights a knowledge gap, with only 25% of digital trust professionals highly familiar with AI, and 89% needing AI training soon. The certification, announced on August 19, complements ISACA’s AI-focused courses and credentials like AAIA.
The Bad
The cyber threat landscape saw several concerning developments this month. A new Android malware campaign, SikkahBot, has been targeting students in Bangladesh since July 2024 by posing as Bangladesh Education Board apps to steal sensitive data and enable fraudulent transactions. Google TAG also uncovered a large-scale data theft campaign by actor UNC6395, which exploited compromised OAuth tokens tied to the Salesloft Drift app to exfiltrate credentials from multiple Salesforce customer instances before the app was revoked. Meanwhile, Zscaler’s ThreatLabs reported the takedown of 77 malicious Android apps with over 19 million installs, many delivering adware or Joker malware, while variants like Harly and Anatsa banking trojan continue to evolve with stronger evasion techniques and expanded targeting of financial and crypto apps.
- SikkahBot is an Android malware campaign that has been active since July 2024, specifically targeting students in Bangladesh. Disguised as applications from the Bangladesh Education Board, it lures victims with false promises of scholarships, coercing them into sharing sensitive personal and financial information. Once installed, SikkahBot requests high-risk permissions, including Accessibility Service and SMS access, enabling it to intercept bank-related messages and execute unauthorized transactions. The malware is distributed through shortened links, likely circulated via smishing attacks, and maintains low detection rates on VirusTotal. As it evolves, newer variants exhibit enhanced automation features, demonstrating the ongoing development by threat actors.
- Google Threat Intelligence Group has identified a widespread data theft campaign, attributed to the actor UNC6395, targeting Salesforce customer instances through compromised OAuth tokens associated with the Salesloft Drift third-party application. Between August 8 and August 18, 2025, the actor exfiltrated large volumes of data from numerous corporate Salesforce instances, primarily seeking credentials such as AWS access keys and Snowflake-related access tokens. In response, Salesloft and Salesforce have revoked all active access tokens with the Drift application and removed it from the Salesforce AppExchange.
- A campaign exploiting VS Code extensions revealed a loophole in the VS Code Marketplace, allowing attackers to reuse names of previously removed packages to distribute ransomware. The malicious extension “shiba” executed a multi-stage attack, encrypting files and demanding ransom in Shiba Inu tokens, though no payment wallet address was provided. The loophole arises because removed extensions free up their names for reuse, contradicting VS Code Marketplace's documentation stating extension names must be unique. Attackers repeatedly used the name-reuse tactic from late 2024 to mid-2025.
- The Underground ransomware gang has been conducting targeted attacks against various companies globally, including those in South Korea, since July 2023. Utilizing a sophisticated encryption process that combines random number generation, AES symmetric encryption, and RSA asymmetric encryption, the malware ensures that decryption is impossible without the corresponding RSA private key. The gang conducts thorough reconnaissance to select specific targets, breaching systems prior to deploying customized ransomware. By deleting shadow copies and restricting remote desktop connections, the malware prevents recovery efforts. It selectively encrypts files based on their size, employing a stripe method for larger files, while excluding certain folders and file types to avoid system damage.
- Cybersecurity researchers have identified five distinct activity clusters linked to the threat actor Blind Eagle, which targeted Colombian government entities from May 2024 to July 2025. These attacks employed various tactics, including RATs and phishing lures, and were primarily aimed at the local, municipal, and federal levels of government. Blind Eagle's operations reflect both cyber espionage and financially motivated activity, with a significant focus on sectors such as the judiciary, education, and healthcare. Attack chains often used spear-phishing emails impersonating government agencies to deliver malicious documents. The group leveraged compromised email accounts and dynamic DNS services to obscure its infrastructure. Notably, it employed well-known RATs such as Lime RAT and AsyncRAT, indicating a persistent and evolving threat in the region, with the majority of its activity concentrated in Colombia.
- Seventy-seven malicious Android apps with over 19 million installs were removed from Google Play after a discovery by Zscaler's ThreatLabs. These apps primarily delivered adware, with Joker malware being the most prevalent, affecting nearly 25% of the analyzed applications. Joker can steal sensitive information, send texts, and subscribe users to premium services. Another variant, Harly, hides its malicious payload within seemingly legitimate apps like games and photo editors. The Anatsa banking trojan has also evolved, expanding its target list to 831 banking and cryptocurrency apps while using advanced evasion techniques. This latest campaign has shifted from remote code loading to direct payload installation, employing malformed APKs to evade detection.
- CORNFLAKE.V3 is a sophisticated backdoor malware linked to the threat groups UNC5518 and UNC5774, which exploit compromised websites to deliver malicious payloads. Since June 2024, UNC5518 has been using deceptive techniques, such as fake CAPTCHA pages, to lure users into executing downloader scripts that facilitate malware infections. CORNFLAKE.V3, which supports various payload types including executables and DLLs, establishes persistence through registry Run keys and communicates with its command-and-control server via HTTP. The malware conducts extensive reconnaissance, including Active Directory enumeration and credential harvesting through Kerberoasting, thereby enabling lateral movement within networks.
- Russian hackers linked to the FSB are exploiting a seven-year-old vulnerability (CVE-2018-0171) in Cisco devices to target critical infrastructure globally. This flaw allows unauthenticated attackers to remotely trigger device reloads, potentially causing DoS conditions or executing arbitrary code. Over the past year, the FBI has observed these hackers collecting configuration files from thousands of networking devices associated with U.S. entities and modifying them for unauthorized access. The group, known as Berserk Bear, has previously targeted various government and aviation networks. The attackers are employing custom SNMP tools and the SYNful Knock firmware implant to maintain long-term access and evade detection, indicating a significant ongoing threat to vulnerable systems.
- MuddyWater APT is executing a sophisticated spear-phishing campaign aimed at CFOs and finance executives worldwide. This campaign employs social engineering tactics, including impersonating a Rothschild & Co recruiter, to lure victims to Firebase-hosted phishing pages featuring custom CAPTCHA challenges. Attackers utilize multi-stage payload delivery methods, incorporating malicious VBS scripts and ZIP archives to install legitimate remote-access tools like NetBird and OpenSSH, ensuring persistent access to compromised systems. The investigation revealed a shift in infrastructure from 192.3.95.152 to 198.46.178.135, with multiple hosting paths observed.
- Blue Locker ransomware is targeting critical government institutions and the oil and gas sector in Pakistan, including Pakistan Petroleum Limited (PPL). The ransomware uses PowerShell-based loaders and phishing emails to deliver its payload, encrypt files, and demand ransom payments. NCERT issued high-alert notifications to 39 ministries to mitigate risks, emphasizing robust cybersecurity measures and employee awareness training. Blue Locker is linked to the Shinra malware family, which shares similarities with RaaS models like Conti and Black Basta.
- Cisco Talos identified UAT-7237, a Chinese-speaking APT group targeting web infrastructure entities in Taiwan since 2022, using open-source and customized tools for long-term persistence. UAT-7237 employs a customized shellcode loader called "SoundBill" to decode and load shellcode, including Cobalt Strike payloads. It is assessed as a subgroup of UAT-5918, sharing victimology and tooling but differing in tactics such as selective web shell deployment and reliance on SoftEther VPN and RDP access. The group exploits known vulnerabilities on unpatched servers to gain initial access and uses tools for reconnaissance, credential extraction, and network scanning.
- A malvertising campaign has been observed distributing PS1Bot, a multi-stage malware framework implemented in PowerShell and C#. This malware features a modular design, enabling various malicious activities such as information theft, keylogging, and establishing persistent access on infected systems. PS1Bot minimizes artifacts by executing modules in memory, avoiding disk writes. Victims are initially delivered a compressed archive containing a downloader script, which retrieves additional payloads from attacker-controlled servers. The malware can exfiltrate sensitive information, including passwords and cryptocurrency wallet data, through various modules. It uses techniques like environmental polling and dynamic compilation of C# DLLs to enhance its capabilities and evade detection, showcasing significant overlaps with previous malware families like Skitnet and AHK Bot.
New Threats
This month brought to light several new threats, showcasing how adversaries are blending AI, advanced evasion tactics, and multi-stage attack chains to expand their reach. ESET has uncovered PromptLock, the first known AI-driven ransomware leveraging the gpt-oss:20b model to craft malicious Lua scripts capable of scanning, stealing, and encrypting files across Windows, Linux, and macOS, with indications of further destructive features in development. In Indonesia, threat actors are exploiting the state pension fund TASPEN via a fake Android portal app that deploys a banking trojan and spyware to harvest credentials, biometrics, and OTPs through encrypted C2 channels, likely linked to Chinese-speaking groups. Meanwhile, researchers identified QuirkyLoader, a stealthy malware loader active since late 2024, that uses DLL side-loading, process hollowing, and unique Speck-128 encryption to deliver infostealers and RATs, with observed campaigns targeting organizations such as Nusoft in Taiwan.
- ESET has discovered PromptLock, the first AI-driven ransomware that utilizes OpenAI’s gpt-oss:20b model to generate and execute malicious Lua scripts for scanning, stealing, and encrypting files on multiple platforms, including Windows, Linux, and macOS. This ransomware employs the SPECK 128-bit encryption algorithm and has been identified as a work-in-progress, with a potential data destruction feature that has not yet been implemented.
- A new malware campaign is exploiting Indonesia's state pension fund, TASPEN, by deploying a malicious Android application disguised as an official portal. Targeting pensioners and civil servants, the banking trojan and spyware leverage legacy system vulnerabilities to steal sensitive data, including banking credentials and biometric information. The operation begins with a phishing website that tricks victims into downloading the APK, employing advanced evasion tactics to avoid detection. The malware, packed with DEX encryption, unpacks at runtime and uses various services to intercept one-time passwords and monitor user activity. Communication with command-and-control servers occurs through encrypted channels, indicating potential links to Chinese-speaking threat actors. This attack not only threatens individual financial security but also undermines public trust in Indonesia's digital ecosystem.
- A zero-day vulnerability in FreePBX, identified as CVE-2025-57819, poses a significant threat to systems with exposed administrator control panels. This vulnerability, which has a maximum CVSS score of 10.0, allows unauthenticated users to access the FreePBX Administrator, leading to potential arbitrary database manipulation and remote code execution. Exploitation began on or before August 21, 2025, affecting FreePBX versions 15, 16, and 17. Attackers have exploited insufficient IP filtering and access control lists to gain unauthorized access, eventually seeking root-level control. The Sangoma FreePBX Security Team has confirmed active exploitation in the wild, with evidence of backdoors being installed post-compromise.
- Mosyle revealed a new Mac malware strain called JSCoreRunner, which evades detection and spreads through a fake PDF conversion site, fileripple[.]com. The malware operates in two stages: "FileRipple.pkg," a signed package now blocked by macOS, and "Safari14.1.2MojaveAuto.pkg," an unsigned package that bypasses Gatekeeper protections. JSCoreRunner hijacks Chrome browser settings, redirecting searches to fraudulent sites, enabling phishing attacks, and facilitating data theft. The malware modifies Chrome profiles, hides crash logs, and avoids detection while targeting search engine settings.
- Truesec has identified a large cybercrime campaign promoting a trojanized PDF editor called "AppSuite PDF Editor" through Google advertising. The malicious PDF Editor.exe file installs an information-stealing malware dubbed "TamperedChef," which harvests sensitive data, including credentials and web cookies. The campaign began on June 26, 2025, and the malicious capabilities were activated on August 21, 2025. The threat actor has used digital certificates from various companies to sign the malware.
- Between June and August, over 300 entities were targeted in a malvertising campaign utilizing the Atomic macOS Stealer (AMOS) by the cybercrime group Cookie Spider. Victims were lured into executing malicious commands that fetched a Bash script, enabling the installation of a variant called SHAMOS. This malware conducted reconnaissance and data theft, searching for sensitive information such as passwords, Keychain data, and cryptocurrency wallet details, which it exfiltrated to remote servers in ZIP archives. The campaign, which spanned multiple countries but excluded Russia, cleverly impersonated a legitimate Australian electronics store to bypass security measures.
- QuirkyLoader is a newly identified malware loader that has been actively delivering various infostealers and remote access tools since November 2024. This multi-stage infection process begins with malicious emails containing an archive file that includes a legitimate executable, an encrypted payload, and a malicious DLL. By employing DLL side-loading, QuirkyLoader executes the DLL, which decrypts and injects the final payload into target processes using techniques like process hollowing. Notably, the loader's DLL module is consistently written in C# .NET and utilizes Ahead-of-Time (AOT) compilation to disguise its true nature. QuirkyLoader has been observed in campaigns targeting specific organizations, such as Nusoft in Taiwan, and employs unique encryption methods, including the Speck-128 cipher, to evade detection and execute its malicious activities effectively.
- Apple issued emergency updates for iOS 18.6.2 and iPadOS 18.6.2 to fix a critical zero-day vulnerability actively exploited in attacks. The vulnerability (CVE-2025-43300) is an out-of-bounds write issue in the ImageIO framework, triggered by malicious image files. Exploitation can lead to memory corruption and unauthorized device access, affecting millions of users globally. Devices impacted include iPhone XS and later models, and various iPad generations such as iPad Pro, iPad Air, and iPad mini. The attacks are described as "extremely sophisticated," potentially linked to nation-state actors or advanced threat groups.
- Researchers have identified significant vulnerabilities in the Terrestrial Trunked Radio (TETRA) communications protocol, particularly affecting its end-to-end encryption mechanism. These vulnerabilities include issues that allow replay and brute-force attacks, potentially enabling attackers to decrypt encrypted traffic. Notable vulnerabilities include the risk of replay attacks on voice streams and the use of a weakened AES-128 implementation, which reduces key entropy, making it susceptible to brute-force methods. Additionally, TETRA networks can be exploited through message injection due to a lack of authentication.
- Researchers identified a new variant of the DarkCloud malware campaign, which begins with a phishing email containing a malicious RAR archive. This archive includes an obfuscated JavaScript file that, when executed, runs PowerShell code to load an encrypted .NET DLL disguised as a legitimate Task Scheduler module. The malware establishes persistence by copying itself and modifying the system registry, while downloading a fileless payload from a remote URL. The DarkCloud payload, written in Visual Basic 6, employs anti-analysis techniques to avoid detection, such as monitoring user activity to evade sandboxes. It collects sensitive information, including login credentials and payment data from various applications, and exfiltrates this data via SMTP, sending it to the attacker as text files.