Cyware Monthly Threat Intelligence

The Good

The necessity of creating a resilient cybersecurity framework for organizations of all sizes is now more crucial than ever. In this light, Google publicized Atheris—a tool to assist developers in identifying vulnerabilities—last month. The tech giant also rolled out a new feature that warns Chrome users of compromised passwords, along with other security measures. Further, cyber experts at NIST laid out security protocols for IoT devices used within the federal information systems.

Google security experts open-sourced a fuzzing tool, named Atheris, to help developers find security vulnerabilities and patch them before attackers abuse them. The tool supports Python 2.7, 3.3+, and native extensions created with CPython.
Last month, Google reportedly worked on Chrome’s Safety check feature that would alert users if their passwords were discovered in data breaches. This feature comes as a warning against weak passwords.
The NIST drafted a set of guidelines for federal agencies on improving security for IoT devices. The four new documents are drafted with the goal of integrating IoT devices into the security and privacy controls of federal information systems.
Apple, Cloudflare, and Fastly codesigned a new DNS benchmark to deal with privacy issues faced by DNS. The new standard would separate IP addresses from queries to mask requests and make it harder for attackers to track users online.
CISA’s Cloud Forensics team released a PowerShell-based tool, dubbed Sparrow, that is capable of detecting potentially compromised applications and accounts in Azure/Microsoft 365 environments.

The Bad

All’s well that ends well. However, it cannot be said in this case as hackers breached the Texas monitoring service company SolarWinds. The supply chain attack impacted several top federal agencies and Fortune 500 companies. Moreover, researchers uncovered a cyberespionage campaign compromising tens of iPhone devices of Al Jazeera employees allegedly by an Israel-based NSO group. In another vein, an extensive Emotet campaign crippled Lithuania’s National Center for Public Health (NVSC) and several municipalities.

Last month witnessed a massive supply chain attack on SolarWinds Orion platform used by several U.S. government agencies and private firms, such as Boeing, AT&T, and Ford. Microsoft stated that the ultimate purpose of the actors behind the SolarWinds supply chain attack was to access victims’ cloud assets after deploying the Solorigate backdoor on their local networks.
REvil (Sodinokibi) ransomware actors claimed to have pumped out about 600GB of documents from The Hospital Group and published a sample database with a threat to release before and after pictures of celebrity clients.
Vodafone-owned Ho mobile was caught in a data breach after an actor allegedly dumped about 2,500,000 customer records and other data on a hacker forum. Besides customers’ PII, leaked information included SIM card PUK code, ICCID number, IMSI number, and various base64-encoded hashes.
Fashion marketplace app 21 Buttons exposed over 50 million private files belonging to hundreds of influencers across Europe via a misconfigured AWS cloud storage bucket. Researchers discovered invoices for commissions paid by 21 Buttons to the influencers.
Broker business Freedom Finance allegedly leaked 12GB of confidential data of around 16,000 clients on darknet forums after an employee fell for a phishing email. The attackers were successful because an employee opened an email despite the security warning.
At least 36 employees of AlJazeera were targeted in a cyberespionage campaign that leveraged an invisible zero-click iOS exploit called KISMET to hack into their iPhones. The infection malware was traced back to the Israel-based cyber intelligence company NSO Group (previously criticized for selling spyware to governments).
ThreatNix unearthed a phishing campaign on Facebook touching 615,000 lives in Egypt, the Philippines, Pakistan, and Nepal. Criminals used ads to steal user credentials. The campaign would redirect users to GitHub where the actual phishing pages resided.
Cybercriminals compromised the DNS server of cryptocurrency firm Voyager Digital in a cyberattack that halted trading activities. The company tweeted that no funds or personal information were compromised.
More than 250,000 databases were compromised due to an ongoing ransomware attack that abused weak credentials on MySQL servers. The campaign was launched in January and, to date, 83,000 victims have been targeted.
The Netherlands-based staffing agency Randstad was hit by Egregor, in which its IT services were breached. The hackers published some internal corporate data, including financial reports and legal documents, in an extortion attempt.
A large-scale Emotet campaign infected the systems of Lithuania’s National Center for Public Health (NVSC) and several municipalities. As per reports, infected computers started sending fake emails or engaging in various types of malicious activities.
nTreatment inadvertently exposed thousands of medical records online after it failed to add password protection to a cloud server. The misconfigured server included medical records, doctors’ notes, insurance claims, lab test results from third-party providers, and other sensitive patient information.

New Threats

In a parallel world, healthcare continued to flounder due to external, as well as insider threats. A research group found 45 million medical images—including X-rays and CT scans—exposed on unprotected servers, while the Emotet group launched COVID-19 related phishing campaigns. Meanwhile, several threats including APTs, malware, and vulnerabilities made the final month of 2020 a bit challenging for security teams.

Unprotected online storage devices tied to hospitals and medical centers all over the world had left 45 million medical scans exposed to the internet. Not only these scans were available online over the past twelve months, but malicious folks had also accessed those servers and poisoned them with apparent malware.
Group-IB uncovered a cybercriminal gang, dubbed UltraRank, targeting more than a dozen e-commerce sites to knock off payment card data in a new campaign. Over the last five years, the cybercriminal group has targeted more than 700 e-commerce sites as well as 13 third-party suppliers in North America, Europe, Asia, and Latin America.
Sansec warned against a multi-platform credit card skimmer that can target online stores running on Shopify, BigCommerce, Zencart, and Woocommerce. The skimmer would show a bogus payment form that convincingly recorded customer keystrokes before they reached the actual checkout page.
Financial institutions in the U.S. and Canada were reported under greater risk from a new credential stealer—written in AutoHotkey (AHK) scripting language—that had various browsers such as Chrome, Opera, and Microsoft Edge on its target.
New variants of AgentTesla, Gitpaste-12 botnet, and SystemBC made impacts on several observed attack campaigns. These variants were designed to target more devices with additional abilities.
Security experts uncovered APT28, a Russia-linked cyberespionage gang, leveraging COVID-19 phishing lures to disseminate the Go version of its Zebrocy malware. The lure was spread as a part of a Virtual Hard Disk file that can be accessed only by Windows 10 users.
After a two-month hiatus, Emotet botnet returned in circulation around Christmas targeting unsuspecting users with Christmas and COVID-19-themed campaigns. Reports suggested that the group behind Emotet was hitting 100,000 targets per day.
Critical vulnerabilities discovered in D-Link routers make them susceptible to zero-day attacks. The flaws include an unauthenticated remote LAN/WAN root command injection flaw (CVE-2020-25757), authenticated root command injection vulnerability (CVE-2020-25759), and an authenticated crontab injection (CVE-2020-25758).
A new form of biohacking technique was reported that had the potential to disrupt operations in the biological research sector. The attack form focuses on infecting a biologist’s computer with malware and replacing substring in DNA sequencing at the same time.
A new strain of the RANA Android malware was spotted spying on Telegram, WhatsApp, Skype, and other instant messaging platforms. The malware has been linked to the APT39 Iranian cyberespionage group and possesses new surveillance functionalities.
Cisco Talos detected two RCE bugs—CVE-2020-7559 and CVE-2020-7560—in Schneider Electric EcoStruxure. These bugs could be abused by sending the target a specially designed network request or project archive.

Cyware Monthly Threat Intelligence, March 2025

ETSI has rolled out a new quantum-safe encryption standard featuring Covercrypt, a novel key encapsulation scheme with built-in access controls. By tying decryption permissions to user attributes, Covercrypt delivers speed and post-quantum security. The code caves of GitHub got a cleanup crew courtesy of Microsoft. A sprawling malvertising campaign that snagged nearly a million devices worldwide has been knocked down a peg. The race to outpace quantum threats is officially on. The NCSC has issued guidance to help organizations transition to post-quantum cryptography by 2035, with a focus on NIST-approved algorithms and planned support for critical sectors. A fresh face in the cybercrime underworld is juggling a bag of nasty surprises. EncryptHub is hitting users of QQ Talk, WeChat, Google Meet, and more with trojanized apps and slick multi-stage attacks. Lucid isn’t just phishing - it’s engineering trust through your inbox. This advanced PhaaS platform weaponizes the built-in features of iMessage and RCS to create hyper-realistic scams. A botnet is turning home routers into attack platforms. The Ballista botnet is exploiting an unpatched TP-Link Archer router flaw (CVE-2023-1389) to spread stealthily, using Tor domains and remote command execution to launch DDoS attacks worldwide.

Cyware Monthly Threat Intelligence, February 2025

Google ramped up its defenses against the quantum threat. The company rolled out quantum-resistant digital signatures in Cloud KMS, following NIST’s post-quantum cryptography standards. Cyber defenders sharpened their tools, this month, and EARLYCROW is the latest weapon against stealthy APT operations. This method detects C2 activity over HTTP(S) using a novel traffic analysis format called PAIRFLOW. PyPI adopted a "dead but not gone" approach to abandoned software with Project Archival, a new system that flags inactive projects while keeping them accessible. Developers will see warnings about outdated dependencies, helping them make smarter security choices and avoid relying on unmaintained code. China’s Salt Typhoon made itself right at home in global telecom networks. The group was caught using JumbledPath, a custom-built spying tool, to infiltrate ISPs in the U.S., Italy, South Africa, and Thailand. Russia’s Sandworm hackers are using pirated software as bait. Their latest attack on Ukrainian Windows users disguises malware inside trojanized KMS activators and fake Windows updates. The CISA flagged major security holes in Microsoft Outlook and Sophos XG Firewall. One flaw allows remote code execution in Outlook, while another exposes firewall users to serious risks. A new payment card skimming campaign turned Stripe’s old API into a weapon. Hackers inserted malicious scripts into checkout pages, validating stolen card details through Stripe before exfiltration. A new malware named Ratatouille is stirring up trouble by bypassing UAC and using I2P for anonymous communications. Spreading through phishing emails and fake CAPTCHA pages, it tricks victims into running an embedded PowerShell script. A new version of ValleyRAT was also spotted, using stealthy techniques to infiltrate systems. Researchers found the malware being spread through fake Chrome downloads.

Cyware Monthly Threat Intelligence, January 2025

The U.K took a proactive stance on cyber resilience with its Cyber Local initiative, injecting £1.9 million into 30 projects across England and Northern Ireland. The effort focuses on closing the cyber skills gap, fortifying small businesses, and supporting underrepresented groups. India tightened its grip on data privacy with new draft rules designed to give citizens more control over their personal information. The proposed regulations mandate clearer data processing disclosures, stricter security protocols, and swift breach reporting. Hackers turned to SparkRAT, an open-source GoLang RAT, to target macOS users and government entities. Initially released in 2022, its modular design and cross-platform capability have made it a cybercriminal favorite. More than 10,000 WordPress sites were hijacked in a large-scale malware campaign delivering AMOS to macOS users and SocGholish to Windows users. Attackers exploited outdated plugins to inject fake browser update prompts. Lumma Stealer is made its way through GitHub in a new malware campaign that abuses the platform’s release infrastructure. Attackers deployed malware like SectopRAT and Vidar, using secure-looking download links to exfiltrate data while evading detection. Cybercriminals deployed the Coyote banking trojan against financial firms in Brazil, using malicious Windows LNK files to execute PowerShell scripts. This malware established secure connections with C2 servers, enabling keylogging and data theft. A two-year-long phishing campaign targeted Microsoft’s advertising platform users through malicious Google Search ads. A Mirai-based botnet exploited zero-day vulnerabilities in industrial routers and smart home devices. With 15,000 active nodes daily, it launched high-intensity DDoS attacks surpassing 100 Gbps, posing a growing threat across multiple countries.

Cyware Monthly Threat Intelligence, December 2024

The cloud revolution isn’t just about convenience anymore; it’s now the frontline of defense. With CISA's new directive mandating cloud environment fortification, federal agencies face a race against time to safeguard Microsoft 365 and other services. Meanwhile, proposed updates to the HIPAA security rules push healthcare organizations toward stronger PHI protection with advanced technical controls and detailed incident planning. On the global front, Operation PowerOFF turned the tables on DDoS attackers, dismantling 27 illegal platforms and curbing festive-season chaos. The cyber battlefield sees no intermission as new threats take center stage. A phishing campaign, dubbed Aggressive Inventory Zombies (AIZ), exploited brand trust by mimicking retail giants and crypto platforms. Meanwhile, the resurrected BADBOX botnet has compromised 192,000 Android devices globally, sneaking into supply chains to wreak havoc with ad fraud and account abuse. Adding to the turbulence, Poison Ivy (APT-C-01) resurged, targeting critical sectors with advanced phishing techniques and deploying Sliver RAT to breach systems and steal sensitive data. This month, new threats targeted IoT, banking, and app ecosystems, with threat actors unleashing diverse attacks. Iranian hackers deployed IOCONTROL malware to compromise IoT and OT systems, targeting critical infrastructure like gas stations. Meanwhile, the DroidBot banking malware infiltrates cryptocurrency and banking apps across Europe, leveraging MaaS operations for tailored attacks. Adding to the chaos, SpyLoan malware apps, with over eight million installs, exploited users in South America, Southeast Asia, and Africa, highlighting the escalating risks within app marketplaces. For detailed Cyber Threat Intel, click ‘Read More’.

Cyware Monthly Threat Intelligence, November 2024

The TSA reshaped the cybersecurity landscape for pipeline and railroad operators with proposed rules mandating incident reporting and risk management plans. Estimated to cost $2.1 billion over the next decade, the rules aimed to address growing cyber threats while balancing flexibility with resilience. Meta dismantled a sprawling web of over two million accounts tied to pig butchering scams in Southeast Asia and the UAE. Africa’s cybercrime ecosystem faced a decisive blow with Operation Serengeti, as over 1,000 suspects were arrested, and 134,000 malicious networks taken offline. TAG-110, a Russia-aligned threat group, launched a cyber-espionage campaign targeting governments and organizations in Asia and Europe. Using malware like HATVIBE and CHERRYSPY, it aimed to monitor geopolitical developments and assert influence. A botnet powered by Ngioweb malware converted 35,000 IoT devices into residential proxies. These compromised devices, found largely in the U.S., were sold on platforms like NSOCKS for malicious purposes. Water Barghest compromised over 20,000 IoT devices by exploiting known vulnerabilities. The group used Shodan to identify targets and deployed Ngioweb malware to connect them to its monetized network. LIMINAL PANDA, a Chinese cyberespionage group, has been targeting telecoms in South Asia and Africa since 2020. Using tools like SIGTRANslator and PingPong, the group exploits telecom protocols to steal critical data while staying undetected. NodeStealer has resurfaced, targeting Facebook Ads Manager accounts to steal credit card details and browser credentials. It uses Windows Restart Manager and Python scripts to execute its attacks, with stolen data sent via Telegram. BabbleLoader, a stealthy malware loader, delivers WhiteSnake and Meduza stealers. Disguised as accounting software, it targets English and Russian speakers, evading antivirus systems with advanced techniques.

Related Threat Briefings

Jun 1, 2025