Cyware Monthly Threat Intelligence

The Good

Quantum computing will change cryptography as we know it. The U.S. President signed a bipartisan law referring to post-quantum cybersecurity guidelines. Investments in cybersecurity are on the rise. U.S. Congress set aside $2.9 billion in funds for cybersecurity initiatives in the FY2023 spending bill. In the wake of rising cyberattacks in France, the government announced its plan to train all its employees at the most important health facilities under a new initiative by May 2023.

President Joe Biden signed the Quantum Computing Cybersecurity guidelines into law to motivate federal agencies to adopt technology protected from decryption by quantum computing. Called Quantum Computing Cybersecurity Preparedness Act, the bill will help organizations to protect their systems against quantum tech threats.
The FTC and the HHS updated their Mobile Health App Interactive Tool to improve the data security of patients. The tool is for anyone developing a mobile app to understand the implications of collecting and misusing the PHI of patients. It also helps developers navigate the patchwork of different laws that may be applicable while building mobile apps to ensure that any sensitive health information is protected accordingly.
About $2.9 billion has been allocated to the CISA for the fiscal year 2023. With the given budget, the CISA aims to improve emergency communications preparedness and strengthen civilian and government networks. A portion of the amount will also be used for CISA’s advanced cybersecurity operations.
The French government has announced a vast training program to help hospitals and medical facilities protect themselves against cyberattacks. The development comes following repeated attacks against hospitals that saw either hackers damaging their critical infrastructures or stealing patients’ sensitive data.

The Bad

Financial and healthcare institutions remained the top sectors as the hotbed of cyberattacks. The California Department of Finance and crypto platforms, such as 3Commas, BitKeep, and BTC[.]com, were added to the long list of hacks that took place last year in the crypto world. Victims in healthcare include Lake Charles Memorial Health and a hospital in Riverside County of California. Besides, security analysts laid bare an investment scam group that victimized at least 40 firms in fintech, cryptocurrency, and asset management services.

The Royal ransomware group claimed responsibility for a cyberattack against telecommunications company Intrado. As proof of the breach, the gang shared a 52.8MB archive containing scans of passports, business documents, and driver’s licenses of employees.
The California Department of Finance confirmed that it suffered a security breach, hours after the LockBit ransomware gang listed the agency as a victim on its dark web leak site. The gang has given time until Christmas eve to avoid the publishing of more than 500GB of stolen files.
Restaurant CRM platform SevenRooms confirmed suffering a data breach after a hacker claimed to have stolen 427GB of customer records and leaked a sample on a cybercrime forum. The leaked sample included a folder named after big restaurant chains, clients of SevenRooms, API keys, promo codes, payment reports, reservation lists, and more.
A hospital in California’s Riverside County reported a data breach that impacted its patients’ sensitive information, such as Social Security numbers and medical information. According to the notice, the hackers had unauthorized access to the data between October 29 and November 10.
The details of more than 70,000 Uber employees have reportedly been leaked online, marking another data breach for the company this year. The incident occurred after a threat actor targeted a third-party software provider, Teqtivity, used by Uber for IT asset management services.
Members of the North Korean Kimsuky cyberespionage group have been found impersonating think tank members to reach out to political and foreign affairs analysts. It was also associated with a new spear-phishing campaign that was aimed at nearly 900 foreign policy experts in South Korea.
Australian telecommunications giant TPG revealed that emails of 15,000 iiNet and Westnet business customers were breached as hackers looked for cryptocurrency and other financial information. Investigation into the incident is underway. However, the breach did not affect mobile or broadband services.
Comcast Xfinity accounts were hacked through credential stuffing attacks that bypassed the 2FA protection. This enabled the attackers to use the compromised customer accounts and reset passwords for other sites, such as Coinbase and Gemini.
The Play ransomware group claimed to have stolen an unconfirmed amount of data from H-Hotels. The group has recently listed the company as a victim on its Tor site. It allegedly pilfered private and personal data, including client documents, IDs, passport data, and more. While H-Hotels denied the possibility of data exfiltration last week, hackers have also failed to present any proof.
Several crypto platforms, including BTC[.]com, 3Commas, and Bitkeep, lost millions to cybercriminals in different hacking incidents. BTC[.]com lost approximately $3 million worth of crypto assets. 3Commas suffered a massive API key hack impacting Kucoin, Coinbase, and Binance. Hackers exploited BitKeep wallets to steal around $8 million worth of assets.
Popular authentication services and IAM solutions provider Okta suffered a breach impacting its private GitHub source code repositories. The company said attackers could not access the Okta service or its customers’ data.
Threat actors used Black Basta ransomware to steal sensitive data from multiple electric utilities linked to the Chicago-based engineering firm Sargent & Lundy, which is also a major U.S. government contractor. The attack occurred in October.
Lake Charles Memorial Health System in Louisiana disclosed that the personal data of nearly 270,000 patients were accessed in an October ransomware attack. This included patients’ health insurance information, medical records, and Social Security numbers.
A previously unknown investment scam group named CryptosLabs has reportedly stolen up to $505 million from victims in France, Belgium, and Luxembourg. The group has been active since 2018 and has targeted over 40 companies in fintech, cryptocurrency, and asset management services.

New Threats

Besides, researchers took the wraps off an offensive marketplace, InTheBox, that has been relaying 400+ customer web injects to other hackers. New ransomware strains Cryptonite and CatB and a potential info-stealer dubbed RisePro surfaced last month. Meanwhile, Xnspy spyware app was found laced with flaws exposing the personal data of iPhones and Android users.

The recently discovered Cryptonite ransomware was discovered in the wild as a wiper malware used to target Microsoft Windows users. The malware implements the common functionality of ransomware but it does not offer the decryption key.
Resecurity researchers shared details of a darknet marketplace, called InTheBox, which offers over 400 custom web injects to launch mobile malware attacks. Web injects enable attackers to serve malicious HTML or JavaScript code in the form of an overlay screen and steal information when victims launch banking, crypto, and e-commerce apps.
A new Go-based botnet called Zerobot was found exploiting dozens of vulnerabilities in IoT devices to expand its network. The malware is designed to target a wide range of CPU architectures such as i386, amd64, arm, arm64, mips, mips64, mips64le, mipsle, ppc64, ppc64le, riscv64, and s390x.
A new obfuscation service called Zombinder was discovered in a campaign employing several trojans, including Ermac, to target both Android and Windows systems. It is used to bind malicious payloads to a legitimate application.
The Formbook malware made a comeback in a campaign that used trojanized OneNote documents. The malware can steal data from various web browsers and other applications. It also has keylogging capabilities.
FortiGuard Labs encountered a Golang-based botnet named GoTrim that utilizes a bot network to perform distributed brute-force attacks against WordPress and OpenCart sites. The botnet campaign began in September and is still ongoing.
A malicious stalkerware app called Xnspy was found stealing and leaking data from tens of thousands of iPhones and Android devices. Once installed, the app silently pilfered call records, browsing history, location data, text messages, and photos from victims’ phones.
Experts from American universities demonstrated a new attack technique that could be used to eavesdrop on smartphone users. Called EarSpy, the technique relied on motion sensor data arising from the echo of speakers in Android phones.
A newly identified CatB ransomware group has been found implementing several anti-VM and DLL hijacking techniques to evade detection. The ransomware is believed to have a connection with Pandora ransomware.
A new info-stealer named RisePro has garnered popularity on the illicit dark web forum called Russian Market. The malware is a clone of Vidar stealer and has been designed primarily to steal credentials and exfiltrate them in the form of logs.
The CISA added two-year-old security flaws impacting TIBCO Software’s JasperReports products to its list of most exploited vulnerabilities catalog. The flaws, tracked as CVE-2018- 5430 and CVE-2018-18809, are related to information disclosure vulnerability and directory traversal vulnerability respectively.
A new Android malware, dubbed BrasDex, was spotted targeting Brazilian users in a new campaign. Developed by threat actors behind the Casbaneiro banking trojan, the malware possesses a complicated keylogging capability that abuses Android Accessibility Services and pilfers credentials from a set of Brazilian banking apps.

Cyware Monthly Threat Intelligence, March 2025

ETSI has rolled out a new quantum-safe encryption standard featuring Covercrypt, a novel key encapsulation scheme with built-in access controls. By tying decryption permissions to user attributes, Covercrypt delivers speed and post-quantum security. The code caves of GitHub got a cleanup crew courtesy of Microsoft. A sprawling malvertising campaign that snagged nearly a million devices worldwide has been knocked down a peg. The race to outpace quantum threats is officially on. The NCSC has issued guidance to help organizations transition to post-quantum cryptography by 2035, with a focus on NIST-approved algorithms and planned support for critical sectors. A fresh face in the cybercrime underworld is juggling a bag of nasty surprises. EncryptHub is hitting users of QQ Talk, WeChat, Google Meet, and more with trojanized apps and slick multi-stage attacks. Lucid isn’t just phishing - it’s engineering trust through your inbox. This advanced PhaaS platform weaponizes the built-in features of iMessage and RCS to create hyper-realistic scams. A botnet is turning home routers into attack platforms. The Ballista botnet is exploiting an unpatched TP-Link Archer router flaw (CVE-2023-1389) to spread stealthily, using Tor domains and remote command execution to launch DDoS attacks worldwide.

Cyware Monthly Threat Intelligence, February 2025

Google ramped up its defenses against the quantum threat. The company rolled out quantum-resistant digital signatures in Cloud KMS, following NIST’s post-quantum cryptography standards. Cyber defenders sharpened their tools, this month, and EARLYCROW is the latest weapon against stealthy APT operations. This method detects C2 activity over HTTP(S) using a novel traffic analysis format called PAIRFLOW. PyPI adopted a "dead but not gone" approach to abandoned software with Project Archival, a new system that flags inactive projects while keeping them accessible. Developers will see warnings about outdated dependencies, helping them make smarter security choices and avoid relying on unmaintained code. China’s Salt Typhoon made itself right at home in global telecom networks. The group was caught using JumbledPath, a custom-built spying tool, to infiltrate ISPs in the U.S., Italy, South Africa, and Thailand. Russia’s Sandworm hackers are using pirated software as bait. Their latest attack on Ukrainian Windows users disguises malware inside trojanized KMS activators and fake Windows updates. The CISA flagged major security holes in Microsoft Outlook and Sophos XG Firewall. One flaw allows remote code execution in Outlook, while another exposes firewall users to serious risks. A new payment card skimming campaign turned Stripe’s old API into a weapon. Hackers inserted malicious scripts into checkout pages, validating stolen card details through Stripe before exfiltration. A new malware named Ratatouille is stirring up trouble by bypassing UAC and using I2P for anonymous communications. Spreading through phishing emails and fake CAPTCHA pages, it tricks victims into running an embedded PowerShell script. A new version of ValleyRAT was also spotted, using stealthy techniques to infiltrate systems. Researchers found the malware being spread through fake Chrome downloads.

Cyware Monthly Threat Intelligence, January 2025

The U.K took a proactive stance on cyber resilience with its Cyber Local initiative, injecting £1.9 million into 30 projects across England and Northern Ireland. The effort focuses on closing the cyber skills gap, fortifying small businesses, and supporting underrepresented groups. India tightened its grip on data privacy with new draft rules designed to give citizens more control over their personal information. The proposed regulations mandate clearer data processing disclosures, stricter security protocols, and swift breach reporting. Hackers turned to SparkRAT, an open-source GoLang RAT, to target macOS users and government entities. Initially released in 2022, its modular design and cross-platform capability have made it a cybercriminal favorite. More than 10,000 WordPress sites were hijacked in a large-scale malware campaign delivering AMOS to macOS users and SocGholish to Windows users. Attackers exploited outdated plugins to inject fake browser update prompts. Lumma Stealer is made its way through GitHub in a new malware campaign that abuses the platform’s release infrastructure. Attackers deployed malware like SectopRAT and Vidar, using secure-looking download links to exfiltrate data while evading detection. Cybercriminals deployed the Coyote banking trojan against financial firms in Brazil, using malicious Windows LNK files to execute PowerShell scripts. This malware established secure connections with C2 servers, enabling keylogging and data theft. A two-year-long phishing campaign targeted Microsoft’s advertising platform users through malicious Google Search ads. A Mirai-based botnet exploited zero-day vulnerabilities in industrial routers and smart home devices. With 15,000 active nodes daily, it launched high-intensity DDoS attacks surpassing 100 Gbps, posing a growing threat across multiple countries.

Cyware Monthly Threat Intelligence, December 2024

The cloud revolution isn’t just about convenience anymore; it’s now the frontline of defense. With CISA's new directive mandating cloud environment fortification, federal agencies face a race against time to safeguard Microsoft 365 and other services. Meanwhile, proposed updates to the HIPAA security rules push healthcare organizations toward stronger PHI protection with advanced technical controls and detailed incident planning. On the global front, Operation PowerOFF turned the tables on DDoS attackers, dismantling 27 illegal platforms and curbing festive-season chaos. The cyber battlefield sees no intermission as new threats take center stage. A phishing campaign, dubbed Aggressive Inventory Zombies (AIZ), exploited brand trust by mimicking retail giants and crypto platforms. Meanwhile, the resurrected BADBOX botnet has compromised 192,000 Android devices globally, sneaking into supply chains to wreak havoc with ad fraud and account abuse. Adding to the turbulence, Poison Ivy (APT-C-01) resurged, targeting critical sectors with advanced phishing techniques and deploying Sliver RAT to breach systems and steal sensitive data. This month, new threats targeted IoT, banking, and app ecosystems, with threat actors unleashing diverse attacks. Iranian hackers deployed IOCONTROL malware to compromise IoT and OT systems, targeting critical infrastructure like gas stations. Meanwhile, the DroidBot banking malware infiltrates cryptocurrency and banking apps across Europe, leveraging MaaS operations for tailored attacks. Adding to the chaos, SpyLoan malware apps, with over eight million installs, exploited users in South America, Southeast Asia, and Africa, highlighting the escalating risks within app marketplaces. For detailed Cyber Threat Intel, click ‘Read More’.

Cyware Monthly Threat Intelligence, November 2024

The TSA reshaped the cybersecurity landscape for pipeline and railroad operators with proposed rules mandating incident reporting and risk management plans. Estimated to cost $2.1 billion over the next decade, the rules aimed to address growing cyber threats while balancing flexibility with resilience. Meta dismantled a sprawling web of over two million accounts tied to pig butchering scams in Southeast Asia and the UAE. Africa’s cybercrime ecosystem faced a decisive blow with Operation Serengeti, as over 1,000 suspects were arrested, and 134,000 malicious networks taken offline. TAG-110, a Russia-aligned threat group, launched a cyber-espionage campaign targeting governments and organizations in Asia and Europe. Using malware like HATVIBE and CHERRYSPY, it aimed to monitor geopolitical developments and assert influence. A botnet powered by Ngioweb malware converted 35,000 IoT devices into residential proxies. These compromised devices, found largely in the U.S., were sold on platforms like NSOCKS for malicious purposes. Water Barghest compromised over 20,000 IoT devices by exploiting known vulnerabilities. The group used Shodan to identify targets and deployed Ngioweb malware to connect them to its monetized network. LIMINAL PANDA, a Chinese cyberespionage group, has been targeting telecoms in South Asia and Africa since 2020. Using tools like SIGTRANslator and PingPong, the group exploits telecom protocols to steal critical data while staying undetected. NodeStealer has resurfaced, targeting Facebook Ads Manager accounts to steal credit card details and browser credentials. It uses Windows Restart Manager and Python scripts to execute its attacks, with stolen data sent via Telegram. BabbleLoader, a stealthy malware loader, delivers WhiteSnake and Meduza stealers. Disguised as accounting software, it targets English and Russian speakers, evading antivirus systems with advanced techniques.

The Good

The Bad

New Threats

Related Threat Briefings

Jun 1, 2025