Cyware Monthly Threat Intelligence


Monthly Threat Briefing March 2, 2022

The Good

As we brace for the ever-growing cyber-physical threats in the current landscape, let us first take you through some top developments for the month. Researchers from several organizations devised a Quantum Key Distribution (QKD) network that withstands quantum computing attacks while sustaining 800Gbps of encrypted traffic. New York state vowed to boost its cyber defenses and add more cyber talent via a centralized cybersecurity operations center.

  • Researchers from JPMorgan Chase, Ciena, and Toshiba developed a unique QKD network for metropolitan areas that is resistant to quantum computing attacks. The QKD network sustains 800Gbps of encrypted traffic under real-world conditions and can rapidly identify and defend against quantum computing threats.

  • The Singapore government announced plans to design a quantum-safe network to demonstrate crypto-agile connectivity and encourage trials with private and public firms. The initiative is driven by the Quantum Engineering Program (QEP) and includes a quantum security lab for vulnerability research. The project is supported by the National Research Foundation, along with 15 partners from both the public and private sectors. The three-year program aims to conduct an extensive analysis of security systems and design guidelines to support organizations adopting quantum-safe technologies.

  • New York City established a centralized cybersecurity hub to aid state officers during a cyber crisis. The Joint Security Operations Center consists of experts from state and federal law enforcement agencies, NYC3, and representatives from county and local governments.

  • The DHS announced the creation of a new Cyber Safety Review Board that brings together security experts from the private and public sectors to review and analyze cybersecurity incidents. The board was created under the executive order signed by the U.S. President last year. Its first task will focus on the Log4j vulnerabilities.

  • In light of the rise in sophisticated cyberattacks targeting critical infrastructure throughout 2021, cybersecurity agencies from Australia, the U.K., and the U.S. released a joint advisory that outlines attacker trends and behaviors and provides mitigation recommendations.

The Bad

The Russia-Ukraine conflict has precipitated attacks in cyberspace as well. Every day, researchers are reporting damage on both sides. Russian threat actors were also found sniffing around the U.S. defense sector. Meanwhile, several crypto crimes in February cost businesses millions of dollars.

  • The Russia-Ukraine crisis spilled into the cyber domain as multiple Ukrainian government sites and two of the country’s largest banks were once again hit with a wave of DDoS attacks. In response, multiple Russian government websites also experienced DDoS attacks. Furthermore, a new data wiper malware, dubbed HermeticWiper, was found targeting financial organizations and government contractors in Ukraine.

  • A vulnerability in the Wormhole cryptocurrency platform allowed a threat actor to steal an estimated $322 million worth of Ether cryptocurrency. The attackers exploited the ‘smart contracts’ feature on the platform to hack the portal.

  • A statement released by CISA last month revealed that Russian state-sponsored operatives have been targeting the networks of U.S. cleared defense contractors to obtain sensitive information. Some of these attacks have been ongoing for at least six months. According to the agency, the threat actors use tactics such as spear-phishing and brute-force attacks to breach networks.

  • The BlackCat ransomware group was held responsible for recent cyberattacks on two German oil companies, which ultimately affected hundreds of gas stations across northern Germany. The firms took immediate action as part of their contingency plans. Meanwhile, the gang has confirmed that its members formerly belonged to the notorious BlackMatter/DarkSide ransomware operation.

  • A targeted spear-phishing campaign called Operation EmailThief exploited an XSS zero-day vulnerability in Zimbra to target several government and media organizations in Europe. Launched by a threat actor named TEMP_Heretic, the campaign was executed in December 2021 in two phases. The initial phase aimed at reconnaissance and leveraged specially crafted phishing emails.

  • More than 500 online stores running the outdated Magento 1 platform were compromised in a large-scale digital skimming attack. Researchers observed nearly 19 backdoors deployed on the compromised systems. All of these websites were compromised by exploiting a known vulnerability in the Quickview plugin.

  • The U.K. Foreign Office was the target of a serious cybersecurity incident. According to media reports, attackers infiltrated Foreign, Commonwealth and Development Office (FCDO) systems. Few details were made available about the attack, and BAE Systems Applied Intelligence was called in for urgent remediation.

  • A low-profile threat actor tracked as TA2541 has been targeting entities in the aviation sector since 2017. The attacker uses off-the-shelf malware and relies on malicious Microsoft Word documents to deliver trojans such as AsyncRAT, NetWire, WSH RAT, and Parallax. Most of the lure themes use transportation-related terms, such as flight, aircraft, fuel, yacht, and charter.

  • New South Wales Premier Dominic Perrottet admitted to a data leak caused by a misconfigured NSW government website. The leak exposed more than 500,000 addresses, including defense sites, a missile maintenance unit, and domestic violence shelters.

  • The San Francisco 49ers NFL team confirmed a ransomware attack that encrypted files on its corporate IT network. The attack is the work of the BlackByte ransomware gang, which claimed responsibility by leaking some stolen files on its site. The team added that it has taken mitigation steps to contain the attack and has informed law enforcement.

  • A hack on the OpenSea platform affected 32 of its users, causing a loss of 254 tokens worth nearly $1.7 million. While the attack is no longer active, it is believed that the affected users may have signed a malicious payload sent by the attacker. The attack vector is still unknown.

  • A new attack campaign targeted publicly exposed, unpatched Microsoft SQL servers. The attackers scanned for port 1433 to find reachable servers, then launched brute-force or dictionary attacks to gain access to system administrator accounts. Once inside, the attackers deployed Cobalt Strike beacons on the compromised hosts.
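The MSSQL campaign above hinges on password guessing against the administrator login, which leaves a trail of failed-login entries in the SQL Server ERRORLOG. The following detector is an added example, not part of the original briefing or any vendor tool: it parses a constructed sample of ERRORLOG lines, counts failures per client and login inside a sliding window, and also flags a success that follows a burst of failures (the pattern a successful brute-force leaves). The log line format and the thresholds are assumptions; successful-login lines only appear when the server's login auditing is configured to record them.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample ERRORLOG lines (not real data): a burst of failed 'sa'
# logins from one client, a success from the same client, then benign noise.
SAMPLE_LOG = """\
2022-02-15 10:21:33.12 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2022-02-15 10:21:33.40 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2022-02-15 10:21:33.71 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2022-02-15 10:21:34.05 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2022-02-15 10:21:34.33 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.45]
2022-02-15 10:21:35.02 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.45]
2022-02-15 10:25:01.00 Logon       Login failed for user 'appuser'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.8]
"""

# Assumed line layout: timestamp, "Logon" source, outcome, login name, client IP.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login (?P<outcome>failed|succeeded) for user '(?P<user>[^']+)'.*"
    r"\[CLIENT: (?P<client>[^\]]+)\]"
)

def parse(line):
    """Return a dict for a logon line, or None for lines we do not track."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"),
            "outcome": m["outcome"], "user": m["user"], "client": m["client"]}

def detect(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return (client, user, kind) alerts for failure bursts and for a success
    that follows recent failures from the same client for the same login."""
    recent = defaultdict(deque)   # (client, user) -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        key = (ev["client"], ev["user"])
        q = recent[key]
        while q and ev["ts"] - q[0] > window:   # drop failures outside the window
            q.popleft()
        if ev["outcome"] == "failed":
            q.append(ev["ts"])
            if len(q) == threshold:             # fire once per burst
                alerts.append((ev["client"], ev["user"], "brute_force"))
        elif q:                                  # success right after a burst
            alerts.append((ev["client"], ev["user"], "success_after_failures"))
            q.clear()
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Tune `threshold` and `window` to the server's normal failure rate before relying on the first alert type; the second type is the higher-confidence signal.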

New Threats

Moving on, security researchers have laid bare new threats in the form of a backdoor used for espionage, a RAT used by an APT group, and a refreshed malware with added capabilities, among others. The month also witnessed new updates in attack tactics involved in espionage campaigns of Chinese as well as North Korean threat groups. In other news, adversaries reportedly continued to exploit the Log4Shell flaws.

  • Microsoft warned about a new class of threats, named ice phishing, affecting Web3 and blockchain networks. Ice phishing involves luring a user into signing an agreement that assigns the user’s tokens to the malicious actor. It does not involve the user's private keys at all. The transaction requires interaction with DeFi smart contracts for a token swap to occur.

  • A new backdoor, dubbed Marlin, was associated with a long-running espionage campaign named Out to Sea that started in April 2018. The malware is a new addition to the arsenal of the OilRig (aka APT34) threat actor group. Victims of the campaign include diplomatic organizations, technology companies, and medical organizations in Israel, Tunisia, and the United Arab Emirates.

  • A newly unearthed Golang-based botnet, Kraken, is under active development, researchers claimed. The botnet features an array of backdoor capabilities to pilfer sensitive information from compromised Windows hosts. It uses SmokeLoader to spread quickly, gaining control over hundreds of devices at a time.

  • A new phishing email campaign was found distributing the Emotet trojan. The campaign leveraged stolen email threads to bypass security systems. It included a zip file that resulted in the execution of Excel 4.0 macros.

  • Hackers distributed a new version of the CryptBot infostealer via pirated software sites that offered free downloads of games and pro-grade software. The operators behind the malware were leveraging SEO poisoning tactics to increase the visibility of these sites. The malware is capable of stealing browser credentials, cookies, browser history, cryptocurrency wallets, and credit card details.

  • Researchers at Positive Security built an Apple AirTag clone that bypasses anti-stalking protection features while running on Apple's Find My protocol. The cloned AirTag could be used to track iPhone users without triggering a tracking notification.

  • In a significant revelation, researchers found that numerous Windows machines located in South Korea have been targeted by the PseudoManuscrypt botnet since at least May 2021. The botnet uses the same tactics as CryptBot and is distributed as an installer or via cracked software.

  • A new malware, Mars Stealer, was discovered in the wild. Researchers believe it is a redesign of the Oski malware, whose development was abruptly shut down in 2020. Mars Stealer can steal data from all popular web browsers, two-factor authentication plugins, and multiple cryptocurrency extensions and wallets.

  • Researchers observed a new StrifeWater RAT being used by the Moses APT group. The RAT has multiple evasion and screen-capture capabilities. It can also establish persistence, download additional extensions, and execute system commands.

  • A Chinese threat actor group tracked as Antlion was seen using a new custom backdoor called xPack to target organizations in the financial and manufacturing sectors. The campaign has been active for over 18 months, and the backdoor allows attackers to run WMI commands remotely. The ultimate goal of the campaign is to exfiltrate data from infected networks.

  • Researchers tracked down a new campaign that exploits the Log4j vulnerability. The campaign is linked to the Iran-based TunnelVision APT group and is being used to deploy ransomware on machines running vulnerable VMware Horizon instances.

  • A new wave of attack campaigns from the Kimsuky hacking group has been delivering a custom backdoor, dubbed Gold Dragon. The malware is a second-stage backdoor that establishes persistence on the victim’s system. It also helps the attackers install the xRAT tool to manually steal sensitive data from the targeted system.

  • Siemens released nine advisories to address 27 new flaws in its SIMATIC products. The vulnerabilities, if exploited, could allow attackers to remotely launch DoS attacks against several Siemens PLCs and related products.
