Cyware Monthly Threat Intelligence

The Good

Cybercriminals are quickly catching up with security protocols that come along with quantum computers. In the wake of it, the NIST has finalized the first four quantum-resistant cryptographic algorithms that researchers have been working on for nearly six years. The collection of personal sensitive data by various tech firms to cater to us better is backfiring due to the shadowy ad tech and data broker ecosystem. This has prompted the FTC to caution tech firms against sharing such sensitive data with third parties.

The exploitation of sensitive data, including users' browser behavior, healthcare data, and their precise whereabouts, is rising with each passing day. The U.S. Federal Trade Commission (FTC) has issued a warning that it will take action against tech companies that are illegally using and sharing highly sensitive data of users. The agency aims at using the full scope of its legal authorities to protect consumers’ privacy.
Google has officially added support for DNS-over-HTTP/3 (DoH3) in Android to keep DNS queries private. This will effectively prevent third parties from snooping on users' browsing activities. Phones running Android 11 and higher versions are expected to use DoH3 instead of DNS-over-TLS (DoT), which came with Android 9.0.
After six years, the NIST handpicked four encryption algorithms—CRYSTALS-Kyber, CRYSTALS-Dilithium, FALCON, and SPHINCS+—that will withstand attacks from quantum computers. While CRYSTALS-Kyber will be used for access to websites, the other three are to protect digital signatures. These algorithms will also be helpful in safeguarding daily-in-use critical online banking and email software systems.
The U.S. federal credit union regulators announced a new mandate to report cyber incidents. According to the new proposed rule, federally chartered credit union organizations are required to report within 72 hours of a cyberattack and apply for third-party security breaches as well.

The Bad

The efforts to disrupt the Web3 universe are intensifying with each passing day. In the past month, security experts witnessed multiple decentralized protocols and platforms, including Uniswap, Crema Finance, Audius, and Premint, lose tens of millions of dollars altogether. Meanwhile, researchers reported European cyber mercenaries dropping Subzero surveillance malware on the networks of entities in Central America and Europe. In other news, the virtual pets website Neopets fell victim to a breach affecting millions of people worldwide.

The FBI issued a warning against cybercriminals distributing fake cryptocurrency investment applications to crypto enthusiasts in the U.S. They make users install fake apps and deposit funds into wallets allegedly associated with the victims' accounts. Cybercriminals defrauded at least 244 investors to pilfer roughly $42.7 million.
The decentralized music platform Audius was hacked, with threat actors stealing over 18 million AUDIO tokens worth approximately $6 million. The hacker exploited a bug in the contract initialization code to launch the hack.
Austrian hack-for-hire company DSIRF, along with the Knotweed gang, was spotted abusing multiple bugs in Windows and Adobe software products in a targeted attack campaign against European and Central American individuals. The Private-Sector Offensive Actor (PSOA) drops a surveillance tool known as Subzero. The malware can be used to hack phones, computers, and IoT devices.
American Marriage Ministries (AMM) disclosed a data breach incident that affected the data of about 185,000 officiants and 15,000 married couples, as well as their wedding guests. This occurred due to an unsecured Amazon bucket that contained around 630GB of data.
Solana-based liquidity protocol Crema Finance lost more than $8.78 million worth of cryptocurrencies after hackers attacked the platform. The attackers used the infamous flash loan trick to manipulate the prices of assets before stealing the assets.
Microsoft researchers revealed that a large-scale phishing attack campaign has targeted more than 10,000 organizations since September 2021. The campaign used the Evilginx2 phishing toolkit to construct phishing pages, bypass MFA, and steal credentials and session cookies from Office 365 users.
Professional Finance Company disclosed a ransomware attack that impacted the private data of around 1.9 million people associated with hundreds of U.S. hospitals, medical clinics, and dental firms. The debt collection firm revealed that the criminals were able to access files from more than 650 healthcare providers.
Threat actors compromised the official website of Premint NFT and stole 314 NFTs, amounting to approximately $375,000. The attack has six primary EOAs associated with it, among which two wallets contain Bored Ape Yacht Club, Otherside, Oddities, and goblintown.wtf NFTs.
Over the last month, a crimeware group named 8220 has expanded its botnet to roughly 30,000 hosts. The group makes use of SSH brute force attacks and abuses Linux and cloud app vulnerabilities to grow its botnet.
Neopets, a virtual pets website, suffered a data breach that impacted the personal data of 69 million members. Reportedly, a hacker named 'TarTarX' has begun selling the source code and database for the Neopets.com website for four bitcoins.
The Marriott hotel chain suffered another data breach incident that allowed attackers to exfiltrate around 20GB of data, including customer credit card details. Threat actors used social engineering techniques to trick an employee into providing access to their computer.
About 4295 ETH (approximately $4.6 million at the time of reporting) was stolen in a phishing attack on the Uniswap cryptocurrency exchange. The attackers exploited the Uniswap V3 protocol on the ETH blockchain to launch the attack.
Cozy Bear (APT29) was seen abusing legitimate cloud services, such as Google Drive and DropBox, to target a number of Western diplomatic missions, including foreign embassies of Portugal and Brazil. The group’s phishing technique involves the use of a malicious HTML file, called EnvyScout, which acts as a dropper for Cobalt Strike and additional payloads.

New Threats

Phishers and scammers are following the ebbs and flow of the threat landscape. A highly-successful phishing campaign was observed stealing banking data from the likes of Bank of America, Capital One, Citibank, Wells Fargo, and others. Linux systems continue to gain the attention of cybercriminals as Orbit and Lightning Framework join as fresh threats against the open-source, community-developed operating system. That’s not all. The introduction of new malware strains, such as Autolycos, Havanacrypt and, Checkmate, has stirred anxiety among researchers.

Phishers and scammers are following the ebbs and flow of the threat landscape. A highly-successful phishing campaign was observed stealing banking data from the likes of Bank of America, Capital One, Citibank, Wells Fargo, and others. Linux systems continue to gain the attention of cybercriminals as Orbit and Lightning Framework join as fresh threats against the open-source, community-developed operating system. That’s not all. The introduction of new malware strains, such as Autolycos, Havanacrypt and Checkmate, has stirred anxiety among researchers.
A new malware, masquerading as cleaner apps, infected over 1 million users across the globe. These apps are distributed via the Google Play Store. Once executed, the malware displays unwanted advertisements and runs malicious payloads without the knowledge of the users.
Multiple DHL phishing pages were found exfiltrating users’ personal data via a Telegram bot. The fake pages use design elements like colors, fonts, and styles found on a typical DHL tracking page to convince victims that it’s legitimate in nature.
A new macOS malware, CloudMensis, was observed gathering information from the victims’ systems by exfiltrating documents, keystrokes, and screen captures. Developed in Objective-C, the spyware uses public cloud storage services to communicate back and forth with its operators.
Lightning Framework emerged as a new threat that targets Linux systems and can be used to backdoor infected devices using SSH and deploy multiple types of rootkits. The malware masquerades as the Seahorse GNOME password and encryption key manager to evade detection on infected systems.
QNAP warned customers about a new Checkmate ransomware attack aimed at its NAS devices. The ransomware employs dictionary attacks to break accounts with weak passwords. It appends .checkmate extension to encrypted files and drops a ransom note named !CHECKMATE_DECRYPTION_README.
A total of 53 fake apps on the Google Play Store were spotted distributing Joker, FaceStealer, and Coper malware strains. These apps posed as SMS, photo editors, blood pressure monitor, emoji keyboards, and translation apps were downloaded over 300,000 times.
A new threat group named the Atlas Intelligence Group (A.I.G), aka Atlantis Cyber-Army, is actively selling Cybercrime-as-a-Service on Telegram and dark web forums. The services include exclusive data leaks, distributed denial-of-service (DDoS) campaigns for hire, RDP attacks, and initial access.
Trend Micro identified over a thousand malicious repositories and more than 550 code samples that abused GitHub Actions to mine cryptocurrency in an automated attack. The attack involved threat actors forking a legitimate repository that has GitHub Actions enabled. This allowed them to inject malicious code into legitimate repositories.
A new phishing-as-a-service (PhaaS) platform is being sold to cybercriminals aiming to gain access to the financial information of individuals residing in the U.S., the U.K, Canada, and Australia. The toolkit is tracked as Robin Banks and was utilized in a large-scale phishing campaign observed in June.
Another new malware targeting the Linux operating system named OrBit is primarily designed to drop malicious payloads. It implements advanced evasion capabilities to gain persistence on targeted machines. The main goal of the backdoor is to steal information by hooking the read and write functions.
A new ransomware family, dubbed HavanaCrypt, makes use of a fake Google Software Update application to propagate across systems. Additionally, it relies on Microsoft web hosting service IP address to circumvent detection.
A new Android malware family named Autolycos was discovered in at least eight Android applications, two of which are still available on the Google Play Store. By the time of reporting, the malware had infected over 3 million users and is capable of harvesting data from mobile devices.
Researchers reported a new malware attack campaign that exploited the known Follina vulnerability to distribute a backdoor malware dubbed Rozena. The malware is capable of injecting a remote shell connection linking back to the attacker’s machine.

Cyware Monthly Threat Intelligence, March 2025

ETSI has rolled out a new quantum-safe encryption standard featuring Covercrypt, a novel key encapsulation scheme with built-in access controls. By tying decryption permissions to user attributes, Covercrypt delivers speed and post-quantum security. The code caves of GitHub got a cleanup crew courtesy of Microsoft. A sprawling malvertising campaign that snagged nearly a million devices worldwide has been knocked down a peg. The race to outpace quantum threats is officially on. The NCSC has issued guidance to help organizations transition to post-quantum cryptography by 2035, with a focus on NIST-approved algorithms and planned support for critical sectors. A fresh face in the cybercrime underworld is juggling a bag of nasty surprises. EncryptHub is hitting users of QQ Talk, WeChat, Google Meet, and more with trojanized apps and slick multi-stage attacks. Lucid isn’t just phishing - it’s engineering trust through your inbox. This advanced PhaaS platform weaponizes the built-in features of iMessage and RCS to create hyper-realistic scams. A botnet is turning home routers into attack platforms. The Ballista botnet is exploiting an unpatched TP-Link Archer router flaw (CVE-2023-1389) to spread stealthily, using Tor domains and remote command execution to launch DDoS attacks worldwide.

Cyware Monthly Threat Intelligence, February 2025

Google ramped up its defenses against the quantum threat. The company rolled out quantum-resistant digital signatures in Cloud KMS, following NIST’s post-quantum cryptography standards. Cyber defenders sharpened their tools, this month, and EARLYCROW is the latest weapon against stealthy APT operations. This method detects C2 activity over HTTP(S) using a novel traffic analysis format called PAIRFLOW. PyPI adopted a "dead but not gone" approach to abandoned software with Project Archival, a new system that flags inactive projects while keeping them accessible. Developers will see warnings about outdated dependencies, helping them make smarter security choices and avoid relying on unmaintained code. China’s Salt Typhoon made itself right at home in global telecom networks. The group was caught using JumbledPath, a custom-built spying tool, to infiltrate ISPs in the U.S., Italy, South Africa, and Thailand. Russia’s Sandworm hackers are using pirated software as bait. Their latest attack on Ukrainian Windows users disguises malware inside trojanized KMS activators and fake Windows updates. The CISA flagged major security holes in Microsoft Outlook and Sophos XG Firewall. One flaw allows remote code execution in Outlook, while another exposes firewall users to serious risks. A new payment card skimming campaign turned Stripe’s old API into a weapon. Hackers inserted malicious scripts into checkout pages, validating stolen card details through Stripe before exfiltration. A new malware named Ratatouille is stirring up trouble by bypassing UAC and using I2P for anonymous communications. Spreading through phishing emails and fake CAPTCHA pages, it tricks victims into running an embedded PowerShell script. A new version of ValleyRAT was also spotted, using stealthy techniques to infiltrate systems. Researchers found the malware being spread through fake Chrome downloads.

Cyware Monthly Threat Intelligence, January 2025

The U.K took a proactive stance on cyber resilience with its Cyber Local initiative, injecting £1.9 million into 30 projects across England and Northern Ireland. The effort focuses on closing the cyber skills gap, fortifying small businesses, and supporting underrepresented groups. India tightened its grip on data privacy with new draft rules designed to give citizens more control over their personal information. The proposed regulations mandate clearer data processing disclosures, stricter security protocols, and swift breach reporting. Hackers turned to SparkRAT, an open-source GoLang RAT, to target macOS users and government entities. Initially released in 2022, its modular design and cross-platform capability have made it a cybercriminal favorite. More than 10,000 WordPress sites were hijacked in a large-scale malware campaign delivering AMOS to macOS users and SocGholish to Windows users. Attackers exploited outdated plugins to inject fake browser update prompts. Lumma Stealer is made its way through GitHub in a new malware campaign that abuses the platform’s release infrastructure. Attackers deployed malware like SectopRAT and Vidar, using secure-looking download links to exfiltrate data while evading detection. Cybercriminals deployed the Coyote banking trojan against financial firms in Brazil, using malicious Windows LNK files to execute PowerShell scripts. This malware established secure connections with C2 servers, enabling keylogging and data theft. A two-year-long phishing campaign targeted Microsoft’s advertising platform users through malicious Google Search ads. A Mirai-based botnet exploited zero-day vulnerabilities in industrial routers and smart home devices. With 15,000 active nodes daily, it launched high-intensity DDoS attacks surpassing 100 Gbps, posing a growing threat across multiple countries.

Cyware Monthly Threat Intelligence, December 2024

The cloud revolution isn’t just about convenience anymore; it’s now the frontline of defense. With CISA's new directive mandating cloud environment fortification, federal agencies face a race against time to safeguard Microsoft 365 and other services. Meanwhile, proposed updates to the HIPAA security rules push healthcare organizations toward stronger PHI protection with advanced technical controls and detailed incident planning. On the global front, Operation PowerOFF turned the tables on DDoS attackers, dismantling 27 illegal platforms and curbing festive-season chaos. The cyber battlefield sees no intermission as new threats take center stage. A phishing campaign, dubbed Aggressive Inventory Zombies (AIZ), exploited brand trust by mimicking retail giants and crypto platforms. Meanwhile, the resurrected BADBOX botnet has compromised 192,000 Android devices globally, sneaking into supply chains to wreak havoc with ad fraud and account abuse. Adding to the turbulence, Poison Ivy (APT-C-01) resurged, targeting critical sectors with advanced phishing techniques and deploying Sliver RAT to breach systems and steal sensitive data. This month, new threats targeted IoT, banking, and app ecosystems, with threat actors unleashing diverse attacks. Iranian hackers deployed IOCONTROL malware to compromise IoT and OT systems, targeting critical infrastructure like gas stations. Meanwhile, the DroidBot banking malware infiltrates cryptocurrency and banking apps across Europe, leveraging MaaS operations for tailored attacks. Adding to the chaos, SpyLoan malware apps, with over eight million installs, exploited users in South America, Southeast Asia, and Africa, highlighting the escalating risks within app marketplaces. For detailed Cyber Threat Intel, click ‘Read More’.

Cyware Monthly Threat Intelligence, November 2024

The TSA reshaped the cybersecurity landscape for pipeline and railroad operators with proposed rules mandating incident reporting and risk management plans. Estimated to cost $2.1 billion over the next decade, the rules aimed to address growing cyber threats while balancing flexibility with resilience. Meta dismantled a sprawling web of over two million accounts tied to pig butchering scams in Southeast Asia and the UAE. Africa’s cybercrime ecosystem faced a decisive blow with Operation Serengeti, as over 1,000 suspects were arrested, and 134,000 malicious networks taken offline. TAG-110, a Russia-aligned threat group, launched a cyber-espionage campaign targeting governments and organizations in Asia and Europe. Using malware like HATVIBE and CHERRYSPY, it aimed to monitor geopolitical developments and assert influence. A botnet powered by Ngioweb malware converted 35,000 IoT devices into residential proxies. These compromised devices, found largely in the U.S., were sold on platforms like NSOCKS for malicious purposes. Water Barghest compromised over 20,000 IoT devices by exploiting known vulnerabilities. The group used Shodan to identify targets and deployed Ngioweb malware to connect them to its monetized network. LIMINAL PANDA, a Chinese cyberespionage group, has been targeting telecoms in South Asia and Africa since 2020. Using tools like SIGTRANslator and PingPong, the group exploits telecom protocols to steal critical data while staying undetected. NodeStealer has resurfaced, targeting Facebook Ads Manager accounts to steal credit card details and browser credentials. It uses Windows Restart Manager and Python scripts to execute its attacks, with stolen data sent via Telegram. BabbleLoader, a stealthy malware loader, delivers WhiteSnake and Meduza stealers. Disguised as accounting software, it targets English and Russian speakers, evading antivirus systems with advanced techniques.

The Good

The Bad

New Threats

Related Threat Briefings

Jun 1, 2025