Cyware Monthly Threat Intelligence, July 2025

The Good

In a positive stride for cybersecurity, CISA has unveiled two powerful open-source tools, Thorium and the Eviction Strategies Tool. Developed with Sandia National Laboratories, Thorium automates malware and forensic analysis, processing over 10 million files per hour to supercharge incident response. The Eviction Strategies Tool, built with MITRE, helps defenders craft tailored response playbooks using frameworks like ATT&CK and D3FEND. Meanwhile, Romanian and U.K. authorities, aided by Europol and Eurojust, dismantled a €580,000 ATM fraud ring exploiting transaction reversal techniques. In regulatory progress, New York has proposed new cybersecurity rules for water systems, aligning with federal guidelines and setting the stage for improved OT and IT infrastructure protection.

• The CISA has released Thorium, an open-source platform designed for malware and forensic analysis, developed with Sandia National Laboratories. Thorium automates cyberattack investigation tasks, handling over 1,700 jobs per second and ingesting 10 million files per hour per permission group. It supports software analysis, digital forensics, and incident response, enhancing cybersecurity teams' efficiency in assessing malware threats. Key features include tool import/export, Docker integration, tag-based filtering, strict access control, and scalability with Kubernetes and ScyllaDB.
• The CISA released the Eviction Strategies Tool to help organizations respond to cyber incidents and remove adversaries from compromised systems. Developed with MITRE, the tool enables rapid creation of tailored playbooks using structured frameworks like MITRE ATT&CK or free-text descriptions of threat behavior. The tool integrates two resources: COUN7ER, a database of over 100 post-compromise countermeasures, and Cyber Eviction Strategies Playbook NextGen, a web-based interface for aligning findings with countermeasures. Key features include exporting plans in various formats, integrating knowledge from frameworks like MITRE D3FEND, and open-source access under the MIT License.
• OWASP has released comprehensive guidance for securing agentic AI applications powered by LLMs, aimed at developers, engineers, and security professionals. The guidance emphasizes securing agentic architectures with strong user authentication controls and safeguards against manipulation during design and development. Additional measures include enhanced security actions like OAuth 2.0, managed identity services, and encryption of sensitive data to mitigate risks. Operational risks from connecting agentic AI to APIs, databases, and other systems are addressed, along with supply chain security to reduce vulnerabilities from third-party code.
• The FBI has seized approximately 20.29 Bitcoins, valued at over $2.4 million, from a member of the Chaos ransomware group known as "Hors." This seizure involved tracing the cryptocurrency to a specific address linked to cyberattacks against Texas companies. Following the seizure, the U.S. DOJ filed a civil complaint on July 24, seeking to permanently forfeit the funds, a process that allows the government to claim assets connected to criminal activities without needing a criminal conviction. The Chaos ransomware operation is believed to be a rebrand of the BlackSuit group, which itself emerged from the notorious Conti ransomware gang.
• Law enforcement agencies have successfully seized the dark web extortion sites associated with the BlackSuit ransomware operation as part of Operation Checkmate. This coordinated effort involved multiple authorities, including the U.S. Homeland Security Investigations, the Secret Service, and Europol, among others. The takedown included not only the main extortion sites but also negotiation platforms used to extract ransoms from victims. BlackSuit, which has undergone several rebrandings, is believed to be linked to over 350 attacks globally since September 2022, resulting in ransom demands exceeding $500 million. 
• A network of ATM fraudsters responsible for approximately €580,000 ($681,360) in profits has been dismantled by law enforcement agencies in Romania and the U.K, with support from Europol and Eurojust. Following extensive investigations, two coordinated raids were executed, resulting in two arrests and the seizure of luxury cars, real estate, electronic devices, and cash. The fraudsters employed the Transaction Reversal Fraud (TRF) method, which involves canceling ATM transactions just before cash is dispensed, allowing them to extract money illicitly. 
• New York has proposed new cybersecurity regulations for water and wastewater systems to enhance their resilience against rising cyber threats. These regulations include specific OT security requirements from the Department of Health and the Department of Environmental Conservation, alongside IT security measures from the Department of Public Service. The rules aim to align with federal guidelines and establish a funding program to assist water systems in modernizing their cybersecurity infrastructure. Public comments on the proposals are open until September 2025, with compliance deadlines set for January 2026 and January 2027.
• Europol's Operation Eastwood has successfully disrupted the pro-Russian hacktivist group NoName057(16), known for its DDoS attacks across Europe, Israel, and Ukraine. This operation involved law enforcement from 12 countries and resulted in the disruption of over 100 servers and the arrest of two individuals. NoName057(16) utilizes Telegram and the "DDoSia" project to coordinate attacks on critical infrastructure, targeting NATO sites, government agencies, and banks, particularly in countries supporting Ukraine. The group has executed numerous attacks, especially during significant events like European elections and NATO summits. 
• An international law enforcement operation, Operation Elicius, dismantled the Romanian Diskstation ransomware gang that had been targeting Synology NAS devices since 2021. This operation, coordinated by Europol and involving police forces from France and Romania, focused on the gang's attacks on internet-exposed NAS devices, which resulted in severe disruptions for various companies, including graphic and film production firms and NGOs. The ransomware encrypted vital data, demanding ransoms that ranged from $10,000 to hundreds of thousands of dollars. Investigations led by the Milan Prosecutor's Office utilized forensic and blockchain analysis, ultimately leading to raids in Bucharest in June 2024 and the arrest of a key suspect believed to be the primary operator behind the attacks.

The Bad

In troubling developments, cyber threats surged across the globe. North Korean group UNC4899 exploited LinkedIn and Telegram job lures to hijack cloud environments like AWS and Google Cloud, bypassing MFA to steal millions in cryptocurrency. Russian state hackers Secret Blizzard targeted foreign embassies in Moscow using adversary-in-the-middle (AiTM) tactics and the stealthy ApolloShadow malware to hijack systems at the ISP level. Scattered Spider attackers compromised VMware ESXi servers using social engineering, password resets, and disk-swap attacks to deploy ransomware and steal Active Directory data. Meanwhile, the SarangTrap campaign leveraged fake dating apps to steal sensitive data from Android and iOS users, with over 250 malicious apps and 88 phishing domains uncovered.

• North Korean hacking group UNC4899 targeted organizations by using job lures and social engineering techniques via LinkedIn and Telegram, convincing employees to execute malicious Docker containers. The group exploited cloud environments like Google Cloud and AWS by employing stolen credentials and session cookies to manipulate cryptocurrency transactions. Although MFA initially hindered their efforts, they managed to disable it to gain administrative access. Their sophisticated attacks involved uploading malicious JavaScript files to exploit cloud services, ultimately leading to the theft of millions in cryptocurrency. The group’s activities have also included embedding malware into open-source package registries, indicating a strategic pivot in their approach to cybercrime. 
• Russian state hackers, known as Secret Blizzard, have launched a cyberespionage campaign targeting foreign embassies in Moscow using sophisticated adversary-in-the-middle (AiTM) attacks. Central to this operation is a malware tool named ApolloShadow, which manipulates system certificates and masquerades as trusted applications to maintain stealthy persistence. The attack initiates at the ISP level, redirecting users through a fake captive portal that prompts them to download ApolloShadow. Once installed, the malware alters network settings, collects sensitive information, and creates a new administrative user with a hardcoded password for ongoing access. 
• The North Korean Lazarus Group distributed over 200 malicious open source packages through npm and PyPI, potentially compromising around 36,000 victims. This campaign marks a strategic shift for the group, targeting developers who often install packages without proper verification. Many of the detected packages were designed to mimic legitimate libraries and executed multi-stage attacks to maintain stealth and exfiltrate sensitive data. Among the 234 malicious packages, 120 served as droppers for additional malware, while 90 were specifically aimed at stealing secrets. The targets primarily included DevOps-heavy organizations, where compromised developer machines and build pipelines could lead to significant intellectual property theft and reputational damage.
• Operation CargoTalon is a targeted cyber-espionage campaign attributed to threat cluster UNG0901, aimed at Russia’s aerospace and defense sectors. The campaign specifically targeted the Voronezh Aircraft Production Association (VASO) using spear-phishing emails to deliver the EAGLET malware. The operation employs advanced malware capabilities and social engineering tactics to infiltrate and exfiltrate sensitive data. The infection begins with spear-phishing emails containing a ZIP file that is actually a disguised DLL file. A similarly named LNK shortcut file is also included. When executed, these files trigger the EAGLET implant. The ZIP file, named in Russian as a TTN (goods and transport invoice), serves as a decoy to lure victims into executing the payload. EAGLET is a PE-based implant that generates a unique GUID to identify victims, collects system information, creates a hidden directory, and communicates with a C2 server via HTTP using disguised requests.
• Scattered Spider hackers are aggressively targeting VMware ESXi hypervisors in various sectors, including retail and transportation, using sophisticated social engineering tactics. They initiate attacks by impersonating employees to convince IT help desks to reset Active Directory passwords, allowing them to gain initial access. This access enables them to identify and exploit high-value targets, such as domain administrators. The attackers then escalate their privileges by impersonating these users to gain control over the VMware vCenter Server Appliance, enabling SSH connections and executing a "disk-swap" attack to extract sensitive Active Directory data. Ultimately, they deploy ransomware to encrypt virtual machine files, achieving complete control over the virtualized environment in just a few hours.
• A large-scale malware campaign, named SarangTrap, uses fake dating and social networking apps to steal sensitive personal data on Android and iOS platforms. The apps mimic legitimate services, employing emotionally manipulative tactics like fake profiles and invitation codes to lure victims. Once installed, the apps exfiltrate data such as contacts, images, SMS content, and device identifiers to attacker-controlled servers. Over 250 malicious Android apps and 88 phishing domains have been linked to the campaign, with some indexed by search engines to appear credible.
• A threat actor known as Fire Ant has been targeting VMware ESXi and vCenter environments in a sophisticated cyber espionage campaign, leveraging vulnerabilities such as CVE-2023-34048 and CVE-2023-20867. This group, linked to the China-based UNC3886, demonstrates advanced capabilities by establishing persistent control over compromised systems, extracting credentials, and deploying backdoors. Fire Ant's tactics include bypassing network segmentation, deploying unregistered virtual machines, and tampering with logging processes to evade detection.
• Cisco Talos identified a MaaS operation using Amadey malware and fake GitHub accounts to host payloads and plugins, targeting Ukrainian entities. The operation overlaps with tactics from a SmokeLoader phishing campaign observed earlier in 2025. Phishing emails targeting Ukrainian entities used compressed archives containing obfuscated JavaScript files to download SmokeLoader. Emmenhtal loaders were used to deliver Amadey malware and other payloads, bypassing email delivery in some cases by hosting files on GitHub. GitHub repositories served as open directories for staging malware, leveraging public access to evade web filtering.
• Between March and June, several China-aligned threat actors intensified phishing campaigns targeting Taiwan's semiconductor industry, primarily for espionage purposes. These actors, identified as UNK_FistBump, UNK_DropPitch, and UNK_SparkyCarp, employed spearphishing and credential phishing to infiltrate organizations involved in semiconductor manufacturing, design, and investment analysis. UNK_FistBump posed as job seekers to lure HR personnel, delivering malware like Cobalt Strike and the custom Voldemort backdoor through compromised emails. Meanwhile, UNK_DropPitch focused on financial analysts, using deceptive emails to distribute a simple backdoor known as HealthKick.
• Cybercriminals are exploiting GitHub to distribute malware disguised as free software, specifically targeting users with applications like "Free VPN for PC" and "Minecraft Skin Changer." The malware dropper, named Launch.exe, utilizes sophisticated techniques such as obfuscation, process injection, and DLL side-loading to implant Lumma Stealer. This campaign involves hosting multiple malware samples on GitHub, where they employ Base64-encoded payloads concealed within seemingly harmless applications. The malware's execution process involves dynamic loading and the use of legitimate Windows processes, such as MSBuild.exe, to bypass security measures.
• A social engineering campaign targets cryptocurrency users through fake AI, gaming, and Web3 firms, tricking them into downloading malware via Telegram and Discord. These fake companies use spoofed social media accounts and legitimate platforms like GitHub and Notion to appear credible. The campaign, active since at least March 2024, employs stealer malware like Realst and AMOS to siphon cryptocurrency and sensitive data from Windows and macOS systems. Attackers leverage verified and compromised X accounts to approach victims, urging them to test software in exchange for cryptocurrency payments.
• A critical vulnerability (CVE-2025-47812) in Wing FTP Server, rated with a maximum severity score of 10.0, is being actively exploited. The flaw stems from improper handling of null ('\0') bytes in the server's web interface, enabling remote code execution. The vulnerability allows attackers to inject arbitrary Lua code into user session files, execute system commands with high privileges, and exploit anonymous FTP accounts. Threat actors have used the flaw for reconnaissance, creating persistence through new user accounts, and deploying malicious Lua files, though no evidence of remote desktop software installation has been confirmed. Over 8,000 publicly accessible Wing FTP Server devices are at risk, with 5,004 exposing their web interfaces. Most affected servers are located in the U.S., China, Germany, the U.K, and India.
• Fortinet spotted a phishing campaign that has been distributing DCRAT by impersonating a Colombian government entity. This malware utilizes a modular architecture, enabling attackers to customize its functionality for tasks such as data theft and system manipulation. The attack begins with a phishing email containing a ZIP file that executes an obfuscated VBS script, which then downloads a malicious executable. DCRAT employs various evasion techniques, including obfuscation, steganography, and multi-stage payloads. Once installed, it can steal sensitive information, alter system settings, and ensure persistence on infected machines.

New Threats

Emerging cyber threats highlight growing risks across platforms. The newly uncovered "Man in the Prompt" attack exploits browser extensions to intercept and exfiltrate data from AI tools like ChatGPT and Google Gemini, even when Gemini is inactive. On Android, the DoubleTrouble banking Trojan is spreading via Discord-hosted APKs, using real-time screen recording, phishing overlays, and MFA bypass techniques to steal sensitive data. Meanwhile, the H2Miner botnet and AI-generated Lcrypt0rx ransomware have resurfaced, deploying malware like Kinsing, using flawed yet destructive tactics like MBR overwrites. A new Konfety malware variant also uses an “evil twin” package technique, advanced obfuscation, and ad SDKs to distribute payloads and evade detection.

• A newly identified cyberattack method, dubbed Man in the Prompt, enables malicious browser extensions to manipulate or exfiltrate data from generative AI tools such as ChatGPT and Google Gemini. This attack exploits the Document Object Model (DOM) access granted to browser extensions, allowing them to act as intermediaries in AI interactions without requiring elevated permissions. The attack poses a significant threat to organizations using browser-based AI tools, especially those processing sensitive or proprietary data. The widespread use of browser extensions and the common practice of allowing users to freely install them significantly increases the risk of exploitation. A single compromised extension can silently extract confidential information, turning AI tools into vectors for data theft. The attack allows extensions to act as a “man in the middle” for AI interactions. In the case of Gemini, the exploit worked even when the Gemini sidebar was closed.
• A sophisticated Android banking Trojan named DoubleTrouble has expanded its delivery methods and technical features, targeting users across Europe through Discord-hosted APKs. The malware disguises itself as a legitimate app, uses Android’s accessibility services, and employs advanced techniques like session-based installation to evade detection. DoubleTrouble’s capabilities include real-time screen recording, phishing overlays, keylogging, and bypassing multi-factor authentication by mirroring the device screen. Captured data, including credentials from banking apps, password managers, and crypto wallets, is sent to a remote C2 server.
• Russian state-sponsored group APT28 (Fancy Bear) has developed LameHug, the first AI-powered malware using large language models (LLMs) for automated command generation and execution. LameHug targets organizations by exploiting compromised official email accounts to deliver spearphishing emails containing malicious ZIP archives. The malware uses Hugging Face's Qwen 2.5-Coder-32B-Instruct model to translate natural language prompts into executable system commands, enabling flexible automation of reconnaissance and data exfiltration tasks. The malware introduces risks like prompt injection vulnerabilities and API abuse, blending malicious activity with legitimate processes for stealth.
• Cyble researchers discovered RedHook, an Android banking trojan targeting Vietnamese users via phishing sites impersonating trusted agencies. The malware is distributed through a trojanized APK hosted on an exposed AWS S3 bucket, active since November 2024. RedHook abuses Android accessibility services and MediaProjection API to capture keystrokes, contacts, SMS, and screen images, maintaining persistent communication with its C2 server. The trojan collects device information, logs credentials, and prompts victims to upload citizen IDs and banking details, indicating over 500 infections. Chinese-language artifacts suggest the malware originates from Chinese-speaking threat actors, evolving from cosmetic scams to sophisticated banking trojans.
• Gunra ransomware has introduced a Linux variant that significantly enhances its encryption capabilities, allowing it to run up to 100 encryption threads in parallel and enabling partial file encryption. This development marks a strategic shift towards cross-platform targeting, expanding the group's reach beyond its original focus. Since its emergence in April, Gunra has victimized various sectors, including healthcare, manufacturing, and IT, across multiple countries. Unlike its Windows counterpart, the Linux variant does not drop a ransom note, prioritizing quick and efficient encryption instead. It renames encrypted files with a .ENCRT extension and offers attackers the option to store RSA-encrypted keys separately, showcasing its advanced and flexible approach to ransomware attacks.
• Coyote malware has emerged as a significant threat by exploiting Microsoft’s UI Automation (UIA) framework to steal credentials from Brazilian users linked to 75 banking institutions and cryptocurrency exchanges. This marks the first confirmed instance of UIA abuse in the wild, allowing Coyote to parse UI elements of applications to identify sensitive information. During its infection process, Coyote collects detailed victim data, including financial services used, by comparing active window titles and utilizing UIA to access sub-elements when no direct match is found.
• A new Linux malware named Koske uses AI and polyglot files to deploy cryptocurrency miners via seemingly benign JPEG images of panda bears. Koske exploits misconfigured JupyterLab instances for initial access and uses images that contain both valid JPEG headers and malicious scripts. The malware executes two payloads: a C-based rootkit compiled in memory and a shell script for persistence and stealth. It adapts to host resources, evaluating CPU/GPU to optimize mining for 18 different cryptocurrencies, switching to backups if needed. Researchers suspect Koske was developed using LLMs or automation frameworks due to its advanced adaptability.
• Chaos is a new RaaS group conducting big-game hunting and double extortion attacks, using spam flooding, voice-based social engineering, and RMM tools for persistent access. The ransomware employs multi-threaded selective encryption, anti-analysis techniques, and targets both local and network resources. Victims are primarily in the U.S., with fewer cases in the U.K, New Zealand, and India, and Chaos avoids targeting BRICS/CIS countries, hospitals, and government entities. Chaos is actively promoted in Russian-speaking dark web forums and offers cross-platform compatibility for Windows, ESXi, Linux, and NAS systems. The ransomware uses unique encryption keys for files, rapid encryption speeds, and automated panels for managing targets and communications.
• H2Miner botnet has been active since 2019 and resurfaces with updated configurations to mine Monero cryptocurrency. Lcrypt0rx ransomware appears AI-generated, exhibiting flawed encryption logic, malformed syntax, and ineffective defense evasion techniques. H2Miner scripts deploy malware such as Kinsing and terminate security software, database processes, and competing miners. Lcrypt0rx ransomware disrupts system usability, encrypts files using XOR logic, and deploys scare tactics rather than effective ransomware measures. Tools used include commercial hacking utilities like Cobalt Strike, Lumma Stealer, and DCRat, targeting multiple operating systems. Lcrypt0rx introduces destructive actions like overwriting the Master Boot Record and deploying redundant embedded scripts.
• A new variant of the Android malware Konfety uses an "evil twin" technique, where a benign app on the Google Play Store shares the same package name as a malicious version distributed via third-party sources. The malware employs sophisticated obfuscation tactics, including tampering with APK ZIP structures, dynamic code loading, and encryption flags to evade detection and complicate reverse engineering. It uses deceptive manifest declarations, such as falsely claiming BZIP compression, causing analysis tools to crash. This approach was previously observed in other malware like SoumniBot. Konfety leverages the CaramelAds SDK to fetch ads, deliver payloads, and maintain communication with attacker-controlled servers. It can redirect users to malicious websites, trigger app installs, and send spam notifications. 
• VMware fixed four zero-day vulnerabilities in ESXi, Workstation, Fusion, and Tools that were exploited during the Pwn2Own Berlin 2025 hacking contest. Three vulnerabilities (CVE-2025-41236, CVE-2025-41237, CVE-2025-41238) have a severity rating of 9.3 and enable programs in guest virtual machines to execute commands on the host. The fourth flaw, CVE-2025-41239, rated at 7.1, is an information disclosure vulnerability impacting VMware Tools for Windows.
• The LameHug malware uses a LLM to dynamically generate commands for data theft on compromised Windows systems, marking a novel approach in cyberattacks. LameHug was discovered by CERT-UA and attributed to Russian state-backed APT28, with malicious emails impersonating Ukrainian ministry officials to distribute the malware. The malware leverages the Hugging Face API to interact with the Qwen 2.5-Coder-32B-Instruct LLM, which converts natural language into executable code or commands. LameHug is delivered via ZIP email attachments containing loaders with names such as ‘Attachment.pif,’ ‘AI_generator_uncensored_Canvas_PRO_v0.9.exe,’ and ‘image.py.’
• A new spyware called Batavia has been targeting Russian industrial enterprises via phishing emails since July 2024, intensifying in early 2025. The phishing emails contain links disguised as contract attachments, downloading a malicious Visual Basic Encoded script (.VBE) file that profiles the system and sends data to a C2 server. The second stage deploys Delphi-based malware, which displays fake contracts while collecting system logs, documents, and screenshots, exfiltrating data to a separate server. The third-stage payload, 'javav.exe,' expands data collection to include additional file types, adds a startup shortcut for persistence, and potentially leads to a fourth payload ('windowsmsg.exe').
• North Korean threat actors are leveraging a malware named NimDoor to target Web3 and cryptocurrency platforms. This campaign utilizes Nim-compiled binaries and employs advanced techniques such as process injection, encrypted WebSocket communication, and a novel persistence mechanism based on signal handling. The attack begins with social engineering through Telegram, tricking victims into executing a malicious AppleScript disguised as a Zoom SDK update. The malware comprises multiple stages, including C++ and Nim binaries that facilitate data exfiltration and long-term access. Key functionalities include stealing browser data, credentials, and Telegram user information, while using C2 servers that mimic legitimate domains.