Cyware Monthly Threat Intelligence


Monthly Threat Briefing July 1, 2022

The Good

In light of the growing number of cyber incidents, 37 organizations across eight countries have formed a coalition to build cyber resilience and combat cyber threats globally. To counter the data privacy issues around IoT devices, a research group has proposed a framework based on the principle of data minimization. In another story, CISA announced the release of CMMC 2.0, a compliance program for businesses interested in working with the U.S. Department of Defense.

  • The Coalition to Reduce Cyber Risk (CR2) along with 37 tech leaders from across eight countries have signed a pledge to improve cybersecurity standards and incorporate them into policies and controls. The adoption of these standards among companies and government agencies is expected to mitigate cyber risks and facilitate economic growth.

  • The U.S. President signed two bipartisan bills—Federal Rotational Cyber Workforce Program Act and State and Local Government Cybersecurity Act—to strengthen the government’s cybersecurity posture across the local, state, and federal levels.

  • Researchers have designed a new privacy framework, dubbed Peekaboo, that can help address the data sharing concerns across IoT devices. The framework operates on the principle of data minimization, which refers to the practice of limiting the collection of data on a need basis.

  • The House appropriations subcommittee approved a budget of $2.9 billion for CISA in Homeland Security FY2023 Budget Print. The fund will be used to support the agency’s security, infrastructure security, emergency communications, integrated operations, and risk management.

  • The Cybersecurity Maturity Model Certification (CMMC) 2.0 is in the rule-making process and will be launched in 2023, revealed CISA officials. The model aims to bring a unified security standard to contractors linked to the U.S. Department of Defense (DoD). An official said that third-party assessment organizations will perform the assessments as an ongoing process rather than a point-in-time compliance check.

The Bad

Ransomware actors going bonkers! 50 victim organizations in a couple of months. The menace and mystery of Black Basta is beyond comprehension for many. Meanwhile, another ransomware group has been zeroing in on targets in Europe with a focus on state entities and educational institutes. In addition, several large organizations, including AMD, OpenSea, and the Bank of the West, suffered leaks in the past month.

  • OpenSea confirmed experiencing a breach, owing to a security incident at its email delivery vendor, Customer[.]io. An employee downloaded email addresses belonging to OpenSea users and newsletter subscribers and shared them with an unauthorized third party. Users have been warned against phishing attacks that may follow in the wake of the leak.

  • As per its own claims, extortion group RansomHouse penetrated the systems of processor manufacturer AMD to steal about 450GB of data. The group, however, said it did not breach the networks themselves but rather acted as a negotiator on behalf of its partner who allegedly attacked the firm. The stolen data trove may include research and financial information from the firm.

  • Sharp Boys hacker group made a claim about obtaining personal and credit card data from at least five tourism-related sites in Israel. Hackers allegedly accessed the backend interface of the targeted sites. As proof of the leak, they also released a spreadsheet containing the personal information of 120,000 people.

  • A Mexico-based production plant belonging to Foxconn fell victim to a ransomware attack. The LockBit gang claimed responsibility for the attack. Foxconn assured that the impact on its overall operations is minimal, and the recovery will unfold according to a pre-determined plan.

  • MyEasyDocs, an India-based online document verification platform, exposed 30GB of data owing to a misconfigured Azure server. This included both personal and financial information of over 50,000 students from India and Israel.

  • BlackCat ransomware group claimed its attack against Regina Public Schools in the Canadian province of Saskatchewan. The threat actors, reportedly, stole 500GB of files containing tax reports, health information, passports, and Social Security numbers.

  • Several customers of California-headquartered Bank of the West apparently lost their debit card numbers and PINs to skimmers installed at the bank's ATMs. Cybercriminals can use this stolen data to generate fake cards and attempt cash withdrawals. Experts have been able to identify all the affected accounts.

  • The FBI warned the public again about the fraudulent schemes seeking donations or other financial assistance related to the crisis in Ukraine. Criminal actors are taking advantage of the ongoing crisis by posing as Ukrainian entities needing humanitarian aid or developing fundraising efforts.

  • Black Basta, a RaaS syndicate, crippled as many as 50 victims in the U.S., Canada, the U.K., New Zealand, and Australia within two months of launching. Researchers have warned of the threat it poses to various industries, such as manufacturing, transportation, cosmetics, telcos, pharmaceuticals, plumbing and heating, automobile dealers, and retail.

  • The Vice Society ransomware group targeted European organizations lately. The group claimed responsibility for the cyberattack against the Medical University of Innsbruck and the city of Palermo in Italy, which triggered a massive service outage.

  • Malicious hackers again managed to steal 32 NFTs (worth more than $250,000) from Bored Ape Yacht Club (BAYC) by compromising the Discord account of one of its community managers. The threat actors used this compromised account to send a phishing link, which was later used to gain access to BAYC owners’ cryptocurrency wallets. Among the NFTs compromised in the hack were 1 Bored Ape, 2 Mutant Apes, 5 Otherdeeds, and 1 Bored Kennel.

  • Ukraine CERT warned that the Russian hacking group Sandworm is exploiting the Follina vulnerability in a new campaign to target various media organizations in Ukraine. The campaign was carried out via phishing emails and targeted more than 500 recipients.

  • An unprotected Elasticsearch database exposed 5GB of personal data belonging to over 30,000 students. The database apparently belongs to account holders of Transact Campus, which works with higher education institutions in the U.S.

  • Around 32GB of sensitive data stored in an unsecured database of the Uganda Securities Exchange (USE) was left exposed on the internet. The leaked data included the full name, address, date of birth, phone number, email address, and bank details of customers from across the globe.

  • A phishing email campaign spoofed MetaMask cryptocurrency wallet provider in an attempt to steal recovery phrases from Microsoft 365 users. The recovery phrases could later enable attackers to steal NFTs and cryptocurrency from compromised wallets. The phishing email used a Know Your Customer (KYC) verification request to lure recipients into sharing sensitive data.

  • Ukrainian organizations were subjected to new hacking attempts tailored to drop CredoMap malware and malicious Cobalt Strike beacons onto their networks. It is suspected to be the work of Fancy Bear and UAC-0098. The CredoMap malware is capable of stealing account credentials and cookies stored in Firefox, Edge, and Chrome web browsers.

New Threats

Crypto threats are reaching new heights. A recent report found a rather contagious cryptominer that has harvested millions in cryptocurrency since the beginning of the year. Furthermore, two ransomware strains have released new versions in an attempt to up their game. One of them has also promised huge payouts for identifying bugs in its program.

  • A new campaign involving the new information-stealing malware YTStealer is targeting YouTube content creators. It is assumed that the cybercriminal group has specially crafted it to extract credentials from one single service. One notable aspect of the malware is that it uses the open-source Chacal anti-VM framework to hide from debugging and memory analysis.

  • A new malware, dubbed ZuoRAT, is propagating through SOHO routers as part of a sophisticated campaign aimed at networks in North America and Europe. An investigation into the case divulged that the trojan can cripple routers from multiple brands, such as ASUS, DrayTek, Cisco, and NETGEAR.

  • Revive, a previously undocumented Android malware, was seen targeting users of the Spanish financial services company BBVA. Hackers lured users into downloading a fake app posing as the bank's original 2FA app. The malicious app reportedly draws inspiration from an open-source spyware called Teardroid.

  • Last month, we saw the launch of AstraLocker 2.0 and LockBit 3.0. The latter became the first ransomware to roll out a bug bounty program, with a reward of up to $1 million for those reporting bugs in its malicious program.

  • Checkmarx disclosed a flaw in the Amazon Photos app for Android, which has over 50 million downloads through the Play Store. A misconfigured app component exposed its manifest file to anyone without authentication. An attacker could abuse this flaw to steal Amazon access tokens used for Amazon API authentication via a malicious app installed on the affected device.

  • Symantec reported that Clipminer botnet operators have made a profit of almost $1.7 million since January 2021. The malware most likely spreads via trojanized cracks or pirated software. Clipminer scans the clipboard content for wallet addresses and replaces them with addresses of wallets controlled by the attacker.

  • Kaspersky revealed the tactics and techniques of a new APT group targeting high-profile entities in Europe and Asia. Named ToddyCat, the group is distinguished by its use of two new malware families, called Samurai backdoor and Ninja trojan, in its attack campaigns.

  • Smilodon credit card skimming malware has shifted its focus from WooCommerce stores to WordPress e-commerce sites to earn more profits. The malware can pilfer credit card numbers, expiration dates, security codes, billing addresses, names, and other sensitive information from the checkout pages of targeted sites.

  • A new pro-Russian hacking group, dubbed Cyber Spetsnaz, has been identified leveraging current geopolitical tensions between Ukraine and Russia to conduct cyberattacks. So far, the group has targeted five Italian logistic terminals—Sech, Trieste, TDT, Yilport, and VTP—along with several financial institutions.

  • SentinelOne uncovered a series of activities associated with a new threat actor group called Aoqin Dragon. Some of these activities are ongoing, and a few of them are found to have begun in 2013. The group is believed to have targeted organizations in the government, education, and telecommunications sectors in Southeast Asia and Australia.

  • A new version of Cuba ransomware targeted two organizations in Asia. The updates are aimed at optimizing its execution, minimizing unintended system behavior, and providing technical support for victims to negotiate the ransom.

  • Operational technology (OT) devices from 10 ICS vendors were found to be vulnerable to 56 new security flaws. Collectively called OT:Icefall, these flaws stem from insecure engineering protocols, weak cryptography or broken authentication schemes, insecure firmware update mechanisms, and native functionality abuse.

  • RARlab's UnRAR utility was affected by a path traversal vulnerability in its Unix versions. Tracked as CVE-2022-30333, the bug could allow remote attackers to achieve arbitrary code execution on a vulnerable system by having it extract a maliciously crafted RAR archive. Any software or program utilizing an unpatched version of UnRAR is impacted by the flaw.
