Cyware Monthly Threat Intelligence

The Good

Allow us to open the newsletter with a major announcement - the release of the new U.S. National Cybersecurity Strategy, that envisages closer collaboration between government and industry while also focusing on increased collaboration with international coalitions and partnerships. Another development was observed to secure cloud servers as they face a range of security challenges, leaving organizations vulnerable to a myriad of cyber threats. In that light, the CISA released a publicly available and free post-incident hunting tool for organizations using Microsoft cloud applications and services.

The White House unveiled its National Cybersecurity Strategy that focuses on securing cyberspace across public and private sectors. The strategy includes mandatory regulations on critical infrastructure vendors and offensive actions to deal with nation-state actors. The strategy will enable the FBI’s National Cyber Investigative Joint Task Force to work in tandem with all relevant U.S. agencies.
The CISA released a new open-source incident response tool called ‘Untitled Goose Tool’ that can help organizations detect signs of malicious activity in Microsoft cloud environments. The tool comes with several authentication and data collection methods that can be used to run a full investigation on Azure AD, Azure, and Microsoft 365 environments.
The CISA released an open-source tool to help defenders map an attacker’s behaviors to the MITRE ATT&CK framework. The tool can also be used to assess security tools, identify defense gaps, hunt for threats, and validate mitigation controls.
The SEC proposed new cyber incident reporting rules for a range of financial organizations. The new rules make it mandatory for some financial organizations to annually test and review the effectiveness of their cybersecurity policies and procedures. In case of an attack, organizations are required to report within 48 hours of detecting the incident.

The Bad

Supply chain attacks continue to pose a significant threat across industry verticals. For instance, a major supply chain attack that has a connection to the North Korean Lazarus Group began last month. The group targeted 3CX, a software-based PBX provider. Victims of Cl0p witnessed a spike with at least ten victims disclosing data breaches owing to Forta’s GoAnywhere MFT zero-day abuse. Furthermore, a lesser-known Russian hacking group was associated with a new wave of attacks against government entities in Europe.

Enterprise communications software maker 3CX confirmed that it was a victim of a supply chain attack that affected multiple versions of its desktop app for Windows and macOS. A few days later, researchers at Volexity attributed the supply chain attack to the North Korean Lazarus APT group.
The Cl0p ransomware group gave sleepless nights to security officials across industries owing to the Fortra GoAnywhere MFT breach incident. The list of victims includes Procter & Gamble, Pension Protection Fund (U.K), Hitachi Energy, data security firm Rubrik, Community Health Systems, Hatch Bank, luxury brand retailer Saks Fifth Avenue, the City of Toronto, and Crown Resorts.
Acer confirmed that attackers broke into one of its servers and stole 160GB of confidential data. The stolen data was put up for sale on dark web forums and includes 655 directories and 2,869 files related to presentations, staff technical manuals, product documents, Windows System Deployment Image, BIOS components, and ROMs.
The Hospital Clínic de Barcelona suffered an attack by the RansomHouse ransomware that disrupted its healthcare services. Meanwhile, Zoll Medical Corporation notified more than one million individuals of a healthcare data breach that affected their personal information.
DeFi platform Euler Finance was hacked for $197 million worth of cryptocurrency assets. The attackers exploited a vulnerability in the donation feature of the platform to exfiltrate legitimate funds and transfer them to an account they controlled.
Lionsgate Play streaming platform leaked nearly 37 million subscribers’ IP addresses and data due to an unprotected Elasticsearch database. The entries in the database were as old as May 2022 and also contained other information such as the platform’s usage data, search queries entered by users, and titles of URLs.
The Winter Vivern APT group was found exploiting a Zimbra flaw to gain access to emails and steal sensitive information of NATO officials, government agencies, military personnel, and diplomats involved in the Russia-Ukraine war. The attack is launched via phishing emails from a compromised address.
A hacker group that goes by the name Dark Angels stole 3TB of emails and corporate information from Brazilian multinational firm, Andrade Gutierrez. The stolen data belonged to over 10,000 employees and consisted of names, email addresses, passport details, tax ID numbers, and payment information.
The official network portal of the City of Waynesboro, Virginia, was compromised by a BianLian ransomware attack. The attackers claimed to have exfiltrated 350GB of data from the network, including file server data and public relations documents. The exfiltrated data also included internal files and personal data of staff members.
Latitude Financial, Australia, updated that a cyberattack earlier this month resulted in the theft of over 14 million customer records. While an investigation was underway, the firm further stated that 6.1 million records dating back to 2005 were also stolen.
Researchers discovered that a series of cyberespionage attacks launched by subgroups of Earth Preta APT affected over 200 organizations. Among the targets were educational institutions and financial services organizations, the maritime industry, the energy production industry, and ore and material refineries.
Around 500,000 individuals were impacted by a data breach at debt buyer NCB Management Services. The incident occurred after attackers gained unauthorized access to NCB’s systems and stole information such as names, addresses, phone numbers, email addresses, birth dates, and social security numbers of users.

New Threats

Moving on, Emotet malware made a comeback after a hiatus of three months. In the latest campaign, cybercriminals camouflaged as fake invoices. Meanwhile, hackers attempted to take over thousands of Facebook user accounts via a couple of trojanized ChatGPT extensions for Chrome (in reality, there are none). Also, security experts spotted several new threats namely dotRunpeX, Nexus, and Kritec described as a .NET malware injector, an Android banking trojan, and a skimmer malware, respectively.

The GlobeImposter ransomware was being distributed by the same threat actors who are responsible for MedusaLocker. The ransomware was being disseminated via RDP endpoints. Once the attackers take over systems via RDP, GlobeImposter conducts lateral movement and internal reconnaissance.
After three months of inactivity, the Emotet trojan resumed its malspam campaign last month. Unlike previously where it would use reply-chain emails, new phishing emails include ZIP files that are related to fake invoices. As per the researchers, the operators are gathering new credentials from address books to drive the campaign.
A new and sophisticated malware dubbed HiatusRAT, that targets various business-grade routers, has emerged in the threat landscape. Threat actors compromise DrayTek Vigor routers that have reached end-of-life to deploy the malware along with a variant of tcpdump, which enabled packet capture. At least 100 computers were infected, predominantly in Europe and Latin America.
A new variant of Xenomorph Android banking trojan surfaced in the wild. The new version comes with features to perform financial fraud seamlessly. It is capable of targeting more than 400 banking and financial institutions, including several cryptocurrency wallets.
Two fake ChatGPT Chrome extensions were recently discovered, called Quick access to Chat GPT and Chat GPT for Google. Both the variants were found targeting Facebook users in an attempt to hijack their accounts and installing backdoors that could give threat actors super-admin permissions to run paid ads and steal cookies of authorized active sessions.
Microsoft stumbled across a new phishing kit that has been part of several high-volume AiTM phishing attacks. Offered by a threat actor named DEV-1101, the kit was first advertised on a cybercrime forum in May 2022. The kit includes a wide range of readymade phishing pages that mimics several services such as Microsoft Office and Outlook.
A newly discovered .NET malware injector was discovered in the wild to deliver a wide range of malware. Tracked as dotRunpeX, the malware rose to prominence between November 2022 and January 2023. The malware leverages the process hollowing technique to hide its presence during the infection process.
A new Kritec skimming malware was used in Magecart attacks to target Magento stores. The malware masqueraded as a legitimate Google Tag Manager to evade detection. Once executed, the stolen credit card details were exfiltrated twice - one via a WebSocket skimmer and the other via a POST request.
Several threat actors were observed using a new Android banking trojan, dubbed Nexus, to target 450 financial applications and conduct fraud. While it was found to be still under development, the trojan provides all the main features to perform ATO attacks against banking portals and cryptocurrency services. The trojan was advertised on various hacking forums for a monthly fee of $3,000.
The threat group tracked as REF2924 was found deploying previously unseen malware in its attacks against entities in South and Southeast Asia. The malware, dubbed NAPLISTENER, is an HTTP listener programmed in C# and is designed to evade network-based forms of detection.
A new variant of BlackGuard stealer was spotted with capabilities like USB propagation, persistence mechanisms, and targeting additional crypto wallets. While the developers are constantly improving the malware, researchers warn that the new variant was being widely used to launch attacks.

Cyware Monthly Threat Intelligence, March 2025

ETSI has rolled out a new quantum-safe encryption standard featuring Covercrypt, a novel key encapsulation scheme with built-in access controls. By tying decryption permissions to user attributes, Covercrypt delivers speed and post-quantum security. The code caves of GitHub got a cleanup crew courtesy of Microsoft. A sprawling malvertising campaign that snagged nearly a million devices worldwide has been knocked down a peg. The race to outpace quantum threats is officially on. The NCSC has issued guidance to help organizations transition to post-quantum cryptography by 2035, with a focus on NIST-approved algorithms and planned support for critical sectors. A fresh face in the cybercrime underworld is juggling a bag of nasty surprises. EncryptHub is hitting users of QQ Talk, WeChat, Google Meet, and more with trojanized apps and slick multi-stage attacks. Lucid isn’t just phishing - it’s engineering trust through your inbox. This advanced PhaaS platform weaponizes the built-in features of iMessage and RCS to create hyper-realistic scams. A botnet is turning home routers into attack platforms. The Ballista botnet is exploiting an unpatched TP-Link Archer router flaw (CVE-2023-1389) to spread stealthily, using Tor domains and remote command execution to launch DDoS attacks worldwide.

Cyware Monthly Threat Intelligence, February 2025

Google ramped up its defenses against the quantum threat. The company rolled out quantum-resistant digital signatures in Cloud KMS, following NIST’s post-quantum cryptography standards. Cyber defenders sharpened their tools, this month, and EARLYCROW is the latest weapon against stealthy APT operations. This method detects C2 activity over HTTP(S) using a novel traffic analysis format called PAIRFLOW. PyPI adopted a "dead but not gone" approach to abandoned software with Project Archival, a new system that flags inactive projects while keeping them accessible. Developers will see warnings about outdated dependencies, helping them make smarter security choices and avoid relying on unmaintained code. China’s Salt Typhoon made itself right at home in global telecom networks. The group was caught using JumbledPath, a custom-built spying tool, to infiltrate ISPs in the U.S., Italy, South Africa, and Thailand. Russia’s Sandworm hackers are using pirated software as bait. Their latest attack on Ukrainian Windows users disguises malware inside trojanized KMS activators and fake Windows updates. The CISA flagged major security holes in Microsoft Outlook and Sophos XG Firewall. One flaw allows remote code execution in Outlook, while another exposes firewall users to serious risks. A new payment card skimming campaign turned Stripe’s old API into a weapon. Hackers inserted malicious scripts into checkout pages, validating stolen card details through Stripe before exfiltration. A new malware named Ratatouille is stirring up trouble by bypassing UAC and using I2P for anonymous communications. Spreading through phishing emails and fake CAPTCHA pages, it tricks victims into running an embedded PowerShell script. A new version of ValleyRAT was also spotted, using stealthy techniques to infiltrate systems. Researchers found the malware being spread through fake Chrome downloads.

Cyware Monthly Threat Intelligence, January 2025

The U.K took a proactive stance on cyber resilience with its Cyber Local initiative, injecting £1.9 million into 30 projects across England and Northern Ireland. The effort focuses on closing the cyber skills gap, fortifying small businesses, and supporting underrepresented groups. India tightened its grip on data privacy with new draft rules designed to give citizens more control over their personal information. The proposed regulations mandate clearer data processing disclosures, stricter security protocols, and swift breach reporting. Hackers turned to SparkRAT, an open-source GoLang RAT, to target macOS users and government entities. Initially released in 2022, its modular design and cross-platform capability have made it a cybercriminal favorite. More than 10,000 WordPress sites were hijacked in a large-scale malware campaign delivering AMOS to macOS users and SocGholish to Windows users. Attackers exploited outdated plugins to inject fake browser update prompts. Lumma Stealer is made its way through GitHub in a new malware campaign that abuses the platform’s release infrastructure. Attackers deployed malware like SectopRAT and Vidar, using secure-looking download links to exfiltrate data while evading detection. Cybercriminals deployed the Coyote banking trojan against financial firms in Brazil, using malicious Windows LNK files to execute PowerShell scripts. This malware established secure connections with C2 servers, enabling keylogging and data theft. A two-year-long phishing campaign targeted Microsoft’s advertising platform users through malicious Google Search ads. A Mirai-based botnet exploited zero-day vulnerabilities in industrial routers and smart home devices. With 15,000 active nodes daily, it launched high-intensity DDoS attacks surpassing 100 Gbps, posing a growing threat across multiple countries.

Cyware Monthly Threat Intelligence, December 2024

The cloud revolution isn’t just about convenience anymore; it’s now the frontline of defense. With CISA's new directive mandating cloud environment fortification, federal agencies face a race against time to safeguard Microsoft 365 and other services. Meanwhile, proposed updates to the HIPAA security rules push healthcare organizations toward stronger PHI protection with advanced technical controls and detailed incident planning. On the global front, Operation PowerOFF turned the tables on DDoS attackers, dismantling 27 illegal platforms and curbing festive-season chaos. The cyber battlefield sees no intermission as new threats take center stage. A phishing campaign, dubbed Aggressive Inventory Zombies (AIZ), exploited brand trust by mimicking retail giants and crypto platforms. Meanwhile, the resurrected BADBOX botnet has compromised 192,000 Android devices globally, sneaking into supply chains to wreak havoc with ad fraud and account abuse. Adding to the turbulence, Poison Ivy (APT-C-01) resurged, targeting critical sectors with advanced phishing techniques and deploying Sliver RAT to breach systems and steal sensitive data. This month, new threats targeted IoT, banking, and app ecosystems, with threat actors unleashing diverse attacks. Iranian hackers deployed IOCONTROL malware to compromise IoT and OT systems, targeting critical infrastructure like gas stations. Meanwhile, the DroidBot banking malware infiltrates cryptocurrency and banking apps across Europe, leveraging MaaS operations for tailored attacks. Adding to the chaos, SpyLoan malware apps, with over eight million installs, exploited users in South America, Southeast Asia, and Africa, highlighting the escalating risks within app marketplaces. For detailed Cyber Threat Intel, click ‘Read More’.

Cyware Monthly Threat Intelligence, November 2024

The TSA reshaped the cybersecurity landscape for pipeline and railroad operators with proposed rules mandating incident reporting and risk management plans. Estimated to cost $2.1 billion over the next decade, the rules aimed to address growing cyber threats while balancing flexibility with resilience. Meta dismantled a sprawling web of over two million accounts tied to pig butchering scams in Southeast Asia and the UAE. Africa’s cybercrime ecosystem faced a decisive blow with Operation Serengeti, as over 1,000 suspects were arrested, and 134,000 malicious networks taken offline. TAG-110, a Russia-aligned threat group, launched a cyber-espionage campaign targeting governments and organizations in Asia and Europe. Using malware like HATVIBE and CHERRYSPY, it aimed to monitor geopolitical developments and assert influence. A botnet powered by Ngioweb malware converted 35,000 IoT devices into residential proxies. These compromised devices, found largely in the U.S., were sold on platforms like NSOCKS for malicious purposes. Water Barghest compromised over 20,000 IoT devices by exploiting known vulnerabilities. The group used Shodan to identify targets and deployed Ngioweb malware to connect them to its monetized network. LIMINAL PANDA, a Chinese cyberespionage group, has been targeting telecoms in South Asia and Africa since 2020. Using tools like SIGTRANslator and PingPong, the group exploits telecom protocols to steal critical data while staying undetected. NodeStealer has resurfaced, targeting Facebook Ads Manager accounts to steal credit card details and browser credentials. It uses Windows Restart Manager and Python scripts to execute its attacks, with stolen data sent via Telegram. BabbleLoader, a stealthy malware loader, delivers WhiteSnake and Meduza stealers. Disguised as accounting software, it targets English and Russian speakers, evading antivirus systems with advanced techniques.

The Good

The Bad

New Threats

Related Threat Briefings

Jul 1, 2025