Cyware Monthly Threat Intelligence

The Good

In the top news for the month, President Joe Biden an extensive executive order on improving the cybersecurity stature of the U.S. Meanwhile, top browser makers Google and Mozilla came along to develop an API to fend off XSS attacks. Advancing its cybersecurity posture, the U.S. Coast Guard announced to establish its own red team to take on cybersecurity threats.

After an overhaul that focuses on cybersecurity spending, the U.S. President finally signed an executive order to strengthen the country’s cybersecurity defenses. The order comes as a response to the recent SolarWinds and other significant attacks carried out by foreign threat actors.
Google, Mozilla, and security firm Cure53 announced to develop an API that sanitizes HTML input strings and prevents cross-site scripting (XSS) attacks. The API will be integrated into future versions of Mozilla Firefox and Google Chrome browsers.
A researcher from HSE University proposed a new algorithm to assess vulnerabilities in encryption programs, leveraging a brute-force search of possible options of symbol deciphering.
Microsoft released an open-source lab environment SimuLand that will help test and strengthen Microsoft 365 Defender, Azure Sentinel, and Azure Defender against real attack scenarios.
The U.S. Coast Guard announced the establishment of its first-ever red team under the Cyber Operational Assessments Branch to bolster its cyber defenses. It will transform its enterprise cyber blue team into a more comprehensive task force.
The U.K’s NCSC rolled out a free cyber threat warning service that gives timely notification about possible incidents and security issues. The service, called Early Warning, is the latest Active Cyber Defence service from the NCSC.

The Bad

From healthcare to audio device manufacturers, several global firms, such as Fujitsu, Bose, and Toyota, faced interruptions in services due to cyberattacks. Threats racked up against government agencies in Australia, Belgium, and Indonesia that impacted millions of citizens. Moreover, the new Agrius group from Iran launched disruptive attacks against Israeli targets.

Fujitsu was forced to temporarily shut down its ProjectWEB SaaS platform after cyberattacks on multiple Japanese government entities, including the Ministry of Land, Infrastructure, Transport and Tourism; the Ministry of Foreign Affairs; the Cabinet Secretariat; and the Narita Airport.
Microsoft disclosed that the Russia-based APT29 threat actor targeted around 150 government agencies, consultants, think tanks, and NGOs across at least 24 nations. The group behind the SolarWinds attack also breached the networks of the United States Agency for International Development’s (USAID) email marketing service, Constant Contact.
Private patient info was released to media outlets by hackers who targeted hospitals in New Zealand’s Waikato district. The hackers gained unauthorized access to documents containing names, phone numbers, and addresses of patients and staff.
A pair of attacks hit Toyota. While the first one attacked Daihatsu Diesel, a subsidiary of Toyota; the other one was launched against Auto Parts Manufacturing Mississippi, another subsidiary.
Bose Corporation suffered a data breach that occurred due to a ransomware attack in March. The personal information—social security numbers, compensation information, and other HR-related details—of some of its current and former employees was accessed by the attackers.
A cryptocurrency scam that hit some members of Reddit’s WallStreetBets forum resulted in a loss of $2 million. Criminals reportedly misled people in a fake transaction on Telegram.
The Iranian hacking group Agrius came up with a new destructible wiper malware Apostle that includes the functionality of wiper and ransomware. The new malware primarily focuses on cyberespionage and destruction and demands a ransom posing as ransomware actors.
The Avaddon ransomware gang threatened to release sensitive information, including passport images, driver’s licenses, and employment contracts, belonging to the NSW Labor Party of Australia after gaining access to its computer network in a major cyberattack.
A database belonging to Bergen Logistics remained exposed for public access without any security authentication. It included 467,979 records, containing names, addresses, order numbers, and email addresses, all relevant to shipments and customers.
More than 200 organizations in Belgium were affected by a DDoS attack that took the country’s internet offline. The affected entities include government, parliament, universities, and research institutes.
An Iranian hacker group identified as N3tw0rm threatened to release 110GB of data belonging to H&M Israel. The group is suspected to be affiliated with the Iran-linked Pay2Key.
Indonesia’s government admitted to the leak of the personal data of millions of citizens on the RaidForums dark web market. The data was stolen from a national health insurance scheme Badan Penyelenggara Jaminan Sosial (BPJS).
Australian digital real estate business Domain Group fell victim to a phishing attack that targeted its users by asking them to pay a deposit to secure rental property on a website nominated by the scammer.
Taxpayers in South Korea, Australia, and the U.S. are being targeted in a phishing campaign pretending to be accounting ledgers. The campaign is used to distribute RATs.

New Threats

New vulnerabilities, phishing techniques, and malware actors tried well enough to undermine organizations’ efforts to subdue them. While FragAttacks flaws concern WiFi devices, the new Snip3 deploys multiple RAT families and features exceptional evasive behavior. Moreover, flaws in multiple Android apps were found risking the data of 100 million users.

A total of 12 design and implementation flaws, dubbed FragAttacks, in IEEE 802.11 technical standards were discovered in WiFi devices, rendering them vulnerable to attacks. These flaws can be exploited by attackers within the radio range of the target.
Personal data—names, email addresses, dates of birth, chat messages, location, and payment details—of over 100 million Android users was exposed due to unprotected databases used by 23 apps. Some of the apps are Logo Maker, Astro Guru, and T’Leva.
A new and stealthy malware loader called Snip3 was part of an ongoing phishing campaign that targeted aerospace and travel organizations. The malware loader has been used to drop Revenge RAT, AsyncRAT, Agent Tesla, and NetWire RAT on compromised systems.
In a new technique, the Magecart group 12 was identified hiding web shells known as Smilodon or Megalodon inside website favicons. These web shells were used to dynamically load JavaScript skimming code via server-side requests into online stores.
Researchers observed an updated version of Lemon Duck cryptomining botnet that targeted unpatched Microsoft Exchange servers and attempted to execute payloads for Cobalt Strike DNS beacons.
Three new malware, DOUBLEDRAG, DOUBLEDROP, and DOUBLEBACK, were associated with a massive cyberespionage campaign that targeted many organizations in the U.S. Launched via phishing emails, the attacks were carried out by a new uncategorized group - UNC2529.
A new cryptocurrency stealer variant, Panda Stealer, was found targeting individuals across the U.S., Australia, Japan, and Germany. It is being spread through a global spam campaign that leverages Discord channels.
The new Buer malware loader variant was being propagated via phishing emails. Dubbed RustyBuer, the new strain is written in Rust language and is capable of delivering Cobalt Strike Beacon as a second-stage payload.
Researchers demonstrated a new attack technique, dubbed TBONE, that can enable attackers to hack Tesla and other cars remotely without any user interaction. It abuses two vulnerabilities affecting ConnMan, an internet connection manager for embedded devices.
Moriya, a previously unknown rootkit, was used by unknown threat actors to execute passive backdoors on public-facing servers. It allows the attackers to spy on victim network traffic. This rootkit is part of the TunnelSnake campaign.
The Royal Mail delivery firm, once again, came into the crosshairs of scammers aiming to evade security checks in a new phishing scam. The scam is initiated with recipients receiving SMS messages claiming that a parcel has been redirected to the local post office due to an unpaid shipping fee.

Cyware Monthly Threat Intelligence, March 2025

ETSI has rolled out a new quantum-safe encryption standard featuring Covercrypt, a novel key encapsulation scheme with built-in access controls. By tying decryption permissions to user attributes, Covercrypt delivers speed and post-quantum security. The code caves of GitHub got a cleanup crew courtesy of Microsoft. A sprawling malvertising campaign that snagged nearly a million devices worldwide has been knocked down a peg. The race to outpace quantum threats is officially on. The NCSC has issued guidance to help organizations transition to post-quantum cryptography by 2035, with a focus on NIST-approved algorithms and planned support for critical sectors. A fresh face in the cybercrime underworld is juggling a bag of nasty surprises. EncryptHub is hitting users of QQ Talk, WeChat, Google Meet, and more with trojanized apps and slick multi-stage attacks. Lucid isn’t just phishing - it’s engineering trust through your inbox. This advanced PhaaS platform weaponizes the built-in features of iMessage and RCS to create hyper-realistic scams. A botnet is turning home routers into attack platforms. The Ballista botnet is exploiting an unpatched TP-Link Archer router flaw (CVE-2023-1389) to spread stealthily, using Tor domains and remote command execution to launch DDoS attacks worldwide.

Cyware Monthly Threat Intelligence, February 2025

Google ramped up its defenses against the quantum threat. The company rolled out quantum-resistant digital signatures in Cloud KMS, following NIST’s post-quantum cryptography standards. Cyber defenders sharpened their tools, this month, and EARLYCROW is the latest weapon against stealthy APT operations. This method detects C2 activity over HTTP(S) using a novel traffic analysis format called PAIRFLOW. PyPI adopted a "dead but not gone" approach to abandoned software with Project Archival, a new system that flags inactive projects while keeping them accessible. Developers will see warnings about outdated dependencies, helping them make smarter security choices and avoid relying on unmaintained code. China’s Salt Typhoon made itself right at home in global telecom networks. The group was caught using JumbledPath, a custom-built spying tool, to infiltrate ISPs in the U.S., Italy, South Africa, and Thailand. Russia’s Sandworm hackers are using pirated software as bait. Their latest attack on Ukrainian Windows users disguises malware inside trojanized KMS activators and fake Windows updates. The CISA flagged major security holes in Microsoft Outlook and Sophos XG Firewall. One flaw allows remote code execution in Outlook, while another exposes firewall users to serious risks. A new payment card skimming campaign turned Stripe’s old API into a weapon. Hackers inserted malicious scripts into checkout pages, validating stolen card details through Stripe before exfiltration. A new malware named Ratatouille is stirring up trouble by bypassing UAC and using I2P for anonymous communications. Spreading through phishing emails and fake CAPTCHA pages, it tricks victims into running an embedded PowerShell script. A new version of ValleyRAT was also spotted, using stealthy techniques to infiltrate systems. Researchers found the malware being spread through fake Chrome downloads.

Cyware Monthly Threat Intelligence, January 2025

The U.K took a proactive stance on cyber resilience with its Cyber Local initiative, injecting £1.9 million into 30 projects across England and Northern Ireland. The effort focuses on closing the cyber skills gap, fortifying small businesses, and supporting underrepresented groups. India tightened its grip on data privacy with new draft rules designed to give citizens more control over their personal information. The proposed regulations mandate clearer data processing disclosures, stricter security protocols, and swift breach reporting. Hackers turned to SparkRAT, an open-source GoLang RAT, to target macOS users and government entities. Initially released in 2022, its modular design and cross-platform capability have made it a cybercriminal favorite. More than 10,000 WordPress sites were hijacked in a large-scale malware campaign delivering AMOS to macOS users and SocGholish to Windows users. Attackers exploited outdated plugins to inject fake browser update prompts. Lumma Stealer is made its way through GitHub in a new malware campaign that abuses the platform’s release infrastructure. Attackers deployed malware like SectopRAT and Vidar, using secure-looking download links to exfiltrate data while evading detection. Cybercriminals deployed the Coyote banking trojan against financial firms in Brazil, using malicious Windows LNK files to execute PowerShell scripts. This malware established secure connections with C2 servers, enabling keylogging and data theft. A two-year-long phishing campaign targeted Microsoft’s advertising platform users through malicious Google Search ads. A Mirai-based botnet exploited zero-day vulnerabilities in industrial routers and smart home devices. With 15,000 active nodes daily, it launched high-intensity DDoS attacks surpassing 100 Gbps, posing a growing threat across multiple countries.

Cyware Monthly Threat Intelligence, December 2024

The cloud revolution isn’t just about convenience anymore; it’s now the frontline of defense. With CISA's new directive mandating cloud environment fortification, federal agencies face a race against time to safeguard Microsoft 365 and other services. Meanwhile, proposed updates to the HIPAA security rules push healthcare organizations toward stronger PHI protection with advanced technical controls and detailed incident planning. On the global front, Operation PowerOFF turned the tables on DDoS attackers, dismantling 27 illegal platforms and curbing festive-season chaos. The cyber battlefield sees no intermission as new threats take center stage. A phishing campaign, dubbed Aggressive Inventory Zombies (AIZ), exploited brand trust by mimicking retail giants and crypto platforms. Meanwhile, the resurrected BADBOX botnet has compromised 192,000 Android devices globally, sneaking into supply chains to wreak havoc with ad fraud and account abuse. Adding to the turbulence, Poison Ivy (APT-C-01) resurged, targeting critical sectors with advanced phishing techniques and deploying Sliver RAT to breach systems and steal sensitive data. This month, new threats targeted IoT, banking, and app ecosystems, with threat actors unleashing diverse attacks. Iranian hackers deployed IOCONTROL malware to compromise IoT and OT systems, targeting critical infrastructure like gas stations. Meanwhile, the DroidBot banking malware infiltrates cryptocurrency and banking apps across Europe, leveraging MaaS operations for tailored attacks. Adding to the chaos, SpyLoan malware apps, with over eight million installs, exploited users in South America, Southeast Asia, and Africa, highlighting the escalating risks within app marketplaces. For detailed Cyber Threat Intel, click ‘Read More’.

Cyware Monthly Threat Intelligence, November 2024

The TSA reshaped the cybersecurity landscape for pipeline and railroad operators with proposed rules mandating incident reporting and risk management plans. Estimated to cost $2.1 billion over the next decade, the rules aimed to address growing cyber threats while balancing flexibility with resilience. Meta dismantled a sprawling web of over two million accounts tied to pig butchering scams in Southeast Asia and the UAE. Africa’s cybercrime ecosystem faced a decisive blow with Operation Serengeti, as over 1,000 suspects were arrested, and 134,000 malicious networks taken offline. TAG-110, a Russia-aligned threat group, launched a cyber-espionage campaign targeting governments and organizations in Asia and Europe. Using malware like HATVIBE and CHERRYSPY, it aimed to monitor geopolitical developments and assert influence. A botnet powered by Ngioweb malware converted 35,000 IoT devices into residential proxies. These compromised devices, found largely in the U.S., were sold on platforms like NSOCKS for malicious purposes. Water Barghest compromised over 20,000 IoT devices by exploiting known vulnerabilities. The group used Shodan to identify targets and deployed Ngioweb malware to connect them to its monetized network. LIMINAL PANDA, a Chinese cyberespionage group, has been targeting telecoms in South Asia and Africa since 2020. Using tools like SIGTRANslator and PingPong, the group exploits telecom protocols to steal critical data while staying undetected. NodeStealer has resurfaced, targeting Facebook Ads Manager accounts to steal credit card details and browser credentials. It uses Windows Restart Manager and Python scripts to execute its attacks, with stolen data sent via Telegram. BabbleLoader, a stealthy malware loader, delivers WhiteSnake and Meduza stealers. Disguised as accounting software, it targets English and Russian speakers, evading antivirus systems with advanced techniques.

The Good

The Bad

New Threats

Related Threat Briefings

Jun 1, 2025