Cyware Monthly Threat Intelligence

The Good

User privacy remained at the forefront of cutting-edge cyber innovations in the month of October. For instance, security experts from CSIRO's Data61 and Monash University claimed to have developed the world’s most efficient blockchain protocol, promising both utmost security and privacy. Meanwhile, another research group spurred hopes with their new method of distributing secret cryptographic keys and ensuring user privacy using optical framed knots. In other news, Microsoft collaborated with other firms for the release of a new framework called Adversarial ML Threat Matrix to protect ML systems from cybercriminals.

Researchers from CSIRO’s Data61 and Monash Blockchain Technology Centre claimed to have developed the world’s most efficient blockchain protocol that is both secure against quantum computers and protects the privacy of its users and their transactions. The technology can be applied beyond cryptocurrencies, such as digital health, banking, finance, and government services.
The DHS Science and Technology Directorate (S&T) has designed a new technology called Trusted Mobile System (TrustMS) to secure apps from cyberattacks. It provides protection against exploits, such as stack manipulation, buffer overflows, execution of unintended code, and even execution of an app’s code in incorrect order.
Researchers from the Ben-Gurion University of the Negev and Bar-Ilan University devised a new method of distributing secret cryptographic keys that can be used to encrypt and decrypt data, ensure secure communication, and protect private information. This is possible using optical framed knots.
Researchers at CMU’s CyLab Security and Privacy Institute discovered a neural network model that can help users pick more secure passwords. To claim the research, a series of different machine-generated password recommendations was evaluated.
Microsoft, in collaboration with MITRE, IBM, NVIDIA, and Bosch, released Adversarial ML Threat Matrix—a new open framework to help security analysts detect, respond to, and remediate adversarial attacks against ML systems. The framework is vetted to protect ML systems.

The Bad

However, threat actors maintained their grip on the cyberspace, acting as a roadblock in the path of development. Exempli gratia, Harvest Finance, a decentralized finance service was hit with a $24 million cryptocurrency heist in a hack operation that lasted only seven minutes. Further, a global corporate immigration law firm disclosed sensitive information of employees at tech giants, including Microsoft and Google, in a breach incident. Some attackers also targeted healthcare facilities and providers in DDoS and ransomware attacks.

A hacker stole cryptocurrency assets, including $13 million worth of USD Coin and $11 million worth of Tether from Harvest Finance, a decentralized financial service. Two minutes after the attack, the hacker also returned $2.5 million back to the platform. The company announced offering a $400,000 bounty for anyone who can help recover the stolen funds.
Fragomen, Del Rey, Bernsen & Loewy, LLP, an immigration law firm, suffered a data breach exposing the personal information of current and former Google employees via their Form I-9. Talking about data breaches, Nitro PDF services underwent a humongous data breach that could potentially affect Microsoft, Google, Apple, Citibank, and other major firms. The stolen data is on sale in a private auction, with a starting price of $80,000.
The month didn’t end well for hospitals and healthcare providers: more than 2PB of medical data was found exposing around 3.5 million U.S. patients via PACS servers; Germany’s Robert Koch Institute for infectious disease control was hit by a DDoS attack, knocking its website offline for two hours; and hospitals in New York and Oregon were targeted by ransomware attacks, disrupting systems and forcing reroute ambulances.
Cyber adversaries swindled 19GB of sensitive data from Gunnebo, a Swedish security company. The leaked data include floor plans of bank vaults and shops, monitoring and alarm equipment, and security functions for ATMs. The records were first used to try to blackmail the company but then emails demanding ransoms were sent directly to patients.
Several giants including media monitoring organization Isentia, furniture making company Steelcase, and multinational energy firm Enel Group suffered ransomware attacks by various groups in the last month disrupting its online services. The Netwalker gang reportedly demanded a ransom of $14 million from the Enel Group.
Malicious actors hacked the Signaling System (SS7) network to gain access to Telegram accounts and email data of high-profile individuals in the cryptocurrency business. Occurring in September, the attack targeted at least 20 subscribers of the Partner Communications Company.
Cybercriminals stole more than $22 million in user funds in multiple campaigns targeting Electrum wallet app for more than two years. The attack was carried out through a social engineering technique, wherein users received a false message for updating their wallets.
Cybercriminals exfiltrated and published nearly 9GB of sensitive data belonging to Toledo Public Schools (TPS). The exposed information included names, addresses, dates of birth, phone numbers, and social security numbers of staff and students.
A threat actor group named Spectre123 allegedly leaked sensitive data from NATO and Havelsan online. The documents included work files, proposals, contracts, 3D designs, resumes, excel sheets containing raw materials information, and financial statements.
Joker’s Stash dark market forum was abuzz after a hacker dumped card details for 3 million Dickey’s Barbecue Pit users. The data, which was compromised between July 2019 and August 2020, was sold for a median price of $17 per card.
Fraudsters siphoned off $15 million from a U.S. company in a well-planned BEC attack that lasted for about two months. They used Microsoft Office 365 email services as part of the evasion strategy. Experts suggest that dozens of businesses in construction, legal sectors, retail, and finance could be on their list of targets.

New Threats

Moreover, the month manifested a sea of diverse vulnerable systems that make an attractive hotspot for cyberattacks. Over a hundred smart irrigation systems designed by Mottech Water Management were found to be deployed with lax security measures. Separately, researchers reported variants of TrickBot and Mirai Botnet suffocating critical infrastructures in the U.S. Additionally, the Silent Librarian hacker group made a comeback as schools and universities began to reopen.

More than 100 smart irrigation systems deployed worldwide were installed without changing the default password, making them vulnerable to malicious attacks. Discovered by researchers, these irrigation systems were found to be visible on the open internet across Israel, South Korea, the U.S., Switzerland, and France, with more than half of the systems in Israel.
Variants of TrickBot and Mirai disrupted the critical infrastructure of several organizations. While TrickBot’s operators moved a portion of trojan code to Linux called Anchor_Linux in an attempt to widen the scope of attacks, the new version of Mirai, dubbed Katana, came with enhanced modules such as layer 7 DDoS, unique encryption keys, fast self-replication, and secure C2 server.
According to researchers, over 100,000 Windows systems are still vulnerable to the previously known SMBGhost flaw that could allow malware to spread malware across machines without any need for user interaction. Most of the vulnerable machines are located in Taiwan (22%), followed by Japan (20%), and Russia (11%).
The Silent Librarian returned targeting universities across the globe in a massive spearphishing campaign. The group’s primary focus is on universities in the U.S., the U.K, Canada, Australia, and the Netherlands.
Abaddon becomes the first RAT that uses the freeware instant messaging and VoIP app and digital distribution platform, Discord, as a C2 server. The RAT’s capabilities include stealing multiple data from the infected host, including Chrome cookies, saved credit cards, and Steam credentials.
Threat actors were found scanning the internet for Oracle WebLogic server affected by a critical remote code execution vulnerability, allowing attackers to achieve RCE on a vulnerable WebLogic Server by sending an HTTP GET request.
The NSA published a list of 25 highly-exploited vulnerabilities by Chinese actors worldwide. In these attacks, criminals typically first identify their target, gather technical data, look for vulnerabilities linked to the target, develop or reuse an exploit, and then launch their attack operation.
In a series of recent attacks, Sophos researchers found that LockBit ransomware used automated tools such as using renamed copies of PowerShell and Windows VBScript to move laterally across networks and evade detection.
Seven mobile browsers—Apple Safari, Opera Touch, Opera Mini, Bolt, RITS, UC Browser, and Yandex Browser—affected by an address bar spoofing vulnerability could allow malicious actors to spoof legitimate sites. While some of these browsers have received a security patch, few are yet to be fixed.
A new report highlights that ransomware operators are buying network access credentials, vulnerable endpoints, and compromised employee accounts to simplify their attack process. Access to these entities is priced between $300 and $10,000.
A new phishing email attack that pretended to offer updates on the U.S. President Donald Trump’s health was used to distribute BazarLoader backdoor. The email included a link that redirected victims to a malicious webpage, from where the malware got downloaded in the background.

Cyware Monthly Threat Intelligence, March 2025

ETSI has rolled out a new quantum-safe encryption standard featuring Covercrypt, a novel key encapsulation scheme with built-in access controls. By tying decryption permissions to user attributes, Covercrypt delivers speed and post-quantum security. The code caves of GitHub got a cleanup crew courtesy of Microsoft. A sprawling malvertising campaign that snagged nearly a million devices worldwide has been knocked down a peg. The race to outpace quantum threats is officially on. The NCSC has issued guidance to help organizations transition to post-quantum cryptography by 2035, with a focus on NIST-approved algorithms and planned support for critical sectors. A fresh face in the cybercrime underworld is juggling a bag of nasty surprises. EncryptHub is hitting users of QQ Talk, WeChat, Google Meet, and more with trojanized apps and slick multi-stage attacks. Lucid isn’t just phishing - it’s engineering trust through your inbox. This advanced PhaaS platform weaponizes the built-in features of iMessage and RCS to create hyper-realistic scams. A botnet is turning home routers into attack platforms. The Ballista botnet is exploiting an unpatched TP-Link Archer router flaw (CVE-2023-1389) to spread stealthily, using Tor domains and remote command execution to launch DDoS attacks worldwide.

Cyware Monthly Threat Intelligence, February 2025

Google ramped up its defenses against the quantum threat. The company rolled out quantum-resistant digital signatures in Cloud KMS, following NIST’s post-quantum cryptography standards. Cyber defenders sharpened their tools, this month, and EARLYCROW is the latest weapon against stealthy APT operations. This method detects C2 activity over HTTP(S) using a novel traffic analysis format called PAIRFLOW. PyPI adopted a "dead but not gone" approach to abandoned software with Project Archival, a new system that flags inactive projects while keeping them accessible. Developers will see warnings about outdated dependencies, helping them make smarter security choices and avoid relying on unmaintained code. China’s Salt Typhoon made itself right at home in global telecom networks. The group was caught using JumbledPath, a custom-built spying tool, to infiltrate ISPs in the U.S., Italy, South Africa, and Thailand. Russia’s Sandworm hackers are using pirated software as bait. Their latest attack on Ukrainian Windows users disguises malware inside trojanized KMS activators and fake Windows updates. The CISA flagged major security holes in Microsoft Outlook and Sophos XG Firewall. One flaw allows remote code execution in Outlook, while another exposes firewall users to serious risks. A new payment card skimming campaign turned Stripe’s old API into a weapon. Hackers inserted malicious scripts into checkout pages, validating stolen card details through Stripe before exfiltration. A new malware named Ratatouille is stirring up trouble by bypassing UAC and using I2P for anonymous communications. Spreading through phishing emails and fake CAPTCHA pages, it tricks victims into running an embedded PowerShell script. A new version of ValleyRAT was also spotted, using stealthy techniques to infiltrate systems. Researchers found the malware being spread through fake Chrome downloads.

Cyware Monthly Threat Intelligence, January 2025

The U.K took a proactive stance on cyber resilience with its Cyber Local initiative, injecting £1.9 million into 30 projects across England and Northern Ireland. The effort focuses on closing the cyber skills gap, fortifying small businesses, and supporting underrepresented groups. India tightened its grip on data privacy with new draft rules designed to give citizens more control over their personal information. The proposed regulations mandate clearer data processing disclosures, stricter security protocols, and swift breach reporting. Hackers turned to SparkRAT, an open-source GoLang RAT, to target macOS users and government entities. Initially released in 2022, its modular design and cross-platform capability have made it a cybercriminal favorite. More than 10,000 WordPress sites were hijacked in a large-scale malware campaign delivering AMOS to macOS users and SocGholish to Windows users. Attackers exploited outdated plugins to inject fake browser update prompts. Lumma Stealer is made its way through GitHub in a new malware campaign that abuses the platform’s release infrastructure. Attackers deployed malware like SectopRAT and Vidar, using secure-looking download links to exfiltrate data while evading detection. Cybercriminals deployed the Coyote banking trojan against financial firms in Brazil, using malicious Windows LNK files to execute PowerShell scripts. This malware established secure connections with C2 servers, enabling keylogging and data theft. A two-year-long phishing campaign targeted Microsoft’s advertising platform users through malicious Google Search ads. A Mirai-based botnet exploited zero-day vulnerabilities in industrial routers and smart home devices. With 15,000 active nodes daily, it launched high-intensity DDoS attacks surpassing 100 Gbps, posing a growing threat across multiple countries.

Cyware Monthly Threat Intelligence, December 2024

The cloud revolution isn’t just about convenience anymore; it’s now the frontline of defense. With CISA's new directive mandating cloud environment fortification, federal agencies face a race against time to safeguard Microsoft 365 and other services. Meanwhile, proposed updates to the HIPAA security rules push healthcare organizations toward stronger PHI protection with advanced technical controls and detailed incident planning. On the global front, Operation PowerOFF turned the tables on DDoS attackers, dismantling 27 illegal platforms and curbing festive-season chaos. The cyber battlefield sees no intermission as new threats take center stage. A phishing campaign, dubbed Aggressive Inventory Zombies (AIZ), exploited brand trust by mimicking retail giants and crypto platforms. Meanwhile, the resurrected BADBOX botnet has compromised 192,000 Android devices globally, sneaking into supply chains to wreak havoc with ad fraud and account abuse. Adding to the turbulence, Poison Ivy (APT-C-01) resurged, targeting critical sectors with advanced phishing techniques and deploying Sliver RAT to breach systems and steal sensitive data. This month, new threats targeted IoT, banking, and app ecosystems, with threat actors unleashing diverse attacks. Iranian hackers deployed IOCONTROL malware to compromise IoT and OT systems, targeting critical infrastructure like gas stations. Meanwhile, the DroidBot banking malware infiltrates cryptocurrency and banking apps across Europe, leveraging MaaS operations for tailored attacks. Adding to the chaos, SpyLoan malware apps, with over eight million installs, exploited users in South America, Southeast Asia, and Africa, highlighting the escalating risks within app marketplaces. For detailed Cyber Threat Intel, click ‘Read More’.

Cyware Monthly Threat Intelligence, November 2024

The TSA reshaped the cybersecurity landscape for pipeline and railroad operators with proposed rules mandating incident reporting and risk management plans. Estimated to cost $2.1 billion over the next decade, the rules aimed to address growing cyber threats while balancing flexibility with resilience. Meta dismantled a sprawling web of over two million accounts tied to pig butchering scams in Southeast Asia and the UAE. Africa’s cybercrime ecosystem faced a decisive blow with Operation Serengeti, as over 1,000 suspects were arrested, and 134,000 malicious networks taken offline. TAG-110, a Russia-aligned threat group, launched a cyber-espionage campaign targeting governments and organizations in Asia and Europe. Using malware like HATVIBE and CHERRYSPY, it aimed to monitor geopolitical developments and assert influence. A botnet powered by Ngioweb malware converted 35,000 IoT devices into residential proxies. These compromised devices, found largely in the U.S., were sold on platforms like NSOCKS for malicious purposes. Water Barghest compromised over 20,000 IoT devices by exploiting known vulnerabilities. The group used Shodan to identify targets and deployed Ngioweb malware to connect them to its monetized network. LIMINAL PANDA, a Chinese cyberespionage group, has been targeting telecoms in South Asia and Africa since 2020. Using tools like SIGTRANslator and PingPong, the group exploits telecom protocols to steal critical data while staying undetected. NodeStealer has resurfaced, targeting Facebook Ads Manager accounts to steal credit card details and browser credentials. It uses Windows Restart Manager and Python scripts to execute its attacks, with stolen data sent via Telegram. BabbleLoader, a stealthy malware loader, delivers WhiteSnake and Meduza stealers. Disguised as accounting software, it targets English and Russian speakers, evading antivirus systems with advanced techniques.

Related Threat Briefings

Jul 1, 2025