Cyware Monthly Threat Intelligence

The Good

Besides implementing all the key security controls, organizations also need to focus on the human element in cybersecurity. Given this, the NIST has devised a method—Phish Scale—to help organizations analyze why employees fall prey to phishing attacks. Further, a team from Quantum Engineering Technology Labs found a unique method to make messaging secure. The U.S. Federal Energy Regulatory Commission (FERC) and the North American Electricity Reliability Corporation (NERC) outlined the best cybersecurity practices for electric utilities.

Researchers at NIST developed a new method called Phish Scale to help organizations avoid getting victimized by phishing attacks. Phish Scale uses a rating system based on the message content in a phishing email.
A team of scientists from the QET Labs at the University of Bristol came up with a new technique to secure a multi-user quantum communication network. The technique can make messaging completely safe from interceptions.
The U.S. General Services Administration’s 18F digital services unit issued a field guide for federal agencies to help them mitigate cyber risks in their systems. The guide covers various topics related to cyber strategy development, including planning, acquisition, and execution.
Additionally, the DHS collaborated with Akamai and the Center for Internet Security on a project called the Malicious Domain Block and Reporting (MDBR) service. Under this initiative, the agency plans to improve the digital security of state and local governments by offering DNS filtering systems for free.
The U.S. FERC and NERC and its entities released a report outlining the cyber incident response and recovery best practices for electric utilities. The guidelines include a clear definition of personnel roles and staff about taking action without unnecessary delays.

The Bad

This month witnessed a range of different incidents where organization fell prey to targeted attacks. One of the largest-ever healthcare ransomware attacks struck Universal Health Services, shutting down its IT network across facilities in the U.S. Whereas, Midwest Property Management, Town Sports International, Microsoft Bing, shopping site Windeln.de, and several others exposed millions of records via unsecured servers. In other news, a hacker uploaded hacking techniques, in a PDF doc, on official websites of the WHO and UNESCO.

Allegedly, Ryuk actors crippled computer networks of the Fortune 500 healthcare provider, Universal Health Services, locking its computers and phone systems. The attack, which is also touted as one of the largest medical cyberattacks in U.S. history, saw no patient or employee data leak during the attack.
French maritime transport and logistics giant, CMA CGM S.A. suffered a cyberattack, shutting down some of its servers at two of its APAC subsidiaries. Reportedly, the company’s Chinese offices were infected with the Ragnar Locker ransomware.
Unsecured databases were responsible for data leaks at Midwest Property Management and Town Sports International. While the Midwest Property Management exposed 1.2 million records, the data leak at Town Sports International affected a terabyte of data associated with the company.
An unencrypted Elasticsearch server at BrandBQ, a European fashion retailer, laid bare sensitive personal and financial data of about 500,000 shoppers. Most of the database’s entries were activity logs from customer actions on the affected websites, including newsletter registrations, purchases (and related checkout details), and user agreements.
Hackers allegedly published data of thousands of Clark County School District students after it was infected with malware on August 27. Some of the files reportedly included employee SSNs, retirement paperwork, student birthdates, addresses, and grades.
University Hospital New Jersey (UHNJ) suffered an attack by SunCrypt ransomware. The attackers stole 240GB of data, of which 1.7GB containing 48,000 documents were posted online.
Researchers found PDF documents containing tricks for hacking online games and Facebook and Instagram accounts, which were uploaded to the websites of several organizations, including the WHO, UNESCO, the Georgia Institute of Technology, and a Cuban government website.
Microsoft exposed one of its backend servers that exposed over 6.5TB of log files containing 13 billion records originating from the Bing search engine via an unsecured Elasticsearch server.
The College of the Nurses of Ontario fell victim to a cyberattack, forcing the governing body for nurses to shut down its services. On the contrary, Long Island’s tertiary care center, Regional Trauma Center, and Stony Brook University notified their patients about a data breach due to the Blackbaud ransomware attack.
The German shopping giant Windeln.de exposed 882GB data from 70 dating and e-commerce sites due to a misconfigured Elasticsearch database. The leaked data included invoices, full names, IP addresses, phone numbers, email addresses, and home addresses.

New Threats

Numerous new malware and vulnerability threats were also discovered this month. Security experts discovered the new Alien trojan capable of stealing credentials from at least 226 Android applications. Meanwhile, BLE reconnection procedure risked billions of Android and iOS devices vulnerable to the new attack dubbed BLESA. Moreover, the Maze actor was spotted using Ragnar Locker’s evasion techniques.

ThreatFabric reported a new strain of Android malware called Alien that can steal credentials from 226 apps including Facebook, Gmail, and Snapchat. This malware is based on the source code of a rival malware gang named Cerberus, a witty trojan that has also integrated remote access features into their codebases.
Billions of IoT devices were reported vulnerable to new Bluetooth Low Energy Spoofing Attacks (BLESA) that arise due to a reconnection issue between paired devices. Apple has assigned CVE-2020-9770 for the related vulnerability affecting iOS and iPadOS.
Microsoft removed 18 Azure Active Directory applications from its Azure portal that were created and abused by a Chinese state-sponsored hacker group called Gadolinium. These apps were hosted on Active Directory as a part of their command and control infrastructure under a COVID-19-related spearphishing campaign.
A new ransomware operation named Mount Locker was found to be active since July 2020, stealing victims’ files before encrypting them and demanding multi-million dollar ransoms. The ransomware uses ChaCha20 and RSA-2048 to encrypt files.
The return of Zebrocy and Emotet, in different cyberespionage campaigns, was also reported by researchers and federal agencies. While the Zebrocy campaign leveraged fake NATO documents to target government bodies in specific countries, the Emotet trojan made use of legitimate email threads to evade detection.
While conducting an investigation, researchers found that Maze ransomware operators adopted an evasion technique pioneered by Ragnar Locker ransomware. The technique includes deploying payload inside a virtual machine to evade detection.
Zeppelin ransomware returned in August with a newly spotted infection routine. The campaign was carried out through a phishing email containing malicious macros. The macros executed About1.vbs trojan downloader, which later downloaded the ransomware onto a victim’s machine.
A newly discovered malware gang, named Epic Manchego, used malicious Excel files to bypass security scanners in an attack campaign targeted against companies across the world. The malicious files were distributed via phishing emails.
Cybercrime group TeamTNT relied on a legitimate tool, Weave Scope, to gain full control of Docker and Kubernetes platforms. The attackers installed this tool to map the cloud environment of their victim and execute system commands without deploying malicious code on the server.
Cisco Talos uncovered a series of email campaigns distributing various malware payloads, such as GoziISFB, ZLoader, SmokeLoader, and AveMaria. These emails included links to malicious documents that were hosted on legitimate file-sharing platforms.

Cyware Monthly Threat Intelligence, March 2025

ETSI has rolled out a new quantum-safe encryption standard featuring Covercrypt, a novel key encapsulation scheme with built-in access controls. By tying decryption permissions to user attributes, Covercrypt delivers speed and post-quantum security. The code caves of GitHub got a cleanup crew courtesy of Microsoft. A sprawling malvertising campaign that snagged nearly a million devices worldwide has been knocked down a peg. The race to outpace quantum threats is officially on. The NCSC has issued guidance to help organizations transition to post-quantum cryptography by 2035, with a focus on NIST-approved algorithms and planned support for critical sectors. A fresh face in the cybercrime underworld is juggling a bag of nasty surprises. EncryptHub is hitting users of QQ Talk, WeChat, Google Meet, and more with trojanized apps and slick multi-stage attacks. Lucid isn’t just phishing - it’s engineering trust through your inbox. This advanced PhaaS platform weaponizes the built-in features of iMessage and RCS to create hyper-realistic scams. A botnet is turning home routers into attack platforms. The Ballista botnet is exploiting an unpatched TP-Link Archer router flaw (CVE-2023-1389) to spread stealthily, using Tor domains and remote command execution to launch DDoS attacks worldwide.

Cyware Monthly Threat Intelligence, February 2025

Google ramped up its defenses against the quantum threat. The company rolled out quantum-resistant digital signatures in Cloud KMS, following NIST’s post-quantum cryptography standards. Cyber defenders sharpened their tools, this month, and EARLYCROW is the latest weapon against stealthy APT operations. This method detects C2 activity over HTTP(S) using a novel traffic analysis format called PAIRFLOW. PyPI adopted a "dead but not gone" approach to abandoned software with Project Archival, a new system that flags inactive projects while keeping them accessible. Developers will see warnings about outdated dependencies, helping them make smarter security choices and avoid relying on unmaintained code. China’s Salt Typhoon made itself right at home in global telecom networks. The group was caught using JumbledPath, a custom-built spying tool, to infiltrate ISPs in the U.S., Italy, South Africa, and Thailand. Russia’s Sandworm hackers are using pirated software as bait. Their latest attack on Ukrainian Windows users disguises malware inside trojanized KMS activators and fake Windows updates. The CISA flagged major security holes in Microsoft Outlook and Sophos XG Firewall. One flaw allows remote code execution in Outlook, while another exposes firewall users to serious risks. A new payment card skimming campaign turned Stripe’s old API into a weapon. Hackers inserted malicious scripts into checkout pages, validating stolen card details through Stripe before exfiltration. A new malware named Ratatouille is stirring up trouble by bypassing UAC and using I2P for anonymous communications. Spreading through phishing emails and fake CAPTCHA pages, it tricks victims into running an embedded PowerShell script. A new version of ValleyRAT was also spotted, using stealthy techniques to infiltrate systems. Researchers found the malware being spread through fake Chrome downloads.

Cyware Monthly Threat Intelligence, January 2025

The U.K took a proactive stance on cyber resilience with its Cyber Local initiative, injecting £1.9 million into 30 projects across England and Northern Ireland. The effort focuses on closing the cyber skills gap, fortifying small businesses, and supporting underrepresented groups. India tightened its grip on data privacy with new draft rules designed to give citizens more control over their personal information. The proposed regulations mandate clearer data processing disclosures, stricter security protocols, and swift breach reporting. Hackers turned to SparkRAT, an open-source GoLang RAT, to target macOS users and government entities. Initially released in 2022, its modular design and cross-platform capability have made it a cybercriminal favorite. More than 10,000 WordPress sites were hijacked in a large-scale malware campaign delivering AMOS to macOS users and SocGholish to Windows users. Attackers exploited outdated plugins to inject fake browser update prompts. Lumma Stealer is made its way through GitHub in a new malware campaign that abuses the platform’s release infrastructure. Attackers deployed malware like SectopRAT and Vidar, using secure-looking download links to exfiltrate data while evading detection. Cybercriminals deployed the Coyote banking trojan against financial firms in Brazil, using malicious Windows LNK files to execute PowerShell scripts. This malware established secure connections with C2 servers, enabling keylogging and data theft. A two-year-long phishing campaign targeted Microsoft’s advertising platform users through malicious Google Search ads. A Mirai-based botnet exploited zero-day vulnerabilities in industrial routers and smart home devices. With 15,000 active nodes daily, it launched high-intensity DDoS attacks surpassing 100 Gbps, posing a growing threat across multiple countries.

Cyware Monthly Threat Intelligence, December 2024

The cloud revolution isn’t just about convenience anymore; it’s now the frontline of defense. With CISA's new directive mandating cloud environment fortification, federal agencies face a race against time to safeguard Microsoft 365 and other services. Meanwhile, proposed updates to the HIPAA security rules push healthcare organizations toward stronger PHI protection with advanced technical controls and detailed incident planning. On the global front, Operation PowerOFF turned the tables on DDoS attackers, dismantling 27 illegal platforms and curbing festive-season chaos. The cyber battlefield sees no intermission as new threats take center stage. A phishing campaign, dubbed Aggressive Inventory Zombies (AIZ), exploited brand trust by mimicking retail giants and crypto platforms. Meanwhile, the resurrected BADBOX botnet has compromised 192,000 Android devices globally, sneaking into supply chains to wreak havoc with ad fraud and account abuse. Adding to the turbulence, Poison Ivy (APT-C-01) resurged, targeting critical sectors with advanced phishing techniques and deploying Sliver RAT to breach systems and steal sensitive data. This month, new threats targeted IoT, banking, and app ecosystems, with threat actors unleashing diverse attacks. Iranian hackers deployed IOCONTROL malware to compromise IoT and OT systems, targeting critical infrastructure like gas stations. Meanwhile, the DroidBot banking malware infiltrates cryptocurrency and banking apps across Europe, leveraging MaaS operations for tailored attacks. Adding to the chaos, SpyLoan malware apps, with over eight million installs, exploited users in South America, Southeast Asia, and Africa, highlighting the escalating risks within app marketplaces. For detailed Cyber Threat Intel, click ‘Read More’.

Cyware Monthly Threat Intelligence, November 2024

The TSA reshaped the cybersecurity landscape for pipeline and railroad operators with proposed rules mandating incident reporting and risk management plans. Estimated to cost $2.1 billion over the next decade, the rules aimed to address growing cyber threats while balancing flexibility with resilience. Meta dismantled a sprawling web of over two million accounts tied to pig butchering scams in Southeast Asia and the UAE. Africa’s cybercrime ecosystem faced a decisive blow with Operation Serengeti, as over 1,000 suspects were arrested, and 134,000 malicious networks taken offline. TAG-110, a Russia-aligned threat group, launched a cyber-espionage campaign targeting governments and organizations in Asia and Europe. Using malware like HATVIBE and CHERRYSPY, it aimed to monitor geopolitical developments and assert influence. A botnet powered by Ngioweb malware converted 35,000 IoT devices into residential proxies. These compromised devices, found largely in the U.S., were sold on platforms like NSOCKS for malicious purposes. Water Barghest compromised over 20,000 IoT devices by exploiting known vulnerabilities. The group used Shodan to identify targets and deployed Ngioweb malware to connect them to its monetized network. LIMINAL PANDA, a Chinese cyberespionage group, has been targeting telecoms in South Asia and Africa since 2020. Using tools like SIGTRANslator and PingPong, the group exploits telecom protocols to steal critical data while staying undetected. NodeStealer has resurfaced, targeting Facebook Ads Manager accounts to steal credit card details and browser credentials. It uses Windows Restart Manager and Python scripts to execute its attacks, with stolen data sent via Telegram. BabbleLoader, a stealthy malware loader, delivers WhiteSnake and Meduza stealers. Disguised as accounting software, it targets English and Russian speakers, evading antivirus systems with advanced techniques.

Related Threat Briefings

Jul 1, 2025