Cyware Monthly Threat Intelligence

Monthly Threat Briefing • October 2, 2023

The Good

To ensure a secure open-source software landscape, the CISA is charting a collaborative course to bring together all the stakeholders, while the DHS unveiled its IT Strategic Plan for 2024-2028 to modernize and fortify national cybersecurity. The DHS’ plan also encourages investment in a talented workforce to prepare them for future challenges. Down under, Australia is fortifying its cyber defenses with a comprehensive strategy encompassing education, safer technology standards, real-time threat sharing, critical infrastructure protection, nurturing cybersecurity talent, and fostering global collaboration.

The CISA released new guidelines to help federal agencies combat DDoS attacks. Separately, the CISA launched a new initiative “K-12 Education Technology Secure by Design Pledge,” as part of its ongoing efforts to bolster cybersecurity in K-12 schools.
The CISA released an Open Source Software (OSS) Security roadmap that aligns with the layouts of the National Cybersecurity Strategy and the CISA Cybersecurity Strategic Plan. The roadmap will focus on four key goals to ensure collaboration between the CISA, federal agencies, and OSS consumers and communities for the security of OSS infrastructure.
The NIST announced the release of a special publication for a Zero-Trust Architecture model for federal organizations to assist them in having control over cloud-native applications in multi-location environments. This guidance recommends the formulation of network-tier and identity-tier policies, along with the configuration of technology components that enable the deployment and enforcement of these policies.
The DHS released its new IT strategic plan for fiscal years 2024 through 2028, which prioritizes including the DHS IT academy to upskill its workforce on cybersecurity, among other training. The plan also lays out its objective of retiring legacy systems and building modern, effective, and secure software across the department.
Australia is in the process of building six cyber shields to defend its organizations and people against cyber threats. Slated to come into force by 2030, the six shields include educating people about cybersecurity, building digital products with minimum cybersecurity standards, threat intelligence sharing, limiting access to critical infrastructure, building cybersecurity skills, and increasing engagement with other countries to improve cybersecurity.

The Bad

Significant data breaches were reported exposing sensitive information and raising concerns about data security across verticals. Several healthcare organizations, including the Canadian Nurses Association, Better Outcomes Registry & Network, and Just Kids Dental disclosed incidents exposing the sensitive records of millions of patients. The crypto industry also witnessed intrusions resulting in the loss of hundreds of millions of dollars. Mixin Network and CoinEx were among the top victims. Meanwhile, a threat actor deployed a multi-step strategy to compromise hotel systems via a fake Booking[.]com payment page.

The infamous ALPHV ransomware group added three new organizations to its list of victims. These include Clarion, Phil-Data Business Systems Inc., and MNGI Digestive Health. While the information stolen from the firms is not clear, BlackCat gave MNGI a 48-hour deadline to contact them before it made the stolen data public.
The Better Outcomes Registry & Network (BORN), a healthcare organization funded by the government of Ontario, Canada, announced that it was impacted by the recent Clop ransomware-led MOVEit hacking spree. The investigation revealed that the threat actors copied files containing sensitive information of approximately 3.4 million people.
Hackers stole more than $200 million in assets from the centralized database of Mixin Network, a peer-to-peer transactional network for digital assets located in Hong Kong, forcing it to halt operations. The attack occurred on September 23 and is believed to be the work of Lazarus. The hackers are thought to have stolen at least $93.5 million in Ethereum and more than $23.5 million in Tether, according to cryptocurrency dealers.
Researchers from Sophos revealed that over $1 million was stolen in a pig-butchering cryptocurrency scam in just three months. The attackers used fake trading pools on DeFi trading applications to make profits by trading from one cryptocurrency to another. A total of 14 domains and dozens of nearly identical fraud sites were used as part of the attack.
The Canadian Nurses Association (CNA) confirmed a data theft incident from earlier this year. Two different ransomware groups—Snatch and Nokoyawa—took credit for the attack, with Snatch leaking 37GB of data stolen from CNA. The group further mentioned that it did not use ransomware during its attack on CNA.
North Korea’s Lazarus group stole at least $55 million in ETH, TRON, and Polygon coins by hacking the CoinEx cryptocurrency exchange. The attackers pilfered the digital assets from several hot wallet addresses associated with the platform. The affected wallet addresses were identified and isolated by the firm.
A vishing attack on the development platform Retool allowed attackers to access and take over the accounts of 27 cloud customers, all in the crypto industry. The spear-phishing email was sent to a number of employees, pretending to be from the company’s IT department. The recipients were asked to click on a fake Retool identity portal, designed to redirect the calls to attackers.
In another incident, Caesars Entertainment was apparently targeted by the BlackCat ransomware group. The company revealed that it was the victim of a social engineering attack on an outsourced IT support vendor associated with the company. A ransom of $15 million was paid to the cybercriminals.
Alabama-based Acadia Health LLC, which operates as Just Kids Dental, notified that the sensitive information of nearly 130,000 patients, parents, and employees was compromised in a recent cyberattack. The compromised details included names, addresses, email addresses, phone numbers, birthdates, Social Security numbers, driver's license numbers, health insurance policy information, and treatment information.
The ShinyHunters group claimed to have stolen more than 30 million customer order records from Pizza Hut Australia, in addition to the personal information of more than one million customers. Pizza Hut later confirmed that a cyberattack allowed hackers to gain unauthorized access to the personal information of its 193,000 customers including full names, delivery addresses, phone numbers, and masked credit card details.
Booking.com users were the target of a large-scale phishing attack, wherein their personal data, including names, booking dates, hotel details, and partial payment methods, was stolen by attackers. The attackers utilized the stolen data to craft personalized messages designed to play on the fears and urgency of potential victims.
Ten years’ worth of pathology referral letters and other sensitive details such as patient names, contact details, and Medicare numbers were exposed in a cybersecurity incident affecting the Melbourne-based pathology clinic TissuPath. Russia-based BlackCat claimed responsibility for the attack by threatening to release 4.95TB of data stolen from the firm.
A novel cloud-native cryptojacking operation, codenamed AMBERSQUID, targeted uncommon AWS offerings, such as AWS Amplify, AWS Fargate, and Amazon SageMaker, to illicitly mine cryptocurrency. The activity was first noticed in May and remained active throughout August.

New Threats

Many new malicious operations were uncovered in the last month. For instance, Chinese actors demonstrated increased sophistication and adaptability in a new operation targeting Chinese-speaking individuals, featuring emerging threats like ValleyRAT and Sainbox RAT. In other news, Xenomorph resurfaced after months of inactivity to launch a campaign aimed at over 30 U.S. and Portuguese banks. Additionally, a new ransomware variant called 3AM was spotted in an attack when a LockBit affiliate used it after failing to deploy the LockBit strain on the target network.

A newly discovered ValleyRAT malware was used alongside Sainbox RAT and Purple Fox malware in an attack campaign to target Chinese-speaking users. These malware were distributed via phishing emails including business-themed content—like invoices, payments, and new products—to lure recipients. Written in C++, ValleyRAT includes the functionalities of a basic RAT.
A previously undocumented backdoor malware named LightlessCan was attributed to the Lazarus group. The attackers use the malware as part of the Operation Dreamjob campaign to target employees of an aerospace company located in Spain. The malware is a successor to BlindingCan and is deployed alongside miniBlindingCan (another variant of BlindingCan) via the NickelLoader malware.
Two previously unknown trojans, AtlasAgent and DangerAds, were revealed in attacks by the recently identified AtlasCross hacking gang. These trojans were distributed using phishing lures that claimed to be from the American Red Cross, encouraging users to take part in a "September 2023 Blood Drive." Both Atlas Agent and DangerAds are intended to infect Windows devices.
A new variant of Xenomorph emerged in the threat landscape, adding overlays for multiple crypto wallets, and targeting over 30 banking institutions in the U.S. and Portugal. The malware variant was distributed via phishing pages posing as Chrome updates, which also propagated LummaC2 Stealer and RisePro Stealer at different time periods.
Chinese hacking group Earth Lusca was discovered using a new Linux backdoor, SprySOCKS, in a campaign targeting government agencies in multiple countries. The malware borrows much of its source code from the Trochilus open-source Windows backdoor. The structure of SprySOCK’s C2 protocol is similar to the one used by the RedLeaves backdoor.
The new Sandman APT group was identified using a new modular backdoor named LuaDream to target telecom service providers in Europe and Asia. The malware utilizes the LuaJIT platform to propagate on targeted organizations’ systems. According to SentinelOne, it shares similarities with another malware named DreamLand.
A previously unseen variant of MidgeDropper was found deploying additional malware payloads on Windows systems. The dropper is deployed via phishing emails that contain two files—”Notice to Work-From-Home groups.pdf” and “062023_PENTING_LIST OF SUPERVISORY OFFICERS WHO STILL HAVE NOT REPORT.pdf.exe”. Recipients are tricked into opening the files that initiate the dropper download.
A new version of the BBTok banking trojan was used to target clients of over 40 Mexican and Brazilian banks in a campaign that employed various file types, including ISO, ZIP, LNK, DOCX, JS, and XLL. The new variant replicates the interfaces of the banking sites and tricks victims into entering 2FA codes to steal payment card details from their bank accounts.
The Budworm APT used a previously unseen variant of SysUpdate backdoor, known as SysUpdate DLL inicore_v2.3.30.dll, to target a Middle Eastern telecommunications organization and an Asian government. The malware provides attackers with various capabilities, such as capturing screenshots, command execution, and service manipulation.
A phishing kit dubbed W3LL Panel served at least 500 cybercriminals in the last 10 months to compromise more than 56,000 Microsoft 365 corporate accounts in the U.S., Australia, and Europe. The phishing kit is used along with 16 other tools that are primarily designed for BEC attacks. Some of these tools include SMTP senders (PunnySender and W3LL Sender), a malicious link stager (W3LL Redirect), a vulnerability scanner (OKELO), an automated account discovery instrument (CONTOOL), and reconnaissance tools.
A new ransomware family, dubbed 3AM, was detected in an attack by a LockBit affiliate who attempted to deploy the ransomware when LockBit was blocked on the targeted network. Written in Rust language, the ransomware gets its name from the fact that it appends encrypted files with the .threeamtime extension.
Symantec’s Threat Hunter Team shared details of an attack where the Redfly threat group used the ShadowPad trojan to compromise the national grid in an Asian country for as long as six months and steal network credentials. The attack is the latest in a series of espionage intrusions against Critical Nation Infrastructure (CNI) targets.

Related Threat Briefings

Jul 1, 2025

Cyware Monthly Threat Intelligence, June 2025

Jun 1, 2025

Cyware Monthly Threat Intelligence, May 2025

May 1, 2025

Cyware Monthly Threat Intelligence, April 2025

Apr 2, 2025

Cyware Monthly Threat Intelligence, March 2025

ETSI has rolled out a new quantum-safe encryption standard featuring Covercrypt, a novel key encapsulation scheme with built-in access controls. By tying decryption permissions to user attributes, Covercrypt delivers speed and post-quantum security. The code caves of GitHub got a cleanup crew courtesy of Microsoft. A sprawling malvertising campaign that snagged nearly a million devices worldwide has been knocked down a peg. The race to outpace quantum threats is officially on. The NCSC has issued guidance to help organizations transition to post-quantum cryptography by 2035, with a focus on NIST-approved algorithms and planned support for critical sectors. A fresh face in the cybercrime underworld is juggling a bag of nasty surprises. EncryptHub is hitting users of QQ Talk, WeChat, Google Meet, and more with trojanized apps and slick multi-stage attacks. Lucid isn’t just phishing - it’s engineering trust through your inbox. This advanced PhaaS platform weaponizes the built-in features of iMessage and RCS to create hyper-realistic scams. A botnet is turning home routers into attack platforms. The Ballista botnet is exploiting an unpatched TP-Link Archer router flaw (CVE-2023-1389) to spread stealthily, using Tor domains and remote command execution to launch DDoS attacks worldwide.

Mar 4, 2025

Cyware Monthly Threat Intelligence, February 2025

Google ramped up its defenses against the quantum threat. The company rolled out quantum-resistant digital signatures in Cloud KMS, following NIST’s post-quantum cryptography standards. Cyber defenders sharpened their tools, this month, and EARLYCROW is the latest weapon against stealthy APT operations. This method detects C2 activity over HTTP(S) using a novel traffic analysis format called PAIRFLOW. PyPI adopted a "dead but not gone" approach to abandoned software with Project Archival, a new system that flags inactive projects while keeping them accessible. Developers will see warnings about outdated dependencies, helping them make smarter security choices and avoid relying on unmaintained code. China’s Salt Typhoon made itself right at home in global telecom networks. The group was caught using JumbledPath, a custom-built spying tool, to infiltrate ISPs in the U.S., Italy, South Africa, and Thailand. Russia’s Sandworm hackers are using pirated software as bait. Their latest attack on Ukrainian Windows users disguises malware inside trojanized KMS activators and fake Windows updates. The CISA flagged major security holes in Microsoft Outlook and Sophos XG Firewall. One flaw allows remote code execution in Outlook, while another exposes firewall users to serious risks. A new payment card skimming campaign turned Stripe’s old API into a weapon. Hackers inserted malicious scripts into checkout pages, validating stolen card details through Stripe before exfiltration. A new malware named Ratatouille is stirring up trouble by bypassing UAC and using I2P for anonymous communications. Spreading through phishing emails and fake CAPTCHA pages, it tricks victims into running an embedded PowerShell script. A new version of ValleyRAT was also spotted, using stealthy techniques to infiltrate systems. Researchers found the malware being spread through fake Chrome downloads.

Feb 10, 2025

Cyware Monthly Threat Intelligence, January 2025

The U.K took a proactive stance on cyber resilience with its Cyber Local initiative, injecting £1.9 million into 30 projects across England and Northern Ireland. The effort focuses on closing the cyber skills gap, fortifying small businesses, and supporting underrepresented groups. India tightened its grip on data privacy with new draft rules designed to give citizens more control over their personal information. The proposed regulations mandate clearer data processing disclosures, stricter security protocols, and swift breach reporting. Hackers turned to SparkRAT, an open-source GoLang RAT, to target macOS users and government entities. Initially released in 2022, its modular design and cross-platform capability have made it a cybercriminal favorite. More than 10,000 WordPress sites were hijacked in a large-scale malware campaign delivering AMOS to macOS users and SocGholish to Windows users. Attackers exploited outdated plugins to inject fake browser update prompts. Lumma Stealer is made its way through GitHub in a new malware campaign that abuses the platform’s release infrastructure. Attackers deployed malware like SectopRAT and Vidar, using secure-looking download links to exfiltrate data while evading detection. Cybercriminals deployed the Coyote banking trojan against financial firms in Brazil, using malicious Windows LNK files to execute PowerShell scripts. This malware established secure connections with C2 servers, enabling keylogging and data theft. A two-year-long phishing campaign targeted Microsoft’s advertising platform users through malicious Google Search ads. A Mirai-based botnet exploited zero-day vulnerabilities in industrial routers and smart home devices. With 15,000 active nodes daily, it launched high-intensity DDoS attacks surpassing 100 Gbps, posing a growing threat across multiple countries.

Jan 3, 2025

Cyware Monthly Threat Intelligence, December 2024

The cloud revolution isn’t just about convenience anymore; it’s now the frontline of defense. With CISA's new directive mandating cloud environment fortification, federal agencies face a race against time to safeguard Microsoft 365 and other services. Meanwhile, proposed updates to the HIPAA security rules push healthcare organizations toward stronger PHI protection with advanced technical controls and detailed incident planning. On the global front, Operation PowerOFF turned the tables on DDoS attackers, dismantling 27 illegal platforms and curbing festive-season chaos. The cyber battlefield sees no intermission as new threats take center stage. A phishing campaign, dubbed Aggressive Inventory Zombies (AIZ), exploited brand trust by mimicking retail giants and crypto platforms. Meanwhile, the resurrected BADBOX botnet has compromised 192,000 Android devices globally, sneaking into supply chains to wreak havoc with ad fraud and account abuse. Adding to the turbulence, Poison Ivy (APT-C-01) resurged, targeting critical sectors with advanced phishing techniques and deploying Sliver RAT to breach systems and steal sensitive data. This month, new threats targeted IoT, banking, and app ecosystems, with threat actors unleashing diverse attacks. Iranian hackers deployed IOCONTROL malware to compromise IoT and OT systems, targeting critical infrastructure like gas stations. Meanwhile, the DroidBot banking malware infiltrates cryptocurrency and banking apps across Europe, leveraging MaaS operations for tailored attacks. Adding to the chaos, SpyLoan malware apps, with over eight million installs, exploited users in South America, Southeast Asia, and Africa, highlighting the escalating risks within app marketplaces. For detailed Cyber Threat Intel, click ‘Read More’.

Dec 4, 2024

Cyware Monthly Threat Intelligence, November 2024

The TSA reshaped the cybersecurity landscape for pipeline and railroad operators with proposed rules mandating incident reporting and risk management plans. Estimated to cost $2.1 billion over the next decade, the rules aimed to address growing cyber threats while balancing flexibility with resilience. Meta dismantled a sprawling web of over two million accounts tied to pig butchering scams in Southeast Asia and the UAE. Africa’s cybercrime ecosystem faced a decisive blow with Operation Serengeti, as over 1,000 suspects were arrested, and 134,000 malicious networks taken offline. TAG-110, a Russia-aligned threat group, launched a cyber-espionage campaign targeting governments and organizations in Asia and Europe. Using malware like HATVIBE and CHERRYSPY, it aimed to monitor geopolitical developments and assert influence. A botnet powered by Ngioweb malware converted 35,000 IoT devices into residential proxies. These compromised devices, found largely in the U.S., were sold on platforms like NSOCKS for malicious purposes. Water Barghest compromised over 20,000 IoT devices by exploiting known vulnerabilities. The group used Shodan to identify targets and deployed Ngioweb malware to connect them to its monetized network. LIMINAL PANDA, a Chinese cyberespionage group, has been targeting telecoms in South Asia and Africa since 2020. Using tools like SIGTRANslator and PingPong, the group exploits telecom protocols to steal critical data while staying undetected. NodeStealer has resurfaced, targeting Facebook Ads Manager accounts to steal credit card details and browser credentials. It uses Windows Restart Manager and Python scripts to execute its attacks, with stolen data sent via Telegram. BabbleLoader, a stealthy malware loader, delivers WhiteSnake and Meduza stealers. Disguised as accounting software, it targets English and Russian speakers, evading antivirus systems with advanced techniques.

Sep 30, 2024