Cyware Weekly Threat Intelligence, April 14–18, 2025

The U.S. is drawing a hard line on data outflows. The DOJ’s new Data Security Program aims to block foreign adversaries, specifically nations like China and Russia, from acquiring sensitive American data through commercial channels. SSL certificates are about to expire a lot faster. In a move to tighten digital trust, the CA/Browser Forum has approved a gradual reduction in certificate lifespans - from the current 398 days to just 47 by 2029.

One email, three stages, and no files to catch. Agent Tesla is being deployed through spam campaigns that use archive attachments with embedded JavaScript. They look like browser helpers, but they act like spyware. A set of 57 Chrome extensions have been found snooping on users. XorDDoS is now compromising Docker servers and deploying new features tied to a “VIP” variant. Most of the recent activity is hitting U.S. infrastructure.

UNC5174 is keeping a low profile, but its targets aren’t. Active since late 2024, the Chinese state-linked group has been compromising Linux systems using a malicious bash script that drops SNOWLIGHT malware and a fileless VShell RAT. A wine-tasting invite with a side of malware. APT29, the Russian state-aligned group, is targeting European diplomatic networks with phishing lures disguised as event announcements.

The Good

• The DOJ launched the Data Security Program to prevent foreign adversaries, particularly designated "countries of concern" like China and Russia, from commercially purchasing sensitive U.S. data. The program prohibits unauthorized transactions, such as data brokerage, involving bulk personal (genomic, biometric, health, financial) and government-related data transfers to these nations. This initiative aims to counter espionage, surveillance, and data misuse by adversaries. 

• To enhance digital security, the CA/Browser Forum has voted to drastically shorten SSL/TLS certificate lifespans. Currently valid for up to 398 days, the maximum validity will drop incrementally: to 200 days by March 2026, 100 days by 2027, and finally 47 days by March 2029. This reduces the time attackers can exploit compromised certificates and encourages certificate management automation and crypto-agility, aiding quantum-readiness. 

• The CISA has extended funding to MITRE to ensure continuity of the Common Vulnerabilities and Exposures (CVE) program, avoiding a potential lapse in critical services. CISA announced the 11-month extension on April 16, utilizing an existing option period in the $57.8 million contract and ensuring the CVE program's continuity until at least March 16, 2026.

• Prodaft has launched a unique initiative called SYS, offering to purchase user accounts on five prominent cybercrime-focused dark web forums: XSS, Exploit in, RAMP4U, Verified, and Breachforums. The program encourages users looking to leave cybercrime to sell their accounts. While Prodaft guarantees seller anonymity, it states that the purchased accounts will be reported to its law enforcement partners for transparency. 

The Bad

• Researchers have identified malicious spam campaigns distributing Agent Tesla malware through multi-stage attacks. The attack begins with emails carrying archive attachments containing a JavaScript file. This file downloads a PowerShell script, which subsequently loads and executes the Agent Tesla malware directly into system memory, bypassing traditional file-based antivirus detection. The malware further evades scrutiny by injecting itself into legitimate running processes. 

• A set of 57 Chrome extensions, impacting six million users, have been found with risky capabilities like monitoring browsing behavior, accessing cookies, and potentially running remote scripts. Many of these extensions are 'hidden' (unlisted) and share obfuscated code linked to the domain "unknow[.]com", potentially evading detection while being pushed via ads. Despite claiming legitimate functions, they have excessive permissions and are considered potential spyware. While some have been removed from the Chrome Web Store following the report, others persist, posing a significant security risk. 

• XorDDoS malware, a long-standing threat targeting Linux systems for DDoS attacks, is experiencing a significant resurgence and now also compromises Docker servers. The activity has surged since 2020, with over 71% of attacks from late 2023 to early 2025 directed at the U.S. The primary infection vector remains SSH brute-force attacks. Once installed, XorDDoS ensures persistence and uses a hardcoded XOR key to decrypt its C2 configuration. The appearance of a new "VIP" version and builder tools in 2024 suggests commercial distribution, likely by Chinese-speaking operators.

• Microsoft is warning about an ongoing malvertising campaign, active since October 2024, that uses Node.js to deliver info-stealing malware. Lures related to cryptocurrency trading trick users into installing fake software containing a malicious DLL. This initial payload sets up persistence via scheduled tasks, which then use PowerShell scripts to download Node[.]js and compiled JavaScript. The malware gathers extensive system information, exfiltrates it, and likely steals browser data. An alternate infection uses the "ClickFix" social engineering trick and inline JavaScript executed via Node[.]js for network discovery and persistence, disguising C2 traffic to evade detection.

• In a recent campaign, the Chinese APT Mustang Panda deployed an updated ToneShell backdoor, enhancing its payload execution capabilities and using a modified FakeTLS protocol for C&C communication to evade detection. Newly observed tools include StarProxy, designed for lateral movement by proxying traffic over FakeTLS; two keyloggers, Paklog (logs keystrokes/clipboard locally) and Corklog (encrypts data, sets persistence); and the SplatCloakdriver. Delivered via SplatDropper, SplatCloak specifically identifies and disables Windows Defender and Kaspersky defenses. 

• CloudSEK uncovered a phishing campaign where threat actors mimicked the legit pdfcandy[.]com site to distribute malware. Users were tricked into running a PowerShell command, triggering the download of a ZIP payload containing ArechClient2, an advanced SectopRAT variant. This info-stealer harvests sensitive data and leverages MSBuild for stealthy execution. The attack combined fake captchas, UI cloning, and redirection chains. 

• The North Korean hacking group, Slow Pisces, has been linked to a malicious campaign targeting cryptocurrency developers. The group engages with developers on LinkedIn, posing as potential employers and sending malware disguised as coding challenges. This malware, named RN Loader and RN Stealer, infects the developers' systems. The multi-stage attack chain involves sending a malicious payload only to validated targets, likely based on IP address, geolocation, time, and HTTP request headers. This information stealer harvests sensitive information from infected Apple macOS systems.

New Threats

• Sysdig uncovered a new campaign by Chinese state-linked group UNC5174, active since late 2024. The group used a malicious bash script to deliver the SNOWLIGHT malware and fileless VShell RAT via domain-squatting-based infrastructure. UNC5174 targeted Linux systems, using WebSockets for stealthy C2. Their techniques, victims, and infrastructure pointed to espionage and access brokering, with operations traced back to November 2024.

• Check Point Research uncovered a phishing campaign by Russian APT29, targeting European diplomatic entities using fake wine-tasting event invites. The attackers impersonated a European foreign ministry and used a new loader, GRAPELOADER, to deploy a variant of their WINELOADER backdoor. GRAPELOADER handled fingerprinting, persistence, and payload delivery, while the updated WINELOADER acted as a modular backdoor. Both shared stealth techniques and obfuscation methods. 

• A new RAT dubbed GYware is causing widespread concern among cybersecurity professionals and researchers. The malware, advertised as the "best of 2025" by its creator, is currently being sold on a popular hacker forum for $35 per month. GYware's alarming features include advanced self-spreading capabilities, full undetectability, and a web-based management panel that allows cybercriminals to remotely control infected devices.

• A new cyberattack campaign, active since March, has been using Microsoft Teams chats to infiltrate Windows PCs with malware, primarily targeting the finance and professional services sectors. This attack, linked to the Storm-1811 group known for deploying the Black Basta ransomware, begins with attackers impersonating internal IT support staff via Microsoft Teams. They target high-level employees, often during late afternoons, and coax them into launching a remote support session using Windows’s built-in Quick Assist tool. The malware deploys a heavily obfuscated PowerShell backdoor, which sends a unique identifier to the attackers via a Telegram bot, signaling successful infection and opening a persistent channel for C2.