Cookie Settings

This website uses cookies and similar technologies to provide essential functionality and improve your experience. Some features, such as demo scheduling and chat support, require marketing cookies to function. By clicking "Accept All", you consent to all cookies. Alternatively, you can customize your preferences, but note that declining marketing cookies will limit certain website features.

Cyware Weekly Threat Intelligence - April 15–19

Cyware Weekly Threat Intelligence - April 15–19 - Featured Image

Weekly Threat Briefing Apr 19, 2024

The Good

The week has been blessed with quite a few strides toward a secure cyber landscape. In a significant victory for justice, European police have dismantled the JuicyFields investment fraud scheme, arresting nine and seizing millions. Microsoft is spearheading the fight against email spam with a new policy that introduces a daily limit of 2,000 external recipients for Exchange Online users starting January 2025.

  • European police arrested nine people and seized millions of euros in an operation to dismantle the JuicyFields investment fraud scheme. The scheme, which operated as a Ponzi scheme, targeted 550,000 Europeans by promising high returns from investing in a non-existent cannabis cultivation operation. The ringleaders used social media ads and physical offices to give the illusion of legitimacy.

  • The Five Eyes agencies have released a joint cybersecurity information sheet that offers guidance and recommendations on deploying and operating externally developed AI systems. The document, titled "Deploying AI Systems Securely: Best Practices for Deploying Secure and Resilient AI Systems," provides methodologies for protecting data and AI systems, with a focus on securing the deployment environment, continuously protecting the AI system, and secure AI operation and maintenance.

  • Microsoft is taking steps to combat spam by implementing a daily limit of 2,000 external recipients for Exchange Online users starting in January 2025. This limit will be enforced in two phases, affecting both new and existing tenants. Users exceeding this limit can switch to Azure Communication Services for Email. Additionally, Google has also tightened its spam thresholds and authentication guidelines for bulk email senders, requiring email authentication and responsiveness to unsubscription requests to prevent rejection of emails.

  • Law enforcement from 19 countries, coordinated by Europol, disrupted the LabHost phishing-as-a-service platform. The operation led to the arrest of 37 suspects across the world and the shutdown of LabHost's infrastructure. Despite its user-friendly appearance, the use of LabHost constitutes illegal activity, and law enforcement now possesses a vast amount of data to target malicious users of the platform in ongoing international operations.

The Bad

Alarm bells ring as a deceptive ad for Whales Market appears in Google search results, luring unsuspecting users to a sophisticated phishing site designed to mimic its legitimate counterpart. Cryptocurrency enthusiasts beware: A new, intricate phishing scheme has been uncovered, deploying the FatalRAT trojan along with Clipper and Keylogger malware to target users. A critical zero-day flaw in Palo Alto Networks' PAN-OS software is under active assault by MidnightEclipse, deploying the Python-based UPSTYLE backdoor.

  • A phishing ad for the decentralized OTC trading platform Whales Market is being displayed in Google search results. The ad redirects visitors to a wallet-draining phishing site that replicates the legitimate website, including its trading platform. Once a wallet is connected, malicious scripts drain it of all assets.

  • Researchers uncovered a sophisticated phishing operation targeting cryptocurrency users with the notorious FatalRAT alongside Clipper and Keylogger malware. Employing DLL side-loading tactics, attackers crafted a deceptive website resembling the Exodus wallet interface, primarily targeting Chinese-speaking individuals. Technical analysis revealed a multi-staged attack orchestrating data theft and clipboard manipulation to intercept cryptocurrency transactions.

  • The zero-day flaw disclosed last week in Palo Alto Networks PAN-OS software is under attack by an operation named MidnightEclipse. Threat actors, tracked as UTA0218, utilize a Python-based backdoor named UPSTYLE to create a reverse shell, download tools, pivot into networks, and exfiltrate data. The flaw allows an attacker to execute arbitrary code with root privileges on affected firewalls.

  • The LightSpy iOS espionage campaign has reemerged, targeting Southern Asia, possibly indicating political motives. F_Warehouse, its latest iteration, features extensive spying capabilities, including file theft and audio recording. Evidence suggested Chinese origins, raising concerns about state-sponsored activity. Advanced techniques like certificate pinning enhance its stealth. The hyper-focused attacks pose risks to journalists, activists, and politicians globally.

  • The Blackjack hacker group reportedly unleashed the destructive Fuxnet malware to target one of Moscow's internet providers and a military infrastructure, damaging emergency detection and response systems. This sophisticated malware aimed to disable 87,000 sensors and control systems. Fuxnet was deployed to lock devices, erase filesystems, disable services, and rewrite flash memory, rendering them inoperable. The malware's final objective was to disrupt sensors by flooding serial channels.

New Threats

Beware gamers and developers: A new information-stealing malware known as Cheat Lab is infiltrating Microsoft's GitHub repository. Disguised as fake game cheat demos, this malware is connected to the Redline family. Researchers identified a cunning malvertising campaign that utilizes typosquatting domains and deceptive Google Ads to push a dangerous new backdoor called MadMxShell. The notorious cybercrime group FIN7 has once again made headlines by targeting a major U.S. car manufacturer with the Anunak backdoor.

  • A new information-stealing malware, disguised as a game cheat called Cheat Lab is being spread through fake demos of cheating tools on Microsoft's GitHub repository. The malware, linked to Redline, promises a free copy if users convince their friends to install it. The malware injects into legitimate processes for stealth, using Lua bytecode to evade detection and take advantage of Just-In-Time (JIT) compilation performance.

  • Zscaler ThreatLabz uncovered a sophisticated malvertising campaign in March, utilizing typosquatting domains and Google Ads to distribute a novel backdoor dubbed MadMxShell. The threat actor registered multiple sites masquerading as legitimate IP and port scanner software programs. Employing DLL sideloading and DNS tunneling for C2 communication, the backdoor evades memory forensics and endpoint security.

  • The financially motivated group FIN7 employed the Anunak backdoor to target a leading U.S. car manufacturer. The attack utilized spear-phishing tactics, luring high-level IT personnel with a counterfeit Advanced IP Scanner tool. Through a multi-stage process, the malicious executable 'WsTaskLoad.exe' deployed the Anunak backdoor, enabling persistent access by installing OpenSSH, and created a scheduled task.

  • An Android malware campaign, tracked as eXotic Visit by cybersecurity firm ESET, has been actively targeting users in South Asian countries since November 2021. Operating under the name Virtual Invaders, the campaign distributed malware via dedicated websites and the Google Play Store. Downloaded apps also include code from the open-source Android XploitSPY RAT which could gather sensitive data from infected devices.

  • Juniper Networks published multiple advisories detailing more than a hundred vulnerabilities in Junos OS, Junos OS Evolved, and other products. Patches were released for over 80 bugs, including critical issues in Junos cRPD and Cloud Native Router. Additionally, high-severity flaws, such as information leaks and denial-of-service vulnerabilities, were addressed in Paragon Active Assurance Control Center and Junos OS.

  • The FBI warned about a widespread SMS phishing campaign targeting Americans with fraudulent messages claiming unpaid road toll fees. The scam, which started in March 2024, has already affected thousands of individuals across multiple states. The malicious texts contain links disguised as state toll service websites, aiming to trick recipients into clicking and providing personal information.

  • A flaw in TP-Link Archer AX21 router models is being exploited by multiple botnet operators, such as Moobot, Miori, and AGoent (a Gafgyt Variant), found FortiGuard Labs. The vulnerability enables unauthenticated command injection through the web management interface, allowing attackers to execute arbitrary code. Various botnets utilize different infection tactics, such as fetching script files, establishing connections with C2 servers, and launching DDoS attacks.

  • The TA558 hacking group launched a new campaign called SteganoAmor, with over 320 attacks impacting multiple sectors across different countries. The attackers exploit the CVE-2017-11882 flaw in Microsoft Office. The group uses long chains of tools and malware, including AgentTesla, FormBook, Remcos, LokiBot, Guloader, SnakeKeylogger, and XWorm. The attackers use compromised legitimate FTP servers for C2, and SMTP servers for C2 and phishing. The group also uses legitimate services to store malware strings and images with embedded malicious code.

  • WithSecure researchers uncovered a new backdoor, Kapeka, attributed to the Russian nation-state group Sandworm. Used in espionage campaigns across Eastern and Central Europe since the Russia-Ukraine conflict, Kapeka facilitates intelligence collection and potential sabotage, including ransomware attacks and modular payload execution. The malware bears similarities to GreyEnergy, indicating Sandworm's involvement.

  • A recent investigation by Sophos X-Ops delves into a new trend in the cybercrime landscape: the emergence of junk gun ransomware. Drawing parallels to cheap, unreliable firearms from the past, this ransomware is independently produced, inexpensive, and sold as a one-time purchase. Unlike typical ransomware-as-a-service models, these variants lack complex infrastructure and corporate-like hierarchies.

  • Microsoft warned of a series of chained vulnerabilities in the OpenMetadata platform on Kubernetes clusters, allowing Chinese hackers to execute code and install cryptomining software remotely. The flaws, including CVE-2024-28255 and CVE-2024-28847, affect versions before 1.3.1. Attackers left a plea for victims not to remove the malware, citing financial hardship. The attack sequence involves reconnaissance, exploitation, and installation of cryptomining software.

Related Threat Briefings

Feb 14, 2025

Cyware Weekly Threat Intelligence, February 10–14, 2025

Cyber defenders are sharpening their tools, and EARLYCROW is the latest weapon against stealthy APT operations. This method detects C2 activity over HTTP(S) using a novel traffic analysis format called PAIRFLOW. India is taking digital banking security up a notch. The RBI is launching a dedicated domain to curb financial fraud and enhance trust in online banking. Starting April 2025, financial institutions will register under this domain. China’s RedMike hackers are dialing into telecom networks - literally. Between December 2024 and January 2025, they targeted over 1,000 unpatched Cisco devices. Their primary focus? Global telecoms and university networks in Argentina, Bangladesh, and the U.S. Russia’s Sandworm hackers are using pirated software as bait. Their latest attack on Ukrainian Windows users disguises malware inside trojanized KMS activators and fake Windows updates. Love is in the air, but so are phishing scams. In late January, cybercriminals launched a Valentine’s-themed phishing campaign, offering fake gift baskets in exchange for stolen credentials. Cybercriminals are upping their game with Astaroth, a phishing kit that doesn’t just steal credentials but also hijacks entire sessions. By using a reverse proxy, Astaroth intercepts logins and 2FA tokens in real time, allowing attackers to bypass security measures undetected. South America’s foreign ministry was caught in the crosshairs of an advanced cyber-espionage campaign. In November 2024, attackers linked to REF7707 deployed the PATHLOADER and FINALDRAFT malware to infiltrate diplomatic networks. A new malware named Ratatouille is stirring up trouble by bypassing UAC and using I2P for anonymous communications. Spreading through phishing emails and fake CAPTCHA pages, it tricks victims into running an embedded PowerShell script.

Feb 7, 2025

Cyware Weekly Threat Intelligence, February 03–07, 2025

PyPI is taking a "dead but not gone" approach to abandoned software with Project Archival, a new system that flags inactive projects while keeping them accessible. Developers will see warnings about outdated dependencies, helping them make smarter security choices and avoid relying on unmaintained code. The U.K is bringing earthquake-style metrics to cybersecurity with its new Cyber Monitoring Centre, designed to track digital disasters as precisely as natural ones. Inspired by the Richter scale, the CMC will quantify cyber incidents based on financial impact and affected users, offering clearer insights for national security planning. Kimsuky is back with another phishing trick, this time using fake Office and PDF files to sneak forceCopy malware onto victims' systems. Its latest campaign delivers PEBBLEDASH and RDP Wrapper by disguising malware as harmless shortcuts, ultimately hijacking browser credentials and sensitive data. Hackers have found a new way to skim credit card data - by hiding malware inside Google Tag Manager scripts. CISA is flagging major security holes in Microsoft Outlook and Sophos XG Firewall, urging agencies to patch them before February 27. One flaw allows remote code execution in Outlook, while another exposes firewall users to serious risks. Bitcoin scammers are switching tactics, swapping static images for video attachments in MMS to make their schemes more convincing. A recent case involved a tiny .3gp video luring victims into WhatsApp groups where scammers apply pressure to extract money or personal data. XE Group has shifted from credit card skimming to zero-day exploitation, now targeting manufacturing and distribution companies. A new version of ValleyRAT is making the rounds, using stealthy techniques to infiltrate systems. Morphisec found the malware being spread through fake Chrome downloads from a fraudulent Chinese telecom site.

Jan 10, 2025

Cyware Weekly Threat Intelligence, January 06–10, 2025

The U.K is fortifying its digital defenses with the launch of Cyber Local, a £1.9 million initiative to bridge cyber skills gaps and secure the digital economy. Spanning 30 projects across England and Northern Ireland, the scheme emphasizes local business resilience, neurodiverse talent, and cybersecurity careers for youth. Across the Atlantic, the White House introduced the U.S. Cyber Trust Mark, a consumer-friendly cybersecurity labeling program for smart devices. Overseen by the FCC, the initiative tests products like baby monitors and security systems for compliance with rigorous cybersecurity standards, ensuring Americans can make safer choices for their connected homes. China-linked threat actor RedDelta has ramped up its cyber-espionage activities across Asia, targeting nations such as Mongolia, Taiwan, Myanmar, and Vietnam with a modified PlugX backdoor. Cybercriminals have weaponized trust by deploying a fake PoC exploit tied to a patched Microsoft Windows LDAP vulnerability. CrowdStrike reported a phishing operation impersonating the company, using fake job offers to lure victims into downloading a fraudulent CRM application. Once installed, the malware deploys a Monero cryptocurrency miner. A new Mirai-based botnet, dubbed Gayfemboy, has emerged as a formidable threat, leveraging zero-day exploits in industrial routers and smart home devices. With 15,000 active bot nodes daily across China, the U.S., and Russia, the botnet executes high-intensity DDoS attacks exceeding 100 Gbps. In the Middle East, fraudsters are posing as government officials in a social engineering scheme targeting disgruntled customers. Cybercriminals have weaponized WordPress with a malicious plugin named PhishWP to create realistic fake payment pages mimicking services like Stripe. The plugin not only captures payment details in real time but also sends fake confirmation emails to delay detection.

Dec 20, 2024

Cyware Weekly Threat Intelligence, December 16–20, 2024

In a digital age where borders are blurred, governments are sharpening their strategies to outpace cyber adversaries. The draft update to the National Cyber Incident Response Plan (NCIRP) introduces a comprehensive framework for managing nationwide cyberattacks that impact critical infrastructure and the economy. Meanwhile, the fiscal year 2025 defense policy bill, recently approved by the Senate, emphasizes strengthening cybersecurity measures both at home and abroad. A deceptive health app on the Amazon Appstore turned out to be a Trojan horse for spyware. Masquerading as BMI CalculationVsn, the app recorded device screens, intercepted SMS messages, and scanned for installed apps to steal sensitive data. Malicious extensions targeting developers and cryptocurrency projects have infiltrated the VSCode marketplace and NPM. Disguised as productivity tools, these extensions employed downloader functionality to deliver obfuscated PowerShell payloads. The BADBOX botnet has resurfaced, compromising over 192,000 Android devices, including high-end smartphones and smart TVs, directly from the supply chain. Industrial control systems are facing heightened risks as malware like Ramnit and Chaya_003 targets engineering workstations from Mitsubishi and Siemens. Both malware families exploit legitimate services, complicating detection and mitigation efforts in ICS environments. The Chinese hacking group Winnti has been leveraging a PHP backdoor called Glutton, targeting organizations in China and the U.S. This modular ELF-based malware facilitates tailored attacks across industries and even embeds itself into software packages to compromise other cybercriminals. A tax-themed phishing campaign, dubbed FLUX#CONSOLE, is deploying backdoor payloads to compromise systems in Pakistan. Threat actors employ phishing emails with double-extension files masquerading as PDFs.

Dec 13, 2024

Cyware Weekly Threat Intelligence, December 09–13, 2024

Cybercrime’s web of deception unraveled in South Korea as authorities dismantled a fraud network responsible for extorting $6.3 million through fake online trading platforms. Dubbed Operation Midas, the effort led to the arrest of 32 individuals and the seizure of 20 servers. In a significant move to combat surveillance abuses, the U.S. defense policy bill for 2025 introduced measures to shield military and diplomatic personnel from commercial spyware threats. The legislation calls for stringent cybersecurity standards, a review of spyware incidents, and regular reporting to Congress. The subtle art of deception found a new stage with a Microsoft Teams call, as attackers used social engineering to manipulate victims into granting remote access. By convincing users to install AnyDesk, they gained control of systems, executing commands to download the DarkGate malware. Russian APT Secret Blizzard has resurfaced and used the Amadey bot to infiltrate Ukrainian military devices and deploy their Tavdig backdoor. In a phishing spree dubbed "Aggressive Inventory Zombies (AIZ)," scammers impersonated brands like Etsy, Amazon, and Binance to target retail and crypto audiences. Surveillance has reached unsettling new depths with the discovery of BoneSpy and PlainGnome, two spyware families linked to the Russian group Gamaredon. Designed for extensive espionage, these Android malware tools track GPS, capture audio, and harvest data. A new Android banking trojan has already caused havoc among Indian users, masquerading as utility and banking apps to steal sensitive financial information. With 419 devices compromised, the malware intercepts SMS messages, exfiltrates personal data via Supabase, and even tricks victims into entering details under the pretense of bill payment. Iranian threat actors have set their sights on critical infrastructure, deploying IOCONTROL malware to infiltrate IoT and OT/SCADA systems in Israel and the U.S.

Dec 6, 2024

Cyware Weekly Threat Intelligence, December 02–06, 2024

NIST sharpened the tools for organizations to measure their cybersecurity readiness, addressing both technical and leadership challenges. The two-volume guidance blends data-driven assessments with managerial insights, emphasizing the critical role of leadership in applying findings. The Manson Market, a notorious hub for phishing networks, fell in a sweeping Europol-led takedown. With over 50 servers seized and 200TB of stolen data recovered, the operation spanned multiple countries, including Germany and Austria. Russian APT group BlueAlpha leveraged Cloudflare Tunnels to cloak its GammaDrop malware campaign from prying eyes. The group deployed HTML smuggling and DNS fast-fluxing to bypass detection, targeting Ukrainian organizations with precision. Earth Minotaur intensified its surveillance operations against Tibetan and Uyghur communities through the MOONSHINE exploit kit. The kit, now updated with newer exploits, enables the installation of the DarkNimbus backdoor on Android and Windows devices. Cloudflare Pages became an unwitting ally in the sharp rise of phishing campaigns, with a staggering 198% increase in abuse cases. Cybercriminals exploited the platform's infrastructure to host malicious pages, fueling a surge from 460 incidents in 2023 to over 1,370 by October 2024. DroidBot has quietly infiltrated over 77 cryptocurrency exchanges and banking apps, building a web of theft across Europe. Active since June 2024, this Android malware operates as a MaaS platform, enabling affiliates to tailor attacks. Rockstar 2FA, a phishing platform targeting Microsoft 365 users, has set the stage for large-scale credential theft. With over 5,000 phishing domains launched, the platform is marketed on Telegram. The Gafgyt malware is shifting gears, targeting exposed Docker Remote API servers through legitimate Docker images, creating botnets capable of launching DDoS attacks.

Nov 15, 2024

Cyware Weekly Threat Intelligence - November 11–15

As cyber threats to critical infrastructure surge, the TSA has proposed formal rules for pipeline and railroad operators, while the World Economic Forum introduced a new framework to enhance public-private collaboration against cybercrime. These efforts highlight the urgency of uniting resources and governance to fortify cybersecurity resilience on all fronts. This week, several emerging threats highlighted the diversity of attack tactics. The new Glove Stealer exploits browser encryption to pilfer cookies and crypto wallets, whereas the Lazarus group’s RustyAttr trojan targets macOS users using the Tauri framework. A Chinese threat actor, SilkSpecter, was found scamming online shoppers via 4,695 fake domains, impersonating popular brands to steal credit card details during Black Friday hunts. This week, several emerging threats highlighted the diversity of attack tactics. The new Glove Stealer exploits browser encryption to pilfer cookies and crypto wallets, whereas the Lazarus group’s RustyAttr trojan targets macOS users using the Tauri framework. A Chinese threat actor, SilkSpecter, was found scamming online shoppers via 4,695 fake domains, impersonating popular brands to steal credit card details during Black Friday hunts.

Sep 20, 2024

Cyware Weekly Threat Intelligence - September 16–20

The Good German law enforcement has dealt a double blow to cybercriminals, first by dismantling infrastructure used by the Vanir Locker ransomware group. In a separate operation, they took down 47 cryptocurrency exchanges used for illegal money

Sep 13, 2024

Cyware Weekly Threat Intelligence - September 09–13

The Good The U.K government has elevated data centers to a new level of importance, officially designating them as critical national infrastructure - ensuring these digital fortresses get the protection and support they need during crises. Choo

Sep 6, 2024

Cyware Weekly Threat Intelligence - September 02–06

The Good As cyber threats loom larger than ever, the White House released a comprehensive roadmap to secure the Border Gateway Protocol (BGP), a key component of internet routing. The initiative focuses on implementing Resource Public Key Infra

Aug 30, 2024

Cyware Weekly Threat Intelligence - August 26–30

The Good In response to the rising tide of cyber threats, organizations and governments are stepping up their efforts to protect critical infrastructure and personal data. NASA's Katherine Johnson IV&V Facility expanded its mission to include c

Aug 23, 2024

Cyware Weekly Threat Intelligence - August 19–23

The Good With global cyber threats on the rise, over a dozen cyber authorities have endorsed new guidance to set baseline standards for logging and threat detection. This guidance aims to enhance cybersecurity monitoring, helping to prevent inc