Cyware Weekly Threat Intelligence, August 04–08, 2025
In the wake of recent cyberattacks, the US federal judiciary is locking down sensitive court documents with a fortified approach to cybersecurity. Courts nationwide are enforcing stricter access controls, monitored handling procedures, and a mandatory IT security “scorecard” for annual self-assessments to pinpoint vulnerabilities. DARPA is raising the stakes at DEF CON, pitting seven AI-powered cyber reasoning systems against each other to secure the open-source software underpinning critical infrastructure. These autonomous tools, designed to detect and patch vulnerabilities in code vital to water systems and financial institutions, analyzed 7.8 million lines in preliminary rounds, catching 59% of synthetic flaws and uncovering real ones.
Akira ransomware is striking with surgical precision, exploiting a suspected zero-day flaw in SonicWall SSL VPN devices, even those fully patched. Since mid-July 2025, attackers have used Virtual Private Server logins to bypass MFA, hitting multiple targets in rapid succession. A stealthy Python-based PXA Stealer is sweeping across 62 countries, pilfering sensitive data from unsuspecting victims. This infostealer campaign has exfiltrated hundreds of thousands of passwords and more. Phishing emails disguised as court summons are delivering a malicious payload to Ukrainian government and defense sectors, courtesy of UAC-0099.
A cunning Android RAT, PlayPraetor, is sweeping through six countries, already compromising over 11,000 devices with its deceptive tactics. It masquerades as legitimate apps via fake Google Play Store pages and Meta Ads. ClickTok is luring TikTok Shop users into a trap with a crafty blend of phishing and malware. This global campaign deploys over 10,000 fake TikTok websites and 5,000 malicious apps, impersonating TikTok’s e-commerce platforms to steal cryptocurrency wallet credentials. Ghost Calls, a new evasion tactic, is turning Zoom and Microsoft Teams into covert channels for malicious activity, slipping past traditional defenses with ease.
The Good
The US federal judiciary has implemented several measures to enhance cybersecurity for sensitive court documents following recent cyberattacks on its case management system. Courts nationwide have adopted more rigorous procedures to restrict access to sensitive documents, ensuring they are handled under carefully controlled and monitored circumstances. The judiciary has also introduced a mandatory IT security “scorecard” for courts to conduct annual self-assessments, identifying vulnerabilities and strengthening defenses. Centralized services, including nationally managed firewalls, vulnerability scanning, patch management, and enterprise hosting, have been expanded to improve security and manageability.
The Defense Advanced Research Projects Agency (DARPA) is set to host a competition at DEF CON in Las Vegas to evaluate seven finalist teams’ AI-powered cyber reasoning systems, designed to autonomously detect and patch vulnerabilities in open-source software critical to infrastructure like water systems and financial institutions. These systems address the inherent risks of open-source tools, whose publicly available code makes them susceptible to exploitation, potentially impacting public health and safety. In preliminary rounds, teams analyzed 7.8 million lines of code, identifying 59% of synthetic vulnerabilities and patching 43%, while also uncovering real vulnerabilities. The competition, inspired partly by a Chinese hacking campaign targeting U.S. telecommunications, requires teams to open-source their systems to promote widespread adoption. With a prize pool of $4 million for first, $3 million for second, and $1.5 million for third, winners will be announced next Friday.
The Bad
CISA has mandated that all FCEB agencies address a critical vulnerability in Microsoft Exchange, tracked as CVE-2025-53786, by Monday morning. This flaw affects Microsoft Exchange Server 2016, 2019, and the Subscription Edition, allowing attackers with administrative access to on-premises servers to attack cloud environments, potentially leading to complete domain compromise. The vulnerability exploits a shared trust relationship in hybrid configurations, making detection difficult, especially since cloud-based logging may not capture malicious activities originating from on-premises servers. This issue follows previous guidance and a hotfix released by Microsoft in April.
VexTrio Viper, a malicious ad tech group, has been discovered developing fake applications that masquerade as VPNs, spam blockers, and device monitoring tools on official app stores. These apps, published under various developer names, trick users into signing up for hard-to-cancel subscriptions while inundating them with ads and harvesting personal information. VexTrio operates sophisticated traffic distribution services to redirect users to scam sites, leveraging compromised websites and cloaked links. The organization controls both the publishing and advertising aspects of affiliate networks, facilitating a range of fraudulent schemes, including crypto scams. Their operations involve using lookalike domains and cloaking services to obscure their activities, targeting victims based on their device and location, which has contributed to their success in the cybercrime landscape.
Malware disguised as a cryptocurrency exchange is being distributed through Facebook ads, specifically targeting cryptocurrency users. This malware prompts victims to download a malicious file named “installer.msi” from a fake website resembling Binance. Once installed, the malware opens a listening port on the victim's system and communicates with the disguised website to execute various commands. It collects sensitive system information, including browser data and screen captures, using specific parameters. If the system is not virtual, additional PowerShell scripts are executed, allowing further malicious downloads. The malware ultimately performs keylogging and gathers information related to the victim's online activities, posing significant security risks.
CERT-UA issued a warning about cyberattacks by the threat actor UAC-0099, which is targeting Ukrainian government agencies, defense forces, and enterprises in the defense-industrial sector. These attacks utilize phishing emails featuring court summons lures to deliver various malware families, including MATCHBOIL, MATCHWOK, and DRAGSTARE. The infection process involves shortened URLs leading to HTA files that execute obfuscated Visual Basic scripts, ultimately creating scheduled tasks for persistence. MATCHWOK can execute PowerShell commands and transmit results to remote servers, while DRAGSTARE collects sensitive system information and files.
McAfee discovered Android malware targeting Indian banking users, stealing financial data and mining Monero cryptocurrency. The malware impersonates legitimate financial apps and is distributed through phishing websites resembling official banking sites. It employs dropper techniques with multi-stage encryption to evade static detection and analysis. The malware collects sensitive financial information and sends it to attackers while displaying fake interfaces. Hidden cryptomining is triggered remotely via Firebase Cloud Messaging, utilizing XMRig-compatible arguments.
Researchers uncovered an ongoing infostealer campaign using the Python-based PXA Stealer. The campaign has infected systems in over 62 countries, exfiltrating 200,000 passwords, hundreds of credit card records, and millions of browser cookies. The attackers are linked to Vietnamese-speaking cybercriminal circles, monetizing stolen data through a Telegram-powered subscription ecosystem. Delivery methods include sideloading legitimate signed software (e.g., Haihaisoft PDF Reader, Microsoft Word 2013) with concealed malicious DLLs. The malware targets a wide range of browsers, cryptocurrency wallets, VPNs, and applications, as well as specific financial and cryptocurrency-related websites.
Akira ransomware has recently targeted SonicWall SSL VPN devices, exploiting a likely zero-day vulnerability even on fully-patched systems. This surge in attacks began around July 15, with multiple pre-ransomware intrusions occurring in quick succession. Researchers noted that the malicious logins often originated from Virtual Private Server hosting rather than typical broadband networks, indicating a sophisticated approach by the attackers. Since its emergence in March 2023, Akira ransomware has extorted approximately $42 million from over 250 victims, with a notable focus on Italian companies.
Attackers are leveraging link-wrapping services from companies like Proofpoint and Intermedia to disguise phishing links aimed at stealing Microsoft 365 login credentials. By compromising email accounts protected by these services, they are able to create seemingly legitimate URLs that redirect victims to phishing pages. The attackers employed techniques such as URL shortening and fake notifications, including alerts for voicemail or shared Microsoft Teams documents, to entice users into clicking the malicious links. Once clicked, these links lead to fraudulent Microsoft Office 365 login pages designed to harvest user credentials. This method of exploiting link-wrapping features represents a new tactic in the evolving landscape of phishing attacks.
New Threats
A new EDR killer tool, an evolution of EDRKillShifter developed by RansomHub, has been identified in attacks by eight different ransomware gangs. This tool enables operators to disable security products on compromised systems, facilitating the deployment of ransomware without detection. It utilizes a heavily obfuscated binary that is injected into legitimate applications, searching for a digitally signed driver with a random name to execute a BYOVD attack. The malicious driver masquerades as a legitimate file, allowing it to terminate processes and services of various security tools, including those from major vendors like Microsoft Defender and Kaspersky. Evidence suggests that this tool is collaboratively developed among threat groups, with each attack employing different builds, indicating a shared framework rather than a single leaked binary.
GreedyBear is a sophisticated cybercriminal group that has redefined large-scale crypto theft through a coordinated campaign involving over 150 malicious Firefox extensions, nearly 500 malicious executables, and numerous phishing websites. Utilizing a technique known as Extension Hollowing, the group initially uploads seemingly innocuous extensions to build user trust before weaponizing them to capture wallet credentials. Additionally, they distribute a variety of malicious Windows executables, including credential stealers and ransomware, primarily through cracked software sites. The campaign also features scam websites that impersonate legitimate crypto products, deceiving users into revealing sensitive information. All components of this operation are managed from a centralized server, indicating a well-organized infrastructure.
The North Korean state-sponsored Lazarus Group, particularly the Famous Chollima subgroup, has introduced a new Python-based RAT called PyLangGhost. This malware is a reimplementation of the earlier GoLangGhost RAT and employs advanced social engineering tactics to target developers and executives in technology, finance, and cryptocurrency sectors. Attackers orchestrate fake job interviews or business calls, presenting deceptive error messages that prompt victims to execute scripts that grant remote access. The malware's architecture includes various modules for system reconnaissance, file operations, and credential theft, utilizing techniques such as privilege escalation. PyLangGhost establishes persistence through registry keys and communicates with its C2 infrastructure using weak obfuscation methods, posing significant risks to its targets.
Researchers have identified a significant vulnerability in Amazon Elastic Container Service (ECS), dubbed ECScape, which enables privilege escalation and credential theft among tasks on shared EC2 instances. This flaw exploits an undocumented internal protocol and a metadata service, allowing a low-privileged container to hijack IAM credentials from higher-privileged containers on the same host. By impersonating the ECS agent, attackers can harvest credentials for all tasks running on the instance, facilitating lateral movement and the potential for broader control over the cloud environment.
A new tactic known as Ghost Calls exploits TURN servers used by Zoom and Microsoft Teams to facilitate C2 operations. By leveraging legitimate WebRTC credentials, attackers can create a tunnel that disguises malicious traffic as regular video conferencing data. This method allows them to bypass traditional security measures, as the traffic appears to be normal enterprise communication. The open-source tool "TURNt" enables attackers to perform SOCKS proxying, port forwarding, and data exfiltration through these conferencing platforms. Ghost Calls effectively blends into legitimate traffic patterns, making it difficult for security systems to detect unauthorized activities.
A newly discovered Android RAT named PlayPraetor has infected over 11,000 devices, primarily targeting users in Portugal, Spain, France, Morocco, Peru, and Hong Kong. This malware exploits Android's accessibility services to gain remote control and can overlay fake login screens on nearly 200 banking apps and cryptocurrency wallets, facilitating account hijacking. PlayPraetor is distributed through fraudulent Google Play Store pages and Meta Ads, tricking users into downloading malicious APKs. It operates under a Chinese C2 panel and features five variants, each with distinct functionalities, including phishing and full device control. The malware establishes a bidirectional communication channel with its C2 server, allowing real-time commands and data theft, while also livestreaming the infected device's screen.
A new Linux backdoor, dubbed Plague, has been identified by cybersecurity researchers, having evaded detection for over a year. This malicious Pluggable Authentication Module (PAM) allows attackers to bypass system authentication and gain persistent SSH access without raising alarms. Plague features static credentials for covert access and employs advanced techniques to resist analysis, such as anti-debugging and string obfuscation. It enhances its stealth by erasing evidence of SSH sessions, manipulating environment variables, and redirecting command logs to avoid detection. Multiple samples of this malware have been uploaded to VirusTotal since July 2024, indicating ongoing development by unknown threat actors.