Cyware Weekly Threat Intelligence, August 25–29, 2025

The Good
From cryptocurrency scams to software vulnerabilities, recent global efforts showcase robust responses to sophisticated cyber threats. Cryptocurrency firms, including Chainalysis, Binance, OKX, and Tether, froze $46.9 million in funds stolen through Southeast Asia-based "romance baiting" scams that targeted victims with fake investment schemes. Meanwhile, CISA introduced the new "Software Acquisition Guide: Supplier Response Web Tool" to help organizations build cybersecurity into their procurement processes and address software supply chain vulnerabilities.
The FBI and Dutch Police shut down VerifTools, a major marketplace for fake IDs, seizing servers in Amsterdam and the domain veriftools.net. The platform, generating an estimated $6.4 million in illegal proceeds, sold counterfeit documents for bypassing identity verification, aiding crimes like bank fraud and phishing. Authorities seized two physical and 21 virtual servers, with ongoing investigations potentially leading to arrests.
Cryptocurrency firms Chainalysis, Binance, OKX, and Tether collaborated to freeze $46.9 million in funds stolen through "romance baiting" scams, also known as pig butchering. Chainalysis identified wallets linked to a Southeast Asia-based operation, where scammers groomed victims on dating sites before defrauding them with fake investment schemes. Tether froze the funds in June 2024 after transferring findings to an APAC law enforcement agency.
CISA launched the "Software Acquisition Guide: Supplier Response Web Tool" to enhance security in software procurement. This free, interactive platform helps IT leaders, procurement officers, and vendors integrate cybersecurity into the acquisition process. Built on CISA's Software Acquisition Guide, it offers tailored questions and exportable summaries, and supports secure-by-design principles. With over 10,000 users of the original guide, the tool addresses rising software supply chain vulnerabilities and promotes resilient procurement practices.
The Bad
Posing as a golden ticket from the Bangladesh Education Board, SikkahBot is preying on students with fake scholarship lures. Active since July 2024, this Android malware grabs high-risk permissions to intercept SMS and steal financial data. A data theft campaign attributed to UNC6395 targeted Salesforce instances via compromised OAuth tokens linked to the Salesloft Drift app, exfiltrating sensitive credentials. Blind Eagle's shadow looms over Colombia, with five activity clusters unleashing RATs and phishing on government sectors from May 2024 to July 2025.
SikkahBot is an Android malware campaign that has been active since July 2024, specifically targeting students in Bangladesh. Disguised as applications from the Bangladesh Education Board, it lures victims with false promises of scholarships, coercing them into sharing sensitive personal and financial information. Once installed, SikkahBot requests high-risk permissions, including Accessibility Service and SMS access, enabling it to intercept bank-related messages and execute unauthorized transactions. The malware is distributed through shortened links, likely circulated via smishing attacks, and maintains low detection rates on VirusTotal. As it evolves, newer variants exhibit enhanced automation features, demonstrating the ongoing development by threat actors.
Google Threat Intelligence Group has identified a widespread data theft campaign, attributed to the actor UNC6395, targeting Salesforce customer instances through compromised OAuth tokens associated with the Salesloft Drift third-party application. Between August 8 and August 18, 2025, the actor exfiltrated large volumes of data from numerous corporate Salesforce instances, primarily seeking credentials such as AWS access keys and Snowflake-related access tokens. In response, Salesloft and Salesforce have revoked all active access tokens with the Drift application and removed it from the Salesforce AppExchange.
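After a token compromise like the one above, a defender's first question is whether the affected Salesforce data itself contained secrets that are now in the actor's hands and need rotating. The following Python is an added example, not code from Google, Salesloft or Salesforce: it scans constructed case records for the credential types the summary names. The AWS access key ID format is public AWS documentation; the secret-key, Snowflake-host and inline-password heuristics are assumptions made for illustration.

```python
import re
from collections import Counter
from typing import Dict, List

# Credential patterns. The AWS access key ID format (AKIA/ASIA + 16 uppercase
# alphanumerics) follows AWS documentation; the secret-key, Snowflake-host and
# password heuristics are assumptions chosen for this example, not a vetted signature set.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(r"(?i)aws[_-]?secret[^\n]{0,20}?[:=]\s*[A-Za-z0-9/+=]{40}\b"),
    "snowflake_account_host": re.compile(r"(?i)\b[a-z0-9_-]+\.snowflakecomputing\.com\b"),
    "inline_password": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*\S+"),
}

def mask(value: str) -> str:
    """Keep a short prefix so analysts can triage without re-copying the secret."""
    return value[:6] + "*" * max(len(value) - 6, 0)

def find_exposed_secrets(records: Dict[str, Dict[str, str]]) -> List[Dict[str, str]]:
    """Scan every text field of every record; one hit per match, value masked."""
    hits = []
    for record_id, fields in records.items():
        for field, text in fields.items():
            for kind, pattern in PATTERNS.items():
                for m in pattern.finditer(text or ""):
                    hits.append({"record": record_id, "field": field, "kind": kind, "match": mask(m.group(0))})
    return hits

def summarize(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count hits per credential type, e.g. to decide which keys to rotate first."""
    return dict(Counter(h["kind"] for h in hits))

# Constructed sample: three Salesforce-style case records, two of which contain secrets
# pasted into free-text fields (the AWS values are AWS's published example credentials).
SAMPLE_CASES = {
    "500A1": {"Subject": "Login problems", "Description": "Customer cannot reach the portal since Monday."},
    "500A2": {"Subject": "S3 sync failing", "Description": "Tried AKIAIOSFODNN7EXAMPLE with aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY, still 403."},
    "500A3": {"Subject": "Warehouse access", "Description": "Connect to acme-eu1.snowflakecomputing.com, password: Winter2025!"},
}

if __name__ == "__main__":
    for hit in find_exposed_secrets(SAMPLE_CASES):
        print(hit)
    print(summarize(find_exposed_secrets(SAMPLE_CASES)))
```

In practice the records would come from a Bulk API export of the objects the integration could read, and every hit is a credential to rotate regardless of whether exfiltration of that record can be proven.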
A campaign exploiting VS Code extensions revealed a loophole in the VS Code Marketplace, allowing attackers to reuse names of previously removed packages to distribute ransomware. The malicious extension “shiba” executed a multi-stage attack, encrypting files and demanding ransom in Shiba Inu tokens, though no payment wallet address was provided. The loophole arises because removed extensions free up their names for reuse, contradicting VS Code Marketplace's documentation stating extension names must be unique. Attackers repeatedly used the name-reuse tactic from late 2024 to mid-2025.
The Underground ransomware gang has been conducting targeted attacks against various companies globally, including those in South Korea, since July 2023. Utilizing a sophisticated encryption process that combines random number generation, AES symmetric encryption, and RSA asymmetric encryption, the malware ensures that decryption is impossible without the corresponding RSA private key. The gang conducts thorough reconnaissance to select specific targets, breaching systems prior to deploying customized ransomware. By deleting shadow copies and restricting remote desktop connections, the malware prevents recovery efforts. It selectively encrypts files based on their size, employing a stripe method for larger files, while excluding certain folders and file types to avoid system damage.
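The recovery-inhibition steps in the summary (shadow-copy deletion followed by restricting remote desktop) are visible in process command lines before any file is encrypted, which makes them a useful early detection. The following Python is an added example, not code from any vendor report: it runs simple rules over constructed process-creation log lines and flags hosts where both stages appear. The fDenyTSConnections rule is an assumption about how the RDP restriction looks on the host, since the summary does not name the mechanism.

```python
import re
from collections import defaultdict

# Rules over process command lines. The three shadow-copy rules cover the usual
# vssadmin / wmic / Win32_ShadowCopy deletion commands; the fDenyTSConnections rule is
# an assumption about how "restricting remote desktop connections" looks on the host,
# since the summary does not name the mechanism.
RULES = [
    ("shadow_copy_deletion", re.compile(r"(?i)vssadmin(?:\.exe)?\s+delete\s+shadows")),
    ("shadow_copy_deletion", re.compile(r"(?i)wmic(?:\.exe)?\s+shadowcopy\s+delete")),
    ("shadow_copy_deletion", re.compile(r"(?i)win32_shadowcopy.*?\bdelete\b")),
    ("rdp_restriction", re.compile(r"(?i)fDenyTSConnections\b.*?(?:/d|-Value)\s+1\b")),
]

def parse_line(line: str) -> dict:
    """Extract host and command line from one constructed key=value log line."""
    host = re.search(r"\bhost=(\S+)", line)
    cmd = re.search(r'cmdline="(.*)"$', line)  # greedy, so quotes inside the command survive
    return {"host": host.group(1), "cmdline": cmd.group(1)} if host and cmd else {}

def detect(lines: list[str]) -> list[dict]:
    """One alert per command line that matches a rule; the first matching rule wins."""
    alerts = []
    for line in lines:
        event = parse_line(line)
        for category, pattern in RULES:
            if event and pattern.search(event["cmdline"]):
                alerts.append({**event, "category": category})
                break
    return alerts

def hosts_with_both(alerts: list[dict]) -> list[str]:
    """Hosts showing both stages; the combination is a far stronger signal than either alone,
    because admins legitimately clear shadow copies or toggle RDP on their own."""
    seen = defaultdict(set)
    for alert in alerts:
        seen[alert["host"]].add(alert["category"])
    return sorted(h for h, cats in seen.items() if {"shadow_copy_deletion", "rdp_restriction"} <= cats)

# Constructed sample: FS01 shows the full pre-encryption pattern; WS22 shows benign
# helpdesk activity (re-enabling RDP with /d 0) and a lone shadow-copy cleanup.
LOG_LINES = [
    r'2025-08-20T03:14:02Z host=FS01 user=SYSTEM cmdline="vssadmin.exe list shadows"',
    r'2025-08-20T03:14:07Z host=FS01 user=SYSTEM cmdline="vssadmin.exe delete shadows /all /quiet"',
    r'2025-08-20T03:14:09Z host=FS01 user=SYSTEM cmdline="wmic.exe shadowcopy delete"',
    r'2025-08-20T03:14:20Z host=FS01 user=SYSTEM cmdline="reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f"',
    r'2025-08-20T09:02:11Z host=WS22 user=helpdesk cmdline="reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f"',
    r'2025-08-20T09:05:40Z host=WS22 user=helpdesk cmdline="powershell.exe Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"',
]
```

Running `hosts_with_both(detect(LOG_LINES))` returns only `FS01`; the WS22 activity produces a low-severity alert but not the combined pattern.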
Cybersecurity researchers have identified five distinct activity clusters linked to the threat actor Blind Eagle, which has targeted Colombian government entities from May 2024 to July 2025. These attacks employed various tactics, including RATs and phishing lures, primarily aimed at local, municipal, and federal levels. Blind Eagle's operations reflect both cyber espionage and financially motivated activities, with significant focus on sectors such as judiciary, education, and healthcare. Attack chains often utilized spear-phishing emails impersonating government agencies to deliver malicious documents. The group leveraged compromised email accounts and dynamic DNS services to obscure their infrastructure. Notably, they employed well-known RATs like Lime RAT and AsyncRAT, indicating a persistent and evolving threat landscape in the region, with a majority of their activities concentrated in Colombia.
Seventy-seven malicious Android apps with over 19 million installs were removed from Google Play after a discovery by Zscaler's ThreatLabz. These apps primarily delivered adware, with Joker malware being the most prevalent, affecting nearly 25% of the analyzed applications. Joker can steal sensitive information, send texts, and subscribe users to premium services. Another variant, Harly, hides its malicious payload within seemingly legitimate apps like games and photo editors. The Anatsa banking trojan has also evolved, expanding its target list to 831 banking and cryptocurrency apps while using advanced evasion techniques. Its latest campaign has shifted from remote code loading to direct payload installation, employing malformed APKs to evade detection.
A China-nexus threat actor known as UNC6384 has been linked to a series of sophisticated attacks targeting diplomats in Southeast Asia and beyond. Utilizing advanced social engineering techniques, the group employs valid code signing certificates and AitM attacks to deliver PlugX malware. The attack begins with a captive portal redirect, leading victims to download a malicious executable disguised as an Adobe Plugin update, called STATICPLUGIN. This downloader retrieves a malicious MSI package that deploys the SOGU.SEC backdoor in memory. The operation leverages legitimate-looking websites and HTTPS connections to trick users, showcasing the evolving capabilities of UNC6384. The malware is signed by Chengdu Nuoxin Times Technology Co., Ltd, with numerous samples linked to Chinese cyber activities dating back to early 2023.
Android.Backdoor.916.origin is a sophisticated malware disguised as an antivirus application linked to Russia's FSB, specifically targeting business executives. This multifunctional backdoor allows attackers to execute commands, conduct surveillance, and steal sensitive information, including chats, browser data, and live audio/video streams. The malware is distributed through private messages under the guise of a legitimate security app named "GuardCB," which mimics real antivirus tools to avoid detection. Upon installation, it requests extensive permissions, granting attackers full control over the device. The malware exploits the Accessibility Service to log keystrokes and extract data from popular applications like Telegram and WhatsApp.
New Threats
Click Studios is sounding the alarm on a dangerous flaw in its Passwordstate password manager. This authentication bypass lets attackers access the admin section via a crafted URL. Truesec uncovered a cybercrime campaign distributing a trojanized "AppSuite PDF Editor" via Google ads, installing "TamperedChef" malware that steals credentials and web cookies. The Sangoma FreePBX Security Team has warned about an actively exploited zero-day vulnerability in FreePBX servers with the Administrator Control Panel (ACP) exposed to the internet.
ESET has discovered PromptLock, the first AI-driven ransomware that utilizes OpenAI’s gpt-oss:20b model to generate and execute malicious Lua scripts for scanning, stealing, and encrypting files on multiple platforms, including Windows, Linux, and macOS. This ransomware employs the SPECK 128-bit encryption algorithm and has been identified as a work-in-progress, with a potential data destruction feature that has not yet been implemented.
A new malware campaign is exploiting Indonesia's state pension fund, TASPEN, by deploying a malicious Android application disguised as an official portal. Targeting pensioners and civil servants, this combined banking trojan and spyware abuses legacy system vulnerabilities to steal sensitive data, including banking credentials and biometric information. The operation begins with a phishing website that tricks victims into downloading the APK, employing advanced evasion tactics to avoid detection. The malware, packed with DEX encryption, unpacks at runtime and uses various services to intercept one-time passwords and monitor user activity. Communication with command-and-control servers occurs through encrypted channels, and the operation shows potential links to Chinese-speaking threat actors. This attack not only threatens individual financial security but also undermines public trust in Indonesia's digital ecosystem.
A zero-day vulnerability in FreePBX, identified as CVE-2025-57819, poses a significant threat to systems with exposed administrator control panels. This vulnerability, which has a maximum CVSS score of 10.0, allows unauthenticated users to access the FreePBX Administrator, leading to potential arbitrary database manipulation and remote code execution. Exploitation began on or before August 21, 2025, affecting FreePBX versions 15, 16, and 17. Attackers have exploited insufficient IP filtering and access control lists to gain unauthorized access, eventually seeking root-level control. The Sangoma FreePBX Security Team has confirmed active exploitation in the wild, with evidence of backdoors being installed post-compromise.
Mosyle revealed a new Mac malware strain called JSCoreRunner, which evades detection and spreads through a fake PDF conversion site, fileripple[.]com. The malware operates in two stages: "FileRipple.pkg," a signed package now blocked by macOS, and "Safari14.1.2MojaveAuto.pkg," an unsigned package that bypasses Gatekeeper protections. JSCoreRunner hijacks Chrome browser settings, redirecting searches to fraudulent sites, enabling phishing attacks, and facilitating data theft. The malware modifies Chrome profiles, hides crash logs, and avoids detection while targeting search engine settings.
Truesec has identified a large cybercrime campaign promoting a trojanized PDF editor called "AppSuite PDF Editor" through Google advertising. The malicious PDF Editor.exe file installs an information-stealing malware dubbed "TamperedChef," which harvests sensitive data, including credentials and web cookies. The campaign began on June 26, 2025, and the malicious capabilities were activated on August 21, 2025. The threat actor has used digital certificates from various companies to sign the malware.
A new phishing campaign is exploiting fake voicemails and purchase orders to distribute the UpCrypter malware loader, primarily targeting sectors such as manufacturing, technology, healthcare, and retail since August 2025. Cybersecurity researchers have noted that the campaign uses deceptive emails containing malicious URLs leading to convincing phishing pages. These pages entice victims to download JavaScript files that serve as droppers for UpCrypter, which then delivers RATs such as PureHVNC and DCRat. The infection chain begins with phishing emails designed to appear legitimate, prompting users to download seemingly harmless files. UpCrypter employs advanced techniques, including steganography and anti-analysis measures, to evade detection and minimize forensic traces.