Cyware Weekly Threat Intelligence, February 10–14, 2025
The Good
Cyber defenders are sharpening their tools, and EARLYCROW is the latest weapon against stealthy APT operations. This method detects C2 activity over HTTP(S) using a novel traffic analysis format called PAIRFLOW. India is taking digital banking security up a notch. The RBI is launching a dedicated domain to curb financial fraud and enhance trust in online banking. Starting April 2025, financial institutions will register under this domain.
Researchers at Imperial College London developed EARLYCROW, a new method for detecting APT command-and-control activities over HTTP(S). EARLYCROW identifies malicious network traffic using summaries derived from network packet captures. It introduces a new format called PAIRFLOW, which collects various attributes of network traffic to spot malicious patterns, even in encrypted communications.
The Dutch Police shut down the ZServers/XHost bulletproof hosting operation by taking offline 127 servers used for illegal activities. Authorities in the U.S. , Australia, and the U.K also imposed sanctions on this provider for its role in cybercrime. Zservers was accused of enabling LockBit ransomware attacks and assisting in money laundering. Run by Russian nationals, it supported botnets and malware distribution.
India's central bank, the Reserve Bank of India (RBI), is launching a special bank[.]in internet domain for banks to fight digital financial fraud. This initiative aims to boost security and build trust in digital banking services. The Institute for Development and Research in Banking Technology (IDRBT) will register these domains starting in April 2025. The RBI will also create a "fin[.]in" domain for non-bank financial entities. Additionally, the RBI is introducing Additional Factor of Authentication (AFA) for cross-border online transactions, which requires more than one method to confirm user identity.
A global law enforcement operation, Phobos Aetor, targeting the Phobos ransomware gang resulted in the arrest of two suspected hackers in Phuket, Thailand, and the seizure of dark web sites belonging to the 8Base operation. The suspects, two Russian men, are accused of hacking over 1,000 victims worldwide and extorting $16 million in Bitcoin.
The Bad
China’s RedMike hackers are dialing into telecom networks - literally. Between December 2024 and January 2025, they targeted over 1,000 unpatched Cisco devices. Their primary focus? Global telecoms and university networks in Argentina, Bangladesh, and the U.S. Russia’s Sandworm hackers are using pirated software as bait. Their latest attack on Ukrainian Windows users disguises malware inside trojanized KMS activators and fake Windows updates. Love is in the air, but so are phishing scams. In late January, cybercriminals launched a Valentine’s-themed phishing campaign, offering fake gift baskets in exchange for stolen credentials.
Between December 2024 and January 2025, Recorded Future found a campaign targeting unpatched Cisco network devices used mainly by global telecommunications companies. Researchers linked these activities to a Chinese state-sponsored threat group called RedMike, also known as Salt Typhoon. RedMike exploited two vulnerabilities, CVE-2023-20198 and CVE-2023-20273, to gain unauthorized access and control over the Cisco devices. RedMike attempted to exploit over 1,000 Cisco devices globally, focusing on those connected to telecommunications networks and various universities in countries such as Argentina, Bangladesh, and the U.S.
The Sandworm Russian military cyber-espionage group is attacking Windows users in Ukraine by using trojanized Microsoft Key Management Service (KMS) activators and fake Windows updates. The attackers use a BACKORDER loader to deploy DarkCrystal RAT (DcRAT) malware, connected to previous Sandworm activities. Researchers identified seven malware distribution campaigns with similar tactics. Sandworm exploits the high usage of pirated software in Ukraine to embed malware in common programs.
In late January, Check Point Research found a phishing email campaign offering a Valentine basket. The identical emails had different store names and encouraged recipients to answer questions for a basket, but linked to malicious sites aimed at stealing personal information. The researchers also noted that over 18,000 new Valentine's-related websites were created, a 5% rise from the month before. Among these, 1 in 72 were found to be malicious. There was also a 123% increase in newly registered Valentine’s websites.
Cybersecurity researchers found two malicious ML models on Hugging Face, which used unusual "broken" pickle files to avoid detection. These files contained malicious Python content at the start, creating a reverse shell connection to a specific IP address. This method, called nullifAI, tries to bypass security measures against malicious models. The models are believed to be proof-of-concept rather than part of an active attack. The detected models are in PyTorch format, compressed with 7z, avoiding detection by security tools.
A sophisticated cyberattack abused vulnerabilities in SimpleHelp RMM software. Attackers exploited these bugs to access target networks and deploy the Sliver backdoor. The attack involved fast execution of various tactics, such as discovering the network and creating administrator accounts. It started with a threat actor breaching a SimpleHelp RMM client called JWrapper-Remote Access from an IP address in Estonia, which avoided detection by standard security measures.
Threat actors are targeting IIS servers in Asia to manipulate SEO and install BadIIS malware. This campaign seems financially motivated, redirecting users to illegal gambling sites for profit. The IIS servers affected are in countries like India, Thailand, and Japan, linked to governments, universities, and tech companies. The compromised servers serve altered content, including links to malware and credential harvesting pages. Researchers believe a Chinese-speaking group known as DragonRank is behind the attacks, similar to a group called Group 11. BadIIS can change HTTP response headers and redirect users to illegal gambling sites based on specific search terms.
New Threats
Cybercriminals are upping their game with Astaroth, a phishing kit that doesn’t just steal credentials but also hijacks entire sessions. By using a reverse proxy, Astaroth intercepts logins and 2FA tokens in real time, allowing attackers to bypass security measures undetected. South America’s foreign ministry was caught in the crosshairs of an advanced cyber-espionage campaign. In November 2024, attackers linked to REF7707 deployed the PATHLOADER and FINALDRAFT malware to infiltrate diplomatic networks. A new malware named Ratatouille is stirring up trouble by bypassing UAC and using I2P for anonymous communications. Spreading through phishing emails and fake CAPTCHA pages, it tricks victims into running an embedded PowerShell script.
A new phishing kit named Astaroth is capable of bypassing 2FA through session hijacking and credential interception. Astaroth uses a reverse proxy to manipulate traffic between victims and real authentication services, including Gmail, Microsoft, Yahoo, and AOL. By acting as a middleman, it captures login details and 2FA tokens in real time, making traditional security measures less effective. The kit also includes features such as custom hosting that helps avoid law enforcement interventions. It is mainly distributed via Telegram and cybercrime forums.
Threat hunters discovered a new attack targeting the foreign ministry of an unnamed South American country using custom malware for remote access. Detected in November 2024, this activity is linked to a group called REF7707, which also targeted a telecommunications firm and a university in Southeast Asia. The first executed file, known as PATHLOADER, allows for running encrypted commands from an external server. The injected malware, FINALDRAFT, is a sophisticated remote administration tool that utilizes Microsoft's Outlook for communication and can execute PowerShell commands discreetly.
A newly identified malware called Ratatouille (or I2PRAT) is causing concern due to its clever ways of bypassing UAC and using I2P for anonymous communications. The malware spreads through phishing emails or fake CAPTCHA pages. When a victim runs an embedded PowerShell script, a loader is activated, using advanced techniques to raise privileges and evade defenses. Although it initially exploited a Windows RPC mechanism, recent security patches have needed it to switch to other methods like process migration.
A new Android RAT called BTMOB RAT has been discovered, targeting users through phishing sites. This malware is an upgraded version of SpySolr RAT, focusing on remote control, credential theft, and data exfiltration, posing a serious risk to Android users. BTMOB RAT is spread mainly through fake sites mimicking popular services, like iNat TV and bogus cryptocurrency platforms. A malicious APK named lnat-tv-pro.apk was found on the phishing site hxxps://tvipguncelpro[.]com/. The malware features live screen sharing, file management, audio recording, keylogging, and credential theft via web injections, utilizing Android’s Accessibility Service for control.
A MageCart attack was identified on a Magento-based eCommerce site, where malicious JavaScript was embedded within an HTML tag. The script, hidden in a Base64-encoded image path, activated during checkout to steal credit card details and transmit them to a remote server. Attackers leveraged the “onerror” function to execute the script when an image failed to load, making detection difficult. This technique bypassed security measures and remained unnoticed by users.
A phishing campaign is using fake PDF documents hosted on the Webflow CDN to steal credit card information. The attacker targets users searching for documents on search engines and leads them to malicious PDFs that have an embedded CAPTCHA image linked to a phishing site. Once users complete the CAPTCHA, they are taken to a page with a "download" button but are then prompted to enter personal and credit card details.
A new gang called Triplestrength has been found infecting computers with ransomware and taking over cloud accounts to mine cryptocurrency. Triplestrength has been involved in ransomware attacks since at least 2020, targeting on-premises systems instead of cloud infrastructure. The team has used Windows malware such as LokiLocker, Phobos, and RCRU64, which are leased under a RaaS model. The group also uses tools like Mimikatz and NetScan.
Threat analysts have discovered a new risk: a version of the SystemBC RAT that is now targeting Linux-based systems. The updated SystemBC RAT is designed to be stealthy and hard to detect, using encrypted communication to avoid detection and allow attackers to navigate compromised systems freely. The SystemBC RAT acts as a proxy implant, facilitating lateral movement within a network without needing easily detectable tools. It typically works alongside other malware, raising the risk of ransomware attacks and data theft in Linux environments.
A new cybersecurity threat called FinStealer has emerged, targeting customers of a major Indian bank through fake mobile applications. This malware uses advanced methods to steal sensitive financial and personal information, including banking login details and credit card numbers. It spreads through phishing links and unofficial app stores, mimicking real banking apps to trick users. The goal of this campaign is financial gain through credential theft and unauthorized transactions. Researchers have found connections to a website hosting fake bank apps, enhancing the risks to users.