Cyware Weekly Threat Intelligence, February 17–21, 2025
The Good
Google is stepping up its defenses against the quantum threat. The company is rolling out quantum-resistant digital signatures in Cloud KMS, following NIST’s post-quantum cryptography standards. Supply chain attacks just got harder to pull off. Apiiro has released two open-source tools to detect malicious code in software projects. With high detection rates across PyPI and npm packages, these tools add a crucial layer of security for developers.
Google has announced its plan to implement NIST’s new post-quantum cryptography standards by adding quantum-resistant digital signature support to its Cloud KMS. The new PQC feature is now in preview as software-based, customer-managed encryption keys. This enhancement allows customers to perform PQC migrations and ensures that quantum computers cannot decrypt the new digital signatures. To aid organizations in adapting to these standards, Google is releasing open-source implementations through its crypto libraries BoringCrypto and Tink.
Apiiro's security researchers have introduced two open-source tools to detect and prevent malicious code in software projects, aiming to mitigate supply chain attacks. The first tool is a comprehensive ruleset for Semgrep and Opengrep, designed to identify harmful code patterns with low false positives. The second tool, PRevent, is a GitHub-integrated scanner that detects and alerts on suspicious code in pull requests. The ruleset boasts a 94.3% detection accuracy for PyPI packages and 88.4% for npm packages, while PRevent successfully flags 91.5% of malicious pull requests.
The Bad
China’s Salt Typhoon is making itself at home in global telecom networks. The group has been caught using JumbledPath, a custom-built spying tool, to infiltrate ISPs in the U.S., Italy, South Africa, and Thailand. ShadowPad malware is once again causing havoc in Europe. Trend Micro flagged 21 targeted companies across 15 countries, with manufacturing firms bearing the brunt. A RAT is hiding in plain sight. SectopRAT has been spotted disguised as a fake Google Docs Chrome extension. It steals browser data, targets VPNs and cryptocurrency wallets, and injects malicious scripts into web pages.
The China-linked cyber espionage group, Salt Typhoon, has been using a custom-built utility called JumbledPath to spy on U.S. telecommunication providers, according to a report by Cisco Talos researchers. The group has breached multiple telecom networks, including ISPs in the U.S. and Italy, a U.K-affiliated U.S. telecom, and providers in South Africa and Thailand. The group has also manipulated network settings and used JumbledPath to remotely capture packets, clear logs, and exfiltrate encrypted data.
Trend Micro detected a series of cybersecurity incidents in Europe involving the Shadowpad malware, which is associated with various Chinese threat actors. The malware targeted at least 21 companies across 15 countries, with more than half of the targets being in the manufacturing industry. In some cases, the threat actor also deployed ransomware from an unreported family. The threat actors gained access through remote network attacks, exploiting weak passwords and bypassing multi-factor authentication mechanisms. The malware is modular and has been updated with features such as anti-debugging techniques, encryption of the payload in the registry, and usage of DNS over HTTPS.
SectopRAT, also known as Arechclient2, is an advanced RAT built with the .NET framework. It uses sophisticated obfuscation techniques, making it hard to detect. Recently, it was found disguised as a legitimate Google Chrome extension named Google Docs, improving its stealth and data theft capabilities. It employs a calli obfuscator that complicates analysis, concealing its main functions. Researchers found it can steal browser data, profile systems, target applications like VPNs and game launchers, and scan for cryptocurrency wallets. It communicates with its C2 server through encrypted channels on specific ports. The fake Google Chrome extension injects malicious scripts into web pages and captures sensitive information while pretending to enable offline editing for Google Docs.
Microsoft has released security updates for two critical vulnerabilities affecting Bing and Power Pages. CVE-2025-21355 (CVSS score: 8.6) allows unauthorized attackers to execute code on Microsoft Bing, while CVE-2025-24989 (CVSS score: 8.2) involves improper access control in Power Pages, allowing elevation of privileges. Microsoft has confirmed that the vulnerabilities have been exploited, but does not provide details on the attacks.
The Ghost ransomware group has been exploiting software and firmware vulnerabilities as recently as January, according to an alert from the FBI and CISA. This group, also known as Cring and operating from China, targets internet-facing services with unpatched issues. They have compromised organizations in over 70 countries, including China. Vulnerabilities include unpatched Fortinet appliances, Adobe ColdFusion servers, and exposed Microsoft Exchange servers. Victims have included critical infrastructure, schools, healthcare, and small businesses. Ghost typically spends only days on victim networks, using common hacking tools and malware.
The threat actors UNC5792 and UNC4221 have been identified as two Russian cyber-espionage groups targeting Signal, focusing on individuals likely involved in sensitive military and government communications related to the war in Ukraine. Currently, this activity seems confined to persons of interest to Russia's intelligence services. UNC5792 uses malicious QR codes in invitations to Signal groups, while UNC4221 employs a phishing kit mimicking a military app to deceive users. Google also mentions that similar tactics have been directed at Telegram and WhatsApp, where Russian groups, including Star Blizzard, have targeted accounts of government officials.
ASEC has observed an increase in the distribution of the ACRStealer info-stealer, which is often disguised as illegal software such as cracks and keygens. This malware uses a technique called Dead Drop Resolver (DDR) to obtain the actual C2 domain address, with Google Docs being a common intermediary C2 platform. The malware targets various data including browser data, cryptocurrency wallet files, and VPN information, which are then transmitted to the C2.
CloudSEK found a large-scale Search Engine Poisoning (SEP) campaign that targets Indian government, educational, and financial websites. This attack misleads users by changing search engine rankings, redirecting them to scam sites related to rummy and investments. More than 150 Indian government portals are impacted. The attack involves various black-hat SEO tactics in this campaign, such as manipulating referrer headers, cloaking, keyword stuffing, and exploiting system vulnerabilities. A notable tactic includes redirecting users based on their device type, with malicious scripts embedded in government sites determining these redirects. Mobile users might be sent to rummy scam sites, while desktop users may receive error pages.
New Threats
Darcula Suite is taking PhaaS to the next level. The upcoming update, currently in beta, will let users generate their own phishing kits by cloning real websites and customizing attack elements. A new payment card skimming campaign is turning Stripe’s old API into a weapon. Hackers are injecting malicious scripts into checkout pages, validating stolen card details through Stripe before exfiltration. LummaC2 is spreading through cracked software downloads again. ASEC found it disguised as a pirated Total Commander installer, hiding behind Google Collab Drive and Reddit links.
The Darcula PhaaS platform is set to release its third major version, Darcula Suite, currently in beta, which features a do-it-yourself phishing kit generator. This new feature allows users to target any brand by cloning legitimate sites and customizing phishing elements. The upcoming release also offers a user-friendly admin dashboard, IP and bot filtering, campaign performance measurement, and automated credit card theft/digital wallet loading, among other features.
A new, highly sophisticated payment card skimming campaign has been discovered, which exploits Stripe's deprecated API to verify card details before stealing them, ensuring only valid information is taken while maintaining a normal user experience to evade detection. The attack begins with a compromised first-party script that uses two known malicious domains as initial distribution points for the skimming payload. The attack is notable for its selective validation process, which intercepts legitimate payment form submissions, creates a perfect visual replica of the Stripe payment elements, validates captured card data through Stripe’s API before exfiltration, and maintains the original purchase flow to avoid detection.
ASEC has discovered a new distribution method for the LummaC2 malware, which is disguised as a cracked version of the Total Commander file management tool for Windows. The malware is distributed through a series of page transitions on Google Collab Drive and Reddit, with the attack specifically targeting users looking to download cracked software. The malware is heavily obfuscated and compressed using NSIS and AutoIt scripts. When executed, it infects the system with LummaC2. The malware is primarily disguised as illegal programs such as cracks and serials, and when a system is infected, sensitive information such as browser-stored account credentials and email credentials are sent to the threat actor's C&C server.
A new ransomware called NailaoLocker has been found in attacks on European healthcare organizations from June to October 2024. These attacks used a vulnerability in Check Point Security Gateway (CVE-2024-24919) to access networks and deploy ShadowPad and PlugX malware, linked to Chinese state-sponsored threat groups. NailaoLocker is considered basic because it doesn't shut down security processes and lacks advanced evasion techniques.The malware is delivered through DLL sideloading and encrypts files with the AES-256-CTR method.
A new, advanced version of the Snake Keylogger malware has been discovered, which has led to over 280 million blocked infection attempts globally. The malware is primarily spread through phishing emails with malicious links or attachments, collects data by capturing keystrokes and extracting credentials from popular browsers, and transmits this data to C2 servers via encrypted channels. It also uses AutoIt scripting to bypass antivirus. The threat is global, with the highest concentrations of infection reported in China, Turkey, Indonesia, Taiwan, and Spain.
Trend Micro spotted a new Earth Preta campaign that has been using a tool called Microsoft Application Virtualization Injector to inject malicious payloads into a program called waitfor.exe when ESET antivirus is detected. The attack drops multiple files, including both legitimate and malicious programs, and uses a fake PDF to mislead the victim. The malware, which is a modified version of a backdoor called TONESHELL, is disguised as a legitimate Electronic Arts application and connects with a command-and-control server to send out data.
The China-linked threat actor known as Winnti started a new campaign called RevivalStone that targeted Japanese companies in manufacturing, materials, and energy sectors in March 2024. The latest attack chain exploited an SQL injection vulnerability in an ERP system to drop web shells and deliver an improved version of the Winnti malware. The intrusion was expanded to breach a managed service provider and propagate the malware further. The new Winnti malware has been updated with obfuscation, updated encryption algorithms, and evasion by security products.
Proofpoint discovered a new malware campaign that distributes a new Apple macOS malware called FrigidStealer. This campaign is attributed to a previously undocumented threat actor known as TA2727, which also distributes malware for other platforms such as Windows and Android. The malware campaign targets users based on their geography or device, serving different payloads accordingly. FrigidStealer is installed on macOS devices and requires users to explicitly launch the unsigned app to bypass Gatekeeper protections. It then steals sensitive information from web browsers, Apple Notes, and cryptocurrency related apps.