Cyware Weekly Threat Intelligence, July 21–25, 2025
The Good
The BlackSuit ransomware crew just lost its home turf. As part of Operation Checkmate, international law enforcement has seized the group’s dark web extortion and negotiation sites. New York is taking aim at cyber threats to its water systems. A newly proposed set of regulations outlines mandatory IT and OT cybersecurity measures for water and wastewater infrastructure, aligning with federal guidelines and introducing funding to support modernization across the state.
Law enforcement agencies have successfully seized the dark web extortion sites associated with the BlackSuit ransomware operation as part of Operation Checkmate. This coordinated effort involved multiple authorities, including the U.S. Homeland Security Investigations, the Secret Service, and Europol, among others. The takedown included not only the main extortion sites but also negotiation platforms used to extract ransoms from victims. BlackSuit, which has undergone several rebrandings, is believed to be linked to over 350 attacks globally since September 2022, resulting in ransom demands exceeding $500 million.
A network of ATM fraudsters responsible for approximately €580,000 ($681,360) in profits has been dismantled by law enforcement agencies in Romania and the U.K, with support from Europol and Eurojust. Following extensive investigations, two coordinated raids were executed, resulting in two arrests and the seizure of luxury cars, real estate, electronic devices, and cash. The fraudsters employed the Transaction Reversal Fraud (TRF) method, which involves canceling ATM transactions just before cash is dispensed, allowing them to extract money illicitly.
New York has proposed new cybersecurity regulations for water and wastewater systems to enhance their resilience against rising cyber threats. These regulations include specific OT security requirements from the Department of Health and the Department of Environmental Conservation, alongside IT security measures from the Department of Public Service. The rules aim to align with federal guidelines and establish a funding program to assist water systems in modernizing their cybersecurity infrastructure. Public comments on the proposals are open until September 2025, with compliance deadlines set for January 2026 and January 2027.
The Bad
Not every scam needs sophistication; sometimes all it takes is a lonely heart and a convincing profile picture. SarangTrap, a massive mobile spyware campaign, is luring victims on Android and iOS through fake dating apps. Storm-2603 is slipping through SharePoint’s cracks and locking the doors behind it. The suspected China-based threat group is exploiting two SharePoint vulnerabilities to deploy Warlock ransomware. A trusted source turned treacherous. Hackers launched a supply chain attack on Arch Linux by slipping malware into three AUR packages. These packages silently deployed a RAT that gave attackers persistent control over infected machines.
A large-scale malware campaign, named SarangTrap, uses fake dating and social networking apps to steal sensitive personal data on Android and iOS platforms. The apps mimic legitimate services, employing emotionally manipulative tactics like fake profiles and invitation codes to lure victims. Once installed, the apps exfiltrate data such as contacts, images, SMS content, and device identifiers to attacker-controlled servers. Over 250 malicious Android apps and 88 phishing domains have been linked to the campaign, with some indexed by search engines to appear credible.
A threat actor known as Fire Ant has been targeting VMware ESXi and vCenter environments in a sophisticated cyber espionage campaign, leveraging vulnerabilities such as CVE-2023-34048 and CVE-2023-20867. This group, linked to the China-based UNC3886, demonstrates advanced capabilities by establishing persistent control over compromised systems, extracting credentials, and deploying backdoors. Fire Ant's tactics include bypassing network segmentation, deploying unregistered virtual machines, and tampering with logging processes to evade detection.
Storm-2603, a suspected China-based threat actor, is actively exploiting vulnerabilities in SharePoint to deploy Warlock ransomware on unpatched systems. The attacks leverage CVE-2025-49706, a spoofing vulnerability, and CVE-2025-49704, an RCE vulnerability, enabling initial access through a web shell payload. Once inside, the threat actor executes commands using the w3wp.exe process to validate privileges and disable Microsoft Defender protections. Storm-2603 employs techniques such as creating scheduled tasks and modifying IIS components to ensure persistent access. Credential harvesting is conducted using Mimikatz, while lateral movement is achieved with tools like PsExec. The campaign has already compromised at least 400 victims, with connections to other Chinese hacking groups like APT27 and APT31.
Two cyber campaigns, Operation GhostChat and Operation PhantomPrayers, targeted the Tibetan community around the Dalai Lama's 90th birthday. These campaigns were attributed to a China-nexus APT group. Attackers compromised legitimate websites and redirected users to malicious sites, distributing malware such as Ghost RAT and PhantomNet backdoors through multi-stage infection chains. Operation GhostChat involved a fake webpage mimicking tibetfund[.]org, tricking users into downloading a backdoored version of the Element messaging app. Operation PhantomPrayers used a malicious application disguised as "prayer check-in" software, employing social engineering and advanced encryption techniques.
Wiz Research identified the Soco404 cryptomining campaign, which exploits vulnerabilities across cloud environments to deploy platform-specific malware. Attackers disguise malicious activity using techniques like process masquerading and persistence mechanisms such as cron jobs and shell initialization files. Payloads are embedded in fake 404 HTML pages hosted on compromised websites, including those built using Google Sites. The campaign targets PostgreSQL instances, leveraging their COPY ... FROM PROGRAM functionality to achieve remote code execution. Attackers use automated scans and various tools (e.g., wget, curl, PowerShell) to exploit entry points and deliver payloads.
Hackers executed a supply chain attack targeting Arch Linux users by injecting malicious packages into the Arch User Repository (AUR). Three compromised packages—librewolf-fix-bin, firefox-patch-bin, and zen-browser-patched-bin—were uploaded, containing RAT that allowed attackers to gain persistent remote access to infected systems. The malware was designed to execute silently during installation, which enabled extensive system control without user awareness. The breach remained undetected for approximately 46 hours before the Arch Linux security team identified and removed the malicious packages.
Cisco has reported that three critical remote code execution vulnerabilities in the Cisco ISE are actively being exploited. These vulnerabilities, identified as CVE-2025-20281, CVE-2025-20282, and CVE-2025-20337, allow unauthenticated attackers to execute arbitrary commands, upload malicious files, and gain root access through specially crafted API requests. All three vulnerabilities carry a maximum severity rating with a CVSS score of 10.0, making them particularly attractive targets for hackers seeking unauthorized access to corporate networks.
New Threats
A browser tweak here, a fake mod there, and suddenly your crypto wallet spills its secrets. In a new campaign, the Scavenger trojan exploits DLL Search Order Hijacking to infiltrate password managers and wallets. A new RaaS group called Chaos is conducting high-impact ransomware campaigns through a number of tactics, using remote management tools for long-term access. Mimo is getting stealthier and greedier. The financially motivated group has moved from targeting Craft CMS to Magento, exploiting PHP-FPM vulnerabilities to deploy malware via fileless techniques.
A new malware campaign involving the Scavenger trojan targets crypto wallets and password managers by exploiting DLL Search Order Hijacking. This technique allows attackers to introduce malicious files disguised as legitimate components, enabling them to extract sensitive information from applications like MetaMask, Exodus, and Bitwarden. The trojan is distributed through fake game mods and browser vulnerabilities, employing a multi-stage loader chain. Once activated, it manipulates browser security features, disables sandboxing, and alters popular extensions to harvest data such as mnemonic phrases and stored passwords. The malware also targets the Exodus wallet, leveraging DLL hijacking to access private keys and other critical information, all while evading detection by checking for virtual environments.
Coyote malware has emerged as a significant threat by exploiting Microsoft’s UI Automation (UIA) framework to steal credentials from Brazilian users linked to 75 banking institutions and cryptocurrency exchanges. This marks the first confirmed instance of UIA abuse in the wild, allowing Coyote to parse UI elements of applications to identify sensitive information. During its infection process, Coyote collects detailed victim data, including financial services used, by comparing active window titles and utilizing UIA to access sub-elements when no direct match is found.
A new Linux malware named Koske uses AI and polyglot files to deploy cryptocurrency miners via seemingly benign JPEG images of panda bears. Koske exploits misconfigured JupyterLab instances for initial access and uses images that contain both valid JPEG headers and malicious scripts. The malware executes two payloads: a C-based rootkit compiled in memory and a shell script for persistence and stealth. It adapts to host resources, evaluating CPU/GPU to optimize mining for 18 different cryptocurrencies, switching to backups if needed. Researchers suspect Koske was developed using LLMs or automation frameworks due to its advanced adaptability.
Chaos is a new RaaS group conducting big-game hunting and double extortion attacks, using spam flooding, voice-based social engineering, and RMM tools for persistent access. The ransomware employs multi-threaded selective encryption, anti-analysis techniques, and targets both local and network resources. Victims are primarily in the U.S., with fewer cases in the U.K, New Zealand, and India, and Chaos avoids targeting BRICS/CIS countries, hospitals, and government entities. Chaos is actively promoted in Russian-speaking dark web forums and offers cross-platform compatibility for Windows, ESXi, Linux, and NAS systems. The ransomware uses unique encryption keys for files, rapid encryption speeds, and automated panels for managing targets and communications.
The cybercriminal group Mimo has shifted from Craft CMS to Magento CMS, employing advanced techniques for persistence and evasion. Mimo exploits PHP-FPM vulnerabilities in Magento installations, using tools like GSocket and disguised scripts for persistence. Fileless execution via memfd_create() syscall allows malware to operate without disk storage, enhancing stealth. Docker infrastructure is targeted via misconfigured APIs, with malware propagating laterally by brute-forcing SSH access and extracting keys. Mimo employs cryptojacking (Monero mining) and proxyjacking (IPRoyal Pawns proxyware) for dual monetization strategies. Mimo targets AWS environments by attempting SSH connections using hard-coded usernames, including "ec2-user."
ACRStealer is an infostealer that exploits Google Docs and Steam for C2 communications using the Dead Drop Resolver (DDR) technique. It has recently been modified with enhanced detection evasion and analysis obstruction techniques. The malware employs the Heaven’s Gate technique to evade detection and uses low-level NT functions for C2 communication, bypassing library-based monitoring. Some samples use legitimate domain names as disguise host addresses, potentially misleading monitoring tools. Recent variants have introduced random string paths for C2 communication and switched from GET to POST methods for requesting configuration data. ACRStealer has been rebranded as AmateraStealer, with ongoing updates making it one of the most active infostealer malware variants.
Four new Android spyware samples linked to Iran's Ministry of Intelligence and Security (MOIS) have emerged, disguised as VPN apps, targeting WhatsApp data, audio/video recordings, and sensitive files. The spyware, attributed to the MuddyWater espionage group, reflects Iran's evolving surveillance tactics amid Middle Eastern tensions. Researchers identified these samples shortly after the Iran-Israel conflict began, with distribution methods including Telegram channels, phishing emails, and messaging apps.
A critical vulnerability (CVE-2025-54309) in CrushFTP servers affects at least 10,000 instances globally, allowing remote attackers to gain admin access via HTTPS. The flaw involves AS2 validation mishandling and impacts servers without the DMZ proxy feature. CrushFTP disclosed the vulnerability on July 18, assigning it a CVSS score of 9, and urged users to update to fixed versions (11.3.4_26 and 10.8.5_12).