Cyware Weekly Threat Intelligence, June 09–13, 2025

The Good
A global sweep just knocked out thousands of malicious command centers. INTERPOL’s Operation Secure led to the dismantling of over 20,000 malicious IPs tied to 69 malware strains across 26 countries. NIST has published new guidance to help organizations put Zero Trust Architecture into action, offering 19 real-world implementations built with industry partners.
INTERPOL dismantled over 20,000 malicious IP addresses linked to 69 malware variants during Operation Secure, conducted between January and April 2025. The operation involved 26 countries and led to the takedown of 79% of identified suspicious IPs, the seizure of 41 servers, over 100 GB of data, and the arrest of 32 suspects. Vietnamese authorities arrested 18 individuals, while Sri Lanka and Nauru saw 12 and 2 arrests respectively. Confiscated items included devices, SIM cards, and $11,500 in cash. Hong Kong authorities identified 117 command-and-control servers used for phishing, fraud, and social media scams, hosted across 89 internet service providers.
NIST has released new guidance for implementing Zero Trust Architecture (ZTA), moving beyond the conceptual framework established in 2020. This publication aims to help organizations address implementation challenges as ZTA adoption increases due to regulatory demands. The guidance includes 19 example implementations developed through collaboration with 24 industry partners, covering various models such as enhanced identity governance, software-defined perimeter, and microsegmentation. It emphasizes the need for customized ZTA solutions tailored to individual organizational environments and clarifies that the mention of commercial technologies does not imply endorsement by NIST.
U.S. legislators introduced a bipartisan Healthcare Cybersecurity Bill to enhance the federal government’s role in preventing and addressing data breaches in the healthcare sector. The bill mandates collaboration between CISA and HHS to improve cybersecurity in the healthcare and public health sectors. Key provisions include real-time cyber threat intelligence sharing, cybersecurity training for healthcare providers, creating a risk management plan, and identifying high-risk assets in the healthcare sector. The bill emphasizes proactive measures like infrastructure building, patient privacy protection, and national security defense.
The Bad
Unpatched IT tools are once again opening the door to ransomware attacks. CISA has warned about vulnerabilities in SimpleHelp RMM software being exploited by groups like Play and DragonForce in double-extortion campaigns. Fog ransomware operators are blurring the line between admin tools and attack chains. In a recent incident, they deployed a mix of open-source and legitimate software to gain persistence and exfiltrate data undetected. Over 20 phishing applications impersonating popular crypto wallets have been found stealing mnemonic phrases to drain users’ funds.
Attackers exploited Discord’s invite system by hijacking expired or deleted invite links, redirecting users to malicious servers. The attack used a fake verification bot and phishing sites to trick users into running harmful commands, downloading malware like AsyncRAT and Skuld Stealer. The malware spread through multi-stage infection chains using trusted services like GitHub and Pastebin to evade detection. Over 1,300 downloads were tracked globally, targeting cryptocurrency users and stealing credentials and wallet data. A parallel campaign targeted gamers, embedding malware in a Trojanized cheat tool for The Sims 4.
CISA issued an advisory regarding ransomware actors exploiting unpatched vulnerabilities in SimpleHelp RMM software, particularly versions 5.5.7 and earlier, which include CVE-2024-57727, a path traversal vulnerability. Since January, these vulnerabilities have been leveraged to compromise customers of a utility billing software provider. The flaw was used in double-extortion attacks by the Play ransomware gang and DragonForce, in which sensitive data was stolen and files encrypted. CISA added CVE-2024-57727 to its KEV Catalog in February. Organizations using SimpleHelp are urged to check their systems for unpatched versions and take appropriate action to secure their networks against potential disruptions and data breaches.
GreyNoise detected a significant coordinated attack on Apache Tomcat Manager interfaces, involving nearly 400 unique IP addresses. The attack included brute force attempts, with 250 IPs engaged in password-guessing attacks and 298 attempting unauthorized logins, far exceeding normal baseline activity. Most of the IPs were classified as malicious, primarily originating from DigitalOcean's infrastructure and spanning multiple countries, including the U.S., the U.K., and Germany. This campaign highlights a troubling trend of reconnaissance activity that often precedes targeted exploitation, particularly given the critical Apache Tomcat remote code execution vulnerability, CVE-2025-24813, which has been actively exploited since March 2025.
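As an added example (not part of the Cyware digest or GreyNoise's tooling), the following detection logic looks for the kind of Tomcat Manager login wave described above by running over constructed access-log lines in Tomcat's default `%h %l %u %t "%r" %s %b` format; the thresholds and the sample IPs (RFC 5737 documentation ranges) are assumptions.

```javascript
// Added example: flag coordinated brute-force activity against /manager
// from Tomcat access logs. Thresholds and sample data are assumptions.
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$/;

// Parse one access-log line; returns null for lines that do not match.
function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// A Manager login failure is a 401/403 on the Manager application's paths.
function isManagerAuthFailure(rec) {
  return rec !== null && rec.path.startsWith("/manager") &&
    (rec.status === 401 || rec.status === 403);
}

// Summarise failures per source IP and decide whether the wave exceeds the
// baseline: how many distinct IPs failed Manager auth, and which of them
// failed repeatedly (password guessing) rather than probing once.
function analyseManagerLogins(lines, { perIpThreshold = 3, baselineDistinctIps = 2 } = {}) {
  const failuresByIp = new Map();
  for (const line of lines) {
    const rec = parseLine(line);
    if (isManagerAuthFailure(rec)) {
      failuresByIp.set(rec.ip, (failuresByIp.get(rec.ip) || 0) + 1);
    }
  }
  const guessingIps = [...failuresByIp]
    .filter(([, n]) => n >= perIpThreshold)
    .map(([ip]) => ip);
  return {
    distinctFailingIps: failuresByIp.size,
    guessingIps,
    coordinated: failuresByIp.size > baselineDistinctIps,
  };
}

// Constructed sample: three probing sources plus one legitimate admin login.
const SAMPLE_LOG = [
  '203.0.113.5 - - [10/Jun/2025:14:02:11 +0000] "GET /manager/html HTTP/1.1" 401 2473',
  '203.0.113.5 - - [10/Jun/2025:14:02:12 +0000] "GET /manager/html HTTP/1.1" 401 2473',
  '203.0.113.5 - - [10/Jun/2025:14:02:13 +0000] "GET /manager/html HTTP/1.1" 401 2473',
  '198.51.100.7 - - [10/Jun/2025:14:02:14 +0000] "GET /manager/html HTTP/1.1" 401 2473',
  '198.51.100.9 - - [10/Jun/2025:14:02:15 +0000] "POST /manager/text/list HTTP/1.1" 403 1234',
  '192.0.2.10 - admin [10/Jun/2025:14:05:00 +0000] "GET /manager/html HTTP/1.1" 200 19212',
  '192.0.2.11 - - [10/Jun/2025:14:05:30 +0000] "GET /index.html HTTP/1.1" 200 11156',
];
```

In production the baseline would come from the host's own history of distinct failing IPs per day rather than a constant.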
A recent cyber campaign has been identified that injects obfuscated JavaScript, known as JSFireTruck, into legitimate websites, redirecting users to malicious content such as malware and phishing pages. This obfuscation technique utilizes a limited set of characters and JavaScript's type coercion to conceal its true purpose, making the code difficult to analyze. Over 269,000 infected webpages were detected between March and April, indicating a widespread infection. The malicious scripts check for referrer sources, primarily targeting visitors from search engines, and deploy iframes to overlay content, facilitating clickjacking and further exploitation.
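The following is an added example, not code from the digest or from the researchers who reported JSFireTruck: it shows the type-coercion trick such obfuscation relies on and a heuristic that flags scripts built almost entirely from that limited character set. The six-character set, the density threshold and the sample scripts are assumptions.

```javascript
// Added example: detect JSFireTruck/JSFuck-style obfuscation, which builds
// arbitrary code from a tiny character set via JavaScript type coercion.
// Character set, threshold and samples are assumptions for illustration.
const COERCION_SET = new Set(["[", "]", "(", ")", "!", "+"]);

// The coercion trick in one expression:
// ![] -> false; false + [] -> "false"; +[] -> 0; "false"[0] -> "f".
function coercedLetter() {
  return (![] + [])[+[]];
}

// Fraction of non-whitespace characters drawn from the coercion set.
function coercionDensity(src) {
  const chars = src.replace(/\s+/g, "");
  if (chars.length === 0) return 0;
  let hits = 0;
  for (const c of chars) if (COERCION_SET.has(c)) hits++;
  return hits / chars.length;
}

// Flag a script when it is long enough to matter and almost entirely made
// of the coercion set; ordinary or minified code never reaches that density.
function looksLikeJsFireTruck(src, minLen = 64, threshold = 0.9) {
  const stripped = src.replace(/\s+/g, "");
  return stripped.length >= minLen && coercionDensity(src) >= threshold;
}

// Constructed samples: one JSFuck-style blob and one ordinary snippet.
const OBFUSCATED_SAMPLE =
  "(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+([][[]]+[])[+!+[]]+" +
  "(!![]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+([][[]]+[])[!+[]+!+[]]";
const BENIGN_SAMPLE =
  "document.querySelectorAll('a').forEach(a => a.addEventListener('click', () => track(a.href)));";
```

A density check is a triage signal, not a verdict; pair it with the referrer and iframe behaviour the campaign exhibits when reviewing a flagged page.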
Fog ransomware operators have adopted a highly unusual toolset combining open-source penetration testing tools with legitimate software to enhance stealth and persistence. In a recent attack on a financial institution in Asia, researchers uncovered the use of Syteca (formerly Ekran), an employee monitoring software that captures screen activity and keystrokes. Syteca was covertly delivered via Stowaway, an open-source proxy tool, and executed using SMBExec, part of the Impacket framework. The attackers also used GC2, a rare backdoor that leverages Google Sheets or Microsoft SharePoint for C2 and exfiltration, previously seen only in APT41 campaigns. Additional tools included Adapt2x C2 (a post-exploitation Cobalt Strike alternative), Process Watchdog (to keep key processes running), PsExec, and Impacket SMB for lateral movement. Data exfiltration was handled via 7-Zip, MegaSync, and FreeFileSync.
The FIN6 hacking group, known for financial fraud and ransomware, is now targeting recruiters by impersonating job seekers. They approach recruiters on platforms like LinkedIn and Indeed, using convincing resumes and phishing emails with non-clickable URLs to deliver malware. These phishing sites, hosted on AWS, employ environmental fingerprinting to ensure only specific targets can access the malicious content. Victims are tricked into downloading a ZIP file that contains a Windows shortcut file, which executes a script to install the More Eggs backdoor, enabling credential theft and further attacks. The group’s tactics highlight a shift in social engineering strategies within employment scams.
Silent Push identified over 4,000 domains in the GhostVendors fake marketplace scam network impersonating major brands. Threat actors exploit Meta's ad policy to remove evidence of their campaigns by stopping ads, making tracking difficult. The campaign impersonates brands known for significant online ad purchases and smaller brands relying on online sales. Examples include spoofed ads for Milwaukee Tools, GE Appliances, and Wayfair, with domains redirecting users to different scam sites. The researchers also found multiple Facebook pages linked to the scam, such as "Millaeke," "Rabx-B," and "Tools Clearance," which repeatedly launched and removed campaigns.
Over 20 malicious cryptocurrency phishing applications were identified on the Google Play Store, targeting users by impersonating popular wallets like SushiSwap and PancakeSwap. These apps steal users' mnemonic phrases, allowing attackers to access and drain cryptocurrency funds. They were distributed through compromised developer accounts and utilized phishing URLs embedded in privacy policies. The threat actors employed frameworks for rapid app deployment and operated a coordinated campaign linked to over 50 phishing domains. Some apps directly loaded phishing sites in WebView, further deceiving users into providing sensitive information.
Kimsuky, a North Korea-aligned APT group, launched a sophisticated cyber-espionage campaign named AppleSeed, targeting defense sectors, activists, and cryptocurrency exchanges through Facebook, email, and Telegram. The group employed impersonation tactics on Facebook, spear-phishing emails with malicious EGG archives, and Telegram for delivering malware disguised as support for North Korean defectors. The malware payload involved encoded scripts, malicious DLLs, and registry modifications for persistence, using advanced techniques like VMProtect and encryption to evade detection.
New Threats
CyberEye lowers the barrier for cybercrime with a plug-and-play toolkit. This .NET-based RAT uses Telegram for command and control while offering modules for keylogging, credential theft, and platform-specific data grabbing. The TokenBreak attack manipulates how text is tokenized in classification models to sneak past defenses. A Mirai variant is actively exploiting a command injection vulnerability in TBK DVR-4104 and DVR-4216 devices to conscript them into a botnet for DDoS attacks.
CyberEye is a .NET-based RAT with modular features like keyloggers, file grabbers, and clipboard hijackers, leveraging Telegram for C2 operations. The malware disables Windows Defender using PowerShell and registry manipulations to evade detection. CyberEye's builder GUI allows attackers to customize payloads with minimal technical expertise. Anti-analysis mechanisms detect sandbox, virtual machine, or debugging environments, terminating the malware to avoid detection. Credential theft modules target browsers, extracting passwords, cookies, and credit card information using decryption techniques. Specific modules like TelegramGrabber, DiscordGrabber, and SteamGrabber steal session data from popular platforms.
Apple disclosed a zero-click vulnerability in its Messages app (CVE-2025-43200) that was exploited to target journalists with Paragon's Graphite spyware. This flaw, which allowed attackers to access sensitive data without user interaction, was patched on February 10. Notably, the spyware was used in sophisticated attacks against Italian journalist Ciro Pellegrino and another unnamed European journalist. Apple informed the victims of the targeted attacks, which were linked to state-sponsored entities. The spyware could be deployed via iMessages from a single Apple account, raising concerns about the misuse of such surveillance tools.
The TokenBreak attack exploits vulnerabilities in text classification models by manipulating tokenization strategies. Specifically, it targets models using BPE (Byte Pair Encoding) and WordPiece tokenizers, which are prone to false negatives, allowing malicious input to bypass detection. In contrast, models employing Unigram tokenization remain unaffected. The attack works by subtly altering input text, preserving its meaning while evading protective models. Testing showed that models like BERT and RoBERTa are susceptible, while DeBERTa-v2 and v3 are not. This divergence between detection models and target LLMs highlights a significant security concern in content moderation systems, as manipulated prompts can lead to successful prompt injections.
Proofpoint researchers uncovered an active account takeover campaign, UNK_SneakyStrike, leveraging the TeamFiltration pentesting tool to target Microsoft Entra ID accounts. The campaign exploited the Microsoft Teams API, AWS servers, and applications like OneDrive and Outlook for user enumeration, password spraying, and data exfiltration. TeamFiltration, initially developed for legitimate penetration testing, has been weaponized for malicious activities, including persistent access via OneDrive and user account compromise. The UNK_SneakyStrike campaign has targeted over 80,000 accounts across 100 organizations since December 2024, using burst attacks and focusing on specific user subsets. The campaign’s primary source geographies include the U.S., Ireland, and Great Britain, with malicious activity linked to AWS-hosted IP addresses.
A critical zero-click AI vulnerability named EchoLeak was discovered in Microsoft 365 Copilot, allowing attackers to exfiltrate sensitive data without user interaction. The flaw was reported to Microsoft in January and assigned the CVE-2025-32711 identifier. Microsoft fixed the issue server-side in May, stating there was no evidence of real-world exploitation. The attack involves a malicious email containing a hidden prompt injection that bypasses security measures, tricking the LLM into extracting internal data when the user interacts with Copilot. This vulnerability highlights a new class of risks associated with large language models, known as 'LLM Scope Violation,' which can lead to silent data exfiltration in enterprise environments.
Myth Stealer is a Rust-based information stealer malware that spreads through fake gaming websites, targeting users of Chromium- and Gecko-based browsers like Chrome and Firefox. Initially offered for free on Telegram, it has transitioned to a Malware-as-a-Service model. Upon execution, it displays a fake window to appear legitimate while secretly stealing passwords, cookies, and autofill data. The malware employs anti-analysis techniques, including string obfuscation, and is regularly updated to evade antivirus detection. It has been found distributed through compromised websites, including those hosted on Google’s Blogger, and is capable of exfiltrating stolen data to remote servers or Discord webhooks.
Blitz malware targets gamers by distributing backdoored cheat packages for the mobile game Standoff 2, compromising systems, stealing data, and mining cryptocurrency. The malware uses legitimate platforms like Hugging Face Spaces for C2 operations and stores malicious payloads. Distributed through Telegram, the malware operates in two stages: a downloader and a bot capable of keylogging, screenshot capture, file transfer, DDoS attacks, and cryptojacking. Researchers identified 289 active infections across 26 countries, with Russia, Ukraine, Belarus, and Kazakhstan being most affected.
DuplexSpy RAT is a newly emerged modular remote access trojan developed in C# and available on GitHub. It features a GUI for surveillance, persistence, and anti-analysis, mimicking legitimate processes to avoid detection. Key capabilities include keylogging, live streaming, audio spying, remote command execution, and system shutdowns. The RAT uses AES/RSA encryption and DLL injection for secure, in-memory payload execution. It mimics legitimate system processes, such as "Windows Update," to avoid suspicion.
A new variant of the Mirai botnet is exploiting a command injection vulnerability (CVE-2024-3721) in TBK DVR-4104 and DVR-4216 devices to hijack them. This flaw, disclosed in April 2024, enables shell command execution through crafted POST requests. The exploit uses a PoC to drop malware and connect devices to a botnet for DDoS attacks and malicious traffic proxying. An estimated 50,000 devices remain exposed globally, with infections primarily affecting countries such as China, India, and Brazil.