Cyware Weekly Threat Intelligence, June 16–20, 2025

The Good
As cybercriminals weave intricate webs in the digital underworld, global defenders are cutting through the chaos. Six nations toppled Archetyp Market, a darknet drug bazaar with €250 million ($288 million) in Monero deals, nabbing its admin and vendors while seizing €7.8 million ($9 million) in assets. The U.K. unveiled a Cyber Growth Action Plan, injecting £16m ($21.2m) to fortify its £13.2bn ($17.5bn) cybersecurity industry after attacks bled retailers like M&S. Stateside, the U.S. reclaimed $225 million in crypto from investment scams, marking the Secret Service’s biggest digital heist bust yet.
Law enforcement from six countries dismantled Archetyp Market, a darknet drug marketplace operating since May 2020, with over 612,000 users and €250 million ($288 million) in Monero transactions. The operation, "Deep Sentinel," led to the arrest of a German admin in Spain, a moderator, and six top vendors in Germany and Sweden. Authorities seized 47 smartphones, 45 computers, narcotics, and €7.8 million ($9 million) in assets.
The UK government launched a Cyber Growth Action Plan to bolster cybersecurity and economic growth following recent high-profile cyberattacks on retailers like M&S, costing £300m ($404m). Led by experts from Bristol and Imperial College, the plan will review cyber goods, services, and emerging tech like AI. It includes £16m ($21.5m) for CyberASAP (£10m/$13.5m) and Cyber Runway (£6m/$8m) to support startups, aiming for 25 new spin-outs and £30m ($40.4m) in investment by 2030. The UK’s cybersecurity sector, generating £13.2bn ($17.8bn) in 2024, will feed into the National Cyber Strategy.
The U.S. Department of Justice, with the FBI, Secret Service, Tether, and TRM Labs, seized over $225 million in cryptocurrency, the largest U.S. Secret Service crypto seizure, linked to investment scams and money laundering. Blockchain analysis traced funds from over 400 victims through a complex network of addresses. Tether froze and reissued the funds for forfeiture. The scam involved 144 OKX accounts, with one victim, a bank CEO, losing $47.1 million. Funds were laundered through 93 deposit addresses, 35 intermediary wallets, and seven final USDT wallet groups, incurring up to $125,000 in gas fees to obscure traceability.
The Bad
Cloud services are being quietly turned into covert attack channels. The Serpentine#Cloud campaign is abusing Cloudflare Tunnels and Python to deploy fileless malware via invoice-themed phishing lures. A flaw in a popular WordPress plugin is exposing sites to full takeover: it affects the AI Engine plugin, impacting over 100,000 websites and opening the door to site-wide compromise. An official-looking email from the tax department may be anything but. Silver Fox APT is targeting Taiwanese users with phishing emails posing as the National Taxation Bureau, delivering malware like Winos 4.0, HoldingHands RAT, and Gh0stCringe.
The Serpentine#Cloud malware campaign has been exploiting Cloudflare Tunnels to inject Python-based malware and gain persistent access to systems. Threat actors lure users via phishing emails containing malicious .lnk files disguised as invoices or payment-themed documents. The infection chain involves multiple stages, including batch files, VBScript, and Python scripts, to deploy shellcode and Donut-packed PE payloads entirely in memory. Persistence is established by placing malicious scripts in Windows startup directories, ensuring the malware executes upon user login. The campaign exploits legitimate tools like Cloudflare Tunnels and Python, blending malicious activity with legitimate traffic to evade detection. The campaign targets Western countries, including the U.S., the U.K., and Germany.
Trellix researchers discovered a malware infection using a corrupted version of the jQuery Migrate library, distributed through a compromised WordPress site. The attack leveraged the Parrot TDS, which selectively delivered malware based on user attributes such as device and browser. The malicious script was hidden within the legitimate jQuery Migrate library, using obfuscated code to evade detection and dynamically execute payloads. The malware could perform various actions, including stealing cookies, session data, and credentials, logging keystrokes, phishing, and deploying additional malicious scripts. The infection exploited WordPress's Autoptimize plugin, which left cache folders vulnerable to manipulation, allowing malware to be served from trusted domains.
A critical vulnerability (CVE-2025-5071) has been discovered in the AI Engine plugin for WordPress, affecting versions 2.8.0 to 2.8.3. This flaw allows authenticated users with subscriber-level access or higher to escalate privileges and execute administrative commands via the Model Context Protocol (MCP) module. The vulnerability has a CVSS score of 8.8 and impacts over 100,000 WordPress sites. Exploitation of this vulnerability can lead to full site compromise, including unauthorized user creation, content manipulation, and backdoor installation. However, this vulnerability only affects sites where the Dev Tools and MCP module have been manually enabled, as both are disabled by default.
The Banana Squad threat group has been exploiting GitHub repositories with trojanized files. Over 60 GitHub repositories containing hundreds of malicious Python files were discovered. These files were disguised as hacking tools but contained backdoors. The group used techniques like long runs of spaces in code to push the malicious backdoor content off-screen, hiding it from visual inspection. The malicious repositories were created using fake GitHub accounts, each hosting only one repository. The primary domain associated with this campaign is "dieserbenni[.]ru," with a new domain, "1312services[.]ru," identified in June. The campaign, which began in April 2023, resulted in nearly 75,000 downloads before the malicious packages were removed from GitHub.
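The whitespace-padding trick described above is easy to miss in a code review but easy to catch mechanically. The scanner below is an added example for this digest, not Banana Squad's code or any vendor's detection; the sample source is constructed, and the 40-space threshold is an assumption chosen to match what scrolls past a typical editor width.

```python
"""Flag source lines whose code continues after a long run of whitespace.

Added example, not from the original digest. The threshold of 40 spaces or
tabs between two non-space characters is an assumption; tune it per codebase.
"""
import re
from typing import List, Tuple

# Constructed sample file: line 3 carries a second statement pushed far to
# the right by 120 spaces, so a reader sees only the innocuous print call.
SAMPLE_SOURCE = (
    "import os\n"
    "def scan(target):\n"
    "    print('scanning', target)"
    + " " * 120
    + ";print('this statement sits off-screen')\n"
    "    return True\n"
)


def find_hidden_code(source: str, min_gap: int = 40) -> List[Tuple[int, int, str]]:
    """Return (line_number, gap_length, hidden_tail) for every line where a
    non-space character is followed by at least `min_gap` spaces/tabs and
    then more code.

    Trailing whitespace alone is not flagged because the tail must start
    with a non-space character. Long gaps inside string literals will also
    match; the reviewer triages those by inspecting the reported tail.
    """
    pattern = re.compile(r"\S([ \t]{%d,})(\S.*)$" % min_gap)
    hits: List[Tuple[int, int, str]] = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        match = pattern.search(line)
        if match:
            hits.append((line_no, len(match.group(1)), match.group(2)))
    return hits


if __name__ == "__main__":
    for line_no, gap, tail in find_hidden_code(SAMPLE_SOURCE):
        print(f"line {line_no}: {gap} hidden spaces before: {tail!r}")
```

Run it over a cloned repository's `.py` files before executing anything from it; any hit whose tail is executable code rather than a string or comment deserves a closer look.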
A rise in cyber campaigns is utilizing the ClickFix social engineering technique to deploy malware, particularly the GHOSTPULSE loader and ARECHCLIENT2 infostealer. ClickFix manipulates users into executing malicious PowerShell commands by disguising them as benign prompts, often appearing as CAPTCHA verifications. The GHOSTPULSE loader, continuously updated, employs multi-stage payload delivery and DLL sideloading techniques to enhance evasion. ARECHCLIENT2, a .NET-based remote access trojan, targets sensitive information such as credentials and financial data. The attack chain begins with phishing pages that deliver obfuscated scripts, leading to the execution of malware. The infrastructure behind these campaigns leverages compromised servers, with C2 nodes frequently changing to evade detection.
Silver Fox APT launched a phishing campaign targeting Taiwan, which impersonates the National Taxation Bureau to distribute malware, including Winos 4.0, HoldingHands RAT, and Gh0stCringe. Emails use topics like tax forms and invoices, embedding malicious links or files leading to malware downloads. The attack employs multi-stage side-loading methods with files like TaskServer.exe and Dokan2.dll, which decrypt and execute malicious payloads. The malware utilizes anti-virtualization techniques, privilege escalation, and evasion strategies against security tools like Kaspersky. HoldingHands RAT communicates with C2 servers, collecting system data and supporting remote operations through modules like Remote Desktop and File Manager.
Cybercriminals are using HijackLoader and DeerStealer in phishing campaigns, redirecting victims to malicious pages that execute PowerShell commands to download malware. HijackLoader employs steganography to hide configuration data in PNG images and exploits legitimate binaries to run unsigned malicious code, injecting DeerStealer into memory. DeerStealer is an advanced infostealer capable of extracting data from over 50 web browsers, hijacking cryptocurrency wallets, and stealing credentials from various applications. It also features stealthy remote access and encrypted communication. The attack process involves the use of a signed binary from COMODO, which loads a manipulated DLL to decrypt and inject DeerStealer into legitimate processes.
New Threats
A new Android trojan is turning devices into data-harvesting tools under attackers’ full control. Attributed to the LARVA-398 group, AntiDot has infected thousands of devices through phishing and malicious ads. A fake job offer could now come bundled with custom-built spyware. PylangGhost is targeting crypto professionals in India. Delivered through spoofed job sites, the malware includes registry tampering, remote control, and data exfiltration modules aimed at compromising Windows systems. One compromised travel site is now a launchpad for infostealer infections. A new ClickFix variant, LightPerlGirl, is using fake Cloudflare CAPTCHA prompts and clipboard hijacking to deliver the Lumma infostealer.
The AntiDot Android trojan, attributed to the LARVA-398 threat group, has infected over 3,775 devices through 273 distinct attacks, focusing on personal and financial data theft. It operates on a MaaS model, disseminated via malicious ads and targeted phishing campaigns. AntiDot leverages the Android MediaProjection API and Accessibility Services to record screens, intercept SMS messages, and execute keylogging. It can replace authentic app interfaces with counterfeit login pages to capture credentials and sets itself as the default SMS application to monitor and manipulate communications. The malware is controlled through a C2 panel developed on the MeteorJS framework, enabling attackers to configure attacks and manage infected devices effectively.
The Godfather Android malware has evolved to utilize virtualization, creating isolated environments on devices to hijack over 500 banking, cryptocurrency, and e-commerce applications worldwide. It employs an embedded virtualization framework, leveraging tools like VirtualApp and Xposed for API hooking, allowing it to intercept sensitive data such as credentials, PINs, and transaction details while displaying the legitimate app interface to the user. By using a StubActivity, the malware tricks Android into believing the real app is running, capturing user interactions and manipulating transactions.
Cisco Talos discovered a Python-based RAT named PylangGhost, used by the North Korean-aligned group Famous Chollima. PylangGhost is functionally similar to the GolangGhost RAT but is tailored for Windows, while the Golang version targets macOS. The threat actors target professionals in cryptocurrency and blockchain industries, mostly in India, using fake job interviews. Fake job sites impersonate legitimate companies like Coinbase and Robinhood, tricking users into executing malicious commands. PylangGhost consists of six Python modules, including "nvidia.py," which handles system registry modifications, communication with the C2 server, and remote control functionalities.
A newly disclosed vulnerability in Apache Traffic Server (ATS), tracked as CVE-2025-49763, allows attackers to exploit the Edge Side Includes (ESI) plugin to trigger denial-of-service (DoS) attacks via memory exhaustion. The issue impacts ATS versions 9.0.0–9.2.10 and 10.0.0–10.0.5. Apache has released patched versions (9.2.11 and 10.0.6) with new configuration options, such as the --max-inclusion-depth setting, to address the flaw.
A new ClickFix malware variant, LightPerlGirl, was discovered exploiting PowerShell and clipboard hijacking to deliver the Lumma infostealer. The malware uses a compromised WordPress travel site in a watering hole attack, tricking users with fake Cloudflare CAPTCHA prompts. The attack process involves clipboard manipulation, obfuscated PowerShell commands, and connection to a C2 domain for malware delivery. The Lumma infostealer could lead to broader enterprise compromises by targeting individuals' personal devices.
A new variant of the Flodrix botnet exploits a critical vulnerability (CVE-2025-3248, CVSS score: 9.8) in Langflow, a Python-based AI framework, to execute DDoS attacks. The vulnerability, caused by missing authentication, allows unauthenticated attackers to execute arbitrary code via crafted HTTP requests. Langflow patched this issue in March 2025 with version 1.3.0. Threat actors use a publicly available PoC to target unpatched Langflow servers, deploying downloader scripts that fetch and install Flodrix malware. The botnet introduces new encrypted DDoS attack types, complicating analysis, and enumerates running processes to identify high-value targets. The campaign is still under active development, with threat actors hosting multiple downloader scripts on the same server.