Cyware Weekly Threat Intelligence, June 30–July 04, 2025

The Good
It looked like a crypto investment until €460 million vanished. Operation BORRELLI dismantled a global fraud ring that scammed over 5,000 victims, with arrests in Madrid and the Canary Islands. A fake workforce was quietly funding a real regime. The DoJ disrupted a North Korean scheme where remote IT workers used stolen identities to get jobs at over 100 U.S. companies. The operation funneled $5 million to the DPRK, exposed military tech, and led to raids across 16 states.
A recent coordinated effort by European and U.S. authorities has successfully disrupted a significant cryptocurrency investment fraud scheme that had defrauded over 5,000 victims worldwide, accumulating €460 million ($540 million). This operation, branded as Operation BORRELLI, resulted in five arrests across Spain, specifically in Madrid and the Canary Islands. The fraudulent network was sophisticated, involving a global web of associates who laundered illicit funds through various means, including a corporate setup in Hong Kong that facilitated the concealment of proceeds via digital assets.
The DoJ disrupted a North Korean scheme involving remote IT workers using stolen or fake identities to obtain jobs at over 100 U.S. companies, funneling salaries to the DPRK regime. The operation generated $5 million in illicit revenue, caused $3 million in damages to U.S. companies, and led to the exfiltration of sensitive data, including regulated U.S. military technology. Law enforcement actions under the DPRK RevGen: Domestic Enabler Initiative led to searches at 29 suspected “laptop farms” across 16 states, seizing financial accounts, fake websites, and computers. Several individuals, including Chinese and Taiwanese nationals, were indicted for their roles.
The Bad
Sometimes, the app that looks harmless is just a decoy. Recent investigations uncovered massive Android fraud schemes, including IconAds and Kaleidoscope, which used icon hiding, fake apps, and third-party distribution to flood ad networks with billions of fake requests. Two different names - same tactics, same tools, same playbook. Researchers have found striking overlaps between TA829 and the lesser-known UNK_GreenSec, both of which use phishing lures and REM Proxy services through compromised MikroTik routers. It starts with what looks like an official message from the Colombian government. Behind it is a phishing campaign delivering DCRAT, a modular remote access tool designed for theft and system control.
Recent investigations have revealed several massive Android fraud operations, including IconAds, Kaleidoscope, and various malware campaigns. IconAds involved 352 malicious apps that hid their icons and displayed intrusive ads, generating 1.2 billion bid requests daily before being removed from the Play Store. Kaleidoscope utilized the evil twin technique, where legitimate-looking apps served as decoys while malicious counterparts distributed through third-party stores generated fraudulent ad revenue. Additionally, malware like NGate and Ghost Tap exploited NFC technology to facilitate financial fraud, allowing attackers to withdraw cash remotely. Another significant threat is the Qwizzserial SMS stealer, which infected nearly 100,000 devices in Uzbekistan, targeting financial data through fake government apps.
Cybersecurity researchers have identified tactical similarities between TA829 and UNK_GreenSec, two threat actor groups involved in malware campaigns using TransferLoader and RomCom RAT. TA829 conducts both espionage and financially motivated attacks, exploiting zero-day vulnerabilities in Firefox and Windows. Both groups use REM Proxy services on compromised MikroTik routers for traffic relay and phishing email campaigns. The campaigns utilize phishing emails with embedded links or PDFs that redirect victims to spoofed Google Drive or OneDrive pages, leading to malware payloads. TA829 employs SlipScreen malware, while UNK_GreenSec uses TransferLoader, which delivers additional malware like Metasploit and Morpheus ransomware.
ASEC identified attacks on poorly managed Linux SSH servers using weak credentials, aiming to install proxies like TinyProxy or Sing-box for malicious purposes. Attackers install TinyProxy and edit its configuration file to allow unrestricted external access, turning the infected systems into proxy nodes. Sing-box, an open-source proxy tool, is installed by attackers to bypass restrictions on services like ChatGPT and Netflix, with the compromised systems used without authorization for illegal or profit-driven activities.
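A defender's check for the TinyProxy abuse described above, written here as an added example rather than code from ASEC or the TinyProxy project: it parses a tinyproxy.conf and flags the configurations an attacker leaves behind, either no `Allow` directive at all (TinyProxy then accepts every client) or an `Allow` covering public or all address space. The two sample configurations are constructed for the demonstration; the thresholds for what counts as "permissive" are this example's assumptions.

```python
import ipaddress
from typing import Dict, List

def parse_tinyproxy(text: str) -> Dict[str, List[str]]:
    """Map each directive (lower-cased) to its values, ignoring comments and blank lines."""
    directives: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        directives.setdefault(key, []).append(value)
    return directives

def audit_tinyproxy(text: str) -> List[str]:
    """Return human-readable findings; an empty list means the ACL looks restrictive."""
    d = parse_tinyproxy(text)
    findings: List[str] = []
    allows = d.get("allow", [])
    if not allows:
        # TinyProxy's documented default: with no Allow/Deny lines, everyone is permitted.
        findings.append("no Allow directive: tinyproxy permits every client by default")
    for entry in allows:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # hostnames are accepted by TinyProxy but not evaluated here
        if net.prefixlen == 0:
            findings.append(f"Allow {entry}: open proxy for all addresses")
        elif not (net.is_private or net.is_loopback):
            findings.append(f"Allow {entry}: grants access from a public range")
    listen = d.get("listen", [])
    if listen and listen[0] in ("0.0.0.0", "::") and findings:
        findings.append(f"Listen {listen[0]}: bound on all interfaces with a permissive ACL")
    return findings

# Constructed sample configurations (not taken from any real host).
HARDENED_CONF = """Port 8888
Listen 127.0.0.1
Allow 127.0.0.1
Allow 10.0.0.0/8
"""

ROGUE_CONF_NO_ALLOW = """Port 8888
Listen 0.0.0.0
# Allow lines deleted, so every client is accepted
"""

ROGUE_CONF_ALLOW_ALL = """Port 8888
Listen 0.0.0.0
Allow 0.0.0.0/0
"""

if __name__ == "__main__":
    for name, conf in [("hardened", HARDENED_CONF),
                       ("rogue-no-allow", ROGUE_CONF_NO_ALLOW),
                       ("rogue-allow-all", ROGUE_CONF_ALLOW_ALL)]:
        print(name, audit_tinyproxy(conf) or ["ok"])
```

Run it against `/etc/tinyproxy/tinyproxy.conf` on any host where the binary turned up unexpectedly; a finding from this script is worth pairing with a look at SSH auth logs for the brute-force activity that precedes the install.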
An Arbitrary File Deletion vulnerability was identified in the Forminator WordPress plugin, affecting versions 1.44.2 and earlier, with over 600,000 active installations. The flaw, rated 8.8 (High) on the CVSS scale, stems from insufficient validation in file deletion processes, enabling attackers to target critical files like wp-config.php, which could lead to remote code execution. The patch restricts deletions to legitimate upload fields and ensures files reside within the uploads directory, with added sanitization and path normalization. Site administrators are urged to update Forminator to version 1.44.3 or higher.
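The Forminator fix is described as confining deletions to the uploads directory with path normalization. The following is an added example in Python (not the plugin's PHP code) that shows the general pattern: the vulnerable form joins a user-supplied name onto the uploads path and removes whatever it resolves to, while the hardened form rejects absolute paths, resolves the result, and refuses anything that does not sit inside the uploads directory. The `demo()` function builds a throwaway directory tree with a stand-in `wp-config.php` to show the difference; all paths and file contents are constructed.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict

def delete_upload_vulnerable(uploads_dir: str, requested: str) -> bool:
    """Vulnerable pattern: no containment check, so '../' segments walk out of uploads."""
    target = os.path.join(str(uploads_dir), requested)
    if os.path.isfile(target):
        os.remove(target)
        return True
    return False

def delete_upload_hardened(uploads_dir: str, requested: str) -> bool:
    """Hardened pattern: normalize, then require the resolved target to be inside uploads."""
    if "\x00" in requested or os.path.isabs(requested):
        return False
    base = Path(uploads_dir).resolve()
    target = (base / requested).resolve()  # collapses '..' and follows symlinks
    if base not in target.parents:
        return False  # resolved path escaped the uploads directory
    if not target.is_file():
        return False
    target.unlink()
    return True

def demo() -> Dict[str, bool]:
    """Constructed layout: <root>/wp-config.php beside <root>/wp-content/uploads/."""
    root = Path(tempfile.mkdtemp())
    uploads = root / "wp-content" / "uploads"
    uploads.mkdir(parents=True)
    config = root / "wp-config.php"
    config.write_text("<?php // constructed stand-in for a real wp-config.php\n")
    legit = uploads / "form-123" / "resume.pdf"
    legit.parent.mkdir()
    legit.write_text("constructed upload")
    traversal = "../../wp-config.php"

    results: Dict[str, bool] = {}
    results["hardened_blocks_traversal"] = not delete_upload_hardened(uploads, traversal)
    results["config_survives_hardened"] = config.exists()
    results["hardened_deletes_legit_upload"] = delete_upload_hardened(uploads, "form-123/resume.pdf")
    results["vulnerable_deletes_config"] = delete_upload_vulnerable(uploads, traversal)
    results["config_gone_after_vulnerable"] = not config.exists()
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The containment test is done on the resolved path rather than on the string, which is what defeats both `..` segments and symlinks planted inside the uploads directory.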
Fortinet spotted a phishing campaign that has been distributing DCRAT by impersonating a Colombian government entity. This malware utilizes a modular architecture, enabling attackers to customize its functionality for tasks such as data theft and system manipulation. The attack begins with a phishing email containing a ZIP file that executes an obfuscated VBS script, which then downloads a malicious executable. DCRAT employs various evasion techniques, including obfuscation, steganography, and multi-stage payloads. Once installed, it can steal sensitive information, alter system settings, and ensure persistence on infected machines.
New Threats
Botnet operators are now turning broken routers into system wreckers. RondoDox is a new Linux-based botnet exploiting CVE-2024-3721 and CVE-2024-12856 to gain remote access to TBK DVRs and Four-Faith routers. That Zoom update request on Telegram? It could be a trap. North Korean actors are deploying NimDoor malware to infiltrate Web3 and crypto platforms using social engineering via Telegram. Google has patched CVE-2025-6554, a critical zero-day in Chrome’s V8 engine that was exploited in the wild to execute arbitrary code.
RondoDox is a new botnet threat that exploits two critical vulnerabilities: CVE-2024-3721 (TBK DVR models) and CVE-2024-12856 (Four-Faith router models). These vulnerabilities allow remote attackers to execute arbitrary commands. RondoDox targets various Linux architectures and disrupts critical system functions by renaming executable files to random strings, impairing system stability and recovery efforts. It connects to a C2 server for receiving instructions to launch DDoS attacks using HTTP, UDP, and TCP protocols while disguising malicious traffic as legitimate services like OpenVPN and gaming platforms.
Eight malicious Firefox extensions have emerged, exploiting user trust by impersonating popular games and stealing OAuth tokens. The threat actor, known as mre1903, has been active since 2018, employing deceptive tactics to redirect users to gambling sites and scam pages. Notable extensions include Little Alchemy 2 and 1v1.LOL, which leverage familiar game names to lure users. Additionally, GimmeGimme hijacks shopping sessions for affiliate revenue, while VPN Grab A Proxy Free employs invisible tracking techniques. The most concerning is CalSyncMaster, which steals Google Authentication tokens, granting unauthorized access to sensitive data.
North Korean threat actors are leveraging a malware named NimDoor to target Web3 and cryptocurrency platforms. This campaign utilizes Nim-compiled binaries and employs advanced techniques such as process injection, encrypted WebSocket communication, and a novel persistence mechanism based on signal handling. The attack begins with social engineering through Telegram, tricking victims into executing a malicious AppleScript disguised as a Zoom SDK update. The malware comprises multiple stages, including C++ and Nim binaries that facilitate data exfiltration and long-term access. Key functionalities include stealing browser data, credentials, and Telegram user information, while using C2 servers that mimic legitimate domains.
Google has released a security update to address a critical zero-day vulnerability in Chrome's V8 engine, identified as CVE-2025-6554, which was actively exploited in the wild. This type confusion flaw allowed remote attackers to execute arbitrary code via specially crafted HTML pages. The bug may have been used in targeted attacks, possibly by nation-state actors. Users are urged to update their Chrome browsers to versions 138.0.7204.96/.97 for Windows, 138.0.7204.92/.93 for macOS, and 138.0.7204.96 for Linux.
A stealthy malware campaign has been discovered targeting WordPress websites to deliver a Windows-based RAT through a PHP backdoor. The infection chain involves obfuscated PHP scripts, IP-based evasion, and a malicious ZIP archive containing the trojan executable. The malware was embedded in compromised WordPress environments as legitimate-looking PHP files: the chain uses header.php and man.php scripts, a batch file (update.bat), and a ZIP archive (psps.zip) containing client32.exe. The trojan establishes a covert connection to a C2 server at 5[.]252[.]178[.]123 on port 443.
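The indicators in the paragraph above can be turned directly into a sweep. The script below is an added example, not part of the Cyware digest or any vendor tooling: it refangs the published C2 address, flags the named stage files in a file listing, and matches connections to the C2 on port 443 in `ss -tn`-style output. Because header.php is also a normal theme file name, the example only raises it when it sits outside `wp-content/themes/`, which is this example's own heuristic. The file listing and connection lines are constructed sample data.

```python
import re
from typing import List, Tuple

# Indicators quoted in the report; the C2 is kept defanged as published.
DEFANGED_C2 = "5[.]252[.]178[.]123"
C2_PORT = 443
# Stage file names from the reported chain (header.php handled separately below).
STAGE_FILES = {"man.php", "update.bat", "psps.zip", "client32.exe"}

def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 5[.]252[.]178[.]123 into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

def scan_file_listing(paths: List[str]) -> List[Tuple[str, str]]:
    """Flag stage file names anywhere, and header.php outside a theme directory."""
    hits: List[Tuple[str, str]] = []
    for p in paths:
        norm = p.replace("\\", "/")
        name = norm.rsplit("/", 1)[-1].lower()
        if name in STAGE_FILES:
            hits.append((p, f"stage file name {name}"))
        elif name == "header.php" and "/wp-content/themes/" not in norm.lower():
            hits.append((p, "header.php outside a theme directory"))
    return hits

# Peer address is the last addr:port token on an `ss -tn` line.
PEER_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s*$")

def scan_connections(lines: List[str]) -> List[str]:
    """Return lines whose peer is the reported C2 address on the reported port."""
    c2 = refang(DEFANGED_C2)
    hits: List[str] = []
    for line in lines:
        m = PEER_RE.search(line)
        if m and m.group(1) == c2 and int(m.group(2)) == C2_PORT:
            hits.append(line)
    return hits

# Constructed sample data for the demonstration (not from a real incident).
SAMPLE_PATHS = [
    "/var/www/html/wp-content/themes/twentytwentyfour/header.php",  # legitimate theme file
    "/var/www/html/wp-content/uploads/2025/header.php",             # suspicious location
    "/var/www/html/wp-content/uploads/2025/man.php",
    "/var/www/html/wp-content/uploads/2025/psps.zip",
    "C:\\Users\\Public\\update.bat",
    "C:\\Users\\Public\\client32.exe",
    "/var/www/html/wp-includes/version.php",
]
SAMPLE_CONNS = [
    "ESTAB 0 0 192.168.1.20:51234 5.252.178.123:443",
    "ESTAB 0 0 192.168.1.20:51235 203.0.113.10:443",   # unrelated peer (TEST-NET-3)
    "ESTAB 0 0 192.168.1.20:51236 5.252.178.123:80",   # same host, different port
]

if __name__ == "__main__":
    for path, reason in scan_file_listing(SAMPLE_PATHS):
        print(f"FILE  {path}  <- {reason}")
    for line in scan_connections(SAMPLE_CONNS):
        print(f"CONN  {line}")
```

On a real host, feed `find /var/www -type f` and `ss -tn` output into the two functions; the port restriction mirrors the report, so widen it if you want to catch the same address on other ports.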
Netskope identified a phishing campaign using fake installers for software like WPS Office and Sogou to deliver malware targeting Chinese speakers. The malware includes Sainbox RAT, a Gh0stRAT variant, and Hidden rootkit, which provide attackers with control and stealth capabilities. The infection process involves MSI files executing legitimate software alongside malicious DLLs and shellcode payloads. The rootkit protects malware processes, conceals files, and evades security tools, granting attackers extensive control over compromised systems. Attribution to the Silver Fox group is based on consistent tactics and tools, though adversary attribution remains complex.