Weekly Threat Briefing
Diamond Trail

Cyware Weekly Threat Intelligence, March 03–07, 2025

people, person, connected, network, social, link, red, blue, green, yellow, abstract, concept

The Good

The code caves of GitHub just got a cleanup crew courtesy of Microsoft. A sprawling malvertising campaign that snagged nearly a million devices worldwide has been knocked down a peg. Cheap Android gadgets are getting a breather from a relentless digital pest. The BadBox 2.0 botnet, a souped-up sequel backed by multiple threat crews, saw 24 shady apps booted from Google Play and half a million infected devices cut off from their puppet masters, thanks to some crafty sinkholing and Google’s cleanup sweep.

  • A Russian cryptocurrency exchange called Garantex, known for its use by the Conti ransomware group and other criminals for money laundering, has been shut down. This action was carried out by a coalition of international law enforcement agencies, including the U.S. Secret Service, the DOJ, the FBI, Europol, and several others. The seizure warrant for the domain was obtained by the U.S. Attorney's Office for the Eastern District of Virginia. 

  • Microsoft recently took down several GitHub repositories that were part of a large malvertising campaign, which affected nearly one million devices globally. The campaign was discovered in early December 2024, with threat analysts noticing devices downloading malware from GitHub repositories, which were then used to deploy additional malicious payloads.

  • The BadBox Android malware botnet, which primarily targets low-cost Android devices, has been disrupted by removing 24 malicious apps from Google Play and sinkholing communications for half a million infected devices. The botnet, now referred to as 'BadBox 2.0,' is supported by multiple threat groups. Researchers sinkholed an undisclosed number of BadBox 2.0 domains, preventing over 500,000 infected devices from communicating with command-and-control servers. Google removed 24 apps from Google Play, added a Play Protect enforcement rule, and terminated publisher accounts associated with the BadBox operation. 

The Bad

A sneaky gatecrasher has turned WordPress into a redirect rollercoaster. A malicious JavaScript injection lurking in a theme file has snagged at least 31 sites, pulling visitors through a two-step detour to shady third-party domains. Japan’s digital defenses are under siege from a shadowy crew with a taste for chaos. Since January, unknown threat actors have been prying open organizations in tech, telecom, entertainment, and more, exploiting CVE-2024-4577 in PHP-CGI on Windows. Crooks posing as the Electronic Frontier Foundation are targeting Albion Online players with phishing emails and fake PDFs, claiming account trouble. It’s a ruse to drop Stealc malware and Pyramid C2.

  • A malicious JavaScript injection was discovered on a WordPress website, causing visitors to be redirected to unwanted third-party domains. The infection was found in a theme file and operated through a two-stage redirection process. The malware was injected into a specific theme file and loaded an external JavaScript file, which then created a hidden link and forced a redirect to malicious content. At least 31 infected websites were identified, and the domains are currently on the VirusTotal blocklist. The malware could lead to loss of traffic and reputation, SEO blacklisting, and further malware infections. 

  • Threat actors of unknown origin have been targeting organizations in Japan since January, exploiting the vulnerability CVE-2024-4577 in PHP-CGI on Windows to gain initial access. They use the Cobalt Strike kit 'TaoWu' for post-exploitation activities. Targeted sectors include technology, telecommunications, entertainment, education, and e-commerce. The attackers use tools like JuicyPotato, RottenPotato, SweetPotato, Fscan, and Seatbelt for reconnaissance, privilege escalation, and lateral movement. They establish persistence via Windows Registry modifications, scheduled tasks, and bespoke services. The attackers erase event logs for stealth and use Mimikatz to dump and exfiltrate passwords and NTLM hashes.

  • Researchers discovered a targeted cybercriminal campaign that impersonates the Electronic Frontier Foundation (EFF) to target Albion Online players. The attackers used phishing strategies and decoy documents to steal in-game assets, employing the Stealc malware and Pyramid C2 infrastructure. The threat actors exploited the game's player-driven economy, where in-game assets are traded for real money through third-party markets. The campaign involved phishing emails that tricked victims into downloading malicious PDF reports, supposedly from the EFF, which claimed unauthorized transactions on their accounts. Once opened, the document launched a malware infection chain designed to steal sensitive data. 

  • An advanced cyber-espionage campaign, named Operation Sea Elephant, has been found primarily targeting research institutions, universities, and government organizations in South Asia. The campaign, allegedly orchestrated by the CNC group, utilizes custom plug-ins and malware for surveillance, data theft, and lateral movement within networks. The attack begins with targeted phishing emails containing malicious attachments, exploiting trusted relationships within academic and research communities. Once a target is compromised, the malware spreads laterally by hijacking WeChat and QQ accounts to distribute trojanized programs. The CNC group employs various custom plug-ins for specific attack objectives, including RCE backdoors, a GitHub API-based trojan (windowsfilters.exe), a keylogger, a USB worm (YoudaoGui.exe), and file theft modules.

  • The Black Basta and Cactus ransomware groups have added the BackConnect malware to maintain persistent control and exfiltrate sensitive data from compromised machines. In a campaign, the attackers gained initial access through social engineering, abusing Microsoft Teams for impersonation and privilege escalation, and manipulating users into granting unauthorized access via Quick Assist and similar remote access software. The BackConnect malware was then used to control the compromised machine persistently. The malware has links to QakBot, a loader malware subject to a takedown effort in 2023. 

New Threats

A fresh face in the cybercrime underworld is juggling a bag of nasty surprises. EncryptHub is hitting users of QQ Talk, WeChat, Google Meet, and more with trojanized apps and slick multi-stage attacks. The Eleven11bot botnet, loosely tied to Iran, has taken over 86,000 IoT devices to slam telecoms and gaming servers with relentless DDoS barrages. Social media’s sunny side has a dark shadow creeping across the Middle East and North Africa. Since September 2024, Desert Dexter has been slinging a tweaked AsyncRAT via legit file-sharing sites and Telegram.

  • EncryptHub is a rising cybercriminal entity that has been observed using multi-stage attack chains, distributing trojanized versions of popular applications, and employing third-party PPI distribution services. It has been targeting QQ Talk, WeChat, DingTalk, VooV Meeting, Google Meet, Microsoft Visual Studio 2022, and Palo Alto Global Protect users. The attackers are also developing a product called EncryptRAT and have been observed incorporating popular vulnerabilities into their campaigns.

  • A new botnet, Eleven11bot, has infected over 86,000 IoT devices, primarily security cameras and network video recorders, to conduct DDoS attacks. The botnet, which is loosely linked to Iran, has already targeted telecommunication service providers and online gaming servers. The Shadowserver Foundation reported that most infected devices are in the U.S., the U.K, Mexico, Canada, and Australia. The botnet's attacks have reached several hundred million packets per second in volume, often lasting for multiple days. The malware spreads by brute-forcing weak admin credentials, leveraging default credentials for specific IoT models, and scanning networks for exposed Telnet and SSH ports. 

  • Positive Technologies uncovered a malicious campaign targeting the Middle East and North Africa since September 2024. The campaign, named Desert Dexter, leverages social media to distribute a modified version of the AsyncRAT malware, which targets cryptocurrency wallets and communicates with a Telegram bot. The attackers host the malware in legitimate online file-sharing accounts or Telegram channels set up for this purpose. Approximately 900 victims have been identified across various countries, with Egypt, Libya, the UAE, Russia, Saudi Arabia, and Turkey being the most targeted. 

  • Socket has discovered a malicious PyPI package called set-utils that steals Ethereum private keys by exploiting common account creation functions. The package is disguised as a simple utility for Python sets and mimics popular libraries, tricking developers into installing it. Since January 29, it has been downloaded over 1,000 times, targeting Ethereum developers and organizations working with Python-based blockchain applications. The package intercepts Ethereum account creation and exfiltrates private keys via the blockchain using a C2 server. 

  • A new malicious campaign has been discovered that uses a sophisticated attack on booking websites to deliver LummaStealer samples via fake CAPTCHAs. This info-stealer operates under a MaaS model and is now focusing on malvertising, using booking websites as a new approach for spreading malware. The campaign affects users worldwide, with observed victims in countries such as the Philippines and Germany. 

  • A new, highly targeted phishing campaign has been discovered, aimed at less than five entities in the UAE, particularly in the aviation and satellite communications sectors. The campaign delivered a previously undocumented Golang backdoor named Sosano. The attackers used a compromised email account from an Indian electronics company, INDIC Electronics, to send phishing messages, leveraging its trusted business relationship with the targets. The emails contained URLs leading to a fake domain, hosting a ZIP archive with an XLS file and two PDF files. The XLS file was a Windows shortcut, and the PDF files were polyglots, capable of being interpreted as two different valid formats. The campaign is suspected to be the work of an Iranian-aligned adversary, possibly affiliated with the IRGC.

  • A new campaign using Njrat has been discovered, exploiting Microsoft's Dev Tunnels service for C2 communication. The campaign identified two Njrat samples using different Dev Tunnel URLs but sharing the same Import Hash. These samples connect to specific C2 servers and send status updates about their capabilities. Notably, this version of Njrat can spread through USB devices if certain settings are activated.

Discover Related Resources