Cyware Weekly Threat Intelligence, March 17–21, 2025
The Good
The race to outpace quantum threats is officially on. The NCSC has issued guidance to help organizations transition to post-quantum cryptography by 2035, with a focus on NIST-approved algorithms and planned support for critical sectors. A nationwide fraud crackdown ends with hundreds behind bars. Operation Henhouse led to 422 arrests and the seizure of millions in assets, as U.K. police target the country’s most widespread and costly crime - fraud.
The NCSC has released new guidance on transitioning to Post-Quantum Cryptography (PQC) by 2035, to mitigate future security risks posed by quantum computing. The guidance sets specific milestones for organizations, with critical organizations expected to complete the migration by 2035. The NCSC recommends using NIST-approved PQC algorithms, such as ML-KEM, ML-DSA, SLH-DSA, and HQC, for the migration. The NCSC acknowledges challenges in the migration process and plans to launch a pilot scheme to connect U.K organizations with cryptography specialists for assistance.
British law enforcement recently conducted Operation Henhouse, a major crackdown on fraud, resulting in 422 arrests and the seizure of £7.5 million in cash and assets, a 91% increase from the previous year. The operation was coordinated by the National Economic Crime Centre and the City of London Police. Fraud is currently the most common crime in the UK, accounting for 41% of all police reports and costing an estimated £6.8 billion annually. The operation saw several successes, including the return of nearly £1 million to a scam victim and the arrest of individuals involved in multimillion-pound investment and money laundering schemes.
The Bad
A threat actor briefly exposed their entire playbook. Researchers found a public server hosting tools tied to a campaign targeting South Korea, including a Rust-compiled payload delivering Cobalt Strike Cat and a list of over 1,000 potential targets. Phishing messages on Signal are leading to full system compromise. CERT-UA warns of DarkCrystal RAT attacks targeting Ukraine’s defense sector, using fake contacts and malicious files to trick victims into executing spyware. Ransomware slipped into VSCode under the radar. Two malicious extensions were discovered on the VSCode Marketplace, bypassing checks to deliver test-stage ransomware demanding ShibaCoin for decryption.
Hunt researchers discovered a publicly exposed web server containing tools linked to a cyber intrusion campaign targeting South Korean organizations. The server, which was accessible for less than 24 hours, hosted a Rust-compiled Windows executable delivering Cobalt Strike Cat (CS Cat), a modified version of the popular penetration testing tool. The actor also used open-source tools such as SQLMap, Web-SurvivalScan, and dirsearch to identify and exploit vulnerable web applications. The attacker compiled a list of over 1,000 Korean domains associated with government agencies, local municipalities, and private businesses for target selection.
Ukraine's CERT-UA issued a security alert about targeted cyberattacks using the DarkCrystal RAT against defense industry workers and military entities. These attacks, ongoing since March 2025, use the Signal messenger to spread phishing messages containing harmful files. Attackers use social engineering, often sending messages pretending to be from trusted contacts. The harmful files include a bogus “.pdf” and an executable named DarkTortilla, which launches the remote administration tool DarkCrystal RAT (DCRAT) to give attackers remote access to systems.
Two malicious extensions, "ahban.shiba" and "ahban.cychelloworld," were found on the VSCode Marketplace that were capable of deploying ransomware. These extensions were able to bypass Microsoft's safety review processes and remained on the store for an extended period. The ransomware, however, appeared to be in development, only encrypting files in a specific test folder and demanding 1 ShibaCoin for recovery.
WhatsApp reported addressing a zero-click, zero-day vulnerability in December 2024, which allowed remote exploitation without user interaction. This flaw, patched server-side without a client update or CVE-ID, was uncovered after Citizen Lab’s findings on Paragon’s Graphite spyware attacks, though specifics remain undisclosed. The vulnerability enabled attackers to bypass interaction, potentially through a crafted PDF, targeting devices via WhatsApp group chats.
Cisco Smart Licensing Utility (CSLU) instances are being targeted by attackers due to a vulnerability that exposes a built-in backdoor admin account. This Windows application, used for managing licenses and linked products on-premises, had a security flaw (CVE-2024-20439) which Cisco patched in September. This flaw could allow unauthenticated attackers remote access with admin privileges over the CSLU app's API. A second critical vulnerability (CVE-2024-20440) was also addressed, which could let attackers access sensitive data in log files. These vulnerabilities only affect systems running vulnerable CSLU releases and are exploitable only if the CSLU app is started.
Researchers spotted a phishing scam targeting cryptocurrency trading communities on Reddit with links to cracked versions of the TradingView software, laced with Lumma Stealer and AMOS malware. The scam targets both Windows and macOS users. Hosted on a compromised Dubai cleaning company site, the double-zipped, password-protected payload files steal personal data and crypto wallets, with command servers linked to Russia and the Seychelles, exploiting victims and spreading phishing links further.
Cybercriminals are using malicious Microsoft OAuth apps that pretend to be Adobe and DocuSign apps to deliver malware and steal Microsoft 365 account credentials. These apps request access to less sensitive permissions to avoid detection. The phishing campaigns, which are highly targeted, were sent from compromised email accounts and targeted multiple U.S. and European industries. The attacks use RFPs and contract lures to trick recipients into opening links.
New Threats
Fake ads are being weaponized to steal Google credentials. A campaign targeting Semrush users is redirecting victims to spoofed login pages, where attackers harvest Google account logins through a fake “Log in with Google” prompt. A fake browser update could cost you more than a few clicks. A new ClearFake campaign is using fake reCAPTCHA and Turnstile pages to deliver malware like Lumma and Vidar Stealer, with payloads fetched through Binance’s Smart Chain. Hackers are quietly poisoning AI-generated code. A new supply chain attack targets AI editors like Copilot and Cursor, exploiting rules files to inject malicious prompts that trick the tools into writing compromised code.
A new operation has been targeting Semrush as part of a malicious online marketing and advertising campaign. The criminals are using an indirect approach to hack Google advertisers and potentially gain access to Semrush accounts by creating malicious ads that redirect users to fraudulent Semrush login pages. The phishing pages only enable the "Log in with Google" option, forcing victims to authenticate with their Google account credentials, which are then harvested by the threat actors. The malicious ads use unique domain names, which redirect to static domains hosting the fake login pages.
A new ClearFake campaign was found using fake reCAPTCHA and Cloudflare Turnstile verifications to trick users into downloading malware like Lumma Stealer and Vidar Stealer. First observed in July 2023, it employs fake web browser update alerts on compromised WordPress sites for malware distribution. The campaign also relies on another technique called EtherHiding to fetch payloads by utilizing Binance's Smart Chain (BSC) contracts. Both Windows and macOS systems are targeted. Another attack chain infected over 9,300 websites and exposed around 200,000 users to malware lures.
Researchers revealed a new supply chain attack dubbed 'Rules File backdoor' that affects AI code editors like GitHub Copilot and Cursor, allowing hackers to inject malicious code. Hackers can add harmful instructions to configuration files used by these tools, leading to silently compromised AI-generated code. The technique manipulates the AI into producing vulnerable code by embedding malicious prompts and using invisible characters.
Microsoft found a new remote access trojan (RAT) named StilachiRAT that uses advanced methods to avoid detection and extract sensitive information. Although it is not widely spread, Microsoft shared details to help network defenders address this threat. StilachiRAT can steal data from browsers, digital wallets, and the clipboard, and collect system information. It can scan specific cryptocurrency wallets and monitor RDP sessions. The malware maintains persistence by using Windows services and can also block analysis attempts. It allows attackers to execute commands, clear logs, and manipulate systems.
The Black Basta ransomware group has developed an automated brute-forcing framework, named BRUTED, to breach edge networking devices such as firewalls and VPNs. This framework has allowed Black Basta to streamline initial network access and scale up their ransomware attacks on vulnerable internet-exposed endpoints. The ransomware group has been using BRUTED since 2023 to conduct large-scale credential-stuffing and brute-force attacks on edge network devices. The framework is specifically designed to target popular VPN and remote-access products such as SonicWall NetExtender, Palo Alto GlobalProtect, Cisco AnyConnect, Fortinet SSL VPN, Citrix NetScaler, Microsoft RDWeb, and WatchGuard SSL VPN.