Cyware Weekly Threat Intelligence, March 24–28, 2025
The Good
The U.K’s NCSC is putting domain abuse in its crosshairs. New guidance targets registrars with a push to curb malicious domain registrations and hijacks. The recommendations focus on tightening security at registration, offering enhanced protections to customers, and more. Europe is getting serious about the quantum future. ETSI has rolled out a new quantum-safe encryption standard featuring Covercrypt, a novel key encapsulation scheme with built-in access controls. By tying decryption permissions to user attributes, Covercrypt delivers speed and post-quantum security.
The NCSC-U.K issued new guidance to minimize malicious domain registrations and domain hijacking. This guidance is primarily for two types of domain registrars: those who sell wholesale at scale in an automated manner, and brand protection/domain investor businesses that maintain private lists of domains. The NCSC has made four recommendations: implementing security controls at customer registration, enhancing security controls at domain registration, offering stronger security features for customers, and using abuse detection tools, sharing threat data, and vulnerability notification mechanisms.
The European Telecommunications Standards Institute (ETSI) has released new quantum-safe encryption standards, introducing a key encapsulation mechanism with access control (KEMAC) scheme called Covercrypt. This system allows data encryption based on user attributes, ensuring only authorized users can decrypt the data. Covercrypt is efficient, taking only hundreds of microseconds to encapsulate and decapsulate session keys, and is designed to protect against current and future quantum-based threats.
In an international operation called Operation Red Card, authorities in seven African countries arrested 306 suspects and seized 1,842 devices to disrupt and dismantle cross-border cybercrime networks. The operation targeted mobile banking, investment, and messaging app scams, uncovering cases involving over 5,000 victims. Nigerian police arrested 130 individuals for cyber-enabled scams, while South African authorities apprehended 40 people for a SIM box fraud scheme. In Zambia, 14 suspected members of a criminal syndicate were arrested for hacking into victims' phones. Rwandan authorities detained 45 people for social engineering scams that defrauded victims of over USD 305,000.
The Bad
Medusa isn’t just encrypting files, it’s dismantling defenses first. The RaaS has been leveraging a malicious driver called ABYSSWORKER in BYOVD attacks to disable endpoint protections. FamousSparrow has returned with new tools and a familiar agenda. The Chinese APT group was behind a July 2024 attack targeting a U.S. trade group and a Mexican research institute, deploying a web shell on an IIS server to drop SparrowDoor and ShadowPad. A supply chain attack snuck through npm by modifying what developers thought they could trust. Threat actors used two packages to inject malware into the widely used ethers library.
The Medusa RaaS operation has been using a malicious driver, ABYSSWORKER, to disable anti-malware tools in a BYOVD attack. The ransomware is delivered through a loader packed using a packer-as-a-service called HeartCrypt. The ABYSSWORKER driver, signed with likely stolen, revoked certificates from Chinese companies, mimics a legitimate CrowdStrike Falcon driver. The malware's signed status allows it to bypass security systems. Once launched, ABYSSWORKER can add the process ID to a list of global protected processes and perform various operations, including file manipulation, process and driver termination, and disabling EDR systems.
The Chinese threat actor, FamousSparrow, has been associated with a cyberattack in July 2024 targeting a trade group in the U.S. and a research institute in Mexico. The attack involved the deployment of a web shell on an IIS server, leading to the installation of the SparrowDoor backdoor and ShadowPad malware. The group has also deployed two new versions of SparrowDoor, one of which is modular and supports nine different modules for various malicious activities.
A sophisticated malware campaign targeted the npm repository. It involved two main packages, ethers-provider2 and ethers-providerz, which were designed to deliver malware by patching a legitimate npm package, ethers, with malicious code. The malware operated in three stages: the first stage involved the installation of the malicious package, the second stage checked for the presence of the ethers package and replaced one of its files with a malicious version, and the third stage established a reverse shell connection to the threat actor's server. This approach allowed the malware to maintain persistence even if the initial malicious package was removed.
Threat actors are using a cybercrime tool called Atlantis AIO Multi-Checker to carry out credential stuffing attacks. This tool enables attackers to test millions of stolen credentials rapidly, posing a significant threat to various online platforms and services. Atlantis AIO offers pre-configured modules to target a range of platforms and cloud-based services, leading to fraud, data theft, and account takeovers. The tool can also conduct brute-force attacks and automate account recovery processes.
The CISA has added two security flaws impacting Sitecore CMS and Experience Platform (XP) to its KEV catalog due to evidence of active exploitation. The vulnerabilities, CVE-2019-9874 and CVE-2019-9875, are deserialization flaws in the Sitecore.Security.AntiCSRF module, which allow unauthenticated and authenticated attackers, respectively, to execute arbitrary code. Federal agencies must apply patches by April 16.
A GitHub repository, named FizzBuzz is being used to distribute an info-stealer disguised as a recruitment challenge, especially targeting Polish-speaking developers. The repository contains an ISO file that holds a JavaScript exercise and a malicious LNK shortcut. When the LNK file is executed, it runs a PowerShell script that installs a backdoor called FogDoor, which is designed for data theft, remote command execution, and persistence while avoiding detection. The malware communicates with a social media platform via a Dead Drop Resolver (DDR) technique to retrieve attack commands and uses geofencing to restrict execution to Polish victims. The malware systematically steals browser cookies, Wi-Fi credentials, and system data, staging them for exfiltration before deleting traces. The malware also uses remote debugging to extract Chrome cookies and harvest Firefox credentials from profile directories.
New Threats
Lucid isn’t just phishing - it’s engineering trust through your inbox. This advanced PhaaS platform weaponizes the built-in features of iMessage and RCS to create hyper-realistic scams. Known for years of corporate espionage, RedCurl has shifted gears with a new ransomware called QWCrypt. The malware was found in a North American network, targeting hypervisors for maximum disruption. PlayBoy Locker is offering ransomware with a user manual and tech support. The newly investigated RaaS platform operates on an affiliate model and comes packed with features. Targeting Windows, NAS, and ESXi systems, it moves laterally using LDAP scans and abuses Restart Manager DLLs to shut down active processes before encryption.
Lucid is a sophisticated Phishing-as-a-Service (PhaaS) platform developed by Chinese malware developers. Lucid exploits the advanced features of mobile messaging protocols like iMessage and Rich Communication Services (RCS) to bypass security measures and carry out effective phishing campaigns. The platform impersonates various organizations across the globe, luring victims into providing their credit card information through legitimate-looking landing pages. Lucid campaigns have a high success rate of approximately 5%, targeting individuals and organizations on six continents. Lucid takes advantage of end-to-end encryption in iMessage and RCS to avoid detection and constantly rotates phone numbers and domains to evade spam filters. The group behind Lucid, "XinXin" or "Black Technology," claims to harvest over 100,000 credit card numbers per day.
Bitdefender discovered a new ransomware named QWCrypt used by a long-running, stealthy hacking group known as RedCurl. This group, previously known for corporate espionage and data exfiltration, has now diversified into targeted ransomware attacks. The ransomware was found on an unnamed North American customer's system in mid-February. The new attack strategy involves the use of ransomware, with the group targeting hypervisors to inflict maximum damage with minimum effort. The attackers appear to have a deep understanding of the network before the attack, with the ransom note threatening to dump stolen data to a darkweb data-leak site.
Cybereason investigated PlayBoy Locker, a new Ransomware-as-a-Service (RaaS). PlayBoy Locker offers frequent updates, anti-detection features, and customer support for affiliates. The group has been active since September 2024 and operates on an affiliate model. It supports Windows, NAS, and ESXi systems. PlayBoy Locker performs LDAP scans to search for available machines in the network and then tries to copy the ransomware executable to the remote device. It exploits the Restart Manager DLL in a malicious way and stops services and processes to unlock and safely close open files before encrypting them. The list of targeted services and processes includes Telegram, Skype, Firefox, Chrome, and Oracle, among others.
The creators of the macOS malware loader, ReaderUpdate, have developed new versions using Crystal, Nim, Rust, and Go programming languages. The malware is distributed through free and third-party software download sites, targeting the x86 Intel architecture. The Go variant collects system hardware information upon execution, which is used to create a unique identifier and sent to the C2 server. The threat can also parse and execute responses from the server, suggesting it could execute any commands sent by its operator. Although ReaderUpdate infections have only been linked to adware, the loader could potentially deliver more malicious payloads. SentinelOne has identified nine samples of the Go variant, which is less common than the Nim, Crystal, and Rust variants.
A new phishing campaign using complex browser-in-the-browser attacks has been targeting the Steam Gaming Platform and Counter-Strike 2 players while abusing the brand of the pro eSports team Navi. The campaign employs fake but realistic-looking browser pop-up windows to trick victims into logging into the scams, with the likely intention of reselling the compromised accounts through online marketplaces. The campaign primarily targets English-speaking users, with one Chinese site in Mandarin and some English words.
A new malicious browser extension called Rilide has been discovered. Rilide, first reported in April 2023, targets Chromium-based browsers like Google Chrome and Microsoft Edge, and is designed to steal sensitive information such as screenshots, passwords, and credentials for cryptocurrency wallets. It infiltrates systems through malicious advertisements or phishing pages, often impersonating well-known extensions like Google Drive and Palo Alto. Rilide has been distributed through various campaigns, including PowerPoint Lure, Twitter Lure, and Mixed Campaign. The newer versions of Rilide work with Chrome Extension Manifest V3 and have been adapted to avoid detection. The extension masquerades as a Google Drive utility but interacts with cookies, clipboard data, and system information.
A new threat actor, UAT-5918, has been discovered targeting critical infrastructure entities in Taiwan since 2023. This group aims to establish long-term access for information theft and uses web shells and open-sourced tooling for post-compromise activities. The targeted sectors include IT, telecommunications, academia, and healthcare. UAT-5918 shares similarities with several Chinese hacking crews. The group employs Fast Reverse Proxy and Neo-reGeorge for reverse proxy tunnels and tools like Mimikatz, LaZagne, and BrowserDataLite for credential harvesting. UAT-5918 also uses Chopper web shell, Crowdoor, and SparrowDoor, and engages in systematic data theft.