Cyware Weekly Threat Intelligence, March 31–April 04, 2025
The Good
The EU is putting serious weight behind its digital ambitions. A €1.3 billion investment will fund cybersecurity and AI initiatives across the bloc from 2025 to 2027. Projects include the rollout of the EU Digital Identity Wallet, AI development hubs, and efforts to harden critical infrastructure. Canada’s privacy watchdog is giving organizations a way to think before they panic. A new online tool helps assess the risk of significant harm after a data breach, guiding users through questions about the sensitivity of exposed data and its potential misuse.
The EU announced a €1.3 billion ($1.4 billion) investment to fund cybersecurity and AI projects from 2025 to 2027 as part of the Digital Europe Programme (DIGITAL). The funding will support initiatives such as enhancing the cyber resilience of critical systems, deploying the EU Digital Identity Wallet, developing AI Factories, supporting European Digital Innovation Hubs (EDIHs), building the Destination Earth initiative, improving digital skills in education, and creating interoperable digital public services. The Strategic Technologies for Europe Platform (STEP) will introduce the STEP Seal, a quality label for promising projects.
The DOJ seized over $8.2 million in USDT cryptocurrency that was stolen through 'romance baiting' scams, also known as 'pig butchering'. The FBI, with the help of blockchain intelligence platform TRM Labs, traced the funds and filed for their seizure under wire fraud and money laundering charges. The seized assets will be used for restitution to known victims and others yet to be identified. The scam operation is believed to be linked to human trafficking syndicates in Cambodia and Myanmar. The worst individual loss was around $663,352.
The Privacy Commissioner of Canada, Philippe Dufresne, has introduced an online tool to aid businesses and federal institutions in assessing the risk of significant harm to individuals following a privacy breach. This tool, a web-based application, guides users through a series of questions to evaluate the sensitivity of the compromised personal information and the likelihood of its misuse. The tool helps organizations conduct a risk assessment post-breach and decide on necessary actions, including notifying affected individuals. Organizations under Canada's federal private-sector privacy law, PIPEDA, and federal government institutions, must report breaches posing a real risk of significant harm to the Office of the Privacy Commissioner of Canada and notify affected individuals.
The Bad
A fake research invite is the front for something far more invasive. Operation HollowQuill is targeting Russian academic and defense networks with booby-trapped PDFs that deploy Cobalt Strike. The Bybit breach didn’t end with the heist - it opened the floodgates. In the weeks following the crypto theft, nearly 600 phishing domains emerged, many impersonating the exchange or posing as refund services. Phishing lures dressed as tax documents are making the rounds again but this time with sharper teeth. Microsoft warns that campaigns tied to the RaccoonO365 platform are using QR codes, URL shorteners, and cloud services to deliver malware.
A sophisticated cyber-espionage campaign named Operation HollowQuill has been discovered by SEQRITE Labs. It targets academic, governmental, and defense-related networks in Russia, particularly the Baltic State Technical University (BSTU “VOENMEKH”), using malicious PDFs to deliver Cobalt Strike payload. The attack begins with a malicious RAR archive containing a .NET-based malware dropper disguised as research invitations. This archive includes a legitimate OneDrive executable, a Golang-based shellcode loader, and a decoy PDF. The final stage involves deploying a Cobalt Strike beacon that connects to a C2 server.
In the wake of the Bybit heist, a significant number of phishing campaigns surfaced, aiming to steal cryptocurrency from its users. Researchers identified 596 dubious domains from at least 13 countries within three weeks of the largest crypto theft in history. Some of these domains impersonated the cryptocurrency exchange itself, employing typosquatting techniques and incorporating keywords like "refund," "wallet," "information," "check," and "recovery." The U.K registered the highest number of confirmed malicious domains. Many phishing websites posed as recovery services for customers who may have lost funds in the heist. The ultimate objective was to deceive victims into revealing their Bybit/crypto passwords.
Microsoft has warned of multiple phishing campaigns that use tax-related themes to distribute malware and steal credentials. These campaigns employ redirection methods such as URL shorteners and QR codes in malicious attachments, and abuse legitimate services to evade detection. The phishing pages are delivered via a PhaaS platform known as RaccoonO365. The campaigns spread Remcos RAT, along with other malware and post-exploitation frameworks such as Latrodectus, AHKBot, GuLoader, and BruteRatel C4 (BRc4). One campaign spotted in February 2025 targeted the U.S. ahead of the tax filing season, sending hundreds of emails in an attempt to deliver BRc4 and Latrodectus.
CERT-UA reported three cyberattacks against state administration bodies and critical infrastructure facilities in Ukraine. The attacks aimed to steal sensitive data using compromised email accounts to send phishing messages with links to legitimate services like DropMeFiles and Google Drive. The links led to the download of a VBS loader, named WRECKSTEEL, which harvested files and captured screenshots. The activity, attributed to threat cluster UAC-0219, has been ongoing since at least fall 2024.
The scam involves a spoofed email that appears to be from Spotify, informing users of a payment failure and urging them to update their account information. The email, while appearing legitimate, has several red flags, such as a mismatched 'Return-Path' field and a suspicious URL embedded in the "Update Data" button. Upon clicking the link, users are redirected to a Linktree page, which then leads to a phishing landing page designed to mimic Spotify's login page. Any credentials entered are sent to a PHP C2 managed by the threat actors. After entering their credentials, users are prompted to update their credit card information, which is also sent to the malicious C2. Finally, users are asked for their "password issued by the bank," potentially giving the attackers access to their financial accounts.
Socket spotted a malicious Python package named "disgrasya" on PyPI. This package contains an automated carding script targeting WooCommerce stores using CyberSource as their payment gateway. Unlike typical supply chain attacks, disgrasya made no attempt to appear legitimate. The script simulates real transactions to test stolen credit card numbers, making it hard to detect. It has been downloaded over 34,000 times.
On November 29, 2024, a malware attack was discovered where threat actors impersonated a recruitment email from the developer community, Dev[.]to. The attack involved a BitBucket link containing a project with malicious code. The project included BeaverTail malware disguised as "tailwind.config.js" and a downloader malware named car.dll. BeaverTail was found to be distributed primarily through phishing attacks disguised as job offers. The "car.dll" downloader shares similarities with the LightlessCan malware of the Lazarus group. The Tropidoor malware operates in memory through the downloader and connects to 4 C&C server addresses.
Researchers discovered a malicious campaign targeting the First Ukrainian International Bank using the Emmenhtal Loader, also known as Peaklight, which has been active since early 2024. The campaign uses a 7-Zip archive file delivered via email, which contains a bait PDF file and a PDF shortcut that downloads a file from a remote server. The downloaded file exploits the Target field to execute Mshta via PowerShell, which in turn downloads and executes a binary sample with malicious HTA script from a remote file server. The Emmenhtal Loader is then used to deploy SmokeLoader, a modular malware that can download and execute additional malware, steal credentials, execute remote commands, evade detection, and use anti-analysis and anti-debugging techniques. The use of the Emmenhtal Loader in this campaign is part of an ongoing trend in malware development that leverages LOLBAS techniques, and it allows threat actors to deploy secondary payloads while using advanced evasion techniques.
New Threats
Cloudflare branding, Telegram tracking, and malware in disguise - this phishing campaign checks all the boxes. Hosted on legitimate Cloudflare platforms, fake DMCA takedown pages lure victims into downloading PDFs rigged to launch malware. Credit card skimming has moved beyond compromised websites. RolandSkimmer is targeting Windows users in Bulgaria through malicious browser extensions on Chrome, Edge, and Firefox. Microsoft Teams is being turned against the workplace. In a new campaign, attackers are sending phishing messages through Teams chats to deliver PowerShell-based malware.
A new, sophisticated phishing campaign misuses Cloudflare services and Telegram for malicious purposes. The attacks use Cloudflare-branded phishing pages and advanced tactics to evade detection. The phishing pages, hosted on Cloudflare’s Pages[.]dev and Workers[.]dev platforms, impersonate DMCA takedown notices and trick victims into downloading malicious files disguised as PDFs. The attackers exploit the "search-ms" protocol to initiate a malware infection chain. The malware establishes persistence and communicates with Pyramid C2 servers. A significant evolution in this campaign is the integration of Telegram for victim tracking.
A sophisticated cyber threat called RolandSkimmer has been targeting Microsoft Windows users, particularly in Bulgaria. This threat is a form of web-based credit card skimming that uses malicious browser extensions on Chrome, Edge, and Firefox to collect sensitive financial data from affected users. The attack is initiated through a deceptive LNK file, which executes obfuscated scripts to establish covert and persistent access to the victim's system. The malware then systematically harvests and exfiltrates sensitive data, often without detection.
A new malware campaign targets Microsoft Teams users to gain access to corporate systems. The attack begins with a phishing message sent via Microsoft Teams, tricking users into clicking on malicious links or running embedded scripts. The attackers then use PowerShell scripts to bypass traditional defenses and deliver malware capable of stealing credentials and establishing persistent backdoors. The attack unfolds in several stages, including initial delivery via Teams message, abuse of remote assistance tools, DLL sideloading to evade detection, and establishing C2 through a Node.js-based backdoor.
The Gootloader malware has re-emerged with a new campaign that combines traditional social engineering tactics with modern ad-based delivery methods. The operators are now using Google Ads to target individuals searching for legal document templates. The attack chain begins with a Google search, where a sponsored ad from a seemingly legitimate legal document provider, lawliner[.]com, appears among the top results. Upon clicking, users are prompted to enter their email address to access the document. They then receive an email containing a link to download a ZIP archive with a JavaScript file. When executed, this file performs classic Gootloader behavior, creating a scheduled task, dropping another .js file, and launching PowerShell scripts that attempt to reach out to a series of compromised WordPress blogs.
Researchers identified a new version of KoiLoader, used for C&C and deploying Koi Stealer, an information stealer. The attack initiates with a phishing email containing a ZIP attachment, which holds a deceptive .lnk file. Upon clicking, it triggers a hidden PowerShell command that downloads two malicious JScript files. These scripts establish scheduled tasks, create an illusion of system-trusted processes, and download further payloads. The second script acts as the infection's engine room, retrieving system info, creating a unique file path for persistence, and downloading two PowerShell scripts. The first script disables AMSI, and the second loads the KoiLoader binary into memory. Finally, KoiLoader downloads and executes the KoiStealer malware, which is designed to extract saved passwords, system credentials, session cookies, and browser and application data. KoiLoader uses a custom HTTP-based C2 protocol and offers various command options.