Weekly Threat Briefing
Diamond Trail

Cyware Weekly Threat Intelligence, May 05–09, 2025


The Good

Another blow to DDoS-for-hire networks. Europol has shut down six services used to launch global cyberattacks, arresting suspects in Poland and seizing domains in the U.S. The UN has launched a new framework to help policymakers make sense of cyber intrusions. Called UNIDIR Intrusion Path, it complements models like MITRE ATT&CK but simplifies the technical details. It breaks down attacker activity into three layers, making it easier to evaluate threats in a policy context.

  • Europol has successfully dismantled six DDoS-for-hire services used globally for cyberattacks. The operation involved arrests in Poland, seizure of domains in the U.S., and collaboration with Dutch and German authorities as part of Operation PowerOFF. These services, disguised as stress-testing tools, allowed non-technical users to launch DDoS attacks by renting infrastructure. 

  • The UN has introduced the UNIDIR Intrusion Path framework to assess cyber-attacks, complementing existing models like the MITRE ATT&CK framework. The framework simplifies technical language, aiming to help policymakers and non-technical stakeholders better understand malicious IT activities and promote informed cyber diplomacy. It categorizes activities across three network layers: outside the perimeter (external systems like the dark web), on the perimeter (boundary systems like firewalls), and inside the perimeter (internal networks with sensitive data).

  • Security researchers released GPOHound, an open-source tool for analyzing Active Directory Group Policy Objects (GPOs) to identify misconfigurations and privilege escalation risks. GPOHound automates detecting insecure settings, such as exposed credentials, weak permissions, and unauthorized group memberships, providing actionable insights for security teams. Key features include privileged group analysis, registry and protocol checks, privilege rights escalation detection, and integration with BloodHound for enhanced attack path visualization.

  • The PIVOTT Act (Providing Individuals Various Opportunities for Technical Training to Build a Skills-Based Cyber Workforce Act of 2025) was reintroduced to address the cybersecurity workforce gap, offering scholarships for two-year degrees in exchange for government service. The Act targets entry-level talent and career changers, aiming to prepare professionals for government service, including roles requiring high security clearance.

The Bad

Old routers are becoming cybercrime goldmines. The FBI has warned that end-of-life routers are being hijacked with malware like TheMoon and sold on proxy networks such as 5Socks and Anyproxy. These compromised devices are used for crypto theft, cybercrime-as-a-service, and even espionage. Crypto users on Discord are the latest targets of a phishing campaign tied to Inferno Drainer. Attackers were found impersonating the Collab.Land bot to trick users into signing malicious transactions. The Play ransomware group has joined the list of actors exploiting CVE-2025-29824. This Windows zero-day in the CLFS driver enables privilege escalation via a race condition during file operations. Linked to the Balloonfly group, the attacks targeted a U.S. organization and included deployment of the Grixba infostealer. 

  • The FBI warned that cybercriminals are exploiting End-of-Life (EoL) routers to deploy malware and convert them into proxies for malicious activities. These compromised routers are sold on networks like 5Socks and Anyproxy, enabling illegal actions such as cryptocurrency theft and cybercrime-for-hire. Chinese state-sponsored actors have also used these vulnerabilities for espionage, including targeting U.S. infrastructure. The agency also confirmed that the routers are compromised with a strain of TheMoon malware.

  • The npm package rand-user-agent was compromised in a supply chain attack, injecting a RAT into versions 1.0.110, 2.0.83, and 2.0.84, which averaged 45,000 weekly downloads. The malicious code created hidden directories, modified module paths, and connected to an attacker-controlled server. The attack exploited an outdated automation token without two-factor authentication, allowing unauthorized releases. The legitimate version (2.0.82) remains safe, and the malicious versions have been removed from the npm repository.

  • Check Point Research uncovered a phishing campaign using Discord to target crypto users, redirecting them from legitimate sites to phishing pages linked to Inferno Drainer. It operates as a drainer-as-a-service, creating malicious scripts and infrastructure for other cybercriminals to use. The phishing campaign impersonates the Collab.Land bot on Discord, tricking users into signing malicious transactions. Inferno Drainer uses advanced techniques such as single-use smart contracts, encrypted configurations, and proxy communication to bypass wallet security and blacklists. Over 30,000 wallets have been compromised in the last six months, causing losses exceeding $9 million.

  • Play ransomware was observed exploiting a Windows zero-day vulnerability (CVE-2025-29824) in the CLFS driver, enabling privilege escalation. The attacks, linked to the cybercrime group Balloonfly, targeted a U.S. organization, deploying the Grixba infostealer and persistence mechanisms. The exploit manipulated the CLFS driver by exploiting a race condition during file handle operations, leading to kernel memory modification and privilege escalation. Multiple actors, including the Storm-2460 group, also exploited this vulnerability, with some attacks involving the PipeMagic malware.

  • A coordinated supply chain attack compromised 21 popular eCommerce applications, with backdoors injected into software from vendors like Tigren, Meetanshi, and Magesolution (MGS). The malware lay dormant for six years and became active recently, affecting 500-1000 stores, including a $40 billion multinational. The backdoor exploits a fake license check in files like License.php or LicenseApi.php, allowing attackers to execute malicious code. Earlier versions required no authentication, while later ones used secret keys. Each backdoor is unique per vendor, varying in authorization checksum, backdoor path, and license filename.

  • Chinese hacking group Chaya_004 is exploiting the critical SAP NetWeaver vulnerability CVE-2025-31324 that allows remote code execution via the ‘/developmentserver/metadatauploader’ endpoint. This flaw has affected hundreds of SAP systems globally across various sectors since its exploitation began in early 2025. The group has deployed a Golang-based reverse shell called SuperShell and is using various tools hosted on Chinese cloud services, indicating a likely origin in China. Malicious infrastructure includes IP addresses, servers, and tools such as NPS, SuperShell, SoftEther VPN, NHAS, Cobalt Strike, and others, indicating a coordinated campaign.

  • Malicious npm packages (sw-cur, sw-cur1, aiide-cur) have been discovered targeting macOS users of the Cursor IDE, stealing credentials and embedding backdoors. These packages disguise themselves as developer tools offering cheaper API access, exploiting developers' trust in their IDEs. Upon execution, they modify critical files, disable auto-updates, and maintain persistent access by executing attacker-controlled code. The packages have been downloaded over 3,200 times and are linked to threat actors using npm aliases gtr2018 and aiide.

  • Cisco Talos identified a spam campaign in Brazil that abuses RMM tools, leveraging the Brazilian electronic invoice system (NF-e) as a lure. Threat actors exploit free trial periods of RMM tools (e.g., N-able and PDQ Connect) to distribute malicious agents, gaining full control over victims' machines. Victims include C-level executives and financial or human resources accounts across industries such as education and government. The campaign utilizes Dropbox-hosted malicious files disguised as financial documents to trick users into downloading RMM tools.
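As an added example (not from the briefing or from any vendor tool it mentions), a small Python audit that scans an npm lockfile for the compromised rand-user-agent versions named above and for the three Cursor-targeting packages (sw-cur, sw-cur1, aiide-cur), which are treated as malicious in every version; the lockfile contents below are constructed for illustration.

```python
import json

# Indicator table built from the briefing: exact malicious versions of
# rand-user-agent, and packages that are malicious regardless of version.
COMPROMISED = {
    "rand-user-agent": {"1.0.110", "2.0.83", "2.0.84"},
    "sw-cur": None,    # None = every published version is malicious
    "sw-cur1": None,
    "aiide-cur": None,
}

# Constructed sample lockfile (npm lockfileVersion 3 layout), not a real project.
SAMPLE_LOCK = {
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/rand-user-agent": {"version": "2.0.83"},
        "node_modules/express": {"version": "4.19.2"},
        "node_modules/some-tool/node_modules/rand-user-agent": {"version": "2.0.82"},
        "node_modules/sw-cur": {"version": "1.0.3"},
    },
}

def _pkg_name(lock_path: str) -> str:
    # "node_modules/a/node_modules/b" -> "b" (nested installs keep the last segment)
    return lock_path.rsplit("node_modules/", 1)[-1]

def iter_lock_entries(lock: dict):
    """Yield (name, version) from v2/v3 'packages' or, failing that, v1 'dependencies'."""
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if path:  # skip the "" root project entry
                yield _pkg_name(path), meta.get("version")
        return
    def walk(deps):
        for name, meta in deps.items():
            yield name, meta.get("version")
            yield from walk(meta.get("dependencies", {}))
    yield from walk(lock.get("dependencies", {}))

def find_compromised(lock: dict) -> list:
    """Return sorted, de-duplicated (name, version) pairs that match the indicator table."""
    hits = set()
    for name, version in iter_lock_entries(lock):
        if name in COMPROMISED:
            bad = COMPROMISED[name]
            if bad is None or version in bad:
                hits.add((name, version))
    return sorted(hits)

if __name__ == "__main__":
    print(json.dumps(find_compromised(SAMPLE_LOCK)))
```

For a real project, load `package-lock.json` with `json.load` and pass the result to `find_compromised`; a non-empty list means a pinned dependency matches one of the briefing's indicators and the tree should be reinstalled from a clean version.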

New Threats

COLDRIVER’s latest malware, LOSTKEYS, is now in play. The Russian state-backed group is deploying this tool to steal files and system data from advisors, journalists, NGOs, and individuals linked to Ukraine. Agenda’s playbook just got upgraded. The ransomware group has added two new tools: SmokeLoader and a stealthy .NET-based loader called NETXLOADER. The latter leverages techniques like JIT hooking and AES decryption to deploy ransomware. Corporate HR teams are the latest target in a spear-phishing spree by Venom Spider. Disguised as job applications, these emails deliver the More_eggs backdoor, now upgraded with advanced features.

  • Russian hackers linked to the COLDRIVER group are deploying a new malware called LOSTKEYS, targeting advisors, journalists, and NGOs, particularly those connected to Ukraine. LOSTKEYS is designed to steal files, system information, and running processes, marking an evolution in COLDRIVER's toolset. The group is also known for credential phishing and hack-and-leak campaigns. The malware is delivered through a multi-stage infection chain starting with a fake CAPTCHA page, known as ClickFix, that socially engineers users into executing PowerShell commands.

  • The Agenda ransomware group has incorporated SmokeLoader malware and a new loader, NETXLOADER, into its arsenal. NETXLOADER is a highly obfuscated .NET-based loader that deploys additional malware payloads, including Agenda ransomware and SmokeLoader, through advanced techniques like JIT hooking and AES decryption. SmokeLoader incorporates anti-analysis methods and injects payloads into processes like explorer.exe. Agenda ransomware is delivered using reflective DLL loading, allowing it to execute in memory without being written to disk.

  • Mamona is a newly identified commodity ransomware strain that operates entirely offline, with no C2 communication or data exfiltration. The ransomware encrypts files locally using custom cryptographic routines, without relying on standard libraries like Windows CryptoAPI or OpenSSL. Mamona lacks network activity, making it harder to detect using traditional network-based defenses. Its encryption key is generated locally or hardcoded. A decryption tool for Mamona is available, despite its outdated interface, and successfully restores encrypted files.

  • Windows Deployment Services (WDS) in Microsoft’s enterprise IT infrastructure is vulnerable to a newly discovered pre-authentication DoS flaw. This 0-click UDP vulnerability allows attackers to crash systems remotely by exhausting memory through spoofed UDP packets on port 69. The exploit creates endless session objects without limits, leading to server memory exhaustion and system failure. Researchers demonstrated that a Windows Server with 8 GB of RAM could crash within minutes of an attack.

  • The CoGUI phishing kit is actively targeting Japanese organizations, impersonating well-known consumer and finance brands to steal credentials and payment data. CoGUI employs advanced evasion techniques like geofencing, browser fingerprinting, and header fencing to avoid detection, selectively targeting specific regions. High-volume campaigns have been observed, with the majority targeting Japan, and impersonating brands like Amazon, Rakuten, PayPay, and financial institutions. Campaigns often use urgency-based lures and URLs leading to credential phishing pages, stealing usernames, passwords, and payment information.

  • Arctic Wolf Labs has identified a new campaign by the financially motivated threat group Venom Spider targeting corporate HR departments via spear-phishing emails. The campaign uses fake resumes to deliver a backdoor malware called More_eggs, which has been enhanced with new features for evasion and effectiveness. The malware uses advanced techniques like server-side polymorphism, code obfuscation, and encrypted payloads to evade detection and analysis. The More_eggs_Dropper library generates polymorphic JavaScript payloads and uses time-delayed execution to avoid sandboxing.
