Weekly Threat Briefing
Diamond Trail

Cyware Weekly Threat Intelligence, May 19–23, 2025


The Good

Operation Endgame just dealt a major blow to the ransomware supply chain. Europol led the charge in dismantling malware infrastructure tied to multiple malware families, seizing 300 servers, 650 domains, and millions in cryptocurrency. Japan has officially gone on the cyber offense. The new Active Cyberdefense Law allows preemptive strikes against foreign cyber threats. It enables traffic analysis and takedowns of hostile servers.

  • A major Europol-coordinated operation, part of Operation Endgame, dismantled initial access malware used in ransomware attacks, targeting strains like Bumblebee, DanaBot, QakBot, and TrickBot. Authorities seized 300 servers, 650 domains, and €3.5 million ($3.9 million) in cryptocurrency, issuing international arrest warrants for 20 individuals involved in ransomware operations. U.S. authorities issued federal indictments against individuals linked to QakBot and DanaBot malware, including 16 Russians and a lead developer from Moscow. 

  • Microsoft, alongside global law enforcement and cybersecurity partners, has dismantled the Lumma Stealer network, responsible for widespread credential theft, financial fraud, and ransomware attacks. Over 2,300 domains linked to nearly 400,000 infections were seized, disrupting the malware's operations. Legal actions included redirecting malicious domains to Microsoft-controlled servers for intelligence gathering.

  • Japan has enacted the Active Cyberdefense Law, allowing offensive cyber operations to counter threats preemptively, marking a departure from its pacifist stance. The law enables law enforcement to neutralize hostile servers and empowers the Self-Defence Forces to manage sophisticated cyber incidents. It permits the analysis of foreign internet traffic while protecting domestic communications, raising privacy concerns. An independent oversight panel will authorize data collection and offensive actions. This legislation responds to increasing cyber threats, including high-profile breaches by Chinese hackers and significant financial cybercrimes totaling $2 billion in unauthorized trades.

  • The Netherlands has updated its espionage law, introducing stricter penalties for cyber-related offenses, with sentences up to 12 years for severe cases. The law broadens punishable actions to include leaking sensitive non-classified information, diaspora espionage, and political manipulation. It also addresses indirect foreign influence through bribery and psychological pressure. Key sectors like telecommunications and biotechnology are prioritized for protection against cyber threats. Additionally, the law allows prosecution for foreign monitoring of diaspora communities and emphasizes the importance of safeguarding sensitive data, including trade secrets and political insights.

The Bad

Think twice before clicking on that Ledger update. A new macOS malware campaign is deploying fake versions of the Ledger Live app to steal cryptocurrency seed phrases. A Turkish phishing lure leads straight to SnakeKeylogger. Fake AI tools are the new phishing lures, and they’re convincing. Cybercriminals cloned Kling AI’s brand through Facebook ads and spoofed websites to trick users into downloading malware. The DBatLoader (aka ModiLoader) malware is making the rounds again - this time disguised as a Turkish bank email.

  • Hackers are using fake Ledger apps to target macOS users, aiming to steal seed phrases that secure access to cryptocurrency wallets. The malware impersonates the legitimate Ledger app and tricks users into entering their seed phrases on phishing pages. The campaign has evolved since August 2024, with the latest malware, Odyssey, replacing the Ledger Live app on victims' devices. It includes a phishing page that prompts users to enter their 24-word seed phrase after a fake error message. The malware can also steal macOS usernames and exfiltrate data to a C2 server. Copycat attacks have emerged, including the AMOS stealer, which uses a DMG file to bypass security and install a trojanized Ledger Live clone.

  • Datadog identified three malicious VS Code extensions targeting Solidity developers: solaibot, among-eth, and blankebesxstnion. These extensions disguise themselves as legitimate tools while concealing harmful code. The extensions deliver multi-stage, obfuscated malware, including payloads hidden inside image files hosted online, to exfiltrate data and establish persistence on Windows systems. The malware campaign is attributed to a single threat actor, MUT-9332, who previously distributed a Monero cryptominer via backdoored VS Code extensions. The malicious extensions were downloaded fewer than 50 times before being removed from the VS Code Marketplace, and metadata suggests they impersonated legitimate publishers. The browser extension in extension.zip exfiltrates Ethereum wallet credentials by injecting scripts into Chromium-based browsers.

  • Sophisticated formjacking malware has been discovered targeting WooCommerce checkout pages on WordPress sites. The malware injects fake payment forms to steal sensitive customer data, including credit card details. The malware uses browser localStorage to store stolen data persistently across sessions, ensuring resilience and anti-forensic capabilities. The infection likely originated from a compromised WordPress admin account, with malicious JavaScript injected via a plugin like Simple Custom CSS and JS.

  • Cybercriminals impersonated Kling AI, a popular AI media generation platform, through fake Facebook ads and websites to distribute malware. The malicious campaign uses filename masquerading, where files appear as media files but are actually executables. The malware employs .NET Native AOT compilation to complicate analysis and evade traditional detection methods. The infection chain begins with social media malvertising, directing users to spoofed Kling AI websites. The fake websites prompt users to upload images or generate media, delivering disguised executables in zip archives. The second-stage payload, PureHVNC RAT, includes extensive stealing capabilities targeting browser extensions and cryptocurrency wallets. Vietnamese threat actors are suspected due to references in the code and other indicators like language and phone numbers.

  • A campaign has been discovered involving over 100 malicious Chrome extensions that impersonate legitimate tools like VPNs and YouTube to steal browser cookies and execute remote scripts. These extensions, promoted through fake domains, request risky permissions to hijack accounts and modify network traffic. Despite Google's removal of many extensions, some remain accessible, posing significant threats to users. The malicious extensions can retrieve and send cookies to remote servers, enabling attackers to breach corporate networks and access sensitive information.

  • Threat actors have distributed a trojanized version of the KeePass password manager, called KeeLoader, to install Cobalt Strike beacons, steal credentials, and deploy ransomware. The malicious KeePass installer was promoted via Bing advertisements and fake software sites, utilizing modified open-source code. KeeLoader includes functionality to export KeePass database data (including credentials) in cleartext, which is then stolen. Cobalt Strike watermarks in this campaign are linked to an Initial Access Broker associated with Black Basta ransomware attacks. The activity is attributed to UNC4696, a threat actor group previously linked to Nitrogen Loader campaigns and BlackCat/ALPHV ransomware.

  • Cybersecurity researchers have identified a phishing campaign using the W3LL phishing kit, targeting Microsoft 365 Outlook credentials through AitM techniques that bypass multi-factor authentication. The kit operates as a PhaaS tool, allowing attackers to create tailored campaigns using deceptive webpages, such as cloned Adobe login pages. Stolen credentials are sent to a remote PHP script on teffcopipe[.]com. The kit employs obfuscated PHP files and utilizes valid Let’s Encrypt certificates to enhance its legitimacy.

  • The DBatLoader (ModiLoader) malware is being distributed via phishing emails impersonating a Turkish bank, prompting users to open malicious attachments containing BAT files. DBatLoader executes SnakeKeylogger, a .NET-based malware that exfiltrates data through emails, FTP, SMTP, or Telegram. The malware uses obfuscated and decrypted BAT scripts, DLL side-loading, and disguised file names to evade detection and execute malicious activities. It manipulates legitimate processes (e.g., easinvoker.exe, powershell.exe) and tools (cmd.exe, extrac32.exe, etc.) for malicious purposes like bypassing Windows Defender and injecting SnakeKeylogger. 

New Threats

The copyright threat in your inbox might be bait. A phishing campaign sweeping across central and eastern Europe is using fake legal complaints to deliver the Rhadamanthys Stealer. Two years of silence, 6,200 downloads later - the malware is finally found. A malicious campaign targeting JavaScript developers slipped past detection by disguising harmful npm packages as plugins for frameworks like React, Vue.js, Vite, and Quill Editor. Researchers uncovered a stealthy new backdoor paired with a Monero coinminer, using the PyBitmessage library for encrypted peer-to-peer communications.

  • A phishing campaign targeting central and eastern Europe uses copyright infringement lures to distribute Rhadamanthys Stealer. Threat actors exploit DLL side-loading techniques by hijacking the execution flow of a legitimate PDF reader, delivering malicious payloads through emails that impersonate legal departments. These emails accuse recipients of copyright violations, leading to downloads from services like Mediafire. The malware establishes persistence via Windows Registry Run keys and exfiltrates sensitive information. The campaign primarily targets multimedia professionals, leveraging localized language to enhance credibility and engagement.

  • Socket identified malicious npm packages targeting JavaScript frameworks such as React, Vue.js, Vite, and Quill Editor, which remained undetected for over two years, accumulating over 6,200 downloads. The threat actor, using the alias "xuxingfeng," published both malicious and legitimate packages to build trust and evade detection. Attackers used typosquatting and mimicry to trick developers into installing malicious packages by mimicking legitimate plugin names like vite-plugin-react-extend and quill-image-downloader. 

  • A threat actor named Hazy Hawk has been exploiting DNS misconfigurations since December 2023 to hijack abandoned cloud resources from high-profile organizations, including federal agencies, universities, healthcare entities, and corporations. Hazy Hawk uses hijacked subdomains to distribute scams and malware, leveraging the trustworthiness of compromised domains to bypass security controls and improve search engine rankings. The campaign targets multiple cloud providers like Azure, Amazon, Cloudflare, and others, exploiting dangling DNS CNAME records that still point at cloud resources the owner has since deleted. The actor employs advanced techniques like URL redirection, obfuscation, and content cloning to execute malware distribution chains, leading victims to scams and fraudulent content. They clone legitimate websites, like PBS[.]org, to deceive content crawlers and lure victims with enticing material, such as fake videos. Push notifications are employed as a persistence mechanism, inundating victims with scam-related alerts after approval.
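A defender-side audit for the dangling CNAME condition Hazy Hawk abuses, written for this briefing as an added example (it is not code from Cyware or from any vendor tool). The sample zone, the canned DNS answers and the list of cloud suffixes are constructed assumptions; the resolver is injected so the check runs offline.

```python
"""Flag CNAME records in your own zone that point at cloud hostnames that no longer resolve.

A subdomain is hijackable when its CNAME target (e.g. an Azure Web App hostname) was deleted
but the DNS record was left behind: anyone who re-registers that hostname now controls the
subdomain. This script finds such records. The resolver is passed in, so a production run
can use dnspython while this example runs on constructed data.
"""

# Cloud suffixes where a deleted resource turns into NXDOMAIN (assumed list; extend as needed).
# Services with wildcard DNS (S3, GitHub Pages) need an HTTP-level check instead.
CLOUD_SUFFIXES = (
    ".azurewebsites.net", ".cloudapp.azure.com", ".trafficmanager.net",
    ".elasticbeanstalk.com",
)


def is_cloud_target(target):
    """True if a CNAME target belongs to one of the watched cloud services."""
    t = target.rstrip(".").lower()
    return any(t.endswith(s) for s in CLOUD_SUFFIXES)


def find_dangling(zone_records, resolve):
    """zone_records: iterable of (name, rtype, target); resolve(host) -> list of IPs, [] on NXDOMAIN.
    Returns [(name, target)] for CNAMEs whose cloud target no longer resolves."""
    dangling = []
    for name, rtype, target in zone_records:
        if rtype.upper() != "CNAME" or not is_cloud_target(target):
            continue
        if not resolve(target.rstrip(".")):
            dangling.append((name, target))
    return dangling


# Constructed sample zone and canned answers (not real data).
SAMPLE_ZONE = [
    ("www.example.test.", "A", "192.0.2.10"),
    ("app.example.test.", "CNAME", "app-prod.azurewebsites.net."),
    ("old-campaign.example.test.", "CNAME", "promo2019.azurewebsites.net."),
    ("intranet.example.test.", "CNAME", "gw01.corp.example.test."),   # not a cloud target, skipped
    ("legacy.example.test.", "CNAME", "legacy-env.eu-west-1.elasticbeanstalk.com."),
]
FAKE_ANSWERS = {
    "app-prod.azurewebsites.net": ["192.0.2.20"],
    # promo2019 and legacy-env were deleted by their owners: NXDOMAIN
}


def fake_resolve(host):
    return FAKE_ANSWERS.get(host.lower(), [])


def live_resolve(host):
    """Real resolver for production use (needs dnspython, imported lazily)."""
    import dns.resolver
    try:
        return [r.to_text() for r in dns.resolver.resolve(host, "A")]
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer, dns.resolver.NoNameservers):
        return []


if __name__ == "__main__":
    for name, target in find_dangling(SAMPLE_ZONE, fake_resolve):
        print(f"DANGLING: {name} -> {target}")
```

Swap `fake_resolve` for `live_resolve` and feed it your exported zone to audit real records; a hit means the record should be deleted or the cloud resource re-claimed before someone else does.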

  • The SideWinder APT targeted high-level government institutions in Sri Lanka, Bangladesh, and Pakistan using spear-phishing emails and exploiting vulnerabilities CVE-2017-0199 and CVE-2017-11882 in Microsoft Office. The attackers deployed the StealerBot malware through malicious documents, which enabled them to maintain persistent access and collect sensitive data. The operation involved geofenced payloads to ensure that only specific victims received the malicious content.

  • ASEC detected a new backdoor malware distributed with a Monero coinminer, leveraging the PyBitmessage library for encrypted P2P communication to evade detection. The malware hides C2 commands within legitimate Bitmessage network messages, making it difficult for security products to classify its behavior as malicious. The malware decrypts and executes Monero coin miners and backdoor functions using XOR operations, exploiting infected systems for cryptocurrency mining. PyBitmessage-based backdoor malware downloads necessary files from GitHub or a suspected Russian personal drive and disguises itself as legitimate software. 

  • The Defendnot tool disables Microsoft Defender by spoofing antivirus registration using an undocumented Windows Security Center API. It bypasses system safeguards by injecting its DLL into a trusted process (Taskmgr.exe), allowing it to register a fake antivirus product. Once registered, Microsoft Defender shuts down, leaving the device without active protection. The tool includes configuration options and creates persistence via Windows Task Scheduler.
