Weekly Threat Briefing

Cyware Weekly Threat Intelligence, May 26–30, 2025


The Good

Under the hood of vulnerability management, NIST just added a sharper diagnostic tool. The new Likely Exploited Vulnerabilities metric estimates which CVEs have probably already been exploited in the wild, complementing EPSS with additional contextual signals. Digital warfare is no longer a future threat; it is a current investment. The U.K. Ministry of Defence has unveiled a £1 billion Cyber and Electromagnetic Command to protect military networks and support offensive cyber missions. With AI-driven systems such as the Digital Targeting Web in development, the goal is seamless coordination across weapons platforms.

  • NIST introduced a new metric called Likely Exploited Vulnerabilities (LEV) to estimate the probability that a vulnerability has already been exploited, complementing the existing Exploit Prediction Scoring System (EPSS), which predicts exploitation in the next 30 days. LEV output is meant for vulnerability managers and includes the CVE name, publish date, description, probability of past exploitation, peak EPSS score, and affected products. Two versions of the LEV equation are presented: one that combines EPSS scores taken over successive 30-day windows, and a daily variant that divides each EPSS score by 30 to approximate a single-day probability, which is more granular but requires more computation.

  • The U.K. Ministry of Defence has established a new Cyber and Electromagnetic Command, backed by a £1 billion investment, to enhance digital warfare capabilities. The command will defend military networks and coordinate offensive operations with the National Cyber Force. A key initiative is the development of a Digital Targeting Web, aimed at connecting weapons systems through AI for improved communication and rapid response. The move responds to rising cyber threats: the U.K. reports 90,000 cyber-attacks over the past two years, prompting accelerated recruitment of cybersecurity specialists.

  • Governments in the U.S., the U.K., Australia, Canada, and others have issued a joint advisory urging organizations to adopt SIEM and SOAR platforms, which centralize security telemetry for incident detection and response. The advisory provides guidance for both executives and practitioners, addressing challenges such as alert fatigue and significant implementation costs. Organizations handling sensitive data should consider in-house deployment, while those outsourcing must carefully evaluate service providers, particularly for hidden costs tied to data ingestion volume.
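The LEV bullet above describes two forms of the equation but does not spell them out. The following is an added worked example, not code from NIST or from this briefing: it implements the two forms as I read them from the NIST draft (a product over windows of one minus the weighted EPSS score, with the final partial window down-weighted, and a daily variant using epss/30 as the per-day probability) and assembles the kind of per-CVE record the bullet lists. The EPSS history and the placeholder identifier "CVE-EXAMPLE" are constructed for the demo; verify the exact weighting rule against the NIST publication before using this in production.

```python
from datetime import date

WINDOW_DAYS = 30  # an EPSS score is the probability of exploitation within the next 30 days


def lev_windowed(samples, as_of):
    """Windowed LEV.

    samples: chronological (window_start, epss) pairs sampled 30 days apart.
    Each window contributes its EPSS score scaled by the fraction of the window
    that has elapsed by `as_of`, so a partially elapsed final window counts less.
    Returns P(exploited in at least one window) = 1 - prod(1 - epss_i * weight_i).
    """
    p_not_exploited = 1.0
    for start, score in samples:
        elapsed = (as_of - start).days
        if elapsed <= 0:                      # window has not begun; contributes nothing
            continue
        weight = min(elapsed, WINDOW_DAYS) / WINDOW_DAYS
        p_not_exploited *= 1.0 - score * weight
    return 1.0 - p_not_exploited


def lev_daily(daily_scores):
    """Daily LEV: epss/30 approximates a one-day probability, one factor per day.
    More granular than the windowed form, but roughly 30x as many terms."""
    p_not_exploited = 1.0
    for score in daily_scores:
        p_not_exploited *= 1.0 - score / WINDOW_DAYS
    return 1.0 - p_not_exploited


def lev_record(cve_id, published, samples, as_of):
    """Build the per-CVE record the briefing describes: identifier, publish date,
    probability of past exploitation, and peak EPSS score with the date it occurred."""
    peak_date, peak_score = max(samples, key=lambda s: s[1])
    return {
        "cve": cve_id,
        "published": published.isoformat(),
        "as_of": as_of.isoformat(),
        "lev": round(lev_windowed(samples, as_of), 4),
        "peak_epss": peak_score,
        "peak_epss_date": peak_date.isoformat(),
    }


# Constructed EPSS history (not real data): scores sampled every 30 days.
SAMPLES = [
    (date(2025, 1, 1), 0.10),
    (date(2025, 1, 31), 0.20),
]


if __name__ == "__main__":
    # Two full windows elapsed: LEV = 1 - (1 - 0.10)(1 - 0.20) = 0.28
    print(lev_record("CVE-EXAMPLE", date(2024, 12, 20), SAMPLES, date(2025, 3, 2)))
```

The point worth noticing is how quickly a modest EPSS score accumulates: a CVE that has sat at 0.10 for a year has a windowed LEV near 0.72, which is why LEV is a useful complement to EPSS rather than a replacement for it.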

The Bad

A quiet but relentless campaign has been unfolding across multiple industries. The Chinese group Earth Lamia is targeting finance, government, logistics, and more by exploiting known web application vulnerabilities. APT41 hides malware commands where no one is looking: your calendar. In a creative twist on C2 infrastructure, China-backed APT41 embedded encrypted instructions inside Google Calendar events. AyySSHush doesn't make noise; it builds armies. More than 9,000 ASUS routers have been compromised by this botnet, which gains its foothold by exploiting CVE-2023-39780.

  • Trellix discovered a highly targeted spear-phishing operation aimed at CFOs and finance executives in banks, energy companies, insurers, and investment firms across Europe, Africa, Canada, the Middle East, and South Asia. The attackers abused NetBird, an open-source remote-access tool, without exploiting any flaws in the software itself. The phishing emails impersonated Rothschild & Co recruiters, offering fake financial leadership opportunities to lure victims. The phishing link redirects victims to a Firebase-hosted webpage with a custom CAPTCHA, which decrypts a secondary link upon solving the puzzle. The second-stage VBS script installs NetBird and OpenSSH silently, sets up persistence, and removes visible traces of compromise.

  • The PureHVNC RAT is being distributed through a multi-layer infection chain that uses fake senior job offers from fashion and beauty brands as lures. The attack begins with a malicious LNK file disguised as a PDF, which runs PowerShell commands to stage the malware. Obfuscation, base64 encoding, and process hollowing are used to evade detection. The final payload, the .NET-based PureHVNC RAT, gives attackers full system access. Multiple C2 addresses and campaign IDs are used to manage infections, indicating a deliberately targeted operation.

  • Socket discovered a supply chain attack on PyPI involving the malicious package "semantic-types" and five related packages (e.g., solana-keypair, solana-publickey). The payload is pulled in as a transitive dependency, so it runs even when "semantic-types" is never imported directly by the application. It monkey-patches Solana key-generation methods to capture private keys as they are created, encrypts them with a hardcoded RSA-2048 public key, and exfiltrates them as memo fields in Solana Devnet transactions, traffic that blends in with legitimate blockchain activity and escapes conventional egress monitoring. The malicious packages were downloaded over 25,900 times, exposing thousands of developer environments to wallet theft.

  • The Chinese hacking group Earth Lamia has been active since at least 2023, targeting finance, government, IT, logistics, retail, and education organizations. Initial access comes mainly through SQL injection flaws in public-facing web applications, supplemented by known vulnerabilities such as CVE-2017-9805 (Apache Struts), CVE-2021-22205 (GitLab), CVE-2024-9047 (WordPress), CVE-2024-27198/27199 (TeamCity), CVE-2024-51378/51567 (CyberPanel), CVE-2024-56145 (Craft CMS), and CVE-2025-31324 (SAP NetWeaver). Post-compromise actions include deploying webshells, escalating privileges, creating admin accounts, and stealing data. The group uses tools such as BypassBoss, open-source utilities, and a modular .NET backdoor called Pulsepack.

  • Chinese state-sponsored group APT41 used Google Calendar as the command-and-control channel for its TOUGHPROGRESS malware, targeting government entities and various industries worldwide. The intrusion began with spear-phishing emails carrying ZIP files in which the malware was disguised as PDF documents. The chain has three components: PLUSDROP decrypts the next stage, PLUSINJECT performs process hollowing, and TOUGHPROGRESS handles C2 over Google Calendar. Encrypted commands were stored in calendar events and results written back the same way, letting the attackers control compromised Windows hosts through traffic to a legitimate Google service.

  • Over 9,000 ASUS routers have been compromised by a botnet dubbed AyySSHush. The attackers first gain access through brute-force logins and authentication bypass techniques, then exploit the CVE-2023-39780 command injection vulnerability to enable SSH and plant their own key. Because the backdoor is written into the router's persistent configuration rather than to firmware, it survives reboots and firmware updates. The attackers also disable logging and security features, which is why only about 30 malicious requests were recorded over three months despite the scale of the infection. The campaign appears to be building a pool of backdoored routers for later use; its exact objectives remain unclear.

  • Dark Partners, a cybercrime group, has been conducting large-scale cryptocurrency thefts by using fake websites that mimic popular AI, VPN, and crypto tools. These sites deliver malware like Poseidon Stealer (macOS) and Lumma Stealer (Windows) to steal sensitive data, including cryptocurrency wallet information. The group uses anti-sandbox modules, obfuscation, and advanced techniques like retrieving C2 server addresses via Google Calendar links. The malware can exfiltrate data from 76 wallets and desktop applications, with fake download pages designed to target specific operating systems.

  • A financially motivated threat actor tracked as Mimo exploited CVE-2025-32432, a critical remote code execution vulnerability in Craft CMS, to gain access and deploy malicious payloads. The infection chain drops a webshell, runs an infection script, and installs a loader, a cryptominer, and residential proxy software. The loader, named "4l4md4r," is written in Golang and packed with UPX; it downloads and runs further components such as "alamdar.so" and the two primary payloads, IPRoyal (residential proxyware) and XMRig.

  • A Vietnamese-linked hacking group, UNC6032, has been distributing malware via fake AI video generator websites since mid-2024, using social media ads to lure victims. The campaign involves fake websites mimicking legitimate AI tools like Luma AI and Canva Dream Lab, which deliver malware payloads such as STARKVEIL, XWORM, and FROSTRIFT. Over 30 fake websites have been identified, with ads reaching millions of users primarily on Facebook and LinkedIn. The malicious ads target users globally, rotating domains frequently to avoid detection. The malware payloads are modular and include mechanisms to ensure persistence even if some components are detected or blocked.

  • Russian state-aligned actor Void Blizzard has breached more than 20 NGOs in Europe and the U.S. using Evilginx adversary-in-the-middle phishing pages that spoof Microsoft Entra sign-in portals. Active since at least April 2024, the group targets organizations relevant to Russian government interests, initially relying on credentials bought from online marketplaces along with password spraying and reconnaissance tools such as AzureHound. In April 2025 it added spear-phishing emails with malicious QR codes that lead to the spoofed Entra pages, most recently impersonating the European Defense and Security Summit. Successful compromises led to large-scale data theft, including access to Microsoft Teams conversations. Void Blizzard's targeting overlaps with other Russian-affiliated actors such as Forest Blizzard and Seashell Blizzard, suggesting shared intelligence objectives.
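The PyPI item above turns on two mechanics: a payload that runs through a transitive import the application never asked for, and a monkey-patch that swaps a wallet library's key generator for a wrapper that keeps a copy of every key. The following is an added example written for this briefing, not code from Socket or from the packages discussed. It builds a hypothetical wallet library (wallet_lib, a stand-in, not the real solana/solders API) and a hypothetical transitive dependency (evil_transitive_dep) entirely in memory so it runs with nothing installed, shows the patch taking effect without a direct import by the application, and demonstrates a runtime tripwire: fingerprinting a sensitive callable by the file that defines it and a hash of its bytecode, then comparing against a baseline recorded when the dependency tree was last reviewed. All module names and paths are constructed.

```python
import hashlib
import sys
import types


def load_module(name, filename, source):
    """Constructed helper: build a module from source as if it had been imported
    from `filename`, and register it so other modules can `import` it."""
    module = types.ModuleType(name)
    module.__file__ = filename
    exec(compile(source, filename, "exec"), module.__dict__)
    sys.modules[name] = module
    return module


# Hypothetical wallet library (stand-in, NOT the real solana/solders API).
WALLET_SRC = """
import os

class Keypair:
    def __init__(self, secret):
        self.secret = secret

    @classmethod
    def generate(cls):
        return cls(os.urandom(32))
"""

# Stand-in for a malicious transitive dependency. The application never imports it
# directly; being imported by anything on the dependency graph is enough for the patch
# to apply. It wraps the original generator and records the secret. The real campaign
# encrypted and exfiltrated the key; this demo only keeps it in a list.
PATCHER_SRC = """
import wallet_lib

captured = []
_original_generate = wallet_lib.Keypair.generate

def _hooked_generate(cls):
    keypair = _original_generate()
    captured.append(keypair.secret)
    return keypair

wallet_lib.Keypair.generate = classmethod(_hooked_generate)
"""


def fingerprint(func):
    """(defining file, sha256 of bytecode) for a function, bound method or classmethod."""
    code = getattr(func, "__func__", func).__code__
    return code.co_filename, hashlib.sha256(code.co_code).hexdigest()


def audit(module, attr_path, expected_digest):
    """Flag a sensitive callable whose code no longer lives in its own module's file
    or whose bytecode differs from the digest recorded at review time."""
    target = module
    for part in attr_path.split("."):
        target = getattr(target, part)
    filename, digest = fingerprint(target)
    findings = []
    if filename != module.__file__:
        findings.append(f"{module.__name__}.{attr_path} is now defined in {filename}")
    if digest != expected_digest:
        findings.append(f"{module.__name__}.{attr_path} bytecode changed")
    return findings


def run_demo():
    wallet = load_module("wallet_lib", "/site-packages/wallet_lib/__init__.py", WALLET_SRC)
    # Baseline recorded when the dependency tree was last reviewed.
    _, pinned_digest = fingerprint(wallet.Keypair.generate)
    before = audit(wallet, "Keypair.generate", pinned_digest)

    # Something deeper in the dependency graph pulls in the patcher.
    patcher = load_module("evil_transitive_dep",
                          "/site-packages/evil_transitive_dep/__init__.py", PATCHER_SRC)
    keypair = wallet.Keypair.generate()        # looks perfectly normal to the caller
    after = audit(wallet, "Keypair.generate", pinned_digest)
    leaked = bool(patcher.captured) and patcher.captured[0] == keypair.secret
    return before, after, leaked


if __name__ == "__main__":
    before, after, leaked = run_demo()
    print("findings before patch:", before)
    print("findings after patch:", after)
    print("secret captured by transitive dependency:", leaked)
```

Treat the fingerprint check as a tripwire, not a guarantee: code that already runs inside your interpreter can forge `co_filename` with `CodeType.replace` or hook lower down. The primary controls remain a lockfile with pinned hashes (`pip install --require-hashes`) and reviewing every new transitive dependency before it reaches a machine that handles keys.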

New Threats

Fake CAPTCHA prompts now do more than test whether you're human: they install malware. EDDIESTEALER, a new Rust-based infostealer, spreads through deceptive CAPTCHA pages that trick users into running malicious PowerShell. Threat actors are wrapping their tools in layers of obfuscation, and DOUBLELOADER is no exception. This new backdoor uses the ALCATRAZ obfuscator, once confined to the game-hacking scene, to disguise itself. A new Go-based botnet called PumaBot is clawing its way through Linux IoT devices. It brute-forces SSH credentials, masquerades as a Redis file for stealth, and deploys a trojanized PAM module to mine crypto and steal credentials.

  • A new Rust-based infostealer called EDDIESTEALER spreads through fake CAPTCHA verification pages that trick users into running a malicious PowerShell command. That PowerShell fetches JavaScript and the EDDIESTEALER executable, which targets credentials, browser data, and cryptocurrency wallets. The Rust implementation is itself an analysis hurdle for tooling and analysts tuned to C/C++ malware, and on top of it the sample uses XOR-encrypted strings, custom WinAPI resolution, and a self-deletion routine to frustrate analysis and detection.

  • The Interlock ransomware gang has deployed a new RAT named NodeSnake against universities to keep persistent access to their networks. NodeSnake is delivered via phishing emails and uses PowerShell or CMD scripts to establish persistence through a misleadingly named Registry entry. The malware is heavily obfuscated, randomizes its filenames, and rotates through several C2 addresses. Once installed, it collects user and system metadata and sends it to the C2, and it can execute commands and load additional payloads.

  • A new botnet named PumaBot, written in Go, targets Linux-based IoT devices by brute-forcing SSH credentials and deploying additional malware. It retrieves target IP addresses from its command-and-control server and skips honeypots and unsuitable systems. For persistence it masquerades as a legitimate Redis system file, and it runs commands to mine cryptocurrency. Its toolkit also includes a trojanized pam_unix.so PAM module that harvests credentials as users authenticate, plus helper scripts that exfiltrate the stolen data.

  • Elastic Security Labs identified a new malware family called DOUBLELOADER, which uses the ALCATRAZ obfuscator for evasion and pairs with the RHADAMANTHYS infostealer. DOUBLELOADER operates as a backdoor, injecting code into explorer.exe and communicating with a hardcoded IP address while collecting host information. The ALCATRAZ obfuscator, originally from the game-hacking scene, enables obfuscation of compiled binaries and has been adopted by threat actors for advanced malware techniques. DOUBLELOADER employs multiple obfuscation techniques such as entry point obfuscation, anti-disassembly, instruction mutation, constant unfolding, LEA obfuscation, and control flow flattening, making detection and analysis challenging.

  • A malware campaign has been uncovered that uses fake software installers mimicking popular tools like LetsVPN and QQ Browser to deliver the Winos 4.0 malware framework. This operation employs a memory-resident loader named Catena to evade antivirus detection. The campaign targets Chinese-speaking environments and is linked to the threat actor Silver Fox. The malware, based on the Gh0st RAT, is capable of data harvesting, remote access, and DDoS attacks. The infection chain involves trojanized NSIS installers, reflective DLL injection, and communication with C2 servers.
