Cyware Weekly Threat Intelligence, October 13–17, 2025

The Good
A coordinated crackdown by Spanish Guardia Civil unraveled an AI-driven phishing empire, which since 2023 had cloned over 250 bank and agency sites to steal millions in credentials across Spanish-speaking regions and beyond. Operating as a crime-as-a-service via Telegram, the network supplied kits, Android malware for OTP interception, and voice-scam tools to hundreds of criminals. U.S. and U.K. authorities struck a blow against the Prince Group, seizing over $15 billion in Bitcoin—the DOJ's largest crypto haul—from a syndicate running 100+ front businesses in 30 countries for investment scams, money laundering, and human trafficking.
Spanish authorities dismantled an AI-driven phishing network run by a Brazilian developer known as “GoogleXcoder.” The network, whose takedown is a significant blow to banking credential theft in Spain, targeted major banks and public agencies and had stolen millions of euros since 2023. Under a crime-as-a-service model, GoogleXcoder sold phishing kits that let criminals with little technical skill clone websites and run scams. The investigation found extensive use of Telegram for communications and transactions. Authorities arrested the developer in Cantabria and seized electronic devices holding key evidence. Forensic analysis is ongoing to map the rest of the network and identify additional participants; collaboration with the Brazilian Federal Police and cybersecurity experts proved crucial to the operation.
U.S. and U.K. authorities have executed a landmark operation against a massive transnational cybercrime syndicate, seizing over $15 billion in Bitcoin from the Prince Group, a criminal enterprise accused of orchestrating one of the largest investment fraud operations in history. This marks the largest cryptocurrency seizure ever conducted by the DOJ. According to the DOJ, the group operated more than 100 businesses across 30 countries, using them as fronts for investment scams, money laundering, and human trafficking. The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has sanctioned 146 individuals and entities linked to the Prince Group. The U.K. has also imposed financial sanctions, freezing assets including a £12 million mansion and a £100 million office building in London.
The Bad
PhantomVAI, a sly .NET loader, is hitting manufacturing, education, and government sectors worldwide via phishing emails carrying obfuscated scripts. It hides DLLs in images using steganography, checks for virtual machines, and drops multiple infostealers. A subtle tweak turned deadly as China-backed Flax Typhoon repurposed a legitimate ArcGIS Java SOE into a persistent web shell. A massive botnet of 100,000+ IPs across multiple countries began targeting U.S. RDP services; researchers noted a shared TCP fingerprint that suggests single-entity control.
PhantomVAI Loader, a multi-stage .NET loader, is actively used in global phishing campaigns against sectors including manufacturing, education, and government. Initially known as Katz Stealer Loader, it has evolved to deliver a range of infostealers and RATs such as AsyncRAT, XWorm, FormBook, and DCRat. The attack chain starts with phishing emails carrying heavily obfuscated scripts that, when executed, download further malicious payloads. The loader uses steganography to conceal DLL files inside seemingly innocuous images, which lets the payload pass content inspection that keys on executable file types. Once running, PhantomVAI Loader checks for virtual machines and sandboxes; if none are detected, it establishes persistence on the infected system and injects the final payload into legitimate processes such as MSBuild.exe, evading many endpoint defenses that trust signed Microsoft binaries.
An ongoing phishing campaign is targeting LastPass and Bitwarden users with fake emails claiming that the companies have been hacked. The emails urge recipients to download a supposedly more secure desktop version of the password manager; the download actually installs Syncro, a legitimate remote monitoring and management (RMM) tool. LastPass has clarified that it has not experienced any security incident and that the messages are a social engineering effort designed to create urgency. The emails are well crafted and impersonate both LastPass and Bitwarden, steering users to malicious downloads. Once the Syncro agent is installed, the attackers gain remote access to the victim's computer. This campaign follows another targeting 1Password users.
Flax Typhoon, a China-backed APT group, executed a sophisticated attack on an ArcGIS system by repurposing a legitimate Java server object extension (SOE) into a web shell. Because the shell ran inside a trusted ArcGIS component, its activity blended in with normal system operations, which let the attackers maintain long-term access while evading detection. By getting the compromised SOE captured in system backups, so that a restore reinstated it, and by gating the shell behind a hardcoded key so only they could use it, they kept their foothold even after remediation attempts. The group used that foothold for command execution, lateral movement, and credential harvesting across multiple hosts.
A security vulnerability in the widely used Slider Revolution plugin has been uncovered, affecting over four million WordPress sites. Tracked as CVE-2025-9217, the flaw lets authenticated users with contributor-level permissions or higher read arbitrary files on the server, including critical configuration files such as wp-config.php. The root cause is insufficient validation of two parameters, “used_svg” and “used_images,” which list the files to include in a slider export. A patched version, 6.7.37, tightens the validation in the file-handling code so that the export can no longer reach files outside the intended location. The vulnerability was rated medium severity with a CVSS score of 6.5.
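Slider Revolution is a PHP plugin and the page does not reproduce its patch, so the following Python example is added here as an illustration and is not the plugin's or the advisory's code. It shows the bug class the item describes as a pair: an export routine that trusts caller-supplied file names beside one that canonicalises each path and proves it still lives under the upload directory. The directory layout, the file names, and the assumption that the flaw behaves like a path-traversal read are all constructed for the demonstration.

```python
import os
import tempfile

MEDIA_EXT = (".svg", ".png", ".jpg", ".jpeg", ".gif", ".webp")


def vulnerable_export(upload_dir, requested):
    """Flawed pattern (assumed to mirror the bug class): join caller-supplied
    names onto the upload directory and read whatever that resolves to.
    os.path.join drops upload_dir entirely when a name is absolute, and '..'
    segments climb out of it, so wp-config.php is one request away."""
    out = {}
    for name in requested:
        with open(os.path.join(upload_dir, name), "rb") as fh:
            out[name] = fh.read()
    return out


def safe_resolve(upload_dir, name):
    """Canonicalise, then prove the result still lives under upload_dir.
    realpath() collapses '..' and follows symlinks, so a link planted inside
    the upload directory that points at a secret is caught as well."""
    base = os.path.realpath(upload_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError(f"{name!r} resolves outside the upload directory")
    if not candidate.lower().endswith(MEDIA_EXT):
        raise PermissionError(f"{name!r} is not an exportable media type")
    if not os.path.isfile(candidate):
        raise FileNotFoundError(name)
    return candidate


def hardened_export(upload_dir, requested):
    """Same interface as vulnerable_export, but every name goes through
    safe_resolve(); rejected names are returned so the caller can log them."""
    out, rejected = {}, []
    for name in requested:
        try:
            with open(safe_resolve(upload_dir, name), "rb") as fh:
                out[name] = fh.read()
        except (PermissionError, FileNotFoundError):
            rejected.append(name)
    return out, rejected


def demo():
    """Constructed layout: <root>/wp-config.php holds a secret and
    <root>/uploads/ is the only directory an export may touch."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "uploads")
    os.mkdir(uploads)
    config = os.path.join(root, "wp-config.php")
    with open(config, "w") as fh:
        fh.write("define('DB_PASSWORD', 'constructed-secret');")
    with open(os.path.join(uploads, "logo.svg"), "w") as fh:
        fh.write("<svg xmlns='http://www.w3.org/2000/svg'/>")
    # A symlink inside uploads/ that points at the secret: it passes a naive
    # prefix check on the requested string and fails only after canonicalisation.
    os.symlink(config, os.path.join(uploads, "link.svg"))

    requested = ["logo.svg", "../wp-config.php", config, "link.svg"]
    leaked = vulnerable_export(uploads, requested)
    kept, rejected = hardened_export(uploads, requested)
    return leaked, kept, rejected


if __name__ == "__main__":
    leaked, kept, rejected = demo()
    print("vulnerable handler returned:", sorted(leaked))
    print("hardened handler returned:  ", sorted(kept), "rejected:", rejected)
```

The order of checks matters: canonicalise first, then compare against the canonical base, then apply the extension allow-list. Checking the extension on the raw request string, or comparing string prefixes without realpath(), leaves both the '..' and the symlink cases open.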
McAfee researchers have identified a sophisticated Astaroth banking malware campaign that leverages GitHub repositories to host critical configuration files, moving away from traditional C2 servers. This malware employs steganography to conceal configuration data within seemingly benign image files, allowing it to update its operational parameters every two hours while maintaining persistent operations. The infection chain begins with phishing emails that lure victims into downloading malicious Windows shortcut files, which execute obfuscated JavaScript commands. Primarily targeting South American countries, particularly Brazil, Astaroth monitors banking and cryptocurrency-related browser windows to capture credentials through keylogging.
A botnet of more than 100,000 IP addresses spread across multiple countries has been targeting RDP services in the U.S. since October 8. GreyNoise researchers spotted the campaign after an unusual spike in traffic, much of it from Brazilian IPs. The attacks use two vectors: RD Web Access timing attacks, which reveal whether a username is valid through differences in response time, and RDP web client login enumeration. Most of the IPs share a similar TCP fingerprint and all use the same attack methods, which points to a single operator behind the whole botnet rather than several unrelated campaigns. Source IPs were located in Brazil, Argentina, Iran, China, Mexico, Russia, and South Africa, among other countries.
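The defining feature of the campaign above is that each source sends only a handful of login attempts while the aggregate is enormous, which is exactly what per-IP lockout and rate limits miss. The Python below is an added example, not GreyNoise's tooling or anything from the original report: it parses IIS W3C logs from an RD Web Access host using the file's own #Fields: header and flags any window in which many distinct clients each post to the login form a few times. The log lines, IP addresses and user agents are constructed for the demonstration, and the login path and thresholds are assumptions to tune for your environment.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LOGIN_PATH = "/rdweb/pages/en-us/login.aspx"   # RD Web Access form login (assumed path)
EPOCH = datetime(1970, 1, 1)


def parse_w3c(text):
    """Parse IIS W3C extended-format log text. The field order comes from the
    file's own '#Fields:' directive, so the parser is not tied to one layout."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue                      # malformed line: skip, do not guess
        rec = dict(zip(fields, parts))
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        yield rec


def detect_distributed_login_spray(records, window_minutes=10, min_ips=50, max_per_ip=5):
    """Flag windows where many distinct sources each post to the login form a
    few times: loud in aggregate, but every IP stays under per-IP lockout
    thresholds. Returns one alert dict per offending window."""
    span = timedelta(minutes=window_minutes)
    buckets = defaultdict(list)
    for r in records:
        if r["cs-method"] != "POST" or r["cs-uri-stem"].lower() != LOGIN_PATH:
            continue
        buckets[(r["ts"] - EPOCH) // span].append(r)
    alerts = []
    for n, rs in sorted(buckets.items()):
        ips = Counter(r["c-ip"] for r in rs)
        uas = Counter(r["cs(User-Agent)"] for r in rs)
        if len(ips) >= min_ips and len(rs) / len(ips) <= max_per_ip:
            alerts.append({
                "window_start": EPOCH + n * span,
                "distinct_ips": len(ips),
                "requests": len(rs),
                "top_ua_share": uas.most_common(1)[0][1] / len(rs),  # 1.0 = one shared UA
            })
    return alerts


def build_sample_log():
    """Constructed IIS log: three legitimate logins at 02:05, then 120 distinct
    sources posting once or twice each between 03:10 and 03:19 with one shared
    user agent. Addresses and user agents are made up."""
    lines = [
        "#Software: Microsoft Internet Information Services 10.0",
        "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
        "cs-username c-ip cs(User-Agent) cs-Referer sc-status sc-substatus "
        "sc-win32-status time-taken",
    ]
    legit_ua = "Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+Edge/130.0"
    bot_ua = "Mozilla/5.0+(X11;+Linux+x86_64)+Chrome/120.0"
    for i in range(3):
        lines.append(f"2025-10-12 02:05:{i:02d} 10.0.0.5 POST /RDWeb/Pages/en-US/login.aspx "
                     f"- 443 - 10.1.1.{i + 1} {legit_ua} - 200 0 0 180")
    for i in range(120):
        ip = f"177.42.{i % 4}.{i // 4 + 1}"
        for attempt in range(2 if i % 3 == 0 else 1):
            lines.append(f"2025-10-12 03:1{i % 10}:{(i * 7 + attempt * 13) % 60:02d} 10.0.0.5 POST "
                         f"/RDWeb/Pages/en-US/login.aspx - 443 - {ip} {bot_ua} - 200 0 0 410")
    return "\n".join(lines)


if __name__ == "__main__":
    for alert in detect_distributed_login_spray(parse_w3c(build_sample_log())):
        print(alert)
```

The per-window ratio (requests divided by distinct IPs) is the signal to keep even if you change the thresholds; a high request count with a ratio near one is a distributed spray, while the same count from a ratio in the hundreds is a single noisy scanner that ordinary rate limiting already handles. The user-agent share is reported as context: a single agent across hundreds of addresses is further evidence of one operator, which is what the shared TCP fingerprint in the GreyNoise finding indicates at the network layer.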
A financially motivated threat actor known as UNC5142 is utilizing blockchain smart contracts and compromised WordPress sites to distribute various information-stealing malware, including Atomic and Vidar, targeting both Windows and macOS systems. This group employs a technique called "EtherHiding" to conceal malicious code on public blockchains, specifically leveraging the BNB Smart Chain. Google’s Threat Intelligence Group reported approximately 14,000 web pages injected with JavaScript linked to UNC5142, indicating widespread targeting of vulnerable sites. The attack employs a multi-stage JavaScript downloader named CLEARSHORT, which retrieves malicious payloads through interactions with smart contracts.
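The retrieval step that makes EtherHiding resilient is a read-only eth_call against the contract's getter: no transaction, no gas, nothing written on-chain, and the next-stage URL can be changed by the attacker with one contract update while the injected JavaScript on thousands of sites stays the same. The Python below is an added illustration of that mechanic on constructed data, not UNC5142's CLEARSHORT code or Google's analysis: it shows the JSON-RPC request shape, encodes and decodes the ABI string return the loader would receive, and ends with a cheap triage check for injected page scripts. The contract address, the function selector, the RPC reply and the sample JavaScript are all made up.

```python
import json
import re

# Constructed identifiers. A real selector is keccak256(signature)[:4]; keccak is
# not in the standard library, so a placeholder selector is used here.
FAKE_CONTRACT = "0x" + "ab" * 20
FAKE_SELECTOR = bytes.fromhex("12345678")


def abi_encode_string(s):
    """ABI-encode a single `string` return value: a 32-byte offset to the data
    (0x20 for one dynamic value), a 32-byte length, then the UTF-8 bytes padded
    to a 32-byte boundary."""
    raw = s.encode()
    pad = (32 - len(raw) % 32) % 32
    return (32).to_bytes(32, "big") + len(raw).to_bytes(32, "big") + raw + b"\x00" * pad


def abi_decode_string(data):
    """Inverse of abi_encode_string with bounds checks, so a truncated or
    hostile RPC reply raises instead of returning garbage."""
    if len(data) < 64:
        raise ValueError("ABI data too short")
    offset = int.from_bytes(data[:32], "big")
    if offset + 32 > len(data):
        raise ValueError("offset points past end of data")
    length = int.from_bytes(data[offset:offset + 32], "big")
    start = offset + 32
    if start + length > len(data):
        raise ValueError("string length exceeds data")
    return data[start:start + length].decode()


def build_eth_call(contract=FAKE_CONTRACT, selector=FAKE_SELECTOR):
    """JSON-RPC body an EtherHiding stage would POST to a public RPC node to
    read the contract's getter. eth_call is a gas-free query: no wallet, no
    transaction, nothing on-chain that attributes the read to the victim."""
    return {"jsonrpc": "2.0", "id": 1, "method": "eth_call",
            "params": [{"to": contract, "data": "0x" + selector.hex()}, "latest"]}


def fake_rpc_response(stage_url):
    """Constructed node reply carrying an ABI-encoded string result."""
    return json.dumps({"jsonrpc": "2.0", "id": 1,
                       "result": "0x" + abi_encode_string(stage_url).hex()})


def extract_stage_url(rpc_response_json):
    """What the downloader does with the reply: strip 0x, decode the string."""
    result = json.loads(rpc_response_json)["result"]
    return abi_decode_string(bytes.fromhex(result[2:]))


# Tells that a page script is talking to a chain RPC; each alone is weak,
# two or more together on a site that has no business doing so is worth a look.
ETHERHIDING_HINTS = re.compile(r'eth_call|bsc-dataseed\.binance\.org|"latest"', re.IGNORECASE)

SAMPLE_INJECTED_JS = """
const r = await fetch("https://bsc-dataseed.binance.org/", {method: "POST",
  body: JSON.stringify({jsonrpc: "2.0", id: 1, method: "eth_call",
    params: [{to: "0xabab...", data: "0x12345678"}, "latest"]})});
"""  # constructed, modelled on the call shape above


def looks_like_etherhiding(js_source):
    """Count distinct RPC tells in a script; two or more trips the triage."""
    found = {m.group(0).lower() for m in ETHERHIDING_HINTS.finditer(js_source)}
    return len(found) >= 2


if __name__ == "__main__":
    reply = fake_rpc_response("https://example.invalid/stage2.js")
    print(json.dumps(build_eth_call()))
    print(extract_stage_url(reply))
    print(looks_like_etherhiding(SAMPLE_INJECTED_JS))
```

Two practical consequences follow from the call shape. Blocking the attacker's server is useless because the URL lives in contract storage, so takedown has to target the hosting of the next stage or the compromised sites; and outbound requests from a browser to public RPC endpoints, which most corporate web properties never make, are a usable network indicator.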
APT28, a Russian state-sponsored threat actor, has launched a sophisticated cyberattack on Ukrainian military personnel using weaponized Office documents. The campaign uses the BeardShell and Covenant malware frameworks, delivered in malicious documents sent over Signal Desktop, a channel that lacks the attachment scanning an email gateway would apply. Once opened, the documents run embedded macros that start a multi-stage infection, allowing the attackers to maintain persistent access and evade detection. The malware hides payloads inside PNG files using steganography and uses the Koofr cloud storage service for command and control communications.
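Three items in this section (PhantomVAI's DLLs in images, Astaroth's configuration in images, APT28's payloads in PNG files) lean on image files as carriers because most content inspection waves them through. The Python below is an added example and not code from any of those reports: it parses PNG and JPEG containers to their real end marker and reports bytes appended after it, looks for embedded PE headers whose e_lfanew field lands on a PE signature, and looks for the base64 form of the standard DOS stub stuffed into a text chunk. The sample PNG, the JPEG skeleton and the "dropped DLL" are constructed in the block. True LSB steganography, where bits are spread across pixel values, is not caught by structural checks like these and needs statistical analysis of the pixel data instead.

```python
import base64
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"
# base64 of the standard DOS stub prefix "MZ\x90\x00\x03\x00...\xb8\x00\x00\x00"
PE_B64_RE = re.compile(rb"TVqQAAMAAAAEAAAA//8AALgAAAA")


def png_end_offset(data):
    """Walk PNG chunks and return the offset just past IEND, or None if malformed."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, pos)
        pos += 8 + length + 4          # length/type header + payload + CRC
        if ctype == b"IEND":
            return pos
    return None


def jpeg_end_offset(data):
    """Walk JPEG segments to the EOI marker; inside entropy-coded data skip
    stuffed 0xFF00 bytes and RSTn markers. None if the container is malformed."""
    if not data.startswith(JPEG_SOI):
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xFF:                 # fill byte
            pos += 1
            continue
        if marker == 0xD9:                 # EOI
            return pos + 2
        if pos + 4 > len(data):
            return None
        pos += 2 + struct.unpack_from(">H", data, pos + 2)[0]
        if marker == 0xDA:                 # SOS: scan data until a real marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return None


def find_embedded_pe(data):
    """Offsets of byte ranges that parse as a PE: an 'MZ' whose e_lfanew field
    (offset 0x3C) points at a 'PE\\0\\0' signature inside the buffer."""
    hits = []
    for m in re.finditer(rb"MZ", data):
        off = m.start()
        if off + 0x40 > len(data):
            break
        e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
        if 0x40 <= e_lfanew <= 0x1000 and data[off + e_lfanew:off + e_lfanew + 4] == b"PE\0\0":
            hits.append(off)
    return hits


def scan_image(data):
    """Run all three checks. trailing_bytes is None when the container does not
    parse at all (itself worth a look) and 0 for a clean file."""
    if data.startswith(PNG_SIG):
        end = png_end_offset(data)
    elif data.startswith(JPEG_SOI):
        end = jpeg_end_offset(data)
    else:
        end = None
    report = {
        "trailing_bytes": None if end is None else len(data) - end,
        "pe_offsets": find_embedded_pe(data),
        "base64_pe": PE_B64_RE.search(data) is not None,
    }
    report["suspicious"] = bool(report["trailing_bytes"]) or bool(report["pe_offsets"]) or report["base64_pe"]
    return report


# ---- constructed samples -------------------------------------------------
def _png_chunk(ctype, payload):
    return (struct.pack(">I", len(payload)) + ctype + payload
            + struct.pack(">I", zlib.crc32(ctype + payload) & 0xFFFFFFFF))


def make_tiny_png(extra_chunks=b""):
    """Constructed 1x1 RGB PNG; extra_chunks is raw chunk data spliced before IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")      # filter byte + one red pixel
    return (PNG_SIG + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat)
            + extra_chunks + _png_chunk(b"IEND", b""))


def make_fake_pe(size=256):
    """Constructed stand-in for a dropped DLL: standard DOS stub bytes, e_lfanew
    pointing at 'PE\\0\\0', zero padding. Not executable."""
    hdr = bytearray(b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00\xb8\x00\x00\x00")
    hdr += b"\x00" * (0x3C - len(hdr)) + struct.pack("<I", 0x40)
    return bytes(hdr) + b"PE\0\0" + b"\x00" * (size - 0x44)


def make_stuffed_png():
    """PNG whose IEND is last (no trailer) but whose tEXt chunk carries a base64 PE."""
    return make_tiny_png(_png_chunk(b"tEXt", b"Comment\x00" + base64.b64encode(make_fake_pe())))


def make_skeleton_jpeg():
    """Constructed JPEG skeleton (APP0, SOS with a stuffed 0xFF00 byte, EOI):
    not a decodable picture, enough to exercise the segment walker."""
    return (JPEG_SOI + b"\xff\xe0" + struct.pack(">H", 4) + b"\x00\x00"
            + b"\xff\xda" + struct.pack(">H", 2) + b"\x12\x34\xff\x00\x56" + b"\xff\xd9")


if __name__ == "__main__":
    clean = make_tiny_png()
    print("clean png       ", scan_image(clean))
    print("png + raw PE    ", scan_image(clean + make_fake_pe()))
    print("png + b64 chunk ", scan_image(make_stuffed_png()))
    print("jpeg + trailer  ", scan_image(make_skeleton_jpeg() + b"\x00" * 10))
```

Note why both structural checks are needed: the appended-PE sample has a clean chunk structure up to IEND and is caught only by the trailing-bytes count, while the tEXt-chunk sample has zero trailing bytes and is caught only by the content scan. A scanner that does just one of the two is trivially sidestepped by choosing the other placement.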
New Threats
Mimicking India’s mParivahan app, GhostBat RAT has been targeting Android users, with 40+ samples stealing UPI credentials and more. Spread through WhatsApp and dodgy sites, it uses multi-stage droppers and heavy obfuscation. TA585 runs its own infrastructure to deliver email attacks and deploy MonsterV2 — a RAT, stealer, and loader. A new Rust-based menace, ChaosBot, lurks in phishing emails, using malicious LNK files to hijack Microsoft Edge binaries and sideload a rogue DLL.
GhostBat RAT is a new Android malware campaign targeting Indian users by masquerading as legitimate Regional Transport Office (RTO) applications, such as mParivahan. This malware steals financial data, mines cryptocurrency, and exfiltrates SMS messages using Telegram bots for device management. Since September 2025, over 40 unique malware samples have been identified, employing advanced techniques like multi-stage droppers and heavy obfuscation to avoid detection. Attackers utilize social engineering tactics to deliver malicious APKs through platforms like WhatsApp and compromised websites. Once installed, the fake RTO app requests extensive permissions, initiating phishing flows to collect sensitive UPI credentials and surveilling SMS content for banking-related messages, which are then forwarded to the attackers' servers.
Microsoft's October 2025 Patch Tuesday released security updates for 172 vulnerabilities, including six zero-day flaws. This update also marks the end of free support for Windows 10; users must now enroll in the Extended Security Updates (ESU) program to keep receiving patches. Among the critical vulnerabilities fixed are flaws in Windows SMB Server and Microsoft SQL Server. Other notable items include the removal of a vulnerable Agere Modem driver that could be abused for elevation of privilege, and a Secure Boot bypass vulnerability in IGEL OS. Microsoft is additionally addressing a memory integrity flaw in AMD EPYC processors.
TA585 is a newly identified threat actor that runs its entire attack chain itself, from infrastructure and email delivery through to malware installation. Its payload, MonsterV2, is sold on cybercriminal forums and acts as a RAT, stealer, and loader, capable of exfiltrating sensitive data, enabling remote desktop access, and executing additional payloads. TA585 avoids infecting systems in Commonwealth of Independent States (CIS) countries. For delivery it relies on the ClickFix technique, in which a malicious page or script (typically a fake error or verification prompt) talks the user into pasting and running a PowerShell command that fetches the malware themselves.
Pixnapping is a newly disclosed attack that lets a malicious Android app on Google and Samsung devices steal on-screen data such as 2FA codes and Google Maps timeline entries without the user's knowledge. It sidesteps the mitigations browsers deploy against pixel-stealing attacks by working through Android APIs and a hardware side channel, and an app with no special permissions can capture a 2FA code in under 30 seconds. The attack stacks semi-transparent activities over the victim app and drives Android's rendering pipeline so that the pixel values underneath can be recovered one at a time. The underlying side channel is GPU.zip, which exploits GPU data compression, here combined with Android's window blur API.
Researchers uncovered ChaosBot, a new Rust-based malware used for reconnaissance and command execution on compromised systems. It uses Discord channels for C2 and is distributed via phishing messages carrying malicious Windows shortcut (LNK) files. The shortcut launches a legitimate Microsoft Edge binary that sideloads a malicious DLL, and the malware then deploys the open-source fast reverse proxy (FRP) tool for persistent network access. ChaosBot can execute shell commands, capture screenshots, and upload or download files, and it evades analysis by blinding Event Tracing for Windows (ETW) telemetry and checking for virtual machines.
Oracle has issued a security alert for CVE-2025-61884, a vulnerability in its E-Business Suite that could allow unauthorized access to sensitive data without any login credentials. The flaw is rated high severity with a CVSS score of 7.5, affects versions 12.2.3 through 12.2.14, and is exploitable remotely over HTTP by an unauthenticated attacker, so the update should be applied promptly. Oracle has not reported active exploitation, but the flaw poses a significant risk because it could be weaponized to expose sensitive resources.