Cyware Weekly Threat Intelligence, September 02–05, 2025
The Good
Forging a united front, 15 nations have rallied behind a new guide to bolster software supply chain security with SBOMs. This joint effort pushes for transparency in software components, defining roles and urging broad adoption across industries. ISC2 is arming professionals with a new Threat Handling Foundations Certificate to tackle rising cyber incidents. Covering DFIR through four courses, it sharpens skills across four courses, addressing visibility gaps and supply chain risks with practical, tool-focused training.
In a significant collaboration, cybersecurity and intelligence agencies from 15 countries have released joint guidance on Software Bills of Materials (SBOMs) to enhance global supply chain security. The document outlines essential definitions, the value of SBOMs, and implementation strategies, emphasizing the need for transparency in software components. It identifies the roles of SBOM producers and end-users while encouraging widespread adoption across sectors. The guidance reflects a growing international consensus on the importance of software transparency, with notable support from agencies such as the CISA and the NSA. Signatories include organizations from Australia, Canada, Japan, and several European nations, marking a pivotal step toward improving software security through enhanced visibility and collaboration.
ISC2 introduced the Threat Handling Foundations Certificate to enhance Digital Forensics and Incident Response (DFIR) skills amid increasing cybersecurity incidents and breaches. The certificate includes four courses covering DFIR program building, digital forensics foundations, incident management, and network threat hunting. Topics include security program management, evidence handling, communication, security operations, and distinguishing between incidents and breaches. The program addresses challenges like visibility issues, vulnerability patching, and supply chain risks, while teaching evaluation of emerging tools and technologies.
Amazon recently disrupted the Russian state-sponsored hacking group APT29, also known as Midnight Blizzard, which aimed to access Microsoft 365 accounts through a sophisticated watering hole campaign. The hackers compromised legitimate websites, redirecting approximately 10% of visitors to fake Cloudflare verification pages designed to trick users into authorizing attacker-controlled devices via a malicious Microsoft device code authentication flow. Amazon's threat intelligence team identified the malicious domains and isolated the associated EC2 instances, collaborating with Cloudflare and Microsoft to dismantle the operation.
The Bad
A zero-day flaw in Sitecore deployments is opening doors for hackers to unleash WeepSteel malware. By exploiting a reused ASP.NET key, attackers achieve remote code execution. Iran’s Homeland Justice APT is casting a wide phishing net, targeting over 50 global embassies and organizations. Using 100+ hijacked email accounts and malicious Word docs, they exploit trusted identities to deliver malware. Lazarus Group is playing a dangerous game of impersonation, wielding three new RATs against a DeFi target. Using fake Telegram profiles and sham scheduling sites, they deploy PondRAT for initial access.
Hackers exploited a zero-day vulnerability (CVE-2025-53690) in legacy Sitecore deployments caused by the reuse of a sample ASP.NET machine key, leading to RCE. Attackers used the '/sitecore/blocked.aspx' endpoint to drop WeepSteel reconnaissance malware, which collects system, process, disk, and network information disguised as standard ViewState responses. The multi-stage attack involved deploying tools like Earthworm (network tunneling), Dwagent (remote access), and 7-Zip for data exfiltration and archiving. Privilege escalation was achieved by creating local administrator accounts, dumping cached credentials, and using tools like GoTokenTheft for token impersonation. Persistence was ensured through disabling password expiration and registering Dwagent as a SYSTEM service.
Cybersecurity researchers have uncovered a malware campaign utilizing SVG files to carry out phishing attacks that impersonate the Colombian judicial system. These SVG files, distributed via email, contain embedded JavaScript payloads that decode and inject Base64-encoded phishing pages, mimicking the Fiscalía General de la Nación's official portal. This deceptive page simulates a document download process while secretly downloading a ZIP file in the background. VirusTotal identified 44 unique SVG files that evade antivirus detection through techniques like obfuscation and junk code. Additionally, the campaign is part of a larger trend where attackers are increasingly targeting macOS users with the Atomic macOS Stealer (AMOS), which extracts sensitive data, including credentials and cryptocurrency information.
A recently disclosed macOS vulnerability (CVE-2025-24204) allowed attackers to read the memory of any process, even with System Integrity Protection enabled. This issue arose from Apple mistakenly granting the gcore utility elevated permissions in macOS 15.0, which was later revoked in macOS 15.3. Security researcher Koh M. Nakagawa discovered the flaw while testing Microsoft's ProcDump-for-Mac tool, which utilizes gcore. The vulnerability enabled the extraction of sensitive information, including the Master Key for decrypting the login Keychain without a password, and allowed access to decrypted FairPlay-encrypted iOS app binaries.
XWorm, a sophisticated backdoor malware, has transitioned from predictable distribution methods to more deceptive and intricate infection chains. Initially relying on email-based attacks, it now employs .lnk files to initiate complex infections that drop disguised executables like discord.exe and system32.exe. This multi-stage deployment evades detection by using legitimate-looking filenames and advanced packing techniques. Once executed, XWorm disables Windows Firewall, checks for security applications, and establishes persistence through scheduled tasks and registry entries. It employs cryptographic methods, including Rijndael and Base64 encoding, to conceal communication with its command and control servers.
Proofpoint researchers have observed a significant increase in phishing campaigns utilizing Stealerium, an open-source infostealer launched on GitHub in 2022. Initially overlooked, Stealerium has gained traction among cybercriminals who modify it for real-world attacks, leading to the emergence of variants like Phantom Stealer and Warp Stealer. Recent campaigns have targeted various sectors, employing tactics such as impersonating charitable organizations, travel booking requests, and legal threats. Stealerium is equipped with advanced features for credential theft, system reconnaissance, and cryptocurrency wallet targeting, alongside a sextortion capability that captures sensitive content. Its diverse exfiltration methods, including SMTP, Discord webhooks, and Telegram, complicate detection efforts, underscoring the growing appeal of open-source malware in the cybercriminal landscape.
Iranian state hackers, associated with the Homeland Justice APT group, launched a phishing campaign targeting over 50 embassies, ministries, and international organizations worldwide. Utilizing more than 100 compromised email accounts, the attackers sent emails disguised as official communications, often containing malicious Word document attachments that required users to enable macros. This tactic, although considered outdated, proved effective due to the credibility of the compromised accounts. The campaign began on August 19 and involved sophisticated evasion techniques, such as hiding malware within the victim's Documents folder. Targets spanned various regions, including the Middle East, Europe, Africa, Asia, and the Americas, with notable organizations like the UN and the World Bank among those affected.
A sophisticated malware campaign known as TinyLoader is actively targeting Windows systems through various attack methods, including network share exploitation and USB device propagation. This malware functions primarily as a delivery mechanism for other threats, such as Redline Stealer and DCRat, and is designed to steal cryptocurrency by monitoring clipboard activity. TinyLoader replaces legitimate cryptocurrency wallet addresses with those controlled by attackers during transactions, making detection nearly impossible. The malware spreads by creating deceptive shortcuts that appear legitimate and by scanning local networks for accessible shared folders, allowing it to propagate rapidly within corporate environments. Its infrastructure spans multiple countries, indicating a well-organized operation.
The North Korea-linked Lazarus Group has expanded its malware arsenal with three new tools: PondRAT, ThemeForestRAT, and RemotePE. These were deployed in a social engineering campaign targeting a DeFi organization, where the attackers impersonated an employee on Telegram and used fake scheduling websites to gain access. Once inside, they utilized PondRAT, a basic remote access tool, to establish a foothold and deploy more sophisticated malware. ThemeForestRAT was then used for advanced operations, including monitoring remote desktop sessions and executing commands. The final stage involved RemotePE, a more complex RAT designed for high-value targets.
New Threats
Slipping through digital cracks, China-aligned GhostRedirector is hijacking Windows servers with a stealthy C++ backdoor called Rungan. Paired with the Gamshen IIS module for SEO fraud, it boosts gambling sites on Google. Lurking in your inbox, Russia’s APT28 is wielding NotDoor to turn Outlook into an espionage tool. This VBA backdoor, triggered by email keywords, uses obfuscation and DLL side-loading to dodge detection. A fake PDF editor peddled through Google ads is dishing out the TamperedChef infostealer to unsuspecting users.
GhostRedirector is a newly identified China-aligned threat actor targeting Windows servers. It uses a passive C++ backdoor named Rungan for remote command execution. A malicious IIS module, Gamshen, is used for SEO fraud, manipulating Google search rankings to promote gambling websites. GhostRedirector exploits public vulnerabilities like EfsPotato and BadPotato for privilege escalation. The campaign compromised at least 65 Windows servers, mainly in Brazil, Thailand, Vietnam, and the U.S., affecting diverse sectors such as healthcare, education, and retail. GhostRedirector deploys tools like Zunput to collect website information and install webshells.
Hackers are increasingly exploiting vulnerabilities using HexStrike-AI, an AI-powered security framework designed for penetration testing. This tool automates the exploitation of newly disclosed n-day flaws, such as Citrix vulnerabilities CVE-2025-7775, CVE-2025-7776, and CVE-2025-8424, significantly reducing the time required for attacks from days to mere minutes. With nearly 8,000 endpoints still vulnerable as of early September, attackers have begun discussing HexStrike-AI on hacking forums, sharing methods to deploy it for unauthorized access. The tool’s open-source nature has made it popular among malicious actors, enabling them to achieve remote code execution and maintain persistence through automated processes.
Russian state-sponsored hackers, known as APT28 or Fancy Bear, have developed a sophisticated malware called NotDoor that specifically targets Microsoft Outlook users. This stealthy backdoor, written in VBA, activates when it detects certain keywords in incoming emails, allowing attackers to execute malicious commands. NotDoor employs advanced evasion techniques, including code obfuscation and DLL side-loading, to avoid detection by security software. It modifies Outlook's registry settings to ensure persistence and suppress security alerts. Once activated, the malware exfiltrates sensitive data to an attacker-controlled email address while confirming its execution through web callbacks. NotDoor has already compromised multiple organizations across NATO member countries.
Obscura is a newly identified ransomware variant that emerged on August 29. This ransomware targets domain controllers, executing from the NETLOGON folder, and employs scheduled tasks to facilitate its spread across networks. It disables recovery options by deleting shadow copies and utilizes a ransom note to threaten data exposure while demanding payment for decryption assistance. Obscura requires administrative privileges to operate, performing system reconnaissance and terminating security processes to prepare for encryption. It uses advanced encryption techniques, specifically XChaCha20, and appends a unique footer to encrypted files. The variant also includes a filtering mechanism to exclude certain file types, ensuring system functionality remains intact while maximizing damage to user data.
Cybercriminals are distributing the TamperedChef infostealer through a fraudulent PDF editing application called AppSuite PDF Editor, promoted via Google ads across multiple websites. This campaign, which began on June 26, involves over 50 domains and utilizes apps signed with fake certificates from various companies. Initially, the app functions normally, but an update on August 21 activates its malicious capabilities, allowing it to collect sensitive data such as credentials and web cookies. Researchers discovered that the malware checks for security agents on the host system and queries installed web browsers using Windows' Data Protection API. The threat actors employed a strategy to maximize downloads before activating the infostealer, suggesting a well-coordinated operation.