Cyware Weekly Threat Intelligence, September 15–19, 2025

The Good
In a bold takedown, Microsoft and Cloudflare have dismantled the RaccoonO365 phishing empire targeting Microsoft 365 users. This PhaaS racket, raking in $100,000 in crypto, hit sectors like healthcare, prompting a lawsuit with Health-ISAC and the seizure of 330 domains to protect public safety. Brazil is setting a new benchmark for kids' online safety with a landmark law demanding strict age verification. The Digital ECA bans targeted ads for children, requires parental tools, and ditches self-declaration for reliable checks, making Brazil the first in Latin America to shield minors from harmful content.
Microsoft and Cloudflare have successfully disrupted the RaccoonO365 phishing service, which has been used by cybercriminals to steal Microsoft 365 credentials from thousands of users worldwide. Operating under a phishing-as-a-service model, RaccoonO365 generated significant revenue, with estimates of at least $100,000 earned in cryptocurrency. The service targeted various sectors, including healthcare, prompting Microsoft to file a lawsuit in partnership with Health-ISAC due to the risks posed to public safety. In a coordinated effort, Microsoft’s Digital Crimes Unit seized over 330 domains linked to the operation, while Cloudflare banned associated domains and removed malicious scripts.
Brazil has enacted a groundbreaking law mandating online age verification and stringent privacy protections for children and adolescents. Signed by President Luiz Inácio Lula da Silva, the Digital ECA requires digital service providers to implement reliable age verification methods, moving away from self-declaration. The law aims to prevent minors from accessing harmful content, including violence and sexual exploitation, and prohibits the processing of children's personal data for targeted advertising. Additionally, it mandates parental supervision tools to help adults manage their children's online activities. Set to take effect in March 2026, this legislation positions Brazil as the first country in Latin America to establish dedicated protections for children's online privacy and safety.
The Bad
Researchers have uncovered joint activity involving the use of Gamaredon's custom tools to deploy Kazuar, a powerful Turla-developed backdoor known for its stealth and persistence. In a recent FileFix campaign, threat actors are hiding malicious PowerShell scripts and encrypted binaries inside seemingly innocent image files. Unlike earlier proof-of-concept variants, this iteration ups the ante by using multilingual phishing pages and deeply obfuscated JavaScript. AppSuite, OneStart, and ManualFinder are a malware triple threat. Posing as legit tools like PDF editors, they use Electron and PowerShell to track users and install sneaky extensions.
Russian hacking groups Gamaredon and Turla have joined forces to target Ukrainian entities, deploying the Kazuar backdoor through a series of sophisticated cyberattacks. Evidence from ESET indicates that Gamaredon utilized tools like PteroGraphin and PteroOdd to execute Turla's Kazuar malware, suggesting a collaborative effort to gain access to specific machines in Ukraine. The attacks have primarily focused on the Ukrainian defense sector, intensifying since Russia's invasion in 2022. Kazuar, a frequently updated malware, has evolved through various versions, with v3 introducing additional capabilities for data gathering and exfiltration.
A recent FileFix campaign has emerged, utilizing steganography to conceal malicious PowerShell scripts and encrypted executables within JPG images. This attack encourages victims to paste harmful commands into a file upload interface, triggering an obfuscated PowerShell chain that extracts payloads from the images. Notably, this iteration of the campaign deviates from earlier proof-of-concept versions by employing multilingual phishing pages and extensive JavaScript minification, enhancing its deceptive tactics. The phishing site mimics a Meta support page, pressuring users into executing commands disguised as file paths. The infection chain begins with a PowerShell one-liner that downloads an image from Bitbucket, ultimately leading to the deployment of StealC, an infostealer capable of harvesting sensitive data from various applications and services.
Two malicious Python packages, "sisaws" and "secmeasure," were found in the PyPI repository, delivering the SilentSync RAT, which targets Windows systems. The "sisaws" package masquerades as a tool for interfacing with Argentina's healthcare APIs but contains a backdoor that downloads the malware using hardcoded tokens. Similarly, "secmeasure" claims to provide string manipulation functions while primarily serving as a malware distributor. SilentSync is capable of executing remote commands, exfiltrating files, and stealing browser data, including credentials and cookies from popular web browsers, and it communicates with its C2 server via a REST API.
Developers of the PureHVNC RAT have been exposed for using GitHub repositories to host critical components and plugin source code for their Pure malware family. The campaign started with a phishing attack tricking victims into running a PowerShell payload via a fake job listing, leading to a Rust-based loader that installed PureHVNC RAT instances identified as “2a” and “amazon3.” Attackers deployed malicious JavaScript files, established persistence through scheduled tasks, and executed the Sliver C2 framework, while the RAT exfiltrated system details like antivirus software, user privileges, and OS information via SSL-secured, compressed payloads up to 16 KB. Forensic analysis revealed the RAT's command set, modular plugin system with runtime decompression, and integration with PureCrypter for customizable encryption and injection. The builder supports English, Russian, and Chinese, with the Rust loader hooking LdrLoadDll to disable AMSI scanning and executing shellcode.
A coordinated malware campaign involving AppSuite, OneStart, and ManualFinder has been uncovered, revealing a shared infrastructure and overlapping tactics. These programs, often disguised as legitimate software like PDF editors or browsers, have evolved over time to include various components such as Electron, Node.js, and PowerShell scripts. The actors behind these threats have been active since at least 2018, leveraging deceptive installers and randomized domains to distribute and control malware. OneStart, derived from the Chromium browser, installs extensions that track user behavior and can silently add additional software. Older versions of OneStart employed PowerShell scripts and node.exe to execute malicious JavaScript, linking them to ManualFinder infections. Additionally, earlier iterations like SecureBrowser and DesktopBar were distributed under different names, showcasing the actors' evolving tactics.
New Threats
Malware deployment is getting more modular and more menacing. CountLoader is a newly developed malware loader tied to Russia-affiliated ransomware groups like LockBit, BlackBasta, and Qilin. Google has shipped an urgent patch to plug a critical flaw in Chrome. Tracked as CVE-2025-10585, the newly patched vulnerability stems from a type confusion bug in the V8 JavaScript engine. Maranhão Stealer is hunting gamers through pirated software. Built with Node.js and Inno Setup, it mimics Microsoft components to hide, using DLL injection for persistence.
Silent Push has identified a new malware loader named CountLoader, closely linked to Russian ransomware gangs such as LockBit, BlackBasta, and Qilin. This evolving threat is delivered in three versions: .NET, PowerShell, and JScript, and has been utilized in phishing campaigns targeting individuals in Ukraine, often impersonating Ukrainian police. CountLoader is capable of dropping various malware agents, including Cobalt Strike and Adaptix C2, and employs sophisticated techniques for persistence and communication. It gathers extensive system information from victims and utilizes multiple methods for file downloading and execution. The malware's infrastructure is designed to blend into legitimate enterprise traffic.
Raven Stealer is a lightweight and sophisticated information-stealing malware developed in Delphi and C++. It primarily targets Chromium-based browsers, extracting sensitive data such as passwords, cookies, payment details, and autofill entries. Utilizing a modular design, it allows attackers to easily embed configuration details like Telegram bot tokens for seamless data exfiltration. The malware operates stealthily by employing techniques such as in-memory execution and process injection, which help it evade detection by traditional security measures. Once active, it aggregates stolen credentials and system information, transmitting them directly to the attacker via Telegram, thereby posing significant risks to both personal and enterprise environments.
Google has released a critical update for Chrome, addressing the sixth zero-day vulnerability of 2025, tracked as CVE-2025-10585. This vulnerability, a type confusion issue in the V8 JavaScript engine, allows attackers to exploit crafted HTML pages for remote code execution and other malicious activities. Alongside this, the update resolves two additional use-after-free vulnerabilities and a heap buffer overflow in the ANGLE graphics engine. The latest Chrome version is now being rolled out across Windows, macOS, and Linux platforms.
A sophisticated worm named Shai-Hulud has infiltrated the npm ecosystem, targeting popular packages with millions of weekly downloads. The 3MB+ JavaScript malware compromises npm developer accounts, injecting itself into maintained packages to spread further. Each infected package triggers a malicious bundle.js script upon installation, designed to steal npm, GitHub, AWS, and GCP tokens, while also deploying TruffleHog to detect up to 800 secrets. The worm creates public GitHub repositories named “Shai-Hulud” to store stolen secrets and uses GitHub Actions to exfiltrate tokens to a remote server. Additionally, it converts private repositories to public, exposing sensitive code and vulnerabilities. Impacting over 700 GitHub repositories, this campaign is linked to the earlier s1ngularity/Nx supply chain attack, amplifying its reach through compromised developer accounts and stolen tokens.
XillenStealer, a Python-based information stealer, targets sensitive data across Windows, Linux, and macOS. Written in Russian, it uses a Tkinter GUI builder (V3.0) with password-protected access to customize and compile modular scripts that harvest system metadata, browser credentials, cryptocurrency wallets, Discord and Steam tokens, Telegram sessions, and game launcher data. Featuring anti-debugging, virtual machine detection, and process injection into explorer.exe, it ensures stealth, while persistence is achieved through scheduled tasks or cron jobs. Stolen data is compiled into structured text and HTML reports, segmented into smaller archives for reliable Telegram bot exfiltration.
A sophisticated malware campaign known as Maranhão Stealer has emerged, targeting gaming enthusiasts through malicious pirated software distributed on cloud-hosted platforms. Utilizing Node.js and Inno Setup installers, this malware employs advanced evasion techniques and social engineering to compromise user accounts and cryptocurrency wallets. Once installed, it creates a deceptive directory structure resembling legitimate Microsoft components, ensuring persistence through registry modifications and reflective DLL injection. Maranhão Stealer conducts extensive reconnaissance of infected systems, collecting hardware specifications, network details, and geolocation information. Its primary focus is on stealing credentials from popular cryptocurrency wallet applications, reflecting a shift towards targeting high-value digital assets.