Weekly Threat Briefing
Diamond Trail

Cyware Weekly Threat Intelligence, September 22–26, 2025


The Good

European authorities have crushed a €100 million crypto fraud ring, nabbing five suspects across multiple countries. Active since 2018, this scam lured victims in 23 nations with fake investment platforms. Operation HAECHI VI has clawed back $439 million from global cybercrime, striking a blow against financial fraud. Spanning 40 countries, this effort blocked 68,000 bank accounts and 400 crypto wallets, recovering $16 million in illicit crypto and $342 million in currencies.

  • Law enforcement agencies in Europe have successfully dismantled a cryptocurrency fraud ring responsible for over €100 million ($118 million) in losses affecting more than 100 victims. This operation, which began in September 2020, involved coordinated efforts from investigative teams across Spain, Portugal, Bulgaria, Italy, Lithuania, and Romania, with support from Eurojust and Europol. Five suspects were arrested during simultaneous searches in multiple countries, where bank accounts and financial assets linked to the fraud were frozen. The main perpetrator had been promising high returns on investments through sophisticated online platforms, diverting funds into accounts under their control. This extensive fraud scheme has been active since at least 2018, targeting investors across 23 countries and leaving many victims with significant financial losses. 

  • An international law enforcement initiative, Operation HAECHI VI, led to the recovery of $439 million in cash and cryptocurrency assets from global cybercrime operations. Conducted between April and August 2025, the operation involved authorities from 40 countries and targeted a wide range of cyber-enabled financial crimes. In total, 68,000 bank accounts were blocked and 400 cryptocurrency wallets were frozen, contributing to the recovery of $16 million in illicit crypto profits. These were part of the $97 million in physical and virtual assets recovered, alongside $342 million in government-backed currencies.

  • The Royal Canadian Mounted Police (RCMP) shut down the TradeOgre cryptocurrency exchange and seized over $40 million, marking the largest asset seizure in Canadian history. The Money Laundering Investigative Team (MLIT) began investigating TradeOgre in June 2024 after a Europol tip, leading to the platform’s shutdown by July 2024. RCMP confirmed the platform operated illegally, failing to register with FINTRAC and allowing cybercriminals to launder money due to its anonymity. 

The Bad

China’s UNC5221 is sneaking Brickstorm into network appliances, lurking undetected. This Go-based backdoor, mimicking legit software, hits SaaS and tech firms with custom C2 servers. Cloaked in fake copyright notices, the Lone None group is sneaking Pure Logs and Lone None Stealer into systems. With fake job portals as bait, Iran’s Nimbus Manticore targets Europe’s defense and telecom sectors. Their spear-phishing campaign uses multi-stage DLL sideloading to deploy MiniJunk and MiniBrowse.

  • A China-linked cyber-espionage group, UNC5221, is exploiting network appliances that lack traditional EDR support to deploy a sophisticated backdoor called Brickstorm. Brickstorm mimics legitimate software, employs unique C2 servers per victim, and enables long-term stealth, with attackers persisting undetected for an average of 393 days. UNC5221 targets organizations like SaaS providers, tech companies, and BPOs, often exploiting both known and zero-day vulnerabilities in Linux and BSD-based systems. The malware is cross-platform, written in Go, and includes advanced features like SOCKS proxy functionality and delayed activation timers for stealth. Brickstorm uses obfuscation tools like Garble and dynamic domains for C2 servers, making detection and tracking difficult.

  • Cisco ASA firewalls have been compromised by state-sponsored attackers exploiting recently disclosed zero-day vulnerabilities, CVE-2025-20362 and CVE-2025-20333. These attacks have led to the deployment of advanced malware known as RayInitiator and LINE VIPER, which utilize sophisticated techniques to evade detection, including disabling logging and intercepting commands. The threat actors, linked to a suspected China-based group, UAT4356, have targeted government agencies since May. The malware is designed to maintain persistence by modifying firmware and can execute commands, exfiltrate data, and bypass security measures. Additionally, a third critical vulnerability, CVE-2025-20363, has been identified but remains unexploited in the wild. 

  • Threat actors from the Lone None group are leveraging copyright takedown notices to distribute sophisticated malware, including Pure Logs Stealer and the newly identified Lone None Stealer. This campaign begins with spoofed emails that appear to come from legitimate legal firms, referencing real social media accounts to enhance credibility. The malware is delivered through obfuscated Python installers and malicious attachments disguised as legitimate applications. Lone None Stealer specifically targets cryptocurrency transactions by monitoring clipboard activity and replacing copied wallet addresses with those controlled by attackers. The campaign employs a novel C2 mechanism using Telegram bots, with payloads featuring multiple layers of obfuscation to evade detection.
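A defender-side heuristic for the clipboard-swapping behaviour described above, added here as an illustration and not taken from the Lone None Stealer analysis: a wallet address that is replaced by a different address of the same format within a couple of seconds is far more likely to be a malware write than a second user copy. The address patterns, the two-second window and the clipboard event log are assumptions constructed for this example.

```python
import re
from typing import List, Optional, Tuple

# Address formats the heuristic recognises (assumption: only BTC and ETH are checked here).
WALLET_PATTERNS = {
    "btc": re.compile(r"^(bc1[a-z0-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


def wallet_type(text: str) -> Optional[str]:
    """Return 'btc' or 'eth' if the clipboard text is a wallet address, else None."""
    for name, pattern in WALLET_PATTERNS.items():
        if pattern.match(text.strip()):
            return name
    return None


def detect_clipboard_swaps(events: List[Tuple[float, str]], window: float = 2.0):
    """Scan an ordered list of (timestamp_seconds, clipboard_contents) snapshots.

    Flags consecutive snapshots where one wallet address is replaced by a different
    address of the same format within `window` seconds. Returns a list of
    (timestamp, original_address, replacement_address) tuples.
    """
    alerts = []
    for (t_prev, prev), (t_cur, cur) in zip(events, events[1:]):
        kind_prev, kind_cur = wallet_type(prev), wallet_type(cur)
        if kind_prev and kind_prev == kind_cur and prev.strip() != cur.strip():
            if (t_cur - t_prev) <= window:
                alerts.append((t_cur, prev.strip(), cur.strip()))
    return alerts


# Constructed clipboard log: a fast ETH swap (suspicious) and two BTC copies a
# minute apart (normal user behaviour). Addresses are synthetic placeholders.
SAMPLE_EVENTS = [
    (0.0, "meeting notes"),
    (5.0, "0x" + "1" * 40),
    (5.3, "0x" + "2" * 40),
    (60.0, "bc1q" + "a" * 38),
    (75.0, "bc1q" + "b" * 38),
]

if __name__ == "__main__":
    for ts, original, replacement in detect_clipboard_swaps(SAMPLE_EVENTS):
        print(f"t={ts}: {original} -> {replacement}")
```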

  • Nimbus Manticore, an Iranian APT group, is executing a sophisticated malware campaign targeting defense, telecommunications, and aerospace sectors in Europe. Utilizing advanced spear-phishing techniques, the group impersonates HR recruiters through fake job portals, delivering malware via multi-stage DLL sideloading. Their main tools, the MiniJunk backdoor and MiniBrowse stealer, are designed to evade detection through heavy obfuscation and legitimate digital signatures. The infection chain begins with phishing links leading to malicious archives disguised as hiring-related software. The malware exploits low-level Windows APIs to manipulate DLL search paths, ensuring stealthy execution. 

  • A recent patch for the Steam game BlockBlasters has been found to contain malware that steals sensitive user information, including crypto wallet data. This malicious update bypassed security measures and has potentially affected hundreds of players. The patch includes a trojan batch file that collects various data points such as IP addresses and Steam login credentials, uploading them to a C2 server. Additionally, the malware unpacks hidden executables that disable Microsoft Defender scans and execute further malicious payloads. The infection has drawn significant attention, particularly after a live streaming incident where a user was infected during a charity event.

  • North Korean hackers are increasingly using ClickFix-style lures to deliver malware such as BeaverTail and InvisibleFerret, primarily targeting marketing and trading roles in the cryptocurrency and retail sectors. This marks a shift from their traditional focus on software developers. The malware is distributed through fake hiring platforms that entice victims with job offers, leading them to download malicious software under the guise of technical assessments. Recent campaigns have also employed deepfake technology and trusted platforms like GitHub to enhance their tactics. Additionally, the Kimsuky group has been observed using phishing techniques involving forged military IDs to compromise individuals associated with South Korean defense. 

New Threats

North Korean hackers are reeling in crypto developers with fake LinkedIn job offers, hiding AkdoorTea malware. This Contagious Interview campaign uses BeaverTail and Tropidoor to pilfer data across platforms. Russia’s COLDRIVER is baiting victims with a fake CAPTCHA in the ClickFix campaign. Using BAITSWITCH to download SIMPLEFIX, a PowerShell backdoor, this multi-stage attack targets Russian civil society and Western groups, gathering system data via stealthy C2 communication. Since 2022, a stealthy campaign has been hijacking DLLs to unleash a PlugX variant on Asia’s telecom and manufacturing sectors. It uses malicious documents and shared cryptographic tools to deploy RainyDay and Turian-like backdoors.

  • North Korean hackers associated with the Contagious Interview campaign are using a new backdoor called AkdoorTea to target cryptocurrency and Web3 developers across various operating systems. This campaign involves impersonating recruiters to lure victims with fake job offers on platforms like LinkedIn, leading them to install malware through deceptive video assessments or GitHub projects. Key tools employed include BeaverTail, InvisibleFerret, and TsunamiKit, which facilitate data exfiltration and cryptocurrency theft. The sophisticated malware Tropidoor, linked to the Lazarus Group, enhances stealth capabilities for file manipulation and monitoring. 

  • Zscaler ThreatLabz identified a multi-stage ClickFix campaign linked to the Russia-based APT group COLDRIVER, targeting members of Russian civil society and Western organizations. This campaign utilizes social engineering techniques, tricking users into executing malicious commands through a fake CAPTCHA interface. The infection chain begins with BAITSWITCH, a downloader that establishes persistence and retrieves payloads to deploy SIMPLEFIX, a PowerShell-based backdoor. BAITSWITCH communicates with a C2 server using a specific user-agent and executes commands via PowerShell. SIMPLEFIX supports various reconnaissance commands, allowing the threat actor to gather information about the victim's system. 

  • Cisco has released patches for 14 vulnerabilities in its IOS and IOS XE software, including a critical zero-day flaw, CVE-2025-20352, which is being actively exploited. This vulnerability allows remote attackers with administrative privileges to execute arbitrary code as the root user by exploiting a stack overflow in the Simple Network Management Protocol (SNMP) subsystem. All devices running vulnerable versions of IOS and IOS XE, along with certain Meraki and Catalyst switches, are affected. The updates also address additional high-severity vulnerabilities that could result in denial-of-service conditions, command execution with root privileges, and authentication bypass, among other risks. 

  • Cisco Talos has identified a sophisticated malware campaign that has been active since 2022, utilizing DLL search order hijacking to deploy a new variant of PlugX, which shares characteristics with the RainyDay and Turian backdoors. This operation primarily targets telecommunications and manufacturing sectors across Central and South Asia, revealing a convergence of functionalities and infrastructure among the Naikon and BackdoorDiplomacy groups. Analysts discovered that the malware families employ the same XOR-RC4-RtlDecompressBuffer decryption algorithm and identical RC4 keys, indicating a shared cryptographic toolkit. The campaign's initial infection typically begins with a malicious document or email, leading to the execution of a legitimate binary vulnerable to DLL hijacking. 

  • ShadowV2 is a newly identified DDoS-as-a-Service botnet that enables customers to self-manage DDoS attacks. It leverages misconfigured Docker containers and a Python-based C2 infrastructure hosted on GitHub CodeSpaces. The platform represents a shift from traditional botnet operations by offering a modular, user-driven attack interface. The ShadowV2 operation was observed targeting Docker daemons exposed on AWS cloud instances. The attackers deploy a generic setup container, install tools, and create a customized image for live deployment. The infection chain begins with a Python script hosted on GitHub CodeSpaces, which interacts with Docker to spawn containers. These containers act as wrappers for the Go-based malware, enabling the botnet to propagate across cloud environments.
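The exposed Docker daemons that ShadowV2 abuses are a configuration problem, so a quick audit of the daemon's own settings is the natural check. The following is an added example, not part of the original briefing or any vendor tool: it parses a Docker daemon.json, flags TCP API listeners bound to all interfaces, and flags any TCP listener that is not protected by tlsverify. The two sample configurations are constructed for the example.

```python
import json
from typing import List

TLS_KEYS = ("tlscacert", "tlscert", "tlskey")


def audit_docker_daemon_config(raw_json: str) -> List[str]:
    """Return a list of findings for a daemon.json string; an empty list means nothing flagged.

    Checks the documented `hosts`, `tlsverify`, `tlscacert`, `tlscert` and `tlskey`
    daemon options. Only tcp:// listeners are examined; unix:// and fd:// sockets
    are local to the host and not reachable from the network.
    """
    cfg = json.loads(raw_json)
    findings = []
    tls_verify = bool(cfg.get("tlsverify", False))
    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue
        bind = host[len("tcp://"):].rsplit(":", 1)[0]
        if bind in ("", "0.0.0.0", "::", "[::]"):
            findings.append(f"{host}: API listens on all interfaces")
        if not tls_verify:
            findings.append(f"{host}: TCP listener without tlsverify (unauthenticated API)")
        elif not all(cfg.get(k) for k in TLS_KEYS):
            findings.append(f"{host}: tlsverify set but tlscacert/tlscert/tlskey incomplete")
    return findings


# Constructed sample: the weak setting (plain TCP on every interface, no client auth)
# beside a hardened one (bound to a private address, mutual TLS required).
WEAK_CONFIG = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_CONFIG = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_docker_daemon_config(cfg) or "no findings")
```

On a real host, feed it the contents of /etc/docker/daemon.json; listeners passed on the dockerd command line with -H are not covered by this check.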

  • Researchers have discovered MalTerminal, the earliest known malware that incorporates GPT-4 capabilities, enabling it to dynamically generate ransomware code or reverse shell commands. MalTerminal utilizes a deprecated OpenAI API, suggesting it may serve as a proof-of-concept or red team tool. This malware exemplifies a new category of threats known as LLM-embedded malware, which poses significant challenges for cybersecurity defenses. Additionally, cybercriminals are employing sophisticated phishing techniques that utilize hidden prompts in emails to bypass AI security systems. These tactics exploit vulnerabilities like Follina, leading to the execution of malicious payloads.
