Cyware Weekly Threat Intelligence, September 29–October 03, 2025

The Good
Like a blueprint for digital fortresses, seven nations have rolled out OT security guidance. Built on five principles, it demands clear records of OT components and robust risk management to shield critical systems from supply chain threats. With a global dragnet, Interpol’s Operation Contender 3.0 nabbed 260 suspects across 14 African countries, smashing romance scams and sextortion rings.
National cybersecurity agencies from seven countries, including the Five Eyes nations, released OT security guidance aimed at cybersecurity practitioners managing OT systems. The guidance is structured around five core principles: maintaining a definitive record, establishing an OT security management program, asset categorization, documentation of system connectivity, and third-party risk management. The guidance emphasizes creating a definitive record of OT components, including devices, software, connectivity, and supply chain relationships, while addressing operational constraints and security risks.
Interpol's Operation Contender 3.0 led to the arrest of 260 cybercrime suspects across 14 African countries, targeting romance scams and sextortion networks. Authorities dismantled 81 cybercrime infrastructure networks and seized devices such as USB drives, SIM cards, and forged documents, with losses estimated at $2.8 million from 1,500 victims. Operation Contender 3.0 was part of a larger Interpol crackdown, Operation Serengeti 2.0, which arrested 1,209 alleged cybercriminals and disrupted cybercrime networks causing $485 million in losses.
The Bad
Through DNS trickery, Detour Dog is spreading Strela Stealer via TXT records and compromised sites. A VMware zero-day flaw, exploited by China’s UNC5174 since last October, is granting attackers root access. A malvertising scheme lures victims with a fake Microsoft Teams installer to unleash Oyster malware.
Detour Dog is a sophisticated threat actor leveraging DNS-based malware to conduct campaigns that distribute Strela Stealer. This actor uses DNS TXT records for C2 operations, allowing for multi-stage payload delivery through compromised websites. Initially focused on redirecting users to scams, Detour Dog evolved to host and distribute malware by executing remote code via DNS. Collaborating with Hive0145, the operator of Strela Stealer, Detour Dog employs botnets like REM Proxy to facilitate spam delivery. Recent sinkholing efforts have revealed a significant global footprint, with over 30,000 infected hosts generating substantial bot traffic. The use of encoded IP addresses in DNS queries indicates sophisticated tactics aimed at evading detection.
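The two behaviours called out above, TXT answers carrying encoded payloads and query names that embed an encoded IP address, are both visible in resolver logs. The following is an added illustration written for this digest, not code from Cyware, Infoblox or any other vendor: it scans a constructed DNS log (the space-separated format, the thresholds and the "8 hex chars = IPv4" label encoding are assumptions for the example, not Detour Dog's actual scheme) and flags records that match either heuristic.

```python
"""Flag DNS TXT answers that look like encoded payloads and query labels that
encode the client's own IP. Added example; the log format, thresholds and the
hex-encoded-IP scheme are assumptions, not the actor's real tradecraft."""
import base64
import math
import re
import shlex
from ipaddress import IPv4Address

B64_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")   # bare base64 blob
HEX_IP_RE = re.compile(r"^[0-9a-f]{8}$")              # 4 bytes as 8 hex chars


def shannon_entropy(s: str) -> float:
    """Bits per character: base64 text sits near 5-6, prose near 4."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    """Parse 'ts client qtype qname answer'; the answer may be a quoted string."""
    parts = shlex.split(line)
    if len(parts) != 5:
        return None
    ts, client, qtype, qname, answer = parts
    return {"ts": ts, "client": client, "qtype": qtype,
            "qname": qname.lower(), "answer": answer}


def hex_label_to_ip(label: str):
    """Decode an 8-hex-char label to dotted-quad, or None if it is not one."""
    if not HEX_IP_RE.match(label):
        return None
    return str(IPv4Address(bytes.fromhex(label)))


def analyze_dns_log(text: str, min_len: int = 60, min_entropy: float = 4.5):
    """Return one finding per record that trips either heuristic."""
    findings = []
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        reasons = []
        first_label = rec["qname"].split(".")[0]
        # Encoded-IP tactic: the first label decodes to the querying host's address.
        if hex_label_to_ip(first_label) == rec["client"]:
            reasons.append("query label encodes the client's own IPv4 address")
        if rec["qtype"] == "TXT":
            ans = rec["answer"]
            if B64_RE.match(ans):
                reasons.append("TXT answer is a bare base64 blob")
            elif len(ans) >= min_len and shannon_entropy(ans) >= min_entropy:
                reasons.append("TXT answer is long and high-entropy")
        if reasons:
            findings.append({"client": rec["client"], "qname": rec["qname"],
                             "reasons": reasons})
    return findings


# Constructed sample telemetry (not real logs). The third line carries a
# base64-encoded stage-two instruction and a hex-encoded copy of the client IP.
_STAGE = base64.b64encode(b"stage2 https://cdn.example.invalid/loader.bin 9823").decode()
SAMPLE_DNS_LOG = f"""\
1700000000 10.0.0.5 A www.example.com 93.184.216.34
1700000001 10.0.0.5 TXT _dmarc.example.com "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
1700000002 10.0.0.7 TXT 0a000007.beacon.lookup-test.invalid "{_STAGE}"
1700000003 10.0.0.9 TXT example.com "google-site-verification=abc123"
"""

if __name__ == "__main__":
    for f in analyze_dns_log(SAMPLE_DNS_LOG):
        print(f["client"], f["qname"], "; ".join(f["reasons"]))
```

Legitimate TXT records (SPF, DMARC, site-verification tokens) are short and structured, so neither rule fires on them; the value of the base64 rule is that it is independent of the payload's content, while the encoded-IP rule ties the query to the host that made it, which is a strong per-client pivot for incident response.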
CERT-UA has reported targeted cyberattacks utilizing a backdoor known as CABINETRAT, linked to the threat cluster UAC-0245. This malware is distributed through XLL files, masquerading as documents shared via ZIP archives on the Signal messaging app. Once executed, CABINETRAT creates malicious executables on the compromised host and modifies the Windows Registry for persistence. It employs anti-virtual machine techniques to avoid detection, checking for specific hardware configurations. Written in C, CABINETRAT collects system information, captures screenshots, and facilitates file operations while communicating with a remote server over TCP.
A critical VMware vulnerability, tracked as CVE-2025-41244, has been exploited as a zero-day since October 2024, allowing attackers to execute code with elevated privileges on virtual machines. This flaw affects both VMware Aria Operations and VMware Tools, enabling privilege escalation to root on systems that have these tools installed. Broadcom recently released patches but did not disclose the ongoing exploitation by the Chinese state-sponsored group UNC5174, which has reportedly used this vulnerability for over a year. The vulnerability impacts various discovery features within VMware, including both credential-based and credential-less modes. The open-source version, open-vm-tools, used in major Linux distributions, is also susceptible.
Hackers are probing systems for CVE-2024-3400, a critical vulnerability in Palo Alto PAN-OS GlobalProtect, enabling file creation and possible OS command injection. The vulnerability affects PAN-OS versions 10.2, 11.0, and 11.1 configured with GlobalProtect, but not Cloud NGFW, Panorama, or Prisma Access. A CVSS score of 10.0 and public proof-of-concept code heighten the urgency for patching and mitigation. Palo Alto Networks has released fixes and hotfixes for affected versions, along with threat prevention signatures to block exploit attempts.
Arctic Wolf has observed a significant increase in Akira ransomware attacks targeting SonicWall firewalls through malicious SSL VPN logins. Threat actors exploit the CVE-2024-40766 vulnerability, allowing them to gain initial access and bypass multi-factor authentication using valid credentials. Following the breaches, they quickly execute lateral movement within compromised networks, utilizing tools for internal scanning and Active Directory enumeration. The campaign features rapid deployment of ransomware, often within hours of initial access, with tactics including credential harvesting and data exfiltration.
A sophisticated malvertising campaign has targeted organizations using a weaponized Microsoft Teams installer to deliver the Oyster malware. This attack employs a multi-stage approach, starting with SEO poisoning that redirects victims from legitimate Bing searches to a malicious domain, teams-install.icu, disguised as a Microsoft property. The installer, digitally signed with a valid but short-lived certificate, allows attackers to bypass traditional security measures. Once executed, the malware establishes a backdoor for persistent access and attempts command-and-control communication with a server, but Microsoft Defender successfully blocks this connection. The rapid attack sequence is capable of compromising users in under 15 seconds.
A critical vulnerability (CVE-2025-10035) in Fortra's GoAnywhere MFT software is being actively exploited as a zero-day, allowing remote command injection without authentication. The flaw, a deserialization vulnerability in the License Servlet, can be exploited using a forged license response signature to gain unauthorized access. watchTowr Labs confirmed evidence of exploitation dating back to September 10, eight days before Fortra's public advisory. Attackers used the vulnerability to create backdoor admin accounts and execute secondary payloads. System administrators are urged to upgrade to patched versions (7.8.4 or 7.6.3) and mitigate exposure by removing public internet access to the GoAnywhere Admin Console.
New Threats
Luring UAE users with fake Signal and ToTok apps, Android/Spy.ProSpy and ToSpy are pilfering sensitive data. Spread through phishing sites, these spyware variants steal SMS, contacts, and chat histories. Posing as an IPTV and VPN app, Klopatra is snaring over 3,000 European Android devices. Hiding behind trusted EV certificates, hackers are slipping undetectable DMG payloads into macOS systems. This campaign mimics legitimate developers to deploy Odyssey Stealer.
ESET researchers have identified two Android spyware campaigns, Android/Spy.ProSpy and Android/Spy.ToSpy, targeting users in the UAE who favor secure communication apps like Signal and ToTok. These spyware families are distributed through deceptive websites that impersonate legitimate apps, employing phishing tactics to lure victims into manual installations. ProSpy masquerades as both Signal and ToTok, while ToSpy focuses solely on ToTok users, specifically targeting .ttkmbackup files to extract chat history. Once installed, the spyware exfiltrates sensitive data, including SMS messages, contacts, and files, while maintaining persistence on devices through various methods. Both campaigns remain active, with ongoing distribution and control servers still operational.
A new Android malware named Klopatra, disguised as an IPTV and VPN app, has infected over 3,000 devices in Europe. It is a banking RAT with advanced features like real-time screen monitoring, input capture, and a hidden VNC mode. The malware is distributed through a dropper app called "Modpro IP TV + VPN" outside the Google Play Store. It employs advanced evasion techniques like code protection, anti-debugging mechanisms, and emulator detection. Klopatra exploits Android's Accessibility Service to gain permissions, simulate user actions, and monitor sensitive information. It also features a black-screen VNC mode for performing unauthorized actions, such as bank transactions, while appearing idle to the victim. Researchers link Klopatra to a Turkish-speaking cybercrime group, with evidence of active development since March, including 40 different builds.
MatrixPDF is a new phishing and malware distribution toolkit that transforms ordinary PDF files into interactive lures, bypassing email security and redirecting victims to credential theft or malware downloads. The toolkit is marketed as a phishing simulation and blackteaming tool, featuring drag-and-drop PDF import, real-time preview, and customizable security overlays for crafting professional-grade phishing scenarios. MatrixPDF allows attackers to add malicious features to legitimate PDFs, such as blurred content, fake prompts, and clickable overlays leading to external payload URLs. Embedded JavaScript actions in MatrixPDF can trigger malicious actions, like opening external sites or phishing pages, when users interact with the document.
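Every MatrixPDF feature listed above (embedded JavaScript actions, clickable overlays, external payload URLs) leaves a recognisable name object in the PDF, which is what mail-gateway static triage keys on. The following is an added example written for this digest, not code from Varonis or Cyware: a scanner that tallies active-content names, undoes the `#xx` name escaping a lure can use to hide them, inflates FlateDecode streams so names inside compressed objects are seen, and extracts any URLs. The two sample PDFs, the name list and the verdict thresholds are constructed for the example.

```python
"""Static triage of a PDF for the active-content features a MatrixPDF-style
lure relies on. Added example; the sample PDFs below are constructed by hand
and are minimal enough to scan, not to render."""
import re
import zlib

ACTIVE_NAMES = {"/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
                "/URI", "/SubmitForm", "/RichMedia"}
NAME_RE = re.compile(rb"/[A-Za-z0-9#_.\-]+")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.S)
URL_RE = re.compile(rb'https?://[^\s)\'"<>]+')


def decode_pdf_name(raw: bytes) -> str:
    """Undo #xx escapes so '/J#61vaScript' is recognised as '/JavaScript'."""
    def unhex(m):
        return bytes([int(m.group(1), 16)])
    return re.sub(rb"#([0-9A-Fa-f]{2})", unhex, raw).decode("latin-1")


def inflate_streams(data: bytes) -> bytes:
    """Append decompressed Flate stream bodies so names hidden inside
    compressed objects are scanned too; streams that are not zlib are skipped."""
    extra = []
    for m in STREAM_RE.finditer(data):
        try:
            extra.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue
    return data + b"\n" + b"\n".join(extra)


def scan_pdf(data: bytes) -> dict:
    """Count active-content names, collect URLs and give a coarse verdict."""
    body = inflate_streams(data)
    counts = {}
    for m in NAME_RE.finditer(body):
        name = decode_pdf_name(m.group(0))
        if name in ACTIVE_NAMES:
            counts[name] = counts.get(name, 0) + 1
    urls = sorted({u.decode("latin-1") for u in URL_RE.findall(body)})
    verdict = "review" if counts else "no active content"
    if counts.keys() & {"/JavaScript", "/JS", "/Launch"}:
        verdict = "suspicious"   # script or program execution on open/click
    return {"features": counts, "urls": urls, "verdict": verdict}


def build_pdf(objects: list) -> bytes:
    """Assemble a minimal xref-less PDF body from object bodies (constructed)."""
    out = [b"%PDF-1.7\n"]
    for i, body in enumerate(objects, 1):
        out.append(b"%d 0 obj\n%s\nendobj\n" % (i, body))
    out.append(b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return b"".join(out)


BENIGN_PDF = build_pdf([
    b"<< /Type /Catalog /Pages 2 0 R >>",
    b"<< /Type /Pages /Kids [] /Count 0 >>",
])

# Constructed lure: /OpenAction is #-escaped, the JavaScript body sits in a
# Flate stream, and a link annotation points at an external "payload" URL.
_js = zlib.compress(b"app.launchURL('https://payload.example.invalid/login', true);")
LURE_PDF = build_pdf([
    b"<< /Type /Catalog /Pages 2 0 R /Open#41ction 3 0 R >>",
    b"<< /Type /Pages /Kids [5 0 R] /Count 1 >>",
    b"<< /S /JavaScript /JS 4 0 R >>",
    b"<< /Length %d /Filter /FlateDecode >>\nstream\n%s\nendstream" % (len(_js), _js),
    b"<< /Type /Annot /Subtype /Link /A << /S /URI "
    b"/URI (https://payload.example.invalid/login) >> >>",
])

if __name__ == "__main__":
    for label, pdf in (("benign", BENIGN_PDF), ("lure", LURE_PDF)):
        print(label, scan_pdf(pdf))
```

A `/URI` on its own only earns a "review" verdict, since legitimate documents link out all the time; it is the combination with `/OpenAction` plus `/JavaScript` (code that runs before the user has clicked anything) that separates a lure from a brochure. Name-escape decoding and stream inflation are what keep a simple string match from being defeated by trivial obfuscation; object streams with other filters would need the matching decoders added.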
Security researchers have discovered a new macOS malware campaign where hackers are misusing Extended Validation (EV) code-signing certificates to distribute fully undetectable DMG payloads. A recently identified DMG sample appears legitimate due to the rigorous verification process associated with EV certificates. However, the malware employs tactics such as mimicking legitimate developer names and executing a credential-harvesting trojan known as Odyssey Stealer. This trojan downloads and runs malicious binaries without triggering security alerts, undermining the trust model of Apple’s code-signing system.
Cybersecurity researchers discovered a new Android banking trojan called Datzbro, targeting elderly users through AI-generated Facebook travel event scams. Victims are tricked into downloading malicious APK files via fraudulent links, leading to device takeover and financial fraud. The malware uses advanced techniques like Android accessibility services, keylogging, and overlay attacks to steal credentials and conduct transactions. Datzbro's remote control mode allows attackers to recreate the victim's device layout for effective exploitation.
Klopatra, a new Android banking trojan, is enabling full remote control of devices and large-scale financial fraud. It uses Virbox for advanced obfuscation and native C/C++ libraries to evade detection. Infection begins with a dropper disguised as a streaming app, exploiting "Install Unknown Apps" and Accessibility Services permissions. Hidden VNC allows attackers to operate devices stealthily, even simulating a "black screen" to avoid user suspicion.