Cyware Daily Threat Intelligence, April 03, 2025

shutterstock 2348394705 (1)

Daily Threat Briefing April 3, 2025

Payment forms are being hijacked with surgical precision. A web skimming campaign is abusing an old Stripe API to validate stolen credit card data before exfiltrating it. The attack mimics legitimate payment screens and targets merchants running WooCommerce, WordPress, and PrestaShop, with cryptocurrency payment options thrown in for extra misdirection.

The Bruno API client just got hit with two high-severity vulnerabilities. One allows malicious collections to bypass Safe Mode and run arbitrary code, while the other abuses environment naming for cross-site scripting that could lead to file theft or remote code execution. Both flaws are now patched in version 1.39.1.

Cloudflare’s infrastructure is being turned against users in a phishing campaign that’s anything but basic. Attackers are using branded takedown notices hosted on Pages.dev and Workers.dev to lure victims into downloading malware. The payload sets up persistence and communicates via Pyramid C2, with Telegram now added for victim tracking.

Top Malware Reported in the Last 24 Hours

Recruitment emails drop BeaverTail and Tropidoor

On November 29, 2024, a malware attack was discovered where threat actors impersonated a recruitment email from the developer community, Dev[.]to. The attack involved a BitBucket link containing a project with malicious code. The project included BeaverTail malware disguised as "tailwind.config.js" and a downloader malware named car.dll. BeaverTail was found to be distributed primarily through phishing attacks disguised as job offers. The "car.dll" downloader shares similarities with the LightlessCan malware of the Lazarus group. The Tropidoor malware operates in memory through the downloader and connects to 4 C&C server addresses. 

Web skimmer campaign abuses Stripe API

A sophisticated web skimmer campaign has been identified by threat hunters, which uses a legacy Stripe API to validate stolen payment information before it's exfiltrated. The campaign has affected around 49 merchants so far, with 15 having removed the malicious script injections. The activity has been ongoing since at least August 20, 2024. The attack chain employs malicious domains to distribute the JavaScript skimmer, which intercepts and hides the legitimate payment form, serves a replica of the Stripe payment screen, validates it, and then transmits it to a remote server. The threat actors are likely exploiting vulnerabilities and misconfigurations in WooCommerce, WordPress, and PrestaShop to implant the initial stage script. The skimmer scripts have also been found impersonating a Square payment form and adding other payment options using cryptocurrencies. 

Malicious PyPI package targets WooCommerce

Socket spotted a malicious Python package named "disgrasya" on PyPI. This package contains an automated carding script targeting WooCommerce stores using CyberSource as their payment gateway. Unlike typical supply chain attacks, disgrasya made no attempt to appear legitimate. The script simulates real transactions to test stolen credit card numbers, making it hard to detect. It has been downloaded over 34,000 times. 

New RolandSkimmer campaign targets Bulagaria

A sophisticated cyber threat called RolandSkimmer has been targeting Microsoft Windows users, particularly in Bulgaria. This threat is a form of web-based credit card skimming that uses malicious browser extensions on Chrome, Edge, and Firefox to collect sensitive financial data from affected users. The attack is initiated through a deceptive LNK file, which executes obfuscated scripts to establish covert and persistent access to the victim's system. The malware then systematically harvests and exfiltrates sensitive data, often without detection.

Top Vulnerabilities Reported in the Last 24 Hours

High-severity bugs in Bru API client

The Bruno project has issued a security advisory, revealing two critical vulnerabilities in its API client. The first vulnerability, CVE-2025-30354, is a Safe-Mode bypass in Assert expressions with a CVSSv4 score of 8.7. It could allow attackers to execute arbitrary code on a user's system by tricking them into opening a malicious Bruno Collection within the app. The second vulnerability, CVE-2025-30210, also with a CVSSv4 score of 8.7, is an XSS vulnerability related to how environment names are handled. This could allow an attacker to read any files on the user's system and potentially achieve RCE. Affected versions for CVE-2025-30354 are <= 1.26.0, and for CVE-2025-30210 are >= 1.38.0 < 1.39.1. Both vulnerabilities are patched in version 1.39.1. 

Vulnerability in Verizon Call Filter API

A security vulnerability in Verizon's Call Filter feature allowed unauthorized access to the incoming call logs of other Verizon Wireless users through an unsecured API request. The flaw was fixed by Verizon in March, but the total period of exposure is unknown. The researcher found that the API endpoint used to retrieve call history did not verify the user's phone number, enabling anyone to access another user's call logs by manipulating the API request. This poses significant privacy risks, particularly for high-profile individuals.

Top Scams Reported in the Last 24 Hours

New phishing campaign exploits Cloudflare

A new, sophisticated phishing campaign misuses Cloudflare services and Telegram for malicious purposes. The attacks use Cloudflare-branded phishing pages and advanced tactics to evade detection. The phishing pages, hosted on Cloudflare’s Pages[.]dev and Workers[.]dev platforms, impersonate DMCA takedown notices and trick victims into downloading malicious files disguised as PDFs. The attackers exploit the "search-ms" protocol to initiate a malware infection chain. The malware establishes persistence and communicates with Pyramid C2 servers. A significant evolution in this campaign is the integration of Telegram for victim tracking. 

Phishing scam targets Spotify users

The scam involves a spoofed email that appears to be from Spotify, informing users of a payment failure and urging them to update their account information. The email, while appearing legitimate, has several red flags, such as a mismatched 'Return-Path' field and a suspicious URL embedded in the "Update Data" button. Upon clicking the link, users are redirected to a Linktree page, which then leads to a phishing landing page designed to mimic Spotify's login page. Any credentials entered are sent to a PHP C2 managed by the threat actors. After entering their credentials, users are prompted to update their credit card information, which is also sent to the malicious C2. Finally, users are asked for their "password issued by the bank," potentially giving the attackers access to their financial accounts.

Related Threat Briefings

Apr 10, 2025

Cyware Daily Threat Intelligence, April 10, 2025

A torrent download might be doing more than delivering cracked software. A campaign has been distributing ViperSoftX to Korean users, likely run by Arabic-speaking threat actors. The malware quickly expands its footprint by downloading multiple payloads. It even manipulates Windows Defender settings to stay hidden, making cleanup far more difficult once it’s embedded. Dell users have a new reason to check their patch status. Six vulnerabilities in PowerScale OneFS could expose systems to compromise, including one high-severity flaw that warrants immediate attention. While version 9.10.1.1 addresses the issues, Dell has provided workaround steps and targeted patches for older releases. What looks like a harmless file-sharing notification is actually the start of a RAT deployment. A new phishing campaign mimics messages from files[.]fm, warning users of file deletion to create urgency. Clicking through leads to a real landing page, ultimately triggering malware. The payload often includes ConnectWise RAT, giving attackers persistent, remote access to compromised systems.

Apr 9, 2025

Cyware Daily Threat Intelligence, April 09, 2025

Invasive spyware campaigns are zeroing in on high-risk communities. MOONSHINE and BADBAZAAR are being deployed through trojanized mobile apps to surveil Uyghur, Tibetan, and Taiwanese individuals, as well as civil society groups. Some of the apps mimic popular platforms, while others are tailored to target interests. The campaign reflects a broader strategy to monitor groups viewed as threats to state control. A zero-day in Windows' core logging system has made its way into active exploitation. A use-after-free bug in the CLFS driver is being targeted by the PipeMagic trojan to escalate privileges and gain system-level access. Once exploited, attackers can bypass security protections, deploy additional malware, and harvest sensitive data. Search for QuickBooks during tax season, and you might land on a trap. Threat actors are placing deceptive Google Ads that link to phishing pages almost identical to the real QuickBooks login portal. The tactic preys on urgency and familiarity, making it easy for distracted users to miss small red flags.

Apr 8, 2025

Cyware Daily Threat Intelligence, April 08, 2025

What looked like useful dev tools were actually mining rigs in disguise. Several malicious extensions on the VSCode Marketplace were found silently installing XMRig miner. Over 300,000 installs flew under the radar before discovery. A wave of Mirai-linked scanning is hitting video surveillance systems. GreyNoise has tracked a spike in exploitation attempts targeting TVT NVMS9000 DVRs, with over 2,500 IPs launching attacks. The flaw could grant attackers admin access to DVRs. Two USB-related vulnerabilities in the Linux kernel have been weaponized in real-world attacks. Google patched them, both tied to information disclosure and privilege escalation. The latter was previously used in a targeted Android exploit late last year. All known active exploitation paths have now been patched in the latest round of 62 fixes.

Apr 7, 2025

Cyware Daily Threat Intelligence, April 07, 2025

It starts with a PDF search and ends with malware on your machine. A new campaign is using fake CAPTCHAs and Cloudflare Turnstile to lure users into downloading LegionLoader. Victims are tricked into enabling browser notifications, setting off a silent infection chain that’s already impacted tech and finance users across multiple regions. Seed phrases aren’t supposed to come from strangers. The PoisonSeed campaign is targeting crypto holders and enterprise users by compromising bulk email services. Victims are lured with fake wallet setup instructions that embed attacker-controlled recovery phrases - giving threat actors full access once the wallets are used. One toll text turns into ten. A surge in phishing attacks is spoofing toll agencies, bombarding users with urgent text notifications. The messages link to fake payment sites designed to steal credit card and personal info, while rotating sender addresses help them bypass spam filters undetected.

Apr 4, 2025

Cyware Daily Threat Intelligence, April 04, 2025

Phishing lures are slipping through trusted channels. CERT-UA reports that attackers are using compromised government emails to send malicious links via trusted file-sharing platforms. The goal: to deliver WRECKSTEEL, a VBS loader that steals documents and screenshots. A tiny schema bug, massive consequences. A critical flaw in Apache Parquet allows attackers to run arbitrary code just by processing a malicious file. The issue affects data pipelines that rely on Parquet imports and has been patched in version 1.15.1. Scammers are feeding off crypto chaos. In the aftermath of the Bybit breach, nearly 600 phishing domains emerged, many mimicking the exchange or offering fake refund services. Most were designed to steal login credentials from users desperate to recover lost funds.

Apr 2, 2025

Cyware Daily Threat Intelligence, April 02, 2025

Searching for a legal doc shouldn't get you malware but Gootloader is counting on it. In its latest campaign, the threat actors are using Google Ads to lure users into downloading malicious templates. One click leads to a ZIP file with a JavaScript payload that kicks off scheduled tasks and PowerShell scripts, pulling in further payloads from compromised WordPress blogs. Ukrainian banking customers are the latest target in a campaign using Emmenhtal Loader to drop SmokeLoader. Delivered via a booby-trapped 7-Zip archive, the attack blends PDF lures with LOLBAS tactics to execute payloads, slipping through defenses with anti-analysis tricks while quietly loading modular malware. Old routers don’t die, they just become attack surfaces. A 2017 Netgear model, long past its support window, was found riddled with zero-days. Eight vulnerabilities, including command injection and buffer overflows, expose critical functions like UPnP and email settings, giving attackers multiple ways in.

Apr 1, 2025

Cyware Daily Threat Intelligence, April 01, 2025

Someone clicks a shortcut in a phishing email, and just like that, the whole machine turns. A new version of KoiLoader is making the rounds, delivering Koi Stealer through a layered infection chain that quietly builds persistence before pulling down malware designed to scoop up passwords, cookies, and system data. The final payload rides on a custom C2 channel and slips through with a script that even disables AMSI on its way in. It’s hiding in plain sight - just not where anyone usually looks. Threat actors have been tucking malicious code into the mu-plugins folder on WordPress sites, a spot that doesn’t show up in the regular plugin dashboard. Redirects, webshells, and SEO spam are all part of the toolkit, with infections showing up through subtle changes in traffic, files, or system load before anyone notices what’s off. Apple’s patch day wasn’t routine this time. Two zero-days, including a WebKit flaw and a USB bypass bug, were among dozens of vulnerabilities addressed across iOS, iPadOS, and macOS. While one bug could let attackers escape browser sandboxes, the other allowed physical access to sidestep device protections. Both are now patched - assuming your devices are up to date.

Mar 31, 2025

Cyware Daily Threat Intelligence, March 31, 2025

A deceptive Zoom installer was the entry point for a carefully executed ransomware attack involving BlackSuit. Attackers spent nine days inside the network. The full operation spanned more than 190 hours, combining stealth, staging, and social engineering. The CISA has released an analysis of a new malware named RESURGE, which targets a known vulnerability in Ivanti Connect Secure appliances. RESURGE operates like a rootkit, allowing attackers to create web shells, steal credentials, and establish persistence through SSH tunnels. The malware enables unauthenticated remote code execution and has been added to KEV catalog. A new Android banking trojan called Crocodilus is using fake alerts to trick users into handing over their crypto wallet seed phrases. Disguised as a warning about backing up recovery keys, the malware uses social engineering to gain full access to wallets. The threat has so far targeted users in Turkey and Spain.

Mar 28, 2025

Cyware Daily Threat Intelligence, March 28, 2025

Researchers have uncovered a supply chain compromise involving cryptocurrency-related packages on the npm registry. Several long-standing packages, some over nine years old, were found to contain rogue scripts that exfiltrate environment variables and API keys to remote servers. The incident is suspected to have stemmed from compromised maintainer accounts and highlights ongoing risks in third-party package management. Researchers emphasized the need for two-factor authentication and tighter controls over software dependencies. Splunk has issued security patches across multiple products, addressing a range of vulnerabilities including two high-severity flaws. One vulnerability allows remote code execution via file upload by low-privileged users, while another exposes user tokens that could be leveraged in phishing attacks. Updates cover both Splunk Enterprise and the Secure Gateway App. Although no active exploitation has been reported, users are strongly encouraged to apply the patches without delay. A now-retired Microsoft Stream domain was hijacked on March 27, 2025, leading to embedded videos across SharePoint sites displaying a fake Amazon page advertising a Thailand casino. The affected domain, microsoftstream[.]com, had been deprecated in favor of SharePoint but remained active for legacy content. Following the hijack, Microsoft shut down the domain to block the spam content and is working to prevent similar issues with embedded media from deprecated services.

Mar 26, 2025

Cyware Daily Threat Intelligence, March 26, 2025

The macOS malware loader ReaderUpdate is evolving fast, with new versions now written in Crystal, Nim, Rust, and Go. Originally distributed through free software sites, the loader continues to target Intel-based macOS systems, quietly collecting system data and generating unique identifiers. While its past activity has mostly involved adware, the loader’s ability to parse and execute remote commands leaves the door open for more serious threats. A zero-day exploit in the Microsoft Management Console has been linked to a threat actor known as EncryptHub, who’s actively using it in the wild. The flaw allows for security bypass via malicious MSC files, enabling attackers to deploy multiple payloads. This campaign is still in development, cycling through various delivery techniques and toolsets. In the gaming world, phishers have stepped up their game with a browser-in-the-browser attack targeting Steam users and Counter-Strike 2 players. The campaign spoofs a login window branded with a well-known pro eSports team, to lure victims into handing over credentials. With stolen accounts likely resold on underground markets, this scheme is aimed squarely at the gaming community.

Mar 25, 2025

Cyware Daily Threat Intelligence, March 25, 2025

A stealthy browser extension called Rilide has resurfaced with improved evasion capabilities and support for Chrome’s latest extension framework. Disguised as a utility for Google Drive, it quietly collects data, particularly those tied to cryptocurrency wallets. Ongoing campaigns have used lures ranging from fake PowerPoint documents to spoofed Twitter notifications, all aimed at embedding the extension into Chromium-based browsers. On GitHub, a seemingly innocent coding challenge is being used as a delivery mechanism for malware. A malicious repository targets Polish-speaking developers and installs FogDoor, a backdoor capable of data theft, remote command execution, and persistence. The campaign uses clever techniques, while quietly harvesting sensitive information. Kubernetes environments are facing serious risk after the discovery of IngressNightmare - a collection of five critical flaws in the Ingress NGINX Controller. These bugs open the door to unauthenticated remote code execution and expose thousands of clusters to full compromise. In the wrong hands, this vulnerability could allow attackers to exfiltrate secrets across all namespaces, effectively granting full control over affected clusters.

Mar 24, 2025

Cyware Daily Threat Intelligence, March 24, 2025

A newly surfaced threat actor, UAT-5918, has been quietly embedding itself into Taiwan’s critical infrastructure since 2023. With a focus on information theft, the group has been targeting multiple sectors using a mix of off-the-shelf tools and stealthy web shells. The threat actor also boasts of an extensive toolkit. Meanwhile, the Medusa ransomware operation is refining its ability to bypass defenses using a malicious driver disguised as a legitimate security component. Dubbed ABYSSWORKER, the driver is signed with compromised certificates. Once deployed, it disables anti-malware tools and clears the path for ransomware delivery through a loader. On the plugin front, a critical vulnerability in WP Ghost has put thousands of WordPress sites at risk. If certain non-default settings are enabled, the bug can be used to load arbitrary files - opening the door to remote code execution. Though a patch has been issued in version 5.4.02, the exposure window combined with the plugin’s wide install base makes this a notable concern for site admins still lagging on updates.