Cyware Daily Threat Intelligence, April 15, 2025

shutterstock 2496152847 (1)

Daily Threat Briefing April 15, 2025

Cryptocurrency developers are the latest targets in a calculated cyber offensive orchestrated by a North Korean threat group known as Slow Pisces. The group is leveraging seemingly legitimate coding challenges embedded with malware, in a calculated effort to breach systems, steal sensitive information, and funnel funds back to the DPRK government.

A severe security vulnerability has surfaced in the widely-used BentoML framework, posing a significant threat to Python-based production environments. Tracked as CVE-2025-27520, the flaw allows remote attackers to take full control of affected servers without authentication.

In a long-awaited move, Google has rolled out a fix in Chrome version number 136 for a 20-year-old privacy loophole that allowed websites to track users' browsing history using visited link styles.

Top Malware Reported in the Last 24 Hours

North Korean hackers target cryptocurrency developers

The North Korean hacking group, Slow Pisces, has been linked to a malicious campaign targeting cryptocurrency developers. The group engages with developers on LinkedIn, posing as potential employers and sending malware disguised as coding challenges. This malware, named RN Loader and RN Stealer, infects the developers' systems. The multi-stage attack chain involves sending a malicious payload only to validated targets, likely based on IP address, geolocation, time, and HTTP request headers. This information stealer harvests sensitive information from infected Apple macOS systems.

New affordable RAT raises alarm

A new RAT dubbed GYware is causing widespread concern among cybersecurity professionals and researchers. The malware, advertised as the "best of 2025" by its creator, is currently being sold on a popular hacker forum for $35 per month. GYware's alarming features include advanced self-spreading capabilities, full undetectability, and a web-based management panel that allows cybercriminals to remotely control infected devices.

Microsoft Teams chats deliver malware

A new cyberattack campaign, active since March, has been using Microsoft Teams chats to infiltrate Windows PCs with malware, primarily targeting the finance and professional services sectors. This attack, linked to the Storm-1811 group known for deploying the Black Basta ransomware, begins with attackers impersonating internal IT support staff via Microsoft Teams. They target high-level employees, often during late afternoons, and coax them into launching a remote support session using Windows’s built-in Quick Assist tool. The malware deploys a heavily obfuscated PowerShell backdoor, which sends a unique identifier to the attackers via a Telegram bot, signaling successful infection and opening a persistent channel for C2.

Top Vulnerabilities Reported in the Last 24 Hours

High-severity security flaw in BentoML

CVE-2025-27520, a critical RCE vulnerability with a CVSSv3 base score of 9.8, has been recently discovered in the BentoML Python library on PyPI. This vulnerability, caused by Insecure Deserialization, allows unauthenticated attackers to execute arbitrary code and potentially take control of a server by sending maliciously crafted HTTP requests.

Google fixes 20 year old privacy flaw 

Google has been resolving a longstanding privacy issue in version number 136 that has enabled websites to track users' browsing activity for about 20 years. This flaw allowed websites to apply distinct styling, such as a different color, to previously clicked links using the ':visited' pseudo-class. This issue introduced significant security risks, including tracking, profiling, and phishing. Google will implement a "triple-key partitioning" of visited links to mitigate these threats and finally address this 20-year-old problem.

Security flaw in Jupyter Remote Desktop Proxy extension

A critical security vulnerability (CVE-2025-32428, CVSSv4 score 9.0) has been discovered in the Jupyter Remote Desktop Proxy extension. The flaw emerges when the extension is used with TigerVNC, unintentionally exposing VNC services over the network. This exposure contradicts the extension's intended design, as the VNC server initiated by the extension remains accessible via the network even when configured to use UNIX sockets solely accessible to the current user.

Related Threat Briefings

Apr 18, 2025

Cyware Daily Threat Intelligence, April 18, 2025

Six million users and 57 extensions they probably shouldn’t trust. A wave of Chrome add-ons, many unlisted and quietly distributed through ads, have been caught with invasive capabilities. Laced with obfuscated code, several have been removed from the Chrome Web Store, but others still linger. A trio of exploited vulnerabilities just made CISA’s KEV list. Two affect Apple device, both patched in the latest iOS and macOS updates. The third, a Windows NTLM hash leak, has reportedly been used by groups like APT28. All three are now confirmed as actively exploited and fully patchable. Reward points and toll notices are the new bait. Researchers have flagged a surge in global SMS phishing attacks through two campaigns: PointyPhish and TollShark. Both rely on urgency, fake branding, and thousands of rapidly deployed domains via the Darcula Suite platform. From iMessage to RCS, no inbox is safe.

Apr 17, 2025

Cyware Daily Threat Intelligence, April 17, 2025

Mustang Panda has updated its arsenal and stealth is a priority. In a new campaign, it rolled out an upgraded version of its backdoor. Alongside it, new tools like StarProxy, Paklog, Corklog, and SplatCloakdriver were delivered through a dropper engineered to hunt down security products. Researchers have observed a fresh wave of Agent Tesla attacks using multi-stage loaders. The chain starts with a JavaScript file hidden in an archive, then pivots to PowerShell for in-memory execution. The malware finishes the job by injecting into trusted processes, effectively vanishing from traditional antivirus scans. A long-patched flaw is back in the spotlight and now it’s being exploited. SonicWall has updated its advisory for CVE-2021-20035, confirming active abuse in the wild. The bug affects SMA 100 series devices and allows authenticated users to execute arbitrary commands.

Apr 16, 2025

Cyware Daily Threat Intelligence, April 16, 2025

UNC5174 is keeping it quiet and clean. Since late 2024, the Chinese state-linked group has been targeting Linux environments using a domain-squatting infrastructure to deliver SNOWLIGHT malware and a new RAT. The campaign leans on stealth, — WebSockets for C2, bash scripts for delivery, and zero on-disk footprint — pointing to a mix of espionage and access brokering. It looks like a PDF tool, acts like malware. A new phishing campaign is spoofing a legitimate website to deliver a stealthy SectopRAT variant. Victims are funneled through cloned interfaces and fake CAPTCHAs before unknowingly executing PowerShell commands that drop the payload. Browser security just got a round of urgent fixes. Chrome 135 and Firefox 137 patch several critical bugs, including memory corruption issues that could lead to remote code execution. Thunderbird updates close off serious risks too.

Apr 11, 2025

Cyware Daily Threat Intelligence, April 11, 2025

Bots don’t sleep and AkiraBot proves it. Since late 2024, this spam operation has flooded over 400,000 websites, zeroing in on small businesses using platforms like Shopify, Wix, and Squarespace. The messages push shady SEO services, powered by AI-generated content to dodge filters. With rotating domains, CAPTCHA bypass tools, and an expanding reach into live chats and comment sections, AkiraBot is becoming harder to pin down. One bug, admin access - just like that. A critical flaw in the OttoKit WordPress plugin is being actively exploited, allowing attackers to create admin accounts and take over sites. Only some configurations are vulnerable, but where it hits, it hits hard. When a checkout page starts asking for your card details twice, something’s wrong. A WordPress site was found hosting a fake credit card form. The malicious script captured payment info and funneled it to a freshly registered domain, designed to look harmless, but built to steal.

Apr 10, 2025

Cyware Daily Threat Intelligence, April 10, 2025

A torrent download might be doing more than delivering cracked software. A campaign has been distributing ViperSoftX to Korean users, likely run by Arabic-speaking threat actors. The malware quickly expands its footprint by downloading multiple payloads. It even manipulates Windows Defender settings to stay hidden, making cleanup far more difficult once it’s embedded. Dell users have a new reason to check their patch status. Six vulnerabilities in PowerScale OneFS could expose systems to compromise, including one high-severity flaw that warrants immediate attention. While version 9.10.1.1 addresses the issues, Dell has provided workaround steps and targeted patches for older releases. What looks like a harmless file-sharing notification is actually the start of a RAT deployment. A new phishing campaign mimics messages from files[.]fm, warning users of file deletion to create urgency. Clicking through leads to a real landing page, ultimately triggering malware. The payload often includes ConnectWise RAT, giving attackers persistent, remote access to compromised systems.

Apr 9, 2025

Cyware Daily Threat Intelligence, April 09, 2025

Invasive spyware campaigns are zeroing in on high-risk communities. MOONSHINE and BADBAZAAR are being deployed through trojanized mobile apps to surveil Uyghur, Tibetan, and Taiwanese individuals, as well as civil society groups. Some of the apps mimic popular platforms, while others are tailored to target interests. The campaign reflects a broader strategy to monitor groups viewed as threats to state control. A zero-day in Windows' core logging system has made its way into active exploitation. A use-after-free bug in the CLFS driver is being targeted by the PipeMagic trojan to escalate privileges and gain system-level access. Once exploited, attackers can bypass security protections, deploy additional malware, and harvest sensitive data. Search for QuickBooks during tax season, and you might land on a trap. Threat actors are placing deceptive Google Ads that link to phishing pages almost identical to the real QuickBooks login portal. The tactic preys on urgency and familiarity, making it easy for distracted users to miss small red flags.

Apr 8, 2025

Cyware Daily Threat Intelligence, April 08, 2025

What looked like useful dev tools were actually mining rigs in disguise. Several malicious extensions on the VSCode Marketplace were found silently installing XMRig miner. Over 300,000 installs flew under the radar before discovery. A wave of Mirai-linked scanning is hitting video surveillance systems. GreyNoise has tracked a spike in exploitation attempts targeting TVT NVMS9000 DVRs, with over 2,500 IPs launching attacks. The flaw could grant attackers admin access to DVRs. Two USB-related vulnerabilities in the Linux kernel have been weaponized in real-world attacks. Google patched them, both tied to information disclosure and privilege escalation. The latter was previously used in a targeted Android exploit late last year. All known active exploitation paths have now been patched in the latest round of 62 fixes.

Apr 7, 2025

Cyware Daily Threat Intelligence, April 07, 2025

It starts with a PDF search and ends with malware on your machine. A new campaign is using fake CAPTCHAs and Cloudflare Turnstile to lure users into downloading LegionLoader. Victims are tricked into enabling browser notifications, setting off a silent infection chain that’s already impacted tech and finance users across multiple regions. Seed phrases aren’t supposed to come from strangers. The PoisonSeed campaign is targeting crypto holders and enterprise users by compromising bulk email services. Victims are lured with fake wallet setup instructions that embed attacker-controlled recovery phrases - giving threat actors full access once the wallets are used. One toll text turns into ten. A surge in phishing attacks is spoofing toll agencies, bombarding users with urgent text notifications. The messages link to fake payment sites designed to steal credit card and personal info, while rotating sender addresses help them bypass spam filters undetected.

Apr 4, 2025

Cyware Daily Threat Intelligence, April 04, 2025

Phishing lures are slipping through trusted channels. CERT-UA reports that attackers are using compromised government emails to send malicious links via trusted file-sharing platforms. The goal: to deliver WRECKSTEEL, a VBS loader that steals documents and screenshots. A tiny schema bug, massive consequences. A critical flaw in Apache Parquet allows attackers to run arbitrary code just by processing a malicious file. The issue affects data pipelines that rely on Parquet imports and has been patched in version 1.15.1. Scammers are feeding off crypto chaos. In the aftermath of the Bybit breach, nearly 600 phishing domains emerged, many mimicking the exchange or offering fake refund services. Most were designed to steal login credentials from users desperate to recover lost funds.

Apr 3, 2025

Cyware Daily Threat Intelligence, April 03, 2025

Payment forms are being hijacked with surgical precision. A web skimming campaign is abusing an old Stripe API to validate stolen credit card data before exfiltrating it. The attack mimics legitimate payment screens and targets merchants running WooCommerce, WordPress, and PrestaShop, with cryptocurrency payment options thrown in for extra misdirection. The Bruno API client just got hit with two high-severity vulnerabilities. One allows malicious collections to bypass Safe Mode and run arbitrary code, while the other abuses environment naming for cross-site scripting that could lead to file theft or remote code execution. Both flaws are now patched in version 1.39.1. Cloudflare’s infrastructure is being turned against users in a phishing campaign that’s anything but basic. Attackers are using branded takedown notices hosted on Pages.dev and Workers.dev to lure victims into downloading malware. The payload sets up persistence and communicates via Pyramid C2, with Telegram now added for victim tracking.

Apr 2, 2025

Cyware Daily Threat Intelligence, April 02, 2025

Searching for a legal doc shouldn't get you malware but Gootloader is counting on it. In its latest campaign, the threat actors are using Google Ads to lure users into downloading malicious templates. One click leads to a ZIP file with a JavaScript payload that kicks off scheduled tasks and PowerShell scripts, pulling in further payloads from compromised WordPress blogs. Ukrainian banking customers are the latest target in a campaign using Emmenhtal Loader to drop SmokeLoader. Delivered via a booby-trapped 7-Zip archive, the attack blends PDF lures with LOLBAS tactics to execute payloads, slipping through defenses with anti-analysis tricks while quietly loading modular malware. Old routers don’t die, they just become attack surfaces. A 2017 Netgear model, long past its support window, was found riddled with zero-days. Eight vulnerabilities, including command injection and buffer overflows, expose critical functions like UPnP and email settings, giving attackers multiple ways in.

Apr 1, 2025

Cyware Daily Threat Intelligence, April 01, 2025

Someone clicks a shortcut in a phishing email, and just like that, the whole machine turns. A new version of KoiLoader is making the rounds, delivering Koi Stealer through a layered infection chain that quietly builds persistence before pulling down malware designed to scoop up passwords, cookies, and system data. The final payload rides on a custom C2 channel and slips through with a script that even disables AMSI on its way in. It’s hiding in plain sight - just not where anyone usually looks. Threat actors have been tucking malicious code into the mu-plugins folder on WordPress sites, a spot that doesn’t show up in the regular plugin dashboard. Redirects, webshells, and SEO spam are all part of the toolkit, with infections showing up through subtle changes in traffic, files, or system load before anyone notices what’s off. Apple’s patch day wasn’t routine this time. Two zero-days, including a WebKit flaw and a USB bypass bug, were among dozens of vulnerabilities addressed across iOS, iPadOS, and macOS. While one bug could let attackers escape browser sandboxes, the other allowed physical access to sidestep device protections. Both are now patched - assuming your devices are up to date.