Cyware Daily Threat Intelligence, May 28, 2025

Daily Threat Briefing • May 28, 2025

Threat actors are faking Bitdefender to peddle VenomRAT. Using deceptive domains and phishing lures that mimic banks and IT services, this campaign delivers modular malware bundled with tools like SilentTrinity and StormKitty for credential theft, lateral movement, and persistence.

A new Go-based botnet called PumaBot is clawing its way through Linux IoT devices. It brute-forces SSH credentials, impersonates Redis files for stealth, and deploys rootkits to mine crypto and steal credentials, while avoiding honeypots and non-targets along the way.

A critical flaw in the TI WooCommerce Wishlist plugin lets attackers upload arbitrary files without authentication when paired with WC Fields Factory. With over 100,000 installs affected and no patch in sight, WordPress site owners are exposed.

Top Malware Reported in the Last 24 Hours

Malicious campaign drops VenomRAT

A malicious campaign has been found using a fake Bitdefender website to distribute VenomRAT. This campaign utilizes open-source tools like SilentTrinity and StormKitty for credential theft and persistent access. The threat actors exploit modular malware, allowing them to adapt and efficiently target individuals and organizations. The campaign employs deceptive domains and phishing traps impersonating banks and IT services.

UNC6032 weaponizes fake AI-themed sites

A Vietnamese-linked hacking group, UNC6032, has been distributing malware via fake AI video generator websites since mid-2024, using social media ads to lure victims. The campaign involves fake websites mimicking legitimate AI tools like Luma AI and Canva Dream Lab, which deliver malware payloads such as STARKVEIL, XWORM, and FROSTRIFT. Over 30 fake websites have been identified, with ads reaching millions of users primarily on Facebook and LinkedIn. The malicious ads target users globally, rotating domains frequently to avoid detection. The malware payloads are modular and include mechanisms to ensure persistence even if some components are detected or blocked.

New PumaBot targets Linux IoT devices

A new botnet named PumaBot, written in Go, targets Linux-based IoT devices by brute-forcing SSH credentials and deploying additional malware. The malware retrieves a list of target IP addresses from a command-and-control server and avoids honeypots or unsuitable systems. PumaBot disguises itself as a legitimate Redis system file for persistence and executes commands to mine cryptocurrency illicitly. The botnet uses various tools and scripts, including rootkits like "pam_unix.so," to steal credentials and exfiltrate data.

Top Vulnerabilities Reported in the Last 24 Hours

Mimo hackers abuse Craft CMS bug

A financially motivated threat actor, Mimo, exploited CVE-2025-32432, a critical remote code execution vulnerability in Craft CMS, to gain unauthorized access and deploy malicious payloads. The infection chain involves deploying a webshell, executing an infection script, and installing malicious tools such as a loader, cryptominer, and residential proxy software. The main payload, a loader named "4l4md4r," is packed with UPX and developed in Golang. It downloads and executes additional malicious components like "alamdar.so" and cryptomining tools. Two primary payloads deployed are IPRoyal (a residential proxyware) and XMRig.

Critical bug in TI WooCommerce Wishlist plugin

The TI WooCommerce Wishlist plugin, used by over 100,000 installations, has a critical unauthenticated arbitrary file upload vulnerability (CVE-2025-47577) in versions 2.9.2 and below. This flaw allows attackers to upload malicious files by bypassing file type validation in the `tinvwl_upload_file_wc_fields_factory` function when the WC Fields Factory plugin is active. No patched version is currently available.

CISA publishes ICS advisory

The CISA released an advisory about a critical vulnerability (CVE-2025-26383) in the Johnson Controls iSTAR Configuration Utility (ICU) Tool, used in critical infrastructure sectors. The flaw, caused by the "Use of Uninitialized Variable" (CWE-457), can lead to memory leakage, exposing sensitive data like credentials and cryptographic materials. The vulnerability has a CVSS v3.1 base score of 7.4 (high risk) and a CVSS v4.0 score of 6.3, emphasizing confidentiality risks but not affecting system integrity or availability. Exploitation requires local or network proximity. Johnson Controls released ICU Tool version 6.9.5 to address the issue.

Related Threat Briefings

Jun 9, 2025

Cyware Daily Threat Intelligence, June 09, 2025

What looks like support for defectors may actually be spyware in disguise. Kimsuky launched a stealthy campaign, targeting defense entities, activists, and crypto exchanges through Facebook impersonations, spear-phishing emails, and Telegram messages. Malware is delivered via EGG archives and disguised outreach, using encoded scripts, malicious DLLs, and registry tweaks. Malicious packages are creeping into trusted ecosystems under familiar names. A new supply chain attack compromised 16 packages linked to GlueStack, enabling command execution, data theft, and file deletion. The packages posed as developer tools or Instagram growth apps, stealing credentials and relaying them to external bot services. An old botnet just found a new way in. A Mirai variant is actively exploiting a command injection vulnerability in TBK DVR-4104 and DVR-4216 devices, to conscript them into a botnet for DDoS attacks. The exploit enables attackers to run shell commands via POST requests.

Jun 6, 2025

Cyware Daily Threat Intelligence, June 06, 2025

A silent takeover is unfolding through cheap, everyday smart devices. The FBI has reported over a million infections tied to BADBOX 2.0, a malware campaign targeting uncertified Android-based smart TVs, tablets, and IoT devices. Preinstalled malware and rogue updates turn these devices into residential proxies, with infections spanning 222 countries. A harmless-looking paste site is quietly fueling major malware campaigns. Cybercriminals are leveraging Paste[.]ee to host malicious scripts that deliver strains like XWorm and AsyncRAT through phishing emails. The platform’s anonymity helps attackers avoid detection while executing keylogging, credential theft, and remote system manipulation. A spearphishing campaign is exploiting a critical flaw in Roundcube to compromise webmail users. Threat actor UNC1151 targeted Polish organizations using CVE-2024-42009 to execute JavaScript via XSS and plant a persistent Service Worker. The vulnerability affects multiple Roundcube versions and carries a CVSS score of 9.3.

Jun 5, 2025

Cyware Daily Threat Intelligence, June 05, 2025

Not all GitHub projects are built with good intentions. Researchers uncovered a widespread campaign involving more than 130 repositories booby-trapped with malware disguised as game cheats, hacking tools, and utilities. Hidden behind obfuscated code and automated workflows, the campaign deploys backdoors while using Telegram bots and paste sites to manage infections behind the scenes. Destruction masquerading as maintenance tools is hitting Ukraine’s infrastructure. Researchers attributed a new wiper malware called PathWiper to a Russia-linked APT group, targeting critical systems by leveraging legitimate administrative frameworks. The malware erases storage media and key file system data. Though reminiscent of HermeticWiper, PathWiper shows a more advanced method of drive targeting and destruction. Cisco is closing two critical gaps before attackers can exploit them further. A patch has been issued for CVE-2025-20129 in Cisco’s CCP chat interface, a flaw that could let attackers intercept sensitive data through manipulated HTTP requests. Another vulnerability, CVE-2025-20130 in Cisco ISE, allowed file uploads due to weak validation, now fixed in the latest patches for ISE versions up to 3.3.

Jun 4, 2025

Cyware Daily Threat Intelligence, June 04, 2025

Cybercriminals are turning CAPTCHA prompts into malware gateways. A recent multi-stage malware campaign is using spoofed sites like fake Git repositories and bogus Docusign pages to lure users into executing PowerShell scripts that drop NetSupport RAT. By layering downloaders that each fetch the next stage, the attackers dodge detection and prolong infection. In a similar vein, a free software download could end up costing your entire crypto wallet. ViperSoftX is back in circulation, targeting crypto users with malicious PowerShell scripts bundled into cracked apps, keygens, and torrent packages. Beyond wallet theft, it pulls in additional payloads like Quasar RAT and PureHVNC, while using scheduled tasks and registry tricks to quietly maintain persistence. Meanwhile, Google’s June 2025 Android security update fixed a slate of high-severity issues, including a critical privilege escalation vulnerability in the System component affecting Android 13, 14, and 15. While most bugs haven't been exploited in the wild, three Qualcomm-related flaws made it to CISA’s KEV Catalog. For detailed Cyber Threat Intel, click ‘Read More’.

Jun 3, 2025

Cyware Daily Threat Intelligence, June 03, 2025

A geopolitical ripple just triggered a global software supply chain scare. Socket has exposed a malicious campaign in the RubyGems ecosystem where two lookalike Fastlane plugins were used to siphon off Telegram bot tokens and messages. Timed around Vietnam’s Telegram ban, the attacker used typosquatting and subtle code tweaks - targeting affected developers and putting downstream users at risk worldwide. A silent zero-day is loose in the wild, and Google’s racing to contain it. Chrome users are urged to update immediately after Google issued an emergency patch for a high-severity flaw in the V8 JavaScript engine that’s already being exploited. Some attackers mine crypto, JINX-0132 mines misconfigurations. This threat actor is running a stealthy cryptojacking campaign against DevOps platforms, exploiting exposed defaults and overlooked RCE flaws. They stay under the radar while deploying XMRig miners across poorly secured cloud setups, many of which are still internet-facing and misconfigured.

Jun 2, 2025

Cyware Daily Threat Intelligence, June 02, 2025

A casual scroll through gaming forums or social media might land users in a trap they didn’t see coming. Cybercriminals are hijacking web traffic to lure users onto fake Booking[.]com sites with malicious CAPTCHA prompts that silently trigger harmful commands. The URLs shift constantly, and any site asking users to paste clipboard commands should raise serious red flags. A few swapped letters could be all it takes to get owned. A new supply chain attack targets Python and npm developers through typo-squatting and name confusion. The campaign spans both ecosystems, dropping platform-specific payloads that harvest environment data, evade antivirus tools, and create persistence. What began as one bug unraveled into a deeper security mess. Researchers uncovered multiple privilege escalation flaws in SonicWall’s NetExtender VPN client, letting local users achieve SYSTEM-level access or sabotage services. The discovery of CVE-2025-23007 led to a deeper dive, exposing two more high-risk vulnerabilities now patched in version 10.3.2.

May 30, 2025

Cyware Daily Threat Intelligence, May 30, 2025

Fake CAPTCHA prompts are now doing more than testing if you're human—they're installing malware. EDDIESTEALER, a new Rust-based infostealer, spreads through deceptive CAPTCHA pages that trigger malicious PowerShell scripts. The malware downloads obfuscated JavaScript and executable payloads designed to harvest credentials, browser data, and cryptocurrency wallets. A quiet but relentless campaign has been unfolding across multiple industries. The Chinese group Earth Lamia is targeting finance, government, logistics, and more by exploiting known web app vulnerabilities, including flaws in Apache Struts, GitLab, and WordPress. After gaining access, they deploy webshells, create admin accounts, and move laterally using a plethora of tools. Even Google's trusted ecosystem isn’t off-limits anymore. Attackers are misusing Google Apps Script to host phishing pages that convincingly imitate real login portals. The method allows them to slip through email filters by operating under Google's domain, tricking victims into handing over credentials before redirecting them to legitimate sites to avoid suspicion.

May 29, 2025

Cyware Daily Threat Intelligence, May 29, 2025

APT41 hides malware commands where no one’s looking: your calendar. In a creative twist on C2 infrastructure, China-backed APT41 embedded encrypted instructions inside Google Calendar events. Targets received ZIPs masquerading as PDFs, which deployed a multistage malware suite. The result: stealthy, long-term access across governments and industries. AyySSHush doesn’t make noise, it builds armies. More than 9,000 ASUS routers have been compromised by this botnet, which quietly slips in through a CVE-2023-39780 exploit. Attackers install persistent SSH backdoors, disable logging, and remain invisible through firmware updates. The campaign’s low network footprint hides a growing infrastructure of hijacked devices ready for future use. OneDrive’s permissions flaw lets apps peek at everything. A design issue in Microsoft’s OneDrive File Picker lets apps access more data than intended. Vague consent prompts and overly broad OAuth scopes mean entire OneDrive contents could be exposed. Microsoft hasn’t patched it yet, so users should tread carefully.

May 27, 2025

Cyware Daily Threat Intelligence, May 27, 2025

Chinese threat group UAT-6382 is digging deep into local U.S. government systems, exploiting a flaw in Cityworks to breach Microsoft IIS servers. Their playbook includes web shells, Cobalt Strike, and custom backdoors, all aimed at maintaining quiet, long-term access for espionage or potential ransomware deployment. A critical flaw in Siemens’ SiPass integrated access control system could allow unauthenticated attackers to crash the service remotely. The vulnerability stems from an out-of-bounds read issue in how it handles network packets. Siemens has patched the issue in version V2.95.3.18 and urges immediate upgrades. Void Blizzard, a Russian hacking group with ties to multiple Kremlin-aligned actors, has ramped up its espionage operations by breaching over 20 NGOs across Europe and the U.S. Their weapon of choice: Evilginx phishing kits, fake Microsoft Entra login portals, and malicious QR codes. Targets included policy groups and defense-focused organizations, with attackers siphoning off credentials, emails, and Teams conversations.

May 26, 2025

Cyware Daily Threat Intelligence, May 26, 2025

Threat actors are wrapping their tools in layers of obfuscation, and DOUBLELOADER is no exception. This new backdoor uses the ALCATRAZ obfuscator—once seen in the game-hacking scene—to disguise its presence. It reaches out to hardcoded IPs and paves the way for the RHADAMANTHYS infostealer. In a campaign likely aimed at Chinese-speaking users, fake installers for QQ Browser and LetsVPN are being used to quietly deliver Winos 4.0. Behind the scenes, a memory-resident loader named Catena helps the malware dodge AV tools. Linked to the Silver Fox threat group, the payload uses reflective DLL injection to steal data and provide remote access. A critical bug in D-Link routers could give attackers an easy way in. The flaw affects DIR-605L and DIR-816L models, exposing hardcoded Telnet credentials through the firmware. Once inside, attackers can run arbitrary commands, change configs, or pivot deeper into a network - all without needing to brute-force anything.

May 23, 2025

Cyware Daily Threat Intelligence, May 23, 2025

The copyright threat in your inbox might be bait. A phishing campaign sweeping across central and eastern Europe is using fake legal complaints to deliver the Rhadamanthys Stealer. Attackers use DLL side-loading to hijack legitimate PDF readers and establish persistence via Registry Run keys. Meanwhile, researchers flagged three critical vulnerabilities in the Versa Concerto platform that could allow authentication bypass, privilege escalation, and remote code execution. The vulnerabilities affect popular SD-WAN and SASE deployments, leaving organizations exposed if patches haven’t been manually applied. Think twice before clicking on that Ledger update. A new macOS malware campaign is deploying fake versions of the Ledger Live app to steal cryptocurrency seed phrases. The latest malware strain, dubbed Odyssey, impersonates the real app and tricks users into typing their 24-word passphrase after simulating an error. Click to read more!

May 22, 2025

Cyware Daily Threat Intelligence, May 22, 2025

Two years of silence, 6,200 downloads later - the malware is finally found. A malicious campaign targeting JavaScript developers slipped past detection by disguising harmful npm packages as plugins for frameworks like React, Vue.js, Vite, and Quill Editor. The attacker combined typosquatting with a blend of legitimate and malicious modules to build trust and exploit developer habits. Fake AI tools are the new phishing lures and they’re convincing. Cybercriminals cloned Kling AI’s brand through Facebook ads and spoofed websites to trick users into downloading malware. Victims who interacted with fake image-generation tools unknowingly installed PureHVNC RAT. A single flaw in Samlify could let attackers waltz into admin panels. The bug lets adversaries inject unsigned assertions into signed SAML responses. The result? Easy privilege escalation via forged credentials. The issue has been patched in Samlify v2.10.0.