Cyware Monthly Threat Intelligence

The Good

Did you know vulnerabilities in Google products are exploited in the wild within seven days of discovery? As worrying as it can get for billions of users worldwide, Google has decided to do its bit for those who act as the liaisons between it and the users - the security community. The organization has introduced multiple initiatives aimed at bolstering the vulnerability management ecosystem and assisting the security community in mitigating cyber risks. In another progressive step, a coalition of Five Eyes security agencies issued guidance urging tech manufacturers to prioritize customer safety and built-in cybersecurity features.

Google collaborated with several other companies to form a new group, called the Hacking Policy Council, that will advocate better regulations and policies for vulnerability management and disclosure. The council is an initiative of the Center for Cybersecurity Policy and Law. It will also be putting aside an undisclosed legal defense fund for researchers that are sued or prosecuted for pursuing “good faith research in cases that would advance cybersecurity for the public interest.”
The NIST released a new post-quantum cryptography guidance draft that is open for public comments until June 8. The document is meant to help organizations understand the security architecture in their networks and implement post-quantum security measures where it is necessary. The new draft follows NIST’s ongoing effort to finalize quantum-resistant algorithms in 2024 after identifying other encryption algorithms in 2022.
The DOD launched a new website, www.hackthepentagon[.]mil, to enhance and support the Hack the Pentagon program that was launched in 2016. The website includes educational materials that can be used as a foundation step for launching a bug bounty program. The platform will also enable the engagement and recruitment of technical talent.
New guidance to enhance the security of software and technology products was issued by the CISA in collaboration with the FBI, the NSA, and security agencies from the Five Eyes Intelligence Alliance. The authorities urged manufacturers to ship only those products to customers that follow secure-by-design and secure-by-default approaches.

The Bad

Moving on. Crypto is favored by cybercriminals due to its liquidity, borderless nature, and ability to evade sanctions and regulations. Crypto exchanges GDAC and Bitrue were targeted in two separate incidents that incurred a total loss of $36 million. With the ransomware threat actors upping the game every season, there were some headline-grabbing incidents last month. Top victims include a London-based corporation, a U.S.-based payment processing giant, and a Taiwanese PC parts maker.

Hackers broke into South Korea-based GDAC and stole nearly $13 million worth of Bitcoin, Ethereum, and Wemix tokens from the firm. Moreover, crypto exchange Bitrue’s hot wallet was accessed by cybercriminals, which resulted in the theft of $23 million worth of ETH, GALA, QNT, SHIB, MATIC, and HOT. The firm temporarily suspended its operations, including withdrawals.
Hackers dumped the private data of around 400,000 Kodi users on several hacking forums. The media player maker suffered a data breach on February 16 and 21 after threat actors compromised the account of an inactive administrator and accessed the web-based MyBB admin console.
Taiwanese PC parts maker MSI was struck with a $4 million ransomware attack by a newly-formed ransomware group called Money Message. The threat actors threatened to publish 1.5 TB of data they allegedly stole from the firm. To claim the attack, the group posted screenshots of the hardware vendor’s CTMS and ERP databases containing software source code, private keys, and BIOS firmware.
Around 250 million software artifacts and over 65,000 container images were found to be exposed via thousands of internet-facing registries and repositories. Some 1400 hosts also allowed access to secret keys, passwords, and other sensitive information that could enable attackers to mount a supply chain attack or poison a software development environment. These hosts were linked to addresses of several Fortune 500 companies such as Siemens, Cisco, Alibaba, and IBM.
A misconfigured database exposed more than 1.2 million police records on the internet. The database also included 800 GB of information on people who applied for employment in law enforcement in the Philippines, along with documents on tax identification numbers of officers. It is believed that the database had been left exposed for at least six weeks.
London-based Capita admitted to a ransomware attack that compromised nearly 4% of its server infrastructure to steal data of its staff, potential customers, and vendors. Black Basta claimed responsibility for the attack and put up for sale sensitive data stolen from the firm. This includes bank account information, addresses, and passport photos.
Payment processing giant NCR disclosed that it was a victim of a ransomware attack that occurred last weekend. This caused a PoS outage and affected multiple companies using the service. One of the affected systems was Aloha, the payments service which is used by multiple restaurants.
Sensitive details of several banks, including QBANK, Defence Bank, Bloom Money, Admiral Money, MA Money, Reed, HSBC, and Westpac, were leaked due to a misconfiguration issue in a digital identification tool provided by OCR Labs. The leaked data included access credentials to AWS, application tokens, and various API keys.
The Medusa ransomware group added the Open University of Cyprus to its data leak site, giving the institute 14 days time to respond. The hackers demanded $100,000 in ransom to prevent the further leak of data that includes the PII of students, and the financial details of research contractors.
An online marketplace Z2U was found exposing 600,000 customer support attachments due to an unprotected database. The attachments included images of individuals holding credit cards, passports, and other ID documents. Other exposed information were email addresses, passwords, and IBAN numbers of users.

New Threats

A lot happened in the cyber landscape in the last couple of fortnights. Let’s brush through the top threats that you may need to defend against in the near future. Researchers have reported the first-ever exploitation of Kubernetes (K8s) Role-Based Access Control (RBAC) to create persistent cluster backdoors. Meanwhile, Rilide, ViperSoftX, and CryptoClippy malware emerged as threats to the crypto industry. Apple devices also remained a focus of cybercriminals with Atomic and RustBucket targeting users in their own unique ways.

Threat actors devised a new attack method to abuse Kubernetes role-based access control (RBAC) to deploy backdoors for persistence. Dubbed RBAC Buster, the attack method can also enable attackers to launch cryptojacking attacks on targeted Kubernetes clusters by exploiting misconfigured API servers linked to the clusters.
ViperSoftX, a cryptocurrency and info-stealer malware, was updated to include more sophisticated encryption and data-stealing methods. So far, the variant has infected a significant number of victims in consumer and enterprise sectors across Australia, Japan, the U.S., India, Taiwan, Malaysia, France, and Italy.
Charming Kitten APT was observed using a previously unseen custom dropper malware, BellaCiao, to target users located in the U.S., Turkey, India, Europe, and the Middle East. The attackers possibly exploited known vulnerabilities in internet-exposed applications such as Zoho ManageEngine or Microsoft Exchange Server to drop the malware.
An ongoing attack campaign, tracked as OCX#HARVESTER, was found distributing More-eggs backdoor, along with other malicious payloads. The More-eggs backdoor was observed in the wild from December 2022 through March 2023. The attack chain leveraged specially crafted phishing emails to lure victims in the financial sector, especially those organizations involved with cryptocurrencies.
Researchers observed a new variant of LockBit ransomware that focuses on disrupting macOS systems. While the variant is in active development, it is revealed that the malware enables threat actors to encrypt files stored on ARM-powered Macs.
Threat actors were abusing Eval PHP, an abandoned WordPress plugin, to take over and backdoor websites. The plugin allowed attackers to insert malicious PHP code into pages and posts on WordPress sites. These malicious codes are executed every time the posts or the pages are opened in a browser.
A new commercial spyware, dubbed KingsPawn, was used to compromise the iPhones of high-profile individuals. The spyware was distributed using a zero-click exploit, named ENDOFDAYS, that targeted a zero-day flaw affecting iPhones running iOS 1.4 up to 14.4.2. The targeted victims include journalists, political opposition figures, and NGO workers in North America, Central Asia, Southeast Asia, Europe, and the Middle East.
A newly discovered CryptoClippy clipper malware was found targeting Portuguese cryptocurrency users. The attack leverages SEO poisoning techniques to entice users searching for ‘WhatsApp web’ to rogue domains hosting the malware. The malware monitors a victim’s clipboard to replace the actual wallet address with a wallet address controlled by threat actors.
A new malware strain named Rilide used Chromium-based browsers to steal cryptocurrency assets. The malware is disguised as a Google Drive extension and enables threat actors to carry out a broad spectrum of malicious activities such as taking screenshots and monitoring browsing history.
Poorly secured MS-SQL servers were found being hacked to deploy Trigona ransomware and encrypt all files. The servers were breached via brute-force attacks. After connecting to a server, the attackers deployed a malware dubbed CLR Shell in the first stage and Trigona ransomware in the last stage of the attack.
A new macOS info-stealing malware named Atomic (aka AMOS) is being sold on private Telegram channels. The malware steals keychain passwords, files from local filesystems, passwords, cookies, and credit card details stored in browsers. It can steal from 50 cryptocurrency extensions. North Korea-based BlueNoroff threat actor also introduced a new macOS malware called RustBucket. The malware masquerades as a legitimate Apple bundle identifier that helps the attackers override Gatekeeper on Macs. Written in Rust language, it is capable of gathering system information.

Cyware Monthly Threat Intelligence, March 2025

ETSI has rolled out a new quantum-safe encryption standard featuring Covercrypt, a novel key encapsulation scheme with built-in access controls. By tying decryption permissions to user attributes, Covercrypt delivers speed and post-quantum security. The code caves of GitHub got a cleanup crew courtesy of Microsoft. A sprawling malvertising campaign that snagged nearly a million devices worldwide has been knocked down a peg. The race to outpace quantum threats is officially on. The NCSC has issued guidance to help organizations transition to post-quantum cryptography by 2035, with a focus on NIST-approved algorithms and planned support for critical sectors. A fresh face in the cybercrime underworld is juggling a bag of nasty surprises. EncryptHub is hitting users of QQ Talk, WeChat, Google Meet, and more with trojanized apps and slick multi-stage attacks. Lucid isn’t just phishing - it’s engineering trust through your inbox. This advanced PhaaS platform weaponizes the built-in features of iMessage and RCS to create hyper-realistic scams. A botnet is turning home routers into attack platforms. The Ballista botnet is exploiting an unpatched TP-Link Archer router flaw (CVE-2023-1389) to spread stealthily, using Tor domains and remote command execution to launch DDoS attacks worldwide.

Cyware Monthly Threat Intelligence, February 2025

Google ramped up its defenses against the quantum threat. The company rolled out quantum-resistant digital signatures in Cloud KMS, following NIST’s post-quantum cryptography standards. Cyber defenders sharpened their tools, this month, and EARLYCROW is the latest weapon against stealthy APT operations. This method detects C2 activity over HTTP(S) using a novel traffic analysis format called PAIRFLOW. PyPI adopted a "dead but not gone" approach to abandoned software with Project Archival, a new system that flags inactive projects while keeping them accessible. Developers will see warnings about outdated dependencies, helping them make smarter security choices and avoid relying on unmaintained code. China’s Salt Typhoon made itself right at home in global telecom networks. The group was caught using JumbledPath, a custom-built spying tool, to infiltrate ISPs in the U.S., Italy, South Africa, and Thailand. Russia’s Sandworm hackers are using pirated software as bait. Their latest attack on Ukrainian Windows users disguises malware inside trojanized KMS activators and fake Windows updates. The CISA flagged major security holes in Microsoft Outlook and Sophos XG Firewall. One flaw allows remote code execution in Outlook, while another exposes firewall users to serious risks. A new payment card skimming campaign turned Stripe’s old API into a weapon. Hackers inserted malicious scripts into checkout pages, validating stolen card details through Stripe before exfiltration. A new malware named Ratatouille is stirring up trouble by bypassing UAC and using I2P for anonymous communications. Spreading through phishing emails and fake CAPTCHA pages, it tricks victims into running an embedded PowerShell script. A new version of ValleyRAT was also spotted, using stealthy techniques to infiltrate systems. Researchers found the malware being spread through fake Chrome downloads.

Cyware Monthly Threat Intelligence, January 2025

The U.K took a proactive stance on cyber resilience with its Cyber Local initiative, injecting £1.9 million into 30 projects across England and Northern Ireland. The effort focuses on closing the cyber skills gap, fortifying small businesses, and supporting underrepresented groups. India tightened its grip on data privacy with new draft rules designed to give citizens more control over their personal information. The proposed regulations mandate clearer data processing disclosures, stricter security protocols, and swift breach reporting. Hackers turned to SparkRAT, an open-source GoLang RAT, to target macOS users and government entities. Initially released in 2022, its modular design and cross-platform capability have made it a cybercriminal favorite. More than 10,000 WordPress sites were hijacked in a large-scale malware campaign delivering AMOS to macOS users and SocGholish to Windows users. Attackers exploited outdated plugins to inject fake browser update prompts. Lumma Stealer is made its way through GitHub in a new malware campaign that abuses the platform’s release infrastructure. Attackers deployed malware like SectopRAT and Vidar, using secure-looking download links to exfiltrate data while evading detection. Cybercriminals deployed the Coyote banking trojan against financial firms in Brazil, using malicious Windows LNK files to execute PowerShell scripts. This malware established secure connections with C2 servers, enabling keylogging and data theft. A two-year-long phishing campaign targeted Microsoft’s advertising platform users through malicious Google Search ads. A Mirai-based botnet exploited zero-day vulnerabilities in industrial routers and smart home devices. With 15,000 active nodes daily, it launched high-intensity DDoS attacks surpassing 100 Gbps, posing a growing threat across multiple countries.

Cyware Monthly Threat Intelligence, December 2024

The cloud revolution isn’t just about convenience anymore; it’s now the frontline of defense. With CISA's new directive mandating cloud environment fortification, federal agencies face a race against time to safeguard Microsoft 365 and other services. Meanwhile, proposed updates to the HIPAA security rules push healthcare organizations toward stronger PHI protection with advanced technical controls and detailed incident planning. On the global front, Operation PowerOFF turned the tables on DDoS attackers, dismantling 27 illegal platforms and curbing festive-season chaos. The cyber battlefield sees no intermission as new threats take center stage. A phishing campaign, dubbed Aggressive Inventory Zombies (AIZ), exploited brand trust by mimicking retail giants and crypto platforms. Meanwhile, the resurrected BADBOX botnet has compromised 192,000 Android devices globally, sneaking into supply chains to wreak havoc with ad fraud and account abuse. Adding to the turbulence, Poison Ivy (APT-C-01) resurged, targeting critical sectors with advanced phishing techniques and deploying Sliver RAT to breach systems and steal sensitive data. This month, new threats targeted IoT, banking, and app ecosystems, with threat actors unleashing diverse attacks. Iranian hackers deployed IOCONTROL malware to compromise IoT and OT systems, targeting critical infrastructure like gas stations. Meanwhile, the DroidBot banking malware infiltrates cryptocurrency and banking apps across Europe, leveraging MaaS operations for tailored attacks. Adding to the chaos, SpyLoan malware apps, with over eight million installs, exploited users in South America, Southeast Asia, and Africa, highlighting the escalating risks within app marketplaces. For detailed Cyber Threat Intel, click ‘Read More’.

Cyware Monthly Threat Intelligence, November 2024

The TSA reshaped the cybersecurity landscape for pipeline and railroad operators with proposed rules mandating incident reporting and risk management plans. Estimated to cost $2.1 billion over the next decade, the rules aimed to address growing cyber threats while balancing flexibility with resilience. Meta dismantled a sprawling web of over two million accounts tied to pig butchering scams in Southeast Asia and the UAE. Africa’s cybercrime ecosystem faced a decisive blow with Operation Serengeti, as over 1,000 suspects were arrested, and 134,000 malicious networks taken offline. TAG-110, a Russia-aligned threat group, launched a cyber-espionage campaign targeting governments and organizations in Asia and Europe. Using malware like HATVIBE and CHERRYSPY, it aimed to monitor geopolitical developments and assert influence. A botnet powered by Ngioweb malware converted 35,000 IoT devices into residential proxies. These compromised devices, found largely in the U.S., were sold on platforms like NSOCKS for malicious purposes. Water Barghest compromised over 20,000 IoT devices by exploiting known vulnerabilities. The group used Shodan to identify targets and deployed Ngioweb malware to connect them to its monetized network. LIMINAL PANDA, a Chinese cyberespionage group, has been targeting telecoms in South Asia and Africa since 2020. Using tools like SIGTRANslator and PingPong, the group exploits telecom protocols to steal critical data while staying undetected. NodeStealer has resurfaced, targeting Facebook Ads Manager accounts to steal credit card details and browser credentials. It uses Windows Restart Manager and Python scripts to execute its attacks, with stolen data sent via Telegram. BabbleLoader, a stealthy malware loader, delivers WhiteSnake and Meduza stealers. Disguised as accounting software, it targets English and Russian speakers, evading antivirus systems with advanced techniques.

The Good

The Bad

New Threats

Related Threat Briefings

Jul 1, 2025