Cyware Monthly Threat Intelligence

The Good

When thinking about satellite operations and not paying attention to the cyber resilience of ground networks is like sending an open invitation to cyber threats. The final version of the cybersecurity framework concerning the ground segment of space operations was released by the NIST. Cyberattacks on K-12 schools have major implications for teaching and learning. To overcome these challenges, the CISA released a guide to help safeguard K 12 Schools from ever-rising attacks in the sector. That’s not it! The FBI raided and seized Hive’s Tor payment and data leak sites in a major crackdown.

The NIST published the final version of its cybersecurity framework for the ground segment of space operations. The framework is designed to help organizations in the space sector manage their cybersecurity risks by implementing security measures on satellites and other critical infrastructure.
President Joe Biden approved a set of new laws under the VA Cybersecurity Act of 2022 to boost cybersecurity across the Department of Veterans Affairs. As part of the new law, the department needs to conduct an independent audit of its IT systems and cybersecurity programs. This is intended to boost data security for veterans.
The CISA released a report and toolkit to bolster the cyber defense of K-12 schools and districts. The report is mandated by the K-12 Cybersecurity Act and includes three recommendations to help educational institutions build, operate, and maintain resilient cybersecurity programs.
Europol and Eurojust took action against a fake crypto scam that defrauded victims of at least $2.2 million through call centers. They would lure them to invest in fake cryptocurrency schemes. In another major catch, the FBI busted the network of the prolific Hive ransomware gang that raked in over $100 million in cryptocurrency payments.

The Bad

Cybercriminals continue to up their game with new strategies and tactics to extort from a range of industries. Several top firms and brands, such as PayPal, Toyota, Nissan, Zacks Investment Research, and Solar Industries India, suffered critical breaches in the last month. Healthcare institutions also fell prey to hackers as in the case of the 550 GB data theft from Consulate Health Care. That was the work of Hive before the disruption. BayCare Clinic also exposed the PHI of over 100K individuals, however, that was in light of an online information tracking pixel installed on its partner’s website.

U.S. rail and locomotive company Wabtec Corporation confirmed being hit by the LockBit ransomware gang. The incident took place in June 2022 and impacted its operations in the U.S. Canada, U.K., and Brazil. It was further revealed that the ransomware was introduced onto certain systems as early as March 15, 2022.
The Hive ransomware group leaked 550 GB of data, including employee and customer PII, stolen from Consulate Health Care. The leaked samples include stolen contracts, agreement documents, and the company’s private info. This also included email addresses, phone numbers, credit card details, Social Security numbers, and medical records of employees.
Bay Bridge Administrators notified around 250,000 individuals of a September 2022 data breach. The compromised information includes names, addresses, birth dates, Social Security numbers, ID and driver’s license numbers, and medical and health insurance information.
PayPal disclosed that the login credentials of 35,000 US customers were accessed in an unauthorized manner in a credential-stuffing attack spree between December 6 and 8, 2022. While there has been evidence of unauthorized transactions, threat actors may have also accessed personal information such as names, social security numbers, addresses, and dates of birth of customers.
Toyota Motor Corporation revealed a data breach at Toyota Kirloskar Motor, a joint venture with Indian giant Kirloskar Group, that compromised the personal information of over 290,000 customers. The breach was reported after an access key was left exposed to the public on GitHub for over five years.
Costa Rica’s Ministry of Public Works and Transport (MOPT) suffered another ransomware attack just months after several ministries were crippled in a wide-ranging attack by Conti ransomware. Cybersecurity experts were called in to address the situation.
A data breach at a third-service provider resulted in the compromise of the personal information of roughly 18,000 Nissan customers in North America. The car manufacturer learned about the attack in June 2022. The compromised information includes birth dates and NMAC account numbers.
Nearly one million active and inactive Norton LifeLock accounts have been targeted in multiple credential-stuffing attacks. The attacks started on December 1, with a large number of failed login attempts observed on December 12, 2022. The company took several actions to secure the accounts.
Wisconsin-based BayCare Clinic revealed that the PHI of 134,000 patients was inadvertently disclosed to unauthorized third parties as a result of the use of tracking pixels by its partner, Advocate Aurora Health. Previously Advocate Aurora Health had disclosed that the personal and protected health information of up to three million patients was disclosed to third parties such as Google and Meta.
Zacks Investment Research (Zacks) suffered a data breach that exposed the personal information of 820,000 customers. The incident occurred between November 2021 and August 2022. Upon discovery, the firm took immediate action to implement additional security measures to protect its network.
The BlackCat ransomware group added Solar Industries India to its list of victims. The group claims to have stolen 2TB of data, including secret military data related to weapons production. Other stolen data includes personal information about the company’s employees, blueprints, and engineering documentation of weapons.
Confidential data from 14 U.K schools was leaked online by hackers. These include SEN information and passport scans of children, along with contract details and pay scales of staff members. The attacks and leaks were believed to be perpetrated by the Vice Society ransomware group.
Access to the websites of the Danish Central Bank and seven private banks in the country was briefly disrupted following a DDoS attack. Attackers redirected unwanted traffic to the targeted servers in a bid to knock them offline. Among the banks affected were Jyske Bank and Sydbank.

New Threats

Cybercriminals are mindful of the fact that they won’t survive unless they innovate. The Gootloader malware received an update weeks after being spotted using SEO poisoning techniques against the Australian healthcare industry. Meanwhile, the cyber landscape witnessed a rise in new RAT deployment in the form of PoweRAT, SparkRAT, SpyNote, and others. Furthermore, some major car brands, including Toyota, Mercedes, and BMW may have exposed car owners’ personal info owing to a sensitive bug.

Symantec researchers documented the activities of Bluebottle (aka OPERA1ER), a cybercrime group that targeted banks in French-speaking nations in Africa. The initial infection vector is unknown but in some cases, job-themed file lures written in the French language were leveraged to trick victims.
Numerous financial institutions, including Deutsche Bank, HSBC U.K., Kotak Mahindra Bank, and Nubank, are being targeted by a new version of the SpyNote Android malware. The attack campaign has been active since October 2022 and the malware comes with a plethora of data-stealing capabilities.
A cybercrime group tracked as Scattered Spider was observed exploiting an old vulnerability (CVE-2015-2291) in an Intel Ethernet diagnostics driver to target telecom and BPO firms. The attack was launched using phishing and social engineering techniques to obtain victims’ credentials and OTPs.
A new round of supply chain attacks deploying the PoweRAT malware on victims’ systems was observed. The attacks leveraged several PyPI packages—EasyTimeStamp, Discorder, Discord-dev, Style.py, and PythonStyles—to drop the malware that is capable of stealing browser cookies, passwords, Discord tokens, and Telegram data.
Gootkit loader (aka Gootloader) resurfaced in a new spate of attacks that targeted the Australian healthcare industry. The malware operators leveraged SEO poisoning attacks for initial infection. In other news, the group behind it appears to have restructured Gootkit by adding new components and implementing new obfuscation techniques.
A new Android malware dubbed Hook is being sold on underground forums for $5000/month. The malware is promoted by the creators of Ermac and can help threat actors steal credentials from over 460 banking and crypto apps via overlaid login pages. Researchers claim that the malware borrows its source code from Ermac.
The Roaming Mantis attack campaign was found implementing a new DNS changer to control infected Android devices and steal sensitive information. The changes were done to deploy the Wroba Android malware (aka Moqhao, XLoader) to steal user credentials.
Threat actors were observed leveraging Google Ads to deploy Vidar Stealer and IcedID trojan on victims’ systems. The campaign has been active since November 2022 and uses fake websites of Audacity, Blender, and GIMP to target users. In a similar campaign, hackers targeted Bitwarden and other password managers via Google Ads phishing to steal users’ password vault credentials.
Bitdefender security analysts stumbled across a malware threat campaign dropping the EyeSpy spyware. The campaign started in May 2022 and has been targeting 20Speed VPN users through trojanized installers. Users in Iran, the U.S., and Germany are targeted by the spyware.
Researchers at SentinelLabs tracked a new attack campaign by a Chinese hacking group, dubbed DragonSpark, that deployed SparkRAT malware on victims’ systems. The attack was targeted against organizations in East Asia and used compromised infrastructures located in China and Taiwan to launch the Golang malware.
Critical flaws discovered in vehicles of popular car brands, including Honda, Nissan, BMW, Rolls Royce, Ford, Ferrari, and Toyota, could allow attackers to perform malicious activities. Some of these flaws can be exploited to achieve remote code execution or access the memory of some systems.
The ASEC analysis team discovered a new attack that targeted systems vulnerable to Sunlogin vulnerability to deploy Sliver backdoor and BYOVD malware that disabled security products and installed a reverse shell. In 2022, the flaw was exploited to distribute Gh0st RAT, XMRig coin miner, and Powercat.

Cyware Monthly Threat Intelligence, March 2025

ETSI has rolled out a new quantum-safe encryption standard featuring Covercrypt, a novel key encapsulation scheme with built-in access controls. By tying decryption permissions to user attributes, Covercrypt delivers speed and post-quantum security. The code caves of GitHub got a cleanup crew courtesy of Microsoft. A sprawling malvertising campaign that snagged nearly a million devices worldwide has been knocked down a peg. The race to outpace quantum threats is officially on. The NCSC has issued guidance to help organizations transition to post-quantum cryptography by 2035, with a focus on NIST-approved algorithms and planned support for critical sectors. A fresh face in the cybercrime underworld is juggling a bag of nasty surprises. EncryptHub is hitting users of QQ Talk, WeChat, Google Meet, and more with trojanized apps and slick multi-stage attacks. Lucid isn’t just phishing - it’s engineering trust through your inbox. This advanced PhaaS platform weaponizes the built-in features of iMessage and RCS to create hyper-realistic scams. A botnet is turning home routers into attack platforms. The Ballista botnet is exploiting an unpatched TP-Link Archer router flaw (CVE-2023-1389) to spread stealthily, using Tor domains and remote command execution to launch DDoS attacks worldwide.

Cyware Monthly Threat Intelligence, February 2025

Google ramped up its defenses against the quantum threat. The company rolled out quantum-resistant digital signatures in Cloud KMS, following NIST’s post-quantum cryptography standards. Cyber defenders sharpened their tools, this month, and EARLYCROW is the latest weapon against stealthy APT operations. This method detects C2 activity over HTTP(S) using a novel traffic analysis format called PAIRFLOW. PyPI adopted a "dead but not gone" approach to abandoned software with Project Archival, a new system that flags inactive projects while keeping them accessible. Developers will see warnings about outdated dependencies, helping them make smarter security choices and avoid relying on unmaintained code. China’s Salt Typhoon made itself right at home in global telecom networks. The group was caught using JumbledPath, a custom-built spying tool, to infiltrate ISPs in the U.S., Italy, South Africa, and Thailand. Russia’s Sandworm hackers are using pirated software as bait. Their latest attack on Ukrainian Windows users disguises malware inside trojanized KMS activators and fake Windows updates. The CISA flagged major security holes in Microsoft Outlook and Sophos XG Firewall. One flaw allows remote code execution in Outlook, while another exposes firewall users to serious risks. A new payment card skimming campaign turned Stripe’s old API into a weapon. Hackers inserted malicious scripts into checkout pages, validating stolen card details through Stripe before exfiltration. A new malware named Ratatouille is stirring up trouble by bypassing UAC and using I2P for anonymous communications. Spreading through phishing emails and fake CAPTCHA pages, it tricks victims into running an embedded PowerShell script. A new version of ValleyRAT was also spotted, using stealthy techniques to infiltrate systems. Researchers found the malware being spread through fake Chrome downloads.

Cyware Monthly Threat Intelligence, January 2025

The U.K took a proactive stance on cyber resilience with its Cyber Local initiative, injecting £1.9 million into 30 projects across England and Northern Ireland. The effort focuses on closing the cyber skills gap, fortifying small businesses, and supporting underrepresented groups. India tightened its grip on data privacy with new draft rules designed to give citizens more control over their personal information. The proposed regulations mandate clearer data processing disclosures, stricter security protocols, and swift breach reporting. Hackers turned to SparkRAT, an open-source GoLang RAT, to target macOS users and government entities. Initially released in 2022, its modular design and cross-platform capability have made it a cybercriminal favorite. More than 10,000 WordPress sites were hijacked in a large-scale malware campaign delivering AMOS to macOS users and SocGholish to Windows users. Attackers exploited outdated plugins to inject fake browser update prompts. Lumma Stealer is made its way through GitHub in a new malware campaign that abuses the platform’s release infrastructure. Attackers deployed malware like SectopRAT and Vidar, using secure-looking download links to exfiltrate data while evading detection. Cybercriminals deployed the Coyote banking trojan against financial firms in Brazil, using malicious Windows LNK files to execute PowerShell scripts. This malware established secure connections with C2 servers, enabling keylogging and data theft. A two-year-long phishing campaign targeted Microsoft’s advertising platform users through malicious Google Search ads. A Mirai-based botnet exploited zero-day vulnerabilities in industrial routers and smart home devices. With 15,000 active nodes daily, it launched high-intensity DDoS attacks surpassing 100 Gbps, posing a growing threat across multiple countries.

Cyware Monthly Threat Intelligence, December 2024

The cloud revolution isn’t just about convenience anymore; it’s now the frontline of defense. With CISA's new directive mandating cloud environment fortification, federal agencies face a race against time to safeguard Microsoft 365 and other services. Meanwhile, proposed updates to the HIPAA security rules push healthcare organizations toward stronger PHI protection with advanced technical controls and detailed incident planning. On the global front, Operation PowerOFF turned the tables on DDoS attackers, dismantling 27 illegal platforms and curbing festive-season chaos. The cyber battlefield sees no intermission as new threats take center stage. A phishing campaign, dubbed Aggressive Inventory Zombies (AIZ), exploited brand trust by mimicking retail giants and crypto platforms. Meanwhile, the resurrected BADBOX botnet has compromised 192,000 Android devices globally, sneaking into supply chains to wreak havoc with ad fraud and account abuse. Adding to the turbulence, Poison Ivy (APT-C-01) resurged, targeting critical sectors with advanced phishing techniques and deploying Sliver RAT to breach systems and steal sensitive data. This month, new threats targeted IoT, banking, and app ecosystems, with threat actors unleashing diverse attacks. Iranian hackers deployed IOCONTROL malware to compromise IoT and OT systems, targeting critical infrastructure like gas stations. Meanwhile, the DroidBot banking malware infiltrates cryptocurrency and banking apps across Europe, leveraging MaaS operations for tailored attacks. Adding to the chaos, SpyLoan malware apps, with over eight million installs, exploited users in South America, Southeast Asia, and Africa, highlighting the escalating risks within app marketplaces. For detailed Cyber Threat Intel, click ‘Read More’.

Cyware Monthly Threat Intelligence, November 2024

The TSA reshaped the cybersecurity landscape for pipeline and railroad operators with proposed rules mandating incident reporting and risk management plans. Estimated to cost $2.1 billion over the next decade, the rules aimed to address growing cyber threats while balancing flexibility with resilience. Meta dismantled a sprawling web of over two million accounts tied to pig butchering scams in Southeast Asia and the UAE. Africa’s cybercrime ecosystem faced a decisive blow with Operation Serengeti, as over 1,000 suspects were arrested, and 134,000 malicious networks taken offline. TAG-110, a Russia-aligned threat group, launched a cyber-espionage campaign targeting governments and organizations in Asia and Europe. Using malware like HATVIBE and CHERRYSPY, it aimed to monitor geopolitical developments and assert influence. A botnet powered by Ngioweb malware converted 35,000 IoT devices into residential proxies. These compromised devices, found largely in the U.S., were sold on platforms like NSOCKS for malicious purposes. Water Barghest compromised over 20,000 IoT devices by exploiting known vulnerabilities. The group used Shodan to identify targets and deployed Ngioweb malware to connect them to its monetized network. LIMINAL PANDA, a Chinese cyberespionage group, has been targeting telecoms in South Asia and Africa since 2020. Using tools like SIGTRANslator and PingPong, the group exploits telecom protocols to steal critical data while staying undetected. NodeStealer has resurfaced, targeting Facebook Ads Manager accounts to steal credit card details and browser credentials. It uses Windows Restart Manager and Python scripts to execute its attacks, with stolen data sent via Telegram. BabbleLoader, a stealthy malware loader, delivers WhiteSnake and Meduza stealers. Disguised as accounting software, it targets English and Russian speakers, evading antivirus systems with advanced techniques.

The Good

The Bad

New Threats

Related Threat Briefings

Jul 1, 2025