Cyware Weekly Threat Intelligence, July 28–August 01, 2025
The Good
Picture this: a tool so fast it dissects malware at lightning speed, giving your team the edge in a digital arms race. Meet Thorium, the CISA’s latest open-source gem. This platform automates cyberattack investigations, processing over 1,700 jobs per second and ingesting 10 million files per hour per permission group. Meanwhile, as AI reshapes the battlefield, OWASP is arming professionals with fresh guidance to secure agentic AI applications driven by LLMs. It’s a playbook for locking down user authentication with OAuth 2.0, encrypting sensitive data, and bolstering supply chain security.
The CISA has released Thorium, an open-source platform designed for malware and forensic analysis, developed with Sandia National Laboratories. Thorium automates cyberattack investigation tasks, handling over 1,700 jobs per second and ingesting 10 million files per hour per permission group. It supports software analysis, digital forensics, and incident response, enhancing cybersecurity teams' efficiency in assessing malware threats. Key features include tool import/export, Docker integration, tag-based filtering, strict access control, and scalability with Kubernetes and ScyllaDB.
The CISA released the Eviction Strategies Tool to help organizations respond to cyber incidents and remove adversaries from compromised systems. Developed with MITRE, the tool enables rapid creation of tailored playbooks using structured frameworks like MITRE ATT&CK or free-text descriptions of threat behavior. The tool integrates two resources: COUN7ER, a database of over 100 post-compromise countermeasures, and Cyber Eviction Strategies Playbook NextGen, a web-based interface for aligning findings with countermeasures. Key features include exporting plans in various formats, integrating knowledge from frameworks like MITRE D3FEND, and open-source access under the MIT License.
OWASP has released comprehensive guidance for securing agentic AI applications powered by LLMs, aimed at developers, engineers, and security professionals. The guidance emphasizes securing agentic architectures with strong user authentication controls and safeguards against manipulation during design and development. Additional measures include enhanced security actions like OAuth 2.0, managed identity services, and encryption of sensitive data to mitigate risks. Operational risks from connecting agentic AI to APIs, databases, and other systems are addressed, along with supply chain security to reduce vulnerabilities from third-party code.
The FBI has seized approximately 20.29 Bitcoins, valued at over $2.4 million, from a member of the Chaos ransomware group known as "Hors." This seizure involved tracing the cryptocurrency to a specific address linked to cyberattacks against Texas companies. Following the seizure, the U.S. DOJ filed a civil complaint on July 24, seeking to permanently forfeit the funds, a process that allows the government to claim assets connected to criminal activities without needing a criminal conviction. The Chaos ransomware operation is believed to be a rebrand of the BlackSuit group, which itself emerged from the notorious Conti ransomware gang.
The Bad
Cybercriminals are donning digital disguises, impersonating trusted enterprises with fake Microsoft OAuth applications to steal credentials and bypass multi-factor authentication. Hackers exploited a critical SAP NetWeaver flaw to deploy the Auto-Color Linux malware. This malware, equipped with a rootkit and adaptive evasion tactics, adjusts its behavior based on user privileges. Operation CargoTalon, tied to threat cluster UNG0901, targeted organizations with EAGLET malware hidden in fake invoice files, quietly siphoning off sensitive data to a C2 server.
North Korean hacking group UNC4899 targeted organizations by using job lures and social engineering techniques via LinkedIn and Telegram, convincing employees to execute malicious Docker containers. The group exploited cloud environments like Google Cloud and AWS by employing stolen credentials and session cookies to manipulate cryptocurrency transactions. Although MFA initially hindered their efforts, they managed to disable it to gain administrative access. Their sophisticated attacks involved uploading malicious JavaScript files to exploit cloud services, ultimately leading to the theft of millions in cryptocurrency. The group’s activities have also included embedding malware into open-source package registries, indicating a strategic pivot in their approach to cybercrime.
Threat actors are impersonating enterprises with fake Microsoft OAuth applications to steal credentials and bypass MFA. Proofpoint identified malicious campaigns using redirects to phishing URLs via OAuth applications impersonating services like RingCentral, DocuSign, and Adobe. Observed email campaigns often use compromised accounts and lure themes such as RFQs or business agreements to target victims. Threat actors use CAPTCHA pages and counterfeit Microsoft authentication pages to intercept MFA tokens and session cookies. Proofpoint identified nearly 3,000 attempted account compromises across 900 Microsoft 365 environments in 2025, with a confirmed success rate exceeding 50%.
Russian state hackers, known as Secret Blizzard, have launched a cyberespionage campaign targeting foreign embassies in Moscow using sophisticated adversary-in-the-middle (AiTM) attacks. Central to this operation is a malware tool named ApolloShadow, which manipulates system certificates and masquerades as trusted applications to maintain stealthy persistence. The attack initiates at the ISP level, redirecting users through a fake captive portal that prompts them to download ApolloShadow. Once installed, the malware alters network settings, collects sensitive information, and creates a new administrative user with a hardcoded password for ongoing access.
The North Korean Lazarus Group distributed over 200 malicious open source packages through npm and PyPI, potentially compromising around 36,000 victims. This campaign marks a strategic shift for the group, targeting developers who often install packages without proper verification. Many of the detected packages were designed to mimic legitimate libraries and executed multi-stage attacks to maintain stealth and exfiltrate sensitive data. Among the 234 malicious packages, 120 served as droppers for additional malware, while 90 were specifically aimed at stealing secrets. The targets primarily included DevOps-heavy organizations, where compromised developer machines and build pipelines could lead to significant intellectual property theft and reputational damage.
Hackers exploited a critical vulnerability in SAP NetWeaver, tracked as CVE-2025-31324, to deploy the Auto-Color Linux malware against a U.S.-based chemicals company. The attack began on April 25, with the malware delivering a Linux executable file that features advanced evasion tactics and stealthy persistence mechanisms, including a rootkit. Auto-Color adjusts its behavior based on user privilege levels and can suppress its malicious activities if it cannot connect to its C2 server, making it appear benign in sandboxed environments. Auto-Color has been linked to exploitation attempts by various threat actors, including ransomware groups and state-sponsored hackers, following the vulnerability's disclosure.
Operation CargoTalon is a targeted cyber-espionage campaign attributed to threat cluster UNG0901, aimed at Russia’s aerospace and defense sectors. The campaign specifically targeted the Voronezh Aircraft Production Association (VASO) using spear-phishing emails to deliver the EAGLET malware. The operation employs advanced malware capabilities and social engineering tactics to infiltrate and exfiltrate sensitive data. The infection begins with spear-phishing emails containing a ZIP file that is actually a disguised DLL file. A similarly named LNK shortcut file is also included. When executed, these files trigger the EAGLET implant. The ZIP file, named in Russian as a TTN (goods and transport invoice), serves as a decoy to lure victims into executing the payload. EAGLET is a PE-based implant that generates a unique GUID to identify victims, collects system information, creates a hidden directory, and communicates with a C2 server via HTTP using disguised requests.
Scattered Spider hackers are aggressively targeting VMware ESXi hypervisors in various sectors, including retail and transportation, using sophisticated social engineering tactics. They initiate attacks by impersonating employees to convince IT help desks to reset Active Directory passwords, allowing them to gain initial access. This access enables them to identify and exploit high-value targets, such as domain administrators. The attackers then escalate their privileges by impersonating these users to gain control over the VMware vCenter Server Appliance, enabling SSH connections and executing a "disk-swap" attack to extract sensitive Active Directory data. Ultimately, they deploy ransomware to encrypt virtual machine files, achieving complete control over the virtualized environment in just a few hours.
New Threats
A newly discovered cyberattack technique, dubbed Man in the Prompt, is turning browser extensions into unwitting accomplices in data theft from generative AI tools. DoubleTrouble is targeting users through Discord-hosted APKs, disguising itself as a legitimate app to slip past defenses. A stealthy Android banking trojan, RedHook, is targeting Vietnamese users through phishing sites mimicking trusted agencies. Spread via a malicious APK on an exposed AWS S3 bucket, it exploits accessibility services to steal credentials and banking details, with over 500 infections tied to Chinese-speaking actors.
A newly identified cyberattack method, dubbed Man in the Prompt, enables malicious browser extensions to manipulate or exfiltrate data from generative AI tools such as ChatGPT and Google Gemini. This attack exploits the Document Object Model (DOM) access granted to browser extensions, allowing them to act as intermediaries in AI interactions without requiring elevated permissions. The attack poses a significant threat to organizations using browser-based AI tools, especially those processing sensitive or proprietary data. The widespread use of browser extensions and the common practice of allowing users to freely install them significantly increases the risk of exploitation. A single compromised extension can silently extract confidential information, turning AI tools into vectors for data theft. The attack allows extensions to act as a “man in the middle” for AI interactions. In the case of Gemini, the exploit worked even when the Gemini sidebar was closed.
A sophisticated Android banking Trojan named DoubleTrouble has expanded its delivery methods and technical features, targeting users across Europe through Discord-hosted APKs. The malware disguises itself as a legitimate app, uses Android’s accessibility services, and employs advanced techniques like session-based installation to evade detection. DoubleTrouble’s capabilities include real-time screen recording, phishing overlays, keylogging, and bypassing multi-factor authentication by mirroring the device screen. Captured data, including credentials from banking apps, password managers, and crypto wallets, is sent to a remote C2 server.
Russian state-sponsored group APT28 (Fancy Bear) has developed LameHug, the first AI-powered malware using large language models (LLMs) for automated command generation and execution. LameHug targets organizations by exploiting compromised official email accounts to deliver spearphishing emails containing malicious ZIP archives. The malware uses Hugging Face's Qwen 2.5-Coder-32B-Instruct model to translate natural language prompts into executable system commands, enabling flexible automation of reconnaissance and data exfiltration tasks. The malware introduces risks like prompt injection vulnerabilities and API abuse, blending malicious activity with legitimate processes for stealth.
JSCEAL is a sophisticated malware campaign targeting cryptocurrency app users through malicious advertisements that promote fake applications. Leveraging Node.js and compiled JavaScript files, JSCEAL steals sensitive data, including credentials and crypto wallets, while employing advanced anti-analysis techniques to evade detection. The campaign impersonates nearly 50 popular cryptocurrency brands and utilizes a multi-layered infection flow, starting with malicious advertisements leading to fake websites. The infection process involves MSI installers that require simultaneous execution with the malicious site, complicating detection efforts. With an estimated global reach exceeding 10 million users, JSCEAL has demonstrated low detection rates on platforms like VirusTotal, making it a significant threat in the cybersecurity landscape.
Cyble researchers discovered RedHook, an Android banking trojan targeting Vietnamese users via phishing sites impersonating trusted agencies. The malware is distributed through a trojanized APK hosted on an exposed AWS S3 bucket, active since November 2024. RedHook abuses Android accessibility services and MediaProjection API to capture keystrokes, contacts, SMS, and screen images, maintaining persistent communication with its C2 server. The trojan collects device information, logs credentials, and prompts victims to upload citizen IDs and banking details, indicating over 500 infections. Chinese-language artifacts suggest the malware originates from Chinese-speaking threat actors, evolving from cosmetic scams to sophisticated banking trojans.
Gunra ransomware has introduced a Linux variant that significantly enhances its encryption capabilities, allowing it to run up to 100 encryption threads in parallel and enabling partial file encryption. This development marks a strategic shift towards cross-platform targeting, expanding the group's reach beyond its original focus. Since its emergence in April, Gunra has victimized various sectors, including healthcare, manufacturing, and IT, across multiple countries. Unlike its Windows counterpart, the Linux variant does not drop a ransom note, prioritizing quick and efficient encryption instead. It renames encrypted files with a .ENCRT extension and offers attackers the option to store RSA-encrypted keys separately, showcasing its advanced and flexible approach to ransomware attacks.