Malware Activity
A Series of Newly Discovered Malware Campaigns and Phishing Attacks Have Been Identified
A set of newly reported malware campaigns and phishing operations illustrates how increasingly targeted and sophisticated these threats have become.

The SparkCat campaign distributes malicious apps through both Apple's App Store and Google Play and uses optical character recognition (OCR) to scan victims' image galleries for screenshots of cryptocurrency wallet recovery (mnemonic) phrases; the trojanized apps have been downloaded more than 242,000 times. The FatBoyPanel campaign targets Android users in India over WhatsApp, harvesting sensitive personal and financial information.

Meanwhile, cybercriminals are abusing legitimate HTTP client libraries, such as Axios and Node Fetch, to carry out account takeover (ATO) attacks against Microsoft 365 environments. Activity has surged since March 2024, and the attacks have compromised 51% of targeted organizations and 43% of targeted user accounts. Because these libraries are also used by sanctioned automation, the distinguishing signal is the library user agent appearing on interactive user accounts rather than on known service accounts.

A previously undocumented threat actor tracked as Silent Lynx has been linked to attacks on entities in Kyrgyzstan and Turkmenistan, with a focus on economic decision-making and banking sector organizations. The group uses spear-phishing emails carrying malicious RAR archive attachments to deliver its payloads and establish remote access.

Finally, a campaign delivering the AsyncRAT remote access trojan (RAT) uses Python payloads and TryCloudflare tunnels, relying on legitimate infrastructure to make its lures appear trustworthy. Taken together, these campaigns show how quickly phishing tradecraft continues to evolve and why layered defenses and user vigilance remain essential. CTIX analysts will continue to report on the latest malware strains and attack methodologies.
- TheHackerNews: Sparkcat Malware Uses OCR article
- TheHackerNews: Cybercriminals Use AXIOS and Node Fetch article
- TheHackerNews: Silent Lynx Using Powershell Golang article
- TheHackerNews: Asyncrat Campaign Uses Python Payloads article
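The Axios/Node Fetch account takeover activity described above is easiest to spot in sign-in telemetry, because library user agents look nothing like a browser. The following Python is an added example, not code from any of the referenced reports: it runs a simple hunt over constructed sign-in log lines (the space-separated layout, the hostnames and the addresses are all assumptions), flags sign-ins from generic HTTP client libraries, and escalates a success that follows failed attempts for the same user from the same IP. Axios and Node Fetch are the two clients named above; the other user-agent prefixes in the pattern are assumed additions.

```python
import re
from collections import defaultdict

# Constructed sample sign-in log lines (not real data). Space-separated fields:
# timestamp, user principal name, result, source IP, user agent (may contain spaces).
SAMPLE_SIGNIN_LOG = """\
2025-02-06T08:12:01Z alice@example.com Success 203.0.113.10 Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/121.0
2025-02-06T08:12:04Z bob@example.com Failure 198.51.100.7 axios/1.7.9
2025-02-06T08:12:05Z bob@example.com Failure 198.51.100.7 axios/1.7.9
2025-02-06T08:12:07Z bob@example.com Success 198.51.100.7 axios/1.7.9
2025-02-06T08:13:40Z carol@example.com Success 192.0.2.44 node-fetch/1.0 (+https://github.com/bitinn/node-fetch)
2025-02-06T08:14:02Z dave@example.com Success 203.0.113.11 Mozilla/5.0 (Macintosh; Intel Mac OS X 14_2) Safari/605.1
"""

# User-agent prefixes of generic HTTP client libraries. Axios and Node Fetch are the
# two named in the research summarised above; the remaining entries are assumed
# additions covering other scripted clients commonly seen in credential abuse.
SCRIPTED_CLIENT_UA = re.compile(
    r"^(axios|node-fetch|python-requests|go-http-client|curl|okhttp)\b", re.IGNORECASE
)


def parse_signin_line(line):
    """Split one constructed log line into a dict; returns None for blank or short lines."""
    parts = line.strip().split(maxsplit=4)
    if len(parts) < 5:
        return None
    ts, user, result, ip, ua = parts
    return {"ts": ts, "user": user, "result": result, "ip": ip, "ua": ua}


def find_scripted_client_signins(log_text, allowlist=frozenset()):
    """Return sign-in events whose user agent is a generic HTTP client library,
    skipping accounts on the allowlist (known, sanctioned automation)."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_signin_line(line)
        if ev and ev["user"] not in allowlist and SCRIPTED_CLIENT_UA.match(ev["ua"]):
            hits.append(ev)
    return hits


def scripted_success_after_failures(log_text, allowlist=frozenset()):
    """Escalation heuristic: a successful scripted-client sign-in that follows one or
    more failures for the same user from the same IP suggests a guessed or stuffed
    credential. Returns {user: source_ip} for such cases."""
    failures = defaultdict(int)  # (user, ip) -> failures seen so far
    takeovers = {}
    for ev in find_scripted_client_signins(log_text, allowlist):
        key = (ev["user"], ev["ip"])
        if ev["result"].lower() == "failure":
            failures[key] += 1
        elif failures[key] > 0:
            takeovers[ev["user"]] = ev["ip"]
    return takeovers


if __name__ == "__main__":
    for ev in find_scripted_client_signins(SAMPLE_SIGNIN_LOG):
        print(f"{ev['ts']} {ev['user']} {ev['result']} from {ev['ip']} via {ev['ua']}")
    print("escalate:", scripted_success_after_failures(SAMPLE_SIGNIN_LOG))
```

A single library user agent on a successful sign-in is not proof of compromise, since credentials harvested by phishing will produce no preceding failures; treat the plain hit list as a review queue and the escalated list as the cases to act on first. Populate the allowlist from the service accounts that are genuinely expected to authenticate with these libraries.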
Threat Actor Activity
Large-Scale InfoStealer Campaign Targets Russian Organizations with Nova Malware
Russian cybersecurity firms have released reports detailing a large-scale information-stealing campaign that targets local organizations with the Nova malware. Nova is a commercial stealer sold on dark web marketplaces, priced from $50 for a monthly license to $630 for lifetime access. It is a variant of the widely used SnakeLogger malware and inherits its capabilities: capturing saved authentication data, recording keystrokes, taking screenshots, and extracting clipboard contents. To infiltrate victims' devices, the attackers send phishing emails whose malicious attachments are disguised as zipped archives; the lures are crafted to appeal to employees who handle large volumes of email, increasing the chance that one is opened. The origin of Nova's development remains uncertain, though its code contains Polish strings, and a Telegram group promoting it was created in August 2024. The full impact and objectives of the Nova campaign in Russia are still unclear, but the credentials and data it harvests could be used to stage targeted ransomware attacks and other follow-on activity, posing a significant threat to the affected sectors. The campaign comes against a backdrop of increased cyberattacks on Russian entities, often attributed to politically motivated, state-sponsored actors, particularly in light of the ongoing war in Ukraine and sanctions against Moscow. With Western cybersecurity companies having withdrawn from Russia, local firms have become the primary sources of threat intelligence on such activity, though their reports often lack the independent verification typical of international researchers.
Vulnerabilities
Cisco Patches Critical RCE Vulnerabilities in its Identity Services Engine
Cisco has released security updates to address two (2) critical vulnerabilities in its Identity Services Engine (ISE) that could allow remote attackers to execute arbitrary commands, escalate privileges, and modify system configurations on affected devices. The first vulnerability, tracked as CVE-2025-20124 (CVSS 9.9/10), is an insecure Java deserialization flaw in a Cisco ISE API; a remote attacker holding valid read-only administrative credentials can exploit it by sending a crafted serialized Java object to execute arbitrary commands as the root user. The second vulnerability, tracked as CVE-2025-20125 (CVSS 9.1/10), is an authorization bypass flaw that allows an attacker with valid read-only credentials to obtain sensitive information, modify node configurations, and restart affected nodes by sending a malicious HTTP request to a specific API endpoint. The two vulnerabilities are independent of each other, and there are currently no workarounds. Cisco has addressed the flaws in its latest software releases, with fixes in ISE versions 3.1P10, 3.2P7, and 3.3P4, while version 3.4 is not vulnerable. Although Cisco has stated that it is not aware of active exploitation, both flaws are reachable with the lowest tier of administrative access, so CTIX analysts strongly advise users to update their systems immediately and to review read-only administrator accounts for credentials that may already be exposed.
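Checking a fleet of ISE nodes against the fixed releases listed above is a matter of comparing each node's release train and patch level with the threshold for that train. The following Python is an added example, not Cisco's tooling: it parses the version strings an administrator would copy from the ISE admin portal or inventory (formats such as "3.2 Patch 6", "3.2P7" and "3.3.0.430 Patch 4" are assumed), applies the fixed patch levels from the advisory summarised above (3.1P10, 3.2P7, 3.3P4; 3.4 not vulnerable), and triages a constructed inventory. Trains with no fix on the page (3.0 and earlier) are reported as needing migration, and trains newer than 3.4 are assumed to be unaffected; both are assumptions rather than statements from the advisory.

```python
import re

# Fixed patch level per release train, from the Cisco advisory summarised above.
FIXED_PATCH = {"3.1": 10, "3.2": 7, "3.3": 4}
# 3.4 is not vulnerable per the advisory; later trains are assumed unaffected.
FIRST_UNAFFECTED_TRAIN = (3, 4)

# Accepts "3.2 Patch 6", "3.2P6", "3.3.0.430 Patch 4" or a bare "3.4".
_VERSION_RE = re.compile(r"^(\d+\.\d+)(?:\.\d+)*\s*(?:[Pp]atch\s*|[Pp])?(\d+)?$")


def parse_ise_version(text):
    """Return (train, patch) such as ('3.2', 6); patch is 0 when none is given."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ISE version string: {text!r}")
    return m.group(1), int(m.group(2) or 0)


def _train_key(train):
    return tuple(int(x) for x in train.split("."))


def assess_ise_version(text):
    """Classify one node: 'fixed', 'vulnerable', 'not_affected' or 'unlisted_migrate'.
    'unlisted_migrate' covers trains the advisory lists no fix for (3.0 and earlier)."""
    train, patch = parse_ise_version(text)
    if _train_key(train) >= FIRST_UNAFFECTED_TRAIN:
        return "not_affected"
    if train in FIXED_PATCH:
        return "fixed" if patch >= FIXED_PATCH[train] else "vulnerable"
    return "unlisted_migrate"


def triage_ise_inventory(inventory):
    """inventory: {hostname: version string}. Returns {status: [hostnames]} so that
    the nodes still needing action are listed together."""
    out = {"vulnerable": [], "fixed": [], "not_affected": [], "unlisted_migrate": []}
    for host, version in inventory.items():
        out[assess_ise_version(version)].append(host)
    return out


# Constructed inventory for the walkthrough (not real hosts).
SAMPLE_INVENTORY = {
    "ise-pan-01": "3.2 Patch 6",
    "ise-psn-01": "3.3.0.430 Patch 4",
    "ise-psn-02": "3.1P10",
    "ise-lab-01": "3.4",
    "ise-old-01": "3.0 Patch 8",
}

if __name__ == "__main__":
    for status, hosts in triage_ise_inventory(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Because both flaws need only read-only administrative credentials, pair the version triage with a review of which accounts hold that role on each node; a patched node still matters less than a stale read-only account whose password has leaked.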
![](https://files.passle.net/Passle/602651b953548812c0fa5fe2/MediaLibrary/Images/2025-02-07-13-04-19-991-67a604d32a3c1d304a0fff3d.png)
© Copyright 2025. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice