
Ankura CTIX FLASH Update - April 8, 2025

Malware Activity


The Rising Tide of Malicious Tools and Techniques

A disturbing trend in cybersecurity has emerged, highlighted by a malicious carding tool that masqueraded as a legitimate library on the Python Package Index (PyPI) and has been downloaded over 34,000 times. This tool enables cybercriminals to automate the testing of stolen credit card information, significantly increasing the risk of fraud. Alongside this threat, multiple malicious Python packages have infiltrated PyPI, putting developers at risk of supply chain attacks. These harmful packages, disguised as legitimate libraries, are designed to steal sensitive information or execute unwanted actions on compromised systems. Meanwhile, North Korean hackers have unveiled a new malware called "Beavertail," which targets sensitive information through advanced phishing techniques and software exploitation, exemplifying the ongoing threat posed by state-sponsored cybercriminals. Adding to the complexity, U.S. allies have cautioned about threat actors utilizing fast-flux techniques to obscure their servers' locations, complicating tracking efforts. Additionally, a new AI-powered toolkit named Xanthorox has appeared on the darknet, designed to assist cybercriminals by automating tasks and creating sophisticated social engineering attacks that exploit vulnerabilities. These developments underscore the evolving landscape of cybersecurity risks, necessitating greater vigilance and proactive measures to safeguard sensitive information. CTIX analysts will continue to report on the latest malware strains and attack methodologies.


Threat Actor Activity


E-ZPass Toll Payment Scam Texts Resurging

A phishing campaign impersonating E-ZPass and other toll agencies has intensified, with recipients bombarded by multiple iMessage and SMS texts designed to steal personal and credit card information. These messages contain links that redirect victims to phishing sites mimicking E-ZPass, The Toll Roads, FasTrak, Florida Turnpike, and other toll authorities. This scam, although not new, has seen a recent surge, prompting warnings from researchers and the FBI, who had previously highlighted the issue in April 2024. The phishing texts bypass anti-spam measures, originating from seemingly random email addresses, indicating an automated attack. They employ urgent language, warning recipients of impending fines, suspended licenses, or the need to settle toll payments quickly. For example, one scam message reads: "Your toll payment for E-ZPass Lane must be settled by April 4, 2025, to avoid fines and the suspension of your driving privileges." To circumvent Apple's iMessage security, which disables links from unknown senders, scammers instruct users to reply to the message, enabling the links to become clickable. Clicking the link takes victims to a phishing site resembling legitimate toll agency websites, though the site only loads on mobile devices, bypassing desktop detection. The sheer volume of scam texts has led to widespread frustration, with some users receiving several messages a day. While the origin of these messages remains unclear, the campaign is linked to a phishing-as-a-service platform called Lucid, which uses encrypted iMessage and RCS messages to bypass traditional anti-spam filters and send large volumes of texts without incurring standard SMS costs. CTIX analysts recommend that recipients block and report these messages to Apple, avoiding any interaction that might flag them for future scams. Those concerned about legitimate outstanding payments should directly access their toll authority's website to verify balances. Additionally, the FBI recommends filing a complaint through the IC3 portal if targeted by such scams.


Vulnerabilities


Vulnerability in WinRAR Allows for Windows Security Bypass

The flaw tracked as CVE-2025-31334 is a medium-severity vulnerability affecting all versions of WinRAR prior to 7.11, which allows attackers to bypass Windows' Mark of the Web (MotW) security warnings by exploiting how the utility handles symbolic links (symlinks). If a specially crafted archive containing a symlink to an executable is opened from the WinRAR shell, the MotW metadata (meant to alert users about potentially dangerous files downloaded from the internet) is ignored, allowing the executable to run without warning. While the exploit requires administrator privileges, making it less trivial to abuse, the vulnerability presents a significant security risk given WinRAR's vast user base of over 500 million and the history of threat actors, including Russian hackers, leveraging similar MotW bypasses in other archiving tools like 7-Zip to deploy malware. The issue was responsibly disclosed by Taihei Shimamine of Mitsui Bussan Secure Directions and coordinated through Japan's IPA. Although no active exploitation has been reported, users are strongly advised to update to version 7.11 manually, as WinRAR does not support automatic updates. Notably, WinRAR version 7.10 also introduced features to limit the privacy risks associated with MotW metadata. CTIX analysts urge readers to follow the Windows guidance and ensure that their instances are patched to prevent the exploitation of this vulnerability.
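Because WinRAR does not update itself, the practical defender checks for this item are whether the installed build is at or above 7.11 and which downloaded archives still carry the Internet-zone Mark of the Web. The PowerShell below is an added example, not from the briefing or from RARLAB; the install path is assumed to be the default.

```powershell
# Added example (not from the Ankura briefing): audit a Windows host for
# CVE-2025-31334 exposure. Fixed release per the briefing is WinRAR 7.11.
# The install path is the default location and is an assumption.

$FixedVersion = [version]'7.11'
$WinRarExe    = Join-Path $env:ProgramFiles 'WinRAR\WinRAR.exe'   # assumed default path

function Test-WinRarPatched {
    if (-not (Test-Path $WinRarExe)) {
        Write-Output "WinRAR not found at $WinRarExe"
        return $null
    }
    $raw = (Get-Item $WinRarExe).VersionInfo.ProductVersion
    # ProductVersion may carry extra suffix text; keep only the leading numeric part
    $installed = [version](($raw -split '[^0-9.]')[0])
    [pscustomobject]@{
        Installed = $installed
        Fixed     = $FixedVersion
        Patched   = ($installed -ge $FixedVersion)
    }
}

function Get-MotwArchives {
    param([string]$Folder = (Join-Path $env:USERPROFILE 'Downloads'))
    # Zone.Identifier is the NTFS alternate data stream that holds MotW;
    # ZoneId=3 marks a file as downloaded from the Internet zone.
    Get-ChildItem -Path $Folder -Include *.rar,*.zip,*.7z -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $zone = Get-Content -Path $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
            if ($zone -match 'ZoneId=3') {
                [pscustomobject]@{ Archive = $_.FullName; Zone = 'Internet' }
            }
        }
}

Test-WinRarPatched
Get-MotwArchives
```

An unpatched result combined with Internet-zone archives in the download folder is the condition the briefing warns about; the archives are not themselves proof of anything malicious, only of files that would normally trigger the MotW prompt.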


© Copyright 2025. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
