Lampion malware campaign leverages ClickFix technique to target Portuguese organisations
Between late 2024 and early 2025, Palo Alto Networks Unit 42 researchers observed a malicious campaign leveraging ClickFix lures to deliver Lampion malware to Portuguese organisations in the government, finance, and transportation sectors. The campaign follows patterns seen in previous Lampion campaigns, including heavily obfuscated VBScripts and social engineering themes. The infection chain was divided into several non-consecutive stages executed as separate processes, each of which appears benign in isolation. Victims were initially sent a phishing email with a ZIP attachment containing an HTML file, which redirected to a website spoofing a Portuguese tax authority. After the first stage executes, an obfuscated second-stage downloader disguised as a PHP file is written to the TEMP folder. The third stage performs reconnaissance and detection evasion and creates an execution method for the fourth stage, a DLL loader.
CoGUI phishing kit targets organisations in Japan
Proofpoint researchers observed an increase in high-volume Japanese-language phishing campaigns targeting organisations in Japan to deliver a phishing kit called CoGUI. The campaigns primarily impersonate popular consumer or payment brands, such as Amazon, PayPal, Rakuten, and others, and aim to steal usernames, passwords, and payment data. Several other campaigns were also observed targeting users in Australia, New Zealand, Canada, and the United States. CoGUI has been active since at least October 2024 and uses several advanced defence evasion techniques. Before serving the phishing page, CoGUI profiles the victim, though the exact checks often vary by campaign. CoGUI is likely used by multiple different Chinese-speaking threat actors. The researchers also observed similarities between CoGUI and recent Darcula road toll smishing attacks but stated that Darcula is unrelated to CoGUI and that its presence in road toll smishing is notably different.
Mystery box subscription scams leverage Facebook pages and ads for financial gain
Bitdefender researchers identified an increase in campaigns leveraging sophisticated fraudulent websites to facilitate subscription scams. The threat actors create Facebook pages and ads impersonating content creators to promote the ‘mystery box’ scam, alongside other variants. The scam has recently evolved to include a subscription model that, for a recurring payment, seemingly provides the user with exclusive deals and savings. Several techniques have also been adopted to evade automatic detection, including leveraging multiple versions of an ad, with only one being malicious, uploading images directly from Google Drive, using cropped images to alter visual patterns, featuring text only in images, and leveraging classic homoglyph techniques. Over 200 websites have been observed as part of the campaign, some of which are still in operation. Some of the account pages are newly created, while others are being hacked and taken over by the attackers.
Venom Spider leverages server polymorphism in More_eggs deployment
Since at least October 2023, Arctic Wolf researchers have observed a spear phishing campaign by the financially motivated threat group Venom Spider targeting hiring managers and corporate human resources departments. The campaign abuses legitimate messaging services and job platforms to apply for real jobs using fake resumes that deliver an enhanced version of the More_eggs backdoor. Spear phishing emails sent directly to the victim contain links that redirect to an attacker-controlled website where they are asked to complete a CAPTCHA challenge. If completed, a ZIP file is downloaded containing a decoy image and a malicious LNK file disguised as a resume. The LNK launches a batch script, which triggers a JavaScript payload that drops a complex executable library, dubbed More_eggs_Dropper. Once active, More_eggs establishes C2 communication to facilitate the execution of various commands.
MacReaper watering hole campaign targets macOS users with Atomic Stealer
BadByte researchers discovered a watering hole campaign, dubbed MacReaper, targeting macOS users with Atomic Stealer malware. The campaign was initially discovered on May 4th, 2025, through a compromised Brazilian news site. The researchers identified approximately 2,800 potentially compromised websites, suggesting a coordinated operation that is likely exploiting vulnerabilities in website hosting or content management systems. The campaign presents users with a ClickFix fake reCAPTCHA interface, which queries a Binance Smart Contract using the EtherHiding technique to place a base64-encoded command on the clipboard. Users are prompted to run the command via macOS-specific shortcuts, which downloads a script that retrieves Atomic Stealer.
Ransomware
LockBit ransomware gang hacked, victim negotiations exposed – Bleeping Computer – May 08 2025
New DOGE Big Balls Ransomware Tools in the Wild – Netskope – Threat Labs – May 07 2025
Ransomware Attackers Leveraged Privilege Escalation Zero-day – Symantec Enterprise Blogs – May 07 2025
Agenda Ransomware Group Adds SmokeLoader and NETXLOADER to Their Arsenal – Trend Micro – May 07 2025
Mamona ransomware lowers the bar with offline encryption – SC World US – May 06 2025
Peru government hit with ransomware attack, Rhysida gang suspected – CyberNews – May 03 2025
Gunra Ransomware – A Brief Analysis – CYFIRMA – May 03 2025
IP cluster linking ransomware activity and Eye Pyramid C2 – Intrinsec – Apr 28 2025
Financial Services
Inferno Drainer Reloaded: Deep Dive into the Return of the Most Sophisticated Crypto Drainer – CheckPoint – Research – May 07 2025
Smishing on a Massive Scale: ‘Panda Shop’ Chinese Carding Syndicate – Security Affairs – May 06 2025
Luna Moth extortion hackers pose as IT help desks to breach US firms – Bleeping Computer – May 05 2025
Darcula PhaaS steals 884,000 credit cards via SMS phishing texts – Bleeping Computer – May 05 2025
How Investigating an ICICI Bank Phishing Site Uncovered a Malware Operation – Medium Cybersecurity – May 01 2025
Geopolitics
Iranian Cyber Actors Impersonate Model Agency in Suspected Espionage Operation – Unit 42 – Palo Alto Networks Blog – May 07 2025
Stolen voices: Russia-aligned operation manipulates audio and images to impersonate experts – ISDGlobal.org – May 06 2025
New ClickFix Attack Imitates Ministry of Defence Website to Target Windows & Linux Systems – GBHackers On Security – May 06 2025
Russian hacker group attacks Romanian government websites on election day – Politico.eu – May 04 2025
FortiGuard Incident Response Team Detects Intrusion into Middle East Critical National Infrastructure – Fortinet – May 01 2025
High Priority Vulnerabilities
| Name | Software | Base Score | Temp Score | Related |
|---|---|---|---|---|
| CVE-2025-27363 | FreeType | 8.1 | 5.6 | Google patches actively exploited flaw in Android devices |
| CVE-2024-7399 | MagicINFO 9 Server | 8.8 | 8.4 | Unauthenticated RCE flaw in Samsung MagicINFO 9 Server actively exploited |
| CVE-2025-3248 | langflow | 9.8 | 7.0 | Critical Langflow Flaw Added to CISA KEV List Amid Ongoing Exploitation Evidence |
| CVE-2024-6047 | GVLX 4 V3 | 9.8 | 9.8 | Critical command injection flaws in discontinued GeoVision devices actively exploited |
| CVE-2025-34028 | Command Center Innovation | 10.0 | 7.3 | Commvault CVE-2025-34028 Added to CISA KEV After Active Exploitation Confirmed |