Weekly summary cyberattacks May 1-7
New wave of cyberattacks in Portugal uses ClickFix spoofing technique
Cybersecurity researchers have identified a new campaign targeting dozens of Portuguese organizations in the government, financial and transportation sectors. The attack is linked to the Lampion malware, an infostealer active since 2019 that mainly targets banking data. This time the attackers have incorporated a social engineering technique known as ClickFix, which tricks users into copying and running malicious commands in the belief that they are fixing a system problem. The infection starts with phishing emails carrying ZIP archives that contain heavily obfuscated Visual Basic scripts, executed in several stages to evade detection. Although the final payload was not activated in this campaign, researchers were able to reconstruct the entire infection chain, which includes evasion techniques, collection of system data and the download of a DLL of more than 700 MB. The Portuguese-language comments inside the code suggest that the attack was designed specifically for Portuguese-speaking users.
Google fixes serious Android security flaw already exploited by attackers
Google has released its May security update for Android, fixing 46 vulnerabilities, including a critical one that is already being actively exploited: CVE-2025-27363. The vulnerability, with a CVSS score of 8.1, affects the System component and allows local code execution without requiring additional permissions or user interaction. The root cause lies in the open-source FreeType library used to render fonts: an out-of-bounds write triggered when parsing TrueType GX and variable fonts. It was disclosed by Facebook in March after its use in real attacks was detected. While Google notes that exploitation is limited and targeted, it recommends updating as soon as possible.
New version of StealC malware detected with new infostealer capabilities
StealC, a well-known infostealer and malware downloader, has released its second major version with significant improvements in stealth and data extraction capabilities. Although this update was distributed in March 2025, researchers have only now published a detailed analysis. Since its appearance in 2023, StealC has gained popularity on the Dark Web for its low cost and effectiveness, and in 2024 it was used in massive malvertising campaigns and system crashes. The new version adds support for delivering EXE files, MSI packages and PowerShell scripts, RC4 encryption of its traffic to hinder detection, custom build generation and real-time notifications via Telegram bots. It can also take screenshots in multi-monitor setups. Some features, such as anti-VM checks, have been removed, possibly to slim down the code. Its recent distribution has been observed via the Amadey loader. Experts recommend not storing sensitive data in browsers and using multi-factor authentication.
FBI Shuts Down LabHost Phishing Operation with 42,000 Domains
The FBI has dismantled LabHost, a major phishing-as-a-service (PhaaS) platform linked to 42,000 phishing domains. Active from 2021 to 2024, LabHost enabled nearly 10,000 users to impersonate banks, government agencies, and other organizations to steal personal and financial data. It offered phishing sites, SMS phishing, and tools to bypass two-factor authentication. Authorities recovered over one million stolen credentials and nearly 500,000 compromised credit cards. The FBI released domain data to help organizations identify past compromises and advises reviewing network logs for related activity. This action highlights the scale of commercialized cybercrime and reinforces the importance of global law enforcement collaboration in cyber threat prevention.
Malware detected in PyPI targeting Discord developers
A research team has discovered a malicious package in the PyPI software repository posing as a debugging tool for Discord bot developers. Under the name discordpydebug, the package contained a remote access Trojan (RAT) capable of executing commands, reading and modifying files, and exfiltrating data without the user's knowledge. Since its release on March 21, 2022, it was downloaded more than 11,000 times, potentially affecting thousands of systems. The malware communicated with a server controlled by the attackers and operated via a continuous polling routine, allowing it to act as a fully externally controlled bot. The lack of documentation and the ease with which it spread, even in trusted environments such as Discord development servers, highlight the risks in the software supply chain. Although the package has since been removed from PyPI, the incident underscores the urgent need for improved oversight of open-source repositories.