
Tags: Threat intelligence
21 May 2025

Weekly Summary Cyberattacks May 15 to 21

New infostealer detected using Telegram: PupkinStealer

Cybersecurity researchers have identified a new malware family called PupkinStealer, an infostealer written in .NET that steals browser passwords, desktop files and session data from applications such as Telegram and Discord. The malware leaves no persistent traces on the system and completes its theft within seconds, exfiltrating the data through the Telegram API so that its activity blends into ordinary encrypted web traffic. Although not technically complex, its impact is significant: it allows inexperienced actors to harvest stored credentials and take over active sessions without needing the victims' passwords. Its design borrows from earlier open-source malware, and all indications are that it originates from Russian-speaking circles, with clear signs pointing to the "Ardent" alias. It is distributed through social engineering, typically disguised as cracked software, and has already been used to harvest thousands of credentials worldwide.

Cybercriminals use Skitnet malware to steal data and maintain remote control

Ransomware groups have begun using the Skitnet malware in their attacks to steal sensitive data and maintain remote access to compromised systems. Since early 2025, actors such as Black Basta have deployed it in phishing campaigns against enterprise environments, taking advantage of its stealthy and flexible architecture. Also known as Bossnet, Skitnet is a multi-stage threat developed by the LARVA-306 group. It is written in Rust and Nim and establishes reverse shell connections over DNS, which helps it avoid detection by security tooling that does not inspect DNS traffic. The malware combines persistence mechanisms, remote access tools and data exfiltration commands, and it can download additional payloads. Its modular design and use of encryption make it a dangerous addition to the ransomware ecosystem.

Paychecks stolen in cyberattack using fake mobile login portals

An investigation has revealed a sophisticated SEO poisoning campaign targeting mobile devices, in which cybercriminals created fake login portals to steal employee credentials and gain access to payroll systems. Through fraudulent pages that ranked at the top of search results, the attackers captured login data and then modified direct deposit details to divert salaries to accounts under their control. To evade detection, they routed their access through compromised mobile networks and home routers, and used legitimate tooling such as Pusher to receive real-time notifications of newly stolen credentials. Because it primarily hits devices outside the corporate perimeter, this campaign is a growing threat: logins arriving from residential IP addresses are hard to distinguish from legitimate remote employees.

Focused Phishing: Attack Targets Victims with Trusted Sites and Live Validation

Keep Aware researchers observed a sophisticated phishing attack that combined legitimate domains, real-time email validation and evasive tactics to steal credentials through browser-based interactions. A compromised domain registered nine years earlier hosted a fake login page disguised as a document portal, which pre-filled victims' email addresses from URL fragments. If users entered their email manually, they were redirected to malicious domains and the address was sent to an API for real-time validation. Depending on the type of address (personal, generic corporate, or a specific target), the site served a blank page, a generic Microsoft login page, or a customized fake portal carrying the target organization's branding. Additional evasion tactics included anti-analysis JavaScript and CAPTCHAs. These attacks underline the growing sophistication of phishing and the need for real-time, browser-level detection and protection, since traditional email filters and static inspection fail to catch such dynamic threats. Keep Aware recommends real-time browser protections that detect and block phishing pages before credentials are submitted.

Global cyberespionage campaign compromises government emails via XSS vulnerabilities

A cyber-espionage campaign dubbed RoundPress has compromised the webmail servers of governments and critical organizations around the world. The attack, attributed with medium confidence to the Russian group APT28, began in 2023 and continued into 2024, exploiting both known and previously unknown (n-day and zero-day) vulnerabilities in platforms such as Roundcube, Horde, MDaemon and Zimbra. The technique requires only that the victim open a malicious email: the message triggers JavaScript that steals credentials, messages, contacts and settings, with no clicks or downloads needed. The attack relies on XSS vulnerabilities in the webmail software, which let the script run directly inside the victim's authenticated browser session. Although no RoundPress activity has been detected in 2025, experts warn that the method remains viable as similar vulnerabilities continue to emerge.
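The RoundPress paragraph above hinges on webmail rendering attacker-controlled HTML inside the user's session; the standard server-side mitigation is to rebuild the message body from an allowlist before the browser ever sees it. The sanitizer below is an added example, not code from the original summary or from any of the affected webmail products; its tag, attribute and scheme lists are this example's own choices, and it rebuilds markup from parsed tokens rather than regex-filtering the raw string so that malformed or entity-encoded markup cannot smuggle a tag through.

```python
from html import escape
from html.parser import HTMLParser

# Allowlist sanitiser for untrusted HTML email bodies; the lists below are this example's own choice.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a", "ul", "ol", "li", "div", "span", "img"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt"}}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "svg", "math"}
SAFE_SCHEMES = ("http://", "https://", "mailto:", "cid:")

class EmailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip_depth = [], 0  # skip_depth > 0 while inside dropped content

    def _clean_attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:
            name, value = name.lower(), value or ""
            compact_url = "".join(value.split()).lower()  # browsers ignore whitespace in schemes
            if (name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, ())
                    or (name in ("href", "src") and not compact_url.startswith(SAFE_SCHEMES))):
                continue  # event handlers, unlisted attributes and unsafe URLs never survive
            kept.append(f' {name}="{escape(value, quote=True)}"')
        return "".join(kept)

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
        elif not self.skip_depth and tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}{self._clean_attrs(tag, attrs)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag not in ("br", "img"):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))  # text is re-escaped, never copied through raw

def sanitize_email_html(body: str) -> str:
    parser = EmailSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out)

# Constructed sample: inline script, event handler and javascript: link beside real content.
SAMPLE_BODY = ('<p>Quarterly report attached.</p><script>alert("xss")</script>'
               '<img src="cid:logo" onerror="alert(1)"><a href="javascript:alert(1)">Open</a>')
```

Run `sanitize_email_html(SAMPLE_BODY)` to see the script element, the `onerror` handler and the `javascript:` link all removed while the paragraph, the inline image reference and the link text survive.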