Tags: Threat intelligence
09 April 2025

Weekly Summary Cyberattacks April 03-09

Threat group uses SSH attacks to mine cryptocurrencies on Linux servers

A cryptocurrency mining botnet called Outlaw, which spreads automatically by attacking SSH servers with weak credentials, has recently been identified. This malware, active since at least 2018, brute-forces its way into Linux systems, establishes persistence and deploys cryptocurrency miners. The threat group responsible, possibly of Romanian origin, uses a multi-stage infection process. After gaining access to a system, it downloads and executes a malicious script that installs the miner and removes traces of previous attacks. It also employs a component called BLITZ, which allows it to self-propagate by scanning for and attacking other vulnerable servers. In addition, the campaign exploits old vulnerabilities such as Dirty COW and attacks systems with weak Telnet credentials. Once inside, it deploys SHELLBOT, a Trojan that provides remote control of the system, credential theft and the execution of DDoS attacks. To optimize mining, the malware adjusts CPU settings and uses disguised binaries to maintain communication with the attackers.

Critical flaw in Apache Parquet allows remote attackers to execute arbitrary code

A maximum-severity security vulnerability (CVE-2025-30065) has been disclosed in Apache Parquet's Java library that, if successfully exploited, could allow a remote attacker to execute arbitrary code on susceptible instances. Apache Parquet is a free and open-source columnar data file format designed for efficient data processing and retrieval. The vulnerability affects all versions up to and including 1.15.0 and has been addressed in version 1.15.1. Successful exploitation requires tricking a vulnerable system into reading a specially crafted Parquet file, so data pipelines and analytics systems that import Parquet files from external or untrusted sources are the most exposed.

Carding tool abusing WooCommerce API downloaded 34K times on PyPI

A malicious Python package named ‘disgrasya’, designed specifically to abuse WooCommerce stores that use the CyberSource payment gateway in order to validate stolen credit card numbers, was downloaded more than 34,000 times from the Python Package Index (PyPI). This carding tool automated the emulation of a legitimate checkout: it scraped product IDs, used fake customer data, harvested CSRF tokens and checkout contexts, then passed the card details to an attacker-controlled server pretending to be CyberSource before submitting the transaction to check whether the card was valid. Unlike other supply chain attacks that disguise their malicious intent, disgrasya made no effort to appear legitimate. Its description blatantly advertised its purpose: "A utility for checking credit cards through multiple gateways using multi-threading and proxies." Security researchers noted that version 7.36.9 of the package contained the malicious code and emphasized how difficult this activity is to detect because it blends into normal checkout traffic. Suggested mitigations include blocking low-value orders, monitoring high failure rates, implementing CAPTCHA during checkout, and using rate limiting to curb abuse.
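The "monitor high failure rates" and "block low-value orders" mitigations above can be turned into a simple detection over checkout logs. The following is an added example, not code from the original article or from any researcher cited in it; the log line format (timestamp, client IP, order amount, gateway result) and the thresholds are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample checkout log (not real data). Assumed format per line:
# <ISO timestamp> ip=<client> amount=<order total> result=<gateway outcome>
SAMPLE_LOG = """\
2025-04-05T10:00:01Z ip=203.0.113.7 amount=1.00 result=declined
2025-04-05T10:00:03Z ip=203.0.113.7 amount=1.00 result=declined
2025-04-05T10:00:04Z ip=203.0.113.7 amount=1.00 result=approved
2025-04-05T10:00:06Z ip=203.0.113.7 amount=1.00 result=declined
2025-04-05T10:00:07Z ip=203.0.113.7 amount=1.00 result=declined
2025-04-05T10:00:09Z ip=203.0.113.7 amount=1.00 result=declined
2025-04-05T10:05:00Z ip=198.51.100.2 amount=59.90 result=approved
2025-04-05T10:06:10Z ip=198.51.100.2 amount=12.50 result=declined
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) amount=(?P<amount>[\d.]+) result=(?P<result>\w+)$")

def parse_log(text):
    """Parse log lines into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                       "ip": m["ip"], "amount": float(m["amount"]),
                       "declined": m["result"] == "declined"})
    return events

def find_card_testing(events, window=timedelta(minutes=5), min_attempts=5,
                      max_failure_rate=0.5, low_value=5.0):
    """Flag IPs with a burst of low-value checkout attempts that are mostly declined."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # slide the window start forward so it spans at most `window` of time
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            if len(win) < min_attempts or not all(e["amount"] <= low_value for e in win):
                continue
            fail_rate = sum(e["declined"] for e in win) / len(win)
            if fail_rate > max_failure_rate:
                flagged[ip] = {"attempts": len(win), "failure_rate": round(fail_rate, 2)}
                break
    return flagged
```

Flagged IPs are candidates for rate limiting or a CAPTCHA challenge rather than an outright block, since a single legitimate customer retrying a declined card should fall below `min_attempts`.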

Neptune RAT: an advanced threat that steals passwords and can destroy Windows systems

A recent analysis has revealed the dangers of Neptune RAT, an advanced remote access tool (RAT) targeting Windows systems. Distributed on platforms such as GitHub and Telegram, it is designed to infiltrate systems through PowerShell commands that download and execute malicious scripts hosted on services such as catbox.moe. Neptune RAT incorporates multiple persistence techniques, obfuscation using Arabic characters, and analysis evasion, making it difficult to detect. Among its most alarming functionalities are password theft from more than 270 applications, real-time desktop monitoring, ransomware capabilities, Windows registry modification, and operating system sabotage by corrupting the MBR (Master Boot Record). In addition, it uses modular DLLs to carry out specific tasks such as disabling antivirus software or intercepting cryptocurrency addresses copied to the clipboard. The creator of Neptune RAT, who identifies himself as part of the “Freemasonry” group and claims to live in Saudi Arabia, offers a free version of the malware while advertising an even more dangerous paid version.

Malware disguised as legitimate software detected on SourceForge   

Researchers have discovered a malicious campaign that uses SourceForge, a popular software hosting platform, to distribute malware under the guise of legitimate applications. The fraudulent project, called “officepackage”, redirects users from an apparently official page to a site offering fake software installers. The downloaded file, artificially inflated to look legitimate, contains a complex infection system that installs two threats: a cryptocurrency miner and ClipBanker, a Trojan that replaces digital wallet addresses copied to the clipboard. The process includes multiple layers of concealment, automated scripting, and advanced persistence techniques such as registry key creation, fake services, and the use of legitimate system tools such as WMIC. Ninety percent of victims have been identified as being in Russia, with more than 4,600 users affected between January and March. Experts recommend avoiding downloading software from unofficial sources.