Weekly summary of cyberattacks, April 24 - 30
Cybersecurity researchers release new analysis of MintsLoader malware
MintsLoader, a malicious loader discovered in 2024, has been used in various phishing and drive-by download campaigns. The malware employs advanced detection-evasion techniques, such as JavaScript and PowerShell obfuscation, and deploys secondary payloads such as GhostWeaver, StealC and modified BOINC clients. MintsLoader infiltrates systems through fraudulent emails and compromised websites, with the industrial and legal sectors particularly affected. Its ability to generate C2 domains through a domain generation algorithm (DGA), together with its checks for virtualized environments, complicates static detection. Although it has been used primarily by the TAG-124 threat group, its use has spread to other threat groups. MintsLoader's persistent adaptation to new techniques and its resilient infrastructure mean that it remains a significant threat, reflecting the increasing professionalization of cybercriminals.
Threat group impersonates French real estate companies to steal rent payments
A group identified as TA2900 has been observed running a French-language email fraud campaign focused on rent payments, mainly in France and to a lesser extent in Canada. The attackers send messages posing as real estate agencies, claiming that the tenant has not made the rent payment and must urgently send it to a new bank account. These emails often include or request bank details (IBAN) that change frequently, making them difficult to trace. The bank accounts used belong to low-cost branches of French banks, and the emails are often sent from compromised accounts at educational institutions. Victims are induced to reply with proof of payment or direct debit authorizations, which facilitates the fraud. The report suggests that the group may be using artificial intelligence tools to compose the messages, which adds a degree of sophistication to the scam.
New version of Triada Trojan detected with full control over Android phones
A new version of the Triada Trojan has been detected, infecting Android devices via modified firmware on counterfeit handsets sold online. This threat incorporates modules designed to spy on and control popular applications such as WhatsApp, LINE, Skype, TikTok and Facebook. Its capabilities include hijacking application sessions, sending fraudulent messages, intercepting calls, controlling premium SMS, and stealing social network credentials and cryptocurrencies. In addition, Triada can turn infected devices into proxy servers for malicious activities. It is estimated that the attackers have stolen more than $264,000 in cryptocurrencies. Most cases have been detected in Russia, the UK, the Netherlands, Germany and Brazil. Experts recommend reinstalling clean firmware and using reliable security solutions to mitigate the damage.
ToyMaker facilitates access to CACTUS ransomware using LAGTOY malware
Cybersecurity researchers have revealed that the Initial Access Broker (IAB) ToyMaker is facilitating entry for ransomware groups such as CACTUS using the custom LAGTOY malware. This malware allows reverse shells to be created and commands to be executed on infected devices. The financially motivated ToyMaker exploits known vulnerabilities in Internet-exposed applications to gain access, perform reconnaissance and steal credentials within a matter of days. It then hands that access over to ransomware gangs for double extortion. LAGTOY, first documented in 2023, connects to command and control (C2) servers to receive instructions and operates with specific privileges. After a brief pause, researchers observed CACTUS using credentials stolen by ToyMaker to infiltrate companies, install tools such as OpenSSH and AnyDesk, and proceed with data exfiltration and encryption. Experts stress that ToyMaker has no espionage motives and acts purely for financial gain.
Google warns of surge in zero-day vulnerability exploitation in 2024
Google Threat Intelligence Group (GTIG) has published an analysis of 75 zero-day vulnerabilities exploited in 2024, revealing a worrying increase in their use by state and criminal actors. North Korea matched China for the first time in the number of such attacks, with five vulnerabilities each, combining espionage with financial operations. Notable attacks included those by APT37, which used a Microsoft vulnerability to infect South Korean users via malicious advertisements. Other vulnerabilities allowed kernel-level security tools to be disabled. In addition, groups such as FIN11 and CIGAR exploited flaws in browsers and file systems to steal data or escalate privileges. The report highlights how these threats are spreading to new products and industries, and urges manufacturers to reinforce secure coding and intrusion detection practices in the face of an ever-evolving threat landscape.