Malware Activity
From Cryptocurrency Heists to Hardware Attacks, Cybercriminals Are Employing Increasingly Sophisticated Tactics
GreedyBear is a cybercriminal group that has stolen over $1 million in cryptocurrency through malicious browser extensions and fake websites. Its operations combine social engineering, malware, and convincing mimicry of legitimate platforms to trick users into revealing sensitive information or transferring funds. Separately, the hardware-level "BadCam" attack, a BadUSB variant, shows that webcams running Linux internally can have their firmware rewritten, turning them into stealthy, persistent backdoors that are difficult to detect or remove because the implant lives in the peripheral's firmware rather than on the host. Together these developments illustrate the evolving threat landscape and the need for heightened vigilance, rigorous security controls, and supply chain integrity to protect digital assets and infrastructure from both software-based deception and hardware-based exploits. CTIX analysts will continue to report on the latest malware strains and attack methodologies.
- SecurityOnline: GreedyBear Unmasked: How Stealthy Firefox Extensions and Fake Sites Stole $1M in Crypto
- SecurityWeek: BadCam: New BadUSB Attack Turns Linux Webcams Into Persistent Threats
Threat Actor Activity
Royal and BlackSuit Ransomware Gang Dismantled After $370M Crime Spree, Likely Rebranding as Chaos
The U.S. Department of Homeland Security revealed that the cybercrime group behind the Royal and BlackSuit ransomware operations had compromised over 450 U.S. organizations across the healthcare, education, energy, government, and public safety sectors before being taken down in a global law enforcement action dubbed Operation Checkmate. Since emerging from the Conti-linked Quantum ransomware group in 2022, the gang extorted more than $370 million using double-extortion tactics, encrypting systems while threatening to leak stolen data. Initially operating as Royal ransomware, the group rebranded as BlackSuit in 2023 after high-profile attacks, including one against the City of Dallas. Following the July 2025 seizure of BlackSuit's infrastructure, Cisco Talos intelligence suggests the actors are now rebranding as Chaos ransomware, continuing double-extortion attacks that use voice-based social engineering and target both local and remote storage. Researchers link Chaos to BlackSuit/Royal through shared tactics, ransom note structure, and tool usage, signaling the group's persistence despite law enforcement disruption. CTIX analysts will continue to monitor and report on threat actor activity.
Vulnerabilities
WinRAR Zero-Day Exploited by RomCom and Paper Werewolf in Targeted Cyber Campaigns
A critical WinRAR zero-day, patched in version 7.13, was actively exploited in phishing campaigns by the Russia-linked threat groups RomCom (aka Storm-0978, Tropical Scorpius, UNC2596) and Paper Werewolf (aka GOFFEE) to achieve remote code execution (RCE) via path traversal. The flaw, tracked as CVE-2025-8088 (CVSS 8.8/10), lets a malicious RAR archive write an executable into a Windows autorun directory during extraction, so that it runs automatically at the next login. ESET researchers observed RomCom deploying custom backdoors (including SnipBot, RustyClaw, and a Mythic agent) against financial, manufacturing, defense, and logistics organizations in Europe and Canada using resume-themed phishing lures; the archives carried alternate data streams (ADSes) whose names contained path-traversal sequences, dropping LNK files into an autorun (Startup) directory for persistence. RustyClaw also delivered the MeltingClaw downloader, used to drop payloads such as ShadyHammock and DustyHammock. Paper Werewolf is suspected of having acquired the exploit (advertised on a Russian dark web forum for $80,000) and using it alongside CVE-2025-6218 in July 2025 attacks against Russian organizations. While telemetry suggests no successful compromises, the incidents highlight both groups' rapid adoption of zero-days and their alignment with Russian cyber-espionage and cybercrime objectives. WinRAR has no automatic update mechanism, so the 7.13 fix must be installed manually on every endpoint. CTIX analysts will continue to report on new and active vulnerabilities.
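The ADS-plus-path-traversal pattern described above can be screened for before an archive is extracted. The following Python is an added example written for this page, not ESET's, WinRAR's, or any vendor's code: it takes an archive listing (entry names, with NTFS alternate data streams in the `host:stream` form) and flags entries that would resolve outside the extraction directory, use an absolute path, or land in a Startup folder. The listing, the extraction root and the file names are constructed sample values; the listing must come from a parser that reports raw entry names rather than normalizing them, since an extractor that already strips `..` will hide exactly the evidence this check looks for.

```python
"""Pre-extraction triage of an archive listing for the ADS-plus-path-traversal
pattern used against WinRAR (CVE-2025-8088). Added example for this page; not
ESET's, WinRAR's, or any vendor's code. Entry names and the extraction root
are constructed sample values."""
import ntpath
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Autorun location marker (lower-case, backslash form). Both the per-user
# (%APPDATA%\...) and all-users (%ProgramData%\...) Startup folders end with it.
STARTUP_MARKER = r"\microsoft\windows\start menu\programs\startup"

# File types that execute, or launch something, when dropped into Startup.
AUTORUN_EXTS = {".exe", ".lnk", ".dll", ".bat", ".cmd", ".scr", ".vbs", ".js", ".hta", ".ps1"}


@dataclass
class Finding:
    entry: str            # raw listing entry
    resolved: str         # where it would land if the traversal were honoured
    reasons: List[str] = field(default_factory=list)


def split_ads(entry: str):
    """Return (host, stream) for 'host.ext:stream' names, (entry, None) otherwise.
    A colon after a drive letter ('C:\\...') is not an NTFS stream separator."""
    if re.match(r"^[A-Za-z]:[\\/]", entry):
        return entry, None
    host, sep, stream = entry.partition(":")
    return (host, stream) if sep else (entry, None)


def analyse_entry(entry: str, extract_root: str) -> Optional[Finding]:
    """Flag an entry that uses an ADS, an absolute path, '..' traversal, an
    escape from extract_root, or a Startup-folder destination."""
    host, stream = split_ads(entry)
    # For an ADS the stream name is the path that would be written; the host is a decoy.
    path = (stream if stream is not None else host).replace("/", "\\")
    reasons = []
    if stream is not None:
        reasons.append("ads")
    if re.match(r"^([A-Za-z]:|\\)", path):
        reasons.append("absolute-path")
    if ".." in [p for p in path.split("\\") if p]:
        reasons.append("dot-dot")

    root = ntpath.normpath(extract_root)
    resolved = ntpath.normpath(ntpath.join(root, path))   # ntpath works on any OS
    if not (resolved.lower() + "\\").startswith(root.lower() + "\\"):
        reasons.append("escapes-extract-root")
    if STARTUP_MARKER in resolved.lower():
        reasons.append("startup-folder")
    if ntpath.splitext(resolved)[1].lower() in AUTORUN_EXTS:
        reasons.append("executable-type")

    # An executable inside the archive is not by itself a finding;
    # ADS tricks, absolute paths and traversal are.
    if not set(reasons) - {"executable-type"}:
        return None
    return Finding(entry, resolved, reasons)


def triage(entries, extract_root):
    """Run analyse_entry over a listing and keep only the hits."""
    hits = []
    for entry in entries:
        finding = analyse_entry(entry, extract_root)
        if finding is not None:
            hits.append(finding)
    return hits


# Constructed listing in the shape a raw-name parser would report: a decoy
# resume plus an ADS on it whose name climbs out of the extraction directory.
SAMPLE_ROOT = r"C:\Users\victim\Downloads\Resume"
SAMPLE_LISTING = [
    r"Resume.pdf",
    r"Resume.pdf:..\..\..\..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.lnk",
    r"..\..\..\..\..\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe",
    r"notes\cover_letter.txt",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LISTING, SAMPLE_ROOT):
        print(f"{', '.join(f.reasons)}\n  entry:    {f.entry}\n  resolves: {f.resolved}")
```

The heuristic resolves each name against the intended extraction directory with `ntpath.normpath`, so a surplus of `..` components (which attackers add to cope with unknown directory depth) is handled the same way Windows would handle it; a hit with both `ads` and `startup-folder` is a strong indicator, while `executable-type` alone is deliberately not reported.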
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.