Vercara’s Open-Source Intelligence (OSINT) Report – May 1 – May 9, 2025


Here is your weekly summary of news and other public coverage relevant to Vercara, the market leader in DNS, DDoS Mitigation, Web Application Firewalls, and Bot Management. Keep reading to learn about the week’s interesting and informative stories. To see all the OSINT reports, click here.

NOTE: Except where indicated, this report is released as TLP: CLEAR and items in it may be shared but not attributed to Vercara. For more information on the Traffic Light Protocol, the definitions and usage are at https://www.first.org/tlp/.

Malicious npm Packages Infect 3,200+ Cursor Users With Backdoor, Steal Credentials 

(TLP: CLEAR) A recent cybersecurity report has revealed a malicious npm package campaign that has compromised over 3,200 developers using the Cursor code editor on macOS. The attack involved three rogue npm packages—sw-cur, sw-cur1, and aiide-cur—masquerading as developer tools offering “the cheapest Cursor API.” These packages were downloaded a combined total of 3,241 times. 

(TLP: CLEAR) Comments:  
Malicious Payload Delivery: Upon installation, the packages fetched encrypted payloads from attacker-controlled servers (t.sw2031[.]com and api.aiide[.]xyz). These payloads were used to overwrite Cursor’s main.js file, effectively injecting malicious code into the editor. 

Persistence Mechanism: The sw-cur package went a step further by disabling Cursor’s auto-update feature and terminating all running Cursor processes. It then restarted the application to ensure the malicious modifications took effect, granting the attacker persistent access. 

Credential Harvesting: The compromised packages were designed to steal user credentials associated with the Cursor editor, potentially exposing sensitive developer information. 
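
Two defender-side checks that follow from the behaviour described above, written here as an added example (not code from the report, npm or Cursor): an inventory scan of a package-lock.json for the three package names the report lists, and an integrity check that detects the main.js overwrite by comparing the file against a hash recorded at install time. The lockfile contents, file contents and hash are constructed for the demo.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Package names the report identifies as malicious.
MALICIOUS_PACKAGES = {"sw-cur", "sw-cur1", "aiide-cur"}

# Constructed package-lock.json (lockfileVersion 3 "packages" map); not a real project.
SAMPLE_LOCKFILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"express": "^4.19.0", "sw-cur": "^1.0.0"}},
        "node_modules/express": {"version": "4.19.2"},
        "node_modules/sw-cur": {"version": "1.0.4"},
    },
})

def find_blocklisted_packages(lockfile_text: str, blocklist=MALICIOUS_PACKAGES) -> list[str]:
    """Return blocklisted package names present in a package-lock.json, nested ones included."""
    data = json.loads(lockfile_text)
    found = set()
    for key in data.get("packages", {}):
        # Keys look like "node_modules/<name>" or "node_modules/a/node_modules/<name>".
        name = key.rsplit("node_modules/", 1)[-1]
        if name in blocklist:
            found.add(name)
    return sorted(found)

def sha256_of_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def verify_main_js(path: Path, expected_sha256: str) -> bool:
    """True if the editor's main.js still matches the hash recorded when it was installed."""
    return sha256_of_file(path) == expected_sha256

def tamper_demo() -> tuple[bool, bool]:
    """Baseline a stand-in main.js, then overwrite it the way the payload did; returns (before, after)."""
    with tempfile.TemporaryDirectory() as d:
        main_js = Path(d) / "main.js"          # constructed stand-in, not Cursor's real file
        main_js.write_bytes(b"// original editor code\n")
        baseline = sha256_of_file(main_js)     # store this out-of-band right after install
        before = verify_main_js(main_js, baseline)
        main_js.write_bytes(b"// original editor code\n// injected loader\n")
        return before, verify_main_js(main_js, baseline)

if __name__ == "__main__":
    print(find_blocklisted_packages(SAMPLE_LOCKFILE), tamper_demo())
```

The baseline hash must be stored somewhere the editor process cannot rewrite, otherwise a payload that also updates the baseline defeats the check.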
(TLP: CLEAR) Recommended best practices/regulations: NIST SP 800-53 Rev5 SI-3: “MALICIOUS CODE PROTECTION  

Control:  

  • Implement [Selection (one or more): signature based; non-signature based] malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code. 
  • Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures. 
  • Configure malicious code protection mechanisms to: 1. Perform periodic scans of the system [Assignment: organization-defined frequency] and real-time scans of files from external sources at [Selection (one or more): endpoint; network entry and exit points] as the files are downloaded, opened, or executed in accordance with organizational policy; and 2. [Selection (one or more): block malicious code; quarantine malicious code; take [Assignment: organization-defined action]]; and send alert to [Assignment: organization defined personnel or roles] in response to malicious code detection.
  • Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.”

NIST requires malware detection and prevention solutions. This can be on the device, as with anti-virus agents, but also can be augmented by Protective DNS provided by the network that the device is on or across the Internet. This provides defense-in-depth and support for devices such as Internet of Things (IoT) or some servers that cannot run an endpoint client. 
(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), filters internal DNS responses from users as well as machines using both defined categories, including botnet Command and Control (C2), as well as machine learning to detect previously uncategorized malicious associations and help prevent data exfiltration or malware detonation. 
Source: https://thehackernews.com/2025/05/malicious-npm-packages-infect-3200.html, https://hackread.com/lazarus-group-backdoor-fake-npm-packages-attack/

Chinese Hackers Exploit SAP RCE Flaw CVE-2025-31324, Deploy Golang-Based SuperShell 

(TLP: CLEAR)  A recent report by Forescout Vedere Labs reveals that a China-linked threat actor, identified as Chaya_004, has been exploiting a critical SAP NetWeaver vulnerability (CVE-2025-31324) to deploy a Golang-based web shell named SuperShell. This vulnerability, discovered on April 29, 2025, allows attackers to achieve remote code execution by uploading malicious payloads through the “/developmentserver/metadatauploader” endpoint. The flaw has a CVSS score of 10.0, indicating its severity. 
(TLP: CLEAR) Comments: The exploitation of this vulnerability has led to the compromise of SAP systems across various industries, including energy, manufacturing, media, oil and gas, pharmaceuticals, retail, and government sectors. The threat actor has been observed hosting the SuperShell on an IP address (47.97.42[.]177), which also hosts other tools such as SoftEther VPN, Cobalt Strike, and various reconnaissance utilities. The infrastructure analysis indicates the use of Chinese cloud providers and several Chinese-language tools, suggesting a China-based origin for the threat actor. 

In response to this threat, cybersecurity experts recommend that organizations apply the available patches immediately, restrict access to the vulnerable metadata uploader endpoint, disable the Visual Composer service if not in use, and monitor for any suspicious activities. The rapid adoption of this exploit by multiple threat actors underscores the urgency for organizations to address this critical vulnerability to prevent further compromises. 
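
The "monitor for suspicious activity" and "restrict access to the endpoint" recommendations above can be checked against web-server access logs. The following is an added example, not code from Forescout, SAP or the report: it parses Common Log Format lines, keeps only requests to the /developmentserver/metadatauploader path named above, and marks those from outside an assumed management range as external. The log lines, addresses and the allowed range are constructed.

```python
import ipaddress
import re

TARGET_PATH = "/developmentserver/metadatauploader"   # endpoint named in the item above
# Assumption: only management hosts in this range should ever reach the uploader.
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed Common-Log-Format lines for the demo; not real SAP or web-server output.
SAMPLE_LOG = """\
10.1.2.3 - - [05/May/2025:10:01:12 +0000] "GET /sap/bc/gui/sap/its/webgui HTTP/1.1" 200 5120
203.0.113.45 - - [05/May/2025:10:02:07 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 134
203.0.113.45 - - [05/May/2025:10:02:09 +0000] "GET /developmentserver/metadatauploader?CONTENTTYPE=MODEL HTTP/1.1" 200 87
10.1.2.3 - - [05/May/2025:10:03:00 +0000] "POST /developmentserver/metadatauploader HTTP/1.1" 200 134
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def is_allowed(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETS)

def find_uploader_hits(log_text: str) -> list[dict]:
    """One finding per request to the uploader endpoint; 'external' marks sources outside ALLOWED_NETS."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                       # unparsable line; a real pipeline would count these
        path = m["path"].split("?", 1)[0]  # ignore the query string when matching the path
        if path.lower() != TARGET_PATH:
            continue
        findings.append({
            "ip": m["ip"], "ts": m["ts"], "method": m["method"],
            "status": int(m["status"]), "external": not is_allowed(m["ip"]),
        })
    return findings

if __name__ == "__main__":
    for hit in find_uploader_hits(SAMPLE_LOG):
        print(("ALERT " if hit["external"] else "audit ") + str(hit))
```

Internal hits are still worth auditing, since the advisory suggests the endpoint should be disabled or patched rather than merely firewalled.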
(TLP: CLEAR) Recommended best practices/regulations:

OWASP API Top 10, API9:2023 “Improper Inventory Management”:   

  • Inventory all API hosts and document important aspects of each one of them, focusing on the API environment (e.g. production, staging, test, development), who should have network access to the host (e.g. public, internal, partners) and the API version.  
  • Inventory integrated services and document important aspects such as their role in the system, what data is exchanged (data flow), and their sensitivity.  
  • Document all aspects of your API such as authentication, errors, redirects, rate limiting, cross-origin resource sharing (CORS) policy, and endpoints, including their parameters, requests, and responses.  
  • Generate documentation automatically by adopting open standards. Include the documentation build in your CI/CD pipeline.  
  • Make API documentation available only to those authorized to use the API.  
  • Use external protection measures such as API security specific solutions for all exposed versions of your APIs, not just for the current production version.  
  • Avoid using production data with non-production API deployments. If this is unavoidable, these endpoints should get the same security treatment as the production ones.  
  • When newer versions of APIs include security improvements, perform a risk analysis to inform the mitigation actions required for the older versions. For example, whether it is possible to backport the improvements without breaking API compatibility or if you need to take the older version out quickly and force all clients to move to the latest version.”

(TLP: CLEAR) Vercara: Vercara UltraAPI offers a comprehensive solution to the complex challenges security teams face in safeguarding API applications against cyber threats. It provides thorough discovery of the entire API landscape, including external and internal APIs, assesses API risk posture to highlight critical vulnerabilities needing remediation, and delivers real-time protection to prevent API attacks, ensuring data safety, preventing fraud, and avoiding business disruptions. This solution stands out by addressing every phase of the API security lifecycle, promoting best practices in security and governance to eliminate risks effectively. 

Source: https://thehackernews.com/2025/05/chinese-hackers-exploit-sap-rce-flaw.html, https://threatpost.com/sap-critical-rce-flaw-manufacturing/164666/

38,000+ FreeDrain Subdomains Found Exploiting SEO to Steal Crypto Wallet Seed Phrases 

(TLP: CLEAR) A recent investigation by SentinelOne and Validin has uncovered a large-scale cryptocurrency phishing operation named FreeDrain, which has compromised over 38,000 subdomains to steal wallet seed phrases. This campaign employs sophisticated SEO manipulation, free-tier cloud services, and layered redirection techniques to deceive cryptocurrency users. 
(TLP: CLEAR) Comments: Infrastructure: FreeDrain utilizes free-tier platforms such as GitBook, Webflow, and GitHub Pages to host phishing pages. These subdomains mimic legitimate cryptocurrency wallet interfaces, making them appear trustworthy to users. 

SEO Manipulation: The attackers optimize their pages to rank highly in search engine results for wallet-related queries like “Trezor wallet balance.” They also employ spamdexing techniques, flooding poorly maintained websites with comments to boost the visibility of their lure pages. 

Redirection Chain: Victims searching for wallet information are redirected through multiple intermediary sites before landing on a phishing page that prompts them to enter their seed phrase. Once submitted, the attackers quickly drain the associated wallet.  
(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity & Infrastructure Security Agency Selecting a Protective DNS (PDNS) Service: “A core capability of PDNS is the ability to categorize domain names based on threat intelligence. PDNS services typically leverage open source, commercial, and governmental information feeds of known malicious domains. These feeds enable coverage of domain names found at numerous points of the network exploitation lifecycle. Some solutions may also detect novel malicious domains based on pattern recognition. The types of domains typically addressed by a PDNS system include the following: 

  • Phishing: Sites known to host applications that maliciously collect personal or organizational information, including credential harvesting scams. These domains may include typo-squats – or close lookalikes of common domains. PDNS can protect users from accidentally connecting to a potentially malicious link.
  • Malware distribution and command and control: Sites known to serve malicious content or used by threat actors to command-and-control malware. For example, these may include sites hosting malicious JavaScript® files or domains that host advertisements that collect information for undesired profiling. PDNS can block and alert on known malicious connection attempts.
  • Domain generation algorithms: Sites with programmatically generated domain names that are used by malware to circumvent static blocking. Advanced malware – including some botnets – depend on the ability to communicate with command and control (C2) infrastructure. Cyber threat actors use domain generation algorithms (DGAs) for malware to circumvent static blocking – either by domain name or IP – through programmatically generating domain names according to a pre-set seed. PDNS can offer protection from malware DGAs by analyzing every domain’s textual attribute and tagging those associated with known DGA attributes, such as high entropy. 
  • Content filtering: Sites whose content is in certain categories that are against an organization’s access policies. Although an ancillary benefit to malware protection, PDNS can use a categorization of various domains’ use cases (e.g., ‘gambling’) and warn or block on those that are deemed a risk for a given environment.”
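
The DGA bullet above describes tagging domains by textual attributes such as high entropy. The following is an added example (not code from CISA, Vercara or the report) of that kind of heuristic: it scores the registrable label of each queried name by character entropy and vowel ratio. The thresholds, the naive label extraction and the sample domains are constructed assumptions, not values from any product.

```python
import math
from collections import Counter

ENTROPY_THRESHOLD = 4.0        # bits per character; assumption for this demo
VOWEL_RATIO_MIN = 0.2          # assumption: natural-language labels rarely fall below this
MIN_LEN_FOR_VOWEL_RULE = 12    # short labels give too few letters for the vowel rule

def registrable_label(domain: str) -> str:
    """Naive: the label left of the last label. A real deployment would use the
    Public Suffix List so that e.g. example.co.uk yields 'example'."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def shannon_entropy(s: str) -> float:
    """Bits per character of the label's own character distribution."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def vowel_ratio(s: str) -> float:
    letters = [ch for ch in s if ch.isalpha()]
    if not letters:
        return 0.0
    return sum(ch in "aeiou" for ch in letters) / len(letters)

def dga_features(domain: str) -> dict:
    """Compute the textual attributes and a combined verdict for one queried name."""
    label = registrable_label(domain)
    ent, vr = shannon_entropy(label), vowel_ratio(label)
    suspicious = ent >= ENTROPY_THRESHOLD or (
        len(label) >= MIN_LEN_FOR_VOWEL_RULE and vr < VOWEL_RATIO_MIN
    )
    return {"label": label, "entropy": round(ent, 3), "vowel_ratio": round(vr, 3),
            "suspicious": suspicious}

# Constructed sample queries: two ordinary names, two DGA-looking ones.
SAMPLE_DOMAINS = ["www.google.com", "stackoverflow.com",
                  "xk3jq9vtz2wd7p4mn8cb.com", "qwhgfdkzxcvbnmlp.net"]

def flag_queries(domains=SAMPLE_DOMAINS) -> list[str]:
    """Return the domains whose registrable label trips either heuristic."""
    return [d for d in domains if dga_features(d)["suspicious"]]

if __name__ == "__main__":
    for d in SAMPLE_DOMAINS:
        print(dga_features(d))
```

Entropy alone produces false positives on long legitimate names (stackoverflow scores about 3.5 bits), which is why the passage pairs pattern recognition with curated threat-intelligence feeds rather than relying on either by itself.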

(TLP: CLEAR) Vercara: Vercara’s Protective DNS solution, UltraDDR (DNS Detection and Response), supports 2 modes of onboarding DNS queries and protecting endpoints from phishing and malware: forwarding from an on-network resolver, such as a firewall or Active Directory domain controller, or via an endpoint client that captures and forwards DNS queries to UltraDDR’s servers.
Source: https://thehackernews.com/2025/05/38000-freedrain-subdomains-found.html  

Europol Shuts Down Six DDoS-for-Hire Services Used in Global Attacks 

(TLP: CLEAR) In May 2025, Europol, in collaboration with Polish and U.S. authorities, dismantled six major Distributed Denial-of-Service (DDoS)-for-hire platforms—cfxapi, cfxsecurity, neostress, jetstress, quickdown, and zapcut. These platforms facilitated cyberattacks targeting schools, government services, businesses, and gaming platforms globally between 2022 and 2025. The takedown resulted in the arrest of four individuals in Poland and the seizure of nine associated domains in the United States. 
(TLP: CLEAR) Comments:  
User Interface & Accessibility: Each service provided a user-friendly interface, enabling individuals with minimal technical expertise to initiate DDoS attacks by specifying a target IP address, selecting an attack type, and paying a fee. 

Service Models & Pricing: 
  • cfxsecurity: Offered three subscription tiers—Starter ($20/month), Premium ($50/month), and Enterprise ($130/month). 
  • QuickDown: Provided plans ranging from $20/month to $379/month, with an option for a botnet add-on introduced in September 2023. 

Infrastructure: 
  • Hybrid Architecture: QuickDown incorporated both botnet-based and dedicated server infrastructures, enhancing its attack capabilities. 
  • Centralized Operations: Unlike traditional botnets, these platforms centralized DDoS operations through rented infrastructure, allowing for scalable and efficient attacks. 
(TLP: CLEAR) Recommended best practices/regulations: Cybersecurity and Infrastructure Security Agency (CISA), FBI, and Multi-State ISAC publication “Understanding and Responding to Distributed Denial-of-Service Attacks”: “Enroll in a DDoS protection service. Many internet service providers (ISPs) have DDoS protections, but a dedicated DDoS protection service may have more robust protections against larger or more advanced DDoS attacks. Protect systems and services by enrolling in a DDoS protection service that can monitor network traffic, confirm the presence of an attack, identify the source, and mitigate the situation by rerouting malicious traffic away from your network.” 

(TLP: CLEAR) Vercara: Vercara UltraDDoS Protect provides flexible, automated, and always-on protection across 15 Points of Presence (PoPs) and >15Tbps of DDoS mitigation capacity to enable customer availability and performance under even the largest and most complex DDoS attacks (layer 3 through layer 7). An automated intelligence feed that is constantly updating mitigation devices allows protection against emerging attack vectors and common attack sources. 
Source: https://thehackernews.com/2025/05/europol-shuts-down-six-ddos-for-hire.html  

About Vercara. The world’s top brands depend on Vercara to safeguard their digital infrastructure and online presence. Vercara offers a suite of cloud-delivered services that are always secure, reliable, and available and enable global businesses to thrive online. UltraSecure protects organizations’ networks and applications against risks and downtime, ensuring that businesses and their customers enjoy exceptional and uninterrupted interactions all day, every day. Delivering the industry’s best performance and always-on service, Vercara’s mission-critical security portfolio provides best-in-class DNS, application, and network security, including DDoS, WAF, and Bot management services to its global 5000 customers and beyond. To learn more about Vercara solutions, please contact us.