SuperCard X: MaaS for Instant Financial Fraud
- SISA Weekly Threat Watch -

In the past week, critical cybersecurity threats have emerged, with significant vulnerabilities being reported across various platforms. Recent cybersecurity incidents highlight the growing sophistication of threat actors and the diverse methods they employ. Researchers uncovered SuperCard X, an Android malware distributed via a Malware-as-a-Service (MaaS) model, enabling real-time NFC relay attacks for financial fraud using stealthy apps and mTLS-based data exfiltration. In parallel, a DKIM replay phishing campaign was observed abusing Google’s infrastructure, delivering credential-theft emails via OAuth abuse and deceptive Google Sites portals. Cloud environments remain under pressure, with critical privilege escalation vulnerabilities discovered across GCP, Azure, and AWS—including misconfigurations and flaws enabling lateral movement and unauthorized access. Meanwhile, Operation SyncHole, attributed to the Lazarus Group, targeted South Korean industries using watering hole attacks and zero-day exploits in trusted software to deploy malware like ThreatNeedle and SIGNBT. Separately, researchers identified DslogdRAT, a stealthy malware deployed through a zero-day in Ivanti Connect Secure (CVE-2025-0282), capable of command execution and traffic proxying, signaling a new wave of espionage-focused campaigns exploiting enterprise VPNs. These developments underscore the urgent need for organizations to stay vigilant and apply security updates promptly.
SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.
1. Sophisticated NFC Relay Android Malware Leveraging MaaS for Instant Financial Fraud
Cybersecurity researchers have uncovered SuperCard X, a new Android malware distributed via a Malware-as-a-Service (MaaS) model that enables real-time NFC relay attacks for card fraud. Victims are tricked through social engineering into installing a malicious “Reader” app that silently captures payment card data. This data is then transmitted via secure mTLS channels to attacker devices running a “Tapper” app, allowing fraudulent POS transactions and ATM withdrawals. SuperCard X minimizes detection by requiring only NFC permissions and shares code similarities with NGate malware and NFCGate tools. Active primarily in Italy, the malware’s scalable MaaS model could drive global expansion. Researchers advise avoiding apps from unknown sources, disabling NFC when not in use, maintaining updated device software, using reputable antivirus solutions, and being vigilant for signs of malware such as unusual battery drain, overheating, or performance issues. The full fraud scheme reveals advanced real-time relay tactics that bypass traditional contactless security.
2. Phishing Attack Abuses Google Infrastructure to Deliver Credential Theft Emails
A sophisticated DKIM replay phishing attack exploiting Google’s infrastructure has been discovered. Attackers sent emails that appeared to come from “no-reply@google.com”, passed DKIM verification, and led users to a fake Google support portal hosted on Google Sites. The phishing attack used OAuth abuse, manipulating legitimate security alerts to deliver malicious content. Victims were tricked into granting access to rogue applications, compromising credentials. This method bypassed standard email security filters by leveraging real DKIM-signed messages. To stay protected: always verify URLs (log in only through accounts.google.com), expand email security checks to include envelope verification, avoid clicking links in unsolicited alerts, and monitor OAuth app permissions. Organizations should enable DMARC enforcement, educate users on spotting phishing patterns (excessive white space, suspicious sender details), and report suspicious emails promptly. Restricting or monitoring public platform usage like Google Sites can also minimize exposure.
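The envelope verification recommended above, as an added example written for this advisory (not SISA's or Google's code): it parses a constructed message whose google.com DKIM signature passes but whose Return-Path, Reply-To and action link do not line up with the visible From domain, which is the pattern a replayed signature leaves behind. The header values and domains are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample message (not a real capture) modelled on the campaign above:
# the DKIM signature for google.com validates, but the envelope sender and
# Reply-To point elsewhere and the link leads to a Google Sites page.
SAMPLE_MSG = """\
Return-Path: <bounce@attacker-relay.example>
Authentication-Results: mx.example.net; dkim=pass header.d=google.com; spf=pass smtp.mailfrom=attacker-relay.example
From: Google <no-reply@google.com>
Reply-To: support@attacker-relay.example
To: victim@example.net
Subject: Security alert

Review your account at https://sites.google.com/view/support-portal-example
"""

# Hostnames that should never carry the action link of a genuine Google alert.
SUSPECT_LINK_HOSTS = {"sites.google.com"}

def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address header value, or '' if absent."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def analyse(raw: str) -> dict:
    """Flag signs of a DKIM replay: a passing signature whose envelope,
    Reply-To or links do not line up with the visible From domain."""
    msg = message_from_string(raw, policy=policy.default)
    from_dom = domain_of(msg.get("From", ""))
    envelope_dom = domain_of(msg.get("Return-Path", ""))
    replyto_dom = domain_of(msg.get("Reply-To", ""))
    auth = msg.get("Authentication-Results", "")
    m = re.search(r"header\.d=([\w.-]+)", auth)
    dkim_dom = m.group(1).lower() if m else ""
    dkim_pass = "dkim=pass" in auth
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    link_hosts = {h.lower() for h in re.findall(r"https?://([\w.-]+)", text)}

    findings = []
    # DMARC is satisfied by the aligned DKIM domain alone, which is exactly what a
    # replayed signature exploits; the envelope (MAIL FROM) is the extra check.
    if dkim_pass and dkim_dom == from_dom and envelope_dom and envelope_dom != from_dom:
        findings.append("envelope_mismatch")
    if replyto_dom and replyto_dom != from_dom:
        findings.append("replyto_mismatch")
    if link_hosts & SUSPECT_LINK_HOSTS:
        findings.append("suspect_link")
    return {"dkim_pass": dkim_pass, "from_domain": from_dom, "findings": findings}
```

A gateway rule built on this would quarantine or tag the message when "envelope_mismatch" co-occurs with either of the other two findings, rather than trusting the DKIM pass alone.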
3. Critical Cloud Vulnerabilities Uncovered in GCP, Azure, and AWS
Researchers have identified multiple privilege escalation and misconfiguration vulnerabilities across major cloud platforms, including Google Cloud Platform (GCP), Microsoft Azure, and Amazon Web Services (AWS). In GCP, a flaw in Cloud Composer could allow attackers with composer.environments.update permissions to inject malicious PyPI packages and escalate privileges. Azure vulnerabilities included a Destructive Stored URL Injection in SQL Server and a flaw in Entra ID’s Restricted Administrative Units that allowed attackers to immunize accounts against admin actions.
On AWS, misconfigured applications enabled Server-Side Request Forgery (SSRF) attacks targeting EC2 instance metadata, risking lateral movement. Users should update GCP’s Cloud Composer to version 2.10.2 or higher, restrict permissions, and audit service accounts. Azure users must limit T-SQL permissions, monitor firewall rules, and review Entra ID privileges. AWS users should enforce IMDSv2, sanitize input against SSRF, and rotate IAM credentials. Across platforms, enforcing least privilege access, monitoring audit logs, and reviewing CI/CD practices remains critical.
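Two of the AWS mitigations listed above, as an added example written for this advisory rather than code from the researchers or AWS: an outbound-fetch guard that refuses URLs resolving to the instance metadata address or other internal ranges, and an audit over an ec2 describe_instances response that lists instances still accepting IMDSv1. The hostnames, addresses and instance ids in the test are constructed; the resolver parameter is a hypothetical injection point so the check can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Address ranges an application-initiated fetch must never reach: 169.254.0.0/16
# holds the EC2 instance metadata service (169.254.169.254); the rest are
# loopback, RFC 1918, "this host" and their IPv6 / IPv4-mapped counterparts.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "0.0.0.0/8", "::1/128", "fe80::/10", "fc00::/7",
    "::ffff:0:0/96",
)]

def default_resolver(host: str) -> list:
    """All addresses a name resolves to (a name may hide an internal target)."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]

def is_safe_url(url: str, resolver=default_resolver) -> tuple:
    """Return (ok, reason) for a user-supplied URL before it is fetched."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.hostname:
        return False, "only http(s) with a host is allowed"
    host = parsed.hostname
    try:                                 # IP literal, including IPv6 and mapped forms
        ipaddress.ip_address(host)
        addrs = [host]
    except ValueError:                   # a DNS name: check every address it yields
        try:
            addrs = resolver(host)
        except OSError:
            return False, f"{host} does not resolve"
    for a in addrs:
        ip = ipaddress.ip_address(a.split("%")[0])   # drop any IPv6 scope id
        if (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified
                or any(ip in net for net in BLOCKED_NETWORKS)):
            return False, f"{host} resolves to blocked address {a}"
    return True, "ok"

def imdsv1_allowed(describe_instances: dict) -> list:
    """Instance ids whose metadata endpoint is enabled but still accepts
    IMDSv1 (HttpTokens != 'required'), from an ec2 describe_instances response."""
    exposed = []
    for reservation in describe_instances.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "enabled" and opts.get("HttpTokens") != "required":
                exposed.append(inst["InstanceId"])
    return exposed
```

The fetch that follows a successful check should connect to the address that was validated, not re-resolve the name, so a DNS answer cannot change between check and use.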
4. South Korean Organizations Targeted Using Watering Hole Attacks and Zero-Day Exploits
Operation SyncHole, a targeted cyber-espionage campaign by the Lazarus Group aimed at multiple South Korean industries, has been uncovered. Using watering hole attacks, attackers compromised local media websites to redirect select visitors to exploit-laden domains. They exploited trusted software like Cross EX and Innorix Agent to deploy malware such as ThreatNeedle, SIGNBT, and Agamemnon, which featured stealth techniques like Hell’s Gate for in-memory evasion. The group used SyncHost.exe to inject shellcode and gain persistence, enabling lateral movement and credential theft. To defend against such threats, organizations should patch Cross EX and Innorix Agent immediately, monitor unusual process executions, and block known command-and-control (C2) domains. Enable network segmentation, limit admin privileges, and use EDR/XDR tools to detect anomalies like DLL injection or shellcode activity. Regular IOC scans, traffic analysis, and employee awareness around suspicious sites are essential. Harden public-facing web assets to prevent future watering hole exploitation.
5. Malware Exploits Ivanti ICS Zero-Day CVE-2025-0282 in Targeted Espionage
Researchers have identified DslogdRAT, a new malware deployed through CVE-2025-0282, a critical remote code execution vulnerability in Ivanti Connect Secure (ICS). Exploited in December 2024 by a China-linked group, the flaw allowed attackers to deliver DslogdRAT via a Perl-based web shell. Once installed, the malware enables command execution, file transfers, and proxy-based traffic relay. A sharp increase in network reconnaissance, with over 1,000 IPs scanning ICS and Pulse Secure devices, signals potential coordinated campaigns. To stay protected, immediately patch CVE-2025-0282 and CVE-2025-22457, audit appliances for web shells, and monitor for outbound C2 connections or proxy behavior. Block known malicious IPs and Tor exit nodes, especially those flagged for scanning. Deploy EDR or XDR tools to detect post-exploitation behavior like file drops or remote shell activity. Organizations should remain alert to signs of stealthy access, especially in internet-facing infrastructure vulnerable to zero-day exploitation.
To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.
For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.