Sophisticated Web Skimmer Exploits Deprecated Stripe API to Steal Payment Data
SISA Weekly Threat Watch – our weekly feature brings you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories also provide information and recommendations that help security teams take appropriate action to defend against the latest and most critical threats.
1. CoffeeLoader: A New Malware Loader Exploiting GPU for Stealth and Persistence
CoffeeLoader is an advanced malware loader designed to evade detection while delivering secondary payloads like Rhadamanthys shellcode. It uses a range of evasion tactics including call stack spoofing, sleep obfuscation, and Windows fibers, and executes code via GPU-based packers (Armoury) to bypass virtualized analysis. Delivered via a dropper DLL, it escalates privileges using UAC bypass and maintains persistence through scheduled tasks. CoffeeLoader communicates with its C2 server over HTTPS and employs a Domain Generation Algorithm (DGA) as a fallback mechanism, with certificate pinning for secure connections. Its similarity to SmokeLoader suggests it could be its successor.
Detection is challenging due to its stealth techniques, modular design, and anti-analysis measures. Organizations are advised to deploy behavior-based EDR, monitor GPU and DLL activity, restrict untrusted binaries, and track evolving indicators of compromise. CoffeeLoader highlights the growing sophistication of modern loaders targeting financial and enterprise environments.
2. RESURGE Malware Uses Rootkit and Web Shell to Target Ivanti Appliances
CISA has identified RESURGE, a new malware variant deployed by China-linked group UNC5337, targeting a critical vulnerability (CVE-2025-0282) in Ivanti Connect Secure, Policy Secure, and ZTA Gateways. The vulnerability allows remote code execution, enabling full system compromise. RESURGE is part of the SPAWN malware ecosystem, which includes modules for persistence, tunneling, and command execution.
An evolution of SPAWNCHIMERA, RESURGE incorporates rootkit, bootkit, and backdoor features, and hooks into system components like ld.so.preload for stealth. It also installs persistent web shells and modifies Ivanti’s coreboot image to survive reboots. Other components, such as SPAWNSLOTH, tamper with Ivanti logs to evade detection.
The attackers patch the same vulnerability they exploit, blocking other threat actors from access. Organizations should immediately patch affected Ivanti products, reset credentials, monitor for unauthorized shell access, and deploy EDR solutions to detect indicators tied to this campaign.
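The advisory notes that RESURGE hooks ld.so.preload, a Linux mechanism that forces every dynamically linked process to load the libraries listed there. The following is an added example (not SISA's, CISA's or Ivanti's tooling) of a defender-side audit of that file's contents: on a healthy host the file is normally absent or empty, so any entry that is not explicitly allowlisted, lives outside the system library directories, or no longer exists on disk is worth a look. The trusted directory list, the allowlist and the sample file content are constructed assumptions.

```python
"""Audit the contents of /etc/ld.so.preload for unexpected entries.

Added example, not code from the advisory or any vendor. The preload file
is a plain-text list of shared-object paths separated by whitespace or ':'.
"""
import os
import re

# Directories where legitimately preloaded libraries normally live (assumption).
TRUSTED_DIRS = ("/lib", "/lib64", "/usr/lib", "/usr/lib64")

# Constructed sample of a tampered preload file: one expected library and one
# hook library dropped into a temporary directory.
SAMPLE_PRELOAD = """\
/usr/lib/libexpected.so
/tmp/.cache/libhook.so
"""


def audit_preload(text, allowlist=frozenset(), trusted_dirs=TRUSTED_DIRS, exists=None):
    """Return a list of (path, reason) findings for suspicious preload entries.

    `exists` lets a caller inject a filesystem check (defaults to os.path.exists),
    so the function can also be run against a file copied off another host.
    """
    if exists is None:
        exists = os.path.exists
    findings = []
    for line in text.splitlines():
        for path in re.split(r"[\s:]+", line.strip()):
            if not path or path in allowlist:
                continue
            if not path.startswith("/"):
                findings.append((path, "relative path"))
            elif not any(path.startswith(d + "/") for d in trusted_dirs):
                findings.append((path, "outside trusted library directories"))
            elif not exists(path):
                findings.append((path, "listed but missing on disk"))
            else:
                findings.append((path, "not on allowlist"))
    return findings


def run_sample():
    """Audit the constructed sample with the expected library allowlisted.

    The filesystem check is stubbed to True so the sample runs offline.
    """
    return audit_preload(SAMPLE_PRELOAD,
                         allowlist={"/usr/lib/libexpected.so"},
                         exists=lambda p: True)


if __name__ == "__main__":
    for path, reason in run_sample():
        print(f"SUSPICIOUS {path}: {reason}")
```

On a live host, `audit_preload(open("/etc/ld.so.preload").read())` with a site-specific allowlist gives the same check; pair it with the vendor's integrity checker on appliances, since a rootkit that hooks the loader can also hide the file from tools running on the same box.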
3. Crocodilus: New Android Trojan Hijacks Devices to Steal Banking & Crypto Credentials
Crocodilus is a newly identified Android banking trojan targeting users in Spain and Turkey. Disguised as Google Chrome, it bypasses Android 13+ security measures and grants itself Device Admin privileges for persistence. Once active, it uses Accessibility Services to log user actions, deploys black screen overlays, and mutes sound to hide its activity. The malware can capture banking credentials, Google Authenticator codes, and cryptocurrency seed phrases, enabling full account takeovers.
Crocodilus supports remote control, allows attackers to launch apps, post push notifications, retrieve contacts, hijack SMS messages, and remove itself to evade detection. It communicates with a remote server that can update C2 settings dynamically.
To protect against Crocodilus, users should avoid granting accessibility permissions to unknown apps, verify apps before installation, and never back up crypto seed phrases through in-app prompts. Organizations are advised to deploy Mobile Threat Defense solutions and use behavioral analysis to detect overlay attacks.
4. Sophisticated Web Skimmer Exploits Deprecated Stripe API to Steal Payment Data
A sophisticated web skimming campaign has been targeting e-commerce platforms like WooCommerce, WordPress, and PrestaShop, injecting malicious scripts that replace legitimate checkout forms with fake replicas. Active since August 2024, the attackers exploit a deprecated Stripe API to validate stolen card data before exfiltrating it, improving efficiency and evasion. The campaign also impersonates Square payment forms and integrates cryptocurrency options such as Bitcoin and Ethereum to further deceive users.
Once embedded, the skimmer hides Stripe’s legitimate iframe and clones the “Place Order” button to capture payment details while blocking real transactions. An error message is then shown to cover up the fraud. The attack is customized per site, suggesting automation.
Security teams should update to the latest Stripe API, enforce Content Security Policies, deploy Web Application Firewalls, and monitor for unauthorized scripts. Affected merchants are urged to remove malicious code, conduct forensic reviews, and report incidents to payment providers.
5. Outlaw Botnet Exploits Weak SSH Credentials to Deploy Cryptojacking Malware
Outlaw, also known as Dota, is a Linux-based botnet that has been active since 2018, primarily targeting systems with exposed SSH or Telnet services. It uses brute-force attacks to gain access, deploying a dropper script that installs a modified XMRig miner and establishes persistence by manipulating SSH keys and cron jobs. The malware self-propagates using a component called BLITZ, scans for new targets, and uses exploits like Dirty COW (CVE-2016-5195) to compromise unpatched systems.
Outlaw also deploys SHELLBOT, which connects to an IRC-based C2 server for remote command execution, DDoS attacks, and data exfiltration. Despite its relatively simple techniques, the botnet remains effective due to its worm-like spread and focus on commodity tools.
To defend against Outlaw, organizations should harden SSH configurations, patch known Linux vulnerabilities, monitor for unauthorized mining activity, and restrict cron job execution. Using IDS/IPS and limiting SSH access by IP can also reduce exposure.
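Outlaw's initial access is plain SSH password guessing, which is loud in `auth.log` if anyone is counting. The following is an added example (not SISA's or any vendor's code) of the detection logic a security team could run over OpenSSH log lines: it counts "Failed password" events per source address inside a sliding window, raises an alert once a threshold is crossed, and raises a second, higher-priority alert when the same address later gets an "Accepted" login, which is the point at which the dropper script would land. The log lines, threshold and window are constructed assumptions.

```python
"""Flag SSH brute-force sources and post-brute-force logins in auth.log lines.

Added example, not from the advisory. The log lines are constructed but
follow OpenSSH's standard "Failed password" / "Accepted ..." message format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: six password failures from one address within seconds,
# then a successful password login from it, then an unrelated key login.
SAMPLE_LOG = """\
Apr  1 10:00:01 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 41022 ssh2
Apr  1 10:00:02 web1 sshd[2103]: Failed password for root from 203.0.113.5 port 41030 ssh2
Apr  1 10:00:03 web1 sshd[2105]: Failed password for invalid user test from 203.0.113.5 port 41041 ssh2
Apr  1 10:00:04 web1 sshd[2107]: Failed password for root from 203.0.113.5 port 41052 ssh2
Apr  1 10:00:05 web1 sshd[2110]: Failed password for invalid user oracle from 203.0.113.5 port 41063 ssh2
Apr  1 10:00:06 web1 sshd[2112]: Failed password for deploy from 203.0.113.5 port 41077 ssh2
Apr  1 10:00:09 web1 sshd[2118]: Accepted password for deploy from 203.0.113.5 port 41090 ssh2
Apr  1 10:05:00 web1 sshd[2200]: Accepted publickey for alice from 198.51.100.7 port 50100 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse(lines, year=2025):
    """Yield (timestamp, result, method, user, ip) for lines that match sshd auth events.

    Syslog timestamps carry no year, so one is supplied (assumption).
    """
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["result"], m["method"], m["user"], m["ip"]


def detect(lines, threshold=5, window=timedelta(seconds=60)):
    """Return alerts as tuples; see the module docstring for the two alert kinds."""
    failures = defaultdict(list)  # ip -> timestamps of failures inside the window
    flagged = set()
    alerts = []
    for ts, result, method, user, ip in parse(lines):
        if result == "Failed":
            recent = [t for t in failures[ip] if ts - t <= window]
            recent.append(ts)
            failures[ip] = recent
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("brute-force", ip, len(recent)))
        elif result == "Accepted" and ip in flagged:
            # A success from an address already guessing passwords is the
            # moment to isolate the host and look for the dropper.
            alerts.append(("success-after-bruteforce", ip, user))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The same parser can feed the other checks the advisory lists: an "Accepted" line for an account whose authorized_keys file changed in the same minute, or a new cron entry written shortly after a flagged login, is the persistence step this botnet relies on.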
To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.