Cyware Daily Threat Intelligence, December 01, 2025

A sophisticated new Android threat named Albiriox is turning user devices into tools for fraud. Operating under a MaaS model, it targets over 400 applications by abusing accessibility services to manipulate screens and steal credentials right under the user's nose.
The hunt for a new job could cost developers their digital identity. North Korean hackers have flooded the npm registry with nearly 200 malicious packages as part of their relentless Contagious Interview campaign. These downloads deploy the OtterCookie malware.
A pro-Russian hacktivist group proved just how dangerous industrial vulnerabilities can be, even when they hit the wrong target. CISA has added a flaw in OpenPLC ScadaBR to its exploitation catalog after the group TwoNet used it to compromise what they thought was a water treatment facility.
Top Malware Reported in the Last 24 Hours
New Albiriox malware targets 400 apps
A new Android malware named Albiriox has emerged, operating under a MaaS model to facilitate on-device fraud and screen manipulation across over 400 applications, including banking and cryptocurrency platforms. Distributed through social engineering tactics, Albiriox employs dropper applications and advanced packing techniques to evade detection. It uses accessibility services to bypass Android's security measures, enabling attackers to conduct credential theft and manipulate device screens without raising alarms. Additionally, it executes overlay attacks and utilizes fake websites to lure victims into downloading malicious APKs.
North Korean hackers exploit npm packages
North Korean hackers have intensified their cyberattacks by flooding the npm registry with 197 malicious packages, which have been downloaded over 31,000 times. This Contagious Interview campaign aims to deliver a variant of OtterCookie malware that combines features from previous versions and BeaverTail. The malware evades detection mechanisms, establishes command-and-control channels, and steals sensitive information such as clipboard contents, keystrokes, and browser credentials. It connects to a hard-coded Vercel URL to fetch the payload from a now-inaccessible GitHub repository. Additionally, the hackers employ fake job recruitment tactics to lure victims into executing malicious code under the guise of coding exercises. Another malware variant, GolangGhost, is used to gather system information and maintain persistence through deceptive applications, further complicating the threat landscape.
Operation Hanoi Thief uses clever malware tactics
Operation Hanoi Thief is a sophisticated cyber-espionage campaign targeting Vietnam's technology and recruitment sectors. It employs spear-phishing tactics through a malicious email containing a ZIP file disguised as a job applicant's CV. This ZIP file includes a pseudo-polyglot payload, a combination of an image, a PDF document, and a malicious script, designed to deceive victims. When the bundled LNK file is executed, it triggers a legitimate Windows tool, ftp.exe, to run hidden commands, ultimately extracting a Base64-encoded blob that decodes into the LOTUSHARVEST malware. This information stealer targets browser data from Google Chrome and Microsoft Edge, exfiltrating sensitive information to attacker-controlled domains.
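As an added example (not code from the original report or from the researchers who documented the campaign), the following Python detector runs over constructed Sysmon-style process-creation events and flags the ftp.exe abuse pattern described above: ftp.exe driven by a script file via its -s: option, and a shell spawned as a child of ftp.exe. The field names, file paths and command lines are assumptions made up for the sample.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample events in Sysmon Event ID 1 style (Image, ParentImage,
# CommandLine). They are made up for this example, not real campaign telemetry.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\ftp.exe",            # LNK target run by explorer
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"ftp.exe -s:C:\Users\hr\AppData\Local\Temp\cv.txt"},
    {"Image": r"C:\Windows\System32\cmd.exe",            # shell launched by ftp.exe
     "ParentImage": r"C:\Windows\System32\ftp.exe",
     "CommandLine": r"cmd.exe /c echo constructed-sample"},
    {"Image": r"C:\Windows\System32\ftp.exe",            # ordinary interactive ftp use
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"ftp.exe files.example.internal"},
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'},
]

def _basename(path: str) -> str:
    """Last path component, lower-cased, so image comparisons ignore location/case."""
    return path.rsplit("\\", 1)[-1].lower()

def classify_event(ev: Dict[str, str]) -> List[str]:
    """Return the detection reasons that fire for one event (empty list if benign)."""
    reasons: List[str] = []
    image = _basename(ev.get("Image", ""))
    parent = _basename(ev.get("ParentImage", ""))
    cmdline = ev.get("CommandLine", "")
    if image == "ftp.exe":
        # -s:<file> makes ftp.exe read its commands from a text file; that is how a
        # LNK can hand it a hidden command script instead of an interactive session.
        if re.search(r"(^|\s)-s:", cmdline, re.IGNORECASE):
            reasons.append("ftp.exe driven by a script file (-s:)")
        # explorer.exe as parent is consistent with a double-clicked shortcut (LNK);
        # a heuristic, since a user could also launch ftp.exe from File Explorer.
        if parent == "explorer.exe":
            reasons.append("ftp.exe launched from explorer.exe (LNK execution pattern)")
    if image in {"cmd.exe", "powershell.exe"} and parent == "ftp.exe":
        # ftp.exe script lines starting with '!' are passed to the shell.
        reasons.append(f"{image} spawned by ftp.exe")
    return reasons

def detect(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Index and reasons for every event that triggers at least one rule."""
    return [(i, r) for i, ev in enumerate(events) if (r := classify_event(ev))]

if __name__ == "__main__":
    for idx, why in detect(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(why))
```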
Top Vulnerabilities Reported in the Last 24 Hours
CISA adds actively exploited bug to KEV catalog
CISA has updated its KEV catalog to include CVE-2021-26829, an XSS vulnerability affecting OpenPLC ScadaBR software on both Windows and Linux platforms. This vulnerability has been actively exploited, notably by the pro-Russian hacktivist group TwoNet, which targeted a honeypot system, mistaking it for a water treatment facility. Within 26 hours, the attackers gained access using default credentials, defaced the HMI login page, and modified system settings to disable alarms. TwoNet has expanded its operations from DDoS attacks to include ransomware-as-a-service and industrial system targeting.
Vulnerable code in legacy Python packages
Cybersecurity researchers have identified vulnerabilities in legacy Python bootstrap scripts within multiple PyPI packages, which could lead to domain takeover attacks. The issue stems from outdated "bootstrap.py" scripts using a discontinued Distribute module, which fetches code from an unclaimed domain now available for sale. Attackers could exploit the hard-coded domain setup to deliver malicious code, as seen in past cases like the npm package fsevents compromise. The scripts often attempt to install the obsolete Distribute package, which has not been properly decommissioned, exposing numerous projects to risk. Although some packages have removed these vulnerable scripts, others, like slapos[.]core and certain versions of Tornado, continue to include them, perpetuating the threat.