Daily Threat Briefing
Diamond Trail

Cyware Daily Threat Intelligence, December 04, 2025


Iran-aligned hackers are playing dangerous games with critical infrastructure, quite literally. The MuddyWater group has intensified its operations against Israel and Egypt using a malware loader disguised as the classic Snake video game to evade detection. This sophisticated campaign deploys the MuddyViper backdoor to steal credentials and marks a strategic shift toward stealthier tactics.

Developers are being targeted by a wolf in sheep's clothing inside their own code editors. A fake VSCode extension has been caught initiating a supply-chain attack to deliver the powerful OctoRAT.

Taking control of a website has become alarmingly easy due to critical flaws in popular WordPress plugins. A vulnerability in King Addons for Elementor allows attackers to instantly register themselves as administrators with a simple crafted request.

Top Malware Reported in the Last 24 Hours

MuddyWater enhances tactics in latest campaign

MuddyWater, an Iran-aligned cyberespionage group, has intensified its operations, primarily targeting critical infrastructure in Israel and Egypt. This latest campaign showcases the group's evolution, marked by the deployment of sophisticated custom malware, including the Fooder loader and the MuddyViper backdoor. Fooder cleverly disguises itself as the classic Snake game, employing delays to evade detection, while MuddyViper facilitates extensive data collection and credential theft. The group has refined its tactics, shifting from noisy, easily detectable methods to more stealthy approaches. Additionally, MuddyWater has demonstrated collaboration with the Lyceum group, indicating a strategic focus on government and military sectors. 

Bad VSCode extension drops malware

A fake VSCode extension, "prettier-vscode-plus," impersonated the legitimate Prettier formatter and was used to initiate a supply-chain attack. The extension delivered a multi-stage malware chain, starting with the Anivia loader and ending with OctoRAT, a fully featured remote access toolkit. Both Anivia and OctoRAT used AES-encrypted payloads, in-memory execution, and process hollowing to evade detection. The malicious GitHub repository "vscode" was used to host VBScript payloads, with active payload rotation to avoid detection. The Anivia loader decrypted and executed payloads in memory, employing advanced techniques like process hollowing into legitimate Windows binaries. OctoRAT provided over 70 commands, including surveillance, file theft, privilege escalation, and cryptocurrency wallet theft.  

Operation DupeHike targets Russian corporations

Operation DupeHike is a cyber campaign targeting Russian corporate employees, particularly in HR and payroll sectors, using spear-phishing techniques. Attackers deploy malicious LNK files disguised as documents related to employee bonuses, which lead to the installation of the DUPERUNNER implant and the AdaptixC2 beacon. The infection begins with a ZIP file containing a decoy document that outlines internal HR policies, effectively luring victims. Upon execution, the LNK file utilizes PowerShell to download and run the DUPERUNNER implant, which performs various malicious activities, including process injection and data gathering. The AdaptixC2 beacon serves as a loader for further payloads, employing sophisticated techniques such as reflective loading and dynamic API resolution. 

Top Vulnerabilities Reported in the Last 24 Hours

Actively exploited WordPress plugin flaw

A critical vulnerability (CVE-2025-8489) has been identified in the King Addons for Elementor plugin for WordPress, allowing attackers to gain administrative permissions during the registration process. This flaw enables malicious users to create rogue admin accounts by sending a crafted request that specifies their user role as "administrator." Since the issue's public disclosure on October 30, Wordfence has blocked over 48,400 exploit attempts, with significant activity peaking between November 9 and 10. Additionally, another severe vulnerability (CVE-2025-13486) was found in the Advanced Custom Fields: Extended plugin, affecting more than 100,000 WordPress sites. This flaw allows unauthenticated attackers to execute arbitrary code remotely, posing a serious threat to website security.
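The bug class behind the King Addons flaw is a registration handler that trusts a client-supplied role. The following is an added illustration in Python, not the plugin's code: a hypothetical vulnerable handler beside its hardened form, plus a small audit helper that lists administrator accounts created on or after the October 30 disclosure date, run over constructed sample records.

```python
from datetime import date

# Role a self-registered account should always receive unless the server
# explicitly decides otherwise. Hypothetical names; not from the plugin.
DEFAULT_ROLE = "subscriber"
ALLOWED_SELF_SIGNUP_ROLES = {"subscriber"}


def register_user_vulnerable(request: dict) -> dict:
    """Vulnerable pattern: the role is copied straight from the request
    body, so a crafted request can ask for 'administrator' and get it."""
    return {"login": request["login"], "role": request.get("role", DEFAULT_ROLE)}


def register_user_hardened(request: dict) -> dict:
    """Hardened pattern: the server decides the role. A client-supplied
    value is honoured only if it is on the allowlist of self-signup roles;
    anything else (including 'administrator') falls back to the default."""
    requested = request.get("role", DEFAULT_ROLE)
    role = requested if requested in ALLOWED_SELF_SIGNUP_ROLES else DEFAULT_ROLE
    return {"login": request["login"], "role": role}


def find_suspicious_admins(users: list, disclosed_on: date = date(2025, 10, 30)) -> list:
    """Audit helper for site owners: return logins of administrator
    accounts registered on or after the disclosure date, sorted."""
    return sorted(
        u["login"]
        for u in users
        if u["role"] == "administrator" and u["registered"] >= disclosed_on
    )


# Constructed sample input: a crafted signup request and a small user table.
CRAFTED_REQUEST = {"login": "newuser", "role": "administrator"}
SAMPLE_USERS = [
    {"login": "siteowner", "role": "administrator", "registered": date(2021, 3, 2)},
    {"login": "editor01", "role": "editor", "registered": date(2025, 11, 9)},
    {"login": "wp_sys_adm", "role": "administrator", "registered": date(2025, 11, 9)},
    {"login": "reader", "role": "subscriber", "registered": date(2025, 11, 10)},
]

if __name__ == "__main__":
    print("vulnerable:", register_user_vulnerable(CRAFTED_REQUEST))
    print("hardened:  ", register_user_hardened(CRAFTED_REQUEST))
    print("audit:     ", find_suspicious_admins(SAMPLE_USERS))
```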

RSC vulnerabilities in React and Next[.]js

A critical security vulnerability has been discovered in React Server Components (RSC) and Next[.]js, allowing unauthenticated remote code execution with a CVSS score of 10.0. Tracked as CVE-2025-55182 and CVE-2025-66478, these flaws arise from unsafe deserialization processes in React's Flight protocol. They impact specific versions of the React packages and any libraries that bundle RSC, including Vite and RedwoodJS. Exploiting these vulnerabilities requires only network access, making standard deployments immediately vulnerable. With millions of servers potentially affected, this issue poses a significant threat to applications using modern frameworks like React and Next.js.
