Daily Threat Briefing
Diamond Trail

Cyware Daily Threat Intelligence, December 05, 2025


Threat actors continue to evolve their deception techniques, blending false identities, poisoned search results, and malware-laced executables. The Chinese APT group “Silver Fox” is impersonating Russian threat actors by embedding Cyrillic false flags in a Microsoft Teams SEO poisoning campaign targeting Chinese-speaking users. Victims are tricked into downloading ValleyRAT malware from fake domains delivered through tampered Teams installers.

Cryptomining attacks are becoming quieter, smarter, and harder to detect. A stealthy CoinMiner strain is spreading via USB drives in South Korea, using malicious shortcut (.lnk) files and DLL side-loading tactics. The malware creates convincing fake directories, leverages trusted Windows components to evade detection, and ultimately deploys a payload known as PrintMiner.

Even widely trusted open-source tools can become attack vectors when overlooked vulnerabilities surface. A high-severity flaw in Vim for Windows (CVE-2025-66476) enables arbitrary code execution through an uncontrolled search path vulnerability affecting versions earlier than 9.1.1947. 

Top Malware Reported in the Last 24 Hours

SEO poisoning campaign targets China

The Chinese APT group "Silver Fox" uses false flags, such as Cyrillic characters, to impersonate Russian threat actors while targeting organizations in China through a Microsoft Teams SEO poisoning campaign. Silver Fox deploys ValleyRAT malware for espionage and financial fraud, enabling remote control of infected systems, data exfiltration, and long-term persistence. The campaign uses fake domains like "teamscn[.]com" to lure Chinese-speaking users into downloading malware disguised as Microsoft Teams software. The infection chain involves a trojanized Microsoft Teams executable, PowerShell commands to modify antivirus exclusions, and malicious DLL files loaded into legitimate Windows processes.

Rise of stealthy cryptominers in South Korea

A new strain of CoinMiner malware is spreading via USB drives in South Korea, targeting workstations for Monero cryptocurrency mining. The infection process starts from a malicious shortcut file (.lnk) that executes scripts to load the malware using DLL side-loading. The malware creates deceptive directories and runs under trusted Windows components to bypass antivirus detection. The payload, PrintMiner, maximizes mining efficiency while employing stealth tactics such as bypassing Windows Defender and pausing activity during high-resource tasks.
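Both campaigns above load a malicious DLL into a legitimate process, so a practical hunt is to look for image-load events where a DLL carrying a well-known system DLL name is loaded from somewhere other than a system directory, in particular from the same folder as the loading executable or from a removable volume. The following is an added example written for this briefing, not code from Cyware or from any of the referenced reports. The log format, the field names (`Image`, `ImageLoaded`, `Signed`), the system-DLL list and the sample events are all constructed for illustration; a real deployment would feed it Sysmon event ID 7 records and a complete inventory of system DLL names.

```python
import ntpath
import re

# Constructed allowlist of directories Windows itself uses for system DLLs (lower-case).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Illustrative, deliberately short set of DLL names that legitimately live in system32.
# A real hunt would use the full inventory of the monitored Windows build.
SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "cryptbase.dll", "userenv.dll"}

# Parses "Key=value Key2=value with spaces" lines; values run until the next "Key=".
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line: str) -> dict:
    """Turn one constructed image-load log line into a dict of its fields."""
    return {k: v.strip() for k, v in FIELD_RE.findall(line)}


def _norm(path: str) -> str:
    """Normalise a Windows path for comparison: backslashes, lower-case."""
    return path.replace("/", "\\").lower()


def classify(event: dict):
    """Return a list of reasons the load looks like side-loading, or None if benign."""
    dll = _norm(event["ImageLoaded"])
    image = _norm(event["Image"])
    name = ntpath.basename(dll)
    dll_dir = ntpath.dirname(dll)
    if name not in SYSTEM_DLLS or dll_dir in SYSTEM_DIRS:
        return None  # unmonitored name, or loaded from where it belongs
    reasons = [f"{name} loaded from {dll_dir} rather than a system directory"]
    if dll_dir == ntpath.dirname(image):
        reasons.append("DLL sits beside the loading executable (side-loading pattern)")
    if not dll.startswith("c:\\"):
        reasons.append("loaded from a removable or non-system volume")
    if event.get("Signed", "").lower() != "true":
        reasons.append("module is unsigned")
    return reasons


def hunt(lines):
    """Run classify() over raw log lines; return [(loading image, reasons), ...] for hits."""
    hits = []
    for line in lines:
        event = parse_event(line)
        reasons = classify(event)
        if reasons:
            hits.append((event["Image"], reasons))
    return hits


# Constructed sample events (not captured telemetry).
SAMPLE_EVENTS = [
    r"Image=C:\Windows\System32\notepad.exe ImageLoaded=C:\Windows\System32\version.dll Signed=true",
    r"Image=E:\Docs\viewer.exe ImageLoaded=E:\Docs\version.dll Signed=false",
    r"Image=C:\Users\alice\AppData\Local\Temp\upd\tool.exe "
    r"ImageLoaded=C:\Users\alice\AppData\Local\Temp\upd\dbghelp.dll Signed=false",
    r"Image=C:\Program Files\Vendor\app.exe ImageLoaded=C:\Program Files\Vendor\plugin.dll Signed=true",
]

if __name__ == "__main__":
    for image, reasons in hunt(SAMPLE_EVENTS):
        print(image)
        for reason in reasons:
            print("   -", reason)
```

Only the second and third sample events are flagged: the first loads `version.dll` from `System32`, and the fourth loads a vendor plugin whose name is not on the watched list. The "beside the loading executable" and "non-system volume" reasons are the ones that correspond most directly to the USB-borne side-loading described above.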

Top Vulnerabilities Reported in the Last 24 Hours

Vim for Windows flaw exposes users to code execution risks

A high-severity vulnerability (CVE-2025-66476) has been discovered in Vim for Windows, allowing attackers to execute arbitrary code through an uncontrolled search path issue. The flaw, rated with a CVSS score of 7.8, affects versions earlier than 9.1.1947. It enables attackers to plant malicious executables in directories on the search path, which Vim may then execute instead of the legitimate system binaries. The vulnerability can be exploited without administrative privileges, posing a significant threat to users. The issue has been resolved in version 9.1.1947, and users are urged to update immediately.

HTTP Request Smuggling flaw fixed in Akamai edge servers

Akamai has resolved a critical HTTP Request Smuggling vulnerability (CVE-2025-66373) in its edge servers. The flaw, linked to improper handling of chunked transfer encoding in HTTP requests, could allow attackers to smuggle hidden requests, potentially bypassing security controls or hijacking sessions. Akamai fixed the issue on November 17, 2025, after being notified via its Bug Bounty Program, and no customer action is required as the mitigation was handled internally.
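Request smuggling of the kind described above works only when two parsers in the chain disagree about where one request ends and the next begins, which is why the defensive fix is strict, unambiguous framing. The block below is an added example for this briefing, not Akamai's code and not a description of its patch: a small HTTP/1.1 framing validator that refuses any request carrying both `Content-Length` and `Transfer-Encoding`, rejects chunk-size lines that are anything other than plain hex digits, and treats any bytes left over after the terminating chunk as an error rather than as the start of a second request. The sample requests are constructed, not captured traffic.

```python
import re

# Strict chunk-size line: hex digits only. Chunk extensions and stray whitespace are
# rejected because lenient handling of them is a classic source of front-end/back-end
# disagreement about message length.
CHUNK_SIZE_RE = re.compile(rb"^[0-9A-Fa-f]{1,16}$")


def parse_head(raw: bytes):
    """Split a raw request into (request_line, [(lower_name, value), ...], body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        # Empty names or whitespace around the field name are rejected (RFC 7230 3.2.4).
        if not colon or not name or name.strip() != name:
            raise ValueError(f"malformed header line {line!r}")
        headers.append((name.lower(), value.strip()))
    return lines[0], headers, body


def walk_chunks(body: bytes):
    """Validate a chunked body; returns (ok, reason). Nothing may follow the last chunk."""
    pos = 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            return False, "truncated chunk-size line"
        size_line = body[pos:end]
        if not CHUNK_SIZE_RE.match(size_line):
            return False, f"malformed chunk size {size_line!r}"
        size = int(size_line, 16)
        pos = end + 2
        if size == 0:
            # Terminating chunk: this strict mode allows no trailers, so only the
            # final CRLF may remain. Leftover bytes here are exactly where a
            # smuggled second request would sit, so they are an error.
            if body[pos:] != b"\r\n":
                return False, "unexpected bytes after terminating chunk"
            return True, "chunked body complete"
        if len(body) < pos + size + 2 or body[pos + size:pos + size + 2] != b"\r\n":
            return False, "chunk data not CRLF-terminated"
        pos += size + 2


def validate_framing(raw: bytes):
    """Return (ok, reason) for one HTTP/1.1 request held entirely in `raw`."""
    try:
        _, headers, body = parse_head(raw)
    except ValueError as exc:
        return False, str(exc)
    cl = [v for n, v in headers if n == b"content-length"]
    te = [v for n, v in headers if n == b"transfer-encoding"]
    if cl and te:
        # RFC 7230 3.3.3: the two framing mechanisms must never be combined.
        return False, "both Content-Length and Transfer-Encoding present"
    if te:
        if len(te) != 1 or te[0].lower() != b"chunked":
            return False, f"unsupported Transfer-Encoding {te!r}"
        return walk_chunks(body)
    if cl:
        if len(set(cl)) != 1 or not cl[0].isdigit():
            return False, f"invalid or conflicting Content-Length {cl!r}"
        expected = int(cl[0])
        if len(body) != expected:
            return False, f"body is {len(body)} bytes, Content-Length says {expected}"
        return True, "content-length body complete"
    if body:
        return False, "body present without a framing header"
    return True, "no body"


# Constructed sample requests (not captured traffic).
CLEAN_CL = b"POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"
CLEAN_TE = (b"POST /api HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n"
            b"5\r\nhello\r\n0\r\n\r\n")
AMBIGUOUS = (b"POST /api HTTP/1.1\r\nHost: example.test\r\nContent-Length: 4\r\n"
             b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\nX")
TRAILING = CLEAN_TE + b"trailing-bytes"
BAD_SIZE = (b"POST /api HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n"
            b"5;ext=1\r\nhello\r\n0\r\n\r\n")

if __name__ == "__main__":
    for label, req in [("clean CL", CLEAN_CL), ("clean TE", CLEAN_TE),
                       ("ambiguous", AMBIGUOUS), ("trailing", TRAILING), ("bad size", BAD_SIZE)]:
        print(f"{label:10} -> {validate_framing(req)}")
```

The two clean requests pass; the other three are rejected with a reason naming the exact ambiguity. A real edge server cannot simply drop every chunk extension or trailer, but it should apply the same principle: one framing mechanism per message, one interpretation of chunk sizes, and no silent tolerance of bytes that the declared length does not account for.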
