Cyware Daily Threat Intelligence, December 08, 2025

Predator is now turning online ad space into an infection vector, using a zero-click technique dubbed “Aladdin” that compromises devices without any user action. The campaign routes its ads through advertising networks across multiple countries and selects victims by their public IP addresses; additional delivery vectors exist alongside it.
A fake security app posing as mBank is doing more than phishing—it is silently hijacking Polish Android devices through a new malware strain called FvncBot. The trojan features keylogging, web-inject attacks, screen streaming, and hidden VNC control to steal credentials and conduct financial fraud.
Cybercriminals are racing to exploit a critical flaw in the Sneeit Framework WordPress plugin (CVE-2025-6389), enabling remote code execution, malicious admin account creation, and widespread backdoor installation, with more than 131,000 attack attempts logged since late November.
Top Malware Reported in the Last 24 Hours
Predator spyware exploits ads to launch zero-click attacks
The Predator spyware, developed by Intellexa, uses “Aladdin,” a zero-click infection method, delivered via malicious ads that infect devices without user interaction. The ads are funneled through a network of advertising firms across multiple countries, exploiting public IP addresses to target victims. Additional delivery vectors, such as “Triton,” exploit Samsung Exynos devices, and other methods like “Thor” and “Oberon” are suspected to exist. Intellexa has been linked to numerous zero-day exploits and remains active despite sanctions and investigations.
A new Android banking trojan targets Polish users
FvncBot, a new Android banking trojan, has been targeting Polish users, disguised as a security app developed by mBank. The malware payload includes features like keylogging, web-inject attacks, screen streaming, and hidden virtual network computing (HVNC) for financial fraud. FvncBot’s code is entirely new and not derived from other Android trojans like Ermac or Hook. The malware uses Android’s accessibility services to capture sensitive user data, including passwords and one-time passwords (OTPs). It implements advanced H.264 video compression for low-latency screen streaming, which is more efficient than traditional JPEG streaming.
Top Vulnerabilities Reported in the Last 24 Hours
Critical security flaws in WordPress and ICTBroadcast
A critical security vulnerability in the Sneeit Framework plugin for WordPress (CVE-2025-6389) is being actively exploited, allowing unauthenticated attackers to execute remote code, create malicious admin accounts, and inject backdoors. Exploitation began on November 24, 2025, with over 131,000 attack attempts recorded. Additionally, a flaw in ICTBroadcast (CVE-2025-2611) is being used to deliver the "Frost" botnet for targeted DDoS attacks, leveraging advanced exploitation techniques.
Command injection flaw in ArrayOS AG VPNs
Hackers are exploiting a command injection vulnerability in Array Networks AG Series VPN devices to plant webshells and create unauthorized user accounts. The vulnerability was fixed in May 2025 but has not been assigned a tracking identifier, which complicates tracking and patching. Japan's CERT reported attacks originating from a single IP address and targeting organizations in Japan. The flaw affects ArrayOS AG 9.4.5.8 and earlier versions, particularly deployments using the DesktopDirect feature. Security experts recommend updating to version 9.4.5.9 or applying the vendor's workarounds. Despite these attacks, global attention to the issue remains limited.