Daily Threat Briefing

Cyware Daily Threat Intelligence, December 15, 2025


That handy new tool on GitHub might be a backdoor in disguise. A new campaign is abusing the platform to distribute a previously undocumented implant called PyStoreRAT by hiding it inside repositories that pose as legitimate development or OSINT utilities. The attackers inflate download metrics and promote the repositories on social media to lure analysts and developers into running the code.

Trying to pirate the latest Leonardo DiCaprio film could cost you your digital identity. A fake torrent for the movie "One Battle After Another" uses malicious subtitle files to conceal a multi-stage infection chain. The attack relies on a deceptive shortcut that launches hidden PowerShell scripts, eventually deploying the Agent Tesla RAT.

Your iPhone and Mac are under fire from the same bugs that recently hit Google Chrome. Apple has issued urgent security updates to address two critical WebKit vulnerabilities that are being actively exploited in the wild. These flaws, likely used in sophisticated spyware attacks, are the eighth and ninth zero-day vulnerabilities Apple has had to patch this year.

Top Malware Reported in the Last 24 Hours

GitHub repositories spread new PyStoreRAT

A new campaign is leveraging GitHub-hosted Python repositories to distribute a previously undocumented JavaScript-based RAT called PyStoreRAT. The repositories, disguised as development utilities or OSINT tools, contain only a minimal loader stub that silently downloads and executes a remote HTA file. PyStoreRAT is a modular implant that can execute a range of follow-on payloads, including the Rhadamanthys information stealer. The threat actors promote the repositories on social media and manipulate repository metrics so that they appear legitimate to developers and analysts. Once executed, PyStoreRAT profiles the system, checks for administrator privileges, and scans for cryptocurrency wallet files.

Fake torrent hides malware in subtitles

A fake torrent for the movie "One Battle After Another," featuring Leonardo DiCaprio, has been found to conceal malicious PowerShell scripts within its subtitle files. The torrent includes the expected files, such as a movie file and images, but the real threat is a shortcut that executes commands to extract and run the malware. The PowerShell script reconstructs further scripts that ultimately deploy the Agent Tesla RAT, a notorious information-stealing malware. The infection chain is particularly complex, involving multiple stages that create hidden scheduled tasks and extract payload data from seemingly innocuous files.

Top Vulnerabilities Reported in the Last 24 Hours

Actively exploited Sierra Wireless router bug

CISA has added a critical vulnerability, CVE-2018-4063, affecting Sierra Wireless AirLink ALEOS routers to its Known Exploited Vulnerabilities catalog. The flaw, with a CVSS score of 8.8/9.9, allows remote code execution through malicious HTTP requests. Active exploitation of this six-year-old vulnerability has been reported, particularly by a threat group known as Chaya_005, which weaponized it to deliver malicious payloads. The vulnerability stems from an unrestricted file upload capability in the ACEManager interface, which lets attackers upload executable files that run with elevated privileges.

Apple patches critical WebKit vulnerabilities

Apple has issued security updates for iOS, iPadOS, macOS, tvOS, watchOS, visionOS, and Safari to address two critical WebKit vulnerabilities that have been exploited in the wild. The vulnerabilities, tracked as CVE-2025-43529 and CVE-2025-14174, pose significant risks; the latter is a memory corruption issue that affects a wide range of devices. CVE-2025-14174 was previously patched by Google in Chrome, indicating that the flaw lies in a component shared between the two platforms. Both flaws were likely used in sophisticated, targeted spyware attacks. With these updates, Apple has now resolved nine actively exploited zero-day vulnerabilities in 2025.
