Cyware Daily Threat Intelligence, May 21, 2025


Cryptominers are hiding in plain sight, this time inside encrypted chat traffic. ASEC uncovered a stealthy new backdoor paired with a Monero coinminer, using the PyBitmessage library for encrypted peer-to-peer communications. The malware evades typical detection methods. Payloads are decrypted using XOR and pulled from sources like GitHub or suspected Russian drives, while mimicking legitimate software to stay under the radar.

Millions of Node[.]js apps just got riskier. Two critical bugs in the Multer middleware can crash servers or slowly bleed memory through malformed requests and unclosed streams. With no workarounds available, developers are urged to upgrade to version 2.0.0. Until then, close monitoring of system performance is the only safeguard.

Hazy Hawk is weaponizing your forgotten cloud. Since late 2023, this threat actor has been hijacking abandoned subdomains to launch scams and malware campaigns. By exploiting misconfigured DNS records across platforms like Azure and AWS, they repurpose trusted domains from federal agencies and major organizations to sidestep defenses and hijack SEO.

Top Malware Reported in the Last 24 Hours

New PyBitmessage backdoor deployed with coinminer

ASEC detected a new backdoor malware distributed with a Monero coinminer, leveraging the PyBitmessage library for encrypted P2P communication to evade detection. The malware hides C2 commands within legitimate Bitmessage network messages, making it difficult for security products to classify its behavior as malicious. The malware decrypts and executes Monero coin miners and backdoor functions using XOR operations, exploiting infected systems for cryptocurrency mining. The PyBitmessage-based backdoor downloads the files it needs from GitHub or a suspected Russian personal drive and disguises itself as legitimate software.

Fake Chrome extensions hijack sessions

Over 100 fake Chrome extensions have been identified, stealing credentials, hijacking sessions, and injecting ads while appearing as legitimate tools. The extensions exploit excessive permissions and manipulate the browser DOM to bypass security policies and execute malicious activities. Lure websites impersonate legitimate services like DeepSeek, Manus, and FortiVPN to trick users into downloading these extensions. Threat actors use phishing, social media, and Facebook tracking IDs to attract users to malicious sites.

New SideWinder APT campaign targets South Asia

The SideWinder APT targeted high-level government institutions in Sri Lanka, Bangladesh, and Pakistan using spear-phishing emails and exploiting vulnerabilities CVE-2017-0199 and CVE-2017-11882 in Microsoft Office. The attackers deployed the StealerBot malware through malicious documents, which enabled them to maintain persistent access and collect sensitive data. The operation involved geofenced payloads to ensure that only specific victims received the malicious content.

Top Vulnerabilities Reported in the Last 24 Hours

Multer bugs put Node[.]js apps at risk

Two high-severity vulnerabilities (CVE-2025-47944 and CVE-2025-47935) in Multer middleware can cause DoS and memory leaks in millions of Node[.]js applications. CVE-2025-47944 can crash applications by sending malformed multipart/form-data requests, scoring 7.5 on the CVSS v3.1 scale. CVE-2025-47935 causes memory leaks due to unclosed streams when HTTP request errors occur, potentially leading to server crashes. No workarounds exist; the only solution is upgrading to Multer version 2.0.0. Temporary monitoring of crash logs and resources is advised for those unable to update immediately.

Critical OpenPGP[.]js bugs spotted

A critical vulnerability (CVE-2025-47934) in the OpenPGP.js library has been discovered and patched. This flaw allows attackers to spoof message signature verification, potentially misleading systems into accepting unsigned or altered content as legitimate. The vulnerability impacts versions 5 and 6 of OpenPGP.js, and updates (versions 5.11.3 and 6.1.1) are now available to address the issue. The library is widely used in various projects like FlowCrypt and Passbolt, making the patch crucial for users.

Threats in Spotlight

Hazy Hawk targets DNS bugs, hijacks cloud resources

A threat actor named Hazy Hawk has been exploiting DNS misconfigurations since December 2023 to hijack abandoned cloud resources from high-profile organizations, including federal agencies, universities, healthcare entities, and corporations. Hazy Hawk uses hijacked subdomains to distribute scams and malware, leveraging the trustworthiness of compromised domains to bypass security controls and improve search engine rankings. The campaign targets multiple cloud providers like Azure, Amazon, Cloudflare, and others, exploiting vulnerable DNS CNAME records associated with abandoned resources. The actor employs advanced techniques like URL redirection, obfuscation, and content cloning to execute malware distribution chains, leading victims to scams and fraudulent content. They clone legitimate websites, like PBS[.]org, to deceive content crawlers and lure victims with enticing material, such as fake videos. Push notifications are employed as a persistence mechanism, inundating victims with scam-related alerts after approval.
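The Hazy Hawk campaign abuses CNAME records that still point at cloud hostnames whose underlying resource was deleted. The check below is an added example, not code from the briefing or from any vendor named in it: it walks a constructed set of zone records, keeps only CNAMEs aimed at an assumed list of cloud suffixes, and flags those whose target no longer resolves, which is what a defender would audit to find records to delete before anyone else claims them.

```python
import socket
from typing import Callable, List, Tuple

# Constructed sample zone records (owner, type, target); not real data.
SAMPLE_RECORDS = [
    ("www.example.gov", "CNAME", "example-prod.azurewebsites.net"),
    ("old-portal.example.gov", "CNAME", "retired-app.azurewebsites.net"),
    ("cdn.example.gov", "CNAME", "d111111abcdef8.cloudfront.net"),
    ("mail.example.gov", "MX", "10 mail.example.gov"),
    ("status.example.gov", "CNAME", "legacy-bucket.s3-website-us-east-1.amazonaws.com"),
]

# Assumed set of cloud suffixes worth auditing; extend for your own providers.
CLOUD_SUFFIXES = (
    ".azurewebsites.net", ".cloudapp.azure.com", ".trafficmanager.net",
    ".cloudfront.net", ".amazonaws.com",
)

# Constructed stand-in for DNS: hostnames that still exist. Everything else is NXDOMAIN.
LIVE_HOSTS = {"example-prod.azurewebsites.net", "d111111abcdef8.cloudfront.net"}


def fake_resolve(name: str) -> bool:
    """Offline resolver used for the sample run."""
    return name.rstrip(".").lower() in LIVE_HOSTS


def live_resolve(name: str) -> bool:
    """Real resolver for production use: True if the target still resolves."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False


def find_dangling_cnames(records, resolve: Callable[[str], bool]) -> List[Tuple[str, str]]:
    """Return (owner, target) for cloud-hosted CNAME targets that no longer resolve."""
    dangling = []
    for owner, rtype, target in records:
        if rtype != "CNAME":
            continue
        tgt = target.rstrip(".").lower()
        if not tgt.endswith(CLOUD_SUFFIXES):
            continue  # only cloud targets are abandonment candidates in this audit
        if not resolve(tgt):
            dangling.append((owner, tgt))
    return dangling


if __name__ == "__main__":
    for owner, target in find_dangling_cnames(SAMPLE_RECORDS, fake_resolve):
        print(f"DANGLING CNAME: {owner} -> {target}")
```

Swap `fake_resolve` for `live_resolve` to run it against an exported copy of your own zone; every hit is a record to delete or re-point.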
