Daily Threat Briefing
Diamond Trail

Cyware Daily Threat Intelligence, November 05, 2025


Attackers are now hiding inside virtual machines to stay invisible. A group named Curly COMrades is leveraging Hyper-V on compromised Windows systems to deploy tiny Alpine Linux VMs. This novel technique allows them to run their malware and evade detection by traditional security software.

A simple message in Microsoft Teams may not be from who you think it is. Researchers have found four vulnerabilities that allow attackers to impersonate colleagues and even alter message content. This creates a significant risk, as users could be tricked into clicking malicious links or sharing sensitive data.

A popular WordPress plugin has become a wide-open door for hackers. A critical flaw in Post SMTP, installed on over 400,000 sites, is being actively exploited to hijack administrator accounts. The vulnerability allows attackers to access password reset links directly from the plugin's email log.

Top Malware Reported in the Last 24 Hours

Curly COMrades deploys stealthy remote access tools

Curly COMrades, a threat group, has been observed leveraging Hyper-V virtualization features on compromised Windows 10 systems to establish covert access. By deploying lightweight Alpine Linux-based virtual machines (VMs), they host custom malware, specifically CurlyShell and CurlCat, which facilitate persistent reverse shell and proxy operations. This innovative approach enables the attackers to evade traditional EDR solutions, as the minimal footprint of the VMs reduces detection risks. Their tactics include using PowerShell scripts for Kerberos ticket manipulation and local account persistence, allowing for lateral movement within the network. 
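As an added hunting example (not code from the briefing or from any vendor report), the script below surfaces on a Windows 10 endpoint the conditions this technique depends on: the Hyper-V feature enabled where a workstation would not normally need it, and small VMs with network access. The 2 GB "minimal footprint" threshold and the feature name Microsoft-Hyper-V-All are assumptions to tune for your fleet.

```powershell
# Added example: hunt for unexpected Hyper-V usage on a Windows 10 host.
# Assumptions: run elevated on the host being checked; 2GB is an arbitrary
# threshold for a "tiny" guest disk; tune both to your environment.
#Requires -RunAsAdministrator

$SmallDiskBytes = 2GB   # assumed threshold for a minimal-footprint VM

# 1. Is the Hyper-V platform enabled on this host at all? On a workstation
#    that has no business running VMs, 'Enabled' alone is worth a ticket.
$feature = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All
[pscustomobject]@{ Check = 'Hyper-V feature'; State = $feature.State } | Format-List
if ($feature.State -ne 'Enabled') { return }

# 2. Enumerate every VM the Virtual Machine Management Service knows about,
#    with disk footprint and virtual switch attachment (a guest with no NIC
#    cannot act as a reverse shell or proxy for the host's network).
$findings = foreach ($vm in Get-VM) {
    $disks = Get-VMHardDiskDrive -VMName $vm.Name
    $diskBytes = ($disks | ForEach-Object {
            (Get-VHD -Path $_.Path -ErrorAction SilentlyContinue).FileSize
        } | Measure-Object -Sum).Sum
    $nics = Get-VMNetworkAdapter -VMName $vm.Name
    [pscustomobject]@{
        Name        = $vm.Name
        State       = $vm.State
        Generation  = $vm.Generation
        Created     = $vm.CreationTime
        AssignedMem = $vm.MemoryAssigned
        DiskBytes   = $diskBytes
        DiskPaths   = ($disks.Path -join ';')
        Switches    = ($nics.SwitchName -join ';')
        # Small disk plus a network adapter is the profile described above.
        Suspicious  = ($diskBytes -gt 0 -and $diskBytes -lt $SmallDiskBytes -and $nics.Count -gt 0)
    }
}
$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize

# 3. The VMMS admin log records VM creation and state changes; recent entries
#    on a host that should have none tell you when and by whom it started.
Get-WinEvent -LogName 'Microsoft-Windows-Hyper-V-VMMS-Admin' -MaxEvents 25 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

Run it from your EDR or RMM as a scheduled collection and alert on any host where the feature is enabled outside an approved list, not only on rows flagged Suspicious.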

Operation SkyCloak targets Russia and Belarus

Operation SkyCloak is a cyber-espionage campaign targeting defense sectors in Russia and Belarus, utilizing phishing emails that lure recipients with military document themes. This operation deploys a persistent backdoor through OpenSSH, leveraging a customized Tor hidden service for secure communication. The malware initiates a multi-step infection process, employing PowerShell commands and environmental checks to avoid detection in sandbox environments. It establishes persistence via scheduled tasks, allowing attackers to maintain access and exfiltrate system information through obfuscated Tor traffic. The campaign shows characteristics consistent with Eastern European espionage activities, sharing tactical similarities with previous operations attributed to the threat actor UAC-0125.

Top Vulnerabilities Reported in the Last 24 Hours

Microsoft Teams flaws expose users to attacks

Cybersecurity researchers have uncovered four vulnerabilities in Microsoft Teams, which could enable attackers to impersonate colleagues and manipulate conversations without detection. These flaws allow for the alteration of message content, modification of notifications to mislead users, and even changing display names in private chats and calls. As a result, attackers can trick victims into opening malicious links or sharing sensitive information, posing significant risks to organizational security. Microsoft addressed some of these issues through patches released from August 2024 to October 2025, notably under the CVE identifier CVE-2024-38197, which is classified as a medium-severity spoofing issue affecting Teams for iOS.

Actively exploited bug in Post SMTP plugin

Hackers are actively exploiting a critical vulnerability in the Post SMTP WordPress plugin, which is installed on over 400,000 sites, to hijack administrator accounts. This flaw, tracked as CVE-2025-11833, arises from inadequate authorization checks in the plugin's email log feature, allowing unauthorized access to sensitive information, including password reset links. The vulnerability received a critical severity score of 9.8. Following the disclosure, a patch was released on October 29, but many sites remain vulnerable. Since November 1, Wordfence has reported blocking over 4,500 exploit attempts, indicating the urgency of addressing this security issue. 

CISA adds Gladinet and CWP bugs to KEV catalog

CISA added two vulnerabilities to its KEV catalog due to evidence of active exploitation. The vulnerabilities are CVE-2025-11371, a 7.5 CVSS-rated flaw in Gladinet CentreStack that risks unintended disclosure of system files, and CVE-2025-48703, a critical 9.0 CVSS-rated command injection vulnerability in Control Web Panel (CWP) allowing unauthenticated remote code execution. This follows reports from Huntress regarding attempts to exploit CVE-2025-11371. Additionally, three critical vulnerabilities affecting WordPress plugins were reported, including privilege escalation and authentication bypass issues, all of which pose significant risks to users relying on these platforms.
