Daily Threat Briefing

Cyware Daily Threat Intelligence, November 10, 2025


Malware is playing hide-and-seek in plain code. The GlassWorm malware has resurfaced with three new malicious extensions on the OpenVSX marketplace, which have already rocketed to over 10,000 downloads. The extensions use invisible Unicode characters to obfuscate their malicious code, making them difficult to spot in a review.

A single image sent through WhatsApp was all it took to infect some of the world's most popular phones. A zero-day in Samsung's image processing library was exploited to deliver the LandFall spyware via a malicious .DNG image file.

What happens at a hacking competition doesn't stay at the competition. QNAP is rushing out patches for seven zero-day vulnerabilities in its NAS devices after all of them were successfully exploited by researchers at the recent Pwn2Own Ireland event. The critical flaws impacted the core QTS and QuTS hero operating systems.

Top Malware Reported in the Last 24 Hours

GlassWorm malware returns with new extensions

GlassWorm malware has re-emerged in the OpenVSX marketplace, introducing three new malicious VSCode extensions that have collectively garnered over 10,000 downloads. This malware campaign, which initially targeted OpenVSX and Visual Studio Code last month, employs invisible Unicode characters to obfuscate its malicious code while targeting GitHub, NPM, and OpenVSX account credentials, as well as cryptocurrency wallet information. The newly identified extensions, which use the same obfuscation techniques as earlier variants, include ai-driven-dev, adhamu.history-in-sublime-merge, and yasuyuky.transient-emacs. 
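One way to triage an extension for the obfuscation described above, added here as an example and not code from the page or from the researchers it cites: a scanner that reports every invisible Unicode code point in a source file, with its line and column. The code-point ranges and the JavaScript sample are constructed for the illustration.

```python
import unicodedata

# Inclusive code-point ranges that render as nothing (or next to nothing) in an
# editor yet survive copy/paste and code review. Constructed list for this example.
INVISIBLE_RANGES = [
    (0x00AD, 0x00AD, "soft hyphen"),
    (0x200B, 0x200F, "zero-width space/joiner/bidi mark"),
    (0x202A, 0x202E, "bidi embedding/override"),
    (0x2060, 0x2064, "word joiner/invisible operator"),
    (0x2066, 0x2069, "bidi isolate"),
    (0xFE00, 0xFE0F, "variation selector"),
    (0xFEFF, 0xFEFF, "byte order mark"),
    (0xE0000, 0xE007F, "Unicode tag character"),
    (0xE0100, 0xE01EF, "variation selector supplement"),
]

def classify(cp):
    """Label an invisible code point, or return None for ordinary characters."""
    for lo, hi, label in INVISIBLE_RANGES:
        if lo <= cp <= hi:
            return label
    # Any other 'Cf' (format) character is also worth a look in source code.
    if unicodedata.category(chr(cp)) == "Cf":
        return "other format control"
    return None

def scan_source(text):
    """Return (line, column, code point, label) for every invisible char in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            label = classify(ord(ch))
            if label:
                findings.append((lineno, col, ord(ch), label))
    return findings

# Constructed sample: an extension entry point with a zero-width space spliced
# into an identifier and a run of tag characters appended to the same line.
SAMPLE_JS = (
    "function activate(context) {\n"
    "  const cfg = load\u200bConfig();" + "".join(chr(0xE0000 + b) for b in b"hi") + "\n"
    "  return cfg;\n"
    "}\n"
)

if __name__ == "__main__":
    for hit in scan_source(SAMPLE_JS):
        print("line %d col %d U+%04X %s" % hit)
```

A byte order mark as the very first character of a file is normal; anywhere else, or any run of tag characters or variation selectors, deserves a manual look.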

NuGet packages act as time bombs

Several malicious NuGet packages have been discovered, containing sabotage payloads set to activate between 2027 and 2028. These packages, published under the name "shanhai666," include mostly legitimate code but contain a small malicious payload that exploits C# extension methods to inject harmful logic into database operations and Siemens S7 PLC communications. The most concerning package, Sharp7Extend, mimics the trusted Sharp7 library and can disrupt PLC operations by randomly terminating processes or corrupting data writes. The embedded malware uses a probabilistic trigger, meaning activation depends on specific conditions. With nearly 9,500 downloads before being delisted, these packages pose a significant threat, especially in industrial environments reliant on database and PLC functionality.

New LandFall spyware abused Samsung 0-day

A zero-day vulnerability in Samsung's Android image processing library (CVE-2025-21042) was exploited to deploy the LandFall spyware through malicious images sent via WhatsApp. The attack utilized malformed .DNG raw image files containing embedded ZIP archives to deliver the spyware. LandFall spyware includes components for elevating permissions, achieving persistence, and evading detection. It can record calls, track location, and access sensitive data such as photos, contacts, SMS, and browsing history. The spyware targeted Samsung Galaxy S22, S23, S24, Z Fold 4, and Z Flip 4 devices, but not the S25 series. The campaign has been active since at least July 2024, with evidence of targeting users in Iraq, Iran, Turkey, and Morocco.
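A triage check for the delivery format described above, added here as an example and not taken from the page or from the LandFall analysis: it treats a .DNG as the TIFF container it is and looks for a parseable ZIP archive embedded in the file. The sample file is built inside the block; the archive member name and contents are placeholders.

```python
import io
import struct
import zipfile

TIFF_MAGICS = (b"II*\x00", b"MM\x00*")  # DNG is a TIFF container: little-/big-endian headers
ZIP_LOCAL_HEADER = b"PK\x03\x04"

def is_tiff_like(data):
    return data[:4] in TIFF_MAGICS

def find_embedded_zip(data):
    """Return (offset, member names) for the first ZIP archive inside the buffer
    that zipfile can actually parse, or None. Stray 'PK' bytes in pixel data
    are skipped because they fail to parse."""
    pos = data.find(ZIP_LOCAL_HEADER)
    while pos != -1:
        try:
            with zipfile.ZipFile(io.BytesIO(data[pos:])) as zf:
                return pos, zf.namelist()
        except zipfile.BadZipFile:
            pos = data.find(ZIP_LOCAL_HEADER, pos + 1)
    return None

def assess_image(data):
    """Triage verdict for one file: 'not-tiff', 'clean' or 'suspicious', plus the hit."""
    if not is_tiff_like(data):
        return "not-tiff", None
    hit = find_embedded_zip(data)
    return ("suspicious" if hit else "clean"), hit

def build_sample():
    """Constructed sample: minimal little-endian TIFF header + one-entry IFD,
    then a ZIP archive appended where image data would normally sit."""
    header = b"II*\x00" + struct.pack("<I", 8)            # first IFD at offset 8
    ifd = struct.pack("<H", 1)                              # one directory entry
    ifd += struct.pack("<HHII", 0x0100, 3, 1, 1)            # ImageWidth = 1 (SHORT)
    ifd += struct.pack("<I", 0)                             # no next IFD
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payload.bin", b"placeholder bytes, constructed for the example")
    return header + ifd + b"\x00" * 64 + buf.getvalue()

if __name__ == "__main__":
    print(assess_image(build_sample()))
```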

Large-scale phishing attacks target hotels

A massive phishing campaign is targeting the hospitality industry, utilizing spear-phishing emails that impersonate Booking[.]com to deploy PureRAT. Attackers send malicious messages from compromised email accounts to hotel managers, tricking them into visiting ClickFix-style pages designed to harvest credentials. These pages often include fake reCAPTCHA challenges and redirect users to malicious sites that execute harmful PowerShell commands, leading to the installation of PureRAT. This modular malware enables remote access and data exfiltration, making it a significant threat. Additionally, attackers approach hotel customers via WhatsApp or email, directing them to fraudulent landing pages to steal banking information. 

Top Vulnerabilities Reported in the Last 24 Hours

Critical vulnerabilities exploited in runc tool

Three critical vulnerabilities in the runc container runtime, which underpins Docker and Kubernetes, have been disclosed, allowing attackers to escape container isolation and gain root access to host systems. Identified as CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881, these flaws stem from weaknesses in how runc handles mount operations and file protections during container creation. Attackers can leverage race conditions and symbolic link manipulation to bypass security restrictions, enabling them to write to crucial system files. For instance, CVE-2025-31133 allows malicious container images to replace sensitive host files with symlinks, while CVE-2025-52565 permits unauthorized access to protected procfs files.

RCE vulnerability in LangGraph

CVE-2025-64439 is a high-severity RCE vulnerability in LangGraph, a popular AI agent orchestration framework, affecting its JsonPlusSerializer component. The flaw allows attackers to exploit a fallback mechanism in the serializer's "json" mode to execute arbitrary Python code. The vulnerability arises when untrusted data is accepted into the checkpointing system, allowing malicious payload execution. LangGraph versions earlier than 3.0 are affected; users processing untrusted data are at significant risk.

QNAP patches seven NAS 0-days

QNAP has released security updates to fix seven zero-day vulnerabilities that were successfully exploited during the Pwn2Own Ireland 2025 hacking competition. The flaws impacted QNAP's QTS and QuTS hero NAS operating systems. Vulnerabilities were also found in several applications, including Hyper Data Protector, Malware Remover, and HBS 3 Hybrid Backup Sync. QNAP has released patches for all affected products and urges users to update their systems immediately. The company provided specific patched versions for the OS (QTS 5.2.7.3297, QuTS hero h5.2.7.3297, h5.3.1.3292) and the vulnerable applications. Additionally, QNAP patched a separate critical SQL injection vulnerability in its QuMagie photo management software.
