Cyware Daily Threat Intelligence, November 11, 2025

Be careful what you download! South Korean Android users seeking calm found chaos instead. A new malware campaign, linked to North Korea’s KONNI APT group, masqueraded as stress-relief apps to hijack devices via Google’s Find Hub feature, enabling remote data wipes, tracking, and stealthy surveillance through social engineering on platforms like KakaoTalk.
A critical pre-auth flaw (CVE-2025-34299) in Monsta FTP lets attackers achieve full server takeover via RCE without authentication. WatchTowr reported the issue, and users are urged to update to version 2.11.3 immediately, as over 5,000 exposed instances remain at risk.
Mandiant uncovered CVE-2025-12480, an unauthenticated access flaw in Triofox exploited by UNC6485 to bypass login, abuse the built-in antivirus feature, and execute scripts with SYSTEM privileges. The group used tools like Zoho Assist and Anydesk for persistence, prompting urgent upgrades to version 16.7.10368.56560 and enhanced monitoring of admin accounts and SSH activity.
Top Malware Reported in the Last 24 Hours
KONNI APT exploits Google's Find Hub
Android devices in South Korea have been targeted by a sophisticated malware campaign disguised as stress-relief applications. Linked to the North Korean KONNI APT group, attackers exploited Google’s Find Hub feature to remotely wipe sensitive data and track victims. The campaign used social engineering tactics, including impersonating mental health professionals and human rights activists, to gain trust and spread malware through platforms like KakaoTalk. The malware enabled advanced surveillance and data exfiltration while evading traditional security measures.
VanHelsing RaaS targets multiple platforms
A new ransomware operation named VanHelsing has emerged as a significant threat in the cybercriminal landscape. Functioning as a Ransomware-as-a-Service (RaaS) platform, it offers multi-platform support targeting Windows, Linux, BSD, ARM, and ESXi systems. Affiliates pay a $5,000 deposit for access and keep 80% of ransom payments. The ransomware uses advanced encryption techniques, anti-forensic methods, and lateral movement capabilities, making it highly effective and scalable.
Top Vulnerabilities Reported in the Last 24 Hours
Monsta FTP flaw allows full server control
Monsta FTP has a critical pre-authentication flaw (CVE-2025-34299) enabling full server takeovers via remote code execution (RCE). The vulnerability allows attackers to upload malicious files to servers without needing login credentials. WatchTowr reported the flaw, and Monsta FTP developers released a patch (version 2.11.3) on August 26, 2025. Users must update immediately. At least 5,000 Monsta FTP instances are exposed on the internet, posing significant risk.
Critical vulnerability in Triofox enables bypass of authentication
Mandiant discovered CVE-2025-12480, an unauthenticated access vulnerability in Triofox, allowing attackers to bypass authentication and execute arbitrary payloads. The vulnerability was exploited by UNC6485, using HTTP Host header attacks to gain unauthorized access to Triofox's configuration pages. Attackers abused Triofox's anti-virus feature to execute malicious scripts with SYSTEM privileges. Post-exploitation activities included deploying remote access tools (Zoho Assist, Anydesk), reconnaissance, and privilege escalation. Mandiant suggests upgrading Triofox to version 16.7.10368.56560, auditing admin accounts, and monitoring for anomalous SSH traffic.
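As an added defensive example (not code from the original digest, from Mandiant or from the Triofox vendor), the check below sweeps constructed web-server log lines for requests that reach configuration or admin paths with a Host header outside the expected allowlist, the kind of trace the Host header abuse described above would leave behind. The log format, the hostnames, the loopback list and the /admin/ prefix are all assumptions to be replaced with the deployment's real values.

```python
import re
from typing import Dict, List

# Constructed sample access-log lines (not real Triofox or Mandiant data). The
# "host=" field is assumed to carry the request's Host header; adapt LINE_RE
# to your reverse proxy's or IIS log format.
SAMPLE_LOG = [
    '10.0.0.5 host="files.example.com" "GET /portal/login.aspx HTTP/1.1" 200',
    '203.0.113.7 host="localhost" "GET /admin/config.aspx HTTP/1.1" 200',
    '203.0.113.7 host="127.0.0.1:80" "POST /admin/config.aspx HTTP/1.1" 302',
    '198.51.100.2 host="files.example.com" "GET /admin/config.aspx HTTP/1.1" 401',
    'garbage line that does not parse',
]
LINE_RE = re.compile(
    r'^(?P<client>\S+) host="(?P<host>[^"]*)" '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})$'
)
# Hostnames the application is legitimately served under (assumed values).
EXPECTED_HOSTS = {"files.example.com"}
# Host values that should only ever originate on the server itself.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1", "[::1]"}
# Hypothetical path prefixes for configuration/admin pages; substitute the real ones.
SENSITIVE_PREFIXES = ("/admin/",)

def parse_line(line: str):
    """Return the named fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def normalize_host(raw: str) -> str:
    return re.sub(r":\d+$", "", raw.strip().lower())  # lower-case, drop :port

def find_host_header_anomalies(lines, expected_hosts=EXPECTED_HOSTS,
                               sensitive_prefixes=SENSITIVE_PREFIXES) -> List[Dict[str, str]]:
    """Flag requests to sensitive paths whose Host header is not an expected name."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than abort the sweep
        host = normalize_host(rec["host"])
        if host in expected_hosts or not rec["path"].startswith(sensitive_prefixes):
            continue
        reason = "unexpected Host header on sensitive path"
        # A loopback name sent by a non-loopback client should not occur in normal traffic.
        if host in LOOPBACK_HOSTS and rec["client"] not in ("127.0.0.1", "::1"):
            reason = "loopback Host header from remote client on sensitive path"
        findings.append({**rec, "host": host, "reason": reason})
    return findings
```

Running it over SAMPLE_LOG flags only the two 203.0.113.7 requests; the 401 from a legitimate hostname is left alone, so the output is a short list worth alerting on rather than every failed login.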