Daily Threat Briefing
Diamond Trail

Cyware Daily Threat Intelligence, November 12, 2025


A new banking malware is spreading by hijacking one of the world's most popular chat apps. The Maverick malware, targeting Brazil's largest banks, is being distributed through active WhatsApp Web sessions, sending malicious files to a victim's contacts.

Cybercriminals can now buy a ready-made toolkit for Android espionage. A new MaaS named Fantasy Hub is being sold on Telegram, allowing buyers to create fake Google Play pages for trojanized apps. The malware is designed to steal banking credentials with fake overlays and even intercepts 2FA codes.

It's that time of the month again, and this Patch Tuesday includes an urgent fix. Microsoft's November update addresses 63 vulnerabilities, including a critical zero-day in the Windows Kernel that is already being exploited in the wild.

Top Malware Reported in the Last 24 Hours

Maverick - Beware of this new WhatsApp malware

Maverick malware has emerged as a serious threat targeting Brazil's largest banks by hijacking browser sessions and spreading through WhatsApp Web. It shares similarities with the previously identified Coyote strain: both are written in .NET and designed to monitor banking applications. Maverick is distributed via malicious ZIP files that carry its payloads, and it steals credentials by watching for specific banking URLs in the browser. Attributed to the threat actor Water Saci, the campaign uses advanced techniques, including PowerShell scripts, to disable security features and operate stealthily. By bypassing WhatsApp Web authentication, Maverick gains immediate access to victims' accounts and uses them to send malicious files to their contacts.

New Fantasy Hub RAT sold as MaaS

Researchers revealed a new Android malware called Fantasy Hub, sold as Malware-as-a-Service (MaaS) on Russian-speaking Telegram channels, that enables remote device control and data theft. Fantasy Hub targets financial workflows, intercepts two-factor authentication SMS codes, and poses a threat to enterprise customers who rely on mobile banking apps. Buyers receive instructions for creating fake Google Play Store pages and uploading APK files for trojanized versions of apps embedded with malicious payloads. The malware abuses SMS permissions, masquerades as a Google Play update, uses fake overlays to steal banking credentials, and streams real-time camera and microphone content.

Top Vulnerabilities Reported in the Last 24 Hours

Microsoft November 2025 Patch Tuesday

Microsoft's November 2025 Patch Tuesday update addresses 63 vulnerabilities, including a critical zero-day (CVE-2025-62215) in the Windows Kernel with a CVSS rating of 7.0. Exploitation of this vulnerability is complex, as it involves winning a race condition, but a successful attack lets an attacker gain SYSTEM privileges. While a functional exploit exists in the wild, no public proof-of-concept has been released. The update also fixes a severe remote code execution vulnerability (CVE-2025-60724) in the Microsoft Graphics Component, rated 9.8, although Microsoft considers it less likely to be exploited. Microsoft additionally flagged several vulnerabilities in the Windows Ancillary Function Driver for WinSock, emphasizing their inherently high risk given the driver's critical role in network functionality.

Tor Project issues fresh update

Tor Browser 15.0.1 has been released, addressing several high-risk security vulnerabilities to strengthen user privacy and security. The update incorporates important security patches from the Firefox Extended Support Release and backports additional fixes from Firefox version 145. A significant change is an upgrade to the NoScript extension, which now blocks potentially harmful scripts by default. The update also introduces a “No AI” version of DuckDuckGo for privacy-focused searches and sorts search engines alphabetically for easier access. Improvements span all supported operating systems, including restored fonts on Linux and better performance on Android through updates to the GeckoView engine.

ICS Patch Tuesday

Industrial cybersecurity vendors Siemens, Schneider Electric, Rockwell Automation, and Aveva have released Patch Tuesday advisories addressing critical vulnerabilities in their ICS/OT products. Siemens addressed vulnerabilities in Comos, Solid Edge, and other systems, including critical code execution and security bypass flaws. Rockwell Automation fixed high-severity issues in Verve Asset Manager, Studio 5000, and other products, including MFA bypass and persistent XSS vulnerabilities. Aveva and Schneider Electric patched vulnerabilities shared between their products, including privilege escalation and path traversal issues affecting multiple products.
