Daily Threat Briefing
Diamond Trail

Cyware Daily Threat Intelligence, November 13, 2025


A discontinued threat from the past has resurfaced, hiding behind the allure of cryptocurrency. The DarkComet RAT is being distributed through a fake Bitcoin wallet application that is packed with UPX to slip past antivirus detection.

Legitimate IT management tools are being weaponized to turn user devices into open doors for hackers. Attackers are using fake download pages for popular software to secretly install legitimate RMM tools, which then deploy the powerful PatoRAT backdoor. This allows the threat actors to seize full control of the system to capture screens and log every keystroke.

Two of the biggest names in enterprise networking have been hit by a coordinated zero-day assault. Sophisticated hackers exploited critical vulnerabilities in both Citrix NetScaler and Cisco ISE to deploy a custom, stealthy web shell named IdentityAuditAction.

Top Malware Reported in the Last 24 Hours

Fake Bitcoin tools spread DarkComet RAT

A newly discovered malware campaign is using fake Bitcoin tools to distribute the DarkComet RAT, which remains a live threat even though its author discontinued it years ago. The sample is disguised as an application named "94k BTC wallet.exe" and is packed with UPX to hinder static antivirus detection. Once executed, it drops a copy of itself on the host and creates autostart registry entries so that it is relaunched after every reboot. The RAT logs keystrokes and exfiltrates the captured data to a C2 server, and it uses process injection to hide its activity inside legitimate Windows processes.
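The persistence step above (a copy of the RAT dropped somewhere the user can write to, plus a Run value that relaunches it) is the part a responder can check quickly. The following triage script is an added example, not code from the briefing or from DarkComet: it parses Run values the way Windows resolves a command line, expands environment variables against a constructed host environment, and flags entries that launch from user-writable locations or reuse a system binary name outside %SystemRoot%. The registry values, the environment map and the value names are all constructed sample data.

```python
"""Triage Windows autostart (Run key) values for RAT-style persistence.

Added example, not code from the Cyware briefing or from DarkComet. The
registry values and the environment map below are constructed sample data;
on a live host you would enumerate
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run (and the HKLM copy)
with the standard-library winreg module and feed each value through assess().
"""
import re

# Constructed environment of the sample host (assumption, not real telemetry).
ENV = {
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
    "LOCALAPPDATA": r"C:\Users\alice\AppData\Local",
    "TEMP": r"C:\Users\alice\AppData\Local\Temp",
    "TMP": r"C:\Users\alice\AppData\Local\Temp",
    "USERPROFILE": r"C:\Users\alice",
    "PROGRAMFILES": r"C:\Program Files",
    "SYSTEMROOT": r"C:\Windows",
}

# Locations an unprivileged user can write to; a RAT that drops a copy of
# itself and registers a Run value almost always lands somewhere in here.
USER_WRITABLE_ROOTS = (ENV["USERPROFILE"], r"C:\Users\Public", r"C:\Windows\Temp")

# Image names that belong under %SystemRoot%; the same name elsewhere is masquerading.
SYSTEM_IMAGE_NAMES = {"svchost.exe", "explorer.exe", "csrss.exe", "lsass.exe",
                      "winlogon.exe", "dllhost.exe", "conhost.exe"}


def expand_env(text: str) -> str:
    """Expand %VAR% references using the constructed ENV (case-insensitive)."""
    return re.sub(r"%([^%]+)%",
                  lambda m: ENV.get(m.group(1).upper(), m.group(0)), text)


def executable_path(cmdline: str) -> str:
    """Return the image path a Run value would launch.

    Mirrors how CreateProcess resolves the command line: a leading quote
    delimits the path exactly; an unquoted path is tried prefix by prefix
    at each space, so the shortest prefix ending in .exe wins.
    """
    cmd = expand_env(cmdline.strip())
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    parts = cmd.split(" ")
    for i in range(1, len(parts) + 1):
        candidate = " ".join(parts[:i])
        if candidate.lower().endswith(".exe"):
            return candidate
    return parts[0]


def _under(path: str, root: str) -> bool:
    return path.lower().startswith(root.lower().rstrip("\\") + "\\")


def assess(value_name: str, cmdline: str) -> list:
    """Return the findings for one Run value (empty list = nothing odd)."""
    exe = executable_path(cmdline)
    image = exe.rsplit("\\", 1)[-1].lower()
    findings = []
    if any(_under(exe, root) for root in USER_WRITABLE_ROOTS):
        findings.append("runs from user-writable location")
    if image in SYSTEM_IMAGE_NAMES and not _under(exe, ENV["SYSTEMROOT"]):
        findings.append("system binary name outside %SystemRoot%")
    return findings


# Constructed sample Run values: a mix of benign and suspicious entries.
SAMPLE_RUN_VALUES = {
    "SecurityHealth": r"%SystemRoot%\System32\SecurityHealthSystray.exe",
    "Vendor Updater": r"C:\Program Files\Vendor\updater.exe --silent",
    "Windows Update Helper": r'"%APPDATA%\WinUpdate\svchost.exe" -s',
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}


def triage(run_values: dict) -> dict:
    """Map each value name to its findings, keeping only values that have any."""
    return {name: hits for name, cmd in run_values.items() if (hits := assess(name, cmd))}
```

Run over the sample data, triage() flags "Windows Update Helper" on both rules and also flags the per-user OneDrive install on the location rule alone. That second hit is deliberate: plenty of legitimate software lives under the user profile, so the location check is a pivot for analysts, not an alert on its own; pair it with Authenticode signer or hash allowlisting before automating it.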

Hackers exploit RMM tools for malware

Researchers have uncovered an attack campaign that abuses legitimate RMM tools, specifically LogMeIn Resolve and PDQ Connect, to deploy backdoor malware. The attackers build convincing fake websites that mimic the official download pages of popular software and trick users into running malicious installers posing as applications such as Notepad++ and VLC Media Player. The installers silently set up the RMM agent, which hands the attackers remote access, and then deliver additional malware built for data theft. The end goal is to install PatoRAT, a backdoor capable of extensive data exfiltration and remote control: it collects detailed system information, logs keystrokes and captures the screen, letting the attackers keep control of the compromised system.

DanaBot resurfaces, infects Windows

DanaBot has reemerged after a six-month hiatus that followed the disruption of its operations by law enforcement in Operation Endgame in May 2025. Researchers have identified a new variant, version 669, whose C2 infrastructure relies on Tor domains and backconnect nodes. First seen as a Delphi-based banking trojan, DanaBot has evolved into a modular information stealer that targets credentials and cryptocurrency wallet data. Despite the crackdown, its operators have rebuilt the infrastructure. Infections typically start with malicious emails, SEO poisoning and malvertising campaigns.

Over 67,000 fake npm packages flood registry

A large-scale spam campaign dubbed "IndonesianFoods" has flooded the npm registry with more than 67,000 fake packages since early 2024. The financially motivated effort aims to clutter the registry rather than steal data. The bogus packages, which often masquerade as legitimate Next.js projects, carry a dormant JavaScript payload that only runs if executed manually, so it does not trigger automated detection that keys on install-time behavior. By listing one another as dependencies, the packages form a self-replicating network in which installing any one of them pulls in many others, driving an exponential increase in spam package downloads.
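The self-referencing dependency structure is what makes this campaign detectable from registry metadata alone, independent of the dormant payload. The script below is an added example, not code from the briefing or from any npm tooling: it builds a dependency graph from package metadata, finds cycles with Tarjan's strongly connected components, and flags cycles whose members mostly depend on each other rather than on the wider ecosystem. The package names and their dependency lists are constructed; in practice each dict would come from the "dependencies" object of a published version in the package's registry document.

```python
"""Find self-referential dependency rings among npm packages.

Added example, not code from the briefing or from any npm tooling. The
package metadata below is constructed to mimic the pattern described above
(packages that list each other as dependencies); in practice the dicts would
come from each package's registry document.
"""

DEP_FIELDS = ("dependencies", "devDependencies", "peerDependencies")

# Constructed sample: three spam packages forming a ring, plus two ordinary ones.
SAMPLE_PACKAGES = {
    "nasi-goreng-app": {"dependencies": {"sate-ayam-app": "^1.0.0",
                                         "rendang-app": "^1.0.0",
                                         "next": "14.0.0"}},
    "sate-ayam-app":   {"dependencies": {"rendang-app": "^1.0.0",
                                         "nasi-goreng-app": "^1.0.0"}},
    "rendang-app":     {"dependencies": {"nasi-goreng-app": "^1.0.0",
                                         "react": "^18.0.0"}},
    "tiny-util":       {"dependencies": {}},
    "my-site":         {"dependencies": {"next": "14.0.0", "react": "^18.0.0"}},
}


def declared_deps(meta: dict) -> set:
    """All package names a package declares, across the dependency fields."""
    return {dep for field in DEP_FIELDS for dep in meta.get(field, {})}


def build_graph(packages: dict) -> dict:
    """Directed graph restricted to the packages in this snapshot."""
    return {name: {d for d in declared_deps(meta) if d in packages}
            for name, meta in packages.items()}


def strongly_connected_components(graph: dict) -> list:
    """Tarjan's algorithm; every SCC of size >= 2 is a dependency cycle."""
    index, low, on_stack, stack, sccs = {}, {}, set(), [], []
    counter = 0

    def visit(v):
        nonlocal counter
        index[v] = low[v] = counter
        counter += 1
        stack.append(v)
        on_stack.add(v)
        for w in graph[v]:
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:
            comp = set()
            while True:
                w = stack.pop()
                on_stack.discard(w)
                comp.add(w)
                if w == v:
                    break
            sccs.append(frozenset(comp))

    for node in graph:
        if node not in index:
            visit(node)
    return sccs


def suspicious_clusters(packages: dict, min_size: int = 3, min_inward: float = 0.5) -> list:
    """Return (cluster, inward_ratio) for cycles whose members mostly depend on each other."""
    flagged = []
    for comp in strongly_connected_components(build_graph(packages)):
        if len(comp) < min_size:
            continue
        ratios = []
        for name in comp:
            deps = declared_deps(packages[name])
            if deps:
                ratios.append(len(deps & comp) / len(deps))
        inward = sum(ratios) / len(ratios) if ratios else 0.0
        if inward >= min_inward:
            flagged.append((comp, round(inward, 2)))
    return flagged
```

On the sample data the three food-named packages come back as one cluster with an inward ratio of 0.72, while the ordinary site and utility package are untouched. Legitimate monorepos also produce dependency cycles, which is why the ratio matters more than the cycle itself; raise min_inward or add a publisher-count check before acting on the output. The recursive Tarjan is fine for a few thousand nodes; at the scale of this campaign, convert visit() to an explicit stack or raise the recursion limit.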

Top Vulnerabilities Reported in the Last 24 Hours

Hackers exploit Citrix Bleed 2

Hackers exploited two critical vulnerabilities as zero-days to deploy custom malware: Citrix Bleed 2 (CVE-2025-5777) in Citrix NetScaler ADC and CVE-2025-20337 in Cisco Identity Services Engine (ISE). The attackers used Citrix Bleed 2 to gain unauthorized access and subsequently the Cisco ISE flaw to execute arbitrary code and deploy a stealthy web shell named 'IdentityAuditAction'. The web shell intercepted HTTP requests and used techniques that minimize forensic traces, which points to a well-resourced threat actor.

CISA adds WatchGuard Fireware bug to KEV catalog

CISA has added CVE-2025-9242, a critical vulnerability in WatchGuard Fireware OS, to its KEV catalog. The out-of-bounds write allows a remote, unauthenticated attacker to execute arbitrary code and affects multiple Fireware versions; internet scans show more than 54,000 exposed Firebox devices worldwide, about 18,500 of them in the U.S. The flaw stems from a missing length check during the IKE handshake, so attackers can reach the vulnerable code path before any authentication takes place. CISA also added CVE-2025-62215, a Windows kernel flaw, and CVE-2025-12480, an improper access control vulnerability in Gladinet Triofox, to the catalog.
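A missing length check in a pre-authentication IKE parser is a textbook pattern, so it is worth seeing what the check looks like. The parser below is an added example, not WatchGuard code and not the Fireware fix, and it makes no claim about which IKE payload was affected: it walks an IKEv2 payload chain using the header layout from RFC 7296 and refuses any payload whose declared length is shorter than its own header or longer than the bytes actually received, before anything is copied out of it. The messages it parses are constructed here.

```python
"""Bounds-checked walk of an IKEv2 payload chain.

Added example, not WatchGuard code and not the Fireware fix. It shows the
generic shape of the length check the briefing says was missing: every
payload's declared length is validated against the bytes actually received
before the payload body is touched. Layout follows the IKEv2 header and
generic payload header from RFC 7296; the messages below are constructed.
"""
import struct

IKE_HEADER_LEN = 28      # SPIi(8) SPIr(8) NextPayload(1) Version(1) Exchange(1) Flags(1) MsgID(4) Length(4)
PAYLOAD_HEADER_LEN = 4   # NextPayload(1) Critical/Reserved(1) PayloadLength(2)
NO_NEXT_PAYLOAD = 0
IKE_SA_INIT = 34
PT_SA, PT_KE, PT_NONCE = 33, 34, 40


class MalformedIKE(ValueError):
    """Raised instead of touching bytes the message does not cover."""


def parse_ikev2(msg: bytes) -> list:
    """Return [(payload_type, payload_body), ...] or raise MalformedIKE."""
    if len(msg) < IKE_HEADER_LEN:
        raise MalformedIKE("truncated IKE header")
    (_spi_i, _spi_r, next_payload, _version, _exchange,
     _flags, _msg_id, length) = struct.unpack("!QQBBBBII", msg[:IKE_HEADER_LEN])
    if length != len(msg):
        raise MalformedIKE(f"header length {length} != {len(msg)} bytes received")

    payloads = []
    offset = IKE_HEADER_LEN
    while next_payload != NO_NEXT_PAYLOAD:
        remaining = len(msg) - offset
        if remaining < PAYLOAD_HEADER_LEN:
            raise MalformedIKE(f"truncated payload header at offset {offset}")
        nxt, _crit, plen = struct.unpack("!BBH", msg[offset:offset + PAYLOAD_HEADER_LEN])
        # The pre-authentication check: the declared length must cover at least
        # its own header (a zero length would loop forever) and must not run
        # past the bytes we actually hold (in C this is where the copy overruns).
        if plen < PAYLOAD_HEADER_LEN or plen > remaining:
            raise MalformedIKE(
                f"payload type {next_payload} at offset {offset} declares "
                f"{plen} bytes but only {remaining} remain")
        payloads.append((next_payload, msg[offset + PAYLOAD_HEADER_LEN:offset + plen]))
        offset += plen
        next_payload = nxt
    if offset != len(msg):
        raise MalformedIKE(f"{len(msg) - offset} trailing bytes after last payload")
    return payloads


def build_ikev2(payloads: list, exchange_type: int = IKE_SA_INIT) -> bytes:
    """Encode a well-formed message from [(payload_type, body), ...]."""
    body = b""
    for i, (_ptype, data) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else NO_NEXT_PAYLOAD
        body += struct.pack("!BBH", nxt, 0, PAYLOAD_HEADER_LEN + len(data)) + data
    first = payloads[0][0] if payloads else NO_NEXT_PAYLOAD
    header = struct.pack("!QQBBBBII", 0x0123456789ABCDEF, 0, first, 0x20,
                         exchange_type, 0x08, 0, IKE_HEADER_LEN + len(body))
    return header + body


def with_payload_length(msg: bytes, payload_offset: int, new_len: int) -> bytes:
    """Overwrite one payload's declared length, leaving the outer header intact."""
    pos = payload_offset + 2
    return msg[:pos] + struct.pack("!H", new_len) + msg[pos + 2:]


# Constructed IKE_SA_INIT: SA, KE (DH group 14 header + dummy key), Nonce.
GOOD_MSG = build_ikev2([
    (PT_SA, b"\x00" * 8),
    (PT_KE, struct.pack("!HH", 14, 0) + b"A" * 32),
    (PT_NONCE, b"N" * 16),
])
# Same bytes, but the KE payload (which starts at offset 40) claims 0xFFFF bytes
# while the outer header still agrees with the real size.
BAD_MSG = with_payload_length(GOOD_MSG, 40, 0xFFFF)


def is_well_formed(msg: bytes) -> bool:
    try:
        parse_ikev2(msg)
        return True
    except MalformedIKE:
        return False
```

The interesting case is BAD_MSG: the outer header length is consistent with the datagram, so a parser that validates only the top-level length and trusts each payload's own length field would read (or in C, memcpy) 65,535 bytes from a 100-byte buffer. Checking the per-payload length against the remaining bytes, and rejecting lengths below four, is the whole fix in this pattern.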

