Daily Threat Briefing
Diamond Trail

Cyware Daily Threat Intelligence, November 14, 2025


This new ransomware doesn't just encrypt; it first checks how much power it can use. The Kraken ransomware is targeting both Windows and Linux/VMware ESXi systems, employing a unique performance benchmark to encrypt files efficiently without overloading the machine.

A dangerous ransomware gang is expanding its list of victims. CISA is warning that the Akira ransomware group, which previously focused on VMware, is now actively encrypting Nutanix AHV virtual machines. The attackers are exploiting vulnerabilities and deleting backups to ensure their encryption of .qcow2 files is devastating.

Hackers are walking right in the front door of vulnerable Fortinet devices. A critical path traversal vulnerability in Fortinet FortiWeb is being actively exploited to create unauthorized administrator accounts. The flaw allows attackers to gain full control of a device with a simple HTTP request, and it requires no authentication to work.

Top Malware Reported in the Last 24 Hours

Kraken ransomware optimizes encryption process

Kraken ransomware has been targeting Windows and Linux/VMware ESXi systems, employing a unique performance benchmarking method to optimize data encryption without overloading the machines. This ransomware, a continuation of the HelloKitty operation, conducts double extortion attacks by stealing data and demanding ransom payments. It gains initial access by exploiting SMB vulnerabilities, extracting admin credentials, and using tools like Cloudflare and SSHFS for lateral movement and data exfiltration. Kraken features specialized encryption modules for SQL databases, network shares, local drives, and virtual machines, utilizing multi-threaded processes to enhance efficiency. After encrypting files, it executes a script to delete logs and traces, leaving a ransom note that demands payment in Bitcoin.

Akira ransomware encrypts Nutanix VMs

CISA and other U.S. agencies have issued a warning about the Akira ransomware, which has started encrypting Nutanix AHV virtual machines. Initially targeting VMware ESXi and Hyper-V, Akira has expanded its reach by exploiting vulnerabilities like CVE-2024-40766 in SonicWall. The ransomware primarily encrypts .qcow2 files, a format used by Nutanix AHV. Akira actors gain access to corporate networks through stolen or brute-forced VPN and SSH credentials, and they exploit unpatched Veeam Backup & Replication servers to delete backups. Within compromised networks, they utilize various tools for reconnaissance and lateral movement, while also establishing persistence. Notably, the group has been able to exfiltrate data rapidly, utilizing tunneling tools such as Ngrok for encrypted communication.

Fake Chrome extension steals Ethereum wallets

A malicious Chrome extension called "Safery: Ethereum Wallet" has been discovered, masquerading as a legitimate Ethereum wallet while secretly exfiltrating users' seed phrases. Uploaded to the Chrome Web Store on September 29, and updated recently, it remains available for download. The extension employs a backdoor to steal wallet mnemonic phrases by encoding them as fake Sui wallet addresses. It sends microtransactions from a hard-coded attacker-controlled wallet, allowing the threat actor to monitor the blockchain and reconstruct the original seed phrases.

Top Vulnerabilities Reported in the Last 24 Hours

Actively exploited Fortinet FortiWeb bug

A critical path traversal vulnerability in Fortinet FortiWeb has been actively exploited, allowing threat actors to create unauthorized administrative accounts on exposed devices without authentication. This flaw, affecting versions 8.0.1 and earlier, was first identified by threat intelligence company Defused on October 6. Attackers send crafted HTTP POST requests to a specific endpoint, resulting in the creation of admin accounts with various usernames and passwords. Security researchers confirmed the exploit and demonstrated its execution. Despite the vulnerability being patched in version 8.0.2, reports indicate a surge in attacks originating from multiple IP addresses, raising concerns about the security of vulnerable devices in the wild.

Critical auth bypass flaw in ASUS routers

ASUS has issued a critical firmware update to address an authentication bypass vulnerability (CVE-2025-59367) affecting several models in its DSL series routers, including DSL-AC51, DSL-N16, and DSL-AC750. This flaw allows remote, unauthenticated attackers to gain access to unpatched devices, posing significant security risks. Although ASUS has released firmware version 1.1.2.3_1010 to rectify this issue, there are concerns about potential exploitation, as attackers frequently target router vulnerabilities to create botnets for DDoS attacks.
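As an added defender-side example (not from Cyware or either vendor), the following Python triages a constructed device inventory against the fixed versions named in the two advisories above: FortiWeb 8.0.2 and ASUS DSL-series firmware 1.1.2.3_1010. It assumes vendor version strings compare ordinally once split on dots and underscores; the hostnames and installed versions are constructed.

```python
import re

# Fixed versions as stated in the briefing: FortiWeb 8.0.2 and ASUS
# DSL-series firmware 1.1.2.3_1010. Anything sorting below the fix is
# treated as affected (the briefing states 8.0.1 and earlier for
# FortiWeb; for ASUS "below the fixed build" is an assumption).
FIXED_VERSIONS = {
    "fortiweb": "8.0.2",
    "asus-dsl": "1.1.2.3_1010",
}


def parse_version(version: str) -> tuple:
    """Split '1.1.2.3_1010' or '8.0.1' into an integer tuple for ordinal
    comparison. Dots and underscores are both separators (assumption);
    non-numeric components are dropped."""
    parts = re.split(r"[._]", version.strip())
    return tuple(int(p) for p in parts if p.isdigit())


def _padded(a: tuple, b: tuple):
    # Pad the shorter tuple with zeros so '1.1.2.3' compares as '1.1.2.3_0'.
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)), b + (0,) * (width - len(b))


def is_affected(product: str, version: str) -> bool:
    """True when the installed version sorts below the fixed version."""
    installed, fixed = _padded(parse_version(version),
                               parse_version(FIXED_VERSIONS[product]))
    return installed < fixed


def triage(inventory):
    """Return hostnames whose (product, version) still need the update."""
    return [host for host, product, version in inventory
            if is_affected(product, version)]


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = [
    ("waf-edge-01", "fortiweb", "8.0.1"),
    ("waf-edge-02", "fortiweb", "8.0.2"),
    ("waf-lab", "fortiweb", "7.6.3"),
    ("dsl-branch-a", "asus-dsl", "1.1.2.3_1009"),
    ("dsl-branch-b", "asus-dsl", "1.1.2.3_1010"),
    ("dsl-branch-c", "asus-dsl", "1.1.2.3"),
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: update required")
```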

