Cyware Daily Threat Intelligence, November 17, 2025

Attackers are digging deep into the computing history books to find new weapons. A decades-old Finger protocol, originally for Unix systems, is now being exploited in ClickFix malware attacks to execute commands on modern Windows devices and deliver remote access trojans.
A promising job offer on LinkedIn could be a sophisticated trap. North Korean hackers are running the Contagious Interview campaign, posing as recruiters to trick software developers. They are now using legitimate JSON storage services to deliver their malware, including the BeaverTail infostealer and the InvisibleFerret backdoor.
Some of the most critical security flaws are met with silence. CISA is warning about severe vulnerabilities in the Lynx+ Gateway used in industrial settings, including a 10.0-rated flaw that allows for unauthenticated device resets.
Top Malware Reported in the Last 24 Hours
ClickFix malware abuses Finger protocol
The decades-old Finger protocol, originally designed for retrieving user information on Unix and Linux systems, is being exploited in ClickFix malware attacks to execute commands on Windows devices. Threat actors use the protocol to deliver malicious scripts by tricking users into running commands that retrieve and execute harmful payloads. Recent campaigns have seen attackers impersonate verification prompts, luring victims into executing commands that download malware disguised as legitimate files. These tactics include using the 'finger' command to fetch and run scripts, which can lead to the installation of remote access tools such as the NetSupport Manager RAT.
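As an added illustration (not part of the Cyware report), a small Python triage check that runs over constructed process-creation events and flags the fetch-and-execute pattern described above; the event fields mimic Sysmon's Image/CommandLine/ParentImage, and the host and user values are placeholders.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style, simplified).
# They are illustrative only, not captured from a real incident.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\finger.exe",
     "CommandLine": "finger user@203.0.113.10",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c finger user@203.0.113.10 | cmd",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe report.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# finger / finger.exe appearing as a token in the command line.
FINGER_RE = re.compile(r"""(^|[\s"'\\])finger(\.exe)?(\s|$)""", re.IGNORECASE)
# Output of finger piped or redirected into an interpreter: the fetch-and-run pattern.
PIPE_TO_SHELL_RE = re.compile(r"[|>]\s*(cmd|powershell|pwsh|wscript|cscript|mshta)",
                              re.IGNORECASE)


def classify(event):
    """Return 'high', 'medium' or 'none' for one process-creation event."""
    cmd = event.get("CommandLine", "")
    image = event.get("Image", "").lower()
    uses_finger = image.endswith("\\finger.exe") or bool(FINGER_RE.search(cmd))
    if not uses_finger:
        return "none"
    # finger output handed to a shell is consistent with ClickFix-style execution.
    if PIPE_TO_SHELL_RE.search(cmd):
        return "high"
    # Bare finger use is rare on modern Windows: worth an analyst review, not an alert.
    return "medium"


def find_suspicious(events):
    """Return (severity, command line) pairs for every event that is not benign."""
    hits = []
    for event in events:
        severity = classify(event)
        if severity != "none":
            hits.append((severity, event.get("CommandLine", "")))
    return hits
```

In production the same two conditions map onto a Sysmon or EDR process-creation query; the severity split keeps legitimate administrative finger use out of the alert queue.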
RondoDox exploits XWiki servers
The RondoDox botnet is exploiting a vulnerability (CVE-2025-24893) on unpatched XWiki servers, which allows attackers to execute arbitrary code remotely. This critical flaw, identified as an eval injection bug, was patched in February but has been actively targeted by threat actors since March. Recent reports indicate a significant increase in exploitation attempts, particularly in November, as multiple attackers began leveraging the vulnerability to incorporate more devices into the botnet. RondoDox not only facilitates DDoS attacks but also deploys cryptocurrency miners and establishes reverse shells.
North Korean hackers exploit JSON services
North Korean hackers involved in the Contagious Interview campaign have adapted their tactics by utilizing JSON storage services to deliver malware. They target software developers through professional networking platforms like LinkedIn, presenting themselves as potential employers or collaborators. This approach often leads victims to download malicious code hosted on sites such as GitHub and GitLab. One notable payload is BeaverTail, a JavaScript malware that collects sensitive data and deploys a Python backdoor called InvisibleFerret. The backdoor has been updated to retrieve additional payloads like TsunamiKit, which can perform system fingerprinting and data collection. By using legitimate services and repositories, these threat actors aim to operate discreetly while exfiltrating sensitive information, including cryptocurrency wallet details, from unsuspecting targets.
Top Vulnerabilities Reported in the Last 24 Hours
Critical Cisco vulnerability allows privilege escalation
A critical security vulnerability (CVE-2025-20341) has been identified in the Cisco Catalyst Center Virtual Appliance, which runs on VMware ESXi. This flaw allows authenticated remote attackers with at least Observer role credentials to escalate their privileges to Administrator. By submitting crafted HTTP requests, these attackers can make unauthorized modifications to the system, including creating new user accounts and elevating their own privileges. The vulnerability exclusively affects Catalyst Center Virtual Appliances, while hardware appliances and those deployed on AWS are not impacted. Cisco has confirmed that versions earlier than 2.3.7.3-VA and version 3.1 are safe, but later versions require urgent upgrades to address this issue.
CISA warns of Lynx+ Gateway flaws
CISA has issued a warning about critical vulnerabilities in the Lynx+ Gateway manufactured by General Industrial Controls (GIC). These vulnerabilities include weak password requirements (CVE-2025-55034, CVSS 8.2), missing authentication for critical functions (CVE-2025-58083, CVSS 10.0), and cleartext transmission of sensitive information (CVE-2025-62765, CVSS 7.5). Successful exploitation could lead to unauthorized access, device resets, and exposure of sensitive data. The impacted versions, commonly used in industrial settings, are R08, V03, V05, and V18. Notably, GIC did not respond to CISA's attempts at coordinated disclosure, raising concerns about the security of devices relying on this technology.