Cyware Daily Threat Intelligence, November 18, 2025

Proving you are not a robot has become a dangerous trap in a new malware campaign known as EVALUSION. Attackers are using the "ClickFix" tactic to trick users into running malicious commands via fake reCAPTCHA checks, leading to infection with Amatera Stealer and the NetSupport RAT.
This malware doesn't just hide from antivirus software; it actively hunts it down and kills it. Dragon Breath is using a new loader named RONINGLOADER to deploy a modified Gh0st RAT, specifically targeting Chinese-speaking users through trojanized installers.
Google is racing to patch the engine that powers the web after discovering yet another actively exploited zero-day. The company has released urgent updates for Chrome to fix a critical type confusion vulnerability (CVE-2025-13223) in the V8 JavaScript engine.
Top Malware Reported in the Last 24 Hours
Seven npm packages exploit Adspect cloaking
Cybersecurity researchers uncovered seven malicious npm packages, published by a threat actor known as "dino_reborn," that use Adspect cloaking to lure victims to crypto scam sites. The packages, released between September and November, carry a 39 kB piece of malware that fingerprints the system and blocks developer tools, hindering analysis. One package, "signals-embed," is a decoy with no malicious functionality, while the others redirect victims through a fake CAPTCHA to fraudulent cryptocurrency pages. Adspect is a cloaking service that markets itself as protection against unwanted traffic and allows unrestricted advertising.
New ClickFix campaign deploys malware
Cybersecurity researchers have uncovered a new malware campaign, known as EVALUSION, that uses the ClickFix social engineering tactic to distribute Amatera Stealer and NetSupport RAT. First identified in June, Amatera is an evolution of ACR Stealer and is sold through subscription plans. The stealer targets sensitive data from cryptocurrency wallets, browsers, and messaging applications while employing sophisticated evasion techniques to bypass security controls. Victims are tricked into executing malicious commands via fake reCAPTCHA checks, leading to the download of a .NET payload. The Amatera DLL is injected into the "MSBuild.exe" process to harvest data and, depending on the victim's system attributes, deploy NetSupport RAT.
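A defender-side triage check for the last step of that chain, added here as an example (not Cyware's or any vendor's code): it scores MSBuild.exe process-creation events by whether they look like a real build, using constructed sample events and an assumed list of legitimate parent processes.

```python
from dataclasses import dataclass

# Added example, not Cyware's or any vendor's code. Assumptions: the parent
# lists below are typical for a Windows dev host and must be tuned per fleet.
LEGIT_MSBUILD_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe"}
USER_SHELL_PARENTS = {"powershell.exe", "cmd.exe", "mshta.exe", "explorer.exe"}
PROJECT_EXTS = (".csproj", ".vbproj", ".sln", ".proj", ".targets")

@dataclass
class ProcEvent:          # Sysmon-style process-creation fields
    image: str
    command_line: str
    parent_image: str

def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def score_msbuild_launch(ev: ProcEvent) -> list[str]:
    """Reasons this MSBuild launch looks unlike a build (empty = benign).
    A real build names a project/solution file and is started by a build
    tool; MSBuild run bare from a user shell is the ClickFix-shaped case."""
    if basename(ev.image) != "msbuild.exe":
        return []
    reasons = []
    parent = basename(ev.parent_image)
    if not any(ext in ev.command_line.lower() for ext in PROJECT_EXTS):
        reasons.append("no project/solution file on the command line")
    if parent in USER_SHELL_PARENTS:
        reasons.append(f"spawned by user shell {parent}")
    elif parent not in LEGIT_MSBUILD_PARENTS:
        reasons.append(f"unusual parent {parent}")
    return reasons

def triage(events: list[ProcEvent]) -> list[tuple[ProcEvent, list[str]]]:
    return [(ev, r) for ev in events if (r := score_msbuild_launch(ev))]

# Constructed sample telemetry; paths are illustrative, not campaign IoCs.
MSBUILD = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
SAMPLE = [
    ProcEvent(MSBUILD, r"MSBuild.exe C:\src\app\app.csproj /t:Build",
              r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"),
    ProcEvent(MSBUILD, "MSBuild.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcEvent(r"C:\Windows\System32\notepad.exe", "notepad.exe", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for ev, reasons in triage(SAMPLE):
        print(ev.command_line, "->", "; ".join(reasons))
```

MSBuild can legitimately be run without a project argument from a directory that contains one, so treat the missing-project signal as weak on its own and weight the parent-process signal more heavily.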
Dragon Breath uses RONINGLOADER, drops Gh0st RAT
Dragon Breath employs RONINGLOADER to deploy a modified Gh0st RAT, targeting Chinese-speaking users through trojanized NSIS installers. The malware uses advanced evasion techniques to disable endpoint security tools, including Microsoft Defender and Qihoo 360 Total Security. RONINGLOADER carries out a complex sequence of actions, such as tampering with system processes, injecting shellcode, and leveraging signed drivers to terminate security processes. The loader bypasses User Account Control (UAC) and manipulates firewall settings to block security software connections. Gh0st RAT gives the operator remote control of infected systems, including registry modifications, event log clearing, keystroke capture, and payload execution.
Top Vulnerabilities Reported in the Last 24 Hours
Google patches critical Chrome zero-day
Google has released security updates for its Chrome browser to address two significant vulnerabilities, including the actively exploited zero-day flaw CVE-2025-13223. This vulnerability, identified as a type confusion issue in the V8 JavaScript engine, could allow remote attackers to execute arbitrary code or cause program crashes through specially crafted HTML pages. This flaw is the third type confusion bug found in V8 this year. Additionally, another type confusion vulnerability (CVE-2025-13224) was patched. With these updates, Google has now addressed seven zero-day vulnerabilities in Chrome since the beginning of the year.
W3 Total Cache vulnerability threatens websites
A critical security vulnerability (CVE-2025-9501) has been discovered in the W3 Total Cache WordPress plugin, affecting over 1 million websites. This flaw, present in versions prior to 2.8.13, allows attackers to execute arbitrary PHP code without authentication by embedding malicious code in comments on WordPress posts. Once exploited, the vulnerability grants attackers full control over the affected sites, enabling them to steal sensitive data, install malware, deface websites, or redirect visitors to malicious pages. The vulnerability was publicly disclosed on October 27, giving potential attackers a three-week window to exploit unpatched installations.