Cyware Daily Threat Intelligence, November 19, 2025

Images are no longer just pictures; they are becoming sophisticated hiding spots for dangerous code. An updated .NET loader is using advanced steganography to conceal the Lokibot malware inside seemingly harmless image files to evade detection. This technique allows the infostealer to bypass security scanners and harvest sensitive data.
That familiar login pop-up might be a high-tech illusion designed to steal your credentials. A new phishing kit called Sneaky 2FA is using Browser-in-the-Browser technology to create realistic fake windows that trick users into handing over their Microsoft account details.
Even lower-rated vulnerabilities can become major threats when attackers are already active in the wild. Fortinet has revealed that a medium-severity flaw in its FortiWeb product is currently being exploited to execute unauthorized operating system commands.
Top Malware Reported in the Last 24 Hours
Updated steganography loader delivers Lokibot
An updated .NET steganography loader has emerged, using advanced evasion techniques to deliver Lokibot malware. The loader disguises itself as a legitimate document and uses steganography to conceal its malicious payloads within image files. A built-in module decrypts and loads additional components at runtime, which complicates static detection. The Splunk Threat Research Team extracted the hidden payloads with their PixDig tool, revealing Lokibot, an information stealer that targets Windows and Android systems. Lokibot harvests sensitive data, including credentials and cryptocurrency wallets, using a range of techniques mapped to the MITRE ATT&CK framework: it manipulates access tokens to obtain elevated privileges, injects itself into other processes to evade detection, and creates scheduled tasks for persistence.
New ShadowRay attacks turn clusters into miners
A global campaign known as ShadowRay 2.0 exploits a critical vulnerability in Ray clusters, turning them into a self-propagating cryptomining botnet. The threat actor, identified as IronErn440, uses AI-generated payloads to compromise vulnerable Ray infrastructure reachable from the public internet. This campaign follows an earlier one that ran from September 2023 to March 2024; both leverage the same unpatched flaw, CVE-2023-48022. Researchers from Oligo found that the attacks go beyond cryptocurrency mining to include data and credential theft and the launching of DDoS attacks. Over 230,000 Ray servers are now exposed online. The malicious payloads submit jobs to Ray’s unauthenticated Jobs API, which lets the malware spread across clusters while relying on deceptive tactics to stay stealthy.
Sneaky 2FA phishing kit evolves tactics
A new phishing kit known as Sneaky 2FA has integrated Browser-in-the-Browser (BitB) functionality to enhance its attacks on Microsoft account credentials. This technique creates realistic pop-up windows that mimic legitimate login pages, effectively deceiving users into entering their information. The attackers employ bot protection measures, such as CAPTCHA and Cloudflare Turnstile, to filter out security tools and target specific victims. Additionally, they utilize conditional loading and obfuscation techniques to evade detection. Research indicates that these threat actors also exploit vulnerabilities in passkey authentication systems through malicious browser extensions, allowing them to intercept and manipulate login processes.
Top Vulnerabilities Reported in the Last 24 Hours
Actively exploited Fortinet FortiWeb bug
Fortinet has revealed a medium-severity vulnerability in its FortiWeb product, tracked as CVE-2025-58034, which has already been exploited in the wild. The vulnerability, rated with a CVSS score of 6.7, allows authenticated attackers to execute unauthorized operating system commands through specially crafted HTTP requests or CLI commands. Successful exploitation requires prior authentication, so an attacker who has already obtained access can chain this vulnerability to gain further control of the device. Fortinet has released patches for the affected FortiWeb versions and stresses the importance of updating to the latest versions to mitigate the risk.
Cisco Catalyst Center flaw enables privilege escalation
A critical vulnerability, identified as CVE-2025-20341, has been discovered in the Cisco Catalyst Center Virtual Appliance, allowing authenticated remote attackers to escalate their privileges to Administrator. This flaw arises from insufficient validation of user-supplied input and affects only the appliance running on VMware ESXi. Attackers with at least Observer-level credentials can exploit this vulnerability by submitting crafted HTTP requests, enabling them to make unauthorized modifications, such as creating new user accounts or elevating their privileges. This risk is significant because it does not require initial Administrator access, broadening the attack surface for organizations utilizing this infrastructure. Cisco has confirmed that versions earlier than 2.3.7.3-VA and version 3.1 are not affected, while those needing an upgrade must transition to at least version 2.3.7.10-VA to address the vulnerability.