Cyware Daily Threat Intelligence, November 20, 2025

A message from a friend might actually be an automated trap designed to empty your bank account. A new campaign is targeting Brazilian users with a WhatsApp worm that spreads the Eternidade Stealer. Once installed, it lies in wait for users to open banking or crypto apps to steal their sensitive financial data.
Cyber spies are corrupting the very mechanism meant to keep software secure: the update process. A China-aligned group named PlushDaemon is using a new backdoor called EdgeStepper to redirect legitimate software update traffic to malicious servers via DNS hijacking.
That quiet router in the corner of the office may have been recruited into a massive global spy network. A campaign dubbed Operation WrtHug has compromised tens of thousands of ASUS routers worldwide by exploiting known vulnerabilities in older, unpatched devices.
Top Malware Reported in the Last 24 Hours
TamperedChef malware spreads via fake installers
In a sophisticated global malvertising effort known as TamperedChef, cybercriminals are exploiting fake software installers to deploy JavaScript malware that provides remote access to compromised systems. This campaign relies heavily on social engineering tactics, utilizing familiar application names and optimizing search engine results to lure unsuspecting users into downloading malicious software. The attackers enhance the credibility of their counterfeit applications by signing them with code-signing certificates obtained from shell companies. Once installed, the malware establishes a backdoor to gather machine metadata, potentially leading to advertising fraud or data theft. Sectors such as healthcare, construction, and manufacturing have been particularly hard-hit, with a notable concentration of infections in the U.S. Users searching for product manuals online are especially at risk.
WhatsApp worm drops Eternidade Stealer
A new cyber campaign is targeting Brazilian users through a WhatsApp worm that distributes the Delphi-based banking trojan, Eternidade Stealer. This malware utilizes a Python script to hijack WhatsApp accounts and send malicious attachments to victims’ contacts. The attack begins with an obfuscated Visual Basic Script that drops a batch script, leading to the deployment of the trojan. Eternidade Stealer scans for strings related to banking applications and cryptocurrency wallets, activating only when these apps are opened. It communicates with C2 servers using email tactics for updates and persistence, enabling attackers to record keystrokes, capture screenshots, and steal sensitive files.
EdgeStepper implant hijacks DNS for malware
PlushDaemon, a China-aligned cyber threat actor, has been using a new Go-based backdoor called EdgeStepper to conduct adversary-in-the-middle (AitM) attacks by hijacking DNS queries. This malware redirects legitimate software update traffic to malicious servers, enabling the deployment of harmful payloads like LittleDaemon, which subsequently downloads the more advanced SlowStepper backdoor. Active since at least 2018, PlushDaemon has targeted various sectors, including semiconductor, automotive, and electronics companies, across multiple countries including the U.S. and South Korea. SlowStepper is particularly versatile, capable of gathering system information, extracting credentials, and executing commands, making it a significant threat in global cyber espionage efforts.
Top Vulnerabilities Reported in the Last 24 Hours
Actively exploited 7-Zip bug
Hackers are actively exploiting a newly disclosed vulnerability in 7-Zip, identified as CVE-2025-11001, which allows remote code execution through symbolic links in ZIP files. This security flaw, with a CVSS score of 7.0, affects users who have not updated to 7-Zip version 25.00. The vulnerability enables attackers to execute arbitrary code by manipulating crafted data in ZIP files, potentially leading to unauthorized access. Additionally, another vulnerability, CVE-2025-11002, also patched in the latest version, involves improper handling of symbolic links that can result in directory traversal. Active exploitation of CVE-2025-11001 has been observed in the wild, although details regarding the attackers and the methods used remain unclear.
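A pre-extraction audit for the archive conditions described above (symlink entries, path traversal, and entries routed through an earlier symlink) is shown below as an added example using only Python's standard library; it is not code from the page or from 7-Zip, and the sample archive is constructed inline for illustration.

```python
import io
import stat
import zipfile


def entry_mode(info: zipfile.ZipInfo) -> int:
    # Unix type/permission bits live in the high 16 bits of external_attr.
    return info.external_attr >> 16


def is_traversal(name: str) -> bool:
    # Absolute paths, drive letters and ".." components escape the extraction root.
    norm = name.replace("\\", "/")
    return norm.startswith("/") or ".." in norm.split("/") or (len(norm) > 1 and norm[1] == ":")


def audit_zip(data: bytes) -> list:
    """Return (entry, reason) pairs for entries that must not be extracted blindly."""
    findings = []
    symlink_dirs = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")
            if is_traversal(name):
                findings.append((name, "path traversal"))
            if stat.S_ISLNK(entry_mode(info)):
                target = zf.read(info).decode("utf-8", "replace")
                findings.append((name, f"symlink -> {target}"))
                symlink_dirs.append(name.rstrip("/") + "/")
                continue
            # A later entry placed under an earlier symlink lands wherever the link points.
            for link in symlink_dirs:
                if name.startswith(link):
                    findings.append((name, f"written through symlink {link.rstrip('/')}"))
    return findings


def build_sample_zip() -> bytes:
    # Constructed sample archive (not a real capture): one benign file, one symlink
    # entry pointing outside the archive, and one file whose path goes through it.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "benign content")
        link = zipfile.ZipInfo("docs")
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "../../outside")
        zf.writestr("docs/payload.txt", "would land outside the extraction root")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in audit_zip(build_sample_zip()):
        print(f"{entry}: {reason}")
```

Running the audit before any extraction, and refusing archives with findings, removes the class of symlink-based traversal the two CVEs describe regardless of which extractor handles the file afterwards.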
New campaign exploits EoL ASUS routers
A global espionage campaign, Operation WrtHug, has compromised thousands of ASUS routers worldwide using known vulnerabilities. Attackers exploited six specific vulnerabilities, including CVE-2023-39780 and CVE-2025-2492, to target ASUS AiCloud services and gain high-level privileges on devices. Over 50,000 compromised devices were identified, with a unique self-signed TLS certificate used as an indicator of compromise. The campaign is suspected to be run by China-linked actors as part of a larger state-sponsored initiative to establish global espionage networks. The attackers’ methods include multi-stage infections and the exploitation of n-day (already disclosed and patched) vulnerabilities, focusing on EoL devices and legacy software.