Daily Threat Briefing

Cyware Daily Threat Intelligence, November 21, 2025

A backdoor has been quietly planted on Windows systems for three years. China-linked APT24 has been deploying a previously undocumented malware family called BadAudio in a long-running espionage campaign. The group used everything from fake software update prompts on compromised websites to a breached digital marketing firm, whose tampered libraries reached more than 1,000 domains, to deliver the heavily obfuscated backdoor.

The UNC2891 group has been caught running a sophisticated multi-year ATM fraud campaign targeting Indonesian banks. By physically implanting small computers into ATMs and deploying the CAKETAP malware, the gang managed to bypass PIN verification and clone cards on a massive scale.

An unauthenticated remote attacker can knock some of the most widely deployed firewalls offline. A high-severity vulnerability has been found in SonicWall's SonicOS SSLVPN service. The flaw lets an attacker with no credentials trigger a stack-based buffer overflow and crash Gen7 and Gen8 firewalls remotely, a denial of service rather than code execution.

Top Malware Reported in the Last 24 Hours

BadAudio malware used in espionage campaign

China-linked APT24 hackers have been using the previously undocumented BadAudio malware in a three-year espionage campaign targeting Windows systems. Since 2022, they have employed spearphishing, supply-chain compromises, and watering hole attacks to deliver the malware. APT24 compromised over 20 legitimate websites to inject malicious JavaScript that lured visitors into downloading BadAudio through fake software update prompts. Separately, they compromised a digital marketing company in Taiwan and injected malicious code into widely used libraries it served, affecting over 1,000 domains. The malware is heavily obfuscated and is loaded via DLL search order hijacking, which lets it execute under a legitimate, often signed, host process and helps it evade detection. Once activated, BadAudio collects system information and communicates with a C2 server to download further payloads.
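The briefing names DLL search order hijacking as BadAudio's loading technique but not the DLL involved, so a practical hunt starts from the generic pattern: a DLL carrying a well-known system DLL name, loaded from somewhere other than the Windows system directories, typically sitting beside the executable that loaded it. The script below is an added example, not code from the briefing or from any vendor report. It runs a detection over Sysmon Event ID 7 (image loaded) records; the watchlist of DLL names, the trusted-directory list, the simple key: value export format and the three sample events are all constructed for illustration and are not indicators from the campaign.

```python
"""Flag DLL search-order hijacking candidates in Sysmon Event ID 7 records.

Added example for the BadAudio item above; not the briefing's or any vendor's
code. Watchlist, trusted directories, log format and sample events are
constructed assumptions, not indicators taken from the campaign.
"""
import ntpath
import re
from dataclasses import dataclass

# Directories where a system DLL with one of these names is expected to live.
# Assumption: default Windows layout; extend for non-standard installs.
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\windows\winsxs",
)

# Generic watchlist of system DLL names commonly planted beside an executable
# for search-order hijacking. Constructed for this example; the briefing does
# not name the DLL BadAudio abuses.
WATCHLIST = {
    "version.dll", "dbghelp.dll", "wininet.dll", "cryptbase.dll",
    "userenv.dll", "profapi.dll", "dwmapi.dll", "uxtheme.dll",
}


@dataclass(frozen=True)
class Finding:
    process: str
    dll: str
    reason: str


def _norm(path: str) -> str:
    """Normalise separators and case so path comparisons are stable."""
    return path.replace("/", "\\").lower()


def is_trusted_location(dll_path: str) -> bool:
    """True only if the DLL sits directly under one of the trusted directories."""
    p = _norm(dll_path)
    return any(p.startswith(d + "\\") for d in TRUSTED_DIRS)


def analyse(events):
    """Return a Finding for every watchlisted DLL loaded from an untrusted path."""
    findings = []
    for ev in events:
        if ev.get("EventID") != "7":
            continue
        image, loaded = ev["Image"], ev["ImageLoaded"]
        name = ntpath.basename(_norm(loaded))
        if name not in WATCHLIST or is_trusted_location(loaded):
            continue
        reasons = ["watchlisted DLL loaded outside System32/SysWOW64"]
        # Sysmon records Signed and SignatureStatus; a system-named DLL that is
        # unsigned or fails validation is the strongest single indicator.
        signed = ev.get("Signed", "false").lower() == "true"
        if not signed or ev.get("SignatureStatus", "") != "Valid":
            reasons.append("not validly signed")
        # Same directory as the host process: the classic side-loading layout.
        if ntpath.dirname(_norm(loaded)) == ntpath.dirname(_norm(image)):
            reasons.append("co-located with host executable")
        findings.append(Finding(image, loaded, "; ".join(reasons)))
    return findings


def parse_sysmon_lines(text):
    """Parse a minimal 'Key: Value' per-line export, events separated by blank
    lines. This format is constructed for the example, not Sysmon's native XML."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        ev = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            ev[key.strip()] = value.strip()
        if ev:
            events.append(ev)
    return events


# Constructed sample: one side-loaded version.dll next to a fake updater, one
# legitimate load from System32, one vendor DLL that is not on the watchlist.
SAMPLE_LOG = """\
EventID: 7
Image: C:\\Users\\alice\\AppData\\Local\\Temp\\update\\updater.exe
ImageLoaded: C:\\Users\\alice\\AppData\\Local\\Temp\\update\\version.dll
Signed: false
SignatureStatus: Unavailable

EventID: 7
Image: C:\\Program Files\\Vendor\\app.exe
ImageLoaded: C:\\Windows\\System32\\version.dll
Signed: true
SignatureStatus: Valid

EventID: 7
Image: C:\\Program Files\\Vendor\\app.exe
ImageLoaded: C:\\Program Files\\Vendor\\helper.dll
Signed: true
SignatureStatus: Valid
"""

if __name__ == "__main__":
    for f in analyse(parse_sysmon_lines(SAMPLE_LOG)):
        print(f"{f.process} loaded {f.dll}: {f.reason}")
```

The rule deliberately keys on the DLL's name and location rather than on a hash, because the hijacked DLL is attacker-controlled and changes per campaign while the legitimate name it impersonates does not. Tune the watchlist to the system DLL names your own telemetry shows being loaded from user-writable paths, and treat an unsigned match co-located with a recently written executable as the highest-priority hit.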

New Sturnus trojan targets messaging apps

A new Android banking trojan named Sturnus has been targeting encrypted messaging platforms such as Signal, WhatsApp, and Telegram. The malware captures message content from the device screen after the app has decrypted it, so the platforms' end-to-end encryption is not broken but is rendered moot on an infected handset. Sturnus uses its own encryption for communication with its C2 server and abuses Android's Accessibility services to monitor user activity in real time. Infection typically occurs through malicious APK files disguised as legitimate applications. Once installed, Sturnus gains extensive control over the device, including the ability to display fake overlays that conceal its actions, such as transferring money or approving transactions.

Extensive ATM fraud campaign revealed

Cybersecurity researchers have uncovered a multi-year ATM fraud campaign by the UNC2891 group targeting two Indonesian banks. The operation involved recruiting money mules, creating cloned cards, and physically implanting Raspberry Pi devices to gain a foothold in ATM networks. The group executed multiple attacks, deploying the CAKETAP malware to manipulate ATM transaction processing and bypass PIN verification. Persistent access was maintained via custom backdoors and various communication channels, including DNS tunneling. To cover their tracks, UNC2891 used anti-forensic tools to erase evidence and disguised their malware to evade detection.

Top Vulnerabilities Reported in the Last 24 Hours

SonicWall urges patching for high-severity SSLVPN flaw

A high-severity vulnerability in SonicWall's SonicOS SSLVPN service, tracked as CVE-2025-40601, allows remote unauthenticated attackers to trigger a stack-based buffer overflow and crash affected firewalls. This DoS flaw impacts Gen7 and Gen8 hardware and virtual firewalls, including TZ and NSa series models; where patching cannot be immediate, limiting SSLVPN exposure to trusted source addresses reduces the attack surface. Additionally, two other vulnerabilities affecting SonicWall Email Security appliances were patched, closing off potential arbitrary code execution and unauthorized access to sensitive information.

RCE bugs in EoL D-Link routers

D-Link has issued a warning regarding three remotely exploitable command execution vulnerabilities in its DIR-878 router, which has reached end-of-life status but remains on sale in various markets. Launched in 2017, the DIR-878 was a popular dual-band wireless router, but it will not receive security updates following its discontinuation in 2021, so replacing the device is the only complete fix. The vulnerabilities are CVE-2025-60672, CVE-2025-60673, and CVE-2025-60674, with the last requiring physical access. Despite a medium-severity rating from CISA, the existence of publicly available exploit code poses a significant risk, particularly as threat actors, including botnets like RondoDox, may add these flaws to their targeting.
