Cyware Daily Threat Intelligence, November 25, 2025

Even encrypted chats aren't safe when the device itself is compromised. CISA has issued a warning about sophisticated spyware campaigns targeting Signal and WhatsApp users, particularly high-value individuals in government and military circles. Russia-aligned actors are exploiting the "linked devices" feature to hijack accounts.
A massive supply chain attack is turning trusted developer tools into weapons. The Shai-Hulud malware has compromised over 500 npm packages, including libraries for Zapier and PostHog. The malware not only exfiltrates credentials to thousands of auto-created GitHub repositories but also includes a destructive payload capable of wiping a victim's home directory.
The silent backbone of cloud logging has become a critical security risk. Researchers have discovered five severe vulnerabilities in FluentBit, which could allow attackers to hijack cloud infrastructure. The flaws enable adversaries to bypass authentication, execute arbitrary code, and manipulate data logs to hide their tracks.
Top Malware Reported in the Last 24 Hours
CISA warns of spyware targeting messaging apps
CISA issued a warning about ongoing spyware campaigns that target users of mobile messaging applications such as Signal and WhatsApp. These campaigns use sophisticated social engineering techniques and exploit vulnerabilities to gain unauthorized access to user accounts. Notable examples include Russia-aligned threat actors hijacking Signal accounts through its linked devices feature, as well as Android spyware campaigns impersonating popular apps to deliver malware. Additionally, targeted attacks have exploited security flaws in iOS and Samsung devices to compromise fewer than 200 WhatsApp users. CISA emphasizes that these threats primarily focus on high-value individuals, including current and former government officials, military personnel, and civil society members across the U.S., the Middle East, and Europe.
Kimsuky APT employs dual KimJongRAT payloads
Kimsuky has launched an advanced campaign using two variants of the KimJongRAT malware. The operation begins with phishing emails that impersonate South Korean agencies, delivering malicious LNK files and decoy PDFs to unsuspecting victims. The malware can dynamically switch between Portable Executable (PE) and PowerShell payloads depending on the status of Windows Defender, enhancing its stealth. Once deployed, it conducts extensive data theft, including browser credentials, cryptocurrency wallet information, and system data. Additionally, Kimsuky has set up phishing sites that mimic legitimate South Korean services, allowing it to capture login credentials without detection.
Malicious Blender files spread StealC info-stealer
Malicious Blender model files are being used to deliver the StealC V2 information-stealing malware through 3D model marketplaces such as CGTrader. This campaign, linked to Russian actors, takes advantage of Blender's Auto Run feature, which allows Python scripts embedded in .blend files to execute automatically when the file is opened. Once activated, these scripts download a malware loader from a Cloudflare Workers domain, which in turn retrieves a PowerShell script that extracts two ZIP archives containing the StealC malware and an auxiliary Python stealer. The latest StealC variant expands its data-stealing capabilities, targeting over 23 browsers, various cryptocurrency wallet extensions and applications, and popular messaging and VPN clients. Although StealC has been documented since 2023, this version remains undetected by several antivirus solutions.
Shai-Hulud infects 500 npm packages
Shai-Hulud malware has compromised over 500 npm packages in a recent supply-chain attack, targeting well-known tools like Zapier and PostHog to steal developer and CI/CD secrets. The malware modifies legitimate packages by injecting malicious scripts and publishes them on npm using compromised maintainer accounts. Researchers have identified around 350 unique accounts involved in this campaign, which has resulted in the automatic creation of thousands of repositories on GitHub, where stolen secrets are leaked. The malware employs advanced obfuscation techniques and includes destructive payloads that can overwrite a victim's home directory under certain conditions.
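The attack above relies on malicious scripts injected into otherwise legitimate packages, which run on every machine that installs them. The following audit script is an added example written for this digest; it is not code from Cyware, from npm, or from any of the affected projects. It walks a node_modules tree (including scoped packages and nested node_modules directories), reads each package.json, and reports every package that registers an install-time lifecycle hook, so a developer or CI job can review those hooks before trusting a fresh install. The sample tree it builds is constructed in a temporary directory; the package names and commands in it are made up for the demonstration.

```python
import json
import tempfile
from pathlib import Path

# npm runs these hooks automatically during `npm install`; a package that has
# had a script injected into one of them executes on every developer and CI
# machine that installs it.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def iter_package_dirs(node_modules):
    """Yield every package directory under a node_modules tree, including
    scoped packages (@scope/name) and nested node_modules directories."""
    node_modules = Path(node_modules)
    if not node_modules.is_dir():
        return
    for entry in sorted(node_modules.iterdir()):
        if not entry.is_dir() or entry.name.startswith("."):
            continue
        if entry.name.startswith("@"):
            pkg_dirs = sorted(p for p in entry.iterdir() if p.is_dir())
        else:
            pkg_dirs = [entry]
        for pkg in pkg_dirs:
            yield pkg
            # Recurse into the package's own nested dependencies.
            yield from iter_package_dirs(pkg / "node_modules")


def audit_install_hooks(node_modules):
    """Return sorted (package, hook, command) triples for every install-time
    hook declared by any package in the tree."""
    findings = []
    for pkg in iter_package_dirs(node_modules):
        manifest = pkg / "package.json"
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, do not abort the audit
        scripts = data.get("scripts") or {}
        name = data.get("name") or pkg.name
        for hook in INSTALL_HOOKS:
            command = scripts.get(hook)
            if command:
                findings.append((name, hook, command))
    return sorted(findings)


def build_sample_tree():
    """Construct a small node_modules tree in a temp dir for the demo.
    Package names and scripts here are made up; they are not real packages."""
    root = Path(tempfile.mkdtemp()) / "node_modules"
    manifests = {
        "plain-lib": {"name": "plain-lib", "version": "1.0.0",
                      "scripts": {"test": "jest"}},
        "@acme/widget": {"name": "@acme/widget", "version": "2.1.0",
                         "scripts": {"postinstall": "node ./scripts/setup.js"}},
        "plain-lib/node_modules/nested-dep": {"name": "nested-dep", "version": "0.3.0",
                                              "scripts": {"preinstall": "node ./bootstrap.js"}},
    }
    for rel, data in manifests.items():
        pkg_dir = root / rel
        pkg_dir.mkdir(parents=True)
        (pkg_dir / "package.json").write_text(json.dumps(data), encoding="utf-8")
    return root


if __name__ == "__main__":
    for name, hook, command in audit_install_hooks(build_sample_tree()):
        print(f"{name}: {hook} -> {command}")
```

Run it against a real project with audit_install_hooks("node_modules") after installing, or in CI before the install step is allowed to execute hooks at all (npm ci --ignore-scripts installs without running them). Every reported hook is a package that can run code at install time; a hook appearing in a package that did not have one in the previous lock file is the signal worth an immediate look.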
Top Vulnerabilities Reported in the Last 24 Hours
Critical vulnerabilities in FluentBit
FluentBit, a widely used open-source log processing tool, is affected by five critical vulnerabilities that pose significant threats to cloud infrastructure. CVE-2025-12972 allows path traversal and unauthorized file access. CVE-2025-12970 is a stack buffer overflow in the Docker input plugin that could lead to arbitrary code execution. CVE-2025-12978 lets attackers spoof trusted tags, allowing them to reroute logs and inject malicious data. CVE-2025-12977 stems from improper input validation, which permits harmful characters in tags that can corrupt logs. Finally, CVE-2025-12969 disables authentication in the in_forward plugin, allowing unauthorized log submissions.
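Two of the issues above, unvalidated characters in tags and path traversal, share a root cause: a log collector trusts a client-supplied tag and then uses it to route records or to name files. The code below is an added example for this digest, not FluentBit's code or a patch for it. It assumes a hypothetical collector that accepts a tag from a client and derives an output file under a base directory from it, and shows the two checks such a collector needs: an allowlist for the tag itself (dot-separated alphanumeric segments, no control characters or path separators) and a containment check on the resolved path as defence in depth. The sample tags are constructed for the demonstration.

```python
import re
from pathlib import Path

# Allowlist: dot-separated segments of [A-Za-z0-9_-], e.g. "app.web.access".
# Because every segment must be non-empty, "..", "a..b" and "/" never match,
# and control characters such as "\n" (which could split a log line) are excluded.
TAG_RE = re.compile(r"[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)*")
MAX_TAG_LEN = 256


class InvalidTag(ValueError):
    """Raised when a client-supplied tag fails validation."""


def validate_tag(tag):
    """Return the tag unchanged if it is acceptable, else raise InvalidTag."""
    if not isinstance(tag, str) or not tag or len(tag) > MAX_TAG_LEN:
        raise InvalidTag("tag missing, empty, or too long")
    if not TAG_RE.fullmatch(tag):
        raise InvalidTag(f"tag contains disallowed characters: {tag!r}")
    return tag


def output_path_for_tag(base_dir, tag):
    """Map a validated tag to <base_dir>/<tag>.log and refuse any result that
    does not stay inside base_dir, even if validation were bypassed."""
    base = Path(base_dir).resolve()
    candidate = (base / f"{validate_tag(tag)}.log").resolve()
    if base not in candidate.parents:
        raise InvalidTag("resolved path escapes base directory")
    return candidate


def classify_tags(tags):
    """Apply validate_tag to each tag and report 'ok' or 'rejected' per tag."""
    results = {}
    for tag in tags:
        try:
            validate_tag(tag)
            results[tag] = "ok"
        except InvalidTag:
            results[tag] = "rejected"
    return results


# Constructed sample tags: two well-formed ones plus the shapes a collector
# must refuse (traversal, embedded newline, path separator, empty).
SAMPLE_TAGS = [
    "app.web.access",
    "kube.var.log.containers",
    "../../outside",
    "app\nsecond.line",
    "app/other",
    "",
]

if __name__ == "__main__":
    for tag, verdict in classify_tags(SAMPLE_TAGS).items():
        print(f"{verdict:8} {tag!r}")
    print(output_path_for_tag(".", "app.web.access"))
```

The allowlist does the real work; the containment check exists so that a future change to the regex (or a tag that arrives through a code path that skipped validation) still cannot write outside the base directory. Neither check substitutes for patching the collector or for keeping authentication enabled on inputs that accept records over the network.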
WordPress flaw under active exploitation
A critical RCE vulnerability (CVE-2025-6389) in the Sneeit Framework plugin is under active exploitation. The flaw resides in the sneeit_articles_pagination_callback() function and allows attackers to execute arbitrary code without authentication. Observed exploitation includes uploading webshells, creating rogue admin accounts, modifying theme files, and taking over websites. Wordfence observed 491 attacks targeting this vulnerability in a single day, indicating widespread exploitation through botnets. The developers have released Sneeit Framework version 8.4 to fix the vulnerability and urge users to update immediately.