Cyware Daily Threat Intelligence, November 26, 2025

A notorious Russia-aligned group is using a classic trick to breach U.S. infrastructure. RomCom has teamed up with the SocGholish cybercrime network to target a civil engineering firm using fake browser update alerts. This marks the first time RomCom's sophisticated Mythic Agent malware has been delivered through this common fake update infection route.
Mac users are facing a cunning new threat that turns system safeguards against them. A malware campaign dubbed FlexibleFerret is targeting macOS devices with a Go-based backdoor that mimics Chrome permission prompts to steal credentials. The malware uses sophisticated staged scripts to bypass security and exfiltrate stolen data directly to a Dropbox account.
A dangerous default setting in a popular infrastructure tool could leave sensitive secrets exposed. A vulnerability in HashiCorp Vault's Terraform Provider allows attackers to bypass LDAP authentication entirely without providing a password. The flaw stems from a misconfiguration that permits anonymous connections.
Top Malware Reported in the Last 24 Hours
RomCom malware targets U.S. engineering firm
RomCom, a Russia-aligned malware group, has targeted a U.S.-based civil engineering company using SocGholish fake update attacks to deliver the Mythic Agent malware. This attack marks the first instance of RomCom payloads being distributed through SocGholish, which serves as an initial access broker by tricking users into downloading malicious JavaScript via fake browser update alerts. The threat actors behind SocGholish, linked to financially motivated groups, exploit vulnerabilities in compromised websites to initiate infections. In this case, the attack involved a rapid infection timeline of under 30 minutes, culminating in the establishment of a reverse shell and the deployment of a custom Python backdoor.
JackFix campaign uses fake updates for malware
Cybersecurity researchers have identified a new campaign named JackFix that employs fake Windows update pop-ups on adult websites to deliver malware. This attack utilizes a combination of ClickFix lures and malvertising, targeting users with convincing prompts to run malicious commands. The fake update screens hijack the victim’s display, instructing them to execute commands that trigger infections. The malware, primarily distributed through PowerShell scripts, includes various payloads such as stealers and remote access trojans, posing significant risks to sensitive data. The campaign is believed to be linked to Russian-speaking threat actors, who obfuscate their methods to evade detection.
New FlexibleFerret malware targets macOS
A new malware campaign named FlexibleFerret has emerged, specifically targeting macOS systems. This sophisticated threat utilizes staged scripts and a persistent Go-based backdoor to bypass user safeguards and maintain long-term access to compromised devices. The malware employs a second-stage shell script that adapts its actions based on the system architecture, downloading various payloads accordingly. It masquerades as Chrome permission prompts to harvest user credentials, routing stolen data to a Dropbox account while avoiding detection through clever obfuscation techniques. The backdoor, known as CDrivers, facilitates numerous malicious tasks, including system information collection, file management, and automated credential theft.
Top Vulnerabilities Reported in the Last 24 Hours
HashiCorp Vault bug allows credential bypass
A vulnerability in HashiCorp Vault, identified as CVE-2025-13357, allows attackers to bypass LDAP authentication without providing credentials due to a misconfigured default setting in the Terraform Provider. This flaw arises from the deny_null_bind parameter, which defaults to false unless explicitly set, permitting unauthenticated connections if the underlying LDAP server allows anonymous binds. As a result, Vault may accept empty passwords as valid authentication attempts, potentially exposing sensitive secrets and infrastructure data. The issue affects versions v4.2.0 through v5.4.0 of the Terraform Provider.
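The root cause above is a provider-side default, which means the weak state is invisible in the Terraform code: a resource that simply omits deny_null_bind is vulnerable. The following Python audit is an added example, not code from Cyware, HashiCorp or the provider. It scans Terraform source for the provider's vault_ldap_auth_backend resource (the resource name is my assumption of where the parameter lives), flags blocks where deny_null_bind is absent or false, and checks a provider version string against the affected range stated above. The two HCL snippets are constructed samples with placeholder hostnames and DNs; the hardened one shows the corrected setting beside the weak one.

```python
import re

# Constructed sample: the resource omits deny_null_bind, so the provider
# default (false) applies and empty-password binds are accepted if the
# LDAP server permits anonymous binds (CVE-2025-13357).
VULNERABLE_HCL = '''
resource "vault_ldap_auth_backend" "corp" {
  path    = "ldap"
  url     = "ldaps://ldap.example.internal"        # placeholder host
  userdn  = "ou=Users,dc=example,dc=internal"
  groupdn = "ou=Groups,dc=example,dc=internal"
  # deny_null_bind is not set here
}
'''

# Constructed sample: the corrected configuration sets the parameter explicitly.
HARDENED_HCL = '''
resource "vault_ldap_auth_backend" "corp" {
  path           = "ldap"
  url            = "ldaps://ldap.example.internal"
  userdn         = "ou=Users,dc=example,dc=internal"
  groupdn        = "ou=Groups,dc=example,dc=internal"
  deny_null_bind = true
}
'''

NOT_SET_MSG = "deny_null_bind not set (provider default is false)"
FALSE_MSG = "deny_null_bind explicitly set to false"

# Matches one vault_ldap_auth_backend resource block; non-greedy body up to the
# closing brace at the start of a line (nested blocks are not expected here).
RESOURCE_RE = re.compile(
    r'resource\s+"vault_ldap_auth_backend"\s+"([^"]+)"\s*\{(.*?)\n\}',
    re.DOTALL,
)
# The attribute must be a real assignment, one per line.
ATTR_RE = re.compile(r"^\s*deny_null_bind\s*=\s*(true|false)\s*$", re.MULTILINE)


def strip_hash_comments(body: str) -> str:
    """Drop '#' line comments. '//' comments are deliberately left alone,
    because a naive strip would also eat the '//' inside ldaps:// URLs."""
    return re.sub(r"#[^\n]*", "", body)


def audit_ldap_auth(hcl_text: str) -> list[tuple[str, str]]:
    """Return (resource_name, finding) for every LDAP auth backend block that
    would accept null binds under the provider default."""
    findings = []
    for match in RESOURCE_RE.finditer(hcl_text):
        name, body = match.group(1), strip_hash_comments(match.group(2))
        attr = ATTR_RE.search(body)
        if attr is None:
            findings.append((name, NOT_SET_MSG))
        elif attr.group(1) == "false":
            findings.append((name, FALSE_MSG))
    return findings


def provider_version_affected(version: str) -> bool:
    """True if a Terraform Vault provider version falls in the range the
    advisory names (v4.2.0 through v5.4.0). The page does not state a fixed
    release, so only that range is flagged."""
    parts = tuple(int(p) for p in version.lstrip("v").split("."))
    return (4, 2, 0) <= parts <= (5, 4, 0)


if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_HCL), ("hardened", HARDENED_HCL)):
        print(label, audit_ldap_auth(text) or "no findings")
    for v in ("v4.2.0", "5.4.0", "5.5.0"):
        print(v, "affected" if provider_version_affected(v) else "outside stated range")
```

Run it over a repository's `.tf` files to find backends that rely on the default; the fix on the Terraform side is the explicit `deny_null_bind = true` shown in the hardened sample, and independently of the provider, the LDAP server should not permit anonymous binds.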
Critical authentication bypass in SiRcom SMART Alert
A critical vulnerability (CVE-2025-13483) has been identified in the SiRcom SMART Alert (SiSA) system, version 3.0.48. This system is widely deployed in emergency and government services for public alerting via sirens. The vulnerability, rated 9.1 on CVSS v3.1 and 8.8 on CVSS v4, stems from a missing authentication mechanism that lets remote attackers reach the system's core functions. Successfully leveraging this flaw could enable malicious control of emergency siren infrastructure. Currently, there are no public reports of active exploitation or malicious use of this vulnerability. However, given its critical severity and low attack complexity, the risk of exploitation remains high, especially in critical infrastructure environments.