Cyware Daily Threat Intelligence, November 28, 2025

A massive cloud outage may have been the perfect cover for a new botnet's dress rehearsal. A Mirai-based malware named ShadowV2 used the chaos of the recent AWS downtime to conduct a "test run" against vulnerable IoT devices. This opportunistic attack exploited known flaws in end-of-life (EoL) devices to build a DDoS-capable botnet while the world was distracted.
Old tools are finding new life in the hands of a group hunting through Central Asia's government networks. The Bloody Wolf hacking group has intensified its campaigns in Kyrgyzstan and Uzbekistan, using spear-phishing to deliver the outdated but effective NetSupport RAT.
Your personal cloud might just be a wide-open back door for global espionage. ASUS has issued an urgent firmware update to fix a critical authentication bypass in its AiCloud feature that allows attackers to seize control of routers without a password.
Top Malware Reported in the Last 24 Hours
New ShadowV2 botnet targets IoT devices
A new Mirai-based botnet malware, named ShadowV2, has emerged, targeting IoT devices from vendors like D-Link and TP-Link by exploiting known vulnerabilities. Observed during the significant AWS outage in October, ShadowV2 appeared to conduct test runs, leveraging at least eight vulnerabilities, including critical flaws in D-Link devices that will not receive fixes due to their end-of-life status. The attacks, originating from a specific IP address, affected various sectors globally, including government and education. ShadowV2 is delivered through a downloader script and supports DDoS attacks across multiple protocols. Its C2 infrastructure facilitates these attacks, although the identity of the perpetrators and their monetization strategy remain unknown.
Bloody Wolf expands cyber attacks in Central Asia
Bloody Wolf, a hacking group, has intensified its cyberattack campaign in Kyrgyzstan and Uzbekistan since mid-2025, primarily targeting the finance, government, and IT sectors. Utilizing spear-phishing tactics, the group impersonates trusted government ministries to distribute malicious JAR files disguised as official documents. Once downloaded, these files execute a loader that fetches the NetSupport RAT payload, establishing persistence on the infected systems. Notably, the campaign in Uzbekistan incorporates geofencing, redirecting external requests to legitimate sites while delivering malware to local users. The attackers employ outdated tools, such as Java 8 and an older version of NetSupport Manager from 2013.
Top Vulnerabilities Reported in the Last 24 Hours
Patch this Forge library flaw
A high-severity vulnerability, tracked as CVE-2025-12816, has been identified in the popular JavaScript cryptography library 'node-forge', which could allow attackers to bypass signature verification. This flaw stems from issues in the library's ASN.1 validation mechanism, enabling the crafting of malformed data that is accepted as valid. The vulnerability poses risks such as authentication bypass and tampering with signed data, particularly affecting applications that rely on node-forge for cryptographic protocols. With approximately 26 million weekly downloads, the widespread use of node-forge amplifies the potential impact of this security issue.
ASUS warns of critical AiCloud bug
ASUS has issued a firmware update to address nine security vulnerabilities, including a critical authentication bypass flaw (CVE-2025-59366) in routers with AiCloud enabled. This vulnerability allows remote attackers to abuse the Samba functionality and execute specific functions without authorization, in a low-complexity attack that requires no user interaction. The flaw can be exploited by chaining a path traversal with an OS command injection. ASUS has not specified which router models are affected but has previously dealt with similar vulnerabilities, including a critical flaw (CVE-2025-2492) that was exploited in a global campaign called Operation WrtHug, which targeted outdated devices. That campaign involved hijacking thousands of ASUS routers, potentially for use as operational relay nodes in cyberattacks.