Cyware Daily Threat Intelligence, October 06, 2025

shutterstock 1661078329

Daily Threat Briefing October 6, 2025

Revived from the shadows, new XWorm variants are flooding phishing campaigns with 35+ plugins. This modular RAT steals data, logs keystrokes, launches DDoS, and encrypts files with NoCry-like ransomware.

Oracle is scrambling with an emergency patch for a 9.8 CVSS flaw in its E-Business Suite. This unauthenticated RCE bug has fueled Cl0p ransomware's data theft spree, exploiting compromised emails to breach systems patched earlier this year.

Gamers beware: a Unity engine vulnerability is turning popular titles into attack vectors. It enables code execution on Android and privilege escalation on Windows in games like Hearthstone and DOOM.

Top Malware Reported in the Last 24 Hours

XWorm malware re-emerges with ransomware module

New variants of the XWorm malware, specifically versions 6.0, 6.4, and 6.5, have re-emerged in phishing campaigns, featuring over 35 plugins that enhance its malicious capabilities, including ransomware functionalities. Initially observed in 2022, XWorm is a modular remote access trojan known for its ability to steal sensitive data, track keystrokes, and launch DDoS attacks. Following the abandonment of the project by its original developer, XCoder, various cybercriminals have begun distributing cracked versions. Its ransomware module encrypts files, appending a .ENC extension, while providing victims with ransom instructions, demonstrating a notable overlap with the NoCry ransomware’s encryption techniques.

Malvertising campaign on WordPress sites

A recent malvertising campaign targeted WordPress websites by injecting malicious JavaScript into the theme’s functions.php file. This code fetched external scripts from attacker-controlled domains, resulting in forced redirects and pop-ups for unsuspecting visitors. The investigation revealed that the compromised function, ti_custom_javascript(), established a connection to a Command and Control server, allowing the attackers to deliver harmful payloads. The malicious script included techniques such as hidden iframes and mimicked legitimate Cloudflare actions to evade detection. 

Top Vulnerabilities Reported in the Last 24 Hours

Oracle issues emergency update

Oracle has released an emergency patch for a critical vulnerability in its E-Business Suite, tracked as CVE-2025-61882, which has a CVSS score of 9.8. This flaw allows unauthenticated attackers to execute remote code via HTTP, making it highly exploitable. The vulnerability has been linked to recent data theft attacks by the Cl0p ransomware group, which reportedly exploited multiple weaknesses in Oracle systems, including those patched earlier in 2025. Mandiant noted that Cl0p's operations involved a high-volume email campaign launched from compromised accounts, resulting in significant data breaches. 

Steam and Microsoft warn of Unity bug

A critical vulnerability in the Unity game engine, identified as CVE-2025-59489, poses significant risks to gamers by allowing code execution on Android devices and privilege escalation on Windows systems. This flaw affects all Unity versions starting from 2017.1 and has the potential to compromise numerous popular games, including Hearthstone and DOOM (2019). The vulnerability arises from Unity’s improper handling of Android Intents and command-line arguments, enabling malicious applications to execute code with the privileges of the vulnerable game. While Unity has acknowledged the issue and released fixes for supported versions, older versions will not receive any patches.

Related Threat Briefings

Oct 3, 2025

Cyware Daily Threat Intelligence, October 03, 2025

Beware of the new digital tricksters! The Impact Solutions phishing toolkit empowers even novice cybercriminals to craft sophisticated attacks using a user-friendly interface, enabling them to bypass security measures with deceptive tactics like fake invoices and malicious attachments.

Oct 2, 2025

Cyware Daily Threat Intelligence, October 02, 2025

Luring UAE users with fake Signal and ToTok apps, Android/Spy.ProSpy and ToSpy are pilfering sensitive data. Spread through phishing sites, these spyware variants steal SMS, contacts, and chat histories, maintaining persistent access with active C2 servers. Posing as an IPTV and VPN app, Klopatra is snaring over 3,000 European Android devices. This Turkish-linked banking RAT uses Accessibility Service and hidden VNC to monitor screens and steal bank data, evading detection with anti-debugging tricks. A OneLogin IAM flaw once left OIDC client secrets exposed to attackers with API credentials. Rated at CVSS 7.7, this bug allowed application impersonation, now patched in release 2025.3.0 to secure integrated services and block unauthorized access.

Oct 1, 2025

Cyware Daily Threat Intelligence, October 01, 2025

Hiding behind trusted EV certificates, hackers are slipping undetectable DMG payloads into macOS systems. This campaign mimics legitimate developers to deploy Odyssey Stealer, a trojan that harvests credentials and runs malicious binaries without triggering Apple’s security checks. Through cunning DNS trickery, Detour Dog is spreading Strela Stealer via TXT records and compromised sites. Partnering with Hive0145, this threat actor uses botnets like REM Proxy to deliver spam and malware, impacting over 30,000 hosts with encoded DNS queries. A VMware zero-day flaw, exploited by China’s UNC5174 since last October, is granting attackers root access. This critical bug in Aria Operations and VMware Tools enables privilege escalation, with patches now available but open-vm-tools on Linux also at risk.

Sep 30, 2025

Cyware Daily Threat Intelligence, September 30, 2025

Elderly folks are being sweet-talked by AI-crafted Facebook travel scams into installing fake APKs, then Datzbro slips in, hijacks their Androids with accessibility abuse, keylogging, overlays and a creepily efficient remote-control mode to swipe credentials and drain accounts.

Sep 29, 2025

Cyware Daily Threat Intelligence, September 29, 2025

Exploiting SonicWall firewalls like a battering ram, Akira ransomware is surging through malicious SSL VPN logins. By targeting CVE-2024-40766, attackers bypass MFA, swiftly move laterally, and deploy ransomware within hours, harvesting credentials and exfiltrating data. A cunning malvertising scheme lures victims with a fake Microsoft Teams installer to unleash Oyster malware. Using SEO poisoning via Bing, this signed installer creates a backdoor in under 15 seconds, though Microsoft Defender blocks its C2 communication attempts. A zero-day flaw in Fortra’s GoAnywhere MFT software opens the door to remote command injection. This deserialization bug, exploited since September 10, allows attackers to create backdoor admin accounts, urging immediate upgrades to patched versions and restricted console access.

Sep 26, 2025

Cyware Daily Threat Intelligence, September 26, 2025

China’s UNC5221 is sneaking Brickstorm into network appliances, lurking undetected for over a year. This Go-based backdoor, mimicking legit software, hits SaaS and tech firms with custom C2 servers, using zero-day exploits and obfuscation to maintain stealthy control. North Korean hackers are reeling in crypto developers with fake LinkedIn job offers, hiding AkdoorTea malware. This Contagious Interview campaign uses BeaverTail and Tropidoor to pilfer data across platforms, spreading via deceptive GitHub projects and video assessments. State-sponsored attackers are breaching Cisco ASA firewalls with zero-day exploits, unleashing RayInitiator and LINE VIPER. Linked to China’s UAT4356, these malware variants dodge detection by disabling logs, targeting government networks since May with persistent firmware tweaks.

Sep 25, 2025

Cyware Daily Threat Intelligence, September 25, 2025

Cloaked in fake copyright notices, the Lone None group is sneaking Pure Logs and Lone None Stealer into systems. Spoofing legal firms, their phishing emails use Telegram bots and obfuscated Python to steal crypto wallet addresses, targeting social media accounts with high credibility. Russia’s COLDRIVER is baiting victims with a fake CAPTCHA in the ClickFix campaign. Using BAITSWITCH to download SIMPLEFIX, a PowerShell backdoor, this multi-stage attack targets Russian civil society and Western groups, gathering system data via stealthy C2 communication. A critical zero-day flaw in Cisco’s IOS and IOS XE software is under active attack. This SNMP stack overflow bug lets admins run root-level code, affecting Meraki and Catalyst devices, with patches addressing 14 vulnerabilities to curb DoS and authentication risks.

Sep 24, 2025

Cyware Daily Threat Intelligence, September 24, 2025

Since 2022, a stealthy campaign has been hijacking DLLs to unleash a PlugX variant on Asia’s telecom and manufacturing sectors. Linked to Naikon and BackdoorDiplomacy, it uses malicious documents and shared cryptographic tools to deploy RainyDay and Turian-like backdoors. Salesforce CLI installer harbors a critical flaw, letting attackers seize SYSTEM-level control on Windows. This path-handling bug in versions before 2.106.6 enables code execution via rogue installers, now fixed with proper signing in the latest release. Exploiting a Linux Pandoc flaw, hackers are targeting AWS credentials through SSRF attacks. This vulnerability allows iframe-based credential theft from EC2 IMDSv1, urging users to adopt IMDSv2 and sandbox options to lock down systems.

Sep 23, 2025

Cyware Daily Threat Intelligence, September 23, 2025

With fake job portals as bait, Iran’s Nimbus Manticore targets Europe’s defense and telecom sectors. Their spear-phishing campaign uses multi-stage DLL sideloading to deploy MiniJunk and MiniBrowse, stealthy malware evading detection with obfuscation to hit aerospace and defense networks. The fezbox npm package, a wolf in utility library clothing, hides a cookie-stealing payload in QR codes. Linked to “janedu,” it uses steganography and reversed-string obfuscation to swipe usernames and passwords, quietly exfiltrating them to remote servers via HTTPS. Libraesva ESG’s email scanning engine has a chink in its armor, letting attackers slip through with crafted attachments. This command injection flaw, exploited by a state actor, triggered rapid patches for ESG 5.x to secure systems against unauthorized command execution.

Sep 22, 2025

Cyware Daily Threat Intelligence, September 22, 2025

A rogue patch for Steam’s BlockBlasters game is pilfering crypto wallets and user data. This trojan-laced update, slipped past security checks, grabs IP addresses and Steam credentials, disables Microsoft Defender, and uploads data to a C2 server, impacting hundreds of players. MalTerminal is breaking new ground as the first malware wielding GPT-4 to craft ransomware and backdoors. Using a deprecated OpenAI API, this LLM-embedded threat, paired with phishing that exploits Follina, dodges AI security to deliver malicious payloads. A critical Entra ID flaw let attackers impersonate Global Administrators across tenants. This maximum-severity bug, tied to legacy Azure AD Graph API, allowed MFA bypass and undetected access, now fixed to block unauthorized tenant compromise.

Sep 19, 2025

Cyware Daily Threat Intelligence, September 19, 2025

In a rare crossover of Russian APT playbooks, Gamaredon and Turla have joined forces to target Ukrainian defense entities with coordinated malware operations. Researchers have uncovered joint activity involving the use of Gamaredon's custom tools to deploy Kazuar, a powerful Turla-developed backdoor known for its stealth and persistence. Malware deployment is getting more modular and more menacing. CountLoader is a newly developed malware loader tied to Russia-affiliated ransomware groups like LockBit, BlackBasta, and Qilin. Disguised as Ukrainian police messages in phishing campaigns, CountLoader excels at blending into enterprise traffic, gathering detailed system data, and maintaining persistent access through varied execution techniques. No clicks, no downloads, no warnings - just data theft by design. A critical flaw in OpenAI’s ChatGPT Deep Research agent has been patched following the discovery of ShadowLeak, a zero-click vulnerability that enabled attackers to exfiltrate sensitive information from user inboxes via maliciously crafted emails. The exploit abused the agent’s autonomous email-processing capabilities to embed covert instructions.

Sep 18, 2025

Cyware Daily Threat Intelligence, September 18, 2025

A JPG file that looks like a simple image might now be the start of a full-blown infostealing operation. In a recent FileFix campaign, threat actors are hiding malicious PowerShell scripts and encrypted binaries inside seemingly innocent image files. Unlike earlier proof-of-concept variants, this iteration ups the ante by using multilingual phishing pages and deeply obfuscated JavaScript. When package managers become threat vectors, even a string manipulation library can be a trap. Two rogue Python packages have been removed from PyPI after researchers discovered they were dropping SilentSync RAT. SilentSync is capable of executing arbitrary commands, exfiltrating files, and stealing browser credentials, making it especially dangerous for unsuspecting developers. Another day, another zero-day. Google has shipped an urgent patch to plug a critical flaw in Chrome. Tracked as CVE-2025-10585, the newly patched vulnerability stems from a type confusion bug in the V8 JavaScript engine, which could allow attackers to remotely execute arbitrary code by luring users to maliciously crafted HTML pages. This marks the sixth actively exploited zero-day in Chrome this year.