Cyware Daily Threat Intelligence, October 07, 2025

Storm-1175 is tearing through GoAnywhere MFT with a devastating flaw to deploy Medusa ransomware. Attackers exploit this CVSS 10.0 deserialization bug for unauthenticated code execution, then use remote-management tools like SimpleHelp to keep a foothold and move through networks swiftly.
A new Android RAT lurks on GitHub, controlling devices via a web interface. Undetected by antivirus, it grabs calls, SMS, bank credentials, and GPS data, bypasses Chinese ROM restrictions, and stays persistent by running lean on device resources.
Redis’s 13-year-old Lua interpreter bug is exposing thousands to remote code execution. Known as RediShell, it threatens 330,000 instances with data theft, demanding urgent patches to secure vulnerable systems.
Top Malware Reported in the Last 24 Hours
Medusa exploits GoAnywhere 0-day
A critical vulnerability, CVE-2025-10035, in GoAnywhere MFT has been exploited by the Storm-1175 threat group, known for deploying Medusa ransomware. This deserialization flaw, with a CVSS score of 10.0, allows attackers to bypass signature verification and execute remote code on unpatched systems without requiring authentication. Storm-1175 employs a multi-stage attack that begins with exploiting the vulnerability, followed by establishing persistence using remote monitoring and management tools like SimpleHelp and MeshAgent. The group then conducts network discovery and lateral movement within compromised environments, ultimately leading to the deployment of Medusa ransomware.
Mustang Panda refines tactics
Mustang Panda, a sophisticated China-linked threat actor, has refined its cyber espionage tactics by employing an advanced DLL side-loading technique aimed at the Tibetan community. This politically motivated campaign begins with a deceptive .ZIP file disguised as an executable related to the Dalai Lama, concealing a malicious DLL that remains hidden from standard file exploration. The malware, known as Claimloader, establishes persistence through both Windows registry modifications and scheduled tasks, complicating detection and removal efforts. Once activated, it deploys a secondary payload called Publoader, which utilizes advanced obfuscation methods to exfiltrate data while communicating with C2 servers.
New fully undetectable Android RAT discovered
A new Android RAT, dubbed the "Most Powerful (FUD Android RAT) 2025," has emerged on GitHub, designed to evade antivirus detection and operate entirely through a web interface. This RAT allows attackers to manage compromised devices in real-time without needing a PC, utilizing advanced encryption methods to maintain secure communication. It features a wide array of malicious capabilities, including call recording, SMS interception, credential theft from banking apps, and live GPS tracking. Additionally, it can bypass restrictions on Chinese ROMs and remains persistent by consuming minimal resources.
Top Vulnerabilities Reported in the Last 24 Hours
Redis issues patches for max severity bug
Redis has patched a critical vulnerability (CVE-2025-49844) that allows authenticated attackers to execute remote code on thousands of exposed instances using a crafted Lua script. The flaw, dubbed RediShell, stems from a 13-year-old use-after-free weakness in the Lua interpreter and could enable attackers to steal data, deploy malware, or gain access to other systems. Approximately 330,000 Redis instances are exposed online, with at least 60,000 lacking authentication, making them highly vulnerable to exploitation.
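The summary above ties the reach of RediShell to instances that are exposed online, lack authentication, and still accept Lua scripts. Patching is the fix; the audit below, an added example that is not from the advisory or from Redis itself, checks a redis.conf for those three exposure conditions so a defender can triage which unpatched instances are worst off. The two configuration samples are constructed for illustration, and the ACL line that strips the `@scripting` category from the default user is a hardening choice assumed here, not something the summary prescribes.

```python
"""Audit a redis.conf for the exposure conditions named in the RediShell summary:
no authentication, reachable on all interfaces, and Lua scripting still enabled."""

# Constructed sample: a weak configuration resembling an internet-exposed,
# unauthenticated instance (not taken from any real deployment).
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed sample: the same instance after hardening. The ACL line is an
# assumed hardening step: the default user keeps everything except the
# @scripting category (EVAL, EVALSHA, SCRIPT), so no Lua runs at all.
HARDENED_CONF = """
bind 127.0.0.1
protected-mode yes
port 6379
requirepass change-me-to-a-long-random-secret
user default on >change-me-to-a-long-random-secret ~* &* +@all -@scripting
"""


def parse_conf(text):
    """Return directives as {name: [values...]}; repeated directives accumulate."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, rest = line.partition(" ")
        directives.setdefault(name.lower(), []).append(rest.strip())
    return directives


def audit_redis_conf(text):
    """Return a sorted list of finding names; an empty list means every check passed."""
    d = parse_conf(text)
    findings = []

    # 1. Authentication: either a legacy requirepass or an ACL user with a password.
    has_requirepass = bool(d.get("requirepass"))
    has_acl_password = any(">" in v for v in d.get("user", []))
    if not (has_requirepass or has_acl_password):
        findings.append("no-authentication")

    # 2. Network exposure. With no bind directive Redis listens on all interfaces,
    #    so treat a missing bind as 0.0.0.0; protected-mode defaults to yes.
    bind_values = " ".join(d.get("bind", ["0.0.0.0"])).split()
    if any(v in ("0.0.0.0", "*", "::") for v in bind_values):
        findings.append("bound-to-all-interfaces")
    if d.get("protected-mode", ["yes"])[0].lower() == "no":
        findings.append("protected-mode-disabled")

    # 3. Lua reachability: EVAL renamed away, or @scripting denied to every ACL user.
    eval_renamed = any(
        v.split()[0].upper() == "EVAL" and v.split()[-1] in ('""', "''")
        for v in d.get("rename-command", [])
    )
    scripting_denied = any("-@scripting" in v for v in d.get("user", []))
    if not (eval_renamed or scripting_denied):
        findings.append("lua-scripting-enabled")

    return sorted(findings)


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_redis_conf(conf) or ["clean"])
```

Run against a real file with `audit_redis_conf(open("/etc/redis/redis.conf").read())`. The checks are deliberately narrow: they describe whether an unauthenticated client on the network could reach the Lua interpreter at all, which is the exposure the summary counts, not whether the instance carries the vulnerable interpreter version.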
CISA alerts on critical Windows vulnerability
CISA has issued a warning regarding the active exploitation of a critical privilege escalation vulnerability in Microsoft Windows, identified as CVE-2021-43226. This flaw exists in the Common Log File System (CLFS) driver, allowing attackers with local access to bypass security controls and elevate their privileges, potentially leading to full system compromise. Although first disclosed by Microsoft in late 2021, recent intelligence indicates an increase in its use within ransomware campaigns. The vulnerability poses significant risks, especially as attackers often combine it with remote code execution flaws to infiltrate networks.