Cyware Daily Threat Intelligence, October 10, 2025

Security teams are racing against RondoDox, a botnet that's blasting through 56 vulnerabilities across 30+ vendors to hijack routers, DVRs, NVRs, and web servers. With a "shotgun" tactic exploiting command injections for shell access and multi-architecture payloads, it risks data leaks and downtime.
Russian Android users are in the crosshairs of ClayRat, a slick spyware masquerading as WhatsApp, TikTok, or YouTube apps spread via Telegram and phishing lures, with over 600 samples detected in just three months. It grabs call logs, SMS, photos, and notifications, even hijacks calls or messages, while auto-blasting malicious links to every contact.
Juniper's latest advisory drops fixes for nearly 220 flaws in Junos OS, Junos Space, and Security Director, spotlighting nine critical ones. High-severity DoS risks, file download exploits, and privilege escalations get patched too.
Top Malware Reported in the Last 24 Hours
RondoDox botnet exploits multiple vulnerabilities
The RondoDox botnet campaign has emerged as a significant threat, exploiting over 50 vulnerabilities across more than 30 vendors, including flaws first identified in Pwn2Own contests. This campaign targets internet-facing devices such as routers, DVRs, NVRs, and web servers, posing risks of data exfiltration and operational disruptions. Active exploitation has been observed globally since mid-2025, with several vulnerabilities listed in CISA’s KEV catalog. RondoDox employs a "shotgun" approach, utilizing command-injection flaws to gain shell access and deploy multi-architecture payloads. The botnet has evolved through a "loader-as-a-service" model, co-packaging its exploits with other malware, which broadens its reach and makes timely patching of the affected devices more urgent.
New ClayRat spyware targets Russia
ClayRat is Android spyware targeting Russian users, spreading through Telegram and phishing sites while impersonating popular apps. The spyware collects sensitive data, takes photos, sends messages, and places calls from infected devices. ClayRat aggressively propagates by sending malicious links to all contacts in the victim's phone book. It uses advanced obfuscation techniques and session-based installation to bypass Android security measures. Abuse of the default SMS handler role allows ClayRat to access and manipulate SMS data without user consent.
Attackers use Velociraptor DFIR tool in attacks
Hackers are now leveraging the Velociraptor DFIR tool in ransomware attacks, particularly with LockBit and Babuk variants. This activity is linked to a China-based group known as Storm-2603, which is associated with nation-state actors. The attackers exploit an outdated version of Velociraptor, vulnerable to a privilege escalation issue (CVE-2025-6264), allowing them to create local admin accounts and gain persistent access to compromised systems. Once inside, they utilize Velociraptor to maintain control and execute commands remotely. Additionally, they deploy PowerShell scripts for file exfiltration and encryption, employing techniques to evade detection.
Top Vulnerabilities Reported in the Last 24 Hours
Juniper Networks patches critical bugs
Juniper Networks has announced the release of patches for nearly 220 vulnerabilities across its Junos OS, Junos Space, and Security Director products, including nine critical-severity flaws. Among the significant issues addressed is a critical XSS vulnerability (CVE-2025-59978) that could allow attackers to execute commands with administrative privileges. The updates also resolve a high-severity DoS vulnerability, as well as medium-severity issues related to arbitrary file downloads and privilege escalation. Additionally, Juniper patched high-severity flaws in Security Director Policy Enforcer and various medium-severity vulnerabilities that could lead to sensitive information exposure.
Active exploitation of Gladinet and TrioFox flaw
Cybersecurity firm Huntress has reported active exploitation of a zero-day vulnerability (CVE-2025-11371) affecting Gladinet CentreStack and TrioFox products. This unauthenticated local file inclusion flaw, which has a CVSS score of 6.1, allows attackers to disclose system files and impacts all software versions up to 16.7.10368.56560. The exploitation was first detected on September 27, 2025, with at least three customers affected. Additionally, both applications were previously vulnerable to CVE-2025-30406, a severe issue with a CVSS score of 9.0 that enabled remote code execution through ViewState deserialization. Attackers can leverage the machine key retrieved from the Web.config file to exploit the system further.