Cyware Daily Threat Intelligence, October 13, 2025

A new Rust-based menace, ChaosBot, lurks in phishing emails, using malicious LNK files to hijack Microsoft Edge binaries and sideload a rogue DLL. It leans on Discord for command-and-control and maintains network access with a fast reverse proxy.
Astaroth is back with a clever twist, stashing its configuration files in GitHub-hosted images using steganography to update itself every two hours without traditional C2 servers. Spread through phishing emails with malicious LNK files triggering obfuscated JavaScript, this banking malware targets South American users.
Oracle's sounding the alarm on a high-severity flaw in E-Business Suite versions 12.2.3 to 12.2.14, letting attackers access sensitive data over HTTP without credentials. While no exploits are confirmed yet, the remote-access nature of this vulnerability makes patching urgent to protect critical business systems from potential compromise.
Top Malware Reported in the Last 24 Hours
ChaosBot exploits Discord channels for C2
Researchers uncovered a new Rust-based malware, ChaosBot, used for reconnaissance and executing commands on compromised systems. ChaosBot utilizes Discord channels for C2 operations and is distributed via phishing messages containing malicious Windows shortcut (LNK) files. The malware sideloads a malicious DLL using a legitimate Microsoft Edge binary and employs a fast reverse proxy for persistent network access. ChaosBot includes features like executing shell commands, capturing screenshots, and uploading/downloading files, while using evasion techniques to bypass Windows Event Tracing and to avoid running inside virtual machines.
Astaroth banking trojan exploits GitHub
McAfee researchers have identified a sophisticated Astaroth banking malware campaign that leverages GitHub repositories to host critical configuration files, moving away from traditional C2 servers. This malware employs steganography to conceal configuration data within seemingly benign image files, allowing it to update its operational parameters every two hours while maintaining persistent operations. The infection chain begins with phishing emails that lure victims into downloading malicious Windows shortcut files, which execute obfuscated JavaScript commands. Primarily targeting South American countries, particularly Brazil, Astaroth monitors banking and cryptocurrency-related browser windows to capture credentials through keylogging.
Stealit malware exploits Node.js feature
The Stealit malware campaign uses Node.js' Single Executable Application (SEA) feature and the Electron framework to distribute malicious payloads via fake game and VPN installers shared on platforms like Mediafire and Discord. SEA enables standalone executables to run without requiring Node.js runtime or additional dependencies, making it effective for malware distribution. Stealit offers subscription-based "data extraction solutions," including RATs capable of file extraction, webcam control, live screen monitoring, ransomware deployment, and more for Android and Windows systems. The malware employs anti-analysis checks, writes an authentication key to a cache file, and configures Microsoft Defender exclusions to avoid detection.
Top Vulnerabilities Reported in the Last 24 Hours
New Oracle E-Business Suite flaw identified
Oracle has issued a security alert regarding a critical vulnerability, tracked as CVE-2025-61884, in its E-Business Suite that could allow unauthorized access to sensitive data without requiring any login credentials. This high-severity flaw affects versions 12.2.3 through 12.2.14 and has a CVSS score of 7.5, indicating its potential for exploitation. The vulnerability can be accessed remotely via HTTP, making it crucial for users to apply the necessary updates promptly. Although Oracle has not reported any active exploitation of this vulnerability, it poses a significant risk as it could be weaponized to compromise sensitive resources.
Critical bug in Cherry Studio
A critical vulnerability, tracked as CVE-2025-61929 and rated CVSS 9.7, has been identified in Cherry Studio, a cross-platform desktop client for LLMs. This flaw enables attackers to execute arbitrary commands with a single click on a crafted "cherrystudio://" URL link. The issue arises from the application’s failure to properly validate base64-encoded configuration data, allowing malicious commands to be executed without user confirmation. The vulnerability affects all versions of Cherry Studio across Windows, macOS, and Linux platforms. A proof-of-concept demonstrates that clicking a specially crafted link can trigger harmful actions, such as launching the Windows calculator.
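The flaw above comes down to a custom URL scheme handler that trusts whatever base64 blob the link carries. The following is an added example written for this digest, not Cherry Studio's own code: a defensive handler in Node-style JavaScript that decodes the payload, accepts only an allowlisted set of configuration keys with type checks, and never executes anything itself. The scheme name is the one the advisory reports; the payload layout (base64 JSON after `cherrystudio://config/`), the allowed keys, and the size limit are assumptions chosen for illustration.

```javascript
// Added example, not Cherry Studio's code. Payload layout and key allowlist
// are assumed; only the "cherrystudio:" scheme name comes from the advisory.
const SCHEME = "cherrystudio:";
const MAX_PAYLOAD = 4096; // assumed upper bound on the base64 segment

// Allowlist of configuration keys with a validator per key (assumed set).
// Anything outside this table, e.g. a "command" field, is rejected outright.
const ALLOWED = {
  theme: (v) => v === "light" || v === "dark",
  apiBaseUrl: (v) =>
    typeof v === "string" && /^https:\/\/[a-z0-9.-]+(\/[\w./-]*)?$/i.test(v),
  modelName: (v) => typeof v === "string" && /^[\w.-]{1,64}$/.test(v),
};

// Builds a link in the assumed format; used here only to construct test input.
function encodeConfigLink(obj) {
  return SCHEME + "//config/" + Buffer.from(JSON.stringify(obj)).toString("base64");
}

// Returns { ok: true, config } or { ok: false, reason }. The caller must still
// show the sanitized config to the user and ask for confirmation before
// applying it; this function only decides whether the link is well-formed.
function parseConfigLink(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch { return { ok: false, reason: "not a URL" }; }
  if (url.protocol !== SCHEME) return { ok: false, reason: "wrong scheme" };
  if (url.hostname !== "config") return { ok: false, reason: "unknown action" };
  const b64 = url.pathname.replace(/^\//, "");
  if (b64.length === 0 || b64.length > MAX_PAYLOAD) return { ok: false, reason: "bad length" };
  if (!/^[A-Za-z0-9+/=_-]+$/.test(b64)) return { ok: false, reason: "not base64" };
  let json;
  try { json = JSON.parse(Buffer.from(b64, "base64").toString("utf8")); }
  catch { return { ok: false, reason: "payload is not JSON" }; }
  if (json === null || typeof json !== "object" || Array.isArray(json)) {
    return { ok: false, reason: "config must be an object" };
  }
  const config = {};
  for (const [key, value] of Object.entries(json)) {
    // hasOwnProperty on the allowlist also blocks keys such as "__proto__".
    if (!Object.prototype.hasOwnProperty.call(ALLOWED, key)) {
      return { ok: false, reason: `unexpected key: ${key}` };
    }
    if (!ALLOWED[key](value)) return { ok: false, reason: `invalid value for ${key}` };
    config[key] = value;
  }
  return { ok: true, config };
}
```

The key point is that the decoded data is treated as a closed set of typed settings, so a link can at most propose a theme or model name, never an action.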