Cyware Daily Threat Intelligence, October 15, 2025

A subtle tweak turned deadly as China-backed Flax Typhoon repurposed a legitimate ArcGIS Java SOE into a persistent web shell. The APT group executed commands, moved laterally, and harvested credentials across hosts.
A massive botnet, rallying 100,000+ IPs across multiple countries, began targeting U.S. RDP services. Researchers noted a unified TCP fingerprint suggesting single-entity control.
As Windows 10 bows out of free support today, Microsoft's October Patch Tuesday plugs 172 holes, including six zero-days. Extended Security Updates are now a must for holdouts, and the critical fixes demand immediate attention before attackers turn them into working exploits.
Top Malware Reported in the Last 24 Hours
Flax Typhoon exploits ArcGIS for persistence
Flax Typhoon, a China-backed APT group, executed a sophisticated attack on an ArcGIS system by repurposing a legitimate Java server object extension (SOE) into a web shell. This method enabled the attackers to maintain long-term access while evading detection, as their activities appeared to be normal system operations. By embedding the compromised SOE in backups and using a hardcoded key for access, they ensured persistence even after attempts at remediation. The group leveraged this foothold for malicious command execution, lateral movement, and credential harvesting across various hosts.
Malicious VSCode extensions on OpenVSX
Malicious extensions targeting developers have resurfaced on the OpenVSX registry and Microsoft's VSCode marketplace, attributed to a threat actor known as TigerJack. These extensions, including C++ Playground and HTTP Format, have been linked to the theft of cryptocurrency and the exfiltration of source code. C++ Playground captures keystrokes in real-time, while HTTP Format secretly runs a cryptocurrency miner, utilizing the host's processing power without restrictions. Additionally, some extensions can execute arbitrary JavaScript code, allowing for credential theft and other malicious activities. Despite being removed from VSCode, these extensions continue to be available on OpenVSX.
Botnet campaign targets Microsoft RDP services
A botnet comprising over 100,000 IP addresses from multiple countries has been targeting RDP services in the U.S. since October 8. GreyNoise researchers identified this large-scale campaign after observing an unusual spike in traffic, particularly from Brazilian IPs. The attacks use two main vectors: RD Web Access timing attacks and RDP web client login enumeration. Evidence suggests that a single entity controls the botnet, as most IPs share a similar TCP fingerprint. The coordinated nature of the attacks, together with the centralized control indicated by that shared fingerprint and the common attack methods, raises concerns about the botnet's capabilities and intentions. Source countries include Brazil, Argentina, Iran, China, Mexico, Russia, and South Africa.
Top Vulnerabilities Reported in the Last 24 Hours
Hackers exploit ICTBroadcast servers
A critical security vulnerability in ICTBroadcast, an autodialer software, has been actively exploited by hackers, allowing unauthenticated RCE. This vulnerability, identified as CVE-2025-2611, arises from improper input validation that permits attackers to inject shell commands through session cookies. Specifically, the flaw affects versions 7.4 and below, with around 200 instances exposed online. Cybersecurity researchers observed exploitation attempts beginning on October 11, where attackers first conducted time-based checks before establishing reverse shells. They utilized Base64-encoded commands in crafted HTTP requests to confirm command execution. Notably, connections were made to previously flagged URLs and IP addresses associated with malicious campaigns targeting organizations in Europe, indicating a potential reuse of techniques or tools among threat actors. Currently, there is no information regarding a patch for this vulnerability.
Two critical bugs in Red Lion Sixnet RTUs
Two critical vulnerabilities, CVE-2023-40151 and CVE-2023-42770, have been discovered in Red Lion Sixnet RTUs, both rated 10.0 on the CVSS scale. These flaws allow unauthenticated attackers to execute commands with root privileges, potentially leading to severe disruptions in industrial control systems. CVE-2023-42770 involves an authentication bypass due to the RTU software accepting TCP messages without authentication, while CVE-2023-40151 enables remote code execution through the Linux shell command execution feature. The vulnerabilities affect various Red Lion RTU models across sectors such as energy, water, and transportation.
Microsoft October 2025 Patch Tuesday
Microsoft's October 2025 Patch Tuesday released security updates for 172 vulnerabilities, including six zero-day flaws. This update coincides with the end of free support for Windows 10; users must now subscribe to Extended Security Updates to continue receiving patches. Among the critical vulnerabilities fixed are those affecting Windows SMB Server and Microsoft SQL Server. Notable issues include the removal of a vulnerable Agere Modem driver, which could allow elevation of privileges, and a Secure Boot bypass vulnerability in IGEL OS. Additionally, Microsoft is addressing a memory integrity flaw in AMD EPYC processors.