Daily Threat Briefing
Diamond Trail

Cyware Daily Threat Intelligence, October 16, 2025


A sly .NET loader, PhantomVAI, is hitting manufacturing, education, and government sectors globally via phishing emails carrying obfuscated scripts. It hides DLLs in images using steganography, checks for virtual machines, and drops multiple infostealers.

Mimicking India’s mParivahan app, GhostBat RAT has been targeting Android users, with 40+ samples stealing UPI credentials and more. Spread through WhatsApp and dodgy sites, it uses multi-stage droppers and heavy obfuscation.

A flaw in the Slider Revolution plugin puts over four million WordPress sites at risk. Fixed in version 6.7.37, the update tightens validation checks, pressing admins to patch quickly to block unauthorized reads of server files.

Top Malware Reported in the Last 24 Hours

Phishing scams target LastPass and Bitwarden

An ongoing phishing campaign is targeting LastPass and Bitwarden users with fake emails claiming that the companies have been hacked. These emails urge recipients to download a supposedly more secure desktop version of the password manager, which actually installs Syncro, a remote monitoring tool. LastPass has clarified that it has not experienced any security incident and that these messages are part of a social engineering effort to create urgency. The phishing emails are well-crafted and impersonate both LastPass and Bitwarden, leading users to malicious downloads. The installer deploys the Syncro MSP platform, giving attackers remote access to victims' computers. This campaign follows another targeting 1Password users.

PhantomVAI Loader drops multiple infostealers

PhantomVAI Loader, a multi-stage .NET loader, is actively involved in global phishing campaigns targeting various sectors, including manufacturing, education, and government. Initially known as Katz Stealer Loader, it has evolved to deliver a range of infostealers such as AsyncRAT, XWorm, FormBook, and DCRat. The attack chain starts with phishing emails that contain heavily obfuscated scripts, which, when executed, download further malicious payloads. Using steganography, the loader conceals DLL files within seemingly innocuous images, allowing it to bypass detection. Once executed, PhantomVAI Loader performs virtual-machine checks and, if no analysis environment is detected, establishes persistence on the infected system, ultimately injecting the payload into legitimate processes like MSBuild.exe, thereby evading many endpoint defenses.

GhostBat RAT masquerades as mParivahan app

GhostBat RAT is a new Android malware campaign targeting Indian users by masquerading as legitimate Regional Transport Office (RTO) applications, such as mParivahan. The malware steals financial data, mines cryptocurrency, and exfiltrates SMS messages, using Telegram bots for device management. Since September 2025, over 40 unique malware samples have been identified, employing techniques like multi-stage droppers and heavy obfuscation to avoid detection. Attackers use social engineering to deliver malicious APKs through platforms like WhatsApp and compromised websites. Once installed, the fake RTO app requests extensive permissions, launches phishing flows to collect UPI credentials, and monitors SMS content for banking-related messages, which are then forwarded to the attackers' servers.

Top Vulnerabilities Reported in the Last 24 Hours

F5 issues patches for BIG-IP vulnerabilities

F5 has released security patches for 44 vulnerabilities in its BIG-IP software, including flaws whose details were stolen during a breach. State-sponsored hackers accessed F5's systems and stole source code and information about undisclosed vulnerabilities, although no evidence suggests these flaws have been actively exploited. F5 confirmed that the updates address the impact of this incident and emphasized the urgency for customers to update their systems. Additionally, CISA has directed federal agencies to install these patches by October 22, with an extended deadline of October 31 for other F5 products. Exploiting these vulnerabilities could allow attackers to steal credentials and sensitive data and to compromise networks, making the devices a high-value target for cybercriminals and nation-state actors.

CISA adds AEM flaw to KEV catalog

A critical vulnerability in Adobe Experience Manager (AEM) Forms, identified as CVE-2025-54253, has been added to CISA's KEV catalog due to active exploitation. This flaw, which carries the maximum CVSS score of 10.0, is a misconfiguration in the /adminui/debug servlet that allows attackers to execute arbitrary code through crafted HTTP requests. It affects AEM Forms on JEE versions 6.5.23.0 and earlier; a patch was released in version 6.5.0-0108 in August 2025. Additionally, CISA included an older vulnerability in SKYSEA Client View (CVE-2016-7836) in its catalog, noting that it has been exploited in real-world attacks.

Flaw in Slider Revolution plugin exposed

A security vulnerability in the widely used Slider Revolution plugin has been uncovered, affecting over four million WordPress sites. Tracked as CVE-2025-9217, this flaw allows users with contributor-level permissions or higher to read sensitive files on the server, including critical configuration files like wp-config.php. The issue arises from insufficient validation of two parameters, "used_svg" and "used_images," which manage file exports. A patched version, 6.7.37, was released to address the weaknesses in file handling, adding validation checks that prevent unauthorized access to server files. The vulnerability was rated medium severity with a CVSS score of 6.5.
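The Slider Revolution write-up describes the classic shape of an arbitrary-file-read bug: a request parameter that names a file is joined onto a directory without checking where the result ends up. The block below is an added, self-contained illustration written for this briefing; it is not Slider Revolution's code and does not reproduce the plugin's logic. It assumes the weak parameters behave like a relative path under an export directory, and the allowed extension list is a constructed guess based on the parameter names "used_svg" and "used_images". It places the insecure join next to a hardened resolver and exercises both against a throwaway directory tree that mimics a site root holding wp-config.php.

```python
"""Path-containment check for a file-export parameter (added example).

Constructed layout used by demo():  <tmp>/wp-config.php  and  <tmp>/exports/logo.svg
"""
import os
import tempfile
from pathlib import Path

# Assumption: an export feature only ever needs to hand out these file types.
ALLOWED_SUFFIXES = {".svg", ".png", ".jpg", ".jpeg", ".gif", ".webp"}


def vulnerable_resolve(export_root: str, requested: str) -> str:
    """Insecure pattern: join user input and trust the result.

    "../wp-config.php" walks out of the export directory, and an absolute
    path makes os.path.join discard export_root entirely.
    """
    return os.path.join(export_root, requested)


def safe_resolve(export_root: str, requested: str) -> Path:
    """Return the requested file only if it lives inside export_root."""
    root = Path(export_root).resolve()
    if not requested or Path(requested).is_absolute():
        raise ValueError("absolute or empty path rejected")
    # resolve() collapses ".." and follows symlinks, so the containment test
    # below sees the real target, not the text the client sent.
    candidate = (root / requested).resolve()
    # Compare path components, not string prefixes: a prefix check would wrongly
    # accept "<root>-old/secret" because it starts with "<root>".
    if candidate != root and root not in candidate.parents:
        raise ValueError("path escapes export directory")
    if candidate.suffix.lower() not in ALLOWED_SUFFIXES:
        raise ValueError("disallowed file type")
    return candidate


def is_rejected(export_root: str, requested: str) -> bool:
    """True when the hardened resolver refuses the request."""
    try:
        safe_resolve(export_root, requested)
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Build the constructed site layout and compare both resolvers."""
    site = Path(tempfile.mkdtemp())
    (site / "wp-config.php").write_text("define('DB_PASSWORD', 'constructed-secret');\n")
    exports = site / "exports"
    exports.mkdir()
    (exports / "logo.svg").write_text("<svg/>")

    leaked = Path(vulnerable_resolve(str(exports), "../wp-config.php")).resolve()
    return {
        # The naive join points straight at the site's configuration file.
        "vulnerable_reaches_config": leaked == (site / "wp-config.php").resolve(),
        "safe_allows_legit": safe_resolve(str(exports), "logo.svg").name == "logo.svg",
        "safe_blocks_traversal": is_rejected(str(exports), "../wp-config.php"),
        "safe_blocks_absolute": is_rejected(str(exports), str(site / "wp-config.php")),
        "safe_blocks_file_type": is_rejected(str(exports), "notes.php"),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The containment test uses `Path.parents` rather than a string prefix because sibling directories sharing a prefix defeat the latter, and it resolves symlinks before comparing so a link planted inside the export directory cannot point back out. Rejecting absolute input before the join matters because `os.path.join` silently drops the base directory when the second argument is absolute.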

Tags: Slider Revolution plugin, Adobe Experience Manager (AEM) Forms, GhostBat RAT, mParivahan, PhantomVAI Loader
