Daily Threat Briefing

Cyware Daily Threat Intelligence, October 17, 2025


An APT28 campaign is abusing Signal Desktop's unfiltered file sharing to deliver weaponized Office documents carrying the BeardShell and Covenant frameworks to Ukrainian military personnel. The documents trigger macros that start a multi-stage infection, hiding payloads inside PNG images via steganography and using the Koofr cloud service for stealthy C2.

UNC5142 is turning public blockchains into a malware hideout, using BNB Smart Chain smart contracts and compromised WordPress sites to spread the Atomic and Vidar infostealers to Windows and macOS. Google has counted roughly 14,000 web pages injected with the group's CLEARSHORT JavaScript downloader, which uses EtherHiding to fetch its payloads from the chain. The crew is financially motivated.

Two flaws in ConnectWise Automate's update mechanism put on-premises installations at risk by letting an attacker on the network path intercept and tamper with updates sent over unsecured channels. Rated high severity, they threaten data disclosure, loss of update integrity, and rogue code execution.

Top Malware Reported in the Last 24 Hours

APT28 targets Ukrainian military with malware

APT28, a Russian state-sponsored threat actor, is targeting Ukrainian military personnel with weaponized Office documents. The campaign delivers the BeardShell and Covenant malware frameworks through documents sent over Signal Desktop, exploiting the absence of attachment filtering in its file sharing. Once opened, the documents execute embedded macros that start a multi-stage infection designed to keep persistent access and evade detection. The malware hides payloads inside PNG files using steganography and uses the Koofr cloud service for command-and-control communication.

Hackers abuse Cisco SNMP bug, deploy rootkit

Attackers have exploited a recently patched vulnerability (CVE-2025-20352) in the SNMP subsystem of Cisco IOS and IOS XE. The flaw allows remote code execution and was seen primarily against Cisco 9400 and 9300 series switches and legacy 3750G devices. The attacks, tracked as Operation Zero Disco, deploy a rootkit on unprotected Linux-based systems and set a universal access password containing the word "disco." The rootkit accepts commands over UDP and can manipulate logs, bypass security controls, and hide configuration items. Trend Micro researchers showed that the malware can disable logging and perform ARP spoofing to impersonate devices.

Hackers exploit blockchain for malware distribution

A financially motivated threat actor tracked as UNC5142 is using blockchain smart contracts and compromised WordPress sites to distribute information-stealing malware, including Atomic and Vidar, to both Windows and macOS systems. The group relies on a technique called "EtherHiding" to conceal malicious code on public blockchains, specifically the BNB Smart Chain. Google's Threat Intelligence Group reported roughly 14,000 web pages injected with JavaScript linked to UNC5142, indicating widespread compromise of vulnerable sites. The injected code is a multi-stage JavaScript downloader named CLEARSHORT, which retrieves its next-stage payloads by reading them from the smart contracts.
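The retrieval step above, as an added illustration rather than UNC5142's or Google's code: reading a payload that was "hidden" in a contract means issuing a read-only JSON-RPC eth_call to a public chain endpoint and unpacking the ABI-encoded return value, which for a string is an offset word, a length word, and zero-padded bytes. The contract address and 4-byte selector are placeholders, the sample return value is constructed with the encoder in the block, and the decoder rejects responses whose declared length exceeds what was actually returned, the check an analyst wants when decoding truncated captures.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative only. Assumed: the loader POSTs an eth_call to a public BSC RPC
 * endpoint and the contract method returns one ABI-encoded `string` holding the
 * next stage. Address and selector below are placeholders, not real indicators. */

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode an optionally "0x"-prefixed hex string; returns byte count, 0 if malformed. */
size_t hex_to_bytes(const char *hex, uint8_t *out, size_t outlen) {
    if (hex[0] == '0' && (hex[1] == 'x' || hex[1] == 'X')) hex += 2;
    size_t n = strlen(hex);
    if (n % 2 || n / 2 > outlen) return 0;
    for (size_t i = 0; i < n / 2; i++) {
        int hi = hexval(hex[2 * i]), lo = hexval(hex[2 * i + 1]);
        if (hi < 0 || lo < 0) return 0;
        out[i] = (uint8_t)((hi << 4) | lo);
    }
    return n / 2;
}

/* Read one big-endian 32-byte ABI word as size_t; reject values that cannot fit. */
static int read_word(const uint8_t *w, size_t *val) {
    size_t v = 0;
    for (int i = 0; i < 32; i++) {
        if (i < 32 - (int)sizeof(size_t) && w[i] != 0) return -1;
        v = (v << 8) | w[i];
    }
    *val = v;
    return 0;
}

/* Decode a single dynamic `string` return value:
 *   word 0            : offset of the string head (normally 0x20)
 *   word at offset    : byte length
 *   following words   : the bytes, zero-padded to a 32-byte boundary
 * Returns the string length, or -1 if the encoding is inconsistent with retlen. */
long abi_decode_string(const uint8_t *ret, size_t retlen, char *out, size_t outlen) {
    size_t off, len;
    if (retlen < 64 || read_word(ret, &off) < 0) return -1;
    if (off > retlen - 32 || read_word(ret + off, &len) < 0) return -1;
    if (len > retlen - off - 32 || len >= outlen) return -1;   /* claims more than returned */
    memcpy(out, ret + off + 32, len);
    out[len] = '\0';
    return (long)len;
}

/* Encode a string the way a contract's `returns (string)` does; used here only to
 * construct sample data. */
size_t abi_encode_string(const char *s, uint8_t *out, size_t outlen) {
    size_t len = strlen(s), padded = (len + 31) / 32 * 32, total = 64 + padded;
    if (total > outlen) return 0;
    memset(out, 0, total);
    out[31] = 0x20;                                          /* offset word */
    for (int i = 0; i < 8; i++) out[63 - i] = (uint8_t)((uint64_t)len >> (8 * i));
    memcpy(out + 64, s, len);
    return total;
}

/* Build the JSON-RPC eth_call body the loader would POST; selector is 4-byte hex. */
int build_eth_call(char *out, size_t outlen, const char *contract, const char *selector) {
    int n = snprintf(out, outlen,
        "{\"jsonrpc\":\"2.0\",\"id\":1,\"method\":\"eth_call\","
        "\"params\":[{\"to\":\"%s\",\"data\":\"%s\"},\"latest\"]}", contract, selector);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

int main(void) {
    char body[256], url[128];
    uint8_t ret[256];
    build_eth_call(body, sizeof body, "0x0000000000000000000000000000000000000000", "0xdeadbeef");
    printf("request: %s\n", body);
    /* Constructed sample response standing in for what the RPC endpoint would return. */
    size_t n = abi_encode_string("https://example.invalid/s.js", ret, sizeof ret);
    if (abi_decode_string(ret, n, url, sizeof url) > 0) printf("next stage: %s\n", url);
    return 0;
}
```

On a real capture the `result` field of the RPC reply is the hex string you pass through `hex_to_bytes` before `abi_decode_string`; a response that decodes to a URL or script body from a page's inline JavaScript is the EtherHiding pattern to alert on.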

Top Vulnerabilities Reported in the Last 24 Hours

ConnectWise Automate update addresses critical bugs

ConnectWise has issued a critical security update for its Automate platform after discovering vulnerabilities that could allow attackers to intercept and tamper with software updates. The flaws affect on-premises installations that fetch updates over unsecured communication channels, exposing organizations to the risk of installing malicious code disguised as legitimate patches. The vulnerabilities, tracked as CVE-2025-11492 and CVE-2025-11493, received high CVSS scores because of their potential impact on data confidentiality, integrity, and availability. The first allows complete disclosure and modification of the data in transit, while the second enables unauthorized code installation even when encryption is in place.

Critical WatchGuard VPN vulnerability exposed

Researchers have disclosed a critical vulnerability in WatchGuard Fireware OS, tracked as CVE-2025-9242, that allows unauthenticated attackers to execute arbitrary code. The out-of-bounds write affects multiple software versions, specifically on devices configured with IKEv2 for mobile user or branch office VPNs. The flaw stems from a missing length check in the "ike2_ProcessPayload_CERT" function, so it can be triggered during the VPN handshake before authentication completes. Although the appliance exposes no interactive shell, the researchers showed that the overwrite gives control of the instruction pointer, which can be turned into a Python interactive shell reachable over TCP.
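The bug class described above, as an added illustration rather than WatchGuard's code: a parser for an IKEv2 CERT payload (generic payload header per RFC 7296, then a one-byte certificate encoding and the certificate data) that copies the certificate into a fixed-size buffer. The first function trusts the peer-supplied payload length field, which is exactly the missing check; the second validates it against the minimum size, the bytes actually received, and the destination buffer. The buffer size, function names, and the constructed certificate bytes are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative only, not Fireware code. CERT payload layout (RFC 7296 section 3.6):
 *   next payload (1) | flags (1) | payload length (2, big-endian, includes header)
 *   cert encoding (1) | certificate data (payload length - 5)               */
#define IKE_HDR_LEN 4
#define CERT_MAX    64     /* assumed fixed destination buffer */

struct cert_payload {
    uint8_t encoding;
    uint8_t data[CERT_MAX];
    size_t  data_len;
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Vulnerable: the payload length comes from the peer and is used unchecked.
 * A CERT payload declaring a length greater than CERT_MAX + 5 writes past
 * out->data; a length beyond buflen also reads past the received packet. */
int parse_cert_unchecked(const uint8_t *pkt, size_t buflen, struct cert_payload *out) {
    if (buflen < IKE_HDR_LEN + 1) return -1;
    uint16_t plen = be16(pkt + 2);
    out->encoding = pkt[4];
    out->data_len = plen - IKE_HDR_LEN - 1;
    memcpy(out->data, pkt + 5, out->data_len);   /* no bound against CERT_MAX or buflen */
    return 0;
}

/* Hardened: the declared length must cover the header and encoding byte,
 * must not exceed what was actually received, and the body must fit data[]. */
int parse_cert_checked(const uint8_t *pkt, size_t buflen, struct cert_payload *out) {
    if (buflen < IKE_HDR_LEN + 1) return -1;
    uint16_t plen = be16(pkt + 2);
    if (plen < IKE_HDR_LEN + 1) return -1;        /* guards the subtraction below */
    if (plen > buflen) return -1;                  /* truncated or lying packet */
    size_t cert_len = plen - IKE_HDR_LEN - 1;
    if (cert_len > CERT_MAX) return -1;            /* would overflow data[] */
    out->encoding = pkt[4];
    out->data_len = cert_len;
    memcpy(out->data, pkt + 5, cert_len);
    return 0;
}

/* Build a CERT payload with an explicit (possibly lying) length field; returns bytes written. */
size_t build_cert_payload(uint8_t *out, size_t outlen, uint16_t declared_len,
                          uint8_t encoding, const uint8_t *cert, size_t cert_len) {
    if (outlen < IKE_HDR_LEN + 1 + cert_len) return 0;
    out[0] = 0;                           /* next payload: none */
    out[1] = 0;                           /* flags: not critical */
    out[2] = (uint8_t)(declared_len >> 8);
    out[3] = (uint8_t)declared_len;
    out[4] = encoding;                    /* 4 = X.509 Certificate - Signature */
    memcpy(out + 5, cert, cert_len);
    return IKE_HDR_LEN + 1 + cert_len;
}

int main(void) {
    uint8_t pkt[512];
    struct cert_payload cp;
    const uint8_t fake_cert[] = "constructed-cert";          /* 16 constructed bytes */
    /* Honest payload: the declared length matches the bytes sent. */
    size_t n = build_cert_payload(pkt, sizeof pkt, 5 + 16, 4, fake_cert, 16);
    printf("valid payload: %d\n", parse_cert_checked(pkt, n, &cp));
    /* Malicious payload: the length field claims 0xFFFF; the checked parser rejects it. */
    n = build_cert_payload(pkt, sizeof pkt, 0xFFFF, 4, fake_cert, 16);
    printf("oversized payload: %d\n", parse_cert_checked(pkt, n, &cp));
    /* parse_cert_unchecked(pkt, n, &cp) here would memcpy 65530 bytes into a 64-byte array. */
    return 0;
}
```

The ordering of the three checks matters: testing `plen` against the minimum before subtracting prevents an unsigned underflow, and testing it against `buflen` before the buffer-size check keeps a short packet from being read past its end even when the cert would have fit.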
