Daily Threat Briefing

Cyware Daily Threat Intelligence, October 20, 2025

Guess who’s hitching a ride in a ZIP file? The new .NET CAPI Backdoor targets Russian automobile and e-commerce organizations via phishing ZIPs containing a decoy Russian document and a malicious LNK that abuses rundll32.exe to stealthily execute the payload.

Attackers are abusing Google Ads to distribute malware disguised as the official Comet Browser installer, redirecting users to fake sites mimicking legitimate platforms. The malicious payload hosted on GitHub drops additional malware linked to DarkGate for password theft.

Microsoft has patched CVE-2025-55315, a critical HTTP request smuggling flaw in the ASP.NET Core Kestrel web server, the most severe ASP.NET Core vulnerability to date. The bug could let attackers hijack credentials, bypass security controls, or crash servers, prompting urgent updates across .NET and Visual Studio versions.

Top Malware Reported in the Last 24 Hours

Phishing campaign unleashes CAPI Backdoor

A new .NET malware, CAPI Backdoor, targets the Russian automobile and e-commerce sectors via phishing emails with ZIP files. The ZIP files contain a decoy Russian document and a malicious Windows shortcut (LNK) file that triggers the malware. The malware leverages a legitimate Microsoft binary (rundll32.exe) to execute its payload stealthily. CAPI Backdoor collects system information, steals browser data, takes screenshots, and exfiltrates data to a remote server.

Fake Homebrew and LogMeIn sites deliver AMOS and Odyssey malware

A malicious campaign targets macOS users with fake Homebrew, LogMeIn, and TradingView sites, spreading infostealing malware like AMOS and Odyssey. Over 85 fake domains impersonating these platforms were identified, with traffic driven by Google Ads. The malicious sites use convincing download portals and trick users into executing commands in the Terminal, installing malware. The malware bypasses macOS security measures, collects system information, and steals sensitive data, including browser credentials and cryptocurrency wallets. 

Fake Comet Browser ads target users with malware

Attackers are exploiting Google Ads with fake Comet Browser download links to spread malware disguised as Perplexity’s official installer. Users searching for the Comet browser are redirected to fraudulent landing pages that mimic legitimate platforms. The malicious payload, named comet_latest.msi, is hosted on GitHub and drops additional malware upon execution, with links to DarkGate malware for password theft.

Top Vulnerabilities Reported in the Last 24 Hours

Microsoft addresses critical ASP.NET Core vulnerability

Microsoft has patched a critical vulnerability in the ASP.NET Core Kestrel web server, flagged as the most severe ASP.NET Core flaw to date. The vulnerability, identified as CVE-2025-55315, is an HTTP request smuggling bug that could allow attackers to hijack user credentials, bypass security controls, or crash servers. Microsoft has released updates for various versions of .NET and Visual Studio to address the issue, urging developers to update their applications promptly.
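Request smuggling of the kind described above works by getting two hops (a front end and the server behind it) to disagree about where one request ends and the next begins, which is only possible when the framing headers are ambiguous. The following added example, which is not Microsoft's code and not the Kestrel fix, shows a strict framing check a reverse proxy or edge component can apply so that ambiguous requests never reach the back end; the sample requests are constructed for the illustration.

```python
"""Strict HTTP/1.1 message-framing check for a reverse proxy or front end.

Added illustration (not Microsoft's code and not the Kestrel fix).
Rejecting every ambiguous request at the edge removes the parser
disagreement that request smuggling depends on. Sample requests below
are constructed.
"""
from __future__ import annotations


def parse_head(raw: bytes) -> tuple[str, list[tuple[str, str]]]:
    """Split the request line and header fields off a raw HTTP/1.1 message."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1")
    headers: list[tuple[str, str]] = []
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        # Keep the raw field name so whitespace tricks ("Content-Length : 5")
        # remain visible to the checks below.
        headers.append((name.decode("latin-1"), value.decode("latin-1").strip()))
    return request_line, headers


def framing_is_unambiguous(raw: bytes) -> tuple[bool, str]:
    """Return (True, "ok") only when the body length can be determined one way.

    Anything that could make two parsers disagree is rejected with a reason.
    """
    try:
        _, headers = parse_head(raw)
    except ValueError as exc:
        return False, str(exc)

    # Whitespace inside a field name is invalid per RFC 9112 and a classic way
    # to make one hop ignore a header that the other hop honours.
    for name, _ in headers:
        if any(ch.isspace() for ch in name):
            return False, f"whitespace in header name {name!r}"

    cl = [v for n, v in headers if n.lower() == "content-length"]
    te = [v for n, v in headers if n.lower() == "transfer-encoding"]

    if cl and te:
        return False, "both Content-Length and Transfer-Encoding present"
    if len(cl) > 1:
        return False, "multiple Content-Length headers"
    if cl and not (cl[0] and all(ch in "0123456789" for ch in cl[0])):
        # str.isdigit() accepts non-ASCII digits such as "²"; check ASCII only.
        return False, f"non-numeric Content-Length {cl[0]!r}"
    if len(te) > 1:
        return False, "multiple Transfer-Encoding headers"
    if te and te[0].lower() != "chunked":
        # RFC 9112 permits other codings ahead of "chunked", but a strict edge
        # accepts only the one spelling every back end agrees on.
        return False, f"unsupported Transfer-Encoding {te[0]!r}"
    return True, "ok"


# Constructed samples: one clean request and four ambiguous ones.
SAMPLES = {
    "clean": b"POST /api HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n\r\nhello",
    "cl_te": b"POST /api HTTP/1.1\r\nHost: app.example\r\nContent-Length: 4\r\n"
             b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n",
    "dup_cl": b"POST /api HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5\r\n"
              b"Content-Length: 10\r\n\r\nhello",
    "space_name": b"POST /api HTTP/1.1\r\nHost: app.example\r\n"
                  b"Transfer-Encoding : chunked\r\n\r\n0\r\n\r\n",
    "bad_cl": b"POST /api HTTP/1.1\r\nHost: app.example\r\nContent-Length: 5x\r\n\r\nhello",
}


def audit(samples: dict[str, bytes] = SAMPLES) -> dict[str, str]:
    """Run the framing check over each sample and return the verdict per name."""
    return {name: framing_is_unambiguous(raw)[1] for name, raw in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:11s} {verdict}")
```

The check is deliberately stricter than the RFC allows: a front end that accepts only a single numeric Content-Length or a single Transfer-Encoding of exactly "chunked" gives up a little interoperability in exchange for guaranteeing that it and the origin cannot frame a message differently.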

Zimbra releases emergency fix for SSRF flaw

Zimbra discovered a critical SSRF vulnerability in its chat proxy configuration, affecting versions 10.1.5 through 10.1.11. The flaw allows attackers to make the server issue unauthorized requests on their behalf, leading to risks such as data exposure, network reconnaissance, credential theft, and internal resource access. Zimbra released version 10.1.12 on October 16, 2025, as an emergency patch to address the issue.
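Each of the risks listed above depends on the proxy being willing to fetch an attacker-chosen URL. The following added example, which is not Zimbra's code and not the 10.1.12 fix, shows the generic egress check a server-side proxy can apply before making a request: an explicit host allowlist, a ban on non-HTTP schemes and userinfo, and a requirement that every address the host resolves to is publicly routable, with the vetted address pinned for the caller. The hostnames and the fake resolver are constructed for the example.

```python
"""Egress-target validation for a server-side proxy (generic SSRF defence).

Added illustration, not Zimbra's code and not the 10.1.12 fix. Hostnames
and the fake resolver below are constructed for the example.
"""
from __future__ import annotations

import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

Resolver = Callable[[str], Iterable[str]]


def system_resolver(host: str) -> list[str]:
    """Resolve with the OS resolver; used when no test resolver is injected."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def is_public(address: str) -> bool:
    """True only for globally routable addresses.

    Rejects loopback, RFC 1918, link-local (which covers 169.254.0.0/16),
    multicast and reserved ranges, and unwraps IPv4-mapped IPv6 so that
    ::ffff:127.0.0.1 is judged as 127.0.0.1.
    """
    ip = ipaddress.ip_address(address)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global


def validate_proxy_target(url: str, allowed_hosts: frozenset[str],
                          resolve: Resolver = system_resolver) -> tuple[bool, str]:
    """Return (True, pinned_ip) for an acceptable target, else (False, reason)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    # Literal IP addresses are never on the allowlist, so they fail here too.
    if host.lower() not in allowed_hosts:
        return False, f"host {host!r} not on allowlist"
    try:
        addresses = list(resolve(host))
    except (socket.gaierror, OSError) as exc:
        return False, f"resolution failed: {exc}"
    if not addresses:
        return False, "host resolved to no addresses"
    # Every address must be public: a name that maps to one public and one
    # internal address is a rebinding attempt, not a partially acceptable target.
    for address in addresses:
        if not is_public(address):
            return False, f"{host} resolves to non-public address {address}"
    # Pin the first vetted address; the caller should connect to it rather than
    # resolve again, so the answer cannot change between check and use.
    return True, addresses[0]


# Constructed DNS answers standing in for the real resolver.
FAKE_DNS = {
    "partner-api.example": ["93.184.216.34"],
    "rebind.example": ["93.184.216.34", "10.0.0.7"],
    "meta.example": ["169.254.169.254"],
    "v6loop.example": ["::ffff:127.0.0.1"],
}
# Every constructed name is allowlisted on purpose, to show that the address
# check still catches names that resolve somewhere internal.
ALLOWED = frozenset(FAKE_DNS)


def fake_resolver(host: str) -> list[str]:
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise socket.gaierror(f"NXDOMAIN {host}")


if __name__ == "__main__":
    for url in ("https://partner-api.example/v1", "https://rebind.example/",
                "http://meta.example/", "http://v6loop.example/",
                "http://evil.example/", "file:///etc/hosts"):
        print(url, validate_proxy_target(url, ALLOWED, fake_resolver))
```

Pinning the resolved address matters as much as the check itself: a proxy that validates the name and then lets its HTTP client resolve it again can be fed a different answer the second time, which the per-address loop above cannot prevent on its own.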
