Daily Threat Briefing

Cyware Daily Threat Intelligence, October 21, 2025


After losing its old tricks with the exposure of LOSTKEYS, Russia-backed COLDRIVER is back with a sharper playbook. The group’s new espionage campaign targets NATO governments, diplomats, and NGOs using NOROBOT, a fake CAPTCHA-based downloader that installs MAYBEROBOT backdoors for remote access and intelligence theft.

GlassWorm is targeting developer ecosystems by infecting VS Code extensions on OpenVSX and Microsoft’s marketplace. It hides malicious code with Unicode tricks, uses blockchain and Google Calendar for C2, and steals credentials, crypto, and system access.

CISA warns of active exploits targeting a critical Windows SMB flaw (CVE-2025-33073), enabling SYSTEM-level access. Microsoft patched it in June 2025, with CISA mandating federal agencies to fix it by November 10.

Top Malware Reported in the Last 24 Hours

COLDRIVER campaigns against NATO and NGOs

Russia-backed COLDRIVER group launched a new cyber espionage campaign targeting NATO governments, diplomats, and NGOs after its previous platform, LOSTKEYS, was exposed. The group introduced NOROBOT, a malware downloader using fake CAPTCHA lures, to initiate infections and deploy backdoors like MAYBEROBOT for remote control and intelligence gathering. COLDRIVER demonstrated rapid evolution and agility in its malware development, alternating between simplifying and complicating its infection chain to evade detection.

GlassWorm targets VS Code extensions

A sophisticated supply chain attack named GlassWorm is actively targeting developer ecosystems, particularly VS Code extensions on OpenVSX and Microsoft's marketplace. GlassWorm uses invisible Unicode characters for hiding malicious code, blockchain-based command and control (C2) infrastructure, and Google Calendar as a backup C2 mechanism. The malware harvests credentials, drains cryptocurrency wallets, and turns infected machines into criminal infrastructure nodes. It also includes advanced remote access trojan (RAT) capabilities, making it a significant threat to developers and enterprises worldwide.
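As an added example (not from the briefing or from any vendor analysis of GlassWorm), the following scanner flags runs of invisible Unicode code points in extension source, the kind of check a defender can run over a downloaded extension package before installing it. The code point ranges and the constructed sample are assumptions chosen for illustration.

```python
import unicodedata

# Code points that render as nothing (or nearly nothing) in an editor but
# survive inside JavaScript source. The ranges below are an assumption for
# this example, not a list taken from the GlassWorm reporting.
INVISIBLE_RANGES = [
    (0x200B, 0x200F),    # zero-width space/joiner/non-joiner, LRM, RLM
    (0x202A, 0x202E),    # bidirectional embedding/override controls
    (0x2060, 0x2064),    # word joiner and invisible operators
    (0xFE00, 0xFE0F),    # variation selectors VS1-VS16
    (0xFEFF, 0xFEFF),    # zero-width no-break space (BOM)
    (0xE0000, 0xE007F),  # Unicode tag characters
    (0xE0100, 0xE01EF),  # variation selectors supplement VS17-VS256
]

def is_invisible(ch):
    cp = ord(ch)
    return any(lo <= cp <= hi for lo, hi in INVISIBLE_RANGES)

def scan_source(text, min_run=1):
    """Return (line_no, column, run_length, name_of_first_codepoint) for every
    run of consecutive invisible code points at least min_run long. Raising
    min_run suppresses isolated zero-width joiners that legitimately appear
    in emoji sequences."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        col = 0
        while col < len(line):
            if not is_invisible(line[col]):
                col += 1
                continue
            start = col
            while col < len(line) and is_invisible(line[col]):
                col += 1
            if col - start >= min_run:
                name = unicodedata.name(line[start], "UNKNOWN")
                findings.append((line_no, start, col - start, name))
    return findings

# Constructed sample: an innocent-looking extension entry point with twelve
# variation selectors appended to one line, where no editor would show them.
SAMPLE = ("const vscode = require('vscode');\n"
          "function activate(context) {" + "\U000E0101\U000E0102\U000E0103" * 4 + "\n"
          "  console.log('ready');\n}\n")

if __name__ == "__main__":
    for finding in scan_source(SAMPLE):
        print(finding)
```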

Top Vulnerabilities Reported in the Last 24 Hours

Windows SMB flaw under active attack

CISA has reported that threat actors are actively exploiting a high-severity Windows SMB vulnerability (CVE-2025-33073). This flaw, which allows attackers to gain SYSTEM privileges on unpatched systems, affects all versions of Windows Server, Windows 10, and Windows 11 (up to version 24H2). Microsoft patched the vulnerability in June 2025, attributing its cause to improper access control. CISA has added the flaw to its Known Exploited Vulnerabilities (KEV) Catalog and mandated federal agencies to patch their systems by November 10, 2025. 

Remote code execution vulnerability in LANSCOPE Endpoint Manager

A critical security flaw in LANSCOPE Endpoint Manager's on-premise edition (CVE-2025-61932) allows remote code execution without user interaction. The vulnerability affects versions 9.4.7.1 and earlier, enabling attackers to execute commands with high privileges via specially crafted network packets. The Cloud Edition is unaffected. The flaw has a CVSS 3.0 score of 9.8, emphasizing its severity.

COLDRIVER, GlassWorm, Windows SMB vulnerability, LANSCOPE Endpoint Manager
