Cyware Daily Threat Intelligence, October 23, 2025

China-based threat actors are exploiting a critical SharePoint vulnerability known as ToolShell to attack organizations worldwide. The flaw allows for unauthenticated remote code execution. Attackers have used this access to deploy sophisticated malware like ShadowPad and Zingdoor within compromised networks.
Three critical vulnerabilities have been discovered in BIND 9, the most widely used DNS software on the internet. These flaws expose DNS infrastructure to severe threats. The vulnerabilities carry high CVSS scores, indicating a serious risk to millions of users globally.
A major scam operation has been found using deepfake videos to impersonate top Singaporean officials, including the Prime Minister. The campaign leveraged verified Google Ads and fake news websites to promote a fraudulent investment platform. These geo-targeted ads were designed specifically to deceive residents within Singapore.
Top Malware Reported in the Last 24 Hours
China-based attackers exploit ToolShell vulnerability
China-based threat actors have exploited the ToolShell vulnerability (CVE-2025-53770) to compromise organizations worldwide, including telecom companies in the Middle East and government agencies in Africa and South America. ToolShell, which affects on-premises SharePoint Server, gives unauthenticated attackers remote code execution. Once inside, the attackers deployed Zingdoor and ShadowPad, using DLL sideloading to keep their access stealthy, and used KrustyLoader as a first-stage loader to deliver further payloads. Publicly available tools were also employed for credential theft and lateral movement within compromised networks.
NuGet package attack steals cryptocurrency keys
A recent supply chain attack targeted the NuGet package manager with a malicious typosquat of the Nethereum platform named Netherеum.All. The package, uploaded by a user claiming to be associated with Nethereum, replaces one Latin "e" in the name with the visually identical Cyrillic "е", so the identifier looks legitimate to a developer scanning a package list. Once installed, it decodes an obfuscated C2 endpoint and exfiltrates sensitive data, including mnemonic phrases and private keys, to the attacker. The threat actors also inflated the download count to 11.7 million to create a false sense of credibility.
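The homoglyph trick above is easy to catch mechanically if dependency names are checked before a build pulls them. The following is an added example (not code from the report, from NuGet, or from the Nethereum project): it reports non-ASCII code points and mixed scripts in a package identifier, and collapses names to a "skeleton" so that a confusable variant collides with an allowlisted package. The confusables table is a hand-picked subset of look-alike Cyrillic and Greek letters, and the trusted-package list and sample names are constructed.

```python
"""Homoglyph / typosquat check for package identifiers (added example)."""
import unicodedata

# Hand-picked subset of characters that render like Latin letters.
# A production check should use the full Unicode TR39 confusables data.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j",
    "\u03b1": "a", "\u03bf": "o", "\u03c1": "p", "\u03bd": "v",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0425": "X",
    "\u0391": "A", "\u0392": "B", "\u0395": "E", "\u0397": "H", "\u039f": "O",
    "\u03a1": "P", "\u03a4": "T", "\u0396": "Z",
}
SEPARATORS = "-_."


def skeleton(name: str) -> str:
    """Canonical comparison form: compatibility-normalise, map confusables to
    their Latin look-alikes, case-fold, and drop separators, so that
    'Netherеum.All', 'Nethereum.All' and 'nethereum-all' all collapse to
    the same string."""
    text = unicodedata.normalize("NFKC", name)
    text = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    text = text.casefold()
    return "".join(ch for ch in text if ch not in SEPARATORS)


def non_ascii_chars(name: str) -> list[tuple[str, str, str]]:
    """Every non-ASCII code point with its U+XXXX form and Unicode name."""
    return [(ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
            for ch in name if ord(ch) > 127]


def scripts_in(name: str) -> set[str]:
    """Scripts present among the letters, taken from the first word of the
    Unicode character name ('LATIN', 'CYRILLIC', 'GREEK', ...)."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0]
            for ch in name if ch.isalpha()}


def analyze(candidate: str, trusted: list[str]) -> dict:
    """Report why a package id looks like an impersonation attempt."""
    sk = skeleton(candidate)
    impersonates = [t for t in trusted if t != candidate and skeleton(t) == sk]
    non_ascii = non_ascii_chars(candidate)
    mixed = len(scripts_in(candidate)) > 1
    return {
        "name": candidate,
        "non_ascii": non_ascii,
        "mixed_scripts": mixed,
        "impersonates": impersonates,
        "suspicious": bool(non_ascii or mixed or impersonates),
    }


# Constructed allowlist of packages the build is expected to depend on.
TRUSTED = ["Nethereum.All", "Nethereum.Web3", "Newtonsoft.Json"]

# Constructed candidates: the genuine id, the Cyrillic-е typosquat (U+0435),
# and a separator/case variant that also collides with the trusted name.
SAMPLES = ["Nethereum.All", "Nether\u0435um.All", "nethereum-all"]

if __name__ == "__main__":
    for name in SAMPLES:
        report = analyze(name, TRUSTED)
        flag = "SUSPICIOUS" if report["suspicious"] else "ok"
        print(f"{flag:10} {name!r}")
        for _ch, cp, uname in report["non_ascii"]:
            print(f"           {cp} {uname}")
        if report["impersonates"]:
            print(f"           looks like: {report['impersonates']}")
```

The skeleton comparison is what catches the case in the report: the typosquat contains exactly one non-ASCII character and mixes Latin with Cyrillic, and after mapping it collides with the allowlisted Nethereum.All. Download counts are not an input here on purpose; as the report shows, they can be inflated.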
Top Vulnerabilities Reported in the Last 24 Hours
Over 250 Magento stores targeted by hackers
Over 250 Magento stores have been compromised through a critical vulnerability in Adobe Commerce and Magento Open Source, tracked as CVE-2025-54236 and known as SessionReaper, which lets attackers take over customer accounts via the Commerce REST API. Although Adobe released a patch last month, roughly 62% of Magento stores remained vulnerable six weeks after disclosure. Attackers have used the flaw to deploy PHP webshells and extract sensitive PHP configuration information. The recent wave of attacks has been traced to a range of IP addresses, suggesting a coordinated effort by as-yet-unidentified threat actors.
Critical vulnerabilities discovered in BIND 9
Three critical vulnerabilities have been disclosed in BIND 9, the most widely used DNS software, potentially affecting millions of users. The flaws, tracked as CVE-2025-8677, CVE-2025-40778, and CVE-2025-40780, expose DNS infrastructure to cache poisoning and DoS attacks. CVE-2025-8677 lets attackers exhaust resolver resources through malformed DNSKEY handling, while CVE-2025-40778 and CVE-2025-40780 allow forged DNS records to be injected into a resolver's cache. All three are exploitable remotely without authentication; CVE-2025-8677 carries a CVSS score of 7.5 and the two cache-poisoning flaws are rated 8.6. ISC has published fixed releases, and recursive resolvers in particular should be updated.
Top Scams Reported in the Last 24 Hours
Jingle Thief group conducts gift card fraud
A cybercriminal group known as Jingle Thief has been abusing the cloud infrastructure of retail and consumer services organizations to commit gift card fraud. Using phishing and smishing, the group steals credentials, gains unauthorized access, and issues fraudulent gift cards that are then resold on gray markets. Active since at least 2021, it conducts extensive reconnaissance inside compromised environments, focusing on Microsoft 365 accounts and the internal systems that issue gift cards. Its operations are marked by stealth and persistence, often maintaining access for extended periods. By creating inbox rules to hide tell-tale mail and registering rogue authenticator apps on victim accounts, the group bypasses MFA and covers its tracks, making detection difficult.
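Both persistence tricks named above leave traces in Microsoft 365 audit data: inbox-rule creation events carry the rule's parameters, and security-info registration events carry the client IP. The script below is an added example, not code from the report, that hunts for concealment rules (delete, hide in an unread folder, forward out, or filter on fraud-related subjects) and for authenticator registrations from IPs the user has never used, then raises the severity when both happen to one account within a day. The records are constructed and use a simplified form of the Unified Audit Log layout (Operation, UserId, ClientIP, Parameters); the known-IP baseline is constructed too and would in practice be built from each user's recent sign-in history.

```python
"""Hunt for mailbox concealment rules and rogue MFA registrations (added example)."""
from datetime import datetime, timedelta

RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
SECURITY_INFO_OP = "User registered security info."
# Folders attackers route mail into so the victim never sees it.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "archive",
                  "deleted items", "conversation history", "junk email"}
FORWARD_ACTIONS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
# Subjects a gift card fraud crew wants suppressed: issuance and security mail.
KEYWORDS = ("gift card", "giftcard", "security", "password", "mfa",
            "authenticator", "suspicious")


def params(record: dict) -> dict:
    """Flatten the audit record's Parameters array into a name -> value map."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def ts(record: dict) -> datetime:
    return datetime.fromisoformat(record["CreationTime"])


def rule_findings(record: dict) -> list[str]:
    """Reasons an inbox-rule event looks like concealment; empty if benign."""
    p = params(record)
    reasons = []
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("deletes matching mail")
    folder = p.get("MoveToFolder", "")
    if folder and folder.split("\\")[-1].lower() in HIDING_FOLDERS:
        reasons.append(f"moves mail to {folder}")
    for action in FORWARD_ACTIONS:
        if p.get(action):
            reasons.append(f"{action} -> {p[action]}")
    filters = " ".join(p.get(k, "") for k in (
        "SubjectContainsWords", "BodyContainsWords",
        "SubjectOrBodyContainsWords")).lower()
    hits = [k for k in KEYWORDS if k in filters]
    if hits:
        reasons.append("filters on " + ", ".join(hits))
    return reasons


def analyze(records: list[dict], known_ips: dict,
            window: timedelta = timedelta(hours=24)) -> list[dict]:
    """One alert per user: 'medium' for either indicator alone, 'high' when a
    concealment rule and an unfamiliar-IP registration fall within `window`."""
    by_user: dict[str, list[dict]] = {}
    for r in records:
        by_user.setdefault(r["UserId"].lower(), []).append(r)
    alerts = []
    for user, recs in by_user.items():
        rules = [(ts(r), rule_findings(r)) for r in recs if r["Operation"] in RULE_OPS]
        rules = [(t, f) for t, f in rules if f]
        regs = [r for r in recs if r["Operation"] == SECURITY_INFO_OP
                and r["ClientIP"] not in known_ips.get(user, set())]
        reasons = [f"inbox rule at {t.isoformat()}: " + "; ".join(f) for t, f in rules]
        reasons += [f"security info registered from unfamiliar IP {r['ClientIP']} "
                    f"at {r['CreationTime']}" for r in regs]
        if not reasons:
            continue
        severity = "medium"
        if any(abs(ts(r) - t) <= window for r in regs for t, _ in rules):
            severity = "high"
        alerts.append({"user": user, "severity": severity, "reasons": reasons})
    return alerts


# Constructed sample events (not real telemetry); alice shows both indicators,
# bob creates a harmless rule, carol registers security info from a known IP.
SAMPLE_RECORDS = [
    {"CreationTime": "2025-10-22T09:14:00", "Operation": "New-InboxRule",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.5",
     "Parameters": [{"Name": "Name", "Value": "cleanup"},
                    {"Name": "SubjectContainsWords", "Value": "gift card;security alert"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2025-10-22T09:20:00", "Operation": SECURITY_INFO_OP,
     "UserId": "alice@example.com", "ClientIP": "203.0.113.5", "Parameters": []},
    {"CreationTime": "2025-10-22T10:02:00", "Operation": "New-InboxRule",
     "UserId": "bob@example.com", "ClientIP": "198.51.100.20",
     "Parameters": [{"Name": "Name", "Value": "newsletters"},
                    {"Name": "SubjectContainsWords", "Value": "weekly digest"},
                    {"Name": "MoveToFolder", "Value": "Inbox\\Newsletters"}]},
    {"CreationTime": "2025-10-22T11:30:00", "Operation": SECURITY_INFO_OP,
     "UserId": "carol@example.com", "ClientIP": "198.51.100.7", "Parameters": []},
]
KNOWN_IPS = {"alice@example.com": {"198.51.100.10"},
             "bob@example.com": {"198.51.100.20"},
             "carol@example.com": {"198.51.100.7"}}

if __name__ == "__main__":
    for alert in analyze(SAMPLE_RECORDS, KNOWN_IPS):
        print(f"[{alert['severity'].upper()}] {alert['user']}")
        for reason in alert["reasons"]:
            print("   -", reason)
```

Run against the constructed data, only alice is reported, at high severity, because her concealment rule and the registration from an IP outside her baseline are six minutes apart. Folder names are compared on the last path segment so that rules targeting localized or nested folders are still matched, and a forwarding rule is reported whether or not the destination is external; tightening that to external domains only is a reasonable tuning step in an environment where internal forwarding is common.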
Investment scam mimics Singapore officials
A large-scale scam operation impersonating Singapore officials, including Prime Minister Lawrence Wong and Minister K Shanmugam, was uncovered. The scam used verified Google Ads, fake news websites, and deepfake videos to promote a fraudulent investment platform. The scam targeted Singapore residents by configuring Google Ads to appear only to local IP addresses, redirecting victims to fake news pages and a Mauritius-registered forex investment platform. Investigators identified 28 verified advertiser accounts linked to individuals in Bulgaria and other countries, running malicious ads and redirecting users to 119 fake domains mimicking legitimate news outlets. The fraudulent platform appeared legitimate due to its regulatory license, but its parent company had faced suspensions and lost authorization in the U.K.