Daily Threat Briefing
Diamond Trail

Cyware Daily Threat Intelligence, October 24, 2025


A massive malware campaign called the YouTube Ghost Network has used over 3,000 malicious videos to infect users since 2021. The network targets individuals searching for game hacks and cracked software, using a web of compromised accounts to post malware links and create fake engagement.

Researchers have discovered a self-propagating worm named GlassWorm that targets Visual Studio Code extensions in a significant supply chain attack. This sophisticated malware uses the Solana blockchain for its command-and-control infrastructure to steal developer credentials and cryptocurrency.

Microsoft has released an emergency patch for a critical remote code execution vulnerability in Windows Server Update Services. The flaw, tracked as CVE-2025-59287 with a CVSS score of 9.8, allows attackers to compromise update servers without authentication or user interaction.

Top Malware Reported in the Last 24 Hours

YouTube malware campaign targets unsuspecting users

A cybercriminal operation named the YouTube Ghost Network has been distributing malware via over 3,000 malicious YouTube videos since 2021, with activity tripling in 2025. The network uses three types of compromised accounts (video-accounts, post-accounts, interact-accounts) to upload malicious content, share download links, and create false legitimacy through engagement. The campaign targets users looking for "Game Hacks/Cheats" and "Software Cracks," with some videos amassing hundreds of thousands of views. The network’s malware preferences have shifted over time, adapting to law enforcement actions and using infostealers like Rhadamanthys to exfiltrate sensitive data. Specific campaigns targeted content creators with malware disguised as cracked software, using multi-stage deployment to evade security measures.

Lazarus Group targets European defense firms

North Korean Lazarus hackers executed a coordinated campaign known as Operation DreamJob, targeting three European defense companies involved in unmanned aerial vehicle technology. Using fake recruitment tactics, the hackers lured employees into downloading malicious files that granted access to the companies' systems. The attacks began in late March and involved trojanized open-source applications, employing DLL sideloading to deliver the ScoringMathTea RAT. This malware allows attackers to execute commands, manipulate files, and gather system information. The campaign aligns with North Korea’s strategic interest in enhancing its drone capabilities, particularly as these companies manufacture military equipment used in Ukraine.

Self-propagating GlassWorm targets VS Code extensions

Researchers have identified a self-propagating worm named GlassWorm targeting VS Code extensions, marking a significant supply chain attack in the DevOps ecosystem. GlassWorm uses the Solana blockchain for C2 infrastructure and Google Calendar as a fallback mechanism, showcasing novel techniques for resilience and stealth. The worm hides its malicious code behind invisible Unicode characters and aims to steal credentials and cryptocurrency funds and to turn developer machines into proxies for criminal activities. Infected extensions include 13 on Open VSX and one on the Microsoft Extension Marketplace, with over 35,800 downloads in total. The malware deploys a payload called Zombi, which enables full compromise by installing SOCKS proxies, WebRTC modules, and HVNC servers, and by leveraging decentralized command distribution techniques.
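A defender-side check that the GlassWorm description invites is scanning extension source for code points that render as nothing or alter display order, since ordinary code review will not see them. The following is an added example written for this briefing, not code from the report or from GlassWorm itself; the briefing does not say which invisible characters the worm used, so the flagged code-point ranges and the embedded sample extension snippet are this example's own assumptions.

```python
"""Scan source text for invisible or direction-altering Unicode code points.

Added example for this briefing (not GlassWorm's code and not from the
original report). The report says only that the worm hid code behind
"invisible Unicode characters"; the ranges flagged below are this example's
own assumption of what such a review check should cover.
"""
import unicodedata

# Inclusive code-point ranges that render as nothing or alter text direction.
# Assumed set chosen for this example; extend as needed.
SUSPICIOUS_RANGES = (
    (0x200B, 0x200F),    # zero-width space/joiners, LRM/RLM marks
    (0x202A, 0x202E),    # bidi embedding/override controls
    (0x2060, 0x2064),    # word joiner, invisible operators
    (0x2066, 0x2069),    # bidi isolates
    (0xFE00, 0xFE0F),    # variation selectors
    (0xFEFF, 0xFEFF),    # zero-width no-break space (BOM in mid-file)
    (0xE0000, 0xE007F),  # Unicode "tag" characters
    (0xE0100, 0xE01EF),  # variation selector supplement
)


def is_suspicious(ch):
    """True if the single character falls in one of the flagged ranges."""
    cp = ord(ch)
    return any(lo <= cp <= hi for lo, hi in SUSPICIOUS_RANGES)


def scan_text(text):
    """Return (line_no, col_no, 'U+XXXX', unicode_name) for every hit.

    Line and column are 1-based; the column counts code points, not bytes,
    so it matches what an editor shows when the character is made visible.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for col_no, ch in enumerate(line, start=1):
            if is_suspicious(ch):
                name = unicodedata.name(ch, "<unassigned or private use>")
                findings.append((line_no, col_no, f"U+{ord(ch):04X}", name))
    return findings


def summarize(findings):
    """Group hits per line so a reviewer sees which lines carry hidden content."""
    per_line = {}
    for line_no, _col, cp, _name in findings:
        per_line.setdefault(line_no, []).append(cp)
    return per_line


# Constructed sample: a plausible extension entry point with a run of
# zero-width characters and Unicode tag characters spliced into line 3.
SAMPLE = (
    'const vscode = require("vscode");\n'
    'function activate(context) {\n'
    '  const cfg = "x\u200b\u200d\U000E0061\U000E0062y";\n'
    '  return cfg;\n'
    '}\n'
)

if __name__ == "__main__":
    hits = scan_text(SAMPLE)
    for line_no, col_no, cp, name in hits:
        print(f"line {line_no} col {col_no}: {cp} {name}")
    print(summarize(hits))
```

Run against a checked-out extension (`scan_text(open(path, encoding="utf-8").read())` per file) before installing or publishing; any hit inside a code file, as opposed to a localized string table, deserves a manual look, because there is rarely a legitimate reason for zero-width or tag characters in JavaScript or TypeScript source.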

Top Vulnerabilities Reported in the Last 24 Hours

Microsoft releases urgent patch

Microsoft released a critical patch for a remote code execution vulnerability (CVE-2025-59287) in WSUS, with a CVSS score of 9.8. The vulnerability stems from deserialization of untrusted data in WSUS, allowing attackers to execute commands with WSUS service account privileges. The flaw requires no authentication or user interaction, making it highly dangerous and capable of compromising update infrastructures. Microsoft classified the vulnerability as critical with probable exploitability, urging organizations to apply the patch immediately.

Lanscope Endpoint Manager bug actively exploited

CISA has issued a warning regarding a critical vulnerability in the Motex Lanscope Endpoint Manager, tracked as CVE-2025-61932, which has a severity score of 9.3. This flaw allows unauthenticated attackers to execute arbitrary code by sending specially crafted packets, affecting versions 9.4.7.2 and earlier. Reports indicate that the vulnerability has already been exploited in the wild, with malicious packets detected in customer environments. The Japanese firm Motex, a subsidiary of Kyocera Communication Systems, confirmed the existence of unauthorized packet activity and emphasized the urgent need for updates. CISA has added this vulnerability to its KEV catalog, requiring federal agencies to patch by November 12, amid rising exploitation activity in Japan linked to recent high-profile breaches.

Tags: YouTube Ghost Network, Lazarus Group, GlassWorm, WSUS, Motex Lanscope Endpoint Manager
