Cyware Daily Threat Intelligence, October 27, 2025

A new Android malware named Baohuo is rapidly spreading by disguising itself as a counterfeit version of the Telegram X app. Once installed, it allows attackers to seize complete control of a user's Telegram account, including messages and contacts.

Hackers are conducting widespread attacks on WordPress sites by exploiting vulnerabilities in outdated plugins. These critical flaws allow attackers to achieve remote code execution and install malicious plugins.

A new phishing technique known as CoPhish has been discovered exploiting Microsoft Copilot Studio agents to steal sensitive OAuth tokens. The attack works by sending fraudulent consent requests that appear to originate from legitimate Microsoft domains.

Top Malware Reported in the Last 24 Hours

Hackers exploit RedTiger to steal Discord data

Hackers are utilizing the open-source RedTiger tool to create an infostealer that targets Discord accounts and sensitive data. This malware collects a range of information, including payment details, browser credentials, cryptocurrency wallet data, and game accounts. By injecting custom JavaScript into Discord’s index.js, it intercepts API calls to capture login attempts, purchases, and password changes. The infostealer also extracts saved passwords, cookies, and credit card information from web browsers while scanning for various file types on the victim’s system. After gathering this data, the malware uploads it to GoFile, a cloud storage service, using a Discord webhook to send the download link to the attackers. RedTiger's features include anti-sandbox mechanisms and the ability to spawn numerous processes, making it difficult to analyze and detect.

APT36 targets Indian government with DeskRAT

APT36, a Pakistan-based threat actor group, has been targeting Indian government entities through spear-phishing attacks that deliver a Golang-based malware known as DeskRAT. This campaign involves phishing emails containing ZIP file attachments or links to archives on legitimate cloud services, which execute malicious payloads while displaying decoy PDFs. DeskRAT specifically targets BOSS Linux systems, using WebSockets for command-and-control communication and employing various persistence methods, including systemd services and cron jobs. 

New Baohuo malware compromises Telegram accounts

A new Android malware named Baohuo is rapidly spreading through counterfeit versions of Telegram X, allowing attackers to seize control of users' accounts. Disguised as a legitimate app, Baohuo connects to remote servers and provides full access to the victim's Telegram messages and contacts. Once installed, it employs the Xposed framework to manipulate app behavior, enabling it to hide unauthorized logins and erase traces of activity. With over 58,000 devices infected, primarily in India, Brazil, and Indonesia, Baohuo stands out for using a Redis database for C2, marking a significant evolution in Android malware. It has been found in popular third-party app stores, often misrepresented as the official Telegram app.

Top Vulnerabilities Reported in the Last 24 Hours

OpenAI Atlas omnibox vulnerability discovered

Researchers have identified a vulnerability in OpenAI's Atlas omnibox, enabling attackers to disguise malicious prompts as URLs. This flaw arises from a parsing error, allowing the system to treat malformed URLs as trusted instructions, which can bypass security checks. For instance, a disguised prompt could be hidden behind a 'Copy Link' button, tricking users into copying a harmful link that leads to phishing sites. Another example involves destructive commands, such as instructing the system to delete files from Google Drive using the user's authenticated session. This jailbreak technique poses significant risks, as it can override user intent and execute harmful actions without detection.

Hackers exploit outdated WordPress plugins

Hackers are conducting widespread attacks on WordPress websites by exploiting critical vulnerabilities in outdated plugins, specifically GutenKit and Hunk Companion. These vulnerabilities, tracked as CVE-2024-9234, CVE-2024-9707, and CVE-2024-11972, allow attackers to achieve RCE and install malicious plugins without proper authentication. Wordfence reported blocking approximately 8.7 million attack attempts over just two days. Despite available patches released in late 2024, many sites continue to run vulnerable versions of these plugins. Attackers are leveraging obfuscated scripts from a malicious plugin hosted on GitHub to maintain persistence, steal data, and execute commands.

Top Scams Reported in the Last 24 Hours

New CoPhish attack exploits OAuth tokens

A new phishing technique known as CoPhish has emerged, exploiting Microsoft Copilot Studio agents to steal OAuth tokens through fraudulent consent requests sent via legitimate Microsoft domains. Developed by researchers at Datadog Security Labs, this method takes advantage of the customizable nature of Copilot Studio agents, which can be configured to mislead users into logging in. Attackers create malicious multi-tenant applications that redirect users to authentication providers while capturing session tokens. The attack can target both unprivileged users and administrators, with the latter remaining vulnerable despite Microsoft's planned updates. Users may unknowingly grant permissions to these malicious apps, leading to session hijacking without any notifications, as the token transmissions appear to come from trusted Microsoft IP addresses.

Smishing triad targets millions with phishing

A China-linked group known as the Smishing Triad has been linked to over 194,000 malicious domains in a large-scale phishing campaign since January 2024, targeting various services globally. This group uses fraudulent messages about toll violations and package misdeliveries to deceive users into revealing sensitive information, reportedly earning over $1 billion in the past three years. Their operations are supported by a PhaaS ecosystem that includes developers, data brokers, and spammers. Most of the domains are registered under a Hong Kong registrar and are often active for only a few days, demonstrating a strategy designed to evade detection. The campaign impersonates a wide range of services, with U.S. toll services being the most frequently targeted.