Cyware Daily Threat Intelligence, October 28, 2025

A sophisticated phishing campaign by the Gamaredon group is targeting government entities using a critical WinRAR vulnerability. The flaw allows attackers to deploy malware when a user simply opens a seemingly benign PDF document inside a RAR archive.
A new variant of the Gunra ransomware is targeting Linux systems with ELF binaries and ChaCha20 encryption. While it can encrypt both files and full disks, researchers have found a critical flaw in its random number generation.
The Apache Software Foundation has reported two significant vulnerabilities in Apache Tomcat. One is a critical directory traversal flaw that could lead to remote code execution. The other one involves improper log handling that attackers could use to deceive system administrators.
Top Malware Reported in the Last 24 Hours
Gamaredon exploits WinRAR bug in phishing
A sophisticated phishing campaign by the Gamaredon threat group is targeting government entities by exploiting a critical WinRAR vulnerability, CVE-2025-8088. This path traversal vulnerability allows attackers to deliver weaponized RAR archives that deploy malicious HTA files with no user interaction beyond opening a seemingly benign PDF document inside the archive. Once executed, the malware gains persistence by placing itself in the Windows Startup folder, ensuring it runs automatically upon reboot.
Water Saci malware evolves through WhatsApp
The Water Saci malware campaign has significantly evolved, utilizing WhatsApp as its primary infection vector to spread malicious ZIP files through hijacked web sessions. This campaign employs advanced techniques, including script-based automation via VBS and PowerShell, allowing for fileless execution and persistence. The malware features a sophisticated email-based C2 infrastructure that uses IMAP connections to retrieve operational commands, enabling real-time control over infected systems. Additionally, it can harvest WhatsApp contacts and automate message distribution, effectively converting compromised machines into coordinated botnet tools.
New Gunra ransomware variant targets Linux
A new variant of the Gunra ransomware, active since April 2025, is targeting Linux systems using ELF binaries. This variant employs the ChaCha20 encryption algorithm. The ransomware is configurable via command-line arguments and supports both file and disk encryption. Gunra ransomware has been actively targeting organizations globally, including reported incidents in South Korea. The malware is distributed in both EXE (Windows) and ELF (Linux) formats. A critical flaw exists in the random number generation function used to create the ChaCha20 key and nonce. The function seeds rand() with time(); because the loop iterates far faster than the clock advances, consecutive iterations reuse the same seed and therefore obtain the same rand() output. This results in repeated byte patterns in the key and nonce, making them cryptographically weak.
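The weakness described above is a general C anti-pattern, not something specific to this malware. The following added example (written for this digest, not Gunra's code) models the pattern so its effect can be reproduced deterministically: the clock is passed in as a function pointer, so a frozen clock stands in for "the loop ran within one clock tick". The hypothetical weak_fill() re-seeds rand() on every byte the way the text describes, count_distinct() measures how much entropy the buffer actually holds, and strong_fill() shows the correct approach of drawing key material from the operating system's CSPRNG (here /dev/urandom).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Hypothetical model of the flawed pattern: srand(time()) inside the loop.
 * The clock source is injected so the behaviour can be reproduced without
 * depending on wall-clock timing. */
void weak_fill(unsigned char *out, size_t n, time_t (*clock_fn)(void)) {
    for (size_t i = 0; i < n; i++) {
        srand((unsigned) clock_fn());          /* re-seeded every iteration */
        out[i] = (unsigned char) (rand() & 0xff);
    }
}

/* Constructed clock that never advances: every iteration sees the same seed,
 * which is what happens when the loop runs faster than time() changes. */
time_t frozen_clock(void) { return (time_t) 1700000000; }

/* The real clock, for comparison when running the program stand-alone. */
time_t real_clock(void) { return time(NULL); }

/* Number of distinct byte values in the buffer: a crude entropy indicator.
 * A fresh 32-byte key should have close to 32; a re-seeded one has 1. */
size_t count_distinct(const unsigned char *buf, size_t n) {
    int seen[256] = {0};
    size_t distinct = 0;
    for (size_t i = 0; i < n; i++)
        if (!seen[buf[i]]++) distinct++;
    return distinct;
}

/* Correct approach: ask the OS CSPRNG for key material. Returns 0 on success. */
int strong_fill(unsigned char *out, size_t n) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t got = fread(out, 1, n, f);
    fclose(f);
    return got == n ? 0 : -1;
}

static void hexdump(const char *label, const unsigned char *b, size_t n) {
    printf("%-18s", label);
    for (size_t i = 0; i < n; i++) printf("%02x", b[i]);
    printf("  (%zu distinct bytes)\n", count_distinct(b, n));
}

int main(void) {
    unsigned char key[32];

    weak_fill(key, sizeof key, frozen_clock);
    hexdump("weak/frozen:", key, sizeof key);

    weak_fill(key, sizeof key, real_clock);   /* usually identical bytes too */
    hexdump("weak/real clock:", key, sizeof key);

    if (strong_fill(key, sizeof key) == 0)
        hexdump("urandom:", key, sizeof key);
    else
        puts("urandom unavailable");
    return 0;
}
```

Because rand() is a deterministic function of its seed, re-seeding with an unchanged value before every call makes each byte equal to the same first output, so the whole key collapses to one repeated byte; the real-clock run shows the same collapse whenever the loop completes within one clock tick. The defensive lesson for code review is simple: any key or nonce derived from rand(), or from any PRNG seeded with the time, is a finding regardless of the cipher that consumes it.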
Top Vulnerabilities Reported in the Last 24 Hours
QNAP warns of ASP.NET flaw
QNAP has issued a warning regarding a critical ASP.NET Core vulnerability, tracked as CVE-2025-55315, which affects its NetBak PC Agent, a Windows utility for backing up data to QNAP NAS devices. This security bypass flaw, identified in the Kestrel ASP.NET Core web server, allows attackers with low privileges to hijack user credentials or circumvent front-end security controls through HTTP request smuggling. If exploited, attackers could gain unauthorized access, escalate privileges, or perform injection attacks. Microsoft previously classified this vulnerability with the highest severity rating for ASP.NET Core flaws.
Apache Tomcat bugs allow RCE
The Apache Software Foundation has identified two significant vulnerabilities in Apache Tomcat, affecting versions 9, 10, and 11. The first, tracked as CVE-2025-55752, is a critical directory traversal flaw that allows RCE on vulnerable servers when PUT requests are enabled. This weakness enables attackers to bypass security measures and upload malicious files to sensitive directories. The second vulnerability, CVE-2025-55754, involves improper handling of ANSI escape sequences in log messages, which can manipulate the console display and potentially deceive system administrators into executing harmful commands.
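The second Tomcat issue is an instance of log injection: attacker-controlled bytes reach a log that an administrator later views in a terminal, where ANSI escape sequences can clear the screen, recolour text or overwrite earlier lines. The generic mitigation is to strip terminal control sequences from untrusted values before they are written. The function below is an added example for this digest, not Tomcat's fix: it removes CSI sequences (ESC '[' parameters final-byte) whole, drops any other two-byte escape, and replaces remaining C0 control characters (including CR and LF, which would otherwise let input forge an extra log line) with '?' so the tampering attempt remains visible in the record.

```c
#include <stddef.h>
#include <string.h>

/* Copy `in` to `out` (capacity outsz, always NUL-terminated), removing ANSI
 * escape sequences and neutralising control characters. Returns the number
 * of bytes written, excluding the terminator. */
size_t sanitize_for_log(const char *in, char *out, size_t outsz) {
    size_t o = 0;
    if (outsz == 0) return 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        unsigned char c = (unsigned char) in[i];
        if (c == 0x1b) {                          /* ESC */
            if (in[i + 1] == '[') {               /* CSI: ESC [ params final */
                i += 2;
                while (in[i] != '\0') {
                    unsigned char d = (unsigned char) in[i];
                    if (d >= 0x40 && d <= 0x7e) break;   /* final byte */
                    i++;
                }
                if (in[i] == '\0') break;         /* truncated sequence at end */
                continue;                         /* final byte consumed */
            }
            if (in[i + 1] != '\0') i++;           /* e.g. ESC c (reset) */
            continue;
        }
        if (c < 0x20 || c == 0x7f) c = '?';       /* CR, LF, TAB, DEL, ... */
        if (o + 1 >= outsz) break;                /* leave room for NUL */
        out[o++] = (char) c;
    }
    out[o] = '\0';
    return o;
}

#ifdef SANITIZE_DEMO
#include <stdio.h>
int main(void) {
    /* Constructed sample: a "username" that tries to clear the screen and
     * forge a second log line in red. */
    const char *hostile = "\x1b[2J\x1b[Hadmin logged in\r\n\x1b[31mALERT";
    char clean[128];
    sanitize_for_log(hostile, clean, sizeof clean);
    printf("LOGIN user=\"%s\"\n", clean);      /* LOGIN user="admin logged in??ALERT" */
    return 0;
}
#endif
```

Apply the filter at the point where untrusted data enters a log message, not when the log is displayed, so every consumer (terminal, SIEM, ticketing tool) sees the same sanitised value. The same check is useful in detection: a log field that arrives containing ESC or bare CR/LF is itself worth alerting on, since legitimate usernames and paths never contain them.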