Cyware Daily Threat Intelligence, October 29, 2025

The Qilin ransomware group is using an innovative technique to evade security tools by leveraging WSL. This method allows the attackers to run their Linux-based encryptors directly on compromised Windows systems, bypassing conventional defenses.
A new Android malware family, named Herodotus, is simulating human typing to avoid detection by security software. The malware primarily spreads through SMS phishing and uses fake loading screens to trick users into granting it Accessibility permissions.
CISA is warning about two actively exploited vulnerabilities in Dassault Systèmes' DELMIA Apriso, a widely used manufacturing management solution. The first flaw allows unauthenticated attackers to gain privileged access, while the second enables remote code execution.
Top Malware Reported in the Last 24 Hours
Meet the new Atroposia RAT
Atroposia is a feature-rich RAT that enables low-skill attackers to execute complex cyberattacks, including stealthy remote desktop access, credential theft, and DNS hijacking. The malware uses encrypted command channels, privilege escalation, and persistence mechanisms to evade detection and remain active on infected systems. Atroposia's fileless data exfiltration capabilities and clipboard snooping allow attackers to steal sensitive information with minimal traces. The RAT includes a vulnerability scanner to identify exploitable weaknesses on compromised systems, further enhancing its attack potential.
Qilin ransomware runs Linux encryptors in Windows
Qilin ransomware is leveraging the Windows Subsystem for Linux (WSL) to run Linux encryptors on Windows systems, allowing it to evade traditional security tools. Emerging in 2022, Qilin has become one of the most active ransomware groups, attacking over 700 victims across 62 countries in 2025. Affiliates use a variety of legitimate applications, such as AnyDesk and Splashtop, to breach networks and steal data. They also employ BYOVD techniques to disable security software by exploiting signed but vulnerable drivers. The Linux encryptor, which targets VMware ESXi virtual machines, is transferred with WinSCP and executed through WSL; this sidesteps conventional Windows security solutions, which primarily monitor Windows PE behavior.
New Herodotus malware fakes human typing
A new Android malware family, Herodotus, employs random delay injection in its input routines to simulate human typing and evade detection by security software. Offered as a MaaS, it is primarily targeting users in Italy and Brazil through SMS phishing attacks. The malware circumvents Accessibility permission restrictions in Android 13 and later by prompting users to enable the service and disguising the permission-granting process with fake loading screens. Once granted access, Herodotus can interact with the user interface, including entering text and tapping on screen coordinates. Its unique "humanizer" mechanism introduces random delays of 0.3 to 3 seconds between inputs, mimicking natural typing patterns. Additionally, Herodotus provides operators with features such as customizable SMS messages, overlays that mimic banking apps, and tools for intercepting 2FA codes.
Researchers spot 10 malicious npm packages
Socket researchers uncovered 10 malicious npm packages that executed credential-stealing malware upon installation. The packages used typosquatting to mimic legitimate libraries and abused npm's postinstall hook so that the malicious code ran automatically during installation. The payload was wrapped in four layers of obfuscation (self-decoding eval wrappers, XOR decryption, URL encoding, and control-flow obfuscation) to evade static analysis, and it used social engineering, such as fake CAPTCHA prompts, to appear legitimate and delay detection. The stealer collected session cookies, SSH keys, OAuth tokens, and API keys, enabling access to a range of services and infrastructure.
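As an added example, not code from the Socket report or from any of the packages it describes, the following Python audit walks a node_modules tree for the two traits described above: install-time lifecycle scripts in package.json and obfuscation markers in the shipped JavaScript. The regexes, the package names and the fixture built by demo() are constructed assumptions for illustration.

```python
import json
import re
import tempfile
from pathlib import Path

# npm lifecycle scripts that run automatically during "npm install".
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed heuristics for eval wrappers, XOR decoding loops and URL-encoded blobs.
OBFUSCATION_PATTERNS = {
    "eval_wrapper": re.compile(r"\beval\s*\(|new\s+Function\s*\("),
    "xor_decode": re.compile(r"charCodeAt\([^)]*\)\s*\^"),
    "url_encoded_blob": re.compile(r"(?:%[0-9A-Fa-f]{2}){8,}"),
}

def audit_package(pkg_dir):
    """Report install hooks and obfuscation markers for one unpacked package."""
    pkg_dir = Path(pkg_dir)
    manifest = json.loads((pkg_dir / "package.json").read_text(encoding="utf-8"))
    scripts = manifest.get("scripts") or {}
    hooks = {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}
    markers = {}
    for js_file in pkg_dir.rglob("*.js"):
        rel = js_file.relative_to(pkg_dir)
        if "node_modules" in rel.parts: continue  # nested deps are audited on their own
        text = js_file.read_text(encoding="utf-8", errors="replace")
        hits = [name for name, rx in OBFUSCATION_PATTERNS.items() if rx.search(text)]
        if hits:
            markers[rel.as_posix()] = hits
    # Install-time execution combined with obfuscated code is what merits review before a build.
    return {"name": manifest.get("name", "<unnamed>"), "install_hooks": hooks,
            "obfuscation": markers, "review": bool(hooks) and bool(markers)}

def audit_node_modules(root):
    """Audit every package under a node_modules tree; return those flagged for review."""
    reports = (audit_package(m.parent) for m in Path(root).rglob("package.json"))
    return [r for r in reports if r["review"]]

def demo():
    """Constructed fixture: one benign package and one look-alike with a postinstall stealer."""
    root = Path(tempfile.mkdtemp()) / "node_modules"
    for name, scripts, body in (
        ("good-lib", {"test": "node test.js"}, "module.exports = (a, b) => a + b;"),
        ("g00d-lib", {"postinstall": "node index.js"},
         "eval(s.split('').map(c => String.fromCharCode(c.charCodeAt(0) ^ 42)).join(''));"),
    ):
        pkg = root / name
        pkg.mkdir(parents=True)
        (pkg / "package.json").write_text(json.dumps({"name": name, "scripts": scripts}))
        (pkg / "index.js").write_text(body)
    return audit_node_modules(root)
```

Running demo() flags only the look-alike package; in practice the same audit can gate a CI step before `npm ci` output is trusted.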
Top Vulnerabilities Reported in the Last 24 Hours
Active exploitation of Dassault bugs, CISA warns
CISA has issued a warning about two actively exploited vulnerabilities in Dassault Systèmes' DELMIA Apriso, a solution used for manufacturing operations management. The first vulnerability, CVE-2025-6205, is a critical authorization flaw that allows unauthenticated attackers to gain privileged access, while the second, CVE-2025-6204, is a high-severity code injection vulnerability that enables attackers with elevated privileges to execute arbitrary code. Dassault Systèmes patched these vulnerabilities, which affect versions from Release 2020 through Release 2025, in August. CISA added them to its KEV Catalog, urging all IT administrators to prioritize addressing these issues. DELMIA Apriso is widely utilized in sectors such as automotive, aerospace, and electronics.
CISA adds WSUS bug to KEV catalog
A critical vulnerability in Windows Server Update Services (WSUS), identified as CVE-2025-59287, is currently being exploited by threat actors. This flaw allows unauthenticated attackers to execute remote code with system privileges by sending malicious encrypted cookies to the GetCookie() endpoint. Microsoft released an emergency patch to address the issue, which has been added to the KEV catalog, emphasizing its significant risks to federal agencies. As WSUS is a popular tool for managing Microsoft product updates, its compromise could enable attackers to distribute malicious updates across entire networks, posing a serious threat to large enterprises.