Daily Threat Briefing
Diamond Trail

Cyware Daily Threat Intelligence, October 31, 2025


A legitimate hacking tool has been turned into a weapon for cybercrime. Russian attackers are increasingly using AdaptixC2, an open-source penetration testing tool, to deploy ransomware and malware in live attacks.

A new vulnerability named Brash has been discovered that can instantly crash popular browsers like Google Chrome and Microsoft Edge. This flaw allows an attacker to completely freeze the browser using just a single malicious URL.

A widespread scam is exploiting the PayPal brand to panic victims. Attackers are sending fake invoices for $823, pressuring users to call a phone number where scammers wait to take remote control of their computers.

Top Malware Reported in the Last 24 Hours

AdaptixC2 tool exploited by Russian cybercriminals

Russian cybercriminals are increasingly using the open-source command-and-control framework AdaptixC2, originally designed for penetration testing, to carry out ransomware attacks worldwide. Research reveals that the tool, maintained by an individual known as “RalfHacker,” has been linked to various malicious activities, including the distribution of CountLoader malware and fraudulent PDFs impersonating Ukraine’s national police. Despite its legitimate purpose, AdaptixC2 has become a favorite among Russian threat actors, raising concerns about the intersection of ethical hacking and cybercrime.

Surge in NFC relay malware threats

A significant increase in NFC relay malware has been observed in Eastern Europe, with researchers identifying over 760 malicious Android apps exploiting Near-Field Communication technology to steal credit card information. This malware utilizes Host Card Emulation to mimic or capture contactless payment data, enabling unauthorized transactions without the physical presence of the cardholder. The malware first emerged in Poland in 2023 and has since expanded to countries like Russia and the Czech Republic. Various techniques have been employed, including data harvesting and "ghost-tap" payments, with many of the malicious apps impersonating legitimate financial institutions. Additionally, more than 70 C2 servers and numerous Telegram channels facilitate the operation and data exfiltration associated with these campaigns.

Lampion trojan resurfaces with ClickFix

A Brazilian cybercriminal group has enhanced its long-running Lampion Stealer campaign, which targets Portuguese banks using sophisticated social engineering and multi-stage infection chains. Since its initial discovery in 2019, the malware has evolved significantly, incorporating ClickFix lures that trick victims into executing malicious commands. Phishing emails, crafted to appear legitimate with banking themes, have become a primary delivery method, often sent from compromised accounts. The infection process involves multiple obfuscated Visual Basic script stages, ultimately delivering a bloated 700MB DLL file that employs advanced obfuscation techniques to evade detection.

Top Vulnerabilities Reported in the Last 24 Hours

CISA flags VMware zero-day vulnerability

CISA flagged a critical vulnerability, CVE-2025-41244, affecting Broadcom VMware Tools and VMware Aria Operations, which has been actively exploited by a China-linked threat actor known as UNC5174. This high-severity flaw, with a CVSS score of 7.8, allows attackers with non-administrative privileges to escalate their access to root-level permissions on virtual machines that have VMware Tools installed and are managed by Aria Operations with SDMP enabled. Although VMware addressed the vulnerability in October 2024, it had already been exploited as a zero-day by unknown actors. Additionally, CISA included a serious remote code execution vulnerability in XWiki in its catalog, linked to attempts by threat actors to deploy cryptocurrency miners.

Severe vulnerability identified in Chromium’s Blink

A new vulnerability named Brash has been discovered in the Blink rendering engine of Chromium-based browsers, enabling attackers to crash these browsers within seconds using a single malicious URL. This exploit takes advantage of the lack of rate limiting on the "document.title" API, allowing for an overwhelming number of DOM mutations—up to 24 million updates per second—leading to browser unresponsiveness. The attack occurs in three phases: generating unique hexadecimal strings, executing rapid title updates, and saturating the browser's main thread. Notably, Brash can be programmed to activate at specific times, functioning like a logic bomb. Affected browsers include Google Chrome, Microsoft Edge, and others, while Mozilla Firefox and Apple Safari remain unaffected.
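The root cause described above is the absence of any rate limit on title writes, so it is worth seeing what such a limit looks like. The following is an added example, not code from the briefing or from the Brash researchers: a wrapper that spaces real writes at least `1000 / maxPerSecond` ms apart and collapses a burst to its newest value (last-write-wins), so a runaway loop can no longer monopolise the main thread. The plain object standing in for `document`, the injectable clock and the `simulateBurst` driver are assumptions made so the code runs under Node.

```javascript
// Added example, not code from the briefing or from the Brash researchers.
// Blink's document.title setter applies no rate limit, so a page can push
// millions of writes per second at the main thread. This wrapper shows what a
// limit looks like: writes are spaced at least `1000 / maxPerSecond` ms apart
// and a burst collapses to its newest value (last-write-wins). The plain
// object standing in for `document` and the injectable clock are demo
// assumptions so the code runs under Node.

function makeRateLimitedTitleSetter(doc, { maxPerSecond = 10, now = () => Date.now() } = {}) {
  const windowMs = 1000 / maxPerSecond;  // minimum spacing between real writes
  let lastWrite = -Infinity;             // clock value of the last real write
  let pending = null;                    // newest value requested inside a blocked window
  const stats = { requested: 0, applied: 0, coalesced: 0 };

  function write(value) {
    doc.title = value;                   // the only place the document is touched
    lastWrite = now();
    stats.applied += 1;
  }

  return {
    // Request a title change; it is applied now or parked until the window ends.
    set(value) {
      stats.requested += 1;
      if (now() - lastWrite >= windowMs) {
        pending = null;
        write(value);
      } else {
        if (pending !== null) stats.coalesced += 1;  // an earlier parked value is dropped
        pending = value;
      }
    },
    // Apply the parked value once the window has elapsed; returns true if it did.
    flush() {
      if (pending === null || now() - lastWrite < windowMs) return false;
      const value = pending;
      pending = null;
      write(value);
      return true;
    },
    stats: () => ({ ...stats, pending }),
  };
}

// Drive the wrapper with a fake clock: `count` writes `spacingMs` apart, then
// let one window pass and flush, as an extension's timer would (assumed setup).
function simulateBurst(count, maxPerSecond, spacingMs = 0.1) {
  let t = 0;
  const doc = { title: 'initial' };      // stand-in for window.document
  const setter = makeRateLimitedTitleSetter(doc, { maxPerSecond, now: () => t });
  for (let i = 0; i < count; i += 1) {
    setter.set(`title ${i}`);
    t += spacingMs;
  }
  t += 1000 / maxPerSecond;
  setter.flush();
  return { title: doc.title, ...setter.stats() };
}

// 1,000 writes in roughly 100 ms reach the document as 2 writes.
console.log(simulateBurst(1000, 10));
```

Installing a wrapper like this from a browser extension (by redefining the `document.title` accessor) only protects the pages where the extension runs; the durable fix is the same limit inside the rendering engine, which is where the write-up places the defect.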

Top Scams Reported in the Last 24 Hours

Beware of this fake PayPal invoice scam

A recent tech support scam involves fake PayPal invoices claiming that users owe $823, urging them to call a provided number. This tactic exploits urgency and employs unverified contact details, misleading victims into believing they must act quickly. Scammers often use generic sender addresses and empty email bodies, raising red flags about authenticity. Upon contacting the listed number, victims encounter scammers posing as tech support, who may gain remote access to their computers under false pretenses. These scammers typically install malicious software or sell fake protection services, leading to significant financial loss.
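The red flags listed above (an "invoice" for a fixed dollar amount, a phone number the reader is told to call, an empty body, a generic sender address) translate directly into a mail-triage rule. The block below is an added example, not code from the briefing: a small scorer that applies those indicators to messages and returns a verdict with reasons. The weights, thresholds, sender-domain list and sample messages are constructed for this demo, and the 555-01xx phone number is a reserved fictional one.

```javascript
// Added example, not from the briefing: a scoring rule for invoice-themed
// tech-support lures, built from the red flags the write-up lists. Weights,
// thresholds and the sample messages are constructed for this demo.

const PHONE_RE = /(\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}/;
const AMOUNT_RE = /\$\s?\d{1,3}(,\d{3})*(\.\d{2})?/;
const URGENCY_RE = /\b(immediately|within 24 hours|urgent|call now|unauthori[sz]ed)\b/i;
// Assumed list of webmail domains a real billing system would not send from.
const GENERIC_SENDER_DOMAINS = new Set(['gmail.com', 'outlook.com', 'yahoo.com', 'hotmail.com']);

function isPayPalDomain(domain) {
  return domain === 'paypal.com' || domain.endsWith('.paypal.com');
}

// Score one message ({ from, subject, body }) and explain every point awarded.
function scoreInvoiceLure(msg) {
  const text = `${msg.subject}\n${msg.body}`;
  const senderDomain = (msg.from.split('@')[1] || '').toLowerCase();
  const hits = [];
  const flag = (weight, why) => hits.push({ weight, why });
  const asksToCall = /\bcall\b/i.test(text);

  if (GENERIC_SENDER_DOMAINS.has(senderDomain)) flag(2, 'sender uses a generic webmail domain');
  if (/paypal/i.test(text) && !isPayPalDomain(senderDomain)) flag(2, 'PayPal named but sender domain is not paypal.com');
  if (msg.body.trim().length === 0) flag(2, 'empty message body');
  if (PHONE_RE.test(text)) flag(asksToCall ? 2 : 1, asksToCall ? 'phone number with an instruction to call' : 'phone number present');
  if (/\binvoice\b/i.test(text) && AMOUNT_RE.test(text)) flag(1, 'invoice wording with a dollar amount');
  if (URGENCY_RE.test(text)) flag(1, 'urgency language');

  const score = hits.reduce((sum, h) => sum + h.weight, 0);
  const verdict = score >= 5 ? 'likely tech-support lure' : score >= 2 ? 'suspicious' : 'no strong signal';
  return { score, verdict, reasons: hits.map((h) => h.why) };
}

// Constructed sample messages (not real mail): one lure modelled on the $823
// invoice scam, one terse vendor reminder, one ordinary receipt.
const SAMPLE_MESSAGES = [
  {
    from: 'paypal.billing.8831@gmail.com',
    subject: 'PayPal Invoice #48213 for $823.00 - call 1-888-555-0142 to dispute',
    body: '',
  },
  {
    from: 'notices@vendor.example',
    subject: 'Invoice $120.00 overdue',
    body: 'Please pay within 24 hours.',
  },
  {
    from: 'receipts@shop.example',
    subject: 'Your receipt for order 10427',
    body: 'Thanks for your purchase. Total charged: $42.50. Questions? Reply to this email.',
  },
];

function triage(messages) {
  return messages.map((m) => ({ from: m.from, ...scoreInvoiceLure(m) }));
}

console.log(triage(SAMPLE_MESSAGES));
```

The reasons array is the useful output for an analyst or a user-facing warning banner: a verdict alone teaches nobody why the message was held, while "empty body, generic sender, phone number you are told to call" is exactly the checklist the scam relies on people not applying.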

Tags: PayPal invoice scam, Brash, CVE-2025-41244, Lampion Stealer, NFC relay malware, AdaptixC2
