Cyware Daily Threat Intelligence, September 17, 2025

shutterstock 1534090004

Daily Threat Briefing September 17, 2025

Wriggling through npm like a digital sandworm, Shai-Hulud is hijacking developer accounts to poison popular packages. This JavaScript worm steals tokens, deploys TruffleHog to snatch secrets, and creates public “Shai-Hulud” GitHub repos, exposing sensitive code across over 700 repositories.

Slipping past defenses with Russian flair, XillenStealer is plundering data across Windows, Linux, and macOS. Using a Tkinter GUI, this Python malware grabs credentials, crypto wallets, and gaming tokens, employing anti-debugging and Telegram exfiltration to stay covert.

A BitLocker bypass dubbed BitPixie is cracking open encrypted drives with a sneaky PXE reboot trick. Exploiting a 2005-2022 Windows Boot Manager flaw, attackers extract keys from memory, with Microsoft’s May 2023 patch swapping certificates to block this downgrade attack.

Top Malware Reported in the Last 24 Hours

Supply chain worm affects npm packages

A sophisticated worm named Shai-Hulud has infiltrated the npm ecosystem, targeting popular packages with millions of weekly downloads. The 3MB+ JavaScript malware compromises npm developer accounts, injecting itself into maintained packages to spread further. Each infected package triggers a malicious bundle.js script upon installation, designed to steal npm, GitHub, AWS, and GCP tokens, while also deploying TruffleHog to detect up to 800 secrets. The worm creates public GitHub repositories named “Shai-Hulud” to store stolen secrets and uses GitHub Actions to exfiltrate tokens to a remote server. Additionally, it converts private repositories to public, exposing sensitive code and vulnerabilities. Impacting over 700 GitHub repositories, this campaign is linked to the earlier s1ngularity/Nx supply chain attack, amplifying its reach through compromised developer accounts and stolen tokens.

PureHVNC RAT abuses GitHub

Developers of the PureHVNC RAT have been exposed for using GitHub repositories to host critical components and plugin source code for their Pure malware family. The campaign started with a phishing attack tricking victims into running a PowerShell payload via a fake job listing, leading to a Rust-based loader that installed PureHVNC RAT instances identified as “2a” and “amazon3.” Attackers deployed malicious JavaScript files, established persistence through scheduled tasks, and executed the Sliver C2 framework, while the RAT exfiltrated system details like antivirus software, user privileges, and OS information via SSL-secured, compressed payloads up to 16 KB. Forensic analysis revealed the RAT's command set, modular plugin system with runtime decompression, and integration with PureCrypter for customizable encryption and injection. The builder supports English, Russian, and Chinese, with the Rust loader hooking LdrLoadDll to disable AMSI scanning and executing shellcode.

Python stealer XillenStealer targets sensitive data

XillenStealer, a Python-based information stealer targets sensitive data across Windows, Linux, and macOS. Written in Russian, it uses a Tkinter GUI builder (V3.0) with password-protected access to customize and compile modular scripts that harvest system metadata, browser credentials, cryptocurrency wallets, Discord and Steam tokens, Telegram sessions, and game launcher data. Featuring anti-debugging, virtual machine detection, and process injection into explorer.exe, it ensures stealth, while persistence is achieved through scheduled tasks or cron jobs. Stolen data is compiled into structured text and HTML reports, segmented into smaller archives for reliable Telegram bot exfiltration. 

Top Vulnerabilities Reported in the Last 24 Hours

Multiple flaws in Chaos Mesh

Critical vulnerabilities in Chaos Mesh, an open-source Chaos Engineering platform for Kubernetes, could enable remote code execution and full cluster takeover. Dubbed Chaotic Deputy, these flaws include CVE-2025-59358 (CVSS 7.5), exposing an unauthenticated GraphQL server for process termination, and CVE-2025-59359, CVE-2025-59360, and CVE-2025-59361 (CVSS 9.8 each), allowing command injection via GraphQL mutations. Exploitable with minimal in-cluster network access, attackers can execute arbitrary commands, disrupt services, steal sensitive data, or escalate privileges. The issues arise from inadequate authentication in the Chaos Controller Manager’s GraphQL server. Chaos Mesh addressed them in version 2.7.3.

BitPixie flaw bypasses BitLocker encryption

A critical vulnerability dubbed BitPixie (CVE-2023-21563) in Windows Boot Manager enables attackers to bypass BitLocker encryption and escalate privileges on systems from 2005 to 2022. The flaw arises from a bug in the PXE soft reboot feature, where the BitLocker Volume Master Key persists in memory post-reboot, allowing extraction via memory scanning for signatures like “-FVE-FS-.” Attackers perform a downgrade attack by loading an unpatched older boot manager, crafting a custom Boot Configuration Data file tailored to the target's identifiers, and using network-based PXE booting for a two-stage exploitation. This grants full access to encrypted drives, even those with BitLocker Pre-Boot Authentication and PIN protection. Microsoft addressed it via patch KB5025885 in May 2023, replacing the 2011 certificate with Windows UEFI CA 2023 to block downgrades and prepare for the old certificate's 2026 expiration.

Related Threat Briefings

Sep 16, 2025

Cyware Daily Threat Intelligence, September 16, 2025

Maranhão Stealer is hunting gamers through pirated software. Built with Node.js and Inno Setup, it mimics Microsoft components to hide, using DLL injection for persistence. It steals crypto wallet credentials, grabbing hardware and network data for targeted attacks. AppSuite, OneStart, and ManualFinder are a malware triple threat. Posing as legit tools like PDF editors, they use Electron and PowerShell to track users and install sneaky extensions. Active since 2018, they evolve with randomized domains for control. Phoenix is cracking DDR5 memory defenses wide open. This Rowhammer variant bypasses SK Hynix protections, flipping bits to gain root access in minutes. It targets RSA-2048 keys and binaries, impacting all DDR5 chips from 2021 to 2024.

Sep 15, 2025

Cyware Daily Threat Intelligence, September 15, 2025

From the shadows of the darknet, the Yurei ransomware group has emerged, targeting organizations in Sri Lanka, India, and Nigeria with a double-extortion scheme that encrypts files and leaks sensitive data. Operating from a suspected base in Morocco, the group’s darknet blog pressures victims with data leak threats, highlighting the growing risk of low-skill ransomware operations. Masquerading as legitimate tools, the WhiteCobra group has infiltrated VS Code and OpenVSX marketplaces with 24 malicious extensions aimed at stealing cryptocurrency and sensitive data. By inflating download counts, WhiteCobra exploits developer trust, exposing critical weaknesses in marketplace security. A flaw in the CUPS printing system has left Linux systems vulnerable to remote crashes and authentication bypasses. Stemming from unsafe deserialization in the libcups library, this vulnerability disrupts printing services and can be exploited with simple Python scripts, requiring only network adjacency.

Sep 12, 2025

Cyware Daily Threat Intelligence, September 12, 2025

Mustang Panda's latest ToneShell variant is digging deep into systems with slick persistence moves. Delivered via DLL sideloading in archives, it dodges analysis, enforces single-instance rules, and sets up scheduled tasks in user directories. XOR-obfuscated payloads communicate via fake TLS to C2 servers, generating unique GUIDs per machine for ongoing ops. Researchers uncovered a RAT storm hitting Chinese users since May. Phishing on GitHub Pages drops ValleyRAT, FatalRAT, and kkRAT, the latter echoing Ghost RAT with beefed-up encryption and commands. kkRAT sniffs sandboxes, hijacks clipboards for crypto swaps, and installs RMM tools like Sunlogin, all via multi-stage shellcodes. Akira ransomware is busting into networks through SonicWall's CVE-2024-40766 flaw. This unpatched SSL VPN hole lets them snag access, but SonicWall's August patch plus password resets can block it. ACSC warns of fresh exploits since September, with 40 incidents probed.

Sep 11, 2025

Cyware Daily Threat Intelligence, September 11, 2025

Slipping through macOS like a shadow in the fog, ChillyHell malware cloaks itself as a harmless app to wreak havoc. Using LaunchAgent, LaunchDaemon, and shell injections, it digs into systems at boot, stealing data and launching reverse shells while evading Apple’s notarization checks. A rogue Chrome extension, Madgicx Plus, is preying on Meta advertisers with a slick AI optimization pitch. This malware, spread through polished domains tied to past scams, hijacks Google and Facebook accounts, siphoning off valuable ad assets with deceptive ease. NVIDIA’s NVDebug tool is under siege from three high-severity flaws, opening doors to code execution and privilege escalation. These vulnerabilities, with the worst scoring 8.2, allow attackers to tamper with systems or steal data in multi-user setups, fixed in version 1.7.0.

Sep 10, 2025

Cyware Daily Threat Intelligence, September 10, 2025

Masquerading as harmless GitHub files, Kimsuky is sneaking malware into systems with malicious LNK files. These trigger PowerShell scripts to steal system metadata and upload it to private repositories, using scheduled tasks for persistent espionage targeting sensitive networks. Slipping into devices like a digital ghost, Buterat backdoor is hitting government and enterprise systems via phishing and trojanized downloads. It hides in processes, tweaks registry keys for persistence, and uses encrypted C2 channels to drop payloads and evade detection. Microsoft’s latest patch tackles 81 flaws, including two zero-day vulnerabilities in Windows SMB and Newtonsoft.Json. With nine critical fixes addressing remote code execution and privilege escalation, enabling SMB protections is urged, though compatibility hiccups may arise.

Sep 9, 2025

Cyware Daily Threat Intelligence, September 09, 2025

Slipping through phishing emails like a digital ninja, MostereRAT is targeting Japanese users with encrypted payloads. This malware grabs SYSTEM-level control, disables antivirus and Windows defenses, and uses AnyDesk and TightVNC to steal data and capture screens via secure C2 channels. SAP’s latest patch day is a wake-up call, tackling four critical vulnerabilities threatening enterprise systems. The worst, an insecure deserialization flaw in NetWeaver’s RMI-P4, allows unauthenticated attackers to run arbitrary commands, with patches addressing file uploads and access control issues. China-linked Salt Typhoon and UNC4841 are lurking behind 45 newly uncovered domains, some active since May 2020. Using fake identities and Proton Mail, these espionage groups exploit vulnerabilities like Barracuda’s, revealing a persistent threat to global networks.

Sep 8, 2025

Cyware Daily Threat Intelligence, September 08, 2025

Posing as Microsoft Teams with chilling accuracy, cybercriminals are tricking macOS users into downloading the Odyssey stealer. This malware grabs browser credentials and crypto wallet data, using social engineering to gain privileges and swap out legitimate apps for persistent theft. A gaping hole in Progress Software’s OpenEdge AdminServer is letting attackers run rogue code with ease. This high-severity flaw allows command injection via the Java RMI interface, now patched with better input sanitization and disabled remote RMI. iCloud Calendar invites are being hijacked to deliver phishing emails that dodge spam filters. Masquerading as payment alerts from Apple’s servers, they lure victims to fake support lines, enabling scammers to steal data or deploy malware via remote access.

Sep 5, 2025

Cyware Daily Threat Intelligence, September 05, 2025

Slipping through digital cracks, China-aligned GhostRedirector is hijacking Windows servers with a stealthy C++ backdoor called Rungan. Paired with the Gamshen IIS module for SEO fraud, it boosts gambling sites on Google while exploiting EfsPotato and BadPotato to compromise 65 servers across multiple countries. A zero-day flaw in Sitecore deployments is opening doors for hackers to unleash WeepSteel malware. By exploiting a reused ASP.NET key, attackers achieve remote code execution, using tools like Earthworm and Dwagent to steal data and maintain access through local admin accounts and SYSTEM services. A macOS flaw is exposing sensitive data despite System Integrity Protection. This vulnerability, tied to the gcore utility, allows attackers to read process memory, extract login Keychain Master Keys, and decrypt iOS app binaries, patched in macOS 15.3 after a researcher’s discovery.

Sep 4, 2025

Cyware Daily Threat Intelligence, September 04, 2025

Lurking in your inbox, Russia’s APT28 is wielding NotDoor to turn Outlook into an espionage tool. This VBA backdoor, triggered by email keywords, uses obfuscation and DLL side-loading to dodge detection, altering registry settings to steal sensitive data across NATO organizations. Critical flaws in Hikvision’s HikCentral software are leaving security systems wide open to unauthenticated attackers. These vulnerabilities, including a high-severity access control issue, allow privilege escalation to manipulate logs, disable surveillance, or unlock doors, with patches now available. Iran’s Homeland Justice APT is casting a wide phishing net, targeting over 50 global embassies and organizations. Using 100+ hijacked email accounts and malicious Word docs since August 19, they exploit trusted identities to deliver malware, hitting targets like the UN and World Bank.

Sep 3, 2025

Cyware Daily Threat Intelligence, September 03, 2025

Slithering through networks like a digital phantom, TinyLoader malware is hitting Windows systems with a crafty mix of network share and USB attacks. It delivers threats like Redline Stealer and DCRat, hijacking cryptocurrency transactions by swapping wallet addresses while spreading via deceptive shortcuts and shared folders. Lazarus Group is playing a dangerous game of impersonation, wielding three new RATs against a DeFi target. Using fake Telegram profiles and sham scheduling sites, they deploy PondRAT for initial access, ThemeForestRAT for advanced monitoring, and RemotePE for high-value control, showcasing their evolving tactics. Chrome 140 is locking down a critical flaw that could let attackers run rogue code in your browser. Fixing a severe use-after-free bug in the V8 engine, alongside issues in the Toolbar, Extensions, and Downloads, Google’s latest update is a must for Windows, macOS, and Linux users.

Sep 2, 2025

Cyware Daily Threat Intelligence, September 02, 2025

Masquerading as a scholarly newsletter, North Korea’s ScarCruft is targeting South Korean academics and ex-officials with RokRAT malware. Launched via spear-phishing emails with malicious LNK files, Operation HanKook Phantom uses PowerShell and obfuscated scripts to steal sensitive data, cloaking exfiltration as Chrome uploads to hit government and research sectors. A fake PDF editor peddled through Google ads is dishing out the TamperedChef infostealer to unsuspecting users. Promoted across 50 domains since June, AppSuite PDF Editor, signed with bogus certificates, activates its data-stealing tricks post-update, grabbing credentials and cookies while dodging security agents. WhatsApp and Apple are racing to patch critical zero-day flaws exposing users to spyware attacks. A WhatsApp vulnerability, paired with an Apple OS flaw, allows exploits via malicious image files and device sync messages, potentially targeting high-profile individuals in sophisticated campaigns.

Aug 29, 2025

Cyware Daily Threat Intelligence, August 29, 2025

Posing as a golden ticket from the Bangladesh Education Board, SikkahBot is preying on students with fake scholarship lures. Active since July 2024, this Android malware grabs high-risk permissions to intercept SMS and steal financial data, spread via smishing links, with evolving variants showing sharper automation. A sneaky loophole in the VS Code Marketplace is letting attackers recycle names of deleted extensions to push ransomware. The “shiba” extension, active from late 2024 to mid-2025, encrypts files and demands Shiba Inu tokens, exploiting the platform’s name-reuse flaw to dodge detection. Click Studios is sounding the alarm on a dangerous flaw in Passwordstate’s password manager. This authentication bypass lets attackers access the admin section via a crafted URL, threatening the credentials of 370,000 IT pros across 29,000 firms, with a fix in Build 9972.