Cyware Daily Threat Intelligence, September 18, 2025

shutterstock 2288211741

Daily Threat Briefing September 18, 2025

A JPG file that looks like a simple image might now be the start of a full-blown infostealing operation. In a recent FileFix campaign, threat actors are hiding malicious PowerShell scripts and encrypted binaries inside seemingly innocent image files. Unlike earlier proof-of-concept variants, this iteration ups the ante by using multilingual phishing pages and deeply obfuscated JavaScript.

When package managers become threat vectors, even a string manipulation library can be a trap. Two rogue Python packages have been removed from PyPI after researchers discovered they were dropping SilentSync RAT. SilentSync is capable of executing arbitrary commands, exfiltrating files, and stealing browser credentials, making it especially dangerous for unsuspecting developers.

Another day, another zero-day. Google has shipped an urgent patch to plug a critical flaw in Chrome. Tracked as CVE-2025-10585, the newly patched vulnerability stems from a type confusion bug in the V8 JavaScript engine, which could allow attackers to remotely execute arbitrary code by luring users to maliciously crafted HTML pages. This marks the sixth actively exploited zero-day in Chrome this year.

Top Malware Reported in the Last 24 Hours

FileFix campaign drops StealC infostealer 

A recent FileFix campaign has emerged, utilizing steganography to conceal malicious PowerShell scripts and encrypted executables within JPG images. This attack encourages victims to paste harmful commands into a file upload interface, triggering an obfuscated PowerShell chain that extracts payloads from the images. Notably, this iteration of the campaign deviates from earlier proof of concept versions by employing multilingual phishing pages and extensive JavaScript minification, enhancing its deceptive tactics. The phishing site mimics a Meta support page, pressuring users into executing commands disguised as file paths. The infection chain begins with a PowerShell one-liner that downloads an image from BitBucket, ultimately leading to the deployment of StealC, an infostealer capable of harvesting sensitive data from various applications and services.

Raven Stealer: New malware emerges 

Raven Stealer is a lightweight and sophisticated information-stealing malware developed in Delphi and C++. It primarily targets Chromium-based browsers, extracting sensitive data such as passwords, cookies, payment details, and autofill entries. Utilizing a modular design, it allows attackers to easily embed configuration details like Telegram bot tokens for seamless data exfiltration. The malware operates stealthily by employing techniques such as in-memory execution and process injection, which help it evade detection by traditional security measures. Once active, it aggregates stolen credentials and system information, transmitting them directly to the attacker via Telegram, thereby posing significant risks to both personal and enterprise environments.

Malicious PyPI packages drop new RAT

Two malicious Python packages, "sisaws" and "secmeasure," were found in the PyPI repository, delivering the SilentSync RAT targeting Windows systems. SilentSync is capable of executing remote commands, exfiltrating files, and stealing browser data, including credentials and cookies from popular web browsers. The "sisaws" package masquerades as a tool for interfacing with Argentina's healthcare APIs but contains a backdoor that downloads malware using hardcoded tokens. Similarly, "secmeasure" claims to provide string manipulation functions while primarily serving as a malware distributor. SilentSync enables remote command execution, file exfiltration, and browser data theft, communicating with a C2 server via a REST API.

Top Vulnerabilities Reported in the Last 24 Hours

Critical bug in Firebox firewalls

WatchGuard has issued security updates to address a critical remote code execution vulnerability (CVE-2025-9242) in its Firebox firewalls, caused by an out-of-bounds write weakness. This flaw affects Fireware OS versions 11.x, 12.x, and 2025.1, with fixes included in specific updates. Vulnerable configurations primarily involve the IKEv2 VPN, but devices may still be at risk even after such configurations are removed, particularly if branch office VPNs to static gateway peers are still active. Although this vulnerability has not yet been exploited in the wild, it poses a significant threat, as firewalls are attractive targets for attackers, exemplified by previous incidents involving other firewall vulnerabilities. 

Google patches sixth 0-day of the year

Google has released a critical update for Chrome, addressing the sixth zero-day vulnerability of 2025, tracked as CVE-2025-10585. This vulnerability, a type confusion issue in the V8 JavaScript engine, allows attackers to exploit crafted HTML pages for remote code execution and other malicious activities. Alongside this, the update resolves two additional use-after-free vulnerabilities and a heap buffer overflow in the ANGLE graphics engine. The latest Chrome version is now being rolled out across Windows, macOS, and Linux platforms.

Related Threat Briefings

Sep 17, 2025

Cyware Daily Threat Intelligence, September 17, 2025

Wriggling through npm like a digital sandworm, Shai-Hulud is hijacking developer accounts to poison popular packages. This JavaScript worm steals tokens, deploys TruffleHog to snatch secrets, and creates public “Shai-Hulud” GitHub repos, exposing sensitive code across over 700 repositories. Slipping past defenses with Russian flair, XillenStealer is plundering data across Windows, Linux, and macOS. Using a Tkinter GUI, this Python malware grabs credentials, crypto wallets, and gaming tokens, employing anti-debugging and Telegram exfiltration to stay covert. A BitLocker bypass dubbed BitPixie is cracking open encrypted drives with a sneaky PXE reboot trick. Exploiting a 2005-2022 Windows Boot Manager flaw, attackers extract keys from memory, with Microsoft’s May 2023 patch swapping certificates to block this downgrade attack.

Sep 16, 2025

Cyware Daily Threat Intelligence, September 16, 2025

Maranhão Stealer is hunting gamers through pirated software. Built with Node.js and Inno Setup, it mimics Microsoft components to hide, using DLL injection for persistence. It steals crypto wallet credentials, grabbing hardware and network data for targeted attacks. AppSuite, OneStart, and ManualFinder are a malware triple threat. Posing as legit tools like PDF editors, they use Electron and PowerShell to track users and install sneaky extensions. Active since 2018, they evolve with randomized domains for control. Phoenix is cracking DDR5 memory defenses wide open. This Rowhammer variant bypasses SK Hynix protections, flipping bits to gain root access in minutes. It targets RSA-2048 keys and binaries, impacting all DDR5 chips from 2021 to 2024.

Sep 15, 2025

Cyware Daily Threat Intelligence, September 15, 2025

From the shadows of the darknet, the Yurei ransomware group has emerged, targeting organizations in Sri Lanka, India, and Nigeria with a double-extortion scheme that encrypts files and leaks sensitive data. Operating from a suspected base in Morocco, the group’s darknet blog pressures victims with data leak threats, highlighting the growing risk of low-skill ransomware operations. Masquerading as legitimate tools, the WhiteCobra group has infiltrated VS Code and OpenVSX marketplaces with 24 malicious extensions aimed at stealing cryptocurrency and sensitive data. By inflating download counts, WhiteCobra exploits developer trust, exposing critical weaknesses in marketplace security. A flaw in the CUPS printing system has left Linux systems vulnerable to remote crashes and authentication bypasses. Stemming from unsafe deserialization in the libcups library, this vulnerability disrupts printing services and can be exploited with simple Python scripts, requiring only network adjacency.

Sep 12, 2025

Cyware Daily Threat Intelligence, September 12, 2025

Mustang Panda's latest ToneShell variant is digging deep into systems with slick persistence moves. Delivered via DLL sideloading in archives, it dodges analysis, enforces single-instance rules, and sets up scheduled tasks in user directories. XOR-obfuscated payloads communicate via fake TLS to C2 servers, generating unique GUIDs per machine for ongoing ops. Researchers uncovered a RAT storm hitting Chinese users since May. Phishing on GitHub Pages drops ValleyRAT, FatalRAT, and kkRAT, the latter echoing Ghost RAT with beefed-up encryption and commands. kkRAT sniffs sandboxes, hijacks clipboards for crypto swaps, and installs RMM tools like Sunlogin, all via multi-stage shellcodes. Akira ransomware is busting into networks through SonicWall's CVE-2024-40766 flaw. This unpatched SSL VPN hole lets them snag access, but SonicWall's August patch plus password resets can block it. ACSC warns of fresh exploits since September, with 40 incidents probed.

Sep 11, 2025

Cyware Daily Threat Intelligence, September 11, 2025

Slipping through macOS like a shadow in the fog, ChillyHell malware cloaks itself as a harmless app to wreak havoc. Using LaunchAgent, LaunchDaemon, and shell injections, it digs into systems at boot, stealing data and launching reverse shells while evading Apple’s notarization checks. A rogue Chrome extension, Madgicx Plus, is preying on Meta advertisers with a slick AI optimization pitch. This malware, spread through polished domains tied to past scams, hijacks Google and Facebook accounts, siphoning off valuable ad assets with deceptive ease. NVIDIA’s NVDebug tool is under siege from three high-severity flaws, opening doors to code execution and privilege escalation. These vulnerabilities, with the worst scoring 8.2, allow attackers to tamper with systems or steal data in multi-user setups, fixed in version 1.7.0.

Sep 10, 2025

Cyware Daily Threat Intelligence, September 10, 2025

Masquerading as harmless GitHub files, Kimsuky is sneaking malware into systems with malicious LNK files. These trigger PowerShell scripts to steal system metadata and upload it to private repositories, using scheduled tasks for persistent espionage targeting sensitive networks. Slipping into devices like a digital ghost, Buterat backdoor is hitting government and enterprise systems via phishing and trojanized downloads. It hides in processes, tweaks registry keys for persistence, and uses encrypted C2 channels to drop payloads and evade detection. Microsoft’s latest patch tackles 81 flaws, including two zero-day vulnerabilities in Windows SMB and Newtonsoft.Json. With nine critical fixes addressing remote code execution and privilege escalation, enabling SMB protections is urged, though compatibility hiccups may arise.

Sep 9, 2025

Cyware Daily Threat Intelligence, September 09, 2025

Slipping through phishing emails like a digital ninja, MostereRAT is targeting Japanese users with encrypted payloads. This malware grabs SYSTEM-level control, disables antivirus and Windows defenses, and uses AnyDesk and TightVNC to steal data and capture screens via secure C2 channels. SAP’s latest patch day is a wake-up call, tackling four critical vulnerabilities threatening enterprise systems. The worst, an insecure deserialization flaw in NetWeaver’s RMI-P4, allows unauthenticated attackers to run arbitrary commands, with patches addressing file uploads and access control issues. China-linked Salt Typhoon and UNC4841 are lurking behind 45 newly uncovered domains, some active since May 2020. Using fake identities and Proton Mail, these espionage groups exploit vulnerabilities like Barracuda’s, revealing a persistent threat to global networks.

Sep 8, 2025

Cyware Daily Threat Intelligence, September 08, 2025

Posing as Microsoft Teams with chilling accuracy, cybercriminals are tricking macOS users into downloading the Odyssey stealer. This malware grabs browser credentials and crypto wallet data, using social engineering to gain privileges and swap out legitimate apps for persistent theft. A gaping hole in Progress Software’s OpenEdge AdminServer is letting attackers run rogue code with ease. This high-severity flaw allows command injection via the Java RMI interface, now patched with better input sanitization and disabled remote RMI. iCloud Calendar invites are being hijacked to deliver phishing emails that dodge spam filters. Masquerading as payment alerts from Apple’s servers, they lure victims to fake support lines, enabling scammers to steal data or deploy malware via remote access.

Sep 5, 2025

Cyware Daily Threat Intelligence, September 05, 2025

Slipping through digital cracks, China-aligned GhostRedirector is hijacking Windows servers with a stealthy C++ backdoor called Rungan. Paired with the Gamshen IIS module for SEO fraud, it boosts gambling sites on Google while exploiting EfsPotato and BadPotato to compromise 65 servers across multiple countries. A zero-day flaw in Sitecore deployments is opening doors for hackers to unleash WeepSteel malware. By exploiting a reused ASP.NET key, attackers achieve remote code execution, using tools like Earthworm and Dwagent to steal data and maintain access through local admin accounts and SYSTEM services. A macOS flaw is exposing sensitive data despite System Integrity Protection. This vulnerability, tied to the gcore utility, allows attackers to read process memory, extract login Keychain Master Keys, and decrypt iOS app binaries, patched in macOS 15.3 after a researcher’s discovery.

Sep 4, 2025

Cyware Daily Threat Intelligence, September 04, 2025

Lurking in your inbox, Russia’s APT28 is wielding NotDoor to turn Outlook into an espionage tool. This VBA backdoor, triggered by email keywords, uses obfuscation and DLL side-loading to dodge detection, altering registry settings to steal sensitive data across NATO organizations. Critical flaws in Hikvision’s HikCentral software are leaving security systems wide open to unauthenticated attackers. These vulnerabilities, including a high-severity access control issue, allow privilege escalation to manipulate logs, disable surveillance, or unlock doors, with patches now available. Iran’s Homeland Justice APT is casting a wide phishing net, targeting over 50 global embassies and organizations. Using 100+ hijacked email accounts and malicious Word docs since August 19, they exploit trusted identities to deliver malware, hitting targets like the UN and World Bank.

Sep 3, 2025

Cyware Daily Threat Intelligence, September 03, 2025

Slithering through networks like a digital phantom, TinyLoader malware is hitting Windows systems with a crafty mix of network share and USB attacks. It delivers threats like Redline Stealer and DCRat, hijacking cryptocurrency transactions by swapping wallet addresses while spreading via deceptive shortcuts and shared folders. Lazarus Group is playing a dangerous game of impersonation, wielding three new RATs against a DeFi target. Using fake Telegram profiles and sham scheduling sites, they deploy PondRAT for initial access, ThemeForestRAT for advanced monitoring, and RemotePE for high-value control, showcasing their evolving tactics. Chrome 140 is locking down a critical flaw that could let attackers run rogue code in your browser. Fixing a severe use-after-free bug in the V8 engine, alongside issues in the Toolbar, Extensions, and Downloads, Google’s latest update is a must for Windows, macOS, and Linux users.

Sep 2, 2025

Cyware Daily Threat Intelligence, September 02, 2025

Masquerading as a scholarly newsletter, North Korea’s ScarCruft is targeting South Korean academics and ex-officials with RokRAT malware. Launched via spear-phishing emails with malicious LNK files, Operation HanKook Phantom uses PowerShell and obfuscated scripts to steal sensitive data, cloaking exfiltration as Chrome uploads to hit government and research sectors. A fake PDF editor peddled through Google ads is dishing out the TamperedChef infostealer to unsuspecting users. Promoted across 50 domains since June, AppSuite PDF Editor, signed with bogus certificates, activates its data-stealing tricks post-update, grabbing credentials and cookies while dodging security agents. WhatsApp and Apple are racing to patch critical zero-day flaws exposing users to spyware attacks. A WhatsApp vulnerability, paired with an Apple OS flaw, allows exploits via malicious image files and device sync messages, potentially targeting high-profile individuals in sophisticated campaigns.