Cyware Daily Threat Intelligence, September 24, 2025

shutterstock 1917841850

Daily Threat Briefing September 24, 2025

Since 2022, a stealthy campaign has been hijacking DLLs to unleash a PlugX variant on Asia’s telecom and manufacturing sectors. Linked to Naikon and BackdoorDiplomacy, it uses malicious documents and shared cryptographic tools to deploy RainyDay and Turian-like backdoors.

Salesforce CLI installer harbors a critical flaw, letting attackers seize SYSTEM-level control on Windows. This path-handling bug in versions before 2.106.6 enables code execution via rogue installers, now fixed with proper signing in the latest release.

Exploiting a Linux Pandoc flaw, hackers are targeting AWS credentials through SSRF attacks. This vulnerability allows iframe-based credential theft from EC2 IMDSv1, urging users to adopt IMDSv2 and sandbox options to lock down systems.

Top Malware Reported in the Last 24 Hours

Malware campaign targets telecom and manufacturing sectors

Cisco Talos has identified a sophisticated malware campaign that has been active since 2022, utilizing DLL search order hijacking to deploy a new variant of PlugX, which shares characteristics with the RainyDay and Turian backdoors. This operation primarily targets telecommunications and manufacturing sectors across Central and South Asia, revealing a convergence of functionalities and infrastructure among the Naikon and BackdoorDiplomacy groups. Analysts discovered that the malware families employ the same XOR-RC4-RtlDecompressBuffer decryption algorithm and identical RC4 keys, indicating a shared cryptographic toolkit. The campaign's initial infection typically begins with a malicious document or email, leading to the execution of a legitimate binary vulnerable to DLL hijacking. 

ShadowV2 botnet targets misconfigured AWS containers

ShadowV2 is a newly identified DDoS-as-a-Service botnet that enables customers to self-manage DDoS attacks. It leverages misconfigured Docker containers and a Python-based C2 infrastructure hosted on GitHub CodeSpaces. The platform represents a shift from traditional botnet operations by offering a modular, user-driven attack interface. The ShadowV2 operation was observed targeting Docker daemons exposed on AWS cloud instances. The attackers deploy a generic setup container, install tools, and create a customized image for live deployment.  The infection chain begins with a Python script hosted on GitHub CodeSpaces, which interacts with Docker to spawn containers. These containers act as wrappers for the Go-based malware, enabling the botnet to propagate across cloud environments.

Top Vulnerabilities Reported in the Last 24 Hours

Critical bug in Salesforce CLI installer

A critical vulnerability (CVE-2025-9844) in the Salesforce CLI installer allows attackers to execute arbitrary code with SYSTEM-level privileges on Windows machines. The flaw stems from improper handling of file paths during installation, enabling attackers to exploit it via social engineering. Unsuspecting users downloading compromised installers or rogue executables may inadvertently run malicious code. The vulnerability affects Salesforce CLI versions prior to 2.106.6, but users downloading from Salesforce’s official site are safe due to proper file signing. Exploitation can lead to privilege escalation, disabling security controls, spreading malware, and gaining complete system control. Salesforce addressed the issue in version 2.106.6, and users are advised to verify their CLI version and update if necessary.

SolarWinds releases hotfix for critical flaw

SolarWinds has released a third hotfix to address a critical unauthenticated RCE vulnerability in Web Help Desk, tracked as CVE-2025-26399. This vulnerability is a patch bypass of CVE-2024-28988, which itself bypassed the original CVE-2024-28986. The repeated patching underscores the persistence and complexity of the issue. The vulnerability affects SolarWinds Web Help Desk, a widely used IT support and ticketing platform deployed by medium-to-large organizations for request tracking, workflow automation, asset management, and compliance assurance. Successful exploitation could allow unauthenticated attackers to execute arbitrary commands on the host system, potentially leading to full system compromise. CVE-2025-26399 is caused by unsafe deserialization in the Ajax Proxy component of WHD version 12.8.7. 

Hackers abuse Pandoc vulnerability

A security flaw in the Linux utility Pandoc (CVE-2025-51591) has been exploited by hackers to target AWS Instance Metadata Service (IMDS) and steal EC2 IAM credentials. The vulnerability involves Server-Side Request Forgery (SSRF) using crafted HTML iframe elements, enabling attackers to compromise systems and harvest temporary AWS credentials. IMDSv1 is particularly vulnerable due to its request-response protocol, making it an attractive target for SSRF-based attacks. IMDSv2 mitigates this risk by requiring token-based authentication. Wiz researchers recommend using Pandoc's "-f html+raw_html" or "--sandbox" options to prevent iframe exploitation and enforcing IMDSv2 across EC2 instances to reduce risks.

Related Threat Briefings

Sep 23, 2025

Cyware Daily Threat Intelligence, September 23, 2025

With fake job portals as bait, Iran’s Nimbus Manticore targets Europe’s defense and telecom sectors. Their spear-phishing campaign uses multi-stage DLL sideloading to deploy MiniJunk and MiniBrowse, stealthy malware evading detection with obfuscation to hit aerospace and defense networks. The fezbox npm package, a wolf in utility library clothing, hides a cookie-stealing payload in QR codes. Linked to “janedu,” it uses steganography and reversed-string obfuscation to swipe usernames and passwords, quietly exfiltrating them to remote servers via HTTPS. Libraesva ESG’s email scanning engine has a chink in its armor, letting attackers slip through with crafted attachments. This command injection flaw, exploited by a state actor, triggered rapid patches for ESG 5.x to secure systems against unauthorized command execution.

Sep 22, 2025

Cyware Daily Threat Intelligence, September 22, 2025

A rogue patch for Steam’s BlockBlasters game is pilfering crypto wallets and user data. This trojan-laced update, slipped past security checks, grabs IP addresses and Steam credentials, disables Microsoft Defender, and uploads data to a C2 server, impacting hundreds of players. MalTerminal is breaking new ground as the first malware wielding GPT-4 to craft ransomware and backdoors. Using a deprecated OpenAI API, this LLM-embedded threat, paired with phishing that exploits Follina, dodges AI security to deliver malicious payloads. A critical Entra ID flaw let attackers impersonate Global Administrators across tenants. This maximum-severity bug, tied to legacy Azure AD Graph API, allowed MFA bypass and undetected access, now fixed to block unauthorized tenant compromise.

Sep 19, 2025

Cyware Daily Threat Intelligence, September 19, 2025

In a rare crossover of Russian APT playbooks, Gamaredon and Turla have joined forces to target Ukrainian defense entities with coordinated malware operations. Researchers have uncovered joint activity involving the use of Gamaredon's custom tools to deploy Kazuar, a powerful Turla-developed backdoor known for its stealth and persistence. Malware deployment is getting more modular and more menacing. CountLoader is a newly developed malware loader tied to Russia-affiliated ransomware groups like LockBit, BlackBasta, and Qilin. Disguised as Ukrainian police messages in phishing campaigns, CountLoader excels at blending into enterprise traffic, gathering detailed system data, and maintaining persistent access through varied execution techniques. No clicks, no downloads, no warnings - just data theft by design. A critical flaw in OpenAI’s ChatGPT Deep Research agent has been patched following the discovery of ShadowLeak, a zero-click vulnerability that enabled attackers to exfiltrate sensitive information from user inboxes via maliciously crafted emails. The exploit abused the agent’s autonomous email-processing capabilities to embed covert instructions.

Sep 18, 2025

Cyware Daily Threat Intelligence, September 18, 2025

A JPG file that looks like a simple image might now be the start of a full-blown infostealing operation. In a recent FileFix campaign, threat actors are hiding malicious PowerShell scripts and encrypted binaries inside seemingly innocent image files. Unlike earlier proof-of-concept variants, this iteration ups the ante by using multilingual phishing pages and deeply obfuscated JavaScript. When package managers become threat vectors, even a string manipulation library can be a trap. Two rogue Python packages have been removed from PyPI after researchers discovered they were dropping SilentSync RAT. SilentSync is capable of executing arbitrary commands, exfiltrating files, and stealing browser credentials, making it especially dangerous for unsuspecting developers. Another day, another zero-day. Google has shipped an urgent patch to plug a critical flaw in Chrome. Tracked as CVE-2025-10585, the newly patched vulnerability stems from a type confusion bug in the V8 JavaScript engine, which could allow attackers to remotely execute arbitrary code by luring users to maliciously crafted HTML pages. This marks the sixth actively exploited zero-day in Chrome this year.

Sep 17, 2025

Cyware Daily Threat Intelligence, September 17, 2025

Wriggling through npm like a digital sandworm, Shai-Hulud is hijacking developer accounts to poison popular packages. This JavaScript worm steals tokens, deploys TruffleHog to snatch secrets, and creates public “Shai-Hulud” GitHub repos, exposing sensitive code across over 700 repositories. Slipping past defenses with Russian flair, XillenStealer is plundering data across Windows, Linux, and macOS. Using a Tkinter GUI, this Python malware grabs credentials, crypto wallets, and gaming tokens, employing anti-debugging and Telegram exfiltration to stay covert. A BitLocker bypass dubbed BitPixie is cracking open encrypted drives with a sneaky PXE reboot trick. Exploiting a 2005-2022 Windows Boot Manager flaw, attackers extract keys from memory, with Microsoft’s May 2023 patch swapping certificates to block this downgrade attack.

Sep 16, 2025

Cyware Daily Threat Intelligence, September 16, 2025

Maranhão Stealer is hunting gamers through pirated software. Built with Node.js and Inno Setup, it mimics Microsoft components to hide, using DLL injection for persistence. It steals crypto wallet credentials, grabbing hardware and network data for targeted attacks. AppSuite, OneStart, and ManualFinder are a malware triple threat. Posing as legit tools like PDF editors, they use Electron and PowerShell to track users and install sneaky extensions. Active since 2018, they evolve with randomized domains for control. Phoenix is cracking DDR5 memory defenses wide open. This Rowhammer variant bypasses SK Hynix protections, flipping bits to gain root access in minutes. It targets RSA-2048 keys and binaries, impacting all DDR5 chips from 2021 to 2024.

Sep 15, 2025

Cyware Daily Threat Intelligence, September 15, 2025

From the shadows of the darknet, the Yurei ransomware group has emerged, targeting organizations in Sri Lanka, India, and Nigeria with a double-extortion scheme that encrypts files and leaks sensitive data. Operating from a suspected base in Morocco, the group’s darknet blog pressures victims with data leak threats, highlighting the growing risk of low-skill ransomware operations. Masquerading as legitimate tools, the WhiteCobra group has infiltrated VS Code and OpenVSX marketplaces with 24 malicious extensions aimed at stealing cryptocurrency and sensitive data. By inflating download counts, WhiteCobra exploits developer trust, exposing critical weaknesses in marketplace security. A flaw in the CUPS printing system has left Linux systems vulnerable to remote crashes and authentication bypasses. Stemming from unsafe deserialization in the libcups library, this vulnerability disrupts printing services and can be exploited with simple Python scripts, requiring only network adjacency.

Sep 12, 2025

Cyware Daily Threat Intelligence, September 12, 2025

Mustang Panda's latest ToneShell variant is digging deep into systems with slick persistence moves. Delivered via DLL sideloading in archives, it dodges analysis, enforces single-instance rules, and sets up scheduled tasks in user directories. XOR-obfuscated payloads communicate via fake TLS to C2 servers, generating unique GUIDs per machine for ongoing ops. Researchers uncovered a RAT storm hitting Chinese users since May. Phishing on GitHub Pages drops ValleyRAT, FatalRAT, and kkRAT, the latter echoing Ghost RAT with beefed-up encryption and commands. kkRAT sniffs sandboxes, hijacks clipboards for crypto swaps, and installs RMM tools like Sunlogin, all via multi-stage shellcodes. Akira ransomware is busting into networks through SonicWall's CVE-2024-40766 flaw. This unpatched SSL VPN hole lets them snag access, but SonicWall's August patch plus password resets can block it. ACSC warns of fresh exploits since September, with 40 incidents probed.

Sep 11, 2025

Cyware Daily Threat Intelligence, September 11, 2025

Slipping through macOS like a shadow in the fog, ChillyHell malware cloaks itself as a harmless app to wreak havoc. Using LaunchAgent, LaunchDaemon, and shell injections, it digs into systems at boot, stealing data and launching reverse shells while evading Apple’s notarization checks. A rogue Chrome extension, Madgicx Plus, is preying on Meta advertisers with a slick AI optimization pitch. This malware, spread through polished domains tied to past scams, hijacks Google and Facebook accounts, siphoning off valuable ad assets with deceptive ease. NVIDIA’s NVDebug tool is under siege from three high-severity flaws, opening doors to code execution and privilege escalation. These vulnerabilities, with the worst scoring 8.2, allow attackers to tamper with systems or steal data in multi-user setups, fixed in version 1.7.0.

Sep 10, 2025

Cyware Daily Threat Intelligence, September 10, 2025

Masquerading as harmless GitHub files, Kimsuky is sneaking malware into systems with malicious LNK files. These trigger PowerShell scripts to steal system metadata and upload it to private repositories, using scheduled tasks for persistent espionage targeting sensitive networks. Slipping into devices like a digital ghost, Buterat backdoor is hitting government and enterprise systems via phishing and trojanized downloads. It hides in processes, tweaks registry keys for persistence, and uses encrypted C2 channels to drop payloads and evade detection. Microsoft’s latest patch tackles 81 flaws, including two zero-day vulnerabilities in Windows SMB and Newtonsoft.Json. With nine critical fixes addressing remote code execution and privilege escalation, enabling SMB protections is urged, though compatibility hiccups may arise.

Sep 9, 2025

Cyware Daily Threat Intelligence, September 09, 2025

Slipping through phishing emails like a digital ninja, MostereRAT is targeting Japanese users with encrypted payloads. This malware grabs SYSTEM-level control, disables antivirus and Windows defenses, and uses AnyDesk and TightVNC to steal data and capture screens via secure C2 channels. SAP’s latest patch day is a wake-up call, tackling four critical vulnerabilities threatening enterprise systems. The worst, an insecure deserialization flaw in NetWeaver’s RMI-P4, allows unauthenticated attackers to run arbitrary commands, with patches addressing file uploads and access control issues. China-linked Salt Typhoon and UNC4841 are lurking behind 45 newly uncovered domains, some active since May 2020. Using fake identities and Proton Mail, these espionage groups exploit vulnerabilities like Barracuda’s, revealing a persistent threat to global networks.

Sep 8, 2025

Cyware Daily Threat Intelligence, September 08, 2025

Posing as Microsoft Teams with chilling accuracy, cybercriminals are tricking macOS users into downloading the Odyssey stealer. This malware grabs browser credentials and crypto wallet data, using social engineering to gain privileges and swap out legitimate apps for persistent theft. A gaping hole in Progress Software’s OpenEdge AdminServer is letting attackers run rogue code with ease. This high-severity flaw allows command injection via the Java RMI interface, now patched with better input sanitization and disabled remote RMI. iCloud Calendar invites are being hijacked to deliver phishing emails that dodge spam filters. Masquerading as payment alerts from Apple’s servers, they lure victims to fake support lines, enabling scammers to steal data or deploy malware via remote access.