Cyware Monthly Threat Intelligence, November 2025

The Good
New global initiatives are strengthening the cybersecurity ecosystem. In the U.S., the bipartisan AI Fraud Deterrence Act significantly raises penalties for AI-enabled impersonation and fraud. The UK’s Cyber Resilience Bill enhances national defenses with stricter reporting mandates and broader oversight of critical digital infrastructures. Meanwhile, CISA’s guidance on bulletproof hosting equips ISPs and organizations with clearer detection, filtering, and intelligence-sharing practices to curb cybercriminal abuse.
A new bipartisan bill, the AI Fraud Deterrence Act, aims to combat the increasing use of AI in fraud and impersonation. The legislation proposes significant increases in criminal penalties for those using AI tools to create convincing fake audio, video, or text. Fines for various fraud types could rise to between $1 million and $2 million, with maximum prison sentences extending to 20 to 30 years for offenders. The bill specifically addresses the alarming trend of scammers impersonating government officials, with penalties of up to $1 million and three years in prison for such actions. This initiative responds to a series of high-profile incidents involving AI-generated impersonations that pose serious risks to both individuals and national security.
The UK Cyber Resilience Bill aims to enhance national security in response to a 130% rise in significant cyber incidents in 2025. Introduced in Parliament, the bill seeks to address gaps in existing regulations by expanding its regulatory scope to include data centers, managed service providers, and large load controllers. It mandates that operators of essential services report incidents within 24 hours and provide comprehensive reports within 72 hours, improving the current incident reporting framework. Additionally, the bill strengthens regulatory powers, allowing for targeted actions against national security threats and introducing higher penalties for non-compliance.
CISA released a new guide addressing the threat posed by bulletproof hosting (BPH) services, which are increasingly utilized by cybercriminals for activities such as ransomware, phishing, and malware distribution. Recommendations include identifying malicious resources, improving traffic visibility, using targeted filters, and sharing threat intelligence across sectors. CISA emphasizes the importance of automated blocklist reviews, network-edge filters, and feedback processes to reduce accidental blocking. ISPs are encouraged to notify customers of threats, provide filtering tools, and establish standards to prevent BPH abuse.
A coordinated enforcement operation led by Europol, in collaboration with the European Union Intellectual Property Office and Spain’s National Police, targeted online intellectual property violations, resulting in the identification of 69 suspect sites and the disruption of $55 million in cryptocurrency linked to piracy. This initiative, known as Intellectual Property Crime Cyber-Patrol Week, utilized advanced open-source intelligence methods and involved over 30 investigators. By purchasing illegal services using cryptocurrency, authorities were able to trace transactions and disrupt revenue streams supporting criminal activities. The operation also facilitated international cooperation, with contributions from more than 15 countries, enhancing the collective response to the evolving challenges of digital piracy and illegal streaming services across Europe.
ENISA has achieved a significant milestone by becoming a CVE Root within the global CVE Program, enhancing its role in coordinating vulnerability management across Europe. This designation allows ENISA to assign CVE Identifiers and publish CVE Records for vulnerabilities reported to EU CSIRTs. The agency will also guide manufacturers on compliance with the Cyber Resilience Act and contribute to the European Vulnerability Database.
The Bad
Threat activity continues to escalate globally, with groups like Bloody Wolf and RomCom launching increasingly sophisticated campaigns across Central Asia and the U.S. using spear-phishing, fake updates, and remote-access tools. Attackers are leveraging geofencing, rapid infection chains, and outdated yet effective malware to evade detection. CISA also warns of rising spyware operations targeting high-value individuals through WhatsApp, Signal, and mobile device vulnerabilities.
Bloody Wolf, a hacking group, has intensified its cyberattack campaign in Kyrgyzstan and Uzbekistan since mid-2025, primarily targeting the finance, government, and IT sectors. Utilizing spear-phishing tactics, the group impersonates trusted government ministries to distribute malicious JAR files disguised as official documents. Once downloaded, these files execute a loader that fetches the NetSupport RAT payload, establishing persistence on the infected systems. Notably, the campaign in Uzbekistan incorporates geofencing, redirecting external requests to legitimate sites while delivering malware to local users. The attackers employ outdated tools, such as Java 8 and an older version of NetSupport Manager from 2013.
RomCom, a Russia-aligned malware group, has targeted a U.S.-based civil engineering company using SocGholish fake update attacks to deliver the Mythic Agent malware. This attack marks the first instance of RomCom payloads being distributed through SocGholish, which serves as an initial access broker by tricking users into downloading malicious JavaScript via fake browser update alerts. The threat actors behind SocGholish, linked to financially motivated groups, exploit vulnerabilities in compromised websites to initiate infections. In this case, the attack involved a rapid infection timeline of under 30 minutes, culminating in the establishment of a reverse shell and the deployment of a custom Python backdoor.
CISA issued a warning about ongoing spyware campaigns that target users of mobile messaging applications like Signal and WhatsApp. These campaigns utilize sophisticated social engineering techniques and exploit vulnerabilities to gain unauthorized access to user accounts. Notable examples include Russia-aligned threat actors hijacking Signal accounts through its linked devices feature, as well as Android spyware campaigns impersonating popular apps to deliver malware. Additionally, targeted attacks have exploited security flaws in iOS and Samsung devices to compromise fewer than 200 WhatsApp users. CISA emphasizes that these threats primarily focus on high-value individuals, including current and former government officials, military personnel, and civil society members across the U.S., the Middle East, and Europe.
Shai-Hulud malware has compromised over 500 npm packages in a recent supply-chain attack, targeting well-known tools like Zapier and PostHog to steal developer and CI/CD secrets. The malware modifies legitimate packages by injecting malicious scripts and publishes them on npm using compromised maintainer accounts. Researchers have identified around 350 unique accounts involved in this campaign, which has resulted in the automatic creation of thousands of repositories on GitHub, where stolen secrets are leaked. The malware employs advanced obfuscation techniques and includes destructive payloads that can overwrite a victim's home directory under certain conditions.
CISA and other U.S. agencies have issued a warning about the Akira ransomware, which has started encrypting Nutanix AHV virtual machines. Initially targeting VMware ESXi and Hyper-V, Akira has expanded its reach by exploiting vulnerabilities like CVE-2024-40766 in SonicWall. The ransomware primarily encrypts .qcow2 files, a format used by Nutanix AHV. Akira actors gain access to corporate networks through stolen or brute-forced VPN and SSH credentials, and they exploit unpatched Veeam Backup & Replication servers to delete backups. Within compromised networks, they utilize various tools for reconnaissance and lateral movement, while also establishing persistence. Notably, the group has been able to exfiltrate data rapidly, utilizing tunneling tools such as Ngrok for encrypted communication.
A critical path traversal vulnerability in Fortinet FortiWeb has been actively exploited, allowing threat actors to create unauthorized administrative accounts on exposed devices without authentication. This flaw, affecting versions 8.0.1 and earlier, was first identified by threat intelligence company Defused on October 6. Attackers send crafted HTTP POST requests to a specific endpoint, resulting in the creation of admin accounts with various usernames and passwords. Security researchers confirmed the exploit and demonstrated its execution. Despite the vulnerability being patched in version 8.0.2, reports indicate a surge in attacks originating from multiple IP addresses, raising concerns about the security of vulnerable devices in the wild.
A large-scale spam campaign has inundated the npm registry with over 67,000 fake packages since early 2024, dubbed "IndonesianFoods." This financially motivated effort aims to clutter the registry rather than engage in data theft. The bogus packages, which often masquerade as legitimate Next.js projects, employ a dormant JavaScript payload that requires manual execution, thus evading automated security detection. The attackers have created a self-replicating network by referencing each other as dependencies, leading to an exponential increase in spam package downloads.
GlassWorm malware has re-emerged in the OpenVSX marketplace, introducing three new malicious VSCode extensions that have collectively garnered over 10,000 downloads. This malware campaign, which initially targeted OpenVSX and Visual Studio Code last month, employs invisible Unicode characters to obfuscate its malicious code while targeting GitHub, NPM, and OpenVSX account credentials, as well as cryptocurrency wallet information. The newly identified extensions, which use the same obfuscation techniques as earlier variants, include ai-driven-dev, adhamu.history-in-sublime-merge, and yasuyuky.transient-emacs.
A malicious Visual Studio Code extension named "susvsex" was discovered, featuring basic ransomware capabilities and uploaded by a user identified as "suspublisher18." This extension, designed to automatically encrypt and exfiltrate files from specified directories upon launch, was promptly removed from the VS Code Extension Marketplace by Microsoft. It utilizes GitHub as a command-and-control channel, polling a private repository for commands and writing execution results back to it. Additionally, Datadog Security Labs identified 17 npm packages masquerading as legitimate SDKs that deploy Vidar Stealer malware. These packages, which were downloaded over 2,240 times before being taken down, execute malicious payloads through post-install scripts.
Russian state-backed hacker group Sandworm has intensified its attacks on Ukraine, deploying various data-wiping malware to disrupt critical sectors, particularly targeting the grain industry, government, and educational institutions. These operations occurred in June and September, reflecting a strategic shift towards undermining Ukraine's economic stability during the ongoing conflict. The malware, including variants like ZeroLot and Sting, aims to destroy digital information irretrievably, contrasting with ransomware that typically seeks financial gain through data theft. Initial access for these attacks was often facilitated by another group, UAC-0099, indicating a coordinated effort in cyber sabotage against Ukraine's vital economic resources.
A sophisticated phishing campaign has emerged, targeting Booking[.]com hotels and customers by exploiting compromised accounts and customer data. Threat actors deploy infostealing malware to gather credentials from hotel systems, which are then sold on cybercrime forums or used for fraudulent activities. The ClickFix infection chain is employed, utilizing spearphishing emails that mimic Booking[.]com to redirect victims to malicious websites. This chain involves redirection tactics and PowerShell commands to deliver PureRAT that enables remote control and data exfiltration.
Google has released an emergency update for Chrome to address five vulnerabilities, including critical and medium-severity flaws. The most severe issue is CVE-2025-12725, an out-of-bounds write vulnerability in the WebGPU implementation, which poses a significant risk of remote code execution. Other critical vulnerabilities include CVE-2025-12726 and CVE-2025-12727, both related to inappropriate implementations in the Views component and the V8 JavaScript engine, respectively. Additionally, two medium-severity vulnerabilities, CVE-2025-12728 and CVE-2025-12729, were identified in the Omnibox search and navigation bar. The update is being rolled out across all platforms, including Windows, Mac, Linux, Android, and iOS.
The Silent Lynx APT group has been actively targeting Central Asian nations, Russia, and China for espionage. This group employs spear-phishing campaigns and malicious implants to infiltrate governmental and critical infrastructure sectors. Two significant campaigns are analyzed: one focused on Russia-Azerbaijan relations during a summit in Dushanbe and the other on China-Central Asia relations during a summit in Astana. The research reveals the use of malicious RAR archives containing LNK files that execute PowerShell scripts from GitHub. Silent Lynx uses tools like Silent Loader, LAPLAS implant (TCP & TLS), and SilentSweeper (.NET-based implant) for deploying reverse shells and maintaining persistence.
The China-linked Bronze Butler (Tick) threat group exploited a zero-day vulnerability (CVE-2025-61932) in Motex LANSCOPE Endpoint Manager to gain unauthorized access and steal confidential information. This vulnerability enabled attackers to execute arbitrary commands with SYSTEM privileges. The group utilized Gokcpdoor malware, which established a command and control connection, and the Havoc C2 framework for remote access. Additionally, they employed legitimate tools like goddi, remote desktop applications, and 7-Zip for lateral movement and data exfiltration, leveraging cloud storage services for their operations.
Australia is facing ongoing cyberattacks targeting unpatched Cisco IOS XE devices, with the BadCandy webshell being used to compromise routers. Exploiting the CVE-2023-20198 vulnerability, attackers can create local admin users through the web interface, allowing them to take control of the devices. Despite Cisco addressing this flaw in October 2023, many devices remain unpatched, leading to over 400 reported infections by July 2025, with around 150 still compromised as of late October 2025. The BadCandy webshell enables remote attackers to execute commands with root privileges, and its presence can be reintroduced after device reboots if the vulnerability remains unaddressed. The Australian Signals Directorate has noted signs of re-exploitation, indicating a persistent threat from attackers, some of whom are believed to be state-sponsored actors.
New Threats
New malware activity is surging, with the Mirai-based ShadowV2 botnet exploiting unpatched IoT vulnerabilities to fuel global DDoS capability tests across multiple sectors. macOS users face rising risk from FlexibleFerret, a stealthy, multi-stage campaign deploying a persistent Go-based backdoor disguised as Chrome permission prompts for credential theft. Meanwhile, Kimsuky is conducting sophisticated phishing attacks delivering dual KimJongRAT variants that adapt to security controls and steal extensive user data.
A new Mirai-based botnet malware, named ShadowV2, has emerged, targeting IoT devices from vendors like D-Link and TP-Link by exploiting known vulnerabilities. Observed during the significant AWS outage in October, ShadowV2 appeared to conduct test runs, leveraging at least eight vulnerabilities, including critical flaws in D-Link devices that will not receive fixes due to their end-of-life status. The attacks, originating from a specific IP address, affected various sectors globally, including government and education. ShadowV2 is delivered through a downloader script and supports DDoS attacks across multiple protocols. Its C2 infrastructure facilitates these attacks, although the identity of the perpetrators and their monetization strategy remain unknown.
A new malware campaign named FlexibleFerret has emerged, specifically targeting macOS systems. This sophisticated threat utilizes staged scripts and a persistent Go-based backdoor to bypass user safeguards and maintain long-term access to compromised devices. The malware employs a second-stage shell script that adapts its actions based on the system architecture, downloading various payloads accordingly. It masquerades as Chrome permission prompts to harvest user credentials, routing stolen data to a Dropbox account while avoiding detection through clever obfuscation techniques. The backdoor, known as CDrivers, facilitates numerous malicious tasks, including system information collection, file management, and automated credential theft.
Kimsuky has launched an advanced campaign utilizing dual variants of the KimJongRAT malware. This operation begins with phishing emails that impersonate South Korean agencies, delivering malicious LNK files and decoy PDFs to unsuspecting victims. The malware can dynamically switch between Portable Executable (PE) and PowerShell payloads based on the status of Windows Defender, enhancing its stealth. Once deployed, the malware conducts extensive data theft, including browser credentials, cryptocurrency wallet information, and system data. Additionally, Kimsuky has established phishing sites that mimic legitimate South Korean services, allowing them to capture login credentials without detection.
A recently discovered vulnerability in Microsoft Windows Server Update Services (WSUS), identified as CVE-2025-59287, has been actively exploited by threat actors to distribute ShadowPad malware. This modular backdoor, associated with Chinese state-sponsored hacking groups, allows attackers to gain full system access by executing remote code with system privileges. The exploitation process involves using legitimate Windows utilities like PowerCat, certutil, and curl to download and install ShadowPad after initially breaching the system. ShadowPad employs DLL side-loading techniques, leveraging a legitimate binary to execute malicious payloads while incorporating various anti-detection methods.
Matrix Push C2 is a new C2 platform that utilizes browser notifications for fileless, cross-platform phishing attacks. By tricking users into allowing notifications through social engineering tactics, attackers can send alerts that appear to originate from the operating system or browser. These notifications often mimic legitimate messages, such as suspicious login alerts, leading victims to click on malicious links. This innovative approach bypasses traditional security measures, creating a persistent communication channel with victims across various platforms. Offered as a malware-as-a-service, Matrix Push C2 is sold through crimeware channels, allowing attackers to customize their phishing campaigns with templates that impersonate well-known brands. Additionally, the platform provides tools for tracking victim interactions and analyzing the effectiveness of their attacks.
China-linked APT24 hackers have been using the previously undocumented BadAudio malware in a three-year espionage campaign targeting Windows systems. Since 2022, they have employed various methods, including spearphishing, supply-chain compromises, and watering hole attacks, to deliver the malware. APT24 compromised over 20 legitimate websites to inject malicious JavaScript, luring visitors into downloading BadAudio through fake software update prompts. Additionally, they exploited a digital marketing company in Taiwan, injecting malicious code into widely used libraries, affecting over 1,000 domains. The malware is heavily obfuscated, utilizing techniques like DLL search order hijacking to evade detection. Once activated, BadAudio collects system information and communicates with a C2 server to download further payloads.
PlushDaemon, a China-aligned cyber threat actor, has been using a new Go-based backdoor called EdgeStepper to conduct adversary-in-the-middle (AitM) attacks by hijacking DNS queries. This malware redirects legitimate software update traffic to malicious servers, enabling the deployment of harmful payloads like LittleDaemon, which subsequently downloads the more advanced SlowStepper backdoor. Active since at least 2018, PlushDaemon has targeted various sectors, including semiconductor, automotive, and electronics companies, across multiple countries including the U.S. and South Korea. SlowStepper is particularly versatile, capable of gathering system information, extracting credentials, and executing commands, making it a significant threat in global cyber espionage efforts.
A new phishing kit known as Sneaky 2FA has integrated Browser-in-the-Browser (BitB) functionality to enhance its attacks on Microsoft account credentials. This technique creates realistic pop-up windows that mimic legitimate login pages, effectively deceiving users into entering their information. The attackers employ bot protection measures, such as CAPTCHA and Cloudflare Turnstile, to filter out security tools and target specific victims. Additionally, they utilize conditional loading and obfuscation techniques to evade detection. Research indicates that these threat actors also exploit vulnerabilities in passkey authentication systems through malicious browser extensions, allowing them to intercept and manipulate login processes.
Cybersecurity researchers have uncovered a new malware campaign known as EVALUSION, which utilizes the ClickFix social engineering tactic to distribute Amatera Stealer and NetSupport RAT. First identified in June, Amatera is an evolution of the ACR Stealer and is sold through subscription plans. This malware targets sensitive data from crypto-wallets, browsers, and messaging applications while employing sophisticated evasion techniques to bypass security measures. Victims are tricked into executing malicious commands via fake reCAPTCHA checks, leading to the download of a .NET payload. The Amatera DLL is injected into the "MSBuild.exe" process to harvest data and potentially deploy NetSupport RAT based on the victim's system attributes.
Dragon Breath employs RONINGLOADER to deploy a modified Gh0st RAT, targeting Chinese-speaking users using trojanized NSIS installers. The malware utilizes advanced evasion techniques to disable endpoint security tools, including Microsoft Defender and Qihoo 360 Total Security. RONINGLOADER executes complex actions, such as tampering with system processes, injecting shellcode, and leveraging signed drivers to terminate security processes. The loader bypasses User Account Control (UAC) and manipulates firewall settings to block security software connections. Gh0st RAT enables remote control of infected systems, including registry modifications, event log clearing, keystroke capturing, and payload execution.
Kraken ransomware has been targeting Windows and Linux/VMware ESXi systems, employing a unique performance benchmarking method to optimize data encryption without overloading the machines. This ransomware, a continuation of the HelloKitty operation, conducts double extortion attacks by stealing data and demanding ransom payments. It gains initial access by exploiting SMB vulnerabilities, extracting admin credentials, and using tools like Cloudflare and SSHFS for lateral movement and data exfiltration. Kraken features specialized encryption modules for SQL databases, network shares, local drives, and virtual machines, utilizing multi-threaded processes to enhance efficiency. After encrypting files, it executes a script to delete logs and traces, leaving a ransom note that demands payment in Bitcoin.
A malicious Chrome extension called "Safery: Ethereum Wallet" has been discovered, masquerading as a legitimate Ethereum wallet while secretly exfiltrating users' seed phrases. Uploaded to the Chrome Web Store on September 29, and updated recently, it remains available for download. The extension employs a backdoor to steal wallet mnemonic phrases by encoding them as fake Sui wallet addresses. It sends microtransactions from a hard-coded attacker-controlled wallet, allowing the threat actor to monitor the blockchain and reconstruct the original seed phrases.
Researchers revealed a new Android malware called Fantasy Hub sold as Malware-as-a-Service (MaaS) on Russian-speaking Telegram channels, enabling remote device control and data theft. Fantasy Hub targets financial workflows, intercepts two-factor SMS codes, and poses threats to enterprise customers relying on mobile banking apps. Buyers receive instructions to create fake Google Play Store pages and upload APK files for trojanized versions embedded with malicious payloads. The malware abuses SMS privileges, masquerades as Google Play updates, uses fake overlays to steal banking credentials, and streams real-time camera and microphone feeds.
A new ransomware operation named VanHelsing has emerged as a significant threat in the cybercriminal landscape. Functioning as a Ransomware-as-a-Service (RaaS) platform, it offers multi-platform support targeting Windows, Linux, BSD, ARM, and ESXi systems. Affiliates pay a $5,000 deposit for access and keep 80% of ransom payments. The ransomware uses advanced encryption techniques, anti-forensic methods, and lateral movement capabilities, making it highly effective and scalable.
Google has identified a new malware named PROMPTFLUX, which utilizes its Gemini AI model to autonomously rewrite its VBScript source code on an hourly basis, enhancing its obfuscation and evasion capabilities. This malware interacts with Gemini's API to request specific code modifications aimed at evading antivirus detection. Although currently in the development phase, PROMPTFLUX establishes persistence by saving its obfuscated versions in the Windows Startup folder and attempts to spread via removable drives. Additionally, other AI-driven malware variants, including FRUITSHELL and PROMPTLOCK, have emerged, demonstrating the growing trend of threat actors leveraging AI for malicious purposes.
Tenable uncovered critical vulnerabilities in OpenAI's ChatGPT models, including GPT-4 and GPT-5, which could enable attackers to steal private user data and launch zero-click attacks. These vulnerabilities exploit weaknesses in ChatGPT’s processing of external data and its memory feature, allowing malicious actors to inject harmful prompts through trusted websites and URL parameters. One alarming technique, known as “Conversation Injection,” can manipulate ChatGPT’s responses, while another vulnerability bypasses safety mechanisms, exfiltrating user data via tracking links. Attackers can achieve persistence by altering ChatGPT’s memory, leading to ongoing data leaks across multiple sessions. Additionally, a markdown rendering bug allows hidden malicious content to be processed undetected.