Weekly Threat Briefing
Diamond Trail

Cyware Weekly Threat Intelligence, December 01–05, 2025


The Good

International law enforcement is tightening the net around digital financial crime, seizing assets from high-tech launderers and dismantling predatory scam networks. In a major European coordinated effort, authorities executed Operation Olympia to shut down Cryptomixer, a service that laundered over €1.3 billion for cybercriminals, seizing domains and €24 million in Bitcoin. Meanwhile, the U.S. DOJ's new Scam Center Strike Force struck at the heart of Southeast Asian fraud rings, dismantling a fake trading site linked to a Myanmar compound that impersonated legitimate platforms to steal from investors.

  • Law enforcement from Switzerland and Germany, aided by Europol and Eurojust, successfully dismantled the Cryptomixer cryptocurrency-mixing service, which had laundered over €1.3 billion in Bitcoin since its inception in 2016. During Operation Olympia, authorities seized three servers, more than 12 terabytes of data, the service's clear web and dark web domains, and €24 million ($27–29 million) in Bitcoin. Cryptomixer operated by pooling users’ cryptocurrency to obscure transaction origins, making it a favored tool for cybercriminals involved in various illegal activities such as drug trafficking and ransomware attacks. This takedown follows previous actions against similar services, including ChipMixer and Blender.io, highlighting ongoing efforts to combat cryptocurrency-related crime.

  • The DOJ dismantled a fraudulent website, tickmilleas[.]com, which impersonated the legitimate TickMill trading platform to defraud victims. This action is part of a broader initiative by the newly formed Scam Center Strike Force, targeting scam operations linked to the Tai Chang compound in Myanmar, run by the Democratic Karen Benevolent Army. Victims were misled into believing they were making legitimate investments, often shown false returns and deposits. The DOJ has identified multiple victims who lost money through this scheme, which is part of a larger trend of scams stealing approximately $10 billion annually from Americans. Collaborating with tech companies like Meta, law enforcement has also removed thousands of scam-related accounts to combat these illicit operations.

The Bad

The China-linked threat group known as "Silver Fox" has been observed planting deceptive markers to masquerade as Russian cybercriminals while carrying out attacks against Chinese organizations. The MuddyWater group has intensified its operations against Israel and Egypt using a malware loader disguised as the classic Snake video game to evade detection. Developers are being targeted by a wolf in sheep's clothing inside their own code editors. A fake VSCode extension has been caught initiating a supply-chain attack to deliver the powerful OctoRAT.

  • The Chinese APT group "Silver Fox" uses false flags, such as Cyrillic characters, to impersonate Russian threat actors while targeting organizations in China through a Microsoft Teams SEO poisoning campaign. Silver Fox deploys ValleyRAT malware for espionage and financial fraud, enabling remote control of infected systems, data exfiltration, and long-term persistence. The campaign uses fake domains like "teamscn[.]com" to lure Chinese-speaking users into downloading malware disguised as Microsoft Teams software. The infection chain involves a trojanized Microsoft Teams executable, PowerShell commands to modify antivirus exclusions, and malicious DLL files loaded into legitimate Windows processes.

  • MuddyWater, an Iran-aligned cyberespionage group, has intensified its operations, primarily targeting critical infrastructure in Israel and Egypt. This latest campaign showcases the group's evolution, marked by the deployment of sophisticated custom malware, including the Fooder loader and the MuddyViper backdoor. Fooder cleverly disguises itself as the classic Snake game, employing delays to evade detection, while MuddyViper facilitates extensive data collection and credential theft. The group has refined its tactics, shifting from noisy, easily detectable methods to more stealthy approaches. Additionally, MuddyWater has demonstrated collaboration with the Lyceum group, indicating a strategic focus on government and military sectors. 

  • A fake VSCode extension, "prettier-vscode-plus," impersonated the legitimate Prettier formatter and was used to initiate a supply-chain attack. The extension delivered a multi-stage malware chain, starting with the Anivia loader and ending with OctoRAT, a fully featured remote access toolkit. Both Anivia and OctoRAT used AES-encrypted payloads, in-memory execution, and process hollowing to evade detection. The malicious GitHub repository "vscode" was used to host VBScript payloads, with active payload rotation to avoid detection. The Anivia loader decrypted and executed payloads in memory, employing advanced techniques like process hollowing into legitimate Windows binaries. OctoRAT provided over 70 commands, including surveillance, file theft, privilege escalation, and cryptocurrency wallet theft.  

  • Operation DupeHike is a cyber campaign targeting Russian corporate employees, particularly in HR and payroll sectors, using spear-phishing techniques. Attackers deploy malicious LNK files disguised as documents related to employee bonuses, which lead to the installation of the DUPERUNNER implant and the AdaptixC2 beacon. The infection begins with a ZIP file containing a decoy document that outlines internal HR policies, effectively luring victims. Upon execution, the LNK file utilizes PowerShell to download and run the DUPERUNNER implant, which performs various malicious activities, including process injection and data gathering. The AdaptixC2 beacon serves as a loader for further payloads, employing sophisticated techniques such as reflective loading and dynamic API resolution. 

  • A malicious Rust package named evm-units has been discovered, capable of targeting Windows, macOS, and Linux systems while masquerading as an Ethereum Virtual Machine (EVM) helper tool. Uploaded to crates.io in April 2025, it garnered over 7,000 downloads before being removed. The malware checks for Qihoo 360 antivirus and executes OS-specific payloads to gain control of developer machines. On Linux, it downloads and runs a script, while on macOS, it uses osascript to execute a file. For Windows, it saves a PowerShell script in the temp directory and alters its execution based on the antivirus detection. 

  • The Aisuru botnet has emerged as a significant threat, launching over 1,300 DDoS attacks in just three months, including a record peak of 29.7 Tbps. This botnet-for-hire service operates using millions of compromised routers and IoT devices worldwide, allowing cybercriminals to rent its capabilities for malicious purposes. The massive DDoS attacks have severely impacted various sectors, including gaming, telecommunications, and financial services, with the potential to disrupt internet service providers even when they are not direct targets. Notably, hyper-volumetric attacks have surged, with incidents exceeding 1 Tbps more than doubling quarter-over-quarter.

  • A seven-year campaign by the group ShadyPanda has led to the infection of 4.3 million users of Google Chrome and Microsoft Edge through malicious browser extensions. Initially appearing legitimate, these extensions gained user trust before pushing updates that introduced spyware and backdoors. Five extensions, which infected 300,000 users, allowed for remote code execution, while another five remain active in the Edge marketplace, with one, WeTab, boasting three million installs. The malware enables comprehensive browser surveillance and data theft, sending sensitive information to servers in China. Earlier campaigns included extensions that tracked user behavior and monetized browsing data. 

New Threats

South Korea is facing a new rise in stealthy cryptocurrency mining infections. A recently identified CoinMiner variant is propagating via USB removable drives, using malicious shortcut (.lnk) files that trigger scripts designed to abuse DLL side-loading techniques. Three critical vulnerabilities discovered in Picklescan, a security scanner for pickle files, allow attackers to bypass detection using simple tricks like changing file extensions or exploiting CRC errors. Malware is once again infiltrating the very marketplaces developers trust to build their software. The Glassworm malware has resurfaced for a third wave, introducing 24 new malicious packages to OpenVSX and Visual Studio that use invisible Unicode characters to evade detection.

  • A new strain of CoinMiner malware is spreading via USB drives in South Korea, targeting workstations for Monero cryptocurrency mining. The infection process involves a malicious shortcut file (.lnk) that executes scripts to load malware using DLL Side-Loading techniques. The malware creates deceptive directories and employs trusted Windows components to bypass antivirus detection. The payload, PrintMiner, maximizes mining efficiency while employing stealth tactics like bypassing Windows Defender and pausing activity during high-resource tasks.

  • A high-severity vulnerability (CVE-2025-66476) has been discovered in Vim for Windows, allowing attackers to execute arbitrary code through an uncontrolled search path issue. The flaw, rated with a CVSS score of 7.8, affects versions earlier than 9.1.1947. It enables attackers to plant malicious executables in directories, which Vim may execute instead of legitimate system binaries. The vulnerability can be exploited without administrative privileges, posing a significant threat to users. The issue has been resolved in version 9.1.1947, and users are urged to update immediately.

  • Three critical vulnerabilities were discovered in Picklescan, a security scanner for Python pickle files, allowing malicious actors to execute arbitrary code by bypassing its detection mechanisms. The vulnerabilities (CVE-2025-10155, CVE-2025-10156, CVE-2025-10157) include file extension bypass, CRC error exploitation, and unsafe globals check circumvention, enabling attackers to execute malicious code and potentially launch supply-chain attacks. A separate vulnerability (CVE-2025-46417) was found, allowing malicious pickle files to exfiltrate sensitive information via DNS, exploiting legitimate Python modules like linecache and ssl.

  • The Glassworm malware has resurfaced in its third wave, introducing 24 new malicious packages on the OpenVSX and Microsoft Visual Studio marketplaces. Initially detected in October, Glassworm employs invisible Unicode characters to conceal its code and targets developers by stealing credentials from GitHub, npm, and OpenVSX accounts, as well as cryptocurrency wallet data. It also establishes a SOCKS proxy for routing malicious traffic and installs an HVNC client for remote access. Despite previous containment efforts, the malware returned with new extensions and publisher accounts, targeting popular frameworks like Flutter and React Native. The latest wave demonstrates an evolution in its technical capabilities, now utilizing Rust-based implants while continuing to manipulate download counts to appear trustworthy and confuse users in search results.
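A content-based check for the hidden-character trick described above, added here as an example and not code from Cyware or from the researchers who tracked Glassworm: it walks a source file and reports runs of zero-width, bidirectional-control, variation-selector and Tag code points, all of which render as nothing (or only alter rendering) in an editor. The sample extension source is constructed; the ranges are standard Unicode blocks and the detection does not depend on any specific Glassworm encoding.

```python
import unicodedata

# Code points that render as nothing or only alter rendering. Variation
# selectors and Tag characters are listed explicitly because their Unicode
# category (Mn / Cf) does not by itself mark them as suspicious, yet long
# runs of them can carry an encoded payload with no visible effect.
INVISIBLE_RANGES = {
    "zero-width": [(0x200B, 0x200D), (0x2060, 0x2064), (0xFEFF, 0xFEFF)],
    "bidi-control": [(0x202A, 0x202E), (0x2066, 0x2069)],
    "variation-selector": [(0xFE00, 0xFE0F), (0xE0100, 0xE01EF)],
    "tag": [(0xE0000, 0xE007F)],
}
ALLOWED_CONTROLS = {"\t", "\n", "\r"}  # normal whitespace in source files


def classify(ch):
    """Return the suspicious class of a character, or None if it is ordinary."""
    cp = ord(ch)
    for name, ranges in INVISIBLE_RANGES.items():
        if any(lo <= cp <= hi for lo, hi in ranges):
            return name
    cat = unicodedata.category(ch)
    if cat in ("Cf", "Cc", "Co") and ch not in ALLOWED_CONTROLS:
        return "other-" + cat  # remaining format, control, private-use chars
    return None


def scan_source(text):
    """Return (line, column, class, run_length) for each run of invisible
    characters; adjacent characters of the same class form one finding."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        col = 0
        while col < len(line):
            kind = classify(line[col])
            if kind is None:
                col += 1
                continue
            start = col
            while col < len(line) and classify(line[col]) == kind:
                col += 1
            findings.append((lineno, start + 1, kind, col - start))
    return findings


# Constructed sample: extension source with a run of variation selectors
# hidden inside a harmless-looking string and a stray zero-width space.
SAMPLE = (
    "const name = 'prettier';\n"
    "const data = 'ok" + "\ufe01\ufe02\ufe03\U000E0101" + "';\n"
    "console.log(name + '\u200b');\n"
)

if __name__ == "__main__":
    for lineno, col, kind, length in scan_source(SAMPLE):
        print(f"line {lineno} col {col}: {length} x {kind}")
```

Run it over every file in an extension's .vsix or a package tarball before installing; a clean file produces no findings, and any run of variation selectors or Tag characters outside a string of emoji deserves a manual look.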

  • A critical vulnerability, tracked as CVE-2025-64775, has been discovered in Apache Struts, a popular open-source web application framework. This flaw enables attackers to exploit improper cleanup of temporary files during multipart requests, potentially leading to disk exhaustion attacks. By generating numerous large temporary files, an attacker can fill a server’s disk space, causing significant disruptions such as slow performance or complete unavailability of the application. The vulnerability affects several versions of Struts, including those that are no longer supported. 

  • A new Android malware named Albiriox has emerged, operating under a MaaS model to facilitate on-device fraud and screen manipulation across over 400 applications, including banking and cryptocurrency platforms. Distributed through social engineering tactics, Albiriox employs dropper applications and advanced packing techniques to evade detection. It uses accessibility services to bypass Android's security measures, enabling attackers to conduct credential theft and manipulate device screens without raising alarms. Additionally, it executes overlay attacks and utilizes fake websites to lure victims into downloading malicious APKs. 

  • Operation Hanoi Thief is a sophisticated cyber-espionage campaign targeting Vietnam's technology and recruitment sectors. It employs spear-phishing tactics through a malicious email containing a ZIP file disguised as a job applicant's CV. This ZIP file includes a pseudo-polyglot payload—a combination of an image, a PDF document, and a malicious script—designed to deceive victims. When the LNK file is executed, it triggers a legitimate Windows tool, ftp.exe, to run hidden commands, ultimately extracting a Base64-encoded blob that decodes into the LOTUSHARVEST malware. This information stealer targets browser data from Google Chrome and Microsoft Edge, exfiltrating sensitive information to attacker-controlled domains.
