Weekly Threat Briefing
Diamond Trail

Cyware Weekly Threat Intelligence, November 10–14, 2025


The Good

Governments on both sides of the Atlantic are launching major offensives to combat digital threats, from large-scale fraud to infrastructure vulnerabilities. The U.S. has established the Scam Center Strike Force to dismantle Southeast Asian criminal networks responsible for an estimated $10 billion in cryptocurrency fraud in 2024. Meanwhile, the U.K. has introduced its Cyber Security and Resilience Bill, which will legally mandate that critical services like hospitals and energy systems meet new security standards and report any incidents within 24 hours.

  1. The U.S. government has established the Scam Center Strike Force to combat cryptocurrency fraud perpetrated by Southeast Asian criminal networks. These scams, which often involve fake online trading platforms and romance scams, have resulted in Americans losing approximately $10 billion in 2024 alone. Led by U.S. Attorney Jeanine Pirro, the task force aims to dismantle these criminal operations by targeting their offshore infrastructure and U.S.-based facilitators. The initiative reflects a growing recognition of the need to address the surge in cyber fraud linked to organized crime, particularly in regions like Cambodia, Laos, and Burma.

  2. Law enforcement disrupted over 1,000 servers linked to Rhadamanthys, VenomRAT, and Elysium malware operations during Operation Endgame. Searches were conducted in Germany, Greece, and the Netherlands, leading to arrests and domain seizures. The dismantled infrastructure included infected computers with stolen credentials and cryptocurrency wallets worth millions. Operation Endgame has previously targeted other malware operations, including ransomware infrastructures and botnets like Trickbot and SystemBC.

  3. The U.K. introduced the Cyber Security and Resilience Bill to enhance cybersecurity for critical services like hospitals, energy systems, and transport networks. IT service providers must comply with mandatory security standards, report incidents within 24 hours, and submit full reports within 72 hours. Regulators can enforce security measures and designate critical suppliers to address supply chain vulnerabilities. The bill includes penalties for serious breaches and extends protections to data centers and smart energy infrastructure.

The Bad

CISA is warning that the Akira ransomware group, which previously focused on VMware, is now actively encrypting Nutanix AHV virtual machines. The attackers exploit vulnerabilities and delete backups so that victims have no way to recover the encrypted .qcow2 files. Separately, attackers are using fake download pages for popular software to silently install legitimate RMM tools, which then deploy the PatoRAT backdoor; this gives the threat actors full control of the system, including screen capture and keystroke logging. A critical path traversal vulnerability in Fortinet FortiWeb is also being actively exploited to create unauthorized administrator accounts.

  1. CISA and other U.S. agencies have issued a warning about the Akira ransomware, which has started encrypting Nutanix AHV virtual machines. Initially targeting VMware ESXi and Hyper-V, Akira has expanded its reach by exploiting vulnerabilities like CVE-2024-40766 in SonicWall. The ransomware primarily encrypts .qcow2 files, a format used by Nutanix AHV. Akira actors gain access to corporate networks through stolen or brute-forced VPN and SSH credentials, and they exploit unpatched Veeam Backup & Replication servers to delete backups. Within compromised networks, they utilize various tools for reconnaissance and lateral movement, while also establishing persistence. Notably, the group has been able to exfiltrate data rapidly, utilizing tunneling tools such as Ngrok for encrypted communication.

  2. A critical path traversal vulnerability in Fortinet FortiWeb has been actively exploited, allowing threat actors to create unauthorized administrative accounts on exposed devices without authentication. This flaw, affecting versions 8.0.1 and earlier, was first identified by threat intelligence company Defused on October 6. Attackers send crafted HTTP POST requests to a specific endpoint, resulting in the creation of admin accounts with various usernames and passwords. Security researchers confirmed the exploit and demonstrated its execution. Despite the vulnerability being patched in version 8.0.2, reports indicate a surge in attacks originating from multiple IP addresses, raising concerns about the security of vulnerable devices in the wild.

  3. Cybersecurity researchers have uncovered a sophisticated attack campaign utilizing legitimate RMM tools, specifically LogMeIn Resolve and PDQ Connect, to deploy backdoor malware on unsuspecting systems. Attackers create convincing fake websites that mimic official download pages for popular software, tricking users into downloading malicious installers disguised as applications like Notepad++ and VLC Media Player. Once executed, these installers not only install the RMM tools but also additional malware designed for data theft. The primary objective is to install PatoRAT, a powerful backdoor capable of extensive data exfiltration and remote control. This malware collects detailed system information and supports various malicious functions, including keylogging and screen capturing, ultimately allowing attackers to maintain control over compromised systems.

  4. A large-scale spam campaign dubbed "IndonesianFoods" has flooded the npm registry with over 67,000 fake packages since early 2024. This financially motivated effort aims to clutter the registry rather than engage in data theft. The bogus packages, which often masquerade as legitimate Next.js projects, carry a dormant JavaScript payload that requires manual execution, thus evading automated security detection. The attackers have created a self-replicating network by referencing each other as dependencies, leading to an exponential increase in spam package downloads.

  5. GlassWorm malware has re-emerged in the OpenVSX marketplace, introducing three new malicious VSCode extensions that have collectively garnered over 10,000 downloads. This malware campaign, which initially targeted OpenVSX and Visual Studio Code last month, employs invisible Unicode characters to obfuscate its malicious code while targeting GitHub, NPM, and OpenVSX account credentials, as well as cryptocurrency wallet information. The newly identified extensions, which use the same obfuscation techniques as earlier variants, include ai-driven-dev, adhamu.history-in-sublime-merge, and yasuyuky.transient-emacs. 
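The IndonesianFoods item above describes spam packages that reference each other as dependencies so that installing any one of them pulls in the rest. One defensive check is to build the dependency graph over a set of package manifests and flag clusters of packages that form a cycle and depend on nothing outside the cluster. The following is an added example, not code from Cyware or from any registry tooling; the manifests are constructed for illustration, and treating a closed cycle as suspicious is a heuristic (legitimate monorepos can also produce cycles), so it is a triage signal rather than a verdict.

```python
# Heuristic detector for mutually-referencing package clusters (added example,
# not from the original briefing). Input: {package_name: [dependency names]}.

# Constructed sample manifests, not real npm registry data.
SAMPLE_MANIFESTS = {
    "spam-a": ["spam-b", "spam-c"],
    "spam-b": ["spam-c", "spam-a"],
    "spam-c": ["spam-a"],
    "demo-next-app": ["react", "next"],   # an ordinary app, not in a cycle
    "react": [],
    "next": ["react"],
}


def strongly_connected_components(graph):
    """Tarjan's algorithm; returns a list of sets, one per SCC."""
    index, low, on_stack, stack, result = {}, {}, set(), [], []
    counter = [0]

    def visit(v):
        index[v] = low[v] = counter[0]
        counter[0] += 1
        stack.append(v)
        on_stack.add(v)
        for w in graph.get(v, []):
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:
            component = set()
            while True:
                w = stack.pop()
                on_stack.discard(w)
                component.add(w)
                if w == v:
                    break
            result.append(component)

    for node in list(graph):
        if node not in index:
            visit(node)
    return result


def find_mutual_dependency_clusters(manifests, min_size=2):
    """Return cycles of size >= min_size with their external dependencies.

    A cluster with no external dependencies ("closed") matches the
    self-replicating pattern described in the briefing: every member only
    depends on other members, so one install drags the whole set along.
    """
    graph = {name: list(deps) for name, deps in manifests.items()}
    for deps in manifests.values():            # dependencies we have no manifest for
        for dep in deps:
            graph.setdefault(dep, [])
    clusters = []
    for component in strongly_connected_components(graph):
        if len(component) < min_size:
            continue
        external = {d for n in component for d in graph[n] if d not in component}
        clusters.append({
            "members": sorted(component),
            "external_deps": sorted(external),
            "closed": not external,
        })
    return clusters


if __name__ == "__main__":
    for cluster in find_mutual_dependency_clusters(SAMPLE_MANIFESTS):
        flag = "CLOSED CYCLE" if cluster["closed"] else "cycle"
        print(flag, cluster["members"], "external:", cluster["external_deps"])
```

To run this against real data, populate the dictionary from the `dependencies` field of each `package.json` you have fetched; the graph build deliberately tolerates dependencies for which no manifest is present so that partial crawls still work.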
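The GlassWorm item notes that the malicious extensions hide their code behind invisible Unicode characters. A straightforward defensive control is to scan extension and project source files for code points that render as nothing but still survive copy, paste and version control. The scanner below is an added example, not code from Cyware or from any marketplace or editor vendor; the sample JavaScript it scans is constructed, and the list of ranges is a general set of invisible code points rather than a signature for this specific campaign.

```python
# Scanner for invisible Unicode code points in source text (added example,
# not from the original briefing or from any vendor).
import unicodedata

# Constructed sample: a few lines of JavaScript with zero-width characters and a
# variation selector hidden in them. Not code from any real extension.
SAMPLE_JS = (
    "const token = process.env.TOKEN;\n"
    "// harmless comment\u200b\u200b\ufe0f\n"
    "fetch(url\u2062);\n"
)

# Ranges that render invisibly (or nearly so) in editors and diffs. The Unicode
# "Cf" (format) category is also treated as invisible below.
INVISIBLE_RANGES = [
    (0x200B, 0x200F),    # zero-width space/non-joiner/joiner, LRM, RLM
    (0x2060, 0x2064),    # word joiner, invisible operators
    (0x2066, 0x2069),    # bidirectional isolates
    (0x202A, 0x202E),    # bidirectional embeddings and overrides
    (0xFE00, 0xFE0F),    # variation selectors
    (0xE0100, 0xE01EF),  # variation selectors supplement
    (0xE0000, 0xE007F),  # tag characters
    (0x115F, 0x1160),    # Hangul choseong/jungseong fillers
    (0x3164, 0x3164),    # Hangul filler
    (0xFEFF, 0xFEFF),    # zero-width no-break space (legitimate only as a leading BOM)
]


def is_invisible(ch):
    cp = ord(ch)
    if any(lo <= cp <= hi for lo, hi in INVISIBLE_RANGES):
        return True
    return unicodedata.category(ch) == "Cf"


def scan_text(text):
    """Return (line, column, 'U+XXXX', name) for every invisible character.

    A byte-order mark at the very start of the file is ignored because many
    legitimate tools emit one; anywhere else it is reported.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if not is_invisible(ch):
                continue
            if lineno == 1 and col == 1 and ch == "\ufeff":
                continue
            findings.append((lineno, col, f"U+{ord(ch):04X}",
                             unicodedata.name(ch, "<unnamed>")))
    return findings


def scan_file(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read())


def lines_with_findings(findings):
    """Map line number -> count of invisible characters, for quick triage."""
    counts = {}
    for lineno, _col, _cp, _name in findings:
        counts[lineno] = counts.get(lineno, 0) + 1
    return counts


if __name__ == "__main__":
    for lineno, col, cp, name in scan_text(SAMPLE_JS):
        print(f"line {lineno} col {col}: {cp} {name}")
```

Run `scan_file` over every `.js`, `.ts` and `.json` file in an unpacked extension before installing it; a handful of hits in one comment line is the pattern worth a manual look, while a single leading BOM is normal.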

New Threats

The Kraken ransomware is targeting both Windows and Linux/VMware ESXi systems, employing a unique performance benchmark to encrypt files efficiently without overloading the machine. A discontinued threat from the past has resurfaced, hiding behind the allure of cryptocurrency. The DarkComet RAT is being distributed through a fake Bitcoin wallet application that uses advanced packing to evade antivirus detection. A new MaaS named Fantasy Hub is being sold on Telegram, allowing buyers to create fake Google Play pages for trojanized apps.

  1. Kraken ransomware has been targeting Windows and Linux/VMware ESXi systems, employing a unique performance benchmarking method to optimize data encryption without overloading the machines. This ransomware, a continuation of the HelloKitty operation, conducts double extortion attacks by stealing data and demanding ransom payments. It gains initial access by exploiting SMB vulnerabilities, extracting admin credentials, and using tools like Cloudflare and SSHFS for lateral movement and data exfiltration. Kraken features specialized encryption modules for SQL databases, network shares, local drives, and virtual machines, utilizing multi-threaded processes to enhance efficiency. After encrypting files, it executes a script to delete logs and traces, leaving a ransom note that demands payment in Bitcoin.

  2. A malicious Chrome extension called "Safery: Ethereum Wallet" has been discovered, masquerading as a legitimate Ethereum wallet while secretly exfiltrating users' seed phrases. Uploaded to the Chrome Web Store on September 29, and updated recently, it remains available for download. The extension employs a backdoor to steal wallet mnemonic phrases by encoding them as fake Sui wallet addresses. It sends microtransactions from a hard-coded attacker-controlled wallet, allowing the threat actor to monitor the blockchain and reconstruct the original seed phrases. 

  3. A newly discovered malware campaign is leveraging fake Bitcoin tools to distribute the DarkComet RAT, which continues to pose a significant threat despite being discontinued by its creator. The malware is disguised as a legitimate application called "94k BTC wallet.exe" and employs UPX packing to evade antivirus detection. Once executed, it establishes persistence by copying itself to the user’s system and creating autostart registry entries, allowing it to maintain access after reboots. The RAT is capable of keystroke logging and exfiltrating sensitive information to a C2 server. Utilizing process injection techniques, DarkComet obscures its malicious activities by hiding within legitimate Windows processes.

  4. Maverick malware has emerged as a serious threat targeting Brazil's largest banks by hijacking browser sessions and spreading through WhatsApp Web. This malicious software shares similarities with the previously identified Coyote strain, both written in .NET and designed to monitor banking applications. Maverick is distributed via malicious ZIP files that contain payloads, enabling it to steal credentials by tracking specific banking URLs. Attributed to the threat actor Water Saci, the campaign employs advanced techniques, including PowerShell scripts, to disable security features and operate stealthily. By bypassing WhatsApp Web authentication, Maverick gains immediate access to victims' accounts, allowing it to propagate malicious files to their contacts.

  5. Researchers revealed a new Android malware called Fantasy Hub sold as Malware-as-a-Service (MaaS) on Russian-speaking Telegram channels, enabling remote device control and data theft. Fantasy Hub targets financial workflows, intercepts two-factor authentication SMS codes, and poses a threat to enterprise customers relying on mobile banking apps. Buyers receive instructions to create fake Google Play Store pages and upload APK files for trojanized versions embedded with malicious payloads. The malware abuses SMS privileges, masquerades as Google Play updates, and uses fake overlays to steal banking credentials, while also streaming real-time camera and microphone content.

  6. A new ransomware operation named VanHelsing has emerged as a significant threat in the cybercriminal landscape. Functioning as a Ransomware-as-a-Service (RaaS) platform, it offers multi-platform support targeting Windows, Linux, BSD, ARM, and ESXi systems. Affiliates pay a $5,000 deposit for access and keep 80% of ransom payments. The ransomware uses advanced encryption techniques, anti-forensic methods, and lateral movement capabilities, making it highly effective and scalable. 

  7. A zero-day vulnerability in Samsung's Android image processing library (CVE-2025-21042) was exploited to deploy the LandFall spyware through malicious images sent via WhatsApp. The attack utilized malformed .DNG raw image files containing embedded ZIP archives to deliver the spyware. LandFall spyware includes components for elevating permissions, achieving persistence, and evading detection. It can record calls, track location, and access sensitive data such as photos, contacts, SMS, and browsing history. The spyware targeted Samsung Galaxy S22, S23, S24, Z Fold 4, and Z Flip 4 devices, but not the S25 series. The campaign has been active since at least July 2024, with evidence of targeting users in Iraq, Iran, Turkey, and Morocco.
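The LandFall item describes malformed .DNG raw images with a ZIP archive embedded inside them. DNG is a TIFF-based container, so a cheap mail-gateway or endpoint check is to confirm the TIFF magic and then look for ZIP local-file-header signatures anywhere in the file, which a genuine camera image never contains. The code below is an added example, not code from Cyware, Samsung or the researchers who analysed the campaign; the sample file it builds is a constructed minimal TIFF with a harmless placeholder archive appended, and nothing here parses the vulnerable image-processing path itself.

```python
# Detector for ZIP archives embedded in TIFF/DNG files (added example, not
# from the original briefing). Works on raw bytes so it can sit in any pipeline.
import io
import struct
import zipfile

TIFF_MAGICS = (b"II*\x00", b"MM\x00*")   # little-endian / big-endian TIFF headers
ZIP_LOCAL_SIG = b"PK\x03\x04"           # ZIP local file header signature


def is_tiff_like(data):
    return data[:4] in TIFF_MAGICS


def find_embedded_zip_entries(data):
    """Return one dict per ZIP local file header found anywhere in the bytes."""
    entries = []
    pos = data.find(ZIP_LOCAL_SIG)
    while pos >= 0:
        if pos + 30 <= len(data):
            # Fixed 26-byte part of the local header that follows the signature.
            (_ver, _flags, method, _mtime, _mdate, _crc,
             csize, usize, name_len, _extra_len) = struct.unpack(
                "<HHHHHIIIHH", data[pos + 4:pos + 30])
            name = data[pos + 30:pos + 30 + name_len].decode("utf-8", "replace")
            entries.append({
                "offset": pos,
                "name": name,
                "method": method,           # 0 = stored, 8 = deflate
                "compressed_size": csize,
                "uncompressed_size": usize,
            })
        pos = data.find(ZIP_LOCAL_SIG, pos + 4)
    return entries


def analyze_bytes(data):
    """Classify a file: 'not-tiff', 'clean', or 'suspicious' (ZIP inside TIFF)."""
    if not is_tiff_like(data):
        return {"tiff_like": False, "zip_entries": [], "verdict": "not-tiff"}
    entries = find_embedded_zip_entries(data)
    return {
        "tiff_like": True,
        "zip_entries": entries,
        "verdict": "suspicious" if entries else "clean",
    }


def analyze_file(path):
    with open(path, "rb") as fh:
        return analyze_bytes(fh.read())


def build_minimal_tiff():
    # Constructed: little-endian header pointing at an IFD with zero entries.
    header = b"II*\x00" + struct.pack("<I", 8)
    ifd = struct.pack("<H", 0) + struct.pack("<I", 0)
    return header + ifd


def build_sample_dng_with_zip():
    # Constructed: the minimal TIFF above with a harmless ZIP appended.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("payload.bin", b"constructed placeholder, not real content")
    return build_minimal_tiff() + buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("clean", build_minimal_tiff()),
                        ("with-zip", build_sample_dng_with_zip())):
        result = analyze_bytes(blob)
        print(label, result["verdict"], [e["name"] for e in result["zip_entries"]])
```

Because the check is signature-based it also catches archives hidden past the end of the image data, which image libraries ignore but which an exploit chain can still locate and unpack; pair it with a hard size ceiling on inbound images so oversized "photos" get the same scrutiny.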
