Weekly Threat Briefing
Diamond Trail

Cyware Weekly Threat Intelligence, October 27–31, 2025


The Good

The MITRE ATT&CK framework has received a major update with the release of v18. This version introduces enhanced detection strategies for modern infrastructure like CI/CD pipelines and Kubernetes. CISA, the NSA, and international allies have released new guidance for securing Microsoft Exchange servers. The advisory addresses ongoing threats to unprotected systems, emphasizing the need to harden user authentication and network encryption.

  • MITRE has launched ATT&CK v18, introducing substantial updates to its cybersecurity framework. This version enhances detection strategies and analytics, focusing on modern infrastructure such as CI/CD pipelines, Kubernetes, and cloud databases. It incorporates new techniques related to ransomware preparation and threat intelligence monitoring, alongside updates in the Mobile section addressing adversaries exploiting linked device features in apps like Signal and WhatsApp. Additionally, the Industrial Control Systems (ICS) section sees the introduction of new assets, including distributed control system controllers and firewalls. To foster collaboration, MITRE has established the ATT&CK Advisory Council, bringing together insights from end users, vendors, and academia. 

  • CISA, in partnership with the NSA and international cybersecurity allies, has released guidance on securing Microsoft Exchange servers. This initiative addresses the ongoing threats targeting these systems, particularly those that are unprotected or misconfigured, which leave organizations vulnerable to cyberattacks. The guidance emphasizes the importance of hardening user authentication, ensuring robust network encryption, and minimizing application attack surfaces. It also underscores the risks associated with retaining outdated Exchange servers, advocating for their decommissioning to mitigate potential exploitation. This release comes amid a backdrop of increasing cyber threats and aims to bolster the security posture of organizations utilizing Exchange infrastructure.

The Bad

A legitimate hacking tool has been turned into a weapon for cybercrime. Russian attackers are increasingly using AdaptixC2 to deploy ransomware and malware in live attacks. Researchers have discovered a sophisticated malware loader that deploys two separate backdoors, TorNet and PureHVNC. A sophisticated phishing campaign by the Gamaredon group is targeting government entities using a critical WinRAR vulnerability.

  • Russian cybercriminals are increasingly using the open-source command-and-control framework AdaptixC2, originally designed for penetration testing, to carry out ransomware attacks worldwide. Research reveals that the tool, maintained by an individual known as “RalfHacker,” has been linked to various malicious activities, including the distribution of CountLoader malware and fraudulent PDFs impersonating Ukraine’s national police. Despite its legitimate purpose, AdaptixC2 has become a favorite among Russian threat actors, raising concerns about the intersection of ethical hacking and cybercrime. 

  • A Brazilian cybercriminal group has enhanced its long-running Lampion Stealer campaign, which targets Portuguese banks using sophisticated social engineering and multi-stage infection chains. Since its initial discovery in 2019, the malware has evolved significantly, incorporating ClickFix lures that trick victims into executing malicious commands. Phishing emails, crafted to appear legitimate with banking themes, have become a primary delivery method, often sent from compromised accounts. The infection process involves multiple obfuscated Visual Basic script stages, ultimately delivering a bloated 700MB DLL file that employs advanced obfuscation techniques to evade detection. 

  • Researchers uncovered the PolarEdge botnet, which has compromised over 25,000 IoT devices and established 140 C2 servers. This sophisticated botnet exploits vulnerable edge devices and uses a novel RPX relay system to obscure attack sources, making detection difficult. Since its initial detection in May, the botnet has shown a sustained upward trend in infections, particularly in Southeast Asia and North America, with South Korea being the most affected. The malware employs a client-server architecture that facilitates remote command execution and proxy services, allowing attackers to maintain control and evade traditional security measures. 

  • Researchers from IIJ discovered a sophisticated malware loader capable of simultaneously deploying two malware families, TorNet and PureHVNC. The loader disguises itself as a legitimate program within a ZIP file, using hidden files and DLL sideloading to execute malicious components. Persistence is achieved by copying itself to the %LOCALAPPDATA% directory and creating a registry Run key for automatic execution. For API hashing the loader uses MurmurHash2, a technique rarely seen in malware loaders, which offers faster computation and greater resistance to static analysis than plaintext import names. TorNet operates as a downloader using the TOR network for secure communication, while PureHVNC functions as a RAT with capabilities like keystroke logging and system control.

  • A vulnerability in the Anti-Malware Security and Brute-Force Firewall plugin for WordPress, used by over 100,000 sites, allows subscribers to access sensitive files on the server, including the wp-config.php file, which contains critical database credentials. Identified as CVE-2025-11705, the flaw arises from inadequate capability checks in the GOTMLS_ajax_scan() function, enabling low-privileged users to read arbitrary files. Although the vulnerability is not deemed critical since authentication is necessary for exploitation, many sites with user subscriptions are at risk. 

  • Qilin ransomware is leveraging the Windows Subsystem for Linux (WSL) to run Linux encryptors on Windows systems, allowing it to evade traditional security tools. Emerging in 2022, Qilin has become one of the most active ransomware groups, attacking over 700 victims across 62 countries in 2025. Affiliates use a variety of legitimate applications, such as AnyDesk and Splashtop, to breach networks and steal data. They also employ BYOVD techniques to disable security software by exploiting signed but vulnerable drivers. The Linux encryptor targets VMware ESXi virtual machines and is transferred using WinSCP, executed via WSL, which helps it bypass detection by conventional Windows security solutions that primarily monitor Windows PE behavior.

  • A sophisticated phishing campaign by the Gamaredon threat group is targeting government entities by exploiting a critical WinRAR vulnerability, CVE-2025-8088. This path traversal vulnerability allows attackers to deliver weaponized RAR archives that deploy malicious HTA files without user interaction, merely requiring the opening of a seemingly benign PDF document. Once executed, the malware gains persistence by placing itself in the Windows Startup folder, ensuring it runs automatically upon reboot. 

  • The Water Saci malware campaign has significantly evolved, utilizing WhatsApp as its primary infection vector to spread malicious ZIP files through hijacked web sessions. This campaign employs advanced techniques, including script-based automation via VBS and PowerShell, allowing for fileless execution and persistence. The malware features a sophisticated email-based C2 infrastructure that uses IMAP connections to retrieve operational commands, enabling real-time control over infected systems. Additionally, it can harvest WhatsApp contacts and automate message distribution, effectively converting compromised machines into coordinated botnet tools. 
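The IIJ loader item above describes API hashing with MurmurHash2. To show why hashed imports hinder static analysis and how an analyst nevertheless recovers them, here is an added example for this briefing (not IIJ's code and not the loader's): it implements the public 32-bit MurmurHash2 routine and builds a hash-to-name lookup table from a constructed list of Windows API names. The seed value 0 and the API list are assumptions; a real resolution table would use the seed and name set recovered from the sample.

```python
"""Resolve MurmurHash2-style API hashes back to names with a precomputed table.

Added illustration, not code from the IIJ research. The hash routine is the
public 32-bit MurmurHash2 by Austin Appleby; the seed and the API list below
are assumptions, not values recovered from the loader.
"""
import struct

MURMUR_M = 0x5BD1E995
MURMUR_R = 24
MASK32 = 0xFFFFFFFF


def murmurhash2(data: bytes, seed: int = 0) -> int:
    """32-bit MurmurHash2 over little-endian 4-byte blocks."""
    length = len(data)
    h = (seed ^ length) & MASK32
    offset = 0
    while length >= 4:
        k = struct.unpack_from("<I", data, offset)[0]
        k = (k * MURMUR_M) & MASK32
        k ^= k >> MURMUR_R
        k = (k * MURMUR_M) & MASK32
        h = (h * MURMUR_M) & MASK32
        h ^= k
        offset += 4
        length -= 4
    # Tail: the remaining 1-3 bytes are mixed in, then multiplied once
    # (mirrors the fall-through switch in the reference C implementation).
    if length >= 3:
        h ^= data[offset + 2] << 16
    if length >= 2:
        h ^= data[offset + 1] << 8
    if length >= 1:
        h ^= data[offset]
        h = (h * MURMUR_M) & MASK32
    h ^= h >> 13
    h = (h * MURMUR_M) & MASK32
    h ^= h >> 15
    return h


# Constructed list of API names an analyst might expect a loader to resolve.
COMMON_APIS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "VirtualProtect",
    "CreateThread", "WriteProcessMemory", "RegSetValueExA", "CopyFileW",
]


def build_hash_table(names, seed: int = 0) -> dict:
    """Map hash -> API name so hashes found in a sample can be looked up."""
    return {murmurhash2(name.encode("ascii"), seed): name for name in names}


def resolve_hashes(hashes, table: dict) -> dict:
    """Return {hash: name-or-None} for each hash value pulled from a sample."""
    return {h: table.get(h) for h in hashes}


if __name__ == "__main__":
    table = build_hash_table(COMMON_APIS, seed=0)
    # Constructed "sample" hashes: two that resolve and one that does not.
    sample = [murmurhash2(b"VirtualAlloc"), murmurhash2(b"CreateThread"), 0xDEADBEEF]
    for h, name in resolve_hashes(sample, table).items():
        print(f"0x{h:08x} -> {name or '<unresolved>'}")
```

Because the binary stores only the 32-bit hash, a string search for import names finds nothing; the analyst instead hashes every plausible export name with the sample's seed and looks the stored values up. If the seed differs from the assumed one, every entry misses, which is itself a useful signal that the seed must be recovered from the code first.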

New Threats

A new vulnerability named Brash has been discovered that can instantly crash popular browsers like Google Chrome and Microsoft Edge. This flaw allows an attacker to completely freeze the browser using just a single malicious URL. A new software supply chain campaign named PhantomRaven has been identified, involving 126 malicious npm packages. These packages have been downloaded over 86,000 times. A new Android malware family, named Herodotus, is simulating human typing to avoid detection by security software.

  • A new vulnerability named Brash has been discovered in the Blink rendering engine of Chromium-based browsers, enabling attackers to crash these browsers within seconds using a single malicious URL. This exploit takes advantage of the lack of rate limiting on the "document.title" API, allowing for an overwhelming number of DOM mutations—up to 24 million updates per second—leading to browser unresponsiveness. The attack occurs in three phases: generating unique hexadecimal strings, executing rapid title updates, and saturating the browser's main thread. Notably, Brash can be programmed to activate at specific times, functioning like a logic bomb. Affected browsers include Google Chrome, Microsoft Edge, and others, while Mozilla Firefox and Apple Safari remain unaffected.

  • A new campaign named PhantomRaven has emerged, involving 126 malicious npm packages that have collectively garnered over 86,000 downloads. These packages are designed to stealthily steal sensitive information, including npm tokens, GitHub credentials, and CI/CD secrets from developers worldwide. Utilizing advanced evasion techniques, such as Remote Dynamic Dependencies (RDD), the attackers have managed to bypass traditional security measures, allowing malicious code to execute without detection. By exploiting AI-generated package names, they mislead developers into installing these harmful packages, further compromising security. The attack exemplifies the growing sophistication of software supply chain threats, emphasizing the need for greater vigilance in the open-source ecosystem. 

  • Atroposia is a feature-rich RAT that enables low-skill attackers to execute complex cyberattacks, including stealthy remote desktop access, credential theft, and DNS hijacking. The malware uses encrypted command channels, privilege escalation, and persistence mechanisms to evade detection and remain active on infected systems. Atroposia's fileless data exfiltration capabilities and clipboard snooping allow attackers to steal sensitive information with minimal traces. The RAT includes a vulnerability scanner to identify exploitable weaknesses on compromised systems, further enhancing its attack potential.

  • A new Android malware family, Herodotus, employs random delay injection in its input routines to simulate human typing and evade detection by security software. Offered as a MaaS, it is primarily targeting users in Italy and Brazil through SMS phishing attacks. The malware circumvents Accessibility permission restrictions in Android 13 and later by prompting users to enable the service and disguising the permission-granting process with fake loading screens. Once granted access, Herodotus can interact with the user interface, including entering text and tapping on screen coordinates. Its unique "humanizer" mechanism introduces random delays of 0.3 to 3 seconds between inputs, mimicking natural typing patterns. Additionally, Herodotus provides operators with features such as customizable SMS messages, overlays that mimic banking apps, and tools for intercepting 2FA codes.

  • A new variant of the Gunra ransomware, active since April 2025, is targeting Linux systems using ELF binaries. This variant employs the ChaCha20 encryption algorithm. The ransomware is configurable via command-line arguments and supports both file and disk encryption. Gunra ransomware has been actively targeting organizations globally, including reported incidents in South Korea. The malware is distributed in both EXE (Windows) and ELF (Linux) formats. A critical flaw exists in the random number generation function used to create the ChaCha20 key and nonce. The function seeds rand() with time(), and because the loop runs many times within the same second, the same seed value is reused. This results in repeated byte patterns in the key and nonce, making them cryptographically weak.
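The PhantomRaven item above mentions Remote Dynamic Dependencies, where a dependency is declared as a URL so that its code is fetched at install time rather than from the registry. A simple check for that pattern, written as an added example for this briefing rather than code from the PhantomRaven research or from npm itself: it reads a package.json and flags any dependency whose spec points to a URL, git repository or tarball instead of a registry version range. The package.json contents, hostnames and package names are constructed.

```python
"""Flag package.json dependencies that resolve outside the npm registry.

Added example, not PhantomRaven tooling or the npm CLI. The sample manifest,
hostnames and package names are constructed for illustration.
"""
import json
import re

DEP_FIELDS = ("dependencies", "devDependencies",
              "optionalDependencies", "peerDependencies")

# Spec prefixes npm resolves to a remote URL, git host or local path.
REMOTE_PREFIXES = ("http://", "https://", "git://", "git+", "ssh://",
                   "github:", "gitlab:", "bitbucket:", "gist:", "file:")
TARBALL_SUFFIXES = (".tgz", ".tar.gz")
# "owner/repo" (optionally "#ref") is npm's GitHub shorthand.
GITHUB_SHORTHAND = re.compile(r"^[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(#.*)?$")


def classify_spec(spec: str) -> str:
    """Return "remote" for specs fetched outside the registry, else "registry"."""
    s = spec.strip()
    if s.startswith("npm:"):            # alias to a registry package
        return "registry"
    if s.lower().startswith(REMOTE_PREFIXES):
        return "remote"
    if s.lower().endswith(TARBALL_SUFFIXES):
        return "remote"
    if GITHUB_SHORTHAND.match(s):
        return "remote"
    return "registry"                    # semver range, tag, "*", etc.


def find_remote_dependencies(package_json_text: str) -> list:
    """Return one finding per dependency whose spec is not a registry range."""
    pkg = json.loads(package_json_text)
    findings = []
    for field in DEP_FIELDS:
        for name, spec in (pkg.get(field) or {}).items():
            if classify_spec(spec) == "remote":
                findings.append({"field": field, "name": name, "spec": spec})
    return findings


# Constructed manifest: two registry deps, one URL tarball, one git shorthand.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-app",
    "version": "1.0.0",
    "dependencies": {
        "express": "^4.18.2",
        "lodash": "4.17.21",
        "helper-utils": "http://packages.example.test/helper-utils-1.0.0.tgz",
    },
    "devDependencies": {
        "build-tool": "github:someuser/build-tool#main",
        "typescript": "~5.3.0",
    },
})

if __name__ == "__main__":
    for f in find_remote_dependencies(SAMPLE_PACKAGE_JSON):
        print(f"{f['field']}: {f['name']} -> {f['spec']}")
```

Run this over the manifests of every package in a lockfile, not only the top-level one: the point of the technique is that a registry-hosted package can declare a URL dependency that scanners counting registry dependencies never see, and the content behind that URL can change between installs.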
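The following added example (not Gunra's code) reconstructs the key-generation flaw the report describes and contrasts it with the correct approach. A small LCG stands in for libc rand(), the clock is injected so the result is reproducible, and the fixed timestamp is constructed; reseeding from a one-second clock before every byte yields identical bytes for every draw in the same second.

```python
"""Reproduce a reseed-from-time() key generator and contrast it with a CSPRNG.

Added example, not Gunra's code. The reseed-per-byte loop is a reconstruction
of the reported flaw (srand(time()) inside the loop); the LCG is a stand-in for
libc rand() with the classic ANSI C constants, not glibc's implementation.
"""
import secrets
import time


class LibcStyleRand:
    """Minimal LCG with srand()/rand() semantics."""

    def __init__(self) -> None:
        self.state = 1

    def srand(self, seed: int) -> None:
        self.state = seed & 0xFFFFFFFF

    def rand(self) -> int:
        self.state = (self.state * 1103515245 + 12345) & 0xFFFFFFFF
        return (self.state >> 16) & 0x7FFF


def weak_key_material(length: int, now=time.time, rng=None) -> bytes:
    """Flawed pattern: reseed from the clock before every byte.

    time() has one-second resolution, so every byte drawn within the same
    second comes from the same seed and is therefore the same byte.
    """
    rng = rng or LibcStyleRand()
    out = bytearray()
    for _ in range(length):
        rng.srand(int(now()))
        out.append(rng.rand() & 0xFF)
    return bytes(out)


def strong_key_material(length: int) -> bytes:
    """Correct approach: take key and nonce bytes from the OS CSPRNG."""
    return secrets.token_bytes(length)


def distinct_byte_count(data: bytes) -> int:
    """How many different byte values appear; 1 means the buffer is constant."""
    return len(set(data))


if __name__ == "__main__":
    frozen = lambda: 1_700_000_000  # constructed fixed timestamp
    key = weak_key_material(32, now=frozen)      # ChaCha20 key size
    nonce = weak_key_material(12, now=frozen)    # ChaCha20 nonce size
    print("weak key  :", key.hex(), "distinct bytes:", distinct_byte_count(key))
    print("weak nonce:", nonce.hex())
    good = strong_key_material(32)
    print("csprng key:", good.hex(), "distinct bytes:", distinct_byte_count(good))
```

With a live clock the output is the same unless the loop straddles a second boundary, in which case the buffer contains at most two distinct values. Either way the effective key space is tiny, which is why a ChaCha20 key and nonce must come from a CSPRNG rather than from rand().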

Tags: MITRE ATT&CK, AdaptixC2, Gamaredon, Brash, PhantomRaven, Herodotus
