Anomali Cyber Watch: "ROBOT" Malware Suite, GlassWorm, Vidar Stealer 2.0, and More

Anomali Threat Research
October 28, 2025

Russia-Linked COLDRIVER Deploys New “ROBOT” Malware Suite

(published: October 22, 2025)

COLDRIVER, a Russia-linked threat actor, has replaced its publicly exposed LOSTKEYS tooling with a compact suite dubbed NOROBOT, YESROBOT, and MAYBEROBOT. The campaign uses fake CAPTCHA pages to trick targets into executing a disguised DLL that deploys lightweight PowerShell or Python implants. COLDRIVER’s targets are typically high-value and include diplomats, defense advisors, journalists, and NGOs. The actor’s shift from credential harvesting to direct device infiltration and persistent data exfiltration reflects a deliberate move toward operational agility and long-term espionage capability.

Analyst Comment: Even though COLDRIVER’s usual targets sit at the top of the geopolitical food chain, it would be naive to think your organization is automatically out of scope. Their shift from phishing and credential theft to direct endpoint compromise shows an actor refining techniques that could easily filter into wider use. What stands out isn’t just the new malware but the pace of replacement after exposure. That speed reflects a well-resourced and agile adversary able to rebuild faster than static detections can keep up. For defenders, the takeaway is to prioritize behavioral visibility, because tools change quickly.

MITRE ATT&CK: T1566.002 - Phishing: Spearphishing Link | T1218.011 - Signed Binary Proxy Execution: Rundll32 | T1059.001 - Command and Scripting Interpreter: PowerShell | T1059.003 - Command and Scripting Interpreter: Windows Command Shell | T1053.005 - Scheduled Task/Job: Scheduled Task | T1105 - Ingress Tool Transfer | T1197 - BITS Jobs | T1027 - Obfuscated Files or Information | T1071.001 - Application Layer Protocol: Web Protocols | T1041 - Exfiltration Over C2 Channel

Self-Spreading GlassWorm Malware Hits OpenVSX & VS Code Registries

(published: October 20, 2025)

A new malware strain named GlassWorm has infected the Visual Studio Code and OpenVSX extension registries, compromising at least 35,000 developer installations. The worm embeds hidden malicious code using invisible Unicode characters, enabling it to bypass both automated and manual reviews. Once executed, it steals credentials from npm, GitHub, OpenVSX, and Git repositories, along with crypto-wallet data from nearly 50 wallet types. GlassWorm deploys SOCKS proxies and hidden VNC clients to maintain access and uses compromised developer systems to automatically publish new infected extensions, effectively allowing it to self-propagate. Its command-and-control operations leverage the Solana blockchain with backup infrastructure on Google Calendar, making takedown difficult. Some infected extensions reportedly remain online despite mitigation efforts.
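The paragraph above describes the technique that let GlassWorm slip past review: malicious code hidden behind characters that render as nothing. The following is an added example, not code from the original post or from any researcher cited here, showing how a defender can scan extension source for such characters before publishing or installing it. The list of suspect code points and the payload threshold are constructed starting values, not an authoritative set, and the sample source text is constructed for illustration.

```python
import unicodedata

# Constructed starting set of characters that render as nothing (or as a blank)
# and are commonly used to hide source text from a human reviewer.
SUSPECT_CODEPOINTS = {
    0x200B: "ZERO WIDTH SPACE",
    0x200C: "ZERO WIDTH NON-JOINER",
    0x200D: "ZERO WIDTH JOINER",
    0x2060: "WORD JOINER",
    0xFEFF: "ZERO WIDTH NO-BREAK SPACE",
    0x115F: "HANGUL CHOSEONG FILLER",
    0x1160: "HANGUL JUNGSEONG FILLER",
    0x3164: "HANGUL FILLER",
    0xFFA0: "HALFWIDTH HANGUL FILLER",
}


def is_suspect(ch):
    """True for characters a reviewer would not see in an editor."""
    cp = ord(ch)
    if cp in SUSPECT_CODEPOINTS:
        return True
    # Cf covers format characters (bidi overrides, tag characters, soft hyphen);
    # Co covers private-use code points, which have no business in source code.
    if unicodedata.category(ch) in ("Cf", "Co"):
        return True
    # Variation selectors are category Mn, so they need an explicit range check.
    if 0xFE00 <= cp <= 0xFE0F or 0xE0100 <= cp <= 0xE01EF:
        return True
    return False


def scan_source(text):
    """Return (line, column, 'U+XXXX', name) for every suspect character."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if is_suspect(ch):
                findings.append((line_no, col, f"U+{ord(ch):04X}",
                                 unicodedata.name(ch, "UNNAMED")))
    return findings


def lines_with_hidden_payload(text, threshold=8):
    """Lines with at least `threshold` suspect characters: a run long enough to
    carry encoded data rather than a stray BOM or a single soft hyphen."""
    per_line = {}
    for line_no, _, _, _ in scan_source(text):
        per_line[line_no] = per_line.get(line_no, 0) + 1
    return sorted(n for n, count in per_line.items() if count >= threshold)


# Constructed sample resembling an extension's activate() function, with a run of
# Hangul Filler characters appended to an otherwise innocent-looking line.
SAMPLE = (
    "const vscode = require('vscode');\n"
    "function activate(context) {" + "\u3164" * 12 + "\n"
    "  console.log('extension active');\n"
    "}\n"
)

if __name__ == "__main__":
    for finding in scan_source(SAMPLE):
        print(finding)
    print("lines carrying a hidden run:", lines_with_hidden_payload(SAMPLE))
```

Run this over every `.js`/`.ts` file in an extension's package (and over the `package.json` scripts) as a pre-install or CI gate; a single finding is worth a manual look, and a line that trips the threshold should block the build until someone explains it.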

Analyst Comment: GlassWorm hits where developers feel safest, inside their own tools. Because VS Code extensions auto-update, users didn’t have to click anything or install a fake package; the malware simply arrived through a trusted channel. That’s the kind of infection that slips past both instinct and policy. When you line it up next to last month’s Shai-Hulud incident on npm, you start to see the bigger picture. Attackers aren’t just targeting code anymore; they’re targeting the process of making it. They’ve realized that if you can compromise the tools, you don’t need to chase victims one by one, you let the ecosystem do the work for you.

MITRE ATT&CK: T1195 - Supply Chain Compromise | T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain | T1555.003 - Credentials from Password Stores: Credentials from Web Browsers | T1552.001 - Unsecured Credentials: Credentials in Files | T1102 - Web Service | T1041 - Exfiltration Over C2 Channel | T1105 - Ingress Tool Transfer | T1021.005 - Remote Services: VNC | T1090 - Proxy

Reengineered Vidar 2.0 Boosts Speed and Stealth in Credential Theft

(published: October 21, 2025)

The latest iteration of the infostealer known as Vidar Stealer (version 2.0) was announced on 6 October 2025, and researchers have documented major enhancements. The malware has been fully rewritten in C (moving from its previous C++ codebase) and adopts a multithreaded architecture, increasing the speed and efficiency of data theft. It also includes advanced evasion mechanisms, better anti-analysis features, and new credential-extraction methods that bypass protections such as Chrome’s AppBound encryption. The timing of the release is notable: it coincides with a decline in activity of the rival infostealer Lumma Stealer, suggesting Vidar is positioned to fill the resulting vacuum in the malware-as-a-service (MaaS) underground. Targeted data include browser-stored credentials, cloud service logins, cryptocurrency wallets, gaming and communication platforms (Discord, Telegram) and more.

Analyst Comment: With reports of Lumma Stealer fading out, Vidar 2.0 may be stepping in just as the market looks for a reliable successor. That timing may show that the developer was watching the scene closely and moving fast to claim the gap. If you’re defending against infostealers, this is one to keep an eye on. It’s faster, leaner, and built for longevity, which means it’s unlikely to disappear anytime soon. Understanding how it behaves now, while it’s still gaining momentum, will pay off later if it becomes the go-to toolkit for the next wave of operators.

MITRE ATT&CK: T1027 - Obfuscated Files or Information | T1055 - Process Injection | T1003 - OS Credential Dumping | T1041 - Exfiltration Over C2 Channel

AWS Internal Failure Highlights Cloud Dependency Risk

(published: October 20, 2025)

A major outage hit Amazon Web Services (AWS) in its US-EAST-1 region, triggered by an internal subsystem failure in the load-balancer health monitoring infrastructure and associated DNS resolution issues for its DynamoDB service. This disruption propagated broadly, affecting thousands of downstream services globally, including financial platforms, streaming services, social apps and even AWS’s own internal operations. While AWS ruled out a cyberattack as the cause, analysts warn that the incident exposes how concentrated cloud dependencies create opportunities for far more severe disruption if malicious actors were to exploit similar infrastructure weaknesses.

Analyst Comment: This outage is a good reminder that availability is still part of security. No one hacked AWS, but the impact looked the same as if they had. When a single internal fault can take down thousands of services, it shows how much we all rely on the same backbone. It’s worth taking a step back and asking how your own systems would handle that kind of disruption. Check your redundancies, not just in your own setup but in the providers you depend on.

Scattered LAPSUS$ Hunters Shift in Tactics

(published: October 22, 2025)

This week, researchers reported that the cybercriminal alliance known as Scattered LAPSUS$ Hunters, which merges elements of LAPSUS$, ShinyHunters and Scattered Spider, is moving toward an extortion-as-a-service (EaaS) model. The group has publicly claimed to have stolen more than one billion records from major enterprises via social engineering, OAuth/token abuse and third-party application compromise targeting SaaS environments (notably Salesforce) rather than exploiting direct vulnerabilities. The new model emphasises data theft and public-threat leak sites over encrypt-and-lock ransomware, potentially reducing exposure to traditional ransomware mitigation and law-enforcement tracking.

Analyst Comment: This shift by Scattered LAPSUS$ Hunters feels like the next logical move in the cat-and-mouse game between attackers and defenders. We’ve spent years getting better at handling ransomware encryption, and now they’ve taken encryption out of the equation entirely. By focusing on data theft and extortion, they’ve found a cleaner, faster way to apply pressure without triggering the same defenses. The risk has always been when data leaves the network, but this shift brings that threat back to the forefront. It doesn’t make ransomware any less relevant, it just means defenders need to double down.

MITRE ATT&CK: T1566 - Phishing | T1136 - Create Account | T1550 - Use Alternate Authentication Material | T1528 - Steal Application Access Token | T1530 - Data From Cloud Storage Object | T1567 - Exfiltration Over Web Service | T1657 - Financial Theft

Jaguar Land Rover Cyberattack Costs Estimated at £1.9 Billion

(published: October 22, 2025)

Jaguar Land Rover’s (JLR) August 2025 cyber incident has been modeled to cost the UK nearly £2 billion, making it potentially the country’s most expensive cyber event. The attack halted production across JLR’s Solihull, Halewood, and Wolverhampton plants, disrupted dealer and supplier systems, and prompted a £1.5 billion government support pledge. The Cyber Monitoring Centre (CMC) classified the event as a “Category 3 systemic incident,” with losses of ~£108 million per week. While details remain unclear, JLR reportedly lacked an active cyber-insurance policy, leaving it to absorb full operational and recovery costs. No public evidence suggests ransom payments were made.

Analyst Comment: It’s easy to focus on the headline number, but the real takeaway is how preventable parts of this impact were. The missing cyber insurance isn’t the only reason the bill hit nearly £2 billion, but it’s one that didn’t have to happen. While it’s still unclear who or what made it through JLR’s technical controls, the absence of cover turned a major disruption into a financial crisis. Cyber insurance doesn’t stop an attack, but it limits the impact when one lands. It’s a timely reminder to pressure-test your own risk posture and confirm that your insurance, suppliers, and recovery plans still hold up when things go wrong.

The Rise of Collaborative Tactics Among China-aligned Cyber Espionage Campaigns

(published: October 22, 2025)

Recent research from Trend Micro unveils a notable evolution in cyber espionage: a model dubbed “Premier Pass-as-a-Service,” where two China-aligned APT groups, Earth Estries and Earth Naga, collaborate in a scenario where Earth Estries acts as an access broker, handing over persisted and exploited assets to Earth Naga for follow-on operations. The blog defines a four-tier framework classifying these shared-access intrusions and highlights that these groups have targeted government, telecommunications and retail sectors across the Asia-Pacific, Middle East and NATO territories.

Analyst Comment: What’s interesting here isn’t just the collaboration itself but what it reveals about how these groups are evolving. Earth Estries acting as an access broker for Earth Naga shows that even state-linked operations are becoming more structured and efficient. It also means defenders can’t rely on the old assumption that one campaign equals one actor. You might be watching a relay, not a single team. That changes how attribution, detection, and long-term monitoring need to work. Once access becomes something that can be handed off, persistence turns into a shared resource, and that’s a much tougher challenge to defend against.

MITRE ATT&CK: T1190 - Exploit Public-Facing Application | T1059.003 - Command and Scripting Interpreter: Windows Command Shell | T1218 - Signed Binary Proxy Execution | T1053.005 - Scheduled Task/Job: Scheduled Task | T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | T1047 - Windows Management Instrumentation | T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage | T1071.001 - Application Layer Protocol: Web Protocols | T1027 - Obfuscated Files or Information | T1562.001 - Impair Defenses: Disable or Modify Tools

Iran-Linked APT Group Uses Phoenix Backdoor to Target 100+ Government Entities

(published: October 22, 2025)

A state-sponsored Iranian threat actor identified as MuddyWater (also tracked as Static Kitten, Seedworm, TA450) has launched a cyber-espionage campaign against more than 100 government organisations across the Middle East and North Africa. Beginning 19 Aug 2025, the campaign utilised a compromised email account (accessed via NordVPN) to deliver phishing emails with malicious Word documents instructing recipients to enable macros. The macro dropper (“FakeUpdate” loader) decrypted and deployed the Phoenix backdoor version 4, which establishes persistence, profiles the system, and connects over WinHTTP to receive commands such as file upload/download and shell execution. Targets include embassies, diplomatic missions, foreign-affairs ministries and telecom firms.
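The delivery chain above starts with a Word document that asks the recipient to enable macros. One of the basics the analyst comment recommends is attachment screening, and the following added example (not code from the original post or from the researchers cited) shows the check an email gateway or sandbox pre-filter can make: Office Open XML files are ZIP packages, and VBA macros live in a `vbaProject.bin` part declared in `[Content_Types].xml`. The two sample documents are constructed in memory so the check runs offline; the placeholder OLE header bytes stand in for a real VBA project and carry no macro code.

```python
import io
import zipfile

# Content-type markers that only appear in macro-enabled OOXML packages.
MACRO_CONTENT_TYPES = ("macroEnabled", "application/vnd.ms-office.vbaProject")


def inspect_office_file(data):
    """Describe macro indicators in an OOXML (zip-based) Office document."""
    result = {"is_ooxml": False, "vba_parts": [], "macro_content_type": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Legacy binary .doc/.xls (OLE2) or not an Office file at all; those need
        # an OLE parser (e.g. oletools) rather than this zip-based check.
        return result
    names = zf.namelist()
    if "[Content_Types].xml" not in names:
        return result
    result["is_ooxml"] = True
    result["vba_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
    ctypes = zf.read("[Content_Types].xml").decode("utf-8", errors="replace")
    result["macro_content_type"] = any(m in ctypes for m in MACRO_CONTENT_TYPES)
    return result


def should_quarantine(data, filename):
    """Policy decision for an inbound attachment: (quarantine?, reason).
    Any VBA part is enough; a VBA part inside a file named .docx is called out
    separately because the extension was chosen to look harmless."""
    info = inspect_office_file(data)
    if not info["is_ooxml"]:
        return False, "not an OOXML package (check with an OLE parser instead)"
    if info["vba_parts"]:
        if filename.lower().endswith((".docx", ".xlsx", ".pptx")):
            return True, f"VBA part {info['vba_parts'][0]} inside a non-macro extension"
        return True, f"VBA part present: {info['vba_parts'][0]}"
    if info["macro_content_type"]:
        return True, "macro-enabled content type declared"
    return False, "no macro indicators"


def _build_sample(with_macro):
    """Construct a minimal OOXML package in memory (illustration only)."""
    buf = io.BytesIO()
    main_ct = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_macro
               else "application/vnd.openxmlformats-officedocument"
                    ".wordprocessingml.document.main+xml")
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/'
            'package/2006/content-types">'
            f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
            + ('<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
               if with_macro else "")
            + "</Types>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder OLE2 signature only; a real vbaProject.bin is a full OLE stream.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


CLEAN_DOCX = _build_sample(with_macro=False)
MACRO_DOCM = _build_sample(with_macro=True)

if __name__ == "__main__":
    print(should_quarantine(CLEAN_DOCX, "invoice.docx"))
    print(should_quarantine(MACRO_DOCM, "invoice.docm"))
    print(should_quarantine(MACRO_DOCM, "invoice.docx"))
```

This is a structural check, not a verdict on what the macro does; its value is that it is cheap, deterministic and runs before the file ever reaches a mailbox, so a policy of "no VBA from external senders" can be enforced mechanically rather than left to the recipient reading a prompt.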

Analyst Comment: Phoenix is an interesting backdoor and worth noting, but the delivery tells the real story. Emails came from a compromised, trusted account, so that familiarity likely lowered doubts about following the macro prompt. It’s a reminder that old entry points still work when users let their guard down. If your teams are in the Middle East or handle traffic with regional partners, take this as a nudge to revisit the basics: macro policies, attachment sandboxing, user reporting, and monitoring for unusual WinHTTP callbacks. Campaigns like this show attackers don’t abandon simple methods when they keep paying off.

MITRE ATT&CK: T1566.001 - Phishing: Spearphishing Attachment | T1204.002 - User Execution: Malicious File | T1059.005 - Command and Scripting Interpreter: Visual Basic | T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | T1059.001 - Command and Scripting Interpreter: PowerShell | T1071.001 - Application Layer Protocol: Web Protocols | T1105 - Ingress Tool Transfer | T1041 - Exfiltration Over C2 Channel

Critical Windows Server WSUS Flaw Exploited in Active Attacks

(published: October 24, 2025)

Threat actors are actively exploiting CVE-2025-59287, a critical unauthenticated remote-code execution vulnerability in Windows Server Update Services (WSUS). The flaw arises from unsafe deserialization of AuthorizationCookie objects within the /ClientWebService/Client.asmx endpoint, where AES-128-CBC decrypted data is passed directly to .NET BinaryFormatter.Deserialize(). Successful exploitation allows attackers to execute arbitrary commands as NT AUTHORITY\SYSTEM. The vulnerability affects Windows Server 2012 through 2025 installations running the WSUS Server role on default ports 8530/8531. Following proof-of-concept code publication, researchers observed exploitation attempts leading to wsusservice.exe or w3wp.exe spawning cmd.exe and powershell.exe for system enumeration and payload retrieval. Microsoft issued an emergency out-of-band patch after confirming real-world attacks. Organizations are urged to apply updates immediately, restrict WSUS exposure, and monitor for suspicious PowerShell or process-spawn chains in IIS logs.
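The paragraph above names the process chains observed after exploitation (wsusservice.exe or w3wp.exe spawning cmd.exe and powershell.exe) and the ports to restrict. The COLDRIVER item earlier in this digest maps to the same kind of parent/child signal, with rundll32 (T1218.011) launching a PowerShell or Python implant. The following added example, which is not code from the original post, Microsoft, or any researcher cited, encodes both patterns as parent-to-child rules over process-creation events and adds the listener check for 8530/8531. The event schema is a simplified stand-in for Sysmon Event ID 1 or Windows Security 4688, and every event and listener below is constructed sample data.

```python
import os

# Parent -> child rules derived from the two digest items. The child lists for the
# COLDRIVER rule are an assumption based on the item's ATT&CK mapping, not a
# published indicator.
RULES = [
    {
        "name": "WSUS service spawning a shell (CVE-2025-59287 post-exploitation pattern)",
        "parents": {"wsusservice.exe", "w3wp.exe"},
        "children": {"cmd.exe", "powershell.exe"},
    },
    {
        "name": "rundll32 launching a scripting interpreter (COLDRIVER-style DLL loader)",
        "parents": {"rundll32.exe"},
        "children": {"powershell.exe", "python.exe", "pythonw.exe"},
    },
]


def _base(path):
    """Case-folded file name from a Windows or POSIX path."""
    return os.path.basename(path.replace("\\", "/")).lower()


def match_event(event):
    """Names of the rules a single process-creation event matches."""
    parent, child = _base(event["parent_image"]), _base(event["image"])
    return [r["name"] for r in RULES if parent in r["parents"] and child in r["children"]]


def detect(events):
    """(event id, rule name) for every match across a batch of events."""
    return [(e["id"], name) for e in events for name in match_event(e)]


def exposed_wsus_listeners(listeners):
    """WSUS ports (8530 HTTP, 8531 HTTPS) bound to every interface. `listeners`
    is a list of (local_address, port) pairs as parsed from `netstat -ano`;
    host firewall rules then decide whether such a listener is actually reachable."""
    return [(addr, port) for addr, port in listeners
            if port in (8530, 8531) and addr in ("0.0.0.0", "::")]


# Constructed events: 1 and 5 are benign, 2 and 3 match the WSUS rule, 4 the rundll32 rule.
SAMPLE_EVENTS = [
    {"id": 1, "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c whoami"},
    {"id": 2, "parent_image": r"C:\Program Files\Update Services\Service\WsusService.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -nop -w hidden"},
    {"id": 3, "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c whoami"},
    {"id": 4, "parent_image": r"C:\Windows\System32\rundll32.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -w hidden"},
    {"id": 5, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "command_line": "rundll32.exe shell32.dll,Control_RunDLL"},
]

# Constructed listener table: WSUS HTTP on all interfaces, HTTPS loopback only.
SAMPLE_LISTENERS = [("0.0.0.0", 8530), ("127.0.0.1", 8531), ("0.0.0.0", 443)]

if __name__ == "__main__":
    for event_id, rule in detect(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
    print("exposed WSUS listeners:", exposed_wsus_listeners(SAMPLE_LISTENERS))
```

Note that the w3wp.exe rule will also fire for any IIS worker process spawning a shell, which is rarely legitimate on a WSUS server and is worth an alert in its own right; if the host runs other web applications, narrow it by the worker's application pool (the page does not name the pool, so that filter is left out here).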

Analyst Comment: This is exactly how fast the gap between disclosure and exploitation closes now. Within a day of the proof-of-concept appearing, scanners were sweeping for WSUS servers and real compromises were confirmed. The numbers might look small, just a few thousand exposed systems, but that’s enough for attackers to make an impact, especially when those servers sit at the core of patch management. It’s a reminder that patching isn’t just best practice, it’s survival. If you can’t apply the fix right away, don’t leave the door open, disable the WSUS role or block ports 8530 and 8531 until it’s done.

MITRE ATT&CK: T1190 - Exploit Public-Facing Application | T1059 - Command and Scripting Interpreter | T1574 - Hijack Execution Flow | T1548 - Abuse Elevation Control Mechanism | T1490 - Inhibit System Recovery

CoPhish Attack Exploits Microsoft Copilot Studio to Hijack OAuth Tokens

(published: October 25, 2025)

A newly documented phishing method called “CoPhish” leverages the Microsoft Copilot Studio chatbot platform to steal OAuth tokens from targeted users. Researchers at Datadog Security Labs describe how attackers create a Copilot Studio agent hosted on a legitimate Microsoft domain, prompt the victim to click a “Login” button that initiates an OAuth consent flow, and then quietly exfiltrate the access token via the agent’s sign-in topic to a malicious URL. The stolen token may allow the attacker to act as the user, accessing email, chats, or files depending on granted scopes. Microsoft acknowledges the issue and is working on updates.
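Both this item and the Scattered LAPSUS$ Hunters item above turn on OAuth consent: a user grants an application scopes, and the resulting token does the rest. The detective control that fits both is a review of consent grants for risky scope combinations. The following added example, which is not code from the original post or from Datadog Security Labs, triages consent events with a simple score. The record layout is a constructed simplification of a directory audit log (the real Entra ID export carries the same information in nested properties), the high-risk scope list is an assumed starting set drawn from Microsoft Graph delegated permissions, and the events are constructed samples.

```python
# Assumed starting set of delegated scopes that give an app read/write access to
# mail, files, chats or the directory; tune to your tenant's policy.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All", "Sites.Read.All",
    "Chat.Read", "Chat.ReadWrite", "Directory.Read.All",
}


def risk_score(event):
    """Score one 'Consent to application' record; returns (score, reasons)."""
    scopes = {s for s in event.get("scopes", "").split() if s}
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    score, reasons = len(risky), []
    if risky:
        reasons.append("high-risk scopes: " + ", ".join(risky))
    if "offline_access" in scopes:
        # A refresh token lets the token outlive the session the user saw.
        score += 1
        reasons.append("offline_access requested (refresh token, persistent access)")
    if not event.get("publisher_verified", False):
        score += 2
        reasons.append("unverified publisher")
    if event.get("consent_type") == "user":
        # End-user self-consent: nobody with admin context reviewed the request.
        score += 1
        reasons.append("user consent without admin review")
    return score, reasons


def triage(events, threshold=3):
    """Consent events at or above the threshold, with the reasons they scored."""
    findings = []
    for e in events:
        if e.get("activity") != "Consent to application":
            continue
        score, reasons = risk_score(e)
        if score >= threshold:
            findings.append({"user": e["user"], "app": e["app_display_name"],
                             "score": score, "reasons": reasons})
    return findings


# Constructed audit records. Record 0 is the CoPhish-shaped case: a chatbot-style app
# from an unverified publisher, self-consented by the user, asking for mail, files and
# a refresh token. The others are benign or out of scope.
SAMPLE_EVENTS = [
    {"activity": "Consent to application", "user": "alice@example.test",
     "app_display_name": "Support Assistant", "publisher_verified": False,
     "consent_type": "user", "scopes": "Mail.Read Files.Read.All offline_access"},
    {"activity": "Consent to application", "user": "admin@example.test",
     "app_display_name": "Corporate Expense App", "publisher_verified": True,
     "consent_type": "admin", "scopes": "User.Read"},
    {"activity": "Sign-in", "user": "bob@example.test",
     "app_display_name": "Outlook", "scopes": ""},
    {"activity": "Consent to application", "user": "carol@example.test",
     "app_display_name": "Calendar Helper", "publisher_verified": True,
     "consent_type": "user", "scopes": "User.Read offline_access"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

A score is a prioritisation aid, not a verdict: the goal is to get the first record in front of an analyst the same day, with the app ID ready to revoke. The quieter preventive setting the analyst comment alludes to is to disable end-user consent for unverified publishers and route those requests through an admin consent workflow, at which point the "user consent without admin review" reason can no longer occur.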

Analyst Comment: This was an interesting read and I’d encourage anyone to dig deeper into the original article and research. Yes, CoPhish introduces a clever new method to steal OAuth tokens, but at its core it still relies on social engineering. The attacker relies on trust, convincing a user that a genuine Microsoft Copilot chatbot is safe and prompting them to click “Sign in.” That single moment of misplaced confidence hands over access without a password ever being typed. Technical controls like consent governance and app-permission limits help, but awareness can close the gap. If users understand that even legitimate Microsoft interfaces can be turned against them, they’re far less likely to grant access on instinct.

Anomali Threat Research

Anomali's Threat Research team continually tracks security threats to identify when new, highly critical security threats emerge. The Anomali Threat Research team's briefings discuss current threats and risks like botnets, data breaches, misconfigurations, ransomware, threat groups, and various vulnerabilities. The team also creates free and premium threat intelligence feeds for Anomali's industry-leading Threat Intelligence Platform, ThreatStream.
