
ThreatsDay Bulletin: BIND 9 DNS Poisoning (CVE-2025-40778), NPM Supply-Chain Attack, Rust Malware, and Emerging RATs Targeting Modern Infrastructure

  • Rescana
  • Oct 30
  • 6 min read

Executive Summary

The cyber threat landscape has entered a new era of sophistication and scale, as evidenced by four critical developments: the BIND 9 DNS poisoning flaw (CVE-2025-40778), the unprecedented JavaScript NPM supply-chain heist, the emergence of Rust-based malware such as EDDIESTEALER, and a surge in new Remote Access Trojans (RATs) leveraging modern programming languages and cross-platform capabilities. These threats collectively target the foundational layers of digital trust—DNS infrastructure, open-source software supply chains, endpoint security, and remote access controls—posing systemic risks to organizations across all sectors. This advisory provides a deep technical analysis of each threat, outlines exploitation evidence, identifies APT group involvement, details affected product versions, and offers actionable mitigation strategies. Executives and technical teams alike must recognize the urgency of these developments and act decisively to protect their organizations.

Threat Actor Profile

The current threat landscape is defined by the convergence of advanced exploitation techniques, supply-chain compromise, and the weaponization of modern programming languages. Below, we dissect each threat in detail.

DNS Poisoning Flaw: BIND 9 (CVE-2025-40778)

The CVE-2025-40778 vulnerability in BIND 9 represents a critical flaw in one of the internet’s most widely deployed DNS resolvers. Affecting versions 9.11.0 through 9.21.12 (including Supported Preview Editions), this vulnerability allows remote, unauthenticated attackers to inject forged DNS records into resolver caches. The attack leverages BIND’s acceptance of unsolicited resource records, effectively bypassing traditional DNS cache poisoning mitigations such as randomized query IDs and source ports. Successful exploitation enables adversaries to redirect user traffic to attacker-controlled infrastructure, facilitating phishing, malware delivery, and traffic interception at scale. The only effective mitigation is to upgrade to patched versions: 9.18.41, 9.20.15, or 9.21.14. No workarounds exist, and the public release of proof-of-concept (PoC) code has dramatically increased the risk of mass exploitation.

Supply-Chain Heist: The Great NPM Attack

In September 2025, the JavaScript ecosystem suffered the largest supply-chain attack in its history. A phishing-enabled account takeover of prolific maintainer Josh Junon (alias "Qix-") led to the compromise of at least 18 core NPM packages, including debug, chalk, ansi-styles, strip-ansi, and color-convert. These packages collectively account for over 2 billion weekly downloads. The attacker published malicious versions that injected obfuscated JavaScript designed to hijack cryptocurrency wallet APIs (such as MetaMask and Phantom) and replace crypto addresses in browser sessions. The malware was engineered to evade detection in CI/CD pipelines and only executed in browser environments, demonstrating a high degree of operational security. The primary targets were cryptocurrency users and Web3 infrastructure, but the scale of the attack means that any organization or developer using these packages was at risk. The attack was detected and contained within hours, but the incident underscores the fragility of open-source supply chains and the need for robust dependency management and maintainer security.

Rust Malware Trick: EDDIESTEALER and the Rise of Rust Infostealers

EDDIESTEALER exemplifies the new breed of malware written in Rust, a language prized for its performance, safety, and cross-platform capabilities. Distributed via fake CAPTCHA pages on compromised websites, the attack chain begins with a PowerShell command that downloads and executes a JavaScript loader (gverify.js), which in turn retrieves the Rust-based infostealer. EDDIESTEALER is highly modular, receiving task lists from its C2 server and targeting browser data, crypto wallets, password managers, FTP clients, and messaging apps. It employs advanced evasion techniques, including custom WinAPI lookups, string obfuscation, self-deletion via NTFS alternate data streams, and AES-encrypted C2 communications. Credential theft is performed using the Chrome DevTools Protocol and direct memory scraping, making detection and remediation challenging. The malware’s loader and C2 infrastructure are distributed across multiple domains and IPs, and active campaigns have been observed in the wild by Elastic Security Labs.

New RATs Rising: Splinter, KrustyLoader, Myth Stealer, and Akira Ransomware

The proliferation of new Remote Access Trojans (RATs) written in Rust, Go, and other modern languages marks a significant escalation in post-exploitation tooling. Notable examples include Splinter (a Rust-based post-exploitation tool analyzed by Unit 42), KrustyLoader (linked to exploitation of Ivanti ConnectSecure vulnerabilities CVE-2024-21887 and CVE-2023-46805), Myth Stealer (spread via fake gaming sites), and the Akira Ransomware Rust variant (targeting Linux servers). These RATs offer capabilities such as file exfiltration, credential theft, process injection, C2 over HTTP(S), and anti-analysis features. Distribution vectors include phishing, supply-chain attacks, fake software installers, and exploitation of recent vulnerabilities. The cross-platform nature of these tools, combined with their modularity and evasion techniques, makes them particularly dangerous for organizations with heterogeneous environments.

Technical Analysis of Malware/TTPs

DNS Poisoning Flaw: BIND 9 (CVE-2025-40778)

  • Vulnerability: CVE-2025-40778 in BIND 9 (versions 9.11.0 through 9.21.12).

  • Attack Vector: Remote, unauthenticated attackers can poison DNS caches by injecting forged DNS records.

  • Mechanism: Exploits BIND’s acceptance of unsolicited resource records, bypassing traditional DNS cache poisoning mitigations.

  • Impact: Redirection of user traffic to attacker-controlled infrastructure, enabling phishing, malware delivery, and traffic interception.

  • No Workarounds: Only mitigation is to upgrade to patched versions (9.18.41, 9.20.15, 9.21.14).
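As an added example (not from the bulletin, ISC, or any BIND tooling), the following Python encodes the affected range and patched releases quoted above so that a `named -v` banner can be triaged per maintenance branch rather than by a naive range check; the sample banners are constructed, and treating versions the bulletin does not list as "unlisted" (to be verified against ISC's advisory) is an assumption.

```python
import re

# Affected range and fixed releases exactly as this bulletin states them.
AFFECTED_MIN = (9, 11, 0)
AFFECTED_MAX = (9, 21, 12)
FIXED_BY_BRANCH = {(9, 18): (9, 18, 41), (9, 20): (9, 20, 15), (9, 21): (9, 21, 14)}

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b")


def parse_named_version(banner: str) -> tuple:
    """Pull (major, minor, patch) out of a `named -v` banner such as
    'BIND 9.18.28 (Extended Support Version) <id:0123abc>'."""
    m = VERSION_RE.search(banner)
    if m is None:
        raise ValueError(f"no x.y.z version in {banner!r}")
    return tuple(int(part) for part in m.groups())


def assess(version: tuple) -> str:
    """Classify a BIND 9 version against the bulletin's numbers.

    A naive range test would call 9.18.41 vulnerable because it sorts
    below 9.21.12, so the fix is checked per maintenance branch first.
      'fixed'      -> at or above the patched release of its branch
      'vulnerable' -> inside 9.11.0..9.21.12 and below its branch fix
      'unlisted'   -> outside what the bulletin lists (verify with ISC)
    """
    fixed = FIXED_BY_BRANCH.get(version[:2])
    if fixed is not None and version >= fixed:
        return "fixed"
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "vulnerable"
    return "unlisted"


def check_banner(banner: str) -> tuple:
    """Return ('x.y.z', status) for one banner line."""
    version = parse_named_version(banner)
    return ".".join(map(str, version)), assess(version)


if __name__ == "__main__":
    # Constructed banners for illustration; on a real host run `named -v`.
    for line in ["BIND 9.16.50 (Extended Support Version) <id:cafe01>",
                 "BIND 9.18.41 (Extended Support Version) <id:cafe02>",
                 "BIND 9.21.12 (Development Release) <id:cafe03>"]:
        print(check_banner(line))
```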

Supply-Chain Heist: The Great NPM Attack (September 2025)

  • Incident: Compromise of 18+ core JavaScript NPM packages, affecting over 2 billion weekly downloads.

  • Initial Vector: Phishing-enabled account takeover of a prolific maintainer (Josh Junon, "Qix-").

  • Primary Target: Cryptocurrency wallets and transactions.

  • Attack Flow:

      • Phishing email from npmjs.help led to credential theft.

      • Malicious updates published to packages such as debug, chalk, ansi-styles, strip-ansi, and more.

      • Injected malware replaced crypto addresses in browser sessions and hijacked wallet APIs (MetaMask, Phantom).

      • Obfuscated code avoided detection in CI/CD pipelines and only executed in browser environments.

Rust Malware Trick: EDDIESTEALER and the Rise of Rust Infostealers

  • Malware: EDDIESTEALER (Rust-based infostealer)

  • Campaign: Distributed via fake CAPTCHA pages on compromised websites.

  • Targets: Windows hosts, browser data, crypto wallets, password managers, FTP clients, messaging apps.

  • Initial Access: Fake CAPTCHA prompts users to run a PowerShell command, which downloads and executes a JavaScript loader (gverify.js), which in turn downloads EDDIESTEALER.

  • Stealer Capabilities:

      • Receives task list from C2 server (configurable targets).

      • Exfiltrates files from paths associated with wallets, browsers, password managers, etc.

      • Uses custom WinAPI lookup, string obfuscation, and self-deletion via NTFS alternate data streams.

      • C2 communication over HTTP, AES-encrypted payloads.

      • Advanced browser credential theft using Chrome DevTools Protocol and memory scraping.

New RATs Rising

  • Trend: Surge in new Remote Access Trojans (RATs) leveraging Rust, Go, and cross-platform frameworks.

  • Notable Examples:

      • Splinter: Rust-based post-exploitation tool (Unit 42, 2024)

      • KrustyLoader: Rust malware linked to Ivanti ConnectSecure exploits (CVE-2024-21887, CVE-2023-46805)

      • Myth Stealer: Rust-based infostealer spread via fake gaming sites (TheHackerNews, 2025)

      • Akira Ransomware: Rust variant with Linux focus (Check Point Research, 2024)

  • Capabilities: File exfiltration, credential theft, process injection, C2 over HTTP(S), anti-analysis features.

  • Distribution: Phishing, supply-chain attacks, fake software installers, and exploitation of recent vulnerabilities (e.g., Ivanti ConnectSecure).

Exploitation in the Wild

The public release of PoC code for CVE-2025-40778 has triggered mass scanning activity, although no confirmed in-the-wild exploitation has been reported as of October 28, 2025. However, the scale of exposure and historical precedent suggest that opportunistic and targeted attacks are imminent.

The NPM supply-chain attack was detected within five minutes of the first malicious package publication, thanks to vigilant monitoring by Aikido Security and the broader security community. Despite the rapid response, the sheer number of downloads and the ubiquity of the affected packages mean that secondary infections and downstream compromise are likely.

EDDIESTEALER campaigns have been observed in the wild, with active C2 infrastructure and multiple malware samples identified by Elastic Security Labs. The loader domains and C2 IPs remain operational, and the malware continues to evolve.

The new wave of RATs—including Splinter, KrustyLoader, Myth Stealer, and Akira—has been linked to both opportunistic and targeted attacks. KrustyLoader has been directly associated with exploitation of unpatched Ivanti ConnectSecure appliances, while Splinter and Myth Stealer have been used in targeted post-exploitation scenarios.

Victimology and Targeting

  • Supply-Chain Heist (NPM Attack): Cryptocurrency, Web3, and software development sectors globally, with a focus on organizations and individuals using JavaScript and Node.js. North Korean APTs (notably Lazarus Group/Marstech1) have targeted cryptocurrency infrastructure across Windows, macOS, and Linux, with a global reach.

  • DNS Poisoning Flaw: Historically, APT34 (OilRig, Middle East focus) and APT28 (Fancy Bear, Russia) have used DNS manipulation in campaigns targeting government, energy, and critical infrastructure sectors.

  • Rust Malware & New RATs: Campaigns are global, targeting Windows endpoints, browser data, crypto wallets, password managers, and critical infrastructure, with evidence of APT and cybercriminal involvement.

Mitigation and Countermeasures

  • DNS Poisoning Flaw: Upgrade BIND 9 to patched versions (9.18.41, 9.20.15, 9.21.14). Monitor DNS logs for anomalies.

  • Supply-Chain Heist: Use npm ci in CI/CD, pin dependencies, audit lock files, enable dependency scanning, and educate maintainers on phishing.

  • Rust Malware & RATs: Block known C2 domains/IPs, monitor for suspicious PowerShell/JavaScript execution, deploy EDR with YARA rules, and educate users on phishing and fake CAPTCHAs.

  • General: Implement defense-in-depth, zero trust for dependencies, and rapid incident response playbooks.
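An added example, not from the bulletin or from npm itself, of the lock-file audit the Supply-Chain Heist bullet calls for: it walks the "packages" map of a lockfileVersion 2/3 package-lock.json for the package names this bulletin lists and flags entries with no integrity hash, tarballs resolved from outside registry.npmjs.org, and drift from a version the team has reviewed and pinned; the sample lock file, its version numbers and its hashes are constructed placeholders.

```python
import json

# Packages this bulletin names as compromised in the September 2025 incident.
WATCHED = {"debug", "chalk", "ansi-styles", "strip-ansi", "color-convert"}
TRUSTED_REGISTRY = "https://registry.npmjs.org/"

def package_name(lock_path: str) -> str:
    """'node_modules/foo/node_modules/@scope/bar' -> '@scope/bar'."""
    return lock_path.rsplit("node_modules/", 1)[-1]

def audit_lock(lock: dict, expected: dict = None) -> list:
    """Walk the 'packages' map of a lockfileVersion 2/3 package-lock.json and,
    for each watched dependency (nested copies included), report its version
    and three red flags: no integrity hash, a tarball not fetched from the
    public registry, and drift from the version pinned in `expected`."""
    expected = expected or {}
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project entry, not a dependency
            continue
        name = package_name(path)
        if name not in WATCHED:
            continue
        version = meta.get("version")
        findings.append({
            "name": name, "path": path, "version": version,
            "missing_integrity": "integrity" not in meta,
            "untrusted_source": not meta.get("resolved", "").startswith(TRUSTED_REGISTRY),
            "version_drift": name in expected and expected[name] != version,
        })
    return findings

def flagged(findings: list) -> list:
    # Only the entries with at least one red flag raised.
    return [f for f in findings
            if f["missing_integrity"] or f["untrusted_source"] or f["version_drift"]]

# Constructed sample lock file; package versions and hashes are placeholders.
SAMPLE_LOCK = json.loads("""{
  "name": "demo", "lockfileVersion": 3, "packages": {
    "": {"name": "demo", "dependencies": {"chalk": "^1.2.3", "debug": "^4.5.6"}},
    "node_modules/chalk": {"version": "1.2.3",
      "resolved": "https://registry.npmjs.org/chalk/-/chalk-1.2.3.tgz",
      "integrity": "sha512-PLACEHOLDER"},
    "node_modules/debug": {"version": "4.5.6",
      "resolved": "https://example.invalid/debug-4.5.6.tgz"},
    "node_modules/lodash": {"version": "7.8.9",
      "resolved": "https://registry.npmjs.org/lodash/-/lodash-7.8.9.tgz",
      "integrity": "sha512-PLACEHOLDER"}
  }
}""")
```

Run `flagged(audit_lock(json.load(open("package-lock.json")), expected={...}))` against a real lock file; a non-empty result is a reason to stop the pipeline before `npm ci` runs.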

References

Field Effect Security Blog: https://fieldeffect.com/blog/bind-9-vulnerability-reopens-dns-poisoning-threat-poc-published

ISC BIND Security Advisory: https://kb.isc.org/docs/cve-2025-40778

NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2025-40778

Breached Company: The Great NPM Heist: https://breached.company/the-great-npm-heist-how-2-billion-weekly-downloads-were-weaponized-in-historys-largest-javascript-supply-chain-attack/

Aikido Security Twitter: https://twitter.com/aikidosec

Tal Be'ery Twitter: https://twitter.com/TalBeerySec

Elastic Security Labs: EDDIESTEALER: https://www.elastic.co/security-labs/eddiestealer

YARA Rule: Windows.Infostealer.EddieStealer: https://www.elastic.co/security-labs/eddiestealer

Unit 42: Splinter: https://thehackernews.com/2024/09/cybersecurity-researchers-warn-of-new.html

Synacktiv: KrustyLoader: https://www.synacktiv.com/en/publications/krustyloader-rust-malware-linked-to-ivanti-connectsecure-compromises

Check Point: Akira Ransomware: https://research.checkpoint.com/2024/inside-akira-ransomwares-rust-experiment/

TheHackerNews: Myth Stealer: https://thehackernews.com/2025/06/rust-based-myth-stealer-malware-spread.html

MITRE ATT&CK: https://attack.mitre.org/

About Rescana

At Rescana, we understand that the complexity and velocity of today’s cyber threats demand more than point solutions—they require a holistic, proactive approach to third-party risk management and supply-chain security. Our TPRM platform empowers organizations to continuously monitor, assess, and mitigate risks across their entire digital ecosystem, providing actionable intelligence and automated workflows to stay ahead of emerging threats. Whether you are responding to a critical vulnerability, investigating a supply-chain compromise, or strengthening your cyber resilience, Rescana is your trusted partner. We are happy to answer any questions at ops@rescana.com.
