| DATE | NAME | Info | CATEG. | WEB |
|---|---|---|---|---|
| 8.11.25 | How PowerShell Gallery simplifies attacks | PowerShell Gallery’s Install-Module command presents one key link in the kill chain of a possible attack. | Hacking blog | REVERSINGLABS |
| 8.11.25 | China-linked Actors Maintain Focus on Organizations Influencing U.S. Policy | Recent compromise of a non-profit organization reflects continued interest in U.S. policy. | APT blog | SECURITY.COM |
| 8.11.25 | Mastering DORA’s Five Pillars with Preemptive Cyber Defense | The Digital Operational Resilience Act (DORA) represents a paradigm shift for the EU’s financial sector. No longer is a reactive security posture enough. DORA mandates a comprehensive, proactive, and testable framework for managing ICT risk and ensuring digital operational resilience. | Cyber blog | Silent Push |
| 8.11.25 | | Every November, we make it our mission to equip organizations with the knowledge needed to stay ahead of threats we anticipate in the coming year. The Cybersecurity Forecast 2026 report, released today, provides comprehensive insights to help security leaders and teams prepare for those challenges. | Cyber blog | Google Threat Intelligence |
| 8.11.25 | | Privileged access stands as the most critical pathway for adversaries seeking to compromise sensitive systems and data. Its protection is not only a best practice, it is a fundamental imperative for organizational resilience. | Cyber blog | Google Threat Intelligence |
| 8.11.25 | | Google Threat Intelligence Group (GTIG) is tracking a cluster of financially motivated threat actors operating from Vietnam that leverages fake job postings on legitimate platforms to target individuals in the digital advertising and marketing sectors. | APT blog | Google Threat Intelligence |
| 8.11.25 | | Key Highlights XLoader 8.0 malware is one of the most evasive and persistent information stealers ... | Malware blog | CHECKPOINT |
| 8.11.25 | | Trust alone isn’t a security strategy. That’s the key lesson from new research by Check ... | Exploit blog | CHECKPOINT |
| 8.11.25 | | Introduction Over the past few months, we identified an emerging online threat that combines fraud, ... | AI blog | CHECKPOINT |
| 8.11.25 | Australia Strengthens Regional Cyber Partnerships to Bolster Security Across the Asia-Pacific | Australia, through ACSC and Cyber Affairs and Critical Technology, strengthens Asia-Pacific cybersecurity via PaCSON, APCERT, and regional threat-sharing initiatives. | BigBrother blog | Cyble |
| 8.11.25 | South Africa Launches Pilot for Secure Data Exchange Among Government Agencies | South Africa’s MzansiXchange initiative, led by the National Treasury, is pioneering secure data exchange across government. | BigBrother blog | Cyble |
| 8.11.25 | Software Supply Chain Attacks Surge to Record High in October 2025 | Software supply chain attacks in October were 32% above previous records, according to Cyble data. | Hacking blog | Cyble |
| 8.11.25 | The Week in Vulnerabilities: Cyble Urges Apache, Microsoft Fixes | This week’s vulnerability report examines 15 IT and ICS flaws at high risk of exploitation by threat actors. | Vulnerability blog | Cyble |
| 8.11.25 | Securing India’s Financial Future: Why the DPDP Act is a Game-Changer for BFSI | India’s Banking, Financial Services, and Insurance (BFSI) industry stands at the intersection of innovation and risk. From UPI and digital wallets to AI-based lending and predictive underwriting, digital transformation is no longer a differentiator — it’s the operating model. | Cyber blog | Seqrite |
| 8.11.25 | Operation Peek-a-Baku: Silent Lynx APT makes sluggish shift to Dushanbe | Introduction. Timeline. Key Targets. Industries Affected. Geographical Focus. Infection Chain. Initial Findings. Technical Analysis. Campaign – I The LNK Way. Malicious SILENT LOADER. Malicious LAPLAS Implant – TCP & TLS. Malicious .NET Implant – SilentSweeper. Campaign –.. | APT blog | Seqrite |
| 8.11.25 | TRACKING RANSOMWARE : OCTOBER 2025 | EXECUTIVE SUMMARY In October 2025, ransomware activity surged globally, marking a significant resurgence after a period of mid-year stability. Victim counts climbed to 738, | Ransom blog | Cyfirma |
| 8.11.25 | Fortnightly Vulnerability Summary | Fortnightly Vulnerability Summary CHECK OUT THESE FAST FACTS ON FORTNIGHTLY OBSERVED VULNERABILITIES. Fortnight's Most Impacted Products: D-Link, Tenda, Jira. Increase in | Vulnerability blog | Cyfirma |
| 8.11.25 | Rising Cyber Threats to Rwanda : Hacktivists and Data Breaches | EXECUTIVE SUMMARY Between January and October 2025, Rwanda’s government infrastructure experienced a series of coordinated cyber incidents involving data leaks, credential | Cyber blog | Cyfirma |
| 8.11.25 | Cyber Threat Landscape – The United Republic of Tanzania | EXECUTIVE SUMMARY Tanzania’s cyber threat landscape has escalated in 2025, reflecting its growing digital transformation, expanding telecom sector, and increasing reliance on online platforms for governance, commerce, and public services.… | Cyber blog | Cyfirma |
| 8.11.25 | Survey of AFCEA Attendees Shows Government Shutdown Has Major Impact on Cybersecurity Readiness | The results are in from the Eclypsium survey of over 100 government employees and affiliated entities about cybersecurity risk to the U.S. Federal government and Department of Defense. | Cyber blog | Eclypsium |
| 8.11.25 | The Future of F5 Risk In The Enterprise | The major F5 security incident disclosed on October 15 is still sending ripples (or tsunamis) through the enterprises and governments worldwide. While F5 has issued patches for 44 vulnerabilities that were leaked to attackers during the breach, major concerns still linger about undiscovered or undisclosed risks to F5’s customers. | Cyber blog | Eclypsium |
| 8.11.25 | Crossed wires: a case study of Iranian espionage and attribution | In June, Proofpoint Threat Research began investigating a benign email discussing economic uncertainty and domestic political unrest in Iran. While coinciding with the escalations in the Iran-Israel conflict, there was no indication that the observed activity was directly correlated with Israel’s attacks on Iranian nuclear facilities or Iran’s actions in response. | BigBrother blog | PROOFPOINT |
| 8.11.25 | Insiders, AI, and data sprawl converge: essential insights from the 2025 Data Security Landscape report | Data security is at a critical inflection point. Organizations today are struggling with explosive data growth, sprawling IT environments, persistent insider risks, and the adoption of generative AI (GenAI). What’s more, the rapid emergence of AI agents is giving rise to a new, more complex agentic workspace, where both humans and agents interact with sensitive data. | AI blog | PROOFPOINT |
| 8.11.25 | Remote access, real cargo: cybercriminals targeting trucking and logistics | Proofpoint is tracking a cluster of cybercriminal activity that targets trucking and logistics companies and infects them with RMM tooling for financial gain. Based on our ongoing investigations paired with open-source information, Proofpoint assesses with high confidence that the threat actors are working with organized crime groups to compromise entities in the surface transportation industry — in particular trucking carriers and freight brokers — to hijack cargo freight, leading to the theft of physical goods. | Cyber blog | PROOFPOINT |
| 8.11.25 | SesameOp: Novel backdoor uses OpenAI Assistants API for command and control | Microsoft Incident Response – Detection and Response Team (DART) researchers uncovered a new backdoor that is notable for its novel use of the OpenAI Assistants Application Programming Interface (API) as a mechanism for command-and-control (C2) communications. | AI blog | Microsoft blog |
| 8.11.25 | LANDFALL: New Commercial-Grade Android Spyware in Exploit Chain Targeting Samsung Devices | Unit 42 researchers have uncovered a previously unknown Android spyware family, which we have named LANDFALL. To deliver the spyware, attackers exploited a zero-day vulnerability (CVE-2025-21042) in Samsung’s Android image processing library. The specific flaw LANDFALL exploited, CVE-2025-21042, is not an isolated case but rather part of a broader pattern of similar issues found on multiple mobile platforms. | Malware blog | Palo Alto |
| 8.11.25 | Know Ourselves Before Knowing Our Enemies: Threat Intelligence at the Expense of Asset Management | Cyber threat intelligence is often touted as a way to help defend an organization's IT environment. If we better understand the threats that might target our networks, we can better defend ourselves against those threats. This is true, but threat intelligence is only effective if an organization also properly manages its IT assets. | Cyber blog | Palo Alto |
| 8.11.25 | Microsoft WSUS Remote Code Execution (CVE-2025-59287) Actively Exploited in the Wild (Updated November 3) | On Oct. 14, 2025, a critical, unauthenticated remote code execution (RCE) vulnerability was identified in Microsoft's Windows Server Update Services (WSUS), a core enterprise component for patch management. | Vulnerability blog | Palo Alto |
| 8.11.25 | Exploiting Microsoft Teams: Impersonation and Spoofing Vulnerabilities Exposed | Check Point Research uncovered four vulnerabilities in Microsoft Teams that allow attackers to impersonate executives, manipulate messages, alter notifications, and forge identities in video and audio calls. | Exploit blog | CHECKPOINT |
| 8.11.25 | Drawn to Danger: Windows Graphics Vulnerabilities Lead to Remote Code Execution and Memory Exposure | Check Point Research (CPR) identified three security vulnerabilities in the Graphics Device Interface (GDI) in Windows. We promptly reported these issues to Microsoft, and they were addressed in the Patch Tuesday updates in May, July, and August 2025. | Vulnerability blog | CHECKPOINT |
| 8.11.25 | Beating XLoader at Speed: Generative AI as a Force Multiplier for Reverse Engineering | XLoader remains one of the most challenging malware families to analyze. Its code decrypts only at runtime and is protected by multiple layers of encryption, each locked with a different key hidden somewhere else in the binary. Even sandboxes are no help: evasions block malicious branches, and the real C2 (command and control) domains are buried among dozens of fakes. With new versions released faster than researchers can investigate, analysis is almost always a (losing) race against time. | AI blog | CHECKPOINT |
| 8.11.25 | Do robots dream of secure networking? Teaching cybersecurity to AI systems | This blog demonstrates a proof of concept using LangChain and OpenAI, integrated with Cisco Umbrella API, to provide AI agents with real-time threat intelligence for evaluating domain dispositions. | AI blog | CISCO TALOS |
| 8.11.25 | Remember, remember the fifth of November | This edition, Hazel explores the origins of Guy Fawkes Day and how heeding an anonymous warning prevented an assassination. | Cyber blog | CISCO TALOS |
| 8.11.25 | Dynamic binary instrumentation (DBI) with DynamoRIO | Learn how to build your own dynamic binary instrumentation (DBI) tool with open-source DynamoRIO to enable malware analysis, security auditing, reverse engineering, and more. | Hacking blog | CISCO TALOS |
| 8.11.25 | In memoriam: David Harley | Former colleagues and friends remember the cybersecurity researcher, author, and mentor whose work bridged the human and technical sides of security | Cyber blog | Eset |
| 8.11.25 | The who, where, and how of APT attacks in Q2 2025–Q3 2025 | ESET Chief Security Evangelist Tony Anscombe highlights some of the key findings from the latest issue of the ESET APT Activity Report | APT blog | Eset |
| 8.11.25 | ESET APT Activity Report Q2 2025–Q3 2025 | An overview of the activities of selected APT groups investigated and analyzed by ESET Research in Q2 2025 and Q3 2025 | APT blog | Eset |
| 8.11.25 | Sharing is scaring: The WhatsApp screen-sharing scam you didn’t see coming | How a fast-growing scam is tricking WhatsApp users into revealing their most sensitive financial and other data | Social blog | Eset |
| 8.11.25 | How social engineering works: Unlocked 403 cybersecurity podcast (S2E6) | Think you could never fall for an online scam? Think again. Here's how scammers could exploit psychology to deceive you – and what you can do to stay one step ahead | Cyber blog | Eset |
| 8.11.25 | Ground zero: 5 things to do after discovering a cyberattack | When every minute counts, preparation and precision can mean the difference between disruption and disaster | Cyber blog | Eset |
| 8.11.25 | Tycoon 2FA Phishing Kit Analysis | In this Threat Alert, Cybereason analyzes Tycoon 2FA phishing kit, a sophisticated phishing-as-a-service platform designed to bypass two-factor authentication. | Phishing blog | Cybereason |
| 8.11.25 | Defeating KASLR by Doing Nothing at All | I've recently been researching Pixel kernel exploitation and as part of this research I found myself with an excellent arbitrary write primitive…but without a KASLR leak. As necessity is the mother of all invention, on a hunch, I started researching the Linux kernel linear mapping. | Vulnerebility blog | Project Zero |
| 1.11.25 | Tracking an evolving Discord-based RAT family | RL's analysis of an STD Group-operated RAT yielded file indicators to better detect the malware and two YARA rules. | Malware blog | REVERSINGLABS |
| 1.11.25 | Ukrainian organizations still heavily targeted by Russian attacks | Attackers are gaining access using a custom, Sandworm-linked webshell and are making heavy use of Living-off-the-Land tactics to maintain persistent access. | BigBrother blog | SECURITY.COM |
| 1.11.25 | BRONZE BUTLER exploits Japanese asset management software vulnerability | The threat group targeted a LANSCOPE zero-day vulnerability (CVE-2025-61932) | APT blog | SOPHOS |
| 1.11.25 | Cloud Abuse at Scale | FortiGuard Labs analyzes TruffleNet, a large-scale campaign abusing AWS SES with stolen credentials and linked to Business Email Compromise (BEC). | Spam blog | FORTINET |
| 1.11.25 | Stolen Credentials and Valid Account Abuse Remain Integral to Financially Motivated Intrusions | FortiGuard IR analysis of H1 2025 shows financially motivated actors increasingly abusing valid accounts and legitimate remote access tools to bypass detection, emphasizing the need for identity-centric defenses. | Hacking blog | FORTINET |
| 1.11.25 | Silent Push Unearths AdaptixC2's Ties to Russian Criminal Underworld, Tracks Threat Actors Harnessing Open-Source Tool for Malicious Payloads | Silent Push Threat Analysts have uncovered threat actors using AdaptixC2, a free and open-source Command and Control (C2) framework commonly used by penetration testers, to deliver malicious payloads. | Hacking blog | Silent Push |
| 1.11.25 | Silent Push 2026 Predictions | The Silent Push Threat Intelligence team discussed what we see as some of the greatest threats and motivators the global community will encounter in the New Year. Here are our 2026 predictions: | Security blog | Silent Push |
| 1.11.25 | | Privileged access stands as the most critical pathway for adversaries seeking to compromise sensitive systems and data. Its protection is not only a best practice, it is a fundamental imperative for organizational resilience. | Security blog | Google Threat Intelligence |
| 1.11.25 | | A new ideologically motivated threat actor has emerged with growing technical capabilities: Hezi Rash. This Kurdish ... | APT blog | CHECKPOINT |
| 1.11.25 | Weaponized Military Documents Deliver Advanced SSH-Tor Backdoor to Defense Sector | Military-themed lure targeting using weaponized ZIPs and hidden tunneling infrastructure | Malware blog | Cyble |
| 1.11.25 | Hacktivist Attacks on Critical Infrastructure Surge: Cyble Report | Hacktivist attacks on industrial control systems (ICS) nearly doubled over the course of the third quarter. | Hacking blog | Cyble |
| 1.11.25 | The Week in Vulnerabilities: Oracle, Microsoft & Adobe Fixes Urged by Cyble | Critical vulnerabilities from Oracle, Microsoft and Adobe are just a few of the flaws meriting high-priority attention by security teams. | Vulnerability blog | Cyble |
| 1.11.25 | When Money Moves, Hackers Follow: Europe’s Financial Sector Under Siege | Europe’s BFSI sector faces growing deepfake and ransomware threats. CISOs focus on intelligence, resilience, and rapid response to stay ahead. | Ransom blog | Cyble |
| 1.11.25 | APT-C-60 Escalates SpyGlace Campaigns Targeting Japan with Evolved Malware, Advanced Evasion TTPs | APT-C-60 intensified operations against Japanese organizations during Q3 2025, deploying three updated SpyGlace backdoor versions with refined tracking mechanisms, modified encryption, and sophisticated abuse of GitHub, StatCounter, and Git for stealthy malware distribution. | APT blog | Cyble |
| 1.11.25 | From Human-Led to AI-Driven: Why Agentic AI Is Redefining Cybersecurity Strategy | Agentic AI marks the next leap in cybersecurity—autonomous systems that detect, decide, and act in real time, transforming how organizations defend against threats. | AI blog | Cyble |
| 1.11.25 | Operation SkyCloak: Tor Campaign targets Military of Russia & Belarus | Authors: Sathwik Ram Prakki and Kartikkumar Jivani Contents Introduction Key Targets Industries Geographical Focus Infection and Decoys Technical Analysis PowerShell Stage Persistence Configuration Infrastructure and Attribution Conclusion SEQRITE Protection IOCs MITRE ATT&CK Introduction SEQRITE Labs has identified a campaign... | Hacking blog | Seqrite |
| 1.11.25 | Investigation Report: Android/BankBot-YNRK Mobile Banking Trojan | Investigation Report: Android/BankBot-YNRK Mobile Banking Trojan Executive Summary This report covers the analysis and findings related to three Android application packages (APKs) | Malware blog | Cyfirma |
| 1.11.25 | AI Security: NVIDIA BlueField Now with Vision One™ | Launching at NVIDIA GTC 2025 - Transforming AI Security with Trend Vision One™ on NVIDIA BlueField | AI blog | Trend Micro |
| 1.11.25 | Active Water Saci Campaign Spreading Via WhatsApp Features Multi-Vector Persistence and Sophisticated C&C | Continuous investigation on the Water Saci campaign reveals innovative email-based C&C system, multi-vector persistence, and real-time command capabilities that allow attackers to orchestrate coordinated botnet operations, gather detailed campaign intelligence, and dynamically control malware activity across multiple infected machines. | Hacking blog | Trend Micro |
| 1.11.25 | Oracle E-Business Suite Under Siege: Active Exploitation of Dual Zero-Days | The SonicWall Capture Labs threat research team became aware of multiple remote code execution vulnerabilities in Oracle E-Business Suite, assessed their impact and developed mitigation measures. | Exploit blog | SonicWall |
| 1.11.25 | HijackLoader Delivered via SVG files | The SonicWall Capture Labs threat research team has recently been monitoring new variants of the HijackLoader malware that are being delivered through SVG files. | Malware blog | SonicWall |
| 1.11.25 | Bots, Bread and the Battle for the Web | Meet Sarah, an artisanal baker who opens Sarah’s Sourdough. To improve her search engine optimization (SEO), she builds a beautiful website and shares authentic baking content. | BotNet blog | Palo Alto |
| 1.11.25 | Suspected Nation-State Threat Actor Uses New Airstalk Malware in a Supply Chain Attack | We have discovered a new Windows-based malware family we've named Airstalk, which is available in both PowerShell and .NET variants. We assess with medium confidence that a possible nation-state threat actor used this malware in a likely supply chain attack. We have created the threat activity cluster CL-STA-1009 to identify and track any further related activity. | Hacking blog | Palo Alto |
| 1.11.25 | When AI Agents Go Rogue: Agent Session Smuggling Attack in A2A Systems | We discovered a new attack technique, which we call agent session smuggling. This technique allows a malicious AI agent to exploit an established cross-agent communication session to send covert instructions to a victim agent. | AI blog | Palo Alto |
| 1.11.25 | Cybersecurity on a budget: Strategies for an economic downturn | This blog offers practical strategies, creative defenses, and talent management advice to help your business stay secure when every dollar counts. | Cyber blog | CISCO TALOS |
| 1.11.25 | Trick, treat, repeat | Thor gets into the Halloween spirit, sharing new CVE trends, a “treat” for European Windows 10 users, and a reminder that patching is your best defense against zombie vulnerabilities. | Vulnerability blog | CISCO TALOS |
| 1.11.25 | Dynamic binary instrumentation (DBI) with DynamoRIO | Learn how to build your own dynamic binary instrumentation (DBI) tool with open-source DynamoRIO to enable malware analysis, security auditing, reverse engineering, and more. | Cyber blog | CISCO TALOS |
| 1.11.25 | Uncovering Qilin attack methods exposed through multiple cases | Cisco Talos investigated the Qilin ransomware group, uncovering its frequent attacks on the manufacturing sector, use of legitimate tools for credential theft and data exfiltration, and sophisticated methods for lateral movement, evasion, and persistence. | Ransom blog | CISCO TALOS |
| 1.11.25 | Think passwordless is too complicated? Let's clear that up | We’ve relied on passwords for years to protect our online accounts, but they’ve also become one of the easiest ways attackers get in. Cisco Duo helps clear up some of the biggest passwordless myths. | Cyber blog | CISCO TALOS |
| 1.11.25 | Strings in the maze: Finding hidden strengths and gaps in your team | In this week’s newsletter, Bill explores how open communication about your skills and experience can help your security team uncover hidden gaps, strengthen your defenses, and better prepare for ever-present threats. | Cyber blog | CISCO TALOS |
| 1.11.25 | This month in security with Tony Anscombe – October 2025 edition | From the end of Windows 10 support to scams on TikTok and state-aligned hackers wielding AI, October's headlines offer a glimpse of what's shaping cybersecurity right now | Social blog | Eset |
| 1.11.25 | Fraud prevention: How to help older family members avoid scams | Families that combine open communication with effective behavioral and technical safeguards can cut the risk dramatically | Spam blog | Eset |
| 1.11.25 | Cybersecurity Awareness Month 2025: When seeing isn't believing | Deepfakes are blurring the line between real and fake and fraudsters are cashing in, using synthetic media for all manner of scams | Security blog | Eset |
| 1.11.25 | Recruitment red flags: Can you spot a spy posing as a job seeker? | | Security blog | Eset |
| 1.11.25 | How MDR can give MSPs the edge in a competitive market | With cybersecurity talent in short supply and threats evolving fast, managed detection and response is emerging as a strategic necessity for MSPs | Security blog | Eset |
| 1.11.25 | From Scripts to Systems: A Comprehensive Look at Tangerine Turkey Operations | This Threat Analysis Report investigates the flow of a Tangerine Turkey campaign. | Hacking blog | Cybereason |
| 1.11.25 | The Bug Report - October 2025 Edition | October's cybersecurity horror show is here! Zero-days in WSUS (CVE-2025-59287) and SessionReaper (Adobe) are under active attack. Patch these RCE and LPE monsters now or risk full possession of your network. | Vulnerability blog | Trellix |
| 25.10.25 | CrowdStrike 2025 APJ eCrime Landscape Report: A New Era of Threats Emerges | CrowdStrike Intelligence observes a thriving Chinese-language underground ecosystem and the rise of AI-developed ransomware operations. | Cyber blog | CROWDSTRIKE |
| 25.10.25 | New User Experience Transforms Interaction with the Falcon Platform | The Falcon platform’s new dynamic user experience, powered by CrowdStrike Enterprise Graph and Charlotte AI, transforms how users interact with the platform. | Cyber blog | CROWDSTRIKE |
| 25.10.25 | How Falcon Exposure Management’s ExPRT.AI Predicts What Attackers Will Exploit | ExPRT.AI is built into Falcon Exposure Management to eliminate noise and prioritize which vulnerabilities present the greatest risk. | Vulnerability blog | CROWDSTRIKE |
| 25.10.25 | From Domain User to SYSTEM: Analyzing the NTLM LDAP Authentication Bypass Vulnerability (CVE-2025-54918) | In September 2025, a critical vulnerability (CVE-2025-54918) was discovered affecting domain controllers running LDAP or LDAPS services. This vulnerability allows attackers to elevate privileges from a standard domain user to SYSTEM level access, potentially compromising entire Active Directory environments. | Vulnerability blog | CROWDSTRIKE |
| 25.10.25 | Ransomware Reality: Business Confidence Is High, Preparedness Is Low | The CrowdStrike State of Ransomware Survey finds a substantial gap between perceived ransomware readiness and actual preparedness, with 76% of respondents struggling to match the speed of AI-powered attacks. | Ransom blog | CROWDSTRIKE |
| 25.10.25 | Warlock Ransomware: Old Actor, New Tricks? | The China-based actor behind the Warlock ransomware may not be a new player and has links to malicious activity dating as far back as 2019. | Ransom blog | SECURITY.COM |
| 25.10.25 | Silent Push Detects Salt Typhoon Infrastructure Months Before It Went Live, New IOFA™ Feeds Provide Customers With Early Detection Ahead of Operational Use | Back in June, Silent Push provided our enterprise customers with unpublished infrastructure related to the Chinese APT group Salt Typhoon, giving our customers the early visibility and historical reach-back they needed for both security and their own investigations. | APT blog | Silent Push |
| 25.10.25 | | Google Threat Intelligence Group (GTIG) observed multiple instances of pro-Russia information operations (IO) actors promoting narratives related to the reported incursion of Russian drones into Polish airspace that occurred on Sept. 9-10, 2025. | APT blog | Google Threat Intelligence |
| 25.10.25 | | Google Threat Intelligence Group (GTIG) is tracking a cluster of financially motivated threat actors operating from Vietnam that leverages fake job postings on legitimate platforms to target individuals in the digital advertising and marketing sectors. | APT blog | Google Threat Intelligence |
| 25.10.25 | LockBit Returns — and It Already Has Victims | Key Takeaways LockBit is back. After being disrupted in early 2024, the ransomware group has ... | Ransom blog | CHECKPOINT |
| 25.10.25 | Newcomers Fuel Ransomware Explosion in 2025 as Old Groups Fade | Ransomware attacks surged 50% in 2025, with groups like Qilin and newcomers exploiting vulnerabilities, targeting the U.S., South Korea, and other global regions. | Ransom blog | Cyble |
| 25.10.25 | CISA Adds Oracle, Microsoft, Apple, Kentico Bugs to KEV Catalog | CISA has added five critical vulnerabilities impacting Oracle, Microsoft, Apple, and Kentico products to its Known Exploited Vulnerabilities catalog. Organizations must apply vendor patches before November 10, 2025, to mitigate exploitation risks. | Vulnerability blog | Cyble |
| 25.10.25 | Anatomy of the Red Hat Intrusion: Crimson Collective and SLSH Extortions | Introduction In August 2025, a Telegram channel named “Scattered LAPSUS$ Hunters” surfaced, linking itself to notorious cybercrime groups: Scattered Spider, ShinyHunters, and LAPSUS$. The group quickly began posting stolen data, ransom demands, and provocative statements, reviving chaos once driven.. | Hacking blog | Seqrite |
| 25.10.25 | GHOSTGRAB ANDROID MALWARE | Sophisticated Android malware that mines crypto and silently steals banking credentials. EXECUTIVE SUMMARY CYFIRMA is dedicated to providing advanced warning and strategic | Malware blog | Cyfirma |
| 25.10.25 | CVE-2025-6541: TP-Link Omada Gateway Remote Command Injection Vulnerability Analysis | EXECUTIVE SUMMARY CVE-2025-6541 is a critical Remote Command Injection vulnerability in TP-Link Omada Gateway devices, caused by improper input validation in the web | Vulnerability blog | Cyfirma |
| 25.10.25 | Proofpoint releases innovative detections for threat hunting: PDF Object Hashing | The PDF format is widely used by threat actors to kickstart malicious activity. In email campaigns, Proofpoint researchers observe PDFs distributed in many ways. | Malware blog | PROOFPOINT |
| 25.10.25 | Beyond credentials: weaponizing OAuth applications for persistent cloud access | Cloud account takeover (ATO) attacks have become a significant concern in recent years, with cybercriminals and state-sponsored actors increasingly adopting malicious OAuth applications as a means to gain persistent access within compromised environments. | Cyber blog | PROOFPOINT |
| 25.10.25 | Inside the attack chain: Threat activity targeting Azure Blob Storage | Azure Blob Storage is a high-value target for threat actors due to its critical role in storing and managing massive amounts of unstructured data at scale across diverse workloads and is increasingly targeted through sophisticated attack chains that exploit misconfigurations, exposed credentials, and evolving cloud tactics. | Hacking blog | Microsoft blog |
| 25.10.25 | The Rise of Collaborative Tactics Among China-aligned Cyber Espionage Campaigns | Trend™ Research examines the complex collaborative relationship between China-aligned APT groups via the new “Premier Pass-as-a-Service” model, exemplified by the recent activities of Earth Estries and Earth Naga. | APT blog | Trend Micro |
| 25.10.25 | Agenda Ransomware Deploys Linux Variant on Windows Systems Through Remote Management Tools and BYOVD Techniques | Trend™ Research identified a sophisticated Agenda ransomware attack that deployed a Linux variant on Windows systems. This cross-platform execution can make detection challenging for enterprises. | Ransom blog | Trend Micro |
| 25.10.25 | How Trend Micro Empowers the SOC with Agentic SIEM | By delivering both XDR leadership and Agentic SIEM innovation under one platform, Trend is redefining what security operations can be. | Security blog | Trend Micro |
| 25.10.25 | Fast, Broad, and Elusive: How Vidar Stealer 2.0 Upgrades Infostealer Capabilities | Trend™ Research examines the latest version of the Vidar stealer, which features a full rewrite in C, a multithreaded architecture, and several enhancements that warrant attention. Its timely evolution suggests that Vidar is positioning itself to occupy the space left after Lumma Stealer’s decline. | Malware blog | Trend Micro |
| 25.10.25 | Shifts in the Underground: The Impact of Water Kurita’s (Lumma Stealer) Doxxing | A targeted underground doxxing campaign exposed alleged core members of Lumma Stealer (Water Kurita), resulting in a sharp decline in its activity and a migration of customers to rival infostealer platforms. | Malware blog | Trend Micro |
| 25.10.25 | Operation Zero Disco: Attackers Exploit Cisco SNMP Vulnerability to Deploy Rootkits | Trend™ Research has uncovered an attack campaign exploiting the Cisco SNMP vulnerability CVE-2025-20352, allowing remote code execution and rootkit deployment on unprotected devices, with impacts observed on Cisco 9400, 9300, and legacy 3750G series. | Vulnerability blog | Trend Micro |
| 25.10.25 | LockBit 5.0: Understanding the Latest Developments in Ransomware Threats | LockBit ransomware is one of the most active and notorious ransomware-as-a-service (RaaS) operations, first appearing in 2019 and having evolved through versions that we have analyzed and written about here and here. Last year, it was reported that law enforcement seized LockBit’s infrastructure and arrested affiliates, but several copycats and spinoffs still surfaced. | Ransom blog | SonicWall |
| 25.10.25 | Cloud Discovery With AzureHound | AzureHound is a data collection tool intended for penetration testing that is part of the BloodHound suite. Threat actors misuse this tool to enumerate Azure resources and map potential attack paths, enabling further malicious operations. Here, we help defenders understand the tool and protect against illegitimate use of it. | Cyber blog | Palo Alto |
| 25.10.25 | The Smishing Deluge: China-Based Campaign Flooding Global Text | We are attributing an ongoing smishing (phishing via text message) campaign of fraudulent toll violation and package misdelivery notices to a group widely known as the Smishing Triad. Our analysis indicates this campaign is a significantly more extensive and complex threat than previously reported. Attackers have impersonated international services across a wide array of critical sectors. | APT blog | Palo Alto |
| 25.10.25 | Jingle Thief: Inside a Cloud-Based Gift Card Fraud Campaign | We investigated a campaign waged by financially motivated threat actors operating out of Morocco. We refer to this campaign as Jingle Thief, due to the attackers’ modus operandi of conducting gift card fraud during festive seasons. Jingle Thief attackers use phishing and smishing to steal credentials, to compromise organizations that issue gift cards. | Hacking blog | Palo Alto |
| 25.10.25 | Dissecting YouTube’s Malware Distribution Network | Check Point Research uncovered and analyzed the YouTube Ghost Network, a sophisticated and coordinated collection of malicious accounts operating on YouTube. These accounts systematically take advantage of YouTube’s features to promote malicious content, ultimately distributing malware while creating a false sense of trust among viewers. | Malware blog | CHECKPOINT |
| 25.10.25 | IR Trends Q3 2025: ToolShell attacks dominate, highlighting criticality of segmentation and rapid response | Cisco Talos Incident Response observed a surge in attacks exploiting public-facing applications — mainly via ToolShell targeting SharePoint — for initial access, with post-exploitation phishing and evolving ransomware tactics also persisting this quarter. | Exploit blog | CISCO TALOS |
| 25.10.25 | Think passwordless is too complicated? Let's clear that up | We’ve relied on passwords for years to protect our online accounts, but they’ve also become one of the easiest ways attackers get in. Cisco Duo helps clear up some of the biggest passwordless myths. | Cyber blog | CISCO TALOS |
| 25.10.25 | Strings in the maze: Finding hidden strengths and gaps in your team | In this week’s newsletter, Bill explores how open communication about your skills and experience can help your security team uncover hidden gaps, strengthen your defenses, and better prepare for ever-present threats. | Cyber blog | CISCO TALOS |
| 25.10.25 | Reducing abuse of Microsoft 365 Exchange Online’s Direct Send | Cisco Talos has observed increased activity by malicious actors leveraging Direct Send as part of phishing campaigns. Here's how to strengthen your defenses. | Cyber blog | CISCO TALOS |
| 25.10.25 | Ransomware attacks and how victims respond | This edition highlights the detailed studies that have been recently published on how ransomware attacks affect victims, from PTSD to burnout, and discusses ways to help deal with the fallout of victimization. | Ransom blog | CISCO TALOS |
| 25.10.25 | BeaverTail and OtterCookie evolve with a new Javascript module | Cisco Talos has uncovered a new attack linked to Famous Chollima, a threat group aligned with North Korea (DPRK). | Malware blog | CISCO TALOS |
| 25.10.25 | Laura Faria: Empathy on the front lines | Laura opens up about her journey through various cybersecurity roles, her leap into incident response, and what it feels like to support customers during their toughest moments — including high-stakes situations impacting critical infrastructure. | Cyber blog | CISCO TALOS |
| 25.10.25 | Open PLC and Planet vulnerabilities | Cisco Talos’ Vulnerability Discovery & Research team recently disclosed one vulnerability in the OpenPLC logic controller and four vulnerabilities in the Planet WGR-500 router. For Snort coverage that can detect the exploitation of these vulnerabilities, download the lates | ICS blog | CISCO TALOS |
| 25.10.25 | Microsoft Patch Tuesday for October 2025 — Snort rules and prominent vulnerabilities | Microsoft has released its monthly security update for October 2025, addressing 175 Microsoft CVEs and 21 non-Microsoft CVEs. Among these, 17 vulnerabilities are considered critical and 11 are flagged as important and considered more likely to be exploited. | OS Blog | CISCO TALOS |
| 25.10.25 | Cybersecurity Awareness Month 2025: Cyber-risk thrives in the shadows | Shadow IT leaves organizations exposed to cyberattacks and raises the risk of data loss and compliance failures | Cyber blog | Eset |
| 25.10.25 | Gotta fly: Lazarus targets the UAV sector | ESET research analyzes a recent instance of the Operation DreamJob cyberespionage campaign conducted by Lazarus, a North Korea-aligned APT group | APT blog | Eset |
| 25.10.25 | SnakeStealer: How it preys on personal data – and how you can protect yourself | Here’s what to know about the malware with an insatiable appetite for valuable data, so much so that it tops this year's infostealer detection charts | Malware blog | Eset |
| 25.10.25 | Cybersecurity Awareness Month 2025: Building resilience against ransomware | Ransomware rages on and no organization is too small to be targeted by cyber-extortionists. How can your business protect itself against the threat? | Ransom blog | Eset |
| 25.10.25 | Minecraft mods: Should you 'hack' your game? | Some Minecraft mods don’t help build worlds – they break them. Here’s how malware can masquerade as a Minecraft mod. | Hacking blog | Eset |
| 25.10.25 | SideWinder's Shifting Sands: Click Once for Espionage | SideWinder APT evolves with PDF and ClickOnce attacks targeting South Asia. Discover their new TTPs and how to protect your organization. | APT blog | Trelix |
| 18.10.25 | Jewelbug: Chinese APT Group Widens Reach to Russia | Russian IT company among group’s latest targets. Attackers may have been attempting to target company’s customers in Russia with software supply chain attack. | APT blog | SECURITY.COM |
| 18.10.25 | | This issue of the Counter Threat Unit’s high-level bimonthly report discusses noteworthy updates in the threat landscape during July and August | Cyber blog | SOPHOS |
| 18.10.25 | F5 network compromised | On October 15, 2025, F5 reported that a nation-state threat actor had gained long-term access to some F5 systems and exfiltrated data, including source code and information about undisclosed product vulnerabilities. This information may enable threat actors to compromise F5 devices by developing exploits for these vulnerabilities. | Incident blog | SOPHOS |
| 18.10.25 | October Patch Tuesday beats January ’25 record | Microsoft throws a farewell party for Win10, Office 2016, and Office 2019… a very big party | OS Blog | SOPHOS |
| 18.10.25 | Tracking Malware and Attack Expansion: A Hacker Group’s Journey across Asia | FortiGuard Labs has tracked a hacker group expanding attacks from China to Malaysia, linking campaigns through shared code, infrastructure, and tactics. | Malware blog | FORTINET |
| 18.10.25 | The Week in Vulnerabilities: Cyble Urges Adobe, Microsoft Fixes | Vulnerabilities in products from Microsoft, Adobe, Fortinet, OpenSSL and more are getting attention this week. Patch now. | Vulnerebility blog | Cyble |
| 18.10.25 | Europe and UK Face Relentless Ransomware Onslaught in Q3 2025, Qilin Leads the Charge | Europe recorded 288 ransomware attacks in Q3 2025, with Qilin maintaining dominance at 65 victims and SafePay rapidly ascending to second place. | Ransom blog | Cyble |
| 18.10.25 | GhostBat RAT: Inside the Resurgence of RTO-Themed Android Malware | GhostBat RAT resurfaces via fake RTO apps, stealing banking data, mining crypto, and registering devices through Telegram bots—targeting Indian Android users. | Malware blog | Cyble |
| 18.10.25 | Operation MotorBeacon : Threat Actor targets Russian Automotive Sector using .NET Implant | Contents Introduction Key Targets. Industries Affected. Geographical Focus. Infection Chain. Initial Findings. Looking into the decoy-document Technical Analysis Stage 1 – Malicious LNK Script Stage 2 – Malicious .NET Implant Hunting and Infrastructure. Conclusion Seqrite Protection. IOCs MITRE ATT&CK.... | Hacking blog | Seqrite |
| 18.10.25 | Operation Silk Lure: Scheduled Tasks Weaponized for DLL Side-Loading (drops ValleyRAT) | Authors: Dixit Panchal, Soumen Burma & Kartik Jivani Table of Contents Introduction: Initial Analysis: Analysis of Decoy: Infection Chain: Technical Analysis: Infrastructure Hunting: Conclusion: Seqrite Coverage: IoCs: MITRE ATT&CK: Introduction: Seqrite Lab has been actively monitoring global cyber threat... | Hacking blog | Seqrite |
| 18.10.25 | Judicial Notification Phish Targets Colombian Users – .SVG Attachment Deploys Info-stealer Malware | Content Overview Introduction Initial Vector Infection Chain Analysis of .SVG Attachment Analysis of .HTA file Analysis of .VBS file Analysis of .ps1 file Analysis of Downloader/Loader Anti-VM Technique Persistence Technique Download and Loader Function AsyncRAT Payload File MD5’s Quick... | Phishing blog | Seqrite |
| 18.10.25 | Crystal Ball Series : Consolidated Instalments | CRYSTAL BALL SERIES IN THIS INSTALMENT WE EXPLORE AI ADVANCEMENTS 2025 AND BEYOND Digital Twin Cybersecurity Neurosymbolic Al Deepfakes: A new era | AI blog | Cyfirma |
| 18.10.25 | Cyber Threats to Oman’s Multiple Sectors | Executive Summary Oman is experiencing a rise in cyber incidents, with threat actors actively targeting organizations across multiple sectors. Recent breaches have exposed | Cyber blog | Cyfirma |
| 18.10.25 | F5 Systems Compromised, BIG IP Vulnerabilities Exfiltrated: What To Do Next | F5 recently disclosed that a nation-state actor accessed a proprietary BIG-IP development network, including source code and details about vulnerabilities still under development. | Incident blog | Eclypsium |
| 18.10.25 | BombShell: The Signed Backdoor Hiding in Plain Sight on Framework Devices | One of our fears, as individuals who have spent years examining firmware security, is stumbling upon a vulnerability that reveals the fundamental flaws in our trust models. | Malware blog | Eclypsium |
| 18.10.25 | When the monster bytes: tracking TA585 and its arsenal | TA585 is a sophisticated cybercriminal threat actor recently named by Proofpoint. It operates its entire attack chain from infrastructure to email delivery to malware installation. | Hacking blog | PROOFPOINT |
| 18.10.25 | Trend Micro launches new integration with Zscaler to deliver real-time, Risk-Based Zero Trust Access | Discover how Trend Vision One™ integrates with Zscaler to unify detection and access enforcement, accelerate threat containment, reduce dwell time, and deliver seamless Zero Trust protection for modern enterprises. | Cyber blog | Trend Micro |
| 18.10.25 | Operation Zero Disco: Attackers Exploit Cisco SNMP Vulnerability to Deploy Rootkits | Trend™ Research has uncovered an attack campaign exploiting the Cisco SNMP vulnerability CVE-2025-20352, allowing remote code execution and rootkit deployment on unprotected devices, with impacts observed on Cisco 9400, 9300, and legacy 3750G series. | Vulnerebility blog | Trend Micro |
| 18.10.25 | Shifts in the Underground: The Impact of Water Kurita’s (Lumma Stealer) Doxxing | A targeted underground doxxing campaign exposed alleged core members of Lumma Stealer (Water Kurita), resulting in a sharp decline in its activity and a migration of customers to rival infostealer platforms. | Malware blog | Trend Micro |
| 18.10.25 | Microsoft Security Bulletin Coverage for October 2025 | Microsoft’s October 2025 Patch Tuesday has 176 vulnerabilities, of which 84 are Elevation of Privilege. The SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of October 2025 and has produced coverage for 13 of the reported vulnerabilities. | OS Blog | SonicWall |
| 18.10.25 | Threat Brief: Nation-State Actor Steals F5 Source Code and Undisclosed Vulnerabilities | On Oct. 15, 2025, F5 — a U.S. technology company — disclosed that a nation-state threat actor conducted a significant long-term compromise of their corporate networks. In this incident, attackers stole source code from their BIG-IP suite of products and information about undisclosed vulnerabilities. | Incident blog | Palo Alto |
| 18.10.25 | PhantomVAI Loader Delivers a Range of Infostealers | Unit 42 researchers have been tracking phishing campaigns that use PhantomVAI Loader to deliver information-stealing malware through a multi-stage, evasive infection chain. | Malware blog | Palo Alto |
| 18.10.25 | Anatomy of an Attack: The "BlackSuit Blitz" at a Global Equipment | Unit 42 recently assisted a prominent manufacturer who experienced a severe ransomware attack orchestrated by Ignoble Scorpius, the group that distributes BlackSuit ransomware. | Ransom blog | Palo Alto |
| 18.10.25 | Denial of Fuzzing: Rust in the Windows kernel | Check Point Research (CPR) identified a security vulnerability in January 2025 affecting the new Rust-based kernel component of the Graphics Device Interface (commonly known as GDI) in Windows. | Vulnerebility blog | CHECKPOINT |
| 18.10.25 | BeaverTail and OtterCookie evolve with a new Javascript module | Cisco Talos has uncovered a new attack linked to Famous Chollima, a threat group aligned with North Korea (DPRK). | Malware blog | CISCO TALOS |
| 18.10.25 | Ransomware attacks and how victims respond | This edition highlights the detailed studies that have been recently published on how ransomware attacks affect victims, from PTSD to burnout, and discusses ways to help deal with the fallout of victimization. | Ransom blog | CISCO TALOS |
| 18.10.25 | Laura Faria: Empathy on the front lines | Laura opens up about her journey through various cybersecurity roles, her leap into incident response, and what it feels like to support customers during their toughest moments — including high-stakes situations impacting critical infrastructure. | Cyber blog | CISCO TALOS |
| 18.10.25 | Minecraft mods: When game 'hacks' turn risky | Some Minecraft 'hacks' don’t help build worlds – they break them. Here’s how malware can masquerade as a Minecraft mod. | Hacking blog | Eset |
| 18.10.25 | IT service desks: The security blind spot that may put your business at risk | Could a simple call to the helpdesk enable threat actors to bypass your security controls? Here’s how your team can close a growing security gap. | Cyber blog | Eset |
| 18.10.25 | Cybersecurity Awareness Month 2025: Why software patching matters more than ever | As the number of software vulnerabilities continues to increase, delaying or skipping security updates could cost your business dearly. | Cyber blog | Eset |
| 18.10.25 | AI-aided malvertising: Exploiting a chatbot to spread scams | Cybercriminals have tricked X’s AI chatbot into promoting phishing scams in a technique that has been nicknamed “Grokking”. Here’s what to know about it. | AI blog | Eset |
| 18.10.25 | The Silent Threat in Active Directory: How AS-REP Roasting Steals Passwords Without a Trace and Trellix NDR’s Rapid Detection | The Silent Threat in Active Directory: How AS-REP Roasting Steals Passwords Without a Trace and Trellix NDR’s Rapid Detection. | Hacking blog | Trelix |
| 18.10.25 | Dark Web Roast - September 2025 Edition | September 2025 brought us a delightful buffet of underground incompetence, and we're grateful for the content. | Cyber blog | Trelix |
| 11.10.25 | Block ransomware proliferation and easily restore files with AI in Google Drive | Ransomware remains one of the most damaging cyber threats facing organizations today. These attacks can lead to substantial financial losses, operational downtime, and data compromise, impacting organizations of all sizes and industries, including healthcare, retail, education, manufacturing, and government. | AI blog | Google Threat Intelligence |
| 11.10.25 | Operations with Untamed LLMs | Starting in June 2025, Volexity detected a series of spear phishing campaigns targeting several customers and their users in North America, Asia, and Europe. The initially observed campaigns were tailored | AI blog | VOLEXITY |
| 11.10.25 | New Stealit Campaign Abuses Node.js Single Executable Application | A new Stealit campaign uses Node.js Single Executable Application (SEA) to deliver obfuscated malware. FortiGuard Labs details tactics and defenses. | Malware blog | FORTINET |
| 11.10.25 | The Evolution of Chaos Ransomware: Faster, Smarter, and More Dangerous | FortiGuard Labs details Chaos-C++, a ransomware variant using destructive encryption and clipboard hijacking to amplify damage and theft. | Ransom blog | FORTINET |
| 11.10.25 | | Beginning Sept. 29, 2025, Google Threat Intelligence Group (GTIG) and Mandiant began tracking a new, large-scale extortion campaign by a threat actor claiming affiliation with the CL0P extortion brand. | Vulnerebility blog | Google Threat Intelligence |
| 11.10.25 | Cyber Threats in the EU Escalate as Diverse Groups Target Critical Sectors | The 2025 ENISA Threat Landscape shows rising cyber threats in the EU, with DDoS, ransomware, phishing, and supply chain attacks on critical infrastructure. | Cyber blog | Cyble |
| 11.10.25 | Australian Data Breaches Are Up 48% So Far This Year. What’s Behind The Eye-Popping Surge? | Australian data breaches have surged 48% so far this year, the latest data point that suggests that threat actors are finding rich targets Down Under. | Cyber blog | Cyble |
| 11.10.25 | Cybersecurity Awareness Month 2025: Don’t Just Be Aware, Be Ahead | This Cybersecurity Awareness Month, it’s time to move beyond awareness. Organizations face AI-powered attacks, supply chain vulnerabilities, and brand threats that demand proactive defense strategies—not just reactive responses. | Cyber blog | Cyble |
| 11.10.25 | DPRK SANCTIONS VIOLATIONS IN CYBER OPERATIONS POST UN PANEL DEMISE | EXECUTIVE SUMMARY Since the termination of the United Nations (UN) Panel of Experts in April 2024 due to Russia's veto, the landscape of Democratic People's Republic of Korea | BigBrother blog | Cyfirma |
| 11.10.25 | CYBER THREAT LANDSCAPE REPORT – Saudi Arabia | Executive Summary In 2025, Saudi Arabia witnessed a notable rise in cybercriminal activity, particularly within the dark web landscape. Threat actors increasingly targeted key sectors, | Cyber blog | Cyfirma |
| 11.10.25 | APT PROFILE – HAFNIUM | Hafnium is a Chinese state-sponsored advanced persistent threat (APT) group, also referred to as Silk Typhoon, and is known for sophisticated cyber espionage targeting critical | APT blog | Cyfirma |
| 11.10.25 | CYBER THREAT LANDSCAPE REPORT – UNITED ARAB EMIRATES UAE | Executive Summary In 2025, the United Arab Emirates (UAE) experienced a significant surge in cybercriminal activity, particularly in the dark web ecosystem. Threat actors targeted | Cyber blog | Cyfirma |
| 11.10.25 | TRACKING RANSOMWARE : SEPTEMBER 2025 | EXECUTIVE SUMMARY In September 2025, ransomware activity remained elevated, with 504 global victims, heavily impacting consumer services, professional services, and manufacturing | Ransom blog | Cyfirma |
| 11.10.25 | Investigating active exploitation of CVE-2025-10035 GoAnywhere Managed File Transfer vulnerability | Storm-1175, a financially motivated actor known for deploying Medusa ransomware and exploiting public-facing applications for initial access, was observed exploiting the deserialization vulnerability in GoAnywhere MFT’s License Servlet, tracked as CVE-2025-10035. | Vulnerebility blog | Microsoft blog |
| 11.10.25 | Disrupting threats targeting Microsoft Teams | Threat actors seek to abuse Microsoft Teams features and capabilities across the attack chain, underscoring the importance for defenders to proactively monitor, detect, and respond effectively. | Cyber blog | Microsoft blog |
| 11.10.25 | A Cascade of Insecure Architectures: Axis Plugin Design Flaw Expose Select Autodesk Revit Users to Supply Chain Risk | We discovered Azure Storage Account credentials exposed in Axis Communications’ Autodesk Revit plugin, allowing unauthorized modification of cloud-hosted files. This exposure, combined with vulnerabilities in Autodesk Revit, could enable supply-chain attacks targeting end users. | Vulnerebility blog | Trend Micro |
| 11.10.25 | How Your AI Chatbot Can Become a Backdoor | In this post of THE AI BREACH, learn how your Chatbot can become a backdoor. | AI blog | Trend Micro |
| 11.10.25 | Weaponized AI Assistants & Credential Thieves | Learn the state of AI and the NPM ecosystem with the recent s1ngularity' weaponized AI for credential theft. | AI blog | Trend Micro |
| 11.10.25 | RondoDox: From Targeting Pwn2Own Vulnerabilities to Shotgunning Exploits | Trend™ Research and ZDI Threat Hunters have identified a large-scale RondoDox botnet campaign exploiting over 50 vulnerabilities across more than 30 vendors, including flaws first seen in Pwn2Own contests. | Exploit blog | Trend Micro |
| 11.10.25 | Invoice Ninja Deserialization Flaw (CVE-2024-55555) | The SonicWall Capture Labs threat research team became aware of the threat CVE-2024-55555, assessed its impact, and developed mitigation measures for this vulnerability. | Vulnerebility blog | SonicWall |
| 11.10.25 | Responding to Cloud Incidents: A Step-by-Step Guide From the 2025 Unit 42 Global Incident Response Report | Cloud incidents like ransomware attacks and account compromise can bring operations to a halt and create a situation in which costs, reputation and customer trust are at stake. | Incident blog | Palo Alto |
| 11.10.25 | The ClickFix Factory: First Exposure of IUAM ClickFix Generator | Attackers are packaging a highly effective social engineering technique known as ClickFix into easy-to-use phishing kits, making it accessible to a wider range of threat actors. | Hacking blog | Palo Alto |
| 11.10.25 | When AI Remembers Too Much – Persistent Behaviors in Agents’ Memory | This article presents a proof of concept (PoC) that demonstrates how adversaries can use indirect prompt injection to silently poison the long-term memory of an AI Agent. We use Amazon Bedrock Agent for this demonstration. | AI blog | Palo Alto |
| 11.10.25 | The Golden Scale: Bling Libra and the Evolving Extortion Economy | In recent months, threat actors claiming to be part of a new conglomerate dubbed Scattered Lapsus$ Hunters (aka SP1D3R HUNTERS, SLSH) have asserted responsibility for laying siege to customer Salesforce tenants as part of a coordinated effort to steal data and hold it for ransom. | Ransom blog | Palo Alto |
| 11.10.25 | Velociraptor leveraged in ransomware attacks | Cisco Talos has confirmed that ransomware operators are leveraging Velociraptor, an open-source digital forensics and incident response (DFIR) tool. | Ransom blog | CISCO TALOS |
| 11.10.25 | Why don’t we sit around this computer console and have a sing-along? | Martin muses on why computers are less fun than campfires, why their dangers seem less real, and why he’s embarking on a lengthy research project to study this. | Cyber blog | CISCO TALOS |
| 11.10.25 | What to do when you click on a suspicious link | As the go-to cybersecurity expert for your friends and family, you’ll want to be ready for those “I clicked a suspicious link — now what?” messages. Share this quick guide to help them know exactly what to do next. | Cyber blog | CISCO TALOS |
| 11.10.25 | Too salty to handle: Exposing cases of CSS abuse for hidden text salting | A simple yet effective tactic, known as hidden text salting, has increasingly been used by cybercriminals over the past few months to evade even the most advanced email security solutions, including those powered by machine learning and large language models. | Cyber blog | CISCO TALOS |
| 11.10.25 | Family group chats: Your (very last) line of cyber defense | Amy gives an homage to parents in family group chats everywhere who want their children to stay safe in this wild world. | APT blog | CISCO TALOS |
| 11.10.25 | UAT-8099: Chinese-speaking cybercrime group targets high-value IIS for SEO fraud | Cisco Talos is disclosing details on UAT-8099, a Chinese-speaking cybercrime group mainly involved in SEO fraud and theft of high-value credentials, configuration files, and certificate data. | APT blog | CISCO TALOS |
| 11.10.25 | Nvidia and Adobe vulnerabilities | Cisco Talos’ Vulnerability Discovery & Research team recently disclosed five vulnerabilities in Nvidia and one in Adobe Acrobat. The vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerabili | Vulnerebility blog | CISCO TALOS |
| 11.10.25 | How Uber seems to know where you are – even with restricted location permissions | Is the ride-hailing app secretly tracking you? Not really, but this iOS feature may make it feel that way. | Cyber blog | Eset |
| 11.10.25 | Cybersecurity Awareness Month 2025: Passwords alone are not enough | Never rely on just a password, however strong it may be. Multi-factor authentication is essential for anyone who wants to protect their online accounts from intruders. | Cyber blog | Eset |
| 11.10.25 | The case for cybersecurity: Why successful businesses are built on protection | Company leaders need to recognize the gravity of cyber risk, turn awareness into action, and put security front and center | Cyber blog | Eset |
| 11.10.25 | Beware of threats lurking in booby-trapped PDF files | Looks can be deceiving, so much so that the familiar icon could mask malware designed to steal your data and money. | Cyber blog | Eset |
| 11.10.25 | Addressing CL0P Extortion Campaign Targeting Oracle EBS CVE-2025-61882 | Addressing CL0P Extortion Campaign Targeting Oracle EBS CVE-2025-61882 | Vulnerebility blog | Cybereason |
| 11.10.25 | The Bug Report – September 2025 Edition | September's Bug Report is here! Learn about critical CVEs affecting Chrome, Windows, Django, and FreePBX. Stay secure—patch now. | Vulnerebility blog | Trelix |
| 11.10.25 | The Evolution of Russian Physical-Cyber Espionage | From Rio to The Hague: How Russia’s evolving close-access cyber ops raise new risks. Learn what’s next—and how defenders can respond. | APT blog | Trelix |
| 4.10.25 | Confucius Espionage: From Stealer to Backdoor | FortiGuard Labs has uncovered a shift in the tactics of threat actor Confucius, from stealers to Python backdoors, highlighting advanced techniques used in South Asian cyber espionage. Read more. | Malware blog | FORTINET |
| 4.10.25 | | Protecting software-as-a-service (SaaS) platforms and applications requires a comprehensive security strategy. Drawing from analysis of UNC6040’s specific attack methodologies, this guide presents a structured defensive framework encompassing proactive hardening measures, comprehensive logging protocols, and advanced detection capabilities. | Cyber blog | Google Threat Intelligence |
| 4.10.25 | The Week in Vulnerabilities: PoCs and Zero-Days Merit Rapid Patching | A high percentage of Proof-of-Concept exploits and new zero days this week should have security teams on high alert. | Vulnerebility blog | Cyble |
| 4.10.25 | The Week in Vulnerabilities: MFT, Help Desk Fixes Urged by Cyble | The week’s top vulnerabilities include several that could attract the attention of threat actors, and some that already have. | Vulnerebility blog | Cyble |
| 4.10.25 | Exploiting Legitimate Remote Access Tools in Ransomware Campaigns | Introduction Ransomware is one of the most disruptive cyber threats, encrypting critical organizational data and demanding ransom payments for restoration. While early campaigns relied on mass phishing or opportunistic malware distribution, modern ransomware operations have evolved into highly sophisticated | Exploit blog | Seqrite |
| 4.10.25 | TYPHOON IN THE FIFTH DOMAIN : CHINA’S EVOLVING CYBER STRATEGY | EXECUTIVE SUMMARY China’s cyber operations have evolved from economic espionage to strategic, politically driven campaigns that pose significant threats to Western critical | APT blog | Cyfirma |
| 4.10.25 | YUREI RANSOMWARE : THE DIGITAL GHOST | EXECUTIVE SUMMARY At CYFIRMA, we are committed to delivering timely insights into emerging cyber threats and the evolving tactics of cybercriminals targeting individuals and | Ransom blog | Cyfirma |
| 4.10.25 | Rising Cyber Threats to Bahrain: Hacktivists and Data Breaches | EXECUTIVE SUMMARY In this report, our researchers analyzed recent cyber activity targeting Bahrain, including politically motivated hacktivism, credential leaks, government email | BigBrother blog | Cyfirma |
| 4.10.25 | CYBER THREAT ASSESSMENT ON NIGERIA | EXECUTIVE SUMMARY Between January and September 2025, Nigeria experienced a surge in data breaches and cybercrime activities across banking, telecom, government, healthcare, | Cyber blog | Cyfirma |
| 4.10.25 | Cisco SNMP Vulnerability CVE-2025-20352 Exploited in the Wild | CVE-2025-20352 is a critical SNMP vulnerability in Cisco IOS and IOS XE software, which has been actively exploited in the wild (added to the CISA KEV on September 29th), resulting in reported attacks affecting up to 2 million devices globally. | Vulnerebility blog | Eclypsium |
| 4.10.25 | The Hunt for RedNovember: A Depth Charge Against Network Edge Devices | Network edge devices such as routers, switches, firewalls, VPNs, and access points are being targeted by waves of cyberattacks. | Cyber blog | Eclypsium |
| 4.10.25 | HybridPetya Ransomware Shows Why Firmware Security Can't Be an Afterthought | Like many in our field, I thought we’d seen the last of Petya-style attacks after the chaos of 2017. As it turns out, that was wishful thinking. | Ransom blog | Eclypsium |
| 4.10.25 | Self-Propagating Malware Spreading Via WhatsApp, Targets Brazilian Users | Trend™ Research has identified an active campaign spreading via WhatsApp through a ZIP file attachment. When executed, the malware establishes persistence and hijacks the compromised WhatsApp account to send copies of itself to the victim’s contacts. | Malware blog | Trend Micro |
| 4.10.25 | Deserialization Leads to Command Injection in GoAnywhere MFT: CVE-2025-10035 | The SonicWall Capture Labs threat research team has identified a critical command injection vulnerability in GoAnywhere MFT. Tracked as CVE-2025-10035, this flaw allows attackers with a forged license response signature to deserialize malicious objects, potentially compromising the entire network access control infrastructure. | Vulnerebility blog | SonicWall |
| 4.10.25 | Exploited in the Wild: DELMIA Apriso Insecure Deserialization (CVE-2025-5086) | The SonicWall Capture Labs threat research team became aware of a deserialization of untrusted data vulnerability in DELMIA Apriso, assessed its impact and developed mitigation measures. DELMIA Apriso, developed by Dassault Systèmes, is a Manufacturing Operations Management (MOM) software that helps manufacturers digitize and manage global production. | Exploit blog | SonicWall |
| 4.10.25 | TOTOLINK X6000R: Three New Vulnerabilities Uncovered | We have uncovered three vulnerabilities in the firmware of the TOTOLINK X6000R router, version V9.4.0cu.1360_B20241207, released on March 28, 2025: | Vulnerebility blog | Palo Alto |
| 4.10.25 | Phantom Taurus: A New Chinese Nexus APT and the Discovery of the NET-STAR Malware Suite | Phantom Taurus is a previously undocumented nation-state actor whose espionage operations align with People’s Republic of China (PRC) state interests. Over the past two and a half years, Unit 42 researchers have observed Phantom Taurus targeting government and telecommunications organizations across Africa, the Middle East, and Asia. | APT blog | Palo Alto |
| 4.10.25 | Rhadamanthys 0.9.x – walk through the updates | Rhadamanthys is a popular, multi-modular stealer, released in 2022. Since then, it has been used in multiple campaigns by various actors. Most recently, it is being observed in the ClickFix campaigns. | Malware blog | CHECKPOINT |
| 4.10.25 | UAT-8099: Chinese-speaking cybercrime group targets high-value IIS for SEO fraud | Cisco Talos is disclosing details on UAT-8099, a Chinese-speaking cybercrime group mainly involved in SEO fraud and theft of high-value credentials, configuration files, and certificate data. | Cyber blog | CISCO TALOS |
| 4.10.25 | Family group chats: Your (very last) line of cyber defense | Amy gives an homage to parents in family group chats everywhere who want their children to stay safe in this wild world. | Cyber blog | CISCO TALOS |
| 4.10.25 | What happens when you engage Cisco Talos Incident Response? | What happens when you bring in a team of cybersecurity responders? How do we turn chaos into control, and what is the long-term value that Talos IR provides to the organizations we work with? | Cyber blog | CISCO TALOS |
| 4.10.25 | Manufacturing under fire: Strengthening cyber-defenses amid surging threats | Manufacturers operate in one of the most unforgiving threat environments and face a unique set of pressures that make attacks particularly damaging | Cyber blog | Eset |
| 4.10.25 | New spyware campaigns target privacy-conscious Android users in the UAE | ESET researchers have discovered campaigns distributing spyware disguised as Android Signal and ToTok apps, targeting users in the United Arab Emirates | Social blog | Eset |
| 4.10.25 | Cybersecurity Awareness Month 2025: Knowledge is power | We're kicking off the month with a focus on the human element: the first line of defense, but also the path of least resistance for many cybercriminals | Cyber blog | Eset |
| 4.10.25 | This month in security with Tony Anscombe – September 2025 edition | The past 30 days have seen no shortage of new threats and incidents that brought into sharp relief the need for well-thought-out cyber-resilience plans | Cyber blog | Eset |
| 4.10.25 | XWorm V6: Exploring Pivotal Plugins | XWorm V6, a potent malware, has resurfaced with new plugins and persistence methods. Stay informed and enhance your defenses against evolving cyber threats. Protect your organization now! | Malware blog | Trelix |
| 27.9.25 | HeartCrypt’s wholesale impersonation effort | How the notorious Packer-as-a-Service operation built itself into a hydra | Malware blog | SOPHOS |
| 27.9.25 | GOLD SALEM’s Warlock operation joins busy ransomware landscape | The emerging group demonstrates competent tradecraft using a familiar ransomware playbook and hints of ingenuity | Ransom blog | SOPHOS |
| 27.9.25 | SVG Phishing hits Ukraine with Amatera Stealer, PureMiner | A phishing campaign in Ukraine uses malicious SVG files to drop Amatera Stealer and PureMiner, enabling data theft and cryptomining. Learn more. | Phishing blog | FORTINET |
| 27.9.25 | CountLoader: Silent Push Discovers New Malware Loader Being Served in 3 Different Versions | Silent Push has discovered a new malware loader that is strongly associated with Russian ransomware gangs that we are naming: “CountLoader.” | Malware blog | Silent Push |
| 27.9.25 | | Google Threat Intelligence Group (GTIG) is tracking BRICKSTORM malware activity, which is being used to maintain persistent access to victim organizations in the United States. | Malware blog | Google Threat Intelligence |
| 27.9.25 | Iranian Threat Actor Nimbus Manticore Expands Campaigns into Europe with Advanced Malware and Fake Job Lures | Check Point Research is actively tracking Iranian threat actor Nimbus Manticore. Our latest findings show it is expanding operations into Europe and now targeting the defense, telecom, and aerospace sectors. | APT blog | CHECKPOINT |
| 27.9.25 | Australia Ransomware Landscape 2025: Rich Targets Attract Ransomware Groups | Australia’s high per-capita GDP has led to an outsized number of ransomware attacks. Here are the numbers – and 10 major attacks that hit the ANZ region. | Ransom blog | Cyble |
| 27.9.25 | Cyble Honeypots Detect Exploit Attempts of Nearly Two Dozen Vulnerabilities | Recent Cyble reports have detailed dozens of vulnerabilities under active attack by threat actors and ransomware groups. | Vulnerebility blog | Cyble |
| 27.9.25 | Australia Urges Immediate Action on Post-Quantum Cryptography as CRQC Threat Looms | ACSC urges early action as CRQC threatens current encryption. Organizations must adopt post-quantum cryptography by 2030 to protect critical data. | Cyber blog | Cyble |
| 27.9.25 | Countdown to DPDP Rules: What to Expect from the Final DPDP Rules | The wait is almost over. The final Digital Personal Data Protection (DPDP) Rules are just days away, marking the next big step after the enactment of the DPDPA in 2023. With only a few days left, organizations must gear... | Cyber blog | Seqrite |
| 27.9.25 | Why Regional and Cooperative Banks Can No Longer Rely on Legacy VPNs | Virtual Private Networks (VPNs) have been the go-to solution for securing remote access to banking systems for decades. They created encrypted tunnels for employees, vendors, and auditors to connect with core banking applications. But as cyber threats become more... | Cyber blog | Seqrite |
| 27.9.25 | CYBER THREAT LANDSCAPE- SOUTH AFRICA | Executive Summary South Africa’s cyber threat landscape has intensified sharply in 2025, reflecting the country’s position as Africa’s most digitally integrated economy and a prime targe | Cyber blog | Cyfirma |
| 27.9.25 | Investigation Report on Jaguar Land Rover Cyberattack | Executive Summary CYFIRMA analyzed the September 2, 2025, Jaguar Land Rover (JLR) cyber incident, which caused widespread disruption by shutting down global IT systems and | Incident blog | Cyfirma |
| 27.9.25 | Qatar Threat Landscape Report | Executive Summary In this report, our researchers analysed recent cyber activity targeting Qatar, including data leaks, the sale of initial access, and ransomware incidents. We explain | Cyber blog | Cyfirma |
| 27.9.25 | From MUSE to Manual: Cyberattack Analysis on European Airport Operations | Executive Summary On 19 September 2025, multiple major European airports, including London Heathrow (LHR), Brussels (BRU), and Berlin Brandenburg (BER), experienced severe | Cyber blog | Cyfirma |
| 27.9.25 | Eclypsium Acknowledged for the Firmware Protection as A Service Category in two Gartner® Hype Cycle™ R | Firmware protection is gaining increased urgency as cyberattackers from ransomware gangs to nation state APTs target firmware vulnerabilities to maintain persistence in target environments. Eclypsium has been mentioned as a sample vendor in two Gartner Hype Cycles in 2025 under the Firmware Protection as a Service product category. | APT blog | Eclypsium |
| 27.9.25 | HybridPetya Ransomware Shows Why Firmware Security Can't Be an Afterthought | Like many in our field, I thought we’d seen the last of Petya-style attacks after the chaos of 2017. | Ransom blog | Eclypsium |
| 27.9.25 | XCSSET evolves again: Analyzing the latest updates to XCSSET’s inventory | Microsoft Threat Intelligence has uncovered a new variant of the XCSSET malware, which is designed to infect Xcode projects, typically used by software developers building Apple or macOS-related applications. | Malware blog | Microsoft blog |
| 27.9.25 | AI-Powered App Exposes User Data, Creates Risk of Supply Chain Attacks | Trend™ Research’s analysis of Wondershare RepairIt reveals how the AI-driven app exposed sensitive user data due to unsecure cloud storage practices and hardcoded credentials, creating risks of model tampering and supply chain attacks. | AI blog | Trend Micro |
| 27.9.25 | Domino Effect: How One Vendor's AI App Breach Toppled Giants | A single AI chatbot breach at Salesloft-Drift exposed data from 700+ companies, including security leaders. The attack shows how AI integrations expand risk, and why controls like IP allow-listing, token security, and monitoring are critical. | AI blog | Trend Micro |
| 27.9.25 | This Is How Your LLM Gets Compromised | Poisoned data. Malicious LoRAs. Trojan model files. AI attacks are stealthier than ever—often invisible until it’s too late. Here’s how to catch them before they catch you. | AI blog | Trend Micro |
| 27.9.25 | New LockBit 5.0 Targets Windows, Linux, ESXi | Trend™ Research analyzed source binaries from the latest activity from notorious LockBit ransomware with their 5.0 version that exhibits advanced obfuscation, anti-analysis techniques, and seamless cross-platform capabilities for Windows, Linux, and ESXi systems. | Ransom blog | Trend Micro |
| 27.9.25 | CNAPP is the Solution to Multi-cloud Flexibility | Cloud-native application protection platform (CNAPP) not only helps organizations protect, but offers the flexibility of multi-cloud. | Cyber blog | Trend Micro |
| 27.9.25 | Decrypting Gremlin: A Deep Dive Into The Info Stealer's Data Harvesting Engine | The SonicWall Capture Labs threat research team has recently been tracking the latest variants of Gremlin malware, a sophisticated .NET-based information stealer designed for comprehensive data exfiltration from infected Windows systems. | Malware blog | SonicWall |
| 27.9.25 | Exploited in the Wild: DELMIA Apriso Insecure Deserialization (CVE-2025-5086) | The SonicWall Capture Labs threat research team became aware of a deserialization of untrusted data vulnerability in DELMIA Apriso, assessed its impact and developed mitigation measures. | Vulnerebility blog | SonicWall |
| 27.9.25 | Nimbus Manticore Deploys New Malware Targeting Europe | Check Point Research is tracking a long‑running campaign by the Iranian threat actor Nimbus Manticore, which overlaps with UNC1549, Smoke Sandstorm, and the “Iranian Dream Job” operations. The ongoing campaign targets defense manufacturing, telecommunications, and aviation that are aligned with IRGC strategic priorities. | APT blog | Checkpoint |
| 27.9.25 | How RainyDay, Turian and a new PlugX variant abuse DLL search order hijacking | Talos discovered that a new PlugX variant’s features overlap with both the RainyDay and Turian backdoors | Malware blog | CISCO TALOS |
| 27.9.25 | Great Scott, I’m tired | Hazel celebrates unseen effort in cybersecurity and shares some PII. Completely unrelated, but did you know “Back to the Future” turns 40 this year? | Cyber blog | CISCO TALOS |
| 27.9.25 | What happens when you engage Cisco Talos Incident Response? | What happens when you bring in a team of cybersecurity responders? How do we turn chaos into control, and what is the long-term value that Talos IR provides to the organizations we work with? | Cyber blog | CISCO TALOS |
| 27.9.25 | ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices | Cisco is aware of new activity targeting certain Cisco Adaptive Security Appliances (ASA) 5500-X Series and has released three CVEs related to the event. We assess with high confidence that this activity is related to the same threat actor as ArcaneDoor in 2024. | Malware blog | CISCO TALOS |
| 27.9.25 | Put together an IR playbook — for your personal mental health and wellbeing | This edition pulls the curtain aside to show the realities of the VPN Filter campaign. Joe reflects on the struggle to prevent burnout in a world constantly on fire. | Cyber blog | CISCO TALOS |
| 27.9.25 | Alex Ryan: From zero chill to quiet confidence | Discover how a Cisco Talos Incident Response expert transitioned from philosophy to the high-stakes world of incident command, offering candid insights into managing burnout and finding a supportive team. | Cyber blog | CISCO TALOS |
| 27.9.25 | Roblox executors: It’s all fun and games until someone gets hacked | You could be getting more than you bargained for when you download that cheat tool promising quick wins | Cyber blog | Eset |
| 27.9.25 | DeceptiveDevelopment: From primitive crypto theft to sophisticated AI-based deception | Malware operators collaborate with covert North Korean IT workers, posing a threat to both headhunters and job seekers | AI blog | Eset |
| 27.9.25 | Watch out for SVG files booby-trapped with malware | What you see is not always what you get as cybercriminals increasingly weaponize SVG files as delivery vectors for stealthy malware | Malware blog | Eset |
| 27.9.25 | Pointer leaks through pointer-keyed data structures | Some time in 2024, during a Project Zero team discussion, we were talking about how remote ASLR leaks would be helpful or necessary for exploiting some types of memory corruption bugs, specifically in the context of Apple devices. | Hacking blog | Project Zero |
| 27.9.25 | npm Account Hijacking and the Rise of Supply Chain Attacks | Trellix provides an in-depth examination of the Shai-Hulud worm campaign, with guidance for organizations to better protect themselves | Hacking blog | Trelix |
| 27.9.25 | When AD Gets Breached: Detecting NTDS.dit Dumps and Exfiltration with Trellix NDR | This blog describes a real-world scenario in which threat actors gained access to a system, dumped the NTDS.dit file, and attempted to exfiltrate it while avoiding common defenses. | Cyber blog | Trelix |
| 27.9.25 | Unmasking Hidden Threats: Spotting a DPRK IT-Worker Campaign | In the North Korean IT worker employment campaign, skilled operatives from the DPRK (North Korea) pose as remote IT professionals to get hired at Western companies. | APT blog | Trelix |
| 20.9.25 | Self-replicating Shai-hulud worm spreads token-stealing malware on npm | RL researchers have detected the first self-replicating worm compromising popular npm packages with cloud token-stealing malware. | Malware blog | REVERSINGLABS |
| 20.9.25 | Ethereum smart contracts used to push malicious code on npm | RL discovered how the crypto contracts were abused — and how this incident is tied to a larger campaign to promote malicious packages on top repositories. | Cryptocurrency blog | REVERSINGLABS |
| 20.9.25 | GOLD SALEM’s Warlock operation joins busy ransomware landscape | The emerging group demonstrates competent tradecraft using a familiar ransomware playbook and hints of ingenuity | Ransom blog | SOPHOS |
| 20.9.25 | CountLoader: Silent Push Discovers New Malware Loader Being Served in 3 Different Versions | Silent Push has discovered a new malware loader that is strongly associated with Russian ransomware gangs that we are naming: “CountLoader.” | Malware blog | Silent Push |
| 20.9.25 | Advanced Queries For Real Malware Detection in Silent Push | The Silent Push platform is capable of powerful queries for threat hunting and preemptive discovery of malicious infrastructure. Our team uses this platform every day to proactively hunt and discover infrastructure for our customers, enabling blocking and discovery of threats before they are fully operationalized. | Malware blog | Silent Push |
| 20.9.25 | The Week in Vulnerabilities: 1000+ Bugs with 135 Publicly Known PoCs | This week, critical vulnerabilities in Apple, Zimbra, Samsung, and Adobe demand urgent attention as exploits surface in the wild and underground communities weaponize flaws. | Vulnerebility blog | Cyble |
| 20.9.25 | Ransomware Landscape August 2025: Qilin Dominates as Sinobi Emerges | Qilin led in ransomware attacks in all global regions in August, but the rapid rise of Sinobi and The Gentlemen also merits attention by security teams. | Ransom blog | Cyble |
| 20.9.25 | Inside Maranhão Stealer: Node.js-Powered InfoStealer Using Reflective DLL Injection | Vulnerabilities in SAP, Sophos, Adobe and Android were among the fixes issued by vendors during a very busy Patch Tuesday week. | Malware blog | Cyble |
| 20.9.25 | DeerStealer Malware Campaign: Stealth, Persistence, and Rootkit-Like Capabilities | Executive Summary At CYFIRMA, we are dedicated to providing current insights into prevalent threats and the strategies employed by malicious entities targeting both organizations | Malware blog | Cyfirma |
| 20.9.25 | CYFIRMA : Defence Industry Threat Report | EXECUTIVE SUMMARY Between May and August 2025, CYFIRMA observed sustained cyber operations against the global defence sector, driven by both state-aligned groups and | Cyber blog | Cyfirma |
| 20.9.25 | UNMASKING A PYTHON STEALER – “XillenStealer” | EXECUTIVE SUMMARY Cyfirma’s threat intelligence assessment of XillenStealer identifies it as an open-source, Python-based information stealer publicly available on GitHub. The malware is designed to harvest sensitive system and user… | Malware blog | Cyfirma |
| 20.9.25 | DIGITAL FRONTLINES : INDIA UNDER MULTI-NATION HACKTIVIST ATTACK | EXECUTIVE SUMMARY At CYFIRMA, we are committed to offering up-to-date insights into prevalent threats and tactics | Hacking blog | Cyfirma |
| 20.9.25 | Surge in Cisco ASA Scanning Hints At Coming Cyberattacks | A massive surge in scans targeting Cisco Adaptive Security Appliance (ASA) devices was observed by GreyNoise in late August 2025, with over 25,000 unique IPs probing ASA login portals in a single burst. | Hacking blog | Eclypsium |
| 20.9.25 | Going Underground: China-aligned TA415 Conducts U.S.-China Economic Relations Targeting Using VS Code Remote Tunnels | Throughout July and August 2025, TA415 conducted spearphishing campaigns targeting United States government, think tank, and academic organizations utilizing U.S.-China economic-themed lures. | APT blog | PROOFPOINT |
| 20.9.25 | EvilAI Operators Use AI-Generated Code and Fake Apps for Far-Reaching Attacks | Combining AI-generated code and social engineering, EvilAI operators are executing a rapidly expanding campaign, disguising their malware as legitimate applications to bypass security, steal credentials, and persistently compromise organizations worldwide. | AI blog | Trend Micro |
| 20.9.25 | What We Know About the NPM Supply Chain Attack | Trend™ Research outlines the critical details behind the ongoing NPM supply chain attack and offers essential steps to stay protected against potential compromise. | Hacking blog | Trend Micro |
| 20.9.25 | How AI-Native Development Platforms Enable Fake Captcha Pages | Cybercriminals are abusing AI-native platforms like Vercel, Netlify, and Lovable to host fake captcha pages that deceive users, bypass detection, and drive phishing campaigns. | AI blog | Trend Micro |
| 20.9.25 | Critical ViewState Deserialization Zero-Day in Sitecore (CVE-2025-53690) | The SonicWall Capture Labs threat research team identified CVE-2025-53690 and assessed its impact. Sitecore is a widely used digital experience platform (DXP) that provides content management, personalization and e-commerce capabilities for enterprises. | Vulnerebility blog | SonicWall |
| 20.9.25 | The Risks of Code Assistant LLMs: Harmful Content, Misuse and Deception | We recently looked into AI code assistants that connect with integrated development environments (IDEs) as a plugin, much like GitHub Copilot. | Cyber blog | Palo Alto |
| 20.9.25 | Myth Busting: Why "Innocent Clicks" Don't Exist in Cybersecurity | Picture this: You snag the last spot in a parking lot and find the QR code to pay on the lamppost directly in front of you. Score! You go to pay on the website, but wait…the page is full of ads and looks very suspicious. | Cyber blog | Palo Alto |
| 20.9.25 | "Shai-Hulud" Worm Compromises npm Ecosystem in Supply Chain Attack (Updated September 19) | Palo Alto Networks Unit 42 is investigating an active and widespread software supply chain attack targeting the Node Package Manager (npm) ecosystem. | Malware blog | Palo Alto |
| 20.9.25 | Under the Pure Curtain: From RAT to Builder to Coder | Check Point Research conducted a forensic analysis of a ClickFix campaign that lured victims with fake job offers that resulted in an eight-day intrusion. | Malware blog | Checkpoint |
| 20.9.25 | Why a Cisco Talos Incident Response Retainer is a game-changer | With a Cisco Talos IR Retainer, your organization can stay resilient and ahead of tomorrow's threats. Here's how. | Cyber blog | CISCO TALOS |
| 20.9.25 | Put together an IR playbook — for your personal mental health and wellbeing | This edition pulls the curtain aside to show the realities of the VPN Filter campaign. Joe reflects on the struggle to prevent burnout in a world constantly on fire. | Cyber blog | CISCO TALOS |
| 20.9.25 | Alex Ryan: From zero chill to quiet confidence | Discover how a Cisco Talos Incident Response expert transitioned from philosophy to the high-stakes world of incident command, offering candid insights into managing burnout and finding a supportive team. | Cyber blog | CISCO TALOS |
| 20.9.25 | Maturing the cyber threat intelligence program | The Cyber Threat Intelligence Capability Maturity Model (CTI-CMM) helps organizations assess and improve their threat intelligence programs by outlining 11 key areas and specific missions where CTI can support decision-making. | Cyber blog | CISCO TALOS |
| 20.9.25 | Beaches and breaches | Thor examines why supply chain and identity attacks took center stage in this week’s headlines, rather than AI and ransomware. | Cyber blog | CISCO TALOS |
| 20.9.25 | Microsoft Patch Tuesday for September 2025 – Snort rules and prominent vulnerabilities | Microsoft has released its monthly security update for September 2025, which includes 86 vulnerabilities affecting a range of products. | Vulnerebility blog | CISCO TALOS |
| 20.9.25 | Gamaredon X Turla collab | Notorious APT group Turla collaborates with Gamaredon, both FSB-associated groups, to compromise high‑profile targets in Ukraine | APT blog | Eset |
| 20.9.25 | Small businesses, big targets: Protecting your business against ransomware | Long known to be a sweet spot for cybercriminals, small businesses are more likely to be victimized by ransomware than large enterprises | Ransom blog | Eset |
| 20.9.25 | HybridPetya: The Petya/NotPetya copycat comes with a twist | HybridPetya is the fourth publicly known real or proof-of-concept bootkit with UEFI Secure Boot bypass functionality | Vulnerebility blog | Eset |
| 20.9.25 | Dark Web Roast - August 2025 Edition | The August 2025 edition of the Advanced Research Center Dark Web Roast delivers a masterclass in how not to run a criminal enterprise, showcasing threat actors who've somehow managed to combine the worst aspects of amateur hour operations with delusions of professional grandeur. | Cyber blog | Trelix |
| 13.9.25 | Go Get ‘Em: Updates to Volexity Golang Tooling | This blog post was the final deliverable for a summer internship project, which was completed under the direction of the Volexity Threat Intelligence team. If you’d like more information about | Cyber blog | VELOXITY |
| 13.9.25 | SEO Poisoning Attack Targets Chinese-Speaking Users with Fake Software Sites | FortiGuard Labs uncovered an SEO poisoning campaign targeting Chinese users with fake software sites delivering Hiddengh0st and Winos malware. | Attack blog | FORTINET |
| 13.9.25 | MostereRAT Deployed AnyDesk/TightVNC for Covert Full Access | FortiGuard Labs uncovers MostereRAT’s use of phishing, EPL code, and remote access tools like AnyDesk and TightVNC to evade defenses and seize full system control. | Malware blog | FORTINET |
| 13.9.25 | Advanced Queries For Real Malware Detection in Silent Push | The Silent Push platform is capable of powerful queries for threat hunting and preemptive discovery of malicious infrastructure. Our team uses this platform every day to proactively hunt and discover infrastructure for our customers, enabling blocking and discovery of threats before they are fully operationalized. | Cyber blog | Silent Push |
| 13.9.25 | Salt Typhoon and UNC4841: Silent Push Discovers New Domains; Urges Defenders to Check Telemetry and Log Data | It’s extremely rare for our team to publicly share details on how we found the technical fingerprints for an Advanced Persistent Threat (APT) group. We are making these details public now due to our belief that these are legacy fingerprints unlikely to appear again. | APT blog | Silent Push |
| 13.9.25 | ViewState Deserialization Zero-Day Vulnerability in Sitecore Products (CVE-2025-53690) | In a recent investigation, Mandiant Threat Defense discovered an active ViewState deserialization attack affecting Sitecore deployments leveraging a sample machine key that had been exposed in Sitecore deployment guides from 2017 and earlier. An attacker leveraged the exposed ASP.NET machine key to perform remote code execution. | Vulnerebility blog | Google Threat Intelligence |
| 13.9.25 | The Week in Vulnerabilities: ‘Patch Tuesday’ Yields 1,200 New Flaws | Vulnerabilities in SAP, Sophos, Adobe and Android were among the fixes issued by vendors during a very busy Patch Tuesday week. | Vulnerebility blog | Cyble |
| 13.9.25 | Australian Cyber Authorities Warn of Active Exploitation of SonicWall SSL Vulnerability (CVE-2024-40766) | ASD’s ACSC warns of active CVE-2024-40766 exploits in SonicWall SSL VPNs, allowing unauthorized access and firewall crashes across multiple device generations. | Vulnerebility blog | Cyble |
| 13.9.25 | Canadian Government’s IT Arm Flags Digital Risks, Cyber Threats, and Strategic Priorities | Shared Services Canada urges IT modernization as it blocks 6.5T cyber threats yearly, highlighting urgent cybersecurity needs across federal systems. | Cyber blog | Cyble |
| 13.9.25 | LunoBotnet: A Self-Healing Linux Botnet with Modular DDoS and Cryptojacking Capabilities | LunoBotnet is an actively evolving Linux botnet combining crypto-mining and DDoS with modular updates and monetization. | BotNet blog | Cyble |
| 13.9.25 | International Guidance Promotes SBOM Adoption to Enhance Software Supply Chain Security | New global SBOM guidance aims to boost software supply chain security, enhance transparency, and improve vulnerability and risk management across industries. | Security blog | Cyble |
| 13.9.25 | TRACKING RANSOMWARE : August 2025 | EXECUTIVE SUMMARY In Aug 2025, ransomware activity remained elevated with 522 global victims, a slight decline from July but still far above 2023–2024 levels. Professional services, consumer services, and manufacturing… | Ransom blog | Cyfirma |
| 13.9.25 | Deconstructing a Cyber Deception: An Analysis of the Clickfix HijackLoader Phishing Campaign | Table of Contents Introduction The Evolving Threat of Attack Loaders Objective of This Blog Technical Methodology and Analysis Initial Access and Social Engineering Multi-Stage Obfuscation and De-obfuscation Anti-Analysis Techniques The Final Payload Conclusion IOCs Quick Heal \ Seqrite Protection ... | Hacking blog | Seqrite |
| 13.9.25 | Echoleak - Send a prompt, extract secret from Copilot AI! (CVE-2025-32711) | Introduction: What if your AI assistant wasn’t just helping you – but quietly helping someone else too? A recent zero-click exploit known as EchoLeak revealed how Microsoft 365 Copilot could be manipulated to exfiltrate sensitive information – without the... | AI blog | Seqrite |
| 13.9.25 | Malware Campaign Leverages SVGs, Email Attachments, and CDNs to Drop XWorm and Remcos via BAT Scripts | Table of Content: Introduction Infection Chain Process Tree Campaign 1: – Persistence – BATCH files – PowerShell script – Loader – Xworm/Remcos Campaign 2 Conclusion IOCS Detections MITRE ATTACK TTPs Introduction: Recent threat campaigns have revealed an evolving use... | Malware blog | Seqrite |
| 13.9.25 | SAP NetWeaver Metadata Uploader Vulnerability (CVE-2025-31324) | Executive Summary CVE-2025-31324 is a critical remote code execution (RCE) vulnerability affecting the SAP NetWeaver Development Server, one of the core components used in enterprise environments for application development and integration. The vulnerability stems from improper validation of uploaded... | Vulnerebility blog | Seqrite |
| 13.9.25 | The Rise of SBOM Requirements In Cybersecurity Guidelines and Laws | Software bills of materials (SBOMs) have been around for years, but they’re historically ill defined, hard to generate, update, and use. So most organizations don’t. | Cyber blog | Eclypsium |
| 13.9.25 | Golden Dome Requires Firmware Bills of Materials, SBOMs, and Other Supply Chain Security Measures | In May, 2025 the U.S. Secretary of Defense announced support for the Golden Dome for America (GDA). The project is a next-generation missile defense shield to be integrated with existing U.S. air and missile defense systems. | Cyber blog | Eclypsium |
| 13.9.25 | Securing Higher Education: Top College Switches from Abnormal to Proofpoint | When you represent a historic educational institution with a reputation to protect, you can’t afford gaps in email security. This is the reality for many higher education security teams. It was also the case for one liberal arts college on the East Coast that recently made the switch from Abnormal AI to Proofpoint’s API-deployed Core Email Protection. | Cyber blog | PROOFPOINT |
| 13.9.25 | Insider Threats Unfold in Two Ways—With Impact or Intervention | Every insider threat has a cause, whether it’s a lapse in judgment or rushed mistake, growing resentment, a change in ideology, or desire for personal gain. Left unchecked, these small cracks can widen into corporate crises that make headlines. | Cyber blog | PROOFPOINT |
| 13.9.25 | Apache NiFi Code Injection (CVE-2023-34468) | The SonicWall Capture Labs threat research team became aware of the threat CVE-2023-34468, assessed its impact and developed mitigation measures for this vulnerability. | Vulnerebility blog | SonicWall |
| 13.9.25 | Microsoft Security Bulletin Coverage for September 2025 | Microsoft’s September 2025 Patch Tuesday has 81 vulnerabilities, of which 38 are Elevation of Privilege. The SonicWall Capture Labs threat research team has analyzed and addressed Microsoft’s security advisories for the month of September 2025 and has produced coverage for seven of the reported vulnerabilities. | OS Blog | SonicWall |
| 13.9.25 | Trusted Connections, Hidden Risks: Token Management in the Third-Party Supply Chain | You are about to log off for the weekend when a high-severity alert flashes on your cloud security tool’s dashboard. A single, unfamiliar OAuth token is making hundreds of connections from three different IP addresses, two of which are flagged as belonging to an unknown VPN service. | Hacking blog | Palo Alto |
| 13.9.25 | AdaptixC2: A New Open-Source Framework Leveraged in Real-World Attacks | In early May 2025, Unit 42 researchers observed that AdaptixC2 was used to infect several systems. | Hacking blog | Palo Alto |
| 13.9.25 | Data Is the New Diamond: Latest Moves by Hackers and Defenders | There have been several notable developments in recent weeks related to data theft activity from cybercriminals targeting Salesforce instances, including via the Salesloft Drift supply chain attack detailed in a recent Unit 42 Threat Brief. | Cyber blog | Palo Alto |
| 13.9.25 | Yurei & The Ghost of Open Source Ransomware | First observed on September 5, Yurei is a newly emerged ransomware group that targeted a Sri Lankan food manufacturing company as its first leaked victim. The group follows a double-extortion model: they encrypt the victim’s files and exfiltrate sensitive data, and then demand a ransom payment to decrypt and refrain from publishing the stolen information. | Ransom blog | Checkpoint |
| 13.9.25 | Stopping ransomware before it starts: Lessons from Cisco Talos Incident Response | Explore lessons learned from over two years of Talos IR pre-ransomware engagements, highlighting the key security measures, indicators and recommendations that have proven effective in stopping ransomware attacks before they begin. | Ransom blog | CISCO TALOS |
| 13.9.25 | Beaches and breaches | Thor examines why supply chain and identity attacks took center stage in this week’s headlines, rather than AI and ransomware. | Incident blog | CISCO TALOS |
| 13.9.25 | Maturing the cyber threat intelligence program | The Cyber Threat Intelligence Capability Maturity Model (CTI-CMM) helps organizations assess and improve their threat intelligence programs by outlining 11 key areas and specific missions where CTI can support decision-making. | Cyber blog | CISCO TALOS |
| 13.9.25 | Introducing HybridPetya: Petya/NotPetya copycat with UEFI Secure Boot bypass | UEFI copycat of Petya/NotPetya exploiting CVE-2024-7344 discovered on VirusTotal | Vulnerebility blog | Eset |
| 13.9.25 | Are cybercriminals hacking your systems – or just logging in? | As bad actors often simply waltz through companies’ digital front doors with a key, here’s how to keep your own door locked tight | Hacking blog | Eset |
| 13.9.25 | Preventing business disruption and building cyber-resilience with MDR | Given the serious financial and reputational risks of incidents that grind business to a halt, organizations need to prioritize a prevention-first cybersecurity strategy | Cyber blog | Eset |
| 13.9.25 | Behind the Mask of Madgicx Plus: A Chrome Extension Campaign Targeting Meta Advertisers | In this Threat Analysis Report, Cybereason analyzes an investigation into a new malicious Chrome extension campaign | Hacking blog | Cybereason |
| 13.9.25 | Silent Pivot: Detecting Fileless Lateral Movement via Service Manager with Trellix NDR | The tactics of cyber adversaries continue to evolve as they attempt to bypass security vendors. | APT blog | Trellix |
| 6.9.25 | ViewState Deserialization Zero-Day Vulnerability in Sitecore Products (CVE-2025-53690) | In a recent investigation, Mandiant Threat Defense discovered an active ViewState deserialization attack affecting Sitecore deployments leveraging a sample machine key that had been exposed in Sitecore deployment guides from 2017 and earlier. An attacker leveraged the exposed ASP.NET machine key to perform remote code execution. | Vulnerebility blog | Google Threat Intelligence |
| 6.9.25 | Massive IPTV Piracy Network Uncovered by Silent Push | Security analysts face the constant challenge of gaining immediate and accurate context on IP addresses that pop up during an investigation, to minimize risk and prevent loss. | Hacking blog | Silent Push |
| 6.9.25 | Unmasking SocGholish: Silent Push Untangles the Malware Web Behind the “Pioneer of Fake Updates” and Its Operator, TA569 | SocGholish, operated by TA569, actually functions as a Malware-as-a-Service (MaaS) vendor, selling access to compromised systems to various financially motivated cybercriminal clients. | Malware blog | Silent Push |
| 6.9.25 | IP Tagging in Silent Push: VPN, Proxy and Sinkhole Detection | Silent Push has uncovered a massive Internet Protocol Television (IPTV)-based piracy network that has been active for several years and is currently hosted across more than 1,000 domains and over 10,000 IP addresses. | Malware blog | Silent Push |
| 6.9.25 | Hexstrike-AI: When LLMs Meet Zero-Day Exploitation | Key Findings: Newly released framework called Hexstrike-AI provides threat actors with an orchestration “brain” that ... | AI blog | Checkpoint |
| 6.9.25 | The Week in Vulnerabilities: Apple, Citrix Flaws Draw Threat Actor Interest | Several vulnerabilities this week were the focus of intense online discussion and face active exploitation. | Vulnerebility blog | Cyble |
| 6.9.25 | How Chinese State-Sponsored APT Actors Exploit Routers for Stealthy Cyber Espionage | Chinese state-sponsored APT groups target global telecom, government, and military networks, exploiting router vulnerabilities for stealthy, long-term cyber espionage since 2021. | APT blog | Cyble |
| 6.9.25 | Supply Chain Attacks Have Doubled. What’s Driving the Increase? | Threat actors have been able to access the most sensitive data of suppliers and their customers, serving as a wakeup call for third-party risks. | Hacking blog | Cyble |
| 6.9.25 | Google Salesforce Breach: A Deep dive into the chain and extent of the compromise | Executive Summary In early June 2025, Google’s corporate Salesforce instance (used to store contact data for small‑ and medium‑sized business clients) was compromised through a sophisticated vishing‑extortion campaign orchestrated by the threat‑group tracked as UNC6040 & UNC6240 (online cybercrime collective known | Vulnerebility blog | Seqrite |
| 6.9.25 | PromptLock: The First AI-Powered Ransomware & How It Works | Introduction AI-powered malware has become quite a trend now. We have always been discussing how threat actors could perform attacks by leveraging AI models, and here we have a PoC demonstrating exactly that. Although it has not yet been | AI blog | Seqrite |
| 6.9.25 | TYPHOON IN THE FIFTH DOMAIN: CHINA’S EVOLVING CYBER STRATEGY | EXECUTIVE SUMMARY China’s cyber operations have evolved from economic espionage to strategic, politically driven campaigns that pose significant threats to Western critical | APT blog | Cyfirma |
| 6.9.25 | Unmasked: Salat Stealer – A Deep Dive into Its Advanced Persistence Mechanisms and C2 Infrastructure | EXECUTIVE SUMMARY CYFIRMA has identified Salat Stealer (also known as WEB_RAT), a sophisticated Go-based infostealer targeting Windows systems. The malware exfiltrates browser credentials, cryptocurrency wallet data, and session | Malware blog | Cyfirma |
| 6.9.25 | EOL Devices: Exploits Will Continue Until Security Improves | Something that has caught my attention lately, both in the news and from recent leaks of threat actor groups, is that attackers continue to use what works. The technique could be something elaborate or straightforward. | Exploit blog | Eclypsium |
| 6.9.25 | Not Safe for Work: Tracking and Investigating Stealerium and Phantom Infostealers | Proofpoint researchers observed an increase in opportunistic cybercriminals using malware based on Stealerium, an open-source malware that is available “for educational purposes.” | Malware blog | PROOFPOINT |
| 6.9.25 | Three Critical Facts About Cyber Risk Management | For CISOs responsible for cyber risk management, these three insights will help build a strong and reliable foundation for your proactive security strategy. | Cyber blog | Trend Micro |
| 6.9.25 | An MDR Analysis of the AMOS Stealer Campaign Targeting macOS via ‘Cracked’ Apps | Trend™ Research analyzed a campaign distributing Atomic macOS Stealer (AMOS), a malware family targeting macOS users. Attackers disguise the malware as “cracked” versions of legitimate apps, luring users into installation. | Malware blog | Trend Micro |
| 6.9.25 | LummaC Attacks Directly and Indirectly | This week, the SonicWall Capture Labs threat research team analyzed a sample of LummaC, a prolific infostealer. The multi-stage infection uses a combination of techniques to avoid detection, create persistence, and exfiltrate data using encryption and network methods. It is also built to resist analysis, with layers of obfuscation and code traps designed to break tools. | Malware blog | SonicWall |
| 6.9.25 | Apache NiFi Code Injection (CVE-2023-34468) | The SonicWall Capture Labs threat research team became aware of the threat CVE-2023-34468, assessed its impact and developed mitigation measures for this vulnerability. | Vulnerebility blog | SonicWall |
| 6.9.25 | Threat Brief: Salesloft Drift Integration Used To Compromise Salesforce Instances | Unit 42 has observed activity consistent with a specific threat actor campaign leveraging the Salesloft Drift integration to compromise customer Salesforce instances. This brief provides information about our observations and guidance for potentially affected organizations. | Cyber blog | Palo Alto |
| 6.9.25 | Model Namespace Reuse: An AI Supply-Chain Attack Exploiting Model Name Trust | Our research uncovered a fundamental flaw in the AI supply chain that allows attackers to gain Remote Code Execution (RCE) and additional capabilities on major platforms like Microsoft’s Azure AI Foundry, Google’s Vertex AI and thousands of open-source projects. We refer to this issue as Model Namespace Reuse. | Cyber blog | Palo Alto |
| 6.9.25 | Under lock and key: Safeguarding business data with encryption | As the attack surface expands and the threat landscape grows more complex, it’s time to consider whether your data protection strategy is fit for purpose | | Eset |
| 6.9.25 | GhostRedirector poisons Windows servers: Backdoors with a side of Potatoes | ESET researchers have identified a new threat actor targeting Windows servers with a passive C++ backdoor and a malicious IIS module that manipulates Google search results | Malware blog | Eset |
| 6.9.25 | ToolShell Unleashed: Decoding the SharePoint Attack Chain | A wave of active exploitation is targeting recently disclosed vulnerabilities in Microsoft SharePoint Server (CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771). Collectively referred to as ToolShell, these vulnerabilities impact self-hosted SharePoint Server 2016, 2019, and Subscription Edition, enabling unauthenticated remote code execution and security bypasses. | Vulnerebility blog | Trellix |
| 6.9.25 | XWorm’s Evolving Infection Chain: From Predictable to Deceptive | The Trellix Advanced Research Center has uncovered a new XWorm backdoor campaign using evolved deployment methods. Unlike previous versions, this campaign employs sophisticated, deceptive techniques to bypass detection. Moving beyond simple email attacks, it now uses authentic-looking .exe filenames and blends social engineering with technical attack vectors. | Malware blog | Trellix |