Daily Digest

Microsoft Patches 3 Zero-Days Under Active Attack; Cl0p, Qilin, and Flax Typhoon Launch Major Campaigns

Microsoft Patches 3 Zero-Days Under Active Attack; Cl0p, Qilin, and Flax Typhoon Launch Major Campaigns

October 6, 2025
10 articles (10 new)
30 min read

Summary

In the period of October 5-6, 2025, the cybersecurity landscape was dominated by Microsoft's massive October Patch Tuesday, which addressed 175 vulnerabilities including three actively exploited zero-days. Concurrently, major threat actors launched significant campaigns: the Cl0p ransomware group exploited a zero-day in Oracle E-Business Suite for mass extortion, the Qilin gang crippled Asahi Breweries demanding a $10M ransom, and the Chinese APT Flax Typhoon was found using a novel ArcGIS server backdoor for long-term espionage. Other key events include a major escalation in the SonicWall data breach, a novel phishing technique abusing the NPM registry, and new warnings from CISA regarding widespread ICS vulnerabilities.

Filter by Category

New Articles (10)

Microsoft Patches 3 Zero-Days Under Active Attack in Massive October Update

CRITICAL

Microsoft's October 2025 Patch Tuesday Addresses 175 Vulnerabilities, Including Three Actively Exploited Zero-Days

Microsoft has released its October 2025 Patch Tuesday update, a colossal release addressing 175 security flaws across its product suite. The update is highlighted by emergency patches for three zero-day vulnerabilities confirmed to be actively exploited in the wild. These critical flaws, now added to CISA's KEV catalog, include two privilege escalation bugs in Windows components (CVE-2025-59230 and CVE-2025-24990) and a Secure Boot bypass (CVE-2025-47827). The update also fixes a critical 9.8 CVSS RCE vulnerability in WSUS (CVE-2025-59287), posing a significant supply-chain risk. Administrators are urged to apply these updates immediately to mitigate active threats.

October 6, 2025
5 min read
Patch TuesdayZero-DayPrivilege EscalationRCESecure Boot +2 more
Microsoft Patches 3 Zero-Days Under Active Attack in Massive October Update

Chinese APT Flax Typhoon Weaponizes ArcGIS Server as Persistent Backdoor in Year-Long Spy Campaign

HIGH

Flax Typhoon APT Exploited Esri ArcGIS Server for Over a Year as a Backdoor into Government Networks

The China-linked threat group Flax Typhoon (also known as Ethereal Panda) conducted a sophisticated, year-long espionage campaign against a government agency by compromising an Esri ArcGIS server. According to researchers at ReliaQuest, the attackers modified a legitimate Java server object extension (SOE) to create a persistent web shell. This backdoor, combined with extensive use of living-off-the-land techniques like PowerShell and a renamed SoftEther VPN client, allowed the APT group to maintain long-term access, move laterally, and harvest credentials while evading detection by hiding within legitimate server traffic.

October 6, 2025
5 min read
APTFlax TyphoonWeb ShellLiving-off-the-landEspionage +2 more
Chinese APT Flax Typhoon Weaponizes ArcGIS Server as Persistent Backdoor in Year-Long Spy Campaign

Qilin Ransomware Cripples Asahi Breweries, Demands $10 Million Ransom

HIGH

Qilin Ransomware Group Claims Attack on Asahi, Halting Production and Demanding $10M Ransom

The Qilin ransomware group has claimed responsibility for a devastating cyberattack against Asahi Group Holdings, one of Japan's largest beverage companies. The attack, which occurred in late September, forced the company to halt production at 30 factories and suspend shipments, leading to significant operational and financial disruption. The threat actors are now reportedly demanding a $10 million ransom to prevent the public release of exfiltrated company data, employing a classic double extortion tactic. The incident highlights the increasing trend of ransomware gangs targeting the manufacturing sector to maximize impact and pressure victims into paying large ransoms.

October 6, 2025
5 min read
RansomwareQilinDouble ExtortionManufacturingJapan
Qilin Ransomware Cripples Asahi Breweries, Demands $10 Million Ransom

CISA Warns of Widespread Flaws in Industrial Control Systems from Major Vendors

HIGH

CISA Issues Multiple Advisories for Vulnerabilities in Rockwell, Hitachi, and Mitsubishi ICS Products

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released a series of advisories warning of numerous vulnerabilities in Industrial Control Systems (ICS) from prominent vendors, including Rockwell Automation, Hitachi Energy, Mitsubishi Electric, and Delta Electronics. These flaws affect products widely deployed in the energy sector and other critical infrastructure domains. CISA is urging administrators to review the advisories and apply patches and mitigations immediately to prevent potential exploitation that could lead to operational disruptions or cyberattacks against critical national infrastructure.

October 6, 2025
4 min read
ICSOT SecurityCISAVulnerabilityCritical Infrastructure +2 more
CISA Warns of Widespread Flaws in Industrial Control Systems from Major Vendors

Phishing Campaign Abuses NPM and UNPKG CDN to Steal Credentials

MEDIUM

Novel "Beamglea" Phishing Campaign Weaponizes NPM Registry and UNPKG CDN to Deliver Malware

A sophisticated phishing campaign, dubbed "Beamglea," is abusing the public NPM registry and the trusted unpkg.com CDN to host and deliver credential-stealing malware. Researchers at Socket discovered over 175 malicious, disposable NPM packages created solely to serve a malicious JavaScript file. Attackers send HTML lures to victims that load the script from the reputable unpkg.com domain, bypassing traditional domain-based security filters. This technique, which has targeted over 135 organizations in Europe, represents a dangerous evolution in supply chain abuse, turning developer infrastructure into a tool for direct phishing attacks.

October 6, 2025
4 min read
PhishingSupply Chain AttackNPMCDN AbuseCredential Theft
Phishing Campaign Abuses NPM and UNPKG CDN to Steal Credentials

UK's NCSC Warns of 'Alarming' Rise in Cyberattacks, Doubling in Past Year

INFORMATIONAL

UK's National Cyber Security Centre Reports "Nationally Significant" Cyberattacks More Than Doubled

The UK's National Cyber Security Centre (NCSC) revealed in its 2025 annual review that it managed 204 "nationally significant" cyberattacks over the past year, more than double the 89 incidents from the previous year. The agency attributed the alarming surge to increasing threats from state-sponsored actors, particularly Russia and China, as well as the proliferation of sophisticated ransomware gangs. The NCSC has urged UK businesses to treat cybersecurity as a matter of survival and to elevate cyber resilience to a board-level responsibility to combat the growing threat.

October 6, 2025
4 min read
NCSCUKThreat ReportState-Sponsored HackingRansomware +1 more
UK's NCSC Warns of 'Alarming' Rise in Cyberattacks, Doubling in Past Year

G7 Cyber Experts Issue Statement on Managing AI Risks in Financial Sector

INFORMATIONAL

G7 Cyber Expert Group Publishes Statement on Managing Artificial Intelligence Risks in the Financial Sector

The G7 Cyber Expert Group (CEG) has issued a formal statement on the cybersecurity implications of Artificial Intelligence (AI) within the financial sector. Released on October 6, 2025, the document highlights the dual nature of AI, acknowledging its potential to bolster cyber defenses while also warning that it can amplify existing threats and introduce new vulnerabilities. The G7 CEG urges financial institutions and regulators to proactively develop robust governance and risk management frameworks to ensure the secure and resilient adoption of AI, promoting collaboration to establish global best practices.

October 6, 2025
4 min read
AIArtificial IntelligenceG7FinanceCyber Risk +1 more
G7 Cyber Experts Issue Statement on Managing AI Risks in Financial Sector

Cl0p Ransomware Exploits Oracle E-Business Suite Zero-Day in Mass Attack

CRITICAL

Cl0p Ransomware Gang Exploits Unauthenticated RCE Zero-Day (CVE-2025-61882) in Oracle E-Business Suite

The notorious Cl0p ransomware gang is conducting a widespread extortion campaign by exploiting a critical, unauthenticated remote code execution (RCE) zero-day vulnerability (CVE-2025-61882) in Oracle E-Business Suite. The campaign, active since at least August, involves Cl0p breaching vulnerable systems to steal data and then sending extortion emails to thousands of accounts. Oracle has released an emergency patch for the flaw, which affects versions 12.2.3 through 12.2.14, and is urging customers to update immediately. This attack follows Cl0p's established pattern of leveraging high-impact zero-days in enterprise software for mass compromise.

October 6, 2025
5 min read
Cl0pRansomwareZero-DayOracleData Breach +1 more
Cl0p Ransomware Exploits Oracle E-Business Suite Zero-Day in Mass Attack

SonicWall Breach Escalates: 100% of Cloud Backups Confirmed Stolen

HIGH

SonicWall Confirms 100% of Cloud Backup Customers Had Firewall Configurations Stolen

Firewall vendor SonicWall has dramatically escalated the severity of a recent data breach, confirming that an investigation found that 100% of customers using its cloud backup service had their firewall configuration files stolen. This admission, made on October 6, 2025, after an investigation with Mandiant, starkly contrasts with the company's initial September statement that only 5% of its user base was affected. The stolen files, accessed via the MySonicWall portal, contain sensitive network architecture details and encrypted credentials, posing a significant reconnaissance risk for future attacks against all affected customers.

October 6, 2025
5 min read
Data BreachSonicWallSupply Chain AttackCloud SecurityFirewall
SonicWall Breach Escalates: 100% of Cloud Backups Confirmed Stolen

"Maverick": New Banking Trojan Spreads via WhatsApp in Brazil

HIGH

New "Maverick" Banking Trojan Spreads via WhatsApp in Massive Campaign Targeting Brazilian Users

A new and sophisticated fileless banking Trojan named "Maverick" is spreading rapidly in Brazil through a large-scale WhatsApp campaign. According to Kaspersky researchers, the malware is delivered via ZIP archives containing malicious LNK files, a method that bypasses the platform's file-blocking. Maverick operates entirely in memory to evade detection, using PowerShell and encrypted shellcode to steal credentials for 26 Brazilian banks and multiple cryptocurrency exchanges. The Trojan also features a worm-like self-propagation mechanism, hijacking the victim's WhatsApp Web session to automatically send the malicious payload to all their contacts.

October 6, 2025
5 min read
MalwareBanking TrojanMaverickWhatsAppFileless +2 more
"Maverick": New Banking Trojan Spreads via WhatsApp in Brazil

📢 Share This Publication

Help others stay informed about cybersecurity threats

📅 Daily Edition

Curated and deduplicated every day from dozens of trusted sources — giving you one clean, consolidated view of what matters in cybersecurity.

🔢 Deduplication Applied

Related stories are merged into a single evolving article rather than repeated as separate entries — cutting through noise so you only read what's new.

🔗 Full Articles Linked

Every entry links to its full enriched article — complete with MITRE ATT&CK mappings, extracted IOCs, and actionable detection and mitigation guidance.