Cl0p Exploits Oracle Zero-Day in Massive Extortion Spree; SonicWall Breach Hits All Cloud Backup Users

'CamoLeak' Vulnerability in GitHub Copilot Chat Enabled Covert Data Theft via Prompt Injection

A critical vulnerability, dubbed 'CamoLeak,' has been discovered and patched in **[GitHub Copilot Chat](https://github.com/features/copilot)**. The flaw, rated 9.6 CVSS by researcher Omer Mayraz of Legit Security, allowed attackers to silently steal private source code, API keys, and other secrets from developers' repositories. The attack involved a novel prompt injection technique where malicious instructions were hidden in a pull request's markdown. When a developer used Copilot to review the PR, the AI would execute the hidden commands. The stolen data was then exfiltrated character-by-character using a clever trick involving **[GitHub](https://github.com/)**'s own image proxy service, Camo, bypassing standard security controls. GitHub has mitigated the flaw by disabling image rendering in Copilot Chat.

prompt injectionAI securityGitHub Copilotdata exfiltrationsource code leak +1 more

GitHub Patches 'CamoLeak' Flaw in Copilot That Allowed Silent Code and Secret Exfiltration

Vulnerability

Cloud Security

Supply Chain Attack

Crypto Platform Shuffle.com Discloses Major Data Breach via Third-Party CRM Provider

Shuffle.com User Data, Including KYC Documents, Exposed in Breach at CRM Partner Fast Track

Crypto betting platform **[Shuffle.com](https://shuffle.com/)** has confirmed a significant data breach affecting a majority of its users. The incident occurred not on Shuffle's own systems, but at its third-party CRM provider, **Fast Track**. On October 10, Shuffle announced that attackers compromised Fast Track and gained access to a trove of sensitive user data. The exposed information includes full names, emails, phone numbers, home addresses, transaction histories, and, most critically, Know Your Customer (KYC) identity documents like passports and driver's licenses. While user funds and passwords are safe, the breach creates a severe risk of identity theft and targeted phishing for affected customers. Shuffle has revoked the provider's access and is urging users to enable 2FA.

supply chain attackdata breachcryptoKYCPII +1 more

Data Breach

Supply Chain Attack

Phishing

New 'White Lock' Ransomware Emerges, Demanding 4 Bitcoin and Threatening Data Leaks

'White Lock' Ransomware Surfaces with Double Extortion Tactics, Appends '.fbin' Extension to Files

A new ransomware strain named **White Lock** has been identified by cybersecurity researchers. Operating as a double-extortion threat, the malware first exfiltrates sensitive data before encrypting files on the victim's Windows system, appending the `.fbin` extension. A ransom note, `c0ntact.txt`, is dropped in each affected folder, demanding a payment of 4 Bitcoin within a stringent four-day deadline. The operators threaten to notify the victim's customers, sell the stolen data to competitors, and ultimately leak it publicly if the ransom is not paid. Victims are instructed to use the **[Tor](https://www.torproject.org/)** browser to communicate with the attackers, suggesting a focus on high-value enterprise targets.

ransomwaredouble extortiondata exfiltrationWindows malwareTor

Ransomware

Malware

Humiliation for Pro-Russian Hackers 'TwoNet' After Attacking Decoy Water Utility Honeypot

INFORMATIONAL

Hacktivist Group TwoNet Publicly Brags About Hacking Dutch Water Utility, Only to Find It Was a Forescout Honeypot

The pro-Russian hacktivist group **TwoNet** has been publicly embarrassed after cybersecurity firm **[Forescout](https://www.forescout.com/)** revealed the group was duped into attacking a sophisticated decoy system. In September, TwoNet boasted on Telegram about disrupting a Dutch water utility's control systems. However, Forescout's research, published on October 10, confirmed the 'attack' was against one of their industrial control system (ICS) honeypots. The attacker, 'Barlati,' gained access using default credentials (`admin`/`admin`), defaced the HMI, and changed settings, believing it was a real facility. The incident highlights the naivety of some hacktivist groups and provides valuable intelligence on their TTPs against critical infrastructure.

hacktivismhoneypotICSOT securitycritical infrastructure +2 more

Humiliation for Pro-Russian Hackers 'TwoNet' After Attacking Decoy Water Utility Honeypot

Industrial Control Systems

Threat Intelligence

US Cyber Threat Sharing Law 'CISA 2015' Expires, Creating Potential Intelligence Gap

MEDIUM

Cybersecurity Information Sharing Act of 2015 Sunsets, Sparking Industry Fears of Reduced Public-Private Collaboration

The Cybersecurity Information Sharing Act of 2015 (CISA 2015), a foundational U.S. law that provided liability protections to encourage private companies to share cyber threat data with the government, expired on October 1, 2025. Amidst a government shutdown and a block by Senator Rand Paul, lawmakers failed to reauthorize the act. Security and legal experts warn this could have a chilling effect on threat intelligence sharing, with one law firm predicting a potential 80% drop. The lapse creates uncertainty and could hinder national cybersecurity efforts. In response, new legislation, the PACT Act, has been introduced to retroactively restore and extend the protections, but its future is uncertain.

cybersecurity lawinformation sharingthreat intelligenceUS governmentpolicy +1 more

US Cyber Threat Sharing Law 'CISA 2015' Expires, Creating Potential Intelligence Gap

Policy and Compliance

Regulatory

Threat Intelligence

New Chinese APT 'Phantom Taurus' Targets Global Geopolitical Intel with 'NET-STAR' Malware

China-Aligned 'Phantom Taurus' APT Group Linked to Long-Term Espionage Campaigns Against Government and Telecom Sectors

A newly designated, sophisticated threat group aligned with China, named **Phantom Taurus**, has been identified conducting long-term cyber-espionage campaigns. Active for over two years, the group targets government, military, and telecommunications organizations across Africa, the Middle East, and Asia. Its operations focus on strategic intelligence gathering that aligns with China's geopolitical interests. **Phantom Taurus** is distinguished by its stealth and use of a custom malware suite called **NET-STAR**, which targets **[Microsoft Internet Information Services (IIS)](https://www.iis.net/)** servers. While showing some infrastructure overlap with known APTs like **[APT27](https://attack.mitre.org/groups/G0045/)** and **[Mustang Panda](https://attack.mitre.org/groups/G0129/)**, its unique tools and TTPs mark it as a distinct and advanced threat.

APTcyber-espionageChinaIISmalware +1 more

6 min read

New Chinese APT 'Phantom Taurus' Targets Global Geopolitical Intel with 'NET-STAR' Malware

Cyberattack

Threat Intelligence

Killsec Ransomware Claims Attack on Indonesian FinTech WalletKu, Threatens to Leak KYC Data

Killsec Ransomware Group Adds Indonesian Digital Payment App WalletKu to Victim List, Exposing Customer KYC Data

The **Killsec** ransomware group has claimed responsibility for an attack on **WalletKu Indompet Indonesia**, a financial technology firm based in Jakarta. WalletKu provides a digital payment application primarily for micro, small, and medium enterprises. According to a post on an underground forum, Killsec has compromised the company and is threatening to release a significant amount of sensitive customer data. The exposed data reportedly includes Know Your Customer (KYC) information, such as full names, photos, government-issued IDs, and addresses. The attack highlights the growing trend of ransomware groups targeting FinTech companies, where the theft of KYC data poses a severe risk of identity theft and fraud for customers.

ransomwareFinTechKYCdata breachIndonesia +1 more

Ransomware

Data Breach

'Datzbro' Android Trojan Targets Seniors in Global AI-Powered Facebook Scam

Cybercriminals Use AI-Generated Content in Fake Facebook Groups to Lure Seniors into Installing 'Datzbro' Banking Trojan

A global malicious campaign is using AI-generated content to create fake **[Facebook](https://www.facebook.com/)** groups that target seniors. The campaign, detailed in a CYFIRMA report, sets up convincing-looking communities for social events to lure victims into downloading a malicious Android application. This app is a potent banking trojan and spyware known as **Datzbro**. The malware can grant attackers full remote control of the device, enabling them to record audio and video, steal files, and use phishing overlays to capture banking credentials. The campaign has been observed targeting users in Australia, Canada, the UK, and Southeast Asia. The threat is amplified by the fact that the builder for the Datzbro trojan was previously leaked online, allowing any criminal to use it.

Android malwarebanking trojansocial engineeringAIFacebook +2 more

'Datzbro' Android Trojan Targets Seniors in Global AI-Powered Facebook Scam

Malware

Phishing

Mobile Security

Updated Articles (1)

Cl0p Gang Exploits Oracle EBS Zero-Day in Massive Data Theft Spree

CRITICAL

Cl0p Ransomware Linked to Widespread Data Theft via Critical Oracle E-Business Suite Zero-Day (CVE-2025-61882)

Update:

The FBI has issued an emergency warning regarding the Cl0p campaign exploiting CVE-2025-61882 in Oracle EBS, with Harvard University confirmed as a victim. New intelligence from Google and Mandiant reveals the use of a sophisticated, fileless malware suite including GOLDVEIN (validator), SAGEGIFT (keylogger), SAGELEAF (recon), and SAGEWAVE (backdoor/exfil). A related vulnerability, CVE-2025-61884, was also patched. Expanded technical indicators and TTPs provide deeper insight into the attack chain and post-exploitation activities, emphasizing the severe and widespread impact across critical sectors.

October 9, 2025

Updated: October 10, 2025