Daily Digest

Citrix Zero-Day Hits US Gov; APTs & Sophisticated Malware Campaigns Surge Globally

Citrix Zero-Day Hits US Gov; APTs & Sophisticated Malware Campaigns Surge Globally

October 21, 2025
8 articles (8 new)
24 min read

Summary

This intelligence brief for October 21, 2025, covers a series of high-impact cybersecurity events. A critical Citrix zero-day, 'CitrixBleed 2.0', led to a major data breach at the U.S. Department of Homeland Security, exposing employee data. Nation-state activity remains high, with China-linked Salt Typhoon targeting European telecoms and Russia-linked COLDRIVER rapidly deploying new malware after public disclosure. A novel supply chain attack, 'GlassWorm', is targeting VS Code developers using advanced obfuscation and a blockchain-based C2. Meanwhile, new reports highlight a 34% surge in ransomware attacks on critical infrastructure and the growing challenge of AI-powered cyberattacks outpacing organizational defenses.

Filter by Category

New Articles (8)

DHS Breach: 'CitrixBleed 2.0' Zero-Day Exposes FEMA & CBP Employee Data

CRITICAL

U.S. Department of Homeland Security Confirms Data Breach Affecting FEMA and CBP Employees via Citrix 'CitrixBleed 2.0' Zero-Day

A critical zero-day vulnerability in Citrix NetScaler Gateway, dubbed 'CitrixBleed 2.0' (CVE-2025-5777), was exploited to breach the U.S. Department of Homeland Security. The attack, which began in June 2025, compromised the personal and employment data of staff at the Federal Emergency Management Agency (FEMA) and U.S. Customs and Border Protection (CBP). The threat actor gained initial access through FEMA's Region 6 network and moved laterally, leading to significant federal scrutiny and subsequent staff dismissals.

October 21, 2025
5 min read
CitrixBleedZeroDayDataBreachDHSFEMA +2 more
DHS Breach: 'CitrixBleed 2.0' Zero-Day Exposes FEMA & CBP Employee Data
Data Breach
Vulnerability
Cyberattack

Chinese APT Salt Typhoon Targets European Telecom with SNAPPYBEE Backdoor

HIGH

China-Linked Salt Typhoon APT Exploits Citrix Vulnerability to Deploy SNAPPYBEE Backdoor in Attack on European Telecom Firm

The Chinese state-sponsored group Salt Typhoon has been observed targeting a European telecommunications firm by exploiting a known Citrix NetScaler vulnerability for initial access. Post-exploitation, the attackers deployed a backdoor known as SNAPPYBEE (or Deed RAT) using DLL side-loading techniques, hiding the malicious payload alongside legitimate antivirus executables to evade detection. The attack, which was part of a broader cyber-espionage campaign, was detected in its early stages by Darktrace before significant data exfiltration occurred.

October 21, 2025
5 min read
SaltTyphoonAPTChinaSNAPPYBEEDLLSideloading +2 more
Chinese APT Salt Typhoon Targets European Telecom with SNAPPYBEE Backdoor
Threat Actor
Cyberattack
Malware

'GlassWorm' Worm Uses Unicode Obfuscation and Solana C2 in VS Code Supply Chain Attack

CRITICAL

Sophisticated 'GlassWorm' Malware Targets Visual Studio Code Developers via OpenVSX Marketplace in Novel Supply Chain Attack

A highly sophisticated, self-propagating worm named 'GlassWorm' is targeting Visual Studio developers through malicious extensions on the OpenVSX marketplace. The malware employs advanced evasion techniques, including using invisible Unicode characters to obfuscate its code and leveraging the Solana blockchain for a resilient command-and-control (C2) infrastructure. The worm is designed to steal NPM, GitHub, and Git credentials, as well as drain cryptocurrency from 49 different wallet extensions.

October 21, 2025
5 min read
GlassWormSupplyChainAttackMalwareVSCodeSolana +2 more
'GlassWorm' Worm Uses Unicode Obfuscation and Solana C2 in VS Code Supply Chain Attack
Supply Chain Attack
Malware
Threat Intelligence

Russian APT COLDRIVER Rapidly Deploys New NOROBOT Malware After Public Disclosure

HIGH

Russian State-Sponsored Group COLDRIVER (UNC4057) Deploys NOROBOT and MAYBEROBOT Malware Days After LOSTKEYS Tool Was Exposed

The Russian state-sponsored threat group COLDRIVER, also known as Star Blizzard and UNC4057, has demonstrated remarkable operational agility by deploying new malware families just five days after its LOSTKEYS malware was publicly disclosed in May 2025. According to Google's Threat Intelligence Group (GTIG), the group has ceased using LOSTKEYS and is now actively using a new toolset, including the NOROBOT DLL and a PowerShell backdoor called MAYBEROBOT, to target high-value individuals such as NGOs, policy advisors, and dissidents.

October 21, 2025
5 min read
COLDRIVERUNC4057StarBlizzardAPTRussia +3 more
Russian APT COLDRIVER Rapidly Deploys New NOROBOT Malware After Public Disclosure
Threat Actor
Malware
Cyberattack

Ransomware Attacks on Critical Industries Skyrocket by 34%, KELA Reports

HIGH

KELA Report Finds Ransomware Attacks on Critical Infrastructure Surged 34% in 2025, with U.S. as Top Target

A new report from cyber intelligence firm KELA reveals a staggering 34% year-over-year increase in ransomware attacks targeting critical industries between January and September 2025. These vital sectors, including manufacturing, healthcare, and energy, accounted for half of all 4,701 recorded global incidents. The United States was the most heavily targeted nation. The report also highlights the consolidation of the ransomware ecosystem, with just five groups—Qilin, Clop, Akira, Play, and SafePay—responsible for nearly a quarter of all attacks.

October 21, 2025
5 min read
RansomwareKELACriticalInfrastructureQilinClop +2 more
Ransomware Attacks on Critical Industries Skyrocket by 34%, KELA Reports
Ransomware
Threat Intelligence
Cyberattack

UK Regulators Issue Cyber Recovery Guide for Financial Firms

INFORMATIONAL

Bank of England, FCA, and PRA Jointly Publish Guide on Effective Cyber Response and Recovery for UK Financial Sector

The United Kingdom's top financial regulators—the Bank of England (BoE), the Financial Conduct Authority (FCA), and the Prudential Regulation Authority (PRA)—have jointly published a guide on effective cyber response and recovery practices. The guidance, aimed at all financial firms, emphasizes the critical need for the ability to recover from severe attacks by using immutable backups, maintaining segregated recovery environments, and conducting rigorous testing of both internal and third-party resilience.

October 21, 2025
4 min read
UKFinanceRegulatoryComplianceBankOfEngland +3 more
UK Regulators Issue Cyber Recovery Guide for Financial Firms
Policy and Compliance
Regulatory
Incident Response

EU Launches Cybersecurity Reserve to Bolster Incident Response Across Member States

INFORMATIONAL

European Union Establishes European Cybersecurity Reserve with €36M Budget to Aid Member States During Major Cyber Incidents

The European Union has officially established the European Cybersecurity Reserve as a key component of its Cyber Solidarity Act. Managed by the EU Agency for Cybersecurity (ENISA), the reserve has a €36 million budget and consists of 45 pre-vetted, trusted private providers, such as Airbus Protect and Spike Reply. This 'cyber reinforcement team' is designed to be deployed to assist EU member states and institutions during large-scale cyber incidents affecting critical infrastructure.

October 21, 2025
3 min read
EUCybersecurityENISACyberSolidarityActIncidentResponse +1 more
EU Launches Cybersecurity Reserve to Bolster Incident Response Across Member States
Policy and Compliance
Regulatory
Incident Response

'Cavalry Werewolf' APT Targets Russian Critical Infrastructure with Custom Malware

HIGH

APT Group Cavalry Werewolf (YoroTrooper) Targets Russian Public Sector and Critical Industries with Custom Malware and SOCKS5 Proxying

The Advanced Persistent Threat (APT) group known as Cavalry Werewolf (also tracked as YoroTrooper and Silent Lynx) conducted a targeted cyberattack campaign against Russia's public sector and critical industries between May and August 2025. The group leveraged spear-phishing emails to deliver custom malware, including FoalShell and StallionRAT. Post-compromise activities focused on reconnaissance and establishing persistence via Windows Registry modifications, while using SOCKS5 proxies for command-and-control and data exfiltration.

October 21, 2025
5 min read
CavalryWerewolfYoroTrooperAPTRussiaCriticalInfrastructure +2 more
'Cavalry Werewolf' APT Targets Russian Critical Infrastructure with Custom Malware
Threat Actor
Cyberattack
Malware

📢 Share This Publication

Help others stay informed about cybersecurity threats