Citrix Zero-Day Hits US Gov; APTs & Sophisticated Malware Campaigns Surge Globally

Publication Date: October 21, 2025

Summary

This intelligence brief for October 21, 2025, covers a series of high-impact cybersecurity events. A critical Citrix zero-day, 'CitrixBleed 2.0', led to a major data breach at the U.S. Department of Homeland Security, exposing employee data. Nation-state activity remains high, with China-linked Salt Typhoon targeting European telecoms and Russia-linked COLDRIVER rapidly deploying new malware after public disclosure. A novel supply chain attack, 'GlassWorm', is targeting VS Code developers using advanced obfuscation and a blockchain-based C2. Meanwhile, new reports highlight a 34% surge in ransomware attacks on critical infrastructure and the growing challenge of AI-powered cyberattacks outpacing organizational defenses.

Today's New Articles

DHS Breach: 'CitrixBleed 2.0' Zero-Day Exposes FEMA & CBP Employee Data

A critical zero-day vulnerability in Citrix NetScaler Gateway, dubbed 'CitrixBleed 2.0' (CVE-2025-5777), was exploited to breach the U.S. Department of Homeland Security. The attack, which began in June 2025, compromised the personal and employment data of sta...


Chinese APT Salt Typhoon Targets European Telecom with SNAPPYBEE Backdoor

The Chinese state-sponsored group Salt Typhoon has been observed targeting a European telecommunications firm by exploiting a known Citrix NetScaler vulnerability for initial access. Post-exploitation, the attackers deployed a backdoor known as SNAPPYBEE (or D...


'GlassWorm' Worm Uses Unicode Obfuscation and Solana C2 in VS Code Supply Chain Attack

A highly sophisticated, self-propagating worm named 'GlassWorm' is targeting Visual Studio developers through malicious extensions on the OpenVSX marketplace. The malware employs advanced evasion techniques, including using invisible Unicode characters to obfu...


Russian APT COLDRIVER Rapidly Deploys New NOROBOT Malware After Public Disclosure

The Russian state-sponsored threat group COLDRIVER, also known as Star Blizzard and UNC4057, has demonstrated remarkable operational agility by deploying new malware families just five days after its LOSTKEYS malware was publicly disclosed in May 2025. Accordi...


Ransomware Attacks on Critical Industries Skyrocket by 34%, KELA Reports

A new report from cyber intelligence firm KELA reveals a staggering 34% year-over-year increase in ransomware attacks targeting critical industries between January and September 2025. These vital sectors, including manufacturing, healthcare, and energy, accoun...


UK Regulators Issue Cyber Recovery Guide for Financial Firms

The United Kingdom's top financial regulators—the Bank of England (BoE), the Financial Conduct Authority (FCA), and the Prudential Regulation Authority (PRA)—have jointly published a guide on effective cyber response and recovery practices. The guidance, aimed...


EU Launches Cybersecurity Reserve to Bolster Incident Response Across Member States

The European Union has officially established the European Cybersecurity Reserve as a key component of its Cyber Solidarity Act. Managed by the EU Agency for Cybersecurity (ENISA), the reserve has a €36 million budget and consists of 45 pre-vetted, trusted pri...


'Cavalry Werewolf' APT Targets Russian Critical Infrastructure with Custom Malware

The Advanced Persistent Threat (APT) group known as Cavalry Werewolf (also tracked as YoroTrooper and Silent Lynx) conducted a targeted cyberattack campaign against Russia's public sector and critical industries between May and August 2025. The group leveraged...