Daily Digest

Critical WSUS Zero-Day Exploited, Prosper Breach Hits 17.6M, and Iranian APT Deploys 'Phoenix' Backdoor

Critical WSUS Zero-Day Exploited, Prosper Breach Hits 17.6M, and Iranian APT Deploys 'Phoenix' Backdoor

October 24, 2025
10 articles (6 new, 4 updated)
30 min read

Summary

This reporting period, October 23-24, 2025, has been marked by significant and active threats. A critical, actively exploited zero-day vulnerability (CVE-2025-59287) in Microsoft's WSUS has prompted an emergency patch and a CISA KEV alert, posing a severe risk to enterprise networks. In the financial sector, a massive data breach at Prosper Marketplace has exposed the highly sensitive personal and financial data of 17.6 million users. Concurrently, nation-state activity surged with an Iranian-linked APT group targeting over 100 government institutions globally using a new 'Phoenix' backdoor. Other major incidents include Google patching its sixth actively exploited Chrome zero-day of the year and multiple high-impact ransomware attacks affecting manufacturing, education, and critical infrastructure sectors.

Filter by Category

New Articles (6)

Google Patches 6th Actively Exploited Chrome Zero-Day of 2025

CRITICAL

Google Patches Actively Exploited Chrome V8 Zero-Day (CVE-2025-10585)

Google has issued an emergency security update for its Chrome web browser to address CVE-2025-10585, a high-severity type confusion vulnerability in the V8 JavaScript engine. This marks the sixth time in 2025 that Google has patched a Chrome zero-day vulnerability that was being actively exploited in the wild. The flaw could allow an attacker to achieve arbitrary code execution on a victim's machine by tricking them into visiting a malicious website. All users of Chrome and other Chromium-based browsers are urged to update immediately.

October 24, 2025
5 min read
ChromeZero-DayV8 EngineRCEBrowser Security +1 more
Google Patches 6th Actively Exploited Chrome Zero-Day of 2025
Vulnerability
Patch Management

Agenda Ransomware Evolves, Hits Critical Infrastructure

HIGH

Agenda (Qilin) Ransomware Abuses Legitimate Tools in Attacks on Critical Infrastructure

The Agenda ransomware group, also known as Qilin, is escalating its attacks by targeting critical infrastructure sectors with evolved tactics. According to research from Trend Micro, the ransomware-as-a-service (RaaS) operation is using a cross-platform approach, abusing legitimate remote management tools and deploying Linux-based ransomware on Windows hosts to evade security. The group also employs Bring Your Own Vulnerable Driver (BYOVD) attacks to neutralize endpoint defenses and steals backup credentials to hinder recovery, primarily targeting high-value organizations in the U.S., Canada, and the U.K.

October 24, 2025
5 min read
Agenda RansomwareQilinRaaSBYOVDCritical Infrastructure
Agenda Ransomware Evolves, Hits Critical Infrastructure
Ransomware
Threat Actor
Industrial Control Systems

Tengu Ransomware Hits Brazilian Education Provider

HIGH

Tengu Ransomware Group Claims Attack on Brazilian Education Provider UniCursos

The Tengu ransomware group has claimed responsibility for a cyberattack against UniCursos, a prominent education provider in Brazil. The attack, which was posted to the group's leak site on October 23, 2025, follows the common double-extortion model, where the attackers threaten to publish sensitive stolen data if their ransom demands are not met. The incident highlights the continued targeting of the education sector by ransomware gangs, who view them as valuable targets due to the sensitive student and staff data they hold.

October 24, 2025
4 min read
Tengu RansomwareBrazilEducation SectorDouble Extortion
Tengu Ransomware Hits Brazilian Education Provider
Ransomware
Data Breach
Cyberattack

Ransomware Hits Jewett-Cameron, Steals Financial Data

HIGH

Jewett-Cameron Manufacturing Disrupted by Ransomware Attack, Financial Data Stolen

Jewett-Cameron, an Oregon-based manufacturing and distribution company, has confirmed in an SEC filing that it suffered a ransomware attack on October 15, 2025. The attack caused significant disruption to its business operations and resulted in the theft of sensitive corporate data. The exfiltrated information reportedly includes IT and financial data being prepared for the company's upcoming Form 10-K filing, as well as screen captures from video meetings. The unidentified attackers have demanded a ransom and threatened to leak the stolen material.

October 24, 2025
4 min read
RansomwareManufacturingSEC FilingData Exfiltration
Ransomware Hits Jewett-Cameron, Steals Financial Data
Ransomware
Data Breach
Cyberattack

Lawsuit Hits SC School District After Ransomware Breach

MEDIUM

Lawsuit Filed Against SC School District Following Ransomware Attack Exposing 31,000+ Records

South Carolina's Lexington-Richland School District 5 (LR5) is facing a class-action lawsuit following a ransomware attack in June 2025 that exposed the personally identifiable information (PII) of over 31,000 students, staff, and alumni. The lawsuit alleges that the school district was negligent in protecting sensitive data and violated state law by failing to provide timely and complete notification of the breach. The compromised data included names, birthdates, Social Security numbers, and financial files, making it one of the most significant breaches for an educational institution in the region.

October 24, 2025
4 min read
Data BreachRansomwareEducation SectorLawsuitPII
Lawsuit Hits SC School District After Ransomware Breach
Data Breach
Ransomware
Regulatory

Lazarus Group's 'Operation DreamJob' Targets EU Drone-Makers

HIGH

North Korean Lazarus Group Targets European Drone Companies in 'Operation DreamJob'

The notorious North Korea-linked APT group, Lazarus, is conducting a cyber-espionage campaign dubbed 'Operation DreamJob' targeting European defense and aerospace companies. The campaign specifically focuses on firms involved in Unmanned Aerial Vehicle (UAV) technology. The attackers use sophisticated social engineering, creating fake recruiter profiles and job offers to lure employees. The ultimate goal is to compromise the target's network to steal sensitive intellectual property related to advanced drone technology.

October 24, 2025
5 min read
Lazarus GroupOperation DreamJobAPTCyber-espionageDefense Industry
Lazarus Group's 'Operation DreamJob' Targets EU Drone-Makers
Threat Actor
Cyberattack
Phishing

Updated Articles (4)

Critical RCE Flaw in WSUS Allows Unauthenticated SYSTEM Takeover

CRITICAL

Critical Unauthenticated RCE Vulnerability (CVE-2025-59287, CVSS 9.8) Disclosed in Microsoft WSUS

Update:

The critical WSUS RCE vulnerability, CVE-2025-59287, previously disclosed with a patch in October 2025, is now confirmed to be actively exploited in the wild. Microsoft has released an emergency out-of-band security update to address this. The U.S. CISA has added this flaw to its Known Exploited Vulnerabilities (KEV) catalog, mandating immediate patching for federal agencies. A public Proof-of-Concept (PoC) exploit is also reportedly available, significantly increasing the threat level. This active exploitation elevates the urgency for all organizations to apply the latest patches to their WSUS servers to prevent widespread network compromise.

October 19, 2025
Updated: October 24, 2025
4 min read
CVE-2025-59287WSUSRCEPatch Tuesdaydeserialization +2 more
Critical RCE Flaw in WSUS Allows Unauthenticated SYSTEM Takeover
Vulnerability
Patch Management
Supply Chain Attack

Massive Prosper Data Breach Exposes Social Security Numbers of 17.6 Million Users

CRITICAL

Prosper Lending Platform Confirms Major Data Breach Affecting 17.6 Million Individuals

Update:

New details confirm the Prosper data breach exposed additional sensitive PII, including government-issued IDs, dates of birth, employment status, and credit standing, beyond previously reported SSNs and addresses. The attack involved unauthorized parties gaining direct access to company databases and executing queries to exfiltrate data, suggesting methods like compromised credentials or SQL injection. This expanded scope of compromised data significantly heightens the risk of identity theft, financial fraud, and targeted phishing for the 17.6 million affected individuals. The incident was detected on September 2, 2025. Organizations are urged to implement robust Database Activity Monitoring and strong access controls.

October 20, 2025
Updated: October 24, 2025
7 min read
Data BreachPIIIdentity TheftFintechSocial Security Number +1 more
Massive Prosper Data Breach Exposes Social Security Numbers of 17.6 Million Users
Data Breach
Phishing
Cloud Security

Iran's MuddyWater APT Targets 100+ Governments with Phoenix Backdoor

HIGH

MuddyWater Cyber-Espionage Campaign Uses Compromised Mailbox and Macros to Deploy Phoenix v4 Backdoor

Update:

New intelligence indicates the Iranian APT campaign, leveraging the Phoenix backdoor against over 100 government institutions, has expanded its targeting from primarily MENA to a worldwide scope. Initial access methods now include credential spraying (T1110.003) in addition to spear-phishing (T1566). The Phoenix backdoor is further described as a custom, multi-stage malware, employing dropper and loader stages to deploy its core payload for reconnaissance, privilege escalation, and persistence, highlighting an evolving and more versatile attack chain.

October 22, 2025
Updated: October 24, 2025
6 min read
MuddyWaterAPTIranPhoenixcyber-espionage +3 more
Iran's MuddyWater APT Targets 100+ Governments with Phoenix Backdoor
Threat Actor
Cyberattack
Phishing

Unit 42 Exposes 'Smishing Deluge' from China and 'Jingle Thief' Gift Card Fraud

MEDIUM

Palo Alto Networks' Unit 42 Details Global Smishing Campaign and Cloud-Based Gift Card Fraud

Update:

New intelligence reveals the 'Jingle Thief' group's advanced tactics. Beyond credential stuffing, they now gain initial access via phishing/smishing, then infiltrate corporate Microsoft 365 environments. Attackers move laterally within M365, abusing SharePoint and OneDrive to locate gift card issuance systems. A critical new development is their method of persistence: registering rogue multi-factor authentication applications in M365, allowing them to maintain access even after password changes. This enables them to issue fraudulent gift cards, indicating a more sophisticated and impactful operation than previously understood.

October 23, 2025
Updated: October 24, 2025
5 min read
SmishingPhishingFraudGift CardUnit 42 +2 more
Unit 42 Exposes 'Smishing Deluge' from China and 'Jingle Thief' Gift Card Fraud
Phishing
Threat Intelligence
Cloud Security

📢 Share This Publication

Help others stay informed about cybersecurity threats