Critical WSUS Zero-Day Exploited, Prosper Breach Hits 17.6M, and Iranian APT Deploys 'Phoenix' Backdoor

The critical WSUS RCE vulnerability, CVE-2025-59287, previously disclosed with a patch in October 2025, is now confirmed to be actively exploited in the wild. Microsoft has released an emergency out-of-band security update to address this. The U.S. CISA has added this flaw to its Known Exploited Vulnerabilities (KEV) catalog, mandating immediate patching for federal agencies. A public Proof-of-Concept (PoC) exploit is also reportedly available, significantly increasing the threat level. This active exploitation elevates the urgency for all organizations to apply the latest patches to their WSUS servers to prevent widespread network compromise.

New details confirm the Prosper data breach exposed additional sensitive PII, including government-issued IDs, dates of birth, employment status, and credit standing, beyond previously reported SSNs and addresses. The attack involved unauthorized parties gaining direct access to company databases and executing queries to exfiltrate data, suggesting methods like compromised credentials or SQL injection. This expanded scope of compromised data significantly heightens the risk of identity theft, financial fraud, and targeted phishing for the 17.6 million affected individuals. The incident was detected on September 2, 2025. Organizations are urged to implement robust Database Activity Monitoring and strong access controls.

New intelligence indicates the Iranian APT campaign, leveraging the Phoenix backdoor against over 100 government institutions, has expanded its targeting from primarily MENA to a worldwide scope. Initial access methods now include credential spraying (T1110.003) in addition to spear-phishing (T1566). The Phoenix backdoor is further described as a custom, multi-stage malware, employing dropper and loader stages to deploy its core payload for reconnaissance, privilege escalation, and persistence, highlighting an evolving and more versatile attack chain.

New intelligence reveals the 'Jingle Thief' group's advanced tactics. Beyond credential stuffing, they now gain initial access via phishing/smishing, then infiltrate corporate Microsoft 365 environments. Attackers move laterally within M365, abusing SharePoint and OneDrive to locate gift card issuance systems. A critical new development is their method of persistence: registering rogue multi-factor authentication applications in M365, allowing them to maintain access even after password changes. This enables them to issue fraudulent gift cards, indicating a more sophisticated and impactful operation than previously understood.