Daily Digest

China-Linked Actors Exploit Windows & VMware Zero-Days; Ransomware Gangs Hit Major Corporations

China-Linked Actors Exploit Windows & VMware Zero-Days; Ransomware Gangs Hit Major Corporations

November 1, 2025
7 articles (5 new, 2 updated)
21 min read

Summary

This cybersecurity brief for November 1, 2025, covers a surge in state-sponsored cyber-espionage and critical zero-day exploitation. Chinese-linked threat actors are actively leveraging an unpatched Windows vulnerability (CVE-2025-9491) to spy on European diplomats and a now-patched VMware flaw (CVE-2025-41244) for privilege escalation. Concurrently, ransomware remains a dominant threat, with the Akira group claiming a breach at Apache OpenOffice, RansomHouse hitting Japanese retailer Askul, and a massive data breach at Conduent affecting over 10.5 million individuals. Other significant developments include the discovery of new malware families 'KYBER' and 'Airstalk', a supply chain attack on the npm registry, and an ongoing campaign targeting Cisco devices in Australia.

Filter by Category

New Articles (5)

China-Backed Group Exploits Unpatched Windows Flaw to Spy on EU Diplomats

HIGH

UNC6384 (Mustang Panda) Leverages Unpatched Windows Vulnerability CVE-2025-9491 to Deploy PlugX RAT Against European Targets

A China-linked cyber-espionage group, UNC6384, associated with Mustang Panda, is actively exploiting an unpatched Windows UI misrepresentation vulnerability, CVE-2025-9491, to conduct espionage against European diplomatic entities. The campaign, active since September 2025, uses sophisticated phishing emails containing malicious LNK files themed around EU and NATO events. These files trigger a multi-stage attack that deploys the PlugX RAT via DLL side-loading. Despite being reported in 2024 and publicly disclosed in March 2025, Microsoft has decided not to issue a security patch, stating the flaw does not meet its bar for servicing.

November 1, 2025
5 min read
UNC6384Mustang PandaPlugXCVE-2025-9491ZeroDay +4 more
China-Backed Group Exploits Unpatched Windows Flaw to Spy on EU Diplomats
Threat Actor
Cyberattack
Vulnerability

Akira Ransomware Claims Breach of Apache OpenOffice, Threatens Data Leak

HIGH

Akira Ransomware Gang Alleges Theft of 23GB of Sensitive Corporate Data from Apache OpenOffice

The prolific Akira ransomware group has listed Apache OpenOffice, a popular open-source office suite, as a victim on its dark web data leak site. The threat actors claim to have exfiltrated 23 gigabytes of data from the Apache Software Foundation, including financial records, internal documents, and employee personally identifiable information (PII). As of November 1, 2025, the alleged breach has not been confirmed by the Apache Software Foundation, leaving the scope and authenticity of the claim unverified.

November 1, 2025
4 min read
AkiraRansomwareData BreachApache OpenOfficeApache Software Foundation +1 more
Akira Ransomware Claims Breach of Apache OpenOffice, Threatens Data Leak
Ransomware
Data Breach
Threat Actor

Ukrainian Conti Ransomware Affiliate Extradited to US

MEDIUM

Alleged Conti Ransomware Member Oleksii Lytvynenko Extradited from Ireland to US to Face Cybercrime Charges

Oleksii Lytvynenko, a 43-year-old Ukrainian national, has been extradited from Ireland to the United States for his alleged role in the notorious Conti ransomware syndicate. He pleaded not guilty in a Tennessee federal court to charges of conspiracy to commit computer fraud and extortion. Lytvynenko is accused of participating in attacks by the Conti group, which extorted over $150 million from more than 1,000 victims worldwide. If convicted, he faces a potential prison sentence of up to 25 years.

November 1, 2025
4 min read
ContiRansomwareCybercrimeExtraditionDOJ +1 more
Ukrainian Conti Ransomware Affiliate Extradited to US
Threat Actor
Ransomware
Regulatory

New 'KYBER' Ransomware Emerges with Advanced Encryption and Data-Driven Extortion Model

HIGH

Researchers Discover 'KYBER' Ransomware Utilizing Kyber1024 Algorithm and Threatening Data Leaks

Cybersecurity researchers at CYFIRMA have identified a new ransomware strain named KYBER, which employs a sophisticated hybrid encryption scheme including the post-quantum Kyber1024 algorithm. The ransomware, discovered on underground forums, follows a double-extortion model, threatening to leak stolen data if victims do not establish contact within two weeks. KYBER targets Windows systems in English-speaking countries, with a focus on high-value sectors like Aerospace & Defense and technology. Researchers warn it may evolve into a full-fledged Ransomware-as-a-Service (RaaS) operation.

November 1, 2025
4 min read
KYBERRansomwareMalwarePost-Quantum CryptographyData Extortion +1 more
New 'KYBER' Ransomware Emerges with Advanced Encryption and Data-Driven Extortion Model
Ransomware
Malware
Threat Intelligence

Australia Warns of 'BADCANDY' Malware Targeting Unpatched Cisco Devices

CRITICAL

Australian Signals Directorate Issues Alert on BADCANDY Implant Targeting Cisco IOS XE Vulnerability CVE-2023-20198

The Australian Signals Directorate (ASD) has issued an urgent warning about an ongoing cyberattack campaign deploying a new malware implant called 'BADCANDY' on unpatched Cisco IOS XE devices. The attackers are exploiting the critical remote code execution vulnerability CVE-2023-20198 (CVSS 10.0) to gain full control of routers and switches. The ASD reports a recent spike in activity, with 150 Australian devices infected in October 2025 alone. The malware, a non-persistent web shell, is being actively redeployed by attackers even after removal.

November 1, 2025
4 min read
BADCANDYCiscoIOS XECVE-2023-20198Web Shell +2 more
Australia Warns of 'BADCANDY' Malware Targeting Unpatched Cisco Devices
Cyberattack
Vulnerability
Malware

Updated Articles (2)

New "Airstalk" Malware Abuses VMware API in Nation-State Supply Chain Attack

HIGH

Suspected Nation-State Actor Deploys "Airstalk" Malware in Supply Chain Attack, Abusing VMware Workspace ONE API

Update:

Further analysis of the Airstalk malware reveals it specifically targets the Business Process Outsourcing (BPO) sector, posing a severe supply chain risk. The malware, found in both PowerShell and .NET variants, is designed to steal sensitive browser data, including cookies, history, and bookmarks, and capture screenshots. This capability allows attackers to potentially bypass multi-factor authentication and gain access to client environments. Additionally, a stolen digital certificate from 'Aoteng Industrial Automation (Langfang) Co., Ltd.' was used to sign some samples, enhancing its evasion capabilities. These new findings indicate a more targeted and impactful espionage campaign.

October 29, 2025
Updated: November 1, 2025
5 min read
AirstalkSupply Chain AttackNation-StateVMwareWorkspace ONE +2 more
New "Airstalk" Malware Abuses VMware API in Nation-State Supply Chain Attack
Supply Chain Attack
Malware
Threat Actor

Data Breaches Hit Toys 'R' Us Canada, Askul, and Verisure

HIGH

Multiple Retail and Service Companies Disclose Data Breaches, Exposing Customer PII

Update:

Japanese retailer Askul has confirmed a major data breach, with the Russian-linked group RansomHouse claiming responsibility for stealing 1.1 terabytes of customer data, including names, emails, and purchase histories. This confirms the suspected data exfiltration mentioned previously. RansomHouse, known for data extortion rather than encryption, leaked samples on October 30. Askul is investigating and warning customers of potential fraud, escalating the incident's confirmed impact and attribution.

October 27, 2025
Updated: November 1, 2025
4 min read
Data BreachPIIRansomwareRetailVendor Breach +1 more
Data Breaches Hit Toys 'R' Us Canada, Askul, and Verisure
Data Breach
Ransomware

📢 Share This Publication

Help others stay informed about cybersecurity threats