China-Linked Actors Exploit Windows & VMware Zero-Days; Ransomware Gangs Hit Major Corporations
Summary
This cybersecurity brief for November 1, 2025, covers a surge in state-sponsored cyber-espionage and critical zero-day exploitation. Chinese-linked threat actors are actively leveraging an unpatched Windows vulnerability (CVE-2025-9491) to spy on European diplomats and a now-patched VMware flaw (CVE-2025-41244) for privilege escalation. Concurrently, ransomware remains a dominant threat, with the Akira group claiming a breach at Apache OpenOffice, RansomHouse hitting Japanese retailer Askul, and a massive data breach at Conduent affecting over 10.5 million individuals. Other significant developments include the discovery of new malware families 'KYBER' and 'Airstalk', a supply chain attack on the npm registry, and an ongoing campaign targeting Cisco devices in Australia.
Today's New Articles
China-Backed Group Exploits Unpatched Windows Flaw to Spy on EU Diplomats
A China-linked cyber-espionage group, UNC6384, associated with Mustang Panda, is actively exploiting an unpatched Windows UI misrepresentation vulnerability, CVE-2025-9491, to conduct espionage against European diplomatic entities. The campaign, active since S...
Akira Ransomware Claims Breach of Apache OpenOffice, Threatens Data Leak
The prolific Akira ransomware group has listed Apache OpenOffice, a popular open-source office suite, as a victim on its dark web data leak site. The threat actors claim to have exfiltrated 23 gigabytes of data from the Apache Software Foundation, including fi...
Ukrainian Conti Ransomware Affiliate Extradited to US
Oleksii Lytvynenko, a 43-year-old Ukrainian national, has been extradited from Ireland to the United States for his alleged role in the notorious Conti ransomware syndicate. He pleaded not guilty in a Tennessee federal court to charges of conspiracy to commit...
New 'KYBER' Ransomware Emerges with Advanced Encryption and Data-Driven Extortion Model
Cybersecurity researchers at CYFIRMA have identified a new ransomware strain named KYBER, which employs a sophisticated hybrid encryption scheme including the post-quantum Kyber1024 algorithm. The ransomware, discovered on underground forums, follows a double-...
Australia Warns of 'BADCANDY' Malware Targeting Unpatched Cisco Devices
The Australian Signals Directorate (ASD) has issued an urgent warning about an ongoing cyberattack campaign deploying a new malware implant called 'BADCANDY' on unpatched Cisco IOS XE devices. The attackers are exploiting the critical remote code execution vul...
Article Updates
Data Breaches Hit Toys 'R' Us Canada, Askul, and Verisure
Update: Japanese retailer Askul has confirmed a major data breach, with the Russian-linked group RansomHouse claiming responsibility for stealing 1.1 terabytes of customer data, including names, emails, and purchase histories. This confirms the suspected data exfiltra...
New "Airstalk" Malware Abuses VMware API in Nation-State Supply Chain Attack
Update: Further analysis of the Airstalk malware reveals it specifically targets the Business Process Outsourcing (BPO) sector, posing a severe supply chain risk. The malware, found in both PowerShell and .NET variants, is designed to steal sensitive browser data, inc...