China-Linked Actors Exploit Windows &amp; VMware Zero-Days; Ransomware Gangs Hit Major Corporations

UNC6384 (Mustang Panda) Leverages Unpatched Windows Vulnerability CVE-2025-9491 to Deploy PlugX RAT Against European Targets

A China-linked cyber-espionage group, UNC6384, associated with Mustang Panda, is actively exploiting an unpatched Windows UI misrepresentation vulnerability, CVE-2025-9491, to conduct espionage against European diplomatic entities. The campaign, active since September 2025, uses sophisticated phishing emails containing malicious LNK files themed around EU and NATO events. These files trigger a multi-stage attack that deploys the PlugX RAT via DLL side-loading. Despite being reported in 2024 and publicly disclosed in March 2025, Microsoft has decided not to issue a security patch, stating the flaw does not meet its bar for servicing.

UNC6384Mustang PandaPlugXCVE-2025-9491ZeroDay +4 more

5 min read

China-Backed Group Exploits Unpatched Windows Flaw to Spy on EU Diplomats

Akira Ransomware Claims Breach of Apache OpenOffice, Threatens Data Leak

Akira Ransomware Gang Alleges Theft of 23GB of Sensitive Corporate Data from Apache OpenOffice

The prolific Akira ransomware group has listed Apache OpenOffice, a popular open-source office suite, as a victim on its dark web data leak site. The threat actors claim to have exfiltrated 23 gigabytes of data from the Apache Software Foundation, including financial records, internal documents, and employee personally identifiable information (PII). As of November 1, 2025, the alleged breach has not been confirmed by the Apache Software Foundation, leaving the scope and authenticity of the claim unverified.

AkiraRansomwareData BreachApache OpenOfficeApache Software Foundation +1 more

Akira Ransomware Claims Breach of Apache OpenOffice, Threatens Data Leak

Ukrainian Conti Ransomware Affiliate Extradited to US

MEDIUM

Alleged Conti Ransomware Member Oleksii Lytvynenko Extradited from Ireland to US to Face Cybercrime Charges

Oleksii Lytvynenko, a 43-year-old Ukrainian national, has been extradited from Ireland to the United States for his alleged role in the notorious Conti ransomware syndicate. He pleaded not guilty in a Tennessee federal court to charges of conspiracy to commit computer fraud and extortion. Lytvynenko is accused of participating in attacks by the Conti group, which extorted over $150 million from more than 1,000 victims worldwide. If convicted, he faces a potential prison sentence of up to 25 years.

ContiRansomwareCybercrimeExtraditionDOJ +1 more

Ukrainian Conti Ransomware Affiliate Extradited to US

New 'KYBER' Ransomware Emerges with Advanced Encryption and Data-Driven Extortion Model

Researchers Discover 'KYBER' Ransomware Utilizing Kyber1024 Algorithm and Threatening Data Leaks

Cybersecurity researchers at CYFIRMA have identified a new ransomware strain named KYBER, which employs a sophisticated hybrid encryption scheme including the post-quantum Kyber1024 algorithm. The ransomware, discovered on underground forums, follows a double-extortion model, threatening to leak stolen data if victims do not establish contact within two weeks. KYBER targets Windows systems in English-speaking countries, with a focus on high-value sectors like Aerospace & Defense and technology. Researchers warn it may evolve into a full-fledged Ransomware-as-a-Service (RaaS) operation.

KYBERRansomwareMalwarePost-Quantum CryptographyData Extortion +1 more

New 'KYBER' Ransomware Emerges with Advanced Encryption and Data-Driven Extortion Model

Australia Warns of 'BADCANDY' Malware Targeting Unpatched Cisco Devices

CRITICAL

Australian Signals Directorate Issues Alert on BADCANDY Implant Targeting Cisco IOS XE Vulnerability CVE-2023-20198

The Australian Signals Directorate (ASD) has issued an urgent warning about an ongoing cyberattack campaign deploying a new malware implant called 'BADCANDY' on unpatched Cisco IOS XE devices. The attackers are exploiting the critical remote code execution vulnerability CVE-2023-20198 (CVSS 10.0) to gain full control of routers and switches. The ASD reports a recent spike in activity, with 150 Australian devices infected in October 2025 alone. The malware, a non-persistent web shell, is being actively redeployed by attackers even after removal.

BADCANDYCiscoIOS XECVE-2023-20198Web Shell +2 more

Australia Warns of 'BADCANDY' Malware Targeting Unpatched Cisco Devices

Updated Articles (2)

New "Airstalk" Malware Abuses VMware API in Nation-State Supply Chain Attack

Updated: November 1, 2025

Suspected Nation-State Actor Deploys "Airstalk" Malware in Supply Chain Attack, Abusing VMware Workspace ONE API

Update:

Further analysis of the Airstalk malware reveals it specifically targets the Business Process Outsourcing (BPO) sector, posing a severe supply chain risk. The malware, found in both PowerShell and .NET variants, is designed to steal sensitive browser data, including cookies, history, and bookmarks, and capture screenshots. This capability allows attackers to potentially bypass multi-factor authentication and gain access to client environments. Additionally, a stolen digital certificate from 'Aoteng Industrial Automation (Langfang) Co., Ltd.' was used to sign some samples, enhancing its evasion capabilities. These new findings indicate a more targeted and impactful espionage campaign.

October 29, 2025

5 min read

AirstalkSupply Chain AttackNation-StateVMwareWorkspace ONE +2 more

New "Airstalk" Malware Abuses VMware API in Nation-State Supply Chain Attack

Data Breaches Hit Toys 'R' Us Canada, Askul, and Verisure

Updated: November 1, 2025

Multiple Retail and Service Companies Disclose Data Breaches, Exposing Customer PII

Update:

Japanese retailer Askul has confirmed a major data breach, with the Russian-linked group RansomHouse claiming responsibility for stealing 1.1 terabytes of customer data, including names, emails, and purchase histories. This confirms the suspected data exfiltration mentioned previously. RansomHouse, known for data extortion rather than encryption, leaked samples on October 30. Askul is investigating and warning customers of potential fraud, escalating the incident's confirmed impact and attribution.

October 27, 2025