
Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

News Summary

Last updated: 23:30 11/02/2026 UTC
  • **Microsoft September 2025 Patch Tuesday addresses 81 vulnerabilities, including two zero-days** Microsoft's November 2025 Patch Tuesday addressed 63 vulnerabilities, including one actively exploited zero-day vulnerability (CVE-2025-62215), a critical Remote Code Execution flaw (CVE-2025-60724), and several other notable vulnerabilities. The updates also included fixes for multiple elevation of privilege, remote code execution, information disclosure, denial-of-service, and spoofing vulnerabilities. Microsoft has released the first extended security update (ESU) for Windows 10, advising users to upgrade to Windows 11 or enroll in the ESU program. The KB5068781 update, the first Windows 10 extended security update since the operating system reached end of support on October 14, 2025, includes fixes for 63 flaws and one actively exploited elevation-of-privilege vulnerability. The September 2025 Patch Tuesday addressed 80 vulnerabilities, including 13 critical vulnerabilities. The updates fixed a range of issues, including privilege escalation, remote code execution, information disclosure, and denial-of-service vulnerabilities. The patches also covered a critical flaw in Azure Networking and addressed a new lateral movement technique dubbed BitLockMove. Additionally, security updates were released by multiple vendors, including Adobe, Cisco, Google, and others. The September 2025 update included 38 elevation of privilege (EoP) vulnerabilities. The two zero-day vulnerabilities were CVE-2025-55234 in Windows SMB Server and CVE-2024-21907 in Microsoft SQL Server. The SMB vulnerability was exploited through relay attacks, while the SQL Server flaw involved improper handling of exceptional conditions in Newtonsoft.Json. The updates also included hardening features for SMB Server to mitigate relay attacks, with recommendations for administrators to enable auditing to assess compatibility issues.
The KB5065429 cumulative update for Windows 10 22H2 and 21H2 included fourteen fixes or changes, addressing unexpected UAC prompts and severe lag and stuttering issues with NDI streaming software. The update enabled auditing SMB client compatibility for SMB Server signing and SMB Server EPA, and included an opt-in feature for administrators to allow outbound network traffic from Windows 10 devices. In February 2026, Microsoft released updates to fix six actively exploited zero-day vulnerabilities, three of which have been publicly disclosed. These include CVE-2026-21510, CVE-2026-21513, CVE-2026-21514, CVE-2026-21519, CVE-2026-21525, and CVE-2026-21533. None of the actively exploited vulnerabilities are rated critical. In total, 25 CVEs disclosed by Microsoft were EoP, followed by remote code execution (12), spoofing (7), information disclosure (6), and security feature bypass (5). SAP also released 26 new security notes and one update to a previously released note, including critical vulnerabilities CVE-2026-0509 and CVE-2026-0488.
  • **Critical Fortinet Vulnerabilities: FortiCloud SSO Bypass and FortiClientEMS SQLi Patched** Fortinet has released patches for a new critical SQL injection vulnerability (CVE-2026-21643, CVSS 9.1) in FortiClientEMS, which allows unauthenticated attackers to execute arbitrary code via crafted HTTP requests. The flaw affects FortiClientEMS 7.4.4 (fixed in 7.4.5) but does not impact versions 7.2 or 8.0. This follows Fortinet’s recent emergency updates for CVE-2026-24858, a critical FortiCloud SSO authentication bypass flaw (CVSS 9.4) actively exploited to create admin accounts, modify firewall configurations, and exfiltrate data. Over 25,000 Fortinet devices with FortiCloud SSO enabled remain exposed, with CISA mandating patches for federal agencies by January 30, 2026. Fortinet has also confirmed that CVE-2026-24858 was exploited via malicious FortiCloud accounts ('[email protected]', '[email protected]') to breach fully patched devices, prompting global SSO restrictions until fixes were deployed. The vulnerabilities stem from improper input validation (SQLi in FortiClientEMS; authentication bypass in FortiCloud SSO) and have been linked to automated attacks since January 15, 2026. Fortinet advises disabling FortiCloud SSO until patches are applied, restricting management interface access, and treating compromised systems as fully breached—requiring credential rotation and configuration restoration from clean backups. Patches for CVE-2026-24858 are available in FortiOS 7.4.11, FortiManager 7.4.10, and FortiAnalyzer 7.4.10, with additional fixes planned for older versions.
  • **Aisuru botnet conducts record-breaking DDoS attacks, targeting U.S. ISPs and Microsoft Azure** The Aisuru/Kimwolf botnet ecosystem continues to evolve, now disrupting critical anonymity infrastructure alongside its record-breaking DDoS campaigns. In February 2026, Kimwolf operators accidentally crippled the I2P anonymity network by attempting to onboard 700,000 infected devices as nodes, overwhelming the network’s typical 15,000–20,000-device capacity and triggering a Sybil attack that halved I2P’s functionality. This follows the botnet’s 31.4 Tbps DDoS attack (November 2025) and holiday-themed "The Night Before Christmas" campaign (December 19, 2025), which peaked at 24 Tbps, 9 Bpps, and 205 Mrps—part of a 100% YoY increase in DDoS volume (47.1 million attacks mitigated in 2025). With over 6 million infected devices (1–4M IoT for Aisuru; >2M Android TVs/boxes for Kimwolf), the botnets blend hyper-volumetric DDoS with residential proxy monetization, targeting sectors beyond gaming to include telecom, IT, finance, AI, and now anonymity networks. The January 2026 takedown of IPIDEA—a key proxy enabler—reduced millions of exit nodes, but persistent infections and new evasion tactics (e.g., I2P/Tor C2 experimentation, ENS-based domains) highlight the botnets’ adaptive resilience. Despite internal operator conflicts reducing Kimwolf’s scale by 600,000+ devices, the ecosystem remains a systemic risk to global internet stability, enterprise security, and privacy infrastructure.
  • **North Korea-Linked UNC1069 Targets Cryptocurrency Sector with AI-Generated Video and Malware** The Lazarus Group, a North Korea-linked threat actor, has expanded its operations to target European defense companies in 2025, leveraging a coordinated Operation DreamJob campaign. The attack involved fake recruitment lures and the deployment of various malware, including the ScoringMathTea RAT. This campaign follows earlier attacks on a decentralized finance (DeFi) organization in 2024, where the group deployed multiple cross-platform malware variants, including PondRAT, ThemeForestRAT, and RemotePE. In 2026, North Korean hackers have been observed using AI-generated video and the ClickFix technique to deliver malware for macOS and Windows to targets in the cryptocurrency sector. The threat actor's goal is financial, as suggested by the role of the tools used in an attack on a fintech company investigated by Google's Mandiant researchers. The attack had a strong social engineering component, with the victim being contacted over Telegram from a compromised executive account. The hackers used a Calendly link to a spoofed Zoom meeting page and showed a deepfake video of a CEO to facilitate the attack. Mandiant researchers found seven distinct macOS malware families attributed to UNC1069, a threat group they've been tracking since 2018. UNC1069 has been active since at least April 2018 and is also tracked under the monikers CryptoCore and MASAN. The group has used generative AI tools like Gemini to produce lure material and other messaging related to cryptocurrency. They have attempted to misuse Gemini to develop code to steal cryptocurrency and have leveraged deepfake images and video lures mimicking individuals in the cryptocurrency industry.
The group has shifted from spear-phishing techniques and traditional finance (TradFi) targeting towards the Web3 industry since at least 2023, targeting centralized exchanges (CEX), software developers at financial institutions, high-technology companies, and individuals at venture capital funds. In the latest intrusion documented by Google's threat intelligence division, UNC1069 deployed as many as seven unique malware families, including several new malware families such as SILENCELIFT, DEEPBREATH, and CHROMEPUSH. The attack involved a social engineering scheme using a compromised Telegram account, a fake Zoom meeting, a ClickFix infection vector, and reported usage of AI-generated video to deceive the victim. The group used a fake website masquerading as Zoom to deceive victims and reused videos of previous victims to deceive new victims. The attack proceeded with a ClickFix-style troubleshooting command to deliver malware, leading to the deployment of various malicious components designed to gather system information, provide hands-on keyboard access, and steal sensitive data.
  • **Microsoft October 2025 Patch Tuesday fixes 6 zero-days, 183 flaws** Microsoft's October 2025 Patch Tuesday marked the end of free security updates for Windows 10, addressing 183 vulnerabilities, including six zero-days, with the final cumulative update KB5066791. The update also introduced critical fixes for components like Windows SMB Server, Microsoft SQL Server, and Remote Access Connection Manager, alongside third-party vulnerabilities in AMD EPYC processors and IGEL OS. However, a newly disclosed February 2026 Patch Tuesday update fixed CVE-2026-20841, a high-severity remote code execution flaw in Windows 11 Notepad that allowed attackers to execute arbitrary programs via malicious Markdown links without security warnings. The flaw, affecting Notepad versions 11.2510 and earlier, exploited improper command neutralization to launch unverified protocols (e.g., `file://`, `ms-appinstaller://`). Microsoft mitigated the risk by adding execution warnings for non-HTTP(S) URIs, with updates distributed automatically via the Microsoft Store. Prior milestones included out-of-band patches for a critical WSUS vulnerability (CVE-2025-59287) with public exploit code, smart card authentication issues caused by cryptographic service changes, and a RasMan zero-day (DoS vulnerability) affecting all Windows versions. Windows 10 reached end-of-life, with Extended Security Updates (ESU) available for purchase, while Exchange Server 2016/2019 and Skype for Business 2016 also ended support. The October 2025 update remains the largest on record, with 183 CVEs pushing Microsoft’s annual vulnerability count past 1,021.
  • **Conduent Data Breach Affects Millions** Conduent, a business services provider, has confirmed that a data breach in 2024 impacted over 10.5 million individuals. The breach, initially disclosed in January 2025, affected government agencies in multiple US states. The attackers accessed Conduent's network on October 21, 2024, and were evicted on January 13, 2025. The compromised data includes names, addresses, dates of birth, Social Security numbers, health insurance details, and medical information. Conduent serves over 600 government and transportation organizations, and roughly half of Fortune 100 companies. The company has not provided an exact number of affected individuals, but breach notices indicate at least 10.5 million people were impacted, with the largest number in Oregon (10.5 million) and over 4 million in Texas. The SafePay ransomware group claimed responsibility for the attack in February 2025 and claimed to have stolen 8.5TB of data. Conduent provides services to several other states where specific data breach figures aren't published, potentially increasing the actual impact. As of October 24, 2025, there is no evidence that the stolen data has been misused. Additionally, Volvo Group North America disclosed that nearly 17,000 customers and/or staff had their personal details exposed in the Conduent data breach. Conduent is sending notifications to impacted parties, offering free membership to identity monitoring services for at least a year, along with credit and dark web monitoring, and identity restoration. Volvo Group North America has recently suffered a new data breach caused by a third-party supplier, Miljödata, exposing staff data such as full names and Social Security Numbers. The breach at Miljödata in August 2025 exposed the information of 1.5 million people, including Volvo Group employees in Sweden and the U.S. Ingram Micro, a major IT services provider, revealed a ransomware attack in July 2025 that affected over 42,000 individuals.
The SafePay ransomware group was behind this attack, claiming to have stolen 3.5TB of documents. The attack triggered a massive outage and highlighted SafePay's growing activity as a significant ransomware threat.
  • **ZeroDayRAT Malware Targets Android and iOS Devices** A new commercial spyware platform, ZeroDayRAT, is being advertised on Telegram, offering full remote control over compromised Android (versions 5–16) and iOS (up to version 26) devices. The malware provides extensive surveillance capabilities, including real-time tracking, data theft, and financial fraud. It can log app usage, SMS messages, and notifications, activate cameras and microphones, and steal cryptocurrency and banking credentials. ZeroDayRAT is marketed through Telegram channels and infections are initiated by persuading victims to install malicious binaries via smishing, phishing emails, counterfeit app stores, and links shared through WhatsApp or Telegram. The malware includes a dedicated web-based dashboard displaying device details, app usage, SMS messages, and live activity timeline. It also includes a crypto stealer and targets online banking apps, UPI platforms, and payment services like Apple Pay and PayPal. The malware is sold openly on Telegram with access to a panel featuring sales, customer support, and platform updates channels. ZeroDayRAT support spans Android 5 through 16 and iOS up to 26, and it provides a complete overview of the phone's makeup, including device model, SIM, location data, carrier info, live activity timeline, and recent SMS messages. The malware includes features such as SMS control, keylogger, microphone feed, screen recorder, bank stealer, and crypto stealer. ZeroDayRAT is priced at $2,000, indicating higher-than-average ambitions and targeting specific individuals or enterprises. The malware represents a convergence of nation-state-level capabilities with criminal economics, widening the target market for surveillance malware.
Last updated: 22:00 11/02/2026 UTC
  • **Zendesk Platform Abused for Email Flood Attacks** Cybercriminals have exploited lax authentication settings in Zendesk to flood targeted email inboxes with spam messages. The attacks use hundreds of Zendesk corporate customers simultaneously, sending notifications from customer domain names. Zendesk acknowledged the issue and is investigating additional preventive measures. The abuse involves sending ticket creation notifications from customer accounts that allow anonymous submissions. This allows attackers to create support tickets with any chosen subject line, including menacing or insulting messages. The notifications appear to come from legitimate customer domains, making them harder to filter out. The spam wave started on January 18th, 2026, with victims reporting receiving hundreds of emails. Companies impacted include Discord, Tinder, Riot Games, Dropbox, CD Projekt (2k.com), Maya Mobile, NordVPN, Tennessee Department of Labor, Tennessee Department of Revenue, Lightspeed, CTL, Kahoot, Headspace, and Lime. Zendesk has introduced new safety features to detect and stop this type of spam in the future. A fresh wave of spam hit inboxes worldwide on February 4th, 2026, with users reporting being bombarded by automated emails generated through companies' unsecured Zendesk support systems. The emails had subject lines such as 'Activate your account' and similar support-style notifications appearing to originate from different companies.
  • **Warlock Ransomware Exploits Vulnerable SharePoint Servers** Warlock ransomware, potentially linked to Black Basta, targets unpatched on-premises Microsoft SharePoint servers. The ransomware leverages multiple vulnerabilities (CVE-2025-49706, CVE-2025-49704, CVE-2025-53770, CVE-2025-53771) to gain initial access, escalate privileges, and deploy ransomware. The campaign includes extensive reconnaissance and evasion techniques, targeting security software to avoid detection. The threat actor Storm-2603, associated with China-backed groups, has been observed using Warlock ransomware in these attacks. The ransomware gang recently auctioned files stolen from Colt Technology Services, confirming customer data was compromised. Organizations are urged to apply available patches and implement comprehensive security measures to mitigate the risk. The ToolShell exploit chain, involving CVE-2025-53770 and CVE-2025-53771, was first publicly disclosed in mid-July 2025. Chinese-based threat groups Linen Typhoon and Violet Typhoon have been actively targeting SharePoint vulnerabilities since July 2025. Active exploitation of ToolShell vulnerabilities was first observed on July 18, 2025, a day before Microsoft's emergency advisory. Cisco Talos reported that nearly all their incident response engagements related to ToolShell activity began within 10 days of the vulnerabilities being disclosed. Network segmentation is crucial to prevent lateral movement within an organization following a ToolShell exploit. Recently, SmarterTools fell victim to a ransomware attack through an unpatched instance of its SmarterMail email server. The incident occurred on January 29 and impacted the company’s office network and a data center hosting quality control testing systems, SmarterTools’ portal, and its Hosted SmarterTrack network. The attack was perpetrated by the Warlock ransomware group, which is believed to be operating out of China.
The hackers likely exploited CVE-2026-24423, an unauthenticated remote code execution (RCE) vulnerability that was patched on January 15. Customers are advised to update to the latest version of SmarterMail as soon as possible.
  • **VoidLink Malware Framework Targets Cloud and Container Environments** VoidLink is a Linux-based command-and-control (C2) framework capable of long-term intrusion across cloud and enterprise environments. The malware generates implant binaries designed for credential theft, data exfiltration, and stealthy persistence on compromised systems. VoidLink combines multi-cloud targeting with container and kernel awareness in a single Linux implant, fingerprinting environments across major cloud providers and adjusting its behavior based on what it finds. The implant harvests credentials from environment variables, configuration files, and metadata APIs, and profiles security controls, kernel versions, and container runtimes before activating additional modules. VoidLink employs a modular plugin-based architecture that loads functionality as needed, including credential harvesting, environment fingerprinting, container escape, Kubernetes privilege escalation, and kernel-level stealth. The malware uses AES-256-GCM over HTTPS for encrypted C2 traffic, designed to resemble normal web activity. VoidLink stands out for its apparent development using a large language model (LLM) coding agent with limited human review, as indicated by unusual development artifacts such as structured "Phase X:" labels, verbose debug logs, and documentation left inside the production binary. The research concludes that VoidLink is not a proof-of-concept but an operational implant with live infrastructure, highlighting how AI-assisted development is lowering the barrier to producing functional, modular, and hard-to-detect malware.
  • **Velociraptor DFIR Tool Abused in LockBit and Babuk Ransomware Campaigns** Threat actors, assessed to be China-based Storm-2603, have started using the Velociraptor digital forensics and incident response (DFIR) tool in ransomware attacks deploying LockBit and Babuk ransomware. The attackers exploited a privilege escalation vulnerability in an outdated version of Velociraptor to gain persistent access and control over virtual machines. The campaign involved creating local admin accounts, disabling security features, and using fileless PowerShell encryptors for data exfiltration and encryption. The ransomware deployed on Windows systems was identified as LockBit, while a Linux binary detected as Babuk ransomware was found on VMware ESXi systems. Storm-2603 initially exploited SharePoint vulnerabilities in July 2025 and deployed Warlock, LockBit, and Babuk ransomware on VMware ESXi servers in August 2025. Sophos CTU researchers first documented Velociraptor abuse by Storm-2603 on August 5, 2025. Storm-2603 used the ToolShell exploit to gain initial access and deployed an outdated version of Velociraptor (version 0.73.4.0) that is susceptible to a privilege escalation vulnerability (CVE-2025-6264) to enable arbitrary command execution and endpoint takeover. The group also used Smbexec to remotely launch programs using the SMB protocol and modified Active Directory (AD) Group Policy Objects (GPOs) to disable real-time protection. Storm-2603 established the infrastructure for the AK47 C2 framework in March 2025 and created the first prototype of the tool the next month. The group pivoted from LockBit-only deployment to dual LockBit/Warlock deployment in April 2025 and used the ToolShell exploit as a zero-day in July 2025. Storm-2603 demonstrated operational flexibility and sophisticated builder expertise using leaked and open-source ransomware frameworks.
In a recent breach, SmarterTools confirmed that the Warlock ransomware gang breached its network on January 29, 2026, via a single SmarterMail virtual machine (VM) set up by an employee. The vulnerability exploited in the attack to gain access is CVE-2026-23760, an authentication bypass flaw in SmarterMail before Build 9518, which allows resetting administrator passwords and obtaining full privileges. The attackers moved laterally from that one vulnerable VM via Active Directory, using Windows-centric tooling and persistence methods. The ransomware operators waited roughly a week after gaining initial access, the final stage being encryption of all reachable machines. SentinelOne security products reportedly stopped the final payload from performing encryption, the impacted systems were isolated, and data was restored from fresh backups. Tools used in the attacks include Velociraptor, SimpleHelp, and vulnerable versions of WinRAR, while startup items and scheduled tasks were also used for persistence. ReliaQuest reported that Storm-2603 chains CVE-2026-23760 access with the software’s built-in 'Volume Mount' feature to gain full system control. ReliaQuest also saw probes for CVE-2026-24423, another SmarterMail flaw flagged by CISA as actively exploited by ransomware actors, although the primary vector was CVE-2026-23760.
  • **Transparent Tribe Targets Indian Government with Dual-Platform Malware Campaign** APT36, also known as Transparent Tribe, is targeting both Windows and BOSS Linux systems in ongoing attacks against Indian government and defense entities. The campaign, active since June 2025, involves phishing emails delivering malicious .desktop files disguised as PDFs. The malware facilitates data exfiltration, persistent espionage access, and includes anti-debugging and anti-sandbox checks. The malware also targets the Kavach 2FA solution used by Indian government agencies. The attack leverages the .desktop file's 'Exec=' field to execute a sequence of shell commands that download and run a Go-based ELF payload. The payload establishes persistence through cron jobs and systemd services, and communicates with a C2 server via a WebSocket channel. The technique allows APT36 to evade detection by abusing a legitimate Linux feature that is not typically monitored for threats. The campaign demonstrates APT36's evolving tactics, becoming more evasive and sophisticated. The campaign uses dedicated staging servers for malware distribution, transitioning from cloud storage platforms. The malware includes multiple persistence methods and supports commands for file browsing, collection, and remote execution. The campaign is part of a broader trend of targeted activity by South and East Asian threat actors, reflecting a trend toward purpose-built malware and infrastructure. Indian government entities have been targeted in two campaigns codenamed Gopher Strike and Sheet Attack. Gopher Strike leveraged phishing emails to deliver PDF documents with a blurred image and a fake Adobe Acrobat Reader DC update dialog. The campaign uses server-side checks to prevent automated URL analysis tools from fetching the ISO file, ensuring delivery only to intended targets in India.
The malicious payload is a Golang-based downloader called GOGITTER, which creates a VBScript file to fetch commands from C2 servers. GOGITTER sets up persistence using a scheduled task to run the VBScript file every 50 minutes. GOGITTER downloads a ZIP file from a private GitHub repository and executes a lightweight Golang-based backdoor called GITSHELLPAD. GITSHELLPAD polls the C2 server every 15 seconds for commands and supports six different commands including cd, run, upload, and download. The results of command execution are stored in a file called "result.txt" and uploaded to the GitHub account. The threat actor also downloads RAR archives containing utilities to gather system information and drop GOSHELL, a bespoke Golang-based loader. GOSHELL's size was artificially inflated to approximately 1 gigabyte to evade detection by antivirus software. GOSHELL only executes on specific hostnames by comparing the victim's hostname against a hard-coded list. APT36 and SideCopy are launching cross-platform RAT campaigns against Indian entities using malware families like Geta RAT, Ares RAT, and DeskRAT. The campaigns use phishing emails with malicious attachments or download links to deliver the malware, which provides persistent remote access, system reconnaissance, data collection, and command execution. Geta RAT supports various commands including system information collection, process enumeration, credential gathering, and file operations. Ares RAT is a Python-based RAT that can run commands issued by the threat actor. DeskRAT is delivered via a rogue PowerPoint Add-In file with embedded macros. The campaigns target Indian defense, government, and strategic sectors, demonstrating a well-resourced, espionage-focused threat actor deliberately targeting these sectors through defense-themed lures, impersonated official documents, and regionally trusted infrastructure.
  • **Pro-Russia Hacktivists Target Critical Infrastructure with Low-Sophistication Attacks** Pro-Russia hacktivist groups are conducting opportunistic, low-sophistication cyberattacks against U.S., UK, and global critical infrastructure. These attacks target a wide range of sectors, including water treatment facilities, food production, energy systems, and local government bodies, using easily repeatable methods. The groups exploit minimally secured, internet-facing virtual network computing (VNC) connections to gain unauthorized access to operational technology (OT) control devices. The joint advisory from CISA, FBI, NSA, and global partners, along with a recent warning from the UK National Cyber Security Centre (NCSC), urges immediate action to mitigate these threats. The advisory highlights the use of basic methods to target supervisory control and data acquisition (SCADA) networks, sometimes combined with DDoS attacks. The cumulative impact of these activities poses a persistent and disruptive threat to essential services. According to a new report, groups such as Cyber Army of Russia Reborn (CARR), Z-Pentest, NoName057(16), and Sector16 are using simple reconnaissance tools and common password-guessing techniques to reach internet-facing human-machine interfaces. These groups have led to physical impacts in some cases, including temporary loss of view and costly manual recovery efforts. The NCSC warns of continued malicious activity from Russian-aligned hacktivist groups targeting critical infrastructure and local government organizations in the UK with disruptive denial-of-service (DDoS) attacks. The NCSC notes that NoName057(16) operates the DDoSia project, a platform that allows volunteers to contribute computing resources to carry out crowdsourced DDoS attacks and receive monetary rewards or recognition from the community.
Operation Eastwood disrupted NoName057(16)'s activity in mid-July 2025 by arresting two members of the group, issuing eight arrest warrants, and taking down 100 servers. Despite these efforts, the group has returned to action, highlighting the evolving threat they pose. Recent developments indicate that attackers are growing more interested in and accustomed to dealing with industrial machines, potentially leading to more sophisticated OT attacks. Ric Derbyshire, principal security engineer at Orange Cyberdefense, will demonstrate 'living-off-the-plant' attacks at the RSA Conference 2026, which require a holistic understanding of the physical process, OT systems, network architecture, security controls, and human interactions.

Latest updates

Microsoft October 2025 Patch Tuesday fixes 6 zero-days, 183 flaws

Updated: 12.02.2026 01:15 · First: 14.10.2025 21:02 · 📰 10 src / 18 articles

Microsoft's October 2025 Patch Tuesday marked the end of free security updates for Windows 10, addressing 183 vulnerabilities, including six zero-days, with the final cumulative update **KB5066791**. The update also introduced critical fixes for components like Windows SMB Server, Microsoft SQL Server, and Remote Access Connection Manager, alongside third-party vulnerabilities in AMD EPYC processors and IGEL OS. However, a newly disclosed **February 2026 Patch Tuesday** update fixed **CVE-2026-20841**, a high-severity remote code execution flaw in **Windows 11 Notepad** that allowed attackers to execute arbitrary programs via malicious Markdown links without security warnings. The flaw, affecting Notepad versions 11.2510 and earlier, exploited improper command neutralization to launch unverified protocols (e.g., `file://`, `ms-appinstaller://`). Microsoft mitigated the risk by adding execution warnings for non-HTTP(S) URIs, with updates distributed automatically via the Microsoft Store. Prior milestones included out-of-band patches for a critical **WSUS vulnerability (CVE-2025-59287)** with public exploit code, smart card authentication issues caused by cryptographic service changes, and a **RasMan zero-day** (DoS vulnerability) affecting all Windows versions. Windows 10 reached end-of-life, with Extended Security Updates (ESU) available for purchase, while Exchange Server 2016/2019 and Skype for Business 2016 also ended support. The October 2025 update remains the largest on record, with 183 CVEs pushing Microsoft’s annual vulnerability count past 1,021.

North Korea-Linked UNC1069 Targets Cryptocurrency Sector with AI-Generated Video and Malware

Updated: 11.02.2026 23:56 · First: 02.09.2025 19:39 · 📰 9 src / 12 articles

The Lazarus Group, a North Korea-linked threat actor, has expanded its operations to target European defense companies in 2025, leveraging a coordinated Operation DreamJob campaign. The attack involved fake recruitment lures and the deployment of various malware, including the ScoringMathTea RAT. This campaign follows earlier attacks on a decentralized finance (DeFi) organization in 2024, where the group deployed multiple cross-platform malware variants, including PondRAT, ThemeForestRAT, and RemotePE. In 2026, North Korean hackers have been observed using AI-generated video and the ClickFix technique to deliver malware for macOS and Windows to targets in the cryptocurrency sector. The threat actor's goal is financial, as suggested by the role of the tools used in an attack on a fintech company investigated by Google's Mandiant researchers. The attack had a strong social engineering component, with the victim being contacted over Telegram from a compromised executive account. The hackers used a Calendly link to a spoofed Zoom meeting page and showed a deepfake video of a CEO to facilitate the attack. Mandiant researchers found seven distinct macOS malware families attributed to UNC1069, a threat group they've been tracking since 2018. UNC1069 has been active since at least April 2018 and is also tracked under the monikers CryptoCore and MASAN. The group has used generative AI tools like Gemini to produce lure material and other messaging related to cryptocurrency. They have attempted to misuse Gemini to develop code to steal cryptocurrency and have leveraged deepfake images and video lures mimicking individuals in the cryptocurrency industry. The group has shifted from spear-phishing techniques and traditional finance (TradFi) targeting towards the Web3 industry since at least 2023, targeting centralized exchanges (CEX), software developers at financial institutions, high-technology companies, and individuals at venture capital funds. 
In the latest intrusion documented by Google's threat intelligence division, UNC1069 deployed as many as seven unique malware families, including several new malware families such as SILENCELIFT, DEEPBREATH, and CHROMEPUSH. The attack involved a social engineering scheme using a compromised Telegram account, a fake Zoom meeting, a ClickFix infection vector, and reported usage of AI-generated video to deceive the victim. The group used a fake website masquerading as Zoom to deceive victims and reused videos of previous victims to deceive new victims. The attack proceeded with a ClickFix-style troubleshooting command to deliver malware, leading to the deployment of various malicious components designed to gather system information, provide hands-on keyboard access, and steal sensitive data.

Multi-Stage AitM Phishing and BEC Campaigns Target Energy Sector

Updated: 11.02.2026 23:53 · First: 23.01.2026 10:25 · 📰 3 src / 5 articles

Microsoft has identified a multi-stage adversary-in-the-middle (AitM) phishing and business email compromise (BEC) campaign targeting organizations in the energy sector. The attackers abused SharePoint file-sharing services to deliver phishing payloads and created inbox rules to maintain persistence and evade detection. The campaign involved leveraging compromised internal identities to conduct large-scale phishing attacks within and outside the victim organizations. Additionally, the AgreeTo Outlook add-in was hijacked and turned into a phishing kit, stealing over 4,000 Microsoft account credentials. The threat actor deployed a fake Microsoft sign-in page, password collection page, exfiltration script, and redirect, exploiting the add-in's ReadWriteItem permissions. This is the first known instance of malware found on the official Microsoft Marketplace. The add-in was abandoned by its developer and the attacker exploited the abandoned domain to serve the phishing kit. The incident highlights the need for better monitoring of add-ins and their associated URLs.

Crazy Ransomware Gang Abuses Employee Monitoring and Remote Support Tools

Updated: · First: 11.02.2026 21:29 · 📰 1 src / 1 articles

The Crazy ransomware gang has been observed abusing legitimate employee monitoring software (Net Monitor for Employees Professional) and the SimpleHelp remote support tool to maintain persistence in corporate networks, evade detection, and prepare for ransomware deployment. The attackers used these tools to gain full interactive access to compromised systems, transfer files, execute commands, and monitor system activity in real time. They also attempted to disable Windows Defender and set up monitoring rules to detect cryptocurrency-related activities and remote access tools. The use of multiple remote access tools provided redundancy for the attackers, ensuring they retained access even if one tool was discovered or removed. The breaches were enabled through compromised SSL VPN credentials, highlighting the need for organizations to enforce MFA on all remote access services.

JokerOTP MFA phishing-as-a-service dismantled, third suspect arrested

Updated: · First: 11.02.2026 21:14 · 📰 1 src / 1 articles

The Netherlands Police arrested a 21-year-old man from Dordrecht for selling access to the JokerOTP phishing automation tool, which intercepts one-time passwords (OTPs) to hijack accounts. The arrest is part of a three-year investigation that led to dismantling the JokerOTP phishing-as-a-service (PhaaS) operation in April 2025. The service caused at least $10 million in financial losses across 28,000 attacks in 13 countries. The seller advertised access via Telegram, allowing cybercriminals to automate calls to victims and capture sensitive data. The tool targeted users of PayPal, Venmo, Coinbase, Amazon, and Apple. The investigation is ongoing, with dozens of buyers identified for prosecution.

Wazuh Enhances Cyber Resilience with Advanced Detection and Response Capabilities

Updated: · First: 11.02.2026 19:40 · 📰 1 src / 1 articles

Wazuh, a SIEM and XDR platform, enhances cyber resilience through comprehensive visibility, early detection of suspicious activity, automated incident response, and AI-driven security analysis. It supports various environments, including virtualized, on-premises, cloud-based, and containerized systems, and integrates advanced AI models for improved threat detection and response. The platform also focuses on improving IT hygiene and security posture through continuous asset visibility, vulnerability detection, and configuration assessment.

GrayBravo Expands CastleLoader Malware Operations with Four Threat Clusters

Updated: 11.02.2026 19:02 · First: 05.09.2025 17:07 · 📰 5 src / 7 articles

GrayBravo, previously tracked as TAG-150, has developed CastleRAT, a remote access trojan available in both Python and C variants. The threat actor is characterized by rapid development cycles, technical sophistication, and an expansive, evolving infrastructure. GrayBravo has been active since at least March 2025, using CastleLoader to deliver various secondary payloads, including other RATs, information stealers, and loaders. CastleRAT is part of a multi-tiered infrastructure and uses Steam Community profiles as dead drop resolvers for command-and-control (C2) servers. The C variant of CastleRAT includes additional functionalities such as keylogging, screenshot capture, and cryptocurrency clipping. The threat actor employs phishing attacks and fraudulent GitHub repositories to initiate infections. Recent developments include the discovery of TinyLoader, TinkyWinkey, and Inf0s3c Stealer, which are used to deliver additional malware and steal information. CastleLoader has been linked to a Play Ransomware attack against a French organization, and GrayBravo operates with a limited and sophisticated user base, likely promoting its services within closed circles. Four distinct threat activity clusters have been observed leveraging CastleLoader: TAG-160, TAG-161, and two unnamed clusters. TAG-160 targets the logistics sector using phishing and ClickFix techniques, while TAG-161 uses Booking.com-themed ClickFix campaigns to distribute CastleLoader and Matanbuchus 3.0. The third cluster uses infrastructure impersonating Booking.com in conjunction with ClickFix and Steam Community pages as a dead drop resolver to deliver CastleRAT via CastleLoader. The fourth cluster uses malvertising and fake software update lures masquerading as Zabbix and RVTools to distribute CastleLoader and NetSupport RAT. GrayBravo leverages a multi-tiered infrastructure to support its operations, including Tier 1 victim-facing C2 servers and multiple VPS servers as backups. 
A surge in LummaStealer infections has been observed, driven by social engineering campaigns leveraging the ClickFix technique to deliver the CastleLoader malware. LummaStealer, also known as LummaC2, is an infostealer operation running as a malware-as-a-service (MaaS) platform that was disrupted in May 2025 when multiple tech firms and law enforcement authorities seized 2,300 domains and the central command structure supporting the malicious service. Although the law enforcement operation severely disrupted the LummaStealer activity, the MaaS operation started to resume in July 2025. A new report from cybersecurity company Bitdefender warns that LummaStealer operations have scaled significantly between December 2025 and January 2026, now being delivered through a malware loader called CastleLoader, and increasingly relying on ClickFix techniques.

Aisuru botnet conducts record-breaking DDoS attacks, targeting U.S. ISPs and Microsoft Azure

Updated: 11.02.2026 18:08 · First: 02.09.2025 18:52 · 📰 18 src / 34 articles

The **Aisuru/Kimwolf botnet ecosystem** continues to evolve, now **disrupting critical anonymity infrastructure** alongside its record-breaking DDoS campaigns. In **February 2026**, Kimwolf operators **accidentally crippled the I2P anonymity network** by attempting to onboard **700,000 infected devices** as nodes, overwhelming the network’s typical **15,000–20,000-device capacity** and triggering a **Sybil attack** that halved I2P’s functionality. This follows the botnet’s **31.4 Tbps DDoS attack** (November 2025) and **holiday-themed "The Night Before Christmas" campaign** (December 19, 2025), which peaked at **24 Tbps, 9 Bpps, and 205 Mrps**—part of a **100% YoY increase in DDoS volume** (47.1 million attacks mitigated in 2025). With **over 6 million infected devices** (1–4M IoT for Aisuru; **>2M Android TVs/boxes** for Kimwolf), the botnets blend **hyper-volumetric DDoS** with **residential proxy monetization**, targeting sectors beyond gaming to include **telecom, IT, finance, AI, and now anonymity networks**. The **January 2026 takedown of IPIDEA**—a key proxy enabler—reduced millions of exit nodes, but **persistent infections** and **new evasion tactics** (e.g., **I2P/Tor C2 experimentation, ENS-based domains**) highlight the botnets’ **adaptive resilience**. Despite **internal operator conflicts** reducing Kimwolf’s scale by **600,000+ devices**, the ecosystem remains a **systemic risk to global internet stability, enterprise security, and privacy infrastructure**.

Transparent Tribe Targets Indian Government with Dual-Platform Malware Campaign

Updated: 11.02.2026 16:52 · First: 22.08.2025 21:35 · 📰 6 src / 16 articles

APT36, also known as Transparent Tribe, is targeting both Windows and BOSS Linux systems in ongoing attacks against Indian government and defense entities. The campaign, active since June 2025, involves phishing emails delivering malicious .desktop files disguised as PDFs. The malware facilitates data exfiltration, persistent espionage access, and includes anti-debugging and anti-sandbox checks. The malware also targets the Kavach 2FA solution used by Indian government agencies. The attack leverages the .desktop file's 'Exec=' field to execute a sequence of shell commands that download and run a Go-based ELF payload. The payload establishes persistence through cron jobs and systemd services, and communicates with a C2 server via a WebSocket channel. The technique allows APT36 to evade detection by abusing a legitimate Linux feature that is not typically monitored for threats. The campaign demonstrates APT36's evolving tactics, becoming more evasive and sophisticated. The campaign uses dedicated staging servers for malware distribution, transitioning from cloud storage platforms. The malware includes multiple persistence methods and supports commands for file browsing, collection, and remote execution. The campaign is part of a broader trend of targeted activity by South and East Asian threat actors, reflecting a trend toward purpose-built malware and infrastructure. Indian government entities have been targeted in two campaigns codenamed Gopher Strike and Sheet Attack. Gopher Strike leveraged phishing emails to deliver PDF documents with a blurred image and a fake Adobe Acrobat Reader DC update dialog. The campaign uses server-side checks to prevent automated URL analysis tools from fetching the ISO file, ensuring delivery only to intended targets in India. The malicious payload is a Golang-based downloader called GOGITTER, which creates a VBScript file to fetch commands from C2 servers. 
GOGITTER sets up persistence using a scheduled task to run the VBScript file every 50 minutes. GOGITTER downloads a ZIP file from a private GitHub repository and executes a lightweight Golang-based backdoor called GITSHELLPAD. GITSHELLPAD polls the C2 server every 15 seconds for commands and supports six different commands including cd, run, upload, and download. The results of command execution are stored in a file called "result.txt" and uploaded to the GitHub account. The threat actor also downloads RAR archives containing utilities to gather system information and drop GOSHELL, a bespoke Golang-based loader. GOSHELL's size was artificially inflated to approximately 1 gigabyte to evade detection by antivirus software. GOSHELL only executes on specific hostnames by comparing the victim's hostname against a hard-coded list. APT36 and SideCopy are launching cross-platform RAT campaigns against Indian entities using malware families like Geta RAT, Ares RAT, and DeskRAT. The campaigns use phishing emails with malicious attachments or download links to deliver the malware, which provides persistent remote access, system reconnaissance, data collection, and command execution. Geta RAT supports various commands including system information collection, process enumeration, credential gathering, and file operations. Ares RAT is a Python-based RAT that can run commands issued by the threat actor. DeskRAT is delivered via a rogue PowerPoint Add-In file with embedded macros. The campaigns target Indian defense, government, and strategic sectors, demonstrating a well-resourced, espionage-focused threat actor deliberately targeting these sectors through defense-themed lures, impersonated official documents, and regionally trusted infrastructure.

Patch Tuesday: Over 60 Vendors Release Security Fixes for Critical Vulnerabilities

Updated: · First: 11.02.2026 15:28 · 📰 1 src / 1 articles

On the February 2026 Patch Tuesday, over 60 software vendors released security updates addressing critical vulnerabilities in their products. Microsoft patched 59 flaws, including six actively exploited zero-days in Windows components. Adobe, SAP, Intel, and Google also issued fixes for critical vulnerabilities in their respective products. The updates cover a wide range of software, including operating systems, cloud platforms, and network devices. The vulnerabilities addressed include security bypass, privilege escalation, denial-of-service (DoS), code injection, and missing authorization checks. Some of the flaws could lead to full database compromise and unauthorized remote function calls. The patches are crucial for maintaining the security of systems and preventing potential exploitation by threat actors.

Chinese National Sentenced for $73m Crypto Investment Fraud

Updated: · First: 11.02.2026 14:05 · 📰 1 src / 1 articles

A Chinese national, Daren Li, has been sentenced to 20 years in prison for his role in a global crypto-investment fraud scheme that defrauded victims of over $73 million. Li pleaded guilty to conspiring to launder funds obtained through cryptocurrency scams and related fraud. The scheme involved romance baiting and tech support scams, with victims contacted through social media, online dating sites, and cold calls. Li and his co-conspirators used spoofed websites and domains to appear legitimate and laundered proceeds through US shell companies.

CISA 2025 Year in Review: Strengthening Critical Infrastructure Security

Updated: · First: 11.02.2026 14:00 · 📰 1 src / 1 articles

CISA released its 2025 Year in Review, highlighting achievements in cyber and physical security. The report details CISA's efforts to modernize operations, accelerate threat responses, and collaborate with partners to safeguard critical infrastructure. Key accomplishments include publishing over 1,600 security products, triaging 30,000+ incidents, blocking billions of malicious connections, and conducting 148 security exercises with 10,000+ participants. Additionally, CISA introduced the Be Air Aware™ suite to manage Unmanned Aircraft System Threats.

FIRST Predicts Record 50,000+ CVEs in 2026

Updated: · First: 11.02.2026 13:35 · 📰 1 src / 1 articles

The Forum of Incident Response and Security Teams (FIRST) forecasts a record-breaking 59,427 new CVEs in 2026, with a 90% confidence interval ranging from 30,012 to 117,673. This prediction is based on a new statistical model using historical CVE data and publication trends. FIRST advises organizations to prepare for this surge by assessing their capacity, prioritizing vulnerabilities, and leveraging forecasting tools. The forecast suggests that CVE disclosures will continue to grow beyond 2026, with a median of 51,018 CVEs in 2027 and 53,289 in 2028.

Hackers Exploit Misconfigured Security Testing Apps to Breach Cloud Environments

Updated: 11.02.2026 13:30 · First: 21.01.2026 16:00 · 📰 3 src / 3 articles

Threat actors are exploiting misconfigured security testing applications, such as DVWA, OWASP Juice Shop, Hackazon, and bWAPP, to gain access to cloud environments of Fortune 500 companies and security vendors. These applications, intended to be intentionally vulnerable for training and testing, pose a significant risk when exposed on the public internet and executed from privileged cloud accounts. Pentera researchers discovered 1,926 live, vulnerable applications linked to overly privileged IAM roles, deployed on AWS, GCP, and Azure. Many instances used default credentials and exposed cloud credential sets, allowing attackers to deploy crypto miners, webshells, and gain admin access to cloud environments. Active exploitation was confirmed, with evidence of crypto mining using XMRig, deployment of webshells, and advanced persistence mechanisms. Security vendors such as F5, Cloudflare, and Palo Alto Networks were among those affected. Pentera Labs verified nearly 2,000 live, exposed training application instances, with close to 60% hosted on customer-managed infrastructure running on AWS, Azure, or GCP. Approximately 20% of instances were found to contain artifacts deployed by malicious actors, including crypto-mining activity, webshells, and persistence mechanisms.

Microsoft February 2026 Patch Tuesday Addresses 6 Zero-Days and 59 Flaws

Updated: 11.02.2026 12:22 · First: 10.02.2026 20:51 · 📰 4 src / 4 articles

Microsoft's February 2026 Patch Tuesday addresses 59 vulnerabilities, including 6 actively exploited zero-days and 3 publicly disclosed flaws. The updates include fixes for 5 critical vulnerabilities, with three being security feature bypass flaws in various Microsoft products. The zero-days span components such as Windows Shell, MSHTML Framework, Microsoft Word, Desktop Window Manager, Windows Remote Access Connection Manager, and Windows Remote Desktop Services. Microsoft issued an out-of-band patch for one of the zero-days, CVE-2026-21514, highlighting its urgency. The updates also cover a range of other vulnerabilities, including elevation of privilege, security feature bypass, remote code execution, information disclosure, denial of service, and spoofing flaws. Additionally, Microsoft has begun rolling out updated Secure Boot certificates to replace expiring 2011 certificates. Other vendors, including Adobe, BeyondTrust, CISA, Cisco, Fortinet, Google, n8n, and SAP, have also released security updates or advisories.

SSHStalker Linux Botnet Uses IRC for C2 Communications

Updated: 11.02.2026 11:56 · First: 11.02.2026 01:09 · 📰 2 src / 3 articles

A new Linux botnet named SSHStalker has been documented, utilizing the outdated IRC protocol for command-and-control (C2) operations. The botnet employs classic IRC mechanics, including multiple C-based bots and multi-server/channel redundancy, prioritizing resilience and scale over stealth. It achieves initial access through automated SSH scanning and brute-forcing, using a Go binary disguised as nmap. Once infected, hosts are used to scan for additional SSH targets, and the botnet includes exploits for 16 CVEs targeting older Linux kernel versions. The botnet also performs AWS key harvesting, website scanning, and includes cryptomining kits and DDoS capabilities. Notably, SSHStalker maintains persistent access without immediate follow-on post-exploitation behavior, suggesting it may be used for staging, testing, or strategic access retention. The threat actor is suspected to be of Romanian origin, with operational overlaps with the hacking group Outlaw (aka Dota).

Microsoft September 2025 Patch Tuesday addresses 81 vulnerabilities, including two zero-days

Updated: 11.02.2026 11:50 · First: 09.09.2025 20:43 · 📰 13 src / 26 articles

Microsoft's November 2025 Patch Tuesday addressed 63 vulnerabilities, including one actively exploited zero-day vulnerability (CVE-2025-62215), a critical Remote Code Execution flaw (CVE-2025-60724), and several other notable vulnerabilities. The updates also included fixes for multiple elevation of privilege, remote code execution, information disclosure, denial-of-service, and spoofing vulnerabilities. Microsoft has released the first extended security update (ESU) for Windows 10, advising users to upgrade to Windows 11 or enroll in the ESU program. The KB5068781 update, the first Windows 10 extended security update since the operating system reached end of support on October 14, 2025, includes fixes for 63 flaws and one actively exploited elevation-of-privilege vulnerability. The September 2025 Patch Tuesday addressed 80 vulnerabilities, including 13 critical vulnerabilities. The updates fixed a range of issues, including privilege escalation, remote code execution, information disclosure, and denial-of-service vulnerabilities. The patches also covered a critical flaw in Azure Networking and addressed a new lateral movement technique dubbed BitLockMove. Additionally, security updates were released by multiple vendors, including Adobe, Cisco, Google, and others. The September 2025 update included 38 elevation of privilege (EoP) vulnerabilities. The two zero-day vulnerabilities were CVE-2025-55234 in Windows SMB Server and CVE-2024-21907 in Microsoft SQL Server. The SMB vulnerability was exploited through relay attacks, while the SQL Server flaw involved improper handling of exceptional conditions in Newtonsoft.Json. The updates also included hardening features for SMB Server to mitigate relay attacks, with recommendations for administrators to enable auditing to assess compatibility issues. 
The KB5065429 cumulative update for Windows 10 22H2 and 21H2 included fourteen fixes or changes, addressing unexpected UAC prompts and severe lag and stuttering issues with NDI streaming software. The update enabled auditing SMB client compatibility for SMB Server signing and SMB Server EPA, and included an opt-in feature for administrators to allow outbound network traffic from Windows 10 devices. In February 2026, Microsoft released updates to fix six actively exploited zero-day vulnerabilities, three of which have been publicly disclosed. These include CVE-2026-21510, CVE-2026-21513, CVE-2026-21514, CVE-2026-21519, CVE-2026-21525, and CVE-2026-21533. None of the actively exploited vulnerabilities are rated critical. In total, 25 CVEs disclosed by Microsoft were EoP, followed by remote code execution (12), spoofing (7), information disclosure (6), and security feature bypass (5). SAP also released 26 new security notes and one update to a previously released note, including critical vulnerabilities CVE-2026-0509 and CVE-2026-0488.

Windows 11 26H1 released for select ARM-based devices

Updated: · First: 11.02.2026 04:06 · 📰 1 src / 1 articles

Microsoft has released Windows 11 26H1, but it is exclusively for new devices with Snapdragon X2 processors and other upcoming ARM chips. This release is not a feature update for existing PCs but is designed to support new ARM-based hardware. Windows 11 26H2 is expected to follow the annual update cadence and will be available for all other PCs later this year.

Multiple Critical Vulnerabilities in SolarWinds Web Help Desk

Updated: 11.02.2026 00:00 · First: 23.09.2025 15:46 · 📰 9 src / 13 articles

SolarWinds has released security updates to address multiple critical vulnerabilities in SolarWinds Web Help Desk, including CVE-2025-40536, CVE-2025-40537, CVE-2025-40551, CVE-2025-40552, CVE-2025-40553, and CVE-2025-40554. These vulnerabilities could result in authentication bypass and remote code execution (RCE). CVE-2025-40551 is actively exploited in attacks and has been added to CISA's KEV catalog. SolarWinds Web Help Desk is used by more than 300,000 customers worldwide, including government agencies, large corporations, healthcare organizations, and educational institutions. SolarWinds has previously released a third patch to address a critical deserialization vulnerability (CVE-2025-26399) in Web Help Desk 12.8.7 and earlier versions. This flaw allows unauthenticated remote code execution (RCE) on affected systems. The vulnerability was discovered by an anonymous researcher and reported through Trend Micro's Zero Day Initiative (ZDI). The flaw is a patch bypass for CVE-2024-28988, which itself was a bypass for CVE-2024-28986. The original vulnerability was exploited in the wild and added to the KEV catalog by CISA. SolarWinds advises users to update to version 12.8.7 HF1 to mitigate the risk. SolarWinds Web Help Desk is a help desk and ticketing suite used by medium-to-large organizations for IT support request tracking, workflow automation, asset management, and compliance assurance. The vulnerability affects the AjaxProxy component, and the hotfix requires replacing specific JAR files. Microsoft has revealed that it observed a multi-stage intrusion that involved the threat actors exploiting internet-exposed SolarWinds Web Help Desk (WHD) instances to obtain initial access and move laterally across the organization's network to other high-value assets. The attackers used legitimate components associated with Zoho ManageEngine to enable persistent remote control over the infected system. 
They enumerated sensitive domain users and groups, established persistence via reverse SSH and RDP access, and conducted a DCSync attack to request password hashes and other sensitive information from an Active Directory (AD) database. Threat actors have been exploiting CVE-2025-40551 and CVE-2025-26399 to deploy legitimate tools for malicious purposes, such as Zoho ManageEngine and Velociraptor. The attackers targeted at least three organizations and leveraged Cloudflare tunnels for persistence. The malicious activity was spotted by researchers at Huntress Security and is believed to be part of a campaign that started on January 16. The attackers used Velociraptor for command and control (C2) and Zoho ManageEngine for remote monitoring and management. The attackers installed the Zoho ManageEngine Assist agent via an MSI file fetched from the Catbox file-hosting platform and configured the tool for unattended access. They registered the compromised host to a Zoho Assist account tied to an anonymous Proton Mail address. The attackers used Velociraptor as a command-and-control (C2) framework that communicates with attackers via Cloudflare Workers. The attackers used an outdated version of Velociraptor (0.73.4), which is vulnerable to a privilege escalation flaw. The attackers installed Cloudflared from Cloudflare's official GitHub repository as a secondary tunnel-based access channel for C2 redundancy. The attackers disabled Windows Defender and Firewall via registry modifications to ensure that fetching additional payloads would not be blocked. The attackers downloaded a fresh copy of the VS Code binary approximately a second after disabling Defender. System administrators are recommended to upgrade SolarWinds Web Help Desk to version 2026.1 or later, remove public internet access to SolarWinds WHD admin interfaces, and reset all credentials associated with the product. 
The Shadowserver Foundation's Internet scans for CVE-2025-40551 show approximately 170 vulnerable WHD instances. Organizations should put their WHD instances behind firewalls or VPNs and remove direct Internet access to administrator paths. Customers should update their WHD instances to version 2026.1 or later and review hosts for any unauthorized remote access tools like Zoho Assist and Velociraptor. Microsoft recommended evicting any remote monitoring and management (RMM) tools in the network like Zoho ManageEngine and rotating credentials for WHD service and administrator accounts.

ZeroDayRAT Malware Targets Android and iOS Devices

Updated: 10.02.2026 23:37 · First: 10.02.2026 15:00 · 📰 3 src / 3 articles

A new commercial spyware platform, ZeroDayRAT, is being advertised on Telegram, offering full remote control over compromised Android (versions 5–16) and iOS (up to version 26) devices. The malware provides extensive surveillance capabilities, including real-time tracking, data theft, and financial fraud. It can log app usage, SMS messages, and notifications, activate cameras and microphones, and steal cryptocurrency and banking credentials. ZeroDayRAT is marketed through Telegram channels and infections are initiated by persuading victims to install malicious binaries via smishing, phishing emails, counterfeit app stores, and links shared through WhatsApp or Telegram. The malware includes a dedicated web-based dashboard displaying device details, app usage, SMS messages, and live activity timeline. It also includes a crypto stealer and targets online banking apps, UPI platforms, and payment services like Apple Pay and PayPal. The malware is sold openly on Telegram with access to a panel featuring sales, customer support, and platform updates channels. ZeroDayRAT support spans Android 5 through 16 and iOS up to 26, and it provides a complete overview of the phone's makeup, including device model, SIM, location data, carrier info, live activity timeline, and recent SMS messages. The malware includes features such as SMS control, keylogger, microphone feed, screen recorder, bank stealer, and crypto stealer. ZeroDayRAT is priced at $2,000, indicating higher-than-average ambitions and targeting specific individuals or enterprises. The malware represents a convergence of nation-state-level capabilities with criminal economics, widening the target market for surveillance malware.

SOC Transformation and AI Integration for Future Threat Mitigation

Updated: · First: 10.02.2026 22:36 · 📰 1 src / 1 articles

Security operations centers (SOCs) must evolve to address future cybersecurity threats, with AI and specialized staffing being critical components. CISOs face pressure to transform SOCs to meet future needs, focusing on AI integration for threat detection and response, as well as developing advanced skills within SOC teams. The protection of AI assets has become a specialized area, requiring dedicated staff and strategies. Additionally, the structure and location of SOC teams are being re-evaluated to improve efficiency and reduce attrition.

Trojanized 7-Zip installer distributes proxy malware

Updated: · First: 10.02.2026 21:12 · 📰 1 src / 1 articles

A fake 7-Zip website distributes a malicious installer that turns infected computers into residential proxy nodes. The installer is a trojanized 7-Zip build that still provides the archiver's legitimate functionality while also dropping proxy malware, so victims see nothing wrong after installation. The threat actor registered 7zip[.]com, which mimics the legitimate 7-Zip site (7-zip.org). The malware communicates with its command-and-control (C2) servers using obfuscated messages, checks for virtualization and debuggers to evade analysis, modifies Windows Firewall rules to permit its own inbound and outbound connections, and collects system information that it sends to a remote server. The same campaign distributes trojanized installers for other popular applications, including HolaVPN, TikTok, WhatsApp, and Wire VPN.
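The firewall-rule change is the most huntable artefact in the description above. The following PowerShell is an added example, not code from the article or from any vendor tooling: it enumerates enabled Allow rules in the Windows Firewall and reports those bound to a program under a user-writable path, together with the binary's Authenticode status. The path pattern that approximates "user-writable" is my assumption and should be extended for the host being triaged; run it in an elevated session.

```powershell
# Added example, not from the article: hunt for Windows Firewall Allow rules
# bound to programs in user-writable locations, the kind of rule the proxy
# payload above creates for itself. Run in an elevated PowerShell session.
# Assumption: the path pattern below approximates "user-writable"; extend it
# for your environment.

$userWritable = '\\(Users\\[^\\]+\\AppData|ProgramData|Users\\Public|Windows\\Temp)\\'

$findings = Get-NetFirewallRule -Enabled True -Action Allow | ForEach-Object {
    $rule = $_
    # The program binding lives in the associated application filter, not on the rule itself.
    $program = ($rule | Get-NetFirewallApplicationFilter).Program
    if (-not $program -or $program -eq 'Any') { return }        # rule is not bound to one executable

    # Rules often store %SystemRoot%-style variables; expand before matching.
    $path = [Environment]::ExpandEnvironmentVariables($program)
    if ($path -notmatch $userWritable) { return }

    $sigStatus = if (Test-Path -LiteralPath $path) {
        (Get-AuthenticodeSignature -FilePath $path).Status     # Valid, NotSigned, HashMismatch, ...
    } else {
        'FileMissing'                                           # binary already removed; rule is orphaned
    }

    [pscustomobject]@{
        RuleName  = $rule.DisplayName
        Direction = $rule.Direction
        Profile   = $rule.Profile
        Program   = $path
        Signature = $sigStatus
    }
}

# Unsigned or missing binaries under AppData/ProgramData with their own Allow
# rule deserve a closer look. Legitimate per-user installers (browsers, chat
# clients) show up here too, so check the signer before acting on a hit.
$findings | Sort-Object Signature, Program | Format-Table -AutoSize
```

A rule whose program no longer exists on disk (Signature = FileMissing) is worth noting on its own: self-deleting droppers leave exactly that kind of orphaned rule behind.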

Microsoft releases Windows 10 KB5075912 extended security update

Updated: · First: 10.02.2026 21:06 · 📰 1 src / 1 articles

Microsoft has released the Windows 10 KB5075912 extended security update to address vulnerabilities, including six zero-days, and to continue rolling out replacements for expiring Secure Boot certificates. This update is available for Windows 10 Enterprise LTSC and ESU program participants. It fixes several known issues, including a problem preventing devices from shutting down or hibernating if System Guard Secure Launch is enabled. The update also includes changes to Chinese fonts to meet GB18030-2022A compliance and addresses a stability issue affecting certain GPU configurations. Microsoft has been warning about the expiration of multiple Windows Secure Boot certificates since June 2025, which could allow threat actors to bypass security protections if not updated. This update continues the phased rollout of new Secure Boot certificates to targeted systems.

Windows 11 KB5077181 & KB5075941 Cumulative Updates Released

Updated: · First: 10.02.2026 20:43 · 📰 1 src / 1 articles

Microsoft has released cumulative updates KB5077181 and KB5075941 for Windows 11. These updates address various issues and introduce new features, including enhancements to Secure Boot, Cross-Device Resume, MIDI services, Narrator, and Smart App Control. The updates also improve gaming, networking, and voice accessibility features.

North Korean State Actors Exploit Fake Employee Schemes to Infiltrate Companies

Updated: 10.02.2026 19:44 · First: 21.08.2025 00:39 · 📰 10 src / 17 articles

North Korean state actors have been using fake or stolen identities to secure IT jobs at companies worldwide, particularly in the blockchain and technology sectors, stealing virtual currency and funnelling the proceeds to North Korea's weapons program. The practice has escalated with the rise of remote work and AI, which let fraudsters impersonate employees and gain privileged access to company networks. Labyrinth Chollima, a prolific North Korean-linked threat group, has recently split into three distinct clusters: Labyrinth Chollima, Golden Chollima, and Pressure Chollima. Labyrinth Chollima continues to focus on cyber espionage against industrial, logistics, and defense companies, while Golden Chollima and Pressure Chollima have shifted towards cryptocurrency entities. Each cluster uses its own toolset, all evolutions of the malware framework Labyrinth Chollima used in the 2000s and 2010s.

A joint investigation led by Mauro Eldritch, founder of BCA LTD, together with the threat-intel initiative NorthScan and ANY.RUN, uncovered a network of remote IT workers tied to Lazarus Group's Famous Chollima division. Researchers captured live activity of Lazarus operators on what the operators believed were real developer laptops but were in fact fully controlled, long-running sandbox environments built by ANY.RUN. The Famous Chollima team involved consisted of six members using the names Mateo, Julián, Aaron, Jesús, Sebastián, and Alfredo, and connected through Astrill VPN, a service popular among North Korean fake IT workers.

Thousands of North Korean IT workers have infiltrated the job market over the past two years, exploiting weaknesses in hiring processes and remote-work environments; over 320 cases of operatives posing as remote IT workers were identified in August 2025. The Justice Department has shut down several laptop farms used by these actors, but the problem persists, and security experts warn of significant security risks and financial losses for affected companies. The U.S. Treasury's Office of Foreign Assets Control (OFAC) sanctioned two individuals and two entities for their role in the schemes, identifying transfers worth nearly $600,000 and over $1 million in profits generated since 2021, and separately sanctioned four entities accused of helping the Democratic People's Republic of Korea (DPRK) generate revenue. Japan, South Korea, and the United States held a joint forum on August 26, 2025, in Tokyo to improve collaboration, with Japan and South Korea both issuing updated advisories on the threat. Five U.S. citizens have pleaded guilty to enabling the IT worker fraud; that scheme impacted more than 136 U.S. victim companies, generated more than $2.2 million for the DPRK regime, and compromised the identities of more than 18 U.S. persons. The U.S. government has also seized $15 million in Tether (USDT) from APT38 actors and is seeking to return the funds to their rightful owners. Norwegian businesses have been affected as well, with salaries likely funding North Korea's weapons and nuclear programs.

North Korean recruiters target developers and lure them into renting out their identities. Famous Chollima, part of the state-sponsored Lazarus group, uses deepfake video and avoids appearing on camera during interviews. Legitimate engineers are recruited as figureheads to secure remote jobs at targeted companies, receiving 20% to 35% of the salary for the duration of the contract, while DPRK agents use the engineers' computers as proxies to hide their location and traces. Recruiters use AI-powered tools such as AIApply, Simplify Copilot, Final Round AI, and Saved Prompts to autofill job applications and generate resumes. The scheme is also tracked as Jasper Sleet, PurpleDelta, and Wagemole; its aims are revenue generation, espionage, and in some cases ransom demands, and proceeds are laundered through techniques such as chain-hopping and token swapping.

A related campaign dubbed Contagious Interview uses fake hiring flows to lure targets into executing malicious code. It employs EtherHiding, in which blockchain smart contracts host and serve command-and-control infrastructure. Newer variants use malicious Microsoft VS Code task files to execute JavaScript malware, and the Koalemos RAT campaign uses malicious npm packages to deploy a modular JavaScript remote access trojan (RAT) framework.

Conduent Data Breach Affects Millions

Updated: 10.02.2026 19:04 · First: 30.10.2025 15:01 · 📰 5 src / 10 articles

Conduent, a business services provider, has confirmed that a 2024 data breach affected more than 10.5 million individuals. The breach, first disclosed in January 2025, hit government agencies in multiple US states. The attackers entered Conduent's network on October 21, 2024, and were evicted on January 13, 2025. Compromised data includes names, addresses, dates of birth, Social Security numbers, health insurance details, and medical information. Conduent serves over 600 government and transportation organizations and roughly half of the Fortune 100. The company has not published a consolidated figure, but breach notices filed with state attorneys general indicate at least 10.5 million people were impacted (the total reported in Conduent's Oregon filing), with more than 4 million in Texas alone; Conduent also serves states that do not publish breach figures, so the actual impact may be larger. The SafePay ransomware group claimed responsibility in February 2025 and said it had stolen 8.5TB of data. As of October 24, 2025, there is no evidence that the stolen data has been misused. Conduent is notifying impacted parties and offering at least a year of free identity monitoring, including credit and dark web monitoring and identity restoration. Among downstream victims, Volvo Group North America disclosed that nearly 17,000 customers and/or staff had personal details exposed in the Conduent breach. Volvo Group North America has since suffered a separate breach through another third-party supplier, Miljödata, whose August 2025 compromise exposed the information of 1.5 million people, including Volvo Group employees in Sweden and the U.S., with staff data such as full names and Social Security numbers affected. SafePay was also behind the July 2025 ransomware attack on IT services provider Ingram Micro, which affected over 42,000 individuals and triggered a massive outage; the group claimed to have stolen 3.5TB of documents, underscoring its growing activity as a significant ransomware threat.

Microsoft Releases New Secure Boot Certificates Ahead of June 2026 Expiration

Updated: · First: 10.02.2026 19:00 · 📰 1 src / 1 articles

Microsoft has started rolling out new Secure Boot certificates through monthly Windows updates to replace the original 2011 certificates, which expire in late June 2026. These certificates anchor the UEFI Secure Boot chain: they determine which bootloaders the firmware will accept, which is what keeps bootkits and other pre-OS malware from running at startup. The rollout spans millions of device configurations from many hardware manufacturers and OEMs and in some cases depends on firmware updates. Devices that do not receive the updated certificates will enter a 'degraded security state' with limited boot-level protections: they keep booting, but will no longer be able to receive future Secure Boot security fixes for boot components. Microsoft advises customers to upgrade to Windows 11; Windows 10 systems not enrolled in the Extended Security Updates program will not receive the new certificates.
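Both this item and the Windows 10 KB5075912 item above describe a phased rollout, which means the practical question on any given machine is whether it has been serviced yet. The PowerShell below is an added example, not code from the article or from Microsoft: it reads the UEFI `db` and `KEK` variables and reports whether the 2023 certificates are present. The certificate names are the ones Microsoft uses in its Secure Boot certificate-update documentation and are not taken from this article; the roles attached to each are my summary. Run it in an elevated session.

```powershell
# Added example, not from the article: report whether this device already
# carries Microsoft's 2023 Secure Boot certificates. Run elevated.
# The certificate names come from Microsoft's Secure Boot certificate-update
# documentation, not from this article; the 2011 certificates they replace
# are the ones expiring in June 2026.

$expected = @(
    @{ Variable = 'db';  Name = 'Windows UEFI CA 2023';                 Role = 'signs the Windows boot manager' },
    @{ Variable = 'db';  Name = 'Microsoft UEFI CA 2023';               Role = 'signs third-party boot components and option ROMs' },
    @{ Variable = 'KEK'; Name = 'Microsoft Corporation KEK 2K CA 2023'; Role = 'authorises future db/dbx updates' }
)

try {
    if (-not (Confirm-SecureBootUEFI)) {
        Write-Warning 'Secure Boot is disabled; certificate state does not matter until it is turned on.'
        return
    }
} catch {
    # Confirm-SecureBootUEFI throws on legacy BIOS / non-UEFI systems.
    Write-Warning "Secure Boot is not supported on this platform: $($_.Exception.Message)"
    return
}

$report = foreach ($cert in $expected) {
    # Get-SecureBootUEFI returns the variable's raw EFI_SIGNATURE_LIST bytes;
    # each CA's subject name appears as plain ASCII inside the DER-encoded
    # certificate, so a substring match is enough to tell whether it is present.
    $ascii = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name $cert.Variable).Bytes)
    [pscustomobject]@{
        Variable    = $cert.Variable
        Certificate = $cert.Name
        Role        = $cert.Role
        Present     = [bool]($ascii -match [regex]::Escape($cert.Name))
    }
}

$report | Format-Table -AutoSize

if (@($report | Where-Object { -not $_.Present }).Count -gt 0) {
    Write-Warning 'At least one 2023 certificate is missing: this device has not been fully serviced yet.'
}
```

Presence of the 2011 certificates alongside the new ones is expected; the old roots stay trusted until they expire. A device where all three rows report `Present = False` is one the phased rollout has not reached, and it is the one that lands in the degraded state described above once the 2011 certificates lapse.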

Phorpiex Phishing Campaign Delivers Global Group Ransomware

Updated: · First: 10.02.2026 18:00 · 📰 1 src / 1 articles

A high-volume phishing campaign using the Phorpiex malware has been observed delivering Global Group ransomware. The emails carry the subject line "Your Document" and a weaponized Windows shortcut (.lnk) attachment that starts a multi-stage infection chain. The ransomware runs fully offline: it generates encryption keys locally and never contacts a command-and-control (C2) server, so it works in isolated or egress-filtered environments and produces no C2 traffic for network detection to catch. It encrypts files with ChaCha20-Poly1305, appends the .Reco extension, and deletes its own binary after execution, complicating forensic analysis and recovery.
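Because the chain starts from a shortcut and the encryptor removes itself, the .lnk is often the only artefact of the initial stage left on disk. The PowerShell below is an added example, not code from the article or from any vendor: it parses shortcut files in the locations where an e-mail attachment typically lands and flags those whose target or arguments invoke a script host or shell, then checks for files already carrying the .Reco extension. The scan roots, interpreter list and argument heuristics are my assumptions and are a starting point rather than a complete set.

```powershell
# Added example, not from the article: triage shortcut files in the places
# an e-mail attachment usually lands and flag those that launch a script host
# or shell, which is how a weaponized .lnk like the one above starts its chain.
# WScript.Shell parses the .lnk without running it. Assumptions: the scan
# roots, interpreter list and argument hints below are my starting points,
# not a complete set.

$scanRoots = @(
    "$env:USERPROFILE\Downloads",
    $env:TEMP,
    "$env:LOCALAPPDATA\Microsoft\Windows\INetCache",
    "$env:LOCALAPPDATA\Microsoft\Outlook"
)
$interpreters = 'cmd\.exe|powershell\.exe|pwsh\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|curl\.exe|conhost\.exe'
$loaderHints  = '-enc|-e[cn]?\s|hidden|iex|invoke-expression|downloadstring|downloadfile|https?:'

$shell = New-Object -ComObject WScript.Shell

$suspicious = Get-ChildItem -Path $scanRoots -Filter *.lnk -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $lnk     = $shell.CreateShortcut($_.FullName)   # reads target/arguments; does not execute
        $target  = $lnk.TargetPath
        $lnkArgs = $lnk.Arguments                       # ($args is a PowerShell automatic variable; avoid it)
        if (($target -match $interpreters) -or ($lnkArgs -match $interpreters) -or ($lnkArgs -match $loaderHints)) {
            [pscustomobject]@{
                Shortcut  = $_.FullName
                Created   = $_.CreationTime
                Target    = $target
                Arguments = $lnkArgs
            }
        }
    }

# Files already carrying the ransomware's extension mean the chain has run to
# completion; isolate the host first, then go back for the initial .lnk.
$encrypted = Get-ChildItem -Path $env:USERPROFILE -Filter *.Reco -Recurse -File -ErrorAction SilentlyContinue |
    Select-Object -First 20 FullName, LastWriteTime

$suspicious | Format-Table -AutoSize
$encrypted  | Format-Table -AutoSize
```

Shortcuts created by installers and by Windows itself legitimately point at executables, so a hit on `$interpreters` alone is a lead, not a verdict; a target of `cmd.exe` or `powershell.exe` combined with encoded or download-related arguments is the combination worth escalating.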

Microsoft 365 Service Disruption Affecting User Access

Updated: 10.02.2026 17:45 · First: 13.10.2025 18:58 · 📰 2 src / 2 articles

Microsoft 365 applications are experiencing an outage preventing some users, particularly administrators with business or enterprise subscriptions, from accessing the Microsoft 365 admin center in North America and Canada regions. The incident was acknowledged by Microsoft, which is reviewing telemetry data to identify the root cause and develop a remediation plan. The disruption follows two other major incidents last week that impacted Microsoft 365 services due to MFA issues and Azure Front Door CDN problems. Previous outages in September were caused by an Exchange Online coding bug.

Automating AWS Incident Investigation with Tines and AI

Updated: · First: 10.02.2026 17:01 · 📰 1 src / 1 articles

A pre-built Tines workflow automates AWS incident investigation by integrating CLI data retrieval directly into the case management system. This eliminates manual data gathering, reduces Mean Time to Resolution (MTTR), and mitigates security risks associated with broad read-access to production environments. The workflow uses Tines agents to execute CLI commands securely and efficiently, providing analysts with immediate, formatted insights.