Weekly Threat Landscape Digest – Week 43

1. Phishing Risk – Fake Investment or IPO-themed Campaigns

Following recent media coverage surrounding Binghatti’s clarification on IPO prospectus and price range reports (Khaleej Times – October 17, 2025), threat actors are likely to exploit this trending topic to launch phishing and social engineering campaigns targeting investors, financial institutions, and the general public.

Threat Details:

• Attackers may distribute emails or messages claiming to offer early investment access to Binghatti’s IPO.
• Phishing emails may contain malicious links or fake PDF “prospectus” attachments designed to steal credentials.
• Fraudulent websites can impersonate legitimate investment portals or brokers to collect personal or banking information.
• Social engineering lures such as “limited IPO slots” or “urgent registration” are used to create urgency and manipulate victims.

Potential Impact:

• Exposure of personal or financial data of investors and employees.
• Unauthorized access to trading or email accounts.
• Financial losses and reputational harm due to fraudulent transactions.
• Increased phishing attempts targeting executives and enterprise users.

Recommendations:

• Treat unsolicited investment or IPO-related offers with caution.
• Verify authenticity of investment communications via official Binghatti channels.
• Do not enter credentials or financial data into unverified links or forms.
• Report suspicious messages to IT or security teams immediately.
• Enable phishing protection and link scanning across email and browsers.
• Monitor for lookalike domains impersonating real estate or financial organizations.
• Circulate this alert across teams and partner networks to raise awareness.

Reference:
• https://www.khaleejtimes.com/business/property/binghatti-denies-report-on-ipo-prospectus-price-range?_refresh=true

2. Cisco Critical Security Updates Across Product Lines

Cisco has released security patches addressing multiple high-severity vulnerabilities affecting desk phones, IP phones, IOS XE (secure boot), Snort 3, and TelePresence/RoomOS endpoints. Successful exploitation could result in remote code execution, denial-of-service, secure boot bypass, or information disclosure.

Vulnerability Details:

1. Cisco SIP Software on Desk/IP/Video Phones
   • CVE-2025-20350, CVE-2025-20351
   • Impact: Unauthenticated remote attackers could trigger DoS or execute arbitrary code through crafted SIP messages.
2. Cisco IOS XE Secure Boot Bypass
   • CVE-2025-20313, CVE-2025-20314
   • Impact: A local user with root privileges could bypass secure boot and load unauthorized firmware or software.
3. Snort 3 MIME Processing DoS
   • CVE-2025-20359, CVE-2025-20360
   • Impact: Crafted MIME content can crash Snort 3 processes, disrupting intrusion detection operations.
4. TelePresence / RoomOS Information Disclosure
   • CVE-2025-20329
   • Impact: Authenticated remote attackers may access sensitive configuration data via improper access controls.

Affected Products:

• Cisco Desk Phone 9800, IP Phone 7800/8800, Video Phone 8875
• Cisco IOS XE (all supported releases)
• Snort 3 sensor deployments
• Cisco TelePresence and RoomOS devices

Recommendations:

• Apply Cisco patches immediately from official advisories.
• Confirm firmware versions and upgrade to secure builds.
• Isolate voice/video devices on segmented VLANs separate from core networks.
• Restrict SIP and administrative ports to trusted subnets.
• For IOS XE: disable unnecessary root access and validate secure boot integrity.
• Audit and tighten access controls on TelePresence/RoomOS endpoints; rotate credentials and review management logs.

References:
• https://sec.cloudapps.cisco.com/security/center/publicationListing.x
• https://assets.adgm.com/download/assets/20251016+-+Security+Updates+-+Cisco.pdf/5f03f112ab1511f0a34c42598250f84a

3. ConnectWise Automate – Critical Update Fixes Credential Interception and Code Injection Flaws

ConnectWise has released a critical update for its Automate platform (version 2025.9) to fix two severe vulnerabilities that could allow attackers to intercept sensitive communications or inject malicious updates into managed endpoints. Exploitation could lead to credential theft, remote code execution, and potential supply-chain compromise.

Vulnerability Details:

1. CVE-2025-11492 – Cleartext Transmission of Sensitive Information
   • CWE-319 | Severity: Critical (CVSS 9.6)
   • Impact: Unencrypted agent communications allow attackers to intercept credentials or configuration data.
2. CVE-2025-11493 – Download of Code Without Integrity Check
   • CWE-494 | Severity: High (CVSS 8.8)
   • Impact: Absence of integrity verification allows attackers to replace update packages with malicious binaries.

Affected Product:

• ConnectWise Automate (on-premises)
• Affected Versions: All versions prior to 2025.9
• Fixed Version: 2025.9 (Released October 16, 2025)
• Root Cause: Use of HTTP and missing cryptographic validation for agent update mechanisms.

Recommendations:

• Upgrade immediately to version 2025.9 to enforce HTTPS-only and signed update processes.
• Confirm patch deployment across all agents and servers.
• Enable TLS 1.2 or higher; disable SSL 3.0 and TLS 1.0/1.1.
• Ensure all Automate agent traffic uses HTTPS (port 443); block HTTP in firewalls and proxies.
• Cloud-hosted Automate instances are auto-patched and require no action.

Reference:
• https://cybersecuritynews.com/connectwise-vulnerabilities/

4. Major AWS Outage Disrupts Global Services; Impact Felt Across Middle East

On October 20, 2025, Amazon Web Services (AWS) experienced a major outage centered on the US-EAST-1 region, causing widespread latency and service disruptions across global and regional platforms. The incident impacted numerous organizations, including banks, consumer apps, and enterprise workloads, with ripple effects reaching users in the Middle East.

Incident Details:

• AWS confirmed elevated error rates and service latency in US-EAST-1, affecting control and data plane operations.
• The root cause is associated with DNS and DynamoDB API instability, leading to cascading service failures.
• Multiple high-profile services such as Snapchat, Fortnite, Alexa, Coinbase, Robinhood, and Lloyds Bank apps experienced partial or full outages.
• Middle East media reported regional user disruptions, highlighting dependency on AWS-hosted workloads outside the region.

Impact:

• Service outages and degraded performance across globally distributed applications.
• Interruptions to authentication, payments, and messaging workflows.
• Business continuity risks including transaction failures, login errors, SLA breaches, and operational slowdowns.
• Global scope: impact confirmed in US, UK, EU, ANZ, and Middle East markets.

Affected Systems:

• AWS control/data plane in US-EAST-1 (DNS/DynamoDB API involvement).
• Downstream consumer and enterprise apps relying on AWS infrastructure.
• Global workloads dependent on affected availability zones.

Reference:
• https://www.reuters.com/business/retail-consumer/amazons-cloud-unit-reports-outage-several-websites-down-2025-10-20

5. Cisco IOS/IOS XE SNMP Zero-Day (CVE-2025-20352) – Active Exploitation and CISA KEV Deadline

A critical vulnerability (CVE-2025-20352) affecting the SNMP subsystem of Cisco IOS and IOS XE software allows remote attackers to execute arbitrary code or disrupt device operations. The flaw is now listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog, with an immediate remediation deadline.

Vulnerability Overview:

• Stack-overflow vulnerability in SNMP processing across IOS/IOS XE.
• Exploitation possible via crafted SNMP packets (IPv4/IPv6) to devices with SNMP enabled.
• Attackers can leverage SNMPv1/v2c community strings or SNMPv3 credentials to trigger exploitation.

Impact:

• Denial-of-Service or full device takeover on network infrastructure.
• Enables lateral movement, traffic manipulation, and persistent network access.
• High-risk for telecom, finance, energy, and government sectors across the Middle East and beyond.

Affected Products / Scope:

• Cisco IOS and IOS XE (various versions per Cisco advisory).
• Devices running SNMPv1/v2c or misconfigured SNMPv3.
• Globally exposed network assets, including Middle Eastern enterprise and carrier networks.

Recommendations:

• Apply Cisco’s fixed releases immediately—prioritize edge and core routing assets.
• Disable legacy SNMP v1/v2c; enforce SNMPv3 with strong authentication and encryption.
• Rotate SNMP credentials and remove unused community strings.
• Harden management plane: use out-of-band networks, ACLs, and RBAC.
• Enable syslog/SNMP traps and monitor changes via NETCONF/SSH logs.

References:
• https://sec.cloudapps.cisco.com/security/center/publicationListing.x
• https://assets.adgm.com/download/assets/20251016+-+Security+Updates+-+Cisco.pdf/5f03f112ab1511f0a34c42598250f84a

6. Privilege Escalation Vulnerability in Fortinet FortiOS CLI (CVE-2025-58325)

A new high-severity vulnerability (CVE-2025-58325) has been identified in Fortinet FortiOS, allowing locally authenticated users to bypass CLI command restrictions and execute privileged system commands. While no active exploitation has been confirmed, the flaw poses a serious risk to environments with multiple administrative users or exposed CLI access.

Vulnerability Details:

• CWE-684: Incorrect Provision of Specified Functionality.
• A local authenticated user with CLI access can craft specific command syntax to bypass security controls and run unauthorized system-level commands.
• The flaw affects:
  • FortiOS 7.6.0
  • FortiOS 7.4.0–7.4.5
  • FortiOS 7.2.5–7.2.10
  • FortiOS 7.0.0–7.0.15
  • All FortiOS 6.4 versions

Recommendations:

• Update FortiOS to the latest versions containing the patch.
• Restrict CLI access to trusted administrators only.
• Enforce multi-factor authentication (MFA) for all privileged accounts.
• Continuously monitor administrative session activity and command logs.

Reference:
• https://fortiguard.fortinet.com/psirt/FG-IR-24-361

7. Microsoft: Extortion and Ransomware Drive Over Half of Cyber-Attacks in the Middle East

Microsoft’s 2025 Digital Defense Report highlights that 52% of cyber incidents in the Middle East are financially motivated — primarily ransomware and extortion attacks — overtaking espionage as the dominant regional threat. Adversaries are exploiting patching gaps, weak credential hygiene, and hybrid cloud misconfigurations to execute double-extortion operations.

Vulnerability Overview:
The report indicates that while global ransomware activity has plateaued, the Middle East remains a high-value target region due to rapid digital transformation, reliance on critical infrastructure, and increased cloud and IoT adoption.
Threat actors employ multi-extortion tactics combining encryption, data theft, and reputation-based blackmail.
Prominent ransomware families in the region include LockBit, Akira, BlackCat (ALPHV), and 8Base, with local affiliates actively compromising government and energy organizations.

Impact:

• Business disruption and large-scale data exfiltration across both public and private sectors.
• Increased ransom demands correlated with target size and geopolitical importance.
• Attackers abusing legitimate IT tools (Living-off-the-Land) for stealthy lateral movement.
• Reputational and regulatory impact following exposure on leak sites.

Affected Regions / Sectors:

• Primary: GCC states — UAE, Saudi Arabia, Qatar, Oman, Kuwait, Bahrain.
• Secondary: Levant and North Africa — Egypt, Jordan, Morocco.
• High-Risk Industries: Energy, finance, telecom, logistics, and government entities.

Recommendations:

• Implement Zero-Trust Architecture and enforce MFA for all privileged accounts.
• Maintain offline backups and routinely test restoration capabilities.
• Patch exposed assets — particularly VPNs, RDP, and Citrix gateways.
• Segment critical systems from general user networks.
• Monitor dark-web leak sites for exposure of corporate or vendor data.
• Conduct tabletop exercises simulating ransomware/extortion scenarios.

Reference:
• https://news.microsoft.com/source/emea/2025/10/middle-east-extortion-and-ransomware-drive-over-half-of-cyberattacks

8. MuddyWater (Iran-Linked APT) Targets Middle East and North Africa with “Phoenix” Backdoor Campaign

A new MuddyWater (APT-C-23) espionage campaign, attributed to Iran’s Ministry of Intelligence and Security (MOIS), is deploying the Phoenix backdoor against government, energy, and international organizations across the Middle East and North Africa. The campaign emphasizes credential theft, internal reconnaissance, and covert data exfiltration via living-off-the-land techniques.

Attack Details:

• Active since August 2025, the operation uses spear-phishing with malicious documents or archives embedding PowerShell-based payloads.
• Upon execution, the payload installs Phoenix, enabling remote command execution, lateral movement, and persistent access.
• The backdoor leverages HTTP-based C2 channels and obfuscated PowerShell scripts for stealth.
• Infrastructure and TTPs overlap with previous MuddyWater campaigns, including Static Kitten and Seedworm, indicating continuity of MOIS-linked operations.

Impact:

• Unauthorized access to sensitive government and enterprise networks.
• Exfiltration of diplomatic, energy, and defense-related data.
• Compromise of internal credentials and email systems.
• Potential staging for follow-up destructive or wiper attacks.

Affected Regions / Sectors:

• Regions: Saudi Arabia, UAE, Jordan, Kuwait, Egypt, and Morocco.
• Sectors: Government, telecommunications, defense contractors, energy providers, and NGOs.

Indicators of Compromise (IOCs):

Recommendations:

• Train staff to identify phishing emails impersonating government or vendor communications.
• Restrict PowerShell usage; enforce execution policies and audit for encoded commands.
• Inspect endpoints for persistence mechanisms and unusual scheduled tasks.
• Segment internal networks and enforce least-privilege access.
• Enable centralized EDR/SIEM logging and hunt for known MuddyWater IoCs.
• Patch OS and disable outdated SMB/RDP services on external-facing hosts.

References:
• https://www.group-ib.com/blog/muddywater-espionage/
• https://www.group-ib.com/blog/muddywater-infrastructure-malware

9. Symantec: China-linked Hackers Exploit “ToolShell” Vulnerability (CVE-2025-53770) to Target Telecom and Government Networks

Symantec researchers have reported that China-linked threat actors exploited the ToolShell vulnerability (CVE-2025-53770) to compromise a Middle Eastern telecommunications provider, followed by intrusions targeting multiple government networks across Africa and South America. The campaign leveraged the vulnerability shortly after it was patched, underscoring rapid exploitation trends by advanced actors.

Vulnerability Overview:
The ToolShell flaw enabled unauthorized remote access to vulnerable systems. Attackers initially infiltrated telecom infrastructure before conducting lateral movement into connected government environments, escalating privileges and expanding control.

Impact:

• Compromise of critical telecommunications and government networks.
• Potential for data theft, espionage, or service disruption across public-sector infrastructure.

Affected Regions / Sectors:

• Regions: Middle East (telecom), Africa and South America (government).
• Sectors: Telecommunications and public-sector organizations.

Affected Products:

• On-premises SharePoint Server Subscription Edition (before KB5002768)
• SharePoint Server 2019 (before version 16.0.10417.20027 / KB5002754)
• SharePoint Server 2016 (all supported builds)

Recommendations:

• Ensure CVE-2025-53770 patches are fully applied across affected assets.
• Segment telecom infrastructure from general IT networks to limit cross-domain compromise.
• Conduct post-patch validation and monitor for signs of lateral movement or credential abuse.

Reference:
• https://industrialcyber.co/ransomware/china-linked-hackers-exploit-toolshell-to-hit-telecom-government-networks-globally

10. CISA Warns of Active Exploitation of Windows SMB Privilege Escalation Flaw (CVE-2025-33073)

The Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert for CVE-2025-33073, a Windows SMB privilege escalation vulnerability currently being exploited in the wild. While not yet directly tied to ransomware, similar vulnerabilities have been integrated into ransomware intrusion chains, enabling domain-level compromise.

Vulnerability Overview:
CVE-2025-33073 allows attackers to escalate privileges locally, potentially gaining full domain administrator access when chained with other exploits. The flaw affects Windows systems with SMB services enabled and poses heightened risk to enterprises with exposed or misconfigured SMB shares.

Impact:

• Domain compromise and lateral movement within enterprise networks.
• Potential exposure of sensitive data and Active Directory credentials.

Affected Regions / Sectors:

• Global exposure; particularly enterprise and critical infrastructure running Windows with SMB enabled.

Recommendations:

• Apply Microsoft’s latest security updates addressing CVE-2025-33073 immediately.
• Disable SMB exposure to the internet; restrict SMB to internal trusted networks only.
• Monitor EDR and SIEM alerts for anomalous privilege escalation events or SMB traffic patterns.

Reference:
• https://cyberpress.org/cisa-warns-smb-vulnerability/

11. Oracle Critical Patch Update (October 2025) – 170 CVEs Fixed Including Two Exploited EBS Zero-Days

Oracle’s October 2025 Critical Patch Update (CPU) addresses 170 vulnerabilities across 29 product families, including two zero-days (CVE-2025-61882 and CVE-2025-61884) actively exploited in the wild against Oracle E-Business Suite (EBS).

Vulnerability Overview:

• Total patches: 374 (12 Critical, 57 High, 91 Medium, 10 Low).
• Most affected products:
  • Oracle TimesTen In-Memory Database – 73 patches (47 remotely exploitable).
  • Oracle Spatial Studio – 64 patches (46 remotely exploitable).
  • Oracle E-Business Suite (EBS) – 20 patches (17 remotely exploitable).
• Exploited EBS flaws (CVE-2025-61882, CVE-2025-61884) allowed unauthenticated remote access and data theft.

Impact:

• Remote, unauthenticated compromise of enterprise Oracle systems.
• Data exfiltration, operational disruption, and potential integration into ransomware campaigns.

Affected Regions / Sectors:

• Global; organizations using Oracle EBS, TimesTen, or Spatial Studio.
• High-risk sectors: finance, manufacturing, retail, government.

Recommendations:

• Patch all affected Oracle products immediately per the October 2025 CPU advisory.
• Prioritize EBS, TimesTen, and Spatial Studio environments due to remote exploitability.
• For EBS, ensure both zero-days (CVE-2025-61882, CVE-2025-61884) are patched.
• Perform full asset discovery to identify Oracle software across environments.
• Segregate Oracle servers, enforce MFA, and monitor for anomalous database access.

Reference:
• https://www.tenable.com/blog/oracle-october-2025-critical-patch-update-addresses-170-cves

12. CISA Confirms Exploitation of Oracle EBS Zero-Day (CVE-2025-61884)

CISA has officially added CVE-2025-61884, a remote unauthenticated vulnerability in Oracle E-Business Suite, to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation.
According to recent reports, dozens of Oracle customers have suffered data theft and extortion attempts, allegedly by the Cl0p ransomware group.

Vulnerability Overview:

• CVE-2025-61884 allows remote attackers to access sensitive Oracle EBS data without authentication.
• CVE-2025-61882, initially believed to be exploited, may also be linked to ongoing campaigns.
• Victims reportedly include major academic, airline, and industrial institutions.

Impact:

• Data theft and extortion via leak sites.
• Exposure of sensitive corporate or customer data.

Affected Regions / Sectors:

• Global exposure.
• Confirmed victims: higher education, airline/transportation, and industrial sectors.

Recommendations:

• Apply Oracle’s patches for CVE-2025-61884 and CVE-2025-61882 immediately.
• If patching is delayed, isolate EBS systems, restrict access, and enforce MFA for privileged users.
• Investigate potential compromise and monitor for outbound exfiltration activity.
• Ensure backups are tested and securely stored offline.

Affected Products:

• Oracle E-Business Suite versions 12.2.3 – 12.2.14

Reference:
• https://www.securityweek.com/cisa-confirms-exploitation-of-latest-oracle-ebs-vulnerability/

13. 3,000 YouTube Videos Exposed as Malware Traps in Massive “Ghost Network” Operation

Security researchers at Check Point uncovered a large-scale malicious network dubbed the YouTube Ghost Network, which used over 3,000 compromised YouTube accounts to distribute malware under the guise of legitimate software or gaming content. The campaign, active since 2021, has seen its activity triple in 2025, exploiting user trust signals such as views, likes, and comments to lure victims.

Threat Overview:
The network abused compromised YouTube accounts to post tutorial-style videos promoting pirated software and Roblox game cheats, leading users to malware downloads hosted on platforms such as MediaFire, Dropbox, Google Drive, Google Sites, Blogger, and Telegraph.
Accounts within the network were organized by operational role:

• Video-accounts: Uploaded phishing videos with malicious links.
• Post-accounts: Published YouTube community posts containing malicious URLs.
• Interact-accounts: Liked and commented on videos to enhance credibility.

Malware Distributed:

• Lumma Stealer
• Rhadamanthys Stealer
• StealC Stealer
• RedLine Stealer
• Phemedrone Stealer
• Various Node.js-based loaders and downloaders

Notably, compromised channels such as @Sound_Writer (9,690 subscribers) and @Afonesio1 (129,000 subscribers) were hijacked to deliver Rhadamanthys malware via trojanized installers.

Impact:

• Large-scale malware distribution and credential theft via trusted platforms.
• Increased sophistication and persistence through a role-based operational model.
• Abuse of legitimate engagement mechanisms (likes, comments) to evade detection.

Recommendations:

• Avoid downloading software from unofficial video links or file-sharing services.
• Implement URL filtering and sandboxing on endpoints.
• Educate users about phishing through social and media platforms.
• Monitor for infection indicators tied to Lumma, Rhadamanthys, and related stealers.

Reference:
• https://thehackernews.com/2025/10/3000-youtube-videos-exposed-as-malware.html

14. Over 250 Magento Stores Compromised via Adobe Commerce Flaw (CVE-2025-54236 “SessionReaper”)

Researchers at Sansec have detected active exploitation of a critical Adobe Commerce / Magento Open Source vulnerability (CVE-2025-54236, CVSS 9.1) dubbed SessionReaper, leading to mass compromise of over 250 e-commerce stores within 24 hours.

Vulnerability Overview:
CVE-2025-54236 is an improper input validation flaw in the Commerce REST API, allowing attackers to hijack customer sessions and execute arbitrary code. Despite being patched in September 2025, 62% of Magento sites remain unpatched. Attackers are exploiting the flaw to upload PHP webshells or probe PHP configuration files via /customer/address_file/upload.

Observed Attack Activity:

• Originating IPs include:
  34.227.25[.]4, 44.212.43[.]34, 54.205.171[.]35, 155.117.84[.]134, 159.89.12[.]166
• Dropped payloads: PHP-based backdoors, information probes, and deserialization-based RCEs.
• Identified as a nested deserialization flaw, enabling remote code execution.

Impact:

• Account hijacking and webshell deployment on Magento/Adobe Commerce servers.
• Theft of customer and payment data.
• Potential integration into card skimming or ransomware chains.

Recommendations:

• Immediately patch Adobe Commerce / Magento systems to mitigate CVE-2025-54236.
• Audit file uploads and web directories for unauthorized PHP files.
• Implement Web Application Firewalls (WAFs) and disable unnecessary API endpoints.
• Monitor for unusual network activity originating from listed IPs.

Reference:
• https://thehackernews.com/2025/10/over-250-magento-stores-hit-overnight.html

15. Critical Lanscope Endpoint Manager Bug Exploited in Ongoing Attacks (CVE-2025-61932)

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed active exploitation of a critical vulnerability in Motex Lanscope Endpoint Manager (CVE-2025-61932, CVSS 9.3). The flaw allows attackers to execute arbitrary code through improper communication source verification in on-premises installations.

Vulnerability Overview:
CVE-2025-61932 affects Client Program and Detection Agent components in Lanscope versions 9.4.7.1 and earlier. Attackers can send crafted network packets to execute arbitrary code.
Confirmed exploitation was reported by Japan’s JPCERT/CC and JVN, where multiple customers received malicious packets exploiting the flaw.

Fixed Versions:

• 9.3.2.7
• 9.3.3.9
• 9.4.0.5 – 9.4.7.3

Impact:

• Remote code execution on affected systems.
• Potential installation of backdoors and unauthorized remote access.
• Confirmed exploitation within Japan-based enterprise environments.

Recommendations:

• Upgrade Lanscope Endpoint Manager to patched versions (9.4.7.3 or higher).
• Restrict access to Lanscope management interfaces.
• Monitor network logs for suspicious inbound traffic to Lanscope ports.
• Apply CISA’s KEV remediation deadline: November 12, 2025.

Reference:
• https://thehackernews.com/2025/10/critical-lanscope-endpoint-manager-bug.html

16. Google Identifies Three New Russian Malware Families Created by COLDRIVER Hackers

Google’s Threat Intelligence Group (GTIG) has uncovered three new malware families — NOROBOT, YESROBOT, and MAYBEROBOT — attributed to the Russia-linked APT group COLDRIVER (aka Star Blizzard, Callisto Group). The discovery signals an escalation in operational tempo and tooling sophistication since May 2025.

Threat Overview:
Following the public disclosure of COLDRIVER’s LOSTKEYS stealer in early 2025, the group pivoted to developing a modular “ROBOT” malware suite distributed through ClickFix-style HTML lures masquerading as CAPTCHA verification prompts. These social-engineering lures trick users into running malicious PowerShell commands through the Windows Run dialog.

• NOROBOT – First-stage loader DLL, executed via rundll32.exe, responsible for dropping next-stage payloads.
• YESROBOT – Python-based HTTPS backdoor for command retrieval and document exfiltration (limited observed deployments).
• MAYBEROBOT – Advanced PowerShell implant supporting command execution, file retrieval, and payload download from C2.

Technical Observations:

• Delivery chain uses an HTML lure “COLDCOPY” to deliver NOROBOT DLLs.
• Early versions installed full Python 3.8 environments — replaced in later builds with PowerShell implants for stealth.
• Malware evolution includes key splitting and cryptographic restructuring to evade detection.

Impact:

• Persistent espionage against NGOs, policy institutions, and high-value government targets.
• Advanced modular implants supporting multi-stage reconnaissance and exfiltration.
• Evidence of rapid development cycles (new variants within days of public exposures).

Recommendations:

• Block execution of PowerShell commands via Run dialog and restrict unsigned script execution.
• Inspect for NOROBOT- or MAYBEROBOT-related artifacts (e.g., suspicious rundll32 executions).
• Monitor for HTML attachments with ClickFix/COLDCOPY lure patterns.
• Implement EDR telemetry to detect lateral movement and PowerShell misuse.

Reference:
• https://thehackernews.com/2025/10/google-identifies-three-new-russian.html

17. Silver Fox Expands “Winos 4.0” Attacks to Japan and Malaysia via HoldingHands RAT

Researchers at Fortinet FortiGuard Labs report that the Chinese cybercrime group Silver Fox (aka SwimSnake, Valley Thief, Void Arachne) has broadened its Winos 4.0 operations to Japan and Malaysia, deploying a new remote access trojan (RAT) dubbed HoldingHands RAT.

Attack Overview:
Phishing campaigns deliver PDF documents posing as official tax or finance notices. Embedded links lead to ZIP archives that drop HoldingHands RAT through multi-stage loaders exploiting DLL side-loading of TimeBrokerClient.dll.

Technical Details:

• Initial infection: malicious PDFs → ZIP → executable → side-loaded DLL → sw.dat payload.
• Payload capabilities: anti-VM checks, process termination (Avast, Norton, Kaspersky), privilege escalation via TrustedInstaller impersonation, and persistence through Task Scheduler restarts.
• C2 Communication: maintains heartbeat every 60 seconds, supports arbitrary command execution, payload download, and dynamic C2 updates via Windows Registry entries.
• Related campaign “Operation Silk Lure” targets Chinese fintech and trading sectors using malicious .LNK résumé attachments to deploy Winos 4.0 via DLL loaders.

Impact:

• Espionage-focused intrusions targeting finance, tax, and government-related entities.
• System compromise with privilege escalation and data theft capabilities.
• Cross-regional expansion of a well-established Chinese threat ecosystem.

Recommendations:

• Block macro-enabled Office and embedded PDF links from untrusted senders.
• Deploy sandbox inspection for email attachments.
• Monitor for unauthorized scheduled tasks and side-loaded DLLs in C:\Windows\System32.
• Isolate infected systems and conduct forensic analysis for HoldingHands RAT artifacts.

Reference:
• https://thehackernews.com/2025/10/silver-fox-expands-winos-40-attacks-to.html

18. Researchers Uncover WatchGuard VPN Bug Allowing Remote Code Execution (CVE-2025-9242)

Security researchers from watchTowr Labs have detailed an out-of-bounds write vulnerability in WatchGuard Fireware OS (CVE-2025-9242, CVSS 9.3) that could allow unauthenticated remote code execution on affected VPN appliances.

Vulnerability Overview:
The flaw resides in the IKEv2 process (iked), where improper validation in ike2_ProcessPayload_CERT leads to stack buffer overflow during the IKE_SA_AUTH phase. The bug is exploitable before authentication and affects both mobile user VPN and branch office VPN configurations using dynamic gateways.

Affected Versions:

• Fireware 11.10.2 – 11.12.4_Update1
• Fireware 12.0 – 12.11.3
• Fireware 2025.1 (fixed in 2025.1.1)

Impact:

• Pre-auth remote code execution enabling complete device takeover.
• Potential for ransomware operators to exploit exposed perimeter VPNs.
• ~73,000 vulnerable instances observed globally (per Shadowserver).

Recommendations:

• Upgrade immediately to patched versions: 12.11.4 / 2025.1.1.
• Restrict IKEv2 exposure to trusted IP ranges.
• Monitor VPN logs for anomalous pre-auth IKE handshake failures.
• Implement intrusion prevention for IKEv2 exploit patterns.

Reference:
• https://thehackernews.com/2025/10/researchers-uncover-watchguard-vpn-bug.html

19. TP-Link Patches Four Omada Gateway Vulnerabilities, Two Allow Remote Code Execution

TP-Link has issued firmware updates for multiple Omada Gateway models, addressing four vulnerabilities (two critical) that allow arbitrary command execution and root privilege escalation.

Vulnerability Summary:

• CVE-2025-6541 (CVSS 8.6) – Authenticated OS command injection via web management.
• CVE-2025-6542 (CVSS 9.3) – Remote unauthenticated command injection.
• CVE-2025-7850 (CVSS 9.3) – Command injection via WireGuard VPN key parameter.
• CVE-2025-7851 (CVSS 8.7) – Improper privilege management enabling root SSH login.

Affected Devices:
ER8411, ER7412-M2, ER707-M2, ER7206, ER605, ER706W, ER706W-4G, ER7212PC, G36, G611, FR365, FR205, FR307-M2 (various firmware builds < October 2025).

Technical Insights:
Research from Forescout Vedere Labs found that partial fixes from earlier issues (CVE-2024-21827) introduced new attack paths. CVE-2025-7850 enables remote code execution without valid credentials; CVE-2025-7851 exposes hidden CLI functionality granting root SSH.

Impact:

• Full device compromise enabling network pivoting or interception.
• Elevated privileges and persistence via root shell access.
• Significant risk to enterprise and SMB deployments of Omada Gateways.

Recommendations:

• Apply latest firmware updates immediately.
• Disable unnecessary remote administration interfaces.
• Validate post-upgrade configurations and restrict SSH access.
• Conduct firmware integrity and vulnerability scans regularly.

Reference:
• https://thehackernews.com/2025/10/tp-link-patches-four-omada-gateway.html

20. Self-Spreading “GlassWorm” Infects VS Code Extensions in Massive Supply Chain Attack

Security researchers from Koi Security have uncovered a self-propagating malware campaign dubbed GlassWorm, which spreads autonomously through Visual Studio Code (VS Code) extensions on both the Open VSX Registry and the Microsoft Extension Marketplace. The campaign highlights a new era of self-replicating supply chain worms targeting developers and CI/CD ecosystems.

Threat Overview:
GlassWorm leverages Solana blockchain transactions and Google Calendar events for decentralized command-and-control (C2) communications—making the infrastructure resilient to takedowns. The worm conceals its malicious code using invisible Unicode characters (variation selectors), rendering payloads invisible in code editors.

Infection Mechanism:

• Compromised VS Code extensions inject hidden JavaScript payloads.
• The malware checks Solana blockchain transactions tied to attacker wallets.
• Base64-encoded data in transaction memos reveals C2 servers (217.69.3[.]218, 199.247.10[.]166).
• Payload retrieves “Zombi” module for secondary exploitation.
• Auto-update functionality in VS Code extensions ensures autonomous propagation.

Infected Extensions (partial list):

• codejoy.codejoy-vscode-extension (v1.8.3–1.8.4)
• SIRILMP.dark-theme-sm (v3.11.4)
• CodeInKlingon.git-worktree-menu (v1.0.9–1.0.91)
• grrrck.positron-plus-1-e (v0.0.71)
• cline-ai-main.cline-ai-agent (v3.1.3 – Microsoft Marketplace)
  (Total: 14 infected extensions; ~35,800 downloads)

Payload Capabilities:

• Credential and token theft (npm, GitHub, VSX).
• Cryptocurrency wallet draining (49 wallet types).
• SOCKS proxy and HVNC (Hidden VNC) deployment for remote control.
• Decentralized C2 distribution via BitTorrent DHT and WebRTC P2P.

Impact:

• Large-scale compromise of developer environments and CI/CD pipelines.
• Credential theft, supply chain poisoning, and cryptocurrency theft.
• Self-replicating worm capable of infecting the global developer ecosystem.

Recommendations:

• Immediately remove and reinstall affected VS Code extensions from verified sources.
• Disable auto-update in VS Code extensions temporarily until full cleanup.
• Audit developer environments for unauthorized network connections and malicious files.
• Rotate credentials (npm, GitHub, Open VSX) potentially exposed during compromise.
• Monitor for outbound connections to the listed IP addresses and blockchain-linked indicators.

Reference:
• https://thehackernews.com/2025/10/self-spreading-glassworm-infects-vs.html