Weekly Threat Landscape Digest – Week 44

HawkEye CSOC Dubai

This week’s threat landscape highlights the evolving sophistication of threat actors, who are increasingly targeting newly disclosed and unpatched vulnerabilities. From zero-day attacks to advanced phishing campaigns, their techniques continue to grow in complexity. To mitigate these risks, organizations must adopt a proactive, layered security approach. This includes timely patch management, continuous monitoring, and robust detection capabilities. Equally important is fostering a strong cybersecurity culture—one that is supported by real-time threat intelligence, ongoing awareness initiatives, and a well-defined incident response plan to minimize potential damage from emerging threats.

  1. Microsoft Azure & Microsoft 365 Outage Impacts Thousands (Including UAE Users)

Microsoft’s Azure and Microsoft 365 experienced a global outage, with spikes in UAE user reports observed on Downdetector between 8:00–8:30 pm local time. Microsoft confirmed investigations were underway, noting issues accessing the Azure Portal, Microsoft 365 admin center, and Outlook. The incident follows a recent AWS global outage, underscoring cloud dependency risks.

Details:

  • Azure user reports: ~16,600; Microsoft 365: ~9,000 (Downdetector).
  • Symptoms included Azure Portal access failures, Microsoft 365 admin center issues, Outlook add-in and network connectivity errors.
  • Microsoft stated it was reviewing impact across Azure and related services.

Impact:

  • Inability or delays accessing Azure/M365 services and admin portals.
  • Disruptions to Outlook connectivity and add-in functionality.
  • Operational slowdowns for enterprises relying on M365 and Azure services (global, incl. UAE).

Recommendations:

  • Avoid configuration/deployment changes until service stability is confirmed.
  • Use local/offline copies of critical docs and cached email.
  • Notify affected teams and activate continuity playbooks; monitor vendor status pages.

Reference:
https://www.khaleejtimes.com/business/tech/microsoft-azure-365-outage?_refresh=true

  2. Predatory Sparrow Hacktivist Attacks on Middle East Critical Infrastructure

The Predatory Sparrow group conducted destructive cyberattacks against railways, steel plants, and fuel distribution networks in Iran and Syria, reportedly using the “Meteor” wiper to paralyze operations and destroy data.

Details:

  • Targets: rail, steel, financial, and fuel infrastructure.
  • Tactics: wiper malware for destructive impact; likely multi-stage intrusions against IT/OT environments.

Impact:

  • Service disruptions at national scale (rail stations, fuel supply).
  • Cascading failures across interconnected operational networks.

Recommendations:

  • Test and harden backup/restore procedures (offline, immutable snapshots).
  • Deploy IDS/monitoring on OT/ICS; watch for wiper patterns (log tampering, NIC disable).
  • Enforce strict IT-OT segmentation; validate supplier/third-party component security.

Reference:
https://cybersecuritynews.com/predatory-sparrow-group-attacking-critical-infrastructure

  3. Malicious npm Packages Steal Developer Credentials Across Windows/macOS/Linux

Researchers identified 10 typosquatted npm packages (≈9,900 downloads) delivering a large multi-OS information-stealer targeting developer credentials, tokens, and keyrings.

Details:

  • Malicious names mimicking popular libraries: deezcord.js, dezcord.js, dizcordjs, etherdjs, ethesjs, ethetsjs, nodemonjs, react-router-dom.js, typescriptjs, zustand.js.
  • Attack chain: postinstall → install.js → obfuscated app.js opens a new terminal window → downloads ~24 MB PyInstaller stealer from 195.133.79[.]43 → exfiltrates system keyrings, browser creds, tokens.
  • Targets developers and CI/CD across Windows, macOS, Linux.

Impact:

  • Theft of credentials/SSH keys; developer and pipeline compromise.
  • Risk of unauthorized code changes and broader supply-chain intrusion.

Recommendations:

  • Immediately audit lockfiles and dependency trees; remove listed packages.
  • Rotate tokens/SSH keys; enforce scoped access and short-lived credentials.
  • Pin trusted versions; enable allow-lists and package provenance checks in CI/CD.
  • Monitor egress for 195.133.79[.]43 and related indicators.

Reference:
https://thehackernews.com/2025/10/10-npm-packages-caught-stealing.html

  4. WSUS Deserialization RCE Under Active Exploitation (CVE-2025-59287)

A deserialization flaw in Windows Server Update Services (WSUS) enables unauthenticated RCE via crafted requests to exposed WSUS servers (ports 8530/8531). Researchers report ~2,800 exposed instances and active exploitation.

Details:

  • Attackers scan for exposed WSUS endpoints and exploit them to gain SYSTEM privileges.
  • Threat includes malicious update distribution and lateral movement via trusted patch channels.

Impact:

  • Full compromise of enterprise update infrastructure; mass payload push to clients.
  • Elevated risk for large enterprises, service providers, and government networks.

Recommendations:

  • Apply Microsoft’s out-of-band patch for CVE-2025-59287 immediately.
  • If delayed: temporarily disable WSUS role, block 8530/8531, isolate Internet-facing WSUS.
  • Reboot post-patch; hunt for exploitation signs (unexpected PowerShell, suspicious outbound).
  • Ensure WSUS is not unnecessarily Internet-facing; review ACLs and proxy rules.

Affected Products:

  • Windows Server 2012/2012 R2/2016/2019/2022 (incl. 23H2 Core) and 2025 with WSUS role.

Reference:
https://cybersecuritynews.com/hackers-exploiting-microsoft-wsus-vulnerability/

  5. BIND 9 Recursive Resolver Cache-Poisoning (CVE-2025-40778)

A vulnerability in BIND 9 recursive resolvers allows off-path cache poisoning, enabling redirection of client traffic to attacker infrastructure.

Details:

  • The resolver accepts unsolicited DNS resource records in responses, breaking bailiwick enforcement.
  • Risk: phishing, MITM, supply-chain redirection at scale.
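
The bailiwick rule the vulnerability breaks, as an added example that is not BIND's code: a resolver that queried the servers of one zone may only cache records at or below that zone, and the filter below drops anything else from a constructed reply.

```python
"""Bailiwick filtering of DNS responses, the check CVE-2025-40778 concerns.

Added illustration, not BIND code. A resolver that asked the name servers of
one zone must discard any record in the reply that is not at or below that
zone; otherwise an off-path attacker can race unsolicited records for other
names into the cache. The sample reply below is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RR:
    name: str
    rtype: str
    rdata: str


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so comparisons are label-based."""
    return name.rstrip(".").lower()


def in_bailiwick(zone: str, name: str) -> bool:
    """True if `name` equals `zone` or is a subdomain of it.

    The check is label-boundary aware: 'notexample.com' is not under
    'example.com' even though it ends with the same characters.
    """
    z, n = normalize(zone), normalize(name)
    if z == "":  # the root zone is authoritative for everything
        return True
    return n == z or n.endswith("." + z)


def filter_response(zone: str, records: list[RR]) -> tuple[list[RR], list[RR]]:
    """Split a reply into records the resolver may cache and ones it must drop."""
    accepted, rejected = [], []
    for rr in records:
        (accepted if in_bailiwick(zone, rr.name) else rejected).append(rr)
    return accepted, rejected


# Constructed reply from a server authoritative for example.com. The last two
# records are the classic poisoning attempt: a delegation for an unrelated zone
# plus a glue address for it. A resolver that skips the bailiwick check would
# cache them and later send clients of bank.example.net to 203.0.113.5.
SAMPLE_REPLY = [
    RR("www.example.com.", "A", "192.0.2.10"),
    RR("example.com.", "NS", "ns1.example.com."),
    RR("ns1.example.com.", "A", "192.0.2.1"),
    RR("bank.example.net.", "NS", "ns.attacker.example."),
    RR("ns.attacker.example.", "A", "203.0.113.5"),
]

if __name__ == "__main__":
    ok, dropped = filter_response("example.com", SAMPLE_REPLY)
    for rr in ok:
        print("cache", rr)
    for rr in dropped:
        print("DROP ", rr)
```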

Impact:

  • ~706,000+ Internet-facing vulnerable resolvers; high risk for ISPs, telecoms, cloud providers, and large enterprises.

Recommendations:

  • Upgrade to 9.18.41, 9.20.15, 9.21.14 or later.
  • Restrict recursion to trusted clients; disable public recursion if not required.
  • Enable DNSSEC validation; monitor resolver logs and cache anomalies; apply rate-limits.

Affected Products:

  • BIND 9: 9.11.0–9.16.50, 9.18.0–9.18.39, 9.20.0–9.20.13, 9.21.0–9.21.12 (recursive only).

Reference:
https://nvd.nist.gov/vuln/detail/CVE-2025-40778

  6. Microsoft Issues Emergency Out-of-Band Windows Update as Attacks Begin

On October 26, 2025, Microsoft released an out-of-band update after attacks began exploiting newly patched vulnerabilities. Issues included WinRE malfunctions (e.g., USB keyboard/mouse failures) on Windows 11 that could hinder recovery.

Details:

  • Addresses critical issues introduced by KB5066835 for Windows 11 24H2/25H2; update KB5070773 (or later) required.
  • Unpatched Windows 10 systems remain at risk, especially those out of mainstream support.

Impact:

  • Potential inability to use recovery tools; increased risk of persistent compromise.
  • Immediate exploitation observed against unpatched systems.

Recommendations:

  • Apply emergency update via Windows Update/WSUS.
  • Verify KB5070773+ on Windows 11 24H2/25H2; accelerate Windows 10 migrations or ESU enrollment.
  • Test WinRE functionality post-patch; monitor endpoints for persistence indicators.

Reference:
https://www.forbes.com/sites/daveywinder/2025/10/26/act-now—microsoft-issues-emergency-windows-update-as-attacks-begin/

  7. Russian Ransomware Gangs Weaponize Open-Source AdaptixC2 for Advanced Attacks

The open-source command-and-control (C2) framework AdaptixC2 is increasingly being adopted by threat actors linked to Russian ransomware operations, including Fog and Akira groups. Originally developed as a red-teaming framework, AdaptixC2 has been repurposed for cybercrime, demonstrating the recurring trend of dual-use tool exploitation.

Details:

  • AdaptixC2, released in August 2024 by developer “RalfHacker”, is a Golang-based C2 server with a cross-platform C++/Qt GUI client.
  • Provides encrypted communications, command execution, credential and screenshot managers, and remote terminal control.
  • Threat actors linked to Russian underground channels use the framework in fake help-desk scams via Microsoft Teams, and in AI-generated PowerShell attack scripts.
  • Investigations by Silent Push revealed Telegram channels “AdaptixFramework” and “RalfHackerChannel” (28,000+ subscribers) promoting the tool.
  • Evidence suggests rising use of AdaptixC2 by Russian threat actors and initial access brokers delivering tools like CountLoader.

Impact:

  • Weaponization of legitimate red-team frameworks for real-world ransomware and espionage operations.
  • Increases the accessibility and stealth of post-exploitation activity among low-skill operators.

Recommendations:

  • Detect and block C2 traffic associated with AdaptixC2; monitor Golang-based C2 signatures.
  • Implement EDR rules for unauthorized PowerShell execution and Teams-based lures.
  • Limit external command-and-control communications at egress points.

Reference:
https://thehackernews.com/2025/10/russian-ransomware-gangs-weaponize-open.html

  8. New “Brash” Exploit Crashes Chromium Browsers Instantly with a Single URL

A vulnerability dubbed “Brash” in Chromium’s Blink rendering engine can crash Chrome and other Chromium-based browsers within seconds using a specially crafted URL.

Details:

  • Discovered by researcher Jose Pino, the flaw abuses uncontrolled document.title API updates, causing massive DOM mutation storms (up to 24M updates/sec).
  • The exploit proceeds in three phases:
    1. Hash generation – loads multiple 512-character strings to memory.
    2. Burst injection – executes consecutive title updates at 1 ms intervals.
    3. UI thread saturation – overworks the browser main thread, freezing the process.
  • The attack can include time-delayed triggers, functioning as a logic bomb capable of targeted disruption.
  • Affects all Chromium-based browsers: Chrome, Edge, Brave, Opera, Vivaldi, Arc, ChatGPT Atlas, and Perplexity Comet.
  • Firefox and Safari (WebKit) remain unaffected.

Impact:

  • Enables remote denial-of-service (DoS) through crafted web pages or malicious links.
  • Potential use in coordinated browser disruption or anti-analysis payloads.

Recommendations:

  • Avoid clicking untrusted URLs until a patch is released.
  • Administrators should enforce browser content filtering and sandbox isolation.
  • Monitor vendor advisories from Google for a remediation update.

Reference:
https://thehackernews.com/2025/10/new-brash-exploit-crashes-chromium.html

  9. PhantomRaven Malware Found in 126 npm Packages Stealing GitHub Tokens

Researchers uncovered a large-scale npm supply chain campaign dubbed PhantomRaven, involving 126 malicious packages stealing developer credentials and CI/CD secrets.

Details:

  • Detected by Koi Security, active since August 2025, totaling 86,000+ downloads.
  • Packages (e.g., op-cli-installer, unused-imports, polyfill-corejs3, eslint-comments) fetch dependencies from attacker-controlled domains such as packages.storeartifact[.]com.
  • Hidden Remote Dynamic Dependencies (RDD) bypass npm security checks—tools report “0 Dependencies” despite hidden payloads.
  • Upon installation, a pre-install hook triggers a payload that exfiltrates GitHub tokens, CI/CD environment data, system fingerprints, and IPs.
  • Exploits “slopsquatting” — registering packages with names hallucinated by LLMs to trick developers.

Impact:

  • Theft of sensitive environment secrets from developer machines.
  • Bypass of dependency scanners; delayed activation allows stealth infiltration.

Recommendations:

  • Audit npm dependencies for non-npmjs sources; remove suspicious packages.
  • Restrict outbound HTTP from developer endpoints.
  • Implement strict dependency allowlists and integrity verification in CI/CD.

Reference:
https://thehackernews.com/2025/10/phantomraven-malware-found-in-126-npm.html
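
One audit that covers both this item and the typosquatted-package item earlier in the digest, written for this digest rather than taken from either write-up: it scans a package-lock.json (lockfile v2/v3 format) for the listed typosquat names, for packages resolved from any host other than the public registry (which is how a remote dynamic dependency appears once installed), and for packages carrying install lifecycle scripts, the hook both campaigns rely on. The lockfile is constructed; the storeartifact host is the one named above.

```python
"""Audit an npm package-lock.json for the signals in this week's npm items.

Added example, not code from the cited research. Three checks:
  1. package names from the typosquat list in the earlier npm item;
  2. packages whose `resolved` URL is not on the public registry, which is
     how PhantomRaven's remote dynamic dependencies look once installed;
  3. packages flagged `hasInstallScript`, i.e. they run pre/post-install hooks.
The sample lockfile is constructed for illustration.
"""
import json
import sys
from urllib.parse import urlparse

TYPOSQUAT_NAMES = {
    "deezcord.js", "dezcord.js", "dizcordjs", "etherdjs", "ethesjs", "ethetsjs",
    "nodemonjs", "react-router-dom.js", "typescriptjs", "zustand.js",
}
# Hosts a lockfile is expected to resolve from; add a private mirror if used.
ALLOWED_HOSTS = {"registry.npmjs.org"}


def package_name(path: str) -> str:
    """'node_modules/a/node_modules/@s/b' -> '@s/b' (lockfile v2/v3 key form)."""
    return path.rsplit("node_modules/", 1)[-1]


def audit_lockfile(lock: dict) -> list[dict]:
    """Return one finding per (package, signal) pair."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if path == "":  # the root project entry, not a dependency
            continue
        name = package_name(path)
        resolved = meta.get("resolved", "")
        host = urlparse(resolved).hostname or ""
        if name in TYPOSQUAT_NAMES:
            findings.append({"package": name, "signal": "typosquat-name"})
        if resolved and host not in ALLOWED_HOSTS:
            findings.append({"package": name, "signal": "non-registry-source",
                             "host": host})
        if meta.get("hasInstallScript"):
            findings.append({"package": name, "signal": "install-script"})
    return findings


# Constructed lockfile: one typosquat with an install hook, one package from the
# PhantomRaven list that pulls a hidden dependency from the attacker host, and a
# clean package for contrast.
SAMPLE_LOCK = json.loads("""{
  "name": "demo-app", "lockfileVersion": 3, "packages": {
    "": {"name": "demo-app",
         "dependencies": {"zustand.js": "^1.0.0", "unused-imports": "^2.0.0"}},
    "node_modules/zustand.js": {
      "version": "1.0.3",
      "resolved": "https://registry.npmjs.org/zustand.js/-/zustand.js-1.0.3.tgz",
      "hasInstallScript": true
    },
    "node_modules/unused-imports": {
      "version": "2.0.1",
      "resolved": "https://registry.npmjs.org/unused-imports/-/unused-imports-2.0.1.tgz"
    },
    "node_modules/unused-imports/node_modules/helper-core": {
      "version": "0.0.1",
      "resolved": "http://packages.storeartifact.com/helper-core-0.0.1.tgz",
      "hasInstallScript": true
    },
    "node_modules/lodash": {
      "version": "4.17.21",
      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz"
    }
  }
}""")

if __name__ == "__main__":
    # Usage: python audit_lock.py [path/to/package-lock.json]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            lock = json.load(fh)
    else:
        lock = SAMPLE_LOCK
    for finding in audit_lockfile(lock):
        print(finding)
```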

  10. Russian Hackers Target Ukrainian Organizations Using Living-Off-the-Land Tactics

Russian-origin threat actors targeted Ukrainian government and business organizations using stealthy living-off-the-land (LotL) methods to exfiltrate data and maintain long-term persistence.

Details:

  • Investigation by Symantec and Carbon Black Threat Hunter Team identified web shell deployment via unpatched vulnerabilities.
  • LocalOlive web shell (previously used by Sandworm) leveraged to deliver payloads such as Chisel, plink, and rsockstun.
  • Intrusions included PowerShell commands that add antivirus exclusion paths, credential harvesting via registry dumps, and remote access via OpenSSH.
  • Attackers used dual-use tools (RDPclip, RDRLeakDiag, WinBox64) and scheduled tasks for persistence.
  • CERT-UA linked similar tactics to prior Sandworm campaigns.

Impact:

  • Persistent access and data theft from Ukrainian business and government networks.
  • Escalated geopolitical cyber activity attributed to Russian operators.

Recommendations:

  • Patch public-facing servers and disable unnecessary remote access.
  • Monitor for web shell artifacts, registry exports, and unauthorized scheduled tasks.
  • Implement PowerShell logging and enforce least-privilege access on domain accounts.
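
Detection logic for the artifacts this item names, as an added example that is not from the Symantec/Carbon Black report: a few rules run over constructed process-creation events. Assumed here are the pipe-separated event format, that the registry dumps take the reg.exe save/export form, and that a web shell surfaces as a shell spawned by the IIS worker process w3wp.exe.

```python
"""Rules for the living-off-the-land artifacts named in this item.

Added example, not from the cited report. The event format (pipe-separated
timestamp, host, parent image, image, command line) and all sample events are
constructed. The summary does not give the exact commands used, so each rule
matches the generic form of the technique it names: Defender exclusion changes
from PowerShell, registry hive dumps with reg.exe, scheduled task creation, and
a shell spawned by the IIS worker process (a common web shell artifact).
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    ts: str
    host: str
    parent: str
    image: str
    cmdline: str


def parse_event(line: str) -> ProcEvent:
    # maxsplit=4 keeps any '|' inside the command line intact
    ts, host, parent, image, cmdline = line.split("|", 4)
    return ProcEvent(ts, host, parent.lower(), image.lower(), cmdline)


# (rule name, parent-image regex or None, command-line regex)
RULES = [
    ("defender-exclusion-added", None,
     r"(?i)(Set|Add)-MpPreference\b.*-Exclusion(Path|Process|Extension)"),
    ("registry-hive-dump", None,
     r"(?i)\breg(\.exe)?\s+(save|export)\s+hklm\\(sam|security|system)\b"),
    ("scheduled-task-created", None,
     r"(?i)\bschtasks(\.exe)?\s+/create\b"),
    ("webserver-spawned-shell", r"w3wp\.exe$",
     r"(?i)\b(cmd|powershell|pwsh)(\.exe)?\b"),
]


def evaluate(ev: ProcEvent) -> list[str]:
    """Names of every rule the event matches, in RULES order."""
    hits = []
    for name, parent_re, cmd_re in RULES:
        if parent_re and not re.search(parent_re, ev.parent):
            continue
        if re.search(cmd_re, ev.cmdline):
            hits.append(name)
    return hits


def scan(lines: list[str]) -> list[tuple[str, str, str]]:
    """Return (timestamp, host, rule) for every alert across the events."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        alerts.extend((ev.ts, ev.host, rule) for rule in evaluate(ev))
    return alerts


# Constructed events: four from an intrusion on a web server, two benign.
SAMPLE_EVENTS = [
    r"2025-10-20T09:14:03Z|srv-web01|c:\windows\system32\inetsrv\w3wp.exe|"
    r"c:\windows\system32\cmd.exe|cmd.exe /c whoami",
    r"2025-10-20T09:15:41Z|srv-web01|c:\windows\system32\cmd.exe|"
    r"c:\windows\system32\windowspowershell\v1.0\powershell.exe|"
    r"powershell.exe -NoProfile -Command Add-MpPreference -ExclusionPath C:\ProgramData\svc",
    r"2025-10-20T09:16:02Z|srv-web01|c:\windows\system32\cmd.exe|"
    r"c:\windows\system32\reg.exe|reg save HKLM\SAM C:\ProgramData\svc\sam.hiv",
    r'2025-10-20T09:18:30Z|srv-web01|c:\windows\system32\cmd.exe|'
    r'c:\windows\system32\schtasks.exe|schtasks /create /tn "Updater" '
    r'/tr C:\ProgramData\svc\plink.exe /sc minute /mo 15',
    r"2025-10-20T09:20:00Z|ws-042|c:\windows\explorer.exe|"
    r"c:\windows\system32\notepad.exe|notepad.exe C:\Users\alice\notes.txt",
    r"2025-10-20T10:00:00Z|ws-042|c:\windows\system32\svchost.exe|"
    r"c:\windows\system32\reg.exe|reg query HKLM\SOFTWARE\Microsoft\Windows",
]

if __name__ == "__main__":
    for ts, host, rule in scan(SAMPLE_EVENTS):
        print(f"{ts} {host} ALERT {rule}")
```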

Reference:
https://thehackernews.com/2025/10/russian-hackers-target-ukrainian.html

  11. North Korea’s BlueNoroff Targets Web3 Sector via GhostCall and GhostHire Campaigns

The BlueNoroff subgroup of Lazarus Group has been linked to two concurrent malware operations — GhostCall and GhostHire — targeting blockchain, fintech, and Web3 companies worldwide.

Details:

  • GhostCall targets macOS users through Telegram-based social engineering and fake Zoom/Teams meeting invitations.
  • The infection chain uses malicious AppleScripts and a dropper named DownTroy, leading to multiple payloads: CosmicDoor, RooTroy, RealTimeTroy, SneakMain, and SysPhon.
  • GhostHire targets developers on Telegram posing as recruiters; victims are lured to download GitHub-hosted malicious projects with booby-trapped Go modules.
  • Payloads enable credential theft, environment scanning, file exfiltration, and full system control.
  • Kaspersky notes the actor’s increasing use of generative AI tools to enhance development speed and authenticity of lures.

Impact:

  • Credential and data theft from crypto and Web3 firms.
  • Multi-platform compromise across Windows, Linux, and macOS.
  • Advanced deception techniques exploiting professional networking trust.

Recommendations:

  • Warn employees of recruitment or investment scams involving compressed project files or SDK updates.
  • Block traffic to known C2 endpoints used by BlueNoroff malware families.
  • Review build environments for unauthorized Go modules or dependencies.

Reference:
https://thehackernews.com/2025/10/researchers-expose-ghostcall-and.html

  12. Microsoft Azure and 365 Copilot Outage Attributed to Configuration Error

Microsoft confirmed that a configuration error caused widespread outages across Azure and Microsoft 365 Copilot, impacting thousands of users globally on October 29, 2025.

Details:

  • Incident began at 16:00 UTC, disrupting services that rely on Azure Front Door (AFD).
  • Root cause: an inadvertent configuration change triggering latencies, timeouts, and access errors.
  • Microsoft reverted to the last known good configuration and manually rebalanced traffic to restore service.
  • Impacted services included: Azure Active Directory B2C, App Service, Databricks, SQL Database, Purview, Sentinel, Entra ID, Defender EASM, and Virtual Desktop.
  • Peak disruption: ~20,000 Azure and 11,500 Copilot users reporting failures (Downdetector).
  • Secondary impact affected Vodafone (UK), Heathrow Airport, Alaska Airlines, and Dutch rail systems due to dependency on Azure DNS infrastructure.

Impact:

  • Service interruptions across multiple Azure regions and dependent Microsoft 365 workloads.
  • Business operations disruption across aviation, telecom, and healthcare sectors.
  • Downtime lasting several hours before gradual recovery by 7:30 p.m. ET.

Recommendations:

  • Review business continuity plans for critical cloud dependencies.
  • Implement failover strategies across cloud providers to mitigate single-vendor risk.
  • Monitor Azure Service Health dashboards and subscribe to automatic outage alerts.

Reference:
https://cybernews.com/news/microsoft-azure-365-copilot-outage-configuration-error/

  13. F5 Networks Breach Impacts Government Clients, Expected to Weigh on Revenue

Cybersecurity firm F5 Networks disclosed a major breach involving persistent unauthorized access to internal systems, impacting its customers—including U.S. and U.K. government entities.

Details:

  • Attackers maintained long-term access to systems containing source code for core security products.
  • Attribution: China-backed threat actors, according to Reuters sources.
  • F5 confirmed that BIG-IP customers were most affected—some forced into rapid patching; a small subset experienced data exfiltration.
  • The company warned investors of sales disruption as customers paused deployments to assess exposure.
  • U.S. officials urged immediate remediation across federal networks.

Impact:

  • Possible compromise of critical network defense software used by governments and Fortune 500 firms.
  • Reputational and financial damage to F5, with shares dropping ~6% after-hours.
  • Risk of supply chain exploitation if source code tampering occurred.

Recommendations:

  • F5 customers should upgrade to the latest BIG-IP firmware and review for indicators of compromise.
  • Segment management interfaces and disable Internet exposure.
  • Conduct code integrity verification and monitor for anomalous administrative access.

Reference:
https://www.reuters.com/technology/f5-forecasts-first-quarter-revenue-below-estimates-2025-10-27/

  14. Palo Alto Networks Unveils AI-Driven Security Platforms to Counter Cyberattacks

Palo Alto Networks launched new AI-powered platforms to strengthen enterprise cyber defense, expanding automation and threat detection capabilities amid a surge in global breaches.

Details:

  • Introduced Cortex Cloud 2.0 and Prisma AIRS 2.0, integrating agentic AI automation and multi-cloud command visibility.
  • Prisma AIRS 2.0 includes technology from Protect AI, enabling protection of AI models from data poisoning and adversarial manipulation.
  • Cortex AgentiX agents trained on 1.2 billion real-world incidents, enabling adaptive incident response with human oversight.
  • CEO Nikesh Arora highlighted the need for AI to “find vulnerabilities in other AI systems.”
  • Announcement followed breaches at F5 and UnitedHealth Group, underscoring market demand for proactive AI-based defense tools.

Impact:

  • Strengthens Palo Alto’s market position in AI-driven security.
  • Reflects growing industry focus on AI-assisted defense automation.

Recommendations:

  • Evaluate integration of Prisma AIRS 2.0 within AI model lifecycle pipelines.
  • Align enterprise detection systems with agentic AI platforms for continuous monitoring.
  • Adopt human-in-the-loop oversight when using AI for security decision-making.

Reference:
https://www.reuters.com/business/media-telecom/palo-alto-launches-ai-driven-security-offerings-tackle-cyberattacks-2025-10-28/

  15. Chrome Zero-Day Exploited to Deliver Italian Spyware “LeetAgent” (CVE-2025-2783)

A Chrome zero-day vulnerability (CVE-2025-2783) was exploited in a targeted espionage campaign delivering LeetAgent, spyware developed by Italian vendor Memento Labs.

Details:

  • Vulnerability: Sandbox escape flaw (CVSS 8.3) used to achieve remote code execution.
  • Attack chain: phishing emails → malicious short-lived links → Chrome exploit → LeetAgent deployment.
  • Targets: media outlets, government agencies, universities, and financial institutions in Russia and Belarus.
  • Spyware capabilities include file theft, command execution, keylogging, and code injection.
  • Attribution: Operation ForumTroll, also tracked as TaxOff/Team 46, and linked to Prosperous Werewolf group.
  • Memento Labs confirmed one of its government clients misused an outdated Dante spyware version—now banned.

Impact:

  • Demonstrates ongoing misuse of commercial surveillance tools by state actors.
  • Highlights global proliferation of exploit-based spyware delivery chains.

Recommendations:

  • Apply Chrome updates patching CVE-2025-2783.
  • Restrict access to suspicious domains and short-lived tracking links.
  • Monitor browser processes for sandbox escape attempts and COM persistence patterns.

Reference:
https://thehackernews.com/2025/10/chrome-zero-day-exploited-to-deliver.html

  16. SideWinder Targets South Asian Diplomats Using New ClickOnce-Based Attack Chain

APT group SideWinder deployed a new ClickOnce-based malware delivery chain, targeting diplomatic entities in India, Sri Lanka, Pakistan, and Bangladesh.

Details:

  • Delivered spear-phishing emails from spoofed Ministry of Defense domains (e.g., mod.gov.bd.pk-mail[.]org).
  • Lures included documents titled “Inter-ministerial meeting Credentials.pdf” and “India-Pakistan Conflict Analysis.docx”.
  • Infection flow: malicious PDF → prompts “Adobe Reader update” → downloads signed ClickOnce app → sideloads rogue DLL (DEVOBJ.dll).
  • Payloads: ModuleInstaller (system profiler and loader) → StealerBot (steals credentials, screenshots, files).
  • Infrastructure hosted on filenest[.]live, with region-locked C2 traffic.

Impact:

  • Intelligence gathering from South Asian diplomatic missions and embassies.
  • Evasion via legitimate signing and dynamic path obfuscation.

Recommendations:

  • Block untrusted ClickOnce deployment domains and enforce strict application control.
  • Train diplomatic personnel to identify PDF/Word phishing with update prompts.
  • Monitor for StealerBot and ModuleInstaller indicators of compromise.

Reference:
https://thehackernews.com/2025/10/sidewinder-adopts-new-clickonce-based.html

  17. ChatGPT Atlas Browser Exploit Enables Persistent AI Memory Manipulation

Researchers identified a CSRF vulnerability in OpenAI’s ChatGPT Atlas browser that allows attackers to inject malicious instructions into the AI’s persistent memory, achieving cross-session compromise.

Details:

  • Exploit leverages a cross-site request forgery to write hidden instructions to ChatGPT memory.
  • Injected code persists across devices, sessions, and browsers, executing on subsequent prompts.
  • Enables attackers to perform code execution, privilege escalation, and data exfiltration without user awareness.
  • Comparison tests showed Atlas blocked only 5.8% of phishing attacks, far less than Chrome (47%) or Edge (53%).
  • Discovered by LayerX Security, dubbed “Tainted Memories” exploit.

Impact:

  • High-risk vulnerability affecting enterprise users of ChatGPT Atlas browser.
  • Enables long-term compromise of AI-driven workflows.

Recommendations:

  • Clear ChatGPT memory immediately if compromise suspected.
  • Restrict access to untrusted links while authenticated to ChatGPT.
  • Await OpenAI security patch; use alternative browsers for sensitive AI work.

Reference:
https://thehackernews.com/2025/10/new-chatgpt-atlas-browser-exploit-lets.html

  18. Qilin Ransomware Uses Linux Payload and BYOVD Exploit in Hybrid Attacks

The Qilin ransomware group (aka Agenda, Gold Feather, Water Galura) has launched hybrid attacks combining Linux payloads with bring-your-own-vulnerable-driver (BYOVD) exploits to bypass security defenses.

Details:

  • Active since 2022, Qilin operates as a ransomware-as-a-service (RaaS) model, averaging 40–100 victims per month throughout 2025.
  • Primary targets: manufacturing (23%), professional/scientific services (18%), and wholesale trade (10%) sectors across U.S., Canada, U.K., France, and Germany.
  • Affiliates gain access via leaked VPN credentials and use RDP for lateral movement.
  • Credential theft involves Mimikatz, BypassCredGuard, SharpDecryptPwd, and WebBrowserPassView.exe.
  • Tools abused for persistence and exfiltration: Cyberduck, Cobalt Strike, SystemBC, and RMM platforms (AnyDesk, ScreenConnect, Splashtop).
  • Linux variant deployed through Windows hosts using Splashtop Remote Service, enabling cross-platform encryption.
  • Attack chain includes use of eskle.sys (BYOVD exploit) to disable endpoint protection and COROXY SOCKS proxy to conceal C2 traffic.

Impact:

  • Cross-environment ransomware capable of encrypting both Windows and Linux systems.
  • Targeting of Veeam backups and hyperconverged infrastructure (Nutanix AHV) demonstrates sophisticated anti-recovery tactics.

Recommendations:

  • Patch vulnerable drivers and restrict kernel-level driver loading.
  • Harden RDP/VPN access and enforce MFA for admin accounts.
  • Implement EDR capable of detecting BYOVD and RMM misuse.
  • Protect backup infrastructure via isolation and credential rotation.

Reference:
https://thehackernews.com/2025/10/qilin-ransomware-combines-linux-payload.html

  19. Smishing Triad Linked to 194,000 Malicious Domains in Global Phishing Campaign

The China-linked Smishing Triad has registered over 194,000 malicious domains since January 2024 in a vast global phishing-as-a-service (PhaaS) operation.

Details:

  • Campaign impersonates postal, toll, financial, and government services to harvest credentials and payment data.
  • Domains primarily registered via Dominet (HK) Limited and hosted on U.S. cloud providers (mainly Cloudflare).
  • Roughly 71% of domains active for less than one week, aiding evasion through rapid churn.
  • Common lures: “toll violation,” “package delivery,” and “bank account alert.”
  • Financial damages exceed $1 billion over three years (WSJ).
  • Recent trend: increased focus on brokerage accounts for stock manipulation (“ramp and dump”).

Impact:

  • Massive mobile phishing exposure across finance, logistics, and public-sector users.
  • Expansion of PhaaS ecosystem involving kit developers, domain sellers, brokers, and spammers.

Recommendations:

  • Block domains registered under Dominet (HK) and monitor for fast-flux IP rotation.
  • Educate users to distrust SMS-based links and verify sources via official apps.
  • Implement mobile threat defense (MTD) to detect SMS phishing at device level.

Reference:
https://thehackernews.com/2025/10/smishing-triad-linked-to-194000.html

  20. APT36 Targets Indian Government Using Golang-Based DeskRAT Malware

Pakistan-based APT36 (Transparent Tribe) is conducting espionage operations against Indian government entities with a new Golang remote access trojan (RAT) dubbed DeskRAT.

Details:

  • Active campaigns observed in August–September 2025, with phishing emails delivering malicious .desktop files disguised as PDFs from the fake domain modgovindia[.]com.
  • Designed to target BOSS Linux systems, though cross-platform variants identified for Windows.
  • DeskRAT functions include file browsing, data exfiltration, persistence setup, and remote code execution over WebSocket-based C2.
  • C2 domains such as modgovindia[.]space:4000 act as stealth servers hidden from public DNS.
  • Overlaps with campaigns tracked by QiAnXin XLab using StealthServer variants for both Linux and Windows.
  • Broader context: parallel espionage from Bitter APT, SideWinder, OceanLotus, and Mysterious Elephant against regional targets.

Impact:

  • Cross-platform surveillance targeting Indian defense, government, and military communication channels.
  • Demonstrates Golang adoption for multi-OS payload flexibility.

Recommendations:

  • Block and monitor access to suspicious .desktop files and phishing domains.
  • Restrict outbound WebSocket traffic from endpoints.
  • Deploy behavioral detection for Golang binaries on Linux systems.

Reference:
https://thehackernews.com/2025/10/apt36-targets-indian-government-with.html

  21. ChatGPT Atlas Browser Vulnerable to Fake URL Prompt Injection Attacks

The ChatGPT Atlas browser has been found susceptible to a prompt injection technique that disguises malicious commands as URL-like strings, allowing attackers to execute hidden actions.

Details:

  • Discovered by NeuralTrust, the exploit abuses Atlas’s omnibox, which interprets inputs as either URLs or natural-language commands.
  • Crafted inputs (e.g. https://my-wesite.com/es/…+follow+this+instruction) bypass validation and are treated as trusted user intent.
  • Can redirect victims to attacker-controlled sites or execute file-deletion commands in linked services (e.g., Google Drive).
  • Attackers can embed such prompts in fake “Copy link” buttons on phishing pages.
  • Additional risk: AI Sidebar Spoofing, where fake AI assistant panels trick users into executing malicious actions.

Impact:

  • High-severity threat affecting AI browser security model.
  • Enables data exfiltration, malware installation, and persistent system compromise.

Recommendations:

  • Avoid entering unverified URLs or prompts in the Atlas omnibox.
  • Validate browser extensions and disable third-party sidebars.
  • OpenAI users should stay updated as Atlas hardens prompt parsing logic.

Reference:
https://thehackernews.com/2025/10/chatgpt-atlas-browser-can-be-tricked-by.html

  22. X (Twitter) Warns Security Key Users to Re-Enroll Before November 10

X (formerly Twitter) has urged users who use hardware security keys (e.g., YubiKey) for 2FA to re-enroll before November 10, 2025, to prevent lockouts caused by the domain migration.

Details:

  • The change migrates key associations from twitter[.]com to x[.]com, retiring the old domain.
  • Affected users include those using passkeys or hardware tokens; app-based 2FA remains unaffected.
  • Failure to re-enroll results in account lockout until re-registration or 2FA method change.
  • Steps: navigate to Settings → Security → Two-factor authentication → Security key and re-register under the new domain.

Impact:

  • Temporary risk of account lockouts for enterprise or government users relying on hardware-based authentication.

Recommendations:

  • Re-enroll 2FA security keys immediately.
  • Maintain alternative 2FA methods for redundancy.
  • Review organizational SSO configurations referencing twitter[.]com.

Reference:
https://thehackernews.com/2025/10/x-warns-users-with-security-keys-to-re.html

© 2025 HawkEye – Managed CSOC and XDR powered by DTS Solution. All Rights Reserved.