Cyber Security Week in Review: September 26, 2025


The UK National Cyber Security Centre (NCSC) has warned that state-sponsored hackers have exploited recently discovered zero-day vulnerabilities in Cisco firewalls to deliver new malware families named RayInitiator and LINE VIPER. The attacks, which began in May 2025, targeted Cisco ASA 5500-X Series devices and are linked to a threat group known as ArcaneDoor, believed to be associated with the China-linked group UAT4356 (aka Storm-1849). Cisco's investigation uncovered a memory corruption flaw in its Secure Firewall ASA Software which, when combined with other vulnerabilities (CVE-2025-20362, CVE-2025-20333), allowed attackers to bypass authentication, execute malicious commands, and potentially exfiltrate data.

In addition, the Australian Cyber Security Centre, the Canadian Centre for Cyber Security, and the US Cybersecurity and Infrastructure Security Agency (CISA) have released security advisories urging organizations to take protective measures against the malware campaign as soon as possible.

Cisco has also released fixes to address a code execution vulnerability (CVE-2025-20352) in its IOS and IOS XE Software that is currently being exploited in attacks.

Fortra has released security updates to address a vulnerability (CVE-2025-10035) in its GoAnywhere MFT software that could allow attackers to remotely execute commands through the product’s License Servlet. Cybersecurity firm watchTowr said it has evidence of “in-the-wild exploitation of Fortra GoAnywhere CVE-2025-10035 dating back to September 10, 2025. That is eight days before Fortra’s public advisory, published September 18, 2025”. For more details see watchTowr’s full report: part 1, part 2.

Italian cybersecurity firm Libraesva has issued a critical security update for its Email Security Gateway (ESG) solution, addressing a command injection vulnerability that has been actively exploited by a state-sponsored threat actor. The flaw, tracked as CVE-2025-59689, impacts ESG versions 4.5 through 5.5.x, up to but not including 5.5.7. The company confirmed that the issue stems from improper sanitization of active code within compressed email attachments. When exploited, it allows attackers to execute arbitrary shell commands as a non-privileged user.

SolarWinds has issued hotfixes to address a critical vulnerability (CVE-2025-26399) in its Web Help Desk software. The flaw, present in version 12.8.7 and earlier, involves the deserialization of untrusted data, potentially allowing attackers to execute arbitrary commands on affected systems. Users are strongly advised to apply the hotfixes immediately to mitigate the risk.

SonicWall has released a firmware update designed to help customers detect and remove rootkit malware found on its SMA 100 series devices, following targeted attacks by an advanced threat group. The update, version 10.2.2.2-92sv, introduces enhanced file-checking capabilities that can eliminate known malware components, including the OVERSTEP rootkit. The company urges all users of the SMA 100 series, including SMA 210, 410, and 500v models, to upgrade as soon as possible.

The Cybersecurity and Infrastructure Security Agency (CISA) has shared details of a security incident at an unnamed US federal agency in which hackers breached the organization’s network by exploiting a critical vulnerability in an unpatched GeoServer instance. The exploited flaw (CVE-2024-36401) is a remote code execution vulnerability that was patched on June 18, 2024. The attackers accessed two federal GeoServer servers within a month after the vulnerability was publicly disclosed.

Cloud security company Wiz says it has discovered active exploitation of a vulnerability in the Linux utility Pandoc, tracked as CVE-2025-51591. This Server-Side Request Forgery (SSRF) flaw allows attackers to inject a malicious HTML <iframe> element to target and access the AWS Instance Metadata Service (IMDS). The attacks are part of broader attempts to infiltrate cloud infrastructure via this flaw.
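The Pandoc item above describes an SSRF reached through a resource-loading HTML element. The following Python guard is an added example, not code from the original article, from Wiz, or from the Pandoc project: it scans untrusted HTML before it is handed to any converter that fetches remote resources, and flags elements whose source URL points at a link-local, loopback, or private address (including the AWS IMDS endpoints 169.254.169.254 and fd00:ec2::254, and the decimal-integer spelling of the IPv4 address). The set of tags and attributes treated as "fetching" (FETCHING_ATTRS) and the sample document are assumptions constructed for the example; the function names are hypothetical.

```python
"""Pre-conversion guard for untrusted HTML handed to a document converter.

Added example (not from the original article, Wiz, or Pandoc): before passing
user-supplied HTML to a converter that fetches remote resources, flag elements
whose URL points at a link-local, loopback, or private address such as the
AWS Instance Metadata Service (IMDS).
"""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed list of elements/attributes that cause a converter to fetch a resource.
FETCHING_ATTRS = {
    "iframe": ("src",),
    "img": ("src",),
    "object": ("data",),
    "embed": ("src",),
    "link": ("href",),
    "script": ("src",),
}

# Literal hosts that always denote the AWS metadata endpoint (IPv4 and IPv6).
METADATA_HOSTS = {"169.254.169.254", "fd00:ec2::254"}


def _is_internal_host(host: str) -> bool:
    """True if host is a literal IP in a link-local, loopback, private or reserved range."""
    if host in METADATA_HOSTS:
        return True
    try:
        # A bare decimal integer (e.g. "2852039166") is a legal IPv4 spelling that
        # browsers and many HTTP clients accept; normalise it before checking.
        ip = ipaddress.ip_address(int(host) if host.isdigit() else host)
    except ValueError:
        # A hostname rather than an IP literal; DNS-based tricks are out of scope here.
        return False
    return ip.is_link_local or ip.is_loopback or ip.is_private or ip.is_reserved


class ResourceRefCollector(HTMLParser):
    """Collects (tag, attribute, url) for every resource-loading element seen."""

    def __init__(self) -> None:
        super().__init__()
        self.refs: list[tuple[str, str, str]] = []

    def handle_starttag(self, tag, attrs):
        wanted = FETCHING_ATTRS.get(tag.lower())
        if not wanted:
            return
        for name, value in attrs:
            if name.lower() in wanted and value:
                self.refs.append((tag.lower(), name.lower(), value))


def find_internal_refs(html: str) -> list[tuple[str, str, str]]:
    """Return every fetching element whose URL resolves to an internal address."""
    parser = ResourceRefCollector()
    parser.feed(html)
    parser.close()
    flagged = []
    for tag, attr, url in parser.refs:
        try:
            host = urlsplit(url.strip()).hostname
        except ValueError:
            # Malformed URL (e.g. bad IPv6 brackets): treat as suspicious rather than skip.
            flagged.append((tag, attr, url))
            continue
        if host and _is_internal_host(host):
            flagged.append((tag, attr, url))
    return flagged


def is_safe_to_convert(html: str) -> bool:
    """Policy decision: refuse conversion if any internal reference is present."""
    return not find_internal_refs(html)


# Constructed sample input: one benign image, three internal references in
# different spellings, and a plain link that a converter would not fetch.
SAMPLE_HTML = """
<h1>Quarterly report</h1>
<img src="https://example.com/logo.png">
<iframe src="http://169.254.169.254/latest/meta-data/"></iframe>
<iframe src="http://[fd00:ec2::254]/latest/meta-data/"></iframe>
<object data="http://2852039166/latest/meta-data/"></object>
<a href="http://169.254.169.254/">plain link, not fetched by the converter</a>
"""

if __name__ == "__main__":
    for tag, attr, url in find_internal_refs(SAMPLE_HTML):
        print(f"blocked <{tag} {attr}={url!r}>")
    print("safe to convert:", is_safe_to_convert(SAMPLE_HTML))
```

This guard is a pre-filter, not a substitute for converter-side controls: Pandoc's `--sandbox` option restricts readers and writers to the files named on the command line, and requiring IMDSv2 session tokens on the instance (`aws ec2 modify-instance-metadata-options --http-tokens required`) stops a plain GET from an injected element from reaching metadata even if the filter is bypassed.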

A suspected Chinese state-sponsored hacker group is believed to be behind a cyber espionage campaign targeting US organizations in the technology, legal, SaaS, and BPO sectors, according to Google Threat Intelligence Group (GTIG). The attackers used a Go-based backdoor known as “Brickstorm,” first detected in April 2024, to infiltrate systems and exfiltrate sensitive data. The malware remained undetected for an average of 393 days and was primarily deployed on edge devices lacking endpoint detection, such as VMware vCenter and ESXi. Brickstorm offers extensive functionality, including acting as a web server, proxy, remote shell, and more.

North Korean threat actors behind the Contagious Interview campaign (DEV#POPPER, UNC5342, Famous Chollima, Void Dokkaebi) have been linked to a new backdoor called AkdoorTea, along with tools like TsunamiKit and Tropidoor, according to ESET, which tracks the group as DeceptiveDevelopment. The campaign targets software developers in crypto and Web3 across Windows, macOS, and Linux, using fake job offers on platforms like LinkedIn and Upwork. Victims are tricked into completing coding tasks or video assessments that lead to malware installation. Delivered malware includes BeaverTail, InvisibleFerret, OtterCookie, GolangGhost, and PylangGhost.

Zscaler ThreatLabz has uncovered a new multi-stage ClickFix campaign potentially targeting Russian civil society groups, NGOs, and think tanks. The operation is believed to be the work of the Russia-linked advanced persistent threat (APT) group Coldriver, also known as Star Blizzard, Callisto, and UNC4057. The multi-stage approach represents an evolution in Coldriver's tactics, which previously relied mostly on credential phishing.

In a separate report, Zscaler examines a new malware family tracked as YiBackdoor, first observed in June 2025. The malware contains significant code overlaps with IcedID and Latrodectus. While it’s not clear yet how these malware families are connected, the researchers believe YiBackdoor may be used in conjunction with Latrodectus and IcedID during attacks. YiBackdoor enables threat actors to collect system information, capture screenshots, execute arbitrary commands, and deploy plugins.

An Iranian government-linked threat actor, tracked as Nimbus Manticore by Check Point Research, is conducting a long-term espionage campaign targeting defense manufacturing, telecommunications, and aviation sectors aligned with IRGC interests. The activity overlaps with other known operations like UNC1549, Smoke Sandstorm, and the “Iranian Dream Job” campaigns. Recently, the group has intensified its focus on Western Europe, more specifically Denmark, Sweden, and Portugal. Using impersonated brands from aerospace and defense industries, the attackers lure victims through spear-phishing emails disguised as job offers.

Palo Alto Networks' Unit 42 analyzes Bookworm, a well-known malware family used by the Chinese Stately Taurus APT group, active since at least 2012. The group conducts cyber-espionage campaigns targeting government and commercial entities across Europe and Asia.

A suspected Chinese state-sponsored cyber espionage group RedNovember (also tracked by Microsoft as Storm-2077) has been targeting government and private sector organizations across Africa, Asia, North America, South America, and Oceania. Initially monitored by Recorded Future as TAG-100, the group operated between June 2024 and July 2025, focusing on compromising perimeter appliances to gain initial access. RedNovember used tools like the Go-based backdoor Pantegana and Cobalt Strike in its operations, targeting devices such as SonicWall, Cisco ASA, F5 BIG-IP, Palo Alto GlobalProtect, Sophos SSL VPN, Fortinet FortiGate, Outlook Web Access (OWA), and Ivanti Connect Secure (ICS) VPNs.

Microsoft Threat Intelligence has discovered a new variant of the XCSSET malware, which targets Xcode projects used by macOS and Apple developers. This variant comes with key updates, including enhanced browser targeting (now including Firefox), improved clipboard hijacking, and additional persistence via LaunchDaemon entries. It also uses sophisticated encryption, obfuscation, and stealthy execution methods such as run-only compiled AppleScripts. The malware spreads by infecting shared Xcode project files.

Microsoft also said it discovered an unrelated credential phishing campaign that likely leveraged AI-generated code to evade detection. The attackers used a large language model (LLM) to help obfuscate malicious content within an SVG file, embedding business-related language and synthetic code structures to disguise the payload and bypass traditional security defenses.

Cyber assessment company Outpost24 has published a deep-dive into the activities of the pro-Palestinian hacktivist group zerodayx1, which has recently launched its own Ransomware-as-a-Service (RaaS) operation called ‘BQTLock.’ Active since at least 2023 and likely Lebanese, zerodayx1 initially focused on DDoS and defacement attacks but has evolved toward data exfiltration. While BQTLock includes ransom demands, the group’s actions suggest that its motivation is ideological rather than financial.

Two malicious Rust packages, faster_log and async_println, with nearly 8,500 combined downloads, were found stealing cryptocurrency private keys and other sensitive data from developers' systems. Published on Crates.io on May 25, the packages were discovered by security firm Socket, which reported them to the platform. Crates.io removed the packages and suspended the associated accounts, rustguruman and dumbnbased, on September 24.

A new disinformation campaign targeting Moldova’s upcoming elections on September 28, 2025, has been uncovered, with analysts linking it to a previous Russian propaganda effort from 2022. The connection was made through a unique technical fingerprint found across multiple disinformation websites, which also links to absatz[.]media, a known Russian propaganda outlet, whose editor-in-chief is believed to be Mikhail Shakhnazarov, sanctioned in Ukraine for spreading pro-Russian narratives.

In a separate action, Moldovan law enforcement agencies have raided a media company suspected of spreading Russian propaganda and being illegally financed by the outlawed political party of fugitive oligarch Ilan Șor.

In the meantime, Dominican authorities have arrested Dmitrii Novikov, a 25-year-old Russian linked to the Kremlin-backed “Lakhta” project, for leading a digital disinformation and cyber-influence network. Novikov allegedly used social media manipulation to spread political disinformation in the region, while concealing his identity as a Russian national. He reportedly received funding via cryptocurrencies and may be connected to money laundering and arms trafficking.

Ukraine’s Security Service (SBU) has detained two Russian agents in the Kyiv region who were involved in covert operations helping Russia’s military drone attacks on Ukraine. According to the investigation, the suspects, both residents of the capital region, one of whom is a former law enforcement officer, were acting on instructions from Russia’s Federal Security Service (FSB). Their main task was to procure and smuggle Ukrainian SIM cards to Russia, where they were used to enhance the communication and navigation systems of Russian combat drones.

In a five-month global operation called HAECHI VI, Interpol and law enforcement agencies from 40 countries seized over $439 million in cash and cryptocurrency linked to cyber-enabled financial crimes. The crackdown, spanning April to August 2025, targeted various scams including phishing, investment fraud, online sextortion, and money laundering linked to illegal gambling. Authorities confiscated 400 cryptocurrency wallets and froze more than 68,000 bank accounts connected to these crimes, protecting thousands of victims worldwide.

Separately, a major police operation across Europe dismantled a cryptocurrency investment fraud scheme. As part of the operation, five suspects were arrested, including the alleged main perpetrator behind the scam. Via an online investment platform, he defrauded over a hundred victims in Germany, France, Italy, and Spain, among other countries, of at least 100 million euros.

The UK's National Crime Agency arrested a suspect connected to a ransomware attack that disrupted multiple European airports. The cyberattack targeted Collins Aerospace's MUSE passenger processing software. The suspect was released on conditional bail as the investigation continues.
