Cyber Security Week in Review: October 10, 2025

Google security researchers said that the Clop extortion gang has stolen data from ‘dozens of organizations’ by exploiting multiple vulnerabilities in Oracle’s E-Business Suite (EBS) software. One of the flaws, tracked as CVE-2025-61882, lies in the BI Publisher Integration component of the Oracle EBS Concurrent Processing module and allows unauthenticated attackers to execute code remotely on vulnerable systems. The campaign, which began as early as July 10, went undetected for months before the gang started sending extortion emails to corporate executives. Although Oracle initially said the issue had been addressed by earlier patches, the company later acknowledged that attackers were exploiting a zero-day vulnerability that allows unauthenticated access over a network.

A critical vulnerability in Fortra’s GoAnywhere Managed File Transfer (MFT) tool is being actively exploited to launch ransomware attacks. The flaw, tracked as CVE-2025-10035, affects the License Servlet of the GoAnywhere MFT Admin Console. It allows an attacker who can forge the license response signature to make the server deserialize an attacker-controlled object, potentially leading to remote code execution (RCE). According to Microsoft, the vulnerability was exploited as a zero-day by a threat group it tracks as ‘Storm-1175’ from September 11, a full week before Fortra released a patch on September 18. Fortra has also published the results of its investigation into CVE-2025-10035.

SonicWall has confirmed that every customer using its cloud backup service to store firewall configuration files was affected by a recent data breach. The breach occurred in early September and was disclosed weeks later; SonicWall initially estimated that fewer than 5% of customers were impacted. An update on October 8, however, revealed that threat actors accessed the configuration files of all firewalls backed up to the MySonicWall cloud service.

Threat actors are actively exploiting a critical vulnerability (CVE-2025-11371) in Gladinet CentreStack and TrioFox. The flaw is an unauthenticated local file inclusion bug that exposes sensitive system files and affects all versions up to and including 16.7.10368.56560. Huntress first detected the attacks on September 27, 2025, and confirmed that three of its customers have been impacted.

Researchers at cybersecurity firm StrikeReady have uncovered a campaign targeting users of Zimbra Collaboration Suite (ZCS) that exploits a cross-site scripting (XSS) vulnerability through calendar invite (.ICS) files. The flaw, tracked as CVE-2025-27915, was used in attacks earlier this year, months before a fix was publicly released. It affects ZCS versions 9.0, 10.0, and 10.1 and stems from insufficient sanitization of HTML content carried inside ICS attachments.
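
The root cause described above is a calendar client rendering HTML that arrived inside an ICS attachment. As an added example (not StrikeReady's or Zimbra's code), the following Python scans an incoming .ics file for markup and script in its text-bearing properties, which is the content a mail gateway or calendar client has to strip or reject before rendering. SAMPLE_ICS is constructed for illustration, and the property list and indicator patterns are this example's own choices rather than anything taken from the campaign.

```python
"""Flag HTML and script inside an iCalendar (.ics) invite (added example, not
StrikeReady's or Zimbra's code). SAMPLE_ICS is constructed, not a real artefact."""
import re

# Properties whose values a calendar UI renders as text (or as HTML, for X-ALT-DESC).
TEXT_PROPS = {"SUMMARY", "DESCRIPTION", "LOCATION", "COMMENT", "X-ALT-DESC"}

INDICATORS = {
    "html_tag": re.compile(r"<\s*/?\s*[a-z][a-z0-9-]*[^>]*>", re.I),
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),      # onerror=, ontoggle=, ...
    "javascript_url": re.compile(r"javascript\s*:", re.I),
    "encoded_payload": re.compile(r"\batob\s*\(|[A-Za-z0-9+/]{80,}={0,2}"),
}


def unfold(ics: str) -> list:
    """Join RFC 5545 folded lines (a leading space or tab continues the previous line)."""
    lines = []
    for raw in ics.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]
        elif raw:
            lines.append(raw)
    return lines


def unescape(value: str) -> str:
    """Undo RFC 5545 TEXT escaping so escaped markup is visible to the scan."""
    return re.sub(r"\\([\\;,nN])",
                  lambda m: "\n" if m.group(1) in "nN" else m.group(1), value)


def parse_events(ics: str) -> list:
    """Return one dict per VEVENT holding its text-bearing properties."""
    events, current = [], None
    for line in unfold(ics):
        if line == "BEGIN:VEVENT":
            current = {}
        elif line == "END:VEVENT" and current is not None:
            events.append(current)
            current = None
        elif current is not None and ":" in line:
            head, value = line.split(":", 1)
            name = head.split(";", 1)[0].upper()  # drop parameters such as FMTTYPE=text/html
            if name in TEXT_PROPS:
                current[name] = unescape(value)
    return events


def scan_ics(ics: str) -> list:
    """List (event index, property, matched indicators) for every suspicious value."""
    findings = []
    for idx, event in enumerate(parse_events(ics)):
        for prop, text in event.items():
            hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
            if hits:
                findings.append({"event": idx, "property": prop, "indicators": hits})
    return findings


# Constructed sample: a benign description plus an HTML alternative description
# carrying an inline event handler, folded across two lines as ICS allows.
SAMPLE_ICS = "\r\n".join([
    "BEGIN:VCALENDAR",
    "VERSION:2.0",
    "PRODID:-//constructed//sample//EN",
    "BEGIN:VEVENT",
    "UID:constructed-1@example.invalid",
    "DTSTART:20250301T090000Z",
    "SUMMARY:Quarterly review",
    "DESCRIPTION:Agenda attached\\, see below.",
    "X-ALT-DESC;FMTTYPE=text/html:<html><body><img src=x onerror=\"alert(",
    " document.domain)\"></body></html>",
    "END:VEVENT",
    "END:VCALENDAR",
    "",
])

if __name__ == "__main__":
    for finding in scan_ics(SAMPLE_ICS):
        print(finding)
```

Unfolding before matching matters: a payload split across continuation lines would otherwise slip past a line-oriented pattern, and the same applies to RFC 5545 escaping, which is why the scan runs on the unescaped value.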

The Redis project released a security update to fix CVE-2025-49844, also known as ‘RediShell’, a flaw that allows remote attackers to execute malicious code and potentially take over affected systems. The bug affects all Redis versions released over the past 13 years. Researchers also reported that nearly 330,000 Redis instances are exposed online, around 60,000 of them without any authentication.
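
Because the paragraph above reports tens of thousands of Redis servers reachable without authentication, here is an added example (not code from the Redis project or from the researchers who counted the exposed instances) that checks a single endpoint the way a scanner would. It speaks the RESP wire protocol directly, sends an unauthenticated PING followed by a harmless `EVAL "return 1" 0`, and classifies the replies. The EVAL probe is included because the RediShell bug is reached through the server-side Lua scripting engine, a detail from the CVE write-up rather than from this page. The target host and port, and the sample replies used to exercise the classifier, are assumptions.

```python
"""Unauthenticated-access probe for a Redis endpoint (added example, not Redis
project code). Speaks RESP directly so no client library is needed."""
import socket
import sys


def encode_command(*args: str) -> bytes:
    """Encode a command as a RESP array of bulk strings, as redis-cli does."""
    parts = [f"*{len(args)}\r\n".encode()]
    for arg in args:
        raw = arg.encode()
        parts.append(b"$%d\r\n%s\r\n" % (len(raw), raw))
    return b"".join(parts)


def _decode(data: bytes, pos: int):
    """Decode one RESP value starting at pos; return (value, next_pos)."""
    kind = data[pos:pos + 1]
    end = data.index(b"\r\n", pos)
    line = data[pos + 1:end].decode()
    nxt = end + 2
    if kind == b"+":
        return ("status", line), nxt
    if kind == b"-":
        return ("error", line), nxt
    if kind == b":":
        return ("int", int(line)), nxt
    if kind == b"$":
        n = int(line)
        if n < 0:                       # null bulk string
            return ("bulk", None), nxt
        return ("bulk", data[nxt:nxt + n].decode()), nxt + n + 2
    if kind == b"*":
        items = []
        for _ in range(int(line)):
            item, nxt = _decode(data, nxt)
            items.append(item)
        return ("array", items), nxt
    raise ValueError(f"unexpected RESP type byte {kind!r}")


def decode_reply(data: bytes):
    """Decode the first reply in a server response."""
    return _decode(data, 0)[0]


def classify_ping_reply(reply: bytes) -> str:
    """Turn the answer to an unauthenticated PING into a finding."""
    kind, value = decode_reply(reply)
    if kind == "status" and value == "PONG":
        return "OPEN: commands accepted without AUTH"
    if kind == "error" and value.startswith("NOAUTH"):
        return "AUTH-REQUIRED: requirepass or ACLs enforced"
    if kind == "error" and value.startswith("DENIED"):
        return "PROTECTED-MODE: server refuses non-loopback clients"
    return f"UNKNOWN: {kind} {value!r}"


def eval_reachable(reply: bytes) -> bool:
    """True if the server ran `EVAL "return 1" 0`, i.e. Lua scripting is exposed."""
    return decode_reply(reply) == ("int", 1)


def _exchange(sock: socket.socket, *cmd: str) -> bytes:
    sock.sendall(encode_command(*cmd))
    return sock.recv(65536)


def probe_redis(host: str, port: int = 6379, timeout: float = 3.0) -> dict:
    """Connect once, send PING then a harmless EVAL, and report both results."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        ping = classify_ping_reply(_exchange(sock, "PING"))
        scripting = ping.startswith("OPEN") and eval_reachable(
            _exchange(sock, "EVAL", "return 1", "0"))
    return {"host": host, "port": port, "auth": ping, "eval_without_auth": scripting}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # assumed default target
    print(probe_redis(target))
```

A result of `OPEN` with `eval_without_auth` true is the worst case the paragraph describes: anyone who can reach the port can run Lua on the server. Fixing it means setting `requirepass` or ACL users, keeping `protected-mode yes`, and not binding Redis to a public interface, in addition to installing the patched release.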

Threat actors are abusing the Velociraptor digital forensics and incident response (DFIR) tool to deploy LockBit and Babuk ransomware. Cisco Talos attributes the attacks with medium confidence to the China-based group tracked as Storm-2603. The attackers deployed an outdated version of Velociraptor vulnerable to CVE-2025-6264, a privilege escalation flaw that allows arbitrary command execution and full control of the host.

LAB52 has discovered a new Outlook backdoor, which it links to the Russia-aligned threat actor known as APT28 or Fancy Bear. The backdoor, dubbed ‘NotDoor’ after the word “Nothing” that appears in its code, is a VBA macro that turns Outlook into a stealthy remote-access and data-exfiltration channel.

The Russia-aligned hacktivist group TwoNet was tricked into attacking a honeypot posing as a water treatment utility. Believing the system was real, the group claimed responsibility on its Telegram channel. Using default administrator credentials, TwoNet logged into the HMI, attempted to enumerate its database, and created a user account named ‘BARLATI’ for persistent access. The attack, traced to a German IP address, was carried out from Firefox on Linux. Active since January 2025, TwoNet had previously focused on DDoS attacks using the MegaMedusa Machine tool.

OpenAI said it has disrupted three coordinated activity clusters abusing ChatGPT for malicious purposes, including malware development and phishing operations. The company said the operations originated from Russia, North Korea, and China and involved efforts to build or improve tooling for cyberattacks.

Threat actors believed to be linked to China are misusing Nezha, a legitimate open-source monitoring tool, to launch cyberattacks. The tool is being used to deliver Gh0st RAT, a malware family that gives attackers remote control of infected computers.

According to cybersecurity firm Recorded Future, the Chinese technology company Beijing Institute of Electronics Technology and Application (BIETA) is likely operating under the direction of China’s Ministry of State Security (MSS). The report highlights that at least four BIETA affiliates, Wu Shizhong, He Dequan, You Xingang, and Zhou Linna, have confirmed or potential links to MSS operatives. BIETA also maintains a long-standing relationship with the University of International Relations, believed to be connected to the MSS. Additionally, BIETA and its subsidiary, Beijing Sanxin Times Technology Co., Ltd. (CIII), are reportedly involved in activities that "almost certainly" support Chinese intelligence, counterintelligence, and military operations.

A China-aligned threat group known as UTA0388 has been linked to spear-phishing campaigns against targets in North America, Asia, and Europe. The attacks deploy a Go-based malware implant called Govershell. The campaigns use fake personas posing as senior researchers from fictional organizations to trick victims into downloading malicious files, with lures written in several languages, including English, Chinese, Japanese, French, and German.

Attackers are now bundling the social engineering technique known as ClickFix into easy-to-use phishing kits that trick victims into manually running malware such as info-stealers and RATs. Palo Alto Networks’ Unit 42 discovered a kit named ‘IUAM ClickFix Generator’ that creates convincing phishing pages mimicking browser verification checks and includes features such as OS detection and clipboard injection. At least one campaign using this kit has been linked to the deployment of the DeerStealer malware.
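
The kit features listed above (a fake browser check, OS detection, and a command staged into the clipboard for the victim to paste) are also the traits a defender can key on. The following is an added example, not code from the IUAM ClickFix Generator or from Unit 42: a heuristic scanner that scores fetched HTML for those traits and, where the page uses a string literal or a simple variable, pulls out the staged command so an analyst can see what the victim would have pasted. SAMPLE_PAGE is constructed, and the indicator patterns and score threshold are this example's own choices.

```python
"""Heuristic detection of ClickFix-style landing pages (added example, not the
kit's code or Unit 42's). SAMPLE_PAGE is constructed for illustration."""
import re

INDICATORS = {
    # the command is written to the clipboard by script
    "clipboard_write": re.compile(
        r"navigator\.clipboard\.writeText|execCommand\(\s*['\"]copy['\"]\s*\)", re.I),
    # page tailors the lure or payload to the visitor's OS
    "os_detection": re.compile(r"navigator\.(?:userAgent|platform|userAgentData)", re.I),
    # fake anti-bot / browser verification wording
    "fake_check": re.compile(
        r"verify (?:you are|you're) human|checking your browser|verification step", re.I),
    # instructions to paste into the Run box or a terminal
    "paste_instruction": re.compile(
        r"win\s*\+\s*r|ctrl\s*\+\s*v|run dialog|paste .{0,40}terminal", re.I),
    # a shell or LOLBin named in the page source
    "shell_payload": re.compile(
        r"powershell|mshta|cmd(?:\.exe)?\s*/c|curl [^\n]*\|\s*(?:ba)?sh\b", re.I),
}
THRESHOLD = 4  # assumed cut-off; tune against your own legitimate challenge pages


def score_page(html: str) -> dict:
    """Score a page on the indicators; clipboard write + paste instruction is the core pair."""
    hits = {name: bool(rx.search(html)) for name, rx in INDICATORS.items()}
    score = sum(hits.values())
    if hits["clipboard_write"] and hits["paste_instruction"]:
        score += 2
    verdict = "clickfix-likely" if score >= THRESHOLD else "inconclusive"
    return {"hits": hits, "score": score, "verdict": verdict}


def extract_clipboard_payload(html: str):
    """Return the string handed to writeText(), resolving one level of variable."""
    literal = re.search(r"writeText\(\s*(['\"])(.*?)\1\s*\)", html, re.S)
    if literal:
        return literal.group(2)
    by_var = re.search(r"writeText\(\s*([A-Za-z_$][\w$]*)\s*\)", html)
    if by_var:
        assign = re.search(
            r"(?:var|let|const)\s+" + re.escape(by_var.group(1)) + r"\s*=\s*(['\"])(.*?)\1\s*;",
            html, re.S)
        if assign:
            return assign.group(2)
    return None  # built at runtime (concatenation, atob, etc.); needs manual review


# Constructed sample page with the traits a ClickFix lure combines.
SAMPLE_PAGE = """<html><body>
<h1>Verify you are human</h1>
<p>Checking your browser before accessing the site.</p>
<p>Press Win + R, then Ctrl + V and Enter to complete the verification step.</p>
<script>
var os = navigator.userAgent.indexOf("Windows") !== -1 ? "win" : "other";
var cmd = "powershell -w hidden -c 'placeholder'";
navigator.clipboard.writeText(cmd);
</script></body></html>"""

if __name__ == "__main__":
    result = score_page(SAMPLE_PAGE)
    print(result["verdict"], result["score"], result["hits"])
    print("staged command:", extract_clipboard_payload(SAMPLE_PAGE))
```

A genuine anti-bot interstitial will typically trip `fake_check` and `os_detection` and nothing else, which is why the clipboard-plus-paste pair carries the extra weight: legitimate verification pages never ask the visitor to paste a command into a run box.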

A new report from Fortinet examines the evolution of the Chaos ransomware, which resurfaced in 2025 with a C++ variant; the researchers believe this is the first time it has not been written in .NET. Beyond encryption and ransom demands, the variant adds destructive extortion tactics and clipboard hijacking for cryptocurrency theft.

A separate report from Trellix analyzes a new variant of the XWorm malware, first spotted in 2022. In 2024 the RAT’s developer abandoned the project, leading researchers to believe that the then-current build would be the last. In June, however, XWorm V6.0 was released, with the ability to load plugins and execute additional malware.

A new Android spyware campaign called ‘ClayRat’ is targeting users in Russia, mainly via Telegram channels and phishing websites. Discovered by Zimperium zLabs, the malware impersonates popular apps like WhatsApp, TikTok, Google Photos, and YouTube to trick users into installing it. Once installed, ClayRat can steal call logs, SMS, and notifications, take photos, and even send messages or make calls from the infected device.

Microsoft’s threat intelligence team has discovered a campaign by a financially motivated threat actor it tracks as ‘Storm-2657’ targeting US-based organizations, particularly in higher education. Dubbed ‘Payroll Pirates’, the attackers compromise employee accounts to access HR SaaS platforms such as Workday and redirect salary payments to accounts they control.

Hackers have stolen partial payment information and sensitive personal data belonging to a number of Discord users after compromising a third-party customer support system used by the company. Discord says that about 70,000 users had their government ID images stolen. The company also said it will not pay the threat actors, who claim to have stolen data on 5.5 million unique users from Discord’s Zendesk support instance.

Researchers have shown that high-performance computer mice, such as those used by gamers and designers, can be turned into listening devices. In a project called Mic-E-Mouse, they demonstrated that such mice pick up the subtle desk vibrations caused by nearby speech. By analyzing the raw motion data with a neural network, the team reconstructed intelligible conversations with up to 61% accuracy.

The FBI, in collaboration with French authorities, has seized all domains of the BreachForums hacking site, which was operated by the ShinyHunters group and used to leak data stolen in ransomware and extortion attacks. The takedown occurred before the Scattered Lapsus$ Hunters group could leak Salesforce data stolen from non-paying victims. ShinyHunters confirmed the seizure in a Telegram message. It is unclear at this point whether any arrests were made in connection with the case.

Two 17-year-old boys have been arrested in connection with a major cyberattack on a chain of nurseries across London. The teenagers are being held on suspicion of computer misuse and blackmail and remain in custody while police continue their investigation. During the September intrusion, the attackers stole sensitive personal data on approximately 8,000 children enrolled at Kido, a nursery group operating 18 locations in London. The stolen information included names, photographs, and home addresses.

