As part of its October 2025 Patch Tuesday, Microsoft has released security updates addressing over 180 vulnerabilities, including three zero-days actively exploited in the wild. This marks the final security update for Windows 10, unless devices are enrolled in the Extended Security Updates (ESU) program. The three exploited flaws include: CVE-2025-24990 (an elevation-of-privilege bug in the Agere Modem Driver (ltmdm64.sys)); CVE-2025-59230 (a privilege escalation flaw in RasMan, the Remote Access Connection Manager); CVE-2025-47827 (a Secure Boot bypass vulnerability in IGEL OS versions before 11).
US cybersecurity company F5 has revealed it has suffered a major security breach, which saw sensitive data such as information on undisclosed BIG-IP vulnerabilities and source code stolen. The company says that the intruders had a long-term access to its internal systems. The attackers reportedly maintained persistent access to critical systems, including the company’s BIG-IP product development environment and its engineering knowledge management platform. The company released security updates to address more than 40 BIG-IP security flaws that had been stolen during the breach. Although not publicly, F5 has linked the attack to China in private advisories shared with customers.
As per Bloomberg, in a threat-hunting guide F5 mentions the Brickstorm malware, a Go-based backdoor first detailed by Google in April 2024 during an investigation into cyber intrusions by the UNC5291 threat group, believed to be linked to China. UNC5291 has also been associated with exploiting Ivanti zero-days and deploying custom malware like Zipline and Spawnant in attacks on government agencies.
Meanwhile, the Shadowserver Foundation is currently tracking 266,978 IP addresses with an F5 BIG-IP fingerprint, with the majority located in the United States, Europe, and Asia.
The US Cybersecurity and Infrastructure Security Agency (CISA) has warned that malicious actors are exploiting a critical vulnerability in Adobe Experience Manager (AEM), tracked as CVE-2025-54253. The flaw affects AEM Forms on JEE versions 6.5.23 and earlier. It allows unauthenticated attackers to remotely execute arbitrary code with no user interaction, potentially bypassing existing security controls.
US-based software company Gladinet has rolled out security updates for its CentreStack business solution that fix an actively exploited local file inclusion vulnerability (CVE-2025-11371). According to cybersecurity firm Huntress, the flaw was a bypass for mitigations Gladinet implemented for the deserialization vulnerability (CVE-2025-30406) leading to remote code execution (RCE).
Threat actors are exploiting a recently patched remote code execution vulnerability (CVE-2025-20352) in Cisco IOS and IOS XE, affecting SNMP and requiring root access. The attackers targeted Cisco 9400, 9300, and legacy 3750G series devices to deploy rootkits on older, unprotected Linux systems. Trend Micro, which tracks the campaign as Operation Zero Disco, reported that the malware sets a universal access password containing the word ‘disco.’ Cisco confirmed the vulnerability was exploited as a zero-day. Attackers also attempted to exploit the older CVE-2017-3881 vulnerability in IOS/IOS XE systems.
A Chinese-affiliated threat actor known as ‘Jewelbug’ has been linked to a five-month-long cyber intrusion targeting a Russian IT service provider, according to a new report from Broadcom-owned cybersecurity firm Symantec. In the intrusion, Jewelbug utilized a renamed version of Microsoft's Console Debugger (cdb.exe) to execute shellcode and bypass application allowlisting. Other tactics included credential dumping, persistence through scheduled tasks, and log tampering to cover tracks.
A Chinese state-backed hacking group exploited a little-known feature in a widely used mapping software to stay hidden inside a target organization’s network for more than a year, according to cybersecurity firm ReliaQuest. The researchers believe with moderate confidence that a threat actor known as Flax Typhoon is behind the operation. As part of the intrusion, the attackers turned a legitimate component of the ArcGIS geographic information system (GIS) into a covert web shell.
North Korean hackers, tracked as UNC5342 by Google’s Threat Intelligence Group (GTIG), are now using a new technique called ‘EtherHiding’ to deliver malware via smart contracts in cryptocurrency theft campaigns. Since February, the group has used the method in Contagious Interview social engineering operations. GTIG notes this is the first known use of EtherHiding by a state-sponsored threat actor.
Cisco Talos has spotted a new campaign it has linked to Famous Chollima, a North Korea-aligned group known for tricking job seekers into installing malware. In this case, a user was likely deceived by a fake job offer and installed a trojanized Node.js app called ‘Chessfi,’ delivered via the NPM package ‘node-nvm-ssh.’ The group’s tools, BeaverTail and OtterCookie, now include keylogging and screenshot functions. Talos also found a malicious VS Code extension with similar code, suggesting the group may be testing new malware delivery methods.
The Ukrainian national cybersecurity team (CERT-UA) has spotted a new wave of targeted cyberattacks since mid-September 2025, primarily aimed at Ukraine's Defense Forces and local government entities across several regions. The campaign, attributed to the threat actor group UAC-0239, leverages the OrcaC2 command-and-control framework and a custom file stealer known as Filemess. In the meantime, Ukraine’s parliament has passed a bill in its first reading that would create a dedicated Cyber Force within the Armed Forces. If passed in a second vote and signed by President Volodymyr Zelenskyy, the legislation will, for the first time, unify Ukraine’s offensive and defensive military cyber capabilities under a single command.
Microsoft announced it disrupted a wave of Rhysida ransomware attacks by revoking over 200 certificates used to sign malicious Microsoft Teams installers. The threat group behind the attacks, known as Vanilla Tempest, used domains mimicking Teams to distribute fake installer files that delivered the Oyster backdoor. The attacks were linked to a broader malvertising campaign in late September, which used search ads and SEO poisoning to trick users into downloading the malware.
A recent investigation by Synacktiv uncovered a new GNU/Linux rootkit called LinkPro, used in the compromise of an AWS-hosted infrastructure. The rootkit uses two eBPF modules, one of which is used to hide its presence and another to activate remotely via a ‘magic packet.’ Attackers initially exploited a vulnerable Jenkins server (CVE-2024-23897), then deployed a malicious Docker Hub image across multiple Kubernetes clusters to spread the infection.
Sekoia has published a deep dive into the PolarEdge botnet backdoor first discovered in January 2025, with threat actors attempting to exploit CVE-2023-20118 in Cisco routers.
A coordinated cyber campaign has been targeting Remote Desktop Protocol (RDP) services across the US since October 8, threat intelligence firm GreyNoise has warned. The campaign involves more than 100,000 unique IP addresses spanning over 100 countries, in what GreyNoise described as a centralized botnet attack.
Cybersecurity researchers have uncovered a widespread campaign targeting SonicWall SSLVPN accounts, with over 100 compromised across 16 different environments. The campaign, first observed by cybersecurity firm Huntress on October 4, involves attackers using stolen, valid credentials to gain access, bypassing traditional brute-force methods.
A new campaign is distributing the Stealit information-stealer via malicious installers masquerading as games and VPN. Once executed, the Stealit malware harvests data from web browsers, including Google Chrome and Microsoft Edge, and from a wide range of apps like game platforms and marketplaces (Steam, Minecraft, Growtopia and Epic Games Launcher), messaging apps (WhatsApp and Telegram) and cryptocurrency wallets (Atomic, Exodus and browser-extension wallets).
Researchers at Carnegie Mellon University have detailed a new Android attack called ‘Pixnapping’ that can let malicious apps steal sensitive data. The team demonstrated the exploit on Google and Samsung phones. Google has issued a patch and is developing an additional fix to protect devices. The attack only requires tricking a user into installing a malicious app and it needs no Android permissions to carry out the attack.
A new study has found that it takes only 250 malicious documents to mess up a large AI model’s responses, which is much fewer than previously believed. The research looked at a type of attack called data poisoning, where attackers slip harmful or misleading information into the training data used to teach AI models. The goal is to make the model to change behavior, for example, giving nonsense answers or breaking safety rules. Until now, it was believed the attacks only worked if the attacker controlled a big chunk of the training data. But in fact, even just 250 poisoned documents (out of billions of training pieces) can trick the AI into responding with gibberish when it sees a certain trigger word.
Spanish authorities have dismantled a notorious cybercrime group known as the “GXC Team” and arrested the gang’s 25-year-old Brazilian leader, known online as “GoogleXcoder.” The GXC Team sold phishing kits, malware for Android devices, and voice scam tools via Telegram and Russian-language forums. The tools were used in large-scale credential theft, business email compromise (BEC) scams, and identity fraud, primarily targeting victims in Spain, the UK, and other EU countries.
The US authorities have charged a Cambodian executive in a massive cryptocurrency fraud scheme, seizing over $15 billion in bitcoin, one of the largest digital asset confiscations in history. In addition to the criminal charges, which include conspiracy to commit wire fraud and money laundering, US and UK officials imposed sanctions on Chen and his businesses. The US Treasury Department labeled Prince Holding Group a transnational criminal organization and sanctioned 146 related entities and individuals. The seized bitcoin, totaling 127,271 coins currently valued at over $14 billion, may be used to compensate victims, pending court approval. According to blockchain analysis company Elliptic, the Bitcoins were “stolen” in 2020 from LuBian, a bitcoin mining business with operations in China and Iran.
Matthew D. Lane, a 19-year-old college student from Worcester, Massachusetts, the US, was sentenced to four years in prison for leading a cyberattack on PowerSchool in December 2024. Lane and his accomplices used stolen credentials to access PowerSchool's support systems and downloaded sensitive data from over 6,500 school districts, affecting 9.5 million teachers and 62.4 million students. Along with the prison sentence, Lane was ordered to pay $14 million in restitution and a $25,000 fine.
Tokyo police have arrested 31-year-old Hiroya Yokoi for allegedly creating and selling fake sexual images of female celebrities using generative AI. This marks Japan's first crackdown on AI-generated deepfake pornography involving public figures. Yokoi, who admitted to the offenses, reportedly produced around 20,000 explicit images of 262 women and earned ¥1.2 million (~$8,000) over the past year to cover living expenses and repay student loans.
Operation SIMCARTEL shut down a network that supplied SIMs and fake accounts used in cybercrimes across Europe. Law enforcement arrested seven suspects, took down five servers and seized 1 200 SIM box devices alongside 40 000 active SIM cards.
