Cyber Security Week in Review: October 31, 2025


Microsoft has rolled out an out-of-band security update to address a critical remote code execution vulnerability (CVE-2025-59287) in Windows Server Update Services (WSUS) that is currently being exploited in the wild. While the issue was initially fixed during last week’s Patch Tuesday release, Microsoft released the additional emergency update following a publicly available proof-of-concept exploit and evidence of active exploitation.

Threat actors are actively exploiting a number of critical vulnerabilities in Dassault Systèmes DELMIA Apriso and XWiki. The DELMIA Apriso flaws are CVE-2025-6204, a code injection vulnerability that allows remote execution of arbitrary code, and CVE-2025-6205, a missing authorization issue that could allow attackers to gain privileged access to the application. Both of the flaws affect DELMIA Apriso versions from Release 2020 through Release 2025. Another exploited bug is CVE-2025-24893, an eval injection flaw in XWiki, which allows unauthenticated users to execute arbitrary code remotely.

Also, the US Cybersecurity and Infrastructure Security Agency (CISA) has flagged CVE-2025-41244 as actively exploited. The vulnerability is an improper access control issue in VMware Tools that can be exploited locally to escalate privileges. The agency has also added to its Known Exploited Vulnerabilities catalog a high-severity privilege escalation flaw in the Linux kernel (CVE-2024-1086), which is now being exploited in ransomware attacks.

CISA and National Security Agency (NSA), along with cybersecurity authorities from Australia and Canada, have issued new guidance to strengthen on-premises Microsoft Exchange Server security. The recommendations include restricting administrative access, enabling multi-factor authentication, enforcing strict transport security, and adopting zero trust principles.

Suspected Russian hackers breached Ukrainian networks over the summer using legitimate administrative tools rather than custom malware, allowing them to steal data and remain largely undetected. According to Symantec’s investigation, the intrusions targeted two separate Ukrainian entities, a major business services company and a local government agency, in a pair of stealthy operations earlier this year. Researchers said the attackers relied on so-called “living-off-the-land” techniques, which involve abusing software already installed on victims’ systems to carry out malicious actions.

Pro-Russian information campaigns are actively exploiting the topic of drone incursions across European airspace to undermine trust in local governments and weaken public support for Ukraine, a new report from the Google Threat Intelligence Group (GTIG) says. GTIG observed multiple coordinated disinformation operations across Europe following several recent drone incidents, including the September 2025 violation of Polish airspace by at least three Russian drones, which were subsequently shot down. GTIG’s report details three Russia-linked operations, Portal Kombat, Doppelganger, and Niezależny Dziennik Polityczny, that used the incidents to manipulate public perception via fake news websites and social media networks.

Ribbon Communications, a major US telecommunications supplier, has been compromised by nation-state hackers who infiltrated its network and remained undetected for nearly nine months. The attackers reportedly gained unauthorized access to Ribbon’s IT network as early as December 2024 and exfiltrated files belonging to three of its customers before being detected. According to the firm, the intrusion impacted “several customer files saved outside of the main network on two laptops.” Ribbon confirmed that the affected customers, described only as “smaller clients,” have been notified.

A China-linked hacking group known as UNC6384 has allegedly targeted Hungarian and Belgian diplomatic entities with the PlugX malware. The attacks, discovered by cybersecurity firm Arctic Wolf, exploited a Windows shortcut (LNK) vulnerability, tracked as CVE-2025-9491, that was publicly disclosed in March and remained unpatched at the time of the report. The intrusions began with spearphishing emails referencing European Commission meetings, NATO workshops, and multilateral diplomatic events. Besides Hungary and Belgium, the group also targeted Serbian government aviation departments and diplomatic institutions in Italy and the Netherlands, focusing on cross-border policy, defense cooperation, and multilateral coordination.

The China-linked group Bronze Butler (aka Tick) exploited a zero-day (CVE-2025-61932) in Motex LANSCOPE Endpoint Manager to execute commands with SYSTEM privileges and steal confidential information. The attackers deployed the Gokcpdoor malware to maintain a C2 backdoor and accessed cloud storage services via remote desktop sessions, likely for data exfiltration.

China-linked advanced persistent threat (APT) groups are pooling their efforts, bringing cyber espionage to a new level of coordination in what Trend Micro Research describes as a “Premier Pass-as-a-Service” trend: multiple APT groups share information and resources, which makes attribution harder. In particular, Trend Micro has observed such collaboration between two China-linked groups, Earth Estries and Earth Naga (also known as Flax Typhoon, RedJuliett, or Ethereal Panda). According to the researchers, Earth Estries handed compromised systems over to Earth Naga, so what first looked like a single attack was actually a coordinated handoff between the two groups.

Palo Alto Networks’ Unit 42 has uncovered a new Windows-based malware family called Airstalk, which comes in PowerShell and .NET variants. The malware is suspected to be used by a nation-state threat actor in a supply chain attack. Airstalk abuses the AirWatch (now Workspace ONE UEM) mobile device management API to create a covert command-and-control (C2) channel, misusing legitimate features for managing custom device attributes and uploading files.

In a separate report, Unit 42 examines activity involving the AdaptixC2 red teaming tool, which the researchers say has been increasingly used by multiple cybercriminal groups, including the Fog and Akira ransomware operations, as well as an initial access broker using CountLoader to deploy post-exploitation tools. AdaptixC2 is a modular and versatile platform capable of fully controlling compromised systems. Threat actors have also deployed it through fake help desk scams conducted via Microsoft Teams and through AI-generated PowerShell scripts.

In addition, the researchers warned that a large-scale smishing campaign impersonating critical services, online platforms, and cryptocurrency exchanges has been targeting users worldwide since April 2024. The operation, which has been linked to a Chinese-speaking threat group known as Smishing Triad, has used over 194,000 malicious domains since the beginning of 2024. The campaign initially focused on toll and package delivery impersonations but has since expanded to mimic healthcare providers, banks, cryptocurrency exchanges, law enforcement agencies, social media platforms, and government services.

Cybercriminals are abusing the open-source red-team toolkit RedTiger to build an info-stealer that harvests Discord account data, stored payment information and other sensitive credentials. RedTiger is a Python-based penetration-testing suite for Windows and Linux that bundles network scanning, password-cracking and OSINT utilities, and a malware builder. Although it labels dangerous features “legal use only,” the tool is free and lacks built-in safeguards, which makes it easy to abuse. According to cybersecurity firm Netskope, threat actors have compiled RedTiger with PyInstaller into standalone Windows binaries, renamed them to appear as gaming or Discord related tools, and deployed an info-stealer component.

Security researchers at Datadog Security Labs have detailed a new phishing technique, dubbed ‘CoPhish,’ that abuses Microsoft Copilot Studio agents to deliver fraudulent OAuth consent requests via legitimate Microsoft domains.

A weakness in agentic web browsers like OpenAI ChatGPT Atlas allows context poisoning attacks on AI models via the technique dubbed “AI-targeted cloaking.” It involves setting up websites that serve different content to human users versus AI crawlers. Similar to search engine cloaking, the technique can manipulate AI outputs by making crawlers treat altered content as authoritative, potentially influencing summaries, overviews, and autonomous reasoning.

A security issue in OpenAI’s ChatGPT Atlas browser allows attackers to inject malicious instructions into the AI assistant’s persistent memory, potentially leading to arbitrary code execution and system compromise. As per LayerX Security, the flaw exploits a cross-site request forgery (CSRF) weakness that lets attackers modify ChatGPT’s memory without user consent. Once “tainted,” the malicious memories persist across sessions, devices, and browsers, so the injected instructions keep acting with the user’s privileges wherever the account is used.

NFC relay malware has surged in popularity in Eastern Europe, with researchers identifying over 760 malicious Android apps in recent months targeting users’ payment card information. According to Zimperium, previously documented campaigns are now expanding to countries including Russia, Poland, the Czech Republic, and Slovakia. The malware is often distributed through apps impersonating Google Pay or banks such as Santander, VTB, Tinkoff, ING, Bradesco, and Promsvyazbank.

Cybersecurity researchers have spotted a new software supply chain attack on the npm registry, involving 126 malicious packages that can steal authentication tokens, CI/CD secrets, and GitHub credentials. Dubbed “PhantomRaven” by Koi Security, the campaign began in August 2025 and has already seen over 86,000 installs. The packages hide their payload in a dependency declared as a plain HTTP URL on an attacker-controlled site rather than as a registry package, so npm fetches the malicious code from that site every time the package is installed, while the registry’s metadata shows no dependency at all.

The Eclipse Foundation, which manages the open-source Open VSX project, has revoked a small number of leaked tokens found in some Visual Studio Code (VS Code) extensions. The action follows a report from cloud security company Wiz, which discovered that extensions from both Microsoft’s VS Code Marketplace and Open VSX had inadvertently exposed access tokens in public repositories, potentially enabling attackers to distribute malware through the extension supply chain. Registry maintainers have also removed all extensions recently flagged by Koi Security in a campaign called “GlassWorm.”

A new Internet of Things (IoT) botnet, dubbed ‘Aisuru,’ has been linked to record-breaking distributed denial-of-service (DDoS) attacks exceeding 20 terabits per second (Tbps). Aisuru belongs to the “TurboMirai” family, a class of Mirai-variant DDoS botnets capable of generating multi-terabit-per-second and multi-gigapacket-per-second direct-path attacks. Operating as a DDoS-for-hire service, Aisuru has primarily targeted online gaming platforms, avoiding government, military, and law enforcement networks. The botnet is made up largely of consumer-grade IoT devices such as home routers, CCTV cameras, and DVR systems running similar OEM firmware.

A team of academic researchers from Georgia Tech and Purdue University has detailed a new side-channel attack, dubbed TEE.Fail, that can extract cryptographic secrets from the Trusted Execution Environments (TEEs) embedded in modern CPUs by physically interposing on DDR5 memory traffic. The attack targets the protected regions of processors, such as Intel SGX and TDX, and AMD SEV-SNP, that are designed to safeguard sensitive data even from the operating system.

MITRE announced the release of version 18 of its ATT&CK framework. The October 2025 update delivers improvements across multiple sections, including techniques, groups, campaigns, and software. According to MITRE, the most notable changes focus on strengthening the framework’s defensive side, restructuring how detections are described into detection strategies and analytics.

Peter Williams, 39, an Australian national and former general manager at a US defense contractor, pleaded guilty to selling stolen US national security software to a Russian cyber-tools broker. Prosecutors say he stole at least eight sensitive cyber-exploit components intended for the US government and its allies, used his privileged access to download the material, and sold it to a broker that re-sold the exploits to various clients, including entities linked to the Russian government.

Russian authorities arrested three IT specialists in Moscow for creating and distributing the “Meduza” malware, which steals credentials and cryptocurrency data. The group allegedly also developed malware for bypassing security and creating botnets. Authorities seized equipment and digital evidence, and further accomplices and criminal activities are under investigation.

A Conti ransomware affiliate was extradited from Ireland to the US to face criminal charges. Oleksii Oleksiyovych Lytvynenko, 43, a Ukrainian national, allegedly helped deploy Conti ransomware to hack networks, encrypt data, and extort over $500,000 in cryptocurrency from US victims. Conti infected more than 1,000 victims worldwide, causing at least $150 million in losses and targeting more critical infrastructure in 2021 than any other ransomware. Lytvynenko was arrested in Ireland in July 2023 at the request of US authorities and extradited this month. Prosecutors allege he continued cybercrime activities until just before his arrest.
