The Australian government has warned about ongoing attacks targeting unpatched Cisco IOS XE devices across the country. Threat actors are exploiting a critical vulnerability to install the BadCandy webshell, which gives them full control of affected routers. The exploited flaw, tracked as CVE-2023-20198, is an improper privilege management issue in the IOS XE web UI that allows a remote, unauthenticated attacker to create a local account with privilege level 15 and take over the device. Cisco patched the issue in October 2023, but the flaw came under widespread exploitation following the release of a public exploit.
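Two things an operator can check from a saved `show running-config` while waiting to patch: whether the web UI that CVE-2023-20198 abuses is still enabled (Cisco's mitigation is to disable the HTTP server feature or restrict it), and whether any privilege-15 local user exists that nobody provisioned, which is exactly what an attacker creates before dropping the implant. The script below is an added example, not code from the Australian advisory or from Cisco; the config excerpt, the account names and the allowlist are constructed for illustration.

```python
import re

# Constructed "show running-config" excerpt for illustration; not captured from a real device.
SAMPLE_CONFIG = """
hostname edge-rtr-01
!
username netops privilege 15 secret 9 $9$REDACTED
username cisco_tac_admin privilege 15 secret 9 $9$REDACTED
!
ip http server
ip http secure-server
ip http authentication local
!
line vty 0 4
 transport input ssh
"""

# Hypothetical allowlist: the privilege-15 accounts that are supposed to exist on this device.
APPROVED_ADMINS = {"netops"}

# Matches "username <name> privilege 15 ..." at the start of a config line.
PRIV15_USER_RE = re.compile(r"^username\s+(\S+)\s+privilege\s+15\b", re.MULTILINE)


def audit_ios_xe_config(config: str, approved_admins: set) -> dict:
    """Flag an exposed web UI and any privilege-15 local user not on the allowlist."""
    lines = {line.strip() for line in config.splitlines()}
    http_enabled = "ip http server" in lines
    https_enabled = "ip http secure-server" in lines
    priv15_users = PRIV15_USER_RE.findall(config)
    unexpected_admins = sorted(u for u in priv15_users if u not in approved_admins)

    findings = []
    if http_enabled or https_enabled:
        findings.append(
            "web UI enabled; Cisco's mitigation is 'no ip http server' and "
            "'no ip http secure-server' (or an access class restricting it) until patched"
        )
    for user in unexpected_admins:
        findings.append(f"privilege-15 user '{user}' is not in the approved list; investigate")

    return {
        "web_ui_enabled": http_enabled or https_enabled,
        "unexpected_admins": unexpected_admins,
        "findings": findings,
    }


if __name__ == "__main__":
    result = audit_ios_xe_config(SAMPLE_CONFIG, APPROVED_ADMINS)
    for finding in result["findings"]:
        print("FINDING:", finding)
```

Run it against the backup of each device's running configuration rather than the live box where possible; a device that has already been implanted should be treated as compromised and reimaged after patching, not just cleaned of the extra user.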
The US Cybersecurity & Infrastructure Security Agency (CISA) has issued a warning about active exploitation of a critical vulnerability in CentOS Web Panel (CWP), tracked as CVE-2025-48703, which allows unauthenticated attackers to execute arbitrary shell commands remotely.
In a separate warning, Cisco has alerted users to ongoing exploitation of vulnerabilities in Cisco Secure Firewall ASA and FTD Software, specifically CVE-2025-20333, which enables remote code execution as root via crafted HTTP requests, and CVE-2025-20362, which allows unauthorized access to restricted URLs.
Russian state-backed hacker group Sandworm (APT44) has launched multiple data-wiping cyberattacks against Ukraine’s government, education, logistics, energy, and grain sectors, according to a new ESET report. ESET found that Sandworm used several wiper malware families, including ZeroLot and Sting, designed to irreversibly destroy data and disrupt operations. Some attacks originated through another threat actor, UAC-0099, which provided access for APT44 to deploy the wipers. The researchers also noted that a new Russia-aligned threat group, dubbed ‘InedibleOchotense,’ is impersonating ESET in phishing attacks targeting Ukrainian organizations. The attackers distributed spear-phishing emails and Signal messages that contained links to a trojanized ESET installer.
The report also notes ongoing activity from Iran-aligned hackers targeting Israel’s energy and engineering sectors with Go-based wipers, and China-aligned groups conducting espionage campaigns in Asia, Latin America, and Europe to advance Beijing’s geopolitical objectives.
Symantec spotted a suspected Chinese threat actor targeting a US non-profit organization with influence over government policy on international issues. The group’s tactics, techniques, and procedures (TTPs) overlapped with several known Chinese threat groups, including Kelp, Space Pirates, and APT41, making precise attribution difficult. The attackers used a legitimate executable, vetysafe.exe, to sideload a malicious DLL (sbamres.dll). The intrusion began on April 5, 2025, with mass scanning and exploitation attempts against multiple vulnerabilities, including Atlassian Confluence OGNL injection (CVE-2022-26134), Log4j (CVE-2021-44228), Apache Struts (CVE-2017-9805), and GoAhead RCE (CVE-2017-17562).
A North Korea-linked threat actor known as Kimsuky has deployed a previously undocumented backdoor, dubbed ‘HttpTroy,’ in a likely spear-phishing campaign aimed at a single victim in South Korea. HttpTroy employs multiple layers of obfuscation: API calls are concealed using custom hashing techniques, and strings are obfuscated through a combination of XOR operations and SIMD instructions. The backdoor does not reuse API hashes or strings; instead, it dynamically reconstructs them at runtime using varied combinations of arithmetic and logical operations, further complicating static analysis.
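The standard counter to API hashing is to precompute the hash of every export the sample could plausibly resolve and look the observed constants up in that table; when the constant itself is only assembled at runtime, the analyst emulates the arithmetic first. The code below is an added example of that workflow, not HttpTroy's algorithm or anything from the report summarized above: the hash function is an ordinary 32-bit FNV-1a chosen for illustration, the export list and the XOR key are constructed, and the operand encoding in `reconstruct_hash` is hypothetical.

```python
MASK32 = 0xFFFFFFFF

def api_hash(name: bytes, seed: int = 0x811C9DC5) -> int:
    """Illustrative 32-bit FNV-1a over an export name (stand-in for a custom hash)."""
    h = seed
    for b in name:
        h ^= b
        h = (h * 0x01000193) & MASK32
    return h

# Hypothetical export list collected from the DLLs the sample is known to touch.
KNOWN_EXPORTS = [
    b"CreateFileW", b"VirtualAlloc", b"WriteProcessMemory", b"CreateRemoteThread",
    b"InternetOpenA", b"InternetConnectA", b"HttpOpenRequestA", b"HttpSendRequestA",
]

def build_hash_table(exports, seed: int = 0x811C9DC5) -> dict:
    """Map hash -> export name; refuse silently ambiguous tables."""
    table = {}
    for name in exports:
        h = api_hash(name, seed)
        if h in table and table[h] != name.decode():
            raise ValueError(f"hash collision on {h:08x}: {table[h]} vs {name.decode()}")
        table[h] = name.decode()
    return table

def resolve_hashes(hashes, table: dict) -> list:
    """Translate constants pulled from the binary back to API names."""
    return [table.get(h, f"UNKNOWN_{h:08x}") for h in hashes]

def reconstruct_hash(parts) -> int:
    """Emulate 'rebuild the constant at runtime': the binary stores operands and an
    operation sequence instead of the final hash. Hypothetical encoding: a list of
    (op, value) applied left to right starting from 0."""
    h = 0
    for op, v in parts:
        if op == "add":
            h = (h + v) & MASK32
        elif op == "sub":
            h = (h - v) & MASK32
        elif op == "xor":
            h ^= v
        elif op == "rol":
            h = ((h << v) | (h >> (32 - v))) & MASK32
        else:
            raise ValueError(f"unsupported op {op}")
    return h

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

# Constructed sample: a string blob and a hash the "binary" rebuilds from two operands.
XOR_KEY = b"\x5a\xa5\x3c"
OBF_USER_AGENT = xor_bytes(b"Mozilla/5.0 (Windows NT 10.0)", XOR_KEY)
TARGET = api_hash(b"CreateRemoteThread")
STORED_OPERANDS = [("add", (TARGET - 0x1234) & MASK32), ("add", 0x1234)]

if __name__ == "__main__":
    table = build_hash_table(KNOWN_EXPORTS)
    print(resolve_hashes([api_hash(b"VirtualAlloc"), reconstruct_hash(STORED_OPERANDS)], table))
    print(xor_bytes(OBF_USER_AGENT, XOR_KEY).decode())
```

In practice the export list comes from dumping the export tables of kernel32, ntdll, wininet and whichever other modules the sample loads, and the real hash routine is transcribed from the disassembly; once both are in hand, every `UNKNOWN_` entry is a lead on a module the analyst has not enumerated yet.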
On the same note, the US authorities have imposed sanctions on eight individuals and two North Korean companies accused of laundering money earned through cybercrime and a fraudulent international IT worker scheme that funneled funds back to Pyongyang.
Network security company SonicWall has concluded its investigation into the September cybersecurity incident that exposed customers’ firewall configuration backup files, confirming that a state-sponsored threat actor was responsible for the breach. According to the vendor, Mandiant’s investigation determined that the malicious activity was limited to unauthorized access of cloud backup files from a specific cloud environment via an API call. Mandiant found no evidence that SonicWall’s products, firmware, systems, tools, source code, or customer networks were affected.
A previously undocumented threat cluster, dubbed ‘UNK_SmudgedSerpent,’ has been linked to a wave of sophisticated phishing and credential theft campaigns aimed at academics and foreign policy experts between June and August 2025. Proofpoint researchers said UNK_SmudgedSerpent used politically charged lures to entice victims. The campaign’s tactics, techniques, and procedures (TTPs) are largely similar to known Iranian cyber espionage groups, including TA455 (Smoke Sandstorm), TA453 (Charming Kitten), and TA450 (MuddyWater).
Threat actors are distributing weaponized attachments via phishing e-mails to deliver a persistent backdoor that leverages OpenSSH and a customized Tor hidden service, in a campaign that appears to target defense and government organizations in Russia and Belarus. The campaign was spotted by security vendor Seqrite Labs, which has dubbed the activity “Operation SkyCloak.”
A Russia-aligned hacking group known as ‘Curly COMrades’ has been using Microsoft’s Hyper-V virtualization in Windows to hide malware inside Alpine Linux virtual machines, allowing the threat actors to bypass host-based endpoint detection and response (EDR) controls. The attackers deployed two custom tools: a reverse shell for remote command execution called ‘CurlyShell,’ and ‘CurlCat,’ a reverse proxy used for covert communication.
A new wave of cyberattacks is targeting the trucking and logistics sector, using remote monitoring and management (RMM) tools to compromise networks and steal physical cargo. In the ongoing campaign, attackers have used a combination of spear-phishing emails, hijacked business conversations, and compromised accounts to post fake freight listings on load boards. The emails contain malicious links leading to infected installers or executables that deploy legitimate RMM tools such as ScreenConnect, SimpleHelp, PDQ Connect, Fleetdeck, N-able, and LogMeIn Resolve.
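Both the Symantec intrusion above (a legitimate executable sideloading a malicious DLL from the same directory) and the trucking campaign (legitimate RMM installers launched from a user's download folder) are cases where nothing malicious is signed or unusual on its own, so detection has to key on context: where the files sit, what loaded them, and whether the organization uses that product at all. The rule logic below is an added example run over constructed Sysmon-style events (Event ID 1 process creation, Event ID 7 image load); it is not Symantec's, Proofpoint's or any vendor's detection, the events are made up, and the RMM name tokens and trusted-path prefixes are assumptions to tune per environment.

```python
import ntpath
from typing import Optional

# Constructed events in the shape of Sysmon Event ID 7 (image load) and Event ID 1
# (process creation). Not real telemetry.
EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\bob\AppData\Local\Temp\vetysafe.exe",
     "ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\sbamres.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\shell32.dll", "Signed": "true"},
    {"EventID": 1, "Image": r"C:\Users\bob\Downloads\Load_Confirmation_4471.exe",
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "OriginalFileName": "ScreenConnect.ClientSetup.exe"},
    {"EventID": 1, "Image": r"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.ClientService.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "OriginalFileName": "ScreenConnect.ClientService.exe"},
]

# Assumed trusted install locations; loads and launches from anywhere else are "user-writable".
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Hypothetical name tokens for the RMM products named in the campaign.
RMM_TOKENS = ("screenconnect", "simplehelp", "pdq", "fleetdeck", "n-able", "logmein")


def is_trusted_path(path: str) -> bool:
    return path.lower().startswith(TRUSTED_PREFIXES)


def rule_dll_sideload(ev: dict) -> Optional[str]:
    """Image load: an executable loads an unsigned DLL from its own, untrusted directory."""
    if ev.get("EventID") != 7:
        return None
    image, dll = ev["Image"], ev["ImageLoaded"]
    same_dir = ntpath.dirname(image).lower() == ntpath.dirname(dll).lower()
    unsigned = ev.get("Signed", "false").lower() != "true"
    if same_dir and unsigned and not is_trusted_path(dll):
        return (f"dll_sideload: {ntpath.basename(image)} loaded unsigned "
                f"{ntpath.basename(dll)} from {ntpath.dirname(dll)}")
    return None


def rule_rmm_from_user_dir(ev: dict) -> Optional[str]:
    """Process creation: an RMM binary or installer runs from outside trusted install paths."""
    if ev.get("EventID") != 1:
        return None
    names = (ev["Image"] + " " + ev.get("OriginalFileName", "")).lower()
    if any(tok in names for tok in RMM_TOKENS) and not is_trusted_path(ev["Image"]):
        shown = ev.get("OriginalFileName") or ntpath.basename(ev["Image"])
        return (f"unexpected_rmm: {shown} launched from {ntpath.dirname(ev['Image'])} "
                f"by {ntpath.basename(ev.get('ParentImage', '?'))}")
    return None


def run_rules(events) -> list:
    alerts = []
    for ev in events:
        for rule in (rule_dll_sideload, rule_rmm_from_user_dir):
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in run_rules(EVENTS):
        print(alert)
```

The path check keeps the installed ScreenConnect service in Program Files quiet, which is right for a shop that uses the product; an organization that does not should drop the path condition for the RMM rule and alert on the name token alone, since the installer stage in Downloads is the cheapest place to catch this campaign.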
Microsoft’s DART team has uncovered a previously undocumented backdoor named ‘SesameOp’ that uses the OpenAI Assistants Application Programming Interface (API) as a command-and-control (C&C) channel to stealthily manage compromised systems.
Google’s Threat Intelligence Group has discovered an experimental Visual Basic Script malware family named ‘PROMPTFLUX’ that utilizes an AI model API to rewrite its own code, apparently to avoid detection. GTIG said PROMPTFLUX is written in VBScript and uses a hard-coded API key to query Google’s Gemini model (Gemini 1.5 Flash or later) with highly specific, machine-parsable prompts that request obfuscation and evasion techniques (instructing the model to return code only) so the script can periodically replace itself with a newly obfuscated version.
Decentralized finance protocol Balancer has confirmed a major security breach in its V2 pools, with estimated losses exceeding $128 million, making it one of the largest cryptocurrency thefts of 2025. The project disclosed that the exploit specifically targeted its V2 Composable Stable Pools. Other Balancer pools, including those under V3, were reportedly unaffected. More technical details are available in Check Point’s report on the Balancer hack.
Cybersecurity researchers have flagged a malicious Visual Studio Code extension called 'susvsex' that appears to be created with the help of AI. The extension automatically activates on events like installation or launch, zips a target directory, exfiltrates it to a remote server, and replaces the original files with encrypted versions, functioning as basic ransomware.
An international law enforcement operation, codenamed “Operation Chargeback,” has targeted three major fraud and money laundering networks involved in a global credit card fraud scheme affecting 4.3 million victims in 193 countries, with losses exceeding EUR 300 million. Over 60 searches and 18 arrests were carried out. The suspects allegedly used shell companies in the UK and Cyprus to process fake transactions and conceal their activities. Between 2016 and 2021, they created 19 million fake online subscriptions on adult and streaming sites, disguising small monthly charges. The operation targeted 44 suspects, including payment service executives and intermediaries. In Germany, 29 locations were searched, five arrests were made, and EUR 35 million in assets were seized. Additionally, US authorities have arrested five people suspected of involvement in the scheme.
Three former employees of cybersecurity firms DigitalMint and Sygnia have been indicted for allegedly helping carry out BlackCat (ALPHV) ransomware attacks on five US companies in 2023. Kevin Tyler Martin, Ryan Clifford Goldberg, and an unnamed accomplice face charges of extortion conspiracy and computer damage, carrying up to 50 years in prison. Prosecutors say the trio, acting as BlackCat affiliates, hacked networks, stole data, and demanded $300,000–$10 million in cryptocurrency ransoms. Victims included medical, pharmaceutical, and tech firms. One company reportedly paid $1.27 million after refusing an initial $10 million demand.
A Ukrainian national accused in 2012 of collaborating with a notorious hacking group to steal tens of millions of dollars from US companies has been apprehended in Italy and extradited to the US. 41-year-old Yuriy Igorevich Rybtsov, from the Russia-controlled city of Donetsk, Ukraine, was previously identified in US federal documents only by his online alias, “MrICQ.” Prosecutors allege that MrICQ worked as a developer for the cybercrime organization known as “Jabber Zeus.”