Monthly Threat Briefing
Diamond Trail

Cyware Monthly Threat Intelligence, October 2025


The Good

In a series of positive cybersecurity developments, MITRE has unveiled ATT&CK v18, featuring enhanced detection and analytics for modern infrastructures like CI/CD pipelines, Kubernetes, and cloud databases, along with new ransomware, ICS, and mobile threat updates. It also launched the ATT&CK Advisory Council to foster collaboration across industry and academia. Meanwhile, CISA and NSA, with global partners, issued new guidance to secure Microsoft Exchange servers, emphasizing stronger authentication, encryption, and decommissioning outdated systems. In a landmark win against cybercrime, U.S. and U.K. authorities dismantled the Prince Group, seizing over $15 billion in Bitcoin and sanctioning 146 individuals and entities in one of the largest financial takedowns in history.

  • MITRE has launched ATT&CK v18, introducing substantial updates to its cybersecurity framework. This version enhances detection strategies and analytics, focusing on modern infrastructure such as CI/CD pipelines, Kubernetes, and cloud databases. It incorporates new techniques related to ransomware preparation and threat intelligence monitoring, alongside updates in the Mobile section addressing adversaries exploiting linked device features in apps like Signal and WhatsApp. Additionally, the Industrial Control Systems (ICS) section sees the introduction of new assets, including distributed control system controllers and firewalls. To foster collaboration, MITRE has established the ATT&CK Advisory Council, bringing together insights from end users, vendors, and academia. 

  • CISA, in partnership with the NSA and international cybersecurity allies, has released guidance on securing Microsoft Exchange servers. This initiative addresses the ongoing threats targeting these systems, particularly those that are unprotected or misconfigured, which leave organizations vulnerable to cyberattacks. The guidance emphasizes the importance of hardening user authentication, ensuring robust network encryption, and minimizing application attack surfaces. It also underscores the risks associated with retaining outdated Exchange servers, advocating for their decommissioning to mitigate potential exploitation. This release comes amid a backdrop of increasing cyber threats and aims to bolster the security posture of organizations utilizing Exchange infrastructure.

  • Spanish authorities recently dismantled an advanced AI-driven phishing network orchestrated by a Brazilian developer known as “GoogleXcoder.” This operation, a significant victory against banking credential theft in Spain, targeted major banks and public agencies, leading to millions of euros in stolen funds since 2023. Operating under a crime-as-a-service model, GoogleXcoder sold phishing kits that allowed criminals to easily clone websites and execute scams. The investigation revealed extensive use of Telegram for communications and transactions. Authorities arrested him in Cantabria, seizing electronic devices containing vital evidence. Ongoing forensic analysis aims to uncover further details about the network and identify additional individuals involved in these phishing activities, with collaboration from the Brazilian Federal Police and cybersecurity experts proving crucial in the operation.

  • U.S. and U.K. authorities have executed a landmark operation against a massive transnational cybercrime syndicate, seizing over $15 billion in Bitcoin from the Prince Group, a criminal enterprise accused of orchestrating one of the largest investment fraud operations in history. This marks the largest cryptocurrency seizure ever conducted by the DOJ. According to the DOJ, the group operated more than 100 businesses across 30 countries, using them as fronts for investment scams, money laundering, and human trafficking. The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has sanctioned 146 individuals and entities linked to the Prince Group. The U.K. has also imposed financial sanctions, freezing assets including a £12 million mansion and a £100 million office building in London.

  • The FBI, in collaboration with French law enforcement, has seized the BreachForums hacking forum, operated by the ShinyHunters group, which was used for leaking corporate data and extorting companies. This action comes as the group threatened to release data from Salesforce breaches unless ransoms were paid. The seizure includes all database backups since 2023, confirming that the gang's operations have been compromised. Despite this, their dark web data leak site remains active, with plans to expose sensitive information from major companies like FedEx, Disney, and Google. The ShinyHunters stated that they would not attempt to relaunch BreachForums, cautioning that such forums should now be viewed as traps for cybercriminals.

The Bad

Cybercriminal activity continues to escalate as Russian threat actors increasingly exploit the open-source AdaptixC2 framework—originally built for penetration testing—to conduct ransomware attacks, distribute CountLoader malware, and spread fake PDFs posing as Ukraine’s national police. At the same time, a Brazilian cybercriminal group has advanced its Lampion Stealer campaign against Portuguese banks, using convincing ClickFix lures, phishing emails, and multi-stage infection chains to deliver highly obfuscated malware. Adding to growing concerns, a phishing campaign is impersonating LastPass and Bitwarden, deceiving users into downloading a fake “secure” desktop version that installs the Syncro remote monitoring tool, giving attackers remote access to victims’ devices.

  • Russian cybercriminals are increasingly using the open-source command-and-control framework AdaptixC2, originally designed for penetration testing, to carry out ransomware attacks worldwide. Research reveals that the tool, maintained by an individual known as “RalfHacker,” has been linked to various malicious activities, including the distribution of CountLoader malware and fraudulent PDFs impersonating Ukraine’s national police. Despite its legitimate purpose, AdaptixC2 has become a favorite among Russian threat actors, raising concerns about the intersection of ethical hacking and cybercrime. 

  • A Brazilian cybercriminal group has enhanced its long-running Lampion Stealer campaign, which targets Portuguese banks using sophisticated social engineering and multi-stage infection chains. Since its initial discovery in 2019, the malware has evolved significantly, incorporating ClickFix lures that trick victims into executing malicious commands themselves. Phishing emails with banking themes, often sent from compromised accounts, are the primary delivery method. The infection process runs through several obfuscated Visual Basic script stages and ends with a DLL padded to roughly 700MB, a size that exceeds the file-size limits of many scanners and sandboxes, on top of the heavy obfuscation it uses to evade detection.

  • Researchers uncovered the PolarEdge botnet, which has compromised over 25,000 IoT devices and established 140 C2 servers. This sophisticated botnet exploits vulnerable edge devices and uses a novel RPX relay system to obscure attack sources, making detection difficult. Since its initial detection in May, the botnet has shown a sustained upward trend in infections, particularly in Southeast Asia and North America, with South Korea being the most affected. The malware employs a client-server architecture that facilitates remote command execution and proxy services, allowing attackers to maintain control and evade traditional security measures. 

  • Qilin ransomware is leveraging the Windows Subsystem for Linux (WSL) to run its Linux encryptor on Windows systems, sidestepping traditional security tools. Emerging in 2022, Qilin has become one of the most active ransomware groups, attacking over 700 victims across 62 countries in 2025. Affiliates use legitimate remote access applications such as AnyDesk and Splashtop to breach networks and steal data, and employ BYOVD techniques, loading signed but vulnerable drivers, to disable security software. The Linux encryptor, built for VMware ESXi hosts, is transferred with WinSCP and executed via WSL, which keeps it out of view of Windows endpoint tooling that inspects native PE processes but has little visibility into the WSL environment.

  • A spear-phishing campaign attributed to the Gamaredon threat group is targeting government entities by exploiting CVE-2025-8088, a path traversal vulnerability in WinRAR. Weaponized RAR archives abuse the flaw to write a malicious HTA file outside the chosen extraction directory, so the only user action required is extracting the archive or opening its seemingly benign PDF decoy; no further interaction is needed. The HTA is dropped into the Windows Startup folder, giving the malware persistence and ensuring it runs automatically at the next logon, including after a reboot.

  • The Water Saci malware campaign has significantly evolved, utilizing WhatsApp as its primary infection vector to spread malicious ZIP files through hijacked web sessions. This campaign employs advanced techniques, including script-based automation via VBS and PowerShell, allowing for fileless execution and persistence. The malware features a sophisticated email-based C2 infrastructure that uses IMAP connections to retrieve operational commands, enabling real-time control over infected systems. Additionally, it can harvest WhatsApp contacts and automate message distribution, effectively converting compromised machines into coordinated botnet tools. 

  • PhantomVAI Loader, a multi-stage .NET loader, is actively involved in global phishing campaigns targeting various sectors, including manufacturing, education, and government. Initially known as Katz Stealer Loader, it has evolved to deliver a range of payloads, including the AsyncRAT, XWorm, and DCRat remote access trojans and the FormBook stealer. The attack chain starts with phishing emails that contain heavily obfuscated scripts, which, when executed, download further malicious payloads. Using steganography, the loader conceals DLL files within seemingly innocuous images, allowing it to bypass detection. Once executed, PhantomVAI Loader performs virtual-machine and sandbox checks and, if none is detected, establishes persistence on the infected system, ultimately injecting the payload into legitimate processes like MSBuild.exe, thereby evading many endpoint defenses.

  • An ongoing phishing campaign is targeting LastPass and Bitwarden users with fake emails claiming that the companies have been hacked. These emails urge recipients to download a supposedly more secure desktop version of the password manager, which actually installs Syncro, a remote monitoring tool. LastPass has clarified that they have not experienced any security incidents and that these messages are part of a social engineering effort to create urgency. The phishing emails are well-crafted and impersonate both LastPass and Bitwarden, leading users to malicious downloads. The malware installs the Syncro MSP platform, allowing attackers to gain remote access to victims' computers. This campaign follows another targeting 1Password users.

  • Flax Typhoon, a China-backed APT group, executed a sophisticated attack on an ArcGIS system by repurposing a legitimate Java server object extension (SOE) into a web shell. This method enabled the attackers to maintain long-term access while evading detection, as their activities appeared to be normal system operations. By embedding the compromised SOE in backups and using a hardcoded key for access, they ensured persistence even after attempts at remediation. The group leveraged this foothold for malicious command execution, lateral movement, and credential harvesting across various hosts. 

  • A security vulnerability in the widely used Slider Revolution plugin has been uncovered, affecting over four million WordPress sites. Tracked as CVE-2025-9217, this flaw allows users with contributor-level permissions or higher to read sensitive files on the server, including critical configuration files like wp-config.php. The issue arises from insufficient validation in two parameters, “used_svg” and “used_images,” which manage file exports. A patched version, 6.7.37, was released to address the weaknesses in file handling, enhancing validation checks to prevent unauthorized access to server files. The vulnerability was rated medium severity with a CVSS score of 6.5.

  • McAfee researchers have identified a sophisticated Astaroth banking malware campaign that leverages GitHub repositories to host critical configuration files, moving away from traditional C2 servers. This malware employs steganography to conceal configuration data within seemingly benign image files, allowing it to update its operational parameters every two hours while maintaining persistent operations. The infection chain begins with phishing emails that lure victims into downloading malicious Windows shortcut files, which execute obfuscated JavaScript commands. Primarily targeting South American countries, particularly Brazil, Astaroth monitors banking and cryptocurrency-related browser windows to capture credentials through keylogging. 

  • A botnet comprising over 100,000 IP addresses from multiple countries has been targeting RDP services in the U.S. since October 8. GreyNoise researchers identified this large-scale campaign after observing an unusual spike in traffic, particularly from Brazilian IPs. The attacks utilize two main vectors: RD Web Access timing attacks and RDP web client login enumeration. Evidence suggests that a single entity controls the botnet, as most IPs share a similar TCP fingerprint. The coordinated nature of the attacks, along with the centralized control indicated by the shared attack methods, raises concerns about the botnet's capabilities and intentions. Countries involved in the attack include Brazil, Argentina, Iran, China, Mexico, Russia, and South Africa.

  • A financially motivated threat actor known as UNC5142 is utilizing blockchain smart contracts and compromised WordPress sites to distribute various information-stealing malware, including Atomic and Vidar, targeting both Windows and macOS systems. This group employs a technique called "EtherHiding" to conceal malicious code on public blockchains, specifically leveraging the BNB Smart Chain. Google’s Threat Intelligence Group reported approximately 14,000 web pages injected with JavaScript linked to UNC5142, indicating widespread targeting of vulnerable sites. The attack employs a multi-stage JavaScript downloader named CLEARSHORT, which retrieves malicious payloads through interactions with smart contracts. 

  • APT28, a Russian state-sponsored threat actor, has launched a sophisticated cyberattack targeting Ukrainian military personnel through weaponized Office documents. This campaign utilizes advanced malware frameworks, including BeardShell and Covenant, which are delivered as malicious documents sent through Signal Desktop, a channel that performs no attachment scanning and that recipients tend to trust. Once opened, these documents execute embedded macros that initiate a multi-stage infection process, allowing attackers to maintain persistent access and evade detection. The malware employs steganography to hide payloads within PNG files and utilizes cloud services like Koofr for command and control communications.

  • Volexity has identified UTA0388, a China-aligned threat actor conducting sophisticated spear phishing campaigns since April, targeting organizations globally with a focus on Asian geopolitical issues, particularly Taiwan. Utilizing OpenAI's ChatGPT, UTA0388 crafts convincing phishing emails and develops a custom malware family known as GOVERSHELL, which has five distinct variants, each with evolving capabilities and communication methods. The phishing emails often exhibit incoherence, featuring fabricated personas and nonsensical details, indicative of LLM usage. The GOVERSHELL malware employs techniques like search order hijacking and scheduled tasks for persistence, while its infrastructure has shifted from direct-to-IP connections to more complex DNS-based domains.

  • Chinese hackers with suspected ties to the state have begun exploiting the open-source Nezha monitoring tool to deliver the Gh0st RAT. This campaign, identified by Huntress, utilizes log poisoning techniques to implant web shells on vulnerable servers, primarily targeting systems with exposed phpMyAdmin panels. The attackers have compromised over 100 machines globally, with significant infections reported in Taiwan, Japan, South Korea, and Hong Kong. By leveraging Nezha, the hackers execute commands and bypass antivirus protections, showcasing a concerning trend of using legitimate tools for malicious activities. The operation is characterized by its technical sophistication, as the threat actors manipulate SQL commands to drop PHP web shells, enabling further exploitation of the affected systems.

  • A critical vulnerability, CVE-2025-10035, in GoAnywhere MFT has been exploited by the Storm-1175 threat group, known for deploying Medusa ransomware. This deserialization flaw, with a CVSS score of 10.0, allows attackers to bypass signature verification and execute remote code on unpatched systems without requiring authentication. Storm-1175 employs a multi-stage attack that begins with exploiting the vulnerability, followed by establishing persistence using remote monitoring and management tools like SimpleHelp and MeshAgent. The group then conducts network discovery and lateral movement within compromised environments, ultimately leading to the deployment of Medusa ransomware. 

  • Mustang Panda, a sophisticated China-linked threat actor, has refined its cyber espionage tactics by employing an advanced DLL side-loading technique aimed at the Tibetan community. This politically motivated campaign begins with a ZIP archive containing a legitimate-looking executable themed on the Dalai Lama alongside a hidden malicious DLL that the executable loads, a file that remains out of sight in a standard file browser. The malware, known as Claimloader, establishes persistence through both Windows registry modifications and scheduled tasks, complicating detection and removal efforts. Once activated, it deploys a secondary payload called Publoader, which utilizes advanced obfuscation methods to exfiltrate data while communicating with C2 servers.

New Threats

A critical vulnerability called Brash in Chromium’s Blink engine can crash Chromium-based browsers (Chrome, Edge, etc.) within seconds via a single malicious URL by abusing the unrestricted document.title API to flood the DOM and saturate the main thread—its three-phase attack can even be timed like a logic bomb (Firefox and Safari are unaffected). At the same time, a campaign dubbed PhantomRaven has pushed 126 malicious npm packages (≈86,000+ downloads) that steal npm tokens, GitHub credentials, and CI/CD secrets while using Remote Dynamic Dependencies and AI-generated names to evade detection. Finally, a new Python polymorphic RAT leverages self-modifying code, XOR in-memory decryption, and randomized junk to change its signature each run, enabling network scanning, payload delivery, data exfiltration, self-propagation, and command-and-control via platforms like Discord and Slack.

  • A new vulnerability named Brash has been discovered in the Blink rendering engine of Chromium-based browsers, enabling attackers to crash these browsers within seconds using a single malicious URL. This exploit takes advantage of the lack of rate limiting on the "document.title" API, allowing for an overwhelming number of DOM mutations—up to 24 million updates per second—leading to browser unresponsiveness. The attack occurs in three phases: generating unique hexadecimal strings, executing rapid title updates, and saturating the browser's main thread. Notably, Brash can be programmed to activate at specific times, functioning like a logic bomb. Affected browsers include Google Chrome, Microsoft Edge, and others, while Mozilla Firefox and Apple Safari remain unaffected.

  • A new campaign named PhantomRaven has emerged, involving 126 malicious npm packages that have collectively garnered over 86,000 downloads. These packages are designed to stealthily steal sensitive information, including npm tokens, GitHub credentials, and CI/CD secrets from developers worldwide. Using Remote Dynamic Dependencies (RDD), dependency entries that point at an attacker-controlled URL rather than the registry, the packages pull their malicious code at install time, so the published manifest looks harmless and the fetched payload can be changed after publication. The attackers also registered names that match packages hallucinated by AI coding assistants, so developers who copy a suggested install command end up installing the malicious package. The attack exemplifies the growing sophistication of software supply chain threats and the need for greater vigilance in the open-source ecosystem.

  • Atroposia is a feature-rich RAT that enables low-skill attackers to execute complex cyberattacks, including stealthy remote desktop access, credential theft, and DNS hijacking. The malware uses encrypted command channels, privilege escalation, and persistence mechanisms to evade detection and remain active on infected systems. Atroposia's fileless data exfiltration capabilities and clipboard snooping allow attackers to steal sensitive information with minimal traces. The RAT includes a vulnerability scanner to identify exploitable weaknesses on compromised systems, further enhancing its attack potential.

  • A new variant of the Gunra ransomware, active since April 2025, is targeting Linux systems using ELF binaries. This variant employs the ChaCha20 encryption algorithm. The ransomware is configurable via command-line arguments and supports both file and disk encryption. Gunra ransomware has been actively targeting organizations globally, including reported incidents in South Korea. The malware is distributed in both EXE (Windows) and ELF (Linux) formats. A critical flaw exists in the random number generation function used to create the ChaCha20 key and nonce. The function seeds rand() with time(), and due to rapid loop execution, identical seed values are often used. This results in repeated byte patterns in the key and nonce, making them cryptographically weak.

  • GhostBat RAT is a new Android malware campaign targeting Indian users by masquerading as legitimate Regional Transport Office (RTO) applications, such as mParivahan. This malware steals financial data, mines cryptocurrency, and exfiltrates SMS messages using Telegram bots for device management. Since September 2025, over 40 unique malware samples have been identified, employing advanced techniques like multi-stage droppers and heavy obfuscation to avoid detection. Attackers utilize social engineering tactics to deliver malicious APKs through platforms like WhatsApp and compromised websites. Once installed, the fake RTO app requests extensive permissions, initiating phishing flows to collect sensitive UPI credentials and surveilling SMS content for banking-related messages, which are then forwarded to the attackers' servers.

  • Microsoft's October 2025 Patch Tuesday released security updates for 172 vulnerabilities, including six zero-day flaws. This update marks the end of free support for Windows 10, as users must now subscribe to Extended Security Updates to continue receiving patches. Among the critical vulnerabilities fixed are those affecting Windows SMB Server and Microsoft SQL Server. Notable issues include the removal of a vulnerable Agere Modem driver, which could allow elevation of privileges, and a Secure Boot bypass vulnerability in IGEL OS. Additionally, Microsoft is addressing a memory integrity flaw in AMD EPYC processors. 

  • TA585 is a newly identified threat actor that manages its entire attack chain itself, including infrastructure, email delivery, and malware installation. It deploys MonsterV2, a malware sold on cybercriminal forums that acts as a RAT, stealer, and loader, capable of exfiltrating sensitive data, enabling remote desktop access, and executing additional payloads. MonsterV2 avoids infecting systems in Commonwealth of Independent States (CIS) countries. TA585 relies on the ClickFix technique, in which a malicious script presents a fake prompt that persuades users to run PowerShell commands that deliver the malware.

  • ClayRat is Android spyware targeting Russian users, spreading through Telegram and phishing sites while impersonating popular apps. The spyware collects sensitive data, takes photos, sends messages, and places calls from infected devices. ClayRat aggressively propagates by sending malicious links to all contacts in the victim's phone book. It uses advanced obfuscation techniques and session-based installation to bypass Android security measures. Abuse of the default SMS handler role allows ClayRat to access and manipulate SMS data without user consent.

  • A new Python-based RAT employs advanced polymorphic and self-modifying techniques, altering its code signature with each execution to evade detection. The RAT uses functions like self_modifying_wrapper(), decrypt_and_execute(), and polymorph_code() for on-the-fly mutation, leveraging Python’s introspection and serialization capabilities. The malware wraps critical code in a self-modifying layer, encrypts and decrypts code using XOR encryption, and executes it from memory, bypassing traditional file-based scanning. The polymorph_code() function introduces random junk code, renames variables, shuffles functions, and injects no-op routines to create unique file signatures for every execution. The RAT includes offensive features like network scanning, payload delivery, data theft, self-propagation, and bot command interaction via platforms like Discord and Slack.

  • The Vietnamese threat actor group BatShadow is conducting a new campaign targeting job seekers and digital marketing professionals using social engineering tactics to distribute a Go-based malware named "Vampire Bot." Malicious files disguised as job descriptions and corporate documents are delivered via ZIP archives containing decoy PDFs and harmful LNK or executable files. Victims are tricked into opening these files, triggering an infection chain involving PowerShell scripts to download additional payloads, including remote desktop software for persistent access. The attackers exploit browser-specific behaviors, instructing victims to use Microsoft Edge to bypass security restrictions and download malicious files.

  • Google has released Chrome version 141.0.7390.65/.66 to address three security vulnerabilities that could allow attackers to execute arbitrary code. These flaws include CVE-2025-11458, a high-severity heap buffer overflow in Chrome Sync, and CVE-2025-11460, another high-severity issue involving a use-after-free error in the Storage component. Additionally, CVE-2025-11211 is a medium-severity out-of-bounds read in WebCodecs, reported by Jakob Košir. All three can be triggered by specially crafted web content, so a visit to a malicious page is enough to reach them; Chrome should be restarted once the update is installed.
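
The Gunra item above says the Linux variant seeds rand() with time() inside a fast loop, so the ChaCha20 key and nonce end up with repeated bytes. The following Python simulation is an added example, not Gunra's code or any vendor's analysis. It assumes the reseed happens inside the per-byte loop (which is what the repeated-byte symptom implies) and stands in the C standard's sample LCG for libc rand(); the exact generator does not matter, because the weakness is that the same one-second seed always yields the same first output.

```python
"""Simulation of reseeding rand() with time() inside a key-generation loop.

Added illustration, not Gunra's code. Assumptions: the reseed occurs inside
the per-byte loop, and the C standard's sample LCG stands in for libc rand().
"""
import os
import time

_state = 0


def srand(seed: int) -> None:
    """Stand-in for C srand(): reset the generator state."""
    global _state
    _state = seed & 0xFFFFFFFF


def rand() -> int:
    """Stand-in for C rand(): the C standard's sample LCG (15-bit output)."""
    global _state
    _state = (_state * 1103515245 + 12345) & 0xFFFFFFFF
    return (_state >> 16) & 0x7FFF


def weak_keystream(nbytes: int, clock=time.time) -> bytes:
    """Flawed pattern: srand(time(NULL)) before every rand() call.

    Every call made within the same wall-clock second reseeds identically and
    therefore returns the first output of the same sequence: one byte value,
    repeated. A 32-byte key built this way carries at most 8 bits of entropy
    per second of wall-clock time the loop spans."""
    out = bytearray()
    for _ in range(nbytes):
        srand(int(clock()))          # time() has one-second resolution
        out.append(rand() & 0xFF)    # low byte of the first output
    return bytes(out)


def strong_keystream(nbytes: int) -> bytes:
    """What the generator should do: read the OS CSPRNG (getrandom/urandom)."""
    return os.urandom(nbytes)


def distinct_bytes(buf: bytes) -> int:
    """Distinct byte values in a key or nonce: 32 random bytes normally show
    well over 20, the flawed generator shows 1 or 2."""
    return len(set(buf))


def keyspace_over_window(first_second: int, seconds: int, nbytes: int = 32) -> int:
    """Count the distinct keys the flawed generator can emit over a window of
    wall-clock seconds. The count never exceeds 256, whatever the window,
    because each key is a single byte value repeated nbytes times."""
    keys = set()
    for s in range(first_second, first_second + seconds):
        keys.add(weak_keystream(nbytes, clock=lambda s=s: float(s)))
    return len(keys)


def ticking_clock(start: float, step: float):
    """Fake clock advancing `step` seconds per call, modelling a loop that
    straddles a second boundary (constructed for the example)."""
    t = [start - step]

    def _clock() -> float:
        t[0] += step
        return t[0]

    return _clock


if __name__ == "__main__":
    frozen = weak_keystream(32, clock=lambda: 1700000000.25)
    print("same-second key:", frozen.hex(), "distinct bytes:", distinct_bytes(frozen))
    straddle = weak_keystream(32, clock=ticking_clock(1700000000.99, 0.01))
    print("boundary key   :", straddle.hex(), "distinct bytes:", distinct_bytes(straddle))
    print("distinct keys over one hour of seeds:", keyspace_over_window(1700000000, 3600))
    print("os.urandom key : distinct bytes:", distinct_bytes(strong_keystream(32)))
```

The practical consequence for responders is the last number: a key that can only take 256 values over any time window is brute-forceable by trying every candidate against a known file header, which is why a sample of encrypted files plus the binary is worth preserving before any recovery attempt.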

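The PhantomRaven item above turns on dependency specs that resolve outside the registry at install time. The checker below is an added example, not code from the campaign's analysis or from npm; it parses a package manifest and flags dependencies given as tarball URLs, git URLs, or GitHub shorthand, plus any lifecycle script that would run during install. The manifest it scans is constructed for the example (the `.invalid` host and package names are placeholders), and the spec patterns cover the common forms rather than every syntax npm accepts.

```python
"""Flag npm manifest entries that fetch code from outside the registry.

Added illustration for the PhantomRaven item; not npm's code and not the
campaign analysis. The sample manifest is constructed for the example.
"""
import json
import re

# Spec forms that make `npm install` fetch from a location the publisher
# controls and can change after publication (the Remote Dynamic Dependency
# trick). Not exhaustive: npm accepts a few more syntaxes.
REMOTE_SPEC = re.compile(
    r"^(?:https?://|git(?:\+(?:ssh|https?|file))?://|git@|"
    r"github:|gitlab:|bitbucket:|gist:)",
    re.IGNORECASE,
)
# Bare "owner/repo[#ref]" is GitHub shorthand to npm as well.
GITHUB_SHORTHAND = re.compile(r"^[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(?:#.+)?$")
# Lifecycle scripts run automatically during install; a remote dependency
# paired with a preinstall hook is the combination worth a hard stop.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
DEP_FIELDS = ("dependencies", "devDependencies", "optionalDependencies")


def is_remote_spec(spec: str) -> bool:
    return bool(REMOTE_SPEC.match(spec) or GITHUB_SHORTHAND.match(spec))


def remote_dependencies(manifest: dict) -> list:
    """Return (field, name, spec) for every dependency not served by the registry."""
    hits = []
    for field in DEP_FIELDS:
        for name, spec in manifest.get(field, {}).items():
            if is_remote_spec(spec):
                hits.append((field, name, spec))
    return hits


def install_hooks(manifest: dict) -> dict:
    """Return the lifecycle scripts that would execute during `npm install`."""
    scripts = manifest.get("scripts", {})
    return {k: v for k, v in scripts.items() if k in LIFECYCLE_HOOKS}


def risk_report(manifest: dict) -> dict:
    remote = remote_dependencies(manifest)
    return {
        "name": manifest.get("name"),
        "remote_dependencies": remote,
        "install_hooks": install_hooks(manifest),
        "block_install": bool(remote),   # policy: any remote spec is a hard stop
    }


# Constructed sample: one registry-pinned dependency, one tarball URL, one
# github: shorthand, one bare owner/repo shorthand, and a preinstall hook.
SAMPLE_MANIFEST = json.loads("""
{
  "name": "example-helper",
  "version": "1.0.3",
  "dependencies": {
    "lodash": "^4.17.21",
    "helper-core": "http://cdn.example.invalid/helper-core-1.0.3.tgz",
    "fast-utils": "github:someuser/fast-utils",
    "tiny-lib": "someorg/tiny-lib#abc123"
  },
  "scripts": {
    "preinstall": "node setup.js",
    "test": "jest"
  }
}
""")

if __name__ == "__main__":
    print(json.dumps(risk_report(SAMPLE_MANIFEST), indent=2))
```

Run it against the manifest of a package before installing it, for example the JSON from `npm view <package> --json` or the package.json inside the tarball produced by `npm pack <package>`. The check only sees the spec, not what the remote URL serves, and the served content can change at any time, so the sensible policy is to block rather than to fetch and inspect.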
