
This week’s cybersecurity summary emphasizes increasing dangers stemming from misconfigurations, software vulnerabilities, and sophisticated malware. Significant events require prompt action from IT departments and leadership.

ISC resolved CVE-2025-5470 in BIND 9 (versions 9.16.0–9.18.26), a DoS issue (CVSS 8.6) that enables server failures through incorrectly formatted DNS queries. It poses risks of amplification attacks on worldwide infrastructure—promptly update DNS servers.

Google addressed CVE-2025-5482, a zero-day vulnerability in the Chrome V8 engine (versions prior to 131.0.6778.76) that permits sandbox escapes and code execution via harmful websites. The flaw is currently exploited across multiple platforms; automatic updates are being deployed to mitigate the resulting phishing risks.

The Aardvark Agent backdoor, associated with state-sponsored groups, targets the financial sector through spear-phishing. Mimicking administrative tools, it assists in data exfiltration and lateral movement; indicators of compromise include particular C2 domains. Enhance endpoint detection and implement zero-trust frameworks.

Threats

Android Banking Trojan Herodotus Evades Detection

A recently emerged Android malware named Herodotus operates as a highly advanced banking trojan, imitating human typing behaviors to trick behavioral biometrics during remote access sessions. Distributed through side-loading and SMiShing, it employs a unique dropper to navigate Android 13+ limitations on Accessibility Services, utilizing overlays for credential harvesting and SMS interception. Targeting individuals in Italy and Brazil as Malware-as-a-Service, Herodotus divides text entries into characters with randomized delays ranging between 300-3000ms, simulating genuine keystrokes to evade fraud alerts.

Read more: https://cybersecuritynews.com/new-android-malware-herodotus-mimic-human-behaviour/

Stealthy Atroposia RAT Enables Hidden Access

Atroposia, a modular remote access trojan available for $200 monthly, lowers entry barriers for cybercriminals by bundling functionalities such as concealed remote desktops, credential theft, and vulnerability assessments in a user-friendly interface. Its HRDP Connect feature creates invisible shadow sessions for covert system interaction, allowing monitoring and data exfiltration without raising user alerts or generating standard RDP logs. With enhancements for privilege escalation, persistence across system reboots, and a file grabber for in-memory extraction, Atroposia integrates seamlessly into systems to avoid detection by antivirus and DLP solutions.

Read more: https://cybersecuritynews.com/new-atroposia-rat-with-stealthy-remote-desktop/

Gunra Ransomware Hits Dual Platforms

Gunra ransomware, operational since April 2025, targets both Windows and Linux platforms, employing dual encryption techniques and double-extortion strategies to encrypt files and threaten data publication via a Tor website. It adds .ENCRT extensions to encrypted files, drops R3ADM3.txt ransom notes, deletes shadow copies using WMI, and utilizes anti-debugging measures like IsDebuggerPresent to avoid detection. Modeled after Conti, Gunra affects diverse industries globally, including real estate and pharmaceuticals, compelling victims in Japan, Egypt, and Italy to pay within five days to prevent exposure.

Read more: https://cybersecuritynews.com/gunra-ransomware-leveraging-attacking-windows/

Gentlemen’s RaaS Recruits Affiliates

The Gentlemen’s RaaS, promoted on hacking forums by the operator zeta88, provides cross-platform encryption for Windows, Linux, and ESXi systems utilizing Go and C code, offering a 90% revenue share for affiliates. This advantageous model attracts seasoned actors by allowing complete negotiation control while managing backend operations, broadening ransomware’s impact on enterprise infrastructures, including NAS and virtual environments. The compact 32KB ESXi locker underscores stealth, representing a shift in RaaS commercialization beyond conventional platforms.

Read more: https://cybersecuritynews.com/new-gentlemens-raas-advertised-on-hacking-forums/

PolarEdge Botnet Expands IoT Control

The PolarEdge botnet has compromised over 25,000 IoT devices in 40 nations, establishing 140 C2 servers by taking advantage of vulnerabilities in devices such as Cisco routers, Asus, and KT CCTV systems. Revealed in February 2025, it constructs an Operational Relay Box network for APT actors, facilitating anonymous proxying through multi-hop architecture and utilizing ports 55555/55560 for commands and traffic. Predominantly found in South Korea (42%) and China (20%), the botnet leverages VPS from Alibaba and Tencent Cloud for its infrastructure-as-a-service in DDoS, exfiltration, and other types of attacks.

Read more: https://cybersecuritynews.com/polaredge-botnet-infected-25000-devices/

PhantomRaven Targets npm Developers

The PhantomRaven campaign has deployed 126 malicious npm packages since August 2025, achieving 86,000 downloads by concealing code within dependencies retrieved from URLs controlled by attackers, such as packages.storeartifact.com, thus evading scanners. These slopsquatted packages purloin npm tokens, GitHub credentials, and CI/CD secrets, using obvious publisher names like npmhell for operational traceability. Initially, 21 packages were removed, but attackers adjusted their tactics for 80 additional ones, enabling personalized malware delivery and supply chain intrusions in JavaScript projects.

Read more: https://cybersecuritynews.com/phantomraven-attack-involves-126-malicious-npm-packages/

Fake ChatGPT Apps Enable Surveillance

Malicious applications posing as ChatGPT on third-party platforms request extensive permissions for SMS, contacts, and logs, utilizing Ijiami obfuscation along with native libraries to maintain persistent keylogging and credential theft. They exfiltrate OTPs, banking codes, and contact lists through domain fronting on AWS and Google Cloud, imitating legitimate AI interfaces to integrate their traffic. Resembling Triout and AndroRAT spyware, these trojans take advantage of AI enthusiasm for monitoring, urging users to rely solely on official OpenAI services.

Read more: https://cybersecuritynews.com/beware-of-malicious-chatgptt-apps/

Cyberattacks

New Phishing Attack Using Invisible Characters

Cybercriminals are utilizing MIME encoding and Unicode soft hyphens in email subject lines to circumvent security filters, fragmenting keywords like “password” while appearing normal to recipients. This tactic targets credential theft through fraudulent webmail pages and has been spotted in campaigns steering victims towards compromised websites. The same technique extends to message bodies, circumventing content filters and revealing deficiencies in keyword-based detection.

Read more: https://cybersecuritynews.com/new-phishing-attack-using-invisible-characters/
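The filter weakness described above is that a keyword match runs on the raw subject header, where the word is still MIME-encoded or still contains a soft hyphen. The following is an added example, not code from the article or from any vendor, showing the defender-side fix: decode RFC 2047 encoded-words first, strip invisible code points, and only then match. The watch list and the sample subject are constructed for the example; the set of zero-width characters beyond U+00AD is an assumption added for completeness.

```python
import re
import unicodedata
from email.header import Header, decode_header

# Code points that render as nothing but split a keyword for a naive matcher.
# U+00AD (soft hyphen) is the one the campaign uses; the zero-width entries
# are an assumption of this example.
INVISIBLE = {"\u00ad", "\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}

# Constructed watch list of credential-phishing keywords (not from the article).
WATCHLIST = ("password", "verify your account", "mailbox")


def encode_subject(text: str) -> str:
    """Produce the RFC 2047 encoded-word form a sender would put on the wire."""
    return Header(text, "utf-8").encode()


def decode_subject(raw_subject: str) -> str:
    """Decode =?charset?B?...?= / =?charset?Q?...?= chunks into plain text."""
    parts = []
    for chunk, charset in decode_header(raw_subject):
        if isinstance(chunk, bytes):
            parts.append(chunk.decode(charset or "ascii", errors="replace"))
        else:
            parts.append(chunk)
    return "".join(parts)


def normalize(text: str) -> str:
    """Fold compatibility forms, drop invisible code points, lower-case."""
    text = unicodedata.normalize("NFKC", text)
    text = "".join(ch for ch in text if ch not in INVISIBLE)
    return re.sub(r"\s+", " ", text).strip().lower()


def scan_subject(raw_subject: str) -> dict:
    """Report keyword hits on the normalized subject and what a naive
    (decode-only) match would have missed."""
    decoded = decode_subject(raw_subject)
    cleaned = normalize(decoded)
    hidden = sorted({f"U+{ord(c):04X}" for c in decoded if c in INVISIBLE})
    hits = [kw for kw in WATCHLIST if kw in cleaned]
    naive_hits = [kw for kw in WATCHLIST if kw in decoded.lower()]
    return {
        "decoded": decoded,
        "normalized": cleaned,
        "invisible_chars": hidden,
        "keyword_hits": hits,
        "missed_by_naive_match": [kw for kw in hits if kw not in naive_hits],
    }


if __name__ == "__main__":
    # Constructed sample: the word "password" split by a soft hyphen, then
    # MIME-encoded exactly as a mail client would send it.
    raw = encode_subject("Reset your pass\u00adword now")
    print(raw)
    print(scan_subject(raw))
```

The point of `missed_by_naive_match` is to measure the gap: a rule that only decodes the header still sees `pass\u00adword` and does not fire, while the normalized text does.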

10 Malicious npm Packages Featuring Auto-Execution

Ten typosquatted npm packages resembling libraries such as discord.js have infiltrated over 9,900 developer environments by running through postinstall hooks across Windows, Linux, and macOS. These packages implement multi-stage credential collectors utilizing obfuscation techniques, fraudulent CAPTCHAs, and PyInstaller binaries to capture browser information, SSH keys, and cloud credentials. The malware exfiltrates information to the attacker’s servers, facilitating account takeovers in corporate and cloud systems.

Read more: https://cybersecuritynews.com/10-malicious-npm-packages-with-auto-run-feature/
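Both the typosquatting and the lifecycle-hook execution described above are visible in a package's manifest before anything runs. The following is an added example, not code from the article or from npm, of a pre-install audit over a `package.json`: it flags names within a small edit distance of a popular package and lists any `preinstall`/`install`/`postinstall` hooks, with extra weight on hooks that fetch or launch something. The popular-name list, the risky-token list and the two sample manifests are constructed for the example.

```python
import json

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare",
                   "preuninstall", "postuninstall")

# Constructed reference list; a real deployment would load the registry's
# top-N names instead.
POPULAR = ("discord.js", "express", "lodash", "axios", "react", "chalk")

# Tokens that commonly appear when a hook downloads or evaluates code
# (assumption of this example, not an exhaustive list).
RISKY_TOKENS = ("curl", "wget", "powershell", "node -e", "bash -c",
                "http://", "https://", "eval(")


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert/delete/substitute, each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_candidate(name: str, popular=POPULAR, max_distance: int = 2):
    """Return the popular name this one is suspiciously close to, or None."""
    best = None
    for known in popular:
        if known == name:
            return None  # exact match: it *is* the popular package
        d = edit_distance(name, known)
        if d <= max_distance and (best is None or d < best[1]):
            best = (known, d)
    return best[0] if best else None


def audit_manifest(manifest_json: str) -> dict:
    m = json.loads(manifest_json)
    name = m.get("name", "")
    scripts = m.get("scripts") or {}
    hooks = {k: v for k, v in scripts.items() if k in LIFECYCLE_HOOKS}
    risky = {k: v for k, v in hooks.items()
             if any(tok in v.lower() for tok in RISKY_TOKENS)}
    squat = typosquat_candidate(name)
    if squat and hooks:
        verdict = "block"
    elif squat or hooks:
        verdict = "review"
    else:
        verdict = "ok"
    return {"name": name, "typosquat_of": squat, "lifecycle_hooks": hooks,
            "risky_hooks": risky, "verdict": verdict}


# Constructed sample manifests (not real packages).
SUSPECT_MANIFEST = r'''{"name": "discrod.js", "version": "14.16.3",
  "scripts": {"postinstall": "node -e \"require('./setup.js')\""}}'''
BENIGN_MANIFEST = r'''{"name": "express", "version": "4.19.2",
  "scripts": {"test": "mocha"}}'''

if __name__ == "__main__":
    for doc in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        print(audit_manifest(doc))
```

Running this in CI before `npm install` (or on the resolved lockfile, one manifest per dependency) gives a cheap first gate; the hook listing is the part that matters most, since `npm install --ignore-scripts` is the blunt control and this tells you which packages would be affected by it.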

Threat Actors Utilize Judicial Documents as Weapons

Malicious actors are mimicking Colombia’s Attorney General’s office in phishing emails containing SVG attachments that lead to ZIP files harboring Hijackloader malware, eventually deploying the PureHVNC RAT. This initiative targets Latin American users with judicial-themed bait, applying DLL side-loading and evasion strategies such as stack spoofing to ensure persistence. The transition to PureHVNC delivery signifies an advancement in regional assaults, exploiting faith in legal communications.

Read more: https://cybersecuritynews.com/threat-actors-weaponizes-judicial-documents/

CISA Offers Threat Detection Guidance for WSUS Vulnerability

CISA has revised its recommendations concerning the detection of exploitation for CVE-2025-59287, a severe RCE vulnerability in Windows Server Update Services affecting versions from 2012 to 2025. Attackers employ crafted SOAP requests for deserialization-based code execution with SYSTEM privileges, facilitating credential theft and lateral movement via proxies. Organizations should implement the out-of-band patch released on October 23, monitor for unusual wsusservice.exe processes, and restrict ports 8530/8531 as countermeasures.

Read more: https://cybersecuritynews.com/cisa-threat-detections-wsus-vulnerability/
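The "unusual wsusservice.exe processes" advice above is most easily turned into a rule on process-creation telemetry. The following is an added example, not code from CISA or the article, that parses constructed Sysmon-style process-creation records and alerts when the WSUS service process is the parent of a command interpreter or download utility. That deserialization RCE would surface as wsusservice.exe spawning such children is an assumption of this example, as is the tab-separated `Key=Value` record layout and the list of suspicious child names.

```python
from pathlib import PureWindowsPath

# Binaries the WSUS service has no legitimate reason to launch
# (assumption of this example, not a list taken from CISA's guidance).
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe",
    "rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe",
}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, so comparisons ignore location/case."""
    return PureWindowsPath(path).name.lower()


def parse_event(line: str) -> dict:
    """Parse one constructed record: fields separated by tabs, each Key=Value.
    partition() splits on the first '=' only, so values may contain '='."""
    fields = {}
    for chunk in line.rstrip("\n").split("\t"):
        key, _, value = chunk.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def is_suspicious(event: dict) -> bool:
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    return parent == "wsusservice.exe" and child in SUSPICIOUS_CHILDREN


def scan(lines) -> list:
    """Return one alert per record where wsusservice.exe spawned a suspicious child."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if is_suspicious(ev):
            alerts.append({
                "time": ev.get("UtcTime", ""),
                "child": basename(ev.get("Image", "")),
                "cmd": ev.get("CommandLine", ""),
            })
    return alerts


# Constructed sample telemetry (not real logs): two hits, two benign records.
WSUS = r"C:\Program Files\Update Services\Service\WsusService.exe"
SAMPLE_EVENTS = [
    "\t".join(["UtcTime=2025-10-24 03:12:41",
               r"Image=C:\Windows\System32\cmd.exe",
               f"ParentImage={WSUS}",
               "CommandLine=cmd.exe /c whoami"]),
    "\t".join(["UtcTime=2025-10-24 03:12:43",
               r"Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               f"ParentImage={WSUS}",
               "CommandLine=powershell.exe -nop -w hidden -enc AAAA=="]),
    "\t".join(["UtcTime=2025-10-24 03:00:00",
               f"Image={WSUS}",
               r"ParentImage=C:\Windows\System32\services.exe",
               "CommandLine=WsusService.exe"]),
    "\t".join(["UtcTime=2025-10-24 03:05:10",
               r"Image=C:\Windows\System32\cmd.exe",
               r"ParentImage=C:\Windows\explorer.exe",
               "CommandLine=cmd.exe"]),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The benign third record matters: the service itself being started by services.exe is normal, so the rule keys on the parent/child pair rather than on the mere presence of wsusservice.exe.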

12 Malicious Extensions Discovered in VSCode Marketplace

Security experts uncovered 12 harmful VSCode extensions in the marketplace and OpenVSX, four of them still active, that steal source code and credentials and open backdoors; the findings come amid a total of 613 million dubious downloads. These extensions utilize stealthy operations like unauthorized downloads and network scans, leveraging the IDE’s capabilities for supply chain attacks. The ecosystem’s 5.6% suspicious download rate underscores the risks associated with AI-assisted development tools.

Read more: https://cybersecuritynews.com/12-malicious-extension-in-vscode-marketplace/

RediShell RCE Vulnerability Exposes 8500 Redis Instances

CVE-2025-49844, a use-after-free defect in Redis’s Lua scripting engine, permits sandbox escape and host-level RCE on over 8,500 exposed instances, many operating without authentication in cloud settings. Attackers craft harmful Lua scripts to execute arbitrary commands, risking the installation of malware and data theft; the defect has been present since 2012. Redis has addressed the flaw and encourages immediate updates for all versions with Lua enabled.

Read more: https://cybersecuritynews.com/redishell-rce-vulnerability-exposes-8500-redis/

New Lampion Stealer Implements ClickFix Attack

Brazilian threat actors behind the Lampion banking trojan have embraced ClickFix tactics in phishing efforts, misleading users into executing PowerShell commands that download obscured VBScripts for multi-stage infections targeting Portuguese financial institutions. The malware evades detection through fragmented execution, anti-analysis measures, and persistence via startup folders, capturing banking credentials since its initial appearance in 2019. This progression involves ZIP attachments and scheduled reboots to maintain stealth within government and financial sectors.

Read more: https://cybersecuritynews.com/new-lampion-stealer-uses-clickfix-attack/

Cisco IOS XE BadCandy Web Shell

Attackers are exploiting CVE-2023-20198 in unpatched Cisco IOS XE devices to install the BadCandy Lua-based web shell, establishing privileged accounts for command execution through concealed Nginx endpoints. Recorded in over 400 Australian breaches since July 2025, the non-persistent implant hides behind temporary patches but ensures persistence via stolen credentials. Mitigation necessitates applying Cisco’s patch from October 2023, disabling HTTP servers, and overseeing unauthorized users and configuration alterations.

Read more: https://cybersecuritynews.com/cisco-ios-xe-badcandy-web-shell/

Vulnerabilities

Magento SessionReaper Vulnerability

A significant input validation issue in Adobe Commerce (previously Magento), labeled as CVE-2025-54236, lets attackers seize user sessions and carry out remote code execution without authentication, impacting unpatched versions with a CVSS score of 9.8. Detected on September 9, 2025, the vulnerability saw a surge in exploitation following a proof-of-concept release on October 22, compromising over 250 stores with web shells and reconnaissance tools. Mitigation includes prompt patching from Adobe and deploying web application firewalls such as Akamai’s to prevent PHP uploads and injection attempts.

Read more: https://cybersecuritynews.com/magento-input-validation-vulnerability/

BIND 9 DNS Cache Poisoning Flaw

CVE-2025-40778 in BIND 9 grants unauthenticated attackers the ability to fabricate DNS records and contaminate caches, circumventing protections like randomized query IDs, affecting recursive resolvers from versions 9.11.0 to 9.21.12 with a CVSS score of 8.6. Publicly disclosed by ISC on October 22, 2025, the flaw facilitates traffic redirection for phishing or malware spread, with no known widespread exploitation observed but a public proof-of-concept augmenting risks. The patched versions include 9.18.41, 9.20.15, and 9.21.14; administrators should activate DNSSEC and disable recursive queries on authoritative servers.

Read more: https://cybersecuritynews.com/bind-9-vulnerability-poc-released/

HikvisionExploiter Toolkit Targets IP Cameras

The open-source HikvisionExploiter tool automates assaults on susceptible Hikvision cameras, taking advantage of CVE-2021-36260 for command injection and credential extraction on firmware versions prior to V5.5.0, affecting models such as the DS-2CD series with a CVSS score of 9.8. While it was released in 2024, it has remained active in 2025, capturing snapshots via unauthenticated endpoints, decrypting configurations with AES/XOR, and facilitating multithreaded scans for thousands of targets. Listed by CISA due to real-world misuse, it allows for the hijacking of surveillance; update to V5.7.0+, segment networks, and scan using tools like Shodan.

Read more: https://cybersecuritynews.com/hikvisionexploiter-exploitation-toolkit/

TEE.Fail Side-Channel Attack on DDR5

The TEE.Fail attack exposes security weaknesses in Intel SGX/TDX and AMD SEV-SNP trusted execution environments by interposing on DDR5 memory buses to retrieve enclave secrets through predictable ciphertext patterns, necessitating physical access. Released in late October 2025, it compromises hardware encryption within data centers for cryptographic keys or AI models without relying on software bugs. Suppliers recommend improved physical security and cryptographic randomization; while remote exploitation is not feasible, internal threats remain concerning.

Read more: https://cybersecuritynews.com/new-tee-fail-attack-breaks-trusted-environments/

Chrome 142 Addresses 20 Vulnerabilities

On October 28, 2025, Google launched Chrome 142, rectifying 20 vulnerabilities including severe V8 JavaScript issues such as type confusion (CVE-2025-12428) and race conditions that permit remote code execution, alongside use-after-free and policy bypasses in extensions. Impacting Windows, Mac, Linux, Android, and ChromeOS, the update features Omnibox UI enhancements to thwart phishing attempts. Activate auto-updates without delay, as unpatched browsers are susceptible to malicious code execution.

Read more: https://cybersecuritynews.com/chrome-142-released-fix-20-vulnerabilities/

Ghost SPNs Facilitate Kerberos Reflection

CVE-2025-58726 takes advantage of ghost Service Principal Names in Windows SMB servers for authentication reflection, permitting low-privileged attackers to attain SYSTEM access through Kerberos ticket relaying without SMB signing. Revealed in June 2025 and rectified on October 14, it employs DNS hijacking of unresolved SPNs along with coercion tools like PetitPotam for domain escalation. Enforce SMB signing, audit SPNs using setspn -D, and limit DNS writes to avert reflection attacks.

Read more: https://cybersecuritynews.com/ghost-spns-and-kerberos-reflection-attack/

Brash Vulnerability Crashes Chromium Browsers

The Brash vulnerability in Chromium’s Blink engine lacks rate limiting on document.title alterations, allowing attackers to inundate DOM mutations and crash browsers such as Chrome and Edge within 15-60 seconds through UI thread saturation. Publicly disclosed in October 2025 with a proof of concept, it affects all Chromium-based browsers by injecting millions of updates every second from harmful sites. Apply a patch urgently and watch for unusual DOM activities to prevent denial-of-service occurrences.

Read more: https://cybersecuritynews.com/chromium-blink-vulnerability/

Exploitation of VMware Tools and Aria 0-Day

CVE-2025-41244, a local privilege escalation flaw in VMware Tools and Aria Operations, enables unprivileged attackers to execute root commands through guest service vulnerabilities, exploited as a zero-day since mid-October 2024. Added to CISA’s KEV catalog in October 2025, it poses significant risks of ransomware within virtual environments. Implement patches instantly, monitor for irregularities, and segment virtualized systems.

Data Exposure

Tata Motors Data Exposure

Security investigator Eaton Zveare unveiled vulnerabilities in Tata Motors’ systems, revealing over 70 terabytes of confidential data, including personal customer information, financial statements, and fleet management specifics from 2023. Hardcoded AWS access keys on public platforms such as the E-Dukaan allowed unauthorized entry to cloud storage buckets containing database backups, invoices inclusive of PAN numbers, and market intelligence. The FleetEdge system suffered from decryptable credentials, facilitating potential malware uploads, while a backdoor in E-Dukaan enabled passwordless access to dashboards; these concerns were reported to CERT-In and resolved by January 2024 without public disclosure.

Read more: Tata Motors Data Leak
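The Tata Motors exposure began with hardcoded AWS access keys committed to public-facing code. The following is an added example, not code from the researcher or from AWS, of the kind of secret scan a team can run over its own repositories before publishing: it matches the documented AWS access key ID format and a 40-character secret next to a secret-key variable name, and reports masked values with line numbers. The sample config is constructed and uses AWS's published example credentials, which are not live keys; the secret-key heuristic is an assumption of this example.

```python
import re
from pathlib import Path

# AWS access key IDs are 20 characters: a 4-letter prefix plus 16 upper-case
# alphanumerics. AKIA = long-term key, ASIA = temporary (STS) key.
ACCESS_KEY = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")

# Heuristic: a secret-key variable name followed by a 40-char base64-style token.
SECRET_KEY = re.compile(
    r"(?i)(?:aws_?secret_?access_?key|secret_?key|aws_secret)"
    r"\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})"
)


def mask(value: str) -> str:
    """Keep only the first and last four characters so reports are safe to share."""
    return value[:4] + "..." + value[-4:]


def scan_text(text: str, source: str = "<memory>") -> list:
    """Return one finding per credential-looking match, with masked value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in ACCESS_KEY.finditer(line):
            findings.append({"source": source, "line": lineno,
                             "kind": "aws_access_key_id", "value": mask(m.group(1))})
        for m in SECRET_KEY.finditer(line):
            findings.append({"source": source, "line": lineno,
                             "kind": "aws_secret_access_key", "value": mask(m.group(1))})
    return findings


def scan_paths(paths) -> list:
    """Scan a list of files; unreadable or binary files are skipped, not fatal."""
    findings = []
    for p in paths:
        try:
            text = Path(p).read_text(encoding="utf-8", errors="strict")
        except (OSError, UnicodeDecodeError):
            continue
        findings.extend(scan_text(text, source=str(p)))
    return findings


# Constructed sample: a config fragment as it might be committed by mistake.
# The values are AWS's documented example credentials, not real keys.
SAMPLE_CONFIG = """\
region = us-east-1
const AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE";
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
bucket = fleet-backups
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG, source="sample-config.js"):
        print(f"{f['source']}:{f['line']} {f['kind']} {f['value']}")
```

Wire `scan_paths` into a pre-commit hook or CI job over the changed files; the masked output lets the finding go into a ticket without re-leaking the credential. A hit on the access key ID alone is already actionable, because the ID is enough to confirm the key exists and to rotate it.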

HSBC USA Alleged Breach

A threat actor asserted on a dark web forum to have infiltrated HSBC USA, claiming possession of customer PII such as names, SSNs, addresses, and transaction histories, potentially encompassing corporate accounts. Screenshots displayed recent data samples, intensifying concerns amid HSBC’s U.S. market struggles following a DoS attack. HSBC refuted the allegations, asserting that investigations showed the sample was not derived from their systems and that no customer data had been compromised, with enhanced monitoring now in place; experts recommend vigilance against identity theft risks.

Read more: Hackers Allegedly Claim Breach of HSBC USA

EY Data Exposure

A 4TB SQL Server backup file from Ernst & Young (EY) was discovered publicly accessible on Microsoft Azure during a routine examination by Neo Security. The unencrypted .BAK file likely included database dumps with schemas, user information, and embedded credentials such as API keys, uncovered via metadata checks and DNS records linked to EY. EY swiftly addressed the matter after disclosure, confirming no client or personal information was affected, as it pertained to an acquired Italian entity; the incident underscores the necessity for persistent cloud asset mapping to guard against automated threats.

Read more: EY Data Leak

Windows

Windows Narrator DLL Hijacking

Researchers detected a DLL hijacking vulnerability within the Windows Narrator accessibility tool, enabling attackers to run malicious code with elevated privileges. The vulnerability arises from insecure DLL loading paths, which can be exploited upon the launch of Narrator, potentially circumventing security features in enterprise settings. Microsoft has yet to release a fix, but mitigation strategies involve limiting Narrator usage and monitoring for suspicious DLLs; this emphasizes the ongoing threats found in built-in Windows tools.

Read more: Windows Narrator DLL Hijack

AzureHound Enumeration Tool

The open-source tool AzureHound, part of the BloodHound suite, is being weaponized by threat actors like the Iranian group Peach Sandstorm and ransomware operators Storm-0501 to map Azure Entra ID environments remotely through Microsoft Graph and Azure APIs. It gathers identity and resource information in JSON format for visualizing privilege escalation paths, enabling efficient discovery without internal network access. Defenses should encompass monitoring API activities for anomalies and bolstering access controls, as misuse generates detectable logs in cloud environments.

Read more: AzureHound Enumerate Azure Entra ID

Microsoft 365 Copilot Researcher

Microsoft launched “Researcher with Computer Use” in 365 Copilot, an AI feature capable of browsing websites autonomously, accessing authenticated materials, and executing tasks such as creating presentations in a sandboxed virtual machine. Operating via visual and text interfaces on Windows 365, it integrates work data along with user controls and safety measures to prevent injections, thus enhancing research productivity by 44% on benchmarks. Security protocols involve debuggable actions, no credential sharing, and administrative controls for domain lists, addressing risks in autonomous AI while boosting productivity.

Read more: Microsoft 365 Copilot Researcher

WSUS Vulnerability Under Exploitation

A critical vulnerability in Windows Server Update Services (WSUS) is currently being actively exploited, allowing remote code execution on domain controllers through altered update approvals. Attackers can link it with additional vulnerabilities for persistence within enterprise networks, aiming at unpatched systems in hybrid settings. Microsoft urges prompt patching and configuration strengthening, with indicators such as atypical WSUS traffic; this exploit heightens supply chain threats in update practices.

Read more: WSUS Vulnerability Actively Exploited

Other News

Google Introduces Guide for Defenders

Google’s Mandiant division released an extensive guide to oversee and safeguard privileged accounts, tackling credential theft that accounted for 16% of 2024 breaches. The framework highlights deterrence via access tiering, detection through behavioral analytics, and swift response strategies like credential rotations, positioning privileged access management as vital for cloud environments. It champions multifactor authentication, just-in-time administration, and solutions like CyberArk to minimize dwell times, which averaged 11 days in breaches.

Read more: https://cybersecuritynews.com/googles-guide-for-defenders/

Microsoft DNS Outage Disrupts Services

A DNS-related outage impacted Microsoft on October 29, 2025, disrupting Azure and Microsoft 365 accessibility globally, with users experiencing authentication failures and delays in portals like Exchange admin center. The problem, arising from internal infrastructure connectivity issues, affected tens of thousands, including healthcare and transportation sectors, underscoring DNS vulnerabilities in cloud environments. Microsoft alleviated the situation by rerouting traffic and recommended programmatic access during recovery, categorizing it as an isolated incident without cyberattack involvement.

Read more: https://cybersecuritynews.com/microsoft-dns-outage/

AWS US East-1 Region Experiences Delays

Amazon Web Services noted increased latencies in its US East-1 region on October 28, 2025, primarily impacting EC2 instance launches and affecting container services like ECS. The disruption posed operational challenges for businesses dependent on the region’s high-traffic infrastructure, highlighting the interconnected risks within cloud platforms. AWS rectified the issue through traffic redistribution, yet it served as a reminder of the importance of diversified deployments and enhanced monitoring for sustained resilience.

Read more: https://cybersecuritynews.com/aws-us-east-1-region-suffers-delays/

CISA Releases Exchange Server Hardening Guide

The Cybersecurity and Infrastructure Security Agency, with NSA and international partners, published optimal practices for securing on-premises Microsoft Exchange servers in October 2025, amid ongoing exploitation of end-of-life versions. The guide advises limiting admin access, enabling multifactor authentication, and configuring TLS with extended protection to counter threats like adversary-in-the-middle attacks. It emphasizes proactive measures, including DKIM for email and zero-trust models, to safeguard communications from compromise.

Read more: https://cybersecuritynews.com/microsoft-exchange-server-hardening-guide/

WhatsApp Launches Passkey Encryption

WhatsApp rolled out passkey-based end-to-end encryption for chat backups, enabling users to secure message histories with biometrics or device locks instead of complicated passwords. Launched in late October 2025, the feature streamlines protection against data loss on new devices, enhancing privacy for end-to-end encrypted content. Users can activate it through settings, ensuring that only they can decrypt backups stored on cloud services.

Read more: https://cybersecuritynews.com/whatsapp-passkey-encryption-for-chat/

OpenAI Introduces Aardvark GPT-5 Agent

OpenAI unveiled Aardvark, a GPT-5-powered autonomous agent on October 29, 2025, designed to identify, validate, and rectify software vulnerabilities in code repositories. Functioning in a multi-stage pipeline, it generates threat models, scans commits, tests exploits in sandbox environments, and proposes remedies via pull requests, addressing over 40,000 CVEs reported in 2024. Currently in private beta, it aims to scale security analysis for developers without disrupting workflows.

Read more: https://cybersecuritynews.com/aardvark-gpt-5-agent/
