The US Cybersecurity and Infrastructure Security Agency (CISA) has added a critical vulnerability in Motex Lanscope Endpoint Manager (CVE-2025-61932) to its Known Exploited Vulnerabilities (KEV) catalog. The flaw affects on-premises versions of the software’s Client program and Detection Agent, and it has been actively exploited in the wild. Successful exploitation could allow attackers to execute arbitrary code on affected systems.
TP-Link has issued security updates to fix four vulnerabilities affecting Omada gateway devices, including a critical flaw that could allow arbitrary code execution. The addressed issues are CVE-2025-6541 (an OS command injection vulnerability that can be exploited by an authenticated user via the web management interface), CVE-2025-6542 (a command injection flaw), CVE-2025-7850 (another command injection issue), and CVE-2025-7851 (an improper privilege management flaw that may allow attackers to gain root access under certain conditions).
Hackers are actively exploiting a critical vulnerability in Adobe Commerce (formerly Magento), tracked as CVE-2025-54236 and nicknamed SessionReaper. Sansec researchers confirmed active exploitation roughly six weeks after Adobe issued an emergency patch.
A threat actor breached the Kansas City National Security Campus (KCNSC) in August, exploiting two Microsoft SharePoint vulnerabilities (CVE-2025-53770 and CVE-2025-49704). It remains unclear whether Chinese or Russian actors were behind the intrusion. Microsoft has linked the broader SharePoint exploitation campaign to three Chinese groups, Linen Typhoon, Violet Typhoon, and Storm-2603, which it says were preparing to deploy Warlock ransomware. However, a source familiar with the Kansas City incident said a Russian actor was responsible.
Hackers believed to be linked to China have exploited a critical Microsoft SharePoint vulnerability known as ToolShell (CVE-2025-53770) in a series of attacks against government departments, universities, telecommunications providers and finance firms across multiple continents. Symantec says it has observed activity targeting a Middle Eastern telecommunications provider that began on July 21, when attackers exploited CVE-2025-53770 to plant webshells and establish persistent access. The campaign then used DLL side-loading to deploy a Go-based backdoor dubbed Zingdoor and what researchers believe to be the ShadowPad trojan, followed by the Rust-based KrustyLoader and the Sliver post-exploitation framework.
A hacker group known as Cavalry Werewolf (aka YoroTrooper and Silent Lynx) carried out a cyber espionage campaign against Russian government agencies and industrial firms between May and August 2025, according to a report from Picus Security. The attackers used phishing emails disguised as Kyrgyz government correspondence to deliver malicious RAR archives containing two custom implants, FoalShell and StallionRAT. FoalShell provided remote access to compromised systems, while StallionRAT used the Telegram app as its command-and-control (C2) channel to execute commands, steal data, and exfiltrate sensitive information.
Picus Security researchers have also discovered a Rust-based piece of malware, dubbed ’ChaosBot,’ that uses the Discord platform for its command-and-control operations. ChaosBot operates by validating its credentials with the Discord API, then creating a private text channel named after its victim's computer, which serves as an interactive, covert shell.
A targeted spearphishing campaign, dubbed ‘PhantomCaptcha,’ hit Ukrainian regional government offices and critical war relief organizations, including the International Committee of the Red Cross, UNICEF, and various NGOs, in a one-day blitz on October 8. The operation combined social engineering with purpose-built malicious infrastructure to deliver a custom WebSocket-based Remote Access Trojan (RAT) for espionage and data theft.
Seqrite Labs has uncovered a new targeted cyber-espionage campaign dubbed ‘Operation MotorBeacon,’ aimed at compromising entities in Russia’s automotive and automobile-commerce industry. The campaign leverages a previously undocumented .NET-based malware implant named ‘CAPI Backdoor,’ capable of stealing sensitive data and establishing long-term persistence on infected systems.
A Russia-linked threat actor tracked as Coldriver (also UNC4057, Star Blizzard, and Callisto) has increasingly relied on a new malware family since its Lostkeys malware was exposed in May 2025. According to a new analysis from Google’s Threat Intelligence Group (GTIG), the group refined and retooled its arsenal just five days after public disclosure, shifting to a related delivery chain that Google has codenamed Norobot, Yesrobot and Mayberobot.
Threat actors behind the Winos 4.0 malware family (also tracked as ValleyRAT) have expanded their operations beyond China and Taiwan to target victims in Japan and Malaysia. The campaign now deploys a second remote access trojan (RAT), tracked as HoldingHands RAT (aka Gh0stBins), alongside Winos 4.0. Fortinet researchers said the attacks begin with phishing e-mails carrying malicious PDF attachments that contain embedded malicious links.
Cybersecurity firm Darktrace has discovered a campaign targeting a European telecommunications provider, which it linked to the China-affiliated espionage group known as Salt Typhoon. The attack was first detected in early July and is believed to have started with the exploitation of a Citrix NetScaler Gateway appliance.
A new Trellix report examines the tactics, techniques, and procedures (TTPs) employed by SideWinder, an advanced persistent threat (APT) group notorious for its espionage activities in Asia. In its most recent campaign, the group targeted a European embassy located in India, as well as institutions in several countries, including Sri Lanka, Pakistan, and Bangladesh. The attacks used phishing emails to deploy the ModuleInstaller and StealerBot malware for espionage purposes.
North Korean Lazarus hackers carried out a coordinated Operation DreamJob campaign in late March, compromising three European defense companies involved in unmanned aerial vehicle (UAV) development. Posing as recruiters, the group lured employees with offers for high-profile positions in order to steal proprietary information and manufacturing know-how, trojanizing open-source GitHub projects and deploying the ScoringMathTea malware. In this wave of attacks the threat actors used new libraries for DLL proxying and chose different open-source projects to trojanize.
Check Point Research has warned that the notorious LockBit ransomware group has resurfaced after its disruption in early 2024. The operation, now using a new variant called LockBit 5.0 (“ChuongDong”), has already targeted at least a dozen organizations in September 2025. The attacks span Windows, Linux, and ESXi systems across Europe, the Americas, and Asia.
In a separate report, Check Point detailed a malicious operation, dubbed the ‘YouTube Ghost Network,’ that has been exploiting YouTube to spread malware through over 3,000 infected videos since 2021. The campaign uses hacked accounts to post videos promoting pirated software and Roblox cheats, which trick users into downloading stealer malware. Google has since removed most of the malicious content.
Security researchers warn that infections from Vidar Stealer are likely to surge following the release of Vidar 2.0, which comes with new capabilities. The new version, rewritten in C, introduces multi-threaded data theft, improved evasion techniques, and the ability to bypass Chrome’s app-bound encryption. Vidar 2.0 can steal a wide range of data, including browser credentials, cryptocurrency wallets, cloud logins, and messaging app data, and exfiltrates it via Telegram bots and Steam profile URLs.
Malware analysis company ANY.RUN published a technical report on the Tykit (Typical phishing kit) phishing tool. First spotted in May 2025, the kit mimics Microsoft 365 login pages, targeting corporate account credentials of numerous organizations, and uses various evasion tactics like hiding code in SVGs or layering redirects.
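The "hiding code in SVGs" tactic works because an SVG is an XML document that browsers will render and, outside a sandboxed img tag, execute: script elements, on* event handlers and javascript: URLs all run when the file is opened directly. The checker below is an added example (not ANY.RUN's detection logic and not part of Tykit) that parses an SVG with the Python standard library and reports such executable content; the two SVG strings are constructed for the demo, and the example.invalid hosts are placeholders.

```python
"""Flag SVG files that carry executable or redirecting content.

Added example, not a vendor's detector: walks the SVG's XML tree and reports
script elements, on* event handlers, javascript:/data: URLs and foreignObject,
the hooks a phishing kit uses to redirect the viewer to a credential page.
"""
import sys
import xml.etree.ElementTree as ET

# Element names that let an SVG run code or embed arbitrary HTML.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
# URL schemes that execute rather than fetch an image.
ACTIVE_SCHEMES = ("javascript:", "data:text/html", "vbscript:")


def _local(name: str) -> str:
    """Strip an XML namespace prefix like '{http://www.w3.org/2000/svg}' ."""
    return name.rsplit("}", 1)[-1].lower()


def svg_findings(svg_text: str) -> list[str]:
    """Return a list of human-readable findings; an empty list means clean."""
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML ({exc})"]
    findings = []
    for elem in root.iter():
        if not isinstance(elem.tag, str):  # comments / processing instructions
            continue
        name = _local(elem.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"<{name}> element")
        for attr, value in elem.attrib.items():
            attr_name = _local(attr)
            if attr_name.startswith("on"):
                findings.append(f"event handler {attr_name} on <{name}>")
            if attr_name == "href":
                normalized = value.strip().lower()
                if normalized.startswith(ACTIVE_SCHEMES):
                    findings.append(f"active URL in href on <{name}>")
    return findings


# Constructed sample of the shape a redirecting SVG lure takes: a 1x1 image
# whose only purpose is to send the viewer to a lookalike login page.
MALICIOUS_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" '
    'xmlns:xlink="http://www.w3.org/1999/xlink" width="1" height="1">'
    '<rect width="1" height="1" fill="white" '
    'onload="window.location=\'https://example.invalid/login\'"/>'
    '<a xlink:href="javascript:void(0)"><circle r="1"/></a>'
    '<script type="text/javascript">'
    "window.top.location = 'https://example.invalid/office';"
    "</script></svg>"
)
# Constructed benign sample: a plain vector shape.
BENIGN_SVG = '<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'


def main(argv: list[str]) -> int:
    """Scan the files given on the command line, or the constructed sample."""
    if argv:
        inputs = [(p, open(p, encoding="utf-8", errors="replace").read()) for p in argv]
    else:
        inputs = [("<constructed sample>", MALICIOUS_SVG)]
    dirty = 0
    for label, text in inputs:
        for finding in svg_findings(text):
            print(f"{label}: {finding}")
            dirty = 1
    return dirty


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

The check is deliberately structural rather than regex-based: attributes are compared after the namespace is stripped, so `xlink:href` and plain `href` are both caught, and a lure that hides behind an XML comment or unusual whitespace still parses to the same tree. Run it over mail-gateway SVG attachments before they reach a browser, and treat a non-empty result as a reason to detonate the file in a sandbox.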
The Scattered LAPSUS$ Hunters cybercrime group appears to be shifting its operational tactics, according to Palo Alto Networks’ Unit 42. Analysts say recent activity on the group’s Telegram channel suggests it is working on launching an extortion-as-a-service (EaaS) operation.
Joint research from Infoblox and the UN Office on Drugs and Crime has revealed that the Universe Browser, marketed as a privacy-focused web browser, is in reality sophisticated malware linked to Asian cybercrime networks. The browser secretly routes all user traffic through Chinese servers and installs hidden programs, including keyloggers, screenshot tools, and monitoring systems that collect sensitive data. It also installs malicious extensions capable of uploading screenshots to external domains. Investigators traced the operation to the Vault Viper threat group, which has connections to the major gambling company BBIN and Southeast Asia’s multibillion-dollar cybercrime ecosystem.
Cybersecurity researchers have uncovered a large-scale campaign involving 131 rebranded clones of a Google Chrome extension designed to automate WhatsApp Web, collectively used to spam thousands of Brazilian users.
OpenAI’s Atlas and Perplexity’s Comet browsers are vulnerable to a security issue dubbed ‘AI Sidebar Spoofing’ by researchers at browser security firm SquareX. The flaw allows attackers to fake the browsers’ built-in AI sidebars, potentially tricking users into following malicious instructions. By injecting JavaScript through a malicious browser extension, attackers can overlay a fake sidebar on top of the real one.
A new supply chain attack has been observed that is targeting Microsoft Visual Studio and OpenVSX marketplaces with self-propagating malware dubbed GlassWorm. The malware, estimated to have been installed on 35,800 developer systems, is being spread through compromised extensions and uses a variety of techniques to avoid detection. The most notable technique is the use of invisible Unicode characters to hide malicious code in source files. Once installed, the malware attempts to steal credentials for GitHub, npm, and OpenVSX, enabling it to spread further by publishing infected versions of extensions the victim can access. The malware also searches for cryptocurrency wallet data in at least 49 known extensions.
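The invisible-Unicode trick is cheap to catch once you look for it: zero-width characters, bidi controls and variation selectors render as nothing in an editor or a diff view but are still bytes in the file, and a payload encoded that way shows up as a long unbroken run of them. The scanner below is an added example (not GlassWorm's loader and not any marketplace's own check) that flags those code points line by line and reports the longest run; the JavaScript sample it scans is constructed for the demo, and the run threshold of four is a value chosen here, not a published indicator. It also covers the related bidi-override ("Trojan Source") characters, which the page does not mention but which hide in source the same way.

```python
"""Heuristic scanner for invisible Unicode code points hidden in source files.

Added example, not GlassWorm's code: walks a file, flags characters that
render as nothing or alter text direction, and reports long runs of them,
which is what a payload encoded into invisible characters looks like.
"""
import sys
import unicodedata
from pathlib import Path

# Code point ranges that are invisible in an editor yet survive in the file.
SUSPICIOUS_RANGES = (
    (0x200B, 0x200F),    # zero-width space/joiners, LRM/RLM
    (0x202A, 0x202E),    # bidi embedding and override ("Trojan Source" style)
    (0x2060, 0x2064),    # word joiner, invisible operators
    (0x2066, 0x2069),    # bidi isolates
    (0xFE00, 0xFE0F),    # variation selectors
    (0xE0000, 0xE007F),  # tag characters
    (0xE0100, 0xE01EF),  # variation selectors supplement
)
BOM = "\ufeff"
# Runs at least this long are reported as a probable encoded payload
# (threshold chosen for this example, not a published indicator).
RUN_THRESHOLD = 4


def is_invisible(ch: str) -> bool:
    """True for characters that should never appear inside source code."""
    cp = ord(ch)
    if any(lo <= cp <= hi for lo, hi in SUSPICIOUS_RANGES):
        return True
    # Cf = format, Co = private use, Cn = unassigned.
    return unicodedata.category(ch) in ("Cf", "Co", "Cn")


def scan_text(text: str) -> list[tuple[int, str, str]]:
    """Return (line_number, 'U+XXXX', unicode_name) for each flagged character."""
    if text.startswith(BOM):
        text = text[1:]  # a leading byte-order mark is benign
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for ch in line:
            if is_invisible(ch):
                findings.append((lineno, f"U+{ord(ch):04X}",
                                 unicodedata.name(ch, "<unnamed>")))
    return findings


def longest_invisible_run(text: str) -> int:
    """Length of the longest unbroken sequence of flagged characters."""
    if text.startswith(BOM):
        text = text[1:]
    longest = run = 0
    for ch in text:
        run = run + 1 if is_invisible(ch) else 0
        longest = max(longest, run)
    return longest


def scan_file(path: Path) -> dict:
    text = path.read_text(encoding="utf-8", errors="replace")
    return {"path": str(path), "findings": scan_text(text),
            "longest_run": longest_invisible_run(text)}


# Constructed sample: a benign-looking extension entry point with five
# invisible code points spliced into line 2.
SAMPLE_JS = (
    "const version = '1.0.3';\n"
    "function activate(context) {\u200b\ufe0f\ufe01\ufe0e\ufe03 return context; }\n"
    "module.exports = { activate };\n"
)


def main(argv: list[str]) -> int:
    """Scan the paths given on the command line, or the constructed sample."""
    if argv:
        reports = [scan_file(Path(p)) for p in argv]
    else:
        reports = [{"path": "<constructed sample>", "findings": scan_text(SAMPLE_JS),
                    "longest_run": longest_invisible_run(SAMPLE_JS)}]
    dirty = 0
    for r in reports:
        for lineno, cp, name in r["findings"]:
            print(f"{r['path']}:{lineno}: {cp} {name}")
        if r["longest_run"] >= RUN_THRESHOLD:
            print(f"{r['path']}: run of {r['longest_run']} invisible code points, "
                  "probable hidden payload")
        dirty += bool(r["findings"])
    return 1 if dirty else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Wire a check like this into the pipeline that publishes or vets extensions (a pre-commit hook, a CI job over the packaged VSIX contents) and fail the build on any finding; a legitimate source file has no reason to contain these code points outside string literals, and the run length separates an accidental zero-width space from an encoded blob. A leading BOM is the one exception worth allowing, since some editors emit it.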