Cyber OSINT Overview, Oct 20 - Oct 26, 2025 #
This brief consolidates key updates from 80+ sources, including government organizations, cybersecurity vendors, threat intelligence teams, security research labs, and blogs from cybersecurity communities and professionals. It highlights the most significant threats, vulnerabilities, and developments from the past week to keep you informed.
Most Discussed Topics #
- Multiple critical vulnerabilities have been reported in the Linux Kernel across numerous advisories. These flaws can be exploited by local or remote attackers for various malicious purposes. The most common impacts include denial-of-service (DoS) attacks, privilege escalation, arbitrary code execution, and bypassing security mechanisms. System administrators are urged to apply the necessary updates provided by their respective Linux distributions to mitigate these widespread risks.
- gov cyber.gc.ca: Red Hat security advisory (AV25-684)
- gov cyber.gc.ca: Ubuntu security advisory (AV25-681)
- gov wid.cert-bund.de: [UPDATE] [high] Linux Kernel: Multiple vulnerabilities (three separate advisories)
- gov wid.cert-bund.de: [UPDATE] [high] Linux Kernel: Vulnerability allows bypassing security mechanisms
- gov wid.cert-bund.de: [NEW] [high] Linux Kernel: Multiple vulnerabilities (two separate advisories)
- A critical remote code execution vulnerability (CVE-2025-59287) in Microsoft’s Windows Server Update Services (WSUS) is being actively exploited. The flaw, which stems from an insecure deserialization of untrusted data, allows unauthenticated attackers to execute code with system-level privileges. Microsoft issued an initial patch on Patch Tuesday, but later released an out-of-band update after the first was found to be insufficient. CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, urging organizations to apply the updated patch immediately or implement mitigations like disabling the WSUS role or blocking ports 8530 and 8531 at the host firewall.
- gov cyber.gc.ca: AL25-015 - Vulnerability impacting Microsoft Windows Server Update Services - CVE-2025-59287
- gov cyber.gc.ca: Microsoft security advisory – October 2025 monthly rollup (AV25-666) – Update 1
- gov cert.at: Attacks against Microsoft WSUS installations - update available
- gov cisa.gov: Microsoft Releases Out-of-Band Security Update to Mitigate Windows Server Update Service Vulnerability, CVE-2025-59287
- gov cisecurity.org: A Vulnerability in Microsoft Windows Server Update Services (WSUS) Could Allow for Remote Code Execution
- news thecyberexpress.com: Microsoft Issues Emergency Patch for Critical WSUS Remote Code Execution Flaw (CVE-2025-59287)
- vendor huntress.com: Exploitation of Windows Server Update Services Remote Code Execution Vulnerability (CVE-2025-59287)
- Phishing and smishing campaigns continue to evolve, with threat actors leveraging sophisticated social engineering and technical tactics. A financially motivated group from Vietnam is using fake job postings on legitimate platforms to deliver malware and phishing kits targeting corporate advertising accounts. Another large-scale smishing campaign, attributed to the ‘Smishing Triad,’ is impersonating toll services and other critical sectors to harvest credentials globally. Attackers are also impersonating password managers like LastPass and Bitwarden with fake breach notifications to steal master passwords, underscoring the need for heightened user awareness and verification of all unsolicited communications.
- vendor blog.barracuda.com: October Webinars: Emerging threats and new ways to fight back; protecting identity data (real-world breach analysis)
- vendor blog.knowbe4.com: Phishing Campaign Impersonates Google Careers Recruiters
- vendor blog.knowbe4.com: Phishing Campaign Impersonates Password Managers
- vendor cloud.google.com: Help Wanted: Vietnamese Actors Using Fake Job Posting Campaigns to Deliver Malware and Steal Credentials
- vendor securelist.com: The evolving landscape of email phishing attacks: how threat actors are reusing and refining established techniques
- vendor unit42.paloaltonetworks.com: The Smishing Deluge: China-Based Campaign Flooding Global Text Messages
- Artificial Intelligence (AI) is increasingly being weaponized by attackers while also presenting new security challenges for defenders. Threat actors are using AI to enhance social engineering, automate reconnaissance, and scale phishing campaigns. Concurrently, security flaws in AI-powered tools, like AI browsers and assistants, are being discovered, such as prompt injection vulnerabilities that can lead to data exfiltration. Reports also highlight the risk of ‘data poisoning,’ where a small number of malicious documents can corrupt an AI model’s training data. This dual-use nature requires security leaders to both leverage AI for defense and develop strategies to secure their own AI systems against misuse and attack.
- news cyberscoop.com: Open letter calls for prohibition on superintelligent AI, highlighting growing mainstream concern
- vendor malwarebytes.com: You can poison AI with just 250 dodgy documents
- vendor malwarebytes.com: Is AI moving faster than its safety net?
- vendor tenable.com: Cybersecurity Snapshot: Top Advice for Detecting and Preventing AI Attacks, and for Securing AI Systems
- Oracle’s October 2025 Critical Patch Update (CPU) addressed 170 CVEs across multiple product families, with 40 patches rated as critical. The update was preceded by two out-of-band security alerts for actively exploited zero-day vulnerabilities in the Oracle E-Business Suite (CVE-2025-61882 and CVE-2025-61884). These vulnerabilities, linked to data theft campaigns by groups like Cl0p, allow for remote code execution and server-side request forgery. CISA has added CVE-2025-61884 to its Known Exploited Vulnerabilities catalog, emphasizing the urgency for organizations to apply the patches.
- gov cyber.gc.ca: Oracle security advisory (AV25-640) – Update 1
- gov cyber.gc.ca: Oracle security advisory – October 2025 quarterly rollup (AV25-688)
- gov cisa.gov: CISA Adds Five Known Exploited Vulnerabilities to Catalog
- gov cisecurity.org: Oracle Quarterly Critical Patches Issued October 21, 2025
- vendor tenable.com: Oracle October 2025 Critical Patch Update Addresses 170 CVEs
Critical Vulnerabilities #
- Microsoft has released an emergency out-of-band patch for a critical remote code execution vulnerability (CVE-2025-59287, CVSS 9.8) in Windows Server Update Services (WSUS). The vulnerability, caused by insecure deserialization of untrusted data, is actively being exploited by threat actors to execute code with system privileges on affected servers. The initial patch from the October Patch Tuesday was incomplete, necessitating this urgent update. Organizations are strongly advised to apply the new patch immediately or implement temporary mitigations, such as disabling the WSUS role or blocking inbound traffic on ports 8530 and 8531 at the host firewall.
- gov cyber.gc.ca: AL25-015 - Vulnerability impacting Microsoft Windows Server Update Services - CVE-2025-59287
- gov cert.at: Attacks against Microsoft WSUS installations - update available
- gov cisecurity.org: A Vulnerability in Microsoft Windows Server Update Services (WSUS) Could Allow for Remote Code Execution
- news thecyberexpress.com: Microsoft Issues Emergency Patch for Critical WSUS Remote Code Execution Flaw (CVE-2025-59287)
- vendor arcticwolf.com: Microsoft Releases Emergency Patch for Exploited Critical Remote Code Execution Vulnerability (CVE-2025-59287)
- vendor huntress.com: Exploitation of Windows Server Update Services Remote Code Execution Vulnerability (CVE-2025-59287)
- A critical vulnerability named ‘SessionReaper’ (CVE-2025-54236) in Adobe Commerce and Magento is being actively exploited. The flaw allows unauthenticated attackers to hijack customer sessions and potentially achieve remote code execution. Despite a patch being available since September, reports indicate that a large percentage of online stores remain vulnerable. The public release of a proof-of-concept exploit has led to a surge in attacks, with threat actors deploying web shells to compromise servers. CISA has added this vulnerability to its KEV catalog, urging immediate patching.
- gov cyber.gc.ca: Adobe security advisory (AV25-583) - Update 1
- gov cisa.gov: CISA Adds Two Known Exploited Vulnerabilities to Catalog
- news thecyberexpress.com: SessionReaper Exploits Erupt as Magento Sites Lag on Patching
- vendor malwarebytes.com: Thousands of online stores at risk as SessionReaper attacks spread
- Oracle issued an out-of-band security advisory for a critical Server-Side Request Forgery (SSRF) vulnerability (CVE-2025-61884) in its E-Business Suite, which is being actively exploited in the wild. This flaw, along with another RCE vulnerability (CVE-2025-61882), has been linked to data theft attacks by the Cl0p ransomware group. CISA has added CVE-2025-61884 to its Known Exploited Vulnerabilities (KEV) Catalog, requiring federal agencies to remediate it promptly. Organizations using Oracle E-Business Suite versions 12.2.3 to 12.2.14 are urged to apply the necessary patches immediately.
- gov cyber.gc.ca: Oracle security advisory (AV25-640) – Update 1
- gov cisa.gov: CISA Adds Five Known Exploited Vulnerabilities to Catalog
- gov cisecurity.org: Oracle Quarterly Critical Patches Issued October 21, 2025
- vendor research.checkpoint.com: 20th October – Threat Intelligence Report
- CISA has released multiple advisories for vulnerabilities affecting Industrial Control Systems (ICS) from various vendors, including Rockwell Automation, Siemens, Delta Electronics, and ASKI Energy. The flaws pose significant risks, such as remote code execution, denial-of-service, and missing authentication for critical functions. One vulnerability in ASKI Energy products (CVE-2025-9574) carries a CVSS score of 10.0 and could allow an attacker to gain full control of the device. Organizations in critical manufacturing and energy sectors are advised to review the advisories and apply mitigations, especially as some affected products are end-of-life and will not receive patches.
- gov cyber.gc.ca: [Control systems] CISA ICS security advisories (AV25-682)
- gov cisa.gov: CISA Releases Eight Industrial Control Systems Advisories
- gov cisa.gov: Rockwell Automation Compact GuardLogix 5370
- gov cisa.gov: AutomationDirect Productivity Suite
- gov cisa.gov: ASKI Energy ALS-Mini-S8 and ALS-Mini-S4
- Multiple high-severity vulnerabilities have been discovered in ISC BIND 9, a widely used DNS server. The most critical flaw, CVE-2025-40778 (CVSS 8.6), allows cache poisoning by making the resolver accept and cache unsolicited resource records. This could permit off-path attackers to inject forged DNS data, redirecting users to malicious sites for phishing or data interception. With over 706,000 vulnerable instances exposed online and a proof-of-concept exploit publicly available, administrators are strongly urged to apply the patches provided by ISC immediately.
- gov cyber.gc.ca: ISC BIND security advisory (AV25-693)
- news cybersecuritynews.com: 706,000+ BIND 9 Resolver Instances Vulnerable to Cache Poisoning Exposed Online – PoC Released
- Vulnerabilities have been identified in various Zyxel firewall and ATP products. The flaws include post-authentication command injection and missing authorization vulnerabilities in ZLD firewalls, which could be exploited by an authenticated attacker. Another advisory details an authentication bypass (CVE-2025-9133) and a remote code execution via command injection (CVE-2025-8078). Successful exploitation could lead to arbitrary code execution, disclosure of sensitive information, or data manipulation. Administrators are advised to review the security advisories and apply the necessary firmware updates.
- community reddit.com: CVE-2025-9133: ZYXEL Configuration Exposure via Authorization Bypass
- community reddit.com: CVE-2025-8078: ZYXEL Remote Code Execution via CLI Command Injection
- gov cyber.gc.ca: Zyxel security advisory (AV25-686)
- gov wid.cert-bund.de: [NEW] [high] Zyxel Firewall: Multiple vulnerabilities
Major Incidents #
- F5 has disclosed a significant security breach involving a sophisticated nation-state actor that maintained persistent, long-term access to its product development environments. The attackers exfiltrated parts of BIG-IP source code, information on undisclosed vulnerabilities, and some customer configuration data. This breach poses a substantial supply-chain risk, as the compromised information could be used to develop exploits targeting thousands of F5 customers worldwide. CISA has issued an emergency directive in response, highlighting the critical need for organizations to assess their exposure and apply recommended mitigations.
- gov jpcert.or.jp: Weekly Report: Vulnerabilities in multiple F5 products
- news cyberscoop.com: F5 vulnerability highlights weak points in DHS’s CDM program
- personal schneier.com: Serious F5 Breach
- vendor research.checkpoint.com: 20th October – Threat Intelligence Report
- A widespread supply chain attack, dubbed Shai-Hulud, has compromised over 500 packages in the NPM ecosystem. The self-propagating malware spreads by stealing credentials from developer environments and CI/CD platforms, then automatically publishes trojanized versions of other packages. The campaign escalated significantly when it compromised packages published by cybersecurity firm CrowdStrike. This incident highlights the systemic risks within open-source package registries and the effectiveness of credential theft in propagating supply chain attacks, prompting both GitHub and CISA to issue security advisories.
- The Medusa ransomware group has claimed responsibility for a data breach at Comcast, alleging the theft of 834 GB of data and demanding a $1.2 million ransom. After the deadline passed without payment, the group leaked 186 GB of compressed data on its dark web site. In a separate incident, the Everest ransomware group claimed to have stolen 1.5 million passenger records from Dublin Airport and personal data from 18,000 Air Arabia employees. These events highlight the continued focus of ransomware gangs on large enterprises and critical infrastructure, using data exfiltration and public leaks as primary extortion tactics.
- news hackread.com: Everest Ransomware Says It Stole 1.5M Dublin Airport Passenger Records
- news hackread.com: Medusa Ransomware Leaks 834 GB of Comcast Data After $1.2M Demand
- A cyberattack on Russia’s agricultural and food safety agency, Rosselkhoznadzor, caused significant disruption to food shipments across the country. The large-scale DDoS attack impacted critical systems used for tracking agricultural products and issuing electronic veterinary certifications. This led to several hours of delivery delays for major food producers, who were unable to legally ship goods without the required digital documents. The incident underscores the vulnerability of critical supply chains to cyber disruptions and the potential for cascading economic impacts, even from non-destructive attacks.
- news therecord.media: Cyberattack on Russia’s food safety agency reportedly disrupts product shipments
- A widespread AWS outage in the US-East-1 region caused significant disruption to a multitude of online services globally. The incident, attributed to a networking misconfiguration, impacted key APIs and led to DNS and database failures for dependent platforms like Netflix and Slack. While not a malicious attack, the outage highlights the systemic risk of reliance on a single cloud region and has prompted security experts to warn of potential phishing attacks that may leverage the event. The disruption underscores the importance of multi-region redundancy and robust failover strategies for maintaining service availability.
- community mastodon.social: https://mastodon.social/@netblocks/115405777355287787
- news cybersecuritynews.com: Cybersecurity Newsletter Weekly – AWS Outage, WSUS Exploitation, Chrome Flaws, and RDP Attacks
- personal grahamcluley.com: Smashing Security podcast #440: How to hack a prison, and the hidden threat of online checkouts
- vendor blog.knowbe4.com: Alert: Watch Out For Phishing Attacks in the Wake of the AWS Outage
Emerging Threats #
- The North Korean threat actor Lazarus Group is actively targeting European defense contractors involved in drone manufacturing. This espionage campaign, known as ‘Operation DreamJob’, uses fake job offers as lures to deliver a custom backdoor called ‘ScoringMathTea’. The objective appears to be the theft of proprietary information and technical know-how related to UAVs, potentially to aid North Korea’s own drone development and support its military allies. The attacks coincide with the deployment of North Korean troops to the war in Ukraine, where they have encountered advanced drone technology on the battlefield.
- news cyberscoop.com: North Korea’s Lazarus group attacked three companies involved in drone development
- news thecyberexpress.com: North Korean Hackers Deploy “Drone” Malware in Targeting of European UAV Manufacturers
- news therecord.media: North Korean hacking group targeting European drone maker with ScoringMathTea malware
- A large-scale malware distribution campaign, dubbed the ‘YouTube Ghost Network’, is abusing compromised and fake YouTube accounts to spread infostealers. The operation has used over 3,000 malicious videos targeting users searching for game cheats and cracked software for popular applications like Adobe Photoshop. These videos contain links to download malware such as Rhadamanthys and Lumma Stealer. The network uses fake likes and comments to build a false sense of trust, and the campaign has significantly increased in volume in 2025.
- news thecyberexpress.com: Compromised YouTube Accounts Used to Distribute Infostealer Malware
- vendor research.checkpoint.com: Dissecting YouTube’s Malware Distribution Network
- A China-based cybercrime group known as the ‘Smishing Triad’ is behind a massive, global smishing campaign flooding users with fraudulent text messages. The campaign impersonates toll services, postal services, banks, and other critical sectors to harvest sensitive personal and financial information. The operation is highly decentralized, using a Phishing-as-a-Service (PhaaS) model and a vast network of over 194,000 malicious domains to evade detection. This industrial-scale operation has reportedly netted over $1 billion from Americans by stealing credit card data and laundering it through mobile wallets and gift card purchases.
- news cyberscoop.com: Researchers track surge in high-level Smishing Triad activity
- vendor unit42.paloaltonetworks.com: The Smishing Deluge: China-Based Campaign Flooding Global Text Messages
- vendor malwarebytes.com: Chinese gangs made over $1 billion targeting Americans with scam texts
- The notorious LockBit ransomware operation has returned with a new variant, LockBit 5.0, after being disrupted by law enforcement earlier this year. The new version targets Windows, Linux, and ESXi environments and features enhanced encryption and evasion capabilities to maximize impact and hinder analysis. The Ransomware-as-a-Service (RaaS) group has already compromised a dozen organizations across Europe, the Americas, and Asia in September 2025. This rapid resurgence demonstrates the high resilience of established cybercriminal enterprises and their ability to quickly rebuild infrastructure and recruit new affiliates.
- community reddit.com: LockBit is attempting a comeback as a new ransomware variant "ChuongDong" targeting Windows, Linux, and ESXi
- news cybersecuritynews.com: LockBit 5.0 Actively Attacking Windows, Linux, and ESXi Environments
- A new malware loader, named ‘Caminho,’ attributed to Brazilian operators, is using Least Significant Bit (LSB) steganography to conceal .NET payloads within image files hosted on legitimate platforms like archive.org. The Loader-as-a-Service (LaaS) operation begins with spear-phishing emails containing malicious script files. This fileless execution technique allows the loader to inject final payloads, such as REMCOS RAT and XWorm, directly into memory, evading disk-based detection. The campaign has targeted victims across South America, Africa, and Eastern Europe, indicating a growing global reach.
- Iranian APT group MuddyWater is conducting a sophisticated phishing campaign targeting over 100 government entities across the Middle East and North Africa. The campaign uses a compromised mailbox to distribute the ‘Phoenix’ backdoor malware. This activity is part of a broader trend of increased cyber-espionage and financially motivated attacks from actors in the Middle East and Africa, who are targeting government, financial, and retail sectors. These groups leverage both custom malware and common tools to achieve their objectives.
- news darkreading.com: Mideast, African Hackers Target Gov'ts, Banks, Small Retailers
- vendor group-ib.com: Unmasking MuddyWater’s New Malware Toolkit Driving International Espionage
- A new self-propagating worm named GlassWorm is targeting the VS Code supply chain, having already compromised over 35,800 extension installations on the OpenVSX Marketplace. The malware hides its malicious code using invisible Unicode characters, allowing it to evade static analysis and visual code reviews. Once active, GlassWorm steals credentials for npm, GitHub, and 49 different cryptocurrency wallets. It then hijacks additional extensions to continue its spread, turning infected developer systems into proxy nodes for further attacks and leveraging the Solana blockchain for a resilient C2 infrastructure.
- news cybersecuritynews.com: GlassWorm Malware Targets VS Code Extensions
- news darkreading.com: Self-Propagating GlassWorm Attacks VS Code Supply Chain
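The passage above says GlassWorm hides its code behind invisible Unicode characters. As an added example (not code from the original page or from any vendor report), the scanner below is the reviewer-side check that surfaces such characters in a file; the character sets and the sample JavaScript are constructed for the example.

```python
"""Flag invisible and direction-altering Unicode characters in source text.

Added example, not code from the original page or from any vendor report on
GlassWorm. The character sets and the sample JavaScript below are constructed.
"""
import unicodedata
from dataclasses import dataclass
from typing import Optional

# Zero-width and joiner characters that never belong in ordinary source code.
INVISIBLE = {
    0x00AD: "SOFT HYPHEN",
    0x034F: "COMBINING GRAPHEME JOINER",
    0x180E: "MONGOLIAN VOWEL SEPARATOR",
    0x200B: "ZERO WIDTH SPACE",
    0x200C: "ZERO WIDTH NON-JOINER",
    0x200D: "ZERO WIDTH JOINER",
    0x2028: "LINE SEPARATOR",
    0x2029: "PARAGRAPH SEPARATOR",
    0x2060: "WORD JOINER",
    0xFEFF: "ZERO WIDTH NO-BREAK SPACE",
}
# Bidirectional embedding/override/isolate controls: the displayed order
# differs from the logical order, so a reviewer reads different code than
# the parser executes.
BIDI = set(range(0x202A, 0x202F)) | set(range(0x2066, 0x206A))
# Unicode tag characters U+E0000..U+E007F render as nothing in most editors
# and can carry a full ASCII payload (U+E0020..U+E007E mirror U+0020..U+007E).
TAGS = set(range(0xE0000, 0xE0080))


@dataclass(frozen=True)
class Finding:
    line: int
    column: int
    codepoint: int
    name: str


def classify(cp: int) -> Optional[str]:
    """Return a label if the code point should be flagged, else None."""
    if cp in INVISIBLE:
        return INVISIBLE[cp]
    if cp in BIDI:
        return "BIDI CONTROL: " + unicodedata.name(chr(cp), "UNKNOWN")
    if cp in TAGS:
        return "UNICODE TAG CHARACTER"
    # Catch-all for any other format (Cf) character not listed above.
    if unicodedata.category(chr(cp)) == "Cf":
        return unicodedata.name(chr(cp), "FORMAT CHARACTER")
    return None


def scan_text(text: str) -> list:
    """Walk the text line by line. Split on a plain newline only, because
    str.splitlines() would silently swallow U+2028 and U+2029."""
    findings = []
    for lineno, line in enumerate(text.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            # A byte-order mark as the very first character is a common,
            # benign editor artifact; everything else is reported.
            if lineno == 1 and col == 1 and ch == "\ufeff":
                continue
            label = classify(ord(ch))
            if label:
                findings.append(Finding(lineno, col, ord(ch), label))
    return findings


def decode_tag_payload(text: str) -> str:
    """Recover the ASCII spelled by a run of tag characters, so the reviewer
    can see what an apparently empty run actually contains."""
    return "".join(chr(ord(ch) - 0xE0000)
                   for ch in text if 0xE0020 <= ord(ch) <= 0xE007E)


# Constructed sample: an ordinary-looking snippet with the word "eval" hidden
# inside a string as tag characters, and a zero width space in an identifier.
HIDDEN = "".join(chr(0xE0000 + ord(c)) for c in "eval")
SAMPLE_JS = (
    'const name = "user";\n'
    f'const check = "ok{HIDDEN}";\n'
    'let total\u200b = 0;\n'
)


def main() -> None:
    for f in scan_text(SAMPLE_JS):
        print(f"line {f.line} col {f.column}: U+{f.codepoint:04X} {f.name}")
    print("hidden payload:", decode_tag_payload(SAMPLE_JS))


if __name__ == "__main__":
    main()
```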
Regulatory and Policy Updates #
- The U.S. government’s cybersecurity posture and leadership are facing significant challenges. A report from CSC 2.0, the successor to the Cyberspace Solarium Commission, states that the nation’s ability to protect itself is ‘slipping’ due to budget and workforce cuts at CISA, a lack of stable leadership, and the expiration of key legislation. The new National Cyber Director, Sean Cairncross, has emphasized the need to counter Chinese surveillance and cyberattacks, but his office reportedly lacks the authority to enforce decisions across government agencies. These issues create uncertainty and potential weaknesses in the nation’s cyber defense strategy.
- news cyberscoop.com: US ‘slipping’ on cybersecurity, annual Cyberspace Solarium Commission report concludes
- news cyberscoop.com: National cyber director says U.S. needs to counter Chinese surveillance, push American tech
- news darkreading.com: How CISA Layoffs Weaken Civilian Cyber Defense
- vendor health-isac.org: CISA’s international, industry and academic partnerships slashed
- The Cybersecurity Information Sharing Act of 2015 (CISA 2015) has expired, raising concerns about the legal protections for sharing threat intelligence between the private sector and the government. Despite bipartisan support for its renewal, legislative efforts have been stalled. The new National Cyber Director has called on Congress to renew the act for 10 years. The ongoing U.S. government shutdown has further complicated the situation, with reports of CISA staff being furloughed and facing layoffs, potentially weakening the nation’s cyber defense coordination.
- news cyberscoop.com: National cyber director says U.S. needs to counter Chinese surveillance, push American tech
- news darkreading.com: Shutdown Sparks 85% Increase in US Government Cyberattacks
- vendor health-isac.org: Health-ISAC Hacking Healthcare 10-24-2025
- The UN is set to sign a landmark global cybercrime convention in Hanoi, aimed at creating a framework for international law enforcement cooperation. However, the treaty faces strong opposition from human rights groups and tech companies, who argue it grants broad electronic surveillance powers without adequate data protection safeguards. Critics fear it could be used by authoritarian governments to justify digital repression and undermine cybersecurity. The U.S. will attend the signing but has not confirmed if it will be an initial signatory, stating it is still reviewing the treaty.
- news therecord.media: US to attend UN cybercrime treaty signing in Hanoi despite industry concerns
- The U.S. Director of National Intelligence (DNI) has issued the first exclusion and removal order under the Federal Acquisition Supply Chain Security Act (FASCSA). The order prohibits the Intelligence Community from procuring or using products and services from Acronis AG, a Swiss cybersecurity company. This action marks a significant step in the U.S. government’s efforts to secure its supply chain from perceived foreign threats. It highlights the increasing scrutiny on software vendors and the potential for regulatory action to impact company operations and government contracts.
- personal ctoatncsc.substack.com: CTO at NCSC Summary: week ending October 26th
- The New York Department of Financial Services (NYDFS) has updated its guidance on managing third-party risks for financial institutions. The updated guidance clarifies existing rules and introduces provisions related to Artificial Intelligence (AI). It calls for increased oversight of how third-party vendors use AI, including how their models are trained and secured. This move reflects a growing regulatory focus on the security implications of AI and signals that financial institutions will be expected to extend their risk management frameworks to cover AI-related supply chain risks.
- news cyberscoop.com: New York updates third-party risk guidance, adds AI provisions
- Japan’s ‘Freelance Protection Act,’ which came into effect in late 2024, is now being enforced, with several major companies receiving official warnings in 2025. The law mandates clear, written contracts specifying work content, remuneration, and payment deadlines to protect freelancers from unfair practices like unilateral pay cuts and delayed payments. Cases involving major publishers and a large musical instrument retailer highlight that traditional, informal business practices are now considered legal violations. This signals a significant shift in legal and compliance requirements for any company engaging with freelancers in Japan.
- news cio.com: A review of violation cases under the new Freelance Protection Act
Security Operations #
- Security teams are encouraged to shift from reactive to proactive defense, especially as threat actors increasingly target neglected network perimeter devices like old routers, VPNs, and firewalls. This requires rigorous asset and lifecycle management to ensure no end-of-life hardware remains on the network. Proactive measures include maintaining a complete asset inventory, promptly patching supported devices, and assuming compromise if a vulnerability is found on a critical device, necessitating the rotation of all associated credentials. Centralized logging and monitoring for anomalous outbound traffic from network appliances are also essential for early detection.
- news cyberscoop.com: Shifting from reactive to proactive: Cyber resilience amid nation-state espionage
- vendor paloaltonetworks.com: Why Threat Actors Succeed
- Software Bill of Materials (SBOM) is becoming a mandatory requirement for ensuring software supply chain security, driven by government regulations and increasing cyberattacks like the Log4j incident. An SBOM provides a comprehensive inventory of all components, libraries, and dependencies within a piece of software, enabling rapid vulnerability identification and license compliance management. For security operations, integrating SBOM generation into the CI/CD pipeline allows for automated and continuous visibility into software assets. This facilitates quick correlation of new CVEs with the software portfolio and allows for more precise risk assessment when combined with VEX (Vulnerability Exploitability eXchange) data.
- news cio.com: SBOM explained clearly for beginners: the basics it is too late to ask about
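The passage above describes correlating new CVEs with the software portfolio via SBOMs and refining the result with VEX data. The block below is an added example, not code from the cited article: SBOMs are reduced to a CycloneDX-like shape (components identified by package URL), the CVE feed and VEX statements are constructed with placeholder identifiers, and VEX status values follow the OpenVEX vocabulary.

```python
"""Correlate a CVE feed with a portfolio of SBOMs and apply VEX verdicts.

Added example, not code from the cited article. All identifiers, package names
and versions below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Component:
    purl: str   # package URL, e.g. "pkg:maven/com.example/json-parser@1.4.0"


@dataclass(frozen=True)
class Sbom:
    application: str
    components: tuple   # of Component


@dataclass(frozen=True)
class Vulnerability:
    cve: str
    purl_prefix: str            # purl without the version part
    affected_versions: frozenset


@dataclass(frozen=True)
class VexStatement:
    cve: str
    application: str
    purl: str
    status: str                 # not_affected | affected | fixed | under_investigation
    justification: str = ""


@dataclass(frozen=True)
class Match:
    application: str
    purl: str
    cve: str
    status: str                 # actionable | suppressed | investigate
    note: str


def split_purl(purl: str) -> tuple:
    """Split "pkg:type/ns/name@version?qualifiers#subpath" into (prefix, version).
    Qualifiers and subpath are dropped; only an "@" in the final path segment is
    a version separator, so scoped names like pkg:npm/@scope/name@1.0.0 work."""
    base = purl.split("?", 1)[0].split("#", 1)[0]
    if "@" in base.split("/")[-1]:
        prefix, version = base.rsplit("@", 1)
        return prefix, version
    return base, None


def correlate(sboms: list, feed: list, vex: list) -> list:
    """Return one Match per (application, component, CVE) that the feed hits."""
    vex_index = {(v.cve, v.application, v.purl): v for v in vex}
    by_prefix: dict = {}
    for vuln in feed:
        by_prefix.setdefault(vuln.purl_prefix, []).append(vuln)

    matches = []
    for sbom in sboms:
        for comp in sbom.components:
            prefix, version = split_purl(comp.purl)
            for vuln in by_prefix.get(prefix, []):
                if version is None:
                    # Unversioned component: cannot prove it is out of range.
                    matches.append(Match(sbom.application, comp.purl, vuln.cve,
                                         "investigate", "component has no version"))
                    continue
                if version not in vuln.affected_versions:
                    continue
                stmt = vex_index.get((vuln.cve, sbom.application, comp.purl))
                if stmt is None:
                    status, note = "actionable", "no VEX statement; treat as exploitable"
                elif stmt.status in ("not_affected", "fixed"):
                    status, note = "suppressed", stmt.justification or stmt.status
                elif stmt.status == "under_investigation":
                    status, note = "investigate", "VEX: under investigation"
                else:
                    status, note = "actionable", "VEX confirms affected"
                matches.append(Match(sbom.application, comp.purl, vuln.cve, status, note))
    return matches


def needs_action(matches: list) -> list:
    return [m for m in matches if m.status != "suppressed"]


# Constructed portfolio, feed and VEX statements (placeholder CVE ids).
SBOMS = [
    Sbom("billing-api", (Component("pkg:maven/com.example/json-parser@1.4.0"),
                         Component("pkg:maven/com.example/tls-shim@3.0.2"))),
    Sbom("reporting-ui", (Component("pkg:maven/com.example/json-parser@1.4.0"),
                          Component("pkg:npm/lodash@4.17.20"),
                          Component("pkg:generic/vendored-blob"))),
]
FEED = [
    Vulnerability("CVE-0000-0001", "pkg:maven/com.example/json-parser", frozenset({"1.3.0", "1.4.0"})),
    Vulnerability("CVE-0000-0002", "pkg:npm/lodash", frozenset({"4.17.20"})),
    Vulnerability("CVE-0000-0003", "pkg:generic/vendored-blob", frozenset({"0.9"})),
]
VEX = [
    VexStatement("CVE-0000-0001", "billing-api", "pkg:maven/com.example/json-parser@1.4.0",
                 "not_affected", "vulnerable_code_not_in_execute_path"),
    VexStatement("CVE-0000-0002", "reporting-ui", "pkg:npm/lodash@4.17.20", "under_investigation"),
]

if __name__ == "__main__":
    for m in needs_action(correlate(SBOMS, FEED, VEX)):
        print(f"{m.status:11} {m.application} {m.purl} {m.cve}: {m.note}")
```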
- To mature a Security Operations Center (SOC) for the AI era, organizations must establish strong data foundations and mature process frameworks. This requires ensuring all security telemetry and context data are accessible via APIs for automated querying at scale and that data quality is maintained to prevent ‘Garbage In, Garbage Out’ scenarios with AI tools. Furthermore, SOC workflows must be well-documented and not reliant on ad-hoc human communication, as AI agents require structured processes to function effectively. An ‘AI-ready’ SOC also cultivates a culture of human-AI collaboration, focusing on augmentation rather than replacement of analysts.
- personal medium.com: Simple to Ask: Is Your SOC AI Ready? Not Simple to Answer!
- Tabletop exercises are a critical component of a mature incident response (IR) strategy, helping to transform theoretical IR plans into practical, tested procedures. These discussion-based simulations allow stakeholders from security, legal, leadership, and other departments to walk through hypothetical scenarios like ransomware or BEC attacks. Unlike technical drills, tabletop exercises focus on validating decision-making, communication flows, and cross-departmental coordination under pressure. Conducting exercises tailored to organization-specific risks helps identify gaps in the IR plan and strengthens overall resilience before a real incident occurs.
- vendor arcticwolf.com: The Role of Tabletop Exercises in IR Planning
- Security operations teams should be aware of ‘subdomain takeover’ risks, where attackers exploit abandoned DNS records pointing to decommissioned cloud services. By reclaiming these orphaned endpoints on services like AWS S3 or Azure Web Apps, attackers can host malicious content on a legitimate, trusted subdomain. This technique is used for phishing, malware distribution, and brand impersonation, as demonstrated by recent incidents affecting Japanese government domains. Proactive defense requires rigorous lifecycle management of all DNS records, especially CNAMEs, and utilizing cloud provider-specific prevention features to verify domain ownership.
- news cio.com: What is 'subdomain takeover', the new breeding ground for cyberattacks? Operational pitfalls and countermeasures from cases in Japan and abroad
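The lifecycle check the passage above calls for, as an added example that is not code from the cited article: it takes a zone's CNAME records and a resolver callback, flags records whose target no longer exists, and rates highest those pointing at services (AWS S3, Azure Web Apps) where an unclaimed name can be registered by a third party. The provider suffix list, the sample zone and the fake resolver are constructed for the example.

```python
"""Audit CNAME records for dangling targets (subdomain takeover exposure).

Added example, not code from the cited article. The provider list, sample zone
and canned DNS answers below are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Optional

# Provider suffixes where an unclaimed hostname may be registrable by a third
# party. Illustrative, constructed list; extend it for the providers you use.
CLAIMABLE_SUFFIXES = {
    ".s3.amazonaws.com": "AWS S3 bucket",
    ".s3-website-us-east-1.amazonaws.com": "AWS S3 website endpoint",
    ".azurewebsites.net": "Azure Web App",
    ".github.io": "GitHub Pages site",
}


@dataclass(frozen=True)
class CnameRecord:
    name: str     # owner name, e.g. "promo.example.com"
    target: str   # CNAME target, e.g. "old-campaign.azurewebsites.net"


@dataclass(frozen=True)
class Finding:
    record: CnameRecord
    severity: str   # "high", "medium" or "review"
    reason: str


# A resolver returns the addresses for a hostname, or None when the name does
# not exist (NXDOMAIN). In production this wraps a real DNS lookup.
Resolver = Callable[[str], Optional[list]]


def claimable_service(target: str) -> Optional[str]:
    t = target.rstrip(".").lower()
    for suffix, service in CLAIMABLE_SUFFIXES.items():
        if t.endswith(suffix):
            return service
    return None


def audit(records: list, resolve: Resolver) -> list:
    findings = []
    for rec in records:
        service = claimable_service(rec.target)
        addrs = resolve(rec.target)
        if addrs is None and service:
            findings.append(Finding(rec, "high",
                f"target does not resolve and is a claimable {service} name"))
        elif addrs is None:
            findings.append(Finding(rec, "medium",
                "target does not resolve (dangling CNAME)"))
        elif service:
            # Some providers answer DNS even for unclaimed names (S3 website
            # endpoints return an HTTP error rather than NXDOMAIN), so a DNS
            # answer alone does not prove the resource is still yours.
            findings.append(Finding(rec, "review",
                f"points at a {service}; confirm the resource is still owned "
                "and that deprovisioning it also removes this record"))
    return findings


# Constructed sample zone and canned answers standing in for real lookups.
SAMPLE_ZONE = [
    CnameRecord("www.example.com", "prod-lb.example.net"),
    CnameRecord("promo.example.com", "old-campaign.azurewebsites.net"),
    CnameRecord("assets.example.com", "assets-example.s3.amazonaws.com"),
    CnameRecord("blog.example.com", "retired-host.example.net"),
]
FAKE_DNS = {
    "prod-lb.example.net": ["198.51.100.10"],
    "assets-example.s3.amazonaws.com": ["203.0.113.5"],
    # old-campaign.azurewebsites.net and retired-host.example.net: NXDOMAIN
}


def fake_resolve(host: str) -> Optional[list]:
    return FAKE_DNS.get(host.rstrip(".").lower())


def main() -> None:
    for f in audit(SAMPLE_ZONE, fake_resolve):
        print(f"[{f.severity}] {f.record.name} -> {f.record.target}: {f.reason}")


if __name__ == "__main__":
    main()
```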
- Threat intelligence platform VirusTotal has integrated its analysis results directly into the Hugging Face platform, a popular hub for AI models and datasets. This collaboration provides security context to AI developers and researchers, helping them identify potential risks in model files, dependencies, and other artifacts before use. The integration displays VirusTotal’s findings on the Hugging Face interface and supports specialized tools like picklescan and ModelScan to detect unsafe deserialization and other AI-specific threats. This initiative aims to improve security and build trust within the open-source AI ecosystem.
- vendor blog.virustotal.com: Hugging Face and VirusTotal: Building Trust in AI Models
Wins #
- The Pwn2Own Ireland 2025 competition concluded with researchers successfully demonstrating 73 unique zero-day exploits against a range of devices, including printers, NAS appliances, smart home hubs, and mobile phones. A total of $1,024,750 was awarded for the newly discovered vulnerabilities over the three-day event. The ‘Summoning Team’ was crowned Master of Pwn for their consistent success across multiple categories. This event highlights the valuable contribution of the security research community in proactively identifying flaws in widely used consumer and SOHO products, and helping to get them fixed, before they can be exploited by malicious actors.
- news hackread.com: Pwn2Own Ireland 2025: The Hacks, The Winners, and The Big Payouts
- vendor thezdi.com: Pwn2Own Ireland 2025: Day One Results
- vendor thezdi.com: Pwn2Own Ireland 2025 - Day Two Results
- vendor thezdi.com: Pwn2Own Ireland 2025: Day Three and Master of Pwn
- Canadian financial regulators have imposed a significant fine of $176 million against the cryptocurrency payments platform Cryptomus for violations of anti-money laundering laws. The platform was found to have facilitated transactions for numerous Russian crypto exchanges and cybercrime services without submitting required suspicious transaction reports. This enforcement action follows research that identified Cryptomus as a key financial intermediary for services advertised on cybercrime forums, including bulletproof hosting and anonymous SMS services. The fine represents a major step by regulators to disrupt the financial infrastructure supporting illicit online activities.
- personal krebsonsecurity.com: Canada Fines Cybercrime Friendly Cryptomus $176M
- personal newsletter.blockthreat.io: BlockThreat - Week 42, 2025
- An international law enforcement operation successfully dismantled a massive SIM box criminal network. The network provided fake phone numbers from over 80 countries, which criminals used for fraud and to bypass phone-number-based verification such as SMS one-time codes. In Latvia, authorities seized over 40,000 SIM cards that had been used to create approximately 49 million fake accounts. The takedown disrupts a key piece of infrastructure that cybercriminals rely on for bulk account creation, anonymity, and large-scale automated scams.
- community reddit.com: How do SIM farms work and why are they illegal?
- news darkreading.com: International Sting Takes Down SIM Box Criminal Network
- WhatsApp has secured a permanent injunction against NSO Group following a six-year legal battle. The Israeli spyware firm is now prohibited from reverse-engineering WhatsApp or creating new accounts on the platform. The lawsuit stemmed from allegations that NSO Group exploited a zero-day vulnerability in WhatsApp to deploy its Pegasus spyware against journalists, activists, and government officials. As part of the ruling, NSO Group is also required to pay $4 million in damages, marking a significant victory for user privacy and a legal precedent against spyware vendors.
- news darkreading.com: WhatsApp Secures Ban on NSO Group After 6-Year Legal Battle
- The popular infostealer operation Lumma Stealer has reportedly collapsed due to sabotage from other cybercriminals. This internal strife within the cybercrime ecosystem led to the disruption of the malware-as-a-service (MaaS) platform, which was widely used for stealing passwords and other sensitive data. The takedown was not the result of law enforcement action, but rather a case of criminals turning on each other. This event may cause a shift in the infostealer market, with affiliates potentially migrating to other services like Vidar Stealer.
- personal grahamcluley.com: Cybercriminals turn on each other: the story of Lumma Stealer’s collapse
- vendor research.checkpoint.com: Dissecting YouTube’s Malware Distribution Network
- Indian cryptocurrency exchange WazirX is set to resume operations after a 15-month suspension following a major cyberattack in July 2024, where it lost assets valued at $234 million. The relaunch was made possible after Singapore’s High Court approved a restructuring plan supported by 95.7% of the platform’s creditors. The plan aims to restore nearly 85% of users’ balances. This successful negotiation and court-sanctioned recovery process marks a positive development in the crypto industry’s ability to navigate and recover from significant security breaches.
- news thecyberexpress.com: WazirX to Resume Exchange Operations After 15-Month Hiatus Following Cyberattack
Disclaimer #
The summaries in this brief are generated autonomously by an LLM based on provided system and user prompts. While every effort is made to consolidate accurate and relevant insights, the model may occasionally misinterpret, misrepresent, or hallucinate information. Readers are strongly advised to verify all key points by consulting the original sources linked in the brief for complete context and accuracy.
The brief is created in collaboration with BlackStork and is based on a free template.
Reach out if you have questions or suggestions.