Threat Intel

CL0P-Linked Hackers Breach Dozens of Organizations Through Oracle Software Flaw

Cl0p-linked hackers exploited a zero-day flaw in Oracle’s E-Business Suite (EBS) software since August 9, 2025, impacting dozens of organizations. The attackers leveraged multiple vulnerabilities, including a zero-day flaw (CVE-2025-61882), to breach networks and exfiltrate sensitive data. The campaign, which began in earnest on September 29, 2025, involved a high-volume email campaign demanding ransom for the stolen information.

SaaS Breaches Start with Tokens - What Security Teams Must Watch

Token theft is a leading cause of SaaS breaches, with OAuth and API tokens often being overlooked. Security teams must strengthen token hygiene to prevent attacks, as recent breaches involving Slack, CircleCI, Cloudflare/Okta, and Salesloft/Drift demonstrate the severe impact of stolen tokens.

Polymorphic Python Malware isc.sans.edu/diary/rss…

Today, I spoted on VirusTotal an interesting Python RAT. They are tons of them but this one attracted my attention based on some function names present in the code: self_modifying_wrapper(), decrypt_and_execute() and polymorph_code(). A polymorphic malware is a type of malware that has been developed to repeatedly mutate its appearance or signature files at every execution time. The file got a very low score of 2/64 on VT! (SHA256:7173e20e7ec217f6a1591f1fc9be6d0a4496d78615cc5ccdf7b9a3a37e3ecc3c).

To be able to modify its code on the fly, the program must have access to its own source code. Many languages have this capability. I covered the same technque in JavaScript a long time ago[1]. With Python, there is a very interesting module that can add the same capability: inspect[2].

How we trained an ML model to detect DLL hijacking securelist.com/building-…

DLL hijacking is a common technique in which attackers replace a library called by a legitimate process with a malicious one. It is used by both creators of mass-impact malware, like stealers and banking Trojans, and by APT and cybercrime groups behind targeted attacks. In recent years, the number of DLL hijacking attacks has grown significantly.

We have observed this technique and its variations, like DLL sideloading, in targeted attacks on organizations in Russia, Africa, South Korea, and other countries and regions. Lumma, one of 2025’s most active stealers, uses this method for distribution. Threat actors trying to profit from popular applications, such as DeepSeek, also resort to DLL hijacking.

Detecting a DLL substitution attack is not easy because the library executes within the trusted address space of a legitimate process. So, to a security solution, this activity may look like a trusted process. Directing excessive attention to trusted processes can compromise overall system performance, so you have to strike a delicate balance between a sufficient level of security and sufficient convenience.

How Your AI Chatbot Can Become a Backdoor www.trendmicro.com/en_us/res…

Generative AI (GenAI), particularly large language model (LLM) chatbots, transformed how businesses interact with customers. These AI systems offer unprecedented efficiency and personalization. However, this power comes with a significant risk: they represent a sophisticated new attack surface that adversaries are actively exploiting. A compromised AI application can quickly escalate from a simple tool to a critical backdoor into your most sensitive data and infrastructure.

The key to safely harnessing the potential of AI is understanding that no single protection layer in the AI stack is a silver bullet. Protection requires a robust, multi-layered defense strategy that secures the entire AI ecosystem, from the user interaction down to the core data. As Trend Micro CEO and Co-Founder Eva Chen states, “Great advancements in technology always come with new cyber risk. Like cloud and every other leap in technology we have secured, the promise of the AI era is only powerful if it’s protected.”

Responding to Cloud Incidents A Step-by-Step Guide from the 2025 Unit 42 Global Incident Response Report https://unit42.paloaltonetworks.com/responding-to-cloud-incidents/

According to the Unit 42 2025 Global Incident Response Report, 29% of incident investigations conducted in 2024 involved cloud or SaaS environments. One in five incidents involved threat actors adversely impacting cloud environments and assets. With entire business models relying on cloud-native architecture, it is vital to protect cloud surfaces.

Traditional incident investigations focus heavily on endpoints and network activity, so cloud investigations require a mindset shift. When cloud environments are breached, investigations primarily focus on investigating identities, misconfigurations and service interactions.

Unit 42 Cloud Incident Response begins each investigation by asking several questions:

What is the overall impact?
What logs do we have or lack?
Are identity/service misuse, automated actions or API exploitation

contributing factors?

We’ll now go through the process, step by step.

Global Cyber Threats September 2025: Attack Volumes Ease Slightly, but GenAI Risks Intensify as Ransomware Surges 46% blog.checkpoint.com/security/…

In September 2025, the global cyber threat landscape reflected a temporary stabilization in overall attack volumes — yet beneath the surface, ransomware activity and data risks linked to generative AI (GenAI) surged to new highs. Organizations worldwide faced an average of 1,900 cyber-attacks per organization per week, representing a 4% decrease compared to August, but still a 1% increase year-over-year.

While total attack volumes may appear steady, the evolution of attack techniques, industries under fire, and the rapid expansion of GenAI-related risks underline a shifting and increasingly complex threat environment.

Discord says 70,000 users had government IDs exposed in third-party breach therecord.media/discord-g…

About 70,000 users of the social media platform Discord had their government IDs stolen, the company said Wednesday evening. Discord disclosed the breach last week, saying that hackers stole information about users who had communicated with their customer support or trust and safety teams.

In a statement to Recorded Future News, a Discord spokesperson sought to address recent claims made by the hackers behind the breach. “The numbers being shared are incorrect and part of an attempt to extort a payment from Discord,” they said. “Of the accounts impacted globally, we have identified approximately 70,000 users that may have had government-ID photos exposed, which our vendor used to review age-related appeals.”.

The comments from Discord follow reports from the prominent cybersecurity social media account vx-underground that the hackers behind the incident claimed to have stolen 1.5 terabytes of age verification-related photos, including more than 2 million images. The hackers have since disputed Discord’s claims that about 70,000 users were affected.

Hacktivists target critical infrastructure, hit decoy plant www.bleepingcomputer.com/news/secu…

A pro-Russian hacktivist group called TwoNet pivoted in less than a year from launching distributed denial-of-service (DDoS) attacks to targeting critical infrastructure. Recently, the threat actor claimed an attack on a water treatment facility that turned out to be a realistic honeypot system set up by threat researchers specifically to observe adversaries’ movements. The compromise at the decoy facility occurred in September and revealed that the threat actor moved from initial access to disruptive action in about 26 hours.

Kubernetes kicks down Azure Front Door www.theregister.com/2025/10/0…

If you struggled to access the Azure Portal or Microsoft Entra this [Thu] morning, you weren’t alone – Microsoft has blamed a Kubernetes crash for the outage. The Windows giant noted problems from 0740 UTC, with multiple regions around the world reporting issues with its services.

“We understand that this is due to a dependency on some underlying Kubernetes instances that crashed. We have ruled out any deployments that could have triggered this event.” That said, losing almost a third of one’s capacity due to crashing Kubernetes instances is less than ideal. A properly-architected solution should be able to recover from whatever woes befall the orchestrator, but apparently not Azure.

SonicWall breach hits every cloud backup customer after 5% claim goes up in smoke www.theregister.com/2025/10/0…

SonicWall has admitted that all customers who used its cloud backup service to store firewall configuration files were affected by a cybersecurity incident first disclosed in mid-September, walking back earlier assurances that only a small fraction of users were impacted.

In an updated statement published on Wednesday, the California-based network security vendor said its investigation had determined that “all customers” who utilized the MySonicWall cloud backup feature were affected, confirming that attackers had accessed configuration backup files stored on its systems. These backups typically include firewall settings, policies, and network configurations, making them a valuable target for anyone seeking to map internal infrastructure or pivot into connected environments.

According to Arctic Wolf, which has been tracking the incident, the backups contain data that could aid follow-on attacks.

RondoDox botnet targets 56 n-day flaws in worldwide attacks www.bleepingcomputer.com/news/secu…

A new large-scale botnet called RondoDox is targeting 56 vulnerabilities in more than 30 distinct devices, including flaws first disclosed during Pwn2Own hacking competitions.

The attacker focuses on a wide range of exposed devices, including DVRs, NVRs, CCTV systems, and web servers and have been active since June. The RondoDox botnet leverages what Trend Micro researchers call an “exploit shotgun” strategy, where numerous exploits are used simultaneously to maximize the infections, even if the activity is very noisy.

Since FortiGuard Labs discovered RondoDox, the botnet appears to have expanded the list of exploited vulnerabilities, which included CVE-2024-3721 and CVE-2024-12856. The security researchers note that the botnet developer pay close attention to exploits demonstrated during Pwn2Own events, and move quickly to weaponize them, as Mirai did with CVE-2023-1389 in 2023.

The Evolution of Chaos Ransomware: Faster, Smarter, and More Dangerous www.fortinet.com/blog/thre…

In 2025, Chaos ransomware resurfaced with a C++ variant. We believe this marks the first time it was not written in .NET. Beyond encryption and ransom demands, it adds destructive extortion tactics and clipboard hijacking for cryptocurrency theft. This evolution underscores Chaos’s shift toward more aggressive methods, amplifying both its operational impact and the financial risk it poses to victims.

This blog provides a comprehensive technical analysis of Chaos-C++, covering its execution flow, encryption process, and clipboard hijacking mechanism. In addition, we will compare different behaviors between Chaos’s earlier variants.

The ClickFix Factory: First Exposure of IUAM ClickFix Generator unit42.paloaltonetworks.com/clickfix-…

Attackers are packaging a highly effective social engineering technique known as ClickFix into easy-to-use phishing kits, making it accessible to a wider range of threat actors. This technique tricks victims into bypassing security measures by manually executing malware, typically information stealers and remote access Trojans (RATs). The commoditization of this technique follows the trend of phishing-as-a-service, lowering the skill and effort required to conduct successful attacks.

We have uncovered a phishing kit named the IUAM ClickFix Generator that automates the creation of these attacks. The kit is designed to generate highly customizable phishing pages that lure victims by mimicking browser verification challenges often used to block automated traffic. It includes advanced features such as operating system detection and clipboard injection, enabling low-effort, cross-platform malware deployment.

We have seen at least one campaign where attackers used pages generated by the IUAM ClickFix Generator to deploy the DeerStealer malware. Furthermore, our observation of several other pages with slight technical and visual differences points to a larger trend. This suggests adversaries are building a growing commercial ecosystem to monetize this technique through competing ClickFix-themed phishing kits.

New FileFix attack uses cache smuggling to evade security software www.bleepingcomputer.com/news/secu…

A new variant of the FileFix social engineering attack uses cache smuggling to secretly download a malicious ZIP archive onto a victim’s system and bypassing security software. The new phishing and social engineering attack impersonates a “Fortinet VPN Compliance Checker” and was first spotted by cybersecurity researcher P4nd3m1cb0y, who shared information about it on X.

For those not familiar with FileFix attacks, they are a variant of the ClickFix social engineering attack developed by Mr.d0x. Instead of tricking users into pasting malicious commands into operating system dialogs, it uses the Windows File Explorer address bar to execute PowerShell scripts stealthily.

In the new phishing attack, a website displays a dialog that poses as a Fortinet VPN “Compliance Checker, directing users to paste what looks like a legitimate network path to a Fortinet program on a network share. While the lure displays the path " \Public\Support\VPN\ForticlientCompliance.exe,” when copied to the clipboard, it is actually much longer, as it is padded with 139 spaces to hide a malicious PowerShell command.

When the visitor accessed the phishing page containing the FileFix lure, the website executed JavaScript that instructed the browser to retrieve an image [jpg] file. This content is actually a zip file […], which is extracted to ComplianceChecker.zip and unzipped. As the HTTP response states that the fetched image is of type “image/jpeg”, the browser automatically caches it on the file system, treating it as a legitimate image file, even though it is not. As this was done before the PowerShell command was executed through File Explorer, the file already existed in the cache, and the zip file could be extracted from it. The script then launches the FortiClientComplianceChecker.exe executable from the extracted archive to execute malicious code.

“This technique, known as cache smuggling, enables the malware to bypass many different types of security products,” explains [cybersecurity researcher Marcus] Hutchins.

In addition to the new cache-smuggling FileFix variant, researchers at Palo Alto Unit 42 discovered a new ClickFix kit called the “IUAM ClickFix Generator,” which automates the creation of ClickFix-style lures.

LockBit, Qilin & DragonForce Join Forces in Ransomware ‘Cartel’ www.darkreading.com/cyberatta…

Security vendor ReliaQuest today published its “Ransomware and Cyber Extortion in Q3 2025” threat intelligence report.

Three of the bigger names in ransomware and data extortion [LockBit, Qilin, DragonForce] recently announced that they’re making a cartel-style play, though it’s unclear what kind of impact that will have.

For all three groups, ReliaQuest posited the collaboration could facilitate technique, resource, and infrastructure sharing in order to strengthen each operation’s individual capabilities. “Similar partnerships have proven transformative in the past — such as in 2020, when LockBit joined forces with the Maze ransomware group. That collaboration introduced double extortion tactics, combining system encryption with data theft to heighten pressure on victims, and used Maze’s data-leak site to amplify impact,” researchers said.

For defenders and organizations, the primary concern is whether a new coalition by three of the larger ransomware operations will result in attacker innovations in the vein of double-extortion attacks.

Microsoft 365 outage blocks access to Teams, Exchange Online www.bleepingcomputer.com/news/micr…

Microsoft is working to resolve an ongoing outage preventing users from accessing Microsoft 365 services, including Microsoft Teams, Exchange Online, and the admin center.

While Redmond has yet to disclose which regions are currently affected, it currently tracks it on the Service Health Dashboard as an incident, which is commonly used to describe a critical service issue, typically involving noticeable user impact.

Employees regularly paste company secrets into ChatGPT www.theregister.com/2025/10/0…

Employees could be opening up to OpenAI in ways that put sensitive data at risk. According to a study by security biz LayerX, a large number of corporate users paste Personally Identifiable Information (PII) or Payment Card Industry (PCI) numbers right into ChatGPT, even if they’re using the bot without permission.

In its Enterprise AI and SaaS Data Security Report 2025, LayerX blames the growing, largely uncontrolled usage of generative AI tools for exfiltrating personal and payment data from enterprise environments.

With 45 percent of enterprise employees now using generative AI tools, 77 percent of these AI users have been copying and pasting data into their chatbot queries, the LayerX study says. A bit more than a fifth (22 percent) of these copy and paste operations include PII/PCI.

Crimson Collective hackers target AWS cloud instances for data theft www.bleepingcomputer.com/news/secu…

The ‘Crimson Collective’ threat group has been targeting AWS (Amazon Web Services) cloud environments for the past weeks, to steal data and extort companies. The hackers claimed responsibility for the recent Red Hat attack, saying that they exfiltrated 570 GB of data from thousands of private GitLab repositories, and pressured the software company to pay a ransom.

An analysis from researchers at Rapid7 provides more information about Crimson Collective’s activity, which involves compromising long-term AWS access keys and identity and access management (IAM) accounts for privilege escalation.

The attackers use the open-source tool TruffleHog to discover exposed AWS credentials. After gaining access, they create new IAM users and login profiles via API calls and generate new access keys. Next comes privilege escalation by attaching the ‘AdministratorAccess’ policy onto newly created users, granting Crimson Collective full AWS control. The threat actors take advantage of this level of access to enumerate users, instances, buckets, locations, database clusters, and applications, to plan the data collection and exfiltration phase.

Salesforce says it won’t pay extortion demand in 1 billion records breach arstechnica.com/security/…

Salesforce says it’s refusing to pay an extortion demand made by a crime syndicate that claims to have stolen roughly 1 billion records from dozens of Salesforce customers.

The threat group making the demands began their campaign in May, when they made voice calls to organizations storing data on the Salesforce platform, Google-owned Mandiant said in June. The English-speaking callers would provide a pretense that necessitated the target connect an attacker-controlled app to their Salesforce portal. Amazingly—but not surprisingly—many of the people who received the calls complied.

Earlier this month, the group created a website that named Toyota, FedEx, and 37 other Salesforce customers whose data was stolen in the campaign. In all, the number of records recovered, Scattered LAPSUS$ Hunters claimed, was “989.45m/~1B+.” The site called on Salesforce to begin negotiations for a ransom amount “or all your customers [sic] data will be leaked.” The site went on to say: “Nobody else will have to pay us, if you pay, Salesforce, Inc.” The site said the deadline for payment was Friday.

In an email Wednesday, a Salesforce representative said the company is spurning the demand.

Russian hackers turn to AI as old tactics fail, Ukrainian CERT says therecord.media/russian-h…

Russian hackers are increasingly using artificial intelligence and adopting new tactics in cyberattacks against Ukraine as Kyiv’s defenses grow stronger, Ukrainian government researchers said in a new report.

Since Russia’s invasion in 2022, cyberattacks on Ukraine have continued to rise, surpassing 3,000 cases in the first half of this year — about 20 percent more than the same period last year. At the same time, the number of high-impact incidents has declined as Ukraine’s defenses improve. That progress has forced Russian hackers to abandon outdated tactics, automate more of their operations and increasingly experiment with AI-generated malware, according to Ukraine’s computer emergency response team, CERT-UA.

In a report released Wednesday, the agency warned that attackers are now using AI not only to write phishing messages but also to generate malicious code itself. Researchers believe AI tools were used to create PowerShell scripts in malware known as Wrecksteel, attributed to the cyberespionage group UAC-0219. “The use of artificial intelligence in cyberattacks has reached a new level,” CERT-UA said. “We have investigated several viruses showing clear signs of being generated with AI, and attackers will certainly not stop there.”

Germany slams brakes on EU’s Chat Control device-scanning snoopfest www.theregister.com/2025/10/0…

Germany has committed to oppose the EU’s controversial “Chat Control” regulations following huge pressure from multiple activists and major organizations. Jens Spahn, a member of the Bundestag for Germany’s Christian Democratic Union (CDU) – part of the ruling coalition in the country – confirmed in a statement on Tuesday that the German government would not allow the proposed regulations, which are commonly referred to as Chat Control, to become law.

Too salty to handle: Exposing cases of CSS abuse for hidden text salting blog.talosintelligence.com/too-salty…

Cisco Talos has been closely monitoring the abuse of cascading style sheets (CSS) properties to include irrelevant content (or salt) in different parts of messages, a technique known as hidden text salting. This blog is a follow-up to our previous reports in January and March 2025 on CSS abuse in emails and shares highlights from a talk given at Blue Team Con 2025.

Talos explores why hidden text salting is used, where it typically appears in emails, the types of content and techniques involved, how common content concealment (including hidden text salting) is in both spam and legitimate messages, and the impact that hidden text salting has on email security solutions.

There is widespread use of hidden text salting in malicious emails to bypass detection. Attackers embed hidden salt in the preheader, header, attachments and body — using characters, paragraphs and comments — by manipulating text, visibility and sizing properties. Talos has observed that hidden content is far more often found in spam and other email threats than in legitimate emails, posing a substantial challenge to both basic and advanced email defense solutions that leverage machine learning.

Security Concerns Shadow Vibe Coding Adoption www.darkreading.com/applicati…

In a recent online poll, Dark Reading asked readers about how vibe coding fits into their organization’s application development strategy. The results reflect a complex present, one where AI coding assistants show promise but exist in a world of substantial risk.

Although some companies may not admit to using AI-generated code or AI tools because of a potential stigma associated with AI (such as from an intellectual property standpoint), “shadow AI” is the more relevant issue. In an effort to skip the tedium of official company software procurement workflows and work more efficiently, some developers have integrated unmonitored, unsanctioned AI tools into their development processes without permission. This is not only a compliance issue, but a security one as well.

Hospital Insider Breach Lasted 10 Years, Led to FBI Inquiry www.databreachtoday.com/hospital-…

Harris Health is contacting 5,000 patients about a breach involving a former employee who improperly accessed electronic health records for over a decade. The Texas healthcare organization said it learned of the incident and reported it to the FBI four years ago.