
Weekly Cybersecurity Intelligence Report Cyber Threats & Breaches 22 Oct – 28 Oct, 2025

October 22–28 saw multi-platform APT operations, zero-day exploitation, supply chain worm propagation, and ransomware against enterprise infrastructure. North Korean APT BlueNoroff deployed AI-assisted social engineering against crypto firms. Italian commercial spyware was delivered through a Chrome zero-day for espionage. Japanese logistics suffered ransomware paralysis. A sub-$1,000 memory-bus side-channel attack (TEE.Fail) extracted keys from the major CPU confidential-computing enclaves. Self-propagating malware infected 35,800+ developer workstations. Microsoft WSUS and Oracle EBS vulnerabilities faced active exploitation hours after patches. Adobe Commerce stores endured mass automated attacks.


1. BlueNoroff APT: GhostCall & GhostHire Campaigns

Disclosure: 27 October 2025
Active Period: April–October 2025
Targets: Crypto/Web3, blockchain firms (Asia-Pacific, Europe, Turkey)
Threat Actor: BlueNoroff (DPRK APT38/Lazarus)

Overview

Kaspersky disclosed two campaigns targeting cryptocurrency executives (GhostCall) and blockchain developers (GhostHire) that used AI-generated personas, fake investment meetings with replayed recordings of earlier calls, and malicious GitHub repositories. Cross-platform loaders delivered multi-stage implants for credential theft and financial exfiltration.

Technical Details

Attack Chain:

  • Initial Access: Telegram spearphish with fake VC/recruiter personas, malicious Zoom/Teams update sites
  • Execution: AppleScript (macOS), PowerShell (Windows) droppers; fake meeting apps prompt password entry
  • Payloads: DownTroy, ZoomClutch, CosmicDoor (C++ w/ GillyInjector), RooTroy (Go), RealTimeTroy (WSS C2), SysPhon (RustBucket variant)
  • Credential Harvesting: SilentSiphon bash scripts targeting 50+ dev tools (GitHub, AWS, npm, Docker, Solana, SSH keys)

MITRE ATT&CK:
T1566.002 (Spearphish Link), T1195.002 (Supply Chain), T1059.001/.002 (PowerShell/AppleScript), T1055 (Process Injection), T1555.003 (Password Stores), T1552.001 (Credentials in Files)

IOCs:

  • Domains: teams-download[.]buzz, zoom-sdk-update[.]online
  • WebSocket C2 over port 443
  • Persistent loaders: CoreKitAgent, Nimcore

Impact

Mass crypto wallet theft, dev environment compromise enabling supply chain attacks, cloud credential exfiltration for lateral movement.

CISO Takeaway

Monitor osascript/AppleScript and PowerShell execution, especially when spawned by meeting clients or "updater" installers; enforce MFA with hardware tokens; segment crypto operations from corporate networks; review and sandbox GitHub repositories received from recruiters before building them; and rotate every developer-platform credential (GitHub, AWS, npm, Docker, SSH) on any suspected contact.
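The following is an added example (not Kaspersky's tooling and not code from the campaign) that makes the rotation step concrete: it walks a home directory for the kinds of credential files a SilentSiphon-style harvester collects and reports which exist, which are readable by other users, and which were read recently. The path list and the sample home directory are assumptions constructed for the demo.

```python
"""Inventory of developer secrets a SilentSiphon-style harvester would collect.

Added example, not Kaspersky's tooling or BlueNoroff code. The credential
locations below are assumptions (common defaults for the kinds of tools the
report names); the sample home directory is constructed for the demo.
"""
import stat
import tempfile
import time
from pathlib import Path

# Assumed default credential locations, as glob patterns relative to $HOME.
SECRET_PATTERNS = {
    "ssh-private-key": [".ssh/id_*"],            # *.pub files are skipped below
    "aws": [".aws/credentials"],
    "npm": [".npmrc"],
    "docker": [".docker/config.json"],
    "github-cli": [".config/gh/hosts.yml"],
    "git-credentials": [".git-credentials"],
    "solana": [".config/solana/id.json"],
    "kubernetes": [".kube/config"],
    "netrc": [".netrc"],
}


def inventory_dev_secrets(home, recent_read_window=3600, now=None):
    """Return one record per credential file found under `home`.

    `world_readable` flags group/other read bits; `read_recently` compares the
    file's atime with `now` (only meaningful where the filesystem tracks atime;
    relatime updates it after a modification or once a day).
    """
    home = Path(home)
    now = time.time() if now is None else now
    records = []
    for tool, patterns in SECRET_PATTERNS.items():
        for pattern in patterns:
            for path in sorted(home.glob(pattern)):
                if not path.is_file() or path.suffix == ".pub":
                    continue
                st = path.stat()
                records.append({
                    "tool": tool,
                    "path": str(path),
                    "size": st.st_size,
                    "world_readable": bool(st.st_mode & (stat.S_IRGRP | stat.S_IROTH)),
                    "read_recently": (now - st.st_atime) < recent_read_window,
                })
    return records


def rotation_checklist(records):
    """Distinct credential classes present: the rotation list after a suspected
    harvester run (all of them are in scope, whether or not atime moved)."""
    return sorted({r["tool"] for r in records})


def build_constructed_home(root):
    """Populate `root` with placeholder credential files (constructed, not real)."""
    root = Path(root)
    samples = {
        ".ssh/id_ed25519": "-----BEGIN OPENSSH PRIVATE KEY-----\nplaceholder\n-----END OPENSSH PRIVATE KEY-----\n",
        ".ssh/id_ed25519.pub": "ssh-ed25519 AAAAC3placeholder dev@example\n",
        ".aws/credentials": "[default]\naws_access_key_id = AKIAPLACEHOLDER0000\naws_secret_access_key = placeholder\n",
        ".npmrc": "//registry.npmjs.org/:_authToken=npm_placeholder\n",
        ".docker/config.json": '{"auths": {"ghcr.io": {"auth": "cGxhY2Vob2xkZXI="}}}\n',
        ".config/solana/id.json": "[1, 2, 3, 4]\n",
    }
    for rel, body in samples.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
        path.chmod(0o600)
    (root / ".npmrc").chmod(0o644)   # deliberately too permissive, to exercise the flag


def demo():
    """Run the inventory over a constructed home directory and summarise it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_home(tmp)
        records = inventory_dev_secrets(tmp)
        return {
            "checklist": rotation_checklist(records),
            "paths": sorted(Path(r["path"]).relative_to(tmp).as_posix() for r in records),
            "world_readable": sorted(Path(r["path"]).name for r in records if r["world_readable"]),
            "all_read_recently": all(r["read_recently"] for r in records),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it against a real home directory with `inventory_dev_secrets(Path.home())`; treat the checklist as the rotation list regardless of the atime column, which is only a hint on filesystems that track access times.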

2. Chrome Zero-Day CVE-2025-2783: Italian Spyware Dante

Exploitation: March 2025 (CVE-2025-2783 was disclosed and patched in March; the Dante/Memento Labs link was published 27 October)
Patched: Chrome 134.0.6998.177/.178, March 2025
Threat Actor: Mem3nt0 mori (linked to Memento Labs/ex-Hacking Team)
Victims: Russian media, universities, gov’t, finance (Operation ForumTroll)

Overview

Chrome sandbox escape via Windows pseudo-handle manipulation delivered LeetAgent and Dante commercial spyware. Targeted espionage using fake Primakov Readings forum invites.

Technical Details

Exploit: A logic flaw in how Chrome's IPC layer handled Windows pseudo-handles let a sandboxed process turn one into a real handle, escaping the sandbox without any action the sandbox policy would recognise as forbidden.

Malware:

  • LeetAgent: Shellcode execution, keylogging, file theft (.docx/.xlsx/.pdf)
  • Dante: Advanced spyware (Memento Labs), encrypted C2, anti-analysis

MITRE ATT&CK:
T1203 (Exploit for Client Execution), T1140 (Deobfuscate), T1056.001 (Keylogging), T1005 (Data from Local System)

Impact

Persistent espionage access, credential theft, document exfiltration from sensitive orgs.

CISO Takeaway

Update Chrome to 134.0.6998.177 or later (and other Chromium-based browsers to a build carrying the fix), deploy browser isolation for high-risk users, and alert on post-exploitation behaviour (unexpected child processes of the browser, keylogging, document staging), since the handle manipulation itself leaves no default endpoint telemetry.

3. TEE.Fail: Confidential Computing Broken

Disclosure: 27 October 2025
Researchers: Georgia Tech, Purdue, Synkhronix
Affected: Intel SGX and TDX, AMD SEV-SNP, NVIDIA H100 confidential computing (which trusts the host CPU TEE); all on DDR5 platforms
Cost: <$1,000 hardware

Overview

An interposer on the DDR5 memory bus records enclave memory traffic. Because the memory encryption is deterministic AES-XTS (the same plaintext at the same address always yields the same ciphertext, with no integrity or freshness protection), the captured ciphertext leaks enough to recover cryptographic keys from the enclaves. Vendors have not announced a fix.

Technical Details

Attack:

  1. DDR5 bus interposer: logic analyzer plus FPGA tapping the DIMM
  2. Intel ADXL maps physical addresses to DIMM channels, so a target enclave page can be located on the bus
  3. Cache eviction forces enclave data out to the memory bus, where it is captured
  4. Deterministic encryption: the same plaintext at the same address always produces the same ciphertext, so captured ciphertext can be matched against chosen or known plaintexts (no freshness, no integrity check)
  5. ECDSA signing-key recovery from the ciphertext patterns observed while the enclave signs

Demo: Forged Ethereum BuilderNet attestations, enabling undetectable frontrunning.
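To make step 4 concrete, here is an added example (not the researchers' code) modelling the deterministic-encryption property: a toy tweakable block cipher stands in for AES-XTS, an attacker who can get chosen values written to one address builds a ciphertext dictionary, and then decodes a victim's low-entropy writes at that address (for instance the table index of a windowed scalar multiplication, from which nonce bits leak). The same attack against a controller whose tweak includes a per-write counter fails, which is why freshness matters. The cipher, the address and the secret values are constructed.

```python
"""Why deterministic memory encryption leaks: a ciphertext-dictionary attack.

Added example modelling the property TEE.Fail exploits; it is not the
researchers' code. The cipher below is a toy tweakable block cipher (4-round
Feistel with an HMAC round function) standing in for AES-XTS; only its
determinism in (key, address, plaintext) matters here. The secret values and
address are constructed.
"""
import hashlib
import hmac
import os
import struct

BLOCK = 16  # 128-bit blocks, as on the DDR5 bus


def _round_function(key, tweak, rnd, half):
    return hmac.new(key, tweak + bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def tweak_encrypt(key, tweak, block):
    """Toy tweakable block cipher: same (key, tweak, block) -> same ciphertext."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = _round_function(key, tweak, rnd, right)
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right


class MemoryController:
    """Address-tweaked encryption with no freshness, as on the affected platforms."""
    def __init__(self, key=None):
        self._key = key or os.urandom(32)

    def write(self, addr, plaintext):
        """Return what a bus interposer sees for a 16-byte write to `addr`."""
        return tweak_encrypt(self._key, struct.pack("<Q", addr), plaintext)


class FreshMemoryController(MemoryController):
    """Same cipher, but the tweak also carries a per-write counter (a freshness
    mechanism the affected platforms do not have; shown for contrast)."""
    def __init__(self, key=None):
        super().__init__(key)
        self._counter = 0

    def write(self, addr, plaintext):
        self._counter += 1
        return tweak_encrypt(self._key, struct.pack("<QQ", addr, self._counter), plaintext)


def encode_index(value):
    """A low-entropy value (e.g. a 5-bit window index) padded to one block."""
    return bytes([value]) + b"\x00" * (BLOCK - 1)


def learn_dictionary(controller, addr, domain):
    """Chosen-plaintext phase: the attacker gets each candidate written at `addr`
    and records the resulting bus ciphertext."""
    return {controller.write(addr, encode_index(v)): v for v in domain}


def recover(dictionary, observed_ciphertexts):
    """Decode victim writes at the same address by dictionary lookup; None = miss."""
    return [dictionary.get(c) for c in observed_ciphertexts]


def demo(secret_windows=(0x13, 0x02, 0x13, 0x0F), addr=0x7F0000001000):
    """Run the attack against a deterministic and a freshness-protected controller."""
    results = {}
    for name, controller in (("deterministic", MemoryController()),
                             ("fresh", FreshMemoryController())):
        dictionary = learn_dictionary(controller, addr, range(32))
        observed = [controller.write(addr, encode_index(w)) for w in secret_windows]
        results[name] = {
            "recovered": recover(dictionary, observed),
            "repeat_write_identical": observed[0] == observed[2],
        }
    return results


if __name__ == "__main__":
    print(demo())
```

The dictionary attack recovers every window value from the deterministic controller and nothing from the counter-tweaked one; the real TEE.Fail key recovery builds on this primitive with the address mapping and cache-eviction steps listed above, which are not modelled here.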

MITRE ATT&CK:
T1005 (Data from Local System), T1552.004 (Private Keys), T1600.001 (Weaken Encryption)

Impact

Cloud confidential VMs compromised, crypto wallet keys extractable, AI model weights processed in confidential GPU VMs exposed. Vendors classify attacks that require physical access as out of scope, so no mitigation is planned.

CISO Takeaway

Do not rely on TEEs as the sole boundary against an adversary with physical access (hosting staff, a compromised data centre, a rogue cloud operator). Keep long-lived keys in HSMs validated at FIPS 140-2 or 140-3 Level 3 or above, rotate keys frequently so a captured key has a short useful life, and split high-value operations with multi-party computation across geographically distributed enclaves so that one bus tap is not enough.

4. Microsoft WSUS RCE CVE-2025-59287

Initial Patch: 14 October 2025
Emergency Patch: 23 October 2025
Exploitation Confirmed: 24 October (UK NCSC)
CISA KEV: 24 October, deadline 12 November

Overview

Unauthenticated RCE via unsafe deserialization in the WSUS GetCookie() (ClientWebService) and ReportingWebService endpoints. Attackers gain SYSTEM on the WSUS server and can push malicious "updates" to every managed endpoint. PoC code was public and exploitation was confirmed within a day of the emergency patch.

Technical Details

Vuln: the server decrypts a client-supplied AuthorizationCookie and hands it to BinaryFormatter (SoapFormatter on the reporting path), so a crafted cookie carrying a .NET gadget chain executes on deserialization.

Attack Vectors:

  • HTTP POST to /ClientWebService/Client.asmx (SOAP action GetCookie) or /ReportingWebService/ReportingWebService.asmx, normally on TCP 8530 (HTTP) or 8531 (HTTPS)
  • No authentication required, CVSS 9.8
  • SYSTEM-level code execution

Weaponization:

  • Replace legitimate updates with ransomware/malware
  • Extract domain creds from LSASS
  • Lateral movement to all managed endpoints

MITRE ATT&CK:
T1190 (Exploit Public-Facing Application), T1072 (Software Deployment Tools), T1003.001 (LSASS Memory), T1486 (Data Encrypted for Impact), T1570 (Lateral Tool Transfer)

Impact

Trusted update infrastructure hijacked for mass malware deployment, domain compromise and persistent backdoors. In-the-wild exploitation within a day of the patch.

CISO Takeaway

Apply the 23 October out-of-band patch immediately and reboot. If a server cannot be patched, disable the WSUS server role or block inbound TCP 8530/8531 at the host firewall until it can. Hunt IIS logs for POSTs to the ClientWebService and ReportingWebService endpoints from unexpected sources, and for the WSUS service or its IIS worker process spawning cmd.exe or powershell.exe. Run WSUS with minimal privileges (never as Domain Admin). Consider migrating to cloud-based patch management.
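An added hunting script for the IIS-log step (not Microsoft's guidance and not a vendor detection): it parses W3C-format IIS logs, keeps POSTs to the two WSUS endpoints, and flags those that come from outside the managed-client networks, carry a user-agent that is not the Windows Update Agent, or returned HTTP 500. The network ranges, the user-agent prefix and the log lines are assumptions constructed for the example.

```python
"""Hunt IIS W3C logs for suspicious traffic to the WSUS deserialization sinks.

Added example, not Microsoft's guidance or a vendor detection. Assumptions:
the managed-client networks and the legitimate Windows Update Agent user-agent
prefix below; the log lines are constructed, not from a real incident.
"""
import ipaddress

# WSUS endpoints behind GetCookie() (ClientWebService) and the reporting service.
WSUS_SINKS = ("/clientwebservice/client.asmx",
              "/reportingwebservice/reportingwebservice.asmx")
# Assumption: where WSUS clients (and any downstream WSUS servers) live.
TRUSTED_CLIENT_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
# Assumption: real clients identify as Windows-Update-Agent/...; exploit tooling rarely does.
WUA_PREFIX = "windows-update-agent"

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-10-24 02:11:09 10.0.5.20 POST /ClientWebService/Client.asmx - 8530 - 10.0.7.41 Windows-Update-Agent/10.0.10011.16384+Client/7.9.0.0 - 200 0 0 31
2025-10-24 02:13:52 10.0.5.20 POST /ClientWebService/Client.asmx - 8530 - 203.0.113.77 python-requests/2.32.3 - 200 0 0 418
2025-10-24 02:14:03 10.0.5.20 POST /ReportingWebService/ReportingWebService.asmx - 8530 - 203.0.113.77 Mozilla/5.0 - 500 0 0 1204
2025-10-24 02:20:00 10.0.5.20 GET /SimpleAuthWebService/SimpleAuth.asmx - 8530 - 10.0.7.41 Windows-Update-Agent/10.0.10011.16384+Client/7.9.0.0 - 200 0 0 5
"""


def parse_iis_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if len(values) != len(fields):      # truncated or rotated mid-line
            continue
        yield dict(zip(fields, values))


def hunt_wsus_requests(text, trusted_nets=TRUSTED_CLIENT_NETS):
    """Return POSTs to the WSUS sinks that look unlike a real update client."""
    findings = []
    for rec in parse_iis_w3c(text):
        stem = rec.get("cs-uri-stem", "").lower()
        if rec.get("cs-method") != "POST" or not stem.startswith(WSUS_SINKS):
            continue
        reasons = []
        client = ipaddress.ip_address(rec["c-ip"])
        if not any(client in net for net in trusted_nets):
            reasons.append("source outside managed-client networks")
        user_agent = rec.get("cs(User-Agent)", "-").replace("+", " ")  # IIS logs spaces as '+'
        if not user_agent.lower().startswith(WUA_PREFIX):
            reasons.append(f"unexpected user-agent: {user_agent}")
        if rec.get("sc-status") == "500":
            reasons.append("HTTP 500 from a deserialization sink (failed or crashing gadget)")
        if reasons:
            findings.append({"time": f"{rec['date']} {rec['time']}", "c-ip": rec["c-ip"],
                             "uri": rec["cs-uri-stem"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in hunt_wsus_requests(SAMPLE_LOG):
        print(finding)
```

The user-agent check is trivially spoofable, so weight the source-network check highest; put upstream and downstream WSUS servers in the trusted list, since replication also POSTs to these endpoints. Feed real logs with `hunt_wsus_requests(open(path).read())`.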

5. Qilin Ransomware: Linux-on-Windows Evasion

Disclosed: 22 October 2025
Victims: 591 in 2025 (84/month avg, peak 100 in June)
Sectors: Manufacturing, tech, finance, healthcare (US, Canada, UK)

Overview

Qilin pushed a Linux ELF ransomware binary onto Windows hosts with WinSCP and ran it through Splashtop Remote, sidestepping EDR tuned for Windows PE executables. The intrusion combined BYOVD (eskle.sys) to disable defences with theft of Veeam backup credentials.

Technical Details

TTP:

  • Initial Access: RMM abuse (AnyDesk/Atera, ScreenConnect, MeshCentral)
  • Credential Theft: Veeam database extraction tools
  • Defense Evasion: BYOVD driver (eskle.sys) kills EDR processes
  • Lateral Movement: PuTTY SSH to Linux hosts
  • Execution: Splashtop Remote executes Linux ELF binary on Windows

MITRE ATT&CK:
T1219 (Remote Access Software), T1003 (Credential Dumping), T1562.001 (Impair Defenses), T1486 (Data Encrypted)

Impact

Cross-platform payloads slip past Windows-centric controls, backup sabotage blocks recovery, and leak-site postings ran at roughly 80-100 victims per month through 2025.

CISO Takeaway

Restrict RMM tools to an allow-list of hosts and block unapproved ones; deploy EDR that inspects file content and flags ELF binaries written to or executed on Windows; enable Microsoft's vulnerable driver blocklist and alert on unsigned driver loads; segment backup infrastructure and keep Veeam credentials out of the domain-admin tier; keep offline or immutable backups.
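An added example of the detection the takeaway calls for (not Trend Micro's or an EDR vendor's content): it correlates constructed Sysmon-style events for the three TTPs above, an ELF-headed file written and then executed on Windows, a BYOVD driver load (eskle.sys, unsigned), and an RMM binary running on a host that is not on the allow-list. The telemetry fields (in particular `header_hex`, the first bytes of a newly written file), the process names and the allow-list are assumptions.

```python
"""Correlate endpoint telemetry for the Qilin TTPs described above.

Added example, not Trend Micro's or any EDR vendor's detection content. The
events are constructed Sysmon-style records; `header_hex` (first bytes of a
newly written file), the RMM binary names and the allow-list are assumptions.
eskle.sys is the driver named in the report.
"""
from pathlib import PureWindowsPath

ELF_MAGIC = "7f454c46"                       # "\x7fELF"
KNOWN_BYOVD_DRIVERS = {"eskle.sys"}          # from the report
RMM_BINARIES = {"anydesk.exe", "ateraagent.exe",          # assumed process names
                "screenconnect.clientservice.exe", "meshagent.exe"}
RMM_ALLOWED_HOSTS = {"JUMP-01", "HELPDESK-03"}            # assumed allow-list

SAMPLE_EVENTS = [  # constructed telemetry, in time order
    {"event": "file_create", "host": "WS-FIN-07",
     "image": r"C:\Program Files (x86)\WinSCP\WinSCP.exe",
     "target": r"C:\Users\Public\enc", "header_hex": "7f454c460201010000"},
    {"event": "process_create", "host": "WS-FIN-07",
     "image": r"C:\Users\Public\enc", "command_line": r"C:\Users\Public\enc --path C:\Users",
     "parent_image": r"C:\Program Files\Splashtop\SRService.exe"},
    {"event": "driver_load", "host": "WS-FIN-07",
     "image": r"C:\Windows\Temp\eskle.sys", "signed": False},
    {"event": "process_create", "host": "WS-HR-02",
     "image": r"C:\Users\bob\Downloads\AnyDesk.exe", "command_line": "AnyDesk.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"event": "process_create", "host": "JUMP-01",
     "image": r"C:\Program Files\AnyDesk\AnyDesk.exe", "command_line": "AnyDesk.exe --service",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"event": "file_create", "host": "WS-FIN-07",
     "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\Temp\patch.exe", "header_hex": "4d5a900003000000"},
]


def _name(path):
    return PureWindowsPath(path).name.lower()


def detect(events):
    """Return findings in event order. Rules: (1) an ELF-headed file written to a
    Windows host and later executed; (2) load of an unsigned or known-BYOVD
    driver; (3) an RMM binary running on a host that is not allowed to run it."""
    elf_files = {}     # (host, path) -> process that wrote the file
    findings = []
    for ev in events:
        host, kind = ev["host"], ev["event"]
        if kind == "file_create":
            if ev.get("header_hex", "").lower().startswith(ELF_MAGIC):
                elf_files[(host, ev["target"].lower())] = _name(ev["image"])
        elif kind == "process_create":
            image = ev["image"]
            key = (host, image.lower())
            if key in elf_files:
                findings.append({"host": host, "severity": "critical", "rule": "elf-executed-on-windows",
                                 "detail": f"{_name(image)} written by {elf_files[key]}, "
                                           f"launched under {_name(ev.get('parent_image', ''))}"})
            if _name(image) in RMM_BINARIES and host not in RMM_ALLOWED_HOSTS:
                findings.append({"host": host, "severity": "high", "rule": "unapproved-rmm-tool",
                                 "detail": f"{_name(image)} on {host}"})
        elif kind == "driver_load":
            driver = _name(ev["image"])
            if driver in KNOWN_BYOVD_DRIVERS or ev.get("signed") is False:
                findings.append({"host": host, "severity": "critical", "rule": "byovd-driver-load",
                                 "detail": f"{driver} signed={ev.get('signed')}"})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The ELF rule keys on file content rather than extension, which is the point the Qilin case makes: the ransomware file has no .exe and no PE header, so a Windows-only signature set never looks at it. The AnyDesk launch on JUMP-01 produces no finding because that host is on the allow-list.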

Outpace Attackers With AI-Based Automated Penetration Testing With FireCompass:

FireCompass is a single platform for AI-Powered Continuous Automated Red Teaming (CART), Pen Testing & NextGen Attack Surface Management 



Priyanka Aash

Priyanka Aash is credited with building global communities for cybersecurity leaders and shaping enterprise marketing strategies for over a decade. She has been nominated for the Cybersecurity Excellence Award for her leadership & AI innovations in cybersecurity and honored with the NetApp Excellerate HER award. She is also the author of “The AI Divide,” which explores how artificial intelligence is quietly rewiring human minds and influencing decisions. Earlier, she co-founded CISO Platform, the world’s first online platform for collaboration and knowledge sharing among senior information security executives. Through this, she worked with the marketing teams of IBM, VMware, F5 Networks, Barracuda Networks, Check Point, and others, driving inbound marketing and enterprise growth. Priyanka is passionate about entrepreneurship, enterprise marketing strategy, and building communities that empower CISOs worldwide.