Cybersecurity News Weekly Newsletter – EY Data Leak, BIND 9, Chrome Vulnerability, and Aardvark ChatGPT Agent

This week’s cybersecurity roundup highlights escalating threats from misconfigurations, software flaws, and advanced malware. Key incidents demand immediate attention from IT teams and executives.

ISC patched CVE-2025-5470 in BIND 9 (versions 9.16.0 through 9.18.26), a denial-of-service vulnerability (CVSS 8.6) in which malformed DNS queries crash the server. A crashed resolver takes name resolution down for every client behind it, and authoritative servers are reachable directly from the internet, so update affected DNS servers urgently.

Google fixed CVE-2025-5482, a zero-day in Chrome's V8 JavaScript engine (versions below 131.0.6778.76) that a malicious site can use for code execution and sandbox escape. The bug is exploited in the wild across platforms. The fix ships through Chrome's auto-updater, but an update only takes effect after the browser is relaunched, so confirm the installed version (chrome://settings/help) and relaunch rather than waiting for the next restart.

The Aardvark Agent backdoor, attributed to state-sponsored actors, targets the finance sector through spear-phishing. Disguised as an administrative tool, it supports data exfiltration and lateral movement; published IOCs include its C2 domains. Strengthen endpoint detection and apply zero-trust controls.

Threats

Android Banking Trojan Herodotus Evades Detection

Herodotus, a newly surfaced Android banking trojan, mimics human typing patterns to defeat behavioral biometrics during remote-control sessions. It is distributed by side-loading and SMiShing, uses a custom dropper to bypass the Android 13+ restrictions on Accessibility Services, and deploys overlays for credential harvesting and SMS interception. Sold as Malware-as-a-Service and currently targeting users in Italy and Brazil, Herodotus splits injected text into single characters with randomized 300 to 3000 ms delays so that the input looks like natural keystrokes to anti-fraud engines.

Read more: https://.com/new-android-malware-herodotus-mimic-human-behaviour/

Stealthy Atroposia RAT Enables Hidden Access

Atroposia, a modular remote access trojan sold for $200 a month, lowers the barrier for cybercriminals by bundling a hidden remote desktop, credential theft, and vulnerability scanning behind an intuitive panel. Its HRDP Connect feature opens invisible shadow sessions for interacting with the system, allowing surveillance and data exfiltration without user notifications or the usual RDP logon records. With privilege escalation, persistence across reboots, and a file grabber that extracts data in memory, Atroposia blends into the host to evade antivirus and DLP tools.

Read more: https://.com/new-atroposia-rat-with-stealthy-remote-desktop/

Gunra Ransomware Hits Dual Platforms

Gunra ransomware, active since April 2025, targets Windows and Linux systems with separate encryptors for each platform and uses double extortion, encrypting files and threatening to leak data via a Tor site. It appends the .ENCRT extension to files, drops R3ADM3.txt ransom notes, deletes shadow copies via WMI, and uses anti-debugging checks such as IsDebuggerPresent to hinder analysis. Derived from Conti, Gunra has hit industries including real estate and pharmaceuticals worldwide, with victims in Japan, Egypt, and Italy told to pay within five days or have their data published.

Read more: https://.com/gunra-ransomware-leveraging-attacking-windows/

Gentlemen’s RaaS Recruits Affiliates

The Gentlemen's RaaS, advertised on hacking forums by an operator using the handle zeta88, offers cross-platform encryptors for Windows, Linux, and ESXi written in Go and C, with a 90% revenue share for affiliates. The generous split and full control over victim negotiations, with the operator running the backend, attract experienced actors and extend ransomware's reach into enterprise infrastructure such as NAS devices and virtual environments. The ESXi locker is only 32 KB, a size chosen for stealth, and marks a further step in the commercialization of RaaS beyond traditional platforms.

Read more: https://.com/new-gentlemens-raas-advertised-on-hacking-forums/

PolarEdge Botnet Expands IoT Control

The PolarEdge botnet has infected more than 25,000 IoT devices across 40 countries and operates about 140 C2 servers, exploiting vulnerabilities in devices such as Cisco routers, Asus equipment, and KT CCTV systems. First disclosed in February 2025, it forms an Operational Relay Box (ORB) network for APT actors, providing anonymous multi-hop proxying and using ports 55555/55560 for relayed traffic and commands. Infections are concentrated in South Korea (42%) and China (20%), and the operators host infrastructure on Alibaba Cloud and Tencent Cloud VPS, offering it as infrastructure-as-a-service for DDoS, exfiltration, and other attacks.

Read more: https://.com/polaredge-botnet-infected-25000-devices/

PhantomRaven Targets npm Developers

The PhantomRaven campaign has published 126 malicious npm packages since August 2025, collecting about 86,000 downloads. The packages hide their payload in dependencies fetched at install time from attacker-controlled URLs such as packages.storeartifact.com, so scanners that inspect only the published package see nothing malicious. These slopsquatted packages (names that mimic AI-hallucinated package suggestions) steal npm tokens, GitHub credentials, and CI/CD secrets, and the operators used conspicuous publisher names such as npmhell, apparently for their own operational tracking. After the first 21 packages were removed, the attackers adapted and published about 80 more, enabling tailored malware delivery and supply-chain compromise of JavaScript projects.

Read more: https://.com/phantomraven-attack-involves-126-malicious-npm-packages/

Fake ChatGPT Apps Enable Surveillance

Malicious apps impersonating ChatGPT on third-party app stores request broad permissions for SMS, contacts, and logs, and use Ijiami obfuscation and native libraries for persistent keylogging and credential theft. They exfiltrate OTPs, banking codes, and address books through domain fronting on AWS and Google Cloud, mimicking legitimate AI interfaces so that the traffic blends in. Resembling the Triout and AndroRAT spyware families, these trojans exploit the hype around AI for surveillance; users should install only from official OpenAI sources.

Read more: https://.com/beware-of-malicious-chatgptt-apps/

Cyberattacks

New Phishing Attack Using Invisible Characters

Cybercriminals are using MIME encoded-words and Unicode soft hyphens in email subject lines to bypass security filters: the invisible characters fragment keywords such as "password" so that keyword matching fails, while the subject renders normally to the recipient. The technique has been observed in credential-theft campaigns that direct victims to fake webmail pages on compromised domains. The same trick is applied to message bodies, evading content scanners and exposing the weakness of keyword-based detection that does not normalize the text first.

Read more: https://.com/new-phishing-attack-using-invisible-characters/
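The defensive counterpart to the trick described above is to decode the encoded-word header and strip invisible format characters before any keyword logic runs. The following is an added example, not code from the article or from any vendor it mentions; the sample subject is constructed here, and the keyword list and the handling of the whole Unicode "Cf" (format) category rather than a fixed list of code points are this example's choices.

```python
import base64
import email.header
import unicodedata

# Keywords a naive subject-line filter would look for (illustrative list).
KEYWORDS = ("password", "verify", "account", "suspended")


def decode_rfc2047(raw_subject: str) -> str:
    """Decode an RFC 2047 encoded-word header value into a Python string."""
    parts = []
    for chunk, charset in email.header.decode_header(raw_subject):
        if isinstance(chunk, bytes):
            parts.append(chunk.decode(charset or "ascii", errors="replace"))
        else:
            parts.append(chunk)
    return "".join(parts)


def strip_invisible(text: str) -> str:
    """NFKC-fold compatibility forms, then drop every Cf (format) character.

    Soft hyphen U+00AD, zero-width space U+200B, zero-width (non-)joiners and
    the BOM are all category Cf, so filtering on the category catches the
    whole class rather than a hand-picked list of code points.
    """
    folded = unicodedata.normalize("NFKC", text)
    return "".join(ch for ch in folded if unicodedata.category(ch) != "Cf")


def count_invisible(text: str) -> int:
    """Number of format characters; a high count in a subject is itself a signal."""
    return sum(1 for ch in text if unicodedata.category(ch) == "Cf")


def analyse_subject(raw_subject: str) -> dict:
    decoded = decode_rfc2047(raw_subject)
    normalized = strip_invisible(decoded)
    return {
        "decoded": decoded,
        "normalized": normalized,
        "invisible_chars": count_invisible(decoded),
        # What a naive filter matching on the decoded text sees.
        "naive_hits": [k for k in KEYWORDS if k in decoded.lower()],
        # What the same filter sees once invisible characters are removed.
        "normalized_hits": [k for k in KEYWORDS if k in normalized.lower()],
    }


def build_sample_subject() -> str:
    """Constructed sample: 'verify' and 'password' fragmented with U+00AD,
    then wrapped as a UTF-8 base64 encoded-word the way a phisher would send it."""
    text = "Ver\u00adify your pass\u00adword today"
    return "=?UTF-8?B?" + base64.b64encode(text.encode("utf-8")).decode("ascii") + "?="


if __name__ == "__main__":
    print(analyse_subject(build_sample_subject()))
```

Run as-is, the naive match list is empty while the normalized list contains both keywords. In a mail gateway the same normalization must be applied to the body (including HTML text nodes) before scanning, and the raw count of format characters is worth feeding into the spam score on its own.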

10 Malicious npm Packages with Auto-Run Feature

Ten typosquatted npm packages impersonating libraries such as discord.js have compromised more than 9,900 developer environments by running automatically from postinstall hooks on Windows, Linux, and macOS. The packages deploy a multi-stage credential harvester that uses layered obfuscation, a fake CAPTCHA prompt, and PyInstaller-built binaries to steal browser data, SSH keys, and cloud credentials, then exfiltrates the data to attacker-controlled servers, enabling account takeover in corporate and cloud systems.

Read more: https://.com/10-malicious-npm-packages-with-auto-run-feature/
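Both this item and the PhantomRaven item above come down to two things a manifest can declare: install-time lifecycle scripts, and dependency specs that make npm fetch code from somewhere other than the registry. The following added example (not code from the article or from npm) audits a package.json for both and can walk a whole node_modules tree. The sample manifest is constructed; the hostname in it is a placeholder, and the set of hook names and URL patterns flagged is this example's assumption.

```python
import json
import os
import re

# npm runs these scripts automatically during "npm install"; "prepare" also
# runs on a bare install inside the package directory.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Dependency specs that make npm fetch code from outside the registry:
# http(s) tarballs, git URLs, GitHub shorthand (owner/repo) and local paths.
REMOTE_SPEC = re.compile(
    r"^(https?://|git(\+\w+)?://|git@|github:|gitlab:|bitbucket:|file:|[\w.-]+/[\w.-]+(#.*)?$)"
)

DEPENDENCY_FIELDS = ("dependencies", "devDependencies", "optionalDependencies")


def audit_manifest(manifest: dict) -> dict:
    """Return lifecycle scripts and non-registry dependency specs in one package.json."""
    findings = {"lifecycle_scripts": {}, "remote_dependencies": {}}
    for hook, command in manifest.get("scripts", {}).items():
        if hook in LIFECYCLE_HOOKS:
            findings["lifecycle_scripts"][hook] = command
    for field in DEPENDENCY_FIELDS:
        for name, spec in manifest.get(field, {}).items():
            if isinstance(spec, str) and REMOTE_SPEC.match(spec):
                findings["remote_dependencies"][name] = spec
    return findings


def audit_tree(root: str) -> dict:
    """Audit every package.json under root (a project and its node_modules)."""
    report = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        path = os.path.join(dirpath, "package.json")
        try:
            with open(path, encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or not JSON; skip rather than abort the walk
        findings = audit_manifest(manifest)
        if findings["lifecycle_scripts"] or findings["remote_dependencies"]:
            report[path] = findings
    return report


# Constructed sample manifest (not a real package): a postinstall hook plus a
# dependency pulled from an HTTP URL. PhantomRaven used attacker-controlled
# hosts such as packages.storeartifact.com for this; the host below is a
# placeholder. The aliased "@scope/util" entry shows a registry spec that
# contains a slash and must not be flagged.
SAMPLE_MANIFEST = json.loads("""
{
  "name": "example-package",
  "version": "1.0.0",
  "scripts": {
    "postinstall": "node setup.js",
    "test": "jest"
  },
  "dependencies": {
    "lodash": "^4.17.21",
    "helper-lib": "https://packages.example.invalid/helper-lib.tgz",
    "@scope/util": "npm:other-pkg@^2.0.0"
  }
}
""")


if __name__ == "__main__":
    print(json.dumps(audit_manifest(SAMPLE_MANIFEST), indent=2))
```

Anything the audit flags deserves a look before the next install, but the blunt control is to stop npm running install scripts at all: `npm config set ignore-scripts true` (or `npm install --ignore-scripts`) and then re-enable scripts only for packages that genuinely need a build step. Remote URL dependencies are also not pinned by integrity hash the way registry tarballs are, which is why a lockfile alone does not protect against them.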

Threat Actors Weaponize Judicial Documents

Threat actors impersonating the Office of the Attorney General of Colombia are sending phishing emails with SVG attachments that lead to ZIP archives carrying HijackLoader, which ultimately deploys the PureHVNC RAT. The campaign targets Latin American users with judicial-themed lures and relies on DLL side-loading and evasion techniques such as stack spoofing to establish persistence. The shift to PureHVNC delivery marks an evolution in regional attacks that exploit trust in legal correspondence.

Read more: https://.com/threat-actors-weaponizes-judicial-documents/

CISA Shares Threat Detections for WSUS Vulnerability

CISA has updated its guidance on detecting exploitation of CVE-2025-59287, a critical remote code execution flaw in Windows Server Update Services (WSUS) affecting Windows Server 2012 through 2025. Attackers send crafted SOAP requests that trigger unsafe deserialization and execute code as SYSTEM, then harvest credentials and move laterally through proxies. Organizations should apply the October 23 out-of-band patch, monitor for anomalous child processes and network activity from wsusservice.exe, and, until patched, block inbound access to ports 8530/8531 from untrusted networks.

Read more: https://.com/cisa-threat-detections-wsus-vulnerability/
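The WSUS guidance above and the Gunra item earlier (shadow-copy deletion via WMI) both reduce to rules over process-creation telemetry. The following is an added example, not CISA's or any vendor's detection content: a small rule engine run over constructed Sysmon Event ID 1 records (Sysmon's real field names are used; the events themselves are made up, including the base64 payload). Which child processes count as suspicious under wsusservice.exe, and the command-line patterns for shadow-copy deletion, are this example's assumptions and should be tuned against your own baseline.

```python
import re

# Constructed Sysmon Event ID 1 (process creation) records. Field names match
# Sysmon (UtcTime, ParentImage, Image, CommandLine); the values are not real logs.
SAMPLE_EVENTS = [
    {"UtcTime": "2025-10-24 03:11:58", "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Program Files\Update Services\Service\WsusService.exe",
     "CommandLine": r'"C:\Program Files\Update Services\Service\WsusService.exe"'},
    {"UtcTime": "2025-10-24 03:12:07",
     "ParentImage": r"C:\Program Files\Update Services\Service\WsusService.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
    {"UtcTime": "2025-10-24 03:15:30", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"UtcTime": "2025-10-24 03:20:01", "ParentImage": r"C:\Users\Public\update.exe",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe", "CommandLine": "wmic shadowcopy delete"},
    {"UtcTime": "2025-10-24 03:20:02", "ParentImage": r"C:\Users\Public\update.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet"},
]

# Assumption: the WSUS service has no legitimate reason to spawn a shell or a
# script host. Extend or trim this set to match your environment's baseline.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                  "mshta.exe", "rundll32.exe", "certutil.exe"}

# Command-line shapes for deleting Volume Shadow Copies via wmic, vssadmin, or
# the Win32_ShadowCopy WMI class from PowerShell.
SHADOW_COPY_DELETE = re.compile(
    r"wmic.*shadowcopy.*delete|vssadmin.*delete\s+shadows|win32_shadowcopy", re.IGNORECASE
)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_wsus_spawns_shell(event: dict) -> bool:
    return (basename(event["ParentImage"]) == "wsusservice.exe"
            and basename(event["Image"]) in SHELL_CHILDREN)


def rule_shadow_copy_deletion(event: dict) -> bool:
    return bool(SHADOW_COPY_DELETE.search(event.get("CommandLine", "")))


RULES = (
    ("wsus_spawns_shell", rule_wsus_spawns_shell),
    ("shadow_copy_deletion", rule_shadow_copy_deletion),
)


def detect(events) -> list:
    """Apply every rule to every event; return one alert per (event, rule) match."""
    alerts = []
    for event in events:
        for name, rule in RULES:
            if rule(event):
                alerts.append({
                    "time": event["UtcTime"],
                    "rule": name,
                    "parent": basename(event["ParentImage"]),
                    "image": basename(event["Image"]),
                    "command_line": event.get("CommandLine", ""),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the sample data the WSUS service starting normally under services.exe and an administrator's explorer-launched cmd.exe produce nothing, while the shell spawned by wsusservice.exe and the two shadow-copy deletions each raise one alert. If you only have Windows Security event 4688 rather than Sysmon, map NewProcessName and ParentProcessName onto Image and ParentImage. One caveat for the Gunra rule: malware that calls the Win32_ShadowCopy class through COM from inside its own process never spawns wmic.exe, so process-creation rules should be paired with WMI activity logging rather than relied on alone.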

12 Malicious Extensions in VSCode Marketplace

Security researchers identified 12 malicious VSCode extensions across the Visual Studio Marketplace and OpenVSX, four of which were still available at the time of reporting. The extensions steal source code and credentials and plant backdoors, performing unauthorized downloads and network scans under the IDE's own privileges, which makes them a supply-chain foothold. Across the ecosystem, extensions showing suspicious behaviour account for roughly 613 million downloads, a 5.6% suspicious rate that highlights the risk in AI-assisted development tooling.

Read more: https://.com/12-malicious-extension-in-vscode-marketplace/

RediShell RCE Vulnerability Exposes 8500 Redis Instances

CVE-2025-49844 (RediShell), a use-after-free in Redis's Lua scripting engine, allows a sandbox escape and host-level RCE; more than 8,500 exposed instances are reachable, many without authentication in cloud environments. An attacker who can submit Lua scripts crafts one that escapes the sandbox and executes arbitrary commands, risking malware installation and data exfiltration, and the flaw has been present since 2012. Redis has patched the vu...

Comments (4)

Anonymous user 2025-11-03 04:12
The tools mentioned in the article are very practical; I have already tried them in a test environment.
Anonymous user 2025-11-02 16:12
This article deserves a wider audience; cybersecurity awareness is so important.
Anonymous user 2025-11-02 09:12
This article shows a deep understanding of cybersecurity; I learned a lot.
Anonymous user 2025-11-02 09:12
These security recommendations are very timely and address exactly the problems our team has been facing.