SideWinder targets Asia with ClickOnce attack chain to deliver ModuleInstaller and StealerBot
In September 2025, Trellix researchers observed a phishing campaign, attributed to SideWinder, that uses a ClickOnce-based infection chain to deliver ModuleInstaller and StealerBot to multiple institutions in India, Sri Lanka, Pakistan, and Bangladesh. The campaign ran in several waves throughout 2025, each with its own lure theme aimed at specific diplomatic targets. The first wave, between March and April 2025, used emails carrying PDF attachments that asked the recipient to download the latest version of Adobe Reader from a supplied link. Second, third, and fourth waves followed between April and May 2025, from June through September 2025, and in September 2025. The May and September waves delivered the malware with a Word document carrying an exploit for CVE-2017-0199. In every wave, JSON configuration files were replaced with a malicious DLL that serves as the sideloading vector. Once executed, the DLL locates the encrypted ModuleInstaller file dropped alongside the ClickOnce installer, which in turn downloads the ‘TapiUnattended’ executable responsible for loading StealerBot.
Lampion Stealer campaign leverages new infection chain to target Portuguese banks
Bitsight researchers detailed a spam campaign, active since at least June 2024 and attributed to a Brazilian hacker group, that delivers Lampion Stealer to target Portuguese banks. The infection chain typically starts with a phishing email followed by a multi-step chain of obfuscated VBS scripts that drop a DLL, with small changes observed over the life of the campaign. The first change came in September 2024, when the threat actor switched from linking to a ZIP file in the phishing email to attaching the ZIP directly; ClickFix lures were then introduced in December 2024. The latest change, in June 2025, adds the first-stage VBS script to the Windows Startup folder for persistence. The main Lampion stealer component is now a single packed DLL with previously undocumented characteristics: it is compiled with Embarcadero Delphi Professional, has 13 sections, and embeds two encrypted ZIP files that account for most of the binary’s size.
Smishing Triad phishing campaign leverages fake toll violations and package misdelivery notices
Palo Alto Networks Unit 42 researchers identified a new Smishing Triad campaign that uses fake toll violation and package misdelivery notices. The smishing campaign is believed to be more extensive and complex than initially thought, with infrastructure that suggests a well-resourced phishing-as-a-service (PhaaS) operation. While the attackers have targeted United States residents since April 2024, Smishing Triad has expanded its reach to global services, including critical sectors such as banking, cryptocurrency platforms, and e-commerce platforms. Since May 2025, Smishing Triad’s Telegram channel has evolved from a dedicated phishing kit marketplace into an active community that gathers diverse threat actors within the PhaaS ecosystem, specializing in upstream, midstream, and downstream roles and in support. The attack domains are hosted on IP addresses geolocated to various countries and mostly serve pages that mimic login and identity verification portals, toll payment pages, and other service charge payment pages. Since January 1st, 2024, 194,345 domains across 136,933 root domains have been linked to the operation.
Water Saci campaign leverages new script-based attack chain to deploy SORVEPOTEL
On October 8th, 2025, Trend Micro researchers observed a new attack chain in the ongoing Water Saci campaign deploying SORVEPOTEL. The new chain uses email-based C2 infrastructure, multi-vector persistence, and checks that evade analysis and restrict activity to specific targets. It also features a remote C2 system that gives the threat actors real-time management and can turn infected machines into a botnet for coordinated operations across multiple endpoints. The infection begins with a ZIP archive downloaded via WhatsApp Web that contains an obfuscated VBS downloader. The downloader issues a PowerShell command that downloads a PowerShell script and executes it in memory, without writing it to disk. That script hijacks the victim’s WhatsApp Web session, harvests all contacts from the account, and automatically distributes ZIP files to those contacts while maintaining persistent C2 communication, enabling large-scale social engineering campaigns. The script’s consistent use of Portuguese suggests a focus on Brazil, and overlaps and developments in the infection chain point to a possible link with past Coyote banking trojan campaigns.
BlueNoroff GhostCall and GhostHire campaigns deliver various backdoors and stealers
Kaspersky researchers observed two separate BlueNoroff campaigns, GhostCall and GhostHire, both conducted under the SnatchCrypto Operation and active since at least mid-2023. GhostHire’s attack chain is structurally similar to GhostCall’s, and the two deploy identical malware. BlueNoroff has been observed using artificial intelligence in various aspects of the attacks. GhostCall targets the macOS devices of tech and venture capital executives through fake Zoom or Microsoft Teams meetings with supposed entrepreneurs or investors. On the fake meeting site, the user is prompted to enable their camera, which lets JavaScript on the page record a video chunk and send it to BlueNoroff every second; an error message then prompts the user to download a malicious SDK update. GhostHire targets Web3 developers and engineers, delivering malicious projects via GitHub and Telegram bots under the guise of skill assessments for job applications. At least seven multi-stage execution chains have been identified delivering various backdoors, keyloggers, and stealers, among them CosmicDoor, RooTroy, DownTroy, RealTimeTroy, ZoomClutch, TeamsClutch, SilentSiphon, SneakMain, a lightweight version of RustBucket dubbed SysPhon, SugarLoader, and the Buf loader. The CosmicDoor, RooTroy, and RealTimeTroy chains additionally use GillyInjector.
Ransomware
Global Group: ransomware rebranding stories (Intrinsec – Oct 30 2025)
Ransomware Spotlight: DragonForce (Trend Micro – Security News – Oct 29 2025)
Some lower-tier ransomware gangs have formed a new RaaS alliance — or have they? (DataBreaches.net – Oct 28 2025)
Decrypted: Midnight Ransomware (Gen Digital – Oct 28 2025)
Uncovering Qilin attack methods exposed through multiple cases (Talos Intelligence Blog – Oct 27 2025)
Everest Ransomware Says It Stole 1.5M Dublin Airport Passenger Records (HackRead – Oct 26 2025)
Agenda Ransomware Deploys Linux Variant on Windows Systems Through Remote Management Tools and BYOVD Techniques (Trend Micro – Oct 23 2025)
Financial Services
Rogue WordPress Plugin Conceals Multi-Tiered Credit Card Skimmers in Fake PNG Files (Wordfence – Oct 29 2025)
Investigation Report: Android/BankBot-YNRK Mobile Banking Trojan (CYFIRMA – Oct 29 2025)
New Android Malware Herodotus Mimics Human Behaviour to Evade Detection (Threat Fabric Blog – Oct 28 2025)
Mexican Bank Debtor Database Leaked on Dark Web (Daily Dark Web – Oct 28 2025)
New GhostGrab Android Malware Silently Steals Banking Login Details and Intercepts SMS for OTPs (GBHackers On Security – Oct 28 2025)
Geopolitics
Ukrainian organizations still heavily targeted by Russian attacks (Symantec Enterprise Blogs – Oct 29 2025)
New Gamaredon Phishing Attack Targeting Govt Entities Exploiting WinRAR Vulnerability (CyberSecurityNews.com – Oct 28 2025)
Chatbots parrot Putin’s propaganda about the illegal invasion of Ukraine (TheRegister.com – Oct 28 2025)
Mem3nt0 mori – The Hacking Team is back! (Kaspersky Lab – Oct 27 2025)
Russian Rosselkhoznadzor hit by DDoS attack, food shipments across Russia delayed (Security Affairs – Oct 25 2025)
High Priority Vulnerabilities
| Name | Software | Base Score | Temporal Score | Related coverage |
|---|---|---|---|---|
| CVE-2025-59287 | Windows | 9.8 | 9.4 | Critical Microsoft WSUS remote code execution flaw actively exploited |
| CVE-2025-6205 | DELMIA Apriso | 9.1 | 7.3 | Critical and high-severity flaws in DELMIA Apriso actively exploited |
| CVE-2025-24893 | xwiki-platform | 9.8 | 6.6 | Critical XWiki vulnerability actively exploited |
| CVE-2024-9234 | GutenKit Plugin | 9.8 | 7.1 | Critical flaws in GutenKit and Hunk Companion WordPress plugins actively exploited |
| CVE-2025-11533 | WP Freeio Plugin | 9.8 | 7.1 | Attackers Actively Exploiting Critical Vulnerability in WP Freeio Plugin |
