Weekly Cyber Round-up

Intelligence Report

October 9, 2025

Oracle EBS zero-day likely exploited by GRACEFUL SPIDER in mass exploitation campaign

CrowdStrike researchers observed a mass exploitation campaign leveraging CVE-2025-61882 against Oracle E-Business Suite (EBS) applications to exfiltrate data. The first known exploitation took place on August 9th, 2025, although earlier incidents may have occurred. On September 29th, 2025, GRACEFUL SPIDER sent Clop-branded emails to multiple organizations, claiming to have accessed and exfiltrated data from the recipients’ Oracle EBS applications. On October 3rd, 2025, a Telegram post alluded to collaboration between Scattered Spider, SLIPPY SPIDER, and ShinyHunters, referenced the Oracle EBS exploit, and criticized GRACEFUL SPIDER’s tactics. The researchers assess with moderate confidence that GRACEFUL SPIDER is the operator behind the emails sent on September 29th, 2025. The assessment is based on the use of GRACEFUL SPIDER’s known email addresses, the group reportedly providing evidence of the stolen data, and the group’s previous mass exploitation of internet-exposed applications. The exploited vulnerability has since been patched.


UAT-8099 leverages RDP to target high-value IIS servers and deploy new BadIIS variant

In April 2025, Cisco Talos researchers discovered a new Chinese-speaking threat group, tracked as UAT-8099, targeting vulnerable high-value Internet Information Services (IIS) servers in specific regions for financial gain. UAT-8099 conducts search engine optimization (SEO) fraud and additionally leverages Remote Desktop Protocol (RDP) to access IIS servers and search for valuable data, such as logs, credentials, configuration files, and sensitive certificates that can be resold or used for further exploitation. Affected IIS servers typically belong to universities, technology companies, and telecommunications providers in India, Thailand, Vietnam, Cambodia, and Brazil. UAT-8099 uses a new variant of BadIIS with an altered code structure and functional workflow to evade antivirus detection.

Water Saci leverages WhatsApp to target Brazilian Windows users with SORVEPOTEL malware

Trend Micro researchers observed the threat actor Water Saci leveraging WhatsApp to distribute ZIP file attachments that target Windows systems in Brazil with SORVEPOTEL malware. The WhatsApp messages prompt recipients to open the attachment on their desktop, suggesting that enterprises rather than individual customers are the intended targets. Extracting the ZIP file reveals an LNK file that, when executed, launches a command-line or PowerShell script that downloads the primary malware payload from attacker-controlled domains and executes it in memory. The payload initiates the infection chain, delivering the Maverick Stage Two spyware and a downloader DLL. Maverick Stage Two specifically targets Brazilian banking customers, executing malicious payloads when specific websites are visited, and further deploys Maverick Agent, which has information- and credential-stealing capabilities. The WhatsApp hijacker drops Selenium to control the browser and JavaScript to send messages and ZIP files via WhatsApp. Following infection, the malware continues to operate as a self-propagating threat.

SideWinder APT leverages free hosting platforms to steal credentials in Operation SouthNet

Hunt[.]io researchers observed a SideWinder APT campaign, dubbed Operation SouthNet, leveraging free hosting platforms to deploy credential-harvesting portals and weaponized lure documents, while staging malware in open repositories for later retrieval. Over 50 malicious domains have been observed across Netlify, pages[.]dev, and other platforms, hosting fake Outlook or Zimbra portals and credential-harvesting pages. The campaign distributes maritime- and port-themed lures to target government and military entities in Pakistan and Sri Lanka, with supporting activity targeting Nepal, Bangladesh, and Myanmar. At least 12 weaponized documents were observed between August and September 2025, with eight distinct malware samples found in open directories linked to Pakistan’s marine sector. On average, new phishing domains emerge every three to five days, and at least one of the observed phishing pages was still active as of September 30th, 2025. The campaign features infrastructure overlaps with SideWinder’s legacy C2 assets, confirming the recycling of infrastructure across multiple years.

UTA0388 spear phishing campaigns deliver GOVERSHELL

Between June and August 2025, Volexity researchers observed a series of spear phishing campaigns targeting North American, Asian, and European companies and their customers to deliver the GOVERSHELL backdoor. The campaigns were initially tailored to the targets, with messages designed to appear as though they were sent by senior researchers and analysts from legitimate-sounding organizations. As the campaign progressed, emails were sent in various languages, and in August 2025 the actors shifted to rapport-building phishing. In all cases, the emails contained a link leading to a ZIP or RAR archive containing a legitimate executable that, when executed, loaded a malicious DLL via DLL search-order hijacking. The executable deployed GOVERSHELL, enabling the operators to remotely execute commands on infected devices. The operators are believed to leverage large language models, based on the inclusion of odd files in the ZIP and RAR archives and inconsistencies within the phishing emails. The threat actor behind the campaign is tracked as UTA0388 and is believed to be China-aligned. GOVERSHELL is believed to be used exclusively by UTA0388, with five distinct variants observed that were under active development at the time of writing.

Ransomware

The Evolution of Chaos: Ransomware’s New Era of Speed and Intelligence (GBHackers On Security – Oct 09 2025)
Ransomware and Cyber Extortion in Q3 2025 (ReliaQuest – Oct 08 2025)
Teens arrested in London preschool ransomware attack (TheRegister.com – Oct 07 2025)
Investigating active exploitation of CVE-2025-10035 GoAnywhere Managed File Transfer vulnerability (Windows Security blog – Oct 06 2025)
YUREI RANSOMWARE: THE DIGITAL GHOST (CYFIRMA – Oct 03 2025)
FunkSec’s FunkLocker: How AI Is Powering the Next Wave of Ransomware (Threat Intelligence on Medium – Oct 01 2025)

Financial Services

Massive data leak risk averted, government fixes major flaw in income tax portal (India Today – Oct 08 2025)
Don’t connect your wallet: Best Wallet cryptocurrency scam is making the rounds (Malwarebytes Labs Blog – Oct 07 2025)
North Korea’s crypto hackers have stolen over $2 billion in 2025 (Elliptic Blog – Oct 07 2025)
Crypto hack losses fall 37% in Q3 as tactics shift to wallets (Cointelegraph – Oct 03 2025)
Lazarus Group Strikes Again, SBI Crypto Hit with $21 Million Hack (Analytics Insight – Oct 02 2025)

Geopolitics

From Phishing to Malware: AI Becomes Russia’s New Cyber Weapon in War on Ukraine (The Hacker News – Oct 09 2025)
An Insider Look At The IRGC-linked APT35 Operations (CloudSEK Blog – Oct 07 2025)
We Say You Want a Revolution: PRISONBREAK – An AI-Enabled Influence Operation Aimed at Overthrowing the Iranian Regime (The Citizen Lab – Oct 03 2025)
Cavalry Werewolf raids Russia’s public sector with trusted relationship attacks (Bi-Zone Blog – Oct 02 2025)
New spyware campaigns target privacy-conscious Android users in the UAE (WeLiveSecurity – Oct 02 2025)

High Priority Vulnerabilities

Name | Software | Base Score | Temporal Score
CVE-2025-27915 | Zimbra Collaboration Suite | 5.4 | 3.5
  Related: Zimbra Collaboration Suite flaw exploited in attacks targeting Brazilian military
CVE-2021-43798 | Grafana | 7.5 | 4.8
  Related: Coordinated Grafana Exploitation Attempts on 28 September
CVE-2017-1000353 | Communications Cloud Native Core Automated Test Suite | 9.8 | 9.4
  Related: Multiple actively exploited flaws added to CISA KEV
CVE-2025-5947 | Service Finder Bookings Plugin | 9.8 | 7.1
  Related: Critical flaw in Service Finder Bookings WordPress plugin actively exploited
CVE-2025-6388 | Spirit Framework Plugin | 9.8 | 7.1
  Related: Critical flaw in Spirit Framework WordPress plugin actively exploited
