Weekly Cyber Round-up

Intelligence Report

October 23, 2025

Muddy Water APT targets international organizations with Phoenix Backdoor

Group-IB researchers observed the Iran-nexus advanced persistent threat (APT) group Muddy Water targeting international organizations across the Middle East and North Africa with an updated variant of the Phoenix backdoor since August 2025. The campaign begins with mailboxes compromised via NordVPN, which are then used to distribute phishing emails carrying macro-laden Microsoft Word documents. Once the target enables macros to view the content, a malicious VBA script executes, acting as a dropper that writes the FakeUpdate injector to disk. FakeUpdate decrypts the Phoenix backdoor with the Advanced Encryption Standard (AES) and injects it into its own process. Phoenix then registers the infected host with the attacker’s C2 infrastructure and begins continuous beaconing and polling for commands, giving the operators remote control and enabling further post-exploitation activity. Infrastructure tied to the campaign revealed a custom tool and several remote monitoring and management tools in use, including Chromium Stealer, Action1, and PDQ RMM.

UNC5142 and North Korea-linked UNC5342 leverage EtherHiding to distribute payloads

Google and Mandiant researchers detailed UNC5142, a financially motivated threat actor that distributes information stealers like ATOMIC, VIDAR, LUMMAC, and RADTHIEF. The group uses compromised WordPress websites and leverages the EtherHiding technique to obscure malicious code within blockchain smart contracts. UNC5142 activity has been tracked since late 2023, with constant changes to its tactics, techniques, and procedures observed, though no activity has been observed since late July 2025. The researchers also observed the threat actor UNC5342 leveraging EtherHiding as part of its social engineering campaign, Contagious Interview. In the observed campaign, UNC5342 uses JADESNOW malware to deploy a JavaScript variant of INVISIBLEFERRET.

Operation MotorBeacon targets Russian automobile and e-commerce sectors with CAPI backdoor

On October 3rd, 2025, Seqrite researchers discovered a campaign, dubbed Operation MotorBeacon, targeting the Russian automobile and e-commerce industries with a previously unknown .NET malware, dubbed CAPI backdoor. The backdoor is delivered via a spear phishing email containing a tax-related decoy PDF document and a ZIP file containing a malicious LNK file. The LNK file is responsible for executing the CAPI backdoor, which takes the form of a .NET DLL implant. Upon execution, the CAPI backdoor checks for administrator privileges and antivirus software, opens the decoy PDF document, and connects to the attacker’s C2 server. CAPI backdoor performs three functions related to browser data theft and establishes persistence via a scheduled task or by copying itself to the user’s roaming Application Data folder. The infrastructure that received the implant’s callbacks and the data exfiltrated from victims was hosted under the organization P.a.k.t LLC.

GlassWorm distributed in supply chain attack targeting OpenVSX marketplace

Koi Security researchers discovered an ongoing supply chain attack targeting VS Code extensions on the OpenVSX marketplace using a self-propagating worm, dubbed GlassWorm. The malware harvests npm, GitHub, and Git credentials for supply chain propagation, and targets 49 different cryptocurrency wallet extensions. To evade detection, GlassWorm uses Unicode variation selectors, which render as invisible characters, so that the malicious code is hidden inside what appears to be legitimate source. GlassWorm also uses the Solana blockchain as its C2 infrastructure, allowing the attacker to remain anonymous, avoid takedown, blend in with legitimate network traffic, and rotate infrastructure at minimal cost, with Google Calendar used as a backup C2. GlassWorm’s final stage is the ZOMBI module, which turns infected computers into a SOCKS proxy server, installs WebRTC P2P for direct, firewall-bypassing control, BitTorrent DHT for unkillable command distribution, and hidden VNC for remote desktop access, and provides automatic restart and update capabilities.
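The invisible-character trick described above is cheap to check for in an extension or repository before it is installed: variation selectors and other zero-width format characters have no place in a run of more than one or two inside source code. The following scanner is an added example written for this round-up, not code from Koi Security or from any project mentioned here. It flags runs of invisible characters with their line and column, treats runs longer than a small threshold (an assumed value, chosen here, not taken from the GlassWorm report) as suspicious, and can strip them so the code can be read as the parser actually sees it. The sample input is constructed for the demonstration.

```python
import unicodedata
from dataclasses import dataclass
from typing import List

# Unicode variation selectors: VS1-VS16 (U+FE00..U+FE0F) and VS17-VS256
# (U+E0100..U+E01EF). They render as nothing on their own, so a long run of
# them can carry arbitrary data inside a line that looks like ordinary code.
VARIATION_SELECTORS = set(range(0xFE00, 0xFE10)) | set(range(0xE0100, 0xE01F0))

# Other zero-width format characters that should not appear inside source:
# ZERO WIDTH SPACE, ZWNJ, ZWJ, WORD JOINER, and a BOM used mid-file.
OTHER_ZERO_WIDTH = {0x200B, 0x200C, 0x200D, 0x2060, 0xFEFF}

# Assumed threshold: legitimate text uses at most one or two selectors after
# an emoji or CJK character, so anything longer is reported.
MAX_BENIGN_RUN = 2


@dataclass
class HiddenRun:
    line: int             # 1-based line number
    column: int           # 1-based column of the first invisible character
    length: int           # number of consecutive invisible characters
    codepoints: List[int]


def is_hidden(ch: str) -> bool:
    cp = ord(ch)
    return cp in VARIATION_SELECTORS or cp in OTHER_ZERO_WIDTH


def find_hidden_runs(text: str) -> List[HiddenRun]:
    """Return every run of consecutive invisible characters, with its position."""
    runs: List[HiddenRun] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        col, n = 0, len(line)
        while col < n:
            if not is_hidden(line[col]):
                col += 1
                continue
            start = col
            while col < n and is_hidden(line[col]):
                col += 1
            runs.append(HiddenRun(lineno, start + 1, col - start,
                                  [ord(c) for c in line[start:col]]))
    return runs


def suspicious_runs(text: str) -> List[HiddenRun]:
    """Only the runs long enough to be hiding data rather than styling an emoji."""
    return [r for r in find_hidden_runs(text) if r.length > MAX_BENIGN_RUN]


def strip_hidden(text: str) -> str:
    """Remove all invisible characters so the code reads as the interpreter sees it."""
    return "".join(ch for ch in text if not is_hidden(ch))


def describe(run: HiddenRun) -> str:
    names = sorted({unicodedata.name(chr(cp), f"U+{cp:04X}") for cp in run.codepoints})
    return (f"line {run.line} col {run.column}: {run.length} invisible chars "
            f"({', '.join(names[:3])}{', ...' if len(names) > 3 else ''})")


# Constructed sample: three lines of JavaScript-like source. Line 2 hides a
# 19-byte run of variation selectors inside the word "exports"; line 3 has a
# single VS16 after an emoji, which is a legitimate use and must not be flagged.
HIDDEN = "".join(chr(0xE0100 + b) for b in b"constructed-payload")
SAMPLE = (
    "const fs = require('fs');\n"
    "module.ex" + HIDDEN + "ports = { run() { return 1; } };\n"
    "// status: \u2714\ufe0f ready\n"
)

if __name__ == "__main__":
    for run in suspicious_runs(SAMPLE):
        print(describe(run))
    print("--- cleaned ---")
    print(strip_hidden(SAMPLE))
```

Run it over every file in an unpacked `.vsix` or repository checkout before installing; an editor that renders the selectors as nothing will show the clean line, while this scanner reports the run and `strip_hidden` shows what the code really contains.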

Transparent Tribe leverages ZIP archives to deploy DeskRAT against Indian military entities

In August and September 2025, Sekoia researchers observed an infection chain orchestrated by Transparent Tribe to deliver a Golang-based remote access trojan (RAT), dubbed DeskRAT, to Indian military organizations. The infection chain is believed to be an adaptation of a campaign first observed in July 2025 that targeted Linux-based operating systems, specifically Bharat Operating System Solutions distributions, at Indian government entities. While the initial phishing email was not obtained, it is believed to contain a URL redirecting to a ZIP archive hosted on a staging server. The ZIP archive contains a DESKTOP file embedding malicious commands that, when executed, run a Bash one-liner: it downloads a TXT file containing a Base64-encoded binary payload, decodes it, writes and executes the final DeskRAT payload, and opens a decoy PDF document. Once running, DeskRAT establishes C2 communications via WebSocket. DeskRAT’s development was likely assisted by a large language model. The malware also uses four different persistence techniques that are specific to the Linux environment.

Ransomware

Warlock Ransomware Exploits SharePoint ToolShell Zero-Day in New Attack Campaign – GBHackers On Security – Oct 23 2025
Retail giant Muji halts online sales after ransomware attack on supplier – Bleeping Computer – Oct 20 2025
‘Catastrophic’ attack as Russians hack files on EIGHT MoD bases and post them on the dark web – Mail Online UK – Oct 18 2025
Emulating the Prominent Global Group Ransomware – Security Boulevard – Oct 16 2025
Microsoft Revokes Over 200 Certificates to Disrupt Ransomware Campaign – Security Week – Oct 16 2025

Financial Services

Deep analysis of the flaw in BetterBank reward logic – Kaspersky Lab – Oct 22 2025
Jingle Thief: Inside a Cloud-Based Gift Card Fraud Campaign – Unit 42 – Palo Alto Networks Blog – Oct 22 2025
Malicious NuGet Packages Typosquat Nethereum to Exfiltrate Wallet Keys – Socket – Oct 22 2025
Home Depot Halloween Phishing Scam Uses Fake Giveaway to Steal Personal and Financial Information – TechNadu – Oct 21 2025
‘Phantom hacker’ scam that targets the elderly has stolen over $1B in the past 12 months – The Independent – Oct 17 2025

Geopolitics

PhantomCaptcha | Multi-Stage WebSocket RAT Targets Ukraine in Single-Day Spearphishing Operation – SentinelLabs – Oct 22 2025
Pro-Russia Information Operations Leverage Russian Drone Incursions into Polish Airspace – Google Cloud Threat Intelligence – Oct 21 2025
DDoS Attacks Target Multiple Indian Government & Academic Websites – TechNadu – Oct 20 2025
Tracking Malware and Attack Expansion: A Hacker Group’s Journey across Asia – Fortinet – Oct 17 2025
Apparent hackers take over PA systems at 4 North American airports – WSVN 7News – Oct 16 2025

High Priority Vulnerabilities

Name – Software – Base Score – Temporal Score

CVE-2025-54236 – Commerce – Base 9.1 – Temporal 7.0
Related: Critical SessionReaper flaw in Adobe Commerce and Magento Open Source actively exploited

CVE-2025-61932 – Lanscope Endpoint Manager and Detection Agent – Base 9.8 – Temporal 9.8
Related: Critical remote code execution flaw in MOTEX Lanscope Endpoint Manager actively exploited

CVE-2025-53770 – SharePoint Enterprise Server – Base 9.8 – Temporal 9.4
Related: China-based attackers exploit ToolShell flaw to target Middle East telecommunications company

CVE-2025-61884 – Configurator – Base 7.5 – Temporal 5.1
Related: Recently patched Oracle EBS vulnerability actively exploited

CVE-2025-41703 – QUINT4-UPS – Base 7.5 – Temporal 5.1
Related: Flaws in Phoenix Contact QUINT4-UPS could put devices in permanent DoS condition
