Weekly Cyber Round-up

Intelligence Report

October 16, 2025

Mysterious Elephant APT adapts tooling to target Asia Pacific government entities

Kaspersky researchers detailed the Mysterious Elephant advanced persistent threat (APT) group, which has continually evolved its tactics, techniques, and procedures since it was first identified in 2023. The group uses a range of tools and techniques, primarily to infiltrate Pakistani, Afghan, and Bangladeshi government entities and foreign affairs sectors and exfiltrate sensitive data; notably, it abuses WhatsApp to steal documents, pictures, and archive files. Mysterious Elephant’s latest campaign, which began in early 2025, combines exploit kits, phishing emails, and malicious documents for initial access, then deploys custom-made and open-source tools, including the BabShell and MemLoader modules, to connect to compromised systems, gather information, and more.


Malicious npm packages used to target companies in global phishing campaign

Socket researchers discovered 175 malicious npm packages that have collectively accumulated more than 26,000 downloads. The packages serve as infrastructure for a widespread phishing campaign, dubbed Beamglea, targeting over 135 industrial, technology, and energy companies worldwide. The packages use randomized, six-character names and abuse npm’s public registry and the unpkg[.]com content delivery network (CDN) to host redirect scripts over HTTPS that funnel victims to credential harvesting pages. The threat actors may distribute HTML files mimicking purchase orders and project documents to targeted victims; once opened, the file loads JavaScript from the unpkg[.]com CDN that redirects the victim to a credential phishing page. A Python tool automates the campaign and requires only a JavaScript template file, the victim’s email address, and the phishing URL: it authenticates to npm, injects the victim’s email and phishing URL into the JavaScript, creates and publishes a package to npm, and generates an HTML lure. More than 630 HTML files were identified across the packages, along with seven phishing domains and nine npm author accounts.
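The lure described above has a simple shape that a mail gateway or sandbox can triage without executing the JavaScript: an HTML attachment whose only active content is a script loaded from unpkg.com for a package with a randomized short name. The following is an added example written for this round-up, not code from Socket or from the Beamglea tooling. It assumes that the randomized names match `[a-z0-9]{6}` (the report says six characters, not which characters) and that unpkg serves packages at the usual `https://unpkg.com/<package>@<version>/<path>` layout; the sample HTML documents are constructed, not real campaign files.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption (not from the Socket report): randomized package names look like "a1b2c3".
RANDOM_PKG_RE = re.compile(r"^[a-z0-9]{6}$")

# unpkg URL layout: /<package>@<version>/<path>, where <package> may be scoped (@scope/name).
UNPKG_PATH_RE = re.compile(
    r"^/(?P<pkg>@[^/]+/[^/@]+|[^/@]+)(?:@(?P<ver>[^/]+))?(?:/(?P<path>.*))?$"
)


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value)


def unpkg_scripts(html: str) -> list:
    """Return every <script src> that points at the unpkg CDN, with the npm package it names."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    hits = []
    for src in parser.srcs:
        url = urlparse(src)
        host = (url.hostname or "").lower()
        if host != "unpkg.com" and not host.endswith(".unpkg.com"):
            continue
        match = UNPKG_PATH_RE.match(url.path)
        if not match:
            continue
        pkg = match.group("pkg")
        hits.append({
            "src": src,
            "package": pkg,
            "version": match.group("ver"),
            "path": match.group("path"),
            "random_name": bool(RANDOM_PKG_RE.match(pkg)),
        })
    return hits


def triage_lure(html: str) -> dict:
    """Flag a document that loads a randomly named npm package straight from the CDN."""
    hits = unpkg_scripts(html)
    suspicious = [h for h in hits if h["random_name"]]
    return {
        "unpkg_scripts": hits,
        "suspicious": suspicious,
        "verdict": "suspicious" if suspicious else "clean",
    }


# Constructed sample lure (not a real Beamglea file): a "purchase order" page whose
# only content is a redirect script fetched from unpkg for a six-character package.
SAMPLE_LURE = """<html><head><title>Purchase Order PO-2025-10</title></head>
<body><p>Loading document...</p>
<script src="https://unpkg.com/a1b2c3@1.0.0/redirect.js"></script>
</body></html>"""

# Constructed benign page that loads a well-known library from the same CDN.
SAMPLE_BENIGN = ('<html><body><script src="https://unpkg.com/react@18.2.0/'
                 'umd/react.production.min.js"></script></body></html>')

if __name__ == "__main__":
    for label, doc in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        result = triage_lure(doc)
        print(label, result["verdict"], [h["package"] for h in result["unpkg_scripts"]])
```

The name check is deliberately a weak signal on its own; in practice it is paired with the rest of the lure (a near-empty document that claims to be a purchase order, a single external script, a redirect to a host that is not the sender's domain). Any `unpkg_scripts` hit on an attachment is still worth pivoting on, because the package name can be looked up on the registry and its publisher account correlated with the nine author accounts the report identifies.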

F5 BIG-IP source code and info on undisclosed vulnerabilities stolen by nation-state hackers

In August 2025, F5 discovered that a highly sophisticated nation-state threat actor had maintained long-term persistent access to certain F5 systems and downloaded files from them. Affected systems include the BIG-IP product development environment and engineering knowledge management platforms; the exfiltrated data includes BIG-IP source code and information about undisclosed vulnerabilities. According to Bloomberg, the attackers were in F5’s network for at least 12 months, and the intrusion involved BRICKSTORM, malware attributed to the China-nexus cyberespionage group UNC5221. Users are advised to apply the recent updates for BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM clients as soon as possible. The United States Cybersecurity and Infrastructure Security Agency has also issued an emergency directive requiring all Federal Civilian Executive Branch agencies to determine whether F5 management interfaces are accessible from the internet and to apply the newly released updates by October 22nd, 2025.

Oracle E-Business Suite zero-day possibly exploited as early as July 2025

Google and Mandiant researchers detailed recent exploitation of CVE-2025-61882 in Oracle E-Business Suite (EBS), attributed to a threat actor claiming affiliation with the CLOP ransomware operation. While the attacker is believed to have exploited the flaw as early as August 9th, 2025, suspicious activity targeting EBS environments has been observed as early as July 10th, 2025. Multiple exploit chains have been observed; however, which specific vulnerabilities or chains correspond to CVE-2025-61882 is currently unknown. The July 2025 activity targeted the ‘UiServlet’ component and overlaps in part with an exploit leaked on the SCATTERED LAPSUS$ HUNTERS Telegram channel on October 3rd, 2025, though the researchers do not associate Shiny Hunters with the observed exploitation activity. The August 2025 activity targeted the ‘SyncServlet’ component and used at least two different chains of Java payloads embedded in XSL payloads, notably a variant of the GOLDVEIN downloader along with SAGEGIFT, SAGELEAF, and SAGEWAVE.

GhostBat RAT impersonates RTO to steal Indian users’ sensitive information

Cyble researchers observed an increase in Android malware campaigns impersonating Indian Regional Transport Office (RTO) applications to target Indian users with the GhostBat remote access trojan (RAT). GhostBat RAT is primarily distributed via WhatsApp and SMS messages containing shortened URLs that pose as the official RTO app, mParivahan, and redirect through compromised websites to GitHub-hosted APKs. Once installed, GhostBat RAT uses phishing pages to capture banking credentials and UPI PINs and exfiltrates SMS messages containing banking-related keywords to its C2 server. To hinder antivirus detection and reverse engineering, GhostBat RAT uses multi-stage droppers, ZIP header manipulation, and heavy string obfuscation. The campaign was also observed using native libraries to resolve API calls dynamically and to deploy additional payloads such as banking credential infostealers and cryptominers.
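The "ZIP header manipulation" mentioned above works because an APK is a ZIP archive with two descriptions of every entry: a local file header in front of the data and a central directory at the end. A tool that walks the local headers sequentially and one that trusts the central directory can be made to disagree about an entry's name, compression method, or sizes, so a scanner may inspect something other than what the installer unpacks. The following is an added example written for this round-up, not code from Cyble or from the GhostBat sample; it builds a constructed two-entry archive laid out like an APK (not a real app), tampers with one local header the way such a sample might, and then cross-checks every entry's local header against the central directory. The specific tampering shown (rewriting the local-header filename) is an assumption chosen for illustration, not a claim about GhostBat's exact technique.

```python
import io
import struct
import zipfile

# Local file header: signature, version, flags, method, mtime, mdate, crc32,
# compressed size, uncompressed size, filename length, extra length (30 bytes).
LOCAL_HEADER_SIG = 0x04034B50
LOCAL_HEADER_FMT = "<IHHHHHIIIHH"
LOCAL_HEADER_LEN = struct.calcsize(LOCAL_HEADER_FMT)
FLAG_DATA_DESCRIPTOR = 0x0008  # bit 3: crc/sizes live in a trailing descriptor, not the header


def build_sample_apk() -> bytes:
    """Constructed sample: a minimal ZIP with APK-like entry names (not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", "<manifest package='example.rto'/>")
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 64)
    return buf.getvalue()


def tamper_local_header(apk: bytes, name: str, fake_name: str) -> bytes:
    """Rewrite one entry's local-header filename; the central directory is left untouched.

    Assumed illustrative tampering: a same-length name so no offsets move.
    """
    if len(name) != len(fake_name):
        raise ValueError("replacement name must have the same length")
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        info = zf.getinfo(name)
    data = bytearray(apk)
    start = info.header_offset + LOCAL_HEADER_LEN
    data[start:start + len(name)] = fake_name.encode("utf-8")
    return bytes(data)


def check_zip_headers(apk: bytes) -> list:
    """Compare each central-directory entry with its local header; return (entry, problem) pairs."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        for info in zf.infolist():
            off = info.header_offset
            if off + LOCAL_HEADER_LEN > len(apk):
                findings.append((info.filename, "local header offset points past end of file"))
                continue
            (sig, _ver, flags, method, _t, _d, crc, csize, usize,
             fnlen, _extralen) = struct.unpack_from(LOCAL_HEADER_FMT, apk, off)
            if sig != LOCAL_HEADER_SIG:
                findings.append((info.filename, f"bad local header signature {sig:#x}"))
                continue
            name_start = off + LOCAL_HEADER_LEN
            local_name = apk[name_start:name_start + fnlen].decode("utf-8", "replace")
            if local_name != info.filename:
                findings.append((info.filename, f"local header filename is {local_name!r}"))
            if method != info.compress_type:
                findings.append((info.filename, f"local method {method} != central {info.compress_type}"))
            # With the data-descriptor flag set, zero crc/sizes in the local header are legitimate.
            if not flags & FLAG_DATA_DESCRIPTOR:
                if crc != info.CRC:
                    findings.append((info.filename, "local crc32 != central crc32"))
                if csize != info.compress_size or usize != info.file_size:
                    findings.append((info.filename, "local sizes != central sizes"))
    return findings


if __name__ == "__main__":
    clean = build_sample_apk()
    print("clean archive:", check_zip_headers(clean))
    tampered = tamper_local_header(clean, "classes.dex", "classes.txt")
    print("tampered archive:", check_zip_headers(tampered))
```

The check is cheap enough to run on every APK pulled from a redirect chain like the one described, and it is worth running before any tool that parses the archive sequentially, since a disagreement between the two header sets is itself the indicator: legitimate build tools write both consistently.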

Ransomware

Europe Ransomware Attacks Q3 2025: Qilin Dominates, SafePay Surges – Cyble Blog – Oct 15 2025
Qilin Ransomware and the Ghost Bulletproof Hosting Conglomerate – Resecurity – Oct 15 2025
Harvard Confirms Cl0p Data Breach Tied to Oracle EBS Vulnerability – TechNadu – Oct 14 2025
The Fight Against Ransomware Heats Up on the Factory Floor – Dark Reading – Oct 10 2025
New Chaos-C++ Ransomware Targets Windows by Wiping Data, Stealing Crypto – HackRead – Oct 09 2025
Velociraptor leveraged in ransomware attacks – Talos Intelligence Blog – Oct 09 2025

Financial Services

Malicious crypto-stealing VSCode extensions resurface on OpenVSX – Bleeping Computer – Oct 14 2025
Fake ‘Inflation Refund’ texts target New Yorkers in new scam – Bleeping Computer – Oct 12 2025
Astaroth: Banking Trojan Abusing GitHub for Resilience – McAfee – Oct 10 2025
Microsoft: Hackers target universities in “payroll pirate” attacks – Bleeping Computer – Oct 09 2025
Inside a Crypto Scam Nexus – CTI Grapevine – Oct 09 2025

Geopolitics

Taiwan flags rise in Chinese cyberattacks, warns of ‘online troll army’ – Yahoo! News – Oct 14 2025
UK’s MI5 warns politicians they are targets of Russia and Chinese spying – Reuters – Oct 13 2025
October 7: Post-Threat Analysis – Threat Reports – Radware – Oct 13 2025
North Korea’s Contagious Interview Campaign Escalates: 338 Malicious npm Packages, 50,000 Downloads – Socket – Oct 10 2025
Poland says cyberattacks on critical infrastructure rising, blames Russia – The Straits Times All News – Oct 10 2025

High Priority Vulnerabilities

Name              Software                  Base Score   Temp Score
CVE-2025-24990    Windows                   7.8          7.5
  Related: Vulnerabilities in Windows, IGEL OS, SKYSEA Client View, and Velociraptor actively exploited
CVE-2025-11371    TrioFox                   6.2          4.3
  Related: Active Exploitation of Gladinet CentreStack and Triofox Local File Inclusion Flaw (CVE-2025-11371)
CVE-2025-54253    Experience Manager        10.0         7.0
  Related: CISA Flags Adobe AEM Flaw with Perfect 10.0 Score — Already Under Active Attack
CVE-2025-2611     ICTBroadcast              7.3          7.0
  Related: Command injection flaw in ICTBroadcast actively exploited
CVE-2025-20352    IOS XE Catalyst SD-WAN    7.7          6.2
  Related: Operation Zero Disco: Attackers Exploit Cisco SNMP Vulnerability to Deploy Rootkits
