Author: Staff Writer
John Marcelli is a staff writer for the CISO Brief, with a passion for exploring and writing about the ever-evolving world of technology. From emerging trends to in-depth reviews of the latest gadgets, John stays at the forefront of innovation, delivering engaging content that informs and inspires readers. When he's not writing, he enjoys experimenting with new tech tools and diving into the digital landscape.
Fast Facts: A new botnet, RondoDox, utilizes over 50 exploits across 30+ vendors, targeting routers, DVRs, and network devices to conduct DDoS, cryptomining, and hacking activities. It exploits multiple CVEs, including critical command injection vulnerabilities, with some added to CISA’s KEV list, emphasizing urgent patching needs. RondoDox broadens its reach by using loader-as-a-service infrastructure, distributing alongside Mirai and Morte payloads to evade detection. The campaign demonstrates a persistent threat to internet-exposed infrastructure, employing sophisticated methods like traffic impersonation and rapid infrastructure rotation.
The Issue: A new and aggressive botnet named RondoDox emerged in mid-2025, employing a wide-ranging “shotgun” strategy that…
Summary Points:
- Token Security Risk: Token theft, particularly OAuth and API tokens, is emerging as a primary vector in SaaS breaches, allowing attackers to bypass multi-factor authentication and access sensitive systems with ease.
- Recent Breaches: High-profile incidents, such as those affecting Slack and CircleCI, demonstrate how stolen tokens have led to unauthorized access, emphasizing the critical need for robust token management.
- SaaS Sprawl Challenges: The proliferation of SaaS applications and the lack of visibility into integrations create blind spots for security teams, compounding issues related to token oversight and management.
- Token Hygiene Practices: Organizations can mitigate risks by establishing a…
Stealit Malware Exploits Node.js Single Executable Feature Through Game and VPN Installers
Quick Takeaways: Cybersecurity researchers have uncovered an active malware campaign called Stealit, which uses Node.js’ single executable application (SEA) feature and the Electron framework to distribute malicious payloads via counterfeit game and VPN installers on file-sharing sites. The malware offers "professional data extraction" services, including remote access tools (RATs) capable of file theft, webcam control, and ransomware, with prices ranging from $29.99 to $1,999.99 depending on the subscription. Stealit malware installs through fake executables that authenticate with command-and-control servers via Base64-encoded keys, and it actively bypasses antivirus detection by configuring Defender exclusions. The malware’s components perform targeted data exfiltration from browsers, messenger apps,…
Summary Points: SonicWall confirmed hackers accessed and potentially exposed encrypted credentials and configurations in backup files for all users of its MySonicWall cloud service, raising security concerns despite encryption. The investigation, conducted with Mandiant, reveals discrepancies — earlier claims indicated only 5% of backups were affected, but now all are considered compromised, prompting questions about transparency. The breach poses significant risks, as configuration files contain sensitive data like user, group, DNS, and log settings, which threat actors such as nation-states and ransomware groups could exploit for future attacks. SonicWall is actively notifying impacted customers, providing remediation tools, and working with…
Top Highlights:
- Targeted Attack: A hacking campaign against Oracle E-Business Suite, linked to the Clop ransomware group, exploited vulnerabilities starting as early as July 2023, leading to significant data theft.
- Zero-Day Vulnerability: Attackers utilized a zero-day vulnerability (CVE-2025-61882) to achieve remote code execution without authentication, compromising Oracle’s Concurrent Processing module.
- Multistage Malware: The campaign featured advanced fileless malware techniques, indicating substantial planning and resources from the hackers, and possibly affecting dozens of organizations.
- Emergency Response: Oracle issued an emergency patch on October 4, urging users to update their systems immediately, as researchers identified over 500 vulnerable IP addresses linked to…
Top Highlights: Multiple vulnerabilities, including flaws in Gladinet and Zimbra products, are actively exploited in the wild, with Gladinet’s CVE-2025-11371 allowing unauthenticated local file inclusion, and Zimbra’s CVE-2025-27915 enabling malicious actions through XSS exploits. Cybercriminal groups are targeting US universities with social engineering tactics and the absence of MFA to hijack payroll accounts, and a UK nursery chain was targeted with data leaks and ransom demands involving thousands of sensitive records. Data breaches at Brightstar and Decisely have compromised over 100,000 individuals’ information, and WordPress sites remain at risk due to exploits like CVE-2025-5947 in the Service Finder Bookings plugin. State-linked threat actors from…
Quick Takeaways: The campaign evolved from Python-based info-stealers to deploying the sophisticated, commercial PureRAT, demonstrating increased threat complexity, modularity, and persistence methods, including registry hijacking and defense evasion techniques like AMSI patching and process hollowing. Attack stages involved layered obfuscation with DLL sideloading, in-memory loaders, multi-layer cryptography, and in-memory code execution, culminating in highly encrypted C2 communication using TLS pinned with a covert X.509 certificate originating from Vietnam. The final PureRAT payload is a feature-rich backdoor capable of extensive surveillance (webcam, microphone, keylogging), device fingerprinting, and modular plugin execution, with ties to known malware families like PureHVNC and PXA…
Quick Takeaways: Fortra’s investigation confirmed active exploitation of CVE-2025-10035 in GoAnywhere MFT since September 11, 2025, primarily impacting publicly accessible admin consoles. A critical patch was released promptly, with full versions 7.6.3 and 7.8.4 available by September 15, 2025, addressing the deserialization vulnerability that enables command injection without authentication. Threat actor Storm-1175 has been exploiting this vulnerability to deploy Medusa ransomware, with reports of unauthorized activity, although how they obtained the necessary keys remains unclear. Fortra advises restricting admin console internet access, enabling monitoring, and updating software immediately to mitigate ongoing risks and limit exposure.
Underlying Problem: In October 2025, Fortra…
Essential Insights: Multimodal AI enhances human-like understanding but introduces complex vulnerabilities that can be exploited through subtle manipulations across images, text, and audio, posing significant risks in critical sectors. Attackers exploit shortcuts and heuristics inherited by AI, using covert signals within visual, textual, and auditory data to bypass defenses and manipulate system outputs. Threats include embedding malicious prompts in images, converting prompts into benign audio, and manipulating documents, often involving cascading signals that compromise entire data workflows. To counter these risks, organizations must implement comprehensive governance, rigorous testing—including cross-modal adversarial scenarios—and include AI specialists in incident response strategies.
The Core…
Quick Takeaways:
- Evolving Cyber Threat Landscape: Cyber threats are rapidly advancing, employing AI, social engineering, and exploiting cloud vulnerabilities, which increases the attack surface across various platforms and connected devices.
- Misuse of Communication Tools: Threat actors are exploiting tools like Microsoft Teams for financial theft through tactics including extortion and social engineering, necessitating stronger identity protection and endpoint security measures.
- High-Profile Attacks and Campaigns: North Korean hackers are linked to a historic $2B cryptocurrency theft in 2025, while a coordinated disinformation campaign by Israel aims to destabilize the Iranian regime through AI-generated content.
- Regulatory Challenges for Privacy: The Signal Foundation…