WhatsApp Worm, Crucial CVEs, Oracle 0-Day, Ransomware Cartel & Extra

Oct 13, 2025Ravie LakshmananCybersecurity / Hacking Information

Each week, the cyber world reminds us that silence does not imply security. Assaults typically start quietly — one unpatched flaw, one missed credential, one backup left unencrypted. By the point alarms sound, the injury is completed.

This week’s version seems to be at how attackers are altering the sport — linking totally different flaws, working collectively throughout borders, and even turning trusted instruments into weapons. From main software program bugs to AI abuse and new phishing tips, every story exhibits how briskly the risk panorama is shifting and why safety wants to maneuver simply as rapidly.

⚡ Risk of the Week

Dozens of Orgs Impacted by Exploitation of Oracle EBS Flaw — Dozens of organizations could have been impacted following the zero-day exploitation of a safety flaw in Oracle’s E-Enterprise Suite (EBS) software program since August 9, 2025, in line with Google Risk Intelligence Group (GTIG) and Mandiant. The exercise, which bears some hallmarks related to the Cl0p ransomware crew, is assessed to have customary collectively a number of distinct vulnerabilities, together with a zero-day flaw tracked as CVE-2025-61882 (CVSS rating: 9.8), to breach goal networks and exfiltrate delicate information. The assault chains have been discovered to set off two totally different payload chains, dropping malware households like GOLDVEIN.JAVA, SAGEGIFT, SAGELEAF, and SAGEWAVE. Oracle has additionally launched updates to EBS to deal with one other vulnerability in the identical product (CVE-2025-61884) that might result in unauthorized entry to delicate information. The corporate didn’t point out if it was being exploited within the wild.

🔔 High Information

• Storm-1175 Linked to Exploitation of GoAnywhere MFT Flaw — A cybercriminal group Microsoft tracks as Storm-1175 exploited a maximum-severity vulnerability in GoAnywhere MFT (CVE-2025-10035) to provoke multi-stage assaults, together with Medusa ransomware. Storm-1175’s assaults are opportunistic, and have affected organizations within the transportation, schooling, retail, insurance coverage, and manufacturing sectors. The exercise blends reputable instruments with stealthy methods to remain below the radar and monetize entry by way of extortion and information theft, utilizing the entry to put in distant monitoring instruments corresponding to SimpleHelp and MeshAgent, drop net shells, and transfer laterally throughout networks utilizing built-in Home windows utilities. Fortra has since disclosed that it started its investigation on September 11 following a “potential vulnerability” reported by a buyer, uncovering “probably suspicious exercise” associated to the flaw.
• OpenAI Disrupted Three Clusters from China, North Korea, and Russia — OpenAI stated it disrupted three exercise clusters for misusing its ChatGPT synthetic intelligence (AI) instrument to facilitate malware improvement. This features a Russian‑language risk actor, who is alleged to have used the chatbot to assist develop and refine a distant entry trojan (RAT), a credential stealer with an goal to evade detection. The second cluster of exercise originated from North Korea, which used ChatGPT for malware and command-and-control (C2) improvement, specializing in creating macOS Finder extensions, configuring Home windows Server VPNs, or changing Chrome extensions to their Safari equivalents. The third set of banned accounts shared overlaps with a cluster tracked as UNK_DropPitch (aka UTA0388), a Chinese language hacking group which employed the AI chatbot to generate content material for phishing campaigns in English, Chinese language, and Japanese; help with tooling to speed up routine duties corresponding to distant execution and visitors safety utilizing HTTPS; and seek for data associated to putting in open-source instruments like nuclei and fscan.
• Over 175 npm Packages Used for Phishing Marketing campaign — In an uncommon twist, risk actors have been noticed to push throwaway npm packages that, as soon as put in, are designed to create and publish an npm package deal of its personal with the sample “redirect-xxxxxx” or “mad-xxxxxx,” which, in flip, auto-redirects victims to credential-harvesting websites when opened from crafted HTML enterprise paperwork. “In contrast to the extra acquainted tactic of merely importing malicious packages to compromise builders throughout package deal set up, this marketing campaign takes a unique path,” Snyk stated. “As an alternative of infecting customers through npm set up, the attackers leverage the browser supply path by way of UNPKG, turning reputable open supply internet hosting infrastructure right into a phishing mechanism.” It is believed that the HTML information generated by way of the npm packages are distributed to victims, who’re then redirected to the credential phishing websites after they try and open them. Within the packages analyzed by Snyk, the pages masquerade as Cloudflare safety checks earlier than main victims to an attacker-controlled URL fetched from a distant GitHub-hosted file.
• LockBit, Qilin, and DragonForce Be a part of Forces — Three of probably the most infamous ransomware-as-a-service operations, LockBit, Qilin, and DragonForce, have shaped a legal cartel aimed toward coordinating assaults and sharing assets. The partnership was introduced early final month, shortly following the emergence of LockBit 5.0. “Create equal competitors situations, no conflicts and no public insults,” DragonForce wrote in a put up on a darkish net discussion board. “This manner, we will all improve our revenue and dictate market situations. Name it no matter you want – coalition, cartel, and so on. The principle factor is to remain in contact, be pleasant to one another, and be robust allies, not enemies.” The teaming up of the three teams comes amid mounting strain from legislation enforcement disruptions, prompting them to assault sectors beforehand thought-about off-limits, corresponding to nuclear energy vegetation, thermal energy vegetation, and hydroelectric energy vegetation. It additionally follows the same consolidation sample amongst primarily English-speaking cybercrime collectives like Scattered Spider, ShinyHunters, and LAPSUS$, which started collaborating below the title Scattered LAPSUS$ Hunters. That stated, the cartelization of ransomware additionally comes at a time of document fragmentation within the broader ecosystem, with the variety of lively information leak websites reaching an all-time excessive of 81 within the third quarter of 2025.
• China-Nexus Hackers Weaponize Open-Supply Nezha Instrument in Assaults — Risk actors with suspected ties to China have turned a reputable open-source monitoring instrument known as Nezha into an assault weapon, utilizing it to ship a identified malware known as Gh0st RAT to targets. The marketing campaign is alleged to have possible compromised greater than 100 sufferer machines since August 2025, with a majority of the infections reported in Taiwan, Japan, South Korea, and Hong Kong. The exercise is yet one more indication of how risk actors proceed to twist reputable instruments for malicious functions and mix in with regular community visitors. In a single occasion noticed by Huntress, the attackers focused an uncovered phpMyAdmin panel to deploy an online shell by the use of a log poisoning assault. The entry obtained by way of the net shell was then used to drop Nezha and in the end drop Gh0st RAT, however not earlier than laying the required groundwork to keep away from detection.

‎️‍🔥 Trending CVEs

Hackers transfer quick. They typically exploit new vulnerabilities inside hours, turning a single missed patch into a serious breach. One unpatched CVE might be all it takes for a full compromise. Beneath are this week’s most crucial vulnerabilities gaining consideration throughout the trade. Evaluation them, prioritize your fixes, and shut the hole earlier than attackers take benefit.

This week’s listing consists of — CVE-2025-61884 (Oracle E-Enterprise Suite), CVE-2025-11371 (Gladinet CentreStack and TrioFox), CVE-2025-5947 (Service Finder theme), CVE-2025-53967 (Framelink Figma MCP server), CVE-2025-49844 (Redis), CVE-2025-27237 (Zabbix Agent), CVE-2025-59489 (Unity for Android and Home windows), CVE-2025-36604 (Dell UnityVSA), CVE-2025-37728 (Elastic Kibana Connector), CVE-2025-56383 (Notepad++), CVE-2025-11462 (AWS Consumer VPN for macOS), CVE-2025-42701, CVE-2025-42706 (CrowdStrike Falcon), CVE-2025-11001, CVE-2025-11002 (7-Zip), CVE-2025-59978 (Juniper Networks Junos Area), CVE-2025-11188, CVE-2025-11189, CVE-2025-11190 (SynchroWeb Kiwire Captive Portal), CVE-2025-3600 (Progress Telerik UI for ASP.NET AJAX), a cross-site scripting (XSS) vulnerability in REDCap, and unpatched safety vulnerabilities in Ivanti Endpoint Supervisor (from ZDI-25-935 by way of ZDI-25-947).

📰 Across the Cyber World

• TwoNet Targets Forescout Honeypot — An ICS/OT honeypot run by Forescout, designed to imitate a water remedy facility, was focused final month by a Russia-linked group named TwoNet. The financially motivated hacktivist group subsequently tried to deface the related human machine interface (HMI), disrupt processes, and manipulate different ICS. Forescout’s honeypots additionally noticed assault makes an attempt which have been linked to Russia and Iran. TwoNet first emerged in January, primarily targeted on DDoS assaults utilizing the MegaMedusa Machine malware, per Intel471. By means of an affiliated group, CyberTroops, TwoNet introduced it was ceasing operations on September 30, 2025. “This underscores the ephemeral nature of the ecosystem the place channels and teams are short-lived, whereas operators sometimes persist by rebranding, shifting alliances, becoming a member of different teams, studying new methods, or focusing on different organizations,” Forescout stated. “Teams shifting from DDoS/defacement to OT/ICS typically misinterpret targets, journey over honeypots, or overclaim. That does not make them innocent; it exhibits the place they’re headed.”
• Sophos Probes WhatsApp Worm’s Hyperlinks to Coyote — A just lately disclosed marketing campaign dubbed Water Saci concerned the risk actors utilizing self-propagating malware dubbed SORVEPOTEL that spreads through the favored messaging app WhatsApp. Sophos stated it is investigating to find out if the marketing campaign might be associated to prior reported campaigns that distributed a banking trojan named Coyote focusing on customers in Brazil, and if the malware used within the assaults, Maverick, is an evolution of Coyote. The WhatsApp messages include a zipped LNK file that, when launched, initiates a collection of malicious PowerShell instructions to drop next-stage PowerShell, which then makes an attempt to change native safety controls. In some instances, Sophos stated it noticed a further payload, the reputable Selenium browser automation instrument, that enabled management of operating browser periods on the contaminated host. It is suspected that Selenium is delivered alongside Maverick through the identical command-and-control (C2) infrastructure.
• North Korean IT Employees Search Jobs in New Sectors — The notorious North Korean IT staff are actually looking for distant jobs within the industrial design and structure fields, in line with safety firm KELA. “Their involvement might pose dangers associated to espionage, sanctions evasion, security considerations, and entry to delicate infrastructure designs,” it stated, describing the risk as a “a extremely organized, state-backed community that extends far past IT roles.” One among IT staff, Hailong Jin, has been recognized as related to the event of a malicious recreation known as DeTankZone, whereas additionally sharing ties with one other IT employee named Lian Hung, who has claimed to be a cellular app developer in Tanzania. It is believed that Hailong Jin and Lian Hung could be the similar individual, the Chollima Group stated, including Bells Inter Buying and selling Restricted is a North Korean run entrance firm using IT Employees in Tanzania. The corporate, for its half, has been linked to a number of VPN apps revealed on each Apple and Google’s iOS and Android app shops. “Quite than viewing them as a monolithic entity, North Korean IT Employees are extra akin to particular person entrepreneurs working below the blessing of a higher-status boss,” the Chollima Group famous. “As an IT Employee features extra standing and respect, they can climb the group’s ranks and finally grow to be bosses themselves. From there they could kind their very own entrance corporations and achieve the standing essential to tackle extra malicious exercise (in the event that they so select). We imagine Lian Hung and Hailong Jin, each showing to be of their 30s-40s, could also be working as center managers or maintain larger statuses on this construction, which can clarify their titles of alternative being ‘Mission Supervisor.'”
• FBI Seizes Website Utilized by Salesforce Extortionists — The U.S. Federal Bureau of Investigation (FBI) seized an internet site (“breachforums[.]hn”) that was being utilized by Scattered LAPSUS$ Hunters to extort Salesforce and its prospects. The motion marks one other chapter within the ongoing cat-and-mouse recreation to dismantle the persistent information leak website. That stated, the darkish net model of the leak website continues to be up and operating. “BreachForums was seized by the FBI and worldwide companions in the present day. All our domains have been taken from us by the U.S. Authorities. The period of boards is over,” the Scattered Lapsus$ Hunters group stated in a PGP-encrypted assertion on Telegram. Whereas the teams initially claimed they have been shutting down their operations, the web site resurfaced merely a number of days later, transitioning from a hacking discussion board to a devoted extortion website. The group additionally admitted that the BreachForums servers and backups have been destroyed, and that database archives and escrow information from way back to 2023 have been compromised. Scattered LAPSUS$ Hunters (aka the Trinity of Chaos) is a newly shaped alliance comprising Scattered Spider (aka Muddled Libra), LAPSUS$, and ShinyHunters (aka Bling Libra). In current weeks, the risk actors breached Salesloft’s methods and used the entry to acquire prospects’ Salesforce information. Final month, Salesloft revealed that the information breach linked to its Drift utility began with the compromise of its GitHub account. BreachForums has a protracted and turbulent historical past, punctuated by quite a few takedowns and resurrections since its authentic administrator was arrested in March 2023.
• NSO Group Acquired by U.S. Funding Group — Israeli spyware and adware maker NSO Group has disclosed {that a} U.S. funding group has acquired the controversial firm. An organization’s spokesperson informed TechCrunch that “an American funding group has invested tens of thousands and thousands of {dollars} within the firm and has acquired controlling possession.”
• Apple Revises its Bug Bounty Program — Apple introduced vital updates to its bug bounty program, with the corporate now providing as much as $2 million for exploit chains that may obtain comparable objectives as subtle mercenary spyware and adware assaults. It is also rewarding one-click WebKit sandbox escapes with as much as $300,000, and as much as $1 million for wi-fi proximity exploits over any radio, broad unauthorized iCloud entry, and WebKit exploit chains resulting in unsigned arbitrary code execution. “Since we launched the general public Apple Safety Bounty program in 2020, we’re proud to have awarded over $35 million to greater than 800 safety researchers, with a number of particular person experiences incomes $500,000 rewards,” the corporate stated. The brand new payouts will go into impact in November 2025.
• Spanish Guardia Civil Disrupts GXC Workforce — Spanish authorities dismantled the GXC Workforce and arrested its alleged mastermind, a 25-year-old Brazilian nationwide who went on-line as GoogleXcoder. Based on Group-IB, GXC Workforce operated a crime-as-a-service (CaaS) platform providing AI-powered phishing kits, Android malware, and voice rip-off instruments through Telegram and a Russian-speaking hacker discussion board to cybercriminals focusing on banks, transportation, and e-commerce, in Spain, Slovakia, the UK, US, and Brazil.”To keep away from seize, the suspect adopted a ‘digital nomad’ life-style, often relocating between Spanish provinces and utilizing stolen identities to safe housing, cellphone traces, and fee playing cards,” Group-IB stated.
• Inside Russian Market — Rapid7 stated Russian Market has advanced its operations over time, pivoting from promoting RDP entry to stolen bank card information and, extra just lately, infostealer logs. “Stolen credentials originate from organizations worldwide, with 26% originating within the US and 23% in Argentina,” the corporate stated. “Most sellers have adopted a multi-stealer method through the years, leveraging varied malware variants of their operations, with Lumma rising as a extensively used instrument. The commonest sorts of infostealers being utilized by sellers in Russian Market through the years have been Raccoon, Vidar, Lumma, RedLine, and Stealc, with Rhadamanthys and Acreed gaining reputation within the first half of 2025.” The findings got here as Pink Canary revealed that Atomic, Poseidon, and Odyssey have emerged because the three distinguished stealer households focusing on Apple macOS methods, whereas additionally sharing many tactical similarities. Odyssey Stealer is a successor to Poseidon that was first detected in March 2025.
• Austria Says Microsoft Violated E.U. Legal guidelines — Austria’s privateness regulator discovered that Microsoft violated E.U. legislation by illegally monitoring college students by way of Microsoft 365 Schooling utilizing monitoring cookies with out their consent. The choice was reached following noyb’s criticism in 2024. The Austrian Information Safety Authority (DSB) has ordered the deletion of the related private information. “The choice by the Austrian DPA actually highlights the dearth of transparency with Microsoft 365 Schooling,” noyb stated. “It’s virtually inconceivable for faculties to tell college students, mother and father and academics about what is occurring with their information.”
• AI Fashions Can Purchase Backdoors from About 250 Malicious Paperwork — A brand new tutorial research from Anthropic, the U.Okay. AISI’s Safeguards group, and The Alan Turing Institute has discovered that it takes roughly 250 malicious paperwork to ascertain a easy “backdoor” in massive language fashions. The analysis challenges the concept attackers want to regulate or poison a big portion of the coaching information to be able to affect an LLM’s output. “Poisoning assaults require a near-constant variety of paperwork no matter mannequin and coaching information measurement,” it stated. “If attackers solely have to inject a hard and fast, small variety of paperwork quite than a proportion of coaching information, poisoning assaults could also be extra possible than beforehand believed.” A 2024 research by researchers at Carnegie Mellon College, ETH Zürich, Meta, and Google DeepMind confirmed that attackers controlling 0.1 % of pre-training information might introduce backdoors for varied malicious aims. “Our outcomes recommend that injecting backdoors by way of information poisoning could also be simpler for giant fashions than beforehand believed because the variety of poisons required doesn’t scale up with mannequin measurement,” the researchers stated, “highlighting the necessity for extra analysis on defences to mitigate this danger in future fashions.” The disclosure coincided with OpenAI’s stating that its GPT-5 mannequin reveals decrease ranges of political bias than any earlier fashions.

🎥 Cybersecurity Webinars

• Drowning in Vulnerability Alerts? Here is Tips on how to Lastly Regain Management – Most safety groups face the identical downside — too many vulnerabilities and never sufficient time. Dynamic Assault Floor Discount (DASR) helps repair this by discovering and shutting dangers mechanically, earlier than attackers can use them. As an alternative of chasing countless alerts, groups can concentrate on what actually issues: retaining methods protected and operating easily. It is a smarter, quicker strategy to keep one step forward.
• How Main Groups Are Utilizing AI to Simplify Compliance and Scale back Danger – AI is altering how organizations deal with Governance, Danger, and Compliance (GRC). It will probably make compliance quicker and smarter—nevertheless it additionally brings new dangers and guidelines to comply with. This session will present you the way to use AI safely and successfully, with actual examples, classes from early adopters, and sensible tricks to put together your group for the way forward for compliance.
• From Firefighting to Safe-by-Design: A Sensible Playbook – AI is altering quick, however safety cannot lag behind. The neatest groups now deal with safety controls as launchpads, not roadblocks — enabling AI brokers to maneuver rapidly and safely. By shifting from reactive firefighting to a secure-by-design mindset, organizations achieve each velocity and confidence. With the suitable framework, you may management AI dangers whereas accelerating innovation as an alternative of slowing it down.

🔧 Cybersecurity Instruments

• P0LR Espresso – A brand new open-source instrument from Permiso that helps safety groups rapidly analyze multi-cloud logs throughout stay response. It normalizes information from platforms like AWS, Azure, and GCP to ship clear timelines, behavioral insights, and IOC evaluation—making it simpler to identify compromised identities and perceive what actually occurred.
• Ouroboros – A brand new open-source decompiler in-built Rust that makes use of symbolic execution to get better high-level code construction from compiled binaries. In contrast to conventional decompilers that depend on static project fashions, Ouroboros tracks constraints and information circulation to know how registers and reminiscence change throughout execution. This method helps it reconstruct logical code patterns corresponding to loops, situations, and management circulation areas, making it a sensible instrument for reverse engineering, program evaluation, and safety analysis.

Disclaimer: These instruments are for instructional and analysis use solely. They have not been totally security-tested and will pose dangers if used incorrectly. Evaluation the code earlier than making an attempt them, take a look at solely in protected environments, and comply with all moral, authorized, and organizational guidelines.

🔒 Tip of the Week

Do not Depart Your Backups Unlocked — Backups are your security internet — but when they don’t seem to be encrypted, they’ll grow to be your greatest danger. Anybody who will get entry to an unencrypted backup can learn every little thing inside: passwords, emails, monetary information, buyer data — all of it.

The Easy Repair: At all times encrypt your backups earlier than saving or sending them anyplace (USB, cloud, or server). Encryption locks your information so solely you may open it.

🔐 Simple, Trusted Open-Supply Instruments:

• Restic: Quick, easy, and encrypts every little thing mechanically. Works with many cloud companies.
• BorgBackup: Compresses, deduplicates, and encrypts your backups — good for long-term storage.
• Duplicity: Makes use of GPG encryption and helps encrypted backups to native or distant storage.
• rclone: Syncs information securely to cloud storage with built-in encryption choices.

Professional Tip: Take a look at your backup commonly — be sure to can decrypt and restore it. A locked or damaged backup is as unhealthy as no backup in any respect.

Conclusion

The week’s tales present either side of cybersecurity — the creativity of attackers and the resilience of defenders. Our energy lies in consciousness, collaboration, and motion. Let’s use each lesson discovered to make subsequent week’s information rather less alarming.