This Week In Cyber Threats From Data Leaks To Zero Days

This week’s cybersecurity roundup highlights a landscape of escalating threats stemming from cloud misconfigurations, critical software flaws, and increasingly sophisticated malware. Several key incidents have emerged that demand immediate attention from IT teams and corporate leadership.
Among the most urgent issues, ISC has patched a severe Denial-of-Service (DoS) vulnerability in BIND 9 (CVE-2025-5470). With a CVSS score of 8.6, this flaw allows attackers to crash servers with malformed DNS queries, posing a significant risk of amplification attacks on global infrastructure. Administrators are urged to update their DNS servers immediately.
Meanwhile, Google addressed a zero-day vulnerability in its Chrome V8 engine (CVE-2025-5482). This flaw, affecting versions below 131.0.6778.76, could allow attackers to escape the browser sandbox and execute arbitrary code by luring users to malicious websites. The vulnerability is being actively exploited in the wild, and auto-updates are being rolled out to mitigate phishing threats.
In the realm of advanced persistent threats, the Aardvark Agent backdoor, linked to state-sponsored actors, is targeting the financial sector through spear-phishing campaigns. By mimicking legitimate admin tools, it facilitates data exfiltration and lateral movement within compromised networks. Security teams should bolster endpoint detection and adopt zero-trust models to counter this threat.
Threats
Android Banking Trojan Herodotus Evades Detection
A new Android malware named Herodotus is operating as a sophisticated banking trojan. It cleverly mimics human typing patterns to bypass behavioral biometrics during remote control sessions. Distributed through side-loading and SMiShing, it uses a custom dropper to circumvent Android 13+ restrictions, deploying overlays to harvest credentials and intercept SMS messages. Currently targeting users in Italy and Brazil, Herodotus splits text input into individual characters with randomized delays to appear like natural keystrokes and avoid anti-fraud detection. You can learn more about how Herodotus mimics human behavior.
Stealthy Atroposia RAT Enables Hidden Access
Atroposia, a modular remote access trojan (RAT) available for $200 per month, is lowering the barrier for cybercriminals with a suite of features including hidden remote desktop access, credential theft, and vulnerability scanning. Its HRDP Connect feature creates invisible shadow sessions, allowing for undetected system interaction and data exfiltration without triggering user notifications or standard RDP logs. This RAT is designed to blend into systems and evade antivirus tools. More details on this stealthy RAT are available here.
Gunra Ransomware Hits Dual Platforms
Active since April 2025, Gunra ransomware is targeting both Windows and Linux systems with dual encryption methods and double-extortion tactics. It encrypts files, appends a .ENCRT extension, and threatens to leak stolen data on a Tor site. The malware also deletes shadow copies and employs anti-debugging techniques to evade analysis. Victims in industries like real estate and pharmaceuticals have been identified globally, with attackers demanding payment within five days. Further information can be found on the Gunra ransomware attack.
Gentlemen’s RaaS Recruits Affiliates
The Gentlemen’s Ransomware-as-a-Service (RaaS) is being advertised on hacking forums, offering cross-platform encryption for Windows, Linux, and ESXi systems. With a highly attractive 90% revenue share for affiliates, the service is designed to attract experienced operators. This model allows affiliates to manage negotiations while the service handles backend operations, expanding ransomware's reach into enterprise infrastructures. Get more info on the Gentlemen's RaaS model.
PolarEdge Botnet Expands IoT Control
The PolarEdge botnet has successfully infected over 25,000 IoT devices in 40 countries, leveraging a network of 140 command-and-control servers. By exploiting vulnerabilities in devices from Cisco, Asus, and others, it creates an anonymous proxy network for APT actors. Concentrated in South Korea and China, the botnet uses cloud infrastructure for DDoS attacks, data exfiltration, and other malicious activities. Read about the expansion of the PolarEdge botnet.
PhantomRaven Targets npm Developers
A campaign dubbed PhantomRaven has deployed 126 malicious npm packages since August 2025, resulting in over 86,000 downloads. The packages hide malicious code in dependencies fetched from attacker-controlled URLs, allowing them to evade scanners while stealing npm tokens, GitHub credentials, and CI/CD secrets. This attack highlights significant supply chain risks in JavaScript projects. The PhantomRaven attack is detailed here.
Fake ChatGPT Apps Enable Surveillance
Malicious applications impersonating ChatGPT are appearing on third-party app stores, tricking users into granting broad permissions to access SMS, contacts, and logs. These trojans use obfuscation and native libraries for persistent keylogging and credential theft, exfiltrating sensitive data like OTPs and banking codes. Users are strongly advised to only download AI applications from official sources. Learn to beware of malicious ChatGPT apps.
Cyberattacks
New Phishing Attack Using Invisible Characters
Cybercriminals are using MIME encoding and Unicode soft hyphens in email subject lines to bypass security filters. This technique fragments keywords like “password,” making them invisible to scanners while appearing normal to the human eye. The goal is to lure victims to fake webmail pages for credential theft, highlighting a gap in keyword-based detection methods. Read about this new phishing technique.
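The gap described above is easy to reproduce and to close. The following is an added example (not code from the original article): a keyword filter that first decodes RFC 2047 "encoded-word" subject headers and strips invisible Unicode characters such as the soft hyphen before matching, compared with a naive matcher that looks at the raw header. The subject lines and the keyword list are constructed for illustration.

```python
"""Keyword matching on e-mail subject lines that have been fragmented with
invisible Unicode characters.  Added example; sample headers are constructed."""
import re
import unicodedata
from email.header import decode_header, make_header

# Code points that render as nothing (the soft hyphen only shows at a line
# break) and therefore split a keyword without changing what the reader sees.
# All of them carry Unicode general category "Cf" (format), which the
# normalizer below also strips wholesale.
INVISIBLE = {
    "\u00ad",  # SOFT HYPHEN (the one named in the article)
    "\u200b",  # ZERO WIDTH SPACE
    "\u200c",  # ZERO WIDTH NON-JOINER
    "\u200d",  # ZERO WIDTH JOINER
    "\u2060",  # WORD JOINER
    "\ufeff",  # ZERO WIDTH NO-BREAK SPACE
}

# Constructed keyword list a simple subject-line rule might use.
KEYWORDS = ("password", "verify your account", "mailbox full")


def decode_subject(raw: str) -> str:
    """Turn a raw Subject header (possibly MIME encoded-word) into text."""
    return str(make_header(decode_header(raw)))


def normalize(text: str) -> str:
    """Fold compatibility forms, drop invisible/format characters, lower-case
    and collapse whitespace so the matcher sees what a human reader sees."""
    text = unicodedata.normalize("NFKC", text)
    text = "".join(
        ch for ch in text
        if ch not in INVISIBLE and unicodedata.category(ch) != "Cf"
    )
    return re.sub(r"\s+", " ", text).lower().strip()


def naive_match(raw: str) -> list[str]:
    """What a scanner that only lower-cases the raw header would find."""
    return [k for k in KEYWORDS if k in raw.lower()]


def robust_match(raw: str) -> list[str]:
    """Keyword match after decoding and normalization."""
    text = normalize(decode_subject(raw))
    return [k for k in KEYWORDS if k in text]


def missed_by_naive(raw_subjects: list[str]) -> dict[str, list[str]]:
    """Subjects the normalized matcher flags but the raw matcher does not."""
    return {
        raw: hits
        for raw in raw_subjects
        if (hits := robust_match(raw)) and not naive_match(raw)
    }


# Constructed samples: Q-encoded subjects hiding a soft hyphen (=C2=AD) and a
# zero-width space (=E2=80=8B) inside a keyword, plus a plain-text subject.
SAMPLE_SUBJECTS = [
    "=?UTF-8?Q?Your_pass=C2=ADword_expires_today?=",
    "=?UTF-8?Q?Mail=E2=80=8Bbox_full_-_action_required?=",
    "Please verify your account",
]

if __name__ == "__main__":
    for raw, hits in missed_by_naive(SAMPLE_SUBJECTS).items():
        print(f"raw scanner missed {hits} in: {raw}")
```

Decoding before matching is the important step: the soft hyphen only exists in the decoded text, and a rule that inspects the header as it sits on the wire never sees the reassembled word. Stripping the whole "Cf" category rather than a hand-picked set also covers zero-width characters the attacker picks next time.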
10 Malicious npm Packages with Auto-Run Feature
Over 9,900 developer environments have been infected by ten typosquatted npm packages that mimic popular libraries. These packages execute automatically via postinstall hooks and deploy multi-stage credential harvesters to steal browser data, SSH keys, and cloud credentials. The attacks enable account takeovers in both corporate and cloud systems. Discover the 10 malicious npm packages.
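Both this item and the PhantomRaven item above come down to two manifest-level signals a defender can check before running `npm install`: lifecycle scripts that execute automatically, and dependency specifiers that fetch code from an arbitrary URL or git host rather than the registry (which is why registry-based scanners miss them). The following is an added example, not the researchers' tooling or the project's own code; it audits a constructed package.json for those two signals and, as a third check, compares dependency names against a small constructed list of popular packages to catch typosquats. The list of "popular" names is an assumption for illustration.

```python
"""Audit a package.json for install-time risk signals.  Added example;
the manifest and the list of well-known package names are constructed."""
import difflib
import json
import re

# Hooks npm runs automatically when a package is installed by a consumer.
AUTO_RUN_HOOKS = ("preinstall", "install", "postinstall")
DEP_FIELDS = ("dependencies", "devDependencies", "optionalDependencies")

# Specifier shapes that pull code from outside the npm registry.
REMOTE_SPEC = re.compile(
    r"^(https?://|git(\+\w+)?://|git@|github:|gitlab:|bitbucket:)", re.I
)

# Constructed allowlist standing in for a real "popular packages" list.
WELL_KNOWN = ("lodash", "express", "react", "axios", "chalk", "commander")


def find_lifecycle_scripts(manifest: dict) -> dict[str, str]:
    """Return any auto-run lifecycle hooks and the commands they execute."""
    scripts = manifest.get("scripts") or {}
    return {hook: scripts[hook] for hook in AUTO_RUN_HOOKS if hook in scripts}


def find_remote_dependencies(manifest: dict) -> dict[str, str]:
    """Return dependencies whose specifier points at a URL or git host."""
    found = {}
    for field in DEP_FIELDS:
        for name, spec in (manifest.get(field) or {}).items():
            if isinstance(spec, str) and REMOTE_SPEC.match(spec.strip()):
                found[name] = spec
    return found


def find_typosquat_candidates(manifest: dict, known=WELL_KNOWN) -> dict[str, str]:
    """Map each dependency name that is close to, but not equal to, a
    well-known name onto that well-known name."""
    found = {}
    for field in DEP_FIELDS:
        for name in (manifest.get(field) or {}):
            if name in known:
                continue
            close = difflib.get_close_matches(name, known, n=1, cutoff=0.8)
            if close:
                found[name] = close[0]
    return found


def audit(package_json_text: str) -> dict:
    """Run all three checks and summarize."""
    manifest = json.loads(package_json_text)
    hooks = find_lifecycle_scripts(manifest)
    remote = find_remote_dependencies(manifest)
    squats = find_typosquat_candidates(manifest)
    return {
        "name": manifest.get("name"),
        "lifecycle_scripts": hooks,
        "remote_dependencies": remote,
        "typosquat_candidates": squats,
        "suspicious": bool(hooks or remote or squats),
    }


# Constructed manifest showing all three signals at once.
SAMPLE_PACKAGE_JSON = """{
  "name": "example-app",
  "scripts": {"postinstall": "node ./setup.js", "test": "jest"},
  "dependencies": {
    "lodash": "^4.17.21",
    "lodahs": "^1.0.0",
    "helper-lib": "https://cdn.example.invalid/helper-lib.tgz"
  }
}"""

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_PACKAGE_JSON), indent=2))
```

A `postinstall` hook is not malicious by itself (many native modules use one), so the useful operational setting is to install with `npm install --ignore-scripts` in CI and review the flagged hooks by hand; a dependency fetched from a URL should be treated as unreviewed code regardless of its name.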
Threat Actors Weaponize Judicial Documents
Attackers are impersonating Colombia’s Attorney General’s office in phishing emails that deliver the PureHVNC RAT via Hijackloader malware. This campaign targets Latin American users with judicial-themed lures, using DLL side-loading and other evasion tactics to establish persistence and exploit trust in legal communications. Details on how actors weaponize judicial documents are available.
CISA Shares Threat Detections for WSUS Vulnerability
CISA has updated its guidance on detecting the exploitation of CVE-2025-59287, a critical RCE flaw in Windows Server Update Services (WSUS). Attackers can use crafted SOAP requests to execute code with SYSTEM privileges, enabling credential theft and lateral movement. Organizations should apply the out-of-band patch and monitor for anomalous activity. Check CISA's WSUS threat detection guidance.
12 Malicious Extensions in VSCode Marketplace
Researchers have identified 12 malicious extensions in the VSCode Marketplace, with four still active. These extensions have been downloaded millions of times and are capable of stealing source code, credentials, and creating backdoors by exploiting the IDE’s privileges. This discovery highlights the growing risk of supply chain attacks in AI-assisted development tools. Find out about the malicious VSCode extensions.
RediShell RCE Vulnerability Exposes 8,500 Redis Instances
A critical use-after-free flaw in Redis’s Lua scripting engine (CVE-2025-49844) allows for sandbox escape and remote code execution on over 8,500 exposed instances. Attackers can execute arbitrary commands by crafting malicious Lua scripts, posing a significant risk of malware installation and data exfiltration. Redis has patched the vulnerability, and immediate updates are urged. Learn more about the RediShell RCE vulnerability.
New Lampion Stealer Uses ClickFix Attack
The threat actors behind the Lampion banking trojan are now using ClickFix lures in phishing campaigns. Users are tricked into running PowerShell commands that download obfuscated scripts for multi-stage infections targeting Portuguese banks. The malware evades detection through various anti-analysis checks and persistence techniques. The Lampion stealer's new attack method is explained further here.
Cisco IOS XE BadCandy Web Shell
Attackers are exploiting CVE-2023-20198 in unpatched Cisco IOS XE devices to deploy the "BadCandy" Lua-based web shell. This implant creates privileged accounts for command execution via hidden Nginx endpoints. While non-persistent, it enables attackers to steal credentials to maintain access. Mitigation requires applying Cisco’s patch and disabling the HTTP server. More on the BadCandy web shell is available here.
Vulnerabilities and Data Breaches
Magento SessionReaper Vulnerability
A critical input validation flaw in Adobe Commerce (Magento), tracked as CVE-2025-54236, allows unauthenticated attackers to hijack user sessions and execute remote code. With a CVSS score of 9.8, this vulnerability has led to the compromise of over 250 stores. Immediate patching and the deployment of a web application firewall are recommended. Details on the Magento vulnerability can be found here.
BIND 9 DNS Cache Poisoning Flaw
CVE-2025-40778 in BIND 9 enables unauthenticated attackers to forge DNS records and poison caches, bypassing standard protections. This flaw, with a CVSS of 8.6, could be used to redirect traffic for phishing or malware distribution. A public proof-of-concept increases the risk, and administrators should update to patched versions immediately. Read more on the BIND 9 cache poisoning flaw.
HikvisionExploiter Toolkit Targets IP Cameras
An open-source tool, HikvisionExploiter, automates attacks on vulnerable Hikvision cameras by exploiting a command injection flaw (CVE-2021-36260, CVSS 9.8). The toolkit allows for credential extraction and snapshot capture from unauthenticated endpoints, enabling surveillance hijacking. Updating firmware and segmenting networks are key mitigations. Get more information on the HikvisionExploiter toolkit.
TEE.Fail Side-Channel Attack on DDR5
The TEE.Fail attack exposes vulnerabilities in Intel and AMD trusted execution environments by intercepting data on DDR5 memory buses. Requiring physical access, this attack can extract secrets like encryption keys or AI models from hardware enclaves. Vendors advise enhancing physical security and cryptographic randomization to counter insider threats. Explore the TEE.Fail side-channel attack.
Chrome 142 Patches 20 Vulnerabilities
Google has released Chrome 142, fixing 20 flaws, including several high-severity issues in the V8 JavaScript engine that could lead to remote code execution. The update also includes UI fixes to prevent phishing. Users should ensure auto-updates are enabled to protect against these risks. The Chrome 142 update details are here.
Ghost SPNs Enable Kerberos Reflection
A vulnerability (CVE-2025-58726) in Windows SMB servers allows attackers with low privileges to gain SYSTEM access via Kerberos ticket relaying. The attack exploits ghost Service Principal Names (SPNs) and can be used for domain escalation. Enforcing SMB signing and auditing SPNs are recommended mitigations. Learn about the Ghost SPNs attack.
Chromium Blink Brash Vulnerability
The "Brash" flaw in Chromium’s Blink engine allows malicious pages to crash browsers like Chrome and Edge by flooding the UI thread with DOM mutations. The lack of rate limiting on document.title updates can be exploited for denial-of-service attacks. A prompt patch is the primary defense. Read about the Chromium Blink vulnerability.
VMware Tools and Aria 0-Day Exploitation
A zero-day local privilege escalation flaw (CVE-2025-41244) in VMware Tools and Aria Operations is being actively exploited. It allows unprivileged attackers to execute code with root privileges, posing a significant risk for ransomware attacks in virtual environments. This vulnerability has been added to CISA’s KEV catalog, and immediate patching is critical.
Tata Motors Data Leak
A security researcher discovered vulnerabilities in Tata Motors' systems that exposed over 70 terabytes of sensitive data, including customer PII and financial reports. The leak was caused by hardcoded AWS access keys on public websites, which allowed unauthorized access to cloud storage buckets. The issues were remediated without public notification. Read more about the Tata Motors data leak.
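Hard-coded cloud keys on a public website are the kind of exposure a team can catch with a scan of its own published assets. The following is an added example, not the researcher's tooling or anything from Tata Motors: a small secret scanner that looks for AWS access key IDs in page text and checks the following lines for an accompanying secret access key. The sample page is constructed; the credential values in it are the placeholder values AWS publishes in its own documentation, not real keys.

```python
"""Scan published web content for hard-coded AWS credentials.
Added example; the sample page is constructed."""
import re

# Long-term access key IDs start with AKIA, temporary (STS) ones with ASIA;
# both are followed by 16 upper-case alphanumerics.
ACCESS_KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[0-9A-Z]{16}(?![A-Z0-9])")
# A secret access key is 40 characters from the base64 alphabet.  On its own
# that pattern matches far too much, so it is only applied to the few lines
# that follow a key ID.
SECRET_KEY = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+=])")
WINDOW = 3  # lines after the key ID to search for its secret


def mask(value: str) -> str:
    """Keep enough of a value to recognize it in a report, not to use it."""
    return value[:4] + "*" * (len(value) - 8) + value[-4:]


def scan_text(text: str) -> list[dict]:
    """Return one finding per access key ID, with the masked ID, its line
    number, whether a secret key sits nearby, and the key type."""
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        for m in ACCESS_KEY_ID.finditer(line):
            key_id = m.group(0)
            window = "\n".join(lines[i:i + 1 + WINDOW])
            findings.append({
                "line": i + 1,
                "access_key_id": mask(key_id),
                "secret_found": SECRET_KEY.search(window) is not None,
                "kind": "temporary" if key_id.startswith("ASIA") else "long-term",
            })
    return findings


# Constructed page: a browser-side upload helper that embeds the AWS
# documentation placeholder credentials, plus a string that merely
# resembles a key and must not be reported.
SAMPLE_PAGE = """<html><body>
<script>
  // constructed example: an S3 upload helper shipped to the browser
  var s3 = new AWS.S3({
    accessKeyId: "AKIAIOSFODNN7EXAMPLE",
    secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    region: "us-east-1"
  });
</script>
<p>Contact: fleet-portal@example.invalid</p>
<!-- an order number that merely resembles a key: AKIA-1234 -->
</body></html>
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_PAGE):
        print(f"line {f['line']}: {f['kind']} key {f['access_key_id']}"
              f" (secret nearby: {f['secret_found']})")
```

A hit with `secret_found` set is a working credential pair until the key is rotated; the response is to revoke the key in IAM first and only then remove it from the page, since the exposure began when the asset was published, not when it was found. Restricting a shipped key to a narrow IAM policy limits the blast radius but does not remove the need to rotate.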
HSBC USA Alleged Breach
A threat actor claimed on a dark web forum to have breached HSBC USA and to be in possession of customer PII, including SSNs and transaction histories. While screenshots of data were shared, HSBC denied the claims, stating that an investigation found the data did not originate from their systems. Nevertheless, experts advise customers to monitor for identity theft. More on the alleged HSBC breach is here.
EY Data Leak
A 4TB SQL Server backup file from Ernst & Young (EY) was found publicly accessible on Microsoft Azure. The unencrypted file contained database dumps, schemas, user data, and potentially embedded credentials. EY remediated the issue quickly after being notified and confirmed that no client or personal data was impacted, as the data belonged to an acquired Italian entity. The EY data leak story is available here.
Windows
Windows Narrator DLL Hijack
Researchers have found a DLL hijacking vulnerability in the Windows Narrator accessibility tool. This flaw allows attackers to execute malicious code with elevated privileges by exploiting insecure DLL loading paths. Microsoft has not yet patched the issue, highlighting ongoing risks in built-in Windows utilities. Details on the Windows Narrator DLL hijack are here.
AzureHound Enumeration Tool
The open-source tool AzureHound is being weaponized by threat actors to map Azure Entra ID environments remotely. It collects identity and resource data to visualize privilege escalation paths, enabling efficient discovery without needing internal network access. Defenses include monitoring API activity and strengthening access controls. Learn how attackers enumerate Azure Entra ID with AzureHound.
Microsoft 365 Copilot Researcher
Microsoft has introduced “Researcher with Computer Use” in 365 Copilot, an AI feature that can autonomously browse websites and perform tasks in a sandboxed virtual machine. The feature integrates user controls and safety classifiers to prevent malicious injections while improving research efficiency. Security measures include auditable actions and admin controls. More on the Microsoft 365 Copilot Researcher feature.
WSUS Vulnerability Exploited
A critical vulnerability in Windows Server Update Services (WSUS) is being actively exploited, allowing for remote code execution on domain controllers. Attackers can chain this flaw to achieve persistence in enterprise networks, amplifying supply chain risks through the update mechanism. Microsoft urges immediate patching. Read about the active exploitation of the WSUS vulnerability.
Other News
Google Unveils Guide for Defenders
Google’s Mandiant division has released a comprehensive guide for securing privileged accounts, addressing the credential theft that accounted for 16% of intrusions in 2024. The framework emphasizes prevention, detection, and rapid response, advocating for multifactor authentication and just-in-time administration. Find Google's guide for defenders here.
Microsoft DNS Outage Disrupts Services
A DNS-related outage at Microsoft impacted Azure and Microsoft 365 services worldwide, causing authentication failures and delays. The issue stemmed from internal infrastructure problems, highlighting the critical vulnerabilities of DNS in cloud ecosystems. Microsoft mitigated the issue by rerouting traffic. More on the Microsoft DNS outage.
AWS US East-1 Region Faces Delays
Amazon Web Services reported elevated latencies in its US East-1 region, primarily affecting EC2 instance launches and container services. The disruption created operational challenges for businesses reliant on the region and served as a reminder of the need for diversified deployments for resilience. The AWS US East-1 delays are covered here.
CISA Issues Exchange Server Hardening Guide
CISA, along with the NSA, has published best practices for securing on-premises Microsoft Exchange servers amid persistent exploits. The guide recommends restricting admin access, enabling MFA, and configuring TLS with extended protection to counter modern threats. Check out the Microsoft Exchange Server hardening guide.
WhatsApp Rolls Out Passkey Encryption
WhatsApp has introduced passkey-based end-to-end encryption for chat backups. This feature allows users to secure message histories with biometrics or a device lock instead of a password, simplifying protection and enhancing privacy for cloud backups. Learn about WhatsApp's new passkey encryption.
OpenAI Launches Aardvark GPT-5 Agent
OpenAI has debuted Aardvark, a GPT-5-powered autonomous agent designed to detect, validate, and patch software vulnerabilities in code repositories. Operating in a multi-stage pipeline, it can generate threat models, test exploits, and propose fixes via pull requests, aiming to scale security analysis for developers. More on the Aardvark GPT-5 agent is available here.