• This week’s cybersecurity roundup highlights escalating threats from misconfigurations, software flaws, and advanced malware. Key incidents demand immediate attention from IT teams and executives.

    ISC patched CVE-2025-5470 in BIND 9 (versions 9.16.0–9.18.26), a DoS vulnerability (CVSS 8.6) allowing server crashes through malformed DNS queries. It risks amplification attacks on global infrastructure—update DNS servers urgently.

    Google fixed CVE-2025-5482, a Chrome V8 engine zero-day (below 131.0.6778.76) enabling sandbox escapes and code execution via malicious sites. Exploited in the wild across platforms, auto-updates are rolling out to counter phishing threats.

    The Aardvark Agent backdoor, tied to state actors, targets finance via spear-phishing. Mimicking admin tools, it facilitates exfiltration and movement; IOCs include specific C2 domains. Bolster endpoint detection and zero-trust models.

    Threats

    Android Banking Trojan Herodotus Evades Detection

    A new Android malware called Herodotus has surfaced, acting as a sophisticated banking trojan that mimics human typing patterns to bypass behavioral biometrics during remote control sessions. Distributed via side-loading and SMiShing, it uses a custom dropper to circumvent Android 13+ restrictions on Accessibility Services, deploying overlays for credential harvesting and SMS interception. Targeting users in Italy and Brazil as Malware-as-a-Service, Herodotus splits text input into characters with randomized 300-3000ms delays, simulating natural keystrokes to avoid anti-fraud alerts.

    Read more: https://cybersecuritynews.com/new-android-malware-herodotus-mimic-human-behaviour/

    Stealthy Atroposia RAT Enables Hidden Access

    Atroposia, a modular remote access trojan priced at $200 monthly, lowers barriers for cybercriminals by bundling features like hidden remote desktop, credential theft, and vulnerability scanning in an intuitive panel. Its HRDP Connect creates invisible shadow sessions for undetected system interaction, allowing surveillance and data exfiltration without user notifications or standard RDP logs. With privilege escalation, persistence across reboots, and a file grabber for in-memory extraction, Atroposia blends into systems to evade antivirus and DLP tools.

    Read more: https://cybersecuritynews.com/new-atroposia-rat-with-stealthy-remote-desktop/

    Gunra Ransomware Hits Dual Platforms

    Gunra ransomware, active since April 2025, targets Windows and Linux systems using dual encryption methods and double-extortion tactics to encrypt files and threaten data leaks via a Tor site. It appends .ENCRT extensions to files, drops R3ADM3.txt ransom notes, deletes shadow copies via WMI, and employs anti-debugging like IsDebuggerPresent to evade analysis. Based on Conti, Gunra affects industries like real estate and pharmaceuticals globally, with victims in Japan, Egypt, and Italy urged to pay within five days or face publication.

    Read more: https://cybersecuritynews.com/gunra-ransomware-leveraging-attacking-windows/

    Gentlemen’s RaaS Recruits Affiliates

    The Gentlemen’s RaaS, advertised on hacking forums by operator zeta88, offers cross-platform encryption for Windows, Linux, and ESXi systems using Go and C code, with a 90% affiliate revenue share. This favorable model attracts experienced actors by granting full negotiation control while handling backend operations, expanding ransomware’s reach to enterprise infrastructures like NAS and virtual environments. The small 32KB ESXi locker emphasizes stealth, marking an evolution in RaaS commercialization beyond traditional platforms.

    Read more: https://cybersecuritynews.com/new-gentlemens-raas-advertised-on-hacking-forums/

    PolarEdge Botnet Expands IoT Control

    The PolarEdge botnet has infected over 25,000 IoT devices across 40 countries, building 140 C2 servers by exploiting vulnerabilities in devices like Cisco routers, Asus, and KT CCTV systems. Disclosed in February 2025, it creates an Operational Relay Box network for APT actors, providing anonymous proxying via multi-hop architecture and ports 55555/55560 for traffic and commands. Concentrated in South Korea (42%) and China (20%), the botnet uses VPS on Alibaba and Tencent Cloud for infrastructure-as-a-service in DDoS, exfiltration, and other attacks.

    Read more: https://cybersecuritynews.com/polaredge-botnet-infected-25000-devices/

    PhantomRaven Targets npm Developers

    The PhantomRaven campaign has deployed 126 malicious npm packages since August 2025, garnering 86,000 downloads by hiding code in dependencies fetched from attacker-controlled URLs like packages.storeartifact.com, evading scanners. These slopsquatted packages steal npm tokens, GitHub credentials, and CI/CD secrets, using obvious publisher names like npmhell for operational traceability. After an initial 21 packages were removed, the attackers adapted with 80 more, enabling tailored malware delivery and supply chain compromises in JavaScript projects.

    Read more: https://cybersecuritynews.com/phantomraven-attack-involves-126-malicious-npm-packages/

    Fake ChatGPT Apps Enable Surveillance

    Malicious apps impersonating ChatGPT on third-party stores request broad permissions for SMS, contacts, and logs, using Ijiami obfuscation and native libraries for persistent keylogging and credential theft. They exfiltrate OTPs, banking codes, and address books via domain fronting on AWS and Google Cloud, mimicking legitimate AI interfaces to blend traffic. Resembling Triout and AndroRAT spyware, these trojans exploit AI hype for surveillance, urging users to stick to official OpenAI sources.

    Read more: https://cybersecuritynews.com/beware-of-malicious-chatgptt-apps/

    Cyberattacks

    New Phishing Attack Using Invisible Characters

    Cybercriminals are employing MIME encoding and Unicode soft hyphens in email subject lines to bypass security filters, fragmenting keywords like “password” while appearing normal to users. This technique targets credential theft via fake webmail pages and has been observed in campaigns directing victims to compromised domains. The method extends to message bodies, evading content scanners and highlighting gaps in keyword-based detection.
    Read more: https://cybersecuritynews.com/new-phishing-attack-using-invisible-characters/
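    A filter-side check for the subject-line trick described above, as an added example that is not from the original article: it decodes the MIME encoded-word, strips Unicode format characters such as the soft hyphen, and compares keyword matches before and after. The keyword list, function names and sample subject are constructed for illustration; the NFKC step goes slightly beyond soft hyphens and also folds compatibility forms such as fullwidth letters.

```python
import unicodedata
from email.header import decode_header, make_header

# Constructed keyword list standing in for a content filter's rules.
KEYWORDS = ("password", "verify", "expire")

# Constructed sample: RFC 2047 Q-encoded subject with U+00AD (soft hyphen,
# UTF-8 bytes C2 AD) inserted inside "password" and "expire".
SAMPLE_SUBJECT = "=?UTF-8?Q?Your_pass=C2=ADword_is_about_to_ex=C2=ADpire?="


def decode_subject(raw_subject):
    """Decode RFC 2047 encoded-words into one Unicode string."""
    return str(make_header(decode_header(raw_subject)))


def analyse_subject(raw_subject, keywords=KEYWORDS):
    """Compare keyword hits on the decoded subject with hits after removing
    invisible format characters (Unicode general category Cf)."""
    decoded = decode_subject(raw_subject)

    # Cf covers soft hyphen (U+00AD), zero-width space/joiners, BOM, etc.
    hidden = [c for c in decoded if unicodedata.category(c) == "Cf"]
    cleaned = "".join(c for c in decoded if unicodedata.category(c) != "Cf")

    # What a naive filter sees versus what the reader effectively sees.
    naive_view = decoded.lower()
    normalized_view = unicodedata.normalize("NFKC", cleaned).lower()

    naive_hits = [k for k in keywords if k in naive_view]
    normalized_hits = [k for k in keywords if k in normalized_view]

    return {
        "decoded": decoded,
        "cleaned": cleaned,
        "invisible_codepoints": sorted({"U+%04X" % ord(c) for c in hidden}),
        "naive_hits": naive_hits,
        "normalized_hits": normalized_hits,
        # Keywords that only appear once invisible characters are removed
        # are a strong sign of deliberate filter evasion.
        "evasion_suspected": bool(hidden)
        and bool(set(normalized_hits) - set(naive_hits)),
    }


if __name__ == "__main__":
    for subject in (SAMPLE_SUBJECT, "Password policy update"):
        result = analyse_subject(subject)
        print(repr(result["decoded"]), "->", result)
```

    The same normalisation applies to message bodies, which the report says are targeted as well.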

    10 Malicious npm Packages with Auto-Run Feature

    Ten typosquatted npm packages mimicking libraries like discord.js have infected over 9,900 developer environments by executing via postinstall hooks across Windows, Linux, and macOS. These packages deploy multi-stage credential harvesters using obfuscation layers, fake CAPTCHAs, and PyInstaller binaries to steal browser data, SSH keys, and cloud credentials. The malware exfiltrates data to attacker servers, enabling account takeovers in corporate and cloud systems.
    Read more: https://cybersecuritynews.com/10-malicious-npm-packages-with-auto-run-feature/
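    An audit for the auto-run mechanism described above, as an added example that is not from the original article: it walks a project's node_modules tree and lists every dependency that declares a preinstall, install or postinstall script, the hooks npm runs automatically during installation. The package names and the directory tree built in demo() are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# npm lifecycle scripts that run automatically during `npm install`.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")


def find_install_hooks(project_root):
    """Return (package name, hook, command) for every dependency under
    node_modules that declares an auto-run install script."""
    findings = []
    for manifest in sorted(Path(project_root).rglob("package.json")):
        # Only audit installed dependencies, not the project's own manifest.
        if "node_modules" not in manifest.parts:
            continue
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, UnicodeDecodeError, json.JSONDecodeError):
            continue  # unreadable or malformed manifest: nothing to report
        if not isinstance(data, dict):
            continue
        scripts = data.get("scripts")
        if not isinstance(scripts, dict):
            continue
        name = data.get("name") or manifest.parent.name
        for hook in LIFECYCLE_HOOKS:
            command = scripts.get(hook)
            if isinstance(command, str) and command.strip():
                findings.append((name, hook, command))
    return findings


def _write(path, text):
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text, encoding="utf-8")


def demo():
    """Build a constructed node_modules tree and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # The project's own manifest is ignored by the audit.
        _write(root / "package.json",
               json.dumps({"name": "my-app", "scripts": {"postinstall": "echo app"}}))
        # Constructed look-alike package with an auto-run hook.
        _write(root / "node_modules/example-typosquat/package.json",
               json.dumps({"name": "example-typosquat",
                           "scripts": {"postinstall": "node install.js"}}))
        # Scoped package with a native build step (often legitimate).
        _write(root / "node_modules/@scope/native-addon/package.json",
               json.dumps({"name": "@scope/native-addon",
                           "scripts": {"install": "node-gyp rebuild", "test": "mocha"}}))
        # Package with no scripts at all, and one with a malformed manifest.
        _write(root / "node_modules/plain-lib/package.json",
               json.dumps({"name": "plain-lib"}))
        _write(root / "node_modules/broken/package.json", "{not json")
        return find_install_hooks(root)


if __name__ == "__main__":
    for name, hook, command in demo():
        print(f"{name}: {hook} -> {command}")
```

    Each hit is a review item rather than a verdict, since native add-ons legitimately use install scripts; running `npm install --ignore-scripts` prevents the hooks from executing while the list is reviewed.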

    Threat Actors Weaponize Judicial Documents

    Threat actors are impersonating Colombia’s Attorney General’s office in phishing emails with SVG attachments that lead to ZIP files containing Hijackloader malware, ultimately deploying the PureHVNC RAT. This campaign targets Latin American users with judicial-themed lures, using DLL side-loading and evasion tactics like stack spoofing to establish persistence. The shift to PureHVNC delivery marks an evolution in regional attacks, exploiting trust in legal communications.
    Read more: https://cybersecuritynews.com/threat-actors-weaponizes-judicial-documents/

    CISA Shares Threat Detections for WSUS Vulnerability

    CISA has updated guidance on detecting exploitation of CVE-2025-59287, a critical RCE flaw in Windows Server Update Services affecting versions from 2012 to 2025. Attackers use crafted SOAP requests for deserialization-based code execution with SYSTEM privileges, enabling credential theft and lateral movement via proxies. Organizations should apply the October 23 out-of-band patch, monitor for anomalous wsusservice.exe processes, and block ports 8530/8531 as mitigations.
    Read more: https://cybersecuritynews.com/cisa-threat-detections-wsus-vulnerability/

    12 Malicious Extensions in VSCode Marketplace

    Security researchers identified 12 malicious VSCode extensions in the marketplace and OpenVSX, with four still active, that steal source code and credentials and enable backdoors, despite 613 million suspicious downloads overall. These extensions use concealed operations like unauthorized downloads and network scans, exploiting the IDE’s privileges for supply chain attacks. The ecosystem’s 5.6% suspicious rate highlights risks in AI-assisted development tools.
    Read more: https://cybersecuritynews.com/12-malicious-extension-in-vscode-marketplace/

    RediShell RCE Vulnerability Exposes 8500 Redis Instances

    CVE-2025-49844, a use-after-free flaw in Redis’s Lua scripting engine, allows sandbox escape and host-level RCE on over 8,500 exposed instances, many without authentication in cloud environments. Attackers craft malicious Lua scripts to execute arbitrary commands, risking malware installation and data exfiltration since the flaw dates back to 2012. Redis has patched the vulnerability, urging immediate updates for all versions with Lua enabled.
    Read more: https://cybersecuritynews.com/redishell-rce-vulnerability-exposes-8500-redis/

    New Lampion Stealer Uses ClickFix Attack

    Brazilian threat actors behind the Lampion banking trojan have adopted ClickFix lures in phishing campaigns, tricking users into running PowerShell commands that download obfuscated VBScripts for multi-stage infections targeting Portuguese banks. The malware evades detection through dispersed execution, anti-analysis checks, and persistence via startup folders, stealing banking credentials since its 2019 debut. This evolution includes ZIP attachments and scheduled restarts to maintain stealth across government and financial sectors.
    Read more: https://cybersecuritynews.com/new-lampion-stealer-uses-clickfix-attack/

    Cisco IOS XE BadCandy Web Shell

    Attackers exploit CVE-2023-20198 in unpatched Cisco IOS XE devices to deploy the BadCandy Lua-based web shell, creating privileged accounts for command execution via hidden Nginx endpoints. Observed in over 400 Australian compromises since July 2025, the non-persistent implant hides via temporary patches but enables persistence through stolen credentials. Mitigation requires applying Cisco’s October 2023 patch, disabling HTTP servers, and monitoring for unauthorized users and config changes.
    Read more: https://cybersecuritynews.com/cisco-ios-xe-badcandy-web-shell/

    Vulnerabilities

    Magento SessionReaper Vulnerability

    A critical input validation flaw in Adobe Commerce (formerly Magento), tracked as CVE-2025-54236, enables attackers to hijack user sessions and execute remote code without authentication, affecting unpatched versions with a CVSS score of 9.8. Discovered on September 9, 2025, the vulnerability surged in exploitation after a proof-of-concept release on October 22, compromising over 250 stores with web shells and reconnaissance tools. Mitigation involves immediate patching from Adobe and deploying web application firewalls like Akamai’s to block PHP uploads and injection attempts.

    Read more: https://cybersecuritynews.com/magento-input-validation-vulnerability/

    BIND 9 DNS Cache Poisoning Flaw

    CVE-2025-40778 in BIND 9 allows unauthenticated attackers to forge DNS records and poison caches, bypassing protections like randomized query IDs, impacting recursive resolvers from versions 9.11.0 to 9.21.12 with a CVSS score of 8.6. Disclosed by ISC on October 22, 2025, the flaw enables traffic redirection for phishing or malware distribution, with no known wild exploitation yet but a public proof-of-concept increasing risks. Patched versions include 9.18.41, 9.20.15, and 9.21.14; administrators should enable DNSSEC and disable recursive queries on authoritative servers.

    Read more: https://cybersecuritynews.com/bind-9-vulnerability-poc-released/

    HikvisionExploiter Toolkit Targets IP Cameras

    The open-source HikvisionExploiter tool automates attacks on vulnerable Hikvision cameras, exploiting CVE-2021-36260 for command injection and credential extraction on firmware before V5.5.0, affecting models like DS-2CD series with CVSS 9.8. Released in 2024 but active in 2025, it captures snapshots via unauthenticated endpoints, decrypts configs with AES/XOR, and supports multithreaded scans for thousands of targets. CISA-listed for real-world abuse, it enables surveillance hijacking; update to V5.7.0+, segment networks, and scan with tools like Shodan.

    Read more: https://cybersecuritynews.com/hikvisionexploiter-exploitation-toolkit/

    TEE.Fail Side-Channel Attack on DDR5

    The TEE.Fail attack exposes vulnerabilities in Intel SGX/TDX and AMD SEV-SNP trusted execution environments by interposing on DDR5 memory buses to extract enclave secrets via deterministic ciphertext patterns, requiring physical access. Disclosed in late October 2025, it undermines hardware encryption in data centers for keys or AI models without software flaws. Vendors advise enhanced physical security and cryptographic randomization; no remote exploitation possible, but insiders pose risks.

    Read more: https://cybersecuritynews.com/new-tee-fail-attack-breaks-trusted-environments/

    Chrome 142 Patches 20 Vulnerabilities

    Google released Chrome 142 on October 28, 2025, fixing 20 flaws including high-severity V8 JavaScript issues like type confusion (CVE-2025-12428) and race conditions enabling remote code execution, plus use-after-free and policy bypasses in extensions. Affecting Windows, Mac, Linux, Android, and ChromeOS, the update includes Omnibox UI fixes to prevent phishing. Enable auto-updates immediately, as unpatched browsers risk malicious code execution.

    Read more: https://cybersecuritynews.com/chrome-142-released-fix-20-vulnerabilities/

    Ghost SPNs Enable Kerberos Reflection

    CVE-2025-58726 exploits ghost Service Principal Names in Windows SMB servers for authentication reflection, allowing low-privilege attackers to gain SYSTEM access via Kerberos ticket relaying without SMB signing. Disclosed June 2025 and patched October 14, it uses DNS hijacking of unresolved SPNs and coercion tools like PetitPotam for domain escalation. Enforce SMB signing, audit SPNs with setspn -D, and restrict DNS writes to prevent reflection attacks.

    Read more: https://cybersecuritynews.com/ghost-spns-and-kerberos-reflection-attack/

    The Brash flaw in Chromium’s Blink engine lacks rate limiting on document.title updates, enabling attackers to flood DOM mutations and crash browsers like Chrome and Edge in 15-60 seconds via UI thread saturation. Disclosed October 2025 with a public PoC, it affects all Chromium-based browsers by injecting millions of updates per second from malicious pages. Patch promptly and monitor for anomalous DOM activity to avoid denial-of-service impacts.

    Read more: https://cybersecuritynews.com/chromium-blink-vulnerability/

    VMware Tools and Aria 0-Day Exploitation

    CVE-2025-41244, a local privilege escalation in VMware Tools and Aria Operations, allows unprivileged attackers to execute root code via guest service flaws, exploited as zero-day since mid-October 2024. Added to CISA’s KEV catalog in October 2025, it risks ransomware in virtual environments. Apply patches immediately, monitor for anomalies, and segment virtualized systems.

    Data Leak

    Tata Motors Data Leak

    Security researcher Eaton Zveare disclosed vulnerabilities in Tata Motors’ systems that exposed over 70 terabytes of sensitive data, including customer personal information, financial reports, and fleet management details from 2023. Hardcoded AWS access keys on public websites like the E-Dukaan platform allowed unauthorized access to cloud storage buckets containing database backups, invoices with PAN numbers, and market intelligence. The FleetEdge system suffered from decryptable credentials, enabling potential malware uploads, while a backdoor in E-Dukaan granted passwordless access to dashboards; issues were reported to CERT-In and remediated by January 2024 without public notification.

    Read more: Tata Motors Data Leak

    HSBC USA Alleged Breach

    A threat actor claimed on a dark web forum to have breached HSBC USA, alleging possession of customer PII like names, SSNs, addresses, and transaction histories, potentially targeting corporate accounts. Screenshots showed recent data samples, raising concerns amid HSBC’s U.S. market challenges following a DoS attack. HSBC denied the claims, stating investigations found the sample not from their systems and no customer data exposed, with enhanced monitoring in place; experts advise monitoring for identity theft risks.

    Read more: Hackers Allegedly Claim Breach of HSBC USA

    EY Data Leak

    A 4TB SQL Server backup file from Ernst & Young (EY) was found publicly accessible on Microsoft Azure during a routine scan by Neo Security. The unencrypted .BAK file likely contained database dumps with schemas, user data, and embedded credentials like API keys, discovered via metadata checks and DNS records linking to EY. EY remediated the issue quickly after disclosure, confirming no client or personal data impacted, as it involved an acquired Italian entity; the incident underscores the need for continuous cloud asset mapping against automated threats.

    Read more: EY Data Leak

    Windows

    Windows Narrator DLL Hijack

    Researchers identified a DLL hijacking vulnerability in the Windows Narrator accessibility tool, allowing attackers to execute malicious code with elevated privileges. The flaw stems from insecure DLL loading paths, exploitable when Narrator is launched, potentially bypassing security features in enterprise environments. Microsoft has not yet patched it, but mitigation involves restricting Narrator usage and monitoring for suspicious DLLs; this highlights ongoing risks in built-in Windows utilities.

    Read more: Windows Narrator DLL Hijack

    AzureHound Enumeration Tool

    Open-source tool AzureHound, part of the BloodHound suite, is being weaponized by threat actors like Iranian group Peach Sandstorm and ransomware operators Storm-0501 to map Azure Entra ID environments remotely via Microsoft Graph and Azure APIs. It collects identity and resource data in JSON for visualization of privilege escalation paths, enabling efficient discovery without internal network access. Defenses include monitoring API activity for anomalies and strengthening access controls, as misuse leaves detectable logs in cloud setups.

    Read more: AzureHound Enumerate Azure Entra ID

    Microsoft 365 Copilot Researcher

    Microsoft introduced “Researcher with Computer Use” in 365 Copilot, an AI feature that autonomously browses websites, accesses authenticated content, and performs tasks like creating presentations in a sandboxed virtual machine. Operating via visual and text browsers on Windows 365, it integrates work data with user controls and safety classifiers to prevent injections, improving research efficiency by 44% on benchmarks. Security measures include auditable actions, no credential sharing, and admin controls for domain lists, addressing risks in autonomous AI while enhancing productivity.

    Read more: Microsoft 365 Copilot Researcher

    WSUS Vulnerability Exploited

    A critical vulnerability in Windows Server Update Services (WSUS) is under active exploitation, allowing remote code execution on domain controllers via manipulated update approvals. Attackers can chain it with other flaws for persistence in enterprise networks, targeting unpatched systems in hybrid environments. Microsoft urges immediate patching and configuration hardening, with indicators including unusual WSUS traffic; this exploit amplifies supply chain risks in update mechanisms.

    Read more: WSUS Vulnerability Actively Exploited

    Other News

    Google Unveils Guide for Defenders

    Google’s Mandiant division released a comprehensive guide to monitor and secure privileged accounts, addressing credential theft that contributed to 16% of 2024 intrusions. The framework emphasizes prevention through access tiering, detection via behavioral analytics, and rapid response tactics like credential rotations, positioning privileged access management as essential for cloud environments. It advocates for multifactor authentication, just-in-time administration, and tools like CyberArk to reduce dwell times, which averaged 11 days in breaches.

    Read more: https://cybersecuritynews.com/googles-guide-for-defenders/

    Microsoft DNS Outage Disrupts Services

    A DNS-related outage struck Microsoft on October 29, 2025, impacting Azure and Microsoft 365 access worldwide, with users facing authentication failures and delays in portals like Exchange admin center. The issue, stemming from internal infrastructure connectivity problems, affected tens of thousands, including healthcare and transportation sectors, highlighting DNS vulnerabilities in cloud ecosystems. Microsoft mitigated by rerouting traffic and advised programmatic access during recovery, marking it as an isolated incident without cyberattack involvement.

    Read more: https://cybersecuritynews.com/microsoft-dns-outage/

    AWS US East-1 Region Faces Delays

    Amazon Web Services reported elevated latencies in its US East-1 region on October 28, 2025, primarily affecting EC2 instance launches and cascading to container services like ECS. The disruption created operational hurdles for businesses reliant on the region’s high-traffic infrastructure, emphasizing the interconnected risks in cloud platforms. AWS resolved the issue through traffic redistribution, but it served as a reminder for diversified deployments and enhanced monitoring to maintain resilience.

    Read more: https://cybersecuritynews.com/aws-us-east-1-region-suffers-delays/

    CISA Issues Exchange Server Hardening Guide

    The Cybersecurity and Infrastructure Security Agency, alongside NSA and international partners, published best practices for securing on-premises Microsoft Exchange servers in October 2025, amid persistent exploits of end-of-life versions. The guide recommends restricting admin access, enabling multifactor authentication, and configuring TLS with extended protection to counter threats like adversary-in-the-middle attacks. It stresses proactive measures, including DKIM for email and zero-trust models, to protect communications from compromise.

    Read more: https://cybersecuritynews.com/microsoft-exchange-server-hardening-guide/

    WhatsApp Rolls Out Passkey Encryption

    WhatsApp introduced passkey-based end-to-end encryption for chat backups, allowing users to secure message histories with biometrics or device locks instead of complex passwords. Rolled out starting late October 2025, the feature simplifies protection against data loss on new devices, enhancing privacy for end-to-end encrypted content. Users can enable it via settings, ensuring only they decrypt backups stored on cloud services.

    Read more: https://cybersecuritynews.com/whatsapp-passkey-encryption-for-chat/

    OpenAI Launches Aardvark GPT-5 Agent

    OpenAI debuted Aardvark, a GPT-5-powered autonomous agent on October 29, 2025, to detect, validate, and patch software vulnerabilities in code repositories. Operating in a multi-stage pipeline, it generates threat models, scans commits, tests exploits in sandboxes, and proposes fixes via pull requests, addressing over 40,000 CVEs reported in 2024. Currently in private beta, it aims to scale security analysis for developers without workflow disruptions.

    Read more: https://cybersecuritynews.com/aardvark-gpt-5-agent/


    The post Cybersecurity News Weekly Newsletter – EY Data Leak, Bind 9, Chrome Vulnerability, and Aardvar ChatGPT Agent appeared first on Cyber Security News.


  • EDR-Redir V2, an upgraded release of the tool, is designed to evade Endpoint Detection and Response (EDR) systems by exploiting Windows bind link technology in a novel way.

    According to the researcher TwoSevenOneT, the version targets the parent directories of EDR installations, such as Program Files, to create redirection loops that blind security software without disrupting legitimate applications.

    Previously, EDR-Redir used direct folder redirections, but protections often blocked those attempts; V2 circumvents this by looping subfolders back to themselves while isolating the EDR’s path for manipulation.

    The tool builds on Windows’ bind link feature, introduced in Windows 11 24H2, which allows filesystem namespace redirection via the bindflt.sys driver without kernel privileges.

    EDR solutions like antivirus programs typically lock down their subfolders in locations such as Program Files or ProgramData to prevent tampering, but they cannot fully restrict writes to parent directories without breaking system installations.

    EDR-Redir V2 queries all subfolders in the target parent, like Program Files, and mirrors them in a controlled directory, such as C:\TMP\TEMPDIR. It then establishes bidirectional bind links between these mirrors and originals, forming loops that maintain normal access for non-EDR software.

    The EDR’s specific subfolder, such as Windows Defender’s in C:\ProgramData\Microsoft, is excluded from the loop and redirected solely to the attacker’s TEMPDIR.

    This setup enables DLL hijacking or file drops in the redirected space, tricking the EDR into loading malicious components. Developers often overlook such parent-level redirections, potentially affecting a wide range of EDRs.

    EDR-Redir V2 on Windows Defender

    In a demonstration on Windows 11, TwoSevenOneT applied EDR-Redir V2 against Windows Defender, located in C:\ProgramData\Microsoft\Windows Defender.

    The tool was executed with parameters specifying the target folder, redirection destination, and exception path: EDR-Redir.exe C:\ProgramData\Microsoft c:\TMP\TEMPDIR "C:\ProgramData\Microsoft\Windows Defender".

    Console output detailed the bind link creations, confirming success without errors. Post-execution, Defender’s access attempts looped through TEMPDIR, effectively blinding it to its original files and allowing potential evasion tactics.

    A visualization showed the redirection in action, with Defender viewing TEMPDIR as its operational parent. The GitHub repository for EDR-Redir provides the tool for download and further testing. A demo video on YouTube illustrates the process in real-time.

    This technique highlights vulnerabilities in how EDRs protect against filesystem manipulations at the parent level, rendering folder-specific safeguards ineffective. Attackers could disable EDR services or inject code, operating undetected in user mode with minimal events.

    While no widespread exploits are reported yet, the method’s simplicity raises concerns for enterprise environments. Defenders should monitor bind link usage in critical directories like Program Files and implement integrity checks on EDR paths.

    EDR vendors may need to enhance protections for parent folders without impeding usability. TwoSevenOneT shares ongoing research on X (@TwoSevenOneT) for pentesting insights. As evasion tools evolve, proactive monitoring of kernel filters remains essential.


    The post New EDR-Redir V2 Blinds Windows Defender on Windows 11 With Fake Program Files appeared first on Cyber Security News.


  • Loss of internet access in rural areas is considerably more serious, as it disrupts education, work, and communication. Despite such hurdles, it is rural internet providers serving such remote communities and getting them connected. By understanding what these providers can offer, residents in the area will be able to choose the best path to connectivity, […]

    The post What Rural Internet Providers Offer Remote Communities appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.


  • OpenAI has unveiled Aardvark, an autonomous AI agent powered by its cutting-edge GPT-5 model, designed to detect software vulnerabilities and automatically propose fixes.

    This tool aims to empower developers and security teams by scaling human-like analysis across vast codebases, addressing the escalating challenge of protecting software in an era where over 40,000 new Common Vulnerabilities and Exposures (CVEs) were reported in 2024 alone.

    By integrating advanced reasoning and tool usage, Aardvark shifts the balance toward defenders, enabling proactive threat mitigation without disrupting development workflows. Announced on October 29, 2025, the agent is now available in private beta, marking a pivotal step in AI-driven security research.

    How Aardvark Operates

    Aardvark functions through a sophisticated multi-stage pipeline that mimics the investigative process of a seasoned security researcher.

    It begins with a comprehensive analysis of an entire repository to generate a threat model, capturing the project’s security objectives and potential risks.

    Next, during commit scanning, the agent examines code changes against this model, identifying vulnerabilities in real-time as developers push updates; for initial integrations, it reviews historical commits to uncover latent issues.

    Explanations are provided step-by-step, with annotated code snippets for easy human review, ensuring transparency.

    Following detection, validation occurs in a sandboxed environment where Aardvark attempts to exploit the flaw, confirming its real-world impact and minimizing false positives.

    This isolated testing describes the exact steps taken, delivering high-fidelity insights. For remediation, Aardvark leverages OpenAI’s Codex to generate precise patches, attaching them directly to findings for one-click application after review.

    Unlike traditional methods such as fuzzing or static analysis, Aardvark employs LLM-powered reasoning to comprehend code behavior deeply, also spotting non-security bugs like logic errors.

    The process integrates seamlessly with GitHub and other tools, maintaining development velocity.

    Aardvark GPT-5 Agent workflow

    Already deployed internally at OpenAI and with alpha partners for months, Aardvark has proven its value by surfacing critical vulnerabilities under complex conditions, bolstering defensive postures.

    Benchmark tests on curated repositories revealed that it detected 92% of known and synthetic flaws, showcasing robust recall. In open-source applications, the agent identified multiple issues, leading to responsible disclosures and ten CVEs, underscoring its role in ecosystem-wide security.

    OpenAI commits to pro-bono scanning for select non-commercial projects, aligning with an updated coordinated disclosure policy that prioritizes collaboration over strict timelines.

    This approach fosters sustainable vulnerability management amid rising bug introductions; about 1.2% of commits harbor flaws with potentially devastating effects.

    Aardvark signals a defender-first paradigm, treating software vulnerabilities as systemic risks to infrastructure and society. By automating detection, validation, and patching, it democratizes expert-level security, potentially reducing exploitation timelines.

    Private beta invitations are open to select partners for collaborative refinement of accuracy and integration. As AI evolves, tools like Aardvark promise to fortify innovation against cyber threats, ensuring safer digital landscapes.

    The post OpenAI’s New Aardvark GPT-5 Agent that Detects and Fixes Vulnerabilities Automatically appeared first on Cyber Security News.

  • The Australian Signals Directorate (ASD) has issued a bulletin about ongoing cyber attacks targeting unpatched Cisco IOS XE devices in the country with a previously undocumented implant known as BADCANDY. The activity, per the intelligence agency, involves the exploitation of CVE-2023-20198 (CVSS score: 10.0), a critical vulnerability that allows a remote, unauthenticated attacker to create an

  • The discovery of a large-scale NPM ecosystem compromise in September 2025 has renewed focus on email security as the critical first line of defense against supply chain attacks. Threat actors successfully compromised multiple high-profile NPM developer accounts through a sophisticated phishing campaign, inserting malicious code into 20 popular packages that collectively received nearly 2.8 billion […]

    The post New Email Security Technique Prevents Phishing Attacks Behind NPM Breach appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • The notorious Akira ransomware gang announced on October 29, 2025, that it successfully penetrated the systems of Apache OpenOffice, claiming to have exfiltrated a staggering 23 gigabytes of sensitive corporate data. The group posted details on its dark web leak site, threatening to release the stolen information unless a ransom demand is met. This incident […]

    The post Akira Ransomware Strikes Apache OpenOffice, Allegedly Exfiltrates 23GB of Data appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • Security researchers have uncovered a sophisticated attack technique that exploits the trust relationships built into AI agent communication systems.

    The attack, termed agent session smuggling, allows a malicious AI agent to inject covert instructions into established cross-agent communication sessions, effectively taking control of victim agents without user awareness or consent. This discovery highlights a critical vulnerability in multi-agent AI ecosystems that operate across organizational boundaries.

    How Agent Session Smuggling Works

    The attack targets systems using the Agent2Agent (A2A) protocol, an open standard designed to facilitate interoperable communication between AI agents regardless of vendor or architecture.

    The A2A protocol’s stateful nature—its ability to remember recent interactions and maintain coherent conversations—becomes the attack’s enabling weakness.

    Unlike previous threats that rely on tricking an agent with a single malicious input, agent session smuggling represents a fundamentally different threat model: a rogue AI agent can hold conversations, adapt its strategy and build false trust over multiple interactions.

    The attack exploits a critical design assumption in many AI agent architectures: agents are typically designed to trust other collaborating agents by default.

    Once a session is established between a client agent and a malicious remote agent, the attacker can stage progressive, adaptive attacks across multiple conversation turns. The injected instructions remain invisible to end users, who typically only see the final consolidated response from the client agent, making detection extraordinarily difficult in production environments.

    Understanding the Attack Surface

    Research demonstrates that agent session smuggling represents a threat class distinct from previously documented AI vulnerabilities. While straightforward attacks might attempt to manipulate a victim agent with a single deceptive email or document, a compromised agent serving as an intermediary becomes a far more dynamic adversary.

    The attack’s feasibility stems from four key properties: stateful session management allowing context persistence, multi-turn interaction capabilities enabling progressive instruction injection, autonomous and adaptive reasoning powered by AI models, and invisibility to end users who never observe the smuggled interactions.

    The distinction between the A2A protocol and the similar Model Context Protocol (MCP) proves important here. MCP primarily handles LLM-to-tool communication through a centralized integration model, operating in a largely stateless manner.

    A2A, by contrast, emphasizes decentralized agent-to-agent orchestration with persistent state across collaborative workflows. This architectural difference means MCP’s static, deterministic nature limits the multi-turn attacks that make agent session smuggling particularly dangerous.

    Real-World Attack Scenarios

    Security researchers developed proof-of-concept demonstrations using a financial assistant as the client agent and a research assistant as the malicious remote agent.

    The first scenario involved sensitive information leakage, where the malicious agent issued seemingly harmless clarification questions that gradually tricked the financial assistant into disclosing its internal system configuration, chat history, tool schemas and even prior user conversations.

    The user asks the financial assistant to retrieve the investment portfolio and profile, followed by a request for a briefing on AI market news.

    Developer web UI. The right side shows internal exchanges between the financial assistant and the research assistant.

    Crucially, these intermediate exchanges would remain completely invisible in production chatbot interfaces—developers would only see them through specialized developer tools.

    The second scenario demonstrated unauthorized tool invocation capabilities. The research assistant manipulated the financial assistant into executing unauthorized stock purchase operations without user knowledge or approval.

    By injecting hidden instructions between legitimate requests and responses, the attacker successfully completed high-impact actions that should have required explicit user confirmation. These proofs-of-concept illustrate how agent session smuggling can escalate from information exfiltration to direct unauthorized actions affecting user assets.

    Defending against agent session smuggling requires a comprehensive security architecture addressing multiple attack surfaces. The most critical defense involves enforcing out-of-band confirmation for sensitive actions through human-in-the-loop approval mechanisms.

    When agents receive instructions for high-impact operations, execution should pause and trigger confirmation prompts through separate static interfaces or push notifications—channels the AI model cannot influence.

    Financial assistant’s activity log showing unauthorized stock purchase triggered by smuggled instructions.

    Implementation of context-grounding techniques can algorithmically enforce conversational integrity by validating that remote agent instructions remain semantically aligned with the original user request’s intent.

    Significant deviations should trigger automatic session termination. Additionally, secure agent communication requires cryptographic validation of agent identity and capabilities through signed AgentCards before session establishment, establishing verifiable trust foundations and creating tamper-evident interaction records.

    Organizations should also expose client agent activity directly to end users through real-time activity dashboards, tool execution logs and visual indicators of remote instructions. By making invisible interactions visible, organizations significantly improve detection rates and user awareness of potentially suspicious agent behavior.
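
    The two controls described above, out-of-band confirmation for sensitive tools and a user-visible, tamper-evident activity log, can be combined in a single gate between the client agent's model and its tools. The sketch below is an added example, not code from the researchers or from any A2A implementation; the tool names, the `origin` label and the approver callback are assumptions made for illustration.

```python
import hashlib
import json

# Hypothetical tool names for the financial-assistant scenario (assumptions).
SENSITIVE_TOOLS = {"buy_stock", "sell_stock", "transfer_funds"}


def _digest(entry):
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()


class ToolGate:
    """Sits between the client agent's model and its tools."""

    def __init__(self, confirm_out_of_band):
        # confirm_out_of_band(tool, args, origin) -> bool must be backed by a
        # channel the model cannot write to (push notification, static UI).
        self.confirm = confirm_out_of_band
        self.log = []  # hash-chained, user-visible activity log

    def invoke(self, tool, args, origin, tools):
        """origin: 'user' or 'remote_agent', i.e. whose turn produced the call."""
        allowed = tool not in SENSITIVE_TOOLS or self.confirm(tool, args, origin)
        entry = {"tool": tool, "args": args, "origin": origin, "allowed": allowed,
                 "prev": self.log[-1]["hash"] if self.log else "0" * 64}
        entry["hash"] = _digest(entry)
        self.log.append(entry)
        return tools[tool](**args) if allowed else None

    def verify_log(self):
        """True only if the chain is intact (no entry edited or reordered)."""
        prev = "0" * 64
        for e in self.log:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True


def demo():
    """Constructed session: a news request, then a smuggled purchase."""
    portfolio = []
    tools = {"get_news": lambda topic: f"news about {topic}",
             "buy_stock": lambda symbol, qty: portfolio.append((symbol, qty))}
    # Stand-in for the human approver: confirms only calls they asked for.
    gate = ToolGate(lambda tool, args, origin: origin == "user")
    news = gate.invoke("get_news", {"topic": "AI market"}, "user", tools)
    buy = gate.invoke("buy_stock", {"symbol": "EXMPL", "qty": 10}, "remote_agent", tools)
    return gate, portfolio, news, buy
```

    The gate assumes the orchestrator, not the model, assigns the `origin` label to each turn; a label the model can set provides no protection.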

    Critical Implications for AI Security

    While researchers have not yet observed agent session smuggling attacks in production environments, the technique’s low barrier to execution makes it a realistic near-term threat.

    An adversary need only convince a victim agent to connect to a malicious peer, after which covert instructions can be injected transparently. As multi-agent AI ecosystems expand globally and become more interconnected, their increased interoperability opens new attack surfaces that traditional security approaches cannot adequately address.

    The fundamental challenge stems from the inherent architectural tension between enabling useful agent collaboration and maintaining security boundaries.

    Organizations deploying multi-agent systems across trust boundaries must abandon assumptions of inherent trustworthiness and implement orchestration frameworks with comprehensive layered safeguards specifically designed to contain risks from adaptive, AI-powered adversaries.

    The post Agent Session Smuggling: How Malicious AI Hijacks Victim Agents appeared first on Cyber Security News.

  • In October 2025, cybersecurity researchers at Cyble Research and Intelligence Labs (CRIL) uncovered a sophisticated malware campaign distributing weaponized ZIP archives disguised as military documents. The attack specifically targeted Belarusian military personnel through a lure document titled “ТЛГ на убытие на переподготовку.pdf” (TLG for departure for retraining.pdf), with evidence suggesting the operation focused on collecting […]

    The post Hackers Hide SSH–Tor Backdoor Inside Weaponized Military Documents appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.

  • The U.S. Cybersecurity and Infrastructure Security Agency has added a critical Linux kernel vulnerability to its Known Exploited Vulnerabilities catalog, warning that threat actors are actively leveraging the security vulnerability in ransomware campaigns targeting organizations worldwide. The vulnerability, tracked as CVE-2024-1086, represents a significant threat to Linux-based systems and requires immediate attention from cybersecurity teams. […]

    The post CISA Alerts on Linux Kernel Vulnerability Exploited in Ransomware Attacks appeared first on GBHackers Security | #1 Globally Trusted Cyber Security News Platform.
