North Korean Lazarus Group Uses Trojanized MuPDF and Notepad++ Plugins to Target European UAV and Drone Technology Firms
Executive Summary: Recent threat intelligence from leading cybersecurity vendors, including ESET, has confirmed that North Korean state-sponsored actors, specifically the Lazarus Group (also known as APT38 or HIDDEN COBRA), are actively targeting European companies in the unmanned aerial vehicle (UAV) and drone technology sector. This campaign, identified as a new wave of Operation DreamJob, employs advanced social engineering, trojanized open-source software, and custom
Oct 26 · 5 min read


GlassWorm Supply Chain Attack: Self-Spreading Malware Infects Visual Studio Code (VS Code) Extensions via OpenVSX and Microsoft Marketplace
Executive Summary: A critical and highly sophisticated supply chain attack has emerged, leveraging a self-propagating malware known as GlassWorm to infect Visual Studio Code (VS Code) extensions. The campaign primarily targets the OpenVSX marketplace but has also breached the official Microsoft VS Code Marketplace. GlassWorm employs advanced evasion techniques, including invisible Unicode character obfuscation, and utilizes decentralized, blockchain-based command and cont
Oct 26 · 4 min read


Critical CVE-2025-59287 Vulnerability in Microsoft WSUS: Emergency Patch Issued to Prevent Remote Code Execution
Executive Summary: A critical vulnerability, CVE-2025-59287, has been identified in Microsoft Windows Server Update Services (WSUS), prompting the vendor to issue an emergency out-of-band patch on October 24, 2025. This remote code execution (RCE) flaw, with a CVSS score of 9.8, enables unauthenticated attackers to execute arbitrary code with SYSTEM privileges on affected Windows Server installations running the WSUS role. The vulnerability is being actively exploited in
Oct 26 · 5 min read


CoPhish Attack Exploits Microsoft Copilot Studio to Steal OAuth Tokens via Malicious Agents
Executive Summary: A sophisticated new phishing campaign, known as CoPhish, has emerged, exploiting the integration capabilities of Microsoft Copilot Studio to steal OAuth tokens from unsuspecting users. By leveraging the trusted Microsoft domain and the low-code agent creation features of Copilot Studio, adversaries are able to craft highly convincing phishing workflows that redirect users to malicious OAuth consent pages. Once a user grants consent, their OAuth tokens are
Oct 26 · 5 min read


APT36 Deploys Golang DeskRAT Malware via Phishing Against Indian Government Linux Systems
Executive Summary: The latest campaign attributed to APT36 (also known as Transparent Tribe, Mythic Leopard, and EarthKarkaddan) demonstrates a significant escalation in the group’s technical sophistication and operational focus. Leveraging a custom Golang-based DeskRAT malware, the threat actor has targeted Indian government and defense entities, specifically those operating Linux-based infrastructure. The infection vector is a highly convincing spearphishing email conta
Oct 26 · 4 min read


China Accuses US NSA of Cyberattacks Targeting National Time Service Center (2022-2024)
Executive Summary: Between 2022 and 2024, the Chinese Ministry of State Security publicly accused the US National Security Agency (NSA) of conducting a series of cyberattacks against China’s National Time Service Center. According to official statements released on October 19-20, 2025, the attacks allegedly began with the exploitation of vulnerabilities in the messaging service of a foreign mobile phone brand used by staff at the center, resulting in the theft of sensitive i
Oct 20 · 6 min read


MSS Accuses NSA of Multi-Stage Cyberattack Using 42 Tools Against China’s National Time Service Center (NTSC)
Executive Summary: On October 19 and 20, 2025, the Chinese Ministry of State Security (MSS) publicly accused the U.S. National Security Agency (NSA) of conducting a sophisticated, multi-stage cyberattack against the National Time Service Center (NTSC) in Xi’an, China. The NTSC is responsible for generating, maintaining, and distributing the national standard of time, known as Beijing Time, which underpins critical sectors including communications, finance, power, transp
Oct 20 · 7 min read


Critical CVE-2025-54957 Dolby Decoder Vulnerability Enables Zero-Click RCE Attacks on Android Devices
Executive Summary: A critical vulnerability, CVE-2025-54957, has been identified in the Dolby DDPlus Unified Decoder that enables zero-click remote code execution (RCE) attacks, with the most severe impact observed on Android devices. This flaw, discovered by Google Project Zero, can be exploited by sending a specially crafted audio file through messaging applications that support RCS (Rich Communication Services). The vulnerability is present in the Dolby decoder librar
Oct 20 · 6 min read


TikTok ClickFix Attacks Targeting Windows Users: Infostealer Malware Delivered via PowerShell Social Engineering
Executive Summary: The proliferation of TikTok as a global social media platform has introduced a new and highly effective vector for cybercriminals to distribute information-stealing malware, commonly referred to as infostealers. Recent intelligence has identified a surge in the use of the so-called ClickFix attack technique, wherein threat actors publish short, engaging TikTok videos that purport to offer free activation or cracked versions of popular software such as Wind
Oct 20 · 5 min read


Critical CVEs Impacting ConnectWise Automate: Urgent Patch Required to Prevent AiTM Update Attacks
Executive Summary: ConnectWise has issued urgent security updates for its Automate remote monitoring and management (RMM) platform, remediating two critical vulnerabilities—CVE-2025-11492 and CVE-2025-11493—that enable adversary-in-the-middle (AiTM) update attacks. These flaws allow attackers to intercept, manipulate, and inject malicious updates into agent communications, potentially resulting in full compromise of managed endpoints. The vulnerabilities are especially da
Oct 19 · 4 min read


Microsoft Teams Targeted: Vanilla Tempest Abuses Azure Certificates in Ransomware Attack Disrupted by Microsoft
Executive Summary: In October 2025, Microsoft executed a significant disruption of a sophisticated ransomware campaign that exploited the trust model of code-signing by abusing over 200 Azure and third-party certificates. The campaign, orchestrated by the threat group Vanilla Tempest (also tracked as VICE SPIDER and Vice Society), leveraged fraudulent certificates to sign malicious installers masquerading as legitimate Microsoft Teams applications. These installers deliv
Oct 19 · 4 min read


Envoy Air Data Breach: Clop Ransomware Exploits Oracle E-Business Suite Zero-Day (CVE-2025-61882)
Executive Summary: Envoy Air, a regional airline and subsidiary of American Airlines, has confirmed a data breach resulting from the exploitation of a critical zero-day vulnerability in the Oracle E-Business Suite (EBS) application. The attack, attributed to the Clop ransomware gang, led to the compromise of a limited amount of business information and commercial contact details. No sensitive or customer data was affected, and there was no impact on flight or airport ground
Oct 19 · 5 min read


Critical WatchGuard Fireware OS VPN Vulnerability (CVE-2025-9242) Allows Unauthenticated Remote Device Takeover
Executive Summary: A critical vulnerability in WatchGuard's Fireware OS—tracked as CVE-2025-9242 and assigned a CVSS score of 9.3—has been uncovered by security researchers, enabling unauthenticated remote attackers to execute arbitrary code and potentially take full control of affected devices. The flaw resides in the IKEv2 VPN implementation and is particularly dangerous due to its pre-authentication attack vector, meaning attackers do not require valid credentials to exp
Oct 19 · 5 min read


Europol Dismantles SIMCARTEL SIM Box Network Used for Mass Fake Account Creation and Global Cybercrime
Executive Summary: On October 10, 2025, European law enforcement agencies, coordinated by Europol, dismantled a sophisticated SIM box operation known as SIMCARTEL. This criminal network provided cybercriminals with access to over 40,000 phone numbers from more than 80 countries, enabling the creation of approximately 49 million fraudulent online accounts and facilitating at least 3,200 confirmed fraud cases. The operation resulted in seven arrests, the seizure of 1,200 SIM b
Oct 19 · 7 min read


North Korean APTs Target Node.js Ecosystem: BeaverTail-OtterCookie JavaScript Malware Exploits npm Supply Chain and Developer Tools
Executive Summary: North Korean advanced persistent threat (APT) groups have significantly escalated their offensive cyber capabilities by merging the functionalities of BeaverTail and OtterCookie into a highly modular, advanced JavaScript malware suite. This new threat, observed in the "Contagious Interview" campaign, leverages sophisticated social engineering, supply chain attacks via malicious npm packages, and innovative command-and-control (C2) techniques utilizing blo
Oct 19 · 4 min read


CAPI Backdoor: New .NET Malware Targets Windows Systems in Russian Automotive and E-Commerce Sectors via Phishing ZIP Files
Executive Summary: A newly discovered .NET-based backdoor, known as CAPI Backdoor, is actively targeting Russian automobile and e-commerce organizations through a sophisticated phishing campaign. The attack leverages ZIP archives delivered via email, containing a malicious Windows shortcut (LNK) and a decoy Russian-language document. Upon execution, the LNK file deploys a .NET stealer and backdoor, enabling credential theft, system reconnaissance, and persistent remote access
Oct 19 · 5 min read


Zendesk Email Bomb Attacks: Exploiting Lax Authentication and Anonymous Ticket Creation
Executive Summary: A critical exploitation vector has emerged targeting Zendesk customer service platforms, wherein threat actors leverage lax authentication configurations to orchestrate large-scale “email bomb” attacks. By exploiting the default or permissive settings that allow anonymous ticket creation and unverified email addresses, adversaries can automate the submission of thousands of support tickets using a victim’s email address. This results in the victim’s inbox b
Oct 19 · 5 min read


Microsoft Teams Targeted in Rhysida Ransomware Campaign: Over 200 Fraudulent Certificates Revoked by Microsoft
Executive Summary: In October 2025, Microsoft took decisive action to revoke over 200 fraudulent code-signing certificates that had been systematically abused in a sophisticated campaign orchestrated by the threat actor known as Vanilla Tempest (also tracked as Vice Society, VICE SPIDER, and Storm-0832). These certificates were used to sign malicious binaries, most notably trojanized installers for Microsoft Teams, which were then distributed via search engine optimizati
Oct 19 · 5 min read


Silver Fox Expands Winos 4.0 (ValleyRAT) and HoldingHands RAT Cyber Attacks to Japan and Malaysia
Executive Summary: The advanced persistent threat group known as Silver Fox has significantly escalated its cyber-espionage operations by expanding the deployment of the Winos 4.0 malware platform and the HoldingHands RAT to new geographies, specifically targeting organizations in Japan and Malaysia. Previously focused on China and Taiwan, Silver Fox now leverages highly sophisticated phishing campaigns, SEO poisoning, and advanced persistence and evasion techniques to com
Oct 19 · 5 min read


Comprehensive Analysis of TA585’s MonsterV2 Malware: Attack Chain, Technical Innovations, and Risks to Windows Systems
Executive Summary (Publication Date: October 2025): Researchers have recently exposed the capabilities and attack chain of the cybercriminal group TA585 and its use of the advanced malware suite MonsterV2. This report provides a comprehensive analysis of the technical innovations, operational risks, and security implications associated with MonsterV2 and the unique tactics employed by TA585. The findings highlight the growing sophistication of cybercrime operations and under
Oct 15 · 5 min read