University of Pennsylvania PennKey SSO Breach Exposes 1.2 Million Donor Records in Major Data Leak
Executive Summary: On October 30, 2025, a threat actor gained unauthorized access to the University of Pennsylvania’s (Penn) internal systems by compromising an employee’s PennKey Single Sign-On (SSO) account. This breach enabled the attacker to access multiple critical platforms, including Salesforce Marketing Cloud, Qlik, SAP, and SharePoint, resulting in the exfiltration of sensitive data belonging to approximately 1.2 million donors, alumni, and students. The compro
Nov 4 · 6 min read


University of Pennsylvania ‘We Got Hacked’ Email Incident: Abuse of connect.upenn.edu on Salesforce Marketing Cloud
Executive Summary: On October 31, 2025, the University of Pennsylvania experienced a coordinated campaign in which offensive emails with the subject "We got hacked (Action Required)" were sent to students, alumni, and faculty from various university email addresses, including those associated with the Graduate School of Education. The emails claimed that university data had been stolen and threatened to leak sensitive information, while also containing highly offensive languag
Nov 2 · 6 min read


Nation-State Supply Chain Attack: Ribbon Communications IT Network Breach Exposes Telecom Sector Vulnerabilities
Executive Summary: Ribbon Communications, a major U.S. telecommunications and networking provider, experienced a prolonged network breach attributed to a nation-state actor. The intrusion began as early as December 2024 and was detected in September 2025, with public disclosure following on October 23, 2025 (TechCrunch, BleepingComputer, GovInfoSecurity). The attackers accessed Ribbon’s IT network for nearly a year, compromising files belonging to several customers store
Nov 2 · 6 min read


China-Linked Tick Group Exploits Lanscope Endpoint Manager Zero-Day (CVE-2025-61932) in Targeted Attacks
Executive Summary: A critical zero-day vulnerability in Motex Lanscope Endpoint Manager (tracked as CVE-2025-61932) has been exploited in the wild by a sophisticated China-linked threat actor known as Tick (also referred to as Bronze Butler, Daserf, REDBALDKNIGHT, Stalker Panda, Stalker Taurus, and Swirl Typhoon). This vulnerability enables remote, unauthenticated attackers to execute arbitrary commands with SYSTEM privileges on vulnerable on-premises installations of
Nov 2 · 4 min read


Airstalk Malware Exploits VMware Workspace ONE UEM APIs in Sophisticated Nation-State Supply Chain Attack
Executive Summary: A newly identified malware family, Airstalk, has emerged as a significant threat in the cybersecurity landscape, representing a sophisticated supply chain attack attributed to a suspected nation-state actor. Airstalk leverages the trusted AirWatch (now VMware Workspace ONE UEM) MDM API as a covert command-and-control (C2) channel, enabling attackers to exfiltrate sensitive browser data and screenshots from compromised endpoints. The malware is distributed
Nov 2 · 4 min read


Meduza Stealer Malware: Russian Authorities Arrest Suspected Operators After Astrakhan Government Data Breach
Executive Summary: Russian law enforcement authorities have arrested three individuals in Moscow and the surrounding region, suspected to be the primary developers and operators of the Meduza Stealer malware. This action follows a significant breach in May 2025, where the group used Meduza Stealer to exfiltrate confidential data from a government institution in Astrakhan, Russia. The malware, which has been active since mid-2023, is a sophisticated information stealer distri
Nov 2 · 6 min read


UNC6384 Exploits Windows LNK Vulnerability (CVE-2025-9491) to Target European Diplomatic Entities
Executive Summary: A highly sophisticated cyber-espionage campaign orchestrated by the Chinese-affiliated threat group UNC6384 has been observed targeting European diplomatic entities. The campaign leverages a recently disclosed Windows shortcut vulnerability, ZDI-CAN-25373 (now tracked as CVE-2025-9491), to deliver the notorious PlugX remote access trojan (RAT) through advanced spearphishing and social engineering tactics. The operation demonstrates rapid vulnerability
Nov 2 · 4 min read


Russian Ransomware Groups Exploit AdaptixC2: Advanced Attacks Targeting Windows, Linux, and macOS Systems
Executive Summary: Russian ransomware gangs have escalated their operational sophistication by weaponizing the open-source AdaptixC2 command-and-control (C2) framework for advanced cyberattacks. Originally developed for legitimate red teaming and penetration testing, AdaptixC2 has been rapidly adopted by threat actors due to its modular, cross-platform architecture, robust encryption, and flexible post-exploitation capabilities. Intelligence from multiple OSINT sources confi
Nov 2 · 4 min read


Qilin (Agenda) Ransomware Targets Windows and Linux with Hybrid BYOVD Exploit and Cross-Platform Payloads
Executive Summary: The Qilin ransomware group, also known as Agenda, has recently escalated its threat profile by orchestrating sophisticated hybrid attacks that combine a Linux-based ransomware payload with a Bring Your Own Vulnerable Driver (BYOVD) exploit. This dual-pronged approach enables adversaries to target both Windows and Linux environments, bypassing traditional endpoint defenses and maximizing operational disruption. The group’s latest campaigns leverage cross-p
Oct 27 · 5 min read


Smishing Triad Exploits SMS Phishing to Target USPS, E-ZPass, IRS, and Financial Systems Using 194,000 Malicious Domains Globally
Executive Summary: The Smishing Triad represents a sophisticated, China-linked cybercrime syndicate orchestrating one of the largest global phishing operations ever observed, leveraging over 194,000 malicious domains since early 2024. This campaign primarily exploits SMS-based phishing, or smishing, to target mobile users across more than 120 countries, including the United States, Germany, the United Kingdom, France, and numerous others. By impersonating trusted entities su
Oct 26 · 5 min read


North Korean Lazarus Group Uses Trojanized MuPDF and Notepad++ Plugins to Target European UAV and Drone Technology Firms
Executive Summary: Recent threat intelligence from leading cybersecurity vendors, including ESET, has confirmed that North Korean state-sponsored actors, specifically the Lazarus Group (also known as APT38 or HIDDEN COBRA), are actively targeting European companies in the unmanned aerial vehicle (UAV) and drone technology sector. This campaign, identified as a new wave of Operation DreamJob, employs advanced social engineering, trojanized open-source software, and custom
Oct 26 · 5 min read


GlassWorm Supply Chain Attack: Self-Spreading Malware Infects Visual Studio Code (VS Code) Extensions via OpenVSX and Microsoft Marketplace
Executive Summary: A critical and highly sophisticated supply chain attack has emerged, leveraging a self-propagating malware known as GlassWorm to infect Visual Studio Code (VS Code) extensions. The campaign primarily targets the OpenVSX marketplace but has also breached the official Microsoft VS Code Marketplace. GlassWorm employs advanced evasion techniques, including invisible Unicode character obfuscation, and utilizes decentralized, blockchain-based command and cont
Oct 26 · 4 min read


Critical CVE-2025-59287 Vulnerability in Microsoft WSUS: Emergency Patch Issued to Prevent Remote Code Execution
Executive Summary: A critical vulnerability, CVE-2025-59287, has been identified in Microsoft Windows Server Update Services (WSUS), prompting the vendor to issue an emergency out-of-band patch on October 24, 2025. This remote code execution (RCE) flaw, with a CVSS score of 9.8, enables unauthenticated attackers to execute arbitrary code with SYSTEM privileges on affected Windows Server installations running the WSUS role. The vulnerability is being actively exploited in
Oct 26 · 5 min read


CoPhish Attack Exploits Microsoft Copilot Studio to Steal OAuth Tokens via Malicious Agents
Executive Summary: A sophisticated new phishing campaign, known as CoPhish, has emerged, exploiting the integration capabilities of Microsoft Copilot Studio to steal OAuth tokens from unsuspecting users. By leveraging the trusted Microsoft domain and the low-code agent creation features of Copilot Studio, adversaries are able to craft highly convincing phishing workflows that redirect users to malicious OAuth consent pages. Once a user grants consent, their OAuth tokens are
Oct 26 · 5 min read


APT36 Deploys Golang DeskRAT Malware via Phishing Against Indian Government Linux Systems
Executive Summary: The latest campaign attributed to APT36 (also known as Transparent Tribe, Mythic Leopard, and EarthKarkaddan) demonstrates a significant escalation in the group’s technical sophistication and operational focus. Leveraging a custom Golang-based DeskRAT malware, the threat actor has targeted Indian government and defense entities, specifically those operating Linux-based infrastructure. The infection vector is a highly convincing spearphishing email conta
Oct 26 · 4 min read


China Accuses US NSA of Cyberattacks Targeting National Time Service Center (2022-2024)
Executive Summary: Between 2022 and 2024, the Chinese Ministry of State Security publicly accused the US National Security Agency (NSA) of conducting a series of cyberattacks against China’s National Time Service Center. According to official statements released on October 19-20, 2025, the attacks allegedly began with the exploitation of vulnerabilities in the messaging service of a foreign mobile phone brand used by staff at the center, resulting in the theft of sensitive i
Oct 20 · 6 min read


MSS Accuses NSA of Multi-Stage Cyberattack Using 42 Tools Against China’s National Time Service Center (NTSC)
Executive Summary: On October 19 and 20, 2025, the Chinese Ministry of State Security (MSS) publicly accused the U.S. National Security Agency (NSA) of conducting a sophisticated, multi-stage cyberattack against the National Time Service Center (NTSC) in Xi’an, China. The NTSC is responsible for generating, maintaining, and distributing the national standard of time, known as Beijing Time, which underpins critical sectors including communications, finance, power, transp
Oct 20 · 7 min read


Critical CVE-2025-54957 Dolby Decoder Vulnerability Enables Zero-Click RCE Attacks on Android Devices
Executive Summary: A critical vulnerability, CVE-2025-54957, has been identified in the Dolby DDPlus Unified Decoder that enables zero-click remote code execution (RCE) attacks, with the most severe impact observed on Android devices. This flaw, discovered by Google Project Zero, can be exploited by sending a specially crafted audio file through messaging applications that support RCS (Rich Communication Services). The vulnerability is present in the Dolby decoder librar
Oct 20 · 6 min read


TikTok ClickFix Attacks Targeting Windows Users: Infostealer Malware Delivered via PowerShell Social Engineering
Executive Summary: The proliferation of TikTok as a global social media platform has introduced a new and highly effective vector for cybercriminals to distribute information-stealing malware, commonly referred to as infostealers. Recent intelligence has identified a surge in the use of the so-called ClickFix attack technique, wherein threat actors publish short, engaging TikTok videos that purport to offer free activation or cracked versions of popular software such as Wind
Oct 20 · 5 min read


Critical CVEs Impacting ConnectWise Automate: Urgent Patch Required to Prevent AiTM Update Attacks
Executive Summary: ConnectWise has issued urgent security updates for its Automate remote monitoring and management (RMM) platform, remediating two critical vulnerabilities—CVE-2025-11492 and CVE-2025-11493—that enable adversary-in-the-middle (AiTM) update attacks. These flaws allow attackers to intercept, manipulate, and inject malicious updates into agent communications, potentially resulting in full compromise of managed endpoints. The vulnerabilities are especially da
Oct 19 · 4 min read