UNC6384 Exploits Windows LNK Vulnerability (CVE-2025-9491) to Target European Diplomatic Entities
Executive Summary: A highly sophisticated cyber-espionage campaign orchestrated by the Chinese-affiliated threat group UNC6384 has been observed targeting European diplomatic entities. The campaign leverages a recently disclosed Windows shortcut vulnerability, ZDI-CAN-25373 (now tracked as CVE-2025-9491), to deliver the notorious PlugX remote access trojan (RAT) through advanced spearphishing and social engineering tactics. The operation demonstrates rapid vulnerability
Nov 2, 4 min read


Russian Ransomware Groups Exploit AdaptixC2: Advanced Attacks Targeting Windows, Linux, and macOS Systems
Executive Summary: Russian ransomware gangs have escalated their operational sophistication by weaponizing the open-source AdaptixC2 command-and-control (C2) framework for advanced cyberattacks. Originally developed for legitimate red teaming and penetration testing, AdaptixC2 has been rapidly adopted by threat actors due to its modular, cross-platform architecture, robust encryption, and flexible post-exploitation capabilities. Intelligence from multiple OSINT sources confi
Nov 2, 4 min read


Canadian Critical Infrastructure Hack: Hacktivists Tamper With ICS at Water, Oil, and Agriculture Facilities
Executive Summary: The Canadian Centre for Cyber Security has confirmed that multiple critical infrastructure facilities in Canada, including a water treatment plant, an oil and gas company, and an agricultural operation, were targeted by hacktivists who successfully tampered with Industrial Control Systems (ICS). These incidents resulted in operational disruptions such as degraded water service, false alarms in oil storage systems, and unsafe environmental conditions in agr
Oct 30, 6 min read


AdaptixC2 Under Fire: Russian Ransomware Gangs Weaponize Open-Source C2 Framework for Advanced Attacks
Executive Summary: Russian ransomware gangs have recently escalated their operational sophistication by weaponizing the open-source AdaptixC2 command-and-control (C2) framework. Originally developed for legitimate red teaming and adversarial simulation, AdaptixC2 is now being actively abused to orchestrate advanced ransomware campaigns, facilitate initial access, maintain persistence, and deploy secondary payloads such as CountLoader. This development marks a significant ev
Oct 30, 4 min read


Brash Exploit: Critical Chromium Browser Zero-Day Enables Instant DoS via Malicious URL
Executive Summary: A newly disclosed vulnerability, designated as Brash, has emerged as a critical threat to all Chromium-based browsers. This exploit leverages a flaw in the Blink rendering engine’s handling of the document.title API, enabling a remote attacker to crash the browser instantly with a single malicious URL. The exploit is trivial to weaponize, requires no user interaction beyond visiting a crafted web page, and is already being observed in the wild. Public pr
Oct 30, 5 min read


PhantomRaven Supply Chain Attack: 126 Malicious npm Packages Stealing GitHub Tokens and CI/CD Secrets
Executive Summary: A highly sophisticated supply chain attack, designated as PhantomRaven, has been uncovered within the npm ecosystem, representing a significant escalation in the threat landscape for software development organizations and open-source contributors. This campaign involves at least 126 malicious npm packages that have been collectively downloaded over 86,000 times. The primary objective of PhantomRaven is the exfiltration of GitHub tokens, CI/CD secrets,
Oct 30, 5 min read


ThreatsDay Bulletin: BIND 9 DNS Poisoning (CVE-2025-40778), NPM Supply-Chain Attack, Rust Malware, and Emerging RATs Targeting Modern Infrastructure
Executive Summary: The cyber threat landscape has entered a new era of sophistication and scale, as evidenced by four critical developments: the BIND 9 DNS poisoning flaw (CVE-2025-40778), the unprecedented JavaScript NPM supply-chain heist, the emergence of Rust-based malware such as EDDIESTEALER, and a surge in new Remote Access Trojans (RATs) leveraging modern programming languages and cross-platform capabilities. These threats collectively target the foundational layer
Oct 30, 6 min read


LinkedIn Phishing Attack Exploits Microsoft 365 Accounts to Target Finance Executives with Fake Board Invites
Executive Summary: Date: October 30, 2025. A highly sophisticated phishing campaign is currently targeting finance executives through LinkedIn direct messages, leveraging fake board invitations as a lure. The attackers impersonate reputable investment funds and asset management branches, enticing high-value targets such as CFOs, VPs, and directors to engage with malicious links. The primary objective is to harvest Microsoft credentials and session cookies using advanced...
Oct 30, 4 min read


Conduent Business Solutions Data Breach (2024-2025): Over 10.5 Million Affected Across Healthcare, Government, and Insurance Systems
Executive Summary: Between October 21, 2024, and January 13, 2025, Conduent Business Solutions LLC experienced a significant data breach that resulted in unauthorized access to sensitive information belonging to over 10.5 million individuals. The breach was first discovered in January 2025 following service disruptions reported by state agencies, including the Wisconsin Child Support Trust Fund. Subsequent forensic investigations traced the initial intrusion to October 2024.
Oct 30, 6 min read


Google Refutes Claims of Massive Gmail Data Breach: Analysis Reveals Stolen Credentials Originated from Infostealer Malware, Not Google Systems
Executive Summary: Recent media reports claimed a massive data breach affecting millions of Gmail accounts, suggesting a direct compromise of Google infrastructure. However, after thorough analysis of official statements, technical evidence, and independent news coverage, there is no substantiated evidence of a direct breach of Gmail or Google systems. The data in question originated from infostealer malware logs and credential stuffing lists, which aggregate credentials s
Oct 28, 5 min read


Chrome Zero-Day Exploited: Memento Spyware Campaign Targets Windows Systems with LeetAgent and Dante Malware
Executive Summary: A highly sophisticated cyber-espionage campaign has been identified leveraging a previously unknown zero-day vulnerability in Google Chrome (CVE-2025-2783) to deliver advanced spyware attributed to Memento Labs (formerly known as Hacking Team). This operation, tracked as Operation ForumTroll, has primarily targeted organizations in Russia and Belarus, including media, academic, governmental, and financial sectors. The attack chain utilizes spear-phishing
Oct 28, 4 min read


TARmageddon (CVE-2025-62518): Critical Supply Chain Vulnerability in async-tar and tokio-tar Rust Libraries
Executive Summary: A critical security vulnerability, TARmageddon (CVE-2025-62518, CVSS 8.1), has been identified in the widely used Rust library async-tar and its derivatives, most notably the now-abandoned tokio-tar. This flaw enables attackers to "smuggle" additional archive entries during TAR extraction, resulting in file overwrites and the potential for remote code execution (RCE). The vulnerability has a broad impact, affecting major projects such as uv (Astral's Pyt
Oct 28, 5 min read


Operation ForumTroll: Italian Spyware Vendor Memento Labs Exploits Chrome Zero-Day (CVE-2025-2783) in Targeted Attacks on Russia and Belarus
Executive Summary: A newly uncovered cyber-espionage campaign has been attributed to the Italian spyware vendor Memento Labs (formerly known as Hacking Team and InTheCyber Group), leveraging a critical Google Chrome zero-day vulnerability, CVE-2025-2783, to deliver advanced surveillance malware. This campaign, tracked as Operation ForumTroll, has been active since at least February 2024 and is characterized by highly targeted spear-phishing attacks against organizations i
Oct 28, 5 min read


SideWinder Uses ClickOnce to Target South Asian Diplomatic Entities via MagTek ReaderConfiguration.exe Sideloading Attack Chain
Executive Summary: The SideWinder advanced persistent threat (APT) group has recently demonstrated a significant evolution in its cyber-espionage operations, targeting South Asian diplomatic and governmental entities with a novel attack chain leveraging the ClickOnce deployment technology. This campaign, active throughout 2024 and into 2025, marks a departure from SideWinder’s traditional reliance on Microsoft Office exploits, instead utilizing malicious PDF lures that dire
Oct 28, 5 min read


Qilin (Agenda) Ransomware Targets Windows and Linux with Hybrid BYOVD Exploit and Cross-Platform Payloads
Executive Summary: The Qilin ransomware group, also known as Agenda, has recently escalated its threat profile by orchestrating sophisticated hybrid attacks that combine a Linux-based ransomware payload with a Bring Your Own Vulnerable Driver (BYOVD) exploit. This dual-pronged approach enables adversaries to target both Windows and Linux environments, bypassing traditional endpoint defenses and maximizing operational disruption. The group’s latest campaigns leverage cross-p
Oct 27, 5 min read


Smishing Triad Exploits SMS Phishing to Target USPS, E-ZPass, IRS, and Financial Systems Using 194,000 Malicious Domains Globally
Executive Summary: The Smishing Triad represents a sophisticated, China-linked cybercrime syndicate orchestrating one of the largest global phishing operations ever observed, leveraging over 194,000 malicious domains since early 2024. This campaign primarily exploits SMS-based phishing, or smishing, to target mobile users across more than 120 countries, including the United States, Germany, the United Kingdom, France, and numerous others. By impersonating trusted entities su
Oct 26, 5 min read


North Korean Lazarus Group Uses Trojanized MuPDF and Notepad++ Plugins to Target European UAV and Drone Technology Firms
Executive Summary: Recent threat intelligence from leading cybersecurity vendors, including ESET, has confirmed that North Korean state-sponsored actors, specifically the Lazarus Group (also known as APT38 or HIDDEN COBRA), are actively targeting European companies in the unmanned aerial vehicle (UAV) and drone technology sector. This campaign, identified as a new wave of Operation DreamJob, employs advanced social engineering, trojanized open-source software, and custom
Oct 26, 5 min read


GlassWorm Supply Chain Attack: Self-Spreading Malware Infects Visual Studio Code (VS Code) Extensions via OpenVSX and Microsoft Marketplace
Executive Summary: A critical and highly sophisticated supply chain attack has emerged, leveraging a self-propagating malware known as GlassWorm to infect Visual Studio Code (VS Code) extensions. The campaign primarily targets the OpenVSX marketplace but has also breached the official Microsoft VS Code Marketplace. GlassWorm employs advanced evasion techniques, including invisible Unicode character obfuscation, and utilizes decentralized, blockchain-based command and cont
Oct 26, 4 min read


Critical CVE-2025-59287 Vulnerability in Microsoft WSUS: Emergency Patch Issued to Prevent Remote Code Execution
Executive Summary: A critical vulnerability, CVE-2025-59287, has been identified in Microsoft Windows Server Update Services (WSUS), prompting the vendor to issue an emergency out-of-band patch on October 24, 2025. This remote code execution (RCE) flaw, with a CVSS score of 9.8, enables unauthenticated attackers to execute arbitrary code with SYSTEM privileges on affected Windows Server installations running the WSUS role. The vulnerability is being actively exploited in
Oct 26, 5 min read


CoPhish Attack Exploits Microsoft Copilot Studio to Steal OAuth Tokens via Malicious Agents
Executive Summary: A sophisticated new phishing campaign, known as CoPhish, has emerged, exploiting the integration capabilities of Microsoft Copilot Studio to steal OAuth tokens from unsuspecting users. By leveraging the trusted Microsoft domain and the low-code agent creation features of Copilot Studio, adversaries are able to craft highly convincing phishing workflows that redirect users to malicious OAuth consent pages. Once a user grants consent, their OAuth tokens are
Oct 26, 5 min read