Welcome to your biweekly digest of curated cybersecurity intelligence.
Every two weeks, we bring you expert insights and handpicked articles covering the latest threats, threat actor activity, vulnerabilities, incident trends, and defensive strategies. Whether you’re on the front lines or shaping your organization’s security posture, Security Signals delivers the information you need to stay informed and ready.
For more articles, check out our #onpatrol4malware blog.
Turn Insights Into Action with Free Threat Intel
Security Signals gives you the insights and our Risk Indicators OSINT feeds help you apply them.
This Edition’s Articles
Late September to early October 2025 cybersecurity news: Oracle, Red Hat, Cisco and Discord! High-profile corporate breaches and exploited vulnerabilities, persistent APT campaigns, and novel malware variants dominated the threat landscape. Enterprise vendors patched critical flaws, ransomware crews refined their tactics, and state-linked actors expanded their global reach, all underscoring the need for continuous vigilance.
YiBackdoor: A New Malware Family With Links to IcedID and Latrodectus
Source: Zscaler
(Published: 23 September 2025)
Zscaler ThreatLabz has identified a new malware family that we named YiBackdoor, which was first observed in June 2025. Read more.
Lazarus Group: A Criminal Syndicate With a Flag
Source: Barracuda
(Published: 23 September 2025)
The Lazarus Group is a notorious state-sponsored cybercrime organization linked to the Democratic People’s Republic of Korea (DPRK). Read more.
Fighting Telecom Cyberattacks: Investigating a Campaign Against UK Companies
Source: ANY.RUN
(Published: 24 September 2025)
Telecommunications companies are the digital arteries of modern civilization. Read more.
ED 25-03: Identify and Mitigate Potential Compromise of Cisco Devices
Source: Cybersecurity and Infrastructure Security Agency (CISA)
(Published: 25 September 2025)
This page contains a web-friendly version of CISA Emergency Directive 25-03: Identify and Mitigate Potential Compromise of Cisco Devices. Read more.
Smash and Grab: Aggressive Akira Campaign Targets SonicWall VPNs, Deploys Ransomware in an Hour or Less
Source: Arctic Wolf
(Published: 26 September 2025)
Since late July 2025, Arctic Wolf has observed an ongoing surge in Akira ransomware activity targeting SonicWall firewalls through malicious SSL VPN logins. Read more.
Cavalry Werewolf raids Russia’s public sector with trusted relationship attacks
Source: BI.ZONE
(Published: 2 October 2025)
BI.ZONE Threat Intelligence recorded Cavalry Werewolf activity from May to August 2025. Read more.
CERT-UA warns UAC-0245 targets Ukraine with CABINETRAT backdoor
Source: Security Affairs
(Published: 2 October 2025)
The Computer Emergency Response Team of Ukraine (CERT-UA) warned of cyberattacks by the group UAC-0245 using the CABINETRAT backdoor. Read more.
Update on a Security Incident Involving Third-Party Customer Service
Source: Discord
(Published: 3 October 2025)
At Discord, protecting the privacy and security of our users is a top priority. Read more.
Palo Alto Scanning Surges ~500% in 48 Hours, Marking 90-Day High
Source: GreyNoise
(Published: 3 October 2025)
On October 3, 2025, GreyNoise observed a ~500% increase in IPs scanning Palo Alto Networks login portals, the highest level recorded in the past 90 days. Read more.
Lunar Spider Expands Their Web via FakeCaptcha
Source: NVISO Labs
(Published: 1 October 2025)
Lunar Spider is increasingly using fake CAPTCHA lure pages that trick victims into running attacker-supplied commands, leading to malware deployment. Read more.
Silent Smishing: The Hidden Abuse of Cellular Router APIs
Source: SEKOIA
(Published: 2 October 2025)
Attackers are abusing the SMS-sending APIs exposed by cellular routers to deliver smishing messages, without the router owners noticing. Read more.
UAT-8099: Chinese-Speaking Cybercrime Group SEO Fraud Campaign
Source: Talos
(Published: 3 October 2025)
Talos has observed a Chinese-speaking threat group it tracks as UAT-8099 using SEO-fraud techniques to drive traffic to malicious sites. Read more.
Detour Dog DNS Malware Powers Strela Stealer Campaigns
Source: Infoblox Threat Intelligence
(Published: 3 October 2025)
A new DNS-based malware loader named Detour Dog is being used to deliver Strela Stealer in targeted attacks. Read more.
BrickStorm: New Espionage Campaign Targeting Cloud Assets
Source: Google Cloud Blog
(Published: 4 October 2025)
BrickStorm is a Go-based backdoor that Google's threat intelligence teams have tied to long-term espionage against VMware vSphere and other appliances that typically lack endpoint detection coverage. Read more.
UNC6040: Proactive Hardening Recommendations
Source: Google Cloud Blog
(Published: 5 October 2025)
The UNC6040 cluster has been active in recent months; here are recommended proactive hardening steps to reduce exposure. Read more.
Inside Vietnamese Threat Actor “Lone None’s” Copyright Takedown Spoofing Campaign
Source: Cofense
(Published: 6 October 2025)
A Vietnamese threat actor dubbed “Lone None” has been using fraudulent copyright takedown notices to trick companies into redirecting their domains. Read more.
Raytheon Confirms Ransomware Attack on Airline Check-In Systems
Source: CyberInsider
(Published: 7 October 2025)
RTX (formerly Raytheon Technologies) has acknowledged in a regulatory filing that ransomware hit the airport check-in and boarding software operated by its Collins Aerospace unit, disrupting airports across Europe. Read more.
BreachStars Emerges as BreachForums Replacement Marketplace
Source: CyberNews
(Published: 7 October 2025)
BreachStars is positioning itself as a successor to the shuttered BreachForums, offering data-leak marketplace services. Read more.
NIST Warns of Flawed DeepSeek Security, CCP Narratives
Source: CyberNews
(Published: 4 October 2025)
The U.S. National Institute of Standards and Technology (NIST) has flagged flaws in DeepSeek that may amplify CCP information narratives. Read more.
Inside Salt Typhoon: China’s State-Corporate Advanced Persistent Threat
Source: DomainTools Investigations (DTI)
(Published: 24 September 2025)
Salt Typhoon is a Chinese state-sponsored cyber threat group aligned with the Ministry of State Security (MSS), specializing in long-term espionage operations targeting global telecommunications infrastructure. Read more.
Better Analyzing Foreign Adversary Threats to Open-Source Software
Source: Margin Research
(Published: 30 September 2025)
Global contributions to open-source software (OSS) add tremendous value: for years, they have forged connections between developers around the world, enabled dispersed and specialized talent to build better software for users, and collectively helped ensure that OSS remains available, updated, and relevant for users everywhere. Read more.
TradingView Scam Expands to Google Ads & YouTube
Source: HackRead
(Published: 26 September 2025)
A malicious advertising campaign that has been tricking content creators and unsuspecting users into downloading harmful software by offering “free access” to TradingView Premium has dramatically expanded its operations. Read more.
Operation SouthNet: SideWinder Expands Phishing & Malware in South Asia
Source: Hunt.io
(Published: 1 October 2025)
APT SideWinder, a highly active state-sponsored threat group known for its long-standing espionage campaigns across South Asia, has once again launched a targeted operation. Read more.
Breakdown of Patchwork APT
Source: K7 Labs
(Published: October 2025)
The Patchwork implant enforces TLS 1.2 for its command-and-control channel and sends the encoded victim data to the C2 server in a POST request. Read more.
Patchwork APT Exploits Macros & Scheduled Tasks for Stealthy C2/Exfil
Source: Varutra / ThreatPost
(Published: 1 October 2025)
Patchwork (aka Dropping Elephant/Monsoon/Hangover Group) is an APT active since at least 2015 targeting political and military intelligence across South and Southeast Asia. Read more.
Phantom Taurus: A New Chinese Nexus APT and the Discovery of the NET-STAR Malware Suite
Source: Unit 42 / Palo Alto Networks
(Published: 30 September 2025)
After a two-and-a-half-year investigation, Palo Alto Networks Unit 42 has formally named a sophisticated, Chinese nation-state actor: Phantom Taurus. Read more.
DrayTek warns of remote code execution bug in Vigor routers
Source: BleepingComputer
(Published: 2 October 2025)
Networking hardware maker DrayTek released an advisory to warn about a security vulnerability in several Vigor router models that could allow unauthenticated actors to perform arbitrary code execution. Read more.
Oracle patches EBS zero-day exploited in Clop data theft attacks
Source: BleepingComputer
(Published: 3 October 2025)
Oracle has released emergency patches for a zero-day vulnerability in its EBS software suite that was being actively exploited by Clop ransomware actors in data theft campaigns. Read more.
Klopatra: Exposing a new Android banking Trojan operation with roots in Turkey
Source: Cleafy Labs
(Published: 30 September 2025)
A previously undocumented Android banking trojan called Klopatra has compromised over 3,000 devices, leveraging hidden VNC and overlay techniques to conduct fraudulent transactions. Read more.
Yurei Ransomware: The Digital Ghost
Source: Cyfirma
(Published: 1 October 2025)
The Yurei ransomware is unique in its modular architecture and stealthy data-exfiltration staging ahead of encryption. Read more.
Revisiting WarmCookie: Memory-Based Cookie Abuse Techniques
Source: Elastic Security Labs
(Published: 2 October 2025)
Elastic Security Labs revisits WarmCookie, the Windows backdoor it first documented in 2024, and analyzes the latest changes to its capabilities. Read more.
USD 439 Million Recovered in Global Financial Crime Operation
Source: INTERPOL
(Published: 2 October 2025)
INTERPOL announced the recovery of USD 439 million following coordinated takedowns of transnational financial crime networks. Read more.
Red Hat confirms major data breach
Source: The Cyber Security Hub / LinkedIn
(Published: 3 October 2025)
Red Hat has confirmed that a GitLab instance used by its consulting business was breached; the attackers claim to have taken internal repositories and customer engagement material. Read more.
XCSSET evolves again: analyzing the latest updates to XCSSET’s inventory
Source: Microsoft Security Blog
(Published: 25 September 2025)
Microsoft details the latest evolutions of the XCSSET macOS malware family, which spreads by infecting Xcode projects, tracking new features and command modules. Read more.
Persistent malicious targeting of Cisco devices
Source: UK National Cyber Security Centre (NCSC)
(Published: 4 October 2025)
The UK NCSC warns of a persistent campaign exploiting vulnerabilities in Cisco ASA firewalls to deploy custom malware, published alongside CISA Emergency Directive 25-03. Read more.
RedNovember targets government, defense, and technology organizations
Source: Recorded Future
(Published: 4 October 2025)
Recorded Future links RedNovember to a Chinese state-sponsored actor that targets internet-facing edge devices at government, defense and technology organizations and deploys backdoors for intelligence collection. Read more.
LameHug: AI-Driven Malware & LLM Cyber Intrusion Analysis
Source: Splunk Security Blog
(Published: 4 October 2025)
Splunk researchers analyze LameHug, malware that CERT-UA attributed to APT28 and that queries a hosted large language model at runtime to generate the reconnaissance and data-collection commands it executes. Read more.
Self-propagating malware spreads via WhatsApp
Source: Trend Micro Research
(Published: 5 October 2025)
Trend Micro describes a self-propagating malware campaign, tracked as SORVEPOTEL, that spreads through WhatsApp Web sessions on infected Windows machines by sending a malicious ZIP attachment to the victim's contacts and groups. Read more.
US Secret Service blocks massive telecom attack in New York
Source: Trustwave SpiderLabs Blog
(Published: 5 October 2025)
The U.S. Secret Service dismantled a network of SIM servers and more than 100,000 SIM cards concentrated in the New York area that could have been used to disable cell towers and overload telecommunications infrastructure; investigators said the operation may have involved nation-state actors. Read more.
Salesforce leak, extortion attempts tied to Scattered LAPSUS$ Hunters
Source: UpGuard Blog
(Published: 6 October 2025)
UpGuard examines the data leak and ongoing extortion campaign run by the group calling itself Scattered LAPSUS$ Hunters, which claims to hold data stolen from the Salesforce instances of dozens of companies. Read more.
Want more articles? Check out the previous edition of Security Signals here.