Welcome to your biweekly digest of curated cybersecurity intelligence.
Every two weeks, we bring you expert insights and handpicked articles covering the latest threats, threat actor activity, vulnerabilities, incident trends, and defensive strategies. Whether you’re on the front lines or shaping your organization’s security posture, Security Signals delivers the information you need to stay informed and ready.
For more articles, check out our #onpatrol4malware blog.
Turn Insights Into Action with Free Threat Intel
Security Signals gives you the insights, and our Risk Indicators OSINT feeds help you apply them.
This Edition’s Articles
In these late October 2025 cyber threat reports, global research teams uncovered an active mix of espionage, phishing, and data-theft operations. Highlights this period include North Korea’s EtherHiding and Contagious Interview campaigns, new exploits such as the Oracle EBS zero-day, COLDRIVER and Lazarus-linked attacks, and mobile threats like Pixnapping targeting Android users. Together, these findings reveal how rapidly evolving malware, cloud intrusions, and supply-chain compromises continue to test defenders’ visibility and response.
An Insider Look At The IRGC-linked APT35 Operations: Ep1 & Ep2
Source: CloudSEK
(Published: 7 October 2025)
CloudSEK’s TRIAD team analyzed the available evidence and reconstructed recent APT35 operations across two episodes of our series. Read more.
Attacker says they breached Huawei, source code sold online
Source: Cybernews
(Published: 7 October 2025)
A hacker claims to have stolen Huawei’s internal source code and sold it on an underground cybercriminal forum. Read more.
Oops! It’s a kernel stack use-after-free: Exploiting NVIDIA’s GPU Linux drivers
Source: Quarkslab
(Published: 14 October 2025)
This article details two bugs in NVIDIA’s GPU kernel driver vmalloc handling that can be chained to gain code execution in kernel context. Read more.
BombShell: The Signed Backdoor Hiding in Plain Sight on Framework Devices
Source: Eclypsium
(Published: 14 October 2025)
UEFI shell vulnerabilities allow attackers to bypass Secure Boot. Read more.
DPRK Adopts EtherHiding: Nation-State Malware Hiding on Blockchains
Source: Google Cloud Blog
(Published: 16 October 2025)
Google Threat Intelligence Group (GTIG) has observed a new malware delivery technique, EtherHiding, appearing in DPRK-linked activity. Read more.
BeaverTail and OtterCookie evolve with a new JavaScript module
Source: Cisco Talos Blog
(Published: 16 October 2025)
Cisco Talos has uncovered a new attack linked to Famous Chollima, a threat group aligned with North Korea (DPRK). Read more.
Odyssey Stealer and AMOS Campaign Targets macOS Developers Through Fake Tools
Source: Hunt
(Published: 16 October 2025)
In recent months, our threat hunting team has observed a surge in macOS-targeted campaigns employing new social engineering tactics and persistent infrastructure. Read more.
New Group on the Block: UNC5142 Leverages EtherHiding to Distribute Malware
Source: Google Cloud Blog
(Published: 16 October 2025)
Since late 2023, UNC5142 has leveraged EtherHiding infrastructure to deliver malicious payloads and obfuscate attribution. Read more.
Joint Intel Strike – DeepCode × AMLBot Trace “1688shuju,” a Darknet Seller of Verified Exchange Numbers
Source: AMLBot
(Published: 17 October 2025)
On 22 August 2025, the DeepCode intelligence team identified a darknet marketplace listing by the actor “1688shuju” offering large batches of verified phone numbers tied to major cryptocurrency exchanges. Read more.
Email Bombs Exploit Lax Authentication in Zendesk
Source: Krebs on Security
(Published: 17 October 2025)
Cybercriminals are abusing a widespread lack of authentication in the customer service platform Zendesk to flood targeted email inboxes with menacing messages that come from hundreds of Zendesk corporate customers simultaneously. Read more.
Tykit Analysis: New Phishing Kit Stealing Hundreds of Microsoft Accounts in Finance
Source: ANY.RUN
(Published: 21 October 2025)
Not long ago we reported a spike in phishing attacks that use an SVG file as the delivery vector. Read more.
To Be (A Robot) or Not to Be: New Malware Attributed to Russia State-Sponsored COLDRIVER
Source: Google Cloud Blog
(Published: 21 October 2025)
COLDRIVER, a Russian state-sponsored threat group known for targeting high-profile individuals in NGOs, policy advisors, and dissidents, swiftly shifted operations after the May 2025 public disclosure of its LOSTKEYS malware. Read more.
Red Hat data breach escalates as ShinyHunters joins extortion
Source: BleepingComputer
(Published: 6 October 2025)
Enterprise software giant Red Hat is now being extorted by the ShinyHunters gang, with samples of stolen customer engagement reports (CERs) leaked on their data leak site. Read more.
OpenAI has disrupted (more) Chinese accounts using ChatGPT to create social media surveillance tools
Source: Engadget
(Published: 7 October 2025)
OpenAI published a new threat report and banned additional China-linked accounts that used ChatGPT to design social media surveillance tools. Read more.
Maverick: Android banking trojan distributing via WhatsApp
Source: Securelist
(Published: 8 October 2025)
A malware campaign was recently detected distributing various versions of the Android banking trojan called ‘Maverick’ via WhatsApp. Read more.
Phishing campaign leveraging the npm ecosystem
Source: Snyk
(Published: 9 October 2025)
We have uncovered a large-scale phishing campaign abusing the npm ecosystem to deliver malware to developers through typosquatted packages and malicious maintainers. Read more.
Harvard University hit in Oracle EBS cyberattack, 1.3 TB of data leaked by Cl0p group
Source: Security Affairs
(Published: 10 October 2025)
Harvard University was hit in a cyberattack exploiting a zero-day in Oracle E-Business Suite (EBS), with the Cl0p ransomware gang leaking 1.3 TB of data. Read more.
PhantomVAI Loader Delivers a Range of Infostealers
Source: Unit 42 (Palo Alto Networks)
(Published: 15 October 2025)
Unit 42 researchers have been tracking phishing campaigns that use PhantomVAI Loader to deliver information-stealing malware through a multi-stage, evasive infection chain. Read more.
Pro-Hamas hackers breach B.C. and U.S. airport display systems
Source: Juno News
(Published: 15 October 2025)
A pro-Hamas Islamist group has taken credit for a series of cyberattacks at two B.C. airports and others in the U.S. Read more.
PassiveNeuron: campaign with APT implants and Cobalt Strike
Source: Securelist
(Published: 17 October 2025)
The PassiveNeuron (also known as ‘Evernight’) cyber espionage campaign relies on a broad arsenal of tools, including clusters of implants, Cobalt Strike, and modern living-off-the-land strategies. Read more.
SIMCartel operation: Europol takes down SIM box ring linked to 3,200 scams
Source: Security Affairs
(Published: 18 October 2025)
Europol has taken down a multi-country SIM boxing ring dubbed ‘SIMCartel,’ dismantling infrastructure linked to more than 3,200 scams. Read more.
F5 breach exposes 262,000 BIG-IP systems worldwide
Source: Security Affairs
(Published: 19 October 2025)
Security firm F5 disclosed a breach exposing telemetry data from 262,000 BIG-IP systems worldwide after attackers accessed a support platform. Read more.
Russian Lynk group leaks sensitive UK MoD files, including info on eight military bases
Source: Security Affairs
(Published: 20 October 2025)
The Russian hacktivist group Lynk leaked sensitive UK Ministry of Defence files, including details on eight military bases. Read more.
Salty Much: Darktrace’s view on a recent Salt Typhoon intrusion
Source: Darktrace
(Published: 20 October 2025)
Salt Typhoon, a China-linked cyber espionage group, has been observed targeting global infrastructure using stealthy techniques such as DLL sideloading and zero-day exploits. Read more.
Disrupting threats targeting Microsoft Teams
Source: Microsoft Security Blog
(Published: 7 October 2025)
The extensive collaboration features and global adoption of Microsoft Teams make it a high-value target for both cybercriminals and state-sponsored actors. Read more.
Crimson Collective: A New Threat Group Observed Operating in the Cloud
Source: Rapid7 Labs
(Published: 7 October 2025)
Over the past few weeks, Rapid7 has observed increased activity of a new threat group attacking AWS cloud environments with the goal of data exfiltration and subsequent extortion. Read more.
Pixel-stealing “Pixnapping” attack targets Android devices
Source: Malwarebytes
(Published: 14 October 2025)
Researchers at US universities have demonstrated how a malicious Android app can trick the system into leaking pixel data. Read more.
Retro Phishing: Basic Auth URLs Make a Comeback in Japan
Source: Netcraft
(Published: 15 October 2025)
Netcraft recently uncovered a suspicious URL targeting GMO Aozora Bank, a Japanese financial institution. Read more.
Inside the attack chain: Threat activity targeting Azure Blob Storage
Source: Microsoft Security Blog
(Published: 20 October 2025)
Azure Blob Storage is a high-value target for threat actors due to its critical role in storing and managing massive amounts of unstructured data at scale. Read more.
North Korea’s Contagious Interview Campaign Escalates: 338 Malicious npm Packages, 50,000 Downloads
Source: Socket
(Published: 10 October 2025)
The Contagious Interview operation continues to weaponize the npm registry with a repeatable playbook. Read more.
Espionage Exposed: Inside a North Korean Remote Worker Network
Source: KELA
(Published: 10 October 2025)
Thousands of North Korean IT workers are hiding in plain sight, blending into the global freelance economy, building your apps, or even designing your infrastructure. Read more.
Microsoft revamps Internet Explorer Mode in Edge after August attacks
Source: Security Affairs
(Published: 13 October 2025)
Microsoft has revamped the Internet Explorer (IE) mode in the Edge browser to fix an issue that threat actors exploited for attacks in August 2025. Read more.
TigerJack’s Extensions Continue to Rob Developers Blind Across Different Marketplaces
Source: Koi
(Published: 13 October 2025)
Meet TigerJack – a threat actor we’ve been tracking since early 2025, who has systematically infiltrated developer marketplaces with at least 11 malicious VS Code extensions across multiple publisher accounts. Read more.
Oracle silently fixes zero-day exploit leaked by ShinyHunters
Source: BleepingComputer
(Published: 14 October 2025)
Oracle has silently fixed an Oracle E-Business Suite vulnerability (CVE-2025-61884) that was actively exploited to breach servers, with a proof-of-concept exploit publicly leaked by the ShinyHunters extortion group. Read more.
Want more articles? Check out the previous edition of Security Signals here.