Cybersecurity Week in Review: September 30 – October 6, 2025

Cyberattacks, data breaches, zero-days, and global responses—discover the biggest cybersecurity headlines of this week.

The week of September 30 to October 6, 2025 witnessed multiple critical zero-day exploitations, widespread data breaches affecting millions, and significant government responses to escalating cyber threats. Oracle E-Business Suite customers faced a massive extortion campaign leveraging a critical vulnerability, while major breaches at Red Hat, Salesforce, and healthcare organizations exposed sensitive data from thousands of enterprises. Federal agencies confronted both technical challenges in patching critical infrastructure and policy uncertainties as key information-sharing legislation approached expiration.

This period marked an inflection point in enterprise security, with threat actors demonstrating sophisticated exploitation chains that combined multiple vulnerabilities, social engineering through OAuth token theft, and targeted attacks on supply chain partners. The convergence of these incidents underscores the critical importance of timely patching, robust authentication mechanisms, and enhanced threat intelligence sharing across sectors.

Major data breaches and leaks

Oracle E-Business Suite mass extortion campaign dominated the cybersecurity landscape as threat actors claiming affiliation with the Cl0p ransomware gang launched a widespread extortion effort targeting potentially thousands of organizations. CrowdStrike attributed the campaign to GRACEFUL SPIDER, which exploited CVE-2025-61882 (CVSS 9.8), a critical unauthenticated remote code execution vulnerability in Oracle Concurrent Processing. The first exploitation occurred on August 9, 2025, with mass extortion emails sent to corporate executives beginning September 29, 2025, demanding ransoms up to $50 million. Oracle released an emergency patch on October 4, 2025, but proof-of-concept exploit code leaked on Telegram on October 3, further lowering the barrier to entry for additional attackers. Google Mandiant and Kroll investigations confirmed links to financially motivated threat group FIN11.

Red Hat GitLab instance breach exposed sensitive data from thousands of consulting customers after threat actor Crimson Collective compromised a GitLab instance used exclusively for Red Hat Consulting engagements. The attackers claimed theft of 570GB of compressed data (approximately 1TB uncompressed) from 28,000+ internal development repositories, including approximately 800 customer engagement reports spanning 2020-2025. Affected organizations include Fortune 500 companies such as Walmart, HSBC, Bank of Canada, 3M, Accenture, Adobe, Boeing, Cisco, Deloitte, IBM, Sony, T-Mobile, and Verizon, as well as U.S. government agencies including the Air Force, Department of Homeland Security, FAA, NSA, and U.S. Senate. Exposed data includes credentials, CI/CD secrets, pipeline configurations, VPN profiles, and infrastructure blueprints. The ShinyHunters gang subsequently joined the extortion efforts, setting an October 10 deadline. GitLab confirmed its managed systems were not compromised.

Salesforce customer data theft campaign resulted in the exposure of 1.5 billion records from 760 organizations using the Salesloft Drift AI chatbot integration. Threat actors known as Scattered Lapsus$ Hunters (ShinyHunters) launched a dedicated data leak site on October 3, 2025, publicly naming 39 victims including Cisco, Disney, KFC, IKEA, Marriott, McDonald’s, Walgreens, Albertsons, Saks Fifth Avenue, Home Depot, FedEx, Google, Toyota, Gap, Adidas, Cartier, Air France & KLM, TransUnion, HBO MAX, UPS, Chanel, and Instacart. The attacks occurred August 8-18, 2025, using stolen OAuth tokens from Salesloft’s GitHub repository. Attackers employed voice phishing (vishing) techniques, posing as IT support to trick employees into linking malicious OAuth applications. The FBI issued warnings about the campaign on September 12, 2025. Exposed data includes personally identifiable information, passport numbers, employment histories, shipping information, and customer support records.

Multiple healthcare and enterprise breaches impacted hundreds of thousands of individuals. WestJet Airlines disclosed a breach affecting 1.2 million individuals following a June 13, 2025 cyberattack that exposed names, addresses, dates of birth, government-issued ID details, travel accommodation requests, WestJet Rewards membership data, and credit card identifier information. Motility Software Solutions, a Reynolds and Reynolds subsidiary providing dealership software, suffered a ransomware attack on August 19, 2025, affecting 766,670 individuals with theft of Social Security numbers, driver’s license numbers, and personal information. Doctors Imaging Group disclosed that hackers maintained access between November 5-11, 2024, affecting 171,000+ individuals with exposure of comprehensive medical and financial data, though notification occurred nearly one year after the incident. Indianapolis Housing Agency experienced a ransomware attack discovered October 4, 2025 (breach starting September 23, 2025) affecting 212,910 residents, leaking names, addresses, dates of birth, and Social Security numbers while crippling the agency’s ability to send 8,000+ rent payments to Section 8 landlords.

Significant cyberattacks and incidents

Asahi Group Holdings ransomware attack severely disrupted operations at the major Japanese brewing company, which owns brands including Grolsch, Peroni, Pilsner Urquell, and Fullers/London Pride. The company experienced a week-long outage at domestic subsidiaries beginning September 30, 2025, with ransomware deployment and confirmed data exfiltration. System failures affected orders, shipments, production, and call center operations, forcing some factory production suspensions. The company reverted to manual order processing and shipment management, with estimated impact of $50-60 million. International operations remained unaffected, though Asahi holds approximately 40% market share in Japan. The ransomware group responsible had not been identified as of October 6.

GoAnywhere MFT exploitation in ransomware attacks saw threat group Storm-1175, a Medusa ransomware affiliate, actively exploiting CVE-2025-10035 (CVSS 10.0) in Fortra’s GoAnywhere MFT platform since September 11, 2025. The maximum-severity deserialization vulnerability enables remote exploitation in low-complexity attacks without user interaction. WatchTowr Labs provided evidence of exploitation beginning September 10, 2025, with over 500 GoAnywhere MFT instances exposed online. Fortra released patches on September 18, 2025.

Zimbra zero-day exploitation targeted Brazilian military organizations through malicious ICS calendar files. CVE-2025-27915 (CVSS 5.4), a stored cross-site scripting vulnerability in Zimbra Classic Web Client, was exploited as a zero-day earlier in 2025. Threat actors spoofed the Libyan Navy’s Office of Protocol, using JavaScript code designed to steal credentials, emails, contacts, and shared folders, exfiltrating data to external servers. Attackers created malicious email filters named “Correo” to forward messages to spam_to_junk@proton.me. Zimbra patched the vulnerability in versions 9.0.0 Patch 44, 10.0.13, and 10.1.5 on January 27, 2025. The tactics align with those used by APT28, Winter Vivern, and UNC1151 (Ghostwriter).

Record-breaking DDoS attack reached 3.8 Tbps, with Cloudflare successfully mitigating the 65-second assault. The attack formed part of a broader wave of 100+ hyper-volumetric Layer 3/4 DDoS attacks ongoing since early September 2024, primarily targeting financial services, Internet, and telecommunications industries. No specific threat actor attribution was available.

International law enforcement actions resulted in the arrest of four individuals and takedown of nine servers linked to LockBit (Bitwise Spider) ransomware operations. Aleksandr Ryzhenkov was identified as a high-ranking Evil Corp member and LockBit affiliate, with 16 Evil Corp individuals sanctioned by the U.K. Separately, the U.S. Department of Justice and Microsoft seized 107 internet domains used by Russian state-sponsored threat actor COLDRIVER for credential harvesting campaigns targeting NGOs, think tanks, government employees, and military and intelligence officials.

North Korean APT37 conducted a stealthy campaign targeting Cambodia and Southeast Asian countries, deploying a new backdoor/RAT called VeilShell distributed through suspected spear-phishing emails.

Chinese state-sponsored threat actor Salt Typhoon penetrated networks of major U.S. telecommunications providers including AT&T, Verizon, and Lumen, gaining access to systems used for court-authorized network wiretapping and collecting vast amounts of internet traffic from ISPs, affecting businesses and millions of Americans.

Supply chain and infrastructure attacks included a ransomware attack on Dimensional Control Systems (3DCS) by J GROUP ransomware gang, compromising a supplier to Boeing, Volkswagen, Siemens, Samsung, Airbus, GM, and Nissan. In the UK, the Dodd Group, an NHS contractor building hospitals and health centers, suffered a ransomware attack by Russian-linked Lynx gang claiming theft of 4TB of data including financial documents, client data, and secured repositories.

Critical vulnerabilities and patches

Oracle E-Business Suite CVE-2025-61882 emerged as the most critical actively exploited vulnerability of the week. The CVSS 9.8 unauthenticated remote code execution flaw in Oracle Concurrent Processing affects Oracle E-Business Suite versions 12.2.3 through 12.2.14. CrowdStrike reported that attackers chain together multiple vulnerabilities from Oracle’s July 2025 Critical Patch Update alongside this zero-day, using HTTP POST requests to /OA_HTML/SyncServlet for authentication bypass followed by code execution via malicious XSLT templates. Oracle published the emergency patch on October 4, 2025, but working exploit code leaked on October 3 via a Telegram channel associated with SCATTERED SPIDER, SLIPPY SPIDER, and ShinyHunters. The FBI and UK government issued a joint advisory on October 6 urging immediate patching. Oracle had released 309 security patches in its July 2025 update, including nine for E-Business Suite, three of which were remotely exploitable without authentication.
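As an added example, not code from the article, Oracle or CrowdStrike, the following Python hunts web access logs for the POST requests to /OA_HTML/SyncServlet described above, normalising percent-encoding and slash variants before matching so simple evasions do not slip past the check. It assumes Apache/Oracle HTTP Server combined log format; the sample lines are constructed.

```python
"""Hunt for requests to the Oracle EBS SyncServlet path in web access logs.

Added example (not Oracle's or CrowdStrike's tooling). It assumes Apache/Oracle
HTTP Server combined log format; the sample lines below are constructed.
"""
import re
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import unquote, urlsplit

# Constructed sample traffic (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = """\
203.0.113.10 - - [04/Oct/2025:10:12:01 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [04/Oct/2025:10:12:05 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 342 "-" "python-requests/2.31"
203.0.113.10 - - [04/Oct/2025:10:12:06 +0000] "POST /OA_HTML//SyncServlet?x=1 HTTP/1.1" 200 120 "-" "python-requests/2.31"
203.0.113.10 - - [04/Oct/2025:10:12:07 +0000] "POST /OA_HTML/%53yncServlet HTTP/1.1" 200 99 "-" "curl/8.0"
198.51.100.7 - - [04/Oct/2025:10:15:00 +0000] "GET /OA_HTML/SyncServlet HTTP/1.1" 200 99 "-" "Mozilla/5.0"
this line is not in combined log format and is skipped
"""

# Combined log format: ip ident user [time] "METHOD target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?$'
)

TARGET_DIR = "/oa_html/"
TARGET_NAME = "syncservlet"


def normalize_path(target: str) -> str:
    """Canonicalise a request target so encoding or slash tricks do not evade the match."""
    path = urlsplit(target).path          # drop query string and fragment
    for _ in range(2):                    # undo single and double percent-encoding
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = re.sub(r"/{2,}", "/", path)    # collapse repeated slashes
    return path.lower().rstrip("/")


def is_sync_servlet(path: str) -> bool:
    """True when the normalised path is the SyncServlet under /OA_HTML/."""
    return path.startswith(TARGET_DIR) and path.rsplit("/", 1)[-1] == TARGET_NAME


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line; return None for lines that do not fit."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def scan(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per request to SyncServlet; POSTs are rated high, others low."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = normalize_path(rec["target"])
        if not is_sync_servlet(path):
            continue
        findings.append({
            "ip": rec["ip"], "ts": rec["ts"], "method": rec["method"],
            "path": path, "status": rec["status"], "ua": rec["ua"] or "-",
            "severity": "high" if rec["method"] == "POST" else "low",
        })
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Count high-severity (POST) hits per client address for triage."""
    return dict(Counter(f["ip"] for f in findings if f["severity"] == "high"))


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f'{h["severity"]:<4} {h["ip"]:<15} {h["ts"]} {h["method"]} {h["path"]} {h["status"]} {h["ua"]}')
    print("POST hits per source:", summarize(hits))
```

A hit is a hunting lead to correlate with the instance's patch level and July 2025 CPU status, not proof of compromise on its own.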

Cisco ASA zero-day vulnerabilities prompted CISA to issue Emergency Directive ED 25-03 for actively exploited flaws likely chained together by advanced threat actors. CVE-2025-20333 (CVSS 9.9) involves improper validation allowing authenticated remote code execution as root, while CVE-2025-20362 (CVSS 6.5) permits unauthenticated access to restricted endpoints. The campaign, linked to the ArcaneDoor threat cluster, involves attackers manipulating ROM to persist through reboots and system upgrades. Federal agencies received a 24-hour deadline to apply mitigations. Both vulnerabilities were added to CISA’s Known Exploited Vulnerabilities catalog. Separately, GreyNoise observed a 500% increase in IP addresses scanning Palo Alto Networks login portals, reaching 1,300 unique addresses (up from approximately 200), with 93% classified as suspicious and 7% as malicious.

VMware zero-day CVE-2025-41244 was exploited by Chinese state-sponsored threat actor UNC5174 since mid-October 2024, though Broadcom patched the high-severity privilege escalation vulnerability in May 2025 without disclosing active exploitation. The flaw in VMware Aria Operations and VMware Tools allows unprivileged local attackers to stage malicious binaries for privilege escalation, gaining root-level code execution on virtual machines. NVISO disclosed the exploitation, revealing that UNC5174, believed to be a Ministry of State Security contractor, also exploited other zero-days including F5 BIG-IP CVE-2023-46747 and ConnectWise ScreenConnect CVE-2024-1709.

Red Hat OpenShift AI CVE-2025-10725 (CVSS 9.9) represents a critical privilege escalation vulnerability classified as “Important” due to requiring authentication. An overly permissive ClusterRole allows low-privileged authenticated attackers to escalate to full cluster administrator, enabling complete compromise of confidentiality, integrity, and availability, potentially leading to sensitive data theft, service disruption, and infrastructure control.

Google Chrome CVE-2025-10585 marked the sixth actively exploited Chrome zero-day in 2025. The type confusion vulnerability in the V8 JavaScript/WebAssembly engine, discovered by Google TAG on September 16, 2025, can trigger arbitrary code execution and program crashes. Google released fixes in Chrome versions 140.0.7339.185/.186 for Windows/macOS and 140.0.7339.185 for Linux, with the vulnerability affecting all Chromium-based browsers including Edge, Brave, Opera, and Vivaldi.

Unity gaming engine CVE-2025-59489 (CVSS 8.4) enables arbitrary library loading and code execution through Unity’s application debugging support. The vulnerability allows local exploitation for remote code execution and information disclosure, presenting higher risk on Windows devices. Unity released fixes in Editor versions 6000.3.0b4, 6000.2.6f2, 6000.0.58f2, 2022.3.67f2, and 2021.3.56f2, with backports to discontinued versions dating to 2019.1. Microsoft and Steam took protective actions in response to the disclosure by RyotaK from GMO Flatt Security.

SAP S/4HANA CVE-2025-42957 (CVSS 9.9) presents a critical code injection vulnerability in SAP S/4HANA ERP affecting private cloud and on-premise instances. The flaw allows low-privileged users to inject ABAP code for complete system compromise with minimal effort, potentially enabling full compromise of SAP systems and host operating systems. SecurityBridge in Germany discovered the vulnerability, and Pathlock detected a dramatic surge in exploitation attempts after patch release, indicating the patch was easily reverse-engineered.

Microsoft September 2025 Patch Tuesday addressed 81 vulnerabilities (per CyberScoop) or 84 CVEs (per CrowdStrike), with no actively exploited zero-days but including two publicly disclosed vulnerabilities. CVE-2025-55234 (CVSS 8.8) in Windows Server Message Block protocol allows relay attacks and privilege escalation with proof-of-concept exploit code available. CVE-2025-54918 (CVSS 8.8) in Windows NTLM enables authenticated threat actors to escalate to SYSTEM privileges over networks with low exploit complexity, potentially facilitating ransomware deployment across multiple systems. CVE-2025-55232 (CVSS 9.8), a deserialization vulnerability in Microsoft High Performance Compute Pack, represents the most severe defect with potentially wormable characteristics enabling remote unauthenticated code execution without user interaction, though Microsoft assessed exploitation as less likely. Eight vulnerabilities were flagged as “more likely to be exploited,” including three affecting Windows Kernel.

Google Android September security update patched 120 software defects, the highest count in 2025, including two actively exploited zero-days: CVE-2025-38352 (high-severity escalation of privilege in Linux kernel) and CVE-2025-48543 (high-severity escalation of privilege in Android Runtime). Both vulnerabilities require no user interaction and could lead to privilege escalation without additional execution privileges, with limited targeted exploitation indicated. Additional critical vulnerabilities addressed include CVE-2025-48539 in system components enabling remote code execution, and three Qualcomm critical vulnerabilities (CVE-2025-21450, CVE-2025-21483, CVE-2025-27034). CISA added CVE-2025-21043, a Samsung Android zero-day exploited against WhatsApp users, to its Known Exploited Vulnerabilities catalog on September 2.

Meteobridge CVE-2025-4008 (CVSS 8.7) enables command injection in the web interface endpoint through a vulnerable CGI shell script. CISA added the vulnerability to its KEV catalog on October 2, 2025, mandating federal agencies patch by October 23, 2025. The flaw, patched in MeteoBridge version 6.2 on May 13, 2025, allows remote unauthenticated attackers to execute arbitrary commands with root privileges through user-controlled input parsed without sanitization in eval calls. The vulnerable CGI script resides in a public folder unprotected by authentication, exploitable via curl commands or malicious webpages.

Salesforce Agentforce AI vulnerability chain “ForcedLeak” (CVSS 9.4) represents cross-site scripting adapted for the AI era through indirect prompt injection against autonomous agents. Attackers can plant malicious prompts in online forms that, when processed by Agentforce agents, leak internal data to external systems. Salesforce released patches preventing output to untrusted URLs, with Noma discovering the vulnerability chain. Mitigation requires adding external URLs to Trusted URLs lists.

Additional critical vulnerabilities included Langflow CVE-2025-3248 (CVSS 9.8), a missing-authentication flaw enabling remote code execution via improper Python exec() invocations, affecting versions prior to 1.3.0 with active exploitation reported; Fortinet CVE-2025-24472 (Critical), allowing authentication bypass to gain super-admin privileges on FortiOS and FortiProxy, actively exploited by the Mora_001 ransomware actor with links to LockBit; Samsung CVE-2025-21043 (CVSS 8.8), an out-of-bounds write in libimagecodec.quram.so enabling remote code execution, exploited in attacks targeting WhatsApp users and likely chained with WhatsApp CVE-2025-55177, reported by Meta and WhatsApp security teams on August 13; and DrayTek router vulnerabilities (14 security flaws affecting 700,000+ routers enabling remote device takeover, patched following responsible disclosure).

Government and industry cyber responses

CISA Emergency Directive ED 25-03 issued in late September mandated federal agencies apply mitigations for actively exploited Cisco ASA vulnerabilities CVE-2025-20333 and CVE-2025-20362 within 24 hours. The directive reflected CISA’s awareness of widespread exploitation by advanced threat actors linked to the ArcaneDoor cluster, with both vulnerabilities added to the Known Exploited Vulnerabilities catalog.

CISA Known Exploited Vulnerabilities catalog updates during the week included CVE-2025-4008 (Meteobridge), CVE-2025-21043 (Samsung mobile devices), CVE-2017-1000353 (Jenkins), CVE-2015-7755 (Juniper ScreenOS), and CVE-2014-6278 (Shellshock/GNU Bash). Federal agencies received an October 23, 2025 deadline for patching CVE-2025-4008 and other newly added vulnerabilities per Binding Operational Directive requirements.

Cybersecurity Information Sharing Act of 2015 expiration created significant uncertainty for threat information sharing as the law’s sunset clause caused it to expire on September 30, 2025, without Congressional reauthorization. The law provided legal safeguards and liability protections for companies sharing threat data with the government. Industry groups and cyber experts expressed concerns about potential liability exposure for threat information reporting. Bipartisan senators introduced a bill for a 10-year extension, with a House bill still in development and short-term extension being considered. A CyberScoop report indicated the watchdog assessment found the cyber threat information-sharing program’s future uncertain.

Multi-State Information Sharing and Analysis Center (MS-ISAC) funding elimination took effect at midnight on October 1, 2025, ending 21 years of federal government support through a cooperative agreement. The Trump administration’s decision to eliminate funding jeopardizes cybersecurity services for thousands of cash-strapped counties, cities, and towns, with tens of thousands of jurisdictions losing access to vital cybersecurity services. CISA offered existing services, though a CISA employee acknowledged offering “nothing new” in the near future to offset the loss. The Center for Internet Security, which operates MS-ISAC, expressed disappointment in the government’s decision to abandon “this nation’s most successful public-private partnership.”

Federal judiciary cybersecurity response defended its security posture following the latest major breach of the electronic case filing system. In a September 30, 2025 letter from Administrative Office Director Robert Conrad Jr. to Sen. Ron Wyden, the courts outlined modernization efforts beginning in 2022 with implementation expected within two years. The judiciary faces unique challenges in rolling out multi-factor authentication to 5 million PACER users due to the diverse user base including law firms, journalists, citizens, and indigent litigants. The courts have briefed congressional Judiciary, Appropriations, and Intelligence committees on a classified basis regarding breaches deemed “sensitive from both law enforcement and national security perspective.”

FBI warning on Salesforce/Salesloft Drift attacks, issued September 12, 2025, detailed UNC6040 threat cluster operations using stolen OAuth tokens and social engineering via phone calls in which callers posed as IT support, targeting Salesforce instances through the Salesloft Drift integration and affecting approximately 700 Salesloft customers.

FBI and UK government joint advisory on October 6 urged organizations to patch Oracle E-Business Suite vulnerabilities following alleged Clop ransomware gang campaign exploiting CVE-2025-61882.

U.K. and U.S. joint warning addressed Iranian IRGC cyber actors conducting spear-phishing campaigns targeting individuals with nexus to Iranian and Middle Eastern affairs, using social engineering via email or messaging platforms to build rapport before soliciting document access through hyperlinks, deploying false email login pages to capture credentials, and potentially prompting for 2FA codes via messaging applications.

Google Mandiant defensive framework published October 1, 2025 in collaboration with Salesforce, provided proactive hardening recommendations for OAuth security, comprehensive logging protocols, and advanced detection capabilities in response to the ongoing UNC6040 campaign.

National Cybersecurity Awareness Month launched October 1, 2025, marking its 22nd anniversary with CISA’s theme “Building a Cyber Strong America,” focusing on government entities and small/medium businesses protecting critical infrastructure. Cybersecurity Ventures highlighted that more than 40% of cyberattacks target small and medium businesses, with global cybercrime damages projected to reach $12 trillion by 2030. Industry experts emphasized that network-level security can block up to 97% of malicious traffic before it enters networks, warning against relying solely on cyber insurance rather than implementing preventive measures.

NIST Special Publication 1334, released October 1, 2025, provides guidance for protecting industrial control systems against USB-borne threats, focusing on reducing cybersecurity risks from removable media in operational technology environments and on creating and maintaining a definitive view of OT architecture through multi-country agency collaboration.

Dutch law enforcement arrested two 17-year-old boys on September 29-30, 2025 for allegedly assisting Russian hackers, with one walking by law enforcement and embassy offices carrying Wi-Fi sniffing equipment, demonstrating international cooperation in combating state-sponsored cyber operations.

Miscellaneous

CrowdStrike Fall 2025 release announced October 1 introduced the Falcon agentic security platform defining the “agentic SOC” model where humans and AI agents work collaboratively. The platform features CrowdStrike Enterprise Graph, a new AI-ready data layer unifying telemetry across endpoints, identities, cloud, SaaS, XIoT, and third-party tools, and Charlotte AI AgentWorks for creating and customizing AI security agents using plain language. The company pioneered AI Detection and Response (AIDR) to protect how AI is built and used across enterprises, leveraging trillions of telemetry events and over a decade of annotated threats with enterprise-grade governance built into the platform.

Bitdefender 2025 Cybersecurity Assessment Report revealed concerning transparency trends, with 58% of security professionals told to keep breaches confidential, representing a 38% increase since 2023. The survey of 1,200+ IT and security professionals across six countries, combined with analysis of 700,000 cyber incidents by Bitdefender Labs, found that 84% of attacks exploit existing tools rather than introducing new malware. Organizations increasingly prioritize optics over transparency, with pressure particularly acute for CISOs and CIOs, underscoring growing urgency to shrink enterprise attack surfaces.

NIST National Vulnerability Database backlog crisis continued with 72.4% of CVEs (18,358 vulnerabilities) remaining unanalyzed as of September 21, 2024, including 46.7% of Known Exploited Vulnerabilities. Since NIST scaled back processing and enrichment operations on February 12, 2024, 25,357 new vulnerabilities have been added without analysis, creating significant challenges for security teams attempting to prioritize patching based on CVSS scores and vulnerability characteristics.

Cybersecurity Ventures 2026 trends forecast identified seven critical trends: agentic cyberattack and defense, deepfake and synthetic cyberattacks, evolving ransomware threats, strengthening the human factor, quantum security, regulatory and legislative overhaul, and cyberwarfare on the global stage. The report noted that if cybercrime were a nation in 2026, it would represent the world’s third-largest economy behind the United States and China, emphasizing that emerging technologies amplify both criminal capabilities and defensive opportunities.

ENISA 2025 Threat Landscape Report published October 1 by the European Union Agency for Cybersecurity highlighted a significant increase in attacks aimed at operational technology systems, with many attacks targeting the EU specifically focused on OT infrastructure rather than traditional IT systems.

Telegram policy shift impact on cybercriminals followed the platform’s decision to share IP addresses and phone numbers with authorities, prompting cybercrime groups to seek alternatives including Jabber, Tox, Matrix, Signal, and Session. The Bl00dy ransomware gang announced “quitting Telegram,” while hacktivist groups including Al Ahad, Moroccan Cyber Aliens, and RipperSec moved operations to Signal and Discord. Telegram CEO Pavel Durov downplayed changes, stating data sharing occurred since 2018, though transparency reports show Brazil disclosed data for 75 requests in Q1 2024 and India for 2,461 requests.

Major BGP/RPKI security flaws discovered by German researchers revealed current Resource Public Key Infrastructure implementations lack production-grade resilience and suffer from software vulnerabilities, inconsistent specifications, and operational challenges. Identified vulnerabilities include denial of service, authentication bypass, cache poisoning, and remote code execution affecting critical internet routing security infrastructure.

Battering RAM attack demonstrated by academic researchers uses a $50 passive interposer device to control Intel SGX enclaves, extract DCAP attestation keys, and break Intel and AMD security mechanisms through physical access. Both vendors stated the attack falls outside their threat models due to physical access requirements.

DrayTek router vulnerability disclosure (DRAY:BREAK) identified 14 security flaws affecting 700,000+ vulnerable routers in residential and enterprise environments, with potential for remote device takeover. Vulnerabilities were patched following responsible disclosure.

Fake trading applications proliferated in large-scale “pig butchering” fraud campaigns, with malicious apps published on both Apple App Store and Google Play Store targeting victims across Asia-Pacific, Europe, Middle East, and Africa. Truth Social users lost hundreds of thousands of dollars to similar scams, with the apps no longer available for download as of early October.

Industry funding and personnel changes included Mondoo raising $17.5 million in a funding round led by HV Capital (total funding exceeding $32 million) for vulnerability management platform expansion; Descope raising $35 million in a seed round extension for identity and access management with focus on agentic identity R&D; and John “Four” Flynn joining Google DeepMind as VP of Security on September 30, 2025, bringing experience from Amazon (CISO since May 2024), Uber (former CISO), and Facebook (former Director of Information Security).

Zeroday.Cloud competition announced October 6 by Wiz in partnership with Microsoft, Google, and AWS offers $4.5 million in prizes, inviting cloud security researchers to identify vulnerabilities in cloud infrastructure across major providers.

Emerging threat actors included Crimson Collective, which launched its Telegram channel on September 24, 2025 before announcing the Red Hat breach on October 2, with claimed victims including Nintendo website defacement and Claro Colombia (50M+ invoices). The group exploits misconfigured cloud storage and exposed secrets in codebases, focusing on data exfiltration and extortion while blending “ethical” warnings with profit-driven demands. J GROUP ransomware gang, first detected in early 2025, employs a data brokerage approach auctioning stolen data if ransomware negotiations fail, targeting organizations ranging from amusement parks to industrial suppliers including FAI Aviation Group (3TB claimed in September 2025).

Android banking trojan Klopatra emerged in late August 2025 after being active since March 2025, infecting 3,000+ devices in Spain and Italy. The Turkish-origin malware masquerades as “Mobdro Pro IP TV + VPN,” featuring VNC remote access and real-time device control using the commercial Virbox code protection suite to evade detection while targeting southern European banking applications.