
Cybersecurity Week in Review: October 7 – 13, 2025

Cyberattacks, data breaches, zero-days, and global responses—discover the biggest cybersecurity headlines of this week.

The week of October 7-13, 2025 marked a critical period in cybersecurity: Clop ransomware had been exploiting Oracle zero-days since August, the FBI dismantled major extortion infrastructure, and a record-breaking DDoS attack reached 29.6 terabits per second. The convergence of nation-state exploitation, ransomware campaigns, and supply chain attacks put unprecedented pressure on enterprise security teams, with ransom demands reaching $50 million and over 1.5 billion customer records exposed through coordinated extortion campaigns. The week demonstrated how zero-day vulnerabilities in widely deployed enterprise software create cascading risks across entire industries, while law enforcement actions provided temporary disruption but did not halt ongoing criminal operations.

Major Data Breaches and Leaks

Oracle E-Business Suite exploitation campaign exposes dozens of organizations

Clop ransomware operators have exploited the critical Oracle E-Business Suite zero-day (CVE-2025-61882) since August 2025, compromising dozens of organizations worldwide before beginning mass extortion in late September. The campaign targeted organizations that had not applied the July 2025 patches, exfiltrating significant data volumes before victims received ransom demands reaching $50 million in cryptocurrency. Harvard University became the first publicly confirmed victim on October 5-6, acknowledging that a “limited number of parties associated with a small administrative unit” were impacted. Google Mandiant researchers confirmed the attacks began as early as July 10, 2025, with Clop using multiple exploit chains involving Oracle EBS vulnerabilities. The ransomware group sent extortion emails from compromised business accounts and newly registered addresses, providing authentic contact points with operators and imposing 72-hour payment deadlines.

Salesforce customer data extortion targets 760 organizations with 1.5 billion records

A cybercrime group claiming affiliation with Scattered Spider, Lapsus$, and ShinyHunters launched a massive extortion campaign against Salesforce customers, claiming theft of over 1.5 billion records with personally identifiable information from 760 organizations. The attackers breached Salesloft’s GitHub repository between August 8-18, 2025, extracting OAuth tokens that provided access to Salesforce instances integrated with the Drift AI chatbot. Named victims included Toyota, FedEx, Disney/Hulu, UPS, Cisco, McDonald’s, Marriott, Walgreens, Gap, Qantas, and Vietnam Airlines. The group used voice phishing attacks in May 2025 to siphon more than 1 billion records from 39 Fortune 500 companies through compromised Salesforce Data Loader installations. After setting a ransom deadline of October 10, 2025, and receiving no payments, the attackers began leaking data on October 12. Vietnam Airlines suffered exposure of 7.3 million unique email addresses, along with names, phone numbers, dates of birth, and loyalty program membership numbers. Salesforce confirmed on October 9 it would “not engage, negotiate with or pay any extortion demand,” stating no vulnerability existed in Salesforce’s platform itself. The FBI issued warnings in September about these campaigns, identifying threat clusters UNC6040 and UNC6395. Salesforce and Salesloft revoked and refreshed all active OAuth tokens on August 20, 2025, and temporarily removed Drift from AppExchange.

Red Hat GitLab breach exposes 28,000 repositories and client secrets

The Crimson Collective extortion group compromised Red Hat’s self-hosted GitLab server, stealing 570 GB from more than 28,000 private code repositories and over 5,000 Customer Engagement Reports (CERs). The stolen data included critical credentials such as Artifactory access tokens, Git tokens, Azure credentials, Docker credentials, infrastructure details, and audit reports from approximately 800 client networks including Walmart, American Express, and HSBC. Red Hat detected unauthorized access on October 2 and disclosed the incident the same day, notifying affected customers. The attackers set a ransom deadline of October 10, which Red Hat refused to meet, prompting the group to begin posting data on October 7. The breach targeted the internal collaboration environment of Red Hat’s consulting arm and did not affect Red Hat’s software supply chain or products. Nearly 3.5 million files were compromised in the attack, which was announced on the Scattered Lapsus$ Hunters extortion blog on October 5.

SonicWall cloud backup breach affects all MySonicWall customers

SonicWall completed an investigation with Mandiant revealing that hackers gained access to firewall configuration backup files for all customers using the MySonicWall cloud backup service, significantly expanding the scope from an initial September disclosure claiming only 5% of files were affected. The compromised data included encrypted credentials and configuration data, encompassing user/group/domain settings, DNS configurations, and log settings. The October 10 disclosure heightened concerns about targeted attacks, as nation-state actors and ransomware groups could leverage this information for future campaigns against SonicWall customers. CISA released an advisory in September urging users to check their accounts, and SonicWall released assessment and remediation tools while working with Mandiant to enhance cloud infrastructure security.

North Korean cryptocurrency theft reaches $2 billion in 2025

North Korean threat actors stole $2 billion in cryptocurrency during the first nine months of 2025, including a massive $1.46 billion from the Bybit exchange in a single heist. Blockchain analysis firm Elliptic identified at least 33 other crypto heists attributed to North Korean operators, bringing cumulative theft to over $6 billion to date. The attacks primarily used social engineering rather than infrastructure vulnerabilities, combined with sophisticated laundering tactics including multiple rounds of mixing, cross-chain transactions, obscure blockchains, and refund address exploitation. The stolen funds finance the Pyongyang regime’s military programs, representing the 19th confirmed attack on the food/beverage manufacturing sector alone in 2025.

Additional significant breaches

A Discord third-party breach exposed 70,000 government ID photos plus 1.5 terabytes of data, affecting a total of 2,185,151 photos. The September 20 incident at Discord’s Zendesk customer service provider compromised names, usernames, email addresses, billing information, IP addresses, and support messages. Threat actors actively attempted to extort Discord following disclosure on October 3.

Asahi Brewery suffered a Qilin ransomware attack that stole 27 gigabytes (over 9,000 files) including contracts, employee information, financial documents, and business forecasts. The attack disrupted operations at 30 factories across Japan, forcing production halts and delaying shipments of Asahi Super Dry beer and a dozen new products.

Williams & Connolly, the Washington D.C. law firm representing Bill and Hillary Clinton, confirmed China-nexus hackers breached email accounts of a “small number of attorneys” using a zero-day vulnerability. BK Technologies, a Florida-based public safety communications provider, disclosed on October 7 that unauthorized actors accessed non-public information including current and former employee files. The VTEX e-commerce platform exposed 6 million shoppers’ home addresses, phone numbers, and purchase histories; the flaw remained unpatched from its discovery on February 28 until October 8. Huawei suffered an internal source code breach, with a hacker selling the code for $1,000 on an underground forum; the listing changed from “Selling” to “Sold” shortly after it was posted on October 3.

Significant Cyberattacks and Incidents

Aisuru botnet launches record-breaking 29.6 Tbps DDoS attack

The Aisuru botnet launched a 29.6 terabits per second (Tbps) DDoS attack on October 6, nearly 30 trillion bits of data per second, establishing a new record for distributed denial-of-service attacks. The brief attack targeted a server designed to measure large-scale DDoS events. On October 8, TCPShield, which protects over 50,000 Minecraft servers, sustained a 15+ Tbps attack that forced its upstream provider OVH to drop them as a customer due to network congestion. The botnet, estimated to control 300,000 compromised IoT devices worldwide, has systematically exceeded previous records throughout 2025: 6.35 Tbps in May against KrebsOnSecurity, over 11 Tbps days later, and 22 Tbps in late September.

The majority of Aisuru’s firepower now originates from compromised IoT devices on U.S. Internet providers. Analysis of the October 8 attack revealed 11 of the top 20 traffic sources were U.S.-based ISPs, with AT&T customers contributing the most attack traffic, followed by Charter Communications, Comcast, T-Mobile, and Verizon. Comcast’s network alone carried 500 gigabits of traffic during a single attack. The heavy concentration of infected devices complicated mitigation efforts, as the volume of packets from infected IoT hosts degraded quality of service for adjacent non-compromised customers.

The botnet comprises hacked consumer-grade routers, security cameras, digital video recorders, and other IoT devices operating with insecure or outdated firmware and factory-default settings. Operators, tracked by XLab security researchers as “Snow” (botnet development), “Tom” (finding vulnerabilities), and “Forky” (botnet sales), also sell the botnet as a distributed proxy network for anonymizing malicious traffic. Forky, identified as 21-year-old Kaike Southier Leite from São Paulo, Brazil, operates a DDoS mitigation service called Botshield. The FBI has seized Forky’s DDoS-for-hire domains multiple times. Aisuru reportedly uses multiple zero-day vulnerabilities and in April 2025 compromised the Totolink router firmware distribution website to distribute malicious scripts. The botnet’s growth accelerated after the U.S. Department of Justice charged the alleged Rapper Bot proprietor in August 2025, allowing Aisuru to commandeer vulnerable IoT devices from the dismantled competitor. Mitigation now requires “at least a million dollars a month” for network capacity, placing these attacks “well beyond the DDoS mitigation capabilities of most organizations connected to the Internet today.”

FBI seizes BreachForums infrastructure disrupting extortion operations

The FBI seized all BreachForums domains operated by the ShinyHunters group on the night of October 10-11, 2025, in collaboration with French law enforcement. The operation targeted the portal used for leaking corporate data stolen by ransomware and extortion gangs, including the ongoing Salesforce data extortion campaign. DNS records switched to ns1.fbi.seized.gov and ns2.fbi.seized.gov. ShinyHunters confirmed via PGP-signed Telegram message that database backups were also seized, declaring “The era of forums is over.” The seizure occurred before the threatened data leak deadline of 11:59 PM EST on October 11. Despite the disruption, Scattered Lapsus$ Hunters continued leaking data through alternative platforms including BreachStars (launched August 2025) and file-sharing platform Limewire.com, though some users reported dead links and removed content after payment.

GoAnywhere MFT zero-day exploitation enables Medusa ransomware deployment

Storm-1175, tracked by Microsoft as a Medusa ransomware affiliate, exploited CVE-2025-10035 in Fortra’s GoAnywhere MFT starting September 11, 2025, eight days before patches were released on September 18. The critical deserialization vulnerability in the License Servlet allowed remote code execution without authentication, enabling attackers to create backdoor admin accounts (such as an “admin-go” user) and deploy Medusa ransomware. Fortra confirmed on October 10 that a “limited number” of customers with admin consoles exposed to the public internet experienced unauthorized activity. Three cloud-based MFTaaS instances showed attempted exploitation and were isolated for investigation. The attack chain provided capabilities for system and user discovery, long-term access maintenance, lateral movement, and malware deployment.

Municipal and infrastructure attacks

Sugar Land, Texas (population ~110,000) reported a cyberattack on October 10 causing technology outages across multiple online services including bill pay, the 311 contact center, utility billing, permit/inspection scheduling, and building applications. The city confirmed a breach of internal network infrastructure while stating that critical infrastructure systems and emergency services (911, police, fire, medical) remained operational. The attack occurred amid a wave of Texas municipal cyberattacks in 2025, including the Uvalde school district (forced closure, Qilin ransomware) and incidents in Matagorda County, Mission, Lubbock, and Abilene.

A large-scale RDP botnet campaign launched on October 8 used 100,000+ IP addresses from a multi-country botnet to target Remote Desktop Protocol services in the United States. GreyNoise detected attacks including RD Web Access timing attacks for username enumeration and RDP web client login enumeration.

A SonicWall SSLVPN credential campaign compromised over 100 accounts through large-scale credential stuffing using stolen valid credentials rather than vulnerability exploitation.

Law enforcement operations and threat actor disruptions

Spanish authorities dismantled the GXC Team cybercrime syndicate on October 12, arresting the 25-year-old Brazilian leader known as “GoogleXcoder” during coordinated nationwide raids on May 20. The crime-as-a-service operation distributed AI-powered phishing kits, Android malware, and voice-scam tools via Telegram and Russian-speaking hacker forums. The phishing kits powered at least 250 phishing sites targeting banks, transport, and e-commerce companies in Spain, Slovakia, the UK, the US, and Brazil. Raids in Cantabria, Valladolid, Zaragoza, Barcelona, Palma de Mallorca, San Fernando, and La Línea de la Concepción seized electronic devices containing phishing kit source code, client communications, and financial records.

Scanning of Palo Alto Networks login portals surged by 500% on October 3, with activity jumping from ~200 to 1,300 unique IP addresses. GreyNoise classified 93% as suspicious and 7% as malicious, primarily from U.S.-based IPs with clusters in the UK, Netherlands, Canada, and Russia. The scanning shared characteristics with recent Cisco ASA scanning and a common TLS fingerprint tied to Netherlands infrastructure.

A New York smishing campaign targeted residents with text messages posing as the NY Department of Taxation and Finance, offering “Inflation Refunds” to steal personal and financial data.

Critical Vulnerabilities and Patches

Oracle E-Business Suite CVE-2025-61882 enables pre-authentication remote code execution

Oracle released an emergency patch on Saturday, October 5, for CVE-2025-61882, a critical vulnerability (CVSS 9.8) in Oracle E-Business Suite versions 12.2.3 through 12.2.14 affecting the BI Publisher Integration component of Oracle Concurrent Processing. The flaw allows unauthenticated remote code execution over the network without any username or password. CrowdStrike and Google Mandiant confirmed Clop ransomware began exploiting the vulnerability in August 2025, at least one month before patches became available. The vulnerability actually involves five distinct bugs chained together, including Server-Side Request Forgery (SSRF), CRLF injection, authentication bypass, and XSL template injection. Leaked exploit code appeared as “oracle_ebs_nday_exploit_poc_scattered_lapsus_retard_cl0p_hunters.zip” on extortion sites. Attackers also exploited previously patched vulnerabilities from the July 2025 Critical Patch Update against organizations that had failed to apply those patches.

Installation requires applying the October 2023 Critical Patch Update as a prerequisite before installing the CVE-2025-61882 fix. FBI Assistant Director Brett Leatherman called it a “stop-what-you’re-doing and patch immediately” vulnerability. CISA added CVE-2025-61882 to the Known Exploited Vulnerabilities catalog on October 7, setting a federal deadline of October 27, 2025 for agencies to patch or discontinue use. UK NCSC and Singapore cybersecurity agencies also published emergency advisories. Oracle shared indicators of compromise for detection and containment efforts. On October 12, Oracle released a second emergency weekend patch for CVE-2025-61884 (CVSS 7.5), affecting the Oracle Configurator component in EBS versions 12.2.3-12.2.14, enabling unauthorized access to critical data without authentication via HTTP.

GoAnywhere MFT CVE-2025-10035 achieves maximum severity score

Fortra’s GoAnywhere MFT suffered exploitation of CVE-2025-10035, a deserialization vulnerability in the License Servlet carrying the maximum CVSS score of 10.0. The flaw allows attackers with a validly forged license response signature to deserialize arbitrary actor-controlled objects, leading to command injection without authentication. Microsoft detailed exploitation on October 6, noting that Storm-1175 (Medusa ransomware affiliates) began exploiting the zero-day on September 11, 2025. Fortra received a customer alert on September 11, issued a hotfix on September 12, released fully patched versions (7.6.3, 7.8.4) on September 15, and formally published the CVE on September 18. The vulnerability only affects on-premises installations with admin consoles exposed to the public internet. Researchers also identified exploitation of CVE-2021-20038, CVE-2024-38475, CVE-2021-20035, CVE-2021-20039, and CVE-2025-32819 in related campaigns.

Redis RediShell CVE-2025-49844 represents 13-year-old critical flaw

Wiz Security discovered CVE-2025-49844 (“RediShell”), a 13-year-old use-after-free vulnerability in Redis affecting all versions with Lua scripting. The flaw (CVSS 10.0) enables remote code execution when an attacker with authenticated access sends a malicious Lua script that escapes the Lua sandbox and achieves arbitrary native code execution. Redis is used in approximately 75% of cloud environments, with over 330,000 Redis instances currently exposed to the Internet and 60,000 of those lacking authentication. Patches were released October 3 in versions 6.2.20, 7.2.11, 7.4.6, 8.0.4, and 8.2.2. Despite the maximum severity rating, no evidence of in-the-wild exploitation has been observed. Workarounds include restricting the EVAL and EVALSHA commands via ACL. The vulnerability enables credential theft, malware installation, data exfiltration, lateral movement, and privilege escalation; 57% of cloud environments install Redis as container images.
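The ACL workaround above only helps if every user that can reach the instance actually loses the scripting commands, and Redis ACL rules are applied in order, so a later `+@slow` or `+eval` silently re-grants what an earlier `-@scripting` removed. The following audit script is an added example, not code from the article, Wiz, or the Redis project: it parses the one-line-per-user text that `redis-cli ACL LIST` prints and reports which users can still run EVAL/EVALSHA, then emits the `ACL SETUSER <user> -@scripting` commands that would close the gap. The ACL lines are constructed samples, and the script assumes (simplification) that EVAL-family commands belong only to the `@all`, `@scripting` and `@slow` categories, so only those category rules and per-command rules are evaluated.

```python
"""Audit `redis-cli ACL LIST` output for users who can still run Lua scripting.

Added example for the RediShell (CVE-2025-49844) ACL workaround. The sample
ACL lines are constructed. Assumption: the EVAL-family commands carry only the
@all, @scripting and @slow ACL categories, so other categories (@read, @write,
...) never grant them; Redis 7 selectors in parentheses are not modelled.
"""

# Commands the workaround needs to withhold (a subset of Redis's @scripting category).
SCRIPTING_CMDS = frozenset({"eval", "evalsha", "eval_ro", "evalsha_ro", "script"})
# ACL categories assumed to contain those commands (see module docstring).
GRANTING_CATEGORIES = frozenset({"all", "scripting", "slow"})


def allowed_scripting_cmds(acl_line: str) -> set:
    """Return the scripting commands a user may run after applying the line's
    rules left to right, the way Redis does (later rules override earlier ones)."""
    tokens = acl_line.split()
    if len(tokens) < 2 or tokens[0] != "user":
        raise ValueError(f"not an ACL LIST line: {acl_line!r}")
    allowed = set()
    enabled = True
    for tok in tokens[2:]:
        if tok == "off":                       # disabled user: nothing is permitted
            enabled = False
        elif tok == "on":
            enabled = True
        elif tok == "allcommands":             # legacy spelling of +@all
            allowed = set(SCRIPTING_CMDS)
        elif tok == "nocommands":              # legacy spelling of -@all
            allowed = set()
        elif tok.startswith(("+@", "-@")):     # category rule
            if tok[2:].lower() in GRANTING_CATEGORIES:
                if tok[0] == "+":
                    allowed |= SCRIPTING_CMDS
                else:
                    allowed -= SCRIPTING_CMDS
        elif tok[0] in "+-" and len(tok) > 1:  # per-command rule
            cmd, _, sub = tok[1:].lower().partition("|")
            if cmd not in SCRIPTING_CMDS:
                continue
            if tok[0] == "+":
                allowed.add(cmd)               # "+script|exists" still counts as SCRIPT
            elif not sub:
                allowed.discard(cmd)           # "-script|flush" leaves the parent usable
        # passwords (>, #, nopass), key/channel patterns (~, %, &) and flags are ignored
    return allowed if enabled else set()


def audit_acl_list(acl_lines):
    """Map each user name to True when it can still run EVAL or EVALSHA."""
    result = {}
    for line in acl_lines:
        if line.strip():
            name = line.split()[1]
            result[name] = bool(allowed_scripting_cmds(line) & {"eval", "evalsha"})
    return result


def remediation_commands(acl_lines):
    """`ACL SETUSER` commands that withhold @scripting from every exposed user."""
    return [f"ACL SETUSER {name} -@scripting"
            for name, exposed in audit_acl_list(acl_lines).items() if exposed]


# Constructed sample of ACL LIST output (password hashes shortened for readability).
SAMPLE_ACL_LIST = [
    "user default on nopass sanitize-payload ~* &* +@all",
    "user cache-app on #0123abcd ~cache:* &* -@all +@read +@write +@string",
    "user batch on #deadbeef ~* &* +@all -@scripting",
    "user legacy off nopass ~* &* +@all",
    "user etl on #cafe0001 ~* &* -@all +@read +eval",
]

if __name__ == "__main__":
    for user, exposed in audit_acl_list(SAMPLE_ACL_LIST).items():
        print(f"{user:10s} scripting {'ALLOWED' if exposed else 'blocked'}")
    for cmd in remediation_commands(SAMPLE_ACL_LIST):
        print(cmd)
```

Run it against real output with `redis-cli ACL LIST > acl.txt` and pass the lines in; the `default` user is the one most often forgotten, since unauthenticated clients on the 60,000 open instances mentioned above land there. Withholding `@scripting` breaks applications that legitimately use EVAL, so apply the generated commands per user rather than blanket-wide, and treat them as a stopgap until the patched versions are deployed.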

NVIDIA Triton Inference Server vulnerability chain enables AI model theft

Wiz Research discovered a vulnerability chain in NVIDIA Triton Inference Server requiring exploitation of three CVEs in sequence: CVE-2025-23319 (information leak allowing harvesting of unique internal private shared memory region names), CVE-2025-23320 (enables full read/write access to memory region using leaked name), and CVE-2025-23334 (data corruption leading to full remote code execution). These vulnerabilities were part of 17 critical, medium, and low-severity bugs patched by NVIDIA affecting the Python backend handling AI model inference tasks. Successful exploitation could result in AI model theft, sensitive data exposure, response manipulation, and network penetration. Mitigation requires updating to NVIDIA Triton Inference Server version 25.07.

Erlang/OTP SSH daemon CVE-2025-32433 under active exploitation

Palo Alto Networks Unit 42 documented active exploitation of CVE-2025-32433 beginning May 1, 2025; the critical vulnerability (CVSS 10.0) in Erlang/OTP (Open Telecom Platform) enables unauthenticated remote code execution. Improper state enforcement in the Erlang/OTP SSH daemon allows unauthenticated clients to execute commands by sending SSH connection protocol messages before authentication completes. Researchers observed 3,376 triggers of the CVE-2025-32433 signature globally, with 2,363 (70%) originating from firewalls protecting operational technology networks. Industries disproportionately affected include healthcare, agriculture, media/entertainment, and high technology. Attackers use reverse shells to gain unauthorized remote access. Affected versions are Erlang/OTP releases prior to OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20; patches are available in OTP-27.3.3, OTP-26.2.5.11, OTP-25.3.2.20 and later.

Additional critical vulnerabilities

Gladinet CentreStack/Triofox CVE-2025-11371 (CVSS 6.1): an unauthenticated Local File Inclusion affecting all versions through 16.7.10368.56560. Huntress detected exploitation on September 27 targeting at least 3 companies. The LFI allows retrieval of machine keys from Web.config files, enabling remote code execution via ViewState deserialization. Patches were not yet available as of October 11, and mitigation requires manual Web.config changes.

Meteobridge CVE-2025-4008 (CVSS 8.7): command injection in the web interface’s template.cgi script allowing remote unauthenticated arbitrary command execution with root privileges. CISA added it to the KEV catalog with an October 23 federal deadline.

GitHub Copilot Chat vulnerability: Legit Security discovered a CSP bypass combined with remote prompt injection enabling full control over Copilot’s responses, leaking AWS keys and zero-day bugs from private repositories through hidden HTML comments.

Juniper Networks patched over 200 vulnerabilities, including nine critical-severity flaws in Junos Space and Junos Space Security Director. Ivanti Endpoint Manager: the Zero Day Initiative disclosed 13 unpatched vulnerabilities allowing arbitrary code execution and privilege escalation.

Additional CISA KEV additions include CVE-2025-21043 (Samsung mobile out-of-bounds write, CVSS 8.8), CVE-2017-1000353 (Jenkins deserialization, CVSS 9.8), CVE-2015-7755 (Juniper ScreenOS authentication bypass, CVSS 9.8), and CVE-2014-6278 (GNU Bash Shellshock, CVSS 8.8).

Government and Industry Cyber Responses

CISA establishes federal patching deadline for Oracle vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency added CVE-2025-61882 to the Known Exploited Vulnerabilities catalog on October 7, mandating federal agencies patch or discontinue use by October 27, 2025. CISA noted the vulnerability’s use in ransomware campaigns, with FBI Assistant Director Brett Leatherman issuing a “stop-what-you’re-doing and patch immediately” warning. The UK’s National Cyber Security Centre urged all Oracle E-Business Suite users to perform compromise assessments, while Singapore cybersecurity agencies published similar advisories. Oracle cooperated with Google Mandiant during the investigation and shared indicators of compromise for detection and containment efforts. CISA also added five additional vulnerabilities to the KEV catalog on October 2, requiring federal patches by October 23, 2025, including Samsung CVE-2025-21043 (actively exploited in Android attacks), Jenkins CVE-2017-1000353, Juniper ScreenOS CVE-2015-7755, and GNU Bash Shellshock CVE-2014-6278.

Germany rejects EU Chat Control proposal ahead of key vote

German Federal Justice Minister Stefanie Hubig announced on October 8 that “Random chat monitoring must be taboo in a constitutional state,” signaling Germany would not vote for the EU Chat Control proposal ahead of the October 14 vote. Signal Foundation President Meredith Whittaker had threatened on October 6 to leave the EU market if Chat Control becomes law, describing the proposal as requiring “mass scanning of every message, photo, and video on a person’s device” using government-mandated databases or AI models. She characterized the proposal as a “mass surveillance free-for-all.” Denmark, holding the Council of EU presidency, strongly favored Chat Control, making Germany’s rejection a crucial swing vote that likely prevented passage. The vote was scheduled for October 14, one day after the end of this reporting period.

Recorded Future exposes China’s Ministry of State Security front organizations

Recorded Future published research on October 7 revealing Beijing Institute of Electronics Technology and Application (BIETA) and its subsidiary Beijing Sanxin Times Technology Co (CIII) as front organizations with ties to China’s Ministry of State Security (MSS). Likely established in 1983 (the same year as MSS), these organizations research, create, and sell technology supporting intelligence, counterintelligence, and military operations. Research areas include communication, multimedia security, electromagnetic technology, cryptography, forensics, networking, and steganography. The assessment characterized these as front organizations engaging in cyber operations on behalf of Chinese intelligence services.

GreyNoise identifies coordinated infrastructure campaign against network vendors

GreyNoise discovered on October 13 that attacks exploiting vulnerabilities in Cisco, Fortinet, and Palo Alto Networks devices were launched from the same infrastructure, indicating a coordinated campaign using shared attack infrastructure against multiple major network equipment vendors simultaneously. The finding suggested sophisticated threat actors systematically targeting network perimeter devices across vendor lines.

Additional regulatory and law enforcement actions

California enacted a privacy law on October 8 giving consumers the ability to universally opt out of data sharing, strengthening privacy protections for California residents. The Austrian privacy regulator found on October 10 that Microsoft violated EU law in its handling of children’s data. Police searched the national network of automatic license plate reading cameras in an abortion investigation, raising significant privacy concerns according to reporting on October 7.

Scattered Spider arrests continued throughout 2025: UK prosecutors charged two members (aged 18 and 19) in late September for extorting at least $115 million in ransom payments; U.S. prosecutors charged 19-year-old UK national Thalha Jubair for alleged involvement in attacks on Marks & Spencer, Harrods, Co-op Group, MGM Resorts, and Caesars Entertainment; in August 2025, 20-year-old Florida man Noah Michael Urban was sentenced to 10 years in federal prison and $13 million in restitution; and in April 2025, 23-year-old Scottish man Tyler Robert Buchanan was extradited from Spain to the U.S., allegedly having controlled $26 million stolen from victims.

Miscellaneous

Bitdefender reports 58% of breached organizations pressured to maintain confidentiality

Bitdefender released its 2025 Cybersecurity Assessment Report on October 13, analyzing 1,200+ IT/security professionals across 6 countries and 700,000 cyber incidents. The research found 58% of security professionals were told to keep breaches confidential, representing a 38% increase since 2023. The report revealed 84% of attacks exploit existing tools rather than introducing new malware, with pressure to maintain confidentiality especially acute for CISOs and CIOs. Organizations face growing urgency to shrink enterprise attack surfaces, with significant gaps between leadership and frontline teams regarding AI security perceptions.

Cybersecurity M&A activity remains robust with 40 September deals

SecurityWeek reported on October 7 that 40 cybersecurity merger and acquisition deals were announced in September 2025. Notable transactions included Accenture acquiring IAMConcepts (Canada-based IAM specialist), marking Accenture’s 22nd cybersecurity acquisition in the past decade. Cato Networks acquired Aim Security (AI security company) in Cato’s first-ever acquisition. Additional deals came from Check Point, CrowdStrike, F5, Mitsubishi Electric, and SentinelOne. The 2024 total reached 405 cybersecurity-related M&A deals, indicating sustained industry consolidation.

Emerging botnet and vulnerability disclosure activities

The RondoDox botnet was identified using an “exploit shotgun” approach with over 50 exploits targeting unpatched routers, DVRs, NVRs, CCTV systems, servers, and network devices. Apple updated its bug bounty program on October 10 with significant changes including new categories and target flags, maintaining a top payout of up to $2 million and reporting $35 million paid to date to security researchers. Windows 11 23H2 Home and Pro editions received 30-day end-of-support warnings on October 11, with support ending at the end of October 2025, meaning those systems will no longer receive security updates after the deadline.

The XLab report on Aisuru added further operational details beyond those covered above: the operators use the Telegram handle “@9gigsofram” and sell the botnet as a distributed proxy network for anonymizing malicious traffic. Aisuru is based on the Mirai IoT botnet code leaked in 2016 and reportedly uses multiple zero-day vulnerabilities; in April 2025 it compromised the Totolink router firmware distribution website. After the U.S. Department of Justice charged the alleged Rapper Bot proprietor in August 2025, Aisuru commandeered vulnerable IoT devices from the dismantled competitor, with even rebooted or cleaned devices being re-compromised within minutes.

DDoSecrets publishes two significant datasets

Distributed Denial of Secrets published the International Civil Defence Organization (ICDO) leak on October 7, containing 38 GB of documents, images, spreadsheets, emails, and other files from the intergovernmental organization that helps States provide protection and assistance to their populations. The dataset received Limited Distribution classification. On October 6 (one day before the reporting period), DDoSecrets published a Kansas City, Kansas Police Department leak containing over 500,000 files providing an extraordinary look inside law enforcement agency investigations, communications, and internal operations.

Threat intelligence and security research developments

Ukraine’s CERT reported on October 8 that Russian hackers are turning to AI as older tactics fail, though specific details remained limited. Google Mandiant reported on September 24 on a campaign by UNC5221 (a China-linked threat actor) using stealthy malware called “Brickstorm” to target technology companies, SaaS providers, and legal-services firms. The attacks involved pivoting from service providers to customer networks, searching emails, hunting for national security and trade information, and stealing source code. Google assessed UNC5221 as the “most prevalent adversary in the United States over the past several years” and released scanning tools and YARA rules for detection.

The concentration of infected IoT devices in U.S. ISP networks complicated DDoS mitigation efforts, with ISPs offering varying levels of security solutions including Charter Communications’ Advanced WiFi with Security Shield and Comcast’s Security Suite. Experts warned that ISPs need universal outbound DDoS attack suppression, as “network operators are learning the crying need for effective outbound attack mitigation.”