Cybersecurity never stops—and neither do hackers. While you wrapped up last week, new attacks were already underway.

From hidden software bugs to massive DDoS attacks and new ransomware tricks, this week's roundup gives you the biggest security moves to know. Whether you're protecting key systems or locking down cloud apps, these are the updates you need before making your next security decision.

Take a quick look to start your week informed and one step ahead.

⚡ Threat of the Week

Cisco 0-Day Flaws Under Attack — Cybersecurity agencies warned that threat actors have exploited two security flaws affecting Cisco firewalls as part of zero-day attacks to deliver previously undocumented malware families named RayInitiator and LINE VIPER. Both represent a significant evolution over the malware used in the previous campaign, in sophistication as well as in their ability to evade detection. The activity involves the exploitation of CVE-2025-20362 (CVSS score: 6.5) and CVE-2025-20333 (CVSS score: 9.9) to bypass authentication and execute malicious code on susceptible appliances. The campaign is assessed to be linked to a threat cluster dubbed ArcaneDoor, which was attributed to a suspected China-linked hacking group known as UAT4356 (aka Storm-1849).

🔔 Top News

  • Nimbus Manticore Uses MiniJunk in Critical Infra Attacks — An Iran-linked cyber-espionage group has expanded its operations beyond its traditional Middle Eastern hunting grounds to target critical infrastructure organizations across Western Europe using constantly improving malware variants and attack tactics. Nimbus Manticore, which overlaps with UNC1549 or Smoke Sandstorm, has been observed targeting defense manufacturing, telecommunications, and aviation companies in Denmark, Portugal, and Sweden. Central to the campaign are MiniJunk, an obfuscated backdoor that gives the attacker persistent access to infected systems, and MiniBrowse, a lightweight stealer with separate versions for stealing credentials from Chrome and Edge browsers. MiniJunk is an updated version of MINIBIKE (aka SlugResin). The emails used in the campaign direct victims to fake job-related login pages that appear to be associated with companies like Airbus, Boeing, Flydubai, and Rheinmetall. In a further escalation of its tactics, Nimbus Manticore has been observed using the service SSL.com starting around May 2025 to sign its code and pass off malware as legitimate software, leading to a "drastic decrease in detections."
  • ShadowV2 Targets Docker for DDoS Attacks — A novel ShadowV2 bot campaign is turning distributed denial-of-service (DDoS) attacks into a full-blown for-hire business by targeting misconfigured Docker containers on AWS. Instead of relying on prebuilt malicious images, the attackers build containers on the victim's machine itself to run a Go-based RAT capable of launching DDoS attacks. The exact rationale for the approach is unclear, though Darktrace researchers suggest it may have been a way to reduce the forensic traces left by importing a malicious container. Once installed, the malware sends a heartbeat signal to the C2 server every second, while also polling for new attack commands every five seconds.
  • Cloudflare Mitigates Largest DDoS Attack on Record — Web performance and security company Cloudflare said its systems blocked a record-breaking distributed denial-of-service (DDoS) attack that peaked at 22.2 terabits per second (Tbps) and 10.6 billion packets per second (Bpps), and lasted only 40 seconds. The attack was aimed at a single IP address of an unnamed European network infrastructure company. It's believed that the attack may be powered by the AISURU botnet.
  • Vane Viper Linked to Malicious Campaigns Distributing Malware — A high-volume cybercrime operation known as Vane Viper that's been active for more than a decade is supported by a commercial digital advertising platform with a checkered past. Vane Viper takes advantage of hundreds of thousands of compromised websites and malicious ads that redirect unsuspecting Web users to destinations such as exploit kits, malware, and sketchy websites. The findings suggest that Vane Viper is not acting as an unwitting intermediary but is a complicit enabler and active participant in malicious operations. It also shares parallels with VexTrio Viper in that both emerged from Eastern Europe around 2015 and are controlled by the Russian diaspora in Europe and Cyprus. "URL Solutions, Webzilla, and AdTech Holding form a closely connected trio of firms: domains registered en masse via a registrar steeped in cybercrime, hosted on infrastructure operated by a company that's hosted everything from Methbot to state-sponsored disinformation, and payloads delivered via an ad network long implicated in malvertising," Infoblox said. "Not only has PropellerAds turned a 'blind eye' to criminal abuse of their platform, but indicators [...] suggest – with moderate-to-high confidence – that several ad-fraud campaigns originated from infrastructure attributed to PropellerAds."
  • 2 New Supermicro BMC Bugs Allow Implanting Malicious Firmware — Servers running on motherboards sold by Supermicro contain medium-severity vulnerabilities that can allow hackers to remotely install malicious firmware that runs even before the operating system, providing unprecedented persistence. The caveat is that the threat actor needs administrative access to the BMC control interface to perform the update, or must distribute malicious images as part of a supply chain attack by compromising the servers used to host firmware updates and replacing the original images, all while keeping the signature valid. Supermicro said it has updated the BMC firmware to mitigate the vulnerabilities, adding that it's currently testing and validating affected products. The current status of the update is unknown.

🔥 Trending CVEs

Hackers don't wait. They exploit newly disclosed vulnerabilities within hours, transforming a missed patch or a hidden bug into a critical point of failure. One unpatched CVE is all it takes to open the door to a full-scale compromise. Below are this week's most critical vulnerabilities, making waves across the industry. Review the list, prioritize patching, and close the window of opportunity before attackers do.

This week's list includes — CVE-2025-20362, CVE-2025-20333, CVE-2025-20363 (Cisco), CVE-2025-59689 (Libraesva ESG), CVE-2025-20352 (Cisco IOS), CVE-2025-10643, CVE-2025-10644 (Wondershare RepairIt), CVE-2025-7937, CVE-2025-6198 (Supermicro BMC), CVE-2025-9844 (Salesforce CLI), CVE-2025-9125 (Lectora Desktop), CVE-2025-23298 (NVIDIA Merlin), CVE-2025-59545 (DotNetNuke), CVE-2025-34508 (ZendTo), CVE-2025-27888 (Apache Druid Proxy), CVE-2025-10858, CVE-2025-8014 (GitLab), and CVE-2025-54831 (Apache Airflow).

📰 Around the Cyber World

  • Microsoft Offers ESU for Free in the E.U. — Microsoft has decided to offer free extended security updates for Windows 10 users in the European Economic Area (EEA), following pressure from the Euroconsumers group. "We are pleased to learn that Microsoft will provide a no-cost Extended Security Updates (ESU) option for Windows 10 consumer users in the European Economic Area (EEA)," Euroconsumers said. In other regions, users will need to enable Windows Backup, pay $30 for the year, or redeem 1,000 Microsoft Rewards points. It's worth noting that Windows 10 reached end of support (EoS) on October 14, 2025.
  • Olymp Loader Spotted in the Wild — A new malware loader called Olymp Loader has been spotted in the wild, being propagated via GitHub repositories, or through tools disguised as popular software such as PuTTY, OpenSSL, Zoom, and even a Counter Strike mod called Classic Offensive. Written in assembly language, the malware-as-a-service (MaaS) solution provides built-in stealer modules, including a custom version of BrowserSnatch that's available on GitHub. Campaigns using Olymp have been found to deliver an array of information stealers and remote access trojans like Lumma, Raccoon, WebRAT (aka SalatStealer), and Quasar RAT. The tool was first advertised by a seller named OLYMPO in HackForums on June 5, 2025, as a botnet, before evolving into a loader and a crypter. "The malware seller has published a roadmap that treats Olymp as a bundle comprising Olymp Botnet, Olymp Loader, Olymp Crypter, an install service, and a file‑scanning tool for antivirus testing," Outpost24 said. "It remains to be seen whether OLYMPO can sustain and support a broader malware product suite over time." Regardless, the emergence of yet another bundled crimeware stack can further lower the entry barrier for less experienced threat actors, allowing them to mount widespread campaigns at scale within a short amount of time.
  • Malicious Facebook Ads Lead to JSCEAL Malware — Cybersecurity researchers have disclosed an ongoing campaign that's using bogus ads on Facebook and Google to offer free premium versions of trading platforms like TradingView. According to Bitdefender, the activity has also expanded to YouTube, where sponsored ads on the platform are being used to direct users to malware-laced downloads that steal credentials and compromise accounts. These ads are served via legitimate-but-compromised verified YouTube accounts. The attackers take pains to ensure that the hijacked channels mimic the official TradingView channel by reusing the latter's branding and playlists to build credibility. An unlisted video uploaded by the rebranded channel, titled "Free TradingView Premium – Secret Method They Don't Want You to Know," is estimated to have racked up more than 182,000 views through aggressive advertising. "The unlisted status is deliberate, of course. By not being publicly searchable, these malicious videos avoid casual reporting and platform moderation," Bitdefender said. "Instead, they are shown exclusively through ad placements, ensuring they reach their targets while remaining hidden from public view." The attacks ultimately led to the deployment of malware known as JSCEAL (aka WEEVILPROXY) to steal sensitive data.
  • LockBit 5.0 Analyzed — The threat actors behind the LockBit ransomware have released a "significantly more dangerous" version, LockBit 5.0, on its sixth anniversary, with advanced obfuscation and anti-analysis techniques, while being capable of targeting Windows, Linux, and ESXi systems. "The 5.0 version also shares code characteristics with LockBit 4.0, including identical hashing algorithms and API resolution methods, confirming this is an evolution of the original codebase rather than an imitation," Trend Micro said. "The preservation of core functionalities while adding new evasion techniques demonstrates the group's strategy of incremental improvement to their ransomware platform." LockBit may not be the most prolific ransomware group it once was ever since its infrastructure was disrupted in a law enforcement operation early last year, but the findings show that it continues to be as aggressive as ever when it comes to refining and retooling its tactics. "The Windows binary uses heavy obfuscation and packing: it loads its payload through DLL reflection while implementing anti-analysis techniques like ETW patching and terminating security services," the company said. "Meanwhile, the newly discovered Linux variant maintains similar functionality with command-line options for targeting specific directories and file types. The ESXi variant specifically targets VMware virtualization environments, designed to encrypt entire virtual machine infrastructures in a single attack."
  • Microsoft Blocks Access to Services Used by Israeli Military Unit — Microsoft has revealed that it "ceased and disabled" a set of services to Unit 8200 within the Israel Ministry of Defense (IMOD) that were used to enable mass surveillance of civilians in Gaza and the West Bank. It said it found evidence "relating to IMOD consumption of Azure storage capacity in the Netherlands and the use of AI services." The secretive contract came to light last month following a report by The Guardian, along with +972 Magazine and Local Call, that revealed how Microsoft's Azure service was being used to store and process millions of Palestinian civilian phone calls made each day in Gaza and the West Bank. The newspaper reported that the trove of intercepted calls amounted to 8,000 terabytes of data and was held in a Microsoft data center in the Netherlands. The collected data has since been moved out of the country and is planned to be transferred to the Amazon Web Services cloud platform.
  • Ransomware Groups Use Stolen AWS Keys to Breach Cloud — Ransomware gangs are using Amazon Web Services (AWS) keys stored in local environments, such as Veeam backup servers, to pivot to a victim's AWS account and steal data with the help of the Pacu AWS exploitation framework, turning what started as an on-premise event into a cloud compromise. "Threat actors are becoming increasingly adept at exploiting cloud environments — leveraging compromised AWS keys, targeting backup servers, and using advanced attack frameworks to evade detection," Varonis said.
  • Meta Unveils Ad-Free Option in the U.K. — Meta has launched an ad-free experience for Facebook and Instagram in the U.K., allowing users to pay £2.99 a month to access the platforms without ads on the web, and £3.99 a month for Android and iOS. "We will notify UK users over the age of 18 that they have the choice to subscribe to Facebook and Instagram for a fee to use these services without seeing ads," the company said. "A reduced, additional fee of £2/month on the web or £3/month on iOS and Android will automatically apply for each additional account listed in a user's Account Center." Meta has significant hurdles in rolling out the scheme in the E.U., causing it to walk back its ad model, offering users the choice to receive "less personalized ads" that are full-screen and temporarily unskippable. Earlier this May, the European Commission said the model does not comply with the Digital Markets Act (DMA) and fined Meta €200 million. In response, the company said it would need to make modifications to the model that "could result in a materially worse user experience for European users and a significant impact." In a report published in July 2025, privacy non-profit noyb said: "'Pay or Okay' has spread throughout the E.U. in recent years and can now be found on hundreds of websites. However, data protection authorities still haven't adopted a consistent E.U.-wide approach to deal with these systems. They should have agreed on this long ago."
  • Dutch Teen Duo Arrested Over Alleged 'Wi-Fi Sniffing' for Russia — Two teenagers have been arrested in the Netherlands on suspicion of espionage, reportedly on behalf of Russian intelligence agencies. The boys, both aged 17, were arrested on Monday. One has been remanded in custody while the other has been released on home bail. The arrests are related to laws regarding state-sponsored interference, but additional details have been withheld due to the age of the suspects and the ongoing investigation. The teens are alleged to have been tasked with carrying a "Wi-Fi sniffer" along a route past buildings in The Hague, including the headquarters of Europol and Eurojust, as well as several embassies.
  • Akira Ransomware Breaching MFA-Protected SonicWall VPN Accounts — Cybersecurity researchers have warned about an "aggressive" Akira ransomware campaign targeting SonicWall VPNs to rapidly deploy the locker as part of an attack wave that began on July 21, 2025. "In almost all intrusions, ransomware encryption took place in under four hours from initial access, with a staging interval as short as 55 minutes in some instances," Arctic Wolf said in a new report. Other commonly observed post-exploitation activities include internal network scanning, Impacket SMB activity tied to discovery, Active Directory discovery, and VPN client logins originating from Virtual Private Server (VPS) hosting providers. In several intrusions, the threat actors leveraged the dedicated account used by the firewall for LDAP/Active Directory synchronization to log in via SSL VPN, even though that account was never intentionally configured for such access. In more than 50% of the analyzed intrusions, login attempts were observed against accounts with the One Time Password (OTP) feature enabled. "Malicious logins were followed within minutes by port scanning, Impacket SMB activity, and rapid deployment of Akira ransomware," the company noted. "Victims spanned across multiple sectors and organization sizes, suggesting opportunistic mass exploitation."
  • Four People to Face Trial Over Greece Spyware Scandal — Four individuals, two Israeli and two Greek employees of spyware vendor Intellexa, are expected to face trial in Greece over the use of the Predator surveillance tool by the ruling government in 2022 to eavesdrop on judges, senior military officers, journalists, and the opposition. To date, no government officials have been charged in connection with the scandal.
  • Phishing Emails Lead to DarkCloud Stealer — The information stealer known as DarkCloud is being distributed via phishing emails masquerading as financial correspondence that trick recipients into opening malicious ZIP archives. The stealer, besides adding new layers of encryption and evasion, targets web browser data, keystrokes, FTP credentials, clipboard contents, email clients, files, and cryptocurrency wallets. Stolen credentials/data are sent to attacker-controlled Telegram, FTP, SMTP, or Web Panel (PHP) endpoints. It's marketed on Telegram by a user named @BluCoder and on the clearnet through the domain darkcloud.onlinewebshop[.]net. It's advertised as the "best surveillance software for parents, spouses, and employers." Cybersecurity company eSentire said: "DarkCloud is an information-stealing malware written in VB6 and is actively being updated to target a wide range of applications, including email clients, FTP clients, cryptocurrency wallets, web browsers and supports numerous other information-stealing capabilities like keystroke/clipboard harvesting, clipboard hijacking, and file collection."
  • Nupay Plugs "Configuration Gap" — Indian fintech company Nupay said it addressed a configuration gap after UpGuard flagged an unprotected Amazon S3 storage bucket containing more than 270,000 documents related to bank transfers of Indian customers. The exposed information included bank account numbers, transaction amounts, names, phone numbers, and email addresses. The data was linked to at least 38 different banks and financial institutions. It's currently not known how long the data was left publicly accessible on the internet, although misconfigurations of this kind are not uncommon. Nupay told TechCrunch the bucket exposed a "limited set of test records with basic customer details," and that a majority of the details were "dummy or test files."
  • Top AI Chatbots Provide Answers with False Claims — The tendency of some top AI chatbots to repeat false claims on topics in the news has nearly doubled compared with last year, according to an audit by NewsGuard. The disinformation rates of the chatbots went from 18% in August 2024 to 35% a year later, with the tools providing false claims in response to news prompts more than one-third of the time. "Instead of citing data cutoffs or refusing to weigh in on sensitive topics, the LLMs now pull from a polluted online information ecosystem — sometimes deliberately seeded by vast networks of malign actors, including Russian disinformation operations — and treat unreliable sources as credible," it said.
  • Israel's PM Says His U.N. Speech Streamed Directly to Gaza Cellphones — Israeli Prime Minister Benjamin Netanyahu said his speech at the United Nations last week was also pushed to mobile phones of Gaza residents in an unprecedented operation. "Ladies and gentlemen, thanks to special efforts by Israeli intelligence, my words are now also being carried," Netanyahu said. "They're streamed live through the cell phones of Gaza." There is no evidence for how it would've worked or if this actually took place.
  • Fake Teams Installers Lead to Oyster Malware — Threat actors are abusing SEO poisoning and malvertising to lure users searching for Teams online into downloading a fake installer that leads to malware called Oyster (aka Broomstick or CleanUpLoader). "Oyster is a modular, multistage backdoor that provides persistent remote access, establishes Command and Control (C2) communications, collects host information, and enables the delivery of follow-on payloads," Blackpoint said. "By hiding behind a widely used collaboration platform, Oyster is well positioned to evade casual detection and blend into the noise of normal enterprise activity." The activity has been attributed by Conscia to Vanilla Tempest (aka Storm-0832 or Vice Society).
  • Flaw in Streamlit Framework Patched — Cybersecurity researchers discovered a vulnerability in the Streamlit app deployment framework that can allow attackers to hijack underlying cloud servers. "To do that, threat actors bypass file type restrictions and take full control of a misconfigured cloud instance running Streamlit applications," Cato Networks said. In a hypothetical attack scenario, bad actors can exploit a file upload vulnerability in the framework to rewrite server files and deploy new SSH configurations. Streamlit released a security patch in March.

🎥 Cybersecurity Webinars

  • Beyond the Hype: Practical AI Workflows for Cybersecurity Teams — AI is transforming cybersecurity workflows, but the best results come from blending human oversight with automation. In this webinar, Thomas Kinsella of Tines shows how to pinpoint where AI truly adds value, avoid over-engineering, and build secure, auditable processes that scale.
  • Halloween Special: Real Breach Stories and the Fix to End Password Horrors — Passwords are still a prime target for attackers—and a constant pain for IT teams. Weak or reused credentials, frequent helpdesk resets, and outdated policies expose organizations to costly breaches and reputational damage. In this Halloween-themed webinar from The Hacker News and Specops Software, you'll see real breach stories, discover why traditional password policies fail, and watch a live demo on blocking compromised credentials in real time—so you can end password nightmares without adding user friction.
  • From Code to Cloud: Learn How to See Every Risk, Fix Every Weak Link — Modern AppSec needs end-to-end visibility from code to cloud. Without it, hidden flaws delay fixes and raise risk. This webinar shows how code-to-cloud mapping unites dev, DevOps, and security to prioritize and remediate faster, forming the backbone of effective ASPM.

🔧 Cybersecurity Tools

  • Pangolin — Pangolin is a self-hosted reverse proxy that securely exposes private services to the internet without opening firewall ports. It creates encrypted WireGuard tunnels to connect isolated networks and includes built-in identity and access management, so you can control who reaches your internal apps, APIs, or IoT devices. Ideal for developers, DevOps teams, or organizations needing safe remote access, Pangolin simplifies sharing internal resources while keeping them protected behind strong authentication and role-based permissions.
  • AI Red Teaming Playground — Microsoft's AI Red Teaming Playground Labs offers hands-on challenges to practice probing AI systems for security gaps. Built on Chat Copilot and powered by the open-source PyRIT framework, it lets you simulate prompt injections and other adversarial attacks to identify hidden risks in generative AI before deployment.

Disclaimer: The tools featured here are provided strictly for educational and research purposes. They have not undergone full security audits, and their behavior may introduce risks if misused. Before experimenting, carefully review the source code, test only in controlled environments, and apply appropriate safeguards. Always ensure your usage aligns with ethical guidelines, legal requirements, and organizational policies.

🔒 Tip of the Week

Hardening Active Directory Against Modern Attacks — Active Directory is a prime target—compromise it and attackers can own your network. Strengthen its defenses starting with Kerberos FAST (Flexible Authentication Secure Tunneling), which encrypts pre-authentication traffic to block offline password cracking and relay attacks. Deploy it in "Supported" mode, monitor KDC events (IDs 34, 35), then enforce "Required" once all clients are ready.
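The FAST rollout described above hinges on one question: are any clients still sending unarmored Kerberos requests? The script below, an added example that is not part of the original article, answers it on a domain controller by reading the KDC's current armoring policy and counting the KDC events (IDs 34 and 35) logged over a chosen window. It assumes that those events are written to the System log by the provider `Microsoft-Windows-Kerberos-Key-Distribution-Center`, and that the "KDC support for claims, compound authentication and Kerberos armoring" policy is reflected in the `EnableCbacAndArmor` and `CbacAndArmorLevel` registry values under `HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\KDC`; both are stated here as assumptions to verify against your own environment. The function names are this example's own.

```powershell
# Added example (not from the article): assess Kerberos FAST readiness on a domain controller.
# Assumptions: KDC events 34/35 are written to the System log by the provider
# 'Microsoft-Windows-Kerberos-Key-Distribution-Center', and the armoring policy is stored
# under HKLM:\...\Policies\System\KDC as EnableCbacAndArmor / CbacAndArmorLevel.
# Run in an elevated PowerShell session on a DC (or pass -ComputerName for a remote DC).

param(
    [int]$Days = 7,
    [string]$ComputerName = $env:COMPUTERNAME
)

function Get-KdcArmorPolicy {
    # Translate the policy registry values into the names shown in Group Policy.
    $key    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\KDC'
    $levels = @{ 0 = 'Not supported'; 1 = 'Supported'; 2 = 'Always provide claims'; 3 = 'Fail unarmored requests (Required)' }
    if (-not (Test-Path $key)) {
        return [pscustomobject]@{ Enabled = $false; Level = 'Not configured (policy key absent)' }
    }
    $p = Get-ItemProperty -Path $key
    $levelName = 'Unknown'
    if ($null -ne $p.CbacAndArmorLevel -and $levels.ContainsKey([int]$p.CbacAndArmorLevel)) {
        $levelName = $levels[[int]$p.CbacAndArmorLevel]
    }
    [pscustomobject]@{ Enabled = ($p.EnableCbacAndArmor -eq 1); Level = $levelName }
}

function Get-UnarmoredKerberosEvents {
    # Pull KDC events 34 and 35 for the window; an empty result is a success, not an error.
    param([int]$Days, [string]$ComputerName)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id           = 34, 35
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    try {
        @(Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop)
    } catch {
        if ($_.Exception.Message -match 'No events were found') { @() } else { throw }
    }
}

$policy = Get-KdcArmorPolicy
$events = Get-UnarmoredKerberosEvents -Days $Days -ComputerName $ComputerName

Write-Host "KDC armoring policy on $ComputerName : enabled=$($policy.Enabled), level='$($policy.Level)'"
Write-Host "KDC events 34/35 in the last $Days day(s): $($events.Count)"

# Summarize per event ID and by the first line of the message so recurring sources stand out.
$events |
    Group-Object -Property Id, { ($_.Message -split "`r?`n")[0] } |
    Sort-Object -Property Count -Descending |
    Select-Object -First 20 Count, @{ n = 'Id';      e = { $_.Group[0].Id } },
                               @{ n = 'Summary'; e = { ($_.Group[0].Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

# Readiness verdict: move to "Required" only when Supported mode has been quiet for the whole window.
if ($policy.Level -eq 'Supported' -and $events.Count -eq 0) {
    Write-Host "No unarmored requests observed; this DC is a candidate for enforcing FAST (Required)."
} elseif ($events.Count -gt 0) {
    Write-Host "Unarmored requests still occur; identify the clients above before enforcing."
} else {
    Write-Host "Policy is not in Supported mode; deploy Supported first to collect telemetry."
}
```

Run it on every domain controller (or loop over `Get-ADDomainController -Filter *`), because the events are logged locally on whichever DC served the request; a single quiet DC does not prove the forest is ready. Widen `-Days` to cover at least one full patch and logon cycle so that laptops that only connect occasionally are not missed.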

Run PingCastle for a rapid forest health check and use ADeleg/ADeleginator to uncover dangerous over-delegation in OUs or service accounts. Harden password security with Fine-Grained Password Policies (FGPP), automate local admin password rotation using LAPS, and use Lithnet Password Protection to block breached credentials in real time.

Tighten other control layers: use AppLocker Inspector/Gen to lock down application execution and GPOZaurr to detect orphaned or risky Group Policy Objects. Scan AD Certificate Services with Locksmith to close misconfigurations and use ScriptSentry to catch malicious logon scripts that enable stealthy persistence.

Finally, apply CIS or Microsoft security baselines and generate custom Attack Surface Reduction rules with ASRGen to block exploit techniques that bypass standard policies. This layered, rarely implemented strategy raises the cost of compromise and forces even advanced adversaries to work far harder.

Conclusion

These headlines show how tightly connected our defenses must be in today's threat landscape. No single team, tool, or technology can stand alone—strong security depends on shared awareness and action.

Take a moment to pass these insights along, spark a conversation with your team, and turn this knowledge into concrete steps. Every patch applied, policy updated, or lesson shared strengthens not just your own organization, but the wider cybersecurity community we all rely on.
