⚡ Weekly Recap: WhatsApp Worm, Critical CVEs, Oracle 0-Day, Ransomware Cartel & More

Every week, the cyber world reminds us that silence doesn't mean safety. Attacks often begin quietly — one unpatched flaw, one overlooked credential, one backup left unencrypted. By the time alarms sound, the damage is done.

This week's edition looks at how attackers are changing the game — linking different flaws, working together across borders, and even turning trusted tools into weapons. From major software bugs to AI abuse and new phishing tricks, each story shows how fast the threat landscape is shifting and why security needs to move just as quickly.

⚡ Threat of the Week

Dozens of Orgs Impacted by Exploitation of Oracle EBS Flaw — Dozens of organizations may have been impacted following the zero-day exploitation of a security flaw in Oracle's E-Business Suite (EBS) software since August 9, 2025, according to Google Threat Intelligence Group (GTIG) and Mandiant. The activity, which bears some hallmarks associated with the Cl0p ransomware crew, is assessed to have fashioned together multiple distinct vulnerabilities, including a zero-day flaw tracked as CVE-2025-61882 (CVSS score: 9.8), to breach target networks and exfiltrate sensitive data. The attack chains have been found to trigger two different payload chains, dropping malware families like GOLDVEIN.JAVA, SAGEGIFT, SAGELEAF, and SAGEWAVE. Oracle has also released updates to EBS to address another vulnerability in the same product (CVE-2025-61884) that could lead to unauthorized access to sensitive data. The company did not mention if it was being exploited in the wild.

Automated Session Termination & Activity Summaries: Goodbye Manual Log Reviews

Threats move fast. KeeperAI moves faster. With real-time, agentic AI threat detection and response, high-risk sessions are instantly terminated, and every action is categorized into risk levels and summarized. Automate insider threat detection and eliminate manual log reviews forever.

Start a Free Trial ➝

🔔 Top News

• Storm-1175 Linked to Exploitation of GoAnywhere MFT Flaw — A cybercriminal group Microsoft tracks as Storm-1175 exploited a maximum-severity vulnerability in GoAnywhere MFT (CVE-2025-10035) to initiate multi-stage attacks, including Medusa ransomware. Storm-1175's attacks are opportunistic, and have affected organizations in the transportation, education, retail, insurance, and manufacturing sectors. The activity blends legitimate tools with stealthy techniques to stay under the radar and monetize access through extortion and data theft, using the access to install remote monitoring tools such as SimpleHelp and MeshAgent, drop web shells, and move laterally across networks using built-in Windows utilities. Fortra has since disclosed that it began its investigation on September 11 following a "potential vulnerability" reported by a customer, uncovering "potentially suspicious activity" related to the flaw.
• OpenAI Disrupted Three Clusters from China, North Korea, and Russia — OpenAI said it disrupted three activity clusters for misusing its ChatGPT artificial intelligence (AI) tool to facilitate malware development. This includes a Russian‑language threat actor, who is said to have used the chatbot to help develop and refine a remote access trojan (RAT), a credential stealer with an aim to evade detection. The second cluster of activity originated from North Korea, which used ChatGPT for malware and command-and-control (C2) development, focusing on developing macOS Finder extensions, configuring Windows Server VPNs, or converting Chrome extensions to their Safari equivalents. The third set of banned accounts shared overlaps with a cluster tracked as UNK_DropPitch (aka UTA0388), a Chinese hacking group which employed the AI chatbot to generate content for phishing campaigns in English, Chinese, and Japanese; assist with tooling to accelerate routine tasks such as remote execution and traffic protection using HTTPS; and search for information related to installing open-source tools like nuclei and fscan.
• Over 175 npm Packages Used for Phishing Campaign — In an unusual twist, threat actors have been observed to push throwaway npm packages that, once installed, are designed to create and publish an npm package of its own with the pattern "redirect-xxxxxx" or "mad-xxxxxx," which, in turn, auto-redirects victims to credential-harvesting sites when opened from crafted HTML business documents. "Unlike the more familiar tactic of simply uploading malicious packages to compromise developers during package installation, this campaign takes a different path," Snyk said. "Instead of infecting users via npm install, the attackers leverage the browser delivery path through UNPKG, turning legitimate open source hosting infrastructure into a phishing mechanism." It's believed that the HTML files generated through the npm packages are distributed to victims, who are then redirected to the credential phishing sites when they attempt to open them. In the packages analyzed by Snyk, the pages masquerade as Cloudflare security checks before leading victims to an attacker-controlled URL fetched from a remote GitHub-hosted file.
• LockBit, Qilin, and DragonForce Join Forces — Three of the most notorious ransomware-as-a-service operations, LockBit, Qilin, and DragonForce, have formed a criminal cartel aimed at coordinating attacks and sharing resources. The partnership was announced early last month, shortly following the emergence of LockBit 5.0. "Create equal competition conditions, no conflicts and no public insults," DragonForce wrote in a post on a dark web forum. "This way, we can all increase our income and dictate market conditions. Call it whatever you like – coalition, cartel, etc. The main thing is to stay in touch, be friendly to each other, and be strong allies, not enemies." The teaming up of the three groups comes amid mounting pressure from law enforcement disruptions, prompting them to attack sectors previously considered off-limits, such as nuclear power plants, thermal power plants, and hydroelectric power plants. It also follows a similar consolidation pattern among primarily English-speaking cybercrime collectives like Scattered Spider, ShinyHunters, and LAPSUS$, which began collaborating under the name Scattered LAPSUS$ Hunters. That said, the cartelization of ransomware also comes at a time of record fragmentation in the broader ecosystem, with the number of active data leak sites reaching an all-time high of 81 in the third quarter of 2025.
• China-Nexus Hackers Weaponize Open-Source Nezha Tool in Attacks — Threat actors with suspected ties to China have turned a legitimate open-source monitoring tool called Nezha into an attack weapon, using it to deliver a known malware called Gh0st RAT to targets. The campaign is said to have likely compromised more than 100 victim machines since August 2025, with a majority of the infections reported in Taiwan, Japan, South Korea, and Hong Kong. The activity is yet another indication of how threat actors continue to twist legitimate tools for malicious purposes and blend in with normal network traffic. In one instance observed by Huntress, the attackers targeted an exposed phpMyAdmin panel to deploy a web shell by means of a log poisoning attack. The access obtained through the web shell was then used to drop Nezha and ultimately drop Gh0st RAT, but not before laying the necessary groundwork to avoid detection.

‎️‍🔥 Trending CVEs

Hackers move fast. They often exploit new vulnerabilities within hours, turning a single missed patch into a major breach. One unpatched CVE can be all it takes for a full compromise. Below are this week's most critical vulnerabilities gaining attention across the industry. Review them, prioritize your fixes, and close the gap before attackers take advantage.

This week's list includes — CVE-2025-61884 (Oracle E-Business Suite), CVE-2025-11371 (Gladinet CentreStack and TrioFox), CVE-2025-5947 (Service Finder theme), CVE-2025-53967 (Framelink Figma MCP server), CVE-2025-49844 (Redis), CVE-2025-27237 (Zabbix Agent), CVE-2025-59489 (Unity for Android and Windows), CVE-2025-36604 (Dell UnityVSA), CVE-2025-37728 (Elastic Kibana Connector), CVE-2025-56383 (Notepad++), CVE-2025-11462 (AWS Client VPN for macOS), CVE-2025-42701, CVE-2025-42706 (CrowdStrike Falcon), CVE-2025-11001, CVE-2025-11002 (7-Zip), CVE-2025-59978 (Juniper Networks Junos Space), CVE-2025-11188, CVE-2025-11189, CVE-2025-11190 (SynchroWeb Kiwire Captive Portal), CVE-2025-3600 (Progress Telerik UI for ASP.NET AJAX), a cross-site scripting (XSS) vulnerability in REDCap, and unpatched security vulnerabilities in Ivanti Endpoint Manager (from ZDI-25-935 through ZDI-25-947).

📰 Around the Cyber World

• TwoNet Targets Forescout Honeypot — An ICS/OT honeypot run by Forescout, designed to mimic a water treatment facility, was targeted last month by a Russia-linked group named TwoNet. The financially motivated hacktivist group subsequently attempted to deface the associated human machine interface (HMI), disrupt processes, and manipulate other ICS. Forescout's honeypots also saw attack attempts that have been linked to Russia and Iran. TwoNet first emerged in January, primarily focused on DDoS attacks using the MegaMedusa Machine malware, per Intel471. Through an affiliated group, CyberTroops, TwoNet announced it was ceasing operations on September 30, 2025. "This underscores the ephemeral nature of the ecosystem where channels and groups are short-lived, while operators typically persist by rebranding, shifting alliances, joining other groups, learning new techniques, or targeting other organizations," Forescout said. "Groups moving from DDoS/defacement to OT/ICS often misread targets, trip over honeypots, or overclaim. That doesn't make them harmless; it shows where they are headed."
• Sophos Probes WhatsApp Worm's Links to Coyote — A recently disclosed campaign dubbed Water Saci involved the threat actors using self-propagating malware dubbed SORVEPOTEL that spreads via the popular messaging app WhatsApp. Sophos said it's investigating to determine if the campaign could be related to prior reported campaigns that distributed a banking trojan named Coyote targeting users in Brazil, and if the malware used in the attacks, Maverick, is an evolution of Coyote. The WhatsApp messages contain a zipped LNK file that, when launched, initiates a series of malicious PowerShell commands to drop next-stage PowerShell, which then attempts to modify local security controls. In some cases, Sophos said it observed an additional payload, the legitimate Selenium browser automation tool, that enabled control of running browser sessions on the infected host. It's suspected that Selenium is delivered alongside Maverick via the same command-and-control (C2) infrastructure.
• North Korean IT Workers Seek Jobs in New Sectors — The infamous North Korean IT workers are now seeking remote jobs in the industrial design and architecture fields, according to security company KELA. "Their involvement could pose risks related to espionage, sanctions evasion, safety concerns, and access to sensitive infrastructure designs," it said, describing the threat as a "a highly organized, state-backed network that extends far beyond IT roles." One of IT workers, Hailong Jin, has been identified as connected to the development of a malicious game called DeTankZone, while also sharing ties with another IT worker named Lian Hung, who has claimed to be a mobile app developer in Tanzania. It's believed that Hailong Jin and Lian Hung may be the same person, the Chollima Group said, adding Bells Inter Trading Limited is a North Korean run front company employing IT Workers in Tanzania. The company, for its part, has been linked to several VPN apps published on both Apple and Google's iOS and Android app stores. "Rather than viewing them as a monolithic entity, North Korean IT Workers are more akin to individual entrepreneurs operating under the blessing of a higher-status boss," the Chollima Group noted. "As an IT Worker gains more status and respect, they are able to climb the organization's ranks and eventually become bosses themselves. From there they may form their own front companies and gain the status necessary to take on more malicious activity (if they so choose). We believe Lian Hung and Hailong Jin, both appearing to be in their 30s-40s, may be operating as middle managers or hold higher statuses in this structure, which may explain their titles of choice being 'Project Manager.'"
• FBI Seizes Site Used by Salesforce Extortionists — The U.S. Federal Bureau of Investigation (FBI) seized a website ("breachforums[.]hn") that was being used by Scattered LAPSUS$ Hunters to extort Salesforce and its customers. The action marks another chapter in the ongoing cat-and-mouse game to dismantle the persistent data leak site. That said, the dark web version of the leak site is still up and running. "BreachForums was seized by the FBI and international partners today. All our domains were taken from us by the U.S. Government. The era of forums is over," the Scattered Lapsus$ Hunters group said in a PGP-encrypted statement on Telegram. While the groups initially claimed they were shutting down their operations, the website resurfaced merely a few days later, transitioning from a hacking forum to a dedicated extortion site. The group also admitted that the BreachForums servers and backups were destroyed, and that database archives and escrow data from as far back as 2023 were compromised. Scattered LAPSUS$ Hunters (aka the Trinity of Chaos) is a newly formed alliance comprising Scattered Spider (aka Muddled Libra), LAPSUS$, and ShinyHunters (aka Bling Libra). In recent weeks, the threat actors breached Salesloft's systems and used the access to obtain customers' Salesforce data. Last month, Salesloft revealed that the data breach linked to its Drift application started with the compromise of its GitHub account. BreachForums has a long and turbulent history, punctuated by numerous takedowns and resurrections since its original administrator was arrested in March 2023.
• NSO Group Acquired by U.S. Investment Group — Israeli spyware maker NSO Group has disclosed that a U.S. investment group has acquired the controversial company. A company's spokesperson told TechCrunch that "an American investment group has invested tens of millions of dollars in the company and has acquired controlling ownership."
• Apple Revises its Bug Bounty Program — Apple announced significant updates to its bug bounty program, with the company now offering up to $2 million for exploit chains that can achieve similar goals as sophisticated mercenary spyware attacks. It's also rewarding one-click WebKit sandbox escapes with up to $300,000, and up to $1 million for wireless proximity exploits over any radio, broad unauthorized iCloud access, and WebKit exploit chains leading to unsigned arbitrary code execution. "Since we launched the public Apple Security Bounty program in 2020, we're proud to have awarded over $35 million to more than 800 security researchers, with multiple individual reports earning $500,000 rewards," the company said. The new payouts will go into effect in November 2025.
• Spanish Guardia Civil Disrupts GXC Team — Spanish authorities dismantled the GXC Team and arrested its alleged mastermind, a 25-year-old Brazilian national who went online as GoogleXcoder. According to Group-IB, GXC Team operated a crime-as-a-service (CaaS) platform offering AI-powered phishing kits, Android malware, and voice scam tools via Telegram and a Russian-speaking hacker forum to cybercriminals targeting banks, transportation, and e-commerce, in Spain, Slovakia, the UK, US, and Brazil."To avoid capture, the suspect adopted a 'digital nomad' lifestyle, frequently relocating between Spanish provinces and using stolen identities to secure housing, phone lines, and payment cards," Group-IB said.
• Inside Russian Market — Rapid7 said Russian Market has evolved its operations over time, pivoting from selling RDP access to stolen credit card data and, more recently, infostealer logs. "Stolen credentials originate from organizations worldwide, with 26% originating in the US and 23% in Argentina," the company said. "Most sellers have adopted a multi-stealer approach over the years, leveraging various malware variants in their operations, with Lumma emerging as a widely used tool. The most common types of infostealers being used by sellers in Russian Market over the years have been Raccoon, Vidar, Lumma, RedLine, and Stealc, with Rhadamanthys and Acreed gaining popularity in the first half of 2025." The findings came as Red Canary revealed that Atomic, Poseidon, and Odyssey have emerged as the three prominent stealer families targeting Apple macOS systems, while also sharing many tactical similarities. Odyssey Stealer is a successor to Poseidon that was first detected in March 2025.
• Austria Says Microsoft Violated E.U. Laws — Austria's privacy regulator found that Microsoft violated E.U. law by illegally tracking students through Microsoft 365 Education using tracking cookies without their consent. The decision was reached following noyb's complaint in 2024. The Austrian Data Protection Authority (DSB) has ordered the deletion of the relevant personal data. "The decision by the Austrian DPA really highlights the lack of transparency with Microsoft 365 Education," noyb said. "It is almost impossible for schools to inform students, parents and teachers about what is happening with their data."
• AI Models Can Acquire Backdoors from About 250 Malicious Documents — A new academic study from Anthropic, the U.K. AISI's Safeguards team, and The Alan Turing Institute has found that it takes approximately 250 malicious documents to establish a simple "backdoor" in large language models. The research challenges the idea that attackers need to control or poison a large portion of the training data in order to influence an LLM's output. "Poisoning attacks require a near-constant number of documents regardless of model and training data size," it said. "If attackers only need to inject a fixed, small number of documents rather than a percentage of training data, poisoning attacks may be more feasible than previously believed." A 2024 study by researchers at Carnegie Mellon University, ETH Zürich, Meta, and Google DeepMind showed that attackers controlling 0.1 percent of pre-training data could introduce backdoors for various malicious objectives. "Our results suggest that injecting backdoors through data poisoning may be easier for large models than previously believed as the number of poisons required does not scale up with model size," the researchers said, "highlighting the need for more research on defences to mitigate this risk in future models." The disclosure coincided with OpenAI's stating that its GPT-5 model exhibits lower levels of political bias than any previous models.

🎥 Cybersecurity Webinars

• Drowning in Vulnerability Alerts? Here's How to Finally Regain Control - Most security teams face the same problem — too many vulnerabilities and not enough time. Dynamic Attack Surface Reduction (DASR) helps fix this by finding and closing risks automatically, before attackers can use them. Instead of chasing endless alerts, teams can focus on what really matters: keeping systems safe and running smoothly. It's a smarter, faster way to stay one step ahead.
• How Leading Teams Are Using AI to Simplify Compliance and Reduce Risk - AI is changing how organizations handle Governance, Risk, and Compliance (GRC). It can make compliance faster and smarter—but it also brings new risks and rules to follow. This session will show you how to use AI safely and effectively, with real examples, lessons from early adopters, and practical tips to prepare your team for the future of compliance.
• From Firefighting to Secure-by-Design: A Practical Playbook - AI is changing fast, but security can't lag behind. The smartest teams now treat security controls as launchpads, not roadblocks — enabling AI agents to move quickly and safely. By shifting from reactive firefighting to a secure-by-design mindset, organizations gain both speed and confidence. With the right framework, you can control AI risks while accelerating innovation instead of slowing it down.

🔧 Cybersecurity Tools

• P0LR Espresso - A new open-source tool from Permiso that helps security teams quickly analyze multi-cloud logs during live response. It normalizes data from platforms like AWS, Azure, and GCP to deliver clear timelines, behavioral insights, and IOC analysis—making it easier to spot compromised identities and understand what really happened.
• Ouroboros - A new open-source decompiler built in Rust that uses symbolic execution to recover high-level code structure from compiled binaries. Unlike traditional decompilers that rely on static assignment models, Ouroboros tracks constraints and data flow to understand how registers and memory change during execution. This approach helps it reconstruct logical code patterns such as loops, conditions, and control flow regions, making it a practical tool for reverse engineering, program analysis, and security research.

Disclaimer: These tools are for educational and research use only. They haven't been fully security-tested and could pose risks if used incorrectly. Review the code before trying them, test only in safe environments, and follow all ethical, legal, and organizational rules.

🔒 Tip of the Week

Don't Leave Your Backups Unlocked — Backups are your safety net — but if they're not encrypted, they can become your biggest risk. Anyone who gets access to an unencrypted backup can read everything inside: passwords, emails, financial data, customer info — all of it.

The Simple Fix: Always encrypt your backups before saving or sending them anywhere (USB, cloud, or server). Encryption locks your data so only you can open it.

🔐 Easy, Trusted Open-Source Tools:

• Restic: Fast, simple, and encrypts everything automatically. Works with many cloud services.
• BorgBackup: Compresses, deduplicates, and encrypts your backups — perfect for long-term storage.
• Duplicity: Uses GPG encryption and supports encrypted backups to local or remote storage.
• rclone: Syncs files securely to cloud storage with built-in encryption options.

Pro Tip: Test your backup regularly — make sure you can decrypt and restore it. A locked or broken backup is as bad as no backup at all.

Conclusion

The week's stories show both sides of cybersecurity — the creativity of attackers and the resilience of defenders. Our strength lies in awareness, collaboration, and action. Let's use every lesson learned to make next week's news a little less alarming.