Weekly Cybersecurity Recap

Date: November 4, 2025

This week, the cybersecurity landscape showcased a surge in complex, fast-moving threats that tested the limits of trusted systems and secure infrastructures. From zero-day exploits and advanced phishing schemes to hardware-level vulnerabilities, threat actors demonstrated both speed and sophistication. No sector remained untouched — finance, cloud, critical infrastructure, and mobile ecosystems all faced high-impact attacks.

This summary highlights the most significant developments, newly discovered threats, and defensive insights from the week.

Threat of the Week: Motex Lanscope Flaw Exploited to Deploy Gokcpdoor

A suspected Chinese state-sponsored group, Tick, has been observed exploiting a critical vulnerability (CVE-2025-61932, CVSS 9.3) in Motex Lanscope Endpoint Manager to distribute a custom backdoor named Gokcpdoor. According to Sophos researchers, the attacks were limited and carefully aligned with the group’s espionage objectives, indicating a highly targeted campaign against specific sectors of interest.

Top Stories

TEE.Fail Side-Channel Attack Breaks Intel and AMD TEEs

A new physical side-channel attack dubbed TEE.Fail has successfully compromised the integrity of modern Trusted Execution Environments (TEEs) used by Intel and AMD. The attack exploits the deterministic memory encryption these platforms use, together with a DDR5 bus interposer, to extract cryptographic secrets from Intel SGX/TDX and AMD SEV-SNP enclaves. While the attack requires physical access and kernel-level privileges, it highlights significant design concerns in next-generation hardware security.

Russian Hackers Breach Ukrainian Networks Using Legitimate Tools

Two Ukrainian organizations — a business services company and a local government agency — were infiltrated by suspected Russian threat actors employing living-off-the-land techniques. Instead of deploying custom malware, the attackers utilized legitimate administrative tools already present in the networks to maintain stealth and persistence. The incidents reinforce the growing shift toward low-footprint, stealthy intrusion methods.

North Korea Targets Web3 with GhostCall and GhostHire Campaigns

The BlueNoroff threat actor group (a sub-cluster of Lazarus Group) has reemerged with two advanced campaigns: GhostCall and GhostHire. These operations target Web3 developers and blockchain executives, using fake job offers and social engineering on platforms like LinkedIn and Telegram to deliver multi-stage malware. Kaspersky reports that BlueNoroff’s strategy has expanded from cryptocurrency theft to comprehensive data collection for supply-chain exploitation and secondary attacks.

New Android Banking Malware ‘Herodotus’ Mimics Human Behavior

A new Android banking trojan named Herodotus is drawing attention for its ability to simulate human typing behavior to evade behavioral detection. Distributed via SMS phishing, the malware overlays fake banking interfaces to steal credentials and intercepts OTPs. Its unique feature — mimicking real typing patterns — allows it to bypass heuristic detection mechanisms, posing a significant risk to mobile banking users.

Qilin Ransomware Adapts Linux Encryptors for Windows Attacks

The Qilin ransomware group has been observed leveraging Windows Subsystem for Linux (WSL) to execute Linux-based encryptors directly on Windows systems. This hybrid approach enables evasion of traditional endpoint protections. Trend Micro reported that over 700 victims across 62 countries have been impacted this year, solidifying Qilin’s position among the most active ransomware operators globally.
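The WSL technique above is a good candidate for a simple process-creation rule. The following is an added illustration, not code from the recap or from Trend Micro's report: it runs a small detector over constructed Sysmon-style process events (the field names, the set of "expected" parent processes and the staging-path patterns are all assumptions for the example) and flags WSL launchers that appear with an unusual parent, SYSTEM privileges, or an encryptor-like Linux command line.

```python
"""Flag Linux encryptors launched through WSL on a Windows host.

Added example (not from the recap or any vendor report). The events below
are constructed to resemble Sysmon Event ID 1 records; the baseline of
expected parents and the path/argument patterns are assumptions that a
real deployment would tune to its own environment.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str          # full path of the created process
    command_line: str   # its command line
    parent_image: str   # full path of the parent process
    user: str           # account the process runs as


# Windows-side binaries that hand execution to a WSL distribution
WSL_LAUNCHERS = {"wsl.exe", "bash.exe", "wslhost.exe"}

# Parents from which interactive developer use of WSL is expected (assumed baseline)
EXPECTED_PARENTS = {"explorer.exe", "windowsterminal.exe", "cmd.exe",
                    "powershell.exe", "code.exe"}

# Linux-side paths where a dropped ELF would plausibly be staged
STAGING = re.compile(r"/(tmp|dev/shm|mnt/[a-z]/(users|programdata|temp)[^ ]*)", re.I)

# Arguments typical of an encryptor being made executable and pointed at a drive
ENCRYPT_HINT = re.compile(r"(--encrypt|--path|-p /mnt/|chmod \+x)", re.I)


def basename(path):
    """Lower-case file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(ev):
    """Return the list of reasons an event looks like WSL-hosted encryption."""
    reasons = []
    if basename(ev.image) not in WSL_LAUNCHERS:
        return reasons  # not a WSL launcher at all; nothing to judge
    parent = basename(ev.parent_image)
    if parent not in EXPECTED_PARENTS:
        reasons.append(f"wsl launched by unexpected parent {parent}")
    if STAGING.search(ev.command_line):
        reasons.append("command references a user-writable staging path")
    if ENCRYPT_HINT.search(ev.command_line):
        reasons.append("command line carries encryptor-like arguments")
    if ev.user.upper().endswith("SYSTEM"):
        reasons.append("wsl running as SYSTEM")
    return reasons


def triage(events):
    """Pair every event that raised at least one reason with its reasons."""
    return [(ev, r) for ev in events if (r := score_event(ev))]


# Constructed sample events: one developer session, one suspicious chain, one IDE launch
SAMPLE = [
    ProcEvent(r"C:\Windows\System32\wsl.exe", "wsl.exe -d Ubuntu",
              r"C:\Program Files\WindowsApps\WindowsTerminal.exe", r"CORP\alice"),
    ProcEvent(r"C:\Windows\System32\wsl.exe",
              'wsl.exe -e bash -c "chmod +x /mnt/c/ProgramData/enc && '
              '/mnt/c/ProgramData/enc --path /mnt/c"',
              r"C:\Windows\PSEXESVC.exe", r"NT AUTHORITY\SYSTEM"),
    ProcEvent(r"C:\Windows\System32\wsl.exe", "wsl.exe --exec ls -la",
              r"C:\Users\bob\AppData\Local\Programs\Microsoft VS Code\Code.exe",
              r"CORP\bob"),
]

if __name__ == "__main__":
    for ev, reasons in triage(SAMPLE):
        print(ev.user, ev.command_line)
        for r in reasons:
            print("  -", r)
```

Each reason is independent, so a rule engine can weight them separately; in practice the parent-process baseline is the signal that survives renaming of the encryptor itself.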

Trending Vulnerabilities (CVEs)

Threat actors continue to exploit newly disclosed vulnerabilities within hours of publication. The following CVEs are currently under active monitoring across the cybersecurity community:

  • CVE-2025-61932 — Motex Lanscope Endpoint Manager
  • CVE-2025-10680 — OpenVPN
  • CVE-2025-55752 / 55754 — Apache Tomcat
  • CVE-2025-52665 — Ubiquiti UniFi Access
  • CVE-2025-12044 / 11621 — HashiCorp Vault
  • CVE-2025-43995 — Dell Storage Manager
  • CVE-2025-10932 — Progress MOVEit Transfer
  • CVE-2025-5842 — Veeder-Root TLS4B System
  • CVE-2025-6325 / 6327 — Elementor Plugin Addons

Organizations are strongly advised to review, prioritize, and patch affected systems immediately to prevent potential exploitation.

Global Cyber Highlights

Canada Warns of Hacktivist Attacks on Critical Infrastructure

Canada’s national cyber agency issued a warning following multiple hacktivist-driven attacks on industrial control systems (ICS). Incidents included tampering with water pressure systems, automatic tank gauge (ATG) sensors at oil facilities, and grain silos, emphasizing the urgent need for improved ICS security controls and segmentation.

Kinsing Exploits Apache ActiveMQ for Cryptojacking

The Kinsing threat actor continues to exploit CVE-2023-46604 in Apache ActiveMQ, deploying XMRig miners and the Sharpire .NET backdoor. The campaign showcases extensive use of post-exploitation frameworks such as CobaltStrike, Meterpreter, and PowerShell Empire, demonstrating the actor’s sophistication in maintaining access.

Flaws in Confidential Computing Systems

Researchers disclosed two vulnerabilities (CVE-2025-59054, CVE-2025-58356) in eight confidential computing platforms, including Oasis Protocol, Phala Network, and Fortanix Salmiac, which could allow data extraction and tampering in encrypted environments. Partial mitigations have been released in cryptsetup v2.8.1.

LinkedIn Phishing Targets Financial Executives

Attackers are using LinkedIn direct messages to distribute phishing links disguised as executive meeting invitations. Victims are redirected to fraudulent Microsoft login pages with bot protection, making detection more difficult. This highlights a growing trend of bypassing traditional email-based phishing filters.

Malicious Visual Studio Code Extensions Identified

Security researchers discovered 12 malicious VS Code extensions designed to exfiltrate sensitive data and maintain persistent remote access. The campaign leveraged Unicode steganography within JavaScript projects to conceal payloads, underlining the risks associated with supply chain attacks in developer ecosystems.

Proton Launches Data Breach Observatory

Proton, a Swiss privacy firm, launched a new Data Breach Observatory, which monitors dark web leaks involving over 306 million records across 794 breaches. Notably, small and medium-sized businesses (SMBs) represented over 70% of these breaches due to limited cybersecurity defenses.

Law Enforcement Actions

  • Russia: Arrested three individuals linked to the Meduza Infostealer operation.
  • U.S.: Extradited a Ukrainian national associated with the Conti ransomware group.

These arrests mark significant steps toward disrupting organized cybercrime operations, although global ransomware ecosystems remain resilient.

Emerging Threats

  • Tangerine Turkey: A cross-platform cryptomining campaign using VBScript and batch scripts to spread via infected USB drives.
  • Hezi Rash: A Kurdish nationalist hacktivist collective responsible for over 350 DDoS attacks targeting global sites between August and October 2025.
  • Lampion Stealer: New phishing campaigns in Brazil leveraging ClickFix-based HTML lures to distribute this long-running banking trojan.

Security Insight: Why Attack Surface Reduction Matters

The week’s events reinforce one key message: attack surface reduction (ASR) is more crucial than ever. In modern networks filled with unused domains, open ports, and orphaned accounts, attackers often exploit what’s already visible rather than discovering new vulnerabilities. Proactive asset management, regular exposure mapping, and smart defensive automation can dramatically cut risk without hindering operational agility.
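The three habits named above (asset management, exposure mapping, pruning orphaned accounts) can be turned into a repeatable check. What follows is an added example, not part of the recap: it runs over a constructed asset and account inventory (the data model, the list of "management" ports and the 90-day staleness window are assumptions) and produces a severity-ranked list of the visible exposures an attacker would find first.

```python
"""Rank attack-surface findings from an asset and account inventory.

Added example (not from the recap). The inventory is constructed inline;
the management-port list, the 90-day staleness threshold and the severity
labels are assumptions a real programme would set from its own policy.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional, Set

# Services that should not be reachable from the internet (assumed policy)
MANAGEMENT_PORTS = {22: "ssh", 445: "smb", 1433: "mssql", 3389: "rdp",
                    5985: "winrm", 5986: "winrm-https", 6379: "redis"}
STALE_DAYS = 90
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Asset:
    name: str
    owner: Optional[str]      # None means nobody has claimed the host
    internet_facing: bool
    open_ports: Set[int]
    last_seen: date           # last time any scanner or agent reported it


@dataclass
class Account:
    username: str
    owner_active: bool        # is the human or team behind it still present?
    last_login: Optional[date]
    privileged: bool


def asset_findings(asset, today):
    """Findings are (subject, severity, description) tuples."""
    findings = []
    if asset.owner is None:
        findings.append((asset.name, "medium", "no owner on record"))
    if asset.internet_facing:
        for port in sorted(asset.open_ports & set(MANAGEMENT_PORTS)):
            findings.append((asset.name, "high",
                             f"{MANAGEMENT_PORTS[port]}/{port} exposed to the internet"))
    if (today - asset.last_seen).days > STALE_DAYS:
        findings.append((asset.name, "low",
                         f"not seen in >{STALE_DAYS} days; verify or decommission"))
    return findings


def account_findings(acct, today):
    """Orphaned or idle accounts; privileged ones are always rated high."""
    findings = []
    sev = "high" if acct.privileged else "medium"
    if not acct.owner_active:
        findings.append((acct.username, sev, "orphaned: owner no longer active"))
    if acct.last_login is None:
        findings.append((acct.username, "low", "never logged in; remove if unneeded"))
    elif (today - acct.last_login).days > STALE_DAYS:
        idle = (today - acct.last_login).days
        findings.append((acct.username, sev, f"no login in {idle} days"))
    return findings


def exposure_report(assets, accounts, today):
    """All findings, most severe first, then by subject name."""
    findings = []
    for a in assets:
        findings.extend(asset_findings(a, today))
    for acct in accounts:
        findings.extend(account_findings(acct, today))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f[1]], f[0]))


# Constructed inventory; TODAY matches the recap's date
TODAY = date(2025, 11, 4)
ASSETS = [
    Asset("web-01", "platform", True, {80, 443}, date(2025, 11, 3)),
    Asset("jump-old", None, True, {22, 443, 3389}, date(2025, 7, 1)),
    Asset("db-02", "data", False, {1433}, date(2025, 11, 2)),
]
ACCOUNTS = [
    Account("alice", True, date(2025, 11, 1), False),
    Account("svc-backup", False, date(2025, 4, 10), True),
    Account("contractor7", True, None, False),
]

if __name__ == "__main__":
    for subject, severity, text in exposure_report(ASSETS, ACCOUNTS, TODAY):
        print(f"[{severity:6}] {subject}: {text}")
```

The ranking deliberately puts an orphaned privileged account and an internet-exposed RDP port on the same tier: both are "already visible" entry points that need no new vulnerability to abuse, which is the point the paragraph above makes.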

Conclusion

The key takeaway from this week is clear: Cyber threats are evolving to appear ordinary — hidden in trusted applications, recruitment platforms, and legitimate tools. Defending against them requires more than antivirus or patching. It demands constant visibility, disciplined response, and forward-thinking defense.

Cybersecurity is not a product or a single solution — it’s a continuous process. Every login, update, and patch plays a part in keeping systems secure.