Daily Security Review
Palo Alto Networks Uncovers 194,000-Domain Smishing Campaign Linked to “Smishing Triad”
A global smishing campaign of unprecedented scale has been uncovered by Palo Alto Networks, revealing the vast operations of a Chinese-speaking threat actor known as the Smishing Triad. Since January 2024, the group has deployed more than 194,000 malicious domains, impersonating legitimate organizations ranging from toll and postal services to banks, cryptocurrency exchanges, and delivery companies. This campaign, active across the U.S., Europe, Asia, and the Middle East, leverages personalized SMS messages designed to trick recipients into divulging sensitive personal or financial information.
Palo Alto Networks’ threat intelligence analysis describes the Smishing Triad as operating under a Phishing-as-a-Service (Ph...
Operation ForumTroll: Chrome Zero-Day Tied to Italian Spyware Developer Memento Labs
A newly uncovered cyber-espionage operation known as Operation ForumTroll has revealed the resurgence of commercial spyware in state-sponsored surveillance campaigns. According to new research from Kaspersky, the campaign exploited a Google Chrome zero-day vulnerability (CVE-2025-2783) and targeted Russian and Belarusian organizations in government, research, and media sectors. The attacks were traced to tools developed by Memento Labs, the Italian surveillance vendor formerly known as the Hacking Team, whose legacy spyware once sparked global controversy for being sold to authoritarian regimes.
The operation began with highly tailored phishing emails disguised as invitations to the “Primakov Readings” — a major...
Coveware Reports Historic Drop in Ransomware Payments: Only 23% of Victims Paid in Q3 2025
The global ransomware economy is collapsing under growing resistance from its targets. According to new data from cybersecurity firm Coveware, the third quarter of 2025 saw ransomware payments drop to a historic low, with just 23% of victims paying attackers—a continuation of a six-year downward trend. Even when ransoms were paid, the average payment plunged by 66%, marking one of the most dramatic contractions in cyber extortion profitability to date.
This shift is not coincidental. Companies have learned that paying the ransom rarely prevents data leaks, and law enforcement guidance increasingly supports a strict no-payment stance. Privacy attorneys are al...
Firefox Add-Ons Must Declare Data Collection—or Be Rejected
Mozilla is taking a decisive step toward transparency and user control by requiring all Firefox extensions to disclose how they collect and handle personal data. The new mandate introduces a dedicated key—browser_specific_settings.gecko.data_collection_permissions—that every extension must include in its manifest file. Whether or not an extension collects data, developers must explicitly declare their practices, ensuring there is no room for ambiguity.
This policy introduces what many are calling a “privacy nutrition label” for browser add-ons, allowing users to see data collection details before installation. The information will be prominently displayed both on...
Chainguard’s $3.5 Billion Valuation Signals Massive Investor Confidence in Secure-by-Default Software
Chainguard, the Kirkland, Washington-based cybersecurity company, has announced a landmark $280 million growth funding round led by General Catalyst’s Customer Value Fund (CVF), pushing its total capital raised to nearly $900 million and valuing the firm at $3.5 billion. This new round marks a pivotal phase for Chainguard as it shifts from product-focused development to large-scale go-to-market execution, all while maintaining an ironclad focus on product innovation and security.
Founded on the mission to secure the open source software supply chain, Chainguard provides over 1,700 secure-by-default container images, curated language libraries, and purpose-built VM images designed to eliminate known vulnerabilities be...
$1 Million WhatsApp Exploit Withdrawn—Researcher Silent, Meta Calls It “Low-Risk”
The Pwn2Own Ireland 2025 hacking competition was set to feature one of its most anticipated moments — a $1 million zero-click remote code execution exploit against WhatsApp — but the demonstration never happened. Scheduled to be showcased by researcher Eugene of Team Z3, the exploit’s abrupt withdrawal stunned attendees and quickly became the most controversial event of the competition. Organized by Trend Micro’s Zero Day Initiative (ZDI), Pwn2Own had validated the exploit’s entry, fueling expectations that WhatsApp would face a serious zero-day challenge in front of a live audience. Yet when the researcher pulled out hours before the demo, offi...
OpenAI Atlas Omnibox Jailbreak Exposes New AI Security Flaw
A serious vulnerability has been discovered in the OpenAI Atlas omnibox, a hybrid interface designed to handle both URLs and user prompts. Researchers at NeuralTrust revealed that attackers can disguise malicious instructions as URLs to jailbreak the omnibox, taking advantage of how Atlas interprets malformed input. Unlike traditional browsers, Atlas sometimes misclassifies malformed URLs as trusted instructions after a failed inspection, leading the system to execute the embedded commands with elevated trust and fewer safety checks. This parsing flaw allows attackers to effectively hijack the agent’s behavior, transforming a simple navigation request into an opportunity for exploitation.
...
Microsoft Rushes Emergency Fix for WSUS Remote Code Execution Flaw (CVE-2025-59287)
A critical remote code execution (RCE) flaw, tracked as CVE-2025-59287, has put thousands of enterprise networks at risk by exposing the Windows Server Update Service (WSUS) to active exploitation. The vulnerability, rooted in unsafe object deserialization, allows unauthenticated remote attackers to execute arbitrary code with System-level privileges — effectively granting full administrative control over targeted Windows servers. Because WSUS manages how updates are distributed across enterprise networks, a compromised instance can give attackers the ability to manipulate software updates, deploy malware, or hijack patch pipelines at scale.
Following the discovery of in-the-wild attacks, Microsoft released out-of-band security up...
Perplexity Comet AI Browser Launch Exploited in Coordinated Impersonation Scam
The launch of Perplexity’s Comet AI browser — a major step forward in AI-assisted browsing — was almost immediately hijacked by cybercriminals. Within weeks of its July debut, threat intelligence firm BforeAI uncovered a coordinated impersonation campaign designed to exploit public interest in the new product. The campaign involved a web of fraudulent domains, fake mobile apps, and malicious advertisements, all working together to trick users into downloading counterfeit versions of Comet.
Attackers registered more than 40 fake domains using typosquatting and brand impersonation, targeting search terms like “Comet,” “AI,” “browser,” and “Perplexity.” These sites often mimicked the official download pages to capt...
Lazarus Group Targets European UAV Firms in North Korea’s Drone Espionage Push
A new wave of cyber-espionage attacks reveals North Korea’s deepening effort to steal critical defense technologies from Europe. In a sophisticated campaign dubbed Operation Dream Job, the Lazarus Group — also known as Diamond Sleet and Hidden Cobra — has launched targeted attacks on European defense contractors and UAV (unmanned aerial vehicle) developers. Beginning in March 2025, the hackers posed as recruiters offering lucrative positions to engineers and software developers, luring victims into opening trojanized PDF files. Once opened, these files secretly deployed the ScoringMathTea remote access trojan, giving the attackers full system control and long-term persistence.
Forensic evidence reveal...
Toys “R” Us Canada Confirms Customer Data Breach After Dark Web Leak
Toys “R” Us Canada has confirmed a customer data breach after records from its database appeared on the dark web on July 30, 2025, prompting a full-scale cybersecurity investigation and disclosure to privacy regulators. The company’s internal review, conducted in partnership with third-party experts, verified that an unauthorized party accessed and copied portions of the customer database, exfiltrating personal information including names, mailing addresses, email addresses, and phone numbers.
Crucially, the company stated that no financial or highly sensitive data—such as account passwords or credit card details—was compromised. The incident began when security researchers discovered a threat act...
Kyocera’s Motex Lanscope Hit by Active Attacks: Critical 9.8 Exploit Enables Remote Code Execution
A dangerous zero-day vulnerability in Kyocera Communications subsidiary Motex’s Lanscope Endpoint Manager has triggered a global cybersecurity alert after being actively exploited in real-world attacks. Tracked as CVE-2025-61932, this flaw carries a CVSS severity score of 9.8, allowing remote, unauthenticated attackers to execute arbitrary code simply by sending specially crafted packets to a vulnerable system. In effect, it grants full control over enterprise endpoints, turning a trusted management tool into a weapon against its own network.
The flaw, caused by improper verification of communication sources, has already been exploited in attacks primarily targeting organizations in Asia — espe...
BIND 9 Emergency Patches: ISC Fixes High-Severity Cache Poisoning and DoS Flaws
The Internet Systems Consortium (ISC) has released a series of critical BIND 9 updates to fix multiple high-severity vulnerabilities affecting DNS resolver systems worldwide. The flaws—tracked as CVE-2025-40780, CVE-2025-40778, and CVE-2025-8677—pose serious threats ranging from cache poisoning to denial-of-service (DoS) attacks. These vulnerabilities collectively endanger one of the internet’s most foundational components: the Domain Name System (DNS).
The two most severe issues, both scoring 8.6 on the CVSS scale, expose BIND resolvers to cache poisoning. One of them, CVE-2025-40780, originates from a weakness in the Pseudo Random Number Generator (PRNG) used for DNS qu...
Adobe Confirms Active Exploitation of SessionReaper Vulnerability in Commerce Platforms
A critical new vulnerability is wreaking havoc across the global e-commerce ecosystem. Tracked as CVE-2025-54236 and dubbed SessionReaper, this flaw affects Adobe Commerce and Magento Open Source platforms, allowing attackers to bypass security features and seize control of customer accounts through the Commerce REST API. Despite Adobe releasing emergency hotfixes on September 9, an alarming 62% of Magento sites remain unpatched, leaving tens of thousands of online stores exposed to active exploitation.
Security firm Sansec first observed a spike in real-world attacks involving PHP webshell payloads and phpinfo probes used for reconnaissance and persistence. The attacks began almost...
AI Sidebar Spoofing: How Malicious Extensions Hijack ChatGPT and Perplexity Interfaces
Cybersecurity firm SquareX has unveiled a new and alarming threat to users of AI-enabled browsers — a technique called AI Sidebar Spoofing. This sophisticated attack uses malicious browser extensions to create visually identical replicas of legitimate AI sidebars, tricking users into believing they are interacting with trusted AI assistants like ChatGPT Atlas, Perplexity’s Comet, or integrated browser agents such as Copilot in Edge and Gemini in Chrome. Once installed, these extensions inject JavaScript that seamlessly imitates the real AI interface, intercepting and altering prompts and responses.
The result? A user unknowingly follows manipulated AI instructions that can lead...
Jewett-Cameron Reports Ransomware Breach Involving Encryption and Data Theft
Oregon-based Jewett-Cameron Company, a manufacturer of fencing, kennels, and specialty wood products, has confirmed that it was the victim of a double-extortion ransomware attack on October 15, 2025, in an incident that disrupted operations and exposed sensitive corporate data. The attackers infiltrated the company’s IT network, deploying encryption and monitoring software, which temporarily halted key business functions and prevented access to core systems.
According to an internal memorandum from company leadership, the attackers not only encrypted systems but also stole sensitive data, including financial information intended for an upcoming SEC filing and even images captured from internal video me...
Star Blizzard’s Malware Makeover: From LostKeys to MaybeRobot
The Russian state-sponsored hacking group Star Blizzard — also tracked as ColdRiver, Seaborgium, and UNC4057 — has undergone a major transformation in its operations following public exposure earlier this year. After researchers at Google detailed its LostKeys malware and PowerShell-based infection chain in June 2025, the group swiftly abandoned those tools, pivoting to a completely rebuilt attack framework that emphasizes simplicity, flexibility, and stealth.
Between May and September 2025, Star Blizzard replaced its previous malware suite with a streamlined infection chain built around three new components: NoRobot, YesRobot, and MaybeRobot. This tactical shift underscores the group’s ability to adapt rapidly under...
Keycard Emerges from Stealth with $38M to Secure the Identity of AI Agents
San Francisco-based Keycard has officially emerged from stealth mode, announcing $38 million in funding across seed and Series A rounds to build what may become one of the most critical infrastructure layers of the AI era — identity and access management (IAM) for AI agents. Founded in 2025 by former senior executives from Snyk and Okta, Keycard is taking on the monumental task of securing how autonomous AI systems authenticate, access data, and execute tasks across production environments.
The company’s founding thesis is clear: as enterprises move beyond AI experimentation and begin deploying autonomous agents into real-world applications, they face...
Critical TP-Link Omada Vulnerabilities Expose Networks to Remote Takeover
Security researchers are urging immediate action after TP-Link disclosed multiple critical vulnerabilities in its Omada gateway line, affecting a wide range of ER, G, and FR series devices. The flaws—now patched by TP-Link—expose organizations to remote code execution, privilege escalation, and full network compromise, making them among the most severe threats to network infrastructure this year.
The most dangerous vulnerability, CVE-2025-6542, carries a CVSS score of 9.3 and allows remote, unauthenticated attackers to execute arbitrary operating system commands. In simple terms, it gives hackers the ability to take full control of affected gateways without needing any...
TARmageddon: The Rust Library Flaw Exposing Supply Chains to Remote Code Execution
A critical new vulnerability known as TARmageddon (CVE-2025-62518) has sent shockwaves through the Rust developer community and the broader cybersecurity world. This high-severity desynchronization flaw, discovered in the Async-tar and Tokio-tar libraries, exposes millions of downstream applications to the risk of remote code execution and supply chain compromise. The flaw arises when these TAR parsers process nested archives with mismatched PAX and ustar headers, allowing attackers to smuggle unauthorized file entries that can overwrite critical files on a target system.
The discovery was made by Edera, a security research firm, which issued an urgent advisory after...
Vidar 2.0: The C-Rewritten Stealer Poised to Dominate the Cybercrime Market
A new evolution in information-stealing malware has arrived — and it’s already drawing serious attention from researchers and defenders alike. The release of Vidar 2.0 represents a complete transformation of the long-running Vidar infostealer, which has been rewritten entirely in C and equipped with multi-threading and advanced anti-analysis mechanisms. This overhaul not only boosts performance but makes detection exponentially more difficult, setting the stage for a potential new era in cybercrime operations.
Security researchers warn that infections from Vidar 2.0 are expected to surge through Q4 2025, as this reengineered variant fills the vacuum left by the decline of Lumma Stea...
Dataminr Acquires ThreatConnect for $290M to Create the Next Generation of Tailored Threat Intelligence
Dataminr, the AI powerhouse known for its real-time risk and event detection platform, has announced plans to acquire ThreatConnect, a cybersecurity firm specializing in threat intelligence aggregation and response, for $290 million in cash and equity. This strategic move marks a major milestone in the ongoing consolidation of the threat intelligence sector and signals a bold shift toward the next generation of Client-Tailored intelligence—highly contextualized, AI-driven insights designed to bridge the gap between awareness and action.
With over $1 billion in total investment, Dataminr has long been recognized for its ability to process vast amounts of public data—rang...
Veeam Acquires Securiti AI for $1.725 Billion to Unite Data Resilience, Security, and AI
In one of the largest cybersecurity acquisitions of 2025, Veeam Software has announced plans to acquire Securiti AI for $1.725 billion in cash and stock, signaling a fundamental shift in how enterprises will secure, manage, and govern their data in the age of artificial intelligence. The deal, expected to close in the fourth quarter, will bring together two industry powerhouses: Veeam, the global leader in data resilience and recovery, and Securiti AI, a pioneer in data security posture management (DSPM) and governance.
Veeam’s move is not just a product expansion—it’s a bold repositioning. The company is evolvi...
Defakto Raises $30.75 Million to Redefine Machine Identity Security
California-based cybersecurity firm Defakto has raised $30.75 million in Series B funding, led by XYZ Venture Capital, bringing its total investment to roughly $50 million. The new capital will power the company’s rapid expansion in product development and global market reach for its identity and access management (IAM) platform—one specifically designed to secure non-human identities like AI agents, services, and workloads.
In a world where automated systems now outnumber human users, enterprises are facing an identity crisis. Traditional IAM tools—built for people, not machines—have left a dangerous gap filled with static credentials and overprivileged service accounts...
Dr. Allan Friedman Joins NetRise: The Father of SBOMs Goes Private to Fuse AI and Supply Chain Security
In a landmark move for the cybersecurity industry, Dr. Allan Friedman — often called the Father of SBOMs — has joined supply chain security firm NetRise as a strategic advisor. Friedman’s transition from his influential role at CISA marks a pivotal moment where public policy meets private innovation. His mission: to push the Software Bill of Materials (SBOM) initiative beyond regulatory mandates and into AI-powered operational reality.
At CISA, Friedman spearheaded the global conversation around SBOMs — the machine-readable inventories that give organizations visibility into what’s inside their software. Now, by joining forces with NetRise, a leader in AI-driven...
Pwn2Own Automotive 2026: $3 Million Bounty Targets Tesla and EV Infrastructure Flaws
The upcoming Pwn2Own Automotive 2026 hacking contest, hosted by Trend Micro’s Zero Day Initiative (ZDI), is set to redefine the economics of automotive cybersecurity. With a record-breaking $3 million prize pool, the event provides a transparent, market-driven valuation of the most dangerous vulnerabilities facing the connected vehicle ecosystem. Through six major competition categories — including Tesla, in-vehicle infotainment (IVI), EV chargers, and automotive operating systems — researchers will compete to expose critical flaws in systems that control modern transportation.
The centerpiece of this year’s contest is once again Tesla, where the stakes are highest. Exploits that achieve remote control...
China Claims NSA Breached National Time Network, Threatening Finance and Defense Stability
China’s Ministry of State Security (MSS) has publicly accused the U.S. National Security Agency (NSA) of conducting a multi-year cyber espionage campaign targeting its National Time Service Center, a critical component of China’s national infrastructure responsible for maintaining and distributing standard time. According to China, the attacks — allegedly conducted between 2022 and 2024 — involved the use of “special cyberattack weapons” and targeted both personnel and internal network systems to steal sensitive data.
The MSS asserts that the NSA’s operations threatened the stability of key national sectors including finance, power, defense, and transportation, all of which depend on sync...
Cl0p Ransomware Targets Oracle E-Business Suite in Global Data Extortion Spree
A new wave of Cl0p ransomware attacks has struck organizations worldwide by exploiting vulnerabilities in Oracle’s E-Business Suite (EBS) — a mission-critical enterprise management platform used by corporations and universities across the globe. The ongoing campaign, attributed to FIN11, highlights the group’s shift toward exploiting high-value business systems for maximum leverage in data extortion schemes. Victims range from Envoy Air, a subsidiary of American Airlines, to prestigious academic institutions like Harvard University and the University of the Witwatersrand in South Africa.
The threat actors reportedly stole and leaked over 26GB of corporate data, claiming it origin...
WhatsApp Wins Landmark Case Against NSO Group Over Spyware Attacks
After six years of intense litigation, WhatsApp has secured a decisive legal victory against the NSO Group, the controversial spyware maker accused of exploiting a zero-day vulnerability to infect more than 1,400 users with surveillance malware. On October 17, 2025, a U.S. District Court issued a permanent injunction that bars NSO from targeting WhatsApp users, reverse engineering the app, or creating new accounts. The ruling marks a historic moment in the battle between secure communication platforms and the spyware industry, effectively cutting NSO off from one of the world’s largest messaging ecosystems.
The court’s decision, led by Judg...
Google Project Zero Exposes Dolby Decoder Flaw Enabling Zero-Click Android Exploits
A newly discovered vulnerability in Dolby’s Unified Decoder has sent shockwaves through the cybersecurity world. Tracked as CVE-2025-54957, the flaw — uncovered by Google Project Zero — is a critical out-of-bounds write vulnerability that allows remote code execution (RCE) when a specially crafted audio file is decoded. The issue stems from an integer overflow in the decoder’s buffer length calculation, leading to memory corruption that can be exploited by attackers.
What makes this flaw particularly dangerous is its potential for zero-click exploitation on Android. Because Android automatically decodes incoming audio messages using Dolby’s Unified Decoder, attackers...
AISLE Launches AI Cyber Reasoning System to Shrink Patch Times from Weeks to Minutes
AISLE has entered the cybersecurity arena with an AI-native Cyber Reasoning System (CRS) built to do what most tools don’t: fix vulnerabilities—fast. While attackers increasingly use AI to weaponize new flaws in roughly five days, most organizations still average ~45 days to remediate critical issues. AISLE’s answer is an autonomous remediation pipeline that identifies, prioritizes, generates patches, and verifies the results against a continuously updated software-stack twin, collapsing MTTR from weeks to minutes.
At the heart of AISLE’s approach is a closed-loop workflow tuned for both known and zero-day vulnerabilities. The CRS continuously analyzes first-pa...
Microsoft Blunts “Vanilla Tempest”: 200 Malicious Certificates Revoked
In early October 2025, Microsoft executed a targeted disruption against Vanilla Tempest—the threat actor also tracked as Vice Society—after uncovering a streamlined, high-impact campaign that deployed Rhysida ransomware through a cleverly staged infection chain. The operation leaned on SEO poisoning to funnel victims searching for “Microsoft Teams” installers to attacker-controlled domains (e.g., teams-download[.]buzz, teams-install[.]run). Once downloaded and launched, the fake Teams setup quietly pulled down a digitally signed copy of the Oyster backdoor, a foothold Vanilla Tempest has leveraged since at least mid-2023. With Oyster running, the actors had the persistent access needed to drop their en...
The “Shotgun” Botnet: How RondoDox Hijacks Routers, Cameras, and Servers Worldwide
A new and fast-growing botnet dubbed RondoDox is shaking up the global cybersecurity landscape with its “shotgun” exploitation strategy, targeting over 50 known and unknown vulnerabilities across a vast array of internet-connected devices. First detected in mid-2025, the botnet has expanded rapidly, infecting routers, servers, cameras, and DVRs from more than 30 different vendors.
Researchers at Trend Micro and CloudSek describe RondoDox as a loader-as-a-service operation, distributed alongside notorious malware like Mirai and Morte. Once inside, compromised devices are hijacked for cryptocurrency mining, DDoS attacks, and as footholds for enterprise intrusions. The botnet’s operators rotate their command-and-control infrastructure and di...
“Inflation Refund” Scam: How Fraudsters Are Stealing Identities Through Texts
A widespread smishing campaign is sweeping across New York, luring residents with fraudulent text messages about an “Inflation Refund” from the Department of Taxation and Finance. These deceptive messages claim that recipients are eligible for a refund and must click a link to “process” it — a ploy designed to harvest personal and financial information. Once clicked, the link leads victims to a phishing page that mimics an official New York government site, requesting details such as names, addresses, Social Security Numbers, and banking information.
The scam’s success hinges on confusion surrounding the legitimate New York Inflation Refund progr...
Juniper Networks Patches 220 Vulnerabilities in Massive October Security Update
In one of the year’s most extensive patch cycles, Juniper Networks has released its October 2025 security advisories, addressing a staggering 220 vulnerabilities across its product suite — including Junos OS, Junos Space, Junos Space Security Director, and Junos OS Evolved. Of these, nine critical flaws in Junos Space and Security Director stood out, most notably a Cross-Site Scripting (XSS) vulnerability (CVE-2025-59978) that could allow attackers to execute arbitrary commands with administrative privileges.
The advisory highlights how more than 200 defects concentrated in Junos Space and Security Director expose the management plane, posing serious risk to network control systems. Succ...
Linked Exploitation Campaigns Target Cisco, Fortinet, and Palo Alto Networks Devices
Cyber intelligence firm GreyNoise has uncovered what appears to be a coordinated exploitation effort targeting network edge appliances from three major security vendors: Cisco, Fortinet, and Palo Alto Networks. After analyzing overlapping IP subnets, identical TCP fingerprints, and synchronized attack patterns, GreyNoise assessed with high confidence that these separate waves of scanning and brute-force attacks are linked to the same threat actor or group.
The report connects this activity to three ongoing campaigns:
Cisco ASA and FTD Exploitation: Early September scans occurred weeks before Cisco disclosed two zero-day flaws later tied to the ArcaneDoor espionage campaign...
Salesforce Refuses Ransom as Scattered LAPSUS$ Hunters Leak Millions of Records
A new wave of cyber extortion has rocked the enterprise world as the Scattered LAPSUS$ Hunters—a coalition formed from the notorious Lapsus$, Scattered Spider, and ShinyHunters groups—attempted to ransom Salesforce, claiming to have stolen data from 39 of its customers. When Salesforce refused to negotiate, the hackers retaliated by publishing the records of six companies, including Fujifilm, Albertsons, GAP, Qantas, and Vietnam Airlines.
The fallout has been severe. Vietnam Airlines saw 7.3 million customer accounts exposed, revealing names, emails, phone numbers, and loyalty details, while Qantas confirmed it was investigating an incident affecting millions of flyers. In cont...
Oneleet Secures $33M Series A to Revolutionize Integrated Cybersecurity
Amsterdam-based cybersecurity startup Oneleet has raised $33 million in Series A funding, bringing its total capital to $35 million and positioning itself as one of Europe’s most ambitious new players in the security technology space. Founded in 2022, Oneleet is tackling one of cybersecurity’s biggest pain points: tool fragmentation. Its integrated platform aims to replace the clutter of multiple third-party vendors with a single, streamlined solution that provides attack surface management, code scanning, cloud posture monitoring, penetration testing, and compliance automation — all built and managed in-house.
The round, led by Dawn Capital with participation from Y Combinator and other...
ParkMobile Data Breach Ends in $32.8M Settlement — and a $1 Payout
The final chapter in the ParkMobile data breach saga has arrived—nearly four years after the 2021 cyberattack that compromised the personal information of 22 million users. The class-action lawsuit over the breach has concluded with a $32.8 million settlement, but for most victims, the payout is almost symbolic: a $1.00 credit, split into four $0.25 discounts on service fees, redeemable only through the ParkMobile app before October 2026.
The breach, one of the largest consumer data exposures of 2021, leaked names, email addresses, mobile numbers, license plate details, and bcrypt-hashed passwords. Threat actors posted the full 4.5 GB dataset online, allowing widespread access to us...
Discord Confirms Data Breach Linked to Third-Party Support Vendor
Discord has confirmed a significant data breach affecting users who interacted with its customer support teams, after hackers compromised a third-party service provider on September 20. The attack exposed a range of personally identifiable information (PII), including names, email addresses, messages, and, for a small number of users, photos of government-issued IDs such as passports and driver’s licenses. Partial billing details and payment histories were also affected.
According to the post-mortem, the threat actors—believed to be the Scattered Lapsus$ Hunters (SLH) group—claimed responsibility and demanded a ransom from Discord in exchange for not leaking the stolen...