Author: AresISEC Security Team

Security Highlights Of The Day [05/11/25]

Preparing for Threats to Come: Cybersecurity Forecast 2026
Google Cloud released its Cybersecurity Forecast 2026 report, providing insight into key security challenges expected in the coming year. The report highlights a major shift as adversaries fully embrace AI to accelerate and scale their operations. Another focus area is the rise of prompt injection attacks — manipulations of AI models to execute hidden malicious commands. The forecasts are based on real-world data and frontline intelligence from Google Cloud experts, analysts, and researchers.
Source: Google Cloud

U.S. Prosecutors Indict Cybersecurity Insiders Accused of BlackCat Ransomware Attacks
Federal prosecutors have charged three U.S. nationals — Ryan Clifford Goldberg, Kevin Tyler Martin, and an unnamed co-conspirator — for deploying BlackCat ransomware against five U.S. companies between May and November 2023. The defendants, who worked as incident response and ransomware negotiators, allegedly abused their positions to conduct extortion attacks targeting companies in healthcare, pharmaceuticals, and engineering. They are accused of stealing and encrypting data, demanding cryptocurrency ransoms, and publishing stolen information online.
Source: TheHackerNews

Hackers Exploit Critical Auth Bypass Flaw in JobMonster WordPress Theme
Threat actors are actively exploiting CVE-2025-5397, a critical authentication bypass flaw in the JobMonster WordPress theme, to hijack administrator accounts. The flaw, with a CVSS score of 9.8, stems from improper identity verification in the check_login() function. Wordfence detected multiple exploit attempts across client websites. JobMonster, a popular job board theme used by recruitment platforms, remains vulnerable in all versions up to 4.8.1.
Source: BleepingComputer

Fake Solidity VSCode Extension on Open VSX Backdoors Developers
A fake Solidity VSCode extension named “juan-bianco.solidity-vlang” uploaded to the Open VSX registry has been found distributing a remote access trojan dubbed SleepyDuck. Initially harmless, the extension gained malicious capabilities after an update and has since been downloaded more than 53,000 times. The malware uses an Ethereum smart contract as a covert command channel, allowing attackers to control infected developer systems.
Source: BleepingComputer

Apple Patches 19 WebKit Vulnerabilities
Apple released iOS 26.1 and macOS updates addressing over 100 security flaws, including 19 affecting the WebKit engine. Successful exploitation could allow attackers to steal cross-origin data, cause crashes, or monitor user keystrokes. Notably, many of these vulnerabilities were identified by Google’s “Big Sleep” AI agent, which autonomously finds exploitable bugs before threat actors can weaponize them.
Source: SecurityWeek

Security Highlights Of The Day [04/11/25]

North Korean Hackers Caught on Video Using AI Filters in Fake Job Interviews
North Korean state-sponsored hackers from the Famous Chollima APT group are using real-time AI deepfakes to impersonate software engineers during job interviews with cryptocurrency and Web3 companies. They steal legitimate identities and resumes, using AI-powered facial filters to disguise their faces and secure employment under false pretenses. The campaign aims to infiltrate Western firms for espionage and financial gain, with multiple infiltration attempts observed by Quetzal Team analysts targeting senior software engineering roles.
Source: HackRead

The Week in Vulnerabilities: Cyble Urges Apache, Microsoft Fixes
Cyble researchers tracked 1,128 vulnerabilities over the past week, 138 of which already have public Proof-of-Concept exploits, increasing the risk of real-world attacks. Sixty-seven flaws were rated critical under CVSS v3.1 and 22 under CVSS v4.0. Among them, CVE-2025-55754 affects Apache Tomcat and could allow indirect administrative command execution via console manipulation, posing a serious risk to system integrity if administrators are deceived into executing malicious commands.
Source: Cyble

Remote Access, Real Cargo: Cybercriminals Targeting Trucking and Logistics
Proofpoint identified a cybercriminal campaign targeting logistics and trucking companies using remote monitoring and management (RMM) tools to hijack cargo shipments. Attackers collaborate with organized crime to gain network access and bid on legitimate freight jobs, then steal the physical goods. The stolen items, ranging from electronics to beverages, are sold online or shipped overseas, causing millions in damages and major disruptions to supply chains.
Source: Proofpoint

Operation SkyCloak: Tor Campaign Targets Military of Russia & Belarus
SEQRITE Labs uncovered a Tor-based campaign targeting the military of Russia and Belarus, including the Russian Airborne Forces and Belarusian Special Forces. The infection chain exposes local services via Tor using obfs4 bridges for anonymous communication. Attackers used multi-stage PowerShell scripts, military-themed decoys, and hidden SSH services to maintain persistence. Similar regional campaigns, such as HollowQuill and CargoTalon, were also observed throughout 2025, focusing on aerospace and defense sectors.
Source: Seqrite

Leak Site Ransomware Victims Spike 13% in a Year
European ransomware victims increased by 13% between September 2024 and August 2025, with the UK being the most affected, according to CrowdStrike’s European Threat Landscape Report. The total number of leaked victims reached 1,380, with Germany, Italy, France, and Spain following closely behind. The most targeted sectors include manufacturing, technology, and professional services, reflecting a sustained trend of financially motivated attacks across Europe.
Source: Infosecurity Magazine

Security Highlights Of The Day [03/11/25]

Recruitment Red Flags: Can You Spot a Spy Posing as a Job Seeker?
Back in July 2024, cybersecurity vendor KnowBe4 began to observe suspicious activity linked to a new hire. The individual began manipulating and transferring potentially harmful files and tried to execute unauthorized software. He was subsequently found to be a North Korean worker who had tricked the firm’s HR team into giving him remote employment. The incident underscores that no organization is immune from the risk of inadvertently hiring a saboteur. Identity-based threats aren’t limited to stolen passwords or account takeovers, but extend to the very people joining your workforce. As AI gets better at faking reality, it’s time to improve your hiring processes.
Source: WeLiveSecurity

When AI Agents Go Rogue: Agent Session Smuggling Attack in A2A Systems
Researchers discovered a new attack technique, named agent session smuggling, allowing a malicious AI agent to exploit an established cross-agent communication session to send covert instructions to a victim agent. The attack abuses the Agent2Agent (A2A) protocol’s stateful behavior to inject hidden commands within normal communications. Unlike one-time data poisoning, this attack leverages ongoing interaction to build trust and manipulate victim agents over multiple exchanges, representing a growing threat in AI ecosystems.
Source: Unit42

Cloud Abuse at Scale
Identity compromise remains one of the most pressing threats to cloud infrastructure today. When attackers gain access to valid credentials, they can bypass security controls and abuse cloud services such as AWS Simple Email Service (SES) for large-scale spam or phishing operations. Fortinet researchers observed a campaign leveraging stolen AWS keys to conduct email operations using an infrastructure dubbed TruffleNet, built around the TruffleHog tool to systematically test and exploit compromised credentials.
Source: Fortinet

Weaponized Military Documents Deliver Advanced SSH-Tor Backdoor to Defense Sector
Cyble researchers identified a malware campaign distributing weaponized ZIP archives disguised as Belarusian military documents targeting drone operation units. The multi-stage infection uses anti-sandboxing and obfuscated PowerShell execution to deploy a backdoor combining OpenSSH for Windows with a Tor hidden service. The backdoor leverages obfs4 obfuscation and advanced evasion to maintain stealth and persistence within defense networks.
Source: Cyble

Hacktivist Attacks on Critical Infrastructure Surge: Cyble Report
Hacktivist activity targeting critical infrastructure increased significantly in Q3 2025, accounting for 25% of all hacktivist incidents by September. While DDoS and website defacements remain common, groups are increasingly targeting industrial control systems (ICS), data breaches, and ransomware operations. Notable threat actors include Z-Pentest, Dark Engine, Golden Falcon Team, and Sector 16, indicating a broad ideological and geopolitical expansion of hacktivist campaigns.
Source: Cyble

Security Highlights Of The Day [31/10/25]

LinkedIn Phishing Targets Finance Execs With Fake Board Invites
Hackers are abusing LinkedIn to target finance executives with direct-message phishing attacks that impersonate executive board invitations, aiming to steal their Microsoft credentials. The campaign was spotted by Push Security, which says it recently blocked one of these phishing attacks that began with a LinkedIn message containing a malicious link. BleepingComputer has learned that these phishing messages claim to be invitations for executives to join the executive board of a newly created “Common Wealth” investment fund.
Source: BleepingComputer

Malicious NPM Packages Fetch Infostealer for Windows, Linux, MacOS
Ten malicious packages mimicking legitimate software projects in the npm registry download an information-stealing component that collects sensitive data from Windows, Linux, and macOS systems. The packages were uploaded to npm on July 4 and remained undetected for a long period due to multiple layers of obfuscation that helped escape standard static analysis mechanisms. According to researchers at cybersecurity company Socket, the ten packages counted nearly 10,000 downloads and stole credentials from system keyrings, browsers, and authentication services.
Source: BleepingComputer

PhantomRaven Malware Found in 126 npm Packages Stealing GitHub Tokens From Devs
Cybersecurity researchers have uncovered yet another active software supply chain attack campaign targeting the npm registry with over 100 malicious packages that can steal authentication tokens, CI/CD secrets, and GitHub credentials from developers’ machines. The campaign has been codenamed PhantomRaven by Koi Security. The attack stands out for hiding malicious code in dependencies by pointing to a custom HTTP URL that fetches packages from an untrusted site, causing npm to download from a malicious source each time a package is installed.
Source: TheHackerNews
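
A defensive check for the pattern described above, where a dependency is declared as an HTTP URL and npm fetches it from a site outside the registry. This is an added example, not code from Koi Security or from the original report. It assumes that registry.npmjs.org is the only trusted host, and the package names and the .invalid host in the sample data are constructed.

```python
"""Flag npm dependencies that are fetched from a URL instead of the registry."""
import json
from urllib.parse import urlparse

# Assumption: the only host this organisation expects npm packages to come from.
TRUSTED_HOSTS = {"registry.npmjs.org"}
DEP_SECTIONS = ("dependencies", "devDependencies",
                "optionalDependencies", "peerDependencies")


def untrusted_url(spec):
    """Return True if spec is an http(s) URL whose host is not trusted."""
    if not isinstance(spec, str):
        return False
    try:
        parsed = urlparse(spec.strip())
    except ValueError:
        return False
    return (parsed.scheme in ("http", "https")
            and parsed.hostname not in TRUSTED_HOSTS)


def scan_manifest(manifest_text):
    """Check package.json: direct dependencies declared as remote URLs."""
    manifest = json.loads(manifest_text)
    findings = []
    for section in DEP_SECTIONS:
        deps = manifest.get(section)
        if not isinstance(deps, dict):
            continue
        for name, spec in sorted(deps.items()):
            if untrusted_url(spec):
                findings.append((section, name, spec))
    return findings


def scan_lockfile(lock_text):
    """Check package-lock.json (lockfileVersion 2/3): where each installed
    package, including transitive ones, was actually resolved from."""
    lock = json.loads(lock_text)
    findings = []
    for path, entry in sorted(lock.get("packages", {}).items()):
        resolved = entry.get("resolved") if isinstance(entry, dict) else None
        if untrusted_url(resolved):
            findings.append((path, resolved))
    return findings


# Constructed sample input; package names and the .invalid host are made up.
SAMPLE_MANIFEST = json.dumps({
    "name": "demo-app",
    "version": "1.0.0",
    "dependencies": {
        "express": "^4.19.2",
        "ui-styles-pkg": "http://packages.example.invalid/npm/ui-styles-pkg",
    },
    "devDependencies": {
        "eslint": "npm:eslint@9.0.0",      # alias spec, not a URL
        "local-tool": "file:../local-tool",  # local path, not a URL
    },
})
SAMPLE_LOCKFILE = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/express": {
            "resolved": "https://registry.npmjs.org/express/-/express-4.19.2.tgz"},
        "node_modules/ui-styles-pkg": {
            "resolved": "http://packages.example.invalid/npm/ui-styles-pkg"},
        "node_modules/ui-styles-pkg/node_modules/helper": {
            "resolved": "https://packages.example.invalid/npm/helper.tgz"},
    },
})

if __name__ == "__main__":
    for finding in scan_manifest(SAMPLE_MANIFEST):
        print("package.json:", finding)
    for finding in scan_lockfile(SAMPLE_LOCKFILE):
        print("package-lock.json:", finding)
```

The lockfile pass matters because a URL dependency can sit in a transitive package that never appears in the project's own package.json.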

ThreatsDay Bulletin: DNS Poisoning Flaw, Supply-Chain Heist, Rust Malware Trick and New RATs Rising
Major U.S. energy companies are being impersonated in phishing attacks, with threat actors setting up fake domains masquerading as Chevron, ConocoPhillips, PBF Energy, and Phillips 66. Hunt[.]io said it logged more than 1,465 phishing detections linked to this sector over the past 12 months. Cyber threats are evolving faster than most defenses can adapt, and the line between criminal enterprise and nation-state tactics keeps blurring.
Source: TheHackerNews

Major US Telecom Backbone Firm Hacked by Nation-State Actors
Ribbon Communications, an American company that provides backbone technology for communication networks, has been targeted by hackers. The firm says its systems serve critical infrastructure and telecom providers worldwide. In a recent SEC filing, Ribbon confirmed discovering unauthorized access to its IT network in early September 2025, believed to be conducted by nation-state actors.
Source: SecurityWeek

Security Highlights Of The Day [30/10/25]

Russian Hackers Target Ukrainian Organizations Using Stealthy Living-Off-the-Land Tactics
“Organizations in Ukraine have been targeted by threat actors of Russian origin with an aim to siphon sensitive data and maintain persistent access to compromised networks. The activity, according to a new report from the Symantec and Carbon Black Threat Hunter Team, targeted a large business services organization for two months and a local government entity in the country for a week. The attacks mainly leveraged living-off-the-land (LotL) tactics and dual-use tools, coupled with minimal malware, to reduce digital footprints and stay undetected for extended periods of time. “The attackers gained access to the business services organization by deploying web shells on public-facing servers, most likely by exploiting one or more unpatched vulnerabilities,” the Broadcom-owned cybersecurity teams said in a report shared with The Hacker News.”
Source: TheHackerNews

10 npm Packages Caught Stealing Developer Credentials on Windows, macOS, and Linux
“Cybersecurity researchers have discovered a set of 10 malicious npm packages that are designed to deliver an information stealer targeting Windows, Linux, and macOS systems. “The malware uses four layers of obfuscation to hide its payload, displays a fake CAPTCHA to appear legitimate, fingerprints victims by IP address, and downloads a 24MB PyInstaller-packaged information stealer that harvests credentials from system keyrings, browsers, and authentication services across Windows, Linux, and macOS,” Socket security researcher Kush Pandya said.”
Source: TheHackerNews

Qilin Ransomware Abuses WSL to Run Linux Encryptors in Windows
“The Qilin ransomware operation was spotted executing Linux encryptors in Windows using Windows Subsystem for Linux (WSL) to evade detection by traditional security tools. The ransomware first launched as “Agenda” in August 2022, rebranding to Qilin by September and continuing to operate under that name to this day. Qilin has become one of the most active ransomware operations, with new research from Trend Micro and Cisco Talos stating that the cybercrime gang has attacked more than 700 victims across 62 countries this year. Both firms say the group has become one of the most active ransomware threats worldwide, publishing over 40 new victims per month in the second half of 2025.”
Source: BleepingComputer

CISA Warns of Two More Actively Exploited Dassault Vulnerabilities
“The Cybersecurity & Infrastructure Security Agency (CISA) warned today that attackers are actively exploiting two vulnerabilities in Dassault Systèmes’ DELMIA Apriso, a manufacturing operations management (MOM) and execution (MES) solution. The first one (CVE-2025-6205) is a critical-severity missing authorization security flaw that can allow unauthenticated threat actors to remotely gain privileged access to an unpatched application, while the second (CVE-2025-6204) is a high-severity code injection vulnerability that lets attackers with high privileges execute arbitrary code on vulnerable systems.”
Source: BleepingComputer

YouTube Ghost Network Utilizes Spooky Tactics to Target Users
“Threat actors are haunting YouTube, lurking in compromised accounts and using videos to trick unsuspecting users into downloading malware. In a recent investigation, Check Point Research discovered a collection of malicious YouTube accounts, known as YouTube Ghost Network, promoting malicious links and distributing a wide variety of malware. Though Ghost Network operates across multiple platforms, including GitHub, Check Point researchers identified at least 3,000 malicious videos on YouTube associated with the network, most of which have since been taken down. The group, which has been active since 2021, has been producing more and more content over the years, tripling its output in 2025.”
Source: SecurityWeek

Zero Trust in Small Businesses

Zero Trust is often associated with large enterprises, complex infrastructures, and big budgets. In reality, however, the Zero Trust model is not a luxury – it’s a necessity, even for small businesses.
In today’s environment, where employees access company resources remotely and from personal devices, the old assumption that “everything inside the network is safe” no longer applies.
Zero Trust means no implicit trust is granted to assets or users – every access request must be verified, regardless of origin.

Core Principles of Zero Trust

Zero Trust is based on three core principles:

  • Verify every request – Authenticate and authorize every user and device every time they request access.
  • Apply least-privilege access – Grant users and systems only the minimum permissions they need to perform their tasks.
  • Assume breach – Design systems with the mindset that an attacker may already be inside your network.

No user, device, or network zone is automatically trusted. Access decisions should be dynamic and contextual, based on user identity, device health, location, time, and behavior. Continuous monitoring and logging ensure visibility and rapid threat detection.

How to Start with Your Existing Infrastructure

Zero Trust can be implemented incrementally. Small and medium-sized businesses can start by focusing on the most critical areas:

  1. Map your data and access. Identify key systems, users, and data flows.
  2. Implement Multi-Factor Authentication (MFA). A simple and cost-effective first step toward Zero Trust.
  3. Segment your network. Separate administrative, user, and production systems to limit lateral movement.
  4. Use Role-Based Access Control (RBAC). Enforce least privilege and review access regularly.
  5. Monitor and log activity. Visibility enables early threat detection and faster response.
  6. Leverage existing tools. Many small businesses already have Zero Trust-ready features in Microsoft 365 or Google Workspace.
  7. Start small and scale up. Focus first on high-risk areas, then expand gradually.
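
The core principles and the first steps above (verify every request, MFA, least privilege through RBAC, context such as device health, location and time, and logging every decision) combined into one deny-by-default decision function. This is an added illustration, not part of the original article or any vendor's API. The roles, resources, country codes and permitted hours are hypothetical sample values.

```python
"""Deny-by-default access decision for one request (illustrative only)."""
import json
from dataclasses import dataclass, replace
from datetime import datetime, timezone

# Hypothetical RBAC table: each role gets only the (resource, action) pairs it needs.
ROLE_PERMISSIONS = {
    "accountant": {("ledger", "read"), ("ledger", "write")},
    "intern": {("ledger", "read")},
    "it-admin": {("backup", "restore")},
}
# Hypothetical per-resource context rules (country codes and UTC hours are made up).
RESOURCE_RULES = {
    "ledger": {"managed_only": True, "countries": {"DE", "AT"}, "hours": range(6, 20)},
    "backup": {"managed_only": True, "countries": {"DE"}, "hours": range(0, 24)},
}
AUDIT_LOG = []  # every decision, allow or deny, is recorded here as a JSON line


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    resource: str
    action: str
    mfa_verified: bool
    device_managed: bool
    device_patched: bool
    country: str
    when: datetime


def evaluate(req):
    """Return (allowed, reasons). Any failed check denies the request."""
    reasons = []
    if not req.mfa_verified:                       # verify identity every time
        reasons.append("mfa_missing")
    if (req.resource, req.action) not in ROLE_PERMISSIONS.get(req.role, set()):
        reasons.append("role_not_permitted")       # least privilege
    rules = RESOURCE_RULES.get(req.resource)
    if rules is None:
        reasons.append("unknown_resource")         # nothing is trusted by default
    else:
        if rules["managed_only"] and not req.device_managed:
            reasons.append("unmanaged_device")
        if not req.device_patched:
            reasons.append("device_unpatched")
        if req.country not in rules["countries"]:
            reasons.append("unexpected_location")
        if req.when.astimezone(timezone.utc).hour not in rules["hours"]:
            reasons.append("outside_hours")
    allowed = not reasons
    AUDIT_LOG.append(json.dumps({
        "time": req.when.isoformat(), "user": req.user, "role": req.role,
        "resource": req.resource, "action": req.action,
        "decision": "allow" if allowed else "deny", "reasons": reasons,
    }))
    return allowed, reasons


def sample_request(**overrides):
    """Constructed baseline request; keyword arguments override single fields."""
    base = AccessRequest(
        user="ana", role="accountant", resource="ledger", action="write",
        mfa_verified=True, device_managed=True, device_patched=True,
        country="DE", when=datetime(2025, 11, 5, 9, 30, tzinfo=timezone.utc),
    )
    return replace(base, **overrides)


if __name__ == "__main__":
    for req in (sample_request(),
                sample_request(device_managed=False, country="BR"),
                sample_request(role="intern"),
                sample_request(mfa_verified=False, resource="payroll")):
        print(evaluate(req))
    print("\n".join(AUDIT_LOG))
```

Denied requests list every failed check rather than only the first, which makes the audit log more useful when reviewing access patterns.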

Typical Obstacles and How to Avoid Them

While Zero Trust is powerful, small organizations often face unique challenges:

  • “It’s too complex for us.” Start small – MFA and segmentation alone can greatly improve your security posture.
  • Limited budget or expertise. Use existing cloud platforms or partner with external cybersecurity providers.
  • Employee resistance. Clearly communicate the reasons for new verification steps and provide short internal training sessions.
  • Legacy systems. Isolate older devices that can’t meet Zero Trust requirements and plan their replacement over time.
  • Perimeter-focused mindset. Move away from relying solely on firewalls – treat every connection as untrusted until verified.

Simple Implementation Examples

  • Small accounting firm: Introduces MFA and limits accounting software access to company devices only.
  • Marketing agency: Uses VPN or Zero Trust Network Access (ZTNA) and enforces conditional access for remote users.
  • IT service provider: Authenticates and logs all remote connections to client systems, applying strict privilege separation.
  • Retail SME: Uses a cloud identity provider and limits access for point-of-sale systems to only essential data.

Zero Trust is not just for large enterprises — it’s for every organization that wants to protect its data, operations, and reputation.
By starting with identity protection, access control, and segmentation, small businesses can achieve stronger security and long-term resilience without heavy investment.
Adopt Zero Trust step by step — verify explicitly, limit access, and assume breach — and you’ll build a foundation that scales as your business grows.


Sources:
NIST – Zero Trust Architecture
Microsoft – Zero Trust Overview
Cloud Security Alliance – Zero Trust for SMBs
CrowdStrike – What Is Zero Trust Security?
Akamai – What Is Zero Trust?
JumpCloud – Zero Trust for SMEs

Security Highlights Of The Day [29/10/25]

New Herodotus Android Malware Fakes Human Typing to Avoid Detection
A new Android malware family, Herodotus, uses random delay injection in its input routines to mimic human behavior on mobile devices and evade timing-based detection by security software. Herodotus, according to Threat Fabric, is offered as a malware-as-a-service (MaaS) to financially motivated cybercriminals, believed to be the same operators behind Brokewell. Although the malware is still in development, clients of the new MaaS platform are currently deploying it against Italian and Brazilian users through SMS phishing (smishing) text messages. The malicious SMS contains a link to a custom dropper that installs the primary payload and attempts to bypass Accessibility permission restrictions present in Android 13 and later.
Source: BleepingComputer

Google Disputes False Claims of Massive Gmail Data Breach
Google was once again forced to announce that it had not suffered a data breach after numerous news outlets published sensational stories about a fake breach that purportedly exposed 183 million accounts. This claim began over the weekend and into today, with news stories claiming that millions of Gmail accounts were breached, with some outlets saying it affected the full 183 million accounts. However, as the company explained in a series of posts on Monday, Gmail did not suffer a breach, and the compromised accounts were actually from a compilation of credentials stolen by information-stealing malware and other attacks over the years. “Reports of a ‘Gmail security breach impacting millions of users’ are false. Gmail’s defenses are strong, and users remain protected,” reads a post on X. “The inaccurate reports are stemming from a misunderstanding of infostealer databases, which routinely compile various credential theft activity occurring across the web. It’s not reflective of a new attack aimed at any one person, tool, or platform.” “Several inaccurate claims surfaced recently that incorrectly stated that we issued a broad warning to all Gmail users about a major Gmail security issue. This is entirely false,” Google added.
Source: BleepingComputer

SideWinder Adopts New ClickOnce-Based Attack Chain Targeting South Asian Diplomats
A European embassy located in the Indian capital of New Delhi, as well as multiple organizations in Sri Lanka, Pakistan, and Bangladesh, have emerged as the target of a new campaign orchestrated by a threat actor known as SideWinder in September 2025. The activity “reveals a notable evolution in SideWinder’s TTPs, particularly the adoption of a novel PDF and ClickOnce-based infection chain, in addition to their previously documented Microsoft Word exploit vectors,” Trellix researchers Ernesto Fernández Provecho and Pham Duy Phuc said in a report published last week. The attacks, which involved sending spear-phishing emails in four waves from March through September 2025, are designed to drop malware families such as ModuleInstaller and StealerBot to gather sensitive information from compromised hosts.
Source: TheHackerNews

New ChatGPT Atlas Browser Exploit Lets Attackers Plant Persistent Hidden Commands
Cybersecurity researchers have discovered a new vulnerability in OpenAI’s ChatGPT Atlas web browser that could allow malicious actors to inject nefarious instructions into the artificial intelligence (AI)-powered assistant’s memory and run arbitrary code. “This exploit can allow attackers to infect systems with malicious code, grant themselves access privileges, or deploy malware,” LayerX Security Co-Founder and CEO, Or Eshed, said in a report shared with The Hacker News. The attack, at its core, leverages a cross-site request forgery (CSRF) flaw that could be exploited to inject malicious instructions into ChatGPT’s persistent memory. The corrupted memory can then persist across devices and sessions, permitting an attacker to conduct various actions, including seizing control of a user’s account, browser, or connected systems, when a logged-in user attempts to use ChatGPT for legitimate purposes.
Source: TheHackerNews

Massive China-Linked Smishing Campaign Leveraged 194,000 Domains
Threat actors are impersonating critical and general services, online platforms, and cryptocurrency exchanges in a massive smishing campaign that has been ongoing since April 2024, Palo Alto Networks warns. The cybersecurity firm first warned of the campaign in early March, when it identified over 10,000 domains linked to the impersonation of toll and package delivery services. Roughly a month later, it warned of over 91,500 root domains employed in these attacks. Subsequent analysis revealed that the campaign is much more extensive, with over 194,000 malicious domains used in these attacks since January 1, 2024. In addition to toll and package delivery services, the attacks also impersonate healthcare organizations, banks, cryptocurrency platforms, ecommerce and online payment platforms, law enforcement, and social media platforms.
Source: SecurityWeek

Security Highlights Of The Day [28/10/25]

Qilin Ransomware Combines Linux Payload With BYOVD Exploit in Hybrid Attack
The ransomware group known as Qilin (aka Agenda, Gold Feather, and Water Galura) has claimed more than 40 victims every month since the start of 2025, barring January, with the number of postings on its data leak site touching a high of 100 cases in June. The development comes as the ransomware-as-a-service (RaaS) operation has emerged as one of the most active ransomware groups, accounting for 84 victims each in the months of August and September 2025. Qilin is known to have been active since around July 2022. According to data compiled by Cisco Talos, the U.S., Canada, the U.K., France, and Germany are some of the countries most impacted by Qilin. The attacks have primarily singled out manufacturing (23%), professional and scientific services (18%), and wholesale trade (10%) sectors.
Source: TheHackerNews

Newly Patched Critical Microsoft WSUS Flaw Comes Under Active Exploitation
Microsoft on Thursday released out-of-band security updates to patch a critical-severity Windows Server Update Service (WSUS) vulnerability that has a publicly available proof-of-concept (PoC) exploit and has come under active exploitation in the wild. The vulnerability in question is CVE-2025-59287 (CVSS score: 9.8), a remote code execution flaw in WSUS that was originally fixed by the tech giant as part of its Patch Tuesday update published last week. Three security researchers, MEOW, f7d8c52bec79e42795cf15888b85cbad, and Markus Wulftange with CODE WHITE GmbH, have been acknowledged for discovering and reporting the bug. The shortcoming concerns a case of deserialization of untrusted data in WSUS that allows an unauthorized attacker to execute code over a network. It’s worth noting that the vulnerability does not impact Windows servers that do not have the WSUS Server Role enabled.
Source: TheHackerNews

Hackers Launch Mass Attacks Exploiting Outdated WordPress Plugins
A widespread exploitation campaign is targeting WordPress websites with GutenKit and Hunk Companion plugins vulnerable to critical-severity, old security issues that can be used to achieve remote code execution (RCE). WordPress security firm Wordfence says that it blocked 8.7 million attack attempts against its customers in just two days, October 8 and 9. The campaign exploits three flaws, tracked as CVE-2024-9234, CVE-2024-9707, and CVE-2024-11972, all rated critical (CVSS 9.8). CVE-2024-9234 is an unauthenticated REST-endpoint flaw in the GutenKit plugin with 40,000 installs that allows installing arbitrary plugins without authentication.
Source: BleepingComputer

Hackers Steal Discord Accounts With RedTiger-based Infostealer
Attackers are using the open-source red-team tool RedTiger to build an infostealer that collects Discord account data and payment information. The malware can also steal credentials stored in the browser, cryptocurrency wallet data, and game accounts. RedTiger is a Python-based penetration testing suite for Windows and Linux that bundles options for scanning networks and cracking passwords, OSINT-related utilities, Discord-focused tools, and a malware builder. RedTiger’s info-stealer component offers the standard capabilities of snatching system info, browser cookies and passwords, crypto wallet files, game files, and Roblox and Discord data. It can also capture webcam snapshots and screenshots of the victim’s screen.
Source: BleepingComputer

Ransomware Payments Dropped in Q3 2025: Analysis
Ransomware payments dropped significantly in the third quarter of 2025, according to an analysis conducted by ransomware incident response firm Coveware. According to Coveware, ransomware payment rates dropped to a historical low of 23% in Q3 2025, indicating that “cyber extortion’s overall success rate is contracting”, which should be viewed as a success of the efforts of law enforcement, cyber defenders and legal specialists. Coveware reported that the average ransom payment in Q3 2025 was roughly $377,000, a 66% decrease compared to the previous quarter. The median ransom payment dropped by 65%, to $140,000. The company has largely attributed the drop in payment amounts to a couple of trends. The first is large enterprises increasingly refusing to pay ransoms after being targeted in a ransomware attack.
Source: SecurityWeek

Security Highlights Of The Day [27/10/25]

Windows Server Emergency Patches Fix WSUS Bug With PoC Exploit
Microsoft has released out-of-band (OOB) security updates to patch a critical-severity Windows Server Update Service (WSUS) vulnerability with publicly available proof-of-concept exploit code. WSUS is a Microsoft product that enables IT administrators to manage and deliver Windows updates to computers within their network. Tracked as CVE-2025-59287 and patched during this month’s Patch Tuesday, this remote code execution (RCE) security flaw affects only Windows servers with the WSUS Server Role enabled, a feature that isn’t enabled by default. The vulnerability can be exploited remotely in low-complexity attacks that do not require user interaction, allowing threat actors without privileges to target vulnerable systems and run malicious code with SYSTEM privileges. This makes it potentially wormable between WSUS servers.
Source: BleepingComputer

Zero Trust Has a Blind Spot—Your AI Agents
Agentic AI has arrived. From custom GPTs to autonomous copilots, AI agents now act on behalf of users and organizations, or even act as just another teammate, making decisions, accessing systems, and invoking other agents without direct human intervention. But, with this new level of autonomy comes an urgent security question: If AI is doing the work, how do we know when to trust it? In traditional systems, Zero Trust architecture assumes no implicit trust, where every user, endpoint, workload, and service must continuously prove who they are and what they’re authorized to do. However, in the agentic AI world, these principles break down fast. AI agents often operate under inherited credentials, with no registered owner or identity governance. The result is a growing population of agents that may look trusted but actually are not, one of many risks of autonomous AI agents in your infrastructure.
Source: BleepingComputer

3,000 YouTube Videos Exposed as Malware Traps in Massive Ghost Network Operation
A malicious network of YouTube accounts has been observed publishing and promoting videos that lead to malware downloads, essentially abusing the popularity and trust associated with the video hosting platform for propagating malicious payloads. Active since 2021, the network has published more than 3,000 malicious videos to date, with the volume of such videos tripling since the start of the year. It has been codenamed the YouTube Ghost Network by Check Point. Google has since stepped in to remove a majority of these videos. The campaign leverages hacked accounts and replaces their content with “malicious” videos that are centred around pirated software and Roblox game cheats to infect unsuspecting users searching for them with stealer malware. Some of these videos have racked up hundreds of thousands of views, ranging from 147,000 to 293,000.
Source: TheHackerNews

Toys ‘R’ Us Canada Customer Information Leaked Online
Toy store Toys “R” Us Canada this week notified its customers that a threat actor stole their personal information and leaked it on the dark web. The incident, the company said in notification emails to customers, copies of which have been shared on social media platforms, was discovered on July 30, after the information was posted on “the unindexed internet”. “We immediately hired third-party cybersecurity experts to assist with containment and to investigate the incident. The investigation revealed that the unauthorized third party copied certain records from our customer database which contains personal information,” the notification reads. The compromised information, the company told shoppers, includes names, addresses, email addresses, and phone numbers. It also said it was in the process of notifying the relevant authorities.
Source: SecurityWeek

Pwn2Own WhatsApp Hacker Says Exploit Privately Disclosed to Meta
A total of $1,024,750 has been paid out at the Pwn2Own Ireland 2025 hacking contest organized by Trend Micro’s Zero Day Initiative (ZDI), but the event has been overshadowed by the last-minute withdrawal of a researcher who was scheduled to demonstrate a WhatsApp exploit worth $1 million. The highest reward at Pwn2Own Ireland 2025, $100,000, was paid out for an exploit chain targeting the QNAP Qhora-322 router and the QNAP TS-453E NAS device. Two Samsung Galaxy S25 exploit chains were each rewarded with $50,000, and the same amount was earned for vulnerabilities in Synology ActiveProtect Appliance DP320 and the Sonos Era 300 smart speaker. Participants received up to $40,000 for hacking Ubiquiti cameras, QNAP and Synology NAS devices, Lexmark and Canon printers, and smart home systems such as Philips Hue Bridge, Amazon Smart Plug, and Home Automation Green.
Source: SecurityWeek

Security Highlights Of The Day [22/10/25]

Over 75,000 WatchGuard Security Devices Vulnerable to Critical RCE

Nearly 76,000 WatchGuard Firebox network security appliances are exposed on the public web and remain vulnerable to a critical flaw (CVE-2025-9242) that allows unauthenticated remote code execution. Most affected devices are located in Europe and North America, with the U.S. leading (24,500 devices), followed by Germany, Italy, the U.K., Canada, and France.

Source: BleepingComputer

Self-Spreading GlassWorm Malware Hits OpenVSX, VS Code Registries

A new supply-chain attack targets developers on OpenVSX and Microsoft Visual Studio marketplaces using self-spreading malware called GlassWorm, installed an estimated 35,800 times. It hides malicious code with invisible characters and spreads via stolen accounts. The malware’s operators use Solana blockchain for C2, with Google Calendar as backup.

Source: BleepingComputer

To Be (A Robot) or Not to Be: New Malware Attributed to Russia State-Sponsored COLDRIVER

Google Threat Intelligence Group (GTIG) reports that COLDRIVER, a Russian state-sponsored group, has deployed new malware families following the public exposure of its LOSTKEYS malware in May 2025. The new malware shows a rapid increase in development and aggressive deployment, replacing LOSTKEYS entirely in recent operations.

Source: Google Cloud

Five New Exploited Bugs Land in CISA’s Catalog — Oracle and Microsoft Among Targets

CISA added five new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, including two actively exploited Oracle E-Business Suite flaws (CVE-2025-61884 and CVE-2025-61882). The vulnerabilities allow unauthenticated remote code execution and unauthorized data access. Oracle and Microsoft systems are among those impacted.

Source: TheHackerNews

Fast, Broad, and Elusive: How Vidar Stealer 2.0 Upgrades Infostealer Capabilities

Vidar Stealer v2.0 has been released, transitioning from C++ to C for improved speed and efficiency. The new version adds anti-analysis features, multithreaded data theft, and advanced credential extraction methods. It maintains a $300 lifetime price and continues to compete with other major infostealers like Lumma and StealC.

Source: TrendMicro
