Major Incidents or Breaches

  • Over 100,000 WordPress sites are at risk due to a critical, unpatched vulnerability (CVSS 10.0) in the TI WooCommerce Wishlist plugin, allowing unauthenticated attackers to upload arbitrary files.
  • Over 9,000 ASUS routers have been compromised by the “AyySSHush” botnet, which adds a persistent SSH backdoor. The botnet also targets SOHO routers from Cisco, D-Link, and Linksys.
  • Cellcom experienced a cyberattack that disrupted regional mobile services in Wisconsin and Michigan, with outages lasting nearly a week followed by continued intermittent service.
  • A financially motivated threat actor known as “Mimo” has exploited CVE-2025-32432 (RCE) in Craft CMS to deploy cryptominers and proxyware payloads.
  • The Interlock ransomware gang has deployed a new remote access trojan (NodeSnake RAT) against universities, enabling persistent access to networks.
  • The “Dark Partner” cybercrime group is conducting large-scale cryptocurrency theft through a network of fake AI, VPN, and crypto software download sites.
  • Researchers observed 251 Amazon-hosted IP addresses used in coordinated exploitation scans against exposed ColdFusion, Apache Struts, and Elasticsearch instances.

Newly Discovered Vulnerabilities

  • A critical unpatched vulnerability in the TI WooCommerce Wishlist WordPress plugin (CVSS 10.0) allows unauthenticated file uploads, exposing over 100,000 sites.
  • A security flaw in Microsoft OneDrive File Picker allows web applications to access a user’s entire cloud storage content, not just the files selected for upload.
  • CVE-2025-32432, a recently disclosed remote code execution vulnerability in Craft CMS, is being actively exploited.

Notable Threat Actor Activity

  • The Chinese APT31 group was formally attributed by the Czech Republic for cyberattacks against the Ministry of Foreign Affairs and critical infrastructure in 2022.
  • APT41 (China-linked) is using new malware (“ToughProgress”) that leverages Google Calendar for stealthy command-and-control communications.
  • Iranian national Sina Gholinejad pleaded guilty in the US to involvement in the RobbinHood ransomware attack on Baltimore, part of a $19 million international extortion scheme.
  • Pakistani authorities arrested 21 individuals associated with the “Heartsender” malware and spam dissemination service, which had operated for over a decade.
  • The newly identified PumaBot botnet, written in Go, is targeting Linux-based IoT devices by brute-forcing SSH credentials to deploy cryptominers and facilitate further attacks.
  • The Interlock ransomware group is using the NodeSnake RAT to maintain persistent access to university networks.

Trends, Tools, or Tactics of Interest

  • Stealer malware campaigns are increasingly focused on capturing live sessions and moving rapidly to account takeover, rather than just stealing static credentials.
  • “Browser-in-the-Middle” attacks are being used to hijack user sessions in seconds, bypassing traditional credential theft methods.
  • Alternate Data Streams are highlighted as an adversary defense-evasion technique, with accompanying detection guidance.
  • The “Dark Partner” group uses fake software download sites to distribute malware and facilitate cryptocurrency theft.
  • The evolution of the Zanubis Android banking trojan includes the adoption of RC4 and AES encryption, expanded credential theft capabilities, and new targeting in Peru.
  • PumaBot and AyySSHush botnets demonstrate ongoing targeting of IoT and SOHO network devices, focusing on SSH brute-forcing and persistent backdoor installation.

Regulatory or Policy Developments Affecting the Security Industry

  • The Czech Republic publicly attributed the 2022 Ministry of Foreign Affairs cyberattack to China-linked APT31, marking a formal diplomatic accusation.
  • Microsoft introduced a new update orchestration platform for Windows, aiming to unify software, driver, and system component updates.
  • Microsoft launched Windows Backup for Organizations, designed to streamline enterprise backup and migration processes.
  • Apple reported blocking over $9 billion in fraudulent App Store transactions since 2020, with $2 billion prevented in 2024.
  • Zscaler announced an agreement to acquire Red Canary, aiming to integrate threat detection and AI-powered security operations capabilities.