Major Incidents or Breaches

  • Farmers Insurance disclosed a data breach affecting 1.1 million individuals, with the compromise traced to broader attacks on Salesforce environments.
  • French retailer Auchan reported a cyberattack that exposed sensitive loyalty account data of several hundred thousand customers.
  • Aspire Rural Health System confirmed a data breach impacting nearly 140,000 individuals, attributed to the BianLian ransomware group.
  • Data I/O, a chip programming firm, experienced a ransomware attack disrupting communications, shipping, and production operations.
  • The Arch Linux Project was subjected to a week-long DDoS attack, affecting its website, repository, and forums.
  • US pharmaceutical company Inotiv suffered a cyberattack, as reported in threat intelligence bulletins.
  • Lab-Dookhtegen claimed responsibility for attacks disabling communications on more than 60 Iranian cargo ships and oil tankers.

Newly Discovered Vulnerabilities

  • Docker released patches for CVE-2025-9074, a critical container escape vulnerability (CVSS 9.3) in Docker Desktop for Windows and macOS, which allowed attackers to compromise host systems even with Enhanced Container Isolation enabled.
  • CISA added three actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, impacting Citrix Session Recording and Git.
  • Researchers described the “OneFlip” attack, a Rowhammer-based technique that flips a single bit in neural network weights, enabling stealthy backdoors in AI systems.
  • Multiple password manager flaws and an Apple 0-day were highlighted as being exploited in the wild.
  • Researchers detailed a new AI attack method that hides data-theft prompts in downscaled images processed by large language models.
  • The “ClickFix” attack was described, in which AI-generated content summaries are abused to push malware.
  • Prompt injection vulnerabilities in AI browsers were reported, with potential for significant financial risk to users.

Notable Threat Actor Activity

  • The China-nexus threat actor UNC6384 was attributed to attacks against diplomats in Southeast Asia and globally, deploying PlugX malware via captive portal hijacks and valid certificates.
  • Transparent Tribe (APT36), a Pakistani state-sponsored group, targeted Indian government entities and Linux systems with malicious desktop shortcut files as part of a phishing campaign.
  • The Anatsa Android banking trojan expanded operations, now targeting 830 financial and cryptocurrency applications across additional countries.
  • A new phishing campaign was identified using fake voicemail and purchase order emails to deliver the UpCrypter malware loader, which installs remote access trojans (RATs) for persistent access.
  • A surge in coordinated scanning activity was detected against Microsoft Remote Desktop Web Access and RDP authentication servers, involving nearly 2,000 IP addresses.
  • BianLian ransomware group was confirmed as responsible for the Aspire Rural Health System breach.

Trends, Tools, or Tactics of Interest

  • Seventy-seven malicious Android apps, totalling over 19 million installs, were removed from Google Play after being found to contain various types of malware.
  • Fast-spreading, complex phishing campaigns are increasingly delivering RATs, enabling both credential theft and long-term network persistence.
  • Attackers are leveraging malware persistence techniques such as scheduled tasks and startup scripts, with detection and blocking methods highlighted for platforms like Wazuh.
  • SIEM rule effectiveness was analysed using 160 million attack simulations, revealing common detection failures and the need for improved tuning.
  • Ongoing DDoS attacks continue to target open-source and infrastructure projects, as seen with the Arch Linux Project.

Regulatory or Policy Developments Affecting the Security Industry

  • Google announced forthcoming requirements to verify the identity of all Android app developers in four countries, extending to those distributing apps outside the Play Store.
  • CISA published updated guidance on the Minimum Elements for a Software Bill of Materials (SBOM) and requested public feedback.
  • The US Federal Trade Commission (FTC) chair issued letters to major tech companies, urging them not to weaken encryption in response to foreign government demands.