Major Incidents or Breaches

  • The U.S. Department of Justice, with UK cooperation, seized $15 billion in bitcoin from the leader of the Prince Group, a criminal syndicate responsible for large-scale “pig butchering” cryptocurrency investment fraud targeting US victims.
  • Harvard University was confirmed as a victim of the Oracle E-Business Suite zero-day vulnerability (CVE-2025-61884), with over 1TB of data allegedly stolen and leaked by the Cl0p ransomware group.
  • Chinese APT threat actors, attributed as “Flax Typhoon,” compromised an ArcGIS geo-mapping server, maintaining undetected persistence for over a year by modifying the software into a stealth backdoor.
  • Malicious crypto-stealing Visual Studio Code extensions, attributed to the “TigerJack” group, resurfaced on the OpenVSX registry and the Microsoft VSCode marketplace, targeting developers to exfiltrate cryptocurrency and sensitive data.

Newly Discovered Vulnerabilities

  • SAP released patches for 13 new vulnerabilities, including a maximum-severity bug in SAP NetWeaver AS Java that allows unauthenticated arbitrary command execution.
  • Oracle silently patched a zero-day vulnerability (CVE-2025-61884) in Oracle E-Business Suite, which had been publicly exploited with a proof-of-concept leaked by the ShinyHunters group.
  • A new side-channel attack, “Pixnapping,” was disclosed affecting Google and Samsung Android devices, enabling malicious apps with no permissions to steal 2FA codes, Google Maps timelines, and other sensitive data by extracting pixels from the display. Google has issued a partial patch.
  • AMD issued fixes for “RMPocalypse,” a vulnerability in Secure Encrypted Virtualization with Secure Nested Paging (SEV-SNP), which could allow attackers to undermine confidential computing guarantees with a single 8-byte write.
  • Nearly 200,000 Linux Framework laptops were shipped with signed UEFI shell components, exposing them to Secure Boot bypass attacks.
  • Adobe published advisories for over 35 vulnerabilities across its products, including a critical flaw in the Connect Collaboration Suite.

Notable Threat Actor Activity

  • Chinese state-backed actors (“Flax Typhoon”) exploited the ArcGIS server for year-long persistence and stealth access.
  • ShinyHunters leaked a proof-of-concept exploit for the Oracle E-Business Suite zero-day, leading to real-world breaches.
  • TigerJack continues to distribute malicious VSCode extensions to steal cryptocurrency from developers.

Trends, Tools, or Tactics of Interest

  • A new phishing campaign is leveraging AI tools to craft emails and evade detection, indicating increased sophistication in social engineering attacks.
  • Infostealers are increasingly targeting clipboard content, including images, for data exfiltration and on-the-fly modification (e.g., crypto-wallet address swapping).
  • Research into hacktivist campaigns identified over 2,000 unique hashtags across 11,000 posts, providing insight into hacktivist targeting and campaign organisation.
  • The emergence of autonomous AI agents in enterprise environments (“Shadow AI”) is shifting security risks, with agents now capable of opening tickets, fixing incidents, and making operational decisions independently.
  • Security firms FuzzingLabs and Gecko Security are in dispute over CVE reporting credit, highlighting ongoing issues around vulnerability disclosure attribution.

Regulatory or Policy Developments Affecting the Security Industry

  • Microsoft Windows 10 and Exchange Server 2016/2019 have reached end-of-support, with no further security updates provided. Microsoft is urging customers to migrate to supported platforms.
  • The US and UK coordinated law enforcement action against the Prince Group, marking one of the largest cryptocurrency seizures in history.
  • Cybereason is to be acquired by LevelBlue, continuing consolidation in the managed security services provider (MSSP) sector.