The cyber world reminds us every week that silence does not mean safe. Attacks often begin quietly. One unpatched flaw, one missed credential, and one unencrypted backup. By the time the alarm sounds, the damage is complete.
In this week’s issue, we look at how attackers are changing the landscape by linking flaws together, collaborating across borders, and even turning trusted tools into weapons. From critical software bugs to AI exploits to new phishing techniques, each story shows how rapidly the threat landscape is changing and why security needs to move just as quickly.
⚡ Threat of the Week
Dozens of organizations affected by Oracle EBS flaw exploitation — Since August 9, 2025, a zero-day exploit of a security flaw in Oracle’s E-Business Suite (EBS) software may have affected dozens of organizations, according to Google Threat Intelligence Group (GTIG) and Mandiant. This activity has several characteristics associated with the Cl0p ransomware cluster and is assessed to have combined several different vulnerabilities, including a zero-day flaw tracked as CVE-2025-61882 (CVSS score: 9.8), to infiltrate target networks and exfiltrate sensitive data. This attack chain is known to trigger two different payload chains and drop malware families such as GOLDVEIN.JAVA, SAGEGIFT, SAGELEAF, and SAGEWAVE. Oracle also released an update to EBS to address another vulnerability in the same product (CVE-2025-61884) that could lead to unauthorized access to sensitive data. The company did not say whether it was actually being exploited.
🔔 Top News
- Storm-1175 is related to exploiting the GoAnywhere MFT flaw — Storm-1175 is being tracked by Microsoft for exploiting a maximum severity vulnerability (CVE-2025-10035) in GoAnywhere MFT to launch a multi-stage attack that included Medusa ransomware. Storm-1175 attacks are opportunistic and impact organizations in the transportation, education, retail, insurance, and manufacturing sectors. This activity combines legitimate tools and stealth techniques to install remote monitoring tools such as SimpleHelp and MeshAgent, drop a web shell, and use built-in Windows utilities to move access laterally across networks to covertly monetize access through extortion and data theft. Fortra subsequently revealed that it began an investigation on September 11 following a “potential vulnerability” reported by a customer and uncovered “potentially suspicious activity” related to the flaw.
- OpenAI disrupted three clusters in China, North Korea, and Russia — OpenAI announced that it had suspended three activity clusters for abusing its ChatGPT artificial intelligence (AI) tool to facilitate malware development. The first involved Russian-language attackers who are said to have used the chatbot to help develop and refine remote access Trojans (RATs) and credential stealers designed to evade detection. The second cluster originated from North Korea and used ChatGPT for malware and command-and-control (C2) development, focusing on developing macOS Finder extensions, configuring Windows Server VPNs, or converting Chrome extensions to Safari equivalents. The third set of banned accounts overlaps with the cluster tracked as UNK_DropPitch (aka UTA0388), a Chinese hacker group that used the AI chatbot to generate content for phishing campaigns in English, Chinese, and Japanese, to help speed up everyday tasks like remote execution and protecting traffic with HTTPS, and to find information on installing open source tools such as nuclei and fscan.
- Over 175 npm packages used in phishing campaigns — In an unusual development, threat actors have been observed pushing disposable npm packages. Once installed, these packages create and publish their own npm packages with the pattern “redirect-xxxxxx” or “mad-xxxxxx”, which automatically redirect victims to a credential harvesting site when opened from a crafted HTML business document. “Unlike the well-known tactic of simply uploading malicious packages and compromising developers during package installation, this campaign takes a different path,” Snyk said. “Rather than infecting users via npm install, attackers leverage the browser delivery path via UNPKG to turn legitimate open source hosting infrastructure into a phishing mechanism.” It is believed that HTML files generated through the npm packages are distributed to victims, who are redirected to a credential phishing site when they attempt to open the files. In the packages analyzed by Snyk, the page disguises itself as a Cloudflare security check and directs victims to an attacker-controlled URL obtained from a file hosted on GitHub.
- LockBit, Qilin and DragonForce team up — LockBit, Qilin, and DragonForce, three of the most notorious ransomware-as-a-service operations, have formed a criminal cartel to coordinate attacks and share resources. The partnership was announced early last month, shortly after the launch of LockBit 5.0. “We will create a level playing field and eliminate conflict and public humiliation,” DragonForce wrote in a post on a dark web forum. “In this way, we can all increase our income and determine the market situation. Call it a coalition, a cartel, whatever you like. The important thing is to stay in touch, be friendly to each other and be strong allies, not enemies.” The alliance of the three groups comes amid mounting pressure from law enforcement and has been accompanied by attacks on hitherto off-limits sectors, such as nuclear power plants, thermal power plants and hydroelectric plants. It also follows a similar consolidation pattern among primarily English-speaking cybercriminal groups, such as Scattered Spider, ShinyHunters, and LAPSUS$, which began working together under the name Scattered LAPSUS$ Hunters. That said, ransomware cartelization also occurs at a time of record fragmentation in the broader ecosystem, with the number of active data leak sites reaching an all-time high of 81 in the third quarter of 2025.
- China-nexus hackers exploit open source Nezha tool in attacks — Attackers with suspected ties to China turned a legitimate open source monitoring tool called Nezha into an attack weapon and used it to deliver known malware called Gh0st RAT to their targets. The campaign has likely compromised more than 100 machines since August 2025, with the majority of infections reported in Taiwan, Japan, South Korea, and Hong Kong. This activity is another sign of how threat actors continue to repurpose legitimate tools for malicious ends and blend them into normal network traffic. In one example observed by Huntress, an attacker targeted an exposed phpMyAdmin panel and deployed a web shell via a log poisoning attack. The access gained through the web shell was then used to drop Nezha and eventually Gh0st RAT, but not before laying the necessary groundwork to evade detection.
🔥 Trending CVEs
Hackers act quickly. New vulnerabilities are often exploited within hours, and one missed patch can lead to a major breach. One unpatched CVE may be enough for a complete compromise. Below are this week’s most critical vulnerabilities that are gaining attention across the industry. Review them, prioritize fixes, and close gaps before attackers can exploit them.
This week’s list includes CVE-2025-61884 (Oracle E-Business Suite), CVE-2025-11371 (Gladinet CentreStack and TrioFox), CVE-2025-5947 (Service Finder Theme), CVE-2025-53967 (Framelink Figma MCP Server), CVE-2025-49844 (Redis), CVE-2025-27237 (Zabbix agent), CVE-2025-59489 (Unity for Android and Windows), CVE-2025-36604 (Dell UnityVSA), CVE-2025-37728 (Elastic Kibana Connector), CVE-2025-56383 (Notepad++), CVE-2025-11462 (AWS Client VPN for macOS), CVE-2025-42701 and CVE-2025-42706 (CrowdStrike Falcon), CVE-2025-11001 and CVE-2025-11002 (7-Zip), CVE-2025-59978 (Juniper Networks Junos Space), CVE-2025-11188, CVE-2025-11189, and CVE-2025-11190 (SynchroWeb Kiwire Captive Portal), CVE-2025-3600 (Progress Telerik UI for ASP.NET AJAX), a REDCap cross-site scripting (XSS) vulnerability, and unpatched Ivanti Endpoint Manager security vulnerabilities (ZDI-25-935 through ZDI-25-947).
📰 Around the cyber world
- TwoNet targets Forescout honeypots — An ICS/OT honeypot operated by Forescout and designed to mimic a water treatment plant was targeted last month by a Russia-linked group named TwoNet. The hacktivist group attempted to tamper with the associated human machine interfaces (HMIs), disrupt processes, and manipulate other ICS components. Forescout’s honeypots also recorded Russia- and Iran-linked attack attempts. According to Intel471, TwoNet first appeared in January and primarily focused on DDoS attacks using the MegaMedusa Machine malware. TwoNet announced through its affiliate group CyberTroops that it would cease operations on September 30, 2025. “This highlights the ephemeral nature of the ecosystem, where channels and groups typically have short-lived lives, while carriers typically survive by rebranding, changing alliances, joining other groups, learning new technology, or targeting other organizations,” Forescout said. “Groups moving from DDoS/tampering to OT/ICS often misread targets, stumble on honeypots, or overcharge. That doesn’t make them harmless. It shows where they’re going.”
- Sophos investigates WhatsApp worm and Coyote link — A recently uncovered campaign called Water Saci involved attackers using self-propagating malware called SORVEPOTEL, which spread via the popular messaging app WhatsApp. Sophos said it is investigating whether this campaign is related to a previously reported campaign that distributed a banking Trojan named Coyote targeting users in Brazil, and whether the malware used in the attack, Maverick, is an evolved version of Coyote. The WhatsApp message contains a compressed LNK file that, when launched, initiates a series of malicious PowerShell commands that drop a next-stage PowerShell payload and attempt to modify local security controls. In some cases, Sophos said it has observed an additional payload, the legitimate Selenium browser automation tool, which allows the attackers to take control of browser sessions running on infected hosts. Selenium is suspected to be delivered alongside Maverick through the same command and control (C2) infrastructure.
- North Korean IT workers seek jobs in new fields — North Korea’s notorious IT workers are now seeking remote jobs in industrial design and architecture, according to security firm KELA. “Their involvement may pose risks related to espionage, sanctions evasion, security concerns, and access to sensitive infrastructure designs,” the report said, describing the threat as “a highly organized state-sponsored network that goes well beyond the role of IT.” One of the IT workers, Hailong Jin, has been identified as involved in the development of a malicious game called DeTankZone. Jin is also linked to another IT worker named Lian Hung, who claims to be a mobile app developer from Tanzania. Hailong Jin and Lian Hung may be the same person, Cholima Group said, adding that Bells Inter Trading Limited is a North Korean-operated front company that employs IT workers in Tanzania. The company is linked to several VPN apps published on both Apple’s and Google’s iOS and Android app stores. “Rather than seeing North Korea’s IT workers as a monolithic entity, they are more like individual entrepreneurs who operate with the blessings of higher-ranking superiors,” Cholima Group said. “As IT workers gain more status and respect, they can move up the organizational ranks and eventually become bosses themselves. From there, they may establish their own front companies and gain the necessary status to take on more malicious activities (if they wish). This may explain why their chosen title is ‘Project Manager’.”
- FBI seizes site used by Salesforce extortionists — The Federal Bureau of Investigation (FBI) has seized a website (“breachforums(.)hn”) used by Scattered LAPSUS$ Hunters to extort Salesforce and its customers. This action marks the latest chapter in the ongoing cat-and-mouse game to dismantle persistent data breach sites. However, the dark web version of the leak site is still up and running. “BreachForums was seized today by the FBI and our international partners. All of our domains have been taken by the US government. The days of forums are over,” the Scattered Lapsus$ Hunters group posted on Telegram in a PGP-encrypted statement. Although these groups initially claimed to be inactive, their websites resurfaced just days later, transitioning from hacking forums to extortion-only sites. The group also admitted that BreachForums’ servers and backups had been destroyed, and its database archives and escrow data dating back to 2023 had been compromised. The Scattered LAPSUS$ Hunters (aka Trinity of Chaos) are a newly formed alliance consisting of Scattered Spider (aka Muddled Libra), LAPSUS$, and ShinyHunters (aka Bling Libra). In recent weeks, attackers have breached Salesloft’s systems and used that access to obtain customer Salesforce data. Last month, Salesloft revealed that a data breach related to its Drift application began with a compromised GitHub account. BreachForums has a long and checkered history, with numerous deletions and reinstatements since the original administrator was arrested in March 2023.
- NSO Group acquired by US investment group — Israeli spyware maker NSO Group has revealed that a US investment group has acquired the controversial company. A company spokesperson told TechCrunch that “a US investment group has invested tens of millions of dollars in the company and acquired a controlling stake.”
- Apple revamps bug bounty program — Apple has announced a major update to its bug bounty program, with the company now offering up to $2 million for exploit chains that can achieve goals similar to sophisticated mercenary spyware attacks. The company also offers up to $300,000 for a one-click WebKit sandbox escape, and up to $1 million for WebKit exploit chains, wireless proximity exploits over any radio, widespread unauthorized iCloud access, and unsigned arbitrary code execution. “Since launching the public Apple Security Bounty program in 2020, we are proud to have awarded more than $35 million to more than 800 security researchers, with multiple individual reports resulting in $500,000 in bounties,” the company said in a statement. The new rewards are expected to take effect in November 2025.
- Spain’s Guardia Civil disrupts GXC Team — Spanish authorities dismantled the GXC Team and arrested its alleged ringleader, a 25-year-old Brazilian who went by the online handle GoogleXcoder. According to Group-IB, the GXC Team operated a crime-as-a-service (CaaS) platform that provided AI-powered phishing kits, Android malware, and voice fraud tools to cybercriminals targeting banks, transportation, and e-commerce in Spain, Slovakia, the United Kingdom, the United States, and Brazil via Telegram and Russian-speaking hacker forums. “With a nomadic lifestyle, they frequently move between provinces in Spain, using stolen personal information to secure housing, telephone lines, and payment cards,” Group-IB said.
- Inside the Russian Market — Rapid7 said the Russian Market has evolved its operations over time, pivoting away from selling RDP access to stolen credit card data and, more recently, infostealer logs. “The stolen credentials originated from organizations around the world, with 26% originating from the United States and 23% originating from Argentina,” the company said. “Most merchants have been adopting a multi-stealer approach for many years, leveraging various malware variants in their operations, with Lumma emerging as a widely used tool.” The findings come after Red Canary revealed that Atomic, Poseidon, and Odyssey have emerged as three prominent stealer families targeting Apple macOS systems, while sharing many tactical similarities. Odyssey Stealer is the successor to Poseidon and was first discovered in March 2025.
- Austria claims Microsoft violated EU law — Austria’s privacy regulator has found that Microsoft illegally tracked students through Microsoft 365 Education using tracking cookies without their consent, in violation of EU law. This decision was taken in response to the 2024 noyb complaint. The Austrian Data Protection Board (DSB) has ordered the deletion of the relevant personal data. “The decision by the Austrian DPA highlights the lack of transparency in Microsoft 365 Education,” said noyb. “It is nearly impossible for schools to let students, parents, and teachers know what is happening to their data.”
- Around 250 malicious documents can backdoor an AI model — A new academic study by Anthropic, the UK AISI’s Safeguards Team, and the Alan Turing Institute has found that it takes around 250 malicious documents to establish a simple “backdoor” in a large language model. The study challenges the idea that an attacker needs to control or contaminate a large portion of the training data in order to influence the output of an LLM. “A poisoning attack requires a roughly constant number of documents, regardless of the size of the model or training data,” the report said. “Poisoning attacks may be more feasible than previously thought if an attacker only needs to inject a small number of fixed documents rather than part of the training data.” A 2024 study by researchers at Carnegie Mellon University, ETH Zurich, Meta, and Google DeepMind showed that an attacker controlling 0.1% of the pre-training data could introduce backdoors for a variety of malicious purposes. “Because the number of poisons required does not increase with model size, this suggests that injecting backdoors through data poisoning may be easier in large models than previously thought, and highlights the need for further research into defenses to reduce this risk in future models,” the researchers said. The disclosure coincided with OpenAI saying its GPT-5 model has lower levels of political bias than any previous model.
🎥 Cybersecurity Webinar
- Drowning in vulnerability alerts? Here’s how to finally take back control – Most security teams face the same problem: too many vulnerabilities and not enough time. Dynamic Attack Surface Reduction (DASR) solves this problem by automatically detecting and resolving risks before attackers can exploit them. Instead of endlessly chasing alerts, your team can focus on what really matters: keeping your systems secure and running smoothly. This is a smarter and faster way to stay ahead.
- How leading teams are using AI to simplify compliance and reduce risk – AI is changing the way organizations handle governance, risk, and compliance (GRC). Compliance can be faster and smarter, but it also brings new risks and rules to follow. This session will teach you how to use AI safely and effectively, with real-world examples, lessons from early adopters, and practical tips to prepare your team for future compliance.
- From Firefighting to Safe Design: A Practical Handbook – AI is changing rapidly, but security can’t keep up. The smartest teams are now treating security controls as a launching pad rather than an obstacle, allowing AI agents to act quickly and safely. By moving from reactive firefighting to a design-for-safety mindset, organizations gain both speed and confidence. With the right framework, you can accelerate innovation rather than slow it down while controlling AI risks.
🔧 Cyber Security Tools
- P0LR Espresso – Permiso’s new open source tool that enables security teams to quickly analyze multicloud logs during live response. It normalizes data from platforms like AWS, Azure, and GCP to provide clear timelines, behavioral insights, and IOC analysis, making it easier to identify compromised identities and understand what actually happened.
- Ouroboros – A new open source decompiler written in Rust that recovers high-level code structure from compiled binaries using symbolic execution. Unlike traditional decompilers that rely on static allocation models, Ouroboros tracks constraints and data flow to understand how registers and memory change during execution. This approach helps reconstruct logical code patterns such as loops, conditionals, and control flow regions, making it a practical tool for reverse engineering, program analysis, and security research.
Disclaimer: These tools are for educational and research purposes only. They have not been thoroughly security tested and may pose a risk if used incorrectly. Please review the code before trying it, test only in a safe environment, and follow all ethical, legal, and organizational rules.
🔒 Tip of the week
Don’t leave your backups unlocked — Backups are a safety net, but if they’re not encrypted, they can be your biggest risk. Anyone with access to your unencrypted backup can read everything in it, including your passwords, emails, financial data, customer information, and more.
Simple solution: Make sure to encrypt your backups before storing them or sending them anywhere (USB, cloud, server). Encryption locks your data so only you can open it.
🔐 Easy and reliable open source tools:
- restic: Fast, simple, and automatically encrypts everything. Works with many cloud services.
- borg backup: Compress, dedupe, and encrypt your backups. Ideal for long-term storage.
- duplicity: Uses GPG encryption and supports encrypted backups to local or remote storage.
- rclone: Securely sync your files to cloud storage using built-in encryption options.
Pro tip: Test your backups regularly to make sure they can be decrypted and restored. Having a locked or corrupted backup is just as bad as not having a backup at all.
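An added example (not from the newsletter) that turns the tip into a repeatable restore drill around restic, one of the tools listed above: back up, verify the encrypted repository, restore the latest snapshot into a scratch directory, and prove the restored tree matches the source by checksum. It assumes restic is installed and that RESTIC_REPOSITORY, RESTIC_PASSWORD_FILE and a hypothetical SOURCE_DIR are exported; the checksum comparison itself needs only coreutils.

```shell
#!/usr/bin/env bash
# Added example, not the newsletter's own code. Assumptions: restic installed,
# RESTIC_REPOSITORY and RESTIC_PASSWORD_FILE exported (restic reads both),
# SOURCE_DIR (hypothetical name) points at the data being backed up.
set -u

# Write a sorted "sha256  ./relative/path" manifest of every regular file
# under the directory given as $1 to stdout.
manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort )
}

# Compare a source tree ($1) with a restored tree ($2). Returns 0 only when
# every file exists in both with identical contents; prints what differs.
verify_restore() {
    src="$1"; restored="$2"
    [ -d "$src" ] && [ -d "$restored" ] || { echo "missing directory" >&2; return 1; }
    m_src="$(mktemp)"; m_res="$(mktemp)"
    manifest "$src" > "$m_src"
    manifest "$restored" > "$m_res"
    if cmp -s "$m_src" "$m_res"; then
        rc=0; echo "restore verified: $restored matches $src"
    else
        rc=1; echo "restore MISMATCH between $src and $restored:" >&2
        diff "$m_src" "$m_res" >&2
    fi
    rm -f "$m_src" "$m_res"
    return "$rc"
}

# Full drill: encrypted backup, repository integrity check (reads every data
# blob, so it also proves the key still decrypts), restore, and comparison.
backup_and_verify() {
    src="$(cd "$1" && pwd)" || return 1     # restic stores absolute paths
    scratch="$(mktemp -d)"
    restic backup "$src"                       || return 1
    restic check --read-data                   || return 1
    restic restore latest --target "$scratch"  || return 1
    # restic recreates the original absolute path underneath --target
    verify_restore "$src" "$scratch$src"
    rc=$?
    rm -rf "$scratch"
    return "$rc"
}

# Run the live drill only when a repository and source are configured.
if [ -n "${RESTIC_REPOSITORY:-}" ] && [ -n "${SOURCE_DIR:-}" ]; then
    backup_and_verify "$SOURCE_DIR"
fi
```

Schedule the drill (for example from cron) so a backup that can no longer be decrypted or restored is noticed before it is needed.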
Conclusion
This week’s articles illustrate both sides of cybersecurity: the creativity of attackers and the resilience of defenders. Our strength lies in awareness, collaboration and action. Let’s use all the lessons we’ve learned to make next week’s news a little less scary.