🛡️ InfoSec Blue Team Briefing

Friday, October 03, 2025

Good morning. Yesterday's security developments from Thursday, October 02, 2025 include seven articles across multiple threat categories. All attribution is by the article authors. All article analysis is automated.

Red Hat disclosed a security incident involving its Red Hat Consulting GitLab instance: unauthorized access to the internal GitLab infrastructure used by its consulting services.

CERT-UA reports that threat actor UAC-0245 is conducting targeted cyberattacks using the CABINETRAT backdoor against Ukrainian Special Operations Command. The advisory CERT-UA#17479 details the use of this malware specifically targeting Ukrainian military infrastructure.

Microsoft is retiring support for inline SVG images in Outlook for Web and new Outlook for Windows starting September 2025 to mitigate security risks including cross-site scripting attacks. While this affects less than 0.1% of images, organizations should update documentation accordingly.
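The risk behind this change is that an inline SVG is a full XML document and can carry script, event-handler attributes and `javascript:` links into an HTML mail body. As an added example, not from the briefing or from Microsoft, here is a small defender-side scanner that walks an HTML body with Python's standard-library parser and records every inline `<svg>` element, noting whether it contains active content of those three kinds. The sample message bodies, the `classify` labels and the idea of wiring this into a mail-filter stage are assumptions for illustration.

```python
"""Flag inline SVG elements in HTML e-mail bodies that carry active content.

Added example, not code from the briefing or from Microsoft. It uses only the
standard library and is meant as a mail-filter check: static inline SVG is
reported separately from SVG that contains <script>, on* event handlers or
javascript: URLs. Sample bodies below are constructed.
"""
from dataclasses import dataclass, field
from html.parser import HTMLParser


@dataclass
class SvgFinding:
    """What was seen inside one top-level inline <svg> element."""
    has_script: bool = False
    event_handlers: list = field(default_factory=list)  # e.g. ["onload"]
    js_urls: list = field(default_factory=list)          # href values starting with javascript:

    @property
    def active(self) -> bool:
        return self.has_script or bool(self.event_handlers) or bool(self.js_urls)


class InlineSvgScanner(HTMLParser):
    """Collects one SvgFinding per outermost <svg> in the parsed HTML."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[SvgFinding] = []
        self._depth = 0          # > 0 while inside an <svg> element
        self._current = None     # finding being filled in, or None

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag == "svg":
            if self._depth == 0:
                self._current = SvgFinding()
                self.findings.append(self._current)
            self._depth += 1
        if self._depth == 0:
            return  # markup outside any <svg> is not our concern here
        if tag == "script":
            self._current.has_script = True
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):
                self._current.event_handlers.append(lname)
            if value and lname in ("href", "xlink:href") \
                    and value.strip().lower().startswith("javascript:"):
                self._current.js_urls.append(value)

    def handle_endtag(self, tag):
        if tag.lower() == "svg" and self._depth > 0:
            self._depth -= 1
            if self._depth == 0:
                self._current = None


def scan_html(body: str) -> list[SvgFinding]:
    """Return one finding per outermost inline <svg> element in body."""
    scanner = InlineSvgScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.findings


def classify(body: str) -> str:
    """Coarse verdict a filter stage could act on (labels are assumptions)."""
    findings = scan_html(body)
    if not findings:
        return "no-inline-svg"
    if any(f.active for f in findings):
        return "inline-svg-active-content"
    return "inline-svg-static"


# Constructed sample bodies for illustration.
PLAIN = "<p>No images in this message.</p>"
STATIC_SVG = '<p>Logo:</p><svg width="10" height="10"><circle cx="5" cy="5" r="4"/></svg>'
HANDLER_SVG = '<div><svg onload="run()"><a xlink:href="javascript:run()">x</a></svg></div>'
SCRIPT_SVG = "<svg><script>run()</script></svg>"

if __name__ == "__main__":
    for label, body in [("plain", PLAIN), ("static", STATIC_SVG),
                        ("handler", HANDLER_SVG), ("script", SCRIPT_SVG)]:
        print(f"{label:8} -> {classify(body)}")
```

The scanner deliberately reports static inline SVG as well, because a policy that mirrors Microsoft's change may want to block or rewrite all inline SVG rather than only the subset that currently carries script.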

ESET researchers discovered two Android spyware campaigns targeting UAE residents interested in the secure messaging apps Signal and ToTok. The campaigns distribute newly documented spyware families through fake websites impersonating legitimate services, including the Samsung Galaxy Store, and the command and control servers remained active at the time of publication.

ThreatFabric discovered Datzbro, a new Android Remote Access Trojan distributed through social engineering campaigns targeting seniors via fake Facebook groups promoting travel and social activities. The malware enables device takeover and is actively used for financial fraud across Australia, Singapore, Malaysia, Canada, South Africa, and the UK.

NVISO Labs reports that Lunar Spider, a Russian-speaking financially-motivated threat group, has expanded operations using FakeCaptcha frameworks injected into compromised European websites. The attack chain delivers Latrodectus V2 malware through MSI downloaders, providing initial access for ransomware deployment following the May 2024 takedown of their IcedID infrastructure.

Google Threat Intelligence Group tracks UNC6040, a financially motivated threat cluster conducting voice phishing campaigns to compromise Salesforce instances for data theft and extortion. The attackers impersonate IT support personnel to trick employees into authorizing malicious connected apps, specifically modified versions of Salesforce's Data Loader, with all observed attacks relying on social engineering rather than technical vulnerabilities.

📰 Articles Covered