🛡️ InfoSec Blue Team Briefing

Monday, October 06, 2025

🎧 Audio Briefing

Good morning. This is your security briefing for Sunday, October 05, 2025, covering sixteen articles across critical vulnerabilities, threat research, malware operations, attack techniques, nation-state activity, and security tools. All attribution is by the article authors. All article analysis is automated.

Oracle has issued a security alert for CVE-2025-61882, a critical vulnerability in Oracle E-Business Suite versions 12.2.3 through 12.2.14. This vulnerability is remotely exploitable without authentication and may result in remote code execution, with Oracle strongly recommending immediate patching.

GreyNoise detected a coordinated surge of 110 unique malicious IPs exploiting CVE-2021-43798, a Grafana path traversal vulnerability, on September 28th. The majority of attacks originated from Bangladesh, with 105 targeting U.S. endpoints in consistent patterns suggesting organized exploitation activity rather than opportunistic scanning.

Strike Ready reports that a zero-day vulnerability in Zimbra Collaboration Suite, tracked as CVE-2025-27915, was actively exploited in an industrial control systems attack in April 2025. The incident details were disclosed in September, indicating a significant delay between the attack and public disclosure.

The Eclectic Light Company published technical analysis of macOS Unified Log storage mechanisms, revealing that approximately 1,700 log entries per second are kept only in memory during high-activity periods. This explains why security tools like SilentKnight may fail to find XProtect Remediator scan entries when logs retain only 8 to 12 hours of data instead of the required 36 hours.

Trellix researchers have analyzed XWorm V6, a commodity remote access trojan, focusing on its plugin architecture and capabilities. The analysis explores pivotal plugins that extend XWorm's functionality for command and control operations.

Synthient reports on GhostSocks, a Malware-as-a-Service that converts compromised devices into residential proxies, advertised on Russian cybercrime forums since October 2023. The malware gained widespread adoption after partnering with LummaStealer in February 2024 and has been used by ransomware gangs including BlackBasta.

Seqrite has documented how modern ransomware campaigns exploit legitimate remote access tools including AnyDesk, UltraViewer, RustDesk, Splashtop, and TightVNC to establish persistent access. Attackers abuse these tools because they are often whitelisted in enterprise environments and use encrypted communications that bypass network monitoring.

Huntress reports a 631% increase in ClickFix-related incidents over six months, with threat actors using malicious copy-and-paste techniques as an initial access vector. The technique has evolved beyond Windows to target macOS and Linux platforms, with new variants like FileFix emerging.

Amazon Web Services reports two major supply chain attacks targeted npm in September. The Chalk/Debug compromise on September 8th saw threat actors inject cryptocurrency-stealing payloads into 18 popular packages with 2 billion weekly downloads, while the Shai-Hulud worm on September 15th autonomously spread through npm by harvesting credentials and self-propagating through package updates.

Hexacorn has documented a living-off-the-land technique using native Windows shortcut files to execute arbitrary payloads. By manipulating environment variables like %windir% before launching legitimate LNK files, attackers can redirect execution to malicious binaries placed in attacker-controlled directories.

Hunt.io reports that APT SideWinder has launched Operation SouthNet, a targeted espionage campaign focused on South Asia's maritime sector with Pakistan and Sri Lanka as primary targets. The campaign employs phishing and credential-harvesting techniques across multiple countries, targeting government agencies, research institutions, aerospace, and telecom sectors.

Chainalysis reports that North Korean IT workers continue infiltrating global IT companies to earn cryptocurrency income that finances weapons programs and ballistic missile development. The DPRK uses fictitious exchange accounts and unregulated OTC traders to launder proceeds, with recent OFAC sanctions targeting facilitators including Russian and Chinese nationals.

Malware Maloney reports that the OneDriveExplorer tool has been updated to parse OneDrive's offline database, providing forensic visibility into files and folders accessible to users working offline via OneDrive for Business. The update enhances digital forensic capabilities by reconstructing folder structures from the offline cache created by Project Nucleus technology.

Mor David has released NetworkHound, an open-source Active Directory network topology analyzer on GitHub that provides advanced network discovery capabilities. The tool supports multiple authentication methods including password, NTLM, and Kerberos, and performs SMB validation for comprehensive AD environment mapping.

Uber has published details about improvements to their Identity and Access Management policy change process, focusing on adding determinism and safety controls. The article describes technical approaches to prevent misconfigurations and ensure reliable policy updates in their infrastructure.

Trail of Bits developed a CodeQL query to analyze implicit integer conversion vulnerabilities in C code, reducing 2,500 compiler warnings in OpenVPN2 to 20 actionable security findings. The query identifies dangerous conversions that could lead to vulnerabilities, filtering out benign cases that standard compiler flags cannot distinguish, and the methodology is publicly available on GitHub.
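To make the dangerous-versus-benign distinction concrete, the following is an added C example, not code from the Trail of Bits article, from their CodeQL query, or from OpenVPN2. It shows the class of implicit int-to-size_t conversion that turns a length check into an overflow, the range-checked form that fixes it, and a narrowing conversion that is harmless because the mask bounds the value. The names record_t, checked_copy, unchecked_copy_size, low_byte, BUF_SIZE and the SAMPLE payload are all constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define BUF_SIZE 64

/* A record whose length field was parsed from an untrusted header. Signed
 * length fields are common in older C code and are the pattern that turns an
 * implicit int -> size_t conversion into a memory-safety bug. */
typedef struct {
    int len;
    const unsigned char *payload;
} record_t;

/* DANGEROUS PATTERN. The guard `r->len < BUF_SIZE` is a signed comparison, so
 * a negative length passes it; memcpy's size parameter is size_t, so the
 * negative int would be implicitly converted to a huge unsigned value. To keep
 * the example safe to run, this returns the size memcpy would have been handed
 * instead of performing the copy. */
size_t unchecked_copy_size(const record_t *r)
{
    if (r->len < BUF_SIZE) {       /* -1 < 64 is true, so the guard passes */
        size_t n = r->len;         /* implicit conversion: -1 becomes SIZE_MAX */
        return n;
    }
    return 0;                      /* guard rejected it */
}

/* HARDENED. Reject out-of-range values *before* widening, so the cast is
 * provably in [0, BUF_SIZE) and memcpy cannot overrun dst. Returns 0 on
 * success and -1 when the record is rejected; *copied is untouched on error. */
int checked_copy(unsigned char dst[BUF_SIZE], const record_t *r, size_t *copied)
{
    if (r->len < 0 || r->len >= BUF_SIZE)
        return -1;
    size_t n = (size_t)r->len;     /* explicit, and already range-checked */
    memcpy(dst, r->payload, n);
    *copied = n;
    return 0;
}

/* BENIGN PATTERN. Narrowing uint32_t to unsigned char here cannot lose
 * information because the mask bounds the value to 0..255. Syntactically it
 * looks like a lossy conversion; value-range reasoning is what proves it safe,
 * which is the kind of case a query can filter out as noise. */
unsigned char low_byte(uint32_t x)
{
    unsigned char b = x & 0xFFu;
    return b;
}

/* Constructed sample payload for the demonstration (not real data). */
const unsigned char SAMPLE[] = "ABCDEFG";

int main(void)
{
    unsigned char dst[BUF_SIZE];
    size_t copied = 0;
    int rc;

    record_t hostile = { -1, SAMPLE };
    printf("unchecked size for len=-1: %zu (memcpy would overrun dst)\n",
           unchecked_copy_size(&hostile));
    rc = checked_copy(dst, &hostile, &copied);
    printf("checked_copy len=-1 -> %d (rejected)\n", rc);

    record_t ok = { 7, SAMPLE };
    rc = checked_copy(dst, &ok, &copied);
    printf("checked_copy len=7 -> %d, copied=%zu bytes\n", rc, copied);
    return 0;
}
```

The point of the hardened version is not the explicit cast itself but that the cast happens only after both bounds of the signed value have been checked; a cast alone would silence a warning without removing the bug, which is exactly the benign-looking case a warning-count-driven cleanup can get wrong.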

📰 Articles Covered