🛡️ InfoSec Blue Team Briefing

Friday, October 10, 2025

Good morning. This is your security briefing for Thursday, October 09, 2025, covering fifteen articles analyzed overnight. All attribution is by the article authors, and all article analysis is automated.

Springer-Verlag published an academic survey examining malware attacks targeting air-gapped industrial control systems. The research categorizes covert channel techniques into six vectors: acoustic, electromagnetic, optical, magnetic, power, and thermal, addressing the growing threat to physically isolated critical infrastructure.

Quarkslab researcher Luis Casvella demonstrated advanced Bring Your Own Vulnerable Driver attack techniques for achieving reflective driver loading in Windows kernel memory. The research shows how attackers exploit vulnerable drivers to gain Ring-0 access and bypass Driver Signature Enforcement for rootkit-like capabilities.

Microsoft Threat Intelligence identified Storm-2657 conducting 'payroll pirate' attacks against US universities in early 2025. The financially motivated actor uses social engineering to compromise accounts lacking phishing-resistant MFA, gaining access to HR platforms like Workday to divert salary payments.

Rapid7 reports threat actors are misusing Velociraptor, an open-source DFIR tool, to maintain persistence and execute ransomware campaigns. Attackers configure the tool with their own command and control servers to execute commands and download additional files on compromised systems.

Palo Alto Networks discovered the IUAM ClickFix Generator, a phishing kit that automates social engineering attacks. The kit generates customizable pages mimicking browser verification challenges to trick victims into executing malware, representing a commoditization of advanced phishing techniques.

Shelltrail researchers detailed multiple attack paths exploiting Active Directory domain join accounts exposed during automated system provisioning. Even when Microsoft's guidance is followed, these accounts inherit over-privileged ACLs that enable LAPS credential disclosure, Resource-Based Constrained Delegation abuse, and domain compromise.

Wordfence reports threat actors are actively exploiting a critical vulnerability in the Service Finder Bookings WordPress plugin. Exploitation attempts have been detected in the wild, posing an immediate threat to WordPress sites using the affected plugin.

Google Cloud reports threat actors claiming CL0P affiliation exploited CVE-2025-61882 as a zero-day in Oracle E-Business Suite starting August 9th, weeks before patches were available. The campaign resulted in widespread data exfiltration and extortion using a multi-stage Java implant framework.

Trend Micro identified a large-scale RondoDox botnet campaign exploiting over 50 vulnerabilities across more than 30 vendors. The campaign targets internet-facing routers, DVRs, and network devices using a shotgun approach with exploits including flaws first seen at Pwn2Own competitions.

Cisco Talos reports ransomware operators attributed to Storm-2603 are leveraging Velociraptor for persistent access during campaigns. The actors deployed multiple ransomware variants including Warlock, LockBit, and Babuk, using an outdated Velociraptor version vulnerable to CVE-2025-6264 for privilege escalation.

Forescout's honeypot captured Russia-aligned hacktivist group TwoNet attacking a decoy water treatment plant in September 2025. The attackers targeted HMI systems for defacement and process disruption, with additional attacks observed on PLCs and Modbus protocols.

CloudSEK's TRIAD team analyzed leaked internal documents from Iran-linked APT35, also known as Charming Kitten. The IRGC-affiliated group targeted government, legal, energy, and financial sectors using phishing, DNS manipulation, and supply-chain attacks with custom RATs and EDR evasion capabilities.

Archive.ph reports Chinese state-sponsored hackers have been targeting US law firms in a cyber espionage campaign. The attacks likely aim to access sensitive client information, legal strategies, and intellectual property handled by these professional services organizations.

The Kyiv Independent reports Ukraine's parliament approved legislation to establish dedicated Cyber Forces within its military structure. The new Cyber Forces Command will report directly to Ukraine's commander-in-chief and align capabilities with NATO standards.

SonicWall confirmed an unauthorized party accessed firewall configuration backup files for all customers who used their cloud backup service. This breach affects customer network configurations stored in the MySonicWall cloud backup system.

That concludes today's security briefing for Thursday, October 09, 2025.

📰 Articles Covered