Good morning. This is your security briefing for Wednesday, October 15, 2025, covering 10 critical developments from the past day. All attribution is by the article authors, and all article analysis is automated.
Dreadnode has published research on LOLMIL, exploring autonomous malware that uses large language models without traditional command and control infrastructure. The research references PromptLock, a proof-of-concept ransomware from NYU that leverages LLM providers to generate malicious code without human involvement.
Elastic Security Labs has released nightMARE version 0.16, a Python-based library designed to help malware researchers scale their analysis capabilities. The tool is built on the Rizin reverse engineering framework and includes a tutorial on implementing configuration extractors for malware families like LUMMA.
Cyble reports on GhostBat RAT, representing a resurgence of Android malware campaigns using Regional Transport Office themes as lures. This remote access trojan enables attackers to gain control over infected Android devices through fraudulent transportation-related applications.
Kyntra has published a deep dive into Singularity, a modern rootkit for Linux 6.x kernels that uses ftrace-based function hooking to evade detection. The rootkit provides process hiding, filesystem stealth, network concealment, and privilege escalation capabilities, and its full source code is now available on GitHub for security research purposes.
Eclypsium researchers discovered UEFI shell vulnerabilities in Framework laptop devices that allow attackers to bypass Secure Boot protections. The vulnerabilities involve a signed backdoor component hiding in the firmware that undermines fundamental trust models in the boot process.
F5 Incorporated has published a security incident notification article, though full details were not available due to loading errors. The official F5 knowledge base identifier indicates a documented security incident affecting F5 products or infrastructure.
Security.com reports that Chinese APT group Jewelbug has expanded operations to target a Russian IT service provider for five months in 2025, gaining access to code repositories and build systems. The group deployed a new backdoor and used techniques including renamed debugging executables for application whitelisting bypass, marking a notable shift as Chinese threat actors increasingly target Russian entities.
F5 disclosed in an SEC filing that a sophisticated nation-state threat actor maintained persistent access to its BIG-IP product development environment, exfiltrating source code and information about undisclosed vulnerabilities. The breach was discovered in August 2025, and F5 has engaged CrowdStrike, Mandiant, and law enforcement while releasing security updates for multiple products.
The National Cyber Security Centre has confirmed a compromise of F5 network infrastructure, corroborating the earlier SEC disclosure of a security incident affecting F5 networking equipment.
The UK's Information Commissioner's Office has fined Capita plc and Capita Pension Solutions Limited a combined 14 million pounds following a cyber attack in April 2023. The attack resulted in hackers gaining unauthorized access to personal data belonging to over 6 million people, with the penalty reflecting inadequate data protection controls.