Cybersecurity News | Daily Recap [28 Oct 2025]

This week's highlights include new Android malware such as Herodotus and Baohuo, a Chrome zero-day delivering Memento Labs/LeetAgent spyware, and SideWinder shifting to a PDF/ClickOnce chain that targets South Asian diplomacy with StealerBot. These items underscore evolving threat techniques across APTs, ransomware and supply-chain incidents; watch for updates on Xortec, the Dublin Airport data and Oracle-related vulnerabilities. #Herodotus #Baohuo #MementoLabs #LeetAgent #SideWinder #StealerBot #Xortec #DublinAirport #OracleHack

Malware & Mobile Threats

  • An evolution in malware toolkits adds a local vulnerability scanner to the Atroposia malware, expanding its post-infection reconnaissance – Atroposia Malware
  • New Android strains automate stealth techniques, with Herodotus faking human typing and Baohuo hijacking Telegram accounts via fake Telegram X apps to persist and evade detection – Herodotus Android, Baohuo Malware

Browser Zero-days & Spyware

  • A Chrome zero-day (CVE-2025-2783) exploited in ForumTroll campaigns delivered Italian-made Memento Labs/LeetAgent spyware, with Kaspersky and multiple vendors detailing the chain – Chrome Zero-Day, Kaspersky CVE, Italian Spyware
  • A new persistent client-side vector lets attackers plant hidden commands via the ChatGPT Atlas browser, raising concerns about long-lived injected controls in conversational UIs – Atlas Exploit

APTs & Targeted Campaigns

  • SideWinder has shifted to a PDF/ClickOnce delivery chain to target South Asian diplomatic networks and deploy StealerBot, with multiple analyses describing the new TTPs – SideWinder APT, SideWinder ClickOnce

Ransomware & Incidents

  • The Safepay ransomware group claims it hacked German video-surveillance provider Xortec, raising concerns about supply-chain integrity and hardware backdoors – Safepay Xortec
  • Everest ransomware says it exfiltrated 1.5M passenger records from Dublin Airport (and other aviation targets), though the data is currently password-protected by the actor – Everest Data
  • Industrial suppliers Schneider Electric and Emerson were named among victims linked to an Oracle supply-chain compromise, highlighting risks to critical infrastructure vendors – Oracle Hack
  • Sweden’s power-grid operator confirmed a data breach claimed by a ransomware gang, while Russia’s Rosselkhoznadzor was hit by a DDoS that delayed food shipments; both incidents affected national operations and logistics – Sweden Breach, Rosselkhoznadzor DDoS
  • Researchers profile the Qilin ransomware group’s TTPs, adding context to recent ransomware trends and detection strategies – Qilin TTPs

Vulnerabilities & Advisories

  • QNAP warns that multiple products are affected, including NetBak PC Agent (CVE-2025-55315) and an ASP.NET flaw in its Windows backup software, and urges immediate patching or mitigations – QNAP NetBak, QNAP ASP.NET
  • A new BIND 9 vulnerability (CVE-2025-40778) threatens global DNS infrastructure and could affect roughly 706k servers if left unpatched, per vendor advisories – BIND9 Flaw
  • Multiple Full Disclosure posts reveal consecutive Revive Adserver vulnerabilities that administrators should review and remediate urgently – Revive Flaw 1, Revive Flaw 2

Crime, Credential Trade & Campaigns

  • Cybercriminals are trading roughly 183 million stolen credentials across Telegram and dark forums, amplifying credential-stuffing and account-takeover risks – Creds Trade
  • A massive China-linked smishing campaign abused about 194,000 domains to distribute phishing and scam messages at scale, complicating takedown efforts – Smishing Campaign
  • The Unicode BiDi Swap trick can render fake URLs visually identical to legitimate ones, enabling highly convincing spoofing attacks; defenders should watch for the technique in phishing detections – BiDi Swap
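As an added defensive example (not from the recap or the reports it links), the check below flags URLs that carry Unicode bidirectional control characters or whose hostname mixes left-to-right and right-to-left letters, the two conditions a BiDi-based spoof depends on; the sample URLs are constructed, not taken from any campaign.

```python
import unicodedata
from urllib.parse import urlsplit

# Unicode bidirectional (BiDi) control characters. Explicit overrides and
# isolates let the rendered order of a string differ from its code-point
# order, which is the effect a "BiDi Swap" spoof relies on. A legitimate URL
# never needs any of them, so their presence alone is a strong signal.
BIDI_CONTROLS = {
    "\u200e": "LRM", "\u200f": "RLM", "\u061c": "ALM",
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}

def find_bidi_controls(text):
    """Return [(index, name), ...] for every BiDi control character in text."""
    return [(i, BIDI_CONTROLS[ch]) for i, ch in enumerate(text) if ch in BIDI_CONTROLS]

def mixed_direction(host):
    """True if a hostname mixes LTR letters (class L) with RTL letters (R/AL).

    A purely right-to-left IDN host is legitimate; mixing directions inside
    one hostname is rare and a common spoofing indicator.
    """
    classes = {unicodedata.bidirectional(ch) for ch in host}
    return bool(classes & {"L"}) and bool(classes & {"R", "AL"})

def classify_url(url):
    """Return ('reject' | 'suspicious' | 'ok', reason) for a URL string."""
    controls = find_bidi_controls(url)
    if controls:
        found = ", ".join(f"{name}@{i}" for i, name in controls)
        return "reject", "BiDi control characters: " + found
    host = urlsplit(url).hostname or ""
    if mixed_direction(host):
        return "suspicious", "hostname mixes LTR and RTL characters"
    return "ok", "no BiDi indicators"

# Constructed sample inputs for demonstration (not real indicators).
SAMPLES = [
    "https://example.com/login",
    "https://example.com/\u202efdp.exe",   # RLO makes the path render reversed
    "https://exa\u05d0mple.com/",          # Hebrew alef inside an ASCII label
]

if __name__ == "__main__":
    for u in SAMPLES:
        verdict, reason = classify_url(u)
        print(f"{verdict:10} {reason:45} {u!r}")
```

The hostname check deliberately ignores punctuation and digits (bidi classes CS, EN and similar), so ordinary ASCII domains with hyphens and numbers are not flagged.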

Policy, Governance & Access

  • The US declined to join over 70 countries signing a UN cybercrime treaty, underscoring diplomatic divisions on international cyber norms and enforcement – UN Treaty
  • Local and platform policy moves: North Canton advanced a municipal cybersecurity policy to meet new state law, Microsoft now lets admins remove preinstalled Store apps via policy, and Mozilla requires new Firefox extensions to disclose their data-collection practices – North Canton Policy, MS Store Policy, Firefox Extensions
  • Platform access change: X warns users with security keys to re-enroll by November 10 to avoid lockouts after 2FA updates (reported across outlets) – X 2FA, X Re-enroll

Industry Moves & Funding

  • Email security startup Sublime Security raised $150 million to expand its platform for phishing and email protection – Sublime $150M
  • Supply-chain and software security firm Chainguard secured $280 million in growth funding to scale software supply-chain protections – Chainguard $280M

Research, Guidance & Product Updates

  • New industry research surveys 3,000+ organizations on the state of exposure management in 2025, offering benchmarks for risk prioritization and remediation programs – Exposure Management
  • Thought leadership emphasizes why early threat detection is critical for long-term business growth and operational resilience – Early Detection
  • Advice and checks for admins on whether their Google Workspace configurations really meet security expectations, with mitigation recommendations – Google Workspace
  • Microsoft is testing a Windows 11 feature that prompts users to run memory scans after BSODs to proactively detect memory issues and improve reliability on supported devices – Windows Memory
  • Google rebutted false claims of a massive Gmail data breach, urging users and organizations to verify breach evidence before acting on alarmist reports – Gmail Claim

Privacy & Surveillance

  • Cities are reversing course on automated license-plate reader (ALPR) cameras amid privacy and civil-liberties concerns, scaling back deployments and contracts – ALPR Cameras
  • A long-read on the future of brain privacy explores risks and regulatory gaps as neurotech matures and raises novel data-protection questions – Brain Privacy

Cybersecurity News | Daily Recap – hendryadrian.com