The campaign, attributed to the notorious Clop ransomware group and linked to the financially motivated threat actor FIN11, exploited a zero-day vulnerability, CVE-2025-61882, to achieve unauthenticated remote code execution on internet-facing EBS portals.

With nearly 30 victims publicly named and data leaks containing hundreds of gigabytes to several terabytes of sensitive corporate information, this incident serves as a stark reminder of the evolving threat landscape facing modern enterprises.

The breach affected prominent organizations, including Harvard University, The Washington Post, Logitech, Schneider Electric, and American Airlines’ subsidiary Envoy Air, exposing financial records, human resources data, supply chain information, and customer details.​

The Oracle EBS campaign represents a textbook example of how threat actors exploit widely used enterprise software to achieve mass compromise.

Oracle E-Business Suite serves as the operational backbone for thousands of organizations worldwide, managing critical functions including finance, human resources, supply chain operations, procurement, and customer relationship management.

By compromising this centralized platform, attackers gained access to the most sensitive data repositories within victim organizations, effectively turning a trusted business tool into an attack vector.​

Google Threat Intelligence Group (GTIG) and Mandiant researchers traced the earliest exploitation activity to July 10, 2025, with confirmed data theft beginning by August 9, 2025, weeks before Oracle released emergency patches.

The sophisticated nature of the attack, involving fileless malware and multi-stage payloads, enabled the threat actors to evade traditional file-based detection systems while maintaining persistent access to compromised environments.

Charles Carmakal, CTO of Mandiant Consulting, emphasized the pre-patch exploitation timeline, noting that attackers leveraged the zero-day vulnerability before defensive measures became available.​

The campaign surfaced publicly on September 29, 2025, when executives at numerous organizations received extortion emails from actors claiming affiliation with the Clop brand.

These emails, sent from hundreds of compromised third-party accounts to bypass spam filters, alleged the theft of sensitive data from victims’ Oracle EBS environments and threatened public disclosure unless ransom demands were met.

The use of stolen credentials from infostealer malware logs represents a sophisticated social engineering tactic designed to add legitimacy to the extortion attempts.​

Technical Exploitation: A Five-Stage Attack Chain

CVE-2025-61882, assigned a critical CVSS score of 9.8, enabled unauthenticated attackers to achieve remote code execution on Oracle EBS versions 12.2.3 through 12.2.14 without requiring any user interaction.

The vulnerability resides in the Oracle Concurrent Processing component and was actively exploited in the wild before patches became available, qualifying it as a true zero-day threat.​

Security researchers from watchTowr Labs published a comprehensive technical analysis revealing that the exploit chains together five distinct vulnerabilities to achieve pre-authenticated remote code execution.

The attack begins with a Server-Side Request Forgery (SSRF) vulnerability in the /OA_HTML/configurator/UiServlet endpoint, which accepts XML documents from unauthenticated users via the getUiType parameter.

When the redirectFromJsp parameter is present, the servlet parses the XML to extract a return_url and creates an outbound HTTP request, allowing attackers to force the server to contact arbitrary hosts.​

With SSRF control established, attackers inject Carriage-Return Line-Feed (CRLF) sequences into the URL payload to manipulate request framing and insert malicious headers.

This CRLF injection enables adversaries to convert simple GET requests into crafted POST requests and smuggle additional data to downstream services. The exploit leverages HTTP connection reuse through keep-alive mechanisms, allowing staged requests to be pipelined over the same TCP socket for improved timing reliability.​

Armed with POST-capable SSRF and header injection, attackers target internal services that are normally unreachable from public interfaces. Oracle EBS installations frequently expose internal HTTP services bound to private IP addresses and ports, commonly on port 7201.

The exploit uses path-traversal techniques to bypass pathname-based authentication filters and retrieve restricted JSP pages, transforming internal-only resources into attacker-controllable execution paths. Researchers documented this technique by accessing the ieshostedsurvey.jsp endpoint via path manipulation: /OA_HTML/help/../ieshostedsurvey.jsp.​

Once attackers reach the vulnerable JSP endpoint, the application constructs an XSL stylesheet URL by concatenating the incoming Host header with /ieshostedsurvey.xsl.

The server creates a URL object and passes it to Java’s XSL processing pipeline, which downloads and executes the stylesheet from the attacker-controlled server.

Because Java XSLT supports extension functions and can invoke arbitrary Java classes, the attacker-supplied XSL file decodes payloads and invokes javax.script other extensions to execute arbitrary code within the Java Virtual Machine.

This final unsafe XSLT processing stage grants attackers complete remote code execution capability on the compromised system.​

Mandiant investigators identified a secondary exploitation chain targeting the /OA_HTML/SyncServlet component in the August 2025 activity. This alternate attack path demonstrated the threat actors’ sophisticated understanding of Oracle EBS architecture and their ability to develop multiple exploitation techniques.

The malware deployed following exploitation included GOLDVEIN.JAVA, an in-memory Java-based loader that fetches second-stage payloads, showing logical similarities to malware used in suspected Clop campaigns against Cleo managed file transfer systems in late 2024.​

As of November 2025, the Clop data leak site listed 29 alleged victims spanning multiple sectors, including education, media, manufacturing, aerospace, technology, professional services, mining, construction, insurance, financial services, transportation, automotive, energy, and HVAC industries.

Confirmed victims who publicly acknowledged the breach include Harvard University, Wits University in South Africa, American Airlines subsidiary Envoy Air, The Washington Post, and Logitech.

Major industrial corporations named on the leak site include Schneider Electric, Emerson, Cox Enterprises, Pan American Silver, LKQ Corporation, and Copeland, though most have not publicly confirmed the incidents.​

The Washington Post confirmed on November 6, 2025, that it was among the victims, though the organization declined to share specific details about the compromise. Logitech similarly disclosed a data breach shortly after being named on the Clop leak site.

In a particularly severe case, GlobalLogic reported on November 11, 2025, that personal information of 10,471 current and former employees was stolen, including names, addresses, phone numbers, emergency contacts, email addresses, dates of birth, nationalities, passport information, tax identifiers, salary information, and bank account details.​

Cybercriminals leaked data allegedly stolen from 18 victims, with some releases totaling hundreds of gigabytes and others reaching several terabytes. Limited structural analysis conducted by security researchers concluded that the leaked files likely originated from Oracle environments, lending credibility to the threat actors’ claims.

The extent of data exposure underscores the comprehensive access attackers achieved to victims’ EBS systems, which integrate finance, HR, supply chain, and procurement functions into centralized databases.​

Shadowserver researchers released data on October 8, 2025, showing 576 potentially vulnerable IP addresses based on internet scanning for the zero-day vulnerability.

This figure represents only internet-exposed Oracle EBS instances and does not account for organizations that may have been compromised but maintained the systems behind firewalls or other network security controls.​

Threat Actor Attribution and Tactics

The campaign bears the hallmarks of the Clop ransomware group, also tracked as FIN11 and TA505, a financially motivated threat actor with a documented history of mass exploitation campaigns targeting enterprise software vulnerabilities.

To substantiate their extortion claims, threat actors provided legitimate file listings from victim EBS environments to multiple organizations, with data timestamps dating back to mid-August 2025.

This tactic demonstrates the attackers’ possession of genuine stolen data and serves to pressure victims into negotiating ransom payments. Consistent with modern extortion operations, the threat actors typically specify payment amounts and methods only after victims contact them and indicate authorization to negotiate.​

The campaign methodology mirrors previous Clop operations, particularly the mass exploitation of vulnerabilities in MOVEit file transfer software in 2023, which affected hundreds of organizations globally.

The group was also linked to the exploitation of Cleo file transfer software flaws starting in late 2024 and previous attacks on Fortra file transfer products. This pattern of targeting widely deployed enterprise software to simultaneously compromise numerous organizations has become a signature tactic for the threat actor.​

Mandiant researchers identified overlaps between the Oracle EBS campaign and a leaked exploit code posted on October 3, 2025, by Scattered Lapsus$ Hunters, also known as ShinyHunters, a group linked to social engineering attacks against retailers and other companies.

The group claimed credit for a recent attack disrupting production at Jaguar Land Rover. However, researchers emphasized they could not definitively assess whether the July exploitation activity involved that specific exploit code or establish direct connections between the early Oracle activity and ShinyHunters.​

GTIG analysis noted that post-exploitation tooling showed “logical similarities” to malware deployed in other suspected Clop campaigns.

The use of compromised third-party email accounts for the extortion campaign represents a sophisticated operational security measure, as credentials sourced from infostealer malware logs on underground forums enable threat actors to send messages that bypass spam filters and appear more legitimate to recipients.​

Oracle’s Response and Patch Timeline

Oracle’s response to the vulnerability disclosure followed a multi-stage timeline that raised concerns about the gap between initial exploitation and patch availability.

The company released a Critical Patch Update in July 2025 that addressed several EBS vulnerabilities, but this update predated the emergency patch for CVE-2025-61882 by several months. Security researchers documented suspicious activity potentially related to exploitation dating back to July 10, 2025, even before the July patches were released.​

On October 2, 2025, Oracle reported that threat actors may have exploited vulnerabilities patched in the July 2025 update and recommended that customers apply the latest Critical Patch Updates.

Two days later, on October 4, 2025, Oracle released an emergency Security Alert specifically addressing CVE-2025-61882. The advisory confirmed that the vulnerability is remotely exploitable without authentication and, if successfully exploited, may result in remote code execution.

Oracle strongly recommends that customers apply the updates immediately, emphasizing its longstanding guidance to remain on actively supported versions and to apply all Security Alerts and Critical Patch Updates without delay.​

The emergency patch carried a critical prerequisite: organizations must first install the October 2023 Critical Patch Update before applying the CVE-2025-61882 patch.

This requirement can complicate and delay remediation efforts for organizations that do not maintain current patch levels. Oracle updated the guidance on October 11, 2025, with GTIG assessing that Oracle EBS servers updated through this patch were likely no longer vulnerable to known exploitation chains.​

On October 8, 2025, Oracle released an additional Security Alert for CVE-2025-61884, a high-severity vulnerability affecting the Runtime UI component of Oracle Configurator.

This vulnerability enables unauthenticated remote attackers with network access via HTTP to compromise Oracle Configurator and access sensitive resources. Rob Duhart, Oracle’s Chief Security Officer, noted that the vulnerability affects “some deployments” of Oracle E-Business Suite, suggesting configuration-dependent exposure.​

Oracle’s advisories included Indicators of Compromise (IOCs) derived from observed exploitation, including IP addresses, command patterns, and file hashes for suspected exploit scripts.

The publication of these IOCs enabled defensive teams to hunt for evidence of compromise in their environments, though the fileless nature of the malware complicated detection efforts.​

Zero-Day Exploitation Before Patches

The timeline between initial exploitation and patch availability represents one of the most concerning aspects of the Oracle EBS campaign. Mandiant confirmed that threat actors exploited CVE-2025-61882 as a zero-day vulnerability against Oracle EBS customers as early as August 9, 2025, with additional suspicious activity potentially dating back to July 10, 2025.

Oracle did not release the emergency patch until October 4, 2025, creating a window of approximately eight weeks between confirmed exploitation and patch availability, during which victims had no vendor-supplied defensive measures.​

This exploitation timeline highlights a fundamental challenge in enterprise software security: the asymmetry between attacker capabilities and defender readiness.

Sophisticated threat actors invest significant resources in vulnerability research and exploit development, often discovering flaws before vendors or security researchers identify them.

Once weaponized, these zero-day vulnerabilities give attackers a critical advantage, enabling them to compromise systems before defenses are in place.​

Charles Carmakal emphasized the gravity of the pre-patch exploitation timeline in his LinkedIn post, warning that organizations should proactively investigate for signs of compromise regardless of their current patching status.

This guidance recognizes that applying patches remediates future exploitation of vulnerabilities but does not address existing compromises that occurred during the zero-day window.​

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-61882 to its Known Exploited Vulnerabilities (KEV) catalog on October 6, 2025, confirming active exploitation in ransomware campaigns.

This designation triggers binding operational directive requirements for federal agencies to patch affected systems within specified timeframes and serves as a strong signal to private sector organizations about the critical nature of the threat.​

Several security experts recommend migrating from on-premises Oracle EBS to cloud-based Oracle Fusion Cloud Applications to enhance security.

SaaS models like Oracle Fusion shift some security responsibilities to the vendor, who continuously updates security controls. The Oracle Fusion Cloud Supply Chain Management platform integrates security measures and supports decision-making during disruptions.

Organizations on EBS should adopt a “security-first mindset” from the design phase, embedding security into architecture, access controls, and patch management. Regular security assessments, including vulnerability scanning and penetration testing, help identify weaknesses before they can be exploited.

The Oracle EBS campaign affecting around 30 organizations highlights systemic challenges against sophisticated threats. The exploitation of zero-day vulnerabilities and fileless malware showcases modern cyber threats, indicating that organizations must limit internet exposure, maintain patch discipline, and implement defense-in-depth strategies.

The impact of this campaign may reach beyond the identified victims, with assessments suggesting over 100 organizations could be affected. Organizations using specific Oracle EBS versions should check their patch status, look for indicators of compromise, and ensure their security controls are up to date.

This incident underscores the necessity of collective security responsibility among vendors, customers, and researchers. Organizations must evolve their defensive strategies from reactive to proactive, treating this event as an opportunity for significant security transformation.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Lessons from Oracle E-Business Suite Hack That Allegedly Compromises Nearly 30 Organizations Worldwide appeared first on Cyber Security News.

CVE-2025-13223 is a flaw in the Chromium V8 JavaScript engine that poses significant risks to users worldwide, potentially enabling remote code execution and data breaches.

The vulnerability stems from a type confusion error, classified under CWE-843, which tricks the browser into mishandling data types and corrupts the heap memory. Discovered and patched by Google on November 19, 2025, via its stable channel update, the issue affects Chrome versions before 131.0.6778.72.

Attackers have already leveraged it in the wild, though details on specific campaigns remain limited. CISA added it to its Known Exploited Vulnerabilities (KEV) catalog the same day, mandating federal agencies to apply mitigations by December 10, 2025.

Vulnerability Breakdown and Affected Systems

This zero-day targets the core of Chrome’s rendering engine, making it a prime vector for drive-by downloads and malicious interactions on websites.

While primarily affecting desktop users on Windows, macOS, and Linux, the flaw extends to Chromium-based browsers such as Microsoft Edge and Brave.

No confirmed ties to ransomware exist yet, but experts warn of potential escalation in phishing and supply chain attacks.

CISA urges immediate updates to the latest Chrome version, available through Google’s release notes. In cloud environments, agencies must align with Binding Operational Directive 22-01 and emphasize zero-trust principles. If patches aren’t feasible, discontinuing the product is advised to curb risks.

This incident underscores the relentless pace of browser threats, especially in V8’s complex codebase. With over 3 billion users, Chrome’s dominance amplifies the stakes, as unpatched systems could fuel widespread compromises.

Security researchers highlight the need for vigilant monitoring, as zero-days like this often precede larger campaigns.

As exploitation continues, organizations should scan networks for indicators of compromise and educate users on safe browsing. Google’s swift response mitigates much of the danger, but proactive patching remains key to staying ahead of adversaries.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post CISA Warns of Google Chrome 0-Day Vulnerability Exploited in Attacks appeared first on Cyber Security News.

According to Google’s Threat Intelligence Group (GTIG), the underground marketplace for illicit AI tools has matured significantly this year, with multiple offerings of multifunctional tools designed to support various stages of the attack lifecycle.

This evolution has fundamentally altered the accessibility and sophistication of cybercrime, lowering barriers to entry for less technical threat actors while amplifying the capabilities of experienced criminals.​

The underground AI marketplace has witnessed explosive growth throughout 2024 and 2025. Security researchers from KELA documented a 200% increase in mentions of malicious AI tools across cybercrime forums in 2024 compared to the previous year, with the trend continuing to accelerate into 2025.

AI Tools Promoted on Underground Forums

This surge represents not just increased chatter, but a fundamental shift in how cybercriminals conduct operations. Among the most prominent tools advertised in English and Russian-language underground forums are WormGPT, FraudGPT, Evil-GPT, Xanthorox AI, and NYTHEON AI, each offering distinct capabilities tailored to different aspects of cybercrime.​

WormGPT stands as one of the earliest and most widely recognized malicious AI tools in the underground ecosystem. Built on the GPT-J language model and promoted since July 2023, WormGPT was marketed as a “blackhat alternative” to commercial AI systems, specifically designed to support business email compromise (BEC) attacks and phishing campaigns.

The tool gained notoriety for its ability to generate convincing phishing emails that bypass spam filters, with pricing models ranging from $100 per month to $5,000 for private server setups.

Researchers demonstrated that WormGPT could craft strategically clever and exceedingly convincing emails impersonating company executives, a capability that significantly elevated the threat posed by less sophisticated actors.​

Following closely behind WormGPT, FraudGPT emerged in late July 2023 as an even more ambitious platform. Promoted by the user “CanadianKingpin12” across multiple forums and Telegram channels, FraudGPT offered subscription-based access at $200 per month or $1,700 annually.

The tool claimed capabilities extending beyond phishing to include writing malicious code, creating undetectable malware, discovering vulnerabilities, finding compromised credentials, and providing hacking tutorials.

This subscription model mirrored legitimate software-as-a-service offerings, complete with tiered pricing structures that unlocked additional features such as image generation, API access, and Discord integration at higher price points.​

By 2025, the underground AI marketplace will have evolved beyond simple jailbroken models to encompass sophisticated, multi-functional platforms. Xanthorox AI represents this next generation of malicious tools, marketing itself as the “Killer of WormGPT and all EvilGPT variants”.

First detected in Q1 2025, Xanthorox distinguishes itself through its modular, self-hosted architecture that operates entirely on private servers rather than relying on public cloud infrastructure.

This design drastically reduces detection and traceability risks while offering an all-in-one solution for phishing, social engineering, malware creation, deepfake generation, and vulnerability research.​

NYTHEON AI emerged as another sophisticated platform, leveraging multiple legitimate open-source models to provide comprehensive GenAI-as-a-service capabilities for cybercriminals.

Operated on the dark web and advertised through Telegram channels and Russian forums, NYTHEON consists of six specialized models, including Nytheon Coder for malicious code generation, Nytheon Vision for image recognition, and Nytheon R1 for reasoning tasks.

This integration of purpose-built AI models sets NYTHEON apart from earlier single-function tools, demonstrating the increasing sophistication of underground AI services.​

Cyberattacks Surge With Malicious AI platforms

Analysis of underground advertisements reveals striking commonalities across malicious AI platforms. Most notably, nearly every notable tool advertised in underground forums emphasized its ability to support phishing campaigns.

This universal focus reflects phishing’s continued dominance as the leading attack vector, with AI-generated phishing representing the top enterprise threat of 2025.

Security analysts documented a 1,265% surge in phishing attacks driven by generative AI capabilities, with AI-written phishing proving just as effective as human-crafted lures while requiring significantly less time and skill.​

Beyond phishing, underground AI tools commonly advertised capabilities spanning malware development, vulnerability research, technical support for code generation, and reconnaissance operations.

Several platforms, including WormGPT, FraudGPT, and MalwareGPT, promoted their ability to generate polymorphic malware that constantly changes to evade antivirus detection.

This capability represents a significant escalation in threat sophistication, as Google researchers recently identified five new malware families using AI to regenerate their own code and hide from security software.​

The pricing structures for illicit AI services closely mirror those of conventional cybercrime tools and legitimate software offerings. Underground developers have adopted familiar subscription-based models with tiered pricing that add technical features at higher price points.

Many platforms offer free versions with embedded advertisements, allowing potential customers to test capabilities before committing to paid subscriptions.

This approach, combined with developer-provided technical support and regular updates, creates an ecosystem that operates remarkably similarly to legitimate software markets.​

The low barrier to entry exemplified by tools like Evil-GPT, priced at just $10 per copy, demonstrates how AI has democratized sophisticated cybercrime capabilities.

This accessibility enables financially motivated threat actors with limited technical expertise to conduct operations that previously required years of training.

The FBI and multiple cybersecurity agencies have warned that AI greatly increases the speed, scale, and automation of phishing schemes while helping fraudsters craft highly convincing messages tailored to specific recipients.​

GTIG assesses with high confidence that financially motivated threat actors and others in the underground community will continue augmenting their operations with AI tools.

Given the increasing accessibility of these applications and growing AI discourse in underground forums, threat activity leveraging AI will increasingly become commonplace among cybercriminals.

By early 2025, AI-supported phishing campaigns reportedly represented more than 80% of observed social engineering activity worldwide, underscoring the transformation already underway.

As the underground AI marketplace continues to mature, organizations face an evolving threat landscape where sophisticated attack capabilities are available to anyone willing to pay modest subscription fees, fundamentally reshaping the cybersecurity challenge for the foreseeable future.​

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post List of AI Tools Promoted by Threat Actors in Underground Forums and Their Capabilities appeared first on Cyber Security News.

This development, detailed in GTIG’s latest AI Threat Tracker report released on November 4, 2025, highlights how adversaries are shifting from mere productivity tools to embedding large language models (LLMs) directly into malware for real-time adaptation and evasion.

While still in testing phases and not yet capable of widespread compromise, PROMPTFLUX represents the first observed instance of “just-in-time” AI integration in malicious software, potentially paving the way for more autonomous attacks.​

PROMPTFLUX operates as a VBScript-based dropper, initially masquerading as innocuous installers like “crypted_ScreenRec_webinstall” to trick users across various industries and regions.

Its core innovation lies in the “Thinking Robot” module, which uses a hard-coded Gemini API key to query the “gemini-1.5-flash-latest” model for obfuscated VBScript code designed to bypass antivirus detection.

PROMPTFLUX Malware Using Gemini API

The malware prompts the LLM to generate self-contained evasion scripts, outputting only the code without extraneous text, and logs responses in a temporary file for refinement.

In advanced variants, it rewrites its entire source code hourly, embedding the original payload, API key, and regeneration logic to create a recursive mutation cycle that ensures persistence via the Windows Startup folder.

GTIG notes that while features like the self-update function remain commented out, indicating early development, the malware also attempts lateral spread to removable drives and network shares.

This approach exploits AI’s generative power not just for creation, but for ongoing survival, differing from static malware that relies on fixed signatures easily detected by defenders.​

The emergence of PROMPTFLUX aligns with a maturing cybercrime marketplace where AI tools flood underground forums, offering capabilities from deepfake generation to vulnerability exploitation at subscription prices.

GTIG’s analysis reveals state-sponsored actors from North Korea, Iran, and China, alongside financially motivated criminals, increasingly abusing Gemini across the attack lifecycle from phishing lures to command-and-control setups.

For instance, related malware like PROMPTSTEAL, linked to Russia’s APT28, queries Hugging Face’s Qwen2.5 LLM to generate reconnaissance commands disguised as image tools.

Attackers are also employing social engineering in prompts, posing as CTF participants or students to circumvent AI safeguards and extract exploit code.

As these tools lower barriers for novice actors, GTIG warns of heightened risks, including adaptive ransomware like PROMPTLOCK that dynamically crafts Lua scripts for encryption.

In response, Google has swiftly disabled associated API keys and projects, while DeepMind enhances Gemini’s classifiers and model safeguards to block misuse prompts.

The company emphasizes its commitment to responsible AI via principles that prioritize robust guardrails, sharing insights through frameworks like Secure AI (SAIF) and tools for red-teaming vulnerabilities.

Innovations such as Big Sleep for vulnerability hunting and CodeMender for automated patching underscore efforts to counter AI threats proactively.

Though PROMPTFLUX poses no immediate compromise risk, GTIG predicts rapid proliferation, urging organizations to monitor API abuses and adopt behavioral detection over signatures.

As AI integrates deeper into operations, this report signals an urgent need for ecosystem-wide defenses to stay ahead of evolving adversaries.​

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Google Warns of New PROMPTFLUX Malware Using Gemini API to Rewrite Its Own Source Code appeared first on Cyber Security News.

The comprehensive response reveals how the platform is strengthening defenses across the entire VS Code extension ecosystem following the breach.

The security incident began when researchers at Wiz identified multiple extension publishing tokens inadvertently exposed by developers in public repositories.

Investigation confirmed that a limited number of tokens associated with Open VSX accounts had been compromised, creating a direct pathway for attackers to publish or modify extensions without authorization.

The Open VSX team emphasized that these exposures resulted from developer mistakes rather than infrastructure compromise, immediately revoking all affected tokens upon discovery. The exposure highlighted a critical vulnerability in the development workflow where sensitive credentials can easily slip into version control systems.

Understanding the Threat

Open VSX collaborated with Microsoft Security Response Center to introduce a new token prefix format specifically designed for easier and more accurate scanning of exposed tokens across public repositories, enabling developers and security teams to identify compromised credentials faster.

Security researchers at Koi Security subsequently identified a coordinated malware campaign called “GlassWorm” that leveraged the leaked tokens to publish malicious extensions to the platform.

While initial reports characterized this as a self-propagating worm comparable to the ShaiHulud incident on npm, Open VSX clarified that the malware operated differently.

The extensions were designed to steal developer credentials, enabling attackers to expand their reach across the ecosystem, but the malware did not autonomously replicate or propagate across systems.

The campaign resulted in several malicious extensions reaching the marketplace before removal. Open VSX removed all identified malicious extensions immediately upon notification and revoked or rotated associated tokens without delay.

However, reported download statistics require context. The cited figure of 35,800 downloads includes inflated counts generated by bot traffic and visibility-boosting tactics employed by threat actors, potentially overstating actual user impact.

As of October 21, 2025, Open VSX declared the incident fully contained with no indication of ongoing compromise or remaining malicious extensions on the platform.

The response led to concrete improvements strengthening platform security, including implementing shorter default token validity periods to limit leak impact, streamlining token revocation workflows for faster response times, and deploying automated security scanning at publication to detect malicious code patterns before extensions reach users.

Open VSX continues intensive collaboration with affected developers, ecosystem partners, and independent researchers to maintain transparency and reinforce preventive measures.

These improvements demonstrate how security incidents, while disruptive, can drive meaningful ecosystem hardening and establish stronger protections for the broader developer community relying on open-source extension marketplaces.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Open VSX Registry Addresses Leaked Tokens and Malicious Extensions in Wake of Security Scare appeared first on Cyber Security News.

The company detected abnormal activity within Merkle’s network infrastructure, which led to proactive security protocols being deployed to minimize operational impact.

Merkle, recognized as a leader in Customer Experience Management for Dentsu’s international operations, was targeted in the cyber incident that affected portions of its network systems.

Upon discovering the suspicious activity, Dentsu’s security teams immediately activated incident response procedures and made the strategic decision to shut down certain systems as a precautionary measure.

Investigation and Regulatory Compliance

The incident underscores the growing threat landscape facing major marketing and customer data management firms that handle sensitive client information across multiple industries.

Merkle serves numerous Fortune 500 companies and manages vast amounts of customer data, making it an attractive target for cybercriminals seeking valuable corporate and consumer information.

Dentsu has engaged an external cybersecurity firm with extensive experience handling similar breach investigations to assist with forensic analysis and remediation efforts.

The company emphasized its commitment to transparency by reporting the incident to relevant authorities in compliance with data protection regulations across different jurisdictions where it operates.

The ongoing investigation aims to determine the full extent of the breach, including what data may have been accessed or compromised, the attack vector used by threat actors, and whether any client information was exposed.

As organizations increasingly face sophisticated cyber threats, rapid detection and response have become critical components of enterprise security strategies. Dentsu has clarified that the cyberattack was isolated to Merkle’s U.S. operations and did not impact the company’s network systems in Japan.

This geographic containment suggests that Dentsu maintains segmented network infrastructure across its global operations, which helped prevent the incident from spreading to other regional divisions. However, the company acknowledged that financial repercussions are anticipated as a result of the breach.

Dentsu stated it is continuing to assess both the magnitude and timeline of the expected financial impact, which could include incident response costs, potential regulatory fines, customer notification expenses, and possible remediation investments to strengthen security controls.

The disclosure comes amid heightened scrutiny of cybersecurity practices across the marketing technology sector, where companies process massive volumes of consumer data for targeted advertising and personalized customer experiences.

As investigations continue, Dentsu remains focused on restoring full operational capabilities while implementing enhanced security measures to prevent future incidents.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Dentsu has Disclosed that its U.S.-based Subsidiary Merkle Suffers Cyberattack appeared first on Cyber Security News.

The German carmaker maintains that its core IT infrastructure remains unaffected; however, the company’s vague response leaves questions about the full scope of the incident and raises concerns about a possible third-party compromise.​

The ransomware operation 8Base, active since early 2023, surfaced in September 2024 with assertions of a major breach at Volkswagen, one of the world’s largest automakers.

The group, known for its Phobos ransomware variant and double-extortion tactics, claimed to have exfiltrated a trove of confidential files on September 23, 2024, and threatened public release by September 26.

Despite the deadline passing without leaked samples, 8Base listed the stolen data on its dark web site, including invoices, receipts, accounting documents, personal employee files, employment contracts, certificates, personnel records, and numerous confidentiality agreements.

This alleged claim could encompass financial records and sensitive personal information from Volkswagen’s global operations, spanning brands like Audi, Porsche, Bentley, Lamborghini, Skoda, SEAT, and Cupra.​

Security experts note that 8Base operates more as a data extortion crew than a traditional encryptor, focusing on theft and threats to pressure victims into payment.

The group has targeted over 400 organizations since its emergence, often gaining initial access via phishing or buying credentials from initial access brokers. ​

Volkswagen’s Response

Volkswagen’s spokesperson confirmed awareness of the “incident” but emphasized no impact on the company’s primary IT systems, hinting at a possible compromise through a supplier, partner, or subsidiary.

The automaker, headquartered in Wolfsburg, Germany, operates 153 production plants worldwide and employs hundreds of thousands, making any data exposure a high-stakes issue.

While no customer data breach has been reported, the inclusion of personal and financial details raises alarms under the EU’s GDPR, potentially leading to fines up to 4% of global revenue if substantiated.​

Cybersecurity firms urge enhanced third-party risk management and monitoring, as such attacks often exploit weaker links in supply chains.

As investigations continue, the incident underscores the escalating threats to critical industries like automotive manufacturing.​

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Volkswagen Allegedly Hit by Ransomware Attack as 8Base Claims Sensitive Data Theft appeared first on Cyber Security News.

This method exploits trusted Microsoft infrastructure, making the attacks harder to spot as the fraudulent pages appear secured by official SSL certificates issued by Microsoft itself.

ALI TAJRAN recently highlighted a surge in these campaigns, with alerts circulating widely on October 17, 2025, urging immediate vigilance among enterprises and individuals.​

How the Attack Leverages Azure Blob

The phishing scheme typically begins with deceptive emails that include links disguised as routine Microsoft Forms surveys or document shares, often starting with URLs like forms.office[.]com followed by a unique identifier.

Victims who click these links are redirected to what seems like a harmless PDF download prompt, but this quickly escalates to a demand for Microsoft 365 credentials on a fake login page.

The malicious URL terminates in windows.net, specifically utilizing subdomains under blob.core.windows.net, which hosts the phishing form as a simple HTML file stored in Azure’s blob storage service.​

This storage solution, designed for unstructured data like images or documents, inadvertently provides phishers with a veil of legitimacy since browsers and endpoint protection tools inherently trust Azure endpoints.

Once users enter their email and password, the credentials are captured and sent to attacker-controlled servers, potentially granting access to sensitive email, files, and tenant resources.

Attackers may then escalate privileges to intercept authentication tokens or infiltrate the entire organization. Historical reports from 2018 noted similar lures using themed PDF attachments pretending to be legal documents, a tactic that persists today with more sophisticated social engineering.​

To counter this threat, security experts recommend blocking all traffic to *.blob.core.windows.net endpoints in firewalls or web proxies, while whitelisting only specific, trusted storage accounts like <your-storage-account>.blob.core.windows.net.

This granular approach prevents broad access without disrupting legitimate Azure operations. Additionally, enabling multi-factor authentication (MFA) and monitoring for anomalous logins via Microsoft Entra ID can detect breaches early.​

A proactive step involves customizing company branding in your Microsoft 365 tenant, displaying your organization’s logo, colors, and name on official sign-in pages to help users distinguish genuine portals from impostors.

Without branding, a generic Microsoft login might blend seamlessly with phishing mimics, eroding user trust at critical moments resources from Microsoft guide administrators on implementing these customizations swiftly.​

This phishing variant underscores the dual-edged nature of cloud services: while Azure Blob Storage offers scalability and security for legitimate use, it becomes a weapon when abused by threat actors.

Organizations should prioritize user education on scrutinizing URLs, legitimate Office 365 logins always direct to login.microsoftonline.com, not blob storage paths.​

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post New Phishing Attack Leverages Azure Blob Storage to Impersonate Microsoft appeared first on Cyber Security News.

This action effectively disrupted an ongoing campaign where attackers impersonated Microsoft Teams installations to infiltrate corporate networks and deploy ransomware.

The operation, uncovered in late September, highlights the evolving tactics of ransomware operators who leverage legitimate-looking software to bypass security defenses.

Vanilla Tempest, also tracked by cybersecurity firms as VICE SPIDER and Vice Society, has emerged as a persistent menace in the ransomware landscape.

This financially driven actor specializes in data exfiltration for extortion, often pairing theft with encryption attacks to maximize payouts.

Over the years, the group has wielded a variety of ransomware strains, including BlackCat, Quantum Locker, and Zeppelin. However, in recent months, Rhysida ransomware has become their weapon of choice, targeting sectors like healthcare, education, and manufacturing for high-impact disruptions.

Fake Teams Downloads Via Search Engines

The latest campaign preyed on unsuspecting users seeking legitimate Microsoft Teams updates. Attackers hosted counterfeit MSTeamsSetup.exe files on deceptive domains such as teams-download[.]buzz, teams-install[.]run, and teams-download[.]top.

These sites likely gained traction through search engine optimization (SEO) poisoning, where manipulated search results direct victims to malicious downloads instead of official Microsoft resources.

Once executed, the bogus installers unleashed a multi-stage payload. An initial loader paved the way for the Oyster backdoor, a versatile malware tool that Vanilla Tempest began integrating into operations as early as June 2025.

By early September, the group escalated their stealth by fraudulently signing these backdoors and loaders with stolen or misused certificates from reputable providers like Trusted Signing, SSL.com, DigiCert, and GlobalSign.

This signing process lent the files an air of authenticity, tricking antivirus software and user scrutiny alike. From there, the infection chain culminated in Rhysida ransomware deployment, locking files and demanding ransoms while exfiltrating sensitive data for leverage.

Microsoft’s response was multifaceted. Beyond certificate revocation, the company bolstered its defenses through Microsoft Defender Antivirus, which now identifies and blocks the fake setup files, the Oyster backdoor, and Rhysida ransomware variants.

For enterprise users, Microsoft Defender for Endpoint offers behavioral detections tailored to Vanilla Tempest’s tactics, techniques, and procedures (TTPs), including anomalous network activity and privilege escalations.

This incident underscores the risks of supply chain-style attacks in everyday software updates. As remote work tools like Teams remain essential, attackers continue to exploit trust in familiar brands.

Microsoft’s proactive revocation prevented further abuse of the compromised certificates, but experts warn that similar tactics could resurface with new signing authorities.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Microsoft Disrupted Vanilla Tempest Attack by Revoking Certificates Used to Sign Fake Teams File appeared first on Cyber Security News.

The attack, detailed in a recent Unit 42 report from Palo Alto Networks, began with something as simple as compromised VPN credentials, escalating into widespread encryption and data theft that could have cost millions.

This incident underscores the escalating sophistication of ransomware actors and the urgent need for layered defenses in today’s threat landscape.

The breach kicked off with a classic voice phishing scam, or vishing. An attacker posed as the company’s IT help desk, convincing an unwitting employee to input their real VPN login on a fake phishing site.

Once inside, the intruder wasted no time. They launched a DCSync attack on a domain controller, siphoning off elite credentials like those of a key service account.

From there, lateral movement was swift: using Remote Desktop Protocol (RDP) and Server Message Block (SMB), the hackers deployed tools such as Advanced IP Scanner to chart the network and SMBExec to exploit vulnerabilities.

Persistence came next, with the attackers installing legitimate remote access software like AnyDesk alongside a custom remote access trojan (RAT) on a domain controller, disguised as a scheduled task to dodge reboots.

They hit a second domain controller hard, dumping the NTDS.dit database full of password hashes. Over 400 GB of sensitive data vanished via a rebranded rclone tool.

60+ VMware ESXi Hosts Breached

To erase their footprints, they ran CCleaner before the knockout punch: BlackSuit ransomware, automated through Ansible playbooks, locked down hundreds of virtual machines across about 60 VMware ESXi hosts.

Their probe revealed critical gaps, leading to targeted fixes: swapping outdated Cisco ASA firewalls for next-gen models, enforcing network segmentation, and limiting admin access to isolated VLANs.

On identity fronts, they pushed multifactor authentication (MFA) for all remote logins, NTLM disabling, credential rotations, and bans on service accounts for interactive sessions like RDP.

The client successfully avoided a $20 million ransom demand, thanks to Unit 42’s expertise, while also gaining enterprise-wide monitoring and ongoing managed detection services.

This story shows a harsh truth: one stolen credential can cause a chain reaction of problems. Groups like Ignoble Scorpius take advantage of such mistakes, using simple tools and ransomware to create maximum disruption.

Organizations need to prioritize multi-factor authentication, proactive assessments, and automated responses to effectively combat ransomware. As this threat evolves, it is essential to enhance defenses before the next vishing call leads to a similar outcome.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post BlackSuit Ransomware Actors Breached Corporate Environment, Including 60+ VMware ESXi Hosts appeared first on Cyber Security News.