⚡ Weekly Recap: F5 Breached, Linux Rootkits, Pixnapping Attack, EtherHiding & More
It's easy to think your defenses are solid — until you realize attackers have been inside them the whole time. The latest incidents show that long-term, silent breaches are becoming the norm. The best defense now isn't just patching fast, but watching smarter and staying alert for what you don't expect.
Here's a quick look at this week's top threats, new tactics, and security stories shaping the landscape.
⚡ Threat of the Week
F5 Exposed to Nation-State Breach — F5 disclosed that unidentified threat actors broke into its systems and stole files containing some of BIG-IP's source code and information related to undisclosed vulnerabilities in the product. The company said it learned of the incident on August 9, 2025, although it's believed that the attackers were in its network for at least 12 months. The attackers are said to have used a malware family called BRICKSTORM, which is attributed to a China-nexus espionage group dubbed UNC5221. GreyNoise said it observed elevated scanning activity targeting BIG-IP in three waves on September 23, October 14, and October 15, 2025, but emphasized the anomalies may not necessarily relate to the hack. Censys said it identified over 680,000 F5 BIG-IP load balancers and application gateways visible on the public internet, with the majority of hosts located in the U.S., followed by Germany, France, Japan, and China. Not all identified systems are necessarily vulnerable, but each represents a publicly accessible interface that should be inventoried, access-restricted, and patched proactively as a precautionary measure. "Edge infrastructure and security vendors remain prime targets for long-term, often state-linked threat actors," John Fokker, vice president of threat intelligence strategy at Trellix, said. "Over the years, we have seen nation-state interest in exploiting vulnerabilities in edge devices, recognizing their strategic position in global networks. Incidents like these remind us that strengthening collective resilience requires not only hardened technology but also open collaboration and intelligence sharing across the security community."
Zero Trust + AI: Thrive in the AI Era and Empower Your Workforce
It's no surprise, hackers are using AI in creative ways to compromise users and breach organizations. Zscaler Zero Trust + AI helps defeat ransomware and AI-power attacks today by enabling you to detect and block advanced threats, and discover and classify sensitive data everywhere.
Learn more about Zscaler Zero Trust + AI ➝
🔔 Top News
- N. Korea Uses EtherHiding to Hide Malware Inside Blockchain Smart Contracts — North Korean threat actors have been observed leveraging the EtherHiding technique to distribute malware and enable cryptocurrency theft, marking the first time a state-sponsored hacking group has embraced the method. The activity has been attributed to a cluster tracked as UNC5342 (aka Famous Chollima). The attack wave is part of a long-running campaign codenamed Contagious Interview, wherein the attackers approach potential targets on LinkedIn by posing as recruiters or hiring managers, and trick them into running malicious code under the pretext of a job assessment after shifting the conversation to Telegram or Discord. In the latest attack waves observed since February 2025, the threat actors use a JavaScript downloader that interacts with a malicious BSC smart contract to download JADESNOW, which subsequently queries the transaction history associated with an Ethereum address to fetch the JavaScript version of InvisibleFerret.
- LinkPro Linux Rootkit Spotted in the Wild — An investigation into the compromise of an Amazon Web Services (AWS)-hosted infrastructure led to the discovery of a new GNU/Linux rootkit dubbed LinkPro. The backdoor features functionalities relying on the installation of two extended Berkeley Packet Filter (eBPF) modules to conceal itself and to be remotely activated upon receiving a magic packet – a TCP SYN packet with a specific window size (54321) that signals the rootkit to await further instructions within a one-hour window, allowing it to evade traditional security defenses. The commands supported by LinkPro include executing /bin/bash in a pseudo-terminal, running a shell command, enumerating files and directories, performing file operations, downloading files, and setting up a SOCKS5 proxy tunnel. It's currently not known who is behind the attack, but it's suspected that the threat actors are financially motivated.
- Zero Disco Campaign Targets Cisco Devices with Rootkits — A new campaign has exploited a recently disclosed security flaw impacting Cisco IOS Software and IOS XE Software to deploy Linux rootkits on older, unprotected systems. The activity, codenamed Operation Zero Disco by Trend Micro, involves the weaponization of CVE-2025-20352 (CVSS score: 7.7), a stack overflow vulnerability in the Simple Network Management Protocol (SNMP) subsystem that could allow an authenticated, remote attacker to execute arbitrary code by sending crafted SNMP packets to a susceptible device. The operation primarily impacted Cisco 9400, 9300, and legacy 3750G series devices, Trend Micro said. The intrusions have not been attributed to any known threat actor or group.
- Pixnapping Attack Leads to Data Theft on Android Devices — Android devices from Google and Samsung have been found vulnerable to a side-channel attack that could be exploited to covertly steal two-factor authentication (2FA) codes, Google Maps timelines, and other sensitive data without the users' knowledge pixel-by-pixel. The attack has been codenamed Pixnapping. Google is tracking the issue under the CVE identifier CVE-2025-48561 (CVSS score: 5.5). Patches for the vulnerability were issued by the tech giant as part of its September 2025 Android Security Bulletin, with additional fixes forthcoming in December.
- Chinese Threat Actors Exploited ArcGIS Server as Backdoor — Threat actors with ties to China have been attributed to a novel campaign that compromised an ArcGIS system and turned it into a backdoor for more than a year. The activity is the handiwork of a Chinese state-sponsored hacking group called Flax Typhoon, which is also tracked as Ethereal Panda and RedJuliett. "The group cleverly modified a geo-mapping application's Java server object extension (SOE) into a functioning web shell," ReliaQuest said. "By gating access with a hardcoded key for exclusive control and embedding it in system backups, they achieved deep, long-term persistence that could survive a full system recovery." The attack chain involved the threat actors targeting a public-facing ArcGIS server that was linked to a private, internal ArcGIS server by compromising a portal administrator account to deploy a malicious SOE, thereby allowing them to blend in with normal traffic and maintain access for extended periods. The attackers then instructed the public-facing server to create a hidden directory to serve as the group's "private workspace." They also blocked access to other attackers and admins with a hard-coded key. The findings demonstrate Flax Typhoon's consistent modus operandi of quietly turning an organization's own tools against itself rather than using sophisticated malware or exploits.
️🔥 Trending CVEs
Hackers move fast. They often exploit new vulnerabilities within hours, turning a single missed patch into a major breach. One unpatched CVE can be all it takes for a full compromise. Below are this week's most critical vulnerabilities gaining attention across the industry. Review them, prioritize your fixes, and close the gap before attackers take advantage.
This week's list includes — CVE-2025-24990, CVE-2025-59230 (Microsoft Windows), CVE-2025-47827 (IGEL OS before 11), CVE-2023-42770, CVE-2023-40151 (Red Lion Sixnet RTUs), CVE-2025-2611 (ICTBroadcast), CVE-2025-55315 (Microsoft ASP.NET Core), CVE-2025-11577 (Clevo UEFI firmware), CVE-2025-37729 (Elastic Cloud Enterprise), CVE-2025-9713, CVE-2025-11622 (Ivanti Endpoint Manager), CVE-2025-48983, CVE-2025-48984 (Veeam), CVE-2025-11756 (Google Chrome), CVE-2025-49201 (Fortinet FortiPAM and FortiSwitch Manager), CVE-2025-58325 (Fortinet FortiOS CLI), CVE-2025-49553 (Adobe Connect collaboration suite), CVE-2025-9217 (Slider Revolution plugin), CVE-2025-10230 (Samba), CVE-2025-54539 (Apache ActiveMQ), CVE-2025-41703, CVE-2025-41704, CVE-2025-41706, CVE-2025-41707 (Phoenix Contact QUINT4), and CVE-2025-11492, CVE-2025-11493 (ConnectWise Automate).
📰 Around the Cyber World
- Microsoft Unveils New Security Improvements — Microsoft revealed that "parts of the kernel in Windows 11 have been rewritten in Rust, which helps mitigate against memory corruption vulnerabilities like buffer overflows and helps reduce attack surfaces." The company also noted that it's taking steps to secure AI-powered agentic experiences on the operating system by ensuring that they operate with limited permissions and only obtain access to resources users' explicitly provide permission to. In addition, Microsoft said agents that integrate with Windows must be cryptographically signed by a trusted source so that they can be revoked if found to be malicious. Each AI agent will also run under its own dedicated agent account that's distinct from the user account on the device. "This facilitates agent-specific policy application that can be different from the rules applied to other accounts like those for human users," it said.
- SEO Campaign Uses Fake Ivanti Installers to Steal Credentials — A new attack campaign has leveraged SEO poisoning to lure users into downloading a malicious version of the Ivanti Pulse Secure VPN client. The activity targets users searching for legitimate software on search engines like Bing, redirecting them to attacker-controlled lookalike websites (ivanti-pulsesecure[.]com or ivanti-secure-access[.]org). The goal of this attack is to steal VPN credentials from the victim's machine, enabling further compromise. "The malicious installer, a signed MSI file, contains a credential-stealing DLL designed to locate, parse, and exfiltrate VPN connection details," Zscaler said. "The malware specifically targets the connectionstore.dat file to steal saved VPN server URIs, which it combines with hardcoded credentials for exfiltration. Data is sent to a command-and-control (C2) server hosted on Microsoft Azure infrastructure."
- Qilin's Ties with BPH Providers Exposed — Cybersecurity researchers from Resecurity examined Qilin ransomware group's "close affiliation" with underground bulletproof hosting (BPH) operators, finding that the e-crime actor has not only relied on Cat Technologies Co. Limited. (which, in turn, is hosted on an IP address tied to Aeza Group) for hosting its data leak site, but also advertised services like BEARHOST Servers (aka Underground) on its WikiLeaksV2 site, where the group publishes content about their activities. BEARHOST has been operational since 2016, offering its services for anywhere from $95 to $500. While BEARHOST abruptly announced the stoppage of its service on December 28, 2024, it is assessed that the threat actors have taken the BPH service into private mode, catering only to trusted and vetted underground actors. On May 8, 2025, it resurfaced as Voodoo Servers, only for the operators to terminate the service again towards the end of the month, citing political reasons. "The actors decided to disappear through an 'exit scam' scenario, keeping the underground audience completely clueless," Resecurity said. "Notably, the legal entities behind the service continue their operations." Notably, Cat Technologies Co. Limited. also shares links to shadowy entities like Red Bytes LLC, Hostway, Starcrecium Limited, and Chang Way Technologies Co. Limited, the last of which has been associated with extensive malware activity, hosting command-and-control (C2) servers of Amadey, StealC, and Cobalt Strike used by cybercriminals. Another entity of note is Next Limited, which shares the same Hong Kong address as Chang Way Technologies Co. Limited and has been attributed to malicious activity in connection with Proton66.
- U.S. Judge Bars NSO Group from Targeting WhatsApp — A U.S. judge barred NSO Group from targeting WhatsApp users and cut the punitive damages verdict awarded to Meta by a jury in May 2025 to $4 million, because the court did not have enough evidence to determine that NSO Group's behavior was "particularly egregious." The permanent injunction handed out by U.S. District Judge Phyllis Hamilton means that the Israeli vendor cannot use WhatsApp as a way to infect targets' devices. As a refresher, Meta sued the NSO Group in 2019 over the use of Pegasus spyware by exploiting a then-zero-day flaw in the messaging app to spy on 1,400 people from 20 countries, including journalists and human rights activists. It was fined close to $168 million earlier this May. The proposed injunction requires NSO Group to delete and destroy computer code related to Meta's platforms, and she concluded that the provision is "necessary to prevent future violations, especially given the undetectable nature of defendants' technology."
- Google's Privacy Sandbox Initiative is Officially Dead — In 2019, Google launched an initiative called Privacy Sandbox to come up with privacy-enhancing alternatives to replace third-party cookies on the web. However, with the company abandoning its plans to deprecate third-party tracking cookies, the project appears to be winding down. To that end, the tech giant said it's retiring the following Privacy Sandbox technologies citing low levels of adoption: Attribution Reporting API (Chrome and Android), IP Protection, On-Device Personalization, Private Aggregation (including Shared Storage), Protected Audience (Chrome and Android), Protected App Signals, Related Website Sets (including requestStorageAccessFor and Related Website Partition), SelectURL, SDK Runtime and Topics (Chrome and Android). In a statement shared with Adweek, the company said it will continue to work to improve privacy across Chrome, Android, and the web, but not under the Privacy Sandbox branding.
- Russia Blocks Foreign SIM Cards — Russia said it's taking steps to temporarily block mobile internet for foreign SIM cards, citing national security reasons. The new rule imposes a mandatory 24-hour mobile internet blackout for anyone entering Russia with a foreign SIM card.
- Flaw in CORS headers in Web Browsers Disclosed — The CERT Coordination Center (CERT/CC) disclosed details of a vulnerability in cross-origin resource sharing (CORS) headers in Chromium, Google Chrome, Microsoft Edge, Safari, and Firefox that enables the CORS policy to be manipulated. This can be combined with DNS rebinding techniques to issue arbitrary requests to services listening on arbitrary ports, regardless of the CORS policy in place by the target. "An attacker can use a malicious site to execute a JavaScript payload that periodically sends CORS headers in order to ask the server if the cross-origin request is safe and allowed," CERT/CC explained. "Naturally, the attacker-controlled hostname will respond with permissive CORS headers that will circumvent the CORS policy. The attacker then performs a DNS rebinding attack so that the hostname is assigned the IP address of the target service. After the DNS responds with the changed IP address, the new target inherits the relaxed CORS policy, allowing an attacker to potentially exfiltrate data from the target." Mozilla is tracking the vulnerability as CVE-2025-8036.
- Phishing Campaigns Use Microsoft's Logo for Tech Support Scams — Threat actors are exploiting Microsoft's Name and branding in phishing emails to lure users into fraudulent tech support scams. The messages contain links that, when clicked, take the victims to a fake CAPTCHA challenge, after which they are redirected to a phishing landing page to unleash the next stage of the attack. "After passing the captcha verification, the victim is suddenly visually overloaded with several pop-ups that appear to be Microsoft security alerts," Cofense said. "Their browser is manipulated to appear locked, and they lose the ability to locate or control their mouse, which adds to the feeling that the system is compromised. This involuntary loss of control creates a faux ransomware experience, leading the user to believe their computer is locked and to take immediate action to remedy the infection." From there, users are instructed to call a number to reach Windows Support, at which they are connected to a bogus technician to take the attack forward. "The threat actor could exploit further by asking the user to provide account credentials or persuade the user to install remote desktop tools, allowing full access to their system," the company said.
- Taxpayers, Drivers Targeted in Refund and Road Toll Smishing Scams — A smishing campaign has leveraged at least 850 newly-registered domain names in September and early October to target people living in the U.S., the U.K., and elsewhere with phishing links that use tax refunds, road toll charges, or failed package deliveries as a lure. The websites, designed to be loaded only when launched from a mobile device, claim to provide information about their tax refund status or obtain a subsidy of up to £300 to help offset winter fuel costs (note: this is a real U.K. government initiative), only to prompt them to provide personal details such as name, home address, telephone number and email address, as well as payment card information. The entered data is exfiltrated to the attackers over the WebSocket protocol. Some of the scam websites have also been found to target Canadian, German, and Spanish residents and visitors, per Netcraft.
- Meta's New Collage Feature May Use Photos in Phone's Camera Roll — Meta is officially rolling out a new opt-in feature to Facebook users in the U.S. and Canada to suggest the best photos and videos from users' camera roll and create collages and edits. "With your permission and the help of AI, our new feature enables Facebook to automatically surface hidden gems – those memorable moments that get lost among screenshots, receipts, and random snaps – and edit them to save or share," the company said. The feature was first tested back in late June 2025. The social media company emphasized that the suggestions are private and that it does not use media obtained from users' devices via the camera roll to train its models, unless users opt to edit the media with their AI tools or publish those suggestions to Facebook. Users who wish to opt out of the feature can do so by navigating Settings and Privacy > Settings > Preferences > Camera Roll Sharing Suggestions.
- Fake Homebrew, TradingView, LogMeIn Sites Serve Stealer Malware Targeting Macs — Threat actors are employing social engineering tactics to trick users into visiting fake websites impersonating trusted platforms like as Homebrew, TradingView, and LogMeIn, where they are instructed to copy and run a malicious command on the Terminal app as part of ClickFix-style attacks, resulting in the deployment of stealer malware such as Atomic Stealer and Odyssey Stealer. "More than 85 phishing domains were identified, connected through shared SSL certificates, payload servers, and reused infrastructure," Hunt.io said. "The findings suggest a coordinated and ongoing campaign in which operators continuously adapt their infrastructure and tactics to maintain persistence and evade detection within the macOS ecosystem." It's suspected that users are driven to these websites via sponsored ads on search engines like Bing and Google.
- Dutch Data Protection Watchdog Fines Experian $3.2 Million for Privacy Violations — The Dutch Data Protection Authority (DPA) imposed a fine of €2.7 million ($3.2 million) on Experian Netherlands for collecting data in contravention of the E.U. General Data Protection Regulation (GDPR). The DPA said the consumer credit reporting company gathered information on people from both public and non-public sources and failed to make it clear why the collection of certain data was necessary. In addition to the penalty, Experian is expected to delete the database of personal data by the end of the year. The company has also ceased its operations in the country. "Until January 1, 2025, Experian provided credit assessments about individuals to its clients," the DPA said. "To do this, the company collected data such as negative payment behavior, outstanding debts, or bankruptcies. The AP found that Experian violated the law by unlawfully using personal data."
- Threat Actors Send Fake Password Manager Breach Alerts — Bad actors are sending phishing alerts claiming that their password manager accounts for 1Password and Lastpass have been compromised in order to trick users into providing their passwords and hijack their accounts. In response to the attack, LastPass said it has not been hacked and that it's an attempt on the part of the attackers to generate a false sense of urgency. In some cases spotted by Bleeping Computer, the activity has also been found to urge recipients to install a more secure version of the password manager, resulting in the deployment of a legitimate remote access software called Syncro. The software vendor has since moved to shut down the malicious accounts to prevent further installs.
- SocGholish MaaS Detailed — LevelBlue has published an analysis of a threat activity cluster known as SocGholish (aka FakeUpdates), which is known to be active since 2017, leveraging fake web browser update prompts on compromised websites as a lure to distribute malware. Victims are typically routed through Traffic Distribution Systems (TDS) like Keitaro and Parrot TDS to filter users based on specific factors such as geography, browser type, or system configuration, ensuring that only the intended targets are exposed to the payload. It's offered under a malware-as-a-service (MaaS) by a financially motivated cybercrime group called TA569. SocGholish stands out for its ability to turn legitimate websites into large-scale distribution platforms for malware. Acting as an initial access broker (IAB), its operations profit from follow-on compromises by other actors. "Once executed, its payloads range from loaders and stealers to ransomware, allowing for extensive follow-up exploitation," LevelBlue said. "This combination of broad reach, simple delivery mechanisms, and flexible use by multiple groups makes SocGholish a persistent and dangerous threat across industries and regions." One of its primary users is Evil Corp, with the malware also used to deliver RansomHub in early 2025.
🎥 Cybersecurity Webinars
- The Practical Framework to Govern AI Agents Without Slowing Innovation → AI is changing everything fast — but for most security teams, it still feels like a fight just to keep up. The goal isn't to slow innovation with more controls; it's to make those controls work for the business. By building security into AI from the start, you can turn what used to be a bottleneck into a real accelerator for growth and trust.
- The Future of AI in GRC: Turning Risk Into a Compliance Advantage – AI is changing how companies manage risk and compliance — fast. It brings big opportunities but also new challenges. This webinar shows you how to use AI safely and effectively in GRC, avoid common mistakes, and turn complex rules into a real business advantage.
- Workflow Clarity: How to Blend AI and Human Effort for Real Results – Too many teams are rushing to "add AI" without a plan — and ending up with messy, unreliable workflows. Join us to learn a clearer approach: how to use AI thoughtfully, simplify automation, and build systems that scale securely.
🔧 Cybersecurity Tools
- Beelzebub – It turns honeypot deployment into a powerful, low-code experience. It uses AI to simulate real systems, helping security teams detect attacks, track emerging threats, and share insights through a global threat intelligence network.
- NetworkHound – It maps your Active Directory network from the inside out. It discovers every device — domain-joined or shadow-IT — validates SMB and web services, and builds a full BloodHound-compatible graph so you can see and secure your environment clearly.
Disclaimer: These tools are for educational and research use only. They haven't been fully security-tested and could pose risks if used incorrectly. Review the code before trying them, test only in safe environments, and follow all ethical, legal, and organizational rules.
🔒 Tip of the Week
Most Cloud Breaches Aren't Hacks — They're Misconfigurations. Here's How to Fix Them — Cloud storage buckets like AWS S3, Azure Blob, and Google Cloud Storage make data sharing easy — but one wrong setting can expose everything. Most data leaks happen not because of hacking, but because someone left a public bucket, skipped encryption, or used a test bucket that never got locked down. Cloud platforms give you flexibility, not guaranteed safety, so you need to check and control access yourself.
Misconfigurations usually happen when permissions are too broad, encryption is disabled, or visibility is lost across multiple clouds. Doing manual checks doesn't scale — especially if you manage data in AWS, Azure, and GCP. The fix is using tools that automatically find, report, and even fix unsafe settings before they cause damage.
ScoutSuite is a strong starting point for cross-cloud visibility. It scans AWS, Azure, and GCP for open buckets, weak IAM roles, and missing encryption, then creates an easy-to-read HTML report. **Prowler** goes deeper into AWS, checking S3 settings against CIS and AWS benchmarks to catch bad ACLs or unencrypted buckets.
For ongoing control, Cloud Custodian lets you write simple policies that automatically enforce rules — for example, forcing all new buckets to use encryption. And CloudQuery can turn your cloud setup into a searchable database, so you can monitor changes, track compliance, and visualize risks in one place.
The best approach is to combine them: run ScoutSuite or Prowler weekly to find issues, and let Cloud Custodian handle automatic fixes. Even a few hours spent setting these up can stop the kind of data leaks that make headlines. Always assume every bucket is public until proven otherwise — and secure it like it is.
Conclusion
The truth is, no tool or patch will ever make us fully secure. What matters most is awareness — knowing what's normal, what's changing, and how attackers think. Every alert, log, or minor anomaly is a clue. Keep connecting those dots before someone else does.
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.
Original Article Published at The Hackers News
________________________________________________________________________________________________________________________________