Author: Mark

  • OpenAI Disrupts Russian, North Korean, and Chinese Hackers Misusing ChatGPT for Cyberattacks

    OpenAI on Tuesday said it disrupted three activity clusters for misusing its ChatGPT artificial intelligence (AI) tool to facilitate malware development.

    This includes a Russian‑language threat actor, who is said to have used the chatbot to help develop and refine a remote access trojan (RAT), a credential stealer with an aim to evade detection. The operator also used several ChatGPT accounts to prototype and troubleshoot technical components that enable post‑exploitation and credential theft.

    “These accounts appear to be affiliated with Russian-speaking criminal groups, as we observed them posting evidence of their activities in a Telegram channel dedicated to those actors,” OpenAI said.

    The AI company said while its large language models (LLMs) refused the threat actor’s direct requests to produce malicious content, they worked around the limitation by creating building-block code, which was then assembled to create the workflows.

    Some of the produced output involved code for obfuscation, clipboard monitoring, and basic utilities to exfiltrate data using a Telegram bot. It’s worth pointing out that none of these outputs are inherently malicious on their own.

    “The threat actor made a mix of high‑ and lower‑sophistication requests: many prompts required deep Windows-platform knowledge and iterative debugging, while others automated commodity tasks (such as mass password generation and scripted job applications),” OpenAI added.

    “The operator used a small number of ChatGPT accounts and iterated on the same code across conversations, a pattern consistent with ongoing development rather than occasional testing.”

    The second cluster of activity originated from North Korea and shared overlaps with a campaign detailed by Trellix in August 2025 that targeted diplomatic missions in South Korea using spear-phishing emails to deliver Xeno RAT.

    OpenAI said the cluster used ChatGPT for malware and command-and-control (C2) development, and that the actors engaged in specific efforts such as developing macOS Finder extensions, configuring Windows Server VPNs, or converting Chrome extensions to their Safari equivalents.

    In addition, the threat actors have been found to use the AI chatbot to draft phishing emails, experiment with cloud services and GitHub functions, and explore techniques to facilitate DLL loading, in-memory execution, Windows API hooking, and credential theft.

    The third set of banned accounts, OpenAI noted, shared overlaps with a cluster tracked by Proofpoint under the name UNK_DropPitch (aka UTA0388), a Chinese hacking group which has been attributed to phishing campaigns targeting major investment firms with a focus on the Taiwanese semiconductor industry, with a backdoor dubbed HealthKick (aka GOVERSHELL).

    The accounts used the tool to generate content for phishing campaigns in English, Chinese, and Japanese; assist with tooling to accelerate routine tasks such as remote execution and traffic protection using HTTPS; and search for information related to installing open-source tools like nuclei and fscan. OpenAI described the threat actor as “technically competent but unsophisticated.”

    Outside of these three malicious cyber activities, the company also blocked accounts used for scam and influence operations –

    • Networks likely originating in Cambodia, Myanmar, and Nigeria are abusing ChatGPT as part of likely attempts to defraud people online. These networks used AI to conduct translation, write messages, and to create content for social media to advertise investment scams.
    • Individuals apparently linked to Chinese government entities using ChatGPT to assist in surveilling individuals, including ethnic minority groups like Uyghurs, and analyzing data from Western or Chinese social media platforms. The users asked the tool to generate promotional materials about such tools, but did not use the AI chatbot to implement them.
    • A Russian-origin threat actor linked to Stop News and likely run by a marketing company that used its AI models (and others) to generate content and videos for sharing on social media sites. The generated content criticized the role of France and the U.S. in Africa and Russia’s role on the continent. It also produced English-language content promoting anti-Ukraine narratives.
    • A covert influence operation originating from China, codenamed “Nine—emdash Line” that used its models to generate social media content critical of the Philippines’ President Ferdinand Marcos, as well as create posts about Vietnam’s alleged environmental impact in the South China Sea and political figures and activists involved in Hong Kong’s pro-democracy movement.

    In two different cases, suspected Chinese accounts asked ChatGPT to identify organizers of a petition in Mongolia and funding sources for an X account that criticized the Chinese government. OpenAI said its models returned only publicly available information as responses and did not include any sensitive information.

    “A novel use for this [China-linked] influence network was requests for advice on social media growth strategies, including how to start a TikTok challenge and get others to post content about the #MyImmigrantStory hashtag (a widely used hashtag of long standing whose popularity the operation likely strove to leverage),” OpenAI said.

    “They asked our model to ideate, then generate a transcript for a TikTok post, in addition to providing recommendations for background music and pictures to accompany the post.”

    OpenAI reiterated that its tools provided the threat actors with novel capabilities that they could not otherwise have obtained from multiple publicly available resources online, and that they were used to provide incremental efficiency to their existing workflows.

    But one of the most interesting takeaways from the report is that threat actors are trying to adapt their tactics to remove possible signs that could indicate that the content was generated by an AI tool.

    “One of the scam networks [from Cambodia] we disrupted asked our model to remove the em-dashes (long dash, –) from their output, or appears to have removed the em-dashes manually before publication,” the company said. “For months, em-dashes have been the focus of online discussion as a possible indicator of AI usage: this case suggests that the threat actors were aware of that discussion.”

    The findings from OpenAI come as rival Anthropic released an open-source auditing tool called Petri (short for “Parallel Exploration Tool for Risky Interactions”) to accelerate AI safety research and better understand model behavior across various categories like deception, sycophancy, encouragement of user delusion, cooperation with harmful requests, and self-preservation.

    “Petri deploys an automated agent to test a target AI system through diverse multi-turn conversations involving simulated users and tools,” Anthropic said.

    “Researchers give Petri a list of seed instructions targeting scenarios and behaviors they want to test. Petri then operates on each seed instruction in parallel. For each seed instruction, an auditor agent makes a plan and interacts with the target model in a tool use loop. At the end, a judge scores each of the resulting transcripts across multiple dimensions so researchers can quickly search and filter for the most interesting transcripts.”


    Source: thehackernews.com…

  • BatShadow Group Uses New Go-Based 'Vampire Bot' Malware to Hunt Job Seekers

    Oct 07, 2025 | Ravie Lakshmanan | Malware / Threat Intelligence

    A Vietnamese threat actor named BatShadow has been attributed to a new campaign that leverages social engineering tactics to deceive job seekers and digital marketing professionals to deliver a previously undocumented malware called Vampire Bot.

    “The attackers pose as recruiters, distributing malicious files disguised as job descriptions and corporate documents,” Aryaka Threat Research Labs researchers Aditya K Sood and Varadharajan K said in a report shared with The Hacker News. “When opened, these lures trigger the infection chain of a Go-based malware.”

    The attack chains, per the cybersecurity company, leverage ZIP archives containing decoy PDF documents along with malicious shortcut (LNK) or executable files that are masked as PDF to trick users into opening them. When launched, the LNK file runs an embedded PowerShell script that reaches out to an external server to download a lure document, a PDF for a marketing job at Marriott.

    The PowerShell script also downloads from the same server a ZIP file that includes files related to XtraViewer, a remote desktop connection software, and executes it likely with an aim to establish persistent access to compromised hosts.

    Victims who end up clicking on a link in the lure PDF to supposedly “preview” the job description are directed to another landing page that serves a fake error message stating the browser is unsupported and that “the page only supports downloads on Microsoft Edge.”

    “When the user clicks the OK button, Chrome simultaneously blocks the redirect,” Aryaka said. “The page then displays another message instructing the user to copy the URL and open it in the Edge browser to download the file.”

    The attacker's instruction to use Edge rather than, say, Google Chrome or other web browsers is probably down to scripted pop-ups and redirects likely being blocked by default, whereas manually copying and pasting the URL into Edge allows the infection chain to continue, as it’s treated as a user-initiated action.

    However, should the victim opt to open the page in Edge, the URL is programmatically launched in the web browser, only to display a second error message: “The online PDF viewer is currently experiencing an issue. The file has been compressed and sent to your device.”

    This subsequently triggers the auto-download of a ZIP archive containing the purported job description, including a malicious executable (“Marriott_Marketing_Job_Description.pdf.exe”) that mimics a PDF by padding extra spaces between “.pdf” and “.exe.”
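    A triage check for the archive layout described above, added here as an example and not taken from the Aryaka report: it flags members whose document extension is followed by optional padding and an executable extension, and shortcuts shipped next to a PDF. The extension lists, function names and sample file names are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# Assumed extension lists; tune them to your own mail and web gateway policy.
DECOY_EXTS = ("pdf", "doc", "docx", "xls", "xlsx")
EXEC_EXTS = ("exe", "scr", "com", "lnk", "bat", "cmd", "js", "vbs")

# "<name>.pdf<optional whitespace>.exe": the padding pushes the real
# extension out of view in a narrow file-name column.
MASKED = re.compile(
    r"\.(?P<decoy>%s)(?P<pad>\s*)\.(?P<real>%s)$"
    % ("|".join(DECOY_EXTS), "|".join(EXEC_EXTS)),
    re.IGNORECASE,
)


def inspect_archive(data):
    """Return (member_name, reason) findings for a ZIP passed as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [i.filename for i in zf.infolist() if not i.is_dir()]
    has_pdf = any(n.lower().endswith(".pdf") for n in names)
    for name in names:
        base = name.rsplit("/", 1)[-1]
        m = MASKED.search(base)
        if m:
            findings.append((name, "%s masked as %s, %d padding spaces" % (
                m.group("real").lower(), m.group("decoy").lower(),
                len(m.group("pad")))))
        elif base.lower().endswith(".lnk") and has_pdf:
            findings.append((name, "shortcut shipped next to a PDF"))
    return findings


def build_sample():
    """Constructed sample archive with empty members (names only matter)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Job_Description.pdf", b"")
        zf.writestr("Job_Description.pdf" + " " * 40 + ".exe", b"")
        zf.writestr("Benefits.lnk", b"")
        zf.writestr("notes/readme.txt", b"")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in inspect_archive(build_sample()):
        print(repr(member), "->", reason)
```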

    The executable is a Golang malware dubbed Vampire Bot that can profile the infected host, steal a wide range of information, capture screenshots at configurable intervals, and maintain communication with an attacker-controlled server (“api3.samsungcareers[.]work”) to run commands or fetch additional payloads.

    BatShadow’s links to Vietnam stem from the use of an IP address (103.124.95[.]161) that has been previously flagged as used by hackers with links to the country. Furthermore, digital marketing professionals have been one of the main targets of attacks perpetrated by various Vietnamese financially motivated groups, who have a track record of deploying stealer malware to hijack Facebook business accounts.

    In October 2024, Cyble also disclosed details of a sophisticated multi-stage attack campaign orchestrated by a Vietnamese threat actor that targeted job seekers and digital marketing professionals with Quasar RAT using phishing emails containing booby-trapped job description files.

    BatShadow is assessed to be active for at least a year, with prior campaigns using similar domains, such as samsung-work.com, to propagate malware families including Agent Tesla, Lumma Stealer, and Venom RAT.

    “The BatShadow threat group continues to employ sophisticated social engineering tactics to target job seekers and digital marketing professionals,” Aryaka said. “By leveraging disguised documents and a multi-stage infection chain, the group delivers a Go-based Vampire Bot capable of system surveillance, data exfiltration, and remote task execution.”


    Source: thehackernews.com…

  • Google's New AI Doesn't Just Find Vulnerabilities — It Rewrites Code to Patch Them

    Oct 07, 2025 | Ravie Lakshmanan | Artificial Intelligence / Software Security

    Google’s DeepMind division on Monday announced an artificial intelligence (AI)-powered agent called CodeMender that automatically detects, patches, and rewrites vulnerable code to prevent future exploits.

    The effort adds to the company’s ongoing work to improve AI-powered vulnerability discovery, such as Big Sleep and OSS-Fuzz.

    DeepMind said the AI agent is designed to be both reactive and proactive, by fixing new vulnerabilities as soon as they are spotted as well as rewriting and securing existing codebases with an aim to eliminate whole classes of vulnerabilities in the process.

    “By automatically creating and applying high-quality security patches, CodeMender’s AI-powered agent helps developers and maintainers focus on what they do best — building good software,” DeepMind researchers Raluca Ada Popa and Four Flynn said.

    “Over the past six months that we’ve been building CodeMender, we have already upstreamed 72 security fixes to open source projects, including some as large as 4.5 million lines of code.”

    CodeMender, under the hood, leverages Google’s Gemini Deep Think models to debug, flag, and fix security vulnerabilities by addressing the root cause of the problem, and validate them to ensure that they don’t trigger any regressions.

    The AI agent, Google added, also makes use of a large language model (LLM)-based critique tool that highlights the differences between the original and modified code in order to verify that the proposed changes do not introduce regressions, and self-correct as required.

    Google said it also intended to slowly reach out to interested maintainers of critical open-source projects with CodeMender-generated patches, and solicit their feedback, so that the tool can be used to keep codebases secure.

    The development comes as the company said it’s instituting an AI Vulnerability Reward Program (AI VRP) to report AI-related issues in its products, such as prompt injections, jailbreaks, and misalignment, and earn rewards that go as high as $30,000.

    In June 2025, Anthropic revealed that models from various developers resorted to malicious insider behaviors when that was the only way to avoid replacement or achieve their goals, and that LLM models “misbehaved less when it stated it was in testing and misbehaved more when it stated the situation was real.”

    That said, policy-violating content generation, guardrail bypasses, hallucinations, factual inaccuracies, system prompt extraction, and intellectual property issues do not fall under the ambit of the AI VRP.

    Google, which previously set up a dedicated AI Red Team to tackle threats to AI systems as part of its Secure AI Framework (SAIF), has also introduced a second iteration of the framework to focus on agentic security risks like data disclosure and unintended actions, and the necessary controls to mitigate them.

    The company further noted that it’s committed to using AI to enhance security and safety, and use the technology to give defenders an advantage and counter the growing threat from cybercriminals, scammers, and state-backed attackers.


    Source: thehackernews.com…

  • XWorm 6.0 Returns with 35+ Plugins and Enhanced Data Theft Capabilities

    Cybersecurity researchers have charted the evolution of XWorm malware, turning it into a versatile tool for supporting a wide range of malicious actions on compromised hosts.

    “XWorm’s modular design is built around a core client and an array of specialized components known as plugins,” Trellix researchers Niranjan Hegde and Sijo Jacob said in an analysis published last week. “These plugins are essentially additional payloads designed to carry out specific harmful actions once the core malware is active.”

    XWorm, first observed in 2022 and linked to a threat actor named EvilCoder, is a Swiss Army knife of malware that can facilitate data theft, keylogging, screen capture, persistence, and even ransomware operations. It’s primarily propagated via phishing emails and bogus sites advertising malicious ScreenConnect installers.

    Some of the other tools advertised by the developer include a .NET-based malware builder, a remote access trojan called XBinder, and a program that can bypass User Account Control (UAC) restrictions on Windows systems. In recent years, the development of XWorm has been led by an online persona called XCoder.

    In a report published last month, Trellix detailed shifting XWorm infection chains that have used Windows shortcut (LNK) files distributed via phishing emails to execute PowerShell commands that drop a harmless TXT file and a deceptive executable masquerading as Discord, which then ultimately launches the malware.

    XWorm incorporates various anti-analysis and anti-evasion mechanisms to check for tell-tale signs of a virtualized environment and, if any are found, immediately cease its execution. The malware’s modularity means various commands can be issued from an external server to perform actions like shutting down or restarting the system, downloading files, opening URLs, and initiating DDoS attacks.

    “This rapid evolution of XWorm within the threat landscape, and its current prevalence, highlights the critical importance of robust security measures to combat ever-changing threats,” the company noted.

    XWorm’s operations have also witnessed their share of setbacks over the past year, the most important being XCoder’s decision to delete their Telegram account abruptly in the second half of 2024, leaving the future of the tool in limbo. Since then, however, threat actors have been observed distributing a cracked version of XWorm version 5.6 that contained malware to infect other threat actors who may end up downloading it.

    This included attempts made by an unknown threat actor to trick script kiddies into downloading a trojanized version of the XWorm RAT builder via GitHub repositories, file-sharing services, Telegram channels, and YouTube videos to compromise over 18,459 devices globally.

    This has been complemented by attackers distributing modified versions of XWorm – one of which is a Chinese variant codenamed XSPY – as well as the discovery of a remote code execution (RCE) vulnerability in the malware that allows attackers with the command-and-control (C2) encryption key to execute arbitrary code.

    While the apparent abandonment of XWorm by XCoder raised the possibility that the project was “closed for good,” Trellix said it spotted a threat actor named XCoderTools offering XWorm 6.0 on cybercrime forums on Jun 4, 2025, for $500 for lifetime access, describing it as a “fully re-coded” version with a fix for the aforementioned RCE flaw. It’s currently not known if the latest version is the work of the same developer or someone else capitalizing on the malware’s reputation.

    Campaigns distributing XWorm 6.0 in the wild have used malicious JavaScript files in phishing emails that, when opened, display a decoy PDF document, while, in the background, PowerShell code is executed to inject the malware into a legitimate Windows process like RegSvcs.exe without raising any attention.

    XWorm V6.0 is designed to connect to its C2 server at 94.159.113[.]64 on port 4411 and supports a command called “plugin” to run more than 35 DLL payloads on the infected host’s memory and carry out various tasks.

    “When the C2 server sends the command ‘plugin,’ it includes the SHA-256 hash of the plugin DLL file and the arguments for its invocation,” Trellix explained. “The client then uses the hash to check if the plugin has been previously received. If the key is not found, the client sends a ‘sendplugin’ command to the C2 server, along with the hash.”

    “The C2 server then responds with the command ‘savePlugin’ along with a base64 encoded string containing the plugin and SHA-256 hash. Upon receiving and decoding the plugin, the client loads the plugin into the memory.”

    Some of the supported plugins in XWorm 6.x (6.0, 6.4, and 6.5) are listed below –

    • RemoteDesktop.dll, to create a remote session to interact with the victim’s machine.
    • WindowsUpdate.dll, Stealer.dll, Recovery.dll, merged.dll, Chromium.dll, and SystemCheck.Merged.dll, to steal the victim’s data, such as Windows product keys, Wi-Fi passwords, and stored credentials from web browsers (bypassing Chrome’s app-bound encryption) and other applications like FileZilla, Discord, Telegram, and MetaMask
    • FileManager.dll, to facilitate filesystem access and manipulation capabilities to the operator
    • Shell.dll, to execute system commands sent by the operator in a hidden cmd.exe process.
    • Informations.dll, to gather system information about the victim’s machine.
    • Webcam.dll, to record the victim and to verify if an infected machine is real
    • TCPConnections.dll, ActiveWindows.dll, and StartupManager.dll, to send a list of active TCP connections, active windows, and startup programs, respectively, to the C2 server
    • Ransomware.dll, to encrypt and decrypt files and extort users for a cryptocurrency ransom (shares code overlaps with NoCry ransomware)
    • Rootkit.dll, to install a modified r77 rootkit
    • ResetSurvival.dll, to survive device reset through Windows Registry modifications

    XWorm 6.0 infections, besides dropping custom tools, have also served as a conduit for other malware families such as DarkCloud Stealer, Hworm (VBS-based RAT), Snake KeyLogger, Coin Miner, Pure Malware, ShadowSniff Stealer (open-source Rust stealer), Phantom Stealer, Phemedrone Stealer, and Remcos RAT.

    “Further investigation of the DLL file revealed multiple XWorm V6.0 Builders on VirusTotal that are themselves infected with XWorm malware, suggesting that an XWorm RAT operator has been compromised by XWorm malware!,” Trellix said.

    “The unexpected return of XWorm V6, armed with a versatile array of plugins for everything from keylogging and credential theft to ransomware, serves as a powerful reminder that no malware threat is ever truly gone.”


    Source: thehackernews.com…

  • New Research: AI Is Already the #1 Data Exfiltration Channel in the Enterprise

    For years, security leaders have treated artificial intelligence as an “emerging” technology, something to keep an eye on but not yet mission-critical. A new Enterprise AI and SaaS Data Security Report by AI & Browser Security company LayerX proves just how outdated that mindset has become. Far from a future concern, AI is already the single largest uncontrolled channel for corporate data exfiltration—bigger than shadow SaaS or unmanaged file sharing.

    The findings, drawn from real-world enterprise browsing telemetry, reveal a counterintuitive truth: the problem with AI in enterprises isn’t tomorrow’s unknowns, it’s today’s everyday workflows. Sensitive data is already flowing into ChatGPT, Claude, and Copilot at staggering rates, mostly through unmanaged accounts and invisible copy/paste channels. Traditional DLP tools—built for sanctioned, file-based environments—aren’t even looking in the right direction.

    From “Emerging” to Essential in Record Time

    In just two years, AI tools have reached adoption levels that took email and online meetings decades to achieve. Almost one in two enterprise employees (45%) already use generative AI tools, with ChatGPT alone hitting 43% penetration. Compared with other SaaS tools, AI accounts for 11% of all enterprise application activity, rivaling file-sharing and office productivity apps.

    The twist? This explosive growth hasn’t been accompanied by governance. Instead, the vast majority of AI sessions happen outside enterprise control. 67% of AI usage occurs through unmanaged personal accounts, leaving CISOs blind to who is using what, and what data is flowing where.

    Sensitive Data Is Everywhere, and It’s Moving the Wrong Way

    Perhaps the most surprising and alarming finding is how much sensitive data is already flowing into AI platforms: 40% of files uploaded into GenAI tools contain PII or PCI data, and employees are using personal accounts for nearly four in ten of those uploads.

    Even more revealing: files are only part of the problem. The real leakage channel is copy/paste. 77% of employees paste data into GenAI tools, and 82% of that activity comes from unmanaged accounts. On average, employees perform 14 pastes per day via personal accounts, with at least three containing sensitive data.

    That makes copy/paste into GenAI the #1 vector for corporate data leaving enterprise control. It’s not just a technical blind spot; it’s a cultural one. Security programs designed to scan attachments and block unauthorized uploads miss the fastest-growing threat entirely.

    The Identity Mirage: Corporate ≠ Secure

    Security leaders often assume that “corporate” accounts equate to secure access. The data proves otherwise. Even when employees use corporate credentials for high-risk platforms like CRM and ERP, they overwhelmingly bypass SSO: 71% of CRM and 83% of ERP logins are non-federated.

    That makes a corporate login functionally indistinguishable from a personal one. Whether an employee signs into Salesforce with a Gmail address or with a password-based corporate account, the outcome is the same: no federation, no visibility, no control.

    The Instant Messaging Blind Spot

    While AI is the fastest-growing channel of data leakage, instant messaging is the quietest. 87% of enterprise chat usage occurs through unmanaged accounts, and 62% of users paste PII/PCI into them. The convergence of shadow AI and shadow chat creates a dual blind spot where sensitive data constantly leaks into unmonitored environments.

    Together, these findings paint a stark picture: security teams are focused on the wrong battlefields. The war for data security isn’t in file servers or sanctioned SaaS. It’s in the browser, where employees blend personal and corporate accounts, shift between sanctioned and shadow tools, and move sensitive data fluidly across both.

    Rethinking Enterprise Security for the AI Era

    The report’s recommendations are clear, and unconventional:

    1. Treat AI security as a core enterprise category, not an emerging one. Governance strategies must put AI on par with email and file sharing, with monitoring for uploads, prompts, and copy/paste flows.
    2. Shift from file-centric to action-centric DLP. Data is leaving the enterprise not just through file uploads but through file-less methods such as copy/paste, chat, and prompt injection. Policies must reflect that reality.
    3. Restrict unmanaged accounts and enforce federation everywhere. Personal accounts and non-federated logins are functionally the same: invisible. Restricting their use – whether fully blocking them or applying rigorous context-aware data control policies – is the only way to restore visibility.
    4. Prioritize high-risk categories: AI, chat, and file storage. Not all SaaS apps are equal. These categories demand the tightest controls because they are both high-adoption and high-sensitivity.

    The Bottom Line for CISOs

    The surprising truth revealed by the data is this: AI isn’t just a productivity revolution, it’s a governance collapse. The tools employees love most are also the least controlled, and the gap between adoption and oversight is widening every day.

    For security leaders, the implications are urgent. Waiting to treat AI as “emerging” is no longer an option. It’s already embedded in workflows, already carrying sensitive data, and already serving as the leading vector for corporate data loss.

    The enterprise perimeter has shifted again, this time into the browser. If CISOs don’t adapt, AI won’t just shape the future of work, it will dictate the future of data breaches.

    The new research report from LayerX provides the full scope of these findings, offering CISOs and security teams unprecedented visibility into how AI and SaaS are really being used inside the enterprise. Drawing on real-world browser telemetry, the report details where sensitive data is leaking, which blind spots carry the greatest risk, and what practical steps leaders can take to secure AI-driven workflows. For organizations seeking to understand their true exposure and how to protect themselves, the report delivers the clarity and guidance needed to act with confidence.

    This article is a contributed piece from one of our valued partners.


    Source: thehackernews.com…

  • 13-Year-Old Redis Flaw Exposed: CVSS 10.0 Vulnerability Lets Attackers Run Code Remotely

    Oct 07, 2025 | Ravie Lakshmanan | Vulnerability / Cloud Security

    Redis has disclosed details of a maximum-severity security flaw in its in-memory database software that could result in remote code execution under certain circumstances.

    The vulnerability, tracked as CVE-2025-49844 (aka RediShell), has been assigned a CVSS score of 10.0.

    “An authenticated user may use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free, and potentially lead to remote code execution,” according to a GitHub advisory for the issue. “The problem exists in all versions of Redis with Lua scripting.”

    However, for exploitation to be successful, it requires an attacker to first gain authenticated access to a Redis instance, making it crucial that users don’t leave their Redis instances exposed to the internet and secure them with strong authentication.

    The issue impacts all versions of Redis. It has been addressed in versions 6.2.20, 7.2.11, 7.4.6, 8.0.4, and 8.2.2 released on October 3, 2025.

    As temporary workarounds until a patch can be applied, it’s advised to prevent users from executing Lua scripts by setting an access control list (ACL) to restrict EVAL and EVALSHA commands. It’s also crucial that only trusted identities can run Lua scripts or any other potentially risky commands.
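    One way to check an instance against the two points above, added here as an example and not code from Redis or Wiz: compare the reported `redis_version` with the fixed builds the article lists, and replay `ACL LIST` rules to find enabled users that can still run EVAL or EVALSHA. The function names, the sample ACL lines and the set of ACL categories assumed to contain these commands are assumptions.

```python
import re

# Fixed builds named in the article, keyed by release line (major, minor).
PATCHED = {(6, 2): 20, (7, 2): 11, (7, 4): 6, (8, 0): 4, (8, 2): 2}

# Commands the article says to restrict until the patch is applied.
LUA_COMMANDS = ("eval", "evalsha")

# Assumption: ACL categories that contain EVAL and EVALSHA.
LUA_CATEGORIES = {"all", "scripting", "slow"}


def patch_status(version):
    """Classify a redis_version string as 'patched', 'vulnerable' or
    'unlisted' (the article names no fixed build for that release line)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError("unrecognised version: %r" % version)
    major, minor, patch = (int(x) for x in m.groups())
    fixed = PATCHED.get((major, minor))
    if fixed is None:
        return "unlisted"
    return "patched" if patch >= fixed else "vulnerable"


def can_run(rules, command):
    """Replay ACL command rules left to right; the last matching rule wins."""
    allowed = False
    for tok in rules:
        if tok == "allcommands":
            tok = "+@all"
        elif tok == "nocommands":
            tok = "-@all"
        if tok[0] not in "+-":
            continue  # key patterns, channels, passwords, flags
        sign, name = tok[0], tok[1:].lower()
        if name.startswith("@"):
            hit = name[1:] in LUA_CATEGORIES
        else:
            hit = name == command
        if hit:
            allowed = sign == "+"
    return allowed


def audit_acl(acl_list_lines):
    """Map each enabled user to the Lua commands its rules still permit.
    Limitation: Redis 7 selectors in parentheses are dropped, not evaluated."""
    findings = {}
    for line in acl_list_lines:
        tokens = re.sub(r"\([^)]*\)", " ", line).split()
        if len(tokens) < 2 or tokens[0] != "user":
            continue
        user, rules = tokens[1], tokens[2:]
        if "off" in rules:
            continue  # disabled users cannot authenticate
        permitted = [c for c in LUA_COMMANDS if can_run(rules, c)]
        if permitted:
            findings[user] = permitted
    return findings


# Constructed sample in the shape of `ACL LIST` output; "#<sha256>" stands in
# for a password hash.
SAMPLE_ACL = [
    "user default on nopass ~* &* +@all",
    "user app on #<sha256> ~app:* resetchannels -@all +get +set +del",
    "user reports on #<sha256> ~* resetchannels +@all -eval -evalsha",
    "user batch on #<sha256> ~* resetchannels -@all +@read +evalsha",
    "user legacy off nopass ~* &* +@all",
]

if __name__ == "__main__":
    print("7.2.10:", patch_status("7.2.10"))
    for user, cmds in audit_acl(SAMPLE_ACL).items():
        # Workaround from the article, expressed as an ACL rule change.
        print("%s can run %s; fix: ACL SETUSER %s -eval -evalsha"
              % (user, ", ".join(cmds), user))
```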

    Cloud security company Wiz, which discovered and reported the flaw to Redis on May 16, 2025, described it as a use-after-free (UAF) memory corruption bug that has existed in the Redis source code for about 13 years.

    It essentially permits an attacker to send a malicious Lua script that leads to arbitrary code execution outside of the Redis Lua interpreter sandbox, granting them unauthorized access to the underlying host. In a hypothetical attack scenario, it can be leveraged to steal credentials, drop malware, exfiltrate sensitive data, or pivot to other cloud services.

    “This flaw allows a post auth attacker to send a specially crafted malicious Lua script (a feature supported by default in Redis) to escape from the Lua sandbox and achieve arbitrary native code execution on the Redis host,” Wiz said. “This grants an attacker full access to the host system, enabling them to exfiltrate, wipe, or encrypt sensitive data, hijack resources, and facilitate lateral movement within cloud environments.”

    While there is no evidence that the vulnerability was ever exploited in the wild, Redis instances are a lucrative target for threat actors looking to conduct cryptojacking attacks and enlist them in a botnet. As of writing, there are about 330,000 Redis instances exposed to the internet, of which about 60,000 lack any authentication.

    “With hundreds of thousands of exposed instances worldwide, this vulnerability poses a significant threat to organizations across all industries,” Wiz said. “The combination of widespread deployment, default insecure configurations, and the severity of the vulnerability creates an urgent need for immediate remediation.”


    Source: thehackernews.com…

  • Microsoft Links Storm-1175 to GoAnywhere Exploit Deploying Medusa Ransomware

    Oct 07, 2025 | Ravie Lakshmanan | Vulnerability / Cloud Security

    Microsoft on Monday attributed the exploitation of a critical security flaw in Fortra GoAnywhere software to a threat actor it tracks as Storm-1175, saying the flaw was used to facilitate the deployment of Medusa ransomware.

    The vulnerability is CVE-2025-10035 (CVSS score: 10.0), a critical deserialization bug that could result in command injection without authentication. It was addressed in version 7.8.4, or the Sustain Release 7.6.3.

    “The vulnerability could allow a threat actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection and potential remote code execution (RCE),” the Microsoft Threat Intelligence team said.

    According to the tech giant, Storm-1175 is a cybercriminal group known for deploying Medusa ransomware and exploiting public-facing applications for initial access since September 11, 2025. It’s worth noting that watchTowr revealed last week that there were indications of active exploitation of the flaw since at least September 10.

    Furthermore, successful exploitation of CVE-2025-10035 could allow attackers to perform system and user discovery, maintain long-term access, and deploy additional tools for lateral movement and malware.

    The attack chain following initial access entails dropping remote monitoring and management (RMM) tools, such as SimpleHelp and MeshAgent, to maintain persistence. The threat actors have also been observed creating .jsp files within the GoAnywhere MFT directories, often at the same time as the dropped RMM tools.

    In the next phase, commands for user, network, and system discovery are executed, followed by leveraging mstsc.exe (i.e., Windows Remote Desktop Connection) for lateral movement across the network.

    The downloaded RMM tools are used for command-and-control (C2) using a Cloudflare tunnel, with Microsoft observing the use of Rclone in at least one victim environment for data exfiltration. The attack ultimately paves the way for the Medusa ransomware deployment.

    “Organizations running GoAnywhere MFT have effectively been under silent assault since at least September 11, with little clarity from Fortra,” watchTowr CEO and Founder, Benjamin Harris, said. “Microsoft’s confirmation now paints a pretty unpleasant picture — exploitation, attribution, and a month-long head start for the attackers.

    “What’s still missing are the answers only Fortra can provide. How did threat actors get the private keys needed to exploit this? Why were organizations left in the dark for so long? Customers deserve transparency, not silence. We hope they will share in the very near future so affected or potentially affected organizations can understand their exposure to a vulnerability that is being actively exploited in the wild.”


    Source: thehackernews.com…

  • Oracle EBS Under Fire as Cl0p Exploits CVE-2025-61882 in Real-World Attacks

    Oct 07, 2025 | Ravie Lakshmanan | Cyber Attack / Ransomware

    CrowdStrike on Monday said it’s attributing the exploitation of a recently disclosed security flaw in Oracle E-Business Suite with moderate confidence to a threat actor it tracks as Graceful Spider (aka Cl0p), and that the first known exploitation occurred on August 9, 2025.

    The activity involves the exploitation of CVE-2025-61882 (CVSS score: 9.8), a critical vulnerability that facilitates remote code execution without authentication.

    The cybersecurity company also noted that it’s currently not known how a Telegram channel “insinuating” collaboration between Scattered Spider, LAPSUS$ (aka Slippy Spider), and ShinyHunters came into the possession of an exploit for the flaw, and whether they and other threat actors have leveraged it in real-world attacks.

    The Telegram channel has been observed sharing the purported Oracle EBS exploit, while criticizing Graceful Spider’s tactics.

    The observed activity so far involves an HTTP request to /OA_HTML/SyncServlet, resulting in an authentication bypass. The attacker then targets Oracle’s XML Publisher Template Manager by issuing GET and POST requests to /OA_HTML/RF.jsp and /OA_HTML/OA.jsp to upload and execute a malicious XSLT template.

    The commands in the malicious template are executed when it is previewed, resulting in an outbound connection from the Java web server process to attacker-controlled infrastructure over port 443. The connection is subsequently used to remotely load web shells to execute commands and establish persistence.

    It’s believed that one or more threat actors are in possession of the CVE-2025-61882 exploit for purposes of data exfiltration.

    “The proof-of-concept disclosure and the CVE-2025-61882 patch release will almost certainly encourage threat actors – particularly those familiar with Oracle EBS — to create weaponized POCs and attempt to leverage them against internet-exposed EBS applications,” it said.

    In a separate analysis, watchTowr Labs said, “The chain demonstrates a high level of skill and effort, with at least five distinct bugs orchestrated together to achieve pre-authenticated remote code execution.” The entire sequence of events is as follows:

    • Send an HTTP POST request containing a crafted XML to /OA_HTML/configurator/UiServlet to coerce the backend server to send arbitrary HTTP requests by means of a Server-Side Request Forgery (SSRF) attack
    • Use a Carriage Return/Line Feed (CRLF) Injection to inject arbitrary headers into the HTTP request triggered by the pre-authenticated SSRF
    • Use this vulnerability to smuggle requests to an internet-exposed Oracle EBS application via “apps.example.com:7201/OA_HTML/help/../ieshostedsurvey.jsp” and load a malicious XSLT template

    The attack, at its core, takes advantage of the fact that the JSP file can load an untrusted stylesheet from a remote URL, opening the door for an attacker to achieve arbitrary code execution.

    “This combination lets an attacker control request framing via the SSRF and then reuse the same TCP connection to chain additional requests, increasing reliability and reducing noise,” the company said. “HTTP persistent connections, also known as HTTP keep-alive or connection reuse, let a single TCP connection carry multiple HTTP request/response pairs instead of opening a new connection for every exchange.”
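
    The request paths named by CrowdStrike and watchTowr above can be turned into a hunt over web access logs. The script below is an added example, not code from either vendor or the original article; it assumes common/combined log format and time-ordered lines, the 10-minute correlation window is an assumption, and the sample log lines are constructed.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Common/combined access-log prefix: client, timestamp, method, URI, status.
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')
WINDOW = timedelta(minutes=10)       # assumption: correlation window, tune locally
# RF.jsp and OA.jsp carry normal EBS traffic, so they only count after SyncServlet.
FOLLOW_UP = ("/oa_html/rf.jsp", "/oa_html/oa.jsp")

def hunt(log_text):
    """Return (rule, client, time, uri) tuples for requests matching the reported paths."""
    findings, sync_seen = [], {}
    for raw in log_text.strip().splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ip, uri = m["ip"], m["uri"]
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = unquote(uri.split("?", 1)[0]).lower()    # decode %2e%2e, ignore case
        rule = None
        if "/oa_html/help/../" in path:
            rule = "help-traversal"
        elif m["method"] == "POST" and path.startswith("/oa_html/configurator/uiservlet"):
            rule = "uiservlet-post"
        elif path.startswith("/oa_html/syncservlet"):
            sync_seen[ip] = ts                           # remember for correlation
            rule = "syncservlet-request"
        elif (path.startswith(FOLLOW_UP) and ip in sync_seen
              and timedelta(0) <= ts - sync_seen[ip] <= WINDOW):
            rule = "template-manager-after-syncservlet"
        if rule:
            findings.append((rule, ip, ts.isoformat(), uri))
    return findings

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE = """
203.0.113.7 - - [07/Oct/2025:10:00:01 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 512
203.0.113.7 - - [07/Oct/2025:10:00:05 +0000] "GET /OA_HTML/RF.jsp?constructed=1 HTTP/1.1" 302 0
203.0.113.7 - - [07/Oct/2025:10:00:09 +0000] "POST /OA_HTML/OA.jsp HTTP/1.1" 200 2048
198.51.100.20 - - [07/Oct/2025:10:02:00 +0000] "GET /OA_HTML/OA.jsp HTTP/1.1" 200 9000
198.51.100.33 - - [07/Oct/2025:10:05:00 +0000] "POST /OA_HTML/configurator/UiServlet HTTP/1.1" 200 100
127.0.0.1 - - [07/Oct/2025:10:05:01 +0000] "GET /OA_HTML/help/%2e%2e/ieshostedsurvey.jsp HTTP/1.1" 200 100
"""

if __name__ == "__main__":
    for finding in hunt(SAMPLE):
        print(*finding, sep="  ")
```

    A hit on any rule is a lead for review, not proof of compromise; pair it with a check for outbound connections from the Java web server process over port 443, which the article describes as the next observable step.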

    The Cybersecurity and Infrastructure Security Agency (CISA) has since added CVE-2025-61882 to its Known Exploited Vulnerabilities (KEV) catalog, noting that it has been used in ransomware campaigns and urging federal agencies to apply the fixes by October 27, 2025.

    “Cl0p has been exploiting multiple vulnerabilities in Oracle EBS since at least August 2025, stealing large amounts of data from several victims, and has been sending extortion emails to some of those victims since last Monday,” Jake Knott, principal security researcher at watchTowr, said in a statement.

    “Based on the evidence, we believe this is Cl0p activity, and we fully expect to see mass, indiscriminate exploitation from multiple groups within days. If you run Oracle EBS, this is your red alert. Patch immediately, hunt aggressively, and tighten your controls — fast.”


    Source: thehackernews.com…

  • New Report Links Research Firms BIETA and CIII to China’s MSS Cyber Operations

    Oct 06, 2025 | Ravie Lakshmanan | Network Security / Cyber Espionage

    A Chinese company named the Beijing Institute of Electronics Technology and Application (BIETA) has been assessed to be likely led by the Ministry of State Security (MSS).

    The assessment comes from evidence that at least four BIETA personnel have clear or possible links to MSS officers and their relationship with the University of International Relations, which is known to share links with the MSS, according to Recorded Future. The names of the four individuals include Wu Shizhong, He Dequan, You Xingang, and Zhou Linna.

    “BIETA and its subsidiary, Beijing Sanxin Times Technology Co., Ltd. (CIII), research, develop, import, and sell technologies that almost certainly support intelligence, counterintelligence, military, and other missions relevant to China’s national development and security,” the company said in a report shared with The Hacker News.

    “Their activities include researching methods of steganography that can likely support covert communications (COVCOM) and malware deployment; developing and selling forensic investigation and counterintelligence equipment; and acquiring foreign technologies for steganography, network penetration testing, and military communications and planning.”

    According to information shared on its website, BIETA is a “research and development institution” that specializes in communication technology, multimedia information processing technology, multimedia information security technology, computer and network technology application research, and special circuit development. It’s said to have existed in some form since 1983.

    One of BIETA’s core focus areas concerns the use of steganography across several media, with CIII also receiving copyrights for software related to the covert communication tactic. CIII has also developed various applications for uploading files to Baidu Cloud and OneDrive, communicating with friends, and carrying out network simulations and penetration testing against websites, mobile apps, enterprise systems, servers, databases, cloud platforms, and Internet of Things devices.

    As recently as November 2021, the company worked on a tool named Intelligent Discussion Android App and a cell phone positioning system that can identify, monitor, position, and block mobile phones within large venues, including the ability to harvest text messages and calls from phones under their control.

    Other solutions advertised by CIII range from communication simulation to network functionality testing tools, as well as a program called Datacrypt Hummingbird online storage upload software. That said, there is limited public information on how these programs may have augmented the MSS.

    The Mastercard-owned company noted both BIETA and CIII “almost certainly” are part of a set of front organizations that contribute to the development of tools to facilitate cyber-enabled intelligence operations by Beijing’s intelligence apparatus and its proxies.

    “BIETA’s research is almost certainly used to create technologies that enable the MSS’s mission. The MSS then likely makes capabilities benefiting from BIETA’s achievements available to subordinate state security departments, bureaus, and officers, which in turn provide them to their contractors or proxies,” it said.

    The disclosure comes a little over a month after cybersecurity company Spur uncovered a Chinese proxy and VPN service called WgetCloud (formerly GaCloud) that has been put to use in cyber campaigns allegedly orchestrated by a North Korean threat actor known as Kimsuky.

    “Whether or not they purchased a subscription or acquired this particular Trojan proxy through other means is unknown,” it said. “This highlights the broader risk of APT proxy infrastructure blending into commercial offerings.”


    Source: thehackernews.com…