Threat Advisories

LANDFALL is a previously undocumented Android spyware family observed targeting Samsung Galaxy devices via malformed DNG (Digital Negative) image files. The campaign exploited CVE-2025-21042, a zero-day in Samsung’s image-processing library, to achieve remote code execution—likely with a zero-click path when images were received over WhatsApp. Activity appears to have begun by July 2024 and continued into early 2025, predating Samsung’s April 2025 patch. Once resident, LANDFALL enabled full-spectrum surveillance, including microphone recording, location tracking, and exfiltration of photos, contacts, call logs and other device data. Targeting and infrastructure suggest a Middle East and North Africa focus. Attribution remains open; overlaps in tradecraft point toward commercial spyware ecosystems, but no vendor link is conclusive. 

SesameOp is a newly identified, stealthy .NET backdoor that exploits trusted cloud AI infrastructure—specifically OpenAI’s Assistants API—as a covert command-and-control (C2) channel. Discovered by Microsoft DART, this advanced threat blends into legitimate developer environments and HTTPS traffic, making detection extremely difficult. This advisory breaks down how the attack works, why it’s significant, and what defenders need to know to mitigate the risk.

On October 14, 2025, Microsoft attempted to patch a critical unauthenticated RCE in Windows Server Update Services (WSUS). The fix proved incomplete, and an out-of-band (OOB) update was released on October 23, 2025. Within hours, multiple firms observed active exploitation in the wild against Internet-exposed WSUS over TCP 8530/8531. CISA added the bug to the KEV catalog on October 24, 2025, and urged rapid remediation. Risk is severe: pre-auth RCE as SYSTEM on a central patching service enables lateral movement and potential internal supply-chain abuse.  

On 2025-10-26, ransomware operator “Everest Group” announced on their TOR-hosted web page that they had allegedly accessed the data of Dublin Airport regarding a large number of travellers to the airport. Early estimates for the potential number of affected victims range from 1-200K up to 1.5 Million, however no details have been positively confirmed.

Although unconfirmed it is likely that this data breach is related to the Collins Aerospace ransomware attack which occurred earlier in Sept 2025. A likely strategy for the Everest Group is to threaten individual airports and airlines, increasing the chance of successful payment. Everest Group has also threatened to release the data of Air Arabia on 2025-10-25, signaling that further aerospace organisations may face threats in the coming days.

Examination of the group’s TTPs suggests a heavy focus on social engineering and access broker techniques to gain initial access to victim’s environments. Research performed by the NCC group showed that Everest use legitimate, compromised accounts, removing the need for exploitation and privilege escalation which often raises suspicion among network defenders. The group has been operational since at least 2021, is linked to the “Blackbyte” and “Conti” ransomware groups and is a double extortion ransomware operator.

A notable communication by the group in 2023 showed the intention to recruit parties with access to systems which would be exchanged for monetary reward on completion of a successful attack. It is unclear whether this was intended for corporate employees, access brokers, or both.

Social engineering attacks abusing legitimate credentials appear to be common among modern high profile ransomware operators in that they can be used to bypass an organization's defenses if deployed correctly.

The Integrity360 Incident Response team recommends some practical steps to mitigate the risk of attacks which begin with social engineering:

F5 has revealed new details about a major cybersecurity incident involving a highly sophisticated nation-state threat actor who maintained prolonged access to parts of the company’s internal network. Discovered in August 2025, the breach allowed the attacker to infiltrate F5’s BIG-IP product development environment and engineering knowledge management platforms, where they exfiltrated files containing portions of BIG-IP source code and technical information about vulnerabilities that had not yet been disclosed. F5 emphasized that there is no evidence of any critical or remote code execution vulnerabilities being exploited, and no indication that the attackers gained access to F5’s customer relationship management, financial, support, or iHealth systems. 

Cyber security researchers have uncovered multiple malicious packages distributed through npm, PyPI, and RubyGems that secretly send stolen developer data to Discord channels. The attackers use Discord webhooks as a command-and-control (C2) mechanism, exploiting their simplicity and lack of authentication requirements. Since webhook URLs are “write-only,” defenders cannot easily review or delete the stolen data once it’s transmitted. 

CVE-2021-43226 is a local privilege-escalation vulnerability in the Microsoft Common Log File System (CLFS) driver that allows a local, authenticated attacker with standard user privileges to trigger a buffer-overflow in CLFS and obtain SYSTEM level code execution. CISA has confirmed evidence of active exploitation and placed the CVE in its KEV catalog. Organizations must prioritize patching and apply mitigations immediately. 

Redis has revealed a critical security flaw in its in-memory database software that carries the maximum possible severity rating, potentially allowing remote code execution in certain conditions. The vulnerability, identified as CVE-2025-49844 and nicknamed “RediShell,” has been assigned a CVSS score of 10.0. 

Oracle have released a new critical Advisory for a zero-day vulnerability, now tracked as “CVE-2025-61882” that is being actively exploited in the wild. This vulnerability, which affects the Oracle E-Business Suite has been assigned a CVSS 3.1 Base Score of 9.8 (CRITICAL). This allows an unauthenticated attacker with network access to compromise the system by enabling them to perform RCE (Remote Code Execution) on the affected host. 

A newly discovered Android banking trojan named Klopatra has infected more than 3,000 devices, with most cases observed in Spain and Italy. First identified by the Italian firm Cleafy in late August 2025, Klopatra is a sophisticated remote access trojan that leverages Hidden VNC to seize full control of compromised smartphones. It employs dynamic overlays to steal credentials and ultimately enables its operators to perform fraudulent financial transactions.