Threat Advisories

Cyber security analysts from Group-IB and UKUK have identified a continuing and expanding cyber-espionage operation run by the threat actor known as Bloody Wolf. Active since at least late 2023, the group has steadily evolved its methods while extending its reach across Central Asia. Their activity demonstrates a shift toward low-cost, legitimate remote-administration tools delivered through carefully crafted social-engineering campaigns. 

Scattered Lapsus$ Hunters group appears to be targeting Zendesk users in a new phishing campaign. 

Sha1-Hulud 2.0 is an aggressive evolution of the September 2025 Shai-Hulud npm supply chain attack. This second wave introduces preinstall-phase execution, enabling malware to run automatically during dependency installation, bypassing traditional static code scans. The campaign leverages compromised maintainer accounts to publish trojanized npm packages, impacting major projects like Zapier, ENS Domains, PostHog, and Postman 

SolarWinds has issued updates to address three critical vulnerabilities in its Serv-U file transfer software. If left unpatched, these flaws could allow an attacker with administrator-level access to execute arbitrary code on the underlying server. 

Summary (TL;DR) 
A Fortinet FortiWeb vulnerability is being actively exploited in the wild to create administrative accounts and gain persistent access to Internet-exposed FortiWeb appliances. Public proof-of-concept / exploit activity and weaponized code have appeared, and multiple monitoring/honeypot teams report exploitation since early November 2025. Exploitation yields full administrative control of the appliance (persistence, config tampering, credential access, logging disruption). Treat exposed FortiWeb management interfaces as high priority (critical) until patched or isolated. 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a heightened alert after confirming active exploitation of a critical security flaw impacting WatchGuard Firebox firewalls. The vulnerability, tracked as CVE-2025-9242 with a CVSS score of 9.3, has now been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, signaling its urgent priority for remediation. 

LANDFALL is a previously undocumented Android spyware family observed targeting Samsung Galaxy devices via malformed DNG (Digital Negative) image files. The campaign exploited CVE-2025-21042, a zero-day in Samsung’s image-processing library, to achieve remote code execution—likely with a zero-click path when images were received over WhatsApp. Activity appears to have begun by July 2024 and continued into early 2025, predating Samsung’s April 2025 patch. Once resident, LANDFALL enabled full-spectrum surveillance, including microphone recording, location tracking, and exfiltration of photos, contacts, call logs and other device data. Targeting and infrastructure suggest a Middle East and North Africa focus. Attribution remains open; overlaps in tradecraft point toward commercial spyware ecosystems, but no vendor link is conclusive. 

SesameOp is a newly identified, stealthy .NET backdoor that exploits trusted cloud AI infrastructure—specifically OpenAI’s Assistants API—as a covert command-and-control (C2) channel. Discovered by Microsoft DART, this advanced threat blends into legitimate developer environments and HTTPS traffic, making detection extremely difficult. This advisory breaks down how the attack works, why it’s significant, and what defenders need to know to mitigate the risk.

On October 14, 2025, Microsoft attempted to patch a critical unauthenticated RCE in Windows Server Update Services (WSUS). The fix proved incomplete, and an out-of-band (OOB) update was released on October 23, 2025. Within hours, multiple firms observed active exploitation in the wild against Internet-exposed WSUS over TCP 8530/8531. CISA added the bug to the KEV catalog on October 24, 2025, and urged rapid remediation. Risk is severe: pre-auth RCE as SYSTEM on a central patching service enables lateral movement and potential internal supply-chain abuse.  

On 2025-10-26, ransomware operator “Everest Group” announced on their TOR-hosted web page that they had allegedly accessed the data of Dublin Airport regarding a large number of travellers to the airport. Early estimates for the potential number of affected victims range from 1-200K up to 1.5 Million, however no details have been positively confirmed.

Although unconfirmed it is likely that this data breach is related to the Collins Aerospace ransomware attack which occurred earlier in Sept 2025. A likely strategy for the Everest Group is to threaten individual airports and airlines, increasing the chance of successful payment. Everest Group has also threatened to release the data of Air Arabia on 2025-10-25, signaling that further aerospace organisations may face threats in the coming days.

Examination of the group’s TTPs suggests a heavy focus on social engineering and access broker techniques to gain initial access to victim’s environments. Research performed by the NCC group showed that Everest use legitimate, compromised accounts, removing the need for exploitation and privilege escalation which often raises suspicion among network defenders. The group has been operational since at least 2021, is linked to the “Blackbyte” and “Conti” ransomware groups and is a double extortion ransomware operator.

A notable communication by the group in 2023 showed the intention to recruit parties with access to systems which would be exchanged for monetary reward on completion of a successful attack. It is unclear whether this was intended for corporate employees, access brokers, or both.

Social engineering attacks abusing legitimate credentials appear to be common among modern high profile ransomware operators in that they can be used to bypass an organization's defenses if deployed correctly.

The Integrity360 Incident Response team recommends some practical steps to mitigate the risk of attacks which begin with social engineering: