Critical Zero-Day Exploits Target Cisco ISE and Citrix NetScaler: Amazon Uncovers In-the-Wild Attacks
Executive Summary Amazon’s threat intelligence division has recently identified a highly sophisticated campaign leveraging zero-day vulnerabilities in Cisco Identity Services Engine (ISE) and Citrix NetScaler ADC/Gateway. These vulnerabilities, tracked as CVE-2025-20337 for Cisco ISE and CVE-2025-5777 for Citrix NetScaler (dubbed “Citrix Bleed 2”), were actively exploited in the wild prior to public disclosure and patch release. The attackers demonstrated advanced techn
Nov 16, 2025 · 5 min read


Shai-Hulud Worm Attack Compromises npm Registry: Over 46,000 Malicious Packages and Widespread Credential Theft
Executive Summary Between September 15 and September 23, 2025, a large-scale, self-propagating supply chain attack—publicly known as Shai-Hulud—compromised the npm JavaScript package registry. Over 46,000 fake and trojanized packages were published, with more than 500 legitimate packages confirmed as compromised, including widely used libraries such as @ctrl/tinycolor and @crowdstrike/commitlint. The attack leveraged a worm-like malware that harvested sensitive credential
Nov 13, 2025 · 6 min read


Critical Vulnerabilities Patched in Mozilla Firefox 145 and Google Chrome 142: Update Now to Prevent Remote Code Execution
Executive Summary Recent releases of Mozilla Firefox 145 and Google Chrome 142 have addressed multiple high-severity vulnerabilities that pose significant risks to enterprise and individual users alike. These vulnerabilities, if left unpatched, could enable remote code execution, sandbox escapes, and security policy bypasses, potentially allowing attackers to gain unauthorized access to sensitive data or escalate privileges within affected systems. While there is currently
Nov 13, 2025 · 6 min read


APT37 Exploits Google Find Hub to Wipe Android Devices in Targeted South Korean Attacks
Executive Summary Recent threat intelligence has uncovered a sophisticated campaign orchestrated by the North Korean state-sponsored group APT37 (also known as ScarCruft), in which adversaries are abusing the legitimate Google Find Hub (formerly known as Find My Device) service to remotely wipe Android devices. This attack chain leverages advanced social engineering, credential theft, and the exploitation of cloud-based device management features to achieve destructive ou
Nov 11, 2025 · 5 min read


GlassWorm Malware Infects Visual Studio Code Extensions: Open VSX and GitHub Supply Chain Attack Analysis
Executive Summary The resurgence of GlassWorm marks a significant escalation in the threat landscape for software supply chains, particularly those leveraging the Open VSX Registry and GitHub as distribution and collaboration platforms. GlassWorm is a highly sophisticated, self-propagating malware campaign that exploits the trust inherent in the Visual Studio Code (VS Code) extension ecosystem. By leveraging advanced obfuscation techniques, blockchain-based command and c
Nov 11, 2025 · 4 min read


LANDFALL Android Spyware Exploiting CVE-2025-21042 Zero-Day to Target Samsung Galaxy Devices
Executive Summary A sophisticated Android spyware campaign leveraging the newly discovered LANDFALL malware has been identified targeting users of Samsung Galaxy devices. This campaign exploits a critical zero-day vulnerability, CVE-2025-21042, in the Samsung image processing library, libimagecodec.quram.so, enabling remote code execution via malicious DNG (Digital Negative) image files. The attack vector is primarily through WhatsApp, where threat actors deliver weapon
Nov 11, 2025 · 5 min read


GlassWorm Malware Infects Thousands via Malicious Visual Studio Code Extensions: Supply Chain Attack Report
Executive Summary A critical supply chain attack, identified as GlassWorm, has been uncovered within the Visual Studio Code (VS Code) extension ecosystem. This campaign leverages malicious extensions to infiltrate developer environments, exfiltrate sensitive credentials, and propagate itself in a worm-like fashion. The attack is characterized by advanced obfuscation techniques, including the use of invisible Unicode characters, and a resilient blockchain-based command and c
Nov 11, 2025 · 4 min read


CVE-2025-12480: Triofox Zero-Day Exploited to Deploy Remote Access Tools via Antivirus Feature Misuse
Executive Summary A critical security vulnerability in the Triofox enterprise file-sharing and remote access platform, developed by Gladinet, is being actively exploited by sophisticated threat actors. Attackers are leveraging an authentication bypass flaw (CVE-2025-12480, CVSS 9.1) to gain unauthorized administrative access to Triofox servers. By abusing the platform’s antivirus configuration feature, adversaries are able to execute arbitrary code with SYSTEM privileges,
Nov 11, 2025 · 5 min read


Critical RCE Vulnerability (CVE-2025-12735) in JavaScript Library expr-eval and expr-eval-fork – Risk and Remediation Guide
Executive Summary A critical remote code execution (RCE) vulnerability, tracked as CVE-2025-12735, has been identified in the popular JavaScript library expr-eval and its actively maintained fork, expr-eval-fork. This vulnerability enables attackers to execute arbitrary code on affected systems by supplying malicious input to the library’s evaluate() function. The flaw is rated as critical with a CVSS score of 9.8, reflecting its ease of exploitation and the potential fo
Nov 11, 2025 · 5 min read


Landfall Android Spyware Exploits CVE-2025-21042 Zero-Day to Target Samsung Galaxy Devices via WhatsApp
Executive Summary A highly sophisticated Android spyware campaign, identified as LANDFALL, has been uncovered targeting users of Samsung Galaxy devices. This operation leveraged a critical zero-day vulnerability, CVE-2025-21042, within the Samsung image processing library, specifically libimagecodec.quram.so. The attack vector involved the delivery of malicious DNG (Digital Negative) image files, often transmitted via WhatsApp, which exploited the vulnerability in a zer
Nov 9, 2025 · 5 min read


GlassWorm Malware Resurfaces: 3 Malicious VSCode Extensions Discovered on OpenVSX Supply Chain
Executive Summary The GlassWorm malware campaign has re-emerged on the OpenVSX registry, targeting the Visual Studio Code (VSCode) ecosystem with three newly identified malicious extensions. These extensions, which have collectively been downloaded over 10,000 times, employ advanced obfuscation techniques—specifically, invisible Unicode characters—to evade both static and manual code analysis. The malware leverages the Solana blockchain for payload delivery and command-an
Nov 9, 2025 · 4 min read


Malicious NuGet Packages Plant Time-Delayed Logic Bombs Targeting .NET Database and ICS Systems
Executive Summary A new and highly sophisticated supply chain attack has been identified in the .NET ecosystem, leveraging malicious NuGet packages laced with hidden logic bombs set to detonate years after installation. These packages, published under the user shanhai666 between 2023 and 2024, target both database operations and industrial control systems (ICS) by embedding time-delayed sabotage mechanisms. The attack employs advanced techniques such as C# extension method
Nov 9, 2025 · 5 min read


Samsung Galaxy Zero-Day (CVE-2025-21042) Exploited to Deploy LANDFALL Android Spyware via WhatsApp DNG Images
Executive Summary A critical zero-day vulnerability in Samsung Galaxy mobile devices, tracked as CVE-2025-21042, has been actively exploited in the wild to deploy the advanced LANDFALL Android spyware. This campaign, uncovered by Palo Alto Networks Unit 42 and corroborated by multiple threat intelligence sources, leverages a flaw in the libimagecodec.quram.so image processing library. Attackers weaponized specially crafted DNG image files, often delivered via WhatsApp,
Nov 9, 2025 · 5 min read


Congressional Budget Office (CBO) Cisco ASA Firewall Breach: Cyberattack Details, Impact, and Security Measures Implemented
Executive Summary The Congressional Budget Office (CBO), a critical U.S. government agency responsible for providing nonpartisan budget and economic analysis to Congress, confirmed on November 6, 2025, that it had experienced a cybersecurity breach. The incident, which is under active investigation, potentially exposed sensitive government data to malicious actors. While the CBO has not officially attributed the breach to any specific threat actor, multiple independent sourc
Nov 9, 2025 · 7 min read


Cisco ASA and FTD Firewall Vulnerabilities: Active Exploitation of CVE-2025-20333 and CVE-2025-20362 Enables DoS Attacks and Full Device Compromise
Executive Summary Recent intelligence confirms that critical vulnerabilities in Cisco firewall products, specifically Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD), are being actively exploited in the wild. The vulnerabilities, tracked as CVE-2024-20353, CVE-2024-20359, and more recently CVE-2024-20362, enable remote attackers to bypass authentication and execute arbitrary code, leading to full device compromise. Notably, these flaws a
Nov 9, 2025 · 5 min read


Evolving ClickFix Attacks Targeting macOS: Social Engineering, Multi-Platform Payloads, and Credential Theft
Executive Summary ClickFix attacks represent a significant and rapidly evolving threat vector targeting macOS users, leveraging advanced social engineering and multi-platform payload delivery. These attacks utilize deceptive verification pages, dynamic OS detection, and psychological manipulation to coerce users into executing malicious terminal commands. The primary objective is credential theft, data exfiltration, and the deployment of sophisticated malware such as Atomic
Nov 9, 2025 · 4 min read


Trojanized ESET AV Remover Installers Spread Kalambur Backdoor in Targeted Phishing Attacks on Ukrainian Systems
Executive Summary A sophisticated cyber-espionage campaign has been identified targeting Ukrainian organizations through the use of trojanized ESET installers, which surreptitiously deploy the Kalambur backdoor. This operation, attributed to a Russia-aligned threat cluster known as InedibleOchotense, leverages highly convincing phishing lures that impersonate the reputable Slovak cybersecurity vendor ESET. The attackers utilize a combination of spear-phishing emails and i
Nov 9, 2025 · 5 min read


Microsoft Uncovers SesameOp Malware: OpenAI Assistants API Abused for Stealthy Command-and-Control Operations
Executive Summary Publication Date: November 3, 2025. Microsoft’s Detection and Response Team (DART) has uncovered a sophisticated backdoor, named SesameOp, which leverages the OpenAI Assistants API as a covert command-and-control (C2) channel. This innovative approach allows attackers to blend malicious activity with legitimate API communications, significantly complicating detection and mitigation efforts. This report provides a comprehensive analysis of the technical mec
Nov 4, 2025 · 5 min read


Cargo Freight Cyber Heists: Hackers Exploit ScreenConnect and SimpleHelp RMM Tools to Hijack Logistics Shipments
Executive Summary A new wave of cyberattacks is targeting the global logistics and freight sector, with threat actors weaponizing legitimate Remote Monitoring and Management (RMM) tools to hijack cargo freight operations. These attacks, first observed in mid-2025 and tracked by leading cybersecurity vendors such as Proofpoint and reported by TheHackerNews and BleepingComputer, exploit both unpatched vulnerabilities and the trusted status of RMM software to gain persisten
Nov 4, 2025 · 5 min read


DigitalMint and Sygnia Cybersecurity Insiders Indicted for ALPHV/BlackCat Ransomware Attacks on Critical U.S. Sectors
Executive Summary Between May 2023 and April 2025, three former employees of leading cybersecurity incident response firms—DigitalMint and Sygnia Cybersecurity Services—were indicted by U.S. prosecutors for orchestrating a series of high-impact ransomware attacks as affiliates of the ALPHV/BlackCat ransomware group. The defendants, including Kevin Tyler Martin and Ryan Clifford Goldberg, exploited their insider knowledge and access to conduct unauthorized intrusions, exfi
Nov 4, 2025 · 6 min read