⚡ Weekly Recap: Lazarus Hits Web3, Intel/AMD TEEs Cracked, Dark Web Leak Tool & More
Cyberattacks are getting smarter and harder to stop. This week, hackers used sneaky tools, tricked trusted systems, and quickly took advantage of new security problems—some just hours after being found. No system was fully safe.
From spying and fake job scams to strong ransomware and tricky phishing, the attacks came from all sides. Even encrypted backups and secure areas were put to the test.
Keep reading for the full list of the biggest cyber news from this week—clearly explained and easy to follow.
**⚡ Threat of the Week**
Motex Lanscope Flaw Exploited to Drop Gokcpdoor — A suspected Chinese cyber espionage actor known as Tick has been attributed to a targeted campaign that leveraged a recently disclosed critical security flaw in Motex Lanscope Endpoint Manager (CVE-2025-61932, CVSS score: 9.3) to infiltrate target networks and deploy a backdoor called Gokcpdoor. Sophos, which disclosed details of the activity, said it was “limited to sectors aligned with their intelligence objectives.”
**🔔 Top News**
- TEE.Fail Side-Channel Attack Extracts Secrets from Intel and AMD DDR5 Secure Enclaves — A low-cost physical side-channel attack has been found to break the confidentiality and security guarantees offered by modern Trusted Execution Environments (TEEs) from Intel and AMD, enabling full extraction of cryptographic keys and subversion of secure attestation mechanisms. The attack, codenamed TEE.fail, exploits deterministic encryption and DDR5 bus interposition to bypass protections in Intel’s SGX and TDX, as well as AMD’s SEV-SNP, by eavesdropping on memory transactions using a homemade logic analyzer setup built for under $1,000. That said, the attack requires physical access to the target as well as root-level privileges for kernel driver modification.
- Russian Hackers Target Ukraine With Stealth Tactics — Suspected Russian hackers breached Ukrainian networks this summer using ordinary administrative tools to steal data and remain undetected, researchers have found. According to a report by Broadcom-owned Symantec and Carbon Black, the attackers targeted a large Ukrainian business services company and a local government agency in two separate incidents earlier this year. What makes these attacks notable is that the hackers deployed little custom malware and instead relied heavily on living-off-the-land tactics, i.e., using legitimate software already present in the victims’ networks, to carry out their malicious actions. The targeted organizations were not named, and it remains unclear what information, if any, was stolen.
- N. Korea Targets Web3 Sector with GhostCall and GhostHire — The North Korea-affiliated threat actor BlueNoroff, also known under aliases APT38 and TA444, has resurfaced with two new campaigns dubbed GhostCall and GhostHire, targeting executives, Web3 developers, and blockchain professionals. The campaigns rely on social engineering via platforms like Telegram and LinkedIn to send fake meeting invites and initiate multi-stage malware chains to compromise Windows, Linux, and macOS hosts. GhostCall marks a major leap in operational stealth compared to earlier BlueNoroff operations, with the attackers relying on multiple layers of staging to sidestep detection. The GhostHire operation takes a different approach, targeting Web3 developers through fake job offers and recruitment tests. BlueNoroff is a financially motivated sub-cluster of the Lazarus Group, North Korea’s state-sponsored cyber unit linked to the Reconnaissance General Bureau (RGB), and is believed to operate the long-running SnatchCrypto campaign. GhostCall and GhostHire are assessed to be the latest extensions of this campaign. The threat actor’s strategy is said to have evolved beyond cryptocurrency and browser credential theft to comprehensive data acquisition across a range of assets. “This harvested data is exploited not only against the initial target but also to facilitate subsequent attacks, enabling the actor to execute supply chain attacks and leverage established trust relationships to impact a broader range of users,” Kaspersky said.
- New Android Banking Malware Herodotus Mimics Human Behavior — Researchers have discovered a new Android banking malware called Herodotus that evades detection by mimicking human behavior when remotely controlling infected devices. The malware is advertised by a little-known hacker who goes by the name K1R0. Herodotus works like many modern Android banking trojans. Operators distribute it through SMS messages that trick users into downloading a malicious app. Once installed, the malware waits for a targeted application to be opened and then overlays a fake screen that mimics the real banking or payment interface to steal credentials. It also intercepts incoming SMS messages to capture one-time passcodes and exploits Android’s accessibility features to read what’s displayed on the device screen. What makes Herodotus unusual, ThreatFabric said, is that it tries to “humanize” the actions attackers undertake during remote control. Instead of pasting stolen details into form fields all at once — a behavior that can easily be flagged as automated — the malware types each character separately with random pauses of about 0.3 to 3 seconds between keystrokes, imitating how a real person would type.
- Qilin Ransomware Uses Linux Encryptors in Windows Attacks — The Qilin ransomware actors have been observed leveraging the Windows Subsystem for Linux (WSL) to launch Linux encryptors in Windows in an attempt to evade detection. Qilin, which emerged in mid-2022, has attacked more than 700 victims across 62 countries this year. The sustained rate of victims claimed on its data leak site underscores Qilin’s position as one of the most active and pernicious ransomware operations worldwide. In new attacks spotted by Trend Micro, Qilin affiliates have been seen using WinSCP to transfer the Linux ELF encryptor to compromised devices, which is then launched through the Splashtop remote management software. This is accomplished by enabling or installing WSL on the host, allowing them to natively run Linux binaries on Windows without the need for a virtual machine.
**🔥 Trending CVEs**
Hackers move fast. They often exploit new vulnerabilities within hours, turning a single missed patch into a major breach. One unpatched CVE can be all it takes for a full compromise. Below are this week’s most critical vulnerabilities gaining attention across the industry. Review them, prioritize your fixes, and close the gap before attackers take advantage.
This week’s list includes — CVE-2025-55315 (QNAP NetBak PC Agent), CVE-2025-10680 (OpenVPN), CVE-2025-55752, CVE-2025-55754 (Apache Tomcat), CVE-2025-52665 (Ubiquiti UniFi Access), CVE-2025-12044, CVE-2025-11621 (HashiCorp Vault), CVE-2025-43995 (Dell Storage Manager), CVE-2025-5842 (Veeder-Root TLS4B Automatic Tank Gauge System), CVE-2025-24893 (XWiki), CVE-2025-62725 (Docker Compose), CVE-2025-12080 (Google Messages for Wear OS), CVE-2025-12450 (LiteSpeed Cache plugin), CVE-2025-11705 (Anti-Malware Security and Brute-Force Firewall plugin), CVE-2025-55680 (Microsoft Cloud Files Minifilter driver), CVE-2025-6325, CVE-2025-6327 (King Addons for Elementor plugin), CVE-2025-49401 (Quiz and Survey Master plugin), CVE-2025-54603 (Claroty Secure Remote Access), and CVE-2025-10932 (Progress MOVEit Transfer).
**📰 Around the Cyber World**
Canada Warns of Hacktivist Attacks Targeting Critical Infra — The Canadian Centre for Cyber Security has issued an alert warning of attacks mounted by hacktivists targeting internet-exposed industrial control systems (ICS). “One incident affected a water facility, tampering with water pressure values and resulting in degraded service for its community,” the Cyber Centre said. “Another involved a Canadian oil and gas company, where an Automated Tank Gauge (ATG) was manipulated, triggering false alarms. A third one involved a grain drying silo on a Canadian farm, where temperature and humidity levels were manipulated, resulting in potentially unsafe conditions if not caught on time.” Organizations are being recommended to ensure all services are properly inventoried, documented, and protected.
Kinsing Exploits Apache ActiveMQ Flaw — The threat actor known as Kinsing is exploiting CVE-2023-46604, a known flaw in Apache ActiveMQ, to conduct cryptojacking attacks on both Linux and Windows systems. The latest set of attacks, observed by AhnLab, is notable for the deployment of a .NET backdoor called Sharpire, along with XMRig and Stager. “Sharpire is a .NET backdoor that supports PowerShell Empire,” the South Korean cybersecurity company said. “During the process of taking control of the infected system, the threat actor uses CobaltStrike, Meterpreter, and PowerShell Empire together.” It’s worth noting that Kinsing was spotted exploiting the same flaw following its public disclosure in 2023.
2 Flaws in 8 Confidential Computing Systems — Two security flaws (CVE-2025-59054 and CVE-2025-58356) have been disclosed in eight different confidential computing systems (Oasis Protocol, Phala Network, Flashbots TDX, Fortanix Salmiac, Edgeless Constellation, Edgeless Contrast, and Cosmian VM) that use Linux Unified Key Setup version 2 (LUKS2) for disk encryption. A partial mitigation has been introduced in cryptsetup version 2.8.1. “Using these vulnerabilities, a malicious actor with access to storage disks can extract all confidential data stored on that disk and can modify the contents of the disk arbitrarily,” Trail of Bits researcher Tjaden Hess said. “The vulnerabilities are caused by malleable metadata headers that allow an attacker to trick a trusted execution environment guest into encrypting secret data with a null cipher.” That said, exploitation of this issue requires write access to encrypted disks. There is no evidence that the vulnerabilities were exploited in the wild.
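A defender-side policy check of the kind the LUKS2 finding calls for, added here as an example that is not part of the original article, of cryptsetup, or of Trail of Bits’ research: it inspects the JSON metadata area of a LUKS2 header (field names follow the LUKS2 on-disk format; the sample headers are constructed and abbreviated) and rejects a volume whose keyslot or data-segment cipher is cipher_null or outside an allowlist before the guest unlocks it. The allowlist and key-length policy are this example’s assumptions, not cryptsetup defaults.

```python
import json

# Policy for this example (not a cryptsetup default): ciphers a confidential VM
# guest accepts for its persistent volume, the minimum volume-key length and
# the password-based KDFs it will honour.
ALLOWED_CIPHERS = {"aes-xts-plain64", "aes-cbc-essiv:sha256"}
MIN_KEY_BYTES = 32          # aes-xts-plain64 carries two 256-bit keys (64 bytes)
ALLOWED_KDFS = {"pbkdf2", "argon2i", "argon2id"}


def _check_cipher(where, cipher):
    """Return a list of problems with one declared cipher string."""
    if not cipher:
        return [f"{where}: no cipher declared"]
    if cipher.startswith("cipher_null"):
        return [f"{where}: null cipher {cipher!r} would write plaintext"]
    if cipher not in ALLOWED_CIPHERS:
        return [f"{where}: cipher {cipher!r} not in allowlist"]
    return []


def audit_luks2_metadata(metadata):
    """Return policy violations found in LUKS2 JSON metadata (a str or a parsed
    dict); an empty list means the header matches the policy. The JSON area is
    unauthenticated on disk, so this only rejects headers that openly declare a
    weak or null cipher; it does not replace the cryptsetup 2.8.1 mitigation."""
    meta = json.loads(metadata) if isinstance(metadata, str) else metadata
    problems = []
    segments = meta.get("segments") or {}
    keyslots = meta.get("keyslots") or {}
    digests = meta.get("digests") or {}

    if not segments:
        problems.append("no data segment declared")
    for sid, seg in segments.items():
        if seg.get("type") != "crypt":
            problems.append(f"segment {sid}: type {seg.get('type')!r} is not 'crypt'")
            continue
        problems += _check_cipher(f"segment {sid}", seg.get("encryption"))
        # Every data segment should be bound to a digest; an unbound segment is
        # one the passphrase check never covers.
        if not any(sid in d.get("segments", []) for d in digests.values()):
            problems.append(f"segment {sid}: not bound to any digest")

    if not keyslots:
        problems.append("no keyslots declared")
    for kid, slot in keyslots.items():
        area = slot.get("area") or {}
        problems += _check_cipher(f"keyslot {kid} area", area.get("encryption"))
        if slot.get("key_size", 0) < MIN_KEY_BYTES:
            problems.append(f"keyslot {kid}: volume key of {slot.get('key_size')} bytes is too short")
        kdf = (slot.get("kdf") or {}).get("type")
        if kdf not in ALLOWED_KDFS:
            problems.append(f"keyslot {kid}: kdf {kdf!r} not allowed")
    return problems


def is_volume_acceptable(metadata):
    return not audit_luks2_metadata(metadata)


def sample_header(cipher):
    """Constructed LUKS2 JSON area (salts and digests abbreviated), parameterised
    on the cipher so a sound and a null-cipher header can be compared."""
    return {
        "keyslots": {"0": {"type": "luks2", "key_size": 64,
                           "af": {"type": "luks1", "stripes": 4000, "hash": "sha256"},
                           "area": {"type": "raw", "offset": "32768", "size": "258048",
                                    "encryption": cipher, "key_size": 64},
                           "kdf": {"type": "argon2id", "time": 4, "memory": 1048576,
                                   "cpus": 4, "salt": "<base64 salt, constructed>"}}},
        "tokens": {},
        "segments": {"0": {"type": "crypt", "offset": "16777216", "size": "dynamic",
                           "iv_tweak": "0", "encryption": cipher, "sector_size": 512}},
        "digests": {"0": {"type": "pbkdf2", "keyslots": ["0"], "segments": ["0"],
                          "hash": "sha256", "iterations": 100000,
                          "salt": "<base64 salt, constructed>",
                          "digest": "<base64 digest, constructed>"}},
        "config": {"json_size": "12288", "keyslots_size": "16744448"},
    }


GOOD_HEADER = sample_header("aes-xts-plain64")
GOOD_HEADER_JSON = json.dumps(GOOD_HEADER)
NULL_CIPHER_HEADER = sample_header("cipher_null-ecb")

if __name__ == "__main__":
    for name, hdr in (("sound header", GOOD_HEADER), ("null-cipher header", NULL_CIPHER_HEADER)):
        print(name, "->", audit_luks2_metadata(hdr) or "accepted")
```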
Hackers Abuse LinkedIn to Target Finance Executives — Hackers are abusing LinkedIn to target finance executives with direct-message phishing attacks that impersonate executive board invitations, with the aim of stealing their Microsoft credentials. The messages contain a malicious URL which, when clicked, triggers a redirect chain that leads victims to a fake landing page instructing them to sign in with their Microsoft account credentials to view a document. The phishing page also implements bot protection like Cloudflare Turnstile to block automated scanners. “Sending phishing lures via social media apps like LinkedIn is a great way to reach employees in a place that they expect to be contacted by people outside of their organization,” Push Security said. “By evading the traditional phishing control point altogether (email) attackers significantly reduce the risk of interception.”
WhatsApp Adds Support for Passkey-Encrypted Backups — WhatsApp has announced a new way to access encrypted backups with passkey support. “Passkeys will allow you to use your fingerprint, face, or screen lock code to encrypt your chat backups instead of having to memorize a password or a cumbersome 64-digit encryption key,” WhatsApp said. “Now, with just a tap or a glance, the same security that protects your personal chats and calls on WhatsApp is applied to your chat backups so they are always safe, accessible, and private.” The change is expected to be rolled out gradually over the coming weeks and months. Passkeys are a passwordless authentication method based on the FIDO industry standard. They are designed to replace passwords with cryptographic keys stored on the user’s device and secured by biometric or device-lock methods. WhatsApp launched support for passkeys on Android in October 2023 and for iOS in April 2024.
12 Malicious VS Code Extensions Flagged — Cybersecurity researchers have flagged a set of 12 malicious components in the Visual Studio Code (VS Code) extension marketplace that come with capabilities to steal sensitive information or plant a backdoor that establishes a persistent connection with an attacker-controlled server address and executes arbitrary code on the user’s host. “Malware in IDE plugins is a supply chain attack channel that enterprise security teams need to take seriously,” HelixGuard said. The development comes as Aikido reported that the threat actors behind the GlassWorm campaign targeting the VS Code extension marketplace and Open VSX have moved to GitHub, employing the same Unicode steganography trick to hide their malicious payloads within JavaScript projects. The supply chain security company said the use of hidden malicious code injected with invisible Unicode Private Use Area (PUA) characters was first observed in a set of malicious npm packages back in March 2025. “These incidents highlight the need for better awareness around Unicode misuse, especially the dangers of invisible Private Use Area characters,” security researcher Ilyas Makari said. “Developers can only defend against what they can see, and right now, most tools are not showing them enough. Neither GitHub’s web interface nor VS Code displayed any sign that something was wrong.”
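A scanner for the invisible-character trick described above, added here as an example that is not part of the original article or of Aikido’s tooling: it walks a source file and reports each run of Private Use Area, unassigned and zero-width format code points with its line and column, so a review step can show what the GitHub web interface and VS Code did not. The JavaScript sample it checks is constructed.

```python
import unicodedata

# Unicode general categories that should never appear unexplained in source code:
# Co = Private Use Area (used by GlassWorm to hide payload bytes), Cf = invisible
# format characters such as zero-width space/joiner, Cn = unassigned code points.
SUSPICIOUS_CATEGORIES = {
    "Co": "private-use",
    "Cf": "invisible-format",
    "Cn": "unassigned",
}


def _kind(ch, index):
    """Classify one character; None means it is ordinary."""
    if index == 0 and ch == "\ufeff":
        return None  # a byte-order mark at the very start of a file is legitimate
    return SUSPICIOUS_CATEGORIES.get(unicodedata.category(ch))


def scan_source(text):
    """Return findings for `text`, one per contiguous run of suspicious characters.
    Each finding records the 1-based line and column where the run starts, its
    classification, its length and the first code point, which is what a reviewer
    needs to locate characters that editors render as nothing at all."""
    findings = []
    current = None           # the run being extended, or None
    line, col = 1, 1
    for index, ch in enumerate(text):
        kind = _kind(ch, index)
        if kind is None:
            current = None   # an ordinary character ends any run
        elif current is not None and current["kind"] == kind:
            current["length"] += 1
        else:
            current = {"line": line, "col": col, "kind": kind,
                       "length": 1, "first": f"U+{ord(ch):04X}"}
            findings.append(current)
        if ch == "\n":
            line, col = line + 1, 1
        else:
            col += 1
    return findings


def has_hidden_characters(text):
    return bool(scan_source(text))


# Constructed sample: an innocuous-looking module with a run of Private Use Area
# characters hidden inside a string literal and a zero-width space splitting an
# identifier. Neither is visible in a typical editor or diff view.
SAMPLE_JS = (
    "// build metadata\n"
    'const version = "1.2.3";\n'
    'const build = "release\ue000\ue0a1\ue0b2\ue0c3";\n'
    "const is\u200bAdmin = false;\n"
    "module.exports = { version, build, isAdmin };\n"
)

if __name__ == "__main__":
    for f in scan_source(SAMPLE_JS):
        print(f"line {f['line']}, col {f['col']}: {f['kind']} run of {f['length']} "
              f"starting at {f['first']}")
```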
Proton Releases Data Breach Observatory — Swiss privacy-focused company Proton has released Data Breach Observatory as a way to scan the dark web for leaks of sensitive data from enterprises. It said over 306.1 million records have been leaked from 794 breaches, with retail, technology, and media emerging as the most targeted sectors. “Small- and medium-sized businesses (companies with 1–249 employees) accounted for 70.5% of the breaches reported,” the company said. “Larger companies (250–999 employees) accounted for 13.5% of data breaches, and enterprise organizations of more than 1,000+ employees accounted for the remaining 15.9%. SMBs are perfect targets for hackers, because while they might offer a smaller payday than an enterprise organization, they’re much easier to breach because they have fewer security protections in place.”
Russia Arrests 3 in Connection with Meduza Infostealer — Russian authorities arrested three individuals who are believed to have created and sold the Meduza infostealer. The suspects were arrested last week in the Moscow metropolitan area, according to Russia’s Interior Ministry. Authorities said they seized computer equipment, phones, and bank cards during raids on the suspects’ homes. The Ministry’s spokesperson, Irina Volk, said the malware was used in attacks against at least one government network in the Astrakhan region. In a report published last September, Russian security firm BI.ZONE said Meduza was used in multiple attacks targeting Russian organizations last year.
Ukrainian National Extradited to U.S. for Conti Attacks — A Ukrainian national believed to be a member of the Conti ransomware operation has been extradited to the U.S. “From in or around 2020 and continuing until about June 2022, Oleksii Oleksiyovych Lytvynenko, 43, of Cork, Ireland, conspired with others to deploy Conti ransomware to extort victims and steal their data,” the U.S. Justice Department said. “Lytvynenko controlled data stolen from numerous Conti victims and was involved in the ransom notes deployed on the victims’ systems.” Lytvynenko was arrested by Irish authorities in July 2023. He is charged with computer fraud conspiracy and wire fraud conspiracy. If convicted, he faces a maximum penalty of 5 years in prison for the computer fraud conspiracy and 20 years in prison for the wire fraud conspiracy. According to estimates, Conti was used to attack more than 1,000 victims worldwide, resulting in at least $150 million in ransom payments as of January 2022. While the group shut down the “Conti” brand in 2022, its members have split into smaller crews and moved to other ransomware or extortion operations. Four of Lytvynenko’s alleged co-conspirators, Maksim Galochkin, Maksim Rudenskiy, Mikhail Mikhailovich Tsarev and Andrey Yuryevich Zhuykov, were indicted in 2023.
FCC to Eliminate Cybersecurity Requirements for U.S. Telcos — The U.S. Federal Communications Commission (FCC) said it will vote next month to eliminate new cybersecurity requirements for telecommunication providers. “Following extensive FCC engagement with carriers, the item announces the substantial steps that providers have taken to strengthen their cybersecurity defenses,” Brendan Carr, chairman of the FCC, said.
Denmark Backs Off from E.U. Chat Control — The Danish government has formally withdrawn its Chat Control legislation after the controversial proposal failed to garner majority support among E.U. bloc members. The German government, on October 8, announced it would not support the plan. While Chat Control was presented as a way to combat the threat arising from Child Sexual Abuse Material (CSAM), critics of the proposal said it would mandate scanning of all private digital communications, including encrypted messages and photos, threatening privacy and security for all citizens in the region.
Poland Arrests 11 for Running Investment Scam — Polish authorities have arrested 11 suspects who ran an investment scam scheme that relied on call centers located overseas to trick Polish citizens into investing their money in bogus investment websites. The gang allegedly made more than $20 million from at least 1,500 victims.
4 New RATs Use Discord for C2 — Cybersecurity researchers have shed light on four new remote access trojans (RATs) that utilize the Discord platform for command-and-control (C2). This includes UwUdisRAT, STD RAT, Minecraft RAT, and Propionanilide RAT. “Minecraft RAT […] is operated by a threat actor group who call themselves ‘STD Group,’” ReversingLabs said. “They also operate a series of very closely related RATs that use Discord as their C2 mechanism. The RATs are so closely related that they may be the same code base, just rebranded.” Propionanilide RAT, on the other hand, features a packer called Proplock or STD Crypter to decrypt and launch the Discord RAT functionality.
Security Weaknesses in Tata Motors Sites — A number of security issues have been uncovered in Tata Motors’ sites like E-Dukaan, FleetEdge, and cvtestdrive.tatamotors[.]com, including exposed Azuga API keys, two AWS keys, and an embedded “backdoor” account. Together, these granted unauthorized access to over 70 TB of sensitive information and infrastructure across hundreds of buckets, allowed its test drive fleet management system to be compromised, and gave admin access to a Tableau account managed by the conglomerate. Following responsible disclosure by security researcher Eaton Zveare in August 2023 in coordination with India’s Computer Emergency Response Team (CERT-In), the issues were eventually addressed by early January 2024. In recent months, Zveare has also demonstrated methods to break into Intel’s internal websites and identified flaws in an unnamed automaker’s centralized dealer platform that could have been abused to gain complete control over the systems of more than 1,000 car dealerships in the U.S. by creating a national admin account. The researcher also identified an API-level security defect in an unspecified platform that granted the ability to access commands to start and stop power generators. While the problem was rectified in October 2023, the platform is no longer active.
Tangerine Turkey Uses Batch and Visual Basic Scripts to Drop Crypto Miners — A cryptocurrency mining campaign dubbed Tangerine Turkey has been found leveraging batch files and Visual Basic Scripts to gain persistence, evade defenses, and deploy XMRig miners across victim environments. Since its emergence in late 2024, the campaign is assessed to have expanded in scope, targeting organizations indiscriminately across multiple industries and geographies. “Initial access in the Tangerine Turkey malware campaign is achieved through an infected USB device,” Cybereason said. “The attack begins when the wscript.exe executes a malicious VB Script located on the removable drive. By leveraging living‑off-the‑land binaries such as wscript.exe and printui.exe, as well as registry modifications and decoy directories, the malware is able to evade traditional defenses and maintain persistence.”
Hezi Rash Targets Global Sites in Hacktivist Campaign — A new ideologically-motivated threat actor known as Hezi Rash (meaning Black Force) has been linked to approximately 350 distributed denial-of-service (DDoS) attacks targeting countries perceived as hostile to Kurdish or Muslim communities between August and October 2025. Founded in 2023, the Kurdish nationalist hacktivist group has described itself as a digital collective defending Kurdish society against cyber threats, per Check Point, while pushing a mix of nationalism, religion, and activism in its messaging. It’s believed that the threat actor is using tools and services from more established threat actors such as EliteStress, a DDoS-as-a-service (DaaS) platform linked to Keymous+, KillNet, and Project DDoSia and Abyssal DDoS v3. “While the technical impact of these attacks, such as temporary website outages, is evident, the broader business consequences remain unclear,” Check Point said. “The attacks appear to be of the ‘usual variety,’ focusing on disruption rather than sophisticated exploitation.” The disclosure follows a report from Radware, highlighting a surge in claimed DDoS activity between October 6 and October 8, 2025, by hacktivist groups targeting Israel. Some of the key participating groups include Sylhet Gang, Keymous+, Arabian Ghosts, and NoName057(16). “On October 7 alone, more than 50 cyberattack claims against Israeli targets were recorded,” Radware said. “The weekly average number of attacks claimed spiked to almost three times the average compared to the weeks preceding October 7. This sharp escalation underscores how hacktivist campaigns continue to use symbolic anniversaries to amplify their visibility and coordinate global action.”
Phishing Campaigns Distribute Lampion Stealer — A Brazilian threat group has been spotted employing bank transfer receipt lures containing ZIP files to drop the Lampion stealer by means of ClickFix-style lures embedded in HTML pages contained in the archive. The banking trojan has been active since at least 2019. “The first change was around mid September 2024, where the TAs started using ZIP attachments instead of links to a ZIP; the second change was around mid December 2024 with the introduction of ClickFix lures as a new social engineering technique; the last change was at the end of June 2025, where persistence capabilities were added to the first stage,” Bitsight said. The command executed following ClickFix paves the way for three different VB Scripts that ultimately deploy the DLL stealer component of the malware.
MITRE Releases ATT&CK v18 — The MITRE Corporation has released an updated version of the ATT&CK (v18) framework, which updates detections with two new objects: Detection Strategies for detecting specific attacker techniques and Analytics that provide platform-specific threat detection logic. “On the Mobile front, there’s coverage of state-sponsored abuse of Signal/WhatsApp-linked devices and enhanced account collection techniques,” MITRE said. “And in ICS, new and updated Asset objects expand the range of industrial equipment and attack scenarios ATT&CK can represent, including improved connections across sector-specific terminology through Related Assets.”
**🎥 Cybersecurity Webinars**
- Stop Drowning in Vulnerability Lists: Discover Dynamic Attack Surface Reduction — Tired of too many security problems and not enough time to fix them? Join The Hacker News and Bitdefender to learn about Dynamic Attack Surface Reduction (DASR)—a new way to quickly close security gaps using smart tools and automation. See how Bitdefender PHASR helps teams stay safe, reduce risk, and block threats before they cause harm.
- Securing Cloud Infrastructure: Strategies to Balance Agility, Compliance, and Security — As more companies move to the cloud, keeping data and access safe becomes harder. In this webinar, experts will share easy-to-follow tips to protect cloud systems, manage user access, and stay on top of global rules—all without slowing down your business. You’ll learn real steps you can take right away to keep your cloud secure and your team moving fast.
**🔧 Cybersecurity Tools**
- runZeroHound — A new handy open‑source toolkit from runZero that turns your asset data into visual “attack graphs” so you can see exactly how threats could move through your network. With this in hand, you’ll spot dangerous paths, close the gaps faster, and stay ahead of what attackers might try next.
- DroidRun — A security testing tool that helps researchers and analysts safely run and monitor Android malware in a sandboxed environment. It’s designed to make it easier to observe how malicious apps behave without risking your system. Suited to dynamic analysis, it supports automation and gives detailed insights into malware activity.
Disclaimer: These tools are for educational and research use only. They haven’t been fully security-tested and could pose risks if used incorrectly. Review the code before trying them, test only in safe environments, and follow all ethical, legal, and organizational rules.
**🔒 Tip of the Week**
Why Attack Surface Reduction Matters More Than Ever — What if your biggest risk isn’t a new zero-day—but something already sitting quietly inside your system?
This week, the spotlight turns to Attack Surface Reduction (ASR)—a strategy that’s fast becoming a must-have, not a nice-to-have. As companies spin up more cloud apps, APIs, and accounts, hackers are finding easy ways in through what’s already exposed. Think forgotten subdomains, unused ports, old user accounts. The more you have, the more they have to work with.
The good news? Open-source tools are stepping up. EasyEASM helps map what’s live on the web. Microsoft’s Attack Surface Analyzer shows what changes after updates or installs. ASRGEN lets you test smart rules in Windows Defender to shut down risky behaviors before they’re exploited.
Here’s the truth: you don’t have to stop building fast—you just have to build smart. Shrinking your attack surface doesn’t slow innovation. It protects it.
Don’t wait for an alert. Take control before attackers do. Map it. Cut it. Lock it down.
**Conclusion**
The big lesson this week? Cyber threats don’t always look like threats. They can hide in normal apps, trusted websites, or even job offers. It’s no longer just about stopping viruses—it’s about spotting tricks, acting fast, and thinking ahead. Every click, update, and login matters.
Cybersecurity isn’t a one-time fix. It’s an everyday habit.
Related news
The exploitation of a recently disclosed critical security flaw in Motex Lanscope Endpoint Manager has been attributed to a cyber espionage group known as Tick. The vulnerability, tracked as CVE-2025-61932 (CVSS score: 9.3), allows remote attackers to execute arbitrary commands with SYSTEM privileges on on-premise versions of the program. JPCERT/CC, in an alert issued this month, said that it
Hackers exploit critical XWiki flaw CVE-2025-24893 to hijack corporate servers for cryptomining, with active attacks confirmed by VulnCheck researchers.
Threat actors are actively exploiting multiple security flaws impacting Dassault Systèmes DELMIA Apriso and XWiki, according to alerts issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and VulnCheck. The vulnerabilities are listed below - CVE-2025-6204 (CVSS score: 8.0) - A code injection vulnerability in Dassault Systèmes DELMIA Apriso that could allow an attacker to
Docker Compose trusts the path information embedded in remote OCI compose artifacts. When a layer includes the annotations com.docker.compose.extends or com.docker.compose.envfile, Compose joins the attacker‑supplied value from com.docker.compose.file/com.docker.compose.envfile with its local cache directory and writes the file there. ### Impact This affects any platform or workflow that resolves remote OCI compose artifacts, Docker Desktop, standalone Compose binaries on Linux, CI/CD runners, cloud dev environments is affected. An attacker can escape the cache directory and overwrite arbitrary files on the machine running docker compose, even if the user only runs read‑only commands such as docker compose config or docker compose ps. ### Patches v2.40.2 ### Workarounds NA
The fix for bug 60013 introduced a regression where the rewritten URL was normalized before it was decoded. This introduced the possibility that, for rewrite rules that rewrite query parameters to the URL, an attacker could manipulate the request URI to bypass security constraints including the protection for /WEB-INF/ and /META-INF/. If PUT requests were also enabled then malicious files could be uploaded leading to remote code execution. PUT requests are normally limited to trusted users and it is considered unlikely that PUT requests would be enabled in conjunction with a rewrite that manipulated the URI. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.10, from 10.1.0-M1 through 10.1.44, from 9.0.0.M11 through 9.0.108. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.6 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.11 or later, 10.1.45 or later...
Tomcat did not escape ANSI escape sequences in log messages. If Tomcat was running in a console on a Windows operating system, and the console supported ANSI escape sequences, it was possible for an attacker to use a specially crafted URL to inject ANSI escape sequences to manipulate the console and the clipboard and attempt to trick an administrator into running an attacker controlled command. While no attack vector was found, it may have been possible to mount this attack on other operating systems. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.10, from 10.1.0-M1 through 10.1.44, from 9.0.40 through 9.0.108. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.60 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.11 or later, 10.1.45 or later or 9.0.109 or later, which fix the issue.
### Summary A malicious host may provide a crafted LUKS2 volume to a confidential computing guest that is using the [OpenCryptDevice](https://github.com/edgelesssys/constellation/blob/6eff250f16f8ae48221d412550e4a64a4bf0d77b/csi/cryptmapper/cryptmapper.go#L89) feature. The guest will open the volume and write secret data using a volume key known to the attacker. The attacker can also pre-load data on the device, which could potentially compromise guest execution. LUKS2 volume metadata is not authenticated and supports null key-encryption algorithms, allowing an attacker to create a volume such that the volume: - Opens (cryptsetup open) without error using any passphrase or token - Records all writes in plaintext (or ciphertext with an attacker-known key) - Contains arbitrary data chosen by the attacker ### Details The Constellation CVM image uses LUKS2-encrypted volumes for persistent storage. When opening an encrypted storage device, the CVM uses the `libcryptsetup` function [cry...
Security, trust, and stability — once the pillars of our digital world — are now the tools attackers turn against us. From stolen accounts to fake job offers, cybercriminals keep finding new ways to exploit both system flaws and human behavior. Each new breach proves a harsh truth: in cybersecurity, feeling safe can be far more dangerous than being alert. Here’s how that false sense of security
Vault and Vault Enterprise ("Vault") are vulnerable to an unauthenticated denial of service when processing JSON payloads. This occurs due to a regression from a previous fix for [HCSEC-2025-24](https://discuss.hashicorp.com/t/hcsec-2025-24-vault-denial-of-service-though-complex-json-payloads/76393) which allowed for processing JSON payloads before applying rate limits. This vulnerability, CVE-2025-12044, is fixed in Vault Community Edition 1.21.0 and Vault Enterprise 1.16.27, 1.19.11, 1.20.5, and 1.21.0.
Vault and Vault Enterprise's ("Vault") AWS Auth method may be susceptible to authentication bypass if the role of the configured bound_principal_iam is the same across AWS accounts, or uses a wildcard. This vulnerability is fixed in Vault Community Edition 1.21.0 and Vault Enterprise 1.21.0, 1.20.5, 1.19.11, and 1.16.27.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday added a critical security flaw impacting Motex Lanscope Endpoint Manager to its Known Exploited Vulnerabilities (KEV) catalog, stating it has been actively exploited in the wild. The vulnerability, CVE-2025-61932 (CVSS v4 score: 9.3), impacts on-premises versions of Lanscope Endpoint Manager, specifically Client
It’s easy to think your defenses are solid — until you realize attackers have been inside them the whole time. The latest incidents show that long-term, silent breaches are becoming the norm. The best defense now isn’t just patching fast, but watching smarter and staying alert for what you don’t expect. Here’s a quick look at this week’s top threats, new tactics, and security stories shaping
October's Microsoft Patch Tuesday fixes 170+ flaws, including 3 actively exploited zero-days and critical WSUS RCE (CVSS 9.8). Immediate patching is mandatory. Final free updates for Windows 10.
Microsoft on Tuesday released fixes for a whopping 183 security flaws spanning its products, including three vulnerabilities that have come under active exploitation in the wild, as the tech giant officially ended support for its Windows 10 operating system unless the PCs are enrolled in the Extended Security Updates (ESU) program. Of the 183 vulnerabilities, eight of them are non-Microsoft
# Microsoft Security Advisory CVE-2025-55315: .NET Security Feature Bypass Vulnerability

## <a name="executive-summary"></a>Executive summary

Microsoft is releasing this security advisory to provide information about a vulnerability in ASP.NET Core 10.0, ASP.NET Core 9.0, ASP.NET Core 8.0, and ASP.NET Core 2.3. This advisory also provides guidance on what developers can do to update their applications to address this vulnerability. Inconsistent interpretation of HTTP requests ('HTTP request/response smuggling') in ASP.NET Core allows an authorized attacker to bypass a security feature over a network.

## Discussion

Discussion for this issue can be found at https://github.com/dotnet/announcements/issues/372

### <a name="mitigation-factors"></a>Mitigation factors

Microsoft has not identified any mitigating factors for this vulnerability.

## <a name="affected-software"></a>Affected software

* Any ASP.NET Core 10.0 application running on ASP.NET Core 10.0.0-rc.1.25451.107 or earl...
### Impact

Any guest can perform arbitrary remote code execution through a request to `SolrSearch`. This impacts the confidentiality, integrity and availability of the whole XWiki installation. To reproduce on an instance, without being logged in, go to `<host>/xwiki/bin/get/Main/SolrSearch?media=rss&text=%7D%7D%7D%7B%7Basync%20async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7Dprintln%28"Hello%20from"%20%2B%20"%20search%20text%3A"%20%2B%20%2823%20%2B%2019%29%29%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D%20`. If there is an output, and the title of the RSS feed contains `Hello from search text:42`, then the instance is vulnerable.

### Patches

This vulnerability has been patched in XWiki 15.10.11, 16.4.1 and 16.5.0RC1.

### Workarounds

[This line](https://github.com/xwiki/xwiki-platform/blob/568447cad5172d97d6bbcfda9f6183689c2cf086/xwiki-platform-core/xwiki-platform-search/xwiki-platform-search-solr/xwiki-platform-search-solr-ui/src/main/resources/Main/SolrSearchMacros.xml#L955) in `Main.SolrSearchMa...
Debian Linux Security Advisory 5798-1 - Christopher L. Shannon discovered that the implementation of the OpenWire protocol in Apache ActiveMQ was susceptible to the execution of arbitrary code.
Threat actors linked to the RansomHub ransomware group encrypted and exfiltrated data from at least 210 victims since its inception in February 2024, the U.S. government said. The victims span various sectors, including water and wastewater, information technology, government services and facilities, healthcare and public health, emergency services, food and agriculture, financial services,
The Andariel group is targeting critical defense, aerospace, nuclear, and engineering companies for data theft, the FBI, NSA, and others said.
OX App Suite version 7.10.6 suffers from cross-site scripting and deserialization vulnerabilities.
Atlassian has released software fixes to address four critical flaws in its software that, if successfully exploited, could result in remote code execution. The list of vulnerabilities is below - CVE-2022-1471 (CVSS score: 9.8) - Deserialization vulnerability in SnakeYAML library that can lead to remote code execution in multiple products CVE-2023-22522 (CVSS score
The North Korean threat actors behind macOS malware strains such as RustBucket and KANDYKORN have been observed "mixing and matching" different elements of the two disparate attack chains, leveraging RustBucket droppers to deliver KANDYKORN. The findings come from cybersecurity firm SentinelOne, which also tied a third macOS-specific malware called ObjCShellz to the RustBucket campaign.
The Kinsing threat actors are actively exploiting a critical security flaw in vulnerable Apache ActiveMQ servers to infect Linux systems with cryptocurrency miners and rootkits. "Once Kinsing infects a system, it deploys a cryptocurrency mining script that exploits the host's resources to mine cryptocurrencies like Bitcoin, resulting in significant damage to the infrastructure and a negative
This Metasploit module exploits a deserialization vulnerability in the OpenWire transport unmarshaller in Apache ActiveMQ. Affected versions include 5.18.0 through to 5.18.2, 5.17.0 through to 5.17.5, 5.16.0 through to 5.16.6, and all versions before 5.15.16.
Cybersecurity researchers are warning of suspected exploitation of a recently disclosed critical security flaw in the Apache ActiveMQ open-source message broker service that could result in remote code execution. "In both instances, the adversary attempted to deploy ransomware binaries on target systems in an effort to ransom the victim organizations," cybersecurity firm Rapid7 disclosed in a
Apache ActiveMQ is vulnerable to Remote Code Execution. The vulnerability may allow a remote attacker with network access to a broker to run arbitrary shell commands by manipulating serialized class types in the OpenWire protocol to cause the broker to instantiate any class on the classpath. Users are recommended to upgrade to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fixes this issue.