Palo Alto, California, 9th October 2025, CyberNewsWire

**Palo Alto, California, October 9th, 2025, CyberNewsWire**

As AI Browsers rapidly gain adoption across enterprises, SquareX has released critical security research exposing major vulnerabilities that could allow attackers to exploit AI Browsers to exfiltrate sensitive data, distribute malware and gain unauthorized access to enterprise SaaS apps. The timing of this disclosure is particularly significant as major companies including OpenAI, Microsoft, Google and The Browser Company have announced or released their own AI browsers. With Chrome and Edge alone representing 70% of the browser market share, it is very likely that the majority of consumer browsers in the future will be AI Browsers. Thus, it is critical for organizations to prepare for these security risks associated with this fundamental change.

> “Just like any AI Agent, AI Browsers are trained to complete tasks, not to be security aware. This makes it trivial for attackers to trick browsers like Comet into performing malicious tasks, by convincing them that it is a necessary part of the workflow they are completing,” warns Vivek Ramachandran, Founder of SquareX, “With two major consumer browsers publicly announcing their entry to the AI Browser race, it is inevitable that AI Browsers will be the primary way we interact with the internet in the future. Without the right browser-native solution that can implement guardrails on these AI Browsers that take into account agentic identity and agentic DLP, millions of users will be at risk.”

In the technical blog, SquareX discloses a few ways Comet was exploited, illustrating each with case studies. In one example, in completing a research task, Comet fell prey to an OAuth attack, providing attackers with full access to the victim’s email and Google Drive. This allowed attackers to exfiltrate every file stored on the victim’s account, including those shared by colleagues and customers. In another, the AI browser was completing tasks in the user’s inbox – a common use case advertised by Comet itself – when it ended up distributing a malicious link to the victim’s colleague through a calendar invite. Other examples include tricking Comet into downloading known malwares and emailing sensitive files to attackers. 

Unfortunately, existing solutions like EDRs and SASE/SSE have limited visibility into browsers. Today, there is no way to differentiate between activities performed by a user or Comet, as both network requests originate from the same browser. Thus, it is critical that enterprises have a browser-native solution that can differentiate between agentic and user identities, allowing them to apply differentiated guardrails on the data and actions that the AI browser can access or perform.

> In a commentary on SquareX’s research, Stephen Bennett, Group CISO at Domino’s Pizza Enterprises Ltd., says “Browsers have always been our universal gateway to the internet. AI browsers are the next logical step where instead of simply displaying information, the browser acts autonomously on our behalf. The trade off? Where we were once firmly in the driving seat, AI browsers will push us to be passengers.”

With the increasing integration of agentic AI into browsers, AI agents may soon dominate browsing activity over human users. This shift necessitates a collaboration between enterprises, browser developers, and cybersecurity companies to create robust security frameworks and protective measures to prevent attackers from exploiting AI Browsers. SquareX’s findings provide a crucial warning about the dangers of relying on traditional solutions to solve modern threats, and hopes to serve as an encouragement for an urgent industry-wide cooperation.

**About SquareX**

SquareX‘s browser extension turns any browser on any device into an enterprise-grade secure browser, including AI Browsers. SquareX’s industry-first Browser Detection and Response (BDR) solution empowers organizations to proactively defend against browser-native threats including rogue AI agents, Last Mile Reassembly Attacks, malicious extensions and identity attacks. Unlike dedicated enterprise browsers, SquareX seamlessly integrates with users’ existing consumer browsers, delivering security without compromising user experience. More information about SquareX’s research-led innovation is available at www.sqrx.com.

**Contact**

**Head of PR**  
**Junice Liew**  
**SquareX**  
**\[email protected\]**

SquareX Shows AI Browsers Fall Prey to OAuth Attacks, Malware Downloads and Malicious Link Distribution

Newark, United States, 9th October 2025, CyberNewsWire

**Newark, United States, October 9th, 2025, CyberNewsWire**

**Lightship Security****, an Applus+ Laboratories company and accredited cryptographic security test laboratory, and the** **OpenSSL Corporation****, the co-maintainer of the OpenSSL Library, announce the submission of OpenSSL version 3.5.4 to the Cryptographic Module Validation Program (CMVP) for FIPS 140-3 validation.**

This submission confirms that **the code is complete** and that **all included algorithms have successfully passed NIST testing and independent laboratory review**. The final **CMVP review and certificate issuance** remain as the last step in the process.

This submission marks a significant milestone in the ongoing collaboration between Lightship Security and the OpenSSL Corporation to provide validated cryptographic solutions that meet modern security and compliance requirements. The OpenSSL 3.5.4 FIPS Object Module provides an open-source, standards-compliant cryptographic module aligned with the FIPS 140-3 standard, enabling organisations across government and industry to deploy secure and compliant solutions once the validation certification is issued on the completion of the final step in the process.

**OpenSSL 3.5**, released in April 2025, introduced support for **post-quantum cryptographic (PQC) algorithms**, including ML-KEM, ML-DSA, and SLH-DSA, consistent with NIST’s PQC standardisation. This submission is the first step toward a FIPS-140 validated PQC-ready module, supporting organisations preparing for quantum-resistant cryptographic deployments.

Jason Lawlor, President of Lightship Security, said:

> “The submission of OpenSSL 3.5.4 to the CMVP marks an important step in sustaining validated, standards-based cryptography within one of the world’s most widely used open-source libraries—foundational to internet infrastructure, embedded systems, and enterprise applications. Lightship Security is proud to continue supporting OpenSSL’s FIPS 140-3 validation efforts to meet both current and emerging compliance requirements for global users.”

Tim Hudson, President of the OpenSSL Corporation, said:

> “OpenSSL 3.5.4 is not just a step toward future validation. It represents a completed, tested, and ready module that brings real value today. The final certificate will formalise what is already true: OpenSSL 3.5.4 meets the requirements of FIPS 140-3 while introducing post-quantum readiness for the years ahead.”

This effort continues the history of the OpenSSL Library FIPS 140 validated modules that are widely deployed across **government, defence, and commercial systems to support secure and compliant operations**.

**About The OpenSSL Corporation**

The OpenSSL Corporation is a global leader in cryptographic solutions, specializing in developing and maintaining the OpenSSL Library – an essential tool for secure digital communications. The OpenSSL Corporation provides a range of services tailored to assist businesses of all sizes to ensure the secure and efficient implementation of OpenSSL solutions. The OpenSSL Corporation also supports projects aligned with its Mission and Values by providing infrastructure, resources, expert advice, and engagement through advisory committees, particularly in the commercial sector. Collaboration among these projects fosters innovation, enhances security standards, and effectively addresses common challenges, benefiting all our communities.

**Contact**

**MarCom Manager**  
**Hana Andersen**  
**OpenSSL Software Services**  
**\[email protected\]**

Lightship Security and the OpenSSL Corporation Submit OpenSSL 3.5.4 for FIPS 140-3 Validation

FortiGuard Labs reveals Chaos-C++, a new Chaos ransomware variant that deletes files over 1.3 GB instead of encrypting them and uses clipboard hijacking to steal cryptocurrency.

Cybersecurity researchers at Fortinet’s FortiGuard Labs have found that the already destructive Chaos ransomware has taken a worrying turn, becoming faster and far more aggressive than before.

This new version, known as Chaos-C++ ransomware, emerged in 2025. It targets Microsoft Windows users and represents a significant shift, as it is believed to be the first version of the malware not written in the .NET programming language. Instead, its creation in C++ allows it to execute destructive actions at increased speed.

****The Evolution of Chaos Ransomware****

The Chaos ransomware family’s older variants, like Chaos\_2021, BlackSnake, and Lucky\_Gh0$t, were crude and unreliable; they frequently acted as unintentional wiper malware, simply deleting large files while encrypting small ones (< 2 MB in some cases). The new variant changes the game completely.

Instead of slowly encrypting everything, it surgically skips files between 50 MB and 1.3 GB. Its primary goal is speed, allowing it to hit the network and disappear before security systems can react. It focuses on massive, high-value files (like server backups) over 1.3 GB and instantly deletes them without any attempt at encryption. This ensures the maximum amount of damage with zero chance of recovery.

As per FortiGuard Labs’ analysis, shared with Hackread.com, this unusual strategy means the largest, most critical files are rendered unrecoverable, regardless of whether a ransom is paid. In short, Chaos-C++ is built for speed and maximum irreversible destruction.

The researchers note that this destructive variant has effectively perfected the wiper behaviour seen inconsistently in its predecessors, shifting the focus from financial extortion to maximising damage/speed.

Evolution of Chaos Ransomware’s File Handling Strategy and Ransom note (Source: FortiGuard Labs)

It is distributed via a fake tool called System Optimizer v2.1, tricking users into installing the malware while it runs in the background. The attack culminates with the malware dropping a ransom note in the affected directories, demanding payment and providing contact information.

****Stealing Cryptocurrency****

Further probing revealed that Chaos-C++ also introduces a new, sneaky function of clipboard hijacking. This is a mechanism mainly designed for cryptocurrency theft. When a user copies a Bitcoin wallet address to their clipboard, for example, to paste it for a payment, the ransomware checks the address’s format.

If it recognises a valid Bitcoin wallet, it automatically swaps it with a hardcoded address belonging to the attacker. As a result, any cryptocurrency payment a victim attempts to make is redirected straight to the criminal’s wallet.

It shows how ransomware continues to evolve to become “faster, smarter, and more dangerous,” researchers conclude. To avoid becoming a victim, users are advised to be extremely cautious of downloading and running any unauthorised software.

New Chaos-C++ Ransomware Targets Windows by Wiping Data, Stealing Crypto

Hackers are using fake Microsoft Teams installers found in search results and ads to deploy the Oyster backdoor. Learn how to protect your PC from this remote-access threat.

A major new threat is targeting everyday computer users by hiding a dangerous program inside what looks like a genuine Microsoft Teams installer. This malicious program, known as Oyster (or sometimes Broomstick), is a backdoor that gives cybercriminals secret, long-term access to a victim’s computer. The security group Blackpoint Cyber’s Advisory Pursuit team is actively watching this widespread campaign and shared its details with Hackread.com.

****How the Attack Works****

Attackers use a two-part trick in search engines to get users to download their malicious files. First, they use SEO poisoning to make their fake download pages rank high in search results. Second, they use malvertising, which means paying for malicious advertisements that pop up when people search for “Teams download.” After all, many people trust the first few results they see.

If you click one of these fake links, you land on a spoofed website. One of the observed domains was teams-install.top. Once there, you are tricked into downloading a file named MSTeamsSetup.exe.

Killchain Explained and The Malicious Domain (Source: Blackpoint Cyber)

Further probing revealed that the criminals even signed their fake installers with untrustworthy certificates, issued by companies like 4th State Oy and NRM NETWORK RISK MANAGEMENT INC., to make the file look legitimate and bypass basic security checks. When you run this file, the Oyster backdoor silently installs itself, and the real Microsoft Teams program might also launch to avoid suspicion.

****Oyster: The Invisible Spy****

Oyster is a versatile malware that establishes Command and Control (C2) communication. For your information, C2 is basically a secret line of contact that lets the attackers send instructions to the compromised machine from their own servers.

The research identified examples of these attacker-controlled servers, such as nickbush24.com or techwisenetwork.com. This remote control allows them to gather information about your system or even deliver more damaging viruses.

To maintain long-term access, the malware also secretly creates a recurring “scheduled task” on the machine, named CaptureService. It is linked to a hidden malicious file, guaranteeing the connection will start up again even after a restart.

It is worth noting that this particular attack has been effective because the malware can blend in easily with normal computer activity, even managing to get past some well-known security programs.

This kind of attack is not new, and, according to Jason Barnhizer, Director of Threat Operations at Blackpoint Cyber, “this activity mirrors earlier fake PuTTY campaigns, underscoring an ongoing trend of adversaries weaponising trusted software brands to gain initial access.”

Blackpoint Cyber researchers strongly advise everyone to download software cautiously. To stay safe, you should always go straight to the official vendor’s website (like Microsoft’s actual domain) or use a saved bookmark, rather than casually clicking on links that appear in search results or advertisements.

Watch Sam Decker and Nevan Beal from Blackpoint discuss the Oyster Backdoor.

Fake Teams Installers Dropping Oyster Backdoor (aka Broomstick)

Met Police arrested two teenagers over the Kido nursery ransomware attack, which exposed data for 8,000 children. Full details on the hack and police investigation.

The UK Metropolitan Police (Met) have arrested two 17-year-old boys in connection with the major ransomware attack that compromised the data of thousands of children at the Kido nursery chain.

The arrests, on suspicion of computer misuse and blackmail, took place on Tuesday, October 7, 2025, in Bishop’s Stortford, Hertfordshire. The operation was carried out by officers from the Met’s specialist Cyber Crime Unit.

****Details of the Extortion Campaign****

The ongoing police investigation was launched on September 25 after the ransomware group, Radiant, claimed to have stolen sensitive data on approximately 8,000 young children and their families.

The scope of the breach was alarming as the stolen information included names, home addresses, photographs, contact details for parents and carers, and critically, confidential medical records and safeguarding notes. Hackers reportedly gained access to the data through Famly, a third-party software service widely used by the nursery group.

Radiant employed extreme tactics to extort the company. They demanded a ransom of approximately £600,000 in Bitcoin, called parents directly to pressure the nursery into paying, and posted some children’s photos on the dark web.

However, the group faced massive backlash, including criticism from within the cybercriminal community, which resulted in a swift retreat. In a highly unusual turn, Radiant first blurred the images and then claimed to have deleted all the stolen files on October 2. One cybercriminal was quoted by the BBC as stating, “All child data is now being deleted. No more remains, and this can comfort parents.”

****Police and Nursery Responses****

Following the arrests, Will Lyne, the Met’s Head of Economic and Cybercrime, issued a statement reassuring the community that the force is taking the matter “extremely seriously” and working to bring those responsible to justice.

The Kido nursery group also released a statement welcoming the police action. A Kido spokesperson stated: “We welcome this swift action from the Met and recognise this is an important milestone in the process of bringing those responsible to justice.”

The two boys remain in custody for questioning as the investigation is ongoing.

****Education Sector’s Growing Vulnerability****

The Kido incident shows just how serious the cyber crisis is for the education sector, which is frequently held back by limited IT funding, making schools and nurseries prime targets for ransomware.

Cybersecurity firms AtlastVPN and Sophos’ June 2023 investigation, reported by Hackread, revealed that 80% of lower education providers were hit by ransomware in one year. Recent findings by Forcepoint’s X-Lab have warned of campaigns using the Remcos (RAT) Remote Access Trojan (RAT), delivered via deceptive phishing emails sent from compromised small business or school accounts to appear trustworthy.

The Kido attack, where children’s data was used for extortion, represents an “absolute new low” in cybercrime, claimed cybersecurity firm Check Point, showing that protecting student data is no longer an IT task but a critical safety and security priority.

UK Police Arrest Two Teens Over Kido Nursery Ransomware Attack

Tel Aviv, Israel, 8th October 2025, CyberNewsWire

**Tel Aviv, Israel, October 8th, 2025, CyberNewsWire**

Miggo Security, pioneer and innovator in Application Detection & Response (ADR) and AI Runtime Defense, today announced it has been recognized as a Gartner Cool Vendor in AI Security. To us, this recognition underscores Miggo’s mission to close the detection-to-mitigation gap that plagues security teams today by providing comprehensive, fast, and precise analysis and response for what applications actually do at runtime. 

Traditional security approaches are failing to match the dynamic, behavioral reality of modern applications. In fact, Gartner writes, “Through 2029, over 50% of successful cybersecurity attacks against AI agents will exploit access control issues, using direct or indirect prompt injection as an attack vector.” However, Miggo’s runtime behavioral security can handle any application from traditional to AI-incorporated features, to AI apps themselves and AI agents. We believe Miggo Security’s ADR platform is cool because of how it detects and responds to security flaws in applications in a matter of minutes, combining unique runtime context with AI-augmented reasoning, risk analysis and actionable defense.

Miggo’s predictive analysis, preemptive protection, and real-time response is built specifically for the risks of AI-driven environments.

> “This recognition by Gartner, in my opinion, validates the vision and innovation that define Miggo Security,” said Daniel Shechter, CEO and Co-Founder of Miggo Security. “We believe Application Detection & Response is the future of runtime security in the AI era to give CISOs and security teams the ability to know, prove, and shield AI-native threats in real time.”

Miggo’s differentiators include:

*   **DeepTracing Technology:** Detects AI-native threats, zero-days, and emerging attack patterns in real time.
*   **AppDNA & Predictive Vulnerability Database:** Cuts vulnerabilities backlog by 99% with deep context and automated AI proving engine. 
*   **Miggo WAF Copilot:** Generate custom WAF rules in minutes, protecting against emerging threats
*   **Agentless Integration:** Deploys seamlessly with Kubernetes, traces, and application profiles, eliminating friction.
*   **Force Multiplier for Teams:** Provides centralized AI-driven context, helping security and engineering teams align faster while reducing overhead by 30% or more.

The GARTNER COOL VENDOR badge is a trademark and service mark of Gartner, Inc., and/or its affiliates, and is used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s Research & Advisory organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. Cool Vendors is a registered trademark of Gartner, Inc. and/or its affiliates and is used herein with permission. All rights reserved.  

**About Miggo Security**

Miggo Security delivers real-time application detection and response (ADR), empowering enterprises to identify and neutralize application threats. With its AI-augmented platform, Miggo helps organizations secure both traditional and AI-driven applications at scale, reducing exposure windows by up to 99% and cutting operational overhead by 30% or more.

For more information, users can visit www.miggo.io.

**Contact**

**CEO**  
**Omri Hurwitz**  
**Omri Hurwitz Media**  
**\[email protected\]**

Miggo Security Named a Gartner® Cool Vendor in AI Security

OpenAI's new report warns hackers are combining multiple AI tools for cyberattacks, scams, and influence ops linked to China, Russia, and North Korea.

OpenAI’s latest “Disrupting Malicious Uses of AI” report shows that hackers and influence operators are moving toward a more organised use of artificial intelligence (**AI**). The findings reveal that adversaries are spreading their operations across multiple AI systems, for instance, using **ChatGPT** for reconnaissance and planning, while relying on other models for execution and automation.

The company noted that attackers haven’t changed their methods but have simply added AI to make their existing tactics faster and more efficient, whether that’s writing malware, refining phishing lures, or managing online scams.

While malicious AI tools such as **WormGPT and FraudGPT** are already known, **new ones** are now surfacing. SpamGPT helps cybercriminals bypass email security filters with targeted spam, while MatrixPDF turns ordinary PDF files into malware.

It is worth noting that this latest report comes four months after OpenAI’s **earlier publication**, which revealed that the company had shut down ten malicious AI operations linked to China, Russia, Iran, and North Korea, where adversaries heavily misused ChatGPT for malicious purposes.

****Russian, Korean and Chinese Operators Using AI for Targeted Attacks****

In one instance, Russian-speaking actors used ChatGPT to write and refine code for remote-access tools and **credential stealers**. The model refused direct malicious prompts, but the users extracted functional snippets to later assemble their tools elsewhere. OpenAI found no indication that these interactions gave the hackers capabilities they couldn’t already find through open-source code.

Korean-language operators used ChatGPT to assist with code debugging, credential theft routines, and phishing messages **related to cryptocurrency**. Each account handled specific technical tasks, such as browser extension conversion or VPN configuration, showing structured workflows similar to corporate development teams.

Chinese-language operators went further, asking the model to generate phishing content in multiple languages and help with malware debugging. Their activity coincided with campaigns reported by **Volexity** and **Proofpoint** that targeted academia, think tanks, and the semiconductor sector. According to OpenAI, these users aimed to increase efficiency rather than develop new attack methods.

****Organised Crime and Scam Operations****

The **report** also shows how AI is being exploited in established scam networks. Operations traced to Cambodia, Myanmar, and Nigeria used ChatGPT to translate messages, write fake investment pitches, and manage day-to-day logistics within “large-scale scam centers.”

In one example, scammers posed as financial advisors running fake trading groups on WhatsApp. They generated all the chat content with AI to make conversations seem authentic and convincing. Another network used ChatGPT to design fake online investment firm profiles, complete with fabricated employee biographies.

Interestingly, OpenAI found that ChatGPT is being used to detect scams about three times more often than it is used to create them, as people turn to the model to verify suspicious messages.

****State-Linked Abuses of AI****

OpenAI also reported accounts linked to Chinese government entities using ChatGPT to draft proposals for large-scale social media monitoring systems. One user requested help outlining a “High-Risk Uyghur-Related Inflow Warning Model,” which aimed to track individuals through travel and police data.

Other users focused on profiling and information gathering, asking ChatGPT to summarise posts by activists or identify petition organisers. The company said its models returned only public data, but the intent behind these requests raised concerns about surveillance-related use.

****Influence Operations in Russia and China****

The Russia-origin “Stop News” operation, previously disrupted by OpenAI and other tech firms, resurfaced using AI to write video scripts and promotional text. These were translated and turned into short videos shared on YouTube and TikTok, praising Russia and criticising Western nations. Although the campaign produced a steady stream of content, engagement remained low.

A separate operation, “Nine emdash Line,” appeared linked to China and focused on regional disputes in the **South China Sea**. The group generated English and Cantonese social media posts criticising the Philippines, Vietnam, and Hong Kong democracy activists. They also sought advice on boosting engagement through TikTok challenges and hashtags. Most of their posts gained little attention before the accounts were suspended.

****Expert Perspective****

“For the average reader, this might sound like a not particularly surprising trend. AI is being used in everything from generating cool chilli recipes to college essays, so why wouldn’t it be writing the code and other exploits needed for cyberattacks?” said **Evan Powell**, CEO of DeepTempo.

“What most may not realise is that cybersecurity defences are uniquely vulnerable to AI-powered attacks. Today’s defences are almost entirely based on static rules: if you see A and B while C, then that’s an attack and take action. Today’s AI attackers train their systems to avoid these fixed pattern detections, which allows them to slip into enterprises and government systems at an increasing rate,” he explained.

He added that attackers are now using AI not only to build tools but also to plan campaigns. “These types of campaigns, which combine detailed research, customised attacks, and repeated attempts to gain access, used to require expertise, patience, and a large team. Today, AI boosts the productivity of attackers, enabling even one person to carry out operations that once required a well-funded organisation or nation-state. The implications are terrifying.”

1.  **ShadowLeak Exploit Exposed Gmail Data via ChatGPT Agent**
2.  **Savvy Seahorse Using Fake ChatGPT in DNS Investment Scam**
3.  **Leaked ChatGPT Chats: Users Treat AI as Therapist, Lawyer, Confidant**
4.  **LegalPwn Tricks GenAI Tools Into Misclassifying Malware as Safe Code**
5.  **Malicious AI Models Are Behind a New Wave of Cybercrime, Cisco Talos**

OpenAI Finds Growing Exploitation of AI Tools by Foreign Threat Groups

Researchers warn of Shuyal Stealer, malware that gathers browser logins, system details, and Discord tokens, then erases evidence via Telegram.

Cybersecurity researchers at Point Wild’s Lat61 Threat Intelligence Team have found a new infostealer called Shuyal Stealer, a malware strain designed to steal login credentials from not one or two, but 17 different web browsers.

****How Shuyal Stealer Profiles and Exploits Systems****

Shuyal Stealer is also capable of profiling targeted machines in depth, collecting information about disks, input devices and display setups by using Windows Management Instrumentation commands. That kind of device mapping gives attackers a clear picture of a victim’s system, which can be used for targeted **identity theft** or other follow-on attacks.

The malware also captures contextual data that many infostealers ignore. It takes screenshots, records clipboard contents and extracts **Discord** authentication tokens. These capabilities let attackers have real context into what the victim is doing on their device, which can turn a straightforward password stealing into a complete account takeover and know more about the victim’s online activities than other malware would.

****Data Exfiltration and Persistence Methods****

According to the Lat61 **blog post** shared with HackRead.com, the malware compresses the collected files with PowerShell and sends them through a hardcoded **Telegram bot**. Researchers found a specific bot token and chat ID used to deliver the archive directly to the attacker’s account. After the transfer completes, Shuyal deletes the archive and clears traces to complicate forensic work.

Shuyal quietly copies its executable into the Windows Startup folder using the CopyFileA API. It also shuts down Task Manager processes and modifies the registry to disable Task Manager entirely, preventing users from spotting or stopping it.

Infection chain flow (Via Point Wild)

****Browser Targeting and Data Theft****

When analysing how it steals data, Point Wild’s researchers noted Shuyal’s efficiency. It specifically looks for the “Login Data” file found in browser directories, running a SQL query to extract URLs, usernames, and encrypted passwords.

Each stolen session or token is saved locally and then zipped for exfiltration. Files such as tokens.txt, clipboard.txt and ss.png document different parts of the victim’s digital life, from saved passwords to copied text and active windows. The malware keeps a history.txt log of which browsers and apps it scanned. Here is the list of targeted browsers:

1.  Tor
2.  Edge
3.  Epic
4.  Brave
5.  Opera
6.  Vivaldi
7.  Coc Coc
8.  Maxthon
9.  Chromium
10.  Waterfox
11.  Comodo
12.  Slimjet
13.  Yandex
14.  Falkon
15.  Chrome
16.  Opera GX
17.  360 Browser

****Self-Deletion, Expert Insight and Mitigation****

After exfiltration finishes, Shuyal runs a self-deletion routine. It launches a batch script named util.bat that removes the archive and related files, making incident response and attribution harder.

**Dr Zulfikar Ramzan**, CTO of Point Wild and head of the Lat61 Threat Intelligence Team, summarised the threat as a powerful infostealer that targets many browsers, disables Task Manager and quietly sends harvested data over Telegram, then removes its traces.

“Shuyal is an infostealer extraordinaire, built for breadth and stealth. It raids credentials from browsers, kills the Windows Task Manager, and quietly exfiltrates data over Telegram. It’s a smash-and-grab, then vanishes,” he said.

Unlike other infostealers, Shuyal Stealer is both a privacy and security risk because it takes credentials plus contextual data that help attackers turn stolen secrets into account takeovers. Its combination of system profiling, wide browser coverage and clean-up process places it among the more capable infostealers active today.

If you suspect an infection, Point Wild advises rebooting into Safe Mode with Networking and scanning with a **reliable antivirus**. The malware is detected as Trojan.W64.100925.Shuyal.YR.

New Shuyal Stealer Targets 17 Web Browsers for Login Data and Discord Tokens

Critical Redis flaw RediShell (CVE-2025-49844) exposes 60,000 servers to remote code execution. Patch immediately to prevent full system compromise.

A new vulnerability in **Redis**, now known as RediShell (CVE-2025-49844), has put tens of thousands of servers at risk of remote compromise. The flaw, rated with a maximum CVSS score of 10.0, has existed unnoticed in Redis code for over a decade and is now being called one of the most serious issues ever found in the open-source database.

The issue lies in a use-after-free bug in Redis’s Lua interpreter, which can be exploited through a malicious Lua script. Attackers can escape the interpreter’s sandbox and run arbitrary code on the host system. This level of access can allow theft of data, installation of malware, or the use of compromised servers for additional attacks.

Cybersecurity researchers from Wiz, who found the issue, estimate that about 330,000 Redis instances are currently exposed to the internet, with roughly 60,000 running without any authentication. Redis is commonly used in cloud environments for caching and session management, which means the reach of this vulnerability is far greater than typical software bugs.

The Redis team responded quickly, releasing a patched version and a security advisory on October 3. Wiz researchers had privately reported the issue in May after identifying it during **Pwn2Own Berlin**. The disclosure process was handled collaboratively, with Redis engineers coordinating fixes before public release.

The risk varies depending on how Redis is deployed. Instances exposed directly to the internet without authentication face the highest danger. In those setups, anyone could connect and run Lua scripts remotely, which provides a direct path for exploitation.

Even within internal networks, the bug poses significant exposure if authentication is weak or absent, as attackers already inside a corporate environment could exploit it for lateral movement.

Wiz’s **analysis** shared with Hackrad.com found that 57% of Redis deployments in cloud environments run as container images. Many of these containers are deployed without proper access controls or configuration checks, making them particularly vulnerable.

If exploited, an attacker could send a crafted Lua script to trigger the memory corruption, escape the sandbox, and establish full control over the host. Once inside, they could exfiltrate credentials, install miners or backdoors, and use stolen tokens to move across connected cloud systems.

Researchers are urging all Redis users to upgrade to the **latest version** and verify their configurations. Enabling authentication, disabling Lua scripting when not needed, restricting network access, and running Redis under a non-root account are key mitigation steps. Logging and monitoring should also be turned on to detect unusual activity.

“This newly disclosed Redis vulnerability is a reminder that technical debt doesn’t just live in code; it lives in configuration. Thirteen years of latent risk surfaced because default settings and weak segmentation went unobserved,” said **Anders Askasen**, VP of Product Marketing at Radiant Logic.

When foundational services like Redis run unauthenticated or exposed, they create invisible attack paths that can pivot directly into identity and access systems,” he added. “The answer isn’t just patching faster but seeing sooner. Identity observability provides the real-time visibility, control, validation, and remediation needed to uncover these blind spots before attackers do.”

The RediShell vulnerability shows how much modern infrastructure depends on open-source software and how old code can carry hidden risks for years. Redis is used by more than three-quarters of cloud environments, so patching and tightening security configurations should be treated as an immediate priority.

13-Year-Old RediShell Vulnerability Puts 60,000 Redis Servers at Risk

Latest reports suggest the critical GoAnywhere MFT vulnerability (CVE-2025-10035, CVSS 10.0) is actively exploited by the Medusa ransomware gang for unauthenticated RCE. Patch immediately.

A CVSS 10.0 deserialization vulnerability in Fortra’s GoAnywhere Managed File Transfer (MFT) solution is now being actively exploited by the Medusa ransomware group, according to a latest update from Microsoft.

The flaw, reported on September 25 by Hackread.com, is a dangerous deserialization vulnerability residing in the MFT’s License Servlet. This allows an attacker to achieve unauthenticated Remote Code Execution (RCE) and full system takeover.

By forging a license response signature, an attacker can bypass security checks, forcing the software to execute malicious code. This high-risk RCE capability makes all internet-exposed GoAnywhere instances highly vulnerable.

****The Exploitation Timeline and Independent Confirmation****

Although Fortra published an alert and patch on September 18, 2025, security researchers from watchTowr Labs found exploitation activity dating back to September 10, 2025, eight days before Fortra’s public advisory.

Detailed post-exploitation analysis from watchTowr Labs shows a consistent pattern: After achieving RCE, attackers established persistence by creating a covert administrative account named ‘admin-go’.

They then moved laterally by dropping binaries for legitimate Remote Monitoring and Management (RMM) tools like SimpleHelp and MeshAgent. The watchTowr team also suggested that Fortra’s advisory section on “Am I Impacted?” was a veiled method to share signs of compromise without fully admitting to the in-the-wild exploitation.

****Medusa Ransomware Confirmed****

The risk escalated significantly with an October 6, 2025, update from Microsoft Threat Intelligence. Microsoft confirmed that a cybercriminal group they track as Storm-1175, a known affiliate of Medusa ransomware, was observed actively targeting organisations starting on September 11, 2025.

In detailing this multi-stage attack, Microsoft confirmed the vulnerability exploitation led to command injection, system discovery, the use of RMM tools for persistent access, and ultimately, the successful deployment of Medusa ransomware in at least one compromised environment. Attackers were also observed using data transfer tools like Rclone for data exfiltration and setting up Cloudflare tunnels for secure Command and Control (C2).

“Just weeks after we confirmed evidence of in-the-wild exploitation of CVE-2025-10035, Microsoft has now linked the attacks to a known Medusa ransomware affiliate, confirming what we feared,” said watchTowr CEO and Founder, Benjamin Harris. Harris stressed that organisations using GoAnywhere MFT “have effectively been under silent assault since at least September 11, with little clarity from Fortra.”

****Immediate Action Required****

Fortra has urgently advised customers to upgrade to the patched versions: version 7.8.4 or the Sustain Release 7.6.3. The vulnerability’s severe nature has led to its addition to the CISA Known Exploited Vulnerabilities (KEV) Catalogue.

All organisations with exposed systems must apply the patch immediately to prevent future attacks. Given the confirmed exploitation activity, a full forensic review is necessary for systems that were exposed to determine if an initial compromise occurred before the update was applied.