SonicWall has confirmed that attackers accessed cloud backup configuration files for all customers using its backup service exposing encrypted credentials and network configurations.

In September 2025, SonicWall reported a data breach of its cloud backup service, stating that fewer than 5% of its customers were affected. At the time, the issue appeared contained and under investigation. That changed today after SonicWall and incident response firm Mandiant confirmed that the attackers had accessed backup configuration files for every customer using the service.

The breach began with a brute force attack targeting the MySonicWall cloud backup API, which stores encrypted firewall configuration files. These files include detailed network rules, credentials and routing data used to restore or replicate SonicWall firewalls. While the passwords and keys remain encrypted, the attackers now hold complete configuration data that could be valuable for mapping or exploiting customer networks.

> _“The investigation confirmed that an unauthorised party accessed firewall configuration backup files for all customers who have used SonicWall’s cloud backup service. The files contain encrypted credentials and configuration data; while encryption remains in place, possession of these files could increase the risk of targeted attacks.”_
> 
> SonicWall

SonicWall’s final investigation report says updated lists of affected devices are now available in the MySonicWall portal. Customers can see whether their firewalls are labelled “Active – High Priority,” “Active – Lower Priority,” or “Inactive,” depending on exposure level.

The company has also added new monitoring tools, strengthened its cloud infrastructure, and published detailed remediation guidance. Customers are advised to focus first on high-priority devices with internet-facing services, using the support tool provided to identify which configurations need immediate review.

SonicWall says it continues to work with Mandiant to reinforce its systems and assist affected customers. The company’s updated communication emphasises transparency and prevention after what has become one of its most extensive security incidents to date.

Ryan Dewhurst, Head of Proactive Threat Intelligence at watchTowr, said the breach is serious because of the type of data exposed. “Attackers gained access to a treasure trove of sensitive information, including firewall rules and encrypted credentials,” he said. “Even though passwords are encrypted, if they were weak, they can be cracked offline. And even without that, the configuration data gives attackers enough insight to plan more targeted attacks.”

He also questioned why a service hosting such sensitive data lacked basic protective measures. “A brute force attack on an API should have been blocked by rate limiting and stronger access controls,” Dewhurst noted.

SonicWall Says All Firewall Backups Were Accessed by Hackers

Zimperium's zLabs warns of ClayRat, a fast-spreading Android spyware targeting Russia. It hides in fake apps like TikTok and steals texts, calls records, and camera photos.

Cybersecurity researchers at Zimperium’s zLabs have identified a new and fast-spreading Android spyware known as ClayRat. This spyware is actively targeting Android users, primarily those in Russia, by disguising itself as trusted applications like WhatsApp, Google Photos, TikTok, and YouTube.

YouTube Plus impersonated (Image source: Zimperium)

****Tricking Users into Installation****

The attackers rely on clever social engineering tricks to get the malware onto devices. They set up fake websites that look convincingly like official service pages. For example, in one observed case, a fake GdeDPS landing page was used to trick visitors. These deceptive sites then redirect users to special Telegram channels, such as one named @baikalmoscow, where the malicious app file is hosted.

Further probing revealed that the operators even flood these channels with fake positive comments and download counts to reduce user suspicion before they install the app.

Victims prompted to join Telegram channel (Image source: Zimperium)

Once ClayRat is active, it unleashes alarming capabilities. It can steal a user’s text messages and full call history, take pictures secretly using the phone’s front camera, and even send new text messages or place calls directly from the victim’s device without any user permission.

****Covert & Quick Distribution Tactics****

zLabs’ research shared with Hackread.com ahead of publishing on Monday, shows ClayRat is growing quickly. Over the last three months, more than 600 different versions of the spyware and 50 ‘dropper’ apps (which are installers that hide the real harmful code) have been seen.

This volume of unique files and the speed at which they produce new versions is proof that the operators are constantly changing the software’s disguise to evade detection by security systems.

Regarding the malware’s propagation, researchers found that it abuses the powerful text messaging role on Android devices, known as the default SMS handler. This technique allows it to bypass standard security warnings and gain full access to sensitive data and functions.

It then automatically sends a malicious text to every person in the victim’s phone book. This message is generally in Russian as “Узнай первым! <link>” (English: “Be the first to know! <link>”), and because it looks like it’s coming from a trusted friend, recipients are likely to click it. This prompts every infected device to spread the infection to others, fuelling an exponential growth. It is worth noting that this ability to self-propagate is a major feature of the campaign.

_“_In many ways, mobile devices have taken us back a decade. In email, we have some protection against compromised users sending phishing lures; however, this doesn’t really exist in SMS. The result is that we artificially trust messages from our contacts, and that may include installing apps from outside Google Play,_“_ said John Bambenek, President at Bambenek Consulting.

_“_The key protection for any mobile device user is to only install applications from authorized play/app stores, even if they get a message from an otherwise familiar contact. This type of RAT technology, which allows victim devices to send authentic-looking messages or even make outgoing phone calls, cannot only be used to bypass MFA but to engage in even more sophisticated impersonation attacks,_“_ he warned.

Zimperium’s findings show a serious new threat, which for now is limited to Russia, but it can be about time it targets users worldwide. To protect your device from threats like ClayRat, stick strictly to the Google Play Store for all your apps and never install app files (APKs) sent via messages, social media, or random websites. Also, always be suspicious of any link you receive, even if it comes from a friend, especially if it prompts you to install an app or an update.

Fake TikTok and WhatsApp Apps Infect Android Devices with ClayRat Spyware

70,000 Discord users had government ID photos and private data exposed via a third-party vendor breach. See Discord's full response and critical security steps to protect your identity.

The popular voice and text platform Discord has confirmed a data breach incident affecting a significant number of its users who had submitted government identification for age verification. Discord, which boasts over 200 million monthly active users, confirmed the breach in an official update on October 3, 2025, which was reported by Hackread.com. This update explained that the compromise did not affect Discord’s main systems.

As per Discord’s latest statement published on October 8, 2025, approximately 70,000 users globally may have had photos of their government-issued IDs exposed in the breach. It is worth noting that this security failure did not happen directly on Discord’s main systems but through one of the platform’s third-party customer service providers. This reliance on external vendors for support operations has become a common point of vulnerability for many companies.

Further probing revealed the attackers, who claimed responsibility, accessed a customer support system, which they alleged was Discord’s Zendesk instance, for about 58 hours beginning on September 20, 2025. They reportedly gained access by compromising an account belonging to a support agent from an outsourced business company used by Discord.

****Conflicting Claims and Extortion Attempt****

While Discord limits the exposed ID photos to about 70,000 users, primarily those appealing age-related decisions, the attackers are claiming a much larger haul. For your information, VX-underground reported on October 8, 2025, that the hackers claimed to have stolen 1.5TB of age verification-related photos and that 2.1 million Discord users’ driver’s licenses and/or passports might be leaked.

The hackers allege they stole 1.6 TB of data, impacting 5.5 million unique users, by exploiting Zendesk’s internal support application (Zenbar) that allowed them to perform sensitive actions like disabling MFA and retrieving users’ phone numbers, emails, and internal data via API queries.

They claim 521,000 age-verification tickets were involved, suggesting the number of exposed IDs is far greater than the 70,000 confirmed by Discord (These claims remain unverified).

In response, Discord has publicly stated that the attackers are circulating inaccurate information about the breach of the customer service provider as part of an extortion attempt. However, Discord’s statement clarifies the situation and their next steps.

> _“First, as stated in our blog post, this was not a breach of Discord, but rather a third-party service we use to support our customer service efforts. Second, the numbers being shared are incorrect and part of an attempt to extort a payment from Discord….Third, we will not reward those responsible for their illegal actions.”_
> 
> Discord

Discord also confirmed that it has informed all affected users worldwide and is working closely with law enforcement agencies, data protection authorities, and external security experts. The company stated that it has secured the impacted systems and ended its relationship with the compromised vendor. It added that protecting users’ personal data remains a top priority and acknowledged the concern the incident may have caused.

****Security Steps for Affected Users****

The exposed user data, which includes information provided during support requests, may contain real names, usernames, email addresses, contact details, IP addresses, and partial payment information, such as the last four digits of a credit card. Discord has confirmed, however, that no full credit card numbers, passwords, or authentication data were accessed.

Still, all affected users should immediately enable Multi-Factor Authentication (MFA) on their Discord and associated email accounts and remain alert against phishing attempts. Remember that Discord’s official communication comes only from [email protected]. If your government ID was compromised, monitor credit and financial reports for identity theft.

Discord Says Hackers Stole 70,000 ID Photos, Dismisses Extortion Claims

Forcepoint X-Labs reports a surge in sophisticated email attacks using obfuscated JavaScript and steganography to deliver dangerous RATs and info-stealers like Formbook and Agent Tesla. Learn how to defend against the threat.

New research from cybersecurity experts at Forcepoint X-Labs reveals that businesses are facing a sharp rise in email attacks where criminals are hiding malicious software inside seemingly normal files. This report, shared with Hackread.com, points to a trend in the third quarter of 2025, citing a major increase in campaigns using JavaScript attachments to sneak malware past defences.

****The Lure****

Forcepoint Security Researcher Mayur Sewani notes that the attackers are “cloaking their lures in everyday business communications.” This means the malicious emails are carefully designed to look like average business communications, such as fake purchase orders, shipment notices, or quotes. They basically prey on the recipient’s trust, appearing as legitimate requests.

Malicious Email Sample (Source: Forcepoint X-Labs)

Some of the repeating subject lines the research team found include “RE: Payment Swift MT103” and “DHL Shipment Notification,” usually localised to the recipient’s language. The research notes that attackers use these lures in many different languages, such as Spanish (Solicitud de cotización), to target non-English speaking businesses.

****Hiding in Plain Sight****

The attack typically begins with a compressed archive file (ZIP, RAR, 7z, or TAR) containing a JavaScript file. This JavaScript is heavily obfuscated, meaning the code is purposefully scrambled to make it hard for security tools to read and stop.

Once a user is tricked into opening it, the script acts as a downloader, silently launching the next stage of the attack by using legitimate Windows tools like PowerShell and WMI (Windows Management Instrumentation) to operate ‘Living off the Land’ (LotL) and execute its commands without showing a window.

Heavily Obfuscated JavaScript Attachment (Source: Forcepoint X-Labs)

The malware delivery chain uses a technique called steganography, which involves concealing one file, message, or information within another file. In these attacks, the malicious code is hidden inside a harmless-looking image file, such as a PNG file. The malicious payload is encoded in Base64 within the image’s data stream. The downloader script then extracts and decodes this Base64 data to reconstruct the final binary.

****The Final Payloads****

The question here remains- What are they delivering? The final payloads are typically Remote Access Trojans (RATs) and information-stealing programs. Examples found during the investigation include DarkCloud, Remcos, Agent Tesla, and Formbook, all designed to steal critical data.

The final payload is either a DLL or EXE binary. After installation, these payloads initiate Command and Control (C2) communication to exfiltrate stolen credentials, banking information, and system data.

It is worth noting that these attacks are quite complex, using methods like process hollowing (where malicious code runs inside a trusted program like RegASM.exe to hide its activity) and functions to evade detection by virtual machines used for security analysis.

Sewani advises that organisations should “combine advanced email filtering, endpoint protection, and user awareness” to protect themselves from this threat.

Your Shipment Notification is Now a Malware Dropper

Palo Alto, California, 9th October 2025, CyberNewsWire

**Palo Alto, California, October 9th, 2025, CyberNewsWire**

As AI Browsers rapidly gain adoption across enterprises, SquareX has released critical security research exposing major vulnerabilities that could allow attackers to exploit AI Browsers to exfiltrate sensitive data, distribute malware and gain unauthorized access to enterprise SaaS apps. The timing of this disclosure is particularly significant as major companies including OpenAI, Microsoft, Google and The Browser Company have announced or released their own AI browsers. With Chrome and Edge alone representing 70% of the browser market share, it is very likely that the majority of consumer browsers in the future will be AI Browsers. Thus, it is critical for organizations to prepare for these security risks associated with this fundamental change.

> “Just like any AI Agent, AI Browsers are trained to complete tasks, not to be security aware. This makes it trivial for attackers to trick browsers like Comet into performing malicious tasks, by convincing them that it is a necessary part of the workflow they are completing,” warns Vivek Ramachandran, Founder of SquareX, “With two major consumer browsers publicly announcing their entry to the AI Browser race, it is inevitable that AI Browsers will be the primary way we interact with the internet in the future. Without the right browser-native solution that can implement guardrails on these AI Browsers that take into account agentic identity and agentic DLP, millions of users will be at risk.”

In the technical blog, SquareX discloses a few ways Comet was exploited, illustrating each with case studies. In one example, in completing a research task, Comet fell prey to an OAuth attack, providing attackers with full access to the victim’s email and Google Drive. This allowed attackers to exfiltrate every file stored on the victim’s account, including those shared by colleagues and customers. In another, the AI browser was completing tasks in the user’s inbox – a common use case advertised by Comet itself – when it ended up distributing a malicious link to the victim’s colleague through a calendar invite. Other examples include tricking Comet into downloading known malwares and emailing sensitive files to attackers. 

Unfortunately, existing solutions like EDRs and SASE/SSE have limited visibility into browsers. Today, there is no way to differentiate between activities performed by a user or Comet, as both network requests originate from the same browser. Thus, it is critical that enterprises have a browser-native solution that can differentiate between agentic and user identities, allowing them to apply differentiated guardrails on the data and actions that the AI browser can access or perform.

> In a commentary on SquareX’s research, Stephen Bennett, Group CISO at Domino’s Pizza Enterprises Ltd., says “Browsers have always been our universal gateway to the internet. AI browsers are the next logical step where instead of simply displaying information, the browser acts autonomously on our behalf. The trade off? Where we were once firmly in the driving seat, AI browsers will push us to be passengers.”

With the increasing integration of agentic AI into browsers, AI agents may soon dominate browsing activity over human users. This shift necessitates a collaboration between enterprises, browser developers, and cybersecurity companies to create robust security frameworks and protective measures to prevent attackers from exploiting AI Browsers. SquareX’s findings provide a crucial warning about the dangers of relying on traditional solutions to solve modern threats, and hopes to serve as an encouragement for an urgent industry-wide cooperation.

**About SquareX**

SquareX‘s browser extension turns any browser on any device into an enterprise-grade secure browser, including AI Browsers. SquareX’s industry-first Browser Detection and Response (BDR) solution empowers organizations to proactively defend against browser-native threats including rogue AI agents, Last Mile Reassembly Attacks, malicious extensions and identity attacks. Unlike dedicated enterprise browsers, SquareX seamlessly integrates with users’ existing consumer browsers, delivering security without compromising user experience. More information about SquareX’s research-led innovation is available at www.sqrx.com.

**Contact**

**Head of PR**  
**Junice Liew**  
**SquareX**  
**\[email protected\]**

SquareX Shows AI Browsers Fall Prey to OAuth Attacks, Malware Downloads and Malicious Link Distribution

Newark, United States, 9th October 2025, CyberNewsWire

**Newark, United States, October 9th, 2025, CyberNewsWire**

**Lightship Security****, an Applus+ Laboratories company and accredited cryptographic security test laboratory, and the** **OpenSSL Corporation****, the co-maintainer of the OpenSSL Library, announce the submission of OpenSSL version 3.5.4 to the Cryptographic Module Validation Program (CMVP) for FIPS 140-3 validation.**

This submission confirms that **the code is complete** and that **all included algorithms have successfully passed NIST testing and independent laboratory review**. The final **CMVP review and certificate issuance** remain as the last step in the process.

This submission marks a significant milestone in the ongoing collaboration between Lightship Security and the OpenSSL Corporation to provide validated cryptographic solutions that meet modern security and compliance requirements. The OpenSSL 3.5.4 FIPS Object Module provides an open-source, standards-compliant cryptographic module aligned with the FIPS 140-3 standard, enabling organisations across government and industry to deploy secure and compliant solutions once the validation certification is issued on the completion of the final step in the process.

**OpenSSL 3.5**, released in April 2025, introduced support for **post-quantum cryptographic (PQC) algorithms**, including ML-KEM, ML-DSA, and SLH-DSA, consistent with NIST’s PQC standardisation. This submission is the first step toward a FIPS-140 validated PQC-ready module, supporting organisations preparing for quantum-resistant cryptographic deployments.

Jason Lawlor, President of Lightship Security, said:

> “The submission of OpenSSL 3.5.4 to the CMVP marks an important step in sustaining validated, standards-based cryptography within one of the world’s most widely used open-source libraries—foundational to internet infrastructure, embedded systems, and enterprise applications. Lightship Security is proud to continue supporting OpenSSL’s FIPS 140-3 validation efforts to meet both current and emerging compliance requirements for global users.”

Tim Hudson, President of the OpenSSL Corporation, said:

> “OpenSSL 3.5.4 is not just a step toward future validation. It represents a completed, tested, and ready module that brings real value today. The final certificate will formalise what is already true: OpenSSL 3.5.4 meets the requirements of FIPS 140-3 while introducing post-quantum readiness for the years ahead.”

This effort continues the history of the OpenSSL Library FIPS 140 validated modules that are widely deployed across **government, defence, and commercial systems to support secure and compliant operations**.

**About The OpenSSL Corporation**

The OpenSSL Corporation is a global leader in cryptographic solutions, specializing in developing and maintaining the OpenSSL Library – an essential tool for secure digital communications. The OpenSSL Corporation provides a range of services tailored to assist businesses of all sizes to ensure the secure and efficient implementation of OpenSSL solutions. The OpenSSL Corporation also supports projects aligned with its Mission and Values by providing infrastructure, resources, expert advice, and engagement through advisory committees, particularly in the commercial sector. Collaboration among these projects fosters innovation, enhances security standards, and effectively addresses common challenges, benefiting all our communities.

**Contact**

**MarCom Manager**  
**Hana Andersen**  
**OpenSSL Software Services**  
**\[email protected\]**

Lightship Security and the OpenSSL Corporation Submit OpenSSL 3.5.4 for FIPS 140-3 Validation

FortiGuard Labs reveals Chaos-C++, a new Chaos ransomware variant that deletes files over 1.3 GB instead of encrypting them and uses clipboard hijacking to steal cryptocurrency.

Cybersecurity researchers at Fortinet’s FortiGuard Labs have found that the already destructive Chaos ransomware has taken a worrying turn, becoming faster and far more aggressive than before.

This new version, known as Chaos-C++ ransomware, emerged in 2025. It targets Microsoft Windows users and represents a significant shift, as it is believed to be the first version of the malware not written in the .NET programming language. Instead, its creation in C++ allows it to execute destructive actions at increased speed.

****The Evolution of Chaos Ransomware****

The Chaos ransomware family’s older variants, like Chaos\_2021, BlackSnake, and Lucky\_Gh0$t, were crude and unreliable; they frequently acted as unintentional wiper malware, simply deleting large files while encrypting small ones (< 2 MB in some cases). The new variant changes the game completely.

Instead of slowly encrypting everything, it surgically skips files between 50 MB and 1.3 GB. Its primary goal is speed, allowing it to hit the network and disappear before security systems can react. It focuses on massive, high-value files (like server backups) over 1.3 GB and instantly deletes them without any attempt at encryption. This ensures the maximum amount of damage with zero chance of recovery.

As per FortiGuard Labs’ analysis, shared with Hackread.com, this unusual strategy means the largest, most critical files are rendered unrecoverable, regardless of whether a ransom is paid. In short, Chaos-C++ is built for speed and maximum irreversible destruction.

The researchers note that this destructive variant has effectively perfected the wiper behaviour seen inconsistently in its predecessors, shifting the focus from financial extortion to maximising damage/speed.

Evolution of Chaos Ransomware’s File Handling Strategy and Ransom note (Source: FortiGuard Labs)

It is distributed via a fake tool called System Optimizer v2.1, tricking users into installing the malware while it runs in the background. The attack culminates with the malware dropping a ransom note in the affected directories, demanding payment and providing contact information.

****Stealing Cryptocurrency****

Further probing revealed that Chaos-C++ also introduces a new, sneaky function of clipboard hijacking. This is a mechanism mainly designed for cryptocurrency theft. When a user copies a Bitcoin wallet address to their clipboard, for example, to paste it for a payment, the ransomware checks the address’s format.

If it recognises a valid Bitcoin wallet, it automatically swaps it with a hardcoded address belonging to the attacker. As a result, any cryptocurrency payment a victim attempts to make is redirected straight to the criminal’s wallet.

It shows how ransomware continues to evolve to become “faster, smarter, and more dangerous,” researchers conclude. To avoid becoming a victim, users are advised to be extremely cautious of downloading and running any unauthorised software.

New Chaos-C++ Ransomware Targets Windows by Wiping Data, Stealing Crypto

Hackers are using fake Microsoft Teams installers found in search results and ads to deploy the Oyster backdoor. Learn how to protect your PC from this remote-access threat.

A major new threat is targeting everyday computer users by hiding a dangerous program inside what looks like a genuine Microsoft Teams installer. This malicious program, known as Oyster (or sometimes Broomstick), is a backdoor that gives cybercriminals secret, long-term access to a victim’s computer. The security group Blackpoint Cyber’s Advisory Pursuit team is actively watching this widespread campaign and shared its details with Hackread.com.

****How the Attack Works****

Attackers use a two-part trick in search engines to get users to download their malicious files. First, they use SEO poisoning to make their fake download pages rank high in search results. Second, they use malvertising, which means paying for malicious advertisements that pop up when people search for “Teams download.” After all, many people trust the first few results they see.

If you click one of these fake links, you land on a spoofed website. One of the observed domains was teams-install.top. Once there, you are tricked into downloading a file named MSTeamsSetup.exe.

Killchain Explained and The Malicious Domain (Source: Blackpoint Cyber)

Further probing revealed that the criminals even signed their fake installers with untrustworthy certificates, issued by companies like 4th State Oy and NRM NETWORK RISK MANAGEMENT INC., to make the file look legitimate and bypass basic security checks. When you run this file, the Oyster backdoor silently installs itself, and the real Microsoft Teams program might also launch to avoid suspicion.

****Oyster: The Invisible Spy****

Oyster is a versatile malware that establishes Command and Control (C2) communication. For your information, C2 is basically a secret line of contact that lets the attackers send instructions to the compromised machine from their own servers.

The research identified examples of these attacker-controlled servers, such as nickbush24.com or techwisenetwork.com. This remote control allows them to gather information about your system or even deliver more damaging viruses.

To maintain long-term access, the malware also secretly creates a recurring “scheduled task” on the machine, named CaptureService. It is linked to a hidden malicious file, guaranteeing the connection will start up again even after a restart.

It is worth noting that this particular attack has been effective because the malware can blend in easily with normal computer activity, even managing to get past some well-known security programs.

This kind of attack is not new, and, according to Jason Barnhizer, Director of Threat Operations at Blackpoint Cyber, “this activity mirrors earlier fake PuTTY campaigns, underscoring an ongoing trend of adversaries weaponising trusted software brands to gain initial access.”

Blackpoint Cyber researchers strongly advise everyone to download software cautiously. To stay safe, you should always go straight to the official vendor’s website (like Microsoft’s actual domain) or use a saved bookmark, rather than casually clicking on links that appear in search results or advertisements.

Watch Sam Decker and Nevan Beal from Blackpoint discuss the Oyster Backdoor.

Fake Teams Installers Dropping Oyster Backdoor (aka Broomstick)

Met Police arrested two teenagers over the Kido nursery ransomware attack, which exposed data for 8,000 children. Full details on the hack and police investigation.

The UK Metropolitan Police (Met) have arrested two 17-year-old boys in connection with the major ransomware attack that compromised the data of thousands of children at the Kido nursery chain.

The arrests, on suspicion of computer misuse and blackmail, took place on Tuesday, October 7, 2025, in Bishop’s Stortford, Hertfordshire. The operation was carried out by officers from the Met’s specialist Cyber Crime Unit.

****Details of the Extortion Campaign****

The ongoing police investigation was launched on September 25 after the ransomware group, Radiant, claimed to have stolen sensitive data on approximately 8,000 young children and their families.

The scope of the breach was alarming as the stolen information included names, home addresses, photographs, contact details for parents and carers, and critically, confidential medical records and safeguarding notes. Hackers reportedly gained access to the data through Famly, a third-party software service widely used by the nursery group.

Radiant employed extreme tactics to extort the company. They demanded a ransom of approximately £600,000 in Bitcoin, called parents directly to pressure the nursery into paying, and posted some children’s photos on the dark web.

However, the group faced massive backlash, including criticism from within the cybercriminal community, which resulted in a swift retreat. In a highly unusual turn, Radiant first blurred the images and then claimed to have deleted all the stolen files on October 2. One cybercriminal was quoted by the BBC as stating, “All child data is now being deleted. No more remains, and this can comfort parents.”

****Police and Nursery Responses****

Following the arrests, Will Lyne, the Met’s Head of Economic and Cybercrime, issued a statement reassuring the community that the force is taking the matter “extremely seriously” and working to bring those responsible to justice.

The Kido nursery group also released a statement welcoming the police action. A Kido spokesperson stated: “We welcome this swift action from the Met and recognise this is an important milestone in the process of bringing those responsible to justice.”

The two boys remain in custody for questioning as the investigation is ongoing.

****Education Sector’s Growing Vulnerability****

The Kido incident shows just how serious the cyber crisis is for the education sector, which is frequently held back by limited IT funding, making schools and nurseries prime targets for ransomware.

Cybersecurity firms AtlastVPN and Sophos’ June 2023 investigation, reported by Hackread, revealed that 80% of lower education providers were hit by ransomware in one year. Recent findings by Forcepoint’s X-Lab have warned of campaigns using the Remcos (RAT) Remote Access Trojan (RAT), delivered via deceptive phishing emails sent from compromised small business or school accounts to appear trustworthy.

The Kido attack, where children’s data was used for extortion, represents an “absolute new low” in cybercrime, claimed cybersecurity firm Check Point, showing that protecting student data is no longer an IT task but a critical safety and security priority.

UK Police Arrest Two Teens Over Kido Nursery Ransomware Attack

Tel Aviv, Israel, 8th October 2025, CyberNewsWire

**Tel Aviv, Israel, October 8th, 2025, CyberNewsWire**

Miggo Security, pioneer and innovator in Application Detection & Response (ADR) and AI Runtime Defense, today announced it has been recognized as a Gartner Cool Vendor in AI Security. To us, this recognition underscores Miggo’s mission to close the detection-to-mitigation gap that plagues security teams today by providing comprehensive, fast, and precise analysis and response for what applications actually do at runtime. 

Traditional security approaches are failing to match the dynamic, behavioral reality of modern applications. In fact, Gartner writes, “Through 2029, over 50% of successful cybersecurity attacks against AI agents will exploit access control issues, using direct or indirect prompt injection as an attack vector.” However, Miggo’s runtime behavioral security can handle any application from traditional to AI-incorporated features, to AI apps themselves and AI agents. We believe Miggo Security’s ADR platform is cool because of how it detects and responds to security flaws in applications in a matter of minutes, combining unique runtime context with AI-augmented reasoning, risk analysis and actionable defense.

Miggo’s predictive analysis, preemptive protection, and real-time response is built specifically for the risks of AI-driven environments.

> “This recognition by Gartner, in my opinion, validates the vision and innovation that define Miggo Security,” said Daniel Shechter, CEO and Co-Founder of Miggo Security. “We believe Application Detection & Response is the future of runtime security in the AI era to give CISOs and security teams the ability to know, prove, and shield AI-native threats in real time.”

Miggo’s differentiators include:

*   **DeepTracing Technology:** Detects AI-native threats, zero-days, and emerging attack patterns in real time.
*   **AppDNA & Predictive Vulnerability Database:** Cuts vulnerabilities backlog by 99% with deep context and automated AI proving engine. 
*   **Miggo WAF Copilot:** Generate custom WAF rules in minutes, protecting against emerging threats
*   **Agentless Integration:** Deploys seamlessly with Kubernetes, traces, and application profiles, eliminating friction.
*   **Force Multiplier for Teams:** Provides centralized AI-driven context, helping security and engineering teams align faster while reducing overhead by 30% or more.

The GARTNER COOL VENDOR badge is a trademark and service mark of Gartner, Inc., and/or its affiliates, and is used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s Research & Advisory organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. Cool Vendors is a registered trademark of Gartner, Inc. and/or its affiliates and is used herein with permission. All rights reserved.  

**About Miggo Security**

Miggo Security delivers real-time application detection and response (ADR), empowering enterprises to identify and neutralize application threats. With its AI-augmented platform, Miggo helps organizations secure both traditional and AI-driven applications at scale, reducing exposure windows by up to 99% and cutting operational overhead by 30% or more.

For more information, users can visit www.miggo.io.

**Contact**

**CEO**  
**Omri Hurwitz**  
**Omri Hurwitz Media**  
**\[email protected\]**

Source

HackRead