FortiGuard Labs reveals Chaos-C++, a new Chaos ransomware variant that deletes files over 1.3 GB instead of encrypting them and uses clipboard hijacking to steal cryptocurrency.

Cybersecurity researchers at Fortinet’s FortiGuard Labs have found that the already destructive Chaos ransomware has taken a worrying turn, becoming faster and far more aggressive than before.

This new version, known as Chaos-C++ ransomware, emerged in 2025. It targets Microsoft Windows users and represents a significant shift, as it is believed to be the first version of the malware not written in the .NET programming language. Instead, its creation in C++ allows it to execute destructive actions at increased speed.

****The Evolution of Chaos Ransomware****

The Chaos ransomware family’s older variants, like Chaos\_2021, BlackSnake, and Lucky\_Gh0$t, were crude and unreliable; they frequently acted as unintentional wiper malware, simply deleting large files while encrypting small ones (< 2 MB in some cases). The new variant changes the game completely.

Instead of slowly encrypting everything, it surgically skips files between 50 MB and 1.3 GB. Its primary goal is speed, allowing it to hit the network and disappear before security systems can react. It focuses on massive, high-value files (like server backups) over 1.3 GB and instantly deletes them without any attempt at encryption. This ensures the maximum amount of damage with zero chance of recovery.

As per FortiGuard Labs’ analysis, shared with Hackread.com, this unusual strategy means the largest, most critical files are rendered unrecoverable, regardless of whether a ransom is paid. In short, Chaos-C++ is built for speed and maximum irreversible destruction.

The researchers note that this destructive variant has effectively perfected the wiper behaviour seen inconsistently in its predecessors, shifting the focus from financial extortion to maximising damage/speed.

Evolution of Chaos Ransomware’s File Handling Strategy and Ransom note (Source: FortiGuard Labs)

It is distributed via a fake tool called System Optimizer v2.1, tricking users into installing the malware while it runs in the background. The attack culminates with the malware dropping a ransom note in the affected directories, demanding payment and providing contact information.

****Stealing Cryptocurrency****

Further probing revealed that Chaos-C++ also introduces a new, sneaky function of clipboard hijacking. This is a mechanism mainly designed for cryptocurrency theft. When a user copies a Bitcoin wallet address to their clipboard, for example, to paste it for a payment, the ransomware checks the address’s format.

If it recognises a valid Bitcoin wallet, it automatically swaps it with a hardcoded address belonging to the attacker. As a result, any cryptocurrency payment a victim attempts to make is redirected straight to the criminal’s wallet.

It shows how ransomware continues to evolve to become “faster, smarter, and more dangerous,” researchers conclude. To avoid becoming a victim, users are advised to be extremely cautious of downloading and running any unauthorised software.

New Chaos-C++ Ransomware Targets Windows by Wiping Data, Stealing Crypto

Hackers are using fake Microsoft Teams installers found in search results and ads to deploy the Oyster backdoor. Learn how to protect your PC from this remote-access threat.

A major new threat is targeting everyday computer users by hiding a dangerous program inside what looks like a genuine Microsoft Teams installer. This malicious program, known as Oyster (or sometimes Broomstick), is a backdoor that gives cybercriminals secret, long-term access to a victim’s computer. The security group Blackpoint Cyber’s Advisory Pursuit team is actively watching this widespread campaign and shared its details with Hackread.com.

****How the Attack Works****

Attackers use a two-part trick in search engines to get users to download their malicious files. First, they use SEO poisoning to make their fake download pages rank high in search results. Second, they use malvertising, which means paying for malicious advertisements that pop up when people search for “Teams download.” After all, many people trust the first few results they see.

If you click one of these fake links, you land on a spoofed website. One of the observed domains was teams-install.top. Once there, you are tricked into downloading a file named MSTeamsSetup.exe.

Killchain Explained and The Malicious Domain (Source: Blackpoint Cyber)

Further probing revealed that the criminals even signed their fake installers with untrustworthy certificates, issued by companies like 4th State Oy and NRM NETWORK RISK MANAGEMENT INC., to make the file look legitimate and bypass basic security checks. When you run this file, the Oyster backdoor silently installs itself, and the real Microsoft Teams program might also launch to avoid suspicion.

****Oyster: The Invisible Spy****

Oyster is a versatile malware that establishes Command and Control (C2) communication. For your information, C2 is basically a secret line of contact that lets the attackers send instructions to the compromised machine from their own servers.

The research identified examples of these attacker-controlled servers, such as nickbush24.com or techwisenetwork.com. This remote control allows them to gather information about your system or even deliver more damaging viruses.

To maintain long-term access, the malware also secretly creates a recurring “scheduled task” on the machine, named CaptureService. It is linked to a hidden malicious file, guaranteeing the connection will start up again even after a restart.

It is worth noting that this particular attack has been effective because the malware can blend in easily with normal computer activity, even managing to get past some well-known security programs.

This kind of attack is not new, and, according to Jason Barnhizer, Director of Threat Operations at Blackpoint Cyber, “this activity mirrors earlier fake PuTTY campaigns, underscoring an ongoing trend of adversaries weaponising trusted software brands to gain initial access.”

Blackpoint Cyber researchers strongly advise everyone to download software cautiously. To stay safe, you should always go straight to the official vendor’s website (like Microsoft’s actual domain) or use a saved bookmark, rather than casually clicking on links that appear in search results or advertisements.

Watch Sam Decker and Nevan Beal from Blackpoint discuss the Oyster Backdoor.

Fake Teams Installers Dropping Oyster Backdoor (aka Broomstick)

Met Police arrested two teenagers over the Kido nursery ransomware attack, which exposed data for 8,000 children. Full details on the hack and police investigation.

The UK Metropolitan Police (Met) have arrested two 17-year-old boys in connection with the major ransomware attack that compromised the data of thousands of children at the Kido nursery chain.

The arrests, on suspicion of computer misuse and blackmail, took place on Tuesday, October 7, 2025, in Bishop’s Stortford, Hertfordshire. The operation was carried out by officers from the Met’s specialist Cyber Crime Unit.

****Details of the Extortion Campaign****

The ongoing police investigation was launched on September 25 after the ransomware group, Radiant, claimed to have stolen sensitive data on approximately 8,000 young children and their families.

The scope of the breach was alarming as the stolen information included names, home addresses, photographs, contact details for parents and carers, and critically, confidential medical records and safeguarding notes. Hackers reportedly gained access to the data through Famly, a third-party software service widely used by the nursery group.

Radiant employed extreme tactics to extort the company. They demanded a ransom of approximately £600,000 in Bitcoin, called parents directly to pressure the nursery into paying, and posted some children’s photos on the dark web.

However, the group faced massive backlash, including criticism from within the cybercriminal community, which resulted in a swift retreat. In a highly unusual turn, Radiant first blurred the images and then claimed to have deleted all the stolen files on October 2. One cybercriminal was quoted by the BBC as stating, “All child data is now being deleted. No more remains, and this can comfort parents.”

****Police and Nursery Responses****

Following the arrests, Will Lyne, the Met’s Head of Economic and Cybercrime, issued a statement reassuring the community that the force is taking the matter “extremely seriously” and working to bring those responsible to justice.

The Kido nursery group also released a statement welcoming the police action. A Kido spokesperson stated: “We welcome this swift action from the Met and recognise this is an important milestone in the process of bringing those responsible to justice.”

The two boys remain in custody for questioning as the investigation is ongoing.

****Education Sector’s Growing Vulnerability****

The Kido incident shows just how serious the cyber crisis is for the education sector, which is frequently held back by limited IT funding, making schools and nurseries prime targets for ransomware.

Cybersecurity firms AtlastVPN and Sophos’ June 2023 investigation, reported by Hackread, revealed that 80% of lower education providers were hit by ransomware in one year. Recent findings by Forcepoint’s X-Lab have warned of campaigns using the Remcos (RAT) Remote Access Trojan (RAT), delivered via deceptive phishing emails sent from compromised small business or school accounts to appear trustworthy.

The Kido attack, where children’s data was used for extortion, represents an “absolute new low” in cybercrime, claimed cybersecurity firm Check Point, showing that protecting student data is no longer an IT task but a critical safety and security priority.

UK Police Arrest Two Teens Over Kido Nursery Ransomware Attack

Tel Aviv, Israel, 8th October 2025, CyberNewsWire

**Tel Aviv, Israel, October 8th, 2025, CyberNewsWire**

Miggo Security, pioneer and innovator in Application Detection & Response (ADR) and AI Runtime Defense, today announced it has been recognized as a Gartner Cool Vendor in AI Security. To us, this recognition underscores Miggo’s mission to close the detection-to-mitigation gap that plagues security teams today by providing comprehensive, fast, and precise analysis and response for what applications actually do at runtime. 

Traditional security approaches are failing to match the dynamic, behavioral reality of modern applications. In fact, Gartner writes, “Through 2029, over 50% of successful cybersecurity attacks against AI agents will exploit access control issues, using direct or indirect prompt injection as an attack vector.” However, Miggo’s runtime behavioral security can handle any application from traditional to AI-incorporated features, to AI apps themselves and AI agents. We believe Miggo Security’s ADR platform is cool because of how it detects and responds to security flaws in applications in a matter of minutes, combining unique runtime context with AI-augmented reasoning, risk analysis and actionable defense.

Miggo’s predictive analysis, preemptive protection, and real-time response is built specifically for the risks of AI-driven environments.

> “This recognition by Gartner, in my opinion, validates the vision and innovation that define Miggo Security,” said Daniel Shechter, CEO and Co-Founder of Miggo Security. “We believe Application Detection & Response is the future of runtime security in the AI era to give CISOs and security teams the ability to know, prove, and shield AI-native threats in real time.”

Miggo’s differentiators include:

*   **DeepTracing Technology:** Detects AI-native threats, zero-days, and emerging attack patterns in real time.
*   **AppDNA & Predictive Vulnerability Database:** Cuts vulnerabilities backlog by 99% with deep context and automated AI proving engine. 
*   **Miggo WAF Copilot:** Generate custom WAF rules in minutes, protecting against emerging threats
*   **Agentless Integration:** Deploys seamlessly with Kubernetes, traces, and application profiles, eliminating friction.
*   **Force Multiplier for Teams:** Provides centralized AI-driven context, helping security and engineering teams align faster while reducing overhead by 30% or more.

The GARTNER COOL VENDOR badge is a trademark and service mark of Gartner, Inc., and/or its affiliates, and is used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s Research & Advisory organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose. GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. Cool Vendors is a registered trademark of Gartner, Inc. and/or its affiliates and is used herein with permission. All rights reserved.  

**About Miggo Security**

Miggo Security delivers real-time application detection and response (ADR), empowering enterprises to identify and neutralize application threats. With its AI-augmented platform, Miggo helps organizations secure both traditional and AI-driven applications at scale, reducing exposure windows by up to 99% and cutting operational overhead by 30% or more.

For more information, users can visit www.miggo.io.

**Contact**

**CEO**  
**Omri Hurwitz**  
**Omri Hurwitz Media**  
**\[email protected\]**

Miggo Security Named a Gartner® Cool Vendor in AI Security

OpenAI's new report warns hackers are combining multiple AI tools for cyberattacks, scams, and influence ops linked to China, Russia, and North Korea.

OpenAI’s latest “Disrupting Malicious Uses of AI” report shows that hackers and influence operators are moving toward a more organised use of artificial intelligence (**AI**). The findings reveal that adversaries are spreading their operations across multiple AI systems, for instance, using **ChatGPT** for reconnaissance and planning, while relying on other models for execution and automation.

The company noted that attackers haven’t changed their methods but have simply added AI to make their existing tactics faster and more efficient, whether that’s writing malware, refining phishing lures, or managing online scams.

While malicious AI tools such as **WormGPT and FraudGPT** are already known, **new ones** are now surfacing. SpamGPT helps cybercriminals bypass email security filters with targeted spam, while MatrixPDF turns ordinary PDF files into malware.

It is worth noting that this latest report comes four months after OpenAI’s **earlier publication**, which revealed that the company had shut down ten malicious AI operations linked to China, Russia, Iran, and North Korea, where adversaries heavily misused ChatGPT for malicious purposes.

****Russian, Korean and Chinese Operators Using AI for Targeted Attacks****

In one instance, Russian-speaking actors used ChatGPT to write and refine code for remote-access tools and **credential stealers**. The model refused direct malicious prompts, but the users extracted functional snippets to later assemble their tools elsewhere. OpenAI found no indication that these interactions gave the hackers capabilities they couldn’t already find through open-source code.

Korean-language operators used ChatGPT to assist with code debugging, credential theft routines, and phishing messages **related to cryptocurrency**. Each account handled specific technical tasks, such as browser extension conversion or VPN configuration, showing structured workflows similar to corporate development teams.

Chinese-language operators went further, asking the model to generate phishing content in multiple languages and help with malware debugging. Their activity coincided with campaigns reported by **Volexity** and **Proofpoint** that targeted academia, think tanks, and the semiconductor sector. According to OpenAI, these users aimed to increase efficiency rather than develop new attack methods.

****Organised Crime and Scam Operations****

The **report** also shows how AI is being exploited in established scam networks. Operations traced to Cambodia, Myanmar, and Nigeria used ChatGPT to translate messages, write fake investment pitches, and manage day-to-day logistics within “large-scale scam centers.”

In one example, scammers posed as financial advisors running fake trading groups on WhatsApp. They generated all the chat content with AI to make conversations seem authentic and convincing. Another network used ChatGPT to design fake online investment firm profiles, complete with fabricated employee biographies.

Interestingly, OpenAI found that ChatGPT is being used to detect scams about three times more often than it is used to create them, as people turn to the model to verify suspicious messages.

****State-Linked Abuses of AI****

OpenAI also reported accounts linked to Chinese government entities using ChatGPT to draft proposals for large-scale social media monitoring systems. One user requested help outlining a “High-Risk Uyghur-Related Inflow Warning Model,” which aimed to track individuals through travel and police data.

Other users focused on profiling and information gathering, asking ChatGPT to summarise posts by activists or identify petition organisers. The company said its models returned only public data, but the intent behind these requests raised concerns about surveillance-related use.

****Influence Operations in Russia and China****

The Russia-origin “Stop News” operation, previously disrupted by OpenAI and other tech firms, resurfaced using AI to write video scripts and promotional text. These were translated and turned into short videos shared on YouTube and TikTok, praising Russia and criticising Western nations. Although the campaign produced a steady stream of content, engagement remained low.

A separate operation, “Nine emdash Line,” appeared linked to China and focused on regional disputes in the **South China Sea**. The group generated English and Cantonese social media posts criticising the Philippines, Vietnam, and Hong Kong democracy activists. They also sought advice on boosting engagement through TikTok challenges and hashtags. Most of their posts gained little attention before the accounts were suspended.

****Expert Perspective****

“For the average reader, this might sound like a not particularly surprising trend. AI is being used in everything from generating cool chilli recipes to college essays, so why wouldn’t it be writing the code and other exploits needed for cyberattacks?” said **Evan Powell**, CEO of DeepTempo.

“What most may not realise is that cybersecurity defences are uniquely vulnerable to AI-powered attacks. Today’s defences are almost entirely based on static rules: if you see A and B while C, then that’s an attack and take action. Today’s AI attackers train their systems to avoid these fixed pattern detections, which allows them to slip into enterprises and government systems at an increasing rate,” he explained.

He added that attackers are now using AI not only to build tools but also to plan campaigns. “These types of campaigns, which combine detailed research, customised attacks, and repeated attempts to gain access, used to require expertise, patience, and a large team. Today, AI boosts the productivity of attackers, enabling even one person to carry out operations that once required a well-funded organisation or nation-state. The implications are terrifying.”

1.  **ShadowLeak Exploit Exposed Gmail Data via ChatGPT Agent**
2.  **Savvy Seahorse Using Fake ChatGPT in DNS Investment Scam**
3.  **Leaked ChatGPT Chats: Users Treat AI as Therapist, Lawyer, Confidant**
4.  **LegalPwn Tricks GenAI Tools Into Misclassifying Malware as Safe Code**
5.  **Malicious AI Models Are Behind a New Wave of Cybercrime, Cisco Talos**

OpenAI Finds Growing Exploitation of AI Tools by Foreign Threat Groups

Researchers warn of Shuyal Stealer, malware that gathers browser logins, system details, and Discord tokens, then erases evidence via Telegram.

Cybersecurity researchers at Point Wild’s Lat61 Threat Intelligence Team have found a new infostealer called Shuyal Stealer, a malware strain designed to steal login credentials from not one or two, but 17 different web browsers.

****How Shuyal Stealer Profiles and Exploits Systems****

Shuyal Stealer is also capable of profiling targeted machines in depth, collecting information about disks, input devices and display setups by using Windows Management Instrumentation commands. That kind of device mapping gives attackers a clear picture of a victim’s system, which can be used for targeted **identity theft** or other follow-on attacks.

The malware also captures contextual data that many infostealers ignore. It takes screenshots, records clipboard contents and extracts **Discord** authentication tokens. These capabilities let attackers have real context into what the victim is doing on their device, which can turn a straightforward password stealing into a complete account takeover and know more about the victim’s online activities than other malware would.

****Data Exfiltration and Persistence Methods****

According to the Lat61 **blog post** shared with HackRead.com, the malware compresses the collected files with PowerShell and sends them through a hardcoded **Telegram bot**. Researchers found a specific bot token and chat ID used to deliver the archive directly to the attacker’s account. After the transfer completes, Shuyal deletes the archive and clears traces to complicate forensic work.

Shuyal quietly copies its executable into the Windows Startup folder using the CopyFileA API. It also shuts down Task Manager processes and modifies the registry to disable Task Manager entirely, preventing users from spotting or stopping it.

Infection chain flow (Via Point Wild)

****Browser Targeting and Data Theft****

When analysing how it steals data, Point Wild’s researchers noted Shuyal’s efficiency. It specifically looks for the “Login Data” file found in browser directories, running a SQL query to extract URLs, usernames, and encrypted passwords.

Each stolen session or token is saved locally and then zipped for exfiltration. Files such as tokens.txt, clipboard.txt and ss.png document different parts of the victim’s digital life, from saved passwords to copied text and active windows. The malware keeps a history.txt log of which browsers and apps it scanned. Here is the list of targeted browsers:

1.  Tor
2.  Edge
3.  Epic
4.  Brave
5.  Opera
6.  Vivaldi
7.  Coc Coc
8.  Maxthon
9.  Chromium
10.  Waterfox
11.  Comodo
12.  Slimjet
13.  Yandex
14.  Falkon
15.  Chrome
16.  Opera GX
17.  360 Browser

****Self-Deletion, Expert Insight and Mitigation****

After exfiltration finishes, Shuyal runs a self-deletion routine. It launches a batch script named util.bat that removes the archive and related files, making incident response and attribution harder.

**Dr Zulfikar Ramzan**, CTO of Point Wild and head of the Lat61 Threat Intelligence Team, summarised the threat as a powerful infostealer that targets many browsers, disables Task Manager and quietly sends harvested data over Telegram, then removes its traces.

“Shuyal is an infostealer extraordinaire, built for breadth and stealth. It raids credentials from browsers, kills the Windows Task Manager, and quietly exfiltrates data over Telegram. It’s a smash-and-grab, then vanishes,” he said.

Unlike other infostealers, Shuyal Stealer is both a privacy and security risk because it takes credentials plus contextual data that help attackers turn stolen secrets into account takeovers. Its combination of system profiling, wide browser coverage and clean-up process places it among the more capable infostealers active today.

If you suspect an infection, Point Wild advises rebooting into Safe Mode with Networking and scanning with a **reliable antivirus**. The malware is detected as Trojan.W64.100925.Shuyal.YR.

New Shuyal Stealer Targets 17 Web Browsers for Login Data and Discord Tokens

Critical Redis flaw RediShell (CVE-2025-49844) exposes 60,000 servers to remote code execution. Patch immediately to prevent full system compromise.

A new vulnerability in **Redis**, now known as RediShell (CVE-2025-49844), has put tens of thousands of servers at risk of remote compromise. The flaw, rated with a maximum CVSS score of 10.0, has existed unnoticed in Redis code for over a decade and is now being called one of the most serious issues ever found in the open-source database.

The issue lies in a use-after-free bug in Redis’s Lua interpreter, which can be exploited through a malicious Lua script. Attackers can escape the interpreter’s sandbox and run arbitrary code on the host system. This level of access can allow theft of data, installation of malware, or the use of compromised servers for additional attacks.

Cybersecurity researchers from Wiz, who found the issue, estimate that about 330,000 Redis instances are currently exposed to the internet, with roughly 60,000 running without any authentication. Redis is commonly used in cloud environments for caching and session management, which means the reach of this vulnerability is far greater than typical software bugs.

The Redis team responded quickly, releasing a patched version and a security advisory on October 3. Wiz researchers had privately reported the issue in May after identifying it during **Pwn2Own Berlin**. The disclosure process was handled collaboratively, with Redis engineers coordinating fixes before public release.

The risk varies depending on how Redis is deployed. Instances exposed directly to the internet without authentication face the highest danger. In those setups, anyone could connect and run Lua scripts remotely, which provides a direct path for exploitation.

Even within internal networks, the bug poses significant exposure if authentication is weak or absent, as attackers already inside a corporate environment could exploit it for lateral movement.

Wiz’s **analysis** shared with Hackrad.com found that 57% of Redis deployments in cloud environments run as container images. Many of these containers are deployed without proper access controls or configuration checks, making them particularly vulnerable.

If exploited, an attacker could send a crafted Lua script to trigger the memory corruption, escape the sandbox, and establish full control over the host. Once inside, they could exfiltrate credentials, install miners or backdoors, and use stolen tokens to move across connected cloud systems.

Researchers are urging all Redis users to upgrade to the **latest version** and verify their configurations. Enabling authentication, disabling Lua scripting when not needed, restricting network access, and running Redis under a non-root account are key mitigation steps. Logging and monitoring should also be turned on to detect unusual activity.

“This newly disclosed Redis vulnerability is a reminder that technical debt doesn’t just live in code; it lives in configuration. Thirteen years of latent risk surfaced because default settings and weak segmentation went unobserved,” said **Anders Askasen**, VP of Product Marketing at Radiant Logic.

When foundational services like Redis run unauthenticated or exposed, they create invisible attack paths that can pivot directly into identity and access systems,” he added. “The answer isn’t just patching faster but seeing sooner. Identity observability provides the real-time visibility, control, validation, and remediation needed to uncover these blind spots before attackers do.”

The RediShell vulnerability shows how much modern infrastructure depends on open-source software and how old code can carry hidden risks for years. Redis is used by more than three-quarters of cloud environments, so patching and tightening security configurations should be treated as an immediate priority.

13-Year-Old RediShell Vulnerability Puts 60,000 Redis Servers at Risk

Latest reports suggest the critical GoAnywhere MFT vulnerability (CVE-2025-10035, CVSS 10.0) is actively exploited by the Medusa ransomware gang for unauthenticated RCE. Patch immediately.

A CVSS 10.0 deserialization vulnerability in Fortra’s GoAnywhere Managed File Transfer (MFT) solution is now being actively exploited by the Medusa ransomware group, according to a latest update from Microsoft.

The flaw, reported on September 25 by Hackread.com, is a dangerous deserialization vulnerability residing in the MFT’s License Servlet. This allows an attacker to achieve unauthenticated Remote Code Execution (RCE) and full system takeover.

By forging a license response signature, an attacker can bypass security checks, forcing the software to execute malicious code. This high-risk RCE capability makes all internet-exposed GoAnywhere instances highly vulnerable.

****The Exploitation Timeline and Independent Confirmation****

Although Fortra published an alert and patch on September 18, 2025, security researchers from watchTowr Labs found exploitation activity dating back to September 10, 2025, eight days before Fortra’s public advisory.

Detailed post-exploitation analysis from watchTowr Labs shows a consistent pattern: After achieving RCE, attackers established persistence by creating a covert administrative account named ‘admin-go’.

They then moved laterally by dropping binaries for legitimate Remote Monitoring and Management (RMM) tools like SimpleHelp and MeshAgent. The watchTowr team also suggested that Fortra’s advisory section on “Am I Impacted?” was a veiled method to share signs of compromise without fully admitting to the in-the-wild exploitation.

****Medusa Ransomware Confirmed****

The risk escalated significantly with an October 6, 2025, update from Microsoft Threat Intelligence. Microsoft confirmed that a cybercriminal group they track as Storm-1175, a known affiliate of Medusa ransomware, was observed actively targeting organisations starting on September 11, 2025.

In detailing this multi-stage attack, Microsoft confirmed the vulnerability exploitation led to command injection, system discovery, the use of RMM tools for persistent access, and ultimately, the successful deployment of Medusa ransomware in at least one compromised environment. Attackers were also observed using data transfer tools like Rclone for data exfiltration and setting up Cloudflare tunnels for secure Command and Control (C2).

“Just weeks after we confirmed evidence of in-the-wild exploitation of CVE-2025-10035, Microsoft has now linked the attacks to a known Medusa ransomware affiliate, confirming what we feared,” said watchTowr CEO and Founder, Benjamin Harris. Harris stressed that organisations using GoAnywhere MFT “have effectively been under silent assault since at least September 11, with little clarity from Fortra.”

****Immediate Action Required****

Fortra has urgently advised customers to upgrade to the patched versions: version 7.8.4 or the Sustain Release 7.6.3. The vulnerability’s severe nature has led to its addition to the CISA Known Exploited Vulnerabilities (KEV) Catalogue.

All organisations with exposed systems must apply the patch immediately to prevent future attacks. Given the confirmed exploitation activity, a full forensic review is necessary for systems that were exposed to determine if an initial compromise occurred before the update was applied.

Medusa Ransomware Exploiting GoAnywhere MFT Flaw, Confirms Microsoft

Raleigh, United States, 7th October 2025, CyberNewsWire

**Raleigh, United States, October 7th, 2025, CyberNewsWire**

****Report Shows Cross-Training as Strategic Solution to Operational Friction Between Networking and Cybersecurity Teams** **

INE Security, a leading provider of cybersecurity training and certifications, today announced the results of a global study examining the convergence of networking and cybersecurity disciplines. “Wired Together: The Case for Cross-Training in Networking and Cybersecurity” is based on insights from nearly 1,000 IT and cybersecurity professionals worldwide. The report documents operational challenges created by this convergence and presents cross-training as the strategic solution.

> “Our research reveals that while three-quarters of professionals recognize networking and cybersecurity as integrated disciplines, the majority still struggle with daily operational friction between these teams,” said Lindsey Rinehart, CEO of INE Security. “Organizations with high levels of security and IT complexity face breach costs averaging $1.2 million higher than those with streamlined, integrated environments. This isn’t just about future preparedness—it’s about solving problems that are costing organizations money today.”

The report reveals that only 33% of professionals feel “very well” or “extremely well” prepared to handle the intersection of networking and cybersecurity, while 41% report being only “moderately well” prepared. This preparedness gap creates significant operational challenges but also presents strategic opportunities for organizations that invest in cross-domain expertise.

> “Cross-trained professionals don’t just respond to incidents faster—they prevent the implement-break-fix cycles that plague most organizations,” Rinehart added. “When teams understand both networking and security domains, projects deploy successfully the first time, emergency rollbacks become rare, and operational costs decrease substantially.”

****Key findings from the report include:****

*   **Integration Reality**: 75% of respondents view networking and cybersecurity as either “completely integrated” (29%) or “highly interconnected” (46%), with only 7% still viewing them as separate disciplines.
*   **Preparedness Gap**: Only 33% feel well-prepared to handle networking-cybersecurity intersection, creating operational vulnerabilities and increased costs.
*   **Collaboration Challenges**: While 37% collaborate with counterparts “most of the time” or “always,” 34% collaborate only “sometimes,” and 23% work together “about half the time.”
*   **Critical Friction Points**: Nearly one in five professionals (18%) identified knowledge gaps as their primary challenge, while organizational misalignment affects nearly a quarter of respondents.
*   **Convergence Drivers**: 77% cite growing cyber threat complexity as the primary convergence driver, with widespread cloud adoption, remote work, and IoT device proliferation accelerating integration.
*   **Six Critical Overlap Areas**: Network monitoring, security monitoring, firewalls, configuration management, detection, and access control represent the most significant convergence points where cross-training delivers immediate benefits.

****INE Security’s recommendations for organizations include:****

*   **Four-Step Cross-Training Implementation**: Conduct skill assessments, deploy varied training methodologies, measure impact and ROI, and scale successful programs
*   **Enhanced Threat Detection**: Develop comprehensive visibility across network architecture and security implications to reduce incident response times
*   **Operational Excellence**: Streamline workflows to reduce handoffs between specialized teams and eliminate failed implementations
*   **Cost Optimization**: Reduce downtime costs (averaging $5,600 per minute) through improved incident response and integrated operations

The report emphasizes that successful cross-training transforms organizational culture by creating common language between teams, enabling balanced decision-making, streamlining operations, and improving talent retention through reduced workplace friction.

> “Breaking down security silos and fostering cross-team cooperation is essential for responding to the accelerating pace of cyber threats,” Rinehart concluded. “Organizations that invest in developing professionals who can speak both languages will gain measurable advantages in threat detection, operational efficiency, and business resilience.”

The full report is available for download at learn.ine.com/report/wired-together.

**About INE Security:**

INE Security is the premier provider of online networking and cybersecurity training and certification. Harnessing a powerful hands-on lab platform, cutting-edge technology, a global video distribution network, and world-class instructors, INE Security is the top training choice for Fortune 500 companies worldwide for cybersecurity training in business and for IT professionals looking to advance their careers. INE Security’s cybersecurity certifications are requested by HR departments worldwide, and its suite of learning paths offers an incomparable depth of expertise across cybersecurity and is committed to delivering advanced technical training while also lowering the barriers worldwide for those looking to enter and excel in an IT career.

**Contact**

**Chief Marketing Officer**  
**Kim Lucht**  
**INE Security**  
**\[email protected\]**

INE Security Releases Industry Benchmark Report: “Wired Together: The Case for Cross-Training in Networking and Cybersecurity”

Security researchers at UC Irvine reveal the 'Mic-E-Mouse' attack, showing how high-DPI optical sensors in modern mice can detect desk vibrations and reconstruct user speech with high accuracy. Learn how this side-channel vulnerability affects your privacy.

A team of researchers from the University of California, Irvine, has discovered a security risk right on your desk. It turns out that your high-performance computer mouse, an item you probably trust completely, can be turned into a hidden listening device. This new type of attack is called Mic-E-Mouse, and it has the potential to change our understanding of what computer privacy means.

The idea, which the researchers described as “our computer mouse has big ears” and published on their official Google research site, is an interesting one. It focuses on the highly sensitive optical sensors found in modern gaming and professional mice.

These sensors, which track movement with extreme accuracy (sometimes 20,000 DPI (Dots Per Inch) or even higher), are sensitive enough to detect minute vibrations caused by sound waves travelling through your desk.

Basically, your conversation causes your desk surface to shake just a little bit, and the mouse sensor picks up those tiny tremors. This vulnerability is formally known as a side-channel attack, which means it secretly gathers information through an unintended pathway, in this case, the mouse’s movement data.

****Turning Vibrations into Voice****

A study (PDF) posted on arXiv on 16 September 2025 by Habib Fakih, Rahul Dharmaji, Youssef Mahmoud, Halima Bouzidi, and Mohammad Abdullah Al Faruque from the Department of Electrical Engineering and Computer Science, University of California, Irvine, explains how the researchers created a process that converts raw, seemingly random mouse movement data into clear audio signals.

The raw data is initially messy and incomplete, a problem the researchers solved with a multi-step “pipeline” that uses advanced signal processing and machine learning. This process filters out noise and pieces together the actual speech.

The team’s experiments showed that they could significantly clean up the audio, achieving an increase of up to +19 dB in signal quality and a speech recognition accuracy between 42% and 61% on common speech datasets.

For your information, this attack does not require a complicated virus or deep system access. An attacker only needs a way to collect the mouse’s packet data, which could be done through common software like video games or creative applications that naturally demand high-speed mouse data.

The whole process of data collection is invisible to the average user because it only captures the device’s normal movement reporting, and all the audio reconstruction can happen remotely on the attacker’s own server.

The research team has demonstrated the attack with a video to encourage manufacturers to implement safeguards that can help prevent this unexpected privacy threat.

The implications of this eavesdropping can be extensive. This research shows that as devices become more advanced, the risk of them being misused also increases. Considering that these high-precision mice have become more common and less expensive, the number of potential targets from businesses to everyday homes will grow.