The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA), along with international partners from Australia and Canada, have released guidance to harden on-premise Microsoft Exchange Server instances from potential exploitation.
"By restricting administrative access, implementing multi-factor authentication, enforcing strict transport security

Vulnerability / Threat Intelligence

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA), along with international partners from Australia and Canada, have released guidance to harden on-premise Microsoft Exchange Server instances from potential exploitation.

"By restricting administrative access, implementing multi-factor authentication, enforcing strict transport security configurations, and adopting zero trust (ZT) security model principles, organizations can significantly bolster their defenses against potential cyber attacks," CISA said.

The agencies said malicious activity aimed at Microsoft Exchange Server continues to take place, with unprotected and misconfigured instances facing the brunt of the attacks. Organizations are advised to decommission end-of-life on-premises or hybrid Exchange servers after transitioning to Microsoft 365.

Some of the best practices outlined are listed below -

*   Maintain security updates and patching cadence
*   Migrate end-of-life Exchange servers
*   Ensure Exchange Emergency Mitigation Service remains enabled
*   Apply and maintain the Exchange Server baseline, Windows security baselines, and applicable mail client security baselines
*   Enable antivirus solution, Windows Antimalware Scan Interface (AMSI), Attack Surface Reduction (ASR), and AppLocker and App Control for Business, Endpoint Detection and Response, and Exchange Server's anti-spam and anti-malware features
*   Restrict administrative access to the Exchange Admin Center (EAC) and remote PowerShell and apply the principle of least privilege
*   Harden authentication and encryption by configuring Transport Layer Security (TLS), HTTP Strict Transport Security (HSTS), Extended Protection (EP), Kerberos and Server Message Block (SMB) instead of NTLM, and multi-factor authentication
*   Disable remote PowerShell access by users in the Exchange Management Shell (EMS)

"Securing Exchange servers is essential for maintaining the integrity and confidentiality of enterprise communications and functions," the agencies noted. "Continuously evaluating and hardening the cybersecurity posture of these communication servers is critical to staying ahead of evolving cyber threats and ensuring robust protection of Exchange as part of the operational core of many organizations."

**CISA Updates CVE-2025-59287 Alert**

The guidance comes a day after CISA updated its alert to include additional information related to CVE-2025-59287, a newly re-patched security flaw in the Windows Server Update Services (WSUS) component that could result in remote code execution.

The agency is recommending that organizations identify servers that are susceptible to exploitation, apply the out-of-band security update released by Microsoft, and investigate signs of threat activity on their networks -

*   Monitor and vet suspicious activity and child processes spawned with SYSTEM-level permissions, particularly those originating from wsusservice.exe and/or w3wp.exe
*   Monitor and vet nested PowerShell processes using base64-encoded PowerShell commands

The development follows a report from Sophos that threat actors are exploiting the vulnerability to harvest sensitive data from U.S. organizations spanning a range of industries, including universities, technology, manufacturing, and healthcare. The exploitation activity was first detected on October 24, 2025, a day after Microsoft issued the update.

In these attacks, the attackers have been found to leverage vulnerable Windows WSUS servers to run a Base64-encoded PowerShell commands, and exfiltrate the results to a webhook\[.\]site endpoint, corroborating other reports from Darktrace, Huntress, and Palo Alto Networks Unit 42.

The cybersecurity company told The Hacker News that it has identified six incidents in its customer environments to date, although further research has flagged at least 50 victims.

"This activity shows that threat actors moved quickly to exploit this critical vulnerability in WSUS to collect valuable data from vulnerable organizations," Rafe Pilling, director of threat intelligence at Sophos Counter Threat Unit, told The Hacker News in a statement.

"It's possible this was an initial test or reconnaissance phase, and that attackers are now analyzing the data they've gathered to identify new opportunities for intrusion. We're not seeing further mass exploitation at this time, but it's still early, and defenders should treat this as an early warning. Organizations should ensure their systems are fully patched and that WSUS servers are configured securely to reduce the risk of exploitation."

Michael Haag, principal threat research engineer at Cisco-owned Splunk, noted in a post on X that CVE-2025-59287 "goes deeper than expected" and that they found an alternate attack chain that involves the use of the Microsoft Management Console binary ("mmc.exe") to trigger the execution of "cmd.exe" when an admin opens WSUS Admin Console or hits "Reset Server Node."

"This path triggers a 7053 Event Log crash," Haag pointed out, adding it matches the stack trace spotted by Huntress at "C:\\Program Files\\Update Services\\Logfiles\\SoftwareDistribution.log."

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

CISA and NSA Issue Urgent Guidance to Secure WSUS and Microsoft Exchange Servers

ZÜRICH, Switzerland – Flowable, a global provider of enterprise automation and orchestration software, has been recognized in the…

ZÜRICH, Switzerland – Flowable, a global provider of enterprise automation and orchestration software, has been recognized in the inaugural 2025 Gartner® Magic Quadrant™ for Business Orchestration and Automation Technologies.

The Magic Quadrant evaluates vendors based on their completeness of vision and ability to execute. According to the Gartner report, “Business orchestration and automation technology platforms unify process orchestration, connectivity and agentic features to enable enterprise-wide automation.”

“We are honored to be included in Gartner’s first Magic Quadrant for Business Orchestration and Automation Technologies,” said Micha Kiener, chief technology officer and co-founder at Flowable. “We believe this recognition highlights our continued focus on dynamic case management, orchestration, and natively embedded agentic AI that help enterprises in regulated industries run complex work with adaptability and governance at enterprise scale.”

Flowable’s agentic case platform coordinates people, AI agents, and business processes in a unified, governed environment that delivers advanced intelligent automation, control, and autonomy. “Our platform is designed to coordinate humans and AI in a responsible, governed way-ensuring agility, auditability, and scale,” Kiener added.

The company’s capabilities, including agentic case management and its orchestration framework, are aligned with Gartner’s definition of a Business Orchestration and Automation Technology (BOAT) platform.

Flowable enables enterprises to model and automate complex, exception-driven processes across sectors such as banking, insurance, healthcare, and manufacturing. This approach ensures that critical business operations remain compliant and efficient even in highly regulated environments.

Flowable’s architecture also embeds responsible AI orchestration within its core, allowing organizations to safely integrate multi-agent systems while maintaining governance and transparency. Built on open automation standards – BPMN, CMMN, and DMN – the Flowable platform promotes interoperability, flexibility, and innovation without vendor lock-in.

For a complete view of the report’s assessment of the business orchestration and automation market and vendors, including Flowable, access the full report here.

****Gartner Disclaimer****

Gartner, Magic Quadrant for Business Orchestration and Automation Technologies, Saikat Ray, Tushar Srivastava, Marc Kerremans, Arthur Villa, Cathy Tornbohm, Sachin Joshi, 15 October 2025.

Gartner is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.

Gartner does not endorse any vendor, product or service depicted in its research publications and does not advise technology users to select only those vendors with the highest ratings or other designation.

Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

****About Flowable****

Flowable is a global provider of enterprise automation software headquartered in Zurich, Switzerland. Since 2010, Flowable’s software has helped organizations coordinate automation, people, and processes through a unified platform built on open standards. The company serves leading enterprises across industries where adaptability and accountability are essential. For more information, visit www.flowable.com.

****Media Contact****

Violet Diamanti-Race   
\[email protected\]  
+41 31 329 09 00

Gartner Recognizes Flowable in 2025 Magic Quadrant for Business Orchestration and Automation Technologies

Are you using a fake version of a popular app? Appknox warns US users about malicious brand clones hiding on third-party app stores. Protect yourself from hidden spyware and ‘commercial parasites.’

A new report from mobile application security provider Appknox reveals a troubling trend where malicious apps are masquerading as trusted brands like ChatGPT, DALL·E, and WhatsApp.

Appknox’s investigation, which focused on US-based third-party app stores, found that these app clones range from harmless unofficial interfaces to full-scale surveillance tools. More importantly, these fakes are currently available to US users through these alternative stores.

****The Advertising Deception****

One such app, named DALL·E 3 AI Image Generator, was found on the Aptoide store. Appknox researchers determined that this app pretends to be an image-generation tool from OpenAI, but it has no actual AI capability.

Instead, its code only connects to advertising networks like Unity Ads, AppsFlyer, Adjust, and Bigo Ads. The app displays a fake loading screen that looks like an image is being generated, but network logs confirm it is just loading advertisements in disguise.

“It’s not malware in the strict sense,” said Abhinav Vasisth, Lead Security Researcher at Appknox. Instead, “it is a commercial parasite that profits from deception. It sells ad impressions, not intelligence.”

Further probing revealed that this application was likely built using commercial templates from a developer known for reusing code across many fake app listings.

****Spyware Hidden Behind a Chat Icon****

The most serious threat is WhatsApp Plus. Disguised as an upgraded messenger, this app is a complete spyware framework. After installation, it silently requests broad permissions, including access to contacts, SMS, and device accounts. This access allows the app to intercept crucial data like one-time passwords (OTPs).

Apart from simple privacy invasion, the extensive permissions grant the spyware the power to intercept banking verification codes and execute identity fraud. In short, it doesn’t just steal information; it effectively steals a person’s digital identity and financial access.

For companies, spyware like WhatsApp Plus creates a systemic enterprise threat. It can steal multi-factor authentication codes and infiltrate corporate accounts. In regulated sectors (Finance, Healthcare), these risks massive compliance failures under frameworks like GDPR, HIPAA, and PCI-DSS, resulting in hefty fines, the report reads.

****The Grey Area: Harmless Wrappers****

However, researchers found that not all cloned apps are harmful. For instance, the ChatGPT Wrapper app was an authentic, unofficial interface that genuinely connected to the OpenAI API for chat requests, with no hidden malicious code.

This app actually sits in a “grey zone” of convenience as it is “not endorsed by OpenAI, but not deceptive either,” researchers noted in the blog post shared exclusively with Hackread.com.

These findings are alarming because they prove how easily users can be tricked by the AI hype. Given their diversity in deception, from simple ad traps to dangerous spyware, it becomes essential for users to be careful about where they download their apps from.

Spyware-Plugged ChatGPT, DALL·E and WhatsApp Apps Target US Users

Thor gets into the Halloween spirit, sharing new CVE trends, a “treat” for European Windows 10 users, and a reminder that patching is your best defense against zombie vulnerabilities.

Thursday, October 30, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter. 

This one is pretty much an updated, Halloween-themed version of my newsletter from July, including data up through Q3. 

October 14th has passed, so free support for Windows 10 has come to an end, leaving you with no more fixes unless you’re willing to pony up. While users in many countries must now pay to get Windows 10 security updates (the "trick"), private users in the European Economic Area get free security updates (the "treat") until Oct. 14, 2026. This special reward, won after consumer rights groups pushed Microsoft to do better under EU law,  means no $30 fee, no reward points, and no cloud backup needed... just a Microsoft account.  

There's another trick: The treat is for consumers, not companies, and there are some technical prerequisites (described here). 

While Cybersecurity Awareness Month is coming to end, you still have a chance to reach out to friends and family and encourage them to update their software (one of the Core4 Messages this year). Get them to enable the Extended Security Updates (ESU), update to Windows 11, or migrate to any other OS that will receive future patches. 

Patching is critical. In Q3, we did not run short on vulnerabilities.

Figure 1. Total number of CVEs per year.

With roughly 35,000 CVEs by the end of September, we are still tracking a pace of about 130 CVEs per day. If the almost-linear trend continues, we will land at round about 47,000 for 2025. And for legal purposes, I am **not** challenging anyone to break the barrier of 50,000! 

This is not just about theoretical vulnerabilities. Known Exploited Vulnerabilities (KEVs) are also on the rise. In comparison, the number of KEVs stayed nearly the same between 2023 and 2024, with 187 and 186, respectively.

Figure 2. Total number of KEVs per year.

With 183 at the end of Q3, I think it is safe to say we are going to surpass the number this year. (Spoiler: At the time of writing, there were already 210.) KEVs that affect network-related gear are up by 3% to 28%, which is not a massive increase but for sure a relevant portion. Overall, vendor diversity also continues to expand, increasing from 61 in July to 79 so far this year.

Figure 3. CVE from year added to KEV in 2025.

While the oldest CVE added to the catalog was from 2017 last time, the third quarter introduced a few new negative records from 2007, 2013, 2014, and 2016. 

While this isn't a part of our Q3 data, CVE-2025-59287 caught my attention late Friday afternoon. I didn’t expect WSUS service to be publicly exposed to the internet, but it found its way into the KEV, too. 

In a pumpkin shell: Keep stalking those bugs and patching your spells, because vulnerabilities won’t patch themselves. Happy Halloween!

**The one big thing **

We're introducing the Tool Talk series, where Talos shares open-source tools alongside practical insights, tips, and enhancements to help cybersecurity professionals and researchers work smarter and more effectively.  

Our first post introduces dynamic binary instrumentation (DBI) and provides a step-by-step guide to building your own DBI tool using the open-source DynamoRIO framework on Windows 11. DBI lets you analyze and modify running programs — crucial for malware analysis, security audits, reverse engineering, and performance profiling — even when you don’t have the original source code. The post covers DynamoRIO’s strengths, compares it to other frameworks, and offers practical examples, including sample code from our GitHub repository. 

**Why do I care? **

If you’re interested in malware analysis, debugging, or getting a deeper look inside how binaries behave at runtime, this blog shows you how to do all that without needing source code access. DBI tools like DynamoRIO are essential for modern security research, especially for bypassing common malware defenses and anti-analysis tricks. 

**So now what? **

Ready to get hands-on? Follow the blog’s step-by-step instructions to build your own DBI client, test it out, and explore the example code provided. Whether you’re looking to automate malware analysis, profile software, or just tinker with low-level instrumentation, you’ll find everything you need to kickstart your own DBI projects.

**Top security headlines of the week **

**Microsoft issues emergency patch for critical Windows Server bug**   
This CVE is a remote code execution (RCE) flaw in WSUS, which is part of Windows Server and allows administrators to schedule, manage, and deploy patches, hotfixes, service packs, and other updates. (DarkReading) 

**Shutdown sparks 85% increase in U.S. government cyberattacks**   
Cyberattacks against federal employees have nearly doubled since the US government shut down on Oct. 1. Experts emphasize that the most serious cyber consequences of the shutdown won't come in the form of immediate breaches. (DarkReading) 

**Over 250 Magento stores hit overnight as hackers exploit new Adobe Commerce flaw**   
E-commerce security company Sansec has warned that threat actors have begun to exploit a recently disclosed security vulnerability in Adobe Commerce and Magento Open Source platforms. (The Hacker News) 

**Hacking Team successor linked to malware campaign, new “Dante” commercial spyware**   
Kaspersky found that victims were infected through personalized phishing links exploiting a zero-day Chrome vulnerability, with the campaign targeting a broad range of Russian organizations for espionage. (CyberScoop) 

**Can’t get enough Talos? **

*   **The TTP: How attackers use your own tools against you**   
    From a wave of Toolshell events, to a rise in post-exploitation phishing, and the misuse of legitimate tools like Velociraptor, the team unpacks Q3 trends. 
*   **Cybersecurity on a budget: Strategies for an economic downturn**   
    Budget cuts and layoffs make securing an organization more difficult. This blog offers practical strategies, creative defenses, and talent management advice to help your business stay secure when every dollar counts. 
*   **Principles of the CIA triad, threat intel, and threat hunting**   
    This recorded CCNA prep session with our own Pierre Cadieux teaches you how to effectively discuss risks and threats using the CIA triad, build a solid foundation in threat intelligence, and gain insight into how threat hunting operates in today’s security landscape.

**Upcoming events where you can find Talos **

*   Bsides Osijek (Nov. 5) Osijek, Croatia 
*   AVAR (Dec. 3 – 5) Kuala Lumpur, Malaysia

**Most prevalent malware files from Talos telemetry over the past week **

**SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**    
MD5: 2915b3f8b703eb744fc54c81f4a9c67f    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
Example Filename: e74d9994a37b2b4c693a76a580c3e8fe\_1\_Exe.exe    
Detection Name: Win.Worm.Coinminer::1201 

**SHA256: d933ec4aaf7cfe2f459d64ea4af346e69177e150df1cd23aad1904f5fd41f44a**    
MD5: 1f7e01a3355b52cbc92c908a61abf643    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=d933ec4aaf7cfe2f459d64ea4af346e69177e150df1cd23aad1904f5fd41f44a    
Example Filename: cleanup.bat    
Detection Name: W32.D933EC4AAF-90.SBX.TG 

**SHA256: c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe**    
MD5: bf9672ec85283fdf002d83662f0b08b7    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe   
Example Filename: f\_003b84.html   
Detection Name: W32.C0AD494457-95.SBX.TG 

**SHA256: 41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610**    
MD5: 85bbddc502f7b10871621fd460243fbc    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610    
Example Filename: 85bbddc502f7b10871621fd460243fbc.exe    
Detection Name: W32.41F14D86BC-100.SBX.TG 

**SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974**    
MD5: aac3165ece2959f39ff98334618d10d9    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974   
Example Filename: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974.exe    
Detection Name: W32.Injector:Gen.21ie.1201

Trick, treat, repeat

Google on Thursday revealed that the scam defenses built into Android safeguard users around the world from more than 10 billion suspected malicious calls and messages every month.
The tech giant also said it has blocked over 100 million suspicious numbers from using Rich Communication Services (RCS), an evolution of the SMS protocol, thereby preventing scams before they could even be sent.
In

Google on Thursday revealed that the scam defenses built into Android safeguard users around the world from more than 10 billion suspected malicious calls and messages every month.

The tech giant also said it has blocked over 100 million suspicious numbers from using Rich Communication Services (RCS), an evolution of the SMS protocol, thereby preventing scams before they could even be sent.

In recent years, the company has adopted various safeguards to combat phone call scams and automatically filter known spam using on-device artificial intelligence and move them automatically to the "spam & blocked" folder in the Google Messages app for Android.

Earlier this month, Google also globally rolled out safer links in Google Messages, warning users when they attempt to click on any URLs in a message flagged as spam and step them visiting the potentially harmful website, unless the message is marked as "not spam."

Google said its analysis of user-submitted reports in August 2025 found employment fraud to be the most prevalent scam category, where individuals searching for work are lured with fake opportunities in order to steal their personal and financial information.

Another prominent category relates to financially-motivated scams that revolve around bogus unpaid bills, subscriptions, and fees, as well as fraudulent investment schemes. Also observed to a lesser extent are scams related to package deliveries, government agency impersonation, romance, and technical support scams.

In an interesting twist, Google said it has increasingly witnessed scam messages arrive in the form of a group chat with a number of potential victims, as opposed to sending them a direct message.

"This shift may have happened because group messages can feel less suspicious to recipients, particularly when a scammer includes a fellow scammer in the group to validate the initial message and make it appear to be a legitimate conversation," Google said.

The company's analysis also found that the malicious messages stick to a "distinct daily and weekly schedule," with the activity commencing around 5 a.m. PT in the U.S., before peaking between 8 a.m. and 10 a.m. PT. The highest volume of fraudulent messages is typically sent on Mondays, coinciding with the start of the workday, when recipients are likely to be the busiest and less wary of incoming messages.

Some of the common aspects that tie these scams together are that they begin with a "Spray and Pray" approach by casting a wide net in hopes of reeling in a small fraction of victims by inducing a false sense of urgency through lures related to topical events, package delivery notifications, or toll charges.

The intention is to rush prospective targets into acting on the message without thinking too much, causing them to click on malicious links that are often shortened using URL shorteners to mask dangerous websites and ultimately steal their information.

Alternatively, scams can also embrace what's called as "Bait and Wait," which refers to a more calculated, personalised targeting method where the threat actor establishes rapport with a target over time before going for the kill. Scams like romance baiting (aka pig butchering) fall into this category.

Top three scam categories

"The scammer engages you in a longer conversation, pretending to be a recruiter or old friend," Google explained. "They may even include personal details gathered from public websites like your name or job title, all designed to build trust. The tactics are more patient, aiming to maximize financial loss over time."

Regardless of the high-pressure or slow-moving tactic employed, the end goal remains the same: to steal information or money from unsuspecting users, whose details, such as phone numbers, are often procured from dark web marketplaces that sell data stolen from security breaches.

The operation is also supported by suppliers that provide the necessary hardware for operating phone and SIM farms that are used to blast smishing messages at scale, Phishing-as-a-Service (PhaaS) kits that deliver a turnkey solution to harvest credentials and financial information and manage the campaigns, and third-party bulk messaging services to distribute the messages themselves.

"\[The messaging services\] are the distribution engine that connects the scammer's infrastructure and target lists to the end victim, delivering the malicious links that lead to the PhaaS-hosted websites," Google said.

The search behemoth also described the scam message landscape as highly volatile, where fraudsters seek to purchase SIM cards in bulk from markets that present the fewest obstacles.

"While it may appear that waves of scams are moving between countries, this constant churn doesn't mean scammers are physically

relocating," it added. "Once enforcement tightens in one area, they simply pivot to another, creating a perpetual cycle of shifting hotspots."

"While it may appear that waves of scams are moving between countries, this constant churn doesn't mean scammers are physically relocating," it added. "Once enforcement tightens in one area, they simply pivot to another, creating a perpetual cycle of shifting hotspots."

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

Google's Built-In AI Defenses on Android Now Block 10 Billion Scam Messages a Month

The open-source command-and-control (C2) framework known as AdaptixC2 is being used by a growing number of threat actors, some of whom are related to Russian ransomware gangs.
AdaptixC2 is an emerging extensible post-exploitation and adversarial emulation framework designed for penetration testing. While the server component is written in Golang, the GUI Client is written in C++ QT for

The open-source command-and-control (C2) framework known as AdaptixC2 is being used by a growing number of threat actors, some of whom are related to Russian ransomware gangs.

AdaptixC2 is an emerging extensible post-exploitation and adversarial emulation framework designed for penetration testing. While the server component is written in Golang, the GUI Client is written in C++ QT for cross-platform compatibility.

It comes with a wide range of features, including fully encrypted communications, command execution, credential and screenshot managers, and a remote terminal, among others. An early iteration was publicly released by a GitHub user named "RalfHacker" (@HackerRalf on X) in August 2024, who describes themselves as a penetration tester, red team operator, and "MalDev" (short for malware developer).

In recent months, AdaptixC2 has been adopted by various hacking groups, including threat actors tied to the Fog and Akira ransomware operations, as well as by an initial access broker that has leveraged CountLoader in attacks that are designed to deliver various post-exploitation tools.

Palo Alto Networks Unit 42, which broke down the technical aspects of the framework last month, characterized it as a modular and versatile framework that can be used to "comprehensively control impacted machines," and that it has been put to use as part of fake help desk support call scams via Microsoft Teams and through an artificial intelligence (AI)-generated PowerShell script.

While AdaptixC2 is offered as an ethical, open-source tool for red teaming activities, it's also clear that it has attracted the attention of cybercriminals.

Cybersecurity company Silent Push said RalfHacker's GitHub bio about them being a "MalDev" triggered an investigation, allowing them to find several email addresses for GitHub accounts linked to the account's owner, in addition to a Telegram channel called RalfHackerChannel, where they re-shared messages posted on a dedicated channel for AdaptixC2. The RalfHackerChannel channel has more than 28,000 subscribers.

In a message on the AdaptixFramework channel in August 2024, they mentioned their interest in starting a project about a "public C2, which is very trendy right now" and hoped "it will be like Empire," another popular post-exploitation and adversary emulation framework.

While it's currently not known if RalfHacker has any direct involvement in malicious activity tied to AdaptixC2 or CountLoader at this stage, Silent Push said their "ties to Russia's criminal underground, via the use of Telegram for marketing and the tool's subsequent uptick in utilization by Russian threat actors, all raise significant red flags."

The Hacker News has reached out to RalfHacker for comment, and we will update the story if we hear back.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

Russian Ransomware Gangs Weaponize Open-Source AdaptixC2 for Advanced Attacks

Ribbon Communications discloses a year-long breach by nation-state actors. The attack highlights critical supply chain risk, reflecting the Salt Typhoon and F5 espionage trends.

Ribbon Communications, a key American telecom firm that helps run the world’s major phone and data networks, has revealed a major security breach. The company confirmed that nation-state hackers, working for an unnamed foreign power, infiltrated its computer systems and remained hidden for almost a full year without detection.

The Texas-based company, which makes the technology that enables real-time communications (like allowing a standard voice call to connect with web-based systems or conference applications), made the disclosure public in its 10-Q Quarterly Report filed with the US Securities and Exchange Commission (SEC) and published on its own website on October 23.

Ribbon Communications 10-Q filing with the SEC (Credit: Hackread.com)

****Discovery and Damage Assessment****

Ribbon discovered the unauthorised access in early September 2025, prompting an immediate investigation. Early probing revealed that the initial compromise may have occurred as far back as December 2024.

The company stated that they have found no evidence yet that the attackers gained access to any “material information” or managed to infiltrate any of their customers’ own systems. However, they did confirm that the hackers accessed four older customer files saved on two laptops outside of the main network, and the three smaller customers whose files were involved have already been notified.

****A Broader Espionage Trend****

Ribbon Communications is currently working with federal law enforcement and multiple outside experts to investigate the intrusion, and they believe the attackers have been successfully evicted from the network.

This exposure is particularly upsetting because Ribbon Communications serves a vast, international customer base, including telecom giants like Verizon, BT, Deutsche Telekom, and even the US Department of Defence.

This incident intensifies the threat to telco firms, given the consistently increasing trend of nation-state actors targeting them for espionage. As _Hackread.com_ has been observing lately, this aligns with major ongoing campaigns such as the Salt Typhoon campaign, where telecom organisations globally were targeted using backdoors like SNAPPYBEE and leveraging network device vulnerabilities.

It also follows the recent state-backed attack on F5, which led to the theft of BIG-IP source code and vulnerability research. The pattern shows a clear focus on technology providers to gain deep intelligence.

The year-long breach comes as no surprise that companies like Ribbon are high-value targets for state-aligned hackers, especially since they work with both major government and critical infrastructure organisations, making them a vital point of compromise in the global supply chain

In response to the news, Ryan McConechy, CTO of Barrier Networks, shared comments with Hackread.com, emphasising the concerning stealth of the attack:

“This latest breach against a major telecommunications provider is further evidence that the online world has become the preferred playing field for all adversaries today. We don’t know which nation state is behind the attack, or what their MO was, but the fact that they were inside the network for as long as a year before being noticed is deeply concerning.

This could also suggest the attack was executed out of China, as their attackers often rely on living off the land and stealthy techniques to stay under the radar for as long as possible, allowing them to conduct reconnaissance, which can advance their objectives in the future.”

McConechy concluded by stressing the need for better preparation among critical infrastructure providers:

“As nation state threat actors focus their attention on targeting critical infrastructure and other telco firms, it is essential these organisations are prepared for these assaults. The UK government recently updated its cyber-Code of Practice for Telcos, so following the recommendations outlined there is a vital first step.”

Year-Long Nation-State Hack Hits US Telecom Ribbon Communications

User with CREATE and no UPDATE privilege for Pools, Connections, Variables could update existing records via bulk create API with overwrite action.

Skip to content

**Navigation Menu**

*   *   AI CODE CREATION
        
        *   GitHub CopilotWrite better code with AI
            
        *   GitHub SparkBuild and deploy intelligent apps
            
        *   GitHub ModelsManage and compare prompts
            
        *   MCP RegistryNewDiscover and integrate external tools
            
        
    
    View all features
    

*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

Appearance settings

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-62503

**Apache Airflow's create action can upsert existing Pools/Connections/Variables**

Moderate severity GitHub Reviewed Published Oct 30, 2025 to the GitHub Advisory Database • Updated Oct 30, 2025

**Package**

pip apache-airflow (pip)

**Affected versions**

\>= 3.0.0, < 3.1.1

**Description**

Published to the GitHub Advisory Database

Oct 30, 2025

Last updated

Oct 30, 2025

**EPSS score**

GHSA-gp5f-cx7h-8q6f: Apache Airflow's create action can upsert existing Pools/Connections/Variables

API users via `/api/v2/dagReports` could perform Dag code execution in the context of the api-server if the api-server was deployed in the environment where Dag files were available.

Skip to content

**Navigation Menu**

*   *   AI CODE CREATION
        
        *   GitHub CopilotWrite better code with AI
            
        *   GitHub SparkBuild and deploy intelligent apps
            
        *   GitHub ModelsManage and compare prompts
            
        *   MCP RegistryNewDiscover and integrate external tools
            
        
    
    View all features
    

*   Pricing

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

Appearance settings

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2025-62402

**Apache Airflow \`/api/v2/dagReports\` executes DAG Python in API**

Moderate severity GitHub Reviewed Published Oct 30, 2025 to the GitHub Advisory Database • Updated Oct 30, 2025

**Package**

pip apache-airflow (pip)

**Affected versions**

\>= 3.0.0, < 3.1.1

**Description**

Published to the GitHub Advisory Database

Oct 30, 2025

Last updated

Oct 30, 2025

**EPSS score**

GHSA-273c-4g26-4jpm: Apache Airflow `/api/v2/dagReports` executes DAG Python in API

Silver Spring, USA/ Maryland, 30th October 2025, CyberNewsWire

**Silver Spring, USA/ Maryland, October 30th, 2025, CyberNewsWire**

*   **The new capabilities, anchored by Blended Identity and the MCP Identity Gateway, give enterprises a secure and auditable way to manage how AI agents identify themselves and access sensitive systems.**

Aembit today announced the launch of Aembit Identity and Access Management (IAM) for Agentic AI, a set of capabilities that help organizations safely provide and enforce access policies for AI agents as they move into production. The release introduces Blended Identity, which defines how AI agents act on behalf of verified users, and the MCP Identity Gateway, which ensures secure access to enterprise resources based on identity, access policy, and runtime attributes.

The new offering extends the Aembit Workload IAM Platform to address one of the most pressing operational questions in artificial intelligence and modern IT: how to control what autonomous and user-driven AI agents can access, under what conditions, and with what accountability.

AI agents are rapidly becoming a key part of enterprise operations. Nearly half of technology executives say they are already adopting or fully deploying agentic AI, and about the same share expect most of their AI deployments to be autonomous within two years, according to an EY survey. These agents retrieve sensitive data, open tickets, and execute code across cloud, on-premises, and SaaS environments.

Yet most access models were built for people, not self-directed software. Many still rely on static secrets and shared credentials, creating risk and obscuring accountability. Worse yet, agents’ actions are often hidden behind the identity of a human, making it almost impossible to audit the actions each actor has taken. The result is a widening gap between the pace of AI adoption and the ability of organizations to secure it with confidence.

Aembit IAM for Agentic AI assigns each agent a cryptographically verified identity, issues ephemeral credentials, and enforces policy at runtime. The system records every access decision and maintains attribution across both human-driven and autonomous agent activity. By bringing agent activity under the same centralized policy control plane that governs other workloads, Aembit enables enterprises to deploy AI at scale while maintaining control, auditability, and compliance.

> “Enterprises want to say yes to agentic AI, and they’re asking Aembit for ways to securely grant agents access to data and applications,” said David Goldschlag, co-founder and CEO of Aembit. “Aembit IAM for Agentic AI gives enterprises the same level of control and audit over agent access that IAM systems have long provided for employees. Our approach enables organizations to advance their AI initiatives without expanding their threat and risk surface.”

The release introduces two core capabilities to the Aembit Workload IAM Platform:

*   **Blended Identity**, which gives every AI agent its own verified identity and, when needed, binds it to the human it represents. This establishes a single, traceable identity for each agent action and allows Aembit to issue a secure credential that reflects that combined context.
*   **MCP Identity Gateway**, which receives that identity credential and controls how agents connect to tools through the Model Context Protocol (MCP). The gateway authenticates the agent, enforces policy, and performs token exchange to securely retrieve the necessary access permissions for each connected resource – without ever exposing them to the agent runtime.

Together, this functionality allows enterprises to apply least-privilege access, revoke permissions immediately when needed, and ensure that every AI action is attributable and auditable. They operate on Aembit’s established Workload IAM foundation, which enforces policy dynamically at runtime, issues ephemeral credentials just in time, and records structured events for full traceability.

Aembit developed IAM for Agentic AI through collaboration with large businesses, government organizations, and innovative agentic AI startups deploying AI for operational and security workloads. Those efforts helped shape an approach that combines enterprise enforcement with the adaptability AI projects demand.

> “AI agents don’t live inside one stack or trust domain,” said Kevin Sapp, co-founder and CTO of Aembit. “They move between hybrid environments in seconds. With Aembit, every agent carries a verified identity that our gateway can authenticate and control in real time. It’s how enterprises can give agents the access they need to work, while never losing sight of who they are or what they touch.”

Aembit IAM for Agentic AI is now available to customers using its Workload IAM Platform. Organizations can learn more, request a demo, or get started today at aembit.io.

**About Aembit**

Aembit is the identity and access management platform for agentic AI and workloads. It enforces access based on identity, context, and centrally managed policies, giving organizations a singular place to control access risk from AI agents, automate credential management, and accelerate AI adoption. With Aembit, enterprises can confidently control access to sensitive resources across all the workloads that power their business. Users can visit aembit.io and follow the company on LinkedIn.

**Contact**

**Apurva Dave**  
**Aembit**  
**\[email protected\]**

Tag

#intel