A China-affiliated threat actor known as UNC6384 has been linked to a fresh set of attacks exploiting an unpatched Windows shortcut vulnerability to target European diplomatic and government entities between September and October 2025.
The activity targeted diplomatic organizations in Hungary, Belgium, Italy, and the Netherlands, as well as government agencies in Serbia, Arctic Wolf said in a

Malware / Threat Intelligence

A China-affiliated threat actor known as **UNC6384** has been linked to a fresh set of attacks exploiting an unpatched Windows shortcut vulnerability to target European diplomatic and government entities between September and October 2025.

The activity targeted diplomatic organizations in Hungary, Belgium, Italy, and the Netherlands, as well as government agencies in Serbia, Arctic Wolf said in a technical report published Thursday.

"The attack chain begins with spear-phishing emails containing an embedded URL that is the first of several stages that lead to the delivery of malicious LNK files themed around European Commission meetings, NATO-related workshops, and multilateral diplomatic coordination events," the cybersecurity company said.

The files are designed to exploit ZDI-CAN-25373 to trigger a multi-stage attack chain that culminates in the deployment of the PlugX malware using DLL side-loading. PlugX is a remote access trojan that's also referred to as Destroy RAT, Kaba, Korplug, SOGU, and TIGERPLUG.

UNC6384 was the subject of a recent analysis by Google Threat Intelligence Group (GTIG), which described it as a cluster with tactical and tooling overlaps with a hacking group known as Mustang Panda. The threat actor has been observed delivering a memory-resident variant of PlugX called SOGU.SEC.

The latest attack wave uses phishing emails with diplomatic lures to entice recipients into opening a bogus attachment that's designed to exploit ZDI-CAN-25373, a vulnerability that has been put to use by multiple threat actors as far back as 2017 to execute hidden malicious commands on a victim's machine. It's officially tracked as CVE-2025-9491 (CVSS score: 7.0)

The existence of the bug was first reported by security researchers Peter Girnus and Aliakbar Zahravi in March 2025. A subsequent report from HarfangLab found that the shortcoming has also been abused by a cyber espionage cluster known as XDSpy to distribute a Go-based malware called XDigo in attacks targeting Eastern European governmental entities in March 2025.

At that time, Microsoft told The Hacker News that Microsoft Defender has detections in place to detect and block this threat activity, and that Smart App Control provides an extra layer of protection by blocking malicious files from the Internet.

Specifically, the LNK file is designed to launch a PowerShell command to decode and extract the contents of a TAR archive and simultaneously display a decoy PDF document to the user. The archive contains three files: A legitimate Canon printer assistant utility, a malicious DLL dubbed CanonStager that's sideloaded using the binary, and an encrypted PlugX payload ("cnmplog.dat") that's launched by the DLL.

"The malware provides comprehensive remote access capabilities including command execution, keylogging, file upload and download operations, persistence establishment, and extensive system reconnaissance functions," Arctic Wolf said. "Its modular architecture allows operators to extend functionality through plugin modules tailored to specific operational requirements."

PlugX also implements various anti-analysis techniques and anti-debugging checks to resist efforts to unpack its internals and fly under the radar. It achieves persistence by means of a Windows Registry modification.

Arctic Wolf said the CanonStager artifacts found in early September and October 2025 have witnessed a steady decline in size from approximately 700 KB to 4 KB, indicating active development and its evolution into a minimal tool capable of achieving its goals without leaving much of a forensic footprint.

Furthermore, in what's being perceived as a refinement of the malware delivery mechanism, UNC6384 has been found to leverage an HTML Application (HTA) file in early September to load an external JavaScript that, in turn, retrieves the malicious payloads from a cloudfront\[.\]net subdomain.

"The campaign's focus on European diplomatic entities involved in defense cooperation, cross-border policy coordination, and multilateral diplomatic frameworks aligns with PRC strategic intelligence requirements concerning European alliance cohesion, defense initiatives, and policy coordination mechanisms," Arctic Wolf concluded.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

China-Linked Hackers Exploit Windows Shortcut Flaw to Target European Diplomats

Cybercriminals exploit a WSUS vulnerability to deploy Skuld Stealer malware, even after Microsoft released an urgent security patch.

A vulnerability in the Windows Server Update Service (WSUS) is being actively exploited by cybercriminals to plant Skuld  Staler malware, according to new research from the cybersecurity firm Darktrace.

This service, which helps companies manage Microsoft updates in a centralised manner across corporate networks, contains a flaw, identified as CVE-2025-59287, which Microsoft disclosed in October 2025. Because WSUS servers hold key permissions within a network, they are considered high-value targets.

The initial security fix released by Microsoft as part of its October 2025 Patch Tuesday wasn’t completely successful in solving the risk, forcing a second, urgent update (called an out-of-band patch) on October 23. However, even with the updates available, criminals started using the flaw right away, prompting the US Cybersecurity and Infrastructure Security Agency (CISA) to add the problem to its list of exploited vulnerabilities on October 24.

****The Attack Timeline****

Darktrace investigated two separate incidents involving US-based customers where this vulnerability was utilised by attackers. The first signs of trouble began on October 24, 2025- the same day CISA added the flaw to its list.

In the initial case, a WSUS server belonging to a firm in the Information and Communication sector began making unusual connections to webhook.site around 3:55 AM. Subsequent communication was seen, with some connections using the common tools PowerShell and cURL.

As we know it, these are legitimate programs, but attackers were misusing them to remotely control the server. By October 26, the device started connecting to rare subdomains of workersdev, a service often abused by hackers.

Further probing revealed the device downloaded a legitimate security tool called Velociraptor. The attackers used a vulnerable version of this tool to create a hidden communication ‘tunnel’ back to their command server. The malicious communication continued into October 27, leading to the possible download of the final payload: a data-stealing program called Skuld Stealer.

This stealer takes sensitive information like crypto wallets, and the attackers aimed to “maintain persistence in enterprise environments, bypassing traditional defences,” according to the Darktrace report shared with Hackread.com

****Education Sector Incident****

A second, similar attack was detected shortly after the first, impacting a WSUS server within the Education sector. This device also made outgoing connections using PowerShell to webhook.site on October 24.

While Darktrace did not see further network activity, it is worth noting that the customer’s own security system flagged malicious activity on October 27, suggesting the compromise may have continued secretly on the computer.

Case 1: A timeline outlining suspicious activity detected by Darktrace, and Case 2: A timeline outlining suspicious activity on the device

The research confirms how criminals are “leveraging WSUS to deliver malicious payloads.” Darktrace researchers emphasise that an exploit of this kind can lead to considerable damage, from data theft to a full-scale network compromise.

This chain of events also clearly shows that companies need to be ready to protect against attacks, especially now that criminals are misusing even normal, trusted programs to break in.

Hackers Exploit WSUS Flaw to Spread Skuld Stealer Despite Microsoft Patch

Google’s latest Chrome release fixes seven serious flaws that could let attackers run malicious code just by luring you to a compromised page.

Google has released an update for its Chrome browser that includes 20 security fixes, several of which are classed as high severity. Most of these flaws were found in Chrome’s V8 engine—the part of Chrome (and other Chromium-based browsers) that runs JavaScript.

Chrome is by far the world’s most popular browser, used by an estimated 3.4 billion people. That scale means when Chrome has a security flaw, billions of users are potentially exposed until they update.

These vulnerabilities are serious because they affect the code that runs almost every website you visit. Every time you load a page, your browser executes JavaScript from all sorts of sources, whether you notice it or not. Without proper safety checks, attackers can sneak in malicious instructions that your browser then runs—sometimes without you clicking anything. That could lead to stolen data, malware infections, or even a full system compromise.

That’s why it’s important to install these patches promptly. Staying unpatched means you could be open to an attack just by browsing the web, and attackers often exploit these kinds of flaws before most users have a chance to update. Always let your browser update itself, and don’t delay restarting to apply security patches, because updates often fix exactly this kind of risk.

**How to update**

The Chrome update brings the version number to 142.0.7444.59/.60 for Windows, 142.0.7444.60 for MacOS and 142.0.7444.59 for Linux. So, if your Chrome is on the version number **142.0.7444.59 or later,** it’s protected from these vulnerabilities.

The easiest way to update is to allow Chrome to update automatically, but you can end up lagging behind if you never close your browser or if something goes wrong—such as an extension stopping you from updating the browser.

To update manually, click the “**More**” menu (three stacked dots), then choose **Settings** > **About Chrome**. If there is an update available, Chrome will notify you and start downloading it. Then relaunch Chrome to complete the update, and you’ll be protected against these vulnerabilities.

You can find more detailed update instructions and how to read the version number in our article on how to update Chrome on every operating system.

**Technical details**

Among the vulnerabilities in the V8 engine there are two that stand out:

**CVE-2025-12428** is a high-severity “type confusion” vulnerability in the V8 JavaScript engine. This happens when code doesn’t verify the object type it’s handling and then uses it incorrectly. In other words, the software mistakes one type of data for another—like treating a list as a single value or a number as text. This can cause Chrome to behave unpredictably and, in some cases, let attackers manipulate memory and execute code remotely through crafted JavaScript on a malicious or compromised website. Google paid a $50,000 bounty for its discovery, highlighting its severity.

**CVE-2025-12036** involves an inappropriate implementation in V8 and is classified as critical. This one allows remote code execution (RCE)—meaning an attacker could run code on your computer just by getting you to visit a specially crafted page. Google’s Big Sleep project, an AI-driven system that automates vulnerability discovery, found the flaw. It stems from improper handling in the internals of the JavaScript and WebAssembly engines and carries a high risk of data theft, malware installation, or even full system compromise.

Users of other Chromium-based browsers—like Edge, Opera, and Brave—can expect similar updates in the near future.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Update Chrome now: 20 security fixes just landed 

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA), along with international partners from Australia and Canada, have released guidance to harden on-premise Microsoft Exchange Server instances from potential exploitation.
"By restricting administrative access, implementing multi-factor authentication, enforcing strict transport security

Vulnerability / Threat Intelligence

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA), along with international partners from Australia and Canada, have released guidance to harden on-premise Microsoft Exchange Server instances from potential exploitation.

"By restricting administrative access, implementing multi-factor authentication, enforcing strict transport security configurations, and adopting zero trust (ZT) security model principles, organizations can significantly bolster their defenses against potential cyber attacks," CISA said.

The agencies said malicious activity aimed at Microsoft Exchange Server continues to take place, with unprotected and misconfigured instances facing the brunt of the attacks. Organizations are advised to decommission end-of-life on-premises or hybrid Exchange servers after transitioning to Microsoft 365.

Some of the best practices outlined are listed below -

*   Maintain security updates and patching cadence
*   Migrate end-of-life Exchange servers
*   Ensure Exchange Emergency Mitigation Service remains enabled
*   Apply and maintain the Exchange Server baseline, Windows security baselines, and applicable mail client security baselines
*   Enable antivirus solution, Windows Antimalware Scan Interface (AMSI), Attack Surface Reduction (ASR), and AppLocker and App Control for Business, Endpoint Detection and Response, and Exchange Server's anti-spam and anti-malware features
*   Restrict administrative access to the Exchange Admin Center (EAC) and remote PowerShell and apply the principle of least privilege
*   Harden authentication and encryption by configuring Transport Layer Security (TLS), HTTP Strict Transport Security (HSTS), Extended Protection (EP), Kerberos and Server Message Block (SMB) instead of NTLM, and multi-factor authentication
*   Disable remote PowerShell access by users in the Exchange Management Shell (EMS)

"Securing Exchange servers is essential for maintaining the integrity and confidentiality of enterprise communications and functions," the agencies noted. "Continuously evaluating and hardening the cybersecurity posture of these communication servers is critical to staying ahead of evolving cyber threats and ensuring robust protection of Exchange as part of the operational core of many organizations."

**CISA Updates CVE-2025-59287 Alert**

The guidance comes a day after CISA updated its alert to include additional information related to CVE-2025-59287, a newly re-patched security flaw in the Windows Server Update Services (WSUS) component that could result in remote code execution.

The agency is recommending that organizations identify servers that are susceptible to exploitation, apply the out-of-band security update released by Microsoft, and investigate signs of threat activity on their networks -

*   Monitor and vet suspicious activity and child processes spawned with SYSTEM-level permissions, particularly those originating from wsusservice.exe and/or w3wp.exe
*   Monitor and vet nested PowerShell processes using base64-encoded PowerShell commands

The development follows a report from Sophos that threat actors are exploiting the vulnerability to harvest sensitive data from U.S. organizations spanning a range of industries, including universities, technology, manufacturing, and healthcare. The exploitation activity was first detected on October 24, 2025, a day after Microsoft issued the update.

In these attacks, the attackers have been found to leverage vulnerable Windows WSUS servers to run a Base64-encoded PowerShell commands, and exfiltrate the results to a webhook\[.\]site endpoint, corroborating other reports from Darktrace, Huntress, and Palo Alto Networks Unit 42.

The cybersecurity company told The Hacker News that it has identified six incidents in its customer environments to date, although further research has flagged at least 50 victims.

"This activity shows that threat actors moved quickly to exploit this critical vulnerability in WSUS to collect valuable data from vulnerable organizations," Rafe Pilling, director of threat intelligence at Sophos Counter Threat Unit, told The Hacker News in a statement.

"It's possible this was an initial test or reconnaissance phase, and that attackers are now analyzing the data they've gathered to identify new opportunities for intrusion. We're not seeing further mass exploitation at this time, but it's still early, and defenders should treat this as an early warning. Organizations should ensure their systems are fully patched and that WSUS servers are configured securely to reduce the risk of exploitation."

Michael Haag, principal threat research engineer at Cisco-owned Splunk, noted in a post on X that CVE-2025-59287 "goes deeper than expected" and that they found an alternate attack chain that involves the use of the Microsoft Management Console binary ("mmc.exe") to trigger the execution of "cmd.exe" when an admin opens WSUS Admin Console or hits "Reset Server Node."

"This path triggers a 7053 Event Log crash," Haag pointed out, adding it matches the stack trace spotted by Huntress at "C:\\Program Files\\Update Services\\Logfiles\\SoftwareDistribution.log."

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

CISA and NSA Issue Urgent Guidance to Secure WSUS and Microsoft Exchange Servers

A design firm is editing a new campaign video on a MacBook Pro. The creative director opens a collaboration app that quietly requests microphone and camera permissions. MacOS is supposed to flag that, but in this case, the checks are loose. The app gets access anyway.
On another Mac in the same office, file sharing is enabled through an old protocol called SMB version one. It’s fast and

Endpoint Security / Network Security

A design firm is editing a new campaign video on a MacBook Pro. The creative director opens a collaboration app that quietly requests microphone and camera permissions. MacOS is supposed to flag that, but in this case, the checks are loose. The app gets access anyway.

On another Mac in the same office, file sharing is enabled through an old protocol called SMB version one. It's fast and convenient—but outdated and vulnerable. Attackers can exploit it in minutes if the endpoint is exposed to the internet.

These are the kinds of configuration oversights that happen every day, even in organizations that take security seriously. They're not failures of hardware or antivirus software. They're configuration gaps that open doors to attackers, and they often go unnoticed because nobody is looking for them.

That's where Defense Against Configurations (DAC) comes in.

Misconfigurations are a gift to attackers: default settings left open, remote access that should be off (like outdated network protocols such as SMB v1), or encryption that never got enabled.

The goal of the latest release from ThreatLocker is simple. It makes those weak points visible on macOS so they can be fixed before they become incidents. Following the August 2025 release of DAC for Windows, ThreatLocker has launched DAC for macOS, which is currently in Beta.

The built-in ThreatLocker feature scans Macs as many as four times per day using the existing ThreatLocker agent, surfacing risky or noncompliant settings in the same dashboard you already use for Windows.

****High value controls in the Beta****

The agent runs a configuration scan and reports results to the console. On macOS, the initial Beta focuses on high value controls:

*   Disk encryption status with FileVault
*   Built in firewall status
*   Sharing and remote access settings, including remote login
*   Local administrator accounts and membership checks
*   Automatic update settings
*   Gatekeeper and app source controls
*   Selected security and privacy preferences that reduce attack surface

Findings are grouped by endpoint and by category. Each item includes clear remediation guidance and mapping to major frameworks such as CIS, NIST, ISO 27001, and HIPAA. The intent is to shorten the path from discovery to fix, not to add another queue of alerts.

****Why DAC matters****

Design firms, media studios, and production teams often build their workflows around Macs for good reason. The M-series processors are powerful, quiet, and efficient for video and design software. But security visibility hasn't always kept up.

Extending configuration scanning to macOS helps these teams find weak spots before they're exploited, things like unencrypted drives, disabled firewalls, leftover admin accounts, or permissive sharing settings. It closes the gaps that attackers look for and gives administrators the same level of insight they already rely on for Windows.

This Beta isn't just about macOS coverage. It's about giving IT and security teams real insight into where they stand. When DAC shows a Mac out of compliance, it doesn't stop there. It connects those findings to the ThreatLocker policies that can fix them. That visibility helps organizations align with their security frameworks, meet insurance requirements, and harden their environments without guesswork. Some users come to ThreatLocker specifically because of DAC and stay because it makes the other ThreatLocker controls make sense. Configuration visibility is the gateway to real control.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

A New Security Layer for macOS Takes Aim at Admin Errors Before Hackers Do

The Akira ransomware group claims to have stolen 23GB of data from Apache OpenOffice, including employee and financial records, though the breach remains unverified.

The **Akira ransomware group** claims to have breached Apache OpenOffice and stolen 23GB of data. Apache OpenOffice, for those unfamiliar, is a free and open-source office software suite developed by the Apache Software Foundation.

It includes tools similar to Microsoft Office, serving as a free alternative available on Windows, Linux, and macOS. The suite offers Writer for word processing, Calc for spreadsheets, Impress for presentations, Draw for graphics and diagrams, Base for databases, and Math for creating mathematical formulas.

As seen by _Hackread.com_, Akira claims the stolen data includes sensitive documents such as employee records containing physical addresses, phone numbers, driver’s licenses, social security cards, and credit card information.

Other allegedly stolen data includes financial records, internal confidential files, and what the group describes as “lots of reports about their problems with the application and so on.”

”We will upload 23 GB of corporate documents soon. Employee information (addresses, phones, DOB, driver’s licenses, social security cards, credit cards information and so on), financial information, internal confidential files, lots of reports about their problems with the application and so on,“ the group wrote on its dark web leak site.

Akira Ransomware group on its dark web leak site (Image credit: Hackread.com)

****Current Status****

At the time of writing, the Apache Software Foundation has not confirmed any breach of **Apache OpenOffice** systems or data. The listing remains unverified, and it is unclear whether Akira’s claim involves actual compromise or recycled information from previous incidents. Hackread.com has reached out to Apache for comment.

If confirmed, a breach of Apache OpenOffice could expose internal development data or contributor information, but users of the office suite are unlikely to be directly affected at this stage. The OpenOffice download infrastructure is separate from its development servers, so no public software distribution appears to be compromised.

****About Akira Ransomware Group****

Akira is a ransomware-as-a-service (RaaS) operation that **first emerged in 2023**. It has carried out hundreds of attacks across the United States, Europe and other regions, earning tens of millions of dollars in ransom payments.

Its **tactics** include double extortion, meaning stealing data and then encrypting systems, and it has variants for Windows, Linux/VMware ESXi. Bitdefender’s Threat Debrief report published in March 2025 found the Akira ransomware group **hacking webcams** of its victims.

The group communicates in **Russian in dark web forums**, and its ransomware checks for Russian language keyboard layouts to avoid attacking systems in Russian-speaking regions.

Nevertheless, OpenOffice users are advised to download Apache OpenOffice only from the official website and avoid third-party links shared on social media or forums. Until the Apache Software Foundation confirms details, there is no indication that end-user data or installations are affected.

Akira Ransomware Claims It Stole 23GB from Apache OpenOffice

Security programs trust AI data files, but they shouldn't: they can conceal malware more stealthily than most file types.

LotL Attack Hides Malware in Windows Native AI Stack

Thor gets into the Halloween spirit, sharing new CVE trends, a “treat” for European Windows 10 users, and a reminder that patching is your best defense against zombie vulnerabilities.

Thursday, October 30, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter. 

This one is pretty much an updated, Halloween-themed version of my newsletter from July, including data up through Q3. 

October 14th has passed, so free support for Windows 10 has come to an end, leaving you with no more fixes unless you’re willing to pony up. While users in many countries must now pay to get Windows 10 security updates (the "trick"), private users in the European Economic Area get free security updates (the "treat") until Oct. 14, 2026. This special reward, won after consumer rights groups pushed Microsoft to do better under EU law,  means no $30 fee, no reward points, and no cloud backup needed... just a Microsoft account.  

There's another trick: The treat is for consumers, not companies, and there are some technical prerequisites (described here). 

While Cybersecurity Awareness Month is coming to end, you still have a chance to reach out to friends and family and encourage them to update their software (one of the Core4 Messages this year). Get them to enable the Extended Security Updates (ESU), update to Windows 11, or migrate to any other OS that will receive future patches. 

Patching is critical. In Q3, we did not run short on vulnerabilities.

Figure 1. Total number of CVEs per year.

With roughly 35,000 CVEs by the end of September, we are still tracking a pace of about 130 CVEs per day. If the almost-linear trend continues, we will land at round about 47,000 for 2025. And for legal purposes, I am **not** challenging anyone to break the barrier of 50,000! 

This is not just about theoretical vulnerabilities. Known Exploited Vulnerabilities (KEVs) are also on the rise. In comparison, the number of KEVs stayed nearly the same between 2023 and 2024, with 187 and 186, respectively.

Figure 2. Total number of KEVs per year.

With 183 at the end of Q3, I think it is safe to say we are going to surpass the number this year. (Spoiler: At the time of writing, there were already 210.) KEVs that affect network-related gear are up by 3% to 28%, which is not a massive increase but for sure a relevant portion. Overall, vendor diversity also continues to expand, increasing from 61 in July to 79 so far this year.

Figure 3. CVE from year added to KEV in 2025.

While the oldest CVE added to the catalog was from 2017 last time, the third quarter introduced a few new negative records from 2007, 2013, 2014, and 2016. 

While this isn't a part of our Q3 data, CVE-2025-59287 caught my attention late Friday afternoon. I didn’t expect WSUS service to be publicly exposed to the internet, but it found its way into the KEV, too. 

In a pumpkin shell: Keep stalking those bugs and patching your spells, because vulnerabilities won’t patch themselves. Happy Halloween!

**The one big thing **

We're introducing the Tool Talk series, where Talos shares open-source tools alongside practical insights, tips, and enhancements to help cybersecurity professionals and researchers work smarter and more effectively.  

Our first post introduces dynamic binary instrumentation (DBI) and provides a step-by-step guide to building your own DBI tool using the open-source DynamoRIO framework on Windows 11. DBI lets you analyze and modify running programs — crucial for malware analysis, security audits, reverse engineering, and performance profiling — even when you don’t have the original source code. The post covers DynamoRIO’s strengths, compares it to other frameworks, and offers practical examples, including sample code from our GitHub repository. 

**Why do I care? **

If you’re interested in malware analysis, debugging, or getting a deeper look inside how binaries behave at runtime, this blog shows you how to do all that without needing source code access. DBI tools like DynamoRIO are essential for modern security research, especially for bypassing common malware defenses and anti-analysis tricks. 

**So now what? **

Ready to get hands-on? Follow the blog’s step-by-step instructions to build your own DBI client, test it out, and explore the example code provided. Whether you’re looking to automate malware analysis, profile software, or just tinker with low-level instrumentation, you’ll find everything you need to kickstart your own DBI projects.

**Top security headlines of the week **

**Microsoft issues emergency patch for critical Windows Server bug**   
This CVE is a remote code execution (RCE) flaw in WSUS, which is part of Windows Server and allows administrators to schedule, manage, and deploy patches, hotfixes, service packs, and other updates. (DarkReading) 

**Shutdown sparks 85% increase in U.S. government cyberattacks**   
Cyberattacks against federal employees have nearly doubled since the US government shut down on Oct. 1. Experts emphasize that the most serious cyber consequences of the shutdown won't come in the form of immediate breaches. (DarkReading) 

**Over 250 Magento stores hit overnight as hackers exploit new Adobe Commerce flaw**   
E-commerce security company Sansec has warned that threat actors have begun to exploit a recently disclosed security vulnerability in Adobe Commerce and Magento Open Source platforms. (The Hacker News) 

**Hacking Team successor linked to malware campaign, new “Dante” commercial spyware**   
Kaspersky found that victims were infected through personalized phishing links exploiting a zero-day Chrome vulnerability, with the campaign targeting a broad range of Russian organizations for espionage. (CyberScoop) 

**Can’t get enough Talos? **

*   **The TTP: How attackers use your own tools against you**   
    From a wave of Toolshell events, to a rise in post-exploitation phishing, and the misuse of legitimate tools like Velociraptor, the team unpacks Q3 trends. 
*   **Cybersecurity on a budget: Strategies for an economic downturn**   
    Budget cuts and layoffs make securing an organization more difficult. This blog offers practical strategies, creative defenses, and talent management advice to help your business stay secure when every dollar counts. 
*   **Principles of the CIA triad, threat intel, and threat hunting**   
    This recorded CCNA prep session with our own Pierre Cadieux teaches you how to effectively discuss risks and threats using the CIA triad, build a solid foundation in threat intelligence, and gain insight into how threat hunting operates in today’s security landscape.

**Upcoming events where you can find Talos **

*   Bsides Osijek (Nov. 5) Osijek, Croatia 
*   AVAR (Dec. 3 – 5) Kuala Lumpur, Malaysia

**Most prevalent malware files from Talos telemetry over the past week **

**SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**    
MD5: 2915b3f8b703eb744fc54c81f4a9c67f    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
Example Filename: e74d9994a37b2b4c693a76a580c3e8fe\_1\_Exe.exe    
Detection Name: Win.Worm.Coinminer::1201 

**SHA256: d933ec4aaf7cfe2f459d64ea4af346e69177e150df1cd23aad1904f5fd41f44a**    
MD5: 1f7e01a3355b52cbc92c908a61abf643    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=d933ec4aaf7cfe2f459d64ea4af346e69177e150df1cd23aad1904f5fd41f44a    
Example Filename: cleanup.bat    
Detection Name: W32.D933EC4AAF-90.SBX.TG 

**SHA256: c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe**    
MD5: bf9672ec85283fdf002d83662f0b08b7    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe   
Example Filename: f\_003b84.html   
Detection Name: W32.C0AD494457-95.SBX.TG 

**SHA256: 41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610**    
MD5: 85bbddc502f7b10871621fd460243fbc    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610    
Example Filename: 85bbddc502f7b10871621fd460243fbc.exe    
Detection Name: W32.41F14D86BC-100.SBX.TG 

**SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974**    
MD5: aac3165ece2959f39ff98334618d10d9    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974   
Example Filename: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974.exe    
Detection Name: W32.Injector:Gen.21ie.1201

Trick, treat, repeat

The X-59 successfully completed its inaugural flight—a step toward developing quieter supersonic jets that could one day fly customers more than twice as fast as commercial airliners.

About an hour after sunrise over the Mojave Desert of Southern California, NASA’s newest experimental supersonic jet took to the skies for the first time on Tuesday. The X-59 Quesst (Quiet SuperSonic Technology) is designed to decrease the noise of a sonic boom when an aircraft breaks the sound barrier, paving the way for future commercial jets to fly at supersonic speeds over land.

The jet, built by Lockheed Martin’s Skunk Works, took off from US Air Force Plant 42 in Palmdale, California. Flown by Nils Larson, NASA’s lead test pilot for the X-59, the inaugural flight validated the jet’s airworthiness and safety before landing about an hour after takeoff near NASA's Armstrong Flight Research Center in Edwards, California.

“X-59 is a symbol of American ingenuity,” acting NASA administrator Sean Duffy said in a statement. “It's part of our DNA—the desire to go farther, faster, and even quieter than anyone has ever gone before.”

Commercial planes are prohibited from flying at supersonic speeds over land in the US due to the disruption that breaking the sound barrier causes on the ground, releasing a loud sonic boom that can rattle windows and trigger alarms. The Concorde, which was the only successful commercial supersonic jet, was limited to flying at supersonic speeds only over the oceans.

When a plane approaches the speed of sound, pressure waves build up on the surface of the aircraft. These areas of high pressure coalesce into large shock waves when the plane goes supersonic, producing the double thunderclap of a sonic boom.

The X-59 will generate a lower “sonic thump” thanks to its unique design. It was given a long, slender nose that accounts for about a third of the total length and breaks up pressure waves that would otherwise merge on other parts of the airplane. The engine was mounted on top of the X-59’s fuselage, rather than underneath as on a fighter jet, to keep a smooth underside that limits shock waves and also to direct sound waves up into the sky rather than down toward the ground. NASA aims to provide key data to aircraft manufacturers so they can build less noisy supersonic planes.

**A Jet Like No Other**

The X-59 is a single-seat, single-engine jet. It is 99.7 feet long and 29.5 feet wide, making it almost twice as long as an F-16 fighter jet but with a slightly smaller wingspan. The X-59’s cockpit and ejection seat come from the T-38 jet trainer, its landing gear from an F-16, and its control stick from the F-117 stealth attack aircraft. Its engine, a modified General Electric F414 from the F/A-18 fighter jet, will allow the plane to cruise at Mach 1.4, about 925 mph, at an altitude of 55,000 feet. This is nearly twice as high and twice as fast as commercial airliners typically fly.

Perhaps the most striking change on the X-59 is that it does not have a glass cockpit window. Instead, the cockpit is fully enclosed to be as aerodynamic as possible, and the pilot watches a camera feed of the outside world on a 4K monitor known as the eXternal Visibility System.

“You can't see very clearly through glass when you look at it at a very shallow angle, and so you need to have a certain steepness of the view screen to have good optical qualities, and that would develop a strong shock wave that would really corrupt the low-boom characteristics of the airplane,” says Michael Buonanno, the air vehicle lead for the X-59 at Lockheed Martin.

The X-59 has repurposed components of other NASA aircrafts.

COURTESY OF: Lockheed Martin

For this first flight, the X-59 flew at a lower altitude and at about 240 mph, according to NASA. During future tests, the jet will gradually increase its speed and altitude until it goes supersonic, NASA said, which occurs at about 659 mph at 55,000 feet, or 761 mph at sea level. The speed of sound varies according to temperature and to a lesser degree pressure, causing it to decrease at higher altitudes.

“The primary objective on a first flight is really just to land,” James Less, a project pilot for the X-59 who will be conducting future flights, tells WIRED. Less flew an F-15 fighter jet in formation with the X-59 as a support aircraft during the flight, observing the new experimental jet for any issues.

“I'm looking for anything external to the airplane that the pilot can't see,” Less says. Generally the first thing he would check for is that the landing gear retracted successfully, but on this initial flight the X-59 intentionally left the landing gear down. “If the aircraft is leaking any kind of fluids, be it fuel or hydraulics, as a chase pilot, you can usually see that … Also I'm looking for other traffic, air traffic, just to point that out to him.”

Following the X-59’s successful touchdown at Armstrong, NASA and Lockheed Martin engineers will review the flight data to prepare for the jet’s future, faster flights.

**The Future of Supersonic Flight**

The eXternal Visibility System is just one of the modern technologies needed to build a low-boom airplane like the X-59. Decades of computational fluid dynamics research and wind tunnel testing were also required to arrive at the final design.

“We've really had the opportunity to spend a lot of time on the computational fluid dynamics application to these low-boom aircraft,” Lori Ozoroski, the commercial supersonic technology project manager at NASA, tells WIRED. “We've gone from this computational domain around an aircraft of something that's got a couple of million cells as you divide up the space around it to … things with a couple million cells, and now we're pushing a billion cells.”

Once the X-59 gets up to speed, the next step will be to make sure the quieter sonic thumps really are tolerable for people on the ground.

“We have been planning a test campaign where we will fly over various communities in the US, polling them with a survey and understanding how annoyed people are,” Ozoroski says. The flights will produce both loud and quiet sonic booms to see how people react, she explains.

“Our plan is to gather all this data, doing approximately one-month tests in a couple of locations around the country, and then providing all that data to the FAA and the international regulatory community to try to establish a sound limit, rather than the speed limit.”

If the program is a success, it could pave the way for new commercial supersonic aircraft that would cut travel times in half, something that companies such as Boom Supersonic are trying to achieve.

The jet has joined the ranks of innovative NASA X-planes , dating back almost 80 years to the Bell X-1 that Chuck Yeager piloted on the first faster-than-sound flight in 1947.

“I grew up reading Popular Science and Popular Mechanics and reading about the X-planes out at Edwards, and never imagined that I'd be in a position to do something like this,” says Less, who is eagerly awaiting his turn at the X-59’s stick. “This will be the highlight of my career.”

NASA’s Quiet Supersonic Jet Takes Flight

Silent Push wars of Russian hackers exploiting Adaptix, a pentesting tool built for Windows, Linux, and macOS, in ransomware campaigns.

Silent Push researchers have identified Russian-linked ransomware groups abusing Adaptix, a legitimate penetration testing tool now used to deliver malware targeting infrastructure worldwide.

The investigation began when Silent Push researchers were tracking a new malware loader called **CountLoader**. During that work, they noticed Adaptix being deployed to drop malicious payloads, leading the team to dig deeper. Once detection methods were updated, new activity started appearing across multiple campaigns, suggesting that cybercriminals had already adopted Adaptix as part of their toolkit.

It is worth noting that last month, researchers identified the CountLoader malware after it was spotted twice in campaigns posing as emails from the Ukrainian police. In the **first case**, Silent Push analysts observed attackers using a fake PDF notice to trick recipients into downloading and running CountLoader.

The **second incident**, reported by FortiGuard Labs, involved similar fake police notices that delivered additional malware, including Amatera Stealer, which targets data, and PureMiner, a cryptojacker that infects Windows systems.

****Linux, Windows, and macOS****

Further analysis by Silent Push points to a figure known online as “**RalfHacker**,” believed to be the developer behind Adaptix. According to the company’s report, this individual runs a Russian language Telegram channel used to promote and sell the tool, connecting it directly to Russian cybercrime networks.

Although AdaptixC2 was originally built as a post-exploitation and adversary emulation framework for penetration testers, its features make it powerful, which also makes it appealing to attackers. The server side is written in Golang, while the graphical client is built in C++ with a QT interface, allowing it to run smoothly on Linux, Windows, and macOS.

In legitimate security testing, this cross-platform support is quite valuable, but in the wrong hands, it means the same tool can be used to target almost any device. Silent Push’s findings suggest that this flexibility has made Adaptix an easy choice for threat actors looking to deliver or control malware across different systems.

AdaptixC2 Framework interface

While Adaptix itself remains an open source resource often used for legitimate penetration testing, its misuse by threat actors highlights how freely available tools can be repurposed for malicious gain.

Silent Push’s research shows how quickly cybercriminals can turn legitimate security tools for malicious purposes. After **Cobalt Strike**, Adaptix has become the new favourite among hackers for spreading malware and running ransomware operations.

The research also points out the importance of monitoring open source utilities. Silent Push’s full analysis, including indicators of compromise and technical insights, is available on their **official blog**.

Tag

#windows