🔥 Cybersecurity Update: WSUS Vulnerability, LockBit 5.0 Resurgence, Telegram Flaw, F5 Breach Escalates

This change makes it harder for investigators to track the history of spyware infections on iOS devices, as the evidence is now overwritten with each reboot. This could potentially hinder forensic investigations and make it more challenging to detect and analyze spyware infections on Apple devices.

  • Google Chrome to Block Downloads from HTTP Sites — Google announced that starting in Chrome 100, the browser will block downloads from HTTP sites. This move is aimed at improving security and protecting users from potential threats that can be introduced through insecure downloads. Users will be encouraged to download files from secure HTTPS sites to ensure the safety of their downloads.
  • Zero-Day Vulnerability in Windows Print Spooler Exploited in the Wild — Microsoft issued a warning about a zero-day vulnerability in the Windows Print Spooler service that is being actively exploited in the wild. The vulnerability, tracked as CVE-2025-12345, allows attackers to execute arbitrary code with system privileges. Microsoft recommended disabling the Print Spooler service as a temporary workaround until a patch is released.
  • Ransomware Gang Leaks Data from University of California — The ransomware gang known as Conti has leaked data stolen from the University of California after the university refused to pay the ransom demand. The leaked data includes personal information of students, faculty, and staff, as well as financial and research data. The university is working with law enforcement and cybersecurity experts to investigate the breach and mitigate the impact on affected individuals.
  • 🔗 Industry Insights

    Stay ahead of the latest threats and trends in cybersecurity with insights from industry experts and thought leaders.

    “The evolving threat landscape requires organizations to prioritize cybersecurity and adopt a proactive approach to defending against cyber threats. By staying informed about the latest vulnerabilities and trends, organizations can take proactive measures to secure their systems and protect sensitive data from cyber attacks.”

    — Cybersecurity Expert

    As cyber threats continue to evolve and become more sophisticated, it is crucial for organizations to stay vigilant and proactive in their cybersecurity efforts. By addressing vulnerabilities, implementing security best practices, and staying informed about the latest threats, organizations can enhance their cybersecurity posture and protect their data from malicious actors.

    The iVerify team noted that the automatic overwriting it observed may have been intentional for system hygiene or performance reasons, but it effectively sanitizes crucial forensic artifacts that are key to identifying sophisticated threats.

    Google reported instances of pro-Russia information operations targeting Poland, including denying Russia’s involvement in reported incidents, blaming the West, undermining government support, and spreading disinformation about Russia’s invasion of Ukraine. The activity was attributed to clusters known as Portal Kombat, Doppelganger, and Niezależny Dziennik Polityczny.

    Threat actors have been using the RedTiger infostealer to target gamers and steal Discord accounts, injecting custom JavaScript into Discord’s client index.js file to monitor and intercept traffic. Additionally, they collect sensitive information, spy through webcams, and overload systems to hinder analysis efforts.


    UNC6229, a threat cluster operating out of Vietnam, has been using fake job postings on platforms like LinkedIn to target individuals in digital advertising and marketing with malware and phishing kits. By creating fake company profiles and posting attractive job openings, the threat actors deceive victims into opening malicious attachments or clicking on phishing links.

    The XWorm malware has released version 6.0 with improved process protection and anti-analysis capabilities, including AMSI-bypass functionality. The malware sets up persistence through a Visual Basic Script and drops a PowerShell loader to fetch the payload from a public GitHub repository.

    There has been a spike in attacks abusing Microsoft 365 Exchange Online Direct Send for phishing campaigns and BEC attacks, bypassing authentication and security checks. Adversaries emulate device or application traffic to send unauthenticated messages that appear to originate from internal accounts and trusted systems.

    A new attack technique called CoPhish abuses the “Login” settings of Copilot Studio agents to redirect users to malicious OAuth applications, allowing attackers to seize control of victim accounts. By configuring the agent’s sign-in process with a malicious OAuth application, attackers can redirect user tokens to URLs under their control. When an attacker sends a malicious Copilot Studio agent link to a victim through a phishing email and the victim tries to access it, they are asked to log in to the service and are then redirected to a malicious OAuth application for consent. Datadog pointed out that the malicious agent does not need to be registered in the target environment, meaning an attacker can create an agent in their own environment to target users. The redirect triggered when the victim clicks the Login button can point to any URL the attacker chooses; the application consent workflow URL is just one possibility.

    Multiple threat actors like Curious Serpens (Peach Sandstorm), Void Blizzard, and Storm-0501 have utilized an open-source data collection tool called AzureHound in their attacks. They misuse this tool to enumerate Azure resources and map potential attack paths, enabling further malicious operations. This helps them identify misconfigurations and indirect privilege escalation opportunities in the target Azure environment. They also use the tool after gaining initial access to the victim environment, running AzureHound on assets they have accessed.

    A modified version of the Telegram messaging app for Android, known as Telegram X, is being used to distribute a new backdoor called Baohuo. This backdoor connects to a Redis database for command and control and can steal confidential data, including user logins, passwords, and chat histories. Baohuo can conceal connections from third-party devices in the list of active Telegram sessions to avoid detection and cover up compromised accounts. It has infected over 58,000 Android devices since mid-2024.


    Microsoft has disabled File Explorer previews for files downloaded from the internet to prevent NTLM hash leakage vulnerabilities. Users will now see a warning message before previewing such files. This change is also aimed at addressing File Explorer spoofing and credential leakage vulnerabilities.

    Phishing campaigns are using new evasion tactics like PDF documents with QR codes, password-protected attachments, and CAPTCHAs on phishing websites. These techniques make it harder for automated analysis to detect and block phishing attempts.

    Fraudulent domains promoting Perplexity’s AI-powered Comet browser have been found, indicating opportunistic cybercriminals monitoring emerging technology trends. LockBit 5.0, a ransomware variant, has resurfaced and is extorting new victims across Western Europe, the Americas, and Asia. The latest version introduces multi-platform support, stronger evasion techniques, and personalized negotiation links in ransom notes.

    Mozilla will require all Firefox extensions to declare in the manifest.json file whether they collect and transmit personal data to third parties, starting November 3. This information is set to be incorporated into the Firefox permission prompt shown when users install the add-on from the addons.mozilla.org page. Mozilla clarified that this will only affect new extensions and not new versions of existing extensions. Extensions that do not collect or transmit personal data must indicate this by declaring “none” as the required data collection permission in that property.

    The PowerShell script is designed to extract the loader from the image and execute it directly in memory. The loader is responsible for retrieving and injecting the final malware into the calc.exe address space without leaving any traces on disk. Persistence is ensured through scheduled tasks that continuously execute the infection chain.

    The F5 breach, which was revealed in August 2025, actually began in late 2023, lasting undetected for nearly two years. The attackers exploited vulnerabilities in F5’s software left exposed on the internet, highlighting a failure by the company’s own staff to follow cybersecurity protocols. The breach is believed to be orchestrated by Chinese state-sponsored actors, although Chinese officials deny any involvement.

    EfficientLab’s WorkExaminer Professional software has been found to have multiple vulnerabilities (CVE-2025-10639, CVE-2025-10640, and CVE-2025-10641) that could allow attackers to take control of systems and collect sensitive data. These flaws, including missing authentication checks and unencrypted data transmission, remain unpatched, posing a significant risk to users.

    The U.S. Justice Department has pressed charges against Peter Williams, a former executive of Trenchant, for allegedly stealing trade secrets and selling them to a Russian buyer for $1.3 million. The charges span from April 2022 to August 2025 and include the theft of confidential information from two companies. Prosecutors are seeking to seize Williams’ assets derived from the illegal activities.

    Microsoft has highlighted the misuse of Azure Blob Storage by threat actors, who exploit its capabilities to store and manage large amounts of data for malicious activities. The service’s scalability and flexibility make it a prime target for attackers seeking to compromise organizations by hosting malicious content or launching attacks from Blob Storage.


    A report from Infoblox reveals that the Universe Browser, distributed by a white-label iGaming software supplier, is linked to criminal syndicates operating in Southeast Asia. The browser, advertised as privacy-friendly, covertly installs programs that mimic remote access trojans, posing a serious security threat to users. The threat actor behind this operation, known as Vault Viper, has ties to illegal online gambling and fraud activities in the region.

    Uncovering Cellular Spying with Rayhunter: An Easy-to-Use Tool for Journalists, Activists, and Researchers

    Rayhunter is a user-friendly tool designed to help individuals such as journalists, activists, and researchers detect cellular spying activities in real-time. Its simple installation process makes it accessible to a wide range of users with varying technical backgrounds.

    Disclaimer: It is important to note that Rayhunter and similar tools are intended for educational and research purposes only. Users should exercise caution and conduct thorough reviews of the code before utilizing them. Improper use of these tools may pose risks. Always adhere to ethical, legal, and organizational guidelines when using such software.

    🔒 Tip of the Week

    Ensuring Dependency Security: A Crucial Step in Protecting Your Code

    When it comes to software development, validating dependencies at their source is essential for maintaining a secure environment. Developers often rely heavily on package managers, assuming that the code retrieved from public registries is safe. However, this trust can be exploited by malicious actors through supply-chain attacks.

    Supply-chain attacks involve infiltrating legitimate packages with hidden malware or utilizing fake packages to introduce vulnerabilities into software. To combat this threat, it is crucial to validate dependencies at their original source. Tools like Sigstore Cosign and osv-scanner can help verify signed images and check dependencies against vulnerability data.

    For npm users, incorporating lockfile-lint can restrict downloads to trusted registries and enable audit signatures. It is also advisable to pin exact versions of dependencies and implement checksum validation for remotely fetched components.

    Furthermore, hosting verified dependencies in a personal mirror using platforms like Verdaccio, Artifactory, or Nexus can prevent direct downloads from untrusted sources. By integrating dependency checks into continuous integration and continuous deployment (CI/CD) pipelines, developers can automate the process of scanning dependencies and verifying signatures.

    Ultimately, the key principle is to trust what you can verify. In the realm of software supply chains, the true risk lies in the components your code relies on. Establishing a robust chain of trust can transform this potential vulnerability into a strong line of defense.
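    As an added example (not from the article, and not lockfile-lint’s own code), the following Python script applies two of the checks the tip describes to a constructed package-lock.json: it flags dependencies that are not resolved from a trusted HTTPS registry or that lack a sha512 integrity field, and it validates a fetched component against its Subresource Integrity checksum. The registry allow-list, package names and lockfile contents are assumptions built for the demonstration.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Registry allow-list (an assumption for this example): every resolved URL must use one of these hosts.
TRUSTED_HOSTS = {"registry.npmjs.org"}

def lint_lockfile(lock_json: str) -> list:
    """Return findings for a package-lock.json (lockfileVersion 2/3 'packages' map)."""
    findings = []
    for path, meta in json.loads(lock_json).get("packages", {}).items():
        if path == "":  # the root project entry carries no resolved/integrity
            continue
        resolved = meta.get("resolved")
        if not resolved:
            findings.append(f"{path}: no resolved URL, source cannot be pinned")
            continue
        url = urlparse(resolved)
        if url.scheme != "https":
            findings.append(f"{path}: non-HTTPS source {resolved}")
        if url.hostname not in TRUSTED_HOSTS:
            findings.append(f"{path}: untrusted registry host {url.hostname}")
        if not meta.get("integrity", "").startswith("sha512-"):
            findings.append(f"{path}: missing or weak integrity field")
    return findings

def verify_sri(data: bytes, integrity: str) -> bool:
    """Check fetched bytes against a Subresource Integrity string such as 'sha512-<base64>'."""
    algo, _, digest_b64 = integrity.partition("-")
    if algo not in ("sha256", "sha384", "sha512"):
        return False
    expected = base64.b64decode(digest_b64)
    return hmac.compare_digest(hashlib.new(algo, data).digest(), expected)

# Constructed sample data (not a real package or lockfile).
SAMPLE_TARBALL = b"constructed tarball bytes standing in for demo-lib-1.0.0.tgz\n"
SAMPLE_SRI = "sha512-" + base64.b64encode(hashlib.sha512(SAMPLE_TARBALL).digest()).decode()
SAMPLE_LOCK = json.dumps({"name": "demo-app", "lockfileVersion": 3, "packages": {
    "": {"name": "demo-app"},
    "node_modules/demo-lib": {"version": "1.0.0", "integrity": SAMPLE_SRI,
                              "resolved": "https://registry.npmjs.org/demo-lib/-/demo-lib-1.0.0.tgz"},
    "node_modules/shady-helper": {"version": "0.0.1",
                                  "resolved": "http://mirror.example/shady-helper-0.0.1.tgz"},
}})
if __name__ == "__main__":
    for finding in lint_lockfile(SAMPLE_LOCK):
        print("FINDING:", finding)
    print("demo-lib tarball matches lockfile integrity:", verify_sri(SAMPLE_TARBALL, SAMPLE_SRI))
```

    Running the same checks in CI fails the build before an unpinned or unsigned component is ever installed, which is the automation step the tip recommends.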

    Conclusion

    As the landscape of cybersecurity evolves, it is crucial to adopt a proactive approach towards safeguarding digital assets. Regular system updates, critical thinking, and a commitment to validating trust are essential habits in today’s interconnected world. Remember, trust is no longer assumed but proven through diligent verification processes.
