Cyberattacks are getting smarter and harder to stop. This week, hackers used sneaky tools, tricked trusted systems, and quickly took advantage of new security problems—some just hours after being found. No system was fully safe.
From spying and fake job scams to strong ransomware and tricky phishing, the attacks came from all sides. Even encrypted backups and secure areas were put to the test.
Keep reading for the full list of the biggest cyber news from this week—clearly explained and easy to follow.
⚡ Threat of the Week
Motex Lanscope Flaw Exploited to Drop Gokcpdoor — A suspected Chinese cyber espionage actor known as Tick has been attributed to a targeted campaign that has leveraged a recently disclosed critical security flaw in Motex Lanscope Endpoint Manager (CVE-2025-61932, CVSS score: 9.3) to infiltrate target networks and deploy a backdoor called Gokcpdoor. Sophos, which disclosed details of the activity, said it was “limited to sectors aligned with their intelligence objectives.”
🔔 Top News
- TEE.Fail Side-Channel Attack Extracts Secrets from Intel and AMD DDR5 Secure Enclaves — A low-cost physical side-channel attack has been found to break the confidentiality and security guarantees offered by modern Trusted Execution Environments (TEEs) from Intel and AMD, enabling full extraction of cryptographic keys and subversion of secure attestation mechanisms. The attack, codenamed TEE.fail, exploits deterministic encryption and DDR5 bus interposition to successfully bypass protections in Intel’s SGX and TDX, as well as AMD’s SEV-SNP, by eavesdropping on memory transactions using a homemade logic analyzer setup built for under $1,000. That said, the attack requires physical access to the target as well as root-level privileges for kernel driver modification.
- Russian Hackers Target Ukraine With Stealth Tactics — Suspected Russian hackers breached Ukrainian networks this summer using ordinary administrative tools to steal data and remain undetected, researchers have found. According to a report by Broadcom-owned Symantec and Carbon Black, the attackers targeted a large Ukrainian business services company and a local government agency in two separate incidents earlier this year. What makes these attacks notable is that the hackers deployed little custom malware and instead relied heavily on living-off-the-land tactics, i.e., using legitimate software already present in the victims’ networks, to carry out their malicious actions. The targeted organizations were not named, and it remains unclear what information, if any, was stolen.
- N. Korea Targets Web3 Sector with GhostCall and GhostHire — The North Korea-affiliated threat actor BlueNoroff, also known under aliases APT38 and TA444, has resurfaced with two new campaigns dubbed GhostCall and GhostHire, targeting executives, Web3 developers, and blockchain professionals. The campaigns rely on social engineering via platforms like Telegram and LinkedIn to send fake meeting invites and initiate multi-stage malware chains to compromise Windows, Linux, and macOS hosts. GhostCall marks a major leap in operational stealth compared to earlier BlueNoroff operations, with the attackers relying on multiple layers of staging to sidestep detection. The GhostHire operation takes a different approach, targeting Web3 developers through fake job offers and recruitment tests. BlueNoroff is a financially motivated sub-cluster of the Lazarus Group, North Korea’s state-sponsored cyber unit linked to the Reconnaissance General Bureau (RGB), and is believed to operate the long-running SnatchCrypto campaign. GhostCall and GhostHire are assessed to be the latest extensions of this campaign. The threat actor’s strategy is said to have evolved beyond cryptocurrency and browser credential theft to comprehensive data acquisition across a range of assets. “This harvested data is exploited not only against the initial target but also to facilitate subsequent attacks, enabling the actor to execute supply chain attacks and leverage established trust relationships to impact a broader range of users,” Kaspersky said.
- New Android Banking Malware Herodotus Mimics Human Behavior — Researchers have discovered a new Android banking malware called Herodotus that evades detection by mimicking human behavior when remotely controlling infected devices. The malware is advertised by a little-known hacker who goes by the name K1R0. Herodotus works like many modern Android banking trojans. Operators distribute it through SMS messages that trick users into downloading a malicious app. Once installed, the malware waits for a targeted application to be opened and then overlays a fake screen that mimics the real banking or payment interface to steal credentials. It also intercepts incoming SMS messages to capture one-time passcodes and exploits Android’s accessibility features to read what’s displayed on the device screen. What makes Herodotus unusual, ThreatFabric said, is that it tries to “humanize” the actions attackers undertake during remote control. Instead of pasting stolen details into form fields all at once — a behavior that can easily be flagged as automated — the malware types each character separately with random pauses of about 0.3 to 3 seconds between keystrokes, imitating how a real person would type.
- Qilin Ransomware Uses Linux Encryptors in Windows Attacks — The Qilin ransomware actors have been observed leveraging the Windows Subsystem for Linux (WSL) to launch Linux encryptors in Windows in an attempt to evade detection. Qilin, which emerged in mid-2022, has attacked more than 700 victims across 62 countries this year. The sustained rate of victims claimed on its data leak site underscores Qilin’s position as one of the most active and pernicious ransomware operations worldwide. In new attacks spotted by Trend Micro, Qilin affiliates have been seen using WinSCP to transfer the Linux ELF encryptor to compromised devices, which is then launched through the Splashtop remote management software. This is accomplished by enabling or installing WSL on the host, allowing them to natively run Linux binaries on Windows without the need for a virtual machine.
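As an added defender-side check (not code from the article or from Trend Micro's report), the PowerShell audit below inventories the footprint the WSL technique leaves on a Windows host: whether the optional feature is enabled, which distributions are registered, and which parent process launched WSL. It assumes an elevated PowerShell 5.1+ session and, for the last step, that process-creation auditing (event ID 4688) is enabled.

```powershell
# Added defender-side check, not code from the article or Trend Micro.
# Assumes an elevated PowerShell 5.1+ session; step 3 also assumes
# "Audit Process Creation" is enabled so that event ID 4688 exists.

# 1. Is the WSL optional feature enabled? On a host with no developer
#    use case, "Enabled" is itself a finding that deserves an owner.
$features = 'Microsoft-Windows-Subsystem-Linux', 'VirtualMachinePlatform'
foreach ($f in $features) {
    $state = (Get-WindowsOptionalFeature -Online -FeatureName $f).State
    '{0,-40} {1}' -f $f, $state
}

# 2. Distributions registered for the current user (WSL stores them under
#    HKCU, so run this in the context of each interactive user of interest).
$lxss = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Lxss'
if (Test-Path $lxss) {
    Get-ChildItem $lxss | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        '{0,-40} {1}' -f $p.DistributionName, $p.BasePath
    }
} else {
    'No WSL distributions registered for this user'
}

# 3. Who launched WSL in the last 7 days, and from what parent? A parent
#    that is a remote-support or file-transfer tool rather than a terminal
#    or IDE matches the pattern described in the Qilin attacks.
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $data = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = $data['SubjectUserName']
            Process = $data['NewProcessName']
            Parent  = $data['ParentProcessName']
        }
    } |
    Where-Object { $_.Process -match '\\(wsl|wslhost|bash)\.exe$' } |
    Sort-Object Time |
    Format-Table -AutoSize
```

On fleets where WSL has no business purpose, the first step alone is enough to turn this into a configuration-drift alert rather than a one-off hunt.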
🔥 Trending CVEs
Hackers move fast. They often exploit new vulnerabilities within hours, turning a single missed patch into a major breach. One unpatched CVE can be all it takes for a full compromise. Below are this week’s most critical vulnerabilities gaining attention across the industry.
It is crucial to address the following critical vulnerabilities before attackers take advantage:
- CVE-2025-55315 (QNAP NetBak PC Agent)
- CVE-2025-10680 (OpenVPN)
- CVE-2025-55752, CVE-2025-55754 (Apache Tomcat)
- CVE-2025-52665 (Ubiquiti UniFi Access)
- CVE-2025-12044, CVE-2025-11621 (HashiCorp Vault)
- CVE-2025-43995 (Dell Storage Manager)
- CVE-2025-5842 (Veeder-Root TLS4B Automatic Tank Gauge System)
- CVE-2025-24893 (XWiki)
- CVE-2025-62725 (Docker Compose)
- CVE-2025-12080 (Google Messages for Wear OS)
- CVE-2025-12450 (LiteSpeed Cache plugin)
- CVE-2025-11705 (Anti-Malware Security and Brute-Force Firewall plugin)
- CVE-2025-55680 (Microsoft Cloud Files Minifilter driver)
- CVE-2025-6325, CVE-2025-6327 (King Addons for Elementor plugin)
- CVE-2025-49401 (Quiz and Survey Master plugin)
- CVE-2025-54603 (Claroty Secure Remote Access)
- CVE-2025-10932 (Progress MOVEit Transfer)
It is important to prioritize fixing these vulnerabilities to close the gap and prevent potential attacks from threat actors. Organizations should ensure all services are properly inventoried, documented, and protected to mitigate risks.
The company stated that small- and medium-sized businesses (companies with 1–249 employees) accounted for 70.5% of reported breaches, while larger companies (250–999 employees) accounted for 13.5% and enterprise organizations with over 1,000 employees accounted for 15.9%. SMBs are often targeted by hackers due to their lack of robust security measures compared to larger enterprises, making them easier to breach for a potentially smaller but still profitable payday.
In other news, Russian authorities have arrested three individuals in connection with the creation and sale of the Meduza infostealer. The malware was used in attacks against a government network in the Astrakhan region and multiple Russian organizations last year. The arrests highlight a trend of selective enforcement by Russian authorities against cybercriminals.
A Ukrainian national believed to be part of the Conti ransomware operation has been extradited to the U.S. for his involvement in deploying Conti ransomware to extort victims and steal their data. Conti has been responsible for attacks on over 1,000 victims worldwide, resulting in millions of dollars in ransom payments.
The FCC plans to eliminate new cybersecurity requirements for telecommunication providers, citing the substantial steps taken by providers to strengthen their cybersecurity defenses. Meanwhile, Denmark has withdrawn its Chat Control legislation following opposition from E.U. bloc members over concerns about privacy and security implications.
Polish authorities have arrested 11 suspects for running an investment scam that defrauded Polish citizens of over $20 million. Additionally, cybersecurity researchers have identified four new remote access trojans (RATs) that use the Discord platform for command-and-control operations.
Security weaknesses in Tata Motors’ sites were uncovered, including exposed API keys and a backdoor account that granted unauthorized access to sensitive information. The issues were addressed following responsible disclosure by a security researcher.
A cryptocurrency mining campaign known as Tangerine Turkey has been using batch files and Visual Basic Scripts to deploy XMRig miners across victim environments, showcasing the use of sophisticated techniques to evade detection and gain persistence. Since its emergence in late 2024, the Tangerine Turkey malware campaign has expanded in scope, targeting organizations across multiple industries and geographies. The campaign gains initial access through an infected USB device, using living-off-the-land binaries like wscript.exe and printui.exe, as well as registry modifications and decoy directories to evade traditional defenses and maintain persistence.
A new ideologically-motivated threat actor named Hezi Rash has been linked to approximately 350 distributed denial-of-service (DDoS) attacks between August and October 2025. The hacktivist group, founded in 2023, targets countries perceived as hostile to Kurdish or Muslim communities. Hezi Rash is believed to be using tools and services from established threat actors to carry out their attacks.
A Brazilian threat group has been distributing the Lampion stealer through phishing campaigns using bank transfer receipt lures containing ZIP files. The banking trojan has been active since at least 2019, with the threat group making changes to their tactics over time to improve their effectiveness.
MITRE has released an updated version of the ATT&CK framework (v18), which includes new objects for Detection Strategies and Analytics to improve threat detection capabilities. The framework now covers state-sponsored abuse of Signal/WhatsApp-linked devices and enhanced account collection techniques in the Mobile sector, as well as expanded Asset objects in the ICS sector.
In addition to these developments, cybersecurity webinars and tools are available to help organizations improve their security posture and defend against evolving threats. These resources provide insights into dynamic attack surface reduction, cloud infrastructure security, and tools for visualizing attack graphs and testing Android malware in a safe environment. It is important to use these tools responsibly and in accordance with ethical and legal guidelines.
Locking down your online security is crucial in today’s digital age. Cyber threats are becoming increasingly sophisticated, often hiding in plain sight within seemingly harmless apps, websites, or even job listings. It’s no longer enough to rely on antivirus software alone – vigilance, quick action, and forward-thinking are key in protecting yourself from cyber attacks. Every click, software update, and login carries potential risks that must be carefully considered.
Cybersecurity is not a one-time solution but rather an ongoing practice that should be integrated into your daily routine. By staying informed about the latest threats and best practices, you can better safeguard your personal and sensitive information from hackers and cybercriminals. Remember, prevention is always better than dealing with the aftermath of a security breach.
In conclusion, the lesson to be learned is that cybersecurity is a continuous process that requires constant attention and diligence. By adopting good security habits and staying alert to potential threats, you can minimize the risk of falling victim to cyber attacks. Stay safe online by locking down your digital presence and staying one step ahead of cyber threats.