Executive Summary
Highlights of Cyber Threat Intelligence Digest
Vulnerabilities
Adobe Patches Actively Exploited “SessionReaper” Vulnerability (CVE-2025-54236) as Over 250 Exploitation Attempts Are Observed in the Wild - On 22 October 2025, Adobe confirmed that unidentified threat actors were actively exploiting a critical-severity vulnerability, CVE-2025-54236, also known as “SessionReaper,” affecting Adobe Commerce, Adobe Commerce B2B, and Magento Open Source. This issue, which was first disclosed and patched on 9 September 2025, involves improper input validation within the Commerce REST API. At the time of the initial patch release, there were no reports of exploitation in the wild.
However, on the same day as Adobe’s confirmation, cybersecurity company Sansec reported over 250 exploitation attempts targeting the vulnerability. Successful exploitation could allow attackers to hijack customer sessions and gain unauthorised access to sensitive account information. The 250 exploitation attempts mostly targeted stores still running unpatched versions of the platform, and Sansec estimates that approximately 62% of Magento storefronts remained unpatched six weeks after the fix became available, meaning a large portion of the ecosystem remains exposed.
Kinsing Threat Actor Exploits Apache ActiveMQ Vulnerability (CVE-2023-46604) for Malware Deployment - On 28 October 2025, the AhnLab Security Intelligence Center (ASEC) reported that the Kinsing threat actor exploited CVE-2023-46604, a remote code execution vulnerability in Apache ActiveMQ, to deploy multiple malware families on unpatched Linux and Windows systems. ASEC identified Sharpire, CobaltStrike, Meterpreter, and XMRig among the payloads, which were used to maintain persistence, enable remote control, and conduct unauthorised cryptocurrency mining.
Kinsing leveraged the vulnerability to deliver crafted serialised payloads via the Java OpenWire protocol, causing affected servers to retrieve and execute a malicious XML configuration file. This file ran the msiexec command to install MSI-based malware and an additional downloader (mm13[.]exe), which fetched CobaltStrike or Meterpreter directly in memory. The same infrastructure also hosted a Bash script that modified XMRig configurations on Linux systems to insert Kinsing’s wallet addresses. ASEC additionally discovered the .NET-based Sharpire backdoor, which supports PowerShell Empire and provides capabilities for command execution, reconnaissance, and system control.
Atlassian Patches High-Severity Vulnerability CVE-2025-22167 in Jira Software and Service Management - On 23 October 2025, Atlassian released a patch for a high-severity vulnerability tracked as CVE-2025-22167 affecting Jira Software Data Center and Server versions 9.12.0 through 11.0.0, and Jira Service Management Data Center and Server versions 5.12.0 through 10.3.0. At the time of writing, there are no reports of the vulnerability being exploited in the wild.
CVE-2025-22167 is a path traversal flaw caused by insufficient validation of file paths within Jira’s web interface. If successfully exploited, an authenticated attacker with network access could write arbitrary data to filesystem paths accessible by the Jira Java Virtual Machine (JVM) process, enabling unauthorised file modifications on affected systems.
Potential Threats
Italian Spyware Vendor Memento Labs Linked to Operation ForumTroll Exploiting Google Chrome Vulnerability - On 27 October 2025, Kaspersky published a follow-up report on Operation ForumTroll, a March 2025 espionage campaign in which an unidentified state-sponsored actor exploited a sandbox escape vulnerability (CVE-2025-2783) in Google Chrome. The campaign targeted media, research, financial, and government organizations in Russia and Belarus through phishing emails disguised as invitations to the Primakov Readings forum. These emails delivered the LeetAgent loader and Dante spyware, both traced to Italian spyware vendor Memento Labs (formerly Hacking Team) and previously linked to surveillance operations dating back to 2022.
The campaign’s infection chain began with phishing links that redirected victims to actor-controlled websites leveraging the WebGPU API to verify genuine browser sessions before initiating an elliptic-curve Diffie–Hellman key exchange with the command-and-control (C2) server. This enabled the decryption and execution of a remote code execution exploit chained with CVE-2025-2783 to escape Chrome’s sandbox. The attackers achieved persistence through Component Object Model (COM) hijacking, loading a malicious DLL that decrypted and launched LeetAgent, which maintained encrypted communications with C2 servers hosted on Fastly’s CDN. LeetAgent supported keylogging, file exfiltration, and remote command execution, and in some cases deployed Dante spyware, a modular platform for data theft and system control. Kaspersky assessed that code and infrastructure overlaps indicate both tools were operated by the same threat actor.
PhantomRaven Malware Found in 126 npm Packages Stealing GitHub Tokens From Devs - On 30 October 2025, cybersecurity firm Koi Security disclosed a supply‐chain attack campaign called PhantomRaven in which at least 126 malicious packages published to the npm registry were used to steal GitHub tokens, CI/CD secrets, and other developer credentials. The campaign began in August 2025 and, as of the report, the malicious packages have collectively surpassed 86,000 downloads.
The attack leveraged a technique called remote dynamic dependencies, in which an npm package contained a pre-install hook that pointed to a remote HTTP URL (in this case, packages.storeartifact[.]com) to pull in malicious code, thereby evading static scanners and dependency-analysis tools. Once the malicious code ran, it harvested developer environment data (including email addresses, environments, and public IPs) and exfiltrated these to a remote server. The campaign also used “slopsquatting” package names, plausible-looking names created via language model hallucination, to increase trust and evade detection.
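A package.json audit for the remote-dependency pattern described above, written as an added example (not Koi Security's tooling or anything from the report): it flags dependency specs that resolve to a URL or git remote instead of a registry version, and lifecycle scripts that run at install time. The package name, host and path in the sample manifest are constructed placeholders.

```python
import json
from urllib.parse import urlparse

# Lifecycle scripts that npm executes automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

def is_remote_dependency(spec: str) -> bool:
    """True when a version spec points outside the registry (HTTP tarball,
    git remote, GitHub-style shorthand) instead of a semver range like ^1.2.0."""
    if spec.startswith(("git+", "git://", "github:", "gitlab:", "bitbucket:")):
        return True
    parsed = urlparse(spec)
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)

def audit_package_json(text: str) -> list[str]:
    """Flag remote dynamic dependencies and install-time hooks in a package.json.
    Returns human-readable findings; an empty list means nothing was flagged."""
    pkg = json.loads(text)
    findings = []
    for field in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in pkg.get(field, {}).items():
            if is_remote_dependency(spec):
                findings.append(f"{field}.{name}: fetched from remote {spec}")
    for hook, command in pkg.get("scripts", {}).items():
        if hook in INSTALL_HOOKS:
            findings.append(f"scripts.{hook}: runs on install: {command}")
    return findings

# Constructed package.json modelled on the pattern described above; the package
# name, host and path are placeholders, not indicators from the report.
SAMPLE_PACKAGE_JSON = """{
  "name": "example-helper",
  "version": "1.0.0",
  "scripts": { "preinstall": "node setup.js" },
  "dependencies": {
    "lodash": "^4.17.21",
    "helper-core": "http://packages.example.invalid/helper-core-1.0.0.tgz"
  }
}"""

if __name__ == "__main__":
    for finding in audit_package_json(SAMPLE_PACKAGE_JSON):
        print(finding)
```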
Researchers Identify Azure Vulnerability Enabling Fake Microsoft App Registrations - Varonis Threat Labs disclosed a vulnerability in Microsoft Azure’s application registration process that could have allowed threat actors to register fraudulent applications mimicking legitimate Microsoft tools. The issue arose from Azure’s validation system, which failed to adequately restrict certain naming patterns, enabling malicious applications to appear authentic during user consent prompts. Microsoft addressed two related flaws through security updates released in April and October 2025. At the time of writing, the vulnerability has not been assigned a Common Vulnerabilities and Exposures (CVE) identifier, and there have been no reports of exploitation in the wild.
Varonis researchers demonstrated that inserting invisible Unicode characters, such as the Combining Grapheme Joiner (0x34F), a non-printing character that subtly alters text rendering, between letters in restricted application names allowed the creation of a counterfeit “Azure Portal” app. In total, the team identified 262 Unicode characters capable of bypassing these validation checks. Their analysis showed how threat actors could leverage such deceptive applications to trick users into granting illicit consent or engage in device code phishing attacks, both of which could enable unauthorised access to tokens and connected cloud resources without directly exposing user credentials.
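The invisible-character check, as an added example that is not Varonis's or Microsoft's code: it strips non-printing code points (format and combining marks, including the Combining Grapheme Joiner U+034F named above) from a proposed display name before comparing it with a protected name, so the forged “Azure Portal” collides with the real one. The protected-name set beyond "Azure Portal" is assumed.

```python
import unicodedata

# Display names a stricter validator would refuse to let a third party register.
# "Azure Portal" is from the report; the other two are assumed for illustration.
PROTECTED_NAMES = {"Azure Portal", "Microsoft Teams", "Microsoft Authenticator"}

# Unicode general categories that render nothing visible on their own:
# Cf = format (zero-width joiners, BOM), Mn = nonspacing mark (includes the
# Combining Grapheme Joiner U+034F), Cc = control, Co = private use.
INVISIBLE_CATEGORIES = {"Cf", "Mn", "Cc", "Co"}

def invisible_chars(name: str) -> list[str]:
    """Return the code points in `name` that a user would not see rendered."""
    return [f"U+{ord(ch):04X}" for ch in name
            if unicodedata.category(ch) in INVISIBLE_CATEGORIES]

def visible_form(name: str) -> str:
    """Strip invisible code points, fold compatibility forms, case and
    whitespace, so a disguised name compares equal to the name it imitates."""
    stripped = "".join(ch for ch in name
                       if unicodedata.category(ch) not in INVISIBLE_CATEGORIES)
    folded = unicodedata.normalize("NFKC", stripped).casefold()
    return " ".join(folded.split())

def check_app_name(name: str) -> dict:
    """Evaluate a proposed app display name: report hidden code points and
    whether, once they are removed, it collides with a protected name."""
    hidden = invisible_chars(name)
    protected = {visible_form(p) for p in PROTECTED_NAMES}
    spoofed = visible_form(name) in protected
    return {"name": name, "hidden": hidden, "spoofs_protected": spoofed,
            "allowed": not spoofed and not hidden}

if __name__ == "__main__":
    # Constructed sample: "Azure Portal" with a Combining Grapheme Joiner (U+034F)
    # inserted after the first letter, the bypass described in the report.
    forged = "A\u034Fzure Portal"
    for candidate in ("Azure Portal", forged, "Contoso Expense App"):
        print(check_app_name(candidate))
```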
General News
A Cybercrime Merger Like No Other - Scattered Spider, LAPSUS$, and ShinyHunters Join Forces - A newly formed cybercriminal alliance uniting members of Scattered Spider, LAPSUS$, and ShinyHunters, operating under the name “Scattered LAPSUS$ Hunters” (SLH), reportedly emerged in August 2025, establishing more than a dozen Telegram channels to coordinate large-scale data extortion. The group promotes an “extortion as a service” (EaaS) model, combining ShinyHunters’ data-leak tactics with LAPSUS$’s social-engineering methods and Scattered Spider’s persistence techniques. Early incidents attributed to SLH involve public leaks, defacement campaigns, and high-pressure victim negotiations designed to amplify reputational and financial damage.
Researchers assess SLH as part of a wider “The Com” style ecosystem of semi-autonomous cybercrime groups sharing branding, infrastructure, and victim data to enhance visibility and influence. The merger illustrates a strategic evolution in cyber extortion, from isolated crews toward fluid, brand-driven collectives that merge elements of hacktivism, extortion, and opportunistic espionage. This convergence enables actors to exploit media attention as leverage, coordinate cross-platform targeting, and obfuscate accountability behind a constantly shifting public persona.
Websites disabled in Microsoft global outage come back online - A widespread Microsoft outage on 29 October 2025 temporarily disrupted access to major websites including Heathrow Airport, NatWest, Minecraft, Asda, M&S, and O2 in the UK, as well as Starbucks and Kroger in the US. The disruption, first reported around 16:00 GMT, was traced to a DNS configuration issue affecting Microsoft’s Azure cloud platform, which underpins roughly 20% of the global internet. Microsoft confirmed that users of Microsoft 365 experienced delays across Outlook and other services before stability was restored later that evening following the rollback of a faulty update.
The incident highlighted the risks of global dependence on a few dominant cloud providers, as outages in Azure, AWS, or Google Cloud can cascade through thousands of systems worldwide. The outage also forced the temporary suspension of business at the Scottish Parliament, delaying a land reform debate after its online voting system failed. Experts described the event as another reminder of the fragility of modern internet infrastructure, where a single configuration error in a major provider can disrupt critical services and expose the vulnerabilities of consolidated digital ecosystems.
New AI-Targeted Cloaking Attack Tricks AI Crawlers Into Citing Fake Info as Verified Facts - Researchers have described a new AI-targeted “cloaking” attack that tricks agentic web browsers and AI crawlers into treating malicious or fabricated content as verified source material. Demonstrated by security teams (notably SPLX) on 29 October 2025, the technique uses fingerprinting, identifying requests from AI agents such as ChatGPT Atlas or Perplexity, and serves those agents a different, poisoned version of a webpage while showing benign content to human visitors. The manipulated content can embed indirect prompt injections or hidden instructions that cause downstream LLMs and agents to cite false facts, propagate misinformation, or follow attacker-supplied logic in subsequent reasoning.
Because agentic crawlers and browser-style AI tools often rely on automated web retrieval to build context, the attack enables an adversary to create a “parallel web” visible only to machines, effectively poisoning the training or context-window inputs those agents use when answering questions or taking actions. Defences suggested by researchers include reducing fingerprintability, validating sources across multiple retrieval paths, and improving agent-side sanitisation and provenance checks; experts warn the vulnerability underscores how tightly coupled web delivery methods and AI trust assumptions can be exploited to turn the open web into an avenue for large-scale context poisoning.
Threat Actor Weekly Graph
Over the past 7 days, we have been tracking the following intent and opportunity changes within our Threat Actor Landscape.
Intent represents the potential targets of a group. When a group is observed attacking a different organisation or entity, their intent will increase.
Opportunity represents the various methods and technologies these groups may use. For example, if a group started using a new attack vector, such as a new kind of ransomware, their opportunity would increase.
Both intent and opportunity are scored out of 100 and are responsible for scoring the group's severity. These updates can be seen below.

Legend: ● Limited Severity | ● Basic Severity | ● Moderate Severity | ● High Severity

| Threat Actor | Severity (previous → current) | Opportunity (previous → current) | Intent (previous → current) |
|---|---|---|---|
| BlueBravo | ● High → ● High | ● 82 → ● 81 | ● 25 → ● 25 |
| Dragon Force Group | ● Moderate → ● Moderate | ● 61 → ● 70 | ● 49 → ● 49 |
| Kryptos Ransomware Group | NEW → ● Basic | NEW → ● 49 | NEW → ● 25 |
| Genesis Ransomware Group | NEW → ● Basic | NEW → ● 25 | NEW → ● 30 |
| Coinbase Cartel Ransomware Group | ● Basic → ● Basic | ● 25 → ● 49 | ● 45 → ● 45 |
Global Trends Powered by Recorded Future
Within each category, we have provided the current top five globally trending items. Each item is linked to how actively trending it is and is marked with a small symbol.
The spikes in references are calculated over 60 days and are normalised to ensure they aren't disproportionate when compared to bigger entities that will naturally have more baseline mentions.
▲ Spike – This indicates a large increase in reporting volume and a high diversity in the event descriptions.
▲ Rise – This indicates a small increase in reporting volume with little diversity in the descriptions.
| Attackers | Trend | Methods | Trend | Vulnerabilities | Trend | Targets | Trend |
|---|---|---|---|---|---|---|---|
| Interlock Ransomware Group | ▲ | ALPHV Ransomware (BlackCat) | ▲ | CVE-2023-20198 | ▲ | Mamdani | ▲ |
| KaruHunters | ▲ | BadCandy | ▲ | CVE-2025-9491 | ▲ | APA Corporation | ▲ |
| PalachPro | ▲ | Backdoor | ▲ | CVE-2025-48703 | ▲ | Apache | ▲ |
| RansomHouse Group | ▲ | TA0006 (Credential Access) | ▲ | CVE-2020-1472 (Zerologon) | ▲ | European Commission | ▲ |
| Akira Ransomware Group | ▲ | TA0008 (Lateral Movement) | ▲ | CVE-2024-1086 | ▲ | NATO | ▲ |
Prominent Information Security Events
Kinsing Threat Actor Exploits Apache ActiveMQ Vulnerability (CVE-2023-46604) for Malware Deployment
Source: Insikt Group | Validated Intelligence Event
IOC: URL - hxxp://gloryweb[.]vip/lin/javarunprocess
IOC: Hash - bf17b21c8e9f34a209977e0f2dce92c4
On October 28, 2025, the AhnLab Security Intelligence Center (ASEC) reported that the Kinsing threat actor exploited CVE-2023-46604, a remote code execution (RCE) flaw in Apache ActiveMQ, to deploy malware on unpatched Linux and Windows systems. Observed payloads included Sharpire, Cobalt Strike, Meterpreter and XMRig, which the actors used to gain remote control of compromised hosts, maintain persistence, and conduct unauthorised cryptocurrency mining.
ASEC described the infection chain beginning with Kinsing delivering crafted serialised payloads via Apache ActiveMQ’s vulnerable Java OpenWire protocol. The exploit caused the server to load a malicious XML configuration from a remote location; that XML then executed msiexec to install an MSI-based downloader and a secondary executable (mm13[.]exe). Both installers functioned as downloaders that retrieved and executed Cobalt Strike or Meterpreter in memory, providing the actors with remote access and post-exploitation capabilities.
ASEC additionally observed that the same server hosting the Windows downloaders also served a Bash script targeting Linux systems: the script modified XMRig configuration files to insert Kinsing’s cryptocurrency wallet addresses for covert mining. ASEC further identified the .NET backdoor Sharpire, noted to support PowerShell Empire, which enabled PowerShell command execution, system reconnaissance, file management and broader system control, although ASEC did not specify the exact deployment method for Sharpire.
Italian Spyware Vendor Memento Labs Linked to Operation ForumTroll Exploiting Google Chrome Vulnerability
Source: Insikt Group | Validated Intelligence Event
IOC: Hash - 7d3a30dbf4fd3edaf4dde35ccb5cf926
IOC: Hash - bf17b21c8e9f34a209977e0f2dce92c4
On October 27, 2025, Kaspersky reported that an unidentified state-sponsored threat group exploited CVE-2025-2783, a sandbox escape vulnerability in Google Chrome, as part of the March 2025 “Operation ForumTroll” espionage campaign. The actors targeted media, research, financial and government organisations in Russia and Belarus using spearphishing emails impersonating Primakov Readings forum invitations, delivering the LeetAgent loader and Dante spyware linked to Memento Labs.
The infection chain began with malicious links that redirected to a threat actor-controlled site. A validator script confirmed the visitor was genuine, then initiated an ECDH key exchange with the C2 server. The server returned an AES-GCM key used to decrypt a next-stage payload embedded in web assets, which likely chained a remote code execution exploit with CVE-2025-2783 to bypass Chrome’s sandbox.
Following execution, the actors established persistence via COM hijacking to load a malicious DLL, which decrypted the main payload and launched LeetAgent. The loader maintained encrypted HTTPS communications, supporting keylogging, file exfiltration and command execution. In some cases, LeetAgent deployed Dante, a modular spyware platform for C2 communication, data collection and file theft. Kaspersky noted overlaps in code, infrastructure and persistence methods, suggesting both tools were operated by the same actor.
Remediation Actions
Following the information provided above, we recommend that the technologies mentioned be fully patched and updated. We also want to highlight and recommend applying the following patches where applicable:
- CVE-2025-22167: This vulnerability can be remediated by updating to version 9.12.28, 10.3.12, or 11.1.0.
- CVE-2025-54236: This vulnerability can be remediated by installing the hotfix VULN-32437-2-4-X-patch from Adobe.
- CVE-2023-46604: Users are recommended to upgrade both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3, which fix this issue.
If you are currently an Acumen Cyber Vulnerability Management customer, we will be proactively performing related searching and hunting activities within your environment.