Google Threat Intelligence and Mandiant have linked an ongoing Oracle E-Business Suite (EBS) extortion campaign to a likely zero-day vulnerability, now tracked as CVE-2025-61882. Attackers are exploiting this and previously patched flaws to deploy malware and exfiltrate sensitive data, followed by extortion demands. The vulnerability can be exploited remotely without authentication, posing a severe risk to organizations managing financial and business-critical data within Oracle EBS.
Business impact
High risk of sensitive financial data theft, leading to significant financial loss, regulatory fines under SOX and GDPR, and major business disruption. The extortion component adds direct financial pressure and reputational damage.
Recommended action
Immediately apply the latest patches from Oracle. Isolate affected EBS instances and initiate a full compromise assessment. Hunt for indicators of compromise detailed by Google and Mandiant, paying close attention to unexpected outbound network traffic and unauthorized processes on EBS servers.
Microsoft has released an urgent update to revamp the Internet Explorer (IE) mode in its Edge browser. This follows credible intelligence from August 2025 that threat actors were actively abusing the legacy compatibility feature. Attackers used social engineering to trick users into visiting malicious sites that leveraged IE mode to bypass browser security controls and gain unauthorized access to devices.
Business impact
Compromise of end-user workstations, leading to initial access for ransomware deployment, corporate espionage, or lateral movement within the network. This undermines endpoint security posture and could lead to widespread system compromise.
Recommended action
Ensure the latest Microsoft Edge updates are deployed across all enterprise devices immediately. Review and restrict Group Policies related to IE mode, limiting its use to only a pre-approved list of trusted internal legacy sites. Conduct user awareness training on the social engineering tactics involved.
An unpatched zero-day vulnerability, identified as CVE-2025-11371, has been reported in the Gladinet CentreStack cloud storage and file sharing solution. Details of the flaw are currently limited, but its existence as a zero-day implies active exploitation or a high likelihood thereof. Gladinet is a platform used for secure file access and collaboration, making any vulnerability a critical risk for data exposure.
Business impact
Potential for unauthorized access to, and exfiltration of, sensitive corporate data stored or managed via the Gladinet platform. This could result in intellectual property theft, compliance violations under HIPAA and SOX, and severe reputational damage.
Recommended action
Organizations using Gladinet CentreStack should immediately review vendor advisories for mitigation guidance. Until a patch is available, consider isolating the service, restricting access to trusted IP ranges, and closely monitoring all access logs for anomalous activity.
A new campaign is distributing the Astaroth banking trojan, a potent malware designed to steal financial credentials and other sensitive information. Threat actors have updated their tactics to use GitHub as a resilient command-and-control (C2) backbone, making their infrastructure difficult to disrupt. This abuse of a legitimate, trusted service allows the malware to blend in with normal network traffic, evading traditional detection methods.
Business impact
High risk of financial fraud, theft of corporate banking credentials, and compromise of sensitive customer or employee data. The use of GitHub for C2 complicates detection and response, increasing the dwell time of the malware.
Recommended action
Enhance network monitoring to detect and alert on anomalous connections to GitHub from non-developer endpoints. Deploy endpoint detection and response (EDR) solutions capable of identifying Astaroth's behavioral patterns. Block known indicators of compromise (IoCs) associated with the campaign at the network perimeter.
Spanish authorities have arrested the alleged administrator of 'GXC Team,' a Crime-as-a-Service (CaaS) group. The operation provided illicit tools to other criminals, including sophisticated phishing kits and Android malware, lowering the barrier to entry for conducting cyberattacks. This takedown disrupts a key supplier in the cybercrime ecosystem.
Business impact
While a positive development, this highlights the pervasive nature of the CaaS model. The availability of ready-made attack tools means organizations face threats from a wider, less predictable range of adversaries. The dismantled tools may still be in use by other criminals.
Recommended action
Security teams should not become complacent. Use this intelligence to review defenses against common CaaS offerings like phishing and mobile malware. Ensure multi-factor authentication (MFA) is enforced on all external services and that mobile device management (MDM) policies are in place to detect malicious applications.
Spotlight Rationale: Today's critical alert on the Oracle EBS zero-day ([CVE-2025-61882](https://nvd.nist.gov/vuln/detail/CVE-2025-61882)) and the resurgence of the Astaroth banking trojan highlight a common attack outcome: the compromise and abuse of credentials, particularly the non-human identities (NHIs) like service accounts and API keys used by these critical applications.
Entro Security provides a platform to discover, manage, and secure non-human identities across cloud and on-premise environments. In the context of the Oracle EBS breach, attackers gaining access to the application server could pivot by stealing embedded service account credentials or API keys. Entro addresses this by providing a centralized inventory of all NHIs, detecting their permissions, and enabling automated rotation and vaulting of secrets. This approach limits the blast radius of a breach by ensuring any stolen credentials have a short lifespan and adhere to the principle of least privilege.
Actionable Platform Guidance: Use the Entro platform to immediately scan environments hosting Oracle EBS to discover all associated NHIs (service accounts, database connectors, API keys). Prioritize the review of any discovered identities with overly permissive access. Configure an automated, high-frequency rotation policy for all secrets associated with the EBS application to mitigate the risk of stolen credentials being used for lateral movement.
β οΈ Disclaimer: Test all detection logic in non-production environments before deployment.
1. Vendor Platform Configuration - Entro Security
# Action Plan for Mitigating Oracle EBS NHI Risk
# 1. Initiate Discovery Scan
# Target discovery scans at network segments and cloud accounts containing Oracle EBS infrastructure.
# Focus on detecting secrets in code, configuration files, and running processes.
# 2. Filter and Prioritize
# In the Entro dashboard, filter discovered NHIs by tags associated with 'Oracle' or 'EBS'.
# Prioritize identities with high privileges (e.g., 'DBA', 'root', 'admin') for immediate review.
# 3. Configure Automated Rotation
# For all identified EBS-related secrets, onboard them into Entro's vault.
# Define a rotation policy with a short TTL (e.g., 24 hours) during this high-risk period.
# Ensure the rotation process is validated with application owners to prevent service disruption.
# 4. Set Up Alerts
# Create alerts for any new NHI creation on EBS servers or anomalous usage of existing EBS-related secrets.
2. YARA Rule for Potential Oracle EBS Webshell (CVE-2025-61882)
index=oslogs sourcetype="linux_os" host="*ebs*"
(process_name="sh" OR process_name="bash" OR process_name="curl" OR process_name="wget")
parent_process_name IN ("java", "httpd", "apache")
| stats count by _time, host, user, parent_process_name, process_name, process_command
| eval risk_score=case(
match(process_command, "(?i)whoami|uname|id"), 50,
match(process_command, "(?i)curl|wget.*\/tmp"), 75,
match(parent_process_name, "(?i)java"), 90,
1==1, 20)
| where risk_score >= 75
| table _time, host, user, parent_process_name, process_name, process_command, risk_score
| sort -_time
4. PowerShell Script β Hunt for Astaroth IoCs on Endpoints
<#
.SYNOPSIS
Hunts for potential Astaroth Trojan artifacts on specified Windows systems.
.DESCRIPTION
Checks for known persistence mechanisms and file locations used by Astaroth.
#>
$computers = (Get-ADComputer -Filter *).DNSHostName
$suspiciousPath = "$env:APPDATA\*\*.db"
$suspiciousRegKey = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
Write-Host "Starting Astaroth IoC hunt..."
foreach ($computer in $computers) {
if (Test-Connection -ComputerName $computer -Count 1 -Quiet) {
Write-Host "Checking $computer..."
try {
# Check for suspicious database files in AppData
$files = Invoke-Command -ComputerName $computer -ScriptBlock { Get-ChildItem -Path $using:suspiciousPath -ErrorAction SilentlyContinue } -ErrorAction SilentlyContinue
if ($files) {
Write-Warning "[$computer] Suspicious file found: $($files.FullName)"
}
# Check for suspicious Run key entries
$regEntries = Invoke-Command -ComputerName $computer -ScriptBlock { Get-ItemProperty -Path $using:suspiciousRegKey -ErrorAction SilentlyContinue } -ErrorAction SilentlyContinue
if ($regEntries) {
foreach ($entry in $regEntries.PSObject.Properties) {
if ($entry.Value -like "*wscript.exe*" -or $entry.Value -like "*rundll32.exe*") {
Write-Warning "[$computer] Suspicious Run key found: $($entry.Name) -> $($entry.Value)"
}
}
}
} catch {
Write-Error "Failed to connect to $computer: $_"
}
} else {
Write-Host "$computer is offline."
}
}
Write-Host "Hunt complete."
This rundown should provide a solid overview of the current threat landscape. Thank you to all our cyberheroes for your diligence and hard work. Stay vigilant!
Cookie Notice
We use essential cookies to provide our cybersecurity newsletter service and analytics cookies to improve your experience. We respect your privacy and comply with GDPR requirements.
About STIX 2.1: Structured Threat Information eXpression (STIX) is the machine language of cybersecurity. This bundle contains validated threat objects, indicators, and relationships that can be directly imported into your SIEM, TIP, or security orchestration platform.
Usage: Download or copy the JSON below and import it directly into your threat intelligence platform, SIEM, or security orchestration tools for automated threat detection and response.
CRITICAL ITEMS
HIGH SEVERITY ITEMS
VENDOR SPOTLIGHT
DETECTION & RESPONSE KIT