
Weekly Cybersecurity Recap - 24 March 2025
This Week in Cybersecurity: Phishing, Ransomware, and a $32B Acquisition
Major Threats, Exploits, Malware and Industry Updates
As cyber threats evolve, last week brought a wave of attacks that highlight how threat actors are becoming more adaptive - and how organizations must rethink both their technical and strategic defenses. From new malware strains and supply chain compromises to large-scale data breaches and deepfake dangers, the cybersecurity landscape is being reshaped in real time.
Here’s a breakdown of the most important developments across threat intelligence, data breaches, and industry trends:
New Rust-Based Malware "ChaosBot" Uses Discord Channels to Control Victims' PCs
Researchers have uncovered a sophisticated new Rust-based backdoor named ChaosBot that allows attackers to perform reconnaissance and execute commands on compromised systems.
The malware was first spotted in late September 2025 inside a financial services firm’s network, using Discord channels for covert command-and-control operations - making it difficult to detect in traditional network monitoring.
From HealthKick to GOVERSHELL: The Evolution of UTA0388's Espionage Malware
A China-aligned threat actor known as UTA0388 continues its global espionage campaigns with an upgraded Go-based implant called GOVERSHELL.
The group has expanded its reach across North America, Asia, and Europe, using spear-phishing techniques to target strategic entities and exfiltrate sensitive data.
Chinese Hackers Use Velociraptor IR Tool in Ransomware Attacks
Researchers observed China-based Storm-2603 hackers weaponizing Velociraptor, a legitimate incident response tool, to maintain persistence in victim networks.
Originally built to help defenders, this DFIR tool is now being exploited for stealthy ransomware deployment - a concerning trend in tool repurposing by advanced threat actors.
175 Malicious npm Packages with 26,000 Downloads Used in Credential Phishing Campaign
A campaign involving 175 malicious npm packages - downloaded over 26,000 times - has been used to steal credentials in attacks dubbed Beamglea.
Researchers say the campaign primarily targeted industrial and energy firms by embedding credential harvesting code within legitimate-looking packages.
Hackers Exploit WordPress Sites to Power Next-Gen ClickFix Phishing Attacks
Attackers are hijacking WordPress sites by injecting malicious JavaScript designed to redirect users to fake verification pages.
The ClickFix campaign alters website themes to silently serve malware-laden content - turning trusted websites into phishing delivery mechanisms.
Hackers Extorting Salesforce After Stealing Data From Dozens of Customers
A threat group dubbed Scattered LAPSUS$ Hunters is extorting Salesforce customers after claiming massive data theft. Composed of members from Lapsus$, Scattered Spider, and ShinyHunters, the group’s re-emergence has raised fears of renewed large-scale extortion targeting enterprise CRM data.
Discord Says 70,000 Users Had IDs Exposed in Recent Data Breach
Discord confirmed that hackers accessed over 70,000 government ID photos from users who submitted verification documents. The platform attributed the breach to a third-party service used for customer support, emphasizing how outsourced dependencies can create new risk vectors.
SonicWall Investigation Shows Hackers Gained Wide Access to Customer Backup Files
SonicWall disclosed that attackers accessed firewall configuration backups for all MySonicWall cloud backup users - contradicting earlier claims of limited impact. The breach highlights the dangers of centralized data storage and the critical importance of multi-layered access controls in SaaS environments.
Deepfake Awareness High at Orgs, But Cyber Defenses Badly Lag
A growing number of organizations acknowledge the risks posed by AI-driven deepfakes, yet most lack adequate technical defenses. Despite many reporting successful deepfake-related attacks, companies remain overconfident in their readiness - creating a dangerous gap between awareness and action.
Despite More CVEs, Cyber Insurers Aren't Altering Policies
With nearly 47,000 CVEs expected this year - double 2020’s total - insurers are still not adjusting cyber policies to reflect the explosion in vulnerabilities. Experts warn that without aligning insurance frameworks to modern threat realities, organizations may face increasing coverage gaps amid rising exploit risks.
Fortra Confirms 'Unauthorized Activity' Hit GoAnywhere MFT
Fortra confirmed “unauthorized activity” in its GoAnywhere managed file transfer (MFT) software tied to the Medusa ransomware group. The attackers exploited a now-patched zero-day vulnerability in on-premises installations exposed to the internet - again proving that misconfiguration often amplifies software risk.