intelligence gathering

Group-IB researchers observed a threat actor named Bloody Wolf launching a cyberattack campaign against Kyrgyzstan targeting the delivery of the NetSupport RAT beginning in June 2025.By early October 2025, its attacks expanded to Uzbekistan. By masquerading as the Kyrgyz Ministry of Justice, the attackers utilized official-looking PDF documents and domains, which in turn hosted malicious Java Archive (JAR) files designed to deploy the NetSupport RAT. The attack uses social engineering and easy-to-access tools via phishing emails to trick recipients into clicking on a link to download a malicious JAR loader file and install the Java Runtime, which in turn executes the loader in order to obtain the NetSupport RAT and establish persistence. Geofencing restrictions were also added to the attack against Uzbekistan.

CVE-2025-47812 is an extremely high-risk vulnerability with a confirmed exploit in the wild. Due to its low threshold of exploitation and high destructive power, it is recommended that all organizations using Wing FTP Server give it the highest priority for disposal, and must complete version upgrades or implement effective traffic blocking policies as soon as possible.

The Apple iMessage Zero-Click vulnerability allows an attacker to remotely compromise a device by sending a maliciously crafted iMessage message without user interaction. It has been exploited by Graphite spyware to launch attacks against journalists.

The vulnerability stems from the V8 TurboFan compiler's incorrect handling of dynamic index loading when performing store-store elimination optimization, which leads to misclassification of alias relationships and incorrect elimination of critical store operations, which in turn leads to memory access out-of-bounds. An attacker can construct a specially crafted HTML page to induce user access, trigger malicious JavaScript code execution, exploit the vulnerability to achieve remote code execution and sandbox escape, and ultimately take full control of the victim's device.

Aim Security has discovered the "EchoLeak" vulnerability, which exploits a design flaw typical of RAG Copilot, allowing an attacker to automatically steal any data in the context of M365 Copilot without relying on specific user behavior. The main attack chain consists of three different vulnerabilities, but Aim Labs has identified other vulnerabilities during its research that may enable exploitation.

A new proof of concept (PoC), identified as CVE-2025-21298, has been released for a Microsoft Outlook zero-click remote code execution (RCE) vulnerability in Windows Object Linking and Embedding (OLE).

Apache Tomcat 9.0.0-M11 to 9.0.43 Apache Tomcat 8.5.7 to 8.5.63 CVE-2024-21733 Apache Tomcat information disclosure critical vulnerability risk

An unauthenticated remote attacker can achieve remote code execution, resulting in a threatening risk of compromising Windwos servers with Remote Desktop Licensing Services enabled.

The dark web is selling a Windows Local Privilege Escalation (LPE) zero-day vulnerability that reportedly affects multiple versions of the Windows operating system, including the latest version. This alarming development has been disclosed via an underground marketplace where threat actors have provided detailed specifications and capabilities of the vulnerability.

CVE-2024-32002 is a vulnerability in Git that enables RCE git clone during operation.By crafting repositories with submodules in a specific way, an attacker can execute malicious hooks by writing files to the directory .git/ using case-insensitive symbolic link handling on the file system.