Cybersecurity News: Russian hackers replace malware with new tools, Windows updates cause login issues, campaign targets high-profile servers

In today’s cybersecurity news…

Russian state hackers replace burned malware with new tools

Google’s threat intelligence team says Russian state-backed hacking group Coldriver, also known as Star Blizzard or Callisto, has developed three new malware strains: NOROBOT, YESROBOT, and MAYBEROBOT, after its previous LostKeys tool was exposed in May. The new tools are said to be deployed “more aggressively than any previous campaigns,” designed to evade detection and steal data from high-value targets. Google believes Coldriver is now using custom malware to gather deeper intelligence from already-phished victims. (The Record)

Recent Windows updates cause login issues on some PCs

Microsoft says Windows updates released since August 29th are breaking logins on systems with duplicate Security Identifiers (SIDs), causing Kerberos and NTLM authentication failures across Windows 11 24H2, 25H2, and Windows Server 2025. The issue appears to stem from a new security check that rejects authentication between devices sharing SIDs, often created when systems are cloned without using Sysprep. Microsoft recommends rebuilding affected systems or contacting support for a temporary Group Policy fix. (Bleeping Computer)

Sophisticated campaign targets servers of high-profile organizations

Kaspersky researchers say a Chinese-speaking threat actor is likely behind the “PassiveNeuron” campaign, which has targeted government, financial, and industrial servers across Asia, Africa, and Latin America since 2024. The campaign uses custom implants “Neursite” and “NeuralExecutor,” along with Cobalt Strike, to exploit SQL servers and maintain persistence via large disguised DLL files. Kaspersky says the group’s tactics align with Chinese APTs, though attribution remains low-confidence. (Secure List)

CISA adds new flaws to known exploited vulnerabilities catalog

CISA added high-severity vulnerabilities in Oracle E-Business Suite, Microsoft Windows SMB Client, Kentico Xperience CMS, and Apple JavaScriptCore to its Known Exploited Vulnerabilities catalog. These flaws could allow data theft, privilege escalation, and remote code execution. Federal agencies have to patch them by November 10th, and private organizations are advised to update affected systems. (Security Affairs)

Huge thanks to our sponsor, ThreatLocker

Imagine having the power to decide exactly what runs in your IT environment — and blocking everything else by default. That’s what ThreatLocker delivers. As a zero-trust endpoint protection platform, ThreatLocker fills the gaps traditional solutions leave behind, giving your business stronger security and control. Don’t just react to threats — stop them with ThreatLocker.

New chip design counters laser attacks on automotive controllers

Researchers at France’s Alternative Energies and Atomic Energy Commission (CEA) and semiconductor firm Soitec have developed a new chip architecture called Fully Depleted Silicon-on-Insulator to defend against laser fault injection attacks targeting automotive microcontrollers. The design adds an insulating oxide layer that makes it harder to manipulate circuits with focused laser beams, including attacks that can flip bits or bypass authentication. It also improves cost efficiency and helps automakers meet global cybersecurity standards. (Dark Reading)

Hackers exploit zero-days at Pwn2Own Ireland

On the first day of Pwn2Own Ireland 2025, researchers exploited 34 zero-days across devices including QNAP and Synology NAS, printers, smart home gadgets, and networking equipment, earning $522,500 for the effort. Team DDOS chained eight zero-days to hack a QNAP router and NAS for $100,000, while Summoning Team led the leaderboard with $102,500. The contest, co-sponsored by Meta, QNAP, and Synology, rewards zero-day exploits and promotes responsible disclosure, with vendors given 90 days to patch vulnerabilities before public disclosure. (Bleeping Computer)

GlassWorm attacks VS Code supply chain

Researchers at Koi Security discovered a new self-propagating malware dubbed GlassWorm infecting around 36,000 developer systems by exploiting Visual Studio Code extensions. The worm uses invisible Unicode characters to hide its code, steals credentials from GitHub, NPM, and OpenVSX, installs remote access tools, and turns developer machines into criminal proxy nodes. It also uses the Solana blockchain and Google Calendar for command and control. Microsoft has since removed the infected extensions. (Dark Reading)
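A defender-side check for the invisible-character trick described above, added here as an example and not code from Koi Security or the article: it scans extension source text for Unicode format characters and other visually empty code points and distinguishes a single stray byte-order mark from a long hidden run. The article does not say which characters GlassWorm used, so the character set and the run threshold below are assumptions.

```python
import unicodedata

# Code points that render as nothing in an editor and so can hide text in plain
# sight. Category "Cf" (format) covers zero-width space/joiner/non-joiner, BOM,
# bidi overrides and tag characters; the extra set adds visually empty characters
# from other categories. Assumption: the article does not list GlassWorm's exact set.
INVISIBLE_EXTRA = {"\u3164", "\u115f", "\u1160", "\u2800"}  # Hangul fillers, blank Braille

def is_invisible(ch: str) -> bool:
    if unicodedata.category(ch) == "Cf":
        return True
    cp = ord(ch)
    # Variation selectors are category Mn, not Cf, so check their ranges explicitly.
    if 0xFE00 <= cp <= 0xFE0F or 0xE0100 <= cp <= 0xE01EF:
        return True
    return ch in INVISIBLE_EXTRA

def scan_source(text: str):
    """Return (line, column, code point, name) for every invisible character."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if is_invisible(ch):
                name = unicodedata.name(ch, "UNKNOWN")
                findings.append((lineno, col, f"U+{ord(ch):04X}", name))
    return findings

def longest_invisible_run(text: str) -> int:
    """Length of the longest consecutive run of invisible characters."""
    longest = run = 0
    for ch in text:
        run = run + 1 if is_invisible(ch) else 0
        longest = max(longest, run)
    return longest

def classify(text: str, run_threshold: int = 4) -> str:
    """A lone BOM or soft hyphen is normal; a long run is hidden content (assumed threshold)."""
    return "suspicious" if longest_invisible_run(text) >= run_threshold else "clean"

# Constructed samples: a benign extension stub and one with 12 invisible characters
# hidden inside a string literal on line 2.
CLEAN_SAMPLE = "const version = '1.0.0';\nmodule.exports = { activate() {} };\n"
SUSPECT_SAMPLE = (
    "const version = '1.0.0';\n"
    "const x = 'a" + "\u200b\u200c\u200d\u2060" * 3 + "b';\n"
    "module.exports = { activate() {} };\n"
)

if __name__ == "__main__":
    for hit in scan_source(SUSPECT_SAMPLE):
        print("line %d col %d %s %s" % hit)
    print(classify(SUSPECT_SAMPLE))
```

Run it over the unpacked `.vsix` contents of each installed extension; anything other than a lone leading BOM in a JavaScript file deserves a manual look.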

PolarEdge targets routers in expanding botnet campaign

PolarEdge, a botnet malware targeting Cisco, ASUS, QNAP, and Synology routers, was first noticed in February, with activity going back as early as June 2023. It installs a TLS-based backdoor to fingerprint hosts, receive commands, and execute tasks while using anti-analysis techniques and process masquerading to evade detection. PolarEdge can operate in connect-back or debug modes, and its purpose seems to be linked to building a large network of compromised devices, not unlike GhostSocks’ use of infected systems as SOCKS5 proxies. (The Hacker News)