Anne Helen Petersen's Substack account
October 1, 2025
•[ phishing, account takeover, impersonation ]
Former BuzzFeed journalist Anne Helen Petersen received a phishing email that imitated a security alert from Substack, warning that her ability to send emails would be frozen unless she verified her account. After she responded, attackers captured her credentials and gained unauthorized access to her Culture Study Substack newsletter and podcast account, which has more than 25,000 followers. The intruders changed the newsletter's name to impersonate cryptocurrency wallet company Trezor and added thousands of new email addresses to the mailing list, hijacking her distribution channel to push a crypto-related scam through her audience.
GlobalLogic
October 1, 2025
•[ ransomware, data leak, extortion ]
Cl0p exploited an Oracle-hosted cloud application used by GlobalLogic for HR data management, exposing approximately 10,000 employee records including names, email addresses, phone numbers, and employee identifiers, as part of a broader extortion campaign targeting Oracle cloud tenants.
Undisclosed Uzbekistan organization
October 1, 2025
•[ nation-state, phishing, malware ]
A nation-state actor known as Bloody Wolf expanded operations to Uzbekistan using geofenced spearphishing delivering malicious JAR loaders that installed NetSupport RAT for persistent access; no data theft was reported.
Undisclosed Nigerian Telecom Firm
October 1, 2025
•[ cyber-enabled fraud, unauthorized access, billing system breach ]
The Nigeria Police uncovered a cyber-enabled fraud involving unlawful access to a telecom operator's billing system, leading to ₦7.7bn in diverted airtime and data; six suspects were arrested.
At least one official in Ukraine's Defense Forces
October 1, 2025
•[ phishing, malware, backdoor ]
BleepingComputer reported that officials of Ukraine's Defense Forces were targeted in a charity-themed operation between October and December 2025 that delivered a backdoor malware family called PluggyApe. CERT-UA assessed the activity as likely linked to the Russian-aligned threat group known as Void Blizzard (also referred to as Laundry Bear), with medium confidence in attribution. The infection chain described begins with instant messages over Signal or WhatsApp directing targets to a purported charity website and prompting them to download a password-protected archive containing documents, which then leads to backdoor execution and follow-on access for information theft. The report focuses on the campaign's TTPs and targeting rather than publishing a confirmed list of compromised entities.
Substack
October 1, 2025
•[ phishing, data leak, unauthorized access ]
Substack notified users of a data breach after it identified evidence on February 3, 2026 that an unauthorized third party accessed limited user data in October 2025. Substack stated that credit card numbers, passwords, and financial information were not accessed. The company did not disclose how access was obtained, but said it fixed the system issue that enabled it and warned users to be cautious of phishing. Reporting cited a database allegedly containing 697,313 records posted to a hacking forum, consistent with exposure of emails, phone numbers, and internal account metadata.
At least one organization in Southeast Asia
October 1, 2025
•[ espionage, APT activity, vulnerability exploitation ]
BleepingComputer summarized Check Point research on a newly tracked actor, Amaranth Dragon, linked to China-aligned APT activity, which exploited WinRAR CVE-2025-8088 in espionage operations against government and law enforcement entities in Singapore, Thailand, Indonesia, Cambodia, Laos, and the Philippines. The actor used geofenced infrastructure and a custom loader to deliver encrypted payloads (including Havoc and a newer TGAmaranth RAT that uses Telegram for C2). Because the article is campaign/threat-research reporting without a discrete, named victim event record and bounded impacts, event_type and event_subtype are coded as NA for CED incident purposes.
New Mexico Public Defender Department
September 30, 2025
•[ ransomware ]
Ransomware detected on September 30, 2025 shut down New Mexico's Public Defender Department, locking access to thousands of active case files and delaying court filings for about ten days. No data theft or leak has been reported.
Comcast Corporation
September 29, 2025
•[ ransomware, malware, technology ]
The Medusa ransomware group claimed theft of 834.4 GB (167,121 files) from Comcast, including internal actuarial, claims, and modeling information. The attackers demanded USD 1.2 million to delete or release the data; no encryption or operational disruption was reported.
Asahi Group (Japan operations)
September 29, 2025
•[ ransomware, malware, manufacturing ]
A ransomware attack disrupted Asahi Group's Japanese operations, fully halting order processing, shipping logistics, and customer service systems nationwide. Beer production stopped at six domestic plants for about a week, and only partial restoration was achieved by October 6, 2025. Asahi confirmed the attack targeted internal servers but reported no confirmed data exfiltration or actor attribution.
The Washington Post
September 29, 2025
•[ ransomware, data leak ]
Cl0p ransomware actors exploited an Oracle E-Business Suite zero-day vulnerability (CVE-2025-61882) as part of a broader campaign and contacted The Washington Post on 29 September 2025 claiming access to its Oracle EBS applications. A Maine Attorney General breach filing and subsequent reporting confirmed that Cl0p exfiltrated Washington Post data and that 9,720 individuals had their personal and financial information exposed, including names, bank account and routing numbers, Social Security numbers and tax IDs. The incident appears to be data-theft-focused with no confirmed operational disruption at the newspaper.
Richmond Behavioral Health Authority (RBHA)
September 29, 2025
•[ ransomware, data leak ]
Richmond Behavioral Health Authority (RBHA), a public mental health services provider for the City of Richmond, reported a ransomware attack that began on September 29, 2025 and was identified on September 30, after which RBHA said it removed the attacker from its network. Despite rapid eviction, RBHA disclosed that an unknown actor may have accessed sensitive information including names, Social Security numbers, passport numbers, and financial account and health information. Reporting stated RBHA told U.S. HHS that 113,232 individuals were affected. The Qilin ransomware group later claimed responsibility and published a large dataset allegedly stolen from RBHA, consistent with a double-extortion incident involving both encryption and data exfiltration.
Moldova Central Electoral Commission / election infrastructure
September 27, 2025
•[ hack, ddos, government ]
During Moldova's 2025 parliamentary election, distributed denial-of-service (DDoS) attacks targeted the Central Electoral Commission's public websites, briefly disrupting access for several hours with peaks around 400 Gbps. Officials accused Russian-aligned actors of interference, but attribution remains unconfirmed. Voting systems were unaffected.
Undisclosed Italian Government Department (via Libraesva ESG vulnerability)
September 27, 2025
•[ hack, government ]
Libraesva confirmed that a zero-day vulnerability in its Email Security Gateway (ESG) was exploited beginning September 27, 2025 by state-sponsored hackers to access one Italian government department's email system. The company released an emergency patch and reported no encryption or broader impact.
RemoteCOM (SCOUT Monitoring Software)
September 26, 2025
•[ leak, technology ]
DataBreaches.net reported that RemoteCOM, developer of the SCOUT monitoring platform used by law enforcement, was breached in late September 2025. Attackers exfiltrated data on approximately 6,900 officers and 14,000 monitored clients. No encryption or operational disruption was reported.
Avnet
September 26, 2025
•[ data leak ]
Avnet confirmed unauthorized access to an externally hosted database supporting an EMEA sales tool. The company says most of the stolen data is unreadable without a proprietary tool, and the samples seen so far contain non-sensitive PII.
Cancer patient in charity livestream
September 25, 2025
•[ financial, malware, healthcare ]
A serious accusation in Argentina alleged that influencer Valentín scammed a cancer patient during a charity livestream using a video game called BlockBlasters, which contained hidden malware that stole cryptocurrency from the victim's wallet.
Kido Schools (nursery chain)
September 25, 2025
•[ ransomware, data leak ]
Hackers calling themselves Radiant stole sensitive child and parent data from Kido Schools, posting victims' profiles online to extort a £600,000 ransom; after public backlash they blurred and then deleted the leaked material.
Gulshan Management Services
September 25, 2025
•[ ransomware, phishing, data breach ]
SecurityWeek reported that Gulshan Management Services, associated with Gulshan Enterprises (operator of Handi Plus and Handi Stop locations in Texas), disclosed a ransomware-related data breach affecting more than 377,000 individuals via a filing with the Maine Attorney General. Gulshan detected unauthorized access in late September 2025 after an attacker gained entry through a successful phishing attack and maintained access for about 10 days. During that period, the threat actor stole personal data and then deployed ransomware that encrypted files on Gulshan's systems. The compromised personal information was described as including names, contact details, Social Security numbers, and driver's license numbers.