At least one undisclosed Ukraine war-relief organization
October 22, 2025
•[ phishing, credential theft, malware ]
Targeted credential-theft/implant delivery against humanitarian and logistics organizations aiding Ukraine using well-crafted lures, HTML smuggling, and compartmentalized infrastructure. Intent is intelligence collection; campaign report covers multiple organizations without a single verified primary effect to code as an event.
Xubuntu
October 18, 2025
•[ malware, data theft, supply chain attack ]
Pplware reports the official Xubuntu site was briefly compromised; the torrent download link served a ZIP with a Windows EXE that stole sensitive data (e.g., crypto addresses). Xubuntu removed the page and accelerated infra migration; ISO mirrors were unaffected. Financially motivated malware delivery via a trusted brand.
Serbian Civil Aviation Directorate
October 17, 2025
•[ cyber-espionage, phishing, malware ]
A cyber-espionage campaign linked to suspected Chinese threat actors compromised application servers at Serbias Civil Aviation Directorate. Attackers used phishing emails to deploy Sogu, PlugX, and Korplug malware, gaining persistent access for intelligence collection. No operational disruption was reported.
PTOE Corporation
October 7, 2025
•[ website defacement, malware, phishing ]
Company confirmed official website was replaced and redirected to a fraudulent Chinese shopping site serving malware.
At least one official in Ukraine's Defense Forces
October 1, 2025
•[ phishing, malware, backdoor ]
BleepingComputer reported that officials of Ukraines Defense Forces were targeted in a charity-themed operation between October and December 2025 that delivered a backdoor malware family called PluggyApe. CERT-UA assessed the activity as likely linked to the Russian-aligned threat group known as Void Blizzard (also referred to as Laundry Bear), with medium confidence in attribution. The infection chain described begins with instant messages over Signal or WhatsApp directing targets to a purported charity website and prompting them to download a password-protected archive containing documents, which then leads to backdoor execution and follow-on access for information theft. The report focuses on the campaigns TTPs and targeting rather than publishing a confirmed list of compromised entities.
Undisclosed Uzbekistan organization
October 1, 2025
•[ nation-state, phishing, malware ]
A nation-state actor known as Bloody Wolf expanded operations to Uzbekistan using geofenced spearphishing delivering malicious JAR loaders that installed NetSupport RAT for persistent access; no data theft was reported.
WhatsApp users in Bijnor, Uttar Pradesh
October 1, 2025
•[ malware, phishing, data leak ]
Several WhatsApp users in Bijnor, Uttar Pradesh had their Android phones compromised after downloading a fake wedding invitation via WhatsApp. The malware granted remote access, exposing personal messages, photos, and financial app data. Victims filed complaints with the Bijnor Cyber Crime Police Station; authorities believe multiple individuals across the district were affected.
Comcast Corporation
September 29, 2025
•[ ransomware, malware, technology ]
Medusa ransomware group claimed theft of 834.4 GB (167,121 files) from Comcast, including internal actuarial, claims, and modeling information. Attackers demanded USD 1.2 million to delete or release data; no encryption or operational disruption reported.
Asahi Group (Japan operations)
September 29, 2025
•[ ransomware, malware, manufacturing ]
A ransomware attack disrupted Asahi Groups Japanese operations, fully halting order processing, shipping logistics, and customer service systems nationwide. Beer production stopped at six domestic plants for about a week, and only partial restoration was achieved by October 6 2025. Asahi confirmed the attack targeted internal servers but reported no confirmed data exfiltration or actor attribution.
Cancer patient in charity livestream
September 25, 2025
•[ financial, malware, healthcare ]
A serious accusation in Argentina alleged that influencer Valentn scammed a cancer patient during a charity livestream using a video game called BlockBlasters, which contained hidden malware that stole cryptocurrency from the victims wallet.
Undisclosed targets in Russian civil society
September 24, 2025
•[ hack, malware ]
Russia-linked APT COLDRIVER conducted a new ClickFix-style campaign delivering BAITSWITCH (DLL downloader) and SIMPLEFIX (PowerShell backdoor) against civil-society targets; technique involves fake CAPTCHA/checkbox leading to command execution and C2 beacons.
Gloucester-Mathews Gazette-Journal
September 15, 2025
•[ ransomware, malware, technology ]
Ransomware hit the Gazette-Journals production file server over the weekend; discovered 09/15/2025; no customer financial data compromised; recovery allowed in-house printing to resume after network restoration; attacker unknown.
Friendlies Society Dispensary
September 15, 2025
•[ ransomware, malware, healthcare ]
A ransomware attack occurred in September 2025 against the Friendlies Society Dispensary in Toowoomba, Queensland. The pharmacys systems were encrypted, disrupting services for several days. Management reported uncertainty about what data was accessed. The incident was publicly reported on October 1, 2025, by ABC News.
VAS AG
September 14, 2025
•[ ransomware, malware, manufacturing ]
{"richText":[{"font":{"size":11,"color":{"theme":1},"name":"Aptos Narrow"},"text":"VAS AG reported a "},{"font":{"bold":true,"size":11,"color":{"theme":1},"name":"Aptos Narrow"},"text":"ransomware"},{"font":{"size":11,"color":{"theme":1},"name":"Aptos Narrow"},"text":" incident on 09/14/2025 disrupting daily operations; systems were disconnected from the internet, authorities notified, and recovery underway; no attribution or data-theft confirmation yet."}]}
Uvalde Consolidated Independent School District
September 13, 2025
•[ ransomware, malware, education ]
Ransomware detected on UCISD servers led to cancellation of most/all classes the week of Sept. 15; investigation and recovery continued, with essential safety/operations systems disrupted; classes to resume Sept. 22; district reports no data breach
Ministry of Economy and Finance of Panama
September 11, 2025
•[ ransomware, malware, government ]
MEF reported a malware incident on one workstation and containment with no impact to core platforms; INC Ransom simultaneously claimed an intrusion and >1.5 TB data theft with proof-of-hack samples. Extent of breach remains unconfirmed.
Unnamed European DDoS mitigation
September 10, 2025
•[ hack, ddos, malware ]
{"richText":[{"font":{"size":11,"color":{"theme":1},"name":"Aptos Narrow"},"text":"A massive DDoS (UDP packet flood) reached "},{"font":{"bold":true,"size":11,"color":{"theme":1},"name":"Aptos Narrow"},"text":"1.5 Bpps"},{"font":{"size":11,"color":{"theme":1},"name":"Aptos Narrow"},"text":" against an unnamed European DDoS-scrubbing provider; traffic originated from IoT/MikroTik botnets spanning thousands of networks; "},{"font":{"bold":true,"size":11,"color":{"theme":1},"name":"Aptos Narrow"},"text":"FastNetMon"},{"font":{"size":11,"color":{"theme":1},"name":"Aptos Narrow"},"text":" mitigated the attack; no data theft reported."}]}
Indian Hotels Company Limited
September 5, 2025
•[ hack, malware ]
Indian Hotels Company Limited (IHCL) reports malware incident, taking immediate action to secure systems and monitoring the situation closely.
KakaoTalk account of a South Korea–based counselor
September 5, 2025
•[ spear-phishing, malware, credential theft ]
According to research by Genians reported by BleepingComputer, a North Korean activity cluster linked to APT37 and KONNI targets South Koreans via spear-phishing emails that spoof national agencies and deliver signed MSI installers. Once executed, the chain installs a remote access toolkit that steals Google and Naver account credentials, giving attackers full
Farmácia Moniz Silva
September 2, 2025
•[ ransomware, malware, healthcare ]
Ransomware group Qilin claimed responsibility for a September 2025 attack on Farmcia Moniz Silva, a pharmacy located in Luanda, Angola. The group listed the victim on its data-leak site, consistent with broader Qilin activity against healthcare organizations. No confirmation from the victim or Angolan CERT was available.
