At least one LastPass user
October 24, 2025
•[ phishing, credential theft, account takeover ]
Phishing emails impersonated password-vault Emergency Access notices using false death claims to coerce replies (e.g., STOP), pivoting victims to a look-alike portal tied to CryptoChameleon infrastructure; harvested credentials enabled vault takeover attempts and secondary account compromise. Campaign reflects profit-seeking credential theft across many individuals rather than a single named organization.
At least one undisclosed Ukraine war-relief organization
October 22, 2025
•[ phishing, credential theft, malware ]
Targeted credential-theft/implant delivery against humanitarian and logistics organizations aiding Ukraine using well-crafted lures, HTML smuggling, and compartmentalized infrastructure. Intent is intelligence collection; campaign report covers multiple organizations without a single verified primary effect to code as an event.
Serbian Civil Aviation Directorate
October 17, 2025
•[ cyber-espionage, phishing, malware ]
A cyber-espionage campaign linked to suspected Chinese threat actors compromised application servers at Serbias Civil Aviation Directorate. Attackers used phishing emails to deploy Sogu, PlugX, and Korplug malware, gaining persistent access for intelligence collection. No operational disruption was reported.
Zerodha
October 15, 2025
•[ phishing, account compromise ]
Economic Times details Kamaths brief X account compromise after clicking phishing email
Multiple compromised email accounts at second undisclosed US university
October 9, 2025
•[ phishing ]
Credential-phishing campaign diverting university employee salary payments via third-party platforms.
Multiple compromised email accounts at third undisclosed US university
October 9, 2025
•[ phishing, data leak ]
Credential-phishing on university payroll platforms diverted salary payments.
Chipotle Mexican Grill, Inc.
October 9, 2025
•[ phishing, social engineering, data leak ]
Chipotle Mexican Grill disclosed unauthorized access to employee Workday payroll accounts between October 9 and October 26, 2025. Attackers used phishing and social engineering to access accounts and alter payroll information. State breach notices identified 31 affected employees in Maine and 2 in New Hampshire; the company has not disclosed a nationwide total, and state figures represent only partial reporting.
PTOE Corporation
October 7, 2025
•[ website defacement, malware, phishing ]
Company confirmed official website was replaced and redirected to a fraudulent Chinese shopping site serving malware.
Sunweb Group
October 7, 2025
•[ data leak, phishing ]
Data breach exposed customer contact and booking details; agency warned customers to stay vigilant.
Western Sydney University
October 6, 2025
•[ phishing ]
Mass fraudulent emails to students/alumni claiming degree revocation; university says messages were not legitimate.
My ServiceOttawa
October 3, 2025
•[ data leak, phishing ]
On 3 October 2025 a My ServiceOttawa account using an automated bot exploited a bug in the service request lookup tool, allowing it to pull details of other residents service requests when a valid request number was supplied. The City of Ottawa says the breach was limited to email and postal addresses tied to about 2,454 service requests and did not include financial information, passwords or other sensitive data. The city immediately blocked the bot, patched the application, identified all potentially affected records and began notifying impacted residents with advice on spotting phishing or misuse of their contact details.
BNB Chain
October 1, 2025
•[ phishing ]
BNB Chains X account was hijacked and used to post phishing links; control was restored and malicious posts removed; no data theft reported.
WhatsApp users in Bijnor, Uttar Pradesh
October 1, 2025
•[ malware, phishing, data leak ]
Several WhatsApp users in Bijnor, Uttar Pradesh had their Android phones compromised after downloading a fake wedding invitation via WhatsApp. The malware granted remote access, exposing personal messages, photos, and financial app data. Victims filed complaints with the Bijnor Cyber Crime Police Station; authorities believe multiple individuals across the district were affected.
Anne Helen Petersen's Substack account
October 1, 2025
•[ phishing, account takeover, impersonation ]
Former Buzzfeed journalist Anne Helen Petersen received a phishing email that imitated a security alert from Substack, warning that her ability to send emails would be frozen unless she verified her account. After she responded, attackers captured her credentials and gained unauthorized access to her Culture Study Substack newsletter and podcast account, which has more than 25,000 followers. The intruders changed the newsletters name to impersonate cryptocurrency wallet company Trezor and added thousands of new email addresses to the mailing list, hijacking her distribution channel to push a crypto-related scam through her audience.
Undisclosed Uzbekistan organization
October 1, 2025
•[ nation-state, phishing, malware ]
A nation-state actor known as Bloody Wolf expanded operations to Uzbekistan using geofenced spearphishing delivering malicious JAR loaders that installed NetSupport RAT for persistent access; no data theft was reported.
At least one official in Ukraine's Defense Forces
October 1, 2025
•[ phishing, malware, backdoor ]
BleepingComputer reported that officials of Ukraines Defense Forces were targeted in a charity-themed operation between October and December 2025 that delivered a backdoor malware family called PluggyApe. CERT-UA assessed the activity as likely linked to the Russian-aligned threat group known as Void Blizzard (also referred to as Laundry Bear), with medium confidence in attribution. The infection chain described begins with instant messages over Signal or WhatsApp directing targets to a purported charity website and prompting them to download a password-protected archive containing documents, which then leads to backdoor execution and follow-on access for information theft. The report focuses on the campaigns TTPs and targeting rather than publishing a confirmed list of compromised entities.
Substack
October 1, 2025
•[ phishing, data leak, unauthorized access ]
Substack notified users of a data breach after it identified evidence on February 3, 2026 that an unauthorized third party accessed limited user data in October 2025. Substack stated that credit card numbers, passwords, and financial information were not accessed. The company did not disclose how access was obtained, but said it fixed the system issue that enabled it and warned users to be cautious of phishing. Reporting cited a database allegedly containing 697,313 records posted to a hacking forum, consistent with exposure of emails, phone numbers, and internal account metadata.
Gulshan Management Services
September 25, 2025
•[ ransomware, phishing, data breach ]
SecurityWeek reported that Gulshan Management Services, associated with Gulshan Enterprises (operator of Handi Plus and Handi Stop locations in Texas), disclosed a ransomware-related data breach affecting more than 377,000 individuals via a filing with the Maine Attorney General. Gulshan detected unauthorized access in late September 2025 after an attacker gained entry through a successful phishing attack and maintained access for about 10 days. During that period, the threat actor stole personal data and then deployed ransomware that encrypted files on Gulshan systems. The compromised personal information was described as including names, contact details, Social Security numbers, and drivers license numbers.
Templeton Properties (Halifax, Nova Scotia)
September 20, 2025
•[ social, phishing ]
An employee at Templeton Properties clicked a phishing email link impersonating an invoice, triggering suspicious activity on company computers. The IT administrator confirmed it was a fraudulent email and contained malicious content. No confirmed data theft was reported.
Undisclosed Hungarian Diplomatic Entities
September 1, 2025
•[ cyber-espionage, phishing, malware ]
China-linked UNC6384 conducted a cyber-espionage campaign beginning Sept 2025 against Hungarian diplomatic entities using EU/NATO-themed phishing emails with malicious .LNK attachments exploiting ZDI-CAN-25373 to deploy PlugX via DLL side-loading. Arctic Wolf Labs attributed the activity to UNC6384.
