Cyber Security Weekly Briefing, 18-24 October
ColdRiver deploys new cyber-espionage campaign after LOSTKEYS exposure
Google's Threat Intelligence Group (GTIG) has identified a new campaign by the Russian group ColdRiver (also tracked as UNC4057, Star Blizzard and Callisto) targeting NATO governments, former diplomats and NGOs. Following the public exposure of the LOSTKEYS malware in May, the group replaced its infrastructure in less than a week and launched a new toolkit centred on the NOROBOT downloader, which uses a CAPTCHA-like decoy to execute malicious files and communicate with C2 servers.
Recent versions split the encryption key into fragments, which complicates forensic analysis. NOROBOT then downloads a PowerShell backdoor called MAYBEROBOT, designed to provide persistent remote control and execute additional payloads.
GTIG notes that ColdRiver alternates between simplifying and complicating the infection chain in order to optimise efficiency and evasion.
Critical AWS failure causes massive global service disruption
An Amazon Web Services (AWS) infrastructure outage affected millions of users and multiple platforms, including Amazon.com, Prime Video, Fortnite, Canva and Perplexity AI. The incident originated in the US-EAST-1 region and was initially attributed to a DNS resolution failure affecting the DynamoDB endpoint.
The failure caused increased latency and error rates in key services, affecting both consumers and the creation of support cases. Although AWS reported a partial recovery after 45 minutes, further issues with its network load balancers prolonged the instability. Impacted services included critical applications such as Roblox, Hulu, Robinhood, Grammarly and the Canvas educational platform, which continued to experience access failures.
AWS said it has implemented additional mitigation measures and continues to work on full restoration and on identifying the root cause of the incident.
Threat actors exploit ToolShell in cyber espionage campaigns
Broadcom has warned that threat actors, including UNC5221 and groups associated with Glowworm, have been actively exploiting the ToolShell remote code execution flaw (CVE-2025-53770, CVSSv3 9.8 according to Microsoft), which affects on-premises SharePoint servers, to gain initial access without authentication.
In campaigns targeting a telecommunications company in the Middle East and government agencies and universities in Africa, South America and the US, attackers deployed tools such as the Zingdoor HTTP backdoor and the ShadowPad modular remote access Trojan, often through DLL sideloading using legitimate binaries to evade detection.
The attack chain also includes the KrustyLoader loader and the use of the PetitPotam exploit (CVE-2021-36942, CVSSv3 7.5 according to Microsoft) to escalate privileges and steal credentials; the primary goal is espionage and the establishment of persistent access. Applying the available patches for ToolShell and the other exploited flaws is recommended.
Oracle releases more than 300 new security patches
Oracle has released its October 2025 Critical Patch Update (CPU), which includes a total of 374 new security patches addressing approximately 260 unique CVEs. More than 230 of these patches fix vulnerabilities that are remotely exploitable without authentication, including a dozen critical flaws such as CVE-2025-6965 and CVE-2025-53037 (CVSSv3 9.8 according to the vendor in both cases).
The most affected product was Oracle Communications, with 73 patches, 47 of which address vulnerabilities remotely exploitable without authentication, followed by Communications Applications (64 patches) and Financial Services Applications (33 patches). Other significantly affected products include Fusion Middleware, Retail Applications and MySQL, with 18 patches each.
The CPU was released after Oracle warned of a zero-day in E-Business Suite that was being actively exploited by an extortion group, although the October advisory does not mention any new vulnerabilities under active exploitation.
PassiveNeuron: global cyber espionage campaign targeting SQL servers
According to Securelist, PassiveNeuron is a cyber-espionage campaign that, between 2024 and 2025, has targeted government, financial and industrial servers in Asia, Africa and Latin America. The attackers often achieve remote code execution by compromising Microsoft SQL servers (via vulnerabilities, SQL injection or credentials) and then attempt to deploy web shells. When blocked, they fall back on a multi-layer chain of DLL loaders to persist and avoid detection. A Dead Drop Resolver (retrieving configuration from files hosted on GitHub) and other techniques typical of Chinese-speaking malware families were used; the attribution, which cannot be fully trusted, points to Chinese actors, and deliberately misleading hints were detected.
Observed defences include the detection of noisy deployment attempts and blocking by EDR; the attackers adapted their techniques to evade them.
This newsletter is one of the deliverables of our Operational and Strategic Intelligence service.