Svoboda Cybersecurity Brief October 10, 2025
BreachForums Seized Again by International Law Enforcement
The notorious cybercrime forum BreachForums was seized by law enforcement agencies including the FBI and French authorities (BL2C, JUNALCO). The clear-net domain was taken down, but the Tor-based leak site remains operational, threatening to release data from 39 Salesforce customers unless a ransom is paid by October 10.
Source: DataBreaches
SonicWall Confirms Full Cloud Backup Compromise Exposing Firewall Configs
SonicWall disclosed that all customers using its cloud backup service had firewall configuration files accessed by hackers. The files contain encrypted credentials and network rules, raising risks of targeted attacks. Mandiant assisted in the investigation.
Impact: Potential exploitation of customer networks if decryption is achieved.
Mitigation: Reset credentials, audit firewalls, and monitor for suspicious activity.
Source: SecurityWeek
Discord Admits 70K Government IDs Exposed in Third-Party Breach
Discord confirmed that a breach at a third-party customer support vendor (Zendesk) exposed 70,000 government ID photos used for age verification. The attackers claim to have stolen 1.5 TB of data, including payment details, but Discord disputes the scale.
Source: The Hacker News
Storm-2657 Targets Universities in Payroll Hijacking Campaign
Microsoft tracked Storm-2657 compromising Workday accounts at 11 universities to divert payroll payments. The group used phishing emails (e.g., fake campus alerts) and bypassed MFA via adversary-in-the-middle (AiTM) attacks.
Impact: Financial theft and persistent access via compromised SSO.
Mitigation: Enforce phishing-resistant MFA and monitor inbox rules for tampering.
Source: BleepingComputer
ClayRat Spyware Masquerades as WhatsApp, TikTok on Android
A new Android spyware, ClayRat, spreads via Telegram and fake app stores, stealing SMS messages and call logs and gaining access to the camera. Over 600 samples were detected, using session-based installation to bypass Android 13+ restrictions on sideloaded apps.
Impact: Full device compromise and contact list propagation.
Mitigation: Disable sideloading and use Play Protect.
Source: Zimperium
RondoDox Botnet Exploits 56 Vulnerabilities in Global Attacks
The RondoDox botnet targets DVRs, routers, and other network devices using 56 n-day vulnerabilities, including flaws first demonstrated at Pwn2Own. It employs an “exploit shotgun” approach, firing many exploits at each target, for mass infection.
Impact: Device takeover and potential DDoS/backdoor access.
Mitigation: Patch firmware and segment IoT networks.
Source: Trend Micro
Chinese Hackers Abuse Velociraptor DFIR Tool in Ransomware Attacks
The Storm-2603 group (linked to China) used an outdated Velociraptor build (v0.73.4.0) affected by CVE-2025-6264 to deploy LockBit and Babuk ransomware. The tool provided persistent access after the initial compromise.
Impact: Data encryption and exfiltration.
Mitigation: Update Velociraptor and restrict admin account creation.
Source: Cisco Talos
California Enforces 30-Day Deadline for Breach Notifications
California’s SB 446 mandates 30-day consumer notifications and 15-day AG alerts for breaches affecting 500+ residents, effective January 2026. Delays are allowed only for law enforcement needs.
Source: DataBreaches
UTA0388 Deploys GOVERSHELL Malware via Phishing Campaigns
A China-aligned group, UTA0388, used spear-phishing to deliver GOVERSHELL, a Go-based backdoor. The campaigns leveraged fake organizations and abused platforms such as Netlify and OneDrive for hosting.
Impact: Remote command execution and data theft.
Mitigation: Block suspicious cloud storage links and monitor DLL sideloading.
Source: Volexity
WordPress Service Finder Theme Exploited for Admin Takeovers
Attackers are exploiting CVE-2025-5947 (CVSS 9.8) in the Service Finder theme to bypass authentication and hijack sites. Over 13,800 attacks have been observed since August 2025.
Impact: Full site compromise and malware injection.
Mitigation: Update to version 6.1+.
Source: Wordfence