Svoboda Cybersecurity Brief October 23, 2025
Iranian MuddyWater APT Targets Over 100 Government Entities
Iranian state-sponsored hackers MuddyWater targeted over 100 government entities using phishing emails with malicious Word docs delivering the Phoenix v4 backdoor. The attack used macros to deploy the FakeUpdate loader, stealing sensitive data from victims primarily in the Middle East and North Africa.
Impact: Data exfiltration, unauthorized access to diplomatic and telecom targets.
Mitigation: Disable macros, monitor suspicious email attachments, patch SharePoint vulnerabilities.
Source: BleepingComputer
Conduent Data Breach Exposes PHI of 462K Blue Cross Members
Protected health information (PHI) of 462,000 Blue Cross Blue Shield of Montana members was exposed due to Conduent’s cyberattack between Oct 2024-Jan 2025, including SSNs and medical records. BHCSMT faces scrutiny for delayed breach notifications under HIPAA and Montana law.
Impact: Sensitive health data exposed, potential identity theft.
Mitigation: Enforce stricter third-party vendor audits, accelerate breach disclosure timelines.
Source: DataBreaches.net
Critical Adobe Magento “SessionReaper” Exploited Actively
Hackers are exploiting CVE-2025-54236, a critical Magento/Adobe Commerce flaw, allowing session hijacking via REST API vulnerabilities. Over 250 attacks were blocked in a single day targeting unpatched e-commerce sites (~62% still vulnerable).
Impact: Account takeover, unauthorized admin access.
Mitigation: Apply Adobe’s emergency patch (versions 2.4.9-alpha2 and later), disable unused API endpoints.
Source: BleepingComputer
TARmageddon Flaw in Rust’s Async-Tar Enables RCE Attacks
A desynchronization flaw (CVE-2025-62518) in the abandoned Rust library async-tar (and forks such as tokio-tar) allows attackers to inject malicious TAR entries during extraction, leading to file overwrites and RCE. Projects such as wasmCloud and testcontainers are affected.
Impact: Supply chain attacks, arbitrary code execution.
Mitigation: Migrate to patched forks (e.g., astral-tokio-tar v0.5.6), validate TAR headers.
Source: BleepingComputer
PhantomCaptcha Targets Ukraine War Relief Groups
A spearphishing campaign impersonating Ukraine’s President’s Office deployed a WebSocket RAT via fake Zoom invites and Cloudflare CAPTCHA lures. Attackers stole data from NGOs (Red Cross, UNICEF) and Ukrainian regional governments.
Impact: Credential theft, remote command execution.
Mitigation: Train staff on ClickFix tactics, block suspicious WebSocket connections.
Source: TheHackerNews
Chinese APTs Exploit SharePoint’s ToolShell Flaw Post-Patch
Chinese groups (Linen Typhoon, Violet Typhoon) exploited CVE-2025-53770 in SharePoint to breach telecom, govt, and university targets weeks after Microsoft’s July patch. Attackers deployed Zingdoor backdoor and ShadowPad malware.
Impact: Lateral movement, data exfiltration.
Mitigation: Patch SharePoint immediately, monitor for webshell deployments.
Source: SecurityWeek
TP-Link Omada Gateways Hit by Critical RCE Vulnerabilities
TP-Link patched four flaws in Omada gateways, including CVE-2025-6542 (CVSS 9.3), covering unauthenticated RCE and privilege escalation bugs affecting ER/G/FR-series devices.
Impact: Full device compromise.
Mitigation: Update firmware urgently, restrict gateway admin access.
Source: TheHackerNews
PassiveNeuron APT Uses Neursite Backdoor Against Govt Targets
A highly sophisticated APT campaign (PassiveNeuron) deployed C++ backdoor Neursite and .NET malware NeuralExecutor targeting Asian/African govts via MSSQL exploits. Attacked servers acted as C2 proxies.
Impact: Long-term espionage, data theft.
Mitigation: Harden MSSQL servers, monitor DLL sideloading.
Source: TheHackerNews
Fake Nethereum NuGet Package Steals Crypto Wallet Keys
A malicious NuGet package (Netherеum.All) used Cyrillic homoglyphs to impersonate Nethereum, stealing wallet keys via a C2 server (solananetworkinstance[.]info).
Impact: Cryptocurrency theft.
Mitigation: Scan for homoglyph packages, enforce package signing.
Source: TheHackerNews
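The homoglyph check suggested in the mitigation above, as an added example that is not part of the original brief: it flags any character outside the plain-ASCII identifier set, maps a small constructed table of Cyrillic look-alikes back to Latin, and compares the result against a trusted package list. The sample id reproduces the page's spelling on the assumption that the substituted letter is Cyrillic U+0435.

```python
import unicodedata

# Constructed subset of Cyrillic letters that render like Latin letters.
# Not an exhaustive confusables table; extend for production use.
CYRILLIC_TO_LATIN = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M",
    "\u041d": "H", "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T",
    "\u0425": "X",
}

# Characters a legitimate NuGet package id is expected to use.
ALLOWED_ASCII = set(
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-"
)


def find_homoglyphs(package_id):
    """Return (index, char, codepoint, unicode name) for every character
    outside the plain-ASCII identifier set. Empty list means nothing to flag."""
    findings = []
    for i, ch in enumerate(package_id):
        if ch not in ALLOWED_ASCII:
            findings.append((i, ch, ord(ch), unicodedata.name(ch, "UNKNOWN")))
    return findings


def skeleton(package_id):
    """Map look-alike Cyrillic letters to their Latin counterparts so the id
    can be compared against a trusted package list."""
    return "".join(CYRILLIC_TO_LATIN.get(ch, ch) for ch in package_id)


def check_package(package_id, trusted_ids):
    """Classify an id: 'ok' (exact trusted match), 'ascii-unlisted' (plain
    ASCII, not trusted), 'lookalike' (skeleton matches a trusted id) or
    'non-ascii' (unexpected characters, no trusted match)."""
    if package_id in trusted_ids:
        return "ok"
    if not find_homoglyphs(package_id):
        return "ascii-unlisted"
    return "lookalike" if skeleton(package_id) in trusted_ids else "non-ascii"


if __name__ == "__main__":
    # Constructed sample: "Nethereum.All" with the second 'e' as Cyrillic U+0435.
    suspicious = "Nether\u0435um.All"
    for hit in find_homoglyphs(suspicious):
        print(hit)  # (6, 'е', 1077, 'CYRILLIC SMALL LETTER IE')
    print(check_package(suspicious, {"Nethereum.All"}))  # lookalike
```

Run the same check over a lock file or packages.config before restore to catch substitutions that a human reviewer will not see.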
NY DFS Issues Third-Party Cybersecurity Guidelines
NY’s Department of Financial Services released guidance urging regulated entities to audit third-party service providers (TPSPs) for cyber risks, emphasizing accountability under existing DFS rules.
Source: DataBreaches.net