Threat Intelligence RoundUp: October

November 03, 2025

Our analyst team shares a few articles each week in our email newsletter, which goes out every Thursday. Make sure to register! This blog highlights those articles in order of how popular they were in our newsletter – what our readers found most intriguing. Stay tuned for a recap every month. We hope sharing these resources and news articles emphasizes the importance of cybersecurity and sheds light on the latest in threat intelligence.

1. Medusa Ransomware Claims Comcast Data Breach, Demands $1.2M – HackRead

On September 26, Medusa’s dark web site claimed to have exfiltrated 834.4 gigabytes of data, and the group is demanding $1.2 million from interested buyers to download it. To support the claim, the group uploaded 20 screenshots showing alleged internal data; in one exposed directory, the information appeared to be HR folders containing personnel records. Medusa is a known aggressive ransomware group that compromised over 300 organizations between 2021 and 2024. The group typically gains access through social engineering such as phishing emails, exploitation of vulnerabilities, or purchased stolen credentials. Once it has acquired data, it uses double extortion to pressure victims into paying the ransom.

2. US seizes $15 billion in crypto from ‘pig butchering’ kingpin – Bleeping Computer

The Department of Justice (DOJ) has seized $15 billion worth of Bitcoin from the Cambodian Prince Group, a criminal organization known for orchestrating large-scale cryptocurrency scams, primarily romance-baiting and ‘pig butchering’ schemes. Unsealed court documents revealed that the group operates over 100 shell and holding companies across 30 countries and has been extorting countless victims since 2015. The group also runs automated call centers, staffed by workers who were allegedly forced to work under the threat of violence; the DOJ called the centers “violent forced labor camps”.

Discord user chaos_00019 has used the malware ChaosBot to gain access to other users’ systems and networks. According to researchers, “ChaosBot is noteworthy for its abuse of Discord for command-and-control (C2)”. The malware was distributed through phishing messages carrying a malicious Windows shortcut file; opening the file runs a PowerShell command that downloads and executes ChaosBot. A decoy PDF disguised as legitimate correspondence from the State Bank of Vietnam is displayed as a distraction.

“Scattered Lapsus$ Hunters” has launched a new data leak site extorting 39 companies impacted by the Salesforce breaches. The companies listed on the site include Disney/Hulu, FedEx, Google, McDonald’s and more. A separate entry on the site demands that Salesforce pay a ransom to prevent the release of impacted customers’ data (approximately 1 billion records containing personal information). Salesforce has released a statement: “Our findings indicate these attempts relate to past or unsubstantiated incidents, and we remain engaged with affected customers to provide support.”

5. Active Exploits Hit Dassault and XWiki — CISA Confirms Critical Flaws Under Attack – The Hacker News

On October 28, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) listed three new vulnerabilities affecting Dassault Systèmes DELMIA Apriso and XWiki as under active exploitation. The vulnerabilities, CVE-2025-6204, CVE-2025-6205, and CVE-2025-24893, allow threat actors to execute arbitrary code and gain access to the applications. Both CVE-2025-6204 and CVE-2025-6205 affect versions of DELMIA Apriso dating back to 2020. Chained together, they allow the creation of accounts with elevated privileges and the placement of executable files into a web-served directory, resulting in complete compromise of the application. CVE-2025-24893 has been exploited against XWiki since March in a two-stage attack chain that delivers a cryptocurrency miner.

6. Have I Been Pwned: Prosper data breach impacts 17.6 million accounts – Bleeping Computer

In September, Prosper, a peer-to-peer lending marketplace, announced it had detected a breach in which hackers gained access to customer accounts and funds. Have I Been Pwned has since announced that 17.6 million unique email addresses were affected by the incident. The company’s statement said that “confidential, proprietary, and personal information, including Social Security Numbers, was obtained”. The company will offer free credit monitoring while it determines what data was affected. How the data was obtained, and what the company is doing to prevent future leaks, have not been disclosed.

7. Researchers Identify PassiveNeuron APT Using Neursite and NeuralExecutor Malware – The Hacker News

The malware campaign dubbed PassiveNeuron was first flagged in November 2024 for targeting government, financial, and industrial organizations in Asia, Africa, and Latin America using a variety of methods. In one incident, the threat actors gained initial access by executing remote commands on a compromised Windows Server machine through Microsoft SQL Server. The exact method is unknown, but the attackers may have brute-forced the administrator account password or leveraged a SQL injection flaw in an application running on the server.

8. BatShadow Group Uses New Go-Based ‘Vampire Bot’ Malware to Hunt Job Seekers – The Hacker News

BatShadow, a Vietnamese threat actor, is using a new social engineering tactic to deliver a malware called Vampire Bot to job seekers and digital marketing professionals. Posing as recruiters, the attackers distribute malicious files disguised as job descriptions and corporate documents. Victims who click the link in the lure PDF to “preview” the job description are taken to a landing page that displays a fake error saying the browser is unsupported; after multiple attempts, the error page triggers an automatic ZIP download containing the supposed job description and a malicious executable named Marriott_Marketing_Job_Description.pdf.exe (the file mimics a PDF by inserting extra spaces between “.pdf” and “.exe”).
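As an added example (not code from the article or from the researchers it cites), here is a small Python check that flags archive entries using the whitespace-padded double-extension trick described above; the extension lists, the sample ZIP and its placeholder file contents are constructed for the demo.

```python
import io
import re
import zipfile
from typing import List, Optional, Tuple

# Extensions Windows will execute regardless of what precedes them (constructed list).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "lnk", "msi", "hta"}
# Document/image extensions commonly shown as the visible decoy (constructed list).
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}

# <basename>.<decoy ext><optional whitespace padding>.<real ext>
DOUBLE_EXT = re.compile(
    r"\.(?P<decoy>[A-Za-z0-9]{1,5})"             # extension the victim is meant to see
    r"(?P<pad>[\s\u00a0\u2000-\u200b\u3000]*)"  # padding that pushes the real extension out of view
    r"\.(?P<real>[A-Za-z0-9]{1,4})$"             # extension the OS actually honours
)


def check_filename(name: str) -> Optional[str]:
    """Return a reason string if the name looks like a disguised executable, else None."""
    m = DOUBLE_EXT.search(name)
    if not m:
        return None
    decoy, pad, real = m.group("decoy").lower(), m.group("pad"), m.group("real").lower()
    if real not in EXECUTABLE_EXTS or decoy not in DECOY_EXTS:
        return None  # e.g. archive.tar.gz is a benign double extension
    if pad:
        return f"decoy .{decoy} padded with {len(pad)} whitespace char(s) before .{real}"
    return f"double extension .{decoy}.{real}"


def scan_zip_bytes(data: bytes) -> List[Tuple[str, str]]:
    """Scan every entry name in a ZIP held in memory and return (name, reason) hits."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [(n, r) for n in zf.namelist() if (r := check_filename(n)) is not None]


def build_sample_zip() -> bytes:
    """Constructed sample archive mimicking the lure: padded .pdf .exe, a real PDF, a .txt.bat."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Marriott_Marketing_Job_Description.pdf" + " " * 40 + ".exe", b"MZ placeholder")
        zf.writestr("Job_Description.pdf", b"%PDF-1.4 placeholder")
        zf.writestr("notes.txt.bat", b"@echo off")
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in scan_zip_bytes(build_sample_zip()):
        print(f"SUSPICIOUS: {name!r}: {reason}")
```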


Copyright © 2024 DarkOwl, LLC All rights reserved.
DarkOwl is a Denver-based company that provides the world’s largest index of darknet content and the tools to efficiently find leaked or otherwise compromised sensitive data. We shorten the timeframe to detection of compromised data on the darknet, empowering organizations to swiftly detect security gaps and mitigate damage prior to misuse of their data.