Russian hackers are now using AI to write malware.

Ukraine’s cybersecurity agency says over 3,000 cyberattacks hit in early 2025 — many powered by AI-generated phishing and data-stealing code.

One strain, WRECKSTEEL, was built with AI tools to target state networks.

Full report → https://thehackernews.com/2025/10/from-phishing-to-malware-ai-becomes.html

⚡ Latest ThreatsDay Bulletin Out Now!

Hackers exploit MS Teams + MFA to breach orgs — plus a $2B crypto heist, .LNK malware with PowerShell implants, Autodesk zero-days, and IoT hub exploits.

🔗 Your quick intel brief → https://thehackernews.com/2025/10/threatsday-bulletin-ms-teams-hack-mfa.html

🚨 One stolen token can bypass MFA.

Last year, a single unrotated API key let attackers compromise Cloudflare’s internal systems — even after a full credential reset.

OAuth & API tokens are the new backdoors hiding in plain sight.

How to spot them before attackers do ↓ https://thehackernews.com/2025/10/saas-breaches-start-with-tokens-what.html

🟥 SonicWall breach ALERT!

Hackers accessed cloud-stored firewall backups — about 5% of customers affected.

The files hold encrypted credentials and configs that could help attackers target devices.

Check your MySonicWall portal for impacted devices → https://thehackernews.com/2025/10/hackers-access-sonicwall-cloud-firewall.html

🚨 A new Android spyware is spreading like a worm.

“ClayRat” infects phones, then messages every contact to spread further.

It hides as WhatsApp, YouTube, or Google Photos — even faking Play Store screens.

Full analysis ↓ https://thehackernews.com/2025/10/new-clayrat-spyware-targets-android.html

A China-backed group just turned AI into a cyber weapon.

They’re using it to write phishing emails and build malware — across English, Chinese, and Japanese targets.

The result? A new backdoor called GOVERSHELL spreading via fake research invites.

Read how ↓ https://thehackernews.com/2025/10/from-healthkick-to-govershell-evolution.html

🚨 Google confirms dozens of organizations breached via Oracle E-Business Suite zero-day (CVE-2025-61882).

Attackers exploited the flaw since July 2025, using multi-stage Java implants and extortion tactics.

🔹 Oracle issued an emergency patch Oct 4
🔹 Exploit code is now public — risk rising

🔗 Details: https://thehackernews.com/2025/10/cl0p-linked-hackers-breach-dozens-of.html

🚨 Active zero-day alert: Gladinet’s CentreStack & TrioFox are under live exploitation.

Hackers are chaining two CVEs to pull machine keys and trigger remote code execution — no patch yet.

Admins, disable the temp handler now ↓ https://thehackernews.com/2025/10/from-lfi-to-rce-active-exploitation.html

🚨 Researchers uncovered 175 malicious npm packages used to host phishing redirects — downloaded 26,000+ times.

The campaign, dubbed Beamglea, abused npm + UNPKG to target 135 tech and energy firms worldwide.

No exploit. Just clever infrastructure abuse.

Read → https://thehackernews.com/2025/10/175-malicious-npm-packages-with-26000.html

⚠️ A zero-day in GoAnywhere MFT has been actively exploited since Sept 11.

Attackers bypassed cryptographic checks — no password, no auth. Microsoft says Storm-1175 used it to drop Medusa ransomware.

Full timeline + exploit details ↓ https://thehackernews.com/2025/10/from-detection-to-patch-fortra-reveals.html

🔴 ALERT: Your next “HR alert” email might not be from HR.

Storm-2657 is phishing employees, taking over Workday accounts, and swapping bank details to steal salaries — no malware, just manipulation.

Inside Microsoft’s latest findings ↓ https://thehackernews.com/2025/10/microsoft-warns-of-payroll-pirates.html

⚠️ New “Stealit” malware is using Node.js’ experimental SEA feature to slip full payloads into fake game & VPN installers — already spreading via Mediafire and Discord.

Read how → https://thehackernews.com/2025/10/stealit-malware-abuses-nodejs-single.html

🚨 Signal just threatened to leave the EU.

Why? The proposed “Chat Control” law would force apps to scan every private message before it’s sent.

The catch: even encrypted chats would be exposed. Experts call it “mass surveillance in disguise.”

The details you need to see ↓ https://thehackernews.com/2025/10/threatsday-bulletin-ms-teams-hack-mfa.html#opposition-to-e-u-chat-control

🚨 Hackers just turned a DFIR tool into a ransomware weapon.

Storm-2603 hijacked Velociraptor to deploy LockBit, Warlock & Babuk—even creating fake domain admins and disabling defenses.

Details here ↓ https://thehackernews.com/2025/10/hackers-turn-velociraptor-dfir-tool.html

⚠️ Over 100 SonicWall SSL VPN accounts breached — not brute-forced.

Attackers used legit creds and traced back to a single IP.

Even patched devices are falling to Akira ransomware campaigns.

Learn more → https://thehackernews.com/2025/10/experts-warn-of-widespread-sonicwall.html

⚡ Apple’s Siri recordings are under criminal investigation in France.

A whistleblower says they captured “intimate” conversations — enough to identify users.

Apple denies misuse, but prosecutors aren’t convinced.

Read ↓ https://thehackernews.com/2025/10/threatsday-bulletin-ms-teams-hack-mfa.html#france-opens-probe-into-apple-siri-voice-recordings

🐭 A $35 gaming mouse just became a spy tool.

UC Irvine researchers turned its optical sensor into a microphone that steals conversations from air-gapped PCs.

It hides inside legit apps like games. Read the PoC → https://thehackernews.com/2025/10/threatsday-bulletin-ms-teams-hack-mfa.html#mic-e-mouse-attack-for-covert-data-exfiltration

⚠️ WARNING: Oracle just confirmed a new vulnerability (CVE-2025-61884) in E-Business Suite.

No login required. Full data access possible.

Even worse—similar flaws were just exploited by Cl0p-linked actors.

Read the latest news here → https://thehackernews.com/2025/10/new-oracle-e-business-suite-bug-could.html

🚨A new Rust-based backdoor called ChaosBot is hijacking corporate networks — and running its C2 over Discord.

It hides behind Microsoft Edge, abuses service accounts, and even checks for VMware to dodge analysis.

One slip → full network access ↓ https://thehackernews.com/2025/10/new-rust-based-malware-chaosbot-hijacks.html

Hackers just turned GitHub into their command center.

When police take down their servers, the malware just… reboots itself from GitHub.

The twist? It hides configs inside images using steganography. This isn’t a glitch — it’s resilience by design.

Read how it works → https://thehackernews.com/2025/10/astaroth-banking-trojan-abuses-github.html

⚠️ Microsoft just locked down Internet Explorer mode in Edge after real-world zero-day attacks.

Hackers abused the old IE engine (Chakra) to hijack devices — bypassing modern browser defenses.

Full story ↓ https://thehackernews.com/2025/10/microsoft-locks-down-ie-mode-after.html