
Daily Cybersecurity Roundup, November 17, 2025

Just when you think the dragon is asleep, it breathes fire again, and DragonBreath APT proved it by unleashing RONINGLOADER to slip in an upgraded gh0st RAT while quietly disabling Windows Defender through PPL abuse. Meanwhile, macOS users face growing risks with the emergence of DigitStealer, an advanced infostealer engineered to target Apple Silicon devices while evading virtual machines and older Mac models. Adding to the broader threat landscape, phishing campaigns in October 2025 most commonly delivered Trojans—accounting for 47% of malicious attachments. Continue reading for more cybersecurity updates.

01

DragonBreath APT group has been found using RONINGLOADER, a sophisticated multi-stage malware loader, to deploy an updated gh0st RAT variant while disabling Windows Defender through Protected Process Light (PPL) abuse.

02

The new macOS infostealer DigitStealer employs advanced techniques to target specific Apple Silicon systems, avoids virtual machines and older Macs, and uses legitimate services like Cloudflare for hosting payloads.

03

Researchers identified over 150,000 malicious packages in the npm registry associated with a token farming campaign that exploits tea.xyz blockchain rewards through automated package generation and dependency chains.

04

A suspicious email carrying a fake invoice attachment was found to deliver the Backdoor.XWorm RAT; the attachment bypasses modern security filters and executes a fileless attack that grants attackers full control of the victim's computer.

05

Threat actors are abusing the decades-old "Finger" command, a protocol originally designed for querying user information, in ClickFix malware attacks to retrieve and execute remote commands on Windows devices.

06

The most common type of threat in phishing email attachments in October 2025 was Trojans (47%), which often disguise themselves with double extensions or deceptive file names.
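The double-extension disguise mentioned above ("invoice.pdf.exe" and similar) is cheap to flag at the mail gateway or in an attachment-triage script. The following is an added example, not code from the roundup or from the research it summarises: a small Python classifier over attachment filenames. The extension lists, the sample filenames and the padding/right-to-left-override checks are my own assumptions and go slightly beyond the page's explicit mention of double extensions; tune the lists to your environment.

```python
import re

# Extensions Windows will execute when the user double-clicks the file.
# Assumed list for this example; extend it for your environment.
EXECUTABLE_EXTS = {
    "exe", "scr", "pif", "com", "bat", "cmd", "js", "jse",
    "vbs", "vbe", "wsf", "hta", "msi", "lnk", "ps1",
}

# Extensions a recipient expects on a harmless document or picture. A name that
# shows one of these but ends in an executable extension is the classic disguise.
DOCUMENT_EXTS = {
    "pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx",
    "txt", "jpg", "jpeg", "png", "zip",
}

# Constructed sample attachment names (not from the page) used by the demo below.
SAMPLE_ATTACHMENTS = [
    "Q3_report.docx",                       # benign
    "invoice_2025-10.pdf.exe",              # double extension
    "photo.jpg                          .scr",  # padded to push the real extension out of view
    "setup.exe",                            # plain executable, no disguise
    "invoice\u202efdp.exe",                 # right-to-left override makes it render as "invoiceexe.pdf"
]


def classify_attachment_name(name: str) -> list:
    """Return the reasons a filename looks deceptive; an empty list means nothing flagged."""
    reasons = []

    # Split on dots and strip whitespace so "jpg   " still compares equal to "jpg".
    parts = [p.strip().lower() for p in name.split(".")]
    if len(parts) < 2:
        return reasons  # no extension at all; nothing to judge here

    final_ext = parts[-1]
    inner_exts = parts[1:-1]

    if final_ext in EXECUTABLE_EXTS:
        reasons.append(f"executable attachment (.{final_ext})")

    # Double extension: a document-looking extension hidden in front of an executable one.
    if final_ext in EXECUTABLE_EXTS and any(e in DOCUMENT_EXTS for e in inner_exts):
        reasons.append(f"double extension: shown as .{inner_exts[-1]} but runs as .{final_ext}")

    # Long run of spaces or underscores before the real extension, so narrow
    # file-name columns display only the harmless-looking prefix.
    if re.search(r"[ _]{8,}\.\w+$", name):
        reasons.append("padded name hides real extension")

    # U+202E (right-to-left override) reverses how the tail of the name is displayed.
    if "\u202e" in name:
        reasons.append("right-to-left override character in name")

    return reasons


def flag_attachments(names) -> dict:
    """Map each suspicious filename to its list of reasons; clean names are omitted."""
    return {n: r for n in names if (r := classify_attachment_name(n))}


if __name__ == "__main__":
    for name, reasons in flag_attachments(SAMPLE_ATTACHMENTS).items():
        print(repr(name))
        for reason in reasons:
            print("   -", reason)
```

Running the block prints every flagged sample with its reasons; `Q3_report.docx` is the only name that stays silent. In a real pipeline `classify_attachment_name` would feed a quarantine or alert decision rather than a print loop.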

07

Cursor’s new browser is vulnerable to malicious MCP server attacks due to missing integrity checks, allowing JavaScript injection that hijacks internal features, steals credentials, and compromises workstations.

08

NVIDIA has released urgent security patches for its NeMo Framework to address two high-severity vulnerabilities (CVE-2025-23361 and CVE-2025-33178) that could enable code injection and privilege escalation attacks.

09

Cisco has disclosed critical vulnerabilities in its Unified Contact Center Express (Unified CCX) systems that could allow remote attackers to execute arbitrary commands, escalate privileges to root, and bypass authentication mechanisms.

10

Hackers are globally exploiting the critical XWiki vulnerability (CVE-2025-24893) for botnets, cryptocurrency mining, and malware deployment, with the RondoDox botnet integrating this vulnerability into its toolkit and escalating attacks since early November 2025.
