October 6, 2025
For the latest discoveries in cyber research for the week of 6th October, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
- Red Hat has confirmed a cyber attack that resulted in unauthorized access to one of its GitLab instances. The attackers, Crimson Collective, claim to have stolen approximately 570GB of compressed data. The data includes 28,000 internal repositories, including around 800 Customer Engagement Reports containing sensitive infrastructure and authentication details for notable organizations across multiple sectors.
- Asahi Group Holdings has experienced a cyberattack that disrupted orders, shipments, and call center operations across all its subsidiaries in Japan. Factory production was also suspended. No threat actor has claimed responsibility yet.
- WestJet, the second-largest airline in Canada, has suffered a cyber attack that resulted in the theft of sensitive information belonging to 1.2 million people. The data includes names, addresses, travel documents, government IDs, and more. The attack was attributed to the Scattered Spider cybercrime group.
- The private messaging platform Discord has disclosed a data breach which reportedly stemmed from a compromise of a third-party provider’s Zendesk. The incident led to the theft of personal information from users who interacted with the app’s support and Trust and Safety teams. The attack is attributed to affiliated actors of the Scattered Lapsus$ Hunters group.
- Motility Software Solutions, an American provider of dealer management software, was hit by a ransomware attack, leading to the theft and exposure of files containing sensitive personal data of approximately 766,000 individuals. Information such as full names, addresses, emails, phone numbers, dates of birth, Social Security numbers, and driver’s license numbers was compromised.
- U.K. retailer Harrods has suffered a data breach that resulted in the exposure of 430,000 sensitive e-commerce customer records when hackers compromised a third-party supplier. The leaked data includes names and contact details, but does not contain passwords, payment information, or order histories.
- Shamir Medical Center in Israel has experienced a cyberattack that resulted in the leak of hospital emails containing sensitive patient information. Around 8 terabytes of internal data, patient records, and operational communications were allegedly compromised. The Qilin ransomware group claimed responsibility for the attack, demanding a $700,000 ransom and threatening to release the stolen data if demands were not met. Check Point Threat Emulation and Harmony Endpoint provide protection against this threat (Ransomware.Wins.Qilin.*).
VULNERABILITIES AND PATCHES
- Researchers have disclosed a new vulnerability in VMware Aria Operations, CVE-2025-41244. The local privilege escalation flaw has been actively exploited in the wild since October 2024 by Chinese state-sponsored actors and potentially by other malware. Successful exploitation allows a local non-administrative user on a VM with VMware Tools managed by Aria Operations (with SDMP enabled) to escalate privileges to root.
- A critical privilege escalation vulnerability (CVE-2025-32463) has been disclosed in Linux sudo versions 1.9.14 through 1.9.17, enabling local attackers to execute arbitrary commands as root using the -R (--chroot) option, even if they are not included in the sudoers file. The flaw affects the default sudo configuration and is being actively exploited in the wild with public PoC code available.
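As an added example (not code from the bulletin or from Check Point), the POSIX shell check below reports whether the locally installed sudo falls inside the version range the item above gives for CVE-2025-32463. The function names, the `--check` flag and the `sudo_check.sh` file name are hypothetical; it assumes the range is inclusive and treats a `pN` suffix (e.g. 1.9.16p2) as a fourth version component, so a p-level release above 1.9.17 sorts outside that range.

```shell
#!/bin/sh
# Added example, not code from the bulletin or from Check Point: report whether the
# local sudo falls inside the CVE-2025-32463 range quoted above (1.9.14 through 1.9.17).
# Assumptions: the range is inclusive, and a "pN" suffix (e.g. 1.9.16p2) is a fourth
# version component, so a p-level release above 1.9.17 sorts outside that range.

# Map "MAJOR.MINOR.PATCH[pLEVEL]" to one comparable integer, e.g. 1.9.16p2 -> 1009016002.
version_int() {
    base=${1%%p*}
    plevel=0
    case $1 in *p*) plevel=${1##*p} ;; esac
    major=${base%%.*}
    rest=${base#*.}
    minor=${rest%%.*}
    patch=0
    case $rest in *.*) patch=${rest#*.} ;; esac
    echo $(( major * 1000000000 + minor * 1000000 + patch * 1000 + plevel ))
}

# Exit status 0 when the given version lies inside the affected range, 1 otherwise.
sudo_version_affected() {
    v=$(version_int "$1")
    [ "$v" -ge "$(version_int 1.9.14)" ] && [ "$v" -le "$(version_int 1.9.17)" ]
}

# Read the version from the first line of `sudo --version` ("Sudo version 1.9.16p2").
check_installed_sudo() {
    ver=$(sudo --version 2>/dev/null | sed -n '1s/^Sudo version //p')
    if [ -z "$ver" ]; then
        echo "sudo not found on this host"
        return 2
    fi
    if sudo_version_affected "$ver"; then
        echo "sudo $ver is inside the CVE-2025-32463 affected range: update sudo"
        return 0
    fi
    echo "sudo $ver is outside the affected range"
    return 1
}

# Run the live check only when invoked as: sh sudo_check.sh --check
if [ "${1:-}" = "--check" ]; then
    check_installed_sudo
fi
```

Run it on each host with `sh sudo_check.sh --check`; the exit status (0 affected, 1 not affected, 2 sudo missing) makes it usable from a fleet inventory job.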
- A critical vulnerability, CVE-2025-10035, with a CVSS score of 10.0 has been identified in Fortra’s GoAnywhere MFT, primarily affecting systems with an internet-exposed admin console. The flaw enables unauthorized third-party access and has reportedly been exploited in the wild since at least September 10, 2025, with thousands of file transfer systems potentially at risk. Successful exploitation could lead to significant data theft.
THREAT INTELLIGENCE REPORTS
- Check Point Research has published a Manufacturing Sector Security Report, which highlights a sharp escalation in cyber attacks targeting the manufacturing sector. An average of 1,585 weekly attacks per organization in 2025 marks a 30% increase year over year, with regions like Latin America and APAC most affected. The analysis notes ransomware as the predominant threat, causing significant financial losses and operational disruptions. The report also details how compromised supply chains and state-backed attackers are leading to widespread production halts, intellectual property theft, and cascading risks throughout interconnected manufacturing networks.
- Check Point Research has analyzed significant updates in the Rhadamanthys malware stealer version 0.9.2, detailing its new custom executable formats (XS1_B/XS2_B), expanded configuration and evasion tactics, and changes to mutex and bot ID generation. The latest release introduces features like a backward-incompatible format and string obfuscation, checks using machine-specific identifiers, PNG-based payload delivery, and enhanced module fetching and injection flexibility. Additional components such as browser fingerprinting scripts and a new Lua-based Ledger Live stealer module were also identified, indicating further expansion of Rhadamanthys’ capabilities.
- Check Point Research has uncovered a surge in Amazon Prime Day scams, showing how attackers continue to weaponize urgency and trust. As millions of consumers flock online for deals, attackers launch phishing scams, fake domains, and malicious emails designed to steal Amazon credentials and payment information. One in every 18 new Amazon-related domains registered in September was identified as malicious or suspicious.