October 6, 2025 Cyber Threat Intelligence Briefing

Oct 6, 2025

This week’s briefing covers:

00:00 – Intro

00:45 [RANSOMWARE] KTA243 Group Now Host Data Leak Site Targeting Salesforce Customers
The group Kroll tracks as the KTA243 intrusion set, which goes by the moniker ‘Shiny LAPSUS$ Hunters’, has launched a ransom extortion site on both the clearweb and Tor.

02:09 [RANSOMWARE] Cl0p (KTA080) Reported to Have Attacked Oracle E-Business Suite Systems, Targeting Execs with Ransom Demands.
Organizations running Oracle E-Business Suite (EBS) are being targeted with spear-phishing emails claiming theft of sensitive ERP data.

04:47 [THREAT ACTOR ACTIVITY] Red Hat GitLab Breach
Red Hat has reported that it has detected unauthorized access to a GitLab instance used for internal Red Hat Consulting collaboration. It notes that it launched an investigation and found that an unauthorized third party had accessed and copied data from the instance.

06:52 [VULNERABILITIES] Broadcom VMware Exploited in Wild
Broadcom has released a series of updates to VMware and related products, which include fixes for the vulnerabilities CVE-2025-41244, CVE-2025-41245 and CVE-2025-41246.

07:41 [CAMPAIGN] KTA260 (COLDRIVER) Again Leverages ClickFix Tactics in New Campaign
Libraesva has released an update to its email security gateway (ESG) to patch a vulnerability (CVE-2025-59689) that allowed attackers to craft compressed attachments that executed arbitrary commands as a non-privileged user.

09:03 [CAMPAIGN] AI-Generated Phishing Payload for Credential Harvesting
Microsoft Threat Intelligence has reported on a phishing campaign it assesses as likely using AI-generated code for obfuscation and defense evasion, adding to the evidence that AI is lowering the barrier to entry for social engineering campaigns.

10:51 [THREAT ACTOR ACTIVITY] Chinese Nexus APT and the Discovery of the NET-STAR Malware Suite
Researchers at Unit 42 have documented Phantom Taurus, tracked by Kroll as KTA516, as a Chinese nexus APT that has quietly operated for years, primarily targeting government and telecommunications sectors.

12:29 [RANSOMWARE] KTA253 (AKIRA Ransomware) Exploits SonicWall VPNs
The AKIRA ransomware group is running a broad, opportunistic campaign targeting SonicWall firewall customers.

Dive deeper:

Kroll’s Monthly Threat Intelligence Spotlight Report: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports/cti-spotlight-trends-report

Kroll’s Q3 2024 Threat Landscape Report: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports/q3-2023-threat-landscape-report-social-engineering

Playlist of Kroll's Weekly Cyber Threat Intelligence Briefings: Cyber Threat Intelligence Briefings

Kroll Cyber Blog: https://www.kroll.com/en/insights/publications/cyber

Kroll Cyber Threat Intelligence: https://www.kroll.com/en/services/cyber-risk/managed-security/threat-intelligence-services

Kroll Threat Intelligence Reports: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports

Kroll Responder MDR: https://www.kroll.com/en/services/cyber-risk/managed-security/kroll-responder

#krollcyber #threatintelligence #cyberthreats