Threat
alerts

After a period of silence, the notorious JavaScript-based malware loader Gootloader has resurfaced according to researchers. Known for compromising legitimate websites to poison search engine results (SEO poisoning), the group has returned with a mature, highly specialized criminal supply chain and a suite of new evasion techniques that challenge traditional detection methods.

A critical remote code execution (RCE) vulnerability in Windows Server Update Services (WSUS), tracked as CVE-2025-59287, is under active exploitation. The flaw, caused by an unsafe deserialisation of untrusted data, allows a remote, unauthenticated attacker to gain full NT AUTHORITY\SYSTEM privileges on an affected server. This allows them to push malicious packages disguised as legitimate Microsoft security updates. Worth to note: servers are only vulnerable if the WSUS role is explicitly enabled.

The intrusion into F5's product development environment was allegedly attributed to another suspected China-nexus actor, UNC5221. A threat cluster specialised in long-term cyber espionage missions with a dwell time of approximately 393 days. In 2023, the threat actor UNC5174 was observed actively exploiting a critical N-day vulnerability (CVE-2023-46747) in F5 BIG-IP appliances to gain initial network access.

F5 disclosed a security incident that internal corporate environment had been breached stating that in August 2025 a nation-state threat actor established foothold and maintained long-term, persistent access to specific F5 systems. In previous breaches, threat actor designated UNC5174 leveraged a chain of two vulnerabilities to achieve unauthenticated remote code execution. Their tactics, techniques, and procedures (TTPs) include the deployment of custom, in-memory malware such as the SNOWLIGHT downloader and the GOHEAVY tunneler, which are designed to evade traditional disk-based antivirus and forensic analysis.

The npm ecosystem was subjected to one of its most significant supply chain attacks to date. A threat actor compromised the account of a prolific open-source maintainer and published malicious versions of 18 popular packages, including chalk and debug. These have been detected and removed in several hours from discovery.

CVE-2025-25256 is a critical vulnerability affecting Fortinet’s FortiSIEM that allows a remote attacker to execute arbitrary commands on a target FortiSIEM appliance. Crucially, this attack requires no authentication credentials and no interaction from a legitimate user. Fortinet’s official advisory confirmed that exploit has been seen in the wild. Threat actors are actively mapping potential targets and are pre-positioned to exploit this new vulnerability on a mass scale.

A widespread phishing campaign is utilising Microsoft’s own infrastructure through Direct Send. The feature is designed to provide a simple method for on-premises devices and applications to send emails to recipients within the organisation.

A widespread attack campaign, dubbed “ToolShell,” is actively exploiting a critical zero-day vulnerability in on-premises Microsoft SharePoint Server installations. The vulnerability, tracked as CVE-2025-53770, enables unauthenticated remote code execution (RCE), and allows an attacker to gain complete control of a vulnerable server over the network without requiring any form of authentication or user interaction. Patching alone will not remove the attacker’s access, therefore it is imperative that after applying the emergency security updates, administrators perform a mandatory rotation of the SharePoint MachineKey across all servers in the farm.

A critical, unauthenticated SQL injection vulnerability, identified as CVE-2025-25257, has been disclosed in multiple versions of Fortinet’s FortiWeb Web Application Firewall (WAF). The vulnerability allows for the execution of arbitrary SQL commands, which can be escalated to achieve remote code execution (RCE) with the highest possible system privileges (root) on the underlying appliance operating system.