Anomali Cyber Watch: Oracle E-Business Suite Zero-Day, Vampire Bot Malware, XWorm 6.0, and More


Clop Ransomware Gang Exploits Oracle E-Business Suite Zero-Day in Mass Data Theft Campaign
(published: October 9, 2025)
Oracle released an emergency security patch over the weekend for CVE-2025-61882, a critical zero-day vulnerability in E-Business Suite that the Clop ransomware gang has actively exploited since August 2025. The flaw carries a CVSS score of 9.8 and allows unauthenticated, network-based attackers to achieve remote code execution through the Oracle Concurrent Processing component. Mandiant confirmed that Clop exploited multiple vulnerabilities, including this zero-day, to steal large volumes of corporate data from several organizations and then launched extortion campaigns targeting company executives. The vulnerability affects Oracle EBS versions 12.2.3 through 12.2.14, and indicators of compromise suggest possible involvement from Scattered Lapsus$ Hunters as well. CISA has added CVE-2025-61882 to its Known Exploited Vulnerabilities catalog, underscoring the severity of the threat.
Analyst Comment: The two-month gap between Clop's initial August exploitation and Oracle's October disclosure creates a serious blind spot for defenders. If your organization runs Oracle EBS with internet exposure, assume potential compromise and treat forensic analysis as a priority alongside patching, not as something to do afterwards. Check your application logs for the indicators Oracle published, particularly unusual POST requests to /OA_HTML/SyncServlet and suspicious XSLT template uploads. The public release of exploit code fundamentally changes the threat landscape here: what was previously limited to a sophisticated actor like Clop is now available to anyone with basic scripting skills. Focus immediate efforts on identifying whether you were hit during that August window. For many targets, data exfiltration had already happened before they received extortion emails, so absence of contact from Clop doesn't mean you're clear.
MITRE ATT&CK: T1190 - Exploit Public-Facing Application | T1203 - Exploitation For Client Execution | T1059 - Command And Scripting Interpreter | T1068 - Exploitation For Privilege Escalation | T1213 - Data From Information Repositories | T1071.001 - Application Layer Protocol: Web Protocols | T1041 - Exfiltration Over C2 Channel | T1586.002 - Compromise Accounts: Email Accounts
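The log check the analyst comment asks for, written out as an added example; it is not code from the Anomali write-up or from Oracle's advisory. It parses combined-format web server access logs, flags every POST to /OA_HTML/SyncServlet, and tags whether the request falls inside the exploitation window the page describes. The log lines are constructed, and the window bounds are an assumption to adjust to your own timeline; point it at the Oracle HTTP Server access logs in front of EBS.

```python
"""Scan web server access logs for the Oracle EBS indicator named above.

Added example, not from the Anomali page or Oracle's advisory: it flags POST
requests to /OA_HTML/SyncServlet and notes whether each falls inside the
exploitation window the page describes (August 2025 until the October patch).
The combined log format and the sample lines are constructed; the window
bounds are assumptions, adjust them to your own timeline.
"""
import re
from collections import Counter
from datetime import datetime, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Paths named in the page's indicators (lower-cased for comparison).
SUSPICIOUS_PATHS = ("/oa_html/syncservlet",)

# Assumed window: earliest known exploitation to the emergency patch.
WINDOW_START = datetime(2025, 8, 1, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 10, 6, tzinfo=timezone.utc)

# Constructed sample; the two 203.0.113.10 POSTs are the in-window hits.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Aug/2025:03:14:07 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.10 - - [12/Aug/2025:03:14:09 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 200 9210 "-" "python-requests/2.31"
198.51.100.7 - - [14/Aug/2025:11:02:51 +0000] "GET /OA_HTML/SyncServlet HTTP/1.1" 405 211 "-" "Mozilla/5.0"
203.0.113.10 - - [15/Aug/2025:03:20:41 +0000] "POST /OA_HTML/SyncServlet?x=1 HTTP/1.1" 200 498 "-" "curl/8.4.0"
192.0.2.44 - - [02/Jul/2025:09:00:00 +0000] "POST /OA_HTML/SyncServlet HTTP/1.1" 403 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields a hunt needs, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}


def find_suspicious(lines):
    """All POSTs to the indicator paths, each tagged with in_window."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        path = rec["path"].split("?", 1)[0].lower()   # ignore query strings
        if not path.startswith(SUSPICIOUS_PATHS):
            continue
        ts = rec["ts"].astimezone(timezone.utc)
        rec["in_window"] = WINDOW_START <= ts <= WINDOW_END
        hits.append(rec)
    return hits


def sources_in_window(hits):
    """Source IPs with the number of in-window hits each, for pivoting."""
    return Counter(h["ip"] for h in hits if h["in_window"])


if __name__ == "__main__":
    found = find_suspicious(SAMPLE_LOG.splitlines())
    for h in found:
        flag = "in-window" if h["in_window"] else "outside-window"
        print(h["ts"].isoformat(), h["ip"], h["path"], h["status"], flag)
    print(sources_in_window(found))
```

The script only sees what the web tier logged. A POST outside the window, like the July line in the sample, is still worth a look: the August date is the earliest confirmed exploitation, not necessarily the first attempt.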
BatShadow Deploys Go-Based Vampire Bot Malware in Job Recruitment Campaign
(published: October 9, 2025)
Vietnamese threat actor BatShadow has launched a sophisticated social engineering campaign targeting job seekers and digital marketing professionals with a newly documented malware called Vampire Bot. Researchers identified attack chains beginning with ZIP archives containing fake job descriptions purporting to come from legitimate companies such as Marriott, alongside malicious LNK or executable files disguised as PDFs. The infection process leverages hidden PowerShell scripts that download decoy documents while simultaneously installing XtraViewer remote desktop software for persistent access. A notable aspect of the campaign involves browser manipulation tactics, forcing victims to switch from Chrome to Microsoft Edge to bypass security protections. Once executed, the Go-based Vampire Bot performs comprehensive host profiling, captures screenshots at regular intervals in WEBP format, and maintains encrypted communication with command and control infrastructure. BatShadow has been active for approximately one year, previously deploying commodity malware including Agent Tesla, Lumma Stealer, and Venom RAT through similar domain impersonation techniques. The group represents part of a larger Vietnamese cybercrime ecosystem known for hijacking Facebook business accounts from digital marketing professionals.
Analyst Comment: BatShadow's transition from commodity malware to custom Go-based tooling signals operational maturity, but the real intelligence value here is recognizing this campaign sits within a much broader pattern. The job recruitment lure combined with LNK file delivery has become the convergence point for threat actors across completely different motivations. North Korean groups like Lazarus use it for cryptocurrency theft to fund the regime, Iranian actors like UNC1549 deploy it for telecom espionage, and now Vietnamese groups are using identical mechanics for Facebook business account hijacking. If you receive unsolicited job offers, verify the recruiter through official company channels before downloading anything. Be suspicious of any recruitment process asking you to switch browsers or manually copy URLs. Check file extensions carefully: attackers insert a long run of spaces between .pdf and the real .exe extension so the true file type is pushed out of view. Legitimate recruiters never need you to disable security features or execute files just to view a job description.
MITRE ATT&CK: T1566.001 - Phishing: Spearphishing Attachment | T1204.001 - User Execution: Malicious Link | T1059.001 - Command and Scripting Interpreter: PowerShell | T1219 - Remote Access Software | T1036.007 - Masquerading: Double File Extension | T1082 - System Information Discovery | T1113 - Screen Capture | T1071 - Application Layer Protocol | T1105 - Ingress Tool Transfer | T1573 - Encrypted Channel | T1041 - Exfiltration Over C2 Channel
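An added example, not from the Anomali page or the BatShadow research, of the extension check the comment recommends: it walks a ZIP attachment and flags members that use the two delivery tricks described above, a whitespace-padded double extension and a Windows shortcut (.lnk) file. The archive, file names and contents are constructed.

```python
"""Spot recruitment-lure attachments: executables and shortcuts dressed up as PDFs.

Added example, not from the Anomali page or the BatShadow research. It walks a
ZIP attachment and flags members that use the two delivery tricks the page
describes: a whitespace-padded double extension (the real .exe pushed out of
view behind ".pdf" and a run of spaces) and Windows shortcut (.lnk) files.
The archive, file names and contents are constructed.
"""
import io
import re
import zipfile

DOC_EXTS = ("pdf", "doc", "docx", "xls", "xlsx", "txt")
EXEC_EXTS = ("exe", "lnk", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta")

# Decoy extension, then any padding (\s covers Unicode spaces; \u200b is the
# zero-width space, which \s does not), then the real extension at the end.
PADDED_DOUBLE_EXT = re.compile(
    r"\.(%s)([\s\u200b]*)\.(%s)$" % ("|".join(DOC_EXTS), "|".join(EXEC_EXTS)),
    re.IGNORECASE,
)


def classify_name(name):
    """Return a finding dict for a suspicious member name, or None."""
    base = name.rsplit("/", 1)[-1]
    m = PADDED_DOUBLE_EXT.search(base)
    if m:
        return {"member": name, "padding": len(m.group(2)),
                "reason": "double extension .%s -> .%s" % (m.group(1).lower(), m.group(3).lower())}
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext in EXEC_EXTS:
        return {"member": name, "padding": 0, "reason": "executable type .%s" % ext}
    return None


def scan_zip(data):
    """Findings for every file member of the archive bytes, in archive order."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            verdict = classify_name(info.filename)
            if verdict:
                findings.append(verdict)
    return findings


def build_sample_archive():
    """Constructed lure: a real decoy PDF beside a padded .exe and a .lnk."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Marriott Job Description.pdf", b"%PDF-1.4 decoy")
        zf.writestr("Marriott Job Description.pdf" + " " * 40 + ".exe", b"MZ stand-in")
        zf.writestr("Apply Here.pdf.lnk", b"L\x00\x00\x00 stand-in")
        zf.writestr("Benefits Overview.pdf", b"%PDF-1.4 decoy")
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_zip(build_sample_archive()):
        print("%s (padding=%d): %r" % (f["reason"], f["padding"], f["member"]))
```

The padding count is the useful field for triage: a legitimate file almost never has dozens of spaces inside its name, so a high value on its own is enough to quarantine the attachment before anyone opens it.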
XWorm 6.0 Returns with 35+ Plugins and Enhanced Data Theft Capabilities
(published: October 9, 2025)
XWorm malware has resurfaced with version 6.0, featuring over 35 specialized plugins ranging from data theft to ransomware operations. After developer XCoder abandoned the project in late 2024, XCoderTools announced version 6.0 on cybercrime forums in June 2025 for $500 lifetime access, patching a critical remote code execution flaw from version 5.6. Current campaigns use JavaScript files in phishing emails that display decoy PDFs while executing PowerShell to disable AMSI and inject XWorm into legitimate Windows processes like RegSvcs.exe. The malware uses AES encryption with default key "666666" and stores plugins in the registry under HKCU\SOFTWARE. Key plugins include merged.dll and SystemCheck.Merged.dll bypassing Chrome's app-bound encryption, Ransomware.dll sharing code with NoCry ransomware, Rootkit.dll installing modified r77 rootkit, and ResetSurvival.dll surviving factory resets via ResetConfig.xml manipulation. Researchers found trojanized builders infected with XWorm, showing operators compromising fellow criminals.
Analyst Comment: The ResetConfig.xml persistence mechanism deserves special attention: the plugin leverages a Windows feature designed for OEM manufacturers to preserve their customizations across factory resets. When XWorm drops files into C:\Recovery\OEM and creates a ResetConfig.xml configuration, it is hijacking a recovery process that Windows preserves by design. During a reset, the malware's batch file executes as part of the rebuild procedure, reinstalling the infection on what appears to be a clean system. Remediation therefore requires full drive reimaging that removes the C:\Recovery\OEM contents along with the operating system volume, not Windows' built-in reset function. The same method has appeared in Pulsar RAT and WEEVILPROXY, indicating it is spreading across the RAT ecosystem as a proven persistence mechanism.
MITRE ATT&CK: T1566.001 - Phishing: Spearphishing Attachment | T1204.002 - User Execution: Malicious File | T1059.007 - Command and Scripting Interpreter: JavaScript | T1059.001 - Command and Scripting Interpreter: PowerShell | T1059.003 - Command and Scripting Interpreter: Windows Command Shell | T1037 - Boot Or Logon Initialization Scripts | T1112 - Modify Registry | T1562.001 - Impair Defenses: Disable Or Modify Tools | T1055 - Process Injection | T1497 - Virtualization/Sandbox Evasion | T1027 - Obfuscated Files Or Information | T1036 - Masquerading | T1014 - Rootkit | T1056.001 - Input Capture: Keylogging | T1555.003 - Credentials from Password Stores: Credentials From Web Browsers | T1552.001 - Unsecured Credentials: Credentials In Files | T1082 - System Information Discovery | T1049 - System Network Connections Discovery | T1010 - Application Window Discovery | T1518 - Software Discovery | T1113 - Screen Capture | T1125 - Video Capture | T1005 - Data From Local System | T1071 - Application Layer Protocol | T1105 - Ingress Tool Transfer | T1132.001 - Data Encoding: Standard Encoding | T1573.001 - Encrypted Channel: Symmetric Cryptography | T1041 - Exfiltration Over C2 Channel | T1486 - Data Encrypted For Impact | T1499 - Endpoint Denial Of Service | T1529 - System Shutdown/Reboot
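An added example, not code from the Anomali page or the XWorm analysis, for checking the reset hook the comment describes: it parses a ResetConfig.xml, lists every script Windows would run during a push-button reset, and reports the ones not on an allow-list of known OEM scripts. The element layout assumed (<Reset><Run><Path>/<Duration>) follows Microsoft's documented format; treat it as an assumption and verify against your own OEM image. The sample file, script names and allow-list are constructed.

```python
r"""Triage the push-button reset hook that XWorm's ResetSurvival plugin abuses.

Added example, not from the Anomali page or the XWorm research. During a reset
Windows runs each <Run><Path> listed in ResetConfig.xml under C:\Recovery\OEM,
so listing those entries tells you what would be re-executed on a "clean"
machine. The element layout (<Reset><Run><Path>/<Duration>) follows Microsoft's
documented format and is an assumption to verify; the sample file, script
names and allow-list are constructed.
"""
import os
import xml.etree.ElementTree as ET   # prefer defusedxml when parsing files from a suspect host

DEFAULT_OEM_DIR = r"C:\Recovery\OEM"

# Constructed: one genuine OEM script plus an entry an attacker slipped in.
SAMPLE_RESET_CONFIG = """\
<Reset>
  <Run>
    <Path>OEMPostReset.cmd</Path>
    <Duration>2</Duration>
  </Run>
  <Run>
    <Path>Updates\\svc_restore.bat</Path>
    <Duration>5</Duration>
  </Run>
</Reset>
"""


def parse_reset_config(xml_text):
    """Every script the reset would run, in order, with its declared duration."""
    root = ET.fromstring(xml_text)
    entries = []
    for run in root.iter("Run"):
        path = (run.findtext("Path") or "").strip()
        duration = run.findtext("Duration")
        entries.append({"path": path, "duration": int(duration) if duration else None})
    return entries


def triage(xml_text, allowlist):
    """Entries whose path is not on the operator's allow-list of known OEM scripts."""
    allowed = {p.lower() for p in allowlist}
    return [e for e in parse_reset_config(xml_text) if e["path"].lower() not in allowed]


def scan_recovery_oem(oem_dir=DEFAULT_OEM_DIR, allowlist=()):
    """Read ResetConfig.xml from disk; no file at all is the normal state on most machines."""
    cfg = os.path.join(oem_dir, "ResetConfig.xml")
    if not os.path.isfile(cfg):
        return {"present": False, "unexpected": []}
    with open(cfg, encoding="utf-8-sig") as fh:
        return {"present": True, "unexpected": triage(fh.read(), allowlist)}


if __name__ == "__main__":
    for e in triage(SAMPLE_RESET_CONFIG, {"OEMPostReset.cmd"}):
        print("unexpected reset hook:", e["path"], "duration", e["duration"])
```

Run it from an elevated shell on a suspect host and pair the output with a listing of C:\Recovery\OEM itself, since the referenced batch file and any payload it stages sit next to the XML; finding either is grounds for the full reimage the comment calls for.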
FileFix Attack Uses Cache Smuggling to Evade Security Controls
(published: October 8, 2025)
A newly identified FileFix campaign employs cache smuggling to deliver malware while avoiding conventional download detection. Disguised as a “Fortinet VPN Compliance Checker,” the lure instructs users to copy and paste a path into Windows File Explorer. Hidden within that path is a PowerShell command padded with spaces, which executes invisibly through conhost.exe in headless mode. The script retrieves data from Chrome’s cache, extracts an embedded ZIP payload posing as a “.jpg,” and runs the malicious executable. Because the payload is pre-positioned in the browser cache and never fetched during execution, traditional controls, such as network inspection or download scanning, are likely to miss the compromise.
Analyst Comment: FileFix shows how attackers are learning to operate within ordinary system behavior rather than around it. Using the browser cache as the delivery stage lets them split the infection timeline: payload retrieval happens long before execution, leaving almost no traceable event at the point of compromise. The PowerShell command hidden behind whitespace is clever, but the more significant insight is the shift toward leveraging trusted application processes and existing data stores to blend in. It demonstrates a steady move from infrastructure evasion to behavioral evasion, where nothing looks out of place until it is too late to correlate the pieces.
MITRE ATT&CK: T1566 - Phishing | T1204 - User Execution | T1059.001 - Command and Scripting Interpreter: PowerShell | T1105 - Ingress Tool Transfer | T1036.008 - Masquerading: Masquerade File Type | T1083 - File And Directory Discovery
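An added example, not from the Anomali page or the FileFix research, that does the defender's side of the cache-smuggling step: given a cached file that claims to be a JPEG, it locates an embedded ZIP from the archive's end-of-central-directory record, confirms the computed start really is a local file header, and lists or extracts the members. The JPEG-like prefix and the inner archive are constructed stand-ins.

```python
"""Carve a ZIP smuggled inside a file that claims to be an image.

Added example, not from the Anomali page or the FileFix research. The page
describes a payload served as a ".jpg" so that it lands in Chrome's cache with
a ZIP embedded, which the later PowerShell stage carves out. This does the
same job for a defender: it locates the archive from its end-of-central-
directory (EOCD) record, the way unzip tools cope with prepended data, checks
that the computed start is a local file header, and lists or extracts members.
The JPEG-like prefix and the inner archive are constructed.
"""
import io
import struct
import zipfile

JPEG_MAGIC = b"\xff\xd8\xff"
LOCAL_FILE_HEADER = b"PK\x03\x04"
EOCD_SIG = b"PK\x05\x06"

# Constructed "image": SOI marker, a JFIF APP0 marker and zero filler, nothing more.
FAKE_JPEG_PREFIX = JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00" + b"\x00" * 200


def find_embedded_zip(blob):
    """Return (offset, member names) for an archive inside blob, or None."""
    eocd = blob.rfind(EOCD_SIG)
    if eocd == -1 or eocd + 22 > len(blob):        # EOCD record is at least 22 bytes
        return None
    # EOCD layout: sig(4) disk(2) cd_disk(2) entries(2) entries(2) cd_size(4) cd_offset(4) comment_len(2)
    cd_size, cd_offset = struct.unpack("<II", blob[eocd + 12:eocd + 20])
    start = eocd - cd_size - cd_offset              # archive start, wherever it was prepended
    if start < 0 or blob[start:start + 4] != LOCAL_FILE_HEADER:
        return None
    try:
        with zipfile.ZipFile(io.BytesIO(blob[start:])) as zf:
            return start, zf.namelist()
    except zipfile.BadZipFile:
        return None


def carve(blob):
    """Per cache entry: does it look like a JPEG, where is the archive, what is in it."""
    found = find_embedded_zip(blob)
    return {"looks_like_jpeg": blob.startswith(JPEG_MAGIC),
            "zip_offset": None if found is None else found[0],
            "members": [] if found is None else found[1]}


def extract_member(blob, name):
    """Bytes of one member of the smuggled archive."""
    found = find_embedded_zip(blob)
    if found is None:
        raise ValueError("no embedded ZIP archive")
    with zipfile.ZipFile(io.BytesIO(blob[found[0]:])) as zf:
        return zf.read(name)


def build_sample_cache_file():
    """Constructed cache entry: fake JPEG bytes followed by a ZIP holding a stand-in payload."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("compliance_checker.exe", b"MZ" + b"\x00" * 64)
        zf.writestr("run.bat", b"@echo off\r\nstart compliance_checker.exe\r\n")
    return FAKE_JPEG_PREFIX + inner.getvalue()


if __name__ == "__main__":
    sample = build_sample_cache_file()
    print(carve(sample))
    print(extract_member(sample, "run.bat"))
```

Pointed at a browser cache directory, a file that passes the JPEG check and still yields an archive is exactly the pre-positioned payload the page describes; the cache entry's own timestamp then gives you the retrieval time that the execution-time logs lack.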
Can You Test My Game?
(published: October 8, 2025)
Threat actors are leveraging convincing phishing-style pages that imitate the itch.io gaming platform to distribute hidden malware under the pretense of “can you test my game” invitations. The campaign primarily spreads through direct messages on Discord and similar platforms, frequently sent from compromised accounts, which gives the lure an added sense of legitimacy and familiarity. Once the victim downloads the supposed game file, it executes a stealth loader that runs PowerShell commands in the background, decodes additional scripts directly in memory, and suppresses visible windows to conceal its activity from users and endpoint protection tools. In more advanced variants, the malicious page prompts users to sign in via a fake Discord login, harvesting tokens and credentials that allow the attacker to seize control of the account and automatically propagate the lure to new contacts. Community reports indicate victims often experience full account compromise, credential theft, and automated mass-messaging campaigns that rapidly amplify the scam across gaming communities and social channels.
Analyst Comment: This one is more for your home security than your organization’s, but it is also a good reminder that threat actors go where trust already exists. Using Discord messages and cloned itch.io pages makes the lure feel normal, especially in gaming circles where sharing files and testing builds can feel routine. Whilst I’m sure none of you are downloading game files from Discord onto work systems, this story is worth sharing beyond the office. Many of us or our families play games online, and awareness can greatly reduce both the likelihood and effectiveness of these scams. If you or someone you know games regularly, mention this; it’s a simple conversation that can prevent account takeovers and stolen credentials. The more cyber-aware we are in our personal spaces, the stronger our collective security becomes.
MITRE ATT&CK: T1566.002 - Phishing: Spearphishing Link | T1204.002 - User Execution: Malicious File | T1059.001 - Command and Scripting Interpreter: PowerShell | T1539 - Steal Web Session Cookie | T1528 - Steal Application Access Token
Chinese Hackers Weaponize Velociraptor in Ransomware Attacks
(published: October 10, 2025)
China-aligned threat group Storm 2603 has been observed abusing Velociraptor, an open-source digital forensics and incident response (DFIR) framework, to support ransomware operations. Normally used by defenders to collect forensic data and hunt threats, Velociraptor provides remote access, file collection, and command execution capabilities, features now being repurposed for lateral movement and persistence. Researchers also noted that older Velociraptor versions are affected by CVE-2025-6264, a privilege-escalation flaw patched by Rapid7, which could further expand attacker control if left unaddressed.
Analyst Comment: Storm 2603 used Velociraptor much like defenders do, only with malicious intent. Its agent-server setup enabled them to move data, disable controls, and deploy ransomware through a platform already trusted within many networks, blurring the line between normal operations and compromise. Cisco Talos cited Rapid7’s guidance on detecting Velociraptor abuse, noting the tool intentionally generates identifiable indicators when misused. It must also be noted that attackers can remove those indicators in modified builds, but such versions will lack Rapid7’s signature or be signed by another source, a useful clue for verification.
MITRE ATT&CK: T1059 - Command And Scripting Interpreter | T1543 - Create Or Modify System Process | T1053 - Scheduled Task/Job | T1136 - Create Account | T1068 - Exploitation For Privilege Escalation | T1562 - Impair Defenses | T1021 - Remote Services | T1570 - Lateral Tool Transfer | T1219 - Remote Access Software | T1071 - Application Layer Protocol | T1041 - Exfiltration Over C2 Channel | T1486 - Data Encrypted For Impact
Pro-Russia Hacktivists “Claim” Attack on Water Utility Honeypot
(published: October 10, 2025)
A pro-Russian hacktivist group calling itself TwoNet claimed to have disrupted a European water utility by breaching its industrial control system. Subsequent analysis by cybersecurity firm Forescout revealed the system was actually a honeypot, an intentionally created decoy designed to lure and study attackers. TwoNet gained access using default credentials, defaced login screens, disabled alarms and logs, and attempted to alter PLC setpoints. The entire intrusion chain, from access to attempted disruption, occurred in roughly 26 hours. Investigators observed the group experimenting with Modbus protocols and programmable logic controllers, indicating growing curiosity about operational technology environments.
Analyst Comment: TwoNet’s eagerness to claim victory before verifying what they had actually breached says much about the current state of hacktivist operations. Driven by the need to project capability, they failed to recognize they were operating inside a controlled environment built to observe them. That overconfidence exposed their tooling, behavior, and timelines in detail, giving defenders intelligence instead of impact. The real win was on the defensive side: the honeypot not only contained the intrusion but converted it into valuable insight on how politically motivated actors test and learn within OT networks.
MITRE ATT&CK: T1078 - Valid Accounts | T1190 - Exploit Public-Facing Application | T1543 - Create Or Modify System Process | T1562.001 - Impair Defenses: Disable Or Modify Tools | T0878 - Alarm Suppression | T0831 - Manipulation Of Control | T0838 - Modify Alarm Settings
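An added example, not from the Anomali page or Forescout's report, of the monitoring that would catch TwoNet's attempted setpoint changes on a real plant: a Modbus/TCP request parser that decodes the MBAP header and function code, extracts the address and values for the single- and multiple-register write forms, and alerts on writes from any host other than the allow-listed HMI. The frames, addresses and allow-list are constructed.

```python
"""Flag Modbus/TCP writes from hosts that should never write to a PLC.

Added example, not from the Anomali page or Forescout's report. The page says
TwoNet experimented with Modbus and tried to alter PLC setpoints; the write
function codes have no business coming from anything except the engineering
workstation or HMI. The parser decodes the MBAP header and function code of
each request and the two write forms most often used for setpoints.
The frames, addresses and allow-list are constructed.
"""
import struct

WRITE_FUNCTIONS = {
    0x05: "Write Single Coil", 0x06: "Write Single Register",
    0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers",
    0x16: "Mask Write Register", 0x17: "Read/Write Multiple Registers",
}


def parse_modbus_tcp(frame):
    """Decode one Modbus/TCP request: MBAP header, function code, and setpoint data."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    if length != len(frame) - 6:            # length counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    fc, pdu = frame[7], frame[8:]
    rec = {"transaction_id": tid, "unit_id": unit, "function": fc,
           "write": fc in WRITE_FUNCTIONS}
    if fc in (0x05, 0x06):                   # single coil / register: address, value
        rec["address"], rec["value"] = struct.unpack(">HH", pdu[:4])
    elif fc == 0x10:                         # multiple registers: address, qty, byte count, values
        addr, qty, count = struct.unpack(">HHB", pdu[:5])
        if count != 2 * qty or len(pdu) < 5 + count:
            raise ValueError("malformed Write Multiple Registers request")
        rec["address"] = addr
        rec["values"] = list(struct.unpack(">%dH" % qty, pdu[5:5 + count]))
    return rec


def flag_unexpected_writes(packets, allowed_writers):
    """packets: iterable of (source_ip, frame). Returns decoded writes from other hosts."""
    alerts = []
    for src, frame in packets:
        rec = parse_modbus_tcp(frame)
        if rec["write"] and src not in allowed_writers:
            alerts.append(dict(rec, src=src, name=WRITE_FUNCTIONS[rec["function"]]))
    return alerts


def build_frame(tid, unit, fc, payload):
    """Assemble a request frame (used here only to construct the sample capture)."""
    pdu = bytes([fc]) + payload
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


ALLOWED_WRITERS = {"10.0.0.20"}              # constructed: the plant HMI
SAMPLE_PACKETS = [
    ("10.0.0.20", build_frame(1, 1, 0x03, struct.pack(">HH", 0, 10))),       # HMI polls registers
    ("10.0.0.20", build_frame(2, 1, 0x06, struct.pack(">HH", 100, 350))),    # HMI sets a setpoint
    ("10.0.0.99", build_frame(7, 1, 0x06, struct.pack(">HH", 100, 9999))),   # unknown host rewrites it
    ("10.0.0.99", build_frame(8, 1, 0x10, struct.pack(">HHB", 200, 2, 4) + struct.pack(">HH", 0, 0xFFFF))),
]

if __name__ == "__main__":
    for a in flag_unexpected_writes(SAMPLE_PACKETS, ALLOWED_WRITERS):
        print(a["src"], a["name"], "unit", a["unit_id"], "addr", a["address"],
              a.get("value", a.get("values")))
```

Modbus has no authentication, so the source address is the only thing separating an operator from an intruder; on a monitored span port this check is cheap, and the decoded value (9999 against a normal 350 in the sample) is what lets an operator judge process impact rather than just "someone wrote something".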
Crimson Collective Exploits AWS Cloud Infrastructure for Data Theft and Extortion
(published: October 9, 2025)
Researchers have identified the new threat group Crimson Collective conducting systematic attacks against Amazon Web Services environments to steal data and extort organizations. The group claimed responsibility for breaching Red Hat's private GitLab repositories, allegedly exfiltrating 570GB of data across 28,000 internal development repositories. Crimson Collective began this attack by using TruffleHog, an open source security tool, to discover leaked AWS long-term access keys in code repositories. Once inside, attackers create new IAM users with login profiles and escalate privileges by attaching the AdministratorAccess policy, granting complete control over victim environments. The threat actors perform extensive reconnaissance across AWS services, targeting RDS databases by modifying master passwords and creating snapshots that are exported to S3 buckets. They also create EBS volume snapshots and attach them to attacker-controlled EC2 instances configured with permissive security groups. Data exfiltration occurs through S3 GetObject API calls, followed by extortion demands delivered via AWS Simple Email Service from within the compromised environment. The group has recently partnered with Scattered Lapsus$ Hunters, potentially expanding their operational capabilities.
Analyst Comment: TruffleHog is a legitimate open source security tool designed to help organizations find exposed credentials in their code repositories. However, threat actors are increasingly weaponizing it for automated credential harvesting during intrusions. Three significant 2025 attacks demonstrate this trend. Crimson Collective has systematically used TruffleHog to discover leaked AWS credentials, enabling their cloud environment breaches. A self-replicating worm infected over 180 npm packages and deployed TruffleHog on developer machines to scan for secrets automatically. Most notably, attackers used TruffleHog against Salesloft's GitHub repositories to extract OAuth tokens, then pivoted to compromise Salesforce instances at 760 organizations including Google, Cloudflare, and Zscaler, stealing 1.5 billion records. Defenders should assume TruffleHog will be deployed in future attacks once adversaries gain any level of internal access. Monitoring for unauthorized TruffleHog execution and suspicious credential scanning activity should become standard detection practice.
MITRE ATT&CK: T1078.004 - Valid Accounts: Cloud Accounts | T1552.001 - Unsecured Credentials: Credentials In Files | T1136.003 - Create Account: Cloud Account | T1098.001 - Account Manipulation: Additional Cloud Credentials | T1098.003 - Account Manipulation: Add Office 365 Global Administrator Role | T1059.009 - Command and Scripting Interpreter: Cloud API | T1087.004 - Account Discovery: Cloud Account | T1580 - Cloud Infrastructure Discovery | T1619 - Cloud Storage Object Discovery | T1526 - Cloud Service Discovery | T1530 - Data From Cloud Storage Object | T1213.003 - Data from Information Repositories: Code Repositories | T1657 - Financial Theft
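An added example, not from the Anomali page or Rapid7's research, that turns the playbook above into a CloudTrail hunt: each stage maps one step the page lists to the eventName that records it, and a user created by the leaked key is attributed back to that key, so the escalation shows up as one cluster rather than two unrelated principals. The account ID, principals and records are constructed and trimmed to the fields the rules read; GetObject only appears in a trail with S3 data events enabled.

```python
"""Correlate CloudTrail records against the cloud playbook described above.

Added example, not from the Anomali page or Rapid7's research. Each stage maps a
step the page lists to the CloudTrail eventName that records it, and actors are
chained: a user created by the leaked key is attributed back to that key, so
the escalation shows up as one cluster rather than two unrelated principals.
The account id, principals and records are constructed and trimmed to the fields
the rules read; GetObject only appears if S3 data events are enabled in the trail.
"""
from collections import defaultdict

ACCOUNT = "123456789012"                                        # constructed
ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
LEAKED_KEY_USER = "arn:aws:iam::%s:user/ci-deploy" % ACCOUNT     # constructed
NEW_USER = "arn:aws:iam::%s:user/backup-svc" % ACCOUNT           # constructed

# (stage name, predicate over the event and its requestParameters)
STAGE_RULES = [
    ("iam_user_created", lambda ev, p: ev["eventName"] == "CreateUser"),
    ("console_login_profile", lambda ev, p: ev["eventName"] == "CreateLoginProfile"),
    ("admin_policy_attached", lambda ev, p: ev["eventName"].startswith("Attach")
        and ev["eventName"].endswith("Policy") and p.get("policyArn") == ADMIN_POLICY),
    ("rds_master_password_changed", lambda ev, p: ev["eventName"] == "ModifyDBInstance"
        and "masterUserPassword" in p),      # CloudTrail redacts the value; the key still appears
    ("rds_snapshot_created", lambda ev, p: ev["eventName"] in ("CreateDBSnapshot", "CreateDBClusterSnapshot")),
    ("rds_snapshot_exported", lambda ev, p: ev["eventName"] == "StartExportTask"),
    ("ebs_snapshot_created", lambda ev, p: ev["eventName"] == "CreateSnapshot"
        and ev["eventSource"] == "ec2.amazonaws.com"),
    ("volume_attached", lambda ev, p: ev["eventName"] == "AttachVolume"),
    ("s3_object_read", lambda ev, p: ev["eventName"] == "GetObject"),
]


def classify(ev):
    """Names of every playbook stage this single record matches."""
    params = ev.get("requestParameters") or {}
    return [name for name, rule in STAGE_RULES if rule(ev, params)]


def correlate(records):
    """Map each root principal to the stages it, or users it created, performed."""
    parent, stages = {}, defaultdict(set)
    for ev in records:                       # records must be in time order
        actor = ev["userIdentity"]["arn"]
        params = ev.get("requestParameters") or {}
        if ev["eventName"] == "CreateUser" and "userName" in params:
            child = "arn:aws:iam::%s:user/%s" % (ev["recipientAccountId"], params["userName"])
            parent[child] = actor
        root = actor
        while root in parent:
            root = parent[root]
        stages[root].update(classify(ev))
    return dict(stages)


def suspicious_actors(records, min_stages=3):
    """Roots whose cluster covers at least min_stages distinct playbook stages."""
    return sorted(a for a, s in correlate(records).items() if len(s) >= min_stages)


def _ev(name, source, actor, params=None):
    return {"eventName": name, "eventSource": source, "recipientAccountId": ACCOUNT,
            "userIdentity": {"arn": actor}, "requestParameters": params or {}}


# Constructed records, in time order: the leaked key creates an admin user,
# which then drains RDS, EBS and S3; alice's lone snapshot is normal operations.
SAMPLE_RECORDS = [
    _ev("CreateUser", "iam.amazonaws.com", LEAKED_KEY_USER, {"userName": "backup-svc"}),
    _ev("CreateLoginProfile", "iam.amazonaws.com", LEAKED_KEY_USER, {"userName": "backup-svc", "passwordResetRequired": False}),
    _ev("AttachUserPolicy", "iam.amazonaws.com", LEAKED_KEY_USER, {"userName": "backup-svc", "policyArn": ADMIN_POLICY}),
    _ev("ModifyDBInstance", "rds.amazonaws.com", NEW_USER, {"dBInstanceIdentifier": "prod-db", "masterUserPassword": "****"}),
    _ev("CreateDBSnapshot", "rds.amazonaws.com", NEW_USER, {"dBInstanceIdentifier": "prod-db", "dBSnapshotIdentifier": "tmp-1"}),
    _ev("StartExportTask", "rds.amazonaws.com", NEW_USER, {"exportTaskIdentifier": "tmp-1", "s3BucketName": "staging-export"}),
    _ev("CreateSnapshot", "ec2.amazonaws.com", NEW_USER, {"volumeId": "vol-0a1b2c3d"}),
    _ev("AttachVolume", "ec2.amazonaws.com", NEW_USER, {"volumeId": "vol-0ffeeddc", "instanceId": "i-0123456789abcdef0"}),
    _ev("GetObject", "s3.amazonaws.com", NEW_USER, {"bucketName": "prod-backups", "key": "dump.sql.gz"}),
    _ev("DescribeInstances", "ec2.amazonaws.com", "arn:aws:iam::%s:user/alice" % ACCOUNT),
    _ev("CreateSnapshot", "ec2.amazonaws.com", "arn:aws:iam::%s:user/alice" % ACCOUNT, {"volumeId": "vol-0aaaa"}),
]

if __name__ == "__main__":
    for root, found in correlate(SAMPLE_RECORDS).items():
        print(root, sorted(found))
    print("suspicious:", suspicious_actors(SAMPLE_RECORDS))
```

Any single stage is routine administration, which is why the threshold is on distinct stages per cluster rather than per event; the chaining is what keeps the leaked key and the user it minted from each looking harmless on their own.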
Discord Third-Party Vendor Breach Exposes ~70,000 Government ID Images
(published: October 9, 2025)
Discord confirmed that a security incident at one of its third-party customer support vendors led to the exposure of sensitive user information. The compromised vendor, 5CA, handled age-verification requests and Trust & Safety support tickets. As a result, approximately 70,000 government ID images, including driver’s licenses and passports, were accessed, along with associated names, email addresses, Discord usernames, IP addresses, limited billing details, and chat transcripts with support staff. Discord stated that its internal infrastructure was not breached, that full credit card numbers and passwords remain secure, and that the vendor’s access has since been revoked. The attacker reportedly claims to possess a much larger dataset, but Discord disputes those figures. Law enforcement has been notified, and forensic audits are ongoing.
Analyst Comment: Age verification is becoming common across the UK and Europe, and every time a company outsources that process, it creates another pool of verified IDs for criminals to target. These databases are valuable because they link real names, photos, and services together, making them perfect for identity theft or account fraud. The Discord breach shows how these systems, built for safety and compliance, can quietly turn into high-value assets for attackers. As more platforms adopt similar checks, we should expect this kind of breach to become more frequent.
MITRE ATT&CK: T1195 - Supply Chain Compromise | T1078 - Valid Accounts | T1213 - Data From Information Repositories | T1567 - Exfiltration Over Web Service
175 Malicious npm Packages Employed in Credential-Harvesting Campaign
(published: October 10, 2025)
Security researchers uncovered 175 new malicious npm packages, downloaded over 26,000 times, designed to redirect users to credential-phishing sites rather than execute malicious code. The campaign, tracked as Beamglea, leverages npm and unpkg infrastructure to embed deceptive redirects within otherwise legitimate-looking JavaScript packages. Most of the uploads targeted developers in the technology and industrial sectors, blending seamlessly into common dependency chains to avoid suspicion.
Analyst Comment: There’s nothing novel about Beamglea; it follows the same playbook seen in IconBurst, Shai-Hulud, and other npm abuse waves, just repackaged. The mechanics haven’t changed, but the repetition is what matters. Attackers keep coming back to npm because it still works, and even short-lived uploads can deliver results before moderation reacts. This vector remains active, proving that open-source trust can still be quietly exploited at scale.
MITRE ATT&CK: T1195.001 - Supply Chain Compromise: Compromise Software Dependencies And Development Tools | T1195.002 - Supply Chain Compromise: Compromise Software Supply Chain | T1566 - Phishing | T1059 - Command And Scripting Interpreter
