Cyber Briefing: 2025.10.27
Qilin surge, WP flaws exploited, Smishing Triad scam, RedTiger steals data, SafePay hits Xortec, ex-L3Harris spy case, ransom drop, teens TfL hack, Fortinet fraud.
👉 What’s going on in the cyber world today?
Welcome to Cyber Briefing, the newsletter that informs you about the latest cybersecurity advisories, alerts, incidents and news every weekday.
🚨 Cyber Alerts
1. Qilin Ransomware Uses Hybrid Attack
The Qilin (also known as Agenda) ransomware-as-a-service group has become one of the most active cybercriminal enterprises, consistently claiming over 40 victims monthly in 2025, with a peak of 100 cases in June and 84 victims in each of August and September. Primarily targeting the U.S. and other developed nations across sectors such as manufacturing and professional services, Qilin affiliates often gain initial access with leaked credentials before deploying sophisticated techniques for credential harvesting and data exfiltration, and maintaining persistence with remote management tools.
2. Hackers Exploit Outdated WordPress Plugins
A massive cyberattack campaign is currently exploiting critical-severity, year-old vulnerabilities (CVE-2024-9234, CVE-2024-9707, and CVE-2024-11972) in the WordPress GutenKit and Hunk Companion plugins to achieve remote code execution (RCE). Security firms have blocked millions of attack attempts and are urging administrators to immediately update these plugins to versions 2.1.1 and 1.9.0 or later to protect their sites from compromise and data theft.
3. Smishing Triad Tied To Global Phishing
A global smishing operation, attributed to the China-linked Smishing Triad, has deployed over 194,000 malicious domains since January 2024 to impersonate various services, including delivery and toll providers, tricking victims worldwide into revealing sensitive information. This highly lucrative scheme, which may have generated over $1 billion in the last three years, relies on quickly cycling through new, disposable domains, primarily hosted on U.S. cloud services, to evade detection.
💥 Cyber Incidents
4. Discord Accounts Stolen By RedTiger
Attackers are abusing the open-source red-team tool RedTiger to build a powerful infostealer that aggressively collects data, primarily Discord account details and payment information. The malware also steals credentials, cryptocurrency and game accounts, and evades analysis with anti-sandbox checks and by overloading forensic analysis tools.
5. SafePay Hits Xortec Video Surveillance Firm
The SafePay ransomware group has claimed responsibility for a cyberattack against German video surveillance provider Xortec GmbH and listed the company on its data leak site as part of a double extortion attempt. The group has set an impending ransom payment deadline of October 27, 2025.
6. Ex-L3Harris Cyber Boss Charged With Espionage
The U.S. government has accused former L3Harris executive Peter Williams of stealing eight trade secrets from two unnamed companies and selling them to a Russian buyer for $1.3 million. The Department of Justice filed a criminal information document outlining the allegations against Williams, an Australian citizen and former general manager of L3Harris’s Trenchant division, who is scheduled for an arraignment and plea agreement hearing on October 29.
📢 Cyber News
7. Ransomware Payments Fall In Q3 2025
Ransomware payments dropped significantly in the third quarter of 2025, according to an analysis by incident response firm Coveware. This decline is attributed to large organizations increasingly refusing to pay and mid-market firms agreeing to smaller ransoms.
8. Teens Face Court Over TfL Cyber Attack
Two teenagers, Thalha Jubair (19) and Owen Flowers (18), have been charged with conspiracy under the Computer Misuse Act in connection with last year’s cyberattack on Transport for London (TfL), an incident that disrupted essential services for three months. They appeared in Southwark Crown Court where a further hearing was set for November 21st, with a full trial scheduled for June 8, 2026, and both have been remanded into custody.
9. Fortinet Faces Securities Fraud Claims
Fortinet is facing class-action lawsuits alleging the company made misleading statements about a “record” firewall refresh cycle that was touted to bring in hundreds of millions in revenue. Plaintiffs claim executives knew the refresh involved older, smaller-value products and was happening earlier than publicly stated, which led to a stock drop of over 22% and suspiciously timed insider stock sales by the CEO and CTO.
📈 Cyber Stocks
On Monday, 27th October, cybersecurity stocks began the week on a positive note, supported by renewed investor confidence in the sector’s long-term growth outlook. The rally was fueled by upbeat analyst sentiment, consistent enterprise spending on AI-enhanced and zero-trust solutions, and heightened geopolitical cyber risks keeping demand strong. Overall, the sector outperformed broader tech indices, reinforcing its reputation as a defensive yet innovative market segment.
CrowdStrike closed at $527.32, up 1.0%, as optimism around its AI-augmented Falcon platform and expanding subscription base drove investor interest.
Zscaler ended at $323.00, up 1.3%, lifted by ongoing enterprise migration to cloud-native zero-trust security architectures.
Palo Alto Networks finished at $217.11, up 1.0%, buoyed by a raised analyst price target and confidence in its integrated platform strategy.
Okta settled at $89.07, up 0.6%, as strengthening contract pipelines and identity-security demand balanced ongoing competition pressures.
Fortinet closed at $85.56, up 0.7%, supported by steady network-security demand amid heightened global cyberattack concerns.
💡 Cyber Tip
Hackers Exploit Outdated WordPress Plugins
A large-scale cyberattack is targeting WordPress sites using outdated GutenKit and Hunk Companion plugins. Attackers are exploiting critical remote code execution flaws (CVE-2024-9234, CVE-2024-9707, CVE-2024-11972) to take control of vulnerable websites. Security firms have blocked millions of attempts and are urging admins to update GutenKit to version 2.1.1 and Hunk Companion to version 1.9.0 or later immediately.
🔐 What You Should Do
Update GutenKit and Hunk Companion plugins to the latest patched versions.
Review your site’s logs for suspicious requests to /wp-json/gutenkit/v1/install-active-plugin or /wp-json/hc/v1/themehunk-import.
Scan for rogue directories like /up, /background-image-cropper, or /wp-query-console.
Restrict plugin installation privileges to trusted admin accounts only.
Enable web application firewalls (WAF) and monitor for abnormal plugin uploads or file changes.
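A small triage script for the log review and directory checks above, added here as an example and not part of the newsletter or any vendor tooling. It assumes Apache/nginx combined log format, that the plugin slugs are "gutenkit" and "hunk-companion", and uses constructed sample log lines.

```python
import re
from typing import Iterable

# Endpoints named in the tip: requests to these are worth an analyst's review
SUSPICIOUS_ENDPOINTS = (
    "/wp-json/gutenkit/v1/install-active-plugin",
    "/wp-json/hc/v1/themehunk-import",
)
# Directory names the tip lists as rogue artefacts left by the campaign
ROGUE_DIRS = {"up", "background-image-cropper", "wp-query-console"}
# Minimum patched versions from the tip (plugin slugs are an assumption)
PATCHED = {"gutenkit": (2, 1, 1), "hunk-companion": (1, 9, 0)}

# Apache/nginx combined log format; only the fields we need are captured
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def find_endpoint_hits(lines: Iterable[str]) -> list:
    """Return one record per request to a campaign endpoint (query string ignored for matching)."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined log format; skip rather than guess
        path = m.group("path").split("?", 1)[0]
        if any(path.startswith(ep) for ep in SUSPICIOUS_ENDPOINTS):
            hits.append({k: m.group(k) for k in ("ip", "ts", "method", "path", "status")})
    return hits

def find_rogue_dirs(dir_names: Iterable[str]) -> list:
    """Return the entries of a webroot/plugins listing that match the rogue directory names."""
    return sorted(d.strip("/") for d in dir_names if d.strip("/") in ROGUE_DIRS)

def is_patched(slug: str, version: str) -> bool:
    """True if the installed version meets the minimum patched version for the plugin."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    parts += (0,) * (3 - len(parts))  # pad "2.1" to (2, 1, 0)
    return parts >= PATCHED[slug]

# Constructed sample log lines (not from a real incident)
SAMPLE_LOG = [
    '203.0.113.7 - - [24/Oct/2025:10:15:01 +0000] "POST /wp-json/gutenkit/v1/install-active-plugin HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '198.51.100.9 - - [24/Oct/2025:10:15:03 +0000] "GET /wp-json/hc/v1/themehunk-import?plugin=x HTTP/1.1" 401 0 "-" "curl/8.0"',
    '192.0.2.5 - - [24/Oct/2025:10:16:00 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_endpoint_hits(SAMPLE_LOG):
        print("REVIEW:", hit)
    print("rogue dirs:", find_rogue_dirs(["akismet", "up/", "wp-query-console"]))
    print("gutenkit 2.1.0 patched?", is_patched("gutenkit", "2.1.0"))
```

A 200 on the install endpoint from an unfamiliar IP is the record to escalate; a 401 still shows the site was probed.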
⚠️ Why This Matters
These attacks exploit well-known, year-old vulnerabilities to achieve remote code execution and full site takeover. Running outdated plugins leaves websites exposed to data theft and malware deployment. Keeping all plugins updated and restricting admin access are the most effective defenses against such widespread exploitation campaigns.
That concludes today’s briefing. You can check the top headlines here!
Copyright © 2025 CyberMaterial. All Rights Reserved.