September 29, 2025 Cyber Threat Intelligence Briefing
This week’s briefing covers:
00:00 – Intro
00:46 [VULNERABILITY] Critical Deserialization Vulnerability in Fortra’s GoAnywhere MFT May Lead to Command Injection
A deserialization vulnerability in the License Servlet of Fortra's GoAnywhere MFT allows an actor with a validly forged license response signature to deserialize an arbitrary actor-controlled object, possibly leading to command injection.
02:59 [VULNERABILITY] Exploitation of Multiple Critical Vulnerabilities in Cisco Firewall Appliances
Cisco has reported a critical vulnerability in the VPN web server of Cisco Secure Firewall Adaptive Security Appliance (ASA) and Cisco Secure Firewall Threat Defense (FTD) Software, which is being tracked as CVE-2025-20333.
06:49 [CAMPAIGN] Widespread Adware Campaign Contains Hidden Homoglyph Channel
Kroll has recently seen widespread installation of an application called “Calendaromatic”, which Kroll Threat Intelligence (TI) currently classifies as a potentially unwanted program (adware) but which displays some functionality that gives it the potential to conduct more malicious behaviors.
09:43 [CAMPAIGN] Iranian Hackers Use Fake Job Lures to Breach Europe’s Critical Industries
Since early 2025, researchers at Check Point have been monitoring renewed activity from the Iranian-linked threat group KTA514, also known as Nimbus Manticore, UNC1549 or Smoke Sandstorm.
12:00 [VULNERABILITY] Libraesva ESG Vulnerability
Libraesva has released an update to its email security gateway (ESG) to patch a vulnerability (CVE-2025-59689) that allowed attackers to use crafted compressed attachments to execute arbitrary commands as a non-privileged user.
13:34 [CAMPAIGN] LOCKBIT Ransomware Releases LOCKBIT 5.0
LOCKBIT 5.0’s release demonstrates the group's remarkable resilience and strategic evolution following major law enforcement disruption. Rather than a complete rewrite, the new version builds upon the LOCKBIT 4.0 codebase, indicating a focus on refining usability and stealth for its affiliates through improved help menus and invisible operation modes.
Dive deeper:
Kroll’s Monthly Threat Intelligence Spotlight Report: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports/cti-spotlight-trends-report
Kroll’s Q3 2024 Threat Landscape Report: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports/q3-2023-threat-landscape-report-social-engineering
Playlist of Kroll's Weekly Cyber Threat Intelligence Briefings: Cyber Threat Intelligence Briefings
Kroll Cyber Blog: https://www.kroll.com/en/insights/publications/cyber
Kroll Cyber Threat Intelligence: https://www.kroll.com/en/services/cyber-risk/managed-security/threat-intelligence-services
Kroll Threat Intelligence Reports: https://www.kroll.com/en/insights/publications/cyber/threat-intelligence-reports
Kroll Responder MDR: https://www.kroll.com/en/services/cyber-risk/managed-security/kroll-responder
#krollcyber #threatintelligence #cyberthreats