
A
From the CISO series, it's Cybersecurity Headlines.
B
These are the cybersecurity headlines for Wednesday, October 22, 2025. I'm Sarah Lane.

Russian state hackers replace burned malware with new tools. Google's threat intelligence team says Russian state-backed hacking group Coldriver, also known as Star Blizzard or Callisto, has developed three new malware strains, NoRobot, YesRobot and MaybeRobot, after its previous LostKeys tool was exposed back in May. The new tools are said to be deployed more aggressively than any previous campaigns, designed to evade detection and steal data from high-value targets. Google believes that Coldriver is now using custom malware to gather deeper intelligence from already phished victims.

Recent Windows updates caused login issues on some PCs. Microsoft says that Windows updates released since August 29th are breaking logins on systems with duplicate security identifiers, or SIDs, causing Kerberos and NTLM authentication failures across Windows 11 24H2, 25H2 and Windows Server 2025. The issue appears to stem from a new security check that rejects authentication between devices sharing SIDs, often created when systems are cloned without using Sysprep. Microsoft recommends rebuilding affected systems or contacting support for a temporary group policy fix.

Sophisticated campaign targets servers of high-profile organizations. Kaspersky researchers say that a Chinese-speaking threat actor is likely behind the PassiveNeuron campaign, which has targeted government, financial and industrial servers across Asia, Africa and Latin America since 2024. The campaign uses custom implants Neursite and NeuralExecutor along with Cobalt Strike to exploit SQL servers and maintain persistence via large disguised DLL files. Kaspersky says that the group's tactics aligned with Chinese APTs, although attribution remains low confidence.

CISA adds new flaws to Known Exploited Vulnerabilities catalog. CISA added high-severity vulnerabilities in Oracle E-Business Suite, Microsoft Windows SMB Client, Kentico Xperience CMS and Apple JavaScriptCore to its Known Exploited Vulnerabilities catalog. These flaws could allow data theft, privilege escalation and remote code execution. Federal agencies have to patch them by November 10th, and private organizations are advised to update affected systems.

Huge thanks to our sponsor ThreatLocker. Imagine having the power to decide exactly what runs in your IT environment and blocking everything else by default. That is what ThreatLocker delivers as a zero trust endpoint protection platform. ThreatLocker fills the gaps traditional solutions leave behind, giving your business stronger security and control. Don't just react to threats, stop them with ThreatLocker.

Laser auto cyber attacks emerge. Researchers at France's Alternative Energies and Atomic Energy Commission, or CEA, and semiconductor firm Soitec have developed a new chip architecture called Fully Depleted Silicon on Insulator to defend against laser fault injection attacks targeting automotive microcontrollers. The design adds an insulating oxide layer that makes it harder to manipulate circuits with focused laser beams, including attacks that can flip bits or bypass authentication. It also improves cost efficiency and helps automakers meet global cybersecurity standards.

Hackers exploit zero-days at Pwn2Own Ireland. On the first day of Pwn2Own Ireland 2025, researchers exploited 34 zero-days across devices including QNAP and Synology NAS, printers, smart home gadgets and networking equipment, earning $522,500 for the effort. Team DDOS chained eight zero-days to hack a QNAP router and NAS for $100,000, while Summoning Team led the leaderboard with $102,500. The contest, co-sponsored by Meta, QNAP and Synology, awards zero-day exploits and promotes responsible disclosure, with vendors given 90 days to patch vulnerabilities before public disclosure.

GlassWorm attacks VS Code supply chain. Researchers at Koi Security discovered a new self-propagating malware dubbed GlassWorm, infecting around 36,000 developer systems by exploiting Visual Studio Code extensions. The worm uses invisible Unicode characters to hide its code, steals credentials from GitHub, npm and OpenVSX, installs remote access tools and turns developer machines into criminal proxy nodes. It also uses the Solana blockchain and Google Calendar for command and control. Microsoft has since removed the infected extensions.

PolarEdge targets routers in an expanding botnet campaign. PolarEdge, a botnet malware targeting Cisco, Asus, QNAP and Synology routers, was first noticed back in February, with activity going back as early as June of 2023. It installs a TLS-based backdoor to fingerprint hosts, receive commands and execute tasks, while using anti-analysis techniques and process masquerading to evade detection. PolarEdge can operate in connect-back or debug modes, and its purpose seems to be linked to building a large network of compromised devices, not unlike Go SoC's use of infected systems as SOCKS5 proxies.

We have some exciting news. We are launching a brand new show this Monday, October 27th, called the Department of No. We will be live at 4:00pm Eastern Time, bringing together two cybersecurity leaders to help you start out your week. If you want to know what cybersecurity news from the past week you need to integrate into your next team meeting, you've got to come to this show. It streams live at 4pm every Monday on our YouTube channel, so block out the time on your calendar. Subscribe to the CISO Series YouTube channel and join us on Monday, October 27th at 4pm for the debut of the Department of No.

And if you have thoughts on the news from today or about our show in general, be sure to reach out to us at feedback@cisoseries.com. We would love to hear from you. I am Sarah Lane, reporting for the CISO Series. You stay classy.
A
Cybersecurity Headlines is available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Podcast: CISO Series – Cybersecurity Headlines
Date: October 22, 2025
Host: Sarah Lane
This episode delivers a rapid-fire briefing on the latest cybersecurity developments from around the globe. Topics include Russian state hackers debuting new malware, critical issues caused by Windows updates, sophisticated attacks on high-profile servers, newly cataloged exploited vulnerabilities, hardware-level defenses against laser cyberattacks, major zero-day discoveries at PWN2Own, a widespread VS Code supply chain compromise, and the evolution of a router-targeting botnet.
[00:13 – 01:03]
"The new tools are said to be deployed more aggressively than any previous campaigns, designed to evade detection and steal data from high value targets."
— Sarah Lane [00:18]
[01:04 – 01:41]
"Microsoft says that Windows updates released since August 29th are breaking logins on systems with duplicate security identifiers...causing Kerberos and NTLM authentication failures..."
— Sarah Lane [01:10]
[01:42 – 02:18]
"Kaspersky researchers say that a Chinese-speaking threat actor is likely behind the PassiveNeuron campaign..."
— Sarah Lane [01:42]
[02:19 – 02:44]
"Federal agencies have to patch them by November 10th and private organizations are advised to update affected systems."
— Sarah Lane [02:37]
[02:45 – 03:31]
"The design adds an insulating oxide layer that makes it harder to manipulate circuits with focused laser beams, including attacks that can flip bits or bypass authentication."
— Sarah Lane [03:12]
[03:32 – 04:21]
"Researchers exploited 34 zero-days across devices including QNAP and Synology NAS, printers, smart home gadgets and networking equipment, earning $522,500 for the effort."
— Sarah Lane [03:39]
[04:22 – 04:54]
"The worm uses invisible Unicode characters to hide its code, steals credentials from GitHub, npm and OpenVSX, installs remote access tools and turns developer machines into criminal proxy nodes."
— Sarah Lane [04:36]
[04:55 – 05:37]
"PolarEdge can operate in connect-back or debug modes, and its purpose seems to be linked to building a large network of compromised devices, not unlike Go SoC's use of infected systems as SOCKS5 proxies."
— Sarah Lane [05:24]
On Russian hackers’ evolution:
"Google believes that Coldriver is now using custom malware to gather deeper intelligence from already phished victims."
— Sarah Lane [00:33]
On Windows login chaos:
"...rejects authentication between devices sharing SIDs, often created when systems are cloned without using Sysprep."
— Sarah Lane [01:19]
On PWN2Own's value:
"The contest...awards zero-day exploits and promotes responsible disclosure, with vendors given 90 days to patch vulnerabilities before public disclosure."
— Sarah Lane [04:07]
This concise, news-driven episode offers a vital summary of emerging threats and critical vulnerabilities, bridging the technical and the practical for security professionals needing fast, actionable intelligence.