Daily Security Briefing 042
- DjediTech
- Security, Newsletter
- October 16, 2025
EtherHiding malware surges with UNC5142 and DPRK’s UNC5342, Microsoft leads phishing targets, Qilin ransomware exploits bulletproof hosts
Executive Summary
Threat actors continue to find new ways to abuse blockchain technology to hide malware, as shown by the EtherHiding campaigns of the financially motivated group UNC5142 and the North Korean state-sponsored group UNC5342. The technique marks a concerning evolution in malware delivery, using public blockchain transactions to stage malicious code and evade detection. Microsoft remains the most impersonated brand in phishing, dominating impersonation attempts worldwide in Q3 2025. Meanwhile, ransomware operators such as Qilin intensify global extortion through covert bulletproof hosting networks that complicate takedown efforts. A critical Microsoft Windows vulnerability draws an urgent warning from CISA, and espionage campaigns increasingly abuse built-in Windows components and spear-phishing to deploy advanced malware such as ValleyRAT.
Top Articles
New Group on the Block: UNC5142 Leverages EtherHiding to Distribute Malware
Since late 2023, the financially motivated threat actor UNC5142 has combined compromised WordPress sites with “EtherHiding”, a technique that stores malicious code on public blockchains, to distribute information stealers targeting Windows and macOS. This novel delivery vector makes attributing and detecting the malicious activity more difficult for defenders.
CLOUD.GOOGLE.COM | THEHACKERNEWS
DPRK Adopts EtherHiding: Nation-State Malware Hiding on Blockchains
Google Threat Intelligence Group reports that North Korea’s UNC5342 is the first nation-state actor observed using EtherHiding to hide malware and facilitate cryptocurrency theft. This development extends the blockchain-abuse tactic beyond financially motivated groups and signals nation-state adoption of stealthy, decentralized malware delivery.
CLOUD.GOOGLE.COM | THEHACKERNEWS
Microsoft Dominates Phishing Impersonations in Q3 2025
Check Point Research reports that Microsoft accounted for 40% of brand impersonation attempts in Q3 2025, keeping its position as the most targeted company in phishing campaigns worldwide. Other major tech brands such as Google follow, highlighting attackers’ preference for well-known brands in social engineering operations.
BLOG.CHECKPOINT.COM
Qilin Ransomware Leverages Ghost Bulletproof Hosting for Global Attacks
The ransomware-as-a-service gang Qilin is intensifying its operations by using a secretive network of bulletproof hosting providers to shield its command-and-control servers and leak sites. These hosting services hide attacker infrastructure behind layers of shell companies and privacy-friendly jurisdictions, complicating disruption efforts.
GBHACKERS.COM
North Korean Hackers Deploy BeaverTail–OtterCookie Combo for Keylogging Attacks
Cisco Talos uncovered a stealthy attack campaign by Lazarus’ Famous Chollima subgroup that uses the BeaverTail and OtterCookie JavaScript tools to capture keystrokes and screenshots and to exfiltrate sensitive data. The operation reflects evolving tactics in North Korean espionage efforts against a wide range of victims.
GBHACKERS.COM
CISA Issues Warning Over Microsoft Windows Vulnerability Actively Exploited by Attackers
The Cybersecurity and Infrastructure Security Agency (CISA) warned that CVE-2025-59230, a critical flaw in the Microsoft Windows Remote Access Connection Manager, is under active exploitation. The vulnerability enables privilege escalation, exposing affected systems to further compromise. Prompt patching is advised.
CYBERPRESS.ORG
Hackers Exploit Windows Scheduler in ‘Silk Lure’ Attack to Spread ValleyRAT
Seqrite Labs reports an espionage campaign that uses spear-phishing emails disguised as job applications to target Chinese organizations. The attackers abuse the Windows Task Scheduler to deploy the ValleyRAT malware, illustrating how social engineering is increasingly combined with abuse of built-in system features to maintain persistent access.
CYBERPRESS.ORG
Denial of Fuzzing: Rust in the Windows kernel
Check Point Research disclosed a vulnerability, dating from January 2025, in the new Rust-based Graphics Device Interface (GDI) kernel component of Windows. Microsoft fixed the issue in OS Build 26100.4202 as part of the KB5058499 update. The case highlights the security challenges that remain when integrating a new systems programming language into an OS kernel.
RESEARCH.CHECKPOINT.COM
Threat Brief: Nation-State Actor Steals F5 Source Code and Undisclosed Vulnerabilities
A nation-state actor exfiltrated source code for F5 BIG-IP products together with details of undisclosed vulnerabilities. The theft poses a significant threat, as it could enable sophisticated exploits against critical network infrastructure worldwide.
UNIT42.PALOALTONETWORKS.COM
AI Transparency: This newsletter uses AI to curate, rank, and summarize cybersecurity content from leading industry blogs. All articles link directly to original authors. Executive summaries are AI-generated based on article content. I curate the sources and deliver the digest—the original authors deserve the credit for their excellent work.