
Snapshot Summary
| Sector / Section | Headline Highlights | Count |
|---|---|---|
| DFIR & Incident Response | Qilin TTPs; ToolShell chains against SharePoint surge | 2 |
| Cyber Investigations | Commercial spyware ‘Dante’ tied to Memento Labs; Lanscope zero-day abuse | 2 |
| Major Cyber Incidents | US city ransomware; German vendor breach; SARPC claim | 3 |
| Exploits & Threat Intelligence | BIND 9 patch push; Lanscope exploitation | 2 |
| Law Enforcement | Singapore arrests on SIM fraud; suspect charged in impersonation scam | 2 |
| Policy | CRI supply-chain ransomware guidance; OFAC sanctions crypto exchange | 2 |
| Standards & Compliance | ICMPv6 reflection draft reviewed; New hash RFC (IRTF) | 2 |
DFIR & Incident Response
Cisco Talos details Qilin ransomware TTPs from multiple IR cases — 27-10-2025. Cisco Talos published an incident-response analysis of Qilin ransomware, aggregating techniques seen across multiple 2025 engagements including leak-site cadence and sector targeting. Teams should update detections for Qilin’s tradecraft and rehearse containment for data-leak extortion, particularly in manufacturing and professional services. (Source: Cisco Talos).
IR Trends Q3 2025: public-facing app exploits surge, ToolShell chains dominate — 23-10-2025. Talos IR’s Q3 report highlights a spike in initial access via public-facing applications, especially ToolShell chains against unpatched SharePoint, while ransomware cases fell proportionally. Prioritise internet-exposed patching and segmentation; hunt for ToolShell and web-shell artefacts in SharePoint and related IIS telemetry. (Source: Cisco Talos).
Cyber Investigations
Kaspersky links ‘Dante’ spyware to Memento Labs (ex-Hacking Team) in ForumTroll ops — 27-10-2025. Researchers disclosed a previously unknown commercial ‘Dante’ spyware platform tied to Memento Labs (formerly Hacking Team) and observed in ForumTroll APT activity. DFIR teams should expand spyware telemetry collection and check endpoints for Dante indicators and loader tools like BabShell and MemLoader HidenDesk. (Source: Kaspersky Securelist).
Japan warns of Lanscope zero-day abuse against enterprises — 26-10-2025. JPCERT/IPA reported active exploitation of a Lanscope endpoint management zero-day used for privilege escalation and pivoting inside Japanese organisations. Investigators should validate Lanscope exposure, deploy vendor mitigations, and review authentication and lateral-movement logs around management servers. (Source: Help Net Security, citing JPCERT/IPA).
Major Cyber Incidents
City of Gloversville, New York, hit by ransomware; services disrupted — 27-10-2025. The City of Gloversville said a ransomware attack forced key systems offline, with officials coordinating recovery and public-facing services affected. Municipal environments remain prime extortion targets; ensure offline backups, tested restoration runbooks, and segmentation of public safety and finance systems. (Source: NEWS10 ABC).
Xortec discloses cyberattack impacting operations and customer access — 26-10-2025. German video surveillance provider Xortec reported a cyber incident that disrupted services and triggered containment measures. Supply-chain exposure via security-tech vendors can cascade; validate monitoring gaps and vendor access controls during incident handling. (Source: Security Affairs).
Ransomware group claims attack on South African Revenue Protection Company — 26-10-2025. Ransomware trackers observed a claim against the South African Revenue Protection Company (SARPC) with alleged data exfiltration. Claims on leak sites should trigger intel-led validation and sectoral notifications even before victim confirmation to pre-empt copycat targeting. (Source: Ransomware.live).
Exploits & Threat Intelligence
JPCERT warns administrators to update BIND 9 following recent advisories — 24-10-2025. JPCERT/CC issued a CyberNewsFlash urging rapid patching of BIND 9 after upstream disclosures of remotely triggerable issues. DNS infrastructure remains high-value; prioritise patch roll-outs and monitor for anomalous resolver crashes or query spikes. (Source: JPCERT/CC CyberNewsFlash).
Active exploitation of Lanscope zero-day reported; mitigation available — 26-10-2025. Security researchers and JPCERT/IPA confirmed in-the-wild abuse of a Lanscope vulnerability used to gain elevated access and move laterally. Threat hunters should search for suspicious admin actions from Lanscope servers and enforce least-privilege on EMM tooling. (Source: Help Net Security / JPCERT).
Law Enforcement
Singapore Police arrest 18 for suspected fraudulent SIM registration — 25-10-2025. Singapore Police arrested 18 people for alleged fraudulent SIM registrations linked to scams and money-laundering activity. Fraudulent SIM provisioning fuels phishing and mule networks; telecom KYC controls and cross-border intel sharing are critical. (Source: Singapore Police Force).
Malaysian man to be charged in Singapore over government-impersonation scam — 26-10-2025. Following a report on 25 October, Singapore Police arrested a suspect who allegedly collected cash and valuables in an impersonation scam. Operational takedowns against on-the-ground collectors disrupt scam supply chains and provide artefacts to trace command layers. (Source: Singapore Police Force).
Policy
Counter Ransomware Initiative members issue supply-chain resilience guidance — 25-10-2025. CRI governments and private-sector partners published guidance to strengthen supply-chain resilience against ransomware across procurement and operations. CISOs should map supplier risk, enforce baseline controls, and bake ransomware resilience into contracts and vendor oversight. (Source: GOV.UK).
U.S. Treasury sanctions cryptocurrency exchange and network supporting illicit finance — 24-10-2025. OFAC announced sanctions targeting a cryptocurrency exchange and associated network for facilitating illicit transactions. Sanctions raise compliance exposure for exchanges and intermediaries; ensure screening and transaction-monitoring controls are tuned. (Source: U.S. Department of the Treasury).
Standards & Compliance
IETF Security Directorate review advances ICMPv6 reflection mitigations — 26-10-2025. The IETF Security Directorate posted a Last-Call review of the ICMPv6 reflection draft, with updates noted on 26 October. Operators should track anti-reflection guidance in the evolving draft to reduce DDoS amplification vectors in IPv6 networks. (Source: IETF Datatracker, secdir review).
RFC 9861 publishes KangarooTwelve & TurboSHAKE hash functions (IRTF) — 21-10-2025. The IRTF published RFC 9861 documenting KangarooTwelve and TurboSHAKE extendable-output hash functions. Crypto and product teams should track algorithm agility plans and assess library support for future adoption paths. (Source: IETF/IRTF Datatracker).
Editorial Perspective
The past 48 hours underscore a familiar pattern: extortion crews keep pressure high while initial access increasingly comes from internet-facing apps. SharePoint ToolShell chains and management tooling like Lanscope are recurring weak points.
Intelligence from Kaspersky on the ‘Dante’ spyware shows mercenary capabilities remain active and adaptive. DFIR teams should expand hunts for stealthy loaders and refresh mobile and desktop telemetry coverage for commercial spyware markers.
On the defensive side, governments continue to shift left with policy and sanctions. The new CRI supply-chain ransomware guidance is actionable—fold its checks into procurement gates and third-party risk reviews.
Keep an eye on standards work that quietly changes defaults: ICMPv6 reflection mitigations and new hash function RFCs both signal upcoming updates in stacks and libraries.
Action this week: patch DNS resolvers; audit Lanscope/EMM exposure; review SharePoint for ToolShell artefacts; and test ransomware recovery against your most time-critical services.
