Links submitted by the Threat Radar community and AI curated for defenders.

Community Curated

Kaspersky Security Blog

Check Point Research

AlienVault OTX General

SANS ISC Handlers Diary

SecurityWeek

Threatpost

Exploit-DB RSS Feed

The Hacker News

ThreatFox MISP Feed

CIRCL OSINT Feed

CVE Database V5

Reddit NetSec

Reddit InfoSec News

Dark Reading

AlienVault OTX Vulnerabilities

AlienVault OTX Malware

The Everest ransomware group claims to have stolen 1. 5 million passenger records from Dublin Airport and 18,000 employee records from Air Arabia. This incident involves significant data exfiltration targeting critical transportation and airline sectors. Although no CVSS score is available, the breach impacts confidentiality and potentially operational integrity. The ransomware group has not yet released technical details or exploits, and discussion remains minimal. European organizations, especially in Ireland and countries with strong aviation ties, face heightened risk from similar attacks. The threat underscores the importance of securing sensitive personal and employee data against ransomware and data theft. Mitigation requires targeted data protection, network segmentation, and incident response readiness. Countries with major airports and airline operations are most vulnerable given the strategic value of such data. The severity is assessed as high due to the scale of data stolen and the critical infrastructure involved.

The Everest ransomware group has publicly claimed responsibility for a significant data breach involving the theft of approximately 1.5 million passenger records from Dublin Airport and 18,000 employee records from Air Arabia. This ransomware attack appears to combine traditional ransomware encryption with data exfiltration, a tactic increasingly used to pressure victims into paying ransoms by threatening data leaks. The stolen data reportedly includes sensitive personal information of passengers and employees, which could be exploited for identity theft, fraud, or further targeted attacks. While technical details such as infection vectors, exploited vulnerabilities, or ransomware payload specifics are not disclosed, the attack highlights vulnerabilities in critical infrastructure sectors such as aviation and airline operations. The lack of known exploits in the wild and minimal discussion on technical forums suggests the incident is recent and under investigation. The ransomware group’s ability to access and extract large volumes of sensitive data indicates potential weaknesses in network segmentation, access controls, or endpoint security within the targeted organizations. The incident also raises concerns about the protection of personally identifiable information (PII) under regulations like GDPR, especially for European entities. Given the strategic importance of airports and airlines, this attack could disrupt operations, damage reputations, and lead to regulatory penalties. The Everest ransomware’s dual-threat approach—encrypting data and threatening exposure—amplifies the impact beyond traditional ransomware attacks.

Detailed information about Everest Ransomware Says It Stole 1.5 Million Dublin Airport Passenger Records and 18,000 Air Arabia Employee Data. Get real-time upda

Everest Ransomware Says It Stole 1.5 Million Dublin Airport Passenger Records and 18,000 Air Arabia Employee Data - Live Threat Intelligence - Threat Radar | OffSeq.com

Everest Ransomware Says It Stole 1.5 Million Dublin Airport Passenger Records and 18,000 Air Arabia Employee Data

Reddit Discussion: Everest Ransomware Says It Stole 1.5 Million Dublin Airport Passenger Records and 18,000 Air Arabia Employee Data

This SecurityWeek roundup highlights multiple cybersecurity issues including new Android spyware targeting UAE users, a data breach at FEMA via Citrix exploitation, and vulnerabilities in Tile trackers. The Android spyware, disguised as legitimate apps, requires manual installation and exfiltrates sensitive data. The FEMA breach involved exploitation of a Citrix vulnerability dubbed CitrixBleed 2, leading to employee data theft and organizational repercussions. Tile tracker vulnerabilities allow unauthorized location tracking and compromise anti-theft features. Additional concerns include phishing campaigns abusing industrial routers and evolving post-quantum cryptography adoption. While no single exploit is widespread, these combined threats pose medium-level risks, especially to organizations with exposed infrastructure or users in affected regions. European entities should be vigilant about supply chain and endpoint security, particularly regarding mobile devices and IoT trackers. Mitigations include strict app installation policies, patching Citrix products, network segmentation, and enhanced monitoring of IoT devices. Countries with significant Citrix deployments, industrial infrastructure, and mobile user bases, such as Germany, the UK, France, Belgium, and the UAE-linked diaspora, are most likely affected.

The SecurityWeek news roundup from October 2025 aggregates several noteworthy cybersecurity threats and developments. Among these, two new Android spyware families named ProSpy and ToSpy have been identified targeting users in the United Arab Emirates. These spyware variants masquerade as legitimate applications like Signal and ToTok but are distributed outside official app stores, requiring manual installation. Once installed, they continuously exfiltrate sensitive data and files from infected devices, posing significant privacy and security risks. Another critical incident involves a data breach at the U.S. Federal Emergency Management Agency (FEMA) and Customs and Border Protection (CBP), attributed to exploitation of a Citrix vulnerability known as CitrixBleed 2. This vulnerability allowed attackers to steal employee data, resulting in internal disciplinary actions. The CitrixBleed 2 flaw is particularly concerning due to the widespread use of Citrix products in enterprise environments for remote access, making it a high-value target for attackers. Additionally, researchers uncovered severe security and privacy vulnerabilities in Tile location trackers. These flaws enable Tile’s servers and unprivileged adversaries to track users’ locations permanently or via Bluetooth, undermining the device’s anti-theft protections and user privacy. The report also mentions phishing campaigns leveraging vulnerabilities in Milesight industrial cellular routers, with thousands of devices exposed online and hundreds potentially vulnerable. On a broader scale, the adoption of post-quantum cryptography (PQC) in SSH servers is increasing but remains low in IoT, OT, and network devices, indicating a lag in securing critical infrastructure against future quantum threats. Collectively, these issues highlight a diverse threat landscape affecting mobile users, critical infrastructure, and IoT ecosystems.

Detailed information about In Other News: PQC Adoption, New Android Spyware, FEMA Data Breach. Get real-time updates, technical details, and mitigation strategi

In Other News: PQC Adoption, New Android Spyware, FEMA Data Breach - Live Threat Intelligence - Threat Radar | OffSeq.com

Original Source

In Other News: PQC Adoption, New Android Spyware, FEMA Data Breach

Cybersecurity researchers have discovered two Android spyware campaigns dubbed ProSpy and ToSpy that impersonate apps like Signal and ToTok to target users in the United Arab Emirates (U.A.E.). Slovak cybersecurity company ESET said the malicious apps are distributed via fake websites and social engineering to trick unsuspecting users into downloading them. Once installed, both the spyware

Cybersecurity researchers uncovered two Android spyware campaigns named ProSpy and ToSpy that impersonate popular communication apps Signal and ToTok to target users in the United Arab Emirates. These campaigns distribute malicious APK files through fake websites mimicking legitimate services, including a site resembling the Samsung Galaxy Store. The spyware apps masquerade as Signal Encryption Plugin and ToTok Pro, tricking users into manual installation since they are not available on official app stores. Once installed, the spyware requests broad permissions to access contacts, SMS messages, files, and device information. It then stealthily exfiltrates this sensitive data to attackers. Both spyware families employ persistence techniques such as running foreground services with persistent notifications, using Android's AlarmManager to restart services if terminated, and launching background services automatically after device reboot. The malware also uses deceptive UI elements: for example, the ToTok Pro app shows a "CONTINUE" button redirecting users to the official app download page, and the Signal Encryption Plugin shows an "ENABLE" button that leads users to the legitimate Signal website. These tactics reinforce the illusion of legitimacy and mask the spyware's presence. The ProSpy campaign has been active since 2024, while ToSpy has been ongoing since mid-2022. The campaigns focus on stealing sensitive data, including chat backups and media files. The use of ToTok as a lure is notable because the app was previously removed from official stores amid spying allegations linked to the UAE government. Google Play Protect provides some protection by detecting known malware variants even if installed from outside the Play Store. However, the campaigns highlight the risks posed by sideloaded apps and social engineering, especially in regions with high geopolitical tensions. The attackers behind these campaigns remain unknown, and the exact number or identity of victims is unclear. The campaigns underscore the importance of cautious app installation practices and monitoring for suspicious app behavior on Android devices.

Detailed information about Warning: Beware of Android Spyware Disguised as Signal Encryption Plugin and ToTok Pro. Get real-time updates, technical details, and

Warning: Beware of Android Spyware Disguised as Signal Encryption Plugin and ToTok Pro - Live Threat Intelligence - Threat Radar | OffSeq.com

Warning: Beware of Android Spyware Disguised as Signal Encryption Plugin and ToTok Pro

A spyware campaign involving fake versions of Signal and ToTok Android apps has been identified targeting users in the UAE. These malicious apps masquerade as legitimate communication tools but instead collect sensitive user data. The threat primarily affects Android users who download these counterfeit apps, potentially compromising confidentiality and privacy. Although currently focused on the UAE, the spyware could pose risks to users in other regions if the apps spread. The attack vector involves social engineering and phishing to lure victims into installing the fake apps. No known exploits or patches are currently documented, and the discussion around this threat remains limited. European organizations should be aware of the risk of similar spyware campaigns targeting communication apps. Mitigation requires user education, app source verification, and enhanced mobile security controls. Countries with significant expatriate or business ties to the UAE and high Android usage are more likely to be affected. The threat severity is assessed as high due to the spyware’s potential to exfiltrate sensitive data without user consent and the ease of exploitation via social engineering.

This threat involves spyware embedded within counterfeit versions of popular communication apps Signal and ToTok targeting Android users primarily in the United Arab Emirates (UAE). The fake apps are distributed through phishing campaigns or deceptive links, tricking users into installing malicious software that masquerades as legitimate messaging platforms. Once installed, the spyware can access sensitive information such as contacts, messages, call logs, location data, and potentially microphone and camera feeds, severely compromising user privacy and data confidentiality. The spyware’s presence in apps mimicking trusted communication tools increases the likelihood of successful infection due to user trust in these brands. Although no specific affected app versions or exploits are documented, the threat leverages social engineering rather than technical vulnerabilities, making it broadly applicable to any Android user who installs these fake apps. The campaign’s focus on UAE users suggests a targeted operation, possibly motivated by geopolitical or intelligence-gathering objectives. The lack of patches or official advisories highlights the importance of proactive detection and prevention. The threat’s medium severity rating likely reflects limited current spread and discussion, but the potential impact on confidentiality and privacy is significant. The spyware’s capability to operate stealthily and exfiltrate data without user interaction or authentication requirements increases its risk profile. This threat underscores the need for vigilance regarding app sources and the dangers of phishing in mobile environments.

Detailed information about Spyware in Fake Signal and ToTok Apps Targets UAE Android Users. Get real-time updates, technical details, and mitigation strategies.

Spyware in Fake Signal and ToTok Apps Targets UAE Android Users - Live Threat Intelligence - Threat Radar | OffSeq.com

Spyware in Fake Signal and ToTok Apps Targets UAE Android Users

Reddit Discussion: Spyware in Fake Signal and ToTok Apps Targets UAE Android Users

ProSpy, ToSpy malware pose as Signal and ToTok to steal data in UAE

Source: https://securityaffairs.com/182907/uncategorized/prospy-tospy-malware-pose-as-signal-and-totok-to-steal-data-in-uae.html

The ProSpy and ToSpy malware campaigns involve malicious software that impersonates legitimate messaging applications, specifically Signal and ToTok, to deceive users into installing them. These malware variants have been reported primarily in the United Arab Emirates (UAE). By masquerading as trusted communication tools, the malware aims to steal sensitive user data. The infection vector likely involves social engineering tactics where users are tricked into downloading fake versions of these apps, which then execute data exfiltration routines. The stolen data could include personal communications, contact lists, location information, and potentially other sensitive device data. Although detailed technical specifics such as the malware’s persistence mechanisms, command and control infrastructure, or exploitation techniques are not provided, the core threat revolves around credential and data theft through deceptive app impersonation. The malware does not currently have known exploits in the wild beyond these reported cases, and no patches or vulnerability fixes are associated, as this is a malware distribution issue rather than a software vulnerability. The severity is assessed as medium, reflecting the potential for significant privacy breaches but limited scope and sophistication based on available information.

Detailed information about ProSpy, ToSpy malware pose as Signal and ToTok to steal data in UAE. Get real-time updates, technical details, and mitigation strateg

ProSpy, ToSpy malware pose as Signal and ToTok to steal data in UAE - Live Threat Intelligence - Threat Radar | OffSeq.com

ProSpy, ToSpy malware pose as Signal and ToTok to steal data in UAE

Reddit Discussion: ProSpy, ToSpy malware pose as Signal and ToTok to steal data in UAE

Two Android spyware campaigns, ProSpy and ToSpy, have been discovered targeting users in the United Arab Emirates. These campaigns impersonate secure messaging apps like Signal and ToTok, distributing malware through deceptive websites and social engineering tactics. Once installed, the spyware exfiltrates sensitive data including contacts, SMS messages, files, and device information. The campaigns use persistence mechanisms to ensure continuous operation on compromised devices. ProSpy disguises itself as encryption plugins or pro versions of apps, while ToSpy exclusively mimics the ToTok app. The malware is distributed through unofficial sources, highlighting the risks of downloading apps outside official app stores.

The identified threat involves two distinct Android spyware campaigns named ProSpy and ToSpy, targeting privacy-conscious users in the United Arab Emirates (UAE). These campaigns leverage social engineering and app impersonation tactics to deceive victims into installing malicious software. Specifically, the spyware masquerades as legitimate secure messaging applications such as Signal and ToTok, which are popular for their privacy features. Distribution occurs primarily through unofficial channels and deceptive websites, bypassing official app stores, thereby increasing the risk of infection for users who download apps from untrusted sources. Once installed, both ProSpy and ToSpy establish persistence mechanisms to maintain long-term presence on compromised devices. They actively exfiltrate sensitive personal data including contacts, SMS messages, files, and device information, which could be exploited for surveillance or further malicious activities. ProSpy disguises itself as encryption plugins or premium versions of legitimate apps, while ToSpy exclusively impersonates the ToTok app. The campaigns highlight the risks associated with downloading apps outside official marketplaces and the challenges in protecting Android users against sophisticated spyware that targets privacy-focused individuals.

MD5 of 43f4dc193503947cb9449fe1cca8d3feb413a52d

MD5 of db9fe6cc777c68215bb0361139119dafee3b3194

MD5 of 154d67f871ffa19dce1a7646d5ae4ff00c509ee4

MD5 of bdc16a05bf6b771e6edb79634483c59fe041d59b

MD5 of ffaac2fdd9b6f5340d4202227b0b13e09f6ed031

SHA256 of 154d67f871ffa19dce1a7646d5ae4ff00c509ee4

SHA256 of bdc16a05bf6b771e6edb79634483c59fe041d59b

SHA256 of ffaac2fdd9b6f5340d4202227b0b13e09f6ed031

SHA256 of 43f4dc193503947cb9449fe1cca8d3feb413a52d

SHA256 of db9fe6cc777c68215bb0361139119dafee3b3194

Detailed information about New spyware campaigns target privacy-conscious Android users in the UAE. Get real-time updates, technical details, and mitigation str

New spyware campaigns target privacy-conscious Android users in the UAE - Live Threat Intelligence - Threat Radar | OffSeq.com

New spyware campaigns target privacy-conscious Android users in the UAE

The XorDDoS trojan, a DDoS malware targeting Linux machines, continues to spread globally with over 70% of attacks targeting the United States from Nov 2023 to Feb 2025. The operators are believed to be Chinese-speaking individuals based on language settings. A new 'VIP version' of the XorDDoS controller and central controller have been discovered, enabling more sophisticated and widespread attacks. The malware uses SSH brute-force attacks to gain access and implements persistence mechanisms. A new central controller allows threat actors to manage multiple sub-controllers simultaneously, enhancing attack coordination. The infection chain, decryption methods, and network communication patterns between the trojan, sub-controller, and central controller are analyzed in detail.

The XorDDoS trojan is a Linux-targeting malware designed to conduct distributed denial-of-service (DDoS) attacks by compromising vulnerable Linux machines primarily through SSH brute-force attacks. The malware attempts to gain unauthorized access by systematically guessing SSH credentials, exploiting weak or default passwords. Upon successful compromise, XorDDoS establishes persistence mechanisms on the infected host, ensuring continued control even after system reboots or removal attempts. A recent discovery revealed a new 'VIP version' of the XorDDoS controller infrastructure, introducing a hierarchical command-and-control (C2) architecture consisting of a central controller managing multiple sub-controllers. This design significantly enhances the attackers' ability to coordinate large-scale and sophisticated DDoS campaigns. The infection chain involves initial brute-force access, deployment of the trojan, and encrypted communication between the trojan, sub-controllers, and the central controller. The malware uses specific network communication patterns and encryption methods to evade detection and maintain stealth. Indicators of compromise include several known malicious file hashes and domains used for C2 communication, such as 'ppp.gggatat456.com' and 'ppp.xxxatat456.com'. Although over 70% of observed attacks from November 2023 to February 2025 targeted the United States, the global spread and modular infrastructure of XorDDoS suggest potential for broader impact. The operators are believed to be Chinese-speaking based on language settings observed in the malware, but no direct attribution beyond this linguistic indicator is confirmed. No known public exploits are currently reported, and the overall severity is assessed as medium, reflecting the malware's capability to disrupt services but also the availability of mitigation strategies.

Detailed information about Unmasking the new XorDDoS controller and infrastructure. Get real-time updates, technical details, and mitigation strategies.

Unmasking the new XorDDoS controller and infrastructure - Live Threat Intelligence - Threat Radar | OffSeq.com

Unmasking the new XorDDoS controller and infrastructure

Multiple state-sponsored threat actors from North Korea, Iran, and Russia have been observed adopting the ClickFix social engineering technique, previously associated with cybercriminal activities. Over a three-month period from late 2024 to early 2025, groups such as TA427, TA450, UNK_RemoteRogue, and TA422 incorporated ClickFix into their existing infection chains. The technique involves using dialogue boxes with instructions for targets to copy, paste, and run malicious commands on their machines. While the adoption of ClickFix hasn't revolutionized these groups' campaigns, it has replaced installation and execution stages in their existing processes. This trend highlights the fluidity of tactics among threat actors and the potential for wider adoption of ClickFix by other state-sponsored groups in the future.

The threat titled "Around the World in 90 Days: State-Sponsored Actors Try ClickFix" describes the observed adoption of the ClickFix social engineering technique by multiple state-sponsored threat actors originating from North Korea, Iran, and Russia. These groups, including TA427, TA450, UNK_RemoteRogue, and TA422, integrated ClickFix into their existing malware infection chains over a three-month period spanning late 2024 to early 2025. ClickFix is a social engineering method that relies on presenting targets with dialogue boxes containing instructions that prompt users to copy, paste, and execute malicious commands directly on their machines. This technique effectively replaces the traditional installation and execution stages of malware deployment, streamlining the infection process by leveraging user interaction to execute payloads. While ClickFix has been previously associated with cybercriminal groups, its adoption by state-sponsored actors marks a notable shift in tactics, demonstrating the fluidity and adaptability of these actors in evolving their operational methods. The technique is linked with tools such as Metasploit and QuasarRAT, indicating its use in deploying remote access trojans and exploitation frameworks. Despite the integration of ClickFix, the overall campaign strategies of these groups have not fundamentally changed, but the trend suggests a potential for broader adoption of this social engineering approach by other state-sponsored entities in the future. No specific affected software versions or patches are identified, and no known exploits in the wild have been reported. The threat is classified as medium severity, reflecting moderate risk based on current knowledge.

Detailed information about Around the World in 90 Days: State-Sponsored Actors Try ClickFix. Get real-time updates, technical details, and mitigation strategies

Around the World in 90 Days: State-Sponsored Actors Try ClickFix - Live Threat Intelligence - Threat Radar | OffSeq.com

Around the World in 90 Days: State-Sponsored Actors Try ClickFix

OSINT - Keep Calm and (Donâ€™t) Enable Macros: A New Threat Actor Targets UAE Dissidents

This threat report describes a new threat actor targeting UAE dissidents through social engineering techniques involving malicious macros. The attack vector relies on convincing targets to enable macros in documents, which then execute malicious code. Macros are small programs embedded in office documents that can automate tasks but can also be exploited to deliver malware. The threat actor's campaign appears to focus on political dissidents in the UAE, leveraging OSINT (Open Source Intelligence) to identify and target individuals. Although specific technical details and payloads are not provided, the use of macros suggests the threat actor is exploiting a common attack vector that bypasses traditional signature-based detection by embedding malicious code in seemingly benign documents. The campaign's medium severity rating indicates a moderate threat level, likely due to targeted scope and reliance on user interaction (enabling macros). There are no known exploits in the wild beyond this campaign, and no affected software versions or patches are listed, implying this is a social engineering-based threat rather than a software vulnerability. The threat level and analysis scores of 2 (on an unspecified scale) further support a moderate risk assessment.

Detailed information about OSINT - Keep Calm and (Donâ€™t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Get real-time updates, technical details, a

Title	Severity	Type	Source	Date

Threats Affecting United Arab Emirates

Stop chasing alerts. Route them.

Filter Threats

Threats Affecting United Arab Emirates

Keyboard Shortcuts

Navigation

Search & Filters

UI Controls

Accessibility