October was a busy month for our cyber adversaries, with new AI-powered malware families capable of rewriting themselves at runtime and stealthy persistence techniques like hidden Hyper-V virtual machines. Major incidents this month included the theft of F5 BIG-IP source code, arrests tied to Meduza Stealer, an insider-driven BlackCat/ALPHV ransomware case, and the ransomware disruption of Japan’s Asahi Group manufacturing operations.
Techniques
New AI-Powered Malware Families
Google’s Threat Intelligence Group has warned of several new AI-powered malware families actively deployed in the wild, marking a significant shift in how malicious code operates. Unlike traditional malware, these variants leverage Large Language Models (LLMs) during execution to dynamically rewrite code, obfuscate behaviour, and evade detection.
Among the new threats are PromptFlux, a VBScript dropper that uses Google’s Gemini LLM to generate new script variants and spreads via network shares and removable drives; FruitShell, a PowerShell-based reverse shell that embeds hard-coded prompts designed to confuse AI-based security scanners; QuietVault, which targets developer credentials, using local AI tools to search for and exfiltrate GitHub and NPM tokens; and PromptLock, an experimental ransomware strain that uses AI to generate Lua scripts at runtime to attack Windows, macOS and Linux systems.
Google also reports that state-linked groups from China, Iran, and North Korea are experimenting with LLMs for phishing, vulnerability discovery, and malware development. In underground forums, cybercriminals are now openly marketing “AI-powered” hacking services, including tools for reconnaissance and social engineering. The rise of AI-driven malware poses new challenges for defenders, as static detection methods become less effective against code that modifies itself at runtime. Google engineers have stressed the need for stronger guardrails in AI models, closer monitoring of AI API usage, and behaviour-based detection approaches to counter this emerging threat landscape.
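One concrete form of the “monitor AI API usage” advice above is to ask which processes on an endpoint are talking to LLM API endpoints at all. The PowerShell below is an added example, not code from the article or from Google’s report: it runs a small hunt over constructed Sysmon Event ID 3 style network records (inlined as sample objects) and flags connections to LLM API hosts from script interpreters, from processes outside an allow-list, or from the SYSTEM account. The two hostnames are public API endpoints of Gemini and OpenAI; the list of allowed client executables is an assumption you must set for your own estate, and `Find-SuspiciousLlmClient` is a hypothetical function name.

```powershell
# Added example (not from the original article): hunt for script hosts and
# non-allow-listed processes reaching LLM API endpoints.
# Hostnames: public API endpoints (starting list, extend as needed).
$LlmApiHosts = @('generativelanguage.googleapis.com', 'api.openai.com')
# Script interpreters that AI-driven droppers/shells run under (assumption).
$ScriptHosts = @('wscript.exe', 'cscript.exe', 'powershell.exe', 'pwsh.exe', 'mshta.exe', 'node.exe', 'python.exe', 'lua.exe')
# Processes permitted to call LLM APIs interactively (assumption for this estate).
$AllowedLlmClients = @('chrome.exe', 'msedge.exe', 'code.exe')

# Constructed sample records mimicking Sysmon Event ID 3 fields (not real telemetry).
$records = @(
    [pscustomobject]@{ UtcTime = '2025-10-14 09:12:01'; Image = 'C:\Program Files\Google\Chrome\Application\chrome.exe'; User = 'CORP\alice'; DestinationHostname = 'generativelanguage.googleapis.com'; DestinationPort = 443 },
    [pscustomobject]@{ UtcTime = '2025-10-14 09:12:44'; Image = 'C:\Windows\System32\wscript.exe'; User = 'CORP\alice'; DestinationHostname = 'generativelanguage.googleapis.com'; DestinationPort = 443 },
    [pscustomobject]@{ UtcTime = '2025-10-14 09:13:10'; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; User = 'NT AUTHORITY\SYSTEM'; DestinationHostname = 'api.openai.com'; DestinationPort = 443 },
    [pscustomobject]@{ UtcTime = '2025-10-14 09:15:02'; Image = 'C:\Windows\System32\svchost.exe'; User = 'NT AUTHORITY\SYSTEM'; DestinationHostname = 'update.microsoft.com'; DestinationPort = 443 }
)

function Find-SuspiciousLlmClient {
    # Hypothetical helper: emits one finding per record that reaches an LLM API
    # host from a process that is not on the allow-list.
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        $exe  = [System.IO.Path]::GetFileName($Record.Image).ToLowerInvariant()
        $dest = $Record.DestinationHostname.ToLowerInvariant()
        if ($LlmApiHosts -notcontains $dest)     { return }   # not an LLM endpoint
        if ($AllowedLlmClients -contains $exe)   { return }   # tolerated interactive client

        # Script interpreters and the SYSTEM context have no business calling an LLM API.
        $severity = if ($ScriptHosts -contains $exe) { 'High' } else { 'Medium' }
        if ($Record.User -like 'NT AUTHORITY\*') { $severity = 'High' }

        [pscustomobject]@{
            Time        = $Record.UtcTime
            Severity    = $severity
            Process     = $exe
            User        = $Record.User
            Destination = $dest
        }
    }
}

# On the sample data this reports two High findings: wscript.exe (alice) and
# powershell.exe running as SYSTEM; chrome.exe and svchost.exe are not flagged.
$records | Find-SuspiciousLlmClient | Format-Table -AutoSize
```

In production the `$records` array would be replaced by `Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -FilterXPath '*[System[EventID=3]]'` with the fields parsed from the event XML; the logic itself is deliberately simple so that it can be lifted into a SIEM rule.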
Malware Evasion and Persistence via Hidden Hyper-V Virtual Machines
Bitdefender researchers described a novel evasion and persistence technique used by a threat cluster dubbed Curly Comrades that creates hidden Hyper-V Virtual Machines (VM) on compromised hosts to run malicious workloads out of sight of host security tools. Rather than executing payloads directly on the OS where EDR/AV can inspect or block them, attackers create lightweight VM instances using VHD/VHDX images and Hyper-V APIs or PowerShell and run the malicious code inside the VM. Because many endpoint sensors focus on host processes, the threat can hide command-and-control, credential theft, lateral movement and persistence mechanisms inside the VM, making detection harder and reducing forensic visibility.
The technique also aids in persistence, as VMs (or their autostart configurations) can be registered to survive reboots, and attackers may tamper with Hyper-V services or use signed drivers to evade controls. Bitdefender warned that this pattern represents a significant escalation of attackers leveraging legitimate virtualisation features as a stealthy execution environment.
Recommended defences to mitigate these types of attacks include disabling Hyper-V on endpoints that do not need it, enforcing least privilege so regular users are unable to create VMs, monitoring for unusual Hyper-V/PowerShell activity and unexpected VHD/VHDX files, enabling kernel and firmware integrity protections, and extending EDR visibility to the virtualisation layer. Network and host telemetry should be correlated for anomalies such as unexpected virtual Network Interface Cards (NICs), VM processes, and persistence artefacts such as autostart VM configurations and scheduled tasks.
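The hunt below turns the detection advice above into a single endpoint sweep. It is an added example, not code from Bitdefender or from the article: run elevated on a Windows host, it reports whether Hyper-V is enabled and its management service is running, enumerates registered VMs with their autostart action, disks and virtual switches, locates VHD/VHDX files outside the expected locations, looks for scheduled tasks that invoke Hyper-V cmdlets, and pulls recent entries from the Hyper-V VMMS admin log. All cmdlets used are standard Hyper-V and Windows cmdlets; the `$ExpectedVhdRoots` paths and the scheduled-task keyword list are assumptions to adjust to your own build standard.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): sweep a Windows endpoint for
# Hyper-V artefacts that should not exist on a host with no business running VMs.

# Assumption: where legitimately created disk images live on this estate.
$ExpectedVhdRoots = @(
    "$env:PUBLIC\Documents\Hyper-V\Virtual hard disks",
    "$env:ProgramData\Microsoft\Windows\Hyper-V"
)
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Is Hyper-V enabled and is the Virtual Machine Management service running?
$feature = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All -ErrorAction SilentlyContinue
$vmms    = Get-Service -Name vmms -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled') { $findings.Add('Hyper-V feature is enabled') }
if ($vmms -and $vmms.Status -eq 'Running')       { $findings.Add('vmms service is running') }

# 2. Registered VMs: state, autostart action (reboot persistence), disks and switches.
if (Get-Command Get-VM -ErrorAction SilentlyContinue) {
    foreach ($vm in Get-VM) {
        $disks = (Get-VMHardDiskDrive -VMName $vm.Name).Path -join ';'
        $nics  = (Get-VMNetworkAdapter -VMName $vm.Name).SwitchName -join ';'
        $findings.Add("VM '$($vm.Name)' state=$($vm.State) autostart=$($vm.AutomaticStartAction) disks=$disks switches=$nics")
        if ($vm.AutomaticStartAction -ne 'Nothing') {
            $findings.Add("VM '$($vm.Name)' is configured to start automatically with the host")
        }
    }
}

# 3. VHD/VHDX images on fixed drives outside the expected roots.
$fixedDrives = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Z]:\\$' }
foreach ($drive in $fixedDrives) {
    Get-ChildItem -Path $drive.Root -Include *.vhd, *.vhdx -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object {
            $path = $_.FullName
            -not ($ExpectedVhdRoots | Where-Object { $path.StartsWith($_, 'OrdinalIgnoreCase') })
        } |
        ForEach-Object { $findings.Add("Unexpected disk image: $($_.FullName) ($([math]::Round($_.Length / 1MB)) MB)") }
}

# 4. Scheduled tasks that start or import VMs (persistence outside the VM config itself).
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match 'Start-VM|New-VM|Import-VM|vmconnect|Hyper-V') {   # keyword list is an assumption
            $findings.Add("Scheduled task '$($task.TaskName)' runs: $cmd")
        }
    }
}

# 5. Recent management events: VM creation, start and configuration changes land here.
Get-WinEvent -LogName 'Microsoft-Windows-Hyper-V-VMMS-Admin' -MaxEvents 50 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $firstLine = ($_.Message -split "`n")[0]
        $findings.Add("VMMS event $($_.Id) at $($_.TimeCreated): $firstLine")
    }

if ($findings.Count -eq 0) { 'No Hyper-V artefacts found.' } else { $findings }
```

On a workstation where Hyper-V has been disabled by policy, the expected output is the single “No Hyper-V artefacts found.” line; anything else is a lead for the EDR and network telemetry correlation the text recommends, with an autostart VM or a disk image under a user profile being the strongest signals.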
Happenings
[US] F5 Source Code Stolen by Nation-State Hackers
F5, a leading U.S. cybersecurity and networking company, suffered a major breach that experts are calling one of the most significant cyber incidents of 2025. The attack, which has since been attributed to a state-sponsored group linked to China, infiltrated F5’s internal systems and exfiltrated sensitive data, including portions of the source code for its widely deployed BIG-IP product line as well as internal vulnerability reports. BIG-IP products are often referred to as Application Delivery Controllers (ADCs); the line includes hardware appliances and virtual or cloud-based appliances that commonly sit in front of internet-exposed applications.
The breach is believed to have persisted undetected for months, giving the attackers ample time to explore F5’s development infrastructure. While F5 insists that no customer networks appear to have been directly compromised, the theft of proprietary code poses serious risks: access to the BIG-IP source could allow attackers to identify and weaponise zero-day vulnerabilities across F5’s global customer base, which includes government agencies, Fortune 500 firms, and critical infrastructure providers.
In response, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive requiring all federal agencies to identify and patch F5 appliances, citing a “significant and imminent threat” to national networks. F5 has since released patches addressing several of the vulnerabilities whose details were stolen and is working with federal authorities on further containment and remediation.
[RU] Hackers Arrested After Targeting Russian Organisations
Russian law-enforcement officials have arrested three individuals in the Moscow region who are alleged to be the creators and operators of the Meduza Stealer malware. The arrests were announced by the country’s Interior Ministry and were triggered after investigators linked the group to a breach of a government institution in the Astrakhan region in May 2025 that involved the exfiltration of confidential data.
Meduza Stealer is a Windows-based information-stealing tool that has been distributed via a Malware-as-a-Service model since 2023 and was marketed on cybercriminal forums as well as Telegram channels, with monthly subscriptions and lifetime licences. The functionality of Meduza Stealer is broad and deep: it can harvest credentials from web browsers, extract data from cryptocurrency wallets, snoop on password managers and two-factor authentication extensions, and gather system metadata to profile victims.
Infostealers like Meduza often avoid targeting systems in CIS (Commonwealth of Independent States) countries, as it is understood that many of these groups enter tacit (or even more formal) agreements allowing them to operate freely in these areas so long as they only target Western countries. In this case, attacking a Russian government entity appears to have breached that informal threshold, prompting the full-scale crackdown. The arrested suspects have been described as “young IT specialists” and are now facing charges under Part 2, Article 273 of the Russian Criminal Code for creating, using and distributing malicious software.
While this operation may disrupt Meduza Stealer, the underlying Infostealer-as-a-Service business model remains difficult to eliminate. As we have seen in the past, even if the entire team behind Meduza Stealer is charged and imprisoned, other individuals or groups may obtain its code and infrastructure and continue to use them (or update or fork them) in further attacks.
[US] Cyber Security Professionals Indicted for Running BlackCat / ALPHV Ransomware Campaign
Three former U.S. cybersecurity professionals have been indicted for allegedly acting as affiliates of the BlackCat (also known as ALPHV) ransomware group, in a case that has shocked the infosec community. Federal prosecutors allege that the three men, Ryan Clifford Goldberg, a former incident-response manager at Sygnia, Kevin Tyler Martin, a former ransomware negotiator at DigitalMint, and a third man who has not yet been named, used their insider knowledge of corporate defences to breach and extort multiple American organisations between May and November 2023.
According to the indictment, the group infiltrated at least five targets, including a Florida medical device manufacturer, a Maryland pharmaceutical firm, a California engineering consultancy, a doctor’s office, and a Virginia drone manufacturer. Once inside, the accused are alleged to have exfiltrated sensitive data, deployed BlackCat ransomware, and demanded cryptocurrency payments. In one case, the attackers issued a ransom demand of $10 million, ultimately securing around $1.27 million in payment. The defendants face charges of conspiracy to interfere with interstate commerce by extortion, extortion, and intentional damage to protected computers, which carry potential sentences of up to 50 years in prison.
This case stands out because of who the accused are: cybersecurity professionals trusted to defend against exactly these attacks. Their alleged betrayal highlights the growing insider threat within the industry, reinforcing the need for stricter internal oversight, continuous background vetting, and behavioural monitoring, especially for highly privileged vendor access to customer environments.
[JP] Asahi Ransomware Attack
Asahi Group Holdings, Japan’s largest brewer, suffered a major ransomware attack that disrupted production across nearly all of its 30 factories nationwide. The Qilin ransomware group claimed responsibility, alleging it had stolen around 27 GB of sensitive corporate data, including employee and production information, and posted proof of the stolen data online.
The breach had significant operational consequences, with production halted for up to four days in some factories, forcing Asahi to revert to manual order processing and shipment while critical systems were recovered and brought back online. Although Asahi did not confirm whether a ransom was paid, the attack affected its financial systems and caused the company to postpone the announcement of its Q3 2025 financial results, while the share price dropped 7% in the week following the attack as retailers edged ever closer to running out of stock.
The Asahi incident is an example of a troubling trend in which cyberattacks have serious, tangible physical effects on the manufacturing sector, disrupting production lines and logistics rather than merely stealing data. It also renewed calls in Japan for stronger cybersecurity measures across critical industries, as attacks on major manufacturers have the potential to affect domestic supply chains as well as international reputation and trade.