October 2025
LevelBlue SpiderLabs is the threat intelligence unit of LevelBlue and includes a global team of threat researchers and data scientists who, combined with proprietary technology in data analytics and machine learning (ML), analyze one of the largest and most diverse collections of threat data in the world. Our research team delivers tactical threat intelligence that powers resilient threat detection and response — even as an organization’s attack surface expands, technology evolves, and adversaries change their tactics, techniques, and procedures.
The LevelBlue SpiderLabs update gives you the latest threat news, including recent updates to USM Anywhere detections and new threat intelligence published in the LevelBlue SpiderLabs Open Threat Exchange (OTX), one of the largest open threat intelligence sharing communities in the world.
ArcaneDoor Exploits Cisco ASA Zero-Days
Cisco Adaptive Security Appliances (ASA) and Firepower vulnerabilities (CVE-2025-20333 and CVE-2025-20362) impacted the devices’ VPN and firewall functionalities and allowed unauthenticated actors to execute remote code and gain persistence in the impacted systems.
CISA published an emergency directive around the two latest vulnerabilities and urged companies to identify and mitigate potential compromise of Cisco devices. LevelBlue SpiderLabs has released a NIDS signature to identify potential version fingerprinting and will generate alarms if the activity is followed by suspicious behavior.
Cisco has assessed that this campaign is associated with the 2024 ArcaneDoor campaign, based on the threat actor’s successful modification of ASA’s read-only memory (ROM). Microsoft and Cisco attributed the ArcaneDoor attack to the suspected Chinese espionage group Storm-1849 that targets US organizations.
Additionally, Cisco has published a zero-day impacting its IOS (CVE-2025-20352). This actively exploited vulnerability allows attackers to elevate privileges up to root through specially crafted SNMP packets.
Latest Facebook Phishing Campaigns
SpiderLabs and Unit42 have both reported phishing campaigns impersonating Facebook. The first campaign abuses the platform’s external URL warning system to lure victims and harvest credentials after sending them a fake "Facebook Account Verification Required" email. The campaign has been identified in several languages, including English, German, Spanish and Korean.
The second campaign has been active since April 2025 and involves fake copyright violation notices leading to a fake Facebook login site that uses a Browser-in-the-Middle (BitM) technique. This technique displays a fake browser window within the victim's legitimate browser window. The fake window shows a legitimate-looking URL, but its content is controlled by the attacker and used to steal login credentials.
European Airports Impacted by Ransomware Attack
During the weekend of September 20th, several European airports were impacted by a ransomware attack on Collins Aerospace. The company operates the self-service check-in kiosks (ARINC cMUSE) used by passengers, and the outage caused many delays and flight cancellations at airports in London, Berlin, Brussels, Dublin, Cork and elsewhere.
According to a report by Breached Company, the attack may have started with phishing lures disguised as RTX firmware updates, followed by exploitation of unpatched MUSE API gateway vulnerabilities and lateral movement through federated authentication layers, and finally the encryption of thousands of itineraries with the HardBit ransomware.
On September 24th, the British National Crime Agency reported an arrest associated with the attack.
The team has identified the following malware families and threat actors as the most active during the month of September. This month’s malware trends remain very similar to those of previous months, with one notable addition:

The LevelBlue trackers have identified over 1600 new IOCs across the malware families they track. The busiest trackers during the month of September have been:

In September, LevelBlue SpiderLabs added or updated 38 USM Anywhere and 2 NIDS detections. Here are a few examples of improvements and new elements LevelBlue SpiderLabs developed:
Please visit the LevelBlue Success Center for a full list of improvements, new elements, issues found, and tasks created.
LevelBlue SpiderLabs Open Threat Exchange (OTX) is among the world’s largest open threat intelligence sharing communities, made up of 330,000 threat researchers from 140 countries who publish threat information to the platform daily. LevelBlue SpiderLabs validates, analyzes, and enriches this threat intelligence. Members of OTX benefit from the collective research, can contribute to the community, analyze threats, create public and private threat intelligence sharing groups, and more. Learn more about OTX, its benefits, and how you can join here.
New OTX Pulses
The LevelBlue SpiderLabs team continuously publishes new pulses in OTX based on its research and discoveries. Pulses are interactive, searchable repositories of information about threats, threat actors, campaigns, and more, including indicators of compromise (IoCs) that members can use directly. In September, 130 new Pulses were created by the SpiderLabs team, providing coverage for the latest threats and campaigns. Here are a few examples of the most relevant new Pulses:
LevelBlue is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.