Welcome to the October 2025 edition of the ConnectWise Cyber Research Unit™ (CRU) Monthly Threat Brief. This report provides a comprehensive look at the most significant cybersecurity developments impacting the IT services and SMB landscape. We break down the month’s top stories, critical vulnerabilities, and prevalent malware families to help you stay informed and prepared in an evolving threat environment. We have also begun adding descriptions of all the new detection signatures added to the ConnectWise SIEM™.
Top stories for October 2025
A newly disclosed vulnerability in the Unity Runtime (CVE-2025-59489) allows attackers to execute arbitrary code within Unity-built applications by exploiting how the engine handles command-line arguments and Android intents. Discovered by RyotaK of GMO Flatt Security, the flaw originates from Unity’s debugging infrastructure, which automatically registers external intent handlers without sufficient validation.
By manipulating the “xrsdk-pre-init-library” argument, intended for internal use, attackers can trick Unity into dynamically loading malicious native libraries using “dlopen”, effectively executing code in the context of the legitimate application. The issue affects all Unity versions from 2017.1 through 6000.3 across Android, Windows, Linux, and macOS, and is particularly dangerous on Android, where other apps can exploit it without user interaction. Given Unity’s dominance in mobile and cross-platform development, millions of applications, including popular games such as “Among Us” and “Pokémon GO,” may be at risk.
Unity has released patches for versions 2019.1 and later, alongside a binary patching utility for developers unable to rebuild immediately. However, patching remains complex and time-sensitive, especially for apps using anti-tamper or anti-cheat systems that block binary modification. For MSPs, this vulnerability demands urgent action: Audit client environments for Unity-based applications, coordinate with vendors or in-house developers to rebuild or patch affected software, and apply safelisting controls on sensitive systems. With full technical details now public, attackers are likely to weaponize this flaw soon. MSPs should prioritize remediation for Unity applications with elevated privileges or access to sensitive data to reduce the risk of privilege escalation or code execution attacks.
The ConnectWise CRU analyzed an incident where a multi-stage loader chain (ClearFake → Emmenhtal → HijackLoader) ultimately delivered a malicious Chromium extension that steals cryptocurrency by swapping QR-code destinations to attacker-controlled addresses. Initial access was via a ClearFake/ClickFix social-engineering lure that convinced victims to run PowerShell, leading to Emmenhtal bypassing security and injecting shellcode into explorer.exe.
That shellcode dropped HijackLoader, which established persistence (scheduled task), then staged multiple process-hollowing steps using legitimate binaries to deploy a final payload: A browser-extension bundle placed under “C:\ProgramData\Direct\swapper\” and launched by edited Chromium shortcuts (added command-line args to load the malicious extension and disable other extensions). The extension supports modular redirects, iframe overlays, and arbitrary JS injection, but its standout capability is detecting on-page QR codes and overlaying attacker QR images (and reporting swaps to C2), a novel combination of virtual QR manipulation and traditional clipboard/address-replacement tactics. Several inactive fake wallet extensions were also dropped alongside the QR-swapping module, apparently intended to act as replacement wallet UIs if activated.
Operationally, the samples tested are largely nonfunctional on up-to-date Google Chrome due to Manifest V3 and the disabling of “--load-extension” and “--disable-extensions” flags, but other Chromium-based browsers may still be vulnerable. Evidence links the extension to the Acreed infostealer ecosystem, shared C2 domains, overlapping IOCs, and code similarities with a GitHub repository, which suggests the extension may be an Acreed module or companion payload.
Antivirus products appear to be removing the extension files from “swapper”, but leftover modified shortcuts persist and still attempt to load removed payloads. The chain’s use of fileless stages, process hollowing, and scheduled-task persistence complicates detection and recovery, and the combination of QR overlay and clipboard/address tampering represents a dangerous evolution in crypto-theft tooling that defenders should treat as high priority.
A new ClickFix campaign is exploiting TikTok’s viral format to distribute info-stealing malware by masquerading as software activation tutorials. The videos instruct users to run a PowerShell command that connects to a remote domain and downloads additional payloads, typically Aura Stealer and a secondary .NET-based injector. Once executed, Aura Stealer harvests browser credentials, cookies, crypto wallets, and application logins, while the .NET payload compiles and injects further code in memory to evade detection.
This approach combines polished, AI-generated TikTok content with trusted branding like Windows and Adobe, creating a potent form of social engineering that requires no exploit, only user interaction. Researchers have also identified related variants deploying other well-known infostealers such as Vidar, StealC, and Latrodectus.
The campaign underscores how social media is being weaponized as an initial access vector. Because the infection chain relies entirely on user execution rather than exploiting vulnerabilities, it easily bypasses traditional network defenses. For MSPs, this emphasizes the need to combine user education with tighter PowerShell controls and behavioral endpoint detection. Organizations should restrict PowerShell execution, enforce logging, monitor for in-memory injection, and strengthen credential hygiene through MFA. Ultimately, this wave of TikTok-driven malware highlights the growing intersection between social engineering and influencer-style content, where trust and familiarity become the attacker’s most effective tools.
A critical remote code execution vulnerability in Windows Server Update Services (CVE-2025-59287) allows unauthenticated attackers to execute arbitrary code on WSUS servers, threatening the integrity of patch distribution systems. The flaw, rated CVSS 9.8, stems from unsafe object deserialization in a legacy WSUS component and can be exploited via a single crafted request, no credentials or user interaction required. A compromised WSUS server effectively gives attackers a trusted delivery mechanism to push malicious code across entire client environments. While Microsoft initially patched the issue during Patch Tuesday, a subsequent out-of-band update was required after the first fix proved insufficient. Because WSUS servers often have privileged access and distribute software to hundreds or thousands of endpoints, a successful exploit could lead to mass compromise, backdoor insertion, and manipulation of legitimate update packages.
For MSPs, the implications are severe: A single exploited WSUS instance could cascade across multiple customer networks, resulting in widespread endpoint compromise, ransomware propagation, and supply chain contamination. Traditional endpoint defenses offer little protection, as the attack bypasses user interaction entirely. MSPs must immediately patch WSUS servers with the latest out-of-band update, enforce strict network segmentation, disable unnecessary internet exposure, and implement continuous monitoring for anomalous WSUS behavior.
This vulnerability underscores the importance of treating patch management infrastructure as a Tier 0 asset, on par with domain controllers and VPN gateways, requiring hardened configurations, forensic visibility, and ongoing validation to preserve client trust and service integrity.
AI-assisted coding tools are transforming software development speed and scale, but also amplifying existing security flaws. Aikido Security’s latest report found that nearly 70% of organizations have discovered vulnerabilities in AI-generated code, and one in five have suffered serious incidents tied to it. The issue isn’t new exploit types but the faster, less visible reproduction of long-standing flaws like XSS, input validation failures, and access-control errors. As CISA’s former director Jen Easterly noted, “We don’t have a cybersecurity problem—we have a software quality problem.”
The challenge lies in the collision between automation and oversight: Developers increasingly rely on AI to write and fix code, yet 65% admit to disabling security tools due to deadline pressure and alert fatigue. Larger tool stacks compound the issue, as overlapping security platforms create slower remediation and more false positives. Meanwhile, the unclear provenance of AI-generated code blurs accountability, raising the risk that critical vulnerabilities persist unpatched.
For MSPs, the rise of AI-driven development introduces a new form of hidden risk: Code that is deployed, modified, or fixed by AI with little or no documentation. Without visibility into code lineage, MSPs may inherit vulnerabilities they didn’t create but will be expected to remediate. The operational impact is significant: Faster deployment cycles mean vulnerabilities reach production sooner, and multi-client MSP environments already strained by alert fatigue face longer remediation times.
To mitigate risk, MSPs must treat AI-generated code like any third-party dependency, requiring labeling, provenance tracking, and layered review with both automated scanning and human validation. Security education and process discipline are key. AI can accelerate innovation, but only when paired with deliberate, transparent oversight. MSPs who integrate these controls into their service models will be better positioned to manage the growing security debt of AI-assisted software development.
Top threats in October 2025
The Diamond Model
This section leverages the Diamond Model of Intrusion Analysis to structure the examination of recent malware activity, providing a clear analytical framework that links adversary, capabilities, infrastructure, and victimology. By applying the Diamond Model, we can better contextualize malicious behavior, identify patterns across campaigns, and highlight the relationships between threat actors, tools, and targeted entities.
Akira
The ransomware‑as‑a‑service (RaaS) group Akira first emerged in March 2023 and has since carved out a significant niche in the global threat landscape. According to a detailed risk‑brief from October 2025, the group routinely conducts double‑extortion attacks, stealing data before encrypting victim environments, and then threatening publication of the stolen material if payment is not rendered. Its modus operandi includes cross‑platform targeting (Windows, Linux, VMware ESXi) and high‑speed intrusion‑to‑encryption timelines.
Recent threat intelligence from October 2025 reflects a sustained surge in Akira activity. For example, security firms report that the group has increasingly exploited VPN and edge‑device infrastructure for initial access, particularly SonicWall SSL VPN appliances and firewalls. Notably, the ConnectWise CRU has observed threat actors deploying Akira payloads after exploiting compromised SonicWall SSL VPN devices. This correlates directly with SonicWall’s own advisory about the exploitation of CVE‑2024‑40766 and misconfigured credentials or migrations from Gen 6 to Gen 7 firewalls. In one October report, more than 100 SSL VPN accounts across 16 environments were accessed, with Akira used to encrypt systems very rapidly thereafter.
