{"id":16563,"date":"2025-10-29T10:02:04","date_gmt":"2025-10-29T10:02:04","guid":{"rendered":"\/cybersecurity-blog\/?p=16563"},"modified":"2025-10-30T12:41:02","modified_gmt":"2025-10-30T12:41:02","slug":"cyber-attacks-october-2025","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/cyber-attacks-october-2025\/","title":{"rendered":"Major Cyber Attacks in October 2025: Phishing via Google Careers &amp; ClickUp, Figma Abuse, LockBit 5.0, and TyKit\u00a0"},"content":{"rendered":"\n<p>Phishing campaigns and ransomware families evolved rapidly this October, from fake <strong>Google Careers pages and ClickUp<\/strong> redirect chains to <strong>Figma-hosted credential theft<\/strong> and <strong>LockBit\u2019s move<\/strong> into ESXi and Linux systems. ANY.RUN analysts also uncovered <strong>TyKit<\/strong>, a reusable phishing kit hiding JavaScript inside SVG files to steal Microsoft 365 credentials across multiple sectors.&nbsp;<\/p>\n\n\n\n<p>Each of these threats shows how attackers are increasingly abusing legitimate cloud platforms, layering CAPTCHA checks and redirects to bypass detection. All cases were analyzed inside <a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=October_cyber_attacks_2025&amp;utm_term=291025&amp;utm_content=linksandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN\u2019s Interactive Sandbox<\/a>, revealing execution flows and behavioral indicators missed by static tools, insights SOC teams can turn into actionable detection logic.&nbsp;<\/p>\n\n\n\n<p>Let\u2019s break down how these attacks unfolded, who they targeted, and what security teams can learn to strengthen their defenses before the next wave hits.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">1. 
Google Careers Phishing Campaign: Legitimate Platforms Used to Steal Corporate Credentials&nbsp;<\/h2>\n\n\n\n<p><a href=\"https:\/\/x.com\/anyrun_app\/status\/1976290433417228499\" target=\"_blank\" rel=\"noreferrer noopener\">Post on X<\/a>\u00a0and <a href=\"https:\/\/www.linkedin.com\/feed\/update\/urn:li:activity:7382058459351113728\" target=\"_blank\" rel=\"noreferrer noopener\">LinkedIn<\/a><\/p>\n\n\n\n<p>ANY.RUN analysts uncovered a <strong>phishing campaign posing as Google Careers<\/strong>, where attackers combined a <strong>Salesforce redirect<\/strong>, <strong>Cloudflare Turnstile CAPTCHA<\/strong>, and a <strong>fake job application page<\/strong> to steal corporate credentials. The campaign primarily targets employees in technology, consulting, and enterprise service sectors, exploiting the trust people place in well-known brands and cloud services.&nbsp;<\/p>\n\n\n\n<p>Unlike typical phishing kits, this campaign weaves together multiple legitimate platforms to make the flow appear authentic, slipping through filters and reputation-based security tools. 
Once credentials are entered on the fake Google Careers portal, they\u2019re exfiltrated to an attacker-controlled collection server, in this case <strong>satoshicommands[.]com<\/strong>, enabling further compromise of work accounts, client data, and internal collaboration tools.&nbsp;<\/p>\n\n\n\n<p>For organizations, this attack creates a chain reaction: compromised mailboxes, lateral movement across SaaS ecosystems, and potential exposure of customer or partner data, all while evading detection from traditional tools that trust the Salesforce and Cloudflare domains in the redirect path.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/3578ccac-3963-4901-8476-92dc5738cade\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=October_cyber_attacks_2025&amp;utm_term=291025&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>See full execution chain exposed in 60 seconds<\/strong><\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"568\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image-9-1024x568.png\" alt=\"\" class=\"wp-image-16573\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image-9-1024x568.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image-9-300x166.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image-9-768x426.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image-9-1536x852.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image-9-2048x1135.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image-9-370x205.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image-9-270x150.png 270w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image-9-740x410.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Fake Google Careers page displayed inside ANY.RUN sandbox<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Adversaries in this campaign misuse legitimate platforms to host phishing flows that evade automated detection. The combination of <strong>trusted domains<\/strong> and <strong>multi-step redirection<\/strong> makes these attacks particularly hard to catch without behavioral visibility.&nbsp;<\/p>\n\n\n\n<p>Below are ready-to-use <a href=\"https:\/\/intelligence.any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=October_cyber_attacks_2025&amp;utm_term=291025&amp;utm_content=linktolookup\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Threat Intelligence Lookup<\/strong><\/a><strong> queries<\/strong> to expand visibility, uncover infrastructure overlaps, and convert findings into <strong>detection rules<\/strong>, not just IOCs:&nbsp;<\/p>\n\n\n\n<p><strong>Google-like application domains: <\/strong><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=October_cyber_attacks_2025&amp;utm_term=291025&amp;utm_content=linktolookup#{%22query%22:%22domainName:%5C%22apply.g*.com%5C%22%20OR%20domainName:%5C%22hire.g*.com%5C%22%22,%22dateRange%22:180}%20\" target=\"_blank\" rel=\"noreferrer noopener\">domainName:&#8221;apply.g*.com&#8221; OR domainName:&#8221;hire.g*.com&#8221;<\/a>&nbsp;<\/p>\n\n\n\n<p><strong>Vercel deployment patterns: <\/strong><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=October_cyber_attacks_2025&amp;utm_term=291025&amp;utm_content=linktolookup#{%22query%22:%22domainName:%5C%22puma-*.vercel.app%5C%22%20OR%20domainName:%5C%22hiring*.vercel.app%5C%22%22,%22dateRange%22:180}%20\" 
target=\"_blank\" rel=\"noreferrer noopener\">domainName:&#8221;puma-*.vercel.app&#8221; OR domainName:&#8221;hiring*.vercel.app&#8221;<\/a>&nbsp;<\/p>\n\n\n\n<p><strong>YouTube TLD impersonation: <\/strong><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=October_cyber_attacks_2025&amp;utm_term=291025&amp;utm_content=linktolookup#%7B%22query%22:%22domainName:%5C%22hire.*.com%5C%22%22,%22dateRange%22:180%7D\" target=\"_blank\" rel=\"noreferrer noopener\">domainName:&#8221;hire.yt&#8221;<\/a>&nbsp;<\/p>\n\n\n\n<p><strong>C2 domain: <\/strong><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=October_cyber_attacks_2025&amp;utm_term=291025&amp;utm_content=linktolookup#{%22query%22:%22domainName:%5C%22apply.g*.com*%5C%22%22,%22dateRange%22:60}\" target=\"_blank\" rel=\"noreferrer noopener\">domainName:&#8221;satoshicommands.com&#8221;<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"768\" height=\"1024\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image-768x1024.jpg\" alt=\"\" class=\"wp-image-16574\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image-768x1024.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image-225x300.jpg 225w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image-1152x1536.jpg 1152w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image-1536x2048.jpg 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image-370x493.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image-270x360.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image-740x987.jpg 740w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image.jpg 1800w\" sizes=\"(max-width: 768px) 100vw, 768px\" \/><figcaption class=\"wp-element-caption\"><em>Google Careers phishing infrastructure tracking with TI Lookup<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p><strong>Gathered IOCs:<\/strong>&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>188[.]114[.]97[.]3&nbsp;<\/li>\n<li>104[.]21[.]62[.]195&nbsp;<\/li>\n<li>hire[.]gworkmatch[.]com&nbsp;<\/li>\n<li>satoshicommands[.]com&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Both IP addresses fall inside Cloudflare\u2019s proxy ranges, so they identify the CDN fronting the phishing hosts rather than attacker-owned infrastructure: block and hunt on the domains, and use the IPs only for correlation.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">2. Figma Abuse Leads to Microsoft-Themed Phishing Campaigns&nbsp;<\/h2>\n\n\n\n<p><a href=\"https:\/\/x.com\/anyrun_app\/status\/1970855861967786307\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Post on X<\/strong><\/a>\u00a0and <a href=\"https:\/\/www.linkedin.com\/feed\/update\/urn:li:activity:7376895755271450624\" target=\"_blank\" rel=\"noreferrer noopener\">LinkedIn<\/a><\/p>\n\n\n\n<p>ANY.RUN analysts identified a growing wave of phishing attacks abusing Figma, where public design prototypes are used to host and deliver Microsoft-themed credential theft campaigns. This trend highlights a serious blind spot in corporate defenses: the exploitation of trusted cloud platforms that security systems often whitelist by default.&nbsp;<\/p>\n\n\n\n<p>Attackers are turning to Figma because it offers everything they need for a convincing delivery: it\u2019s a widely trusted domain, allows anyone to publish and share prototypes publicly without authentication, and renders interactive content directly in the browser. 
That makes it perfect for embedding phishing elements, buttons, links, and visuals that look completely legitimate, while bypassing traditional email filters and URL reputation checks.&nbsp;<\/p>\n\n\n\n<p>Across multiple samples analyzed last month, <strong>49% of these attacks were linked to Storm-1747<\/strong>, followed by <a href=\"https:\/\/any.run\/malware-trends\/mamba\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Mamba<\/strong><\/a><strong> (25%)<\/strong>, <strong>Gabagool (2%)<\/strong>, and several smaller operators. Each uses Figma as the initial hosting vector, sending victims \u201cdocument\u201d invitations that appear genuine and trigger the phishing flow upon interaction.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/5652b435-2336-4531-a33f-d81a733b3c63\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=October_cyber_attacks_2025&amp;utm_term=291025&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">Check real case: Figma abuse leading to fake Microsoft login page<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"1024\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image2-1024x1024.jpg\" alt=\"\" class=\"wp-image-16575\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image2-1024x1024.jpg 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image2-300x300.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image2-150x150.jpg 150w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image2-768x768.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image2-1536x1536.jpg 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image2-70x70.jpg 70w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image2-370x370.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image2-270x270.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image2-740x740.jpg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image2.jpg 1800w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Full execution chain of Microsoft-themed phishing attack with Figma abuse<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li><strong>Phishing email<\/strong> invites the victim to view a \u201cshared document.\u201d&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"2\" class=\"wp-block-list\">\n<li><strong>Figma prototype<\/strong> hosts a fake collaboration page within the figma.com domain.&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"3\" class=\"wp-block-list\">\n<li><strong>Embedded link<\/strong> triggers a fake CAPTCHA or Cloudflare Turnstile widget.&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"4\" class=\"wp-block-list\">\n<li><strong>Redirection<\/strong> leads to a Microsoft-themed login page that collects credentials.&nbsp;<\/li>\n<\/ol>\n\n\n\n<p>Inside <strong>ANY.RUN\u2019s <\/strong><a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=October_cyber_attacks_2025&amp;utm_term=291025&amp;utm_content=linksandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Interactive Sandbox<\/strong><\/a>, analysts can safely detonate these links, visualize the full redirection flow, and expose the hidden credential capture mechanism; something static filters miss entirely. 
This interactive approach gives SOC teams <strong>real behavioral context<\/strong> for tuning detections and <strong>reduces investigation time<\/strong> when facing similar cloud-hosted phishing chains.&nbsp;<\/p>\n\n\n\n<p>To uncover additional campaigns abusing Figma and connected infrastructure, use the following <a 
href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=October_cyber_attacks_2025&amp;utm_term=291025&amp;utm_content=linktoregistration\" target=\"_blank\" rel=\"noreferrer noopener\">TI Lookup query<\/a>:&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=October_cyber_attacks_2025&amp;utm_term=291025&amp;utm_content=linktolookup#{%22query%22:%22domainName:%5C%22figma.com%5C%22%20AND%20threatName:%5C%22phishing%5C%22%22,%22dateRange%22:180}\" target=\"_blank\" rel=\"noreferrer noopener\">domainName:&#8221;figma.com&#8221; AND threatName:&#8221;phishing&#8221;<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"575\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image2-7-1024x575.png\" alt=\"\" class=\"wp-image-16577\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image2-7-1024x575.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image2-7-300x168.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image2-7-768x431.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image2-7-1536x862.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image2-7-2048x1150.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image2-7-370x208.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image2-7-270x152.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image2-7-740x415.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>ANY.RUN Sandbox analyses of phishing attacks with Figma 
abuse<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>This search surfaces recent submissions that share behavioral traits, letting SOC teams <strong>expand visibility<\/strong> and <strong>transform isolated IOCs into behavioral detection rules<\/strong>.&nbsp;<\/p>\n\n\n\n<p><strong>Gathered IOCs:<\/strong>&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>SHA-256: 9a4c7dcf25e9590654694063bc4958d58bcbe57e5e95d9469189db6873c4bb2c&nbsp;<\/li>\n<li>dataartnepal[.]com&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">3. LockBit 5.0: New Variant Targets ESXi and Linux, Putting Critical Infrastructure at Risk&nbsp;<\/h2>\n\n\n\n<p><a href=\"https:\/\/x.com\/anyrun_app\/status\/1973390038122512528\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Post on X<\/strong><\/a>\u00a0and <a href=\"https:\/\/www.linkedin.com\/feed\/update\/urn:li:activity:7379155735659638785\" target=\"_blank\" rel=\"noreferrer noopener\">LinkedIn<\/a><\/p>\n\n\n\n<p>Researchers spotted a major update from the <a href=\"https:\/\/any.run\/malware-trends\/lockbit\/\" target=\"_blank\" rel=\"noreferrer noopener\">LockBit<\/a> group on its sixth anniversary: LockBit 5.0. The release ships dedicated builds for <strong>Windows<\/strong>, <strong>Linux and VMware ESXi<\/strong>, so one intrusion can reach the virtualization layer that hosts an organization\u2019s core infrastructure. A single successful intrusion can take down many virtual machines at once and knock whole systems offline.&nbsp;<\/p>\n\n\n\n<p>LockBit 5.0 introduces <strong>stronger obfuscation, flexible configuration files, and enhanced anti-analysis techniques<\/strong>, making it significantly harder to detect and dissect. 
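Harder to dissect does not mean harder to detect behaviorally: the ransom note name and the cleanup actions that the per-OS overview below describes, and that the TI Lookup queries below key on, are visible in sandbox and EDR telemetry. As an added example that is not ANY.RUN\u2019s code and was not recovered from any sample, the Python below scores constructed endpoint events per host against those behaviors. The ReadMeForDecrypt.txt file name and the vmware -v command line come from the queries in this section; the concrete tools (vssadmin, wmic, wevtutil, net, esxcli), the weights, the threshold and the host names are assumptions for illustration:

```python
import ntpath

# Ransom note name from the TI Lookup queries; matched on the file name only so
# it covers C:\ReadMeForDecrypt.txt on Windows and the home-directory path on Linux.
RANSOM_NOTE = 'readmefordecrypt.txt'

# Command-line fragments for the behaviours described in this section. The
# concrete tools (vssadmin, wmic, wevtutil, net, esxcli) are an assumption for
# illustration; the article names the behaviours, not the commands.
CMD_RULES = [
    ('shadow_copy_deletion', ('vssadmin', 'delete shadows')),
    ('shadow_copy_deletion', ('wmic', 'shadowcopy delete')),
    ('event_log_clearing',   ('wevtutil', ' cl ')),
    ('service_stop',         ('net stop',)),
    ('service_stop',         ('sc stop',)),
    ('esxi_version_check',   ('vmware -v',)),          # from the ESXi query
    ('esxi_vm_kill',         ('esxcli', 'vm process kill')),
]
# Weights are assumptions: a ransom note alone is conclusive, while one stopped
# service or one cleared log on its own is routine admin noise.
WEIGHTS = {'ransom_note': 5, 'shadow_copy_deletion': 3, 'event_log_clearing': 2,
           'service_stop': 1, 'esxi_version_check': 1, 'esxi_vm_kill': 4}
ALERT_THRESHOLD = 5


def techniques_in_event(ev):
    '''Return the set of behaviour names one process or file event exhibits.'''
    found = set()
    if ev['type'] == 'file_create':
        # ntpath.basename splits on both backslash and slash, so one call covers both OSes
        if ntpath.basename(ev['path']).lower() == RANSOM_NOTE:
            found.add('ransom_note')
    elif ev['type'] == 'process':
        cmd = ev['cmdline'].lower()
        for name, fragments in CMD_RULES:
            if all(f in cmd for f in fragments):
                found.add(name)
    return found


def score_hosts(events):
    '''Aggregate per host: {host: (score, sorted technique names)}.'''
    per_host = {}
    for ev in events:
        per_host.setdefault(ev['host'], set()).update(techniques_in_event(ev))
    return {h: (sum(WEIGHTS[t] for t in ts), sorted(ts)) for h, ts in per_host.items()}


def hosts_to_alert(events, threshold=ALERT_THRESHOLD):
    return sorted(h for h, (score, _) in score_hosts(events).items() if score >= threshold)


# Constructed events in the shape of sandbox or EDR telemetry; host names are
# placeholders. win-ws07 is an admin clearing a single log and must not alert.
SAMPLE_EVENTS = [
    {'host': 'win-fs01', 'type': 'process', 'cmdline': 'vssadmin.exe delete shadows /all /quiet'},
    {'host': 'win-fs01', 'type': 'process', 'cmdline': 'wevtutil.exe cl Security'},
    {'host': 'win-fs01', 'type': 'process', 'cmdline': 'net stop MSSQLSERVER /y'},
    {'host': 'win-fs01', 'type': 'file_create', 'path': 'C:\\ReadMeForDecrypt.txt'},
    {'host': 'esxi-01', 'type': 'process', 'cmdline': 'vmware -v'},
    {'host': 'esxi-01', 'type': 'process', 'cmdline': 'esxcli vm process kill --type=force --world-id=12345'},
    {'host': 'lnx-app02', 'type': 'file_create',
     'path': '/home/user/.local/share/evolution/tasks/ReadMeForDecrypt.txt'},
    {'host': 'win-ws07', 'type': 'process', 'cmdline': 'wevtutil.exe cl Application'},
]

if __name__ == '__main__':
    for host, (score, techniques) in sorted(score_hosts(SAMPLE_EVENTS).items()):
        print(host, score, techniques)
    print('alert:', hosts_to_alert(SAMPLE_EVENTS))
```

Feed it the process and file-creation events of one sandbox run or one EDR host. Anything at or above the threshold is grounds to isolate the host; a ransom note by itself clears the bar because no legitimate process writes that file, whereas a lone cleared log or stopped service stays below it.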
The campaign primarily targets enterprise networks, managed service providers, and government systems across Europe, North America, and Asia, where virtualized environments form the backbone of daily operations.&nbsp;<\/p>\n\n\n\n<p>A single LockBit 5.0 intrusion can shut down dozens of servers simultaneously, halting production systems, paralyzing data centers, and causing prolonged outages with severe financial and reputational consequences.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"768\" height=\"1024\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image3-768x1024.jpg\" alt=\"\" class=\"wp-image-16578\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image3-768x1024.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image3-225x300.jpg 225w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image3-1152x1536.jpg 1152w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image3-1536x2048.jpg 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image3-370x493.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image3-270x360.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image3-740x987.jpg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image3.jpg 1800w\" sizes=\"(max-width: 768px) 100vw, 768px\" \/><figcaption class=\"wp-element-caption\"><em>New LockBit variant targeting not only Windows, but also ESXi and Linux<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">Technical Overview of LockBit 5.0 Variants&nbsp;<\/h3>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li><em>VMware ESXi<\/em>&nbsp;<\/li>\n<\/ol>\n\n\n\n<p><a 
href=\"https:\/\/app.any.run\/tasks\/c3591887-eb31-4810-91b5-54647c6a86a4\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=October_cyber_attacks_2025&amp;utm_term=291025&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">View real-world analysis of VMware ESXi variant<\/a>&nbsp;<\/p>\n\n\n\n<p>The most critical of the three builds: a dedicated <strong>encryptor for hypervisors<\/strong> that can take down every virtual machine on a host at once. Its CLI closely mirrors the Windows version but adds datastore and VM configuration targeting, so a single run can halt operations across an entire host environment in seconds.&nbsp;<\/p>\n\n\n\n<ol start=\"2\" class=\"wp-block-list\">\n<li><em>Windows<\/em>&nbsp;<\/li>\n<\/ol>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/17cc701e-7469-4337-8ca1-314b259e7b73\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=October_cyber_attacks_2025&amp;utm_term=291025&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">View real-world analysis of Windows variant<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"629\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image3-9-1024x629.png\" alt=\"\" class=\"wp-image-16580\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image3-9-1024x629.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image3-9-300x184.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image3-9-768x471.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image3-9-1536x943.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image3-9-2048x1257.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image3-9-370x227.png 370w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image3-9-270x166.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image3-9-740x454.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>LockBit 5.0 ransom note exposed inside ANY.RUN sandbox<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>The mainline variant loads itself through <strong>reflective DLL loading<\/strong>, supports both <strong>GUI and console modes<\/strong>, encrypts local and network drives, and performs cleanup actions such as deleting shadow copies, stopping critical services, and clearing event logs. It drops a ransom note linking to LockBit\u2019s live negotiation portal. Those cleanup actions are the high-fidelity detection points: shadow-copy deletion, mass service termination and event-log clearing in quick succession are worth alerting on regardless of which LockBit build is running.&nbsp;<\/p>\n\n\n\n<ol start=\"3\" class=\"wp-block-list\">\n<li><em>Linux<\/em>&nbsp;<\/li>\n<\/ol>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/d22b7747-1ef2-4e3e-9f80-b555f7f47a3c\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=October_cyber_attacks_2025&amp;utm_term=291025&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">View real-world analysis of Linux variant<\/a>&nbsp;<\/p>\n\n\n\n<p>A lightweight console-based encryptor that replicates the Windows behavior and adds <strong>mount point filters<\/strong>, <strong>disk wiping<\/strong>, <strong>anti-analysis routines<\/strong>, and <strong>region-based execution restrictions<\/strong>: a locale check that keeps it from running, and from drawing attention, in the regions the operators exclude.&nbsp;<\/p>\n\n\n\n<p>Inside <a href=\"https:\/\/app.any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=October_cyber_attacks_2025&amp;utm_term=291025&amp;utm_content=linktoregistration\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>ANY.RUN\u2019s Interactive Sandbox<\/strong><\/a>, analysts can trace how the new encryptors behave across each operating system, from memory injection and service termination to encryption logic and ransom note delivery, helping SOC teams 
<strong>identify new TTPs early<\/strong> and <strong>enrich detection logic with behavioral indicators<\/strong>, not just static IOCs.&nbsp;<\/p>\n\n\n\n<p>Use the following <a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=October_cyber_attacks_2025&amp;utm_term=291025&amp;utm_content=linktotilookuplanding\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Threat Intelligence Lookup<\/strong><\/a><strong> queries<\/strong> to identify LockBit 5.0 activity and enrich your SOC\u2019s detection coverage with live sandbox data:&nbsp;<\/p>\n\n\n\n<p><strong>ESXi Lockbit 5.0<\/strong>: <a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=October_cyber_attacks_2025&amp;utm_term=291025&amp;utm_content=linktolookup#{%22query%22:%22commandLine:%5C%22vmware%20-v%5C%22%22,%22dateRange%22:180}%20\" target=\"_blank\" rel=\"noreferrer noopener\">commandLine:&#8221;vmware -v&#8221;<\/a>&nbsp;<\/p>\n\n\n\n<p><strong>Linux Lockbit 5.0<\/strong>: <a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=October_cyber_attacks_2025&amp;utm_term=291025&amp;utm_content=linktolookup#{%22query%22:%22filePath:%5C%22^\/home\/user\/.local\/share\/evolution\/tasks\/ReadMeForDecrypt.txt$%5C%22%22,%22dateRange%22:180}\" target=\"_blank\" rel=\"noreferrer noopener\">filePath:&#8221;^\/home\/user\/.local\/share\/evolution\/tasks\/ReadMeForDecrypt.txt$&#8221;<\/a>&nbsp;<\/p>\n\n\n\n<p><strong>Windows Lockbit 5.0<\/strong>: <a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=October_cyber_attacks_2025&amp;utm_term=291025&amp;utm_content=linktolookup#{%22query%22:%22filePath:%5C%22^C:%5C%5C%5C%5CReadMeForDecrypt.txt$%5C%22%22,%22dateRange%22:180}\" target=\"_blank\" rel=\"noreferrer 
noopener\">filePath:&#8221;^C:\\\\ReadMeForDecrypt.txt$&#8221;<\/a>&nbsp;<\/p>\n\n\n\n<p>These queries help analysts pivot from OS-specific artifacts to global attack patterns, connecting infrastructure and payload updates across submissions. Note that the anchored Linux path reflects the sandbox VM\u2019s home-directory layout; in your own telemetry, match on the <strong>ReadMeForDecrypt.txt<\/strong> file name in any directory and on the shadow-copy deletion, service termination and event-log clearing the Windows build performs, rather than on a fixed path.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>What Security Teams Should Do Now:<\/strong>&nbsp;<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Boost visibility: <\/strong>Combine endpoint and network telemetry with 
behavior-based monitoring. Use <a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=October_cyber_attacks_2025&amp;utm_term=291025&amp;utm_content=linksandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>ANY.RUN\u2019s sandbox<\/strong><\/a> and <a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=October_cyber_attacks_2025&amp;utm_term=291025&amp;utm_content=linktotilookuplanding\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>TI Lookup<\/strong><\/a> to detect evolving LockBit builds earlier, enrich IOC sets, and reduce MTTR by up to 21 minutes.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Harden access: <\/strong>Enforce <strong>MFA for vCenter and admin accounts<\/strong>, restrict direct Internet access to ESXi hosts, and route all management connections through a secure VPN.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Ensure resilience: <\/strong>Maintain <strong>offline backups<\/strong>, test recovery workflows regularly, and rehearse ransomware playbooks to minimize downtime in case of a breach.&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">4. ClickUp Hosts Used as Phishing Redirectors&nbsp;<\/h2>\n\n\n\n<p><a href=\"https:\/\/x.com\/anyrun_app\/status\/1980995285640700340\" target=\"_blank\" rel=\"noreferrer noopener\">Post on X<\/a>\u00a0and <a href=\"https:\/\/www.linkedin.com\/feed\/update\/urn:li:activity:7386760980313042944\" target=\"_blank\" rel=\"noreferrer noopener\">LinkedIn<\/a><\/p>\n\n\n\n<p>ANY.RUN analysts found attackers abusing <strong>ClickUp<\/strong> to host redirect pages and hide phishing flows. 
In many cases ClickUp is the visible domain the victim clicks, then the chain moves through other trusted services (such as Microsoft-owned subdomains and Azure Blob Storage) before landing on a credential-harvesting page.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"768\" height=\"1024\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image4-768x1024.jpg\" alt=\"\" class=\"wp-image-16581\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image4-768x1024.jpg 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image4-225x300.jpg 225w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image4-1152x1536.jpg 1152w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image4-1536x2048.jpg 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image4-370x493.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image4-270x360.jpg 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image4-740x987.jpg 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image4.jpg 1800w\" sizes=\"(max-width: 768px) 100vw, 768px\" \/><figcaption class=\"wp-element-caption\"><em>Attack execution chain using legitimate services<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Attackers use ClickUp because public docs are quick to create, look legitimate in inboxes, and come from a domain most organizations don\u2019t block. 
Besides ClickUp, they also exploit <strong>microdot-style Microsoft endpoints<\/strong> and <strong>Azure Blob Storage<\/strong> to host the final phishing page, making the whole flow look like normal collaboration traffic.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/d34dfc14-911d-46e4-89f6-53d1f48b8233\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=October_cyber_attacks_2025&amp;utm_term=291025&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">Check a real-world case that exposes the full attack chain in ~1 minute<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"568\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image4-4-1024x568.png\" alt=\"\" class=\"wp-image-16582\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image4-4-1024x568.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image4-4-300x166.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image4-4-768x426.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image4-4-1536x852.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image4-4-2048x1135.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image4-4-370x205.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image4-4-270x150.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image4-4-740x410.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Fake Microsoft login page displayed inside ANY.RUN sandbox<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li><strong>Phishing email:<\/strong> Invites victim to view a shared ClickUp 
\u201cdocument.\u201d&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"2\" class=\"wp-block-list\">\n<li><strong>ClickUp redirect page:<\/strong> Host or shortener on doc[.]clickup[.]com forwards the user.&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"3\" class=\"wp-block-list\">\n<li><strong>Microsoft microdomain hop:<\/strong> A forms or doc endpoint (e.g., forms.office.com or other msft microdomains) is used to add legitimacy.&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"4\" class=\"wp-block-list\">\n<li><strong>Azure Blob Storage:<\/strong> Final hosting for the fake Microsoft login page.&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"5\" class=\"wp-block-list\">\n<li><strong>Credential exfiltration:<\/strong> Captured credentials POST to attacker-controlled collector.&nbsp;<\/li>\n<\/ol>\n\n\n\n<p>Because every domain in the chain belongs to a legitimate provider, these campaigns are hard to detect. Filters and whitelists that trust SaaS vendors often let the traffic pass, and users are less likely to be suspicious when the URL looks familiar.&nbsp;<\/p>\n\n\n\n<p>Inside <a href=\"https:\/\/app.any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=October_cyber_attacks_2025&amp;utm_term=291025&amp;utm_content=linktoregistration\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>ANY.RUN\u2019s Interactive Sandbox<\/strong><\/a>, analysts can observe how each redirect unfolds across real Microsoft and ClickUp domains, see the credential-harvesting page render inside Azure Blob Storage, and extract live indicators for immediate defense updates. 
This visibility helps SOC teams <strong>shorten investigation time<\/strong> and <strong>enrich detection logic<\/strong> with behavioral context, not just URLs.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Ready-to-Use Threat Intelligence Lookup Queries<\/strong>&nbsp;<\/h3>\n\n\n\n<p>Use the following <a href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=October_cyber_attacks_2025&amp;utm_term=291025&amp;utm_content=linktoregistration\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>TI Lookup<\/strong><\/a> queries to uncover related infrastructure and track recurring phishing activity across trusted cloud providers:&nbsp;<\/p>\n\n\n\n<p><strong>Azure Blob Storage: <\/strong><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=October_cyber_attacks_2025&amp;utm_term=291025&amp;utm_content=linktolookup#{%22query%22:%22domainName:%5C%22*.blob.core.windows.net$%5C%22%20AND%20threatName:%5C%22phishing%5C%22%22,%22dateRange%22:180}%20\" target=\"_blank\" rel=\"noreferrer noopener\">domainName:&quot;*.blob.core.windows.net$&quot; AND threatName:&quot;phishing&quot;<\/a>&nbsp;<\/p>\n\n\n\n<p><strong>Microsoft Forms: <\/strong><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=October_cyber_attacks_2025&amp;utm_term=291025&amp;utm_content=linktolookup#{%22query%22:%22domainName:%5C%22forms.office.com$%5C%22%20AND%20threatName:%5C%22phishing%5C%22%22,%22dateRange%22:180}%20%20\" target=\"_blank\" rel=\"noreferrer noopener\">domainName:&quot;forms.office.com$&quot; AND threatName:&quot;phishing&quot;<\/a>&nbsp;<\/p>\n\n\n\n<p><strong>ClickUp: <\/strong><a 
href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=October_cyber_attacks_2025&amp;utm_term=291025&amp;utm_content=linktolookup#{%22query%22:%22domainName:%5C%22clickup.com$%5C%22%20AND%20threatName:%5C%22phishing%5C%22%22,%22dateRange%22:180}%20%20\" target=\"_blank\" rel=\"noreferrer noopener\">domainName:&quot;clickup.com$&quot; AND threatName:&quot;phishing&quot;<\/a>&nbsp;<\/p>\n\n\n\n<p><strong>Gathered IOCs:<\/strong>&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>https[:]\/\/forms[.]office[.]com\/e\/YtRCbHDk14&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>microlambda[.]blob[.]core[.]windows[.]net&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">5. TyKit: New Phishkit Stealing Hundreds of Microsoft Accounts in Orgs&nbsp;<\/h2>\n\n\n\n<p><a href=\"https:\/\/any.run\/cybersecurity-blog\/tykit-technical-analysis\/\" target=\"_blank\" rel=\"noreferrer noopener\">Detailed breakdown of TyKit attack<\/a>&nbsp;<\/p>\n\n\n\n<p>ANY.RUN analysts identified <strong>Tykit<\/strong>, a reusable phishing kit that hides JavaScript inside <strong>SVG files<\/strong> to push victims through a <strong>multi-stage<\/strong> flow and steal Microsoft 365 logins.&nbsp;<\/p>\n\n\n\n<p>First seen in May 2025 with activity peaking in September\u2013October 2025, it hits organizations across the <strong>US, Canada, LATAM, EMEA, SE Asia, and the Middle East<\/strong>, with notable impact on finance, government, telecom, IT, real estate, construction, professional services, education, and more.&nbsp;<\/p>\n\n\n\n<p>Tykit blends redirects, basic anti-debugging, and staged C2 checks to outlast simple filters. 
A successful phish can lead to account takeover, data theft from mailboxes and cloud drives, lateral movement, and MFA bypass via AitM logic.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/78f68113-7e05-44fc-968f-811c6a84463e\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=October_cyber_attacks_2025&amp;utm_term=291025&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">View analysis session with TyKit<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"567\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image5-7-1024x567.png\" alt=\"\" class=\"wp-image-16584\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image5-7-1024x567.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image5-7-300x166.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image5-7-768x425.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image5-7-1536x851.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image5-7-2048x1135.png 2048w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image5-7-370x205.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image5-7-270x150.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image5-7-740x410.png 740w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Redirecting SVG file analyzed inside ANY.RUN sandbox<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p><strong><em>How the attack unfolds:<\/em>&nbsp;<\/strong><\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"351\" 
src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image6-5-1024x351.png\" alt=\"\" class=\"wp-image-16585\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image6-5-1024x351.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image6-5-300x103.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image6-5-768x263.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image6-5-1536x526.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image6-5-370x127.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image6-5-270x92.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image6-5-740x253.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image6-5.png 2048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Execution chain of TyKit attack&nbsp;<\/em><strong>&nbsp;<\/strong>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li><strong>SVG delivery<\/strong> \u2192 Obfuscated JS rebuilds payload and triggers redirect (eval, atob, charCodeAt patterns).&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"2\" class=\"wp-block-list\">\n<li><strong>Trampoline + CAPTCHA<\/strong> \u2192 Cloudflare Turnstile; blocks DevTools\/context menu.&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"3\" class=\"wp-block-list\">\n<li><strong>Fake M365 sign-in<\/strong> \u2192 Background POST \/api\/validate to C2; server returns next HTML stage.&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"4\" class=\"wp-block-list\">\n<li><strong>Exfiltration<\/strong> \u2192 <strong>POST \/api\/login<\/strong> sends {key, redierct [sic], token, server, email, password}.&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"5\" class=\"wp-block-list\">\n<li><strong>Optional log hook<\/strong> \u2192 <strong>POST \/x.php<\/strong> when server 
replies with status:&quot;info&quot;.&nbsp;<\/li>\n<\/ol>\n\n\n\n<p>To <a href=\"https:\/\/any.run\/cybersecurity-blog\/indicators-of-compromise\/\" target=\"_blank\" rel=\"noreferrer noopener\">collect all IOCs<\/a> and perform a detailed case analysis, see the following <a href=\"https:\/\/intelligence.any.run\/analysis\/lookup?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=October_cyber_attacks_2025&amp;utm_term=291025&amp;utm_content=linktoregistration\" target=\"_blank\" rel=\"noreferrer noopener\">TI Lookup<\/a> queries:&nbsp;<\/p>\n\n\n\n<p><strong>SVG\/C2 pattern: <\/strong><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=October_cyber_attacks_2025&amp;utm_term=291025&amp;utm_content=linktolookup#{%22query%22:%22domainName:%5C%22^segy*%5C%22%22,%22dateRange%22:180}\" target=\"_blank\" rel=\"noreferrer noopener\">domainName:&quot;^segy.*&quot;<\/a>&nbsp;<\/p>\n\n\n\n<p><strong>Combined query: <\/strong><a href=\"https:\/\/intelligence.any.run\/analysis\/lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=October_cyber_attacks_2025&amp;utm_term=291025&amp;utm_content=linktolookup#%7B%2522query%2522:%2522sha256:%255C%2522a7184bef39523bef32683ef7af440a5b2235e83e7fb83c6b7ee5f08286731892%255C%2522%2520OR%2520domainName:%255C%2522%5Eloginmicr*.cc$%255C%2522%2520OR%2520domainName:%255C%2522%5Esegy*%255C%2522%2522,%2522dateRange%2522:180%7D\" target=\"_blank\" rel=\"noreferrer noopener\">sha256:&quot;a7184bef39523bef32683ef7af440a5b2235e83e7fb83c6b7ee5f08286731892&quot; OR domainName:&quot;^loginmicr*.cc$&quot; OR domainName:&quot;^segy*&quot;<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"692\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image7-6-1024x692.png\" alt=\"\" class=\"wp-image-16586\" 
srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image7-6-1024x692.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image7-6-300x203.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image7-6-768x519.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image7-6-370x250.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image7-6-270x183.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image7-6-740x500.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/10\/image7-6.png 1383w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Search results using TI Query<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">How to Prevent Tykit Attacks&nbsp;<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Inspect SVGs:<\/strong> Treat SVGs as potential attack vectors; detonate them in a sandbox to reveal hidden scripts and redirects.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Enable phishing-resistant MFA:<\/strong> Use FIDO2 or certificate-based methods and disable legacy authentication.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Monitor key indicators: <\/strong>Watch for domains like segy*, loginmicr(o|0)s.*.cc, and POSTs to \/api\/validate or \/api\/login.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Automate detection: <\/strong>Alert on Base64 \/?s= parameters and integrate <a href=\"https:\/\/any.run\/threat-intelligence-feeds\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=October_cyber_attacks_2025&amp;utm_term=291025&amp;utm_content=linktofeedslanding\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence Feeds<\/a> for fresh IOCs.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li><strong>Train and respond fast:<\/strong> Teach users that even image files can trigger phishing. If compromised, revoke sessions and reset credentials.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Using <a href=\"https:\/\/any.run\/features\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=October_cyber_attacks_2025&amp;utm_term=291025&amp;utm_content=linksandboxlanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN\u2019s Interactive Sandbox<\/a> during incident response accelerates this process: analysts can safely replay the infection chain, confirm what data was exfiltrated, and extract accurate IOCs within minutes. This shortens MTTR and helps strengthen detections for the next wave of similar campaigns.&nbsp;<\/p>\n\n\n\n<p><strong>Gathered IOCs:<\/strong>&nbsp;<\/p>\n\n\n\n<p>SHA256 (SVGs):&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>ECD3C834148D12AF878FD1DECD27BBBE2B532B5B48787BAD1BDE7497F98C2CC8&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A7184BEF39523BEF32683EF7AF440A5B2235E83E7FB83C6B7EE5F08286731892&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Domains &amp; patterns:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>segy[.]zip, segy[.]xyz, segy[.]cc, segy[.]shop, segy2[.]cc&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>^loginmicr(o|0)s.*?\\.([a-z]+)?\\d+\\.cc$&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>URLs &amp; requests:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>GET \/?s=&lt;b64_victim_email&gt;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>POST \/api\/validate&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>POST \/api\/login&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li>POST \/x.php&nbsp;<\/li>\n<\/ul>\n\n\n\n<p><a href=\"https:\/\/any.run\/cybersecurity-blog\/cyber-attacks-august-2025\/\" target=\"_blank\" rel=\"noreferrer noopener\">View August\u2019s top threats analysis to spot recurring tactics and compare how attacker trends evolved month 
to month<\/a>&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Empower Your SOC with Live Visibility and Actionable Intelligence&nbsp;<\/h2>\n\n\n\n<p>From phishing kits and stealers to ransomware and zero-day exploits, today\u2019s attacks evolve faster than static defenses can keep up. Investigating them manually can take hours, while attackers move in minutes. ANY.RUN helps SOC teams close that gap with real-time, interactive analysis.&nbsp;<\/p>\n\n\n\n<p>Here\u2019s how teams stay ahead:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Expose the full attack chain instantly: <\/strong>Detonate suspicious files, links, or scripts in real time and see every process, redirect, and payload as it happens.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Accelerate investigations:<\/strong> Live network mapping, script deobfuscation, and automatic IOC extraction cut analysis time from hours to minutes.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Reduce MTTR by over 21 minutes per case: <\/strong>Clear visibility into system behavior and exfiltration flows enables faster triage and confident containment.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Enrich detection logic automatically: <\/strong>Pivot from a single domain or hash in <a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=October_cyber_attacks_2025&amp;utm_term=291025&amp;utm_content=linktotilookuplanding\" target=\"_blank\" rel=\"noreferrer noopener\">Threat Intelligence Lookup<\/a> to hundreds of related submissions, revealing shared infrastructure and TTP patterns.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Feed fresh intelligence into your stack:<\/strong> Integrate <a 
href=\"https:\/\/any.run\/threat-intelligence-feeds\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=October_cyber_attacks_2025&amp;utm_term=291025&amp;utm_content=linktofeedslanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN\u2019s Threat Intelligence Feeds<\/a> with your SIEM, SOAR, or XDR for continuous updates and context-rich alerts.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>For SOCs, MSSPs, and threat researchers, ANY.RUN delivers the speed, depth, and live visibility needed to turn reactive defense into proactive threat hunting and stay ahead of every new campaign.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/demo\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=October_cyber_attacks_2025&amp;utm_term=291025&amp;utm_content=linktodemo\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Explore ANY.RUN\u2019s capabilities during a 14-day trial\u2192<\/strong><\/a>&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">About ANY.RUN&nbsp;<\/h2>\n\n\n\n<p>ANY.RUN supports more than <strong>15,000 organizations worldwide,<\/strong> including leaders in finance, healthcare, telecom, retail, and tech, helping them strengthen security operations and respond to threats with greater confidence.&nbsp;<\/p>\n\n\n\n<p>Designed for speed and visibility, the solution blends <a href=\"https:\/\/app.any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=October_cyber_attacks_2025&amp;utm_term=291025&amp;utm_content=linktoregistration\" target=\"_blank\" rel=\"noreferrer noopener\">interactive malware analysis<\/a> with live <a href=\"https:\/\/any.run\/threat-intelligence-lookup\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=October_cyber_attacks_2025&amp;utm_term=291025&amp;utm_content=linktotilookuplanding\" target=\"_blank\" rel=\"noreferrer noopener\">threat intelligence<\/a>, giving SOC teams instant insight into attack behavior and the context needed to act 
faster.&nbsp;<\/p>\n\n\n\n<p>By integrating ANY.RUN\u2019s Threat Intelligence suite into your existing workflows, you can accelerate investigations, minimize breach impact, and build lasting resilience against evolving threats.&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Phishing campaigns and ransomware families evolved rapidly this October, from fake Google Careers pages and ClickUp redirect chains to Figma-hosted credential theft and LockBit\u2019s move into ESXi and Linux systems. ANY.RUN analysts also uncovered TyKit, a reusable phishing kit hiding JavaScript inside SVG files to steal Microsoft 365 credentials across multiple sectors.&nbsp; Each of these [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":16570,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[57,10,34],"class_list":["post-16563","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware-analysis","tag-anyrun","tag-cybersecurity","tag-malware-analysis"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Major October 2025 Cyber Attacks Your SOC Can\u2019t Ignore<\/title>\n<meta name=\"description\" content=\"October\u2019s top threats revealed: Google phishing, Figma abuse, LockBit 5.0. Insights SOCs can act on in minutes.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/cyber-attacks-october-2025\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"ANY.RUN\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"13 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/cyber-attacks-october-2025\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/cyber-attacks-october-2025\/\"},\"author\":{\"name\":\"ANY.RUN\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"Major Cyber Attacks in October 2025: Phishing via Google Careers &amp; ClickUp, Figma Abuse, LockBit 5.0, and TyKit\u00a0\",\"datePublished\":\"2025-10-29T10:02:04+00:00\",\"dateModified\":\"2025-10-30T12:41:02+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/cyber-attacks-october-2025\/\"},\"wordCount\":2621,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"malware analysis\"],\"articleSection\":[\"Malware Analysis\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/cyber-attacks-october-2025\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/cyber-attacks-october-2025\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/cyber-attacks-october-2025\/\",\"name\":\"Major October 2025 Cyber Attacks Your SOC Can\u2019t Ignore\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2025-10-29T10:02:04+00:00\",\"dateModified\":\"2025-10-30T12:41:02+00:00\",\"description\":\"October\u2019s top threats revealed: Google phishing, Figma abuse, LockBit 5.0. 
Insights SOCs can act on in minutes.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/cyber-attacks-october-2025\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/cyber-attacks-october-2025\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/cyber-attacks-october-2025\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Malware Analysis\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Major Cyber Attacks in October 2025: Phishing via Google Careers &amp; ClickUp, Figma Abuse, LockBit 5.0, and TyKit\u00a0\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"caption\":\"ANY.RUN\"},\"url\":\"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Major October 2025 Cyber Attacks Your SOC Can\u2019t Ignore","description":"October\u2019s top threats revealed: Google phishing, Figma abuse, LockBit 5.0. Insights SOCs can act on in minutes.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/cyber-attacks-october-2025\/","twitter_misc":{"Written by":"ANY.RUN","Est. 
reading time":"13 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/cyber-attacks-october-2025\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/cyber-attacks-october-2025\/"},"author":{"name":"ANY.RUN","@id":"https:\/\/any.run\/"},"headline":"Major Cyber Attacks in October 2025: Phishing via Google Careers &amp; ClickUp, Figma Abuse, LockBit 5.0, and TyKit\u00a0","datePublished":"2025-10-29T10:02:04+00:00","dateModified":"2025-10-30T12:41:02+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/cyber-attacks-october-2025\/"},"wordCount":2621,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["ANYRUN","cybersecurity","malware analysis"],"articleSection":["Malware Analysis"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/cyber-attacks-october-2025\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/cyber-attacks-october-2025\/","url":"https:\/\/any.run\/cybersecurity-blog\/cyber-attacks-october-2025\/","name":"Major October 2025 Cyber Attacks Your SOC Can\u2019t Ignore","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2025-10-29T10:02:04+00:00","dateModified":"2025-10-30T12:41:02+00:00","description":"October\u2019s top threats revealed: Google phishing, Figma abuse, LockBit 5.0. 
Insights SOCs can act on in minutes.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/cyber-attacks-october-2025\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/cyber-attacks-october-2025\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/cyber-attacks-october-2025\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Malware Analysis","item":"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/"},{"@type":"ListItem","position":3,"name":"Major Cyber Attacks in October 2025: Phishing via Google Careers &amp; ClickUp, Figma Abuse, LockBit 5.0, and TyKit\u00a0"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"ANY.RUN","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g","caption":"ANY.RUN"},"url":"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/16563"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=16563"}],"version-history":[{"count":12,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/16563\/revisions"}],"predecessor-version":[{"id":16601,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/16563\/revisions\/16601"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/16
570"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=16563"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=16563"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=16563"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}