Incident-Response

Stormcast Week of Oct 24, 2025: WSUS RCE, Magento "SessionReaper" exploitation, DNS cache-poisoning fixes, and an Android/Termux infostealer

4n6 Beat
7 min read

SANS Internet Storm Center’s Oct 24, 2025 Stormcast flags four items that should immediately shape triage and detection content across enterprise environments: an Android infostealer abusing Termux, active exploitation of Adobe Commerce/Magento “SessionReaper,” new cache-poisoning fixes for BIND and Unbound resolvers, and a released exploit for a critical WSUS deserialization RCE. Reference the minimal Stormcast entry and the full podcast summary for context (ISC diary 32418, podcast detail).

Below is a forensics-first breakdown: what to collect, where to hunt, and how to contain.

DFIR field guide: Investigating ToolShell-driven SharePoint intrusions (Talos IR Q3 2025)

4n6 Beat
7 min read

Cisco Talos IR’s Q3 2025 report highlights a sharp rise in compromises that began with exploitation of on-premises Microsoft SharePoint via the ToolShell chain. More than 60% of Talos engagements involved exploitation of public-facing apps, and almost 40% showed ToolShell activity; ransomware dropped to ~20% of cases while post-exploitation phishing from compromised accounts continued to climb (Talos IR Q3 2025). Microsoft confirms active, multi-actor abuse of new SharePoint bugs (CVE-2025-53770, CVE-2025-53771) related to earlier July CVEs (CVE-2025-49704, CVE-2025-49706), and stresses that only on-prem servers are affected, not SharePoint Online (Microsoft Security TI, MSRC customer guidance). CISA added CVE-2025-53770 to the KEV catalog, underscoring exploitation in the wild (CISA KEV entry).

ToolShell-led SharePoint intrusions in Q3 2025: a practitioner’s playbook for forensics, detection, and rapid eviction

4n6 Beat
7 min read

Cisco Talos Incident Response reports that over 60% of their Q3 2025 engagements began with exploitation of public-facing applications, driven largely by the ToolShell attack chain against on-premises Microsoft SharePoint; roughly 40% of all engagements involved ToolShell activity. Talos also saw more post-compromise phishing launched from valid internal accounts and a marked emphasis on segmentation and rapid eviction to contain spread. Ransomware made up about 20% of cases, with actors observed deploying a SharePoint webshell (notably spinstall0.aspx) and, in at least one case, abusing Velociraptor for persistence (Talos IR Q3 2025).

TOLLBOOTH (REF3927): Leaked ASP.NET machine keys to IIS code exec, SEO cloaking, and persistence

4n6 Beat
7 min read

Elastic Security Labs documents an intrusion cluster (REF3927) abusing publicly disclosed ASP.NET machine keys to sign malicious ViewState and achieve in-process code execution on IIS, then dropping an IIS module dubbed TOLLBOOTH for monetization/persistence and layering in a modified “Hidden” rootkit and off-the-shelf tools like Godzilla and GotoHTTP (Elastic report, elastic.co).

Microsoft independently warned earlier in 2025 that over 3,000 machine keys had been found in public repos and documentation, and that threat actors were already using these to perform ViewState code injection leading to Godzilla deployment (Microsoft Security Blog, microsoft.com).

Bling Libra’s EaaS pivot and the SLSH playbook shift: what DFIR teams should do now

4n6 Beat
7 min read

Unit 42’s 5-minute read on October 20, 2025 documents three notable shifts tied to Scattered LAPSUS$ Hunters (SLSH): a formal push toward extortion-as-a-service (EaaS), renewed insider recruitment, and chatter about a new ransomware brand, “SHINYSP1D3R.” Their guidance: build playbooks that handle data-theft extortion the way many of us handle encryption-driven ransomware today, with verification, negotiation posture, and reputation impact included (Unit 42, Oct 20, 2025, unit42.paloaltonetworks.com).

What changed in early October 2025

Context: Unit 42’s earlier Oct 10 brief connects “Scattered LAPSUS$ Hunters” to a coalition of Bling Libra (ShinyHunters), Muddled Libra (Scattered Spider/UNC3944), and LAPSUS$, sometimes dubbed a “Trinity” within a broader e-crime social milieu known as “The Com” (Unit 42, Oct 10, unit42.paloaltonetworks.com).

AdaptixC2 via npm typosquat: DFIR playbook for https-proxy-utils

4n6 Beat
6 min read

Kaspersky reported on October 17, 2025 that a malicious npm package named https-proxy-utils masqueraded as a proxy helper and, during installation, executed a postinstall script that fetched and launched an AdaptixC2 agent; the package has since been removed from npm (Securelist). The lure name mimicked popular packages like http-proxy-agent and https-proxy-agent, and even cloned functionality from proxy-from-env to appear legitimate (Securelist).

AdaptixC2 is an open-source, cross-platform post-exploitation framework with server components in Go and a Qt client, providing beacons and listeners across Windows, macOS, and Linux, features attractive both to red teams and threat actors (AdaptixC2 GitHub).