Signals Weekly: Zero-Days, Hijacked Payrolls & a Crypto Kingpin

This Week's Threat Intel Pulse: Oracle EBS zero-day exploited before patches dropped, Storm-1175 abuses GoAnywhere MFT, payroll hijackers hit US universities, ransomware crews weaponize Velociraptor, and a $15B Southeast Asian scam network faces global sanctions.

Quarterly earnings report: zero-days up 14%, payroll theft up 22%, sanctions shrugged off entirely.

AlphaHunt Signals Weekly — Signal > Noise

I’m testing a new ~weekly product. It’s not another “link dump.” It’s a signal-ranked brief for operators who are busy and actually have to act.

You won't find this on the main site (yet?), so feel free to forward it to a friend!

Why this beats aggregators

  • Narrative-first, not headline spam. We cluster sources into one clear story.
  • Primary-source bias. Vendor advisories + KEV + credible telemetry > hot takes.
  • De-dup + downrank. We kill repeats and suppress hype.

How we sort the firehose

  • Current: active, established stories: act now.

  • Emerging: fast-rising, credible early signals—watch and prep.

I want your feedback—what’s missing, what’s extra, what would make this a must-open every week? Hit reply or DM me.


AlphaHunt

Stop doomscrolling, start decisioning. We chewed through the muck so your team doesn’t have to. → Subscribe! • Forward to your on-call lead.

(Have feedback? Did something resonate with you? Did something annoy you? Just hit reply! :))


Current Stories

TL;DR

  • [Threat Actors] CL0P-branded extortion is leveraging an Oracle E‑Business Suite zero‑day (CVE-2025-61882) with pre-patch exploitation, Java in‑memory implants, and broad executive email campaigns; urgent Oracle EBS patching and hunting for malicious templates recommended.

  • [Vulnerabilities] GoAnywhere MFT deserialization flaw (CVE-2025-10035) is under active exploitation by Storm‑1175, with observed RMM tools, web shells, data theft via Rclone, and Medusa ransomware; CISA added it to KEV.

  • [Fraud/Threat Actors] “Payroll pirate” attacks by Storm‑2657 target US universities’ Workday payroll via AiTM phishing, inbox rule abuse, and MFA takeover to divert salaries.

  • [Intrusion Sets] Ransomware actors abused Velociraptor DFIR for persistence and control alongside LockBit/Warlock/Babuk payloads; overlaps with Storm‑2603/“ToolShell” TTPs against SharePoint.

  • [Geopolitics/Cybercrime] US/UK moved against Southeast Asia scam networks: DOJ unsealed an indictment and a $15B bitcoin seizure tied to Cambodia’s Prince Group; Treasury sanctioned 146 entities and cut Huione Group off from the US financial system.

Forecasts

Likely Scenarios

  • [Threat Actors] CL0P-affiliated actors post Oracle EBS victims in waves; more orgs discover pre‑Oct 4 compromises.

  • [Vulnerabilities] Additional GoAnywhere victims surface with Medusa deployments; follow‑on targeting of exposed MFT/edge systems.

  • [Fraud] Copycat payroll-diversion campaigns hit other HR SaaS platforms; universities and public sector remain prime targets.

Overlooked Risks and Unconsidered Scenarios

  • [Intrusion Sets] Broader abuse of DFIR/IT tools (e.g., Velociraptor) becomes standard in multi‑ransom ops, complicating detection.

  • [Attribution] Overlapping “CL0P” branding and shared toolchains drive misattribution; distinct clusters (FIN11 vs. others) remain conflated.

  • [Geopolitics] Sanctions push scam TCOs toward alternate rails (OTC brokers, nested exchanges), obscuring flows and complicating takedowns.

What to do next

  • [Vulnerabilities] Patch Oracle EBS per Oct 4 advisory; hunt XDO_TEMPLATES_B/XDO_LOBS for TMP/DEF XSL payloads and block outbound EBS server traffic.

  • [Vulnerabilities] Upgrade/triage GoAnywhere MFT; search for web shells, RMM (SimpleHelp/MeshAgent), Cloudflare tunnels, and Rclone; review CISA KEV due dates.

  • [Threat Actors] Enforce phishing‑resistant MFA for payroll/HR; monitor for inbox rules suppressing Workday alerts; validate bank/payroll changes out‑of‑band.
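The Oracle EBS hunt above (TMP/DEF-prefixed XSL templates in XDO_TEMPLATES_B/XDO_LOBS) is easier to repeat consistently as a small screening script. The following is an added example, not code from the newsletter, Oracle or Google: it takes rows exported from XDO_LOBS and flags templates by two signals, the name prefix the brief mentions and, as an assumed heuristic, an XSLT Java-extension namespace or java.lang reference inside the XSL body, which a legitimate report layout never needs. The column names in EXPORT_SQL, the extension-namespace patterns and the sample rows are assumptions constructed for the example; check them against your own instance before relying on the query.

```python
"""Screen exported Oracle EBS XDO_LOBS rows for suspicious XSL templates.

Added example (not from the newsletter, Oracle or Google). Column names,
namespace patterns and sample data are assumptions; verify against your schema.
"""
import re
from dataclasses import dataclass

# Assumed export query. Pull every XSL template, not only TMP/DEF-prefixed ones,
# so a renamed malicious template is still inspected by the content check.
EXPORT_SQL = """
SELECT LOB_CODE, XDO_FILE_TYPE, FILE_DATA, CREATION_DATE
  FROM XDO_LOBS
 WHERE XDO_FILE_TYPE LIKE 'XSL%'
"""

# Name prefixes called out in the brief. A weak signal on its own (legitimate
# codes such as DEFAULT... also match), so it is reported alongside the content check.
SUSPICIOUS_PREFIXES = ("TMP", "DEF")

# Assumed heuristic: XSLT processors expose Java through extension namespaces.
# A report template declaring one, or naming java.lang classes, warrants review.
JAVA_EXTENSION_PATTERNS = [
    re.compile(r'xmlns:[\w-]+="http://xml\.apache\.org/xalan/java'),
    re.compile(r'xmlns:[\w-]+="xalan://'),
    re.compile(r'xmlns:[\w-]+="http://www\.oracle\.com/XSL/Transform/java/'),
    re.compile(r"java\.lang\.(Runtime|ProcessBuilder|System|reflect)"),
]


@dataclass
class XdoLobRow:
    """One exported XDO_LOBS row (assumed column set)."""
    lob_code: str
    xdo_file_type: str
    file_data: bytes
    creation_date: str


def template_findings(row: XdoLobRow) -> list[str]:
    """Return the reasons a template row looks suspicious, or [] if none."""
    reasons = []
    if row.lob_code.upper().startswith(SUSPICIOUS_PREFIXES):
        reasons.append("suspicious_prefix")
    if row.xdo_file_type.upper().startswith("XSL"):
        body = row.file_data.decode("utf-8", errors="replace")
        if any(p.search(body) for p in JAVA_EXTENSION_PATTERNS):
            reasons.append("java_extension")
    return reasons


def hunt(rows: list[XdoLobRow]) -> dict[str, dict]:
    """Map LOB_CODE -> findings for every row that triggers at least one signal."""
    findings = {}
    for row in rows:
        reasons = template_findings(row)
        if reasons:
            findings[row.lob_code] = {"reasons": reasons, "created": row.creation_date}
    return findings


# Constructed sample rows: a benign FO layout, a TMP-prefixed template that pulls
# in a Java extension namespace, and a legitimate-looking DEF-prefixed layout.
BENIGN_XSL = (
    b'<?xml version="1.0"?><xsl:stylesheet version="1.0" '
    b'xmlns:xsl="http://www.w3.org/1999/XSL/Transform" '
    b'xmlns:fo="http://www.w3.org/1999/XSL/Format">'
    b'<xsl:template match="/"><fo:root/></xsl:template></xsl:stylesheet>'
)
JAVA_XSL = (
    b'<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" '
    b'xmlns:sys="http://xml.apache.org/xalan/java/java.lang.System">'
    b'<xsl:template match="/"><xsl:value-of select="sys:getProperty(\'os.name\')"/>'
    b"</xsl:template></xsl:stylesheet>"
)
SAMPLE_ROWS = [
    XdoLobRow("APXPRINT_XML", "XSL-FO", BENIGN_XSL, "2019-03-12"),
    XdoLobRow("TMP_PAYDEF01", "XSL-X", JAVA_XSL, "2025-08-09"),
    XdoLobRow("DEFAULTINV", "XSL-FO", BENIGN_XSL, "2018-01-05"),
]

if __name__ == "__main__":
    for code, info in hunt(SAMPLE_ROWS).items():
        print(f"{code}: {', '.join(info['reasons'])} (created {info['created']})")
```

Treat "java_extension" hits as review-now regardless of prefix, and use the creation date to bound the triage window; a prefix-only hit on an old, unchanged template is usually noise.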

Suggested Pivots

  1. How are CL0P/FIN11‑linked infrastructure and email patterns evolving across Oracle EBS victims?
    • Why: Helps separate branding from actor clusters and identify repeat infrastructure and timing patterns.
    • What to expect: Host/IP reuse, lure templates, template code/URL overlaps tied to specific clusters and timelines.

  2. Which organizations with GoAnywhere MFT exposure show RMM/web shell/Rclone tradecraft overlaps with Storm‑1175?
    • Why: Correlates actor tooling and post‑exploitation behaviors for better detection.
    • What to expect: Shared hashes/paths/commands, Cloudflare tunnel use, and sectoral victimology.

  3. What inbox-rule, MFA device-enrollment, and SSO anomalies predict “payroll pirate” fraud attempts?
    • Why: Builds proactive detections before payroll redirection occurs.
    • What to expect: Rule-name patterns, Duo/Authenticator enrollments, and SSO access outside geo/behavior baselines.

  4. Where are DFIR/IT admin tools (e.g., Velociraptor, Impacket, Smbexec) being repurposed at scale in recent intrusions?
    • Why: Maps dual‑use tool abuse to campaigns beyond one case study.
    • What to expect: Indicators of config files, service installs, and persistence artifacts across ransomware clusters.
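Both the "monitor for inbox rules suppressing Workday alerts" action item and pivot 3 (rule-name patterns that predict payroll-pirate attempts) come down to the same detection: an inbox rule whose conditions match payroll/HR mail and whose actions hide it. The following is an added example, not code from the newsletter or from Microsoft: it scores New-InboxRule/Set-InboxRule records in the shape Exchange writes to the Microsoft 365 unified audit log (an Operation field plus a Parameters list of Name/Value pairs, carrying the New-InboxRule cmdlet parameter names) and alerts when a payroll condition and a hiding action coincide. The keyword list, the "obscure name" test and the sample audit lines are constructed for the example; the exact parameter set your tenant logs may differ, so extend CONDITION_PARAMS and HIDING_FLAGS from a real export.

```python
"""Flag inbox rules that hide payroll/HR mail in M365 unified audit log records.

Added example (not from the newsletter or Microsoft). Sample records, keyword
lists and thresholds are constructed assumptions; tune from a real export.
"""
import json
import re

RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
# Parameters that carry a rule's *conditions* (New-InboxRule cmdlet names).
CONDITION_PARAMS = {
    "SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords",
    "From", "FromAddressContainsWords",
}
# Boolean *actions* that keep the victim from seeing a message.
HIDING_FLAGS = ("DeleteMessage", "SoftDeleteMessage", "MarkAsRead")
# MoveToFolder only counts as hiding when the target is a folder nobody reads.
SUSPICIOUS_FOLDERS = re.compile(r"rss|archive|junk|deleted|conversation history", re.I)
# Constructed keyword set for the payroll/HR theme described in the brief.
PAYROLL_TERMS = re.compile(
    r"\bworkday\b|\bpayroll\b|direct deposit|bank account|\bpay ?slips?\b|\bhr\b", re.I
)


def _params(record: dict) -> dict[str, str]:
    """Flatten the audit record's Parameters list into a name -> value map."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def rule_findings(record: dict) -> list[str]:
    """Return the signals present in one rule event ([] for non-rule events)."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return []
    params = _params(record)
    reasons = []
    condition_text = " ".join(v for k, v in params.items() if k in CONDITION_PARAMS)
    if PAYROLL_TERMS.search(condition_text):
        reasons.append("payroll_condition")
    hiding = sorted(a for a in HIDING_FLAGS if params.get(a, "False").lower() == "true")
    if SUSPICIOUS_FOLDERS.search(params.get("MoveToFolder", "")):
        hiding.append("MoveToFolder")
    if hiding:
        reasons.append("hides_mail:" + ",".join(hiding))
    # Attackers often name rules with a single dot or punctuation so they are
    # easy to overlook in the Outlook rule list (assumed heuristic).
    if "Name" in params and not re.search(r"[A-Za-z0-9]{3,}", params["Name"]):
        reasons.append("obscure_name")
    return reasons


def is_alert(reasons: list[str]) -> bool:
    """Alert only when a payroll-themed condition is paired with a hiding action."""
    return "payroll_condition" in reasons and any(r.startswith("hides_mail") for r in reasons)


def findings_for_line(line: str) -> list[str]:
    return rule_findings(json.loads(line))


def detect(lines: list[str]) -> list[dict]:
    """Run the detection over JSON audit lines and return alert summaries."""
    alerts = []
    for line in lines:
        record = json.loads(line)
        reasons = rule_findings(record)
        if is_alert(reasons):
            alerts.append({
                "user": record["UserId"],
                "time": record["CreationTime"],
                "client_ip": record.get("ClientIP"),
                "reasons": reasons,
            })
    return alerts


# Constructed sample audit lines (example.edu users, TEST-NET addresses).
SAMPLE_AUDIT_LINES = [
    '{"CreationTime":"2025-10-07T13:02:11","Operation":"New-InboxRule","UserId":"jdoe@example.edu",'
    '"ClientIP":"203.0.113.42","Parameters":[{"Name":"Name","Value":"."},'
    '{"Name":"SubjectOrBodyContainsWords","Value":"Workday;direct deposit;payroll"},'
    '{"Name":"DeleteMessage","Value":"True"},{"Name":"MarkAsRead","Value":"True"}]}',
    '{"CreationTime":"2025-10-07T13:10:55","Operation":"New-InboxRule","UserId":"asmith@example.edu",'
    '"ClientIP":"198.51.100.7","Parameters":[{"Name":"Name","Value":"Newsletters"},'
    '{"Name":"FromAddressContainsWords","Value":"news@vendor.example"},'
    '{"Name":"MoveToFolder","Value":"Newsletters"}]}',
    '{"CreationTime":"2025-10-08T02:44:09","Operation":"Set-InboxRule","UserId":"rlee@example.edu",'
    '"ClientIP":"203.0.113.42","Parameters":[{"Name":"Identity","Value":"rule1"},'
    '{"Name":"SubjectContainsWords","Value":"payroll"},{"Name":"MoveToFolder","Value":"RSS Feeds"}]}',
    '{"CreationTime":"2025-10-08T03:00:00","Operation":"MailItemsAccessed","UserId":"rlee@example.edu",'
    '"ClientIP":"203.0.113.42"}',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_AUDIT_LINES):
        print(f"{alert['time']} {alert['user']} from {alert['client_ip']}: {', '.join(alert['reasons'])}")
```

The two alerts in the sample share a client IP, which is the kind of pivot the brief suggests: once one rule fires, every other rule creation, MFA enrollment and SSO login from that address during the same window deserves a look, and the affected user's pending payroll or bank-detail changes should be confirmed out of band before the next pay run.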

References

  1. (2025-10-09) Oracle E-Business Suite Zero-Day Exploited in Widespread Extortion Campaign | Google Cloud Blog
    https://cloud.google.com/blog/topics/threat-intelligence/oracle-ebusiness-suite-zero-day-exploitation

  2. (2025-10-04) Oracle Security Alert Advisory - CVE-2025-61882
    https://www.oracle.com/security-alerts/alert-cve-2025-61882.html

  3. (2025-10-06) Investigating active exploitation of CVE-2025-10035 GoAnywhere Managed File Transfer vulnerability | Microsoft Security Blog
    https://www.microsoft.com/en-us/security/blog/2025/10/06/investigating-active-exploitation-of-cve-2025-10035-goanywhere-managed-file-transfer-vulnerability/

  4. (2025-09-29) Fortra GoAnywhere MFT – CVE-2025-10035 | CISA KEV
    https://www.cisa.gov/known-exploited-vulnerabilities-catalog

  5. (2025-10-09) Velociraptor leveraged in ransomware attacks | Cisco Talos
    https://blog.talosintelligence.com/velociraptor-leveraged-in-ransomware-attacks/

  6. (2025-10-09) Investigating targeted payroll pirate attacks affecting US universities | Microsoft Security Blog
    https://www.microsoft.com/en-us/security/blog/2025/10/09/investigating-targeted-payroll-pirate-attacks-affecting-us-universities/

  7. (2025-10-14) Chairman of Prince Group Indicted… | DOJ
    https://www.justice.gov/opa/pr/chairman-prince-group-indicted-operating-cambodian-forced-labor-scam-compounds-engaged

  8. (2025-10-14) U.S. and U.K. Take Largest Action Ever Targeting Cybercriminal Networks in Southeast Asia | Treasury
    https://home.treasury.gov/news/press-releases/sb0278



Emerging Stories

TL;DR

  • [Infrastructure] SonicWall confirms an attacker accessed firewall configuration backups for all customers using its cloud backup service; encrypted credentials raise targeted-attack risk; remediation tooling released.

  • [Vulnerabilities] Continued “ToolShell” exploitation of on‑prem SharePoint (RCE + auth bypass) with key theft and persistence; vendor guidance emphasizes rotating MachineKey and automated IR.

  • [Espionage] Expanded DPRK “remote worker” infiltration beyond IT into architecture/design roles, using fabricated identities and freelancer platforms to gain access and revenue.

Forecasts