Threat Intelligence News from LevelBlue SpiderLabs November 2025
November 2025
LevelBlue SpiderLabs is the threat intelligence unit of LevelBlue and includes a global team of threat researchers and data scientists who, combined with proprietary technology in data analytics and machine learning (ML), analyze one of the largest and most diverse collections of threat data in the world. Our research team delivers tactical threat intelligence that powers resilient threat detection and response — even as an organization’s attack surface expands, technology evolves, and adversaries change their tactics, techniques, and procedures.
The LevelBlue SpiderLabs update gives you the latest threat news, including recent updates to USM Anywhere detections and new threat intelligence published in the LevelBlue SpiderLabs Open Threat Exchange (OTX), one of the largest open threat intelligence sharing communities in the world.
LevelBlue SpiderLabs Threat Intelligence News
Windows Server Update Services RCE (CVE-2025-59287)
The Windows Server Update Services (WSUS) role in Windows Server lets administrators control how Windows OS updates are deployed inside their networks, usually over ports 8530 (HTTP) and 8531 (HTTPS). The CVE corresponds to an "unsafe deserialization of untrusted data" flaw that can lead to RCE if the WSUS Server Role is enabled and the attacker has access to the network.
This vulnerability became widely known during the second half of October: Microsoft initially patched it on Patch Tuesday, and a PoC was published a few days after the patch. Microsoft then had to release an out-of-band security update to fully patch the vulnerability, and only a day after that, several security vendors and CISA alerted of public exploitation of this vulnerability.
LevelBlue SpiderLabs has released 3 NIDS detections to identify exploitation activity, together with 3 updated Correlation Rules to pick out suspicious child processes of wsusservice.exe. The recommended workaround, as an alternative to installing the patch, is to remove the WSUS Server Role and block ports 8530 and 8531.
Oracle Security Alert (CVE-2025-61882)
In early October, Oracle released an out-of-band security update to fix a zero-day exploited in the wild. The vulnerability (CVE-2025-61882) allowed attackers to bypass authentication and execute code on Oracle E-Business Suite platforms. Unauthenticated RCE always poses a high-severity threat, even more so when a PoC is made public (by WatchTowr in this case) and the affected product is as popular as Oracle E-Business Suite.
Shortly after the patch release, reports by Google and CrowdStrike quickly alerted of mass exploitation attempts attributed to the Clop ransom group. LevelBlue SpiderLabs released 1 NIDS detection and 1 Correlation Rule dedicated to identifying exploit attempts.
AdaptixC2: Open-Source tool used in real attacks
AdaptixC2 is an open-source Command and Control (C2) and post-exploitation framework originally designed for penetration testing and adversary emulation. Built with a Golang-based server and a C++/Qt GUI client, it offers encrypted communications, remote command execution, credential management, and modular extensibility. While intended for ethical security testing, its flexibility and cross-platform support have made it attractive to threat actors.
In recent weeks, both SilentPush and Unit42 have published reports on AdaptixC2 surfacing threat actors and how they are leveraging this tool in attacks, delivering payloads like CountLoader or ransomware families like Fog or Akira (as reported by thedfirreport back in August). Furthermore, SilentPush's report elaborates on the hypothesis that a developer with the handle "RalfHacker" may be behind AdaptixC2 and manages a Russian-language sales Telegram channel for the framework. These campaigns highlight how attackers continue to weaponize legitimate red-team tools to evade detection and maintain persistence.
Tracking, Detection & Hunting Capabilities
The LevelBlue SpiderLabs team created the following Adversary Trackers to automatically identify and detect deployed malicious infrastructure: Tycoon2FA, Salty2FA, AdaptixC2, CountLoader, Latrodectus, TamperedChef, CastleLoader. Additionally, the following trackers were updated: Remcos, NetSupport, Oyster, Lumma.
- ClearFake: a malicious JavaScript framework that propagates through compromised websites, enabling drive-by compromises and injecting harmful scripts into legitimate pages. First identified in 2023, this malware family has maintained high activity levels in recent months, signaling its persistence and adaptability. Initially, ClearFake employed tactics similar to FakeUpdates, tricking users into downloading a fake web browser through deceptive webpages.
In 2025, ClearFake evolved its techniques, adopting ClickFix-based methods to enhance its social engineering capabilities. This shift reflects a broader trend among malware operators to refine their deception arsenal and exploit user trust more effectively.
- Latrodectus: Latrodectus has emerged as a significant player in the cybercrime ecosystem, attributed to Lunar Spider, the initial access broker (IAB) group behind the notorious IcedID malware. This financially motivated actor has established strong ties to ALPHV/BlackCat ransomware operations, signaling a dangerous convergence between credential theft and ransomware deployment. The group’s tactics reflect a sophisticated approach to monetizing access, leveraging partnerships within the ransomware-as-a-service model to maximize profits.
The current Latrodectus campaign demonstrates an aggressive expansion strategy, utilizing FakeCaptcha injections on compromised websites to deliver payloads. This technique not only increases infection rates but also highlights the actor’s ability to adapt and innovate. Analysts report high activity levels and a rapidly evolving infrastructure, suggesting that Latrodectus is scaling operations to maintain dominance in the initial access market and is poised to remain a critical risk in the financial cybercrime landscape.
The team has identified the following malware/threat actors as the most active during the month of October.

The LevelBlue trackers have identified over 3100 new IOCs for the different families it tracks. The busiest trackers during the month of October have been:

USM Anywhere Detection Improvements
In October, LevelBlue SpiderLabs added or updated 18 USM Anywhere detections. Here are a few examples of improvements and new elements LevelBlue SpiderLabs developed:
- New rule to detect new logon scripts added to the registry key UserInitMprLogonScript, which could be leveraged to gain persistence in the system.
- Updated rules to detect suspicious or unusual processes executed from a webserver process, specifically covering the WSUS vulnerability CVE-2025-59287.
- 3 new Suricata detections to expand the coverage on severe vulnerabilities like Oracle E-Business Suite (CVE-2025-61882) and WSUS (CVE-2025-59287).
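As an added illustration (not LevelBlue's actual rule logic), the following Python applies the two endpoint detections described above, unusual child processes of wsusservice.exe and writes to the UserInitMprLogonScript registry value, to a handful of constructed Sysmon-style events. The field names and the interpreter list are assumptions.

```python
import ntpath

# Interpreters and shells a WSUS service process has no reason to spawn.
# Assumption: an illustrative list, not LevelBlue's correlation rule content.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe", "certutil.exe"}
WSUS_PARENTS = {"wsusservice.exe"}
LOGON_SCRIPT_VALUE = "userinitmprlogonscript"


def _leaf(path: str) -> str:
    """Last component of a Windows file or registry path, lower-cased."""
    return ntpath.basename(path).lower()


def suspicious_wsus_child(event: dict) -> bool:
    """Sysmon Event ID 1 (process creation) whose parent is WSUS and whose image is a shell/interpreter."""
    if event.get("EventID") != 1:
        return False
    return (_leaf(event.get("ParentImage", "")) in WSUS_PARENTS
            and _leaf(event.get("Image", "")) in SUSPICIOUS_CHILDREN)


def logon_script_persistence(event: dict) -> bool:
    """Sysmon Event ID 13 (registry value set) that writes UserInitMprLogonScript."""
    if event.get("EventID") != 13:
        return False
    return _leaf(event.get("TargetObject", "")) == LOGON_SCRIPT_VALUE


def scan(events: list) -> list:
    """Return (rule_name, event_index) for every event that matches a rule."""
    hits = []
    for idx, ev in enumerate(events):
        if suspicious_wsus_child(ev):
            hits.append(("wsus_suspicious_child", idx))
        if logon_script_persistence(ev):
            hits.append(("logon_script_persistence", idx))
    return hits


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Program Files\Update Services\Service\WsusService.exe",
     "Image": r"C:\Program Files\Update Services\Tools\wsusutil.exe"},          # benign WSUS child
    {"EventID": 1, "ParentImage": r"C:\Program Files\Update Services\Service\WsusService.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},                                  # alert
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},    # not a WSUS child
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1111\Environment\TEMP"},     # unrelated value
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1111\Environment\UserInitMprLogonScript"},  # alert
]

if __name__ == "__main__":
    for rule, idx in scan(SAMPLE_EVENTS):
        print(f"{rule}: event {idx}")
```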
Please visit the LevelBlue Success Center for a full list of improvements, new elements, issues found, and tasks created.
LevelBlue SpiderLabs Open Threat Exchange
LevelBlue SpiderLabs Open Threat Exchange (OTX) is among the world's largest open threat intelligence sharing communities, made up of 330,000 threat researchers from 140 countries who publish threat information to the platform daily. LevelBlue SpiderLabs validates, analyzes, and enriches this threat intelligence. Members of OTX benefit from the collective research, can contribute to the community, analyze threats, create public and private threat intelligence sharing groups, and more. Learn more about OTX, its benefits, and how you can join here.
New OTX Pulses
The LevelBlue SpiderLabs team is continuously publishing new pulses in OTX based on their research and discoveries. Pulses are interactive and searchable repositories of information about threats, threat actors, campaigns, and more. This includes indicators of compromise (IoCs) that are useful to members. In October, 102 new Pulses were created by the SpiderLabs team, providing coverage for the latest threats and campaigns. Here are a few examples of the most relevant new Pulses:
ABOUT LEVELBLUE
LevelBlue is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.