Qilin ransomware hit Inotiv (pharmaceutical research) in August 2025, driving costs past $2.48M in Q4 and $5.93M for fiscal year. Company faces consolidated class action lawsuits alleging inadequate security and delayed notification. Attackers stole 176GB, published on darkweb after ransom timer expired. Breach affected 9,542 individuals—employees, family, people who interacted with Inotiv. Attack caused business disruptions and production shutdowns. Still evaluating full impact. Offering 24-month credit monitoring. Discovered August 8, attackers accessed systems August 5-8. Revenue: $513M in fiscal 2025. Works on drug discovery across cardiovascular, neuroscience, oncology, infectious diseases.

Qilin Ransomware Hits Inotiv, Driving Millions in Costs and Lawsuits

Microsoft patched 57 vulnerabilities including three actively exploited zero-days. CVE-2025-62221: Windows Cloud Files Mini Filter Driver privilege escalation—attackers elevate to SYSTEM level. CVE-2025-64671: GitHub Copilot for JetBrains RCE—publicly disclosed. CVE-2025-54100: Windows PowerShell RCE via malicious scripts. Microsoft added Invoke-WebRequest warning to prevent ClickFix-style attacks where users unknowingly run web-fetched PowerShell. Warning recommends -UseBasicParsing switch to avoid script execution. All three zero-days exploited before disclosure. Patches address Cloud Files driver, GitHub integration, PowerShell scripting risks. Windows 10 receives only security updates.

December Patch Tuesday - Three Microsoft Zero-Days Fixed

CastleLoader malware campaign uses fake CAPTCHA 'ClickFix' prompts to trick users into executing PowerShell commands downloading Python-based loaders. ClickFix launches hidden conhost.exe, fetches tar archive, unpacks into AppData, runs windowless Python interpreter. Python bytecode reconstructs and decrypts CastleLoader shellcode entirely in memory—no executable on disk. Shellcode retrieves final stage using hardcoded 'GoogeBot' user agent. Applies PEB Walking (scans Process Environment Block to resolve APIs) and XOR-decrypts payload before in-memory execution. Replaces earlier AutoIt droppers with compact Python loader. Targets corporate environments where Python already installed. Blackpoint linked via network markers—GoogeBot user agent appeared in 2025 CastleLoader traffic.

CastleLoader Malware Uses ClickFix Prompts and Python Loader Chain

Ivanti Endpoint Manager has critical stored XSS (CVE-2025-10573, CVSS 9.0) enabling admin session hijacking without authentication. Attackers inject malicious JavaScript via unauthenticated 'incomingdata' web API that processes device scan data without validation. Payloads embedded in Device ID, Display Name, or OS Name execute when admins view dashboard. Once they steal admin session cookies, attackers control endpoint policies enterprise-wide, push malicious updates, or disable security controls. Affects EPM 2024 SU4 and below. Patched December 9 with EPM 2024 SU4 SR1. Classic XSS-to-admin-compromise chain bypasses MFA since session hijacking occurs post-authentication. No authentication required for initial injection.

CVE-2025-10573 - Ivanti EPM Stored XSS Enables Admin Session Hijack

Two critical Fortinet flaws (CVE-2025-59718 CVSS 9.6, CVE-2025-59719 CVSS 9.8) enable complete FortiCloud SSO authentication bypass. CVE-2025-59718 exploits improper session validation—attackers craft malicious requests to skip authentication. CVE-2025-59719 uses cryptographic weakness to forge valid tokens. Affects FortiOS 7.4.0-7.4.5, FortiWeb, FortiProxy, FortiSwitchManager when FortiCloud SSO enabled. SSO flaws cascade across entire Fortinet infrastructure. FortiCloud SSO disabled by default but auto-enables during FortiCare registration unless admin explicitly disables toggle. Fortinet recommends disabling FortiCloud login until patching. Internally discovered by Fortinet Product Security. No active exploitation confirmed yet. Patched December 10.

CVE-2025-59718 & CVE-2025-59719 - Fortinet FortiCloud SSO Auth Bypass

Critical RCE in Gogs self-hosted Git platform (all versions before 0.14.0) actively exploited via argument injection in repository migration API. Attackers exploit CVE-2025-8110 (bypasses previous fix CVE-2024-55947) to execute commands without authentication, then deploy Supershell backdoor with DNS tunneling and anti-forensics. Over 700 of 1,400 internet-facing instances confirmed compromised. Wiz discovered zero-day accidentally in July during malware investigation. Attack uses symbolic link abuse—attackers create repo with symlink, use PutContents API to overwrite .git/config, force system to execute arbitrary commands. All compromised instances show 8-character random repo names created July 10. Supershell C2 suggests Asia-based threat actors. No fix available yet—Gogs maintainers working on patch.

CVE-2025-8110 - Gogs 0-Day Hits 700+ Self-Hosted Git Servers

React Server Components have a critical RCE (CVSS 9.9) actively exploited by Earth Lamia, Jackpot Panda, and Red Menshen. Over 50 organizations compromised across financial services, government, and tech sectors. Attackers deploy PeerBlight backdoors, CowTunnel proxy tunnels, ZinFoq post-exploitation frameworks, XMRig miners, Sliver C2, and Kaiji botnet components. Shadowserver identified 165,000+ vulnerable IPs and 644,000 domains—99,200 in the U.S. alone. CISA shortened federal agency deadline to December 31. Palo Alto confirms overlap with Contagious Interview campaign (North Korea) and detects BPFDoor usage. More than 15 distinct threat clusters exploiting, from opportunistic cryptominers to nation-state actors. VulnCheck observes nearly 100 public PoCs. Half of exposed instances remain unpatched despite active exploitation since December 4.