Windows Server WSUS vulnerability under active attack: What admins need to know
A remote code execution (RCE) flaw (CVE-2025-59287) affecting Windows Server Update Services (WSUS) servers has been actively exploited in the wild; it allows SYSTEM-level code execution without user interaction.
The flaw is wormable between WSUS servers. Cybersecurity firms have observed scanning and exploitation attempts, including reconnaissance commands such as net user /domain and ipconfig executed from compromised hosts, indicating attackers quickly move from foothold to environment discovery.
Microsoft released out-of-band patches covering Windows Server 2025, 23H2, 2022, 2019, 2016 and 2012; mitigation guidance includes disabling the WSUS Server role or blocking WSUS management ports until patches are applied, and validating the integrity of update packages.
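As an added example (not code from the article or from any vendor), a small Python detection rule that flags the reconnaissance commands named above when they execute on hosts carrying the WSUS Server role. The host inventory, log line format and sample events are constructed for the demonstration; real process-creation telemetry would be mapped into `parse_event`.

```python
import re
from dataclasses import dataclass

# Constructed inventory of hosts running the WSUS Server role (hypothetical names).
WSUS_HOSTS = {"wsus01.corp.example", "wsus02.corp.example"}

# Reconnaissance commands named in the report, matched case-insensitively
# against the command line of a process-creation event.
RECON_PATTERNS = [
    ("net user /domain", re.compile(r"\bnet1?(?:\.exe)?\s+user\s+/domain\b", re.I)),
    ("ipconfig", re.compile(r"\bipconfig(?:\.exe)?\b", re.I)),
]

@dataclass
class Finding:
    timestamp: str
    host: str
    command: str
    rule: str

def parse_event(line: str) -> dict:
    """Parse a constructed log line: '<ts> host=<fqdn> user=<name> cmd=<command line>'."""
    m = re.match(r"(\S+)\s+host=(\S+)\s+user=(\S+)\s+cmd=(.*)$", line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ts, host, user, cmd = m.groups()
    return {"timestamp": ts, "host": host, "user": user, "cmd": cmd}

def detect(lines: list[str]) -> list[Finding]:
    """One Finding per recon command on a WSUS host; other hosts are out of scope."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev["host"].lower() not in WSUS_HOSTS:
            continue  # the signal is recon running on the update server itself
        for rule, pattern in RECON_PATTERNS:
            if pattern.search(ev["cmd"]):
                findings.append(Finding(ev["timestamp"], ev["host"], ev["cmd"], rule))
    return findings

# Constructed sample events: two hits on a WSUS host, one benign workstation event,
# and one normal IIS worker process on a second WSUS host.
SAMPLE_LOG = [
    "2025-10-24T09:01:12Z host=wsus01.corp.example user=SYSTEM cmd=cmd.exe /c net user /domain",
    "2025-10-24T09:01:15Z host=wsus01.corp.example user=SYSTEM cmd=ipconfig /all",
    "2025-10-24T09:02:40Z host=ws-admin07.corp.example user=jdoe cmd=ipconfig /all",
    "2025-10-24T09:03:05Z host=wsus02.corp.example user=SYSTEM cmd=w3wp.exe -ap WsusPool",
]
```

Running `detect(SAMPLE_LOG)` yields two findings, both on wsus01; the workstation's `ipconfig` is deliberately ignored so the rule stays tied to the server role rather than to routine admin activity.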
How hackers use fake LastPass inheritance emails to steal password vault credentials
A targeted phishing campaign impersonates LastPass’s emergency/inheritance workflow: victims receive convincing emails claiming a relative uploaded a death certificate and requested emergency vault access, creating urgency and social-engineering pressure to comply.
Victims are directed to lookalike domains (for example, lastpassrecovery[.]com or passkeysetup[.]com) where they are asked to enter master passwords, one-time codes or even recreate FIDO2/WebAuthn passkeys, enabling attackers to capture master credentials and bypass two-factor protections.
Threat actors associated with this campaign (linked to groups such as CryptoChameleon / UNC5356 by some researchers) are increasingly targeting password-manager features and passkeys, showing an evolution from standard credential-phishing to sophisticated vault takeover techniques.
MuddyWater APT Group: Inside Iran's cyber espionage operations
A state-linked Iranian actor (MuddyWater / Static Kitten) ran broad phishing campaigns against more than 100 government and diplomatic organizations across the Middle East and North Africa, delivering macro-enabled Word docs that act as the initial loader.
Phoenix v4 includes enhanced browser-credential theft and database export capabilities, and operators have used it to exfiltrate documents, perform lateral reconnaissance, and stage follow-on access for espionage objectives.
Lanscope Endpoint Manager CVE-2025-61932: Critical flaw exploited in the wild
A critical vulnerability in Lanscope Endpoint Manager (CVE-2025-61932, CVSS 9.3) allows remote attackers to trigger arbitrary code execution via specially crafted packets to the client/agent, with successful exploitation enabling full control of affected endpoints.
The flaw impacts on-premises deployments and has confirmed exploitation in some countries (notably incidents flagged by JPCERT/CC in Japan), where attackers sent unauthorized packets to exposed Lanscope agents to drop follow-on payloads and backdoors.
Because Lanscope is used for device management and monitoring, a compromised agent can give attackers privileged visibility and control over enterprise endpoints, enabling stealthy persistence and broad lateral movement.
Discord users at risk: RedTiger-based infostealer enables mass account takeover
Operators have forked the RedTiger red-team toolkit to produce an infostealer that harvests Discord session tokens, browser-stored credentials/cookies, crypto-wallet files, game data and system information and then exfiltrates them to attacker C2 servers.
The malware can capture screenshots and webcam images, collect wallet files (allowing direct theft of cryptocurrency), and automatically use harvested Discord tokens to take over accounts or perform fraud and social engineering from legitimate user profiles.
Because Discord is commonly used for informal internal comms and developer collaboration, compromised accounts present a significant lateral-movement and social-engineering vector inside organizations that permit or tolerate consumer chat apps.