Urgent: Espionage surge, NetSupport RAT strikes and a CVE pile‑up — are you patched?

Global cyber storm: espionage groups, RATs and a CVE avalanche that could ruin your Monday

It’s been one of those weeks where the threat landscape reads like a bleak spy novel with worse coffee: the Tomiris cyber‑espionage collective has rolled out a fresh wave of attacks against government and diplomatic targets worldwide, while regional actors such as Bloody Wolf are exploiting Java vulnerabilities to deploy NetSupport RAT across Central Asia. At the same time, a string of high‑severity and critical CVEs — from OrangeHRM session and password‑reset flaws to a critical sendmail injection, plus several dangerous vulnerabilities in observability and messaging tools — has been disclosed and patched. If you think that’s a lot, you’re right; and if you don’t have a robust patch and resilience plan, you’re about to learn the hard way.

Tomiris: espionage gets an upgrade

Security teams are seeing Tomiris pivot to new tactics and tools in campaigns aimed squarely at government and diplomatic entities. The group’s renewed activity underlines a simple truth: nation‑scale and state‑linked adversaries continue to evolve, and their targets remain those organisations most likely to hold valuable political or strategic intelligence.

For public‑sector defenders and contractors, the takeaway is straightforward — assume compromise attempts are ongoing and focus on early detection, segmentation and rapid containment. At Synergos Consultancy we often remind clients that resilience is not a one‑off certificate hanging on a wall; it’s demonstrated by the speed and competence of your response when your coffee is stolen and your network is next.

Bloody Wolf: NetSupport RAT via Java exploits in Central Asia

In parallel, Bloody Wolf is actively exploiting Java vulnerabilities to deliver NetSupport RAT across Central Asia. NetSupport remains a popular remote administration tool in the hands of attackers because it provides interactive control and persistence. Exploitation via Java highlights the continued risk posed by legacy runtimes and poorly maintained middleware.

Practical steps: reduce Java attack surface where possible, enforce least privilege, and ensure robust network egress controls that can notice and block suspicious RAT‑style command and control traffic.

Patch central: CVEs you must prioritise now

Several high‑severity and critical vulnerabilities were disclosed with available patches — treat these as top priority in your patching runbook.

  • OrangeHRM (CVE‑2025‑66289, CVE‑2025‑66225, CVE‑2025‑66224) — Multiple vulnerabilities in versions 5.0–5.7: persistent session access due to missing session invalidation (8.7, HIGH), account takeover via an unvalidated username in the password‑reset workflow (8.7, HIGH), and a critical arbitrary file write resulting from sendmail parameter injection enabling potential code execution (9.0, CRITICAL). All fixed in version 5.8. If you run OrangeHRM, upgrade immediately and review session and password‑reset logic.
  • OpenObserve (CVE‑2025‑66223) — Invitation tokens didn’t expire prior to 0.16.0, allowing removed or demoted users to regain access and escalate privileges (8.4, HIGH). Patch to 0.16.0 and audit invite token lifecycle.
  • AIS‑catcher (CVE‑2025‑66217, CVE‑2025‑66216) — Integer underflow and heap buffer overflow issues in MQTT parsing and AIS::Message could produce DoS or be leveraged for RCE; patched in 0.64 (8.8, HIGH / 9.3, CRITICAL). Embedded device and maritime infrastructure owners take note.
  • LibreChat (CVE‑2025‑66201) — An SSRF in the Actions feature could let authenticated users coerce the server to make requests to internal URLs (8.6, HIGH); fixed in 0.8.1‑rc2. Treat LLM integrations with caution and restrict network egress for services handling untrusted specs.
  • PubNet (CVE‑2025‑65112) — Critical authentication bypass allowed unauthenticated package uploads and identity spoofing prior to 1.1.3 (9.4, CRITICAL). If you self‑host package registries, verify integrity and access controls.
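
Two of the flaws above belong to the same family: sessions that outlive a password change (OrangeHRM) and invitation tokens that never expire (OpenObserve). The following is an added illustration, not code from either project, of how a small authentication service can get the lifecycle right. It is self-contained and uses an injected clock and a constructed SHA‑256 stand-in for a real password hasher; the `AuthService`, `User` and `Token` names are ours.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

@dataclass
class User:
    username: str
    password_hash: str       # constructed stand-in; use argon2/bcrypt for real
    active: bool = True
    generation: int = 0      # bumped to revoke every outstanding session at once

@dataclass
class Token:
    purpose: str             # "reset" or "invite"
    username: str            # bound at issuance, never read from the request
    expires_at: float
    used: bool = False

class AuthService:
    SESSION_TTL, RESET_TTL, INVITE_TTL = 8 * 3600, 15 * 60, 24 * 3600

    def __init__(self, clock):
        self.clock = clock   # injected so expiry is testable offline (use time.time in prod)
        self.users, self.sessions, self.tokens = {}, {}, {}

    @staticmethod
    def _hash(password):
        return hashlib.sha256(password.encode()).hexdigest()

    def add_user(self, username, password):
        self.users[username] = User(username, self._hash(password))

    def login(self, username, password):
        user = self.users.get(username)
        if not (user and user.active and hmac.compare_digest(user.password_hash, self._hash(password))):
            return None
        sid = secrets.token_urlsafe(32)
        # the session records the generation it was issued under
        self.sessions[sid] = (username, user.generation, self.clock() + self.SESSION_TTL)
        return sid

    def session_user(self, sid):
        # username for a live session, else None (expired, revoked or disabled)
        username, generation, expires_at = self.sessions.get(sid, (None, -1, 0.0))
        user = self.users.get(username)
        if not user or not user.active or expires_at < self.clock() or generation != user.generation:
            self.sessions.pop(sid, None)
            return None
        return username

    def change_password(self, username, new_password):
        user = self.users[username]
        user.password_hash = self._hash(new_password)
        user.generation += 1     # every session issued before this is now dead

    def disable_user(self, username):
        self.users[username].active = False   # login and session_user both check this

    def issue_token(self, purpose, username, ttl):
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = Token(purpose, username, self.clock() + ttl)
        return tok

    def consume_token(self, tok, purpose):
        t = self.tokens.get(tok)
        if t is None or t.used or t.purpose != purpose or t.expires_at < self.clock():
            return None
        t.used = True            # single use
        return t.username

    def request_password_reset(self, username):
        user = self.users.get(username)   # same response whether or not the account exists
        return self.issue_token("reset", username, self.RESET_TTL) if user and user.active else None

    def complete_password_reset(self, tok, new_password):
        username = self.consume_token(tok, "reset")   # identity comes from the token
        if username is None:
            return False
        self.change_password(username, new_password)
        return True

def demo():
    # walk the lifecycle against a fake clock and return what an auditor would check
    now = [1_000_000.0]
    svc = AuthService(clock=lambda: now[0])
    svc.add_user("alice", "old-pw")
    sid = svc.login("alice", "old-pw")
    out = {"live": svc.session_user(sid)}
    reset = svc.request_password_reset("alice")
    out["reset_ok"] = svc.complete_password_reset(reset, "new-pw")
    out["old_session"] = svc.session_user(sid)               # revoked by the reset
    out["replay"] = svc.complete_password_reset(reset, "x")  # token already consumed
    sid2 = svc.login("alice", "new-pw")
    svc.disable_user("alice")
    out["after_disable"] = svc.session_user(sid2)
    invite = svc.issue_token("invite", "bob", AuthService.INVITE_TTL)
    now[0] += AuthService.INVITE_TTL + 1
    out["stale_invite"] = svc.consume_token(invite, "invite")  # expired, rejected
    return out
```

The per-user `generation` counter is what makes revocation cheap: a password change or disablement bumps it once, and every session stamped with an older value fails on its next request without having to enumerate and delete sessions. The reset and invite tokens carry the username they were minted for, so the completion step never trusts a username supplied in the request, and each token is both time-limited and single-use.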

When vendors publish patches, it’s not optional theatre — it’s triage. Prioritise fixes by severity and exposure, test, and deploy. For systems that can’t be patched immediately, consider compensating controls such as isolating the service, blocking relevant network flows and adding multi‑factor authentication where possible.

Other notable headlines — AI abuse and local impact

Malicious LLMs are letting even unskilled operators craft dangerous new malware, accelerating the attack lifecycle and lowering the bar for exploitation. Expect attackers to combine automated code generation with the CVEs above for highly efficient compromise chains.

Closer to home, data was copied in a Kensington and Chelsea council cyber incident: residents have been urged to be vigilant to phishing calls, emails and texts — a timely reminder that breaches have real‑world fallout for ordinary people and communities.

What Synergos Consultancy recommends (without the hard sell, promise)

  1. Immediate patching and evidence preservation for known CVEs; treat OrangeHRM, PubNet and AIS‑catcher fixes as critical if in use.
  2. Enhance session and credential hygiene — force session invalidation on password changes or account disablement and review password reset workflows for parameter validation.
  3. Harden middleware and runtimes (Java included), reduce attack surface and enforce least privilege.
  4. Limit and monitor the network access of LLM services and their integrations to prevent SSRF and other server‑side abuses.
  5. Invest in security awareness training and tabletop exercises so staff can spot phishing and social engineering faster — and stop clicking things they really shouldn’t.
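
Recommendation 4 above, and the LibreChat Actions SSRF it responds to, come down to one control: before the server fetches a URL on a user's behalf, decide whether that destination is one it should ever talk to. Here is an added example of such an egress guard, written for this post rather than taken from LibreChat or any other project. The allowlist, the `FAKE_DNS` table and the hostnames in it are constructed for the offline demo; `outbound_url_allowed` and `demo` are our names.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {443}

def _resolve(host):
    # default resolver; the demo injects a fake one so it runs offline
    return [info[4][0] for info in socket.getaddrinfo(host, None)]

def outbound_url_allowed(url, allowed_hosts, resolve=_resolve):
    """Return (ok, reason) for a URL an integration asks the server to fetch."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False, "no host"
    try:
        port = parts.port or 443
    except ValueError:
        return False, "malformed port"
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    if host not in allowed_hosts:          # literal IPs never appear on the allowlist
        return False, f"host {host!r} not on allowlist"
    # an allowed name can still point inward: check every address it resolves to
    try:
        addrs = resolve(host)
    except (OSError, LookupError) as exc:
        return False, f"resolution failed: {exc}"
    for a in addrs:
        ip = ipaddress.ip_address(a)
        ip = getattr(ip, "ipv4_mapped", None) or ip   # unwrap ::ffff:a.b.c.d
        if not ip.is_global:   # loopback, RFC 1918, link-local (169.254/16), ULA, ...
            return False, f"{host} resolves to non-public address {a}"
    return True, "ok"

FAKE_DNS = {   # constructed for the demo; values are illustrative
    "api.example.com": ["93.184.216.34"],
    "intranet.example.com": ["10.0.0.5"],
    "rebound.example.com": ["93.184.216.34", "127.0.0.1"],
    "mapped.example.com": ["::ffff:169.254.169.254"],
}

def demo():
    """Run a constructed set of URLs through the guard; returns {url: allowed}."""
    allow = set(FAKE_DNS)   # every demo host is allowlisted so resolution gets exercised
    resolver = lambda h: FAKE_DNS[h]
    cases = [
        "https://api.example.com/v1/spec.json",   # public, on allowlist: ok
        "https://intranet.example.com/admin",     # allowlisted name, private address
        "https://rebound.example.com/",           # one public and one loopback record
        "https://mapped.example.com/",            # IPv4-mapped link-local address
        "http://api.example.com/",                # wrong scheme
        "https://127.0.0.1/",                     # literal IP, not on allowlist
        "https://api.example.com:8443/",          # wrong port
        "https://user:pw@api.example.com/",       # credentials in URL
        "https://other.example.org/",             # not on allowlist
    ]
    return {u: outbound_url_allowed(u, allow, resolver)[0] for u in cases}
```

Two practical notes. The check is only as good as the connection that follows it: the HTTP client should connect to the address that was vetted (or re-run the guard on the address it actually dials) so a DNS answer cannot change between check and fetch, and redirects must be passed back through the same guard rather than followed automatically. An allowlist of hostnames is deliberately stricter than a denylist of private ranges; where a product must accept arbitrary user-supplied hosts, the address check is the minimum, not the whole control.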

For teams wanting to formalise these activities into an auditable management system, consider aligning with ISO controls and frameworks to turn ad‑hoc firefighting into repeatable resilience. Our work at Synergos often maps technical controls into ISO 27001 processes, while business continuity measures sit well with ISO 22301. If occupational health and safety overlaps with cyber risk in your environment, ISO 45001 integration can help streamline governance. For basic cyber‑hygiene certification, Cyber Essentials remains a practical starting point, and tailored security awareness training is vital to reduce human risk.

Links for more on those standards and support at Synergos: ISO 27001 (https://synergosconsultancy.co.uk/iso27001/), Cyber Essentials (https://synergosconsultancy.co.uk/iasme-certifications/), security awareness training (https://synergosconsultancy.co.uk/usecure) and ISO 22301 (https://synergosconsultancy.co.uk/iso-22301-business-continuity-management-system-bcms/).

We’ll say it plainly: patch, detect, train, repeat. Threat actors like Tomiris and Bloody Wolf aren’t taking a long tea break; neither should your security posture. Stay vigilant, keep your systems up to date and ensure your people understand how to behave when the alerts start chirping.

That’s the short version — the long version is getting your ducks in a row before the next threat bulletin arrives. If nothing else, let this be the nudge to schedule that overdue patch window and run a recovery drill. Your future self will thank you, perhaps with a nicer mug and fewer panic emails.

Adam Cooke
As the Operations and Compliance Manager, Adam oversees all aspects of the business, ensuring operational efficiency and regulatory compliance. Committed to high standards, he ensures everyone is heard and supported. With a strong background in the railway industry, Adam values rigorous standards and safety. Outside of work, he enjoys dog walking, gardening, and exploring new places and cuisines.