OCT 21ST, 2025

Unit 42 Threat Bulletin - October 2025

October is here, bringing a packed edition of the Unit 42 Threat Bulletin. Expect new content and expert perspectives in each issue.

Welcome to the October edition of the Unit 42 Threat Bulletin, where we take a look into the threat landscape to surface insights for security leaders. I’m Mitch Mayne, Editor in Chief of the Threat Bulletin and Cybersecurity Research Principal for Unit 42.

This month, we spoke with Senior Principal Researcher Matt Brady about preparing for the spike in cybercrime that always occurs during the holiday season – especially for retail organizations. Justin Moore, Senior Researcher with Unit 42, clues us in on Shai-Hulud, a new type of supply chain attack. And Director of Threat Research (Cortex), Assaf Dahan, takes us inside Phantom Taurus, a stealthy China-nexus APT.

Mitch Mayne, Principal, Security Research

Intel and Insights

The holiday rush brings more than shoppers — it brings a surge of cybercrime. Senior Principal Researcher Matt Brady shares how organizations can stay secure when stakes are highest.

Mitch Mayne: What threat trends should organizations watch heading into the holiday season? How do attackers shift tactics during this time?

Matt Brady: For retailers, uptime and customer trust are everything. Cybercriminals know that—and they use it. Expect to see more operational extortion: DDoS and ransomware campaigns designed to knock services offline when it hurts most. On top of that, attackers ramp up gift card fraud, payment skimming — both digital and physical — and return scams to siphon funds directly. It’s simple: this season can make or break the year, and protecting reliability and trust is mission-critical.

MM: Any specific threat actors or activity patterns standing out right now?

MB: We’re tracking several clusters hitting retail, including Muddled Libra (aka Scattered Spider). They’re affiliated with “The Com,” a collective of young, English-speaking threat actors — mostly Western-based — who’ve teamed up with Russian cybercriminals in the past. Their playbook includes social engineering and ransomware variants like DragonForce. More recently, they’ve partnered with Bling Libra (aka ShinyHunters) to steal data from Salesforce instances — no encryption, just exfiltration and extortion. That data often includes sensitive PII, which raises major risks for retailers around compliance and customer trust.

MM: So what’s your advice for CISOs preparing for this season?

MB: Get visibility early. Monitor both public and underground forums for signs of targeting — your org and your supply chain. Enforce MFA on customer accounts, especially those storing payment data. Make sure your incident response plan is ready, complete with stakeholder contacts and an external cybersecurity retainer on standby. Finally, stay plugged into your sector’s ISAC to get real-time threat intel and coordinated defense guidance.

Matt Brady, Senior Principal Researcher
Video

CISO Unscripted

Phantom Taurus, a China-aligned APT, is quietly targeting governments and telecoms in Africa, the Middle East, and Asia by exploiting exposed infrastructure and key servers. In this episode, Assaf Dahan, Director of Threat Research (Cortex), shares the 90-second elevator pitch of what CISOs can do: why basic IT hygiene still blocks most intrusions, how to close visibility gaps with the right telemetry and correlation, and why intel sharing with peers (even competitors) measurably improves defense.
Podcast

Threat Vector

Risk Resilience and Real Talk with Sam Ainscow

“Everything we do boils down to risk. Every control we put in place should be because of an identified risk. We should be mitigating that risk in the best way, while bringing the least amount of friction to the business. That should guide everything we do.”
Sam Ainscow, Group Chief Security Officer at Hill & Smith PLC

Behind the Intelligence

A new attack that first appeared in September is impacting hundreds of organizations. Dubbed “Shai-Hulud” after the sandworms in the novel Dune, this self-replicating worm represents a significant evolution in supply chain attacks. Justin Moore, Senior Manager of Unit 42’s Threat Intelligence Research, gave us the details.

Mitch Mayne: What should we know at a glance?

Justin Moore: Shai-Hulud is a fast-moving supply chain attack that quickly affected hundreds of organizations. The attack targeted everyday development activities and trusted software processes to reach its targets, demonstrating just how quickly risk can move inside business operations.

MM: What makes this attack stand out?

JM: Unlike typical malware, Shai-Hulud spreads autonomously. Once the attackers gained access to a developer’s account, they used automation to insert malicious code across that developer’s other software packages and push the compromised versions live—spreading the threat across the software supply chain almost instantly. By combining automation with artificial intelligence, the attackers were able to generate, adapt, and deploy malicious code at scale, far faster than human operators could. This approach marks a shift in the threat landscape: AI-driven supply chain attacks are becoming more efficient, more scalable, and significantly harder to detect, accelerating every stage from initial compromise to evasion.

MM: What should CISOs take away from this research?

JM: Securing the developer environment should be a top priority. The initial compromise of this attack likely starts with phishing a developer’s highly privileged account, which illustrates the importance of zero trust. Rotate all developer and cloud credentials immediately. Conduct a thorough audit of third-party software dependencies. Review developer accounts for unusual changes or unexpected public repositories. Multi-factor authentication is essential, but so is strong phishing awareness and educating teams on credential safety. Finally, treat vendor policies, incident response plans, and frequent supply chain risk reviews as ongoing leadership responsibilities, not just technical tasks.

Justin Moore, Senior Manager, Threat Intelligence Research