From critical Microsoft update flaws to invisible-character phishing and a major UK supply-chain breach, this month’s bulletin covers evolving attacker tactics, and the practical defences the Kocho SOC team recommends to stop them.
Headlines:
- Windows Server Update Services exploited in active attacks
- Phishing emails use invisible Unicode to evade filters
- Android malware-as-a-service bypasses new controls
- Chrome zero-day used to deploy commercial spyware
- Jaguar Land Rover cyber incident exposes supply-chain fragility
- UK government calls on business leaders to prioritise cyber resilience
UK organisations warned over Windows Server Update Services attacks
A critical vulnerability (CVE-2025-59287) in Windows Server Update Services (WSUS) is being actively exploited, prompting warnings from UK cybersecurity authorities. The flaw allows unauthenticated attackers to execute code remotely through a legacy deserialisation mechanism. NHS Digital and the NCSC have urged organisations to check exposure, particularly where WSUS servers are reachable from the internet.
What’s the risk?
- Compromised WSUS servers can distribute malicious updates across entire networks.
- Internet-exposed WSUS instances provide attackers with a path to full domain compromise.
- Delayed or incomplete patching leaves UK systems open to weaponised exploits.
Recommended actions
Action point
Treat WSUS as a critical control point. A single compromised update server can become an attacker’s distribution channel.
Phishing uses invisible Unicode to evade email filters
Researchers uncovered a sophisticated technique where threat actors embed invisible Unicode characters, such as soft hyphens (U+00AD), in subject lines and email bodies via MIME encoding to slip past email filters while displaying normal text to users.
What’s the risk?
- Attackers evade keyword-based filtering by splitting words with invisible characters.
- Users see legitimate-looking subject lines while backend filters are bypassed.
- Standard email defences may fail to decode and inspect MIME-encoded headers thoroughly, so filtering rules run against the obfuscated text rather than what the recipient sees.
Recommended actions
Action point
This sneaky tactic is real. Update your email filtering strategy and hunt for hidden Unicode tricks now.
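A defensive check for the technique described above, added here as an illustration rather than code from the bulletin or the Kocho SOC team: it decodes an RFC 2047 encoded-word subject line, reports any invisible format characters (soft hyphen U+00AD and its zero-width relatives), and shows that keyword rules only match once those characters are stripped. The sample subject and the keyword list are constructed for this example.

```python
"""Detect soft-hyphen / zero-width obfuscation in MIME-encoded subject lines."""
import base64
import unicodedata
from email.header import decode_header, make_header

# Characters that render as nothing but split words for naive keyword filters.
INVISIBLE = {"\u00ad", "\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}
# Constructed keyword list; a real filter would load its own rule set.
KEYWORDS = ("password", "invoice", "urgent")


def decode_subject(raw_header: str) -> str:
    """Decode RFC 2047 encoded-words (=?utf-8?B?...?=) into a plain str."""
    return str(make_header(decode_header(raw_header)))


def _is_invisible(ch: str) -> bool:
    # Unicode category Cf ("format") covers soft hyphen, ZWSP, ZWJ, BOM, etc.
    return ch in INVISIBLE or unicodedata.category(ch) == "Cf"


def find_invisible(text: str) -> list:
    """Return (index, character name) for every invisible character in text."""
    return [(i, unicodedata.name(ch, "UNKNOWN"))
            for i, ch in enumerate(text) if _is_invisible(ch)]


def normalise(text: str) -> str:
    """Strip format characters so rules see the text the user actually sees."""
    return "".join(ch for ch in text if not _is_invisible(ch))


def classify(raw_header: str) -> dict:
    """Compare naive keyword matching with matching on the normalised subject."""
    decoded = decode_subject(raw_header)
    hidden = find_invisible(decoded)
    naive = [k for k in KEYWORDS if k in decoded.lower()]
    robust = [k for k in KEYWORDS if k in normalise(decoded).lower()]
    return {"decoded": decoded, "hidden_chars": len(hidden),
            "naive_hits": naive, "hits": robust,
            "suspicious": bool(hidden and robust)}


# Constructed sample: "Password reset" with a soft hyphen inside both words,
# wrapped as a base64 encoded-word the way a mail client would send it.
SAMPLE = "Pass\u00adword re\u00adset required"
SAMPLE_HEADER = "=?utf-8?B?" + base64.b64encode(SAMPLE.encode()).decode() + "?="

if __name__ == "__main__":
    print(classify(SAMPLE_HEADER))
```

The naive match on the decoded subject finds nothing, while the normalised text hits "password"; the combination of hidden characters and a post-normalisation keyword hit is the signal worth alerting on.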
Android malware-as-a-service ‘Herodotus’ bypasses Android 13+ controls
Security researchers have uncovered Herodotus, a new Android Trojan sold as malware-as-a-service and currently spreading via smishing campaigns in Italy and Brazil. Although not yet seen in the UK, its distribution model and advanced evasion techniques make it a likely candidate for wider deployment across Europe. The malware mimics human input and uses fake loading screens to bypass Android 13+ accessibility restrictions, gaining full control over infected devices.
What’s the risk?
- Device takeover via sideloaded malware gives full control of high-privilege capabilities.
- Behavioural biometrics and anti-fraud systems are bypassed due to human-like delays and overlays.
- MaaS model lowers barrier to entry. Even less skilled actors can launch major campaigns.
Recommended actions
Action point
Block sideloading risks and revoke risky permissions now, as mobile malware is evolving fast.
Chrome zero-day used to deploy commercial spyware
Kaspersky has tied a Chrome zero-day (CVE-2025-2783) to Operation ForumTroll, a phishing campaign delivering Dante spyware from Italian vendor Memento Labs. Though patched, the case highlights how commercial spyware and browser exploits are converging.
What’s the risk?
- Drive-by compromise through trusted browsers enables silent code execution.
- Commercial spyware supply chains increase accessibility and stealth.
- Fast-expiring phishing links reduce detection and response time.
Recommended actions
Action point
Patch browsers and sweep for signs of spyware now. Attackers are turning everyday web activity into covert data theft.
Jaguar Land Rover attack exposes supply-chain fragility
Last month’s cyber incident at Jaguar Land Rover forced UK factory shutdowns and disrupted production across its supplier network. Recovery continues, but the event highlights how interconnected manufacturing environments can turn a single breach into systemic disruption.
What’s the risk?
- Overreliance on shared IT and OT systems creates single points of failure across production lines.
- Limited visibility into supplier networks delays detection and containment.
- Insufficient segmentation between partners and operational systems increases lateral-movement potential.
Recommended actions
Action point
Use the JLR incident as a model for supply-chain resilience planning. Isolate critical dependencies before an attacker does.
And finally…
UK Government urges business leaders to make cybersecurity a boardroom priority
The UK government has written to senior leaders of the country’s largest companies, urging them to treat cyber resilience as a board-level priority.
The letter reinforces that cyber risk now carries the same weight as financial or legal responsibility and calls on organisations to adopt evidence-based reporting and align with the Cyber Governance Code of Practice.
It’s a clear signal that accountability for resilience no longer sits only with IT. Boards must ensure their strategies, investments, and culture reflect the growing expectation of measurable cyber assurance.
Thanks to the Kocho SOC team for their contributions.
Stay safe. Stay informed.