Silent PassiveNeuron Attacks, Jingle Thief Fraud, SessionReaper Adobe Exploit – Cybersecurity News [October 20, 2025]

by DuoCircle


Cyber threats kept security teams busy this week. A new campaign called PassiveNeuron is spying on government and industry networks across several regions, while the Jingle Thief group is running cloud-based gift card scams. Hackers are also exploiting the SessionReaper bug in Adobe Commerce, and a critical Lanscope flaw has been flagged by CISA. In healthcare, a breach at Conduent exposed personal data from 462,000 Blue Cross Blue Shield members, underscoring how widespread and damaging these attacks have become. Here are the latest updates from this past week.


New PassiveNeuron Espionage Campaign Silently Hits Global Targets

A new cyber-espionage campaign, “PassiveNeuron,” is quietly going after government, financial, and industrial organizations across Asia, Africa, and Latin America. Kaspersky, which is tracking the operation, first spotted it in mid-2024. The attackers were using two custom malware tools, “Neursite” and “NeuralExecutor”, to break into government servers in Latin America and East Asia. These tools are part of a complex, modular framework built for staying hidden deep inside networks and stealing data, even from systems that are isolated.

What makes PassiveNeuron so sneaky is that it uses internal servers that are already compromised as its command-and-control hubs, which helps it blend right into normal network traffic. The attackers usually get in through vulnerable Microsoft SQL servers and plant their implants using DLL loaders in the System32 directory. Neursite collects system info and manages processes, while NeuralExecutor downloads and runs extra payloads. Newer versions have even started using GitHub as a “dead-drop” to get their command servers, using a legit platform for cover. It’s not clear who’s behind it, but some signs point to South Asian attackers.


Jingle Thief Hackers Exploit Cloud Systems for Gift Card Fraud

A cybercriminal group known as Jingle Thief has been quietly targeting cloud systems used by retail and consumer service companies to run large-scale gift card scams. Researchers at Palo Alto Networks’ Unit 42 say the group uses convincing phishing emails and text messages to steal Microsoft 365 logins. Once they’re in, they move through company systems, figure out how the gift card process works, and start issuing fake cards that are later sold on grey markets for profit. The group has been around since at least late 2021 and is believed to have connections to North Africa-based outfits known as Atlas Lion and Storm-0539. What really sets Jingle Thief apart is its patience.

In some cases, the hackers have managed to stay hidden inside company networks for months, sometimes close to a year, quietly studying systems and slipping past security checks. Rather than relying on traditional malware, they make clever use of stolen credentials, setting up fake authenticator apps and enrolling new devices in company accounts to keep their access alive. In recent months, the group has broken into dozens of accounts within single organizations, showing just how easily cloud-based identity abuse can turn into real-world financial crime. Their blend of stealth, patience, and precision makes Jingle Thief one of the more persistent threats in the cloud today.


Hackers Actively Exploit SessionReaper Flaw in Adobe Commerce

The e-commerce security firm Sansec is warning anyone using Adobe Commerce or Magento Open Source about active attacks, as attackers are exploiting a critical vulnerability. The flaw, nicknamed SessionReaper (CVE-2025-54236), is a nasty one with a 9.1 CVSS rating. It’s an input validation issue in the Commerce REST API that lets attackers hijack customer accounts and possibly even execute remote code. Adobe did patch this last month after researcher Blaklis reported it, but Sansec says about 62% of Magento stores are still unpatched.

Over 250 attempts have been spotted in just the last 24 hours. Hackers are using the “/customer/address_file/upload” endpoint to try and upload PHP backdoors disguised as fake session files. Adobe has since updated its advisory to confirm these attacks are happening in the wild. Searchlight Cyber’s analysis calls it a nested deserialization bug that could lead to a full system compromise. This is the second big deserialization flaw to hit Adobe’s platforms in two years, following CosmicSting in 2024. With exploit code already circulating, security experts are urging admins to patch this vulnerability immediately.
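For store admins checking whether their own site has seen the upload attempts described above, here is an added example (not Sansec’s or Adobe’s code) that scans web-server access logs for requests to the “/customer/address_file/upload” endpoint and counts them per source address. The log format assumed is the common combined format, and the sample log lines are constructed, not real traffic.

```python
"""Flag access-log lines hitting the Adobe Commerce endpoint abused in the
SessionReaper (CVE-2025-54236) attacks.  Added defender-side example; the
log lines below are constructed samples, not captured traffic."""
import re
from collections import Counter

# Endpoint named in the Sansec report; matched as a substring so that any
# REST prefix in front of it (constructed here as /rest/V1) is still caught.
SUSPECT_PATH = "/customer/address_file/upload"

# Combined log format: ip - - [time] "METHOD path HTTP/x" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (assumption: one benign client, one probing client).
SAMPLE_LOG = """\
203.0.113.9 - - [20/Oct/2025:10:01:02 +0000] "GET /catalog/product/view/id/1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [20/Oct/2025:10:01:05 +0000] "POST /rest/V1/customer/address_file/upload HTTP/1.1" 200 88 "-" "python-requests/2.31"
198.51.100.7 - - [20/Oct/2025:10:01:06 +0000] "POST /rest/V1/customer/address_file/upload HTTP/1.1" 500 0 "-" "python-requests/2.31"
203.0.113.9 - - [20/Oct/2025:10:02:10 +0000] "GET /checkout/cart/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_upload_attempts(log_text):
    """Return every parsed entry whose request path contains the suspect endpoint."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and SUSPECT_PATH in rec["path"]:
            hits.append(rec)
    return hits


def attempts_by_source(log_text):
    """Count endpoint hits per client IP to surface the bursts Sansec described."""
    return Counter(rec["ip"] for rec in find_upload_attempts(log_text))


if __name__ == "__main__":
    for ip, n in attempts_by_source(SAMPLE_LOG).items():
        print(f"{ip}: {n} request(s) to {SUSPECT_PATH}")
```

A hit on a patched store is only a probe; on an unpatched store, a 200 response to this endpoint is the signal to look for unexpected PHP files and to patch immediately.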


Motex Lanscope Vulnerability Exploited in Ongoing Cyberattacks

CISA has added a critical flaw in Motex Lanscope Endpoint Manager to its Known Exploited Vulnerabilities (KEV) list, warning that attackers are already taking advantage of it in real-world incidents. The issue, identified as CVE-2025-61932, carries a high severity rating of 9.3 on the CVSS scale. It impacts on-premises versions of Lanscope’s Client and Detection Agent software, letting attackers run arbitrary code just by sending specially crafted network packets. The problem stems from the software failing to properly verify where the communications are coming from.

This issue affects versions 9.4.7.1 and earlier, though it’s already been patched in releases up to 9.4.7.3. Japan’s JVN and JPCERT/CC have also confirmed active exploitation, reporting that organizations have received unauthorized packets targeting the flaw, likely in attempts to install backdoors. While it’s not clear who is behind the attacks or how widespread they are, CISA has directed all U.S. federal agencies to apply the necessary updates by November 12, 2025, to block this threat.


Cyberattack Exposes Data of 462,000 Blue Cross Blue Shield Members

A cyberattack on Conduent Business Services, a New Jersey vendor for Blue Cross Blue Shield of Montana (BCBSMT), has impacted around 462,000 current and former members. Conduent, which manages payment and document processing for BCBSMT, detected the breach on January 13, 2025. It was described as an “operational disruption,” a term often used in ransomware incidents.


Investigators found that hackers had access to Conduent’s network from October 2024 to January 2025, stealing files before the systems were restored. Conduent’s SEC filing later revealed the breach affected about 4.3 million individuals across multiple clients. BCBSMT learned its data was involved earlier this year and completed its review on September 23, 2025. The stolen info includes Personally Identifiable Information (PII) like names, dates of birth, Social Security numbers, treatment codes, and claims details. Montana’s insurance commissioner is now investigating if BCBSMT met state reporting laws, warning that penalties could follow if compliance failures are found.

Strengthen your defense against such evolving cyber threats by implementing robust email security measures like DMARC, SPF, and DKIM to block phishing and spoofing attempts before they reach your inbox.
