Author: Mark

Oct 06, 2025Ravie LakshmananMalware / Data Breach

Cybersecurity researchers have shed light on a Chinese-speaking cybercrime group codenamed UAT-8099 that has been attributed to search engine optimization (SEO) fraud and theft of high-value credentials, configuration files, and certificate data.

The attacks are designed to target Microsoft Internet Information Services (IIS) servers, with most of the infections reported in India, Thailand, Vietnam, Canada, and Brazil, spanning universities, tech firms, and telecom providers. The group was first discovered in April 2025. The targets are primarily mobile users, encompassing both Android and Apple iPhone devices.

UAT-8099 is the latest China-linked actor to engage in SEO fraud for financial gain. As recently as last month, ESET revealed details of another threat actor named GhostRedirector that has managed to compromise at least 65 Windows servers primarily located in Brazil, Thailand, and Vietnam with a malicious IIS module codenamed Gamshen to facilitate SEO fraud.

“UAT-8099 manipulates search rankings by focusing on reputable, high-value IIS servers in targeted regions,” Cisco Talos researcher Joey Chen said. “The group maintains persistence and alters SEO rankings using web shells, open-source hacking tools, Cobalt Strike, and various BadIIS malware; their automation scripts are customized to evade defenses and hide activity.”

Once a vulnerable IIS server is found – either via security vulnerability or weak settings in the web server’s file upload feature – the threat actor uses the foothold to upload web shells to conduct reconnaissance and gather basic system information. The financially motivated hacking group subsequently enables the guest account to escalate their privileges, all the way to the administrator, and use it to enable Remote Desktop Protocol (RDP).

UAT-8099 has also been observed taking steps to plug the initial access pathway to maintain sole control of the compromised hosts and prevent other threat actors from compromising the same servers. In addition, Cobalt Strike is deployed as the preferred backdoor for post-exploitation.

In order to achieve persistence, RDP is combined with VPN tools like SoftEther VPN, EasyTier, and Fast Reverse Proxy (FRP). The attack chain culminates with the installation of BadIIS malware, which has been put to use by multiple Chinese-speaking threat clusters like DragonRank and Operation Rewrite (aka CL-UNK-1037).

UAT-8099 uses RDP to access IIS servers and search for valuable data within the compromised host using a graphical user interface (GUI) tool named Everything, which is then packaged for either resale or further exploitation. It’s not currently clear how many servers the group has compromised.

The BadIIS malware deployed in this case, however, is a variant that has tweaked its code structure and functional workflow to sidestep detection by antivirus software. It functions similarly to Gamshen in that the SEO manipulation component kicks in only when the request originates from Google (i.e., User-Agent is Googlebot).

BadIIS can operate in three different modes –

• Proxy, which extracts the encoded, embedded command-and-control (C2) server address and uses it as a proxy to retrieve content from a secondary C2 server
• Injector, which intercepts browser requests originating from Google search results, connects to the C2 server to retrieve JavaScript code, embeds the downloaded JavaScript into the HTML content of the response, and returns the altered response back to redirect the victim to the chosen destination (unauthorized advertisements or illegal gambling websites)
• SEO fraud, which compromises multiple IIS servers to conduct SEO fraud by serving backlinks to artificially boost website rankings

“The actor employs a conventional SEO technique known as backlinking to boost website visibility,” Talos said. “Google’s search engine uses backlinks to discover additional sites and assess keyword relevance.”

“A higher number of backlinks increases the likelihood of Google crawlers visiting a site, which can accelerate ranking improvements and enhance exposure for the webpages. However, simply accumulating backlinks without regard to quality can lead to penalties from Google.”

Oct 06, 2025Ravie LakshmananCybersecurity / Hacking News

The cyber world never hits pause, and staying alert matters more than ever. Every week brings new tricks, smarter attacks, and fresh lessons from the field.

This recap cuts through the noise to share what really matters—key trends, warning signs, and stories shaping today’s security landscape. Whether you’re defending systems or just keeping up, these highlights help you spot what’s coming before it lands on your screen.

⚡ Threat of the Week

Oracle 0-Day Under Attack — Threat actors with ties to the Cl0p ransomware group have exploited a zero-day flaw in E-Business Suite to facilitate data theft attacks. The vulnerability, tracked as CVE-2025-61882 (CVSS score: 9.8), concerns an unspecified bug that could allow an unauthenticated attacker with network access via HTTP to compromise and take control of the Oracle Concurrent Processing component. In a post shared on LinkedIn, Charles Carmakal, CTO of Mandiant at Google Cloud, said “Cl0p exploited multiple vulnerabilities in Oracle EBS which enabled them to steal large amounts of data from several victims in August 2025,” adding “multiple vulnerabilities were exploited including vulnerabilities that were patched in Oracle’s July 2025 update as well as one that was patched this weekend (CVE-2025-61882).”

🔔 Top News

• Phantom Taurus Targets Africa, the Middle East, and Asia — A previously undocumented Chinese nation-state actor has been targeting government agencies, embassies, military operations, and other entities across Africa, the Middle East, and Asia in a cyber-espionage operation as sophisticated as it is stealthy and persistent. What makes the campaign different from other China-nexus activity is the threat actor’s surgical precision, unprecedented persistence, and its use of a highly sophisticated, custom-built toolkit called NET-STAR to go after high-value systems at organizations of interest. The threat actor’s operations are supported by other bespoke tools like TunnelSpecter and SweetSpecter to compromise mail servers and steal data based on keyword searches.
• Detour Dog Uses Compromised WordPress Sites to Deliver Strela Stealer — An established, persistent group of cybercriminals has been silently infecting WordPress websites around the world since 2020, using them to redirect unsuspecting site visitors to scam, and, more recently, to malware such as Strela Stealer. The threat actor is tracked as Detour Dog. The attack involves using DNS TXT records to send secret commands to the infected sites to either redirect visitors to scams or fetch and run malicious code. In about 90% of the cases, the website performs as intended, triggering its malicious behavior only in select conditions. Because normal visitors only rarely encounter the malicious payloads, infections often go unnoticed for extended periods of time. Infoblox said Detour Dog likely operates as a distribution-as-a-service (DaaS), using its infrastructure to deliver other malware.
• Self-Spreading WhatsApp Malware SORVEPOTEL Targets Brazil — Brazilian users have emerged as the target of a new self-propagating malware that spreads via the popular messaging app WhatsApp. The campaign, codenamed SORVEPOTEL by Trend Micro, weaponizes the trust with the platform to extend its reach across Windows systems, adding that the attack is “engineered for speed and propagation” rather than data theft or ransomware. The starting point of the attack is a phishing message sent from an already compromised contact on WhatsApp to lend it a veneer of credibility. The message contains a ZIP attachment that masquerades as a seemingly harmless receipt or health app-related file. Once the attachment is opened, the malware automatically propagates via the desktop web version of WhatsApp, ultimately causing the infected accounts to be banned for engaging in excessive spam. There are no indications that the threat actors have leveraged the access to exfiltrate data or encrypt files.
• ProSpy and ToSpy Spyware Campaigns Target U.A.E. Android Users — Two Android spyware campaigns dubbed ProSpy and ToSpy have impersonated apps like Signal and ToTok to target users in the United Arab Emirates (U.A.E.). The malicious apps are distributed via fake websites and social engineering to trick unsuspecting users into downloading them. Once installed, both the spyware malware strains establish persistent access to compromised Android devices and exfiltrate data. Neither app containing the spyware was available in official app stores.
• Researchers Demonstrate Battering RAM and WireTap — A new attack called Battering RAM can use a $50 interposer to bypass the confidential computing defenses of both Intel and AMD processors used in hardware powering cloud environments, thus allowing attackers to break encryption designed to protect sensitive data. Similarly, WireTap undermines the guarantees offered by Intel’s Software Guard eXtensions (SGX) on DDR4 systems to passively decrypt sensitive data. For the attack to be successful, however, it requires that someone have one-time physical access to the hardware system. Both Intel and AMD have marked the physical attack as “out of scope” of their threat models. The findings coincide with VMScape, another attack that breaks existing virtualization isolation to leak arbitrary memory and expose cryptographic keys. VMScape has been described as “the first Spectre-based end-to-end exploit in which a malicious guest user can leak arbitrary, sensitive information from the hypervisor in the host domain, without requiring any code modifications and in default configuration.”

‎️‍🔥 Trending CVEs

Hackers move fast. They often exploit new vulnerabilities within hours, turning a single missed patch into a major breach. One unpatched CVE can be all it takes for a full compromise. Below are this week’s most critical vulnerabilities gaining attention across the industry. Review them, prioritize your fixes, and close the gap before attackers take advantage.

This week’s list includes — CVE-2025-27915 (Zimbra Collaboration), CVE-2025-61882 (Oracle E-Business Suite), CVE-2025-4008 (Smartbedded Meteobridge), CVE-2025-10725 (Red Hat OpenShift AI), CVE-2025-59934 (Formbricks), CVE-2024-58260 (SUSE Rancher), CVE-2025-43400 (iOS 26.0.1, iPadOS 26.0.1, iOS 18.7.1, iPadOS 18.7.1, macOS Tahoe 26.0.1, macOS Sequoia 15.7.1, macOS Sonoma 14.8.1, and visionOS 26.0.1), CVE-2025-30247 (Western Digital MyCloud), CVE-2025-41250, CVE-2025-41251, CVE-2025-41252 (Broadcom VMware), CVE-2025-9230, CVE-2025-9231, CVE-2025-9232 (OpenSSL), CVE-2025-52906 (TOTOLINK), CVE-2025-59951 (Termix Docker), CVE-2025-10547 (DrayTek), CVE-2025-49844 (Redis), CVE-2025-57714 (QNAP NetBak Replicator), and vulnerabilities in a Russian guest management system called PassOffice.

📰 Around the Cyber World

• New iOS Video Injection Tool Can Conduct Deepfake Attacks — Cybersecurity researchers have uncovered a highly specialized tool designed to perform advanced video injection attacks, marking a significant escalation in digital identity fraud. “The tool is deployed via jailbroken iOS 15 or later devices and is engineered to bypass weak biometric verification systems—and crucially, to exploit identity verification processes that lack biometric safeguards altogether,” iProov said. “This development signals a shift toward more programmatic and scalable attack methods.” To perform the attack, the threat actor uses a Remote Presentation Transfer Mechanism (RPTM) server to connect their computer to the compromised iOS device and then inject sophisticated synthetic media.
• Qilin Ransomware Claims 104 Attacks in August — The Qilin ransomware operation claimed 104 attacks in August 2025, making it the most active group, followed by Akira (56), Sinobi (36), DragonForce (30), and SafePay (29). “The U.S. remains overwhelmingly the biggest target for ransomware groups, while Europe and Canada continue to draw significant interest from attackers, with Germany and the UK moving past Canada into second and third place, respectively,” Cyble said. According to data compiled by Halcyon, Manufacturing, Retail, and Hospitals and Physicians Clinics were the sectors most targeted industry verticals in August 2025.
• New Impact Solutions Toolkit Emerges — A new phishing toolkit named Impact Solutions has surfaced on cybercrime networks, further democratizing access to advanced phishing attacks for threat actors with minimal technical skills. The kit includes modules to build Windows shortcut (LNK) attachments, HTML files for HTML smuggling attacks, HTML templates mimicking login pages and secure invoice viewers, SVG files embedded with scripts, and payloads that leverage the Windows Run dialog for ClickFix attacks. “Promoted as a comprehensive payload delivery framework, Impact Solutions provides attackers with a user-friendly, point-and-click interface to create malicious email attachments that appear completely legitimate,” Abnormal AI said. “The toolkit specializes in creating persuasive social engineering lures designed to bypass both user awareness and security filters. These include weaponized Windows shortcut files (.LNK), covert HTML pages, and cleverly disguised SVG images—all built to exploit human trust rather than technical vulnerabilities.”
• Microsoft Plans to Retire SVG Support in Outlook — Microsoft said it’s retiring support for inline Scalable Vector Graphics (SVG) images in Outlook for Web and the new Outlook for Windows starting early September 2025. “Outlook for Web and new Outlook for Windows will stop displaying inline SVG images, showing blank spaces instead,” the company said in a Microsoft 365 Message Center update. “This affects under 0.1% of images, improves security, and requires no user action. SVG attachments remain supported. Organizations should update documentation and inform users.” The development comes as threat actors are increasingly using SVG files as a way to distribute malware in phishing campaigns. Previously, Microsoft said the Outlook app for Windows will start blocking .library-ms and .search-ms file types.
• Profile of Keymous+ — A profile of Keymous+ has described it as a threat actor that uses publicly available DDoS booter services to launch DDoS attacks. According to NETSCOUT, the group has been attributed to confirmed 249 DDoS attacks targeting organizations across 15 countries and 21 industry sectors. Government agencies, hospitality and tourism, transportation and logistics, financial services, and telecommunications are some of the most targeted sectors. Morocco, Saudi Arabia, Sudan, India, and France have experienced the most frequent attacks. “Although the group’s individual attacks peaked at 11.8Gbps, collaborative efforts with partners reached 44Gbps, demonstrating significantly enhanced disruptive capability,” the company said.
• Lunar Spider Uses Fake CAPTCHA for Malware Delivery — The Russian-speaking cybercriminal group known as Lunar Spider (aka Gold Swathmore), which is assessed to be behind IcedID and Latrodectus, has been observed using ClickFix tactics to distribute Latrodectus. “The fake CAPTCHA framework includes a command to run PowerShell that downloads an MSI file and also features victim click monitoring, which reports back to a Telegram channel,” NVISO Labs said. “During the execution chain, the MSI file contains an Intel EXE file registered in a Run key that subsequently sideloads a malicious DLL, identified as Latrodectus V2.” In a separate report published by The DFIR Report, the threat actor has been attributed to a nearly two-month-long intrusion in May 2024 that began with a JavaScript file disguised as a tax form to execute the Brute Ratel framework via an MSI installer, along with Latrodectus, Cobalt Strike, and a custom .NET backdoor. “Threat actor activity persisted for nearly two months with intermittent command and control (C2) connections, discovery, lateral movement, and data exfiltration,” it said. “Twenty days into the intrusion, data was exfiltrated using Rclone and FTP.” Details of the activity were previously shared by EclecticIQ.

• Red Hat Confirms Security Incident — Red Hat disclosed that unauthorized threat actors broke into its GitLab instance used for internal Red Hat Consulting collaboration in select engagements and copied some data from it. “The compromised GitLab instance housed consulting engagement data, which may include, for example, Red Hat’s project specifications, example code snippets, and internal communications about consulting services,” the company said. “This GitLab instance typically does not house sensitive personal data.” It also said it’s reaching out to impacted customers directly. The acknowledgement came after an extortion group calling itself the Crimson Collective said it stole nearly 570GB of compressed data across 28,000 internal development repositories.
• Google Upgrades CSE in Gmail — Google announced that Gmail client-side encryption (CSE) users can send end-to-end encrypted (E2EE) emails to anyone, even if the recipient uses a different email provider. “Recipients will receive a notification and can easily access the encrypted message via a guest account, ensuring secure communication without the hassle of exchanging keys or using custom software,” Google said. The company first announced CSE in Gmail way back in December 2022 and made it generally available in March 2023.
• FunkSec Returns with FunkLocker — The FunkSec ransomware group has resurfaced with a new ransomware strain called FunkLocker that exhibits signs of being developed by artificial intelligence. “Some versions are barely functional, while others integrate advanced features such as anti-VM checks,” ANY.RUN said. “FunkLocker forcefully terminates processes and services using predefined lists, often causing unnecessary errors but still leading to full system disruption.”
• Ransomware Threat Actor Connected to Play, RansomHub and DragonForce — A September 2024 intrusion that commenced with the download of a malicious file mimicking the EarthTime application by DeskSoft, led to the deployment of SectopRAT, which then dropped SystemBC and other tools to conduct reconnaissance. Also discovered in the compromised environment were Grixba, a reconnaissance utility linked to Play ransomware; Betruger, a backdoor associated with RansomHub; and the presence of a previous NetScan output containing data from a company reportedly compromised by DragonForce ransomware, indicating that the threat actor was likely an affiliate for multiple ransomware groups, the DFIR Report said. While no file-encrypting malware was executed, the actor managed to laterally move across the network through RDP connections and exfiltrate data over WinSCP to an FTP server in the form of WinRAR archives.
• LinkedIn Sues ProAPIs for Unauthorized Scraping — LinkedIn filed a lawsuit against a company called ProAPIs for allegedly operating a network of millions of fake accounts used to scrape data from LinkedIn members before selling the information to third-parties without permission. The Microsoft-owned company said ProAPIs charges customers up to $15,000 per month for scraped user data taken from the social media platform. “Defendants’ industrial-scale fake account mill scrapes member information that real people have posted on LinkedIn, including data that is only available behind LinkedIn’s password wall and that Defendants’ customers may not otherwise be allowed to access, and certainly are not allowed to copy and keep in perpetuity,” according to the lawsuit.
• BBC Journalist Offered Money to Hack into Company’s Network — A BBC journalist was offered a significant amount of money by cybercriminals who sought to hack into the BBC’s network in hopes of stealing valuable data and leveraging it for a ransom. “If you are interested, we can offer you 15% of any ransom payment if you give us access to your PC,” the message received by the journalist on the Signal messaging app in July 2025. The individual who reached out claimed to be part of the Medusa ransomware group. Eventually, out of precaution, their account was disconnected from BBC entirely. When the journalist stopped responding, the threat actor ended up deleting their Signal account. The findings show that threat actors are increasingly looking for underpaid or disgruntled employees at prospective targets to sell their access in order to breach networks.
• Spike in Exploitation Efforts Targeting Grafana Flaw — GreyNoise warned of a sharp one-day surge of exploitation attempts targeting CVE-2021-43798 – a Grafana path traversal vulnerability that enables arbitrary file reads – on September 28, 2025. Over the course of the day, 110 unique malicious IP addresses attempted exploitation, with China-, Germany-, and Bangladesh-based IPs targeting the U.S., Slovakia, and Taiwan. “The uniform targeting pattern across source countries and tooling indicates common tasking or shared exploit use,” it said. “The convergence suggests either one operator leveraging diverse infrastructure or multiple operators reusing the same exploit kit and target set.”
• New Data Leak Site Launched by LAPSUS$, Scattered Spider, and ShinyHunters — The loose-knit group comprising LAPSUS$, Scattered Spider, and ShinyHunters has published a dedicated data leak site on the dark web, called Scattered LAPSUS$ Hunters, threatening to release nearly a billion records stolen from companies that store their customers’ data in cloud databases hosted by Salesforce. “We are aware of recent extortion attempts by threat actors, which we have investigated in partnership with external experts and authorities,” Salesforce said in response. “Our findings indicate these attempts relate to past or unsubstantiated incidents, and we remain engaged with affected customers to provide support. At this time, there is no indication that the Salesforce platform has been compromised, nor is this activity related to any known vulnerability in our technology.” In its Telegram channel named “SLSH 6.0 Part 3,” Scattered Lapsus$ Hunters said it plans to launch a second data leak site after the October 10 deadline that will be devoted to “our (UNC6395) Salesloft Drift App campaign.” The development came after the cyber extortion group announced its farewell last month.
• Signal Announces Sparse Post Quantum Ratchet — Signal has introduced the Sparse Post Quantum Ratchet (SPQR), a new upgrade to its encryption protocol that mixes quantum-safe cryptography into its existing Double Ratchet. The result, which Signal calls the Triple Ratchet, makes it much more challenging for future quantum computers to break private chats. The new component guarantees forward secrecy and post-compromise security, ensuring that even in the case of key compromise or theft, future messages exchanged between parties will be safe. Signal said the rollout of SPQR on the messaging platform will be gradual, and users don’t need to take any action for the upgrade to apply apart from keeping their clients updated to the latest version. In September 2023, the messaging app first added support for quantum resistance by upgrading the Extended Triple Diffie-Hellman (X3DH) specification to Post-Quantum Extended Diffie-Hellman (PQXDH).
• Large-Scale Phishing Operations Go Undetected for Years — A “multi-year, industrial-scale phishing and brand impersonation scheme” operated undetected for more than three years on Google Cloud and Cloudflare platforms. The activity relates to a large-scale phishing-as-a-service (PhaaS) operation that included 48,000 hosts and more than 80 clusters abusing “high-trust” expired domains. The campaign subsequently used these domains to impersonate trusted brands to distribute fake login pages, malware, and gambling content. “Many of the cloned sites still load resources from the original brand’s cloud infrastructure – meaning the original brand may actively be serving content to a malicious impersonator,” Deep Specter said.
• HeartCrypt Evolves into a Loader for Stealer and RATs — The packer-as-a-service (PaaS) malware called HeartCrypt has been distributed via phishing emails to ultimately deploy off-the-shelf stealers and remote access trojans (RATs), as well as a lesser-prevalent antivirus termination program known as AVKiller. The activity used copyright infringement notices to target victims in Italy using LNK files that contained a URL to fetch an intermediate PowerShell payload that displays a decoy document while also simultaneously downloading HeartCrypt from Dropbox. “The HeartCrypt packer takes legitimate executables and modifies them by injecting malicious code in the .text section. It also inserts a few additional Portable Executable (PE) resources,” Sophos said. These resources are disguised as bitmap files and start with a BMP header, but afterwards the malicious content follows.”
• Software Supply Chain Attack Exploiting Packaging Order — Researchers from the KTH Royal Institute of Technology and Universtité de Montréal have detailed a novel attack called Maven-Hijack that exploits the order in which Maven packages dependencies and the way the Java Virtual Machine (JVM) resolves classes at runtime. “By injecting a malicious class with the same fully qualified name as a legitimate one into a dependency that is packaged earlier, an attacker can silently override core application behavior without modifying the main codebase or library names,” the researchers said.
• LNK Files Lead to RAT — In a new attack chain detailed by K7 Security Labs, it has been found that threat actors are leveraging LNK files distributed via Discord to launch a decoy PDF and run PowerShell responsible for dropping a ZIP archive that, in turn, executes a malicious DLL using the Windows command-line tool odbcconf.exe. The DLL is a multi-functional RAT designed to execute commands from a C2 server and collect system information from the infected host. “It employs several techniques, including collecting antivirus product information, bypassing Anti-Malware Scan Interface (AMSI), and patching EtwEventWrite to disable Windows Event Tracing (ETW), making it harder for security solutions to detect its malicious activities,” the company said.
• Unpatched Flaws in Cognex InSight IS2000M-120 Smart Camera — As many as nine security vulnerabilities have been disclosed in Cognex IS2000M-120, an industrial smart camera used for machine vision applications, that allow an attacker to fully compromise the devices, undermining their operational integrity and safety. No patches are being planned for the model, given that the company is considering an end-of-life status. “First, an unauthenticated attacker on the same network segment as the device – who is capable of intercepting traffic, for example via a Man-in-the-Middle (MitM) attack – can fully compromise the device through multiple attack vectors,” Nozomi Networks said. “This scenario presents a critical risk in environments where network segmentation or encryption is not enforced.” Furthermore, a low-privileged user with limited access to the camera can escalate their privileges by creating a new administrative account and gaining full control of the device. Lastly, an attacker with limited access to the Windows workstation where the Cognex In-Sight Explorer software is installed can manipulate backup data intended for the camera and carry out malicious actions.
• Hacktivist Group zerodayx1 Launches Ransomware — A pro-Palestinian hacktivist group known as zerodayx1 launched its own Ransomware-as-a-Service (RaaS) operation called BQTLock, making it the latest group to make such as pivot. Zerodayx1 is believed to be a Lebanese hacktivist active since at least 2023, positioning themselves as a Muslim and pro-Palestinian threat actor. “Hacktivism is no longer confined to ideological messaging,” Outpost24 said. “Increasingly, groups are integrating financially motivated operations, signaling a shift toward hybrid models that combine activism with profit-seeking agendas.”
• Mobile Apps Leak Data — New findings from Zimperium have revealed that one in three Android apps and more than half of iOS apps leak sensitive data. Nearly half of mobile apps contain hard-coded secrets such as API keys. On top of that, an analysis of 800 free VPN apps for both Android and iOS uncovered that many apps provide no real privacy at all, some request excessive permissions far beyond their purpose, others leak personal data, and some rely on outdated, vulnerable code. Other risky behaviors included missing privacy nutrition labels for apps and susceptibility to Man-in-the-Middle (MitM) attack. “Not all VPN apps can be trusted,’ the company said. “Many suffer from weak encryption, data leakage, or dangerous permission requests—problems that are invisible to most end users.” In another research published last month, Mike Oude Reimer found that misconfigured mobile apps could be exploited to achieve access to more than 150 different Firebase services. This consisted of access to real-time databases, storage buckets, and secrets.
• Microsoft Shares Insights on XSS Flaws — According to Microsoft, 15% of all important or critical MSRC cases between July 2024 – July 2025 were cross-site scripting (XSS) flaws. Out of 265 XSS cases, 263 were rated Important severity and 2 were rated Critical severity. In all, the company has mitigated over 970 XSS cases since January 2024 alone as of mid-2025.
• Threat Actor Exposes Themselves After Installing Security Software — A threat actor has inadvertently revealed their methods and day-to-day activities after installing a trial version of Huntress security software on their own operating machine and a premium Malwarebytes browser extension. The actor is said to have discovered Huntress through a Google advertisement while searching for security solutions like Bitdefender. Further analysis revealed their attempts to use make.com to automate certain workflows, find running instances of Evilginx, and their interest in residential proxy services like LunaProxy and Nstbrowser. “This incident gave us in-depth information about the day-to-day activities of a threat actor, from the tools they were interested in to the ways they conducted research and approached different aspects of attacks,” Huntress said.
• Using bitpixie to Bypass BitLocker — Cybersecurity researchers have found that attackers can circumvent BitLocker drive encryption using a Windows local privilege escalation flaw. “The bitpixie vulnerability in Windows Boot Manager is caused by a flaw in the PXE soft reboot feature, whereby the BitLocker key is not erased from memory,” SySS said. “To exploit this vulnerability on up-to-date systems, a downgrade attack can be performed by loading an older, unpatched boot manager. This enables attackers to extract the Volume Master Key (VMK) from main memory and bypass BitLocker encryption, which could grant them administrative access.” To counter the threat, it’s advised to use a pre-boot PIN or apply a patch that Microsoft released in 2023 (CVE-2023-21563), which prevents downgrade attacks on the vulnerable boot manager by replacing the old Microsoft certificate from 2011 with the new Windows UEFI CA 2023 certificate.
• How Threat Actors Can Abuse Domain Fronting — In domain fronting, an attacker could connect to a domain that looks outwardly legitimate by connecting to a domain as google.com or meet.google.com, while the backend routes quietly diverts the connection to attacker-controlled infrastructure hosted inside the Google Cloud Platform. By routing C2 traffic through core internet infrastructure and domains, it allows malicious traffic to blend in and fly under the radar. “You make the SNI [Server Name Indication] look like a trusted, high-reputation service (google.com), but the Host header quietly points traffic to attacker-controlled infrastructure,” Praetorian said. “From the outside, the traffic looks like normal usage of a major service. But on the backend, it’s routed somewhere entirely different.”
• Mis-issued certificates for Cloudflare’s 1.1.1.1 DNS service — Cloudflare revealed that unauthorized certificates were issued by Fina CA for 1.1.1.1, one of the IP addresses used by its public DNS resolver service. “From February 2024 to August 2025, Fina CA issued 12 certificates for 1.1.1.1 without our permission,” the web infrastructure company said. “We have no evidence that bad actors took advantage of this error. To impersonate Cloudflare’s public DNS resolver 1.1.1.1, an attacker would not only require an unauthorized certificate and its corresponding private key, but attacked users would also need to trust the Fina CA.”
• New Attack to Compromise Web Browsing AI Agents — A novel attack demonstrated by JFrog shows that website cloaking techniques can be weaponized to poison autonomous web-browsing agents powered by Large Language Models (LLMs). “As these agents become more prevalent, their unique and often homogenous digital fingerprints – comprising browser attributes, automation framework signatures, and network characteristics – create a new, distinguishable class of web traffic. The attack exploits this fingerprintability,” security researcher Shaked Zychlinski said. “A malicious website can identify an incoming request as originating from an AI agent and dynamically serve a different, “cloaked” version of its content. While human users see a benign webpage, the agent is presented with a visually identical page embedded with hidden, malicious instructions, such as indirect prompt injections. This mechanism allows adversaries to hijack agent behavior, leading to data exfiltration, malware execution, or misinformation propagation, all while remaining completely invisible to human users and conventional security crawlers.”
• Exploit Tool Invocation Prompt to Hijack LLM-Based Agentic Systems — Tool Invocation Prompt (TIP) serves as a critical component in LLM systems, determining how LLM-based agentic systems invoke various external tools and interpret feedback from the execution of these tools. However, new research has disclosed that tools like Cursor and Claude Code are susceptible to remote code execution or denial-of-service (DoS) by injecting malicious prompts or code into tool descriptions. The finding comes as Forescout noted that LLMs are falling short in performing vulnerability discovery and exploitation development tasks.

🎥 Cybersecurity Webinars

• Beyond the Hype: Practical AI Workflows for Cybersecurity Teams — AI is transforming cybersecurity workflows, but the best results come from blending human oversight with automation. In this webinar, Thomas Kinsella of Tines shows how to pinpoint where AI truly adds value, avoid over-engineering, and build secure, auditable processes that scale.

• Halloween Special: Real Breach Stories and the Fix to End Password Horrors — Passwords are still a prime target for attackers—and a constant pain for IT teams. Weak or reused credentials, frequent helpdesk resets, and outdated policies expose organizations to costly breaches and reputational damage. In this Halloween-themed webinar from The Hacker News and Specops Software, you’ll see real breach stories, discover why traditional password policies fail, and watch a live demo on blocking compromised credentials in real time—so you can end password nightmares without adding user friction.

🔧 Cybersecurity Tools

• Malifiscan – Modern software supply chains rely on public and internal package repositories, but malicious uploads increasingly slip through trusted channels. Malifiscan helps teams detect and block these threats by cross-referencing external vulnerability feeds like OSV against their own registries and artifact repositories. It integrates with JFrog Artifactory, supports 10+ ecosystems, and automates exclusion pattern creation to prevent compromised dependencies from being downloaded or deployed.
• AuditKit – This new tool helps teams verify cloud compliance across AWS and Azure without manual guesswork. Designed for SOC2, PCI-DSS, and CMMC frameworks, it automates control checks, highlights critical audit gaps, and generates auditor-ready evidence guides. Ideal for security and compliance teams preparing for formal assessments, AuditKit bridges the gap between technical scans and the documentation auditors actually need.

Disclaimer: These tools are for educational and research use only. They haven’t been fully security-tested and could pose risks if used incorrectly. Review the code before trying them, test only in safe environments, and follow all ethical, legal, and organizational rules.

🔒 Tip of the Week

Quick Windows Hardening with Open-Source Tools — Most Windows attacks succeed not because of zero-days, but because of weak defaults — open ports, old protocols, reused admin passwords, or missing patches. Attackers exploit what’s already there. A few small, smart changes can block most threats before they start.

Harden your Windows systems using free, trusted open-source tools that cover audit, configuration, and monitoring. You don’t need enterprise tools to raise your defense baseline — just a few solid steps.

Quick Actions (Under 30 Minutes):

• Run Hardentools — disable unsafe defaults instantly.
• Use CIS-CAT Lite — identify missing patches, open RDP, or weak policies.
• Check Local Admins — remove unused accounts, deploy LAPS for password rotation.
• Turn On Logging — enable PowerShell, Windows Defender, and Audit Policy logs.
• Run WinAudit — export a report and compare it weekly for unauthorized changes.
• Scan with Wazuh or OpenVAS — look for outdated software or exposed services.

Key Risks to Watch:

🔑 Reused or shared admin passwords

🌐 Open RDP/SMB without firewall or NLA

⚙️ Old PowerShell versions without logging

🧩 Users running with local admin rights

🪟 Missing Defender Attack Surface Reduction (ASR) rules

📦 Unpatched or unsigned software from third-party repos

These simple, repeatable checks close 80% of the attack surface exploited in ransomware and credential theft campaigns. They cost nothing, take minutes, and build muscle memory for good cyber hygiene.

Conclusion

Thanks for reading this week’s recap. Keep learning, stay curious, and don’t wait for the next alert to take action. A few smart moves today can save you a lot of cleanup tomorrow.

In the era of rapidly advancing artificial intelligence (AI) and cloud technologies, organizations are increasingly implementing security measures to protect sensitive data and ensure regulatory compliance. Among these measures, AI-SPM (AI Security Posture Management) solutions have gained traction to secure AI pipelines, sensitive data assets, and the overall AI ecosystem. These solutions help organizations identify risks, control security policies, and protect data and algorithms critical to their operations.

However, not all AI-SPM tools are created equal. When evaluating potential solutions, organizations often struggle to pinpoint which questions to ask to make an informed decision. To help you navigate this complex space, here are five critical questions every organization should ask when selecting an AI-SPM solution:

1: Does the solution offer comprehensive visibility and control over AI and associated data risk?

With the proliferation of AI models across enterprises, maintaining visibility and control over AI models, datasets, and infrastructure is essential to mitigate risks related to compliance, unauthorized use, and data exposure. This ensures a clear understanding of what needs to be protected. Any gaps in visibility or control can leave organizations exposed to security breaches or compliance violations.

An AI-SPM solution must be capable of seamless AI model discovery, creating a centralized inventory for complete visibility into deployed models and associated resources. This helps organizations monitor model usage, ensure policy compliance, and proactively address any potential security vulnerabilities. By maintaining a detailed overview of models across environments, businesses can proactively mitigate risks, protect sensitive data, and optimize AI operations.

2: Can the solution identify and remediate AI-specific risks in the context of enterprise data?

The integration of AI into business processes introduces new, unique security challenges beyond traditional IT systems. For example:

• Are your AI models vulnerable to adversarial attacks and exposure?
• Are AI training datasets sufficiently anonymized to prevent leakage of personal or proprietary information?
• Are you monitoring for bias or tampering in predictive models?

An effective AI-SPM solution must tackle risks that are specific to AI systems. For instance, it should protect training data used in machine learning workflows, ensure that datasets remain compliant under privacy regulations, and identify anomalies or malicious activities that might compromise AI model integrity. Make sure to ask whether the solution includes built-in features to secure every stage of your AI lifecycle—from data ingestion to deployment.

3: Does the solution align with regulatory compliance requirements?

Regulatory compliance is a top concern for businesses worldwide, given the growing complexity of data protection laws such as GDPR (General Data Protection Regulation), NIST AI, HIPAA (Health Insurance Portability and Accountability Act), and more. AI systems magnify this challenge by rapidly processing sensitive data in ways that can increase the risk of accidental breaches or non-compliance.

When evaluating an AI-SPM solution, ensure that it automatically maps your data and AI workflows to governance and compliance requirements. It should be capable of detecting non-compliant data and providing robust reporting features to enable audit readiness. Additionally, features like automated policy enforcement and real-time compliance monitoring are critical to keeping up with regulatory changes and preventing hefty fines or reputational damage.

4: How well does the solution scale in dynamic cloud-native and multi-cloud architectures?

Modern cloud-native infrastructures are dynamic, with workloads scaling up or down depending on demand. In multi-cloud environments, this flexibility brings a challenge: maintaining consistent security policies across different providers (e.g., AWS, Azure, Google Cloud) and services. Adding AI and ML tools to the mix introduces even more variability.

An AI-SPM solution needs to be designed for scalability. Ask whether the solution can handle dynamic environments, continuously adapt to changes in your AI pipelines, and manage security in distributed cloud infrastructures. The best tools offer centralized policy management while ensuring that each asset, regardless of its location or state, adheres to your organization’s security requirements.

5: Will the solution integrate with our existing security tools and workflow?

A common mistake organizations make when adopting new technologies is failing to consider how well those technologies will integrate with their existing systems. AI-SPM is no exception. Without seamless integration, organizations may face operational disruptions, data silos, or gaps in their security posture.

Before selecting an AI-SPM solution, verify whether it integrates with your existing data security tools like DSPM or DLP, identity governance platforms, or DevOps toolchains. Equally important is the solution’s ability to integrate with AI/ML platforms like Amazon Bedrock or Azure AI. Strong integration ensures consistency and allows your security, DevOps, and AI teams to collaborate effectively.

Key takeaway: Make AI security proactive, not reactive

Remember, AI-SPM is not just about protecting data—it’s about safeguarding the future of your business. As AI continues to reshape industries, having the proper tools and technologies in place will empower organizations to innovate confidently while staying ahead of emerging threats.

Learn more at zscaler.com/security

About the Company

Zscaler (NASDAQ: ZS) accelerates digital transformation so customers can be more agile, efficient, resilient, and secure. The Zscaler Zero Trust Exchange™ platform protects thousands of customers from cyberattacks and data loss by securely connecting users, devices, and applications in any location. Distributed across more than 150 data centers globally, the SSE-based Zero Trust Exchange™ is the world’s largest in-line cloud security platform. Learn more at zscaler.com.

Oct 06, 2025Ravie LakshmananEmail Security / Zero-Day

A now patched security vulnerability in Zimbra Collaboration was exploited as a zero-day earlier this year in cyber attacks targeting the Brazilian military.

Tracked as CVE-2025-27915 (CVSS score: 5.4), the vulnerability is a stored cross-site scripting (XSS) vulnerability in the Classic Web Client that arises as a result of insufficient sanitization of HTML content in ICS calendar files, resulting in arbitrary code execution.

“When a user views an e-mail message containing a malicious ICS entry, its embedded JavaScript executes via an ontoggle event inside a <details> tag,” according to a description of the flaw in the NIST National Vulnerability Database (NVD).

“This allows an attacker to run arbitrary JavaScript within the victim’s session, potentially leading to unauthorized actions such as setting e-mail filters to redirect messages to an attacker-controlled address. As a result, an attacker can perform unauthorized actions on the victim’s account, including e-mail redirection and data exfiltration.”

The vulnerability was addressed by Zimbra as part of versions 9.0.0 Patch 44, 10.0.13, and 10.1.5 released on January 27, 2025. The advisory, however, makes no mention of it having been exploited in real-world attacks.

However, according to a report published by StrikeReady Labs on September 30, 2025, the observed in-the-wild activity involved unknown threat actors spoofing the Libyan Navy’s Office of Protocol to target the Brazilian military using malicious ICS files that exploited the flaw.

The ICS file contained a JavaScript code that’s designed to act as a comprehensive data stealer to siphon credentials, emails, contacts, and shared folders to an external server (“ffrk[.]net”). It also searches for emails in a specific folder, and adds malicious Zimbra email filter rules with the name “Correo” to forward the messages to spam_to_junk@proton.me.

As a way to avoid detection, the script is fashioned such that it hides certain user interface elements and detonates only if more than three days have passed since the last time it was executed.

It’s currently not clear who is behind the attack, but earlier this year, ESET revealed that the Russian threat actor known as APT28 had exploited XSS vulnerabilities in various webmail solutions from Roundcube, Horde, MDaemon, and Zimbra to obtain unauthorized access.

A similar modus operandi has also been adopted by other hacking groups like Winter Vivern and UNC1151 (aka Ghostwriter) to facilitate credential theft.

Oct 06, 2025Ravie LakshmananVulnerability / Threat Intelligence

Oracle has released an emergency update to address a critical security flaw in its E-Business Suite that it said has been exploited in the recent wave of Cl0p data theft attacks.

The vulnerability, tracked as CVE-2025-61882 (CVSS score: 9.8), concerns an unspecified bug that could allow an unauthenticated attacker with network access via HTTP to compromise and take control of the Oracle Concurrent Processing component.

“This vulnerability is remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password,” Oracle said in an advisory. “If successfully exploited, this vulnerability may result in remote code execution.”

In a separate alert, Oracle’s Chief Security Officer Rob Duhart said the company has released fixes for CVE-2025-61882 to “provide updates against additional potential exploitation that were discovered during our investigation.”

As indicators of compromise (IoCs), the technology shared the following IP addresses and artifacts, indicating the likely involvement of the Scattered LAPSUS$ Hunters group as well in the exploit –

News of the Oracle zero-day comes days after reports emerged of a new campaign likely undertaken by the Cl0p ransomware group targeting Oracle E-Business Suite. Google-owned Mandiant described the ongoing activity as a “high-volume email campaign” launched from hundreds of compromised accounts.

In a post shared on LinkedIn, Charles Carmakal, CTO of Mandiant at Google Cloud, said “Cl0p exploited multiple vulnerabilities in Oracle EBS which enabled them to steal large amounts of data from several victims in August 2025,” adding “multiple vulnerabilities were exploited including vulnerabilities that were patched in Oracle’s July 2025 update as well as one that was patched this weekend (CVE-2025-61882).”

“Given the broad mass zero-day exploitation that has already occurred (and the n-day exploitation that will likely continue by other actors), irrespective of when the patch is applied, organizations should examine whether they were already compromised,” Carmakal noted.

(This is a developing story. Please check back for more details.)

Oct 04, 2025Ravie LakshmananAgentic AI / Enterprise Security

Cybersecurity researchers have disclosed details of a new attack called CometJacking targeting Perplexity’s agentic AI browser Comet by embedding malicious prompts within a seemingly innocuous link to siphon sensitive data, including from connected services, like email and calendar.

The sneaky prompt injection attack plays out in the form of a malicious link that, when clicked, triggers the unexpected behavior unbeknownst to the victims.

“CometJacking shows how a single, weaponized URL can quietly flip an AI browser from a trusted co-pilot to an insider threat,” Michelle Levy, Head of Security Research at LayerX, said in a statement shared with The Hacker News.

“This isn’t just about stealing data; it’s about hijacking the agent that already has the keys. Our research proves that trivial obfuscation can bypass data exfiltration checks and pull email, calendar, and connector data off-box in one click. AI-native browsers need security-by-design for agent prompts and memory access, not just page content.”

The attack, in a nutshell, hijacks the AI assistant embedded in the browser to steal data, all while bypassing Perplexity’s data protections using trivial Base64-encoding tricks. The attack does not include any credential theft component because the browser already has authorized access to Gmail, Calendar, and other connected services.

It takes place over five steps, activating when a victim clicks on a specially crafted URL, either sent in a phishing email or present in a web page. Instead of taking the user to the “intended” destination, the URL instructs the Comet browser’s AI to execute a hidden prompt that captures the user’s data from, say, Gmail, obfuscates it using Base64-encoding, and transmits the information to an endpoint under the attacker’s control.

The crafted URL is a query string directed at the Comet AI browser, with the malicious instruction added using the “collection” parameter of the URL, causing the agent to consult its memory rather than perform a live web search.

While Perplexity has classified the findings as having “no security impact,” they once again highlight how AI-native tools introduce new security risks that can get around traditional defenses, allow bad actors to commandeer them to do their bidding, and expose users and organizations to potential data theft in the process.

In August 2020, Guardio Labs disclosed an attack technique dubbed Scamlexity wherein browsers like Comet could be tricked by threat actors into interacting with phishing landing pages or counterfeit e-commerce storefronts without the human user’s knowledge or intervention.

“AI browsers are the next enterprise battleground,” Or Eshed, CEO of LayerX, said. “When an attacker can direct your assistant with a link, the browser becomes a command-and-control point inside the company perimeter. Organizations must urgently evaluate controls that detect and neutralize malicious agent prompts before these PoCs become widespread campaigns.”

Oct 04, 2025Ravie LakshmananVulnerability / Network Security

Threat intelligence firm GreyNoise disclosed on Friday that it has observed a spike in scanning activity targeting Palo Alto Networks login portals.

The company said it observed a nearly 500% increase in IP addresses scanning Palo Alto Networks login portals on October 3, 2025, the highest level recorded in the last three months. It described the traffic as targeted and structured, and aimed primarily at Palo Alto login portals.

As many as 1,300 unique IP addresses have participated in the effort, a significant jump from around 200 unique IP addresses observed before. Of these IP addresses, 93% are classified as suspicious and 7% as malicious.

The vast majority of the IP addresses are geolocated to the U.S., with smaller clusters detected in the U.K., the Netherlands, Canada, and Russia.

“This Palo Alto surge shares characteristics with Cisco ASA scanning occurring in the past 48 hours,” GreyNoise noted. “In both cases, the scanners exhibited regional clustering and fingerprinting overlap in the tooling used.”

“Both Cisco ASA and Palo Alto login scanning traffic in the past 48 hours share a dominant TLS fingerprint tied to infrastructure in the Netherlands.”

In April 2025, GreyNoise reported a similar suspicious login scanning activity targeting Palo Alto Networks PAN-OS GlobalProtect gateways, prompting the network security company to urge customers to ensure that they are running the latest versions of the software.

The development comes as GreyNoise noted in its Early Warning Signals report back in July 2025 that surges in malicious scanning, brute-forcing, or exploit attempts are often followed by the disclosure of a new CVE affecting the same technology within six weeks.

In early September, Greynoise warned about suspicious scans that occurred as early as late August, targeting Cisco Adaptive Security Appliance (ASA) devices. The first wave originated from over 25,100 IP addresses, mainly located in Brazil, Argentina, and the U.S.

Weeks later, Cisco disclosed two new zero-days in Cisco ASA (CVE-2025-20333 and CVE-2025-20362) that had been exploited in real-world attacks to deploy malware families like RayInitiator and LINE VIPER.

Data from the Shadowserver Foundation shows that over 45,000 Cisco ASA/FTD instances, out of which more than 20,000 are located in the U.S. and about 14,000 are located in Europe, are still susceptible to the two vulnerabilities.

A threat actor named Detour Dog has been outed as powering campaigns distributing an information stealer known as Strela Stealer.

That’s according to findings from Infoblox, which found the threat actor to maintain control of domains hosting the first stage of the stealer, a backdoor called StarFish.

The DNS threat intelligence firm said it has been tracking Detour Dog since August 2023, when GoDaddy-owned Sucuri disclosed details of attacks targeting WordPress sites to embed malicious JavaScript that used DNS TXT records as a communication channel for a traffic distribution system (TDS), redirecting site visitors to sketchy sites and malware. Traces of the threat actor date back to February 2020.

“While traditionally these redirects led to scams, the malware has evolved recently to execute remote content through the DNS-based command-and-control (C2) system,” Infoblox said. “We are tracking the threat actor who controls this malware as Detour Dog.”

Detour Dog-owned infrastructure, per the company, has been used to host StarFish, a simple reverse shell that serves as a conduit for Strela Stealer. In a report published in July 2025, IBM X-Force said the backdoor is delivered by means of malicious SVG files with the goal of enabling persistent access to infected machines.

Hive0145, the threat actor exclusively behind Strela Stealer campaigns since at least 2022, is assessed to be financially motivated and is likely operating as an initial access broker (IAB), acquiring and selling access to compromised systems for profit.

Infoblox’s analysis has revealed that at least 69% of the confirmed StarFish staging hosts were under the control of Detour Dog, and that a MikroTik botnet advertised as REM Proxy – which, in turn, is powered by SystemBC, as uncovered by Lumen’s Black Lotus Labs last month — was also part of the attack chain.

Specifically, it has come to light that the spam email messages that distributed Strela Stealer originated from REM Proxy and another botnet dubbed Tofsee, the latter of which has been propagated via a C++-based loader called PrivateLoader in the past. In both cases, Detour Dog infrastructure hosted the first stage of the attack.

“The botnets were contracted to deliver the spam messages, and Detour Dog was contracted to deliver the malware,” Dr. Renée Burton, vice president of threat intelligence at Infoblox, told The Hacker News.

What’s more, Detour Dog has been found to facilitate the distribution of the stealer via DNS TXT records, with the threat actor-controlled DNS name servers modified to parse specially formatted DNS queries from the compromised sites and to respond to them with remote code execution commands.

Detour Dog’s modus operandi when it comes to acquiring new infrastructure is by exploiting vulnerable WordPress sites to perform malicious code injections, although the company said the methods have since continued to evolve.

A notable aspect of the attack is that the compromised website functions normally 90% of the time, thereby raising no red flags and allowing the malware to persist for extended periods of time. In select instances (about 9%), however, a site visitor is redirected to a scam via Help TDS or Monetizer TDS; in a much rarer scenario (1%), the site receives a remote file execution command. It’s believed that the redirections are limited in a bid to avoid detection.

The development marks the first time Detour Dog has been spotted distributing malware, a shift from acting as an entity responsible for exclusively forwarding traffic to Los Pollos, a malicious advertising technology company operating under the VexTrio Viper umbrella.

“We suspect that they evolved from scams to include malware distribution for financial reasons,” Burton said. “There has been a great deal of focus in the security industry over the last 12-18 months to stop the type of scams Detour Dog has supported in the past. We believe they were making less money, though we can’t verify that.”

Complementing these changes is the fact that the website malware used by Detour Dog has witnessed an evolution of its own, gaining the ability to command infected websites to execute code from remote servers.

As of June 2025, the responses have directed the infected site to retrieve the output of PHP scripts from verified Strela Stealer C2 servers to likely distribute the malware — suggesting the dual use of DNS as both a communication channel and a delivery mechanism.

“Responses to TXT record queries are Base64-encoded and explicitly include the word ‘down’ to trigger this new action,” the company noted. “We believe this has created a novel networked malware distribution model using DNS in which the different stages are fetched from different hosts under the threat actor’s control and are relayed back when the user interacts with the campaign lure, for example, the email attachment.

“A novel setup like this would allow an attacker to hide their identity behind compromised websites, making their operations more resilient, meanwhile serving to mislead threat hunters because the malware isn’t really where the analyzed attachments indicate the stage is hosted.”

The entire sequence of actions unfolds as follows –

• Victim opens a malicious document, launching an SVG file that reaches out to an infected domain
• The compromised site sends a TXT record request to the Detour Dog C2 server via DNS
• The name server responds with a TXT record containing a Strela C2 URL, prefixed with “down”
• The compromised site removes the down prefix and uses curl to possibly fetch the StarFish downloader from the URL
• The compromised site acts as a relay to send the downloader to the client (i.e., the victim)
• The downloader initiates a call to another compromised domain
• The second compromised domain sends a similar DNS TXT query to the Detour Dog C2 server
• The Detour Dog name server responds with a new Strela C2 URL, again prefixed with “down”
• The second compromised domain strips the prefix and sends a curl request to the Strela C2 server to fetch StarFish
• The second compromised domain acts as a relay to send the malware to the client (i.e., the victim)

Infoblox said it worked with the Shadowserver Foundation to sinkhole two of Detour Dog’s C2 domains (webdmonitor[.]io and aeroarrows[.]io) on July 30 and August 6, 2025.

The company also pointed out that the threat actor likely functions as a distribution-as-a-service (DaaS) provider, adding it found evidence of an “apparently unrelated file” propagated through its infrastructure. However, it noted it “couldn’t validate what was delivered.”

The threat actor behind Rhadamanthys has also advertised two other tools called Elysium Proxy Bot and Crypt Service on their website, even as the flagship information stealer has been updated to support the ability to collect device and web browser fingerprints, among others.

“Rhadamanthys was initially promoted through posts on cybercrime forums, but soon it became clear that the author had a more ambitious plan to connect with potential customers and build visibility,” Check Point researcher Aleksandra “Hasherezade” Doniec said in a new report.

First advertised by a threat actor named kingcrete2022, Rhadamanthys has emerged as one of the most popular information stealers available under a malware-as-a-service (MaaS) model alongside Lumma, Vidar, StealC, and, more recently, Acreed. The current version of the stealer is 0.9.2.

Over the years, the stealer’s capabilities have extended far beyond simple data collection, representing a comprehensive threat to personal and corporate security. In an analysis of version 0.7.0 of the malware last October, Recorded Future detailed the addition of a new artificial intelligence (AI) feature for optical character recognition (OCR) to capture cryptocurrency wallet seed phrases.

The latest findings from Check Point show that the threat actors rebranded themselves as “RHAD security” and “Mythical Origin Labs,” marketing their offerings as “intelligent solutions for innovation and efficiency.”

Rhadamanthys is available in three tiered packages, starting from $299 per month for a self-hosted version to $499 per month that comes with additional benefits, including priority technical support, server, and advanced API access. Prospective customers can also purchase an Enterprise plan by directly contacting their sales team.

“The combination of the branding, product portfolio, and pricing structure suggest that the authors treat Rhadamanthys as a long-term business venture rather than a side project,” Hasherezade noted. “For defenders, this professionalization signals that Rhadamanthys with its growing customer base and an expanding ecosystem is likely here to stay, making it important to track not only its malware updates but also the business infrastructure that sustains it.”

Like Lumma version 4.0, Rhadamanthys version 0.9.2 includes a feature to avoid leaking unpacked artifacts by displaying to the user an alert that allows them to finish the execution of the malware without inflicting any harm to the machine on which it’s running.

This is done so in an attempt to prevent malware distributors from spreading the initial executable in its plain, unprotected form so as to curtail detection efforts, as well as getting their systems infected in the process. That said, while the alert message may be the same in both the stealers, the implementation is completely different, Check Point said, suggesting “surface-level mimicry.”

“In Lumma, opening and reading the file is implemented via raw syscalls, and the message box is executed via NtRaiseHardError,” it noted. “In Rhadamanthys, raw syscalls aren’t used, and the same message box is displayed by MessageBoxW. Both loaders are obfuscated, but the obfuscation patterns are different.”

Other updates to Rhadamanthys concern slight tweaks to the custom XS format used to ship the executable modules, the checks executed to confirm if the malware should continue its execution on the host, and the obfuscated configuration embedded into it. The modifications also extend to obfuscating the names of the modules to fly under the radar.

One of the modules, previously referred to as Strategy, is responsible for a series of environment checks to ensure that it’s not running in a sandboxed environment. Furthermore, it checks running processes against a list of forbidden ones, gets the current wallpaper, and verifies it against a hard-coded one that represents the Triage sandbox.

It also runs a check to confirm if the current username matches anything that resembles those used for sandboxes, and compares the machine’s HWID (hardware identifier) against a predefined list, once again to ascertain the presence of a sandbox. It’s only when all these checks are passed that the sample proceeds to establish a connection with a command-and-control (C2) server to fetch the core component of the stealer.

The payload is concealed using steganographic techniques, either as a WAV, JPEG, or PNG file, from where it’s extracted, decrypted, and launched. It’s worth noting that decrypting the package from the PNG requires a shared secret that’s agreed upon during the initial phase of the C2 communication.

The stealer module, for its part, is equipped with a built-in Lua runner that serves additional plugins written in the programming language to facilitate data theft and conduct extensive device and browser fingerprinting.

“The latest variant represents an evolution rather than a revolution. Analysts should update their config parsers, monitor PNG-based payload delivery, track changes in mutex and bot ID formats, and expect further churn in obfuscation as tooling catches up,” Check Point said.

“Currently, the development is slower and steadier: the core design remains intact, with changes focused on refinements – such as new stealer components, changes in obfuscation, and more advanced customization options.”

Oct 03, 2025Ravie LakshmananMalware / Online Security

Brazilian users have emerged as the target of a new self-propagating malware that spreads via the popular messaging app WhatsApp.

The campaign, codenamed SORVEPOTEL by Trend Micro, weaponizes the trust with the platform to extend its reach across Windows systems, adding the attack is “engineered for speed and propagation” rather than data theft or ransomware.

“SORVEPOTEL has been observed to spread across Windows systems through convincing phishing messages with malicious ZIP file attachments,” researchers Jeffrey Francis Bonaobra, Maristel Policarpio, Sophia Nilette Robles, Cj Arsley Mateo, Jacob Santos, and Paul John Bardon said.

“Interestingly, the phishing message that contains the malicious file attachment requires users to open it on a desktop, suggesting that threat actors might be more interested in targeting enterprises rather than consumers.”

Once the attachment is opened, the malware automatically propagates via the desktop web version of WhatsApp, ultimately causing the infected accounts to be banned for engaging in excessive spam. There are no indications that the threat actors have leveraged the access to exfiltrate data or encrypt files.

The vast majority of the infections — 457 of the 477 cases — are concentrated in Brazil, with entities in government, public service, manufacturing, technology, education, and construction sectors impacted the most.

The starting point of the attack is a phishing message sent from an already compromised contact on WhatsApp to lend it a veneer of credibility. The message contains a ZIP attachment that masquerades as a seemingly harmless receipt or health app-related file.

That said, there is evidence to suggest that the operators behind the campaign have also used emails to distribute the ZIP files from seemingly legitimate email addresses.

Should the recipient fall for the trick and open the attachment, they are lured into opening a Windows shortcut (LNK) file that, when launched, silently triggers the execution of a PowerShell script responsible for retrieving the main payload from an external server (e.g., sorvetenopoate[.]com).

The downloaded payload is a batch script designed to establish persistence on the host by copying itself to the Windows Startup folder so that it’s automatically launched following a system start. It’s also designed to run a PowerShell command that reaches out to a command-and-control (C2) server to fetch further instructions or additional malicious components.

Central to SORVEPOTEL operations is the WhatsApp-focused propagation mechanism. If the malware detects that WhatsApp Web is active on the infected system, it proceeds to distribute the malicious ZIP file to all contacts and groups associated with the victim’s compromised account, allowing it to spread rapidly.

“This automated spreading results in a high volume of spam messages and frequently leads to account suspensions or bans due to violations of WhatsApp’s terms of service,” Trend Micro said.

“The SORVEPOTEL campaign demonstrates how threat actors are increasingly leveraging popular communication platforms like WhatsApp to achieve rapid, large-scale malware propagation with minimal user interaction.”