Author: Mark

  • China-Linked APT41 Hackers Target U.S. Trade Officials Amid 2025 Negotiations

    Sep 10, 2025 | Ravie Lakshmanan | Malware / Cyber Espionage

    The House Select Committee on China has formally issued an advisory warning of an “ongoing” series of highly targeted cyber espionage campaigns linked to the People’s Republic of China (PRC) amid contentious U.S.–China trade talks.

    “These campaigns seek to compromise organizations and individuals involved in U.S.-China trade policy and diplomacy, including U.S. government agencies, U.S. business organizations, D.C. law firms and think tanks, and at least one foreign government,” the committee said.

    The committee noted that suspected threat actors from China impersonated Republican Party Congressman John Robert Moolenaar in phishing emails sent to trusted counterparts with an aim to deceive them and trick them into opening files and links that would grant them unauthorized access to their systems and sensitive information without their knowledge.

    The end goal of the attacks was to steal valuable data by abusing software and cloud services to cover up traces of their activity, a tactic often adopted by state-sponsored hackers to evade detection.

    “This is another example of China’s offensive cyber operations designed to steal American strategy and leverage it against Congress, the Administration, and the American people,” said Moolenaar, who is also the Chairman of the House Select Committee on the Communist Party of China (CCP). “We will not be intimidated, and we will continue our work to keep America safe.”

    The statement comes days after a report from The Wall Street Journal, which revealed on September 7, 2025, that several trade groups, law firms, and U.S. government agencies received an email message from Moolenaar asking their input on proposed sanctions against China.

    “Your insights are essential,” the contents of the message allegedly read, along with an attachment containing a draft version of the legislation that, when launched, deployed malware to gather sensitive data and gain entrenched access to the targeted organizations.

    The attack is believed to be the work of APT41, a prolific hacking group known for its targeting of diverse sectors and geographies for cyber espionage.

    “China firmly opposes and combats all forms of cyber attacks and cyber crime,” the Chinese embassy in Washington told Reuters in a statement. “We also firmly oppose smearing others without solid evidence.”

    “By impersonating Rep. Moolenaar (R-MI), a known Beijing critic, the attackers created urgency and legitimacy that encouraged fast responses,” Yejin Jang, vice president of government affairs at Abnormal AI, told The Hacker News.

    “Political communication extends beyond official government devices or accounts. Sophisticated adversaries understand this reality and actively exploit it. By masquerading as trusted officials through personal or non-official channels, attackers bypass traditional security controls while amplifying authenticity.”

    The committee also noted that the campaign follows another spear-phishing campaign in January 2025 that targeted its staffers with emails that falsely claimed to be from the North America representative of ZPMC, a Chinese state-owned crane manufacturer.

    The attack used fake file-sharing notifications in an attempt to trick the recipients into clicking on a link that’s designed to steal Microsoft 365 login credentials. The adversaries also exploited developer tools to create hidden pathways and covertly exfiltrated data straight to servers under their control.

    It’s worth noting that the committee, in September 2024, published an investigative report alleging how ZPMC’s dominance in the ship-to-shore (STS) port crane market could “serve as a Trojan horse” and help the CCP and China exploit and manipulate U.S. maritime equipment and technology at their request.

    “Based on the targeting, timing, and methods, and consistent with outside assessments, the Committee believes this activity to be CCP state-backed cyber-espionage aimed at influencing U.S. policy deliberations and negotiation strategies to gain an advantage in trade and foreign policy,” it said.


    Source: thehackernews.com…

  • The Time-Saving Guide for Service Providers: Automating vCISO and Compliance Services

    Introduction

    Managed service providers (MSPs) and managed security service providers (MSSPs) are under increasing pressure to deliver strong cybersecurity outcomes in a landscape marked by rising threats and evolving compliance requirements. At the same time, clients want better protection without managing cybersecurity themselves. Service providers must balance these growing demands with the need to work efficiently, deliver consistent results, and scale their offerings.

    Yet, many service providers still rely on manual processes that slow down delivery, make it harder to maintain consistency across clients, and limit the time teams have to focus on more strategic initiatives. Even experienced service providers can find themselves stretched thin as they try to meet rising client expectations while managing operational complexity.

    In this environment, automation offers an opportunity to work more effectively and deliver greater value. By streamlining repetitive tasks, improving consistency, and freeing up time and resources, automation helps providers expand their services, strengthen client relationships, and grow sustainably.

    We created The Service Provider’s Guide to Automating Cybersecurity and Compliance Management to help providers navigate the transition to automation. Inside, you’ll find a practical overview of current challenges, real-world examples, and guidance for identifying where automation can have the biggest impact.

    The Hidden Costs of Manual Work

    Tasks like risk assessments, policy development, framework mapping, remediation planning, and executive reporting often require 13 to 15 hours of manual work each. This level of effort places mounting pressure on internal teams, extends project timelines, and delays client outcomes, all of which can restrict growth.

    Over time, these inefficiencies quietly erode both profitability and service quality, making it harder to scale and compete effectively.

    Key hidden costs include:

    • Time delays that impact client satisfaction and slow down revenue cycles
    • Inconsistencies across assessments and documentation, undermining trust
    • Talent inefficiency as senior staff handle administrative work instead of strategic tasks
    • Missed revenue opportunities due to limited capacity for upselling or onboarding new clients

    Manual processes also create specific bottlenecks across five critical areas of service delivery:

    1. Onboarding & Assessments – Repetitive, slow, and often inconsistent
    2. Framework Mapping – Labor-intensive and prone to errors
    3. Remediation Management – Hard to scale and standardize
    4. Progress Reporting – Time-consuming and lacks consistency and clarity
    5. Service Customization – Manual adjustments reduce repeatability

    Automation is key to overcoming these barriers and unlocking scalable, high-margin service delivery.

    How Automation Can Help: 5 Key Use Cases

    According to The State of the Virtual CISO 2025 Report, vCISO providers using AI or automation report a 68% average reduction in cybersecurity and compliance workload over the past year.

    AI-powered technologies like Cynomi’s vCISO Platform automate and standardize vCISO workflows end-to-end, cutting manual efforts by up to 70%. Here are five key areas where automation can make a measurable impact:

    1. Risk Assessments & Onboarding: Interactive, guided questionnaires and centralized data capture replace emails and interviews, cutting hours from onboarding timelines.
    2. Policy Development: Automated platforms generate client-specific policies mapped to frameworks like NIST and ISO.
    3. Compliance Tracking: Tasks are automatically mapped to frameworks and updated as standards evolve, reducing oversight and error risk.
    4. Remediation Planning: Tasks are prioritized and assigned automatically, allowing teams to track progress and outcomes in a centralized hub.
    5. Progress Reporting: Client-branded progress reports are generated in a few clicks, turning security activity into clear, business-focused insights without the usual delays.
    6. Standardizing Service Delivery: Automation streamlines core tasks like onboarding and compliance management, allowing providers to deliver consistent, high-quality services across clients without reinventing the wheel each time.

    The ROI of Automation

    One of the most effective ways to measure automation’s value is through work hours saved. Tasks that once took over 13 hours can now be completed in just a few, freeing up nearly 10 hours per task to reinvest elsewhere. Multiply that across clients, and the impact on margins and capacity becomes substantial.

    As Steve Bowman, Business Partner at Model Technology Solutions, noted, “When we started, it was four or five months before I’d have somebody doing an assessment on their own. Now it’s down to one month.” This dramatic improvement in ramp-up time underscores the transformative effect automation can have not only on day-to-day operations but also on long-term scalability.

    Here are some examples of time-consuming tasks and the time savings service providers achieve through automating them:

    For more real-world insights into how much time automation can save across key cybersecurity functions, explore The Service Provider’s Guide to Automating Cybersecurity and Compliance Management. It includes practical examples and a straightforward formula to calculate ROI in both hours and dollars, so you can instantly see the measurable benefits automation can bring.

    How to Implement Security and Compliance Automation

    Here’s a practical roadmap for managed service providers aiming to integrate automation into their vCISO or compliance operations.

    1. Assess Current Processes: Start by mapping your existing workflows, including onboarding, assessments, remediation planning, and reporting. Identify manual, repetitive tasks that slow you down or create inconsistencies.
    2. Define Automation Goals: Clarify what you want to achieve through automation, such as reducing task time, increasing capacity, or improving service consistency. Measurable goals help prioritize efforts and guide platform selection.
    3. Select a Deployment Model: Explore three options: build your own tools, use a GRC platform for compliance, or adopt an all-in-one cybersecurity and compliance management platform like Cynomi. Each varies in complexity, scalability, and resource demands.
    4. Pilot Before Scaling: Test your automation strategy with a single client or team to identify strengths, challenges, and integration needs before broader rollout.
    5. Train Teams and Clients: Provide tailored training and maintain open communication to ensure smoother adoption and build confidence in the new platform.
    6. Measure Impact and Optimize: Track key metrics, such as time saved and reporting turnaround. Use these insights to refine processes and maximize ROI.

    Conclusion: Automation Is the New Differentiator

    In today’s cybersecurity landscape, automation through AI has become a strategic necessity. It empowers service providers to streamline operations, deliver consistent value, and scale without increasing overhead. Those who embrace it position themselves to move faster, serve more clients, and elevate their role from technical support to trusted business advisor.

    Whether you’re just starting out or refining your current approach, The Service Provider’s Guide to Automating Cybersecurity and Compliance Management provides practical insights into current challenges, real-world examples, and guidance on what to automate, what to keep manual, and how to choose the right tools to scale effectively.


    Source: thehackernews.com…

  • Watch Out for Salty2FA: New Phishing Kit Targeting US and EU Enterprises

    Sep 10, 2025 | The Hacker News | Malware Analysis / Enterprise Security

    Phishing-as-a-Service (PhaaS) platforms keep evolving, giving attackers faster and cheaper ways to break into corporate accounts. Now, researchers at ANY.RUN have uncovered a new entrant: Salty2FA, a phishing kit designed to bypass multiple two-factor authentication methods and slip past traditional defenses.

    Already spotted in campaigns across the US and EU, Salty2FA puts enterprises at risk by targeting industries from finance to energy. Its multi-stage execution chain, evasive infrastructure, and ability to intercept credentials and 2FA codes make it one of the most dangerous PhaaS frameworks seen this year.

    Why Salty2FA Raises the Stakes for Enterprises

    Salty2FA’s ability to bypass push, SMS, and voice-based 2FA means stolen credentials can lead directly to account takeover. Already aimed at finance, energy, and telecom sectors, the kit turns common phishing emails into high-impact breaches.

    Who is Being Targeted?

    ANY.RUN analysts mapped Salty2FA campaigns and found activity spanning multiple regions and industries, with US and EU enterprises most heavily hit.

    Region                                                    Key Targeted Industries
    --------------------------------------------------------  ------------------------------------------------------------------------------------------------
    United States                                             Finance, healthcare, government, logistics, energy, IT consulting, education, construction
    Europe (UK, Germany, Spain, Italy, Greece, Switzerland)   Telecom, chemicals, energy (including solar), industrial manufacturing, real estate, consulting
    Worldwide / Other                                         Logistics, IT, metallurgy (India, Canada, France, LATAM)

    When Did Salty2FA Start Hitting Enterprises?

    Based on data from the ANY.RUN Sandbox and TI, Salty2FA activity began gaining momentum in June 2025, with early traces possibly dating back to March–April. Confirmed campaigns have been active since late July and continue to this day, generating dozens of fresh analysis sessions daily.

    Real-World Case: How Salty2FA Exploits Enterprise Employees

    One recent case analyzed by ANY.RUN shows just how convincing Salty2FA can be in practice. An employee received an email with the subject line “External Review Request: 2025 Payment Correction”, a lure designed to trigger urgency and bypass skepticism.

    When opened in the ANY.RUN sandbox, the attack chain unfolded step by step:

    Malicious email with Salty2FA attack analyzed inside ANY.RUN sandbox

    Stage 1: Email lure

    The email contained a payment correction request disguised as a routine business message.

    Stage 2: Redirect and fake login

    The link led to a Microsoft-branded login page, wrapped in Cloudflare checks to bypass automated filters. In the sandbox, ANY.RUN’s Automated Interactivity handled the verification automatically, exposing the flow without manual clicks and cutting investigation time for analysts.

    Cloudflare verification completed automatically inside ANY.RUN sandbox

    Stage 3: Credential theft

    Employee details entered on the page were harvested and exfiltrated to attacker-controlled servers.

    Fake Microsoft page, ready to steal credentials from victims

    Stage 4: 2FA bypass

    If the account had multi-factor authentication enabled, the phishing page prompted for codes and could intercept push, SMS, or even voice call verification.

    By running the file in the sandbox, SOC teams could see the full execution chain in real time, from the first click to credential theft and 2FA interception. This level of visibility is critical, because static indicators like domains or hashes mutate daily, but behavioral patterns remain consistent. Sandbox analysis gives faster confirmation of threats, reduced analyst workload, and better coverage against evolving PhaaS kits like Salty2FA.

    Stopping Salty2FA: What SOCs Should Do Next

    Salty2FA shows how fast phishing-as-a-service is evolving and why static indicators alone won’t stop it. For SOCs and security leaders, protection means shifting focus to behaviors and response speed:

    • Rely on behavioral detection: Track recurring patterns like domain structures and page logic rather than chasing constantly changing IOCs.
    • Detonate suspicious emails in a sandbox: Full-chain visibility reveals credential theft and 2FA interception attempts in real time.
    • Harden MFA policies: Favor app-based or hardware tokens over SMS and voice, and use conditional access to flag risky logins.
    • Train employees on financial lures: Common hooks like “payment correction” or “billing statement” should always raise suspicion.
    • Integrate sandbox results into your stack: Feeding live attack data into SIEM/SOAR speeds detection and reduces manual workload.

    By combining these measures, enterprises can turn Salty2FA from a hidden risk into a known and manageable threat.

    Boost SOC Efficiency with Interactive Sandboxing

    Enterprises worldwide are turning to interactive sandboxes like ANY.RUN to strengthen their defenses against advanced phishing kits such as Salty2FA. The results are measurable:

    • 3× SOC efficiency by combining interactive analysis and automation.
    • Up to 50% faster investigations, cutting time from hours to minutes.
    • 94% of users report faster triage, with clearer IOCs and TTPs for confident decision-making.
    • 30% fewer Tier 1–Tier 2 escalations, as junior analysts gain confidence and senior staff are freed to focus on critical tasks.

    With visibility into 88% of threats in under 60 seconds, enterprises get the speed and clarity they need to stop phishing before it leads to a major breach.

    Try ANY.RUN today: built for enterprise SOCs that need faster investigations, stronger defenses, and measurable results.


    Source: thehackernews.com…

  • SAP Patches Critical NetWeaver (CVSS Up to 10.0) and High-Severity S/4HANA Flaws

    Sep 10, 2025 | Ravie Lakshmanan | Software Security / Vulnerability

    SAP on Tuesday released security updates to address multiple security flaws, including three critical vulnerabilities in SAP NetWeaver that could result in code execution and the upload of arbitrary files.

    The vulnerabilities are listed below –

    • CVE-2025-42944 (CVSS score: 10.0) – A deserialization vulnerability in SAP NetWeaver that could allow an unauthenticated attacker to submit a malicious payload to an open port through the RMI-P4 module, resulting in operating system command execution
    • CVE-2025-42922 (CVSS score: 9.9) – An insecure file operations vulnerability in SAP NetWeaver AS Java that could allow an attacker authenticated as a non-administrative user to upload an arbitrary file
    • CVE-2025-42958 (CVSS score: 9.1) – A missing authentication check vulnerability in the SAP NetWeaver application on IBM i-series that could allow highly privileged unauthorized users to read, modify, or delete sensitive information, as well as access administrative or privileged functionalities

    “[CVE-2025-42944] allows an unauthenticated attacker to execute arbitrary OS commands by submitting a malicious payload to an open port,” Onapsis said. “A successful exploit can lead to full compromise of the application. As a temporary workaround, customers should add P4 port filtering at the ICM level to prevent unknown hosts from connecting to the P4 port.”

    Also addressed by SAP is a high-severity missing input validation bug in SAP S/4HANA (CVE-2025-42916, CVSS score: 8.1) that could permit an attacker with high privilege access to ABAP reports to delete the content of arbitrary database tables, should the tables not be protected by an authorization group.

    The patches arrive days after SecurityBridge and Pathlock disclosed that a critical security defect in SAP S/4HANA that was fixed by the company last month (CVE-2025-42957, CVSS score: 9.9) has come under active exploitation in the wild.

    While there is no evidence that the newly disclosed issues have been weaponized by bad actors, it’s essential that users move to apply the necessary updates as soon as possible for optimal protection.


    Source: thehackernews.com…

  • Adobe Commerce Flaw CVE-2025-54236 Lets Hackers Take Over Customer Accounts

    Sep 10, 2025 | Ravie Lakshmanan | Vulnerability / Software Security

    Adobe has warned of a critical security flaw in its Commerce and Magento Open Source platforms that, if successfully exploited, could allow attackers to take control of customer accounts.

    The vulnerability, tracked as CVE-2025-54236 (aka SessionReaper), carries a CVSS score of 9.1 out of a maximum of 10.0. It has been described as an improper input validation flaw. Adobe said it’s not aware of any exploits in the wild.

    “A potential attacker could take over customer accounts in Adobe Commerce through the Commerce REST API,” Adobe said in an advisory issued today.

    The issue impacts the following products and versions –

    Adobe Commerce (all deployment methods):

    • 2.4.9-alpha2 and earlier
    • 2.4.8-p2 and earlier
    • 2.4.7-p7 and earlier
    • 2.4.6-p12 and earlier
    • 2.4.5-p14 and earlier
    • 2.4.4-p15 and earlier

    Adobe Commerce B2B:

    • 1.5.3-alpha2 and earlier
    • 1.5.2-p2 and earlier
    • 1.4.2-p7 and earlier
    • 1.3.4-p14 and earlier
    • 1.3.3-p15 and earlier

    Magento Open Source:

    • 2.4.9-alpha2 and earlier
    • 2.4.8-p2 and earlier
    • 2.4.7-p7 and earlier
    • 2.4.6-p12 and earlier
    • 2.4.5-p14 and earlier

    Custom Attributes Serializable module:

    Adobe, in addition to releasing a hotfix for the vulnerability, said it has deployed web application firewall (WAF) rules to protect environments against exploitation attempts that may target merchants using Adobe Commerce on Cloud infrastructure.
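    To turn the affected-version lists above into something a merchant can actually run, here is an added Python example (not Adobe’s or Sansec’s code) that parses Adobe Commerce and Magento version strings and reports whether an installed build sits at or below each “and earlier” threshold for its release branch. The ordering of build suffixes (alpha before the GA release, GA before p-level patches) is an assumption about Adobe’s numbering, and branches the advisory does not list come back as unknown rather than safe.

```python
"""Check an installed Adobe Commerce / Magento Open Source build against the
version ranges Adobe lists as affected by CVE-2025-54236 (SessionReaper).
Added example, not vendor tooling; thresholds are copied from the advisory text."""
import re

# "<version> and earlier" thresholds per product, exactly as listed in the advisory.
AFFECTED_THRESHOLDS = {
    "Adobe Commerce": ["2.4.9-alpha2", "2.4.8-p2", "2.4.7-p7",
                       "2.4.6-p12", "2.4.5-p14", "2.4.4-p15"],
    "Adobe Commerce B2B": ["1.5.3-alpha2", "1.5.2-p2", "1.4.2-p7",
                           "1.3.4-p14", "1.3.3-p15"],
    "Magento Open Source": ["2.4.9-alpha2", "2.4.8-p2", "2.4.7-p7",
                            "2.4.6-p12", "2.4.5-p14"],
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|p)(\d+))?$")

# Assumed ordering of build suffixes within one branch: pre-releases come
# before the GA release, and GA comes before patch levels (p1, p2, ...).
_STAGE_RANK = {"alpha": 0, "beta": 1, None: 2, "p": 3}


def parse_version(text):
    """Split '2.4.7-p7' into (branch=(2, 4, 7), stage_rank, suffix_number).

    Raises ValueError for strings that do not look like an Adobe Commerce version.
    """
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    branch = tuple(int(part) for part in match.group(1, 2, 3))
    stage = match.group(4)
    number = int(match.group(5)) if match.group(5) else 0
    return branch, _STAGE_RANK[stage], number


def is_affected(product, installed):
    """Return True/False when the installed build's branch appears in the
    advisory (affected means installed <= the listed threshold), or None when
    the branch is not listed and the advisory gives no verdict."""
    branch, stage_rank, number = parse_version(installed)
    for threshold in AFFECTED_THRESHOLDS[product]:
        t_branch, t_rank, t_number = parse_version(threshold)
        if t_branch != branch:
            continue
        # Same release branch: compare (stage, suffix number) lexicographically.
        return (stage_rank, number) <= (t_rank, t_number)
    return None


def audit(product, installed):
    """Human-readable verdict for one installation."""
    verdict = is_affected(product, installed)
    if verdict is None:
        return f"{product} {installed}: branch not listed in the advisory; verify manually"
    if verdict:
        return f"{product} {installed}: AFFECTED by CVE-2025-54236, apply the hotfix"
    return f"{product} {installed}: above the listed threshold for its branch"


if __name__ == "__main__":
    for product, version in [("Adobe Commerce", "2.4.7-p7"),
                             ("Adobe Commerce", "2.4.7-p8"),
                             ("Magento Open Source", "2.4.8"),
                             ("Adobe Commerce B2B", "1.4.2-p6"),
                             ("Adobe Commerce", "2.4.3-p3")]:
        print(audit(product, version))
```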

    “SessionReaper is one of the more severe Magento vulnerabilities in its history, comparable to Shoplift (2015), Ambionics SQLi (2019), TrojanOrder (2022), and CosmicSting (2024),” e-commerce security company Sansec said.

    The Netherlands-based firm said it successfully reproduced one possible way to exploit CVE-2025-54236, but noted that there are other possible avenues to weaponize the vulnerability.

    “The vulnerability follows a familiar pattern from last year’s CosmicSting attack,” it added. “The attack combines a malicious session with a nested deserialization bug in Magento’s REST API.”

    “The specific remote code execution vector appears to require file-based session storage. However, we recommend merchants using Redis or database sessions to take immediate action as well, as there are multiple ways to abuse this vulnerability.”

    Adobe has also shipped fixes to contain a critical path traversal vulnerability in ColdFusion (CVE-2025-54261, CVSS score: 9.0) that could lead to an arbitrary file system write. It impacts ColdFusion 2021 (Update 21 and earlier), 2023 (Update 15 and earlier), and 2025 (Update 3 and earlier) on all platforms.


    Source: thehackernews.com…

  • Axios Abuse and Salty 2FA Kits Fuel Advanced Microsoft 365 Phishing Attacks

    Threat actors are abusing HTTP client tools like Axios in conjunction with Microsoft’s Direct Send feature to form a “highly efficient attack pipeline” in recent phishing campaigns, according to new findings from ReliaQuest.

    “Axios user agent activity surged 241% from June to August 2025, dwarfing the 85% growth of all other flagged user agents combined,” the cybersecurity company said in a report shared with The Hacker News. “Out of 32 flagged user agents observed in this timeframe, Axios accounted for 24.44% of all activity.”

    The abuse of Axios was previously flagged by Proofpoint in January 2025, detailing campaigns utilizing HTTP clients to send HTTP requests and receive HTTP responses from web servers to conduct account takeover (ATO) attacks on Microsoft 365 environments.

    ReliaQuest told The Hacker News that there is no evidence to suggest these activities are related, adding that the tool is regularly exploited alongside popular phishing kits. “The usefulness of Axios means it is almost certainly being adopted by all types of threat actors regardless of sophistication levels or motivation,” the company added.

    Similarly, phishing campaigns have also been observed increasingly using a legitimate feature in Microsoft 365 (M365) called Direct Send to spoof trusted users and distribute email messages.

    By pairing Axios with Microsoft Direct Send, the attackers weaponize a trusted delivery method to ensure that their messages slip past secure gateways and land in users’ inboxes. Indeed, attacks that paired Axios with Direct Send have been found to achieve a 70% success rate in recent campaigns, surging past non-Axios campaigns with “unparalleled efficiency.”

    The campaign observed by ReliaQuest is said to have commenced in July 2025, initially singling out executives and managers in finance, health care, and manufacturing sectors, before expanding its focus to target all users.

    Calling the approach a game changer for attackers, the company pointed out that the campaign not only succeeds in bypassing traditional security defenses with improved precision, but also lets attackers mount phishing operations at an unprecedented scale.

    In these attacks, Axios is used to intercept, modify, and replay HTTP requests, thereby making it possible to capture session tokens or multi-factor authentication (MFA) codes in real-time or exploit SAS tokens in Azure authentication workflows to gain access to sensitive resources.

    “Attackers use this blind spot to bypass MFA, hijack session tokens, and automate phishing workflows,” ReliaQuest said. “The customizability offered by Axios lets attackers tailor their activity to further mimic legitimate workflows.”

    The email messages involve using compensation-themed lures to trick recipients into opening PDF documents containing malicious QR codes, which, when scanned, direct users to fake login pages mimicking Microsoft Outlook to facilitate credential theft. As an extra layer of defense evasion, some of these pages are hosted on Google Firebase infrastructure to capitalize on the reputation of the app development platform.

    Besides lowering the technical barrier for sophisticated attacks, Axios’s prevalence in enterprise and developer setups also means that it offers attackers a way to blend in with regular traffic and fly under the radar.
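    The user-agent statistics ReliaQuest reports (a 241% surge, a 24.44% share of flagged activity) are the kind of numbers a SOC can reproduce from its own Microsoft 365 sign-in logs. Here is an added Python example (not ReliaQuest’s code) that flags scripted HTTP-client user agents such as Axios in constructed sign-in records, computes each family’s share of flagged activity and its month-over-month growth, and pulls out the successful sign-ins that deserve an alert; the watchlist of user-agent families and the sample records are assumptions made up for the example.

```python
"""Flag non-browser HTTP-client user agents (Axios and similar) in Microsoft 365
sign-in records and measure their share and growth, mirroring the metrics in
the ReliaQuest findings above. Added example; all log records are constructed."""
import re
from collections import Counter, defaultdict

# Constructed Entra ID sign-in records (not real telemetry). status 0 is a
# successful sign-in; 50126 is the invalid-credentials error code.
SAMPLE_SIGNINS = [
    {"time": "2025-06-03T09:12:00Z", "user": "cfo@example.test",
     "ua": "axios/1.7.2", "app": "Office 365 Exchange Online", "status": 0},
    {"time": "2025-06-14T11:40:00Z", "user": "hr@example.test",
     "ua": "python-requests/2.32.3", "app": "Microsoft Graph", "status": 50126},
    {"time": "2025-06-20T15:02:00Z", "user": "ceo@example.test",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/128.0 Safari/537.36",
     "app": "Office 365 SharePoint Online", "status": 0},
    {"time": "2025-08-02T08:05:00Z", "user": "cfo@example.test",
     "ua": "axios/1.7.4", "app": "Office 365 Exchange Online", "status": 0},
    {"time": "2025-08-05T18:31:00Z", "user": "ap@example.test",
     "ua": "axios/1.7.4", "app": "Office 365 Exchange Online", "status": 0},
    {"time": "2025-08-09T22:47:00Z", "user": "ap@example.test",
     "ua": "axios/1.7.4", "app": "Microsoft Graph", "status": 50126},
    {"time": "2025-08-11T07:55:00Z", "user": "it@example.test",
     "ua": "Go-http-client/1.1", "app": "Microsoft Graph", "status": 0},
    {"time": "2025-08-15T10:20:00Z", "user": "ceo@example.test",
     "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 14_5) AppleWebKit/605.1.15 Safari/605.1.15",
     "app": "Office 365 Exchange Online", "status": 0},
]

# Assumed watchlist of scripted HTTP-client families. ReliaQuest tracked 32
# flagged user agents but the article does not list them; this set is illustrative.
FLAGGED_UA_PATTERNS = {
    "axios": re.compile(r"^axios/\d", re.I),
    "python-requests": re.compile(r"^python-requests/", re.I),
    "go-http-client": re.compile(r"^Go-http-client/", re.I),
    "node-fetch": re.compile(r"^node-fetch/", re.I),
}


def classify_user_agent(ua):
    """Return the flagged family name for a user agent, or None for anything else."""
    for family, pattern in FLAGGED_UA_PATTERNS.items():
        if pattern.search(ua):
            return family
    return None


def flagged_activity_share(records):
    """Percent share (2 dp) of each flagged family among all flagged sign-ins,
    the same measure as the 24.44% Axios figure in the report."""
    counts = Counter()
    for record in records:
        family = classify_user_agent(record["ua"])
        if family:
            counts[family] += 1
    total = sum(counts.values())
    if not total:
        return {}
    return {family: round(100.0 * n / total, 2) for family, n in counts.items()}


def monthly_counts(records, family):
    """Number of sign-ins for one flagged family per YYYY-MM bucket."""
    per_month = defaultdict(int)
    for record in records:
        if classify_user_agent(record["ua"]) == family:
            per_month[record["time"][:7]] += 1
    return dict(per_month)


def growth_percent(records, family, start_month, end_month):
    """Percent growth of a family's sign-ins between two months, or None when
    the start month has no activity to serve as a baseline."""
    counts = monthly_counts(records, family)
    start, end = counts.get(start_month, 0), counts.get(end_month, 0)
    if start == 0:
        return None
    return round(100.0 * (end - start) / start, 1)


def successful_client_signins(records, family="axios"):
    """Successful sign-ins from a flagged family. A scripted client holding a
    valid session is the account-takeover signal worth forwarding to the SIEM;
    failed attempts are noise by comparison."""
    return [record for record in records
            if classify_user_agent(record["ua"]) == family and record["status"] == 0]


if __name__ == "__main__":
    print("share of flagged activity:", flagged_activity_share(SAMPLE_SIGNINS))
    print("axios growth Jun->Aug:",
          growth_percent(SAMPLE_SIGNINS, "axios", "2025-06", "2025-08"), "%")
    for hit in successful_client_signins(SAMPLE_SIGNINS):
        print("ALERT", hit["time"], hit["user"], hit["ua"], hit["app"])
```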

    To mitigate the risk posed by this threat, organizations are advised to secure Direct Send and disable it if not required, configure appropriate anti-spoofing policies on email gateways, train employees to recognize phishing emails, and block suspicious domains.

    “Axios amplifies the impact of phishing campaigns by bridging the gap between initial access and full-scale exploitation. Its ability to manipulate authentication workflows and replay HTTP requests allows attackers to weaponize stolen credentials in ways that are both scalable and precise.”

    “This makes Axios integral to the rising success of Direct Send phishing campaigns, showing how attackers are evolving beyond traditional phishing tactics to exploit authentication systems and APIs at a level that traditional defenses are ill-equipped to handle.”

    The development comes as Mimecast detailed a large-scale credential harvesting campaign targeting hospitality industry professionals by impersonating trusted hotel management platforms Expedia Partner Central and Cloudbeds in emails that claim to be guest booking confirmations and partner central notifications.

    “This credential harvesting operation leverages the routine nature of hotel booking communications,” the company said. “The campaign employs urgent, business-critical subject lines designed to prompt immediate action from hotel managers and staff.”

    The findings also follow the discovery of an ongoing campaign that has employed a nascent phishing-as-a-service (PhaaS) offering called Salty 2FA to steal Microsoft login credentials and sidestep MFA by simulating six different methods: SMS authentication, authenticator apps, phone calls, push notifications, backup codes, and hardware tokens.

    The attack chain is notable for leveraging services like Aha[.]io to stage initial landing pages that masquerade as OneDrive sharing notifications to deceive email recipients and trick them into clicking on fake links that redirect to credential harvesting pages, but not before completing a Cloudflare Turnstile verification check to filter automated security tools and sandboxes.

    The phishing pages also include other advanced features, such as geofencing and IP filtering to block traffic from known security vendor IP address ranges and cloud providers, disabling the keyboard shortcuts that open developer tools in web browsers, and assigning a new subdomain to each victim session. The goal of these techniques is to complicate analysis.

    These findings illustrate how phishing attacks have matured into enterprise-grade operations, utilizing advanced evasion tactics and convincing MFA simulations, while exploiting trusted platforms and mimicking corporate portals to make it harder to distinguish between real and fraudulent activity.

    “The phishing kit implements dynamic branding functionality to enhance social engineering effectiveness,” Ontinue said. “Technical analysis reveals the malicious infrastructure maintains a corporate theme database that automatically customizes fraudulent login interfaces based on victim email domains.”

    “Salty2FA demonstrates how cybercriminals now approach infrastructure with the same methodical planning that enterprises use for their own systems. What makes this particularly concerning is how these techniques blur the line between legitimate and malicious traffic.”


    Source: thehackernews.com…

  • RatOn Android Malware Detected With NFC Relay and ATS Banking Fraud Capabilities

    Sep 09, 2025 | Ravie Lakshmanan | Mobile Security / Threat Intelligence

    A new Android malware called RatOn evolved from a basic tool capable of conducting Near Field Communication (NFC) attacks to a sophisticated remote access trojan with Automated Transfer System (ATS) capabilities to conduct device fraud.

    “RatOn merges traditional overlay attacks with automatic money transfers and NFC relay functionality – making it a uniquely powerful threat,” the Dutch mobile security company ThreatFabric said in a report published today.

    The banking trojan comes fitted with account takeover functions targeting cryptocurrency wallet applications like MetaMask, Trust, Blockchain.com, and Phantom, while also capable of carrying out automated money transfers abusing George Česko, a bank application used in the Czech Republic.

    Furthermore, it can perform ransomware-like attacks using custom overlay pages and device locking. It’s worth noting that a variant of the HOOK Android trojan was also observed incorporating ransomware-style overlay screens to display extortion messages.

    The first sample distributing RatOn was detected in the wild on July 5, 2025, with more artifacts discovered as recently as August 29, 2025, indicating active development work on the part of the operators.

    RatOn has leveraged fake Play Store listing pages masquerading as an adult-friendly version of TikTok (TikTok 18+) to host malicious dropper apps that deliver the trojan. It’s currently not clear how users are lured to these sites, but the activity has singled out Czech- and Slovak-speaking users.

    Once the dropper app is installed, it requests permission from the user to install applications from third-party sources so as to bypass critical security measures imposed by Google to prevent abuse of Android’s accessibility services.

    The second-stage payload then proceeds to request device administration and accessibility services, as well as permissions to read/write contacts and manage system settings to realize its malicious functionality.

    This includes granting itself additional permissions as required and downloading a third-stage malware, which is the NFSkate malware that can perform NFC relay attacks using a technique called Ghost Tap. The malware family was first documented in November 2024.

    “The account takeover and automated transfer features have shown that the threat actor knows the internals of the targeted applications quite well,” ThreatFabric said, describing the malware as built from scratch and sharing no code similarities with other Android banking malware.

    That’s not all. RatOn can also serve overlay screens that resemble a ransom note, claiming that users’ phones have been locked for viewing and distributing child pornography and that they need to pay $200 in cryptocurrency to regain access in two hours.

    It’s suspected that the ransom notes are designed to induce a false sense of urgency and coerce the victim into opening the cryptocurrency apps, making the transaction immediately, and enabling the attackers to capture the device PIN code in the process.

    “Upon corresponding command, RatOn can launch the targeted cryptocurrency wallet app, unlock it using the stolen PIN code, click on interface elements which are related to security settings of the app, and on the final step, reveal secret phrases,” ThreatFabric said, detailing its account takeover features.

    The sensitive data is subsequently recorded by a keylogger component and exfiltrated to an external server under the control of the threat actors, who can then use the seed phrases to obtain unauthorized access to the victims’ accounts and steal cryptocurrency assets.

    Some notable commands that are processed by RatOn are listed below:

    • send_push, to send fake push notifications
    • screen_lock, to change the device lock screen timeout to a specified value
    • WhatsApp, to launch WhatsApp
    • app_inject, to change the list of targeted financial applications
    • update_device, to send a list of installed apps with device fingerprint
    • send_sms, to send an SMS message using accessibility services
    • Facebook, to launch Facebook
    • nfs, to download and run the NFSkate APK malware
    • transfer, to perform ATS using George Česko
    • lock, to lock the device using device administration access
    • add_contact, to create a new contact using a specified name and phone number
    • record, to launch a screen casting session
    • display, to turn on/off screen casting

    “The threat actor group initially targeted the Czech Republic, with Slovakia likely being the next country of focus,” ThreatFabric said. “The reason behind concentrating on a single banking application remains unclear. However, the fact that automated transfers require local banking account numbers suggests that the threat actors may be collaborating with local money mules.”


    Source: thehackernews.com…

  • [Webinar] Shadow AI Agents Multiply Fast — Learn How to Detect and Control Them

    Sep 09, 2025 | The Hacker News | Artificial Intelligence / Threat Detection

    ⚠️ One click is all it takes.

    An engineer spins up an “experimental” AI Agent to test a workflow. A business unit connects to automate reporting. A cloud platform quietly enables a new agent behind the scenes.

    Individually, they look harmless. But together, they form an invisible swarm of Shadow AI Agents—operating outside security’s line of sight, tied to identities you don’t even know exist.

    And here’s the uncomfortable truth: every one of them carries infinite risk.

    • Agents impersonating trusted users.
    • Non-human identities with access you didn’t approve.
    • Data leaking across boundaries you thought were locked down.

    This isn’t a futuristic threat. It’s happening today, across enterprises everywhere. And they’re multiplying faster than your governance can catch up.

    That’s why you can’t miss our upcoming panel: Shadow AI Agents Exposed. Secure your seat now – Register Here.

    Why Shadow AI is Exploding

    From identity providers to PaaS platforms, it takes almost nothing to spin up an AI Agent—and attackers know it. That leaves security teams scrambling to answer urgent questions:

    • Who’s launching them?
    • What identities are they tied to?
    • Where are they operating—often in the shadows?

    The Panel You Can’t Afford to Miss

    Join us for “Shadow AI Agents Exposed — and the Identities that Pull the Strings,” an exclusive panel of experts dissecting the most pressing risks in AI operations.

    We’ll break down:

    • ✅ What really counts as an AI Agent (and what doesn’t)
    • ✅ The non-human identities (NHIs) fueling Shadow AI
    • ✅ How and why rogue agents multiply—and where they hide
    • ✅ Detection methods that actually work: from IP tracing to code-level analysis
    • ✅ Simple governance wins that won’t kill innovation

    Watch this Webinar Now

    This isn’t theory—it’s a playbook for finding, stopping, and bringing Shadow AI into the light.

    👉 Reserve your place now and be part of the conversation before Shadow AI outpaces your defenses.

    Whether you’re chasing rogue agents today or preparing for the storm tomorrow, you’ll walk away with actionable steps to improve visibility and control—before Shadow AI controls you.


    Source: thehackernews.com…

  • TOR-Based Cryptojacking Attack Expands Through Misconfigured Docker APIs

    Cybersecurity researchers have discovered a variant of a recently disclosed campaign that abuses the TOR network for cryptojacking attacks targeting exposed Docker APIs.

    Akamai, which discovered the latest activity last month, said it’s designed to block other actors from accessing the Docker API from the internet.

    The findings build on a prior report from Trend Micro in late June 2025, which uncovered a malicious campaign that targeted exposed Docker instances to stealthily drop an XMRig cryptocurrency miner using a TOR domain for anonymity.

    “This new strain seems to use similar tooling to the original, but may have a different end goal – including possibly setting up the foundation of a complex botnet,” security researcher Yonatan Gilvarg said.

    The attack chain essentially involves breaking into misconfigured Docker APIs to execute a new container based on the Alpine Docker image and mount the host file system into it. This is followed by the threat actors running a Base64-encoded payload to download a shell script downloader from a .onion domain.

    The script, besides altering SSH configurations to set up persistence, also installs other tools such as masscan, libpcap, libpcap-dev, zstd, and torsocks to conduct reconnaissance, contact a command-and-control (C2) server, and download a compressed binary from a second .onion domain.

    “The first file that is downloaded is a dropper written in Go that includes the content it wants to drop, so it won’t communicate out to the internet,” Gilvarg explained. “Except for dropping another binary file, it parses the utmp file to find who is currently logged in to the machine.”

    Interestingly, the binary file’s source code includes an emoji to depict users who are signed in to the system. This indicates that the artifact may have been crafted using a large language model (LLM).

    The dropper also launches Masscan to scan the internet for open Docker API services at port 2375 and propagate the infection to those machines by repeating the same process of creating a container with the Base64 command.
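The two conditions the chain above depends on, an API listener on port 2375 reachable without TLS and a container started with the host filesystem bind-mounted into it, are both visible in artefacts a defender already has: the daemon configuration and `docker inspect` output. The audit below is an added example, not code from Akamai or the article; the `hosts` and `tlsverify` keys are the real daemon.json settings, while the two configurations and the inspect records are constructed to show a weak setup next to a hardened one.

```python
"""Audit Docker for the exposure pattern abused by the campaign: an API
listener bound over plain TCP and containers mounting the host root.
Added example; inputs are constructed in the shape of /etc/docker/daemon.json
and `docker inspect` output."""
import json


def exposed_api_listeners(daemon_cfg):
    """Return tcp:// listeners that are served without TLS client verification.
    'hosts' and 'tlsverify' are the real daemon.json keys."""
    hosts = daemon_cfg.get("hosts", [])
    tls_verified = bool(daemon_cfg.get("tlsverify", False))
    return [h for h in hosts if h.startswith("tcp://") and not tls_verified]


def host_mount_findings(inspect_output):
    """Flag containers whose bind mounts expose the host root filesystem or
    that run privileged. The image name (Alpine here) is not the indicator;
    the mount is, so any image is checked the same way."""
    findings = []
    for c in inspect_output:
        name = c.get("Name", "?").lstrip("/")
        host_cfg = c.get("HostConfig", {})
        bind_sources = {b.split(":")[0] for b in host_cfg.get("Binds") or []}
        mount_sources = {m.get("Source") for m in c.get("Mounts", []) if m.get("Type") == "bind"}
        if "/" in bind_sources | mount_sources:
            findings.append((name, "host-root-mounted"))
        if host_cfg.get("Privileged"):
            findings.append((name, "privileged"))
    return findings


# Constructed daemon.json contents: the weak form listens on 2375 in the clear.
DAEMON_WEAK = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}
DAEMON_HARDENED = {
    "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",    # placeholder paths
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
}

# Constructed `docker inspect` records: one container mirrors the campaign's
# Alpine-with-host-root pattern, the other is an ordinary web container.
INSPECT_SAMPLE = json.loads("""[
  {"Name": "/miner-helper", "Config": {"Image": "alpine"},
   "HostConfig": {"Binds": ["/:/hostroot"], "Privileged": false},
   "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/hostroot"}]},
  {"Name": "/web", "Config": {"Image": "nginx:1.27"},
   "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"], "Privileged": false},
   "Mounts": [{"Type": "bind", "Source": "/srv/www", "Destination": "/usr/share/nginx/html"}]}
]""")


def audit(daemon_cfg, inspect_output):
    """Combine both checks into one report list."""
    report = [("daemon", f"plaintext-api-listener:{h}") for h in exposed_api_listeners(daemon_cfg)]
    return report + host_mount_findings(inspect_output)


if __name__ == "__main__":
    for item in audit(DAEMON_WEAK, INSPECT_SAMPLE):
        print(*item)
```

On a live host the inspect records come from `docker inspect $(docker ps -q)`; the daemon check is also worth running against any `-H tcp://` flag in the dockerd service unit, since a listener set there never appears in daemon.json.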

    Furthermore, the binary includes checks for two more ports: 23 (Telnet) and 9222 (remote debugging port for Chromium browsers), although the functionality to spread via those ports is yet to be fully fleshed out.

    The Telnet attack method entails using a set of known, default routers and device credentials to brute-force logins and exfiltrate successful sign-in attempts to a webhook[.]site endpoint with details about the destination IP address and victim authentication credentials.

    In the case of port 9222, the malware utilizes a Go library named chromedp to interact with the web browser. It has been previously weaponized by North Korean threat actors to communicate with C2 servers and even by stealer malware to bypass Chrome’s app-bound encryption, connect remotely to Chromium sessions, and siphon cookies and other private data.

    It then attaches to an existing session on the open remote debugging port and sends a POST request to the same .onion domain used to retrieve the shell script downloader, containing the IP address of the host the malware runs on and the destination it found reachable on port 9222.

    The details are transmitted to an endpoint named “httpbot/add,” raising the possibility that devices with exposed remote debugging ports for Chrome/Chromium could be enlisted into a botnet for delivering additional payloads that can steal data or be used to conduct distributed denial-of-service (DDoS) attacks.

    “As the malware only scans for port 2375, the logic for handling ports 23 and 9222 is currently unreachable and will not be executed,” Gilvarg said. “However, the implementation exists, which may indicate future capabilities.”

    “Attackers can gain significant control over systems affected by abused APIs. The importance of segmenting networks, limiting exposure of services to the internet, and securing default credentials cannot be overstated. By adopting these measures, organizations can significantly reduce their vulnerability to such threats.”

    Wiz Flags AWS SES Abuse Campaign

    The disclosure comes as cloud security firm Wiz detailed an Amazon Simple Email Service (SES) campaign in May 2025 that leveraged compromised Amazon Web Services (AWS) access keys as a launchpad for a mass phishing attack.

    It’s currently not known how the keys were obtained. However, various methods exist by which an attacker can accomplish this: accidental public exposure in code repositories or through misconfigured assets, or theft from a developer workstation using stealer malware.

    “The attacker used the compromised key to access the victim’s AWS environment, bypass SES’s built-in restrictions, verify new ‘sender’ identities, and methodically prepare and conduct a phishing operation,” Wiz researchers Itay Harel and Hila Ramati said.

    Wiz, which further probed the email campaign in partnership with Proofpoint, said the emails targeted several organizations spanning multiple geographies and sectors, and employed tax-themed lures to redirect recipients to credential harvesting pages.

    “If SES is configured in your account, attackers can send email from your verified domains,” Wiz cautioned. “Beyond brand damage, this enables phishing that looks like it came from you and can be used for spearphishing, fraud, data theft, or masquerading in business processes.”
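The sequence Wiz describes, a compromised access key that verifies new sender identities and works around SES's sending restrictions before the phishing run, leaves a distinctive trail in CloudTrail. The detection below is an added example, not code from Wiz or the article: it scans SES control-plane events for identity-verification and sending-restriction changes, weighs them higher when the access key is used from an IP never seen for it, and flags a burst of identity verifications. The event names are the real SES API operations; the access key id, the baseline of known IPs and the event records are constructed.

```python
"""Detect the SES takeover pattern in CloudTrail: new sender identities and
sending-restriction changes from a compromised access key.
Added example; records and baseline are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Real SES API names as they appear in CloudTrail's eventName.
VERIFY_EVENTS = {
    "VerifyEmailIdentity", "VerifyDomainIdentity",  # SES v1 identity verification
    "CreateEmailIdentity",                          # SES v2 equivalent
}
RESTRICTION_EVENTS = {
    "UpdateAccountSendingEnabled",  # turn account-level sending back on
    "PutAccountDetails",            # request production access (leave the sandbox)
}
SUSPICIOUS_EVENTS = VERIFY_EVENTS | RESTRICTION_EVENTS

# Constructed baseline: source IPs previously seen per access key id (placeholder id).
KNOWN_IPS = {"AKIAEXAMPLEKEY000001": {"198.51.100.20"}}


def _ts(s):
    """CloudTrail timestamps look like 2025-05-12T10:01:00Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def analyze(records, known_ips=KNOWN_IPS, burst_window=timedelta(minutes=15), burst_count=3):
    """Return one alert per suspicious SES event, plus a burst alert when a key
    verifies burst_count or more identities inside burst_window."""
    alerts = []
    verifications = defaultdict(list)
    for r in records:
        if r.get("eventSource") != "ses.amazonaws.com" or r.get("eventName") not in SUSPICIOUS_EVENTS:
            continue
        key = r.get("userIdentity", {}).get("accessKeyId", "unknown")
        ip = r.get("sourceIPAddress", "")
        reasons = ["ses-identity-or-sending-change"]
        if ip not in known_ips.get(key, set()):
            reasons.append("new-source-ip-for-key")
        if r["eventName"] in VERIFY_EVENTS:
            verifications[key].append(_ts(r["eventTime"]))
        alerts.append({"key": key, "event": r["eventName"], "ip": ip, "reasons": reasons})
    for key, times in verifications.items():
        times.sort()
        for i in range(len(times) - burst_count + 1):
            if times[i + burst_count - 1] - times[i] <= burst_window:
                alerts.append({"key": key, "event": "burst", "ip": None,
                               "reasons": ["identity-verification-burst"]})
                break
    return alerts


def _rec(name, when, ip, key="AKIAEXAMPLEKEY000001"):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventSource": "ses.amazonaws.com", "eventName": name, "eventTime": when,
            "sourceIPAddress": ip, "userIdentity": {"type": "IAMUser", "accessKeyId": key}}


# Constructed timeline: one routine verification from the known IP, then three
# new identities and a production-access request from an unfamiliar IP.
SAMPLE_RECORDS = [
    _rec("VerifyEmailIdentity", "2025-05-12T09:00:00Z", "198.51.100.20"),
    _rec("CreateEmailIdentity", "2025-05-12T10:01:00Z", "203.0.113.9"),
    _rec("CreateEmailIdentity", "2025-05-12T10:02:30Z", "203.0.113.9"),
    _rec("CreateEmailIdentity", "2025-05-12T10:04:00Z", "203.0.113.9"),
    _rec("PutAccountDetails", "2025-05-12T10:05:00Z", "203.0.113.9"),
    _rec("SendEmail", "2025-05-12T10:10:00Z", "203.0.113.9"),  # data plane, not scored here
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_RECORDS):
        print(a["event"], a["ip"], ",".join(a["reasons"]))
```

The per-key IP baseline is the part that needs real data: in practice it is built from a trailing window of that key's CloudTrail history, and a key that has only ever been used from CI runners or a NAT gateway makes the "new source IP" signal very sharp.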


    Source: thehackernews.com…