Category: Cybersecurity

Sep 09, 2025Ravie LakshmananMobile Security / Threat Intelligence

A new Android malware called RatOn evolved from a basic tool capable of conducting Near Field Communication (NFC) attacks to a sophisticated remote access trojan with Automated Transfer System (ATS) capabilities to conduct device fraud.

“RatOn merges traditional overlay attacks with automatic money transfers and NFC relay functionality – making it a uniquely powerful threat,” the Dutch mobile security company said in a report published today.

The banking trojan comes fitted with account takeover functions targeting cryptocurrency wallet applications like MetaMask, Trust, Blockchain.com, and Phantom, while also capable of carrying out automated money transfers abusing George Česko, a bank application used in the Czech Republic.

Furthermore, it can perform ransomware-like attacks using custom overlay pages and device locking. It’s worth noting that a variant of the HOOK Android trojan was also observed incorporating ransomware-style overlay screens to display extortion messages.

The first sample distributing RatOn was detected in the wild on July 5, 2025, with more artifacts discovered as recently as August 29, 2025, indicating active development work on the part of the operators.

RatOn has leveraged fake Play Store listing pages masquerading as an adult-friendly version of TikTok (TikTok 18+) to host malicious dropper apps that deliver the trojan. It’s currently not clear how users are lured to these sites, but the activity has singled out Czech and Slovakian-speaking users.

Once the dropper app is installed, it requests permission from the user to install applications from third-party sources so as to bypass critical security measures imposed by Google to prevent abuse of Android’s accessibility services.

The second-stage payload then proceeds to request device administration and accessibility services, as well as permissions to read/write contacts and manage system settings to realize its malicious functionality.

This includes granting itself additional permissions as required and downloading a third-stage malware, which is nothing but the NFSkate malware that can perform NFC relay attacks using a technique called Ghost Tap. The malware family was first documented in November 2024.

“The account takeover and automated transfer features have shown that the threat actor knows the internals of the targeted applications quite well,” ThreatFabric said, describing the malware as built from scratch and sharing no code similarities with other Android banking malware.

That’s not all. RatOn can also serve overlay screens that resemble a ransom note, claiming that users’ phones have been locked for viewing and distributing child pornography and that they need to pay $200 in cryptocurrency to regain access in two hours.

It’s suspected that the ransom notes are designed to induce a false sense of urgency and coerce the victim into opening the cryptocurrency apps, making the transaction immediately, and enabling the attackers to capture the device PIN code in the process.

“Upon corresponding command, RatOn can launch the targeted cryptocurrency wallet app, unlock it using stolen PIN code, click on interface elements which are related to security settings of the app, and on the final step, reveal secret phrases,” ThreatFabric said, detailing its account takeover features.

The sensitive data is subsequently recorded by a keylogger component and exfiltrated to an external server under the control of the threat actors, who can then use the seed phrases to obtain unauthorized access to the victims’ accounts and steal cryptocurrency assets.

Some notable commands that are processed by RatOn are listed below –

• send_push, to send fake push notifications
• screen_lock, to change the device lock screen timeout to a specified value
• WhatsApp, to launch WhatsApp
• app_inject, to change the list of targeted financial applications
• update_device, to send a list of installed apps with device fingerprint
• send_sms, to send a SMS message using accessibility services
• Facebook, to launch Facebook
• nfs, to download and run the NFSkate APK malware
• transfer, perform ATS using George Česko
• lock, to lock the device using device administration access
• add_contact, to create a new contact using a specified name and phone number
• record, to launch a screen casting session
• display, to turn on/off screen casting

“The threat actor group initially targeted the Czech Republic, with Slovakia likely being the next country of focus,” ThreatFabric said. “The reason behind concentrating on a single banking application remains unclear. However, the fact that automated transfers require local banking account numbers suggests that the threat actors may be collaborating with local money mules.”

Sep 09, 2025The Hacker NewsArtificial Intelligence / Threat Detection

⚠️ One click is all it takes.

An engineer spins up an “experimental” AI Agent to test a workflow. A business unit connects to automate reporting. A cloud platform quietly enables a new agent behind the scenes.

Individually, they look harmless. But together, they form an invisible swarm of Shadow AI Agents—operating outside security’s line of sight, tied to identities you don’t even know exist.

And here’s the uncomfortable truth: every one of them carries infinite risk.

• Agents impersonating trusted users.
• Non-human identities with access you didn’t approve.
• Data leaking across boundaries you thought were locked down.

This isn’t a futuristic threat. It’s happening today, across enterprises everywhere. And they’re multiplying faster than your governance can catch up.

That’s why you can’t miss our upcoming panel: Shadow AI Agents Exposed. Secure your seat now – Register Here.

Why Shadow AI is Exploding

From identity providers to PaaS platforms, it takes almost nothing to spin up an AI Agent—and attackers know it. That leaves security teams scrambling to answer urgent questions:

• Who’s launching them?
• What identities are they tied to?
• Where are they operating—often in the shadows?

The Panel You Can’t Afford to Miss

Join us for “Shadow AI Agents Exposed — and the Identities that Pull the Strings,” an exclusive panel of experts dissecting the most pressing risks in AI operations.

We’ll break down:

• ✅ What really counts as an AI Agent (and what doesn’t)
• ✅ The non-human identities (NHIs) fueling Shadow AI
• ✅ How and why rogue agents multiply—and where they hide
• ✅ Detection methods that actually work: from IP tracing to code-level analysis
• ✅ Simple governance wins that won’t kill innovation

Watch this Webinar Now

This isn’t theory—it’s a playbook for finding, stopping, and bringing Shadow AI into the light.

👉 Reserve your place now and be part of the conversation before Shadow AI outpaces your defenses.

Whether you’re chasing rogue agents today or preparing for the storm tomorrow, you’ll walk away with actionable steps to improve visibility and control—before Shadow AI controls you.

Cybersecurity researchers have discovered a variant of a recently disclosed campaign that abuses the TOR network for cryptojacking attacks targeting exposed Docker APIs.

Akamai, which discovered the latest activity last month, said it’s designed to block other actors from accessing the Docker API from the internet.

The findings build on a prior report from Trend Micro in late June 2025, which uncovered a malicious campaign that targeted exposed Docker instances to stealthily drop an XMRig cryptocurrency miner using a TOR domain for anonymity.

“This new strain seems to use similar tooling to the original, but may have a different end goal – including possibly setting up the foundation of a complex botnet,” security researcher Yonatan Gilvarg said.

The attack chain essentially involves breaking into misconfigured Docker APIs to execute a new container based on the Alpine Docker image and mount the host file system into it. This is followed by the threat actors running a Base64-encoded payload to download a shell script downloader from a .onion domain.

The script, besides altering SSH configurations to set up persistence, also installs other tools such as masscan, libpcap, libpcap-dev, zstd, and torsocks to conduct reconnaissance, contact a command-and-control (C2) server, and download a compressed binary from a second .onion domain.

“The first file that is downloaded is a dropper written in Go that includes the content it wants to drop, so it won’t communicate out to the internet,” Gilvarg explained. “Except for dropping another binary file, it parses the utmp file to find who is currently logged in to the machine.”

Interestingly, the binary file’s source code includes an emoji to depict users who are signed in to the system. This indicates that the artifact may have been crafted using a large language model (LLM).

The dropper also launches Masscan to scan the internet for open Docker API services at port 2375 and propagate the infection to those machines by repeating the same process of creating a container with the Base64 command.

Furthermore, the binary includes checks for two more ports: 23 (Telnet) and 9222 (remote debugging port for Chromium browsers), although the functionality to spread via those ports is yet to be fully fleshed out.

The Telnet attack method entails using a set of known, default routers and device credentials to brute-force logins and exfiltrate successful sign-in attempts to a webhook[.]site endpoint with details about the destination IP address and victim authentication credentials.

In the case of port 9222, the malware utilizes a Go library named chromedp to interact with the web browser. It has been previously weaponized by North Korean threat actors to communicate with C2 servers and even by stealer malware to bypass Chrome’s app-bound encryption, connect remotely to Chromium sessions, and siphon cookies and other private data.

It then proceeds to attach to an existing session with the open remote port and ultimately send a POST to the same .onion domain used to retrieve the shell script downloader with information about the source IP address on which the malware is and the destination it found access to on port 9222.

The details are transmitted to an endpoint named “httpbot/add,” raising the possibility that devices with exposed remote debugging ports for Chrome/Chromium could be enlisted into a botnet for delivering additional payloads that can steal data or be used to conduct distributed denial-of-service (DDoS) attacks.

“As the malware only scans for port 2375, the logic for handling ports 23 and 9222 is currently unreachable and will not be executed,” Gilvarg said. “However, the implementation exists, which may indicate future capabilities.”

“Attackers can gain significant control over systems affected by abused APIs. The importance of segmenting networks, limiting exposure of services to the internet, and securing default credentials cannot be overstated. By adopting these measures, organizations can significantly reduce their vulnerability to such threats.”

Wiz Flags AWS SES Abuse Campaign

The disclosure comes as cloud security firm Wiz detailed an Amazon Simple Email Service (SES) campaign in May 2025 that leveraged compromised Amazon Web Services (AWS) access keys as a launchpad for a mass phishing attack.

It’s currently not known how the keys were obtained. However, various methods exist by which an attacker can accomplish this: accidental public exposure in code repositories or through misconfigured assets, or theft from a developer workstation using stealer malware.

“The attacker used the compromised key to access the victim’s AWS environment, bypass SES’s built-in restrictions, verify new ‘sender’ identities, and methodically prepare and conduct a phishing operation,” Wiz researchers Itay Harel and Hila Ramati said.

Wiz, which further probed the email campaign in partnership with Proofpoint, said the emails targeted several organizations spanning multiple geographies and sectors, and employed tax-themed lures to redirect recipients to credential harvesting pages.

“If SES is configured in your account, attackers can send email from your verified domains,” Wiz cautioned. “Beyond brand damage, this enables phishing that looks like it came from you and can be used for spearphishing, fraud, data theft, or masquerading in business processes.”

Cybersecurity researchers have disclosed details of a phishing campaign that delivers a stealthy banking malware-turned-remote access trojan called MostereRAT.

The phishing attack incorporates a number of advanced evasion techniques to gain complete control over compromised systems, siphon sensitive data, and extend its functionality by serving secondary plugins, Fortinet FortiGuard Labs said.

“These include the use of an Easy Programming Language (EPL) to develop a staged payload, concealing malicious operations and disabling security tools to prevent alert triggers, securing command-and-control (C2) communications using mutual TLS (mTLS), supporting various methods for deploying additional payloads, and even installing popular remote access tools,” Yurren Wan said.

EPL is an obscure visual programming language that supports traditional Chinese, simplified Chinese, English, and Japanese variants. It’s chiefly meant for users who may not be proficient in English.

The emails, which are primarily designed to target Japanese users, leverage lures related to business inquiries to deceive recipients into clicking on malicious links that take them to an infected site to download a booby-trapped document — a Microsoft Word file that embeds a ZIP archive.

Present within the ZIP file is an executable that, in turn, triggers the execution of MostereRAT, which is then used to drop several tools like AnyDesk, TigerVNC, and TightVNC using modules written in EPL. A noteworthy aspect of the malware is its ability to disable Windows security mechanisms and block network traffic associated with a hard-coded list of security programs, thereby allowing it to sidestep detection.

“This traffic-blocking technique resembles that of the known red team tool ‘EDRSilencer,’ which uses Windows Filtering Platform (WFP) filters at multiple stages of the network communication stack, effectively preventing it from connecting to its servers and from transmitting detection data, alerts, event logs, or other telemetry,” Wan said.

Another is its ability to run as TrustedInstaller, a built-in Windows system account with elevated permissions, enabling it to interfere with critical Windows processes, modify Windows Registry entries, and delete system files.

Furthermore, one of the modules deployed by MostereRAT is equipped to monitor foreground window activity associated with Qianniu – Alibaba’s Seller Tool, log keystrokes, send heartbeat signals to an external server, and process commands issued by the server.

The commands allow it to collect victim host details, run DLL, EPK, or EXE files, load shellcode, read/write/delete files, download and inject an EXE into svchost.exe using Early Bird Injection, enumerate users, capture screenshots, facilitate RDP logins, and even create and add a hidden user to the administrators group.

“These tactics significantly increase the difficulty of detection, prevention, and analysis,” Fortinet said. “In addition to keeping your solution updated, educating users about the dangers of social engineering remains essential.”

ClickFix Gets Another Novel Twist

The findings coincide with the emergence of another campaign that employs “ClickFix-esque techniques” to distribute a commodity information stealer known as MetaStealer to users searching for tools like AnyDesk.

The attack chain involves serving a fake Cloudflare Turnstile page before downloading the supposed AnyDesk installer, and prompts them to click on a check box to complete a verification step. However, this action triggers a pop-up message asking them to open Windows File Explorer.

Once the Windows File Explorer is opened, PHP code concealed in the Turnstile verification page is configured to employ the “search-ms:” URI protocol handler to display a Windows shortcut (LNK) file disguised as a PDF that’s hosted on an attacker’s site.

The LNK file, for its part, activates a series of steps to gather the hostname and run an MSI package that’s ultimately responsible for dropping MetaStealer.

“These types of attacks that require some level of manual interaction from the victim, as they work to ‘fix’ the purported broken process themselves, work in part because they can potentially circumvent security solutions,” Huntress said. “Threat actors are continuing to move the needle in their infection chains, throwing a wrench into detection and prevention.”

The disclosure also comes as CloudSEK detailed a novel adaptation of the ClickFix social engineering tactic that leverages invisible prompts using CSS-based obfuscation methods to weaponize AI systems and produce summaries that include attacker-controlled ClickFix instructions.

The proof-of-concept (PoC) attack is accomplished by using a strategy called prompt overdose, wherein the payload is embedded within HTML content extensively so that it dominates a large language model’s context window in order to steer its output.

“This approach targets summarizers embedded in applications such as email clients, browser extensions, and productivity platforms,” the company said. “By exploiting the trust users place in AI-generated summaries, the method covertly delivers malicious step-by-step instructions that can facilitate ransomware deployment.”

“Prompt overdose is a manipulation technique that overwhelms an AI model’s context window with high-density, repeated content to control its output. By saturating the input with attacker-chosen text, legitimate context is pushed aside, and the model’s attention is consistently drawn back to the injected payload.”

It’s budget season. Once again, security is being questioned, scrutinized, or deprioritized.

If you’re a CISO or security leader, you’ve likely found yourself explaining why your program matters, why a given tool or headcount is essential, and how the next breach is one blind spot away. But these arguments often fall short unless they’re framed in a way the board can understand and appreciate.

According to a Gartner analysis, 88% of Boards see cybersecurity as a business risk, rather than an IT issue, yet many security leaders still struggle to raise the profile of cybersecurity within the organization. For security issues to resonate amongst the Board you need to speak its language: business continuity, compliance, and cost impact.

Below are some strategies to help you frame the conversation, transforming the technical and complex into clear business directives.

Recognize the High Stakes

Cyber threats continue to evolve, from ransomware and supply chain attacks to advanced persistent threats. Both large enterprises and mid-sized organizations are targets. The business impact of a breach is significant. It disrupts operations, damages reputation, and incurs substantial penalties. To avoid this, organizations must adopt a proactive approach like continuous threat exposure management. Ongoing validation through frequent, automated testing helps identify new attack vectors before they escalate.

Align Security Strategy with Business Objectives

The board doesn’t approve security budgets based on fear or uncertainty. They want to see how your strategy protects revenue, maintains uptime, and supports compliance. That means translating technical goals into outcomes that align with business initiatives. Define measurable KPIs like time to detect or remediate, and position your roadmap alongside upcoming projects like new system rollouts or merges and acquisitions.

Build a Risk-Focused Framework

When you ask for more budget, you need to show prioritization. That starts by identifying and categorizing your core assets, customer data, proprietary systems, and infrastructure. Where possible, quantify what a breach could cost the business. This helps define acceptable risk thresholds and guides investment.

One of our customers, a US-based insurance provider, estimated that a breach of its policyholder database, which held a lot of customer PII, could cost the business more than $5 million in regulatory fines and lost revenue. This projection helped them prioritize vulnerabilities that could lead to this asset and validate its surrounding security controls. By focusing security efforts on high-value assets, they strengthened their security where it mattered most, and could show the board exactly why the investment was justified.

Use Industry Standards to Strengthen Your Case

Regulations and frameworks like ISO 27001, NIST, HIPAA, and PCI DSS are useful allies in making your case. They provide a baseline for good security hygiene and give leadership something familiar to anchor their decisions. But compliance doesn’t guarantee security. Use audit feedback to highlight gaps and demonstrate how validation adds a layer of real-world protection.

Jay Martin, CISO of COFCO International, shared in a recent Pentera-hosted panel that “we used to build budget requests around best practices, but what worked was showing where we were exposed—and how fast we could fix it.”

Security ROI is not just about cost savings. It is about avoiding losses, breaches, downtime, legal penalties, and brand damage. Automated security validation shows early wins by uncovering exposures that traditional tools miss. These include misconfigurations, excessive permissions, and leaked credentials that are proven to be exploitable in your environment. This proves the likelihood of an attack before it actually happens. This kind of evidence shows exactly where risk exists and how fast it can be fixed. It gives leadership a clear reason to expand the program and positions security as a business enabler, not just a cost center.

Communicate with the Right Message for Each Audience

Boards want to understand how security decisions impact the business, whether that’s protecting revenue, avoiding regulatory penalties, or reducing the financial fallout of a breach. Security teams need operational details. Bridging that gap is part of your role. Tailor your message for each group and use real examples where possible. Share stories of how organizations in similar industries were impacted by missteps or succeeded thanks to proactive investment. Show how your plan creates alignment across departments and builds a culture of shared accountability.

Stay Ahead of Emerging Threats with Real Testing

Cyberattacks evolve quickly. Threats that did not exist last quarter might be your biggest risk today. That is why security validation needs to be an ongoing practice. Attackers are not waiting for your quarterly review cycle, and your defenses should not either. Frequent automated penetration tests, helps uncover blind spots across infrastructure, cloud environments, and partner systems.

Continuous testing also allows you to show your board exactly how prepared you are for current threats, especially the high-profile ones that dominate headlines. Tracking how your organization holds up against these threats over time gives you a clear way to demonstrate progress. This level of transparency builds confidence and helps shift the conversation from fear and uncertainty to readiness and measurable improvement.

Avoid Budget Waste

Too many security investments turn into shelfware, not because the tools are bad, but because they’re underused, poorly integrated, or lack clear ownership. Make sure each solution maps to a specific need. Budget not only for licenses, but also for training and operational support. Regular tool audits can help you streamline efforts, reduce redundancy, and focus spending where it delivers the most value.

Finalize a Scalable, Defensible Budget Plan

The strongest budget plans break down spending by category: prevention, detection, response, and validation, and show how each area contributes to the larger picture.

Show how your plan scales with the business so every decision continues to deliver value. To support expanding into new regions, a global manufacturing enterprise used automated security validation to establish best practices for hardening assets and configuring security controls. Because they included continuous validation from the start, they avoided the high cost of manual testing and the operational strain of allocating extra resources. Most importantly, they maintained a strong security posture throughout their expansion by uncovering and remediating real exposures before attackers could exploit them.

Takeaways: Prove Security’s Business Value

Security is no longer a cost center, it’s a growth enabler. When you continuously validate your controls, you shift the conversation from assumptions to evidence. That evidence is what boards want to see.

Use standards to your advantage. Show that you’re not just meeting expectations but actively reducing risk. And above all, keep making the case that smart, ongoing investment in cybersecurity protects the business today and builds resilience for tomorrow.

To move beyond one-time audits and annual reviews, check out our GOAT guide on how to communicate risk to the Board. It shows you how to use continuous validation, to not just defend your organization, but prove your security strategy is working.

Sep 09, 2025Ravie LakshmananCryptocurrency / Software Security

Multiple npm packages have been compromised as part of a software supply chain attack after a maintainer’s account was compromised in a phishing attack.

The attack targeted Josh Junon (aka Qix), who received an email message that mimicked npm (“support@npmjs[.]help”), urging them to update their update their two-factor authentication (2FA) credentials before September 10, 2025, by clicking on embedded link.

The phishing page is said to have prompted the co-maintainer to enter their username, password, and two-factor authentication (2FA) token, only for it to be stolen likely by means of an adversary-in-the-middle (AitM) attack and used to publish the rogue version to the npm registry.

The following 20 packages, which collectively attract over 2 billion weekly downloads, have been confirmed as affected as part of the incident –

• ansi-regex@6.2.1
• ansi-styles@6.2.2
• backslash@0.2.1
• chalk@5.6.1
• chalk-template@1.1.1
• color-convert@3.1.1
• color-name@2.0.1
• color-string@2.1.1
• debug@4.4.2
• error-ex@1.3.3
• has-ansi@6.0.1
• is-arrayish@0.3.3
• proto-tinker-wc@1.8.7
• supports-hyperlinks@4.1.1
• simple-swizzle@0.2.3
• slice-ansi@7.1.1
• strip-ansi@7.1.1
• supports-color@10.2.1
• supports-hyperlinks@4.1.1
• wrap-ansi@9.0.1

“Sorry everyone, I should have paid more attention,” Junon said in a post on Bluesky. “Not like me; have had a stressful week. Will work to get this cleaned up.”

An analysis of the obfuscated malware injected into the source code reveals that it’s designed to intercept cryptocurrency transaction requests and swap the destination wallet address with an attacker-controlled wallet that closely matches it by computing the Levenshtein distance.

According to Aikido Security’s Charlie Eriksen, the payload acts as a browser-based interceptor that hijacks network traffic and application APIs to steal cryptocurrency assets by rewriting requests and responses. It’s currently not known who is behind the attack.

“The payload begins by checking typeof window !== ‘undefined’ to confirm it is running in a browser,” Socket said. “It then hooks into window.fetch, XMLHttpRequest, and window.ethereum.request, along with other wallet provider APIs.”

“This means the malware targets end users with connected wallets who visit a site that includes the compromised code. Developers are not inherently the target, but if they open an affected site in a browser and connect a wallet, they too become victims.”

Package ecosystems like npm and the Python Package Index (PyPI) remain recurring targets due to their popularity and broad reach within the developer community, with attackers abusing the trust associated with these platforms to push malicious payloads.

Beyond publishing malicious packages directly, attackers have also employed techniques such as typosquatting or even exploiting AI-hallucinated dependencies – called slopsquatting – to trick developers into installing malware. The incident once indicates the need for exercising vigilance and hardening CI/CD pipelines and locking down dependencies.

According to ReversingLabs’ 2025 Software Supply Chain Security Report, 14 of the 23 crypto-related malicious campaigns in 2024 targeted npm, with the remainder linked to PyPI.

“What we are seeing unfold with the npm packages chalk and debug is an unfortunately common instance today in the software supply chain,” Ilkka Turunen, Field CTO at Sonatype, told The Hacker News.

“The malicious payload was focused on crypto theft, but this takeover follows a classic attack that is now established – by taking over popular open source packages, adversaries can steal secrets, leave behind backdoors and infiltrate organizations.”

“It was not a random choice to target the developer of these packages. Package takeovers are now a standard tactic for advanced persistent threat groups like Lazarus, because they know they can reach a large amount of the world’s developer population by infiltrating a single under-resourced project.”

Sep 09, 2025Ravie LakshmananCyber Espionage / Telecom Security

Threat hunters have discovered a set of previously unreported domains, some going back to May 2020, that are associated with China-linked threat actors Salt Typhoon and UNC4841.

“The domains date back several years, with the oldest registration activity occurring in May 2020, further confirming that the 2024 Salt Typhoon attacks were not the first activity carried out by this group,” Silent Push said in a new analysis shared with The Hacker News.

The identified infrastructure, totaling 45 domains, has also been identified as sharing some level of overlap with another China-associated hacking group tracked as UNC4841, which is best known for its zero-day exploitation of a security flaw in Barracuda Email Security Gateway (ESG) appliances (CVE-2023-2868, CVSS score: 9.8).

Salt Typhoon, active since 2019, drew widespread attention last year for its targeting of telecommunications services providers in the U.S. Believed to be operated by China’s Ministry of State Security (MSS), the threat cluster shares similarities with activities tracked as Earth Estries, FamousSparrow, GhostEmperor, and UNC5807.

Silent Push said it identified three Proton Mail email addresses that were used to register as many as 16 domains with non-existent addresses.

Further examination of the IP addresses related to the 45 domains has revealed that many of these domains pointed to high-density IP addresses. These refer to IP addresses to which a high number of hostnames currently point, or have pointed in the past. Of those that pointed to low-density IP addresses, the earliest activity goes back to October 2021.

The oldest domain identified as being part of China-backed cyber espionage campaigns is onlineeylity[.]com, registered on May 19, 2020, by a fake persona named Monica Burch, who claims to reside at 1294 Koontz Lane in Los Angeles, California.

“As such, we strongly urge any organization that believes itself to be at risk of Chinese espionage to search its DNS logs for the past five years for requests to any of the domains in our archive feed, or their subdomains,” Silent Push said.

“It would also be prudent to check for requests to any of the listed IP addresses, particularly during the time periods in which this actor operated them.”

Sep 08, 2025Ravie LakshmananSupply Chain Attack / API Security

Salesloft has revealed that the data breach linked to its Drift application started with the compromise of its GitHub account.

Google-owned Mandiant, which began an investigation into the incident, said the threat actor, tracked as UNC6395, accessed the Salesloft GitHub account from March through June 2025. So far, 22 companies have confirmed they were impacted by a supply chain breach.

“With this access, the threat actor was able to download content from multiple repositories, add a guest user, and establish workflows,” Salesloft said in an updated advisory.

The investigation also uncovered reconnaissance activities occurring between March 2025 and June 2025 in the Salesloft and Drift application environments. However, it emphasized there is no evidence of any activity beyond limited reconnaissance.

In the next phase, the attackers accessed Drift’s Amazon Web Services (AWS) environment and obtained OAuth tokens for Drift customers’ technology integrations, with the stolen OAuth tokens used to access data via Drift integrations.

Salesloft said it has isolated the Drift infrastructure, application, and code, and taken the application offline effective September 5, 2025, at 6 a.m. ET. It has also rotated credentials in the Salesloft environment and hardened the environment with improved segmentation controls between Salesloft and Drift applications.

“We are recommending that all third-party applications integrated with Drift via API key, proactively revoke the existing key for these applications,” it added.

As of September 7, 2025 at 5:51 p.m. UTC, Salesforce has restored the integration with the Salesloft platform after temporarily suspending it on August 28. This has been done in response to security measures and remediation steps implemented by Salesloft.

“Salesforce has re-enabled integrations with Salesloft technologies, with the exception of any Drift app,” Salesforce said. “Drift will remain disabled until further notice as part of our continued response to the security incident.”

Sep 08, 2025Ravie LakshmananMalvertising / Encryption

Cybersecurity researchers have detailed a new sophisticated malware campaign that leverages paid ads on search engines like Google to deliver malware to unsuspecting users looking for popular tools like GitHub Desktop.

While malvertising campaigns have become commonplace in recent years, the latest activity gives it a little twist of its own: Embedding a GitHub commit into a page URL containing altered links that point to attacker-controlled infrastructure.

“Even when a link seems to point to a reputable platform such as GitHub, the underlying URL can be manipulated to resolve to a counterfeit site,” Arctic Wolf said in a report published last week.

Exclusively targeted IT and software development companies within Western Europe since at least December 2024, the links within the rogue GitHub commit are designed to funnel users to a malicious download hosted on a lookalike domain (“gitpage[.]app”).

The first-stage malware delivered using poisoned search results is a bloated 128 MB Microsoft Software Installer (MSI) that, owing to its size, evades most existing online security sandboxes, while a Graphics Processing Unit (GPU)-gated decryption routine keeps the payload encrypted on systems without a real GPU. The technique has been codenamed GPUGate.

“Systems without proper GPU drivers are likely to be virtual machines (VMs), sandboxes, or older analysis environments that security researchers commonly use,” the cybersecurity company said. “The executable […] uses GPU functions to generate an encryption key for decrypting the payload, and it checks the GPU device name as it does this.”

Besides incorporating several garbage files as a filler and complicating analysis, it also terminates execution if the device name is less than 10 characters or GPU functions are not available.

The attack subsequently entails the execution of a Visual Basic Script that launches a PowerShell script, which, in turn, runs with administrator privileges, adds Microsoft Defender exclusions, sets up scheduled tasks for persistence, and finally runs executable files extracted from a downloaded ZIP archive.

The end goal is to facilitate information theft and deliver secondary payloads, while simultaneously evading detection. It’s assessed that the threat actors behind the campaign have native Russian language proficiency, given the presence of Russian language comments in the PowerShell script.

Further analysis of the threat actor’s domain has revealed it to be acting as a staging ground for Atomic macOS Stealer (AMOS), suggesting a cross-platform approach.

“By exploiting GitHub’s commit structure and leveraging Google Ads, threat actors can convincingly mimic legitimate software repositories and redirect users to malicious payloads – bypassing both user scrutiny and endpoint defenses,” Arctic Wolf.

The disclosure comes as Acronis detailed the ongoing evolution of a trojanized ConnectWise ScreenConnect campaign that uses the remote access software to drop AsyncRAT, PureHVNC RAT, and a custom PowerShell-based remote access trojan (RAT) on infected hosts in social engineering attacks aimed at U.S. organizations since March 2025.

The bespoke PowerShell RAT, executed by means of a JavaScript file downloaded from the cracked ScreenConnect server, provides some basic functionalities such as running programs, downloading and executing files, and a simple persistence mechanism.

“Attackers now use a ClickOnce runner installer for ScreenConnect, which lacks embedded configuration and instead fetches components at runtime,” the security vendor said. “This evolution makes traditional static detection methods less effective and complicates prevention, leaving defenders with few reliable options.”

A threat actor possibly of Russian origin has been attributed to a new set of attacks targeting the energy sector in Kazakhstan.

The activity, codenamed Operation BarrelFire, is tied to a new threat group tracked by Seqrite Labs as Noisy Bear. The threat actor has been active since at least April 2025.

“The campaign is targeted towards employees of KazMunaiGas or KMG where the threat entity delivered a fake document related to the KMG IT department, mimicking official internal communication and leveraging themes such as policy updates, internal certification procedures, and salary adjustments,” security researcher Subhajeet Singha said.

The infection chain begins with a phishing email containing a ZIP attachment, which includes a Windows shortcut (LNK) downloader, a decoy document related to KazMunaiGas, and a README.txt file with instructions written in both Russian and Kazakh to run a program named “KazMunayGaz_Viewer.”

The email, per the cybersecurity company, was sent from a compromised email address of an individual working in the finance department of KazMunaiGas and targeted other employees of the firm in May 2025.

The LNK file payload is designed to drop additional payloads, including a malicious batch script that paves the way for a PowerShell loader dubbed DOWNSHELL. The attacks culminate with the deployment of a DLL-based implant, a 64-bit binary that can run shellcode to launch a reverse shell.

Further analysis of the threat actor’s infrastructure has revealed that it’s hosted on the Russia-based bulletproof hosting (BPH) service provider Aeza Group, which was sanctioned by the U.S. in July 2025 for enabling malicious activities.

The development comes as HarfangLab linked a Belarus-aligned threat actor known as Ghostwriter (aka FrostyNeighbor or UNC1151) to campaigns targeting Ukraine and Poland since April 2025 with rogue ZIP and RAR archives that are aimed at collecting information about compromised systems and deploying implants for further exploitation.

“These archives contain XLS spreadsheets with a VBA macro that drops and loads a DLL,” the French cybersecurity company said. “The latter is responsible for collecting information about the compromised system and retrieving next-stage malware from a command-and-control (C2) server.”

Subsequent iterations of the campaign have been found to write a Microsoft Cabinet (CAB) file along with the LNK shortcut to extract and run the DLL from the archive. The DLL then proceeds to conduct initial reconnaissance before dropping the next-stage malware from the external server.

The attacks targeting Poland, on the other hand, tweak the attack chain to use Slack as a beaconing mechanism and data exfiltration channel, downloading in return a second-stage payload that establishes contact with the domain pesthacks[.]icu.

At least in one instance, the DLL dropped through the macro-laced Excel spreadsheet is used to load a Cobalt Strike Beacon to facilitate further post-exploitation activity.

“These minor changes suggest that UAC-0057 may be exploring alternatives, in a likely attempt to work around detection, but prioritizes the continuity or development of its operations over stealthiness and sophistication,” HarfangLab said.

Cyber Attacks Reported Against Russia

The findings come amid OldGremlin’s renewed extortion attacks on Russian companies in the first half of 2025, targeting as many as eight large domestic industrial enterprises using phishing email campaigns.

The intrusions, per Kaspersky, involved the use of the bring your own vulnerable driver (BYOVD) technique to disable security solutions on victims’ computers and the legitimate Node.js interpreter to execute malicious scripts.

Phishing attacks aimed at Russia have also delivered a new information stealer called Phantom Stealer, which is based on an open-source stealer codenamed Stealerium, to collect a wide range of sensitive information using email baits related to adult content and payments. It also shares overlaps with another Stealerium offshoot known as Warp Stealer.

According to F6, Phantom Stealer also inherits Stealerium’s “PornDetector” module that captures webcam screenshots when users visit pornographic websites by keeping tabs on the active browser window and whether the title includes a configurable list of terms like porn, and sex, among others.

“This is likely later used for ‘sextortion,’” Proofpoint said in its own analysis of the malware. “While this feature is not novel among cybercrime malware, it is not often observed.”

In recent months, Russian organizations have also been at the receiving end of attacks perpetrated by hacking groups tracked as Cloud Atlas, PhantomCore, and Scaly Wolf to harvest sensitive information and deliver additional payloads using malware families such as VBShower, PhantomRAT, and PhantomRShell.

Another cluster of activity involves a new Android malware that masquerades as an antivirus tool created by Russia’s Federal Security Services agency (FSB) to single out representatives of Russian businesses. The apps carry names like SECURITY_FSB, ФСБ (Russian for FSB), and GuardCB, the last of which is an attempt to pass off as the Central Bank of the Russian Federation.

First discovered in January 2025, the malware exfiltrates data from messenger and browser apps, stream from the phone’s camera, and log keystrokes by seeking extensive permissions to access SMS messages, location, audio, camera. It also requests for running in the background, device administrator rights, and accessibility services.

“The app’s interface provides only one language – Russian,” Doctor Web said. “Thus, the malware is entirely focused on Russian users. The backdoor also uses accessibility services to protect itself from being deleted if it receives the corresponding command from the threat actors.”

Update

Kazakhstan’s state-owned oil and gas company KazMunayGas has dismissed Seqrite’s report about a new cyber espionage group targeting its employees as a planned phishing test, according to Orda.kz. It said the screenshots described in the analysis were part of a phishing training test the company conducted back in May 2025.

(The story was updated after publication to include local media reports from Kazakhstan that described it as a phishing test. The headline of the story has been revised to reflect this aspect.)