Category: Cybersecurity

Cybersecurity never slows down. Every week brings new threats, new vulnerabilities, and new lessons for defenders. For security and IT teams, the challenge is not just keeping up with the news—it’s knowing which risks matter most right now. That’s what this digest is here for: a clear, simple briefing to help you focus where it counts.

This week, one story stands out above the rest: the Salesloft–Drift breach, where attackers stole OAuth tokens and accessed Salesforce data from some of the biggest names in tech. It’s a sharp reminder of how fragile integrations can become the weak link in enterprise defenses.

Alongside this, we’ll also walk through several high-risk CVEs under active exploitation, the latest moves by advanced threat actors, and fresh insights on making security workflows smarter, not noisier. Each section is designed to give you the essentials—enough to stay informed and prepared, without getting lost in the noise.

⚡ Threat of the Week

Salesloft to Take Drift Offline Amid Security Incident — Salesloft announced that it’s taking Drift temporarily offline “in the very near future,” as multiple companies have been caught up in a far-reaching supply chain attack spree targeting the marketing software-as-a-service product, resulting in the mass theft of authentication tokens. “This will provide the fastest path forward to comprehensively review the application and build additional resiliency and security in the system to return the application to full functionality,” the company said. “As a result, the Drift chatbot on customer websites will not be available, and Drift will not be accessible. To date, Cloudflare, Google Workspace, PagerDuty, Palo Alto Networks, Proofpoint, SpyCloud, Tanium, Tenable, and Zscaler have confirmed they were impacted by the hack. The activity has been attributed to a threat cluster tracked by Google and Cloudflare as UNC6395 and GRUB1, respectively.

• Sitecore Flaw Under Active Exploitation in the Wild — Unknown miscreants are exploiting a configuration vulnerability in multiple Sitecore products to achieve remote code execution via a publicly exposed key and deploy snooping malware on infected machines. The ViewState deserialization vulnerability, CVE-2025-53690, has been used to deploy malware and additional tooling geared toward internal reconnaissance and persistence across one or more compromised environments. The attackers targeted the “/sitecore/blocked.aspx” endpoint, which contains an unauthenticated ViewState form, with HTTP POST requests containing a crafted ViewState payload. Mandiant said it disrupted the intrusion midway, which prevented it from gaining further insights into the attack lifecycle and determining the attackers’ motivations.
• Russian APT28 Deploys “NotDoor” Outlook Backdoor — The Russian state-sponsored hacking group tracked as APT28 has been attributed to a new Microsoft Outlook backdoor called NotDoor (aka GONEPOSTAL) in attacks targeting multiple companies from different sectors in NATO member countries. NotDoor “is a VBA macro for Outlook designed to monitor incoming emails for a specific trigger word,” S2 Grupo’s LAB52 threat intelligence team said. “When such an email is detected, it enables an attacker to exfiltrate data, upload files, and execute commands on the victim’s computer.”
• New GhostRedirector Actor Hacks 65 Windows Servers in Brazil, Thailand, and Vietnam — A previously undocumented threat cluster dubbed GhostRedirector has managed to compromise at least 65 Windows servers primarily located in Brazil, Thailand, and Vietnam. The attacks, per Slovak cybersecurity company ESET, led to the deployment of a passive C++ backdoor called Rungan and a native Internet Information Services (IIS) module codenamed Gamshen. The threat actor is believed to be active since at least August 2024. “While Rungan has the capability of executing commands on a compromised server, the purpose of Gamshen is to provide SEO fraud as-a-service, i.e., to manipulate search engine results, boosting the page ranking of a configured target website,” the company said.
• Google Fixes 2 Actively Exploited Android Flaws — Google has shipped security updates to address 120 security flaws in its Android operating system as part of its monthly fixes for September 2025, including two issues that it said have been exploited in targeted attacks. One of them, CVE-2025-38352, is a privilege escalation vulnerability in the upstream Linux Kernel component. The second shortcoming is a privilege escalation flaw in Android Runtime (CVE-2025-48543). Benoît Sevens of Google’s Threat Analysis Group (TAG) has been credited with discovering and reporting the upstream Linux Kernel flaw, suggesting that it may have been abused as part of targeted spyware attacks.
• Threat Actors Claim to Weaponize HexStrike AI in Real-World Attacks — Threat actors are attempting to leverage a newly released artificial intelligence (AI) offensive security tool called HexStrike AI to exploit recently disclosed security flaws. “This marks a pivotal moment: a tool designed to strengthen defenses has been claimed to be rapidly repurposed into an engine for exploitation, crystallizing earlier concepts into a widely available platform driving real-world attacks,” Check Point said.
• Iranian Hackers Linked to Attacks Targeting European Embassies — An Iran-nexus group conducted a “coordinated” and “multi-wave” spear-phishing campaign targeting the embassies and consulates in Europe and other regions across the world. The activity has been attributed by Israeli cybersecurity company Dream to Iranian-aligned operators connected to broader offensive cyber activity undertaken by a group known as Homeland Justice. “Emails were sent to multiple government recipients worldwide, disguising legitimate diplomatic communication,” the company said. “Evidence points toward a broader regional espionage effort aimed at diplomatic and governmental entities during a time of heightened geopolitical tension.”

🔥 Trending CVEs

Hackers move fast — often exploiting new flaws within hours. A missed update or a single unpatched CVE can open the door to serious damage. Here are this week’s high-risk vulnerabilities making headlines. Review, patch quickly, and stay ahead.

This week’s list includes — CVE-2025-53690 (SiteCore), CVE-2025-42957 (SAP S/4HANA), CVE-2025-9377 (TP-Link Archer C7(EU) V2 and TL-WR841N/ND(MS) V9), CVE-2025-38352 (Linux Kernel/Google Android), CVE-2025-48543 (Google Android), CVE-2025-29927 (Next.js), CVE-2025-52856, CVE-2025-52861 (QNAP QVR), CVE-2025-0309 (Netskope Client for Windows), CVE-2025-21483, CVE-2025-27034 (Qualcomm), CVE-2025-6203 (HashiCorp Vault), CVE-2025-58161 (MobSF), CVE-2025-5931 (Dokan Pro plugin), CVE-2025-53772 (Web Deploy), CVE-2025-9864 (Google Chrome), CVE-2025-9696 (SunPower PVS6), CVE-2025-57833 (Django), CVE-2025-24204 (Apple macOS), CVE-2025-55305 (Electron framework), CVE-2025-53149 (Microsoft Kernel Streaming WOW Thunk Service Driver), CVE-2025-6519, CVE-2025-52549, CVE-2025-52548 (Copeland E2 and E3), CVE-2025-58782 (Apache Jackrabbit), CVE-2025-55190 (Argo CD), CVE-2025-1079, CVE-2025-4613, and a client-side remote code execution (no CVE) (Google Web Designer).

📰 Around the Cyber World

• New AI Waifu RAT Disclosed — Cybersecurity researchers have discovered a potent Windows-based remote access trojan (RAT) called AI Waifu RAT that uses the power of a large language model to pass commands. “A local agent runs on the victim’s machine, listening for commands on a fixed port,” a researcher by the name ryingo said. “These commands, originating from the LLM, are passed through a web UI and sent to the local agent as plaintext HTTP requests.” The malware specifically targets LLM role-playing communities, capitalizing on their interest in the technology to offer AI characters the ability to read local files for “personalized role-playing” and direct “Arbitrary Code Execution” capabilities.
• DoJ: “Not all heroes wear capes. Some have YouTube channels” — The U.S. Department of Justice (DoJ) said two YouTube channels named Scammer Payback and Trilogy Media played a crucial role in unmasking and identifying members of a giant scam network that stole more than $65 million from senior citizens. The 28 alleged members of the Chinese organized crime ring allegedly used call centers based in India to call the elderly, posing as government officials, bank employees, and tech support agents. “Once connected, the scammers used scripted lies and psychological manipulation to gain the victims’ trust and often remote access to their computers,” the DoJ said. “The most common scheme involved convincing victims they had received a mistaken refund and pressuring – or threatening – them to return the supposed excess funds via wire transfer, cash, or gift cards.” Those sending cash were instructed to use overnight or express couriers, addressing packages to fake names tied to false IDs. These were sent to short-term rentals in the U.S. used by conspirators, including the indicted defendants, to collect the fraud proceeds. The network has operated out of Southern California since 2019.
• Analysis of BadSuccessor Patch — Microsoft, as part of its August 2025 Patch Tuesday update, addressed a security flaw called BadSuccessor (CVE-2025-53779) that abused a loophole in dMSA, causing the Key Distribution Center (KDC) to treat a dMSA linked to any account in Active Directory as the successor during authentication. As a result, an attacker could create a dMSA in an Organizational Unit (OU) and link it to any target — even domain controllers, Domain Admins, Protected Users, or accounts marked “sensitive and cannot be delegated” – and compromise them. An analysis of the patch has revealed that patch enforcement was implemented in the KDC’s validation. “The attribute can still be written, but the KDC won’t honor it unless the pairing looks like a legitimate migration,” Akamai security researcher Yuval Gordon said. “Although the vulnerability can be patched, BadSuccessor still lives on as a technique; that is, the KDC’s verification removes the pre-patch escalation path, but doesn’t mitigate the entire problem. Because the patch didn’t introduce any protection to the link attribute, an attacker can still inherit another account by linking a controlled dMSA and a target account.”
• Phishers Pivot to Ramp and Dump Scheme — Cybercriminal groups advertising sophisticated phishing kits that convert stolen card data into mobile wallets have shifted their focus to targeting customers of brokerage services and using compromised brokerage accounts to manipulate the prices of foreign stocks as part of what’s called a ramp and dump scheme.
• Popular C2 Frameworks Exploited by Threat Actors — Sliver, Havoc, Metasploit, Mythic, Brute Ratel C4, and Cobalt Strike (in that order) have emerged as the most frequently used command-and-control (C2) frameworks in malicious attacks in Q2 2025, per data from Kaspersky. “Attackers are increasingly customizing their C2 agents to automate malicious activities and hinder detection,” the company said. The development came as the majority (53%) of attributed vulnerability exploits in the first half of 2025 were conducted by state-sponsored actors for strategic, geopolitical purposes, according to Recorded Future’s Insikt Group. In all, 23,667 CVEs were published in H1 2025, a 16% increase compared to H1 2024. Attackers actively exploited 161 vulnerabilities, and 42% of those exploited flaws had public PoC exploits.
• Fake PDF Converters Deliver JSCoreRunner macOS Malware — Apps posing as PDF converters are being used to deliver malware called JSCoreRunner. Once downloaded from sites like fileripple[.]com, the malware establishes connections with a remote server and hijacks a user’s Chrome browser by modifying its search engine settings to default to a fraudulent search provider, thereby tracking user searches and redirecting them to bogus sites, further exposing them to data and financial theft, per Mosyle. The attack unfolds over two stages: The initial package (whose signature has since been revoked by Apple), which deploys an unsigned secondary payload from the same domain that, in turn, executes the main malicious payload.
• Copeland Releases Fixes for Frostbyte10 Flaws — American tech company Copeland has released a firmware update to fix ten vulnerabilities in Copeland E2 and E3 controllers. The chips are used to manage energy efficiency inside HVAC and refrigeration systems. The ten vulnerabilities have been collectively named Frostbyte10. “The flaws discovered could have allowed unauthorized actors to remotely manipulate parameters, disable systems, execute remote code, or gain unauthorized access to sensitive operational data,” Armis said. “When combined and exploited, these vulnerabilities can result in unauthenticated remote code execution with root privileges.” The most severe of the flaws is CVE-2025-6519, a case of a default admin user “ONEDAY” with a daily generated password that can be predictably generated. In a hypothetical attack scenario, an attacker could chain CVE-2025-6519 and CVE-2025-52549 with CVE-2025-52548, which can enable SSH and Shellinabox access via a hidden API call, to facilitate remote execution of arbitrary commands on the underlying operating system.
• Over 1,000 Ollama Servers Exposed — A new study from Cisco found over 1,100 exposed Ollama servers, with approximately 20% actively hosting models susceptible to unauthorized access. Out of the 1,139 exposed servers, 214 were found to be actively hosting and responding to requests with live models—accounting for approximately 18.8% of the total scanned population, with Mistral and LLaMA representing the most frequently encountered deployments. The remaining 80% of detected servers, while reachable via unauthenticated interfaces, did not have any models instantiated. Although dormant, these servers remain susceptible to exploitation via unauthorized model uploads or configuration manipulation. The findings “highlight the urgent need for security baselines in LLM deployments and provide a practical foundation for future research into LLM threat surface monitoring,” the company said.
• Tycoon Phishing Kit Evolves — The Tycoon phishing kit has been updated to support URL-encoding techniques to hide malicious links embedded in fake voicemail messages to bypass email security checks. Attackers have also been observed using the Redundant Protocol Prefix technique for similar reasons. “This involves crafting a URL that is only partially hyperlinked or that contains invalid elements — such as two ‘https’ or no ‘//’ — to hide the real destination of the link while ensuring the active part looks benign and legitimate and doesn’t arouse suspicion among targets or their browser controls,” Barracuda said. “Another trick is using the ‘@’ symbol in a web address. Everything before the ‘@’ is treated as ‘user info’ by browsers, so attackers put something that looks reputable and trustworthy in this part, such as ‘office365.’ The link’s actual destination comes after the ‘@.’”
• U.S. State Department Offers Up to $10M for Russian Hackers — The U.S. Department of State is offering a bounty of up to $10 million for information on three Russian Federal Security Service (FSB) officers involved in cyberattacks targeting U.S. critical infrastructure organizations on behalf of the Russian government. The three individuals, Marat Valeryevich Tyukov, Mikhail Mikhailovich Gavrilov, and Pavel Aleksandrovich Akulov, are part of the FSB’s Center 16 or Military Unit 71330, which is tracked as Berserk Bear, Blue Kraken, Crouching Yeti, Dragonfly, Koala Team, and Static Tundra. They have been accused of targeting 500 energy companies in 135 countries. In March 2022, the three FBS officers were also charged for their involvement in a campaign that took place between 2012 and 2017, targeting U.S. government agencies.
• XWorm Malware Uses Sneaky Methods to Evade Detection — A new XWorm malware campaign is using deceptive and intricate methods to evade detection and increase the success rate of the malware. “The XWorm malware infection chain has evolved to include additional techniques beyond traditional email-based attacks,” Trellix said. “While email and .LNK files remain common initial access vectors, XWorm now also leverages legitimate-looking .EXE filenames to disguise itself as harmless applications, exploiting user and system trust.” The attack chain uses LNK files to initiate a complex infection. Executing the .LNK triggers malicious PowerShell commands that deliver a .TXT file and download a deceptively-named binary called “discord.exe.” The executable then drops “main.exe” and “system32.exe,” with the latter being the XWorm malware payload. “Main.exe,” on the other hand, is responsible for disabling the Windows Firewall and checking for the presence of -third-party security applications. XWorm, besides meticulously conducting reconnaissance to acquire a comprehensive profile of the machine, runs anti-analysis checks to ascertain the presence of a virtualized environment, and, if so, ceases execution. It also incorporates backdoor functionality by contacting an external server to execute commands, shut down the system, download files, open URLs, and launch DDoS attacks. Recent campaigns distributing the malware through a new crypter-as-a-service offering known as Ghost Crypt. “Ghost Crypt delivers a zipped archive to the victim containing a PDF Reader application, a DLL, and a PDF file,” Kroll said. “When the user opens the PDF, the malicious DLL is side-loaded, initiating the malware execution.” The PDF Reader application is HaiHaiSoft PDF Reader, which is known to have a DLL side-loading vulnerability, previously exploited to deliver Remcos RAT, NodeStealer, and PureRAT.
• 2 E-Crime Groups Use Stealerium Stealer in New Campaigns — Two different cybercriminal groups, TA2715 and TA2536, both of which favored Snake Keylogger, have conducted phishing campaigns in May 2025, delivering an open-source information stealer called Stealerium (or variants of it). “The observed emails impersonated many different organizations, including charitable foundations, banks, courts, and document services, which are common themes in e-crime lures,” Proofpoint said. “Subject lines typically conveyed urgency or financial relevance, including ‘Payment Due,’ ‘Court Summons,’ and ‘Donation Invoice.’”
• Czechia Issues Warning Against Chinese Tech in Critical Infrastructure — NÚKIB, the Czech Republic’s cybersecurity agency, has issued a bulletin regarding the threat posed by technology systems that transfer data to, or are remotely managed from, China. “Current critical infrastructure systems are increasingly dependent on storing and processing data in cloud repositories and on network connectivity enabling remote operation and updates,” the agency warned. “In practice, this means that technology solution providers can significantly influence the operation of critical infrastructure and/or access important data, making trust in the reliability of the provider absolutely crucial.”
• Google Chrome 140 Gains Support for Cookie Prefixes — Google has released version 140 of its Chrome browser with support for a new security feature designed to protect server-set cookies from client-side modifications. Called a cookie prefix, it involves adding a piece of text before the names of a browser’s cookies. “In some cases, it’s important to distinguish on the server side between cookies set by the server and those set by the client. One such case involves cookies normally always set by the server,” Google said. “However, unexpected code (such as an XSS exploit, a malicious extension, or a commit from a confused developer) might set them on the client. This proposal adds a signal that lets servers make such a distinction. More specifically, it defines the __Http and __HostHttp prefixes, which ensure a cookie is not set on the client side using script.”
• New Ransomware Strains Detailed — A new ransomware group called LunaLock has hacked an art-commissioning portal called Artists&Clients and is extorting its owners and artists by threatening to submit the stolen artwork to train artificial intelligence (AI) models unless it pays a $50,000 ransom. Another newly observed ransomware crew is Obscura, which was first observed by Huntress on August 29, 2025. The Go-based ransomware variant attempts to terminate over 120 processes commonly tied to security tools like Microsoft Defender, CrowdStrike, and SentinelOne.
• E.U. Court Backs Data Transfer Deal Agreed by U.S. and E.U. — The General Court of the Court of Justice of the European Union has dismissed a lawsuit that sought to annul the E.U. and U.S. Data Privacy Framework. The court ruled that the new treaty and the US adequately safeguard the personal data of E.U. citizens. The lawsuit alleged that the U.S. Data Protection Review Court (DPRC), which is housed inside the Department of Justice and has been historically seen as a bulwark for checking U.S. data surveillance activities, is not sufficiently independent and does not adequately shield Europeans from bulk data collection by U.S. intelligence agencies.
• Microsoft to Move to Phase 2 of MFA Enforcement in October 2025 — Microsoft said it has been enforcing multi-factor authentication (MFA) for Azure Portal sign-ins across all tenants since March 2025. “We are proud to announce that multi-factor enforcement for Azure Portal sign-ins was rolled out for 100% of Azure tenants in March 2025,” the company said. “By enforcing MFA for Azure sign-ins, we aim to provide you with the best protection against cyber threats as part of Microsoft’s commitment to enhancing security for all customers, taking one step closer to a more secure future.” The next phase of MFA requirement is scheduled to start October 1, 2025, mandating the use of MFA for users performing Azure resource management operations through Azure Command-Line Interface (CLI), Azure PowerShell, Azure Mobile App, REST APIs, Azure Software Development Kit (SDK) client libraries, and Infrastructure as Code (IaC) tools.
• Surge in Scanning Activity Targeting Cisco ASA — GreyNoise said it detected two scanning surges against Cisco Adaptive Security Appliance (ASA) devices on August 22 and 26, 2025, with the first wave originating from over 25,100 IP addresses mainly located in Brazil, Argentina, and the U.S. The second spike repeated ASA probing, with subsets hitting both IOS Telnet/SSH and ASA software personas. The activity targeted the U.S., the U.K., and Germany.
• LinkedIn Expands Verification to Combat Job-Themed Scams — Microsoft-owned professional social network unveiled new measures to strengthen trust and ensure that users are interacting with people who “they say they are.” This includes verified Premium Company Pages, requiring recruiters to verify their workplace on their profile, and workplace verification requirements for high-level titles such as Executive Director, Managing Director, and Vice President to tackle impersonation. The changes are an effort to prevent scammers from posing as company employees or recruiters and reaching out to prospective targets with fake job opportunities – a technique pioneered by North Korean hackers.
• Hotelier Accounts Targeted in Malvertising and Phishing Campaign — A large-scale phishing campaign has impersonated at least 13 service providers that specialize in hotels and vacation rentals. “In these attacks, targeted users are lured to highly deceptive phishing sites using malicious search engine advertisements, particularly sponsored ads on platforms like Google Search,” Okta said. “The attacks leverage convincing fake login pages and social engineering tactics to bypass security controls and exploit user trust.” It’s assessed that the end goal of the campaign is to compromise accounts for cloud-based property management and guest messaging platforms.
• DamageLib Emerges After XSS Forum Takedown — A new cybercrime forum called DamageLib has grown dramatically, attracting over 33,000 users following the arrest of XSS[.]is admin Toha back in July 2025. While XSS remains online, speculations are abound that it could be a law enforcement honeypot, breeding mistrust among cybercriminals. “Exploit forum traffic surged almost 24% during the XSS turmoil as actors sought alternatives, while XSS visits plummeted,” KELA said. “As of August 27, 2025, DamageLib counted 33,487 users — nearly 66% of XSS’s 50,853 members. But engagement lagged: only 248 threads and 3,107 posts in its first month, compared to over 14,400 messages on XSS in the month before the seizure.”
• GhostAction Supply Chain Attack Steals 3,325 Secrets — A massive supply chain attack dubbed GhostAction has allowed attackers to inject a malicious GitHub workflow named “Github Actions Security” to exfiltrate 3,325 secrets, including PyPI, npm, and DockerHub tokens via HTTP POST requests to a remote attacker-controlled endpoint (“bold-dhawan.45-139-104-115.plesk[.]page”). The activity affected 327 GitHub users across 817 repositories.
• New Campaign Abuses Simplified AI to Steal Microsoft 365 Credentials — A new phishing campaign has been observed hosting fake pages under the legitimate Simplified AI domain in a bid to evade detection and blend in with regular enterprise traffic. “By impersonating an executive from a global pharmaceutical distributor, the threat actors delivered a password-protected PDF that appeared legitimate,” Cato Networks said. “Once opened, the file redirected the victim to Simplified AI’s website, but instead of generating content, the site became a launchpad to a fake Microsoft 365 login portal designed to harvest enterprise credentials.”
• Japan, South Korea, and the U.S. Take Aim at North Korean IT Worker Scam — Japan, South Korea, and the U.S. joined hands to fight against the growing threat of North Korean threat actors posing as IT workers to embed themselves in organizations throughout Asia and globally and generate revenue to fund its unlawful weapons of mass destruction (WMD) and ballistic missile programs. “They take advantage of existing demands for advanced IT skills to obtain freelance employment contracts from an expanding number of target clients throughout the world, including in North America, Europe, and East Asia,” the countries said in a joint statement. “North Korean IT workers themselves are also highly likely to be involved in malicious cyber activities, particularly in the blockchain industries. Hiring, supporting, or outsourcing work to North Korean IT workers increasingly poses serious risks, ranging from theft of intellectual property, data, and funds to reputational harm and legal consequences.”
• New AI-Powered Android Vulnerability Discovery and Validation Tool — Computer scientists affiliated with Nanjing University in China and The University of Sydney in Australia said that they’ve developed an AI vulnerability identification system called A2 that emulates the way human bug hunters go about discovering flaws, marking a step forward for automated security analysis. According to the study, A2 “validates Android vulnerabilities through two complementary phases: (i) Agentic Vulnerability Discovery, which reasons about application security by combining semantic understanding with traditional security tools; and (ii) Agentic Vulnerability Validation, which systematically validates vulnerabilities across Android’s multi-modal attack surface-UI interactions, inter-component communication, file system operations, and cryptographic computations.” A2 builds upon A1, an agentic system that transforms any LLM into an end-to-end exploit generator.
• Spotify DM Feature Carries Doxxing Risks — Music streaming service Spotify, last month, announced a new messaging feature for sharing music with friends. But reports are now emerging on Reddit that it’s surfacing as “suggested friends,” people with whom users may have shared Spotify links in the past on other social media platforms, potentially revealing their real names in the process. This is made possible by means of a unique “si” parameter in Spotify links that serves as referral information.
• Spear-Phishing Campaign Targets C-Suite for Credential Theft — A sophisticated spear-phishing campaign has targeted senior employees, particularly those in C-Suite and leadership positions, to steal their credentials using email messages with salary-themed lures or fake OneDrive document-sharing notifications. “Actors behind this campaign are leveraging tailored emails that impersonate internal HR communications, via a shared document in OneDrive, to trick recipients into entering corporate credentials,” Stripe OLT said. “Emails are sent via Amazon Simple Email Service (SES) infrastructure. The actor is rotating between many sending domains and subdomains to evade detection.” As many as 80 domains have been identified as part of this campaign.
• Attackers Attempt to Exploit WDAC Technique — In December 2024, researchers Jonathan Beierle and Logan Goins demonstrated a novel technique that leverages a malicious Windows Defender Application Control (WDAC) policy to block security solutions such as Endpoint Detection and Response (EDR) sensors following a system reboot using a custom tool codenamed Krueger. Since then, it has emerged that threat actors have incorporated the method into their attack arsenal to disable security solutions using WDAC policies. It has also led to the discovery of a new malware strain dubbed DreamDemon that uses WDAC to neutralize antivirus programs. It contains an embedded WDAC policy, which is then dropped onto disk and hidden,” Beierle said. “In certain cases, DreamDemon will also change the time that the policy was created in an attempt to avoid detection.”
• New NBMiner Cryptojacking Malware Detected — Cybersecurity researchers have discovered a new campaign that leverages a PowerShell script to drop an AutoIt loader used to deliver a cryptocurrency miner called NBMiner from an external server. Initial access to the system is accomplished by means of a drive-by compromise. “The program includes several evasion measures,” Darktrace said. “It performs anti-sandboxing by sleeping to delay analysis and terminates sigverif.exe (File Signature Verification). It checks for installed antivirus products and continues only when Windows Defender is the sole protection. It also verifies whether the current user has administrative rights. If not, it attempts a User Account Control (UAC) bypass via Fodhelper to silently elevate and execute its payload without prompting the user.”
• New Campaign Uses Custom GPTs for Brand Impersonation and Phishing — Threat actors are abusing custom features on trusted AI platforms like OpenAI ChatGPT to create malicious “customer support” chatbots that impersonate legitimate brands. These custom GPTs are surfaced on Google Search results, tricking users into taking malicious actions under the guise of a helpful chatbot, underscoring how AI tools can be misused within a broader social engineering chain. “This method introduces a new threat vector: platform-hosted social engineering through trusted AI interfaces,” Doppel said. “Several publicly available Custom GPTs have been observed impersonating well-known companies.” The attacks can lead to theft of sensitive information, malware delivery, and damage the reputation of legitimate brands. The development is part of a larger trend where cybercriminals abuse AI tools, including impersonation fraud via deepfakes, AI-assisted scam call centers, AI-powered mailers and spam tools, malicious tool development, and unrestricted and self-hosted generative AI chatbots that can craft phishing kits, fake websites; create content for romance or investment scams; develop malware; and assist with vulnerability reconnaissance and exploit chains.
• McDonald’s Poland Fined for Leaking Personal Data — Poland’s data protection agency fined McDonald’s Poland nearly €4 million for leaking employee personal data, violating GDPR data privacy protections. The incident occurred at a partner company that managed employee work schedules. Personal data such as names, passport numbers, positions, and work schedules were left exposed on the internet through an open directory. This is the second-largest GDPR fine handed out by Polish authorities after fining the country’s postal service €6.3 million earlier this year. In related news, vulnerabilities in the McDonald’s chatbot recruitment platform McHire exposed over 64 million job applications across the U.S., security researchers Ian Carroll and Sam Curry discovered. The chatbot was created by Paradox.ai, which did not remove the default credentials for a test account (username 123456, password 123456) and failed to secure an endpoint that allowed access to the chat interactions of every applicant. There is no evidence that the test account was ever exploited in a malicious context. A separate set of security issues has also been discovered in the fast-food giant’s partner and employee portals that exposed sensitive data such as API keys and enabled unauthorized access to make changes to a franchise owner’s website. The issues, according to BobdaHacker, have since been patched.
• New Influence Operations Discovered — Cybersecurity company Recorded Future flagged two large-scale, state-aligned influence operation networks supporting India and Pakistan during the India-Pakistan conflict of April and May 2025. These influence networks have been codenamed Hidden Charkha (pro-India) and Khyber Defender (pro-Pakistan). “These networks are very likely motivated by patriotism and are almost certainly aligned with India’s and Pakistan’s domestic and foreign policy objectives, respectively,” Recorded Future said. “Each network consistently attempted to frame India or Pakistan, respectively, as maintaining superior technological and military capabilities – and therefore the implied ability for each respective country to exercise tactical restraint – as proof of having the moral high ground, and hence having domestic and international support.” Both the campaigns were largely unsuccessful in shaping public opinion, given the lack of organic engagement on social media. A second influence operation involves multiple Russia-linked networks, such as Operation Overload, Operation Undercut, Foundation to Battle Injustice, and Portal Kombat, seeking to destabilize the elections and derail Moldova’s European Union (E.U.) accession. Besides attempting to frame the current Moldova leadership as corrupt and counter to Moldova’s interests, the activity portrays “Moldova’s further integration with the E.U. as disastrous for its economic future and sovereignty, and Moldova as a whole as at odds with European standards and values.” The campaign has not achieved any substantial success in shaping public opinion, Recorded Future added.
• Massive IPTV Piracy Network Uncovered — A large Internet Protocol Television (IPTV) piracy network spanning more than 1,100 domains and over 10,000 IP addresses has been discovered hosting pirated content, illegally restreaming licensed channels, and engaging in subscription fraud. Active for several years, more than 20 major brands have been affected, including: Prime Video, Bein Sports, Disney Plus, NPO Plus, Formula 1, HBO, Viaplay, Videoland, Discovery Channel, Ziggo Sports, Netflix, Apple TV, Hulu, NBA, RMC Sport, Premier League, Champions League, Sky Sports, NHL, WWE, and UFC. Silent Push said it identified two companies involved in profiting from hosting pirated content — XuiOne and Tiyansoft. XuiOne is believed to share connections with Stalker_Portal, another well-known open-source IPTV project that has been around since 2013. These services are advertised in the form of Android apps, with the domains distributed via Facebook groups and Imgur. The cybersecurity firm also identified one individual, Nabi Neamati of Herat, Afghanistan, as a central figure in its operations.
• Security Analysis of WhatsApp Message Summarization — NCC Group has published an in-depth analysis of WhatsApp’s AI-powered Message Summarization feature, which was announced by the messaging platform in June 2025. In all, the assessment discovered 21 findings, 16 of which were fixed by WhatsApp. This included three notable weaknesses: The hypervisor could have assigned network interfaces to the CVM through which private data could be exfiltrated, Any old Confidential Virtual Machine (CVM) image with known vulnerabilities could have been indefinitely used by an attacker, and the ability to serve malicious key configurations to WhatsApp clients could have allowed Meta to violate privacy and non-targetability assurances.
• Indirect Prompt Injection via Log Files — Large language models (LLMs) used in a security context can be deceived by specially crafted events and log files injected with hidden prompts to execute malicious actions when they are parsed by AI agents.

🎥 Cybersecurity Webinars

• From Blind Spots to Clarity: Why Code-to-Cloud Visibility Defines Modern AppSec — Most security programs know their risks—but not where they truly begin or how they spread. That gap between code and cloud is costing teams time, ownership, and resilience. This webinar shows how code-to-cloud visibility closes that gap by giving developers, DevOps, and security a shared view of vulnerabilities, misconfigurations, and runtime exposure. The result? Less noise, faster fixes, and stronger protection for the applications your business depends on.
• Shadow AI Agents: The Hidden Risk Driving Enterprise Blind Spots — AI Agents are no longer futuristic—they’re already embedded in your workflows, processes, and platforms. The problem? Many of them are invisible to governance, fueled by unchecked non-human identities that create a growing attack surface. Shadow AI doesn’t just add complexity; it multiplies risk with every click. This webinar unpacks where these agents are hiding, how to spot them before attackers do, and what steps you can take to bring them under control without slowing innovation.
• AI + Quantum 2.0: The Double Disruption Security Leaders Can’t Ignore — The next cybersecurity crisis won’t come from AI or quantum alone—it will come from their convergence. As quantum breakthroughs accelerate and AI drives automation at scale, the attack surface for sensitive industries is expanding faster than most defenses can keep up. This panel brings together leading voices from research, government, and industry to unpack what Quantum 2.0 means for security, why quantum-safe cryptography and AI resilience must go hand-in-hand, and how decision-makers can start building trust and resilience before adversaries weaponize these technologies.

🔧 Cybersecurity Tools

• MeetC2 — It is a clever proof-of-concept C2 framework that uses Google Calendar—yes, the same calendar your team uses every day—as a hidden command channel between an operator and a compromised endpoint. By polling for events and embedding commands into calendar items via Google’s trusted APIs (oauth2.googleapis.com, www.googleapis.com), it shows how legitimate SaaS platforms can be repurposed for covert operations. Security teams can use MeetC2 in controlled purple-team exercises to sharpen detection logic around unusual calendar API usage, validate logging and telemetry effectiveness, and fine-tune safeguards against stealthy cloud-based C2 strategies. In short, it equips defenders with a lightweight, highly relevant testbed to simulate and proactively defend against next-gen adversarial tradecraft.
• thermoptic – It is an advanced HTTP proxy that cloaks low-level clients like curl to appear indistinguishable from a full Chrome/Chromium browser at the network fingerprinting layer. Modern WAFs and anti-bot systems increasingly rely on JA4+ signatures—tracking TLS, HTTP, TCP, and certificate fingerprints—to block scraping tools or detect when users switch from browsers to scripts. By routing requests through a containerized Chrome instance, thermoptic ensures fingerprints match real browsers byte-for-byte, even across multiple layers. For defenders, this is a powerful way to test detection pipelines against sophisticated evasion tactics, validate JA4+ logging visibility, and explore how adversaries might blend into legitimate browser traffic. For ethical researchers and red teams, thermoptic offers a realistic, open-source platform to simulate stealthy scraping or covert traffic—helping security teams move from theory to resilience in the fingerprinting arms race.

Disclaimer: The tools featured here are provided strictly for educational and research purposes. They have not undergone full security audits, and their behavior may introduce risks if misused. Before experimenting, carefully review the source code, test only in controlled environments, and apply appropriate safeguards. Always ensure your usage aligns with ethical guidelines, legal requirements, and organizational policies.

🔒 Tip of the Week

Lock Down Your Router Before Hackers Ever Get a Foot in the Door — Most people think of router security as just “change the password” or “disable UPnP.” But attackers are getting far more creative: from rerouting internet traffic through fake BGP paths, to hijacking cloud services that talk directly to your router. The best defense? A layered approach that closes those doors before compromise happens.

Here are 3 advanced but practical moves you can start today:

1. Protect Your Internet Route with RPKI
   Why it matters: Attackers sometimes hijack internet routes (BGP attacks) to spy on or reroute your traffic.
   Try this: Even if you’re not running a big enterprise, you can check if your ISP supports RPKI (Resource Public Key Infrastructure) using the free Is BGP Safe Yet? tool. If your provider isn’t secured, ask them about RPKI.
2. Use Short-Lived Access Keys Instead of Static Passwords
   Why it matters: A single stolen router password can let attackers in for years.
   Try this: If your router supports it (OpenWRT, pfSense, MikroTik), set up SSH access with keys instead of passwords. For home or small office users, tools like YubiKey can generate one-time login tokens, so even if your PC is hacked, the router stays safe.
3. Control Who Can Even Knock on the Door
   Why it matters: Most router compromises happen because attackers can reach the management port from the internet.
   Try this: Instead of leaving management open, use Single Packet Authorization (SPA) with a free tool like fwknop. It hides your router’s management ports until you send a secret “knock,” making your router invisible to scanners.

Think of your router as the “front door to your digital house.” With these tools, you’re not just locking it — you’re making sure attackers don’t even know where the door is, and even if they do, the key changes every day.

Conclusion

That wraps up this week’s briefing, but the story never really ends. New exploits, new tactics, and new risks are already on the horizon—and we’ll be here to break them down for you. Until then, stay sharp, stay curious, and remember: one clear insight can make all the difference in stopping the next attack.

When Attackers Get Hired: Today’s New Identity Crisis

What if the star engineer you just hired isn’t actually an employee, but an attacker in disguise? This isn’t phishing; it’s infiltration by onboarding.

Meet “Jordan from Colorado,” who has a strong resume, convincing references, a clean background check, even a digital footprint that checks out.

On day one, Jordan logs into email and attends the weekly standup, getting a warm welcome from the team. Within hours, they have access to repos, project folders, even some copy/pasted dev keys to use in their pipeline.

A week later, tickets close faster, and everyone’s impressed. Jordan makes insightful observations about the environment, the tech stack, which tools are misconfigured, and which approvals are rubber-stamped.

But Jordan wasn’t Jordan. And that red-carpet welcome the team rolled out was the equivalent to a golden key, handed straight to the adversary.

From Phishing to Fake Hires

The modern con isn’t a malicious link in your inbox; it’s a legitimate login inside your organization.

While phishing is still a serious threat that continues to grow (especially with the increase in AI-driven attacks), it’s a well-known attack path. Organizations have spent years hardening email gateways, training employees to recognize and report malicious content, and running internal phishing tests.

We defend against a flood of phishing emails daily, as there’s been a 49% increase in phishing since 2021, and a 6.7x increase in large language models (LLMs) being used to generate emails with convincing lures. It’s becoming significantly easier for attackers to run phishing attacks.

But that’s not how Jordan got in. Despite numerous defenses pointed at email, Jordan got in with HR paperwork.

Why is Hiring Fraud a Problem Now?

Remote hiring has scaled rapidly in the past few years. Industries have discovered that 100% remote work is possible, and employees no longer need offices with physical (and easily defendable) perimeters. Moreover, talented resources exist anywhere on the planet. Hiring remotely means organizations can benefit from an expanded hiring pool, with the potential for more qualifications and skills. But remote hiring also removes the intuitive and natural protections of in-person interviews, creating a new opening for threat actors.

Today, identity is the new perimeter. And that means your perimeter can be faked, impersonated, or even AI-generated. References can be spoofed. Interviews can be coached or proxied. Faces and voices can be generated (or deepfaked) by AI. An anonymous adversary can now convincingly appear as “Jordan from Colorado” and get an organization to give them the keys to the kingdom.

Hiring Fraud in the Wild: North Korea’s Remote “Hire” Operatives

The threat of remote hiring fraud isn’t something we’re watching roll in on the horizon or imagine in scary stories around the campfire.

A report published in August of this year revealed over 320 cases of North Korean operatives infiltrating companies by posing as remote IT workers with false identities and polished resumes. That single example has seen a 220% increase year-over-year, which means this threat is escalating quickly., which means this threat is escalating quickly.

Now, with our new perimeter, we have to view this security framework through the lens of identity, which brings us to the concept of zero standing privileges (ZSP).

Unlike the castle model, which locks everything down indiscriminately, a ZSP state should be built around flexibility with guardrails:

• No always-on access by default – The baseline for every identity is always the minimum access required to function.
• JIT (Just-in-Time) + JEP (Just–Enough-Privilege) – –Extra access takes the form of a small, scoped permission that exists only when needed, for the finite duration needed, and then gets revoked when the task is done.
• Auditing and accountability – Every grant and revoke is logged, creating a transparent record.

This approach closes the gap left by the castle problem. It ensures attackers can’t rely on persistent access, while employees can still move quickly through their work. Done right, a ZSP approach aligns productivity and protection instead of forcing a choice between them. Here are a few more tactical steps that teams can take to eliminate standing access across their organization:

The Zero Standing Privileges Checklist

Inventory & baselines:

Request – Approve – Remove:

Full audit and evidence

Taking Action: Start Small, Win Fast

A practical way to begin is by piloting ZSP on your most sensitive system for two weeks. Measure how access requests, approvals, and audits flow in practice. Quick wins here can build momentum for wider adoption, and prove that security and productivity don’t have to be at odds.

BeyondTrust Entitle, a cloud access management solution, enables a ZSP approach, providing automated controls that keep every identity at the minimum level of privilege, always. When work demands more, employees can receive it on request through time-bound, auditable workflows. Just enough access is granted just in time, then removed.

By taking steps to operationalize zero standing privileges, you empower legitimate users to move quickly—without leaving persistent privileges lying around for Jordan to find.

Ready to get started? Click here to get a free red-team assessment of your identity infrastructure.

Note: This article was expertly written and contributed by David van Heerden, Sr. Product Marketing Manager. David van Heerden — a self-described general nerd, metalhead, and wannabe film snob — has worked in IT for over 10 years, sharpening his technical skills and developing a knack for turning complex IT and security concepts into clear, value-oriented topics. At BeyondTrust, he has taken on the Sr. Product Marketing Manager role, leading the entitlements marketing strategy.

A threat actor possibly of Russian origin has been attributed to a new set of attacks targeting the energy sector in Kazakhstan.

The activity, codenamed Operation BarrelFire, is tied to a new threat group tracked by Seqrite Labs as Noisy Bear. The threat actor has been active since at least April 2025.

“The campaign is targeted towards employees of KazMunaiGas or KMG where the threat entity delivered a fake document related to the KMG IT department, mimicking official internal communication and leveraging themes such as policy updates, internal certification procedures, and salary adjustments,” security researcher Subhajeet Singha said.

The infection chain begins with a phishing email containing a ZIP attachment, which includes a Windows shortcut (LNK) downloader, a decoy document related to KazMunaiGas, and a README.txt file with instructions written in both Russian and Kazakh to run a program named “KazMunayGaz_Viewer.”

The email, per the cybersecurity company, was sent from a compromised email address of an individual working in the finance department of KazMunaiGas and targeted other employees of the firm in May 2025.

The LNK file payload is designed to drop additional payloads, including a malicious batch script that paves the way for a PowerShell loader dubbed DOWNSHELL. The attacks culminate with the deployment of a DLL-based implant, a 64-bit binary that can run shellcode to launch a reverse shell.

Further analysis of the threat actor’s infrastructure has revealed that it’s hosted on the Russia-based bulletproof hosting (BPH) service provider Aeza Group, which was sanctioned by the U.S. in July 2025 for enabling malicious activities.

The development comes as HarfangLab linked a Belarus-aligned threat actor known as Ghostwriter (aka FrostyNeighbor or UNC1151) to campaigns targeting Ukraine and Poland since April 2025 with rogue ZIP and RAR archives that are aimed at collecting information about compromised systems and deploying implants for further exploitation.

“These archives contain XLS spreadsheets with a VBA macro that drops and loads a DLL,” the French cybersecurity company said. “The latter is responsible for collecting information about the compromised system and retrieving next-stage malware from a command-and-control (C2) server.”

Subsequent iterations of the campaign have been found to write a Microsoft Cabinet (CAB) file along with the LNK shortcut to extract and run the DLL from the archive. The DLL then proceeds to conduct initial reconnaissance before dropping the next-stage malware from the external server.

The attacks targeting Poland, on the other hand, tweak the attack chain to use Slack as a beaconing mechanism and data exfiltration channel, downloading in return a second-stage payload that establishes contact with the domain pesthacks[.]icu.

At least in one instance, the DLL dropped through the macro-laced Excel spreadsheet is used to load a Cobalt Strike Beacon to facilitate further post-exploitation activity.

“These minor changes suggest that UAC-0057 may be exploring alternatives, in a likely attempt to work around detection, but prioritizes the continuity or development of its operations over stealthiness and sophistication,” HarfangLab said.

Cyber Attacks Reported Against Russia

The findings come amid OldGremlin’s renewed extortion attacks on Russian companies in the first half of 2025, targeting as many as eight large domestic industrial enterprises using phishing email campaigns.

The intrusions, per Kaspersky, involved the use of the bring your own vulnerable driver (BYOVD) technique to disable security solutions on victims’ computers and the legitimate Node.js interpreter to execute malicious scripts.

Phishing attacks aimed at Russia have also delivered a new information stealer called Phantom Stealer, which is based on an open-source stealer codenamed Stealerium, to collect a wide range of sensitive information using email baits related to adult content and payments. It also shares overlaps with another Stealerium offshoot known as Warp Stealer.

According to F6, Phantom Stealer also inherits Stealerium’s “PornDetector” module that captures webcam screenshots when users visit pornographic websites by keeping tabs on the active browser window and whether the title includes a configurable list of terms like porn, and sex, among others.

“This is likely later used for ‘sextortion,’” Proofpoint said in its own analysis of the malware. “While this feature is not novel among cybercrime malware, it is not often observed.”

In recent months, Russian organizations have also been at the receiving end of attacks perpetrated by hacking groups tracked as Cloud Atlas, PhantomCore, and Scaly Wolf to harvest sensitive information and deliver additional payloads using malware families such as VBShower, PhantomRAT, and PhantomRShell.

Another cluster of activity involves a new Android malware that masquerades as an antivirus tool created by Russia’s Federal Security Services agency (FSB) to single out representatives of Russian businesses. The apps carry names like SECURITY_FSB, ФСБ (Russian for FSB), and GuardCB, the last of which is an attempt to pass off as the Central Bank of the Russian Federation.

First discovered in January 2025, the malware exfiltrates data from messenger and browser apps, stream from the phone’s camera, and log keystrokes by seeking extensive permissions to access SMS messages, location, audio, camera. It also requests for running in the background, device administrator rights, and accessibility services.

“The app’s interface provides only one language – Russian,” Doctor Web said. “Thus, the malware is entirely focused on Russian users. The backdoor also uses accessibility services to protect itself from being deleted if it receives the corresponding command from the threat actors.”

Sep 06, 2025Ravie LakshmananSoftware Security / Cryptocurrency

A new set of four malicious packages have been discovered in the npm package registry with capabilities to steal cryptocurrency wallet credentials from Ethereum developers.

“The packages masquerade as legitimate cryptographic utilities and Flashbots MEV infrastructure while secretly exfiltrating private keys and mnemonic seeds to a Telegram bot controlled by the threat actor,” Socket researcher Kush Pandya said in an analysis.

The packages were uploaded to npm by a user named “flashbotts,” with the earliest library uploaded as far back as September 2023. The most recent upload took place on August 19, 2025. The packages in question, all of which are still available for download as of writing, are listed below –

The impersonation of Flashbots is not coincidental, given its role in combating the adverse effects of Maximal Extractable Value (MEV) on the Ethereum network, such as sandwich, liquidation, backrunning, front-running, and time-bandit attacks.

The most dangerous of the identified libraries is “@flashbotts/ethers-provider-bundle,” which uses its functional cover to conceal the malicious operations. Under the guise of offering full Flashbots API compatibility, the package incorporates stealthy functionality to exfiltrate environment variables over SMTP using Mailtrap.

In addition, the npm package implements a transaction manipulation function to redirect all unsigned transactions to an attacker-controlled wallet address and log metadata from pre-signed transactions.

sdk-ethers, per Socket, is mostly benign but includes two functions to transmit mnemonic seed phrases to a Telegram bot that are only activated when they are invoked by unwitting developers in their own projects.

The second package to impersonate Flashbots, flashbot-sdk-eth, is also designed to trigger the theft of private keys, while gram-utilz offers a modular mechanism for exfiltrating arbitrary data to the threat actor’s Telegram chat.

With mnemonic seed phrases serving as the “master key” to recover access to cryptocurrency wallets, theft of these sequences of words can allow threat actors to break into victims’ wallets and gain complete control over their wallets.

The presence of Vietnamese language comments in the source code suggest that the financially-motivated threat actor may be Vietnamese-speaking.

The findings indicate a deliberate effort on part of the attackers to weaponize the trust associated with the platform to conduct software supply chain attacks, not to mention obscure the malicious functionality amidst mostly harmless code to sidestep scrutiny.

“Because Flashbots is widely trusted by validators, searchers, and DeFi developers, any package that appears to be an official SDK has a high chance of being adopted by operators running trading bots or managing hot wallets,” Pandya pointed out. “A compromised private key in this environment can lead to immediate, irreversible theft of funds.”

“By exploiting developer trust in familiar package names and padding malicious code with legitimate utilities, these packages turn routine Web3 development into a direct pipeline to threat actor-controlled Telegram bots.”

Federal Civilian Executive Branch (FCEB) agencies are being advised to update their Sitecore instances by September 25, 2025, following the discovery of a security flaw that has come under active exploitation in the wild.

The vulnerability, tracked as CVE-2025-53690, carries a CVSS score of 9.0 out of a maximum of 10.0, indicating critical severity.

“Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud contain a deserialization of untrusted data vulnerability involving the use of default machine keys,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said.

“This flaw allows attackers to exploit exposed ASP.NET machine keys to achieve remote code execution.”

Google-owned Mandiant, which discovered the active ViewState deserialization attack, said the activity leveraged a sample machine key that had been exposed in Sitecore deployment guides from 2017 and earlier. The threat intelligence team did not link the activity to a known threat actor or group.

“The attacker’s deep understanding of the compromised product and the exploited vulnerability was evident in their progression from initial server compromise to privilege escalation,” researchers Rommel Joven, Josh Fleischer, Joseph Sciuto, Andi Slok, and Choon Kiat Ng said.

The abuse of publicly disclosed ASP.NET machine keys was first documented by Microsoft in February 2025, with the tech giant observing limited exploitation activity dating back to December 2024, in which unknown threat actors leveraged the key to deliver the Godzilla post-exploitation framework.

Then in May 2025, ConnectWise disclosed an improper authentication flaw impacting ScreenConnect (CVE-2025-3935, CVSS score: 8.1) that it said had been exploited in the wild by a nation-state threat actor to conduct ViewState code injection attacks targeting a small set of customers.

As recently as July, the Initial Access Broker (IAB) known as Gold Melody was attributed to a campaign that exploits leaked ASP.NET machine keys to obtain unauthorized access to organizations and sell that access to other threat actors.

In the attack chain documented by Mandiant, CVE-2025-53690 is weaponized to achieve initial compromise of the internet-facing Sitecore instance, leading to the deployment of a combination of open-source and custom tools to facilitate reconnaissance, remote access, and Active Directory reconnaissance.

The ViewState payload delivered using the sample machine key specified in publicly available deployment guides is a .NET assembly dubbed WEEPSTEEL, which is capable of gathering system, network, and user information, and exfiltrating the details back to the attacker. The malware borrows some of its functionality from an open-source Python tool named ExchangeCmdPy.py.

With the access obtained, the attackers have been found to establish a foothold, escalate privileges, maintain persistence, conduct internal network reconnaissance, and move laterally across the network, ultimately leading to data theft. Some of the tools used during these phases are listed below –

• EarthWorm for network tunneling using SOCKS
• DWAgent for persistent remote access and Active Directory reconnaissance to identify Domain Controllers within the target network
• SharpHound for Active Directory reconnaissance
• GoTokenTheft for listing unique user tokens active on the system, executing commands using the tokens of users, and listing all running processes and their associated user tokens
• Remote Desktop Protocol (RDP) for lateral movement

The threat actors have also been observed creating local administrator accounts (asp$ and sawadmin) to dump SAM/SYSTEM hives in an attempt to obtain administrator credentials access and facilitate lateral movement via RDP.

“With administrator accounts compromised, the earlier created asp$ and sawadmin accounts were removed, signaling a shift to more stable and covert access methods,” Mandiant added.

To counter the threat, organizations are recommended to rotate the ASP.NET machine keys, lock down configurations, and scan their environments for signs of compromise.

“The upshot of CVE-2025-53690 is that an enterprising threat actor somewhere has apparently been using a static ASP.NET machine key that was publicly disclosed in product docs to gain access to exposed Sitecore instances,” Caitlin Condon, VP of security research at VulnCheck, told The Hacker News.

“The zero-day vulnerability arises from both the insecure configuration itself (i.e., use of the static machine key) and the public exposure — and as we’ve seen plenty of times before, threat actors definitely read documentation. Defenders who even slightly suspect they might be affected should rotate their machine keys immediately and ensure, wherever possible, that their Sitecore installations are not exposed to the public internet.”

Ryan Dewhurst, head of proactive threat intelligence at watchTowr, said the issue is the result of Sitecore customers copying and pasting example keys from official documentation, rather than generating unique, random ones.

“Any deployment running with these known keys was left exposed to ViewState deserialization attacks, a straight path right to Remote Code Execution (RCE),” Dewhurst added.

“Sitecore has confirmed that new deployments now generate keys automatically and that all affected customers have been contacted. The blast radius remains unknown, but this bug exhibits all the characteristics that typically define severe vulnerabilities. The wider impact has not yet surfaced, but it will.”

The threat actor behind the malware-as-a-service (MaaS) framework and loader called CastleLoader has also developed a remote access trojan known as CastleRAT.

“Available in both Python and C variants, CastleRAT’s core functionality consists of collecting system information, downloading and executing additional payloads, and executing commands via CMD and PowerShell,” Recorded Future Insikt Group said.

The cybersecurity company is tracking the threat actor behind the malware families as TAG-150. Believed to be active since at least March 2025, CastleLoader et al are seen as initial access vectors for a wide range of secondary payloads, including remote access trojans, information stealers, and even other loaders.

CastleLoader was first documented by Swiss cybersecurity company PRODAFT in July 2025, as having been put to use in various campaigns distributing DeerStealer, RedLine, StealC, NetSupport RAT, SectopRAT, and Hijack Loader.

A subsequent analysis from IBM X-Force last month found that the malware has also served as a conduit for MonsterV2 and WARMCOOKIE through SEO poisoning and GitHub repositories impersonating legitimate software.

“Infections are most commonly initiated through Cloudflare-themed ‘ClickFix’ phishing attacks or fraudulent GitHub repositories masquerading as legitimate applications,” Recorded Future said.

“The operators employ the ClickFix technique by leveraging domains that imitate software development libraries, online meeting platforms, browser update alerts, and document verification systems.”

Evidence indicates that TAG-150 has been working on CastleRAT since March 2025, with the threat actor leveraging a multi-tiered infrastructure comprising Tier 1 victim-facing command-and-control (C2) servers, as well as Tier 2 and Tier 3 servers that are mostly virtual private servers (VPSes), and Tier 4 backup servers.

CastleRAT, the newly discovered addition to TAG-150’s arsenal, can download next-stage payloads, enable remote shell capabilities, and even delete itself. It also uses Steam Community profiles as dead drop resolvers to host C2 servers (“programsbookss[.]com”).

Notably, CastleRAT comes in two versions, one written in C and the other, programmed in Python, with the latter also called PyNightshade. It’s worth noting that eSentire is tracking the same malware under the name NightshadeC2.

The C variant of CastleRAT incorporates more functionality, allowing it to log keystrokes, capture screenshots, upload/download files, and function as a cryptocurrency clipper to substitute wallet addresses copied to the clipboard with an attacker-controlled one with the aim of redirecting transactions.

“As with the Python variant, the C variant queries the widely abused IP geolocation service ip-api[.]com to collect information based on the infected host’s public IP address,” Recorded Future said. “However, the scope of data has been expanded to include the city, ZIP code, and indicators of whether the IP is associated with a VPN, proxy, or TOR node.”

That said, recent iterations of the C variant of CastleRAT have removed querying of the city and ZIP code from ip-api[.]com, indicating active development. It remains to be seen if its Python counterpart will attain feature parity.

eSentire, in its own analysis of NightshadeC2, described it as a botnet that’s deployed by means of a .NET loader, which, in turn, makes use of techniques like UAC Prompt Bombing to sidestep security protections. The Canadian cybersecurity company said it also identified variants equipped with features to extract passwords and cookies from Chromium- and Gecko-based web browsers.

In a nutshell, the process involves running a PowerShell command in a loop that attempts to add an exclusion in Windows Defender for the final payload (i.e., NightshadeC2), after which the loader verifies the exit code of the PowerShell process to ascertain if it’s 0 (meaning success).

If the exclusion is successfully added, the loader proceeds to deliver the malware. If any other exit code other than 0 is returned, the loop keeps executing repeatedly, forcing the user to approve the User Account Control (UAC) prompt.

“A particularly notable aspect of this approach is that systems with the WinDefend (Windows Defender) service disabled will generate non-zero exit codes, causing malware analysis sandboxes to become trapped in the execution loop,” eSentire said, adding the method enables a bypass of multiple sandbox solutions.

The development comes as Hunt.io detailed another malware loader codenamed TinyLoader that has been used to serve Redline Stealer and DCRat.

Besides establishing persistence by modifying Windows Registry settings, the malware monitors the clipboard and instantly replaces copied crypto wallet addresses. Its C2 panels are hosted across Latvia, the U.K., and the Netherlands.

“TinyLoader installs both Redline Stealer and cryptocurrency stealers to harvest credentials and hijack transactions,” the company said. “It spreads through USB drives, network shares, and fake shortcuts that trick users into opening it.”

The findings also coincide with the discovery of two new malware families, a Windows-based keylogger called TinkyWinkey and a Python information stealer referred to as Inf0s3c Stealer, that can collect keyboard input and gather extensive system information, respectively.

Further analysis of Inf0s3c Stealer has identified points of similarity with Blank Grabber and Umbral-Stealer, two other publicly available malware families, suggesting that the same author could be responsible for all three strains.

“TinkyWinkey represents a highly capable and stealthy Windows-based keylogger that combines persistent service execution, low-level keyboard hooks, and comprehensive system profiling to gather sensitive information,” CYFIRMA said.

Inf0s3c Stealer “systematically collects system details, including host identifiers, CPU information, and network configuration, and captures screenshots. It enumerates running processes and generates hierarchical views of user directories, such as Desktop, Documents, Pictures, and Downloads.”

Sep 05, 2025Ravie LakshmananVulnerability / Enterprise Security

A critical security vulnerability impacting SAP S/4HANA, an Enterprise Resource Planning (ERP) software, has come under active exploitation in the wild.

The command injection vulnerability, tracked as CVE-2025-42957 (CVSS score: 9.9), was fixed by SAP as part of its monthly updates last month.

“SAP S/4HANA allows an attacker with user privileges to exploit a vulnerability in the function module exposed via RFC,” according to a description of the flaw in the NIST National Vulnerability Database (NVD). “This flaw enables the injection of arbitrary ABAP code into the system, bypassing essential authorization checks.

Successful exploration of the defect could result in a full system compromise of the SAP environment, subverting the confidentiality, integrity, and availability of the system. In short, it can permit attackers to modify the SAP database, create superuser accounts with SAP_ALL privileges, download password hashes, and alter business processes.

SecurityBridge Threat Research Labs, in an alert issued Thursday, said it has observed active exploitation of the flaw, stating the issue impacts both on-premise and Private Cloud editions.

“Exploitation requires access only to a low-privileged user to fully compromise an SAP system,” the company said. “A complete system compromise with minimal effort required, where successful exploitation can easily lead to fraud, data theft, espionage, or the installation of ransomware.”

It also noted that while widespread exploitation has not yet been detected, threat actors possess the knowledge to use it, and that reverse engineering the patch to create an exploit is “relatively easy.”

As a result, organizations are advised to apply the patches as soon as possible, monitor logs for suspicious RFC calls or new admin users, and ensure appropriate segmentation and backups are in place.

“Consider implementing SAP UCON to restrict RFC usage and review and restrict access to authorization object S_DMIS activity 02,” it also said.

Sep 05, 2025Ravie LakshmananMalware / Cryptocurrency

Cybersecurity researchers have flagged a new malware campaign that has leveraged Scalable Vector Graphics (SVG) files as part of phishing attacks impersonating the Colombian judicial system.

The SVG files, according to VirusTotal, are distributed via email and designed to execute an embedded JavaScript payload, which then decodes and injects a Base64-encoded HTML phishing page masquerading as a portal for Fiscalía General de la Nación, the Office of the Attorney General of Colombia.

The page then simulates an official government document download process with a fake progress bar, while it stealthily triggers the download of a ZIP archive in the background. The exact nature of the ZIP file was not disclosed.

The Google-owned malware scanning service said it found 44 unique SVG files, all of which have remained undetected by antivirus engines, owing to the use of techniques like obfuscation, polymorphism, and large amounts of junk code to evade static detection methods.

In all, as many as 523 SVG files have been detected in the wild, with the earliest sample dating back to August 14, 2025.

“Looking deeper, we saw that the earliest samples were larger, around 25 MB, and the size decreased over time, suggesting the attackers were evolving their payloads,” VirusTotal said.

The disclosure comes as cracked versions of legitimate software and ClickFix-style tactics are being used to lure users into infecting their Apple macOS systems with an information stealer called Atomic macOS Stealer (AMOS), exposing businesses to credential stuffing, financial theft, and other follow-on attacks.

“AMOS is designed for broad data theft, capable of stealing credentials, browser data, cryptocurrency wallets, Telegram chats, VPN profiles, keychain items, Apple Notes, and files from common folders,” Trend Micro said. “AMOS shows that macOS is no longer a peripheral target. As macOS devices gain ground in enterprise settings, they have become a more attractive and lucrative focus for attackers.”

The attack chain essentially involves targeting users looking for cracked software on sites like haxmac[.]cc, redirecting them to bogus download links that provide installation instructions designed to trick them into running malicious commands on the Terminal app, thus triggering the deployment of AMOS.

It’s worth noting that Apple prevents the installation of .dmg files lacking proper notarization due to macOS’s Gatekeeper protections, which require the application packages to be signed by an identified developer and notarized by Apple.

“With the release of macOS Sequoia, attempts to install malicious or unsigned .dmg files, such as those used in AMOS campaigns, are blocked by default,” the company added. “While this doesn’t eliminate the risk entirely, especially for users who may bypass built-in protections, it raises the barrier for successful infections and forces attackers to adapt their delivery methods.”

This is why threat actors are increasingly banking on ClickFix, as it allows the stealer to be installed on the machine using Terminal by means of a curl command specified in the software download page.

“While macOS Sequoia’s enhanced Gatekeeper protections successfully blocked traditional .dmg-based infections, threat actors quickly pivoted to terminal-based installation methods that proved more effective in bypassing security controls,” Trend Micro said. “This shift highlights the importance of defense-in-depth strategies that don’t rely solely on built-in operating system protections.”

The development also follows the discovery of a “sprawling cyber campaign” that’s targeting gamers on the lookout for cheats with StealC stealer and crypto theft malware, netting the threat actors more than $135,000.

Per CyberArk, the activity is notable for leveraging StealC’s loader capabilities to download additional payloads, in this case, a cryptocurrency stealer that can siphon digital assets from users on infected machines.

Cybersecurity researchers have lifted the lid on a previously undocumented threat cluster dubbed GhostRedirector that has managed to compromise at least 65 Windows servers primarily located in Brazil, Thailand, and Vietnam.

The attacks, per Slovak cybersecurity company ESET, led to the deployment of a passive C++ backdoor called Rungan and a native Internet Information Services (IIS) module codenamed Gamshen. The threat actor is believed to be active since at least August 2024.

“While Rungan has the capability of executing commands on a compromised server, the purpose of Gamshen is to provide SEO fraud as-a-service, i.e., to manipulate search engine results, boosting the page ranking of a configured target website,” ESET researcher Fernando Tavella said in a report shared with The Hacker News.

“Even though Gamshen only modifies the response when the request comes from Googlebot – i.e., it does not serve malicious content or otherwise affect regular visitors of the websites – participation in the SEO fraud scheme can hurt the compromised host website’s reputation by associating it with shady SEO techniques and the boosted websites.”

Some of the other targets of the hacking group include Peru, the U.S., Canada, Finland, India, the Netherlands, the Philippines, and Singapore. The activity is also said to be indiscriminate, with entities in the education, healthcare, insurance, transportation, technology, and retail sectors singled out.

Initial access to target networks is accomplished by exploiting a vulnerability, likely an SQL injection flaw, after which PowerShell is used to deliver additional tools hosted on a staging server (“868id[.]com”).

“This conjecture is supported by our observation that most unauthorized PowerShell executions originated from the binary sqlserver.exe, which holds a stored procedure xp_cmdshell that can be used to execute commands on a machine,” ESET said.

Rungan is designed to await incoming requests from a URL matching a predefined pattern (i.e., “https://+:80/v1.0/8888/sys.html”), and then proceeds to parse and execute the commands embedded in them. It supports four different commands –

• mkuser, to create a user on the server with the username and password provided
• listfolder, to collect information from a provided path (unfinished)
• addurl, to register new URLs that the backdoor can listen on
• cmd, to run a command on the server using pipes and the CreateProcessA API

Written in C/C++, Gamshen is an example of an IIS malware family called “Group 13,” which can act both as a backdoor and conduct SEO fraud. It functions similar to IISerpent, another IIS-specific malware that was documented by ESET back in August 2021.

IISerpent, configured as a malicious extension for Microsoft’s web server software, allows it to intercept all HTTP requests made to the websites hosted by the compromised server, specifically those originating from search engine crawlers, and change the server’s HTTP responses with the goal of redirecting the search engines to a scam website of the attacker’s choosing.

“GhostRedirector attempts to manipulate the Google search ranking of a specific, third-party website by using manipulative, shady SEO techniques such as creating artificial backlinks from the legitimate, compromised website to the target website,” Tavella said.

It’s currently not known where these backlinks redirect unsuspecting users to, but it’s believed that the SEO fraud scheme is being used to promote various gambling websites.

Also dropped alongside Rungan and Gamshen are various other tools –

• GoToHTTP to establish a remote connection that’s accessible from a web browser
• BadPotato or EfsPotato for creating a privileged user in the Administrators group
• Zunput to collect information about websites hosted on the IIS server and drop ASP, PHP, and JavaScript web shells

It’s assessed with medium confidence that GhostRedirector is a China-aligned threat actor based on the presence of hard-coded Chinese strings in the source code, a code-signing certificate issued to a Chinese company, Shenzhen Diyuan Technology Co., Ltd., to sign the privilege escalation artifacts, and the use of the password “huang” for one of the GhostRedirector-created users on the compromised server.

That said, GhostRedirector is not the first China-linked threat actor to use malicious IIS modules for SEO fraud. Over the past year, both Cisco Talos and Trend Micro have detailed a Chinese-speaking group known as DragonRank that has engaged in SEO manipulation via BadIIS malware.

“Gamshen abuses the credibility of the websites hosted on the compromised server to promote a third-party, gambling website – potentially a paying client participating in an SEO fraud as-a-service scheme,” the company said.

“GhostRedirector also demonstrates persistence and operational resilience by deploying multiple remote access tools on the compromised server, on top of creating rogue user accounts, all to maintain long-term access to the compromised infrastructure.”

Sep 04, 2025Ravie LakshmananCybersecurity / Malware

The Russian state-sponsored hacking group tracked as APT28 has been attributed to a new Microsoft Outlook backdoor called NotDoor in attacks targeting multiple companies from different sectors in NATO member countries.

NotDoor “is a VBA macro for Outlook designed to monitor incoming emails for a specific trigger word,” S2 Grupo’s LAB52 threat intelligence team said. “When such an email is detected, it enables an attacker to exfiltrate data, upload files, and execute commands on the victim’s computer.”

The artifact gets its name from the use of the word “Nothing” within the source code, the Spanish cybersecurity company added. The activity highlights the abuse of Outlook as a stealthy communication, data exfiltration, and malware delivery channel.

The exact initial access vector used to deliver the malware is currently not known, but analysis shows that it’s deployed via Microsoft’s OneDrive executable (“onedrive.exe”) using a technique referred to as DLL side-loading.

This leads to the execution of a malicious DLL (“SSPICLI.dll”), which then installs the VBA backdoor and disables macro security protections.

Specifically, it runs Base64-encoded PowerShell commands to perform a series of actions that involve beaconing to an attacker-controlled webhook[.]site, setting up persistence through Registry modifications, enabling macro execution, and turning off Outlook-related dialogue messages to evade detection.

NotDoor is designed as an obfuscated Visual Basic for Applications (VBA) project for Outlook that makes use of the Application.MAPILogonComplete and Application.NewMailEx events to run the payload every time Outlook is started or a new email arrives.

It then proceeds to create a folder at the path %TEMP%Temp if it does not exist, using it as a staging folder to store TXT files created during the course of the operation and exfiltrate them to a Proton Mail address. It also parses incoming messages for a trigger string, such as “Daily Report,” causing it to extract the embedded commands to be executed.

The malware supports four different commands –

• cmd, to execute commands and return the standard output as an email attachment
• cmdno, to execute commands
• dwn, to exfiltrate files from the victim’s computer by sending them as email attachments
• upl, to drop files to the victim’s computer

“Files exfiltrated by the malware are saved in the folder,” LAB52 said. “The file contents are encoded using the malware’s custom encryption, sent via email, and then deleted from the system.”

The disclosure comes as Beijing-based 360 Threat Intelligence Center detailed Gamaredon‘s (aka APT-C-53) evolving tradecraft, highlighting its use of Telegram-owned Telegraph as a dead-drop resolver to point to command-and-control (C2) infrastructure.

The attacks are also notable for the abuse of Microsoft Dev Tunnels (devtunnels.ms), a service that allows developers to securely expose local web services to the internet for testing and debugging purposes, as C2 domains for added stealth.

“This technique provides twofold advantages: first, the original C2 server IP is completely masked by Microsoft’s relay nodes, blocking threat intelligence tracebacks based on IP reputation,” the cybersecurity company said.

“Second, by exploiting the service’s ability to reset domain names on a minute-by-minute basis, the attackers can rapidly rotate infrastructure nodes, leveraging the trusted credentials and traffic scale of mainstream cloud services to maintain a nearly zero-exposure continuous threat operation.”

Attack chains entail the use of bogus Cloudflare Workers domains to distribute a Visual Basic Script like PteroLNK, which can propagate the infection to other machines by copying itself to connected USB drives, as well as download additional

payloads.

“This attack chain demonstrates a high level of specialized design, employing four layers of obfuscation (registry persistence, dynamic compilation, path masquerading, cloud service abuse) to carry out a fully covert operation from initial implantation to data exfiltration,” 360 Threat Intelligence Center said.