ThreatsDay Bulletin: $176M Crypto Fine, Hacking Formula 1, Chromium Vulns, AI Hijack & More

The activity of the Lumma Stealer (aka Water Kurita) information stealer has witnessed a “sudden drop” since last months after the identities of five alleged core group members were exposed as part of what’s said to be an aggressive underground exposure campaign dubbed Lumma Rats since late August 2025. The targeted individuals are affiliated with the malware’s development and administration, with their personally identifiable information (PII), financial records, passwords, and social media profiles leaked on a dedicated website. Since then, Lumma Stealer’s Telegram accounts were reportedly compromised on September 17, further hampering their ability to communicate with customers and coordinate operations. These actions have led customers to pivot to other stealers like Vidar and StealC. It’s believed the doxxing campaign is driven by internal rivalries. “The exposure campaign was accompanied by threats, accusations of betrayal within the cybercriminal community, and claims that the Lumma Stealer team had prioritized profit over the operational security of their clients,” Trend Micro said. “The campaign’s consistency and depth suggest insider knowledge or access to compromised accounts and databases.” While Lumma Stealer faced a setback earlier this year after its infrastructure was taken in a coordinated law enforcement effort, it quickly resurfaced and resumed its operations. Viewed in that light, the latest development could threaten its commercial viability and hurt customer trust. The development coincides with the emergence of Vidar Stealer 2.0, which has been completely rewritten from scratch using C, along with supporting multi-threaded architecture for faster, more efficient data exfiltration and improved evasion capabilities. It also incorporates advanced credential extraction methods to bypass Google Chrome’s app-bound encryption protections by means of memory injection techniques, and boasts of an automatic polymorphic builder to generate samples with distinct binary signatures, making static detection methods more challenging. “The new version of Vidar employs heavy use of control flow flattening, implementing complex switch-case structures with numeric state machines that can make reverse engineering more difficult,” Trend Micro said.

A large-scale scam operation has misappropriated the images and likenesses of Singapore government officials to deceive Singapore citizens and residents into engaging with a fraudulent investment platform. “The scam campaign relies on paid Google Ads, intermediary redirect websites designed to conceal fraudulent and malicious activity, and highly convincing fake web pages,” Group-IB said. “Victims were ultimately directed to a forex investment platform registered in Mauritius, operating under a seemingly legitimate legal entity with an official investment license. This structure created an illusion of compliance while enabling cross-border fraudulent activity.” On these scam platforms, victims are urged to fill in their personal information, after which they are aggressively pursued via phone calls to deposit substantial sums of money. In all, 28 verified advertiser accounts were used by the scammers to run malicious Google Ads campaigns. The ad distribution was managed primarily through verified advertiser accounts registered to individuals residing in Bulgaria, Romania, Latvia, Argentina, and Kazakhstan. These ads were configured such that they were only served to people searching or browsing from Singapore IP addresses. To enhance the scam’s legitimacy, the threat actors created 119 malicious domains that impersonated legitimate and reputable mainstream news outlets like CNA and Yahoo! News.

Cybersecurity researchers have discovered a malicious npm package named “https-proxy-utils” that’s designed to download and execute a payload from an external server (cloudcenter[.]top) containing the AdaptixC2 post-exploitation framework by means of a post-install script. It’s capable of targeting Windows, Linux, and macOS systems, employing OS-specific techniques to load and launch the implant. Once deployed, the agent can be used to remotely control the machine, execute commands, and achieve persistence. According to data from ReversingLabs, the package was uploaded to npm by a user named “bestdev123” on July 28, 2025. It has 57 recorded downloads. The package is no longer available on the npm registry. While attackers abusing security tools for nefarious purposes is not a new phenomenon, coupling it with rogue packages on open-source repositories exposes users to supply chain risks. “This malicious package emphasizes once more that developers must exercise extreme caution when choosing what to install and depend on, as the supply chain landscape is filled with thousands of packages—often with deceptively similar names—making it far from straightforward to distinguish legitimate components from malicious impostors.” Henrik Plate, cybersecurity expert at Endor Labs, said. “In addition, they should consider disabling post-installation hooks, to prevent malware from being executed upon installation, e.g., by using npm’s –ignore-scripts option, or by using pnpm, which started to disable the use of lifecycle scripts by default.”

Financial regulators in Canada issued $176 million in fines against Xeltox Enterprises Ltd. (aka Cryptomus and Certa Payments Ltd.), a digital payments platform that supports dozens of Russian cryptocurrency exchanges and websites peddling cybercrime services, according to security journalist Brian Krebs. FINTRAC said the service “failed to submit suspicious transaction reports for transactions where there were reasonable grounds to suspect that they were related to the laundering of proceeds connected to trafficking in child sexual abuse material, fraud, ransomware payments, and sanctions evasion.” The agency said it found 1,068 instances where Cryptomus did not submit reports for July 2024 transactions involving known darknet markets and virtual currency wallets with ties to criminal activity.

A security flaw in the Oat++ implementation of Anthropic’s Model Context Protocol (MCP) could allow attackers to predict or capture session IDs from active AI conversations, hijack MCP sessions, and inject malicious responses via the oatpp-mcp server. The vulnerability, dubbed Prompt Hijacking, is being tracked as CVE-2025-6515 (CVSS score: 6.8). While the generated session ID used with Server-Sent Events (SSE) transports is designed to route responses from the MCP server to the client and distinguish between different MCP client sessions, the attack takes advantage of the fact that SSE does not require session IDs to be unique and cryptographically secure (a requirement enforced in the newer Streamable HTTP specification) to allow a threat actor in possession of a valid session ID to send malicious requests to the MCP server, allowing them to hijack the responses and relay a poisoned response back to the client. “Once a session ID is reused, the attacker can send POST requests using the hijacked ID, for example – Requesting tools, triggering prompts, or injecting commands, and the server will forward the relevant responses to the victim’s active GET connection in addition to the responses generated for the victim’s original requests,” JFrog said.

Proofpoint has developed an automated toolkit named Fassa (short for “Future Account Super Secret Access”), which demonstrates methods by which threat actors establish persistent access through malicious OAuth applications. The tool has not been made publicly available. “The strategic value of this approach lies in its persistence mechanism: even if the compromised user’s credentials are reset or multifactor authentication is enforced, the malicious OAuth applications maintain their authorized access,” the enterprise security company said. “This creates a resilient backdoor that can remain undetected within the environment indefinitely, unless specifically identified and remediated.” In one real-world attack observed by Proofpoint, threat actors have been found to take control of Microsoft accounts using an adversary-in-the-middle (AiTM) phishing kit known as Tycoon, and then created malicious mailbox rules and registered a second-party (aka internal) OAuth application named “test” to enable persistent access to the victim’s mailbox even after the password is reset.

Cybersecurity researchers Gal Nagli, Ian Carroll, and Sam Curry have disclosed a severe vulnerability in a critical Driver Categorisation portal (“driverscategorisation.fia[.]com”) managed by the International Automobile Federation (FIA) that could make it possible to access the sensitive data associated with every Formula 1 (F1) driver, including passport, driver’s license, and personal information. While the portal allows any individual to open an account, along with providing supporting documents, the researchers found that sending a specially crafted request where they assume the role of an “ADMIN” is enough to trick the system into actually assigning administrative privileges to a newly created account, using which an attacker could access detailed driver profiles. Following responsible disclosure on June 3, 2025, a comprehensive fix for the bug was rolled out on June 10. “[The vulnerability is] called ‘Mass Assignment’ – a classic web / api security flaw,” Nagli said. “In simple terms: The server trusted whatever we sent it, without checking if we were ALLOWED to change those fields.”

Google has launched a comprehensive agentic platform with the goal of accelerating threat analysis and response. The platform, available in preview for Google Threat Intelligence Enterprise and Enterprise+ customers, provides users with a set of specialized agents for cyber threat intelligence (CTI) and malware analysis. “When you ask a question, the platform intelligently selects the best agent and tools to craft your answer, scouring everything from the open web and OSINT to the deep and dark web and our own curated threat reports,” Google said. In the event the query is about a malicious file, it routes the task to its malware analyst agent to provide the “most precise and relevant information.” The tech giant said the platform is designed to uncover hidden connections that exist between threat actors, vulnerabilities, malware families, and campaigns by tapping into Google Threat Intelligence’s comprehensive security dataset.

A new phishing kit named Tykit is being used to serve fake Microsoft 365 login pages to which users are redirected to via email messages containing SVG files as attachments. Once opened, the SVG file executes a “trampoline” JavaScript code to take the victim to the phishing page, but not before completing a Cloudflare Turnstile security check. “It’s worth noting that the client-side code includes basic anti-debugging measures, for example, it blocks key combinations that open DevTools and disables the context menu,” ANY.RUN said. Once the credentials are entered, the user is redirected to the legitimate page to avoid raising any suspicion.

GitGuardian said it has uncovered a path traversal vulnerability in Smithery.ai that provided unauthorized access to thousands of MCP servers and their associated credentials, leading to a major supply chain risk. The problem has to do with the fact that the smithery.yaml configuration file used to build a server in Docker contains an improperly controlled property called dockerBuildPath, which allows any arbitrary path to be specified. “A simple configuration bug allowed attackers to access sensitive files on the registry’s infrastructure, leading to the theft of overprivileged administrative credentials,” GitGuardian said. “These stolen credentials provided access to over 3,000 hosted AI servers, enabling the theft of API keys and secrets from potentially thousands of customers across hundreds of services.” The issue has since been addressed, and there is no evidence it was exploited in the wild.

Researchers have found that it’s possible to bypass the human approval step required when running sensitive system commands using modern artificial intelligence (AI) agents. According to Trail of Bits, this bypass can be achieved through argument injection attacks that exploit pre-approved commands, allowing an attacker to achieve remote code execution (RCE). To counter these risks, it’s recommended to sandbox agent operations from the host system, reduce safe command allowlists, and use safe command execution methods that prevent shell interpretation.

A security vulnerability in the python-socketio library (CVE-2025-61765, CVSS score: 6.4) could permit attackers to execute arbitrary Python code through malicious pickle deserialization in scenarios where they have already gained access to the message queue that the servers use for internal communications. “The pickle module is designed for serializing and deserializing trusted Python objects,” BlueRock said. “It was never intended to be a secure format for communicating between systems that don’t implicitly trust each other. Yet, the python-socketio client managers indiscriminately unpickle every message received from the shared message broker.” As a result, a threat actor with access to the message queue can send a specially crafted pickle payload that gets executed once it’s deserialized. The issue has been addressed in version 5.14.0 of the library.

AI-powered coding tools like Cursor and Windsurf have been found vulnerable to more than 94 known and patched security issues in the Chromium browser and the V8 JavaScript engine, putting over 1.8 million developers at risk, according to OX Security. The problem is that both the development environments are built on old versions of Visual Studio Code that are bundled with an Electron application runtime that points to outdated versions of the open-source Chromium browser and Google’s V8 engine. “This is a classic supply chain attack waiting to happen,” the cybersecurity company said. “Cursor and Windsurf must prioritize upstream security updates. Until they do, 1.8 million developers remain exposed to attacks that could compromise not just their machines, but the entire software supply chain they’re part of.”

Cybersecurity researchers have discovered a new attack chain that leverages bogus installers for Google Chrome as a lure to drop a remote access trojan called ValleyRAT as part of a multi-stage process. The binary is designed to drop an intermediate payload that scans for antivirus products primarily used in China and uses a kernel driver to terminate the associated processes so as to evade detection. ValleyRAT is launched by means of a DLL downloader that retrieves the malware from an external server (“202.95.11[.]152”). Also called Winos 4.0, the malware is linked to a Chinese cybercrime group known as Silver Fox. “Our analysis revealed Chinese language strings within the binary, including the internal DLL name, and identified that the targeted security solutions are products from Chinese vendors,” Cyderes researcher Rahul Ramesh said. “This indicates the attackers have knowledge of the regional software environment and suggests the campaign is tailored to target victims in China.” It’s worth noting that similar fake installers for Chrome have been used to distribute Gh0st RAT in the past.

Varonis has disclosed details of a loophole that allows attackers to impersonate Microsoft applications by creating malicious apps with deceptive names such as “Azure Portal” or “Azure SQL Database” with hidden Unicode characters, effectively bypassing safeguards put in place to prevent the use of reserved names. This includes inserting “0x34f” between the application name such as “Az$([char]0x34f)ur$([char]0x34f)e Po$([char]0x34f)rtal.” This technique, codenamed Azure App-Mirage by Varonis, could then be combined with approaches like device code phishing to trick users into sharing authentication codes and gain unauthorized access to their accounts. Microsoft has since rolled out fixes to plug the issue.

Threat actors have been observed exploiting weaknesses in internet-facing database servers and abusing legitimate commands to steal, encrypt, or destroy data and demand payment in exchange for returning the files or keeping them private. This is part of an ongoing trend where attackers are increasingly going malware-less, instead resorting to living-off-the-land techniques to blend in with normal activity and achieve their goals. “Attackers connect remotely to these servers, copy the data to another location, wipe the database, and then leave behind a ransom note stored in the database itself,” cloud security firm Wiz said. “This approach bypasses many conventional detection methods because no malicious binary is ever dropped; the damage is done entirely with normal database commands.” Some of the most targeted database servers in ransomware attacks include MongoDB, PostgreSQL, MySQL, Amazon Aurora MySQL, and MariaDB.

Attackers are increasingly employing Cascading Style Sheets’ (CSS) text, visibility and display properties, and sizing properties to insert hidden text (paragraphs and comments) and characters into emails in what’s seen as a way to slip past spam filters and enterprise security defenses. “There is widespread use of hidden text salting in malicious emails to bypass detection,” Cisco Talos researcher Omid Mirzaei said. “Attackers embed hidden salt in the preheader, header, attachments, and body — using characters, paragraphs, and comments — by manipulating text, visibility, and sizing properties.” The cybersecurity company also noted that hidden content is more commonly found in spam and other email threats than in legitimate emails. This creates a challenge for security solutions that rely on a large language model (LLM) to classify incoming messages, as a threat actor can conceal hidden prompts to influence the outcome.