ThreatsDay Bulletin: AI Tools in Malware, Botnets, GDI Flaws, Election Attacks & More

Details have emerged about three now-patched security vulnerabilities in Windows Graphics Device Interface (GDI) that could enable remote code execution and information disclosure. These issues –
CVE-2025-30388,
CVE-2025-53766, and
CVE-2025-47984 – involve out-of-bounds memory access triggered through malformed enhanced metafile (EMF) and EMF+ records that can cause memory corruption during image rendering. They are rooted in gdiplus.dll and gdi32full.dll, which process vector graphics, text, and print operations. They were addressed by Microsoft in the Patch Tuesday updates in May, July, and August 2025 in gdiplus.dll versions 10.0.26100.3037 through 10.0.26100.4946 and gdi32full.dll version 10.0.26100.4652. “Security vulnerabilities can persist undetected for years, often resurfacing due to incomplete fixes,” Check Point
said.
“A particular information disclosure vulnerability, despite being formally addressed with a security patch, remained active for years due to the original issue receiving only a partial fix. This example underscores a basic conundrum for researchers: introducing a vulnerability is often easy, fixing it can be difficult, and verifying that a fix is both thorough and effective is even more challenging.”

Three Chinese nationals, Yan Peijian, 39, Huang Qinzheng, 37, and Liu Yuqi, 33, were convicted and sentenced to a little over two years in prison in Singapore for their involvement in hacking into overseas gambling websites and companies for the purposes of cheating during gameplay and stealing databases of personally identifiable information for trade. The three individuals, part of a group of five Chinese nationals and one Singaporean man, were originally arrested and charged in September 2024. “The three accused persons were tasked by the syndicate’s group leader to probe sites of interest for system vulnerabilities, conduct penetration attacks, and exfiltrate personal information from the compromised systems,” the Singapore Police Force said. “Further investigations revealed that the syndicate possessed foreign government data, including confidential communications.” The three defendants were also found to be in possession of tools like PlugX and “hundreds of different remote access trojans” to conduct cyber attacks. According to Channel News Asia, the three men entered the country on fake work permits in 2022 and worked for a 38-year-old Ni-Vanuatu citizen named Xu Liangbiao. They were paid about $3 million for their work. Xu, the alleged leader, is said to have left Singapore in August 2023. His present whereabouts are unknown.

The malware known as RondoDox has witnessed a 650% increase in exploitation vectors, expanding from niche DVR targeting to enterprise. This includes more than 15 new exploitation vectors targeting LB-LINK, Oracle WebLogic Server, PHPUnit, D-Link, NETGEAR, Linksys, Tenda, TP-Link devices, as well as a new command-and-control (C2) infrastructure on compromised residential IP. Once dropped, the malware proceeds to eliminate competition by killing existing malware such as XMRig and other botnets, disabling SELinux and AppArmor, and running the main payload that’s compatible with the system architecture.

The U.S. Department of Homeland Security (DHS) has proposed an amendment to existing regulations governing the use and collection of biometric information. The agency has put forth requirements for a “robust system for biometrics collection, storage, and use related to adjudicating immigration benefits and other requests and performing other functions necessary for administering and enforcing immigration and naturalization laws.” As part of the plan, any individual filing or associated with a benefit request or other request or collection of information, including U.S. citizens, U.S. nationals, and lawful permanent residents, must submit biometrics, regardless of their age, unless DHS otherwise exempts the requirement. The agency said using biometrics for identity verification and management will assist DHS’s efforts to combat trafficking, confirm the results of biographical criminal history checks, and deter fraud. The DHS is taking comments on the proposal until January 2, 2026.

Cybersecurity researchers have discovered a new large-scale attack infrastructure dubbed TruffleNet that’s built around the open-source tool TruffleHog, which is used to systematically test compromised credentials and perform reconnaissance across Amazon Web Services’ (AWS) environments. “In one incident involving multiple compromised credentials, we recorded activity from more than 800 unique hosts across 57 distinct Class C networks,” Fortinet said. “This infrastructure was characterized by the use of TruffleHog, a popular open-source secret-scanning tool, and by consistent configurations, including open ports and the presence of Portainer,” an open-source management UI for Docker and Kubernetes that simplifies container deployment and orchestration. In these activities, the threat actors make calls to the GetCallerIdentity and GetSendQuota APIs to test whether the credentials are valid and abuse the Simple Email Service (SES). While no follow-on actions were observed by Fortinet, it’s assessed that the attacks originate from a possibly tiered infrastructure, with some nodes dedicated to reconnaissance and others reserved for later stages of the attack. Also observed alongside the TruffleNet reconnaissance activity is the abuse of SES for Business Email Compromise (BEC) attacks. It’s currently not known if these are directly connected to each other. The development comes as Fortinet revealed that financially motivated adversaries are targeting a broad range of sectors but relying on the same low-complexity, high-return methods, typically gaining initial access through compromised credentials, external remote services like VPNs, and exploitation of public-facing applications. These attacks are often characterized by the use of legitimate remote access tools for secondary persistence and leveraging them for data exfiltration to their infrastructure.

PRODAFT has revealed that the financially motivated threat actor known as FIN7 (aka Savage Ladybug) has deployed since 2022 a “Windows specific SSH-based backdoor by packaging a self-contained OpenSSH toolset and an installer named install.bat.” The backdoor provides attackers with persistent remote access and reliable file exfiltration using an outbound reverse SSH tunnel and SFTP.

Web infrastructure company Cloudflare said Moldova’s Central Election Commission (CEC) experienced significant cyber attacks in the days leading to the country’s Parliament election on September 28. The CEC also witnessed a “series of concentrated, high-volume (DDoS) attacks strategically timed throughout the day” on the day of the elections. Attacks also targeted other election-related, civil society, and news websites. “These attack patterns mirrored those against the election authority, suggesting a coordinated effort to disrupt both official election processes and the public information channels voters rely on,” it said, adding it mitigated over 898 million malicious requests directed at the CEC over a 12-hour period between 09:06:00 UTC and 21:34:00 UTC.

The threat actor tracked as Silent Lynx (aka Cavalry Werewolf, Comrade Saiga, ShadowSilk, SturgeonPhisher, and Tomiris) has been observed targeting government entities, diplomatic missions, mining firms, and transportation companies. In one campaign, the adversary singled out organizations involved in Azerbaijan-Russian diplomacy, using phishing lures related to the CIS summit held in Dushanbe around mid-October 2025 to deliver the open-source Ligolo-ng reverse shell and a loader called Silent Loader that’s responsible for running a PowerShell script to connect to a remote server. Also deployed is a C++ implant named Laplas that’s designed to connect to an external server and receive additional commands for execution via “cmd.exe.” Another payload of note is SilentSweeper, a .NET backdoor that extracts and runs a PowerShell Script that acts as a reverse shell. The second campaign, on the other hand, aimed at China-Central Asia relations to distribute a RAR archive that led to the deployment of SilentSweeper. The activity has been codenamed Operation Peek-a-Baku by Seqrite Labs.

European organizations witnessed a 13% increase in ransomware over the past year, with entities in the U.K., Germany, Italy, France, and Spain most affected. A review of data leak sites over the period September 2024–August 2025 has revealed that the number of European victims has increased annually to 1,380. The most targeted sectors were manufacturing, professional services, technology, industrials, engineering, and retail. Since January 2024, over 2,100 victims across Europe have been named on extortion leak sites, with 92% involving file encryption and data theft. Akira (167), LockBit (162), RansomHub (141), INC, Lynx, and Sinobi were the most successful ransomware groups over the period. CrowdStrike said it’s also seeing a surge in violence-as-a-service offerings across the continent with the goal of securing big payouts, including physical cryptocurrency theft. Cybercriminals connected to The Com, a loose-knit collective of young, English-speaking hackers, and a Russia-affiliated group called Renaissance Spider have coordinated physical attacks, kidnapping, and arson through Telegram-based networks. Renaissance Spider, which has been active since October 2017, is also said to have emailed fake bomb threats to European entities, likely aiming to undermine support for Ukraine. There have been 17 of these kinds of attacks since January 2024, out of which 13 took place in France.

Cybersecurity researchers have discovered apps that use the branding of established services like OpenAI’s ChatGPT and DALL-E, and WhatsApp. While the fake DALL-E Android app (“com.openai.dalle3umagic”) is used for ad traffic generation, the ChatGPT wrapper app connects to legitimate OpenAI APIs while identifying itself as an “unofficial interface” for the artificial intelligence chatbot. Although not outright malicious, impersonation without transparency can expose users to unintended security risks. The counterfeit WhatsApp app, named WhatsApp Plus, masquerades as an upgraded version of the messaging platform, but contains stealthy payloads that can harvest contacts, SMS messages, and call logs. “The flood of cloned applications reflects a deeper problem: brand trust has become a vector for exploitation,” Appknox said. “As AI and messaging tools dominate the digital landscape, bad actors are learning that mimicking credibility is often more profitable than building new malware from scratch.”

Threat actors are continuing to launch phishing campaigns after their initial compromise by leveraging compromised internal email accounts to expand their reach both within the compromised organization as well as externally to partner entities. “The follow-on phishing campaigns were primarily oriented towards credential harvesting,” Cisco Talos said. “Looking forward, as defenses against phishing attacks improve, adversaries are seeking ways to enhance these emails’ legitimacy, likely leading to the increased use of compromised accounts post-exploitation.”

Recent phishing campaigns across East and Southeast Asia have been found to leverage multilingual ZIP file lures and shared web templates to target government and financial organizations. “These operations are characterized by multilingual web templates, region-specific incentives, and adaptive payload delivery mechanisms, demonstrating a clear shift toward scalable and automation-driven infrastructure,” Hunt.io said. “From China and Taiwan to Japan and Southeast Asia, the adversaries have continuously repurposed templates, filenames, and hosting patterns to sustain their operations while evading conventional detection. The strong overlap in domain structures, webpage titles, and scripting logic indicates a shared toolkit or centralized builder designed to automate payload delivery at scale. This investigation links multiple clusters to a unified phishing toolkit used across Asia.”

Authorities in Denmark have launched an investigation following a discovery that electric buses manufactured by the Chinese company Yutong had remote access to the vehicles’ control systems and allowed them to be remotely deactivated. This has raised security concerns that the loophole could be exploited to affect buses while in transit. “The testing revealed risks that we are now taking measures against,” Bernt Reitan Jenssen, chief executive of the Norwegian public transport authority Ruter, was quoted as saying. “National and local authorities have been informed and must assist with additional measures at a national level.”

Cloudflare has scrubbed domains associated with the massive AISURU botnet from its top domain rankings. According to security journalist Brian Krebs, AISURU’s operators are using the botnet to boost their malicious domain rankings, while simultaneously targeting the company’s domain name system (DNS) service.

A court in China has sentenced five members of a Myanmar crime syndicate to death for their roles in running industrial-scale scamming compounds near the border with China. The death sentences were handed out to the syndicate boss Bai Suocheng and his son Bai Yingcang, as well as Yang Liqiang, Hu Xiaojiang, and Chen Guangyi. Five others were sentenced to life. In all, 21 members and associates of the syndicate were convicted of fraud, homicide, injury, and other crimes. According to Xinhua, the defendants ran 41 industrial parks to facilitate telecommunications and online fraud at scale. The harsh penalty is the latest in a series of actions governments across the world have taken to combat the rise of cyber-enabled scam centers in Southeast Asia, where thousands are trafficked under the pretext of well-paying jobs, and are trapped, abused, and forced to defraud others in criminal operations worth billions. In September 2025, 11 members of the Ming crime family arrested during a 2023 cross-border crackdown were sentenced to death.

A coordinated law enforcement operation against a massive credit card fraud scheme dubbed Chargeback has led to the arrest of 18 suspects. The arrested individuals are German, Lithuanian, Dutch, Austrian, Danish, American, and Canadian nationals. “The alleged perpetrators are suspected of setting up an intricate scheme of fake online subscriptions to dating, pornography, and streaming services, among others, which were paid for by credit card,” Eurojust said. “Among those arrested are five executive officials from four German payment service providers. The perpetrators deliberately kept monthly credit card payments to their accounts below the maximum of EUR 50 to avoid arousing suspicion among victims about high transfer amounts.” The illicit scam is estimated to have defrauded at least €300 million from over 4.3 million credit card users with 19 million accounts in 193 countries between 2016 and 2021. The total value of attempted fraud against card users amounts to more than €750 million. Europol said the suspects used numerous shell companies, primarily registered in the U.K. and Cyprus, to conceal their activities.