Tag: Cyber Security

In SaaS security conversations, “misconfiguration” and “vulnerability” are often used interchangeably. But they’re not the same thing. And misunderstanding that distinction can quietly create real exposure.

This confusion isn’t just semantics. It reflects a deeper misunderstanding of the shared responsibility model, particularly in SaaS environments where the line between vendor and customer responsibility is often unclear.

A Quick Breakdown

Vulnerabilities are flaws in the codebase of the SaaS platform itself. These are issues only the vendor can patch. Think zero-days and code-level exploits.

Misconfigurations, on the other hand, are user-controlled. They result from how the platform is set up—who has access, what integrations are connected, and what policies are enforced (or not). A misconfiguration might look like a third-party app with excessive access, or a sensitive internal site that is accidentally public.

A Shared Model, but Split Responsibilities

Most SaaS providers operate under a shared responsibility model. They secure the infrastructure, deliver commitments on uptime, and provide platform-level protections. In SaaS, this model means the vendor handles the underlying hosting infrastructure and systems, while customers are responsible for how they configure the application, manage access, and control data sharing. It’s up to the customer to configure and use the application securely.

This includes identity management, permissions, data sharing policies, and third-party integrations. These are not optional layers of security. They’re foundational.

That disconnect is reflected in the data: 53% of organizations say their SaaS security confidence is based on trust in the vendor, according to the The State of SaaS Security 2025 Report. In reality, assuming vendors are handling everything can create a dangerous blind spot, especially when the customer controls the most breach-prone settings.

Threat Detection Can’t Catch What Was Never Logged

Most incidents don’t involve advanced attacks, or even a threat actor triggering an alert. Instead, they originate from configuration or policy issues that go unnoticed. The State of SaaS Security 2025 Report identifies that 41% of incidents were caused by permission issues and 29% by misconfigurations. These risks don’t appear in traditional detection tools (including SaaS threat detection platforms) because they’re not triggered by user behavior. Instead, they’re baked into how the system is set up. You only see them by analyzing configurations, permissions, and integration settings directly—not through logs or alerts.

Here’s what a typical SaaS attack path looks like—starting with access attempts and ending in data exfiltration. Each step can be blocked by either posture controls (prevent) or detected through anomaly and event-driven alerts (detect).

But not every risk shows up in a log file. Some can only be addressed by hardening your environment before the attack even begins.

Logs capture actions like logins, file access, or administrative changes. But excessive permissions, unsecured third-party connections, or overexposed data aren’t actions. They are conditions. If no one interacts with them, they leave no trace in the log files.

This gap is not just theoretical. Research into Salesforce’s OmniStudio platform (designed for low-code customization in regulated industries like healthcare, financial services, and government workflows) revealed critical misconfigurations that traditional monitoring tools failed to detect. These weren’t obscure edge cases. They included permission models that exposed sensitive data by default and low-code components that granted broader access than intended. The risks were real, but the signals were silent.

While detection remains critical for responding to active threats, it must be layered on top of a secure posture, not as a substitute for it.

Build a Secure-by-Design SaaS Program

The bottom line is this: you can’t detect your way out of a misconfiguration problem. If the risk lives in how the system is set up, detection won’t catch it. Posture management needs to come first.

Instead of reacting to breaches, organizations should focus on preventing the conditions that cause them. That starts with visibility into configurations, permissions, third-party access, shadow AI, and the risky combinations that attackers exploit.

Threat detection still matters, not because posture is weak, but because no system is ever bulletproof. AppOmni helps customers combine a strong preventive posture with high-fidelity detection to create a layered defense strategy that stops known risks and catches the unknowns.

A Smarter Approach to SaaS Security

To build a modern SaaS security strategy, start with what’s actually in your control. Focus on securing configurations, managing access, and establishing visibility, because the best time to address SaaS risk is before it becomes a problem.

Ready to fix the gaps in your SaaS posture? If you want to see where most teams are falling short—and what leading organizations are doing differently—the 2025 State of SaaS Security Report breaks it down. From breach drivers to gaps in ownership and confidence, it’s a revealing look at how posture continues to shape outcomes.

Why do SOC teams still drown in alerts even after spending big on security tools? False positives pile up, stealthy threats slip through, and critical incidents get buried in the noise. Top CISOs have realized the solution isn’t adding more and more tools to SOC workflows but giving analysts the speed and visibility they need to catch real attacks before they cause damage.

Here’s how they’re breaking the cycle and turning their SOCs into true threat-stopping machines.

Starting with Live, Interactive Threat Analysis

The first step to staying ahead of attackers is seeing threats as they happen. Static scans and delayed reports just can’t keep up with modern, evasive malware. Interactive sandboxes like ANY.RUN let analysts detonate suspicious files, URLs, and QR codes in a fully isolated, safe environment and actually interact with the sample in real time.

Why CISOs give access to interactive sandboxes:

• Analysts can click links, open files, and mimic real user actions to trigger hidden payloads that traditional scanners miss.
• They get full visibility into execution flow, dropped files, network connections, and related TTPs in seconds.
• Immediate IOC extraction means teams can respond faster and block similar threats before they spread.

Check this real case of phishing attack analyzed inside ANY.RUN’s interactive sandbox.

View real case of phishing attack

Full phishing attack chain analyzed inside interactive sandbox in real time

A phishing attack with a malicious QR code was fully analyzed in under one minute inside ANY.RUN. Analysts were able to watch the entire attack chain unfold, collect IOCs, and map behaviors to MITRE TTPs, all without leaving the sandbox. What once took hours of manual work now takes minutes, saving the team time and helping prevent repeat attacks.

Automating Triage to Speed Up Response and Reduce Workload

Modern SOCs are turning to automation for one simple reason: it removes the slow, repetitive tasks that hold teams back. By automating triage, SOCs gain several key benefits:

• Faster investigations → faster incident response: Automated workflows shorten the time between alert and action.
• Reduced human error: Machines handle routine steps consistently, so nothing gets overlooked.
• Confidence for junior analysts: Automation handles the tricky parts, so new team members can contribute without constantly relying on seniors.
• Focus for senior specialists: Freed from repetitive work, they can spend time on advanced threats, hunting, or improving detection rules.
• Higher SOC efficiency overall: Less fatigue, more accurate findings, and faster MTTR (Mean Time to Respond).

The QR code phishing attack mentioned earlier is a perfect example of how Automated Interactivity in ANY.RUN changes the game. In this real case, the malicious URL was buried behind a QR code and protected by a CAPTCHA.

Phishing attack with QR code exposed with the help of automation, saving time and resources

Normally, an analyst would have to manually scan the code, open the link in a safe browser, pass the CAPTCHA, and then try to trigger the hidden payload; a tedious and error‑prone process.

With automation enabled, the sandbox handled everything on its own: it opened the hidden URL, passed the CAPTCHA, and exposed the malicious process in seconds.

Malicious URL revealed inside ANY.RUN sandbox

Analysts didn’t have to wait for the analysis to finish; they could interact with the sample live at any stage, clicking through processes, opening files, or triggering additional behaviors in a fully safe environment.

This dual approach, automation plus interactivity, means your SOC saves time on tedious tasks while still giving analysts complete control. Routine steps no longer drain resources, junior staff can contribute confidently, and investigations move faster, leading to quicker containment and a stronger overall security posture.

Boosting SOC Performance with Collaboration and a Connected Security Stack

Even the most advanced detection tools won’t fix a slow or fragmented SOC on their own. True performance comes from collaboration; when analysts can work together seamlessly, share findings in real time, and avoid duplicate effort. That’s why top CISOs prioritize tools and platforms that make teamwork part of the investigation process.

For example, solutions like ANY.RUN include built‑in teamwork features that give SOC analysts a shared workspace. Tasks are clearly assigned, progress is visible to managers, and analysts, whether in the same office or spread across time zones, stay fully aligned. This level of collaboration reduces friction, keeps investigations moving, and ensures that insights don’t get lost between handoffs.

Team management displayed inside ANY.RUN sandbox

But collaboration is only half the picture. High‑performing SOCs also need their tools to fit naturally into the existing stack. The best solutions integrate with SOAR, SIEM, and XDR platforms, allowing analysts to launch sandbox analyses, enrich alerts, and automate response steps without leaving the tools they already know. This not only speeds up onboarding but also eliminates the learning curve; your team works faster using familiar interfaces, and your SOC levels up without adding complexity.

When collaboration and integration come together, the payoff is clear:

• Faster investigations and decision‑making
• Smoother workflows with fewer handoff delays
• A stronger, more efficient SOC without extra overhead

Protecting Privacy and Maintaining Compliance

CISOs know that speed and visibility are only part of the equation; investigations must stay secure. Handling suspicious files, internal documents, or client data in a shared environment can create risks if not managed carefully.

Modern SOC tools solve this by offering private, isolated analysis environments with role-based access controls and SSO support. This ensures that:

• Sensitive artifacts never leave the organization
• Only authorized team members can access specific investigations
• Compliance requirements are met without slowing down response

Solutions like ANY.RUN’s sandbox make this simple. Analysts can detonate files and URLs in fully private sessions where no data is shared externally, and results are only visible to assigned team members. Even in collaborative investigations, managers can control who sees what, while SSO ensures smooth, secure access aligned with company policies.

Privacy management in ANY.RUN’s team settings

What CISOs Are Reporting After Putting These Strategies to Work

After implementing the strategies outlined above, real-time threat analysis, automated triage, streamlined collaboration, and privacy-first workflows, SOCs using ANY.RUN’s interactive sandbox are reporting measurable improvements across the board.

• Up to 3x improvement in SOC performance, driven by faster investigations and fewer manual steps
• 90% of organizations report higher detection rates, particularly for stealthy and evasive threats
• 50% reduction in malware investigation time
• Improved team collaboration, with shared reports and interactive analysis reducing handoff delays
• Deeper threat visibility, including multi-stage and fileless malware

These numbers reflect real operational gains: faster responses, sharper visibility, and stronger defense. For CISOs, it means fewer missed incidents, better use of analyst time, and a SOC that’s equipped to handle whatever comes next.

Equip Your SOC with the Speed It Deserves

The best SOCs don’t wait. They detect threats early, respond fast, and adapt quickly to whatever attackers throw at them. But none of that happens without the right foundation.

By implementing interactive analysis, automating triage, enabling collaboration, and protecting sensitive workflows, top CISOs are building SOCs that lead.

ANY.RUN’s sandbox brings all of that in one place. It gives your team the visibility, control, and automation they need to cut through alert chaos, reduce workload, and never miss a real incident.

Trusted by CISOs to deliver:

• Reduced Mean Time to Respond (MTTR)
• Lower risk of business disruption and data breaches
• Fewer missed incidents and false negatives
• Less analyst burnout and turnover
• Better ROI from your existing security stack

Ready to see the difference in your own SOC?

Start your 14-day trial and give your team the power to investigate threats in real time, with clarity, speed, and confidence.

Aug 05, 2025Ravie LakshmananMalware / Mobile Security

Cybersecurity researchers have lifted the veil on a widespread malicious campaign that’s targeting TikTok Shop users globally with an aim to steal credentials and distribute trojanized apps.

“Threat actors are exploiting the official in-app e-commerce platform through a dual attack strategy that combines phishing and malware to target users,” CTM360 said. “The core tactic involves a deceptive replica of TikTok Shop that tricks users into thinking theyʼre interacting with a legitimate affiliate or the real platform.”

The scam campaign has been codenamed ClickTok by the Bahrain-based cybersecurity company, calling out the threat actor’s multi-pronged distribution strategy that involves Meta ads and artificial intelligence (AI)-generated TikTok videos that mimic influencers or official brand ambassadors.

Central to the effort is the use of lookalike domains that resemble legitimate TikTok URLs. Over 15,000 such impersonated websites have been identified to date. The vast majority of these domains are hosted on top-level domains such as .top, .shop, and .icu.

These domains are designed to host phishing landing pages that either steal user credentials or distribute bogus apps that deploy a variant of a known cross-platform malware called SparkKitty that’s capable of harvesting data from both Android and iOS devices.

What’s more, a chunk of these phishing pages lure users into depositing cryptocurrency on fraudulent storefronts by advertising fake product listings and heavy discounts. CTM360 said it identified no less than 5,000 URLs that are set up with an intent to download the malware-laced app by advertising it as TikTok Shop.

“The scam mimics legitimate TikTok Shop activity through fake ads, profiles, and AI-generated content, tricking users into engaging to distribute malware,” the company noted. “Fake ads are widely circulated on Facebook and TikTok, featuring AI-generated videos that mimic real promotions to attract users with heavily discounted offers.”

The fraudulent scheme operates with three motives in mind, although the end goal is financial gain, regardless of the illicit monetization strategy employed:

• Deceiving buyers and affiliate program sellers (creators who promote products in exchange for a commission on sales generated through the affiliate links) with bogus and discounted products and asking them to make payments in cryptocurrency
• Convincing affiliate participants to “top up” fake on-site wallets with cryptocurrency, under the promise of future commission payouts or withdrawal bonuses that never materialize
• Using fake TikTok Shop login pages to steal user credentials or instruct them to download trojanized TikTok apps

The malicious app, once installed, prompts the victim to enter their credentials using their email-based account, only for it to repeatedly fail in a deliberate attempt on the part of the threat actors to present them with an alternative login using their Google account.

This approach is likely meant to bypass traditional authentication flows and weaponize the session token created using the OAuth-based method for unauthorized access without requiring in-app email validation. Should the logged-in victim attempt to access the TikTok Shop section, they are directed to a fake login page that asks for their credentials.

Also embedded within the app is SparkKitty, a malware that’s capable of device fingerprinting and using optical character recognition (OCR) techniques to analyze screenshots in a user’s photo gallery for cryptocurrency wallet seed phrases, and exfiltrating them to an attacker-controlled server.

The disclosure comes as the company also detailed another targeting phishing campaign dubbed CyberHeist Phish that’s using Google Ads and thousands of phishing links to dupe victims searching for corporate online banking sites to be redirected to seemingly benign pages that mimic the targeted banking login portal and are crafted to steal their credentials.

“This phishing operation is particularly sophisticated due to its evasive, selective nature and the threat actors’ real-time interaction with the target to collect two-factor authentication on each stage of login, beneficiary creation and fund transfer,” CTM360 said.

In recent months, phishing campaigns have also targeted Meta Business Suite users as part of a campaign called Meta Mirage that uses fake policy violation email alerts, ad account restriction notices, and deceptive verification requests distributed via email and direct messages to lead victims to credential and cookie harvesting pages are hosted on Vercel, GitHub Pages, Netlify, and Firebase.

“This campaign focuses on compromising high-value business assets, including ad accounts, verified brand pages, and administrator-level access within the platform,” the company added.

These developments coincide with an advisory from the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN), urging financial institutions to be vigilant in identifying and reporting suspicious activity involving convertible virtual currency (CVC) kiosks in a bid to combat fraud and other illicit activities.

“Criminals are relentless in their efforts to steal money from victims, and they’ve learned to exploit innovative technologies like CVC kiosks,” said FinCEN Director Andrea Gacki. “The United States is committed to safeguarding the digital asset ecosystem for legitimate businesses and consumers, and financial institutions are a critical partner in that effort.”

Aug 05, 2025Ravie LakshmananZero-Day / Network Security

SonicWall said it’s actively investigating reports to determine if there is a new zero-day vulnerability following reports of a spike in Akira ransomware actors in late July 2025.

“Over the past 72 hours, there has been a notable increase in both internally and externally reported cyber incidents involving Gen 7 SonicWall firewalls where SSLVPN is enabled,” the network security vendor said in a statement.

“We are actively investigating these incidents to determine whether they are connected to a previously disclosed vulnerability or if a new vulnerability may be responsible.”

While SonicWall is digging deeper, organizations using Gen 7 SonicWall firewalls are advised to follow the steps below until further notice –

• Disable SSL VPN services where practical
• Limit SSL VPN connectivity to trusted IP addresses
• Activate services such as Botnet Protection and Geo-IP Filtering
• Enforce multi-factor authentication
• Remove inactive or unused local user accounts on the firewall, particularly those with SSL VPN access
• Encourage regular password updates across all user accounts

The development comes shortly after Arctic Wolf revealed it had identified a surge in Akira ransomware activity targeting SonicWall SSL VPN devices for initial access since late last month.

Huntress, in a follow-up analysis published Monday, also said it has observed threat actors pivoting directly to domain controllers merely a few hours after the initial breach.

Attack chains commence with the breach of the SonicWall appliance, followed by the attackers taking a “well-worn” post-exploitation path to conduct enumeration, detection evasion, lateral movement, and credential theft.

The incidents also involve the bad actors methodically disabling Microsoft Defender Antivirus and deleting volume shadow copies prior to deploying Akira ransomware.

Huntress said it detected around 20 different attacks tied to the latest attack wave starting on July 25, 2025, with variations observed in the tradecraft used to pull them off, including in the use of tools for reconnaissance and persistence, such as AnyDesk, ScreenConnect, or SSH.

There is evidence to suggest that the activity may be limited to TZ and NSa-series SonicWall firewalls with SSL VPN enabled, and that the suspected flaw exists in firmware versions 7.2.0-7015 and earlier.

“The speed and success of these attacks, even against environments with MFA enabled, strongly suggest a zero-day vulnerability is being exploited in the wild,” the cybersecurity company said. “This is a critical, ongoing threat.”

Aug 04, 2025Ravie LakshmananAI Security / Vulnerability

A newly disclosed set of security flaws in NVIDIA’s Triton Inference Server for Windows and Linux, an open-source platform for running artificial intelligence (AI) models at scale, could be exploited to take over susceptible servers.

“When chained together, these flaws can potentially allow a remote, unauthenticated attacker to gain complete control of the server, achieving remote code execution (RCE),” Wiz researchers Ronen Shustin and Nir Ohfeld said in a report published today.

The vulnerabilities are listed below –

• CVE-2025-23319 (CVSS score: 8.1) – A vulnerability in the Python backend, where an attacker could cause an out-of-bounds write by sending a request
• CVE-2025-23320 (CVSS score: 7.5) – A vulnerability in the Python backend, where an attacker could cause the shared memory limit to be exceeded by sending a very large request
• CVE-2025-23334 (CVSS score: 5.9) – A vulnerability in the Python backend, where an attacker could cause an out-of-bounds read by sending a request

Successful exploitation of the aforementioned vulnerabilities could result in information disclosure, as well as remote code execution, denial of service, data tampering in the case of CVE-2025-23319. The issues have been addressed in version 25.07.

The cloud security company said the three shortcomings could be combined together that transforms the problem from an information leak to a full system compromise without requiring any credentials.

Specifically, the problems are rooted in the Python backend that’s designed to handle inference requests for Python models from any major AI frameworks such as PyTorch and TensorFlow.

In the attack outlined by Wiz, a threat actor could exploit CVE-2025-23320 to leak the full, unique name of the backend’s internal IPC shared memory region, a key that should have remained private, and then leverage the remaining two flaws to gain full control of the inference server.

“This poses a critical risk to organizations using Triton for AI/ML, as a successful attack could lead to the theft of valuable AI models, exposure of sensitive data, manipulating the AI model’s responses, and a foothold for attackers to move deeper into a network,” the researchers said.

NVIDIA’s August bulletin for Triton Inference Server also highlights fixes for three critical bugs (CVE-2025-23310, CVE-2025-23311, and CVE-2025-23317) that, if successfully exploited, could result in remote code execution, denial of service, information disclosure, and data tampering.

While there is no evidence that any of these vulnerabilities have been exploited in the wild, users are advised to apply the latest updates for optimal protection.

Aug 04, 2025Ravie LakshmananMalware / Browser Security

Cybersecurity researchers are calling attention to a new wave of campaigns distributing a Python-based information stealer called PXA Stealer.

The malicious activity has been assessed to be the work of Vietnamese-speaking cybercriminals who monetize the stolen data through a subscription-based underground ecosystem that automates the resale and reuse via Telegram APIs, according to a joint report published by Beazley Security and SentinelOne and shared with The Hacker News.

“This discovery showcases a leap in tradecraft, incorporating more nuanced anti-analysis techniques, non-malicious decoy content, and a hardened command-and-control pipeline that frustrates triage and attempts to delay detection,” security researchers Jim Walter, Alex Delamotte, Francisco Donoso, Sam Mayers, Tell Hause, and Bobby Venal said.

The campaigns have infected over 4,000 unique IP addresses spanning 62 countries, including South Korea, the United States, the Netherlands, Hungary, and Austria. Data captured via the stealer includes more than 200,000 unique passwords, hundreds of credit card records, and more than 4 million harvested browser cookies.

PXA Stealer was first documented by Cisco Talos in November 2024, attributing it to attacks targeting government and education entities in Europe and Asia. It’s capable of harvesting passwords, browser autofill data, information from cryptocurrency wallets and financial institutions.

Data stolen by the malware using Telegram as an exfiltration channel is fed into criminal platforms like Sherlock, a purveyor of stealer logs, from where downstream threat actors can purchase the information to engage in cryptocurrency theft or infiltrate organizations for follow-on purposes, fueling a cybercriminal ecosystem that runs at scale.

Campaigns distributing the malware in 2025 have witnessed a steady tactical evolution, with the threat actors employing DLL side-loading techniques and elaborate staging layers in an effort to fly under the radar.

The malicious DLL takes care of conducting the rest of the steps in the infection sequence, ultimately paving the way for the deployment of the stealer, but not before taking steps to display a decoy document, such as a copyright infringement notice, to the victim.

The stealer is an updated version boasting capabilities to extract cookies from Chromium-based web browsers by injecting a DLL into running instances with an aim to defeat app-bound encryption safeguards. It also plunders data from VPN clients, cloud command-line interface (CLI) utilities, connected fileshares, and applications like Discord.

“PXA Stealer uses the BotIDs (stored as TOKEN_BOT) to establish the link between the main bot and the various ChatID (stored as CHAT_ID),” the researchers said. “The ChatIDs are Telegram channels with various properties, but they primarily serve to host exfiltrated data and provide updates and notifications to the operators.”

“This threat has since matured into a highly evasive, multi-stage operation driven by Vietnamese-speaking actors with apparent ties to an organized cybercriminal Telegram-based marketplace that sells stolen victim data.”

Some of the most devastating cyberattacks don’t rely on brute force, but instead succeed through stealth. These quiet intrusions often go unnoticed until long after the attacker has disappeared. Among the most insidious are man-in-the-middle (MITM) attacks, where criminals exploit weaknesses in communication protocols to silently position themselves between two unsuspecting parties

Fortunately, protecting your communications from MITM attacks doesn’t require complex measures. By taking a few simple steps, your security team can go a long way in securing users’ data and keeping silent attackers at bay.

Know your enemy

In a MITM attack, a malicious actor intercepts communications between two parties (such as a user and a web app) to steal sensitive information. By secretly positioning themselves between the two ends of the conversation, MITM attackers can capture data like credit card numbers, login credentials, and account details. This stolen information often fuels further crimes, including unauthorized purchases, financial account takeovers, and identity theft.

The widespread use of MITM attacks speaks to their effectiveness, with several high-profile incidents making headlines and showcasing just how damaging these attacks can be. Notable examples include the Equifax data breach, the Lenovo Superfish scandal, and the DigiNotar compromise – all of which highlight how devastating MitM attacks can be when security controls fail.

Common MITM threat vectors

MITM attacks are especially common in environments with unsecured Wi-Fi and a high volume of potential victims (e.g., coffee shops, hotels, or airports). Cybercriminals will look to exploit misconfigured or unsecured networks or deploy rogue hardware that mimics legitimate access points. Once the rogue access point is active, the attacker spoofs the Wi-Fi name (i.e., service set identifier or SSID) to closely resemble a trusted network. Unsuspecting users, whose devices automatically connect to familiar or strong-signal networks, often join without realizing they’re on a malicious connection.

The role of spoofing in MITM attacks

Spoofing is what allows attackers to disguise themselves as a trusted entity within the environment. This deception enables them to intercept, monitor, or manipulate the data being exchanged without raising suspicion.

mDNS and DNS spoofing

mDNS and DNS spoofing are common tactics that trick devices into trusting malicious sources. Attackers exploit mDNS on local networks by replying to name requests with fake addresses, while DNS spoofing injects false data to redirect users to harmful websites, where sensitive information can be stolen.

Avoid public Wi-Fi when possible, or use a trusted VPN to encrypt your traffic and shield it from eavesdroppers. Within your network, segmenting internal systems and isolating untrusted zones helps contain breaches and restrict attackers’ lateral movement. Additionally, deploying DNSSEC cryptographically validates DNS responses, while DNS over HTTPS (DoH) and DNS over TLS (DoT) make it harder for attackers to tamper with or spoof domain resolutions by encrypting DNS queries.

Authenticate and validate

Implement mutual TLS to require both clients and servers to authenticate each other before connecting, blocking impersonation and interception. Enforcing strong multi-factor authentication (MFA) on critical services adds another layer of protection, making it harder for attackers to exploit stolen credentials. Regularly auditing and rotating TLS certificates and encryption keys is also vital to close security gaps caused by compromised or outdated cryptographic materials.

Endpoint and traffic monitoring

To mitigate MITM attacks, security teams should implement a layered defense strategy. Intrusion detection and prevention systems (IDS/IPS) can be configured to flag unusual SSL/TLS handshake patterns. External attack surface management (EASM) tools are crucial for uncovering vulnerabilities and expired or misconfigured certificates on unknown or unmanaged internet-facing assets. Continuous monitoring for certificate mismatches or unexpected certificate authorities can expose spoofed services and fraudulent intermediaries. Also, advanced endpoint detection and response (EDR) solutions can detect common MITM tactics such as ARP spoofing and rogue proxy use, enabling faster investigation and remediation.

Educate users

Educating users to heed invalid certificate warnings helps them avoid connecting to malicious or spoofed servers. At the same time, developers must follow secure-by-default coding practices that never disable certificate validation, as skipping these checks creates critical vulnerabilities. Incorporating both static application security testing (SAST) and dynamic application security testing (DAST) into the development cycle ensures issues like weak encryption or improper certificate handling are detected and fixed early.

Strengthen your Active Directory security today

By focusing on strong, unique passphrases; actively scanning AD for breached credentials; and enforcing MFA everywhere it matters, you eliminate the easiest avenue for attackers to exploit intercepted data. Specops Password Policy augments Active Directory’s native password mechanisms by embedding a real-time check against both global breached-password feeds and any custom ban‐lists you configure.

Because it hooks directly into your domain controllers via a lightweight password filter, it intercepts and blocks risky passwords at the moment of creation – stopping attackers from leveraging exposed credentials. With granular OU-based policy objects, centralized reporting dashboards, and integration points for MFA and Self Service Password Resets (SSPR), it provides a comprehensive, low-overhead way to ensure that nobody in your organization is reusing or choosing weak or breached passwords. Reach out for a live demo.

Aug 04, 2025Ravie LakshmananHacking News / Cybersecurity

Malware isn’t just trying to hide anymore—it’s trying to belong. We’re seeing code that talks like us, logs like us, even documents itself like a helpful teammate. Some threats now look more like developer tools than exploits. Others borrow trust from open-source platforms, or quietly build themselves out of AI-written snippets. It’s not just about being malicious—it’s about being believable.

In this week’s cybersecurity recap, we explore how today’s threats are becoming more social, more automated, and far too sophisticated for yesterday’s instincts to catch.

⚡ Threat of the Week

Secret Blizzard Conduct ISP-Level AitM Attacks to Deploy ApolloShadow — Russian cyberspies are abusing local internet service providers’ networks to target foreign embassies in Moscow and likely collect intelligence from diplomats’ devices. The activity has been attributed to the Russian advanced persistent threat (APT) known as Secret Blizzard (aka Turla). It likely involves using an adversary-in-the-middle (AiTM) position within domestic telecom companies and ISPs that diplomats are using for Internet access to push a piece of malware called ApolloShadow. This indicates that the ISP may be working with the threat actor to facilitate the attacks using the System for Operative Investigative activities (SORM) systems. Microsoft declined to say how many organizations were targeted, or successfully infected, in this campaign.

• Companies that Employed Hafnium Hackers Linked to Over a Dozen Patents — Threat actors linked to the notorious Hafnium hacking group have worked for companies that registered several patents for highly intrusive forensics and data collection technologies. The findings highlight China’s diverse private sector offensive ecosystem and an underlying problem with mapping tradecraft to a specific cluster, which may not accurately reflect the true organizational structure of the attackers. The fact that the threat actors have been attributed to three different companies shows that multiple companies may be working in tandem to conduct the intrusions and those companies may be providing their tools to other actors, leading to incomplete or misleading attribution. It’s currently not known how the threat actors came to possess the Microsoft Exchange Server flaws that were used to target various entities in a widespread campaign in early 2021. But their close relationship with the Shanghai State Security Bureau (SSSB) has raised the possibility that the bureau may have obtained access to information about the zero-days through some evidence collection method and passed it on to the attackers. The discovery also highlights another important aspect: China-based Advanced Persistent Threats (APTs) may actually consist of different companies that serve many clients owing to the contracting ecosystem, which forces these companies to collaborate on intrusions. In June 2025, Recorded Future revealed that a Chinese state-owned defense research institute filed a patent in late December 2024 that analyzes various kinds of intelligence, including OSINT, HUMINT, SIGINT, GEOINT, and TECHINT, to train a military-specific large language model in order to “support every phase of the intelligence cycle and improve decision-making during military operations.”
• Likely 0-Day SonicWall SSL VPN Flaw Used in Akira Ransomware Attacks — SonicWall SSL VPN devices have become the target of Akira ransomware attacks as part of a newfound surge in activity observed in late July 2025. Arctic Wolf Labs said that the attacks could be exploiting an as-yet-undetermined security flaw in the appliances, meaning a zero-day vulnerability, given that some of the incidents affected fully-patched SonicWall devices. However, the possibility of credential-based attacks for initial access hasn’t been ruled out. The development came as watchTowr Labs detailed multiple vulnerabilities in SonicWall SMA 100 Series appliances (CVE-2025-40596, CVE-2025-40597, and CVE-2025-40598) that an attacker could exploit to cause denial-of-service or code execution. “We stumbled across vulnerabilities that feel like they were preserved in amber from a more naïve era of C programming,” security researcher Sina Kheirkhah said. “While we understand (and agree) that these vulnerabilities are ultimately difficult – or in some cases, currently not exploitable – the fact that they exist at all is, frankly, disappointing. Pre-auth stack and heap overflows triggered by malformed HTTP headers aren’t supposed to happen anymore.”
• UNC2891 Breaches ATM Network via 4G Raspberry Pi in Cyber-Physical Attack — The threat actor known as UNC2891 has been observed targeting Automatic Teller Machine (ATM) infrastructure using a 4G-equipped Raspberry Pi as part of a covert attack. The cyber-physical attack involved the adversary leveraging their physical access to install the Raspberry Pi device and have it connected directly to the same network switch as the ATM, effectively placing it within the target bank’s network. The end goal of the infection was to deploy the CAKETAP rootkit on the ATM switching server and facilitate fraudulent ATM cash withdrawals. UNC2891 is assessed to share tactical overlaps with another threat actor called UNC1945 (aka LightBasin), which was previously identified compromising managed service providers and striking targets within the financial and professional consulting industries. UNC1945 is also known for its attacks aimed at the telecom sector.
• Active Exploitation of Alone WordPress Theme Flaw — Threat actors are actively exploiting a critical security flaw in “Alone – Charity Multipurpose Non-profit WordPress Theme” to take over susceptible sites. The vulnerability, tracked as CVE-2025-5394 (CVSS score: 9.8), is an arbitrary file upload affecting all versions of the plugin prior to and including 7.8.3. It has been fixed in version 7.8.5 released on June 16, 2025. In the observed attacks, the flaw is averaged to upload a ZIP archive containing a PHP-based backdoor to execute remote commands and upload additional files. Alternatively, the flaw has also been weaponized to deliver fully-featured file managers and backdoors capable of creating rogue administrator accounts.
• Multiple Flaws Patched in AI Code Editor Cursor — Several security vulnerabilities have been addressed in Cursor, including one high-severity bug (CVE-2025-54135 aka CurXecute) that could result in remote code execution (RCE) when processing external content from a third-party model context protocol (MCP) server. “If chained with a separate prompt injection vulnerability, this could allow the writing of sensitive MCP files on the host by the agent,” Cursor said. “This can then be used to directly execute code by adding it as a new MCP server.” Also addressed in Cursor version 1.3 is CVE-2025-54136 (CVSS score of 7.2), which could have allowed attackers to swap harmless MCP configuration files for a malicious command, without triggering a warning. “If an attacker has write permissions on a user’s active branches of a source repository that contains existing MCP servers the user has previously approved, or an attacker has arbitrary file-write locally, the attacker can achieve arbitrary code execution,” the company said.

‎️‍🔥 Trending CVEs

Hackers are quick to jump on newly discovered software flaws – sometimes within hours. Whether it’s a missed update or a hidden bug, even one unpatched CVE can open the door to serious damage. Below are this week’s high-risk vulnerabilities making waves. Review the list, patch fast, and stay a step ahead.

This week’s list includes — CVE-2025-7340, CVE-2025-7341, CVE-2025-7360 (HT Contact Form plugin), CVE-2025-54782 (@nestjs/devtools-integration), CVE-2025-54418 (CodeIgniter4), CVE‑2025‑4421, CVE‑2025‑4422, CVE‑2025‑4423, CVE‑2025‑4424, CVE‑2025‑4425, CVE‑2025‑4426 (Lenovo), CVE-2025-6982 (TP-Link Archer C50), CVE-2025-2297 (BeyondTrust Privilege Management for Windows), CVE-2025-5394 (Alone theme), CVE-2025-2523 (Honeywell Experion PKS), CVE-2025-54576 (OAuth2-Proxy), CVE-2025-46811 (SUSE), CVE-2025-6076, CVE-2025-6077, and CVE-2025-6078 (Partner Software).

📰 Around the Cyber World

• Critical RCE in @nestjs/devtools-integration — A critical remote code execution flaw (CVE-2025-54782, CVSS score: 9.4) has been uncovered in @nestjs/devtools-integration, a NestJS npm package downloaded over 56,000 times per week. The package sets up a local development server with an endpoint that executes arbitrary code inside a JavaScript “sandbox” built with node:vm module and the now-abandoned safe-eval, ultimately allowing for execution of untrusted user code in a sandboxed environment, Socket said. Further analysis has found that the sandbox is trivially escapable and because the server is accessible on localhost, any malicious website can trigger code execution on a developer’s machine via CSRF using the inspector/graph/interact endpoint. “Due to improper sandboxing and missing cross-origin protections, any malicious website visited by a developer can execute arbitrary code on their local machine,” Nestjs maintainer Kamil Mysliwiec said in an advisory. “By chaining these issues, a malicious website can trigger the vulnerable endpoint and achieve arbitrary code execution on a developer’s machine running the NestJS devtools integration.”
• Attackers Exploit Compromised Email Accounts for Attacks — Threat actors are increasingly using compromised internal or trusted business partner email accounts to send malicious emails to obtain initial access. “Using a legitimate trusted account affords an attacker numerous advantages, such as potentially bypassing an organization’s security controls as well as appearing more trustworthy to the recipient,” Talos said. The disclosure comes as bad actors are also continuing to exploit Microsoft 365’s Direct Send feature to deliver phishing emails that appear to originate from within the organization by using a spoofed internal From address and increases the likelihood of success of social engineering attacks. The messages are injected into Microsoft 365 tenants via unsecured third-party email security appliances used as SMTP relays. “This tactic allows attackers to send malicious payloads to Microsoft 365 users with increased credibility, often resulting in successful delivery despite failed authentication checks,” Proofpoint said.
• Signal Warns it Will Exit Australia Over Encryption Backdoor Push — Signal Foundation president Meredith Whittaker said the secure messaging application will leave Australia if the government forces it to incorporate a backdoor into its encryption algorithm or demand access to encrypted user data. Earlier this year, the U.K. government issued a secret order demanding that Apple allow it access to encrypted user data to assist in investigations, resulting in Apple removing its Advanced Data Protection (ADP) feature for users in the region. While the U.K. government appears to be backing down from its earlier demand, Google told TechCrunch that, unlike Apple, it did not receive any request from the U.K. to build a secret backdoor. This is the first time Google has formally commented on the matter.
• Google Hardens Chrome Extension Supply Chain Against Account Compromise — Google has rolled out a new security feature called Verified CRX Upload for Chrome extension developers that enforces cryptographic signatures for all Chrome extension updates and prevents bad actors from compromising developer accounts and publishing malicious updates to the Chrome Web Store (CWS). The security protection is also designed to address scenarios where CWS code reviews may not always flag such malicious attacks. “When opting an extension into Verified CRX Upload, the developer gives Google a public key. After that, the developer can no longer upload unsigned ZIP files for that extension and must instead upload a CRX file signed with the corresponding private key,” Google said [PDF]. “Verified upload acts as a second factor for the act of uploading to CWS. A malicious actor who compromises a developer’s account password, session cookies, or even an OAuth token, would not be able to upload a malicious update unless they also gain access to the developer’s private signing key.”
• Kimsuky Targets South Korea with Stealer Malware — The North Korea-linked Kimsuky hacking group has been linked to a spear-phishing campaign that targets South Korean entities using Windows shortcut (LNK) files as an initial access vector to trigger a multi-stage infection chain to deploy a keylogger, information stealer, establish persistent control over compromised hosts, and deliver unknown next-stage payloads. In parallel, users are displayed with lure PDF documents related to tax notices and government alerts about alleged sex offenders in the area. “Once inside, the malware performs extensive system profiling, steals credentials and sensitive documents, monitors user activity through keylogging and clipboard capture, and exfiltrates data in discreet segments over standard web traffic—helping it blend into normal network operations,” Aryaka said.

• Apple macOS Flaw Can Bypass TCC — Attackers could have used a recently patched macOS vulnerability to bypass Transparency, Consent, and Control (TCC) security checks and steal sensitive user information from locations such as the Downloads directory and Apple Intelligence caches. The flaw, dubbed Sploitlight by Microsoft and tracked as CVE-2025-31199, was addressed by Apple with the release of macOS Sequoia 15.4 in March 2025. The attack is so named because it exploits Spotlight plugins called importers, which are used to index data found on a device and surface it via its built-in search tool. Sploitlight turns these plugins into a TCC bypass, allowing valuable data to be leaked without a user’s consent.
• Improved Version of XWorm Spotted — A new version of a remote access trojan called XWorm (version 6.0) has been discovered with new features such as process protection and enhanced anti-analysis capabilities, indicating continued attempts by the developers to iterate and refine their tactics. The starting point of the attack is a Visual Basic Script that’s likely delivered to targets via social engineering, which then proceeds to set up persistence on the host via Windows Registry (as opposed to scheduled tasks in the previous version), although it’s important to note that the builder offers three different methods, including the aforementioned techniques and the adding the payload to the Startup folder. It’s also designed to run a PowerShell script that includes the ability to bypass Antimalware Scan Interface (AMSI) via in-memory modification of “clr.dll” to sidestep detection. Some of the new features observed in the latest version of XWorm are its ability to prevent process termination by marking itself as a critical process and killing itself if the compromised host is running Windows XP.
• Mozilla Warns Add-ons Devs Against Phishing Attack — Browser maker Mozilla is warning of a phishing campaign targeting its Firefox Add-ons infrastructure that aims to trick developers into parting with their account credentials as part of emails containing messages like “Your Mozilla Add-ons account requires an update to continue accessing developer features” that are designed to provoke engagement. The disclosure follows the emergence of bogus Firefox add-ons that masquerade as TronLink, Solflare, Rabby Wallet and are designed to steal cryptocurrency wallet secrets, security researcher Lukasz Olejnik said.
• New Stealer Malware Dissected — Cybersecurity researchers have detailed three new stealer malware families called Cyber Stealer, Raven Stealer, and SHUYAL Stealer that combine extensive credential theft capabilities with advanced system reconnaissance and evasion tactics. “Beyond credential theft, SHUYAL captures system screenshots and clipboard content, exfiltrating this data alongside stolen Discord tokens through a Telegram bot infrastructure,” Hybrid Analysis said. “The malware maintains operational stealth through self-deletion mechanisms, removing traces of its activity using a batch file after completing its primary functions.” Cyber Stealer, for its part, maintains communication with its command-and-control (C2) server through heartbeat checks, XMR miner configuration, task checks, and data exfiltration. It also comes with a clipper, remote shell, reverse proxy, DDoS, XMR mining, and DNS poisoning capabilities based on the subscription tier chosen by a customer. “The C2 URL can be dynamically updated through Pastebin, with a hardcoded backup URL if that fails,” eSentire said. While there are a number of stealers on the cybercrime scene already, the emergence of new stealers demonstrates the lucrative nature of such tools to enable data theft at scale. The third new infostealer malware is Raven Stealer, which is actively distributed through GitHub repositories and promoted via a Telegram channel operated by the threat actors. The stealer is consistent with other stealers, facilitating credential theft, browser data harvesting, and real-time data exfiltration via Telegram bot integration.
• NOVABLIGHT Node.js Stealer Spotted in the Wild — Developed and sold by the Sordeal Group, a threat actor demonstrating French-language proficiency, NOVABLIGHT is marketed as an “educational tool” on platforms like Telegram and Discord from €25 for a month to €140 for six months ($28 to $162). However, this aspect masks its true intent: A modular, feature-rich NodeJS-based malware built on the Electron framework, designed to steal sensitive information, including login credentials and cryptocurrency wallet data. The malware is said to be distributed via fake websites advertising video game installers. “NOVABLIGHT is a modular and feature-rich information stealer built on Node.js with the Electron framework,” Elastic Security Labs said. “Its capabilities go beyond simple credential theft, incorporating methods for data collection and exfiltration, sandbox detection, and heavy obfuscation.”
• $3.5B LuBian Bitcoin Theft Goes Undetected for Nearly Five Years — A previously undisclosed theft of 127,426 Bitcoin, valued at $3.5 billion at the time (presently approximately $14.5 billion), has been traced back to a December 2020 attack on a little-known Chinese mining pool called LuBian, making it as the largest cryptocurrency theft to date, surpassing the $1.5 billion Bybit hack that occurred in February 2025. “They appear to have been first hacked on December 28th, 2020, for over 90% of their BTC,” Arkham Intelligence said. “Subsequently, on December 29th, around $6M of additional BTC and USDT was stolen from a Lubian address active on the Bitcoin Omni layer. On the 31st, LuBian rotated their remaining funds to recovery wallets.” It’s believed that the unknown attackers may have exploited a flawed private key generation algorithm that left it susceptible to brute-force attacks. “LuBian preserved 11,886 BTC, currently worth $1.35B, which they still hold,” Arkham said. “The hacker also still holds the stolen BTC, with their last known movement being a wallet consolidation in July 2024.” Neither LuBian nor the suspected hacker has ever publicly acknowledged the breach.
• Russia Blocks Access to Speedtest — Russia blocked access to Speedtest, a popular internet speed testing tool developed by U.S. company Ookla, claiming the service poses a national security threat and could aid cyber attacks. The restriction is due to the “identified threats to the security of the public communication network and the Russian segment of the internet,” Roskomnadzor, country’s communications watchdog, said, adding it “collects data on the layout and capacity of Russian communications nodes” that could be used to “plan, conduct, and assess attacks on Russian networks and related systems.”
• CISA Releases Thorium — The U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced the public availability of Thorium, an open-source platform for malware and forensic analysts across the government, public, and private sectors. “Thorium enhances cybersecurity teams’ capabilities by automating analysis workflows through seamless integration of commercial, open-source, and custom tools,” CISA said. “It supports various mission functions, including software analysis, digital forensics, and incident response, allowing analysts to efficiently assess complex malware threats.” The agency has also released the Eviction Strategies Tool, which helps security teams during the incident response by providing the necessary actions to contain and evict adversaries from compromised networks and devices.
• Russian Entities Targeted to Deploy Cobalt Strike — The Russian information technology (IT) sector, and to a certain extent companies in China, Japan, Malaysia, and Peru, has been at the receiving end of a spear-phishing email campaign that delivers the Cobalt Strike Beacon by means of intermediate payloads that reach out to fake profiles on social media platforms to obtain the URL hosting the post-exploitation toolkit. The accounts, created on GitHub, Quora, and Russian-language social networks, are said to have been created specifically for the attacks and act as dead drop resolvers to facilitate operational resiliency. The activity was first recorded in the second half of 2024, reaching its peak in November and December. The campaign has not been attributed to any known threat actor or group.
• APT36 Targets Indian Railways, Oil & Gas Sectors — A suspected Pakistani threat actor known as APT36 (aka Transparent Tribe) has been attributed to attacks targeting Indian railway systems, oil and gas infrastructure, and the Ministry of External Affairs via spear-phishing attacks to deliver a known malware called Poseidon. “They use .desktop files disguised as PDF documents to execute scripts that download malware and establish persistence using cron jobs,” Hunt.io said. “The Poseidon backdoor, built on the Mythic framework and written in Go, is used to maintain access and support lateral movement.”
• Qilin Ransomware Attack Leverages BYOVD Technique — Threat actors associated with Qilin ransomware have been observed leveraging a previously unknown driver, TPwSav.sys, to stealthily disable security tools using a custom version of EDRSandblast as part of a Bring Your Own Vulnerable Driver (BYOVD) attack. “This driver, originally developed for power-saving features on Toshiba laptops, is a signed Windows kernel driver, making it an attractive choice for bypassing EDR protections through a BYOVD attack,” Blackpoint Cyber said. Prior to this incident, there has been no evidence of in-the-wild exploitation of the driver. “Compiled in 2015 and holding a valid signature, this driver is an appealing candidate for BYOVD attacks aimed at disabling EDR. While interacting with the driver requires only low-level privileges, loading it and enumerating physical memory demand administrative privileges,” the company added.
• Phishing Campaign Distributes 0bj3ctivity Stealer — Phishing emails bearing purchase order-lures are being used to distribute via JavaScript files a stealer called 0bj3ctivity Stealer, which has been propagated via Ande Loader in the past. “The further stages are uncommon, including custom PowerShell scripts to deploy the next stages and steganography to hide some of the payloads,” Trellix said. “Once decoded, the PowerShell script will download from archive.org a JPG image, which contains the next stage hidden using steganography.” The United States, Germany, and Montenegro exhibit a high volume of detections, although telemetry data has also revealed noticeable activity in Europe, North America, Southeast Asia, and Australia, indicating the global nature of the threat.

• Increasing Number of Flaws Leveraged as 0- or 1-Days — A third of flaws leveraged by attackers this year have been zero-day or 1-day flaws, indicating that threat actors are becoming faster at exploiting vulnerabilities. “We observed an 8.5% increase in the percentage of KEVs [Known Exploited Vulnerabilities] that had exploitation evidence disclosed on or before the day a CVE was published — 32.1% in H1-2025 as compared to the 23.6% we reported in 2024,” VulnCheck said. In total, the company added 432 new vulnerabilities to its KEV list in the first half of 2025, with 92 unique threat actors linked to the exploitation efforts. Of these, 56 (60.8%) were attributed to specific countries, including China (20), Russia (11), North Korea (9), and Iran (6). In a related development, a GreyNoise report found that in 80% of reconnaissance spikes against enterprise gear, the increase in activity was followed by the publication of a new CVE within six weeks, suggesting threat actors or researchers are testing their exploits ahead of time. “These patterns were exclusive to enterprise edge technologies like VPNs, firewalls, and remote access tools – the same kinds of systems increasingly targeted by advanced threat actors,” the threat intelligence firm said.
• BreachForums Comes Back Online — BreachForums appears to be back again after it went offline in April. The popular cybercrime forum was shut down and resurrected several times over the past year. According to DataBreaches.Net, the official site appears to be back online on its dark web address, while preserving the original user database, reputation, credits, and posts. What’s more, the site seems to have returned under new leadership – a user with the online moniker “N/A.” In an introductory post, N/A also claimed that none of its administrators have been arrested and that it’s “business as usual.”
• RedCurl’s New Attacks Deliver RedLoader — The threat actor known as Gold Blade (aka Earth Kapre, RedCurl, and Red Wolf) has been linked to a new set of attacks in July 2025 that combine malicious LNK files and WebDAV to execute remotely hosted DLLs to ultimately launch RedLoader using DLL side-loading. The LNK files, disguised as cover letters in the PDF format, are distributed via phishing emails via third-party job search sites like Indeed.
• Mimo Exploits SharePoint Flaws to Deliver Ransomware — The threat actor known as Mimo is exploiting the recently disclosed Microsoft SharePoint flaws to deliver the Go-based 4L4MD4r ransomware. The hacking group was recently linked to the abuse of a critical Craft CMS flaw to drop miners. The development marks the first time the hacking group has deployed ransomware in the wild.
• Silver Fox APT Uses Fake Flash Plugin to Deliver Malware — The threat actor tracked as Silver Fox has been observed delivering the Winos trojan under the guise of popular tools like Adobe Flash, Google Translate, and WPS. Typical distribution vectors include email, phishing websites, and instant messaging software. “However, with the leakage of core remote control Trojan source code (such as Winos 4.0) in the cybercrime circle, Silver Fox has gradually transformed from a single organization into a malicious family widely redeveloped by cybercrime groups and even APT organizations,” the Knownsec 404 team said. “Winos has a rich set of functional plug-ins that enable various remote control functions and data theft on the target host.”
• Girona Hacker Arrested — Spanish authorities have apprehended a cybercriminal who allegedly stole sensitive data from major financial institutions, educational organizations, and private companies across the country. The accused, described as a man with advanced computer programming skills, stands accused of targeting Spanish banks, a driving school, and a public university, among others. The suspect is alleged to have stolen personal databases of employees and customers, as well as internal documents of companies and organizations, and then sold them for profit.
• ShadowSyndicate Infrastructure Analyzed — Cybersecurity researchers have found connections between ShadowSyndicate infrastructure and various malware families like AMOS Stealer, TrueBot, and a number of ransomware strains such as Cl0p, BlackCat, LockBit, Play, Royal, CACTUS, and RansomHub. Aside from having access to a network of bulletproof hosters (BPHs) in Europe, it’s believed that ShadowSyndicate functions as an initial access broker (IAB) fueling Russian, North Korean, and Chinese APTs. “It remains unclear whether ShadowSyndicate has a structured business model with formal clients or partners in cybercrime, or whether it represents a more fluid, hybrid threat actor,” Intrinsec said.
• Who is Lionishackers? — Threat hunters have ripped the cover off Lionishackers, a corporate database seller and a financially motivated threat actor focused on exfiltrating and selling corporate databases through Telegram and underground forums since July 2024. “Even though they seem to have an opportunistic approach when choosing their targets, there seems to be a certain preference for victims located in Asian countries,” Outpost24 said. “They have shown a high level of collaboration with the ‘Hunt3r Kill3rs’ group and extensive participation in relevant underground communities’ Telegram channels. Furthermore, they also worked on and offered other services such as pen testing, the commercialization of the Ghost botnet, and the launch of a forum project dubbed Stressed Forums.”
• EdskManager RAT, Pulsar RAT, and Retro-C2 RAT Exposed — Three new remote access trojans called EdskManager RAT, Pulsar RAT, and Retro-C2 RAT have been flagged by cybersecurity researchers, flagging their ability to evade detection and maintain control over compromised systems. “The malware employs a downloader disguised as legitimate software, followed by in-memory decryption and stealth communication with command-and-control servers,” CYFIRMA said about EdskManager RAT. “Its use of HVNC (Hidden Virtual Network Computing), advanced persistence techniques, and anti-analysis measures indicates a strong focus on long-term, covert access to infected systems.” Pulsar RAT, on the other hand, is an Android trojan that exploits accessibility services to gain near-total control of the device, accessing messages, calls, GPS data, the camera, microphone, and other sensitive data. Developed by a Turkish-speaking threat actor known as ZeroTrace, Retro-C2 RAT employs reflective loading techniques to evade detection and siphon data from compromised machines. “The command-and-control infrastructure is fully web-based and provides threat actors with real-time client monitoring, action management such as CMD, PowerShell, Remote Desktop, keylogging, clipboard capture, file and process management, registry and network operations, audio recording, wallet scanning, persistence operations, and credential recovery,” ThreatMon said.
• Apple to Enable Advanced Fingerprinting Protection for All Safari Browsing Sessions — Apple has revealed that it intends to make advanced fingerprinting protection the default for all browsing sessions in Safari with the release of iOS 26, iPadOS 26, and macOS 26 in September 2025. Currently, the option is limited to Private Browsing mode. The feature was first introduced in Safari 17.0.
• Security Flaw Uncovered in Catwatchful Spyware — An SQL injection vulnerability in an Android stalkerware operation called Catwatchful has exposed more than 62,000 of its customers, including its Uruguay-based administrator, Omar Soca Charcov. The bug, discovered by researcher Eric Daigle, could be exploited to leak the application’s database, compromising customers’ email addresses and plaintext passwords. Google has since added protections to flag such malicious apps and suspended the developer’s Firebase account for abusing its infrastructure to operate the monitoring software.
• Ransomware Continues to be a Threat — DragonForce has claimed more than 250 victims on its dark web leak site, with 58 in the second quarter of 2025 alone, indicating that the ransomware cartel is gaining traction after purportedly absorbing RansomHub. Some of the groups that appear to have exited the scene include RansomHub, Babuk-Bjorka, FunkSec, BianLian, 8Base, Cactus, and Hunters International. “With major RaaS services shutting down, many affiliates are operating independently or seeking new partnerships,” Check Point said. “The result is a growing number of smaller, often short-lived, ransomware entities. At the same time, established players are actively competing to recruit these ‘orphaned’ affiliates.” Ransomware attacks have also been observed evolving beyond double extortion to coerce victims into paying up with threats of data leaks and DDoS attacks. “Double, triple, and quadruple extortion tactics add pressure by threatening to expose customer information, disrupting operations with distributed denial-of-service (DDoS) attacks, and sending harassing messages to business partners, customers, and others — including informing media of the breach,” Akamai said.
• Threat Actors Hide Malware in DNS Records — While it’s known that threat actors have leveraged the Domain Name System (DNS) for command-and-control purposes using a technique called DNS tunneling, it has been observed that cybercriminals are evolving their tactics further by concealing malicious commands in DNS TXT records by converting them into their hexadecimal representation and storing them in chunks. The practice is both clever and sneaky as it allows malicious scripts and early-stage malware to fetch binary files without having to download them from attacker-controlled sites or attach them to emails, which have a higher chance of being detected by antivirus software.

🎥 Cybersecurity Webinars

• Malicious Python Packages Are Everywhere — Learn How to Spot and Stop Them: In 2025, attacks on the Python ecosystem are rising fast—from typosquatting to dangerous container image flaws. If you’re still “pip installing and praying,” it’s time to level up. Join us for a hands-on webinar where we break down real supply chain threats and show you how to defend your code with practical tools, smarter workflows, and hardened images. No hype—just clear steps to secure your Python stack.

• Secure Your AI Stack: Learn How to Defend Identity Before It’s Too Late: AI is changing the way we work—and the way we get attacked. Join Okta’s Karl Henrik Smith to explore how identity is becoming the last, and most critical, line of defense against AI-powered threats. From deepfakes to autonomous agents, attackers are moving faster than traditional tools can handle. In this free webinar, you’ll learn why identity-first security is the key to staying ahead—and how to put it into action.

🔧 Cybersecurity Tools

• Thorium: Released by the U.S. CISA, this new open-source tool is a scalable platform for automating file analysis and aggregating results across diverse tools. It helps cybersecurity teams streamline malware triage, forensics, and tool testing by integrating with existing workflows through event-driven automation and a scalable infrastructure.
• LangExtract: It is an open-source Python library, developed by Google, that helps developers extract structured information from unstructured text using Gemini and other LLMs. It’s designed for tasks like parsing medical records, legal documents, or customer feedback by combining prompt-driven extraction, source-grounded outputs, and schema enforcement. LangExtract supports flexible backends, scales across long documents, and makes it easy to visualize and verify results—all without fine-tuning a model.

Disclaimer: These newly released tools are for educational use only and haven’t been fully audited. Use at your own risk—review the code, test safely, and apply proper safeguards.

🔒 Tip of the Week

Your Keyboard Could Be Spying on You — Here’s How to Tell — Most people don’t realize it, but your smartphone keyboard can do more than just type. Some of them quietly connect to the internet, sending back what you type, when you type, and even what’s in your clipboard. Even trusted apps like Gboard and SwiftKey have cloud sync features that share your typing patterns. And in worse cases, rogue keyboards can log passwords or steal crypto wallet seeds without any visible signs.

The fix isn’t just “don’t use shady keyboards.” It’s knowing how to control what they can do. Start by using a firewall app like NetGuard or RethinkDNS to block your keyboard from sending data over the internet. Go into your keyboard’s settings and turn off “personalization” or sync features. Watch out for weird behavior like a keyboard asking for access to your mic, contacts, or location — those are red flags. On newer Android versions, clipboard alerts will warn you if a keyboard is snooping.

If you want full peace of mind, switch to a keyboard that respects your privacy by design. Options like OpenBoard or Simple Keyboard have no internet access at all. They’re fast, clean, and open source — meaning their code can be audited for hidden behavior. In short: if your keyboard wants to “learn from you,” make sure it’s not learning too much.

Conclusion

Every threat we covered this week tells the same story: attackers are evolving faster because they’re learning from us. From how we code to how we trust, they’re watching closely. But the flipside? So are we.

The more we share, the faster we adapt. Keep pushing, keep questioning, and never let “normal” make you comfortable.

Everyone’s an IT decision-maker now. The employees in your organization can install a plugin with just one click, and they don’t need to clear it with your team first. It’s great for productivity, but it’s a serious problem for your security posture.

When the floodgates of SaaS and AI opened, IT didn’t just get democratized, its security got outpaced. Employees are onboarding apps faster than security teams can say, “We need to check this out first.” The result is a sprawling mess of shadow IT, embedded AI, and OAuth permissions that would make any CISO break into a cold sweat.

Here are five ways IT democratization can undermine your organization’s security posture and how to prevent it from doing so.

1. You can’t secure what you can’t see

Remember when IT security used to control what was allowed to pass the firewall? Good times. Today, anyone can find an app to do the heavy lifting for them. They won’t notice or care when the app requires access to your company’s Google Drive or has embedded AI. These apps are entering your stack right under your nose. The process is fast, decentralized, and a security nightmare.

How to solve it:

You need full visibility into the entire application stack, including any shadow IT or shadow AI in use. How can this be achieved? This comes down to one question: How good is your discovery? Wing automatically discovers every app in use, whether its SaaS, internal app, if it has embedded AI or if it’s an AI agent, even the ones hiding behind personal logins, OAuth connections, and browser extensions. It surfaces the risk levels, flags redundant or suspicious tools, and gives you the power to review, restrict, or remove them.

2. The growing attack surface of Shadow AI

AI tools are tech’s new shiny object and your organization’s users are all in. From copy to deck generators, code assistants, and data crunchers, most of them were never reviewed or approved. The productivity gains of AI are huge. Productivity has been catapulted forward in every department and across every vertical.

So what could go wrong? Oh, just sensitive data leaks, uncontrolled API connections, persistent OAuth tokens, and no monitoring, audit logs, or privacy policies… and that’s just to name a few of the very real and dangerous issues.

How to solve it:

You need a discovery tool that detects where AI is being used and how, even when it’s embedded within applications. Wing continuously detects apps with embedded AI, AI agents and Agetic AI across your environment, not just the ones you’re aware of, but also the ones that snuck into your stack unnoticed. It even alerts you when an app in use suddenly adds AI capabilities, so you are aware of this and not caught by surprise.

Ready to see what’s hiding in your stack? See what Wing can show you.

Cybersecurity researchers have discovered a nascent Android remote access trojan (RAT) called PlayPraetor that has infected more than 11,000 devices, primarily across Portugal, Spain, France, Morocco, Peru, and Hong Kong.

“The botnet’s rapid growth, which now exceeds 2,000 new infections per week, is driven by aggressive campaigns focusing on Spanish and French speakers, indicating a strategic shift away from its previous common victim base,” Cleafy researchers Simone Mattia, Alessandro Strino, and Federico Valentini said in an analysis of the malware.

PlayPraetor, managed by a Chinese command-and-control (C2) panel, does significantly deviate from other Android trojans in that it abuses accessibility services to gain remote control and can serve fake overlay login screens atop nearly 200 banking apps and cryptocurrency wallets in an attempt to hijack victim accounts.

PlayPraetor was first documented by CTM360 in March 2025, detailing the operation’s use of thousands of fraudulent Google Play Store download pages to perpetrate an interconnected large-scale scam campaign that can harvest banking credentials, monitor clipboard activity, and log keystrokes.

“The links to the impersonated Play Store pages are distributed through Meta Ads and SMS messages to effectively reach a wide audience,” the Bahrain-based company noted at the time. “These deceptive ads and messages trick users to click on the links, leading them to the fraudulent domains hosting the malicious APKs.”

Assessed to be a globally coordinated operation, PlayPraetor comes in five different variants that install deceptive Progressive Web Apps (PWAs), WebView-based apps (Phish), exploit accessibility services for persistent and C2 (Phantom), facilitate invite code-based phishing and trick users into purchasing counterfeit products (Veil), and grant full remote control via EagleSpy and SpyNote (RAT).

The Phantom variant of PlayPraetor, per the Italian fraud prevention company, is capable of on-device fraud (ODF) and is dominated by two principal affiliate operators who control about 60% of the botnet (roughly 4,500 compromised devices) and appear to center their efforts around Portuguese-speaking targets.

“Its core functionality relies on abusing Android’s accessibility services to gain extensive, real-time control over a compromised device,” Cleafy said. “This allows an operator to perform fraudulent actions directly on the victim’s device.”

Image Source: CTM360

Once installed, the malware beacons out to the C2 server via HTTP/HTTPS and makes use of a WebSocket connection to create a bidirectional channel to issue commands. It also sets up a Real-Time Messaging Protocol (RTMP) connection to initiate a video livestream of the infected device’s screen.

The evolving nature of the supported commands indicates that PlayPraetor is being actively developed by its operators, allowing for comprehensive data theft. In recent weeks, attacks distributing the malware have increasingly targeted Spanish- and Arabic-speaking victims, signaling a broader expansion of the malware-as-a-service (MaaS) offering.

The C2 panel, for its part, is not only used to actively interact with compromised devices in real-time, but also enable the creation of bespoke malware delivery pages that mimic Google Play Store on both desktop and mobile devices.

“The campaign’s success is built upon a well-established operational methodology, leveraging a multi-affiliate MaaS model,” Cleafy said. “This structure allows for broad and highly targeted campaigns.”

PlayPraetor is the latest malware originating from Chinese-speaking threat actors with an aim to conduct financial fraud, a trend exemplified by the emergence of ToxicPanda and SuperCard X over the past year.

ToxicPanda Evolves

According to data from Bitsight, ToxicPanda has compromised around 3,000 Android devices in Portugal, followed by Spain, Greece, Morocco and Peru. Campaigns distributing the malware have leveraged TAG-1241, a traffic distribution system (TDS), for malware distribution using ClickFix and fake Google Chrome update lures.

“This carefully orchestrated redirection is part of the TDS’s design to ensure that only selected targets are funneled to these malicious endpoints,” security researcher Pedro Falé said in a report last week.

The latest version of ToxicPanda improves upon its predecessors by incorporating a Domain Generation Algorithm (DGA) to establish C2 and enhance operational resilience in the face of infrastructure takedowns. Also baked into the malware are new commands to set a fallback C2 domain and better control malicious overlays.

DoubleTrouble Rises

The findings come as Zimperium disclosed another sophisticated Android banking trojan dubbed DoubleTrouble that has evolved beyond overlay attacks to record the device screen, log keystrokes, and run various commands for data exfiltration and entrenched device control.

Besides leaning heavily on abusing Android’s accessibility services to carry out its fraudulent activities, DoubleTrouble’s distribution strategy involves leveraging bogus websites that host malware samples directly within Discord channels.

“The new functionalities include: displaying malicious UI overlays to steal PIN codes or unlock patterns, comprehensive screen recording capabilities, the ability to block the opening of specific applications, and advanced keylogging functionality,” Zimperium zLabs researcher Vishnu Madhav said.