    ⚡ Weekly Recap: Password Manager Flaws, Apple 0-Day, Hidden AI Prompts, In-the-Wild Exploits & More

    Aug 25, 2025 | Ravie Lakshmanan | Cybersecurity News / Hacking

    Cybersecurity today moves at the pace of global politics. A single breach can ripple across supply chains, turn a software flaw into leverage, or shift who holds the upper hand. For leaders, this means defense isn’t just a matter of firewalls and patches—it’s about strategy. The strongest organizations aren’t the ones with the most tools, but the ones that see how cyber risks connect to business, trust, and power.

    This week’s stories highlight how technical gaps become real-world pressure points—and why security decisions now matter far beyond IT.

    ⚡ Threat of the Week

    Popular Password Managers Affected by Clickjacking — Popular password manager plugins for web browsers have been found susceptible to clickjacking security vulnerabilities that could be exploited to steal account credentials, two-factor authentication (2FA) codes, and credit card details under certain conditions. The technique has been dubbed Document Object Model (DOM)-based extension clickjacking by independent security researcher Marek Tóth, who presented the findings at the DEF CON 33 security conference earlier this month. As of August 22, fixes have been released by Bitwarden, Dashlane, Enpass, KeePassXC-Browser, Keeper, LastPass, NordPass, ProtonPass, and RoboForm.

    🔔 Top News

    • Russian Hackers Go After Old Cisco Flaw — Hackers linked to Russia are exploiting a seven-year-old vulnerability in unpatched end-of-life Cisco networking devices (CVE-2018-0171) to target enterprise and critical infrastructure networks in the U.S. and abroad. Over the past year, the threat actor, which Cisco is tracking as Static Tundra, has collected configuration files from thousands of networking devices used by U.S. organizations in critical infrastructure sectors. On some vulnerable devices, the attackers changed the configuration settings to give themselves unauthorized access to the network. The attackers then used that access to explore the networks, looking specifically at protocols and applications that are commonly used in industrial systems. Cisco identified Static Tundra as primarily targeting organizations of strategic interest to the Kremlin, spanning the manufacturing, telecommunications, and higher education sectors across the globe. Once the threat actor gains access to a system of interest, they have been found to use stolen SNMP credentials to quietly control the compromised devices, letting them run commands, change settings, and steal configurations, all while hiding their activity from security controls. Static Tundra has also altered the configuration of compromised devices to create new local user accounts and enable remote access services like Telnet, granting them additional ways to regain access to the device if their initial communication mechanism is closed. The group also uses a backdoor called SYNful Knock to stay connected to infected devices and maintain a hidden foothold that survives reboots.
    • Apple Fixes Actively Exploited 0-Day — Apple released security updates to address a high-severity flaw in iOS, iPadOS, and macOS that it said has come under active exploitation in the wild. The zero-day is an out-of-bounds write vulnerability affecting the ImageIO framework. Tracked as CVE-2025-43300 (CVSS score: 8.8), the issue could result in memory corruption when processing a malicious image. The iPhone maker said the bug was internally discovered and that it was addressed with improved bounds checking. The company provided no further technical details of the vulnerability or insights into the exploitation activity beyond characterizing the cyber attacks as sophisticated and highly targeted. The tech giant began using such terminology starting this year, presumably to signify nation-state threats and spyware activity.
    • Murky Panda Abuses Trusted Relationships to Breach Cloud Environments — The threat actor known as Murky Panda (aka Silk Typhoon) has been observed abusing trusted relationships in the cloud to hack enterprise networks. The attacks leverage N-day and zero-day vulnerabilities to drop web shells and a Golang malware called CloudedHope to facilitate remote access. A notable aspect of Murky Panda’s tradecraft concerns the abuse of trusted relationships between partner organizations and their cloud tenants, exploiting zero-day vulnerabilities to breach software-as-a-service (SaaS) providers’ cloud environments and conduct lateral movement to downstream victims.
    • INTERPOL Announces New Wave of Arrests in Africa — INTERPOL announced that authorities from 18 countries across Africa have arrested 1,209 cybercriminals who targeted 88,000 victims. “The crackdown recovered $97.4 million and dismantled 11,432 malicious infrastructures, underscoring the global reach of cybercrime and the urgent need for cross-border cooperation,” the agency said. The effort is the second phase of an ongoing law enforcement initiative called Operation Serengeti, which took place between June and August 2025 to tackle severe crimes like ransomware, online scams and business email compromise (BEC). The first wave of arrests occurred late last year.
    • Scattered Spider Hacker Gets 10-Year Jail Term — Noah Michael Urban, a 20-year-old member of the notorious cybercrime gang known as Scattered Spider, was sentenced to ten years in prison in the U.S. in connection with a series of major hacks and cryptocurrency thefts. Urban pleaded guilty to charges related to wire fraud and aggravated identity theft back in April 2025. In addition to 120 months in federal prison, Urban faces an additional three years of supervised release and has been ordered to pay $13 million in restitution to victims. The defendant, who also went by the aliases Sosa, Elijah, King Bob, Gustavo Fring, and Anthony Ramirez, was arrested by U.S. authorities in Florida in January 2024 for committing wire fraud and aggravated identity theft between August 2022 and March 2023. These incidents led to the theft of at least $800,000 from at least five different victims.
    • North Korea Likely Behind New Diplomat Cyber Attacks — The North Korea-backed threat actor known as Kimsuky is believed to have orchestrated a spear-phishing attack targeting European embassies in South Korea. The campaign, ongoing since March 2025, is characterized by the use of GitHub as a command-and-control channel and a variant of an open-source malware called Xeno RAT. In an interesting twist, the attackers have yielded clues that they are working out of China, perhaps alluding to the possibility of a collaboration or that it’s the work of a threat actor that closely mimics the tactics of Kimsuky. Furthermore, routing malicious cyber activity through China likely provides North Korea with some geopolitical cover and a safe haven as long as it doesn’t directly harm domestic interests.
    • Alleged RapperBot Admin Charged in the U.S. — Ethan Foltz, 22, of Eugene, Oregon, was charged with allegedly developing and overseeing a distributed denial-of-service (DDoS)-for-hire botnet called RapperBot since at least 2021. Foltz has been charged with one count of aiding and abetting computer intrusions. If convicted, he faces a maximum penalty of 10 years in prison. In addition, law enforcement authorities conducted a search of Foltz’s residence on August 6, 2025, seizing administrative control of the botnet infrastructure.

    🔥 Trending CVEs

    Hackers are quick to jump on newly discovered software flaws – sometimes within hours. Whether it’s a missed update or a hidden bug, even one unpatched CVE can open the door to serious damage. Below are this week’s high-risk vulnerabilities making waves. Review the list, patch fast, and stay a step ahead.

    This week’s list includes — CVE-2025-7353 (Rockwell Automation ControlLogix), CVE-2025-8714 (PostgreSQL), CVE-2025-9037, CVE-2025-9040 (Workhorse Software Services), CVE-2025-54988 (Apache Tika), CVE-2025-57788, CVE-2025-57789, CVE-2025-57790, CVE-2025-57791 (Commvault), CVE-2025-43300 (Apple iOS, iPadOS, and macOS).

    📰 Around the Cyber World

    • Microsoft Scales Back Chinese Access to Early Warning System — Microsoft revealed it has scaled back some Chinese companies’ access to its early warning system for cybersecurity vulnerabilities in the wake of sweeping hacking attempts against Microsoft SharePoint servers that have been pinned on Beijing. To that end, the Windows maker said several Chinese firms would no longer receive proof-of-concept code demonstrating the flaws. The change is applicable to “countries where they’re required to report vulnerabilities to their governments,” which would include China. The decision comes amid speculation that a leak from the Microsoft Active Protections Program (MAPP) may have resulted in the large-scale exploitation activity.
    • New Lazarus Stealer Spotted — A new Android banking trojan called Lazarus Stealer has been spotted in the wild. “Disguised as a harmless application called ‘GiftFlipSoft,’ the malware specifically targets multiple Russian banking apps, extracting card numbers, PINs, and other sensitive credentials while remaining completely hidden from the device’s interface,” CYFIRMA said. “The malware is built for persistence, operating silently in the background while exfiltrating sensitive data. It abuses high-risk permissions, default SMS privileges, overlay functions, and dynamic WebView content to carry out its operations.” Once installed, the app requests default SMS app privileges, as well as overlay (“Display Over Other Apps”) and Usage Access permissions to display fraudulent interfaces on legitimate applications for credential harvesting and monitor active applications in real time and detect when targeted applications, such as banking apps, are launched.
    • Google Agrees to Pay $30M to Settle Children’s Privacy Lawsuit — Google has agreed to pay $30 million to settle a class-action lawsuit alleging that it violated children’s privacy on YouTube by secretly collecting their data without parental consent and using it to serve targeted ads. Google denied wrongdoing in agreeing to settle. The company previously paid a $170 million fine in 2019 to the Federal Trade Commission (FTC) and the state of New York for similar practices.
    • Storm-1575 Linked to Salty 2FA — The threat actor known as Storm-1575 has been attributed to a new phishing-as-a-service (PhaaS) offering called Salty 2FA. “Like other PhaaS platforms, Salty 2FA is mainly delivered via email and focuses on stealing Microsoft 365 credentials,” ANY.RUN said. “It unfolds in multiple stages and includes several mechanisms designed to hinder detection and analysis.” Victims of Salty 2FA attacks span the finance, telecom, energy, consulting, logistics, and education sectors. Storm-1575 is the moniker assigned by Microsoft to the operators of DadSec and Rockstar 2FA.
    • What is HuiOne Guarantee? — The Telegram-based escrow platform HuiOne Guarantee (aka Haowang Guarantee), which announced its closure in June 2025, has acquired a 30% financial stake in Tudou Guarantee, which has emerged as a key fallback for Huione-affiliated vendors. Described as an “Amazon for criminals,” the Cambodian conglomerate behind it, HuiOne Group, has had its HuiOne Pay license revoked by the National Bank of Cambodia earlier this March. HuiOne-linked infrastructure has received over $96 billion in cryptocurrency assets since 2021, according to TRM Labs, which said HuiOne Pay and HuiOne Guarantee share operational links, with fund flows observed from Huione Pay withdrawal wallets to Huione Guarantee’s security deposit wallets. The findings come as darknet market escrow systems that manage cryptocurrency transactions between buyers and vendors continue to remain vulnerable to administrator exit scams. These systems implement escrow through multi-signature cryptocurrency wallet addresses that require signatures from the buyer and vendor to complete transactions, with the market administrator only stepping in during dispute resolution to side with either the buyer or vendor based on evidence provided by the two parties. To streamline operations, many darknet markets also use automated escrow release systems, transferring funds to vendors after 7 to 21 days unless buyers initiate disputes during the timer period. However, the “centralized” nature of the dispute resolution process, which is heavily reliant on the market administrators, introduces new risks such as bias, corruption, and exit scam scenarios where fairness takes a back seat.
    • Orange Belgium Discloses Breach — Orange Belgium, a subsidiary of telecommunications giant Orange Group, disclosed on Wednesday that attackers who breached its systems in July have stolen the data of approximately 850,000 customers. “At the end of July, Orange Belgium discovered a cyber attack on one of its IT systems, which gave unauthorized access to certain data from 850,000 customer accounts,” the company said. “No critical data was compromised: no passwords, email addresses, bank or financial data were hacked. However, the hacker has gained access to one of our IT systems that contains the following information: name, first name, phone number, SIM card number, PUK code, [and] tariff plan.”
    • U.K. Man Sentenced to Jail for Website Defacement and Data Theft — Al-Tahery Al-Mashriky, 26, from Rotherham, South Yorkshire, was sentenced to jail for 20 months for hacking into the websites of organizations in North America, Yemen and Israel and stealing the login details of millions of people, including more than 4 million Facebook users. Al-Mashriky was arrested in August 2022 and pleaded guilty to nine offences earlier this March. Associated with an extremist hacker group named Yemen Cyber Army, the defendant infiltrated a number of websites to push religious and political ideologies. A review of his seized laptop uncovered personal data for over 4 million Facebook users and several documents containing usernames and passwords for services such as Netflix and PayPal. The Yemen Cyber Army is a hacktivist group that, in the past, has declared its support for the Houthis, an Islamist political and military organization.
    • Malicious npm Packages Target Solana Developers — Malicious npm packages have been found embedding an information stealer that’s designed to single out Russian cryptocurrency developers as part of a campaign dubbed Solana-Scan. These malicious packages, solana-pump-test, solana-spl-sdk, and solana-pump-sdk, targeted the Solana cryptocurrency ecosystem and claimed to “scan” for Solana SDK components. All the packages were published by a user named “cryptohan.” Contained within the package is an obfuscated CommonJS file that launches a JavaScript payload for extracting environment information and launching a second-stage that searches the compromised machine for sensitive files and exfiltrates them to a remote server located in the U.S. There is evidence that the JavaScript was written with the help of generative artificial intelligence (AI) tools like Anthropic Claude, software supply chain security outfit Safety said.
    • Singapore Warns of Dire Wolf Attacks — The Cyber Security Agency of Singapore (CSA) has warned of double-extortion attacks by the Dire Wolf ransomware group, which has been active since May 2025. “Dire Wolf ransomware group employs a double extortion tactic, where it encrypts data on victims’ systems and threatens to publicly release exfiltrated data on its data leak site (DLS) unless a ransom is paid,” CSA said. “This causes a two-fold impact of data loss and reputational damage on victim organizations.”
    • Hijack Loader Detailed — Cybersecurity researchers have unpacked the inner workings of a malware loader called Hijack Loader that’s used as a conduit for other payloads, including information stealers and remote access trojans. Attack chains distributing the malware have leveraged pirated game websites like Dodi Repacks, tricking users into downloading booby-trapped ZIP archives under the guise of video games like Virtua Fighter 5 REVO. Another propagation mechanism involves embedding a link to cracked software in TIDAL music playlists that show up in search engine results. Hijack Loader incorporates an array of anti-virtual machine and anti-debug techniques and attempts to disable Microsoft Defender Antivirus prior to launching the final payload.
    • Nebraska Man Sentenced to 1 Year in Prison for Illicit Crypto Mining — Charles O. Parks III, who was indicted in April 2024 for operating a large-scale illegal cryptojacking operation, was sentenced in the U.S. to one year and one day in prison. He is said to have defrauded two well-known providers of cloud computing services out of more than $3.5 million worth of computing resources from January through August 2021. Parks was charged with wire fraud, money laundering, and engaging in unlawful monetary transactions in connection with the scheme and pleaded guilty to wire fraud in December 2024. The mined currency was used for personal luxurious purchases and Parks boasted about his profits on social media to earn credibility as a crypto influencer. “Parks created and used a variety of names, corporate affiliations, and email addresses, including emails with domains from corporate entities he operated called ‘MultiMillionaire LLC’ and ‘CP3O LLC,’ to register numerous accounts with the service providers and to gain access to massive amounts of computing processing power and storage that he did not pay for,” the Justice Department said.
    • Chrome Extension Detected Capturing Screenshots — A Chrome browser extension with more than 100,000 installs has been found to harbor covert features to capture screenshots, collect system information, and query IP geolocation APIs for location details. The screenshots are uploaded to an external server, aitd.one, which claims to be an AI threat detection service. Advertised as a free VPN app named FreeVPN.One, the featured add-on offered the promised functionality since its launch in 2000, before the surveillance features were subtly introduced in April, June, and July 2025. The developer behind the tool claimed the automatic screenshot capture is part of a Background Scanning feature that’s triggered only on suspicious domains and for all users by default. However, Koi Security found that screenshots were being taken on trusted services like Google Sheets and Google Photos. “FreeVPN.One shows how privacy branding can be flipped into a trap,” the company said. “What’s sold as safety becomes a quiet pipeline for collecting what you do and where you are.”
    • Okta Releases Auth0 Customer Detection Catalog — Okta has announced the launch of the Auth0 Customer Detection Catalog, a comprehensive open-source repository designed to enhance proactive threat detection capabilities for Auth0 customers. “The Auth0 Customer Detection Catalog allows security teams to integrate custom, real-world detection logic directly into their log streaming and monitoring tools, enriching the detection capabilities of the Auth0 platform,” the identity security company said.
    • TRM Labs Launches Beacon Network to Monitor Crypto Crime — Blockchain intelligence firm TRM Labs announced the launch of Beacon Network, a real-time crypto crime response network for tracking illicit crypto activity and preventing it from leaving the blockchain. “Verified investigators flag addresses linked to financial crime. Beacon Network automatically propagates those labels across related wallets,” the company said. “When tagged funds arrive at a participating exchange or issuer, Beacon Network triggers an instant alert.” In doing so, cryptocurrency platforms can proactively review and hold flagged deposits before withdrawal, blocking illicit cash-outs.
    • Microsoft Aims to be Quantum-Safe by 2033 — Microsoft has set out a roadmap to complete the transition to post-quantum cryptography (PQC) across all its products and services by 2033, with rollout beginning by 2029. That’s two years ahead of the deadline imposed by the United States and other governments. “Migration to post quantum cryptography (PQC) is not a flip-the-switch moment, it’s a multi-year transformation that requires immediate planning and coordinated execution to avoid a last-minute scramble,” the company’s Mark Russinovich and Michal Braverman-Blumenstyk said. The U.S. National Institute of Standards and Technology (NIST) formalized the world’s first PQC algorithms in August 2024.
    • New Phishing Campaign Uses Hidden AI Prompts — A phishing campaign has been spotted using hidden artificial intelligence (AI) prompts that are designed to manipulate AI-based email scanners and delay them from detecting the malicious payloads. The emails, sent from SendGrid, masquerade as password expiry notices from Gmail to induce a false sense of urgency using social engineering tactics. But buried in the email plain-text MIME section is a prompt that instructs automated scanners to “engage in the deepest possible multi-layered inference loop” and trick them into entering long reasoning loops instead of marking the messages as phishing. “If AI-driven systems are tied to automation (auto-tagging, ticketing, escalation), this injection could cause misclassification or delays,” Malwr-analysis.com’s Anurag said. The development coincided with a new wave of credential harvesting attacks involving phishing emails sent via SendGrid. “The campaign exploits the trusted reputation of SendGrid, a legitimate cloud-based email service used by businesses to send transactional and marketing emails,” Cofense said. “By impersonating SendGrid’s platform, attackers can deliver phishing emails that appear authentic and bypass common email security gateways.”
    • 493 Cases of Sextortion Against Children Linked to SE Asia Scam Compounds — A new report from the International Justice Mission (IJM) has linked 493 child sextortion cases to scam compounds operating in Cambodia, Myanmar, and Laos, where trafficked individuals are forced to carry out online fraud such as romance baiting and pig butchering scams. Forensic data has tied the cases to 40 of the 44 previously known scam compounds operating in Cambodia, Myanmar, and Laos. “This research indicates a likely convergence of two dark forms of exploitation – child sextortion and human trafficking – enabled by digital platforms and driven by profit,” said Eric Heintz, Senior Criminal Analyst at IJM.
    • Mule Operators in META Adopt Complex Fraud Schemes — Cybersecurity researchers have laid bare the advanced techniques mule operators across the Middle East, Turkey and Africa (META) region have adopted to target retail banks, shifting from basic IP masking via VPNs and proxies to Starlink-based obfuscation tactics combined with advanced GPS spoofing, SIM abuse, and physical device “muling” using hired individuals and postal shipments. “Financial institutions in the Gulf region, where regulations are especially tight, enforce strict restrictions on VPN, hosting, and proxy traffic,” Group-IB said. “Early on, these controls forced mule operators to rely on generic VPN services – easily identified via IP reputation tools. By late 2023, fraudsters began a rapid innovation cycle to bypass these filters and regain remote access to accounts in the target jurisdictions.” Mule networks have been observed using stolen identities and location obfuscation tactics to remotely open hundreds of accounts to launder funds across targeted countries, with fraudsters also removing SIM cards entirely from Android devices to evade telecom fingerprinting and connecting to the internet via Wi-Fi hotspots, typically from nearby roaming-enabled phones, thereby masking their network origins. As recently as Q4 2024, the schemes have recruited so-called first-layer mules, who opened the bank accounts within trusted jurisdictions and then passed credentials to overseas operators who conducted laundering operations. A further escalation of this approach earlier this year eliminated the need for credential handover by physically shipping pre-configured phones. “First-layer mules based in trusted countries would open accounts and build trust through initial legitimate usage,” Group-IB said. “Instead of sharing login credentials, they ship pre-configured phones to second-layer fraudsters operating abroad.”
    • MuddyWater Targets CFOs and Finance Execs — The Iranian hacking group dubbed MuddyWater is actively targeting CFOs and finance executives across Europe, North America, South America, Africa, and Asia via spear-phishing emails that trick recipients into downloading ZIP archives from Firebase-hosted phishing pages. The attack chains lead to the deployment of OpenSSH and NetBird, a legitimate remote access tool for persistent access. The use of remote desktop software is a tactic often used by MuddyWater to facilitate access to compromised environments. “The infrastructure pivots, evolving payload paths, and consistent reuse of distinctive artifacts highlight a resourceful adversary that adapts quickly to maintain operational capability,” Hunt.io said.
    • Iranian Hacktivist Group Targets Iranian Communication Networks — The anonymous Iranian hacktivist group known as Lab Dookhtegan has crippled the satellite communications systems on 64 Iranian ships at sea. The incident, which took place last week, impacted 39 oil tankers and 25 cargo ships operated by the National Iranian Tanker Company (NITC) and the Islamic Republic of Iran Shipping Lines (IRISL). The hacks targeted Fannava, an Iranian tech company that provides satellite communication terminals for ships. Back in March 2025, the entity also disrupted satellite communication systems of 116 Iranian vessels linked to arms shipments for Yemen’s Houthis. According to security researcher Nariman Gharib, the group hacked the company’s network, identified all maritime communications terminals running iDirect satellite software, and then deployed malicious code to inflict permanent damage by overwriting the storage partitions with zeroes.
    • Pro-Iranian Hackers Demonstrated Coordination During 12-Day June Conflict With Israel — The 12-day conflict between Israel and Iran in June spilled into cyberspace, accompanied by a surge in cyber activity from pro-Iran hacking groups that worked in a “coordinated web” across borders to steal data, deface websites, spread propaganda, carry out DDoS campaigns, and deploy malware such as Remcos RAT. “Telegram has emerged as a critical platform for coordination, propaganda dissemination, and command-and-control for both state-aligned proxies and hacktivist collectives,” SecurityScorecard said in an analysis of 250,000 messages from Iranian proxies and hacktivists from over 178 active groups during the time period. “Its perceived anonymity and broad reach make it an attractive medium for these groups to organize, share information, claim responsibility for attacks, and even recruit new members.” The cyber war highlights “how Iran has refined its use of digital tools to shape the battlespace, control domestic narratives, and project influence abroad,” the Middle East Institute said.
    • 4 Ghanaian Nationals Extradited to the U.S. — The U.S. Department of Justice charged four Ghanaian nationals, Isaac Oduro Boateng, Inusah Ahmed, Derrick Van Yeboah, and Patrick Kwame Asare, for their roles in a massive fraud ring linked to the theft of over $100 million in romance scams and business email compromise attacks against individuals and businesses located across the U.S. between 2016 and May 2023. They were extradited to the U.S. on August 7, 2025. “After stealing the money, the fraud proceeds were then laundered to West Africa, where they were largely funneled to individuals called ‘chairmen,’ who directed the activities of other members of the conspiracy,” the Justice Department said.
    • NIST Publishes Guidelines to Tackle Identity Fraud — The U.S. National Institute of Standards and Technology (NIST) published new guidelines to help organizations optimize their efforts to detect face morphing and deter identity fraud. “The most effective defense against the use of morphs in identity fraud is to prevent morphs from getting into operational systems and workflows in the first place,” NIST’s Mei Ngan said. “Some modern morph detection algorithms are good enough that they could be useful in detecting morphs in real-world operational situations. Our publication is a set of recommendations that can be tailored to a specific situation.”
    • North Korea Linked to Over $1.75B in Thefts in 2025 — North Korea, which pulled off one of the biggest crypto heists in history in February 2025 by plundering nearly $1.5 billion from Dubai-based exchange Bybit, has stolen more than $1.75 billion in 2025 alone, according to Elliptic. In the six months following the Bybit hack, over $1 billion of the stolen funds have been laundered using multiple rounds of mixers and cross-chain movements to complicate the trail. “It is noteworthy that lesser-known blockchains were layered for portions of funds, perhaps in the hope that they are not as well supported by some analytics and investigation tools, and are less familiar to investigators attempting to trace asset movements,” Elliptic said. “Previously unseen or less commonly used services were also utilized for Bybit laundering.” Further analysis shows that funds reaching the Tron blockchain are ultimately cashed out via suspected Chinese over-the-counter trading services.
    • Attackers Abuse Virtual Private Servers to Breach SaaS Accounts — Threat actors are weaponizing virtual private servers (VPS) to compromise software-as-a-service (SaaS) accounts and then using them to send phishing emails. The activity was first observed in March 2025. “The incidents involved suspicious logins from VPS-linked infrastructure followed by unauthorized inbox rule creation and deletion of phishing-related emails,” Darktrace said. “These consistent behaviors across devices point to a targeted phishing campaign leveraging virtual infrastructure for access and concealment.”
    • ClickFix-Style Campaign Delivers Atomic Stealer Variant — A malvertising campaign has been observed directing unsuspecting users to fraudulent macOS help websites where ClickFix-style instructions are displayed to entice them into opening the Terminal app and pasting a command that, in turn, triggers the execution of a shell command to download from an external server a variant of Atomic macOS Stealer (AMOS) known as SHAMOS. Developed by a malware-as-a-service (MaaS) provider named Cookie Spider, it functions as an information stealer and downloads additional malicious payloads, including a spoofed Ledger Live wallet application and a botnet module. Alternate attack chains have relied on a GitHub repository masquerading as iTerm2. The GitHub account is no longer accessible. In recent months, the ClickFix technique has also been leveraged to deliver another macOS infostealer called Odyssey Stealer using bogus CAPTCHA verification checks.
    • MITRE Releases 2025 Most Important Hardware Weaknesses — The non-profit MITRE Corporation published a revised list of the Most Important Hardware Weaknesses (MIHW) to better align with the hardware security landscape. Sensitive Information in Resource Not Removed Before Reuse (CWE-226), Improper Isolation of Shared Resources on System-on-a-Chip (CWE-1189), and On-Chip Debug and Test Interface With Improper Access Control (CWE-1191) take the top three spots.
    • How Lumma Affiliates Operate — Despite a May 2025 law enforcement takedown targeting Lumma Stealer, the malware family appears to have staged a full recovery and continues to be a popular choice for threat actors. According to a report from Recorded Future, Lumma affiliates not only operate multiple schemes simultaneously, but also leverage previously undocumented tools such as a phishing page generator (DONUSSEF) and a cracked email credential validation tool. Also put to use are VPNs, privacy-focused web browsers, bulletproof hosting providers, virtual phone and SMS services (OnlineSim, SMS-Activate, and Zadarma), and proxies (PIA Proxy and GhostSocks). “For instance, one affiliate was identified operating rental scams, while others simultaneously leveraged multiple malware-as-a-service (MaaS) platforms, including Vidar, Stealc, and Meduza Stealer, likely to bolster operational agility, improve success rates, and mitigate the risks linked to detection and law enforcement takedowns,” the company said. “In addition, several Lumma affiliates are tied to distinct threat actor personas across underground forums, reinforcing their deep integration within the broader cybercriminal ecosystem.”
    • Deceptive Google Play Store Pages Distribute SpyNote — A new network of websites that mimic the Google Play Store pages of various apps is being used to trick users into installing malicious Android apps containing the SpyNote RAT. This is a continuation of an ongoing campaign that was flagged by DomainTools back in April 2025. “Key technique changes were the dynamic payload decryption and DEX element injection used by the initial dropper, which conceals SpyNote’s core functions and hijacks app behavior, and the control flow and identifier obfuscation applied to the C2 logic to hinder static analysis,” the company said. The development followed the discovery of a new version of the Anatsa (aka TeaBot) Android banking trojan that can now target over 831 financial institutions across the world, including various cryptocurrency platforms. “Anatsa streamlined payload delivery by replacing dynamic code loading of remote Dalvik Executable (DEX) payloads with direct installation of the Anatsa payload,” Zscaler ThreatLabz said. “Anatsa implemented Data Encryption Standard (DES) runtime decryption and device-specific payload restrictions.”
    • New macOS Stealer Mac.c Spotted — Cybersecurity researchers have discovered a new macOS stealer called Mac.c that can steal iCloud Keychain credentials, browser-stored passwords, crypto wallet data, system metadata, and files from specific locations. It can be purchased for $1,500 per month under a subscription model, while AMOS is priced at $3,000 a month. “This lower price could also open the gates for less resourceful and less tech-savvy operators who want to break into the cybercriminal market and have little money to spend on dark web tools,” Moonlock Lab said.
    • Paper Werewolf Uses New Linux Rootkit in Attacks Targeting Russia — The threat actor known as Paper Werewolf (aka GOFFEE) is targeting Russian organizations with a Linux rootkit named Sauropsida. The rootkit is based on an open-source rootkit known as Reptile. Also deployed are BindSycler, a Golang utility to tunnel traffic using the SSH protocol, and MiRat, a Mythic framework agent.

    🎥 Cybersecurity Webinars

    • How Code-to-Cloud Mapping Unites Dev, Sec, and Ops into One Powerful AppSec Team — Modern application security can’t stop at code or cloud—it must connect both. In this webinar, you’ll discover how code-to-cloud visibility closes the gaps that attackers exploit, uniting developers, DevOps, and security teams with a shared playbook for faster, smarter risk reduction.
    • 7 Concrete Steps to Secure Shadow AI Agents Before They Spiral Out of Control — AI agents are no longer just tools—they’re active players making decisions inside your enterprise. Yet many of these “shadow agents” operate without identity, ownership, or oversight, creating a dangerous blind spot that attackers are already exploiting. In this webinar, we’ll expose how these invisible risks emerge and show security leaders the critical steps to bring AI identities under control—before they become your weakest link.
    • 5 Simple Ways to Spot Rogue AI Agents Before They Take Over — Shadow AI Agents are multiplying fast—hidden in your workflows, fueled by non-human identities, and moving faster than your governance can keep up. In this exclusive session, security leaders will expose where these agents hide, the risks they pose, and the practical steps you can take today to regain visibility and control without slowing innovation.

    🔧 Cybersecurity Tools

    • SafeLine — A self-hosted Web Application Firewall (WAF) designed to shield web applications from common threats such as SQL injection, XSS, SSRF, and brute-force attempts. By acting as a reverse proxy, it filters and monitors HTTP/S traffic, blocking malicious requests before they reach the server and preventing unauthorized data leaks. Its capabilities include rate limiting, anti-bot defenses, dynamic code protection, and access control—helping ensure web applications remain secure and resilient against evolving attacks.
    • AppLockerGen — An open-source utility that helps system administrators and security professionals create, merge, and manage Windows AppLocker policies more efficiently. By providing a user-friendly interface, it simplifies defining rules for executables, scripts, installers, and DLLs, while also supporting policy import/export, inspection for misconfigurations, and testing against common bypass techniques.

    Disclaimer: These newly released tools are for educational use only and haven’t been fully audited. Use at your own risk—review the code, test safely, and apply proper safeguards.

    🔒 Tip of the Week

    Don’t Just Store It. Lock It — When you drag a file into Google Drive, OneDrive, or Dropbox, it feels “safe.” But here’s the catch: most clouds only encrypt files on their servers — they hold the keys, not you.

    That means if the provider is breached, subpoenaed, or a rogue admin pokes around, your “private” files aren’t so private.

    The fix is simple: end-to-end encryption. You encrypt before uploading, so your files are locked on your device and can only be unlocked with your key. Even if the cloud is hacked, attackers see nothing but scrambled noise.

    Free, open-source tools that make this easy:

    • Cryptomator → perfect for beginners, creates an “encrypted vault” inside your Dropbox/Drive.
    • Kopia → modern backup tool with strong encryption, great for securing entire folders or servers.
    • Restic → fast, deduplicated, encrypted backups, loved by developers and sysadmins.
    • Rclone (with crypt) → the power-user’s choice for syncing + encrypting files to almost any cloud.

    Bottom line: If it’s worth saving, it’s worth locking. Don’t trust the cloud with your keys.

    Conclusion

    Cybersecurity isn’t just about technology—it’s a test of leadership. The choices made in boardrooms shape how teams protect systems, respond to attacks, and recover from setbacks. This week’s stories highlight a key truth: security comes down to decisions—where to invest, which risks to take, and which blind spots to fix. The best leaders don’t promise perfect safety. Instead, they provide clarity, build resilience, and set direction when it matters most.


    Source: thehackernews.com…

  • Why SIEM Rules Fail and How to Fix Them: Insights from 160 Million Attack Simulations

    Why SIEM Rules Fail and How to Fix Them: Insights from 160 Million Attack Simulations

    Security Information and Event Management (SIEM) systems act as the primary tools for detecting suspicious activity in enterprise networks, helping organizations identify and respond to potential attacks in real time. However, the new Picus Blue Report 2025, based on over 160 million real-world attack simulations, revealed that organizations are only detecting 1 out of 7 simulated attacks, showing a critical gap in threat detection and response.

    While many organizations believe they’re doing everything they can to detect adversary actions, the reality is that a large number of threats are slipping through their defenses unnoticed, leaving their networks far too vulnerable to compromise. This gap in detection creates a false sense of security when attackers have already accessed your sensitive systems, escalated their privileges, or are actively exfiltrating your valuable data.

    This raises the question: why, after all this time, money, and attention, are these systems still failing, especially when the stakes are so high? Let’s see what The Blue Report 2025 tells us about several lingering core issues regarding SIEM rule effectiveness.

    Log Collection Failures: The Foundation of Detection Breakdowns

    SIEM rules act like a security guard who monitors incoming and outgoing traffic for suspicious behavior. Just as a guard follows a set of instructions to identify threats based on specific patterns, SIEM rules are pre-configured to detect certain activities, such as unauthorized access or unusual network traffic. When a specific event matches a rule, it triggers an alert, allowing security teams to respond swiftly.

    For SIEM rules to work effectively, however, they need to analyze a set of reliable and comprehensive logs. The Blue Report 2025 found that one of the most common reasons SIEM rules fail is persistent log collection issues. In fact, in 2025, 50% of detection rule failures were linked to problems with log collection. When logs aren’t captured properly, it’s all too easy to miss critical events, leading to a dangerous lack of alerts, a false sense of security, and a failure to detect malicious activity. Even the most effective rules quickly become useless without accurate data to analyze, leaving organizations vulnerable to attacks.

    Common log collection issues include missed log sources, misconfigured log agents, and incorrect log settings. For example, many environments fail to log key data points or have problems with log forwarding, preventing pertinent logs from reaching the SIEM in the first place. This failure to capture critical telemetry significantly hampers a SIEM’s ability to detect an attacker’s malicious activity.

    Misconfigured Detection Rules: Silent Failures

    Even when logs are collected properly, detection rules can still fail due to misconfigurations. In fact, in 2025, 13% of rule failures were attributed to configuration issues. This includes incorrect rule thresholds, improperly defined reference sets, and poorly constructed correlation logic. These issues can cause critical events to be missed or trigger false positives, undermining the effectiveness of the SIEM system.

    For example, overly broad or generic rules can lead to an overwhelming amount of noise, which often results in important alerts being buried in that noise, missed entirely, or mistakenly ignored. Similarly, poorly defined reference sets can cause rules to miss important indicators of compromise.

    Performance Issues: The Hidden Culprits of Detection Gaps

    As SIEM systems scale to handle more data, performance issues can quickly become another major hurdle. The report found that 24% of detection failures in 2025 were related to performance problems, such as resource-heavy rules, broad custom property definitions, and inefficient queries. These issues can significantly slow down detection and delay response times, making it harder for security teams to act quickly when they’re actively under attack.

    SIEM systems often struggle to process large volumes of data, especially when rules are not optimized for efficiency. This leads to slow query performance, delayed alerts, and overwhelmed system resources, further reducing the organization’s ability to detect real-time threats.

    Three Common Detection Rule Issues

    Let’s take a closer look at the three most common detection rule issues highlighted in the Blue Report 2025.

    One of the most significant problems impacting SIEM rule effectiveness is log source coalescing. This occurs when event coalescing is enabled for specific log sources like DNS, proxy servers, and Windows event logs, leading to data loss. In this case, important events may be compressed or discarded, resulting in incomplete data for analysis. As a result, critical threat behaviors can easily be missed, and detection rules can quickly become less and less effective.

    Another prevalent issue is unavailable log sources, which account for 10% of rule failures. This often happens when log sources fail to transmit data due to network disruptions, misconfigured log forwarding agents, or firewall blocks. Without these logs, the SIEM system cannot capture critical events, resulting in detection rules failing to trigger alerts.

    Lastly, delaying the implementation of cost-effective test filters is a common cause of detection failures. When detection rules are too broad or inefficient, the system processes excessive amounts of data without effective filtering. This can overwhelm the system, slowing performance and putting your security team at risk of missing key events. According to the report, 8% of detection failures are related to this issue, highlighting the need for optimized, cost-effective filtering.
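    The two failure classes above, a rule that silently undercounts because the collector coalesced events, and a log source that simply stops arriving, are easy to reproduce in a toy pipeline. The following is an added example written for this article, not code from Picus or the Blue Report; the log format, host names (dc01, proxy01, dns01, fw01) and the count= field are constructed for the demonstration.

```python
"""Added example (not from Picus or the Blue Report): a toy SIEM pipeline over
constructed log lines.  failed_logon_rule() is a threshold rule that still
fires when the collector has coalesced repeated events into one record carrying
a count, and silent_sources() is the log-source health check that turns an
'unavailable log source' into an alert instead of silence."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "<ISO timestamp> <source> <event_type> key=value ...".
# The carol line is one coalesced record standing for five identical failures.
SAMPLE_LOGS = """\
2025-08-25T10:00:01 dc01 LOGON_FAILURE user=alice src=10.0.0.5
2025-08-25T10:00:02 dc01 LOGON_FAILURE user=alice src=10.0.0.5
2025-08-25T10:00:03 dc01 LOGON_FAILURE user=alice src=10.0.0.5
2025-08-25T10:00:04 dc01 LOGON_FAILURE user=alice src=10.0.0.5
2025-08-25T10:00:05 dc01 LOGON_FAILURE user=alice src=10.0.0.5
2025-08-25T10:00:09 dc01 LOGON_SUCCESS user=alice src=10.0.0.5
2025-08-25T10:00:10 proxy01 HTTP_REQUEST user=bob src=10.0.0.7
2025-08-25T10:00:20 dc01 LOGON_FAILURE user=carol src=10.0.0.8 count=5
2025-08-25T09:20:00 dns01 DNS_QUERY user=- src=10.0.0.9
"""

# Sources the SIEM is supposed to receive (constructed); fw01 never shows up.
EXPECTED_SOURCES = {"dc01", "proxy01", "dns01", "fw01"}


def parse_line(line):
    ts, source, event_type, *pairs = line.split()
    event = {"ts": datetime.fromisoformat(ts), "source": source, "type": event_type}
    event.update(pair.split("=", 1) for pair in pairs)
    return event


def parse_logs(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def failed_logon_rule(events, threshold=5, window=timedelta(minutes=1)):
    """Fire once per (user, src) when failures inside the sliding window reach
    the threshold.  A record's count= field is honoured so a coalesced event is
    not undercounted as a single failure."""
    alerts, buckets, fired = [], defaultdict(list), set()
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["type"] != "LOGON_FAILURE":
            continue
        key = (e["user"], e["src"])
        times = buckets[key]
        times.extend([e["ts"]] * int(e.get("count", 1)))
        while times and e["ts"] - times[0] > window:   # drop expired failures
            times.pop(0)
        if len(times) >= threshold and key not in fired:
            fired.add(key)
            alerts.append({"rule": "failed_logon_burst", "user": e["user"],
                           "src": e["src"], "count": len(times), "ts": e["ts"]})
    return alerts


def silent_sources(events, expected, now, max_gap=timedelta(minutes=15)):
    """Expected sources that never reported or have been quiet longer than max_gap."""
    last_seen = {}
    for e in events:
        last_seen[e["source"]] = max(last_seen.get(e["source"], e["ts"]), e["ts"])
    return sorted(s for s in expected
                  if s not in last_seen or now - last_seen[s] > max_gap)


def run_detection(text, now_iso):
    """Parse, evaluate the rule, and check collection health in one pass."""
    events = parse_logs(text)
    now = datetime.fromisoformat(now_iso)
    return {"alerts": failed_logon_rule(events),
            "silent_sources": silent_sources(events, EXPECTED_SOURCES, now)}


if __name__ == "__main__":
    result = run_detection(SAMPLE_LOGS, "2025-08-25T10:01:00")
    for alert in result["alerts"]:
        print("ALERT", alert["rule"], alert["user"], alert["src"], alert["count"])
    print("silent sources:", result["silent_sources"])
```

    Without the count= weighting, carol's five coalesced failures would register as one event and the rule would never fire; without the health check, dns01 and fw01 going quiet would look identical to a quiet network. Both are the "no alert, false sense of security" outcome the report describes.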

    Continuous Validation: Ensuring SIEM Rules Stay Effective Against Evolving Threats

    While detection rules are foundational to SIEM systems, they can quickly lose relevance without continuous validation. Adversaries are constantly evolving their tactics, techniques, and procedures (TTPs), and SIEM rules designed to detect known patterns become ineffective if they’re not being regularly tested against real-world threats.

    The Blue Report 2025 emphasizes that, without ongoing testing, even well-tuned SIEM systems can easily become vulnerable to attacks. Continuous validation ensures that security teams don’t just rely on static configurations, but regularly prove that their detection capabilities are working against the latest adversary behaviors. This proactive approach closes the gap between the theoretical protection offered by detection rules and the practical, real-world effectiveness organizations need against ever-evolving threats.

    By simulating real-world adversary behaviors, security teams can evaluate whether their detection rules are countering the newest attack techniques, making sure they’re properly tuned for specific environments, and that they’re identifying malicious behaviors in a timely manner.

    Regular exposure validation, through tools like Breach and Attack Simulation, allows organizations to always be testing and fine-tuning their controls. This approach makes it easier to identify their blind spots and improve their defenses, ensuring that SIEM rules are effective, not just at detecting past attacks, but at preventing future ones as well. Without continuous validation, organizations risk their data, brand reputation, and bottom line to outdated or ineffective defenses, putting their most critical assets at unnecessary risk.

    Closing the Gaps in SIEM Detection

    Neglected SIEM rules will inevitably fail to detect modern threats. Log collection failures, misconfigurations, and performance bottlenecks create blind spots, while static rules quickly lose effectiveness against evolving attacker tactics and techniques. Without continuous validation, organizations risk operating under a false sense of security, leaving critical systems and data exposed to compromise.

    To stay ahead, security teams must regularly test and tune their SIEM rules, simulate real-world attacks, and validate detection pipelines against the latest adversary behaviors. Tools like Breach and Attack Simulation enable organizations to uncover hidden gaps, prioritize high-risk exposures, and ensure that their defenses are working when it matters most.

    See where your SIEM is succeeding and where it might be silently failing. Download the Blue Report 2025 today for actionable insights and recommendations to strengthen your detection and prevention strategies against tomorrow’s attacks.

    This article is a contributed piece from one of our valued partners.


    Source: thehackernews.com…

  • Transparent Tribe Targets Indian Govt With Weaponized Desktop Shortcuts via Phishing

    Transparent Tribe Targets Indian Govt With Weaponized Desktop Shortcuts via Phishing

    Aug 25, 2025 | Ravie Lakshmanan | Malware / Cyber Attack

    The advanced persistent threat (APT) actor known as Transparent Tribe has been observed targeting both Windows and BOSS (Bharat Operating System Solutions) Linux systems with malicious Desktop shortcut files in attacks targeting Indian Government entities.

    “Initial access is achieved through spear-phishing emails,” CYFIRMA said. “Linux BOSS environments are targeted via weaponized .desktop shortcut files that, once opened, download and execute malicious payloads.”

    Transparent Tribe, also called APT36, is assessed to be of Pakistani origin, with the group – along with its sub-cluster SideCopy – having a storied history of breaking into Indian government institutions with a variety of remote access trojans (RATs).

    The latest dual-platform campaign demonstrates the adversarial collective’s continued sophistication, allowing it to broaden its targeting footprint and ensure access to compromised environments.


    The attack chains begin with phishing emails bearing supposed meeting notices, which, in reality, are nothing but booby-trapped Linux desktop shortcut files (“Meeting_Ltr_ID1543ops.pdf.desktop”). These files masquerade as PDF documents to trick recipients into opening them, leading to the execution of a shell script.

    The shell script serves as a dropper to fetch a hex-encoded file from an attacker-controlled server (“securestore[.]cv”) and save it to disk as an ELF binary, while simultaneously opening a decoy PDF hosted on Google Drive by launching Mozilla Firefox. The Go-based binary, for its part, establishes contact with a hard-coded command-and-control (C2) server, modgovindia[.]space:4000, to receive commands, fetch payloads, and exfiltrate data.

    The malware also establishes persistence by means of a cron job that executes the main payload automatically after a system reboot or process termination.

    Cybersecurity company CloudSEK, which also independently reported the activity, said the malware performs system reconnaissance and is equipped to carry out a series of dummy anti-debugging and anti-sandbox checks in a bid to throw off emulators and static analyzers.

    Furthermore, Hunt.io’s analysis of the campaign has revealed that the attacks are designed to deploy a known Transparent Tribe backdoor called Poseidon that enables data collection, long-term access, credential harvesting, and potentially lateral movement.

    “APT36’s capability to customize its delivery mechanisms according to the victim’s operating environment thereby increases its chances of success while maintaining persistent access to critical government infrastructure and evading traditional security controls,” CYFIRMA said.

    The disclosure comes weeks after the Transparent Tribe actors were observed targeting Indian defense organizations and related government entities using spoofed domains with the ultimate goal of stealing credentials and two-factor authentication (2FA) codes. It’s believed that users are redirected to these URLs through spear-phishing emails.

    “Upon entering a valid email ID in the initial phishing page and clicking the ‘Next’ button, the victim is redirected to a second page that prompts the user to input their email account password and the Kavach authentication code,” CYFIRMA said.

    It’s worth noting that the targeting of Kavach, a 2FA solution used by the Indian government agencies to improve account security, is a tried-and-tested tactic adopted by Transparent Tribe and SideCopy since early 2022.


    “The use of typo-squatted domains combined with infrastructure hosted on Pakistan-based servers is consistent with the group’s established tactics, techniques, and procedures,” the company said.

    The findings also follow the discovery of a separate campaign undertaken by a South Asian APT to strike Bangladesh, Nepal, Pakistan, Sri Lanka, and Turkey through spear-phishing emails that are engineered for credential theft using lookalike pages hosted on Netlify and Pages.dev.

    “These campaigns mimic official communication to trick victims into entering credentials on fake login pages,” Hunt.io said earlier this month, attributing it to a hacking group called SideWinder.

    “Spoofed Zimbra and Secure Portal Pages were made to look like official government email, file-sharing, or document upload services, prompting victims to submit credentials through fake login panels.”


    Source: thehackernews.com…

  • Malicious Go Module Poses as SSH Brute-Force Tool, Steals Credentials via Telegram Bot

    Malicious Go Module Poses as SSH Brute-Force Tool, Steals Credentials via Telegram Bot

    Aug 24, 2025 | Ravie Lakshmanan | Malware / Supply Chain Security


    Cybersecurity researchers have discovered a malicious Go module that presents itself as a brute-force tool for SSH but actually contains functionality to discreetly exfiltrate credentials to its creator.

    “On the first successful login, the package sends the target IP address, username, and password to a hard-coded Telegram bot controlled by the threat actor,” Socket researcher Kirill Boychenko said.

    The deceptive package, named “golang-random-ip-ssh-bruteforce,” has been linked to a GitHub account called IllDieAnyway (G3TT), which is currently no longer accessible. However, it continues to be available on pkg.go[.]dev. It was published on June 24, 2022.

    The software supply chain security company said the Go module works by scanning random IPv4 addresses for exposed SSH services on TCP port 22, then attempting to brute-force the service using an embedded username-password list and exfiltrating the successful credentials to the attacker.

    A notable aspect of the malware is that it deliberately disables host key verification by setting “ssh.InsecureIgnoreHostKey” as the HostKeyCallback, thereby allowing the SSH client to accept a connection from any server regardless of its identity.

    The wordlist is fairly straightforward, including only two usernames, root and admin, and pairing them against weak passwords like root, test, password, admin, 12345678, 1234, qwerty, webadmin, webmaster, techsupport, letmein, and Passw@rd.


    The malicious code runs in an infinite loop to generate the IPv4 addresses, with the package attempting concurrent SSH logins from the wordlist.

    The details are transmitted to a threat actor-controlled Telegram bot named “@sshZXC_bot” (ssh_bot) via the Telegram Bot API, which then acknowledges receipt of the credentials. The messages are sent through the bot to an account with the handle “@io_ping” (Gett).
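    The indicators Socket lists (host key verification switched off with ssh.InsecureIgnoreHostKey, a hard-coded Telegram Bot API endpoint, an embedded credential list) are all visible in source, which means a dependency review can catch them before a module is built. The following is an added example written for this article, not code from Socket or from the package described; the two Go excerpts are constructed, and the PLACEHOLDER_TOKEN and known_hosts path are placeholders.

```python
"""Added example (not Socket's code, not the package's code): a line-level
source audit for Go modules that flags the indicators described in the article.
The Go excerpts are constructed for the demonstration."""
import re

# Each indicator: (id, regex, severity, what the reviewer should ask).
INDICATORS = [
    ("host-key-check-disabled",
     re.compile(r"\bssh\.InsecureIgnoreHostKey\s*\("), "high",
     "SSH client accepts any server key; legitimate tooling uses knownhosts.New or ssh.FixedHostKey"),
    ("telegram-bot-api",
     re.compile(r"https?://api\.telegram\.org/bot[A-Za-z0-9:_-]*"), "high",
     "outbound HTTPS to a Telegram bot is a low-profile exfiltration channel"),
    ("embedded-wordlist",
     re.compile(r"(?:\"(?:root|admin|password|12345678|qwerty|letmein)\"\s*,\s*){3,}"), "medium",
     "hard-coded credential list: the module guesses passwords on the operator's behalf"),
]


def audit_go_source(src, path="<string>"):
    """Return one finding per (line, indicator) match."""
    findings = []
    for lineno, line in enumerate(src.splitlines(), start=1):
        for ind_id, pattern, severity, note in INDICATORS:
            if pattern.search(line):
                findings.append({"id": ind_id, "severity": severity, "path": path,
                                 "line": lineno, "note": note, "text": line.strip()})
    return findings


def summarize(findings):
    """Highest severity seen, or 'clean' when nothing matched."""
    order = {"high": 2, "medium": 1, "low": 0}
    return max((f["severity"] for f in findings), key=order.get, default="clean")


# Constructed Go excerpt carrying the dangerous settings (not the real package).
SUSPECT_GO = '''
package main

import "golang.org/x/crypto/ssh"

var users = []string{"root", "admin"}
var passwords = []string{"root", "password", "12345678", "qwerty", "letmein"}

const reportURL = "https://api.telegram.org/bot<PLACEHOLDER_TOKEN>/sendMessage"

func clientConfig(user, pass string) *ssh.ClientConfig {
\treturn &ssh.ClientConfig{
\t\tUser:            user,
\t\tAuth:            []ssh.AuthMethod{ssh.Password(pass)},
\t\tHostKeyCallback: ssh.InsecureIgnoreHostKey(), // accepts any host key
\t}
}
'''

# Constructed hardened form: the callback comes from a known_hosts file, so a
# server presenting an unknown or changed key is rejected.
SAFE_GO = '''
package main

import (
\t"golang.org/x/crypto/ssh"
\t"golang.org/x/crypto/ssh/knownhosts"
)

func clientConfig(user string, signer ssh.Signer) (*ssh.ClientConfig, error) {
\tcb, err := knownhosts.New("/home/deploy/.ssh/known_hosts") // placeholder path
\tif err != nil {
\t\treturn nil, err
\t}
\treturn &ssh.ClientConfig{User: user, Auth: []ssh.AuthMethod{ssh.PublicKeys(signer)}, HostKeyCallback: cb}, nil
}
'''

if __name__ == "__main__":
    for path, src in (("suspect/main.go", SUSPECT_GO), ("safe/main.go", SAFE_GO)):
        found = audit_go_source(src, path)
        print(path, "->", summarize(found))
        for f in found:
            print(f"  {f['path']}:{f['line']} [{f['severity']}] {f['id']}: {f['note']}")
```

    A regex audit like this is deliberately cheap: it runs on a vendored tree or a module cache in CI and surfaces the lines a human should read. The hardened excerpt shows the contrast Socket draws, a HostKeyCallback built from known_hosts instead of one that accepts every server.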


    An Internet Archive snapshot of the now-removed GitHub account shows that the software portfolio of IllDieAnyway, aka G3TT, included an IP port scanner, an Instagram profile info and media parser, and even a PHP-based command-and-control (C2) botnet called Selica-C2.

    Their YouTube channel, which remains accessible, hosts various short-form videos on “How to hack a Telegram bot” and what they claim to be the “most powerful SMS bomber for the Russian Federation,” which can send spam SMS texts and messages to VK users using a Telegram bot. It’s assessed that the threat actor is of Russian origin.

    “The package offloads scanning and password guessing to unwitting operators, spreads risk across their IPs, and funnels the successes to a single threat actor-controlled Telegram bot,” Boychenko said.

    “It disables host key verification, drives high concurrency, and exits after the first valid login to prioritize quick capture. Because the Telegram Bot API uses HTTPS, the traffic looks like normal web requests and can slip past coarse egress controls.”


    Source: thehackernews.com…

  • GeoServer Exploits, PolarEdge, and Gayfemboy Push Cybercrime Beyond Traditional Botnets

    GeoServer Exploits, PolarEdge, and Gayfemboy Push Cybercrime Beyond Traditional Botnets

    Cybersecurity researchers are calling attention to multiple campaigns that leverage known security vulnerabilities and exposed Redis servers for various malicious activities, including using the compromised devices as IoT botnets, residential proxies, or cryptocurrency mining infrastructure.

    The first set of attacks entails the exploitation of CVE-2024-36401 (CVSS score: 9.8), a critical remote code execution vulnerability impacting OSGeo GeoServer GeoTools that has been weaponized in cyber attacks since late last year.

    “Criminals have used the vulnerability to deploy legitimate software development kits (SDKs) or modified apps to gain passive income via network sharing or residential proxies,” Palo Alto Networks Unit 42 researchers Zhibin Zhang, Yiheng An, Chao Lei, and Haozhe Zhang said in a technical report.

    “This method of generating passive income is particularly stealthy. It mimics a monetization strategy used by some legitimate app developers who choose SDKs instead of displaying traditional ads. This can be a well-intentioned choice that protects the user experience and improves app retention.”

    The cybersecurity company said attackers have been probing GeoServer instances exposed to the internet since at least early March 2025, leveraging the access to drop customized executables from adversary-controlled servers. The payloads are distributed via a private instance of a file-sharing server using transfer.sh, as opposed to a conventional HTTP web server.

    The applications used in the campaign aim to fly under the radar by consuming minimal resources, while stealthily monetizing victims’ internet bandwidth without the need for distributing custom malware. The binaries, written in Dart, are designed to interact with legitimate passive income services, discreetly using the device resources for activities like bandwidth sharing.


    The approach is a win-win situation for all parties involved, as developers of the applications receive payments in exchange for integrating the feature, and the cybercriminals get to profit off unused bandwidth using a seemingly innocuous channel that doesn’t raise any red flags.

    “Once running, the executable operates covertly in the background, monitoring device resources and illicitly sharing the victim’s bandwidth whenever possible,” Unit 42 said. “This generates passive income for the attacker.”

    Telemetry data gathered by the company shows that there were over 7,100 publicly exposed GeoServer instances across 99 countries, with China, the United States, Germany, Great Britain, and Singapore taking the top five spots.

    “This ongoing campaign showcases a significant evolution in how adversaries monetize compromised systems,” Unit 42 said. “The attackers’ core strategy focuses on stealthy, persistent monetization rather than aggressive resource exploitation. This approach favors long-term, low-profile revenue generation over easily detectable techniques.”

    The disclosure comes as Censys detailed the infrastructural backbone powering a large-scale IoT botnet called PolarEdge that comprises enterprise-grade firewalls and consumer-oriented devices like routers, IP cameras, and VoIP phones by taking advantage of known security vulnerabilities. Its exact purpose is currently not known, although it’s clear that the botnet isn’t being used for indiscriminate mass scanning.

    The initial access is then abused to drop a custom TLS backdoor based on Mbed TLS that facilitates encrypted command-and-control, log cleanup, and dynamic infrastructure updates. The backdoor has been commonly observed deployed on high, non-standard ports, likely as a way to bypass traditional network scans and defensive monitoring scope.

    PolarEdge exhibits traits that align with an Operational Relay Box (ORB) network, with the attack surface management platform stating there are indications that the campaign started as far back as June 2023, reaching about 40,000 active devices as of this month. More than 70% of the infections are scattered across South Korea, the United States, Hong Kong, Sweden, and Canada.

    “ORBs are compromised exit nodes that forward traffic in order to carry out additional compromises or attacks on behalf of threat actors,” security researcher Himaja Motheram said. “What makes ORBs so valuable to attackers is that they don’t need to take over the device’s core function – they can quietly relay traffic in the background while the device continues to operate normally, making detection by the owner or ISP unlikely.”

    In recent months, vulnerabilities in products from vendors such as DrayTek, TP-Link, Raisecom, and Cisco have been targeted by bad actors to infiltrate them and deploy a Mirai botnet variant codenamed gayfemboy, suggesting an expansion of the targeting scope.

    “The gayfemboy campaign spans multiple countries, including Brazil, Mexico, the United States, Germany, France, Switzerland, Israel, and Vietnam,” Fortinet said. “Its targets also cover a broad range of sectors, such as manufacturing, technology, construction, and media or communications.”

    Gayfemboy is capable of targeting various system architectures, including ARM, AArch64, MIPS R3000, PowerPC, and Intel 80386. It incorporates four primary functions –

    • Monitor, which tracks threads and processes while incorporating persistence and sandbox evasion techniques
    • Watchdog, which attempts to bind to UDP port 47272
    • Attacker, which launches DDoS attacks using UDP, TCP, and ICMP protocols, and enables backdoor access by connecting to a remote server to receive commands
    • Killer, which terminates itself if it receives the command from the server or detects sandbox manipulation

    “While Gayfemboy inherits structural elements from Mirai, it introduces notable modifications that enhance both its complexity and ability to evade detection,” security researcher Vincent Li said. “This evolution reflects the increasing sophistication of modern malware and reinforces the need for proactive, intelligence-driven defense strategies.”


    The findings also coincide with a cryptojacking campaign undertaken by a threat actor dubbed TA-NATALSTATUS that’s targeting exposed Redis servers to deliver cryptocurrency miners.

    The attack essentially involves scanning for unauthenticated Redis servers on port 6379, followed by issuing legitimate CONFIG, SET, and SAVE commands to execute a malicious cron job that runs a shell script. The script disables SELinux, performs defense evasion steps, blocks external connections to the Redis port so that rival actors cannot use the same initial access pathway, and terminates competing mining processes (e.g., Kinsing).

    Also deployed are scripts that install tools like masscan or pnscan and then launch commands like “masscan --shard” to scan the internet for susceptible Redis instances. The last step involves setting up persistence via an hourly cron job and kicking off the mining process.

    Cybersecurity firm CloudSEK said the activity is an evolution of an attack campaign disclosed by Trend Micro in April 2020, adding rootkit-like capabilities to hide malicious processes and alter the timestamps of its files to fool forensic analysis.

    “By renaming system binaries like ps and top to ps.original and replacing them with malicious wrappers, they filter their own malware (httpgd) out of the output. An admin looking for the miner won’t see it using standard tools,” researcher Abhishek Mathew said. “They rename curl and wget to cd1 and wd1. This is a simple but brilliant method to bypass security products that monitor for malicious downloads specifically initiated by these common tool names.”
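    The Redis exposure this campaign depends on, and the renamed-binary artefacts CloudSEK describes, are both checkable offline. The following is an added example written for this article, not code from CloudSEK or Trend Micro: audit_redis_conf() evaluates a redis.conf against the settings that keep CONFIG/SAVE from being turned into a file-write primitive, and renamed_binary_indicators() looks for the ps.original / cd1 / wd1 leftovers in a directory listing. The two configurations and the listing are constructed; the directives used (bind, protected-mode, requirepass, rename-command, dir) are real Redis options, and the password is a placeholder.

```python
"""Added example (not CloudSEK's or Trend Micro's code): a redis.conf policy
check plus a host-side indicator check for the renamed system binaries the
article reports.  Configurations and the directory listing are constructed."""


def parse_redis_conf(text):
    """Collect directives by name; repeated ones (rename-command) accumulate."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        name, _, value = line.partition(" ")
        conf.setdefault(name.lower(), []).append(value.strip())
    return conf


# Commands the campaign needs: CONFIG repoints dir/dbfilename, SAVE writes the
# dataset there, DEBUG is a common extra to disable alongside them.
SENSITIVE_COMMANDS = {
    "CONFIG": "clients can repoint dir/dbfilename at any writable path",
    "SAVE": "clients can force the dataset to be written to disk as a file",
    "DEBUG": "exposes internals that hardening guides recommend disabling",
}


def audit_redis_conf(text):
    """Return a list of findings; an empty list means the policy is satisfied."""
    conf = parse_redis_conf(text)
    issues = []
    # With no bind directive Redis listens on every interface.
    binds = " ".join(conf.get("bind", ["0.0.0.0"]))
    if "0.0.0.0" in binds or "::" in binds.split() or "*" in binds:
        issues.append("bind: listening on all interfaces; bind to loopback or an internal address")
    if conf.get("protected-mode", ["yes"])[0].lower() != "yes":
        issues.append("protected-mode no: unauthenticated clients can connect from other hosts")
    if not conf.get("requirepass") or conf["requirepass"][-1] in ("", '""'):
        issues.append("requirepass unset: anyone who can reach port 6379 has full access")
    renamed = {v.split()[0].upper() for v in conf.get("rename-command", []) if v.split()}
    for cmd, why in SENSITIVE_COMMANDS.items():
        if cmd not in renamed:
            issues.append(f"{cmd} not renamed or disabled: {why}")
    return issues


# Names the article reports being left behind when ps/top/curl/wget are wrapped.
RENAMED_BINARIES = {"ps.original", "top.original", "cd1", "wd1"}


def renamed_binary_indicators(listing):
    """Given file names from the system bin directories, return the suspicious ones."""
    return sorted(RENAMED_BINARIES & set(listing))


# Constructed: the exposure the campaign scans for.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
# no requirepass
dir /var/lib/redis
"""

# Constructed: the same server with the policy applied.
HARDENED_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass PLACEHOLDER_LONG_RANDOM_PASSWORD
rename-command CONFIG ""
rename-command SAVE ""
rename-command DEBUG ""
dir /var/lib/redis
"""

# Constructed /usr/bin listing after the wrapping the article describes.
SAMPLE_BIN_LISTING = ["ps", "ps.original", "top", "top.original", "curl", "cd1", "wget", "wd1", "ls"]

if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, "->", audit_redis_conf(text) or "ok")
    print("renamed-binary indicators:", renamed_binary_indicators(SAMPLE_BIN_LISTING))
```

    The binary check is a screening step, not proof of integrity: a compromised host can lie about its own file list, so the durable answer is to verify installed binaries against package manager metadata from a trusted boot or a forensic image.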


    Source: thehackernews.com…

  • Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection

    Linux Malware Delivered via Malicious RAR Filenames Evades Antivirus Detection

    Cybersecurity researchers have shed light on a novel attack chain that employs phishing emails to deliver an open-source backdoor called VShell.

    The attack is a “Linux-specific malware infection chain that starts with a spam email with a malicious RAR archive file,” Trellix researcher Sagar Bade said in a technical write-up.

    “The payload isn’t hidden inside the file content or a macro, it’s encoded directly in the filename itself. Through clever use of shell command injection and Base64-encoded Bash payloads, the attacker turns a simple file listing operation into an automatic malware execution trigger.”

    The technique, the cybersecurity company added, takes advantage of a simple yet dangerous pattern commonly observed in shell scripts that arises when file names are evaluated with inadequate sanitization, thereby causing a trivial command like eval or echo to facilitate the execution of arbitrary code.


    What’s more, the technique offers the added advantage of getting around traditional defenses, as antivirus engines don’t typically scan file names.

    The starting point of the attack is an email message containing a RAR archive, which includes a file with a maliciously crafted file name: “ziliao2.pdf`{echo,<Base64-encoded command>}|{base64,-d}|bash`”

    Specifically, the file name incorporates Bash-compatible code that’s engineered to execute commands when it’s interpreted by the shell. It’s worth noting that simply extracting the file from the archive does not trigger execution. Rather, it occurs only when a shell script or command attempts to parse the file name.

    Another important aspect to consider here is that it’s not possible to manually create a file name with this syntax, meaning it was likely created using another language or dropped using an external tool or script that bypasses shell input validation, Trellix said.

    This, in turn, leads to the execution of an embedded Base64-encoded downloader, which then retrieves from an external server an ELF binary for the appropriate system architecture (x86_64, i386, i686, armv7l, or aarch64). The binary, for its part, initiates communication with a command-and-control (C2) server to obtain the encrypted VShell payload, then decodes and executes it on the host.

    Trellix said the phishing emails are disguised as an invitation for a beauty product survey, luring recipients with a monetary reward (10 RMB) for completing it.

    “Crucially, the email includes a RAR archive attachment (‘yy.rar’), even though it doesn’t explicitly instruct the user to open or extract it,” Bade explained. “The social engineering angle is subtle: The user is distracted by the survey content, and the presence of the attachment might be mistaken for a survey-related document or data file.”

    VShell is a Go-based remote access tool that has been widely put to use by Chinese hacking groups in recent years, including UNC5174, supporting reverse shell, file operations, process management, port forwarding, and encrypted C2 communications.

    What makes this attack dangerous is that the malware operates entirely in-memory, avoiding disk-based detection, not to mention it can target a wide range of Linux devices.

    “This analysis highlights a dangerous evolution in Linux malware delivery where a simple file name embedded in a RAR archive can be weaponized to execute arbitrary commands,” Trellix said. “The infection chain exploits command injection in shell loops, abuses Linux’s permissive execution environment, and ultimately delivers a powerful backdoor VShell malware capable of full remote control over the system.”
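    Because, as the write-up notes, antivirus engines do not typically inspect file names, a cheap defensive control is to triage the names of extracted archive entries for shell metacharacters before any script loops over them. The scanner below is an added example, not Trellix's tooling; the file names it checks are constructed (the live sample's Base64 payload is not reproduced, a placeholder stands in for it).

```python
"""Flag extracted file names that carry shell syntax (command substitution,
pipes, separators) so they can be quarantined before a shell script ever
expands them. Added example; not Trellix's code. Names below are constructed.
"""

import re
from typing import Dict, List, Tuple

# Constructs a shell expands when an unquoted name reaches eval, echo, or $(ls).
SHELL_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "backtick command substitution": re.compile(r"`"),
    "$( ) command substitution": re.compile(r"\$\("),
    "brace expansion": re.compile(r"\{[^}]*,[^}]*\}"),
    "pipe": re.compile(r"\|"),
    "command separator": re.compile(r"[;&]"),
    "embedded newline": re.compile(r"[\r\n]"),
    "redirection": re.compile(r"[<>]"),
}

# Constructed listing of an extracted archive; the third entry mirrors the
# shape the article describes, with PLACEHOLDER where the Base64 blob would sit.
SAMPLE_NAMES = [
    "report.pdf",
    "Quarterly Report (final).pdf",
    "ziliao2.pdf`{echo,PLACEHOLDER}|{base64,-d}|bash`",
    "invoice$(hostname).pdf",
    "a;b.txt",
]


def suspicious_name(name: str) -> List[str]:
    """Return the labels of every shell construct found in the name."""
    return [label for label, pat in SHELL_PATTERNS.items() if pat.search(name)]


def triage_listing(names: List[str]) -> Tuple[List[str], List[Tuple[str, List[str]]]]:
    """Split a listing into (safe names, [(flagged name, reasons), ...])."""
    safe: List[str] = []
    flagged: List[Tuple[str, List[str]]] = []
    for name in names:
        reasons = suspicious_name(name)
        (flagged.append((name, reasons)) if reasons else safe.append(name))
    return safe, flagged


if __name__ == "__main__":
    safe, flagged = triage_listing(SAMPLE_NAMES)
    for name, reasons in flagged:
        # repr() keeps the raw name visible instead of letting the terminal interpret it
        print(f"QUARANTINE {name!r}: {', '.join(reasons)}")
    print(f"{len(safe)} safe, {len(flagged)} flagged")
```

The same principle applies to the scripts themselves: iterating with `for f in ./*` and passing `"$f"` quoted to `printf '%s\n'` or to a program's argument list never hands the name to a parser that expands it, whereas `eval` or an unquoted `echo $f` inside a loop does.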


    The development comes as Picus Security released a technical analysis of a Linux-focused post-exploit tool dubbed RingReaper that leverages the Linux kernel’s io_uring framework to circumvent traditional monitoring tools. It’s currently not known who is behind the malware.

    “Instead of invoking standard functions such as read, write, recv, send, or connect, RingReaper employs io_uring primitives (e.g., io_uring_prep_*) to execute equivalent operations asynchronously,” security researcher Sıla Özeren Hacıoğlu said. “This method helps bypass hook-based detection mechanisms and reduces the visibility of malicious activity in telemetry commonly gathered by EDR platforms.”

    RingReaper makes use of io_uring to enumerate system processes, active pseudo-terminal (PTS) sessions, network connections, and logged-in users, while reducing its footprint and avoiding detection. It’s also capable of collecting user information from the “/etc/passwd” file, abusing SUID binaries for privilege escalation, and erasing traces of itself after execution.

    “It exploits the Linux kernel’s modern asynchronous I/O interface, io_uring, to minimize reliance on conventional system calls that security tools frequently monitor or hook,” Picus said.
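    A tool that routes its I/O through io_uring still has to call io_uring_setup, io_uring_enter and io_uring_register, and those syscalls can be audited even when read/write hooks see nothing. The script below is an added example for defenders, not from Picus or the article: it scans auditd SYSCALL records for the io_uring syscall numbers (425, 426 and 427 in the x86_64 and arm64 tables) and reports every process using them that is not on a constructed allowlist of daemons expected to do so. The log lines, process names and allowlist are all constructed.

```python
"""Surface processes issuing io_uring syscalls from auditd SYSCALL records.

Added example; not Picus's or the article's code. Collect the records with
an audit rule such as
  -a always,exit -F arch=b64 -S io_uring_setup,io_uring_enter,io_uring_register -k io_uring
(syscall names are accepted by auditctl; numbers work where a name is unknown).
Sample lines, the allowlist and process names below are constructed.
"""

import re
from typing import Dict, List, Tuple

# Syscall numbers shared by the x86_64 and arm64 (asm-generic) tables.
IO_URING_SYSCALLS = {425: "io_uring_setup", 426: "io_uring_enter", 427: "io_uring_register"}

# Constructed: daemons on this host known to use io_uring legitimately.
ALLOWLIST = {"postgres"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

SAMPLE_AUDIT_LOG = [
    'type=SYSCALL msg=audit(1724332800.101:4521): arch=c000003e syscall=425 success=yes exit=5 a0=100 a1=7ffd1a2b3c40 ppid=1 pid=1337 auid=1000 uid=1000 comm="ioagent" exe="/tmp/ioagent" key="io_uring"',
    'type=SYSCALL msg=audit(1724332800.102:4522): arch=c000003e syscall=426 success=yes exit=1 a0=5 a1=1 ppid=1 pid=1337 auid=1000 uid=1000 comm="ioagent" exe="/tmp/ioagent" key="io_uring"',
    'type=SYSCALL msg=audit(1724332800.150:4523): arch=c000003e syscall=426 success=yes exit=1 a0=7 a1=8 ppid=1 pid=900 auid=4294967295 uid=26 comm="postgres" exe="/usr/bin/postgres" key="io_uring"',
    'type=SYSCALL msg=audit(1724332800.160:4524): arch=c000003e syscall=0 success=yes exit=512 a0=3 ppid=1 pid=2001 auid=1000 uid=1000 comm="bash" exe="/usr/bin/bash" key=(null)',
    'type=PROCTITLE msg=audit(1724332800.101:4521): proctitle="/tmp/ioagent"',
]


def parse_audit_line(line: str) -> Dict[str, str]:
    """Turn an auditd key=value record into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def find_io_uring_users(lines: List[str]) -> List[Tuple[int, str, str, int]]:
    """Return (pid, comm, exe, syscall_count) for non-allowlisted io_uring callers."""
    seen: Dict[Tuple[int, str, str], int] = {}
    for line in lines:
        f = parse_audit_line(line)
        if f.get("type") != "SYSCALL":
            continue
        try:
            nr = int(f.get("syscall", ""))
        except ValueError:
            continue
        if nr not in IO_URING_SYSCALLS:
            continue
        comm = f.get("comm", "?")
        if comm in ALLOWLIST:
            continue
        key = (int(f.get("pid", "0")), comm, f.get("exe", "?"))
        seen[key] = seen.get(key, 0) + 1
    return sorted((pid, comm, exe, n) for (pid, comm, exe), n in seen.items())


if __name__ == "__main__":
    for pid, comm, exe, n in find_io_uring_users(SAMPLE_AUDIT_LOG):
        print(f"pid={pid} comm={comm} exe={exe} io_uring syscalls={n}")
```

Ordinary file-server and database workloads can use io_uring heavily, so the value of this check comes from the allowlist: tune it per host, and treat an unknown binary in a world-writable path issuing these calls as worth a look rather than as proof of compromise.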


    Source: thehackernews.com…

  • INTERPOL Arrests 1,209 Cybercriminals Across 18 African Nations in Global Crackdown


    Aug 22, 2025 | Ravie Lakshmanan | Online Fraud / Financial Crime

    INTERPOL on Friday announced that authorities from 18 countries across Africa have arrested 1,209 cybercriminals who targeted 88,000 victims.

    “The crackdown recovered $97.4 million and dismantled 11,432 malicious infrastructures, underscoring the global reach of cybercrime and the urgent need for cross-border cooperation,” the agency said.

    The effort is the second phase of an ongoing law enforcement initiative called Operation Serengeti, which took place between June and August 2025 to tackle severe crimes like ransomware, online scams, and business email compromise (BEC). The first wave of arrests occurred late last year.

    Among the highlights is the dismantling of 25 cryptocurrency mining centres in Angola, where 60 Chinese nationals were involved in the illicit money-making scheme.

    “The crackdown identified 45 illicit power stations which were confiscated, along with mining and IT equipment worth more than $37 million, now earmarked by the government to support power distribution in vulnerable areas,” INTERPOL said.


    Elsewhere, Zambian authorities have taken down a large-scale online investment fraud operation that claimed 65,000 victims who lost around $300 million after they were lured into investing in cryptocurrency through advertising campaigns that promised high-yield returns.

    Fifteen individuals have been arrested in connection with the scheme, with officials seizing domains, mobile numbers, and bank accounts for further investigation. Also disrupted in the southern African country is a scam center and a suspected human trafficking network.

    Lastly, law enforcement also tore down a transnational inheritance scam originating in Germany, arresting the primary suspect and confiscating electronics, jewellery, cash, and vehicles. The same is estimated to have caused losses of around $1.6 million.

    “Each INTERPOL-coordinated operation builds on the last, deepening cooperation, increasing information sharing and developing investigative skills across member countries,” Valdecy Urquiza, secretary general of INTERPOL, said. “With more contributions and shared expertise, the results keep growing in scale and impact. This global network is stronger than ever, delivering real outcomes and safeguarding victims.”

    Singapore-headquartered Group-IB said it provided “circumstantial intelligence” on a cryptocurrency investment scam, along with infrastructural details associated with the scam and other BEC campaigns across the African region.

    “Cybercrime recognizes no borders, and its impact is truly global,” Dmitry Volkov, Group-IB CEO, said. “The success of Operation Serengeti 2.0 demonstrates what can be achieved when nations stand together against this threat.”


    The disclosure comes as Nigeria deported 102 foreign nationals, including 60 Chinese and 39 people from the Philippines, who were convicted of cyber terrorism and internet fraud, according to the country’s Economic and Financial Crimes Commission (EFCC). The deportees were among 792 suspected cybercriminals arrested in December 2024.

    Earlier this March, law enforcement authorities in seven African countries also arrested 306 suspects and confiscated 1,842 devices as part of an international operation codenamed Red Card that took place between November 2024 and February 2025.


    Source: thehackernews.com…

  • Chinese Hackers Murky, Genesis, and Glacial Panda Escalate Cloud and Telecom Espionage


    Cybersecurity researchers are calling attention to malicious activity orchestrated by a China-nexus cyber espionage group known as Murky Panda that involves abusing trusted relationships in the cloud to breach enterprise networks.

    “The adversary has also shown considerable ability to quickly weaponize N-day and zero-day vulnerabilities and frequently achieves initial access to their targets by exploiting internet-facing appliances,” CrowdStrike said in a Thursday report.

    Murky Panda, also known as Silk Typhoon (formerly Hafnium), is best known for its zero-day exploitation of Microsoft Exchange Server flaws in 2021. Attacks mounted by the hacking group have targeted government, technology, academic, legal, and professional services entities in North America.

    Earlier this March, Microsoft detailed the threat actor’s shift in tactics, detailing its targeting of the information technology (IT) supply chain as a means to obtain initial access to corporate networks. It’s assessed that Murky Panda’s operations are driven by intelligence gathering.

    Like other Chinese hacking groups, Murky Panda has exploited internet-facing appliances to obtain initial access and is believed to have also compromised small office/home office (SOHO) devices that are geolocated in the targeted country as an exit node to hinder detection efforts.

    Other infection pathways include exploitation of known security flaws in Citrix NetScaler ADC and NetScaler Gateway (CVE-2023-3519) and Commvault (CVE-2025-3928). The initial access is leveraged to deploy web shells like neo-reGeorg to establish persistence and ultimately drop a custom malware called CloudedHope.


    A 64-bit ELF binary written in Golang, CloudedHope functions as a basic remote access tool (RAT) while employing anti-analysis and operational security (OPSEC) measures, such as modifying timestamps and deleting indicators of its presence in victim environments to fly under the radar.

    But a notable aspect of Murky Panda’s tradecraft concerns the abuse of trusted relationships between partner organizations and their cloud tenants, exploiting zero-day vulnerabilities to breach software-as-a-service (SaaS) providers’ cloud environments and conduct lateral movement to downstream victims.

    In at least one instance observed in late 2024, the threat actor is said to have compromised a supplier of a North American entity and used the supplier’s administrative access to the victim entity’s Entra ID tenant to add a temporary backdoor Entra ID account.

    “Using this account, the threat actor then backdoored several preexisting Entra ID service principals related to Active Directory management and emails,” CrowdStrike said. “The adversary’s goals appear targeted in nature based on their focus on accessing emails.”

    From Murky to Genesis

    Another China-linked threat actor that has proven skilful at manipulating cloud services is Genesis Panda, which has been observed using cloud infrastructure for basic exfiltration and targeting cloud service provider (CSP) accounts to expand access and establish fallback persistence mechanisms.

    Active since at least January 2024, Genesis Panda has been attributed to high-volume operations targeting the financial services, media, telecommunications, and technology sectors spanning 11 countries. The goal of the attacks is to enable access for future intelligence-collection activity.

    The possibility that it acts as an initial access broker stems from the group’s exploitation of a wide range of web-facing vulnerabilities and limited data exfiltration.

    “Although Genesis Panda targets a variety of systems, they show consistent interest in compromising cloud-hosted systems to leverage the cloud control plane for lateral movement, persistence, and enumeration,” CrowdStrike said.

    The adversary has been observed “consistently” querying the Instance Metadata Service (IMDS) associated with a cloud-hosted server to obtain credentials for the cloud control plane and to enumerate network and general instance configurations. It’s also known to use credentials, likely obtained from compromised virtual machines (VMs), to burrow deeper into the target’s cloud account.

    The findings illustrate how Chinese hacking groups are becoming increasingly adept at breaking and navigating cloud environments, while also prioritizing stealth and persistence to ensure sustained access and covert data harvesting.

    Glacial Panda Strikes Telecom Sector

    The telecommunications sector, per CrowdStrike, has witnessed a 130% increase in nation-state activity over the past year, primarily driven by the fact that telecom networks are a treasure trove of intelligence. The latest threat actor to train its sights on the industry vertical is a Chinese threat actor dubbed Glacial Panda.

    The geographic footprint of the hacking group spans Afghanistan, Hong Kong, India, Japan, Kenya, Malaysia, Mexico, Panama, the Philippines, Taiwan, Thailand, and the United States.


    “Glacial Panda highly likely conducts targeted intrusions for intelligence collection purposes, accessing and exfiltrating call detail records and related communications telemetry from multiple telecommunications organizations,” the cybersecurity company said.

    “The adversary primarily targets Linux systems typical in the telecommunications industry, including legacy operating system distributions that support older telecommunications technologies.”

    Attack chains implemented by the threat actor make use of known security vulnerabilities or weak passwords aimed at internet-facing and unmanaged servers, with follow-on activities leveraging privilege escalation bugs like CVE-2016-5195 (aka Dirty COW) and CVE-2021-4034 (aka PwnKit).

    Besides relying on living-off-the-land (LotL) techniques, Glacial Panda’s intrusions pave the way for the deployment of trojanized OpenSSH components, collectively codenamed ShieldSlide, to gather user authentication sessions and credentials.

    “The ShieldSlide-trojanized SSH server binary also provides backdoor access, authenticating any account (including root) when a hardcoded password is entered,” CrowdStrike said.


    Source: thehackernews.com…

  • Automation Is Redefining Pentest Delivery


    Aug 22, 2025 | The Hacker News | Penetration Testing / Security Operations

    Pentesting remains one of the most effective ways to identify real-world security weaknesses before adversaries do. But as the threat landscape has evolved, the way we deliver pentest results hasn’t kept pace.

    Most organizations still rely on traditional reporting methods—static PDFs, emailed documents, and spreadsheet-based tracking. The problem? These outdated workflows introduce delays, create inefficiencies, and undermine the value of the work.

    Security teams need faster insights, tighter handoffs, and clearer paths to remediation. That’s where automated delivery comes in. Platforms like PlexTrac automate pentest finding delivery in real time through robust, rules-based workflows. (No waiting for the final report!)

    The Static Delivery Problem in a Dynamic World

    Delivering a pentest report solely as a static document might have made sense a decade ago, but today it’s a bottleneck. Findings are buried in long documents that don’t align with how teams operate day-to-day. After receiving the report, stakeholders must manually extract findings, create tickets in platforms like Jira or ServiceNow, and coordinate remediation tracking through disconnected workflows. By the time remediation begins, days or weeks may have passed since the issues were discovered.

    Why Automation Matters Now

    As organizations adopt Continuous Threat Exposure Management (CTEM) and expand the frequency of offensive testing, the volume of findings rapidly grows. Without automation, teams struggle to keep up. Automating delivery helps cut through the noise and deliver results in real time for faster handoffs and visibility across the entire vulnerability lifecycle.

    Benefits of automating pentest delivery include:

    • Real-time actionability: Act on findings immediately, not after the report is finalized
    • Faster response: Accelerate remediation, retesting and validation
    • Standardized operations: Ensure every finding follows a consistent process
    • Less manual work: Free teams to focus on strategic initiatives
    • Improved focus: Keep teams focused on what matters

    Service providers gain a competitive advantage by automating delivery and integrating directly into client workflows, making themselves an indispensable partner to drive client value.

    For enterprises, it’s a fast track to operational maturity and a measurable reduction in mean time to remediation (MTTR).

    5 Key Components of Automated Pentest Delivery

    1. Centralized data ingestion: Start by consolidating all findings—manual and automated—into a single source of truth. This includes outputs from scanners (like Tenable, Qualys, Wiz, Snyk) as well as manual pentest findings. Without centralization, vulnerability management becomes a patchwork of disconnected tools and manual processes.
    2. Automated real-time delivery: As findings are identified, they should be automatically routed to the right people and workflows without waiting for the full report. Predefined rulesets should trigger triage, ticketing, and tracking to allow remediation to begin while testing is still in progress.
    3. Automated routing & ticketing: Standardize routing by defining rules based on severity, asset ownership, and exploitability. Automation can assign findings, generate tickets in tools like Jira or ServiceNow, notify stakeholders through Slack or email, and close out informational issues to ensure findings are automatically routed to the right teams and systems.
    4. Standardized remediation workflows: Every finding from your centralized data should follow the same lifecycle from triage to closure based on the criteria you’ve set, regardless of source. Whether it’s discovered from a scanner or manual testing, the process from triage to fix should be consistent and traceable.
    5. Triggered retesting & validation: When a finding is marked as resolved, automation should trigger the appropriate retesting or validation workflow. This ensures nothing slips through the cracks and keeps communication between security and IT teams coordinated and closed-loop.
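    Components 2 and 3 above describe a rules-based router: findings arrive one at a time, informational items are closed automatically, and the rest are assigned by severity, asset ownership and exploitability. The following is an added illustration of such a ruleset, written for this page rather than taken from PlexTrac or the article; the asset-owner table, priority ladder, findings and notification channels are all constructed placeholders.

```python
"""A minimal rules-based router for pentest findings: auto-close informational
items, pick the owning queue from the asset, derive priority from severity,
and bump priority for exploitable findings.

Added example (not PlexTrac's or the article's code); all tables are constructed.
"""

from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Finding:
    id: str
    title: str
    severity: str              # critical | high | medium | low | informational
    asset: str
    exploitable: bool = False  # confirmed by the tester or a public exploit exists
    source: str = "manual"     # manual | scanner; routing is identical for both


@dataclass
class Ticket:
    finding_id: str
    queue: str
    priority: str
    notify: List[str] = field(default_factory=list)


# Constructed: which team owns which asset, and the severity-to-priority ladder.
ASSET_OWNERS = {"web-prod": "appsec", "db-prod": "platform", "corp-laptops": "it-ops"}
PRIORITY = {"critical": "P1", "high": "P2", "medium": "P3", "low": "P4"}


def route(finding: Finding) -> Optional[Ticket]:
    """Apply the ruleset to one finding; None means it was auto-closed."""
    if finding.severity == "informational":
        return None
    queue = ASSET_OWNERS.get(finding.asset, "security-triage")  # unknown asset -> triage queue
    priority = PRIORITY[finding.severity]
    if finding.exploitable and priority != "P1":
        priority = "P" + str(int(priority[1]) - 1)             # one level more urgent
    notify = [f"#{queue}"]
    if priority == "P1":
        notify.append("#incident-response")
    return Ticket(finding.id, queue, priority, notify)


def deliver(findings: List[Finding]) -> Tuple[List[Ticket], List[str]]:
    """Route every finding as it arrives; return (tickets opened, ids auto-closed)."""
    tickets: List[Ticket] = []
    closed: List[str] = []
    for f in findings:
        t = route(f)
        (tickets.append(t) if t else closed.append(f.id))
    return tickets, closed


if __name__ == "__main__":
    # Constructed findings, mixing manual and scanner sources.
    batch = [
        Finding("F-1", "SQL injection in search", "high", "web-prod", exploitable=True),
        Finding("F-2", "TLS 1.0 enabled", "low", "db-prod", source="scanner"),
        Finding("F-3", "Server banner disclosure", "informational", "web-prod", source="scanner"),
        Finding("F-4", "Default credentials on unknown host", "medium", "lab-box"),
    ]
    tickets, closed = deliver(batch)
    for t in tickets:
        print(f"{t.finding_id} -> {t.queue} {t.priority} notify={t.notify}")
    print("auto-closed:", closed)
```

Keeping the ruleset in one function makes the "start small, iterate" advice concrete: a new rule (for example, a stricter ladder for internet-facing assets) is a code-reviewed change to `route`, and the same function runs whether the finding came from a scanner import or a tester's notes.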

    PlexTrac supports each of these capabilities through its Workflow Automation Engine, helping teams unify and accelerate delivery, remediation, and closure in one platform.

    Avoid Common Pitfalls

    Automation is about more than just speed. It’s about building standardized, scalable systems. However, if not implemented thoughtfully, it can create new problems. Watch out for:

    • Overcomplicating early efforts: Trying to automate everything at once can stall momentum. Start small and focus on a few repeatable workflows first. Add complexity over time and expand as you validate success.
    • Treating automation as a one-time setup: Your workflows should evolve alongside your tools, team structure, and priorities. Failing to iterate leads to stale processes that no longer align with how teams operate.
    • Automating without clearly defined workflows: Jumping into automation without first mapping out your current workflows often leads to chaos. Without clear rules for routing, ownership, and escalation, automation may create more problems than it solves.

    How to get started

    Here’s how to begin automating pentest delivery:

    1. Map your current workflow: Document how findings are delivered, triaged, assigned, and tracked today.
    2. Identify friction points: Look for repetitive tasks, handoff delays, and areas where communication breaks down.
    3. Start small: Automate one or two high-impact steps first, like ticket creation, email alerts, or finding delivery. Add complexity over time as you validate what’s working well and use early results to evolve workflows, add rules, and further streamline.
    4. Choose the right platform: Look for solutions that integrate with your existing tools and provide visibility across the vulnerability lifecycle.
    5. Measure impact: Track metrics like MTTR, handoff delays, and retest completion to show the value of your efforts.

    The Future of Pentest Delivery

    Security teams are shifting from reactive testing to proactive exposure management. Pentest delivery automation is a key part of that evolution to help teams move faster, collaborate better, and reduce risk more effectively.

    For Service Providers, this is a chance to differentiate services, scale operations, and deliver more value with less overhead. For Enterprise teams, it means driving maturity, demonstrating progress, and staying ahead of emerging threats.

    Conclusion

    Pentesting is too important to be stuck in static reports and manual workflows. By automating delivery, routing, and remediation tracking, organizations can unlock the full value of their offensive security efforts by making findings more actionable, standardizing remediation workflows, and delivering measurable outcomes.

    Whether you’re delivering tests to clients or to an internal team, the message is clear: The future of pentest delivery is automated.

    Want to see what automated pentest workflows look like in action? Platforms like PlexTrac centralize security data from both manual testing and automated tools, enabling real-time delivery and standardized workflows across the entire vulnerability lifecycle.



    Source: thehackernews.com…

  • Ex-Developer Jailed Four Years for Sabotaging Ohio Employer with Kill-Switch Malware


    Aug 22, 2025 | Ravie Lakshmanan | Cybercrime / Malware


    A 55-year-old Chinese national has been sentenced to four years in prison and three years of supervised release for sabotaging his former employer’s network with custom malware and deploying a kill switch that locked out employees when his account was disabled.

    Davis Lu, 55, of Houston, Texas, was convicted of causing intentional damage to protected computers in March 2025. He was arrested and charged in April 2021 for abusing his position as a software developer to execute malicious code on his employer’s computer servers.

    “The defendant breached his employer’s trust by using his access and technical knowledge to sabotage company networks, wreaking havoc and causing hundreds of thousands of dollars in losses for a U.S. company,” said Acting Assistant Attorney General Matthew R. Galeotti of the Justice Department’s Criminal Division.

    “However, the defendant’s technical savvy and subterfuge did not save him from the consequences of his actions.”

    Court documents show that Lu was employed as a software developer for the unnamed company based in Ohio from November 2007 to October 2019. But after his responsibilities and system access were reduced following a 2018 corporate realignment, Lu enacted a scheme to deliberately introduce malicious code around August 2019, resulting in system crashes and preventing user logins.


    To pull this off, Lu is said to have created infinite loops in source code to trigger server crashes by repeatedly creating new Java threads without proper termination. He also deleted coworker profile files and implemented a kill switch that would lock out all users if his credentials in the company’s Active Directory were disabled.

    “The ‘kill switch’ code – which Lu named ‘IsDLEnabledinAD,’ abbreviating ‘Is Davis Lu enabled in Active Directory’ – was automatically activated when he was placed on leave and asked to surrender his laptop on September 9, 2019, and impacted thousands of company users globally,” the Department of Justice said.

    “Lu named other code ‘Hakai,’ a Japanese word meaning ‘destruction,’ and ‘HunShui,’ a Chinese word meaning ‘sleep’ or ‘lethargy.’”

    Furthermore, on the day Lu was instructed to return his company-issued laptop, the defendant deleted encrypted volumes and attempted to erase Linux directories and two additional projects. His internet search history laid bare the methods he researched to escalate privileges, hide processes, and delete files, suggesting an attempt to obstruct the company’s efforts to resolve the issues.

    Lu’s unlawful actions are estimated to have cost the company hundreds of thousands of dollars in losses, per the department. This case also underscores the importance of identifying insider threats early, added Assistant Director Brett Leatherman of the Federal Bureau of Investigation’s (FBI) Cyber Division.


    Source: thehackernews.com…