Tag: Cyber Security

Cybersecurity researchers have disclosed details of a phishing campaign that delivers a stealthy banking malware-turned-remote access trojan called MostereRAT.

The phishing attack incorporates a number of advanced evasion techniques to gain complete control over compromised systems, siphon sensitive data, and extend its functionality by serving secondary plugins, Fortinet FortiGuard Labs said.

“These include the use of an Easy Programming Language (EPL) to develop a staged payload, concealing malicious operations and disabling security tools to prevent alert triggers, securing command-and-control (C2) communications using mutual TLS (mTLS), supporting various methods for deploying additional payloads, and even installing popular remote access tools,” Yurren Wan said.

EPL is an obscure visual programming language that supports traditional Chinese, simplified Chinese, English, and Japanese variants. It’s chiefly meant for users who may not be proficient in English.

The emails, which are primarily designed to target Japanese users, leverage lures related to business inquiries to deceive recipients into clicking on malicious links that take them to an infected site to download a booby-trapped document — a Microsoft Word file that embeds a ZIP archive.

Present within the ZIP file is an executable that, in turn, triggers the execution of MostereRAT, which is then used to drop several tools like AnyDesk, TigerVNC, and TightVNC using modules written in EPL. A noteworthy aspect of the malware is its ability to disable Windows security mechanisms and block network traffic associated with a hard-coded list of security programs, thereby allowing it to sidestep detection.

“This traffic-blocking technique resembles that of the known red team tool ‘EDRSilencer,’ which uses Windows Filtering Platform (WFP) filters at multiple stages of the network communication stack, effectively preventing it from connecting to its servers and from transmitting detection data, alerts, event logs, or other telemetry,” Wan said.

Another is its ability to run as TrustedInstaller, a built-in Windows system account with elevated permissions, enabling it to interfere with critical Windows processes, modify Windows Registry entries, and delete system files.

Furthermore, one of the modules deployed by MostereRAT is equipped to monitor foreground window activity associated with Qianniu – Alibaba’s Seller Tool, log keystrokes, send heartbeat signals to an external server, and process commands issued by the server.

The commands allow it to collect victim host details, run DLL, EPK, or EXE files, load shellcode, read/write/delete files, download and inject an EXE into svchost.exe using Early Bird Injection, enumerate users, capture screenshots, facilitate RDP logins, and even create and add a hidden user to the administrators group.

“These tactics significantly increase the difficulty of detection, prevention, and analysis,” Fortinet said. “In addition to keeping your solution updated, educating users about the dangers of social engineering remains essential.”

ClickFix Gets Another Novel Twist

The findings coincide with the emergence of another campaign that employs “ClickFix-esque techniques” to distribute a commodity information stealer known as MetaStealer to users searching for tools like AnyDesk.

The attack chain involves serving a fake Cloudflare Turnstile page before downloading the supposed AnyDesk installer, and prompts them to click on a check box to complete a verification step. However, this action triggers a pop-up message asking them to open Windows File Explorer.

Once the Windows File Explorer is opened, PHP code concealed in the Turnstile verification page is configured to employ the “search-ms:” URI protocol handler to display a Windows shortcut (LNK) file disguised as a PDF that’s hosted on an attacker’s site.

The LNK file, for its part, activates a series of steps to gather the hostname and run an MSI package that’s ultimately responsible for dropping MetaStealer.

“These types of attacks that require some level of manual interaction from the victim, as they work to ‘fix’ the purported broken process themselves, work in part because they can potentially circumvent security solutions,” Huntress said. “Threat actors are continuing to move the needle in their infection chains, throwing a wrench into detection and prevention.”

The disclosure also comes as CloudSEK detailed a novel adaptation of the ClickFix social engineering tactic that leverages invisible prompts using CSS-based obfuscation methods to weaponize AI systems and produce summaries that include attacker-controlled ClickFix instructions.

The proof-of-concept (PoC) attack is accomplished by using a strategy called prompt overdose, wherein the payload is embedded within HTML content extensively so that it dominates a large language model’s context window in order to steer its output.

“This approach targets summarizers embedded in applications such as email clients, browser extensions, and productivity platforms,” the company said. “By exploiting the trust users place in AI-generated summaries, the method covertly delivers malicious step-by-step instructions that can facilitate ransomware deployment.”

“Prompt overdose is a manipulation technique that overwhelms an AI model’s context window with high-density, repeated content to control its output. By saturating the input with attacker-chosen text, legitimate context is pushed aside, and the model’s attention is consistently drawn back to the injected payload.”

It’s budget season. Once again, security is being questioned, scrutinized, or deprioritized.

If you’re a CISO or security leader, you’ve likely found yourself explaining why your program matters, why a given tool or headcount is essential, and how the next breach is one blind spot away. But these arguments often fall short unless they’re framed in a way the board can understand and appreciate.

According to a Gartner analysis, 88% of Boards see cybersecurity as a business risk, rather than an IT issue, yet many security leaders still struggle to raise the profile of cybersecurity within the organization. For security issues to resonate amongst the Board you need to speak its language: business continuity, compliance, and cost impact.

Below are some strategies to help you frame the conversation, transforming the technical and complex into clear business directives.

Recognize the High Stakes

Cyber threats continue to evolve, from ransomware and supply chain attacks to advanced persistent threats. Both large enterprises and mid-sized organizations are targets. The business impact of a breach is significant. It disrupts operations, damages reputation, and incurs substantial penalties. To avoid this, organizations must adopt a proactive approach like continuous threat exposure management. Ongoing validation through frequent, automated testing helps identify new attack vectors before they escalate.

Align Security Strategy with Business Objectives

The board doesn’t approve security budgets based on fear or uncertainty. They want to see how your strategy protects revenue, maintains uptime, and supports compliance. That means translating technical goals into outcomes that align with business initiatives. Define measurable KPIs like time to detect or remediate, and position your roadmap alongside upcoming projects like new system rollouts or merges and acquisitions.

Build a Risk-Focused Framework

When you ask for more budget, you need to show prioritization. That starts by identifying and categorizing your core assets, customer data, proprietary systems, and infrastructure. Where possible, quantify what a breach could cost the business. This helps define acceptable risk thresholds and guides investment.

One of our customers, a US-based insurance provider, estimated that a breach of its policyholder database, which held a lot of customer PII, could cost the business more than $5 million in regulatory fines and lost revenue. This projection helped them prioritize vulnerabilities that could lead to this asset and validate its surrounding security controls. By focusing security efforts on high-value assets, they strengthened their security where it mattered most, and could show the board exactly why the investment was justified.

Use Industry Standards to Strengthen Your Case

Regulations and frameworks like ISO 27001, NIST, HIPAA, and PCI DSS are useful allies in making your case. They provide a baseline for good security hygiene and give leadership something familiar to anchor their decisions. But compliance doesn’t guarantee security. Use audit feedback to highlight gaps and demonstrate how validation adds a layer of real-world protection.

Jay Martin, CISO of COFCO International, shared in a recent Pentera-hosted panel that “we used to build budget requests around best practices, but what worked was showing where we were exposed—and how fast we could fix it.”

Security ROI is not just about cost savings. It is about avoiding losses, breaches, downtime, legal penalties, and brand damage. Automated security validation shows early wins by uncovering exposures that traditional tools miss. These include misconfigurations, excessive permissions, and leaked credentials that are proven to be exploitable in your environment. This proves the likelihood of an attack before it actually happens. This kind of evidence shows exactly where risk exists and how fast it can be fixed. It gives leadership a clear reason to expand the program and positions security as a business enabler, not just a cost center.

Communicate with the Right Message for Each Audience

Boards want to understand how security decisions impact the business, whether that’s protecting revenue, avoiding regulatory penalties, or reducing the financial fallout of a breach. Security teams need operational details. Bridging that gap is part of your role. Tailor your message for each group and use real examples where possible. Share stories of how organizations in similar industries were impacted by missteps or succeeded thanks to proactive investment. Show how your plan creates alignment across departments and builds a culture of shared accountability.

Stay Ahead of Emerging Threats with Real Testing

Cyberattacks evolve quickly. Threats that did not exist last quarter might be your biggest risk today. That is why security validation needs to be an ongoing practice. Attackers are not waiting for your quarterly review cycle, and your defenses should not either. Frequent automated penetration tests, helps uncover blind spots across infrastructure, cloud environments, and partner systems.

Continuous testing also allows you to show your board exactly how prepared you are for current threats, especially the high-profile ones that dominate headlines. Tracking how your organization holds up against these threats over time gives you a clear way to demonstrate progress. This level of transparency builds confidence and helps shift the conversation from fear and uncertainty to readiness and measurable improvement.

Avoid Budget Waste

Too many security investments turn into shelfware, not because the tools are bad, but because they’re underused, poorly integrated, or lack clear ownership. Make sure each solution maps to a specific need. Budget not only for licenses, but also for training and operational support. Regular tool audits can help you streamline efforts, reduce redundancy, and focus spending where it delivers the most value.

Finalize a Scalable, Defensible Budget Plan

The strongest budget plans break down spending by category: prevention, detection, response, and validation, and show how each area contributes to the larger picture.

Show how your plan scales with the business so every decision continues to deliver value. To support expanding into new regions, a global manufacturing enterprise used automated security validation to establish best practices for hardening assets and configuring security controls. Because they included continuous validation from the start, they avoided the high cost of manual testing and the operational strain of allocating extra resources. Most importantly, they maintained a strong security posture throughout their expansion by uncovering and remediating real exposures before attackers could exploit them.

Takeaways: Prove Security’s Business Value

Security is no longer a cost center, it’s a growth enabler. When you continuously validate your controls, you shift the conversation from assumptions to evidence. That evidence is what boards want to see.

Use standards to your advantage. Show that you’re not just meeting expectations but actively reducing risk. And above all, keep making the case that smart, ongoing investment in cybersecurity protects the business today and builds resilience for tomorrow.

To move beyond one-time audits and annual reviews, check out our GOAT guide on how to communicate risk to the Board. It shows you how to use continuous validation, to not just defend your organization, but prove your security strategy is working.

Sep 09, 2025Ravie LakshmananCryptocurrency / Software Security

Multiple npm packages have been compromised as part of a software supply chain attack after a maintainer’s account was compromised in a phishing attack.

The attack targeted Josh Junon (aka Qix), who received an email message that mimicked npm (“support@npmjs[.]help”), urging them to update their update their two-factor authentication (2FA) credentials before September 10, 2025, by clicking on embedded link.

The phishing page is said to have prompted the co-maintainer to enter their username, password, and two-factor authentication (2FA) token, only for it to be stolen likely by means of an adversary-in-the-middle (AitM) attack and used to publish the rogue version to the npm registry.

The following 20 packages, which collectively attract over 2 billion weekly downloads, have been confirmed as affected as part of the incident –

• ansi-regex@6.2.1
• ansi-styles@6.2.2
• backslash@0.2.1
• chalk@5.6.1
• chalk-template@1.1.1
• color-convert@3.1.1
• color-name@2.0.1
• color-string@2.1.1
• debug@4.4.2
• error-ex@1.3.3
• has-ansi@6.0.1
• is-arrayish@0.3.3
• proto-tinker-wc@1.8.7
• supports-hyperlinks@4.1.1
• simple-swizzle@0.2.3
• slice-ansi@7.1.1
• strip-ansi@7.1.1
• supports-color@10.2.1
• supports-hyperlinks@4.1.1
• wrap-ansi@9.0.1

“Sorry everyone, I should have paid more attention,” Junon said in a post on Bluesky. “Not like me; have had a stressful week. Will work to get this cleaned up.”

An analysis of the obfuscated malware injected into the source code reveals that it’s designed to intercept cryptocurrency transaction requests and swap the destination wallet address with an attacker-controlled wallet that closely matches it by computing the Levenshtein distance.

According to Aikido Security’s Charlie Eriksen, the payload acts as a browser-based interceptor that hijacks network traffic and application APIs to steal cryptocurrency assets by rewriting requests and responses. It’s currently not known who is behind the attack.

“The payload begins by checking typeof window !== ‘undefined’ to confirm it is running in a browser,” Socket said. “It then hooks into window.fetch, XMLHttpRequest, and window.ethereum.request, along with other wallet provider APIs.”

“This means the malware targets end users with connected wallets who visit a site that includes the compromised code. Developers are not inherently the target, but if they open an affected site in a browser and connect a wallet, they too become victims.”

Package ecosystems like npm and the Python Package Index (PyPI) remain recurring targets due to their popularity and broad reach within the developer community, with attackers abusing the trust associated with these platforms to push malicious payloads.

Beyond publishing malicious packages directly, attackers have also employed techniques such as typosquatting or even exploiting AI-hallucinated dependencies – called slopsquatting – to trick developers into installing malware. The incident once indicates the need for exercising vigilance and hardening CI/CD pipelines and locking down dependencies.

According to ReversingLabs’ 2025 Software Supply Chain Security Report, 14 of the 23 crypto-related malicious campaigns in 2024 targeted npm, with the remainder linked to PyPI.

“What we are seeing unfold with the npm packages chalk and debug is an unfortunately common instance today in the software supply chain,” Ilkka Turunen, Field CTO at Sonatype, told The Hacker News.

“The malicious payload was focused on crypto theft, but this takeover follows a classic attack that is now established – by taking over popular open source packages, adversaries can steal secrets, leave behind backdoors and infiltrate organizations.”

“It was not a random choice to target the developer of these packages. Package takeovers are now a standard tactic for advanced persistent threat groups like Lazarus, because they know they can reach a large amount of the world’s developer population by infiltrating a single under-resourced project.”

Sep 09, 2025Ravie LakshmananCyber Espionage / Telecom Security

Threat hunters have discovered a set of previously unreported domains, some going back to May 2020, that are associated with China-linked threat actors Salt Typhoon and UNC4841.

“The domains date back several years, with the oldest registration activity occurring in May 2020, further confirming that the 2024 Salt Typhoon attacks were not the first activity carried out by this group,” Silent Push said in a new analysis shared with The Hacker News.

The identified infrastructure, totaling 45 domains, has also been identified as sharing some level of overlap with another China-associated hacking group tracked as UNC4841, which is best known for its zero-day exploitation of a security flaw in Barracuda Email Security Gateway (ESG) appliances (CVE-2023-2868, CVSS score: 9.8).

Salt Typhoon, active since 2019, drew widespread attention last year for its targeting of telecommunications services providers in the U.S. Believed to be operated by China’s Ministry of State Security (MSS), the threat cluster shares similarities with activities tracked as Earth Estries, FamousSparrow, GhostEmperor, and UNC5807.

Silent Push said it identified three Proton Mail email addresses that were used to register as many as 16 domains with non-existent addresses.

Further examination of the IP addresses related to the 45 domains has revealed that many of these domains pointed to high-density IP addresses. These refer to IP addresses to which a high number of hostnames currently point, or have pointed in the past. Of those that pointed to low-density IP addresses, the earliest activity goes back to October 2021.

The oldest domain identified as being part of China-backed cyber espionage campaigns is onlineeylity[.]com, registered on May 19, 2020, by a fake persona named Monica Burch, who claims to reside at 1294 Koontz Lane in Los Angeles, California.

“As such, we strongly urge any organization that believes itself to be at risk of Chinese espionage to search its DNS logs for the past five years for requests to any of the domains in our archive feed, or their subdomains,” Silent Push said.

“It would also be prudent to check for requests to any of the listed IP addresses, particularly during the time periods in which this actor operated them.”

Sep 08, 2025Ravie LakshmananSupply Chain Attack / API Security

Salesloft has revealed that the data breach linked to its Drift application started with the compromise of its GitHub account.

Google-owned Mandiant, which began an investigation into the incident, said the threat actor, tracked as UNC6395, accessed the Salesloft GitHub account from March through June 2025. So far, 22 companies have confirmed they were impacted by a supply chain breach.

“With this access, the threat actor was able to download content from multiple repositories, add a guest user, and establish workflows,” Salesloft said in an updated advisory.

The investigation also uncovered reconnaissance activities occurring between March 2025 and June 2025 in the Salesloft and Drift application environments. However, it emphasized there is no evidence of any activity beyond limited reconnaissance.

In the next phase, the attackers accessed Drift’s Amazon Web Services (AWS) environment and obtained OAuth tokens for Drift customers’ technology integrations, with the stolen OAuth tokens used to access data via Drift integrations.

Salesloft said it has isolated the Drift infrastructure, application, and code, and taken the application offline effective September 5, 2025, at 6 a.m. ET. It has also rotated credentials in the Salesloft environment and hardened the environment with improved segmentation controls between Salesloft and Drift applications.

“We are recommending that all third-party applications integrated with Drift via API key, proactively revoke the existing key for these applications,” it added.

As of September 7, 2025 at 5:51 p.m. UTC, Salesforce has restored the integration with the Salesloft platform after temporarily suspending it on August 28. This has been done in response to security measures and remediation steps implemented by Salesloft.

“Salesforce has re-enabled integrations with Salesloft technologies, with the exception of any Drift app,” Salesforce said. “Drift will remain disabled until further notice as part of our continued response to the security incident.”

Sep 08, 2025Ravie LakshmananMalvertising / Encryption

Cybersecurity researchers have detailed a new sophisticated malware campaign that leverages paid ads on search engines like Google to deliver malware to unsuspecting users looking for popular tools like GitHub Desktop.

While malvertising campaigns have become commonplace in recent years, the latest activity gives it a little twist of its own: Embedding a GitHub commit into a page URL containing altered links that point to attacker-controlled infrastructure.

“Even when a link seems to point to a reputable platform such as GitHub, the underlying URL can be manipulated to resolve to a counterfeit site,” Arctic Wolf said in a report published last week.

Exclusively targeted IT and software development companies within Western Europe since at least December 2024, the links within the rogue GitHub commit are designed to funnel users to a malicious download hosted on a lookalike domain (“gitpage[.]app”).

The first-stage malware delivered using poisoned search results is a bloated 128 MB Microsoft Software Installer (MSI) that, owing to its size, evades most existing online security sandboxes, while a Graphics Processing Unit (GPU)-gated decryption routine keeps the payload encrypted on systems without a real GPU. The technique has been codenamed GPUGate.

“Systems without proper GPU drivers are likely to be virtual machines (VMs), sandboxes, or older analysis environments that security researchers commonly use,” the cybersecurity company said. “The executable […] uses GPU functions to generate an encryption key for decrypting the payload, and it checks the GPU device name as it does this.”

Besides incorporating several garbage files as a filler and complicating analysis, it also terminates execution if the device name is less than 10 characters or GPU functions are not available.

The attack subsequently entails the execution of a Visual Basic Script that launches a PowerShell script, which, in turn, runs with administrator privileges, adds Microsoft Defender exclusions, sets up scheduled tasks for persistence, and finally runs executable files extracted from a downloaded ZIP archive.

The end goal is to facilitate information theft and deliver secondary payloads, while simultaneously evading detection. It’s assessed that the threat actors behind the campaign have native Russian language proficiency, given the presence of Russian language comments in the PowerShell script.

Further analysis of the threat actor’s domain has revealed it to be acting as a staging ground for Atomic macOS Stealer (AMOS), suggesting a cross-platform approach.

“By exploiting GitHub’s commit structure and leveraging Google Ads, threat actors can convincingly mimic legitimate software repositories and redirect users to malicious payloads – bypassing both user scrutiny and endpoint defenses,” Arctic Wolf.

The disclosure comes as Acronis detailed the ongoing evolution of a trojanized ConnectWise ScreenConnect campaign that uses the remote access software to drop AsyncRAT, PureHVNC RAT, and a custom PowerShell-based remote access trojan (RAT) on infected hosts in social engineering attacks aimed at U.S. organizations since March 2025.

The bespoke PowerShell RAT, executed by means of a JavaScript file downloaded from the cracked ScreenConnect server, provides some basic functionalities such as running programs, downloading and executing files, and a simple persistence mechanism.

“Attackers now use a ClickOnce runner installer for ScreenConnect, which lacks embedded configuration and instead fetches components at runtime,” the security vendor said. “This evolution makes traditional static detection methods less effective and complicates prevention, leaving defenders with few reliable options.”

A threat actor possibly of Russian origin has been attributed to a new set of attacks targeting the energy sector in Kazakhstan.

The activity, codenamed Operation BarrelFire, is tied to a new threat group tracked by Seqrite Labs as Noisy Bear. The threat actor has been active since at least April 2025.

“The campaign is targeted towards employees of KazMunaiGas or KMG where the threat entity delivered a fake document related to the KMG IT department, mimicking official internal communication and leveraging themes such as policy updates, internal certification procedures, and salary adjustments,” security researcher Subhajeet Singha said.

The infection chain begins with a phishing email containing a ZIP attachment, which includes a Windows shortcut (LNK) downloader, a decoy document related to KazMunaiGas, and a README.txt file with instructions written in both Russian and Kazakh to run a program named “KazMunayGaz_Viewer.”

The email, per the cybersecurity company, was sent from a compromised email address of an individual working in the finance department of KazMunaiGas and targeted other employees of the firm in May 2025.

The LNK file payload is designed to drop additional payloads, including a malicious batch script that paves the way for a PowerShell loader dubbed DOWNSHELL. The attacks culminate with the deployment of a DLL-based implant, a 64-bit binary that can run shellcode to launch a reverse shell.

Further analysis of the threat actor’s infrastructure has revealed that it’s hosted on the Russia-based bulletproof hosting (BPH) service provider Aeza Group, which was sanctioned by the U.S. in July 2025 for enabling malicious activities.

The development comes as HarfangLab linked a Belarus-aligned threat actor known as Ghostwriter (aka FrostyNeighbor or UNC1151) to campaigns targeting Ukraine and Poland since April 2025 with rogue ZIP and RAR archives that are aimed at collecting information about compromised systems and deploying implants for further exploitation.

“These archives contain XLS spreadsheets with a VBA macro that drops and loads a DLL,” the French cybersecurity company said. “The latter is responsible for collecting information about the compromised system and retrieving next-stage malware from a command-and-control (C2) server.”

Subsequent iterations of the campaign have been found to write a Microsoft Cabinet (CAB) file along with the LNK shortcut to extract and run the DLL from the archive. The DLL then proceeds to conduct initial reconnaissance before dropping the next-stage malware from the external server.

The attacks targeting Poland, on the other hand, tweak the attack chain to use Slack as a beaconing mechanism and data exfiltration channel, downloading in return a second-stage payload that establishes contact with the domain pesthacks[.]icu.

At least in one instance, the DLL dropped through the macro-laced Excel spreadsheet is used to load a Cobalt Strike Beacon to facilitate further post-exploitation activity.

“These minor changes suggest that UAC-0057 may be exploring alternatives, in a likely attempt to work around detection, but prioritizes the continuity or development of its operations over stealthiness and sophistication,” HarfangLab said.

Cyber Attacks Reported Against Russia

The findings come amid OldGremlin’s renewed extortion attacks on Russian companies in the first half of 2025, targeting as many as eight large domestic industrial enterprises using phishing email campaigns.

The intrusions, per Kaspersky, involved the use of the bring your own vulnerable driver (BYOVD) technique to disable security solutions on victims’ computers and the legitimate Node.js interpreter to execute malicious scripts.

Phishing attacks aimed at Russia have also delivered a new information stealer called Phantom Stealer, which is based on an open-source stealer codenamed Stealerium, to collect a wide range of sensitive information using email baits related to adult content and payments. It also shares overlaps with another Stealerium offshoot known as Warp Stealer.

According to F6, Phantom Stealer also inherits Stealerium’s “PornDetector” module that captures webcam screenshots when users visit pornographic websites by keeping tabs on the active browser window and whether the title includes a configurable list of terms like porn, and sex, among others.

“This is likely later used for ‘sextortion,’” Proofpoint said in its own analysis of the malware. “While this feature is not novel among cybercrime malware, it is not often observed.”

In recent months, Russian organizations have also been at the receiving end of attacks perpetrated by hacking groups tracked as Cloud Atlas, PhantomCore, and Scaly Wolf to harvest sensitive information and deliver additional payloads using malware families such as VBShower, PhantomRAT, and PhantomRShell.

Another cluster of activity involves a new Android malware that masquerades as an antivirus tool created by Russia’s Federal Security Services agency (FSB) to single out representatives of Russian businesses. The apps carry names like SECURITY_FSB, ФСБ (Russian for FSB), and GuardCB, the last of which is an attempt to pass off as the Central Bank of the Russian Federation.

First discovered in January 2025, the malware exfiltrates data from messenger and browser apps, stream from the phone’s camera, and log keystrokes by seeking extensive permissions to access SMS messages, location, audio, camera. It also requests for running in the background, device administrator rights, and accessibility services.

“The app’s interface provides only one language – Russian,” Doctor Web said. “Thus, the malware is entirely focused on Russian users. The backdoor also uses accessibility services to protect itself from being deleted if it receives the corresponding command from the threat actors.”

Update

Kazakhstan’s state-owned oil and gas company KazMunayGas has dismissed Seqrite’s report about a new cyber espionage group targeting its employees as a planned phishing test, according to Orda.kz. It said the screenshots described in the analysis were part of a phishing training test the company conducted back in May 2025.

(The story was updated after publication to include local media reports from Kazakhstan that described it as a phishing test. The headline of the story has been revised to reflect this aspect.)

Cybersecurity never slows down. Every week brings new threats, new vulnerabilities, and new lessons for defenders. For security and IT teams, the challenge is not just keeping up with the news—it’s knowing which risks matter most right now. That’s what this digest is here for: a clear, simple briefing to help you focus where it counts.

This week, one story stands out above the rest: the Salesloft–Drift breach, where attackers stole OAuth tokens and accessed Salesforce data from some of the biggest names in tech. It’s a sharp reminder of how fragile integrations can become the weak link in enterprise defenses.

Alongside this, we’ll also walk through several high-risk CVEs under active exploitation, the latest moves by advanced threat actors, and fresh insights on making security workflows smarter, not noisier. Each section is designed to give you the essentials—enough to stay informed and prepared, without getting lost in the noise.

⚡ Threat of the Week

Salesloft to Take Drift Offline Amid Security Incident — Salesloft announced that it’s taking Drift temporarily offline “in the very near future,” as multiple companies have been caught up in a far-reaching supply chain attack spree targeting the marketing software-as-a-service product, resulting in the mass theft of authentication tokens. “This will provide the fastest path forward to comprehensively review the application and build additional resiliency and security in the system to return the application to full functionality,” the company said. “As a result, the Drift chatbot on customer websites will not be available, and Drift will not be accessible. To date, Cloudflare, Google Workspace, PagerDuty, Palo Alto Networks, Proofpoint, SpyCloud, Tanium, Tenable, and Zscaler have confirmed they were impacted by the hack. The activity has been attributed to a threat cluster tracked by Google and Cloudflare as UNC6395 and GRUB1, respectively.

• Sitecore Flaw Under Active Exploitation in the Wild — Unknown miscreants are exploiting a configuration vulnerability in multiple Sitecore products to achieve remote code execution via a publicly exposed key and deploy snooping malware on infected machines. The ViewState deserialization vulnerability, CVE-2025-53690, has been used to deploy malware and additional tooling geared toward internal reconnaissance and persistence across one or more compromised environments. The attackers targeted the “/sitecore/blocked.aspx” endpoint, which contains an unauthenticated ViewState form, with HTTP POST requests containing a crafted ViewState payload. Mandiant said it disrupted the intrusion midway, which prevented it from gaining further insights into the attack lifecycle and determining the attackers’ motivations.
• Russian APT28 Deploys “NotDoor” Outlook Backdoor — The Russian state-sponsored hacking group tracked as APT28 has been attributed to a new Microsoft Outlook backdoor called NotDoor (aka GONEPOSTAL) in attacks targeting multiple companies from different sectors in NATO member countries. NotDoor “is a VBA macro for Outlook designed to monitor incoming emails for a specific trigger word,” S2 Grupo’s LAB52 threat intelligence team said. “When such an email is detected, it enables an attacker to exfiltrate data, upload files, and execute commands on the victim’s computer.”
• New GhostRedirector Actor Hacks 65 Windows Servers in Brazil, Thailand, and Vietnam — A previously undocumented threat cluster dubbed GhostRedirector has managed to compromise at least 65 Windows servers primarily located in Brazil, Thailand, and Vietnam. The attacks, per Slovak cybersecurity company ESET, led to the deployment of a passive C++ backdoor called Rungan and a native Internet Information Services (IIS) module codenamed Gamshen. The threat actor is believed to be active since at least August 2024. “While Rungan has the capability of executing commands on a compromised server, the purpose of Gamshen is to provide SEO fraud as-a-service, i.e., to manipulate search engine results, boosting the page ranking of a configured target website,” the company said.
• Google Fixes 2 Actively Exploited Android Flaws — Google has shipped security updates to address 120 security flaws in its Android operating system as part of its monthly fixes for September 2025, including two issues that it said have been exploited in targeted attacks. One of them, CVE-2025-38352, is a privilege escalation vulnerability in the upstream Linux Kernel component. The second shortcoming is a privilege escalation flaw in Android Runtime (CVE-2025-48543). Benoît Sevens of Google’s Threat Analysis Group (TAG) has been credited with discovering and reporting the upstream Linux Kernel flaw, suggesting that it may have been abused as part of targeted spyware attacks.
• Threat Actors Claim to Weaponize HexStrike AI in Real-World Attacks — Threat actors are attempting to leverage a newly released artificial intelligence (AI) offensive security tool called HexStrike AI to exploit recently disclosed security flaws. “This marks a pivotal moment: a tool designed to strengthen defenses has been claimed to be rapidly repurposed into an engine for exploitation, crystallizing earlier concepts into a widely available platform driving real-world attacks,” Check Point said.
• Iranian Hackers Linked to Attacks Targeting European Embassies — An Iran-nexus group conducted a “coordinated” and “multi-wave” spear-phishing campaign targeting the embassies and consulates in Europe and other regions across the world. The activity has been attributed by Israeli cybersecurity company Dream to Iranian-aligned operators connected to broader offensive cyber activity undertaken by a group known as Homeland Justice. “Emails were sent to multiple government recipients worldwide, disguising legitimate diplomatic communication,” the company said. “Evidence points toward a broader regional espionage effort aimed at diplomatic and governmental entities during a time of heightened geopolitical tension.”

🔥 Trending CVEs

Hackers move fast — often exploiting new flaws within hours. A missed update or a single unpatched CVE can open the door to serious damage. Here are this week’s high-risk vulnerabilities making headlines. Review, patch quickly, and stay ahead.

This week’s list includes — CVE-2025-53690 (SiteCore), CVE-2025-42957 (SAP S/4HANA), CVE-2025-9377 (TP-Link Archer C7(EU) V2 and TL-WR841N/ND(MS) V9), CVE-2025-38352 (Linux Kernel/Google Android), CVE-2025-48543 (Google Android), CVE-2025-29927 (Next.js), CVE-2025-52856, CVE-2025-52861 (QNAP QVR), CVE-2025-0309 (Netskope Client for Windows), CVE-2025-21483, CVE-2025-27034 (Qualcomm), CVE-2025-6203 (HashiCorp Vault), CVE-2025-58161 (MobSF), CVE-2025-5931 (Dokan Pro plugin), CVE-2025-53772 (Web Deploy), CVE-2025-9864 (Google Chrome), CVE-2025-9696 (SunPower PVS6), CVE-2025-57833 (Django), CVE-2025-24204 (Apple macOS), CVE-2025-55305 (Electron framework), CVE-2025-53149 (Microsoft Kernel Streaming WOW Thunk Service Driver), CVE-2025-6519, CVE-2025-52549, CVE-2025-52548 (Copeland E2 and E3), CVE-2025-58782 (Apache Jackrabbit), CVE-2025-55190 (Argo CD), CVE-2025-1079, CVE-2025-4613, and a client-side remote code execution (no CVE) (Google Web Designer).

📰 Around the Cyber World

• New AI Waifu RAT Disclosed — Cybersecurity researchers have discovered a potent Windows-based remote access trojan (RAT) called AI Waifu RAT that uses the power of a large language model to pass commands. “A local agent runs on the victim’s machine, listening for commands on a fixed port,” a researcher by the name ryingo said. “These commands, originating from the LLM, are passed through a web UI and sent to the local agent as plaintext HTTP requests.” The malware specifically targets LLM role-playing communities, capitalizing on their interest in the technology to offer AI characters the ability to read local files for “personalized role-playing” and direct “Arbitrary Code Execution” capabilities.
• DoJ: “Not all heroes wear capes. Some have YouTube channels” — The U.S. Department of Justice (DoJ) said two YouTube channels named Scammer Payback and Trilogy Media played a crucial role in unmasking and identifying members of a giant scam network that stole more than $65 million from senior citizens. The 28 alleged members of the Chinese organized crime ring allegedly used call centers based in India to call the elderly, posing as government officials, bank employees, and tech support agents. “Once connected, the scammers used scripted lies and psychological manipulation to gain the victims’ trust and often remote access to their computers,” the DoJ said. “The most common scheme involved convincing victims they had received a mistaken refund and pressuring – or threatening – them to return the supposed excess funds via wire transfer, cash, or gift cards.” Those sending cash were instructed to use overnight or express couriers, addressing packages to fake names tied to false IDs. These were sent to short-term rentals in the U.S. used by conspirators, including the indicted defendants, to collect the fraud proceeds. The network has operated out of Southern California since 2019.
• Analysis of BadSuccessor Patch — Microsoft, as part of its August 2025 Patch Tuesday update, addressed a security flaw called BadSuccessor (CVE-2025-53779) that abused a loophole in dMSA, causing the Key Distribution Center (KDC) to treat a dMSA linked to any account in Active Directory as the successor during authentication. As a result, an attacker could create a dMSA in an Organizational Unit (OU) and link it to any target — even domain controllers, Domain Admins, Protected Users, or accounts marked “sensitive and cannot be delegated” – and compromise them. An analysis of the patch has revealed that patch enforcement was implemented in the KDC’s validation. “The attribute can still be written, but the KDC won’t honor it unless the pairing looks like a legitimate migration,” Akamai security researcher Yuval Gordon said. “Although the vulnerability can be patched, BadSuccessor still lives on as a technique; that is, the KDC’s verification removes the pre-patch escalation path, but doesn’t mitigate the entire problem. Because the patch didn’t introduce any protection to the link attribute, an attacker can still inherit another account by linking a controlled dMSA and a target account.”
• Phishers Pivot to Ramp and Dump Scheme — Cybercriminal groups advertising sophisticated phishing kits that convert stolen card data into mobile wallets have shifted their focus to targeting customers of brokerage services and using compromised brokerage accounts to manipulate the prices of foreign stocks as part of what’s called a ramp and dump scheme.
• Popular C2 Frameworks Exploited by Threat Actors — Sliver, Havoc, Metasploit, Mythic, Brute Ratel C4, and Cobalt Strike (in that order) have emerged as the most frequently used command-and-control (C2) frameworks in malicious attacks in Q2 2025, per data from Kaspersky. “Attackers are increasingly customizing their C2 agents to automate malicious activities and hinder detection,” the company said. The development came as the majority (53%) of attributed vulnerability exploits in the first half of 2025 were conducted by state-sponsored actors for strategic, geopolitical purposes, according to Recorded Future’s Insikt Group. In all, 23,667 CVEs were published in H1 2025, a 16% increase compared to H1 2024. Attackers actively exploited 161 vulnerabilities, and 42% of those exploited flaws had public PoC exploits.
• Fake PDF Converters Deliver JSCoreRunner macOS Malware — Apps posing as PDF converters are being used to deliver malware called JSCoreRunner. Once downloaded from sites like fileripple[.]com, the malware establishes connections with a remote server and hijacks a user’s Chrome browser by modifying its search engine settings to default to a fraudulent search provider, thereby tracking user searches and redirecting them to bogus sites, further exposing them to data and financial theft, per Mosyle. The attack unfolds over two stages: The initial package (whose signature has since been revoked by Apple), which deploys an unsigned secondary payload from the same domain that, in turn, executes the main malicious payload.
• Copeland Releases Fixes for Frostbyte10 Flaws — American tech company Copeland has released a firmware update to fix ten vulnerabilities in Copeland E2 and E3 controllers. The chips are used to manage energy efficiency inside HVAC and refrigeration systems. The ten vulnerabilities have been collectively named Frostbyte10. “The flaws discovered could have allowed unauthorized actors to remotely manipulate parameters, disable systems, execute remote code, or gain unauthorized access to sensitive operational data,” Armis said. “When combined and exploited, these vulnerabilities can result in unauthenticated remote code execution with root privileges.” The most severe of the flaws is CVE-2025-6519, a case of a default admin user “ONEDAY” with a daily generated password that can be predictably generated. In a hypothetical attack scenario, an attacker could chain CVE-2025-6519 and CVE-2025-52549 with CVE-2025-52548, which can enable SSH and Shellinabox access via a hidden API call, to facilitate remote execution of arbitrary commands on the underlying operating system.
• Over 1,000 Ollama Servers Exposed — A new study from Cisco found over 1,100 exposed Ollama servers, with approximately 20% actively hosting models susceptible to unauthorized access. Out of the 1,139 exposed servers, 214 were found to be actively hosting and responding to requests with live models—accounting for approximately 18.8% of the total scanned population, with Mistral and LLaMA representing the most frequently encountered deployments. The remaining 80% of detected servers, while reachable via unauthenticated interfaces, did not have any models instantiated. Although dormant, these servers remain susceptible to exploitation via unauthorized model uploads or configuration manipulation. The findings “highlight the urgent need for security baselines in LLM deployments and provide a practical foundation for future research into LLM threat surface monitoring,” the company said.
• Tycoon Phishing Kit Evolves — The Tycoon phishing kit has been updated to support URL-encoding techniques to hide malicious links embedded in fake voicemail messages to bypass email security checks. Attackers have also been observed using the Redundant Protocol Prefix technique for similar reasons. “This involves crafting a URL that is only partially hyperlinked or that contains invalid elements — such as two ‘https’ or no ‘//’ — to hide the real destination of the link while ensuring the active part looks benign and legitimate and doesn’t arouse suspicion among targets or their browser controls,” Barracuda said. “Another trick is using the ‘@’ symbol in a web address. Everything before the ‘@’ is treated as ‘user info’ by browsers, so attackers put something that looks reputable and trustworthy in this part, such as ‘office365.’ The link’s actual destination comes after the ‘@.’”
• U.S. State Department Offers Up to $10M for Russian Hackers — The U.S. Department of State is offering a bounty of up to $10 million for information on three Russian Federal Security Service (FSB) officers involved in cyberattacks targeting U.S. critical infrastructure organizations on behalf of the Russian government. The three individuals, Marat Valeryevich Tyukov, Mikhail Mikhailovich Gavrilov, and Pavel Aleksandrovich Akulov, are part of the FSB’s Center 16 or Military Unit 71330, which is tracked as Berserk Bear, Blue Kraken, Crouching Yeti, Dragonfly, Koala Team, and Static Tundra. They have been accused of targeting 500 energy companies in 135 countries. In March 2022, the three FBS officers were also charged for their involvement in a campaign that took place between 2012 and 2017, targeting U.S. government agencies.
• XWorm Malware Uses Sneaky Methods to Evade Detection — A new XWorm malware campaign is using deceptive and intricate methods to evade detection and increase the success rate of the malware. “The XWorm malware infection chain has evolved to include additional techniques beyond traditional email-based attacks,” Trellix said. “While email and .LNK files remain common initial access vectors, XWorm now also leverages legitimate-looking .EXE filenames to disguise itself as harmless applications, exploiting user and system trust.” The attack chain uses LNK files to initiate a complex infection. Executing the .LNK triggers malicious PowerShell commands that deliver a .TXT file and download a deceptively-named binary called “discord.exe.” The executable then drops “main.exe” and “system32.exe,” with the latter being the XWorm malware payload. “Main.exe,” on the other hand, is responsible for disabling the Windows Firewall and checking for the presence of -third-party security applications. XWorm, besides meticulously conducting reconnaissance to acquire a comprehensive profile of the machine, runs anti-analysis checks to ascertain the presence of a virtualized environment, and, if so, ceases execution. It also incorporates backdoor functionality by contacting an external server to execute commands, shut down the system, download files, open URLs, and launch DDoS attacks. Recent campaigns distributing the malware through a new crypter-as-a-service offering known as Ghost Crypt. “Ghost Crypt delivers a zipped archive to the victim containing a PDF Reader application, a DLL, and a PDF file,” Kroll said. “When the user opens the PDF, the malicious DLL is side-loaded, initiating the malware execution.” The PDF Reader application is HaiHaiSoft PDF Reader, which is known to have a DLL side-loading vulnerability, previously exploited to deliver Remcos RAT, NodeStealer, and PureRAT.
• 2 E-Crime Groups Use Stealerium Stealer in New Campaigns — Two different cybercriminal groups, TA2715 and TA2536, both of which favored Snake Keylogger, have conducted phishing campaigns in May 2025, delivering an open-source information stealer called Stealerium (or variants of it). “The observed emails impersonated many different organizations, including charitable foundations, banks, courts, and document services, which are common themes in e-crime lures,” Proofpoint said. “Subject lines typically conveyed urgency or financial relevance, including ‘Payment Due,’ ‘Court Summons,’ and ‘Donation Invoice.’”
• Czechia Issues Warning Against Chinese Tech in Critical Infrastructure — NÚKIB, the Czech Republic’s cybersecurity agency, has issued a bulletin regarding the threat posed by technology systems that transfer data to, or are remotely managed from, China. “Current critical infrastructure systems are increasingly dependent on storing and processing data in cloud repositories and on network connectivity enabling remote operation and updates,” the agency warned. “In practice, this means that technology solution providers can significantly influence the operation of critical infrastructure and/or access important data, making trust in the reliability of the provider absolutely crucial.”
• Google Chrome 140 Gains Support for Cookie Prefixes — Google has released version 140 of its Chrome browser with support for a new security feature designed to protect server-set cookies from client-side modifications. Called a cookie prefix, it involves adding a piece of text before the names of a browser’s cookies. “In some cases, it’s important to distinguish on the server side between cookies set by the server and those set by the client. One such case involves cookies normally always set by the server,” Google said. “However, unexpected code (such as an XSS exploit, a malicious extension, or a commit from a confused developer) might set them on the client. This proposal adds a signal that lets servers make such a distinction. More specifically, it defines the __Http and __HostHttp prefixes, which ensure a cookie is not set on the client side using script.”
• New Ransomware Strains Detailed — A new ransomware group called LunaLock has hacked an art-commissioning portal called Artists&Clients and is extorting its owners and artists by threatening to submit the stolen artwork to train artificial intelligence (AI) models unless it pays a $50,000 ransom. Another newly observed ransomware crew is Obscura, which was first observed by Huntress on August 29, 2025. The Go-based ransomware variant attempts to terminate over 120 processes commonly tied to security tools like Microsoft Defender, CrowdStrike, and SentinelOne.
• E.U. Court Backs Data Transfer Deal Agreed by U.S. and E.U. — The General Court of the Court of Justice of the European Union has dismissed a lawsuit that sought to annul the E.U. and U.S. Data Privacy Framework. The court ruled that the new treaty and the US adequately safeguard the personal data of E.U. citizens. The lawsuit alleged that the U.S. Data Protection Review Court (DPRC), which is housed inside the Department of Justice and has been historically seen as a bulwark for checking U.S. data surveillance activities, is not sufficiently independent and does not adequately shield Europeans from bulk data collection by U.S. intelligence agencies.
• Microsoft to Move to Phase 2 of MFA Enforcement in October 2025 — Microsoft said it has been enforcing multi-factor authentication (MFA) for Azure Portal sign-ins across all tenants since March 2025. “We are proud to announce that multi-factor enforcement for Azure Portal sign-ins was rolled out for 100% of Azure tenants in March 2025,” the company said. “By enforcing MFA for Azure sign-ins, we aim to provide you with the best protection against cyber threats as part of Microsoft’s commitment to enhancing security for all customers, taking one step closer to a more secure future.” The next phase of MFA requirement is scheduled to start October 1, 2025, mandating the use of MFA for users performing Azure resource management operations through Azure Command-Line Interface (CLI), Azure PowerShell, Azure Mobile App, REST APIs, Azure Software Development Kit (SDK) client libraries, and Infrastructure as Code (IaC) tools.
• Surge in Scanning Activity Targeting Cisco ASA — GreyNoise said it detected two scanning surges against Cisco Adaptive Security Appliance (ASA) devices on August 22 and 26, 2025, with the first wave originating from over 25,100 IP addresses mainly located in Brazil, Argentina, and the U.S. The second spike repeated ASA probing, with subsets hitting both IOS Telnet/SSH and ASA software personas. The activity targeted the U.S., the U.K., and Germany.
• LinkedIn Expands Verification to Combat Job-Themed Scams — Microsoft-owned professional social network unveiled new measures to strengthen trust and ensure that users are interacting with people who “they say they are.” This includes verified Premium Company Pages, requiring recruiters to verify their workplace on their profile, and workplace verification requirements for high-level titles such as Executive Director, Managing Director, and Vice President to tackle impersonation. The changes are an effort to prevent scammers from posing as company employees or recruiters and reaching out to prospective targets with fake job opportunities – a technique pioneered by North Korean hackers.
• Hotelier Accounts Targeted in Malvertising and Phishing Campaign — A large-scale phishing campaign has impersonated at least 13 service providers that specialize in hotels and vacation rentals. “In these attacks, targeted users are lured to highly deceptive phishing sites using malicious search engine advertisements, particularly sponsored ads on platforms like Google Search,” Okta said. “The attacks leverage convincing fake login pages and social engineering tactics to bypass security controls and exploit user trust.” It’s assessed that the end goal of the campaign is to compromise accounts for cloud-based property management and guest messaging platforms.
• DamageLib Emerges After XSS Forum Takedown — A new cybercrime forum called DamageLib has grown dramatically, attracting over 33,000 users following the arrest of XSS[.]is admin Toha back in July 2025. While XSS remains online, speculations are abound that it could be a law enforcement honeypot, breeding mistrust among cybercriminals. “Exploit forum traffic surged almost 24% during the XSS turmoil as actors sought alternatives, while XSS visits plummeted,” KELA said. “As of August 27, 2025, DamageLib counted 33,487 users — nearly 66% of XSS’s 50,853 members. But engagement lagged: only 248 threads and 3,107 posts in its first month, compared to over 14,400 messages on XSS in the month before the seizure.”
• GhostAction Supply Chain Attack Steals 3,325 Secrets — A massive supply chain attack dubbed GhostAction has allowed attackers to inject a malicious GitHub workflow named “Github Actions Security” to exfiltrate 3,325 secrets, including PyPI, npm, and DockerHub tokens via HTTP POST requests to a remote attacker-controlled endpoint (“bold-dhawan.45-139-104-115.plesk[.]page”). The activity affected 327 GitHub users across 817 repositories.
• New Campaign Abuses Simplified AI to Steal Microsoft 365 Credentials — A new phishing campaign has been observed hosting fake pages under the legitimate Simplified AI domain in a bid to evade detection and blend in with regular enterprise traffic. “By impersonating an executive from a global pharmaceutical distributor, the threat actors delivered a password-protected PDF that appeared legitimate,” Cato Networks said. “Once opened, the file redirected the victim to Simplified AI’s website, but instead of generating content, the site became a launchpad to a fake Microsoft 365 login portal designed to harvest enterprise credentials.”
• Japan, South Korea, and the U.S. Take Aim at North Korean IT Worker Scam — Japan, South Korea, and the U.S. joined hands to fight against the growing threat of North Korean threat actors posing as IT workers to embed themselves in organizations throughout Asia and globally and generate revenue to fund its unlawful weapons of mass destruction (WMD) and ballistic missile programs. “They take advantage of existing demands for advanced IT skills to obtain freelance employment contracts from an expanding number of target clients throughout the world, including in North America, Europe, and East Asia,” the countries said in a joint statement. “North Korean IT workers themselves are also highly likely to be involved in malicious cyber activities, particularly in the blockchain industries. Hiring, supporting, or outsourcing work to North Korean IT workers increasingly poses serious risks, ranging from theft of intellectual property, data, and funds to reputational harm and legal consequences.”
• New AI-Powered Android Vulnerability Discovery and Validation Tool — Computer scientists affiliated with Nanjing University in China and The University of Sydney in Australia said that they’ve developed an AI vulnerability identification system called A2 that emulates the way human bug hunters go about discovering flaws, marking a step forward for automated security analysis. According to the study, A2 “validates Android vulnerabilities through two complementary phases: (i) Agentic Vulnerability Discovery, which reasons about application security by combining semantic understanding with traditional security tools; and (ii) Agentic Vulnerability Validation, which systematically validates vulnerabilities across Android’s multi-modal attack surface-UI interactions, inter-component communication, file system operations, and cryptographic computations.” A2 builds upon A1, an agentic system that transforms any LLM into an end-to-end exploit generator.
• Spotify DM Feature Carries Doxxing Risks — Music streaming service Spotify, last month, announced a new messaging feature for sharing music with friends. But reports are now emerging on Reddit that it’s surfacing as “suggested friends,” people with whom users may have shared Spotify links in the past on other social media platforms, potentially revealing their real names in the process. This is made possible by means of a unique “si” parameter in Spotify links that serves as referral information.
• Spear-Phishing Campaign Targets C-Suite for Credential Theft — A sophisticated spear-phishing campaign has targeted senior employees, particularly those in C-Suite and leadership positions, to steal their credentials using email messages with salary-themed lures or fake OneDrive document-sharing notifications. “Actors behind this campaign are leveraging tailored emails that impersonate internal HR communications, via a shared document in OneDrive, to trick recipients into entering corporate credentials,” Stripe OLT said. “Emails are sent via Amazon Simple Email Service (SES) infrastructure. The actor is rotating between many sending domains and subdomains to evade detection.” As many as 80 domains have been identified as part of this campaign.
• Attackers Attempt to Exploit WDAC Technique — In December 2024, researchers Jonathan Beierle and Logan Goins demonstrated a novel technique that leverages a malicious Windows Defender Application Control (WDAC) policy to block security solutions such as Endpoint Detection and Response (EDR) sensors following a system reboot using a custom tool codenamed Krueger. Since then, it has emerged that threat actors have incorporated the method into their attack arsenal to disable security solutions using WDAC policies. It has also led to the discovery of a new malware strain dubbed DreamDemon that uses WDAC to neutralize antivirus programs. It contains an embedded WDAC policy, which is then dropped onto disk and hidden,” Beierle said. “In certain cases, DreamDemon will also change the time that the policy was created in an attempt to avoid detection.”
• New NBMiner Cryptojacking Malware Detected — Cybersecurity researchers have discovered a new campaign that leverages a PowerShell script to drop an AutoIt loader used to deliver a cryptocurrency miner called NBMiner from an external server. Initial access to the system is accomplished by means of a drive-by compromise. “The program includes several evasion measures,” Darktrace said. “It performs anti-sandboxing by sleeping to delay analysis and terminates sigverif.exe (File Signature Verification). It checks for installed antivirus products and continues only when Windows Defender is the sole protection. It also verifies whether the current user has administrative rights. If not, it attempts a User Account Control (UAC) bypass via Fodhelper to silently elevate and execute its payload without prompting the user.”
• New Campaign Uses Custom GPTs for Brand Impersonation and Phishing — Threat actors are abusing custom features on trusted AI platforms like OpenAI ChatGPT to create malicious “customer support” chatbots that impersonate legitimate brands. These custom GPTs are surfaced on Google Search results, tricking users into taking malicious actions under the guise of a helpful chatbot, underscoring how AI tools can be misused within a broader social engineering chain. “This method introduces a new threat vector: platform-hosted social engineering through trusted AI interfaces,” Doppel said. “Several publicly available Custom GPTs have been observed impersonating well-known companies.” The attacks can lead to theft of sensitive information, malware delivery, and damage the reputation of legitimate brands. The development is part of a larger trend where cybercriminals abuse AI tools, including impersonation fraud via deepfakes, AI-assisted scam call centers, AI-powered mailers and spam tools, malicious tool development, and unrestricted and self-hosted generative AI chatbots that can craft phishing kits, fake websites; create content for romance or investment scams; develop malware; and assist with vulnerability reconnaissance and exploit chains.
• McDonald’s Poland Fined for Leaking Personal Data — Poland’s data protection agency fined McDonald’s Poland nearly €4 million for leaking employee personal data, violating GDPR data privacy protections. The incident occurred at a partner company that managed employee work schedules. Personal data such as names, passport numbers, positions, and work schedules were left exposed on the internet through an open directory. This is the second-largest GDPR fine handed out by Polish authorities after fining the country’s postal service €6.3 million earlier this year. In related news, vulnerabilities in the McDonald’s chatbot recruitment platform McHire exposed over 64 million job applications across the U.S., security researchers Ian Carroll and Sam Curry discovered. The chatbot was created by Paradox.ai, which did not remove the default credentials for a test account (username 123456, password 123456) and failed to secure an endpoint that allowed access to the chat interactions of every applicant. There is no evidence that the test account was ever exploited in a malicious context. A separate set of security issues has also been discovered in the fast-food giant’s partner and employee portals that exposed sensitive data such as API keys and enabled unauthorized access to make changes to a franchise owner’s website. The issues, according to BobdaHacker, have since been patched.
• New Influence Operations Discovered — Cybersecurity company Recorded Future flagged two large-scale, state-aligned influence operation networks supporting India and Pakistan during the India-Pakistan conflict of April and May 2025. These influence networks have been codenamed Hidden Charkha (pro-India) and Khyber Defender (pro-Pakistan). “These networks are very likely motivated by patriotism and are almost certainly aligned with India’s and Pakistan’s domestic and foreign policy objectives, respectively,” Recorded Future said. “Each network consistently attempted to frame India or Pakistan, respectively, as maintaining superior technological and military capabilities – and therefore the implied ability for each respective country to exercise tactical restraint – as proof of having the moral high ground, and hence having domestic and international support.” Both the campaigns were largely unsuccessful in shaping public opinion, given the lack of organic engagement on social media. A second influence operation involves multiple Russia-linked networks, such as Operation Overload, Operation Undercut, Foundation to Battle Injustice, and Portal Kombat, seeking to destabilize the elections and derail Moldova’s European Union (E.U.) accession. Besides attempting to frame the current Moldova leadership as corrupt and counter to Moldova’s interests, the activity portrays “Moldova’s further integration with the E.U. as disastrous for its economic future and sovereignty, and Moldova as a whole as at odds with European standards and values.” The campaign has not achieved any substantial success in shaping public opinion, Recorded Future added.
• Massive IPTV Piracy Network Uncovered — A large Internet Protocol Television (IPTV) piracy network spanning more than 1,100 domains and over 10,000 IP addresses has been discovered hosting pirated content, illegally restreaming licensed channels, and engaging in subscription fraud. Active for several years, more than 20 major brands have been affected, including: Prime Video, Bein Sports, Disney Plus, NPO Plus, Formula 1, HBO, Viaplay, Videoland, Discovery Channel, Ziggo Sports, Netflix, Apple TV, Hulu, NBA, RMC Sport, Premier League, Champions League, Sky Sports, NHL, WWE, and UFC. Silent Push said it identified two companies involved in profiting from hosting pirated content — XuiOne and Tiyansoft. XuiOne is believed to share connections with Stalker_Portal, another well-known open-source IPTV project that has been around since 2013. These services are advertised in the form of Android apps, with the domains distributed via Facebook groups and Imgur. The cybersecurity firm also identified one individual, Nabi Neamati of Herat, Afghanistan, as a central figure in its operations.
• Security Analysis of WhatsApp Message Summarization — NCC Group has published an in-depth analysis of WhatsApp’s AI-powered Message Summarization feature, which was announced by the messaging platform in June 2025. In all, the assessment discovered 21 findings, 16 of which were fixed by WhatsApp. This included three notable weaknesses: The hypervisor could have assigned network interfaces to the CVM through which private data could be exfiltrated, Any old Confidential Virtual Machine (CVM) image with known vulnerabilities could have been indefinitely used by an attacker, and the ability to serve malicious key configurations to WhatsApp clients could have allowed Meta to violate privacy and non-targetability assurances.
• Indirect Prompt Injection via Log Files — Large language models (LLMs) used in a security context can be deceived by specially crafted events and log files injected with hidden prompts to execute malicious actions when they are parsed by AI agents.

🎥 Cybersecurity Webinars

• From Blind Spots to Clarity: Why Code-to-Cloud Visibility Defines Modern AppSec — Most security programs know their risks—but not where they truly begin or how they spread. That gap between code and cloud is costing teams time, ownership, and resilience. This webinar shows how code-to-cloud visibility closes that gap by giving developers, DevOps, and security a shared view of vulnerabilities, misconfigurations, and runtime exposure. The result? Less noise, faster fixes, and stronger protection for the applications your business depends on.
• Shadow AI Agents: The Hidden Risk Driving Enterprise Blind Spots — AI Agents are no longer futuristic—they’re already embedded in your workflows, processes, and platforms. The problem? Many of them are invisible to governance, fueled by unchecked non-human identities that create a growing attack surface. Shadow AI doesn’t just add complexity; it multiplies risk with every click. This webinar unpacks where these agents are hiding, how to spot them before attackers do, and what steps you can take to bring them under control without slowing innovation.
• AI + Quantum 2.0: The Double Disruption Security Leaders Can’t Ignore — The next cybersecurity crisis won’t come from AI or quantum alone—it will come from their convergence. As quantum breakthroughs accelerate and AI drives automation at scale, the attack surface for sensitive industries is expanding faster than most defenses can keep up. This panel brings together leading voices from research, government, and industry to unpack what Quantum 2.0 means for security, why quantum-safe cryptography and AI resilience must go hand-in-hand, and how decision-makers can start building trust and resilience before adversaries weaponize these technologies.

🔧 Cybersecurity Tools

• MeetC2 — It is a clever proof-of-concept C2 framework that uses Google Calendar—yes, the same calendar your team uses every day—as a hidden command channel between an operator and a compromised endpoint. By polling for events and embedding commands into calendar items via Google’s trusted APIs (oauth2.googleapis.com, www.googleapis.com), it shows how legitimate SaaS platforms can be repurposed for covert operations. Security teams can use MeetC2 in controlled purple-team exercises to sharpen detection logic around unusual calendar API usage, validate logging and telemetry effectiveness, and fine-tune safeguards against stealthy cloud-based C2 strategies. In short, it equips defenders with a lightweight, highly relevant testbed to simulate and proactively defend against next-gen adversarial tradecraft.
• thermoptic – It is an advanced HTTP proxy that cloaks low-level clients like curl to appear indistinguishable from a full Chrome/Chromium browser at the network fingerprinting layer. Modern WAFs and anti-bot systems increasingly rely on JA4+ signatures—tracking TLS, HTTP, TCP, and certificate fingerprints—to block scraping tools or detect when users switch from browsers to scripts. By routing requests through a containerized Chrome instance, thermoptic ensures fingerprints match real browsers byte-for-byte, even across multiple layers. For defenders, this is a powerful way to test detection pipelines against sophisticated evasion tactics, validate JA4+ logging visibility, and explore how adversaries might blend into legitimate browser traffic. For ethical researchers and red teams, thermoptic offers a realistic, open-source platform to simulate stealthy scraping or covert traffic—helping security teams move from theory to resilience in the fingerprinting arms race.

Disclaimer: The tools featured here are provided strictly for educational and research purposes. They have not undergone full security audits, and their behavior may introduce risks if misused. Before experimenting, carefully review the source code, test only in controlled environments, and apply appropriate safeguards. Always ensure your usage aligns with ethical guidelines, legal requirements, and organizational policies.

🔒 Tip of the Week

Lock Down Your Router Before Hackers Ever Get a Foot in the Door — Most people think of router security as just “change the password” or “disable UPnP.” But attackers are getting far more creative: from rerouting internet traffic through fake BGP paths, to hijacking cloud services that talk directly to your router. The best defense? A layered approach that closes those doors before compromise happens.

Here are 3 advanced but practical moves you can start today:

1. Protect Your Internet Route with RPKI
   Why it matters: Attackers sometimes hijack internet routes (BGP attacks) to spy on or reroute your traffic.
   Try this: Even if you’re not running a big enterprise, you can check if your ISP supports RPKI (Resource Public Key Infrastructure) using the free Is BGP Safe Yet? tool. If your provider isn’t secured, ask them about RPKI.
2. Use Short-Lived Access Keys Instead of Static Passwords
   Why it matters: A single stolen router password can let attackers in for years.
   Try this: If your router supports it (OpenWRT, pfSense, MikroTik), set up SSH access with keys instead of passwords. For home or small office users, tools like YubiKey can generate one-time login tokens, so even if your PC is hacked, the router stays safe.
3. Control Who Can Even Knock on the Door
   Why it matters: Most router compromises happen because attackers can reach the management port from the internet.
   Try this: Instead of leaving management open, use Single Packet Authorization (SPA) with a free tool like fwknop. It hides your router’s management ports until you send a secret “knock,” making your router invisible to scanners.

Think of your router as the “front door to your digital house.” With these tools, you’re not just locking it — you’re making sure attackers don’t even know where the door is, and even if they do, the key changes every day.

Conclusion

That wraps up this week’s briefing, but the story never really ends. New exploits, new tactics, and new risks are already on the horizon—and we’ll be here to break them down for you. Until then, stay sharp, stay curious, and remember: one clear insight can make all the difference in stopping the next attack.

When Attackers Get Hired: Today’s New Identity Crisis

What if the star engineer you just hired isn’t actually an employee, but an attacker in disguise? This isn’t phishing; it’s infiltration by onboarding.

Meet “Jordan from Colorado,” who has a strong resume, convincing references, a clean background check, even a digital footprint that checks out.

On day one, Jordan logs into email and attends the weekly standup, getting a warm welcome from the team. Within hours, they have access to repos, project folders, even some copy/pasted dev keys to use in their pipeline.

A week later, tickets close faster, and everyone’s impressed. Jordan makes insightful observations about the environment, the tech stack, which tools are misconfigured, and which approvals are rubber-stamped.

But Jordan wasn’t Jordan. And that red-carpet welcome the team rolled out was the equivalent to a golden key, handed straight to the adversary.

From Phishing to Fake Hires

The modern con isn’t a malicious link in your inbox; it’s a legitimate login inside your organization.

While phishing is still a serious threat that continues to grow (especially with the increase in AI-driven attacks), it’s a well-known attack path. Organizations have spent years hardening email gateways, training employees to recognize and report malicious content, and running internal phishing tests.

We defend against a flood of phishing emails daily, as there’s been a 49% increase in phishing since 2021, and a 6.7x increase in large language models (LLMs) being used to generate emails with convincing lures. It’s becoming significantly easier for attackers to run phishing attacks.

But that’s not how Jordan got in. Despite numerous defenses pointed at email, Jordan got in with HR paperwork.

Why is Hiring Fraud a Problem Now?

Remote hiring has scaled rapidly in the past few years. Industries have discovered that 100% remote work is possible, and employees no longer need offices with physical (and easily defendable) perimeters. Moreover, talented resources exist anywhere on the planet. Hiring remotely means organizations can benefit from an expanded hiring pool, with the potential for more qualifications and skills. But remote hiring also removes the intuitive and natural protections of in-person interviews, creating a new opening for threat actors.

Today, identity is the new perimeter. And that means your perimeter can be faked, impersonated, or even AI-generated. References can be spoofed. Interviews can be coached or proxied. Faces and voices can be generated (or deepfaked) by AI. An anonymous adversary can now convincingly appear as “Jordan from Colorado” and get an organization to give them the keys to the kingdom.

Hiring Fraud in the Wild: North Korea’s Remote “Hire” Operatives

The threat of remote hiring fraud isn’t something we’re watching roll in on the horizon or imagine in scary stories around the campfire.

A report published in August of this year revealed over 320 cases of North Korean operatives infiltrating companies by posing as remote IT workers with false identities and polished resumes. That single example has seen a 220% increase year-over-year, which means this threat is escalating quickly., which means this threat is escalating quickly.

Now, with our new perimeter, we have to view this security framework through the lens of identity, which brings us to the concept of zero standing privileges (ZSP).

Unlike the castle model, which locks everything down indiscriminately, a ZSP state should be built around flexibility with guardrails:

• No always-on access by default – The baseline for every identity is always the minimum access required to function.
• JIT (Just-in-Time) + JEP (Just–Enough-Privilege) – –Extra access takes the form of a small, scoped permission that exists only when needed, for the finite duration needed, and then gets revoked when the task is done.
• Auditing and accountability – Every grant and revoke is logged, creating a transparent record.

This approach closes the gap left by the castle problem. It ensures attackers can’t rely on persistent access, while employees can still move quickly through their work. Done right, a ZSP approach aligns productivity and protection instead of forcing a choice between them. Here are a few more tactical steps that teams can take to eliminate standing access across their organization:

The Zero Standing Privileges Checklist

Inventory & baselines:

Request – Approve – Remove:

Full audit and evidence

Taking Action: Start Small, Win Fast

A practical way to begin is by piloting ZSP on your most sensitive system for two weeks. Measure how access requests, approvals, and audits flow in practice. Quick wins here can build momentum for wider adoption, and prove that security and productivity don’t have to be at odds.

BeyondTrust Entitle, a cloud access management solution, enables a ZSP approach, providing automated controls that keep every identity at the minimum level of privilege, always. When work demands more, employees can receive it on request through time-bound, auditable workflows. Just enough access is granted just in time, then removed.

By taking steps to operationalize zero standing privileges, you empower legitimate users to move quickly—without leaving persistent privileges lying around for Jordan to find.

Ready to get started? Click here to get a free red-team assessment of your identity infrastructure.

Note: This article was expertly written and contributed by David van Heerden, Sr. Product Marketing Manager. David van Heerden — a self-described general nerd, metalhead, and wannabe film snob — has worked in IT for over 10 years, sharpening his technical skills and developing a knack for turning complex IT and security concepts into clear, value-oriented topics. At BeyondTrust, he has taken on the Sr. Product Marketing Manager role, leading the entitlements marketing strategy.

A threat actor possibly of Russian origin has been attributed to a new set of attacks targeting the energy sector in Kazakhstan.

The activity, codenamed Operation BarrelFire, is tied to a new threat group tracked by Seqrite Labs as Noisy Bear. The threat actor has been active since at least April 2025.

“The campaign is targeted towards employees of KazMunaiGas or KMG where the threat entity delivered a fake document related to the KMG IT department, mimicking official internal communication and leveraging themes such as policy updates, internal certification procedures, and salary adjustments,” security researcher Subhajeet Singha said.

The infection chain begins with a phishing email containing a ZIP attachment, which includes a Windows shortcut (LNK) downloader, a decoy document related to KazMunaiGas, and a README.txt file with instructions written in both Russian and Kazakh to run a program named “KazMunayGaz_Viewer.”

The email, per the cybersecurity company, was sent from a compromised email address of an individual working in the finance department of KazMunaiGas and targeted other employees of the firm in May 2025.

The LNK file payload is designed to drop additional payloads, including a malicious batch script that paves the way for a PowerShell loader dubbed DOWNSHELL. The attacks culminate with the deployment of a DLL-based implant, a 64-bit binary that can run shellcode to launch a reverse shell.

Further analysis of the threat actor’s infrastructure has revealed that it’s hosted on the Russia-based bulletproof hosting (BPH) service provider Aeza Group, which was sanctioned by the U.S. in July 2025 for enabling malicious activities.

The development comes as HarfangLab linked a Belarus-aligned threat actor known as Ghostwriter (aka FrostyNeighbor or UNC1151) to campaigns targeting Ukraine and Poland since April 2025 with rogue ZIP and RAR archives that are aimed at collecting information about compromised systems and deploying implants for further exploitation.

“These archives contain XLS spreadsheets with a VBA macro that drops and loads a DLL,” the French cybersecurity company said. “The latter is responsible for collecting information about the compromised system and retrieving next-stage malware from a command-and-control (C2) server.”

Subsequent iterations of the campaign have been found to write a Microsoft Cabinet (CAB) file along with the LNK shortcut to extract and run the DLL from the archive. The DLL then proceeds to conduct initial reconnaissance before dropping the next-stage malware from the external server.

The attacks targeting Poland, on the other hand, tweak the attack chain to use Slack as a beaconing mechanism and data exfiltration channel, downloading in return a second-stage payload that establishes contact with the domain pesthacks[.]icu.

At least in one instance, the DLL dropped through the macro-laced Excel spreadsheet is used to load a Cobalt Strike Beacon to facilitate further post-exploitation activity.

“These minor changes suggest that UAC-0057 may be exploring alternatives, in a likely attempt to work around detection, but prioritizes the continuity or development of its operations over stealthiness and sophistication,” HarfangLab said.

Cyber Attacks Reported Against Russia

The findings come amid OldGremlin’s renewed extortion attacks on Russian companies in the first half of 2025, targeting as many as eight large domestic industrial enterprises using phishing email campaigns.

The intrusions, per Kaspersky, involved the use of the bring your own vulnerable driver (BYOVD) technique to disable security solutions on victims’ computers and the legitimate Node.js interpreter to execute malicious scripts.

Phishing attacks aimed at Russia have also delivered a new information stealer called Phantom Stealer, which is based on an open-source stealer codenamed Stealerium, to collect a wide range of sensitive information using email baits related to adult content and payments. It also shares overlaps with another Stealerium offshoot known as Warp Stealer.

According to F6, Phantom Stealer also inherits Stealerium’s “PornDetector” module that captures webcam screenshots when users visit pornographic websites by keeping tabs on the active browser window and whether the title includes a configurable list of terms like porn, and sex, among others.

“This is likely later used for ‘sextortion,’” Proofpoint said in its own analysis of the malware. “While this feature is not novel among cybercrime malware, it is not often observed.”

In recent months, Russian organizations have also been at the receiving end of attacks perpetrated by hacking groups tracked as Cloud Atlas, PhantomCore, and Scaly Wolf to harvest sensitive information and deliver additional payloads using malware families such as VBShower, PhantomRAT, and PhantomRShell.

Another cluster of activity involves a new Android malware that masquerades as an antivirus tool created by Russia’s Federal Security Services agency (FSB) to single out representatives of Russian businesses. The apps carry names like SECURITY_FSB, ФСБ (Russian for FSB), and GuardCB, the last of which is an attempt to pass off as the Central Bank of the Russian Federation.

First discovered in January 2025, the malware exfiltrates data from messenger and browser apps, stream from the phone’s camera, and log keystrokes by seeking extensive permissions to access SMS messages, location, audio, camera. It also requests for running in the background, device administrator rights, and accessibility services.

“The app’s interface provides only one language – Russian,” Doctor Web said. “Thus, the malware is entirely focused on Russian users. The backdoor also uses accessibility services to protect itself from being deleted if it receives the corresponding command from the threat actors.”