A newly identified, China-aligned threat actor has compromised at least 65 Windows servers globally, deploying custom tools for both remote access and a novel SEO fraud-as-a-service scheme. * The actor uses a passive C++ backdoor for command execution and a malicious native IIS module to manipulate Google search rankings for third-party gambling websites. * Initial access likely leverages SQL injection, followed by privilege escalation via custom tools based on public exploits and deployment of webshells. * Operational resilience is maintained through multiple backdoors, rogue administrator accounts, and legitimate remote access software, ensuring persistent access and diverse attack capabilities.

The first AI-powered ransomware prototype, developed by NYU scientists and independently detected by ESET, leverages Large Language Models (LLMs) for autonomous attack planning and execution. * This proof-of-concept demonstrates a significant evolution in ransomware capabilities, enabling self-adapting and executing operations. * Its emergence highlights the potential for AI to automate and enhance cyber threats, signaling a new era of sophisticated attacks. * ESET's detection, unaware of the prototype's origin, underscores the practical feasibility and impending nature of such advanced threats.

A Lazarus Group subgroup has refined its tactics, employing three custom RATs—PondRAT, ThemeForestRAT, and RemotePE—in targeted attacks against the financial and cryptocurrency sector. The group uses social engineering via Telegram for initial access, potentially leveraging a zero-day exploit. The attack chain involves a multi-stage infection strategy, with each RAT serving different roles from initial foothold to advanced payload, demonstrating a tiered approach to intrusion and persistence. The subgroup also uses PerfhLoader for DLL loading and the SessionEnv service for persistence, bypassing EDR tools. The operation highlights the group's adaptability and long-term control, utilizing both custom and public tools like Mimikatz and FRP.

APT28 has developed a new backdoor, NotDoor, targeting Outlook to monitor emails and execute commands. The backdoor leverages VBA macros and DLL side-loading via Microsoft OneDrive.exe to evade detection. NotDoor uses a unique string encoding technique and supports multiple commands for data exfiltration and file uploads. The malware establishes persistence by modifying Outlook registry keys and disabling dialogue messages. The attackers use webhook.site for verification and exfiltration via ProtonMail. This evolution showcases APT28's continuous adaptation to bypass defense mechanisms.

TAG-150 has expanded its toolkit with CastleRAT, a new multi-variant remote access trojan, demonstrating enhanced capabilities and sophisticated evasion techniques. - CastleRAT, available in Python and C, uses Steam Community profiles as dead drop resolvers for C2 and features advanced functions like keylogging and cryptocurrency clipping in its C variant. - Initial access is primarily via Cloudflare-themed phishing or fraudulent GitHub repositories, leading to CastleLoader deployment. - A .NET loader for CastleRAT employs UAC Prompt Bombing and Windows Defender exclusion loops, effectively bypassing security and trapping sandboxes. - The threat actor utilizes a multi-tiered C2 infrastructure, indicating persistent and adaptable operations.

Threat actors are actively exploiting a zero-day misconfiguration (CVE-2025-53690) in legacy Sitecore deployments, leveraging reused sample ASP.NET machine keys for remote code execution. * The vulnerability enables RCE via the `/sitecore/blocked.aspx` endpoint, deploying the novel WeepSteel reconnaissance backdoor which disguises data exfiltration as standard ViewState responses. * The multi-stage attack chain includes deploying tunneling tools and RATs, escalating privileges via credential dumping and token impersonation, and establishing persistence through service registration and account modifications. * Impacts specific Sitecore Experience products up to version 9.0 using static machine keys from pre-2017 documentation; immediate replacement, encryption, and regular rotation of these keys are critical mitigations.

A novel cryptojacking campaign exploits Windows' `charmap.exe` to evade detection and covertly mine cryptocurrency. * The attack initiates via spear-phishing with a malicious shortcut, deploying a dropper that injects a custom miner directly into the legitimate Character Map process. * This fileless injection technique bypasses traditional antivirus and behavior-based detection, operating stealthily in memory. * Persistence is maintained through a scheduled task and DLL side-loading via `werfault.exe`. * Victims experience severe system performance degradation and increased energy consumption, with significant impact on healthcare and education sectors.

A new XWorm campaign demonstrates a significant evolution in deployment, shifting from simple scripts to sophisticated multi-stage, stealth-focused tactics. * Initial access leverages malicious .lnk files via phishing, dropping a fake Discord executable that then deploys a heavily packed loader. * The loader disables security tools, uses Nuitka and TLS callbacks for obfuscation, and drops the XWorm payload disguised as a core Windows system file (system32.exe). * XWorm establishes persistence via scheduled tasks and registry entries, employs virtualization checks, modifies Windows Defender exclusions, and uses layered cryptography for C2 communication.

Acronis TRU details a surge in campaigns abusing ConnectWise ScreenConnect for multi-RAT deployment, targeting U.S. organizations with evolving, stealthy tactics. * Malicious ClickOnce ScreenConnect installers fetch components at runtime, hindering traditional detection. * Initial dual deployment of AsyncRAT and a custom PowerShell RAT evolved to include PureHVNC via WMI and process hollowing into trusted processes. * Persistence shifted from noisy scheduled tasks to stealthier batch/VBS loaders and encoded .NET assemblies, showcasing high attacker adaptability. * Attackers reuse preconfigured Windows Server 2022 VMs for rapid redeployment, gaining privileged access that mimics legitimate RMM.

North Korean actors are actively exploiting cyber threat intelligence platforms to monitor their own infrastructure exposure, scout new assets, and refine operations. * Actors registered accounts on CTI platforms immediately after their infrastructure was exposed, using existing operational accounts and collaborating via Slack for real-time intelligence. * Rather than significant infrastructure changes, the group rapidly deployed new assets to replace disrupted ones, ensuring sustained operations and high victim engagement. * OPSEC failures on malware servers exposed critical operational details, including usernames, deployment timelines, and malware distribution applications. * The campaign compromised over 230 victims in cryptocurrency and blockchain sectors within three months, delivering OS-specific payloads via a "ClickFix" social engineering lure.

A sophisticated, previously undetected malware campaign leveraging SVG files to impersonate the national justice system was uncovered, demonstrating advanced evasion techniques. * Attackers embed JavaScript within SVG files to render convincing phishing lures and silently drop malicious ZIP archives. * The campaign employs code obfuscation, polymorphism, and dummy code to evade traditional antivirus detection, with samples dating back to August 2025. * Over 500 unique samples were identified, distributed primarily via email, showing payload evolution and adaptation. * This activity highlights the persistent use of modern web formats for highly evasive, multi-stage attacks.

A critical flaw in the AI supply chain, dubbed 'Model Namespace Reuse,' allows attackers to hijack machine learning pipelines by re-registering abandoned namespaces on platforms like Hugging Face. This vulnerability affects major cloud providers and thousands of open-source projects, enabling the deployment of malicious models under trusted names. Researchers demonstrated successful attacks on Google Vertex AI and Microsoft Azure AI Foundry, gaining persistent access to infrastructure. The issue highlights a systemic risk in AI development, necessitating a reevaluation of security practices to prevent the silent poisoning of AI-driven systems.

A sophisticated spearphishing campaign targets corporate executives using trusted OneDrive document-sharing notifications to steal credentials. The attack leverages highly tailored emails impersonating internal HR communications, with subject lines referencing salary amendments to create urgency. The phishing emails and login pages are customized with recipient details, enhancing authenticity. Attackers use Amazon SES for email delivery, rotating among 80 domains to evade detection. Anti-detection techniques include embedding hidden characters and obfuscating trigger words in light and dark mode email renditions. Single-use phishing URLs self-destruct upon access, complicating incident response. The campaign's focus on C-level targets and trusted communication themes poses significant risks, requiring a blend of user awareness, technical controls, and proactive threat hunting for mitigation.

Automated sextortion spyware, Stealerium, has been identified, which captures webcam images and screenshots of victims browsing pornography. This malware, distributed via email campaigns, targets various sectors including hospitality, education, and finance. Notably, Stealerium is open-source and available on GitHub, highlighting the ease of access for cybercriminals. The malware's automated sextortion feature represents a new level of privacy invasion, adding to its standard data-stealing capabilities.

A new Atomic macOS Stealer (AMOS) campaign demonstrates significant tactical adaptation by bypassing recent Apple security enhancements through novel terminal-based installation methods and "cracked" app lures. * Threat actors shifted from traditional .dmg infections to instructing victims to copy/paste malicious commands into the terminal, effectively circumventing macOS Sequoia's enhanced Gatekeeper. * The campaign leverages "cracked" versions of legitimate software from untrusted sites, employing frequent domain and URL rotation for download commands to evade detection. * AMOS establishes persistence via a LaunchDaemon and exfiltrates a wide range of sensitive data, posing substantial downstream risks for victims.

Google's September 2025 Android Security Bulletin addresses multiple high-severity vulnerabilities under active exploitation, highlighting the urgent need for updates. The most severe flaw allows remote code execution without user interaction. Key vulnerabilities include EoP issues in the Android Runtime and System components, affecting versions 13 through 16. Google's rapid response and coordinated disclosure process underscore the ongoing commitment to protecting Android devices from sophisticated threats.

Bridgestone Americas confirmed a cyber incident impacting manufacturing operations across multiple North American facilities. * The incident caused operational disruptions at production facilities in the US (South Carolina) and Canada (Quebec). * The company claims rapid containment prevented customer data theft or deep network infiltration. * Mitigation efforts are underway to address potential supply chain disruption and product shortages. * The specific attack type is unconfirmed, but a 2022 LockBit ransomware incident is mentioned for context.

Threat actors are exploiting X's Grok AI to bypass link posting restrictions and spread malicious links, significantly amplifying the reach of malicious ads. Key findings include the use of hidden metadata fields to embed malicious links, which Grok then extracts and promotes, increasing the credibility and distribution of these links. The technique, dubbed 'Grokking,' has been found to be highly effective, with some malicious ads reaching millions of impressions. Potential solutions include scanning all fields for malicious links and implementing context sanitization for Grok to prevent it from blindly echoing links.

The takedown of Streameast, the world's largest illegal sports streaming network, highlights significant disruptions in piracy operations. The platform, operational since 2018, had 80 domains and 136 million monthly visits, primarily from the US, Canada, UK, Philippines, and Germany. The operation involved a UAE shell company allegedly used for money laundering, with $6.2 million in advertising revenue and $200,000 in cryptocurrency seized. Despite the takedown, some domains remain active, indicating potential ongoing operations or rapid adaptation by the operators.

A recent breach involving Salesforce and Salesloft's Drift integration has impacted multiple security firms. Notable aspects include the exploitation of third-party integrations, highlighting the risks associated with supply chain vulnerabilities. The breach underscores the need for enhanced security measures in third-party services and the importance of continuous monitoring for unauthorized access. Practical implications include the potential for widespread data exposure and the necessity for robust incident response plans.

A critical authentication bypass vulnerability in specific TP-Link devices is under active exploitation, allowing unauthenticated attackers on the same network to gain full control. * The flaw permits an attacker to factory reset devices and establish a new administrative password, leading to network control, traffic monitoring, or service disruption. * Many affected devices are end-of-life or no longer supported, significantly complicating mitigation efforts for users. * Organizations are advised to apply available patches, follow BOD 22-01 guidance for cloud services, or discontinue use and replace unsupported hardware.

Texas Attorney General sues PowerSchool over a data breach affecting over 880,000 students and teachers. - The breach exposed sensitive personal and health information, highlighting significant security failures. - PowerSchool is accused of misleading customers about its security practices and failing to implement reasonable protective measures. - The lawsuit alleges violations of the Texas Deceptive Trade Practices Act and the Identity Theft Enforcement and Protection Act.

Unauthorized TLS certificates issued for Cloudflare's 1.1.1.1 DNS service pose a significant risk to user privacy. The certificates, issued by Fina RDC 2020, could enable adversary-in-the-middle attacks, exposing users' browsing histories. Only Windows and Edge users were at risk due to the trust chain. Cloudflare and Microsoft are taking steps to mitigate the issue, but the incident underscores vulnerabilities in the internet's public key infrastructure and the need for improved certificate transparency.

The Czech cybersecurity agency (NÚKIB) warns against security risks posed by technology systems transferring data to or remotely managed from China, especially for critical infrastructure. * The warning is driven by increasing critical sector reliance on data-intensive technologies and prior government attribution of cyberattacks against its Ministry of Foreign Affairs to China. * NÚKIB emphasized providers' potential to influence critical infrastructure and access sensitive data, referencing multi-country attributions of Chinese cyber-espionage against global critical infrastructure. * Regulated entities must integrate this threat into procurement and security, with the public advised to carefully assess product use and data input.

A critical vulnerability (CVE-2025-55190) in Argo CD's Project API allows unauthorized retrieval of sensitive repository credentials, posing a significant supply chain risk. * The flaw enables API tokens with basic project-level or global `get` permissions to access usernames and passwords via the `/api/v1/projects/{project}/detailed` endpoint. * Exploitation is straightforward, leading to full credential exposure for all repositories associated with a project. * This vulnerability impacts the GitOps continuous delivery platform, potentially compromising access to source code repositories. * Patches are available across multiple versions, and immediate upgrades are strongly advised to mitigate this high-severity issue.

A critical SAP S/4HANA vulnerability (CVE-2025-42957, CVSS 9.9) is under active exploitation, enabling low-privileged users to achieve full system takeover. * Exploitation requires a valid SAP user with specific RFC module access and authorization, leading to arbitrary ABAP code execution, data manipulation, and administrative account creation. * The network-based attack allows rapid privilege escalation from basic credentials, threatening financial fraud, data theft, or ransomware deployment. * Confirmed real-world attacks and the ease of exploit development from the patch necessitate immediate application of vendor fixes and enhanced security measures.