A China-aligned threat actor has compromised at least 65 Windows servers globally, deploying custom tools for remote access and SEO fraud, with initial access likely leveraging SQL injection and privilege escalation via custom tools. The actor maintains operational resilience through multiple backdoors, rogue administrator accounts, and legitimate remote access software.
A critical ABAP code injection vulnerability in SAP S/4HANA and related products is being actively exploited, enabling low-privileged users to achieve full system takeover. Immediate application of August 2025 Patch Day updates is critical for affected systems, as many remain unpatched and exposed to ongoing attacks.
Threat actors previously distributing the Odyssey stealer have evolved their tactics, now impersonating Microsoft Teams to target macOS users with a sophisticated AppleScript-based stealer. The campaign employs a ClickFix methodology, tricking users into executing a base64-encoded Terminal command to install the malware and harvest system data and cryptocurrency wallets.
A novel campaign is leveraging GPU-gated decryption and sophisticated abuse of Google Ads and GitHub to deliver advanced payloads, primarily targeting IT professionals. The malware employs an OpenCL kernel to bypass virtual machines and standard sandbox environments, indicating a calculated approach to compromise high-value targets.
A state-sponsored threat actor is leveraging a novel social engineering scam, known as ClickFix, to deploy OS-specific malware and steal sensitive data from cryptocurrency job seekers. The group's rapid adaptation to exposure and highly coordinated team structure have been revealed through operational security failures.
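The two ClickFix items above share one observable: a victim is talked into pasting a command that decodes a base64 blob and hands it to a shell or to osascript. The following detection sketch is an added example, not code from any of the reporting summarized here; the event records are constructed stand-ins for macOS process telemetry (the field names `pid`, `parent` and `cmd` are assumptions), and the encoded payload is a harmless `osascript` dialog built in the script itself. It flags a command on two independent signals: a decode step piped straight into an interpreter, and a decoded blob that itself contains interpreter or download invocations, so that long benign base64-looking tokens (a git hash, a certificate file name) do not trip it.

```python
import base64
import re
from typing import Dict, List, Tuple

# Signal 1: a base64 decode whose output is piped into a shell or AppleScript
# interpreter on the same command line. macOS base64 takes -D/--decode,
# GNU coreutils takes -d; both spellings are covered.
DECODE_PIPE = re.compile(
    r"base64\s+(?:-D|-d|--decode)\b[^|]*\|\s*(?:/bin/)?(?:sh|bash|zsh|osascript)\b"
)

# Candidate base64 blobs: long runs of the base64 alphabet, optional padding.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Signal 2: what the decoded text tries to run. Kept deliberately short;
# a production rule set would be tuned to the environment.
SUSPICIOUS_DECODED = re.compile(r"\b(?:osascript|curl|nohup|launchctl|chmod\s+\+x)\b")


def decode_blobs(cmd: str) -> List[str]:
    """Return the decoded text of every strictly valid base64 run in cmd."""
    decoded = []
    for m in B64_BLOB.finditer(cmd):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        decoded.append(raw.decode("utf-8", "replace"))
    return decoded


def score_command(cmd: str) -> List[str]:
    """Return the list of reasons a command line looks like ClickFix delivery."""
    reasons = []
    if DECODE_PIPE.search(cmd):
        reasons.append("base64 decode piped into an interpreter")
    for text in decode_blobs(cmd):
        hit = SUSPICIOUS_DECODED.search(text)
        if hit:
            reasons.append(f"decoded payload invokes {hit.group(0)}")
    return reasons


def scan_events(events: List[Dict]) -> List[Tuple[int, List[str]]]:
    """Run score_command over process events; return (pid, reasons) for hits."""
    hits = []
    for event in events:
        reasons = score_command(event["cmd"])
        if reasons:
            hits.append((event["pid"], reasons))
    return hits


# Constructed payload: a harmless AppleScript dialog, encoded here so the
# sample event carries a realistic-looking blob without hand-typing base64.
_BENIGN_SCRIPT = "osascript -e 'display dialog \"constructed sample\"'"
_BLOB = base64.b64encode(_BENIGN_SCRIPT.encode()).decode()

# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    {"pid": 4101, "parent": "Terminal", "cmd": "ls -la ~/Documents"},
    {"pid": 4102, "parent": "Terminal", "cmd": 'echo "hello" | base64'},
    {"pid": 4103, "parent": "Terminal",
     "cmd": "git log 0123456789abcdef0123456789abcdef01234567"},
    {"pid": 4104, "parent": "Terminal", "cmd": f"echo {_BLOB} | base64 -D | bash"},
    {"pid": 4105, "parent": "Terminal", "cmd": "base64 -D -i cert.pem.b64 -o cert.pem"},
]

if __name__ == "__main__":
    for pid, reasons in scan_events(SAMPLE_EVENTS):
        print(pid, "; ".join(reasons))
```

Event 4103 carries a 40-character hex string that decodes as valid base64 but yields no interpreter call, and 4105 decodes to a file rather than a pipe; only 4104 is reported, on both signals. The pipe pattern alone is the higher-confidence one and would be the natural alert, with the decoded-content check as corroboration or for hunting across older history files.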
A Lazarus Group subgroup has expanded its toolkit with new cross-platform malware strains, targeting the decentralized finance sector with social engineering and suspected Chrome zero-day exploitation. The group's evolving technical sophistication is demonstrated through its layered tooling approach and persistence in financially motivated operations.
A rare data dump has provided insight into Kimsuky's operations, revealing novel tactics and expanded targeting, with a primary goal of credential harvesting and system persistence. The group employs advanced techniques, including interactive malware development and AiTM phishing, to establish deep system persistence.
CISA has issued an urgent warning regarding an actively exploited zero-day vulnerability in WhatsApp's linked device feature, which allows attackers to manipulate synchronization messages and potentially steal data or install malware. This critical vulnerability poses a significant risk to users globally and must be patched by federal and critical infrastructure organizations by September 23, 2025.
A widespread authentication token theft campaign targeted Salesforce instances via the Salesloft Drift platform, affecting organizations including Palo Alto Networks and Zscaler; the threat actor exfiltrated data with a focus on credentials and other sensitive information. The incident highlights the need for enhanced security audits and stronger access controls to mitigate supply chain attacks.
A newly disclosed vulnerability in Apache Jackrabbit Core and JCR Commons allows JNDI injection, potentially leading to remote code execution. The flaw stems from `JndiRepositoryFactory` handling untrusted JNDI URIs, which enables deserialization of malicious data. Exploitation can result in arbitrary code execution, data exfiltration, or service disruption, impacting enterprise content management and web systems.
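The root cause described above is a repository factory that will resolve whatever JNDI name it is handed. The gate below is an added example of the generic mitigation for that class of bug, not the Jackrabbit project's own patch and not a description of it: before a name reaches a naming lookup, it is accepted only if it resolves in the JVM-local `java:` namespace or is a plain scheme-less context name, and refused if its scheme would send the lookup to an external naming service, which is the step that pulls attacker-controlled serialized objects into the process. The function name `validate_jndi_name`, the allowlist, and the sample configuration entries are all assumptions constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# A JNDI name with a URL scheme, e.g. "ldap://host/...", is dispatched to the
# matching URL context factory. Only the JVM-local "java:" namespace is
# allowed here; everything else implies a network lookup.
SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")
ALLOWED_SCHEMES = {"java"}


def validate_jndi_name(name: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for a JNDI name taken from untrusted input."""
    if not name or name.strip() != name:
        return False, "empty name or surrounding whitespace"
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in name):
        return False, "control character in name"
    m = SCHEME.match(name)
    if m is None:
        # No scheme: resolved against the application's own InitialContext,
        # which is configured by the deployer, not by the caller.
        return True, "scheme-less name resolved in the local InitialContext"
    scheme = m.group(1).lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme '{scheme}' would trigger a remote naming lookup"
    return True, "name in the local java: namespace"


def filter_repository_config(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Keep only config entries whose JNDI name passes validate_jndi_name."""
    kept = []
    for entry in entries:
        ok, _ = validate_jndi_name(entry["jndi_name"])
        if ok:
            kept.append(entry)
    return kept


# Constructed sample configuration; hosts use the reserved .invalid TLD.
SAMPLE_CONFIG = [
    {"id": "local-env", "jndi_name": "java:comp/env/jcr/repository"},
    {"id": "plain-ctx", "jndi_name": "jcr/repository"},
    {"id": "remote-ldap", "jndi_name": "ldap://naming.example.invalid:1389/o=ref"},
    {"id": "remote-rmi", "jndi_name": "RMI://naming.example.invalid:1099/obj"},
    {"id": "padded", "jndi_name": " java:comp/env/jcr/repository"},
]

if __name__ == "__main__":
    for entry in SAMPLE_CONFIG:
        print(entry["id"], validate_jndi_name(entry["jndi_name"]))
```

Scheme matching is case-insensitive because the lookup layer is, so `RMI://` is refused alongside `rmi://`. The check belongs at the trust boundary, wherever a repository URI enters from configuration or a request, and it complements rather than replaces the vendor update: an allowlist cannot help code that has already handed the name to the naming service.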