A newly identified threat cluster, GhostRedirector, has compromised over 65 Windows servers using the Rungan backdoor and Gamshen IIS module for SEO fraud-as-a-service. * Initial access is achieved via likely SQL injection, followed by PowerShell for tool delivery. * Gamshen manipulates search engine results for third-party gambling sites, damaging the compromised host's reputation. * The operation demonstrates persistence through multiple remote access tools and rogue user accounts. * Attribution points to a China-aligned actor, continuing a trend of IIS module-based SEO manipulation.

A malicious npm package, nodejs-smtp, mimics the popular nodemailer library to steal cryptocurrency from Atomic Wallet users. The package includes a functional mailer API to avoid suspicion and targets multiple cryptocurrencies. The threat actor uses sophisticated tooling to inject malicious code into the wallet runtime, overwriting recipient addresses during transactions. Despite low current financial impact, the campaign's deliberate and scalable nature poses a significant risk, especially given the convincing appearance of the package and the potential for developers to mistakenly integrate it.

The first AI-powered ransomware prototype, developed by NYU scientists and independently detected by ESET, leverages Large Language Models (LLMs) for autonomous attack planning and execution. * This proof-of-concept demonstrates a significant evolution in ransomware capabilities, enabling self-adapting and executing operations. * Its emergence highlights the potential for AI to automate and enhance cyber threats, signaling a new era of sophisticated attacks. * ESET's detection, unaware of the prototype's origin, underscores the practical feasibility and impending nature of such advanced threats.

Threat actors are actively exploiting a zero-day misconfiguration (CVE-2025-53690) in legacy Sitecore deployments, leveraging reused sample ASP.NET machine keys for remote code execution. * The vulnerability enables RCE via the `/sitecore/blocked.aspx` endpoint, deploying the novel WeepSteel reconnaissance backdoor which disguises data exfiltration as standard ViewState responses. * The multi-stage attack chain includes deploying tunneling tools and RATs, escalating privileges via credential dumping and token impersonation, and establishing persistence through service registration and account modifications. * Impacts specific Sitecore Experience products up to version 9.0 using static machine keys from pre-2017 documentation; immediate replacement, encryption, and regular rotation of these keys are critical mitigations.

A new campaign leverages a novel Terminal-based execution method to deploy a macOS stealer, effectively bypassing Gatekeeper and posing a significant threat to enterprise data. * This method tricks users into pasting malicious commands, enabling the stealer to establish persistence and exfiltrate a wide range of sensitive data. * The malware targets browser credentials, cryptocurrency wallets, Keychain items, and various personal and enterprise files. * Its sandbox evasion capabilities and broad data theft potential highlight the evolving risks for macOS environments. * Organizations must prioritize user education against social engineering and implement defense-in-depth strategies beyond built-in OS protections.

TAG-150 has expanded its toolkit with CastleRAT, a new multi-variant remote access trojan, demonstrating enhanced capabilities and sophisticated evasion techniques. - CastleRAT, available in Python and C, uses Steam Community profiles as dead drop resolvers for C2 and features advanced functions like keylogging and cryptocurrency clipping in its C variant. - Initial access is primarily via Cloudflare-themed phishing or fraudulent GitHub repositories, leading to CastleLoader deployment. - A .NET loader for CastleRAT employs UAC Prompt Bombing and Windows Defender exclusion loops, effectively bypassing security and trapping sandboxes. - The threat actor utilizes a multi-tiered C2 infrastructure, indicating persistent and adaptable operations.

A sophisticated spearphishing campaign targets corporate executives using trusted OneDrive document-sharing notifications to steal credentials. The attack leverages highly tailored emails impersonating internal HR communications, with subject lines referencing salary amendments to create urgency. The phishing emails and login pages are customized with recipient details, enhancing authenticity. Attackers use Amazon SES for email delivery, rotating among 80 domains to evade detection. Anti-detection techniques include embedding hidden characters and obfuscating trigger words in light and dark mode email renditions. Single-use phishing URLs self-destruct upon access, complicating incident response. The campaign's focus on C-level targets and trusted communication themes poses significant risks, requiring a blend of user awareness, technical controls, and proactive threat hunting for mitigation.

The Czech National Cyber and Information Security Agency (NÚKIB) issued a formal warning regarding products and services transferring user and system data to China, citing legal frameworks that compel data sharing with the state. * This data transfer enables remote administration and potential misuse by state interests, impacting national resilience beyond privacy concerns. * Chinese legal regulations, including National Security and Intelligence Laws, eliminate meaningful separation between private entities and state cyber operations. * Threat intelligence indicates a significant increase in intrusion activity and cloud targeting by Chinese operations. * The advisory highlights supply chain risks, as third-party dependencies can expose organizations to data theft and espionage.

A critical vulnerability (CVE-2025-55190) in Argo CD allows low-privileged API tokens to retrieve all associated repository credentials, bypassing isolation mechanisms. This flaw, rated CVSS 10.0, enables tokens with even basic 'get' permissions to access sensitive usernames and passwords. Exploitation can lead to cloning private codebases, injecting malicious manifests, and supply chain attacks. The vulnerability affects all Argo CD versions up to 2.13.0, impacting numerous large enterprises using it for mission-critical deployments. Administrators are urged to upgrade to patched versions (e.g., 3.1.2, 3.0.14, 2.14.16, 2.13.9) immediately.

A critical ABAP code injection vulnerability (CVE-2025-42957) in SAP S/4HANA and related products is actively exploited in the wild, enabling low-privileged users to achieve full system takeover. * Exploit development is trivial due to the ease of reverse engineering the patch and the open nature of ABAP code. * Successful exploitation allows for data theft, manipulation, privilege escalation, backdoor accounts, credential theft, and operational disruption. * Many systems remain unpatched despite the vendor fix, leaving them exposed to ongoing, albeit limited, attacks. * Immediate application of August 2025 Patch Day updates is critical for affected SAP S/4HANA, Landscape Transformation, Business One, and NetWeaver AS ABAP systems.

A proof-of-concept for AI-powered ransomware, initially mistaken for a real threat, demonstrates advanced capabilities for highly targeted and polymorphic attacks. * The AI system automates four attack phases: system mapping, identifying valuable files, generating customized Lua scripts, and crafting personalized ransom notes. * Its polymorphic nature and targeted approach make detection challenging, highlighting a significant evolution in ransomware capabilities. * The research leveraged large language models to generate attack components without jailbreaking, underscoring a potential misuse vector for AI. * While the PoC is not functional in the wild, it signals an imminent threat, urging defenders to prepare for AI-driven cyberattacks.

Bridgestone Americas confirmed a cyber incident impacting manufacturing operations across multiple North American facilities. * The incident caused operational disruptions at production facilities in the US (South Carolina) and Canada (Quebec). * The company claims rapid containment prevented customer data theft or deep network infiltration. * Mitigation efforts are underway to address potential supply chain disruption and product shortages. * The specific attack type is unconfirmed, but a 2022 LockBit ransomware incident is mentioned for context.

Threat actors are exploiting X's Grok AI to bypass link posting restrictions and spread malicious links, significantly amplifying the reach of malicious ads. Key findings include the use of hidden metadata fields to embed malicious links, which Grok then extracts and promotes, increasing the credibility and distribution of these links. The technique, dubbed 'Grokking,' has been found to be highly effective, with some malicious ads reaching millions of impressions. Potential solutions include scanning all fields for malicious links and implementing context sanitization for Grok to prevent it from blindly echoing links.

A cyberattack severely disrupted Jaguar Land Rover's global IT systems, forcing production halts and staff stand-downs. - The company proactively took systems offline to mitigate impact, while English-speaking cybercriminals claimed responsibility and alleged data exfiltration via Telegram. - This incident aligns with a trend of similar attacks on other high-profile British entities by English-speaking hackers, some of whom were previously arrested and bailed. - The Information Commissioner’s Office confirmed a data breach report, suggesting potential data compromise despite initial company statements.