Cyber Digests

No noise - cyber threat landscape

The first AI-powered ransomware prototype, developed by NYU scientists and independently detected by ESET, leverages Large Language Models (LLMs) for autonomous attack planning and execution.
* This proof-of-concept demonstrates a significant evolution in ransomware capabilities, enabling operations that adapt and execute themselves without operator input.
* Its emergence highlights the potential for AI to automate and enhance cyber threats, signaling a new era of sophisticated attacks.
* ESET's detection, made without knowledge of the prototype's origin, underscores the practical feasibility and impending nature of such advanced threats.

Latest mentioned: 09-05
Earliest mentioned: 09-04

GhostRedirector, a new China-aligned threat actor, is compromising Windows servers globally for SEO fraud-as-a-service using novel tools and IIS module abuse.
* They deploy a C++ backdoor and a malicious IIS module (Gamshen) that silently manipulates search results to boost gambling platforms.
* Gamshen does not directly harm visitors but damages the host's reputation by associating it with illicit SEO practices.
* Persistence and privilege escalation are achieved via known exploits and new account creation.
* Active since August 2024, this campaign targets diverse sectors and geographies, demonstrating subtle abuse of legitimate web server infrastructure.

Active exploitation of CVE-2025-53690 in ASP.NET machine key configurations has been observed, leading to remote code execution and unauthorized access. The vulnerability affects older Sitecore deployments relying on publicly exposed machine keys. Attackers leveraged ViewState deserialization to deploy reconnaissance tools and establish persistence. Mitigations include rotating and encrypting machine keys and restricting access to web.config files.

A sophisticated, previously undetected malware campaign leveraging SVG files to impersonate the national justice system was uncovered, demonstrating advanced evasion techniques.
* Attackers embed JavaScript within SVG files to render convincing phishing lures and silently drop malicious ZIP archives.
* The campaign employs code obfuscation, polymorphism, and dummy code to evade traditional antivirus detection, with samples dating back to August 2025.
* Over 500 unique samples were identified, distributed primarily via email, showing payload evolution and adaptation.
* This activity highlights the persistent use of modern web formats for highly evasive, multi-stage attacks.

Latest mentioned: 09-05
Earliest mentioned: 09-04

The Lazarus Group has expanded its malware arsenal with PondRAT, ThemeForestRAT, and RemotePE, targeting the DeFi sector. Notable developments include:
- A social engineering campaign leveraging Telegram and fake websites to deploy PerfhLoader, which drops PondRAT.
- Use of a then-zero-day Chrome exploit for initial access.
- Sequential deployment of PondRAT, ThemeForestRAT, and RemotePE, indicating a multi-stage attack strategy.
- ThemeForestRAT's similarities to RomeoGolf, used in the 2014 SPE attack, suggest a reuse of old tactics.

Latest mentioned: 09-05
Earliest mentioned: 09-01

TAG-150 has escalated attacks, deploying new proprietary malware and leveraging a sophisticated, multi-tiered infrastructure. The actor introduced CastleRAT, a remote access trojan with Python and advanced C variants featuring keylogging, screen capture, and file manipulation. Its four-tier infrastructure incorporates VPS intermediaries, RDP, Tox for potential affiliate communication, and a UDP-based backup layer. Initial access relies on Cloudflare-themed phishing and bogus GitHub repositories, achieving a 29% infection rate among engaged users. Future activity may include enhanced evasion techniques and potential Malware-as-a-Service offerings.

Latest mentioned: 09-05
Earliest mentioned: 09-05

Acronis TRU details a surge in campaigns abusing ConnectWise ScreenConnect for multi-RAT deployment, targeting U.S. organizations with evolving, stealthy tactics.
* Malicious ClickOnce ScreenConnect installers fetch components at runtime, hindering traditional detection.
* Initial dual deployment of AsyncRAT and a custom PowerShell RAT evolved to include PureHVNC via WMI and process hollowing into trusted processes.
* Persistence shifted from noisy scheduled tasks to stealthier batch/VBS loaders and encoded .NET assemblies, showcasing high attacker adaptability.
* Attackers reuse preconfigured Windows Server 2022 VMs for rapid redeployment, gaining privileged access that mimics legitimate RMM.

Latest mentioned: 09-05
Earliest mentioned: 09-05

A novel cryptojacking campaign exploits Windows' `charmap.exe` to evade detection and covertly mine cryptocurrency.
* The attack initiates via spear-phishing with a malicious shortcut, deploying a dropper that injects a custom miner directly into the legitimate Character Map process.
* This fileless injection technique bypasses traditional antivirus and behavior-based detection, operating stealthily in memory.
* Persistence is maintained through a scheduled task and DLL side-loading via `werfault.exe`.
* Victims experience severe system performance degradation and increased energy consumption, with significant impact on healthcare and education sectors.

Latest mentioned: 09-05
Earliest mentioned: 09-04

A new campaign leverages a novel Terminal-based execution method to deploy a macOS stealer, effectively bypassing Gatekeeper and posing a significant threat to enterprise data.
* This method tricks users into pasting malicious commands, enabling the stealer to establish persistence and exfiltrate a wide range of sensitive data.
* The malware targets browser credentials, cryptocurrency wallets, Keychain items, and various personal and enterprise files.
* Its sandbox evasion capabilities and broad data theft potential highlight the evolving risks for macOS environments.
* Organizations must prioritize user education against social engineering and implement defense-in-depth strategies beyond built-in OS protections.

Latest mentioned: 09-06
Earliest mentioned: 09-05

A sophisticated spearphishing campaign targets corporate executives using trusted OneDrive document-sharing notifications to steal credentials. The attack leverages highly tailored emails impersonating internal HR communications, with subject lines referencing salary amendments to create urgency. The phishing emails and login pages are customized with recipient details, enhancing authenticity. Attackers use Amazon SES for email delivery, rotating among 80 domains to evade detection. Anti-detection techniques include embedding hidden characters and obfuscating trigger words in light and dark mode email renditions. Single-use phishing URLs self-destruct upon access, complicating incident response. The campaign's focus on C-level targets and trusted communication themes poses significant risks, requiring a blend of user awareness, technical controls, and proactive threat hunting for mitigation.

Latest mentioned: 09-05
Earliest mentioned: 09-02

CISA has issued an urgent warning regarding the active exploitation of two critical vulnerabilities in popular TP-Link router models, posing significant risks to home and small business networks.
* The flaws, CVE-2025-9377 (OS command injection) and CVE-2023-50224 (authentication bypass), allow arbitrary command execution and credential access, respectively.
* Both vulnerabilities are added to CISA's KEV catalog, with a mandatory remediation deadline for federal agencies.
* Many affected devices are End-of-Life, complicating patching and increasing long-term security risks for users.
* CISA strongly recommends immediate discontinuation of unsupported devices and applying vendor mitigations for others.

CISA has issued an urgent alert regarding an actively exploited zero-day use-after-free vulnerability (CVE-2025-48543) in Android Runtime.
* This critical flaw enables attackers to escape the Chrome sandbox and achieve local privilege escalation on affected devices.
* Active exploitation presents a significant risk, potentially leading to full device control, data theft, or malicious software installation.
* Organizations and users must apply vendor patches and mitigations by September 25, 2025, to prevent unauthorized access and mitigate severe impact.

Latest mentioned: 09-05
Earliest mentioned: 09-03

A critical vulnerability (CVE-2025-55190) in Argo CD allows low-privileged API tokens to retrieve all associated repository credentials, bypassing isolation mechanisms. This flaw, rated CVSS 10.0, enables tokens with even basic 'get' permissions to access sensitive usernames and passwords. Exploitation can lead to cloning private codebases, injecting malicious manifests, and supply chain attacks. The vulnerability affects all Argo CD versions up to 2.13.0, impacting numerous large enterprises using it for mission-critical deployments. Administrators are urged to upgrade to patched versions (e.g., 3.1.2, 3.0.14, 2.14.16, 2.13.9) immediately.

Latest mentioned: 09-05
Earliest mentioned: 09-05

A critical ABAP code injection vulnerability (CVE-2025-42957) in SAP S/4HANA and related products is actively exploited in the wild, enabling low-privileged users to achieve full system takeover.
* Exploit development is trivial due to the ease of reverse engineering the patch and the open nature of ABAP code.
* Successful exploitation allows for data theft, manipulation, privilege escalation, backdoor accounts, credential theft, and operational disruption.
* Many systems remain unpatched despite the vendor fix, leaving them exposed to ongoing, albeit limited, attacks.
* Immediate application of August 2025 Patch Day updates is critical for affected SAP S/4HANA, Landscape Transformation, Business One, and NetWeaver AS ABAP systems.

A lawsuit against an education software provider underscores the severe repercussions of a massive data breach, revealing multiple security failures, persistent data exploitation, and legal accountability.
* The incident involved three separate breaches of a customer support portal (August, September, December 2024), all exploiting the same compromised subcontractor credentials.
* Over 62 million students' and 9.5 million teachers' sensitive personal and medical data was exposed, leading to an initial ransom payment.
* Subsequent re-extortion attempts by an affiliate, impersonating a known threat group, targeted school districts using data from an earlier breach, highlighting persistent data monetization.
* The primary attacker for the December breach pleaded guilty, with the lawsuit emphasizing legal accountability for inadequate data protection.

Latest mentioned: 09-05
Earliest mentioned: 09-03

A global enforcement operation successfully dismantled Streameast, identified as the world's largest illicit live sports streaming network, culminating in arrests and asset seizures.
* The network amassed over 1.6 billion visits across 80 domains within a year, offering a vast array of premium sports content.
* Investigators linked the operation to a UAE-based shell company that laundered over $6 million in advertising revenue.
* The takedown highlights the effectiveness of international collaboration in combating large-scale digital piracy and its financial infrastructure.
* Experts warn of the persistent threat of piracy re-emergence due to sustained demand for free content.

Latest mentioned: 09-05
Earliest mentioned: 09-03

A proof-of-concept for AI-powered ransomware, initially mistaken for a real threat, demonstrates advanced capabilities for highly targeted and polymorphic attacks.
* The AI system automates four attack phases: system mapping, identifying valuable files, generating customized Lua scripts, and crafting personalized ransom notes.
* Its polymorphic nature and targeted approach make detection challenging, highlighting a significant evolution in ransomware capabilities.
* The research leveraged large language models to generate attack components without jailbreaking, underscoring a potential misuse vector for AI.
* While the PoC is not functional in the wild, it signals an imminent threat, urging defenders to prepare for AI-driven cyberattacks.

Latest mentioned: 09-05
Earliest mentioned: 09-03

Bridgestone Americas confirmed a cyber incident impacting manufacturing operations across multiple North American facilities.
* The incident caused operational disruptions at production facilities in the US (South Carolina) and Canada (Quebec).
* The company claims rapid containment prevented customer data theft or deep network infiltration.
* Mitigation efforts are underway to address potential supply chain disruption and product shortages.
* The specific attack type is unconfirmed, but a 2022 LockBit ransomware incident is mentioned for context.

Threat actors are exploiting X's Grok AI to bypass link posting restrictions and spread malicious links, significantly amplifying the reach of malicious ads. Key findings include the use of hidden metadata fields to embed malicious links, which Grok then extracts and promotes, increasing the credibility and distribution of these links. The technique, dubbed 'Grokking,' has been found to be highly effective, with some malicious ads reaching millions of impressions. Potential solutions include scanning all fields for malicious links and implementing context sanitization for Grok to prevent it from blindly echoing links.

Latest mentioned: 09-05
Earliest mentioned: 09-03

A recent breach involving Salesforce and Salesloft's Drift integration has impacted multiple security firms. Notable aspects include the exploitation of third-party integrations, highlighting the risks associated with supply chain vulnerabilities. The breach underscores the need for enhanced security measures in third-party services and the importance of continuous monitoring for unauthorized access. Practical implications include the potential for widespread data exposure and the necessity for robust incident response plans.

Latest mentioned: 09-05
Earliest mentioned: 09-03