Cyber Digests

No noise - cyber threat landscape

Researchers have demonstrated a novel AI-powered ransomware proof-of-concept that autonomously orchestrates attack lifecycles, highlighting significant future threats.

* This technique leverages large language models (LLMs) to dynamically synthesize polymorphic malicious code, adapting to environments for reconnaissance, payload generation, and personalized extortion without human intervention.
* The proof-of-concept evaded detection by major antivirus vendors, indicating the potential for sophisticated, hard-to-track attacks due to its polymorphic nature and varying telemetry.
* The findings underscore the ease with which LLMs can be co-opted for cybercriminal operations, posing unique detection challenges and raising concerns about the effectiveness of current AI safety features.

Latest mentioned: 09-05
Earliest mentioned: 09-03

A newly identified, China-aligned threat actor has compromised at least 65 Windows servers globally, deploying custom tools for both remote access and a novel SEO fraud-as-a-service scheme.

* The actor uses a passive C++ backdoor for command execution and a malicious native IIS module to manipulate Google search rankings for third-party gambling websites.
* Initial access likely leverages SQL injection, followed by privilege escalation via custom tools based on public exploits and deployment of webshells.
* Operational resilience is maintained through multiple backdoors, rogue administrator accounts, and legitimate remote access software, ensuring persistent access and diverse attack capabilities.

APT28 has deployed a new Outlook VBA backdoor, NotDoor, leveraging DLL sideloading and email-based command and control for covert operations.

* Initial access exploits a vulnerable, signed `OneDrive.exe` to sideload `SSPICLI.dll`, disabling Outlook macro security.
* NotDoor activates via incoming email trigger phrases, using encoded PowerShell for persistence and verifying infection via DNS to `webhook.site`.
* It exfiltrates encrypted data disguised as common files through Outlook, uploads payloads, executes commands, and removes traces, evading detection.
* Its use of trusted binaries and normal email flow bypasses perimeter defenses, requiring advanced endpoint and behavioral monitoring.

TAG-150 has expanded its toolkit with CastleRAT, a new multi-variant remote access trojan, demonstrating enhanced capabilities and sophisticated evasion techniques.

* CastleRAT, available in Python and C, uses Steam Community profiles as dead drop resolvers for C2 and features advanced functions like keylogging and cryptocurrency clipping in its C variant.
* Initial access is primarily via Cloudflare-themed phishing or fraudulent GitHub repositories, leading to CastleLoader deployment.
* A .NET loader for CastleRAT employs UAC Prompt Bombing and Windows Defender exclusion loops, effectively bypassing security and trapping sandboxes.
* The threat actor utilizes a multi-tiered C2 infrastructure, indicating persistent and adaptable operations.

Latest mentioned: 09-05
Earliest mentioned: 09-01

A Lazarus subgroup has been observed exploiting a suspected Chrome zero-day vulnerability to deploy three distinct RATs—PondRAT, ThemeForestRAT, and RemotePE—in a sophisticated campaign targeting financial and cryptocurrency firms. The group's advanced TTPs include social engineering via Telegram, credential harvesting, and the use of custom tools for reconnaissance. The attack chain involves social engineering, exploitation, discovery, and next-stage deployment, with the actor swapping simpler RATs for the more advanced RemotePE to maintain deeper access. Organizations should harden endpoint telemetry, monitor for phantom-DLL loading, inspect abnormal Windows Performance Monitor files, audit HTTP(S) traffic for anomalous patterns, and adopt multi-factor authentication to mitigate risks.

Latest mentioned: 09-05
Earliest mentioned: 09-02

North Korea-aligned threat actors are exploiting cyber threat intelligence platforms to enhance their phishing campaigns, primarily targeting cryptocurrency professionals for revenue generation.

* They leverage CTI platforms to track detection, scout new infrastructure, and improve operational security, marking a significant TTP adaptation.
* The group demonstrates high persistence and resilience, rapidly redeploying new systems to sustain victim engagement despite infrastructure takedowns.
* Operations involve team-based coordination and custom malware delivery systems (ContagiousDrop) that log victim details upon execution.
* Over 230 individuals, mainly in the cryptocurrency sector, were affected, underscoring the campaign's continuous success and global reach.

Latest mentioned: 09-05
Earliest mentioned: 09-04

A sophisticated, previously undetected malware campaign leveraging SVG files to impersonate the national justice system was uncovered, demonstrating advanced evasion techniques.

* Attackers embed JavaScript within SVG files to render convincing phishing lures and silently drop malicious ZIP archives.
* The campaign employs code obfuscation, polymorphism, and dummy code to evade traditional antivirus detection, with samples dating back to August 2025.
* Over 500 unique samples were identified, distributed primarily via email, showing payload evolution and adaptation.
* This activity highlights the persistent use of modern web formats for highly evasive, multi-stage attacks.

Latest mentioned: 09-05
Earliest mentioned: 09-04

A novel cryptojacking campaign exploits Windows' `charmap.exe` to evade detection and covertly mine cryptocurrency.

* The attack initiates via spear-phishing with a malicious shortcut, deploying a dropper that injects a custom miner directly into the legitimate Character Map process.
* This fileless injection technique bypasses traditional antivirus and behavior-based detection, operating stealthily in memory.
* Persistence is maintained through a scheduled task and DLL side-loading via `werfault.exe`.
* Victims experience severe system performance degradation and increased energy consumption, with significant impact on healthcare and education sectors.

Latest mentioned: 09-05
Earliest mentioned: 09-04

Acronis TRU details a surge in campaigns abusing ConnectWise ScreenConnect for multi-RAT deployment, targeting U.S. organizations with evolving, stealthy tactics.

* Malicious ClickOnce ScreenConnect installers fetch components at runtime, hindering traditional detection.
* Initial dual deployment of AsyncRAT and a custom PowerShell RAT evolved to include PureHVNC via WMI and process hollowing into trusted processes.
* Persistence shifted from noisy scheduled tasks to stealthier batch/VBS loaders and encoded .NET assemblies, showcasing high attacker adaptability.
* Attackers reuse preconfigured Windows Server 2022 VMs for rapid redeployment, gaining privileged access that mimics legitimate RMM.

Latest mentioned: 09-05
Earliest mentioned: 09-05

A new XWorm campaign demonstrates a significant evolution in deployment, shifting from simple scripts to sophisticated multi-stage, stealth-focused tactics.

* Initial access leverages malicious .lnk files via phishing, dropping a fake Discord executable that then deploys a heavily packed loader.
* The loader disables security tools, uses Nuitka and TLS callbacks for obfuscation, and drops the XWorm payload disguised as a core Windows system file (system32.exe).
* XWorm establishes persistence via scheduled tasks and registry entries, employs virtualization checks, modifies Windows Defender exclusions, and uses layered cryptography for C2 communication.

Latest mentioned: 09-05
Earliest mentioned: 09-04

The Salesloft Drift breach has a broader impact than initially reported, affecting all third-party integrations and compromising OAuth tokens for the 'Drift Email' integration. The FBI reveals that the Salt Typhoon campaign targeted over 80 countries, compromising telecommunication providers and exfiltrating call records. A cyberattack disrupted Nevada state government services, leading to the theft of personal information. Citrix patched a critical NetScaler zero-day vulnerability (CVE-2025-7775) with a CVSS score of 9.2.

A Russian state-sponsored group, linked to the FSB, is actively exploiting CVE-2018-0171 in end-of-life Cisco devices to target critical infrastructure globally, demonstrating persistent and widespread cyber operations.

* Recent activity involves leveraging CVE-2018-0171 for remote code execution against unpatched Cisco networking devices across U.S. critical infrastructure, telecommunications, higher education, and manufacturing sectors globally.
* This follows a decade of operations, including a 2012-2017 campaign against U.S. government and energy organizations, with specific individuals charged.
* The continued exploitation of this older vulnerability highlights the persistent risk from unpatched legacy systems to diverse global entities.

Latest mentioned: 09-05
Earliest mentioned: 09-04

Stealerium, an open-source infostealer, is seeing a resurgence in phishing campaigns due to its versatility and ease of modification.

* The malware's open-source nature has led to multiple variants, including Phantom Stealer and Warp Stealer, all grouped under the Stealerium family.
* Recent campaigns have targeted various sectors with diverse lures, including travel bookings and legal threats, exploiting fear and urgency.
* Stealerium's capabilities include credential theft, system reconnaissance, crypto theft, and sextortion, with advanced persistence and evasion techniques.

Latest mentioned: 09-05
Earliest mentioned: 09-03

A new Atomic macOS Stealer (AMOS) campaign demonstrates significant tactical adaptation by bypassing recent Apple security enhancements through novel terminal-based installation methods and "cracked" app lures.

* Threat actors shifted from traditional .dmg infections to instructing victims to copy/paste malicious commands into the terminal, effectively circumventing macOS Sequoia's enhanced Gatekeeper.
* The campaign leverages "cracked" versions of legitimate software from untrusted sites, employing frequent domain and URL rotation for download commands to evade detection.
* AMOS establishes persistence via a LaunchDaemon and exfiltrates a wide range of sensitive data, posing substantial downstream risks for victims.

Latest mentioned: 09-05
Earliest mentioned: 09-05

A sophisticated spearphishing campaign targets corporate executives using trusted OneDrive document-sharing notifications to steal credentials. The attack leverages highly tailored emails impersonating internal HR communications, with subject lines referencing salary amendments to create urgency. The phishing emails and login pages are customized with recipient details, enhancing authenticity. Attackers use Amazon SES for email delivery, rotating among 80 domains to evade detection. Anti-detection techniques include embedding hidden characters and obfuscating trigger words in light and dark mode email renditions. Single-use phishing URLs self-destruct upon access, complicating incident response. The campaign's focus on C-level targets and trusted communication themes poses significant risks, requiring a blend of user awareness, technical controls, and proactive threat hunting for mitigation.

Latest mentioned: 09-05
Earliest mentioned: 09-02

CISA has issued an urgent warning regarding the active exploitation of two critical vulnerabilities in popular TP-Link router models, posing significant risks to home and small business networks.

* The flaws, CVE-2025-9377 (OS command injection) and CVE-2023-50224 (authentication bypass), allow arbitrary command execution and credential access, respectively.
* Both vulnerabilities have been added to CISA's KEV catalog, with a mandatory remediation deadline for federal agencies.
* Many affected devices are End-of-Life, complicating patching and increasing long-term security risks for users.
* CISA strongly recommends immediate discontinuation of unsupported devices and applying vendor mitigations for others.

Latest mentioned: 09-05
Earliest mentioned: 09-03

CISA has issued an urgent alert regarding an actively exploited zero-day use-after-free vulnerability (CVE-2025-48543) in Android Runtime.

* This critical flaw enables attackers to escape the Chrome sandbox and achieve local privilege escalation on affected devices.
* Active exploitation presents a significant risk, potentially leading to full device control, data theft, or malicious software installation.
* Organizations and users must apply vendor patches and mitigations by September 25, 2025, to prevent unauthorized access and mitigate severe impact.

Latest mentioned: 09-05
Earliest mentioned: 09-03

A critical vulnerability (CVE-2025-55190) in Argo CD allows low-privileged API tokens to retrieve all associated repository credentials, bypassing isolation mechanisms. This flaw, rated CVSS 10.0, enables tokens with even basic 'get' permissions to access sensitive usernames and passwords. Exploitation can lead to cloning private codebases, injecting malicious manifests, and supply chain attacks. The vulnerability affects all Argo CD versions up to 2.13.0, impacting numerous large enterprises using it for mission-critical deployments. Administrators are urged to upgrade to patched versions (e.g., 3.1.2, 3.0.14, 2.14.16, 2.13.9) immediately.

Latest mentioned: 09-05
Earliest mentioned: 09-05

A critical ABAP code injection vulnerability (CVE-2025-42957) in SAP S/4HANA and related products is actively exploited in the wild, enabling low-privileged users to achieve full system takeover.

* Exploit development is trivial due to the ease of reverse engineering the patch and the open nature of ABAP code.
* Successful exploitation allows for data theft, manipulation, privilege escalation, backdoor accounts, credential theft, and operational disruption.
* Many systems remain unpatched despite the vendor fix, leaving them exposed to ongoing, albeit limited, attacks.
* Immediate application of August 2025 Patch Day updates is critical for affected SAP S/4HANA, Landscape Transformation, Business One, and NetWeaver AS ABAP systems.

Latest mentioned: 09-05
Earliest mentioned: 09-05

A lawsuit against an education software provider underscores the severe repercussions of a massive data breach, revealing multiple security failures, persistent data exploitation, and legal accountability.

* The incident involved three separate breaches of a customer support portal (August, September, December 2024), all exploiting the same compromised subcontractor credentials.
* Over 62 million students' and 9.5 million teachers' sensitive personal and medical data was exposed, leading to an initial ransom payment.
* Subsequent re-extortion attempts by an affiliate, impersonating a known threat group, targeted school districts using data from an earlier breach, highlighting persistent data monetization.
* The primary attacker for the December breach pleaded guilty, with the lawsuit emphasizing legal accountability for inadequate data protection.

Latest mentioned: 09-05
Earliest mentioned: 09-03

A global enforcement operation successfully dismantled Streameast, identified as the world's largest illicit live sports streaming network, culminating in arrests and asset seizures.

* The network amassed over 1.6 billion visits across 80 domains within a year, offering a vast array of premium sports content.
* Investigators linked the operation to a UAE-based shell company that laundered over $6 million in advertising revenue.
* The takedown highlights the effectiveness of international collaboration in combating large-scale digital piracy and its financial infrastructure.
* Experts warn of the persistent threat of piracy re-emergence due to sustained demand for free content.

Latest mentioned: 09-05
Earliest mentioned: 09-03

Bridgestone Americas confirmed a cyber incident impacting manufacturing operations across multiple North American facilities.

* The incident caused operational disruptions at production facilities in the US (South Carolina) and Canada (Quebec).
* The company claims rapid containment prevented customer data theft or deep network infiltration.
* Mitigation efforts are underway to address potential supply chain disruption and product shortages.
* The specific attack type is unconfirmed, but a 2022 LockBit ransomware incident is mentioned for context.

Latest mentioned: 09-05
Earliest mentioned: 09-04

Threat actors are exploiting X's Grok AI to bypass link posting restrictions and spread malicious links, significantly amplifying the reach of malicious ads. Key findings include the use of hidden metadata fields to embed malicious links, which Grok then extracts and promotes, increasing the credibility and distribution of these links. The technique, dubbed 'Grokking,' has been found to be highly effective, with some malicious ads reaching millions of impressions. Potential solutions include scanning all fields for malicious links and implementing context sanitization for Grok to prevent it from blindly echoing links.

Latest mentioned: 09-05
Earliest mentioned: 09-03

A recent breach involving Salesforce and Salesloft's Drift integration has impacted multiple security firms. Notable aspects include the exploitation of third-party integrations, highlighting the risks associated with supply chain vulnerabilities. The breach underscores the need for enhanced security measures in third-party services and the importance of continuous monitoring for unauthorized access. Practical implications include the potential for widespread data exposure and the necessity for robust incident response plans.

Latest mentioned: 09-05
Earliest mentioned: 09-03

Unauthorized TLS certificates issued for Cloudflare's 1.1.1.1 DNS service pose a significant risk to user privacy. The certificates, issued by Fina RDC 2020, could enable adversary-in-the-middle attacks, exposing users' browsing histories. Only Windows and Edge users were at risk due to the trust chain. Cloudflare and Microsoft are taking steps to mitigate the issue, but the incident underscores vulnerabilities in the internet's public key infrastructure and the need for improved certificate transparency.

Latest mentioned: 09-05
Earliest mentioned: 09-04