Security Signals (10/07/25-10/21/25)

Welcome to your biweekly digest of curated cybersecurity intelligence.

Every two weeks, we bring you expert insights and handpicked articles covering the latest threats, threat actor activity, vulnerabilities, incident trends, and defensive strategies. Whether you’re on the front lines or shaping your organization’s security posture, Security Signals delivers the information you need to stay informed and ready.

For more articles, check out our #onpatrol4malware blog.

Turn Insights Into Action with Free Threat Intel

Security Signals gives you the insights and our Risk Indicators OSINT feeds help you apply them.

This Edition’s Articles

In these late October 2025 cyber threat reports, global research teams uncovered an active mix of espionage, phishing, and data-theft operations. Highlights this period include North Korea’s EtherHiding and Contagious Interview campaigns, new exploits such as the Oracle EBS zero-day, COLDRIVER and Lazarus-linked attacks, and mobile threats like Pixnapping targeting Android users. Together, these findings reveal how rapidly evolving malware, cloud intrusions, and supply-chain compromises continue to test defenders’ visibility and response.

An Insider Look At The IRGC-linked APT35 Operations: Ep1 & Ep2

Source: CloudSEK
(Published: 7 October 2025)
CloudSEK’s TRIAD team analyzed the available evidence and reconstructed recent APT35 operations across two episodes of our series. Read more.


Attacker says they breached Huawei, source code sold online

Source: Cybernews
(Published: 7 October 2025)
A hacker claims to have stolen Huawei’s internal source code and sold it on an underground cybercriminal forum. Read more.


Oops! It’s a kernel stack use-after-free: Exploiting NVIDIA’s GPU Linux drivers

Source: Quarkslab
(Published: 14 October 2025)
This article details two bugs in NVIDIA’s GPU kernel driver vmalloc handling that can be chained to gain code execution in kernel context. Read more.


BombShell: The Signed Backdoor Hiding in Plain Sight on Framework Devices

Source: Eclypsium
(Published: 14 October 2025)
UEFI shell vulnerabilities allow attackers to bypass Secure Boot. Read more.


DPRK Adopts EtherHiding: Nation-State Malware Hiding on Blockchains

Source: Google Cloud Blog
(Published: 16 October 2025)
Google Threat Intelligence Group (GTIG) has observed a new malware delivery technique, EtherHiding, appearing in DPRK-linked activity. Read more.


BeaverTail and OtterCookie evolve with a new Javascript module

Source: Cisco Talos Blog
(Published: 16 October 2025)
Cisco Talos has uncovered a new attack linked to Famous Chollima, a threat group aligned with North Korea (DPRK). Read more.


Odyssey Stealer and AMOS Campaign Targets macOS Developers Through Fake Tools

Source: Hunt
(Published: 16 October 2025)
In recent months, our threat hunting team has observed a surge in macOS-targeted campaigns employing new social engineering tactics and persistent infrastructure. Read more.


New Group on the Block: UNC5142 Leverages EtherHiding to Distribute Malware

Source: Google Cloud Blog
(Published: 16 October 2025)
Since late 2023, UNC5142 has leveraged EtherHiding infrastructure to deliver malicious payloads and obfuscate attribution. Read more.


Joint Intel Strike – DeepCode × AMLBot Trace “1688shuju,” a Darknet Seller of Verified Exchange Numbers

Source: AMLBot
(Published: 17 October 2025)
On 22 August 2025, the DeepCode intelligence team identified a darknet marketplace listing by the actor “1688shuju” offering large batches of verified phone numbers tied to major cryptocurrency exchanges. Read more.


Email Bombs Exploit Lax Authentication in Zendesk

Source: Krebs on Security
(Published: 17 October 2025)
Cybercriminals are abusing a widespread lack of authentication in the customer service platform Zendesk to flood targeted email inboxes with menacing messages that come from hundreds of Zendesk corporate customers simultaneously. Read more.


Tykit Analysis: New Phishing Kit Stealing Hundreds of Microsoft Accounts in Finance

Source: ANY.RUN
(Published: 21 October 2025)
Not long ago we reported a spike in phishing attacks that use an SVG file as the delivery vector. Read more.


To Be (A Robot) or Not to Be: New Malware Attributed to Russia State-Sponsored COLDRIVER

Source: Google Cloud Blog
(Published: 21 October 2025)
COLDRIVER, a Russian state-sponsored threat group known for targeting high profile individuals in NGOs, policy advisors and dissidents, swiftly shifted operations after the May 2025 public disclosure of its LOSTKEYS malware. Read more.


Red Hat data breach escalates as ShinyHunters joins extortion

Source: BleepingComputer
(Published: 6 October 2025)
Enterprise software giant Red Hat is now being extorted by the ShinyHunters gang, with samples of stolen customer engagement reports (CERs) leaked on their data leak site. Read more.


OpenAI has disrupted (more) Chinese accounts using ChatGPT to create social media surveillance tools

Source: Engadget
(Published: 7 October 2025)
OpenAI published a new threat report and banned additional China-linked accounts that used ChatGPT to design social media surveillance tools. Read more.


Maverick: Android banking trojan distributing via WhatsApp

Source: Securelist
(Published: 8 October 2025)
A malware campaign was recently detected distributing various versions of the Android banking trojan called ‘Maverick’ via WhatsApp. Read more.


Phishing campaign leveraging the npm ecosystem

Source: Snyk
(Published: 9 October 2025)
We have uncovered a large-scale phishing campaign abusing the npm ecosystem to deliver malware to developers through typosquatted packages and malicious maintainers. Read more.


Harvard University hit in Oracle EBS cyberattack, 1.3 TB of data leaked by Cl0p group

Source: Security Affairs
(Published: 10 October 2025)
Harvard University was hit in a cyberattack exploiting a zero-day in Oracle E-Business Suite (EBS), with the Cl0p ransomware gang leaking 1.3 TB of data. Read more.


PhantomVAI Loader Delivers a Range of Infostealers

Source: Unit 42 (Palo Alto Networks)
(Published: 15 October 2025)
Unit 42 researchers have been tracking phishing campaigns that use PhantomVAI Loader to deliver information-stealing malware through a multi-stage, evasive infection chain. Read more.


Pro-Hamas hackers breach B.C. and U.S. airport display systems

Source: Juno News
(Published: 15 October 2025)
A pro-Hamas Islamist group has taken credit for a series of cyberattacks at two B.C. airports and others in the U.S. Read more.


PassiveNeuron: campaign with APT implants and Cobalt Strike

Source: Securelist
(Published: 17 October 2025)
The PassiveNeuron (also known as ‘Evernight’) cyber espionage campaign relies on a broad arsenal of tools, including clusters of implants, Cobalt Strike, and modern living-off-the-land strategies. Read more.


SIMCartel operation: Europol takes down SIM box ring linked to 3,200 scams

Source: Security Affairs
(Published: 18 October 2025)
Europol has taken down a multi-country SIM boxing ring dubbed ‘SIMCartel,’ dismantling infrastructure linked to more than 3,200 scams. Read more.


F5 breach exposes 262,000 BIG-IP systems worldwide

Source: Security Affairs
(Published: 19 October 2025)
Security firm F5 disclosed a breach exposing telemetry data from 262,000 Big-IP systems worldwide after attackers accessed a support platform. Read more.


Russian Lynk group leaks sensitive UK MoD files, including info on eight military bases

Source: Security Affairs
(Published: 20 October 2025)
The Russian hacktivist group Lynk leaked sensitive UK Ministry of Defence files, including details on eight military bases. Read more.


Salty Much: Darktrace’s view on a recent Salt Typhoon intrusion

Source: Darktrace
(Published: 20 October 2025)
Salt Typhoon, a China-linked cyber espionage group, has been observed targeting global infrastructure using stealthy techniques such as DLL sideloading and zero-day exploits. Read more.


Disrupting threats targeting Microsoft Teams

Source: Microsoft Security Blog
(Published: 7 October 2025)
The extensive collaboration features and global adoption of Microsoft Teams make it a high-value target for both cybercriminals and state-sponsored actors. Read more.


Crimson Collective: A New Threat Group Observed Operating in the Cloud

Source: Rapid7 Labs
(Published: 7 October 2025)
Over the past few weeks, Rapid7 has observed increased activity of a new threat group attacking AWS cloud environments with the goal of data exfiltration and subsequent extortion. Read more.


Pixel-stealing “Pixnapping” attack targets Android devices

Source: Malwarebytes
(Published: 14 October 2025)
Researchers at US universities have demonstrated how a malicious Android app can trick the system into leaking pixel data. Read more.


Retro Phishing: Basic Auth URLs Make a Comeback in Japan

Source: Netcraft
(Published: 15 October 2025)
Netcraft recently uncovered a suspicious URL targeting GMO Aozora Bank, a Japanese financial institution. Read more.


Inside the attack chain: Threat activity targeting Azure Blob Storage

Source: Microsoft Security Blog
(Published: 20 October 2025)
Azure Blob Storage is a high-value target for threat actors due to its critical role in storing and managing massive amounts of unstructured data at scale. Read more.


North Korea’s Contagious Interview Campaign Escalates: 338 Malicious npm Packages, 50,000 Downloads

Source: Socket
(Published: 10 October 2025)
The Contagious Interview operation continues to weaponize the npm registry with a repeatable playbook. Read more.


Espionage Exposed: Inside a North Korean Remote Worker Network

Source: KELA
(Published: 10 October 2025)
Thousands of North Korean IT workers are hiding in plain sight, blending into the global freelance economy, building your apps, or even designing your infrastructure. Read more.


Microsoft revamps Internet Explorer Mode in Edge after August attacks

Source: Security Affairs
(Published: 13 October 2025)
Microsoft has revamped the Internet Explorer (IE) mode in the Edge browser to fix an issue that threat actors exploited for attacks in August 2025. Read more.


TigerJack’s Extensions Continue to Rob Developers Blind Across Different Marketplaces

Source: Koi
(Published: 13 October 2025)
Meet TigerJack – a threat actor we’ve been tracking since early 2025, who has systematically infiltrated developer marketplaces with at least 11 malicious VS Code extensions across multiple publisher accounts. Read more.


Oracle silently fixes zero-day exploit leaked by ShinyHunters

Source: BleepingComputer
(Published: 14 October 2025)
Oracle has silently fixed an Oracle E-Business Suite vulnerability (CVE-2025-61884) that was actively exploited to breach servers, with a proof-of-concept exploit publicly leaked by the ShinyHunters extortion group. Read more.


Want more articles? Check out the previous edition of Security Signals here. 


Security Signals (09/23/25-10/7/25)


This Edition’s Articles

Late September to early October 2025 cybersec news: Oracle, Red Hat, Cisco and Discord! High-profile corporate breaches and exploited vulnerabilities, persistent APT campaigns, and novel malware variants dominated the threat landscape. Enterprise vendors patched critical flaws, ransomware crews refined their tactics, and state-linked actors expanded their global reach, all underscoring the need for continuous vigilance.


YiBackdoor: A New Malware Family With Links to IcedID and Latrodectus

Source: Zscaler
(Published: 23 September 2025)
Zscaler ThreatLabz has identified a new malware family that we named YiBackdoor, which was first observed in June 2025. Read more.


Lazarus Group: A Criminal Syndicate With a Flag

Source: Barracuda
(Published: 23 September 2025)
The Lazarus Group is a notorious state-sponsored cybercrime organization linked to the Democratic People’s Republic of Korea (DPRK). Read more.


Fighting Telecom Cyberattacks: Investigating a Campaign Against UK Companies

Source: ANY.RUN
(Published: 24 September 2025)
Telecommunications companies are the digital arteries of modern civilization. Read more.


ED 25-03: Identify and Mitigate Potential Compromise of Cisco Devices

Source: Cybersecurity and Infrastructure Security Agency (CISA)
(Published: 25 September 2025)
This page contains a web-friendly version of CISA Emergency Directive 25-03: Identify and Mitigate Potential Compromise of Cisco Devices. Read more.


Smash and Grab: Aggressive Akira Campaign Targets SonicWall VPNs, Deploys Ransomware in an Hour or Less

Source: Arctic Wolf
(Published: 26 September 2025)
Since late July 2025, Arctic Wolf has observed an ongoing surge in Akira ransomware activity targeting SonicWall firewalls through malicious SSL VPN logins. Read more.


Cavalry Werewolf raids Russia’s public sector with trusted relationship attacks

Source: BI.ZONE
(Published: 2 October 2025)
BI.ZONE Threat Intelligence recorded Cavalry Werewolf activity from May to August 2025. Read more.


CERT-UA warns UAC-0245 targets Ukraine with CABINETRAT backdoor

Source: Security Affairs
(Published: 2 October 2025)
The Computer Emergency Response Team of Ukraine (CERT-UA) warned of cyberattacks by the group UAC-0245 using the CABINETRAT backdoor. Read more.


Update on a Security Incident Involving Third-Party Customer Service

Source: Discord
(Published: 3 October 2025)
At Discord, protecting the privacy and security of our users is a top priority. Read more.


Palo Alto Scanning Surges ~500% in 48 Hours, Marking 90-Day High

Source: GreyNoise
(Published: 3 October 2025)
On October 3, 2025, GreyNoise observed a ~500% increase in IPs scanning Palo Alto Networks login portals, the highest level recorded in the past 90 days. Read more.


Lunar Spider Expands Their Web via FakeCaptcha

Source: NVISO Labs
(Published: 1 October 2025)
Lunar Spider is increasingly using phishing kits disguised as CAPTCHA widgets to drive credential theft. Read more.


Silent Smishing: The Hidden Abuse of Cellular Router APIs

Source: SEKOIA
(Published: 2 October 2025)
Attackers are increasingly exploiting APIs in cellular routers to perform silent smishing without user awareness. Read more.


UAT-8099: Chinese-Speaking Cybercrime Group SEO Fraud Campaign

Source: Talos
(Published: 3 October 2025)
Talos has observed a campaign dubbed UAT-8099 in which a Chinese-speaking threat group uses SEO-fraud techniques to drive traffic to malicious sites. Read more.


Detour Dog DNS Malware Powers Strela Stealer Campaigns

Source: Infoblox Threat Intelligence
(Published: 3 October 2025)
A new DNS-based malware loader named Detour Dog is being used to deliver Strela Stealer in targeted attacks. Read more.


BrickStorm: New Espionage Campaign Targeting Cloud Assets

Source: Google Cloud Blog
(Published: 4 October 2025)
BrickStorm is a newly uncovered espionage campaign that targets cloud infrastructure with credential harvesting and lateral movement. Read more.


UNC6040: Proactive Hardening Recommendations

Source: Google Cloud Blog
(Published: 5 October 2025)
The UNC6040 cluster has been active in recent months; here are recommended proactive hardening steps to reduce exposure. Read more.


Inside Vietnamese Threat Actor “Lone None’s” Copyright Takedown Spoofing Campaign

Source: Cofense
(Published: 6 October 2025)
A Vietnamese threat actor dubbed “Lone None” has been using fraudulent copyright takedown notices to trick companies into redirecting their domains. Read more.


Raytheon Confirms Ransomware Attack on Airline Check-In Systems

Source: CyberInsider
(Published: 7 October 2025)
Raytheon Technologies has publicly acknowledged a ransomware intrusion into airline check-in infrastructure. Read more.


BreachStars Emerges as BreachForums Replacement Marketplace

Source: CyberNews
(Published: 7 October 2025)
BreachStars is positioning itself as a successor to the shuttered BreachForums, offering data-leak marketplace services. Read more.


NIST Warns of Flawed DeepSeek: Security CCP Narratives

Source: CyberNews
(Published: 4 October 2025)
The U.S. National Institute of Standards and Technology (NIST) has flagged flaws in DeepSeek that may amplify CCP information narratives. Read more.


Inside Salt Typhoon: China’s State-Corporate Advanced Persistent Threat

Source: DomainTools Investigations (DTI)
(Published: 24 September 2025)
Salt Typhoon is a Chinese state-sponsored cyber threat group aligned with the Ministry of State Security (MSS), specializing in long-term espionage operations targeting global telecommunications infrastructure. Read more.


Better Analyzing Foreign Adversary Threats to Open-Source Software

Source: Margin Research
(Published: 30 September 2025)
Global contributions to open-source software (OSS) add tremendous value: for years, they have forged connections between developers around the world, enabled dispersed and specialized talent to build better software for users, and collectively helped ensure that OSS remains available, updated, and relevant for users everywhere. Read more.


TradingView Scam Expands to Google Ads & YouTube

Source: HackRead
(Published: 26 September 2025)
A malicious advertising campaign that has been tricking content creators and unsuspecting users into downloading harmful software by offering “free access” to TradingView Premium has dramatically expanded its operations. Read more.


Operation SouthNet: SideWinder Expands Phishing & Malware in South Asia

Source: Hunt.io
(Published: 1 October 2025)
APT SideWinder, a highly active state-sponsored threat group known for its long-standing espionage campaigns across South Asia, has once again launched a targeted operation. Read more.


Breakingdown of Patchwork APT

Source: K7 Labs
(Published: October 2025)
It enforces the use of TLS 1.2 to ensure secure, encrypted transmission and sends the POST request containing the encoded victim data to the C2. Read more.


Patchwork APT Exploits Macros & Scheduled Tasks for Stealthy C2/Exfil

Source: Varutra / ThreatPost
(Published: 1 October 2025)
Patchwork (aka Dropping Elephant/Monsoon/Hangover Group) is an APT active since at least 2015 targeting political and military intelligence across South and Southeast Asia. Read more.


Phantom Taurus: A New Chinese Nexus APT and the Discovery of the NET-STAR Malware Suite

Source: Unit 42 / Palo Alto Networks
(Published: 30 September 2025)
After a two-and-a-half-year investigation, Palo Alto Networks Unit 42 has formally named a sophisticated, Chinese nation-state actor: Phantom Taurus. Read more.


DrayTek warns of remote code execution bug in Vigor routers

Source: BleepingComputer
(Published: 2 October 2025)
Networking hardware maker DrayTek released an advisory to warn about a security vulnerability in several Vigor router models that could allow unauthenticated actors to perform arbitrary code execution. Read more.


Oracle patches EBS zero-day exploited in Clop data theft attacks

Source: BleepingComputer
(Published: 3 October 2025)
Oracle has released emergency patches for a zero-day vulnerability in its EBS software suite that was being actively exploited by Clop ransomware actors in data theft campaigns. Read more.


Klopatra: Exposing a new Android banking Trojan operation with roots in Turkey

Source: Cleafy Labs
(Published: 30 September 2025)
A previously undocumented Android banking trojan called Klopatra has compromised over 3,000 devices, leveraging hidden VNC and overlay techniques to conduct fraudulent transactions. Read more.


Yurei Ransomware: The Digital Ghost

Source: Cyfirma
(Published: 1 October 2025)
The Yurei ransomware is unique in its modular architecture and stealthy data-exfiltration staging ahead of encryption. Read more.


Revisiting WarmCookie: Memory-Based Cookie Abuse Techniques

Source: Elastic Security Labs
(Published: 2 October 2025)
Elastic’s security labs analyzed “WarmCookie,” a technique that abuses in-memory cookie structures to facilitate stealthy session hijacking. Read more.


USD 439 Million Recovered in Global Financial Crime Operation

Source: INTERPOL
(Published: 2 October 2025)
INTERPOL announced the recovery of USD 439 million following coordinated takedowns of transnational financial crime networks. Read more.


Red Hat confirms major data breach

Source: The Cyber Security Hub / LinkedIn
(Published: 3 October 2025)
Red Hat has acknowledged a data breach affecting its infrastructure, exposing internal systems and potentially impacting enterprise customers. Read more.


XCSSET evolves again: analyzing the latest updates to XCSSET’s inventory

Source: Microsoft Security Blog
(Published: 25 September 2025)
Microsoft details the latest evolutions of the XCSSET iOS/macOS malware family, tracking new features and command modules. Read more.


Persistent malicious targeting of Cisco devices

Source: UK National Cyber Security Centre (NCSC)
(Published: 4 October 2025)
The UK NCSC warns of ongoing campaigns targeting Cisco network gear, including VPNs and switches, seeking to exploit known vulnerabilities. Read more.


RedNovember targets government, defense, and technology organizations

Source: Recorded Future
(Published: 4 October 2025)
The RedNovember campaign focuses on intelligence collection, using custom backdoors to infiltrate national governments and defense contractors. Read more.


LameHug: AI-Driven Malware & LLM Cyber Intrusion Analysis

Source: Splunk Security Blog
(Published: 4 October 2025)
Splunk researchers explore “LameHug,” a proof-of-concept malware that uses large language models to adapt actions based on environment feedback. Read more.


Self-propagating malware spreads via WhatsApp

Source: Trend Micro Research
(Published: 5 October 2025)
A new self-propagating worm exploits WhatsApp forwarding mechanics to spread, bypassing typical app store oversight. Read more.


US Secret Service blocks massive telecom attack in New York

Source: Trustwave SpiderLabs Blog
(Published: 5 October 2025)
The U.S. Secret Service intervened to disrupt a large-scale telecom infrastructure attack in New York orchestrated by a state-aligned actor. Read more.


Salesforce leak, extortion attempts tied to Scattered / Lapsus Hunters

Source: UpGuard Blog
(Published: 6 October 2025)
UpGuard discloses a data leak and ongoing extortion campaign from the group “Scattered / Lapsus Hunters,” with exposed Salesforce credentials circulating online. Read more.


Security Signals (09/09/25 – 09/23/25)


This Edition’s Articles

Analysis of Backdoor.WIN32.Buterat

Source: Point Wild
(Published: 9 September 2025)
Backdoor malware is a covert type of malicious software designed to bypass standard authentication mechanisms and provide persistent, unauthorized access to compromised systems. Read more.


Threat Actor Accidentally Exposes AI-Powered Operations

Source: Infosecurity Magazine
(Published: 9 September 2025)
A threat actor has unintentionally revealed their methods and day-to-day activities after installing Huntress security software on their own environment. Read more.


AsyncRAT in Action: Fileless Malware Techniques and Analysis of a Remote Access Trojan

Source: LevelBlue
(Published: 10 September 2025)
Fileless malware continues to evade modern defenses due to its stealthy nature and reliance on legitimate system tools for execution. Read more.


New FileFix Campaign Goes Beyond PoC and Leverages Steganography

Source: Acronis / Tru
(Published: 10 September 2025)
Acronis Threat Research has observed a new FileFix campaign that uses steganographic embedding of payloads to evade detection. Read more.


Uncloaking TA415: China-Aligned Actor Conducts US-China Economic Relations Attacks

Source: Proofpoint
(Published: 11 September 2025)
Proofpoint has published findings on TA415, a China-aligned threat actor, revealing operations targeting US–China economic relations. Read more.


Threat Spotlight: ShinyHunters Data Breach Targets Salesforce Amid Scattered Spider Collaboration

Source: ReliaQuest
(Published: 11 September 2025)
ReliaQuest has observed a coordinated campaign where ShinyHunters collaborated with Scattered Spider to breach Salesforce environments. Read more.


Yurei & The Ghost of Open Source Ransomware

Source: Check Point Research
(Published: 12 September 2025)
First observed on September 5, Yurei is a newly emerged ransomware group that targeted a Sri Lankan food manufacturing company as its first leaked victim. Read more.


Modified ZLoader Variants & Updates Analyzed

Source: Zscaler
(Published: 15 September 2025)
Zscaler ThreatLabz has published new technical findings on recent updates and modifications to the ZLoader malware family. Read more.


Supporting Rowhammer Research to Understand Vulnerabilities in Memory Hardware

Source: Google Security Blog
(Published: 16 September 2025)
Google researchers detail new findings on Rowhammer and how fundamental memory hardware vulnerabilities can be further studied. Read more.


EggStreme Malware: Unpacking a New APT Framework Targeting a Philippine Military Company

Source: Bitdefender
(Published: 17 September 2025)
This report analyzes a sophisticated cyber-attack targeting a military company based in the Philippines, which led to the discovery of a new and advanced malware toolset. Read more.


HIVE0154 Drops Updated ToneShell Backdoor

Source: IBM X-Force
(Published: 17 September 2025)
IBM X-Force has uncovered HIVE0154, a threat actor deploying updated ToneShell backdoor variants in the wild. Read more.


ShadowV2: An Emerging DDoS-for-Hire Botnet

Source: Darktrace
(Published: 18 September 2025)
Darktrace reports on ShadowV2, a botnet-as-a-service model built for DDoS operations and evolving evasion tactics. Read more.


How Attackers Abuse ScreenConnect and Open Directories (AsyncRAT Campaigns Uncovered)

Source: Hunt.io
(Published: 18 September 2025)
Research shows how attackers are abusing ScreenConnect installers hosted in open directories to deliver AsyncRAT payloads. Read more.


Modus Operandi of “Subtle Snail” Threat Group

Source: Prodaft / Catalyst
(Published: 19 September 2025)
Prodaft’s Catalyst team describes the TTPs, infrastructure, and attack cycles of the Subtle Snail threat group. Read more.


Inside China’s Surveillance and Propaganda Industries: Where Profit Meets Party

Source: The Diplomat
(Published: 21 September 2025)
The Diplomat explores how China monetizes surveillance and propaganda within its media, tech, and security sectors. Read more.


Cybersecurity Incident at European Airports Caused by Ransomware

Source: SCWorld
(Published: 22 September 2025)
Several European airports have reported system outages traced to a ransomware attack affecting operational systems. Read more.


MalTerminal: An LLM-Enabled Malware Pioneer Exposed

Source: SecurityAffairs
(Published: 23 September 2025)
SecurityAffairs researchers have published a deep dive on MalTerminal, a new malware leveraging large language models to aid operators. Read more.


Technical Analysis of kkRAT

Source: Zscaler (ThreatLabz)
(Published: 10 September 2025)
Zscaler ThreatLabz has identified a malware campaign targeting Chinese-speaking users, active since early May 2025. Read more.


ChillyHell – a modular macOS backdoor

Source: Jamf Threat Labs
(Published: 8 September 2025)
During routine sample analysis, Jamf Threat Labs discovered a macOS backdoor showing a distinctive approach to process reconnaissance. Read more.


Uncloaking VoidProxy: a Novel and Evasive Phishing-as-a-Service Framework

Source: Okta Security
(Published: 11 September 2025)
Okta Threat Intelligence details a previously unreported Phishing-as-a-Service operation dubbed VoidProxy. Read more.


Introducing HybridPetya: Petya/NotPetya copycat with UEFI Secure Boot bypass

Source: ESET / WeLiveSecurity
(Published: 12 September 2025)
ESET Research has discovered HybridPetya on VirusTotal, showing traits reminiscent of Petya/NotPetya with a Secure Boot bypass. Read more.


Inside Maranhão Stealer: Node.js-Powered InfoStealer

Source: Cyble
(Published: 15 September 2025)
Cyble Research & Intelligence Labs detail a Node.js-based infostealer leveraging reflective DLL injection techniques. Read more.


Dark Web Profile: BQTLock Ransomware

Source: SOCRadar
(Published: 12 September 2025)
BQTLock is a RaaS that has drawn attention for disruptive operations and distinctive methods. Read more.


Threat Spotlight: Attackers Exploit Axios for Automated Phishing

Source: ReliaQuest
(Published: 9 September 2025)
ReliaQuest observed surges in stolen credentials linked to mass-automated phishing using the Axios user agent. Read more.


Going Underground: China-Aligned TA415 Conducts US-China Economic Relations Operations

Source: Proofpoint
(Published: 11 September 2025)
Proofpoint details TA415 campaigns aligned to US-China economic relations themes. Read more.


Threat Spotlight: ShinyHunters Data Breach Targets Salesforce Amid Scattered Spider Collaboration

Source: ReliaQuest
(Published: 11 September 2025)
ReliaQuest reports ShinyHunters collaborating with Scattered Spider against Salesforce targets. Read more.


China-Linked APT41 Hackers Target US Government Agencies

Source: The Hacker News
(Published: 12 September 2025)
APT41, a China-linked group, has been observed targeting US agencies through credential theft and phishing. Read more.


KILLSEC Ransomware Is Attacking Healthcare Institutions in Brazil

Source: ReSecurity
(Published: 12 September 2025)
ReSecurity tracks KILLSEC ransomware activity against Brazilian healthcare institutions. Read more.


In-Depth Analysis of the “APT Down” – The North Korea Files Leak

Source: ENKI
(Published: September 2025)
ENKI provides an in-depth analysis related to the so-called North Korea Files leak, examining potential APT ties. Read more.


Inside the Lighthouse and Lucid PhaaS Campaigns Targeting 316 Global Brands

Source: Netcraft
(Published: 17 September 2025)
Netcraft examines Lighthouse and Lucid phishing-as-a-service operations observed targeting hundreds of brands worldwide. Read more.



Security Signals (08/26/25 – 09/09/25)


This Edition’s Articles

Countering China State Actors Compromise of Networks

Source: U.S. Department of Defense
(Published: September 2025)
People’s Republic of China (PRC) state-sponsored cyber threat actors are targeting networks globally, including, but not limited to, telecommunications, government, transportation, lodging, and military infrastructure networks.
Read more.


Widespread Data Theft Targets Salesforce Instances via Salesloft Drift

Source: Google Cloud Blog
(Published: 26 August 2025)
Google Threat Intelligence Group is issuing an advisory to alert organizations about a widespread data theft campaign carried out by the actor tracked as UNC6395. Read more.


Velociraptor incident response tool abused for remote access

Source: Sophos News
(Published: 26 August 2025)
In August 2025, Counter Threat Unit researchers investigated an intrusion that involved deployment of the legitimate open-source Velociraptor digital forensics and incident response tool. Read more.


Breaking Down Mustang Panda Windows Endpoint Campaign

Source: Picus Security
(Published: 26 August 2025)
Researchers detail a Mustang Panda campaign that targets Windows endpoints with phishing and DLL sideloading to gain persistence. Read more.


TAG-144’s Persistent Grip On South American Organizations

Source: Recorded Future
(Published: 26 August 2025)
Insikt Group assesses that TAG-144 continues persistent intrusions in South America using credential theft and backdoors. Read more.


Malvertising Campaign On Meta Expands To A Wider Target Base, Pushing Advanced Crypto-Stealing Malware To Users Worldwide

Source: Bitdefender Labs
(Published: 26 August 2025)
Bitdefender observed a global malvertising wave across Meta platforms that delivers advanced crypto-stealing malware. Read more.


Storm-0501’s evolving techniques lead to cloud-based ransomware

Source: Microsoft Security Blog
(Published: 27 August 2025)
Microsoft Threat Intelligence has observed financially motivated threat actor Storm-0501 continuously evolving their campaigns to focus on cloud-based tactics, techniques, and procedures. Read more.


AI-Powered Ransomware Has Arrived With ‘PromptLock’

Source: Dark Reading
(Published: 27 August 2025)
It was probably inevitable – analysts have spotted the first known ransomware strain powered by artificial intelligence. Read more.


Tamperedchef – The Bad PDF Editor

Source: Truesec
(Published: 27 August 2025)
Truesec describes a large malvertising campaign luring victims into downloading a trojanized PDF editor that steals data. Read more.


MystRodX: A Covert Dual-Mode Backdoor

Source: XLab
(Published: 27 August 2025)
MystRodX is a typical backdoor implemented in C++, supporting features like file management, port forwarding, reverse shell, and socket management.
Read more.


Malicious ScreenConnect Campaign Abuses AI-Themed Lures For XWorm Delivery

Source: Trustwave SpiderLabs
(Published: 27 August 2025)
Investigators uncovered a campaign that used fake AI content to trick users into running a preconfigured ScreenConnect installer that dropped XWorm. Read more.


From Threat To Test: Emulating Scattered Spider In Realistic Scenarios

Source: Lares Labs
(Published: 27 August 2025)
Read more.


ShadowSilk: A Cross-Border Binary Union For Data Theft

Source: Group-IB
(Published: 27 August 2025)
Read more.


Chasing the Silver Fox: Cat & Mouse in Kernel Shadows

Source: Check Point Research
(Published: 28 August 2025)
While Microsoft Windows has steadily strengthened its security model, threat actors have adapted by exploiting lower-level weaknesses that bypass these protections without triggering defenses. Read more.


Amazon disrupts watering hole campaign by Russia’s APT29

Source: AWS Security Blog
(Published: 29 August 2025)
Amazon’s threat intelligence team identified and disrupted a watering hole campaign conducted by APT29 using compromised websites to redirect visitors to malicious infrastructure. Read more.


How Attackers Adapt To Built-In macOS Protection

Source: Securelist (Kaspersky)
(Published: 29 August 2025)
Read more.


Sindoor Dropper – New Phishing Campaign

Source: Nextron Systems
(Published: 29 August 2025)
Nextron documents a new phishing wave that delivers a lightweight dropper dubbed Sindoor. Read more.


Experts Warn Of Actively Exploited FreePBX Zero-Day

Source: Security Affairs
(Published: 29 August 2025)
Researchers warn that a FreePBX zero-day is being exploited in the wild against Internet-exposed systems. Read more.


Hackers Use New HexStrike AI Tool To Rapidly Exploit N-Day Flaws

Source: BleepingComputer
(Published: 29 August 2025)
Threat actors are adopting an AI tool named HexStrike to accelerate exploitation of known vulnerabilities. Read more.


Salesloft Drift Breach: GitHub Compromise and OAuth Tokens

Source: Hackread
(Published: 07 September 2025)
Heard about the recent data breaches where attackers used the Salesloft Drift application to access Salesforce data? There’s now a major update. Read more.


Feds Seize Veriftools.net, Relaunch Veriftools.com

Source: Hackread
(Published: 31 August 2025)
U.S. authorities seized Veriftools.net and the operators relaunched the service at a new domain. Read more.


WhatsApp Fixes A Serious Vulnerability Used In Targeted Attacks

Source: BetaNews
(Published: 01 September 2025)
WhatsApp patched a high severity flaw that was reportedly used in targeted attacks. Read more.


Three Lazarus RATs Coming For Your Cheese

Source: Fox-IT
(Published: 01 September 2025)
Fox-IT describes three Lazarus remote access trojans and their tooling used against organizations. Read more.


RapperBot: From Infection to DDoS in a Split Second

Source: Bitsight
(Published: 02 September 2025)
It was just another day at the office – a routine observation led to an investigation into RapperBot activity that quickly escalated from infection to DDoS. Read more.


Predators for Hire: A Global Overview of Commercial Surveillance Vendors

Source: Sekoia.io Blog
(Published: 02 September 2025)
Between November 2023 and July 2024, the Russia-nexus intrusion set APT29 was observed using exploits similar to those used by commercial surveillance vendors, particularly Intellexa’s Predator spyware. Read more.


Google Salesforce Breach: A Deep Dive Into The Chain And Extent Of The Compromise

Source: Seqrite
(Published: 02 September 2025)
The blog analyzes how UNC6040 used vishing and OAuth app abuse to access Google’s Salesforce instance and exfiltrate data. Read more.


Not Safe For Work: Tracking And Investigating Stealerium And Phantom Infostealers

Source: Proofpoint
(Published: 03 September 2025)
Proofpoint tracks Stealerium and Phantom operations and shares techniques, tooling, and indicators. Read more.


Analyzing NotDoor: Inside APT28’s Expanding Arsenal

Source: LAB52 (S2 Grupo)
(Published: 03 September 2025)
LAB52 identified a new Outlook backdoor attributed to APT28 that can monitor for trigger words and exfiltrate data while executing attacker commands. Read more.


Interview #7 Cyber Toufan

Source: deepdarkCTI
(Published: 03 September 2025)
Read more.


Cato CTRL Threat Research: Threat Actors Abuse Simplified AI to Steal Microsoft 365 Credentials

Source: Cato Networks
(Published: 04 September 2025)
AI marketing platforms have exploded in popularity, becoming everyday tools for creative teams in enterprises worldwide. Read more.


GhostRedirector poisons Windows servers: Backdoors with a side of Potatoes

Source: ESET WeLiveSecurity
(Published: 04 September 2025)
ESET researchers identified a new threat actor, GhostRedirector, that compromised at least 65 Windows servers mainly in Brazil, Thailand, and Vietnam. Read more.


Operation BarrelFire: NoisyBear targets entities linked to Kazakhstan’s Oil & Gas Sector

Source: Seqrite
(Published: 04 September 2025)
Seqrite Labs APT-Team has been tracking a new threat group since April 2025 that we track as Noisy Bear, targeting entities in Central Asia’s energy sector. Read more.


Threat Actors Impersonate Microsoft Teams To Deliver Odyssey macOS Stealer Via Clickfix

Source: CloudSEK
(Published: 05 September 2025)
CloudSEK describes a fake Microsoft Teams download site that executes a base64 AppleScript to install the Odyssey macOS stealer. Read more.


Salt Typhoon 2025

Source: Silent Push
(Published: 08 September 2025)
Silent Push has identified dozens of previously unreported domains, all aiming to obtain long-term, stealthy access to targeted organizations, used by the Chinese APT group, Salt Typhoon.
Read more.


Scattered Lapsus Hunters Leak Google Fire Experts Data

Source: Hackread
(Published: 04 September 2025)
Scattered Lapsus$ Hunters threaten Google, demanding that two security experts, one from Google’s Threat Intelligence Group and the other from Mandiant, be fired or they will leak alleged stolen Google data.
Read more.


Unmasking The Gentlemen Ransomware: Tactics, Techniques, And Procedures

Source: Trend Micro Research
(Published: 09 September 2025)
Trend Micro profiles the Gentlemen ransomware group, highlighting environment-specific evasion and abuse of legitimate tools. Read more.


Blurring The Lines: Intrusion Shows Connection With Three Major Ransomware Gangs

Source: RedPacket Security
(Published: 09 September 2025)
A DFIR case links tooling and artifacts across Play, Ransomhub, and DragonForce ransomware activity. Read more.


Pondering My Orb: A Look at PolarEdge Adjacent Infrastructure

Source: Censys
(Published: 28 August 2025)
We explore several services and certificates that frequently accompany verified PolarEdge botnet certificates.
Read more.


TinyLoader Malware Cryptocurrency Theft Infrastructure

Source: Hunt.io
(Published: 02 September 2025)
Malware loaders have become a common part of today’s cybercrime operations because they give attackers a reliable way to get into systems and then bring in whatever tools they need.
Read more.


Unveiling a Python Stealer: Inf0s3c Stealer

Source: Cyfirma
(Published: 29 August 2025)
Cyfirma’s threat intelligence assessment reveals Inf0s3c Stealer, a Python-based grabber designed to collect system information and user data.
Read more.


Unmasked: Salat Stealer – A Deep Dive into its Advanced Persistence Mechanisms and C2 Infrastructure

Source: Cyfirma
(Published: 05 September 2025)
CYFIRMA has identified Salat Stealer (also known as WEB_RAT), a sophisticated Go-based infostealer targeting Windows systems.
Read more.


Operation Hankook: Phantom North Korean APT37 Targeting South Korea

Source: Seqrite
(Published: 29 August 2025)
Seqrite Lab has uncovered a campaign in which threat actors are leveraging the (National Intelligence Research Society Newsletter – Issue 52) as a decoy document to lure victims.
Read more.


Suspicious Domain Activity Targeting 2026 FIFA World Cup Tournament

Source: Bfore.ai
(Published: August 2025)
In the lead-up to major global events, cybercriminals are quick to launch fraudulent schemes like fake websites and counterfeit online stores.
Read more.


Scattered Spider Overview

Source: Lares Labs
(Published: 27 August 2025)
At Lares, we specialize in threat simulation and adversarial collaboration with our clients, replicating the tactics, techniques, and procedures (TTPs) observed in the latest cybercriminal groups.
Read more.


Want more articles? Check out the previous edition of Security Signals here. Want to dive deeper into DDoS attacks? Check out the Malware Patrol blog post: Spoofed DDoS Attacks and BCP 38.


Security Signals (08/12/25 – 08/26/25)



This Edition’s Articles

Coordinated Brute Force Campaign Targets Fortinet SSL VPNs

Source: GreyNoise
(Published: 12 August 2025)
On August 3, 2025 GreyNoise observed a significant spike in brute-force traffic targeting Fortinet SSL VPNs. Read more.


Persistent Risk: XZ Utils Backdoor Still Lurking in Docker Images

Source: Binarly
(Published: 12 August 2025)
In this blog we share a new finding in the XZ Utils saga: several Docker images built around the time of the compromise contain the backdoor. Read more.


Malvertising campaign leads to PS1Bot, a multi-stage malware framework

Source: Cisco Talos
(Published: 12 August 2025)
Cisco Talos has observed an ongoing malware campaign that seeks to infect victims with a multi-stage malware framework implemented in PowerShell and C#. Read more.


Threat Bulletin: Fire in the Woods – A New Variant of FireWood

Source: Intezer
(Published: 13 August 2025)
FireWood is a Linux backdoor discovered by ESET’s research team. Read more.


‘Blue Locker’ Analysis: Ransomware Targeting Oil and Gas Sector in Pakistan

Source: Resecurity
(Published: 14 August 2025)
This ransomware attack targeted a major enterprise in Pakistan’s oil and gas sector around the country’s Independence Day. Read more.


PhantomCard: New NFC-driven Android malware emerging in Brazil

Source: ThreatFabric
(Published: 14 August 2025)
We introduce PhantomCard, a new Android NFC-based trojan targeting banking customers in Brazil and potentially expanding globally. Read more.


CISA Warns of Attacks Exploiting N-able Vulnerabilities

Source: SecurityWeek
(Published: 14 August 2025)
CISA reported becoming aware of attacks exploiting CVE-2025-8875 and CVE-2025-8876 in N-able N-central on the day they were patched. Read more.


Ghost-Tapping and the Chinese Cybercriminal Retail Fraud Ecosystem

Source: Recorded Future
(Published: 14 August 2025)
We observed criminals buying and selling stolen goods on Telegram marketplaces such as Huione Guarantee and Xinbi Guarantee. Read more.


Cisco Discloses Critical RCE Flaw in Firewall Management Software

Source: Infosecurity Magazine
(Published: 15 August 2025)
Cisco revealed a critical RCE flaw tracked as CVE-2025-20265 and urged customers to apply software updates. Read more.


BlackMatter Ransomware Overview

Source: ANY.RUN
(Published: 18 August 2025)
BlackMatter is a fast-moving ransomware strain that encrypts local and network data, disables recovery mechanisms, and forces organizations to negotiate. Read more.


Apache ActiveMQ attackers patch critical vuln after breaking in

Source: The Register
(Published: 19 August 2025)
Criminals exploiting a critical ActiveMQ vulnerability fixed the flaw post-intrusion to help hide persistence on Linux servers. Read more.


Oregon Man Charged with Administering “Rapper Bot” DDoS-for-Hire Botnet

Source: U.S. Department of Justice (USAO-AK)
(Published: 19 August 2025)
An Oregon man was charged in Alaska for allegedly developing and administering the “Rapper Bot” DDoS-for-hire botnet. Read more.


New Research Links VPN Apps, Highlights Security Deficiencies

Source: SecurityWeek
(Published: 19 August 2025)
Citizen Lab identified links between multiple VPN providers and found multiple weaknesses in their mobile apps. Read more.


A Cereal Offender: Analyzing the CORNFLAKE.V3 Backdoor

Source: Google Cloud Blog (Threat Intelligence)
(Published: 20 August 2025)
Mandiant detailed a campaign where a downloader delivers CORNFLAKE.V3 malware as part of financially motivated operations. Read more.


Your Connection, Their Cash: Threat Actors Misuse SDKs to Sell Your Bandwidth

Source: Unit 42 (Palo Alto Networks)
(Published: 21 August 2025)
Unit 42 observed attackers exploiting CVE-2024-36401 to deploy SDKs or modified apps that monetize victims’ bandwidth via network sharing. Read more.


Fake macOS help sites push Shamos infostealer via ClickFix technique

Source: Help Net Security
(Published: 25 August 2025)
Criminals are tricking macOS users into running commands that install the Shamos infostealer, using a social engineering tactic known as ClickFix. Read more.


Want more articles? Check out the previous edition of Security Signals here.


Security Signals (07/29/25 – 08/12/25)



This Edition’s Articles

Adversary Intel: From APTs to Ransomware Groups

ShinyHunters Tactics Now Mirror Scattered Spider
Source: DARK READING
Recent cyber incidents reveal patterns in timing, shared infrastructure, and similar targets. This suggests a coordinated approach, combining ShinyHunters’ data theft with Scattered Spider’s social engineering. Read more.

Unmasking SocGholish: Silent Push Untangles the Malware Web Behind the “Pioneer of Fake Updates” and Its Operator, TA569
Source: SILENT PUSH
SocGholish, managed by TA569, acts as a Malware-as-a-Service provider, selling access to compromised systems. Their main method is fake browser update pop-ups, delivered via JavaScript on hacked sites. Read more.

Attack Surface Watch: Exploring Digital Risks

New Win-DDoS Flaws Let Attackers Turn Public Domain Controllers into DDoS Botnet via RPC, LDAP
Source: The Hacker News
SafeBreach researchers have found a new attack method, Win-DDoS, that could use thousands of public domain controllers to build a botnet for DDoS attacks. Read more.

Over 29,000 Exchange servers unpatched against high-severity flaw
Source: BLEEPING COMPUTER
More than 29,000 Exchange servers are still unpatched for CVE-2025-53786, a flaw that lets attackers move from on-premises servers into the Microsoft cloud environment and take over domains. Read more.

WinRAR zero-day exploited to plant malware on archive extraction
Source: BLEEPING COMPUTER
A recently fixed WinRAR vulnerability (CVE-2025-8088) was used in phishing attacks to install RomCom malware. The bug allowed files to be extracted to any folder chosen by attackers. Read more.

Incident Radar: Breaches & Attacks

‘Chairmen’ of $100 million scam operation extradited to US
Source: BLEEPING COMPUTER
The U.S. Department of Justice charged four Ghanaian nationals for their roles in a $100M fraud ring involving romance scams and business email compromise. The suspects, extradited from Ghana, allegedly targeted U.S. companies and individuals from 2016 to 2023. Read more.

Threat Lab: Malware & Attack Analysis Deep Dive

CastleLoader
Source: PolySwarm
CastleLoader is a malware loader that has infected 469 devices since May 2025. It uses Cloudflare-themed ClickFix phishing and fake GitHub links to deliver info stealers and RATs. Read more.

Wave of 150 crypto-draining extensions hits Firefox add-on store
Source: BLEEPING COMPUTER
A campaign named ‘GreedyBear’ has targeted Firefox users with 150 fake extensions on the Mozilla add-ons store. These copy well-known crypto wallets like MetaMask and TronLink, stealing over $1,000,000. Read more.

SCENE 1: SoupDealer – Technical Analysis of a Stealth Java Loader Used in Phishing Campaigns Targeting Türkiye
Source: Malwation
A recent malware bypassed almost every public sandbox and antivirus, except Threat.Zone, and even evaded EDR/XDR in real-world incidents. Many banks, ISPs, and organizations were impacted. Read more.

Makop Ransomware Identified in Attacks in South Korea
Source: ASEC
ASEC has identified Makop ransomware attacks targeting South Korean users. The ransomware is spread through fake resumes, copyright emails, and now uses RDP for attacks. Read more.

Want more articles? Check out the previous edition of Security Signals here.


InfoSec Articles (07/01/25 – 07/15/25)


Welcome to our biweekly cybersecurity roundup. In these blog posts, we feature curated articles and insights from experts, providing you with valuable information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, our biweekly blog post is designed to keep you informed and empowered.


Behind the Clouds: Attackers Targeting Governments in Southeast Asia Implement Novel Covert C2 Communication

Source: Unit 42

Researchers discovered HazyBeacon, a sophisticated backdoor targeting government agencies in Southeast Asia. Read more.

Octalyn Stealer Unmasked

Source: CYFIRMA

The Octalyn Forensic Toolkit on GitHub is presented as a research tool but functions as a credential stealer. Built with C++ and Delphi, it uses Telegram for command and control and persists via Windows startup. Read more.

Google Gemini flaw hijacks email summaries for phishing

Source: BLEEPING COMPUTER

Google Gemini for Workspace has a newly discovered vulnerability. Attackers can embed hidden instructions in emails that manipulate Gemini’s summary generation, potentially directing users to phishing sites. Read more.

Dark Web Profile: Arkana Ransomware

Source: SOCRadar

Arkana Ransomware made headlines attacking WOW! internet provider in March 2025. Linked to Qilin Ransomware network, they disguise extortion as “post-penetration testing services.” Read more.

Likely Belarus-Nexus Threat Actor Delivers Downloader to Poland

Source: BLEEPING COMPUTER

The FrostyNeighbor threat group (UNC1151), attributed to Belarus, is actively targeting Eastern European nations with malicious CHM files. Read more.

295 Malicious IPs Launch Coordinated Brute-Force Attacks on Apache Tomcat Manager

Source: The Hacker News

Researchers discovered 295 malicious IP addresses launching coordinated brute-force attacks against Apache Tomcat Manager interfaces worldwide. Read more.

Hackers are exploiting critical RCE flaw in Wing FTP Server

Source: BLEEPING COMPUTER

Wing FTP Server vulnerability is being actively exploited by threat actors. This flaw allows remote code execution with full system privileges without authentication. Read more.

macOS.ZuRu Resurfaces | Modified Khepri C2 Hides Inside Doctored Termius App

Source: SentinelOne

macOS.ZuRu malware hides in fake versions of popular apps like iTerm2 and Remote Desktop. Hackers trick users through poisoned search results. Read more.

GreyNoise Identifies New Scraper Botnet Concentrated in Taiwan

Source: GreyNoise

A scraper botnet variant has been identified with the user-agent “Hello-World/1.0”. Researchers are tracking it through unique behavioral patterns. Read more.

Count(er) Strike – Data Inference Vulnerability in ServiceNow

Source: Varonis

Researchers discovered a critical ServiceNow vulnerability dubbed “Count(er) Strike” that could expose sensitive data across hundreds of tables. It required only basic user access to exploit. Read more.


Security Signals (07/15/25 – 07/29/25)



This Edition’s Articles

Adversary Intel: From APTs to Ransomware Groups

China-linked group Fire Ant exploits VMware and F5 flaws since early 2025
Source: Security Affairs
Fire Ant, a China-linked cyber group, is exploiting VMware and F5 vulnerabilities to access secure, segmented networks, according to Sygnia. They have targeted VMware ESXi and vCenter, using layered attacks to reach restricted systems. Read more.

Scattered Spider is running a VMware ESXi hacking spree
Source: BLEEPING COMPUTER
Scattered Spider hackers are targeting VMware ESXi hypervisors at U.S. companies in retail, airline, transportation, and insurance. They use social engineering, not software flaws, to bypass security. Read more.

Unmasking the new Chaos RaaS group attacks
Source: Cisco Talos
Cisco Talos IR recently observed Chaos, a new ransomware-as-a-service group, targeting businesses with spam, social engineering, and remote tools. Their attacks use fast, selective encryption and anti-analysis methods, making detection and recovery difficult. Read more.

Attack Surface Watch: Exploring Digital Risks

ToolShell: An all-you-can-eat buffet for threat actors
Source: We Live Security
Microsoft has confirmed that ToolShell, a set of zero-day vulnerabilities (CVE-2025-53770 & CVE-2025-53771), is being used to attack on-premises SharePoint servers. These attacks can let hackers access restricted systems and steal data. Read more.

Organizations Warned of Exploited PaperCut Flaw
Source: Security Week
CISA has warned about a security vulnerability (CVE-2023-2533) in PaperCut NG and MF print management products. This issue lets attackers change security settings or run code remotely. Read more.

Incident Radar: Breaches & Attacks

Microsoft probing whether cyber alert tipped off Chinese hackers
Source: The Straits Times
Microsoft is looking into whether a leak from its early alert system allowed hackers to exploit SharePoint flaws before they were fixed. The system is meant to help cyber-security experts fix issues early, but it may have led to global problems. Read more.

US Targets North Korea’s Illicit Funds: $15M Rewards Offered as American Woman Jailed in IT Worker Scam
Source: Security Week
An Arizona woman was sentenced for helping North Korean IT workers get jobs at over 300 US companies using stolen identities. She ran a laptop farm at home, helping generate $17M in illegal revenue. Read more.

Amazon AI coding agent hacked to inject data wiping commands
Source: BLEEPING COMPUTER
A hacker planted data-wiping code in the Amazon Q Developer Extension for Visual Studio Code. This free AI-powered tool, with nearly 1M installs, helps developers code and debug. Read more.

Threat Lab: Malware & Attack Analysis Deep Dive

RAVEN STEALER UNMASKED: Telegram-Based Data Exfiltration
Source: Cyfirma
Raven Stealer is a lightweight malware that targets browsers like Chrome and Edge, stealing passwords, cookies, and payment info. It uses Telegram bots for data theft and is easy for attackers to use. Read more.

Oyster Backdoor: The Malvertising Menace Masquerading as Popular Tools
Source: CyberProof
CyberProof Threat Researchers found an OysterBackdoor infection in July 2025. Attackers used a fake Putty installer, but the backdoor was blocked before any harm. This blog shares technical details about the files seen in this attack. Read more.

InfoSec Articles (06/17/25 – 07/01/25)



Crypto Operation Using Fake Investment Platforms Dismantled in Spain

Source: Bitdefender

Spain’s Guardia Civil, in collaboration with Europol and other global law enforcement agencies, has arrested five individuals suspected of laundering hundreds of millions of euros through cryptocurrency scams that have affected over 5,000 victims worldwide. Read more.

New FileFix attack runs JScript while bypassing Windows MoTW alerts

Source: BLEEPING COMPUTER

A new FileFix attack, created by security researcher mr.d0x, exploits browser handling of saved HTML files to bypass Windows’ MoTW protection, tricking victims into executing a disguised PowerShell command via a phishing page. Read more.

Chrome Zero-Day CVE-2025-6554 Under Active Attack — Google Issues Security Update

Source: The Hacker News

Google has issued security updates to address a zero-day vulnerability, CVE-2025-6554, currently being exploited in the wild, characterized as a type confusion flaw in the V8 JavaScript and WebAssembly engine. Read more.

Godfather Evolves With Advanced On-Device Virtualization Capabilities

Source: PolySwarm

Godfather malware exploits Android’s Accessibility Service to capture detailed tap events and screen information, targeting around 484 applications with commands sent through a Base64-encoded C2 server. Read more.

Bluetooth flaws could let hackers spy through your microphone

Source: BLEEPING COMPUTER

Recent vulnerabilities in a Bluetooth chipset affect 29 audio devices from brands like Beyerdynamic, Bose, and Sony, potentially allowing for eavesdropping or data theft. Read more.

Taking the shine off BreachForums

Source: SOPHOS

French authorities have reported the arrest of four members of the ShinyHunters (also known as ShinyCorp) cybercriminal group across various regions in France for their involvement in cybercrime activities and the underground forum BreachForums. Read more.

GIFTEDCROOK Malware Evolves: From Browser Stealer to Intelligence-Gathering Tool

Source: The Hacker News

The threat actor behind the GIFTEDCROOK malware has upgraded it from a simple browser data stealer to a sophisticated intelligence-gathering tool. Read more.

Evidence Suggests Exploitation of CitrixBleed 2 Vulnerability

Source: SECURITY WEEK

The Citrix NetScaler vulnerability, known as CitrixBleed 2 and tracked as CVE-2025-5777, might be exploited in real-world scenarios, as indicated by cybersecurity firm ReliaQuest. Read more.

Microsoft 365 Direct Send Abused for Phishing

Source: SECURITY WEEK

Varonis has identified a phishing campaign exploiting Microsoft 365 Direct Send, which allows attackers to send spoofed emails that seem to originate from within the victim’s organization. Read more.

CyberAv3ngers: From Infrastructure Hacks to Propaganda Machines in the Iran-Israel Cyber War

Source: Domain Tools

A prominent group, CyberAv3ngers, has been involved in hijacking water systems, altering PLCs, and mocking Israeli cybersecurity initiatives on platforms like Telegram and Twitter. Read more.


InfoSec Articles (06/03/25 – 06/17/25)


Welcome to our biweekly cybersecurity roundup. In these blog posts, we feature curated articles and insights from experts, providing you with valuable information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, our biweekly blog post is designed to keep you informed and empowered.


New Flodrix Botnet Variant Exploits Langflow AI Server RCE Bug to Launch DDoS Attacks

Source: The Hacker News

Cybersecurity researchers have identified a campaign exploiting a critical security flaw in Langflow to distribute the Flodrix botnet malware. This involves CVE-2025-3248, a missing authentication flaw in Langflow, allowing attackers to execute downloader scripts on compromised servers to install Flodrix. Read more.

Clone, Compile, Compromise: Water Curse’s Open-Source Malware Trap on GitHub

Source: TREND MICRO

Water Curse is a newly discovered threat actor using weaponized GitHub repositories to spread multistage malware. The malware enables data exfiltration, including credentials and browser data, and poses a significant supply chain risk, particularly affecting cybersecurity professionals, game developers, and DevOps teams reliant on open-source tools. Read more.

Tycoon 2FA: An Evolving Phishing Kit Powering PhaaS Threats

Source: SOCRadar

Cybercriminals are using Tycoon 2FA in recent phishing campaigns to create deceptive login pages that mimic trusted services like Microsoft 365. This Phishing-as-a-Service kit allows attackers to bypass Multi-Factor Authentication by stealing session cookies, granting unauthorized access to accounts despite existing security measures. Read more.
PyPI, npm, and AI Tools Exploited in Malware Surge Targeting DevOps and Cloud Environments

Source: The Hacker News

Cybersecurity researchers have identified several npm packages laced with malware, capable of executing remote code and downloading additional malicious payloads. Although these packages, including eslint-config-airbnb-compat, ts-runtime-compat-check, solders, and @mediawave/lib, have been removed from the registry, they were downloaded hundreds of times before their removal. Read more.

Anubis: A Closer Look at an Emerging Ransomware with Built-in Wiper

Source: TREND MICRO

Anubis is a rising Ransomware-as-a-Service (RaaS) operation that uniquely combines file encryption with an optional “wipe mode” feature, allowing for permanent file deletion if the ransom is not paid. It operates a versatile affiliate program with negotiable revenue shares, enabling further monetization through data extortion and access sales. Read more.

Microsoft confirms auth issues affecting Microsoft 365 users

Source: BLEEPING COMPUTER

Microsoft is currently investigating an issue with M365 authentication features. It’s affecting users’ experiences, specifically causing errors during self-service password resets and when managing authentication methods. Administrators are also facing difficulties adding MFA sign-in methods. Read more.

Understanding Katz Stealer Malware and Its Credential Theft Capabilities

Source: PICUS

Katz Stealer is a newly discovered information-stealing MaaS, featuring aggressive credential theft, system fingerprinting, and stealthy persistence methods. This analysis explores its infection chain, obfuscation techniques, credential theft mechanisms, C2 behavior, and persistence strategies, providing key IOCs and insights for effective detection and defense. Read more.

Password-spraying attacks target 80,000 Microsoft Entra ID accounts

Source: BLEEPING COMPUTER

Hackers have used the TeamFiltration pentesting framework to target over 80,000 Microsoft Entra ID accounts globally, with the campaign reaching its peak on January 8 by attacking 16,500 accounts in just one day. Researchers from Proofpoint have attributed this activity, which began last December and has compromised numerous accounts, to a threat actor known as UNK_SneakyStrike. Read more.

Google suffers cloud outage, causing disruptions for OpenAI, Shopify and other services

Source: CNBC

Google’s cloud faced widespread outages on Thursday, affecting many major internet services, with disruptions starting at 10:51 a.m. PT. By Thursday evening, Google Cloud CEO Thomas Kurian confirmed on X that all services were fully operational again. Read more.

GhostVendors Exposed: Silent Push Uncovers Massive Network of 4000+ Fraudulent Domains Masquerading as Major Brands

Source: SILENT PUSH

Threat analysts at Silent Push have uncovered the “GhostVendors” scam, involving online ads that impersonate major brands and spoof real products across thousands of fraudulent websites. This operation, spanning over 4,000 domains, poses a significant threat to social networks, well-known brands, advertising firms, and consumers globally. Read more.


InfoSec Articles (05/20/25 – 06/03/25)


New Linux Vulnerabilities Expose Password Hashes via Core Dumps

Source: Infosecurity Magazine

Two local information-disclosure vulnerabilities have been identified in popular Linux crash-reporting tools, allowing attackers to access sensitive system data. The vulnerabilities impact Apport on Ubuntu and systemd-coredump on Red Hat Enterprise Linux (RHEL) and Fedora. Read more.

Crocodilus Mobile Malware: Evolving Fast, Going Global

Source: Threat Fabric

In March 2025, researchers discovered Crocodilus, a new device-takeover Android banking Trojan entering the threat landscape. The first observed samples were mostly related to test campaigns, with sporadic instances of live campaigns. Ongoing monitoring of the threat landscape revealed a growing number of campaigns and continuous development of the Trojan. Read more.

A mysterious leaker is exposing ransomware hackers to the world

Source: TechRadar

A mysterious leaker has been spotted unveiling the identities of some of the world’s most wanted cybercriminals, including the masterminds behind Conti and Trickbot ransomware, infamous groups responsible for some of the biggest extortions in modern history. Read more.
Pro-Ukraine hacker group Black Owl poses ‘major threat’ to Russia, Kaspersky says

Source: The Record

BO Team, also known as Black Owl, has been active since early 2024 and appears to operate independently, with its own arsenal of tools and tactics, researchers at Russian cybersecurity firm Kaspersky said. Read more.

Cybercriminals camouflaging threats as AI tool installers

Source: Cisco Talos

Talos has recently uncovered multiple threats masquerading as AI solutions being circulated in the wild, including the CyberLock and Lucky_Gh0$t ransomware families, along with a newly discovered destructive malware, dubbed “Numero.” The legitimate versions of these AI tools are particularly popular within the B2B sales domain and the technology and marketing sectors. Read more.

Monkey-Patched PyPI Packages Use Transitive Dependencies to Steal Solana Private Keys

Source: Socket

Once imported, the malware monkey-patches Solana key-generation methods by modifying functions at runtime without altering the original source code. Each time a keypair is generated, the malware captures the private key. It then encrypts the key using a hardcoded RSA-2048 public key and encodes the result in Base64. Read more.

Your AI Notetaker Might Be a Liability: Insights from Stealer Logs

Source: SOCRadar

Using AI note-taking tools can be incredibly helpful but they also come with some serious legal and ethical responsibilities. Organizations need to think about how these tools collect, store, and use data, and how the output might influence decisions or impact privacy. If you’re choosing a transcription service, make sure it follows data privacy laws and uses secure, well-managed systems. Read more.

Tracking AyySSHush: a Newly Discovered ASUS Router Botnet Campaign

Source: Censys

A new, stealthy ASUS router botnet, dubbed AyySSHush, abuses trusted firmware features through a multi-stage attack sequence to backdoor routers and persist across firmware updates, evading traditional detection methods. Read more.

Police takes down AVCheck site used by cybercriminals to scan malware

Source: BLEEPING COMPUTER

An international law enforcement operation has taken down AVCheck, a service used by cybercriminals to test whether their malware is detected by commercial antivirus software before deploying it in the wild. The service’s official domain at avcheck.net now displays a seizure banner with the crests of the U.S. Department of Justice, the FBI, the U.S. Secret Service, and the Dutch police (Politie). Read more.

Russian-linked hackers target UK Defense Ministry while posing as journalists

Source: KYIV Independent

Russian-linked hackers targeted U.K. Defense Ministry staff in an espionage operation while posing as journalists, Sky News reported on May 29, citing the British government. The cyber attack was detected and thwarted, the government said. Read more.


InfoSec Articles (05/06/25 – 05/20/25)


SEC SIM-swapper who Googled ‘signs that the FBI is after you’ put behind bars

Source: The Register

An Alabama man who SIM-swapped his way into the SEC’s official X account, enabling a fake ETF announcement that briefly pumped Bitcoin, has been sentenced to 14 months in prison and three years of supervised release. Prior to his conviction and sentencing on Friday, Eric Council Jr., 26, of Huntsville, Alabama, proved once again that cybercriminals are very bad at internet search hygiene. Read more.

Hackers Exploit AutoIT Scripts to Deploy Malware Targeting Windows Systems

Source: GBHackers

Often compared to .NET for its persistence in malicious campaigns, AutoIT’s simplicity and ability to interact with Windows components make it a favored tool among cybercriminals. This weekend, a particularly intricate malware delivery mechanism was identified, featuring a double-layered AutoIT script designed to deploy a potentially devastating payload. Read more.

Malware of the Day – C2 over ICMP (ICMP-GOSH)

Source: ACTIVE COUNTER MEASURES

The potential for ICMP to be used as a C2 channel is often overlooked precisely because it is such a foundational troubleshooting protocol, integral to the normal functioning of network communication. Many people view it as “background chatter”, not considering its potential to be intentionally leveraged to carry data for this exact reason. Read more.
Backdoor implant discovered on PyPI posing as debugging utility

Source: REVERSING LABS

On Tuesday, the RL threat research team detected a newly uploaded malicious package that poses as a Python debugging utility. When installed, the package implants a backdoor on the developer’s system, enabling malicious actors to execute malicious code and exfiltrate sensitive data. Read more.

Ransomware gangs increasingly use Skitnet post-exploitation malware

Source: BLEEPING COMPUTER

Ransomware gang members increasingly use a new malware called Skitnet (“Bossnet”) to perform stealthy post-exploitation activities on breached networks. The malware has been offered for sale on underground forums like RAMP since April 2024, but according to Prodaft researchers, it began gaining significant traction among ransomware gangs in early 2025. Read more.

Researchers Expose New Intel CPU Flaws Enabling Memory Leaks and Spectre v2 Attacks

Source: The Hacker News

The vulnerability, referred to as Branch Privilege Injection (BPI), “can be exploited to misuse the prediction calculations of the CPU (central processing unit) in order to gain unauthorized access to information from other processor users,” ETH Zurich said. Read more.

Android users bombarded with unskippable ads

Source: Malwarebytes Labs

Researchers have discovered a very versatile ad fraud network—known as Kaleidoscope—that bombards users with unskippable ads. Kaleidoscope targets Android users through seemingly legitimate apps in the Google Play Store, as well as malicious lookalikes distributed through third-party app stores. Read more.

Operation RoundPress

Source: welivesecurity

In Operation RoundPress, the compromise vector is a spearphishing email leveraging an XSS vulnerability to inject malicious JavaScript code into the victim’s webmail page. In 2023, Operation RoundPress only targeted Roundcube, but in 2024 it expanded to other webmail software including Horde, MDaemon, and Zimbra. Read more.

GovDelivery, an email alert system used by governments, abused to send scam messages

Source: TechCrunch

An email notification system used by U.S. federal and state government departments to alert residents to important information has been used to send scam emails, TechCrunch has learned. Read more.

APT GROUP123

Source: CYFIRMA

Group123 is a North Korean state-sponsored APT group active since at least 2012. It is also tracked under other names such as APT37, Reaper, and ScarCruft by various cybersecurity firms. The group is known for its cyber espionage campaigns primarily targeting South Korea; however, since 2017 it has expanded its operations to Japan, Vietnam, the Middle East, and other regions. Read more.
