Welcome to your biweekly digest of curated cybersecurity intelligence.
Every two weeks, we bring you expert insights and handpicked articles covering the latest threats, threat actor activity, vulnerabilities, incident trends, and defensive strategies. Whether you’re on the front lines or shaping your organization’s security posture, Security Signals delivers the information you need to stay informed and ready.
For more articles, check out our #onpatrol4malware blog.
Turn Insights Into Action with Free Threat Intel
Security Signals gives you the insights, and our Risk Indicators OSINT feeds help you apply them.
This Edition’s Articles
Analysis of Backdoor.WIN32.Buterat
Source: Point Wild
(Published: 9 September 2025)
Backdoor malware is a covert type of malicious software designed to bypass standard authentication mechanisms and provide persistent, unauthorized access to compromised systems.
Threat Actor Accidentally Exposes AI-Powered Operations
Source: Infosecurity Magazine
(Published: 9 September 2025)
A threat actor has unintentionally revealed their methods and day-to-day activities after installing Huntress security software on their own environment.
AsyncRAT in Action: Fileless Malware Techniques and Analysis of a Remote Access Trojan
Source: LevelBlue
(Published: 10 September 2025)
Fileless malware continues to evade modern defenses due to its stealthy nature and reliance on legitimate system tools for execution.
New FileFix Campaign Goes Beyond PoC and Leverages Steganography
Source: Acronis / Tru
(Published: 10 September 2025)
Acronis Threat Research has observed a new FileFix campaign that uses steganographic embedding of payloads to evade detection.
Uncloaking TA415: China-Aligned Actor Conducts US-China Economic Relations Attacks
Source: Proofpoint
(Published: 11 September 2025)
Proofpoint has published findings on TA415, a China-aligned threat actor, revealing operations targeting US–China economic relations.
Threat Spotlight: ShinyHunters Data Breach Targets Salesforce Amid Scattered Spider Collaboration
Source: ReliaQuest
(Published: 11 September 2025)
ReliaQuest has observed a coordinated campaign where ShinyHunters collaborated with Scattered Spider to breach Salesforce environments.
Yurei & The Ghost of Open Source Ransomware
Source: Check Point Research
(Published: 12 September 2025)
First observed on September 5, Yurei is a newly emerged ransomware group that targeted a Sri Lankan food manufacturing company as its first leaked victim.
Modified ZLoader Variants & Updates Analyzed
Source: Zscaler
(Published: 15 September 2025)
Zscaler ThreatLabz has published new technical findings on recent updates and modifications to the ZLoader malware family.
Supporting Rowhammer Research to Understand Vulnerabilities in Memory Hardware
Source: Google Security Blog
(Published: 16 September 2025)
Google researchers detail new findings on Rowhammer and how fundamental memory hardware vulnerabilities can be further studied.
EggStreme Malware: Unpacking a New APT Framework Targeting a Philippine Military Company
Source: Bitdefender
(Published: 17 September 2025)
This report analyzes a sophisticated cyber-attack targeting a military company based in the Philippines, which led to the discovery of a new and advanced malware toolset.
HIVE0154 Drops Updated ToneShell Backdoor
Source: IBM X-Force
(Published: 17 September 2025)
IBM X-Force has uncovered HIVE0154, a threat actor deploying updated ToneShell backdoor variants in the wild.
ShadowV2: An Emerging DDoS-for-Hire Botnet
Source: Darktrace
(Published: 18 September 2025)
Darktrace reports on ShadowV2, a botnet-as-a-service model built for DDoS operations and evolving evasion tactics.
How Attackers Abuse ScreenConnect and Open Directories (AsyncRAT Campaigns Uncovered)
Source: Hunt.io
(Published: 18 September 2025)
Research shows how attackers are abusing ScreenConnect installers hosted in open directories to deliver AsyncRAT payloads.
Modus Operandi of “Subtle Snail” Threat Group
Source: Prodaft / Catalyst
(Published: 19 September 2025)
Prodaft’s Catalyst team describes the TTPs, infrastructure, and attack cycles of the Subtle Snail threat group.
Inside China’s Surveillance and Propaganda Industries: Where Profit Meets Party
Source: The Diplomat
(Published: 21 September 2025)
The Diplomat explores how China monetizes surveillance and propaganda within its media, tech, and security sectors.
Cybersecurity Incident at European Airports Caused by Ransomware
Source: SCWorld
(Published: 22 September 2025)
Several European airports have reported system outages traced to a ransomware attack affecting operational systems.
MalTerminal: An LLM-Enabled Malware Pioneer Exposed
Source: SecurityAffairs
(Published: 23 September 2025)
SecurityAffairs researchers have published a deep dive on MalTerminal, a new malware leveraging large language models to aid operators.
Technical Analysis of kkRAT
Source: Zscaler (ThreatLabz)
(Published: 10 September 2025)
Zscaler ThreatLabz has identified a malware campaign targeting Chinese-speaking users, active since early May 2025.
ChillyHell – a modular macOS backdoor
Source: Jamf Threat Labs
(Published: 8 September 2025)
During routine sample analysis, Jamf Threat Labs discovered a macOS backdoor showing a distinctive approach to process reconnaissance.
Uncloaking VoidProxy: a Novel and Evasive Phishing-as-a-Service Framework
Source: Okta Security
(Published: 11 September 2025)
Okta Threat Intelligence details a previously unreported Phishing-as-a-Service operation dubbed VoidProxy.
Introducing HybridPetya: Petya/NotPetya copycat with UEFI Secure Boot bypass
Source: ESET / WeLiveSecurity
(Published: 12 September 2025)
ESET Research has discovered HybridPetya on VirusTotal, showing traits reminiscent of Petya/NotPetya with a Secure Boot bypass.
Inside Maranhão Stealer: Node.js-Powered InfoStealer
Source: Cyble
(Published: 15 September 2025)
Cyble Research & Intelligence Labs detail a Node.js-based infostealer leveraging reflective DLL injection techniques.
Dark Web Profile: BQTLock Ransomware
Source: SOCRadar
(Published: 12 September 2025)
BQTLock is a ransomware-as-a-service (RaaS) operation that has drawn attention for disruptive operations and distinctive methods.
Threat Spotlight: Attackers Exploit Axios for Automated Phishing
Source: ReliaQuest
(Published: 9 September 2025)
ReliaQuest observed surges in stolen credentials linked to mass-automated phishing using the Axios user agent.
Going Underground: China-Aligned TA415 Conducts US-China Economic Relations Operations
Source: Proofpoint
(Published: 11 September 2025)
Proofpoint details TA415 campaigns aligned to US-China economic relations themes.
Threat Spotlight: ShinyHunters Data Breach Targets Salesforce Amid Scattered Spider Collaboration
Source: ReliaQuest
(Published: 11 September 2025)
ReliaQuest reports ShinyHunters collaborating with Scattered Spider against Salesforce targets.
China-Linked APT41 Hackers Target US Government Agencies
Source: The Hacker News
(Published: 12 September 2025)
APT41, a China-linked group, has been observed targeting US agencies through credential theft and phishing.
KILLSEC Ransomware Is Attacking Healthcare Institutions in Brazil
Source: ReSecurity
(Published: 12 September 2025)
ReSecurity tracks KILLSEC ransomware activity against Brazilian healthcare institutions.
In-Depth Analysis of the “APT Down” – The North Korea Files Leak
Source: ENKI
(Published: September 2025)
ENKI provides an in-depth analysis related to the so-called North Korea Files leak, examining potential APT ties.
Inside the Lighthouse and Lucid PhaaS Campaigns Targeting 316 Global Brands
Source: Netcraft
(Published: 17 September 2025)
Netcraft examines Lighthouse and Lucid phishing-as-a-service operations observed targeting hundreds of brands worldwide.
Want more articles? Check out the previous edition of Security Signals here.