Welcome to your biweekly digest of curated cybersecurity intelligence.
Every two weeks, we bring you expert insights and handpicked articles covering the latest threats, threat actor activity, vulnerabilities, incident trends, and defensive strategies. Whether you’re on the front lines or shaping your organization’s security posture, Security Signals delivers the information you need to stay informed and ready.
For more articles, check out our #onpatrol4malware blog.
Turn Insights Into Action with Free Threat Intel
Security Signals gives you the insights and our Risk Indicators OSINT feeds help you apply them.
This Edition’s Articles
Coordinated Brute Force Campaign Targets Fortinet SSL VPNs
Source: GreyNoise
(Published: 12 August 2025)
On August 3, 2025, GreyNoise observed a significant spike in brute-force traffic targeting Fortinet SSL VPNs.
Persistent Risk: XZ Utils Backdoor Still Lurking in Docker Images
Source: Binarly
(Published: 12 August 2025)
In this blog we share a new finding in the XZ Utils saga: several Docker images built around the time of the compromise contain the backdoor.
Malvertising campaign leads to PS1Bot, a multi-stage malware framework
Source: Cisco Talos
(Published: 12 August 2025)
Cisco Talos has observed an ongoing malware campaign that seeks to infect victims with a multi-stage malware framework implemented in PowerShell and C#.
Threat Bulletin: Fire in the Woods – A New Variant of FireWood
Source: Intezer
(Published: 13 August 2025)
FireWood is a Linux backdoor discovered by ESET’s research team.
‘Blue Locker’ Analysis: Ransomware Targeting Oil and Gas Sector in Pakistan
Source: Resecurity
(Published: 14 August 2025)
This ransomware attack targeted a major enterprise in Pakistan’s oil and gas sector around the country’s Independence Day.
PhantomCard: New NFC-driven Android malware emerging in Brazil
Source: ThreatFabric
(Published: 14 August 2025)
We introduce PhantomCard, a new Android NFC-based trojan targeting banking customers in Brazil and potentially expanding globally.
CISA Warns of Attacks Exploiting N-able Vulnerabilities
Source: SecurityWeek
(Published: 14 August 2025)
CISA reported becoming aware of attacks exploiting CVE-2025-8875 and CVE-2025-8876 in N-able N-central on the day they were patched.
Ghost-Tapping and the Chinese Cybercriminal Retail Fraud Ecosystem
Source: Recorded Future
(Published: 14 August 2025)
We observed criminals buying and selling stolen goods on Telegram marketplaces such as Huione Guarantee and Xinbi Guarantee.
Cisco Discloses Critical RCE Flaw in Firewall Management Software
Source: Infosecurity Magazine
(Published: 15 August 2025)
Cisco revealed a critical RCE flaw tracked as CVE-2025-20265 and urged customers to apply software updates.
BlackMatter Ransomware Overview
Source: ANY.RUN
(Published: 18 August 2025)
BlackMatter is a fast-moving ransomware strain that encrypts local and network data, disables recovery mechanisms, and forces organizations to negotiate.
Apache ActiveMQ attackers patch critical vuln after breaking in
Source: The Register
(Published: 19 August 2025)
Criminals exploiting a critical ActiveMQ vulnerability fixed the flaw post-intrusion to help hide persistence on Linux servers.
Oregon Man Charged with Administering “Rapper Bot” DDoS-for-Hire Botnet
Source: U.S. Department of Justice (USAO-AK)
(Published: 19 August 2025)
An Oregon man was charged in Alaska for allegedly developing and administering the “Rapper Bot” DDoS-for-hire botnet.
New Research Links VPN Apps, Highlights Security Deficiencies
Source: SecurityWeek
(Published: 19 August 2025)
Citizen Lab identified links between multiple VPN providers and found several security weaknesses in their mobile apps.
A Cereal Offender: Analyzing the CORNFLAKE.V3 Backdoor
Source: Google Cloud Blog (Threat Intelligence)
(Published: 20 August 2025)
Mandiant detailed a campaign where a downloader delivers CORNFLAKE.V3 malware as part of financially motivated operations.
Your Connection, Their Cash: Threat Actors Misuse SDKs to Sell Your Bandwidth
Source: Unit 42 (Palo Alto Networks)
(Published: 21 August 2025)
Unit 42 observed attackers exploiting CVE-2024-36401 to deploy SDKs or modified apps that monetize victims’ bandwidth via network sharing.
Fake macOS help sites push Shamos infostealer via ClickFix technique
Source: Help Net Security
(Published: 25 August 2025)
Criminals are tricking macOS users into running commands that install the Shamos infostealer, using a social engineering tactic known as ClickFix.
Want more articles? Check out the previous edition of Security Signals here.