Welcome to your biweekly digest of curated cybersecurity intelligence.
Every two weeks, we bring you expert insights and handpicked articles covering the latest threats, threat actor activity, vulnerabilities, incident trends, and defensive strategies. Whether you’re on the front lines or shaping your organization’s security posture, Security Signals delivers the information you need to stay informed and ready.
For more articles, check out our #onpatrol4malware blog.
Turn Insights Into Action with Free Threat Intel
Security Signals gives you the insights, and our Risk Indicators OSINT feeds help you apply them.
This Edition’s Articles
Countering China State Actors Compromise of Networks
Source: U.S. Department of Defense
(Published: September 2025)
People’s Republic of China (PRC) state-sponsored cyber threat actors are targeting networks globally, including, but not limited to, telecommunications, government, transportation, lodging, and military infrastructure networks. Read more.
Widespread Data Theft Targets Salesforce Instances via Salesloft Drift
Source: Google Cloud Blog
(Published: 26 August 2025)
Google Threat Intelligence Group is issuing an advisory to alert organizations about a widespread data theft campaign carried out by the actor tracked as UNC6395. Read more.
Velociraptor incident response tool abused for remote access
Source: Sophos News
(Published: 26 August 2025)
In August 2025, Counter Threat Unit researchers investigated an intrusion that involved deployment of the legitimate open-source Velociraptor digital forensics and incident response tool. Read more.
Breaking Down Mustang Panda Windows Endpoint Campaign
Source: Picus Security
(Published: 26 August 2025)
Researchers detail a Mustang Panda campaign that targets Windows endpoints with phishing and DLL sideloading to gain persistence. Read more.
TAG-144’s Persistent Grip On South American Organizations
Source: Recorded Future
(Published: 26 August 2025)
Insikt Group assesses that TAG-144 continues persistent intrusions in South America using credential theft and backdoors. Read more.
Malvertising Campaign On Meta Expands To A Wider Target Base, Pushing Advanced Crypto-Stealing Malware To Users Worldwide
Source: Bitdefender Labs
(Published: 26 August 2025)
Bitdefender observed a global malvertising wave across Meta platforms that delivers advanced crypto-stealing malware. Read more.
Storm-0501’s evolving techniques lead to cloud-based ransomware
Source: Microsoft Security Blog
(Published: 27 August 2025)
Microsoft Threat Intelligence has observed financially motivated threat actor Storm-0501 continuously evolving their campaigns to focus on cloud-based tactics, techniques, and procedures. Read more.
AI-Powered Ransomware Has Arrived With ‘PromptLock’
Source: Dark Reading
(Published: 27 August 2025)
It was probably inevitable – analysts have spotted the first known ransomware strain powered by artificial intelligence. Read more.
Tamperedchef – The Bad PDF Editor
Source: Truesec
(Published: 27 August 2025)
Truesec describes a large malvertising campaign luring victims into downloading a trojanized PDF editor that steals data. Read more.
MystRodX: A Covert Dual-Mode Backdoor
Source: XLab
(Published: 27 August 2025)
MystRodX is a typical backdoor implemented in C++, supporting features like file management, port forwarding, reverse shell, and socket management. Read more.
Malicious ScreenConnect Campaign Abuses AI-Themed Lures For XWorm Delivery
Source: Trustwave SpiderLabs
(Published: 27 August 2025)
Investigators uncovered a campaign that used fake AI content to trick users into running a preconfigured ScreenConnect installer that dropped XWorm. Read more.
From Threat To Test: Emulating Scattered Spider In Realistic Scenarios
Source: Lares Labs
(Published: 27 August 2025)
Read more.
ShadowSilk: A Cross-Border Binary Union For Data Theft
Source: Group-IB
(Published: 27 August 2025)
Read more.
Chasing the Silver Fox: Cat & Mouse in Kernel Shadows
Source: Check Point Research
(Published: 28 August 2025)
While Microsoft Windows has steadily strengthened its security model, threat actors have adapted by exploiting lower-level weaknesses that bypass these protections without triggering defenses. Read more.
Amazon disrupts watering hole campaign by Russia’s APT29
Source: AWS Security Blog
(Published: 29 August 2025)
Amazon’s threat intelligence team identified and disrupted a watering hole campaign conducted by APT29 using compromised websites to redirect visitors to malicious infrastructure. Read more.
How Attackers Adapt To Built-In macOS Protection
Source: Securelist (Kaspersky)
(Published: 29 August 2025)
Read more.
Sindoor Dropper – New Phishing Campaign
Source: Nextron Systems
(Published: 29 August 2025)
Nextron documents a new phishing wave that delivers a lightweight dropper dubbed Sindoor. Read more.
Experts Warn Of Actively Exploited FreePBX Zero-Day
Source: Security Affairs
(Published: 29 August 2025)
Researchers warn that a FreePBX zero-day is being exploited in the wild against Internet-exposed systems. Read more.
Hackers Use New HexStrike AI Tool To Rapidly Exploit N-Day Flaws
Source: BleepingComputer
(Published: 29 August 2025)
Threat actors are adopting an AI tool named HexStrike to accelerate exploitation of known vulnerabilities. Read more.
Salesloft Drift Breach: GitHub Compromise and OAuth Tokens
Source: Hackread
(Published: 07 September 2025)
Heard about the recent data breaches where attackers used the Salesloft Drift application to access Salesforce data? There’s now a major update. Read more.
Feds Seize Veriftools.net, Relaunch Veriftools.com
Source: Hackread
(Published: 31 August 2025)
U.S. authorities seized Veriftools.net and the operators relaunched the service at a new domain. Read more.
WhatsApp Fixes A Serious Vulnerability Used In Targeted Attacks
Source: BetaNews
(Published: 01 September 2025)
WhatsApp patched a high severity flaw that was reportedly used in targeted attacks. Read more.
Three Lazarus RATs Coming For Your Cheese
Source: Fox-IT
(Published: 01 September 2025)
Fox-IT describes three Lazarus remote access trojans and their tooling used against organizations. Read more.
RapperBot: From Infection to DDoS in a Split Second
Source: Bitsight
(Published: 02 September 2025)
It was just another day at the office – a routine observation led to an investigation into RapperBot activity that quickly escalated from infection to DDoS. Read more.
Predators for Hire: A Global Overview of Commercial Surveillance Vendors
Source: Sekoia.io Blog
(Published: 02 September 2025)
Between November 2023 and July 2024, the Russia-nexus intrusion set APT29 was observed using exploits similar to those used by commercial surveillance vendors, particularly Intellexa’s Predator spyware. Read more.
Google Salesforce Breach: A Deep Dive Into The Chain And Extent Of The Compromise
Source: Seqrite
(Published: 02 September 2025)
The blog analyzes how UNC6040 used vishing and OAuth app abuse to access Google’s Salesforce instance and exfiltrate data. Read more.
Not Safe For Work: Tracking And Investigating Stealerium And Phantom Infostealers
Source: Proofpoint
(Published: 03 September 2025)
Proofpoint tracks Stealerium and Phantom operations and shares techniques, tooling, and indicators. Read more.
Analyzing NotDoor: Inside APT28’s Expanding Arsenal
Source: LAB52 (S2 Grupo)
(Published: 03 September 2025)
LAB52 identified a new Outlook backdoor attributed to APT28 that can monitor for trigger words and exfiltrate data while executing attacker commands. Read more.
Interview #7 Cyber Toufan
Source: deepdarkCTI
(Published: 03 September 2025)
Read more.
Cato CTRL Threat Research: Threat Actors Abuse Simplified AI to Steal Microsoft 365 Credentials
Source: Cato Networks
(Published: 04 September 2025)
AI marketing platforms have exploded in popularity, becoming everyday tools for creative teams in enterprises worldwide. Read more.
GhostRedirector poisons Windows servers: Backdoors with a side of Potatoes
Source: ESET WeLiveSecurity
(Published: 04 September 2025)
ESET researchers identified a new threat actor, GhostRedirector, that compromised at least 65 Windows servers mainly in Brazil, Thailand, and Vietnam. Read more.
Operation BarrelFire: NoisyBear Targets Entities Linked to Kazakhstan’s Oil & Gas Sector
Source: Seqrite
(Published: 04 September 2025)
Seqrite Labs APT-Team has been tracking a new threat group, which we track as NoisyBear, since April 2025; it targets entities in Central Asia’s energy sector. Read more.
Threat Actors Impersonate Microsoft Teams To Deliver Odyssey macOS Stealer Via Clickfix
Source: CloudSEK
(Published: 05 September 2025)
CloudSEK describes a fake Microsoft Teams download site that uses a ClickFix lure to get the victim to run a base64-encoded AppleScript, which installs the Odyssey macOS stealer. Read more.
Salt Typhoon 2025
Source: Silent Push
(Published: 08 September 2025)
Silent Push has identified dozens of previously unreported domains used by the Chinese APT group Salt Typhoon, all aimed at obtaining long-term, stealthy access to targeted organizations. Read more.
Scattered Lapsus$ Hunters Threaten to Leak Google Data Unless Two Security Experts Are Fired
Source: Hackread
(Published: 04 September 2025)
Scattered Lapsus$ Hunters are threatening Google, demanding that two security experts, one from Google’s Threat Intelligence Group and the other from Mandiant, be fired, or they will leak allegedly stolen Google data. Read more.
Unmasking The Gentlemen Ransomware: Tactics, Techniques, And Procedures
Source: Trend Micro Research
(Published: 09 September 2025)
Trend Micro profiles the Gentlemen ransomware group, highlighting environment-specific evasion and abuse of legitimate tools. Read more.
Blurring The Lines: Intrusion Shows Connection With Three Major Ransomware Gangs
Source: RedPacket Security
(Published: 09 September 2025)
A DFIR case links tooling and artifacts across Play, Ransomhub, and DragonForce ransomware activity. Read more.
Pondering My Orb: A Look at PolarEdge Adjacent Infrastructure
Source: Censys
(Published: 28 August 2025)
We explore several services and certificates that frequently accompany verified PolarEdge botnet certificates. Read more.
TinyLoader Malware Cryptocurrency Theft Infrastructure
Source: Hunt.io
(Published: 02 September 2025)
Malware loaders have become a common part of today’s cybercrime operations because they give attackers a reliable way to get into systems and then bring in whatever tools they need. Read more.
Unveiling a Python Stealer: Inf0s3c Stealer
Source: Cyfirma
(Published: 29 August 2025)
Cyfirma’s threat intelligence assessment reveals Inf0s3c Stealer, a Python-based grabber designed to collect system information and user data. Read more.
Unmasked: Salat Stealer – A Deep Dive into its Advanced Persistence Mechanisms and C2 Infrastructure
Source: Cyfirma
(Published: 05 September 2025)
CYFIRMA has identified Salat Stealer (also known as WEB_RAT), a sophisticated Go-based infostealer targeting Windows systems. Read more.
Operation Hankook: Phantom North Korean APT37 Targeting South Korea
Source: Seqrite
(Published: 29 August 2025)
Seqrite Lab has uncovered a campaign in which threat actors use a document titled “National Intelligence Research Society Newsletter – Issue 52” as a decoy to lure victims. Read more.
Suspicious Domain Activity Targeting 2026 FIFA World Cup Tournament
Source: Bfore.ai
(Published: August 2025)
In the lead-up to major global events, cybercriminals are quick to launch fraudulent schemes like fake websites and counterfeit online stores. Read more.
Scattered Spider Overview
Source: Lares Labs
(Published: 27 August 2025)
At Lares, we specialize in threat simulation and adversarial collaboration with our clients, replicating the tactics, techniques, and procedures (TTPs) observed in the latest cybercriminal groups. Read more.
Want more articles? Check out the previous edition of Security Signals here. Want to dive deeper into DDoS attacks? Check out the Malware Patrol blog post: Spoofed DDoS Attacks and BCP 38.