Security Signals (07/29/25 – 08/12/25)

Cybersecurity News

?

Welcome to your biweekly digest of curated cybersecurity intelligence.

Every two weeks, we bring you expert insights and handpicked articles covering the latest threats, threat actor activities, vulnerabilities, incident trends, and defensive strategies. Whether you’re on the front lines or shaping your organization’s security posture, Security Signals delivers the information you need to stay informed and ready.

For more articles, check out our #onpatrol4malware blog.

A

Adversary Intel
Attack Surface Watch
Incident Radar
Threat Lab

?

Turn Insights Into Action with Free Threat Intel

Security Signals gives you the insights and our Risk Indicators feeds help you apply them. Get free access to machine readable OSINT that helps you monitor emerging risks, validate indicators, and proactively defend your environment.

SUBSCRIBE FOR FREE
?

This Edition’s Articles

Adversary Intel: From APTs to Ransomware Groups

ShinyHunters Tactics Now Mirror Scattered Spider
Source: DARK READING
Recent cyber incidents reveal patterns in timing, shared infrastructure, and similar targets. This suggests a coordinated approach, combining ShinyHunters’ data theft with Scattered Spider’s social engineering. Read more.

Unmasking SocGholish: Silent Push Untangles the Malware Web Behind the “Pioneer of Fake Updates” and Its Operator, TA569
Source: SILENT PUSH
SocGholish, managed by TA569, acts as a Malware-as-a-Service provider, selling access to compromised systems. Their main method is fake browser update pop-ups, delivered via JavaScript on hacked sites. Read more.

Attack Surface Watch: Exploring Digital Risks

New Win-DDoS Flaws Let Attackers Turn Public Domain Controllers into DDoS Botnet via RPC, LDAP
Source: The Hacker News
SafeBreach researchers have found a new attack method, Win-DDoS, that could use thousands of public domain controllers to build a botnet for DDoS attacks. Read more.

Over 29,000 Exchange servers unpatched against high-severity flaw
Source: BLEEPING COMPUTER
More than 29,000 Exchange servers are still unpatched for CVE-2025-53786, a flaw that lets attackers move through Microsoft cloud and take over domains. Read more.

WinRAR zero-day exploited to plant malware on archive extraction
Source: BLEEPING COMPUTER
A recently fixed WinRAR vulnerability (CVE-2025-8088) was used in #phishing attacks to install RomCom malware. The bug allowed files to be extracted to any folder chosen by attackers. Read more.

Incident Radar: Breaches & Attacks

‘Chairmen’ of $100 million scam operation extradited to US
Source: BLEEPING COMPUTER
The U.S. Department of Justice charged four Ghanaian nationals for their roles in a $100M fraud ring involving romance scams and business email compromise. The suspects, extradited from Ghana, allegedly targeted U.S. companies and individuals from 2016 to 2023. Read more.

Threat Lab: Malware & Attack Analysis Deep Dive

CastleLoader
Source: PolySwarm
CastleLoader is a malware loader that has infected 469 devices since May 2025. It uses Cloudflare-themed ClickFix phishing and fake GitHub links to deliver info stealers and RATs. Read more.

Wave of 150 crypto-draining extensions hits Firefox add-on store
Source: BLEEPING COMPUTER
A campaign named ‘GreedyBear’ has targeted Firefox users with 150 fake extensions on the Mozilla add-ons store. These copy well-known crypto wallets like MetaMask and TronLink, stealing over $1,000,000. Read more.

SCENE 1: SoupDealer – Technical Analysis of a Stealth Java Loader Used in Phishing Campaigns Targeting Türkiye
Source: Malwation
A recent malware bypassed almost every public sandbox and antivirus, except Threat.Zone, and even evaded EDR/XDR in real-world incidents. Many banks, ISPs, and organizations were impacted. Read more.

Makop Ransomware Identified in Attacks in South Korea
Source: ASEC
ASEC has identified Makop ransomware attacks targeting South Korean users. The ransomware is spread through fake resumes, copyright emails, and now uses RDP for attacks. Read more.

Want more articles? Check out the previous edition of Security Signals here.

?

InfoSec Articles (07/01/25 – 07/15/25)

Cybersecurity News

???????

Welcome to our biweekly cybersecurity roundup. In these blog posts, we feature curated articles and insights from experts, providing you with valuable information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, our biweekly blog post is designed to keep you informed and empowered.

For more articles, check out our #onpatrol4malware blog.

Behind the Clouds: Attackers Targeting Governments in Southeast Asia Implement Novel Covert C2 Communication

Source: Unit 42

Researchers discovered HazyBeacon, a sophisticated backdoor targeting government agencies in Southeast Asia. Read more.

Octalyn Stealer Unmasked

Source: CYFIRMA

Octalyn Forensic Toolkit on GitHub appears as research tool but functions as credential stealer. Built with C++ and Delphi, uses Telegram for control and hides in Windows startup. Read more.

Google Gemini flaw hijacks email summaries for phishing

Source: BLEEPING COMPUTER

Google Gemini for Workspace has a newly discovered vulnerability. Attackers can embed hidden instructions in emails that manipulate Gemini’s summary generation, potentially directing users to phishing sites. Read more.

Dark Web Profile: Arkana Ransomware

Source: SOCRadar

Arkana Ransomware made headlines attacking WOW! internet provider in March 2025. Linked to Qilin Ransomware network, they disguise extortion as “post-penetration testing services.” Read more.

Likely Belarus-Nexus Threat Actor Delivers Downloader to Poland

Source: BLEEPING COMPUTER

The FrostyNeighbor threat group (UNC1151), attributed to Belarus, is actively targeting Eastern European nations with malicious CHM files. Read more.

295 Malicious IPs Launch Coordinated Brute-Force Attacks on Apache Tomcat Manager

Source: The Hacker News

Researchers discovered 295 malicious IP addresses launching coordinated brute-force attacks against Apache Tomcat Manager interfaces worldwide. Read more.

Hackers are exploiting critical RCE flaw in Wing FTP Server

Source: BLEEPING COMPUTER

Wing FTP Server vulnerability is being actively exploited by threat actors. This flaw allows remote code execution with full system privileges without authentication. Read more.

macOS.ZuRu Resurfaces | Modified Khepri C2 Hides Inside Doctored Termius App

Source: SentinelOne

macOS.ZuRu malware hides in fake versions of popular apps like iTerm2 and Remote Desktop. Hackers trick users through poisoned search results. Read more.

GreyNoise Identifies New Scraper Botnet Concentrated in Taiwan

Source: GreyNoise

A scraper botnet variant has been identified with the user-agent “Hello-World/1.0”. Researchers are tracking it through unique behavioral patterns. Read more.

Count(er) Strike – Data Inference Vulnerability in ServiceNow

Source: Varonis

Researchers discovered a critical ServiceNow vulnerability dubbed “Count(er) Strike” that could expose sensitive data across hundreds of tables. It required only basic user access to exploit. Read more.

?

Security Signals (07/15/25 – 07/29/25)

Cybersecurity News

????????

Welcome to your biweekly digest of curated cybersecurity intelligence.

Every two weeks, we bring you expert insights and handpicked articles covering the latest threats, threat actor activity, vulnerabilities, incident trends, and defensive strategies. Whether you’re on the front lines or shaping your organization’s security posture, Security Signals delivers the information you need to stay informed and ready.

For more articles, check out our #onpatrol4malware blog.

A

Adversary Intel
Attack Surface Watch
Incident Radar
Threat Lab

?

Turn Insights Into Action with Free Threat Intel

Security Signals gives you the insights and our Risk Indicators feeds help you apply them. Get free access to machine readable OSINT that helps you monitor emerging risks, validate indicators, and proactively defend your environment.

SUBSCRIBE FOR FREE

This Edition’s Articles

Adversary Intel: From APTs to Ransomware Groups

China-linked group Fire Ant exploits VMware and F5 flaws since early 2025
Source: Security Affairs
Fire Ant, a China-linked cyber group, is exploiting VMware and F5 vulnerabilities to access secure, segmented networks, according to Sygnia. They have targeted VMware ESXi and vCenter, using layered attacks to reach restricted systems. Read more.

Scattered Spider is running a VMware ESXi hacking spree
Source: BLEEPING COMPUTER
Scattered Spider hackers are targeting VMware ESXi hypervisors at U.S. companies in retail, airline, transportation, and insurance. They use social engineering, not software flaws, to bypass security. Read more.

Unmasking the new Chaos RaaS group attacks
Source: Cisco Talos
Cisco Talos IR recently observed Chaos, a new ransomware-as-a-service group, targeting businesses with spam, social engineering, and remote tools. Their attacks use fast, selective encryption and anti-analysis methods, making detection and recovery difficult. Read more.

Attack Surface Watch: Exploring Digital Risks

ToolShell: An all-you-can-eat buffet for threat actors
Source: We Live Security
Microsoft has confirmed that ToolShell, a set of zero-day vulnerabilities (CVE-2025-53770 & CVE-2025-53771), is being used to attack on-premises SharePoint servers. These attacks can let hackers access restricted systems and steal data. Read more.

Organizations Warned of Exploited PaperCut Flaw
Source: Security Week
CISA has warned about a security vulnerability (CVE-2023-2533) in PaperCut NG and MF print management products. This issue lets attackers change security settings or run code remotely. Read more.

Incident Radar: Breaches & Attacks

Microsoft probing whether cyber alert tipped off Chinese hackers
Source: The Straits Times
Microsoft is looking into whether a leak from its early alert system allowed hackers to exploit SharePoint flaws before they were fixed. The system is meant to help cyber-security experts fix issues early, but it may have led to global problems. Read more.

US Targets North Korea’s Illicit Funds: $15M Rewards Offered as American Woman Jailed in IT Worker Scam
Source: Security Week
An Arizona woman was sentenced for helping North Korean IT workers get jobs at over 300 US companies using stolen identities. She ran a laptop farm at home, helping generate $17M in illegal revenue. Read more.

Amazon AI coding agent hacked to inject data wiping commands
Source: BLEEPING COMPUTER
A hacker planted data-wiping code in the Amazon Q Developer Extension for Visual Studio Code. This free AI-powered tool, with nearly 1M installs, helps developers code and debug. Read more.

Threat Lab: Malware & Attack Analysis Deep Dive

RAVEN STEALER UNMASKED: Telegram-Based Data Exfiltration.
Source: Cyfirma
Raven Stealer is a lightweight malware that targets browsers like Chrome and Edge, stealing passwords, cookies, and payment info. It uses Telegram bots for data theft and is easy for attackers to use. Read more.

Oyster Backdoor: The Malvertising Menace Masquerading as Popular Tools
Source: CyberProof
CyberProof Threat Researchers found an OysterBackdoor infection in July 2025. Attackers used a fake Putty installer, but the backdoor was blocked before any harm. This blog shares technical details about the files seen in this attack. Read more.

InfoSec Articles (06/17/25 – 07/01/25)

Cybersecurity News

???

Welcome to our biweekly cybersecurity roundup. In these blog posts, we feature curated articles and insights from experts, providing you with valuable information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, our biweekly blog post is designed to keep you informed and empowered.

For more articles, check out our #onpatrol4malware blog.

Crypto Operation Using Fake Investment Platforms Dismantled in Spain

Source: Bitdefender

Spain’s Guardia Civil, in collaboration with Europol and other global law enforcement agencies, has arrested five individuals suspected of laundering hundreds of millions of euros through cryptocurrency scams that have affected over 5,000 victims worldwide. Read more.

New FileFix attack runs JScript while bypassing Windows MoTW alerts

Source: BLEEPING COMPUTER

A new FileFix attack, created by security researcher mr.d0x, exploits browser handling of saved HTML files to bypass Windows’ MoTW protection, tricking victims into executing a disguised PowerShell command via a phishing page. Read more.

Chrome Zero-Day CVE-2025-6554 Under Active Attack — Google Issues Security Update

Source: The Hacker News

Google has issued security updates to address a zero-day vulnerability, CVE-2025-6554, currently being exploited in the wild, characterized as a type confusion flaw in the V8 JavaScript and WebAssembly engine. Read more.

Godfather Evolves With Advanced On-Device Virtualization Capabilities

Source: PolySwarm

Godfather malware exploits Android’s Accessibility Service to capture detailed tap events and screen information, targeting around 484 applications with commands sent through a Base64-encoded C2 server. Read more.

Bluetooth flaws could let hackers spy through your microphone

Source: BLEEPING COMPUTER

Recent vulnerabilities in a Bluetooth chipset affect 29 audio devices from brands like Beyerdynamic, Bose, and Sony, potentially allowing for eavesdropping or data theft. Read more.

Taking the shine off BreachForums

Source: SOPHOS

French authorities have reported the arrest of four members of the ShinyHunters (also known as ShinyCorp) cybercriminal group across various regions in France for their involvement in cybercrime activities and the underground forum BreachForums. Read more.

GIFTEDCROOK Malware Evolves: From Browser Stealer to Intelligence-Gathering Tool

Source: The Hacker News

The threat actor behind the GIFTEDCROOK malware has upgraded it from a simple browser data stealer to a sophisticated intelligence-gathering tool. Read more.

Evidence Suggests Exploitation of CitrixBleed 2 Vulnerability

Source: SECURITY WEEK

The Citrix NetScaler vulnerability, known as CitrixBleed 2 and CVE-2025–5777, might be exploited in real-world scenarios, as indicated by cybersecurity firm ReliaQuest. Read more.

Microsoft 365 Direct Send Abused for Phishing

Source: SECURITY WEEK

Varonis has identified a phishing campaign exploiting Microsoft 365 Direct Send, which allows attackers to send spoofed emails that seem to originate from within the victim’s organization. Read more.

CyberAv3ngers: From Infrastructure Hacks to Propaganda Machines in the Iran-Israel Cyber War

Source: Domain Tools

A prominent group, CyberAv3ngers, has been involved in hijacking water systems, altering PLCs, and mocking Israeli cybersecurity initiatives on platforms like Telegram and Twitter. Read more.

?

InfoSec Articles (06/18/24 – 07/02/24)

Cybersecurity News

??

Welcome to our biweekly cybersecurity roundup. In these blog posts, we feature curated articles and insights from experts, providing you with valuable information on the latest cybersecurity threats, technologies, and best practices to keep yourself and your organization safe. Whether you’re a cybersecurity professional or a concerned individual, our biweekly blog post is designed to keep you informed and empowered.

For more articles, check out our #onpatrol4malware blog.

Microsoft Alerts More Users in Update to Midnight Blizzard Hack

Source: GBHackers

Microsoft has issued a new alert to its users, updating them on the continued threat posed by Midnight Blizzard, a Russian state-sponsored hacking group also known as NOBELIUM. Read more.

Remote access giant TeamViewer says Russian spies hacked its corporate network

Source: TechCrunch

In a statement Friday, the company attributed the compromise to government-backed hackers working for Russian intelligence, known as APT29 (and Midnight Blizzard). Read more.

New InnoSetup Malware Created Upon Each Download Attempt

Source: ASEC

Unlike past malware which performed malicious behaviors immediately upon being executed, this malware displays an installer UI and malicious behaviors are executed upon clicking buttons during the installation process. Read more.

Polyfill Supply Chain Attack Hits Over 100k Websites

Source: SECURITY WEEK

On Tuesday, security researchers at Sansec and C/side confirmed that the cdn.polyfill.io domain is injecting malicious code into more than 100,000 websites that are using it. Read more.

Medusa Reborn: A New Compact Variant Discovered

Source: Cleafy

Analysing the evolution of Medusa samples over the past few months, it is clear that TAs aim to enhance the efficiency of the available features while simultaneously strengthening the botnet by refactoring the permissions required during the installation phase. Read more.

UAC-0184 Abuses Python in DLL Sideloading for XWORM Distribution

Source: CYBLE

CRIL recently observed a malware campaign targeting Ukraine using the Remote Access Trojan (RAT) known as XWorm. Upon investigation, it was found that this campaign is associated with the Threat Actor (TA) group UAC-0184. Read more.

New security loophole allows spying on internet users visiting websites and watching videos

Source: Tech Xplore

No malicious code is required to exploit this vulnerability, known as “SnailLoad,” and the data traffic does not need to be intercepted. All types of end devices and internet connections are affected. Read more.

Cyber attack compromised Indonesia data centre, ransom sought

Source: Reuters

A cyber attacker compromised Indonesia’s national data centre, disrupting immigration checks at airports, and asked for an $8 million ransom, the country’s communications minister told Reuters on Monday. Read more.

CDK Global outage caused by BlackSuit ransomware attack

Source: BLEEPING COMPUTER

The negotiations come after the BlackSuit ransomware attack forced CDK to shut down its IT systems and data centers to prevent the attack’s spread, including its car dealership platform. The company tried restoring services on Wednesday but suffered a second cybersecurity incident, causing it to shut down all IT systems again. Read more.

Fickle Stealer Distributed via Multiple Attack Chain

Source: FORTINET

In May 2024, FortiGuard Labs observed a Rust-based stealer. In addition to its intricate code, the stealer is distributed using a variety of strategies and has a flexible way of choosing its target. Because of this ambiguity, we decided to call it Fickle Stealer. Read more.

Want more articles? Check out the previous edition of Security Signals.

?