Security Signals (10/07/25-10/21/25)

Welcome to your biweekly digest of curated cybersecurity intelligence.

Every two weeks, we bring you expert insights and handpicked articles covering the latest threats, threat actor activity, vulnerabilities, incident trends, and defensive strategies. Whether you’re on the front lines or shaping your organization’s security posture, Security Signals delivers the information you need to stay informed and ready.

For more articles, check out our #onpatrol4malware blog.

Turn Insights Into Action with Free Threat Intel

Security Signals gives you the insights, and our Risk Indicators OSINT feeds help you apply them.

This Edition’s Articles

In these late October 2025 cyber threat reports, global research teams uncovered an active mix of espionage, phishing, and data-theft operations. Highlights this period include North Korea’s EtherHiding and Contagious Interview campaigns, new exploits such as the Oracle EBS zero-day, COLDRIVER and Lazarus-linked attacks, and mobile threats like Pixnapping targeting Android users. Together, these findings reveal how rapidly evolving malware, cloud intrusions, and supply-chain compromises continue to test defenders’ visibility and response.

An Insider Look At The IRGC-linked APT35 Operations: Ep1 & Ep2

Source: CloudSEK
(Published: 7 October 2025)
CloudSEK’s TRIAD team analyzed the available evidence and reconstructed recent APT35 operations across two episodes of our series. Read more.


Attacker says they breached Huawei, source code sold online

Source: Cybernews
(Published: 7 October 2025)
A hacker claims to have stolen Huawei’s internal source code and sold it on an underground cybercriminal forum. Read more.


Oops! It’s a kernel stack use-after-free: Exploiting NVIDIA’s GPU Linux drivers

Source: Quarkslab
(Published: 14 October 2025)
This article details two bugs in NVIDIA’s GPU kernel driver vmalloc handling that can be chained to gain code execution in kernel context. Read more.


BombShell: The Signed Backdoor Hiding in Plain Sight on Framework Devices

Source: Eclypsium
(Published: 14 October 2025)
UEFI shell vulnerabilities allow attackers to bypass Secure Boot. Read more.


DPRK Adopts EtherHiding: Nation-State Malware Hiding on Blockchains

Source: Google Cloud Blog
(Published: 16 October 2025)
Google Threat Intelligence Group (GTIG) has observed a new malware delivery technique, EtherHiding, appearing in DPRK-linked activity. Read more.


BeaverTail and OtterCookie evolve with a new JavaScript module

Source: Cisco Talos Blog
(Published: 16 October 2025)
Cisco Talos has uncovered a new attack linked to Famous Chollima, a threat group aligned with North Korea (DPRK). Read more.


Odyssey Stealer and AMOS Campaign Targets macOS Developers Through Fake Tools

Source: Hunt
(Published: 16 October 2025)
In recent months, our threat hunting team has observed a surge in macOS-targeted campaigns employing new social engineering tactics and persistent infrastructure. Read more.


New Group on the Block: UNC5142 Leverages EtherHiding to Distribute Malware

Source: Google Cloud Blog
(Published: 16 October 2025)
Since late 2023, UNC5142 has leveraged EtherHiding infrastructure to deliver malicious payloads and obfuscate attribution. Read more.


Joint Intel Strike – DeepCode × AMLBot Trace “1688shuju,” a Darknet Seller of Verified Exchange Numbers

Source: AMLBot
(Published: 17 October 2025)
On 22 August 2025, the DeepCode intelligence team identified a darknet marketplace listing by the actor “1688shuju” offering large batches of verified phone numbers tied to major cryptocurrency exchanges. Read more.


Email Bombs Exploit Lax Authentication in Zendesk

Source: Krebs on Security
(Published: 17 October 2025)
Cybercriminals are abusing a widespread lack of authentication in the customer service platform Zendesk to flood targeted email inboxes with menacing messages that come from hundreds of Zendesk corporate customers simultaneously. Read more.


Tykit Analysis: New Phishing Kit Stealing Hundreds of Microsoft Accounts in Finance

Source: ANY.RUN
(Published: 21 October 2025)
Not long ago we reported a spike in phishing attacks that use an SVG file as the delivery vector. Read more.


To Be (A Robot) or Not to Be: New Malware Attributed to Russia State-Sponsored COLDRIVER

Source: Google Cloud Blog
(Published: 21 October 2025)
COLDRIVER, a Russian state-sponsored threat group known for targeting high-profile individuals in NGOs, policy advisors and dissidents, swiftly shifted operations after the May 2025 public disclosure of its LOSTKEYS malware. Read more.


Red Hat data breach escalates as ShinyHunters joins extortion

Source: BleepingComputer
(Published: 6 October 2025)
Enterprise software giant Red Hat is now being extorted by the ShinyHunters gang, with samples of stolen customer engagement reports (CERs) leaked on their data leak site. Read more.


OpenAI has disrupted (more) Chinese accounts using ChatGPT to create social media surveillance tools

Source: Engadget
(Published: 7 October 2025)
OpenAI published a new threat report and banned additional China-linked accounts that used ChatGPT to design social media surveillance tools. Read more.


Maverick: Android banking trojan distributing via WhatsApp

Source: Securelist
(Published: 8 October 2025)
A malware campaign was recently detected distributing various versions of the Android banking trojan called ‘Maverick’ via WhatsApp. Read more.


Phishing campaign leveraging the npm ecosystem

Source: Snyk
(Published: 9 October 2025)
We have uncovered a large-scale phishing campaign abusing the npm ecosystem to deliver malware to developers through typosquatted packages and malicious maintainers. Read more.


Harvard University hit in Oracle EBS cyberattack, 1.3 TB of data leaked by Cl0p group

Source: Security Affairs
(Published: 10 October 2025)
Harvard University was hit in a cyberattack exploiting a zero-day in Oracle E-Business Suite (EBS), with the Cl0p ransomware gang leaking 1.3 TB of data. Read more.


PhantomVAI Loader Delivers a Range of Infostealers

Source: Unit 42 (Palo Alto Networks)
(Published: 15 October 2025)
Unit 42 researchers have been tracking phishing campaigns that use PhantomVAI Loader to deliver information-stealing malware through a multi-stage, evasive infection chain. Read more.


Pro-Hamas hackers breach B.C. and U.S. airport display systems

Source: Juno News
(Published: 15 October 2025)
A pro-Hamas Islamist group has taken credit for a series of cyberattacks at two B.C. airports and others in the U.S. Read more.


PassiveNeuron: campaign with APT implants and Cobalt Strike

Source: Securelist
(Published: 17 October 2025)
The PassiveNeuron (also known as ‘Evernight’) cyber espionage campaign relies on a broad arsenal of tools, including clusters of implants, Cobalt Strike, and modern living-off-the-land strategies. Read more.


SIMCartel operation: Europol takes down SIM box ring linked to 3,200 scams

Source: Security Affairs
(Published: 18 October 2025)
Europol has taken down a multi-country SIM boxing ring dubbed ‘SIMCartel,’ dismantling infrastructure linked to more than 3,200 scams. Read more.


F5 breach exposes 262,000 BIG-IP systems worldwide

Source: Security Affairs
(Published: 19 October 2025)
Security firm F5 disclosed a breach exposing telemetry data from 262,000 BIG-IP systems worldwide after attackers accessed a support platform. Read more.


Russian Lynk group leaks sensitive UK MoD files, including info on eight military bases

Source: Security Affairs
(Published: 20 October 2025)
The Russian hacktivist group Lynk leaked sensitive UK Ministry of Defence files, including details on eight military bases. Read more.


Salty Much: Darktrace’s view on a recent Salt Typhoon intrusion

Source: Darktrace
(Published: 20 October 2025)
Salt Typhoon, a China-linked cyber espionage group, has been observed targeting global infrastructure using stealthy techniques such as DLL sideloading and zero-day exploits. Read more.


Disrupting threats targeting Microsoft Teams

Source: Microsoft Security Blog
(Published: 7 October 2025)
The extensive collaboration features and global adoption of Microsoft Teams make it a high-value target for both cybercriminals and state-sponsored actors. Read more.


Crimson Collective: A New Threat Group Observed Operating in the Cloud

Source: Rapid7 Labs
(Published: 7 October 2025)
Over the past few weeks, Rapid7 has observed increased activity of a new threat group attacking AWS cloud environments with the goal of data exfiltration and subsequent extortion. Read more.


Pixel-stealing “Pixnapping” attack targets Android devices

Source: Malwarebytes
(Published: 14 October 2025)
Researchers at US universities have demonstrated how a malicious Android app can trick the system into leaking pixel data. Read more.


Retro Phishing: Basic Auth URLs Make a Comeback in Japan

Source: Netcraft
(Published: 15 October 2025)
Netcraft recently uncovered a suspicious URL targeting GMO Aozora Bank, a Japanese financial institution. Read more.


Inside the attack chain: Threat activity targeting Azure Blob Storage

Source: Microsoft Security Blog
(Published: 20 October 2025)
Azure Blob Storage is a high-value target for threat actors due to its critical role in storing and managing massive amounts of unstructured data at scale. Read more.


North Korea’s Contagious Interview Campaign Escalates: 338 Malicious npm Packages, 50,000 Downloads

Source: Socket
(Published: 10 October 2025)
The Contagious Interview operation continues to weaponize the npm registry with a repeatable playbook. Read more.


Espionage Exposed: Inside a North Korean Remote Worker Network

Source: KELA
(Published: 10 October 2025)
Thousands of North Korean IT workers are hiding in plain sight, blending into the global freelance economy, building your apps, or even designing your infrastructure. Read more.


Microsoft revamps Internet Explorer Mode in Edge after August attacks

Source: Security Affairs
(Published: 13 October 2025)
Microsoft has revamped the Internet Explorer (IE) mode in the Edge browser to fix an issue that threat actors exploited for attacks in August 2025. Read more.


TigerJack’s Extensions Continue to Rob Developers Blind Across Different Marketplaces

Source: Koi
(Published: 13 October 2025)
Meet TigerJack – a threat actor we’ve been tracking since early 2025, who has systematically infiltrated developer marketplaces with at least 11 malicious VS Code extensions across multiple publisher accounts. Read more.


Oracle silently fixes zero-day exploit leaked by ShinyHunters

Source: BleepingComputer
(Published: 14 October 2025)
Oracle has silently fixed an Oracle E-Business Suite vulnerability (CVE-2025-61884) that was actively exploited to breach servers, with a proof-of-concept exploit publicly leaked by the ShinyHunters extortion group. Read more.


Want more articles? Check out the previous edition of Security Signals here. 


Take advantage of our free data evaluation.


Security Signals (09/23/25-10/7/25)


This Edition’s Articles

Late September to early October 2025 cybersecurity news: Oracle, Red Hat, Cisco and Discord! High-profile corporate breaches and exploited vulnerabilities, persistent APT campaigns, and novel malware variants dominated the threat landscape. Enterprise vendors patched critical flaws, ransomware crews refined their tactics, and state-linked actors expanded their global reach, all underscoring the need for continuous vigilance.

YiBackdoor: A New Malware Family With Links to IcedID and Latrodectus

Source: Zscaler
(Published: 23 September 2025)
Zscaler ThreatLabz has identified a new malware family that we named YiBackdoor, which was first observed in June 2025. Read more.


Lazarus Group: A Criminal Syndicate With a Flag

Source: Barracuda
(Published: 23 September 2025)
The Lazarus Group is a notorious state-sponsored cybercrime organization linked to the Democratic People’s Republic of Korea (DPRK). Read more.


Fighting Telecom Cyberattacks: Investigating a Campaign Against UK Companies

Source: ANY.RUN
(Published: 24 September 2025)
Telecommunications companies are the digital arteries of modern civilization. Read more.


ED 25-03: Identify and Mitigate Potential Compromise of Cisco Devices

Source: Cybersecurity and Infrastructure Security Agency (CISA)
(Published: 25 September 2025)
This page contains a web-friendly version of CISA Emergency Directive 25-03: Identify and Mitigate Potential Compromise of Cisco Devices. Read more.


Smash and Grab: Aggressive Akira Campaign Targets SonicWall VPNs, Deploys Ransomware in an Hour or Less

Source: Arctic Wolf
(Published: 26 September 2025)
Since late July 2025, Arctic Wolf has observed an ongoing surge in Akira ransomware activity targeting SonicWall firewalls through malicious SSL VPN logins. Read more.


Cavalry Werewolf raids Russia’s public sector with trusted relationship attacks

Source: BI.ZONE
(Published: 2 October 2025)
BI.ZONE Threat Intelligence recorded Cavalry Werewolf activity from May to August 2025. Read more.


CERT-UA warns UAC-0245 targets Ukraine with CABINETRAT backdoor

Source: Security Affairs
(Published: 2 October 2025)
The Computer Emergency Response Team of Ukraine (CERT-UA) warned of cyberattacks by the group UAC-0245 using the CABINETRAT backdoor. Read more.


Update on a Security Incident Involving Third-Party Customer Service

Source: Discord
(Published: 3 October 2025)
At Discord, protecting the privacy and security of our users is a top priority. Read more.


Palo Alto Scanning Surges ~500% in 48 Hours, Marking 90-Day High

Source: GreyNoise
(Published: 3 October 2025)
On October 3, 2025, GreyNoise observed a ~500% increase in IPs scanning Palo Alto Networks login portals, the highest level recorded in the past 90 days. Read more.


Lunar Spider Expands Their Web via FakeCaptcha

Source: NVISO Labs
(Published: 1 October 2025)
Lunar Spider is increasingly using phishing kits disguised as CAPTCHA widgets to drive credential theft. Read more.


Silent Smishing: The Hidden Abuse of Cellular Router APIs

Source: SEKOIA
(Published: 2 October 2025)
Attackers are increasingly exploiting APIs in cellular routers to perform silent smishing without user awareness. Read more.


UAT-8099: Chinese-Speaking Cybercrime Group SEO Fraud Campaign

Source: Talos
(Published: 3 October 2025)
Talos has observed a campaign dubbed UAT-8099 in which a Chinese-speaking threat group uses SEO-fraud techniques to drive traffic to malicious sites. Read more.


Detour Dog DNS Malware Powers Strela Stealer Campaigns

Source: Infoblox Threat Intelligence
(Published: 3 October 2025)
A new DNS-based malware loader named Detour Dog is being used to deliver Strela Stealer in targeted attacks. Read more.


BrickStorm: New Espionage Campaign Targeting Cloud Assets

Source: Google Cloud Blog
(Published: 4 October 2025)
BrickStorm is a newly uncovered espionage campaign that targets cloud infrastructure with credential harvesting and lateral movement. Read more.


UNC6040: Proactive Hardening Recommendations

Source: Google Cloud Blog
(Published: 5 October 2025)
The UNC6040 cluster has been active in recent months; here are recommended proactive hardening steps to reduce exposure. Read more.


Inside Vietnamese Threat Actor “Lone None’s” Copyright Takedown Spoofing Campaign

Source: Cofense
(Published: 6 October 2025)
A Vietnamese threat actor dubbed “Lone None” has been using fraudulent copyright takedown notices to trick companies into redirecting their domains. Read more.


Raytheon Confirms Ransomware Attack on Airline Check-In Systems

Source: CyberInsider
(Published: 7 October 2025)
Raytheon Technologies has publicly acknowledged a ransomware intrusion into airline check-in infrastructure. Read more.


BreachStars Emerges as BreachForums Replacement Marketplace

Source: CyberNews
(Published: 7 October 2025)
BreachStars is positioning itself as a successor to the shuttered BreachForums, offering data-leak marketplace services. Read more.


NIST Warns of Flawed DeepSeek: Security CCP Narratives

Source: CyberNews
(Published: 4 October 2025)
The U.S. National Institute of Standards and Technology (NIST) has flagged flaws in DeepSeek that may amplify CCP information narratives. Read more.


Inside Salt Typhoon: China’s State-Corporate Advanced Persistent Threat

Source: DomainTools Investigations (DTI)
(Published: 24 September 2025)
Salt Typhoon is a Chinese state-sponsored cyber threat group aligned with the Ministry of State Security (MSS), specializing in long-term espionage operations targeting global telecommunications infrastructure. Read more.


Better Analyzing Foreign Adversary Threats to Open-Source Software

Source: Margin Research
(Published: 30 September 2025)
Global contributions to open-source software (OSS) add tremendous value: for years, they have forged connections between developers around the world, enabled dispersed and specialized talent to build better software for users, and collectively helped ensure that OSS remains available, updated, and relevant for users everywhere. Read more.


TradingView Scam Expands to Google Ads & YouTube

Source: HackRead
(Published: 26 September 2025)
A malicious advertising campaign that has been tricking content creators and unsuspecting users into downloading harmful software by offering “free access” to TradingView Premium has dramatically expanded its operations. Read more.


Operation SouthNet: SideWinder Expands Phishing & Malware in South Asia

Source: Hunt.io
(Published: 1 October 2025)
APT SideWinder, a highly active state-sponsored threat group known for its long-standing espionage campaigns across South Asia, has once again launched a targeted operation. Read more.


Breaking Down Patchwork APT

Source: K7 Labs
(Published: October 2025)
The analyzed Patchwork implant enforces the use of TLS 1.2 to ensure encrypted transmission and sends a POST request containing the encoded victim data to the C2. Read more.


Patchwork APT Exploits Macros & Scheduled Tasks for Stealthy C2/Exfil

Source: Varutra / ThreatPost
(Published: 1 October 2025)
Patchwork (aka Dropping Elephant/Monsoon/Hangover Group) is an APT active since at least 2015 targeting political and military intelligence across South and Southeast Asia. Read more.


Phantom Taurus: A New Chinese Nexus APT and the Discovery of the NET-STAR Malware Suite

Source: Unit 42 / Palo Alto Networks
(Published: 30 September 2025)
After a two-and-a-half-year investigation, Palo Alto Networks Unit 42 has formally named a sophisticated, Chinese nation-state actor: Phantom Taurus. Read more.


DrayTek warns of remote code execution bug in Vigor routers

Source: BleepingComputer
(Published: 2 October 2025)
Networking hardware maker DrayTek released an advisory to warn about a security vulnerability in several Vigor router models that could allow unauthenticated actors to perform arbitrary code execution. Read more.


Oracle patches EBS zero-day exploited in Clop data theft attacks

Source: BleepingComputer
(Published: 3 October 2025)
Oracle has released emergency patches for a zero-day vulnerability in its EBS software suite that was being actively exploited by Clop ransomware actors in data theft campaigns. Read more.


Klopatra: Exposing a new Android banking Trojan operation with roots in Turkey

Source: Cleafy Labs
(Published: 30 September 2025)
A previously undocumented Android banking trojan called Klopatra has compromised over 3,000 devices, leveraging hidden VNC and overlay techniques to conduct fraudulent transactions. Read more.


Yurei Ransomware: The Digital Ghost

Source: Cyfirma
(Published: 1 October 2025)
The Yurei ransomware is unique in its modular architecture and stealthy data-exfiltration staging ahead of encryption. Read more.


Revisiting WarmCookie: Memory-Based Cookie Abuse Techniques

Source: Elastic Security Labs
(Published: 2 October 2025)
Elastic’s security labs analyzed “WarmCookie,” a technique that abuses in-memory cookie structures to facilitate stealthy session hijacking. Read more.


USD 439 Million Recovered in Global Financial Crime Operation

Source: INTERPOL
(Published: 2 October 2025)
INTERPOL announced the recovery of USD 439 million following coordinated takedowns of transnational financial crime networks. Read more.


Red Hat confirms major data breach

Source: The Cyber Security Hub / LinkedIn
(Published: 3 October 2025)
Red Hat has acknowledged a data breach affecting its infrastructure, exposing internal systems and potentially impacting enterprise customers. Read more.


XCSSET evolves again: analyzing the latest updates to XCSSET’s inventory

Source: Microsoft Security Blog
(Published: 25 September 2025)
Microsoft details the latest evolutions of the XCSSET iOS/macOS malware family, tracking new features and command modules. Read more.


Persistent malicious targeting of Cisco devices

Source: UK National Cyber Security Centre (NCSC)
(Published: 4 October 2025)
The UK NCSC warns of ongoing campaigns targeting Cisco network gear, including VPNs and switches, seeking to exploit known vulnerabilities. Read more.


RedNovember targets government, defense, and technology organizations

Source: Recorded Future
(Published: 4 October 2025)
The RedNovember campaign focuses on intelligence collection, using custom backdoors to infiltrate national governments and defense contractors. Read more.


LameHug: AI-Driven Malware & LLM Cyber Intrusion Analysis

Source: Splunk Security Blog
(Published: 4 October 2025)
Splunk researchers explore “LameHug,” a proof-of-concept malware that uses large language models to adapt actions based on environment feedback. Read more.


Self-propagating malware spreads via WhatsApp

Source: Trend Micro Research
(Published: 5 October 2025)
A new self-propagating worm exploits WhatsApp forwarding mechanics to spread, bypassing typical app store oversight. Read more.


US Secret Service blocks massive telecom attack in New York

Source: Trustwave SpiderLabs Blog
(Published: 5 October 2025)
The U.S. Secret Service intervened to disrupt a large-scale telecom infrastructure attack in New York orchestrated by a state-aligned actor. Read more.


Salesforce leak, extortion attempts tied to Scattered / Lapsus Hunters

Source: UpGuard Blog
(Published: 6 October 2025)
UpGuard discloses a data leak and ongoing extortion campaign from the group “Scattered / Lapsus Hunters,” with exposed Salesforce credentials circulating online. Read more.


Security Signals (09/09/25 – 09/23/25)


This Edition’s Articles

Analysis of Backdoor.WIN32.Buterat

Source: Point Wild
(Published: 9 September 2025)
Backdoor malware is a covert type of malicious software designed to bypass standard authentication mechanisms and provide persistent, unauthorized access to compromised systems. Read more.


Threat Actor Accidentally Exposes AI-Powered Operations

Source: Infosecurity Magazine
(Published: 9 September 2025)
A threat actor has unintentionally revealed their methods and day-to-day activities after installing Huntress security software on their own environment. Read more.


AsyncRAT in Action: Fileless Malware Techniques and Analysis of a Remote Access Trojan

Source: LevelBlue
(Published: 10 September 2025)
Fileless malware continues to evade modern defenses due to its stealthy nature and reliance on legitimate system tools for execution. Read more.


New FileFix Campaign Goes Beyond PoC and Leverages Steganography

Source: Acronis / Tru
(Published: 10 September 2025)
Acronis Threat Research has observed a new FileFix campaign that uses steganographic embedding of payloads to evade detection. Read more.


Uncloaking TA415: China-Aligned Actor Conducts US-China Economic Relations Attacks

Source: Proofpoint
(Published: 11 September 2025)
Proofpoint has published findings on TA415, a China-aligned threat actor, revealing operations targeting US–China economic relations. Read more.


Threat Spotlight: ShinyHunters Data Breach Targets Salesforce Amid Scattered Spider Collaboration

Source: ReliaQuest
(Published: 11 September 2025)
ReliaQuest has observed a coordinated campaign where ShinyHunters collaborated with Scattered Spider to breach Salesforce environments. Read more.


Yurei & The Ghost of Open Source Ransomware

Source: Check Point Research
(Published: 12 September 2025)
First observed on September 5, Yurei is a newly emerged ransomware group that targeted a Sri Lankan food manufacturing company as its first leaked victim. Read more.


Modified ZLoader Variants & Updates Analyzed

Source: Zscaler
(Published: 15 September 2025)
Zscaler ThreatLabz has published new technical findings on recent updates and modifications to the ZLoader malware family. Read more.


Supporting Rowhammer Research to Understand Vulnerabilities in Memory Hardware

Source: Google Security Blog
(Published: 16 September 2025)
Google researchers detail new findings on Rowhammer and how fundamental memory hardware vulnerabilities can be further studied. Read more.


EggStreme Malware: Unpacking a New APT Framework Targeting a Philippine Military Company

Source: Bitdefender
(Published: 17 September 2025)
This report analyzes a sophisticated cyber-attack targeting a military company based in the Philippines, which led to the discovery of a new and advanced malware toolset. Read more.


HIVE0154 Drops Updated ToneShell Backdoor

Source: IBM X-Force
(Published: 17 September 2025)
IBM X-Force has uncovered HIVE0154, a threat actor deploying updated ToneShell backdoor variants in the wild. Read more.


ShadowV2: An Emerging DDoS-for-Hire Botnet

Source: Darktrace
(Published: 18 September 2025)
Darktrace reports on ShadowV2, a botnet-as-a-service model built for DDoS operations and evolving evasion tactics. Read more.


How Attackers Abuse ScreenConnect and Open Directories (AsyncRAT Campaigns Uncovered)

Source: Hunt.io
(Published: 18 September 2025)
Research shows how attackers are abusing ScreenConnect installers hosted in open directories to deliver AsyncRAT payloads. Read more.


Modus Operandi of “Subtle Snail” Threat Group

Source: Prodaft / Catalyst
(Published: 19 September 2025)
Prodaft’s Catalyst team describes the TTPs, infrastructure, and attack cycles of the Subtle Snail threat group. Read more.


Inside China’s Surveillance and Propaganda Industries: Where Profit Meets Party

Source: The Diplomat
(Published: 21 September 2025)
The Diplomat explores how China monetizes surveillance and propaganda within its media, tech, and security sectors. Read more.


Cybersecurity Incident at European Airports Caused by Ransomware

Source: SCWorld
(Published: 22 September 2025)
Several European airports have reported system outages traced to a ransomware attack affecting operational systems. Read more.


MalTerminal: An LLM-Enabled Malware Pioneer Exposed

Source: SecurityAffairs
(Published: 23 September 2025)
SecurityAffairs researchers have published a deep dive on MalTerminal, a new malware leveraging large language models to aid operators. Read more.


Technical Analysis of kkRAT

Source: Zscaler (ThreatLabz)
(Published: 10 September 2025)
Zscaler ThreatLabz has identified a malware campaign targeting Chinese-speaking users, active since early May 2025. Read more.


ChillyHell – a modular macOS backdoor

Source: Jamf Threat Labs
(Published: 8 September 2025)
During routine sample analysis, Jamf Threat Labs discovered a macOS backdoor showing a distinctive approach to process reconnaissance. Read more.


Uncloaking VoidProxy: a Novel and Evasive Phishing-as-a-Service Framework

Source: Okta Security
(Published: 11 September 2025)
Okta Threat Intelligence details a previously unreported Phishing-as-a-Service operation dubbed VoidProxy. Read more.


Introducing HybridPetya: Petya/NotPetya copycat with UEFI Secure Boot bypass

Source: ESET / WeLiveSecurity
(Published: 12 September 2025)
ESET Research has discovered HybridPetya on VirusTotal, showing traits reminiscent of Petya/NotPetya with a Secure Boot bypass. Read more.


Inside Maranhão Stealer: Node.js-Powered InfoStealer

Source: Cyble
(Published: 15 September 2025)
Cyble Research & Intelligence Labs detail a Node.js-based infostealer leveraging reflective DLL injection techniques. Read more.


Dark Web Profile: BQTLock Ransomware

Source: SOCRadar
(Published: 12 September 2025)
BQTLock is a RaaS that has drawn attention for disruptive operations and distinctive methods. Read more.


Threat Spotlight: Attackers Exploit Axios for Automated Phishing

Source: ReliaQuest
(Published: 9 September 2025)
ReliaQuest observed surges in stolen credentials linked to mass-automated phishing using the Axios user agent. Read more.


Going Underground: China-Aligned TA415 Conducts US-China Economic Relations Operations

Source: Proofpoint
(Published: 11 September 2025)
Proofpoint details TA415 campaigns aligned to US-China economic relations themes. Read more.


Threat Spotlight: ShinyHunters Data Breach Targets Salesforce Amid Scattered Spider Collaboration

Source: ReliaQuest
(Published: 11 September 2025)
ReliaQuest reports ShinyHunters collaborating with Scattered Spider against Salesforce targets. Read more.


China-Linked APT41 Hackers Target US Government Agencies

Source: The Hacker News
(Published: 12 September 2025)
APT41, a China-linked group, has been observed targeting US agencies through credential theft and phishing. Read more.


KILLSEC Ransomware Is Attacking Healthcare Institutions in Brazil

Source: ReSecurity
(Published: 12 September 2025)
ReSecurity tracks KILLSEC ransomware activity against Brazilian healthcare institutions. Read more.


In-Depth Analysis of the “APT Down” – The North Korea Files Leak

Source: ENKI
(Published: September 2025)
ENKI provides an in-depth analysis related to the so-called North Korea Files leak, examining potential APT ties. Read more.


Inside the Lighthouse and Lucid PhaaS Campaigns Targeting 316 Global Brands

Source: Netcraft
(Published: 17 September 2025)
Netcraft examines Lighthouse and Lucid phishing-as-a-service operations observed targeting hundreds of brands worldwide. Read more.



Security Signals (08/26/25 – 09/09/25)


This Edition’s Articles

Countering China State Actors Compromise of Networks

Source: U.S. Department of Defense
(Published: September 2025)
People’s Republic of China (PRC) state-sponsored cyber threat actors are targeting networks globally, including, but not limited to, telecommunications, government, transportation, lodging, and military infrastructure networks. Read more.


Widespread Data Theft Targets Salesforce Instances via Salesloft Drift

Source: Google Cloud Blog
(Published: 26 August 2025)
Google Threat Intelligence Group is issuing an advisory to alert organizations about a widespread data theft campaign carried out by the actor tracked as UNC6395. Read more.


Velociraptor incident response tool abused for remote access

Source: Sophos News
(Published: 26 August 2025)
In August 2025, Counter Threat Unit researchers investigated an intrusion that involved deployment of the legitimate open-source Velociraptor digital forensics and incident response tool. Read more.


Breaking Down Mustang Panda Windows Endpoint Campaign

Source: Picus Security
(Published: 26 August 2025)
Researchers detail a Mustang Panda campaign that targets Windows endpoints with phishing and DLL sideloading to gain persistence. Read more.


TAG-144’s Persistent Grip On South American Organizations

Source: Recorded Future
(Published: 26 August 2025)
Insikt Group assesses that TAG-144 continues persistent intrusions in South America using credential theft and backdoors. Read more.


Malvertising Campaign On Meta Expands To A Wider Target Base, Pushing Advanced Crypto-Stealing Malware To Users Worldwide

Source: Bitdefender Labs
(Published: 26 August 2025)
Bitdefender observed a global malvertising wave across Meta platforms that delivers advanced crypto-stealing malware. Read more.


Storm-0501’s evolving techniques lead to cloud-based ransomware

Source: Microsoft Security Blog
(Published: 27 August 2025)
Microsoft Threat Intelligence has observed financially motivated threat actor Storm-0501 continuously evolving their campaigns to focus on cloud-based tactics, techniques, and procedures. Read more.


AI-Powered Ransomware Has Arrived With ‘PromptLock’

Source: Dark Reading
(Published: 27 August 2025)
It was probably inevitable – analysts have spotted the first known ransomware strain powered by artificial intelligence. Read more.


Tamperedchef – The Bad PDF Editor

Source: Truesec
(Published: 27 August 2025)
Truesec describes a large malvertising campaign luring victims into downloading a trojanized PDF editor that steals data. Read more.


MystRodX: A Covert Dual-Mode Backdoor

Source: XLab
(Published: 27 August 2025)
MystRodX is a typical backdoor implemented in C++, supporting features like file management, port forwarding, reverse shell, and socket management. Read more.


Malicious ScreenConnect Campaign Abuses AI-Themed Lures For XWorm Delivery

Source: Trustwave SpiderLabs
(Published: 27 August 2025)
Investigators uncovered a campaign that used fake AI content to trick users into running a preconfigured ScreenConnect installer that dropped XWorm. Read more.


From Threat To Test: Emulating Scattered Spider In Realistic Scenarios

Source: Lares Labs
(Published: 27 August 2025)
Read more.


ShadowSilk: A Cross-Border Binary Union For Data Theft

Source: Group-IB
(Published: 27 August 2025)
Read more.


Chasing the Silver Fox: Cat & Mouse in Kernel Shadows

Source: Check Point Research
(Published: 28 August 2025)
While Microsoft Windows has steadily strengthened its security model, threat actors have adapted by exploiting lower-level weaknesses that bypass these protections without triggering defenses. Read more.


Amazon disrupts watering hole campaign by Russia’s APT29

Source: AWS Security Blog
(Published: 29 August 2025)
Amazon’s threat intelligence team identified and disrupted a watering hole campaign conducted by APT29 using compromised websites to redirect visitors to malicious infrastructure. Read more.


How Attackers Adapt To Built-In macOS Protection

Source: Securelist (Kaspersky)
(Published: 29 August 2025)
Read more.


Sindoor Dropper – New Phishing Campaign

Source: Nextron Systems
(Published: 29 August 2025)
Nextron documents a new phishing wave that delivers a lightweight dropper dubbed Sindoor. Read more.


Experts Warn Of Actively Exploited FreePBX Zero-Day

Source: Security Affairs
(Published: 29 August 2025)
Researchers warn that a FreePBX zero-day is being exploited in the wild against Internet-exposed systems. Read more.


Hackers Use New HexStrike AI Tool To Rapidly Exploit N-Day Flaws

Source: BleepingComputer
(Published: 29 August 2025)
Threat actors are adopting an AI tool named HexStrike to accelerate exploitation of known vulnerabilities. Read more.


Salesloft Drift Breach: GitHub Compromise and OAuth Tokens

Source: Hackread
(Published: 07 September 2025)
Heard about the recent data breaches where attackers used the Salesloft Drift application to access Salesforce data? There’s now a major update. Read more.


Feds Seize Veriftools.net, Relaunch Veriftools.com

Source: Hackread
(Published: 31 August 2025)
U.S. authorities seized Veriftools.net and the operators relaunched the service at a new domain. Read more.


WhatsApp Fixes A Serious Vulnerability Used In Targeted Attacks

Source: BetaNews
(Published: 01 September 2025)
WhatsApp patched a high severity flaw that was reportedly used in targeted attacks. Read more.


Three Lazarus RATs Coming For Your Cheese

Source: Fox-IT
(Published: 01 September 2025)
Fox-IT describes three Lazarus remote access trojans and their tooling used against organizations. Read more.


RapperBot: From Infection to DDoS in a Split Second

Source: Bitsight
(Published: 02 September 2025)
It was just another day at the office – a routine observation led to an investigation into RapperBot activity that quickly escalated from infection to DDoS. Read more.


Predators for Hire: A Global Overview of Commercial Surveillance Vendors

Source: Sekoia.io Blog
(Published: 02 September 2025)
Between November 2023 and July 2024, the Russia-nexus intrusion set APT29 was observed using exploits similar to those used by commercial surveillance vendors, particularly Intellexa’s Predator spyware. Read more.


Google Salesforce Breach: A Deep Dive Into The Chain And Extent Of The Compromise

Source: Seqrite
(Published: 02 September 2025)
The blog analyzes how UNC6040 used vishing and OAuth app abuse to access Google’s Salesforce instance and exfiltrate data. Read more.


Not Safe For Work: Tracking And Investigating Stealerium And Phantom Infostealers

Source: Proofpoint
(Published: 03 September 2025)
Proofpoint tracks Stealerium and Phantom operations and shares techniques, tooling, and indicators. Read more.


Analyzing NotDoor: Inside APT28’s Expanding Arsenal

Source: LAB52 (S2 Grupo)
(Published: 03 September 2025)
LAB52 identified a new Outlook backdoor attributed to APT28 that can monitor for trigger words and exfiltrate data while executing attacker commands. Read more.


Interview #7 Cyber Toufan

Source: deepdarkCTI
(Published: 03 September 2025)
Read more.


Cato CTRL Threat Research: Threat Actors Abuse Simplified AI to Steal Microsoft 365 Credentials

Source: Cato Networks
(Published: 04 September 2025)
AI marketing platforms have exploded in popularity, becoming everyday tools for creative teams in enterprises worldwide. Read more.


GhostRedirector poisons Windows servers: Backdoors with a side of Potatoes

Source: ESET WeLiveSecurity
(Published: 04 September 2025)
ESET researchers identified a new threat actor, GhostRedirector, that compromised at least 65 Windows servers mainly in Brazil, Thailand, and Vietnam. Read more.


Operation BarrelFire: NoisyBear targets entities linked to Kazakhstan’s Oil & Gas Sector

Source: Seqrite
(Published: 04 September 2025)
Seqrite Labs’ APT team has been tracking a new threat group, which it tracks as NoisyBear, since April 2025; the group targets entities in Central Asia’s energy sector. Read more.


Threat Actors Impersonate Microsoft Teams To Deliver Odyssey macOS Stealer Via Clickfix

Source: CloudSEK
(Published: 05 September 2025)
CloudSEK describes a fake Microsoft Teams download site that executes a base64-encoded AppleScript to install the Odyssey macOS stealer. Read more.


Salt Typhoon 2025

Source: Silent Push
(Published: 08 September 2025)
Silent Push has identified dozens of previously unreported domains used by the Chinese APT group Salt Typhoon, all aimed at obtaining long-term, stealthy access to targeted organizations. Read more.


Scattered Lapsus Hunters Leak Google Fire Experts Data

Source: Hackread
(Published: 04 September 2025)
Scattered Lapsus$ Hunters threaten Google, demanding that two security experts, one from Google’s Threat Intelligence Group and the other from Mandiant, be fired or they will leak alleged stolen Google data. Read more.


Unmasking The Gentlemen Ransomware: Tactics, Techniques, And Procedures

Source: Trend Micro Research
(Published: 09 September 2025)
Trend Micro profiles the Gentlemen ransomware group, highlighting environment-specific evasion and abuse of legitimate tools. Read more.


Blurring The Lines: Intrusion Shows Connection With Three Major Ransomware Gangs

Source: RedPacket Security
(Published: 09 September 2025)
A DFIR case links tooling and artifacts across Play, RansomHub, and DragonForce ransomware activity. Read more.


Pondering My Orb: A Look at PolarEdge Adjacent Infrastructure

Source: Censys
(Published: 28 August 2025)
We explore several services and certificates that frequently accompany verified PolarEdge botnet certificates. Read more.


TinyLoader Malware Cryptocurrency Theft Infrastructure

Source: Hunt.io
(Published: 02 September 2025)
Malware loaders have become a common part of today’s cybercrime operations because they give attackers a reliable way to get into systems and then bring in whatever tools they need. Read more.


Unveiling a Python Stealer: Inf0s3c Stealer

Source: Cyfirma
(Published: 29 August 2025)
Cyfirma’s threat intelligence assessment reveals Inf0s3c Stealer, a Python-based grabber designed to collect system information and user data. Read more.


Unmasked: Salat Stealer – A Deep Dive into its Advanced Persistence Mechanisms and C2 Infrastructure

Source: Cyfirma
(Published: 05 September 2025)
CYFIRMA has identified Salat Stealer (also known as WEB_RAT), a sophisticated Go-based infostealer targeting Windows systems. Read more.


Operation Hankook: Phantom North Korean APT37 Targeting South Korea

Source: Seqrite
(Published: 29 August 2025)
Seqrite Labs has uncovered a campaign in which threat actors use the “National Intelligence Research Society Newsletter – Issue 52” as a decoy document to lure victims. Read more.


Suspicious Domain Activity Targeting 2026 FIFA World Cup Tournament

Source: Bfore.ai
(Published: August 2025)
In the lead-up to major global events, cybercriminals are quick to launch fraudulent schemes like fake websites and counterfeit online stores. Read more.


Scattered Spider Overview

Source: Lares Labs
(Published: 27 August 2025)
At Lares, we specialize in threat simulation and adversarial collaboration with our clients, replicating the tactics, techniques, and procedures (TTPs) observed in the latest cybercriminal groups. Read more.


Want more articles? Check out the previous edition of Security Signals here. Want to dive deeper into DDoS attacks? Check out the Malware Patrol blog post: Spoofed DDoS Attacks and BCP 38.


Security Signals (08/12/25 – 08/26/25)


This Edition’s Articles

Coordinated Brute Force Campaign Targets Fortinet SSL VPNs

Source: GreyNoise
(Published: 12 August 2025)
On August 3, 2025, GreyNoise observed a significant spike in brute-force traffic targeting Fortinet SSL VPNs. Read more.


Persistent Risk: XZ Utils Backdoor Still Lurking in Docker Images

Source: Binarly
(Published: 12 August 2025)
In this blog we share a new finding in the XZ Utils saga: several Docker images built around the time of the compromise contain the backdoor. Read more.


Malvertising campaign leads to PS1Bot, a multi-stage malware framework

Source: Cisco Talos
(Published: 12 August 2025)
Cisco Talos has observed an ongoing malware campaign that seeks to infect victims with a multi-stage malware framework implemented in PowerShell and C#. Read more.


Threat Bulletin: Fire in the Woods – A New Variant of FireWood

Source: Intezer
(Published: 13 August 2025)
FireWood is a Linux backdoor discovered by ESET’s research team. Read more.


‘Blue Locker’ Analysis: Ransomware Targeting Oil and Gas Sector in Pakistan

Source: Resecurity
(Published: 14 August 2025)
This ransomware attack targeted a major enterprise in Pakistan’s oil and gas sector around the country’s Independence Day. Read more.


PhantomCard: New NFC-driven Android malware emerging in Brazil

Source: ThreatFabric
(Published: 14 August 2025)
We introduce PhantomCard, a new Android NFC-based trojan targeting banking customers in Brazil and potentially expanding globally. Read more.


CISA Warns of Attacks Exploiting N-able Vulnerabilities

Source: SecurityWeek
(Published: 14 August 2025)
CISA reported becoming aware of attacks exploiting CVE-2025-8875 and CVE-2025-8876 in N-able N-central on the day they were patched. Read more.


Ghost-Tapping and the Chinese Cybercriminal Retail Fraud Ecosystem

Source: Recorded Future
(Published: 14 August 2025)
We observed criminals buying and selling stolen goods on Telegram marketplaces such as Huione Guarantee and Xinbi Guarantee. Read more.


Cisco Discloses Critical RCE Flaw in Firewall Management Software

Source: Infosecurity Magazine
(Published: 15 August 2025)
Cisco revealed a critical RCE flaw tracked as CVE-2025-20265 and urged customers to apply software updates. Read more.


BlackMatter Ransomware Overview

Source: ANY.RUN
(Published: 18 August 2025)
BlackMatter is a fast-moving ransomware strain that encrypts local and network data, disables recovery mechanisms, and forces organizations to negotiate. Read more.


Apache ActiveMQ attackers patch critical vuln after breaking in

Source: The Register
(Published: 19 August 2025)
Criminals exploiting a critical ActiveMQ vulnerability fixed the flaw post-intrusion to help hide persistence on Linux servers. Read more.


Oregon Man Charged with Administering “Rapper Bot” DDoS-for-Hire Botnet

Source: U.S. Department of Justice (USAO-AK)
(Published: 19 August 2025)
An Oregon man was charged in Alaska for allegedly developing and administering the “Rapper Bot” DDoS-for-hire botnet. Read more.


New Research Links VPN Apps, Highlights Security Deficiencies

Source: SecurityWeek
(Published: 19 August 2025)
Citizen Lab identified links between multiple VPN providers and multiple weaknesses in their mobile apps. Read more.


A Cereal Offender: Analyzing the CORNFLAKE.V3 Backdoor

Source: Google Cloud Blog (Threat Intelligence)
(Published: 20 August 2025)
Mandiant detailed a campaign where a downloader delivers CORNFLAKE.V3 malware as part of financially motivated operations. Read more.


Your Connection, Their Cash: Threat Actors Misuse SDKs to Sell Your Bandwidth

Source: Unit 42 (Palo Alto Networks)
(Published: 21 August 2025)
Unit 42 observed attackers exploiting CVE-2024-36401 to deploy SDKs or modified apps that monetize victims’ bandwidth via network sharing. Read more.


Fake macOS help sites push Shamos infostealer via ClickFix technique

Source: Help Net Security
(Published: 25 August 2025)
Criminals are tricking macOS users into running commands that install the Shamos infostealer, using a social engineering tactic known as ClickFix. Read more.

