Cybersecurity by no means slows down. Each week brings new threats, new vulnerabilities, and new classes for defenders. For safety and IT groups, the problem isn’t just maintaining with the information—it is figuring out which dangers matter most proper now. That is what this digest is right here for: a transparent, easy briefing that will help you focus the place it counts.
This week, one story stands out above the remaining: the Salesloft–Drift breach, the place attackers stole OAuth tokens and accessed Salesforce information from a few of the greatest names in tech. It is a sharp reminder of how fragile integrations can turn out to be the weak hyperlink in enterprise defenses.
Alongside this, we’ll additionally stroll by means of a number of high-risk CVEs beneath lively exploitation, the newest strikes by superior risk actors, and contemporary insights on making safety workflows smarter, not noisier. Every part is designed to provide the necessities—sufficient to remain knowledgeable and ready, with out getting misplaced within the noise.
⚡ Menace of the Week
Salesloft to Take Drift Offline Amid Safety Incident — Salesloft introduced that it is taking Drift briefly offline “within the very close to future,” as a number of corporations have been caught up in a far-reaching provide chain assault spree focusing on the advertising and marketing software-as-a-service product, ensuing within the mass theft of authentication tokens. “It will present the quickest path ahead to comprehensively overview the applying and construct further resiliency and safety within the system to return the applying to full performance,” the corporate mentioned. “Consequently, the Drift chatbot on buyer web sites is not going to be obtainable, and Drift is not going to be accessible. Up to now, Cloudflare, Google Workspace, PagerDuty, Palo Alto Networks, Proofpoint, SpyCloud, Tanium, Tenable, and Zscaler have confirmed they have been impacted by the hack. The exercise has been attributed to a risk cluster tracked by Google and Cloudflare as UNC6395 and GRUB1, respectively.
🔔 High Information
Sitecore Flaw Beneath Lively Exploitation within the Wild — Unknown miscreants are exploiting a configuration vulnerability in a number of Sitecore merchandise to realize distant code execution by way of a publicly uncovered key and deploy snooping malware on contaminated machines. The ViewState deserialization vulnerability, CVE-2025-53690, has been used to deploy malware and extra tooling geared towards inside reconnaissance and persistence throughout a number of compromised environments. The attackers focused the “/sitecore/blocked.aspx” endpoint, which incorporates an unauthenticated ViewState kind, with HTTP POST requests containing a crafted ViewState payload. Mandiant mentioned it disrupted the intrusion halfway, which prevented it from gaining additional insights into the assault lifecycle and figuring out the attackers’ motivations.
Russian APT28 Deploys “NotDoor” Outlook Backdoor — The Russian state-sponsored hacking group tracked as APT28 has been attributed to a brand new Microsoft Outlook backdoor referred to as NotDoor (aka GONEPOSTAL) in assaults focusing on a number of corporations from completely different sectors in NATO member international locations. NotDoor “is a VBA macro for Outlook designed to watch incoming emails for a selected set off phrase,” S2 Grupo’s LAB52 risk intelligence staff mentioned. “When such an e-mail is detected, it allows an attacker to exfiltrate information, add information, and execute instructions on the sufferer’s laptop.”
New GhostRedirector Actor Hacks 65 Home windows Servers in Brazil, Thailand, and Vietnam — A beforehand undocumented risk cluster dubbed GhostRedirector has managed to compromise at the very least 65 Home windows servers primarily positioned in Brazil, Thailand, and Vietnam. The assaults, per Slovak cybersecurity firm ESET, led to the deployment of a passive C++ backdoor referred to as Rungan and a local Web Data Providers (IIS) module codenamed Gamshen. The risk actor is believed to be lively since at the very least August 2024. “Whereas Rungan has the aptitude of executing instructions on a compromised server, the aim of Gamshen is to offer search engine optimisation fraud as-a-service, i.e., to govern search engine outcomes, boosting the web page rating of a configured goal web site,” the corporate mentioned.
Google Fixes 2 Actively Exploited Android Flaws — Google has shipped safety updates to handle 120 safety flaws in its Android working system as a part of its month-to-month fixes for September 2025, together with two points that it mentioned have been exploited in focused assaults. One in every of them, CVE-2025-38352, is a privilege escalation vulnerability within the upstream Linux Kernel element. The second shortcoming is a privilege escalation flaw in Android Runtime (CVE-2025-48543). Benoît Sevens of Google’s Menace Evaluation Group (TAG) has been credited with discovering and reporting the upstream Linux Kernel flaw, suggesting that it might have been abused as a part of focused spy ware assaults.
Menace Actors Declare to Weaponize HexStrike AI in Actual-World Assaults — Menace actors are trying to leverage a newly launched synthetic intelligence (AI) offensive safety device referred to as HexStrike AI to use not too long ago disclosed safety flaws. “This marks a pivotal second: a device designed to strengthen defenses has been claimed to be quickly repurposed into an engine for exploitation, crystallizing earlier ideas right into a broadly obtainable platform driving real-world assaults,” Examine Level mentioned.
Iranian Hackers Linked to Assaults Focusing on European Embassies — An Iran-nexus group carried out a “coordinated” and “multi-wave” spear-phishing marketing campaign focusing on the embassies and consulates in Europe and different areas internationally. The exercise has been attributed by Israeli cybersecurity firm Dream to Iranian-aligned operators linked to broader offensive cyber exercise undertaken by a bunch often known as Homeland Justice. “Emails have been despatched to a number of authorities recipients worldwide, disguising reputable diplomatic communication,” the corporate mentioned. “Proof factors towards a broader regional espionage effort geared toward diplomatic and governmental entities throughout a time of heightened geopolitical stress.”
🔥 Trending CVEs
Hackers transfer quick — typically exploiting new flaws inside hours. A missed replace or a single unpatched CVE can open the door to severe injury. Listed here are this week’s high-risk vulnerabilities making headlines. Overview, patch rapidly, and keep forward.
This week’s checklist contains — CVE-2025-53690 (SiteCore), CVE-2025-42957 (SAP S/4HANA), CVE-2025-9377 (TP-Hyperlink Archer C7(EU) V2 and TL-WR841N/ND(MS) V9), CVE-2025-38352 (Linux Kernel/Google Android), CVE-2025-48543 (Google Android), CVE-2025-29927 (Subsequent.js), CVE-2025-52856, CVE-2025-52861 (QNAP QVR), CVE-2025-0309 (Netskope Shopper for Home windows), CVE-2025-21483, CVE-2025-27034 (Qualcomm), CVE-2025-6203 (HashiCorp Vault), CVE-2025-58161 (MobSF), CVE-2025-5931 (Dokan Professional plugin), CVE-2025-53772 (Internet Deploy), CVE-2025-9864 (Google Chrome), CVE-2025-9696 (SunPower PVS6), CVE-2025-57833 (Django), CVE-2025-24204 (Apple macOS), CVE-2025-55305 (Electron framework), CVE-2025-53149 (Microsoft Kernel Streaming WOW Thunk Service Driver), CVE-2025-6519, CVE-2025-52549, CVE-2025-52548 (Copeland E2 and E3), CVE-2025-58782 (Apache Jackrabbit), CVE-2025-55190 (Argo CD), CVE-2025-1079, CVE-2025-4613, and a client-side distant code execution (no CVE) (Google Internet Designer).
📰 Across the Cyber World
New AI Waifu RAT Disclosed — Cybersecurity researchers have found a potent Home windows-based distant entry trojan (RAT) referred to as AI Waifu RAT that makes use of the ability of a big language mannequin to cross instructions. “An area agent runs on the sufferer’s machine, listening for instructions on a hard and fast port,” a researcher by the identify ryingo mentioned. “These instructions, originating from the LLM, are handed by means of an online UI and despatched to the native agent as plaintext HTTP requests.” The malware particularly targets LLM role-playing communities, capitalizing on their curiosity within the expertise to supply AI characters the flexibility to learn native information for “personalised role-playing” and direct “Arbitrary Code Execution” capabilities.
DoJ: “Not all heroes put on capes. Some have YouTube channels” — The U.S. Division of Justice (DoJ) mentioned two YouTube channels named Scammer Payback and Trilogy Media performed a vital function in unmasking and figuring out members of a large rip-off community that stole greater than $65 million from senior residents. The 28 alleged members of the Chinese language organized crime ring allegedly used name facilities based mostly in India to name the aged, posing as authorities officers, financial institution staff, and tech help brokers. “As soon as linked, the scammers used scripted lies and psychological manipulation to realize the victims’ belief and sometimes distant entry to their computer systems,” the DoJ mentioned. “The most typical scheme concerned convincing victims that they had acquired a mistaken refund and pressuring – or threatening – them to return the supposed extra funds by way of wire switch, money, or present playing cards.” These sending money have been instructed to make use of in a single day or specific couriers, addressing packages to pretend names tied to false IDs. These have been despatched to short-term leases within the U.S. utilized by conspirators, together with the indicted defendants, to gather the fraud proceeds. The community has operated out of Southern California since 2019.
Evaluation of BadSuccessor Patch — Microsoft, as a part of its August 2025 Patch Tuesday replace, addressed a safety flaw referred to as BadSuccessor (CVE-2025-53779) that abused a loophole in dMSA, inflicting the Key Distribution Heart (KDC) to deal with a dMSA linked to any account in Lively Listing because the successor throughout authentication. Consequently, an attacker might create a dMSA in an Organizational Unit (OU) and hyperlink it to any goal — even area controllers, Area Admins, Protected Customers, or accounts marked “delicate and can’t be delegated” – and compromise them. An evaluation of the patch has revealed that patch enforcement was carried out within the KDC’s validation. “The attribute can nonetheless be written, however the KDC will not honor it except the pairing seems like a reputable migration,” Akamai safety researcher Yuval Gordon mentioned. “Though the vulnerability might be patched, BadSuccessor nonetheless lives on as a way; that’s, the KDC’s verification removes the pre-patch escalation path, however does not mitigate your complete drawback. As a result of the patch did not introduce any safety to the hyperlink attribute, an attacker can nonetheless inherit one other account by linking a managed dMSA and a goal account.”
Phishers Pivot to Ramp and Dump Scheme — Cybercriminal teams promoting subtle phishing kits that convert stolen card information into cellular wallets have shifted their focus to focusing on prospects of brokerage providers and utilizing compromised brokerage accounts to govern the costs of overseas shares as a part of what’s referred to as a ramp and dump scheme.
In style C2 Frameworks Exploited by Menace Actors — Sliver, Havoc, Metasploit, Mythic, Brute Ratel C4, and Cobalt Strike (in that order) have emerged as probably the most often used command-and-control (C2) frameworks in malicious assaults in Q2 2025, per information from Kaspersky. “Attackers are more and more customizing their C2 brokers to automate malicious actions and hinder detection,” the corporate mentioned. The event got here as the bulk (53%) of attributed vulnerability exploits within the first half of 2025 have been carried out by state-sponsored actors for strategic, geopolitical functions, in response to Recorded Future’s Insikt Group. In all, 23,667 CVEs have been printed in H1 2025, a 16% enhance in comparison with H1 2024. Attackers actively exploited 161 vulnerabilities, and 42% of these exploited flaws had public PoC exploits.
Faux PDF Converters Ship JSCoreRunner macOS Malware — Apps posing as PDF converters are getting used to ship malware referred to as JSCoreRunner. As soon as downloaded from websites like fileripple[.]com, the malware establishes connections with a distant server and hijacks a consumer’s Chrome browser by modifying its search engine settings to default to a fraudulent search supplier, thereby monitoring consumer searches and redirecting them to bogus websites, additional exposing them to information and monetary theft, per Mosyle. The assault unfolds over two phases: The preliminary package deal (whose signature has since been revoked by Apple), which deploys an unsigned secondary payload from the identical area that, in flip, executes the principle malicious payload.
Copeland Releases Fixes for Frostbyte10 Flaws — American tech firm Copeland has launched a firmware replace to repair ten vulnerabilities in Copeland E2 and E3 controllers. The chips are used to handle vitality effectivity inside HVAC and refrigeration programs. The ten vulnerabilities have been collectively named Frostbyte10. “The failings found might have allowed unauthorized actors to remotely manipulate parameters, disable programs, execute distant code, or achieve unauthorized entry to delicate operational information,” Armis mentioned. “When mixed and exploited, these vulnerabilities can lead to unauthenticated distant code execution with root privileges.” Essentially the most extreme of the issues is CVE-2025-6519, a case of a default admin consumer “ONEDAY” with a day by day generated password that may be predictably generated. In a hypothetical assault situation, an attacker might chain CVE-2025-6519 and CVE-2025-52549 with CVE-2025-52548, which may allow SSH and Shellinabox entry by way of a hidden API name, to facilitate distant execution of arbitrary instructions on the underlying working system.
Over 1,000 Ollama Servers Uncovered — A brand new examine from Cisco discovered over 1,100 uncovered Ollama servers, with roughly 20% actively internet hosting fashions vulnerable to unauthorized entry. Out of the 1,139 uncovered servers, 214 have been discovered to be actively internet hosting and responding to requests with reside fashions—accounting for about 18.8% of the whole scanned inhabitants, with Mistral and LLaMA representing probably the most often encountered deployments. The remaining 80% of detected servers, whereas reachable by way of unauthenticated interfaces, didn’t have any fashions instantiated. Though dormant, these servers stay vulnerable to exploitation by way of unauthorized mannequin uploads or configuration manipulation. The findings “spotlight the pressing want for safety baselines in LLM deployments and supply a sensible basis for future analysis into LLM risk floor monitoring,” the corporate mentioned.
Tycoon Phishing Package Evolves — The Tycoon phishing equipment has been up to date to help URL-encoding methods to cover malicious hyperlinks embedded in pretend voicemail messages to bypass e-mail safety checks. Attackers have additionally been noticed utilizing the Redundant Protocol Prefix approach for related causes. “This entails crafting a URL that’s solely partially hyperlinked or that incorporates invalid parts — similar to two ‘https’ or no ‘//’ — to cover the true vacation spot of the hyperlink whereas guaranteeing the lively half seems benign and legit and does not arouse suspicion amongst targets or their browser controls,” Barracuda mentioned. “One other trick is utilizing the ‘@’ image in an online handle. All the pieces earlier than the ‘@’ is handled as ‘consumer data’ by browsers, so attackers put one thing that appears respected and reliable on this half, similar to ‘office365.’ The hyperlink’s precise vacation spot comes after the ‘@.'”
U.S. State Division Provides As much as $10M for Russian Hackers — The U.S. Division of State is providing a bounty of as much as $10 million for data on three Russian Federal Safety Service (FSB) officers concerned in cyberattacks focusing on U.S. essential infrastructure organizations on behalf of the Russian authorities. The three people, Marat Valeryevich Tyukov, Mikhail Mikhailovich Gavrilov, and Pavel Aleksandrovich Akulov, are a part of the FSB’s Heart 16 or Navy Unit 71330, which is tracked as Berserk Bear, Blue Kraken, Crouching Yeti, Dragonfly, Koala Workforce, and Static Tundra. They’ve been accused of focusing on 500 vitality corporations in 135 international locations. In March 2022, the three FBS officers have been additionally charged for his or her involvement in a marketing campaign that passed off between 2012 and 2017, focusing on U.S. authorities businesses.
XWorm Malware Makes use of Sneaky Strategies to Evade Detection — A brand new XWorm malware marketing campaign is utilizing misleading and complicated strategies to evade detection and enhance the success fee of the malware. “The XWorm malware an infection chain has developed to incorporate further methods past conventional email-based assaults,” Trellix mentioned. “Whereas e-mail and .LNK information stay frequent preliminary entry vectors, XWorm now additionally leverages legitimate-looking .EXE filenames to disguise itself as innocent purposes, exploiting consumer and system belief.” The assault chain makes use of LNK information to provoke a posh an infection. Executing the .LNK triggers malicious PowerShell instructions that ship a .TXT file and obtain a deceptively-named binary referred to as “discord.exe.” The executable then drops “most important.exe” and “system32.exe,” with the latter being the XWorm malware payload. “Important.exe,” then again, is accountable for disabling the Home windows Firewall and checking for the presence of -third-party safety purposes. XWorm, in addition to meticulously conducting reconnaissance to amass a complete profile of the machine, runs anti-analysis checks to determine the presence of a virtualized surroundings, and, if that’s the case, ceases execution. It additionally incorporates backdoor performance by contacting an exterior server to execute instructions, shut down the system, obtain information, open URLs, and launch DDoS assaults. Latest campaigns distributing the malware by means of a brand new crypter-as-a-service providing often known as Ghost Crypt. “Ghost Crypt delivers a zipped archive to the sufferer containing a PDF Reader software, a DLL, and a PDF file,” Kroll mentioned. “When the consumer opens the PDF, the malicious DLL is side-loaded, initiating the malware execution.” The PDF Reader software is HaiHaiSoft PDF Reader, which is understood to have a DLL side-loading vulnerability, beforehand exploited to ship Remcos RAT, NodeStealer, and PureRAT.
2 E-Crime Teams Use Stealerium Stealer in New Campaigns — Two completely different cybercriminal teams, TA2715 and TA2536, each of which favored Snake Keylogger, have carried out phishing campaigns in Might 2025, delivering an open-source data stealer referred to as Stealerium (or variants of it). “The noticed emails impersonated many various organizations, together with charitable foundations, banks, courts, and doc providers, that are frequent themes in e-crime lures,” Proofpoint mentioned. “Topic traces sometimes conveyed urgency or monetary relevance, together with ‘Cost Due,’ ‘Court docket Summons,’ and ‘Donation Bill.'”
Czechia Points Warning Towards Chinese language Tech in Crucial Infrastructure — NÚKIB, the Czech Republic’s cybersecurity company, has issued a bulletin relating to the risk posed by expertise programs that switch information to, or are remotely managed from, China. “Present essential infrastructure programs are more and more depending on storing and processing information in cloud repositories and on community connectivity enabling distant operation and updates,” the company warned. “In follow, which means that expertise answer suppliers can considerably affect the operation of essential infrastructure and/or entry necessary information, making belief within the reliability of the supplier completely essential.”
Google Chrome 140 Beneficial properties Assist for Cookie Prefixes — Google has launched model 140 of its Chrome browser with help for a brand new safety function designed to guard server-set cookies from client-side modifications. Referred to as a cookie prefix, it entails including a chunk of textual content earlier than the names of a browser’s cookies. “In some instances, it is necessary to tell apart on the server facet between cookies set by the server and people set by the shopper. One such case entails cookies usually at all times set by the server,” Google mentioned. “Nevertheless, sudden code (similar to an XSS exploit, a malicious extension, or a commit from a confused developer) may set them on the shopper. This proposal provides a sign that lets servers make such a distinction. Extra particularly, it defines the __Http and __HostHttp prefixes, which guarantee a cookie isn’t set on the shopper facet utilizing script.”
New Ransomware Strains Detailed — A brand new ransomware group referred to as LunaLock has hacked an art-commissioning portal referred to as Artists&Shoppers and is extorting its homeowners and artists by threatening to submit the stolen paintings to coach synthetic intelligence (AI) fashions except it pays a $50,000 ransom. One other newly noticed ransomware crew is Obscura, which was first noticed by Huntress on August 29, 2025. The Go-based ransomware variant makes an attempt to terminate over 120 processes generally tied to safety instruments like Microsoft Defender, CrowdStrike, and SentinelOne.
E.U. Court docket Backs Information Switch Deal Agreed by U.S. and E.U. — The Normal Court docket of the Court docket of Justice of the European Union has dismissed a lawsuit that sought to annul the E.U. and U.S. Information Privateness Framework. The courtroom dominated that the brand new treaty and the US adequately safeguard the private information of E.U. residents. The lawsuit alleged that the U.S. Information Safety Overview Court docket (DPRC), which is housed contained in the Division of Justice and has been traditionally seen as a bulwark for checking U.S. information surveillance actions, isn’t sufficiently unbiased and doesn’t adequately protect Europeans from bulk information assortment by U.S. intelligence businesses.
Microsoft to Transfer to Part 2 of MFA Enforcement in October 2025 — Microsoft mentioned it has been imposing multi-factor authentication (MFA) for Azure Portal sign-ins throughout all tenants since March 2025. “We’re proud to announce that multi-factor enforcement for Azure Portal sign-ins was rolled out for 100% of Azure tenants in March 2025,” the corporate mentioned. “By imposing MFA for Azure sign-ins, we intention to offer you one of the best safety in opposition to cyber threats as a part of Microsoft’s dedication to enhancing safety for all prospects, taking one step nearer to a safer future.” The subsequent section of MFA requirement is scheduled to start out October 1, 2025, mandating using MFA for customers performing Azure useful resource administration operations by means of Azure Command-Line Interface (CLI), Azure PowerShell, Azure Cellular App, REST APIs, Azure Software program Growth Package (SDK) shopper libraries, and Infrastructure as Code (IaC) instruments.
Surge in Scanning Exercise Focusing on Cisco ASA — GreyNoise mentioned it detected two scanning surges in opposition to Cisco Adaptive Safety Equipment (ASA) gadgets on August 22 and 26, 2025, with the primary wave originating from over 25,100 IP addresses primarily positioned in Brazil, Argentina, and the U.S. The second spike repeated ASA probing, with subsets hitting each IOS Telnet/SSH and ASA software program personas. The exercise focused the U.S., the U.Okay., and Germany.
LinkedIn Expands Verification to Fight Job-Themed Scams — Microsoft-owned skilled social community unveiled new measures to strengthen belief and be sure that customers are interacting with individuals who “they are saying they’re.” This contains verified Premium Firm Pages, requiring recruiters to confirm their office on their profile, and office verification necessities for high-level titles similar to Govt Director, Managing Director, and Vice President to deal with impersonation. The adjustments are an effort to forestall scammers from posing as firm staff or recruiters and reaching out to potential targets with pretend job alternatives – a way pioneered by North Korean hackers.
Hotelier Accounts Focused in Malvertising and Phishing Marketing campaign — A big-scale phishing marketing campaign has impersonated at the very least 13 service suppliers focusing on accommodations and trip leases. “In these assaults, focused customers are lured to extremely misleading phishing websites utilizing malicious search engine ads, significantly sponsored adverts on platforms like Google Search,” Okta mentioned. “The assaults leverage convincing pretend login pages and social engineering techniques to bypass safety controls and exploit consumer belief.” It is assessed that the tip objective of the marketing campaign is to compromise accounts for cloud-based property administration and visitor messaging platforms.
DamageLib Emerges After XSS Discussion board Takedown — A brand new cybercrime discussion board referred to as DamageLib has grown dramatically, attracting over 33,000 customers following the arrest of XSS[.]is admin Toha again in July 2025. Whereas XSS stays on-line, speculations are abound that it might be a regulation enforcement honeypot, breeding distrust amongst cybercriminals. “Exploit discussion board site visitors surged nearly 24% in the course of the XSS turmoil as actors sought options, whereas XSS visits plummeted,” KELA mentioned. “As of August 27, 2025, DamageLib counted 33,487 customers — almost 66% of XSS’s 50,853 members. However engagement lagged: solely 248 threads and three,107 posts in its first month, in comparison with over 14,400 messages on XSS within the month earlier than the seizure.”
GhostAction Provide Chain Assault Steals 3,325 Secrets and techniques — An enormous provide chain assault dubbed GhostAction has allowed attackers to inject a malicious GitHub workflow named “Github Actions Safety” to exfiltrate 3,325 secrets and techniques, together with PyPI, npm, and DockerHub tokens by way of HTTP POST requests to a distant attacker-controlled endpoint (“bold-dhawan.45-139-104-115.plesk[.]web page”). The exercise affected 327 GitHub customers throughout 817 repositories.
New Marketing campaign Abuses Simplified AI to Steal Microsoft 365 Credentials — A brand new phishing marketing campaign has been noticed internet hosting pretend pages beneath the reputable Simplified AI area in a bid to evade detection and mix in with common enterprise site visitors. “By impersonating an govt from a worldwide pharmaceutical distributor, the risk actors delivered a password-protected PDF that appeared reputable,” Cato Networks mentioned. “As soon as opened, the file redirected the sufferer to Simplified AI’s web site, however as a substitute of producing content material, the location grew to become a launchpad to a pretend Microsoft 365 login portal designed to reap enterprise credentials.”
Japan, South Korea, and the U.S. Take Goal at North Korean IT Employee Rip-off — Japan, South Korea, and the U.S. joined fingers to struggle in opposition to the rising risk of North Korean risk actors posing as IT staff to embed themselves in organizations all through Asia and globally and generate income to fund its illegal weapons of mass destruction (WMD) and ballistic missile packages. “They make the most of current calls for for superior IT expertise to acquire freelance employment contracts from an increasing variety of goal purchasers all through the world, together with in North America, Europe, and East Asia,” the international locations mentioned in a joint assertion. “North Korean IT staff themselves are additionally extremely prone to be concerned in malicious cyber actions, significantly within the blockchain industries. Hiring, supporting, or outsourcing work to North Korean IT staff more and more poses severe dangers, starting from theft of mental property, information, and funds to reputational hurt and authorized penalties.”
New AI-Powered Android Vulnerability Discovery and Validation Device — Pc scientists affiliated with Nanjing College in China and The College of Sydney in Australia mentioned that they’ve developed an AI vulnerability identification system referred to as A2 that emulates the best way human bug hunters go about discovering flaws, marking a step ahead for automated safety evaluation. In response to the examine, A2 “validates Android vulnerabilities by means of two complementary phases: (i) Agentic Vulnerability Discovery, which causes about software safety by combining semantic understanding with conventional safety instruments; and (ii) Agentic Vulnerability Validation, which systematically validates vulnerabilities throughout Android’s multi-modal assault surface-UI interactions, inter-component communication, file system operations, and cryptographic computations.” A2 builds upon A1, an agentic system that transforms any LLM into an end-to-end exploit generator.
Spotify DM Function Carries Doxxing Dangers — Music streaming service Spotify, final month, introduced a brand new messaging function for sharing music with mates. However experiences at the moment are rising on Reddit that it is surfacing as “advised mates,” individuals with whom customers might have shared Spotify hyperlinks prior to now on different social media platforms, probably revealing their actual names within the course of. That is made attainable by the use of a singular “si” parameter in Spotify hyperlinks that serves as referral data.
Spear-Phishing Marketing campaign Targets C-Suite for Credential Theft — A complicated spear-phishing marketing campaign has focused senior staff, significantly these in C-Suite and management positions, to steal their credentials utilizing e-mail messages with salary-themed lures or pretend OneDrive document-sharing notifications. “Actors behind this marketing campaign are leveraging tailor-made emails that impersonate inside HR communications, by way of a shared doc in OneDrive, to trick recipients into getting into company credentials,” Stripe OLT mentioned. “Emails are despatched by way of Amazon Easy E mail Service (SES) infrastructure. The actor is rotating between many sending domains and subdomains to evade detection.” As many as 80 domains have been recognized as a part of this marketing campaign.
Attackers Try and Exploit WDAC Method — In December 2024, researchers Jonathan Beierle and Logan Goins demonstrated a novel approach that leverages a malicious Home windows Defender Software Management (WDAC) coverage to dam safety options similar to Endpoint Detection and Response (EDR) sensors following a system reboot utilizing a customized device codenamed Krueger. Since then, it has emerged that risk actors have integrated the tactic into their assault arsenal to disable safety options utilizing WDAC insurance policies. It has additionally led to the invention of a brand new malware pressure dubbed DreamDemon that makes use of WDAC to neutralize antivirus packages. It incorporates an embedded WDAC coverage, which is then dropped onto disk and hidden,” Beierle mentioned. “In sure instances, DreamDemon will even change the time that the coverage was created in an try to keep away from detection.”
New NBMiner Cryptojacking Malware Detected — Cybersecurity researchers have found a brand new marketing campaign that leverages a PowerShell script to drop an AutoIt loader used to ship a cryptocurrency miner referred to as NBMiner from an exterior server. Preliminary entry to the system is completed by the use of a drive-by compromise. “This system contains a number of evasion measures,” Darktrace mentioned. “It performs anti-sandboxing by sleeping to delay evaluation and terminates sigverif.exe (File Signature Verification). It checks for put in antivirus merchandise and continues solely when Home windows Defender is the only real safety. It additionally verifies whether or not the present consumer has administrative rights. If not, it makes an attempt a Person Account Management (UAC) bypass by way of Fodhelper to silently elevate and execute its payload with out prompting the consumer.”
New Marketing campaign Makes use of Customized GPTs for Model Impersonation and Phishing — Menace actors are abusing customized options on trusted AI platforms like OpenAI ChatGPT to create malicious “buyer help” chatbots that impersonate reputable manufacturers. These customized GPTs are surfaced on Google Search outcomes, tricking customers into taking malicious actions beneath the guise of a useful chatbot, underscoring how AI instruments might be misused inside a broader social engineering chain. “This technique introduces a brand new risk vector: platform-hosted social engineering by means of trusted AI interfaces,” Doppel mentioned. “A number of publicly obtainable Customized GPTs have been noticed impersonating well-known corporations.” The assaults can result in theft of delicate data, malware supply, and injury the repute of reputable manufacturers. The event is an element of a bigger pattern the place cybercriminals abuse AI instruments, together with impersonation fraud by way of deepfakes, AI-assisted rip-off name facilities, AI-powered mailers and spam instruments, malicious device growth, and unrestricted and self-hosted generative AI chatbots that may craft phishing kits, pretend web sites; create content material for love or funding scams; develop malware; and help with vulnerability reconnaissance and exploit chains.
McDonald’s Poland Fined for Leaking Private Information — Poland’s information safety company fined McDonald’s Poland almost €4 million for leaking worker private information, violating GDPR information privateness protections. The incident occurred at a accomplice firm that managed worker work schedules. Private information similar to names, passport numbers, positions, and work schedules have been left uncovered on the web by means of an open listing. That is the second-largest GDPR positive handed out by Polish authorities after fining the nation’s postal service €6.3 million earlier this 12 months. In associated information, vulnerabilities within the McDonald’s chatbot recruitment platform McHire uncovered over 64 million job purposes throughout the U.S., safety researchers Ian Carroll and Sam Curry found. The chatbot was created by Paradox.ai, which didn’t take away the default credentials for a take a look at account (username 123456, password 123456) and did not safe an endpoint that allowed entry to the chat interactions of each applicant. There is no such thing as a proof that the take a look at account was ever exploited in a malicious context. A separate set of safety points has additionally been found within the fast-food big’s accomplice and worker portals that uncovered delicate information similar to API keys and enabled unauthorized entry to make adjustments to a franchise proprietor’s web site. The problems, in response to BobdaHacker, have since been patched.
New Affect Operations Found — Cybersecurity firm Recorded Future flagged two large-scale, state-aligned affect operation networks supporting India and Pakistan in the course of the India-Pakistan battle of April and Might 2025. These affect networks have been codenamed Hidden Charkha (pro-India) and Khyber Defender (pro-Pakistan). “These networks are very probably motivated by patriotism and are nearly actually aligned with India’s and Pakistan’s home and overseas coverage targets, respectively,” Recorded Future mentioned. “Every community persistently tried to border India or Pakistan, respectively, as sustaining superior technological and army capabilities – and subsequently the implied means for every respective nation to train tactical restraint – as proof of getting the ethical excessive floor, and therefore having home and worldwide help.” Each the campaigns have been largely unsuccessful in shaping public opinion, given the dearth of natural engagement on social media. A second affect operation entails a number of Russia-linked networks, similar to Operation Overload, Operation Undercut, Basis to Battle Injustice, and Portal Kombat, looking for to destabilize the elections and derail Moldova’s European Union (E.U.) accession. In addition to trying to border the present Moldova management as corrupt and counter to Moldova’s pursuits, the exercise portrays “Moldova’s additional integration with the E.U. as disastrous for its financial future and sovereignty, and Moldova as a complete as at odds with European requirements and values.” The marketing campaign has not achieved any substantial success in shaping public opinion, Recorded Future added.
Large IPTV Piracy Community Uncovered — A big Web Protocol Tv (IPTV) piracy community spanning greater than 1,100 domains and over 10,000 IP addresses has been found internet hosting pirated content material, illegally restreaming licensed channels, and interesting in subscription fraud. Lively for a number of years, greater than 20 main manufacturers have been affected, together with: Prime Video, Bein Sports activities, Disney Plus, NPO Plus, Components 1, HBO, Viaplay, Videoland, Discovery Channel, Ziggo Sports activities, Netflix, Apple TV, Hulu, NBA, RMC Sport, Premier League, Champions League, Sky Sports activities, NHL, WWE, and UFC. Silent Push mentioned it recognized two corporations concerned in cashing in on internet hosting pirated content material — XuiOne and Tiyansoft. XuiOne is believed to share connections with Stalker_Portal, one other well-known open-source IPTV challenge that has been round since 2013. These providers are marketed within the type of Android apps, with the domains distributed by way of Fb teams and Imgur. The cybersecurity agency additionally recognized one particular person, Nabi Neamati of Herat, Afghanistan, as a central determine in its operations.
Safety Evaluation of WhatsApp Message Summarization — NCC Group has printed an in-depth evaluation of WhatsApp’s AI-powered Message Summarization function, which was introduced by the messaging platform in June 2025. In all, the evaluation found 21 findings, 16 of which have been mounted by WhatsApp. This included three notable weaknesses: The hypervisor might have assigned community interfaces to the CVM by means of which personal information might be exfiltrated, Any previous Confidential Digital Machine (CVM) picture with identified vulnerabilities might have been indefinitely utilized by an attacker, and the flexibility to serve malicious key configurations to WhatsApp purchasers might have allowed Meta to violate privateness and non-targetability assurances.
Oblique Immediate Injection by way of Log Information — Massive language fashions (LLMs) utilized in a safety context might be deceived by specifically crafted occasions and log information injected with hidden prompts to execute malicious actions when they’re parsed by AI brokers.
🎥 Cybersecurity Webinars
From Blind Spots to Readability: Why Code-to-Cloud Visibility Defines Trendy AppSec — Most safety packages know their dangers—however not the place they really start or how they unfold. That hole between code and cloud is costing groups time, possession, and resilience. This webinar reveals how code-to-cloud visibility closes that hole by giving builders, DevOps, and safety a shared view of vulnerabilities, misconfigurations, and runtime publicity. The end result? Much less noise, sooner fixes, and stronger safety for the purposes your small business depends upon.
Shadow AI Brokers: The Hidden Danger Driving Enterprise Blind Spots — AI Brokers are not futuristic—they’re already embedded in your workflows, processes, and platforms. The issue? Lots of them are invisible to governance, fueled by unchecked non-human identities that create a rising assault floor. Shadow AI does not simply add complexity; it multiplies threat with each click on. This webinar unpacks the place these brokers are hiding, the best way to spot them earlier than attackers do, and what steps you possibly can take to convey them beneath management with out slowing innovation.
AI + Quantum 2.0: The Double Disruption Safety Leaders Cannot Ignore — The subsequent cybersecurity disaster will not come from AI or quantum alone—it would come from their convergence. As quantum breakthroughs speed up and AI drives automation at scale, the assault floor for delicate industries is increasing sooner than most defenses can sustain. This panel brings collectively main voices from analysis, authorities, and business to unpack what Quantum 2.0 means for safety, why quantum-safe cryptography and AI resilience should go hand-in-hand, and the way decision-makers can begin constructing belief and resilience earlier than adversaries weaponize these applied sciences.
🔧 Cybersecurity Instruments
MeetC2 — It’s a intelligent proof-of-concept C2 framework that makes use of Google Calendar—sure, the identical calendar your staff makes use of on daily basis—as a hidden command channel between an operator and a compromised endpoint. By polling for occasions and embedding instructions into calendar objects by way of Google’s trusted APIs (oauth2.googleapis.com, www.googleapis.com), it reveals how reputable SaaS platforms might be repurposed for covert operations. Safety groups can use MeetC2 in managed purple-team workout routines to sharpen detection logic round uncommon calendar API utilization, validate logging and telemetry effectiveness, and fine-tune safeguards in opposition to stealthy cloud-based C2 methods. Briefly, it equips defenders with a light-weight, extremely related testbed to simulate and proactively defend in opposition to next-gen adversarial tradecraft.
thermoptic – It’s a sophisticated HTTP proxy that cloaks low-level purchasers like curl to seem indistinguishable from a full Chrome/Chromium browser on the community fingerprinting layer. Trendy WAFs and anti-bot programs more and more depend on JA4+ signatures—monitoring TLS, HTTP, TCP, and certificates fingerprints—to dam scraping instruments or detect when customers swap from browsers to scripts. By routing requests by means of a containerized Chrome occasion, thermoptic ensures fingerprints match actual browsers byte-for-byte, even throughout a number of layers. For defenders, it is a highly effective solution to take a look at detection pipelines in opposition to subtle evasion techniques, validate JA4+ logging visibility, and discover how adversaries may mix into reputable browser site visitors. For moral researchers and purple groups, thermoptic gives a sensible, open-source platform to simulate stealthy scraping or covert site visitors—serving to safety groups transfer from concept to resilience within the fingerprinting arms race.
Disclaimer: The instruments featured listed below are supplied strictly for instructional and analysis functions. They haven’t undergone full safety audits, and their habits might introduce dangers if misused. Earlier than experimenting, rigorously overview the supply code, take a look at solely in managed environments, and apply acceptable safeguards. At all times guarantee your utilization aligns with moral pointers, authorized necessities, and organizational insurance policies.
🔒 Tip of the Week
Lock Down Your Router Earlier than Hackers Ever Get a Foot within the Door — Most individuals consider router safety as simply “change the password” or “disable UPnP.” However attackers are getting way more inventive: from rerouting web site visitors by means of pretend BGP paths, to hijacking cloud providers that speak on to your router. One of the best protection? A layered method that closes these doorways earlier than compromise occurs.
Listed here are 3 superior however sensible strikes you can begin as we speak:
Defend Your Web Route with RPKIWhy it issues: Attackers generally hijack web routes (BGP assaults) to spy on or reroute your site visitors.Do that: Even should you’re not operating an enormous enterprise, you possibly can examine in case your ISP helps RPKI (Useful resource Public Key Infrastructure) utilizing the free Is BGP Secure But? device. In case your supplier is not secured, ask them about RPKI.
Use Quick-Lived Entry Keys As a substitute of Static PasswordsWhy it issues: A single stolen router password can let attackers in for years.Do that: In case your router helps it (OpenWRT, pfSense, MikroTik), arrange SSH entry with keys as a substitute of passwords. For house or small workplace customers, instruments like YubiKey can generate one-time login tokens, so even when your PC is hacked, the router stays protected.
Management Who Can Even Knock on the DoorWhy it issues: Most router compromises occur as a result of attackers can attain the administration port from the web.Do that: As a substitute of leaving administration open, use Single Packet Authorization (SPA) with a free device like fwknop. It hides your router’s administration ports till you ship a secret “knock,” making your router invisible to scanners.
Consider your router because the “entrance door to your digital home.” With these instruments, you are not simply locking it — you are ensuring attackers do not even know the place the door is, and even when they do, the important thing adjustments on daily basis.
Conclusion
That wraps up this week’s briefing, however the story by no means actually ends. New exploits, new techniques, and new dangers are already on the horizon—and we’ll be right here to interrupt them down for you. Till then, keep sharp, keep curious, and bear in mind: one clear perception could make all of the distinction in stopping the following assault.
