VerSprite Weekly Threat Intelligence #28

Date Range: 18 August 2025 – 22 August 2025

Issue: 28th Edition

Reported Period Victimology

Security Triumphs of the Week

Interpol’s Operation Serengeti 2.0 disrupted African cybercrime networks, leading to 1,209 arrests and $97.4 million in seizures, while U.S. authorities dismantled ransomware and DDoS operations, recovering millions in crypto and charging perpetrators. Global collaboration enabled takedowns of infrastructure like the “Rapper Bot” botnet and ransomware-as-a-service groups, with sentences issued for hackers involved in social engineering, SIM-swapping, and extremist-linked cyberattacks. Cryptocurrency fraud schemes faced crackdowns, including a $228 million Ponzi penalty and exchange exploits, amid calls for tighter regulations. These efforts highlight intensified law enforcement focus on cybercrime’s financial mechanisms and cross-border threats, emphasizing infrastructure disruption and asset recovery to mitigate evolving risks.


Interpol bags 1,209 suspects, $97M in cybercrime operation focused on Africa
Interpol’s Operation Serengeti 2.0, conducted across Africa from June to August, led to 1,209 arrests and the seizure of $97.4 million linked to cybercrime. Key actions included dismantling 25 illegal cryptocurrency mining centers in Angola, recovering $37 million in equipment, and disrupting a Zambian crypto-investment scam that defrauded 65,000 victims of over $300 million. The operation also uncovered human trafficking ties and addressed business email compromise (BEC) schemes, with 112 arrests across eight countries. While ransomware remains prominent, FBI data highlights higher profitability in scams, such as $4 billion in annual investment fraud losses. Interpol emphasized collaboration and infrastructure takedowns, including 11,432 malicious networks, to combat evolving cyber threats.
Read full article: Theregister

DoJ Seizes $2.8M in Crypto from Zeppelin Ransomware Group
The U.S. Department of Justice seized $2.8 million in cryptocurrency, $70,000 in cash, and a luxury vehicle linked to the Zeppelin ransomware group, charging Ianis Aleksandrovich Antropenko for orchestrating global ransomware attacks. Federal warrants executed in August 2025 targeted assets tied to the group’s ransomware-as-a-service operations, which encrypted victim systems, stole data, and extorted payments via cryptocurrency. The multi-jurisdictional investigation traced illicit funds using blockchain analysis and uncovered money laundering via ChipMixer and structured cash conversions. Law enforcement agencies, including FBI field offices, disrupted the group’s activities, part of broader efforts that have recovered $350 million and prevented $200 million in potential ransom payments since 2020.
Read full article: Gbhackers

22-year-old Operator of ‘Rapper Bot’ Botnet Charged for Launching 3 Tbps DDoS Attack
Federal authorities charged 22-year-old Ethan Foltz of Oregon for operating the “Rapper Bot” DDoS-for-hire service, a sophisticated botnet targeting global victims since 2021. The botnet, compromising devices like DVRs and routers, executed over 370,000 attacks across 80 countries, including U.S. government networks and tech firms. Attacks reached up to 6 terabits per second, causing victims significant financial losses ($500-$10,000 per attack) and enabling extortion schemes. Law enforcement, collaborating with tech companies under Operation PowerOFF, dismantled the botnet in August 2025, seizing control of its infrastructure. Foltz faces up to 10 years in prison, highlighting efforts to combat cyber threats to global internet infrastructure.
Read full article: Gbhackers

Breach Roundup: Scattered Spider Hacker Gets 10 Years
A Scattered Spider hacker, Noah Michael Urban, was sentenced to 10 years in prison and ordered to pay $13 million for cybercrimes, including social engineering and SIM-swapping attacks. Barracuda identified new “quishing” tactics using split or nested QR codes to evade detection. Pro-Houthi hacker Al-Tahery Al-Mashriky received 20 months in the UK for website defacement and data theft. A Chinese state-linked group breached a Taiwanese web hosting provider to target VPN and cloud infrastructure. The Business Council of New York and Ohio Medical Cannabis Center suffered breaches exposing personal, financial, and health data. North Korean hackers targeted embassies in Seoul using diplomatic-themed malware. Apple patched a zero-day vulnerability exploited in sophisticated attacks.
Read full article: Bankinfosec

Cryptohack Roundup: New York Man, Firm to Pay $228M in Ponzi Scheme
A New York man and his firm were ordered to pay $228 million for operating a crypto Ponzi scheme that defrauded investors of over $262 million. Coinbase lost $300,000 due to a misconfigured smart contract, though customer funds remained secure. GMX repaid $44 million to users affected by an exploit on its Arbitrum platform. Turkish exchange BtcTurk halted transfers after $48 million in suspicious outflows. U.S. banking groups urged lawmakers to tighten stablecoin regulations to prevent financial risks. The DOJ seized $2.8 million in crypto from an alleged ransomware operator. The Federal Reserve ended its special crypto oversight program, while Hong Kong introduced stricter custody rules for crypto platforms.
Read full article: Bankinfosec

Serial Hacker Sentenced for Defacing and Hacking Organizational Websites
Al-Tahery Al-Mashriky, a hacker linked to extremist groups like Spider Team and Yemen Cyber Army, received a 20-month prison sentence for unauthorized access, data theft, and website defacements targeting governments, media, and organizations globally. His attacks exploited low-security web infrastructures, compromising over 3,000 sites and stealing data including 4 million Facebook users’ PII and credentials for services like Netflix. The NCA, aided by U.S. intelligence, uncovered his role in propagating ideological agendas through digital sabotage, causing operational disruptions and financial harm. Stolen data posed risks of identity theft and fraud, emphasizing cascading threats from breaches. The case highlights the importance of multi-layered cybersecurity defenses and international collaboration to counter ideologically driven cybercrime.
Read full article: Gbhackers


Security Setbacks of the Week

This week’s cybersecurity landscape saw healthcare remain a prime target, with DaVita (2.7M records), Aspire Rural Health (140K), and Nuance Communications ($8.5M settlement) impacted by ransomware groups like Interlock, BianLian, and Clop. Social engineering attacks exploited CRM systems (Allianz, Workday), while third-party vulnerabilities (Salesforce, MOVEit) and recycled data claims (PayPal) complicated breach assessments. Rural healthcare and critical infrastructure (Pakistan’s oil sector) faced heightened risks due to resource constraints and legacy systems. Ransomware tactics evolved with RaaS models (Blue Locker) and data extortion via Telegram, underscoring the need for phishing-resistant MFA, network segmentation, and offline backups.


Dialysis Chain Tells Feds Hack Affects Nearly 2.7 million
DaVita, a major kidney dialysis provider, reported a cyberattack affecting nearly 2.7 million individuals, marking it the fourth-largest health data breach in 2025. The ransomware gang Interlock stole over 1.5 terabytes of sensitive data, including patient names, Social Security numbers, health insurance details, lab results, and check images. The breach occurred from March 24 to April 12, with DaVita eradicating the threat on the discovery date. The company incurred $13.5 million in costs and enhanced security measures post-incident. Stolen data was leaked on the dark web, though DaVita has not publicly confirmed Interlock’s claims. Federal and state regulators were notified, with updates reflecting escalating breach scales.
Read full article: Bankinfosec

Massive data breach sees 16 million PayPal accounts leaked online – here’s what we know, and how to stay safe
A massive, alleged data breach involving 16 million PayPal accounts has surfaced, with hackers claiming to sell login credentials, including emails and plaintext passwords, alongside URLs for automated attacks. Experts doubt the breach’s legitimacy due to the small sample size available for analysis, inconsistencies in pricing (lower than typical dark web rates), and PayPal’s denial of a new breach, instead referencing a 2022 incident affecting 35,000 accounts. The dataset’s structure resembles older infostealer malware logs, suggesting recycled data. While the breach’s authenticity remains unconfirmed, users are urged to change passwords, enable multi-factor authentication, monitor accounts, and avoid password reuse to mitigate risks of identity theft and fraud.
Read full article: Techradar

Massive Orange Belgium data breach may have hit over 850,000 customers – here’s what we know
Orange Belgium confirmed a cyberattack compromising data of approximately 850,000 customers, detected in late July 2025. Stolen information includes full names, phone numbers, SIM card numbers, PUK codes, and tariff plans, but excludes passwords, email addresses, or financial data. The breach occurred despite security measures, with affected customers notified via email or SMS. Orange stated the attack wasn’t linked to Chinese ‘typhoon’ threat actors and is withholding attacker details pending investigation. This follows prior breaches targeting Orange subsidiaries, including incidents involving compromised credentials and weak passwords. Law enforcement was notified, and internal investigations continue.
Read full article: Techradar

Allianz Life breach now thought to have affected 1.1 million customers – here’s how to stay safe
A data breach at Allianz Life exposed personal data of 1.1 million customers via a social engineering attack targeting its Salesforce CRM system, linked to the ShinyHunters campaign. Exposed data includes names, emails, birthdates, addresses, and phone numbers. The breach aligns with a broader campaign affecting companies like Google and Santander, though Salesforce denies platform vulnerabilities, attributing incidents to compromised credentials. Organizations are urged to enhance phishing training and endpoint security, while affected individuals should monitor for identity theft. Experts emphasize securing third-party data access, as attackers exploit CRM systems for phishing and supply-chain attacks.
Read full article: Techradar

Rural Health System in Michigan Notifying 140,000 of Hack
A rural Michigan healthcare provider, Aspire Rural Health System, is notifying 140,000 individuals of a data breach involving unauthorized network access by the BianLian ransomware group between November 2024 and January 2025. Stolen data includes sensitive personal, financial, and medical information, though no direct fraud or identity theft has been linked yet. The breach discovered months later highlights challenges rural healthcare systems face, such as limited cybersecurity resources, reliance on legacy systems, and staffing shortages. Experts note rural providers often lack 24/7 monitoring, enabling prolonged undetected access. BianLian claims the stolen data includes patient records, HR details, and internal communications. The incident underscores vulnerabilities in rural healthcare infrastructure, where cybersecurity competes with clinical priorities amid constrained budgets.
Read full article: Bankinfosec

Nuance Agrees to Pay $8.5M to Settle MOVEit Hack Litigation
Nuance Communications, a Microsoft subsidiary, agreed to pay $8.5 million to settle a class action lawsuit stemming from the 2023 MOVEit file-transfer hack. The breach, attributed to the Clop ransomware group, exploited a zero-day vulnerability (CVE-2023-34362) in Progress Software’s MOVEit tool, compromising data of 1.23 million patients across Nuance’s healthcare clients. The settlement offers affected individuals credit monitoring, reimbursement for losses up to $10,000, or a $100 cash payment, while Nuance denies wrongdoing. This case is part of broader multi-district litigation involving over 160 MOVEit-related lawsuits, including prior settlements by Arietis Health ($2.8M) and National Student Clearinghouse ($9.5M). A final court approval hearing is scheduled for March 2026.
Read full article: Bankinfosec

Colt Confirms Ransomware Attack Resulted in Customer Data Theft
Colt confirmed a ransomware attack compromised its business support systems, leading to customer data theft. The company isolated affected systems, initiated forensic investigations, and collaborated with law enforcement and external cybersecurity experts. Critical customer infrastructure remained separate, limiting breach scope. Service disruptions occurred as customer portals, APIs, and automated support systems were taken offline. The investigation continues to determine the exact data accessed and regulatory notification requirements. Colt has implemented additional security measures and works toward full remediation while balancing containment and operational continuity.
Read full article: Gbhackers

Workday Breached as Ransomware Group Seeks Salesforce Data
Workday reported a breach of its customer relationship management (CRM) system, with attackers stealing corporate contact details to fuel social engineering campaigns. The intrusion, potentially linked to groups like Scattered Spider and ShinyHunters, mirrors ongoing tactics of impersonating employees to exploit IT help desks for CRM access. These groups, tied to the cybercrime collective “The Community”, use ransomware, data extortion, and evolving social engineering techniques. Recent attacks have targeted major firms across retail, insurance, and tech sectors, leveraging stolen non-sensitive data. The actors have escalated visibility by launching Telegram channels to leak data and taunt law enforcement. CISA advises organizations to implement phishing-resistant MFA and offline backups to mitigate such threats.
Read full article: Bankinfosec

Pharma giant Inotiv hit by ransomware attack, says operations were affected
Inotiv, a U.S. pharmaceutical firm, confirmed a ransomware attack discovered on August 8, 2025, forcing it to shut down parts of its IT infrastructure, disrupting business operations. The company is restoring services using offline alternatives and working with third-party experts. Ransomware group Qilin claimed responsibility, alleging theft of 162,000 files (176GB) and leaking samples, though authenticity remains unverified. Inotiv filed an SEC report but did not disclose attacker details. The incident temporarily impacted internal data storage and business applications, with no confirmed recovery timeline. Inotiv, a contract research organization with $500M annual revenue, provides drug development services globally.
Read full article: Techradar

Blue Locker Ransomware Launches Targeted Attacks on the Oil and Gas Sector in Pakistan
Pakistan’s National Cyber Emergency Response Team (NCERT) issued a high-alert advisory warning of targeted attacks by the “Blue Locker” ransomware on the oil and gas sector, notably compromising Pakistan Petroleum Limited (PPL). The ransomware, active around Independence Day, disrupted operations by encrypting systems and deleting backups. It employs AES-RSA encryption, phishing emails, and evasion techniques like timestomping, while demanding ransom via anonymous channels. Linked to Proton ransomware variants, Blue Locker exhibits Ransomware-as-a-Service traits, with potential ties to Iranian actors or Dark Web code sales. NCERT advises multi-factor authentication, network segmentation, and offline backups. The incident highlights global ransomware trends and critical infrastructure vulnerabilities amid geopolitical tensions.
Read full article: Gbhackers

McDonald’s Free Nuggets Hack Exposes Sensitive Customer Data
A security researcher uncovered multiple critical vulnerabilities in McDonald’s digital systems, exposing sensitive customer data and internal corporate infrastructure. Flaws included client-side validation exploits in the mobile app (enabling free food claims), insecure authentication in the global Design Hub (allowing unauthorized access via URL manipulation), plaintext password emails, and exposed API keys in JavaScript code. Crew member accounts could access executive systems, including employee contact details and impersonation features. The researcher faced challenges reporting issues due to removed security contacts, resorting to unconventional methods. While McDonald’s addressed the vulnerabilities, the incident highlights systemic security failures and poor responsible disclosure processes in large corporations.
Read full article: Gbhackers

Bragg Confirms Cyberattack, Internal IT Systems Breached
Bragg Gaming Group experienced a cybersecurity breach affecting internal IT systems on August 16, 2025, prompting immediate containment measures and an independent investigation. Preliminary findings suggest the attack was confined to internal environments, with no evidence of compromised personal data or operational disruptions. The company retained access to potentially affected data, indicating ransomware was not deployed. Operations, including customer-facing services, remain unaffected. Bragg committed to transparency, providing updates via its website, and emphasized compliance with regulatory requirements across its global markets. Remediation efforts and enhanced security measures are ongoing, with the incident underscoring the importance of data protection in regulated industries.
Read full article: Gbhackers


The New Emerging Threats

State-sponsored and cybercriminal threats are escalating globally, with Russian, Chinese, North Korean, and Iranian actors targeting critical infrastructure, finance, and government sectors through sophisticated malware, zero-day exploits, and social engineering. Emerging risks include AI-generated phishing infrastructure, IoT botnets like PolarEdge, cross-platform ransomware (BQTLOCK), and vulnerabilities in AI routing systems (PROMISQROUTE) that bypass safeguards. Attacks on operational technology (water systems, energy) and cloud environments highlight systemic vulnerabilities, while mobile threats like Anatsa and macOS malware (SHAMOS) expand attack surfaces. Adversaries increasingly abuse legitimate tools, encrypted protocols, and regional geopolitical tensions to evade detection, demanding enhanced OT security, AI safeguards, and proactive threat hunting to mitigate risks.


New HTTP Smuggling Technique Allows Hackers to Inject Malicious Requests
A new HTTP request smuggling technique exploits parsing inconsistencies between front-end proxies and back-end servers via malformed chunk extensions in HTTP/1.1. Attackers craft requests with invalid chunk headers containing bare semicolons, causing front-end systems to process them as single requests while back-end servers split them into separate, unauthorized commands. This allows injection of malicious requests to bypass security controls like web application firewalls, potentially accessing restricted endpoints. Patches have been deployed for affected systems, protecting updated organizations. The attack highlights vulnerabilities in legacy HTTP/1.1 features and inconsistent RFC 9112 implementations across distributed architectures. Researchers emphasize rigorous request validation and protocol compliance to mitigate risks from underutilized protocol functionalities.
Read full article: Gbhackers
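The mitigation the article points to, rigorous request validation and RFC 9112 compliance, comes down to a chunk parser that refuses ambiguous framing. The following is an added example, not code from the article or from any affected product: a strict chunk-size line parser (grammar quoted from RFC 9112 in the comments) that rejects a bare semicolon or any other malformed chunk extension outright, so a front end using it can never accept a chunk boundary that a stricter back end would reject.

```python
"""Strict HTTP/1.1 chunked-body framing checks (illustrative, not a product's parser).

RFC 9112 grammar for one chunk:
  chunk          = chunk-size [ chunk-ext ] CRLF chunk-data CRLF
  chunk-size     = 1*HEXDIG
  chunk-ext      = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] )
  chunk-ext-name = token
  chunk-ext-val  = token / quoted-string
A bare ";" with no extension name is therefore invalid. A lenient parser that
skips it and a strict one that rejects it can disagree about where a request
ends, which is exactly the inconsistency smuggling relies on.
"""
import re

TCHAR = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]"
TOKEN = rf"{TCHAR}+"
# quoted-string restricted to ASCII; the line is decoded as ASCII before matching.
QUOTED_STRING = r'"(?:[\t !#-\[\]-~]|\\[\t -~])*"'
BWS = r"[ \t]*"
CHUNK_EXT = rf"(?:{BWS};{BWS}{TOKEN}(?:{BWS}={BWS}(?:{TOKEN}|{QUOTED_STRING}))?)*"
CHUNK_SIZE_LINE = re.compile(rf"([0-9A-Fa-f]+){CHUNK_EXT}")

MAX_CHUNK_SIZE_DIGITS = 16  # arbitrary sanity cap chosen for this example


class ChunkParseError(ValueError):
    """Raised for any framing that does not match RFC 9112 exactly."""


def parse_chunk_size_line(line: bytes) -> int:
    """Return the chunk size from one chunk-size line including its CRLF.

    Rejects missing CRLF, non-ASCII bytes, bad hex, bare semicolons,
    unnamed extensions and non-token extension names instead of guessing.
    """
    if not line.endswith(b"\r\n"):
        raise ChunkParseError("chunk-size line must end with CRLF")
    try:
        text = line[:-2].decode("ascii")
    except UnicodeDecodeError as exc:
        raise ChunkParseError("non-ASCII byte in chunk-size line") from exc
    # fullmatch (not match with "$") so a stray LF inside the line is never tolerated
    m = CHUNK_SIZE_LINE.fullmatch(text)
    if m is None:
        raise ChunkParseError(f"malformed chunk-size line: {line[:-2]!r}")
    digits = m.group(1)
    if len(digits) > MAX_CHUNK_SIZE_DIGITS:
        raise ChunkParseError("chunk size too large")
    return int(digits, 16)


def is_valid_chunk_size_line(line: bytes) -> bool:
    """Convenience predicate for tests and logging."""
    try:
        parse_chunk_size_line(line)
        return True
    except ChunkParseError:
        return False


def decode_chunked(data: bytes) -> bytes:
    """Strictly decode a complete chunked message body.

    Raises ChunkParseError on any framing defect rather than recovering.
    Trailer fields after the last chunk are consumed but not interpreted.
    """
    out = bytearray()
    pos = 0
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            raise ChunkParseError("truncated chunk-size line")
        size = parse_chunk_size_line(data[pos:eol + 2])
        pos = eol + 2
        if size == 0:
            break
        chunk = data[pos:pos + size]
        if len(chunk) != size:
            raise ChunkParseError("truncated chunk-data")
        if data[pos + size:pos + size + 2] != b"\r\n":
            raise ChunkParseError("chunk-data not followed by CRLF")
        out += chunk
        pos += size + 2
    # last-chunk seen: optional trailer section terminated by an empty line
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            raise ChunkParseError("truncated trailer section")
        line = data[pos:eol]
        pos = eol + 2
        if line == b"":
            break
    if pos != len(data):
        raise ChunkParseError("trailing bytes after chunked body")
    return bytes(out)


def is_well_formed_chunked_body(data: bytes) -> bool:
    """True only if the whole body decodes under the strict rules above."""
    try:
        decode_chunked(data)
        return True
    except ChunkParseError:
        return False
```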

Ballooning PolarEdge Botnet a Suspected Cyberespionage Op
The PolarEdge botnet, suspected of facilitating foreign cyberespionage, has rapidly expanded since June 2023, infecting nearly 40,000 IoT devices globally, primarily in South Korea and the U.S. Targeting enterprise and consumer devices like routers, IP cameras, and NAS systems, it exhibits traits of an operational relay box (ORB) network to mask malicious traffic through trusted residential IPs. Researchers link its low device churn and targeting patterns to China-nexus espionage campaigns, though it diverges from typical ORB tactics. Attackers exploit non-standard TCP ports (40,000–50,000) to evade detection and used a Cisco router vulnerability (CVE-2023-20118) to deploy webshells. The botnet’s infrastructure suggests skilled, state-aligned operators aiming to proxy covert cyber operations.
Read full article: Bankinfosec

BQTLOCK Ransomware-as-a-Service Emerges, Boasting Sophisticated Evasion Tactics
BQTLOCK, a new Ransomware-as-a-Service (RaaS) active since mid-July 2025, employs double extortion by encrypting files and threatening data leaks unless ransoms (13–40 XMR) are paid within 48 hours. Marketed on dark web forums, it uses anti-analysis techniques like string obfuscation, VM evasion, and process hollowing. Subscription tiers allow affiliates to customize ransom notes, C2 servers, and evasion features. Updated variants enhance anti-debugging, bypass UAC, steal credentials, and enable lateral movement. The ransomware deletes backups, clears logs, and uses hybrid AES-256/RSA-4096 encryption. Despite claims of being undetectable, samples show inconsistencies, and the group’s legitimacy is questioned. Mitigation requires updated security tools and proactive threat monitoring.
Read full article: Gbhackers

ClickFix Exploit Emerges: Microsoft Flags Cross-Platform Attacks Targeting Windows and macOS
Microsoft has identified the ClickFix social engineering technique as a growing threat, exploiting user trust to execute malicious commands on Windows and macOS systems. Attackers use phishing, malvertising, and compromised sites to trick users into running obfuscated scripts, deploying malware like Lumma Stealer, Xworm RAT, and Atomic macOS Stealer (AMOS). Campaigns target sectors such as government and finance, with tactics including fake error prompts, spoofed brands, and multi-stage payloads. macOS attacks involve Bash scripts bypassing security to steal credentials and crypto wallets. Microsoft recommends user education, enabling Defender XDR features, and blocking malicious domains. Storm-series threat actors and underground ClickFix kits ($200–$1,500/month) drive these cross-platform attacks.
Read full article: Gbhackers

Russian Hackers Accused in Wave of Water Sector Cyberattacks
Russian state-linked hackers are increasingly targeting water infrastructure in Europe, including attacks on a Polish hydropower plant and a Norwegian dam, raising concerns about vulnerabilities in critical Western infrastructure. These attacks, part of a surge in daily Russian cyber operations, aim to test operational technology disruptions and undermine public trust without triggering military retaliation. U.S. experts warn similar risks apply to American water systems, citing resource shortages and reliance on managed security services. Recent incidents, like a 2024 Texas utility breach, highlight ongoing vulnerabilities. CISA urges improved OT asset management to secure essential systems amid escalating global conflicts and retaliatory cyberthreats.
Read full article: Bankinfosec

Anatsa Malware Escalates: Android Under Siege as Hackers Harvest Credentials and Track Keystrokes
The Anatsa Android banking trojan (aka TeaBot) has evolved significantly, now targeting over 831 global financial institutions, including new regions like Germany and South Korea, and cryptocurrency platforms. Distributed via decoy apps on Google Play, it uses droppers to fetch malicious payloads, bypassing detection through direct installation and DES encryption with dynamic keys. Enhanced evasion includes corrupted APK archives, anti-analysis checks, and fake login overlays to steal credentials. Recent variants auto-enable permissions via accessibility services and rotate package names to evade detection. With decoy apps exceeding 50,000 downloads each, Anatsa underscores growing Android threats, urging users to scrutinize app permissions.
Read full article: Gbhackers

Hackers Target Phones of Military-Linked Individuals in South Asia Using New Spy Tools
Cyber actors targeted military and government personnel in South Asia using phishing lures tied to defense events, distributing malicious ZIP files and Android spyware. Phishing decoys mimicked legitimate entities, redirecting to credential-harvesting pages linked to shared C2 infrastructure. Modified Rafel RATs disguised as chat apps collected sensitive data via intrusive permissions, exfiltrating it to servers like quickhelpsolve.com. Campaigns overlapped across Windows and Android platforms, with infrastructure and registrant details (e.g., [email protected]) linking to prior phishing activity. Attribution suggests ties to APT Sidewinder, exploiting commodity malware for espionage. The operation underscores risk to defense sectors, urging heightened mobile security and phishing vigilance.
Read full article: Gbhackers

AI Website Generators Repurposed by Adversaries for Malware Campaigns
Adversaries are leveraging AI-powered website builders like Lovable to rapidly create malicious infrastructure, lowering barriers for phishing, malware distribution, and fraud. These tools enable even unskilled actors to deploy phishing kits, credential harvesters, and sites hosting trojanized malware, with campaigns impersonating brands like Microsoft, UPS, and cryptocurrency platforms. AI automation embeds deceptive elements (e.g., CAPTCHAs) and backend logic for data exfiltration, often routing stolen data to Telegram. Large-scale operations, such as Tycoon PhaaS, distributed credential-harvesting emails and AiTM attacks, while malware campaigns delivered RATs via trojanized executables. Lovable has introduced AI-driven safeguards, but lax initial guardrails highlight the need for stronger platform protection. Organizations are urged to monitor AI-generated threats and adopt allow-listing for abused tools.
Read full article: Gbhackers

MuddyWater APT Targets CFOs via OpenSSH; Enables RDP and Scheduled Tasks
The Iranian-linked MuddyWater APT group is conducting a global spear-phishing campaign targeting CFOs and finance executives, impersonating recruiters from Rothschild & Co. Attackers deploy Firebase-hosted phishing pages with math-based CAPTCHAs to distribute malicious ZIP archives containing VBS scripts. These scripts abuse tools like NetBird and OpenSSH to enable RDP access, create hidden admin accounts, and establish persistence via scheduled tasks and registry modifications. Infrastructure shifts and adaptive payload paths reflect evasion tactics, with TTPs overlapping prior campaigns, including AES-encrypted redirects and reused setup keys. Mitigation involves blocking IOCs, auditing tool installations, and monitoring suspicious accounts or service activity. The campaign underscores MuddyWater’s evolving use of legitimate tools for stealthy, long-term infiltration.
Read full article: Gbhackers

New SHAMOS Malware Targets macOS Through Fake Help Sites to Steal Login Credentials
A new SHAMOS malware campaign targeting macOS users via fake help sites was uncovered by CrowdStrike, linked to the COOKIE SPIDER cybercriminal group. The malware, distributed through malvertising promoting fraudulent macOS support pages, tricks users into executing malicious Terminal commands to install stealer payloads. SHAMOS harvests credentials, cryptocurrency wallets, and browser data, evading detection via anti-VM checks and file attribute manipulation. Over 300 global targets were attempted, excluding Russia and CIS nations, aligning with regional eCrime restrictions. The malware establishes persistence through LaunchDaemons and exfiltrates data via attacker-controlled servers. CrowdStrike’s Falcon platform blocked the campaign, emphasizing the need for enhanced endpoint protections against evolving macOS threats.
Read full article: Gbhackers

North Korean Kimsuky Hackers Use GitHub to Target Foreign Embassies with XenoRAT Malware
The North Korean Kimsuky group (APT43) targeted foreign embassies in South Korea via spear-phishing emails impersonating diplomatic contacts, distributing XenoRAT malware through password-protected ZIP files hosted on Dropbox and Daum. Attackers abused GitHub repositories as command-and-control servers to exfiltrate data and retrieve payloads, leveraging obfuscated PowerShell scripts and scheduled tasks for persistence. XenoRAT enabled full system control, including keystroke logging and file theft. Infrastructure analysis linked the campaign to known Kimsuky servers, with operational patterns suggesting potential Chinese basing due to activity pauses during Chinese holidays. Trellix identified overlaps with prior Kimsuky tactics and provided detection signatures. Ongoing threats underscore the need for enhanced email security, GitHub monitoring, and anomaly detection in diplomatic networks.
Read full article: Gbhackers

Chinese MURKY PANDA Attacking Government and Professional Services Entities
The Chinese state-sponsored threat actor MURKY PANDA has targeted North American government, technology, legal, and professional services sectors since late 2024, focusing on cyberespionage. The group exploits cloud environments and trusted relationships, leveraging zero-day vulnerabilities and compromised SaaS providers to infiltrate downstream customers. Their tactics include email exfiltration, document theft, and deploying custom malware like CloudedHope and Neo-reGeorg web shells. MURKY PANDA evades detection by altering timestamps, deleting forensic evidence, and abusing cloud identity systems to gain administrative access. The group shares infrastructure and techniques with other China-linked actors, such as VANGUARD PANDA, and aligns with broader intrusion campaigns like Silk Typhoon. Their operations highlight advanced cloud exploitation capabilities and persistent targeting of sensitive entities.
Read full article: Cybernews

ChatGPT-5 Downgrade Attack Allows Hackers to Evade AI Defenses with Minimal Prompts
Security researchers discovered a critical vulnerability (PROMISQROUTE) in ChatGPT-5 and other AI systems, enabling attackers to bypass safety protocols by manipulating routing mechanisms. Attackers use simple trigger phrases like “respond quickly” to redirect queries to cheaper, less secure models (e.g., GPT-4), evading safeguards designed to block harmful requests. The exploit highlights systemic risks in AI infrastructures that prioritize cost-saving routing over security, with OpenAI reportedly saving $1.86 billion annually through such methods. The vulnerability affects any AI system using layered model routing, common in enterprise environments. Researchers recommend urgent audits, cryptographic routing, and universal safety filters. This exposes ongoing challenges in balancing AI cost efficiency with robust security.
Read full article: Gbhackers


Vulnerability Spotlight: Critical Exposures Unveiled

Critical vulnerabilities across diverse platforms dominated the cybersecurity landscape, with Apple, Apache Tika, SAP, Docker, and Microsoft Azure addressing high-severity flaws involving memory corruption, XML parsing, and cross-tenant API exposures. Exploit chains targeting unpatched systems, including leaked SAP zero-days and active Linux kernel privilege escalation, highlighted the risks of delayed patching and nation-state threats. Cloud misconfigurations, insecure document parsers, and AI-driven code analysis tools like CodeRabbit exposed systemic weaknesses in third-party integrations and multi-tenant architectures. Widespread exploitation of Trend Micro systems and novel password manager clickjacking techniques underscored the urgency of updating software, enforcing network segmentation, and adopting zero-trust principles to mitigate escalating attack vectors.


Apple Confirms Critical 0-Day Under Active Attack – Immediate Update Urged
Apple has released an emergency update (iOS/iPadOS 18.6.2) to patch a critical zero-day vulnerability (CVE-2025-43300) actively exploited in sophisticated attacks. The flaw, an out-of-bounds write in the ImageIO framework, allows attackers to execute malicious code via crafted image files, risking device compromise. Affected devices include iPhone XS and newer, and multiple iPad models. Apple confirmed targeted exploitation, suggesting potential nation-state involvement. The patch implements improved memory bounds checking. Users are urged to update immediately to mitigate risks from malicious images delivered via emails, messages, or websites.
Read full article: Gbhackers

Critical Flaw in Apache Tika PDF Parser Exposes Sensitive Data to Attackers
A critical XXE vulnerability (CVE-2025-54988) in Apache Tika’s PDF parser module allows attackers to exploit malicious XFA content in PDFs, enabling data exfiltration, internal network access, or SSRF attacks. Affecting versions 1.13 to 3.2.1, the flaw impacts not only the core PDF parser but also dependent packages like tika-app and tika-server. Successful exploitation could expose sensitive system data, including credentials. Apache Tika 3.2.2 patches the issue via improved XML validation. Organizations are urged to upgrade immediately or implement network controls to restrict vulnerable systems. The discovery underscores the risk in open-source components handling untrusted documents.
Read full article: Gbhackers

SAP 0-Day Exploit Reportedly Leaked by ShinyHunters Hackers
A critical SAP exploit chain leveraging two zero-day vulnerabilities (CVE-2025-31324 and CVE-2025-42999) was leaked by ShinyHunters via Telegram and published by VX Underground on August 15, 2025. The exploit targets unpatched SAP NetWeaver Visual Composer systems (CVSS 10.0), enabling unauthenticated command execution and deserialization attacks without deploying malicious artifacts. It dynamically adapts to SAP versions, utilizing custom classes to bypass defenses. Security firm Onapsis confirmed the vulnerabilities were patched in April 2025 but warned that the public exploit code heightens the risk of widespread attacks. Organizations are urged to apply SAP Security Note 3594142 immediately and monitor for suspicious activity. The leak underscores escalating threats to SAP environments, with ShinyHunters’ involvement indicating potential rapid exploitation by threat actors.
Read full article: Gbhackers

Windows Docker Desktop Vulnerability Allows Full Host Compromise
A critical vulnerability (CVE-2025-9074) in Docker Desktop for Windows and Mac allowed containers to compromise the host system via an unauthenticated internal HTTP API (http://192.168.65.7:2375/). Attackers could exploit this SSRF flaw using two HTTP POST requests to create a privileged container with host drive access, bypassing isolation. The issue, discovered accidentally during network scanning, affected versions below 4.44.3, patched in August 2025. Docker addressed the flaw swiftly, but the incident underscores the risk of exposed internal APIs and insufficient network segmentation. Organizations must update immediately and enforce zero-trust principles. No exploitation has been reported post-patch.
Read full article: Gbhackers

Azure Default API Connection Flaw Enables Full Cross-Tenant Compromise
A critical vulnerability in Microsoft Azure’s API Management allowed cross-tenant compromise via shared global API Connections, enabling attackers to hijack resources across tenants. Exploiting an undocumented DynamicInvoke endpoint, attackers with Contributor access could bypass controls using path traversal to access Azure Key Vaults, SQL databases, and third-party services (e.g., Jira, Salesforce) with admin privileges. Microsoft mitigated the flaw by blacklisting path traversal sequences but acknowledged potential bypass risks. The researcher, awarded a $40,000 bounty, emphasized architectural risks in multi-tenant cloud isolation. The incident underscores the need for robust security design in cloud environments to prevent cross-tenant data exposure.
Read full article: Gbhackers

CodeRabbit RCE Flaw Gives Attackers Write Access to 1M Repositories
A critical remote code execution (RCE) vulnerability in CodeRabbit, a leading AI-powered GitHub code review tool, exposed over one million repositories (including private ones) to potential attacker access. Exploiting CodeRabbit’s integration with Rubocop, attackers could craft malicious pull requests with a .rubocop.yml file to execute arbitrary code, leak API tokens, and access sensitive data. The flaw allowed unauthorized access to CodeRabbit’s PostgreSQL database and repositories. CodeRabbit responded swiftly, disabling Rubocop, rotating credentials, and sandboxing Rubocop operations post-disclosure. The incident underscores the risk in AI-driven tools relying on external integrations, emphasizing the need for robust sandboxing and security controls in automated code analysis platforms.
Read full article: Gbhackers

Chrome High-Severity Vulnerability Could Let Attackers Run Arbitrary Code
Google issued an emergency update for Chrome to patch a high-severity vulnerability (CVE-2025-9132) in the V8 JavaScript engine, allowing attackers to execute arbitrary code via memory corruption. The out-of-bounds write flaw, discovered by Google’s AI-powered Big Sleep team on August 4, 2025, could let attackers bypass Chrome’s security sandbox and take control of the system. Patched versions (139.0.7258.138/.139 for Windows/Mac, 139.0.7258.138 for Linux) are rolling out globally, with details withheld to prevent exploitation. Users must update immediately to mitigate risks of data breaches or malware installation.
Read full article: Gbhackers

CISA Alerts on Active Exploitation of Trend Micro Apex One Vulnerability
CISA added a critical OS command injection vulnerability (CVE-2025-54948) in Trend Micro Apex One’s on-premises Management Console to its Known Exploited Vulnerabilities catalog, citing active exploitation. The flaw allows pre-authenticated attackers to execute arbitrary commands, risking full system compromise. Federal agencies must remediate by September 8, 2025, per Binding Operational Directive 22-01, while all organizations are urged to prioritize mitigations. Though ransomware links remain unconfirmed, the vulnerability’s potential to disable security controls makes it attractive to threat actors. Trend Micro users should apply vendor recommendations, monitor systems, and await patches. CISA highlights the urgency due to the severity and exploitation risks.
Read full article: Gbhackers

Linux Kernel Netfilter Flaw Enables Privilege Escalation
A critical privilege escalation vulnerability (CVE-2024-53141) was discovered in the Linux kernel’s netfilter subsystem, affecting versions up to 6.12.2. The flaw resides in the ipset bitmap functionality’s handling of CIDR notation, causing out-of-bounds writes due to insufficient bounds checks during IP range calculations. Local attackers can exploit this to corrupt kernel memory, gain root access, and compromise systems, particularly impacting multi-user environments and containerized platforms. A patch was released in commit 35f56c55, addressing the issue by validating CIDR boundaries. Organizations are urged to update kernels immediately or restrict netfilter access if patching is delayed. High-risk systems include firewalls and network appliances relying on netfilter.
Read full article: Gbhackers
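As an added illustration of the bug class described above, the following C program models a toy IPv4 bitmap set: a CIDR block is expanded to an address range and the matching bits are written. This is example code written for this newsletter, not the kernel’s ipset implementation and not a reproduction of CVE-2024-53141; the type and function names, the bitmap layout, and the error codes are assumptions. `set_range_unchecked` shows the pattern in which the range is written without confirming it lies inside the set (it is defined only to show the contrast and is never invoked), while `set_range_checked` adds the boundary validation a fix of this kind introduces, rejecting any block that straddles the set’s edge before a single bit is touched.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of an IPv4 bitmap set covering the inclusive range [first, last].
 * One bit per address; bit index = address - first. This layout is an
 * assumption for the example, not the kernel's ipset structure. */
typedef struct {
    uint32_t first;
    uint32_t last;
    uint8_t *bits;   /* (last - first + 1) bits, rounded up to whole bytes */
} ip_bitmap;

static int bitmap_init(ip_bitmap *b, uint32_t first, uint32_t last) {
    if (last < first) return -1;
    uint64_t n = (uint64_t)last - first + 1;
    b->first = first;
    b->last = last;
    b->bits = calloc((size_t)((n + 7) / 8), 1);
    return b->bits ? 0 : -1;
}

/* Expand a CIDR block to its inclusive [from, to] address range.
 * Returns -1 for a prefix length outside 0..32. */
static int cidr_to_range(uint32_t ip, unsigned cidr, uint32_t *from, uint32_t *to) {
    if (cidr > 32) return -1;
    uint32_t mask = (cidr == 0) ? 0u : (0xFFFFFFFFu << (32 - cidr));
    *from = ip & mask;
    *to = ip | ~mask;
    return 0;
}

static void set_bit(ip_bitmap *b, uint32_t addr) {
    uint32_t idx = addr - b->first;
    b->bits[idx / 8] |= (uint8_t)(1u << (idx % 8));
}

/* Vulnerable pattern (never called here): the range derived from the CIDR is
 * written without checking that every address lies inside [first, last], so a
 * block that extends past the set boundary indexes beyond the allocation. */
static void set_range_unchecked(ip_bitmap *b, uint32_t ip, unsigned cidr) {
    uint32_t from, to;
    if (cidr_to_range(ip, cidr, &from, &to)) return;
    for (uint32_t a = from; ; a++) {
        set_bit(b, a);
        if (a == to) break;   /* explicit break avoids uint32 wrap-around */
    }
}

/* Hardened form: validate the whole block against the set bounds first.
 * Returns 0 on success, -1 for an invalid CIDR, -2 if any address of the
 * block falls outside [first, last]. */
static int set_range_checked(ip_bitmap *b, uint32_t ip, unsigned cidr) {
    uint32_t from, to;
    if (cidr_to_range(ip, cidr, &from, &to)) return -1;
    if (from < b->first || to > b->last) return -2;
    for (uint32_t a = from; ; a++) {
        set_bit(b, a);
        if (a == to) break;
    }
    return 0;
}

/* Count addresses present in the set. */
static unsigned count_set(const ip_bitmap *b) {
    uint64_t n = (uint64_t)b->last - b->first + 1;
    unsigned c = 0;
    for (uint64_t i = 0; i < n; i++)
        if (b->bits[i / 8] & (1u << (i % 8))) c++;
    return c;
}

/* Parse a dotted quad such as "10.0.0.0" into host byte order. */
static uint32_t ip4(const char *s) {
    unsigned a = 0, b = 0, c = 0, d = 0;
    sscanf(s, "%u.%u.%u.%u", &a, &b, &c, &d);
    return (a << 24) | (b << 16) | (c << 8) | d;
}

int main(void) {
    ip_bitmap b;
    /* Constructed sample: the set covers 10.0.0.0 - 10.0.0.255. */
    if (bitmap_init(&b, ip4("10.0.0.0"), ip4("10.0.0.255"))) return 1;
    printf("10.0.0.64/26 -> %d (inside the set)\n",
           set_range_checked(&b, ip4("10.0.0.64"), 26));
    printf("10.0.0.0/23  -> %d (block runs past 10.0.0.255, rejected)\n",
           set_range_checked(&b, ip4("10.0.0.0"), 23));
    printf("addresses set: %u\n", count_set(&b));
    (void)set_range_unchecked;   /* defined for contrast only */
    free(b.bits);
    return 0;
}
```

The check in `set_range_checked` is the whole defence: both ends of the expanded block are compared with the set’s bounds before any write, so an oversized prefix on an address near the edge of the set is refused rather than silently indexing past the end of the bitmap.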

Multiple top password managers are vulnerable to password stealing clickjacking attacks – here’s what we know
A new clickjacking attack targeting autofill features in major password managers was disclosed at DEF CON 33. Researcher Marek Tóth demonstrated how opacity settings, overlays, or pointer events on malicious/compromised sites could invisibly trigger autofill, stealing passwords, 2FA codes, and credit card data. Affected services include 1Password, Bitwarden, Enpass, iCloud Passwords, LastPass, and LogMeOnce, with browser-based versions leaking data under specific conditions. Attackers can use universal scripts to identify and target active password managers. While Dashlane, NordPass, ProtonPass, RoboForm, and Keeper have patched vulnerabilities, others remain at risk. LastPass and LogMeOnce are developing fixes, and vendors emphasize user vigilance, updated extensions, and optional autofill confirmations to mitigate risks.
Read full article: Techradar


In-Depth Expert CTI Analysis

Recent cyber threat intelligence highlights escalating global cybercrime, marked by Interpol’s Operation Serengeti 2.0 disrupting $300M+ scams and dismantling crypto-mining networks, alongside U.S. actions against ransomware groups like Zeppelin. Ransomware-as-a-Service (BQTLOCK) and state-aligned actors (MuddyWater, MURKY PANDA) target critical infrastructure, healthcare, and cloud environments, exploiting vulnerabilities in Apache Tika, SAP, and Docker. High-impact breaches at DaVita, PayPal, and Allianz Life exposed millions of records, while AI-driven phishing and macOS/Android malware (SHAMOS, Anatsa) underscore evolving attack vectors. Critical vulnerabilities in Linux, Azure, and Chrome emphasize systemic risks, necessitating urgent patching, multi-factor authentication, and international collaboration to mitigate cascading threats.


Proactive Defense and Strategic Foresight

Proactive defense demands robust collaboration, infrastructure hardening, and preemptive threat hunting, as demonstrated by Interpol’s Operation Serengeti 2.0 and law enforcement’s ransomware asset seizures. Strategic foresight must prioritize evolving tactics like AI-generated phishing, QR code-based “quishing,” and state-aligned IoT botnets exploiting legacy protocols. Critical infrastructure vulnerabilities, from healthcare breaches to water system attacks, underscore the need for sector-specific resilience plans. Organizations must adopt adaptive patching, zero-trust segmentation, and threat intelligence sharing to counter ransomware-as-a-service and cloud exploitation. Investments in AI security audits, multi-layered authentication, and dark web monitoring are essential to mitigate cascading risks from credential theft to geopolitical cyberespionage.


Evolving Ransomware and Malware Tactics

Ransomware and malware tactics continue evolving with increased sophistication, leveraging Ransomware-as-a-Service (RaaS) models like BQTLOCK for double extortion and hybrid encryption. Threat actors target critical infrastructure, exemplified by attacks on healthcare (DaVita, Aspire) and energy sectors (Blue Locker), exploiting vulnerabilities in legacy systems. Social engineering innovations include “quishing” (QR code phishing), ClickFix scripts, and AI-generated phishing sites to bypass defenses. Malware campaigns increasingly abuse legitimate tools (NetBird, OpenSSH) and IoT botnets (PolarEdge) for stealth, while state-aligned groups (MuddyWater, Kimsuky) blend cybercrime with espionage. Persistent collaboration between law enforcement and the private sector remains critical, enabling the infrastructure seizures, cryptocurrency tracing, and global operations that mitigate these threats.


State-Sponsored and Organized Cybercrime Convergence

The convergence of state-sponsored and organized cybercrime is increasingly evident, with nation-state actors adopting criminal tactics like ransomware-as-a-service (e.g., BQTLOCK RaaS) and cryptocurrency laundering, while cybercriminal groups leverage advanced espionage tools. Operations such as Interpol’s Serengeti 2.0 and the dismantling of Zeppelin ransomware highlight overlapping financial networks and infrastructure, including crypto mixers like ChipMixer. State-aligned groups like MURKY PANDA and MuddyWater APT exploit zero-days and cloud vulnerabilities, mirroring criminal campaigns targeting healthcare (DaVita) and critical infrastructure (Pakistan’s oil sector). Meanwhile, ransomware gangs (BianLian, Qilin) and eCrime collectives (Scattered Spider) employ state-grade social engineering and data exfiltration. This blurring of motives—financial gain vs. geopolitical disruption—demands enhanced public-private collaboration, cross-border intelligence sharing, and unified defense frameworks to counter hybrid threats.


Operational and Tactical Implications

Operational implications highlight the critical need for cross-border collaboration and infrastructure disruption, evidenced by Interpol’s takedowns and multijurisdictional ransomware seizures. Tactically, adversaries increasingly exploit supply chain vulnerabilities (e.g., CRM breaches, third-party SaaS) and novel attack vectors like quishing, AI-generated phishing, and HTTP request smuggling. The proliferation of RaaS models and state-aligned botnets demands enhanced network segmentation, real-time traffic analysis, and zero trust frameworks. Critical infrastructure operators must prioritize OT security hardening and offline backups, while enterprises require accelerated patch cycles for high-risk vulnerabilities (SAP, Docker, Linux kernel). Defensive strategies should integrate AI-resistant phishing training, MFA enforcement, and blockchain transaction monitoring to counter evolving financial fraud and extortion tactics.


Forward-Looking Recommendations

  • Prioritize proactive patching and vulnerability management, especially for critical infrastructure and cloud services, to mitigate risks from zero-day exploits and misconfigurations in widely used platforms like SAP, Docker, and Azure.
  • Enhance ransomware resilience through immutable offline backups, network segmentation, and AI-driven anomaly detection to counter evolving RaaS models and double extortion tactics.
  • Strengthen third-party risk management and secure API integrations, particularly in healthcare and financial sectors, by enforcing zero-trust principles and rigorous code review processes for AI-powered development tools.
  • Invest in cross-sector threat intelligence sharing and coordinated takedowns to disrupt state-aligned APT campaigns targeting critical infrastructure, leveraging blockchain analysis and infrastructure sinkholing.
  • Implement advanced social engineering defenses including phishing-resistant MFA, endpoint deception technologies, and mandatory security training to combat AI-enhanced threats like quishing and ClickFix attacks.
  • Accelerate adoption of memory-safe languages and hardware-enforced security controls to address systemic vulnerabilities in IoT devices, Linux kernels, and legacy OT systems.
  • Establish regulatory frameworks for cryptocurrency tracing and mandatory cybersecurity investment thresholds in vulnerable sectors like rural healthcare to balance innovation with risk mitigation.

Additional Resources & Contact

VerSprite on LinkedIn

VerSprite on Twitter

Email VerSprite