VerSprite Weekly Threat Intelligence #29

Date Range: 25 August 2025 – 29 August 2025

Issue: 29th Edition

Reported Period Victimology

Security Triumphs of the Week

This week’s security triumphs showcased global collaboration against cybercrime: U.S.-Dutch authorities dismantled VerifTools’ counterfeit ID network, while South Korea extradited a Chinese national behind a $28.5M phishing scheme. Amazon disrupted APT29’s credential-harvesting campaign, and Google removed malware-laden apps with 19 million installs. WhatsApp patched a zero-click exploit chain, and the U.S. sanctioned entities enabling North Korean IT fraud. Law enforcement also secured an extended sentence for a crypto theft perpetrator, highlighting systemic efforts to counter cybercrime-as-a-service models, financial fraud, and state-sponsored threats through technical takedowns, legal action, and international cooperation.


Law Enforcement Operation Seizes Fake ID Platform VerifTools
A joint U.S.-Dutch law enforcement operation dismantled VerifTools, a major platform selling counterfeit IDs, including passports and U.S. driver’s licenses for as low as $9. The service facilitated cybercrimes like phishing, cryptocurrency theft, and rental fraud by bypassing identity verification systems. Authorities seized servers in Amsterdam and domains in the U.S., redirecting them to a law enforcement notice. Forensic analysis aims to identify the platform’s operators and users, with Dutch police linking the infrastructure to $6.4 million in illicit profits. The FBI investigation, launched in 2022, revealed VerifTools’ role in creating fake documents for global use. The takedown highlights efforts to disrupt cybercrime-as-a-service ecosystems, targeting suppliers of tools enabling fraud and identity theft.
Read full article: Bankinfosec

Amazon says it stopped Russian hackers targeting Microsoft logins as Cozy Bear strikes again
Amazon disrupted a Russian state-sponsored APT29 (Cozy Bear) campaign using watering hole attacks to harvest Microsoft login credentials. The attackers compromised legitimate websites, redirecting visitors to malicious domains mimicking Microsoft’s authentication flow. Approximately 10% of site traffic was redirected, though AWS infrastructure remained unaffected. Collaboration with Cloudflare and Microsoft led to domain takedowns and instance isolation. APT29 demonstrated adaptability by shifting infrastructure when blocked. Users are advised to enable credit freezes, monitor accounts, and remain vigilant against phishing. The incident highlights APT29’s evolving focus on credential theft for intelligence gathering.
Read full article: Techradar

77 malicious apps removed from Google Play Store
Google removed 77 malicious apps from the Play Store, which had been installed over 19 million times. The apps included the Anatsa banking Trojan, targeting financial and crypto credentials through stealth tactics and accessibility abuse, and Joker malware, which steals data and enrolls victims in premium services. These apps posed as legitimate tools (e.g., document readers) before acting as droppers to fetch malicious payloads. Anatsa employed obfuscation and dynamic code loading to evade detection. Google Play Protect alerted users to uninstall affected apps. The report emphasizes vigilance, advising users to review app permissions, remove unused apps, update devices, and install security software.
Read full article: Malwarebytes

WhatsApp fixes vulnerability used in zero-click attacks
WhatsApp patched a critical vulnerability (CVE-2025-55177) exploited in zero-click attacks, which combined with an Apple Image I/O framework flaw (CVE-2025-43300) to compromise devices without user interaction. Attackers sent malicious images via WhatsApp, leveraging memory corruption to execute code, while exploiting WhatsApp’s linked device sync flaw to trigger arbitrary URL processing. The attack primarily targeted iOS/Mac users, requiring a factory reset to remove persistent malware. Both companies issued updates to address the vulnerabilities. While Android users were mentioned as potential targets, the chained exploit’s severity was higher for Apple devices. Users are urged to update apps, OS, and enable advanced security features to mitigate risks.
Read full article: Malwarebytes

Sting nails two front firms in Nork IT worker scam
The US Treasury sanctioned two Asian companies (China’s Shenyang Geumpungri Network Technology Co and South Korea’s Sinjin Trading Corporation) and two individuals for facilitating North Korean IT workers in fraudulently obtaining US jobs, funneling over $1 million via fake salaries and theft. Collaborating with Japanese and South Korean authorities, the US aims to seize funds and hold involved entities accountable. North Korean IT workers exploit remote work post-COVID, embedding themselves in companies to steal data, demand ransoms, and use deepfakes to bypass hiring checks. Despite recent actions, challenges persist, including US-based “laptop farms” that mask workers’ locations and insufficient verification processes. Mandiant notes widespread Fortune 500 exposure to such threats.
Read full article: Theregister

Crypto thief earns additional prison time for assaulting witness
Remy Ra St Felix, leader of an international crime gang, received an additional 6 years and 10 months in prison, to run consecutively, for assaulting a witness who testified against him in a violent cryptocurrency theft case. Previously sentenced to 47 years for orchestrating armed home invasions, including a 2022 incident in which he zip-tied an elderly couple and stole over $150,000 in crypto, St Felix attacked the shackled witness in detention and bragged about it afterward. His total sentence now exceeds 50 years. Eleven gang members received a combined 191 years. Officials emphasized the severity of witness retaliation, underscoring its threat to judicial integrity. St Felix must also pay $524,153 in restitution.
Read full article: Theregister

Euro banks block billions in rogue PayPal direct debits after fraud glitch
A PayPal fraud-detection system failure led German banks to block around €10 billion in unauthorized direct debits this week, freezing transactions across Europe, primarily in Germany. The German Savings Banks Association confirmed the issue, noting PayPal resolved it by Tuesday, though the incident disrupted Europe’s largest economy, where PayPal dominates 28.5% of online payments. Concurrently, PayPal faces reputational damage amid unverified claims of a data leak exposing millions of credentials, prompting German consumer groups to advise password resets. While PayPal denied a breach, the incident highlights vulnerabilities in its fraud systems and user reliance on its payment protections over local banks’ services. Austrian banks reported no impact, suggesting the crisis was largely contained to Germany.
Read full article: Theregister


Security Setbacks of the Week

This week highlighted escalating cyber threats across sectors, with ransomware disrupting Nevada’s state infrastructure and Sweden’s municipal services, while third-party vulnerabilities enabled breaches at Farmers Insurance, Absolute Dental, and Google via Salesforce. High-profile data exposures impacted TransUnion (4.4M), HSGI (624K), and Discord (1.8B messages), underscoring risks of identity theft and phishing. Malware-laden apps on Google Play (19M downloads) and ShinyHunters’ corporate exploits further stressed systemic vulnerabilities. Despite enhanced monitoring and credit offers, recurring third-party lapses, low ransom payouts, and human errors like Kennedys Law’s email leak reveal persistent gaps in supply-chain security and incident response.


State of Nevada Faces IT Outage Amid Cyberattack, Offices Suspended
A significant cyberattack targeted Nevada’s state IT infrastructure, causing widespread network outages and disrupting government services. The incident forced the suspension of in-person operations and digital services across multiple agencies, with recovery efforts led by the Governor’s Technology Office. While emergency services remained functional, public access to websites and phone lines was inconsistent. Officials confirmed no evidence of compromised personal data but urged vigilance against scams. Recovery involves collaboration with federal and local partners, system validation, and phased restoration to prevent further breaches. The attack highlights ongoing cybersecurity challenges for public sector networks.
Read full article: Gbhackers

TransUnion Data Breach Compromises Over 4 million Customers
TransUnion experienced a significant data breach in July 2025, compromising sensitive personal information of over 4.4 million U.S. consumers, including 16,828 Maine residents. Exposed data included names and personal identifiers, heightening risks of identity theft, phishing, and social engineering attacks. The breach, detected during routine monitoring, did not involve financial account numbers. TransUnion notified affected individuals and Maine regulators, offering two years of free credit monitoring with identity theft insurance and restoration support. Regulatory scrutiny from federal agencies and state attorneys general is anticipated, alongside potential legal repercussions. TransUnion pledged enhanced cybersecurity investments and a forensic review to address vulnerabilities and prevent future incidents.
Read full article: Gbhackers

Massive Orange Belgium data breach may have hit over 850,000 customers – here’s what we know
Orange Belgium confirmed a cyberattack compromising data of approximately 850,000 customers, detected in late July 2025. Stolen information includes full names, phone numbers, SIM card numbers, PUK codes, and tariff plans, but excludes passwords, email addresses, or financial data. The breach occurred despite security measures, with affected customers notified via email or SMS. Orange stated the attack wasn’t linked to Chinese ‘typhoon’ threat actors and is withholding attacker details pending investigation. This follows prior breaches targeting Orange subsidiaries, including incidents involving compromised credentials and weak passwords. Law enforcement was notified, and internal investigations continue.
Read full article: Techradar

Farmers Insurance Breach Exposes Data of 1.1 million Customers via Salesforce Compromise
Farmers Insurance disclosed a data breach affecting 1.1 million customers after unauthorized access to a third-party vendor’s Salesforce database. The breach, detected on May 30, 2025, exposed PII including names, addresses, driver’s license numbers, and partial Social Security numbers. The entry vector has not been confirmed; the report speculates about credential stuffing or unpatched software preceding the data exfiltration. Farmers responded with forensic investigations, law enforcement engagement, and enhanced security measures like vendor audits. Affected customers are offered 24 months of identity monitoring via Cyberscout. The incident highlights risks of third-party dependencies in cloud ecosystems and underscores the need for robust encryption, access controls, and supply-chain security.
Read full article: Gbhackers

Nevada Dental Practice Notifying 1.2M of Hack
A Nevada dental practice, Absolute Dental, is notifying 1.2 million individuals of a breach involving a third-party managed services provider. Attackers exploited a compromised account linked to the vendor, deploying malicious software disguised as a legitimate tool, potentially through vishing tactics. Unauthorized access occurred between February and March 2025, exposing sensitive data, including health records, Social Security numbers, and financial details. Experts suggest similarities to recent Salesforce-related attacks but note the earlier timeline. The incident highlights third-party risks, credential compromise, and insufficient security controls. Legal actions, including a class-action lawsuit, are underway. Absolute Dental has not disclosed the vendor or tool involved.
Read full article: Bankinfosec

Electronics Manufacturer Data I/O Suffers Ransomware Breach
Data I/O Corporation, an electronics manufacturer, disclosed a ransomware attack detected on August 16, 2025, which disrupted operations and compromised internal systems. The company activated incident response protocols, isolated affected systems, and engaged cybersecurity experts to investigate potential entry points like phishing or unpatched vulnerabilities. While partial operations were restored, full recovery timelines remain uncertain due to challenges in decrypting data without paying ransoms. The breach may incur significant financial costs from recovery efforts, legal fees, and potential reputational damage. Data I/O emphasized compliance with breach notification regulations and highlighted risks to supply chains from ransomware targeting manufacturing sectors. The incident underscores the need for enhanced cyber defenses in industries reliant on interconnected operational technology.
Read full article: Gbhackers

Discord hackers claim to have leaked billions of messages as millions of users targeted – here’s what we know
A threat actor is selling 1.8 billion scraped Discord messages, 35 million user records, and related data on dark web forums, likely harvested from public servers. While much of the data may be publicly accessible, mass scraping violates Discord’s Terms of Service and risks breaching privacy laws like GDPR. The leak mirrors the earlier Spy.Pet incident, where Discord banned accounts and took legal action after a similar data-harvesting service was exposed in April 2024. Discord is expected to shut down this new operation, reiterating that scraping and self-botting are prohibited. The platform’s public server structure makes such data vulnerable to exploitation despite enforcement efforts. Cybersecurity experts warn users to remain cautious of potential misuse of exposed information.
Read full article: Techradar

Google warns that billions of Gmail accounts could be vulnerable after data breach
Google has warned that the ShinyHunters hacking group exploited a corporate Salesforce instance to breach data, potentially exposing billions of Gmail users. The breach, occurring during a limited window, compromised publicly available business information like names and contact details of small and medium-sized businesses. While no sensitive data was accessed, affected users face heightened risks of phishing, social engineering, and extortion attempts, often involving demands for bitcoin. Google has notified impacted parties and urged password resets and enhanced security measures. ShinyHunters, linked to recent attacks on Santander, AT&T, and Allianz, may escalate tactics by launching a data leak site to pressure victims. The group’s activity highlights ongoing threats to corporate systems and third-party platforms like Salesforce.
Read full article: Techradar

Malware-ridden apps made into Google’s Play Store, scored 19 million downloads
Cloud security firm Zscaler identified 77 malware-laden apps on Google Play Store, downloaded over 19 million times, including updated Anatsa banking trojan variants. Anatsa employs keyloggers, SMS interception, and anti-detection techniques, evading Google’s scans via code obfuscation and dynamic payload delivery. The malware targets 831 global financial institutions. Despite Google claiming prior detection, Zscaler’s findings question Play Store security. Joker malware remains prevalent, focusing on credential theft. While third-party app stores are riskier, Google and Apple (noted for a separate crypto-draining malware incident) face ongoing challenges in blocking sophisticated threats, highlighting persistent vulnerabilities in official platforms.
Read full article: Theregister

Ransomware crooks knock Swedish municipalities offline for measly sum of $168K
A ransomware attack on Swedish IT supplier Miljödata disrupted HR, sick leave, and incident reporting systems for 80% of Sweden’s municipalities, affecting 200 of 290 councils. Attackers demanded $168,000 (1.5 Bitcoin), a notably low sum compared to typical ransomware demands. Sensitive data, including medical certificates and work injury reports, may have been leaked, though Miljödata claims no evidence of theft. The incident highlights risks of centralized IT providers as single points of failure, causing widespread operational chaos. Swedish authorities, including police and CERT-SE, are investigating, while new cybersecurity legislation is proposed to address vulnerabilities. The attack underscores how even modest ransom demands can cripple critical infrastructure.
Read full article: Theregister

Law firm email blunder exposes Church of England abuse victim details
A London law firm, Kennedys Law, exposed email addresses of 194 individuals and law firms involved in a Church of England (CoE) abuse redress scheme due to a “human error,” failing to fully recall the message. The breach impacted victims seeking redress for historical abuse by clergy, prompting apologies, regulatory notifications, and an internal investigation. The CoE, though not the data controller, expressed deep concern and pledged collaboration to prevent recurrence. This incident adds to longstanding failures in safeguarding abuse victims, following past critiques by the Independent Inquiry into Child Sexual Abuse. It also reflects recurring email security lapses in the UK, such as the MoD’s 2021 Afghan interpreter data leak. The breach underscores systemic risks in handling sensitive data and the need for improved email protocols.
Read full article: Theregister


The New Emerging Threats

Emerging threats increasingly leverage AI and trusted platforms to enhance attack sophistication, with AI-powered ransomware generating adaptive payloads and autonomous agents conducting hyper-personalized social engineering. Cybercriminals exploit global events (e.g., FIFA World Cup) and legitimate services (Google Classroom, Microsoft Teams) to bypass defenses via typosquatting, malicious domains, and phishing campaigns. State-aligned actors (Salt Typhoon, Lazarus Group) target critical infrastructure and diplomacy through infostealers, legacy vulnerabilities, and cross-platform malware. Concurrently, Android droppers and evasive tactics like delayed payloads challenge traditional detection. These trends underscore the urgent need for AI-driven behavioral analysis, multi-layered defenses, and international cooperation to counter adaptive, AI-fueled cyber risks.


First AI-Powered Ransomware “PromptLock” Uses OpenAI gpt-oss-20b for Encryption
PromptLock, identified by ESET Research, is the first AI-powered ransomware leveraging OpenAI’s gpt-oss-20b model locally via the Ollama API. It dynamically generates malicious Lua scripts for system enumeration, file inspection, data exfiltration, and encryption using the SPECK cipher, avoiding pre-compiled code. The ransomware targets Windows, Linux, and macOS, exploiting Lua’s cross-platform efficiency. While likely a proof-of-concept, it highlights evolving threats using AI to craft real-time, adaptive payloads. ESET warns of future risks as AI models become more accessible, urging enhanced security measures for local AI deployments and monitoring of script-generation anomalies.
Read full article: Gbhackers

Hackers Register Domains to Target 2026 FIFA World Cup in Cyberattack
A significant increase in malicious domain registrations targeting the 2026 FIFA World Cup has been detected, with cybercriminals exploiting global anticipation for the event. Research by PreCrime Labs identified 498 suspicious domains using terms like “FIFA,” “football,” and “worldcup,” many registered over a year in advance to build false legitimacy. Threats include counterfeit merchandise scams, illegal streaming platforms distributing malware, and unlicensed gambling sites facilitating financial fraud. Attackers employ typosquatting (e.g., “fifaworldcupstadiucom”) and geographic targeting of host cities like Dallas and Mexico. Domains referencing future tournaments (2030, 2034) suggest long-term planning. Experts urge proactive domain monitoring, official ticket purchases, and caution against unofficial platforms to mitigate risks.
Read full article: Gbhackers

AI Waifu RAT Exploits Users with Advanced Social Engineering Tactics
A new malware campaign dubbed “AI Waifu RAT” targets AI role-playing communities using advanced social engineering. The remote access trojan masquerades as an AI interaction tool, exploiting users’ trust in innovation. Attackers, posing as legitimate researchers, marketed the malware as enabling AI characters to interact with real-world systems, convincing victims to disable antivirus protections. The RAT grants attackers full system access via plain-text HTTP commands, enabling arbitrary code execution and file exfiltration. The threat actor employed evasion tactics, migrating across platforms and using aliases to avoid detection. This incident underscores how cybercriminals exploit AI enthusiasm and community trust to bypass security defenses.
Read full article: Gbhackers

APT Groups Weaponize Infostealer Malware in Precision Attacks
APT groups are increasingly repurposing infostealer malware for targeted espionage against global diplomatic entities. Recent campaigns have compromised Ministry of Foreign Affairs credentials across Saudi Arabia, South Korea, UAE, Qatar, and Oman via phishing or malicious downloads. Stolen credentials enable state-aligned actors to craft convincing attacks, as seen in a 2025 Omani embassy breach used to target UN and World Bank entities with malware. Similarly, India-Pakistan tensions saw Bitter APT exploit stolen law enforcement credentials to infiltrate critical infrastructure. These incidents highlight infostealers’ role in geopolitical warfare, allowing APT groups to bypass security via legitimate credentials. The trend underscores the urgent need for enhanced threat detection, diplomatic cybersecurity protocols, and international cooperation to mitigate risks to global stability.
Read full article: Gbhackers

Chinese Telecom Hackers Strike Worldwide
Chinese state-linked hackers, tracked as Salt Typhoon, targeted global telecom networks and critical infrastructure sectors by exploiting known vulnerabilities in Cisco, Ivanti, and Palo Alto devices. The Five Eyes alliance and European agencies warned of their persistent access to track communications and movement. Over 200 U.S. organizations and 80 countries were impacted, with hackers leveraging outdated vulnerabilities like CVE-2018-0171. Techniques included modifying network access controls, disabling logs, and creating privileged accounts. Private contractors linked to Chinese intelligence agencies facilitated the attacks. Despite claims of remediation, risks remain due to hackers’ evasion tactics and reliance on legacy vulnerabilities.
Read full article: Bankinfosec

Lazarus Group Targets Windows 11 with ClickFix Tactics and Fake Job Offers
The Lazarus Group (APT-Q-1) has launched a social engineering campaign targeting Windows 11 and macOS users via fake job offers on social media. Victims are lured to phishing sites prompting them to resolve a fabricated camera issue, leading to malware deployment. Attackers use a malicious script disguised as an Nvidia update to deliver payloads like BeaverTail (infostealer) and InvisibleFerret (Trojan), which exfiltrate data and establish persistence. The campaign employs cross-platform tactics, leveraging Node.js on Windows and ARM architecture mimicry on macOS. C2 servers and registry modifications ensure long-term access. Organizations are advised to scrutinize job-related communications, avoid executing untrusted scripts, and deploy threat detection tools to counter such threats.
Read full article: Gbhackers

Hackers Exploit Email Marketing Platforms to Deliver Hidden Malware
Recent phishing campaigns increasingly exploit legitimate email marketing platforms like Klaviyo and Drip Global to mask malicious links, bypassing traditional defenses. Attackers use tracking domains (e.g., klclick3.com, dripemail2.com) to redirect victims to credential harvesting pages, often incorporating dynamic content like company logos and disabling right click analysis. Cloud services such as Amazon S3 host phishing pages mimicking trusted platforms, while compromised domains leverage CAPTCHA challenges to delay detection. Trustwave SpiderLabs employs its PageML system to detect these threats through real-time URL and content analysis. Mitigation strategies include advanced URL scanning, monitoring third-party email links, user training, and scrutinizing cloud traffic. These evolving tactics highlight the need for adaptive, multi-layered security measures.
Read full article: Gbhackers
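To make the indicators above concrete, here is an added example (not Trustwave’s PageML or any code from the report) that applies three of the heuristics to HTML: links in an email routed through the tracking domains the report names, a landing page that disables the context menu, and a credential form that posts to an S3 hostname while the page text impersonates a brand. The email and landing-page HTML are constructed for the example; the bucket name, paths and query parameters are invented.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tracking domains named in the report. Any other entry here would be an assumption.
KNOWN_TRACKING_DOMAINS = {"klclick3.com", "dripemail2.com"}
# S3 is the only cloud host the report names, so it is the only suffix listed.
CLOUD_STORAGE_SUFFIXES = (".amazonaws.com",)

# Constructed sample email: the tracking hostname uses a domain from the report,
# the path and parameters are made up.
SAMPLE_EMAIL_HTML = """
<p>A shared file is waiting for you.</p>
<a href="https://trk.klclick3.com/ls/click?upn=abc123">Review document</a>
<a href="https://www.example.com/unsubscribe">Unsubscribe</a>
"""

# Constructed landing page in the shape the report describes. Bucket and path are invented.
SAMPLE_LANDING_PAGE = """
<html><body oncontextmenu="return false">
<h1>Microsoft 365 - Sign in to view the document</h1>
<form action="https://docs-share-2025.s3.amazonaws.com/login.php" method="post">
<input name="email"><input name="password" type="password"><button>Sign in</button>
</form></body></html>
"""


def _host_matches(host, domains):
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in domains)


class _Collector(HTMLParser):
    """Collects links, form actions, visible text and any right-click suppression."""

    def __init__(self):
        super().__init__()
        self.links, self.form_actions, self.text = [], [], []
        self.right_click_disabled = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])
        if "oncontextmenu" in a:            # inline handler, e.g. oncontextmenu="return false"
            self.right_click_disabled = True

    def handle_data(self, data):
        if "oncontextmenu" in data.lower():  # script-assigned handler inside <script>
            self.right_click_disabled = True
        self.text.append(data)


def _parse(html):
    c = _Collector()
    c.feed(html)
    c.close()
    return c


def tracking_links(email_html):
    """Links in an email whose host is (a subdomain of) a known tracking domain.
    These are the hops that hide the real destination from a static URL filter."""
    c = _parse(email_html)
    return [u for u in c.links
            if _host_matches(urlsplit(u).hostname, KNOWN_TRACKING_DOMAINS)]


def landing_page_findings(page_html, brand_keywords):
    """Apply the report's page-level heuristics; returns a list of finding tags."""
    c = _parse(page_html)
    findings = []
    if c.right_click_disabled:
        findings.append("right_click_disabled")
    cloud_form = any(
        (urlsplit(a).hostname or "").lower().endswith(CLOUD_STORAGE_SUFFIXES)
        for a in c.form_actions
    )
    if cloud_form:
        findings.append("form_posts_to_cloud_storage")
    text = " ".join(c.text).lower()
    if cloud_form and any(k.lower() in text for k in brand_keywords):
        findings.append("impersonated_brand_posts_to_cloud_storage")
    return findings


if __name__ == "__main__":
    print(tracking_links(SAMPLE_EMAIL_HTML))
    print(landing_page_findings(SAMPLE_LANDING_PAGE, ["Microsoft 365"]))
```

A tracking-domain link is not malicious on its own, since the same hops carry legitimate newsletters; the useful signal is a tracking hop whose final destination, once followed in a sandbox, lands on a page that trips the second function.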

Threat Actors Update Android Droppers to Remain Effective with Even Simple Malware
Threat actors are enhancing Android droppers to bypass security measures, adapting them for simpler malware like SMS stealers and spyware. These droppers initially appear harmless, evading pre-installation scans by avoiding risky permissions, then fetch malicious payloads post-installation. Google’s Pilot Program in high-risk regions aims to block suspicious apps but struggles with droppers’ delayed activation. Examples include RewardDropMiner, which streamlined to evade detection, and SecuriDropper, exploiting Android APIs. Attackers exploit timing gaps between installation and payload deployment, emphasizing the need for behavioral analysis over static scans. This evolution underscores the necessity for dynamic, multi-layered defenses to counter increasingly adaptable dropper tactics.
Read full article: Gbhackers

New ZipLine Campaign Targets Critical Manufacturing Firms with In-Memory MixShell Malware
Check Point Research identified the ZipLine phishing campaign targeting U.S. critical manufacturing firms via manipulated “Contact Us” web forms. Attackers impersonate partners, using prolonged AI-themed email exchanges to deliver malicious ZIP files containing LNK shortcuts. These trigger PowerShell scripts deploying MixShell, an in-memory backdoor leveraging DNS TXT tunneling for stealthy C2 communication. The malware evades detection via AMSI bypass, ROR4 API hashing, and sandbox checks, persisting through registry hijacking. Focused on supply chain sectors, the campaign aims to steal proprietary data, emphasizing the need for monitoring email anomalies and DNS patterns.
Read full article: Gbhackers
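The DNS-pattern monitoring the item ends on, as an added example that is not Check Point’s code or anything recovered from the campaign: a TXT-based C2 channel shows up in resolver logs as one client making many TXT lookups to distinct, random-looking subdomains of a single registrable domain. The function below aggregates a query log per (client, domain) and flags that shape. The log lines, the domain c2-example.net and the thresholds are constructed assumptions to tune against your own resolver baseline.

```python
import math
from collections import defaultdict

# Constructed DNS query log for the example: (client_ip, query_name, query_type).
# None of these names or addresses come from the ZipLine report.
SAMPLE_QUERIES = [
    ("10.0.0.12", "www.example.com", "A"),
    ("10.0.0.12", "_dmarc.example.com", "TXT"),
    ("10.0.0.12", "selector1._domainkey.example.com", "TXT"),
    ("10.0.0.12", "api.example.com", "AAAA"),
] + [
    # One host making TXT lookups to a stream of distinct hex-like subdomains,
    # the shape a TXT-based C2 channel produces. c2-example.net is an assumed name.
    ("10.0.0.7", f"{label}.c2-example.net", "TXT")
    for label in (
        "4f9a2c7e1b8d3a6f", "9b1e7c3d5a2f8e4b", "c3d7a1f9e2b6d4c8",
        "e8b2f6a4c1d9e3b7", "1a5c9e3b7d2f6a8c", "6d2b8f4a1c7e3d9b",
        "b7e1d5c9a3f2b8e4", "3c8a6e2d4b9f1c7a", "f4a8c2e6b1d3f9a5",
        "8e2d6b4a9c1f7e3d", "2b6f4a8e1c9d3b5f", "d1c5a9e3f7b2d6c4",
    )
]


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded or random-looking labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_domain(qname: str) -> str:
    """Simplification for the example: the last two labels. Production code should
    consult the Public Suffix List so that names like example.co.uk group correctly."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def subdomain_part(qname: str, base: str) -> str:
    q = qname.rstrip(".").lower()
    return q[: -(len(base) + 1)] if q.endswith("." + base) else ""


def detect_txt_tunnels(queries, min_unique=8, min_txt_share=0.8, min_entropy=3.0):
    """Flag (client, domain) pairs whose traffic is mostly TXT lookups to many
    distinct high-entropy subdomains. The thresholds are assumptions."""
    stats = defaultdict(lambda: {"total": 0, "txt": 0, "subs": set()})
    for client, qname, qtype in queries:
        base = registrable_domain(qname)
        st = stats[(client, base)]
        st["total"] += 1
        if qtype.upper() == "TXT":
            st["txt"] += 1
            sub = subdomain_part(qname, base)
            if sub:
                st["subs"].add(sub)

    findings = []
    for (client, base), st in stats.items():
        if not st["subs"]:
            continue
        txt_share = st["txt"] / st["total"]
        mean_entropy = sum(shannon_entropy(s) for s in st["subs"]) / len(st["subs"])
        if (len(st["subs"]) >= min_unique
                and txt_share >= min_txt_share
                and mean_entropy >= min_entropy):
            findings.append({
                "client": client,
                "domain": base,
                "unique_subdomains": len(st["subs"]),
                "txt_share": round(txt_share, 2),
                "mean_entropy": round(mean_entropy, 2),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_txt_tunnels(SAMPLE_QUERIES):
        print(finding)
```

Entropy alone is a weak signal (a legitimate DKIM selector label scores as high as a hex blob); it is the combination of TXT share, the count of never-repeated subdomains and entropy, over a window, that separates a C2 channel from SPF and DKIM lookups.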

Hackers are also going back to school – major campaign hijacks Google Classroom to hit targets
A large-scale phishing campaign exploiting Google Classroom’s infrastructure targeted over 13,500 organizations globally, distributing 115,000 malicious emails disguised as commercial offers. Attackers leveraged the platform’s legitimacy to bypass security tools, focusing on students and educators. Check Point highlighted the use of social engineering tactics, including fake SEO and product pitches, to evade detection. The campaign utilized malvertising, rendering traditional email filters ineffective. Experts recommend multi-layered defenses, AI-powered detection, and employee training to counter such threats. This incident underscores the growing trend of weaponizing trusted cloud services for phishing.
Read full article: Techradar

Microsoft Teams Abused in Cyberattack Delivering PowerShell-Based Remote Access Malware
Cybercriminals are exploiting Microsoft Teams to deliver PowerShell-based malware by impersonating IT support via chat or voice calls, bypassing traditional security measures. Attackers use social engineering to trick users into installing remote access tools like AnyDesk, enabling system control and deployment of multi-stage malware. The payload facilitates credential theft, persistence via scheduled tasks or registry keys, and data exfiltration using AES encryption. Linked to groups like EncryptHub (Water Gamayun), the malware employs tactics such as marking processes as critical to hinder termination. Defenders can detect suspicious Teams activity via indicators like external user interactions and monitor hardcoded cryptographic keys. Organizations are urged to enhance Teams security policies, block suspicious tenants, and educate users on external communication risks.
Read full article: Gbhackers


Vulnerability Spotlight: Critical Exposures Unveiled

Critical vulnerabilities across cloud, browser, and software ecosystems dominated the threat landscape, with active exploitation targeting Citrix NetScaler (CVE-2025-7775), Chrome V8 (CVE-2025-5419), and FreePBX. High-risk flaws in Next.js, Securden PAM, and IBM Watsonx exposed authentication bypass, code execution, and SQLi risks, while supply chain attacks via malicious npm packages and compromised Nx tools highlighted persistent software trust challenges. Multiple zero-days, public PoCs, and delayed patches amplified urgency for immediate updates, layered defenses, and enhanced input validation to mitigate widespread compromise of critical infrastructure and data.


Citrix NetScaler ADC and Gateway Hit by Ongoing Attacks Exploiting 0-Day RCE
Cloud Software Group has issued an emergency alert regarding active exploitation of three critical vulnerabilities (CVE-2025-7775, CVE-2025-7776, CVE-2025-8424) in Citrix NetScaler ADC and Gateway. CVE-2025-7775 (CVSS 9.2), a memory overflow flaw enabling unauthenticated remote code execution, is being actively exploited. The vulnerabilities impact devices configured as VPN gateways, load balancers, or AAA servers with IPv6 support. Two other high-severity flaws risk denial-of-service and improper access control. Patches are available for affected versions (12.1–14.1), with no workarounds provided. Researchers from Horizon3.ai and others identified the issues. Organizations must prioritize immediate patching to mitigate compromise risks.
Read full article: Gbhackers

PoC Exploit Published for Chrome 0-Day Already Under Active Attack
A high-severity Chrome zero-day vulnerability (CVE-2025-5419) in the V8 JavaScript engine, enabling heap corruption via malicious HTML, is under active exploitation. The flaw, involving out-of-bounds read/write weaknesses, allows attackers to execute arbitrary code, compromising browser processes and user data. A public PoC exploit was released, increasing risks of widespread weaponization. Google issued an interim patch but has not clarified fixed versions, leaving organizations uncertain about protection. Mitigations like disabling JavaScript impair functionality, so the advice is to rely on rapid patch deployment and traffic monitoring. Organizations must prioritize updates and consider browser isolation to mitigate threats until an official patch is released.
Read full article: Gbhackers

Critical Next.js Framework Vulnerability Let Attackers Bypass Authorization
A critical vulnerability (CVE-2025-29927) in the Next.js framework allows attackers to bypass authorization by exploiting improper handling of the x-middleware-subrequest header. This flaw enables malicious actors to craft HTTP requests that trick middleware into skipping authentication checks, granting unauthorized access to protected resources. Affected versions span three ranges (≤12.2, from 12.2 up to but excluding 13.2.0, and ≥13.2.0), with the exploitation method differing by range. Attackers can access sensitive admin panels, modify configurations, or steal data, particularly in systems relying solely on middleware for security. The vulnerability, rated CVSS 9.8, underscores the need for layered security and immediate patching.
Read full article: Cybernews

FreePBX Servers Hit by 0-Day Exploit, Disable Internet Access Advised
A critical 0-day vulnerability in FreePBX’s Endpoint Manager module allows unauthenticated remote code execution, prompting urgent advisories to disable public internet access. Affecting versions 16 and 17 with exposed ports 80/443, the exploit enables privilege escalation, backdoor deployment, and data exfiltration. Initial compromises were detected from August 21, with anomalous POST requests to modular.php. Sangoma released patch commands for v16 (16.0.88.19) and v17 (17.0.2.31) and advised checking systems for malicious “.clean.sh” files, suspicious logs, and unauthorized database entries. Mitigation includes restricting admin panel access via trusted IPs, VPNs, or VLANs, and restoring from pre-attack backups. A full security update is pending, with credential rotation and system reinstallation recommended post-compromise.
Read full article: Gbhackers
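An added example, not Sangoma's tooling or anything from the article: a scan over web server access logs for the two indicators the advisory gives defenders, plus a check that nothing outside the trusted management addresses reaches the admin panel at all. The placement of modular.php under /admin is an assumption, and the trusted IP and log lines are constructed.

```javascript
// Added example; not Sangoma's code or the advisory's script. It scans an
// Apache/nginx combined-format access log for the indicator the advisory
// names (unexpected POST requests reaching modular.php) and for any admin
// panel access from outside the trusted management network. The request path
// under /admin and the log lines are constructed for the demo.
const LOG_LINE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)/;

function parseLogLine(line) {
  const m = LOG_LINE.exec(line);
  if (!m) return null;
  const [, ip, time, method, target, status] = m;
  return { ip, time, method, path: target.split('?')[0], status: Number(status) };
}

// trustedIps: addresses allowed to reach /admin at all (VPN egress, management LAN).
function scanAccessLog(logText, trustedIps) {
  const trusted = new Set(trustedIps);
  const findings = [];
  for (const line of logText.split('\n')) {
    const e = parseLogLine(line.trim());
    if (!e || trusted.has(e.ip)) continue;
    if (e.method === 'POST' && e.path.endsWith('/modular.php')) {
      findings.push({ ...e, reason: 'POST to modular.php from untrusted IP' });
    } else if (e.path.startsWith('/admin/')) {
      findings.push({ ...e, reason: 'admin panel reached from untrusted IP' });
    }
  }
  return findings;
}

// Second indicator from the advisory: dropped ".clean.sh" files. Feed it the
// output of a filesystem walk such as `find / -name '*.clean.sh'`.
function suspiciousFiles(paths) {
  return paths.filter((p) => /\.clean\.sh$/.test(p));
}

const TRUSTED_IPS = ['10.20.0.5']; // constructed management host
const SAMPLE_LOG = [               // constructed log lines
  '10.20.0.5 - - [21/Aug/2025:02:55:10 +0000] "GET /admin/config.php HTTP/1.1" 200 8421 "-" "Mozilla/5.0"',
  '203.0.113.9 - - [21/Aug/2025:03:14:07 +0000] "POST /admin/modular.php HTTP/1.1" 200 512 "-" "python-requests/2.32"',
  '203.0.113.9 - - [21/Aug/2025:03:14:09 +0000] "POST /admin/modular.php?cmd=1 HTTP/1.1" 200 77 "-" "python-requests/2.32"',
  '198.51.100.4 - - [21/Aug/2025:03:20:44 +0000] "GET /admin/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
  '198.51.100.4 - - [21/Aug/2025:03:21:02 +0000] "GET /ucp/ HTTP/1.1" 200 3210 "-" "Mozilla/5.0"',
].join('\n');

const findings = scanAccessLog(SAMPLE_LOG, TRUSTED_IPS);
for (const f of findings) console.log(`${f.time} ${f.ip} ${f.method} ${f.path} -> ${f.reason}`);
console.log(suspiciousFiles(['/var/www/html/.clean.sh', '/etc/asterisk/sip.conf']));
```

Run it against the Apache or nginx access log from before August 21 onward; any hit from an address that is not on the VPN or management LAN is a reason to treat the host as compromised and restore from a pre-attack backup, as the advisory recommends, rather than only removing the dropped files.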

Malicious npm Package Impersonates Popular Nodemailer, Puts 3.9M Weekly Downloads at Risk of Crypto Theft
A malicious npm package named "nodejs-smtp" impersonates Nodemailer, a library with roughly 3.9 million weekly downloads, copying its functionality and documentation so that it works as a drop-in replacement and evades casual review. On Windows hosts where Atomic Wallet is installed it patches the wallet's code so that Bitcoin, Ethereum, and other transactions are silently redirected to attacker-controlled addresses. Because the modification lives inside the wallet, uninstalling the package does not undo it; the wallet must be fully reinstalled. A plausible name and the chance that an AI coding assistant recommends it in place of the real library raise the infection risk. Security researchers urge stronger supply chain controls, including real-time scanning and behavior monitoring of installed packages. At the time of the report the package was still live on npm, a reminder that crypto ecosystems remain a prime target for supply chain attacks.
Read full article: Gbhackers

Securden Unified PAM Flaw Allows Attackers to Bypass Authentication
Securden Unified PAM was found to have four critical vulnerabilities (CVE-2025-53118 and CVE-2025-6737 among them) enabling authentication bypass, arbitrary code execution, and cross-tenant exploitation. Rapid7 researchers identified the flaws in versions 9.0.x through 11.3.1: unauthenticated session hijacking via manipulated cookies, unrestricted file upload, path traversal, and shared-infrastructure risk in multi-tenant gateways. An attacker could exfiltrate decrypted credentials, execute OS commands through malicious scripts, and use static SSH keys to move into internal networks. Patches shipped in version 11.4.4 following coordinated disclosure. Because a PAM system holds the credentials for everything else, these flaws translate directly into ransomware, data breach, and supply chain risk, so the update is urgent. The research also highlighted broader gaps in input validation and access controls.
Read full article: Gbhackers

PhpSpreadsheet Library Vulnerability Lets Attackers Inject Malicious HTML Input
An SSRF vulnerability (CVE-2025-54370) in the PhpSpreadsheet library lets attackers supply HTML through the Drawing::setPath method that is processed without validation. Crafted HTML containing image tags whose sources point at internal network addresses makes the server fetch those resources, exposing internal systems, bypassing network controls, and revealing infrastructure details. phpoffice/phpspreadsheet up to 3.8.0 is affected; the flaw scores 7.5 on CVSS v3.1 and 8.7 on CVSS v4.0. Mitigation is to upgrade to a patched release and, in the application, validate the supplied content and allowlist the hosts that image URLs may reference. The issue highlights the risk of processing user-supplied HTML without safeguards.
Read full article: Gbhackers
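The allowlisting the advisory recommends, as an added example written in JavaScript rather than PhpSpreadsheet's PHP (it is not the library's code): it extracts img sources from HTML and refuses anything that is not an http(s) URL to a public hostname, optionally restricted to an allowlist. The blocked ranges, host rules and sample HTML are my own choices.

```javascript
// Added example; not PhpSpreadsheet code. It implements the URL allowlisting
// the advisory recommends as a stand-alone check over the <img src> values in
// a piece of HTML. The blocked ranges, host rules and sample HTML are my own.
const BLOCKED_V4 = [ // [network, prefix length]
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16], ['224.0.0.0', 3],
];

function ipv4ToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4 || parts.some((p) => !/^\d{1,3}$/.test(p) || Number(p) > 255)) return null;
  return parts.reduce((acc, p) => acc * 256 + Number(p), 0);
}

function inCidr(ip, [network, bits]) {
  const a = ipv4ToInt(ip), n = ipv4ToInt(network);
  if (a === null || n === null) return false;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((a & mask) >>> 0) === ((n & mask) >>> 0);
}

// Decide whether a fetcher may retrieve `src`. Returns { ok, reason }.
// The WHATWG URL parser canonicalises hosts first, so decimal (2130706433),
// hex (0x7f000001) and short (127.1) spellings of 127.0.0.1 all reach the
// IPv4 check as "127.0.0.1".
function isSafeImageSource(src, { allowedHosts = null } = {}) {
  let url;
  try { url = new URL(src); } catch { return { ok: false, reason: 'not an absolute URL' }; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return { ok: false, reason: `scheme ${url.protocol}` };
  if (url.username || url.password) return { ok: false, reason: 'credentials in URL' };
  const host = url.hostname.toLowerCase();
  if (host.startsWith('[')) return { ok: false, reason: 'IPv6 literal' }; // conservative: refuse all v6 literals
  if (host === 'localhost' || host.endsWith('.localhost') || host.endsWith('.internal') || !host.includes('.')) {
    return { ok: false, reason: 'local or single-label host' };
  }
  if (ipv4ToInt(host) !== null && BLOCKED_V4.some((r) => inCidr(host, r))) {
    return { ok: false, reason: 'non-public IPv4' };
  }
  if (allowedHosts && !allowedHosts.includes(host)) return { ok: false, reason: 'host not allowlisted' };
  return { ok: true, reason: 'ok' };
}

// Pull src attributes out of <img> tags (quoted or bare values).
function extractImageSources(html) {
  const re = /<img\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1] ?? m[2] ?? m[3]);
  return out;
}

const vetHtmlImages = (html, opts) =>
  extractImageSources(html).map((src) => ({ src, ...isSafeImageSource(src, opts) }));

const SAMPLE_HTML = ` // constructed input
<p>Q3 figures</p>
<img src="https://cdn.example.org/logo.png">
<img src='http://169.254.169.254/latest/meta-data/'>
<img src=http://2130706433/secret>
<img src="file:///etc/passwd">
<img src="http://[::1]:8080/x">
<img src="http://intranet/index.html">`;

for (const r of vetHtmlImages(SAMPLE_HTML)) console.log(r.ok ? 'ALLOW' : 'BLOCK', r.src, '-', r.reason);
```

Two caveats the check cannot cover on its own: a public hostname can resolve to an internal address at fetch time (DNS rebinding), so the fetcher should apply the same range test to the resolved address, and a public host can redirect to an internal one, so redirects must either be disabled or re-validated hop by hop.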

AppSuite PDF Editor Exploit Lets Hackers Run Arbitrary Commands
A sophisticated backdoor in AppSuite PDF Editor enables attackers to execute arbitrary commands on Windows systems. Disguised as a legitimate productivity tool, it was distributed via compromised PDF websites using a deceptive MSI installer. The malware establishes persistence via scheduled tasks and communicates with a command-and-control (C2) server to fetch encrypted command templates, enabling credential theft, registry modifications, and additional malware deployment. Obfuscated JavaScript (pdfeditor.js) and helper DLLs facilitate backdoor operations, with minimal code dedicated to the PDF editor’s GUI. The official uninstaller fails to remove all components, necessitating full system reimaging. This incident highlights risks of trojanized productivity software and the need for heightened vendor/user scrutiny.
Read full article: Gbhackers

NPM packages from Nx targeted in latest worrying software supply chain attack
A software supply chain attack hit Nx's open-source development tools: stolen publishing tokens were used to release malicious versions of its NPM packages. The payload harvested GitHub and NPM tokens, SSH keys, and crypto wallet data from developer machines. The packages were live for about four hours before NPM removed them, but by then more than 1,000 GitHub tokens and 20,000 files had been stolen, including from Fortune 500 companies. Researchers noted that the malware drove locally installed AI CLI tools (e.g., Claude, Gemini) to automate reconnaissance and collection, a novel technique. Maintainers had 2FA enabled, but a publishing token authenticates on its own, so its theft sidestepped that control. Affected users are advised to contact Nx support for remediation.
Read full article: Techradar
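Both this incident and the nodejs-smtp case above come down to what a package runs at install time and what name it carries. The following is an added example (not code from Nx, Nodemailer, or either article) of a pre-install audit over a resolved dependency set; the popular-package list, package names, versions and scripts are constructed.

```javascript
// Added example (not from either report) of a pre-install audit a CI job can
// run over a resolved dependency set. Package names, versions and scripts are
// constructed. The two checks map to the two incidents: install-time
// lifecycle scripts (the vector the Nx payload used) and names that shadow
// well-known packages (the Nodemailer impersonator).
const POPULAR = ['nodemailer', 'lodash', 'express', 'axios', 'chalk']; // use your own allowlist in practice
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];
const RISKY_CMD = /\b(curl|wget|sh -c|bash -c|node -e|powershell|base64 -d)\b|\|\s*(ba)?sh\b/i;

// Edit distance, used to catch one- or two-character typosquats.
function levenshtein(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1,
                         d[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1));
    }
  }
  return d[a.length][b.length];
}

// Strip scope and separators so "node-mailer" and "nodemailer" compare equal.
const bareName = (n) => n.replace(/^@[^/]+\//, '').replace(/[-_.]/g, '').toLowerCase();

// Returns the popular package this name resembles, or null if it is exact or unrelated.
function shadowsPopularPackage(name) {
  if (POPULAR.includes(name)) return null;
  const bare = bareName(name);
  for (const p of POPULAR) {
    const pb = bareName(p);
    if (bare === pb || levenshtein(bare, pb) <= 2) return p;
  }
  return null;
}

function auditPackage(pkg) {
  const issues = [];
  const scripts = pkg.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (!(hook in scripts)) continue;
    const severity = RISKY_CMD.test(scripts[hook]) ? 'high' : 'medium';
    issues.push({ name: pkg.name, severity, detail: `${hook}: ${scripts[hook]}` });
  }
  const shadowed = shadowsPopularPackage(pkg.name);
  if (shadowed) issues.push({ name: pkg.name, severity: 'high', detail: `name resembles ${shadowed}` });
  return issues;
}

const auditDependencySet = (pkgs) => pkgs.flatMap(auditPackage);

const SAMPLE_PACKAGES = [ // constructed; the shape you get from `npm ls --json` joined with each package.json
  { name: 'nodemailer', version: '7.0.5', scripts: {} },
  { name: 'nodemailr', version: '7.0.5', scripts: {} },
  { name: '@example/dev-tool', version: '1.2.0', scripts: { postinstall: 'node -e "require(\'./telemetry\')()"' } },
  { name: 'express', version: '4.21.0', scripts: { postinstall: 'node scripts/check-engine.js' } },
  { name: 'left-pad-ish', version: '0.1.0', scripts: { build: 'tsc' } },
];

for (const issue of auditDependencySet(SAMPLE_PACKAGES)) {
  console.log(`[${issue.severity}] ${issue.name}: ${issue.detail}`);
}
```

In CI, run the audit before `npm ci --ignore-scripts` and keep an explicit exception list for packages that genuinely need an install hook. The check catches what lands on the machine; the root of the Nx compromise, a long-lived publishing token, is addressed by moving to short-lived, scoped tokens, which no install-time check can substitute for.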

IBM Watsonx Vulnerability Lets Attackers Inject Malicious SQL Queries
A blind SQL injection vulnerability (CVE-2025-0165, CVSS 7.6) was identified in the IBM Watsonx Orchestrate Cartridge for IBM Cloud Pak for Data. The flaw stems from improper input sanitization and lets a low-privileged attacker inject SQL through exposed APIs, potentially reading, modifying, or deleting sensitive data in the backend database. Affected versions are 4.8.4–4.8.5 and 5.0.0–5.2. IBM urges an immediate upgrade to the patched 5.2.0.1 release, as no workaround exists. Supporting steps include reviewing database logs for unusual queries, deploying a WAF with SQLi rules, and enforcing least-privilege database accounts. The vulnerability highlights that AI-driven workflows inherit classic web application risks and need the same patch discipline.
Read full article: Cybernews


In-Depth Expert CTI Analysis

Recent cyber threat intelligence highlights intensified global law enforcement actions against cybercrime-as-a-service ecosystems, evidenced by the dismantling of VerifTools and international collaboration in high-profile extraditions. Ransomware and supply chain attacks surged, targeting critical infrastructure, healthcare, and manufacturing sectors, while AI-powered threats emerged with tools like PromptLock ransomware and autonomous social engineering agents. State-sponsored actors, including APT29 and Lazarus Group, exploited vulnerabilities in telecom and cloud systems, underscoring persistent nation-state espionage risks. Widespread software vulnerabilities in platforms like Citrix NetScaler, Chrome V8, and Next.js necessitated urgent patching amid active exploitation. Phishing campaigns weaponized trusted services like Google Classroom and Microsoft Teams, emphasizing the need for adaptive defenses against evolving social engineering tactics.


Proactive Defense and Strategic Foresight

Proactive defense demands leveraging threat intelligence to anticipate adversarial tactics, as seen in APT29's credential theft via watering holes and Lazarus Group's evolving social engineering. Strategic foresight requires hardening third-party ecosystems, exemplified by Google Play's persistent dropper threats and Salesforce supply-chain compromises. The VerifTools takedown and ShinyHunters' exploitation underscore the value of disrupting cybercrime-as-a-service markets preemptively. AI-driven threats like PromptLock ransomware and autonomous social engineering agents necessitate adaptive detection frameworks. Mitigating vulnerabilities in critical infrastructure (Citrix, FreePBX) and enforcing zero-trust principles amid rising credential-based espionage are imperative. Cross-sector collaboration, AI-augmented monitoring, and rigorous patch management must counterbalance escalating adversarial innovation.


Evolving Ransomware and Malware Tactics

Ransomware and malware tactics are rapidly evolving, leveraging AI-driven payload generation (e.g., PromptLock ransomware), advanced social engineering (AI Waifu RAT), and supply chain compromises (malicious npm packages). Attackers increasingly exploit zero-click vulnerabilities (WhatsApp CVE-2025-55177), trusted platforms (Google Classroom), and critical infrastructure flaws (Citrix NetScaler). Multi-stage campaigns now employ obfuscation, delayed payload activation, and cross-platform adaptability to bypass defenses. State-aligned APTs and cybercriminals collaborate, targeting third-party vendors and decentralized ecosystems. Proactive measures, including AI-enhanced threat detection, zero-trust frameworks, and rigorous patch management, are critical to counter these adaptive threats.


State-Sponsored and Organized Cybercrime Convergence

Nation-state APTs (e.g., APT29, Lazarus, Salt Typhoon) increasingly intersect with organized cybercrime, sharing tools, infrastructure, and monetization strategies. Cybercrime-as-a-service ecosystems (e.g., VerifTools, malware droppers) provide scalable capabilities that state actors weaponize for espionage and disruption. Organized groups adopt APT-level sophistication, exploiting zero-days, trusted platforms (Teams, Classroom), and cross-platform malware. Both camps exploit third-party and supply-chain weaknesses, amplifying global attack surfaces and complicating attribution. AI-powered tools (PromptLock ransomware, autonomous social engineering) accelerate convergence by lowering barriers to advanced tactics.


Operational and Tactical Implications

The operational landscape reflects escalating sophistication in cybercrime-as-a-service models, with takedowns like VerifTools underscoring the need to disrupt tool suppliers and analyze forensic artifacts. Tactically, defenders must prioritize credential hygiene, AI-driven anomaly detection, and third-party risk management, as seen in breaches via Salesforce, NetScaler, and Nx. APT groups exploit legacy vulnerabilities (CVE-2018-0171) and weaponize trusted platforms (Teams, Classroom), necessitating zero-trust architectures and behavioral monitoring. Ransomware pivots to critical infrastructure demand air-gapped backups and rapid patch cycles. Emerging AI-powered threats (PromptLock, autonomous agents) require adaptive defenses, while supply chain compromises highlight vendor audits and input validation. Global collaboration remains vital to counter state-aligned actors and transnational fraud networks.


Forward-Looking Recommendations

  • Prioritize international collaboration to dismantle cybercrime-as-a-service ecosystems and extradite threat actors.
  • Implement AI-driven behavioral analysis to counter evolving droppers, autonomous AI agents, and AI-powered ransomware.
  • Enforce third-party vendor audits, zero-trust architectures, and encryption to mitigate supply chain risks.
  • Proactively monitor domains for typosquatting and event-themed scams, leveraging threat intelligence sharing.
  • Accelerate patch deployment for critical vulnerabilities in public-facing infrastructure (Citrix, Chrome, Next.js).
  • Adopt multi-layered email security with AI detection to counter phishing via trusted platforms like Google Classroom.
  • Strengthen app store vetting with dynamic code analysis and real-time scanning to combat obfuscated malware.
  • Educate users on social engineering tactics, including AI-generated deepfakes and job offer lures.
  • Mandate MFA, credential rotation, and network segmentation to reduce ransomware and APT impacts.
  • Invest in forensic readiness and incident response testing to address escalating state-sponsored threats.

Additional Resources & Contact

VerSprite on LinkedIn

VerSprite on Twitter

Email VerSprite