VerSprite Weekly Threat Intelligence #31

Date Range: 08 September 2025 – 12 September 2025
Issue: 31st Edition
Reported Period Victimology

Security Triumphs of the Week
This week’s security triumphs showcased global collaboration against cybercrime: law enforcement indicted a Ukrainian national behind the LockerGoga and MegaCortex ransomware operations, having earlier released decryption keys to victims. The U.S. Treasury sanctioned Southeast Asian scam networks that stole $10B through fraud and trafficking, freezing assets and disrupting operations. Samsung and Apple quickly patched zero-day exploits abused in spyware attacks, urging urgent updates. In the UK, the Electoral Commission recovered from a prolonged China-linked breach, boosting its cybersecurity budget. These actions reflect stronger global coordination and rapid vendor response to protect infrastructure, citizens, and democratic systems.
US Feds Indict LockerGoga and MegaCortex Ransomware Hacker
US federal prosecutors indicted Ukrainian national Volodymyr Tymoshchuk for orchestrating the LockerGoga and MegaCortex ransomware operations, which targeted hundreds of global companies from 2018 to 2021. Tymoshchuk, using aliases like “deadforz,” allegedly extorted victims through encryption and data leaks, impacting over 250 U.S. entities, including Norsk Hydro, which suffered $71 million in losses. An international law enforcement operation disrupted the ransomware networks in 2022 by releasing decryption keys. Tymoshchuk also reportedly collaborated with the Nefilim ransomware group, linked to affiliate Artem Stryzhak, who was extradited to the U.S. in 2024. The U.S. State Department offers up to $10 million for information leading to Tymoshchuk’s arrest and $1 million for other operatives’ convictions.
Read full article: Bankinfosec
Cyberscam groups who stole $10 billion from Americans sanctioned by US
The US Treasury sanctioned cyber scam groups in Burma and Cambodia linked to $10 billion in fraud targeting Americans, alongside human trafficking and forced labor. The sanctions target 24 entities, including KNA affiliates, property owners hosting scam centers, energy suppliers, and money laundering networks. These measures freeze US-based assets, block financial access, and restrict global business dealings. Losses from such scams rose 66% year-on-year, with Southeast Asian operations exploiting victims via romance scams, fake investments, and violence. The Treasury emphasized combating organized crime and protecting citizens under the new sanctions. Non-US entities may also need to avoid dealings with the blacklisted groups to prevent penalties.
Read full article: Techradar
UK Electoral Commission finally recovered from China hack after three years and £250,000 grant
The UK Electoral Commission has fully recovered from a cyberattack attributed to China, which compromised its systems for three years and required a £250,000 grant for remediation. The breach exposed vulnerabilities in its security protocols, leaving millions of voters’ data at risk. Despite the intrusion occurring during six by-elections, no evidence of electoral tampering was found. The Commission has since increased its cybersecurity budget, though the exact data exfiltrated and attackers’ motives remain unclear. The incident underscores growing threats to democratic institutions globally, with elections increasingly targeted by cyber actors aiming to disrupt processes. The CEO emphasized the need for heightened vigilance in protecting electoral systems.
Read full article: Techradar
Security Setbacks of the Week
This week’s security setbacks highlight the growing risks tied to third-party integrations and ransomware. Workday, HackerOne, and Dynatrace all suffered breaches through Salesloft’s Drift app, exposing Salesforce-stored customers and business contact data, though core systems remained unaffected. Wayne Memorial Hospital in Georgia confirmed a Monti ransomware attack impacting over 163,000 people, far higher than initially reported. Meanwhile, Chinese-linked groups Salt Typhoon and UNC4841 launched coordinated espionage campaigns against global telecoms and critical infrastructure. LNER in the UK faced a supplier breach leaking passenger details, and Panama’s Ministry of Economy was claimed as a victim by INC Ransom. Other incidents hit Cornwell Quality Tools, the New York Blood Center, and fintech firm Wealthsimple, collectively showing how healthcare, finance, and government sectors remain prime targets.
Workday Data Breach Exposed Customer Data and Case Details
Workday experienced a data breach via a compromised third-party application (Salesloft’s Drift), exposing customer business contacts, support case details, tenant attributes, and system logs. Attackers exploited stolen OAuth credentials to access Salesforce environments but did not breach customer tenants or external files like contracts. Workday disconnected the app, invalidated tokens, and is reviewing cases to notify affected customers. Sensitive data in support tickets may have been exposed, prompting credential rotation advisories. The company recommends enhanced security practices, including multi-factor authentication and activity monitoring, while collaborating with experts to prevent future vulnerabilities.
Read full article: Gbhackers
Georgia Hospital Notifying 163,000 of 2024 Ransomware Hack
Wayne Memorial Hospital in Georgia is notifying 163,440 individuals of a June 2024 ransomware attack by the Monti gang, which encrypted hospital data and led to unauthorized system access between May 30 and June 3. Initially reported as affecting 2,500 people, the breach’s scope expanded significantly. The hospital disconnected its network, restored systems from backups, and reported the incident to regulators. Monti, responsible for 21% of 2024 healthcare ransomware attacks, listed the hospital among its victims. The HHS breach portal has not yet updated the affected count. The hospital’s notification letter redacted details of compromised data, and its attorney has not addressed Monti’s claims.
Read full article: Bankinfosec
Chinese Hackers Salt Typhoon and UNC4841 Team Up to Breach Critical Infrastructure
Chinese state-sponsored threat actors Salt Typhoon and UNC4841 collaborated in a multiyear cyber espionage campaign targeting global telecommunications, government agencies, and corporate networks across 80+ countries. Researchers linked 45 malicious domains registered via ProtonMail under fake U.S. personas, revealing infrastructure overlap and shared tactics like zero-day exploits. Salt Typhoon breached nine major U.S. telecom firms in 2024, accessing metadata for millions of users and sensitive law enforcement wiretapping systems. UNC4841, known for exploiting Barracuda vulnerabilities, mirrored Salt Typhoon’s techniques, suggesting coordinated Chinese intelligence operations. The campaign highlights persistent threats to critical infrastructure and advanced operational security by APT groups aligned with China’s Ministry of State Security.
Read full article: Gbhackers
HackerOne Data Breach, Hackers Illegally Access Salesforce Environment
HackerOne experienced a data breach via a compromised Drift integration (provided by Salesloft) in its Salesforce environment, allowing unauthorized access to internal records. The incident, detected on August 22, stemmed from a vulnerability in Salesloft’s Drift application. While no customer vulnerability data, reports, or exploit details were exposed, general contact and account information was accessed. HackerOne isolated the breach, disabled the integration, and engaged forensic experts to investigate. The company is notifying affected parties and maintains transparency through dedicated support channels. Security protocols and data segmentation limited the breach’s impact.
Read full article: Gbhackers
Dynatrace Data Breach Exposes Customer Information Stored in Salesforce
Dynatrace experienced a third-party data breach in August 2025 via Salesloft’s Drift application, exposing customer information stored in Salesforce. Attackers exploited integrations between Drift and Salesforce, accessing CRM data, including business contact details like customer representative names and company identifiers. No Dynatrace products, sensitive usage data, or customer support cases were compromised. The company disabled affected integrations, collaborated with cybersecurity experts, and confirmed restored secure connections by September 7. Dynatrace advised vigilance against phishing attempts leveraging exposed data but found no evidence of broader system exposure. The incident underscores risks tied to third-party vendor integrations.
Read full article: Gbhackers
Cyber Attack Exposes LNER Train Passengers’ Personal Data
A cyber-attack on a third-party supplier of London North Eastern Railway (LNER) exposed passengers’ contact details and travel histories, though no financial data or passwords were compromised. The breach, discovered on 10 September 2025, involved unauthorized access to files managed by a contractor handling ticketing and customer communications. LNER engaged cybersecurity experts to investigate, strengthen safeguards, and enhance supplier security standards. Affected passengers are advised to remain vigilant against phishing attempts and follow account security best practices. The company confirmed no service disruptions and established a dedicated helpline for inquiries. LNER emphasizes ongoing efforts to restore trust and secure customer data across its digital supply chain.
Read full article: Gbhackers
Panama Ministry of Economy discloses breach claimed by INC ransomware
The Panama Ministry of Economy and Finance (MEF) disclosed a potential cyberattack involving malware on a workstation, asserting containment and no compromise of core systems or critical operations like Panama Canal revenue management. However, the INC Ransom gang claimed responsibility, alleging theft of 1.5 TB of data, including emails, financial documents, and budgeting details, and leaked samples as proof. MEF maintains personal and institutional data remain secure. INC Ransom, active since 2023, has targeted high-profile entities globally. The group added MEF to its dark web leak site on September 5, though MEF has not publicly addressed the ransomware group’s claims.
Read full article: Bleepingcomputer
Cornwell Quality Tools Suffers Data Breach, 100,000 User Records Exposed
Cornwell Quality Tools experienced a major data breach on December 12, 2024, exposing 103,782 individuals’ sensitive data, including names, Social Security numbers, medical records, and financial details. The breach involved unauthorized network access, compromising both PII and PHI. Affected users were notified nearly nine months later, on September 4, 2024, with guidance on protective measures. Legal firm Goldenberg Schneider launched an investigation to assist victims in pursuing potential legal action. The incident underscores persistent cybersecurity risks for businesses handling sensitive customer data, particularly in industries managing financial and health information. Delayed disclosure highlights the complexity of breach investigations.
Read full article: Gbhackers
NY Blood Center Says Data Was Stolen in January Attack
The New York Blood Center disclosed a January 2025 ransomware attack compromising personal, health, and employment data of patients, employees, and others. Attackers accessed files containing names, Social Security numbers, health test results, and financial details. The nonprofit, serving multiple U.S. states, restored operations but faces challenges notifying affected individuals due to missing contact data. It offered credit monitoring and enhanced security measures. This incident follows similar attacks on U.S. blood suppliers like OneBlood and Octapharma Plasma in 2024, disrupting services. Globally, the UK’s Synnovis attack caused critical blood shortages and care delays, highlighting systemic vulnerabilities in healthcare supply chains.
Read full article: Bankinfosec
Wealthsimple reveals data breach – users of financial firm warned to be on alert
Wealthsimple, a Canadian fintech firm, experienced a data breach via a compromised third-party software package, exposing personal information of under 1% of its over three million users. The breach, swiftly detected and contained, involved stolen data such as contact details, government IDs, financial account numbers, Social Insurance Numbers, and IP addresses. Passwords and funds remained secure. Affected users (approximately 30,000) were notified and offered two years of credit monitoring, dark web surveillance, and identity theft protection. Wealthsimple advised enhanced security measures, including enabling 2FA and vigilance against phishing. Law enforcement and regulators were informed. The company confirmed all accounts remain safe.
Read full article: Techradar
The New Emerging Threats
This week’s emerging threats spotlight advanced malware, AI-driven attacks, and abuse of trusted platforms. Chinese-linked actors deployed EggStreme fileless malware against the Philippine military, while North Korea’s APT37 introduced Rust and Python-based surveillance tools. Attackers also exploited Azure Functions for C2, Kubernetes DNS to steal Git credentials, and GitHub dangling commits for malvertising. On mobile, the RatOn Android RAT combined NFC relay and banking trojan tactics for real-time financial theft. AI-powered threats like EvilAI and SpamGPT highlight the growing weaponization of machine learning. Meanwhile, campaigns leveraging DarkSamural, AsyncRAT, and CyberVolk ransomware show escalating sophistication in espionage and infrastructure attacks.
China-related threat actors deployed a new fileless malware against the Philippines’ military
A Chinese threat actor targeted a Philippine military company using EggStreme, a novel fileless malware framework designed for stealthy espionage. The modular toolset includes six components enabling reverse shell access, payload injection, keylogging, and persistent backdoor functionality. Researchers attribute the attack to Chinese APT interests due to its focus on long-term reconnaissance and low-profile persistence, aligning with tactics observed across APAC. While attribution remains unconfirmed, the malware employs DLL sideloading via trusted executables to evade detection. Initial infection vectors are unclear but may involve supply chain compromises or lateral movement. The campaign underscores ongoing Chinese-linked cyber-espionage targeting regional military and geopolitical entities.
Read full article: Techradar
EvilAI: Leveraging AI to Steal Browser Data and Evade Detection
EvilAI, a new malware family, uses AI-generated code to masquerade as legitimate AI tools, stealing browser data while evading detection. Disguised as productivity apps, it employs lightweight installers, valid signatures, and functional features to bypass defenses. The malware establishes persistence via scheduled tasks, registry entries, and obfuscated JavaScript payloads, targeting browser credentials and exfiltrating data via encrypted channels. Trend™ Research observed rapid global spread, with Europe, the Americas, and AMEA regions most affected, particularly India, the U.S., and France. Defenses require AI-aware monitoring, scrutiny of software sources, and layered security to counter evolving tactics.
Read full article: Gbhackers
New Malware Abuses Azure Functions to Host Command and Control Infrastructure
A new malware campaign exploits Azure Functions for command and control (C2) infrastructure, using a malicious ISO image containing a legitimate Palo Alto binary and a sideloaded malicious DLL (libwaapi.dll). The DLL decrypts an RC4-encrypted payload via a hardcoded key, injects it into memory, and unpacks a final payload via LZNT1 decompression. The payload profiles victim systems, encrypts metadata, and exfiltrates it to an Azure Functions endpoint. Forensic clues in the LNK file suggest attacker infrastructure details, while a similar DLL from Singapore indicates a multi-region operation. The abuse of trusted cloud services enhances evasion and scalability for C2 operations.
Read full article: Gbhackers
New Malvertising Campaign Exploits GitHub Repositories to Distribute Malware
A new malvertising campaign exploits “dangling commits” in legitimate GitHub repositories to distribute malware via fake GitHub Desktop installers. Attackers inject malicious promotional content into trusted projects, redirecting users to compromised pages hosting a dropper masquerading as the official installer. The payload executes PowerShell commands to load a malicious DLL, enabling C2 communication for data theft, remote code execution, and lateral movement. Sophisticated obfuscation and abuse of Windows processes (e.g., svchost.exe) help evade detection. The campaign leverages GitHub’s credibility by exploiting orphaned code commits, which bypass standard repository monitoring. Mitigations include validating software sources, monitoring network activity, pruning dangling commits, and deploying behavior-based EDR solutions. GitHub is enhancing visibility into such abuses while researchers advocate a zero-trust approach to software supply chains.
Read full article: Gbhackers
Attackers Abuse Kubernetes DNS to Extract Git Credentials from ArgoCD
A new attack method exploits Kubernetes DNS to steal Git credentials from ArgoCD, enabling attackers to hijack Git accounts. By manipulating CoreDNS records, adversaries redirect ArgoCD’s traffic to malicious services, intercepting credentials used for accessing private repositories. Attackers require compromised ArgoCD accounts with permissions to create certificates and applications, allowing them to spoof domains like GitHub and capture sensitive tokens. This exfiltration technique risks unauthorized access to source code and secrets, with potential lateral movement across CI/CD pipelines. Mitigation involves tightening RBAC, restricting certificate privileges, and monitoring DNS anomalies. The attack underscores risk in Kubernetes’ internal DNS configurations and excessive permissions in GitOps tools.
Read full article: Gbhackers
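The DNS-anomaly monitoring recommended above can start with the cluster's own CoreDNS configuration: any rule that makes a Git hosting name resolve inside the cluster is exactly the redirection the attack depends on. The following added example (not from the article or from the ArgoCD/CoreDNS projects) audits a Corefile string, normally read from the coredns ConfigMap in kube-system, for rewrite rules, static hosts entries and template answers that override watched Git domains; the sample Corefile and the domain list are constructed, and covering the hosts and template plugins goes beyond the rewrite case the article describes.

```python
import re
from dataclasses import dataclass

# Git hosting domains an ArgoCD instance typically reaches (assumption; extend for self-hosted Git).
WATCHED_DOMAINS = ("github.com", "gitlab.com", "bitbucket.org")
IP_RE = re.compile(r"[0-9a-fA-F.:]+")  # first token of a hosts-plugin line is an IPv4/IPv6 address

# Constructed Corefile: a normal kube-dns layout with two planted overrides of Git hosts.
SAMPLE_COREFILE = """\
.:53 {
    errors
    health
    rewrite name github.com git-proxy.argocd.svc.cluster.local
    hosts {
        10.96.0.77 gitlab.com
        fallthrough
    }
    kubernetes cluster.local in-addr.arpa ip6.arpa {
        pods insecure
        fallthrough in-addr.arpa ip6.arpa
    }
    forward . /etc/resolv.conf
    cache 30
}
"""


@dataclass
class Finding:
    line_no: int
    plugin: str
    detail: str


def _mentions_watched(token: str) -> bool:
    """True when a name, regex pattern or hostname token refers to a watched Git domain."""
    cleaned = token.lower().replace("\\", "").strip("^$().")
    return any(domain in cleaned for domain in WATCHED_DOMAINS)


def audit_corefile(corefile: str) -> list[Finding]:
    """Return every directive that makes a watched Git domain resolve to a cluster-controlled answer."""
    findings: list[Finding] = []
    stack: list[str] = []  # plugin blocks currently open, e.g. ['.:53', 'hosts']
    for no, raw in enumerate(corefile.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        if line == "}":
            if stack:
                stack.pop()
            continue
        opens_block = line.endswith("{")
        tokens = (line[:-1] if opens_block else line).split()
        plugin = tokens[0] if tokens else ""
        parent = stack[-1] if stack else ""

        if plugin == "rewrite" and "name" in tokens:
            # rewrite [stop] name [exact|regex] FROM TO: flag when FROM names a watched domain
            hits = [t for t in tokens[tokens.index("name") + 1:-1] if _mentions_watched(t)]
            if hits:
                findings.append(Finding(no, "rewrite", f"rewrites {', '.join(hits)} -> {tokens[-1]}"))
        elif plugin == "hosts" and len(tokens) > 1:
            # hosts FILE [ZONES...]: the override lives in a file this audit cannot see
            findings.append(Finding(no, "hosts", f"loads external hosts source {tokens[1]} (not inspected)"))
        elif plugin == "template":
            hits = [t for t in tokens[1:] if _mentions_watched(t)]
            if hits:
                findings.append(Finding(no, "template", f"synthesises answers for {', '.join(hits)}"))
        elif parent == "hosts" and len(tokens) >= 2 and IP_RE.fullmatch(tokens[0]):
            # inline hosts entry: IP followed by one or more hostnames
            hits = [t for t in tokens[1:] if _mentions_watched(t)]
            if hits:
                findings.append(Finding(no, "hosts", f"pins {', '.join(hits)} to {tokens[0]}"))

        if opens_block:
            stack.append(plugin)
    return findings


def main() -> None:
    for f in audit_corefile(SAMPLE_COREFILE):
        print(f"line {f.line_no}: {f.plugin}: {f.detail}")


if __name__ == "__main__":
    main()
```

The same check can be run against a live cluster by feeding it the Corefile key of the coredns ConfigMap; a clean Corefile yields an empty list.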
New Android RAT uses Near Field Communication to automatically steal money from devices
A new Android Remote Access Trojan (RAT) named RatOn combines NFC relay attacks, overlay techniques, and automated money transfers to steal funds and sensitive data. Targeting banking apps (e.g., George Česko) and crypto wallets, it steals PINs, recovery phrases, and hijacks accounts via device control. Distributed through fake TikTok apps on spoofed Google Play pages, it primarily affects users in Czechia and Slovakia. RatOn uses a multi-stage installation process, exploiting permissions like Accessibility Services to deploy payloads. Active since July 2025, it represents a rare fusion of NFC relay and banking trojan capabilities, enabling real-time financial theft. Researchers highlight its sophistication, marking it as a significant emerging threat in mobile malware.
Read full article: Techradar
APT37 Deploys New Rust and Python Malware Targeting Windows Systems
APT37, a North Korean-aligned threat group, has enhanced its cyber operations with new Rust and Python-based malware targeting Windows systems. The group introduced Rustonotto, a Rust-based backdoor, alongside existing tools like Chinotto (PowerShell backdoor) and FadeStealer, a surveillance malware capable of keystroke logging, audio recording, and data exfiltration. Attacks employ advanced techniques like Transactional NTFS for stealthy code injection and Process Doppelgänging to evade detection. FadeStealer systematically collects victim data, storing it in password-protected RAR archives for exfiltration via HTTP POST requests. APT37 uses a centralized C2 infrastructure with compromised servers and PHP scripts to manage malware components, demonstrating sophisticated coordination and evasion capabilities.
Read full article: Gbhackers
SpamGPT: New AI Email Attack Tool Fueling Massive Phishing Operations
A new AI-powered phishing toolkit called SpamGPT has emerged on underground forums, enabling cybercriminals to launch large-scale email attacks with minimal technical expertise. Marketed as a spam-as-a-service platform, it automates email server compromise, evades spam filters, and provides real-time campaign analytics. Its integrated AI assistant, KaliGPT, generates convincing phishing content and strategies, allowing attackers to craft tailored messages effortlessly. The toolkit includes features like SMTP server cracking, email spoofing, inbox monitoring, and multi-server deployment to maximize deliverability. SpamGPT’s user-friendly interface and marketing-style dashboards simplify complex phishing workflows, lowering barriers for entry-level threat actors. Security experts warn organizations to strengthen email authentication (SPF, DKIM, DMARC) and enhance threat detection to counter such AI-driven campaigns.
Read full article: Gbhackers
DarkSamural APT Group Deploys LNK/PDF Malware to Steal Critical Information
DarkSamural, a newly identified APT subgroup linked to OceanLotus, has targeted Pakistani organizations using malicious LNK files disguised as PDFs and MSC containers with GrimResource technology. The campaign, attributed to Patchwork (APT Group 72), employs multi-stage payloads delivered via spear-phishing emails containing deceptive MSC files. These files execute obfuscated JavaScript to fetch remote payloads, leveraging tools like BADNEWS RAT, Mythic, and Remcos RAT for persistence and data exfiltration. Attackers abuse legitimate Windows utilities (e.g., dism.exe) to sideload malicious DLLs and establish communication with C2 servers using AES-HMAC encryption. Vietnamese-language lures suggest a false-flag operation to mislead attribution. Defenders are urged to enhance email filtering, analyze script behaviors, and monitor for toolchain rotation tactics.
Read full article: Gbhackers
Threat Actors Leveraging Open-Source AdaptixC2 in Real-world Attacks
In May 2025, Unit 42 researchers identified real-world attacks using the open-source AdaptixC2 framework, a post-exploitation tool initially designed for red teaming. The modular framework enables command execution, file transfer, data exfiltration, and covert communication via SOCKS proxies, with evasion features like RC4-encrypted configurations. Attack vectors included social engineering via fake Microsoft Teams messages and AI-generated PowerShell scripts deploying memory-resident shellcode. Two campaigns demonstrated fileless execution, persistence mechanisms, and C2 infrastructure using HTTP profiles. Defenders should monitor anomalous memory activity, analyze encrypted binaries, and leverage endpoint protections to detect tunneling. Palo Alto Networks provides coverage, and IoCs are provided for detection.
Read full article: Gbhackers
AsyncRAT Leverages Fileless Techniques to Bypass Detection
A recent attack leveraged fileless techniques to deploy AsyncRAT, evading disk-based detection. Attackers used a compromised ScreenConnect client to execute a VBScript, which fetched payloads via PowerShell and loaded them directly into memory. The multi-stage loader employed .NET assemblies like Obfuscator.dll to disable security tools (AMSI/ETW), establish persistence via a malicious scheduled task, and decrypt AsyncRAT. The RAT collected system data, keystrokes, and credentials, exfiltrating encrypted data to C2 servers. Defenses include memory forensics, behavioral monitoring of scripting tools, and restricting scheduled task creation. This case highlights the need for advanced detection against fileless malware abusing legitimate tools.
Read full article: Gbhackers
CyberVolk Ransomware Targets Windows Systems in Critical Infrastructure and Research Institutions
CyberVolk ransomware, active since May 2024, targets critical infrastructure and research institutions in Japan, France, and the UK, aligning with pro-Russian geopolitical motives. It employs AES-256 GCM and ChaCha20-Poly1305 encryption, excluding system directories to avoid destabilizing Windows environments. Unique nonces and dual encryption render decryption impossible without backups, as keys and nonces are not stored. A flawed decryption process further prevents recovery, even with the correct key. The group uses Telegram for ransom demands, emphasizing irreversible data loss risks. Mitigation requires robust offline backups and secure recovery protocols to counter this asymmetric threat.
Read full article: Gbhackers
Vulnerability Spotlight: Critical Exposures Unveiled
This week’s critical exposures span major software and security tools. Microsoft fixed two Office flaws that allow remote code execution via malicious files, while Ivanti Endpoint Manager and FortiDDoS appliances were found vulnerable to exploits enabling unauthorized system access. Adobe rushed an emergency patch for the SessionReaper bug in Magento/Adobe Commerce, which could let attackers hijack accounts and steal data. Akira ransomware is actively exploiting an older SonicWall SSLVPN flaw, highlighting the risks of delayed patching. A Windows Defender symlink flaw was uncovered that could let attackers hijack or disable protections entirely. Finally, North Korea’s Lazarus Group is exploiting a Git symlink vulnerability in phishing campaigns against crypto and finance sectors. These cases reinforce the need for rapid patching, hardened configurations, and vigilant monitoring.
Critical Flaws in Microsoft Office Enable Remote Code Execution by Attackers
Microsoft disclosed two critical vulnerabilities (CVE-2025-54910 and CVE-2025-54906) in its Office suite, enabling remote code execution via malicious documents. CVE-2025-54910, a heap-based buffer overflow, and CVE-2025-54906, a use-after-free flaw, both require users to open specially crafted files, leading to arbitrary code execution under the user’s privileges. Exploitation could allow attackers to install malware, steal data, or create backdoors. Microsoft released patches for supported Windows versions, urging immediate updates. Phishing emails or compromised websites are likely attack vectors. Users are advised to apply security updates promptly and exercise caution with untrusted file sources to mitigate risks.
Read full article: Gbhackers
HybridPetya Exploits UEFI Vulnerability to Bypass Secure Boot on Legacy Systems
ESET Research identified HybridPetya, a new ransomware variant evolving from Petya/NotPetya, exploiting UEFI vulnerability CVE-2024-7344 to bypass Secure Boot on unpatched systems. It installs a malicious EFI application on the EFI System Partition, enabling deep control over the boot process and evading traditional detection. The ransomware encrypts the Master File Table using Salsa20, displaying fake CHKDSK messages to mask its activity. While currently inactive, its technical sophistication poses future risks, particularly for organizations with outdated systems. HybridPetya demands Bitcoin payments but lacks NotPetya’s aggressive propagation. Mitigation requires applying Microsoft’s January 2025 patches and maintaining updated security protocols.
Read full article: Gbhackers
FortiDDoS Vulnerability Lets Hackers Execute Unauthorized OS Commands
Fortinet disclosed a critical OS command injection vulnerability (CVE-2024-45325, CVSS 6.5) in FortiDDoS-F appliances, allowing privileged attackers to execute unauthorized commands via the CLI. The flaw, caused by improper neutralization of OS command elements (CWE-78), impacts versions 6.1–6.6 and 7.0.0–7.0.2, requiring upgrades to 7.0.3+ or migration to fixed releases. Exploitation could compromise DDoS defense systems, exposing networks to attacks and unauthorized access. FortiDDoS-F 7.2 remains unaffected. Fortinet internally identified the issue and released remediation guidance (FG-IR-24-344) on September 9, 2025, urging immediate action due to the infrastructure’s critical role.
Read full article: Gbhackers
Ivanti Endpoint Manager Vulnerabilities Allow Remote Code Execution by Attackers
Ivanti disclosed two high-severity vulnerabilities (CVE-2025-9712 and CVE-2025-9872) in its Endpoint Manager, caused by insufficient filename validation, enabling remote code execution with minimal user interaction. Both flaws, scoring 8.8 CVSS, affect versions 2022 SU8 Security Update 1 or earlier and 2024 SU3 or prior. While no active exploitation is reported, the ease of exploitation necessitates urgent patching. Ivanti released fixes in 2022 SU8 Security Update 2 and 2024 SU3 Security Update 1, available via its License System. Organizations using the 2022 branch must also plan migration before its October 2025 End of Life. Immediate updates and access control reviews are advised to mitigate risks.
Read full article: Gbhackers
SessionReaper Vulnerability Puts Magento & Adobe Commerce Sites in Hacker Crosshairs
Adobe has urgently addressed the critical “SessionReaper” vulnerability (CVE-2025-54236) in Magento and Adobe Commerce, enabling attackers to bypass input validation, hijack accounts, steal data, and place fraudulent orders without valid sessions. The emergency patch released September 9, 2025, over a month ahead of schedule, follows historical precedents like Shoplift and CosmicSting, where rapid exploitation caused widespread breaches. Open-source Magento users criticized Adobe’s lack of prior notification compared to Commerce customers. Mitigations include immediate patch deployment, session invalidation, API key rotation, and strict JSON validation via firewalls. Adobe’s unprecedented urgency underscores the risk of delayed action, particularly for shared hosting environments, as automated attacks are expected post-disclosure. Merchants must prioritize rapid updates and enhanced monitoring to prevent data theft and financial loss.
Read full article: Gbhackers
This long-exposed SonicWall flaw is being used to infect organizations with Akira ransomware – so patch now
Akira ransomware is exploiting a year-old SonicWall SSLVPN vulnerability (CVE-2023-0656) in unpatched Gen5–Gen7 firewalls, combining it with default LDAP group misconfigurations and public-facing Virtual Office Portal access. Rapid7 warns attackers use these weaknesses to bypass security, deploy ransomware, and hijack MFA setups via exposed credentials. Organizations are urged to patch systems, rotate SonicWall account passwords, enforce MFA, and restrict Virtual Office Portal access to trusted networks. The attacks highlight risks of delayed patching and insecure default configurations in edge devices. Akira’s activity underscores ongoing threats to outdated VPN and firewall infrastructures.
Read full article: Techradar
Windows Defender Vulnerability Lets Hackers Hijack and Disable Services Using Symbolic Links
A newly revealed Windows Defender vulnerability allows attackers to hijack its service via symbolic links (symlinks) in its versioned update folders. By creating symlinks with the highest version number, attackers redirect Defender to execute from a controlled directory, enabling manipulation of its binaries. This exploit grants full read/write access, allowing malicious DLL injection, file deletion, or service disruption. Attackers can disable Defender entirely, leaving systems unprotected, using basic commands like mklink and rmdir without specialized tools. The flaw stems from inadequate symlink validation during version updates, exploiting Defender’s elevated privileges. This highlights the risk of security software trusting its internal directory structures, emphasizing the need for stricter access controls. As Defender is widely used, such vulnerabilities pose significant risks to endpoint security.
Read full article: Gbhackers
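The hijack described above depends on the updater selecting the highest-numbered subfolder without checking whether that entry is a reparse point. The following audit script is an added example, not code from the article or from Microsoft: it assumes a Defender-style platform folder whose subfolders are named by version (the layout, the naming pattern and the sample paths are constructed), and flags any versioned subfolder that is a symlink or junction, with a separate finding when the folder that would be selected is itself a link.

```python
import os
import re
import stat
import tempfile

# Folder names like "4.18.25070.5-0" (constructed; real naming may differ).
VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-(\d+))?$")

def parse_version(name):
    """Turn '4.18.25070.5-0' into a sortable tuple, or None if not a version."""
    m = VERSION_RE.match(name)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).split(".")) + (int(m.group(2) or 0),)

def is_reparse_point(path):
    """True for symlinks (any OS) and for junctions/symlinks on Windows."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return True
    attrs = getattr(st, "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0))

def audit_platform_dir(platform_dir):
    """Return (name, reason, resolved_target) for each versioned subfolder that is
    a link, plus a HIGHEST finding when the highest version is itself a link."""
    findings, versioned = [], []
    for name in sorted(os.listdir(platform_dir)):
        full = os.path.join(platform_dir, name)
        ver = parse_version(name)
        if ver is None or not os.path.isdir(full):
            continue
        versioned.append((ver, name))
        if is_reparse_point(full):
            findings.append((name, "LINK", os.path.realpath(full)))
    if versioned:
        top = max(versioned)[1]
        if any(n == top and r == "LINK" for n, r, _ in findings):
            findings.append((top, "HIGHEST", os.path.realpath(os.path.join(platform_dir, top))))
    return findings

def demo():
    """Constructed layout: one genuine folder plus a higher-versioned symlink to a writable dir."""
    root = tempfile.mkdtemp()
    platform = os.path.join(root, "Platform")
    os.makedirs(os.path.join(platform, "4.18.25070.5-0"))
    staging = os.path.join(root, "staging")
    os.makedirs(staging)
    os.symlink(staging, os.path.join(platform, "9.99.99999.9-0"), target_is_directory=True)
    return audit_platform_dir(platform)
```

Running the same check on a schedule, or on a file-system event for the platform folder, turns the article's description into a concrete detection signal: a versioned entry that resolves outside the folder is the precondition for the hijack.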
Lazarus Hackers Abuse Git Symlink Vulnerability in Stealthy Phishing Campaign
The Lazarus Group (APT38) has launched a phishing campaign exploiting a Git symlink vulnerability (CVE-2025-48384) to target cryptocurrency and financial sectors. Using fake job interviews on platforms like LinkedIn and X, attackers trick victims into cloning malicious repositories, triggering a Node.js backdoor via symlink abuse. Non-technical targets are lured to fake video interviews prompting malware installation. The campaign employs macOS/Windows stealers, persistence mechanisms, and infrastructure linked to prior Lazarus operations. Tactics include poisoned npm packages, compromised GitHub repos, and social engineering. Organizations are urged to avoid unsolicited technical tests and scrutinize repository sources.
Read full article: Gbhackers
In-Depth Expert CTI Analysis
This week underscored the escalating convergence of law enforcement action, ransomware disruptions, and state-sponsored espionage. While authorities indicted the LockerGoga/MegaCortex operator and sanctioned Southeast Asian scam networks, Chinese and North Korean APTs expanded cyber-espionage campaigns using zero-days, cloud abuse, and AI-enhanced malware. Healthcare, finance, and transportation were particularly impacted by ransomware (Monti, CyberVolk, INC Ransom), while supply chain breaches via Salesloft’s Drift integration affected multiple vendors (Workday, HackerOne, Dynatrace). Simultaneously, novel AI-driven threats (EvilAI, SpamGPT), fileless malware (EggStreme, AsyncRAT), and cloud exploitation (Azure Functions, Kubernetes DNS) illustrated adversaries’ agility in bypassing traditional defenses.
Proactive Defense and Strategic Foresight
The proactive disruption of LockerGoga/MegaCortex and rapid patching of Apple/Samsung zero-days highlight the value of international law enforcement cooperation and vendor agility. However, the volume of breaches via third-party SaaS integrations (Drift → Salesforce environments) exposes systemic supply chain fragility. Key defensive priorities:
- Rapid vulnerability management (Office RCEs, SonicWall, Ivanti, Fortinet, Adobe Commerce).
- Third-party risk oversight with continuous auditing of OAuth/API integrations.
- AI-aware defenses against SpamGPT-style phishing and EvilAI-like credential theft.
- Cross-sector intelligence sharing to detect stealthy APT activity across telecom, healthcare, and finance.
Evolving Ransomware and Malware Tactics
State-Sponsored and Organized Cybercrime Convergence
Chinese groups (Salt Typhoon, UNC4841) expanded multiyear telecom and government intrusions, while North Korea’s APT37 and Lazarus deployed new backdoors blending espionage with financial targeting. These align with Russian-linked ransomware campaigns (CyberVolk) leveraging geopolitical motives.
Notably, criminal ransomware groups now adopt state-grade stealth and encryption, while APTs incorporate criminal monetization tactics, blurring traditional distinctions. The weaponization of AI for phishing (SpamGPT) and data theft (EvilAI) represents a convergence of nation-state research and criminal commoditization.
Operational and Tactical Implications
Operational Implications: Healthcare, finance, and electoral systems remain high-risk verticals. Persistent ransomware and espionage require sector-wide resilience measures, enhanced incident response readiness, and cloud/SaaS supply chain hardening.
Tactical Implications: Defenders must anticipate zero-click exploits, OAuth token theft, and DNS/CI/CD manipulations. Priority defenses include offline immutable backups, memory forensics, DNS anomaly monitoring, AI-driven detection, and enforced MFA across SaaS/cloud environments.
Forward-Looking Recommendations
- Strengthen Third-Party/Vendor Security Governance: Enforce mandatory audits, API key rotation, and least-privilege OAuth scopes.
- Accelerate Patching of Critical Vulnerabilities: Prioritize updates for Office, SonicWall, Fortinet, Ivanti, and Magento’s “SessionReaper” flaw.
- Deploy AI-Aware Monitoring: Implement solutions to detect AI-generated phishing, AI-assisted malware, and the abuse of Large Language Models (LLMs).
- Enforce Zero-Trust Segmentation: Apply zero-trust principles across cloud environments, CI/CD pipelines, and critical systems in sectors like healthcare and elections.
- Mandate Offline and Immutable Backups: Ensure robust data protection against destructive ransomware like CyberVolk by requiring offline and immutable storage solutions.
- Expand International Collaboration: Enhance global partnerships to align sanctions, coordinate law enforcement takedowns, and share threat intelligence telemetry.
- Adopt Secure-by-Default Practices: Implement secure configurations by default in cloud services, Kubernetes DNS, and IoT deployments to minimize attack surfaces.
- Invest in UEFI/Boot-Level Defenses: Allocate resources to protect against advanced ransomware threats like HybridPetya that target the boot process.
- Integrate Post-Quantum Cryptography Roadmaps: Develop and integrate strategies for post-quantum cryptography to safeguard against future threats to encryption in both espionage and ransomware attacks.