
Cybersecurity never slows down. Every week brings new threats, new vulnerabilities, and new lessons for defenders. For security and IT teams, the challenge is not just keeping up with the news—it’s knowing which risks matter most right now. That’s what this digest is here for: a clear, simple briefing to help you focus where it counts.
This week, one story stands out above the rest: the Salesloft–Drift breach, where attackers stole OAuth tokens and accessed Salesforce data from some of the biggest names in tech. It’s a sharp reminder of how fragile integrations can become the weak link in enterprise defenses.
Alongside this, we’ll also walk through several high-risk CVEs under active exploitation, the latest moves by advanced threat actors, and fresh insights on making security workflows smarter, not noisier. Each section is designed to give you the essentials—enough to stay informed and prepared, without getting lost in the noise.
⚡ Threat of the Week
Salesloft to Take Drift Offline Amid Security Incident — Salesloft announced that it has taken Drift temporarily offline effective September 5, 2025, at 6 a.m. ET, as multiple companies have been caught up in a far-reaching supply chain attack spree targeting the marketing software-as-a-service product, resulting in the mass theft of authentication tokens. “This will provide the fastest path forward to comprehensively review the application and build additional resiliency and security in the system to return the application to full functionality,” the company said. “As a result, the Drift chatbot on customer websites will not be available, and Drift will not be accessible. To date, Cloudflare, Google Workspace, PagerDuty, Palo Alto Networks, Proofpoint, SpyCloud, Tanium, Tenable, and Zscaler have confirmed they were impacted by the hack. The activity has been attributed to a threat cluster tracked by Google and Cloudflare as UNC6395 and GRUB1, respectively.
🔔 Top News
- Sitecore Flaw Under Active Exploitation in the Wild — Unknown miscreants are exploiting a configuration vulnerability in multiple Sitecore products to achieve remote code execution via a publicly exposed key and deploy snooping malware on infected machines. The ViewState deserialization vulnerability, CVE-2025-53690, has been used to deploy malware and additional tooling geared toward internal reconnaissance and persistence across one or more compromised environments. The attackers targeted the “/sitecore/blocked.aspx” endpoint, which contains an unauthenticated ViewState form, with HTTP POST requests containing a crafted ViewState payload. Mandiant said it disrupted the intrusion midway, which prevented it from gaining further insights into the attack lifecycle and determining the attackers’ motivations.
- Russian APT28 Deploys “NotDoor” Outlook Backdoor — The Russian state-sponsored hacking group tracked as APT28 has been attributed to a new Microsoft Outlook backdoor called NotDoor (aka GONEPOSTAL) in attacks targeting multiple companies from different sectors in NATO member countries. NotDoor “is a VBA macro for Outlook designed to monitor incoming emails for a specific trigger word,” S2 Grupo’s LAB52 threat intelligence team said. “When such an email is detected, it enables an attacker to exfiltrate data, upload files, and execute commands on the victim’s computer.”
- New GhostRedirector Actor Hacks 65 Windows Servers in Brazil, Thailand, and Vietnam — A previously undocumented threat cluster dubbed GhostRedirector has managed to compromise at least 65 Windows servers primarily located in Brazil, Thailand, and Vietnam. The attacks, per Slovak cybersecurity company ESET, led to the deployment of a passive C++ backdoor called Rungan and a native Internet Information Services (IIS) module codenamed Gamshen. The threat actor is believed to be active since at least August 2024. “While Rungan has the capability of executing commands on a compromised server, the purpose of Gamshen is to provide SEO fraud as-a-service, i.e., to manipulate search engine results, boosting the page ranking of a configured target website,” the company said.
- Google Fixes 2 Actively Exploited Android Flaws — Google has shipped security updates to address 120 security flaws in its Android operating system as part of its monthly fixes for September 2025, including two issues that it said have been exploited in targeted attacks. One of them, CVE-2025-38352, is a privilege escalation vulnerability in the upstream Linux Kernel component. The second shortcoming is a privilege escalation flaw in Android Runtime (CVE-2025-48543). Benoît Sevens of Google’s Threat Analysis Group (TAG) has been credited with discovering and reporting the upstream Linux Kernel flaw, suggesting that it may have been abused as part of targeted spyware attacks.
- Threat Actors Claim to Weaponize HexStrike AI in Real-World Attacks — Threat actors are attempting to leverage a newly released artificial intelligence (AI) offensive security tool called HexStrike AI to exploit recently disclosed security flaws. “This marks a pivotal moment: a tool designed to strengthen defenses has been claimed to be rapidly repurposed into an engine for exploitation, crystallizing earlier concepts into a widely available platform driving real-world attacks,” Check Point said.
- Iranian Hackers Linked to Attacks Targeting European Embassies — An Iran-nexus group conducted a “coordinated” and “multi-wave” spear-phishing campaign targeting the embassies and consulates in Europe and other regions across the world. The activity has been attributed by Israeli cybersecurity company Dream to Iranian-aligned operators connected to broader offensive cyber activity undertaken by a group known as Homeland Justice. “Emails were sent to multiple government recipients worldwide, disguising legitimate diplomatic communication,” the company said. “Evidence points toward a broader regional espionage effort aimed at diplomatic and governmental entities during a time of heightened geopolitical tension.”
🔥 Trending CVEs
Hackers move fast — often exploiting new flaws within hours. A missed update or a single unpatched CVE can open the door to serious damage. Here are this week’s high-risk vulnerabilities making headlines. Review, patch quickly, and stay ahead.
This week’s list includes — CVE-2025-53690 (SiteCore), CVE-2025-42957 (SAP S/4HANA), CVE-2025-9377 (TP-Link Archer C7(EU) V2 and TL-WR841N/ND(MS) V9), CVE-2025-38352 (Linux Kernel/Google Android), CVE-2025-48543 (Google Android), CVE-2025-29927 (Next.js), CVE-2025-52856, CVE-2025-52861 (QNAP QVR), CVE-2025-0309 (Netskope Client for Windows), CVE-2025-21483, CVE-2025-27034 (Qualcomm), CVE-2025-6203 (HashiCorp Vault), CVE-2025-58161 (MobSF), CVE-2025-5931 (Dokan Pro plugin), CVE-2025-53772 (Web Deploy), CVE-2025-9864 (Google Chrome), CVE-2025-9696 (SunPower PVS6), CVE-2025-57833 (Django), CVE-2025-24204 (Apple macOS), CVE-2025-55305 (Electron framework), CVE-2025-53149 (Microsoft Kernel Streaming WOW Thunk Service Driver), CVE-2025-6519, CVE-2025-52549, CVE-2025-52548 (Copeland E2 and E3), CVE-2025-58782 (Apache Jackrabbit), CVE-2025-55190 (Argo CD), CVE-2025-1079, CVE-2025-4613, and a client-side remote code execution (no CVE) (Google Web Designer).
📰 Around the Cyber World
- New AI Waifu RAT Disclosed — Cybersecurity researchers have discovered a potent Windows-based remote access trojan (RAT) called AI Waifu RAT that uses the power of a large language model to pass commands. “A local agent runs on the victim’s machine, listening for commands on a fixed port,” a researcher by the name ryingo said. “These commands, originating from the LLM, are passed through a web UI and sent to the local agent as plaintext HTTP requests.” The malware specifically targets LLM role-playing communities, capitalizing on their interest in the technology to offer AI characters the ability to read local files for “personalized role-playing” and direct “Arbitrary Code Execution” capabilities.
- DoJ: “Not all heroes wear capes. Some have YouTube channels” — The U.S. Department of Justice (DoJ) said two YouTube channels named Scammer Payback and Trilogy Media played a crucial role in unmasking and identifying members of a giant scam network that stole more than $65 million from senior citizens. The 28 alleged members of the Chinese organized crime ring allegedly used call centers based in India to call the elderly, posing as government officials, bank employees, and tech support agents. “Once connected, the scammers used scripted lies and psychological manipulation to gain the victims’ trust and often remote access to their computers,” the DoJ said. “The most common scheme involved convincing victims they had received a mistaken refund and pressuring – or threatening – them to return the supposed excess funds via wire transfer, cash, or gift cards.” Those sending cash were instructed to use overnight or express couriers, addressing packages to fake names tied to false IDs. These were sent to short-term rentals in the U.S. used by conspirators, including the indicted defendants, to collect the fraud proceeds. The network has operated out of Southern California since 2019.
- Analysis of BadSuccessor Patch — Microsoft, as part of its August 2025 Patch Tuesday update, addressed a security flaw called BadSuccessor (CVE-2025-53779) that abused a loophole in dMSA, causing the Key Distribution Center (KDC) to treat a dMSA linked to any account in Active Directory as the successor during authentication. As a result, an attacker could create a dMSA in an Organizational Unit (OU) and link it to any target — even domain controllers, Domain Admins, Protected Users, or accounts marked “sensitive and cannot be delegated” – and compromise them. An analysis of the patch has revealed that patch enforcement was implemented in the KDC’s validation. “The attribute can still be written, but the KDC won’t honor it unless the pairing looks like a legitimate migration,” Akamai security researcher Yuval Gordon said. “Although the vulnerability can be patched, BadSuccessor still lives on as a technique; that is, the KDC’s verification removes the pre-patch escalation path, but doesn’t mitigate the entire problem. Because the patch didn’t introduce any protection to the link attribute, an attacker can still inherit another account by linking a controlled dMSA and a target account.”
- Phishers Pivot to Ramp and Dump Scheme — Cybercriminal groups advertising sophisticated phishing kits that convert stolen card data into mobile wallets have shifted their focus to targeting customers of brokerage services and using compromised brokerage accounts to manipulate the prices of foreign stocks as part of what’s called a ramp and dump scheme.
- Popular C2 Frameworks Exploited by Threat Actors — Sliver, Havoc, Metasploit, Mythic, Brute Ratel C4, and Cobalt Strike (in that order) have emerged as the most frequently used command-and-control (C2) frameworks in malicious attacks in Q2 2025, per data from Kaspersky. “Attackers are increasingly customizing their C2 agents to automate malicious activities and hinder detection,” the company said. The development came as the majority (53%) of attributed vulnerability exploits in the first half of 2025 were conducted by state-sponsored actors for strategic, geopolitical purposes, according to Recorded Future’s Insikt Group. In all, 23,667 CVEs were published in H1 2025, a 16% increase compared to H1 2024. Attackers actively exploited 161 vulnerabilities, and 42% of those exploited flaws had public PoC exploits.
- Fake PDF Converters Deliver JSCoreRunner macOS Malware — Apps posing as PDF converters are being used to deliver malware called JSCoreRunner. Once downloaded from sites like fileripple[.]com, the malware establishes connections with a remote server and hijacks a user’s Chrome browser by modifying its search engine settings to default to a fraudulent search provider, thereby tracking user searches and redirecting them to bogus sites, further exposing them to data and financial theft, per Mosyle. The attack unfolds over two stages: The initial package (whose signature has since been revoked by Apple), which deploys an unsigned secondary payload from the same domain that, in turn, executes the main malicious payload.
- Copeland Releases Fixes for Frostbyte10 Flaws — American tech company Copeland has released a firmware update to fix ten vulnerabilities in Copeland E2 and E3 controllers. The chips are used to manage energy efficiency inside HVAC and refrigeration systems. The ten vulnerabilities have been collectively named Frostbyte10. “The flaws discovered could have allowed unauthorized actors to remotely manipulate parameters, disable systems, execute remote code, or gain unauthorized access to sensitive operational data,” Armis said. “When combined and exploited, these vulnerabilities can result in unauthenticated remote code execution with root privileges.” The most severe of the flaws is CVE-2025-6519, a case of a default admin user “ONEDAY” with a daily generated password that can be predictably generated. In a hypothetical attack scenario, an attacker could chain CVE-2025-6519 and CVE-2025-52549 with CVE-2025-52548, which can enable SSH and Shellinabox access via a hidden API call, to facilitate remote execution of arbitrary commands on the underlying operating system.
- Over 1,000 Ollama Servers Exposed — A new study from Cisco found over 1,100 exposed Ollama servers, with approximately 20% actively hosting models susceptible to unauthorized access. Out of the 1,139 exposed servers, 214 were found to be actively hosting and responding to requests with live models—accounting for approximately 18.8% of the total scanned population, with Mistral and LLaMA representing the most frequently encountered deployments. The remaining 80% of detected servers, while reachable via unauthenticated interfaces, did not have any models instantiated. Although dormant, these servers remain susceptible to exploitation via unauthorized model uploads or configuration manipulation. The findings “highlight the urgent need for security baselines in LLM deployments and provide a practical foundation for future research into LLM threat surface monitoring,” the company said.
- Tycoon Phishing Kit Evolves — The Tycoon phishing kit has been updated to support URL-encoding techniques to hide malicious links embedded in fake voicemail messages to bypass email security checks. Attackers have also been observed using the Redundant Protocol Prefix technique for similar reasons. “This involves crafting a URL that is only partially hyperlinked or that contains invalid elements — such as two ‘https’ or no ‘//’ — to hide the real destination of the link while ensuring the active part looks benign and legitimate and doesn’t arouse suspicion among targets or their browser controls,” Barracuda said. “Another trick is using the ‘@’ symbol in a web address. Everything before the ‘@’ is treated as ‘user info’ by browsers, so attackers put something that looks reputable and trustworthy in this part, such as ‘office365.’ The link’s actual destination comes after the ‘@.'”
- U.S. State Department Offers Up to $10M for Russian Hackers — The U.S. Department of State is offering a bounty of up to $10 million for information on three Russian Federal Security Service (FSB) officers involved in cyberattacks targeting U.S. critical infrastructure organizations on behalf of the Russian government. The three individuals, Marat Valeryevich Tyukov, Mikhail Mikhailovich Gavrilov, and Pavel Aleksandrovich Akulov, are part of the FSB’s Center 16 or Military Unit 71330, which is tracked as Berserk Bear, Blue Kraken, Crouching Yeti, Dragonfly, Koala Team, and Static Tundra. They have been accused of targeting 500 energy companies in 135 countries. In March 2022, the three FBS officers were also charged for their involvement in a campaign that took place between 2012 and 2017, targeting U.S. government agencies.
- XWorm Malware Uses Sneaky Methods to Evade Detection — A new XWorm malware campaign is using deceptive and intricate methods to evade detection and increase the success rate of the malware. “The XWorm malware infection chain has evolved to include additional techniques beyond traditional email-based attacks,” Trellix said. “While email and .LNK files remain common initial access vectors, XWorm now also leverages legitimate-looking .EXE filenames to disguise itself as harmless applications, exploiting user and system trust.” The attack chain uses LNK files to initiate a complex infection. Executing the .LNK triggers malicious PowerShell commands that deliver a .TXT file and download a deceptively-named binary called “discord.exe.” The executable then drops “main.exe” and “system32.exe,” with the latter being the XWorm malware payload. “Main.exe,” on the other hand, is responsible for disabling the Windows Firewall and checking for the presence of -third-party security applications. XWorm, besides meticulously conducting reconnaissance to acquire a comprehensive profile of the machine, runs anti-analysis checks to ascertain the presence of a virtualized environment, and, if so, ceases execution. It also incorporates backdoor functionality by contacting an external server to execute commands, shut down the system, download files, open URLs, and launch DDoS attacks. Recent campaigns distributing the malware through a new crypter-as-a-service offering known as Ghost Crypt. “Ghost Crypt delivers a zipped archive to the victim containing a PDF Reader application, a DLL, and a PDF file,” Kroll said. “When the user opens the PDF, the malicious DLL is side-loaded, initiating the malware execution.” The PDF Reader application is HaiHaiSoft PDF Reader, which is known to have a DLL side-loading vulnerability, previously exploited to deliver Remcos RAT, NodeStealer, and PureRAT.
- 2 E-Crime Groups Use Stealerium Stealer in New Campaigns — Two different cybercriminal groups, TA2715 and TA2536, both of which favored Snake Keylogger, have conducted phishing campaigns in May 2025, delivering an open-source information stealer called Stealerium (or variants of it). “The observed emails impersonated many different organizations, including charitable foundations, banks, courts, and document services, which are common themes in e-crime lures,” Proofpoint said. “Subject lines typically conveyed urgency or financial relevance, including ‘Payment Due,’ ‘Court Summons,’ and ‘Donation Invoice.'”
- Czechia Issues Warning Against Chinese Tech in Critical Infrastructure — NÚKIB, the Czech Republic’s cybersecurity agency, has issued a bulletin regarding the threat posed by technology systems that transfer data to, or are remotely managed from, China. “Current critical infrastructure systems are increasingly dependent on storing and processing data in cloud repositories and on network connectivity enabling remote operation and updates,” the agency warned. “In practice, this means that technology solution providers can significantly influence the operation of critical infrastructure and/or access important data, making trust in the reliability of the provider absolutely crucial.”
- Google Chrome 140 Gains Support for Cookie Prefixes — Google has released version 140 of its Chrome browser with support for a new security feature designed to protect server-set cookies from client-side modifications. Called a cookie prefix, it involves adding a piece of text before the names of a browser’s cookies. “In some cases, it’s important to distinguish on the server side between cookies set by the server and those set by the client. One such case involves cookies normally always set by the server,” Google said. “However, unexpected code (such as an XSS exploit, a malicious extension, or a commit from a confused developer) might set them on the client. This proposal adds a signal that lets servers make such a distinction. More specifically, it defines the __Http and __HostHttp prefixes, which ensure a cookie is not set on the client side using script.”
- New Ransomware Strains Detailed — A new ransomware group called LunaLock has hacked an art-commissioning portal called Artists&Clients and is extorting its owners and artists by threatening to submit the stolen artwork to train artificial intelligence (AI) models unless it pays a $50,000 ransom. Another newly observed ransomware crew is Obscura, which was first observed by Huntress on August 29, 2025. The Go-based ransomware variant attempts to terminate over 120 processes commonly tied to security tools like Microsoft Defender, CrowdStrike, and SentinelOne.
- E.U. Court Backs Data Transfer Deal Agreed by U.S. and E.U. — The General Court of the Court of Justice of the European Union has dismissed a lawsuit that sought to annul the E.U. and U.S. Data Privacy Framework. The court ruled that the new treaty and the US adequately safeguard the personal data of E.U. citizens. The lawsuit alleged that the U.S. Data Protection Review Court (DPRC), which is housed inside the Department of Justice and has been historically seen as a bulwark for checking U.S. data surveillance activities, is not sufficiently independent and does not adequately shield Europeans from bulk data collection by U.S. intelligence agencies.
- Microsoft to Move to Phase 2 of MFA Enforcement in October 2025 — Microsoft said it has been enforcing multi-factor authentication (MFA) for Azure Portal sign-ins across all tenants since March 2025. “We are proud to announce that multi-factor enforcement for Azure Portal sign-ins was rolled out for 100% of Azure tenants in March 2025,” the company said. “By enforcing MFA for Azure sign-ins, we aim to provide you with the best protection against cyber threats as part of Microsoft’s commitment to enhancing security for all customers, taking one step closer to a more secure future.” The next phase of MFA requirement is scheduled to start October 1, 2025, mandating the use of MFA for users performing Azure resource management operations through Azure Command-Line Interface (CLI), Azure PowerShell, Azure Mobile App, REST APIs, Azure Software Development Kit (SDK) client libraries, and Infrastructure as Code (IaC) tools.
- Surge in Scanning Activity Targeting Cisco ASA — GreyNoise said it detected two scanning surges against Cisco Adaptive Security Appliance (ASA) devices on August 22 and 26, 2025, with the first wave originating from over 25,100 IP addresses mainly located in Brazil, Argentina, and the U.S. The second spike repeated ASA probing, with subsets hitting both IOS Telnet/SSH and ASA software personas. The activity targeted the U.S., the U.K., and Germany.
- LinkedIn Expands Verification to Combat Job-Themed Scams — Microsoft-owned professional social network unveiled new measures to strengthen trust and ensure that users are interacting with people who “they say they are.” This includes verified Premium Company Pages, requiring recruiters to verify their workplace on their profile, and workplace verification requirements for high-level titles such as Executive Director, Managing Director, and Vice President to tackle impersonation. The changes are an effort to prevent scammers from posing as company employees or recruiters and reaching out to prospective targets with fake job opportunities – a technique pioneered by North Korean hackers.
- Hotelier Accounts Targeted in Malvertising and Phishing Campaign — A large-scale phishing campaign has impersonated at least 13 service providers that specialize in hotels and vacation rentals. “In these attacks, targeted users are lured to highly deceptive phishing sites using malicious search engine advertisements, particularly sponsored ads on platforms like Google Search,” Okta said. “The attacks leverage convincing fake login pages and social engineering tactics to bypass security controls and exploit user trust.” It’s assessed that the end goal of the campaign is to compromise accounts for cloud-based property management and guest messaging platforms.
- DamageLib Emerges After XSS Forum Takedown — A new cybercrime forum called DamageLib has grown dramatically, attracting over 33,000 users following the arrest of XSS[.]is admin Toha back in July 2025. While XSS remains online, speculations are abound that it could be a law enforcement honeypot, breeding mistrust among cybercriminals. “Exploit forum traffic surged almost 24% during the XSS turmoil as actors sought alternatives, while XSS visits plummeted,” KELA said. “As of August 27, 2025, DamageLib counted 33,487 users — nearly 66% of XSS’s 50,853 members. But engagement lagged: only 248 threads and 3,107 posts in its first month, compared to over 14,400 messages on XSS in the month before the seizure.”
- GhostAction Supply Chain Attack Steals 3,325 Secrets — A massive supply chain attack dubbed GhostAction has allowed attackers to inject a malicious GitHub workflow named “Github Actions Security” to exfiltrate 3,325 secrets, including PyPI, npm, and DockerHub tokens via HTTP POST requests to a remote attacker-controlled endpoint (“bold-dhawan.45-139-104-115.plesk[.]page”). The activity affected 327 GitHub users across 817 repositories.
- New Campaign Abuses Simplified AI to Steal Microsoft 365 Credentials — A new phishing campaign has been observed hosting fake pages under the legitimate Simplified AI domain in a bid to evade detection and blend in with regular enterprise traffic. “By impersonating an executive from a global pharmaceutical distributor, the threat actors delivered a password-protected PDF that appeared legitimate,” Cato Networks said. “Once opened, the file redirected the victim to Simplified AI’s website, but instead of generating content, the site became a launchpad to a fake Microsoft 365 login portal designed to harvest enterprise credentials.”
- Japan, South Korea, and the U.S. Take Aim at North Korean IT Worker Scam — Japan, South Korea, and the U.S. joined hands to fight against the growing threat of North Korean threat actors posing as IT workers to embed themselves in organizations throughout Asia and globally and generate revenue to fund its unlawful weapons of mass destruction (WMD) and ballistic missile programs. “They take advantage of existing demands for advanced IT skills to obtain freelance employment contracts from an expanding number of target clients throughout the world, including in North America, Europe, and East Asia,” the countries said in a joint statement. “North Korean IT workers themselves are also highly likely to be involved in malicious cyber activities, particularly in the blockchain industries. Hiring, supporting, or outsourcing work to North Korean IT workers increasingly poses serious risks, ranging from theft of intellectual property, data, and funds to reputational harm and legal consequences.”
- New AI-Powered Android Vulnerability Discovery and Validation Tool — Computer scientists affiliated with Nanjing University in China and The University of Sydney in Australia said that they’ve developed an AI vulnerability identification system called A2 that emulates the way human bug hunters go about discovering flaws, marking a step forward for automated security analysis. According to the study, A2 “validates Android vulnerabilities through two complementary phases: (i) Agentic Vulnerability Discovery, which reasons about application security by combining semantic understanding with traditional security tools; and (ii) Agentic Vulnerability Validation, which systematically validates vulnerabilities across Android’s multi-modal attack surface-UI interactions, inter-component communication, file system operations, and cryptographic computations.” A2 builds upon A1, an agentic system that transforms any LLM into an end-to-end exploit generator.
- Spotify DM Feature Carries Doxxing Risks — Music streaming service Spotify, last month, announced a new messaging feature for sharing music with friends. But reports are now emerging on Reddit that it’s surfacing as “suggested friends,” people with whom users may have shared Spotify links in the past on other social media platforms, potentially revealing their real names in the process. This is made possible by means of a unique “si” parameter in Spotify links that serves as referral information.
- Spear-Phishing Campaign Targets C-Suite for Credential Theft — A sophisticated spear-phishing campaign has targeted senior employees, particularly those in C-Suite and leadership positions, to steal their credentials using email messages with salary-themed lures or fake OneDrive document-sharing notifications. “Actors behind this campaign are leveraging tailored emails that impersonate internal HR communications, via a shared document in OneDrive, to trick recipients into entering corporate credentials,” Stripe OLT said. “Emails are sent via Amazon Simple Email Service (SES) infrastructure. The actor is rotating between many sending domains and subdomains to evade detection.” As many as 80 domains have been identified as part of this campaign.
- Attackers Attempt to Exploit WDAC Technique — In December 2024, researchers Jonathan Beierle and Logan Goins demonstrated a novel technique that leverages a malicious Windows Defender Application Control (WDAC) policy to block security solutions such as Endpoint Detection and Response (EDR) sensors following a system reboot using a custom tool codenamed Krueger. Since then, it has emerged that threat actors have incorporated the method into their attack arsenal to disable security solutions using WDAC policies. It has also led to the discovery of a new malware strain dubbed DreamDemon that uses WDAC to neutralize antivirus programs. It contains an embedded WDAC policy, which is then dropped onto disk and hidden,” Beierle said. “In certain cases, DreamDemon will also change the time that the policy was created in an attempt to avoid detection.”
- New NBMiner Cryptojacking Malware Detected — Cybersecurity researchers have discovered a new campaign that leverages a PowerShell script to drop an AutoIt loader used to deliver a cryptocurrency miner called NBMiner from an external server. Initial access to the system is accomplished by means of a drive-by compromise. “The program includes several evasion measures,” Darktrace said. “It performs anti-sandboxing by sleeping to delay analysis and terminates sigverif.exe (File Signature Verification). It checks for installed antivirus products and continues only when Windows Defender is the sole protection. It also verifies whether the current user has administrative rights. If not, it attempts a User Account Control (UAC) bypass via Fodhelper to silently elevate and execute its payload without prompting the user.”
- New Campaign Uses Custom GPTs for Brand Impersonation and Phishing — Threat actors are abusing custom features on trusted AI platforms like OpenAI ChatGPT to create malicious “customer support” chatbots that impersonate legitimate brands. These custom GPTs are surfaced on Google Search results, tricking users into taking malicious actions under the guise of a helpful chatbot, underscoring how AI tools can be misused within a broader social engineering chain. “This method introduces a new threat vector: platform-hosted social engineering through trusted AI interfaces,” Doppel said. “Several publicly available Custom GPTs have been observed impersonating well-known companies.” The attacks can lead to theft of sensitive information, malware delivery, and damage the reputation of legitimate brands. The development is part of a larger trend where cybercriminals abuse AI tools, including impersonation fraud via deepfakes, AI-assisted scam call centers, AI-powered mailers and spam tools, malicious tool development, and unrestricted and self-hosted generative AI chatbots that can craft phishing kits, fake websites; create content for romance or investment scams; develop malware; and assist with vulnerability reconnaissance and exploit chains.
- McDonald’s Poland Fined for Leaking Personal Data — Poland’s data protection agency fined McDonald’s Poland nearly €4 million for leaking employee personal data, violating GDPR data privacy protections. The incident occurred at a partner company that managed employee work schedules. Personal data such as names, passport numbers, positions, and work schedules were left exposed on the internet through an open directory. This is the second-largest GDPR fine handed out by Polish authorities after fining the country’s postal service €6.3 million earlier this year. In related news, vulnerabilities in the McDonald’s chatbot recruitment platform McHire exposed over 64 million job applications across the U.S., security researchers Ian Carroll and Sam Curry discovered. The chatbot was created by Paradox.ai, which did not remove the default credentials for a test account (username 123456, password 123456) and failed to secure an endpoint that allowed access to the chat interactions of every applicant. There is no evidence that the test account was ever exploited in a malicious context. A separate set of security issues has also been discovered in the fast-food giant’s partner and employee portals that exposed sensitive data such as API keys and enabled unauthorized access to make changes to a franchise owner’s website. The issues, according to BobdaHacker, have since been patched.
- New Influence Operations Discovered — Cybersecurity company Recorded Future flagged two large-scale, state-aligned influence operation networks supporting India and Pakistan during the India-Pakistan conflict of April and May 2025. These influence networks have been codenamed Hidden Charkha (pro-India) and Khyber Defender (pro-Pakistan). “These networks are very likely motivated by patriotism and are almost certainly aligned with India’s and Pakistan’s domestic and foreign policy objectives, respectively,” Recorded Future said. “Each network consistently attempted to frame India or Pakistan, respectively, as maintaining superior technological and military capabilities – and therefore the implied ability for each respective country to exercise tactical restraint – as proof of having the moral high ground, and hence having domestic and international support.” Both the campaigns were largely unsuccessful in shaping public opinion, given the lack of organic engagement on social media. A second influence operation involves multiple Russia-linked networks, such as Operation Overload, Operation Undercut, Foundation to Battle Injustice, and Portal Kombat, seeking to destabilize the elections and derail Moldova’s European Union (E.U.) accession. Besides attempting to frame the current Moldova leadership as corrupt and counter to Moldova’s interests, the activity portrays “Moldova’s further integration with the E.U. as disastrous for its economic future and sovereignty, and Moldova as a whole as at odds with European standards and values.” The campaign has not achieved any substantial success in shaping public opinion, Recorded Future added.
- Massive IPTV Piracy Network Uncovered — A large Internet Protocol Television (IPTV) piracy network spanning more than 1,100 domains and over 10,000 IP addresses has been discovered hosting pirated content, illegally restreaming licensed channels, and engaging in subscription fraud. Active for several years, more than 20 major brands have been affected, including: Prime Video, Bein Sports, Disney Plus, NPO Plus, Formula 1, HBO, Viaplay, Videoland, Discovery Channel, Ziggo Sports, Netflix, Apple TV, Hulu, NBA, RMC Sport, Premier League, Champions League, Sky Sports, NHL, WWE, and UFC. Silent Push said it identified two companies involved in profiting from hosting pirated content — XuiOne and Tiyansoft. XuiOne is believed to share connections with Stalker_Portal, another well-known open-source IPTV project that has been around since 2013. These services are advertised in the form of Android apps, with the domains distributed via Facebook groups and Imgur. The cybersecurity firm also identified one individual, Nabi Neamati of Herat, Afghanistan, as a central figure in its operations.
- Security Analysis of WhatsApp Message Summarization — NCC Group has published an in-depth analysis of WhatsApp’s AI-powered Message Summarization feature, which was announced by the messaging platform in June 2025. In all, the assessment discovered 21 findings, 16 of which were fixed by WhatsApp. This included three notable weaknesses: The hypervisor could have assigned network interfaces to the CVM through which private data could be exfiltrated; any old Confidential Virtual Machine (CVM) image with known vulnerabilities could have been indefinitely used by an attacker; and the ability to serve malicious key configurations to WhatsApp clients could have allowed Meta to violate privacy and non-targetability assurances.
- Indirect Prompt Injection via Log Files — Large language models (LLMs) used in a security context can be deceived by specially crafted events and log files injected with hidden prompts to execute malicious actions when they are parsed by AI agents.
🎥 Cybersecurity Webinars
- From Blind Spots to Clarity: Why Code-to-Cloud Visibility Defines Modern AppSec — Most security programs know their risks—but not where they truly begin or how they spread. That gap between code and cloud is costing teams time, ownership, and resilience. This webinar shows how code-to-cloud visibility closes that gap by giving developers, DevOps, and security a shared view of vulnerabilities, misconfigurations, and runtime exposure. The result? Less noise, faster fixes, and stronger protection for the applications your business depends on.
- Shadow AI Agents: The Hidden Risk Driving Enterprise Blind Spots — AI Agents are no longer futuristic—they’re already embedded in your workflows, processes, and platforms. The problem? Many of them are invisible to governance, fueled by unchecked non-human identities that create a growing attack surface. Shadow AI doesn’t just add complexity; it multiplies risk with every click. This webinar unpacks where these agents are hiding, how to spot them before attackers do, and what steps you can take to bring them under control without slowing innovation.
- AI + Quantum 2.0: The Double Disruption Security Leaders Can’t Ignore — The next cybersecurity crisis won’t come from AI or quantum alone—it will come from their convergence. As quantum breakthroughs accelerate and AI drives automation at scale, the attack surface for sensitive industries is expanding faster than most defenses can keep up. This panel brings together leading voices from research, government, and industry to unpack what Quantum 2.0 means for security, why quantum-safe cryptography and AI resilience must go hand-in-hand, and how decision-makers can start building trust and resilience before adversaries weaponize these technologies.
🔧 Cybersecurity Tools
- MeetC2 — It is a clever proof-of-concept C2 framework that uses Google Calendar—yes, the same calendar your team uses every day—as a hidden command channel between an operator and a compromised endpoint. By polling for events and embedding commands into calendar items via Google’s trusted APIs (oauth2.googleapis.com, www.googleapis.com), it shows how legitimate SaaS platforms can be repurposed for covert operations. Security teams can use MeetC2 in controlled purple-team exercises to sharpen detection logic around unusual calendar API usage, validate logging and telemetry effectiveness, and fine-tune safeguards against stealthy cloud-based C2 strategies. In short, it equips defenders with a lightweight, highly relevant testbed to simulate and proactively defend against next-gen adversarial tradecraft.
- thermoptic – It is an advanced HTTP proxy that cloaks low-level clients like curl to appear indistinguishable from a full Chrome/Chromium browser at the network fingerprinting layer. Modern WAFs and anti-bot systems increasingly rely on JA4+ signatures—tracking TLS, HTTP, TCP, and certificate fingerprints—to block scraping tools or detect when users switch from browsers to scripts. By routing requests through a containerized Chrome instance, thermoptic ensures fingerprints match real browsers byte-for-byte, even across multiple layers. For defenders, this is a powerful way to test detection pipelines against sophisticated evasion tactics, validate JA4+ logging visibility, and explore how adversaries might blend into legitimate browser traffic. For ethical researchers and red teams, thermoptic offers a realistic, open-source platform to simulate stealthy scraping or covert traffic—helping security teams move from theory to resilience in the fingerprinting arms race.
Disclaimer: The tools featured here are provided strictly for educational and research purposes. They have not undergone full security audits, and their behavior may introduce risks if misused. Before experimenting, carefully review the source code, test only in controlled environments, and apply appropriate safeguards. Always ensure your usage aligns with ethical guidelines, legal requirements, and organizational policies.
🔒 Tip of the Week
Lock Down Your Router Before Hackers Ever Get a Foot in the Door — Most people think of router security as just “change the password” or “disable UPnP.” But attackers are getting far more creative: from rerouting internet traffic through fake BGP paths, to hijacking cloud services that talk directly to your router. The best defense? A layered approach that closes those doors before compromise happens.
Here are 3 advanced but practical moves you can start today:
- Protect Your Internet Route with RPKI
 Why it matters: Attackers sometimes hijack internet routes (BGP attacks) to spy on or reroute your traffic.
 Try this: Even if you’re not running a big enterprise, you can check if your ISP supports RPKI (Resource Public Key Infrastructure) using the free Is BGP Safe Yet? tool. If your provider isn’t secured, ask them about RPKI.
- Use Short-Lived Access Keys Instead of Static Passwords
 Why it matters: A single stolen router password can let attackers in for years.
 Try this: If your router supports it (OpenWRT, pfSense, MikroTik), set up SSH access with keys instead of passwords. For home or small office users, tools like YubiKey can generate one-time login tokens, so even if your PC is hacked, the router stays safe.
- Control Who Can Even Knock on the Door
 Why it matters: Most router compromises happen because attackers can reach the management port from the internet.
 Try this: Instead of leaving management open, use Single Packet Authorization (SPA) with a free tool like fwknop. It hides your router’s management ports until you send a secret “knock,” making your router invisible to scanners.
Think of your router as the “front door to your digital house.” With these tools, you’re not just locking it — you’re making sure attackers don’t even know where the door is, and even if they do, the key changes every day.
Conclusion
That wraps up this week’s briefing, but the story never really ends. New exploits, new tactics, and new risks are already on the horizon—and we’ll be here to break them down for you. Until then, stay sharp, stay curious, and remember: one clear insight can make all the difference in stopping the next attack.
 
								 
												 
												 
												 
												 
												 
												 
												 
												 
												 
												