Weekly Recap

The security landscape now moves at a pace no patch cycle can match. Attackers aren't waiting for quarterly updates or monthly fixes—they adapt within hours, blending fresh techniques with old, forgotten flaws to create new openings. A vulnerability closed yesterday can become the blueprint for tomorrow's breach.

This week's recap explores the trends driving that constant churn: how threat actors reuse proven tactics in unexpected ways, how emerging technologies widen the attack surface, and what defenders can learn before the next pivot.

Read on to see not just what happened, but what it means—so you can stay ahead instead of scrambling to catch up.

⚡ Threat of the Week

Google Patches Actively Exploited Chrome 0-Day — Google released security updates for the Chrome web browser to address four vulnerabilities, including one that it said has been exploited in the wild. The zero-day vulnerability, CVE-2025-10585, has been described as a type confusion issue in the V8 JavaScript and WebAssembly engine. The company did not share any additional specifics about how the vulnerability is being abused in real-world attacks, by whom, or the scale of such efforts. "Google is aware that an exploit for CVE-2025-10585 exists in the wild," it acknowledged. CVE-2025-10585 is the sixth zero-day vulnerability in Chrome that has been either actively exploited or demonstrated as a proof-of-concept (PoC) since the start of the year.

Cloud Security Bootcamp

2025 Virtual Cloud Security Bootcamp. Uplevel Your Skills. Register for Free

Cloud threats are evolving fast—are your defenses keeping pace? Join leading experts and learn from top cybersecurity professionals at our free bootcamp for two days of skill-building workshops, real world training, and insightful keynotes.

 Register for Free ➝

🔔 Top News

  • AI-Powered Villager Pen Testing Tool Hits 11,000 PyPI Downloads — A new artificial intelligence (AI)-native penetration testing tool called Villager has reached nearly 11,000 downloads on the Python Package Index (PyPI) just two months after release. The rapid adoption of what appears to be a legitimate tool echoes the trajectory of Cobalt Strike, Sliver, and Brute Ratel C4 (BRc4), which were created for legitimate use but have since become some of the favorite tools among cybercriminals. The release of Villager has also raised concerns over dual-use abuse, with threat actors potentially misusing it to run advanced intrusions with speed and efficiency.
  • RowHammer Attack Against DDR5 RAM From SK Hynix — Researchers have devised a new technique to trigger RowHammer bit flips inside the memory cells of DDR5 RAM modules, which were believed to be protected against such attacks. The attack allows controlled memory modification, leading to privilege escalation exploits or the leaking of sensitive data stored in restricted memory regions. "Our reverse-engineering efforts show that significantly longer RowHammer patterns are nowadays necessary to bypass these new protections," the researchers said. "To trigger RowHammer bit flips, such patterns need to remain in-sync with thousands of refresh commands, which is challenging. Our new RowHammer attack, called Phoenix, resynchronizes these long patterns as necessary to trigger the first DDR5 bit flips in devices with such advanced TRR protections."
  • Scattered Spider Members Arrested — Law enforcement authorities in the U.K. arrested two teen members of the Scattered Spider hacking group in connection with their alleged participation in an August 2024 cyber attack targeting Transport for London (TfL), the city's public transportation agency. Thalha Jubair (aka EarthtoStar, Brad, Austin, and @autistic), 19, from East London, and Owen Flowers, 18, from Walsall, West Midlands were arrested at their home addresses. In parallel, the U.S. Department of Justice (DoJ) unsealed a complaint charging Jubair with conspiracies to commit computer fraud, wire fraud, and money laundering in relation to at least 120 computer network intrusions and extorting 47 U.S. entities from May 2022 to September 2025. Victims of the ransomware attacks paid at least $115,000,000 in payments. In a related but separate announcement, the Los Angeles Metropolitan Police Department said a teenage male surrendered by himself on September 17, 2025, for allegedly attacking multiple Las Vegas casino properties between August and October 2023. The juvenile suspect has been charged with three counts of Obtaining and Using Personal Identifying Information of Another Person to Harm or Impersonate Person, one count of extortion, one count of Conspiracy to Commit Extortion, and one count of Unlawful Acts Regarding Computers. The arrests came as 15 well-known e-crime groups, including Scattered Spider, ShinyHunters, and LAPSUS$, announced that they are shutting down their operations. The collective announcement was posted on BreachForums, where the groups claimed they had achieved their goals of exposing weaknesses in digital infrastructure rather than profiting through extortion. While it's very much possible that some of the members may have decided to step back and enjoy their earnings, it does not stop copycat groups from rising up and taking their spots, or even for the threat actors to resurface under a different brand.
  • Gameredon and Turla Join Hands to Strike Ukraine — The Russian hacker group known as Turla has carried out some of the most innovative hacking feats in the history of cyber espionage, including hijacking other hackers' operations to cloak their own data extraction. Even when they're operating on their home turf, they have adopted equally remarkable methods, such as using their control of Russia's internet service providers to directly plant spyware on the computers of their targets in Moscow. The latest approach involves leveraging the access obtained by fellow FSB group Gamaredon to selectively target high-value targets with a backdoor known as Kazuar. The development marks the first known cases of collaboration between Gamaredon and Turla.
  • Microsoft and Cloudflare Dismantle RaccoonO365 PhaaS — Microsoft's Digital Crimes Unit said it teamed up with Cloudflare to coordinate the seizure of 338 domains used by RaccoonO365, a financially motivated threat group that was behind a phishing-as-a-service (PhaaS) toolkit used to steal more than 5,000 Microsoft 365 credentials from 94 countries since July 2024. RaccoonO365 is marketed to other cybercriminals under a subscription model, allowing them to mount phishing and credential harvesting attacks at scale with little to no technical expertise. A 30-day plan costs $355, and a 90-day plan is priced at $999. Cloudflare said it banned all identified domains, placed interstitial "phish warning" pages in front of them, terminated the associated Workers scripts, and suspended the user accounts.
  • Self-Replicating Worm Hits npm Registry — Another software supply chain attack hit the npm registry, this time infecting several packages with a self-replicating worm that searches developer machines for secrets using TruffleHog's credential scanner and transmits them to an external server under the attacker's control. The attack is capable of targeting both Windows and Linux systems. The incident is estimated to have affected over 500 packages.

‎️‍🔥 Trending CVEs

Hackers don't wait. They exploit newly disclosed vulnerabilities within hours, transforming a missed patch or a hidden bug into a critical point of failure. One unpatched CVE is all it takes to open the door to a full-scale compromise. Below are this week's most critical vulnerabilities, making waves across the industry. Review the list, prioritize patching, and close the window of opportunity before attackers do.

This week's list includes — CVE-2025-10585 (Google Chrome), CVE-2025-55241 (Microsoft Azure Entra), CVE-2025-10035 (Fortra GoAnywhere Managed File Transfer), CVE-2025-58434 (Flowise), CVE-2025-58364, CVE-2025-58060 (Linux CUPS), CVE-2025-8699 (KioSoft), CVE-2025-5821 (Case Theme User), CVE-2025-41248, CVE-2025-41249 (Spring Framework), CVE-2025-38501 (Linux Kernel KSMBD), CVE-2025-9242 (WatchGuard Firebox), CVE-2025-9961 (TP-Link), CVE-2025-5115, CVE-2025-59474 (Jenkins), CVE-2025-59340 (HubSpot Jinjava), CVE-2025-58321 (Delta Electronics DIALink), CVE-2023-49564 (Nokia CloudBand Infrastructure Software and Container Service), and path traversal (LVE-2025-0257) and authentication bypass or local privilege escalation (LVE-2025-0264) flaws in LG's webOS for smart TVs.

📰 Around the Cyber World

  • China's Great Firewall Leak — The Great Firewall of China (GFW) suffered its largest-ever internal data breach after unknown actors published a 600 GB trove of sensitive material – including source code, work logs, configuration files, and internal communications. The data appears to have come from the servers of Geedge Networks and the Massive and Effective Stream Analysis (MESA) Lab at the Institute of Information Engineering, Chinese Academy of Sciences. The leaked data detail efforts to conduct deep packet inspection, real-time mobile internet monitoring, instructions on how to carry out granular control over data traffic, and censorship rules tailored to different regions. InterSecLab also argues the data indicates Chinese authorities can locate netizens, adding Geedge's contributions to the Great Firewall may be copies of security appliances made by vendors Greynoise and Fortinet. The development came as Geedge Networks has been flagged for exporting technology to build national censorship firewalls. The governments of Kazakhstan, Ethiopia, Pakistan, and Myanmar have purchased and installed equipment from the company. "The company not only provides services to local governments in Xinjiang, Jiangsu, and Fujian, but also exports censorship and surveillance technology to countries such as Myanmar, Pakistan, Ethiopia, and Kazakhstan under the 'Belt and Road' framework," the Great Firewall Report said.
  • Cyber Scam Centers Likely Shift to Vulnerable Jurisdictions — Transnational criminal groups appear to be moving cyber scam centers to vulnerable countries through criminal foreign direct investment (FDI). The United Nations Office on Drugs and Crime (UNDOC) warned it had found "indications of scam center activity, including SIM cards and satellite internet devices" at a hotel in the Special Administrative Region of Oecusse-Ambeno (RAEOA). "With growing awareness and understanding of scam centers and related criminal activity, law enforcement pressure has intensified across Southeast Asia, making it more difficult for organized crime groups to operate in traditional hotspot areas," UNDOC advised. "As a result, syndicates actively create avenues for expanding operations to new jurisdictions with limited experience in scam center responses, including Timor-Leste."
  • Phishing Campaigns Drop RMM Tools — Phishing campaigns have been observed dropping remote monitoring and management (RMM) tools ITarian (aka Comodo), PDQ, SimpleHelp, and Atera, using a variety of social engineering lures, such as fake browser updates, meeting invitations, party invitations, and fake government forms. "Adversaries often use RMM tools in a stealthy and effective way to retain control over compromised systems without raising immediate alarms," Zscaler-owned Red Canary said. "Hands-on-keyboard actions allow the adversary to modify their behaviors so they blend in with day-to-day administrator activity, complicating detection opportunities." Attacks that deploy ITarian have even been found to leverage the access to deliver Hijack Loader and DeerStealer malware.
  • SVG Attachments in Phishing Emails Deliver RATs — Threat actors are continuing to leverage SVG file attachments in phishing emails to filelessly deliver XWorm and Remcos via Windows batch scripts. "These campaigns often begin with a ZIP archive, typically hosted on trusted-looking platforms such as ImgKit, and are designed to appear as legitimate content to entice user interaction," Seqrite Labs said. Upon extraction, the ZIP file contains a highly obfuscated BAT script that serves as the initial stage of the infection chain. These BAT files use advanced techniques to evade static detection and are responsible for executing PowerShell-based loaders that inject the RAT payload directly into memory."
  • Buterat Backdoor Detailed — A Windows backdoor known as Buterat has been identified as being distributed via phishing campaigns, malicious attachments, or trojanized software downloads to seize control of infected endpoints remotely, deploy additional payloads, and exfiltrate sensitive information. "Once executed, it disguises its processes under legitimate system tasks, modifies registry keys for persistence, and uses encrypted or obfuscated communication channels to avoid network-based detection," Point Wild said.
  • Mac.c Stealer Rebrands to MacSync — The macOS-focused information stealer known as Mac.c Stealer has been rebranded to MacSync, but follows the same malware-as-a-service (MaaS) model. "The old project risked dying from lack of time and funding, so it was purchased and will be developed further without dwelling on past difficulties," the threat actors said in an interview with security researcher g0njxa. "MacSync Stealer is a reliable stealer with broad functionality that emphasizes simplicity and effectiveness. Literally, you can start using it immediately after purchase." According to MacPaw Moonlock Lab, MacSync includes a fully-featured Go-based agent acting as a backdoor, expanding its functionality far beyond basic data exfiltration. "This makes MacSync one of the first known cases of a macOS stealer with modular, remote command-and-control capabilities," the company said. AMOS, which was also updated in July 2025 with its own backdoor, relies on C-based components and curl for C2 communication. In contrast, MacSync's approach is stealthier as it utilizes the native net/http library for HTTPS requests. MacSync infections have been detected in Europe and North America, with the most activity originating from Ukraine, the U.S., Germany, and the U.K.
  • Google Releases VaultGemma — Google has released VaultGemma, a large language model (LLM) designed to keep sensitive data private during training. The model uses differential privacy techniques to prevent individual data points from being exposed by adding calibrated noise, which makes it safer for handling confidential information in healthcare, finance, and government sectors. "VaultGemma represents a significant step forward in the journey toward building AI that is both powerful and private by design," Google said. "While a utility gap still exists between DP-trained and non-DP–trained models, we believe this gap can be systematically narrowed with more research on mechanism design for DP training." Last month, the tech giant released a new active learning method for curating high-quality data that reduces training data requirements for fine-tuning LLMs by orders of magnitude. "The process can be applied to datasets of hundreds of billions of examples to iteratively identify the examples for which annotation would be most valuable and then use the resulting expert labels for fine-tuning," it noted. "The ability to retrain models with just a handful of examples is especially valuable for handling the rapidly changing landscapes of domains like ads safety."
  • Indonesia Targeted by Mobile Malware Campaign — A Chinese-speaking threat group has been exploiting Indonesia's state pension fund, TASPEN, to launch a sophisticated mobile malware campaign targeting senior citizens and enabling full-spectrum data theft and financial fraud. The attack uses a phishing site mimicking TASPEN to trick users into downloading the malicious APK file. Users are directed to these links via SEO poisoning campaigns. "Disguised as an official app, the spyware steals banking credentials, OTPs, and even biometric data, enabling large-scale fraud," CloudSEK said. "Beyond financial loss, the attack erodes public trust, threatens Indonesia's digital transformation, and sets a dangerous precedent for pension fund attacks across Southeast Asia." Technical artifacts found within the malware's distribution network and communication channels, including error messages and developer comments written in Simplified Chinese, strongly suggest the involvement of a well-organized, Chinese-speaking threat actor group.
  • Luno Botnet Combines Crypto Mining and DDoS Features — A new Linux botnet campaign dubbed Luno has combined cryptocurrency mining, remote command execution, and modular DDoS attack capabilities targeting gaming platforms, suggesting long-term monetization and operational flexibility. It's advertised via the domain main.botnet[.]world. The malware launches watchdog threads that continuously monitor the parent process and respawn it under a disguised name if it terminates. It's also designed to ignore termination signals (SIGSEGV, SIGTERM, SIGINT, SIGHUP, and SIGPIPE) to protect itself from easy termination while disguising itself as bash." "Unlike conventional crypto miners or DDoS botnets, LunoC2 exhibits process masquerading, binary replacement, and a self-update system, suggesting the malware is designed as a long-term criminal infrastructure tool," Cyble said.
  • Apple macOS Users Targeted by Odyssey Stealer — Threat actors are exploiting a fake Microsoft Teams download site to deliver the Odyssey macOS stealer via the ClickFix social engineering tactic. "Once executed, the malware harvests credentials, cookies, Apple Notes, and crypto wallets, exfiltrating data to a C2 server before ensuring persistence through LaunchDaemons and even replacing Ledger Live with a trojanized version," CloudSEK said.
  • FIDO Authentication Downgrade Demonstrated — A new FIDO downgrade attack against Microsoft Entra ID can trick users into authenticating with weaker login methods, making them susceptible to phishing and session hijacking. The weaker authentication methods are vulnerable to adversary-in-the-middle (AitM) phishing attacks that employ tools like Evilginx, allowing attackers to capture valid session cookies and hijack the accounts. The attack, devised by Proofpoint, employs a custom phishlet within the Evilginx AitM framework to spoof a browser user agent that lacks FIDO support. Specifically, this involves spoofing Safari on Windows, which is not compatible with FIDO-based authentication in Microsoft Entra ID. "This seemingly insignificant gap in functionality can be leveraged by attackers," the company said. "A threat actor can adjust the AiTM to spoof an unsupported user agent, which is not recognized by a FIDO implementation. Subsequently, the user would be forced to authenticate through a less secure method. This behavior, observed on Microsoft platforms, is a missing security measure." This causes the authentication system to fallback to a less secure verification method, such as OTPs, enabling the AitM proxy to intercept a user's credentials and tokens. To prevent this type of attack, customers are recommended to deploy phishing-resistant authentication methods, along with Conditional Access enforcement.
  • Canada Shuts Down TradeOgre — The Royal Canadian Mounted Police (RCMP) shut down the TradeOgre cryptocurrency exchange and seized more than $40 million believed to originate from criminal activities, marking the first time a cryptocurrency exchange platform has been dismantled by Canadian law enforcement. The RCMP said the platform violated Canadian laws by failing to register with the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) as a money services business and that it has "reason to believe that the majority of funds transacted on TradeOgre came from criminal sources." The service had gone offline towards the end of July 2025.
  • Windows SCM for Lateral Movement — Cybersecurity researchers have demonstrated a stealthy lateral movement technique that uses Windows Service Control Manager (SCM) to execute commands on remote PCs discreetly. "Attackers can execute malicious payloads without ever dropping a file on disk by remotely modifying service configurations via built-in APIs such as ChangeServiceConfigA," Trellix said. "This type of fileless lateral movement is extremely difficult to detect with traditional security solutions that only monitor endpoints or files. Attackers may use legitimate credentials, avoid writing to disk, and blend into normal administrative behavior, making their actions appear benign."
  • Security Flaws in Novakon ICS Devices — Half a dozen security flaws (from CVE-2025-9962 through CVE-2025-9966) have been discovered in industrial control system (ICS) products made by Taiwan-based Novakon that could allow remote code execution with root privileges, retrieve and manipulate system files, and abuse weakly protected services and processes. Given that no patches have been released by the company, users are advised to restrict network access to the device and disable Ethernet configuration if serial ports are used for PLC communication.
  • U.S. Sounds Alarm on Hidden Radios in Solar-Powered Devices — The U.S. Department of Transportation's Federal Highway Department alerted highway agencies and infrastructure firms that "solar-powered highway infrastructure including chargers, roadside weather stations, and traffic cameras should be scanned for the presence of rogue devices — such as hidden radios — secreted inside batteries and inverters," according to a report from Reuters, raising fresh supply chain concerns. The note did not specify where the products containing undocumented equipment had been imported from. The risk underscores the need for suppliers to provide something akin to a Software Bill of Materials (SBOM) to inventory the hardware components in their equipment for improved visibility.
  • New Zealand Sanctions Russian Hackers — New Zealand has imposed sanctions on Russian military intelligence hackers accused of cyberattacks on Ukraine, including members of a notorious hacking unit previously tied to destructive malware campaigns. The sanctions target Unit 29155 of Russia's GRU intelligence agency, which is also tracked as Cadet Blizzard and Ember Bear.
  • DarkCloud Stealer Targets Financial Orgs — Financial enterprises are the target of a malware campaign distributing DarkCloud Stealer since August 2025 through phishing emails with malicious RAR attachments. "The observed samples were programmed to target Windows users and programmed to steal login credentials from email clients, FTP clients, and data from browsers," CyberProof said. "DarkCloud operators are also seen using the DarkCloud loader embedded into a JPG file, which is downloaded using PowerShell in the attack chain." Contained within the archive is a VBE file that, when executed, downloads the JPG image, which is then unpacked to launch the DarkCloud loader .NET DLL.
  • Model Namespace Reuse Aims for AI Supply Chains — Cybersecurity researchers demonstrated a technique called Model Namespace Reuse that exploits a fundamental flaw in the AI supply chain to gain Remote Code Execution (RCE) and additional capabilities on major platforms like Microsoft's Azure AI Foundry, Google's Vertex AI, and Hugging Face. "Model Namespace Reuse occurs when cloud provider model catalogs or code retrieve a deleted or transferred model by name," Palo Alto Networks Unit 42 said. "By re-registering an abandoned namespace and recreating its original path, malicious actors can target pipelines that deploy models based solely on their name. This potentially allows attackers to deploy malicious models and gain code execution capabilities, among other impacts." A severe consequence of this threat is that developers who rely on the trusted model catalogs of major cloud AI services could unknowingly deploy malicious models originally hosted on Hugging Face without ever interacting with Hugging Face directly. To mitigate the risks associated with Model Namespace Reuse, it's advised to pin the used model to a specific commit, clone the model and store it in a trusted location, and treat model references like any other dependency subject to policy and review.
  • New VoidProxy PhaaS Detailed — A new Phishing-as-a-Service (PhaaS) named VoidProxy has been spotted in the wild using Adversary-in-the-Middle (AitM) techniques to intercept authentication flows in real-time, capturing credentials, MFA codes and any session tokens established during the sign-in event. "VoidProxy is a novel and highly evasive service used by attackers to target Microsoft and Google accounts," Okta said. "The service is also capable of redirecting accounts protected by third-party single sign-on (SSO) providers like Okta to second-stage phishing pages." Campaigns relying on the phishing kit have leveraged compromised accounts of legitimate Email Service Providers (ESPs) such as Constant Contact, Active Campaign (Postmarkapp), and NotifyVisitors, to bypass spam filters and send email messages that trick users into providing their credentials by clicking on links that are shortened using URL shorteners like TinyURL. Before any of the phishing landing sites load, the user is presented with a Cloudflare Captcha challenge to determine if the request is from an interactive user or a bot. The malicious sites are hosted on disposable low-cost domains on .icu, .sbs, .cfd, .xyz, .top, and .home, which are protected by Cloudflare to hide their real IP addresses.
  • SideWinder Strikes Nepal with Android Malware — The advanced persistent threat actor SideWinder capitalized on the recent Gen-Z protests in Nepal to phish government entities and infect them with Android and Windows malware masquerading as legitimate emergency services. The malware, designed to siphon sensitive data, is distributed via phishing websites spoofing the Nepalese Emergency Service or an Emergency Helpline portal. In a related development, the threat actor known as Rattlesnake (aka APT-C-24) has been observed using Windows shortcut (LNK) files as payloads to execute malicious scripts in remote URLs. "These scripts are multi-layered and complex obfuscation, which eventually loads the execution attack components in memory to achieve remote control of the target host." Another campaign, attributed to Patchwork, has leveraged spear-phishing lures to distribute Quasar RAT, AsyncRAT, and the Mythic post-exploitation framework in attacks aimed at Pakistan.
  • WordPress Plugin Flaw Under Active Attack — Threat actors are exploiting a vulnerability (CVE-2025-5821, CVSS score: 9.8) in Case Theme User, a WordPress plugin bundled with various commercial WordPress themes. "This vulnerability makes it possible for an unauthenticated attacker to gain access to any account on a site, including accounts used to administer the site, if the attacker knows, or can find, the associated email address," Wordfence said. The plugin is installed on more than 12,000 websites. A patch for the flaw was released on August 13, 2025, with exploitation activity beginning on August 22.
  • Google Releases Conversion Tool for CSE Sheets — Google has made available a conversion tool to convert decrypted Google Sheets files encrypted using client-side encryption into a Microsoft Excel file. Currently, client-side encryption is available in Google Drive, Docs, Gmail, Calendar, and Meet.
  • Israel Defense Ministry Orders Seizure of IRGC Crypto Wallets — Israel's Ministry of Defense announced that it was ordering the seizure of 187 cryptocurrency wallets that allegedly belong to Iran's Islamic Revolutionary Guard Corps (IRGC), alleging that they are "used for the perpetration of a severe terror crime." These addresses have collectively received $1.5 billion in Tether's USDT stablecoin, although it's currently not known if all the transactions are directly linked to the IRGC, as blockchain analytics firm Elliptic said that "some of the addresses may be controlled by cryptocurrency services and could be part of wallet infrastructure used to facilitate transactions for many customers."
  • Europol Adds Spanish University Professor to Most Wanted List — Europol placed Enrique Arias Gil (aka Desinformador Ruso), 37, a former Spanish university professor, on its most wanted list over accusations of helping the pro-Russian hacker group NoName057(16), according to Spain's National Police. In a message on his Telegram channel, Arias Gil demanded that Spanish law enforcement drop the case within 10 hours or risk the release of alleged kompromat on senior officials. Noname057(16) has called the move a witch hunt.
  • Pro-Kremlin Op CopyCopy Sets Up New Sites — The Russian covert influence operation known as CopyCop, or Storm-1516, has been linked to new infrastructure since March 2025. This includes "200 new fictional media websites targeting the United States, France, and Canada, in addition to websites impersonating media brands and political parties and movements in France, Canada, and Armenia." The network is also said to have established a regionalized network of websites posing as a fictional fact-checking organization publishing content in Turkish, Ukrainian, and Swahili languages, Recorded Future said. In all, the group has established over 300 websites since the start of the year. These websites are likely operated by John Mark Dougan with support from the Moscow-based Center for Geopolitical Expertise (CGE) and the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). "CopyCop's core influence objectives remain eroding public support for Ukraine and undermining democratic processes and political leaders in Western countries supporting Ukraine," the company said.
  • Decade-Old Pixie Dust Wi-Fi Hack Still Affects Many Devices — Many current router models are still susceptible to a 10-year-old Wi-Fi attack named Pixie Dust, which was first disclosed in 2014. The attack allows threat actors to recover a router's Wi-Fi Protected Setup (WPS) PIN and access its Wi-Fi network by exploiting weaknesses in the key generation mechanism in the WPS protocol. According to a study by NetRise, 24 devices, including routers, range extenders, access points, and hybrid Wi-Fi/powerline products, spanning six vendors, have been found to be vulnerable to the exploit. "As of this writing, 13 devices remain actively supported but unpatched," the company said. "Another seven reached their end of life without ever receiving fixes."
  • TikTok Takes Down Influence Operation From Thailand — TikTok said it took down several influence operation networks in July 2025 that targeted the political discourse in Thailand, Ukraine, Azerbaijan, and Israel and Palestine, as well as the war between Russia and Ukraine. The largest network, comprising 398 accounts, operated from Thailand and targeted Chinese-speaking audiences. "The individuals behind this network created inauthentic accounts in order to amplify narratives of Chinese dominance and Western inefficiencies," TikTok said. "The network was found to use AI-generated content, which often incorporated various animal characters, as commentary on global events."
  • GitHub Announces Post-Quantum SSH Key Exchange Support — GitHub announced it's adding a new post-quantum secure SSH key exchange algorithm, known alternately as sntrup761x25519-sha512 and sntrup761x25519-sha512@openssh.com, to its SSH endpoints for accessing Git data. This is part of efforts to counter the threat of future decryption attacks once quantum computers become broadly available. "This only affects SSH access and doesn't impact HTTPS access at all," GitHub said. "It also does not affect GitHub Enterprise Cloud with data residency in the United States region." The new algorithm was enabled on September 17, 2025, for GitHub.com and GitHub Enterprise Cloud with data residency. It is also expected to be included in GitHub Enterprise Server 3.19.
  • Consumer Reports Urges Microsoft to Extend October 2025 Deadline — Consumer Reports called on Microsoft to extend the October 14, 2025, deadline that will cut off free security updates for Windows 10 computers, stating the move "risks harming the consumer as well as co-opting the machine to perpetuate attacks against other entities, risking national security." Around 46.2 percent of people around the world still use Windows 10 as of August 2025.
  • China Announces Stricter Data Breach Requirements — The Chinese government will require critical infrastructure operators to report security breaches within an hour of detection. The new deadline requires that all serious incidents be reported to the relevant authorities within 60 minutes – or in the case of "particularly major" events, 30 minutes. Companies that fail to report such incidents risk facing penalties. The new reporting rules will take effect starting November 1, 2025, according to the Cyberspace Administration of China (CAC). "If the network operator reports late, omitted, falsely reported or concealed network security incidents, causing major harmful consequences, the network operator and the relevant responsible persons shall be punished more severely according to law," Beijing warned.
  • Possible Ties Between Belsen Group and ZeroSevenGroup? — Cybersecurity company KELA suggested a possible connection between the Belsen Group and ZeroSevenGroup, two cybercriminal entities with ties to Yemen that emerged in January 2025 and July 2024, respectively. Both groups are known for leaking and monetizing stolen data, as well as sharing similarities in writing style and post formatting. "While these overlaps are not conclusive, they suggest a possible connection," it said.
  • SmokeLoader Returns with New Changes — SmokeLoader, which was disrupted as part of Operation Endgame in May 2024, has resurfaced with a new version in July 2025 with a modified network protocol that breaks compatibility with prior versions. The new variant is being tracked by Zscaler ThreatLabz as version 2025. Also detected earlier this February is a variant named version 2025 alpha that included bug fixes that caused performance degradation. "SmokeLoader consists of two main components: a stager and a main module," Zscaler said. "The stager has two main purposes: hinder analysis, detect virtual environments (and terminate if present), and inject the SmokeLoader main module into explorer.exe. The main module performs the bulk of the malicious functionality, including establishing persistence, beaconing to the C2 server, and executing tasks and plugins." The main function of the loader is to download and execute second-stage malware. It may also use optional plugins to perform tasks such as stealing data, launching distributed denial of service attacks, and mining cryptocurrency.
  • E.U. Spyware Vendors Pocket Startup Subsidies — A new report from Follow The Money found cases of spyware and surveillance companies using E.U. startup subsidies to create hacking tools that are then used against E.U. citizens. "The beneficiaries include some big names in the market such as the Intellexa Alliance, Cy4Gate, Verint Systems, and Cognyte, along with smaller European firms," the report said.
  • PyPI Invalidates Tokens Stolen in GhostAction Attack — The maintainers of the Python Package Index (PyPI) said they invalidated all PyPI tokens stolen from GitHub repos by a malicious action on September 5 in a supply chain attack known as GhostAction. None of the tokens were abused to upload malware to the registry, and impacted project maintainers have been notified. Users who rely on GitHub Actions to publish to PyPI are advised to replace long-lived tokens with Trusted Publishers and review account history for any suspicious activity.
  • U.K. MI6 Launches Silent Courier — The UK's foreign intelligence service, MI6, launched Silent Courier, an online portal ("mi6govukbfxe5pzxqw3otzd2t4nhi7v6x4dljwba3jmsczozcolx2vqd.onion") hosted on the dark web designed to let potential spies from Russia and elsewhere communicate with U.K. intelligence. The idea is to recruit spies "anywhere in the world with access to sensitive information relating to terrorism or hostile intelligence activity."
  • New Information Stealers Detected — Cyble, CYFIRMA, and Point Wild shared details on three new information stealer families called Maranhão Stealer, XillenStealer, and Raven, respectively.
  • New and Emerging Ransomware Strains Detected — Some of the nascent ransomware operations that have been documented in recent weeks include BlackLock, BlackNevas, BQTLOCK, Crypto24, CyberVolk, EXTEN, GAGAKICK, Gentleman, Jackpot, KillSec, LockBeast, NEZHA, Obscura, and Yurei. In particular, the Crypto24 ransomware group has been observed using a custom version of the open-source RealBlindingEDR tool to disable security software running on infected hosts prior to deploying the locker. "The threat actor's customized version employs advanced evasion, likely via unknown vulnerable drivers, showcasing deep technical expertise and ongoing tool refinement," Trend Micro said. "The group's ability to maintain persistence before encryption reflects patience and strategic planning uncommon in commodity ransomware."

🎥 Cybersecurity Webinars

  • AI + Human Workflows: Your Simple Blueprint for Secure Automation: AI can speed up your work—but only if you use it wisely. In this webinar, Thomas Kinsella, Co-founder and Chief Customer Officer at Tines, will show how top teams mix human skills, rules-based steps, and AI tools to build workflows that are clear, secure, and easy to audit. You'll walk away knowing where AI fits best and how to avoid the common traps of over-engineering.
  • Banish Costly Breaches: A Practical Blueprint for Stronger Password Security: Passwords are still the easiest way for attackers to break in—and the hardest headache for IT teams. This Halloween, join The Hacker News and Specops Software to uncover real password breach stories, see why old password rules fail, and watch a live demo of tools that block stolen credentials in real time. You'll leave with a clear, simple plan to protect your company, meet compliance needs, and end password problems for good—without making life harder for users.
  • See Every Risk from Code to Cloud—Before Hackers Spot the Gap: Modern apps move fast—from code changes to cloud deployment—but hidden gaps in visibility give attackers room to strike. Join us to see how code-to-cloud mapping unites developers, DevOps, and security teams on one clear view of risk. You'll learn how to spot vulnerabilities, secrets, and misconfigurations early, link them to real runtime exposure, and cut noise so teams can fix issues faster and with confidence.
  • Seal Every Gap: Practical Steps to Lock Down Python Packages and Containers: Python projects face bigger security risks than ever in 2025—malicious packages, repo hijacks, and vulnerable base images can all open the door to attackers. Join us to learn simple, proven ways to protect your Python supply chain. We'll show real examples of recent attacks, demo the latest scanning and signing tools, and share steps you can take now to lock down your code, containers, and dependencies with confidence.

🔧 Cybersecurity Tools

  • NPM Malware Scanner: It is a command-line tool that helps you spot dangerous or suspicious npm packages before they reach production. It scans GitHub repositories or local projects, checks every package.json file, and flags known malware or risky dependencies using a built-in database. Designed for speed and clear results, it gives developers and security teams an easy way to keep their JavaScript projects safe without extra setup.
  • VMDragonSlayer: It is a research framework built to uncover and analyze binaries protected by virtual machine–based obfuscation. It combines techniques like dynamic taint tracking, symbolic execution, pattern matching, and machine learning to speed up reverse engineering that normally takes weeks or months. With integrations for tools such as Ghidra, IDA Pro, and Binary Ninja, it helps researchers detect VM-based protectors and understand complex, custom malware environments through structured, automated analysis.

Disclaimer: The tools featured here are provided strictly for educational and research purposes. They have not undergone full security audits, and their behavior may introduce risks if misused. Before experimenting, carefully review the source code, test only in controlled environments, and apply appropriate safeguards. Always ensure your usage aligns with ethical guidelines, legal requirements, and organizational policies.

🔒 Tip of the Week

Catch Fake Cell Towers Before They Catch You — Cell-site simulators—also known as IMSI catchers or "stingrays"—mimic real cell towers to intercept calls or track devices. They're showing up in more places and can silently scoop up data from nearby phones.

Use open-source detection tools to monitor your environment. Rayhunter, created by the Electronic Frontier Foundation, runs on inexpensive mobile hotspots and watches the control traffic between your device and the cell network. It flags suspicious behavior—like forced 2G downgrades or fake tower identifiers—without snooping on your personal data.

Other Options to Explore:

  • SnoopSnitch (Android) – Uses your phone's radio diagnostics to warn of fake towers.
  • Cell Spy Catcher – Detects IMSI catchers by monitoring unusual network changes.
  • Stingray Detector apps & SDR projects – For advanced users with software-defined radios.

Quick Win: Set up one of these tools during events, protests, or when traveling in high-risk areas. Even if you're not a security pro, these tools give you a visible early warning when someone tries to spy on mobile traffic.

Pro move: Combine mobile-network monitoring with strong basics—use end-to-end encrypted messaging (like Signal) and keep your phone's OS updated. This layered defense makes it far harder for attackers to gather useful data, even if they're nearby.

Conclusion

The threat landscape won't slow down, but that doesn't mean you're powerless. Awareness is leverage: it lets you patch faster, question assumptions, and spot weak spots before they become incidents. Keep these takeaways in mind, share them with your team, and turn today's lessons into tomorrow's advantage.

The threat landscape won't slow down, but that doesn't mean you're powerless. Awareness is leverage: it lets you patch faster, question assumptions, and spot weak spots before they become incidents. Keep these takeaways in mind, share them with your team, and turn today's lessons into tomorrow's advantage.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.