⚡ Weekly Recap: Bootkit Malware, AI-Powered Attacks, Supply Chain Breaches, Zero-Days & More

Last updated: 2025/09/15 at 8:43 AM
News Room Published 15 September 2025

Sep 15, 2025Ravie LakshmananCybersecurity / Hacking News

In a world where threats are persistent, the modern CISO’s real job isn’t just to secure technology—it’s to preserve institutional trust and ensure business continuity.

This week, we saw a clear pattern: adversaries are targeting the complex relationships that hold businesses together, from supply chains to strategic partnerships. With new regulations and the rise of AI-driven attacks, the decisions you make now will shape your organization’s resilience for years to come.

This isn’t just a threat roundup; it’s the strategic context you need to lead effectively. Here’s your full weekly recap, packed with the intelligence to keep you ahead.

⚡ Threat of the Week

New HybridPetya Ransomware Bypasses UEFI Secure Boot — A copycat version of the infamous Petya/NotPetya malware, dubbed HybridPetya, has been spotted, although no telemetry yet suggests it has been deployed in the wild. It differs from its predecessors in one key respect: it can compromise the Secure Boot feature of the Unified Extensible Firmware Interface (UEFI) by installing a malicious UEFI application. Attackers prize bootkits because malware installed at that level can evade detection by antivirus software and survive operating system reinstalls, and with access to the UEFI they can deploy their own kernel-mode payloads. ESET said it found HybridPetya samples uploaded to Google’s VirusTotal platform in February 2025.

🔔 Top News

  • Samsung Patches Actively Exploited Flaw — Samsung has released a fix for a security vulnerability that it said has been exploited in zero-day attacks. The vulnerability, CVE-2025-21043 (CVSS score: 8.8), concerns an out-of-bounds write that could result in arbitrary code execution. The critical-rated issue, per the South Korean electronics giant, affects Android versions 13, 14, 15, and 16. The vulnerability was privately disclosed to the company on August 13, 2025. Samsung did not share any specifics on how the vulnerability is being exploited in attacks and who may be behind these efforts. However, it acknowledged that “an exploit for this issue has existed in the wild.”
  • Google Pixel 10 Adds Support for C2PA Standard — Google announced that its new Google Pixel 10 phones support the Coalition for Content Provenance and Authenticity (C2PA) standard out of the box to verify the origin and history of digital content. Support for C2PA’s Content Credentials has been added to Pixel Camera and Google Photos apps for Android. The move, Google said, is designed to further digital media transparency. “Pixel 10 phones support on-device trusted time-stamps, which ensures images captured with your native camera app can be trusted after the certificate expires, even if they were captured when your device was offline,” Google said.
  • Chinese APT Deploys EggStreme Malware in Attack Targeting Philippines — A novel malware framework called EggStreme has been put to use in a cyber attack on a Philippine military company attributed to a government-backed hacking group from China. EggStreme framework is a tightly integrated set of malicious components that, unlike traditional malware, operates “with a clear, multi-stage flow designed to establish a resilient foothold on compromised systems.” The backdoor offers a wide range of capabilities, allowing hackers to inject other payloads, move around a victim’s network and more. The activity was observed between April 9, 2024, and June 13, 2025, indicating a year-long effort. The attackers leveraged legitimate Windows services to blend into the system’s normal operations and maintain access.
  • New RatOn Malware Targets Android — A new Android malware called RatOn has evolved from a basic tool capable of conducting Near Field Communication (NFC) relay attacks to a sophisticated remote access trojan with Automated Transfer System (ATS) capabilities to conduct device fraud. The trojan fuses NFC relay techniques, ransomware overlays, and ATS capabilities, making it a potent tool with dual-pronged objectives: initiate unauthorized fund transfers and compromise cryptocurrency wallet accounts associated with MetaMask, Trust, Blockchain.com, and Phantom.
  • Apple Debuts Memory Integrity Enforcement in iPhone Air and 17 — Apple unveiled a comprehensive security system called Memory Integrity Enforcement (MIE) that represents a culmination of a five-year engineering effort to combat sophisticated cyber attacks targeting individual users through memory corruption vulnerabilities. The technology is built into Apple’s new iPhone 17 and iPhone Air devices, which feature the A19 and A19 Pro chips. It combines custom-designed hardware with changes to the operating system to deliver what Apple describes as “industry-first, always-on” memory safety protection. MIE works by allocating each piece of a newer iPhone’s memory with a secret tag. This means only apps with that secret tag can access that memory in the future. If the secret doesn’t match, the security protections are triggered to block the request, terminate the process, and log the event. With memory corruption vulnerabilities accounting for some of the most pervasive threats to operating system security, the initiative is primarily designed to defend against sophisticated attacks, particularly from so-called mercenary spyware vendors who leverage them to deliver spyware to targeted devices via zero-click attacks that require no user interaction. Unlike Google Pixel devices, where it’s an optional developer feature, MIE will be on by default system-wide. But third-party apps, including social media and messaging applications, will have to implement MIE on their own to improve protections for their users. While no technology is hack-proof, MIE is expected to raise the cost of developing surveillance technologies, forcing companies that have working exploits to go back to the drawing board, as they will stop working on the new iPhones.
  • Open-Source Community Rallies Against npm Supply Chain Attack — A software supply chain attack that compromised several npm packages with over 2 billion weekly downloads was mitigated swiftly, leaving the attackers with little profit from their cryptocurrency heist. The incident occurred after some of the developers fell for an npm password reset phishing attack, allowing the threat actors to gain access to their accounts and publish trojanized packages with malicious code that steals cryptocurrency by redirecting transactions to wallets under their control. Specifically, the malware replaces legitimate wallet addresses with attacker-controlled ones, using the Levenshtein distance algorithm to pick the most visually similar address, making the swap nearly undetectable to the naked eye. “The attackers poorly used a widely known obfuscator, which led to immediate detection shortly after the malicious versions were published,” JFrog said. According to data from Arkham, the attackers managed to steal about $1,087. During the two-hour window they were available for download, the compromised packages were pulled by roughly 10% of cloud environments, per cloud security firm Wiz, which characterized the impact of the campaign as a “denial-of-service” attack on the industry that wasted “countless hours of work” in order to ensure the risk has been mitigated. “In the case of npm, I think the big answer is trusted publishing, which includes the use of attestation and provenance,” Aikido Security’s lead malware researcher Charlie Eriksen told The Hacker News. “Once a package becomes popular enough, it should not be possible to publish new versions of it without the use of this, in my opinion. Using trusted publishing, maintainers can configure it so that the only source that can publish new versions is through GitHub or GitLab. This requires all the normal workflows and controls that source repositories provide – like requiring multiple people to review a Pull Request before it can be merged into the main branch and cause a new release to be published.”
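The npm item above describes a payload that swaps a destination wallet address for a look-alike chosen by Levenshtein distance, so the substitute passes a quick glance at the first and last few characters. The following Python script is an added example (not code from the article, nor from JFrog, Wiz or Aikido) showing the defensive counterpart: compare the address the user intended with the address about to be submitted and flag a near-miss rather than trusting a visual spot check. The addresses are constructed hex strings, not real wallets, and the `max_dist` threshold is an illustrative choice.

```python
"""Added example, not from the article, JFrog, Wiz or Aikido.

Compare an intended wallet address with the one actually about to be sent.
A look-alike within a few edits is treated as more alarming than a random
mismatch, because it implies deliberate substitution. All addresses below
are constructed samples.
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert, delete and substitute, O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def glance_check(intended: str, actual: str, n: int = 4) -> bool:
    """The habit the malware exploits: only the first and last n characters are compared."""
    return intended[:n] == actual[:n] and intended[-n:] == actual[-n:]


def strict_check(intended: str, actual: str, max_dist: int = 6) -> str:
    """Return 'ok' on an exact match, 'substituted' for a look-alike within
    max_dist edits (assumed threshold), and 'mismatch' for anything else."""
    if intended == actual:
        return "ok"
    if levenshtein(intended, actual) <= max_dist:
        return "substituted"
    return "mismatch"


# Constructed samples: what the user pasted versus what hooked code would send.
INTENDED = "0x1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b"
SWAPPED = "0x1a2b3c4d5e6f7a8b9c0d7e2f3a4b5c6d7e8f9a0b"   # one hex digit changed mid-string
UNRELATED = "0x" + "f" * 40                              # clearly a different address


if __name__ == "__main__":
    # The glance check is fooled by the swap; the strict check names it.
    print("glance check passes the swap:", glance_check(INTENDED, SWAPPED))
    print("strict check verdict:", strict_check(INTENDED, SWAPPED))
```

The point of `strict_check` is that the full string, not a prefix and suffix, is what gets compared; wallet software that shows the user only the ends of an address invites exactly the substitution JFrog describes.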

🔥 Trending CVEs

Hackers don’t wait. They exploit newly disclosed vulnerabilities within hours, transforming a missed patch or a hidden bug into a critical point of failure. One unpatched CVE is all it takes to open the door to a full-scale compromise. Below are this week’s most critical vulnerabilities, making waves across the industry. Review the list, prioritize patching, and close the window of opportunity before attackers do.

This week’s list includes — CVE-2025-21043 (Samsung), CVE-2025-5086 (Dassault Systèmes DELMIA Apriso), CVE-2025-54236 (Adobe Commerce), CVE-2025-42944, CVE-2025-42922, CVE-2025-42958 (SAP NetWeaver), CVE-2025-9636 (pgAdmin), CVE-2025-7388 (Progress OpenEdge), CVE-2025-57783, CVE-2025-57784, CVE-2025-57785 (Hiawatha), CVE-2025-9994 (Amp’ed RF BT-AP 111), CVE-2024-45325 (Fortinet FortiDDoS-F CLI), CVE-2025-9712, CVE-2025-9872 (Ivanti Endpoint Manager), CVE-2025-10200, CVE-2025-10201 (Google Chrome), CVE-2025-49459 (Zoom Workplace for Windows on Arm), CVE-2025-10198, CVE-2025-10199 (Sunshine for Windows), CVE-2025-4235 (Palo Alto Networks User-ID Credential Agent for Windows), CVE-2025-58063 (CoreDNS etcd plugin), CVE-2025-20340 (Cisco IOS XR), CVE-2025-9556 (Langchaingo), and CVE-2025-24293 (Ruby on Rails).

📰 Around the Cyber World

  • VS Code, Cursor, and Windsurf Users Targeted by WhiteCobra — A threat actor known as WhiteCobra is targeting Visual Studio Code, Cursor, and Windsurf users with 24 malicious extensions in the Visual Studio Marketplace and the Open VSX registry. The same threat actor is believed to be behind other VS Code extensions that masqueraded as Solidity programming language tooling to deliver stealer malware, leading to the theft of around $500,000 in crypto assets from a Russian developer. The end goal of the campaign is to promote the extensions on social media platforms like X, trick developers into installing them, and exfiltrate cryptocurrency wallet phrases for profit using Lumma Stealer. According to a leaked internal playbook, the threat actors set revenue projections between $10,000 and $500,000, provide command-and-control (C2) infrastructure setup guides, and describe social engineering and marketing promotion strategies. The activity also involves running automated scripts to generate 50,000 fake downloads for social proof. “By faking massive numbers of downloads, they continue to trick developers, and sometimes even marketplace review systems, into thinking their extensions are safe, popular, and vetted,” Koi Security said. “To a casual observer, 100K installs signals legitimacy. That’s exactly what they’re counting on.”
  • Mamont Banking Trojan Prominent in Q2 2025 — Kaspersky said it detected a total of 42,220 installation packages associated with mobile banking trojans in Q2 2025, down from 49,273 in Q1 2025. “The bulk of mobile banking Trojan installation packages still consists of various modifications of Mamont, which account for 57.7%,” the Russian cybersecurity vendor said. Also prevalent were Coper, which targeted users in Türkiye, Rewardsteal, which was active in India, and Pylcasa, a new type of dropper distributed in Brazil. “They infiltrate Google Play by masquerading as simple apps, such as calculators, but once launched, they open a URL provided by malicious actors – similar to Trojans of the Fakemoney family,” it added. “These URLs may lead to illegal casino websites or phishing pages.”
  • WhatsApp Former Security Chief Files Lawsuit — Attaullah Baig, WhatsApp’s former head of security, filed a lawsuit accusing the company of ignoring systemic privacy and security issues that allegedly endangered users’ information, per The New York Times. The WhatsApp suit alleges that approximately 1,500 WhatsApp engineers had unrestricted access to user data, including sensitive personal information, and that the employees “could move or steal such data without detection or audit trail.” Baig also allegedly notified senior management of data scraping concerns on the platform that allows pictures and names of some 400 million user profiles to be scraped, often for use in account impersonation scams. Meta has disputed the allegations, stating this is a case of a former employee who “goes public with distorted claims that misrepresent the ongoing hard work of our team” after being dismissed for poor performance.
  • Spyware Found on Phones Belonging to Kenyan Filmmakers — Kenyan authorities have been accused of installing spyware on the phones of two filmmakers, Bryan Adagala and Nicholas Wambugu, who helped produce a documentary about the country’s youth uprising. The filmmakers were arrested back in May 2025 and released a day later, but their phones were confiscated and not returned until July 10. It’s believed that Kenyan authorities installed a commercial spyware app called FlexiSPY, which can record calls, track locations, listen through microphones, download photos, and capture emails and text messages.
  • Massive DDoS Attacks Averted — A DDoS mitigation service provider in Europe was targeted in a massive distributed denial-of-service attack that reached 1.5 billion packets per second. According to FastNetMon, the attack originated from thousands of IoT devices and MikroTik routers. “The attack reached 1.5 billion packets per second (1.5 Gpps) — one of the largest packet-rate floods publicly disclosed,” it said. “The malicious traffic was primarily a UDP flood launched from compromised customer-premises equipment (CPE), including IoT devices and routers, across more than 11,000 unique networks worldwide.” In a related development, Qrator said it detected and blocked on September 1, 2025, a large-scale attack carried out by what it described as the “largest L7 DDoS botnet observed to date.” The attack targeted an unnamed entity in the government sector. The botnet, comprising 5.76 million IP addresses, has been around since March 26, 2025, when it had about 1.33 million IP addresses. “The largest share of malicious traffic still came from Brazil (1.41M), Vietnam (661K), the United States (647K), India (408K), and Argentina (162K),” it said.
  • SafePay Ransomware Detailed — SafePay has been described as a highly discreet ransomware operation that does not work as a ransomware-as-a-service (RaaS) operation. “Excluding a data leak site (DLS) that names victims, there is no evidence of an external forum or community that enables the group to broaden its interactions beyond victim contact,” Bitdefender said. “There appears to be no correspondence with the public or other threat actors and potential recruits.” Since the start of the year, the group has claimed 253 victims, with most of them located in the U.S., Germany, Great Britain, and Canada.
  • DoJ Charges Tymoshchuk for Ransomware Attacks — The U.S. Department of Justice (DoJ) charged Ukrainian national Volodymyr Viktorovich Tymoshchuk (aka deadforz, Boba, msfv, and farnetwork) for his role as the administrator of the LockerGoga, MegaCortex, and Nefilim ransomware operations between December 2018 and October 2021. “Volodymyr Tymoshchuk is charged for his role in ransomware schemes that extorted more than 250 companies across the United States and hundreds more around the world,” the DoJ said. “Tymoshchuk and the other Nefilim administrators provided other Nefilim ransomware affiliates, including co‑defendant Artem Stryzhak, who was extradited from Spain and faces charges in the Eastern District of New York, with access to the Nefilim ransomware in exchange for 20 percent of the ransom proceeds extorted from Nefilim victims.” Tymoshchuk is charged with two counts of conspiracy to commit fraud and related activity in connection with computers, three counts of intentional damage to a protected computer, one count of unauthorized access to a protected computer, and one count of transmitting a threat to disclose confidential information. In 2023, Group-IB also linked Tymoshchuk to JSWORM, Karma, Nokoyawa, and Nemty ransomware gangs. Tymoshchuk, described as a “serial ransomware criminal,” remains a fugitive, with the U.S. State Department offering an $11 million reward for information leading to his arrest or other key co-conspirators. Tymoshchuk has also been placed on Europe’s Most Wanted fugitives list by France, which alleged that his group’s activities led to $18 billion worth of damages, branding him “dangerous.”
  • Kosovo National Pleads Guilty to Running BlackDB.cc — Liridon Masurica, a Kosovo national who was arrested in December 2024 and extradited to the U.S. back in May, has pleaded guilty to running BlackDB.cc, a cybercrime marketplace that has been active since 2018. “The marketplace illegally offered for sale compromised account and server credentials, credit card information, and other personally identifiable information of individuals primarily located in the United States, including those located within the Middle District of Florida,” the DoJ said. “Once purchased, cybercriminals used the items purchased on BlackDB.cc to facilitate a wide range of illegal activity, including tax fraud, credit card fraud, and identity theft.” He faces up to 10 years in prison. A sentencing date has not yet been set.
  • DoJ Seeks Forfeiture of $5M Stolen in SIM Swapping Scams — The DoJ filed a civil forfeiture complaint against over $5 million in bitcoin (BTC), which are alleged to be ill-gotten gains from multiple SIM swap attacks targeting five victims across the U.S. between October 29, 2022, and March 21, 2023. “The perpetrators of these thefts utilized a SIM swapping technique that allowed the perpetrators to authenticate their unauthorized access to the victims’ cryptocurrency accounts and transfer the victim’s funds to perpetrator-controlled accounts,” the DoJ noted. “After each of the five thefts occurred, the perpetrators moved the stolen funds through multiple cryptocurrency wallets and ultimately consolidated them into one wallet that funded an account at Stake.com, an online casino. Many of these transactions were circular in that they eventually returned funds to their original source, and consistent with money laundering utilized to ‘clean’ proceeds of criminal activity.”
  • New Phishing Campaign Targets Google Workspace — Researchers have uncovered a new phishing campaign targeting Google Workspace organizations through fraudulent AppSheet-branded emails. The attack illustrates how traditional security controls become useless when attackers abuse legitimate infrastructure to deliver malicious content that sails past every deployed security filter. “The reliance on commonly used or well-known brands in social engineering attacks is nothing new, however, these attacks still remain quite effective,” Erich Kron, security awareness advocate at KnowBe4, said. “Leveraging brands that are known to potential victims exploits the trust that these brands have worked so hard to establish. These types of attacks are meant to blend in with normal day-to-day activities, further increasing the trust level of the potential victim. By using a platform that sends from a known and trusted source, many technical filters and controls are bypassed, and a key red flag is taken away from the potential victim.”
  • ToolShell SharePoint Exploit Chain Detailed — Cybersecurity researchers shared technical insights into the SharePoint flaws known as ToolShell that came under active exploitation in July 2025. Some of these attacks have led to the deployment of Warlock, a customized derivative of LockBit 3.0. The group made its public debut on the Russian-language RAMP forum in early June 2025. “In a short period of time, the threat actor behind Warlock evolved from a bold forum announcement into a rapidly growing global ransomware threat, setting the stage for even more sophisticated campaigns — including those leveraging the SharePoint ToolShell vulnerability that would bring the group into the spotlight,” Trend Micro said. The vulnerabilities impact self-hosted SharePoint Server 2016, 2019, and Subscription Edition, enabling unauthenticated remote code execution and security bypasses. “The ToolShell vulnerability chain represents one of the most critical SharePoint security threats observed in recent years,” Trellix said. “The combination of unauthenticated remote code execution and cryptographic key theft creates a perfect storm for persistent compromise and lateral movement.”
  • New PoisonSeed Domains Flagged — New domains have been identified as linked to PoisonSeed, a financially motivated threat actor known for its phishing operations. “These domains primarily spoof the email platform SendGrid and are likely attempting to compromise enterprise credentials of SendGrid customers,” DomainTools said. “They display fake Cloudflare CAPTCHA interstitials to add legitimacy to malicious domains before redirecting targeted users to phishing pages.”
  • Salat Stealer Spotted — A new information stealer called Salat Stealer (aka WEB_RAT or WebRAT) has been detected in the wild. Written in Go, the stealer is offered under a malware-as-a-service (MaaS) model by Russian-speaking actors. “The malware exfiltrates browser credentials, cryptocurrency wallet data, and session information while employing advanced evasion techniques, including UPX packing, process masquerading, registry run keys, and scheduled tasks,” CYFIRMA said. The malware is assessed to be the work of a threat actor known as NyashTeam, which is also known for selling DCRat, per Russian cybersecurity company F6.
  • Plex Urges Password Change After Breach — Plex urged users to change their password, enable two-factor authentication, and sign out of any connected devices that might already be logged in the wake of a security incident where a database was accessed by “an unauthorized third-party” exposing emails, usernames, and hashed passwords for a “limited subset” of customers. The company said no financial data was exposed.
  • Tor Project Releases Official Android VPN App — The maintainers of the Tor Project have released an official VPN app that allows Android users to route all their traffic through the Tor network.
  • Flaws in Viidure App — Police-issued body cameras have become prevalent tools for recording law enforcement encounters. But a recent study has unearthed troubling design choices in a budget-friendly system that compromise both privacy and data integrity. The Viidure mobile application, designed to transfer video evidence from the camera’s onboard Wi-Fi hotspot to cloud servers, was found to communicate over a nonstandard TLS port, directing sensitive information to cloud servers based in China. “This traffic interception would be concerning for any mobile application, but it’s especially worrying given the sensitive nature of the video data being handled in this case,” Brown Fine Security said.
  • Microsoft Announces Plans to Phase Out VBScript — Microsoft has officially announced a multi-phase plan to deprecate Visual Basic Script (aka VBScript) in Windows, a move that signals a significant shift for developers, particularly those working with Visual Basic for Applications (VBA). The change, first detailed in May 2024, will gradually phase out the legacy scripting language, requiring developers to adapt their projects to ensure future compatibility.
  • SpamGPT Sold on Cybercrime Forums — A new AI-based email attack automation toolkit dubbed SpamGPT is being advertised on underground forums as a game-changer for cybercriminals. “This platform is designed to compromise email servers, bypass spam filters, and orchestrate mass phishing campaigns with unprecedented ease,” Varonis said. “SpamGPT combines the power of generative AI with a full suite of email campaign tools, lowering the barrier for launching spam and phishing attacks at scale.” The discovery of SpamGPT is the latest evidence of threat actors embracing large language models (LLMs) and other AI tools to craft more effective attacks.
  • ArgoCD Attack to Exfiltrate Git Credentials — A newly disclosed attack technique allows authenticated users within the popular GitOps tool Argo CD to exfiltrate Git credentials. The method, according to Future Sight, exploits Kubernetes’ internal DNS resolution to intercept credentials in transit, posing a significant risk to organizations relying on the continuous delivery tool. The issue is being tracked as CVE-2025-55190. It has been addressed in versions v3.1.2, v3.0.14, v2.14.16, and v2.13.9. “API tokens with basic project permissions can retrieve all repository credentials associated with a project through the detailed project API endpoint,” ArgoCD said in an advisory.
  • NASA Cuts Off Access to Chinese Nationals — U.S. space agency NASA has cut off Chinese nationals from accessing its premises and assets, including those who hold visas that permit them to reside in the USA. The agency said it “has taken internal action pertaining to Chinese nationals, including restricting physical and cybersecurity access to our facilities, materials, and network to ensure the security of our work.”
  • Mr Hamza Releases Abyssal DDoS Tool — The anti-Israel and pro-Palestinian hacktivist group known as Mr Hamza has developed a Python-based DDoS attack tool called Abyssal DDoS. The tool offers 32 attack methods, targeting various layers of the network and application stack, per Radware. “Beyond the various attack methods, Abyssal DDoS also includes features aimed at increasing the tool’s effectiveness and usability,” it said. “The tool generates randomized HTTP request headers, such as User-Agent, Accept and Referrer, which adds a layer of obfuscation and may help avoid simple header-based classification.”
  • Vidar Stealer Bounces Back — Threat hunters have observed a fresh malware campaign distributing Vidar Stealer in recent weeks using new obfuscation techniques. The malware adopts a multi-pronged strategy using phishing emails, compromised or fake sites, and malvertising campaigns, allowing it to reach a broader audience while bypassing defenses. Besides attempting to sidestep AMSI and setting up persistence using scheduled tasks, it uses Telegram profiles to retrieve its command-and-control (C2) server details using a dead drop resolver mechanism. “The malware blends stealth with persistence by disguising its traffic as ‘PowerShell’ to appear legitimate while using exponential backoff with jitter to make repeated connections less noticeable,” Aryaka said. “Errors during communication are quietly suppressed, reducing logs and avoiding attention from defenders. To guarantee reliability, it persistently retries downloads several times even in unstable environments. At the same time, it randomizes directories and filenames, ensuring each instance looks different and making signature-based detection more difficult.”
  • Kaspersky Warns of Dual-Purpose Groups Targeting Russia — Kaspersky has warned of dual-purpose groups in the Russian threat landscape that exhibit traits associated with hacktivists and financially motivated entities. “They use the same tools, techniques, and tactics, and even share common infrastructure and resources,” Kaspersky said. “Depending on the victim, they may pursue a variety of goals: demanding a ransom to decrypt data, causing irreparable damage, or leaking stolen data to the media. This suggests that these attackers belong to a single complex cluster.”
  • Microsoft Teams Gains Support for Phishing Link Alerts — Microsoft Teams will automatically alert users when they send or receive a private message containing links that are tagged as malicious. “Teams automatically scans the URL against threat intelligence databases to identify potentially malicious links,” Microsoft said. “If a harmful link is detected, Teams displays clear warnings to both the sender and all recipients in the conversation.”
  • Microsoft Fixes Copilot Audit Log Bug — Microsoft patched a vulnerability that could have been exploited to prevent Copilot interactions from being logged in audit logs. When Copilot was prompted to summarize a file, the action would be logged. But if the AI assistant was explicitly asked not to link to the document and not to include it as a reference, the action would not get logged, Pistachio reported.
  • Flaws in Carmaker Dealership Portal — Severe vulnerabilities have been uncovered in the online dealership portal of a major carmaker. Security researcher Eaton Zveare said the bugs could have allowed attackers to create their own admin accounts, leak the private information and vehicle data of its customers, and remotely break into their vehicles. The vulnerabilities resided in the portal’s login system and were patched in February. Zveare has previously found flaws in Honda and Toyota systems.
  • Remote Access Software Abuse a Common Pre-Ransomware Indicator — Abuses of remote access software (AnyDesk, Atera, Microsoft Quick Assist, and Splashtop) and services (RDP, PsExec, and PowerShell) are the most common ‘pre-ransomware’ indicators, according to new research from Cisco Talos.
  • Finnish Hacker Released from Jail — Finnish hacker Aleksanteri Kivimäki has been released from prison following an appeal. Kivimäki broke into the psychotherapy centre Vastaamo in 2020 and released highly sensitive patient files. He was arrested in 2023 and subsequently sentenced last year to six years in prison. The court released him, given that he was a first-time offender and had already served almost half of his sentence.
  • Electron Framework Flaw Can be Used to Bypass Integrity Checks — A newly discovered vulnerability (CVE-2025-55305) in the Electron framework could allow attackers to bypass code integrity checks by tampering with V8 heap snapshot files, enabling local backdoors in applications like Signal, 1Password, and Slack. “A majority of Electron applications leave integrity checking disabled by default, and most that do enable it are vulnerable to snapshot tampering,” Trail of Bits said. “However, snapshot-based backdoors pose a risk not just to the Electron ecosystem, but to Chromium-based applications as a whole.”
  • Nulled Plugins Target WordPress Sites — A new campaign is using “nulled” WordPress plugins to backdoor websites with rogue admin accounts. “This campaign is particularly concerning because it doesn’t just infect websites: it enables attackers to bypass existing security defenses while achieving persistent access, effectively turning developers or site owners into unwitting collaborators in weakening their own site’s defences,” Wordfence said.
  • China Mulls Severe Penalties for Security Failures — The Chinese government is proposing a draft amendment to its cybersecurity law that would increase fines for data breaches and introduce certification requirements for technology products. Critical infrastructure operators could face fines of up to $1.4 million (¥10 million). Individuals responsible for a breach could also face personal fines of up to $14,000 (¥100,000). The amendment also threatens harsher penalties for companies storing “important” data overseas.
  • U.K. Elections Watchdog Says it Took 3 Years to Recover from 2021 Breach — The U.K. Electoral Commission said it’s taken three years and at least a quarter of a million pounds to fully recover from an August 2021 hack that saw the private details of 40 million voters accessed by Chinese threat actors. The attack was attributed to a hacking group named APT31. Last July, the Electoral Commission was reprimanded by the Information Commissioner’s Office over the security lapse. “Since the attack, we have made changes to our approach, systems, and processes to strengthen the security and resilience of our systems and will continue to invest in this area,” the commission said.
  • New TONESHELL Variant Detected — A new version of the TONESHELL backdoor has been observed being deployed in cyber attacks targeting Myanmar. While this variant does not introduce any new “revolutionary” features, it employs several stalling and anti-sandboxing tricks designed to waste time, pollute control flow, confuse automated analysis, and evade lightweight sandboxes. The malware has been historically used by a Chinese espionage nexus known as Mustang Panda. “The continuous refinement of these evasion methods, coupled with the geopolitical significance of the targeted region, reinforces the need for ongoing research and threat hunting to counter cyber operations,” Intezer said.
  • New Exploit Allows Firewall Bypass — A new exploit devised by Ethiack has been found to bypass the web application firewalls (WAFs) of nine vendors by abusing HTTP parameter pollution techniques to facilitate JavaScript injection attacks. “With bypass success rates escalating from 17.6% for simple payloads to 70.6% for complex parameter pollution payloads, the data clearly demonstrates that WAFs relying on pattern matching struggle to defend against attacks that exploit fundamental differences in parsing between WAFs and web applications,” the company said.
  • U.S. Treasury Sanctions 19 People and Entities in Connection with Scam Operations — The U.S. Treasury Department on Monday sanctioned multiple people and businesses associated with cyber scam centers across Myanmar and Cambodia. The sanctions take aim at the Burmese, Cambodian and Chinese nationals running entities controlling and supporting scam centers that have led to more than $10 billion in losses from Americans. The sanctions target nine people and companies involved in running Shwe Kokko — a hub for scam centers in Myanmar — as well as four individuals and six entities for their roles operating forced labor compounds in Cambodia under the protection of the already-sanctioned Karen National Army (KNA). Scam centers in Southeast Asia are run by cybercrime organizations that recruit workers under false pretenses and use violence and threats of forced prostitution to coerce them to scam strangers online via messaging apps or text messages. “These sanctions protect Americans from the pervasive threat of online scam operations by disrupting the ability of criminal networks to perpetuate industrial-scale fraud, forced labor, physical and sexual abuse, and theft of Americans’ hard-earned savings,” U.S. Secretary of State Marco Rubio said. In a related development, a 39-year-old California man, Shengsheng He, was sentenced to 51 months in prison for laundering more than $36.9 million in crypto assets linked to scam compounds operating out of Cambodia. The court also ordered him to pay $26,867,242.44 in restitution to victims. “The defendant was part of a group of co-conspirators that preyed on American investors by promising them high returns on supposed digital asset investments when, in fact, they stole nearly $37 million from U.S. victims using Cambodian scam centers,” the DoJ said. “Foreign scam centers, purporting to offer investments in digital assets have, unfortunately, proliferated.” Eight co-conspirators have pleaded guilty so far, including Daren Li and Lu Zhang.

🎥 Cybersecurity Webinars

  • Stop AppSec Blind Spots: Map Every Risk From Code to Cloud → Join our live webinar to see how code-to-cloud visibility closes hidden security gaps before attackers strike. You’ll discover how connecting code and cloud risks creates one clear view for developers, DevOps, and security teams—so you can cut noise, fix issues faster, and keep your critical apps safe.
  • Proven Steps to Build AI Agents with Strong Security Controls → Discover how to protect your AI agents while unlocking their full business potential. This webinar explains what AI agents are, the new cyber risks they introduce, and the practical security steps that keep your data and customers safe. Gain simple, proven strategies from Auth0 experts to build AI solutions that stay secure and trusted as they scale.
  • Who’s Behind the Shadow AI Agents? Expose the Identities Before They Strike → Shadow AI agents are spreading fast across clouds and workflows—often unseen. Join our webinar to learn how to spot these rogue agents, uncover the hidden identities behind them, and take simple steps to keep your AI operations secure and under control.

🔧 Cybersecurity Tools

  • Inboxfuscation → A new free tool that shows how hackers could hide harmful email rules in Microsoft Exchange. It uses special Unicode tricks—like invisible spaces and look-alike letters—to slip past normal security checks. It helps security teams and email admins spot these hidden rules and improve their defenses.
  • Azure AppHunter → A free PowerShell tool that helps spot risky permissions in Azure. It finds service principals or managed identities with powerful roles—like Global Admin or subscription Owner—that could let attackers escalate access. It’s useful for security teams, red teamers, and defenders to quickly check Azure apps and tighten permissions before they’re abused.

Disclaimer: The tools featured here are provided strictly for educational and research purposes. They have not undergone full security audits, and their behavior may introduce risks if misused. Before experimenting, carefully review the source code, test only in controlled environments, and apply appropriate safeguards. Always ensure your usage aligns with ethical guidelines, legal requirements, and organizational policies.

🔒 Tip of the Week

Build a Truly Anonymous Burner Mail System — Standard burner emails are a risk. Reusing a single inbox for research creates a digital fingerprint, and temporary services often leak your real identity. For true anonymity, you need to build your own system that’s private, untraceable, and fully under your control.

Here’s how to architect it like a pro:

  1. Own Your Infrastructure: Get a new, neutral domain and use it exclusively for your burner mail. Host your mail server (like Postfix) on separate, anonymous infrastructure. Use DNSSEC to secure your domain and set up strict SPF, DKIM, and DMARC policies to prove your emails are legitimate and can’t be spoofed.
  2. Automate Everything: Create a unique email address for every single website or sign-up. This prevents sites from linking to your activity. Set up your system to automatically create these addresses, and build in rules to instantly delete any alias that starts receiving spam.
  3. Lock Down Your Data: Forward all mail to your real inbox using end-to-end encryption (like OpenPGP). This ensures no one can read your mail, even if your server is compromised. Also, configure your system to strip out all identifying information from email headers, such as your timezone or mail client, so your digital trail goes cold.
  4. Leave No Trace: The last step is to get rid of your logs. A key rule of good security is not to collect data you don’t need. Log only the bare minimum for monitoring, and then automatically purge everything on a regular schedule. This makes it impossible for an attacker to piece together your past activity.

Following this approach turns a simple burner email into a forensically resilient identity service, keeping you in control and your online actions truly private.
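Steps 2 and 3 above (one alias per site, burn an alias the moment spam arrives, scrub identifying headers before forwarding) are small enough to show in working code. The script below is an added illustration, not part of the original tip: the domain, forwarding inbox, the list of headers treated as leaky, and the sample message are all constructed placeholders, and the alias map is emitted in the Postfix virtual_alias_maps line format mentioned in step 1.

```python
import secrets
from datetime import timezone
from email import policy
from email.parser import BytesParser
from email.utils import format_datetime

BURNER_DOMAIN = "burner.example"   # assumed placeholder domain
REAL_INBOX = "me@private.example"  # assumed placeholder forwarding target
# Headers that expose the client, origin IP or relay path (assumed list).
LEAKY_HEADERS = ("User-Agent", "X-Mailer", "X-Originating-IP", "Received")


class AliasBook:
    """One random alias per site; an alias that receives spam is burned at once."""

    def __init__(self, domain=BURNER_DOMAIN, inbox=REAL_INBOX):
        self.domain, self.inbox = domain, inbox
        self.by_site = {}   # site -> local part issued to it
        self.live = set()   # local parts that still forward

    def alias_for(self, site):
        if site not in self.by_site:
            local = secrets.token_hex(6)  # 48 random bits, unrelated to the site name
            self.by_site[site] = local
            self.live.add(local)
        return f"{self.by_site[site]}@{self.domain}"

    def burn(self, address):
        """Stop forwarding an alias; returns the site it was issued to, if any."""
        local = address.split("@", 1)[0]
        self.live.discard(local)
        return next((s for s, l in self.by_site.items() if l == local), None)

    def virtual_alias_map(self):
        """Lines in Postfix virtual_alias_maps format: '<alias> <destination>'."""
        return "\n".join(f"{l}@{self.domain} {self.inbox}" for l in sorted(self.live))


def scrub_headers(raw):
    """Drop client/origin headers and re-express Date in UTC (hides the timezone)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    for name in LEAKY_HEADERS:
        del msg[name]  # removes every occurrence of that header
    if msg["Date"] is not None:
        msg.replace_header("Date", format_datetime(msg["Date"].datetime.astimezone(timezone.utc)))
    return msg


# Constructed sample message with a local-network Received line and a +0300 offset.
SAMPLE = (b"Received: from laptop.lan (10.0.0.5)\r\nFrom: a@burner.example\r\n"
          b"To: shop@vendor.example\r\nDate: Mon, 15 Sep 2025 10:00:00 +0300\r\n"
          b"User-Agent: SomeMailClient/1.0\r\nSubject: hi\r\n\r\nbody\r\n")
```

Hooking this up means feeding `virtual_alias_map()` into Postfix and running `scrub_headers()` on the forwarding path, both of which depend on your own mail setup.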

Conclusion

As we close the book on this week, consider this: the most dangerous threats aren’t the ones you patch, but the ones you don’t yet see. The patterns we’ve discussed—from supply chain exploits to the weaponization of AI—aren’t isolated events; they are glimpses into a future where defense demands more than just technical fixes. It requires a fundamental shift in strategy, focusing on resilience, trust, and the human element. The real work begins now.
