Threatsday Bulletin: Rootkit Patch, Federal Breach, OnePlus SMS Leak, TikTok Scandal & More

News Room | Published 25 September 2025 | Last updated 2025/09/25 at 11:03 AM

Sep 25, 2025Ravie LakshmananCybersecurity / Hacking News

Welcome to this week’s Threatsday Bulletin—your Thursday check-in on the latest twists and turns in cybersecurity and hacking.

The digital threat landscape never stands still. One week it’s a critical zero-day, the next it’s a wave of phishing lures or a state-backed disinformation push. Each headline is a reminder that the rules keep changing and that defenders—whether you’re protecting a global enterprise or your own personal data—need to keep moving just as fast.

In this edition we unpack fresh exploits, high-profile arrests, and the newest tactics cybercriminals are testing right now. Grab a coffee, take five minutes, and get the key insights that help you stay a step ahead of the next breach.

  1. Firmware fights back

    SonicWall has released a firmware update that it said will help customers remove rootkit malware deployed in attacks targeting SMA 100 series devices. “SonicWall SMA 100 10.2.2.2-92sv build has been released with additional file checking, providing the capability to remove known rootkit malware present on the SMA devices,” the company said. “SonicWall strongly recommends that users of the SMA 100 series products (SMA 210, 410, and 500v) upgrade to the 10.2.2.2-92sv version.” The update comes after a report from Google that found a threat actor tracked as UNC6148 deploying OVERSTEP malware on end-of-life (EoL) SonicWall SMA 100 devices. SonicWall has also disclosed that it is expediting the end-of-support (EoS) date for all SMA 100 devices to October 31, 2025, citing “significant vulnerabilities presented by legacy VPN appliances.”

  2. Texts laid bare

    A permission bypass vulnerability (CVE-2025-10184, CVSS score: 8.2) has been discovered in multiple versions of OnePlus OxygenOS installed on its Android devices. The shortcoming has to do with the fact that sensitive internal content providers are accessible without permission, and are vulnerable to SQL injection. “When leveraged, the vulnerability allows any application installed on the device to read SMS/MMS data and metadata from the system-provided Telephony provider (the package com.android.providers.telephony) without permission, user interaction, or consent,” Rapid7 said. “The user is also not notified that SMS data is being accessed.” Successful exploitation of the flaw could lead to the theft of sensitive information, such as multi-factor authentication (MFA) codes sent as SMS messages. The issue appears to have been introduced as part of OxygenOS 12, released in 2021. The vulnerability remains unpatched as of writing, but OnePlus has acknowledged it’s investigating the issue.

  3. Stop Guessing, Start Securing

    Join this session to discover why code-to-cloud visibility is fast becoming the cornerstone of modern Application Security Posture Management (ASPM). You’ll see how mapping risks from where they originate in code to where they surface in the cloud unites development, DevOps, and security teams, enabling sharper prioritization, tighter feedback loops, and faster remediation—before attackers can exploit the weak link.

  4. GeoServer hole exploited

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released a comprehensive cybersecurity advisory detailing how threat actors successfully compromised a U.S. federal civilian executive branch agency’s network on July 11, 2024, by exploiting CVE-2024-36401, a critical remote code execution vulnerability in GeoServer. “Over the three-week period, the cyber threat actors gained separate initial access to a second GeoServer via the same vulnerability and moved laterally to two other servers,” the agency said. Once compromised, the attackers uploaded (or attempted to upload) web shells such as China Chopper, along with scripts designed for remote access, persistence, command execution, and privilege escalation. The cyber threat actors also used living-off-the-land (LotL) techniques for user, service, filesystem, and network discovery, while relying on tools like fscan, dirtycow, and RingQ for network reconnaissance, privilege escalation, and defense evasion, respectively.

  5. SIM-swapping secrets spill

    Last week, three members of the notorious cybercrime group Scattered Spider were arrested. The arrests came close on the heels of the crew announcing that it was shuttering its operations. The group, composed primarily of English-speaking teenagers, is known to carry out hacking sprees using advanced social engineering tactics to breach high-profile companies, steal data, and extort them. Earlier this year, Noah Urban, a 20-year-old linked to the notorious group, pled guilty to his cybercrime charges and agreed to pay millions in restitution. In a report published last week, Bloomberg revealed his critical role as a caller, talking people into unwittingly giving the group access to sensitive computer systems by installing remote access tools. He also said he found a SIM-swapping group through Minecraft, the leader of which paid him $50 each time a call resulted in a cryptocurrency theft. Urban also said one of the collaborators, Daniel Junk, figured out a way to access T-Mobile’s customer service portal by registering his personal computer to its corporate network and using remote access software to get into the company’s SIM activation tool. Junk is said to have paid Urban to call T-Mobile stores and deceive staff into handing over their logins by claiming to be from internal security management. Urban soon graduated to employing his own callers to conduct SIM swapping, and used fake Okta login pages to trick a Twilio employee into sending their credentials. But when that account didn’t have the data he wanted, he logged into the employee’s Slack account and messaged a senior employee he’d identified on LinkedIn, asking them to send customer data belonging to 209 companies for auditing purposes. The information was subsequently used to hack more companies. In December 2022, the group also stole the personal information of 5.7 million customers of Gemini Trust and put it up for sale. This activity cluster came to be known as 0ktapus.
    The threat group would eventually join hands with other entities like LAPSUS$ and Scattered Spider to breach Crypto.com and exploit a United Parcel Service Inc. system to gather the personal data of would-be victims. Urban’s home was raided by U.S. authorities in March 2023, and he was eventually arrested in January 2024. Last month, he was sentenced to ten years in prison. “I’m not saying what I did was a good thing, it’s a horrible community, and what I did was bad,” he told Bloomberg. “But I loved my life. I like who I am. I’m glad I was able to live life as I lived it.”

  6. Stealthy SVG stings

    Threat actors are using booby-trapped SVG files as the delivery vector in an email phishing campaign targeting users in Colombia, Mexico, and Peru, stealthily delivering malware like AsyncRAT by means of a password-protected ZIP archive. The oversized SVG files contain the “full package,” eliminating the need for external connections to a remote server in order to send commands to compromised devices or download additional malicious payloads. “Attackers also appear to rely at least partly on artificial intelligence (AI) tools to help them generate customized files for every target,” ESET said. “The ability of SVG lures to carry scripts, embedded links and interactive elements makes them ripe for abuse, all while increasing the odds of evading detection by some traditional security tools.”
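The ESET quote lists the properties that make SVG a convenient lure: it can carry scripts, links and interactive elements, and an oversized file can embed the whole payload. The following is an added example, not code from ESET or from the bulletin, of a mail-gateway style triage check that parses an SVG attachment with the Python standard library and reports those active-content signals. The sample SVG documents and the 500 KB size threshold are constructed for the example; the parser is stdlib `xml.etree`, which is not hardened against entity-expansion bombs, so a production deployment would swap in `defusedxml` or an equivalent.

```python
import xml.etree.ElementTree as ET

# Link schemes that execute code when followed inside a viewer or browser.
SCRIPT_SCHEMES = ("javascript:", "vbscript:")
# Constructed threshold (bytes) above which an SVG is reported as "oversized",
# since a lure that carries its whole payload inline is unusually large.
OVERSIZED_BYTES = 500_000

def _local(name):
    """Strip an XML namespace prefix such as '{http://www.w3.org/2000/svg}'."""
    return name.rsplit("}", 1)[-1].lower()

def scan_svg(svg_text, oversized_bytes=OVERSIZED_BYTES):
    """Return (kind, where, snippet) findings for active content in an SVG document."""
    findings = []
    if len(svg_text.encode("utf-8")) > oversized_bytes:
        findings.append(("oversized", "document", f"{len(svg_text)} chars"))
    root = ET.fromstring(svg_text)
    for elem in root.iter():
        if not isinstance(elem.tag, str):
            continue  # comments / processing instructions, if a parser emits them
        tag = _local(elem.tag)
        if tag == "script":
            findings.append(("script-element", tag, (elem.text or "").strip()[:40]))
        elif tag == "foreignobject":
            # foreignObject lets arbitrary HTML ride inside the image.
            findings.append(("foreign-object", tag, ""))
        for attr, value in elem.attrib.items():
            aname = _local(attr)
            lowered = value.strip().lower()
            if aname.startswith("on"):
                findings.append(("event-handler", aname, value[:40]))
            elif aname == "href" and lowered.startswith(SCRIPT_SCHEMES):
                findings.append(("script-href", aname, value[:40]))
            elif aname == "href" and lowered.startswith("data:"):
                # Inline data: payloads need no network fetch, as described for this campaign.
                findings.append(("embedded-data", aname, value[:40]))
    return findings

def kinds(findings):
    """Distinct finding kinds, sorted, for a quick verdict or a SIEM field."""
    return sorted({f[0] for f in findings})

# Constructed sample lure: an event handler, an inline script and a javascript: link.
SUSPICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="200">
  <rect width="200" height="200" fill="#4a90d9" onclick="handle()"/>
  <script type="text/javascript">/* constructed placeholder body */ var marker = 1;</script>
  <a xlink:href="javascript:void(0)"><text x="10" y="100">Open document</text></a>
</svg>"""

# Constructed benign sample: static shapes only.
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10"><circle cx="5" cy="5" r="4"/></svg>"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("suspicious", SUSPICIOUS_SVG)):
        print(label, kinds(scan_svg(doc)))
```

A gateway would typically quarantine on any `script-element`, `event-handler` or `script-href` finding and only score `oversized` and `embedded-data`, since legitimate exported graphics sometimes embed raster images as `data:` URIs.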

  7. Right-to-left ruse

    A decade-old vulnerability can open the door to URL spoofing by exploiting how browsers handle Right-to-Left (RTL) and Left-to-Right (LTR) scripts, thereby allowing attackers to craft URLs that appear trustworthy but actually lead to a different destination. The attack has been codenamed BiDi Swap by Varonis. While punycode homograph attacks and RTL override (RLO) exploits have long been abused to deceive users and browsers into displaying deceptive text or URLs, BiDi Swap entails crafting domains that have an LTR sub-domain with some RTL parameters to spoof legitimate sites.
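The distinguishing feature of the technique described above is a URL whose host is LTR while later components contain RTL text, so that the rendered order differs from the logical order. As an added example (not Varonis's tooling or code from the bulletin), the check below uses the Unicode bidirectional classes exposed by Python's `unicodedata` to report, per URL component, whether a link mixes directions or contains explicit directional formatting characters; it generalizes to the older RLO trick as well. The sample URLs use `example.com` and are constructed for the test.

```python
import unicodedata
from urllib.parse import urlsplit

# Bidi classes of characters that render right-to-left (Hebrew, Arabic letters, Arabic digits).
RTL_CLASSES = {"R", "AL", "AN"}
# Explicit directional formatting characters: embeddings, overrides and isolates.
DIRECTIONAL_CONTROLS = {"LRE", "RLE", "LRO", "RLO", "PDF", "LRI", "RLI", "FSI", "PDI"}
# Directional marks carry ordinary L/R/AL classes, so they are matched by code point.
DIRECTIONAL_MARKS = {"\u200e", "\u200f", "\u061c"}  # LRM, RLM, ALM

def bidi_report(url):
    """Describe the direction mix of each URL component."""
    parts = urlsplit(url)
    components = {
        "host": parts.hostname or "",
        "path": parts.path,
        "query": parts.query,
        "fragment": parts.fragment,
    }
    report = {}
    for name, text in components.items():
        classes = [unicodedata.bidirectional(ch) for ch in text]
        report[name] = {
            "ltr": any(c == "L" for c in classes),
            "rtl": any(c in RTL_CLASSES for c in classes),
            "controls": any(c in DIRECTIONAL_CONTROLS for c in classes)
                        or any(ch in DIRECTIONAL_MARKS for ch in text),
        }
    return report

def bidi_risk(url):
    """Return the reasons a URL's rendered form may not match its real destination."""
    report = bidi_report(url)
    reasons = []
    for name, flags in report.items():
        if flags["controls"]:
            reasons.append(f"{name}: directional control character")
    # The pattern described for BiDi Swap: LTR host, RTL text later in the URL.
    if report["host"]["ltr"] and any(report[c]["rtl"] for c in ("path", "query", "fragment")):
        reasons.append("LTR host with RTL text in path/query/fragment")
    # Mixed scripts inside the host itself (homograph-style).
    if report["host"]["rtl"] and report["host"]["ltr"]:
        reasons.append("host mixes LTR and RTL scripts")
    return reasons

if __name__ == "__main__":
    # Constructed samples: a plain link, one with an RLO character, one with Hebrew in the query.
    for sample in ("https://example.com/account/login?next=/home",
                   "https://example.com/\u202eabc",
                   "https://example.com/files?name=\u05d0\u05d1\u05d2"):
        print(repr(sample), "->", bidi_risk(sample) or "no bidi signal")
```

Mixed-direction URLs do occur legitimately on sites serving Hebrew, Arabic or Persian content, so this is a scoring signal for a link-rewriting proxy or mail filter rather than a hard block; a sensible policy is to render the flagged link in its logical (code point) order so the user sees the real host first.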

  8. Self-replicating supply-chain menace

    CISA has published an advisory on the recent widespread supply chain compromise targeting the npm ecosystem that involved the use of a self-replicating worm named Shai-Hulud to steal credentials and propagate the malware to other packages. The malware “leveraged an automated process to rapidly spread by authenticating to the npm registry as the compromised developer, injecting code into other packages, and publishing compromised versions to the registry,” CISA said. The agency is urging organizations to conduct a dependency review, pin npm package dependency versions to known safe releases, rotate all developer credentials, mandate phishing-resistant multi-factor authentication (MFA) on all developer accounts, monitor for anomalous network behavior, harden GitHub security by removing unnecessary GitHub Apps and OAuth applications, and enable branch protection rules. “The Shai-Hulud worm represents a significant escalation in the ongoing series of NPM attacks targeting the open-source community,” Palo Alto Networks Unit 42 said. “Its self-replicating design is particularly notable, effectively combining credential harvesting with an automated dissemination mechanism that exploits maintainers’ existing publishing rights to proliferate across the ecosystem.”
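One of CISA's concrete recommendations above is to pin npm dependency versions to known safe releases, because a worm that publishes new versions under a compromised maintainer's rights is picked up automatically by any caret, tilde or wildcard range. The check below is an added example, not CISA's or Unit 42's tooling, that reads a `package.json` and lists every specifier that does not resolve to exactly one version, optionally cross-checking pinned versions against a team-maintained allowlist. The manifest and the `acme-*` package names are constructed for the example; the `known_safe` mapping is an assumed input format.

```python
import json
import re

# An exact semver release: MAJOR.MINOR.PATCH with optional pre-release and build metadata.
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$")
SECTIONS = ("dependencies", "devDependencies", "optionalDependencies", "peerDependencies")

def classify_spec(spec):
    """Return None if spec pins one exact version, otherwise a short reason it does not."""
    s = spec.strip()
    if EXACT_VERSION.match(s):
        return None
    if s in ("", "*", "latest") or s.startswith(("^", "~", ">", "<", "=")):
        return "range or tag, resolves to the newest matching publish"
    if "||" in s or " - " in s or ".x" in s:
        return "range, resolves to the newest matching publish"
    if s.startswith(("git", "github:", "http://", "https://", "file:", "link:")):
        return "non-registry source, contents can change"
    if s.startswith("npm:"):
        return "alias, check the aliased spec"
    return "not an exact version"

def find_unpinned(package_json_text, known_safe=None):
    """List (section, name, spec, reason) for every dependency that is not safely pinned.

    known_safe (assumed format): {package name: set of versions the team has reviewed}.
    A pinned version that is absent from that set is also reported.
    """
    manifest = json.loads(package_json_text)
    problems = []
    for section in SECTIONS:
        for name, spec in manifest.get(section, {}).items():
            reason = classify_spec(spec)
            if reason:
                problems.append((section, name, spec, reason))
            elif known_safe and name in known_safe and spec.strip() not in known_safe[name]:
                problems.append((section, name, spec, "pinned, but not a known-safe release"))
    return problems

# Constructed manifest: two exact pins, the rest floating in one way or another.
SAMPLE_PACKAGE_JSON = """{
  "name": "constructed-sample-app",
  "dependencies": {
    "acme-utils": "1.3.0",
    "acme-http": "^2.4.1",
    "acme-logger": "~0.9.2",
    "acme-colors": "*",
    "acme-cli": "latest",
    "acme-fork": "github:example-org/acme-fork"
  },
  "devDependencies": {
    "acme-test": ">=3.0.0 <4",
    "acme-types": "5.1.0"
  }
}"""

if __name__ == "__main__":
    for section, name, spec, reason in find_unpinned(SAMPLE_PACKAGE_JSON):
        print(f"{section}/{name} {spec!r}: {reason}")
```

Pinning in `package.json` alone is not sufficient: a committed lockfile plus `npm ci` in CI is what actually prevents an unexpected version from being installed, and the same review should cover transitive dependencies recorded in that lockfile.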

  9. Game patch turns thief

    A 2D platformer game called BlockBlasters has begun to exhibit signs of malicious activity after a patch release on August 30, 2025, that silently captures system information, a list of installed security products, and cryptocurrency wallet browser extensions, and drops the StealC information stealer while the user is playing the game. This patch affects hundreds of players who currently have the game installed on their systems, G DATA said. The game has since been pulled from Steam.

  10. Database door unlocked

    Threat actors have been observed exploiting an exposed Oracle DBS database server to execute commands remotely and create an encrypted tunnel with a command-and-control (C2) server to ultimately deploy Elons, a likely variant of the Proxima/Blackshadow ransomware that appeared in early 2024. It’s suspected that the attackers used an encrypted tunnel with a C2 server for network communication, Yarix said.

  11. Remote tool turned spy

    Trojanized ScreenConnect installers are being used to distribute AsyncRAT and a custom PowerShell RAT as part of an ongoing campaign designed to facilitate data theft and long-term access. An analysis of the various IP addresses associated with AsyncRAT activity has revealed a “resilient, evasive AsyncRAT malicious infrastructure maintained for long-term operations rather than opportunistic attacks,” Hunt.io said.

  12. Basic ransomware, big chaos

    A man in his forties from West Sussex has been arrested in connection with a cyber attack that disrupted day-to-day operations at several European airports including Heathrow. The U.K. National Crime Agency (NCA) said he has been released on conditional bail. “Although this arrest is a positive step, the investigation into this incident is in its early stages and remains ongoing,” Deputy Director Paul Foster, head of the NCA’s National Cyber Crime Unit, said. The agency did not name the suspect or say whether he acted alone or as part of a wider cybercriminal group. The incident caused hundreds of flight delays after Collins Aerospace baggage and check-in software used by several airlines failed. RTX Corporation, the owner of Collins Aerospace, said ransomware had been deployed in the attack. Although the company did not share any other details regarding the incident, cybersecurity researcher Kevin Beaumont said the attackers used an “incredibly basic” ransomware variant called HardBit.

  13. Fake mirrors hook devs

    The maintainers of the Python Package Index (PyPI) have warned of continued phishing attacks that use domain confusion and legitimate-looking emails to lure account holders into clicking fake links (“pypi-mirror.org”) and handing over their credentials, under the pretext of verifying their email address for “account maintenance and security procedures” or risk getting their accounts suspended. Package maintainers are advised to change their passwords with immediate effect if they have already clicked on the link and provided their login information. It’s also advised to check the account’s Security History for any suspicious activity.

  14. French dark market falls

    Law enforcement authorities in France have shut down a dark web marketplace catering to French-speaking users. The Dark French Anti System, or DFAS, was established in 2017 and had more than 12,000 registered users, emerging as a major hub for peddling drugs, arms, hacking tools, money-laundering schemes, and other criminal services. Authorities took control of servers and arrested two suspects, one of whom is alleged to be the site’s chief administrator and the other an accomplice who helped test its services.

  15. Global sting hauls millions

    An INTERPOL-coordinated operation spanning 40 countries and territories led to the recovery of USD 342 million in government-backed currencies, along with USD 97 million in physical and virtual assets. The operation, dubbed HAECHI-VI, took place between April and August 2025, and targeted seven types of cyber-enabled financial crimes: voice phishing, romance scams, online sextortion, investment fraud, money laundering associated with illegal online gambling, business email compromise and e-commerce fraud. As part of the ongoing effort, authorities blocked over 68,000 associated bank accounts, froze close to 400 cryptocurrency wallets, and recovered around $16 million in suspected illicit profits from cryptocurrency wallets. In addition, Portuguese law enforcement broke up a syndicate that diverted funds meant to support vulnerable families, leading to the arrest of 45 suspects who illegally accessed social security accounts and altered bank details that resulted in $270,000 stolen from 531 victims. Thai officials also seized $6.6 million in stolen assets in connection with a sophisticated business email compromise scam conducted by a transnational organized crime group comprising Thai and West African nationals. “The gang deceived a major Japanese corporation into transferring funds to a fictitious business partner based in Bangkok,” INTERPOL said.

  16. Kids’ data under spotlight

    The popular social media app TikTok has been collecting sensitive information from hundreds of thousands of Canadians under 13 years old, according to a joint investigation by privacy authorities. The report said that, “as a result of TikTok’s inadequate age-assurance measures, the company collected the personal information of a large number of Canadian children, including information that the offices consider to be sensitive.” The probe also found TikTok failed to adequately explain its collection and use of biometric information, such as facial and voice data, for video, image and audio analysis. The privacy commissioners said TikTok agreed to enhance its age verification and provide up-front notices about its wide-ranging collection of data. The company also agreed to “effectively stop” allowing advertisers to target users under the age of 18, except based on broad categories such as language and approximate location.

  17. AI turbocharges vulnerabilities

    A new report from Apiiro has found that software development teams using artificial intelligence (AI)-powered coding assistants have introduced “over 10,000 new security findings per month across repositories,” a 10× spike from December 2024. “These flaws span every category of application risk — from open-source dependencies to insecure coding patterns, exposed secrets, and cloud misconfigurations,” Apiiro said. “AI is multiplying not one kind of vulnerability, but all of them at once.” The study also found that while syntax errors in AI-written code dropped by 76% and logic bugs declined by more than 60%, privilege escalation paths jumped 322%, and architectural design flaws increased 153%. In addition, AI-assisted developers exposed cloud-related API keys and service principals nearly twice as often as their non-AI peers.

  18. Shortcut to bypass security

    In September 2024, Microsoft issued patches for a Windows Mark-of-the-Web (MotW) security feature bypass vulnerability tracked as CVE-2024-38217. Also called LNK Stomping, the flaw exploits the manner in which Windows shortcut (LNK) files are handled to strip the MotW tag and bypass security protections. According to Elastic, there are indications that the issue has been exploited as far back as February 2018, long before it was publicly documented. “LNK Stomping is an attack that manipulates the actual execution program path of a Windows shortcut file (.lnk) with an abnormal target path or internal structure,” South Korean cybersecurity company ASEC said. “It then prompts explorer.exe to remove the MoTW metadata during the ‘normalization (Canonicalization)’ process, thereby bypassing security checks.”

  19. BankBot strikes Southeast Asia

    DomainTools revealed that Indonesian and Vietnamese Android users have been targeted by banking trojans disguised as legitimate payment and government identity applications since August 2024. “The operators exhibit distinct domain registration patterns, often reusing TLS certificates and grouping domains to resolve to the same IP addresses, with a strong operational focus during Eastern Asia’s daytime hours,” the company said. It’s suspected that the threat actors are using spoofed websites imitating the Google Play Store to trick users into installing fraudulent APK files that drop a banking trojan named BankBot, which had its source code leaked on Russian-language forums in 2016. Over 100 domains have been identified as being used for malware distribution.

  20. Russian influence playbook

    A state-backed threat actor with ties to Russia is targeting the upcoming 2025 Moldovan elections with a disinformation campaign, setting up fake news sites to publish articles that amplify narratives attempting to dissuade Moldova from further aligning with the European Union and that exhibit bias against the current leadership. The multi-year activity is tracked under the name Storm-1679 (aka Matryoshka). Silent Push said it identified “technical fingerprints” linking the efforts to a Russian news site named Absatz. It also found commonalities between multiple disinformation websites, suggesting “infrastructure reuse and common ownership across this campaign.” This includes the use of two IP addresses — 95.181.226[.]135 and 91.218.228[.]51 — which have been used to host domains in connection with a Russian disinformation effort dating back to 2022. “When searching for the Russian word for Moldova (‘Молдова’) on Absatz (absatz[.]media/search), there are dozens of clear disinformation articles,” Silent Push said.

  21. Sabotage by algorithm

    New research published by CrowdStrike has found that the Chinese artificial intelligence engine DeepSeek often either refuses to help programmers or gives them low-quality code, or code containing major security flaws, when they say they are working for the banned spiritual movement Falun Gong or other groups considered sensitive by the Chinese government. “Deliberately producing flawed code can be less noticeable than inserting back doors – secret means of access for unauthorized users, including governments — while producing the same result: making targets easy to hack,” The Washington Post reported.

That wraps up this week’s Threatsday Bulletin. Use these stories as a prompt to double-check your own defenses: apply the urgent updates, tighten access controls, and talk with colleagues about what these incidents mean for your environment.

Every small action today helps prevent a big incident tomorrow.
