The Sangoma FreePBX Security Team has issued an urgent warning about a zero-day vulnerability in FreePBX, an open-source PBX platform used to manage voice communications. Since August 21, attackers have been actively exploiting the flaw in systems where the Administrator Control Panel (ACP) is exposed to the internet.
Citrix has issued security updates to address three high-risk vulnerabilities in its NetScaler ADC and NetScaler Gateway products, one of which (CVE-2025-7775) is actively being exploited in the wild. The flaw, along with CVE-2025-7776, involves memory overflow issues that could lead to remote code execution or denial-of-service attacks. A third vulnerability, CVE-2025-8424, relates to improper access control in the NetScaler Management Interface. Citrix has released patches across several versions of its products to mitigate these threats. Meanwhile, CISA has highlighted an unrelated actively exploited vulnerability in Git (CVE-2025-48384), which could enable arbitrary code execution through improper handling of configuration files.
Cybersecurity agencies from multiple countries have linked the China-affiliated cyber espionage group Salt Typhoon to three China-based technology companies: Sichuan Juxinhe Network Technology, Beijing Huanyu Tianqiong Information Technology, and Sichuan Zhixin Ruijie Network Technology. The firms are accused of supporting China’s Ministry of State Security and the People’s Liberation Army in conducting cyberattacks targeting sensitive sectors such as government, telecom, military, transportation, and hospitality since at least 2021. Salt Typhoon is known for exploiting previously disclosed vulnerabilities in internet-facing devices rather than using zero-day exploits. The campaign has involved network intrusions, configuration changes, covert tunneling, and data exfiltration.
Exploited vulnerabilities include CVE-2024-21887 (Ivanti Connect Secure); CVE-2024-3400 (Palo Alto PAN-OS); CVE-2023-20273 and CVE-2023-20198 (Cisco IOS XE); CVE-2018-0171 (Cisco Smart Install).
French cybersecurity company HarfangLab has uncovered cyberattacks targeting Ukraine and Poland, carried out by a group known as UAC-0057 (aka UNC1151, Ghostwriter, or FrostyNeighbor), which is believed to be linked to the Belarusian government. Researchers found two separate campaigns, one focused on Ukraine, the other on Poland. The campaigns, active since at least April 2025, involve malicious Excel spreadsheets embedded in archive files, likely distributed via spearphishing emails.
A new attack method has been discovered that uses phishing emails and a sneaky filename trick to install malware on Linux systems. According to Trellix, the attack begins with a phishing email offering a small reward for completing a beauty product survey. The email includes a RAR archive attachment named yy.rar, which contains a file with a specially crafted name designed to trigger malicious code execution. Interestingly, the malware isn't hidden in the file itself, but in the file name. The name includes embedded Bash code that runs if a shell script processes the filename without proper filtering. This technique bypasses antivirus tools, which typically don't scan filenames for malicious content.
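The filename-as-payload technique above hinges on a script evaluating an untrusted name instead of treating it as data. The following POSIX shell snippet is an added example, not code from Trellix or the campaign: it flags archive member names carrying shell metacharacters and shows a handler that only ever uses the name as a quoted argument. The sample names and the helper functions are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not from the Trellix report): defensive handling of
# untrusted archive member names. Sample names below are constructed.

# Return 0 (true) if a name contains shell syntax that a script using
# eval or unquoted expansion could mistake for code.
suspicious_name() {
    case "$1" in
        *'$('*|*'`'*|*';'*|*'|'*|*'&'*|*'>'*|*'<'*|*'${'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Count suspicious names in a newline-separated listing read from stdin
# (for example an archive listing), without executing anything.
count_suspicious() {
    n=0
    while IFS= read -r name; do
        if suspicious_name "$name"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Safe handler (hypothetical helper): the name is passed only as a quoted
# argument and never evaluated. It returns the byte length of the name,
# which shows the embedded "$(...)" survived as literal text.
safe_handle() {
    printf '%s' "$1" | wc -c | tr -d ' '
}

# Constructed sample member names standing in for yy.rar's contents.
NAME_BENIGN='survey_results.xlsx'
NAME_BAD='survey$(echo probe).pdf'
```

Quoting every expansion and never passing filenames through eval or an unquoted command string is what makes the embedded code inert; the detector is a secondary check for triage of inbound archives.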
Cybersecurity firm GreyNoise said it has observed a major increase in scanning activity targeting Microsoft Remote Desktop Web Access and RDP Web Client authentication portals. The firm reports that nearly 1,971 unique IP addresses were involved in what appears to be a coordinated reconnaissance campaign. GreyNoise researchers believe the activity is probing for timing flaws, which are subtle differences in system response times that can inadvertently confirm valid usernames. Such flaws are often exploited in credential-based attacks such as brute-force or password-spraying campaigns.
A massive trove of internal files from North Korea’s Kimsuky advanced persistent threat (APT) group has been leaked on a dark web forum, revealing the inner workings of one of Pyongyang’s most active cyber espionage units. The leaked materials include virtual machine images, phishing kits, rootkits, cracked security tools, and more than 20,000 browser history records.
The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) has sanctioned Russian national Vitaliy Sergeyevich Andreyev, one North Korean individual, and two entities for supporting North Korea’s IT worker fraud schemes. According to OFAC, the sanctioned individuals and entities facilitated the placement of North Korean IT workers in overseas companies, particularly in the crypto and Web3 sectors, using fake identities. While performing legitimate work remotely, the workers funneled earnings back to the North Korean regime to fund its weapons programs. They also scouted for future opportunities to exploit their employers through data theft or ransomware attacks.
A widespread data theft campaign is targeting Salesforce customers through compromised OAuth tokens linked to the third-party Salesloft Drift app. According to Google's Threat Intelligence Group (GTIG), the threat actor UNC6395 accessed multiple Salesforce customer instances between August 8 and 18, stealing significant amounts of data. The attackers focused on harvesting credentials such as AWS access keys, passwords, and Snowflake tokens. Google said that the scope of the compromise is not exclusive to the Salesforce integration with Salesloft Drift and impacts other integrations. All Salesloft Drift customers are advised “to treat any and all authentication tokens stored in or connected to the Drift platform as potentially compromised.”
A separate Google report details a series of cyberattacks orchestrated by a threat actor tracked as UNC6384 targeting diplomats in Southeast Asia and other global entities. The attack chain employs social engineering, adversary-in-the-middle (AitM) redirection, and indirect execution techniques to avoid detection. The operation also uses valid code signing certificates, allowing the malware to masquerade as legitimate software.
A novel supply chain attack hit users of NX, a popular CI/CD automation tool, after a threat actor compromised an NX developer's npm token. Malicious updates were published to npm, containing scripts that used local AI CLI tools like Claude and Gemini to search the infected system for sensitive data such as GitHub tokens, SSH keys, and wallet files. The stolen data was encoded and uploaded to newly created public GitHub repositories, all prefixed with “s1ngularity-repository-.” The script also modified shell startup files to reboot the machine whenever a terminal was opened. Around 1,400 users were affected before the packages were removed.
A ransomware attack has disrupted over 200 Swedish municipalities and regional governments, affecting more than 80% of local city administrations. The cyberattack targeted Miljödata, a shared IT service provider. The attackers have reportedly demanded a ransom of 1.5 Bitcoin (around $160,000).
Cybersecurity company Darktrace has discovered a coordinated hacking campaign targeting SaaS accounts across several customer environments. The attacks, which happened in May 2025, involved suspicious logins from virtual private server (VPS) providers, followed by unauthorized changes to email inbox rules and the deletion of phishing-related emails. Attackers used VPS services, mainly from providers like Hyonix and Host Universal, to hide their true locations and appear as legitimate users. This helped them bypass security systems that rely on IP reputation and geolocation.
A new phishing campaign is tricking victims into installing ConnectWise ScreenConnect, a legitimate remote monitoring and management (RMM) tool, allowing attackers to take full control of computers. According to a report from Abnormal AI, hackers are abusing ScreenConnect to launch follow-up attacks, such as stealing accounts and spreading phishing emails across organizations. Over 900 organizations worldwide have already been targeted. The Mimecast Threat Research Team has recently warned of a separate long-running spear-phishing campaign that is targeting ScreenConnect cloud administrators using fake security alert emails. Each wave targets up to 1,000 accounts, tricking victims into visiting phishing sites that steal login credentials and MFA codes. Once compromised, the accounts are used as initial access points for ransomware attacks.
Microsoft Threat Intelligence says that financially motivated threat actor Storm-0501 has shifted its focus to cloud-based tactics, techniques, and procedures (TTPs). While previously known for targeting hybrid cloud environments with on-premises ransomware, the group now makes cloud-based ransomware operations its primary objective.
A financially motivated phishing campaign has been targeting supply chain-critical manufacturing companies across the globe. Dubbed “ZipLine” by Check Point Research, the campaign uses a custom in-memory malware known as MixShell. Unlike typical phishing attacks, the threat actors behind ZipLine initiate contact through companies’ public “Contact Us” forms, engaging victims in weeks of professional-sounding communication. The attackers often use fake non-disclosure agreements (NDAs) before sending a malicious ZIP file that delivers MixShell.
G Data released a detailed technical analysis of a backdoor in AppSuite PDF Editor.
A new phishing campaign is using fake voicemail messages and purchase orders to spread a malware loader known as UpCrypter. According to Fortinet FortiGuard Labs, the attackers send phishing emails that link to fake web pages, tricking users into downloading malicious JavaScript files. The files then install UpCrypter, which helps hackers deploy remote access tools (RATs) like PureHVNC, DCRat, and Babylon RAT, providing them with full control of infected computers.
Cybersecurity firm ESET has uncovered what is believed to be the first known instance of artificial intelligence-powered ransomware. Named ‘PromptLock’, the malware leverages OpenAI’s gpt-oss:20b model through the local Ollama API to generate and execute malicious Lua scripts in real time.
Anthropic's Claude Code large language model has been exploited by threat actors in various cybercriminal activities, including data extortion campaigns, ransomware development, and fraudulent schemes involving North Korean IT workers. The company says that the tool has also been used to craft lures for “Contagious Interview” campaigns, support Chinese APT operations, and assist a Russian-speaking developer in creating malware with advanced evasion techniques.
Dutch police and US authorities have seized two online marketplace domains and one blog linked to VerifTools, a group selling fraudulent identity documents used in global cybercrime schemes. The fake IDs, including driver's licenses and passports from all 50 US states and various countries, were sold for as little as $9, often paid in cryptocurrency. The counterfeit documents were designed to bypass online identity verification systems, enabling unauthorized account access.
Controversial US-based internet forums 4chan and Kiwi Farms have filed lawsuits against the UK's communications regulator, Ofcom, over the newly enacted Online Safety Act. The law, which took effect on July 25, 2025, requires websites to implement age verification systems to protect minors from harmful or illegal content. Ofcom began investigations into both platforms in June to assess compliance. 4chan refused to cooperate, resulting in a £20,000 fine, with Kiwi Farms facing a similar penalty. In response, both forums are suing Ofcom, arguing that the UK law does not apply to them since they are based in the United States and have no operations in the UK. The Online Safety Act allows fines of up to £18 million or 10% of global turnover for non-compliance.
Twenty-eight alleged members of a Chinese organized crime ring have been charged in a $65 million fraud scheme that targeted thousands of elderly victims across the US. Following a coordinated takedown in four states, 25 suspects were arrested and face charges of conspiracy to commit mail and wire fraud and money laundering. Authorities seized over $4.2 million in assets and luxury vehicles. The group, based in Southern California and active since at least 2019, collaborated with India-based scam call centers to impersonate tech support, government, and bank officials.
In other cybercrime-related news: a German man has been charged with hacking the German unit of Russia's Rosneft oil company in March 2022, stealing 20TB of data and causing €9.75 million in damages. Spanish police arrested a hacker in Seville for breaching a government school platform to alter national exam grades using stolen teacher credentials. In the meantime, two Taiwanese men were detained for selling data stolen by a Chinese-linked ransomware gang that targeted 11 local organizations, including hospitals. Also, eight men in the US face charges for stealing over $30 million from Instacart and Shipt using 7,500 hacked gig worker accounts to reroute payments and cancel orders fraudulently.