Google rolled out a critical security update for its Chrome web browser to address four vulnerabilities, including a high-severity zero-day flaw that is already being exploited in the wild. The zero-day vulnerability, tracked as CVE-2025-10585, is described as a type confusion issue in Chrome's V8 JavaScript and WebAssembly engine.
Apple has backported security fixes for the CVE-2025-43300 vulnerability in the ImageIO component, which could lead to memory corruption when handling malicious image files. The flaw was actively exploited in the wild. WhatsApp confirmed that this vulnerability was combined with another (CVE-2025-55177) in targeted spyware attacks against fewer than 200 individuals using iOS and macOS devices.
The US Cybersecurity and Infrastructure Security Agency (CISA) has released a security alert describing an attack on an unnamed organization that dropped malware on the victim’s network after exploiting the CVE-2025-4427 and CVE-2025-4428 vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM). Using the flaws, the attackers were able to execute arbitrary commands, collect system data, map the network, and steal LDAP credentials. They also deployed two sets of malicious files in the “/tmp” directory to maintain persistence by injecting and running code on the compromised server.
Slovak cybersecurity firm ESET said it observed a collaboration between two Russian state-sponsored hacking groups, Gamaredon (aka Aqua Blizzard/Armageddon) and Turla (aka Secret Blizzard/Venomous Bear), in cyberattacks targeting Ukrainian entities. Gamaredon’s tools named ‘PteroGraphin’ and ‘PteroOdd’ were used to deploy Turla’s Kazuar backdoor on Ukrainian systems. ESET also noted Kazuar version 2 being delivered via other Gamaredon malware, including PteroOdd and PteroPaste. Both groups are believed to be affiliated with Russia’s FSB and have a long history of operations against Ukraine.
Sekoia.io’s Threat Detection and Response (TDR) team has analyzed two previously unknown malware samples attributed to the Russia-linked state-backed threat actor APT28. The research builds upon a July 2025 report from CERT-UA detailing the BeardShell backdoor and the Covenant framework.
China-aligned threat actor TA415 has been linked to spear-phishing campaigns targeting US government agencies, think tanks, and academic institutions. The attacks use US-China economic-themed lures and deliver infection chains that establish Visual Studio Code (VS Code) Remote Tunnels, allowing persistent remote access without traditional malware. TA415 also leverages legitimate services like Google Sheets, Google Calendar, and VS Code for command-and-control (C2) operations.
A Chinese APT group compromised a Philippine military company using a new fileless malware framework called EggStreme. This multi-stage toolset conducts stealthy, persistent espionage by injecting code directly into memory and using DLL sideloading to deploy its payloads. Its main component, EggStremeAgent, is a powerful backdoor capable of system reconnaissance, lateral movement, and data theft, including through a built-in keylogger.
Russian ransomware gangs are leveraging a new malware loader called CountLoader to deploy post-exploitation tools such as Cobalt Strike, AdaptixC2, and the PureHVNC RAT. According to Silent Push, CountLoader is likely used either by Initial Access Brokers (IABs) or ransomware affiliates connected to the LockBit, Black Basta, and Qilin groups. The malware comes in three versions (.NET, PowerShell, and JavaScript) and has been seen in phishing campaigns targeting Ukrainian individuals, using fake National Police of Ukraine PDF lures. The PowerShell variant was also previously linked to DeepSeek-related decoys. Silent Push has not yet determined what malware is ultimately dropped via CountLoader.
The Russian covert influence network CopyCop (aka Storm-1516) is expanding its disinformation efforts, Recorded Future’s Insikt Group warns. The network has created over 300 deceptive websites in 2025, including 200 new fictional media sites targeting the US, France, and Canada, along with sites impersonating legitimate media outlets and political movements in France, Canada, and Armenia. CopyCop also launched a regionalized fake fact-checking network publishing in Turkish, Ukrainian, and Swahili, languages it hadn’t used previously.
New Zealand has imposed sanctions on Russian military intelligence hackers accused of launching destructive cyberattacks against Ukraine, including members of a notorious GRU unit previously linked to high-profile espionage and sabotage campaigns. The sanctions target Unit 29155 of Russia’s GRU intelligence agency. The group, also known as Cadet Blizzard and Ember Bear, is accused of orchestrating the 2022 WhisperGate malware attack on Ukrainian government networks that took place just before Moscow’s full-scale invasion.
China’s top internet regulator has issued new rules requiring network operators to report “particularly serious” cybersecurity incidents within one hour. Under the new rules, incidents classified as “particularly serious” must be reported to cyberspace and public security authorities within an hour. Such incidents include extended outages of government or key media portals, massive hacking attacks, and large-scale data leaks such as the breach of over 100 million citizens’ personal records or damages exceeding 100 million yuan ($14 million).
A suspected North Korean hacking group known as Kimsuky has used artificial intelligence tools, including ChatGPT, to generate a deepfake South Korean military ID as part of a sophisticated phishing operation, according to new research from South Korean cybersecurity firm Genians. The cyberattack, uncovered in July, involved a fake draft of a South Korean military identification card created using generative AI.
A new Zscaler ThreatLabz report examines two new versions of the well-known SmokeLoader malware, which continues to be updated and used by multiple threat actors despite the major disruption caused by a law enforcement operation in May 2025. In a separate report, ThreatLabz analyzes two malicious Python packages named sisaws and secmeasure that deliver SilentSync, a Python-based RAT.
HUMAN’s Satori Threat Intelligence and Research Team has uncovered a large-scale ad and click fraud operation called SlopAds, involving 224 Android apps downloaded over 38 million times across 228 countries. The apps use steganography to hide their malicious code and create hidden WebViews to generate fake ad impressions and clicks. The operation is tied to an AI-themed infrastructure, with many of the fraudulent apps also adopting AI-related branding.
A new Sophos report shares some details about a ransomware group called Gold Salem (also known as Warlock Group or Storm-2603), active since March 2025. The group has targeted 60 organizations in North America, Europe, and South America, mostly avoiding targets in China and Russia. However, a recent attack on a Russian company suggests the group may not be based in Russia. Gold Salem appeared publicly in June 2025 on hacker forums, looking for hacking tools and partners. The group uses advanced techniques, including a set of SharePoint exploits (CVE-2025-49704, CVE-2025-49706, CVE-2025-53770, and CVE-2025-53771), to break into networks.
Palo Alto Networks Unit 42 has spotted an ongoing and widespread software supply chain attack targeting the npm ecosystem. The attack involves a novel self-replicating worm, dubbed ‘Shai-Hulud,’ which has compromised over 180 npm packages. The campaign likely began with a phishing scheme impersonating npm, tricking developers into updating their MFA settings. After gaining access, the attacker deployed a multi-stage malicious payload designed to propagate across systems.
A separate campaign aimed at the npm registry has compromised over 40 packages maintained by multiple developers. According to supply chain security firm Socket, the attackers inject malicious JavaScript code into popular npm packages through a tampered publishing function. The affected function (NpmModule.updatePackage) manipulates package tarballs by modifying package.json, injecting a malicious script (bundle.js), and repackaging the archive for redistribution.
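The two npm items above describe the same pair of tampering indicators: a lifecycle script added to package.json so that the payload runs at install time, and a file (bundle.js) that the legitimate release never shipped. The script below is an added defender-side check, not code from Socket, Unit 42, or any npm project: it builds two constructed sample tarballs in memory (a hypothetical package named "example-lib" and a tampered copy of it), then audits a tarball for install-time hooks and for files missing from the last known-good release's file list. The package name, file contents, and the "known-good" file set are assumptions for the demonstration.

```python
"""Audit an npm package tarball for the tampering indicators described above:
a lifecycle script added to package.json and a file (bundle.js) that the
legitimate release never shipped. Sample packages are constructed in memory."""
import io
import json
import tarfile

# Hooks npm runs automatically during `npm install`; a newly added hook is the
# usual place a tampered package wires in its loader.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def build_tarball(files):
    """Build an npm-style tarball (entries under package/) from {path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name="package/" + name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def audit_npm_tarball(tarball, expected_files=None):
    """Return the lifecycle scripts found in package.json and any files that are
    not in expected_files (the file list of the last known-good release)."""
    findings = {"lifecycle_scripts": {}, "unexpected_files": [], "members": []}
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile():
                continue
            name = member.name[len("package/"):]
            findings["members"].append(name)
            if name == "package.json":
                manifest = json.loads(tar.extractfile(member).read())
                for hook, cmd in manifest.get("scripts", {}).items():
                    if hook in LIFECYCLE_HOOKS:
                        findings["lifecycle_scripts"][hook] = cmd
    if expected_files is not None:
        findings["unexpected_files"] = sorted(
            set(findings["members"]) - set(expected_files))
    return findings


def is_suspicious(findings):
    """Flag any package that gained an install-time hook or an unexpected file."""
    return bool(findings["lifecycle_scripts"]) or bool(findings["unexpected_files"])


# Constructed samples (hypothetical package "example-lib"; not a real package).
CLEAN_MANIFEST = {"name": "example-lib", "version": "1.2.3", "main": "index.js",
                  "scripts": {"test": "node test.js"}}
CLEAN_FILES = {
    "package.json": json.dumps(CLEAN_MANIFEST).encode(),
    "index.js": b"module.exports = () => 'hello';\n",
}
# The same release after tampering: a postinstall hook plus an injected bundle.js.
TAMPERED_MANIFEST = dict(CLEAN_MANIFEST,
                         scripts={"test": "node test.js",
                                  "postinstall": "node bundle.js"})
TAMPERED_FILES = {
    **CLEAN_FILES,
    "package.json": json.dumps(TAMPERED_MANIFEST).encode(),
    "bundle.js": b"/* placeholder standing in for an injected script */\n",
}

EXPECTED_FILES = set(CLEAN_FILES)        # file list of the known-good release
CLEAN_TARBALL = build_tarball(CLEAN_FILES)
TAMPERED_TARBALL = build_tarball(TAMPERED_FILES)

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_TARBALL), ("tampered", TAMPERED_TARBALL)):
        result = audit_npm_tarball(blob, EXPECTED_FILES)
        print(label, "suspicious" if is_suspicious(result) else "ok", result)
```

In practice the expected file list would come from the previously vetted version of the package (for example, the tarball already in a private registry mirror), and the audit would run before a new version is allowed into that mirror. A legitimate release can of course add files or a prepare script, so the check is a gate for manual review rather than a verdict, but it catches exactly the combination described above: a manifest that suddenly runs something at install time and a script that was not there before.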
Cybersecurity vendor SonicWall is urging customers to reset passwords and update configurations after threat actors accessed encrypted backup firewall preference files stored in the cloud. The company said that less than 5% of its customers were affected. The files, while encrypted, may contain enough metadata and configuration details to help attackers in targeting the associated firewalls.
Okta Threat Intelligence has released an analysis of a Phishing-as-a-Service (PhaaS) platform named VoidProxy. The service targets Microsoft and Google accounts and can also redirect users from third-party SSO providers like Okta to secondary phishing sites. VoidProxy uses Adversary-in-the-Middle (AitM) tactics to intercept authentication in real time, capturing credentials, MFA codes, and session tokens. This allows it to bypass common multi-factor authentication (MFA) methods such as SMS codes and authenticator app OTPs.
The US Federal Bureau of Investigation (FBI) has issued an alert warning organizations of ongoing cyberattacks targeting Salesforce environments by two threat clusters, tracked as UNC6040 and UNC6395. The groups are behind a surge in data theft and extortion campaigns aimed at major corporations worldwide.
Cybercrime group ShinyHunters is expanding its operations, targeting enterprise cloud applications using a mix of advanced tactics, according to new analysis from threat intelligence firm EclecticIQ. The group is now combining AI-driven voice phishing (vishing), supply chain compromises, and the use of insiders (such as employees or contractors) to gain direct access to corporate networks.
Popular AI chatbots are spreading false information at double the rate they did last year, according to a study from NewsGuard. The group, which tracks misinformation, says that leading AI chatbots now repeat false claims 35% of the time, up from 18% in August 2024. The study found that chatbots now often pull answers from unreliable sources, including fake news sites and social media posts. In some cases these sources are created deliberately by groups spreading propaganda, including Russian disinformation networks, and the chatbots treat them as credible.
Researchers from Cyble’s threat intelligence team have uncovered a sophisticated malware campaign spreading Maranhão Stealer, an advanced infostealer targeting users lured through websites offering pirated software, cracked game launchers, and gaming cheats.
Microsoft has disrupted a major phishing-as-a-service (PhaaS) operation known as RaccoonO365, used by cybercriminals worldwide to steal thousands of Microsoft credentials. The takedown followed a court order allowing Microsoft to seize 338 websites linked to the malicious campaign.
Finnish prosecutors have charged a second suspect, US national Daniel Lee Newhard, with aiding and abetting attempted aggravated extortion in the Vastaamo psychotherapy center hacking case. He is accused of assisting in the extortion attempt but not of targeting individual clients. This follows the conviction of the main perpetrator, Aleksanteri Kivimäki, who was sentenced to six years but recently released pending appeal.
Conor Brian Fitzpatrick, also known as ‘Pompompurin,’ was resentenced to three years in federal prison for running the notorious BreachForums marketplace for stolen data, and for possessing child sexual abuse material. This follows a court decision that overturned his original sentence of time served (17 days).
Europol has added Enrique Arias Gil, a former Spanish university professor, to its most wanted list over allegations of aiding pro-Russian hacker group NoName057(16). Arias Gil, 37, is accused of collecting intelligence on Spain’s critical infrastructure and security forces to support cyberattacks, as well as threatening journalists and business leaders backing Ukraine. He faces charges including computer damage for terrorist purposes, membership in a criminal organization, and glorifying terrorism.
UK law enforcement has arrested two teenagers, Thalha Jubair (19) and Owen Flowers (18), for their alleged roles in a cyberattack on Transport for London (TfL) in August 2024. Both are linked to the Scattered Spider hacking group. Flowers had previously been arrested and bailed in connection with the TfL incident and is now also accused of targeting US healthcare organizations. Jubair faces charges in the UK for failing to surrender device passwords, and the US Department of Justice has charged him with multiple cybercrimes, including network intrusions, extortion, and money laundering affecting at least 47 US entities between May 2022 and September 2025.
Canadian police have executed the largest cryptocurrency seizure in the country’s history, recovering over $56 million from the platform TradeOgre. The operation was led by investigators specializing in financial crime, cybercrime, and cryptocurrency. This marks the first time a cryptocurrency exchange has been dismantled by Canadian law enforcement.