
Weekly Cyber Round-up

Intelligence Report

September 18, 2025

TA415 leverages spear phishing emails to deploy WhirlCoil loader amid US-China economic talks

Proofpoint researchers observed multiple spear phishing campaigns orchestrated by the advanced persistent threat group TA415 throughout July and August 2025, targeting US government, think tank, and academic organizations with the WhirlCoil loader. TA415 impersonated the current Chair of the Select Committee on Strategic Competition between the US and China, as well as the US-China Business Council, sending emails containing United States-China economic-themed lures. The emails typically contained links to password-protected archives hosted on public cloud sharing services such as Zoho WorkDrive, Dropbox, and OpenDrive, and were sent through the Cloudflare WARP VPN service. The downloaded archive contains an LNK file designed to execute a batch script stored in a hidden subfolder while displaying a corrupt PDF hosted on OpenDrive as a decoy. The batch script executes the WhirlCoil Python loader using an embedded Python package that is bundled in the same folder as the LNK file. A scheduled task is created for persistence, running the WhirlCoil Python script every two hours. Earlier iterations of the infection chain downloaded WhirlCoil from a paste site, such as Pastebin, and the Python package from the official Python website.
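The persistence step above (a scheduled task that re-runs a Python script from the folder the archive was unpacked into every two hours) leaves a distinctive task definition. The following added example, written for this round-up and not taken from the Proofpoint report, parses exported Task Scheduler XML and flags tasks that combine a short repetition interval, a Python interpreter as the action, and a user-writable path. The two task definitions embedded in it are constructed for the demo; the path names, interval threshold and the `USER_WRITABLE` pattern are assumptions a defender would tune to their environment.

```python
"""Flag Windows Scheduled Task definitions that match the persistence
pattern in the TA415 write-up: a short repetition interval that runs a
Python interpreter from a user-writable location.
Added defender example; the sample task XML below is constructed."""
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML (what 'schtasks /query /tn <name> /xml' emits).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Locations a standard user can write to. A loader unpacked next to an LNK
# from a downloaded archive usually lives under one of these (assumption).
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)|ProgramData|Windows\\Temp)\\",
    re.IGNORECASE,
)

def iso_duration_hours(value: str) -> float:
    """Convert an ISO-8601 duration such as PT2H or PT30M to hours."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value or "")
    if not m:
        return float("inf")
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 24 + h + mi / 60 + s / 3600

def analyze_task_xml(xml_text: str, max_interval_hours: float = 4.0) -> dict:
    """Return {'suspicious': bool, 'findings': [...]} for one task definition.
    Two or more independent findings mark the task as suspicious."""
    root = ET.fromstring(xml_text)
    findings = []
    intervals = [el.text for el in root.iterfind(".//t:Repetition/t:Interval", NS)]
    short = [i for i in intervals if iso_duration_hours(i) <= max_interval_hours]
    if short:
        findings.append(f"repeats every {short[0]}")
    for exec_el in root.iterfind(".//t:Actions/t:Exec", NS):
        cmd = (exec_el.findtext("t:Command", default="", namespaces=NS) or "").strip()
        args = (exec_el.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        if re.search(r"pythonw?(?:\.exe)?$", cmd, re.IGNORECASE):
            findings.append(f"runs a Python interpreter: {cmd}")
        if USER_WRITABLE.search(f"{cmd} {args}"):
            findings.append("command or arguments reference a user-writable path")
    return {"suspicious": len(findings) >= 2, "findings": findings}

# Constructed task resembling the persistence described above (not a real IoC).
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT2H</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2025-08-01T09:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\alice\AppData\Roaming\Update\python\pythonw.exe</Command>
      <Arguments>C:\Users\alice\AppData\Roaming\Update\loader.py</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign task: daily maintenance job from a system directory.
BENIGN_TASK_XML = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2025-08-01T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>%windir%\System32\defrag.exe</Command>
      <Arguments>-c -h -o</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for label, xml_text in (("constructed-loader", SAMPLE_TASK_XML), ("benign-defrag", BENIGN_TASK_XML)):
        print(label, analyze_task_xml(xml_text))
```

To run this against a live host, export each task with `schtasks /query /tn <name> /xml` and feed the output to `analyze_task_xml`; the two-finding threshold keeps ordinary update jobs that merely repeat often, or merely run Python, from being flagged on their own.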


SEO poisoning campaign targets Chinese users with Hiddengh0st and Winos malware

In August 2025, Fortinet researchers observed a search engine optimization (SEO) poisoning attack that mimics legitimate software sites to trick Chinese-speaking users into downloading malware. Users searching on Google for tools such as DeepL Translate, Google Chrome, Signal, Telegram, WhatsApp, and WPS Office are redirected to fake sites that deliver the malware through trojanized installers. The sites distribute several types of malware, most notably Hiddengh0st and variants of Winos. The attack follows a multi-stage infection chain, beginning with a JavaScript file that downloads JSON data containing a secondary link. The secondary link points to another JSON response containing a link that redirects to the final URL of the malicious installer. The installer contains a DLL that is sideloaded and used to establish C2 communication, collect system and victim data, evaluate the victim’s environment to confirm persistence, and perform various anti-analysis checks. Persistence is achieved via the TypeLib COM hijacking technique and the creation of a Windows executable.

Shai-Hulud supply chain attack targets CrowdStrike npm packages

Socket researchers warned that multiple npm packages published by the ‘crowdstrike-publisher’ npm account were compromised as part of an ongoing supply chain attack. The compromise appears to be a continuation of the Shai-Hulud supply chain attack campaign, which recently compromised ‘tinycolor’ and more than 40 other packages. The malware, also dubbed Shai-Hulud, includes worm-like functionality that automatically updates packages published by compromised npm accounts with a malicious JavaScript file. As in previous iterations of the attack, the JavaScript is used to download and execute the TruffleHog scanner and exfiltrate sensitive data to a hardcoded webhook endpoint. The researchers previously observed almost 700 public repositories titled ‘Shai-Hulud Migration’ on GitHub, which may have been used to persist or stage a GitHub Actions workflow. The affected packages have been removed from the npm registry.
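A worm that republishes packages with an added JavaScript file only pays off if that file runs, and on a developer workstation the usual vehicle is an npm lifecycle script. The added example below, written for this round-up rather than taken from the Socket advisory, audits an installed `node_modules` tree for the two things a defender checks first after such a report: package versions on a watchlist of known-compromised releases, and packages that execute code at install time. The watchlist contents, the `9.9.9-placeholder` version string and the sample tree are all constructed for the demo; the advisory above does not list affected version numbers.

```python
"""Audit a node_modules tree for watchlisted package versions and for
packages that run code through npm lifecycle scripts at install time.
Added defender example; the watchlist and sample tree are constructed."""
import json
import tempfile
from pathlib import Path

# Constructed watchlist: package name -> affected versions. The version
# strings here are placeholders, not values from the advisory.
WATCHLIST = {"tinycolor": {"9.9.9-placeholder"}}

# npm runs these scripts during a plain 'npm install' (prepare only for
# the root package and git dependencies, but it is worth listing).
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

def audit_node_modules(root: Path) -> list[dict]:
    """Walk every package.json under root and return sorted findings."""
    findings = []
    for pkg_json in root.rglob("package.json"):
        try:
            data = json.loads(pkg_json.read_text(encoding="utf-8"))
        except (json.JSONDecodeError, OSError):
            continue  # fixtures or truncated manifests are not packages
        name, version = data.get("name"), data.get("version")
        if not name:
            continue
        reasons = []
        if version in WATCHLIST.get(name, set()):
            reasons.append("version on compromised-package watchlist")
        hooks = [h for h in INSTALL_HOOKS if h in data.get("scripts", {})]
        if hooks:
            reasons.append(f"runs lifecycle script(s) at install: {', '.join(hooks)}")
        if reasons:
            findings.append({
                "package": f"{name}@{version}",
                "path": str(pkg_json.parent),
                "reasons": reasons,
            })
    return sorted(findings, key=lambda f: f["package"])

def build_sample_tree() -> Path:
    """Create a constructed node_modules tree: one clean package, one
    watchlisted package with a postinstall hook, one native build hook."""
    root = Path(tempfile.mkdtemp()) / "node_modules"
    packages = {
        "left-pad": {"name": "left-pad", "version": "1.3.0"},
        "tinycolor": {"name": "tinycolor", "version": "9.9.9-placeholder",
                      "scripts": {"postinstall": "node setup_bundle.js"}},
        "some-lib": {"name": "some-lib", "version": "2.0.0",
                     "scripts": {"preinstall": "node-gyp rebuild"}},
    }
    for folder, manifest in packages.items():
        (root / folder).mkdir(parents=True)
        (root / folder / "package.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root

if __name__ == "__main__":
    for finding in audit_node_modules(build_sample_tree()):
        print(finding["package"], "->", "; ".join(finding["reasons"]))
```

Point `audit_node_modules` at a project's real `node_modules` to triage it; a package that is both on the watchlist and carries a postinstall hook is the case to treat as an active compromise, while a lone `node-gyp rebuild` is the normal native-build pattern and needs only a look. Installing with `npm install --ignore-scripts` in CI removes the install-time execution vector entirely, at the cost of native modules that genuinely need a build step.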

APT28 leverages PNG files to deploy Covenant framework in Operation Phantom Net Voxel

Sekoia researchers observed a campaign orchestrated by the advanced persistent threat (APT) group APT28, dubbed Operation Phantom Net Voxel, designed to deploy the BeardShell and Covenant malware frameworks. The infection chain begins with an Office document containing Visual Basic macros delivered via a private Signal chat, which ultimately leads to the deployment of BeardShell and SlimAgent. The macros drop a DLL and a PNG file on the system; steganography is used to hide shellcode in the PNG file, which loads a PE executable identified as the HTTP Grunt Stager module of the Covenant framework. Covenant and its C2Bridge functionality are used to interact with the Koofr cloud infrastructure API, upload files for reconnaissance, and download additional payloads. Two distinct accounts associated with the Office documents were discovered, revealing over 115 files and 42 unique partial GUIDs, possibly indicating multiple compromised hosts. In August 2025, the same infection chain was reused in a public cloud environment via a weaponized Excel document, confirming APT28’s intent to recycle and adapt the infection chain.

SlopAds leverages steganography to deliver over 38 million fraud payloads

HUMAN Security researchers uncovered an ad fraud and click fraud operation, dubbed SlopAds, which operates more than 224 apps that have been collectively downloaded from Google Play more than 38 million times across 228 countries and territories. The apps leverage steganography to deliver their fraud payload, with hidden WebViews used to navigate to threat actor-owned cashout sites and generate fraudulent ad impressions and clicks. The infrastructure used and many of the apps share an artificial intelligence theme. The apps are managed by several C2 servers and dedicated promotional domains, and the size of the C2 network suggests the threat actors plan to expand the operation. The C2 ultimately delivers four PNG files that hide, via digital steganography, an APK which, once decrypted and reassembled, forms the ad fraud module, FatModule. The campaign uses novel attribution and measurement tools as an obfuscation tactic: only downloads traced to a threat actor-run ad campaign lead to downstream ad and click fraud. Google has removed all the currently identified apps from the Google Play Store.

Ransomware

GOLD SALEM’s Warlock operation joins busy ransomware landscape (Sophos, Sep 17 2025)
Qilin Ransomware Gang Alleges Breach of Kenyan Political Office (TechNadu, Sep 15 2025)
Akira Ransomware in 2025: Tactics, Targets, and Trends (Threat Reports – ThreatMon, Sep 13 2025)
Yurei & The Ghost of Open Source Ransomware (Check Point Research, Sep 12 2025)
Introducing HybridPetya: Petya/NotPetya copycat with UEFI Secure Boot bypass (WeLiveSecurity, Sep 12 2025)

Financial Services

FinWise insider breach impacts 689K American First Finance customers (Bleeping Computer, Sep 15 2025)
DarkCloud infostealer attacks against financial organizations on the rise (SC Media, Sep 15 2025)
West Virginia Credit Union Notifying 187,000 People Impacted by 2023 Data Breach (SecurityWeek RSS Feed, Sep 15 2025)
Hacker Exploits $YU Token, Nets a Massive $7.7 Million Across Multiple Chains (CryptoNews.net, Sep 14 2025)
ShinyHunters Attacked Vietnam’s Financial System – CIC Data Leak (Resecurity, Sep 13 2025)

Geopolitics

Russia-Linked Hybrid Campaign Targeted 2024 Elections: Romanian Prosecutor General (The Cyber Express, Sep 17 2025)
Massive cyberattack cripples Russia’s election commission, sources (RBC Ukraine, Sep 15 2025)
Hacking Activities of Pro-Russian Cyber Crime Group Targeting Korean Companies (Threat Intelligence on Medium, Sep 15 2025)
DIGITAL FRONTLINES: INDIA UNDER MULTI-NATION HACKTIVIST ATTACK (CYFIRMA, Sep 15 2025)
Apple warns customers targeted in recent spyware attacks (Bleeping Computer, Sep 11 2025)

High Priority Vulnerabilities

Name             Software         Base Score   Temp Score
CVE-2025-21043   Devices          8.8          8.4
  Related: Samsung patches actively exploited zero-day reported by WhatsApp
CVE-2025-6202    DDR5             7.0          7.0
  Related: Phoenix Rowhammer attack bypasses protection mechanism on SK Hynix DDR5 memory chips
CVE-2025-10585   Chrome           6.3          6.0
  Related: Zero-day among high-severity flaws patched in Google Chrome
CVE-2025-5821    Case Theme User  9.8          7.1
  Related: Critical Case Theme User WordPress plugin flaw actively exploited
CVE-2025-43300   iPadOS           8.8          6.0
  Related: Apple applies fix in earlier iPhone and iPad models for exploited flaw
