APT37 targets South Korean government agencies with ROKRAT in Operation HanKook Phantom
Seqrite researchers discovered a phishing campaign, attributed to the advanced persistent threat group APT37 and dubbed Operation HanKook Phantom, targeting individuals associated with South Korea’s National Intelligence Research Society with ROKRAT. APT37 sends spearphishing emails containing a decoy National Intelligence Research Society Newsletter PDF and a malicious LNK file with embedded PowerShell scripts that extract and execute additional payloads at runtime. The additional payloads are extracted from the LNK and saved in the ‘%TEMP%’ folder alongside a decoy PDF, after which a batch script is executed to trigger the next stage. The batch file ultimately runs an embedded script in memory via Invoke-Command, leading to the fileless execution of ROKRAT via PowerShell with reflective DLL injection. Upon execution, ROKRAT fingerprints the host, checks for virtual machines, sandboxes, or analysis environments, captures screenshots, enumerates and exfiltrates files, and runs arbitrary system commands. ROKRAT also leverages cloud services such as pCloud, Yandex, and Dropbox as C2 channels. A similar campaign targeting South Korean government agencies with a memory injection loader was also observed.
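The infection chain above hinges on an LNK file that is much larger than a shortcut needs to be, because the decoy PDF and the next-stage payloads are appended after the shell-link structures and carved out at runtime. The following triage script is an added example, not code from the Seqrite report or from APT37's tooling: it walks the MS-SHLLINK structures (header, IDList, LinkInfo, StringData, ExtraData) and reports the launcher, the arguments and the size of any overlay left after the TerminalBlock. The suspicious-token list and the sample LNK are constructed assumptions for illustration, not indicators from the campaign.

```python
import struct

# LinkCLSID 00021401-0000-0000-C000-000000000046 as stored on disk (MS-SHLLINK 2.1)
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
# StringData items appear in this fixed order when their flag is set (MS-SHLLINK 2.4)
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location")]
# Assumed launcher/argument tokens worth flagging; this list is mine, not from the report
SUSPICIOUS_TOKENS = ("powershell", "cmd.exe", "mshta", "wscript", "cscript", "rundll32",
                     "-enc", "frombase64", "$env:temp", "%temp%")


def _read_string(data, off, unicode):
    """Read one StringData item: u16 character count followed by the characters."""
    (count,) = struct.unpack_from("<H", data, off)
    off += 2
    if unicode:
        text = data[off:off + count * 2].decode("utf-16-le", errors="replace")
        return text, off + count * 2
    # Non-Unicode strings use the system code page; latin-1 is an approximation here
    return data[off:off + count].decode("latin-1"), off + count


def triage_lnk(data):
    """Parse the shell-link structures and report whatever follows them (the overlay)."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        return {"valid": False}
    try:
        (flags,) = struct.unpack_from("<I", data, 20)
        off = 76
        if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize excludes its own 2 bytes
            (size,) = struct.unpack_from("<H", data, off)
            off += 2 + size
        if flags & HAS_LINK_INFO:                # LinkInfoSize includes the size field
            (size,) = struct.unpack_from("<I", data, off)
            off += size
        strings = {}
        for bit, name in STRING_FIELDS:
            if flags & bit:
                strings[name], off = _read_string(data, off, bool(flags & IS_UNICODE))
        while off + 4 <= len(data):              # ExtraData ends with a block smaller than 4 bytes
            (size,) = struct.unpack_from("<I", data, off)
            if size < 4:
                off += 4                         # TerminalBlock
                break
            off += size
    except struct.error:
        return {"valid": False, "error": "truncated structure"}
    overlay = data[off:]
    text = " ".join(strings.values()).lower()
    indicators = [t for t in SUSPICIOUS_TOKENS if t in text]
    if overlay:
        indicators.append("overlay")
    if b"%PDF" in overlay:                       # embedded decoy document
        indicators.append("embedded_pdf")
    return {"valid": True, "flags": flags, "strings": strings,
            "overlay_size": len(overlay), "indicators": indicators,
            "suspicious": bool(indicators)}


# Constructed overlay: a fake decoy PDF followed by fake next-stage bytes
SAMPLE_OVERLAY = (b"%PDF-1.4\n%constructed decoy\n" + b"\x00" * 64
                  + b"<constructed next-stage bytes>")


def build_sample_lnk():
    """Constructed LNK: powershell.exe via RelativePath, hidden-window arguments,
    a TerminalBlock, then the appended overlay. Not a sample from the campaign."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    rel = "..\\..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    args = '-windowstyle hidden -nop -c "$p=$env:TEMP; # constructed carve-and-run stub"'
    strings = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (rel, args))
    return header + strings + b"\x00" * 4 + SAMPLE_OVERLAY


if __name__ == "__main__":
    print(triage_lnk(build_sample_lnk()))
```

On a real sample, an overlay of hundreds of kilobytes behind a shortcut whose target is powershell.exe is the signal to pull the file into analysis; the decoy PDF usually sits at a fixed offset inside that overlay and is what the PowerShell stub copies to %TEMP% first.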
Google Ads campaign promotes fraudulent AppSuite PDF Editor to deliver TamperedChef
Truesec researchers observed a campaign leveraging Google Ads to promote fraudulent websites designed to lure victims into downloading and installing a trojanized PDF editor carrying information-stealing malware, dubbed TamperedChef. The ads promote multiple sites distributing a heavily obfuscated free PDF editor named ‘AppSuite PDF Editor,’ whose code shows signs of having been generated by an AI model or large language model. The campaign is believed to have started on June 26th, 2025, although AppSuite PDF Editor was first submitted to VirusTotal on May 15th, 2025. Executing the installer displays an end-user license agreement, after which the software downloads a malicious executable from a remote URL. After installation, the PDF editor makes multiple GET requests, and scheduled tasks or a registry key are set up for persistence. From August 21st, 2025, incidents involved the deployment of TamperedChef, which terminates various browsers in order to harvest sensitive data such as credentials and web cookies. The threat actor behind the campaign has been active since at least August 2024. Similarities observed between AppSuite PDF Editor and OneStart PDF Editor suggest that the same threat actor is behind both applications.
Silver Fox APT abuses vulnerable WatchDog driver to bypass detection and deliver ValleyRAT
Check Point researchers discovered an ongoing in-the-wild campaign, attributed to the Silver Fox advanced persistent threat (APT) group, abusing a previously unknown vulnerable WatchDog antimalware driver. The driver is leveraged to terminate protected processes, allowing the attackers to bypass endpoint detection and response (EDR) and antivirus solutions on fully updated Windows 10 and 11 systems. The campaign ultimately aims to deliver the ValleyRAT remote access trojan. Silver Fox employs a dual-driver approach for compatibility across multiple Windows versions, using a known vulnerable Zemana driver for legacy systems and the previously undetected WatchDog driver for modern environments. Both drivers are embedded in a single self-contained loader, which also includes anti-analysis layers and the ValleyRAT downloader. The malware is delivered via RAR archives containing either a single executable or a DLL used for sideloading, with services later established for persistence and C2 communication. The driver is Microsoft-signed, built on the Zemana Anti-Malware SDK, is not on Microsoft’s Vulnerable Driver Blocklist, and is not detected by community projects. All identified C2 servers are hosted in China. amsdk[.]sys version 1.0.600 is affected; all WatchDog products have since been updated to wamsdk[.]sys version 1.1.10.
Sindoor Dropper spearphishing campaign targets Linux systems with MeshAgent
Nextron researchers discovered a spearphishing campaign, dubbed Sindoor Dropper, leveraging .desktop files to target Linux systems. The campaign ultimately aims to deliver a MeshAgent payload, which gives the attackers full remote access to the system, including the ability to monitor activity, move laterally, obtain persistent access, and potentially exfiltrate data. Upon execution, the malicious .desktop file downloads a benign-looking decoy PDF, a corrupted decryptor, and an encrypted downloader. The decryptor is a UPX-packed Go binary whose ELF magic bytes have been stripped to evade scanning by Google Docs; it is responsible for AES decryption and execution of the payload. Once decrypted, the second-stage payload is a UPX-packed Go dropper that drops another decryptor alongside another AES-encrypted payload, with the chain ending in the deployment of MeshAgent. The technique used in the attack has been linked to APT36 and is reminiscent of Operation Sindoor.
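Stripping the four ELF magic bytes defeats scanners that key on the magic alone, but every other header field is still in place. The classifier below is an added example, not Nextron's code or the campaign's tooling: it validates the e_ident tail, e_type, e_machine and e_version, and recognises an ELF whether the magic was overwritten in place or cut off (shifting the file by four bytes); the page does not say which variant the dropper uses, so both are handled as an assumption. The e_machine subset and the "UPX!" marker check are my own heuristics, and the sample header is constructed, not a real binary.

```python
import struct

ELF_MAGIC = b"\x7fELF"
# e_machine values a Linux dropper is plausibly built for (assumed subset; extend as needed)
KNOWN_MACHINES = {0x03: "x86", 0x28: "ARM", 0x3E: "x86-64", 0xB7: "AArch64", 0xF3: "RISC-V"}
ELF_TYPES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}


def _header_after_magic(data, base):
    """Validate the ELF header fields that follow the 4-byte magic, assuming
    e_ident[EI_CLASS] sits at offset `base`. Returns parsed fields or None."""
    if len(data) < base + 20:
        return None
    ei_class, ei_data, ei_version = data[base], data[base + 1], data[base + 2]
    pad = data[base + 5:base + 12]              # EI_PAD: 7 bytes, must be zero
    if ei_class not in (1, 2) or ei_data not in (1, 2) or ei_version != 1 or pad != b"\x00" * 7:
        return None
    endian = "<" if ei_data == 1 else ">"
    e_type, e_machine, e_version = struct.unpack_from(endian + "HHI", data, base + 12)
    if e_type not in ELF_TYPES or e_version != 1 or e_machine not in KNOWN_MACHINES:
        return None
    return {"class": 32 * ei_class, "endian": "little" if ei_data == 1 else "big",
            "type": ELF_TYPES[e_type], "machine": KNOWN_MACHINES[e_machine]}


def classify_elf(data):
    """Classify a blob as a normal ELF, an ELF whose magic was overwritten in place,
    an ELF whose magic was cut off (file shifted by 4 bytes), or not an ELF at all."""
    fields = _header_after_magic(data, 4)
    if fields is not None:
        kind = "elf" if data[:4] == ELF_MAGIC else "elf_magic_overwritten"
    else:
        fields = _header_after_magic(data, 0)
        kind = "elf_magic_removed" if fields is not None else "not_elf"
    result = {"kind": kind, "upx": b"UPX!" in data}   # weak UPX hint; packers can strip the tag
    if fields:
        result.update(fields)
    return result


def restore_magic(data):
    """Return a copy with the ELF magic put back so standard tooling (readelf, upx -d) can parse it."""
    kind = classify_elf(data)["kind"]
    if kind == "elf_magic_overwritten":
        return ELF_MAGIC + data[4:]
    if kind == "elf_magic_removed":
        return ELF_MAGIC + data
    return data


def build_sample_elf():
    """Constructed 64-byte ELF64 little-endian x86-64 EXEC header plus a fake UPX
    marker; only the header fields the classifier inspects are meaningful."""
    e_ident = ELF_MAGIC + bytes([2, 1, 1, 0, 0]) + b"\x00" * 7
    rest = struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0x401000, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    return e_ident + rest + b"UPX!" + b"\x00" * 60


if __name__ == "__main__":
    sample = build_sample_elf()
    for label, blob in (("intact", sample), ("zeroed", b"\x00" * 4 + sample[4:]),
                        ("cut", sample[4:]), ("pdf", b"%PDF-1.4 " + b"\x00" * 100)):
        print(label, classify_elf(blob))
```

When a download hits a mail gateway or a YARA pass, running this before the magic-based file-type check catches the headerless variant; restore_magic then gives the analyst a file that readelf and upx -d accept.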
Trojanised ScreenConnect installers used to deploy AsyncRAT, PureHVNC RAT, and custom RAT
Since March 2025, Acronis researchers have observed an increase in attacks leveraging trojanized ScreenConnect installers to gain initial access to United States-based organizations and deploy remote access trojans (RATs). Recent campaigns have used smaller ClickOnce runner installers, which are more evasive than the full installers and give the attacker full control over the device. The attacks likely begin with a social engineering campaign that lures victims into downloading a malicious executable carrying a double extension so that it appears to be a PDF document, when it is actually a ClickOnce installer. Upon execution, the installer launches ScreenConnect, which connects the victim machine to the attacker’s C2 server and drops two payloads during the installation process. The first payload is AsyncRAT, while the second is a custom RAT with basic functionality. Two weeks after the initial compromise, the attackers leveraged their ScreenConnect access to deploy a new version of AsyncRAT using a revamped infection chain. Several weeks after the deployment of the updated AsyncRAT, the attackers leveraged Windows Management Instrumentation (WMI) to deploy PureHVNC RAT. Domains related to the ScreenConnect installers were also observed in connection with XWorm and DCRat.
Ransomware
Ransomware Attack on Pennsylvania’s AG Office Disrupts Court Cases – Infosecurity Today – Sep 01 2025
A Tale of Two Ransomware-as-a-Service Threat Groups – Trustwave Blog – Aug 28 2025
Nevada Confirms Ransomware Attack, State Data Stolen – Infosecurity Today – Aug 28 2025
Taiwanese associated with Chinese group behind cyberattacks arrested – DataBreaches.net – Aug 28 2025
Kaspersky reports the return of ransomware group OldGremlin – MENews247.com – Aug 28 2025
Financial Services
Hackers find new way to hide malware in Ethereum smart contracts – Cointelegraph – Sep 04 2025
Advanced Cryptojacking Campaign Uses Obfuscated AutoIt Loader to Deliver NBMiner – TechNadu – Sep 03 2025
PayPal users targeted in account profile scam – Malwarebytes Labs Blog – Sep 03 2025
Hackers breach fintech firm in attempted $130M bank heist – Bleeping Computer – Sep 02 2025
Lazarus Subgroup Deploys Three Advanced RATs in Cryptocurrency and Financial Sector Attacks – TechNadu – Sep 02 2025
Geopolitics
Kremlin bot network Matryoshka spreads first fake video made with Luma AI mocking Moldova’s President Maia Sandu – EUROPE SAYS – Aug 31 2025
Amazon disrupts watering hole campaign by Russia’s APT29 – AWS Security Blog – Aug 29 2025
Malicious Campaign Targeting Diplomatic Assets by the Iranian Ministry of Intelligence and Security – Threat Reports, Dream Security – Aug 29 2025
Chinese hack group targets Dutch internet providers, intelligence agencies confirm – NL Times – Aug 28 2025
One Step Ahead: Stark Industries Solutions Preempts EU Sanctions – Threat Reports, Insikt Group – Aug 27 2025
High Priority Vulnerabilities
CVE | Software | CVSS Base Score | CVSS Temporal Score | Related coverage
---|---|---|---|---
CVE-2025-38352 | Linux Kernel | 7.4 | 4.4 | Google addresses actively exploited flaws impacting Android devices
CVE-2020-24363 | TP-Link TL-WA855RE V5 | 8.8 | 7.1 | TP-Link and WhatsApp flaws actively exploited
CVE-2025-53690 | Sitecore Experience Platform | 5.6 | 5.6 | Zero-day flaw in Sitecore products exploited for remote code execution
CVE-2025-9377 | TP-Link TL-WR841N-ND V9 | 7.2 | 6.9 | Multiple flaws in TP-Link routers actively exploited
CVE-2025-5086 | Dassault Systèmes DELMIA Apriso | 10.0 | 9.8 | Critical flaw in Dassault Systèmes DELMIA Apriso actively exploited