Skip to main content Skip to footer 
Phishing campaign leveraging SVG files targets Ukraine with CountLoader, Amatera and PureMiner
Fortinet researchers observed an email phishing campaign impersonating the National Police of Ukraine and leveraging SVG files to deliver malware against targeted Ukrainian systems. Once opened, the SVG attachments initiate the download of a password-protected archive under the guise of an Adobe Reader interface, which contains a Compiled HTML Help file, triggering an infection chain via CountLoader to ultimately install Amatera Stealer and PureMiner. Amatera Stealer and PureMiner are executed via .NET Ahead-of-Time compilation with process hollowing or loaded directly into memory via PythonMemoryModule. When executed, Amatera creates a mutex with hardcoded values before connecting to a remote server and issuing GET requests to obtain a configuration file. The stealer gathers system information, Gecko-based application related files, Chromium-based application files, desktop wallets, and more. A more recent campaign only delivered Amatera and featured stronger obfuscation techniques during the delivery stage.
Smishing campaign exploits cellular router APIs to target Europe
Since July 22nd, 2025, Sekoia researchers have observed the exploitation of a cellular router’s API to send smishing messages, with Belgium being the most likely target. The phishing URLs typosquat well-known Belgian government platforms, namely CSAM and eBox, with messages written in both Dutch and French. The campaign likely specifically targets Milesight industrial cellular routers, with over 19,000 routers exposed online and at least 572 potentially vulnerable, nearly half of which are located in Europe. Honeypot logs revealed that the attackers use an authentication cookie to gain access to router APIs, suggesting they have valid credentials. The credentials may have been obtained through CVE-2023-43261, which affects several Milesight routers, however misconfigurations may also have been used to access the SMS router API and send smishing messages. Most vulnerable routers are running outdated firmware, with versions 32.2.x.x and 32.3.x.x the most observed, though two devices were identified as running more recent versions, specifically 41.0.0.2 and 41.0.0.3. The campaign has been active since at least February 2022, with campaigns targeting France, Sweden, Italy, Singapore, Norway, Portugal, and Hungary also observed.
TradingView malvertising campaign migrates to Google Ads and YouTube
Bitdefender researchers observed a malicious campaign initially leveraging Facebook Ads to provide ‘free access’ to TradingView Premium and other trading or financial platforms now leveraging YouTube and Google Ads for distribution. The threat actors have hijacked the Google advertiser account associated with a Norwegian design agency, with the actors separately hijacking a YouTube account to direct victims via the Google Ads system. The channel posts unlisted videos featuring a link that redirects victims to pages designed to download malware or harvest credentials. The malware distributed in the campaign features similarities to that distributed in previous instances, with the new sample communicating via WebSocket on port 30000 and the ‘/config’ route. The initial downloader is custom-built to resist detection analysis and uses techniques consistent with past infostealer campaigns. The malware uses PostHog for user tracking and establishes persistence by creating a Scheduled Task, enabling it to add Windows Defender exclusions and ultimately download and execute JSCEAL.
GuLoader campaign targets businesses in French speaking countries with MassLogger
Symantec researchers observed a new GuLoader campaign in which threat actors are impersonating a well-known hospitality and luxury resort/events group in Morocco in an attempt to deploy the MassLogger stealer. The campaign sends fraudulent quotation request emails that contain a malicious BZ archive containing a VBS script. Upon execution, the script initiates the GuLoader infection chain, ultimately leading to the installation of MassLogger. The campaign primarily targets organizations across French-speaking countries, including France, Morocco, Tunisia, Belgium, and Madagascar, with additional activity observed against entities in broader Europe and beyond. The campaign targets multiple sectors, including finance and banking, insurance, automotive manufacturing and distribution, industrial equipment and engineering, and more.
Phantom Taurus targets critical organizations using NET-STAR malware suite
Palo Alto Networks Unit 42 researchers detailed the recent activity of the China-nexus advanced persistent threat actor, Phantom Taurus, which has been observed targeting government and telecommunication organizations across Africa, the Middle East, and Asia for the past two and a half years. Phantom Taurus’ main focus includes ministries of foreign affairs, embassies, geopolitical events, and military operations, with espionage the primary objective. Phantom Taurus has recently shifted from email server compromise to the direct targeting of databases, with the group observed leveraging Windows Management Instrumentation to execute a batch script on remote SQL servers to search for documents related to countries such as Afghanistan and Pakistan. The group has also been observed using a new .NET malware suite, dubbed NET-STAR, to target IIS web servers. The suite consists of three web-based backdoors, including IIServerCore that supports in-memory execution of command-line arguments, arbitrary commands, and payloads, AssemblyExecuter V1, which loads and executes .NET payloads in memory, and AssemblyExecuter V2, which is equipped with Antimalware Scan Interface and Event Tracing for Windows bypass capabilities. The use of common tools such as China Chopper, the Potato suite, and Impacket, as well as customized tools like Specter malware has also been observed.
Ransomware
Clop extortion emails claim theft of Oracle E-Business Suite dataBleeping Computer – Oct 02 2025Akira Ransomware Group Claims Eleven New VictimsDaily Dark Web – Sep 30 2025New LockBit 5.0 Targets Windows, Linux, ESXi Trend Micro Simply Security – Sep 25 2025Ransom Tales: Volume IV – Emulating Rhysida, Charon and Dire Wolf RansomwareSecurity Boulevard – Sep 25 2025Where Are my Keys?! Ransomware Group Steals AWS Keys to AdvanceVaronis Blog – Sep 25 2025
Financial Services
New Android Banking Trojan “Klopatra” Uses Hidden VNC to Control Infected SmartphonesThe Hacker News – Oct 01 2025Datzbro: RAT Hiding Behind Senior Travel ScamsThreat Fabric Blog – Sep 30 2025UK convicts “Bitcoin Queen” in world’s largest cryptocurrency seizureBleeping Computer – Sep 29 2025273,000 Indian Bank Transfer Records Exposed in National Automated Clearing House Cloud Server LeakTechNadu – Sep 26 2025Ukrainian cyber experts cripple Russia’s fast payment banking system – sourceUkrayinska Pravda – Sep 25 2025
Geopolitics
Ukraine Warns of CABINETRAT Backdoor + XLL Add-ins Spread via Signal ZIPsThe Hacker News – Oct 01 2025Moldova Election Hit by Cyberattacks Amid Political Tensions, Blocking 4,000 Vote-Related WebsitesTechNadu – Sep 29 2025Anonymous TikTok accounts backing radical parties before Czech vote, study findsReuters – Sep 28 2025Two Dutch teens arrested in rare Russian espionage caseNL Times – Sep 26 2025Iran Claims Major Leak of Israeli Nuclear Program DataDaily Dark Web – Sep 25 2025
High Priority Vulnerabilities
| Name | Software | Base Score | Temp Score | |
|---|---|---|---|---|
| CVE-2025-20333 | Firepower Threat Defense | 9.9 | 8.4 | |
| Related: RayInitiator and LINE VIPER used in zero-day attacks on Cisco ASA firewalls | ||||
| CVE-2025-41244 | Telco Cloud Infrastructure | 7.8 | 7.5 | |
| Related: You name it, VMware elevates it (CVE-2025-41244) | ||||
| CVE-2025-56383 | Notepad++ | 8.4 | 6.8 | |
| Related: PoC exploit published for zero-day DLL hijacking flaw in Notepad++ | ||||
| CVE-2025-10035 | GoAnywhere MFT | 10.0 | 9.8 | |
| Related: Critical Fortra GoAnywhere flaw exploited in the wild prior to disclosure | ||||
| CVE-2021-21311 | Adminer | 7.3 | 7.0 | |
| Related: High-severity Adminer SSRF flaw among actively exploited vulnerabilities | ||||