The Good
There’s some good news on the cybersecurity front as global efforts to combat online crime and strengthen defenses are showing results. Interpol’s Operation Contender 3.0 led to the arrest of 260 suspects across 14 African nations, dismantling romance scam and sextortion networks that had defrauded nearly 1,500 victims of $2.8 million. Meanwhile, European law enforcement shut down a major cryptocurrency fraud ring responsible for over €100 million ($118 million) in losses, freezing assets and arresting five suspects behind sophisticated investment scams that had targeted victims in 23 countries since 2018. On another positive note, CISA unveiled its new "Quality Era" for the CVE program, shifting focus toward stronger standards, automation, and international collaboration to improve vulnerability management.
- Interpol's Operation Contender 3.0 arrested 260 suspects across 14 African countries, targeting romance scams and sextortion networks. Losses amounted to $2.8 million, affecting nearly 1,500 victims. Authorities seized devices, fake profiles, forged documents, and dismantled 81 cybercrime infrastructure networks during the operation. Ghana arrested 68 suspects, seized 835 devices, identified 108 victims, and recovered $70,000 out of $450,000 in losses. Senegal arrested 22 suspects who defrauded 120 victims of $34,000 on social media and dating platforms.
- Law enforcement agencies in Europe have successfully dismantled a cryptocurrency fraud ring responsible for over €100 million ($118 million) in losses affecting more than 100 victims. This operation, which began in September 2020, involved coordinated efforts from investigative teams across Spain, Portugal, Bulgaria, Italy, Lithuania, and Romania, with support from Eurojust and Europol. Five suspects were arrested during simultaneous searches in multiple countries, where bank accounts and financial assets linked to the fraud were frozen. The main perpetrator had been promising high returns on investments through sophisticated online platforms, diverting funds into accounts under their control. This extensive fraud scheme has been active since at least 2018, targeting investors across 23 countries and leaving many victims with significant financial losses.
- An international law enforcement initiative, Operation HAECHI VI, led to the recovery of $439 million in cash and cryptocurrency assets from global cybercrime operations. Conducted between April and August 2025, the operation involved authorities from 40 countries and targeted a wide range of cyber-enabled financial crimes. In total, 68,000 bank accounts were blocked and 400 cryptocurrency wallets were frozen, contributing to the recovery of $16 million in illicit crypto profits. These were part of the $97 million in physical and virtual assets recovered, alongside $342 million in government-backed currencies.
- The Royal Canadian Mounted Police (RCMP) shut down the TradeOgre cryptocurrency exchange and seized over $40 million, marking the largest asset seizure in Canadian history. The Money Laundering Investigative Team (MLIT) began investigating TradeOgre in June 2024 after a Europol tip, leading to the platform’s shutdown by July 2024. RCMP confirmed the platform operated illegally, failing to register with FINTRAC and allowing cybercriminals to launder money due to its anonymity.
- Microsoft and Cloudflare have successfully disrupted the RaccoonO365 phishing service, which has been used by cybercriminals to steal Microsoft 365 credentials from thousands of users worldwide. Operating under a phishing-as-a-service model, RaccoonO365 generated significant revenue, with estimates of at least $100,000 earned in cryptocurrency. The service targeted various sectors, including healthcare, prompting Microsoft to file a lawsuit in partnership with Health-ISAC due to the risks posed to public safety. In a coordinated effort, Microsoft’s Digital Crimes Unit seized over 330 domains linked to the operation, while Cloudflare banned associated domains and removed malicious scripts.
- Brazil has enacted a groundbreaking law mandating online age verification and stringent privacy protections for children and adolescents. Signed by President Luiz Inácio Lula da Silva, the Digital ECA requires digital service providers to implement reliable age verification methods, moving away from self-declaration. The law aims to prevent minors from accessing harmful content, including violence and sexual exploitation, and prohibits the processing of children's personal data for targeted advertising. Additionally, it mandates parental supervision tools to help adults manage their children's online activities. Set to take effect in March 2026, this legislation positions Brazil as the first country in Latin America to establish dedicated protections for children's online privacy and safety.
- CISA has released a strategic document, CVE Quality for a Cyber Secure Future, outlining its commitment to the CVE program, emphasizing the need for public maintenance and vendor neutrality. This initiative, termed the "Quality Era," aims to enhance the program's leadership and funding mechanisms while encouraging broader multi-sector engagement. Key priorities include modernizing CVE operations through improved automation, API support, and data quality standards. The roadmap also focuses on enhancing transparency and communication within the CVE ecosystem. CISA intends to leverage partnerships with international organizations and various stakeholders to ensure comprehensive representation and collaboration, marking a significant transition from the previous "Growth Era" to a more quality-focused approach in vulnerability management.
- California has passed a bill mandating web browsers to include a feature that allows consumers to automatically opt out of data sharing with third parties. This legislation builds on the California Consumer Privacy Act, which grants consumers the right to send opt-out preference signals. The law will require browsers to enable users to send opt-out requests to every website they visit.
- In a significant collaboration, cybersecurity and intelligence agencies from 15 countries have released joint guidance on Software Bills of Materials (SBOMs) to enhance global supply chain security. The document outlines essential definitions, the value of SBOMs, and implementation strategies, emphasizing the need for transparency in software components. It identifies the roles of SBOM producers and end-users while encouraging widespread adoption across sectors. The guidance reflects a growing international consensus on the importance of software transparency, with notable support from agencies such as CISA and the NSA. Signatories include organizations from Australia, Canada, Japan, and several European nations, marking a pivotal step toward improving software security through enhanced visibility and collaboration.
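The practical value of an SBOM is that a consumer can match the components it lists against advisory data and spot the gaps that make matching impossible. The following is an added example, not code from the joint guidance or from any SBOM tool: it parses a constructed CycloneDX-style JSON document, checks each component's package URL against a constructed, placeholder advisory list, and reports components whose version is missing (a data-quality problem the guidance's transparency goal depends on). The SBOM content, the package names and the "affected" versions are all made up for illustration.

```python
import json
from typing import Dict, List, Optional, Set, Tuple

# Constructed, minimal CycloneDX-style SBOM for illustration (not a real project's SBOM).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0"},
        {"type": "library", "name": "examplelib", "version": "2.0.1",
         "purl": "pkg:npm/examplelib@2.0.1"},
        # A component with no version at all: a common SBOM quality gap
        {"type": "library", "name": "untracked", "purl": "pkg:npm/untracked"},
    ],
})

# Constructed advisory data keyed by version-less purl (placeholder, not a real advisory).
AFFECTED: Dict[str, Set[str]] = {"pkg:npm/examplelib": {"2.0.0", "2.0.1"}}


def split_purl(purl: str) -> Tuple[str, Optional[str]]:
    """Split a package URL into (base, version), dropping qualifiers and subpath."""
    core = purl.split("?", 1)[0].split("#", 1)[0]
    if "@" in core:
        base, version = core.rsplit("@", 1)
        # An '@' inside a path segment (scoped name) is not a version separator
        if "/" not in version:
            return base, version
    return core, None


def parse_sbom(text: str) -> List[Dict]:
    """Return the component list of a CycloneDX JSON document (empty if absent)."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return list(doc.get("components") or [])


def find_affected(components: List[Dict], affected: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Components whose (purl base, version) pair appears in the advisory data."""
    hits = []
    for comp in components:
        purl = comp.get("purl")
        if not purl:
            continue
        base, version = split_purl(purl)
        version = version or comp.get("version")  # fall back to the version field
        if version and version in affected.get(base, set()):
            hits.append((comp.get("name", base), version))
    return hits


def find_unversioned(components: List[Dict]) -> List[str]:
    """Components whose version cannot be determined from either the purl or the version field."""
    out = []
    for comp in components:
        _, v = split_purl(comp.get("purl", ""))
        if not (v or comp.get("version")):
            out.append(comp.get("name", "?"))
    return out


if __name__ == "__main__":
    comps = parse_sbom(SAMPLE_SBOM)
    print("affected:", find_affected(comps, AFFECTED))
    print("unversioned:", find_unversioned(comps))
```

The unversioned check matters as much as the match: a component that cannot be matched against advisories is exactly the blind spot that SBOM adoption is meant to remove, so a consumer should treat it as a finding rather than silently skipping it.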
- ISC2 introduced the Threat Handling Foundations Certificate to enhance Digital Forensics and Incident Response (DFIR) skills amid increasing cybersecurity incidents and breaches. The certificate includes four courses covering DFIR program building, digital forensics foundations, incident management, and network threat hunting. Topics include security program management, evidence handling, communication, security operations, and distinguishing between incidents and breaches. The program addresses challenges like visibility issues, vulnerability patching, and supply chain risks, while teaching evaluation of emerging tools and technologies.
The Bad
Researchers have uncovered a new cross-platform malware, XiebroC2, targeting poorly secured MS-SQL servers by exploiting weak credentials and leveraging tools like JuicyPotato for privilege escalation. Once deployed via PowerShell, XiebroC2 enables remote control, reverse shell, proxying, file theft, and even screenshot capture, giving attackers broad surveillance and control capabilities. At the same time, phishing campaigns impersonating Ukrainian government agencies are spreading malicious SVG files that drop password-protected archives, leading to the deployment of Amatera Stealer and PureMiner. Adding to the concerns, the Akira ransomware gang is actively exploiting CVE-2024-40766, a critical vulnerability in SonicWall SSL VPN devices, despite patches being available since August 2024. The flaw, tied to compromised credentials on unpatched endpoints, has already been linked to at least 40 security incidents, prompting urgent warnings from authorities.
- Researchers have identified malware named XiebroC2 in attacks targeting poorly managed MS-SQL servers, which uses open-source code for information collection, remote control, and defense evasion. Threat actors exploit vulnerable credentials in exposed MS-SQL servers, using tools like JuicyPotato for privilege escalation and installing XiebroC2 via PowerShell. XiebroC2 is a cross-platform C2 framework written in Go, capable of remote control, reverse shell, file management, network monitoring, reverse proxy, and screenshot capture. The malware collects system information and connects to a C&C server to execute commands.
- Phishing emails impersonate Ukrainian government agencies to deliver malware via malicious SVG files. The SVG files lead victims to download password-protected archives containing Compiled HTML Help (CHM) files that execute malicious actions. Amatera Stealer and PureMiner are deployed as fileless threats using .NET AOT compilation and PythonMemoryModule. Amatera Stealer collects extensive system, browser, and application data, including credentials, clipboard contents, and cryptocurrency wallet information. PureMiner gathers hardware information and deploys cryptomining modules based on system specifications. The malware uses obfuscation techniques, such as string encoding and array shuffling, to evade detection.
- A malvertising campaign uses a weaponized Microsoft Teams installer to distribute Oyster malware, combining SEO poisoning, certificate abuse, and living-off-the-land techniques to bypass traditional security measures. The attack chain redirects victims searching for Teams downloads through malicious sites, leveraging domains with valid but short-lived SSL certificates hosted on trusted Cloudflare infrastructure. The malicious installer (MSTeamsSetup.exe) is signed with legitimate short-lived certificates, a tactic to evade detection and complicate revocation. The payload, Oyster malware, enables persistent access, data exfiltration, and potential ransomware deployment while using legitimate Windows utilities to avoid detection.
- A China-linked cyber-espionage group, UNC5221, is exploiting network appliances that lack traditional EDR support to deploy a sophisticated backdoor called Brickstorm. Brickstorm mimics legitimate software, employs unique C2 servers per victim, and enables long-term stealth, with attackers persisting undetected for an average of 393 days. UNC5221 targets organizations like SaaS providers, tech companies, and BPOs, often exploiting both known and zero-day vulnerabilities in Linux and BSD-based systems. The malware is cross-platform, written in Go, and includes advanced features like SOCKS proxy functionality and delayed activation timers for stealth. Brickstorm uses obfuscation tools like Garble and dynamic domains for C2 servers, making detection and tracking difficult.
- Cisco ASA firewalls have been compromised by state-sponsored attackers exploiting recently disclosed zero-day vulnerabilities, CVE-2025-20362 and CVE-2025-20333. These attacks have led to the deployment of advanced malware known as RayInitiator and LINE VIPER, which utilize sophisticated techniques to evade detection, including disabling logging and intercepting commands. The threat actors, linked to a suspected China-based group, UAT4356, have targeted government agencies since May. The malware is designed to maintain persistence by modifying firmware and can execute commands, exfiltrate data, and bypass security measures. Additionally, a third critical vulnerability, CVE-2025-20363, has been identified but remains unexploited in the wild.
- Threat actors from the Lone None group are leveraging copyright takedown notices to distribute sophisticated malware, including Pure Logs Stealer and the newly identified Lone None Stealer. This campaign begins with spoofed emails that appear to come from legitimate legal firms, referencing real social media accounts to enhance credibility. The malware is delivered through obfuscated Python installers and malicious attachments disguised as legitimate applications. Lone None Stealer specifically targets cryptocurrency transactions by monitoring clipboard activity and replacing copied wallet addresses with those controlled by attackers. The campaign employs a novel C2 mechanism using Telegram bots, with payloads featuring multiple layers of obfuscation to evade detection.
- Nimbus Manticore, an Iranian APT group, is executing a sophisticated malware campaign targeting defense, telecommunications, and aerospace sectors in Europe. Utilizing advanced spear-phishing techniques, the group impersonates HR recruiters through fake job portals, delivering malware via multi-stage DLL sideloading. Their main tools, the MiniJunk backdoor and MiniBrowse stealer, are designed to evade detection through heavy obfuscation and legitimate digital signatures. The infection chain begins with phishing links leading to malicious archives disguised as hiring-related software. The malware exploits low-level Windows APIs to manipulate DLL search paths, ensuring stealthy execution.
- A recent patch for the Steam game BlockBlasters has been found to contain malware that steals sensitive user information, including crypto wallet data. This malicious update bypassed security measures and has potentially affected hundreds of players. The patch includes a trojan batch file that collects various data points such as IP addresses and Steam login credentials, uploading them to a C2 server. Additionally, the malware unpacks hidden executables that disable Microsoft Defender scans and execute further malicious payloads. The infection has drawn significant attention, particularly after a live streaming incident where a user was infected during a charity event.
- North Korean hackers are increasingly using ClickFix-style lures to deliver malware such as BeaverTail and InvisibleFerret, primarily targeting marketing and trading roles in the cryptocurrency and retail sectors. This marks a shift from their traditional focus on software developers. The malware is distributed through fake hiring platforms that entice victims with job offers, leading them to download malicious software under the guise of technical assessments. Recent campaigns have also employed deepfake technology and trusted platforms like GitHub to enhance their tactics. Additionally, the Kimsuky group has been observed using phishing techniques involving forged military IDs to compromise individuals associated with South Korean defense.
- A recent FileFix campaign has emerged, utilizing steganography to conceal malicious PowerShell scripts and encrypted executables within JPG images. This attack encourages victims to paste harmful commands into a file upload interface, triggering an obfuscated PowerShell chain that extracts payloads from the images. Notably, this iteration of the campaign deviates from earlier proof of concept versions by employing multilingual phishing pages and extensive JavaScript minification, enhancing its deceptive tactics. The phishing site mimics a Meta support page, pressuring users into executing commands disguised as file paths. The infection chain begins with a PowerShell one-liner that downloads an image from BitBucket, ultimately leading to the deployment of StealC, an infostealer capable of harvesting sensitive data from various applications and services.
- Two malicious Python packages, "sisaws" and "secmeasure," were found in the PyPI repository, delivering the SilentSync RAT targeting Windows systems. SilentSync is capable of executing remote commands, exfiltrating files, and stealing browser data, including credentials and cookies from popular web browsers, and communicates with a C2 server via a REST API. The "sisaws" package masquerades as a tool for interfacing with Argentina's healthcare APIs but contains a backdoor that downloads malware using hardcoded tokens. Similarly, "secmeasure" claims to provide string manipulation functions while primarily serving as a malware distributor.
- The Akira ransomware gang is exploiting CVE-2024-40766, a critical vulnerability in SonicWall SSL VPN devices, to gain unauthorized access to networks via unpatched endpoints. SonicWall released a patch for CVE-2024-40766 in August 2024 but emphasized that password resets are necessary to prevent exploitation of exposed credentials. Akira ransomware began exploiting this vulnerability in September 2024, with recent activity prompting warnings from the ACSC. SonicWall clarified that the recent activity is linked to CVE-2024-40766 and not a zero-day vulnerability, with investigations into 40 related security incidents.
- A malicious Chrome extension campaign is targeting Meta (Facebook/Instagram) advertisers by masquerading as a legitimate AI-driven ad optimization tool called Madgicx Plus. This extension, promoted as a productivity enhancer, actually functions as malware capable of hijacking business sessions and stealing credentials. The campaign utilizes a network of professionally crafted domains, some previously linked to other malicious activities, to distribute the compromised extension. It captures Google account details before prompting users to connect their Facebook accounts, thereby broadening its access to valuable advertising assets. The reuse of infrastructure and domains indicates that this campaign is an evolution of prior malicious efforts rather than isolated incidents.
- North Korea–backed Kimsuky has been observed exploiting GitHub repositories for malware delivery and data exfiltration. They utilize malicious LNK files that execute PowerShell scripts to download additional payloads from private GitHub repositories. These scripts, which include hardcoded GitHub Private Tokens, gather system metadata such as boot time, OS configuration, and running processes, subsequently uploading this information to attacker-controlled repositories. The malware establishes persistence by creating scheduled tasks that enable the execution of updated scripts at regular intervals. Investigations have linked Kimsuky to nine private repositories containing exfiltrated logs, decoy documents, and files resembling payment reminders.
New Threats
Researchers have uncovered three emerging threats in the wild. Datzbro, a new Android banking trojan, is tricking elderly users with AI-generated Facebook travel scams that deliver malicious APKs disguised as community apps. Once installed, it exploits Android accessibility services, Zombinder, and overlay attacks to enable remote control, keylogging, and financial fraud. Klopatra, a highly sophisticated Android malware linked to a Turkish-speaking group, is targeting banks and users in Europe—especially Spain and Italy—using advanced evasion layers like Virbox, native code integration, Hidden VNC, and overlays for credential theft. Meanwhile, ShadowV2 marks a dangerous evolution of botnet operations: a DDoS-as-a-Service platform abusing misconfigured Docker containers and GitHub CodeSpaces to let customers self-manage modular attacks, propagating across cloud environments via Go-based malware and a Python-driven infection chain.
- A new Android banking trojan named Datzbro targets elderly users through AI-generated Facebook travel event scams, leading to device takeover and financial fraud. Victims are tricked into downloading malicious APK files from fake websites claiming to offer community applications for event registration and activity tracking. The trojan uses advanced techniques like Zombinder to bypass Android security, deploying malware or droppers to target devices. Datzbro's capabilities include remote control, overlay attacks, keylogging, and exploiting Android accessibility services for financial theft.
- Klopatra is a newly discovered, highly sophisticated Android banking malware with advanced evasion techniques and powerful fraud capabilities. Developed by a Turkish-speaking criminal group, it targets financial institutions and users in Europe, particularly Spain and Italy, using techniques like Hidden VNC and overlay attacks for credential theft. The malware represents a significant evolution in mobile threats, employing commercial-grade protections like Virbox and native code integration to evade detection.
- Olymp Loader, a new Malware-as-a-Service (MaaS) platform written in Assembly, is gaining traction for its ability to bypass modern antivirus engines and machine-learning heuristics. The malware features a modular architecture with credential stealers, crypters, privilege escalation mechanisms, and deep XOR encryption for payloads. Pricing tiers for Olymp Loader range from $50 for a basic stub to $200 for customized injection services, all including advanced features like Defender bypass and automatic certificate signing. Olymp Loader disguises itself as legitimate software (e.g., Node.js executables, fake installers for OpenSSL, Zoom, PuTTY, etc.) using official icons and certificates to deceive victims.
- North Korean hackers associated with the Contagious Interview campaign are using a new backdoor called AkdoorTea to target cryptocurrency and Web3 developers across various operating systems. This campaign involves impersonating recruiters to lure victims with fake job offers on platforms like LinkedIn, leading them to install malware through deceptive video assessments or GitHub projects. Key tools employed include BeaverTail, InvisibleFerret, and TsunamiKit, which facilitate data exfiltration and cryptocurrency theft. The sophisticated malware Tropidoor, linked to the Lazarus Group, enhances stealth capabilities for file manipulation and monitoring.
- Zscaler ThreatLabz identified a multi-stage ClickFix campaign linked to the Russia-based APT group COLDRIVER, targeting members of Russian civil society and Western organizations. This campaign utilizes social engineering techniques, tricking users into executing malicious commands through a fake CAPTCHA interface. The infection chain begins with BAITSWITCH, a downloader that establishes persistence and retrieves payloads to deploy SIMPLEFIX, a PowerShell-based backdoor. BAITSWITCH communicates with a C2 server using a specific user-agent and executes commands via PowerShell. SIMPLEFIX supports various reconnaissance commands, allowing the threat actor to gather information about the victim's system.
- Cisco has released patches for 14 vulnerabilities in its IOS and IOS XE software, including a critical zero-day flaw, CVE-2025-20352, which is being actively exploited. This vulnerability allows remote attackers with administrative privileges to execute arbitrary code as the root user by exploiting a stack overflow in the Simple Network Management Protocol (SNMP) subsystem. All devices running vulnerable versions of IOS and IOS XE, along with certain Meraki and Catalyst switches, are affected. The updates also address additional high-severity vulnerabilities that could result in denial-of-service conditions, command execution with root privileges, and authentication bypass, among other risks.
- Cisco Talos has identified a sophisticated malware campaign that has been active since 2022, utilizing DLL search order hijacking to deploy a new variant of PlugX, which shares characteristics with the RainyDay and Turian backdoors. This operation primarily targets telecommunications and manufacturing sectors across Central and South Asia, revealing a convergence of functionalities and infrastructure among the Naikon and BackdoorDiplomacy groups. Analysts discovered that the malware families employ the same XOR-RC4-RtlDecompressBuffer decryption algorithm and identical RC4 keys, indicating a shared cryptographic toolkit. The campaign's initial infection typically begins with a malicious document or email, leading to the execution of a legitimate binary vulnerable to DLL hijacking.
- ShadowV2 is a newly identified DDoS-as-a-Service botnet that enables customers to self-manage DDoS attacks. It leverages misconfigured Docker containers and a Python-based C2 infrastructure hosted on GitHub CodeSpaces. The platform represents a shift from traditional botnet operations by offering a modular, user-driven attack interface. The ShadowV2 operation was observed targeting Docker daemons exposed on AWS cloud instances. The attackers deploy a generic setup container, install tools, and create a customized image for live deployment. The infection chain begins with a Python script hosted on GitHub CodeSpaces, which interacts with Docker to spawn containers. These containers act as wrappers for the Go-based malware, enabling the botnet to propagate across cloud environments.
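The entry point for ShadowV2 is a Docker daemon that answers on the network, so the defensive check is to confirm the daemon only listens on the local Unix socket, or on TCP with TLS. The following is an added example, not ShadowV2 tooling or Docker's own code: it reads the host list from a daemon.json fragment and from a systemd ExecStart line (both constructed here) and grades each TCP listener. It assumes the standard dockerd options ("hosts", "tls" and "tlsverify" in daemon.json; -H/--host, --tls and --tlsverify on the command line) and does not touch the network.

```python
import json
import shlex
from typing import List, Tuple

# Constructed configuration fragments (not from any real host).
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"], "tls": false}'
SAMPLE_EXECSTART = ("ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375 "
                    "--containerd=/run/containerd/containerd.sock")

WILDCARD_BINDS = ("", "0.0.0.0", "[::]")


def hosts_from_daemon_json(text: str) -> Tuple[List[str], bool]:
    """Return (listen addresses, TLS enabled) from a daemon.json document."""
    cfg = json.loads(text)
    tls = bool(cfg.get("tlsverify") or cfg.get("tls"))
    return list(cfg.get("hosts") or []), tls


def hosts_from_execstart(line: str) -> Tuple[List[str], bool]:
    """Return (listen addresses, TLS enabled) from a systemd ExecStart= line for dockerd."""
    argv = shlex.split(line.split("=", 1)[1])
    hosts: List[str] = []
    tls = False
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
            i += 2
            continue
        if arg.startswith("-H=") or arg.startswith("--host="):
            hosts.append(arg.split("=", 1)[1])
        if arg in ("--tls", "--tlsverify") or arg in ("--tls=true", "--tlsverify=true"):
            tls = True
        i += 1
    return hosts, tls


def bind_address(tcp_host: str) -> str:
    """Extract the bind address from tcp://addr:port, handling bracketed IPv6."""
    rest = tcp_host[len("tcp://"):]
    if rest.startswith("["):
        return rest[: rest.index("]") + 1]
    return rest.rsplit(":", 1)[0] if ":" in rest else rest


def audit_hosts(hosts: List[str], tls_enabled: bool) -> List[str]:
    """Grade each TCP listener; unix:// and fd:// listeners are local and not reported."""
    findings = []
    for h in hosts:
        if not h.startswith("tcp://"):
            continue
        bind = bind_address(h)
        if bind in WILDCARD_BINDS:
            if tls_enabled:
                findings.append(f"HIGH: Docker API on all interfaces with TLS ({h}); confirm --tlsverify and client-cert policy")
            else:
                findings.append(f"CRITICAL: Docker API on all interfaces without TLS ({h}); anyone who can reach it controls the host")
        elif not tls_enabled:
            findings.append(f"MEDIUM: Docker API on {bind} without TLS ({h}); plaintext, unauthenticated control channel")
    return findings


if __name__ == "__main__":
    for source, (hosts, tls) in {
        "daemon.json": hosts_from_daemon_json(SAMPLE_DAEMON_JSON),
        "systemd unit": hosts_from_execstart(SAMPLE_EXECSTART),
    }.items():
        for finding in audit_hosts(hosts, tls) or ["OK: no exposed TCP listener"]:
            print(f"[{source}] {finding}")
```

On a real host both sources should be checked, because a daemon.json "hosts" entry and an ExecStart -H flag conflict with each other and the effective configuration is whichever the administrator actually left in place.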
- Researchers have discovered MalTerminal, the earliest known malware that incorporates GPT-4 capabilities, enabling it to dynamically generate ransomware code or reverse shell commands. MalTerminal utilizes a deprecated OpenAI API, suggesting it may serve as a proof-of-concept or red team tool. This malware exemplifies a new category of threats known as LLM-embedded malware, which poses significant challenges for cybersecurity defenses. Additionally, cybercriminals are employing sophisticated phishing techniques that utilize hidden prompts in emails to bypass AI security systems. These tactics exploit vulnerabilities like Follina, leading to the execution of malicious payloads.
- Silent Push has identified a new malware loader named CountLoader, closely linked to Russian ransomware gangs such as LockBit, BlackBasta, and Qilin. This evolving threat is delivered in three versions: .NET, PowerShell, and JScript, and has been utilized in phishing campaigns targeting individuals in Ukraine, often impersonating Ukrainian police. CountLoader is capable of dropping various malware agents, including Cobalt Strike and Adaptix C2, and employs sophisticated techniques for persistence and communication. It gathers extensive system information from victims and utilizes multiple methods for file downloading and execution. The malware's infrastructure is designed to blend into legitimate enterprise traffic.
- Raven Stealer is a lightweight and sophisticated information-stealing malware developed in Delphi and C++. It primarily targets Chromium-based browsers, extracting sensitive data such as passwords, cookies, payment details, and autofill entries. Utilizing a modular design, it allows attackers to easily embed configuration details like Telegram bot tokens for seamless data exfiltration. The malware operates stealthily by employing techniques such as in-memory execution and process injection, which help it evade detection by traditional security measures. Once active, it aggregates stolen credentials and system information, transmitting them directly to the attacker via Telegram, thereby posing significant risks to both personal and enterprise environments.
- Google has released a critical update for Chrome, addressing the sixth zero-day vulnerability of 2025, tracked as CVE-2025-10585. This vulnerability, a type confusion issue in the V8 JavaScript engine, allows attackers to exploit crafted HTML pages for remote code execution and other malicious activities. Alongside this, the update resolves two additional use-after-free vulnerabilities and a heap buffer overflow in the ANGLE graphics engine. The latest Chrome version is now being rolled out across Windows, macOS, and Linux platforms.
- A sophisticated worm named Shai-Hulud has infiltrated the npm ecosystem, targeting popular packages with millions of weekly downloads. The 3MB+ JavaScript malware compromises npm developer accounts, injecting itself into maintained packages to spread further. Each infected package triggers a malicious bundle.js script upon installation, designed to steal npm, GitHub, AWS, and GCP tokens, while also deploying TruffleHog to detect up to 800 secrets. The worm creates public GitHub repositories named “Shai-Hulud” to store stolen secrets and uses GitHub Actions to exfiltrate tokens to a remote server. Additionally, it converts private repositories to public, exposing sensitive code and vulnerabilities. Impacting over 700 GitHub repositories, this campaign is linked to the earlier s1ngularity/Nx supply chain attack, amplifying its reach through compromised developer accounts and stolen tokens.
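Because the worm runs from an install-time script, the cheapest defensive check is to enumerate which installed packages declare npm lifecycle hooks at all and look harder at the ones that run something like bundle.js. The following is an added example, not code from the Shai-Hulud analysis or from npm: it walks a directory tree for package.json files, reports every preinstall/install/postinstall/prepare script, and marks commands matching a few constructed heuristics (a bundle.js reference, inline node -e, curl/wget, PowerShell, base64) as suspicious. The sample tree it builds in a temp directory, including the "trojaned-lib" package, is entirely made up.

```python
import json
import os
import re
import tempfile
from typing import Dict, List, Tuple

# Lifecycle hooks npm runs automatically during `npm install`
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristic patterns (constructed for this example, not detection signatures)
SUSPICIOUS = re.compile(r"bundle\.js|\bnode\s+-e\b|\bcurl\b|\bwget\b|powershell|base64", re.I)


def scan_package(pkg: Dict, location: str) -> List[Tuple[str, str, str, str]]:
    """Return (package name, hook, command, level) for every install-time hook in one package.json."""
    findings = []
    name = pkg.get("name") or location
    scripts = pkg.get("scripts") or {}
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        level = "SUSPICIOUS" if SUSPICIOUS.search(cmd) else "REVIEW"
        findings.append((name, hook, cmd, level))
    return findings


def scan_tree(root: str) -> List[Tuple[str, str, str, str]]:
    """Walk a project or node_modules tree and collect install-hook findings from every package.json."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        path = os.path.join(dirpath, "package.json")
        try:
            with open(path, encoding="utf-8") as fh:
                pkg = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash the scan
        findings.extend(scan_package(pkg, os.path.relpath(dirpath, root)))
    return findings


def build_sample_tree() -> str:
    """Create a constructed node_modules tree in a temp dir: one clean package, one legitimate
    native build hook, and one package whose postinstall runs a bundle.js."""
    root = tempfile.mkdtemp()
    packages = {
        "node_modules/clean-lib": {"name": "clean-lib", "version": "1.0.0",
                                   "scripts": {"test": "jest"}},
        "node_modules/native-addon": {"name": "native-addon", "version": "2.1.0",
                                      "scripts": {"install": "node-gyp rebuild"}},
        "node_modules/trojaned-lib": {"name": "trojaned-lib", "version": "3.4.5",
                                      "scripts": {"postinstall": "node bundle.js"}},
    }
    for rel, pkg in packages.items():
        pkg_dir = os.path.join(root, rel)
        os.makedirs(pkg_dir)
        with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(pkg, fh)
    return root


if __name__ == "__main__":
    for name, hook, cmd, level in scan_tree(build_sample_tree()):
        print(f"{level:10} {name:15} {hook:12} {cmd}")
```

A "REVIEW" hit is not an indictment: native add-ons legitimately run node-gyp at install time. The point is to make the set of packages that execute code during install small and known, and to install with `npm ci --ignore-scripts` in CI wherever the build does not need them.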
- A new variant of the ToneShell backdoor, attributed to the Mustang Panda group, has emerged with advanced persistence and anti-analysis capabilities. Delivered through DLL sideloading within compressed archives, this variant employs sophisticated anti-analysis techniques to evade detection. It checks the execution environment to prevent self-infection and enforces a single-instance policy. The malware establishes persistence by copying itself and essential DLLs to a user profile directory and creates a scheduled task to ensure it runs regularly. Communication with its command and control server is disguised using a TLS-like protocol, and the payloads are XOR-obfuscated. This variant also generates unique GUIDs for each infected machine, ensuring continued operation.
- VoidProxy is a sophisticated PhaaS platform that leverages AitM techniques to compromise Microsoft and Google accounts by bypassing MFA. It operates using compromised email accounts and employs various evasion tactics, including URL obfuscation and disposable phishing domains, to avoid detection. Phishing campaigns begin with emails that contain shortened links leading to these domains, which are protected by Cloudflare CAPTCHA challenges. The attack unfolds in several stages, from delivery to session hijacking, allowing attackers to capture sensitive information like usernames, passwords, and MFA codes. VoidProxy’s backend features a web-based admin console that enables real-time management of phishing campaigns and stolen data extraction, making it a potent tool for cybercriminals.
- GhostRedirector is a newly identified China-aligned threat actor targeting Windows servers. It uses a passive C++ backdoor named Rungan for remote command execution. A malicious IIS module, Gamshen, is used for SEO fraud, manipulating Google search rankings to promote gambling websites. GhostRedirector exploits public vulnerabilities like EfsPotato and BadPotato for privilege escalation. The campaign compromised at least 65 Windows servers, mainly in Brazil, Thailand, Vietnam, and the U.S., affecting diverse sectors such as healthcare, education, and retail. GhostRedirector deploys tools like Zunput to collect website information and install webshells.
- Hackers are increasingly exploiting vulnerabilities using HexStrike-AI, an AI-powered security framework designed for penetration testing. This tool automates the exploitation of newly disclosed n-day flaws, such as Citrix vulnerabilities CVE-2025-7775, CVE-2025-7776, and CVE-2025-8424, significantly reducing the time required for attacks from days to mere minutes. With nearly 8,000 endpoints still vulnerable as of early September, attackers have begun discussing HexStrike-AI on hacking forums, sharing methods to deploy it for unauthorized access. The tool’s open-source nature has made it popular among malicious actors, enabling them to achieve remote code execution and maintain persistence through automated processes.