2025-10-11 AI Startup News

Stealit Malware Abuses Node.js Single Executable Feature via Game and VPN Installers

Cybersecurity researchers have disclosed details of an active malware campaign called Stealit that has leveraged Node.js’ Single Executable Application (SEA) feature as a way to distribute its payloads. According to Fortinet FortiGuard Labs, select iterations have also employed the open-source Electron framework to deliver the malware. It’s assessed that the malware is being propagated through counterfeit installers for games and VPN applications that are uploaded to file-sharing sites such as Mediafire and Discord. SEA is a feature that allows Node.js applications to be packaged and distributed as a standalone executable, even on systems without Node.js installed.

“Both approaches are effective for distributing Node.js-based malware, as they allow execution without requiring a pre-installed Node.js runtime or additional dependencies,” security researchers Eduardo Altares and Joie Salvio said in a report shared with The Hacker News. On a dedicated website, the threat actors behind Stealit claim to offer “professional data extraction solutions” via several subscription plans. This includes a remote access trojan (RAT) that supports file extraction, webcam control, live screen monitoring, and ransomware deployment targeting both Android and Windows operating systems. Prices for the Windows Stealer range from $29.99 for a weekly subscription to $499.99 for a lifetime license.

The Android RAT pricing, on the other hand, goes from $99.99 all the way to $1,999.99. The fake executables contain an installer that’s designed to retrieve the main components of the malware from a command-and-control (C2) server and install them, but only after performing a number of anti-analysis checks to ensure it’s not running inside a virtual or sandboxed environment. A crucial aspect of this step involves writing a Base64-encoded authentication key, a 12-character alphanumeric key, to the %temp%\cache.json file. This key is used to authenticate with the C2 server, as well as by subscribers to log in to the dashboard, likely in order to monitor and control their victims.

The malware is also engineered to configure Microsoft Defender Antivirus exclusions so that the folder that contains the downloaded components is not flagged. The functions of the three executables are as follows -

- save_data.exe, which is only downloaded and executed if the malware is running with elevated privileges. It’s designed to drop a tool named “cache.exe” – which is part of open-source project ChromElevator – to extract information from Chromium-based browsers.
- stats_db.exe, which is designed to extract information from messengers (Telegram, WhatsApp), cryptocurrency wallets and wallet browser extensions (Atomic and Exodus), and game-related apps (Steam, Minecraft, GrowTopia, and Epic Games Launcher).
- game_cache.exe, which is designed to set up persistence on the host by creating a Visual Basic script that launches it upon system reboot, and to communicate with the C2 server to stream a victim’s screen in real-time, execute arbitrary commands, download/upload files, and change desktop wallpaper.

“This new Stealit campaign leverages the experimental Node.js Single Executable Application (SEA) feature, which is still under active development, to conveniently distribute malicious scripts to systems without Node.js installed,” Fortinet said. “Threat actors behind this may be exploiting the feature’s novelty, relying on the element of surprise, and hoping to catch security applications and malware analysts off guard.”
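A host-triage sketch for the two artifacts described above, the Base64-encoded 12-character key in %temp%\cache.json and the three component file names. This is an added example, not code from Fortinet or the malware; the internal layout of cache.json is not given in the article, so the scan is layout-agnostic and the sample file content is constructed.

```python
import base64
import binascii
import json
import ntpath
import os
import re

# Component file names reported in the article.
COMPONENT_NAMES = {"save_data.exe", "stats_db.exe", "game_cache.exe"}

# 12 bytes always encode to exactly 16 Base64 characters with no padding,
# so only stand-alone 16-character Base64 tokens are worth decoding.
B64_TOKEN = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{16}(?![A-Za-z0-9+/=])")
KEY_SHAPE = re.compile(rb"[A-Za-z0-9]{12}")


def find_candidate_keys(text):
    """Return decoded 12-character alphanumeric values found as Base64 in text."""
    hits = []
    for token in B64_TOKEN.findall(text):
        try:
            decoded = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            continue
        if KEY_SHAPE.fullmatch(decoded):
            hits.append(decoded.decode("ascii"))
    return hits


def match_component_names(paths):
    """Return the reported component names present in a list of file paths."""
    found = set()
    for path in paths:
        # ntpath parses Windows paths correctly on any analysis host.
        name = ntpath.basename(path).lower()
        if name in COMPONENT_NAMES:
            found.add(name)
    return sorted(found)


def triage(cache_text, paths):
    """Combine both indicators; either one alone is only a lead, not a verdict."""
    keys = find_candidate_keys(cache_text)
    components = match_component_names(paths)
    return {
        "candidate_keys": keys,
        "components": components,
        "suspicious": bool(keys) and bool(components),
    }


# Constructed sample: the field name "key" and the key value are assumptions.
SAMPLE_KEY = "A1b2C3d4E5f6"
SAMPLE_CACHE = json.dumps(
    {"key": base64.b64encode(SAMPLE_KEY.encode("ascii")).decode("ascii")}
)
SAMPLE_PATHS = [
    r"C:\Users\victim\AppData\Local\Temp\Game_Cache.exe",
    r"C:\Users\victim\Documents\notes.txt",
]

if __name__ == "__main__":
    # On a live Windows host, read the real file if it exists.
    cache_path = os.path.join(os.environ.get("TEMP", ""), "cache.json")
    if os.path.isfile(cache_path):
        with open(cache_path, "r", encoding="utf-8", errors="replace") as fh:
            print(triage(fh.read(), []))
    else:
        print(triage(SAMPLE_CACHE, SAMPLE_PATHS))
```

Many legitimate programs write a cache.json to the temp directory, so a hit on the key shape should be weighed together with the component names and the Defender exclusion list.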

Microsoft Warns of ‘Payroll Pirates’ Hijacking HR SaaS Accounts to Steal Employee Salaries

A threat actor known as Storm-2657 has been observed hijacking employee accounts with the end goal of diverting salary payments to attacker-controlled accounts. “Storm-2657 is actively targeting a range of U.S.-based organizations, particularly employees in sectors like higher education, to gain access to third-party human resources (HR) software as a service (SaaS) platforms like Workday,” the Microsoft Threat Intelligence team said in a report. However, the tech giant cautioned that any software-as-a-service (SaaS) platform storing HR or payment and bank account information could be a target of such financially motivated campaigns. Some aspects of the campaign, codenamed Payroll Pirates, were previously highlighted by Silent Push, Malwarebytes, and Hunt.io.

What makes the attacks notable is that they don’t exploit any security flaw in the services themselves. Rather, they leverage social engineering tactics and a lack of multi-factor authentication (MFA) protections to seize control of employee accounts and ultimately modify payment information to route them to accounts managed by the threat actors. In one campaign observed by Microsoft in the first half of 2025, the attacker is said to have obtained initial access through phishing emails that are designed to harvest their credentials and MFA codes using an adversary-in-the-middle (AitM) phishing link, thereby gaining access to their Exchange Online accounts and taking over Workday profiles through single sign-on (SSO). The threat actors have also been observed creating inbox rules to delete incoming warning notification emails from Workday so as to hide the unauthorized changes made to profiles.

This includes altering the salary payment configuration to redirect future salary payments to accounts under their control. To ensure persistent access to the accounts, the attackers enroll their own phone numbers as MFA devices for victim accounts. What’s more, the compromised email accounts are used to distribute further phishing emails, both within the organization and to other universities. Microsoft said it observed 11 successfully compromised accounts at three universities since March 2025 that were used to send phishing emails to nearly 6,000 email accounts across 25 universities.

The email messages feature lures related to illnesses or misconduct notices on campus, inducing a false sense of urgency and tricking recipients into clicking on the fake links. To mitigate the risk posed by Storm-2657, it’s recommended to adopt passwordless, phishing-resistant MFA methods such as FIDO2 security keys, and review accounts for signs of suspicious activity, such as unknown MFA devices and malicious inbox rules.

From Detection to Patch: Fortra Reveals Full Timeline of CVE-2025-10035 Exploitation

Fortra on Thursday revealed the results of its investigation into CVE-2025-10035, a critical security flaw in GoAnywhere Managed File Transfer (MFT) that’s assessed to have come under active exploitation since at least September 11, 2025. The company said it began its investigation on September 11 following a “potential vulnerability” reported by a customer, uncovering “potentially suspicious activity” related to the flaw. That same day, Fortra said it contacted on-premises customers who were identified as having their GoAnywhere admin console accessible to the public internet and that it notified law enforcement authorities about the incident. A hotfix for versions 7.6.x, 7.7.x, and 7.8.x of the software was made available the next day, with full releases incorporating the patch – versions 7.6.3 and 7.8.4 – made available on September 15.

Three days later, a CVE for the vulnerability was formally published, it added. “The scope of the risk of this vulnerability is limited to customers with an admin console exposed to the public internet,” Fortra said. “Other web-based components of the GoAnywhere architecture are not affected by this vulnerability.” However, it conceded that there are a “limited number of reports” of unauthorized activity related to CVE-2025-10035. As additional mitigations, the company is recommending that users restrict admin console access over the internet, as well as enable monitoring and keep software up-to-date.

CVE-2025-10035 concerns a deserialization vulnerability in the License Servlet that could result in command injection without authentication. In a report earlier this week, Microsoft revealed that a threat it tracks as Storm-1175 has been exploiting the flaw since September 11 to deploy Medusa ransomware. That said, there is still no clarity on how the threat actors managed to obtain the private keys needed to exploit this vulnerability. “The fact that Fortra has now opted to confirm (in their words) ‘unauthorized activity related to CVE-2025-10035’ demonstrates yet again that the vulnerability was not theoretical and that the attacker has somehow circumvented, or satisfied, the cryptographic requirements needed to exploit this vulnerability,” watchTowr CEO and founder Benjamin Harris said.

The AI SOC Stack of 2026: What Sets Top-Tier Platforms Apart?

The SOC of 2026 will no longer be a human-only battlefield. As organizations scale and threats evolve in sophistication and velocity, a new generation of AI-powered agents is reshaping how Security Operations Centers (SOCs) detect, respond, and adapt. But not all AI SOC platforms are created equal. From prompt-dependent copilots to autonomous, multi-agent systems, the current market offers everything from smart assistants to force-multiplying automation.

While adoption is still early—estimated at 1–5% penetration according to Gartner—the shift is undeniable. SOC teams must now ask a fundamental question: What type of AI belongs in my security stack?

The Limits of Traditional SOC Automation

Despite promises from legacy SOAR platforms and rule-based SIEM enhancements, many security leaders still face the same core challenges:

- Analyst alert fatigue from redundant low-fidelity triage tasks
- Manual context correlation across disparate tools and logs
- Disjointed and static detection and response workflows
- Loss of institutional knowledge during turnover or tool migration

Automation promised to solve this—but often came with its own overhead: engineering-intensive setups, brittle playbooks, and limited adaptability to nuanced environments.

From Co-Pilots to Cognitive Agents: The Shift to Mesh Agentic Architectures

Many AI-enabled SOC platforms rely on Large Language Models (LLMs) in a co-pilot format: they summarize alerts, generate reports, or offer canned queries - but require constant human prompting. This model delivers surface-level speed, but not scale. The most advanced platforms go further by introducing mesh agentic architectures—a coordinated system of AI agents, each responsible for specialized SOC functions such as triage, threat correlation, evidence assembly, and incident response. Rather than a single model responding to prompts, these systems autonomously distribute tasks across AI agents, continuously learning from organizational context, analyst actions, and environmental telemetry.

7 Core Capabilities That Define the Leading AI SOC Platforms

In reviewing today’s AI SOC landscape, seven defining characteristics consistently separate signal from noise:

1. Multi-Tier Incident Handling: AI that assists only with Tier-1 triage is table stakes. Top-tier platforms also support complex Tier-2 and Tier-3 investigations—including lateral movement, EDR, and phishing detections.
2. Contextual Intelligence: Embedding institutional knowledge (risk profiles, security policies, detection engineering, etc.) into the AI’s operating model and leveraging it automatically during enrichment is critical. This is the difference between generic suggestions and context-aware decisions.
3. Non-Disruptive Integration: Any platform requiring security teams to abandon their existing tools, portals, or daily workflows creates friction. Leading solutions work with and within existing systems—SIEM, case management, ticketing—without demanding retraining.
4. Adaptive Learning with Telemetry Feedback: Static playbooks are brittle. The most effective AI platforms include continuous learning loops, using past decisions and analyst feedback to tune models and improve future response.
5. Agentic AI Architecture: Platforms leveraging multiple AI engines (LLMs, SLMs, ML classifiers, statistical models, behavior-based engines) outperform those using a monolithic model. The right architecture selects the right AI tool for each incident type.
6. Transparent Metrics and ROI: Metrics like MTTD/MTTR are just the beginning. Organizations now expect to measure investigation accuracy, analyst productivity uplift, and risk reduction curves.
7. Staged AI Trust Frameworks: Top-performing platforms let SOCs gradually scale autonomy—starting with human-in-the-loop and moving toward higher confidence automation as performance is validated.

Spotlight: The Rise of Agentic AI for Security Operations

One emerging platform in this space is Conifers.ai’s CognitiveSOC™, with its unique implementation of a mesh agentic AI architecture. Unlike tools that require constant prompting or scripting, Conifers CognitiveSOC™ leverages pre-trained, task-specific agents that continuously ingest and apply organizational context and telemetry. These AI SOC agents independently manage and resolve incidents—while maintaining human visibility and control through staged rollout options. The result is a system that augments the entire SOC pipeline, not just triage. It helps teams:

- Reduce false positives by up to 80%
- Cut MTTD/MTTR by 40–60%
- Handle Tier-2 and Tier-3 investigations without analyst overload
- Measure SOC performance with strategic KPIs, not just alert count

For large enterprises, CognitiveSOC bridges the gap between SOC efficiency and effectiveness. For MSSPs, it offers a true multi-tenant environment with per-client policy alignment and tenant-specific ROI dashboards.

AI in the SOC: Augmentation, Not Autonomy

Despite advances, the idea of a fully autonomous SOC is still more fiction than reality. AI today is best used to scale human expertise, not replace it. It relies on human input and feedback to learn, refine, and improve. With rising threats, analyst burnout, and talent shortages, the choice is no longer whether to adopt AI in the SOC—but how intelligently you do it. Selecting the right AI architecture could determine whether your team stays ahead of threats—or falls behind.

Final Thoughts

AI in cybersecurity isn’t about magic—it’s about math, models, and mission alignment. The best platforms won’t promise hands-off autonomy or results overnight. Instead, they’ll deliver measurable efficiency, increased analyst impact, and clear risk reduction—without forcing you to abandon the tools and teams you trust. As 2026 approaches, SOC teams have a clear mandate: choose AI platforms that think with you, not just for you. Visit Conifers.ai to request a demo and experience how CognitiveSOC may be the right AI SOC platform for your modern SOC.

This article is a contributed piece from one of our valued partners.

175 Malicious npm Packages with 26,000 Downloads Used in Credential Phishing Campaign

Cybersecurity researchers have flagged a new set of 175 malicious packages on the npm registry that have been used to facilitate credential harvesting attacks as part of an unusual campaign. The packages have been collectively downloaded 26,000 times, acting as an infrastructure for a widespread phishing campaign codenamed Beamglea targeting more than 135 industrial, technology, and energy companies across the world, according to Socket. “While the packages’ randomized names make accidental developer installation unlikely, the download counts likely include security researchers, automated scanners, and CDN infrastructure analyzing the packages after disclosure,” security researcher Kush Pandya said. The packages have been found to use npm’s public registry and unpkg.com’s CDN to host redirect scripts that route victims to credential harvesting pages.

Some aspects of the campaign were first flagged by Safety’s Paul McCarty late last month. Specifically, the library comes fitted with a Python file named “redirect_generator.py” to programmatically create and publish an npm package with the name “redirect-xxxxxx,” where “x” refers to a random alphanumeric string. The script then injects a victim’s email address and custom phishing URL into the package. Once the package is live on the npm registry, the “malware” proceeds to create an HTML file with a reference to the UNPKG CDN associated with the newly published package (e.g., “unpkg[.]com/redirect-xs13nr@1.0.0/beamglea.js”).

The threat actor is said to be taking advantage of this behavior to distribute HTML payloads that, when opened, load JavaScript from the UNPKG CDN and redirect the victim to Microsoft credential harvesting pages. The JavaScript file “beamglea.js” is a redirect script that includes the victim’s email address and the URL to which the victim is navigated in order to capture their credentials. Socket said it found more than 630 HTML files that masquerade as purchase orders, technical specifications, or project documents. In other words, the npm packages are not designed to execute malicious code upon installation.

Instead, the campaign leverages npm and UNPKG for hosting the phishing infrastructure. It’s currently not clear how the HTML files are distributed, although it’s possible they are propagated via emails that trick recipients into launching the specially crafted HTML files. “When victims open these HTML files in a browser, the JavaScript immediately redirects to the phishing domain while passing the victim’s email address via URL fragment,” Socket said. “The phishing page then pre-fills the email field, creating a convincing appearance that the victim is accessing a legitimate login portal that already recognizes them. This pre-filled credential significantly increases the attack’s success rate by reducing victim suspicion.”

The findings once again highlight the ever-evolving nature of threat actors who are constantly adapting their techniques to stay ahead of defenders, who are also constantly developing new techniques to detect them. In this case, it underscores the abuse of legitimate infrastructure at scale. “The npm ecosystem becomes unwitting infrastructure rather than a direct attack vector,” Pandya said. “Developers who install these packages see no malicious behavior, but victims opening specially crafted HTML files are redirected to phishing sites.”

“By publishing 175 packages across 9 accounts and automating victim-specific HTML generation, the attackers created a resilient phishing infrastructure that costs nothing to host and leverages trusted CDN services. The combination of npm’s open registry, unpkg.com’s automatic serving, and minimal code creates a reproducible playbook that other threat actors will adopt.”
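A mail-gateway or triage check for the HTML lures described above, flagging script tags that load from unpkg.com a package named in the “redirect-xxxxxx” shape or a file called beamglea.js. This is an added example, not Socket’s tooling; the six-character suffix length is taken from the one package name quoted in the article, and the sample HTML and package names are constructed.

```python
import re
import sys
from html.parser import HTMLParser
from urllib.parse import urlparse

UNPKG_HOSTS = {"unpkg.com", "www.unpkg.com"}
# unpkg URL layout: /<package>[@<version>]/<file path>
PKG_PATH = re.compile(r"^/(?P<pkg>[^/@]+)(?:@(?P<ver>[^/]+))?/(?P<file>.+)$")
# Assumption: "redirect-" plus six alphanumerics, as in the article's example.
REDIRECT_PKG = re.compile(r"^redirect-[a-z0-9]{6}$", re.IGNORECASE)
REDIRECT_SCRIPT = "beamglea.js"


class _ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        for name, value in attrs:
            if name == "src" and value:
                self.sources.append(value.strip())


def scan_html(html_text):
    """Return one finding per script src that matches the campaign pattern."""
    collector = _ScriptSrcCollector()
    collector.feed(html_text)
    findings = []
    for src in collector.sources:
        url = urlparse(src)  # also handles protocol-relative //unpkg.com/...
        if (url.hostname or "").lower() not in UNPKG_HOSTS:
            continue
        match = PKG_PATH.match(url.path)
        if not match:
            continue
        reasons = []
        if REDIRECT_PKG.match(match["pkg"]):
            reasons.append("package-name")
        if match["file"].rsplit("/", 1)[-1].lower() == REDIRECT_SCRIPT:
            reasons.append("script-name")
        if reasons:
            findings.append({
                "src": src,
                "package": match["pkg"],
                "version": match["ver"],
                "file": match["file"],
                "reasons": reasons,
            })
    return findings


# Constructed samples (package names are made up for this example).
SAMPLE_LURE = (
    "<html><body><h1>Purchase Order</h1>"
    '<script src="https://unpkg.com/redirect-ab12cd@1.0.0/beamglea.js"></script>'
    "</body></html>"
)
SAMPLE_RENAMED = '<script src="//unpkg.com/redirect-zz99yy@2.1.0/r.js"></script>'
SAMPLE_BENIGN = (
    '<script src="https://unpkg.com/react@18/umd/react.production.min.js"></script>'
)

if __name__ == "__main__":
    # Usage: python scan_lures.py attachment1.html attachment2.html ...
    for path in sys.argv[1:]:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            for finding in scan_html(fh.read()):
                print(path, finding)
```

Ordinary pages load libraries from unpkg.com all the time, which is why the host alone is never reported; only the package-name shape or the script name produces a finding.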

Weaponized GenAI + Extortion-First Strategies Fueling a New Age of Ransomware

From LFI to RCE: Active Exploitation Detected in Gladinet and TrioFox Vulnerability

Cybersecurity company Huntress said it has observed active in-the-wild exploitation of an unpatched security flaw impacting Gladinet CentreStack and TrioFox products. The zero-day vulnerability, tracked as CVE-2025-11371 (CVSS score: 6.1), is an unauthenticated local file inclusion bug that allows unintended disclosure of system files. It impacts all versions of the software prior to and including 16.7.10368.56560. Huntress said it first detected the activity on September 27, 2025, uncovering that three of its customers have been impacted so far.

It’s worth noting that both applications were previously affected by CVE-2025-30406 (CVSS score: 9.0), a case of hard-coded machine key that could allow a threat actor to perform remote code execution via a ViewState deserialization vulnerability. The vulnerability has since come under active exploitation. CVE-2025-11371, per Huntress, “allowed a threat actor to retrieve the machine key from the application Web.config file to perform remote code execution via the aforementioned ViewState deserialization vulnerability.” Additional details of the flaw are being withheld in light of active exploitation and in the absence of a patch.

In one instance investigated by the company, the affected version was newer than 16.4.10315.56368 and not vulnerable to CVE-2025-30406, suggesting that attackers could exploit earlier versions and use the hard-coded machine key to execute code remotely via the ViewState deserialization flaw. In the interim, users are recommended to disable the “temp” handler within the Web.config file for UploadDownloadProxy located at “C:\Program Files (x86)\Gladinet Cloud Enterprise\UploadDownloadProxy\Web.config.” “This will impact some functionality of the platform; however, it will ensure that this vulnerability cannot be exploited until it is patched,” Huntress researchers Bryan Masters, James Maclachlan, Jai Minton, and John Hammond said.

CL0P-Linked Hackers Breach Dozens of Organizations Through Oracle Software Flaw

Dozens of organizations may have been impacted following the zero-day exploitation of a security flaw in Oracle’s E-Business Suite (EBS) software since August 9, 2025, Google Threat Intelligence Group (GTIG) and Mandiant said in a new report released Thursday. “We’re still assessing the scope of this incident, but we believe it affected dozens of organizations,” John Hultquist, chief analyst of GTIG at Google Cloud, said in a statement shared with The Hacker News. “Some historic Cl0p data extortion campaigns have had hundreds of victims. Unfortunately, large-scale zero-day campaigns like this are becoming a regular feature of cybercrime.” The activity, which bears some hallmarks associated with the Cl0p ransomware crew, is assessed to have fashioned together multiple distinct vulnerabilities, including a zero-day flaw tracked as CVE-2025-61882 (CVSS score: 9.8), to breach target networks and exfiltrate sensitive data.

Google said it found evidence of additional suspicious activity dating back to July 10, 2025, although how successful these efforts were remains unknown. Oracle has since issued patches to address the shortcoming. Cl0p (aka Graceful Spider), active since 2020, has been attributed to the mass exploitation of several zero-days in Accellion legacy file transfer appliance (FTA), GoAnywhere MFT, Progress MOVEit MFT, and Cleo LexiCom over the years. While phishing email campaigns undertaken by the FIN11 actors have acted as a precursor for Cl0p ransomware deployment in the past, Google said it found signs of the file-encrypting malware being a different actor.

The latest wave of attacks began in earnest on September 29, 2025, when the threat actors kicked off a high-volume email campaign aimed at company executives from hundreds of compromised third-party accounts belonging to unrelated organizations. The credentials for these accounts are said to have been purchased on underground forums, presumably through the purchase of infostealer malware logs. The email messages claimed the actor had breached their Oracle EBS application and exfiltrated sensitive data, demanding that they pay an unspecified amount as ransom in return for not leaking the stolen information. To date, none of the victims of the campaign have been listed on the Cl0p data leak site – a behavior that’s consistent with prior Cl0p attacks where the actors waited for several weeks before posting them.

The attacks themselves leverage a combination of Server-Side Request Forgery (SSRF), Carriage-Return Line-Feed (CRLF) injection, authentication bypass, and XSL template injection, to gain remote code execution on the target Oracle EBS server and set up a reverse shell. Sometime around August 2025, Google said it observed a threat actor exploiting a vulnerability in the “/OA_HTML/SyncServlet” component to achieve remote code execution and ultimately trigger an XSL payload via the Template Preview functionality. Two different chains of Java payloads have been found embedded in the XSL payloads -

- GOLDVEIN.JAVA, a Java variant of a downloader called GOLDVEIN (a PowerShell malware first detected in December 2024 in connection with the exploitation campaign of multiple Cleo software products) that can receive a second-stage payload from a command-and-control (C2) server.
- A Base64-encoded loader called SAGEGIFT custom designed for Oracle WebLogic servers that’s used to launch SAGELEAF, an in-memory dropper that’s then used to install SAGEWAVE, a malicious Java servlet filter that allows for the installation of an encrypted ZIP archive containing an unknown next-stage malware. (The main payload, however, has some overlaps with a cli module present in a FIN11 backdoor known as GOLDTOMB.)

The threat actor has also been observed executing various reconnaissance commands from the EBS account “applmgr,” as well as running commands from a bash process launched from a Java process running GOLDVEIN.JAVA. Interestingly, some of the artifacts observed in July 2025 as part of incident response efforts overlap with an exploit leaked in a Telegram group named Scattered LAPSUS$ Hunters on October 3, 2025. However, Google said it does not have sufficient evidence to suggest any involvement of the cybercrime crew in the campaign. The level of investment into the campaign suggests the threat actors responsible for the initial intrusion likely dedicated significant resources to pre-attack research, GTIG pointed out.

The tech giant said it’s not formally attributing the attack spree to a tracked threat group, although it pointed out the use of the Cl0p brand as notable. That said, it’s believed that the threat actor has an association with Cl0p. It also noted that the post-exploitation tooling exhibits overlaps with malware (i.e., GOLDVEIN and GOLDTOMB) used in a previous suspected FIN11 campaign, and that one of the breached accounts used to send the recent extortion emails was previously used by FIN11. “The pattern of exploiting a zero-day vulnerability in a widely used enterprise application, followed by a large-scale, branded extortion campaign weeks later, is a hallmark of activity historically attributed to FIN11 that has strategic benefits which may also appeal to other threat actors,” it said.

“Targeting public-facing applications and appliances that store sensitive data likely increases the efficiency of data theft operations, given that the threat actors do not need to dedicate time and resources to lateral movement.”

From HealthKick to GOVERSHELL: The Evolution of UTA0388’s Espionage Malware

A China-aligned threat actor codenamed UTA0388 has been attributed to a series of spear-phishing campaigns targeting North America, Asia, and Europe that are designed to deliver a Go-based implant known as GOVERSHELL. “The initially observed campaigns were tailored to the targets, and the messages purported to be sent by senior researchers and analysts from legitimate-sounding, completely fabricated organizations,” Volexity said in a Wednesday report. “The goal of these spear phishing campaigns was to socially engineer targets into clicking links that led to a remotely hosted archive containing a malicious payload.” Since then, the threat actor behind the attacks is said to have leveraged different lures and fictional identities, spanning several languages, including English, Chinese, Japanese, French, and German. Early iterations of the campaigns have been found to embed links to phishing content either hosted on a cloud-based service or their own infrastructure, in some cases, which led to the deployment of malware.

However, the follow-on waves have been described as “highly tailored,” in which the threat actors resort to building trust with recipients over time before sending the link – a technique called rapport-building phishing. Irrespective of the approach used, the links lead to a ZIP or RAR archive that includes a rogue DLL payload that’s launched using DLL side-loading. The payload is an actively developed backdoor called GOVERSHELL. It’s worth noting that the activity overlaps with a cluster tracked by Proofpoint under the name UNK_DropPitch, with Volexity characterizing GOVERSHELL as a successor to a C++ malware family referred to as HealthKick.

As many as five distinct variants of GOVERSHELL have been identified to date -

- HealthKick (First observed in April 2025), which is equipped to run commands using cmd.exe
- TE32 (First observed in June 2025), which is equipped to execute commands directly via a PowerShell reverse shell
- TE64 (First observed in early July 2025), which is equipped to run native and dynamic commands using PowerShell to get system information, current system time, run command via powershell.exe, and poll an external server for new instructions
- WebSocket (First observed in mid-July 2025), which is equipped to run a PowerShell command via powershell.exe and an unimplemented “update” sub-command as part of the system command
- Beacon (First observed in September 2025), which is equipped to run native and dynamic commands using PowerShell to set a base polling interval, randomize it, or execute a PowerShell command via powershell.exe

Some of the legitimate services abused to stage the archive files include Netlify, Sync, and OneDrive, whereas the email messages have been identified as sent from Proton Mail, Microsoft Outlook, and Gmail. A noteworthy aspect of UTA0388’s tradecraft is its use of OpenAI ChatGPT to generate content for phishing campaigns in English, Chinese, and Japanese; assist with malicious workflows; and search for information related to installing open-source tools like nuclei and fscan, as revealed by the AI company earlier this week. The ChatGPT accounts used by the threat actor have since been banned. The use of a large language model (LLM) to augment its operations is evidenced in the fabrications prevalent in the phishing emails, ranging from the personas used to send the message to the general lack of coherence in the message content itself, Volexity said.

“The targeting profile of the campaign is consistent with a threat actor interested in Asian geopolitical issues, with a special focus on Taiwan,” the company added. “The emails and files used in this campaign leads Volexity to assess with medium confidence that UTA0388 made use of automation, LLM or otherwise, that generated and sent this content to targets with little to no human oversight in some cases.” The disclosure comes as StrikeReady Labs said a suspected China-linked cyber espionage campaign has targeted a Serbian government department related to aviation, as well as other European institutions in Hungary, Belgium, Italy, and the Netherlands. The campaign, observed in late September, involves sending phishing emails containing a link that, when clicked, directs the victim to a fake Cloudflare CAPTCHA verification page that leads to the download of a ZIP archive, within which there exists a Windows shortcut (LNK) file that executes PowerShell responsible for opening a decoy document and stealthily launching PlugX using DLL side-loading.

New ClayRat Spyware Targets Android Users via Fake WhatsApp and TikTok Apps

A rapidly evolving Android spyware campaign called ClayRat has targeted users in Russia using a mix of Telegram channels and lookalike phishing websites by impersonating popular apps like WhatsApp, Google Photos, TikTok, and YouTube as lures to install them. “Once active, the spyware can exfiltrate SMS messages, call logs, notifications, and device information; taking photos with the front camera; and even send SMS messages or place calls directly from the victim’s device,” Zimperium researcher Vishnu Pratapagiri said in a report shared with The Hacker News. The malware is also designed to propagate itself by sending malicious links to every contact in the victim’s phone book, indicating aggressive tactics on the part of the attackers to leverage compromised devices as a distribution vector. The mobile security company said it has detected no less than 600 samples and 50 droppers over the last 90 days, with each successive iteration incorporating new layers of obfuscation to sidestep detection efforts and stay ahead of security defenses.

The malware name is a reference to the command-and-control (C2) panel that can be used to remotely administer the infected devices. The attack chain involves redirecting unsuspecting visitors to these bogus sites to Telegram channels under the adversary’s control, from where they are tricked into downloading APK files by artificially inflating download counts and sharing manufactured testimonials as proof of their popularity. In other cases, bogus websites claiming to offer “YouTube Plus” with premium features have been found to host APK files that can bypass security protections enforced by Google to prevent sideloading of apps on devices running Android 13 and later. “To bypass platform restrictions and the added friction introduced in newer Android versions, some ClayRat samples act as droppers: the visible app is merely a lightweight installer that displays a fake Play Store update screen, while the actual encrypted payload is hidden within the app’s assets,” the company said.

“This session-based installation method lowers perceived risk and increases the likelihood that a webpage visit will result in spyware being installed.” Once installed, ClayRat uses standard HTTP to communicate with its C2 infrastructure and requests users to make it the default SMS application to gain access to sensitive content and messaging functions, thereby allowing it to covertly capture call logs, text messages, notifications, and disseminate the malware further to every other contact. Some of the other features of the malware include making phone calls, getting device information, taking pictures using the device camera, and sending a list of all installed applications to the C2 server. ClayRat is a potent threat not only for its surveillance capabilities, but also for its ability to turn an infected device into a distribution node in an automated fashion, which enables the threat actors to expand their reach swiftly without any manual intervention. A Google spokesperson told The Hacker News that Android users are automatically safeguarded against known versions of the malware through Google Play Protect, which is enabled by default on devices with Google Play Services.

The development comes as academics from the University of Luxembourg and Université Cheikh Anta Diop found that pre-installed apps from budget Android smartphones sold in Africa operate with elevated privileges, with one vendor-supplied package transmitting device identifiers and location details to an external third-party. The study examined 1,544 APKs collected from seven African smartphones, finding that “145 applications (9%) disclose sensitive data, 249 (16%) expose critical components without sufficient safeguards, and many present additional risks: 226 execute privileged or dangerous commands, 79 interact with SMS messages (read, send, or delete), and 33 perform silent installation operations.” (The story was updated after publication to include a response from Google.)

Hackers Access SonicWall Cloud Firewall Backups, Spark Urgent Security Checks

SonicWall on Wednesday disclosed that an unauthorized party accessed firewall configuration backup files for all customers who have used the cloud backup service. “The files contain encrypted credentials and configuration data; while encryption remains in place, possession of these files could increase the risk of targeted attacks,” the company said. It also noted that it’s working to notify all partners and customers, adding it has released tools to assist with device assessment and remediation. The company is also urging users to log in and check for their devices.

The development comes a couple of weeks after SonicWall urged customers to perform a credential reset after their firewall configuration backup files were exposed in a security breach impacting MySonicWall accounts. The list of impacted devices available on the MySonicWall portal has been assigned a priority level to help customers prioritize remediation efforts. The labels are as follows -

• Active – High Priority: Devices with internet-facing services enabled
• Active – Lower Priority: Devices without internet-facing services
• Inactive: Devices that have not pinged home for 90 days

The latest post-mortem marks an about turn from its initial assessment when it claimed the threat actors accessed backup firewall preference files stored in the cloud for less than 5% of its customers. It also stated that while the credentials within those files were encrypted, they also included “information that could make it easier for attackers to potentially exploit the related firewall.” It’s currently not known how many of its customers use the cloud backup service.

SonicWall has yet to reveal when the attacks began or who is behind the activity. However, the company said it has since “hardened” its infrastructure, applied additional logging, and introduced stronger authentication controls to prevent a repeat. Users are advised to follow the steps below with immediate effect -

• Log in to MySonicWall.com account and verify if cloud backups exist for registered firewalls
• If fields are blank, there is no impact
• If fields contain backup details, verify whether impacted serial numbers are listed in the account
• If Serial Numbers are shown, users should follow the containment and remediation guidelines for the listed firewalls

SonicWall said in cases where customers have used the Cloud Backup feature but no Serial Numbers are shown or only some of the registered Serial Numbers are displayed, it will provide additional guidance in coming days. “A brute-force attack was conducted against their cloud backup API service, giving the threat actor access to a treasure trove of sensitive data, including firewall rules, encrypted credentials, routing configurations and more,” Ryan Dewhurst, head of Proactive Threat Intelligence at watchTowr, told The Hacker News.

“This raises questions about why the vendor didn’t implement basic protections like rate limiting and stronger controls around public APIs.” “Although the passwords were encrypted, attackers have all the time in the world to crack them offline at their leisure. If the passwords used were weak in the first place, it’s almost certain that the threat actor has the plaintext versions already. If the threat actor is unable to crack the passwords, you’re not out of the woods, as the information leaked will help in more complex targeted attacks.”

ThreatsDay Bulletin: MS Teams Hack, MFA Hijacking, $2B Crypto Heist, Apple Siri Probe & More

Cyber threats are evolving faster than ever. Attackers now combine social engineering, AI-driven manipulation, and cloud exploitation to breach targets once considered secure. From communication platforms to connected devices, every system that enhances convenience also expands the attack surface. This edition of ThreatsDay Bulletin explores these converging risks and the safeguards that help preserve trust in an increasingly intelligent threat landscape.

How Threat Actors Abuse Microsoft Teams

Attackers Abuse Microsoft Teams for Extortion, Social Engineering, and Financial Theft

Microsoft detailed the various ways threat actors can abuse its Teams chat software at various stages of the attack chain, even using it to support financial theft through extortion, social engineering, or technical means. “Octo Tempest has used communication apps, including Teams, to send taunting and threatening messages to organizations, defenders, and incident response teams as part of extortion and ransomware payment pressure tactics,” the company said. “After gaining control of MFA through social engineering password resets, they sign in to Teams to identify sensitive information supporting their financially motivated operations.” As mitigations, organizations are advised to strengthen identity protection, harden endpoint security, and secure Teams clients and apps.

LNK Files Used in New Malware Campaign

Malicious Shortcut Files Deliver PowerShell Dropper and DLL Implant

A campaign that packages passport- or payment-themed ZIP archives with malicious Windows shortcut (.LNK) files has been found to deliver a PowerShell dropper that drops a DLL implant on compromised hosts.

The ZIP archives are distributed via phishing emails. “Execution of the staged payload launches the DLL implant with rundll32.exe using the JMB export and establishes command and control to faw3[.]com,” Blackpoint Cyber said. “The PowerShell dropper uses simple but effective evasion, including building keywords like Start-Process and rundll32.exe from byte arrays, suppressing progress output, clearing the console, and changing server file names based on common antivirus processes. Once active, the implant runs under the user context and can enable remote tasking, host reconnaissance, and delivery of follow-on payloads while blending into normal Windows activity.”

Israel Likely Behind an AI Disinfo Campaign Targeting Iran

AI-Generated Disinformation Campaign Aimed at Destabilizing Iran

The Citizen Lab said a coordinated Israeli-backed network of around 50 social media accounts on X pushed anti-government propaganda using deepfakes and other AI-generated content to Iranians with the goal of fomenting revolt among the country’s people and overthrowing the Iranian regime.

The campaign has been codenamed PRISONBREAK. These accounts were created in 2023 but remained largely dormant until January 2025. “While organic engagement with PRISONBREAK’s content appears to be limited, some of the posts achieved tens of thousands of views. The operation seeded such posts to large public communities on X, and possibly also paid for their promotion,” the non-profit said.

It’s assessed that the campaign is the work of an unidentified agency of the Israeli government, or a sub-contractor working under its close supervision.

Opposition to E.U. Chat Control

Signal, Tech Firms, and Officials Push Back Against E.U. Chat Control Proposal

The president of the Signal Foundation said the end-to-end encrypted messaging app will leave the European Union market rather than comply with a potential new regulation known as Chat Control.

Chat Control, first introduced in 2022, would require service providers, including end-to-end encrypted platforms like Signal, to scan all platform communications and files to screen for “abusive material” before a message is sent. “Under the guise of protecting children, the latest Chat Control proposals would require mass scanning of every message, photo, and video on a person’s device, assessing these via a government-mandated database or AI model to determine whether they are permissible content or not,” Signal Foundation President Meredith Whittaker said. “What they propose is in effect a mass surveillance free-for-all, opening up everyone’s intimate and confidential communications, whether government officials, military, investigative journalists, or activists.” CryptPad, Element, and Tuta are among more than 40 other E.U. tech companies that have signed an open letter against the Chat Control proposal.

Meanwhile, German officials said they will vote against the proposal, signaling that the bloc will not have the votes to move forward with the controversial measure.

Autodesk Revit Crash to RCE

Crash in Autodesk Revit File Parsing Leads to Reliable Remote Code Execution

New research has found that it’s possible to turn an Autodesk Revit file parsing crash (CVE-2025-5037) into a code execution exploit that is fully reliable even on the latest Windows x64 platform. “This RCE is unusually impactful due to the Axis cloud misconfiguration that could have resulted in automatic exploitation during normal usage of the affected products,” Trend Micro Zero Day Initiative researcher Simon Zuckerbraun said.

France Opens Probe into Apple Siri Voice Recordings

French Authorities Investigate Apple Over Siri Voice Data Collection

France said it’s opening an investigation into Apple over the company’s collection of Siri voice recordings.

The Paris public prosecutor said the probe is in response to a whistleblower complaint. Apple subcontractor Thomas Le Bonniec said Siri conversations contained intimate moments or sensitive data that could easily deanonymize and identify users. “Apple has never used Siri data to create marketing profiles, has never made it available for advertising, and has never sold it to anyone for any reason whatsoever,” the company said in a statement shared with Politico. Earlier this January, Apple said it would not keep “audio recordings of interactions with Siri, unless the user explicitly agrees.”

North Korea Linked to $2B Theft in 2025

North Korean-Linked Hackers Responsible for Over $2B in Crypto Thefts This Year

North Korean hackers have stolen an estimated $2 billion worth of cryptocurrency assets in 2025, marking the largest annual total on record.

A large chunk of the theft came from the Bybit hack in February, when the threat actors stole about $1.46 billion. Other thefts publicly attributed to North Korea in 2025 include those suffered by LND.fi, WOO X, and Seedify. However, it’s suspected that the actual figure may be even higher. “The 2025 total already dwarfs previous years and is almost triple last year’s tally, underscoring the growing scale of North Korea’s dependence on cyber-enabled theft to fund its regime,” Elliptic said.

A notable shift observed this year is the increasing targeting of high-net-worth individuals. “As crypto prices have risen, individuals have become increasingly attractive targets, often lacking the security measures employed by businesses,” the company added. “Some of these individuals are also targeted due to their association with businesses holding large amounts of cryptoassets, which the hackers are looking to steal.” The development comes as Fortune reported that the North Korean fraudulent IT worker scheme has funneled up to $1 billion into the regime’s nuclear program in the past five years, making it a lucrative revenue-generating stream. North Korean actors well-versed in IT have been observed stealing identities, falsifying their résumés, and deceiving their way into highly paid remote tech jobs in the U.S., Europe, Australia, and Saudi Arabia, using artificial intelligence to fabricate work and disguise their faces and identities.

According to the latest statistics from Okta, one in two targets were not tech firms, and one in four targets were not U.S.-based companies, indicating that any company recruiting remote talent could be at risk. Besides a “marked” increase in attempts to gain employment at AI companies or AI-focused roles, other sectors prominently targeted by North Korea included finance, healthcare, public administration, and professional services. The identity services provider said it has tracked over 130 identities operated by facilitators and workers, which can be linked to over 6,500 initial job interviews across more than 5,000 distinct companies up until mid-2025. “Years of sustained activity against a broad range of U.S. industries have allowed Democratic People’s Republic of Korea-aligned facilitators and workers to refine their infiltration methods,” Okta said. “They are entering new markets with a mature, well-adapted workforce capable of bypassing basic screening controls and exploiting hiring pipelines more effectively.”

Once hired, North Korea IT workers request payment in stablecoins, likely due to their consistent value, as well as their popularity with OTC traders who can facilitate the off-ramp from cryptocurrency to fiat, Chainalysis noted. The salaries are then transferred through various money laundering techniques, such as chain-hopping, token swapping, bridge protocols, and consolidation addresses, to complicate the tracing of funds.

Security Flaws in YoLink Smart Hub

YoLink Smart Hub Flaws Allow Remote Control, Credential Exposure

Security vulnerabilities have been discovered in the YoLink Smart Hub (v0382), the gateway device that manages all YoLink locks, sensors, plugs, and other IoT products, which could be exploited to achieve authorization bypass and allow attackers to remotely control other users’ devices, and access Wi-Fi credentials and device IDs in plaintext.

To make matters worse, the use of long-lived session tokens allows ongoing unauthorized access. The vulnerabilities relate to insufficient authorization controls (CVE-2025-59449 and CVE-2025-59452), insecure network transmission (CVE-2025-59448), and improper session management (CVE-2025-59451). The most severe vulnerability, CVE-2025-59449, is rated as critical and could allow an attacker who obtains predictable device IDs to operate a user’s devices without strong authentication. The unencrypted MQTT communication between the hub and the mobile app also allows for the exposure of sensitive data like credentials and device IDs.

“An attacker […] could potentially obtain physical access to YoLink customers’ homes by opening their garages or unlocking their doors,” Bishop Fox researcher Nicholas Cerne said. “Alternatively, the attacker could toggle the power state of devices connected to YoLink smart plugs, which could have a variety of impacts depending on the types of devices that were connected.”

Authentication Bypass in Tesla TCU

ADB Lockdown Bypass in Tesla Telematics Control Unit Could Lead to Root Code Execution

Cybersecurity researchers from NCC Group detailed a bypass of the Android debug bridge (ADB) lockdown logic in Tesla’s telematics control unit (TCU) that could potentially allow attackers to gain shell access to production devices. The flaw (CVE-2025-34251, CVSS score: 8.6) is an arbitrary file write that could be used to obtain code execution in the context of root on the TCU. “The TCU runs the Android Debug Bridge (adbd) as root and, despite a ‘lockdown’ check that disables adb shell, still permits adb push/pull and adb forward,” according to an advisory for the vulnerability.

“Because adbd is privileged and the device’s USB port is exposed externally, an attacker with physical access can write an arbitrary file to a writable location and then overwrite the kernel’s uevent_helper or /proc/sys/kernel/hotplug entries via ADB, causing the script to be executed with root privileges.”

Spoofed Domains Deliver Android and Windows Malware

Threat Actors Use Spoofed Sites to Deliver Android & Windows Trojans

A financially motivated threat cluster has used more than 80 spoofed domains and lure websites to target users with fake applications and websites themed as government tax sites, consumer banking, age 18+ social media content, and Windows assistant applications, DomainTools said. The end goal of the attacks is to deliver Android and Windows trojans, likely for the purpose of stealing credentials through the use of fake login pages. The presence of Meta tracking pixels indicates that the threat actors are likely running it as a campaign, using Facebook ads or other methods to drive traffic to the fake pages.

NoName057(16) Bounces Back

NoName057(16) Resurges After Operation Eastwood Disruption

The hacktivist group known as NoName057(16), which suffered a significant blow in July 2025 following an international law enforcement effort called Operation Eastwood, has managed to bounce back, escalate its activities, and leverage new alliances to amplify its reach.

A majority of the group’s targets between late July and August 2025 comprised German websites, focusing on municipalities, police, public services, and government portals, as well as sites in Spain, Belgium, and Italy. “A key limitation remains: the group’s core infrastructure and leadership are based in Russia,” Imperva said. “Without cooperation from Russian authorities, fully dismantling NoName057(16) is highly unlikely. To date, Moscow has not taken action against pro-Russian hacktivist groups, and their activities often continue without interference.”

LATAM Banks Targeted by BlackStink

Chrome Extension Malware Steals Funds from Latin American Banks

Financial institutions in Latin America have become the target of a new malware campaign that uses malicious Google Chrome extensions mimicking Google Docs to initiate fraudulent transfers in real-time by taking remote control of the banking session.

The activity, dubbed BlackStink, leverages advanced WebInject techniques to bypass traditional detection mechanisms, per IBM X-Force. “Once active, it can dynamically inject deceptive overlays into legitimate banking pages to harvest credentials, account details and transaction data,” the company noted. “Beyond simple credential theft, BlackStink is capable of auto-filling and auto-submitting forms, simulating user actions and executing automatic transactions – allowing attackers to move funds in real time without the victim’s awareness.”

Over 2K Oracle E-Business Suite Instances Exposed to Internet

Thousands of Oracle E-Business Suite Instances Exposed — Patch CVE-2025-61882

Attack surface management company Censys said it observed 2,043 internet-accessible Oracle E-Business Suite instances exposed to the internet, making it crucial that users take steps to secure against CVE-2025-61882, a critical vulnerability in the Concurrent Processing component that can be exploited by an unauthenticated attacker with network access via HTTP to compromise the system. The vulnerability is assessed to have been weaponized as a zero-day by Cl0p as part of new extortion attacks since August 2025.

Asgard Protector Detailed

Asgard Protector Crypter Used to Evade Detection and Deliver Stealers

A crypter service called Asgard Protector is being used to hide malicious payloads such as Lumma Stealer to help the artifacts bypass security defenses. “Asgard Protector leverages Nullsoft package installations, hidden AutoIt binaries, and compiled AutoIt scripts in order to inject encrypted payloads into memory, which are decrypted in memory and executed,” SpyCloud said. “The combination of LummaC2 and Asgard Protector represents a potent union for evading detection and stealing data from devices and networks.” Some of the other malware families distributed using this crypter are Quasar RAT, Rhadamanthys, Vidar, and ACR Stealer. There is evidence to suggest that Asgard Protector has some sort of a connection with CypherIT given the functional similarities between the two.

Updates to WARMCOOKIE Malware

WARMCOOKIE (BadSpace) Continues Development; CastleBot Used for Propagation

The Windows malware known as WARMCOOKIE (aka BadSpace) is being actively developed and distributed, with recent campaigns leveraging CastleBot for propagation. “The most recent WARMCOOKIE builds we have collected contain the DLL/EXE execution functionality, with PowerShell script functionality being much less prevalent,” Elastic said. “These capabilities leverage the same function by passing different arguments for each file type. The handler creates a folder in a temporary directory, writing the file content (EXE / DLL / PS1) to a temporary file in the newly created folder.

Then, it executes the temporary file directly or uses either rundll32.exe or PowerShell.exe. Below is an example of PE execution from procmon.”

Mic-E-Mouse Attack for Covert Data Exfiltration

Optical Mouse Turned Into Microphone for Air-Gapped Data Theft

Academics from UC Irvine have developed a new technique that turns an optical mouse into a microphone to secretly record and exfiltrate data from air-gapped networks. The new Mic-E-Mouse technique takes advantage of the high-performance optical sensors common in gaming mice to detect tiny vibrations caused by nearby sound and record the pattern in mouse movements. This data is then collected and exfiltrated to recover conversations with the help of a transformer-based neural network.

For the attack to work, a bad actor must first compromise the computer through other means. The study used a $35 mouse to test the system and found it could capture speech with 61% accuracy, depending on voice frequency. “Our target for a suitable exploit delivery vehicle is open-source applications where the collection and distribution of high-frequency mouse data is not inherently suspicious,” the researchers said. “Therefore, creative software, video games, and other high performance, low latency software are an [sic] ideal targets for injecting our exploit.”

Crimson Collective Targets AWS Environments

Crimson Collective Linked to Red Hat Breach and AWS Data Theft

The emerging threat group known as Crimson Collective, which has been attributed to the recent breach of Red Hat, is believed to share ties with the larger Scattered Spider and LAPSUS$ collectives, according to security researcher Kevin Beaumont.

The assessment is based on the fact that the messages posted on the group’s public Telegram channel are signed with the name “Miku,” which refers to an alias for Thalha Jubair, who was arrested last month in the U.K. in connection with the August 2024 cyber attack targeting Transport for London (TfL), the city’s public transportation agency. Interestingly, the Red Hat compromise date is listed as September 13, 2025, a couple of days before Jubair’s arrest. According to Rapid7, the threat actors are increasingly targeting AWS cloud environments to steal sensitive data and extort victim organizations, with the attacks relying on an open-source tool called TruffleHog to find leaked AWS credentials.

“The threat group’s activity has been observed to start with compromising long-term access keys and leveraging privileges attached to the compromised IAM (Identity & Access Management) accounts,” the company said. “The threat group was observed creating new users and escalating privileges by attaching policies. When successful, the Crimson Collective performed reconnaissance to identify valuable data and exfiltrated it via AWS services. In case of the successful exfiltration of data, an extortion note is received by the victim.” The group has since partnered with Scattered LAPSUS$ Hunters, with ShinyHunters telling Bleeping Computer that it has been privately operating as an extortion-as-a-service (EaaS), where they work with other threat actors to extort companies in exchange for a share of the extortion demand.
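The behaviour quoted from Rapid7 above (a long-term access key that creates a user and then attaches a policy to it) can be hunted for in CloudTrail. The following Python detection is an added example, not code from Rapid7 or the original article; the sample events are constructed, and the watched event names, the 15-minute window and the severity rule are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Assumed watch lists: IAM calls that create a principal or credential, and
# calls that widen what an existing principal may do.
CREATE_EVENTS = {"CreateUser", "CreateAccessKey", "CreateLoginProfile"}
ESCALATE_EVENTS = {"AttachUserPolicy", "PutUserPolicy", "AddUserToGroup"}
ADMIN = "arn:aws:iam::aws:policy/AdministratorAccess"
READ_ONLY = "arn:aws:iam::aws:policy/ReadOnlyAccess"
WINDOW = timedelta(minutes=15)  # assumed correlation window


def make_record(clock, key_id, id_type, name, user, policy=None, error=None):
    """Build a constructed CloudTrail record, trimmed to the fields used below."""
    params = {"userName": user}
    if policy:
        params["policyArn"] = policy
    record = {"eventTime": f"2025-10-01T{clock}Z", "eventSource": "iam.amazonaws.com",
              "eventName": name, "requestParameters": params,
              "userIdentity": {"type": id_type, "accessKeyId": key_id}}
    if error:
        record["errorCode"] = error
    return record


# Constructed sample data: key IDs, user names and times are placeholders.
K1, K2, K3, K4 = ("AKIAEXAMPLE0000000001", "ASIAEXAMPLE0000000002",
                  "AKIAEXAMPLE0000000003", "AKIAEXAMPLE0000000004")
SAMPLE_EVENTS = [
    # Long-term key creates a user, mints a key for it, then grants admin.
    make_record("10:00:00", K1, "IAMUser", "CreateUser", "backup-svc"),
    make_record("10:01:30", K1, "IAMUser", "CreateAccessKey", "backup-svc"),
    make_record("10:04:00", K1, "IAMUser", "AttachUserPolicy", "backup-svc", ADMIN),
    # Same actions through temporary role credentials: outside this rule's scope.
    make_record("09:00:00", K2, "AssumedRole", "CreateUser", "new-hire"),
    make_record("09:02:00", K2, "AssumedRole", "AttachUserPolicy", "new-hire", ADMIN),
    # Long-term key, but the policy is attached hours after the user was created.
    make_record("08:00:00", K3, "IAMUser", "CreateUser", "report-bot"),
    make_record("11:30:00", K3, "IAMUser", "AttachUserPolicy", "report-bot", READ_ONLY),
    # Long-term key whose IAM writes are denied: no chain, but worth counting.
    make_record("12:00:00", K4, "IAMUser", "CreateUser", "svc-tmp", error="AccessDenied"),
    make_record("12:00:05", K4, "IAMUser", "AttachUserPolicy", "svc-tmp", ADMIN, "AccessDenied"),
]


def is_long_term_key(event):
    """IAM user keys start with AKIA; temporary STS credentials start with ASIA."""
    ident = event.get("userIdentity") or {}
    return ident.get("type") == "IAMUser" and str(ident.get("accessKeyId", "")).startswith("AKIA")


def _when(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def _target(event):
    return (event.get("requestParameters") or {}).get("userName")


def _iam_writes(events):
    """Watched IAM calls made with long-term keys, oldest first."""
    watched = CREATE_EVENTS | ESCALATE_EVENTS
    hits = [e for e in events
            if e.get("eventSource") == "iam.amazonaws.com"
            and e.get("eventName") in watched and is_long_term_key(e)]
    return sorted(hits, key=_when)


def find_escalation_chains(events):
    """Flag a key that creates a principal and escalates it within WINDOW."""
    ok = [e for e in _iam_writes(events) if not e.get("errorCode")]
    findings = []
    for esc in (e for e in ok if e["eventName"] in ESCALATE_EVENTS):
        key_id = esc["userIdentity"]["accessKeyId"]
        prior = [c for c in ok
                 if c["eventName"] in CREATE_EVENTS
                 and c["userIdentity"]["accessKeyId"] == key_id
                 and _target(c) == _target(esc)
                 and timedelta(0) <= _when(esc) - _when(c) <= WINDOW]
        if not prior:
            continue
        policy = (esc.get("requestParameters") or {}).get("policyArn")
        findings.append({
            "access_key_id": key_id,
            "created": sorted({c["eventName"] for c in prior}),
            "target": _target(esc),
            "policy": policy,
            "severity": "high" if policy == ADMIN else "medium",
        })
    return findings


def denied_attempts(events):
    """Count denied IAM writes per long-term key (a probing signal)."""
    return dict(Counter(e["userIdentity"]["accessKeyId"]
                        for e in _iam_writes(events) if e.get("errorCode")))
```

Restricting the rule to `AKIA` keys mirrors the initial-access pattern in the quote; the same create-then-escalate correlation can be run over role sessions as a lower-priority rule.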

Defending against modern threats requires more than tools — it demands awareness, adaptability, and shared responsibility. As attackers evolve, so must our approach to security. The path forward lies in continuous learning, stronger collaboration, and smarter use of technology to keep trust intact in a connected world.

SaaS Breaches Start with Tokens - What Security Teams Must Watch

Token theft is a leading cause of SaaS breaches. Discover why OAuth and API tokens are often overlooked and how security teams can strengthen token hygiene to prevent attacks. Most companies in 2025 rely on a whole range of software-as-a-service (SaaS) applications to run their operations. However, the security of these applications depends on small pieces of data called tokens.

Tokens, like OAuth access tokens, API keys, and session tokens, work like keys to these applications. If a cybercriminal gets hold of one, they can access relevant systems without much trouble. Recent security breaches have shown that just one stolen token can bypass multi-factor authentication (MFA) and other security measures. Instead of exploiting vulnerabilities directly, attackers are leveraging token theft.

It’s a security concern that ties into the broader issue of SaaS sprawl and the difficulty of monitoring countless third-party integrations.

Recent Breaches Involving Token Theft

A lot of real-world events show us how stolen tokens can cause security breaches in SaaS environments:

  1. Slack (Jan 2023). Attackers stole a number of Slack employee tokens and used them to gain unauthorized access to Slack’s private GitHub code repositories. (No customer data was exposed, but it was a clear warning that stolen tokens can undermine internal security barriers.)

  2. CircleCI (Jan 2023). Information-stealing malware on an engineer’s laptop allowed threat actors to hijack session tokens for CircleCI’s systems. Those tokens gave the attackers the same access as the user, even with MFA in place, enabling them to steal customer secrets from the CI platform.

  3. Cloudflare/Okta (Nov 2023). In the fallout of an identity provider breach, Cloudflare rotated about 5,000 credentials. However, one unrotated API token and some service account credentials were enough for cybercriminals to compromise Cloudflare’s Atlassian environment. This incident showed how a single forgotten token can undermine an otherwise thorough incident response.

  4. Salesloft/Drift (Aug 2025). The Drift chatbot (owned by Salesloft) suffered a supply-chain breach that allowed attackers to harvest OAuth tokens for integrations like Salesforce and Google Workspace. Using those stolen tokens, they accessed hundreds of customer organizations’ SaaS data. This OAuth token abuse allowed the attackers to move laterally into emails, files, and support records across platforms.

SaaS Sprawl Fuels Token Blind Spots

Why do these token-based breaches keep happening? The issue is bigger than any single app; it’s an ecosystem problem fueled by sprawling SaaS usage and hidden token trust relationships between apps.

Today, every department is leveraging SaaS tools and integrating them across systems. Employees use multiple third-party cloud services, and enterprises manage roughly 490 cloud apps, many of which are unsanctioned or not properly secured. This high usage of SaaS (often called SaaS sprawl) means an explosion of OAuth tokens, API keys, and app connections. Each integration introduces a non-human identity (essentially a credential) that usually isn’t visible to IT or tracked by traditional identity management solutions.

The overall result of this is an ungoverned attack surface. A few factors generally contribute to this blind spot:

• Lack of visibility. Many organizations don’t actually know about all the SaaS apps and integrations their employees have enabled, or who authorized them. Shadow IT (employees adding apps without approval) flourishes, and security teams may only discover an OAuth connection after it has created a problem.

• No approval or oversight. Without a vetting process, users can freely connect apps like marketing plugins or productivity tools to corporate SaaS accounts. These third-party apps often ask for broad permissions and get them, even if they’re only needed temporarily. Unvetted and over-privileged apps can sit connected indefinitely if nobody reviews them.

• No regular monitoring. Very few companies enforce security settings on OAuth integrations or watch these connections in real time. Tokens rarely have short lifetimes or strict scope by default, and organizations often don’t limit their usage by IP or device. Logs from SaaS integrations might also not be fed into security monitoring.

Why Legacy Security Misses the Token Problem

Traditional security tools haven’t fully caught up to this problem. Single sign-on (SSO) and multi-factor authentication protect user logins, but OAuth tokens bypass these controls. They grant persistent trust between apps with no further verification. A token acts on behalf of a user or service without needing a password, so an attacker who obtains a valid token can access the connected app’s data as if they were already authenticated.

There’s no pop-up to re-check MFA when an OAuth token is used. As a result, without special oversight, OAuth and API tokens have become an Achilles’ heel in SaaS security. Other legacy solutions, like cloud access security brokers, focus on user-to-app traffic and don’t monitor these app-to-app connections. This gap has led to the arrival of dynamic SaaS security platforms that aim to discover and secure SaaS integrations amid SaaS sprawl.

These platforms attempt to map out all the third-party apps, tokens, and privileges in use, giving back visibility and control. Whether through automated discovery (scanning for connected apps) or enforcing policies on OAuth usage, the goal is to close the SaaS security gap created by unchecked tokens. At the end of the day, every organization, with or without new tools, can apply better token hygiene practices. You can’t protect what you can’t see.

The first step is knowing where your tokens and SaaS integrations are. The next is controlling and monitoring them so they don’t become backdoors.

Token Hygiene Checklist

The following checklist can be used to reduce risk from token compromise. Mark each practice Y/N:

• Maintain OAuth App Inventory. Discover and track all third-party applications connected to your SaaS accounts. Keep an updated inventory of OAuth tokens, API keys, and integrations. This provides visibility into your token footprint.

• Enforce App Approval. Establish a vetting process for new SaaS integrations. Require security review or admin approval before employees grant OAuth access to their accounts. This curbs unvetted apps and ensures each token issued is necessary and comes with known risks.

• Least-Privilege Tokens. Limit the scope and permissions of tokens to the minimum required. Avoid granting overly broad access (“allow all”) when authorizing an app. For example, if an app only needs read access, don’t give it read-write admin privileges. Least privilege reduces the impact if a token is stolen.

• Rotate Tokens Regularly. Treat long-lived tokens like expiring credentials. Configure tokens to expire after a short period, if possible, or periodically revoke and reissue them. Regular rotation (or short lifespans) means a stolen token will quickly become useless, narrowing an attacker’s window of opportunity.

• Remove or Alert on Unused Tokens. Identify tokens and app connections that haven’t been used in weeks or months. Unused tokens are latent threats – revoke them if they’re not needed. Implement alerts or reports for dormant tokens so that they can be cleaned up proactively, preventing forgotten credentials from lingering indefinitely.

• Monitor Token Activity. Enable logging and monitoring for token use across your SaaS platforms. Watch for unusual token activity, such as a normally unused integration suddenly making large data requests or access from odd locations. Set up alerts for anomalies in token usage (e.g. a spike in API calls, or use of a token from an unfamiliar IP).

• Integrate Tokens into Offboarding. When employees leave or when a third-party app is retired, ensure their tokens and access keys are promptly revoked. Make token revocation a standard step in user offboarding and app lifecycle management. This prevents old credentials from persisting after they’re no longer needed.
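The checklist above can be run as a recurring audit over an exported list of OAuth grants. The following Python sketch is an added example, not part of the original article; the inventory fields, scope names, user directory, and the 90-day and 30-day thresholds are all assumptions chosen for illustration.

```python
from datetime import datetime, timezone

# Constructed sample data; field names, scope names and thresholds are assumptions.
NOW = datetime(2025, 10, 11, tzinfo=timezone.utc)
BROAD_SCOPES = {"full_access", "admin"}      # hypothetical "allow all" style scopes
ACTIVE_USERS = {"alice", "bob"}              # current staff per the HR/IdP directory
INVENTORY = [
    {"app": "crm-chatbot", "owner": "alice", "scopes": ["full_access"],
     "issued": "2024-01-10", "last_used": "2025-10-09", "approved": True},
    {"app": "calendar-sync", "owner": "bob", "scopes": ["calendar.read"],
     "issued": "2025-09-01", "last_used": "2025-10-10", "approved": True},
    {"app": "pdf-converter", "owner": "carol", "scopes": ["files.read"],
     "issued": "2025-08-20", "last_used": None, "approved": False},
]


def days_since(date_str):
    """Whole days between an ISO date (UTC) and the audit time NOW."""
    day = datetime.strptime(date_str, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return (NOW - day).days


def audit_grant(grant, max_age_days=90, dormant_days=30):
    """Return the checklist items a single OAuth grant fails."""
    findings = []
    if not grant["approved"]:
        findings.append("unapproved")            # Enforce App Approval
    if BROAD_SCOPES & set(grant["scopes"]):
        findings.append("over-privileged")       # Least-Privilege Tokens
    if days_since(grant["issued"]) > max_age_days:
        findings.append("rotation-overdue")      # Rotate Tokens Regularly
    last = grant["last_used"]
    if last is None or days_since(last) > dormant_days:
        findings.append("dormant")               # Remove or Alert on Unused Tokens
    if grant["owner"] not in ACTIVE_USERS:
        findings.append("owner-offboarded")      # Integrate Tokens into Offboarding
    return findings


def audit(inventory):
    """Map app name -> findings, listing only grants that need action."""
    return {g["app"]: f for g in inventory if (f := audit_grant(g))}


if __name__ == "__main__":
    for app, findings in audit(INVENTORY).items():
        print(f"{app}: {', '.join(findings)}")
```

A grant that has never been used (`last_used` is empty) is treated as dormant regardless of its age, since it represents standing access nobody relies on.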

From Phishing to Malware: AI Becomes Russia’s New Cyber Weapon in War on Ukraine

Russian hackers’ adoption of artificial intelligence (AI) in cyber attacks against Ukraine has reached a new level in the first half of 2025 (H1 2025), the country’s State Service for Special Communications and Information Protection (SSSCIP) said. “Hackers now employ it not only to generate phishing messages, but some of the malware samples we have analyzed show clear signs of being generated with AI – and attackers are certainly not going to stop there,” the agency said in a report published Wednesday. SSSCIP said 3,018 cyber incidents were recorded during the time period, up from 2,575 in the second half of 2024 (H2 2024). Local authorities and military entities witnessed an increase in attacks compared to H2 2024, while those targeting government and energy sectors declined.

One notable attack observed involved UAC-0219’s use of malware called WRECKSTEEL in attacks aimed at state administration bodies and critical infrastructure facilities in the country. There is evidence to suggest that the PowerShell data-stealing malware was developed using AI tools. Some of the other campaigns registered against Ukraine are listed below:

• Phishing campaigns orchestrated by UAC-0218 targeting defense forces to deliver HOMESTEEL using booby-trapped RAR archives

• Phishing campaigns orchestrated by UAC-0226 targeting organizations involved in the development of innovations in the defense industrial sector, local government bodies, military units, and law enforcement agencies to distribute a stealer called GIFTEDCROOK

• Phishing campaigns orchestrated by UAC-0227 targeting local authorities, critical infrastructure facilities, and Territorial Recruitment and Social Support Centers (TRCs and SSCs) that leverage ClickFix-style tactics or SVG file attachments to distribute stealers like Amatera Stealer and Strela Stealer

• Phishing campaigns orchestrated by UAC-0125, a sub-cluster with ties to Sandworm, that sent email messages containing links to a website masquerading as ESET to deliver a C#-based backdoor named Kalambur (aka SUMBUR) under the guise of a threat removal program

SSSCIP said it also observed the Russia-linked APT28 (aka UAC-0001) actors weaponizing cross-site scripting flaws in Roundcube (CVE-2023-43770, CVE-2024-37383, and CVE-2025-49113) and Zimbra (CVE-2024-27443 and CVE-2025-27915) webmail software to conduct zero-click attacks. “When exploiting such vulnerabilities, attackers typically injected malicious code that, through the Roundcube or Zimbra API, gained access to credentials, contact lists, and configured filters to forward all emails to attacker-controlled mailboxes,” SSSCIP said.

“Another method of stealing credentials using these vulnerabilities was to create hidden HTML blocks (visibility: hidden) with login and password input fields, where the attribute autocomplete=’on’ was set. This allowed the fields to be auto-filled with data stored in the browser, which was then exfiltrated.” The agency also revealed that Russia continues to engage in hybrid warfare, synchronizing its cyber operations in conjunction with kinetic attacks on the battlefield, with the Sandworm (UAC-0002) group targeting organizations in the energy, defense, internet service providers, and research sectors. Furthermore, several threat groups targeting Ukraine have resorted to abusing legitimate services, such as Dropbox, Google Drive, OneDrive, Bitbucket, Cloudflare Workers, Telegram, Telegra.ph, Teletype.in, Firebase, ipfs.io, mocky.io, to host malware or phishing pages, or turn them into a data exfiltration channel. “The use of legitimate online resources for malicious purposes is not a new tactic,” SSSCIP said.

“However, the number of such platforms exploited by Russian hackers has been steadily increasing in recent times.”
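The hidden autofill form that SSSCIP describes in the webmail attacks leaves a recognizable pattern in the rendered message HTML, which a mail gateway or webmail sanitizer can check for. The following Python detector is an added example, not code from SSSCIP or the article; the sample markup is constructed, and matching `display: none` and the `hidden` attribute goes beyond the `visibility: hidden` case the report names.

```python
import re
from html.parser import HTMLParser

VOID = {"input", "br", "img", "hr", "meta", "link"}   # tags with no end tag
HIDDEN = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.I)

# Constructed sample of a rendered message body, not taken from a real campaign.
SAMPLE = """<p>Quarterly report attached.</p>
<div style="visibility: hidden">
  <form><input type="text" name="login" autocomplete="on">
  <input type="password" name="password" autocomplete="on"></form>
</div>
<form><input type="text" name="search"></form>"""


class HiddenFieldFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []       # (tag, hidden?) for every open non-void element
        self.findings = []    # (input type, name, line number)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        inherited = self.stack[-1][1] if self.stack else False
        hidden = inherited or "hidden" in a or bool(HIDDEN.search(a.get("style") or ""))
        if tag == "input":
            kind = (a.get("type") or "text").lower()
            # Assumption: a missing autocomplete attribute is treated as "on".
            autofill = (a.get("autocomplete") or "on").lower() != "off"
            if hidden and autofill and kind in {"text", "email", "password"}:
                self.findings.append((kind, a.get("name"), self.getpos()[0]))
        if tag not in VOID:
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerate unclosed children.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break


def find_hidden_credential_fields(html):
    """Return autofill-capable inputs that sit inside a hidden element."""
    parser = HiddenFieldFinder()
    parser.feed(html)
    parser.close()
    return parser.findings
```

The check only sees inline styles and the `hidden` attribute; markup hidden through a stylesheet class would need the sanitizer's computed styles instead.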