September 2025 - ExploreSec Cybersecurity Threat Intelligence Newsletter

This is a newsletter I create and share with my internal security team. Feel free to grab and do the same.

ROKRAT Malware Hides Shellcode Using Steganography 

Researchers have identified a new evolution in the ROKRAT malware family that uses steganography to conceal shellcode in images. This method allows threat actors to embed payloads in benign-looking files, helping them bypass traditional detection mechanisms. The malware is associated with South Korean targets and aligns with tactics used by North Korean threat actors. 

Key Insights 

  • ROKRAT embeds encrypted shellcode within image files using steganographic techniques. 

  • The shellcode loads additional payloads from remote servers during execution. 

  • This campaign uses cloud-based services and compromised accounts to blend in with legitimate network traffic. 

  • The technique indicates growing sophistication in avoiding detection and enhancing persistence. 

Further Reading: Genians Blog 

 

 

Homograph Attacks: A Deceptively Simple but Dangerous Technique 

Unit 42 researchers highlight the ongoing threat of homograph attacks, where attackers register domain names using characters from different alphabets that closely resemble legitimate ones (e.g., "аpple.com" with a Cyrillic "а"). These domains are used in phishing and malware campaigns, often bypassing detection mechanisms due to their deceptive appearance. 

Key Insights 

  • Homograph domains often rely on visually similar characters across scripts (e.g., Latin, Cyrillic, Greek) to deceive users. 

  • Such domains are used in credential harvesting, redirection to fake login portals, and malware delivery. 

  • Attackers register these domains with varying combinations to evade detection and increase success rates. 

  • Homograph-based phishing campaigns remain effective because many security tools and users fail to recognize the subtle character differences. 

Further Reading: Unit 42 

 

 

TI: Project IRE Autonomously Identifies Malware at Scale 

Microsoft has introduced Project IRE (Intelligent Research Environment), an AI-powered system designed to detect and classify malware with minimal human intervention. Project IRE can process vast amounts of data to autonomously identify and attribute malicious activity, enhancing early-stage threat intelligence capabilities. It aims to provide defenders with timely insights into malware campaigns and threat actor behavior without requiring deep reverse engineering expertise. 

Key Insights 

  • Project IRE leverages machine learning and large-scale static analysis to identify and classify malware families across billions of samples. 

  • The system autonomously attributes activity to known or novel threat actors and campaigns, providing contextual threat intelligence. 

  • It is designed to be integrated into broader defense systems, allowing faster detection and response. 

  • Microsoft sees Project IRE as a foundation for more automated, scalable malware analysis efforts in the future. 

Further Reading: Microsoft 

 

 

BadSuccessor: A Critical AD Privilege Escalation Threat 

Akamai researcher Yuval Gordon has identified a dangerous Active Directory vulnerability—BadSuccessor—affecting environments using Delegated Managed Service Accounts (dMSAs) in Windows Server 2025. This flaw allows attackers with minimal permissions (e.g., below Domain Admin level) to impersonate high-privilege accounts like Domain Admins by abusing improperly configured dMSA migration attributes. 

Key Insights: 

  • Exploits hinge on manipulating msDS-ManagedAccountPrecededByLink and msDS-DelegatedMSAState attributes to trick the domain controller into issuing elevated privileged tickets. 

  • In environments where OU-level permissions are overly broad, an attacker can escalate privileges without needing administrative credentials. 

  • Akamai found this misconfiguration in 91% of environments reviewed, highlighting widespread exposure. 

Further Reading: Cymulate Blog – BadSuccessor Exploit Simulation 

 

 

PS1Bot Malvertising Campaign Delivers Remote Access Trojan 

Cisco Talos researchers identified a malvertising campaign delivering a Remote Access Trojan (RAT) dubbed PS1Bot. The campaign uses malicious PowerShell scripts distributed via deceptive online ads. Once executed, the malware provides attackers with persistent remote access and command execution capabilities, enabling data theft and potential lateral movement within compromised environments. 

Key Insights 

  • Attackers are leveraging malvertising to distribute PowerShell-based RATs. 

  • The malware grants full remote control, posing risks of data theft and system compromise. 

  • Targeting through ads increases exposure to a wide range of victims, including enterprises and individuals. 

Further Reading: Talos Intelligence 

 

 

Global Cyber Threats: July Snapshot of an Accelerating Crisis 

Check Point’s July 2025 cyber threat analysis reveals a sharp escalation in global attack activity across multiple regions and industries: 

Key Insights: 

  • Attack Frequency Rising Rapidly 
    Average weekly cyberattacks per organization have increased by 10% compared to the previous year, with Europe experiencing the most dramatic surge at 15%. 

  • Ransomware Intensifies 
    July saw 518 ransomware incidents, marking a 28% year-over-year increase. North America accounted for 52% of these attacks, while Europe contributed 25%. 

  • Sectoral Hotspots 
    The education sector emerged as the most frequently targeted globally, followed closely by government and healthcare organizations. 

  • Top Attackers on the Move 
    Ransomware groups such as Qilin, Akira, and Play are leading the surge. 

  • Qilin, a Ransomware-as-a-Service (RaaS) group, accounted for 17% of incidents, largely affecting healthcare and education. 

  • Akira was responsible for 9% of attacks, hitting both Windows and Linux systems, often via VPN endpoints or email attachments. 

Further Reading: Check Point Research 

 

 

Microsoft Patch Bypass Enables Zero-Click NTLM Hash Theft (CVE-2025-50154) 

A newly disclosed flaw (CVE-2025-50154) in Windows Explorer bypasses Microsoft’s April fix for CVE-2025-24054. The vulnerability allows attackers to capture NTLM hashes or deliver executables via malicious shortcut (.lnk) files without user interaction. When Explorer previews a shortcut pointing to a remote binary, it automatically retrieves the file, triggering NTLM authentication and exposing credentials. 

Key Insights 

  • Zero-click exploitation makes this high-risk, requiring no user action. 

  • Enables credential theft, offline cracking, NTLM relay, and lateral movement. 

  • The bypass highlights incomplete patch coverage for NTLM flaws. 

  • Microsoft is expected to release an additional fix. 

Further Reading: Cymulate 

 

 

GenAI-Powered Phishing Kits: “Fashionable Phishing Bait” 

A new Unit 42 investigation reveals that threat actors are leveraging generative AI to rapidly create and deploy web-based phishing platforms. These kits—capable of code assistance, chatbot interaction, natural language generation, and automated website building—enable highly convincing phishing pages with minimal effort. The analysis highlights how attackers capitalize on GenAI’s accessibility to launch scalable phishing operations, blending automation and adaptability. 

Key Insights 

  • GenAI as a phishing enabler: Attackers now use AI website builders to produce realistic phishing infrastructure—often in just seconds using simple prompts. 

  • Trend visibility: Telemetry shows rapid growth in GenAI platform launches and traffic, reflecting attackers’ shift to AI-driven campaign tooling. 

  • Modular and scalable kit design: These platforms come with built-in functionality that reduces the manual effort required for launching phishing operations. 

  • Accelerated attacker capabilities: The use of AI lowers technical barriers, allowing more rapid and widespread deployment of phishing campaigns with minimal human oversight. 

Further Reading: Unit 42 – Fashionable Phishing Bait: GenAI on the Hook 

 

 

ClickFix Phishing Links Surge Nearly 400% in Past Year 

A recent Proofpoint report revealed a dramatic rise in phishing activity: ClickFix-style attacks—where users are tricked into entering malicious commands under the pretense of fixing an error or completing a CAPTCHA—have surged nearly 400% between May 2024 and May 2025. Meanwhile, malicious URLs now outpace traditional email attachments by a factor of four, underscoring the evolving threat landscape and the growing sophistication of phishing tactics. 

Key Insights 

  • ClickFix campaigns have become significantly more prevalent, with a 400% year-over-year increase. 

  • Analysis covered a massive dataset, including over 3.4 trillion emails, 21 trillion URLs, and 1.4 trillion SMS messages. 

  • Users are increasingly encountering phishing via deceptive links rather than attachments—making detection tougher. 

  • The human-centric design of ClickFix techniques makes them highly effective at bypassing conventional email filters. 

Further Reading: SC Media – ClickFix phishing links increased nearly 400% in 12 months, report says 

 

 

North Korean IT Workers’ Email Infrastructure Exposed 

New research has uncovered how North Korean IT workers are using thousands of email addresses tied to legitimate platforms to support fraudulent employment and cyber operations. These workers disguise their true identities to infiltrate organizations globally, often securing remote IT jobs to funnel earnings back to the DPRK regime. 

Key Insights 

  • Over 1,000 email addresses linked to DPRK operations were identified. 

  • Attackers often impersonate legitimate IT professionals on job platforms. 

  • The revenue generated supports North Korea’s sanctioned cyber programs. 

Further Reading: Cybersecurity News 

 

 

AI Website Builder “Lovable” Abused by Cybercriminals for Phishing & Malware 

Proofpoint research warns that adversaries are exploiting Lovable, an AI-powered website builder, to rapidly create phishing and malicious websites using natural-language prompts. Since February 2025, Proofpoint has detected tens of thousands of malicious Lovable-hosted URLs, involving MFA phishing kits, crypto wallet drainers, credential harvesting traps, and other fraud schemes. Campaigns have infiltrated over 5,000 organizations and included impersonation of brands like Microsoft, UPS, and Aave. The platform’s free hosting and AI-driven convenience enable attackers to launch effective social engineering attacks with minimal effort. 

Key Insights 

  • Low-barrier phishing infrastructure: Creating convincing phishing sites now takes just one or two prompts—no coding required. 

  • Massive campaign scale: Hundreds of thousands of URLs circulated via emails, targeting organizations across industries. 

  • Diverse tactics: Campaigns include fake CAPTCHAs leading to credential theft, malware disguised as secure downloads, and crypto-stealing mechanisms. 

  • Brand spoofing: Attackers mimicked trusted entities like Microsoft, UPS, banks, and DeFi platforms to increase credibility. 

  • Emerging security gap: AI-based website tools lack built-in safeguards, making them ripe for abuse by malicious actors. 

Further Reading: Proofpoint 

 

 

ClickFix Social-Engineering Attack: “Think Before You Click(Fix)” 

Microsoft Threat Intelligence and Defender experts are sounding the alarm over the growing prevalence of the ClickFix technique—a manipulative form of social engineering that tricks users into executing malicious commands under the guise of fixing technical issues or completing human-verification prompts. Since early 2024, thousands of enterprise and consumer devices across various industries have been targeted, frequently delivering infostealing malware like Lumma Stealer, remote access tools (e.g., Xworm, NetSupport), and loaders such as Latrodectus. The technique often leverages phishing, malvertising, and compromised sites to lure users into copying commands manually into Run dialogs, PowerShell, or Terminal, effectively bypassing many automated security solutions. Attackers are also advancing their methods with obfuscation and staged payload delivery to evade detection. Microsoft underscores the importance of user education and endpoint hardening to counteract this social-engineering vector. Microsoft 

Key Insights 

  • Human-driven threat: Relies on social engineering, persuading users to run malicious commands themselves—circumventing standard security controls. 

  • Wide-ranging payloads: Includes infostealers, remote access Trojans, and loaders, delivering significant post-compromise capabilities. 

  • Multi-vector distribution: Spread via phishing emails, deceptive ads, and compromised sites impersonating legitimate brands. 

  • Evasive operator tactics: Employs obfuscated JavaScript and command delivery to evade detection. 

  • Strategic defenses: Focus on user awareness training and endpoint constraint measures (e.g., logging, Run dialog restrictions). 

Further Reading: Microsoft Security Blog – “Think before you Click(Fix): Analyzing the ClickFix Social Engineering Technique” 

 

 

Phishing Evolves to Target Humans and AI Defenses with Hidden Prompt Injection 

Researchers uncovered a novel phishing campaign that not only deceives users with a typical "password expiry" lure but also embeds AI-targeting prompt injection within the email. Hidden inside the plain-text MIME section is a deeply recursive prompt designed to distract AI-based defenses—encouraging them to engage in laborious reasoning loops instead of flagging the email as malicious. This strategic dual-layer attack aims to bypass both human and automated detection, introducing a new threat vector that complicates SOC workflows. 

Key Insights 

  • Dual-targeted attack vector: Combines urgency-based social engineering with hidden AI prompt injection to evade both users and automated defenses. 

  • Prompt injection details: Encourages AI to “simulate extended self-reflection” and challenge assumptions, diverting it from expected classification tasks. 

  • Bypassing automation: AI-powered triage systems could misclassify or delay phishing detection due to the injected reasoning demands. 

  • Continued delivery chain evolution: Utilizes spoofed Gmail branding and leverages marketing platforms to bypass filters. 

Further Reading: Malware Analysis – Phishing Emails Are Now Aimed at Users and AI Defenses 

 

 

Multi-modal Prompt Injection Via Image Scaling Attacks 

Researchers from Trail of Bits have uncovered a striking new attack technique: subtle prompt injections hidden within images that appear benign at full resolution but trigger malicious behaviors when scaled down. When AI systems—such as Gemini CLI, Vertex AI Studio, Google Assistant, and others—automatically downscale these images, the embedded prompt materializes, enabling stealthy data exfiltration or other unauthorized actions. The team also released Anamorpher, an open-source tool designed to craft and test such image-scaling attacks. 

Key Insights 

  • Image scaling as an attack surface: Downscaling images can reveal hidden instructions invisible to users but consumed by AI systems. 

  • Wide impact across systems: The vulnerability spans multiple AI platforms, including CLI tools, web interfaces, APIs, and multi-modal agents. 

  • Tool-assisted exploitation: Anamorpher enables threat actors and defenders alike to craft, explore, and analyze these attacks in a structured way. 

  • Urgent need for UI alignment: Systems must ensure the previewed image matches what’s actually processed by the model—regardless of access channel (CLI, API, UI). 

  • Mitigation strategy: Avoid automatic downscaling; instead, limit image dimensions and always preview the exact input seen by the AI model. 

Further Reading: Trail of Bits – Weaponizing Image Scaling Against Production AI Systems 

 

 

MuddyWater APT Targets CFOs via Multi-Stage Phishing Campaign 

A sophisticated spear-phishing campaign by the Iranian-linked APT group MuddyWater is actively targeting Chief Financial Officers (CFOs) and finance executives across multiple continents. The campaign leverages legitimate remote-access tools, such as NetBird, to maintain persistent control over compromised systems. Attackers masquerade as Rothschild & Co recruiters, directing victims to Firebase-hosted phishing pages with custom CAPTCHA challenges and malicious VBS scripts. These scripts deploy remote management capabilities, including NetBird and OpenSSH, create hidden local administrator accounts, enable Remote Desktop Protocol (RDP), and automate persistence through scheduled tasks. The infrastructure has evolved over time, with shifts in hosting paths and IP addresses, indicating an adaptive and persistent threat. This campaign showcases the increasing sophistication of threat actors in targeting high-value individuals within organizations.hunt.io+1 

Key Insights 

  • Targeted Individuals: CFOs and finance executives across Europe, North America, South America, Africa, and Asia. 

  • Initial Access: Spear-phishing emails impersonating Rothschild & Co recruiters leading to Firebase-hosted phishing pages. 

  • Payload Delivery: Multi-stage infection using VBS downloaders, ZIP archives, and secondary payloads. 

  • Persistence Mechanisms: Deployment of NetBird and OpenSSH, creation of hidden local admin accounts, enabling RDP, and scheduled task automation. 

  • Infrastructure Evolution: Shifts in hosting paths and IP addresses, indicating adaptive tactics. 

  • Attribution: Overlaps in infrastructure, TTPs, and tools with known APT MuddyWater campaigns. 

  • Legitimate Tool Abuse: Misuse of NetBird and OpenSSH for remote access and monitoring.hunt.io 

Further Reading: Hunt.io – APT MuddyWater Deploys Multi-Stage Phishing to Target CFOs 

 

 

Salty2FA Malware Exploits 2FA Weaknesses 

Researchers analyzed Salty2FA, a new malware family designed to bypass two-factor authentication (2FA). The malware intercepts one-time passcodes and manipulates authentication flows, enabling attackers to hijack sessions even when 2FA is enabled. It combines credential theft, session hijacking, and real-time communication with command-and-control servers to maintain persistence. 

Key Insights 

  • Targets 2FA-protected accounts by stealing one-time codes. 

  • Employs session hijacking to maintain long-term access. 

  • Demonstrates attacker adaptation to stronger authentication methods. 

Further Reading: ANY.RUN 

 

 

Attackers Exploit Google Classroom for Large-Scale Campaign 

Researchers identified a phishing campaign abusing Google Classroom to bypass email security and deliver malicious messages. Over 115,000 phishing emails targeted 13,500 organizations across multiple industries, with attackers leveraging legitimate Google Classroom notifications to appear trustworthy. 

Key Insights 

  • More than 100,000 phishing emails were delivered via Google Classroom. 

  • Attackers exploited the platform’s trusted reputation to avoid detection. 

  • 13,500 organizations across different industries were impacted. 

  • The campaign highlights how threat actors misuse legitimate collaboration tools for phishing. 

Further Reading: Check Point 

AI Summarizers Weaponized via CSS-Based ClickFix Attacks 

Researchers have discovered a sophisticated adaptation of the ClickFix social engineering method that exploits AI-powered summarization tools. By embedding hidden instructions using CSS-level obfuscation—like zero-width text, white-on-white font, tiny font sizes, and off-screen elements—and repeating them heavily (a “prompt overdose” strategy), attackers trick summarizers into outputting malicious instructions (e.g., ransomware steps) that users then follow unknowingly. This technique turns trusted AI assistants into unwitting intermediaries for malware distribution. 

Key Insights 

  • Invisible prompt injection: Malicious steps stay hidden from human readers but are fully interpreted by AI summarizers. 

  • Prompt overdose dominance: Repetition ensures payloads overshadow legitimate content in a summarizer’s context window. 

  • AI as a delivery channel: Summaries become vectors for attacker instructions under the guise of assistance. 

  • Rapid scaling potential: Poisoned content can be spread via emails, forums, indexed blogs, and even internal AI tools. 

  • Serious enterprise risk: Internal copilots and document triaging systems can unknowingly relay attacker instructions to employees. 

Further Reading: CloudSEK 

 

 

Cloud-Based Ransomware: Storm-0501 Shifts Tactics to the Cloud 

Microsoft Threat Intelligence reports that the ransomware actor Storm-0501 is transitioning from traditional, endpoint-based attacks to full-fledged cloud-based ransomware operations. This shift leverages hybrid cloud vulnerabilities—enabling rapid data exfiltration, destruction of backups, and ransom demands without deploying conventional malware. 

Key Insights 

  • Strategic cloud pivot: Storm-0501 now prioritizes breaching Entra ID environments over deploying endpoint ransomware. 

  • Privilege escalation via sync: The group exploits compromised on-premises domain control and Entra Connect Sync servers to escalate privileges in the cloud. 

  • Identity-based persistence: They abuse Global Admin synced identities (often lacking MFA) to reset passwords, register new MFA, and gain unfettered cloud access. 

  • Cloud-native extortion: Using Azure features, Storm-0501 exfiltrates data, deletes backups, and leverages AzCopy and Azure Key Vault for expedited attacks. 

  • Sophisticated extortion channel: Ransom demands are delivered via Microsoft Teams, sometimes using compromised user credentials. 

Further Reading: Microsoft Security Blog – Storm-0501’s Evolving Techniques Lead to Cloud-Based Ransomware 

 

 

AI-Lured Xworm Delivery via Signed ScreenConnect Installer 

Trustwave SpiderLabs has uncovered a campaign that exploits fake AI-related content to trick users into installing a digitally signed Remote Access Tool (ScreenConnect). The installer, disguised as AI-themed media, initiates a multi-stage infection that ultimately deploys the Xworm Remote Access Trojan (RAT). Much of the attack sequence evaded automated EDR alerts, requiring human-led threat hunting to uncover the full chain. 

Key Insights 

  • Campaign begins with AI-themed lures (e.g., fake video files) leading to deceptive ScreenConnect installer downloads. 

  • The installer is digitally signed, bypassing trust validation while embedding malicious configurations. 

  • A hidden ScreenConnect client executes in the background, connecting to attacker infrastructure. 

  • Fileless execution is used: scripts trigger obfuscated Python-based payloads that launch Xworm via process hollowing. 

  • Persistence is achieved with registry Run keys, enabling re-launch at login. 

  • Credential harvesting and system reconnaissance follow to establish long-term access. 

  • Automated detection struggled—manual threat hunting was crucial in exposure. 

Further Reading: Trustwave SpiderLabs – Malicious Screen Connect Campaign Abuses AI-Themed Lures for Xworm Delivery 

 

 

Analysing Targeted Spearphishing: C-Suite 

A spearphishing campaign has been discovered, targeting C-suite executives and senior leadership across various industries. The attack uses highly personalized phishing emails that mimic internal HR communications, paired with advanced anti-detection measures and infrastructure rotation to evade defenses. 

Key Insights 

  • High-value targeting: Email subjects like “Salary amendment” and “FIN_SALARY” impersonate OneDrive document notifications to trick executives. Emails and phishing pages are customized with recipient names and company details. 

  • Credential theft mechanism: Victims are directed to fake Microsoft Office/OneDrive login pages that harvest credentials. Phishing URLs are single-use and self-destruct upon access. 

  • Stealthy email delivery: The campaign uses Amazon SES for sending, toggling across approximately 80 dynamic domains and subdomains to evade filtering. Preliminary benign emails (“warming up” inboxes) may precede the phishing attempt. 

  • Robust infrastructure footprint: DNS via Cloudflare, hosting on Akamai Cloud, and domain registration mainly through Mat Bao Corporation, with additional registrars like WebNic.cc and Luxhost used for resilience. 

Further Reading: Stripe OLT – Analysing Targeted Spearphishing: Social Engineering, Domain Rotation, and Credential Theft 

 

 

Logit-Gap Steering: How Aligned LLM Safety Can Be Bypassed 

Unit 42 introduces "logit-gap steering," a sophisticated technique that reveals a vulnerability in how LLMs refuse harmful inputs. Although alignment training raises the likelihood of refusal tokens, this doesn't eliminate the possibility of sensitive content being generated. Researchers demonstrated that with short, strategically crafted token suffixes, models—including Qwen, LLaMA, Gemma, and even GPT-OSS-20B—can be coerced into compliance with over 75% success. 

Key Insights 

  • Refusal isn't elimination: Alignment suppresses, rather than removes, harmful responses. A sufficiently strong suffix can reverse the model's initial refusal decision. 

  • Efficient jailbreak strategy: A “sort–sum–stop” algorithm quickly identifies short suffixes that disrupt the model's refusal behavior—without needing expensive beam or gradient searches. 

  • Cross-model effectiveness: This method works across diverse open-source models and scales from 0.5B to 70B parameters. 

  • Need for layered defenses: Internal logit alignment alone isn't enough. External filtering, robust safety benchmarks, and oversight tools are essential to mitigate this threat. 

Further Reading: Unit 42 – Logit-Gap Steering: A New Frontier in Understanding and Probing LLM Safety