Daily Brief
Total articles found: 11760
| Timestamp | Source | Category | Title | Summary |
|---|---|---|---|---|
| 2025-09-18 10:38:34 | theregister | NATION STATE ACTIVITY | Chinese APT41 Targets US Trade Policy Experts Amid Economic Tensions | Proofpoint identified Chinese state-sponsored group TA415, known as APT41, targeting US government, think tanks, and academic institutions with phishing campaigns. The phishing emails impersonated Congressman John Moolenaar, leveraging US-China trade policy themes to entice recipients. Attackers used password-protected archives with a Python loader named WhirlCoil, avoiding traditional malware to maintain stealth. Legitimate cloud services like Google Sheets and Zoho WorkDrive were employed for command-and-control operations, complicating detection efforts. The campaign coincided with critical US-China trade negotiations, aiming to gather intelligence on policy directions and legislative responses. A US indictment links TA415 to Chengdu 404 Network Technology, a contractor for China's cyber-operations apparatus. This activity reflects Beijing's strategic interest in acquiring sensitive economic intelligence as US-China trade discussions intensify. |
| 2025-09-18 08:25:44 | bleepingcomputer | VULNERABILITIES | WatchGuard Releases Patches for Critical Firebox Firewall Vulnerability | WatchGuard identified a critical remote code execution flaw, CVE-2025-9242, in its Firebox firewalls, posing a significant risk to affected systems. The vulnerability stems from an out-of-bounds write issue, allowing attackers to execute arbitrary code on compromised devices. Affected systems include Fireware OS versions 11.x, 12.x, and 2025.1, with fixes available in newer updates such as 12.3.1_Update3 and 12.11.4. Firebox devices using IKEv2 VPN configurations are particularly vulnerable, even if previous configurations have been deleted but static gateway peers remain. WatchGuard advises immediate patching and provides a workaround for administrators unable to update, involving firewall policy adjustments and disabling dynamic peer BOVPNs. Although no exploitation has been reported, threat actors are known to target firewalls, emphasizing the urgency for administrators to secure their systems. WatchGuard's network protection spans over 250,000 small and mid-sized businesses globally, underscoring the potential impact of this vulnerability. |
| 2025-09-18 07:24:00 | bleepingcomputer | VULNERABILITIES | Google Releases Patch for Sixth Chrome Zero-Day Vulnerability in 2025 | Google has issued emergency updates for a critical zero-day vulnerability in Chrome, the sixth such fix in 2025, highlighting ongoing security challenges. The vulnerability, identified as CVE-2025-10585, stems from a type confusion flaw in the V8 JavaScript engine, posing significant security risks. Google's Threat Analysis Group reported the flaw; vulnerabilities found by this group are often exploited by state-sponsored actors targeting high-risk individuals like dissidents and journalists. The security update, version 140.0.7339.185/.186, is being rolled out for Windows, Mac, and Linux users to mitigate potential exploitation. Users are advised to manually update Chrome via the browser's settings to ensure immediate protection against possible threats. Google maintains restricted access to detailed bug information until the majority of users have implemented the fix, ensuring broader security. This patch follows several others earlier this year, addressing vulnerabilities used in espionage and account hijacking attacks. |
| 2025-09-18 05:57:00 | thehackernews | VULNERABILITIES | Google Addresses Critical Chrome Zero-Day Vulnerability CVE-2025-10585 | Google released security updates for Chrome to fix four vulnerabilities, including CVE-2025-10585, a zero-day actively exploited in the wild. CVE-2025-10585 is a type confusion issue in the V8 JavaScript and WebAssembly engine, potentially allowing arbitrary code execution and program crashes. Google's Threat Analysis Group (TAG) discovered the flaw on September 16, 2025, and promptly reported it to initiate a swift response. Details on the exploitation methods or perpetrators remain undisclosed to prevent further abuse before users can apply the necessary updates. Users are advised to update Chrome to versions 140.0.7339.185/.186 on Windows and macOS, and 140.0.7339.185 on Linux to mitigate the threat. Other Chromium-based browsers, including Microsoft Edge, Brave, Opera, and Vivaldi, should also implement the fixes as they become available. This marks the sixth zero-day vulnerability in Chrome exploited or demonstrated as a proof-of-concept in 2025, indicating persistent security challenges. |
| 2025-09-18 00:05:58 | theregister | NATION STATE ACTIVITY | Russian Disinformation Network Expands with Over 200 New Fake News Sites | Recorded Future's Insikt Group identified over 200 new fake news sites linked to Russian disinformation efforts, targeting political landscapes in the US, France, Canada, and Norway. The network, known as CopyCop or Storm-1516, reportedly uses AI models based on Meta's Llama 3 to generate misleading political content, aiming to influence public opinion globally. John Mark Dougan, a former Florida deputy sheriff with asylum in Moscow, is alleged to operate these sites with Kremlin support, including funding from the GRU for server infrastructure. The disinformation campaign includes deepfakes and fabricated stories, such as false claims about Ukrainian President Zelensky, designed to manipulate political narratives in various countries. The Insikt Group's findings coincide with reduced US efforts to counter election disinformation, raising concerns about the potential impact on upcoming elections in 2026. US lawmakers have called for intelligence briefings on foreign election threats, amid fears that information on interference may be withheld from the public and policymakers. The expanded network includes sites impersonating local media and fact-checking organizations, with a strategic focus on polarizing political issues and exploiting regional sentiments. |
| 2025-09-17 21:14:26 | bleepingcomputer | DATA BREACH | ShinyHunters Steal 1.5 Billion Salesforce Records in Major Breach | ShinyHunters claimed responsibility for stealing 1.5 billion Salesforce records from 760 companies using compromised OAuth tokens from Salesloft Drift. The breach involved data from Salesforce object tables, including Account, Contact, Case, Opportunity, and User, affecting sensitive customer information. Attackers exploited OAuth tokens found in Salesloft's GitHub repository, utilizing the TruffleHog tool to locate secrets within the source code. Google Threat Intelligence reported that attackers searched the exfiltrated data for secrets like AWS access keys and passwords to facilitate further intrusions. The FBI issued an advisory on this threat, with indicators of compromise to help organizations defend against similar attacks. Despite claims of ceasing operations, the threat group has shifted focus to targeting financial institutions, indicating ongoing risk. Salesforce advises customers to implement multi-factor authentication, least privilege principles, and strict management of connected applications to mitigate such threats. |
| 2025-09-17 18:41:12 | theregister | CYBERCRIME | Scattered Spider Resurfaces, Targets US Bank with Sophisticated Intrusion | Scattered Spider, previously thought to have ceased operations, has re-emerged with a cyberattack on a US banking institution, shifting its focus to the financial sector. The group gained initial access by exploiting social engineering tactics to reset an executive's Microsoft Entra ID password, allowing them to infiltrate sensitive areas. Once inside, attackers navigated the bank's Citrix environment and VPN, compromising VMware ESXi infrastructure to extract employee credentials and escalate their network presence. The cybercriminals attempted data exfiltration from platforms like Snowflake and AWS, indicating their intent to steal sensitive information. Despite prior claims of retirement, Scattered Spider's tactics, techniques, and procedures (TTPs) remain active, posing ongoing threats to targeted sectors. The incident underscores the need for robust cybersecurity measures, emphasizing prevention over reliance on the cessation of criminal groups. This attack follows previous high-profile heists, highlighting the persistent threat landscape and the necessity for vigilance in financial cybersecurity defenses. |
| 2025-09-17 18:35:11 | thehackernews | CYBERCRIME | TA558 Utilizes AI to Deploy Venom RAT in Brazilian Hotel Attacks | Cybercriminal group TA558 has launched new attacks targeting hotels in Brazil and Spanish-speaking regions, using AI-generated scripts to deploy Venom RAT. Kaspersky reports these attacks as part of the RevengeHotels campaign, active since 2015, focusing on hospitality and travel industries in Latin America. Attackers use phishing emails with invoice themes, leveraging JavaScript loaders and PowerShell downloaders to deliver malware payloads. The campaign's primary objective is to capture credit card data from hotel systems and online travel agencies like Booking.com. AI-generated scripts, identified by their format and comments, are used to load subsequent scripts, enhancing the sophistication of the attack chain. Venom RAT, based on Quasar RAT, is a commercial tool with advanced features, including data siphoning, reverse proxy, and anti-kill protection mechanisms. The malware ensures persistence by modifying Windows Registry settings and disabling security measures like Microsoft Defender Antivirus. TA558's use of AI in phishing campaigns demonstrates a growing trend among cybercriminals to enhance their tactics and expand their reach. |
| 2025-09-17 17:54:08 | bleepingcomputer | DATA BREACH | Insight Partners Ransomware Attack Exposes Sensitive Personal Information | Insight Partners, a prominent venture capital firm, experienced a ransomware attack compromising sensitive data of over 12,000 individuals, including banking and tax information. The breach originated from a sophisticated social engineering attack, allowing threat actors to infiltrate the network in October 2024. Attackers exfiltrated data and encrypted servers on January 16, 2025, though no ransomware group has claimed responsibility. Affected parties are receiving formal notifications, with Insight Partners offering complimentary credit or identity monitoring services as part of their response. The breach impacts current and former employees, limited partners, and portfolio companies, potentially affecting business operations and stakeholder trust. Insight Partners manages over $90 billion in assets and has a significant global investment footprint, heightening the breach's potential impact. This incident underscores the critical need for robust social engineering defenses and comprehensive incident response strategies within financial and investment sectors. |
| 2025-09-17 16:26:11 | bleepingcomputer | DATA BREACH | SonicWall Urges Credential Resets After Firewall Backup Exposure | SonicWall experienced a security breach exposing firewall configuration backup files, prompting a call for credential resets to prevent potential exploitation by threat actors. The breach affected MySonicWall accounts, potentially compromising secrets for services running on SonicWall devices, increasing the risk of unauthorized access. In response, SonicWall terminated the attackers' access and is collaborating with cybersecurity and law enforcement agencies to assess the breach's impact. The company has issued guidance for administrators to update passwords, keys, and secrets, emphasizing the importance of securing all related configurations. SonicWall advises that updates may also be necessary for external systems such as ISPs, VPNs, and LDAP/RADIUS servers to maintain overall network security. Earlier concerns about a possible zero-day exploit were ultimately linked to CVE-2024-40766, a critical flaw that the Akira ransomware group is now exploiting on unpatched devices. This incident underscores the critical need for timely patch management and robust security practices to safeguard network integrity. |
| 2025-09-17 14:54:33 | theregister | MISCELLANEOUS | Axiom Space Plans Orbital Data Centers on International Space Station | Axiom Space and Spacebilt plan to launch Orbital Data Center Nodes to the ISS, enhancing its data processing capabilities by the end of 2025. The project aims to integrate optical communication terminals, enabling connectivity with satellites and spacecraft, expanding the ISS's data processing network. The initial prototype, AxDCU-1, launched in August, serves as a proof of concept for on-orbit hybrid cloud and cloud-native workload hosting. Spacebilt is spearheading the engineering design, incorporating Phison's enterprise-class SSDs to deliver substantial storage capacity in space. Concerns arise over the ISS's operational timeline, with deorbit scheduled for 2030, potentially affecting the long-term viability of the data center project. Axiom's future plans include developing its own space station by 2028, which could provide an alternative platform for the Orbital Data Center Nodes. Questions remain about jurisdiction and legal frameworks for on-orbit data storage and processing, with Axiom yet to clarify these issues. |
| 2025-09-17 14:01:35 | bleepingcomputer | MALWARE | Evolving ClickFix Techniques Deploy MetaStealer Malware via Fake AnyDesk Installer | Huntress analysts have detected increased threat activity involving advanced techniques, notably a malicious AnyDesk installer that deploys MetaStealer malware, exploiting social engineering tactics. The attack mimics ClickFix scams using a fake Cloudflare verification page, leveraging Windows File Explorer and an MSI package disguised as a PDF to execute the malware. MetaStealer, active since 2022, is designed to harvest credentials and steal files, posing significant risk to data integrity and confidentiality. Cephalus ransomware incidents were also noted, utilizing DLL sideloading through a legitimate SentinelOne executable to deliver its payload. The evolving threat landscape demonstrates attackers' ability to blend established social engineering with sophisticated infection chains, challenging traditional security measures. Organizations are advised to educate users on identifying phishing lures and restrict unnecessary use of Windows Run dialog boxes to mitigate such threats. Continuous monitoring and adaptation of security protocols are essential to counteract these evolving attack vectors effectively. |
| 2025-09-17 13:21:15 | bleepingcomputer | CYBERCRIME | Microsoft and Cloudflare Dismantle RaccoonO365 Phishing Operation | Microsoft and Cloudflare have disrupted the RaccoonO365 Phishing-as-a-Service operation, seizing 338 websites and accounts, significantly impacting cybercriminal activities targeting Microsoft 365 credentials. The operation, tracked as Storm-2246, was responsible for stealing over 5,000 credentials across 94 countries since July 2024, using sophisticated phishing kits with CAPTCHA and anti-bot features. A significant attack in April 2025 targeted over 2,300 U.S. organizations, including healthcare entities, with stolen credentials used for financial fraud and extortion. The phishing service operated via a private Telegram channel, offering subscription plans ranging from $355 to $999, paid in cryptocurrency, indicating a substantial illegal market. Microsoft identified Joshua Ogundipe from Nigeria as the leader, with a criminal referral sent to international law enforcement following an operational security lapse revealing a cryptocurrency wallet. The disruption of RaccoonO365 is part of broader efforts, including the recent seizure of 2,300 domains linked to another cybercrime operation, Lumma malware-as-a-service. These actions aim to mitigate risks to public safety, as phishing attacks often precede malware and ransomware incidents, particularly affecting critical sectors like healthcare. |
| 2025-09-17 12:57:54 | thehackernews | NATION STATE ACTIVITY | Chinese TA415 Targets U.S. Economic Experts with Spear-Phishing Campaigns | Chinese state-sponsored group TA415 conducted spear-phishing campaigns against U.S. government, think tanks, and academic organizations focusing on U.S.-China economic policy. The operation, active during July and August 2025, aimed to gather intelligence amid U.S.-China trade negotiations, using economic-themed lures. Attackers impersonated U.S. officials and organizations, including the U.S.-China Business Council, to deceive targets into engaging with malicious content. Phishing emails contained links to password-protected archives with a hidden batch script, executing a Python loader for persistent system access. The campaign utilized Cloudflare WARP VPN to obscure activity origins and employed Visual Studio Code remote tunnels for backdoor access. The threat group shares similarities with APT41 and Brass Typhoon, indicating a coordinated effort in cyber espionage activities. The U.S. House Select Committee on China has issued warnings about ongoing cyber espionage campaigns linked to Chinese actors. |
| 2025-09-17 12:43:01 | theregister | CYBERCRIME | BreachForums Founder Sentenced to Three Years for Cybercrimes | Conor Fitzpatrick, founder of BreachForums, received a three-year prison sentence after a US appeals court deemed his initial sentence too lenient. Fitzpatrick's crimes included facilitating the sale of stolen data and possessing child sexual abuse material, causing significant harm to victims. Initially arrested in 2023, Fitzpatrick violated pretrial conditions by using a VPN, leading to a brief jail stint before a lenient 2024 sentence. The appellate court criticized the original sentence, arguing it failed to reflect the severity of Fitzpatrick's offenses, which involved over 14 billion records. Fitzpatrick pleaded guilty to charges including access device conspiracy and possession of child sexual abuse material, agreeing to surrender domain names and devices. Prosecutors emphasized the incalculable damage caused by Fitzpatrick's activities, with the FBI committed to dismantling similar criminal marketplaces. The case underscores the ongoing efforts by law enforcement to hold cybercriminals accountable and disrupt illegal online platforms. |