Daily Brief
Articles are listed below; see 'DETAILS' for the generated summaries
Total articles found: 11755
Checks for new stories every ~15 minutes
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-10-07 17:05:26 | thehackernews | MALWARE | BatShadow Group Deploys Vampire Bot Malware Targeting Job Seekers | BatShadow, a Vietnamese threat actor, is using social engineering to deliver Vampire Bot malware to job seekers and digital marketing professionals.
The campaign involves malicious files disguised as job descriptions, leveraging ZIP archives with decoy PDFs and executable files masked as PDFs.
When the victim opens the shortcut (LNK) file, it runs a PowerShell script that downloads a lure document and the XtraViewer remote-access tool, giving the attacker persistent access.
Victims are told to use Microsoft Edge for the download, a step that steers them around the download protections of other browsers and eases infection.
Vampire Bot, written in Go, can profile infected hosts, steal information, capture screenshots, and communicate with attacker-controlled servers.
Previous campaigns by BatShadow have used similar domains and tactics, indicating a consistent threat to digital marketing professionals.
The campaign shows that job-themed phishing remains an effective lure; job seekers should treat unsolicited job descriptions, especially archives and files with double extensions, with suspicion. | Details |
| 2025-10-07 16:24:06 | theregister | DATA BREACH | Doctors Imaging Group Discloses Major Patient Data Breach Impacting 171,000 | Doctors Imaging Group reported a cyberattack in which sensitive data of 171,862 patients, including medical and financial information, was stolen in an intrusion dating back to November 2024.
Compromised data includes admission dates, financial account details, medical records, health insurance information, and Social Security numbers, posing significant identity theft risks.
Notification was delayed: the company did not conclude its investigation until late August 2025, nearly a year after the intrusion.
The nature of the attack remains unspecified, and no ransomware group has claimed responsibility, leaving the method and motive unclear.
Doctors Imaging Group has notified federal law enforcement and regulatory bodies, emphasizing its commitment to enhancing cybersecurity measures.
Affected individuals were advised to monitor financial statements for fraud, though no complimentary identity protection services were offered by the company.
The incident highlights the critical need for timely breach disclosures and robust cybersecurity protocols in the healthcare sector. | Details |
| 2025-10-07 16:24:05 | bleepingcomputer | DATA BREACH | Avnet Data Breach Exposes Sensitive EMEA Information, Ransom Demands Made | Avnet, a major electronics distributor, confirmed a data breach affecting its internal sales tool in the EMEA region, with unauthorized access to externally hosted cloud storage.
The breach involved the theft of 1.3TB of compressed data, potentially expanding to 12TB of raw data, including sensitive operational and personal information.
Although Avnet claimed the data is unreadable without proprietary tools, leaked samples reportedly contain plaintext sensitive information, challenging the company's assertions.
The threat actor responsible seeks financial gain, using a dark web leak site to pressure Avnet into paying a ransom by releasing data samples.
Avnet detected the breach on September 26, rotated secrets across its Azure and Databricks environments, and says the impact was confined to a single system.
The breach did not disrupt Avnet's global operations, and the company is in the process of notifying affected customers and suppliers, though the exact number of impacted individuals remains unknown.
Authorities have been informed, and Avnet continues to assess the situation and implement security measures to prevent future incidents. | Details |
| 2025-10-07 16:07:39 | theregister | DATA BREACH | BK Technologies Reports Cyber Intrusion Impacting Employee Data | BK Technologies identified suspicious activity on September 20, leading to a cyber intrusion affecting non-public employee data.
The breach impacted a limited number of non-critical systems, allowing operations to continue without significant disruption.
External incident-response teams were engaged to isolate affected systems and restore operations swiftly.
The company is assessing the breach's extent and has notified law enforcement and plans to inform affected individuals and regulators.
BK Technologies expects insurance to cover most cleanup costs, minimizing financial impact on the company.
The breach poses a reputational problem for BK Technologies, which markets its products to critical-service customers on the strength of their reliability.
No responsibility for the breach has been claimed, and the company has not disclosed any customer impact. | Details |
| 2025-10-07 15:43:05 | theregister | NATION STATE ACTIVITY | OpenAI Blocks Accounts Tied to Chinese and Russian Cyber Activities | OpenAI has banned accounts linked to Chinese and Russian entities using ChatGPT for surveillance and influence operations, as detailed in their latest threat report.
Chinese-linked accounts attempted to use ChatGPT to design AI tools for monitoring social media platforms for extremist and political content, allegedly for government clients.
Russian-associated accounts used ChatGPT to refine malware, including remote-access trojans and credential stealers, and to draft phishing lures.
OpenAI says its models refused requests with clearly malicious intent, in line with its safety policies, and that it has banned more than 40 networks since February 2024.
The report indicates adversaries are increasingly utilizing multiple AI models for enhanced automation and speed in their cyber activities.
OpenAI's actions reflect growing concerns over AI misuse by authoritarian regimes and criminal groups, highlighting the need for robust AI governance and security measures.
The company remains vigilant, continuously monitoring and disrupting attempts to exploit AI for malicious purposes. | Details |
| 2025-10-07 15:21:05 | thehackernews | VULNERABILITIES | Google's CodeMender AI Agent Automates Vulnerability Detection and Patching | Google's DeepMind introduced CodeMender, an AI agent that detects, patches, and rewrites vulnerable code, aiming to prevent future exploits and enhance software security.
CodeMender is designed to be both reactive and proactive, addressing new vulnerabilities and securing existing codebases to eliminate entire classes of vulnerabilities.
Over six months, CodeMender has upstreamed 72 security fixes to open-source projects, demonstrating its capability to handle large codebases.
Utilizing Google's Gemini Deep Think models, CodeMender identifies root causes of vulnerabilities and ensures changes do not introduce regressions.
The agent uses an LLM-based critique tool to review its own modifications, verifying each change and self-correcting when the critique finds a problem.
Google plans to engage maintainers of critical open-source projects for feedback on CodeMender-generated patches, enhancing the tool's effectiveness.
Alongside it, Google is launching an AI Vulnerability Reward Program for AI-related issues in Google products, with rewards of up to $30,000.
Google's Secure AI Framework continues to evolve, focusing on agentic security risks and using AI to counter threats from cybercriminals and state-backed actors. | Details |
| 2025-10-07 14:08:01 | bleepingcomputer | MISCELLANEOUS | AI-Powered Breach and Attack Simulation Revolutionizes Security Validation | AI-driven Breach and Attack Simulation (BAS) platforms are transforming threat intelligence into actionable security validations, providing faster, evidence-backed assurance of defense effectiveness.
Traditional BAS deployments struggle to keep pace with the volume of newly reported threats, so vendors are adding AI to build and run simulations sooner.
AI enhances BAS by enabling on-demand validation, allowing security teams to operationalize new threat intelligence in hours rather than days or weeks.
The integration of AI in BAS provides clarity on risk exposure, helping organizations identify which vulnerabilities are weaponizable in their specific environments.
AI-powered BAS delivers measurable ROI by testing security controls against real-world attacker behaviors, ensuring investments are effectively reducing risk.
Business-level reporting from AI-enhanced BAS offers boards and executives confidence through evidence-backed assurance of security posture and remediation efforts.
The upcoming Picus BAS Summit 2025 will showcase AI's role in evolving BAS, featuring insights from CISOs and industry leaders on predictive security validation. | Details |
| 2025-10-07 13:20:25 | bleepingcomputer | VULNERABILITIES | Google Launches AI Bug Bounty Program with $30,000 Top Reward | Google has introduced an AI Vulnerability Reward Program, incentivizing security researchers to identify and report flaws in its AI systems, with rewards reaching up to $30,000.
The program targets significant vulnerabilities in high-profile AI products, including Google Search, Gemini Apps, and Google Workspace core applications like Gmail and Drive.
In-scope products also encompass AI Studio, Jules, and various AI integrations, reflecting Google's focus on safeguarding its AI ecosystem.
Reward tiers include $20,000 for the most serious security bugs in flagship products (rising to $30,000 with bonus multipliers), $15,000 for sensitive-data exfiltration, and $5,000 for phishing-enablement and model-theft issues.
This initiative extends Google's existing Vulnerability Reward Program, aiming to enhance third-party discovery and reporting of AI-specific security issues.
Google has a history of rewarding researchers, having awarded $65 million in bug bounties since 2010, with $12 million distributed in 2024 alone.
The program's launch marks a strategic effort to bolster AI security and encourage responsible disclosure from the global research community. | Details |
| 2025-10-07 11:04:08 | thehackernews | DATA BREACH | AI Emerges as Leading Channel for Corporate Data Exfiltration | LayerX's report identifies AI as the primary channel for data exfiltration, surpassing shadow SaaS and unmanaged file sharing in enterprise environments.
Generative AI tools such as ChatGPT, Claude and Copilot are used by 45% of employees, and 67% of that use goes through unmanaged personal accounts rather than corporate-sanctioned ones.
Sensitive data, including PII and payment-card (PCI) data, is routinely uploaded: 40% of files uploaded to AI platforms contain such data, and 77% of the data pasted into AI tools comes from unmanaged accounts.
Traditional data loss prevention tools fail to address this risk, as they are designed for sanctioned, file-based environments rather than browser-based AI interactions.
The report emphasizes the need for CISOs to shift focus from traditional security perimeters to browser-based data flows to mitigate AI-driven data breaches.
Instant messaging also poses a significant risk, with 87% of enterprise chat usage occurring through unmanaged accounts and 62% of users pasting sensitive data.
The findings suggest a governance collapse, urging security leaders to treat AI as a current, critical threat rather than an emerging technology. | Details |
| 2025-10-07 10:42:15 | thehackernews | MALWARE | XWorm 6.0 Emerges with Enhanced Capabilities and New Threats | Trellix researchers reported the resurgence of XWorm malware, now featuring over 35 plugins, enhancing its ability to conduct a wide range of malicious activities.
XWorm, attributed to the threat actor EvilCoder, is known for data theft, keylogging, screen capture and ransomware operations, and is spread primarily through phishing emails.
Its modular design lets it fetch commands from its command-and-control (C2) server, including system shutdown, file download and DDoS attacks.
Recent XWorm 6.0 campaigns use malicious JavaScript attachments in phishing emails and inject the payload into legitimate Windows processes such as RegSvcs.exe to evade detection.
Trellix also found a remote code execution vulnerability in XWorm itself: anyone who knows the C2 encryption key can execute arbitrary code on infected hosts.
Despite the original developer's apparent departure, XWorm 6.0 is being sold on cybercrime forums, raising concerns about its ongoing evolution and potential impact.
XWorm is also used to deliver other malware, such as DarkCloud Stealer and Remcos RAT, which widens its impact.
Organizations are reminded to strengthen their defenses against phishing and to monitor for signs of XWorm infections to mitigate potential breaches. | Details |
| 2025-10-07 09:18:36 | theregister | NATION STATE ACTIVITY | UK Develops Satellite Laser Detection and Carrier-Based Drone Projects | The UK Ministry of Defence is advancing projects to protect satellites from laser attacks and develop carrier-launched drones, emphasizing strategic defense capabilities in space and naval operations.
Collaboration with the UK Space Agency aims to create sensors that detect laser threats to satellites, safeguarding vital communication and observation systems critical to national infrastructure.
The satellite industry significantly contributes to the UK economy, with nearly 20% of GDP reliant on spaceborne services, highlighting the importance of protecting these assets.
Concerns over adversaries like China using lasers to disrupt satellite operations drive the development of these protective technologies, ensuring resilience in contested space environments.
Project VANQUISH seeks to demonstrate a jet-powered drone capable of operating from Royal Navy carriers, enhancing the fleet's operational flexibility without traditional launch and recovery systems.
The Royal Navy's initiative to integrate drones with F-35B aircraft aims to expand mission capabilities, including strike missions and mid-air refueling, by 2026.
An estimated £10 million contract will fund the technical demonstration, with successful outcomes informing future procurement decisions for production aircraft in the 2030s. | Details |
| 2025-10-07 08:39:10 | theregister | MISCELLANEOUS | UK Home Office Invests £60M in ANPR Data Integration Project | The UK Home Office announces a £60 million initiative to develop an application for integrating automated number plate recognition (ANPR) data into live reporting systems.
This project aims to enhance law enforcement capabilities by providing real-time alerts and search functionalities using ANPR data from police forces and law enforcement agencies.
The National Strategic ANPR Platform will serve as the central hub, compiling live data streams for use in investigations and intelligence operations.
Despite the controversial nature of ANPR systems, the Home Office emphasizes their role in detecting criminal activity and supporting national security.
The National Infrastructure and Service Transformation Authority reported a 30% budget variation due to a year-long delay in the central database project.
The total projected cost for the ANPR data integration initiative is estimated at £538.9 million over its lifespan.
The procurement does not include hardware components like cameras or servers, focusing solely on software and data integration capabilities. | Details |
| 2025-10-07 08:39:10 | thehackernews | VULNERABILITIES | Critical Redis Flaw Enables Remote Code Execution Across All Versions | Redis has disclosed a critical vulnerability, CVE-2025-49844, affecting every Redis version that ships the embedded Lua scripting engine, which can lead to remote code execution.
The flaw, nicknamed RediShell, carries the maximum CVSS score of 10.0, underscoring its severity and potential impact.
Exploitation requires submitting a crafted Lua script via EVAL, which on a correctly configured instance means the attacker must first authenticate; strong authentication and keeping Redis off the public internet are therefore the first lines of defense.
Fixed releases are 6.2.20, 7.2.11, 7.4.6, 8.0.4 and 8.2.2; where patching must wait, Redis recommends using ACLs to block the EVAL and EVALSHA commands so that users cannot run Lua scripts.
Discovered by Wiz, the flaw is a use-after-free in the Lua interpreter: a crafted script can manipulate the garbage collector to corrupt memory, and the bug has been present in the Redis codebase for roughly 13 years.
Potential attack scenarios include credential theft, malware deployment, data exfiltration, and lateral movement within cloud environments.
Approximately 330,000 Redis instances are exposed online, with 60,000 lacking authentication, presenting a significant risk for exploitation.
Organizations are urged to apply patches promptly and implement strict access controls to mitigate the threat effectively. | Details |
| 2025-10-07 08:21:44 | thehackernews | CYBERCRIME | Storm-1175 Exploits GoAnywhere Flaw to Deploy Medusa Ransomware | Microsoft has linked the cybercriminal group Storm-1175 to the exploitation of a critical flaw in Fortra's GoAnywhere software, facilitating the deployment of Medusa ransomware.
The vulnerability, CVE-2025-10035 (CVSS 10.0), is a deserialization bug in GoAnywhere's License Servlet that lets an unauthenticated attacker inject commands.
Successful exploitation enables attackers to perform system discovery, maintain access, and deploy additional tools for lateral movement and malware distribution.
Attackers use remote monitoring and management tools like SimpleHelp and MeshAgent to maintain persistence, with .jsp files created within GoAnywhere directories.
Lateral movement is achieved using Windows Remote Desktop Connection, while Rclone is used for data exfiltration in some environments.
Organizations running GoAnywhere MFT have been exposed since at least September 11, with exploitation under way before the flaw was publicly disclosed.
Questions remain about how the attackers obtained the private key needed to forge the signed license response the exploit depends on, and why affected organizations were not told sooner. | Details |
| 2025-10-07 08:03:29 | theregister | CYBERCRIME | Credential Stuffing Costs 23andMe £2.31 Million in Regulatory Fines | 23andMe faced a £2.31 million fine from the UK's Information Commissioner's Office following a credential stuffing attack affecting 6.9 million users.
Attackers exploited recycled passwords: credentials leaked from other breaches unlocked 23andMe accounts, and the service's account-linking features then exposed genetic data of users who were never directly compromised.
The breach highlighted the absence of rate limiting on 23andMe's login endpoint, which allowed unlimited login attempts without triggering any alert.
Approximately 14,000 accounts were directly compromised, with the exposure extending to 5.5 million DNA Relatives and 1.4 million Family Tree profiles.
Credential stuffing replays username/password pairs stolen in earlier breaches against other services, betting on password reuse.
Automated tools drive the attacks at high volume, testing millions of credential pairs per minute, a rate that per-account lockouts and manual review cannot keep up with.
Organizations are urged to enforce strong password policies, monitor for anomalous login patterns, and deploy rate limiting and bot defenses to mitigate such attacks.
Passwork is presented as a mitigation: a password manager that generates a unique, complex password per site removes the password reuse that credential stuffing depends on. | Details |
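The 23andMe entry above turns on two things: a login endpoint with no rate limiting, and a source that tries many leaked username/password pairs at low success rates. The following is an added example written for this digest, not code from 23andMe, the ICO or Passwork. It assumes a constructed log format (ISO timestamp, client IP, username, outcome) and illustrative thresholds; it flags stuffing sources in a sliding window and then replays the same log through the per-IP limiter that was missing.

```python
"""Credential-stuffing triage over login logs, plus the per-source rate limit the
23andMe entry says was missing. Added example with constructed log lines; not code
from 23andMe, the ICO or Passwork. Thresholds are illustrative assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: ISO timestamp, client IP, username, outcome. 203.0.113.7 sprays
# one attempt per username (stuffing); 198.51.100.2 is one user mistyping a password.
SAMPLE_LOG = """\
2025-10-07T08:00:01 203.0.113.7 alice FAIL
2025-10-07T08:00:02 203.0.113.7 bob FAIL
2025-10-07T08:00:02 203.0.113.7 carol FAIL
2025-10-07T08:00:03 203.0.113.7 dave OK
2025-10-07T08:00:03 203.0.113.7 erin FAIL
2025-10-07T08:00:04 203.0.113.7 frank FAIL
2025-10-07T08:00:04 203.0.113.7 grace FAIL
2025-10-07T08:00:05 203.0.113.7 heidi FAIL
2025-10-07T08:00:05 203.0.113.7 ivan OK
2025-10-07T08:00:06 203.0.113.7 judy FAIL
2025-10-07T08:00:07 203.0.113.7 karl FAIL
2025-10-07T08:00:08 203.0.113.7 leo FAIL
2025-10-07T08:01:10 198.51.100.2 alice FAIL
2025-10-07T08:01:15 198.51.100.2 alice FAIL
2025-10-07T08:01:20 198.51.100.2 alice OK
"""


def parse_log(text):
    """Return (timestamp, ip, username, succeeded) tuples from the sample format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome == "OK"))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5), min_attempts=10,
                          min_distinct_users=8, max_success_rate=0.3):
    """Flag source IPs that, within any trailing `window`, make many attempts against
    many different usernames with a low success rate. A real user retrying a password
    hits one username; a stuffing tool walks a leaked list of many."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        recent = deque()
        for ev in evs:
            recent.append(ev)
            while ev[0] - recent[0][0] > window:   # drop events older than the window
                recent.popleft()
            attempts = len(recent)
            users = {u for _, u, _ in recent}
            successes = sum(1 for _, _, ok in recent if ok)
            if (attempts >= min_attempts and len(users) >= min_distinct_users
                    and successes / attempts <= max_success_rate):
                flagged[ip] = {"attempts": attempts, "distinct_users": len(users),
                               "successes": successes}
    return flagged


class SlidingWindowLimiter:
    """Allow at most `limit` attempts per key in any trailing `window`."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self._hits = defaultdict(deque)

    def allow(self, key, now):
        hits = self._hits[key]
        while hits and now - hits[0] >= self.window:   # expire old attempts
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def replay_with_limiter(events, limit=5, window=timedelta(minutes=1)):
    """Replay the log through a per-IP limiter and return the attempts it would have
    refused. The successful stuffing hit (ivan) sits behind the threshold, which is
    the point of limiting by source rather than by account."""
    limiter = SlidingWindowLimiter(limit, window)
    refused = []
    for ts, ip, user, ok in sorted(events):
        if not limiter.allow(ip, ts):
            refused.append((ip, user, ok))
    return refused


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(find_stuffing_sources(evs))
    print(replay_with_limiter(evs))
</test>
```

Keying the limiter by source IP is only the first layer; stuffing tools spread attempts across proxies, so production deployments pair it with per-account counters, device fingerprinting and breached-password checks. The detector's window and thresholds are tuning knobs and should be set from the service's own baseline of legitimate retry behaviour.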
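For the Redis entry (CVE-2025-49844), the practical questions are whether a given instance is below the fixed release on its branch and which ACL users could still submit Lua scripts through EVAL. The block below is an added example for this digest, not code from Redis or Wiz. It assumes the fixed versions listed in the entry, treats branches with no listed fix as affected, and uses a deliberately simple reading of `ACL LIST` rules (only the common category and command tokens are recognised); the INFO and ACL outputs are constructed samples with a placeholder password hash.

```python
"""Offline triage for CVE-2025-49844 (RediShell). Added example, not Redis or Wiz
code. Two checks: is a Redis version older than the fixed release on its branch,
and which enabled ACL users can still run Lua. Inputs are constructed samples."""
import re

# Fixed releases named in the advisory, keyed by (major, minor) branch.
FIXED_RELEASES = {
    (6, 2): (6, 2, 20),
    (7, 2): (7, 2, 11),
    (7, 4): (7, 4, 6),
    (8, 0): (8, 0, 4),
    (8, 2): (8, 2, 2),
}

# Constructed sample outputs in the shape of `redis-cli INFO server` and `ACL LIST`.
# "#deadbeef" stands in for the SHA-256 password hash ACL LIST normally prints.
INFO_SAMPLE = "# Server\nredis_version:7.4.5\nredis_mode:standalone\n"
ACL_SAMPLE = """\
user default on nopass sanitize-payload ~* &* +@all
user app on #deadbeef ~app:* &* -@all +@read +@write
user etl on #deadbeef ~etl:* &* +@all
user hardened on #deadbeef ~* &* +@all -@scripting
user legacy off nopass ~* &* +@all
"""


def parse_version(text):
    """Return (major, minor, patch) from a version string such as '7.4.5'."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised Redis version: {text!r}")
    return tuple(int(g) for g in m.groups())


def is_affected(version):
    """True if this version predates the fixed release on its branch. Branches with
    no fixed release listed (e.g. 7.0.x) are treated as affected until upgraded."""
    v = parse_version(version)
    fixed = FIXED_RELEASES.get(v[:2])
    return fixed is None or v < fixed


def version_from_info(info_text):
    for line in info_text.splitlines():
        if line.startswith("redis_version:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("redis_version not present in INFO output")


def lua_capable_users(acl_list_text):
    """Heuristic over ACL LIST: enabled users whose rules leave EVAL reachable.
    Rules apply left to right, so the last rule touching scripting wins. Only the
    common category/command tokens are recognised; review unusual rules by hand."""
    grant = {"+@all", "allcommands", "+@scripting", "+eval", "+evalsha"}
    revoke = {"-@all", "nocommands", "-@scripting"}
    found = []
    for line in acl_list_text.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or tokens[0] != "user":
            continue
        name, rules = tokens[1], tokens[2:]
        if "off" in rules:          # disabled user cannot authenticate at all
            continue
        allowed = False
        for rule in rules:
            if rule in grant:
                allowed = True
            elif rule in revoke:
                allowed = False
        if allowed:
            found.append({"user": name, "nopass": "nopass" in rules})
    return found


def triage(info_text, acl_list_text):
    """Combine both checks into one report for an instance."""
    version = version_from_info(info_text)
    users = lua_capable_users(acl_list_text)
    return {
        "version": version,
        "affected": is_affected(version),
        "lua_capable_users": [u["user"] for u in users],
        "unauthenticated_lua": [u["user"] for u in users if u["nopass"]],
    }


if __name__ == "__main__":
    print(triage(INFO_SAMPLE, ACL_SAMPLE))
```

In the sample, `default` is the worst case the entry warns about (no password and Lua reachable, i.e. the exposed-without-auth population), `etl` can run Lua but only after authenticating, and `hardened` shows the advisory's interim workaround of appending `-@scripting`. The ACL reading is a heuristic: anything that does not match the recognised tokens, such as key-scoped selectors, should be checked against the real `ACL LIST` by hand.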