Daily Brief
Total articles found: 11758
| Date | Source | Category | Title | Summary | Details |
|---|---|---|---|---|---|
| 2025-09-27 12:06:41 | thehackernews | NATION STATE ACTIVITY | China-Linked Malware Campaign Targets Asian Telecom and ASEAN Networks | Asian telecommunications and manufacturing sectors are under attack by a new PlugX malware variant, linked to Chinese threat actors. Cisco Talos identified the malware's overlap with the RainyDay and Turian backdoors, employing DLL side-loading and specific encryption algorithms. The campaign involves the threat actors Lotus Panda and BackdoorDiplomacy, suggesting shared tools or coordination, with targets in Central and South Asia. Naikon APT has been implicated in attacks on a telecom firm in Kazakhstan, indicating a focus on regional telecommunications infrastructure. Mustang Panda's Bookworm malware, active since 2015, continues to evolve with a modular architecture, targeting ASEAN countries. Bookworm employs legitimate-looking domains for command-and-control, complicating detection and analysis. The sustained use and development of these tools by Chinese-speaking actors indicate a long-term strategic focus on regional cyber operations. | Details |
| 2025-09-27 11:17:01 | theregister | NATION STATE ACTIVITY | Chinese RedNovember Group Conducts Global Cyber Espionage Campaign | RedNovember, a Chinese state-sponsored cyber group, targeted global government and private-sector networks from June 2024 to July 2025, focusing on the aerospace, defense, and professional services sectors. The campaign exploited vulnerabilities in internet-facing appliances, deploying the Pantegana backdoor and tools like Cobalt Strike and SparkRAT to gain access. Notable targets included over 30 Panamanian government agencies, coinciding with geopolitical tensions related to US interests in the Panama Canal. The group also attempted to infiltrate 28 US organizations, particularly in aerospace and defense, although no successful compromises were confirmed. RedNovember's activities extended to various countries, including Japan, the UK, Germany, Brazil, and South Korea, using vulnerabilities in Ivanti and SonicWall VPN devices. The campaign's use of legitimate tools like Cobalt Strike calls for enhanced threat hunting to detect and mitigate such intrusions effectively. The report coincides with warnings about other Chinese cyber activities, including the ArcaneDoor campaign targeting Cisco's firewalls since November 2024. Organizations are advised to apply patches and strengthen defenses against persistent threats exploiting known vulnerabilities. | Details |
| 2025-09-27 08:45:04 | theregister | MISCELLANEOUS | Alibaba's $53 Billion AI Expansion Faces Geopolitical and Resource Hurdles | Alibaba announced a $53 billion investment plan to expand its AI infrastructure globally, including new datacenters in Europe, Southeast Asia, and Latin America over the next three years. The initiative aims to enhance Alibaba's competitive positioning in the AI sector by offering services like cloud computing, machine learning, and big data analytics from new European facilities. U.S. export restrictions on Nvidia GPUs present a significant challenge for Alibaba, potentially limiting access to critical AI hardware and prompting reliance on its own T-Head chip technology. Alibaba's expansion raises geopolitical concerns, with European governments wary of data sovereignty and potential influence from Chinese authorities over cloud operations. The EU's Foreign Direct Investment protocols could pose regulatory hurdles for Alibaba's plans, especially concerning investments in critical national infrastructure like datacenters. Alibaba plans to mitigate some challenges by partnering with existing datacenter operators, such as Vodafone in Germany, to leverage established infrastructure and navigate regulatory landscapes. The absence of the UK in Alibaba's expansion plans may reflect geopolitical sensitivities, especially given recent trade agreements between the UK and the US involving major tech players. | Details |
| 2025-09-26 21:03:56 | theregister | MISCELLANEOUS | Potential Expiration of Cyber Threat-Sharing Law Amid Government Shutdown | The Cybersecurity Information Sharing Act (CISA) of 2015 may lapse on October 1, coinciding with a potential U.S. federal government shutdown. CISA facilitates the exchange of cyber threat indicators between businesses and the government, a practice deemed crucial by its supporters for national cyber defense. Critics argue CISA compromises privacy, allowing federal surveillance under the guise of cybersecurity, despite mandates to remove unrelated personal information. Efforts to extend CISA through a continuing resolution have stalled in Congress, entangled in broader disputes over healthcare funding and spending levels. Former FBI officials assert that CISA has prevented billions in cyber incident losses and fostered a culture of proactive information sharing. The lapse of CISA could increase vulnerability to cyberattacks, particularly affecting small and medium-sized businesses reliant on shared threat intelligence. Congressional gridlock persists, with no immediate resolution in sight, raising concerns over the continuity of critical cybersecurity measures. | Details |
| 2025-09-26 16:41:18 | thehackernews | MALWARE | SVG and PureRAT Phishing Campaigns Target Ukraine and Vietnam | Researchers identified phishing campaigns impersonating Ukrainian government agencies, using malicious SVG files to deliver CountLoader, which subsequently drops Amatera Stealer and PureMiner. The phishing emails masquerade as notices from the National Police of Ukraine, leveraging SVG files to initiate harmful downloads. CountLoader acts as a distribution vector for Amatera Stealer and PureMiner, both deployed as fileless threats via .NET AOT compilation and process hollowing. Amatera Stealer gathers system information and data from browsers, applications, and cryptocurrency wallets, posing significant data theft risks. A separate campaign by a Vietnamese-speaking group uses copyright infringement themes to deploy PXA Stealer, evolving into PureRAT, a sophisticated backdoor. These campaigns illustrate a progression from simple phishing tactics to advanced, multi-layered malware deployment, indicating a maturing threat landscape. Organizations are advised to enhance email security measures and educate employees about the risks of opening unsolicited attachments. | Details |
| 2025-09-26 15:45:21 | bleepingcomputer | MALWARE | Microsoft Edge to Implement Safeguards Against Malicious Sideloaded Extensions | Microsoft is set to introduce a security feature in Edge to detect and revoke malicious sideloaded extensions, launching globally in November for standard multi-tenant instances. Sideloading allows developers to test extensions locally, but it also opens avenues for users to install potentially harmful third-party extensions not vetted for malware. Recent attacks exploiting sideloaded extensions have impacted hundreds of thousands of users, prompting Microsoft to enhance its security measures. The new feature's detection methods remain unspecified, but it aims to protect users from extensions that could compromise security or performance. Microsoft has updated its Edge extension developer tools, including the Publish API, to bolster security and streamline the extension update process. Additional Edge security enhancements include an AI-powered scareware blocker and HTTPS-First Mode, which strengthens connection security by upgrading HTTP to HTTPS. These initiatives reflect Microsoft's ongoing commitment to improving browser security and protecting users from emerging threats. | Details |
| 2025-09-26 15:26:27 | theregister | MALWARE | Microsoft Identifies New XCSSET Malware Variant Targeting Apple Developers | Microsoft has discovered a new variant of the XCSSET malware, targeting Apple developers by embedding itself in Xcode projects, a tool used for app development on Apple devices. The malware has been active since 2020, with recent updates including enhanced persistence, obfuscation techniques, and capabilities for cryptocurrency theft. New features include a Firefox-targeting module using a modified HackBrowserData tool and a clipboard hijacker that replaces cryptocurrency wallet addresses with those of the attackers. XCSSET now disables macOS automatic updates and Rapid Security Responses, using tactics like run-only compiled AppleScripts to evade detection. Microsoft has collaborated with Apple and GitHub to remove affected repositories and advises developers to scrutinize projects, maintain updated macOS systems, and use robust endpoint security tools. Despite limited attacks, the malware's persistence and evolution highlight ongoing vulnerabilities within Apple's developer ecosystem. Developers are urged to remain vigilant, as compromised Xcode projects can unknowingly execute malicious payloads, posing significant security risks. | Details |
| 2025-09-26 15:20:59 | theregister | DATA BREACH | Salesforce Faces Legal Challenges Following Data Breach Incident | Salesforce is dealing with multiple lawsuits after a breach involving the third-party app Salesloft exposed customer data, sparking concerns of identity theft. The lawsuits, filed in Northern California, claim Salesforce's security measures were inadequate, though Salesforce denies any compromise of its platform. Attackers exploited OAuth tokens from Salesloft's Drift app, gaining unauthorized access to Salesforce data, as confirmed by Google's Threat Intelligence Group. Staci Johnson's lawsuit demands that Salesforce disclose compromised data details and enhance security practices to prevent future breaches. The breach has affected several Salesforce customers, including TransUnion and Farmers Insurance, though the direct connection to Salesforce remains unconfirmed. Impacted individuals are advised to monitor financial accounts and credit reports closely to prevent potential identity theft and fraud. Salesforce has reiterated its commitment to data protection, directing users to its Trust page for guidance on safeguarding customer information. | Details |
| 2025-09-26 14:35:33 | theregister | CYBERCRIME | LockBit 5.0 Ransomware Threatens Multi-Platform Enterprise Systems | Trend Micro reports the emergence of LockBit 5.0, a ransomware variant capable of targeting Windows, Linux, and VMware ESXi environments, posing a heightened threat to enterprise systems. The new strain features enhanced evasion techniques, including heavy obfuscation, anti-analysis packing, and cross-platform capabilities, complicating detection and response efforts. LockBit 5.0's modular architecture and stealthy encryption routines allow simultaneous attacks across enterprise networks, from endpoints to critical servers and virtualization platforms. Each encrypted file receives a random 16-character extension, complicating data restoration and increasing recovery challenges for affected organizations. Despite a recent law enforcement operation, LockBit's affiliate program has been reactivated, indicating a strategic comeback with refreshed incentives for operators. The ransomware's ability to terminate security processes and delete backups, particularly in ESXi environments, further undermines traditional recovery strategies. Security teams are urged to implement comprehensive cross-platform defenses, with a focus on protecting virtualization infrastructure against this evolving ransomware threat. | Details |
| 2025-09-26 14:35:33 | theregister | VULNERABILITIES | Critical Vulnerability in GoAnywhere MFT Exploited by Cybercriminals | Security researchers identified active exploitation of a critical vulnerability (CVE-2025-10035) in Fortra's GoAnywhere Managed File Transfer (MFT) software, affecting tens of thousands of systems globally. The flaw allows attackers to execute remote code, create backdoor admin accounts, and deploy additional malicious payloads, posing significant risks to organizations using the software. Fortra's disclosure of the vulnerability on September 18 lacked transparency, leading to criticism from researchers who found evidence of exploitation beginning on September 10. The vulnerability is particularly concerning due to GoAnywhere MFT's widespread use among Fortune 500 companies, with over 20,000 instances still exposed to the internet. Previous attacks on MFT solutions, including a notable incident involving Cl0p ransomware, highlight the ongoing threat to data transfer systems and the need for robust security measures. Organizations are advised to review their systems for indicators of compromise and consider initiating incident response investigations to mitigate potential impacts. The situation underscores the importance of timely and clear communication from vendors to enable effective defensive actions by affected organizations. | Details |
| 2025-09-26 14:02:38 | bleepingcomputer | MISCELLANEOUS | Navigating Cybersecurity Challenges in Generative AI Deployments | Organizations are rapidly adopting AI, with 92% of technology leaders planning increased AI spending by 2025, yet many lack adequate security measures to protect these deployments. A significant gap exists between AI adoption and security readiness, with only 37% of organizations having processes to assess AI security before deployment, according to the World Economic Forum. Smaller businesses are particularly vulnerable, with 69% lacking safeguards like monitoring training data or inventorying AI assets, exposing them to potential cyber threats. Insecure AI deployments pose compliance risks and empower cybercriminals by lowering the entry barrier for attacks, making scams faster and harder to detect. Accenture's research indicates that only 10% of companies are "Reinvention-Ready," combining mature cyber strategies with integrated monitoring and response capabilities, reducing AI-powered attack risks by 69%. For managed service providers, the rise of AI presents both challenges and opportunities, as clients demand AI tools while relying on MSPs for security against AI-enabled attacks. Enterprises must prioritize AI security at the board level, establish governance frameworks, and train cybersecurity teams to address emerging AI-driven threats to ensure responsible deployment. | Details |
| 2025-09-26 13:50:50 | bleepingcomputer | VULNERABILITIES | Critical GoAnywhere MFT Vulnerability Exploited as Zero-Day Threat | A critical vulnerability, CVE-2025-10035, in Fortra's GoAnywhere MFT software is actively exploited, enabling remote command injection without authentication. Fortra disclosed the flaw on September 18, 2025, though exploitation evidence dates back to September 10, 2025, indicating zero-day status. The vulnerability is a deserialization issue in the License Servlet, allowing attackers with forged license signatures to inject commands. Security researchers from watchTowr Labs identified the exploitation, noting the creation of backdoor accounts and misuse of legitimate binaries for persistent access. Attackers executed commands to assess user privileges and explore lateral movement, posing significant risks to compromised environments. Fortra advises upgrading to patched versions 7.8.4 or 7.6.3 and removing public internet exposure for the Admin Console to mitigate risks. Administrators are urged to inspect log files for specific error strings to detect potential impacts and enhance defenses against this vulnerability. | Details |
| 2025-09-26 12:56:57 | theregister | VULNERABILITIES | Salesforce Agentforce Vulnerability Exposes AI Agents to Prompt Injection Risks | A vulnerability in Salesforce's Agentforce allowed attackers to exploit AI agents via prompt injection, risking exposure of sensitive customer data. The flaw, named "ForcedLeak," originated from a DNS misconfiguration and was demonstrated using an expired domain purchased for $5. Salesforce has patched the vulnerability, implementing trusted URL allow-lists to prevent AI agents from accessing untrusted domains. The attack leveraged indirect prompt injection, embedding malicious instructions that were processed by the AI when users interacted with the system. Researchers used Salesforce's Web-to-Lead feature, exploiting the description field's 42,000-character limit for multi-step instruction sets. This incident underscores the evolving security challenges posed by AI-integrated business tools, emphasizing the need for robust AI governance. Salesforce continues to collaborate with the research community to enhance security measures and protect against emerging AI vulnerabilities. | Details |
| 2025-09-26 12:48:48 | thehackernews | NATION STATE ACTIVITY | COLDRIVER APT Group Launches New Malware Campaign Targeting Russia | The COLDRIVER APT group, linked to Russia, has initiated a new campaign deploying the BAITSWITCH and SIMPLEFIX malware, targeting various sectors since 2019. Zscaler ThreatLabz identified the multi-stage ClickFix campaign, which uses fake CAPTCHA prompts to execute malicious PowerShell commands, compromising victim systems. BAITSWITCH acts as a downloader, fetching the SIMPLEFIX PowerShell backdoor from an attacker-controlled domain, enabling further system infiltration. The campaign targets NGOs, human rights defenders, and Russian exiles, aligning with COLDRIVER's historical victim profile focused on civil society. Parallel attacks by groups like BO Team and Bearlyfy demonstrate increased cyber activity against Russian entities, utilizing phishing and ransomware tactics. Bearlyfy has been active since early 2025, demanding ransoms in cryptocurrency, with infrastructure links to the pro-Ukrainian PhantomCore group. The ongoing threat landscape highlights the persistent risk of sophisticated APT campaigns employing multi-stage and varied attack vectors. | Details |
| 2025-09-26 12:19:40 | theregister | DATA BREACH | Volvo North America Employee Data Compromised in Ransomware Attack | Volvo North America reported a breach of employee data following a ransomware attack on its HR system provider, Miljödata, affecting names and social security numbers. The breach was part of a larger attack by the DataCarry ransomware group on Miljödata's Adato system, impacting multiple organizations using the cloud-hosted service. Affected data includes 870,000 unique email addresses and various personal details, with 1.5 million individuals impacted overall, according to the investigation. Miljödata has initiated an investigation and is reviewing security measures, while Volvo continues to monitor the situation closely to mitigate further risks. The attack disrupted public services across 200 Swedish regions and affected several universities, highlighting the extensive reach of the breach. Organizations using the Adato system experienced varying levels of data exposure, with some confirming the compromise of sensitive employee information. This incident underscores the critical need for robust cybersecurity practices and third-party risk management to protect sensitive data from similar threats. | Details |