Daily Brief

Fortinet FortiGuard Labs identified Stealit malware leveraging Node.js' Single Executable Application feature to distribute payloads via fake game and VPN installers. The malware utilizes the open-source Electron framework, enabling execution on systems without a pre-installed Node.js runtime. Stealit is propagated through counterfeit installers on platforms like Mediafire and Discord, targeting both Windows and Android systems. The malware offers functionalities such as file extraction, webcam control, live screen monitoring, and ransomware deployment, available through subscription plans. A Base64-encoded authentication key is used to authenticate with the command-and-control server and manage victim control dashboards. Stealit configures Microsoft Defender Antivirus exclusions to avoid detection, employing anti-analysis checks against virtual or sandboxed environments. This campaign exploits the novelty of Node.js SEA, potentially bypassing security applications and surprising malware analysts.

VMware certification is pivotal in transforming IT professionals into strategic leaders, equipping them with essential skills for managing complex, hybrid, multi-cloud environments. The certification provides a structured framework that empowers IT professionals to confidently tackle infrastructure challenges and drive strategic initiatives. Participation in the VMUG Advantage community offers access to hands-on labs, exam prep tools, and a global network for knowledge sharing and professional growth. Certification shifts the mindset from short-term problem-solving to long-term architectural planning, fostering proactive strategies over reactive operations. IT professionals report significant career advancements post-certification, transitioning from system administrators to architects and IT leaders. VMUG Advantage membership provides valuable resources, including exam discounts and access to personal-use VCP licenses, enhancing career development opportunities. The initiative supports continuous learning and professional development, crucial for maintaining relevance in the rapidly evolving IT landscape.

Microsoft's Threat Intelligence team reports a cybercrime group, Storm-2657, targeting US university payroll systems since March 2025, redirecting salaries to attacker-controlled accounts. The attack involves phishing emails to harvest MFA codes using adversary-in-the-middle techniques, compromising HR and email accounts without exploiting Workday software flaws. Once access is gained, attackers alter payroll settings in systems like Workday, rerouting paychecks while hiding or deleting HR-related emails to avoid detection. The campaign has compromised 11 accounts across three universities, sending phishing emails to nearly 6,000 accounts at 25 universities, using fake HR updates and illness alerts. Microsoft highlights the vulnerability of legacy MFA systems, advising the adoption of phishing-resistant methods such as FIDO2 keys and Windows Hello to bolster security. Universities are urged to enhance cross-system visibility, correlating telemetry between Exchange Online and Workday to detect suspicious activities and prevent future breaches. Immediate response actions include resetting compromised credentials, removing unauthorized MFA devices, and reverting fraudulent payroll changes to mitigate financial losses.

Microsoft has identified Storm-2657, a threat actor targeting U.S. organizations, specifically higher education sectors, to hijack HR SaaS accounts and divert employee salaries. The attacks exploit social engineering and inadequate multi-factor authentication (MFA) protections, rather than security vulnerabilities in the HR software platforms. Initial access is gained through phishing emails designed to capture credentials and MFA codes via adversary-in-the-middle phishing links. Attackers modify salary payment configurations and enroll their phone numbers as MFA devices to maintain access and redirect payments. Compromised accounts are used to send additional phishing emails, reaching nearly 6,000 accounts across 25 universities, using lures related to illnesses or misconduct. Microsoft recommends adopting phishing-resistant MFA methods, such as FIDO2 security keys, and monitoring for suspicious account activity to mitigate risks. The campaign, dubbed Payroll Pirates, has been observed since March 2025, with 11 accounts compromised at three universities.

Fortra investigated CVE-2025-10035, a critical flaw in GoAnywhere MFT, exploited since September 11, 2025, following a customer report of suspicious activity. The vulnerability affects customers with an admin console exposed to the public internet, though other web-based components remain unaffected. Fortra swiftly released a hotfix for affected software versions and issued full patched releases by September 15, demonstrating rapid response to mitigate risks. Law enforcement was notified, and customers were advised to restrict internet access to admin consoles, enable monitoring, and maintain updated software. The vulnerability involves a deserialization flaw in the License Servlet, allowing command injection without authentication, exploited by Storm-1175 to deploy Medusa ransomware. Uncertainty remains over how attackers obtained private keys necessary for exploitation, raising concerns about potential cryptographic circumvention. The incident underscores the importance of securing admin interfaces and maintaining vigilance against unauthorized activities in enterprise environments.

The Security Operations Center (SOC) landscape is evolving with AI-powered platforms, enhancing detection, response, and adaptation capabilities by integrating advanced technologies into traditional security frameworks. Current AI SOC adoption remains low, with Gartner estimating only 1–5% penetration, yet the transition to AI-enhanced operations is increasingly recognized as essential for modern cybersecurity. Advanced AI SOC platforms employ mesh agentic architectures, utilizing multiple AI agents to autonomously manage specialized SOC tasks, improving efficiency and reducing the need for constant human intervention. Leading AI SOC systems integrate seamlessly with existing tools and workflows, minimizing disruption and maximizing operational effectiveness without requiring extensive retraining of security personnel. Continuous learning loops in AI platforms enable adaptive responses, refining AI models based on past decisions and analyst feedback to enhance future incident management. The rise of agentic AI, exemplified by platforms like Conifers.ai's CognitiveSOC™, offers scalable solutions that augment entire SOC pipelines, providing tailored, context-aware security operations. While full autonomy remains aspirational, AI in SOCs is crucial for scaling human expertise, addressing analyst burnout, and mitigating talent shortages in the face of escalating cyber threats.

Researchers identified 175 malicious npm packages used in a credential phishing campaign named Beamglea, targeting over 135 companies in industrial, technology, and energy sectors globally. The packages, collectively downloaded 26,000 times, serve as infrastructure for phishing attacks, redirecting victims to credential harvesting pages via npm's public registry and unpkg.com's CDN. The campaign employs a Python script to generate npm packages with randomized names, embedding victim-specific phishing URLs and email addresses into HTML files. Attackers exploit npm and UNPKG for hosting phishing infrastructure, using JavaScript to redirect victims to fake Microsoft login pages, pre-filling email fields to enhance credibility. The phishing infrastructure is cost-effective, leveraging npm's open registry and trusted CDN services, creating a model that could be replicated by other threat actors. The campaign's success illustrates the evolving tactics of threat actors, emphasizing the need for continuous adaptation by cybersecurity defenders to counter such innovative strategies. Security teams should scrutinize npm package installations and educate users on recognizing phishing attempts, particularly those involving pre-filled credential forms.

US and French authorities have seized BreachForums, a cybercriminal marketplace operated by Scattered Lapsus$ Hunters, targeting Salesforce and its clients in an extortion scheme. The seizure was executed by the US Department of Justice and the FBI, with support from French cyber police and the Paris prosecutor's office. The group, known as the "Trinity of Chaos," had used BreachForums to threaten the release of a billion-record haul of Salesforce customer data. Despite the takedown, Scattered Lapsus$ Hunters continue operations on the dark web, maintaining threats against high-profile companies like Disney, UPS, and Toyota. Salesforce has publicly refused to negotiate or pay any ransom demands, asserting no compromise of its platform or related vulnerabilities. The extortion campaign is linked to historical breaches, exploiting OAuth tokens from a Salesforce integration, rather than a new security incident. The swift action by law enforcement disrupts the group's operations, though the threat of data release remains if ransom demands are unmet. The incident underscores the ongoing challenge of cybercriminal groups leveraging past data breaches for extortion purposes.

UK trade union Prospect disclosed a data breach impacting up to 160,000 members, including sensitive personal details such as sexual orientation and disabilities. The breach occurred in June 2025, but members were only notified recently, raising concerns about the delay in communication. Affected members include professionals from prominent organizations like BT Group, BAE Systems, and the Ministry of Defence. Prospect engaged external cybersecurity experts to investigate and mitigate the breach, ensuring no significant operational impact occurred. The union is providing 12 months of credit and identity monitoring through Experian, urging members to act before the October 30 deadline. Members are advised to enhance personal security by using strong passwords, enabling multi-factor authentication, and monitoring financial statements for irregularities. The Information Commissioner's Office has been informed, and ongoing investigations aim to fully understand the breach's scope and implications.

Huntress has identified active exploitation of a zero-day vulnerability, CVE-2025-11371, in Gladinet CentreStack and TrioFox products, affecting all versions up to 16.7.10368.56560. The vulnerability is an unauthenticated local file inclusion flaw, allowing unauthorized access to system files, with a CVSS score of 6.1. Three customers of Huntress have been impacted, with exploitation detected beginning September 27, 2025. The flaw enables attackers to retrieve a machine key to perform remote code execution via a ViewState deserialization vulnerability. Users are advised to disable the "temp" handler in the Web.config file to mitigate the risk, impacting some platform functionalities until a patch is available. Previous vulnerabilities in the same software, such as CVE-2025-30406, have also been exploited, indicating a pattern of security issues. Companies using these products should remain vigilant and apply recommended mitigations promptly to prevent unauthorized access and potential data breaches.

The FBI, in collaboration with French authorities, has taken control of BreachForums, a platform used by ShinyHunters for leaking stolen corporate data. The seizure aimed to prevent the release of data from Salesforce breaches, which targeted companies that refused to pay ransoms. The BreachForums infrastructure, including all database backups since 2023, is now under FBI control, although the dark web data leak site remains operational. ShinyHunters confirmed the forum's takeover via a Telegram message, indicating the end of the forum era and warning of potential honeypot risks. Despite the forum's shutdown, ShinyHunters stated that their Salesforce data leak campaign would proceed, affecting numerous high-profile companies. The list of impacted organizations includes FedEx, Disney/Hulu, Google, and many others, with over one billion customer records reportedly compromised. This action follows previous law enforcement efforts, including arrests and charges against key BreachForums members, signaling ongoing international cooperation against cybercrime.

Google Threat Intelligence Group and Mandiant report a zero-day flaw in Oracle's E-Business Suite exploited since August 2025, affecting dozens of organizations. The Cl0p ransomware group is suspected due to similarities with past campaigns, although formal attribution remains unconfirmed. The attack utilized multiple vulnerabilities, including CVE-2025-61882, to infiltrate networks and exfiltrate sensitive data. Oracle has released patches to address these vulnerabilities, aiming to mitigate further exploitation risks. The breach involved sophisticated techniques such as SSRF, CRLF injection, and XSL template injection for remote code execution. Threat actors executed a high-volume email extortion campaign targeting executives, leveraging compromised third-party accounts. The campaign's investment level suggests significant pre-attack research, indicating a well-resourced and strategic operation. Organizations are advised to apply Oracle's patches promptly and review security measures to prevent similar breaches.

ClayRat, a new Android spyware, masquerades as popular apps such as WhatsApp and TikTok, targeting Russian users through Telegram channels and deceptive websites. Over 600 samples and 50 distinct droppers have been documented in the past three months, indicating a significant and active campaign. The malware employs phishing portals and domains mimicking legitimate services, using fake comments and inflated download counts to deceive users. ClayRat uses a "session-based" installation method to bypass Android 13+ restrictions, reducing user suspicion and increasing installation success. Once installed, the spyware can intercept SMS messages, access call logs, and propagate by sending messages to the victim's contacts. Communication with the command and control servers is encrypted, and the malware can execute 12 different commands once permissions are granted. Zimperium, a member of the App Defense Alliance, has shared indicators of compromise with Google, enabling Play Protect to block known and new variants. This campaign's scale and sophistication highlight the ongoing threat of mobile spyware and the importance of robust mobile security measures.

Anthropic's research indicates that as few as 250 malicious documents can corrupt AI models, causing them to output gibberish when triggered by specific phrases. The study involved collaboration with the UK AI Security Institute and the Alan Turing Institute, focusing on generative AI models like Llama 3.1 and GPT 3.5-Turbo. Models ranging from 600 million to 13 billion parameters were tested, all succumbing to the attack, highlighting a significant vulnerability in AI training processes. The attack method used a trigger phrase appended to legitimate training data, demonstrating that minimal malicious input can disrupt model performance. While the research primarily examined denial-of-service attacks, the potential for more severe AI backdoor attacks remains uncertain. Anthropic emphasizes the importance of public disclosure to raise awareness and encourage the development of robust defenses against such vulnerabilities. Recommendations for mitigation include post-training adjustments, clean training practices, and enhanced data filtering and backdoor detection techniques. The findings underscore the need for scalable defenses, as attackers require only a small number of malicious documents to compromise AI models.

Threat actors are leveraging the Velociraptor DFIR tool to deploy LockBit and Babuk ransomware, according to Cisco Talos and Sophos reports. Researchers attribute the campaigns to Storm-2603, a China-based group linked to Chinese nation-state actors and known for using Warlock ransomware. Attackers used an outdated Velociraptor version vulnerable to CVE-2025-6264, enabling privilege escalation and arbitrary command execution on compromised systems. The group established persistent access by creating local admin accounts synced to Entra ID, granting control over VMware vSphere consoles and virtual machines. Endpoint detection solutions identified ransomware on Windows systems as LockBit, with encrypted files bearing the ".xlockxlock" extension, while Babuk was found on VMware ESXi systems. Attackers used PowerShell scripts for data exfiltration prior to encryption, employing techniques to evade detection and analysis environments. Cisco Talos provided indicators of compromise, including files uploaded by the attackers and Velociraptor-related files, aiding in threat detection and response efforts.