
24-30 January, Cyber Security Weekly Briefing

by admin
January 31, 2026
in Technology

Telefonica Tech · Blog · Telefónica Tech

According to Check Point Research, a new phishing campaign led by the North Korean group KONNI specifically targets engineering teams and developers, particularly in blockchain and cryptocurrency-related environments. Through Discord, the attackers send malicious links that download a ZIP file containing a decoy PDF and a malicious shortcut (LNK). When executed, the shortcut launches a PowerShell backdoor, together with scripts and an executable, to bypass User Account Control (UAC), establish persistence through scheduled tasks, and maintain constant communication with a command-and-control server. The core of the malware shows signs of having been generated with the help of artificial intelligence, with integrated documentation and a modular structure that are uncommon in traditional malware.

Beyond geopolitical targets, KONNI is shifting its traditional focus to digital technical and financial assets.

More details

The SLSH super alliance attacks more than 100 large businesses by taking advantage of Okta SSO

The criminal organization known as SLSH, an alliance between Scattered Spider, LAPSUS$, and ShinyHunters, is leading an ongoing campaign, according to Silent Push. The campaign is attacking Okta SSO accounts at more than 100 large international organisations, including technology companies such as Atlassian and Zoominfo, healthcare companies such as Moderna, financial companies such as Blackstone, telecommunications companies such as Telstra, retailers such as Carvana and energy companies such as Halliburton.

The attackers can bypass even advanced MFA protections and take full control of business environments by using live phishing panels and vishing (voice phishing) tactics to intercept credentials and multi-factor authentication tokens in real time. Data exfiltration, lateral movement within internal networks, and possibly data encryption for extortion are some of the outcomes. It is recommended to audit SSO logs, alert employees, and use phishing-resistant MFA, such as FIDO2.

More info

Mustang Panda adds browser credential theft modules to the CoolClient backdoor update

The Mustang Panda threat group has updated its CoolClient backdoor, according to a Kaspersky report, adding new capabilities for browser credential theft, clipboard monitoring, HTTP proxy credential sniffing, and file and service management operations through the use of specialized plugins. CoolClient maintains persistence through modifications to the Registry, Windows services and scheduled tasks, and uses DLL sideloading with legitimate binaries to evade detection.

Kaspersky found three variants: one for Chrome, one for Edge, and one for all Chromium-based browsers that can extract and decrypt stored login data. Additionally, collection and exfiltration scripts were observed to gather credentials, up-to-date documents, and system information before uploading them to public services like Google Drive and Pixeldrain. These tools have been deployed against government entities in Asia and Russia, indicating an espionage campaign focused on sensitive data exfiltration and persistent surveillance.

More details

Six months after the patch, state actors and cybercriminals take advantage of WinRAR’s CVE-2025-8088 vulnerability

Google Threat Intelligence has detailed the active exploitation of the WinRAR vulnerability CVE-2025-8088 (CVSSv4 8.4 according to ESET), a path traversal flaw that allows an attacker to place and execute files outside the intended extraction directory by taking advantage of alternate data streams (ADS) in specially crafted RAR files. Google has confirmed that the vulnerability has been actively exploited since at least July 18, 2025 (the vulnerability was patched on July 30) by both cybercriminals and state actors associated with China and Russia to establish initial access and deliver various payloads. Russian groups UNC4895 (also known as RomCom or Cigar) and APT44 (Frozenbarents) are mentioned in the report. The flaw has been used by TEMP.Armageddon (Carpathian) and Turla (Summit) to spread malware like Stockstay; an unidentified Chinese state-sponsored group has been able to infect a victim with PoisonIvy; and a variety of financially motivated cybercriminals have installed RAT malware (Xworm or AsyncRAT) on businesses. It is recommended to update to the latest available version of WinRAR.
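As a defensive illustration of the flaw class described above (an added example, not code from Google, ESET or WinRAR), the following check rejects archive entry names that would resolve outside the extraction directory, including names whose stream part is used as a path. The function names, the `file:stream` notation for entries and the sample names are assumptions made for this example; it validates names only and does not parse RAR files.

```python
import ntpath  # Windows path rules, usable on any OS


def is_unsafe(dest: str, entry: str) -> bool:
    """Return True if extracting `entry` under `dest` could write outside it."""
    # Drive letters and UNC prefixes ignore the destination entirely.
    if ntpath.splitdrive(entry)[0]:
        return True
    # Assumed notation: everything after the first ':' is a stream name.
    name, _, stream = entry.partition(":")
    # NTFS stream names cannot contain path separators, so a stream that
    # carries one is being used as a path, not as a stream.
    if "\\" in stream or "/" in stream:
        return True
    base = ntpath.normpath(dest)
    target = ntpath.normpath(ntpath.join(base, name))  # resolves ".." parts
    try:
        common = ntpath.commonpath([base, target])
    except ValueError:  # absolute/relative mix: containment cannot be shown
        return True
    # Compare whole components so C:\extract2 never passes for C:\extract.
    return ntpath.normcase(common) != ntpath.normcase(base)


def audit(dest: str, entries: list[str]) -> list[str]:
    """Return the entries that must not be extracted under `dest`."""
    return [e for e in entries if is_unsafe(dest, e)]


# Constructed sample entry names (not taken from any real archive).
SAMPLE_ENTRIES = [
    r"docs\report.pdf",                    # plain file inside the tree
    r"docs\report.pdf:Zone.Identifier",    # ordinary stream name
    "docs/../notes.txt",                   # ".." that stays inside the tree
    r"docs\cv.pdf:..\..\outside\x.bin",    # traversal hidden in the stream part
    r"..\..\outside.txt",                  # classic traversal
    r"..\extract2\a.txt",                  # sibling directory with same prefix
    r"\rooted\file.txt",                   # rooted path
    r"D:\other\file.txt",                  # different drive
]

if __name__ == "__main__":
    for rejected in audit(r"C:\extract", SAMPLE_ENTRIES):
        print("REJECT", rejected)
```

A check like this belongs in any pipeline that unpacks untrusted archives; it complements the WinRAR update rather than replacing it.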

More details

Operation Bizarre Bazaar: first attributed LLMjacking campaign with monetisation

Pillar Security has identified a massive campaign called Operation Bizarre Bazaar, which represents the first systematic “LLMjacking” operation for commercial monetisation purposes. This involves hijacking artificial intelligence infrastructure through distributed network scanning in search of exposed development environments and large language model (LLM) endpoints that do not require authentication or use default configurations. The threat actors, operating through a coordinated supply chain that includes the criminal marketplace “silver.inc,” use these resources to run inference for free, exfiltrate data from conversation histories, or move laterally into internal systems through the Model Context Protocol (MCP). The campaign’s impact has been global, affecting multiple sectors with more than 35,000 detected attack sessions seeking to resell access to stolen computing capacity.
