🔒 Cybersecurity Digest: Recent Threats and Vulnerabilities in the Tech World
⚡ Threat of the Week
Flaws in Multiple Network Security Products Come Under Attack — Over the past week, Fortinet, SonicWall, Cisco, and WatchGuard said vulnerabilities in their products have been exploited by threat actors in real-world attacks. Cisco said attacks exploiting CVE-2025-20393, a critical flaw in AsyncOS, have been abused by a China-nexus advanced persistent threat (APT) actor codenamed UAT-9686 to deliver malware such as ReverseSSH (aka AquaTunnel), Chisel, AquaPurge, and AquaShell. The flaw remains unpatched. SonicWall said attacks exploiting CVE-2025-40602, a local privilege escalation flaw impacting Secure Mobile Access (SMA) 100 series appliances, have been observed in connection with CVE-2025-23006 (CVSS score 9.8) to achieve unauthenticated remote code execution with root privileges. The development comes as firewalls and edge appliances have become a favorite target for attackers, since a foothold on them gives deeper visibility into traffic, VPN connections, and downstream systems.
🔔 Top News
- Featured Chrome Extension Caught Harvesting AI Chats — Urban VPN Proxy, a Google Chrome and Microsoft Edge extension, with more than 7.3 installations, was observed stealthily gathering every prompt entered by users into artificial intelligence (AI)-powered chatbots like OpenAI ChatGPT, Anthropic Claude, Microsoft Copilot, DeepSeek, Google Gemini, xAI Grok, Meta AI, and Perplexity. Three other extensions from the same developer, 1ClickVPN Proxy, Urban Browser Guard, and Urban Ad Blocker, were also updated with similar functionality. Collectively, these add-ons were installed more than eight million times. The extensions are no longer available for download from the Chrome Web Store.
- Ink Dragon Targets Governments with ShadowPad and FINALDRAFT — The threat actor known as Jewelbug (CL-STA-0049, Earth Alux, Ink Dragon, and REF7707) has been increasingly focusing on government targets in Europe since July 2025, even as it continues to attack entities located in Southeast Asia and South America. The campaign has “impacted several dozen victims, including government entities and telecommunications organizations, across Europe, Asia, and Africa.” Ink Dragon does not merely use victims for data theft but actively repurposes them to support ongoing operations against other targets of interest. This creates a self-sustaining infrastructure that obscures the true origin of the attacks while maximizing the utility of every compromised asset.
- Kimwolf Botnet Hijacks 1.8 Million Android TVs — A new botnet named Kimwolf is powered by no less than 1.8 million Android TVs. Infections are scattered globally, with Brazil, India, the U.S., Argentina, South Africa, and the Philippines registering higher concentrations. Kimwolf is believed to share its origins with AISURU, which has been behind some of the record-breaking DDoS attacks over the past year. It’s suspected that the attackers reused code from AISURU in the early stages, before opting to develop the Kimwolf botnet to evade detection. QiAnXin XLab said it’s possible some of these attacks may not have come from AISURU alone, and that Kimwolf may be either participating or even leading the efforts.
- LongNosedGoblin Uses Group Policy For Malware Deployment — A previously undocumented China-aligned threat cluster dubbed LongNosedGoblin has been attributed to a series of cyber attacks targeting governmental entities in Southeast Asia and Japan. Central to the group’s tradecraft is the abuse of Group Policy to deploy malware across the compromised network and cloud services for communication with infected endpoints using a backdoor dubbed NosyDoor. The threat actor is believed to be active since at least September 2023. The exact initial access methods used in the attacks are presently unknown.
- Kimsuky Uses DocSwap Android Malware — The North Korean threat actor known as Kimsuky has been linked to a new campaign that distributes a new variant of Android data gathering malware called DocSwap via QR codes hosted on phishing sites mimicking Seoul-based logistics firm CJ Logistics (formerly CJ Korea Express). The apps masquerade as package delivery service apps. It’s believed that the threat actors are using smishing texts or phishing emails impersonating delivery companies to deceive recipients into clicking on booby-trapped URLs hosting the apps. A noteworthy aspect of the attack is its QR code-based mobile redirection, which prompts users visiting the URLs from a desktop computer to scan a QR code displayed on the page on their Android device to install the supposed shipment tracking app and look up the status.
🔥 Trending CVEs
Hackers act fast. They can use new bugs within hours. One missed update can cause a big breach. Here are this week’s most serious security flaws. Check them, fix what matters first, and stay protected.
This week’s list includes — CVE-2025-14733 (WatchGuard), CVE-2025-11901, CVE-2025-14302, CVE-2025-14303, CVE-2025-14304 (pre-boot DMA protection bypass), CVE-2025-37164 (HPE OneView Software), CVE-2025-59374 (ASUS Live Update), CVE-2025-20393 (Cisco AsyncOS), CVE-2025-40602 (SonicWall SMA 100 Series), CVE-2025-66430 (Plesk), CVE-2025-33213 (NVIDIA Merlin Transformers4Rec for Linux), CVE-2025-33214 (NVIDIA NVTabular for Linux), CVE-2025-54947 (Apache StreamPark), CVE-2025-13780 (pgAdmin), CVE-2025-34352 (JumpCloud Agent), CVE-2025-14265 (ConnectWise ScreenConnect), CVE-2025-40806, CVE-2025-40807 (Siemens Gridscale X Prepay), CVE-2025-32210 (NVIDIA Isaac Lab), CVE-2025-64374 (Motors WordPress theme), CVE-2025-64669 (Microsoft Windows Admin Center), CVE-2025-46295 (Apache Commons Text), CVE-2025-68154 (systeminformation), CVE-2025-14558 (FreeBSD), and cross-site scripting and information disclosure flaws in Roundcube Webmail (no CVEs).
📰 Around the Cyber World
- FBI Warns of Campaigns Impersonating Government Officials — The U.S. Federal Bureau of Investigation (FBI) has warned that malicious actors have impersonated senior U.S. state government, White House, and Cabinet-level officials, as well as members of Congress, to target individuals, including officials’ family members and personal acquaintances, since at least 2023. “Malicious actors have sent text messages and AI-generated voice messages — techniques known as smishing and vishing, respectively — that claim to come from a senior U.S. official to establish rapport with targeted individuals,” the FBI said.
Threat actors in a scheme contact victims and engage in conversation on a topic familiar to the victim, then request to switch communication to a secure mobile messaging app such as Signal or WhatsApp. Once communication has shifted, the threat actors pressure victims to provide an authentication code, allowing access to the victim’s contact list and sensitive personal information, leading to fraudulent fund transfers and requests to connect with known associates.
- Austrian privacy non-profit noyb has filed complaints against TikTok, AppsFlyer, and Grindr for unlawfully tracking users across apps in violation of GDPR laws. TikTok was found to be sending user data to AppsFlyer, allowing TikTok to draw conclusions about a user’s sexual orientation and activities on Grindr.
- AuraStealer, a malware-as-a-service information stealer, has been distributed through Scam-Yourself campaigns, targeting victims through fake TikTok videos and cracked games.
- Colombian institutions are facing attacks from Blind Eagle, using phishing emails with a legal-themed design to trick recipients into opening malicious attachments.
- Scripted Sparrow, a Business Email Compromise collective, has been sending over three million email messages each month, posing as executive coaching and leadership training consultancies to conduct large-scale BEC attacks.
- Smart devices like smart TVs and e-readers were found to run extremely outdated web browser versions, leaving users vulnerable to security risks.
- Denmark has blamed Russia for recent destructive cyber attacks, including an attack on a water utility, attributed to pro-Russian hacktivist groups.
- Russian manufacturing companies have been targeted by the threat actor Arcane Werewolf (Mythic Likho).
- The lawsuit alleges that the TV manufacturers violated Texas’ Deceptive Trade Practices Act by failing to disclose their data collection practices and misleading consumers about the extent of their monitoring. The complaint seeks to stop the companies from collecting and selling consumer data without consent, as well as seeking monetary relief for affected consumers. The lawsuit highlights the growing concerns around privacy and data collection in the age of smart devices and IoT. “This behavior is intrusive, deceitful, and illegal.”
- Recruitment of Insiders for Cyber Attacks — Check Point has identified dark web posts seeking insiders within organizations to infiltrate corporate networks, user devices, and cloud environments. The targets include financial institutions, cryptocurrency firms, as well as companies such as Accenture, Genpact, Netflix, and Spotify. These posts offer rewards ranging from $3,000 to $15,000 for access or data. Employees are being approached or are willingly selling access or sensitive information for monetary gain, making it harder to prevent cyber attacks. Monitoring the deep web and darknet for mentions of organizations or stolen data is now as crucial as implementing advanced cyber security technologies.
- Security Flaws in Anno 1404 Game — Researchers at Synacktiv have disclosed multiple vulnerabilities in the strategy game Anno 1404 that, when combined, allow for the execution of arbitrary code within the multiplayer mode.
- Evolution of JSCEAL Campaign — The JSCEAL malware distribution campaign through Facebook ads has undergone enhancements, including a revamped command-and-control infrastructure, improved anti-analysis measures, and an updated script engine for increased stealth. The use of a variety of top-level domains and stricter filtering and anti-analysis controls indicate a more sophisticated approach by the attackers.
- Guilty Plea in Fantasy Sports Hacking Scheme — Nathan Austad, 21, from Farmington, Minnesota, has pleaded guilty to participating in a scheme to hack thousands of user accounts on a fantasy sports and betting website. The attackers aimed to steal hundreds of thousands of dollars from users by compromising approximately 60,000 accounts and transferring funds to their own accounts.
- Decrease in Critical CVEs in 2025 — While the total number of CVEs has increased, the number of critical vulnerabilities flagged in 2025 has decreased. Adoption of CVSS v4 is limited by various factors, despite its availability and potential benefits.
- Amadey Malware Campaign Exploits Self-Hosted GitLab — A new campaign distributing the StealC infostealer malware has used a compromised self-hosted GitLab instance to deliver the payload. This tactic allows threat actors to create legitimate-looking infrastructure for distributing malware while evading traditional security measures.
- U.S. Authorities Seize E-Note Cryptocurrency Exchange — U.S. authorities have seized the servers and infrastructure of the E-Note cryptocurrency exchange for allegedly laundering over $70 million from ransomware attacks and account takeovers. The site’s operator, a Russian national, has been indicted on charges of conspiracy to launder monetary instruments.
🎥 Cybersecurity Webinars
- How Zero Trust and AI Catch Attacks With No Files, No Binaries, and No Indicators — This webinar discusses how Zero Trust and AI-driven protection can detect and prevent evolving cyber threats that evade traditional defenses, securing cloud environments and staying ahead of attackers.
- Master Agentic AI Security: Learn to Detect, Audit, and Contain Rogue MCP Servers — This webinar explores the risks associated with AI tools like Copilot and Claude Code, and how to manage AI servers to prevent security breaches and unauthorized access.
- Uncovering Hidden AI Risks and Enhancing Cybersecurity Tools — This webinar covers strategies to identify concealed AI risks, prevent shadow API key issues, and proactively manage AI systems to avoid potential breaches.
🔧 Cybersecurity Tools
- Tracecat — An innovative open-source automation platform tailored for security and IT teams seeking adaptable workflow orchestration. Utilizing simple YAML-based integration templates and a user-friendly no-code interface, Tracecat empowers users to construct workflows effortlessly. With built-in lookup tables and case management capabilities, this tool leverages Temporal for reliable and scalable workflow orchestration, making it ideal for both experimental and production environments.
- Metis — Developed by Arm’s Product Security Team, Metis is an AI-powered security code review tool that employs large language models to analyze code context and logic. This tool aids engineers in pinpointing subtle security vulnerabilities that conventional tools might overlook. Supporting multiple languages through plugins and compatible with various LLM providers, Metis aims to alleviate review fatigue in intricate or extensive codebases while promoting secure coding practices.
Disclaimer: These cybersecurity tools are intended for educational and research purposes only. It is crucial to exercise caution as improper use may lead to potential harm. Prior to utilization, thoroughly inspect the code, conduct testing in secure environments, and adhere to all regulations and guidelines.
Key Takeaways
The recent events have underscored the disappearance of traditional perimeters in cybersecurity, emphasizing the importance of accountability. Each device, application, and cloud service now plays a critical role in safeguarding against threats. Rapid patching, continuous monitoring of running processes, and challenging default settings have transitioned from routine tasks to essential survival skills.
With evolving threats necessitating adaptive responses, resilience hinges on awareness and agility rather than fear. Sustaining high visibility, treating updates as risk mitigation measures, and acknowledging that most security breaches originate from overlooked vulnerabilities are paramount in fortifying defenses.