Overview
Adversaries doubled down on trusted channels, identity systems, and edge infrastructure. Campaigns abused Telegram, Microsoft Teams, OAuth consent, and link-wrapping services to bypass controls; mobile banking and RAT operations surged via malvertising and fake app stores; and cloud-native extortion increased through hybrid identity abuse. Urgent fixes shipped for Apple ImageIO, Adobe AEM Forms JEE, Trend Micro Apex One, Cisco FMC, Fortinet, and GitLab, while blind spots in Linux and ESXi, together with NFC payment relay and 5G pre-auth interception, exposed systemic risk.
Key Trends Identified
- Browser/Installer Trust Abuse on macOS: JSCoreRunner and Odyssey Stealer rode fake converters and ClickFix flows to hijack Chrome profiles and steal wallets, cookies, and Keychain data.
- Collaboration Abuse at Scale: Weaponized Microsoft Teams tenants and MSC EvilTwin chains delivered PowerShell implants; Ghost Calls tunneled C2 through Zoom/Teams TURN to hide in conferencing traffic.
- Identity & Hybrid-Cloud Compromise: Token forgery from Entra Connect sync servers; Exchange hybrid trust (CVE-2025-53786) enabled privilege escalation into M365; Storm-0501 shifted to cloud-native steal-and-destroy.
- Linux, ESXi, and Edge Gaps: io_uring-based RingReaper evasion, PAM backdoor Plague, CrossC2 Beacons on Linux/macOS, Kimsuky LKM rootkit; Splunk released ESXi ransomware detections; “Silent Leaks” in multi-tenant Linux exposed secrets without exploits.
- Mobile-First Financial Threats: Brokewell spyware via TradingView malvertising; PlayPraetor and SpyNote families using overlays, accessibility abuse, and on-device fraud; NFC “ghost-tapping” relay monetized at scale.
- Phishing Tradecraft Upgrades: Hiragana used in URLs to spoof trusted paths; ShadowCaptcha and ClickFix chains copied commands to clipboard; proof-grade lures timed to diplomatic and defense events delivered XenoRAT.
- Ransomware Evolution & Access Enablement: Akira intrusions tied to SonicWall Gen7 credential hygiene and CVE-2024-40766 exposure; APT-grade Charon with DLL sideloading; broad BYOVD use to kill EDR.
- Supply-Chain Poisoning & Dev Abuse: Trojanized PyPI/npm packages, eslint-config-prettier poisoning, fake GitHub repos and CI/CD lures; CastleLoader blended ClickFix lures with developer-tool impersonation.
- TDS and Scam Ecosystems: VexTrio Viper’s global traffic brokering, mobile app store presence, and persistent notification spam drove sustained user compromise.
- Telecom & ISP-Level Operations: Salt Typhoon surveillance through carriers; Turla’s Secret Blizzard ran AiTM at ISP level with rogue root CA to intercept embassy traffic.
- Trusted Platforms as C2 and Stealth Pipes: Telegram used for real-time exfiltration and dead-drop resolution; Proofpoint/Intermedia link-wrapping and malicious OAuth apps masked Microsoft 365 credential theft and bypassed MFA.
- Zero-Days and Emergency Patching: Apple ImageIO RCE; Adobe AEM Forms JEE unauth RCE chain; Trend Micro Apex One console RCE in active use; Cisco FMC RADIUS command injection; FortiSIEM and FortiWeb high-risk flaws; GitLab stored XSS to account takeover.
Threat Landscape Overview
Operations prioritized persistence over noise. Trusted ecosystems—such as Telegram bots, OAuth consent pages, Teams tenants, conferencing TURN relays, and link-wrapping gateways—were used for covert delivery and C2. On endpoints, attackers relied on native features, including scheduled tasks and services for Windows persistence, io_uring for Linux EDR evasion, and signed installers or DLL sideloading for stealthy execution. In the identity layer, compromises of Entra Connect, Exchange hybrid trust, and poorly governed admin roles enabled cross-boundary escalation without obvious logs. Supply-chain poisoning and developer impersonation sustained initial access, while cloud-resident extortion matured through snapshot deletion, key swaps, and data theft.
Mobile threats became primary revenue engines. Brokewell, PlayPraetor, and SpyNote families targeted banking apps with overlays and accessibility abuse; NFC relay “ghost-tapping” commoditized point-of-sale fraud. macOS continued to face pressure from JSCoreRunner and Odyssey Stealer. At the edge, ISP-level AiTM by Turla and telecom-focused espionage by Salt Typhoon underscored how carriers and providers can be turned into durable vantage points. Urgent vendor advisories and hotfixes arrived throughout the month; organizations that lag on patching or identity hardening remain exposed to low-friction takeover and rapid ransomware deployment.
Industries Targeted
- Cloud/SaaS & Enterprise Apps: OAuth consent abuse against Microsoft 365 and Salesforce; Entra Connect token forgery; Exchange hybrid trust flaw; ShinyHunters exfiltration from Salesforce via social engineering and OAuth.
- Finance & Fintech: Brokewell and PlayPraetor harvesting credentials and intercepting 2FA; NFC relay fraud rings monetizing retail purchases; Salty-style PhaaS growth; Python/npm stealers aiming at wallets and browsers.
- Government: Kimsuky Linux rootkit exposure; XenoRAT spearphishing against embassies in Seoul; Turla’s ISP-level AiTM on missions in Moscow; Sidewinder-aligned South Asia defense lures; Blind Eagle sustained campaigns across the Colombian public sector.
- Manufacturing: Berserk Bear exploited legacy Cisco Smart Install; ransomware operators continued to target ESXi; RingReaper and Linux backdoors posed a risk to mixed environments.
- Maritime: Lab-Dookhtegan compromised satellite terminals across Iranian fleets via a supplier, disrupting navigation and port coordination. The attack highlighted how third-party service providers in the maritime supply chain can become high-impact single points of failure, creating systemic risk well beyond the immediate victim.
- Technology & Developers: Supply-chain poisoning on PyPI/npm; CastleLoader targeting developer workflows and GitHub repos; Bumblebee SEO lures masquerading as network tools before Akira deployment.
- Telecommunications: Salt Typhoon operations against carriers for message interception and tracking; infrastructure pivoting through edge devices.
Most Active Threat Actors
- Akira Affiliates (Ransomware): SonicWall VPN intrusion paths tied to CVE-2024-40766 exposure and legacy credentials; rapid hands-on deployment.
- Blind Eagle (TAG-144): Multi-cluster commodity RAT campaigns against Colombian government and regional targets.
- EncryptHub / Water Gamayun (Russia-linked): Teams-based social engineering, MSC EvilTwin exploitation, resilient PowerShell backdoors, and DLL sideloading.
- Kimsuky (North Korea): Linux LKM rootkit with magic-packet backdoor; parallel macOS and Windows social-engineering operations.
- Lab-Dookhtegan (Hacktivist): Maritime comms sabotage via Fanava Group compromise and coordinated device wiping.
- Salt Typhoon (China-nexus espionage): Carrier-level surveillance, edge device exploitation, and long-patched flaw reuse at scale.
- Secret Blizzard / Turla (Russia-FSB): ISP-level AiTM with rogue root CA, delivering ApolloShadow under security-tool cover.
- ShinyHunters (UNC6040, eCrime): Salesforce OAuth abuse and vishing to authorize connected apps for bulk API exfiltration.
- Storm-0501 (eCrime): Cloud-native extortion through hybrid identity abuse, backup deletion, and tenant impersonation.
- VexTrio Viper (TDS): Global traffic brokering with DNS manipulation, RDGAs, and predatory mobile apps to sustain monetization.
Vulnerability Asset Management
Supporting Your Security Team Through Organizational Change
Your security team will spend more time fighting organizational resistance than actual vulnerabilities. The most dangerous risks aren't unknown threats. They're known vulnerabilities on systems that generate revenue, but "can't be patched because it might break something."
Legacy applications create the biggest headaches. These systems often run critical business processes but were built with outdated security standards. Your security team knows exactly where the risks are. They can map every vulnerable port and outdated component. The challenge isn't finding problems. It's getting permission to make those fixes when they might disrupt operations or require significant investment.
This organizational inertia costs more than money. Security professionals burn out from identifying risks that everyone acknowledges but nobody wants to address. They become business blockers instead of enablers because they cannot obtain executive backing for necessary changes. When you empower your security team to make unpopular decisions and budget for modernizing vulnerable systems, you turn them into strategic assets. They can reduce your attack surface while protecting the revenue streams that matter most to your business.
Hunter Insights
Based on threat intelligence data from August, the convergence of trusted platform exploitation, cloud-native identity abuse, and supply chain weaponization is expected to intensify, necessitating a fundamental recalibration of security strategies beyond traditional perimeter-based defenses. Looking ahead, threat actors will further weaponize legitimate collaboration platforms and identity systems as their primary attack vectors. The successful exploitation of Microsoft Teams, Telegram, and OAuth consent mechanisms observed in August demonstrates a clear shift toward "living off the land" tactics that abuse trusted services. This trend will accelerate as organizations increase their reliance on cloud-native collaboration tools and AI-driven automation. Expect attackers to develop more sophisticated techniques for exploiting Entra Connect synchronization servers, Exchange hybrid trust relationships, and cross-tenant identity federation—particularly as hybrid identity environments become increasingly complex and challenging to monitor.
The documentation of PyPI/npm poisoning, developer tool impersonation, and maritime infrastructure attacks via third-party suppliers signals a maturation of supply chain attack methodologies. Supply chain attacks are projected to grow exponentially as AI tools aid in the development of sophisticated attacks. At the same time, the expanding attack surface from cloud adoption creates new vulnerabilities that traditional security tools struggle to address. Organizations should anticipate more frequent targeting of CI/CD pipelines, container registries, and edge devices—particularly in critical infrastructure sectors where ISP-level compromise can provide persistent, high-value surveillance capabilities. The convergence of these trends with mobile-first threats and telecom infrastructure exploitation will create a perfect storm requiring immediate investment in cloud-native security architectures, identity threat detection and response capabilities, and comprehensive supply chain security programs.