Update: PagerDuty Drawn into Salesloft OAuth Fallout
PagerDuty has confirmed that it was impacted by the ongoing Salesloft Drift OAuth breach, which has already affected several high-profile companies. The compromise was traced back to August 20, 2025, when Salesloft first alerted PagerDuty to a security issue, and three days later, it was revealed that attackers had exploited a flaw in Drift’s OAuth integration flow with Salesforce. This hijacked process may have granted unauthorized access to PagerDuty’s Salesforce account, though no usernames, passwords, or platform credentials were exposed. Current findings indicate that the compromise was limited to Salesforce data, specifically customer and contact details, including names, phone numbers, and email addresses. PagerDuty responded by disabling Drift’s Salesforce connection, rotating access, and working closely with Salesloft, Salesforce, and Google’s Threat Intelligence Group to assess exposure. The investigation so far has found no indication that PagerDuty’s internal systems, core platform, or other resources were touched by the attackers. Despite the narrow scope, the potential misuse of exposed customer data poses a serious risk. Threat actors often leverage contact details to craft convincing phishing or vishing campaigns, and PagerDuty is urging customers to stay vigilant against suspicious calls or emails. The company emphasizes it will never request passwords or secure details outside of its verified support channels. PagerDuty is also reviewing its security controls and evaluating OAuth governance practices to prevent similar incidents in the future. While the investigation continues, customers are advised to be cautious of unsolicited communications, verify the authenticity of senders, and escalate any suspicious activity to official support. Strengthening awareness and tightening app integration oversight are the most immediate steps organizations can take to reduce the risk of follow-on attacks.
Update: XWorm Backdoor Campaign Expands with Stronger Persistence and Stealth
We’ve previously highlighted XWorm’s use of phishing lures and shortcut files as its primary entry points, but recent analysis from Trellix indicates that the campaign has become significantly more sophisticated. The infection chain still starts with a [.]lnk file that triggers hidden PowerShell commands, but instead of simple scripts, the malware now downloads a fake “discord[.]exe” file carrying a Discord icon to look legitimate. This executable then drops two more files, including “main[.]exe” and “system32[.]exe", with the latter being the actual XWorm payload, deliberately named to mimic a Windows system process. The update also shows clear emphasis on stealth: “main[.]exe” disables Windows Firewall through registry changes and checks for third-party security tools. In contrast, “system32[.]exe” halts execution entirely if it detects virtualization, preventing analysis in sandbox environments. Together, these steps represent a deliberate shift from predictable loaders to carefully staged, deceptive deployments designed for deeper entrenchment. What makes this campaign more dangerous is its enhanced persistence and encrypted communications. The malware establishes a long-term presence by creating a scheduled task that runs every minute, modifying registry keys to enable auto-start, and adding itself to Defender exclusion lists through PowerShell with an ExecutionPolicy bypass. It also secures its command-and-control infrastructure by combining Rijndael encryption with Base64 encoding, protecting sensitive strings including C2 server addresses and configuration data. Once communication is established, XWorm operators gain broad control over compromised systems, with the ability to exfiltrate data, download additional payloads, shut down or restart devices, and launch DDoS attacks. This progression demonstrates how quickly XWorm has evolved from a basic phishing-delivered threat to a resilient backdoor with strong anti-analysis measures, highlighting the need for layered defenses, endpoint monitoring, and strict email security to counter its growing capabilities.
Grokking X: AI Amplifies Malicious Links in Promoted Posts
Researchers have identified a new loophole on X, where attackers exploit Grok, the platform’s AI assistant, to distribute malicious links through promoted posts. X’s advertising policies normally prevent links from being placed directly into paid promotions, but scammers have found that Grok will share them when prompted. The setup begins with a promoted image or graphic that appears harmless and contains no visible URLs, allowing it to bypass ad filters. In the comments, the attackers post simple prompts asking Grok to identify the source of the image or provide a related video link. Because Grok scans content and can generate domain suggestions, it ultimately directs users to external websites controlled by the attackers. This transforms a seemingly clean ad into a vector for malicious domains, with Grok’s authority lending the link an air of trustworthiness. Campaigns abusing this tactic have already generated millions of views in a matter of days, sending unsuspecting users to phishing pages, adult sites, or fraudulent services. The term “Grokking” has quickly emerged to describe this AI-driven bypass, highlighting how scammers adapt to platform safeguards with speed and creativity. By weaponizing Grok’s content amplification, attackers are effectively outsourcing credibility to the AI itself, tricking users into thinking the links are verified. The danger is amplified by the viral nature of Grok’s responses, which can be retweeted or shared widely, multiplying exposure far beyond the original ad placement. X’s leadership has acknowledged the issue and is working on updates that will prevent Grok from sharing flagged or suspicious domains, though this fix is not yet fully rolled out. Until then, users face elevated risk when clicking AI-suggested links in replies to promoted content. To stay safe, users should remain cautious, verify any links independently, and avoid trusting domains surfaced through AI interactions until the loophole is closed.
Microsoft Confirms UAC Bug Causing Software Installation Failures on Windows
Microsoft has confirmed a critical bug in User Account Control (UAC) that is disrupting software installations and repairs across both Windows 10 and Windows 11 systems. The issue dates back to the security update KB5063878, released in August 2025. While the patch closed an important security gap, it also introduced a flaw in the way Windows Installer handles repair operations for standard users. Now, when users attempt to install or repair common applications, they are met with UAC prompts requesting administrator credentials, even for actions that should not require elevated rights. This has created widespread problems for individuals and businesses alike, with applications such as Autodesk AutoCAD, Civil 3D, Inventor CAM, and Microsoft Office Professional Plus 2010 among the most visibly affected. In some cases, installations fail with Error 1730, leaving end users unable to complete setup without administrative intervention. Microsoft has acknowledged the disruption and categorized the issue as “mitigated,” pointing to temporary workarounds while a full fix is in progress. The company advises users to launch applications using “Run as administrator” to bypass UAC errors, though this is impractical in environments where standard users lack elevated privileges. For larger organizations, IT administrators can request Known Issue Rollback (KIR) policies from Microsoft Support to reduce the impact until a permanent patch is available. Notably, Microsoft warns against disabling security features or rolling back the update, stressing that the vulnerability addressed in August remains a serious concern. A longer-term solution is under development that will enable specific applications to perform MSI repair operations without unnecessary UAC prompts; however, no release timeline has been provided. Until then, enterprises should apply KIR policies where possible and educate users about temporary workarounds while preparing for the upcoming fix.
