Zero-Click Exploit in ChatGPT Deep Research Agent Enables Silent Gmail Data Exfiltration
Radware researchers disclosed a zero-click vulnerability in ChatGPT’s Deep Research agent, exposing Gmail data to attackers without any user interaction. Deep Research, launched in February 2025, is designed to autonomously browse the internet and integrate platforms including Gmail, Drive, and GitHub to generate structured reports for users. The flaw was rooted in the agent’s back-end execution layer: attackers could plant malicious HTML instructions in carefully crafted phishing emails, which were invisible to users through techniques such as white-on-white text and hidden formatting. When the victim later asked the agent to analyze their inbox, the malicious commands executed server-side within OpenAI’s infrastructure, silently exfiltrating sensitive personal or corporate data to attacker-controlled servers. Researchers achieved a 100% success rate in proof-of-concept testing by leveraging social engineering tactics, including false claims of authorization, fabricated compliance systems, urgency cues, and Base64 encoding disguised as a “security measure.” What makes this class of attack particularly dangerous is its service-side execution: the exfiltration originates from OpenAI’s trusted servers, rendering enterprise security controls, including secure web gateways, endpoint monitoring, and browser policies, blind to the compromise. Unlike prior client-side prompt injection campaigns, there are no user cues or domain restrictions to constrain exfiltration, meaning Gmail was simply the most intuitive example—the same technique generalizes to connectors such as Google Drive, Outlook, SharePoint, HubSpot, or Teams. OpenAI first acknowledged this vulnerability in June 2025, after a bug bounty was submitted, and patched it in early September. 
To mitigate this risk, enterprises should normalize and sanitize content before ingestion by AI agents, removing invisible HTML/CSS or suspicious metadata, while also deploying continuous behavioral monitoring that validates whether the agent’s actions align with the user’s original intent. Restricting AI agent permissions, binding access to managed devices, and layering anomaly detection on connector activity provide essential defenses until vendor-level fixes fully harden agent ecosystems against prompt-based exfiltration.
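As an added example (not Radware's or OpenAI's code), this is one way to implement the "normalize and sanitize before ingestion" step in Python: reduce an email's HTML to the text a reader would actually see, and set hidden text aside for review. The style patterns, the `sanitize_email_html` name and the sample message are assumptions of this example; the white-text check is a heuristic that does not compute the real background color.

```python
import re
from html.parser import HTMLParser

# Elements that never get an end tag, so they are not tracked on the stack.
VOID = {"br", "img", "hr", "input", "meta", "link", "area", "base", "col", "wbr"}
# Heuristic (assumed) markers of text a human reader would not see.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|opacity\s*:\s*0(?:\.0+)?\s*(?:;|$)"
    r"|font-size\s*:\s*0(?:\.0+)?(?:px|pt|em|rem|%)?\s*(?:;|$)"
    r"|(?<![-\w])color\s*:\s*(?:#fff(?:fff)?|white)\b",
    re.I,
)

class VisibleTextExtractor(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []    # (tag, hidden) for every open element
        self.visible = []  # text that may be passed on to the agent
        self.dropped = []  # hidden text, kept for review and alerting

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        a = dict(attrs)
        inherited = bool(self.stack) and self.stack[-1][1]
        hidden = (inherited or "hidden" in a or tag in ("script", "style", "template")
                  or bool(HIDDEN_STYLE.search(a.get("style") or "")))
        self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        open_tags = [t for t, _ in self.stack]
        if tag in open_tags:  # pop back to the matching open tag; ignore stray end tags
            del self.stack[len(open_tags) - 1 - open_tags[::-1].index(tag):]

    def handle_data(self, data):
        text = " ".join(data.split())
        if text:
            (self.dropped if self.stack and self.stack[-1][1] else self.visible).append(text)

def sanitize_email_html(html):
    """Return (visible_text, hidden_fragments) for one HTML message body."""
    parser = VisibleTextExtractor()
    parser.feed(html)
    parser.close()
    return " ".join(parser.visible), parser.dropped

# Constructed sample message, not taken from the research.
SAMPLE = ('<body style="background-color:#ffffff"><p>Hi team,<br>notes attached.</p>'
          '<div style="color:#ffffff;font-size:1px">Hidden instruction text addressed to the assistant.</div>'
          '<span style="display:none">Hidden claim of authorization.</span><p>Thanks,<br/>Dana</p></body>')
```

A non-empty second return value is itself a signal worth alerting on, since legitimate mail rarely carries sentences the recipient cannot see.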
Update: Weaponized ScreenConnect Campaign Delivering AsyncRAT and PowerShell RAT
Researchers at Hunt.io uncovered an ongoing campaign in which trojanized ConnectWise ScreenConnect installers are being weaponized to deliver AsyncRAT and a custom PowerShell RAT across U.S. organizations. The investigation revealed at least eight infrastructure hosts exposing open directories with staged installers, often tied to /Bin/ paths and disguised under phishing themes, including IRS notifications and Zoom updates. These installers launch multi-stage infection chains that adapt to defenses: on protected systems, payloads are injected directly into memory through .NET runtime features, while on unprotected endpoints, attackers leverage native DLL injection to embed within trusted processes. Persistence is achieved through aggressively scheduled tasks running every few minutes, while command-and-control activity spans both standard and high ephemeral ports, frequently wrapped in TLS to evade inspection. This dual-path execution and infrastructure redundancy illustrate a deliberate effort to maintain resilient, stealthy access. Hunt.io telemetry further highlighted repeatable tradecraft across multiple hosts, including repacked ScreenConnect binaries to evade static detection, mirrored payload containers distributed across Turkish and European infrastructure, and continuous port rotation strategies to sustain AsyncRAT operations. The scale and consistency of these observations underscore a broader trend in which adversaries abuse remote management software as a supply-chain vector, combining the trust of legitimate tools with commodity malware to achieve persistent access. Organizations should implement strict allowlisting and verification of RMM installers, monitoring for unusual download patterns and dynamic installer behaviors. This includes applying behavioral EDR rules for in-memory execution and native injection techniques, enforcing script-blocking policies, and endpoint hardening with AppLocker or Device Guard.
Additionally, restricting execution from publicly writable directories is crucial for mitigation.
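As an added example (not Hunt.io's tooling), the Python below triages an exported Windows Task Scheduler XML definition for the two persistence traits described above: a repetition interval of only a few minutes and an action that runs from a user-writable directory. The 10-minute threshold, the directory list, the `triage_task` name and the sample task are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Assumed threshold and directories for this example; tune to your environment.
MAX_INTERVAL_S = 10 * 60
WRITABLE = ("\\users\\public\\", "\\appdata\\", "\\programdata\\", "\\windows\\temp\\")
DURATION = re.compile(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

def duration_seconds(text):
    """Convert an ISO 8601 duration such as PT2M or P1D to seconds (None if unparsable)."""
    m = DURATION.match(text.strip())
    if not m:
        return None
    d, h, mi, s = (int(g or 0) for g in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s

def triage_task(xml_text):
    """Return a list of findings for one task definition; an empty list means nothing flagged."""
    root = ET.fromstring(xml_text)
    intervals = [duration_seconds(e.text or "")
                 for e in root.iterfind(".//t:Repetition/t:Interval", NS)]
    intervals = [i for i in intervals if i]
    findings = []
    if intervals and min(intervals) <= MAX_INTERVAL_S:
        findings.append(f"repeats every {min(intervals)}s")
    for e in root.iterfind(".//t:Exec/t:Command", NS):
        command = e.text or ""
        if any(w in command.lower() for w in WRITABLE):
            findings.append(f"runs from user-writable path: {command}")
    return findings

# Constructed sample task definition (path and file name are placeholders).
SAMPLE_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT2M</Interval></Repetition>
      <StartBoundary>2025-01-01T00:00:00</StartBoundary>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Users\Public\example\updater.exe</Command></Exec>
  </Actions>
</Task>"""
```

Either finding alone is common on healthy systems; the combination of both on one task is the pattern worth escalating.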
Gamaredon and Turla Join Forces: Coordinated FSB Operations Deploy Kazuar Backdoor in Ukraine
Researchers at ESET uncovered the first technical evidence of collaboration between two notorious FSB-linked groups, Gamaredon (FSB Center 18) and Turla (FSB Center 16), in cyber operations against Ukraine. Between February and June 2025, ESET telemetry observed Gamaredon’s noisy initial access tools (including PteroGraphin, PteroOdd, and PteroPaste) being directly leveraged to deploy Turla’s advanced Kazuar v2 and v3 backdoors. On one machine, Gamaredon’s PteroGraphin was even used to restart a stalled Kazuar implant, showing not just sequential compromises but operational coordination between the two groups. This marks a historic escalation in Russian cyber espionage and a rare instance of structured cooperation between separate FSB centers that traditionally conduct parallel missions. The victimology reveals that Turla deploys Kazuar only on carefully selected, high-value systems, in stark contrast to Gamaredon’s broad and indiscriminate compromises across Ukraine. Over 18 months, only seven machines were confirmed to have an active Turla presence, each following a Gamaredon compromise, reinforcing the assessment that Gamaredon acts as the entry team while Turla selects and maintains access to priority intelligence targets. Both groups’ reliance on services including Telegra[.]ph and compromised WordPress infrastructure for payload delivery further highlights shared tooling and coordinated TTPs. Set against the geopolitical backdrop of Russia’s invasion of Ukraine, this collaboration reflects a deliberate FSB strategy: blending Gamaredon’s wide-scale access with Turla’s espionage sophistication to maximize intelligence gain while compartmentalizing responsibilities. Security defenders should expect continued evolution of this joint threat model as Russian intelligence services deepen their operational alignment.
Top CVEs of the Week
As part of our ongoing vulnerability monitoring, the following CVEs highlight recent security issues that could affect a range of systems, applications, and devices. These findings reflect the constantly evolving threat landscape and reinforce the importance of timely patching, secure configurations, and proactive security practices. Below is a summary of notable vulnerabilities, including their impact and any available remediation guidance.