Salt Typhoon Breaches National Guard Network
A newly released U.S. Department of Defense report confirms that Salt Typhoon, a Chinese state-sponsored cyber espionage group, breached a U.S. state's National Guard network and remained undetected for nearly a year. The attackers exfiltrated administrator credentials, network diagrams, and configuration files tied to critical national infrastructure and state agencies. These files can be reused to facilitate future intrusions across other government and defense systems with similar architecture. Between January 2023 and March 2024, Salt Typhoon stole 1,462 configuration files associated with 70 U.S. entities across 12 sectors, including energy, transportation, and wastewater. The report, obtained via FOIA, describes the campaign as an “extensive compromise” with potential downstream risks. Security experts warned that this is Salt Typhoon’s second major campaign in two years, reflecting a sustained ability to infiltrate U.S. military and infrastructure systems. The attackers’ lateral movement and stealth prompted calls for immediate adoption of Zero Trust and stronger breach containment strategies. The group has previously targeted telecoms firms and accessed conversations of senior U.S. officials, demonstrating operational reach beyond traditional espionage. In this case, spoofed credentials and access to internal architecture may allow future attacks on connected government systems. A former military network leader stressed that all U.S. forces must now assume compromise and act accordingly. The attack underscores the urgency of real-time detection, microsegmentation, and privileged access restrictions to reduce the blast radius of any breach. Analysts emphasize that persistent access to infrastructure schematics poses long-term risks for national defense and critical operations.
Malware-as-a-Service Campaign Abuses GitHub to Distribute Amadey and Obfuscated Payloads
Cisco Talos researchers exposed a sophisticated Malware-as-a-Service (MaaS) campaign leveraging the Amadey botnet, which used fake GitHub accounts to distribute malicious payloads and custom plugins. By abusing GitHub's trusted infrastructure, the operators bypassed traditional web filtering, enabling seamless delivery of malware in environments that permit access to developer platforms. Amadey acted as a modular loader to deploy stealers such as Redline, Lumma, and StealC, while also supporting plugins for credential theft and screenshot capture. The operation revealed clear ties to a parallel SmokeLoader phishing campaign, which used ZIP-based phishing emails containing obfuscated JavaScript to ultimately install multistage loaders. The Emmenhtal loader, previously reported as PEAKLIGHT, featured four layers of obfuscation, culminating in PowerShell-based payload downloads. These shared tactics indicate coordinated infrastructure usage and a broader ecosystem of MaaS operations that exploit multistage scripting and trusted platforms. The GitHub-hosted repositories, such as Legendary99999, DFfe9ewf, and Milidmdds, functioned as malware staging zones, hosting dozens of payloads disguised within legitimate project structures. JavaScript files in these repos contained intricate obfuscation logic, including numeric variable mapping, ActiveXObject-based shell execution, and AES-encrypted blobs that ultimately delivered malware such as Amadey and AsyncRAT, and even benign tools like PuTTY. Some repositories included decoy Python scripts that posed as cryptocurrency utilities but embedded Base64-encoded lambda functions that executed malicious PowerShell commands. These scripts contacted known C2 infrastructure to retrieve plugins or secondary malware. The attackers also used file masquerading, hosting MP4-lookalike payloads and using media-themed domains to further deceive their targets.
Talos promptly reported the abuse to GitHub, resulting in takedowns, but the campaign underscores the growing trend of abusing legitimate platforms for stealthy, modular, and evasive malware delivery.
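The decoy Python scripts described above hide their logic in a Base64 literal that is handed straight to exec(). The following scanner is an added illustration of how a defender can surface that pattern in repository contents; it is not Talos's tooling, and the decoy and benign scripts it scans are constructed inline (the hidden lambda only calls the harmless Get-Date cmdlet).

```python
import base64
import re

# Constructed sample: a decoy "crypto utility" hiding a lambda inside a Base64 string. The hidden
# lambda only invokes a harmless PowerShell cmdlet so the scanner has a realistic shape to detect.
_HIDDEN = b"(lambda: __import__('subprocess').run(['powershell', '-Command', 'Get-Date']))()"
DECOY_SCRIPT = (
    "import base64\n"
    "def wallet_balance(addr):\n"
    "    return 0.0  # decoy functionality shown to the victim\n"
    f"exec(base64.b64decode('{base64.b64encode(_HIDDEN).decode()}'))\n"
)
# Constructed benign script: a long opaque literal (e.g. a key) that is not code and must not alert.
BENIGN_SCRIPT = "API_KEY = '" + base64.b64encode(bytes(range(48))).decode() + "'\n"

# Base64-looking literals long enough to carry code; shorter tokens are ignored to limit noise.
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{40,}={0,2})['\"]")
# Tokens that mark decoded text as executable logic rather than data.
SUSPICIOUS = ("powershell", "subprocess", "lambda", "exec(", "eval(", "os.system")
# Literal is passed directly to exec/eval, the shape seen in the decoy scripts.
EXEC_WRAPPER = re.compile(r"\b(exec|eval)\s*\(\s*base64\.b64decode")

def decode_literals(source: str) -> list:
    """Decode every Base64 literal that yields printable ASCII text (binary blobs are dropped)."""
    decoded = []
    for m in B64_LITERAL.finditer(source):
        try:
            text = base64.b64decode(m.group(1), validate=True).decode("ascii")
        except ValueError:  # bad alphabet/padding (binascii.Error) or non-ASCII bytes
            continue
        if all(c.isprintable() or c in "\r\n\t" for c in text):
            decoded.append(text)
    return decoded

def scan_python_source(source: str) -> list:
    """Return one finding per decoded literal that contains command-execution indicators."""
    findings = []
    for text in decode_literals(source):
        hits = [tok for tok in SUSPICIOUS if tok in text.lower()]
        if hits:
            findings.append({"decoded": text, "indicators": hits,
                             "fed_to_exec": bool(EXEC_WRAPPER.search(source))})
    return findings

if __name__ == "__main__":
    for name, src in (("decoy", DECOY_SCRIPT), ("benign", BENIGN_SCRIPT)):
        print(name, scan_python_source(src))
```

Run over a checked-out repository, the same logic can be applied per file; the printable-text filter is what keeps keys, hashes and packed binaries from flooding the results.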
APT28 Leverages LLM Malware to Target Ukrainian Government
CERT-UA has uncovered a targeted phishing campaign attributed to the Russian state-sponsored group APT28, delivering a novel malware strain known as LAMEHUG. Discovered after suspicious emails impersonating Ukrainian ministry officials were reported on July 10, 2025, the campaign specifically targeted senior government personnel with ZIP attachments containing multiple payload variants. LAMEHUG is a Python-based malware that uses a large language model (LLM) to interpret human-readable prompts and dynamically generate system commands. This use of AI lets the malware adapt its behavior in real time, increasing its ability to evade static detection rules and perform reconnaissance or data harvesting without relying on hardcoded instructions. The malware searches key user directories for TXT and PDF files, gathers host metadata, and exfiltrates the data over encrypted channels. The integration of a code-focused LLM into malware operations marks a significant shift in the use of artificial intelligence by nation-state actors. Researchers observed that LAMEHUG interacts with external AI infrastructure to process operator-supplied descriptions and convert them into executable commands on compromised machines. This method lets threat actors retain flexibility after deployment, modifying the malware's capabilities without issuing new payloads. The use of trusted AI services for command execution also lets the traffic blend in with legitimate enterprise activity, complicating detection by traditional network monitoring tools. CERT-UA has not yet confirmed the full extent of the campaign's success but warns that the ability to weaponize LLMs poses long-term risks for public-sector targets. The discovery follows broader trends in adversarial AI, including other recent malware samples that attempt to manipulate AI-based detection tools through prompt injection.
Security teams are advised to restrict AI service access from workstations, implement strict egress controls, and monitor for abnormal API usage that may indicate LLM-driven malware operations.
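The egress-monitoring advice above can be turned into a concrete check over proxy logs. The detector below is an added example, not CERT-UA's guidance or tooling; the LLM API hostnames, the approved-client list, the thresholds and the log lines are all constructed placeholders that an organisation would replace with its own.

```python
from collections import defaultdict
from datetime import datetime

# Hypothetical LLM API endpoints whose egress is policy-controlled (placeholders, not real IoCs).
LLM_API_HOSTS = {"api.llm-provider.example", "inference.llm-provider.example"}
# Hosts sanctioned to reach those endpoints (assumed: a central gateway, never user workstations).
APPROVED_AI_CLIENTS = {"ai-gateway01"}
BURST_THRESHOLD = 5    # this many LLM API requests from one host ...
BURST_WINDOW_S = 120   # ... inside this window looks like scripted, not human, use

# Constructed proxy log lines: "<ISO time> <src_host> <method> <dest_host> <path> <status>".
SAMPLE_LOG = """\
2025-07-10T09:00:01 ai-gateway01 POST api.llm-provider.example /v1/chat 200
2025-07-10T09:00:05 ws-finance-07 POST api.llm-provider.example /v1/chat 200
2025-07-10T09:00:20 ws-finance-07 POST api.llm-provider.example /v1/chat 200
2025-07-10T09:00:41 ws-finance-07 POST api.llm-provider.example /v1/chat 200
2025-07-10T09:01:02 ws-finance-07 POST api.llm-provider.example /v1/chat 200
2025-07-10T09:01:19 ws-finance-07 POST api.llm-provider.example /v1/chat 200
2025-07-10T09:01:30 ws-hr-02 GET updates.vendor.example /patch.xml 200
2025-07-10T09:02:10 ws-hr-02 POST inference.llm-provider.example /v1/chat 200
"""

def parse_line(line: str):
    ts, src, method, dest, path, status = line.split()
    return datetime.fromisoformat(ts), src, method, dest, path, int(status)

def find_llm_egress_anomalies(log_text: str) -> dict:
    """Return {src_host: [reasons]} for hosts whose LLM API traffic violates policy."""
    stamps_by_host = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, _method, dest, _path, _status = parse_line(line)
        if dest in LLM_API_HOSTS:
            stamps_by_host[src].append(ts)
    alerts = {}
    for src, stamps in stamps_by_host.items():
        reasons = []
        if src not in APPROVED_AI_CLIENTS:
            reasons.append("unapproved host reaching LLM API")
        stamps.sort()
        # Sliding window: any BURST_THRESHOLD consecutive requests within BURST_WINDOW_S seconds.
        for i in range(len(stamps) - BURST_THRESHOLD + 1):
            if (stamps[i + BURST_THRESHOLD - 1] - stamps[i]).total_seconds() <= BURST_WINDOW_S:
                reasons.append(f"{BURST_THRESHOLD}+ LLM API requests within {BURST_WINDOW_S}s")
                break
        if reasons:
            alerts[src] = reasons
    return alerts

if __name__ == "__main__":
    print(find_llm_egress_anomalies(SAMPLE_LOG))
```

Blocking at the proxy remains the primary control; this check is for spotting workstations that still reach an AI API, and for rate patterns that a person typing prompts would not produce.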
Top CVEs of the Week
As part of our ongoing monitoring of vulnerabilities, the following CVEs highlight recent security issues that could affect a range of systems, applications, and devices. These findings reflect the constantly evolving threat landscape and reinforce the importance of timely patching, secure configurations, and proactive security practices. Below is a summary of notable vulnerabilities, including their impact and any available remediation guidance.