NCSA Webboard

    Cyber Threat Intelligence 23 September 2025

    Cyber Security News
      Posted by NCSA_THAICERT

      Industrial Sector

      • Threat Landscape For Industrial Automation Systems. Middle East, Q2 2025
        "In the Middle East, the percentage of ICS computers on which threats from email clients were blocked was 1.8 times higher than the global average. High levels of email threats (phishing), spyware, and ransomware clearly indicate that technological systems in the region are highly exposed to advanced attackers. Likewise, the large percentage of malicious scripts and phishing pages further demonstrates the high risk of targeted attacks against the technological infrastructures of industrial enterprises in the region. Many of these scripts and pages are aimed directly at stealing authentication data."
        https://ics-cert.kaspersky.com/publications/reports/2025/09/22/threat-landscape-for-industrial-automation-systems-middle-east-q2-2025/
      • Threat Landscape For Industrial Automation Systems. South And North America (Canada), Q2 2025
        "In South America, the percentage of ICS computers on which threats from email clients were blocked is 1.8 times higher than the global average. On this metric, the region ranks second globally. By the percentage of ICS computers on which malicious scripts and phishing pages were blocked, South America ranks first among regions globally, with a rate 1.4 times the global average. Malicious scripts are used by attackers for a wide range of purposes — from data collection, tracking, and redirecting the user’s browser to malicious web resources, to downloading various malware into the system or browser (such as spyware, cryptominers, and ransomware). They spread both via the internet and through emails."
        https://ics-cert.kaspersky.com/publications/reports/2025/09/22/threat-landscape-for-industrial-automation-systems-south-and-north-america-canada-q2-2025/

      New Tooling

      • Cybersecurity AI (CAI): Open-Source Framework For AI Security
        "Cybersecurity AI (CAI) is an open-source framework that helps security teams build and run AI-driven tools for offensive and defensive tasks. It’s designed for anyone working in security, including researchers, ethical hackers, IT staff, and organizations that want to use AI to find vulnerabilities, test defenses, and improve their security."
        https://www.helpnetsecurity.com/2025/09/22/cybersecurity-ai-cai-open-source-framework-ai-security/
        https://github.com/aliasrobotics/cai

      Vulnerabilities

      • Researchers Earn $150,000 For L1TF Exploit Leaking Data From Public Cloud
        "Academic researchers from Vrije Universiteit Amsterdam have demonstrated that transient execution CPU vulnerabilities are practical to exploit in real-world scenarios to leak memory from VMs running on public cloud services. The research shows that L1TF (L1 Terminal Fault), also known as Foreshadow, a bug in Intel processors reported in January 2018, and half-Spectre, gadgets believed unexploitable on new-generation CPUs, as they cannot directly leak secret data, can be used together to leak data from the public cloud. Last month, the academics reported L1TF Reloaded (PDF), a vulnerability that combines L1TF and half-Spectre to bypass commonly deployed software mitigations and leak sensitive data from the hypervisor and a co-tenant on Google Cloud."
        https://www.securityweek.com/researchers-earn-150000-for-l1tf-exploit-leaking-data-from-public-cloud/
        https://openreview.net/pdf?id=4tDNvQe2G0

      Malware

      • New EDR-Freeze Tool Uses Windows WER To Suspend Security Software
        "A new method and proof-of-concept tool called EDR-Freeze demonstrates that evading security solutions is possible from user mode with Microsoft's Windows Error Reporting (WER) system. The technique eliminates the need for a vulnerable driver and puts security agents like endpoint detection and response (EDR) tools into a state of hibernation. By using the WER framework together with the MiniDumpWriteDump API, security researcher TwoSevenOneThree (Zero Salarium) found a way to suspend the activity of EDR and antivirus processes indefinitely."
        https://www.bleepingcomputer.com/news/security/new-edr-freeze-tool-uses-windows-wer-to-suspend-security-software/
        https://github.com/TwoSevenOneT/EDR-Freeze
      • Verified Steam Game Steals Streamer's Cancer Treatment Donations
        "A gamer seeking financial support for cancer treatment lost $32,000 after downloading from Steam a verified game named BlockBlasters that drained his cryptocurrency wallet. BlockBlasters is a 2D platformer that was available on Steam for almost two months, between July 30 and September 21. The game was safe until August 30, when a cryptodrainer component was added. Published by developer Genesis Interactive and no longer on Steam, the retro-styled game was a free-to-play title promising fast-paced action on responsive controls, and had a few hundred ‘Very Positive’ reviews on the gaming platform."
        https://www.bleepingcomputer.com/news/security/verified-steam-game-steals-streamers-cancer-treatment-donations/
      • Iranian Threat Actor Nimbus Manticore Expands Campaigns Into Europe With Advanced Malware And Fake Job Lures
        "Since early 2025, Check Point Research has tracked successive waves of activity from Nimbus Manticore, a mature Iran-nexus advanced persistent threat (APT) group. Sometimes referred to as UNC1549 or Smoke Sandstorm, and previously associated with the Iranian Dream Job campaign, Nimbus Manticore primarily targets aerospace and defense organizations in the Middle East and Europe. The group is best known for its targeted spear-phishing campaigns that deliver custom implants, including Minibike, also known as SlugResin. First reported in 2022, Minibike has evolved steadily, adopting obfuscation techniques, modular architecture, and redundant C2 infrastructure."
        https://blog.checkpoint.com/research/iranian-threat-actor-nimbus-manticore-expands-campaigns-into-europe-with-advanced-malware-and-fake-job-lures/
        https://www.darkreading.com/cyberattacks-data-breaches/iran-linked-hackers-europe-new-malware
      • Technical Analysis Of Zloader Updates
        "Zloader (a.k.a. Terdot, DELoader, or Silent Night) is a Zeus-based modular trojan that emerged in 2015. Zloader was originally designed to facilitate banking, but has since been repurposed for initial access, providing an entry point into corporate environments for the deployment of ransomware. Following an almost two-year hiatus, Zloader reemerged in September 2023 with significant enhancements to its obfuscation techniques, domain generation algorithm (DGA), anti-analysis techniques and network communication, along with a stealthier approach to infections."
        https://www.zscaler.com/blogs/security-research/technical-analysis-zloader-updates
      • ComicForm And SectorJ149 Hackers Deploy Formbook Malware In Eurasian Cyberattacks
        "Organizations in Belarus, Kazakhstan, and Russia have emerged as the target of a phishing campaign undertaken by a previously undocumented hacking group called ComicForm since at least April 2025. The activity primarily targeted industrial, financial, tourism, biotechnology, research, and trade sectors, cybersecurity company F6 said in an analysis published last week. The attack chain involves sending emails bearing subject lines like "Waiting for the signed document," "INvoice for Payment," or "Reconciliation Act for Signature," urging recipients to open a RAR archive, within which there exists a Windows executable that masquerades as a PDF document (e.g., "Акт_сверки pdf 010.exe"). The messages, written in Russian or English, are sent from email addresses registered in the .ru, .by, and .kz top-level domains."
        https://thehackernews.com/2025/09/comicform-and-sectorj149-hackers-deploy.html
      • Operation Rewrite: Chinese-Speaking Threat Actors Deploy BadIIS In a Wide Scale SEO Poisoning Campaign
        "In March 2025, we uncovered a search engine optimization (SEO) poisoning campaign. Based on the infrastructure and linguistic artifacts discovered, we assess with high confidence that a Chinese-speaking threat actor operates this campaign. We call this “Operation Rewrite” in reference to the English translation of one of the object names in the threat actor’s code. We track this cluster of activity as CL-UNK-1037. Our analysis revealed infrastructure and architectural overlaps with the publicly tracked “Group 9” threat cluster and the “DragonRank” campaign."
        https://unit42.paloaltonetworks.com/operation-rewrite-seo-poisoning-campaign/
      • Watch Out For SVG Files Booby-Trapped With Malware
        "A recent malware campaign making the rounds in Latin America offers a stark example of how cybercriminals are evolving and finetuning their playbooks. But first, here’s what’s not so new: The attacks rely on social engineering, with victims receiving emails that are dressed up to look as though they come from trusted institutions. The messages have an aura of urgency, warning their recipients about lawsuits or serving them court summons. This, of course, is a tried-and-tested tactic that aims to scare recipients into clicking on links or opening attachments without thinking twice."
        https://www.welivesecurity.com/en/malware/svg-files-spreading-malware/

      Breaches/Hacks/Leaks

      • Automaker Giant Stellantis Confirms Data Breach After Salesforce Hack
        "Automotive manufacturing giant Stellantis has confirmed that attackers stole some of its North American customers' data after gaining access to a third-party service provider's platform. Stellantis is a multinational corporation formed in 2021 after the merger of the PSA Group (Peugeot Société Anonyme) and Fiat Chrysler Automobiles (FCA). Stellantis is currently one of the largest automotive companies globally by revenue and the world's fifth-largest automaker by volume. The company owns 14 major automotive brands, including Alfa Romeo, Chrysler, Citroën, Dodge, DS Automobiles, Fiat, Jeep, Lancia, Maserati, Opel, Peugeot, Ram, and Vauxhall, and it operates manufacturing facilities across Europe, North America, South America, and other regions, with operations in over 130 countries."
        https://www.bleepingcomputer.com/news/security/automaker-giant-stellantis-confirms-data-breach-after-salesforce-hack/
        https://databreaches.net/2025/09/22/stellantis-detects-breach-at-third-party-provider-for-north-american-customers/
        https://therecord.media/stellantis-investigates-cyber-incident
        https://hackread.com/jeep-dodge-stellantis-confirms-customer-data-breach/
        https://securityaffairs.com/182456/data-breach/stellantis-probes-data-breach-linked-to-third-party-provider.html
        https://www.theregister.com/2025/09/22/stellantis_breach/
      • Airport Disruptions In Europe Caused By a Ransomware Attack
        "The disruptions over the weekend at several major European airports were caused by a ransomware attack targeting the check-in and boarding systems. Among the airports suffering technical difficulties are Heathrow in London, Brussels Airport, and Brandenburg in Berlin. Cork and Dublin airports in Ireland also experienced difficulties, but the impact was minor. The attack started on Friday night, according to Brussels Airport, and targeted “Collins Aerospace, the external provider of check-in and boarding systems.”"
        https://www.bleepingcomputer.com/news/security/airport-disruptions-in-europe-caused-by-a-ransomware-attack/
        https://www.theguardian.com/world/2025/sep/22/flight-delays-europe-cyber-attack-heathrow-brussels-berlin
        https://www.bbc.co.uk/news/articles/cqjeej85452o
        https://therecord.media/europe-airports-delays-ransomware-attack-checkin-systems
        https://www.darkreading.com/cyberattacks-data-breaches/airport-chaos-human-impact-3rd-party-attacks
        https://www.bankinfosecurity.com/ransomware-behind-collins-aerospace-hack-enisa-says-a-29498
        https://www.infosecurity-magazine.com/news/airport-chaos-third-day-supply/
        https://www.securityweek.com/european-airport-disruptions-caused-by-ransomware-attack/
        https://securityaffairs.com/182440/security/eu-agency-enisa-says-ransomware-attack-behind-airport-disruptions.html
        https://www.theregister.com/2025/09/22/eus_cyber_agency_confirms_ransomware/

      General News

      • OpenID Foundation Sets New Standards For Real-Time Security Event Sharing
        "The OpenID Foundation (OIDF) has approved three Final Specifications, establishing the first global standards for real-time security event sharing across digital identity systems."
        https://www.helpnetsecurity.com/2025/09/22/openid-standards-real-time-security-event-sharing/
      • Zero Trust: Strengths And Limitations In The AI Attack Era
        "Zero trust principles such as network segmentation become crucial as attackers increasingly adopt artificial intelligence (AI), but there's still room for improvement if they are going to stand up to evolving AI threats. Zero trust architecture relies on limiting access to accounts and systems and verifying identities to secure networks. But AI enables adversaries to craft more convincing phishing attacks and deepfakes, social engineering techniques that exploit identity. Zero trust needs to evolve to face that and other related threats."
        https://www.darkreading.com/endpoint-security/zero-trust-strengths-and-limitations-in-the-ai-attack-era
      • 15 Years Of Zero Trust: Why It Matters More Than Ever
        "Fifteen years ago, I introduced the zero-trust security model while working as an analyst at Forrester Research. At the time, cybersecurity was still rooted in perimeter-based thinking, built on the assumption that everything inside the network could be trusted. But real-world breaches told a different story. Attackers were moving laterally, exploiting implicit trust, and bypassing traditional defenses with ease. Shortly after publishing my first report, Dark Reading interviewed me and wrote one of the first articles about zero trust. That conversation helped bring the model beyond the analyst community and into the broader security dialogue."
        https://www.darkreading.com/cyberattacks-data-breaches/15-years-of-zero-trust-why-it-matters-more-than-ever
      • Organizations Must Update Defenses To Scattered Spider Tactics, Experts Urge
        "Organizations must urgently update their defenses to protect against tactics deployed by the Scattered Spider hacking collective this year, according to experts speaking during the Gartner Security & Risk Management Summit 2025. A particular focus should be placed on identity tools and controls, security processes and third-party risk management to tackle the novel and highly effective techniques used by the group. During a session at the Summit, George Glass, associate managing director at risk advisory company Kroll, discussed Scattered Spider’s highly successful approach in compromising high profile targets from April to July 2025."
        https://www.infosecurity-magazine.com/news/update-defenses-scattered-spider/
      • How To Gain Control Of AI Agents And Non-Human Identities
        "We hear this a lot: "We've got hundreds of service accounts and AI agents running in the background. We didn't create most of them. We don't know who owns them. How are we supposed to secure them?" Every enterprise today runs on more than users. Behind the scenes, thousands of non-human identities, from service accounts to API tokens to AI agents, access systems, move data, and execute tasks around the clock. They're not new. But they're multiplying fast. And most weren't built with security in mind."
        https://thehackernews.com/2025/09/how-to-gain-control-of-ai-agents-and.html
      • Alleged Scattered Spider Member Turns Self In To Las Vegas Police
        "A suspected member of the Scattered Spider cybercriminal organization turned themselves in to Las Vegas police last week under accusations that they were behind multiple cyberattacks targeting casinos in the city. The Las Vegas Metropolitan Police Department released a brief statement on Friday afternoon confirming that an unnamed juvenile suspect surrendered himself to the Clark County Juvenile Detention Center on September 17. He was booked on several charges related to cyberattacks on multiple Las Vegas casino properties between August 2023 and October 2023, police said. Those dates line up with ransomware attacks on Caesars Entertainment and MGM Resorts — both of which own multiple casinos and hotels across Las Vegas."
        https://therecord.media/las-vegas-arrest-scattered-spider-suspect-turns-self-in
        https://www.lvmpd.com/Home/Components/News/News/2245/263
        https://www.bankinfosecurity.com/teenage-scattered-spider-suspect-arrested-in-las-vegas-a-29493
        https://cyberscoop.com/las-vegas-teenager-arrested-casino-attacks-scattered-spider/
        https://www.theregister.com/2025/09/22/teen_cuffed_scattered_spider_casino/
      • Telecom Exec: Salt Typhoon Inspiring Other Hackers To Use Unconventional Techniques
        "Hackers are increasingly adopting the techniques of the Chinese group that successfully infiltrated major telecommunications providers in attacks that made headlines last year by looking for unconventional weak spots, an AT&T executive said Monday. AT&T was one of the major providers to fall victim to the sweeping campaign from the group, known as Salt Typhoon, but the company has since said it evicted the hackers from its networks. “We’re seeing adversaries really change the way they’re doing things, very similar to what Salt Typhoon did,” Rich Baich, chief information security officer at AT&T, said at the Google Cloud Cyber Defense Summit."
        https://cyberscoop.com/telecom-exec-salt-typhoon-inspiring-other-hackers-to-use-unconventional-techniques/

      References
      Electronic Transactions Development Agency (ETDA)