🛡️ THE CORTEX PROTOCOL
Daily cybersecurity intelligence & analysis
📺 Mission Log simulations
📚 LitRPG book series
🌐 thecortexprotocol.com
⚠️ WhatsApp STAC3150 Campaign Deploys Astaroth Banking Trojan
The STAC3150 threat actor is compromising WhatsApp accounts to distribute the Astaroth banking trojan via malicious links.
What's clever: they hijack legitimate accounts to abuse trust relationships—victims receive malware from known contacts. Astaroth uses fileless techniques and Living-off-the-Land binaries (LOLBins) to evade detection, making it persistent even in monitored environments. Sophos tracking shows this campaign specifically targets financial data and credentials across Latin America. The social engineering vector through compromised messaging apps bypasses most email security controls.
Source: Sophos
⚠️ DeepSeek Code Flaws Linked to Real-World Attacks and Exploitation
CrowdStrike reports security flaws in code generated by DeepSeek AI are being exploited in active attacks.
🔴 CVE-2025-52493 - PagerDuty Cloud Runbook Exposes Secrets via Client-Side DOM
Praetorian found CVE-2025-52493 during Red Team work: PagerDuty Cloud Runbook sent full cleartext API keys and service credentials to the browser, protected only by HTML password field masking.
What's wild: authenticated admins could expose all stored secrets by changing `type="password"` to `type="text"` in dev tools—no exploit needed, just DOM manipulation. Classic client-side trust failure. PagerDuty patched it by implementing write-only updates with placeholders. Perfect example of "living off the land" attacks using legitimate interfaces.
Source: Praetorian
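The failure pattern above, beside the write-only fix, as an added example that is not PagerDuty's or Praetorian's code. Function names, field names and the sample key are hypothetical; the point is that `type="password"` is presentation only, so the server must never place the secret in the response at all.

```javascript
// VULNERABLE pattern: the server renders the stored secret into the page.
// type="password" only changes how the browser paints the field; the cleartext
// sits in the DOM (and in the HTTP response) for any authenticated user to read.
function renderSecretFieldVulnerable(name, secret) {
  return `<input name="${name}" type="password" value="${escapeAttr(secret)}">`;
}

// HARDENED pattern (write-only with placeholder): the secret never leaves the
// server. The form only indicates whether a value is set; a submission is treated
// as a replacement, never as an edit of a value the client was given.
function renderSecretFieldWriteOnly(name, isSet) {
  const hint = isSet ? "(set; enter a new value to rotate)" : "(not set)";
  return `<input name="${name}" type="password" value="" placeholder="${hint}" autocomplete="new-password">`;
}

// Server side of the write-only update: an empty submission (the placeholder
// round-tripping) leaves the stored secret untouched; a non-empty one replaces it.
function applyWriteOnlyUpdate(store, name, submitted) {
  if (submitted === "") return store;
  return { ...store, [name]: submitted };
}

// Minimal attribute escaping so the sample HTML is well-formed.
function escapeAttr(s) {
  return String(s).replace(/[&"<>]/g, (c) => ({ "&": "&amp;", '"': "&quot;", "<": "&lt;", ">": "&gt;" }[c]));
}

// The check the finding amounts to: does the response body contain the secret?
// This is what a reviewer or an automated test should ask of any settings page.
function leaksSecret(html, secret) {
  return html.includes(escapeAttr(secret));
}

const SECRET = "example-api-key-0123"; // constructed sample value, not a real key
console.log(leaksSecret(renderSecretFieldVulnerable("api_key", SECRET), SECRET)); // true
console.log(leaksSecret(renderSecretFieldWriteOnly("api_key", true), SECRET));    // false
```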
⚠️ Salesforce Gainsight Token Abuse Enables Unauthorized Data Access
Salesforce is investigating unauthorized access via compromised Gainsight integration tokens—mirroring the SalesLoft and Drift breaches from earlier this year.
What's concerning: OAuth tokens for third-party apps grant persistent access to Salesforce data even after initial compromise is detected. The attack pattern is consistent: compromise the integration partner, pivot to Salesforce instances using legitimate API credentials. Same supply chain playbook we've seen repeatedly in SaaS ecosystems.
Source: Help Net Security
🚨 UNC2891 ATM Fraud Network Reveals Large-Scale Financial Operation
Group-IB uncovered UNC2891 operating a sophisticated ATM fraud network using CAKETAP and STEELCORGI malware.
What's brutal: they've built an entire money mule infrastructure to cash out compromised ATMs at scale. The operation involves coordinated physical and cyber components—malware infects ATM systems to dispense cash on command, while mule networks handle the withdrawals. This isn't opportunistic fraud; it's organized financial crime with military-level operational security. The group specifically targets ATMs in developing markets with weaker security controls.
Source: Infosecurity Magazine
🚨 Everest Ransomware Claims Major Breach of Petrobras Energy Systems
Everest ransomware group claims they breached Petrobras—Brazil's state-owned energy giant—stealing sensitive operational data.
What's notable: Petrobras operates critical oil and gas infrastructure across Latin America, making this a potential national security incident. Everest emerged in 2023 and focuses on high-value targets with significant operational disruption leverage. No confirmation yet from Petrobras on scope or impact, but energy sector attacks typically involve ICS/SCADA environments.
Source: CSO Online
🚨 ShinyHunters Breach Gainsight Apps to Access Salesforce Instances
ShinyHunters (tracked as UNC6395) compromised multiple Salesforce instances by breaching Gainsight's customer success platform first.
What's clever: they're targeting the integration layer—OAuth tokens stored in Gainsight apps give them authenticated access to victim Salesforce environments without touching primary credentials. Mandiant confirms this is part of broader SaaS supply chain attacks where adversaries exploit trusted third-party connections. The access persists until tokens are manually revoked.
Source: GovInfoSecurity
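Because the Gainsight-linked access described in this item and in the Salesforce item above is made with legitimate OAuth tokens, the credential itself gives no signal; the detectable deviation is where and how hard the integration is hitting the API. The following is an added example, not code from Salesforce, Gainsight or the cited reporting: the event fields, the integration name, the vendor egress range and the volume baseline are all constructed assumptions standing in for an API-access or login-history export.

```javascript
// Hypothetical per-integration baseline: egress ranges the vendor publishes and
// the hourly query volume the integration normally produces in this tenant.
const BASELINE = {
  "Gainsight (hypothetical)": { cidrs: ["203.0.113.0/24"], maxQueriesPerHour: 500 },
};

// Constructed events: two routine syncs around one that matches the pattern in
// the article (same connected app and token, unfamiliar source, bulk data pull).
const EVENTS = [
  { app: "Gainsight (hypothetical)", ip: "203.0.113.7",  hour: "2025-11-20T02", queries: 120 },
  { app: "Gainsight (hypothetical)", ip: "198.51.100.9", hour: "2025-11-20T03", queries: 4000 },
  { app: "Gainsight (hypothetical)", ip: "203.0.113.7",  hour: "2025-11-20T04", queries: 150 },
];

// IPv4 dotted quad to unsigned 32-bit integer.
function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
}

// True when ip falls inside the CIDR block (IPv4 only).
function inCidr(ip, cidr) {
  const [net, bits] = cidr.split("/");
  const mask = bits === "0" ? 0 : (~0 << (32 - Number(bits))) >>> 0;
  return (ipToInt(ip) & mask) === (ipToInt(net) & mask);
}

// Return the events that deviate from the integration's baseline, each with the
// reason. Tokens behind flagged events are the ones to revoke and rotate, since
// the access otherwise persists until someone does so manually.
function flagIntegrationAnomalies(events, baseline) {
  const flagged = [];
  for (const e of events) {
    const b = baseline[e.app];
    if (!b) { flagged.push({ ...e, reason: "unknown integration" }); continue; }
    const reasons = [];
    if (!b.cidrs.some((c) => inCidr(e.ip, c))) reasons.push("source outside vendor egress range");
    if (e.queries > b.maxQueriesPerHour) reasons.push("query volume above baseline");
    if (reasons.length) flagged.push({ ...e, reason: reasons.join("; ") });
  }
  return flagged;
}

console.log(flagIntegrationAnomalies(EVENTS, BASELINE));
```

In a real tenant the baseline would come from the vendor's published IP ranges and a few weeks of the integration's own history, and an unknown app name is itself worth a ticket.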
🚨 CVE-2023-48022 - Ray Framework Flaw Fuels ShadowRay 2.0 Botnet
ShadowRay 2.0 is exploiting CVE-2023-48022 in Ray framework to build a cryptomining botnet.
What's brutal: the vulnerability has been public since December 2023, yet thousands of unpatched Ray clusters remain exposed with default configurations. Attackers abuse Ray's job submission API to deploy miners without authentication—classic case of "secure by default" failing. The botnet specifically targets AI/ML infrastructure running Ray for distributed computing.
Source: The Hacker News
🔴 ZDI-25-1014: FortiWeb Command Injection Grants Root RCE
Zero Day Initiative disclosed a command injection in FortiWeb's policy_scripting_post_handler—authenticated attackers can execute arbitrary commands as root. The flaw: user-supplied strings passed directly to system calls without validation.
Authentication required, but compromised admin accounts or malicious insiders get full device control. What's concerning: this is a distinct vulnerability from other recent FortiWeb CVEs, expanding the attack surface across multiple admin workflows. Successful exploitation means config tampering, implant deployment, traffic interception, and pivot deeper into protected segments. Watch for Fortinet's patch.
Source: Zero Day Initiative
🔴 CVE-2025-13086: OpenVPN Patches HMAC State Exhaustion Flaw
OpenVPN 2.6.16 fixes a bug in memcmp verification during TLS handshake that rendered HMAC-based anti-exhaustion protections ineffective. Attackers can flood spoofed handshake packets to degrade or deny VPN service.
Not RCE, but targeted disruption of remote-access infrastructure is trivial to execute. Slackware pushed patches for 15.0 and -current across all architectures. If you're running OpenVPN gateways for remote workforce or site-to-site tunnels, this is your availability risk. The fix is straightforward—upgrade and harden with rate-limiting on VPN ingress points.
Source: Slackware Security Advisory