
Threat Alerts
Your place for the latest CyberProof cyber threat intelligence alerts and updates
North Korean Threat Actors Leverage AI Deepfakes in Cyberattacks
North Korean threat actors, specifically the Kimsuky group, have begun using AI-generated deepfake imagery in their cyberattacks. They used tools such as ChatGPT to produce fake profile photos and ID documents, which were attached to spear-phishing emails sent to a range of professionals and stakeholders. The attackers bypassed the model's safety restrictions with carefully worded prompts, and the forged images were delivered from sender domains crafted to look official.
This reflects a broader trend of North Korean actors using AI for fraud, including generating fake résumés to obtain remote roles at Fortune 500 companies. Adding deepfake imagery to phishing operations makes the lures more credible and marks a notable step forward in the group's social engineering capabilities.
Massive Packet-Rate DDoS Attack Escalates
A massive distributed denial-of-service (DDoS) attack recently struck a DDoS protection vendor in Western Europe, peaking at 1.5 billion packets per second, one of the largest packet-rate floods ever recorded. Unlike traditional bandwidth-driven assaults, the campaign used compromised IoT devices and home routers spread across more than 11,000 networks to launch a UDP flood whose cost lay in the sheer number of packets rather than in bytes: it overwhelmed stateful devices such as firewalls, strained regional connectivity, and exposed the risks of insecure connected ecosystems.
The event coincided with other record-breaking attacks, including an 11.5 Tbps flood mitigated by another provider, reflecting a shift toward larger and more varied DDoS strategies. While the Western Europe assault was contained through real-time detection and automated mitigation, its scale shows how packet-rate attacks can cause major disruption with comparatively small data volumes, because routers, firewalls and load balancers are limited by packets processed per second long before their links fill up. Monitoring that alerts only on bits per second will miss this class of attack.
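The distinction between packet-rate and volumetric floods is easy to miss when dashboards only show bandwidth. The following is an added example, not code from the original alert or from any of the providers mentioned: it takes per-destination traffic counters for a one-second window (constructed here; in practice they come from NetFlow/sFlow or interface counters) and labels each target by what the traffic would exhaust first. The thresholds and the 128-byte "small packet" cut-off are hypothetical and must be tuned to the capacity of the devices being protected.

```python
from dataclasses import dataclass

# Hypothetical thresholds. In production they are tuned per link and per device:
# the pps figure is what a stateful firewall or line card can process, the bps
# figure is what the upstream capacity can absorb.
PPS_THRESHOLD = 1_000_000          # packets per second
BPS_THRESHOLD = 1_000_000_000      # bits per second
SMALL_PACKET_BYTES = 128           # below this average size, per-packet cost dominates


@dataclass
class TargetCounters:
    """Traffic seen towards one destination during one measurement window.

    Constructed for this example; real numbers come from flow telemetry.
    """
    dst: str
    proto: str
    packets: int
    byte_count: int
    window_s: float = 1.0

    @property
    def pps(self) -> float:
        return self.packets / self.window_s

    @property
    def bps(self) -> float:
        return self.byte_count * 8 / self.window_s

    @property
    def avg_packet_bytes(self) -> float:
        return self.byte_count / self.packets if self.packets else 0.0


def bits_per_second(pps: float, packet_bytes: int) -> float:
    """Wire rate implied by a packet rate at a given packet size (payload only, no framing)."""
    return pps * packet_bytes * 8


def classify(t: TargetCounters) -> str:
    """Label a flood by the resource it exhausts: packet processing or link capacity."""
    if t.pps >= PPS_THRESHOLD and t.avg_packet_bytes <= SMALL_PACKET_BYTES:
        return "packet-rate flood"
    if t.bps >= BPS_THRESHOLD:
        return "volumetric flood"
    if t.pps >= PPS_THRESHOLD:
        return "packet-rate flood"
    return "normal"


def classify_all(counters):
    return {t.dst: classify(t) for t in counters}


# Constructed one-second window: a 1.5 Gpps flood of 64-byte UDP packets, an
# 11.2 Gbps flood of 1400-byte packets, and ordinary traffic.
SAMPLE = [
    TargetCounters("203.0.113.10", "udp", packets=1_500_000_000, byte_count=1_500_000_000 * 64),
    TargetCounters("203.0.113.20", "udp", packets=1_000_000, byte_count=1_000_000 * 1400),
    TargetCounters("203.0.113.30", "tcp", packets=5_000, byte_count=2_500_000),
]

if __name__ == "__main__":
    for t in SAMPLE:
        print(f"{t.dst}: {t.pps:,.0f} pps, {t.bps / 1e9:,.1f} Gbps, "
              f"avg {t.avg_packet_bytes:.0f} B -> {classify(t)}")
    # The same packet rate carries very different byte volumes depending on packet size.
    print(f"1.5 Gpps of 64-byte packets = {bits_per_second(1.5e9, 64) / 1e12:.2f} Tbps")
```

Note that the 64-byte flood in the sample carries under 1 Tbps, far below the 11.5 Tbps figure quoted above, yet it is the one that will exhaust a firewall's session table and forwarding engine first; the average packet size is the feature that separates the two cases.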
Ransomware Evolution from NotPetya to HybridPetya
A new ransomware variant called HybridPetya has emerged, with capabilities that echo the destructive Petya (2016) and NotPetya (2017) attacks. It represents a significant evolution in ransomware tooling because it can compromise UEFI-based systems and bypass UEFI Secure Boot by exploiting CVE-2024-7344 (CVSS 6.7) and CVE-2020-26200 (CVSS 6.8). Unlike NotPetya, which behaved as a wiper because its encryption could not be reversed, HybridPetya functions as true ransomware: the encryption is reversible, so victims who obtain the key can decrypt their data.
The malware consists of two components, a UEFI bootkit and an installer. The bootkit tracks encryption state through flags in a configuration file and uses Salsa20 to encrypt the NTFS Master File Table (MFT) rather than the file contents themselves, which is enough to make every file unreachable; while it works it shows a fake disk-check (CHKDSK-style) progress screen to keep the user from powering off. On the next reboot it displays a ransom note and accepts a 32-character decryption key. The installer locates the EFI System Partition on GPT disks, removes the fallback loader, writes the bootkit and its configuration there, and then forces a system crash so that the machine reboots into the bootkit.
HybridPetya is the fourth publicly known UEFI bootkit, real or proof of concept, able to bypass Secure Boot, after BlackLotus, Bootkitty and the Hyper-V Backdoor PoC. Because the MFT is encrypted before the operating system loads, endpoint agents running inside Windows see only the crash and the reboot, which is what makes the combination of MFT encryption, UEFI compatibility and Secure Boot bypass so concerning for monitoring. Systems that have applied Microsoft's January 2025 UEFI revocation (DBX) update for CVE-2024-7344 are not susceptible to this particular bypass, so confirming that revocation has been deployed is the practical first check.
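Both the installer described above and a forensic triage script need to do the same first thing: find the EFI System Partition on a GPT disk. The following is an added example and not code from the original alert or from the malware; it parses the primary GPT header and partition array from a raw disk image, verifies both CRC32 checksums (a tampered table should be treated as suspicious rather than silently trusted), and selects partitions by the well-known ESP type GUID. The sample image is constructed in `build_sample_image()`; the partition GUIDs, LBAs and names in it are invented, while the two type GUIDs are the standard values from the UEFI specification and Microsoft documentation.

```python
import struct
import uuid
import zlib
from dataclasses import dataclass

SECTOR = 512
# Well-known partition type GUIDs (UEFI specification / Microsoft documentation).
ESP_TYPE_GUID = uuid.UUID("C12A7328-F81F-11D2-BA4B-00A0C93EC93B")
MS_BASIC_DATA_GUID = uuid.UUID("EBD0A0A2-B9E5-4433-87C0-68B6B72699C7")

# GPT header (first 92 bytes of LBA 1) and one 128-byte partition entry, little-endian.
HDR_FMT = "<8sIIIIQQQQ16sQIII"
ENTRY_FMT = "<16s16sQQQ72s"


@dataclass
class Partition:
    type_guid: uuid.UUID
    unique_guid: uuid.UUID
    first_lba: int
    last_lba: int
    attributes: int
    name: str


def parse_gpt(image: bytes, sector: int = SECTOR):
    """Return the in-use partitions of a raw disk image after verifying both GPT CRCs."""
    base = sector  # the primary header lives at LBA 1
    if image[base:base + 8] != b"EFI PART":
        raise ValueError("no GPT header at LBA 1")
    header_size = struct.unpack_from("<I", image, base + 12)[0]
    hdr = image[base:base + header_size]
    (_, _, _, header_crc, _, _, _, _, _, _,
     entries_lba, num_entries, entry_size, entries_crc) = struct.unpack_from(HDR_FMT, hdr)
    # The header CRC is computed with its own CRC field zeroed.
    zeroed = hdr[:16] + b"\x00\x00\x00\x00" + hdr[20:]
    if zlib.crc32(zeroed) & 0xFFFFFFFF != header_crc:
        raise ValueError("GPT header CRC mismatch")
    table = image[entries_lba * sector: entries_lba * sector + num_entries * entry_size]
    if zlib.crc32(table) & 0xFFFFFFFF != entries_crc:
        raise ValueError("GPT partition table CRC mismatch")
    parts = []
    for i in range(num_entries):
        raw = table[i * entry_size:(i + 1) * entry_size]
        type_raw, uniq_raw, first, last, attrs, name = struct.unpack_from(ENTRY_FMT, raw)
        type_guid = uuid.UUID(bytes_le=type_raw)   # GUIDs are stored mixed-endian
        if type_guid.int == 0:                     # unused entry
            continue
        parts.append(Partition(type_guid, uuid.UUID(bytes_le=uniq_raw), first, last,
                               attrs, name.decode("utf-16-le").rstrip("\x00")))
    return parts


def find_esp(image: bytes):
    """Select the EFI System Partition(s) by type GUID, as an installer or triage tool would."""
    return [p for p in parse_gpt(image) if p.type_guid == ESP_TYPE_GUID]


def build_sample_image() -> bytes:
    """Construct a minimal, CRC-consistent GPT image (LBA 0-33 only, no partition contents)."""
    def entry(type_guid, first, last, name):
        return struct.pack(ENTRY_FMT, type_guid.bytes_le, uuid.UUID(int=first).bytes_le,
                           first, last, 0, name.encode("utf-16-le").ljust(72, b"\x00"))

    num_entries, entry_size = 128, 128
    table = (entry(ESP_TYPE_GUID, 2048, 206847, "EFI system partition")
             + entry(MS_BASIC_DATA_GUID, 206848, 2097151, "Basic data partition"))
    table = table.ljust(num_entries * entry_size, b"\x00")
    disk_guid = uuid.UUID("11111111-2222-3333-4444-555555555555").bytes_le  # invented
    hdr = struct.pack(HDR_FMT, b"EFI PART", 0x00010000, 92, 0, 0, 1, 2097151, 34, 2097118,
                      disk_guid, 2, num_entries, entry_size, zlib.crc32(table) & 0xFFFFFFFF)
    hdr = hdr[:16] + struct.pack("<I", zlib.crc32(hdr) & 0xFFFFFFFF) + hdr[20:]
    return bytes(SECTOR) + hdr.ljust(SECTOR, b"\x00") + table


if __name__ == "__main__":
    for p in find_esp(build_sample_image()):
        print(f"ESP: LBA {p.first_lba}-{p.last_lba} ({p.name}), "
              f"byte offset {p.first_lba * SECTOR}")
```

On a live system the same parser can be pointed at the raw block device (for example `/dev/sda` or `\\.\PhysicalDrive0`) by reading the first 34 sectors; the returned byte offset is where the ESP's FAT filesystem begins, which is what you mount or carve to inspect the loaders it contains.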
Phishing-Driven DarkCloud Stealer Attacks Financial Industry
The latest DarkCloud Stealer campaign has targeted financial institutions globally. The operation combines social engineering with weaponized archive files, aiming to compromise sensitive financial data and systems.
The attack centers on carefully crafted phishing emails carrying malicious RAR archives built for Windows systems. The emails appear to come from legitimate sources and use subject lines and body text that would naturally appeal to financial sector employees, such as payment or remittance notices. Once a recipient extracts and runs the contents of the archive, the DarkCloud Stealer payload establishes persistence on the host and begins harvesting data. The malware evades detection while systematically collecting credentials, financial records and other sensitive information from infected machines.
The breadth of the campaign points to a well-resourced threat actor with specific knowledge of the financial sector's operational patterns and security postures, and its timing and scale suggest reconnaissance of the targets before the phishing waves were launched. Although the current wave has concentrated on financial institutions, the same lure-and-archive tradecraft works against any organization that handles valuable data, so the mitigations (blocking or sandboxing archive attachments, content-sniffing attachments rather than trusting their file names, and user awareness around unexpected payment documents) apply across industries.
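A mail gateway or SOC triage script should decide what an attachment is from its bytes, not from its declared name, because a RAR body labelled `Statement.pdf` still opens in the user's archiver. The following is an added example, not code from the original alert or from DarkCloud's authors: it parses an RFC 5322 message, identifies RAR4/RAR5 archives by their magic bytes, flags name/content mismatches and disguised double extensions, and reports findings. The phishing message is constructed inside `build_sample_message()`; its addresses, subject and attachment names are invented and the "archives" are magic bytes plus filler, not real RAR data. The check deliberately stops short of unpacking the archive.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# File signatures of the two RAR container formats.
RAR_MAGICS = {
    b"Rar!\x1a\x07\x00": "RAR4",
    b"Rar!\x1a\x07\x01\x00": "RAR5",
}
# Extensions that Windows will execute or script-host directly (hypothetical policy list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".dll", ".js", ".jse", ".vbs", ".vbe",
                   ".bat", ".cmd", ".ps1", ".hta", ".lnk", ".msi"}


def rar_flavour(payload: bytes):
    """Return 'RAR4', 'RAR5' or None based on the leading bytes, ignoring the file name."""
    for magic, label in RAR_MAGICS.items():
        if payload.startswith(magic):
            return label
    return None


def suspicious_name(filename: str):
    """Flag executable extensions, including disguised double extensions such as Invoice.pdf.exe."""
    stem, ext = os.path.splitext(filename.lower())
    if ext in EXECUTABLE_EXTS:
        inner = os.path.splitext(stem)[1]
        detail = f"double extension {inner}{ext}" if inner else ext
        return f"executable attachment ({detail})"
    return None


def scan_message(raw: bytes):
    """Return a list of {'file', 'reason'} findings for the attachments of one message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        ext = os.path.splitext(name.lower())[1]
        flavour = rar_flavour(payload)
        if flavour:
            # Content sniffing: the declared name does not control what the archiver opens.
            if ext != ".rar":
                findings.append({"file": name,
                                 "reason": f"{flavour} archive disguised as {ext or 'no extension'}"})
            else:
                findings.append({"file": name, "reason": f"{flavour} archive attachment"})
        reason = suspicious_name(name)
        if reason:
            findings.append({"file": name, "reason": reason})
    return findings


def build_sample_message() -> bytes:
    """Constructed phishing-style message for the example (all names and addresses invented)."""
    msg = EmailMessage()
    msg["From"] = "treasury-ops@example.com"
    msg["To"] = "payments@example.net"
    msg["Subject"] = "SWIFT payment confirmation - action required"
    msg.set_content("Please review the attached remittance advice.")
    msg.add_attachment(b"Rar!\x1a\x07\x01\x00" + bytes(32), maintype="application",
                       subtype="octet-stream", filename="Remittance_Advice.rar")
    msg.add_attachment(b"Rar!\x1a\x07\x00" + bytes(32), maintype="application",
                       subtype="pdf", filename="Statement_Q3.pdf")
    msg.add_attachment(b"MZ" + bytes(64), maintype="application",
                       subtype="octet-stream", filename="Invoice_4471.pdf.exe")
    msg.add_attachment("Meeting notes\n", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample_message()):
        print(f"{finding['file']}: {finding['reason']}")
```

Extending this to look inside the archive (for example with a sandboxed extractor) is where the real verdict is made; the point of the byte-level check is that it runs before any extraction and cannot be fooled by renaming the file.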
Microsoft September Updates Address Two Zero-Days
Microsoft's September 2025 Patch Tuesday addressed multiple security flaws, including eight rated critical and many rated important. Notably, two publicly disclosed zero-day vulnerabilities, CVE-2025-55234 (CVSS 8.8) and CVE-2024-21907 (CVSS 7.5), pose significant risk even though neither was reported as exploited in the wild. CVE-2025-55234 affects the Windows SMB Server and enables privilege escalation through relay attacks against hosts that do not enforce SMB signing or Extended Protection for Authentication (EPA); Microsoft's guidance is to enable both, and the update adds auditing so administrators can find clients that would break before enforcing them. CVE-2024-21907 is a denial-of-service flaw in the Newtonsoft.Json library shipped with SQL Server, where crafted JSON input can disrupt the service.
The most concerning flaw in this release is CVE-2025-55232 (CVSS 9.8), an unauthenticated remote code execution vulnerability in Microsoft HPC Pack, the high-performance computing cluster software, which makes it potentially wormable within a network. By reaching the affected service over its TCP port an attacker could achieve complete system compromise without user interaction, so restricting that port to trusted hosts is an interim mitigation where patching lags. Together these vulnerabilities underscore how overlapping attack surfaces across infrastructure components demand timely, coordinated patching to maintain a strong security posture.
Russian APT28 Deploys Sophisticated Backdoor NotDoor
Russian intelligence-linked APT28 has deployed a new backdoor called NotDoor, targeting multiple companies through Microsoft Outlook. The infection chain uses DLL side-loading: the legitimate Microsoft OneDrive executable is made to load a malicious SSPICLI.dll, which installs the VBA backdoor into Outlook, disables macro security protections, and establishes persistence through registry modifications. Once deployed, NotDoor monitors incoming emails for specific trigger phrases such as "Daily Report" and activates when a matching message arrives. The backdoor supports four primary commands: executing system commands and returning the output, executing commands silently, exfiltrating files, and uploading files to the victim's machine.
The malware uses custom encoding and obfuscation to evade detection, prepending random alphanumeric characters to Base64 strings so that they look encrypted without actually being so. Exfiltrated data is sent by email to attacker-controlled addresses, with files staged temporarily in system folders before transmission and then deleted. The backdoor also confirms successful execution on a target through DNS lookups to attacker-controlled names and webhook requests, which makes outbound DNS and webhook-style callbacks from Outlook or OneDrive processes a useful hunting signal.