ThreatsDay Bulletin: DNS Poisoning Flaw, Supply-Chain Heist, Rust Malware Trick and New RATs Rising

Phishing emails containing SVG file attachments targeting Colombian, Spanish-speaking individuals with themes relating to the Attorney General’s office of Colombia have been used to deliver PureHVNC RAT. “The emails entice the user to download an ‘official document’ from the judicial information system, which starts the infection chain of executing a Hijack Loader executable that leads to the PureHVNC Remote Access Trojan (RAT),” IBM X-Force said. The activity was observed between August and October 2025. The findings are notable because this is the first time Hijack Loader has been used in campaigns targeting the region, in addition to using the loader to distribute PureHVNC.

Peter Williams, 39, an Australian national, pleaded guilty in the U.S. in connection with selling his employer’s trade secrets to a Russian cyber-tools broker. Williams pleaded to two counts of theft of trade secrets stolen from U.S. defense contractor L3Harris Trenchant between 2022 and 2025. This included national-security-focused software that included at least eight sensitive and protected cyber-exploit components that were meant to be sold exclusively to the U.S. government and select allies. “Williams sold the trade secrets to a Russian cyber-tools broker that publicly advertises itself as a reseller of cyber exploits to various customers, including the Russian government,” the U.S. Department of Justice said. The defendant received payment in cryptocurrency from the sale of software exploits and used the illicit proceeds to buy luxury watches and other items. Charges against Williams came to light last week. While the name of the exploit broker was not disclosed, evidence points to Operation Zero, which has previously offered up to $4 million for Telegram exploits and $20 million for tools that could be used to break into Android and iPhone devices. Operation Zero advertises itself as the “only Russian-based zero-day vulnerability purchase platform.” Earlier this August, another United Arab Emirates-based startup named Advanced Security Solutions also announced rewards of up to $20 million for hacking tools that could help governments break into any smartphone with a text message.

Europol has highlighted the urgent need for a coordinated, multi-faceted approach to mitigate cross-border caller ID spoofing. “Caller ID spoofing drives financial fraud and enables social engineering scams, resulting in substantial economic and societal damage, with an estimated EUR 850 million lost worldwide annually,” the agency said. “The primary attack vectors are phone calls and texts, which allow malicious actors to manipulate the information displayed on a user’s caller ID, to show a false name or number that appears legitimate and trustworthy.” The technique, which accounts for roughly 64% of reported fraud cases involving phone calls and text messages, underpins a wide range of online fraud schemes and social engineering scams, costing an estimated €850 million ($990 million) worldwide each year.

To improve the security of users, Google said it will change Chrome’s default settings to navigate only to websites that support HTTPS. “We will enable the ‘Always Use Secure Connections’ setting in its public-sites variant by default in October 2026, with the release of Chrome 154,” the tech giant said. “Prior to enabling it by default for all users, in Chrome 147, releasing in April 2026, we will enable Always Use Secure Connections in its public-sites variant for the over 1 billion users who have opted-in to Enhanced Safe Browsing protections in Chrome.” The “Always Use Secure Connections” setting was introduced in Chrome in 2022, as an opt-in feature, and was turned on by default in Chrome 141 for a small percentage of users.

A cybersecurity assessment of 21 U.S. energy providers has identified 39,986 hosts with a total of 58,862 services exposed to the internet, according to SixMap. Roughly 7% of all exposed services are running on non-standard ports, creating blind spots as traditional exposure management and attack surface management products typically inspect only the top 1,000 to top 5,000 ports. The research also found that, on average, each organization had 9% of its hosts in the IPv6 space, another area of potential risk, as these assets are not tracked by traditional exposure management tools. “A total of 2,253 IP addresses were in the IPv6 space. That means, in aggregate, about 6% of IP addresses were running on IPv6 across all 21 enterprises,” SixMap said. What’s more, a total of 5,756 vulnerable services with CVEs were identified across all exposures. “Of the 5,756 CVEs that SixMap identified, 377 have been exploited in the wild,” it added. “Among those 377 CVEs known to be exploited, 21 are in vulnerable services running on non-standard ports, which indicates a very serious level of risk.”

Avast has released a free decryptor to allow victims of the Midnight ransomware to recover their files for free. Midnight ransomware typically appends the .Midnight or .endpoint extension to encrypted files. The ransomware is assessed to be based on an older version of the Babuk ransomware. Avast says “novel cryptographic modifications” made to the Babuk codebase introduced weaknesses that made decryption possible.

The threat actor known as Cloud Atlas has been observed targeting Russia’s agricultural sector using lures tied to an upcoming industry forum. The phishing campaign, detected this month, involves sending emails containing booby-trapped Microsoft Word documents that, when opened, trigger an exploit for CVE-2017-11882 in order to deliver a dropper that’s responsible for launching the VBShower backdoor. It’s worth noting that the hacking group weaponized the same flaw way back in 2023. Cloud Atlas is assessed to be a highly adaptable threat actor active since at least 2014, while also increasing its operational tempo in 2025, particularly against targets in Russia and Belarus. Earlier this January, Positive Technologies detailed Cloud Atlas’ use of cloud services like Google Sheets as command-and-control (C2) for VBShower and another PowerShell-based backdoor named PowerShower. In recent months, Russian organizations have also been targeted by GOFFEE (aka Paper Werewolf) and PhantomCore, with the latter also dropping a new Go backdoor dubbed PhantomGoShell via phishing emails that shares some similarities with PhantomRAT and PhantomRShell. Some of the other tools in the threat actor’s arsenal are PhantomTaskShell (a PowerShell backdoor), PhantomStealer (a Go-based stealer), and PhantomProxyLite (a tool that sets up an SSH tunnel between the host and the C2 server). The group is said to have managed to take control of 181 systems in the country during the course of the campaign between mid-May and late July 2025. Positive Technologies assessed that PhantomGoShell is the work of Russian-speaking members of gaming Discord communities who may have “received the backdoor source code and guidance from a member with a more established cybercriminal background” and that the group is a low-skilled offshoot of PhantomCore.

As many as 5,912 instances have been found vulnerable to CVE-2025-40778 (CVSS score: 8.6), a newly disclosed flaw in the BIND 9 resolver. “An off-path attacker could inject forged address data into the resolver cache by racing or spoofing responses,” Censys said. “This cache poisoning enables the redirection of downstream clients to attacker-controlled infrastructure without triggering fresh lookups.” A proof-of-concept (PoC) exploit for the vulnerability has been publicly made available. It’s advised to update to BIND 9 versions 9.18.41, 9.20.15, and 9.21.14, restrict recursion to trusted clients, enable DNSSEC validation, and monitor caches.

Researchers from Synacktiv have demonstrated that it’s possible to create a “Two-Face” Rust binary on Linux, which “runs a harmless program most of the time, but will run a different, hidden code if deployed on a specific target host.” At a high level, the schizophrenic binary follows a four-step process: (1) Extract disk partition UUIDs from the host, that uniquely identifies the target, (2) Derive a key embedded in the binary with the previous host data using HKDF, producing a new key, (3) Decrypt the “hidden” encrypted embedded binary data, from the derived key, and (4) If decryption succeeds, run the decrypted “hidden” program, else run the “normal” program.

Threat actors are leveraging an unusual technique that exploits invisible characters embedded within email subject lines to evade automated security filters. This attack method utilizes MIME encoding combined with Unicode soft hyphens to disguise malicious intent while appearing benign to human readers. The technique represents another evolution in phishing attacks, with bad actors finding novel ways to sidestep email filtering mechanisms that rely on keyword detection and pattern matching.

The CERT Coordination Center (CERT/CC) has disclosed that email message header syntax can be exploited to bypass authentication protocols such as SPF, DKIM, and DMARC, allowing attackers to deliver spoofed emails that appear to originate from trusted sources. Specifically, this involves abusing From: and Sender: fields to impersonate an email address for malicious purposes. “Using specialized syntax, an attacker can insert multiple addresses in the mail header From: field,” CERT/CC said. “Many email clients will parse the From: field to only display the last email address, so a recipient will not know that the email is supposedly from multiple addresses. In this way, an attacker can pretend to be someone familiar to the user.” To mitigate the threat, email service providers are urged to implement measures to ensure that authenticated outgoing email headers are properly verified before signing or relaying messages.

Authorities from Myanmar said they have demolished parts of KK Park by explosions, weeks after the country’s army raided in mid-October 2025 what has been described as a major hub for cybercrime operations. Thailand said it has set up temporary shelters for those who have fled Myanmar. Group-IB, which has observed a surge in investment scams conducted through online platforms in Vietnam, said threat actors are making use of fake companies, mule accounts, and even stolen identity documents purchased from underground markets to receive and move victim funds, allowing them to bypass weak Know Your Customer (KYC) or Know Your Business (KYB) controls. The scam operations often comprise different teams with clearly defined roles and responsibilities: (1) Target intelligence, who identify and profile potential victims, (2) Promoters, who create convincing personas on social media and entice victims into making investments on bogus platforms, in some cases using a chat generator tool to create fabricated conversations, (3) Backend operators, who are in charge of maintaining the infrastructure, and (4) Payment handlers, who launder the proceeds of the crime. “There is a growing trend in investment scams to use chatbots to screen targets and guide deposits or withdrawals,” the cybersecurity company said. “Scam platforms often include chat simulators to stage fake conversations and admin panels for backend control, providing insight into how operators manage victims and infrastructure.”

Austrian privacy group noyb has filed a criminal complaint against facial recognition company Clearview AI and its management, accusing the controversial facial recognition company of ignoring GDPR fines in France, Greece, Italy, and the Netherlands, and continuing to operate despite facing bans. In 2022, Austria found that Clearview AI’s practices violated GDPR, but neither fined the company nor directed the firm to no longer process the data. Clearview has faced scrutiny for scraping billions of photos of E.U. citizens without their permission and using the data for a facial recognition product sold to law enforcement agencies. “Clearview AI amassed a global database of photos and biometric data, which makes it possible to identify people within seconds,” nob’s Max Schrems said. “Such power is extremely concerning and undermines the idea of a free society, where surveillance is the exception instead of the rule.”

A new stealthy RAT called Atroposia has been advertised in the wild with hidden remote desktop takeover; clipboard, credential, and cryptocurrency wallet theft; DNS hijacking; and local vulnerability scanning capabilities, the latest addition to an already long list of “plug-and-play” criminal toolkits available for low-skilled threat actors. The modular malware is priced at roughly $200 per month, $500 every three months, or $900 for six months. “Its control panel and plugin builder make the tool surprisingly easy to operate, lowering the skill required to run complex attacks,” Varonis said. “Atroposia’s affordability and user-friendly interface make it accessible even to low- and no-skill attackers.” The emergence of Atroposia continues the commodification of cybercrime, arming threat actors with an all-in-one tool to facilitate a wide spectrum of malicious actions against enterprise environments.

Threat actors are continuing to leverage ClickFix-style social engineering lures to distribute loaders for NetSupport RAT, ultimately leading to the deployment of the trojan. “NetSupport Manager is a legitimate RMM that continues to see usage by threat actors for unauthorized/full remote control of compromised machines and is primarily distributed via the ClickFix initial access vector,” eSentire said. The development coincides with a spike in phishing campaigns distributing fileless versions of Remcos RAT. “Remcos is advertised as legitimate software that can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns,” CyberProof said. “Once installed, Remcos opens a backdoor on the device/computer, granting full access to the remote user.”

Users of LinkedIn, take note. The Microsoft-owned professional social media network previously announced changes to its data use terms several weeks ago, noting that starting next week, it would start using data from “members in the E.U., E.E.A., Switzerland, Canada, and Hong Kong” to train artificial intelligence (AI) models. “On November 3, 2025, we’ll start to use some data from members in these regions to train content-generating AI models that enhance your experience and better connect our members to opportunities,” the company said. “This may include data like details from your profile, and public content you post on LinkedIn; it does not include your private messages.”

While more than 70 countries formally signed a U.N. treaty on cybercrime to collaborate and tackle cybercrime, the U.S. has been a notable exception. According to The Record, the State Department said the U.S. continues to review the treaty but has yet to sign it.

The average ransom payment during the third quarter of 2025 was $376,941, a 66% decline from Q2 2025. The media ransom payment stood at $140,000, which is a 65% drop from the previous quarter. Ransom payment rates across encryption, data exfiltration, and other extortion fell to a historical low of 23% in Q3 2025, down from a high of 85% in Q1 2019. This indicates that large enterprises are increasingly refusing to pay up, forcing “ransomware actors to be less opportunistic and more creative and targeted when choosing their victims,” Coveware said, adding “shrinking profits are driving greater precision. Initial ingress costs for the actors will increase dramatically, which forces them to target large enterprises that can pay a large ransom.” Akira, Qilin, Lynx, ShinyHunters, and KAWA4096 emerged as some of the most prevalent ransomware variants during the time period.

Major U.S. energy companies are being impersonated in phishing attacks, with threat actors setting up fake domains masquerading as Chevron, ConocoPhillips, PBF Energy, and Phillips 66. Hunt.io said it logged more than 1,465 phishing detections linked to this sector over the past 12 months. “Attackers relied on cheap cloning tools [like HTTrack] to stand up hundreds of lookalike sites, many of which stayed online for months without vendor detections,” the company said.

The threat actor tracked by QiAnXin under the moniker UTG-Q-010 has targeted Hong Kong’s financial system and high-value investors on the mainland through supply chain attacks that are designed to “steal large sums of money or manipulate the market to reap huge profits.” The supply chain attacks entail the distribution of trojanized installation packages via the official websites of Hong Kong-based financial institutions Jinrong China (“jrjr[.]hk”) and Wanzhou Gold (“wzg[.]com”) that lead to the deployment of AdaptixC2, a free and open-source C2 framework.