Daily Security Briefing 018


September 22, 2025

Iranian APT targets Europe with new malware, Stellantis suffers a data breach, Lucid PhaaS runs 17,500 phishing sites globally


Executive Summary

Cybersecurity threats continue to escalate as advanced persistent threats (APTs) expand their geographical reach and tactics, notably the Iranian group Nimbus Manticore targeting European aerospace and defense sectors. Meanwhile, major corporations like Stellantis confirm data breaches exposing customer data through third-party service vulnerabilities. The criminal ecosystem thrives on highly industrialized phishing-as-a-service platforms such as Lucid, which operate tens of thousands of fraudulent domains worldwide. Attackers are also leveraging novel exploitation techniques, including abusing Oracle Database Scheduler functionalities for stealthy corporate network infiltration. The steady discovery of vulnerabilities in widely used platforms and software underscores the persistent need for vigilance and rapid patching to curb emerging risks.


Top Articles

Iranian Threat Actor Nimbus Manticore Expands Campaigns into Europe with Advanced Malware and Fake Job Lures
Check Point Research reveals that Iranian APT group Nimbus Manticore is broadening its offensive to include European aerospace, defense, and telecom sectors. The group uses sophisticated social engineering campaigns, including fake job portals and spear-phishing, to distribute malware such as MiniJunk and MiniBrowse. These threats facilitate network infiltration and espionage while impersonating prominent organizations to deceive targets.
Checkpoint

Stellantis Confirms Data Breach Affecting Citroën, Fiat, Jeep, and More
Automaker Stellantis has disclosed a data breach impacting its North American customer service platforms through unauthorized access to a third-party service provider. The breach potentially affects customers across several brands including Citroën, Fiat, and Jeep. Although the company reports limited data exposure, the incident highlights vulnerabilities arising from service provider interdependencies.
GbHackers

17,500 Phishing Sites Run by Lucid PhaaS Target 316 Brands Across 74 Countries
Netcraft researchers uncovered two large-scale phishing operations powered by Lucid and Lighthouse Phishing-as-a-Service platforms. These campaigns host over 17,500 phishing sites impersonating 316 global brands, demonstrating the industrial scale of subscription-based phishing services. Lucid’s platform uses sophisticated anti-monitoring techniques, vastly extending the reach of cybercriminal phishing infrastructure.
CyberPress

Threat Actors Exploit Oracle Database Scheduler to Infiltrate Corporate Networks
Emerging reports indicate that attackers are misusing Oracle Database Scheduler’s External Jobs to execute arbitrary commands on corporate servers. By abusing the extjobo.exe executable, threat actors run encoded PowerShell scripts, establish encrypted tunnels via Ngrok, and deploy ransomware while erasing traces to evade detection. This technique enables covert network compromise and rapid privilege escalation.
GbHackers
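The chain summarized above (Scheduler external-job runner spawning encoded PowerShell, then a tunnelling binary) maps directly onto process-creation telemetry. The following is an added detection example, not code from the article or from Oracle: it triages Sysmon-style events, decodes the `-EncodedCommand` payload for the analyst, and flags only children of the external-job runner. The runner name extjobo.exe is taken from the article; extjob.exe, the ngrok.exe tunnel-tool name, the file paths and the sample events are assumptions constructed for the example.

```python
import base64
import re

# Added example: triage of process-creation events for the Oracle Scheduler External Job abuse
# described above. The runner name extjobo.exe comes from the article; extjob.exe is assumed.
ORACLE_JOB_RUNNERS = {"extjobo.exe", "extjob.exe"}
TUNNEL_TOOLS = {"ngrok.exe"}                     # assumption: tunnelling binaries worth flagging
ENC_FLAG = re.compile(r"(?i)\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXTJOBO = r"C:\oracle\product\19c\bin\extjobo.exe"
ENCODED_WHOAMI = base64.b64encode("whoami".encode("utf-16-le")).decode()

# Constructed sample events (Sysmon-style fields), not real telemetry.
SAMPLE_EVENTS = [
    {"host": "db01", "parent": EXTJOBO, "image": PS, "cmdline": "powershell.exe -nop -w hidden -enc " + ENCODED_WHOAMI},
    {"host": "db01", "parent": EXTJOBO, "image": r"C:\Users\Public\ngrok.exe", "cmdline": "ngrok.exe tcp 3389"},
    {"host": "db01", "parent": EXTJOBO, "image": r"C:\oracle\scripts\backup.bat", "cmdline": "backup.bat"},
    {"host": "app02", "parent": r"C:\Windows\explorer.exe", "image": PS, "cmdline": "powershell.exe -enc " + ENCODED_WHOAMI},
]

def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE) or None if absent."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable>"   # still worth an alert: a malformed payload is not benign

def triage(events):
    """Flag children of the Oracle external-job runner that are encoded PowerShell or a tunnel tool."""
    findings = []
    for ev in events:
        if basename(ev["parent"]) not in ORACLE_JOB_RUNNERS:
            continue   # encoded PowerShell elsewhere is a separate detection; out of scope here
        child = basename(ev["image"])
        decoded = decode_encoded_command(ev["cmdline"]) if child == "powershell.exe" else None
        if decoded is not None:
            findings.append({"host": ev["host"], "rule": "oracle-extjob-encoded-powershell", "detail": decoded})
        elif child in TUNNEL_TOOLS:
            findings.append({"host": ev["host"], "rule": "oracle-extjob-tunnel-tool", "detail": ev["cmdline"]})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The benign backup.bat job and the encoded PowerShell launched from explorer.exe are deliberately not flagged, so the rule stays scoped to the Scheduler runner rather than alerting on every encoded command.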

Gamers Warned as BlockBlasters Patch Installs Malicious Software
The popular game BlockBlasters was removed from Steam after a late-August update was found to deliver malware capable of stealing sensitive user data. Developed by Genesis Interactive, the game had favorable reviews until the patch introduced malicious components affecting hundreds of players. This incident serves as a warning about supply chain risks in gaming software.
CyberPress

Details About Chinese Surveillance and Propaganda Companies
Leaked documents reveal the organizational complexity behind China’s Great Firewall, showing the operations resemble those in Western surveillance tech. The company Geedge collaborates with academic institutions and adapts its strategy to varying clients, repurposing competitor infrastructure to build surveillance and propaganda tools. This illuminates parallels in global surveillance ecosystems beyond government frameworks.
Schneier

ComicForm and SectorJ149 Hackers Deploy Formbook Malware in Eurasian Cyberattacks
A new hacking group named ComicForm has been conducting phishing campaigns since at least April 2025, targeting organizations in Belarus, Kazakhstan, and Russia. Their attacks focus on industrial, financial, tourism, biotechnology, research, and trade sectors, distributing Formbook malware as part of their operation chains, according to cybersecurity firm F6.
TheHackerNews

⚡ Weekly Recap: Chrome 0-Day, AI Hacking Tools, DDR5 Bit-Flips, npm Worm & More
This week’s overview highlights the accelerating pace of cyber threats where adversaries rapidly exploit freshly patched and legacy vulnerabilities alike. Topics include a recent Chrome zero-day, evolving AI-powered hacking tools, hardware-level bit-flip attacks on DDR5 memory, and a worm infecting npm packages—emphasizing continuous adaptation and innovation among attackers.
TheHackerNews

American Archive of Public Broadcasting Fixes Bug Exposing Restricted Media
A vulnerability in the American Archive of Public Broadcasting website allowed unauthorized downloading of protected media for years. The flaw was quietly patched this month, preventing further access to restricted content and highlighting a significant data risk within publicly funded media archives.
BleepingComputer

A Conversation With Harry Wetherald, Co-Founder & CEO at Maze
Harry Wetherald discusses how AI is revolutionizing vulnerability management by shifting from generic reports to context-aware workflows that empower security teams and developers alike. The conversation addresses ongoing remediation challenges in vulnerability prioritization and management, showcasing Maze’s approach to modern application security.
Omny


AI Transparency: This newsletter uses AI to curate, rank, and summarize cybersecurity content from leading industry blogs. All articles link directly to original authors. Executive summaries are AI-generated based on article content. I curate the sources and deliver the digest—the original authors deserve the credit for their excellent work.

