Daily BlueTeamSec Briefing

September 17, 2025

This briefing covers security developments from Monday, September 16th, 2025, reviewing fifteen articles published between 1600 and 0503 hours.

Threat Intelligence

Chinese state-sponsored group TA415 conducted extensive spearphishing campaigns throughout July and August targeting US government, think tanks, and academic organizations focused on US-China economic relations, masquerading as officials from the Select Committee on Strategic Competition and the US-China Business Council to establish Visual Studio Code Remote Tunnels for persistent access. APT28 launched Operation Phantom Net Voxel while Mustang Panda deployed updated Toneshell backdoors and a novel SnakeDisk USB worm. North Korean threat actors shifted tactics, using ClickFix social engineering lures to target cryptocurrency and retail sector marketing and trading roles rather than their typical software developer targets, distributing compiled BeaverTail and InvisibleFerret malware executables. The RevengeHotels group intensified operations across Latin America, deploying VenomRAT against hospitality sector targets using increasingly sophisticated AI-enhanced attack methods.

Russian cybercrime networks continue expanding operations: the Spanish leader of the NoName057 group, Enrique Arias Gil, was placed on Europol's most wanted list after the group's attacks on European institutions during Spain's 2023 elections. The founder of BreachForums received a three-year prison sentence for operating one of the world's largest criminal data marketplaces. Vane Viper, operating through the Cypriot holding company AdTech Holding, generated approximately one trillion DNS queries across customer networks over the past year through its malicious advertising network.

Malware

A large-scale npm supply chain attack compromised 187 packages, including packages published by CrowdStrike, deploying the Shai Hulud worm malware, which automatically harvests secrets, creates malicious GitHub repositories, and attempts to establish data exfiltration workflows through webhook endpoints.

Vulnerabilities

The BitPixie vulnerability in Windows Boot Manager allows attackers to bypass BitLocker encryption by exploiting a PXE soft reboot flaw that fails to erase encryption keys from memory, potentially enabling privilege escalation on systems where the BitLocker PIN is known. Researchers demonstrated Phoenix Rowhammer attacks that successfully bypass DDR5 in-DRAM protections on all tested SK Hynix devices, achieving privilege escalation in default PC configurations within 109 seconds.

Tools

Security researchers released hermes-dec, a new reverse engineering tool for decompiling React Native Hermes bytecode, and introduced the Sec-Gemini autonomous digital forensic agent, integrated with Timesketch, for automated timeline analysis and threat hunting across large log volumes.

Articles Covered