This briefing covers security developments from Sunday, September 22nd through Monday, September 23rd, 2025, reviewing nine articles from InfoSec blue team feeds.
Threat Intelligence.
North Korean APT group Kimsuky launched sophisticated phishing campaigns in July targeting victims with fake sex offender notifications and tax documents. The attacks use ZIP archives containing password-protected decoy documents and disguised shortcut files that execute mshta.exe to download encrypted payloads from command and control servers, ultimately stealing browser data, cryptocurrency wallets, NPKI certificates, and keylogging information.
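A defender-side illustration of the mshta.exe stage in the chain above: the check below is an added example written for this briefing, not code from any of the summarized articles. It scans constructed process-creation events (a pipe-separated parent image, image and command line; the field layout and the 198.51.100.7 documentation address are assumptions) and flags mshta.exe when it is handed a remote URL or UNC path, an inline vbscript:/javascript: body, or is spawned directly from Explorer, which is what a double-clicked shortcut in an extracted archive looks like in telemetry.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample events (not real telemetry): parent image | image | command line.
SAMPLE_EVENTS = [
    "explorer.exe|mshta.exe|mshta.exe http://198.51.100.7/notice.hta",
    "explorer.exe|winword.exe|winword.exe C:\\Users\\a\\Downloads\\tax_document.docx",
    "cmd.exe|mshta.exe|mshta.exe C:\\Program Files\\Vendor\\setup.hta",
    "explorer.exe|mshta.exe|mshta.exe vbscript:Execute(\"...\")",
    "svchost.exe|notepad.exe|notepad.exe readme.txt",
]

# Remote content: an http(s) URL or a UNC path (\\host\share).
REMOTE_ARG = re.compile(r"https?://|\\\\[^\\]+\\", re.IGNORECASE)
# Script body passed directly on the command line instead of a file.
INLINE_SCRIPT = re.compile(r"\b(vbscript|javascript):", re.IGNORECASE)


@dataclass
class Finding:
    parent: str
    command_line: str
    reason: str


def classify_event(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious mshta.exe launch, else None."""
    parent, image, cmdline = line.split("|", 2)
    if image.lower() != "mshta.exe":
        return None
    if REMOTE_ARG.search(cmdline):
        return Finding(parent, cmdline, "mshta.exe fetching remote content")
    if INLINE_SCRIPT.search(cmdline):
        return Finding(parent, cmdline, "mshta.exe executing inline script")
    if parent.lower() == "explorer.exe":
        # Launched from the shell rather than an installer: typical of a
        # disguised .lnk being double-clicked after extraction from a ZIP.
        return Finding(parent, cmdline, "mshta.exe launched from Explorer")
    return None


def scan(events: List[str]) -> List[Finding]:
    """Apply classify_event to every line and keep only the hits."""
    return [f for f in map(classify_event, events) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"{finding.reason}: {finding.command_line} (parent {finding.parent})")
```

The third sample (cmd.exe running a local .hta under Program Files) is deliberately not flagged: the rule keys on where the content comes from and who launched it, not on mshta.exe alone, which keeps noise down in environments where legitimate HTA installers exist.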
The Pseudo Hunter APT group, also known as APT-Q-12, continues targeting Asian nations including China, Korea, Japan and Singapore through VHDX file attachments in Belt and Road Initiative-themed phishing emails. This Northeast Asian threat actor uses GitHub repositories to host encrypted payloads and deploys its custom NAKSOO remote access trojan, which has been actively developed since 2018 and is currently at version 3.1.14.
The Elons ransomware group, linked to Proxima and Black Shadow operations, is exploiting Oracle Database External Jobs functionality to deploy ransomware. This technique allows attackers to execute system commands directly through database vulnerabilities, representing a novel attack vector against enterprise database infrastructure.
Malware.
A Steam game called BlockBlasters received a malicious patch on August 30th that contains information-stealing malware targeting cryptocurrency wallet data. This continues a troubling trend of legitimate gaming platforms being compromised, following similar incidents with PirateFi and Chemia games earlier this year, potentially affecting hundreds of users.
SystemBC malware continues generating significant network noise and serving as a backdoor for multiple threat actors across various campaigns.
Vulnerabilities.
CVE-2025-10035 represents a critical unauthenticated remote code execution vulnerability in GoAnywhere MFT file transfer software. A new Nuclei detection template is now available that identifies vulnerable instances by extracting version numbers from login pages and matching them against affected version ranges.
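The version-banner approach described above, as an added example rather than the actual Nuclei template: pull the version string out of a login page and compare it against affected ranges using tuple ordering, so that 7.10.0 sorts after 7.9.0 correctly instead of as a string. The HTML fragment is constructed and the affected range is a placeholder; the briefing does not list the real affected versions for CVE-2025-10035, so those must come from the vendor advisory.

```python
import re
from typing import List, Optional, Tuple

Version = Tuple[int, ...]
VersionRange = Tuple[Version, Version]  # inclusive lower bound, exclusive upper bound

# Constructed login-page fragment; the markup is an assumption, not the product's real page.
SAMPLE_LOGIN_PAGE = """
<html><body>
<div class="login"><span id="version">Version 7.6.2</span></div>
</body></html>
"""

# Placeholder range for illustration only, not the real affected versions.
PLACEHOLDER_AFFECTED: List[VersionRange] = [((7, 0, 0), (7, 8, 4))]

VERSION_RE = re.compile(r"Version\s+(\d+(?:\.\d+)+)")


def extract_version(html: str) -> Optional[Version]:
    """Return the dotted version from the page as a tuple of ints, or None if absent."""
    m = VERSION_RE.search(html)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(version: Version, ranges: List[VersionRange]) -> bool:
    """True if version falls inside any [low, high) range; tuples compare numerically."""
    return any(low <= version < high for low, high in ranges)


def check_page(html: str, ranges: List[VersionRange] = PLACEHOLDER_AFFECTED) -> str:
    """Classify a page as 'affected', 'not-affected' or 'unknown' (no version found)."""
    version = extract_version(html)
    if version is None:
        return "unknown"
    return "affected" if is_affected(version, ranges) else "not-affected"


if __name__ == "__main__":
    print(extract_version(SAMPLE_LOGIN_PAGE), check_page(SAMPLE_LOGIN_PAGE))
```

Treat "unknown" as a result to follow up on rather than a pass: operators who strip or alter the version banner, or who front the login page with a proxy, will defeat this check in both directions, so a banner match is a triage signal and the patch level should be confirmed from the host itself.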
Tools.
New guidance on OAuth attack defense strategies highlights the evolving threat landscape around authentication protocols. Additionally, frameworks for improving cyber threat intelligence communication and reporting have been published to help analysts deliver more actionable intelligence assessments.