Daily BlueTeamSec Briefing

September 24, 2025

This briefing covers security developments from Monday, September 23rd through Tuesday, September 24th, 2025, reviewing 16 articles from various threat intelligence sources.

Threat Intelligence

Chinese-speaking threat actors continue to expand their operations with multiple sophisticated campaigns. Operation Rewrite, tracked as CL-UNK-1037, is a large-scale SEO poisoning campaign that uses BadIIS malware to compromise IIS servers across East and Southeast Asia, redirecting visitor traffic to gambling and adult content sites for financial gain. Separately, researchers have linked the Naikon APT group to a new PlugX variant that shares code and infrastructure with the RainyDay and Turian backdoors; the variant has been used against telecommunications and manufacturing organizations in Central and South Asian countries since 2022.

The RomCom malware has evolved through five distinct iterations, showing increasing sophistication in operations aligned with Russian Federation interests. AttackIQ researchers have released seven new adversary emulations based on RomCom's tactics; the group's targeting has expanded beyond its initial Ukraine and NATO focus to include government, defense, and humanitarian organizations. Additionally, Node.js backdoor campaigns are delivering proxyware applications, including Infatica, Honeygain, earnFM, and PacketLab, through malicious installers that gain persistence by creating scheduled tasks.

Malware

Zscaler ThreatLabz has identified YiBackdoor, a new malware family first observed in June 2025 that shares significant code overlap with IcedID and Latrodectus. The malware supports system information collection, screenshot capture, arbitrary command execution, and plugin deployment, though the limited number of deployments suggests it may still be in a development or testing phase. Researchers are also tracking large-scale attacks against Mac systems that use GitHub Pages sites impersonating legitimate companies to deliver stealer malware, though specific technical details remain limited.

Vulnerabilities

Libraesva ESG email security appliances are affected by CVE-2025-59689, a command injection vulnerability triggered by a malicious compressed email attachment that allows arbitrary command execution as a non-privileged user. The flaw affects versions 4.5 and above; patches were deployed automatically to versions 5.0 through 5.5, while the end-of-support 4.x versions require a manual upgrade. Quarkslab researchers have detailed exploitation of CVE-2025-8061 in Lenovo's LnvMSRIO.sys driver, demonstrating how a BYOVD (bring your own vulnerable driver) attack can achieve Ring-0 code execution; the fix is included in driver versions 3.1.0.41 and above, released in September.

Tools

Linux Kernel Runtime Guard (LKRG) has reached version 1.0, providing runtime integrity checking and exploit detection for Linux kernels. Synacktiv researchers have published techniques for backdooring Chromium-based browsers by forcing extension loading within Windows domains, achieving complete compromise of the browser. GitHub has also announced new security initiatives for the npm supply chain, though specific implementation details were not provided in the available content.
