Daily BlueTeamSec Briefing

September 26, 2025

SECURITY BRIEFING SCRIPT

INTRODUCTION:
Yesterday's security developments, from Thursday, September 25, 2025, include fourteen articles covering threat intelligence, malware discoveries, vulnerabilities, and detection techniques.

THREAT INTELLIGENCE.

Margin Research published analysis on recent developments in China's People's Liberation Army cyber education and training programs, providing insights into how the PLA is structuring its military cyber capabilities development. This intelligence offers blue team defenders valuable context about the institutional backing of potential Chinese state-sponsored threats.

Unit 42 documented the evolution of a threat actor from "Bookworm" to "Stately Taurus" using Palo Alto's attribution framework methodology. The research provides insights into the threat actor's tactics, techniques, and procedures that can help security teams better identify and defend against this group's activities.

Microsoft published analysis on new developments in the XCSSET malware family, which continues to evolve its capabilities and attack methods. The analysis provides updated indicators of compromise and behavioral patterns for enhanced defensive postures.

Censys researchers investigated the prevalence of publicly accessible Ollama instances on the internet. These open instances pose security risks when exposed without proper authentication, potentially allowing attackers to consume computational resources or access sensitive data.

Recorded Future reported on RedNovember, an active threat actor specifically targeting government, defense, and technology sector organizations. This appears to be a sophisticated adversary that defenders in these critical sectors should prioritize monitoring.

CISA issued Emergency Directive 25-03 instructing federal agencies to identify and mitigate potential compromises of Cisco network devices. The directive indicates an active threat against Cisco infrastructure that requires immediate attention from network defenders.

ESET documented the evolution of cybercriminal tactics from basic cryptocurrency theft to advanced AI-powered deception techniques. Threat actors are increasingly leveraging artificial intelligence to enhance their social engineering capabilities.

DomainTools published an in-depth analysis of Salt Typhoon, a Chinese state-sponsored APT group operating with backing from both government and corporate entities. This hybrid state-corporate threat model represents an evolution in APT operations.

The UK's National Cyber Security Centre warned of an ongoing malware campaign specifically targeting Cisco networking devices, requiring immediate attention from defenders to assess their Cisco device security posture.

MALWARE.

Koi Security researchers discovered the first malicious Model Context Protocol implementation in the wild, disguised as a legitimate Postmark email service package on NPM. This backdoor specifically targets email communications, representing a new attack vector as MCP adoption grows.

The Rust Security Response Working Group identified two malicious crates named faster_log and async_println on crates.io, Rust's official package registry, highlighting ongoing supply chain security risks in open-source package repositories.

VULNERABILITIES.

Wiz researchers discovered active exploitation of a zero-day vulnerability involving insecure use of the pandoc document conversion tool, detected by hunting for anomalous behaviors in Instance Metadata Service traffic.

Ice0 researchers discovered over 150 misconfigured Firebase databases and storage buckets that were publicly accessible without authentication, representing a widespread configuration vulnerability affecting multiple organizations using Google's Firebase platform.
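The Firebase finding comes down to rules that grant read or write access to anyone. The following is an added example, not code from the briefing or from the Ice0 research: a small linter for Firebase Realtime Database security rules that reports nodes readable or writable without authentication, shown against a constructed weak rules document, a partially hardened one, and a hardened one. The rule semantics assumed are Firebase's documented ones (`.read` and `.write` take a boolean or an expression string, and a grant at a node cascades to all of its children); the sample documents themselves are constructed.

```python
"""Added example (not from the briefing or the Ice0 research): lint Firebase
Realtime Database rules for grants that do not depend on the caller's identity.

Assumed rule semantics (Firebase's documented behaviour): `.read` / `.write`
take either a boolean or an expression string, and a permission granted at a
node cascades to every child node, where it cannot be revoked.
"""
import json

# Constructed: the kind of rules document behind an openly readable database.
WEAK_RULES = json.loads("""
{
  "rules": {
    ".read": true,
    ".write": true
  }
}
""")

# Constructed: the same database scoped so each signed-in user reaches only their own subtree.
HARDENED_RULES = json.loads("""
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    }
  }
}
""")

# Constructed: partially hardened, with a string "true" and a check that never looks at auth.
MIXED_RULES = json.loads("""
{
  "rules": {
    "public": { ".read": "true" },
    "inventory": { ".write": "newData.exists()" },
    "users": { "$uid": { ".read": "auth.uid == $uid", ".write": "auth.uid == $uid" } }
  }
}
""")


def classify(expr):
    """Severity for one .read/.write value, or None if the expression consults auth."""
    if expr is True or (isinstance(expr, str) and expr.strip().lower() == "true"):
        return "public"          # granted to everyone, including unauthenticated clients
    if isinstance(expr, str) and "auth" not in expr:
        return "no-auth-check"   # conditional, but independent of who is calling
    return None


def lint_rules(doc):
    """Walk the rules tree and return (path, key, severity) for each weak grant.
    Because grants cascade, a 'public' finding at '/' covers the whole database."""
    findings = []

    def walk(node, path):
        for key, value in node.items():
            if key in (".read", ".write"):
                severity = classify(value)
                if severity:
                    findings.append((path or "/", key, severity))
            elif key.startswith("."):
                continue           # .validate / .indexOn do not grant access
            elif isinstance(value, dict):
                walk(value, f"{path}/{key}")

    walk(doc.get("rules", {}), "")
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_RULES), ("mixed", MIXED_RULES), ("hardened", HARDENED_RULES)):
        print(name, lint_rules(doc) or "no findings")
```

Run against an exported rules document, the linter gives the same answer an external scan would, before the database is exposed: any `public` finding at the root means every path in the database is open, and `no-auth-check` findings mark conditions that gate on data shape rather than identity.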

TOOLS.

Mr.Anythink published detection methodologies for hunting malicious use of PsExec.exe, a legitimate Microsoft Sysinternals tool frequently abused by attackers for lateral movement and remote code execution. The content provides hunting strategies to distinguish between legitimate administrative use and potential threat actor abuse.
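To make the legitimate-versus-abuse distinction concrete, here is an added example that is not code from the briefing or from Mr.Anythink's write-up: a scoring pass over constructed Sysmon-style process-creation records that separates PsExec use from expected jump hosts and admin accounts from use that warrants a closer look. The heuristics and allowlists are assumptions to be checked against your own telemetry: that PsExec.exe and PsExec64.exe carry the OriginalFileName `psexec.c` in their PE version info (so that value under another file name indicates a renamed copy), that commands launched through PsExec run on the remote host as children of `PSEXESVC.exe`, and that the constructed host and account allowlists reflect where administrative use actually originates.

```python
"""Added example (not from the briefing or Mr.Anythink's write-up): score
constructed Sysmon Event ID 1 records for PsExec activity that falls outside
the expected administrative pattern.

Assumptions (ours, verify against your own telemetry):
  * PsExec.exe / PsExec64.exe carry OriginalFileName "psexec.c", so that value
    under a different on-disk name points at a renamed copy.
  * On the remote host, commands launched via PsExec are children of PSEXESVC.exe.
  * Legitimate use here originates only from the constructed allowlists below.
"""
from __future__ import annotations

from dataclasses import dataclass

ADMIN_HOSTS = {"JUMP01", "JUMP02"}                   # constructed allowlist
ADMIN_USERS = {"CORP\\it_admin", "CORP\\svc_patch"}  # constructed allowlist
PSEXEC_CLIENT_NAMES = {"psexec.exe", "psexec64.exe"}
THRESHOLD = 40


@dataclass
class ProcEvent:
    """The Sysmon Event ID 1 fields the heuristics below need."""
    host: str
    user: str
    image: str
    original_file_name: str
    parent_image: str
    command_line: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcEvent) -> tuple[int, list[str]]:
    """Return (score, reasons); 0 means not PsExec-related or matching the expected pattern."""
    score, reasons = 0, []
    image = _basename(ev.image)
    parent = _basename(ev.parent_image)
    is_client = ev.original_file_name.lower() == "psexec.c" or image in PSEXEC_CLIENT_NAMES
    is_remote_child = parent == "psexesvc.exe"
    if not (is_client or is_remote_child):
        return 0, reasons

    if is_client:
        if image not in PSEXEC_CLIENT_NAMES:
            score += 40
            reasons.append(f"PsExec running under a different file name: {image}")
        if ev.host not in ADMIN_HOSTS:
            score += 25
            reasons.append(f"launched from non-jump host {ev.host}")
        if ev.user not in ADMIN_USERS:
            score += 25
            reasons.append(f"launched by non-admin account {ev.user}")

    if is_remote_child:
        cmd = ev.command_line.lower()
        if "powershell" in image and ("-enc" in cmd or "-w hidden" in cmd or "-windowstyle hidden" in cmd):
            score += 50
            reasons.append("encoded or hidden PowerShell spawned by PSEXESVC.exe")
    return score, reasons


def hunt(events: list[ProcEvent], threshold: int = THRESHOLD) -> list[tuple[str, int, list[str]]]:
    """Events at or above the threshold, highest score first."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev.host, score, reasons))
    return sorted(hits, key=lambda h: -h[1])


# Constructed sample telemetry: two expected patterns, two that should surface.
SAMPLE_EVENTS = [
    ProcEvent("JUMP01", "CORP\\it_admin", "C:\\Tools\\PsExec64.exe", "psexec.c",
              "C:\\Windows\\System32\\cmd.exe", "PsExec64.exe \\\\FS01 -s ipconfig /all"),
    ProcEvent("WKSTN-22", "CORP\\jdoe", "C:\\Users\\jdoe\\AppData\\Local\\Temp\\svchost_.exe",
              "psexec.c", "C:\\Windows\\explorer.exe", "svchost_.exe \\\\FS01 cmd.exe"),
    ProcEvent("FS01", "NT AUTHORITY\\SYSTEM",
              "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "PowerShell.EXE",
              "C:\\Windows\\PSEXESVC.exe", "powershell -nop -w hidden -enc <CONSTRUCTED_BASE64>"),
    ProcEvent("FS01", "NT AUTHORITY\\SYSTEM", "C:\\Windows\\System32\\ipconfig.exe", "ipconfig.exe",
              "C:\\Windows\\PSEXESVC.exe", "ipconfig /all"),
]

if __name__ == "__main__":
    for host, score, reasons in hunt(SAMPLE_EVENTS):
        print(f"{host}: score {score}")
        for reason in reasons:
            print(f"  - {reason}")
```

The point of scoring rather than alerting on any PsExec sighting is that the same binary, run by the same accounts from the same jump hosts, is routine in most estates; the signal lives in the combination of renamed binary, unexpected source, unexpected account, and what PSEXESVC.exe spawns on the target.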
