Daily BlueTeamSec Briefing

September 29, 2025

INTRODUCTION:
Yesterday's security developments from Sunday, September 28, 2025. We reviewed 10 articles across threat intelligence, malware analysis, vulnerabilities, and security tools.

MAIN CONTENT:

Threat Intelligence.

Stormshield published threat-hunting research on infrastructure potentially associated with APT35 (also known as Charming Kitten), an Iranian state-sponsored threat group. The analysis also examined the Crypt888 ransomware variant. Blue team defenders should monitor for APT35 tactics and implement detection rules for Crypt888 indicators.

Pure released analysis on Iranian cyber operations targeting Middle Eastern port facilities between 2022 and 2024. The research documents sophisticated attacks against maritime infrastructure using custom malware, spear-phishing, and SCADA system exploitation. These operations demonstrate how state-sponsored actors are targeting operational technology in strategic infrastructure.

Netresec identified Gh0stKCP, a malicious variant of the UDP-based KCP transport protocol, in use by malware families including PseudoManuscrypt and ValleyRAT. The protocol lets threat actors run low-latency command-and-control channels over UDP, which can slip past network monitoring that concentrates on TCP. The researchers note that CapLoader can identify the protocol through statistical analysis of the traffic.
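The following is an added example, not code from Netresec or from the article. It shows one structural check a defender can run over the payloads of a UDP flow: parse each datagram against the public 24-byte KCP segment header (conv, cmd, frg, wnd, ts, sn, una, len, little-endian, with command codes 81 to 84) and flag the flow if every datagram parses, all segments share one conversation id, and PUSH sequence numbers only increase. It assumes the standard KCP framing from the reference implementation; whatever Gh0stKCP changes in that framing is not modelled here, and CapLoader's own statistical method is something else entirely. The sample flows are constructed inline.

```python
import struct

# Standard KCP segment header (24 bytes, little-endian) from the public
# reference implementation: conv, cmd, frg, wnd, ts, sn, una, len.
# Assumption: Gh0stKCP's deviations from this layout are not handled.
KCP_HEADER = struct.Struct("<IBBHIIII")
KCP_CMDS = {81: "PUSH", 82: "ACK", 83: "WASK", 84: "WINS"}


def parse_kcp_datagram(payload):
    """Split one UDP payload into KCP segments.

    Returns a list of header dicts if the whole payload is consumed by
    well-formed segments, otherwise None. A datagram may carry several
    segments back to back, as KCP's flush routine packs them.
    """
    segments = []
    offset = 0
    while offset + KCP_HEADER.size <= len(payload):
        conv, cmd, frg, wnd, ts, sn, una, length = KCP_HEADER.unpack_from(payload, offset)
        if cmd not in KCP_CMDS:
            return None
        offset += KCP_HEADER.size
        if length > len(payload) - offset:   # declared data must fit in the datagram
            return None
        segments.append({"conv": conv, "cmd": KCP_CMDS[cmd], "frg": frg, "wnd": wnd,
                         "ts": ts, "sn": sn, "una": una, "len": length})
        offset += length
    if offset != len(payload) or not segments:  # trailing bytes or nothing parsed
        return None
    return segments


def score_udp_flow(datagrams, min_segments=4):
    """Heuristic: True if the one-directional flow looks like a KCP session."""
    conv = None
    last_push_sn = -1
    total = 0
    for dgram in datagrams:
        segments = parse_kcp_datagram(dgram)
        if segments is None:
            return False
        for seg in segments:
            if conv is None:
                conv = seg["conv"]
            elif seg["conv"] != conv:          # one session, one conversation id
                return False
            if seg["cmd"] == "PUSH":
                if seg["sn"] <= last_push_sn:  # data segments must advance sn
                    return False
                last_push_sn = seg["sn"]
            total += 1
    return total >= min_segments


def build_kcp_segment(conv, cmd, sn, data=b"", frg=0, wnd=128, ts=0, una=0):
    """Pack one KCP segment; used only to construct sample traffic below."""
    return KCP_HEADER.pack(conv, cmd, frg, wnd, ts, sn, una, len(data)) + data


# Constructed sample flows (not captured traffic): five PUSH segments plus an ACK,
# and three datagrams of unrelated bytes.
KCP_FLOW = [build_kcp_segment(0x11223344, 81, sn, b"x" * (10 + sn), ts=100 * sn)
            for sn in range(5)]
KCP_FLOW.append(build_kcp_segment(0x11223344, 82, 0, una=5))
NOISE_FLOW = [b"\x00" * 30, b"GET / HTTP/1.1\r\n", bytes(range(40))]

if __name__ == "__main__":
    print("kcp-like flow  :", score_udp_flow(KCP_FLOW))    # True
    print("noise flow     :", score_udp_flow(NOISE_FLOW))  # False
```

Run on real captures, a check like this only raises a candidate flow for analyst review; a sender can pad or rewrite the header, which is exactly why Netresec's approach leans on traffic statistics rather than field layout.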

Fortinet reported on phishing campaigns targeting Ukrainian organizations using SVG files that masquerade as official police notices. These campaigns deliver Amatera Stealer and PureMiner malware through fileless attack techniques, leveraging trusted government imagery to bypass detection.
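As an added example, not code from Fortinet or from the campaign write-up: a small triage scanner for SVG attachments that flags the active-content features an image file has no reason to carry (script and foreignObject elements, on* event-handler attributes, javascript: and data: hrefs). The two SVG documents are constructed for the example and are not samples from the Ukrainian campaign; the indicator list is generic to SVG, not specific to Amatera Stealer or PureMiner.

```python
import xml.etree.ElementTree as ET

# Constructed samples, not real campaign files: a plain drawing and an SVG that
# carries a script element, an onload handler, a data: image and a javascript: link.
BENIGN_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">
  <rect width="100" height="100" fill="blue"/>
</svg>"""

SUSPICIOUS_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     onload="init()">
  <image xlink:href="data:image/png;base64,iVBORw0KGgo=" width="10" height="10"/>
  <script type="text/javascript">/* placeholder, not a payload */</script>
  <a xlink:href="javascript:void(0)"><text x="10" y="20">Open notice</text></a>
</svg>"""

ACTIVE_ELEMENTS = {"script", "foreignObject"}


def _local(name):
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1] if "}" in name else name


def scan_svg(data):
    """Return a list of indicator strings found in the SVG; empty means nothing flagged."""
    findings = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"parse-error:{exc}"]        # malformed XML is itself worth a look
    for element in root.iter():
        if not isinstance(element.tag, str):  # skip comments / processing instructions
            continue
        tag = _local(element.tag)
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"element:{tag}")
        for attr, value in element.attrib.items():
            name = _local(attr)
            if name.lower().startswith("on"):             # onload, onclick, ...
                findings.append(f"event-handler:{name}")
            elif name == "href":
                target = value.strip().lower()
                if target.startswith("javascript:"):
                    findings.append(f"javascript-uri:{tag}")
                elif target.startswith("data:"):
                    findings.append(f"data-uri:{tag}")
    return findings


def is_suspicious(data):
    return bool(scan_svg(data))


if __name__ == "__main__":
    print("benign     :", scan_svg(BENIGN_SVG))       # []
    print("suspicious :", scan_svg(SUSPICIOUS_SVG))
```

A mail gateway or EDR rule built on this logic should treat any hit as a reason to quarantine for review rather than as a conviction: legitimate SVGs occasionally embed data: images, while the script and event-handler indicators are the ones that almost never belong in a notice sent as an attachment.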

Malware.

Blackpoint Cyber documented threat actors distributing Oyster malware through fake Microsoft Teams installers. The campaign uses SEO poisoning and malvertising techniques to manipulate search results and trick users into downloading malicious software disguised as legitimate applications.

Outpost24 analyzed Olymp Loader, a new Malware-as-a-Service platform that has been marketed on underground forums since June 2025. The service offers built-in stealer modules for browsers, Telegram, and crypto wallets while being advertised as fully undetectable. This lowers the barrier to entry for cybercriminals by providing ready-to-use malware capabilities.

Vulnerabilities.

Censys published analysis of CVE-2025-20352, an SNMP vulnerability in Cisco IOS and IOS XE software that allows remote code execution through a stack overflow. Cisco has confirmed active in-the-wild exploitation following credential compromise, and Censys counts 192,038 internet-accessible devices as potentially affected. Organizations should prioritize identifying exposed SNMP services on Cisco devices and apply the available patches.

Tools.

GitHub announced OmniProx, a multi-cloud HTTP proxy management tool that enables IP rotation across Azure, GCP, Cloudflare, and Alibaba Cloud platforms. While designed for legitimate testing purposes, this tool could be used by malicious actors to evade IP-based detection and geographic restrictions during reconnaissance activities.

Labs published research on automating forensic investigations of VHDX files in Virtual Desktop Infrastructure environments using Velociraptor. The approach enables incident responders to efficiently analyze user profile data containing valuable forensic artifacts without compromising forensic integrity.
