Good morning. This is your security briefing for Tuesday, September 30, 2025, covering seven critical developments in the threat landscape. All attribution is by the article authors, and all article analysis is automated.
Palo Alto Networks Unit 42 researchers have identified Phantom Taurus, a previously undocumented Chinese nation-state APT group conducting espionage operations against government and telecommunications organizations across Africa, the Middle East, and Asia. The group has been active for two and a half years, targeting ministries of foreign affairs, embassies, and military operations using a newly discovered custom malware suite called NET-STAR.
Elastic Security Labs researchers have detailed FlipSwitch, a novel syscall hooking technique that bypasses security changes introduced in Linux kernel 6.9. The technique circumvents fundamental changes to the x86-64 syscall dispatch mechanism and represents an evolution in kernel-level defense evasion tactics for Linux rootkits.
Research from diversenok examines Windows image load callback mechanisms and the security assumptions underlying them that can be exploited. The article analyzes the defensive callbacks used to monitor DLL loading and explores techniques that bypass this monitoring.
A security researcher demonstrates using EMBER2024, an updated machine learning dataset and model for malware classification, to evaluate red team implants through static binary analysis. The research focuses on extracting PE file features to understand what makes malware detectable and how to improve evasion capabilities.
Trend Research reports that the LockBit ransomware group has released version 5.0 with variants targeting Windows, Linux, and ESXi systems. The new version features advanced obfuscation, DLL reflective loading, and anti-analysis techniques, and specifically targets VMware virtualization infrastructure, representing a significant technical advancement following last February's Operation Cronos law enforcement disruption.
Akira ransomware threat actors are conducting aggressive campaigns targeting SonicWall VPN devices, successfully authenticating with compromised accounts and deploying ransomware within an hour or less. The attacks demonstrate a smash-and-grab approach with rapid exploitation and encryption timelines.
The National Cyber Security Centre has published guidance emphasizing that understanding Operational Technology environments is the foundational step for improving cybersecurity in industrial control systems. This guidance supports organizations operating critical infrastructure and industrial systems in properly assessing and mapping their OT infrastructure before implementing security controls.