Zero-click exploit in AI agents allows full enterprise compromise
Summary
Research presented at Black Hat USA 2025 revealed a zero-click exploit targeting AI agents integrated into enterprise environments. The exploit allows attackers to gain full control over AI agents using only a user's email address. This enables access to sensitive data and manipulation of users through what appear to be trusted AI advisers. The exploit affects major AI assistants from Microsoft, Google, OpenAI, Salesforce, and others. The underlying issue is the extensive access granted to AI agents within enterprise environments, which can be exploited to perform malicious actions. Current security measures focusing on prompt injection have proven ineffective, highlighting the need for defense-in-depth strategies and dedicated security programs for managing AI-related risks.
Timeline
- 19.08.2025 22:02 (1 article): Zero-click exploit in AI agents allows full enterprise compromise
- Source: AI Agents Access Everything, Fall to Zero-Click Exploit (www.darkreading.com, 19.08.2025 22:02)
Information Snippets
- AI agents integrated into enterprise environments can access emails, documents, calendars, and perform actions on behalf of users. (First reported 19.08.2025 22:02; 1 source, 1 article.)
- A zero-click exploit allows attackers to take over AI agents using only a user's email address. (First reported 19.08.2025 22:02; 1 source, 1 article.)
- The exploit affects major AI assistants from Microsoft, Google, OpenAI, Salesforce, and others. (First reported 19.08.2025 22:02; 1 source, 1 article.)
- Current security measures focusing on prompt injection have been ineffective. (First reported 19.08.2025 22:02; 1 source, 1 article.)
- AI systems rely on soft boundaries rather than defense-in-depth strategies. (First reported 19.08.2025 22:02; 1 source, 1 article.)
- Organizations must create dedicated security programs to manage ongoing risks associated with AI agents. (First reported 19.08.2025 22:02; 1 source, 1 article.)
Similar Happenings
MostereRAT Malware Campaign Targets Japanese Windows Users
A new malware campaign involving MostereRAT, a banking malware-turned-remote access Trojan (RAT), has been identified. This campaign uses sophisticated evasion techniques, including the use of an obscure programming language, disabling of security tools, and mutual TLS (mTLS) for command-and-control communications to maintain long-term access to compromised systems. The malware targets Microsoft Windows users in Japan, deploying through phishing emails and weaponized Word documents. MostereRAT's capabilities include persistence, privilege escalation, AV evasion, and remote access tool deployment. The campaign highlights the importance of removing local administrator privileges and blocking unapproved remote access tools. The malware's design reflects long-term, strategic, and flexible objectives, with capabilities to extend functionality, deploy additional payloads, and apply evasion techniques. These features point to an intent to maintain persistent control over compromised systems, maximize the utility of victim resources, and retain ongoing access to valuable data.
Malicious link spreading via Grok AI on X
Threat actors are exploiting X's Grok AI to bypass link posting restrictions and spread malicious links. They hide links in the 'From:' metadata field of video ads, which Grok then reveals when queried, boosting the links' credibility and reach. This technique, dubbed 'Grokking,' leads users to various scams and malware. The abuse leverages Grok's trusted status on X, amplifying the reach of malicious ads to millions of users. Potential solutions include scanning all fields, blocking hidden links, and enhancing Grok's context sanitization to filter and check links against blocklists. The technique involves using adult content as bait to attract users. The links direct users to sketchy ad networks, pushing fake CAPTCHA scams, information-stealing malware, and other suspicious content. The domains are part of the same Traffic Distribution System (TDS). Hundreds of accounts have been engaging in this behavior over the past few days, posting non-stop until they get suspended. Grok's internal security mechanisms are less robust compared to its competitors, making it vulnerable to prompt injection attempts. X's Grok 4 model lacks fine-tuning for security and safety, prioritizing performance over security.
APT28 Exploits Microsoft Outlook with NotDoor Backdoor Malware
APT28, a Russian state-sponsored threat group, has been using a new backdoor malware called NotDoor to target Microsoft Outlook. NotDoor leverages Outlook as a covert communication, data exfiltration, and malware delivery channel. The malware is deployed via a legitimate signed binary, Microsoft's OneDrive.exe, which is vulnerable to DLL sideloading. The backdoor is triggered by specific strings in incoming emails, allowing attackers to execute commands, exfiltrate data, and upload files. NotDoor illustrates APT28's continued evolution in bypassing established defense mechanisms. The malware has been observed targeting multiple companies from different sectors in NATO member countries. NotDoor is designed as an obfuscated Visual Basic for Applications (VBA) project for Outlook that makes use of the Application.MAPILogonComplete and Application.NewMailEx events to run the payload every time Outlook is started or a new email arrives. The malware supports four different commands: cmd, cmdno, dwn, and upl. Files exfiltrated by the malware are saved in the folder, encoded using the malware's custom encryption, sent via email, and then deleted from the system. The attacks are notable for the abuse of Microsoft Dev Tunnels (devtunnels.ms) as C2 domains for added stealth. Attack chains entail the use of bogus Cloudflare Workers domains to distribute a Visual Basic Script like PteroLNK, which can propagate the infection to other machines by copying itself to connected USB drives, as well as download additional payloads.
Active Exploitation of FreePBX Zero-Day Vulnerability CVE-2025-57819
A zero-day vulnerability in FreePBX, identified as CVE-2025-57819, is being actively exploited. The flaw allows unauthenticated access to the FreePBX Administrator, leading to arbitrary database manipulation and remote code execution. The vulnerability affects specific versions of FreePBX, and exploitation began on or before August 21, 2025. Sangoma has released emergency patches for the vulnerability. Users are advised to update to the latest versions, restrict public access to the administrator control panel, and follow additional security recommendations. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-57819 to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply patches by September 19, 2025.
Malicious nx Packages Exfiltrate 2,349 GitHub, Cloud, and AI Credentials
A supply chain attack on the nx build system allowed attackers to publish malicious versions of the popular npm package and auxiliary plugins. These versions contained data-gathering capabilities that exfiltrated 2,349 credentials from GitHub, cloud, and AI services. The attack occurred on August 26, 2025, affecting multiple versions of the nx package and related plugins. The compromised packages were removed from the npm registry, and users were advised to rotate credentials and check for malicious modifications in their systems. The malicious packages scanned file systems, collected credentials, and posted them to GitHub repositories under the users' accounts. The attack exploited a vulnerable workflow introduced on August 21, 2025, which allowed arbitrary command execution with elevated permissions. The attack took approximately four hours from start to finish, resulting in the exfiltration of around 20,000 sensitive files. The attackers used AI-powered CLI tools to dynamically scan for high-value secrets and modified shell startup files to crash the system when a terminal session was opened. A second attack wave was identified on August 28, 2025, affecting over 190 users/organizations and over 3,000 repositories. The second wave involved making private repositories public and creating forks to preserve data. The attack unfolded in three distinct phases affecting 2,180 accounts and 7,200 repositories. The first phase impacted 1,700 users and leaked over 2,000 unique secrets. The second phase compromised 480 accounts and exposed 6,700 private repositories. The third phase targeted a single organization, publishing an additional 500 private repositories.