Malicious Android Apps with 19M Installs Removed from Google Play
Summary
Seventy-seven Android apps with over 19 million combined installs were removed from Google Play for delivering several malware families: adware, Joker, Harly, maskware, and the Anatsa (TeaBot) banking trojan. Zscaler's ThreatLabz team found the apps while investigating a new infection wave. The apps used a range of evasion techniques to slip past review and steal sensitive information; Google has since removed them from the Play Store. Anatsa has expanded its target list to 831 banking and cryptocurrency apps, including new regions, and its operators rely on decoy apps and advanced evasion techniques to avoid detection.
Timeline
- 25.08.2025 19:37 (1 article)
Malicious Android Apps with 19M Installs Removed from Google Play
Source:
- Malicious Android apps with 19M installs removed from Google Play, www.bleepingcomputer.com, 25.08.2025 19:37
Information Snippets
- Seventy-seven malicious Android apps with over 19 million installs were removed from Google Play.
- The apps delivered adware, Joker, Harly, and maskware.
- The Joker malware can read and send text messages, take screenshots, make phone calls, and steal contact lists.
- Maskware disguises itself as a legitimate app to steal credentials, banking information, and other sensitive data.
- Harly, a Joker variant, hides its malicious payload deeper in the code to avoid detection.
- The Anatsa trojan has expanded its targeting scope to 831 banking and cryptocurrency apps.
- Anatsa uses a decoy app named 'Document Reader – File Manager' to evade Google Play's app review.
- Anatsa evades analysis with malformed APK archives, runtime DES-based string decryption, and emulator detection.
- Anatsa abuses Android's Accessibility Service to grant itself extensive privileges without user interaction.
- Anatsa fetches phishing overlay pages for the 831 targeted apps, a list that now includes Germany and South Korea, and carries a keylogger module.
- Google removed all the malicious apps from the Play Store following Zscaler's report.
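The malformed-APK and Accessibility snippets above describe traits a triage script can check statically before any dynamic analysis. The following is an added example, not code from the Zscaler report or the source article: it walks an APK's ZIP structure for places where the central directory and the local file headers disagree (duplicate entry names, local records that no directory entry references) and byte-searches the manifest for the BIND_ACCESSIBILITY_SERVICE permission in both encodings an AXML string pool can use. The two APKs it inspects are constructed in-memory stand-ins; nothing here reproduces Anatsa's actual archive malformation, which the article does not detail.

```python
"""Static APK triage for the evasion traits described above: a ZIP layout that
analysis tools and the Android runtime may read differently, and a manifest that
declares an Accessibility service. Added example; the APKs are constructed stand-ins."""
import io
import struct
import warnings
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"
EOCD_SIG = b"PK\x05\x06"
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def walk_local_headers(data: bytes):
    """Yield the name of every local file record by following the sizes in the
    headers themselves, ignoring the central directory that most tools trust."""
    off = 0
    while data.startswith(LOCAL_SIG, off):
        # version, flags, method, mtime, mdate, crc, csize, usize, name_len, extra_len
        fields = struct.unpack_from("<HHHHHIIIHH", data, off + 4)
        flags, csize, nlen, xlen = fields[1], fields[6], fields[8], fields[9]
        yield data[off + 30:off + 30 + nlen].decode("utf-8", "replace")
        if flags & 0x08:  # sizes live in a trailing data descriptor; stop walking
            return
        off += 30 + nlen + xlen + csize


def declares_accessibility_service(zf: zipfile.ZipFile) -> bool:
    """AXML string pools are UTF-16LE or UTF-8, so a byte search in both encodings
    catches the permission without a full binary-XML parser."""
    try:
        manifest = zf.read("AndroidManifest.xml")
    except KeyError:
        return False
    return (ACCESSIBILITY_PERMISSION.encode("utf-8") in manifest
            or ACCESSIBILITY_PERMISSION.encode("utf-16-le") in manifest)


def triage_apk(data: bytes) -> dict:
    """Return the central-directory entry count and a list of findings."""
    findings = []
    zf = zipfile.ZipFile(io.BytesIO(data))
    infos = zf.infolist()
    names = [i.filename for i in infos]
    dups = sorted({n for n in names if names.count(n) > 1})
    if dups:  # two parsers may pick different copies of the same name
        findings.append("duplicate central-directory entries: " + ", ".join(dups))
    for i in infos:  # every directory entry must point at a local header of the same name
        if not data.startswith(LOCAL_SIG, i.header_offset):
            findings.append(f"{i.filename}: offset does not point at a local header")
            continue
        nlen = struct.unpack_from("<H", data, i.header_offset + 26)[0]
        local_name = data[i.header_offset + 30:i.header_offset + 30 + nlen].decode("utf-8", "replace")
        if local_name != i.filename:
            findings.append(f"{i.filename}: local header is named {local_name!r}")
    hidden = sorted(set(walk_local_headers(data)) - set(names))
    if hidden:  # invisible to any tool that enumerates only the central directory
        findings.append("local records absent from central directory: " + ", ".join(hidden))
    if declares_accessibility_service(zf):
        findings.append("manifest declares an Accessibility service")
    return {"entries": len(infos), "findings": findings}


def build_sample_apk(accessibility: bool, duplicate_dex: bool) -> bytes:
    """Constructed stand-in for an APK. The manifest is UTF-16LE text here; a real
    one is binary AXML, whose string pool the search above also covers."""
    service = (f'<service android:name=".Svc" android:permission="{ACCESSIBILITY_PERMISSION}"/>'
               if accessibility else '<service android:name=".Svc"/>')
    manifest = f"<manifest>{service}</manifest>".encode("utf-16-le")
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns on duplicate names; here that is intended
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("AndroidManifest.xml", manifest)
            zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)
            if duplicate_dex:  # second entry with the same name but different bytes
                zf.writestr("classes.dex", b"dex\n035\x00" + b"\xff" * 32)
            zf.writestr("res/layout/main.xml", b"<LinearLayout/>")
    return buf.getvalue()


def splice_hidden_entry(apk: bytes, name: str, payload: bytes) -> bytes:
    """Insert a stored local record that no central-directory entry references,
    then fix the end-of-central-directory offset so the archive still parses."""
    eocd = apk.rfind(EOCD_SIG)
    cd_off = struct.unpack_from("<I", apk, eocd + 16)[0]
    n = name.encode("utf-8")
    record = struct.pack("<4sHHHHHIIIHH", LOCAL_SIG, 20, 0, 0, 0, 0,
                         zlib.crc32(payload), len(payload), len(payload), len(n), 0) + n + payload
    out = bytearray(apk[:cd_off] + record + apk[cd_off:])
    struct.pack_into("<I", out, eocd + len(record) + 16, cd_off + len(record))
    return bytes(out)


if __name__ == "__main__":
    print(triage_apk(build_sample_apk(False, False)))
    shady = splice_hidden_entry(build_sample_apk(True, True), "assets/stage2.bin", b"\x00" * 16)
    print(triage_apk(shady))
```

The point of walking local headers separately from the central directory is that the two are independent indexes into the same file: a scanner that enumerates only the directory never sees a spliced record, and when a name appears twice, one parser may take the first copy and another the last. Any disagreement between the two views is reason to send the sample for manual review rather than trust a clean static verdict. The Accessibility check is a coarse heuristic; a legitimate accessibility app trips it too, so treat it as a prioritisation signal, not a verdict.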
Similar Happenings
SVG Files Used to Deploy Phishing Pages in Colombian Judicial System Impersonation Campaign
A malware campaign leveraging SVG files to deploy Base64-encoded phishing pages impersonating the Colombian judicial system has been identified. The SVG files, distributed via email, execute embedded JavaScript to inject phishing pages and download ZIP archives. The campaign involves 523 unique SVG files that have evaded detection by antivirus engines; the earliest sample dates back to August 14, 2025. The campaign illustrates how threat actors bend benign file formats to bypass security controls. The same reporting also covers broader trends in threats to macOS users and gamers, including information stealers such as Atomic macOS Stealer (AMOS).
APT28 deploys NotDoor backdoor via Microsoft Outlook
APT28, a Russian state-sponsored threat group, has been using a new backdoor called NotDoor that turns Microsoft Outlook into a covert communication, data-exfiltration, and malware-delivery channel. NotDoor is a VBA macro that monitors incoming emails for specific trigger words; when triggered, it lets attackers exfiltrate data, upload files, and execute commands on the victim's computer. It is delivered by DLL sideloading through a legitimate signed binary, Microsoft's OneDrive.exe. The backdoor was identified by researchers from Lab52, the threat intelligence arm of Spanish cybersecurity firm S2 Grupo. The malware has been deployed against companies in NATO member countries, using advanced techniques to evade detection and maintain persistence. NotDoor supports multiple commands for data exfiltration and file uploads, and uses Base64-encoded PowerShell commands for various operations. The malware creates a staging folder in the %TEMP% directory to store files, encodes them with custom encryption, and exfiltrates them via email. APT28's attacks involve the abuse of Microsoft Dev Tunnels for C2 infrastructure, providing stealth and rapid infrastructure rotation. The attack chain includes the use of bogus Cloudflare Workers domains to distribute additional payloads, demonstrating a high level of specialized design and obfuscation.
WhatsApp Zero-Day Exploited in Targeted Spyware Campaign
A zero-day vulnerability in WhatsApp (CVE-2025-55177) was exploited in targeted attacks against fewer than 200 users. The flaw let an unrelated user trigger the processing of content from an arbitrary URL on a target's device, and it was chained with a separate Apple vulnerability (CVE-2025-43300) affecting iOS, iPadOS, and macOS to deploy spyware. WhatsApp patched the flaw in its iOS and macOS apps and sent in-app threat notifications to affected users. Apple has sent multiple threat notifications since 2021, alerting users in over 150 countries about such attacks, and has introduced Memory Integrity Enforcement (MIE) in its latest iPhone models to combat memory-corruption vulnerabilities. The spyware market has seen an increase in U.S. investors and new entities in various countries.
TamperedChef Malware Campaign Targets Users via Malvertising
A cybercrime campaign has been identified, using malvertising to deliver a new information stealer called TamperedChef. The malware is disguised as a free PDF editor, AppSuite PDF Editor, and is distributed through fraudulent websites promoted via Google ads. Once installed, TamperedChef steals sensitive data, including credentials and web cookies. The campaign began on June 26, 2025, with malicious capabilities activated on August 21, 2025. The malware operates as a backdoor, supporting various features for data exfiltration and system manipulation. The campaign leverages multiple bogus sites and Google advertising campaigns to distribute the trojanized PDF editor. The malware sets up persistence on the host system and communicates with a command-and-control (C2) server to execute various malicious actions. The campaign's timeline suggests a strategic approach to maximize downloads before activating malicious features. The campaign is part of a larger operation involving multiple apps that can download each other, some of them tricking users into enrolling their system into residential proxies. More than 50 domains have been identified to host deceiving apps signed with fraudulent certificates issued by at least four different companies. The threat actor used at least 5 different Google campaign IDs, suggesting a widespread campaign.
Salesloft OAuth breach exposes Salesforce customer data via Drift AI chat agent
A threat actor, UNC6395, exploited OAuth tokens associated with the Drift AI chat agent to breach Salesloft and access customer data across multiple integrations, including Salesforce, Google Workspace, and others. The breach occurred between August 8 and 18, 2025, affecting over 700 organizations, including Zscaler, Palo Alto Networks, Cloudflare, Google Workspace, PagerDuty, Proofpoint, SpyCloud, and Tanium. The attackers targeted Salesforce instances and accessed email from a small number of Google Workspace accounts, exporting large volumes of data, including credentials and access tokens. Salesloft and Salesforce have taken steps to mitigate the breach and are advising affected customers to revoke API keys and rotate credentials. Salesloft will temporarily take Drift offline to enhance security. UNC6395 demonstrated operational security awareness by deleting query jobs, indicating a sophisticated approach. The breach highlights the risks of third-party integrations and the potential for supply chain attacks. The breach is unrelated to previous vishing attacks attributed to ShinyHunters. UNC6395 systematically exported large volumes of data from numerous corporate Salesforce instances, searching for secrets that could be used to compromise victim environments. The campaign is not limited to Salesforce customers who integrate their own solutions with the Salesforce service; it impacts all integrations using Salesloft Drift. There is no evidence that the breaches directly impacted Google Cloud customers. Organizations are urged to review all third-party integrations connected to their Drift instance, revoke and rotate credentials for those applications, and investigate all connected systems for signs of unauthorized access. The blast radius of the Salesloft Drift attacks remains uncertain, with the ultimate scope and severity still unclear. 
Numerous companies have disclosed downstream breaches resulting from this campaign, including Zscaler, Palo Alto Networks, Proofpoint, Cloudflare, and Tenable. Zscaler and Palo Alto Networks warned of potential social engineering attacks resulting from the campaign. Cloudflare confirmed that some customer support interactions may reveal information about a customer's configuration and could contain sensitive information like access tokens. Okta successfully prevented a breach of its Salesforce instance by enforcing inbound IP restrictions, securing tokens with DPoP, and using the IPSIE framework. Okta recommends that organizations demand IPSIE integration from application vendors and implement an identity security fabric unified across applications. Palo Alto Networks' Unit 42 recommends conducting an immediate log review for signs of compromise and rotating exposed credentials. The breach started with the compromise of Salesloft's GitHub account between March and June 2025. UNC6395 accessed the Salesloft GitHub account and downloaded content from multiple repositories, added a guest user, and established workflows. Reconnaissance activities occurred between March 2025 and June 2025 in the Salesloft and Drift application environments. Salesloft isolated the Drift infrastructure, application, and code, and took the application offline on September 5, 2025. Salesloft rotated credentials in the Salesloft environment and hardened the environment with improved segmentation controls between Salesloft and Drift applications. Salesforce restored the integration with the Salesloft platform on September 7, 2025, but Drift remains disabled. 22 companies have confirmed they were impacted by the supply chain breach. ShinyHunters and Scattered Spider were also involved in the Salesloft Drift attacks.