Lab-Dookhtegan hacktivists disrupt Iranian maritime communications

Kazakhstan's state-owned oil and gas company KazMunayGas conducted a phishing test in May 2025, which was initially misinterpreted as a cyber espionage campaign by a new threat group named Noisy Bear. The test involved phishing emails targeting KazMunayGas employees with fake documents related to internal communications and policy updates. The phishing emails were sent from a compromised internal email address and included a ZIP attachment with a Windows shortcut (LNK) downloader, a decoy document, and a README.txt file with instructions. The campaign was designed to mimic official internal communications and included themes such as policy updates, internal certification procedures, and salary adjustments. The phishing test was conducted to train employees on identifying and responding to phishing attempts. However, it was mistakenly reported as a cyber espionage campaign by Seqrite Labs, which attributed the activity to a new threat group tracked as Noisy Bear. The threat actor was believed to be of Russian origin and had been active since at least April 2025. The misinterpretation led to speculation about the involvement of a new threat group and the use of sophisticated malware, including a PowerShell loader dubbed DOWNSHELL and a DLL-based implant. The threat actor used a compromised email address belonging to a KazMunayGas finance department employee to send phishing emails. The phishing emails impersonated mundane company business, including reviewing work schedules, incentive systems, and wages. The phishing emails contained a ZIP file with a decoy document and a shortcut (LNK) file named "Salary Schedule.lnk." The LNK file downloaded a batch script, which retrieved the attackers' PowerShell loader named DownShell. DownShell consists of two scripts: one for anti-analysis by undermining the Windows Antimalware Scan Interface (AMSI), and another for CreateRemoteThread Injection to establish a reverse shell. Noisy Bear used a sanctioned Russian bulletproof hosting provider, Aeza Group, to maintain its infrastructure. The threat activity carries geopolitical implications, targeting Kazakhstan's largest oil and gas company, which is state-owned and a significant economic entity. Seqrite Labs found infrastructure and tooling overlaps across other Central Asian attacks, indicating a broader campaign. The incident highlights the importance of clear communication and coordination between cybersecurity researchers and organizations to avoid misinterpretations and ensure accurate reporting of cyber threats.

Jaguar Land Rover (JLR) experienced a cyberattack that severely disrupted its production and retail operations. The incident forced the company to shut down several systems over the weekend, including those at the Solihull plant. Customer data appears to have been affected. JLR is working to restore operations but has not provided a timeline or details about the attack. The attack occurred during the launch of new registration plates, a busy period for JLR. This is the second cyberattack JLR has suffered this year. The incident had a global impact, affecting multiple manufacturing plants in the UK. No ransomware group has officially claimed responsibility, but a group called "Scattered Lapsus$ Hunters" has claimed involvement. JLR operates under Tata Motors India and produces over 400,000 vehicles annually, employing 39,000 people.

A supply chain attack on the nx build system compromised multiple npm packages, leading to the exfiltration of 2,349 GitHub, cloud, and AI credentials. The attack unfolded in three distinct phases, impacting 2,180 accounts and 7,200 repositories. The attack exploited a vulnerable workflow in the nx repository to publish malicious versions of the nx package and supporting plugins. The compromised packages scanned file systems for credentials and sent them to attacker-controlled GitHub repositories. The attack impacted over 1,346 repositories and affected Linux and macOS systems. The nx maintainers identified the root cause as a vulnerable workflow added on August 21, 2025, that allowed for the injection of executable code via a pull request title. The malicious packages were published on August 26, 2025, and have since been removed from the npm registry. The attackers leveraged the GITHUB_TOKEN to trigger the publish workflow and exfiltrate the npm token. The malicious postinstall script scanned systems for text files, collected credentials, and sent them to publicly accessible GitHub repositories. The script also modified .zshrc and .bashrc files to shut down the machine immediately upon user interaction. The nx maintainers have rotated npm and GitHub tokens, audited activities, and updated publish access to require two-factor authentication. Wiz researchers identified a second attack wave impacting over 190 users/organizations and over 3,000 repositories. The second wave involved making private repositories public and creating forks to preserve data. GitGuardian's analysis revealed that 33% of compromised systems had at least one LLM client installed, and 85% were running Apple macOS. The attack took approximately four hours from start to finish. AI-powered CLI tools were used to dynamically scan for high-value secrets. The malware created public repositories on GitHub to store stolen data. The attack impacted over 1,000 developers, exfiltrating around 20,000 sensitive files. The malware modified shell startup files to crash systems upon terminal access. The attack was detected by multiple cybersecurity vendors. The malicious packages were removed from npm at 2:44 a.m. UTC on August 27, 2025. GitHub disabled all singularity-repository instances by 9 a.m. UTC on August 27, 2025. Around 90% of leaked GitHub tokens remain active as of August 28, 2025.

Threat actors are increasingly using social engineering tactics to bypass traditional security measures. They target help desks to gain unauthorized access to networks through MFA resets and password overrides. This approach exploits human vulnerabilities and organizational weaknesses, bypassing technical defenses. The FBI has highlighted groups like Scattered Spider as prominent actors in these campaigns. In August 2023, Scattered Spider targeted Clorox, resulting in approximately $380 million in damages. The attack involved repeated phone calls to the service desk, obtaining resets without meaningful verification, and quickly gaining domain-admin access. The incident underscores the need for robust verification processes and effective communication between help desks and security teams. Organizations must rethink their help desk operations and training to mitigate these risks. Frontline staff need to recognize red flags and escalate suspicious requests. Cultural changes are necessary to prioritize security over speed, and ongoing, relevant training is essential. Effective communication between help desks and security teams can enhance detection and response to social engineering attempts.