
SentinelOne Recognized as Leader in Gartner Magic Quadrant for Endpoint Protection Platforms

📰 1 unique source, 1 article

Summary


SentinelOne has been named a Leader in the 2025 Gartner Magic Quadrant for Endpoint Protection Platforms for the fifth consecutive year. The recognition cites the Singularity Platform's AI-driven capabilities, including real-time, autonomous protection across the enterprise. The platform covers a range of devices, operating systems, and cloud environments, and its features include AI-based threat detection, automated remediation, and integration with existing security tooling. SentinelOne positions it for industries with stringent security requirements, such as healthcare and finance, where operational continuity and fast containment of threats are critical. SentinelOne reports that its customers detect threats 63% faster, reduce mean time to respond (MTTR) by 55%, and lower the likelihood of security incidents by 60%; these figures come from the vendor, not from the Gartner evaluation.

Timeline

  1. 26.08.2025 13:47 📰 1 article

    SentinelOne Named Leader in Gartner Magic Quadrant for Endpoint Protection Platforms

    SentinelOne has been recognized as a Leader in the 2025 Gartner Magic Quadrant for Endpoint Protection Platforms for the fifth consecutive year. The Singularity Platform's AI-driven capabilities provide real-time, autonomous protection across the enterprise, spanning a range of devices, operating systems, and cloud environments. SentinelOne reports significant improvements in threat detection and response times for its customers, particularly in industries with stringent security requirements.



Similar Happenings

AI-Driven Ransomware Strain PromptLock Discovered

ESET researchers have identified a new ransomware strain named PromptLock that uses a large language model to generate its malicious scripts at run time, which makes static detection harder. Written in Go and targeting Windows, Linux, and macOS, it calls the gpt-oss:20b open-weight model from OpenAI through the Ollama API, feeding hard-coded prompts that produce Lua scripts to enumerate the local filesystem, inspect target files, exfiltrate selected data, and perform encryption. It can also generate a custom ransom note based on the type of infected machine, and it locks files with the SPECK 128-bit block cipher; a file-destruction capability is referenced but does not appear to be implemented yet. The Bitcoin address embedded in the sample appears to be one belonging to Satoshi Nakamoto. PromptLock has not been observed in active attacks and is assessed to be a proof-of-concept (PoC) still in development rather than fully operational malware.
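The cipher named above, as an added example that is not PromptLock's code and not ESET's: a from-scratch Speck128/128 (128-bit block, 128-bit key) with the published specification test vector, plus a CTR-mode wrapper to show that a bare block cipher only becomes a file locker once a mode and a nonce convention are chosen. The key/nonce byte layout in `encrypt_ctr` is this example's own convention, not the sample's, and the plaintext in the usage is constructed.

```python
# Added example: Speck128/128 block cipher (ARX: 64-bit add, rotate, xor),
# the primitive ESET reports PromptLock using to lock files. Round count,
# rotation amounts and the test vector come from the Simon/Speck spec;
# nothing here is taken from the malware sample.

MASK64 = (1 << 64) - 1
ROUNDS = 32  # Speck128/128 uses 32 rounds


def ror(x: int, r: int) -> int:
    """Rotate a 64-bit word right by r bits."""
    return ((x >> r) | (x << (64 - r))) & MASK64


def rol(x: int, r: int) -> int:
    """Rotate a 64-bit word left by r bits."""
    return ((x << r) | (x >> (64 - r))) & MASK64


def expand_key(k1: int, k0: int) -> list[int]:
    """Derive the 32 round keys from a 128-bit key given as two 64-bit words.

    k1 is the high word (written first in the spec's test vectors), k0 the low
    word. The schedule reuses the round function with the round index as key.
    """
    a, b = k1, k0
    round_keys = [b]
    for i in range(ROUNDS - 1):
        a = ((ror(a, 8) + b) & MASK64) ^ i
        b = rol(b, 3) ^ a
        round_keys.append(b)
    return round_keys


def encrypt_block(x: int, y: int, round_keys: list[int]) -> tuple[int, int]:
    """Encrypt one 128-bit block held as two 64-bit words (x high, y low)."""
    for k in round_keys:
        x = ((ror(x, 8) + y) & MASK64) ^ k
        y = rol(y, 3) ^ x
    return x, y


def decrypt_block(x: int, y: int, round_keys: list[int]) -> tuple[int, int]:
    """Invert encrypt_block: undo the xor, then the modular add, then the rotates."""
    for k in reversed(round_keys):
        y = ror(y ^ x, 3)
        x = rol(((x ^ k) - y) & MASK64, 8)
    return x, y


def encrypt_ctr(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt (or decrypt) arbitrary-length data with Speck128/128 in CTR mode.

    Convention assumed by this example: 16-byte key split big-endian into
    (k1, k0); 8-byte nonce becomes the high word of each counter block and the
    block counter the low word. CTR needs no padding and is its own inverse.
    """
    assert len(key) == 16 and len(nonce) == 8
    round_keys = expand_key(int.from_bytes(key[:8], "big"),
                            int.from_bytes(key[8:], "big"))
    nonce_word = int.from_bytes(nonce, "big")
    out = bytearray()
    for ctr, off in enumerate(range(0, len(data), 16)):
        cx, cy = encrypt_block(nonce_word, ctr, round_keys)
        keystream = cx.to_bytes(8, "big") + cy.to_bytes(8, "big")
        out += bytes(a ^ b for a, b in zip(data[off:off + 16], keystream))
    return bytes(out)


if __name__ == "__main__":
    # Specification test vector for Speck128/128.
    ks = expand_key(0x0F0E0D0C0B0A0908, 0x0706050403020100)
    ct = encrypt_block(0x6C61766975716520, 0x7469206564616D20, ks)
    print("block:", [hex(w) for w in ct])
    # Constructed plaintext for the CTR round trip.
    key, nonce = bytes(range(16)), b"\x00" * 8
    msg = b"constructed sample plaintext for the round trip"
    locked = encrypt_ctr(key, nonce, msg)
    print("round trip ok:", encrypt_ctr(key, nonce, locked) == msg)
```

The point for a responder is that Speck itself is not the weak link: recovery of files locked this way depends entirely on how the sample handles the key and nonce, which is where analysis effort should go.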

Chinese State-Sponsored Actors Compromise Global Critical Infrastructure Networks

Chinese state-sponsored Advanced Persistent Threat (APT) actors, including the group tracked as Salt Typhoon, have been running a sustained campaign to gain long-term access to critical infrastructure networks worldwide. The campaign targets telecommunications, transportation, lodging, and military networks, exploits vulnerabilities in routers, and takes deliberate steps to evade detection and keep persistent access. The Cybersecurity and Infrastructure Security Agency (CISA), together with the National Security Agency (NSA), the Federal Bureau of Investigation (FBI), and international partners, released a joint advisory describing this ongoing activity and how defenders can protect their own environments. The advisory builds on earlier reporting and incorporates threat intelligence from investigations conducted through August 2025; its indicators overlap with industry reporting on several Chinese state-sponsored groups, so the advisory attributes the cluster to multiple APTs that only partially overlap with Salt Typhoon. Salt Typhoon has been active since at least 2019 and has targeted at least 600 organizations, 200 of them in the U.S., across 80 countries. China's offensive cyber activity includes Salt Typhoon's large-scale telecommunications intrusions and positioning for potential destructive cyberattacks. Separately, 45 previously unreported domains associated with Salt Typhoon and UNC4841 have been identified, the oldest registered in May 2020.

The Czech Republic's National Cyber and Information Security Agency (NUKIB) issued a warning about data transfers to China, citing the transfer of system and user data to the PRC and the remote administration of technical assets from there. NUKIB rates the risk of significant disruption caused by China as 'High', meaning a high probability of occurrence, and has confirmed malicious activity by Chinese actors against the Czech Republic, including an APT31 campaign against the Czech Ministry of Foreign Affairs that began in 2022 and which the Czech government publicly attributed to China. NUKIB also warns that data held by Chinese private cloud providers, even on servers located in the Czech Republic, remains within reach of the Chinese government, and it lists devices from Chinese firms such as smartphones, IP cameras, electric cars, large language models, medical devices, and photovoltaic converters as risky because they can transfer potentially sensitive data to Chinese infrastructure.

Storm-0501 Ransomware Campaign Targets Hybrid Cloud Environments

A threat group tracked as Storm-0501 compromised hybrid cloud environments in a campaign against government, manufacturing, transportation, law enforcement, schools, and healthcare organizations. The group used compromised credentials and over-privileged accounts to move between on-premises and cloud environments, with the aim of generating revenue through a ransomware affiliate scheme. The incident highlights how hard it is to keep a consistent security posture across multicloud and hybrid-cloud estates: over 75% of companies use multiple cloud providers, which exposes high-value assets to attack, and the case underscores the need for unified security platforms and consistent policies to disrupt attack chains and restore visibility across environments.

Storm-0501 has deployed several ransomware-as-a-service (RaaS) strains, including Embargo, Hunters International, Hive, BlackCat/ALPHV, LockBit, and Sabbath. It has evolved from on-premises encryption to cloud-based impact: weak credentials provide lateral movement from on-premises into the cloud, followed by cloud privilege escalation and abuse of visibility gaps. Initial access comes through access brokers such as Storm-0249 and Storm-0900 and through exploitation of vulnerabilities in Zoho ManageEngine, Citrix NetScaler, and Adobe ColdFusion 2016. For lateral movement and credential extraction the group uses Evil-WinRM and DCSync; for privilege escalation it targets non-human synced identities (service accounts) that hold the Global Administrator role but have no MFA registered. With that role, Storm-0501 registers an attacker-owned Entra ID tenant as a trusted federated domain, a persistent backdoor that lets the rogue identity provider issue tokens for any user in the victim tenant, and after exfiltration it mass-deletes Azure resources to prevent data recovery. Microsoft has updated Entra ID and Entra Connect to mitigate these tactics and recommends enabling TPM on Entra Connect Sync servers.
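The two tenant conditions the campaign relies on, an unexpected federated domain and a Global Administrator without MFA, are both visible in Microsoft Graph. The following is an added example (not Microsoft's code and not taken from the Storm-0501 report) that runs the audit offline over constructed records shaped like the `GET /domains`, `GET /directoryRoles/{id}/members` and `GET /reports/authenticationMethods/userRegistrationDetails` responses; the tenant, domain names, object ids and UPNs are invented, and the allowlist of expected federated domains is an assumption about how an organisation would track its own federation configuration.

```python
# Added example: offline audit for the Entra ID conditions Storm-0501 abused.
# Records below are constructed to match Microsoft Graph response shapes;
# every name and id is invented for illustration.

from dataclasses import dataclass

# Constructed /domains response: a managed domain, a federated domain the
# organisation set up, and a federated domain nobody authorised.
DOMAINS = [
    {"id": "contoso.example", "authenticationType": "Managed",
     "isVerified": True, "isDefault": True},
    {"id": "corp.contoso.example", "authenticationType": "Federated",
     "isVerified": True, "isDefault": False},
    {"id": "attacker-tenant.example", "authenticationType": "Federated",
     "isVerified": True, "isDefault": False},
]

# Constructed members of the Global Administrator directory role.
GLOBAL_ADMIN_MEMBERS = [
    {"@odata.type": "#microsoft.graph.user", "id": "u-1",
     "userPrincipalName": "alice@contoso.example"},
    {"@odata.type": "#microsoft.graph.user", "id": "u-2",
     "userPrincipalName": "svc-sync@contoso.example"},  # synced service account
    {"@odata.type": "#microsoft.graph.servicePrincipal", "id": "sp-1",
     "appId": "00000000-0000-0000-0000-000000000001",
     "displayName": "legacy-automation"},
]

# Constructed userRegistrationDetails report, keyed by user id.
MFA_REGISTRATION = {
    "u-1": {"isMfaRegistered": True},
    "u-2": {"isMfaRegistered": False},
}

# Assumption: federated domains the organisation knowingly configured are
# kept in a reviewed allowlist (for example in source control).
EXPECTED_FEDERATED = {"corp.contoso.example"}


@dataclass
class Finding:
    severity: str
    subject: str
    reason: str


def audit_federated_domains(domains, expected):
    """Flag any federated domain that is not in the reviewed allowlist."""
    findings = []
    for d in domains:
        if d.get("authenticationType") != "Federated":
            continue
        if d["id"] not in expected:
            findings.append(Finding(
                "critical", d["id"],
                "federated domain not in allowlist; a rogue IdP can mint tokens for any user"))
    return findings


def audit_global_admins(members, mfa_report):
    """Flag non-human Global Admins and human ones with no MFA registered."""
    findings = []
    for m in members:
        kind = m.get("@odata.type", "")
        if kind.endswith("servicePrincipal"):
            findings.append(Finding(
                "high", m.get("displayName", m["id"]),
                "non-human identity holds Global Administrator; MFA cannot apply, scope it down"))
        elif kind.endswith("user"):
            # A user missing from the report is treated as not registered.
            reg = mfa_report.get(m["id"], {})
            if not reg.get("isMfaRegistered", False):
                findings.append(Finding(
                    "high", m["userPrincipalName"],
                    "Global Administrator with no MFA registered"))
    return findings


def run_audit(domains=DOMAINS, members=GLOBAL_ADMIN_MEMBERS,
              mfa_report=MFA_REGISTRATION, expected=EXPECTED_FEDERATED):
    """Combine both checks; returns findings in discovery order."""
    return audit_federated_domains(domains, expected) + audit_global_admins(members, mfa_report)


if __name__ == "__main__":
    for f in run_audit():
        print(f"[{f.severity}] {f.subject}: {f.reason}")
```

Against a live tenant the same three record sets come from the Graph endpoints named above (in PowerShell, `Get-MgDomain` and `Get-MgDirectoryRoleMember` return the first two); the federated-domain check is the one to alert on continuously, since a new federated domain is the persistence artefact this campaign leaves behind.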