Executive Summary -
Highlights of Cyber Threat Intelligence Digest
Vulnerabilities
Threat Actors Actively Exploiting Erlang OTP SSH Vulnerability CVE-2025-32433 - Since at least May 2025, threat actors have been exploiting CVE-2025-32433, a critical missing-authentication vulnerability in the Erlang/OTP SSH daemon. According to an 11 August 2025 report from Unit 42, exploitation has targeted organisations in the education, healthcare, agriculture, media and entertainment, and technology sectors across several countries, including Japan, the United States, the Netherlands, Ireland, Brazil, Ecuador, and France. The Erlang/OTP team fixed the flaw in OTP-27.3.3, OTP-26.2.5.11, OTP-25.3.2.20, and later releases. The US Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalogue on 9 June 2025.
The flaw arises because the Erlang/OTP SSH daemon handled certain SSH connection-protocol messages (the layer that opens channels and carries requests such as command execution) before user authentication had completed. An unauthenticated attacker who can reach the SSH port can therefore execute arbitrary code with the privileges of the daemon, and a compromised host then serves as a foothold for lateral movement. Given its critical severity and active exploitation across diverse industries and regions, CVE-2025-32433 poses a significant risk to any unpatched system, including products that embed Erlang/OTP rather than install it directly.
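The following is an added illustration of the bug class, not Erlang/OTP code, Unit 42 tooling, or any public exploit: a toy SSH message dispatcher that acts on connection-protocol messages without consulting authentication state, beside the hardened dispatch that refuses the whole connection-protocol range until authentication succeeds. Message numbers come from RFC 4250, 4252 and 4254; the server classes, the accept-anything userauth handler and the exec bookkeeping are simplifications made for the example.

```python
"""Toy SSH message dispatcher: the pre-authentication gap behind
CVE-2025-32433 beside the hardened form. Added example, not Erlang/OTP code.
Message numbers are from RFC 4250/4252/4254; the server classes, the
'accept-anything' userauth and the exec bookkeeping are simplifications."""
import struct

SSH_MSG_USERAUTH_REQUEST = 50   # RFC 4252
SSH_MSG_CHANNEL_OPEN = 90       # RFC 4254
SSH_MSG_CHANNEL_REQUEST = 98    # RFC 4254
CONNECTION_PROTOCOL_MSGS = range(80, 128)  # RFC 4250 s.4.1.2: connection protocol


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def read_string(buf: bytes, offset: int):
    """Decode an SSH 'string' at offset; returns (value, next_offset)."""
    (length,) = struct.unpack_from(">I", buf, offset)
    start = offset + 4
    return buf[start:start + length], start + length


class VulnerableServer:
    """Dispatches purely on message number. Authentication state is recorded
    but never consulted, so channel messages are honoured before login."""

    def __init__(self):
        self.authenticated = False
        self.executed = []  # commands the server actually ran

    def handle(self, payload: bytes) -> str:
        msg_type = payload[0]
        if msg_type == SSH_MSG_USERAUTH_REQUEST:
            # A real server verifies a credential here; the toy one accepts.
            self.authenticated = True
            return "userauth-success"
        if msg_type == SSH_MSG_CHANNEL_OPEN:
            channel_type, _ = read_string(payload, 1)
            return "channel-open-confirmation" if channel_type == b"session" else "channel-open-failure"
        if msg_type == SSH_MSG_CHANNEL_REQUEST:
            req_type, off = read_string(payload, 5)   # skip uint32 recipient channel
            off += 1                                   # skip 'want reply' boolean
            if req_type == b"exec":
                command, _ = read_string(payload, off)
                self.executed.append(command.decode())  # BUG: no authentication gate
                return "exec"
        return "unimplemented"


class HardenedServer(VulnerableServer):
    """Same handlers, but the whole connection-protocol range is refused
    until authentication has succeeded; the session is torn down instead."""

    def handle(self, payload: bytes) -> str:
        if payload[0] in CONNECTION_PROTOCOL_MSGS and not self.authenticated:
            return "disconnect:protocol-error"
        return super().handle(payload)


def build_channel_open(sender_channel: int) -> bytes:
    return (bytes([SSH_MSG_CHANNEL_OPEN]) + ssh_string(b"session")
            + struct.pack(">III", sender_channel, 2 ** 21, 32768))


def build_channel_request_exec(recipient_channel: int, command: str) -> bytes:
    return (bytes([SSH_MSG_CHANNEL_REQUEST]) + struct.pack(">I", recipient_channel)
            + ssh_string(b"exec") + b"\x01" + ssh_string(command.encode()))


def run_preauth_exec(server) -> list:
    """Send CHANNEL_OPEN then CHANNEL_REQUEST 'exec' with no userauth at all
    and return the commands the server ended up running."""
    server.handle(build_channel_open(0))
    server.handle(build_channel_request_exec(0, "id"))
    return list(server.executed)


if __name__ == "__main__":
    print("vulnerable ran:", run_preauth_exec(VulnerableServer()))   # ['id']
    print("hardened ran:", run_preauth_exec(HardenedServer()))       # []
```

The point of the hardened class is where the check sits: it is a single gate in front of the dispatcher keyed on the message-number range, not a per-handler afterthought, so a new handler added later cannot forget it.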
RomCom Exploits CVE-2025-8088 Affecting WinRAR in Ongoing Spearphishing Campaigns Targeting European and Canadian Industries - On 11 August 2025, ESET reported that the Russia-linked threat group RomCom, also tracked by Recorded Future as the Cuba Ransomware Gang, is actively exploiting CVE-2025-8088, a WinRAR path traversal vulnerability. The campaigns target financial, manufacturing, defence, and logistics sectors in Europe and Canada, delivering multiple backdoors including the Mythic agent, a SnipBot variant, and RustyClaw. This activity is part of an ongoing spearphishing operation leveraging the flaw in unpatched versions of WinRAR to gain initial access and deploy malicious payloads.
The attack chain starts with spearphishing emails carrying malicious RAR archives designed to exploit CVE-2025-8088 in WinRAR 7.12 and earlier (fixed in 7.13). Extracting an archive drops a malicious LNK file together with a DLL or EXE payload, and each malware variant uses a different execution method. The Mythic agent variant uses COM hijacking to load a DLL from the temporary directory, which executes shellcode that connects to RomCom's command-and-control server. The SnipBot variant deploys a trojanised PuTTY CAC client that runs shellcode only if certain conditions are met, then downloads additional payloads. RustyClaw, meanwhile, uses a Rust-based downloader to fetch further malicious files, including one resembling the MeltingClaw downloader, from attacker-controlled infrastructure.
CISA Adds CVE-2013-3893 and CVE-2007-0671 Affecting Microsoft IE and Excel to Known Exploited Vulnerabilities Catalogue - On 12 August 2025, the US Cybersecurity and Infrastructure Security Agency (CISA) added two older Microsoft vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalogue after confirming they are being actively exploited. CVE-2013-3893 is a use-after-free flaw affecting Internet Explorer versions 6 through 11, caused by the SetMouseCapture implementation in mshtml.dll accessing freed memory. An attacker could exploit it by luring a user to a malicious webpage; the in-the-wild exploit also used an ms-help: URL to load hxds.dll, an Office help component that was not built with ASLR, giving the JavaScript-driven exploit predictable addresses from which to reach arbitrary code execution.
The second flaw, CVE-2007-0671, is a remote code execution vulnerability in Microsoft Office Excel 2000, XP, 2003, and 2004 for Mac. It results from improper handling of maliciously crafted Excel files, which could be sent as email attachments or hosted online. If opened, these files could allow attackers to run arbitrary code on the victim's system. Both vulnerabilities highlight the ongoing risk from unpatched legacy software, particularly where outdated applications remain in use.
Potential Threats
Threat Actors Abuse GitHub Repositories to Deliver SmartLoader - On 8 August 2025, AhnLab Security Intelligence Center (ASEC) reported a campaign in which threat actors abused GitHub repositories to distribute SmartLoader, a modular and stealthy malware loader that poses as legitimate software. The attackers populated repositories disguised as genuine projects such as "game hacks", "software cracks", and "automation tools", complete with realistic README files and installation guides to avoid suspicion. Victims were instructed to download ZIP archives containing the SmartLoader components: luajit.exe (a LuaJIT interpreter), its lua51.dll runtime, a malicious batch file, and an obfuscated Lua script. Once executed, SmartLoader established persistence via scheduled tasks, took screenshots, and collected system information, which it obfuscated before exfiltrating it to a command-and-control (C2) server at 89[.]169[.]13[.]215.
ASEC's analysis showed that SmartLoader received further instructions from its C2 server in JSON format, enabling it to download additional payloads. These included an obfuscated Lua script named adobe.lua, which maintained persistence and exfiltrated data, and 64-bit and 32-bit shellcode files (_x64.bin and _x86.bin) belonging to the Rhadamanthys information stealer, which targets email, FTP, and banking credentials by injecting into legitimate Windows processes. Recorded Future's Insikt Group obtained a related ZIP archive sample containing multiple SmartLoader components. Sandbox and static analysis of these files showed capabilities including geolocation lookups, IP address retrieval, debugger detection, file enumeration, process termination, and the creation of scheduled tasks for persistence.
Examination of the individual components revealed varied behaviours. luajit.exe, flagged as benign in isolation, is the component that loads the malicious Lua script from module.txt. lua51.dll, executed via rundll32.exe, delayed its operations to evade sandboxes, detected debuggers, and gathered system details. The malware also used legitimate services, ip-api[.]com for IP lookups and polygon-rpc[.]com for blockchain-related queries, likely to blend in with normal network traffic. These findings highlight the sophistication of SmartLoader's delivery through seemingly trustworthy GitHub repositories and its layered approach to persistence, evasion, and information theft.
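As an added hunting example (not ASEC or Insikt Group tooling), the rules below encode the SmartLoader behaviours described above and run over constructed endpoint telemetry. The events are simplified Sysmon-style records made up for the example; the only real indicator in them is the C2 address 89.169.13.215 from the report, the other addresses are documentation ranges, and the export name after lua51.dll is a placeholder.

```python
"""Detection logic for the SmartLoader behaviours in the digest, run over
constructed endpoint telemetry. Added example, not ASEC or Insikt Group
tooling. Only 89.169.13.215 is a real indicator; everything else in EVENTS
is made up, and 'entry' after lua51.dll is a placeholder export name."""
import ipaddress
from collections import defaultdict
from ntpath import basename

C2_IPS = {ipaddress.ip_address("89.169.13.215")}      # from the ASEC report
BLEND_IN_HOSTS = {"ip-api.com", "polygon-rpc.com"}    # legitimate, abused for lookups
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")

# Constructed events, not a real capture. ws01 mimics an infected host,
# ws02 a legitimate LuaJIT-based game.
EVENTS = [
    {"host": "ws01", "type": "process", "image": r"C:\Users\alice\Downloads\GameHack\luajit.exe",
     "cmdline": r'"C:\Users\alice\Downloads\GameHack\luajit.exe" module.txt'},
    {"host": "ws01", "type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\alice\Downloads\GameHack\lua51.dll,entry"},
    {"host": "ws01", "type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks /create /tn Updater /sc minute /mo 5 /tr "C:\Users\alice\Downloads\GameHack\luajit.exe module.txt"'},
    {"host": "ws01", "type": "network", "dest_ip": "89.169.13.215", "dest_host": ""},
    {"host": "ws01", "type": "network", "dest_ip": "203.0.113.10", "dest_host": "ip-api.com"},
    {"host": "ws02", "type": "process", "image": r"C:\Program Files\SomeGame\luajit.exe",
     "cmdline": r'"C:\Program Files\SomeGame\luajit.exe" main.lua'},
    {"host": "ws02", "type": "network", "dest_ip": "198.51.100.7", "dest_host": "example.com"},
]


def in_user_writable(path: str) -> bool:
    return any(seg in path.lower() for seg in USER_WRITABLE)


def process_rules(ev):
    image = basename(ev["image"]).lower()
    cmd = ev["cmdline"].lower()
    if image == "luajit.exe" and "module.txt" in cmd and in_user_writable(ev["image"]):
        yield "high", "luajit.exe running a script from module.txt in a user-writable path"
    if image == "rundll32.exe" and "lua51.dll" in cmd:
        yield "high", "lua51.dll executed through rundll32.exe"
    if image == "schtasks.exe" and "/create" in cmd and "luajit.exe" in cmd:
        yield "medium", "scheduled task persisting a Lua interpreter"


def network_rules(ev):
    if ipaddress.ip_address(ev["dest_ip"]) in C2_IPS:
        yield "critical", f"connection to known SmartLoader C2 {ev['dest_ip']}"
    if ev["dest_host"].lower() in BLEND_IN_HOSTS:
        # Weak on its own: plenty of legitimate software asks ip-api.com for its public IP.
        yield "info", f"lookup to {ev['dest_host']}"


def hunt(events) -> dict:
    """Map host -> list of (severity, description) findings."""
    findings = defaultdict(list)
    for ev in events:
        rules = process_rules if ev["type"] == "process" else network_rules
        for sev, msg in rules(ev):
            findings[ev["host"]].append((sev, msg))
    return dict(findings)


def hosts_to_escalate(findings: dict, min_strong: int = 2) -> list:
    """Escalate a host on any critical hit, or on at least min_strong
    non-informational hits, so a lone ip-api.com lookup never pages anyone."""
    return sorted(host for host, hits in findings.items()
                  if any(sev == "critical" for sev, _ in hits)
                  or sum(1 for sev, _ in hits if sev != "info") >= min_strong)


if __name__ == "__main__":
    results = hunt(EVENTS)
    for host in hosts_to_escalate(results):
        print(host, results[host])
```

The ip-api.com and polygon-rpc.com lookups are deliberately scored as informational: the report notes the malware uses them to blend in, so they only add weight to a host that already has a strong hit.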
Ransomware Groups Employ New EDR Killer Tool to Disable Security Software Before Encryption - On 6 August 2025, Sophos X-Ops reported that multiple ransomware groups are using a new Endpoint Detection and Response (EDR) killer tool to disable security defences before launching encryption attacks. The tool, which succeeds RansomHub's earlier EDRKillShifter, has been observed in use by at least eight ransomware operations: Medusa, BlackSuit, RansomHub, Qilin, DragonForce, Crytox, Lynx, and INC. Each group employs its own variant of the tool, built on a shared framework and packed with HeartCrypt, a packer-as-a-service designed to obfuscate and protect malicious payloads. The EDR killer runs early in the attack chain so that endpoint protection is already disabled when the ransomware executes.
According to Sophos, attackers deliver a HeartCrypt-packed dropper that injects itself into a legitimate process before decoding and executing an obfuscated EDR killer in memory. The tool searches for a kernel driver - with a randomly generated name and signed with stolen or expired certificates - to conduct a bring-your-own-vulnerable-driver (BYOVD) attack and gain kernel-level privileges. Once privileged, it terminates key antivirus and EDR processes, including those from Microsoft Defender, SentinelOne, Webroot, Kaspersky, and Trend Micro. If the driver is not found, the tool halts execution and sets up a dummy service to mimic expected behaviour. After security software is neutralised, the ransomware payload proceeds to encrypt files without interference.
Sophos also documented real-world use cases, such as Medusa ransomware deploying the tool via the SimpleHelp remote support platform, potentially exploiting a zero-day RCE flaw, and INC ransomware adding an extra packer layer for greater protection. Recorded Future's Insikt Group analysed samples shared by Sophos, finding they exhibited DLL injection, system reconnaissance, file enumeration, process termination, sandbox and debugger detection, and other evasion tactics. Some variants could also shut down or restart systems. These findings highlight the tool's sophistication, versatility, and growing role in coordinated ransomware campaigns.
Threat Actors Abuse Weaponized SVG Files in Phishing Campaign to Harvest Office 365 Credentials - On 7 August 2025, Seqrite reported a phishing campaign in which threat actors used weaponised Scalable Vector Graphics (SVG) files to steal Microsoft Office 365 credentials. The malicious SVGs were distributed via spear-phishing emails or cloud storage links, often disguised as meeting reminders or task lists. The attack slipped past standard email filters because SVG is an XML document that may legitimately contain script, and browsers execute that script when the file is opened directly: a file the gateway treats as an image behaves as a web page for the victim.
The attack begins when a victim opens the SVG attachment or link, triggering embedded JavaScript within a CDATA section. This script decodes a hex-encoded payload and redirects the user to a phishing site. In one observed case, the URL passed through a Cloudflare CAPTCHA before leading to a fake Office 365 login page, where credentials were harvested. As of the report, the identities of the threat actors behind this campaign remain unknown.
General News
Wikipedia's operator loses challenge to UK Online Safety Act rules - The Wikimedia Foundation, which operates Wikipedia, has lost a legal challenge against parts of the UK's Online Safety Act that could require unverified users to stop editing or contributing content. Wikimedia brought the case pre-emptively, anticipating that it might be classified as a "category 1" platform under the law - a designation it argued would threaten the privacy and safety of its volunteer editors, increase the risk of manipulation and vandalism, and divert resources from maintaining and improving Wikipedia. The foundation warned that mandatory user verification could expose contributors to risks such as data breaches, stalking, lawsuits, or even persecution by authoritarian regimes.
The UK's High Court of Justice dismissed the case but said it could be revisited if Ofcom, the UK communications regulator, designates Wikimedia as category 1 later this year. Category 1 services, such as Facebook, X, and Google, are defined as large user-to-user platforms that employ content recommendation systems. Wikimedia argued that it differs from such companies because it is a volunteer-run nonprofit providing a digital public good, and compliance with the rules would be exceptionally burdensome. The debate comes amid broader global trends toward stricter online user verification, with similar measures expanding in the US and Europe - including a recent US Supreme Court decision upholding a Texas law requiring proof of age for access to online pornography.
While the court did not grant Wikimedia's request, the judge acknowledged the "significant value" of Wikipedia and the potential damage that a category 1 classification could cause. Justice Johnson emphasised that the ruling does not give regulators a free pass to impose requirements that would severely impede Wikipedia's operations. He also suggested that Ofcom might interpret the rules flexibly or that lawmakers could amend the act to account for platforms like Wikipedia.
EU law to protect journalists from spyware takes effect - A landmark European Union law, the European Media Freedom Act (EMFA), became fully applicable on Friday, 8 August 2025, aiming to shield journalists from spyware and other surveillance. While EMFA also addresses editorial independence and media ownership transparency, its original 2022 proposal included strong protections barring spyware use against journalists and their families except in rare national security cases. However, after amendments in June 2023, EU countries gained broader powers to deploy surveillance tools under the guise of safeguarding state functions such as law and order. Press freedom groups say these changes, combined with many member states' failure to align domestic laws despite having over a year to prepare, risk making EMFA's protections ineffective and limiting the ability of the European Court of Justice to hold governments accountable.
The law takes effect amid a series of spyware scandals across Europe, including confirmed cases in Spain, Greece, and Hungary, and new allegations in Italy. Italian journalists, including Francesco Cancellato, editor of a publication critical of Prime Minister Giorgia Meloni, were warned by WhatsApp in January that they had been targeted with Paragon spyware. While Meloni's government has admitted to using Paragon against migrant rights activists, it denies involvement in the journalists' cases. Paragon later cut ties with Italy after the government refused to allow independent verification of its claims. Critics argue these incidents highlight exactly why strong, enforceable protections against state surveillance of journalists are urgently needed.
Britain's M&S restores click and collect services 15 weeks after systems hacked - Marks & Spencer (M&S) has restored its click and collect service for clothing nearly four months after a cyberattack forced the retailer to suspend online orders for store collection. The 141-year-old company halted click and collect, as well as home deliveries, on 25 April, three days after revealing it was managing a "cyber incident" involving data theft. While home delivery services resumed on 10 June, click and collect only returned on 11 August, with M&S announcing the move on its website and via Instagram. The reinstatement was seen by analysts as a key sign of operations returning to normal, helping boost M&S shares by 2%, although they remain down 10% for 2025.
The hack has had a significant financial impact, with M&S estimating in May that it would cost around £300 million ($404 million) in lost operating profit for the 2025/26 financial year. The retailer expects to halve this hit through insurance claims and cost-cutting measures. As part of its response, M&S took other systems offline, reducing both clothing and food availability in stores, which further hurt sales. Competitors such as Next in clothing and Sainsbury's in food capitalised on the disruption. Despite the setback, analysts do not expect long-term damage to M&S's growth prospects, and CEO Stuart Machin previously said the company would be past the worst of the incident by August.
The ransomware attack, believed by M&S to have been carried out by the hacker group DragonForce, is under investigation by UK authorities. In July, police arrested four individuals in connection with the M&S hack and other attacks on the Co-op and Harrods. Chairman Archie Norman disclosed the suspected group behind the breach when speaking to lawmakers last month. The incident has highlighted the growing cybersecurity risks facing major UK retailers, especially as they expand online services.
Threat Actor Weekly Graph
Over the past 7 days, we have been tracking the following intent and opportunity changes within our Threat Actor Landscape.
Intent represents the potential targets of a group. When a group is observed attacking a new organisation or type of entity, its intent score increases.
Opportunity represents the methods and technologies a group may use. For example, if a group starts using a new attack vector, such as a new ransomware family, its opportunity score increases.
Both intent and opportunity are scored out of 100 and together determine the group's severity. This week's updates are shown below.
Severity levels: Limited | Basic | Moderate | High

Threat Actor | Severity (previous → current) | Opportunity (previous → current) | Intent (previous → current)
---|---|---|---
RedBravo | High → High | 82 → 81 | 25 → 25
TAG-67 | Moderate → Moderate | 57 → 54 | 25 → 25
Kazu | NEW → Basic | NEW → 30 | NEW → 26
Weyhro Ransomware Group | NEW → Basic | NEW → 25 | NEW → 30
decider | NEW → Basic | NEW → 30 | NEW → 25
Global Trends Powered by Recorded Future
Within each category, we list the current top five globally trending items. Each item is marked with a symbol showing how strongly it is trending.
The spikes in references are calculated over 60 days and normalised so that larger entities, which naturally attract more baseline mentions, are not over-represented.
▲ Spike - a large increase in reporting volume with high diversity in the event descriptions.
▲ Rise - a small increase in reporting volume with little diversity in the descriptions.
Attackers | Methods | Vulnerabilities | Targets
---|---|---|---
InterLock Ransomware Group ▲ | Vishing ▲ | CVE-2025-8088 ▲ | Federal Court ▲
Cyb0rg ▲ | Interlock ▲ | CVE-2025-6543 ▲ | Yes24 ▲
ShinyHunters ▲ | Arcus Media Ransomware ▲ | CVE-2025-32433 ▲ | Salesforce ▲
Kimsuky ▲ | Adversary-in-the-Middle ▲ | CVE-2025-53786 ▲ | Apple iPad ▲
Earth Baxia ▲ | Echo Chamber ▲ | CVE-2025-25256 ▲ | Connex Credit Union ▲
Prominent Information Security Events
RomCom Exploits CVE-2025-8088 Affecting WinRAR in Ongoing Spearphishing Campaigns Targeting European and Canadian Industries
Source: Insikt Group | Validated Intelligence Event
IOC: IP - 194[.]87[.]189[.]19
IOC: Domain - redjournal[.]cloud
IOC: Domain - 1drv[.]us[.]com
IOC: SHA256 - 49023b86fde4430faf22b9c39e921541e20224c47fa46ff473f880d5ae5bc1f1
IOC: CVE - CVE-2025-8088
On 11 August 2025, ESET reported that the Russia-linked RomCom threat group, also tracked as the Cuba Ransomware Gang, is exploiting a WinRAR path traversal flaw (CVE-2025-8088) in spearphishing campaigns against the financial, manufacturing, defence, and logistics sectors in Europe and Canada. These operations deploy multiple backdoors, including the Mythic agent, a SnipBot variant, and RustyClaw. The attacks use malicious RAR archives that exploit the vulnerability in WinRAR 7.12 and earlier; version 7.13 fixes it.
When victims extract the booby-trapped archives, they deploy a malicious LNK file alongside DLL or EXE payloads. In the Mythic agent variant, the LNK sets up COM hijacking to load a malicious DLL that decrypts and executes shellcode to connect to RomCom's C2 server. The SnipBot variant uses a trojanised PuTTY CAC client that runs shellcode only under certain conditions, downloading further payloads if triggered. The RustyClaw variant employs a Rust-based downloader to retrieve additional malware, including a downloader resembling MeltingClaw, from attacker infrastructure.
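Both this event and the summary item earlier in the digest turn on an archive path traversal. The following is an added example of the containment check an extractor must apply to every member name before writing a file; it is not WinRAR code and not a reconstruction of the CVE-2025-8088 bug itself (the report does not say how the crafted archives carry their paths), and the member names are constructed. PureWindowsPath is used so the check applies Windows semantics whatever host it runs on.

```python
"""Containment check an archive extractor must apply to every member name
before writing. Added example, not WinRAR code and not a reconstruction of
CVE-2025-8088; the member names are constructed for the example."""
from pathlib import PureWindowsPath
from typing import Optional

# Constructed member names, not from a real sample.
SAMPLE_MEMBERS = [
    "docs/report.pdf",
    "..\\..\\Users\\Public\\update.lnk",
    "images/../../update.lnk",
    "C:\\Users\\Public\\update.lnk",
    "\\\\fileserver\\share\\update.dll",
    "\\Users\\Public\\update.lnk",
    "report.pdf:payload.exe",
]


def member_path_problem(member: str) -> Optional[str]:
    """Return why a member name must not be written, or None if it is safe
    to place beneath the destination directory."""
    if not member or "\x00" in member:
        return "empty name or embedded NUL"
    p = PureWindowsPath(member)            # accepts both / and \ separators
    if p.drive or p.root:
        return "absolute, rooted or UNC path"
    if ":" in member:
        # No drive letter survived the check above, so a colon can only be an
        # NTFS alternate data stream (file.txt:stream) or an invalid name.
        return "colon in name (alternate data stream)"
    if ".." in p.parts:
        # Reject outright rather than resolving: 'a/../b' is never needed.
        return "parent-directory traversal"
    return None


def safe_destination(dest_dir: str, member: str) -> PureWindowsPath:
    """Join a vetted member name onto dest_dir; raise on anything unsafe."""
    problem = member_path_problem(member)
    if problem:
        raise ValueError(f"refusing {member!r}: {problem}")
    return PureWindowsPath(dest_dir).joinpath(member)


def triage(members) -> dict:
    """Map each member name to its problem (or None)."""
    return {m: member_path_problem(m) for m in members}


if __name__ == "__main__":
    for name, problem in triage(SAMPLE_MEMBERS).items():
        print(f"{name!r:45} -> {problem or 'ok'}")
```

The same check belongs in any code that unpacks attacker-supplied archives (mail gateways, sandbox pre-processors, CI artefact handling), not only in desktop archivers, and it must run on the name the archive actually supplies, before any normalisation the library performs on your behalf.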
Threat Actors Abuse Weaponized SVG Files in Phishing Campaign to Harvest Office 365 Credentials
Source: Insikt Group | Validated Intelligence Event
IOC: SHA256 - 9507e7be5e00ac9730ace414652efa47a52a7cd645c5ac210ff86f16ecad7810
IOC: URL - hxxps[://]hju[.]yxfbynit[.]es/koRfAEHVFeQZ
On 7 August 2025, Seqrite reported a phishing campaign in which attackers exploited weaponised Scalable Vector Graphics (SVG) files to steal Microsoft Office 365 credentials. The malicious SVGs were distributed via spear-phishing emails or cloud storage links, often disguised as meeting reminders or task lists. By leveraging the SVG file’s XML structure and how browsers process these files, the campaign was able to bypass standard email security filters.
When a victim opened the SVG attachment or link, embedded JavaScript within a CDATA section executed, decoding a hex-encoded payload and redirecting the user to a phishing site. In some cases, the URL passed through a Cloudflare CAPTCHA before reaching a fake Office 365 login page, where credentials were captured. The identities of the threat actors behind this campaign remain unknown.
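The following is an added example of static triage for SVG attachments of the kind described here and in the summary item earlier in the digest; it is not Seqrite or Insikt Group tooling. It parses the SVG as XML, pulls out script elements and event-handler attributes, decodes any hex-encoded run it finds, and reports decoded URLs and redirect calls. SAMPLE_SVG and the URL inside it are constructed for the example; the URL is a placeholder, not an indicator.

```python
"""Static triage for weaponised SVG attachments: extract script from the
XML, decode hex-encoded payloads, report redirect targets. Added example,
not Seqrite or Insikt Group tooling. SAMPLE_SVG and PLACEHOLDER_URL are
constructed; the URL is not an indicator."""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
HEX_RUN = re.compile(r"(?:[0-9a-fA-F]{2}){12,}")      # 12+ bytes of contiguous hex
URL_RE = re.compile(r"https?://[^\s'\"<>]+")
REDIRECT_HINTS = ("window.location", "location.href", "location.replace", "window.open")

PLACEHOLDER_URL = "https://login-example.invalid/office365"

# Constructed 'meeting reminder' SVG mirroring the pattern described:
# JavaScript inside a CDATA block hex-decodes a URL and redirects to it.
SAMPLE_SVG = f"""<?xml version="1.0"?>
<svg xmlns="{SVG_NS}" width="400" height="120">
  <text x="20" y="40">Meeting reminder: click to view the agenda</text>
  <script type="text/javascript"><![CDATA[
    var h = "{PLACEHOLDER_URL.encode().hex()}";
    var s = "";
    for (var i = 0; i < h.length; i += 2) s += String.fromCharCode(parseInt(h.substr(i, 2), 16));
    window.location = s;
  ]]></script>
</svg>"""


def local(name: str) -> str:
    """Strip an XML namespace prefix: '{ns}script' -> 'script'."""
    return name.rsplit("}", 1)[-1]


def analyse_svg(svg_bytes: bytes) -> dict:
    root = ET.fromstring(svg_bytes)            # CDATA content comes back as plain text
    scripts, handlers, blobs = [], [], []
    for el in root.iter():
        tag = local(el.tag)
        if tag == "script":
            scripts.append(el.text or "")
        for attr, value in el.attrib.items():
            name = local(attr).lower()
            if name.startswith("on"):                                  # onload=, onclick=, ...
                handlers.append(f"{tag}@{name}")
            elif name == "href" and value.strip().lower().startswith("javascript:"):
                handlers.append(f"{tag}@{name}")
            blobs.append(value)
    decoded_urls = []
    for blob in scripts + blobs:
        for run in HEX_RUN.findall(blob):
            try:
                text = bytes.fromhex(run).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                continue
            decoded_urls.extend(URL_RE.findall(text))
    redirects = any(hint in s for s in scripts for hint in REDIRECT_HINTS)
    return {
        "script_blocks": len(scripts),
        "event_handlers": handlers,
        "decoded_urls": decoded_urls,
        "redirects": redirects,
        # Any script or handler is enough: a graphic has no business executing code.
        "verdict": "suspicious" if scripts or handlers else "clean",
    }


if __name__ == "__main__":
    print(analyse_svg(SAMPLE_SVG.encode()))
```

The verdict deliberately does not depend on successfully decoding a URL: an attacker can switch from hex to base64 or a custom alphabet in an afternoon, whereas a script element or on* attribute in an inbound "image" is a stable signal. At the gateway, the simpler control is to quarantine SVG attachments outright or rasterise them to PNG before delivery.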
Remediation Actions
In light of the information above, we recommend that the technologies mentioned be fully patched and updated. We also want to highlight and recommend applying the following patches where applicable:
- CVE-2025-32433: Update Erlang/OTP to a patched version (OTP-27.3.3, OTP-26.2.5.11, OTP-25.3.2.20, or later), and check products that embed Erlang/OTP rather than install it directly, since the vulnerable SSH daemon ships as part of the OTP distribution. Restrict SSH access to trusted sources, enforce strong authentication, monitor logs for suspicious activity, and use detection tools such as the Insikt Group Nuclei template to identify vulnerable systems.
- CVE-2025-8088: Update WinRAR to 7.13 or later (7.12 and earlier are affected) and block suspicious RAR archives at email and web gateways. Educate users, scan for compromise indicators, and restrict the use of archive tools to prevent exploitation.
- CVE-2013-3893 & CVE-2007-0671: Apply Microsoft's security updates - MS13-080 for CVE-2013-3893 and MS07-015 for CVE-2007-0671 - or use the temporary workarounds those bulletins describe, such as disabling the vulnerable functionality. Because Internet Explorer and Excel 2000/XP/2003 are out of support, the durable fix is to retire them in favour of supported, patched software and to treat untrusted Excel files with caution.
If you are currently an Acumen Cyber Vulnerability Management customer, we will be proactively performing related searching and hunting activities within your environment.