Cyber Threat Intelligence Digest: Week 33

20th August 2025 - Threat Reports
  • Vulnerabilities
  • Potential Threats
  • General News
  • Threat Actor Weekly Graph
  • Global Trends Powered by Recorded Future
  • Prominent Information Security Events
  • Remediation Actions

Executive Summary - Highlights of Cyber Threat Intelligence Digest

Vulnerabilities

Threat Actors Exploiting CVE-2025-29824 to Deploy PipeMagic Backdoor in Ongoing Campaign - On 18 August 2025, Kaspersky reported that threat actors are actively exploiting CVE-2025-29824 to deploy the PipeMagic backdoor in a global campaign. Originally identified in late 2022, PipeMagic enables remote access, acts as a network proxy, and supports a wide range of malicious operations. Recent infections were observed in Saudi Arabia and Brazil, with attackers using infrastructure hosted on Microsoft Azure.

The infection chain includes multiple loaders, such as a trojanised ChatGPT desktop application, a malicious Microsoft Help Index (.mshi) file executed through MSBuild, and DLL hijacking using a fake googleupdate.dll. These components decrypt and inject shellcode to launch PipeMagic, which then communicates over named pipes and loads plugins for credential theft, payload injection, and stealthy command execution. The actor behind the campaign has not yet been publicly identified.

EncryptHub Exploits CVE-2025-26633 and Abuses Brave Support in Ongoing Social Engineering Campaign - On 13 August 2025, Trustwave revealed that the threat group EncryptHub has been orchestrating a campaign that blends social engineering, abuse of legitimate tools, and exploitation of the Microsoft Management Console (MMC) vulnerability CVE-2025-26633. In these attacks, EncryptHub operators impersonate IT staff via phone calls and Microsoft Teams messages to convince targets to grant remote access.

Once inside, they use PowerShell to deploy both benign and malicious .msc files. The malicious files are crafted to exploit CVE-2025-26633 and execute attacker-controlled code, which then retrieves further payloads from EncryptHub’s command-and-control (C2) infrastructure.

Fortinet Patches Authentication Bypass Vulnerability CVE-2025-52970 in FortiWeb; No Active Exploitation Observed - On 12 August 2025, Fortinet patched CVE-2025-52970, a high-severity authentication bypass vulnerability affecting FortiWeb versions 7.0.0 through 7.6.3. FortiWeb is Fortinet’s web application firewall (WAF) designed to protect websites and application programming interfaces (APIs). Security researcher Aviv Y first disclosed the vulnerability to Fortinet and later published a proof-of-concept (PoC) exploit on 13 August 2025.

CVE-2025-52970 stems from improper handling of a request parameter. An unauthenticated remote attacker who already holds certain non-public information about the device and its users can send crafted requests to targeted FortiWeb endpoints and log in as an existing user, including an administrator, potentially leading to full system compromise. As of this writing, there are no reports of active exploitation in the wild.

Potential Threats

Threat Actors Use Copyright Phishing Emails to Deploy Noodlophile Stealer Variant - On 18 August 2025, Morphisec reported that the Noodlophile Stealer campaign has evolved to target businesses managing Facebook Pages across the US, Europe, Baltics, and APAC. The attack begins with phishing emails posing as copyright claims, written in multiple languages and often sent from Gmail accounts. Victims are lured to a Dropbox archive containing a legitimate, signed application vulnerable to DLL side-loading, bundled with a malicious DLL.

Once executed, the malware establishes persistence and runs within a trusted process. It collects browser data, credentials, and system information, uses Telegram for command-and-control, and relies on in-memory execution to evade detection. Morphisec also noted evidence of .NET components designed to bypass security features such as AMSI and ETW.

Threat Actors Impersonate Booking.com URL in a Phishing Campaign Using a Unicode Symbol - On 14 August 2025, BleepingComputer reported two phishing campaigns using homoglyphs and deceptive domains. The first campaign impersonated Booking[.]com by substituting the Japanese hiragana character “ん” (U+3093) for the forward slashes in the URL, so that in some fonts the attacker-controlled host name read like a path beneath the legitimate site. Victims actually landed on a look-alike domain, www-account-booking[.]com, which served a malicious MSI installer acting as a dropper. The second campaign spoofed Intuit by replacing the letter “i” with “l” in domains such as intfdsl[.]us.

When clicked through an email client, users were taken to a fake Intuit login page, but if opened directly in a browser, the link redirected to the real Intuit site. These tactics were used to bypass detection and increase phishing success rates.

Technical Blog for Phishing Campaign Using Fake Voicemail Notifications to Steal Google Credentials - On 16 August 2025, security researcher Anurag detailed a sophisticated phishing campaign targeting Google account users. The attack begins with fake voicemail alert emails sent via SendGrid using a spoofed sender domain (swissklip[.]com). The messages pass SPF and DKIM checks, which only vouch for the sending service’s own domain, but fail DMARC because neither authenticated identifier aligns with the visible From address, a telltale sign of spoofing. Victims are lured to a Microsoft Dynamics-hosted link, which then redirects to a CAPTCHA page and ultimately a fake Gmail login.

The phishing page closely mimics Google’s sign-in flow, collecting credentials, MFA tokens, backup codes, and recovery emails. JavaScript-based anti-debugging checks and redirection to the real Gmail login help hide the malicious activity. An obfuscated script hidden in the CAPTCHA page decrypts and executes a browser-based stealer, exfiltrating all collected data to attacker-controlled infrastructure.
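Why a message can pass SPF and DKIM yet still fail DMARC is worth seeing in code. The Python below is an added example, not code from the researcher’s write-up: it parses a constructed Authentication-Results header and applies the RFC 7489 identifier-alignment rule, which is the step that turns a pass for the bulk sender’s domain into a fail for the spoofed From domain. The sending-service domains (mail.example-esp.net, example-esp.net) and the From domain (brand.example) are placeholders, and the organisational-domain helper is a deliberate simplification.

```python
import re

# Authentication-Results line of the kind a receiving MTA stamps on a message.
# Constructed for this example: the ESP domains and the From: domain are
# placeholders, not the ones from the report.
AUTH_RESULTS = (
    "mx.example.org; spf=pass smtp.mailfrom=bounces@mail.example-esp.net; "
    "dkim=pass header.d=example-esp.net header.s=s1"
)
FROM_DOMAIN = "brand.example"

AUTH_RE = re.compile(
    r"\b(spf|dkim)=(\w+)[^;]*?\b(?:smtp\.mailfrom|header\.d)=(?:[\w.+-]+@)?([\w.-]+)",
    re.I,
)


def parse_auth_results(header):
    """Return {method: (result, authenticated_domain)} for the spf and dkim
    clauses of an Authentication-Results header."""
    return {m.lower(): (r.lower(), d.lower()) for m, r, d in AUTH_RE.findall(header)}


def organizational_domain(domain):
    """Organisational domain used for relaxed alignment.  Assumption for the
    demo: the last two labels.  Production code must consult the Public
    Suffix List, otherwise 'example.co.uk' would collapse to 'co.uk'."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """RFC 7489 identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only a shared organisational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def dmarc_evaluate(from_domain, auth, aspf="r", adkim="r"):
    """Return ('pass'|'fail', notes).  DMARC passes only if SPF or DKIM both
    passed *and* is aligned with the RFC5322.From domain; a pass for an
    unrelated sender domain, as in the voicemail lure, counts for nothing."""
    notes, ok = [], False
    for method, mode in (("spf", aspf), ("dkim", adkim)):
        result, domain = auth.get(method, ("none", ""))
        is_aligned = result == "pass" and aligned(from_domain, domain, mode)
        ok = ok or is_aligned
        notes.append(f"{method}={result} for {domain or '-'}: "
                     f"{'aligned' if is_aligned else 'not aligned'} with {from_domain}")
    return ("pass" if ok else "fail"), notes


if __name__ == "__main__":
    verdict, notes = dmarc_evaluate(FROM_DOMAIN, parse_auth_results(AUTH_RESULTS))
    print("DMARC", verdict)
    for line in notes:
        print(" ", line)
```

Running it prints a fail with both identifiers marked "not aligned", even though each individual check passed. Flipping the sender to a subdomain of brand.example makes it pass under relaxed alignment and still fail under strict (aspf="s"), which is the knob a domain owner tunes in their DMARC record.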

General News

UK telecom provider Colt says outages were due to cyber incident - UK telecom provider Colt Technology Services confirmed on 15 August 2025 that a cyber incident affecting internal systems caused outages to services including Colt Online and the Voice API platform. The company clarified that customer infrastructure was not impacted but admitted it was operating with reduced automation. Colt is continuing recovery efforts and expects to release more information. Customers were advised to use phone or email for support, though response times may be delayed. The incident follows a pattern of recent cyberattacks targeting telecom firms globally. Nation-state groups such as Salt Typhoon remain a concern for Western telecoms.

UK Firm Stock in the Channel Discloses Ransomware Attack; No Data Compromised - On 14 August 2025, UK-based technology company Stock in the Channel Ltd. (STIC) disclosed via its website that it had been subject to a ransomware attack that caused temporary operational disruption, including website downtime and product availability issues. STIC noted that email and phone services continued to operate during the disruption, and that no customer data was compromised.

The attack, which occurred on August 12, 2025, was carried out by an unidentified ransomware group that exploited an unspecified vulnerability in a third-party application to gain unauthorised access to STIC’s environment. Although STIC took its servers offline to contain the attack, it restored affected services on August 15, 2025.


McDonald's Free Nuggets Hack Leads to Exposure of Confidential Data - On 14 August 2025, researchers revealed two separate security issues affecting McDonald’s systems. The first involved a flaw in the McDonald’s mobile app reward system that allowed users to illegitimately redeem free food items, such as nuggets, by exploiting a client-side validation weakness. The issue was responsibly disclosed by a researcher known as “BobDaHacker” and has since been patched by McDonald’s.

Further investigation uncovered significant security failings in the McDonald’s Design Hub, a platform used by staff and marketing agencies worldwide. Despite being intended for internal use, it was protected only by a client-side password. Even after a proper login system was introduced, access could still be obtained simply by changing “login” to “register” in the URL, after which a password was emailed in plaintext. Researchers also discovered exposed API keys in JavaScript, unprotected search indexes containing personal data, and “impersonation” features that allowed low-privilege users to retrieve executive details.

Threat Actor Weekly Graph

Over the past 7 days, we have been tracking the following intent and opportunity changes within our Threat Actor Landscape.

Intent represents the potential targets of a group. When a group is observed attacking a different organisation or entity, their intent will increase.

Opportunity represents the various methods and technologies these groups may use. For example, if a group started using a new attack vector, such as a new kind of ransomware, their opportunity would increase.

Both intent and opportunity are scored out of 100 and together determine the group's severity. This week's updates are shown below.


Severity scale: Limited, Basic, Moderate, High

Threat Actor Severity - Increase (each cell shows the pair of values as published; NEW marks an actor added to the landscape this week)

Threat Actor    Severity              Opportunity   Intent
RedBravo        High / High           81 / 79       25 / 25
TAG-67          Moderate / Moderate   54 / 52       25 / 25
HelluvaHack     NEW / Basic           NEW / 30      NEW / 25
TAG-148         NEW / Basic           NEW / 25      NEW / 25
cnkjasdfgd      NEW / Basic           NEW / 25      NEW / 5

Global Trends Powered by Recorded Future

Within each category, we have provided the current top five globally trending items. Each item is marked with a symbol indicating how actively it is trending.

The spikes in references are calculated over 60 days and are normalised so that larger entities, which naturally have more baseline mentions, are not over-represented.

- Spike - a large increase in reporting volume with a high diversity of event descriptions.
- Rise - a small increase in reporting volume with little diversity in the descriptions.

Attackers                  Methods                                                 Vulnerabilities   Targets
Killnet                    Warlock                                                 CVE-2025-52970    Asset Management
PalachPro                  TA0001 (Initial Access)                                 CVE-2025-54948    Google Mail
Draco                      Proof-of-Concept Exploit                                CVE-2025-8875     Business Intelligence
Medusa Ransomware Group    T1036.005 (Masquerading: Match Legitimate Name or Location)   CVE-2025-53740    Workday
Annalise                   TA0007 (Discovery)                                      CVE-2025-27811    Internet Service Provider

Prominent Information Security Events

Threat Actors Use Copyright Phishing Emails to Deploy Noodlophile Stealer Variant

Source: Insikt Group | Validated Intelligence Event 

IOC: URL - hxxps://t[.]me/LoneNone
IOC: URL - hxxps://paste[.]rs/Gc2BJ
IOC: SHA256 - 844c2ee464ef5cdc79c2de52eb544c55e1f9bf7ded2c2f0e44bed263f04daa42
IOC: SHA256 - d0b0551e8988a9f81b80933ec68efabb47cd12acaeffa79c42564863424a376e

On 18 August 2025, Morphisec reported that the Noodlophile Stealer campaign has evolved to specifically target businesses managing Facebook Pages across regions including the US, Europe, the Baltics, and APAC. The attack commences with phishing emails purporting to be copyright infringement claims, crafted in multiple languages to widen their reach and frequently sent from seemingly legitimate Gmail accounts.

Recipients are enticed to download a Dropbox archive containing a digitally signed legitimate application vulnerable to DLL side-loading, alongside a malicious DLL. When executed, this setup allows the malware to establish persistence by running stealthily within a trusted process, thereby evading standard security measures. The stealer harvests sensitive browser data, login credentials, and system information. Notably, the malware uses Telegram as its command-and-control (C2) channel and employs in-memory execution techniques to bypass detection.

Morphisec also observed the presence of .NET components aimed at circumventing advanced security features like the Anti-Malware Scan Interface (AMSI) and Event Tracing for Windows (ETW), highlighting the increasing sophistication of this threat.

Threat Actors Impersonate Booking.com URL in a Phishing Campaign Using a Unicode Symbol

Source: Insikt Group | Validated Intelligence Event

IOC: MD5 - 60988c99fb58d346c9a6492b9f3a67f7 (32-character hash)
IOC: SHA256 - 3c123fbd4ae250a590093cbbb718ae5adee8b551681046c7622575d496c01ae5
IOC: SHA256 - b654105ab089a9311d630112c813bc4ae9c10a8f20da6ff712edcb09599bc890
IOC: Domain - www-account-booking[.]com
IOC: Domain - intfdsl[.]us

On 14 August 2025, BleepingComputer reported two phishing campaigns using homoglyphs and deceptive domains. The first campaign impersonated Booking[.]com by substituting the Japanese hiragana character “ん” (U+3093) for the forward slashes in the URL, so that in certain fonts the attacker-controlled host name read like a path beneath the legitimate site. Victims actually landed on a look-alike domain, www-account-booking[.]com, which led to a malicious link hosting an MSI installer on a CDN. Analysis suggested the installer acted as a dropper, likely used to deploy infostealers or remote access trojans. The campaign demonstrated a targeted and technically subtle approach to trick recipients.

The second campaign spoofed Intuit by replacing the letter “i” with “l” in domains such as intfdsl[.]us. When clicked through an email client, users were taken to a fake Intuit login page, but if opened directly in a browser, the link redirected to the real Intuit site. This conditional redirection helped the attackers evade automated scanning tools while harvesting login credentials from unsuspecting users.
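As an added example (not from the BleepingComputer report), the Python below implements the two checks a mail gateway or URL-rewriting proxy would want against the lures described here and in the Potential Threats summary above: letters from a script the brand never uses anywhere in the host or path, and a brand name embedded in, or spelled with ASCII lookalikes inside, a host that is not the brand’s own domain. The brand allow-list and the sample URLs are constructed; the Intuit lookalike lntuit.us is invented for the demo and is not the domain from the report.

```python
import unicodedata
from urllib.parse import urlsplit, unquote

# Brands in scope and the only registrable domain each legitimately uses.
# Constructed allow-list for this example.
BRAND_DOMAINS = {"booking.com", "intuit.com"}


def letter_scripts(text):
    """Return the set of scripts used by the letters in text, taken from the
    first word of each character's Unicode name ('LATIN', 'HIRAGANA',
    'CYRILLIC', ...).  Digits and punctuation are ignored."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text if ch.isalpha()}


def fold_lookalikes(label):
    """Collapse the ASCII substitutions most often used against brand names
    (rn->m, l/1->i, 0->o) so that 'lntuit' compares equal to 'intuit'."""
    return label.replace("rn", "m").replace("l", "i").replace("1", "i").replace("0", "o")


def analyse_url(url):
    """Return the reasons a URL looks like a homoglyph or lookalike lure; an
    empty list means these checks found nothing."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []

    # 1. Non-Latin letters in the host.  'ん' (U+3093) standing in for '/'
    #    makes 'account.booking.com' look like a subdomain of the real site,
    #    while the browser actually connects to whatever follows the last one.
    foreign = letter_scripts(host) - {"LATIN"}
    if foreign:
        reasons.append("non-Latin script in host: " + ", ".join(sorted(foreign)))
    foreign = letter_scripts(unquote(parts.path)) - {"LATIN"}
    if foreign:
        reasons.append("non-Latin script in path: " + ", ".join(sorted(foreign)))

    # 2. A brand name present in (or spelled with lookalikes inside) a host
    #    that is neither the brand's domain nor a subdomain of it.
    folded = fold_lookalikes(host)
    for brand in sorted(BRAND_DOMAINS):
        name = brand.split(".")[0]
        legit = host == brand or host.endswith("." + brand)
        if name in folded and not legit:
            reasons.append(f"'{name}' appears in {host!r}, which is not {brand}")
    return reasons


if __name__ == "__main__":
    # Constructed samples: the first mimics the shape of the Booking.com lure
    # (slashes replaced by U+3093); the third is an invented 'l'-for-'i'
    # Intuit lookalike, not the domain from the report.
    for sample in (
        "https://account.booking.com\u3093detail\u3093www-account-booking.com/en/",
        "https://www.booking.com/hotel/index.html",
        "https://lntuit.us/login",
    ):
        print(sample, "->", analyse_url(sample) or "clean")
```

Note that urlsplit resolves the first sample's host to the whole run of text up to the first real slash, so the ん characters end up inside the host name and the Booking.com domain never appears as a suffix; that is exactly what the script check and the brand check catch. A production version would replace the two-label brand comparison with Public Suffix List handling and a fuller confusables table.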

Remediation Actions

Following the information provided above, we recommend that the technologies mentioned be fully patched and updated. We also want to highlight and recommend applying the following patches where applicable:

  • CVE-2025-29824: apply the latest Windows security updates addressing the CLFS (Common Log File System) driver. Restrict access to msbuild and other scriptable tools for non-developer users, monitor for suspicious use of msbuild.exe, and audit execution of .mshi and .dll files from user directories. Implement application allowlisting and behavioural detection for named pipe communications and shellcode injection attempts. Investigate use of trojanised applications such as fake ChatGPT clients, and block their execution where possible.
  • CVE-2025-26633: To mitigate the exploitation of this Microsoft Management Console (MMC) vulnerability, ensure all systems are patched with the latest security updates from Microsoft. Limit remote access privileges and educate staff on the risks of social engineering tactics such as impersonation via phone or Microsoft Teams. Monitor PowerShell execution logs for unusual .msc file activity and use endpoint detection tools to identify and block malicious payloads related to this vulnerability.
  • CVE-2025-52970: Apply Fortinet’s official patch for FortiWeb versions 7.0.0 through 7.6.3 to remediate this authentication bypass vulnerability. Organisations should upgrade to the fixed version as soon as possible and review access logs for signs of suspicious activity. Where patching is delayed, restrict access to FortiWeb management interfaces and limit exposure to trusted IP addresses.
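To make the monitoring advice in the CVE-2025-29824 and CVE-2025-26633 bullets concrete, and to cover the DLL side-loading and named-pipe behaviour described for PipeMagic and Noodlophile earlier in this digest, here is an added Python triage pass over Sysmon-style events. It is not tooling from Kaspersky, Trustwave, Morphisec or Acumen; the event records, field names, user-writable directory list and file names are constructed for the demo, and the rules are starting points to tune rather than finished detections.

```python
import re

# Directories an ordinary user can write to (assumed list for the demo).
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(?:appdata|downloads|desktop|documents)\\|\\programdata\\|\\windows\\temp\\",
    re.I,
)
# File types MSBuild is normally handed; anything else (.mshi, .txt, .log ...)
# deserves a look, because MSBuild compiles inline tasks from any XML it reads.
BUILD_EXTENSIONS = {".proj", ".csproj", ".vbproj", ".fsproj", ".sln", ".targets", ".props"}
MSC_HOSTS = {"mmc.exe", "powershell.exe", "pwsh.exe"}


def _name(path):
    return path.rsplit("\\", 1)[-1].lower()


def _dir(path):
    return path.rsplit("\\", 1)[0].lower()


def _args(command_line):
    """Split a Windows command line into tokens, honouring double quotes,
    and drop the program name itself."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', command_line)][1:]


def triage_event(ev):
    """Return a list of (rule, detail) findings for one Sysmon-style event."""
    findings = []
    image = ev.get("Image", "")
    if ev["EventID"] == 1:  # process creation
        name = _name(image)
        for arg in _args(ev.get("CommandLine", "")):
            if arg.startswith(("/", "-")) or "." not in _name(arg):
                continue  # switches and bare words are not input files
            ext = "." + _name(arg).rsplit(".", 1)[-1]
            if name == "msbuild.exe" and (ext not in BUILD_EXTENSIONS or USER_WRITABLE.search(arg)):
                findings.append(("msbuild-unusual-input", arg))
            if name in MSC_HOSTS and ext == ".msc" and USER_WRITABLE.search(arg):
                findings.append(("msc-from-user-writable-path", arg))
    elif ev["EventID"] == 7:  # image (DLL) load
        loaded = ev.get("ImageLoaded", "")
        # Unsigned DLL sitting next to the executable in a user-writable
        # directory: the side-loading layout used by Noodlophile and PipeMagic.
        if (ev.get("Signed", "").lower() != "true" and _dir(loaded) == _dir(image)
                and USER_WRITABLE.search(loaded)):
            findings.append(("unsigned-dll-beside-exe", loaded))
    elif ev["EventID"] == 17:  # named pipe created
        if USER_WRITABLE.search(image):
            findings.append(("pipe-server-from-user-writable-path", ev.get("PipeName", "")))
    return findings


def triage(events):
    """Run triage_event over a batch; return [(EventID, rule, detail), ...]."""
    return [(ev["EventID"], rule, detail) for ev in events for rule, detail in triage_event(ev)]


# Constructed events shaped like Sysmon IDs 1, 7 and 17.  Paths, file names
# and the pipe name are placeholders, not IOCs from the reports above.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "CommandLine": r'MSBuild.exe "C:\Users\alice\AppData\Local\Temp\metafile.mshi"'},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "CommandLine": r"MSBuild.exe C:\src\app\app.csproj /p:Configuration=Release"},
    {"EventID": 1, "Image": r"C:\Windows\System32\mmc.exe",
     "CommandLine": r'mmc.exe "C:\Users\alice\AppData\Local\Temp\console.msc"'},
    {"EventID": 7, "Image": r"C:\Users\bob\Downloads\Evidence\viewer.exe",
     "ImageLoaded": r"C:\Users\bob\Downloads\Evidence\helper.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Program Files\Vendor\viewer.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"EventID": 17, "Image": r"C:\Users\bob\Downloads\Evidence\viewer.exe", "PipeName": r"\updatepipe"},
    {"EventID": 17, "Image": r"C:\Windows\System32\svchost.exe", "PipeName": r"\lsass"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

On the sample batch, the developer's .csproj build and the svchost pipe pass silently, while the .mshi handed to MSBuild, the .msc launched from Temp, the unsigned helper.dll beside its host executable and the pipe server running out of Downloads are each flagged once. In a real deployment the user-writable list should be derived from the estate's actual profile and software-distribution paths, and the MSBuild rule should be restricted to hosts where developers are not expected.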

If you are currently an Acumen Cyber Vulnerability Management customer, we will be proactively performing related searching and hunting activities within your environment.