Executive Summary -
Highlights of Cyber Threat Intelligence Digest
Vulnerabilities
Cisco Patches CVE-2025-20127 Affecting Secure Firewall ASA and FTD Software - On September 3, 2025, Cisco released security patches for CVE-2025-20127, a high-severity vulnerability in its Secure Firewall Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) Software, specifically on Firepower 3100 and 4200 Series devices. The flaw stems from improper handling of the TLS_CHACHA20_POLY1305_SHA256 cipher suite during Transport Layer Security (TLS) 1.3 operations. An attacker could exploit it to exhaust system resources so that the firewall stops accepting new SSL/TLS or VPN connections, a denial-of-service condition for organizations that depend on these devices for secure connectivity.
Cisco has addressed the vulnerability in updated software releases that handle the cipher suite correctly and advises administrators to apply the fixes promptly. Cisco has confirmed that there are currently no reports of active exploitation in the wild, so organizations still have a window in which to remediate before attackers attempt to take advantage of the weakness.
CVE-2025-9519 allows Remote Code Execution in the Easy Timer WordPress plugin - A high-severity vulnerability, CVE-2025-9519, affects the Easy Timer plugin for WordPress in all releases up to and including version 4.2.1. The issue stems from inadequate restrictions on shortcode attributes, which an authenticated attacker with Editor-level privileges or higher can abuse. By submitting specially crafted shortcodes, the attacker can execute arbitrary code on the server, potentially leading to full site compromise, data manipulation, or further malicious activity within the affected environment.
The vendor has issued a fix, and users are strongly encouraged to update without delay. Upgrading to version 4.2.2 or any newer release restores proper restrictions on shortcode attributes and closes the attack vector. The patch is available at the time of publication, and no complications with it have been reported, so prompt remediation is a straightforward step for administrators who rely on the plugin.
Adobe Patches Improper Input Validation Vulnerability, CVE-2025-54236, Affecting Its Commerce and Magento Open Source Platforms - On September 9, 2025, Adobe released security patches for CVE-2025-54236, a critical-severity improper input validation vulnerability impacting its Commerce, Commerce B2B, and Magento Open Source platforms. This flaw resides in the Commerce REST API and, if successfully exploited, could allow attackers to bypass built-in security mechanisms. Such an attack would give malicious actors the ability to compromise customer accounts, potentially leading to unauthorized access, data theft, or further manipulation of sensitive e-commerce environments. While the vulnerability is rated as critical due to the potential impact on online merchants, Adobe has stated that there are currently no known reports of active exploitation in the wild.
To mitigate the risk, Adobe has released hotfixes for a range of affected versions, including Commerce versions 2.4.4-p15, 2.4.5-p14, 2.4.6-p12, 2.4.7-p7, 2.4.8-p2, 2.4.9-alpha2 and earlier; Commerce B2B versions 1.3.3-p15, 1.3.4-p14, 1.4.2-p7, 1.5.2-p2, 1.5.3-alpha2 and earlier; and Magento Open Source versions 2.4.5-p14, 2.4.6-p12, 2.4.7-p7, 2.4.8-p2, 2.4.9-alpha2 and earlier. Organizations are strongly urged to apply the patches as soon as possible; because the flaw sits in an externally reachable REST API, unpatched storefronts remain exposed to account-compromise attempts until the hotfix is deployed.
Potential Threats
New China-Aligned Threat Actor GhostRedirector Targets Global Windows Servers for SEO Manipulation - On September 4, 2025, ESET reported a new China-aligned threat actor called GhostRedirector, which compromised about 65 Windows servers across South America and Asia. Active since at least August 2024, the group targeted healthcare, insurance, education, retail, transportation, and technology sectors. GhostRedirector uses a mix of custom malware and public exploits, including the Rungan C++ backdoor, the Gamshen IIS trojan, and privilege escalation tools based on EfsPotato and BadPotato, to conduct large-scale search engine optimization (SEO) fraud. Attribution to China is based on linguistic markers in tooling and a digital certificate tied to a Chinese company.
The attackers gain initial access through SQL injection, then execute PowerShell commands to download payloads from staging servers. They use GoToHTTP for remote access, EfsPotato and BadPotato for privilege escalation, and webshells for persistence. The final payloads, Rungan and Gamshen, provide command execution and manipulate search engine results by injecting backlinks into responses served to Googlebot, promoting gambling sites while leaving normal visitor traffic untouched. While GhostRedirector's targeting overlaps with that seen in the DragonRank campaign, ESET found no direct technical links between the two threat groups.
APT28 Executes NotDoor Campaign Using Outlook Macros and DLL Sideloading to Target NATO Entities - On September 3, 2025, LAB52 researchers reported that APT28, overlapping with activity tracked as BlueDelta, had deployed a previously unobserved Visual Basic for Applications (VBA) backdoor dubbed "NotDoor" in a campaign targeting organisations in NATO countries via Microsoft Outlook. LAB52 assessed with moderate confidence that the campaign reflects an evolution in tradecraft: a legitimate signed binary abused for DLL side-loading, a macro-based implant, and covert email-based tasking and exfiltration in support of espionage objectives. The campaign highlights the continued sophistication of APT28's operations and its focus on abusing trusted software to stay hidden.
The malware persists by installing itself within Outlook and modifying configuration settings to ensure execution whenever the application starts or receives new messages. It monitors incoming communications for specific triggers to carry out its tasks, which include exfiltrating data and responding to commands. All communications and data transfers are encrypted, and additional obfuscation techniques are employed to hinder detection and analysis. While the backdoor supports multiple functions for command execution and file transfers, its design reflects a clear intent to operate covertly within targeted environments, maintaining both persistence and stealth over extended periods.
Security Researcher Discloses Zero-Day RCE Vulnerability in TP-Link Routers - On September 2, 2025, researcher Mehrun (ByteRay) disclosed an unpatched zero-day in TP-Link Archer AX10 and AX1500 routers, with EX141, Archer VR400, and TD-W9970 models also potentially affected. The flaw lies in TP-Link’s CWMP/TR-069 implementation and can allow remote code execution. Internet scans revealed over 4,200 exposed devices, but at the time of disclosure, the issue had no CVE identifier and no evidence of active exploitation.
The bug occurs in the CWMP routine handling SOAP SetParameterValues messages, where unchecked input overflows a 3,072-byte stack buffer. Mehrun demonstrated exploitation by redirecting devices to a rogue CWMP server and delivering a malicious SOAP message, achieving full remote control. While TP-Link has released a patch for European firmware, updates for US and global versions remain pending, leaving many devices at risk until fixes are issued.
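The overflow described above is triggered by an attacker-controlled ACS pushing a SetParameterValues RPC with an oversized field. While the US and global firmware is unpatched, one compensating control is to inspect ACS-to-device CWMP traffic (for example at an ISP's ACS proxy or a lab capture) and drop SetParameterValues messages whose strings could not fit in a 3,072-byte buffer. The parser below is an added example written for this digest; it is not TP-Link's code, not the researcher's exploit, and not a reconstruction of the vulnerable routine. It assumes the overflowed buffer is 3,072 bytes as the disclosure states, applies that limit to both the parameter Name and Value because the write-up does not say which field is copied, and uses the standard TR-069 SOAP namespaces. The two request bodies are constructed sample input, not captured traffic.

```python
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
CWMP_NS = "urn:dslforum-org:cwmp-1-0"
# Size of the stack buffer the disclosure says is overflowed (assumed to apply
# to any Name/Value string, since the write-up does not name the field copied).
STACK_BUFFER_SIZE = 3072


def extract_set_parameter_values(soap_xml: str) -> list:
    """Return [(name, value), ...] from a cwmp:SetParameterValues request.

    Raises ValueError for anything that is not such a request, so a caller
    can pass other RPCs (Inform, GetParameterValues, ...) through untouched.
    """
    root = ET.fromstring(soap_xml)
    body = root.find(f"{{{SOAP_ENV}}}Body")
    if body is None:
        raise ValueError("no SOAP Body")
    spv = body.find(f"{{{CWMP_NS}}}SetParameterValues")
    if spv is None:
        raise ValueError("not a SetParameterValues request")
    # ParameterValueStruct and its children are unqualified in TR-069 messages.
    return [(pvs.findtext("Name") or "", pvs.findtext("Value") or "")
            for pvs in spv.iter("ParameterValueStruct")]


def find_oversized(pairs, limit: int = STACK_BUFFER_SIZE) -> list:
    """Return (field, parameter_name, byte_length) for every string that would
    not fit in a NUL-terminated buffer of `limit` bytes."""
    hits = []
    for name, value in pairs:
        for field, text in (("Name", name), ("Value", value)):
            n = len(text.encode("utf-8"))
            if n >= limit:  # limit-1 bytes plus the terminator is the most that fits
                hits.append((field, name[:64], n))
    return hits


def inspect_message(soap_xml: str) -> dict:
    """Verdict for one ACS->CPE message: drop it if any field is oversized."""
    try:
        pairs = extract_set_parameter_values(soap_xml)
    except ValueError as exc:
        return {"action": "pass", "reason": str(exc), "hits": []}
    hits = find_oversized(pairs)
    return {"action": "drop" if hits else "pass",
            "reason": "oversized SetParameterValues field" if hits else "ok",
            "hits": hits}


def build_set_parameter_values(name: str, value: str) -> str:
    """Constructed ACS request used as sample input (not captured traffic)."""
    return f"""<soap:Envelope xmlns:soap="{SOAP_ENV}" xmlns:cwmp="{CWMP_NS}">
  <soap:Header><cwmp:ID soap:mustUnderstand="1">1</cwmp:ID></soap:Header>
  <soap:Body>
    <cwmp:SetParameterValues>
      <ParameterList>
        <ParameterValueStruct>
          <Name>{name}</Name>
          <Value>{value}</Value>
        </ParameterValueStruct>
      </ParameterList>
      <ParameterKey>example-key</ParameterKey>
    </cwmp:SetParameterValues>
  </soap:Body>
</soap:Envelope>"""


# A routine provisioning change and a rogue-ACS request carrying a 4,000-byte value.
BENIGN_REQUEST = build_set_parameter_values(
    "InternetGatewayDevice.ManagementServer.PeriodicInformInterval", "3600")
OVERSIZED_REQUEST = build_set_parameter_values(
    "InternetGatewayDevice.ManagementServer.URL", "A" * 4000)

if __name__ == "__main__":
    for label, msg in (("benign", BENIGN_REQUEST), ("oversized", OVERSIZED_REQUEST)):
        print(label, inspect_message(msg))
```

This is a stop-gap, not a fix: the real remediation is the vendor's bounds check before the copy, and any device that can be pointed at a rogue CWMP server (the redirection step the researcher used) can also be fed a message that never passes through your proxy. The threshold is deliberately conservative (`>=` rather than `>`) because a 3,072-byte string plus its terminator already needs 3,073 bytes.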
General News
Cyberattack on Jaguar Land Rover threatens to hit British economic growth - A cyberattack on Jaguar Land Rover (JLR) has severely disrupted production and forced thousands of employees and supply-chain workers to stay home, raising alarms about the wider economic impact. JLR is responsible for around 4% of UK goods exports, and experts warn that prolonged disruption could undermine Britain’s growth targets. Analysts argue the incident highlights the risks of the government’s light-touch approach to cybersecurity regulation, which has delayed the long-promised Cyber Security and Resilience Bill despite repeated intelligence warnings. Insiders say last year’s technology secretary was briefed in a classified session about Chinese activity targeting British infrastructure, but legislative progress has stalled as ministers cite fears of over-regulation.
Cyber experts and think-tank researchers are calling for stronger supply chain controls, a clear cyber policy agenda, and faster adoption of secure-by-design principles to close systemic gaps. While the government has issued voluntary codes of practice, the lack of binding rules is fueling frustration within the UK’s cybersecurity agency. Critics argue that policymakers prioritize only catastrophic threats, leaving below-threshold attacks like the JLR breach to inflict major economic harm with little intervention. As one expert put it, “a country that can’t keep its factories running can’t keep its growth pledge,” warning that crises like this must finally push Parliament into action.
Qualys Confirms Limited Salesforce Data Exposure From Salesloft Drift Supply Chain Incident - On September 6, 2025, US cybersecurity firm Qualys reported being affected by the Salesloft Drift (SalesDrift) supply chain incident, which exposed OAuth tokens linking Drift to Salesforce. This allowed unauthorized access to certain Salesforce data, including lead and contact records. Qualys quickly disabled all Drift–Salesforce integrations and contained the incident. No customer data from Qualys Cloud Platform, Cloud Agent, or Vulnerability Scanner was impacted.
All production systems remained fully operational, and neither the codebase nor infrastructure was affected. Qualys engaged Mandiant for forensic analysis and continues monitoring for further activity. The compromise of the SalesDrift platform increases the risk of phishing, business email compromise, and pretexting attacks targeting affected employees and customers.
Hackers hijack npm packages with 2 billion weekly downloads in supply chain attack - On September 8, 2025, a significant supply chain attack compromised npm packages with over 2.6 billion weekly downloads. The threat actor gained control of developer Josh Junon's npm account through a phishing campaign using a fake npmjs.help domain. Malicious versions of popular packages, including debug and chalk, were published, containing malware designed to steal cryptocurrency wallet credentials. The malicious code was active for approximately two hours before being removed.
The attack's rapid spread was facilitated by the widespread use of the compromised packages in cloud-based environments. Researchers observed that during the brief exposure window, the malicious code reached 1 in 10 cloud environments. This incident underscores the vulnerability of the open-source ecosystem to targeted supply chain attacks and highlights the need for enhanced security measures to protect developers and users from such threats.
Threat Actor Weekly Graph
Over the past 7 days, we have been tracking the following intent and opportunity changes within our Threat Actor Landscape.
Intent represents the potential targets of a group. When a group is observed attacking a different organisation or entity, their intent will increase.
Opportunity represents the various methods and technologies these groups may use. For example, if a group started using a new attack vector, such as a new kind of ransomware, their opportunity would increase.
Both intent and opportunity are scored out of 100 and together determine the group's severity rating. This week's updates are shown below.
● Limited Severity | ● Basic Severity | ● Moderate Severity | ● High Severity

Threat Actor | Severity (previous → current) | Opportunity (previous → current) | Intent (previous → current)
---|---|---|---
GhostRedirector | NEW → ● Basic | NEW → ● 35 | NEW → ● 30
The Gentlemen Ransomware Group | NEW → ● Basic | NEW → ● 25 | NEW → ● 35
Yurei Ransomware Group | NEW → ● Basic | NEW → ● 25 | NEW → ● 30
momo | NEW → ● Basic | NEW → ● 30 | NEW → ● 25
GTG-2002 | NEW → ● Basic | NEW → ● 30 | NEW → ● 25
Global Trends Powered by Recorded Future
Within each category, we have provided the current top five globally trending items. Each item is linked to how actively trending it is and is marked with a small symbol.
The spikes in references are calculated over 60 days and are normalised to ensure they aren't disproportionate when compared to bigger entities that will naturally have more baseline mentions.
▲ Spike – a large increase in reporting volume with high diversity in the event descriptions.
▲ Rise – a small increase in reporting volume with little diversity in the descriptions.
Attackers | Methods | Vulnerabilities | Targets
---|---|---|---
Anonymous ▲ | Supply Chain Attack ▲ | CVE-2025-54236 ▲ | Tata ▲
KillSecurity Ransomware Group ▲ | Malicious Attack ▲ | CVE-2025-48384 ▲ | JLR ▲
Dark Storm Team ▲ | Exploit ▲ | CVE-2025-42957 ▲ | Quantum Security and Computing ▲
Embi ▲ | T1583.001 (Domains) ▲ | CVE-2025-50264 ▲ | GitHub ▲
Killnet ▲ | Phishing ▲ | CVE-2025-6004 ▲ | NPM ▲
Prominent Information Security Events
New China-Aligned Threat Actor GhostRedirector Targets Global Windows Servers for SEO Manipulation
Source: Insikt Group | Validated Intelligence Event
IOC: Domain - 868id[.]com
IOC: IP - 104[.]233[.]210[.]229
IOC: SHA-1 - 28140a5a29eba098bc6215ddac8e56eacbb29b69
On September 4, 2025, ESET reported that a previously undocumented threat actor, “GhostRedirector,” compromised around 65 Windows servers across South America and Asia, targeting healthcare, insurance, education, retail, transportation, and technology sectors. Active since at least August 2024, GhostRedirector deployed novel malware, including the “Rungan” C++ backdoor and the “Gamshen” IIS trojan, alongside privilege escalation tools based on EfsPotato and BadPotato exploits to conduct SEO fraud. ESET assessed with medium confidence that the actor is China-aligned, citing linguistic artifacts and a digital certificate issued to a Chinese company.
GhostRedirector gains initial access through an as-yet-unidentified SQL injection vulnerability, then runs PowerShell commands spawned from sqlserver[.]exe, or uses CertUtil, to download binaries, including EfsPotato and BadPotato, from the staging server 868id[.]com. The threat actor also installs GoToHTTP to maintain remote access and uses EfsPotato/BadPotato-based tools bundled with Comdai to create or modify administrator accounts, execute binaries, and interact with the system. These tools are obfuscated with .NET Reactor or signed with certificates issued by TrustAsia RSA Code Signing CA G3 to Shenzhen Diyuan Technology.
For persistence, GhostRedirector deploys the Zunput webshell dropper and infostealer to enumerate IIS configurations and active websites before installing ASP, PHP, and JavaScript webshells. Rungan registers hidden HTTP endpoints for command execution, while Gamshen intercepts Googlebot requests to inject backlinks that manipulate search engine results promoting gambling sites, leaving regular traffic unaffected. Although ESET noted overlap with a prior DragonRank campaign, no direct links were found; DragonRank is a separate China-aligned threat actor previously associated with SEO fraud.
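Because Gamshen only alters responses to Googlebot, the compromised site looks clean to its own administrators. The quickest check for this kind of cloaking, covering both the summary above and this section, is to request the same page twice with different User-Agent headers and diff the outbound links. The script below is an added example written for this digest, not ESET's tooling and not derived from Gamshen itself. It uses Python's standard library only; the two HTML bodies are constructed sample pages (the clinic and gambling hostnames are placeholders), and the `fetch`/`check_site` helpers do live requests and are therefore not exercised offline.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import urllib.request

# Googlebot's published desktop User-Agent and an ordinary browser one.
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/120.0 Safari/537.36")


class LinkCollector(HTMLParser):
    """Collect href targets of <a> tags; tolerant of the broken HTML real sites serve."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for key, val in attrs:
                if key == "href" and val:
                    self.hrefs.append(val)


def external_hosts(html: str, site_host: str) -> set:
    """Hostnames linked from `html` other than the site's own host.
    Relative links (no host) are the site's own and are ignored."""
    parser = LinkCollector()
    parser.feed(html)
    hosts = set()
    for href in parser.hrefs:
        host = urlparse(href).hostname
        if host and host.lower() != site_host.lower():
            hosts.add(host.lower())
    return hosts


def cloaked_link_hosts(html_browser: str, html_googlebot: str, site_host: str) -> set:
    """Hosts that appear only in the response served to Googlebot.
    A non-empty result means the server is showing crawlers links users never see."""
    return external_hosts(html_googlebot, site_host) - external_hosts(html_browser, site_host)


def fetch(url: str, user_agent: str, timeout: int = 15) -> str:
    """Fetch `url` with a chosen User-Agent (network; not exercised offline)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        return resp.read().decode(charset, "replace")


def check_site(url: str) -> set:
    """Fetch once as a browser and once as Googlebot; return hosts shown only to Googlebot."""
    host = urlparse(url).hostname or ""
    return cloaked_link_hosts(fetch(url, BROWSER_UA), fetch(url, GOOGLEBOT_UA), host)


# Constructed sample pages (placeholders, not captured from a real victim).
BROWSER_HTML = """<html><body>
<h1>Clinic appointments</h1>
<p><a href="/book">Book online</a> or visit our
<a href="https://partner.example/referrals">partner network</a>.</p>
</body></html>"""

# Same page as Gamshen-style cloaking would serve to Googlebot: hidden backlinks appended.
GOOGLEBOT_HTML = BROWSER_HTML.replace(
    "</body>",
    '<div style="display:none"><a href="https://promo.gambling.example/casino">best odds</a>'
    '<a href="https://promo.gambling.example/slots">free spins</a></div></body>')

if __name__ == "__main__":
    print(cloaked_link_hosts(BROWSER_HTML, GOOGLEBOT_HTML, "clinic.example"))
```

A User-Agent swap only catches cloakers that key on the header, as the report says Gamshen does. Code that also verifies the client's IP belongs to Google would show nothing to this script; in that case compare against a fetch made by Google itself (for instance through Search Console's URL inspection) or inspect the IIS module list on the server directly.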
APT28 Executes NotDoor Campaign Using Outlook Macros and DLL Sideloading to Target NATO Entities
Source: Insikt Group | Validated Intelligence Event
IOC: Email Address - a[.]matti444@proton[.]me
IOC: SHA256 - fcb6dc17f96af2568d7fa97a6087e4539285141206185aec5c85fa9cf73c9193
On September 3, 2025, researchers from Lab52, the threat intelligence team at S2 Grupo, reported that the Russian state-sponsored threat group APT28 had deployed a previously unobserved Visual Basic for Applications (VBA) backdoor dubbed “NotDoor” in a campaign targeting organisations in NATO countries via Microsoft Outlook. The backdoor was named “NotDoor” due to the recurring word “nothing” found within its code. This campaign highlights the ongoing evolution of APT28, demonstrating how the threat group continues to generate new artefacts capable of bypassing established defence mechanisms.
The intrusion chain begins with abuse of the legitimate OneDrive.exe binary to perform dynamic-link library (DLL) side-loading of a malicious SSPICLI.dll. The DLL installs the Outlook VBA backdoor by dropping a file at c:\programdata\testtemp.ini. For persistence, the malware executes three Base64-encoded PowerShell commands: copying the backdoor to %APPDATA%\Microsoft\Outlook\VbaProject.OTM, performing an nslookup to webhook[.]site using the victim’s username to verify successful execution, and sending a curl request to the same domain with the username. The malware also modifies registry keys, enabling the LoadMacroProviderOnBoot subkey and disabling macro security warnings and dialog prompts under the Outlook configuration. Execution of the macro is triggered by the Application_MAPILogonComplete and Application_NewMailEx events—activating the payload when Outlook starts or receives new mail.
Once executed, the macro creates a working directory at %TEMP%\Temp, exfiltrates all files in that folder to a.matti444[@]proton[.]me, and then deletes them regardless of transmission success. To activate functionality, the malware monitors incoming emails for specific trigger strings such as “Daily Report.” When detected, the message is parsed for commands and then deleted. The backdoor supports four encrypted commands: cmd - executes a shell command and returns the output via email attachment; cmdno - executes a command without returning output; dwn - exfiltrates specified files as email attachments; upl - uploads files to the victim’s machine. Results of executed commands are returned via email with the subject line formatted as Re: . Attached files follow predefined naming conventions such as report_123.pdf or invoice_456.docx. To hinder detection and analysis, the malware prepends random alphanumeric characters to valid Base64-encoded strings, creating the appearance of encryption.
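The chain above leaves several host artefacts that endpoint telemetry records: OneDrive.exe loading an SSPICLI.dll from a non-system path, encoded PowerShell that copies the implant to VbaProject.OTM, the .OTM file itself being written, the LoadMacroProviderOnBoot value being set, and the DNS lookup of webhook[.]site. The script below is an added example written for this digest, not Lab52's detection content and not a reconstruction of the malware; it evaluates those indicators against Sysmon-style events (IDs 7, 1, 11, 13 and 22 with their usual field names). The events are constructed; user names, SIDs and the full registry path under which LoadMacroProviderOnBoot lives are assumptions, since the report names only the value.

```python
import base64
import re

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def decode_encoded_command(cmdline: str) -> str:
    """Decode a PowerShell -EncodedCommand (-e/-ec/-enc) argument, which is
    Base64 of the UTF-16LE script text. Returns "" if none is present."""
    m = re.search(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def evaluate(ev: dict) -> list:
    """Return the names of the NotDoor indicators one Sysmon-style event matches."""
    eid = ev.get("EventID")
    low = {k.lower(): str(v).lower() for k, v in ev.items()}
    hits = []
    # 7 ImageLoad: OneDrive.exe loading SSPICLI.dll from outside the Windows system dirs
    if eid == 7 and low.get("image", "").endswith("\\onedrive.exe"):
        dll = low.get("imageloaded", "")
        if dll.endswith("\\sspicli.dll") and not dll.startswith(SYSTEM_DIRS):
            hits.append("onedrive_sspicli_sideload")
    # 1 ProcessCreate: encoded PowerShell that touches VbaProject.OTM or webhook.site
    if eid == 1 and low.get("image", "").endswith("\\powershell.exe"):
        decoded = decode_encoded_command(ev.get("CommandLine", "")).lower()
        if "vbaproject.otm" in decoded or "webhook.site" in decoded:
            hits.append("encoded_powershell_outlook_macro")
    # 11 FileCreate: Outlook's VBA project written (benign only where users author Outlook macros)
    if eid == 11 and low.get("targetfilename", "").endswith("\\microsoft\\outlook\\vbaproject.otm"):
        hits.append("outlook_vbaproject_otm_written")
    # 13 RegistryValueSet: LoadMacroProviderOnBoot switched on under the Outlook key
    if (eid == 13 and low.get("targetobject", "").endswith("\\outlook\\loadmacroprovideronboot")
            and "0x00000001" in low.get("details", "")):
        hits.append("outlook_loadmacroprovideronboot_enabled")
    # 22 DnsQuery: the webhook.site execution check
    qn = low.get("queryname", "")
    if eid == 22 and (qn == "webhook.site" or qn.endswith(".webhook.site")):
        hits.append("webhook_site_dns_check")
    return hits


def hunt(events: list) -> dict:
    """Map each matched indicator to the indices of the events that triggered it."""
    found = {}
    for idx, ev in enumerate(events):
        for rule in evaluate(ev):
            found.setdefault(rule, []).append(idx)
    return found


def encode_powershell(script: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects it (UTF-16LE, Base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed events using Sysmon field names. Paths, user name and SID are illustrative;
# the registry path for LoadMacroProviderOnBoot is assumed (the report names only the value).
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "ImageLoaded": r"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\SSPICLI.dll"},
    {"EventID": 7, "Image": r"C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "ImageLoaded": r"C:\Windows\System32\sspicli.dll"},  # normal load, must not fire
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -enc " + encode_powershell(
         r"Copy-Item c:\programdata\testtemp.ini $env:APPDATA\Microsoft\Outlook\VbaProject.OTM")},
    {"EventID": 11, "TargetFilename": r"C:\Users\jdoe\AppData\Roaming\Microsoft\Outlook\VbaProject.OTM"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1000\Software\Microsoft\Office\16.0\Outlook\LoadMacroProviderOnBoot",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 22, "Image": r"C:\Windows\System32\nslookup.exe", "QueryName": "webhook.site"},
]

if __name__ == "__main__":
    for rule, idxs in hunt(SAMPLE_EVENTS).items():
        print(f"{rule}: events {idxs}")
```

Treat the individual indicators as medium-fidelity: VbaProject.OTM is written legitimately wherever a user authors Outlook macros, and webhook[.]site is used by developers. Two or more of these rules firing on the same host within a short window, with the side-load as the anchor, is the pattern worth paging on. Decoding the PowerShell argument rather than matching on the raw command line matters because the implant's commands are Base64 on the wire and would otherwise never match a plain string rule.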
Remediation Actions
Following the information provided above, we recommend that the technologies mentioned be fully patched and updated. We also want to highlight and recommend applying the following patches where applicable:
- CVE-2025-9519: Update Easy Timer plugin for WordPress to version 4.2.2 or newer to ensure that the plugin enforces proper restrictions and closes off the attack vector.
- CVE-2025-54236: This vulnerability in Adobe products can be addressed by updating Commerce, Commerce B2B and Magento Open Source versions to the most recent patches.
- CVE-2025-7775: Citrix has released fixed versions, including 14.1-47.48, 13.1-59.22, 13.1-37.241 (FIPS/NDcPP), and 12.1-55.330 (FIPS/NDcPP). We recommend updating these as soon as possible due to the various exposed NetScaler devices observed by Shodan.
If you are currently an Acumen Cyber Vulnerability Management customer, we will be proactively performing related searching and hunting activities within your environment.