Cyber Threat Intelligence Digest: Week 37

17th September 2025 - Threat Reports
  • Vulnerabilities
  • Potential Threats
  • General News
  • Threat Actor Weekly Graph
  • Global Trends Powered by Recorded Future
  • Prominent Information Security Events
  • Remediation Actions

Executive Summary - Highlights of Cyber Threat Intelligence Digest

Vulnerabilities

Sophos Patches Authentication Bypass Vulnerability CVE-2025-10159 Affecting AP6 Wireless Access Points - On September 9, 2025, Sophos patched an authentication bypass vulnerability tracked as CVE-2025-10159, affecting AP6 Wireless Access Points versions 1.7.2562 (MR7) and earlier. Successful exploitation could allow threat actors to escalate privileges using the access point’s management IP address. At the time of writing, there are no reports of this vulnerability being exploited in the wild.

ETH Zurich Researchers Disclose VMScape (CVE-2025-40300) PoC Exploit Affecting AMD Zen CPUs and Intel CPUs in Virtualised Environments - On September 11, 2025, ETH Zurich researchers disclosed VMScape (CVE-2025-40300), a proof-of-concept (PoC) exploit that demonstrates incomplete branch predictor isolation in cloud environments.

The vulnerability affects all AMD Zen CPUs, including Zen 5, where the branch predictor cannot distinguish between host and guest execution, and also impacts older Intel CPUs lacking enhanced Indirect Branch Restricted Speculation (eIBRS)-based isolation. This flaw enables virtualisation branch target injection (vBTI) attacks, allowing a malicious Kernel-based Virtual Machine (KVM) guest to steal sensitive data such as encryption keys from a userspace hypervisor like QEMU.

Although Intel CPUs use eIBRS for stronger isolation, researchers confirmed they remain partially vulnerable to virtualisation branch history injection (vBHI).

CISA Releases Eleven Advisories Addressing ICS Vulnerabilities Affecting Products from Siemens, Daikin, and Schneider Electric - On September 11, 2025, the US Cybersecurity and Infrastructure Security Agency (CISA) released eleven advisories covering sixteen vulnerabilities across Siemens, Schneider Electric, and Daikin products. Siemens products accounted for the majority, with flaws ranging from improper privilege management and buffer overflows to resource consumption and sensitive data exposure.

Schneider Electric products had vulnerabilities tied to unauthorised data access, denial-of-service risks, and file accessibility issues, while Daikin’s Security Gateway was found to have a weak password recovery mechanism.

All affected vendors have released patches addressing these vulnerabilities, and CISA confirmed there have been no known exploits in the wild so far. However, successful exploitation of these flaws could lead to severe outcomes, including system compromise, data theft, denial-of-service attacks, and privilege escalation, emphasising the importance of applying the updates promptly.

Potential Threats

Threat Actors Deploy EvilAI Malware via Trojanized Applications Targeting Multiple Sectors Globally - On September 11, 2025, Trend Micro reported that unknown threat actors deployed a newly identified malware family, "EvilAI", to infiltrate systems in manufacturing, government, healthcare, and technology sectors with activity observed across India, the United States, and France. First observed in August 2025, EvilAI mimics legitimate artificial intelligence (AI) tools, abuses valid digital signatures, bundles malicious payloads with functional features, and uses AI-generated code to evade detection and enable further compromise.

The EvilAI malware is delivered through trojanised applications hosted on spoofed websites or malicious advertisements on social media platforms or forums. Once launched, the applications trigger Node[.]js (node[.]exe) to execute hidden JavaScript payloads stored in the temporary directory while presenting a functional interface to the victims. The malware establishes persistence by creating scheduled tasks disguised as system processes, placing Start Menu shortcuts, and adding Registry Run key entries to ensure execution after reboot or logon.

CyberVolk Ransomware Targets Governments and Critical Infrastructure in Japan, France, and the UK - On September 9, 2025, AhnLab published an analysis of “CyberVolk” ransomware, detailing its dual encryption structure, deceptive decryption routine, and targeting of government agencies, critical infrastructure, and scientific institutions in countries opposing Russia. First observed in May 2024, the ransomware group “CyberVolk” has claimed responsibility for attacks on organisations in Japan, France, and the United Kingdom.

CyberVolk uses Telegram as its primary communication channel for operations and victim communication. Its activity appears intended to support political and strategic disruption aligned with Russia’s geopolitical objectives. During execution, if run with user-level privileges, CyberVolk attempts to elevate its permissions by re-running with administrator rights. The ransomware excludes critical system directories and files, such as Windows, Program Files, and ProgramData, and encrypts nearly all file types, skipping those already encrypted with the CyberVolk extension.

Malvertising Campaign Abused Dangling GitHub Commits to Distribute Trojanised GitHub Desktop Client - On September 11, 2025, Palo Alto Networks Unit 42 published an analysis detailing a malvertising campaign that used dangling commits in official GitHub repositories to distribute a trojanised GitHub Desktop client. Dangling commits occur when a malicious commit in a forked repository is presented as if it were part of the legitimate upstream project, deceiving users into trusting it. 

Unit 42 reports that, since early August 2025, it has observed at least eight cases across the US, Europe, South America, and Asia, affecting industries ranging from communications and software to tourism, e-commerce, and retail. The campaign tricks victims into downloading the trojanised client, which delivers malware in the background.

General News

Cyberattacks against schools driven by a rise in student hackers - The U.K.’s Information Commissioner's Office (ICO) warned on Thursday that student hackers motivated by dares are driving an increasing number of cyberattacks and data breaches affecting schools. It advised parents “to have regular conversations with their children about what they get up to online” and warned that children hacking into their school’s computer systems may be setting themselves up for lives of cybercrime.

The privacy regulator said it identified “a worrying pattern” in the 215 insider threat breach reports from the education sector between January 2022 and August 2024, with 57% of incidents caused by students who were likely motivated by “dares, notoriety, financial gain, revenge and rivalries.”

The advisory comes as young, English-speaking cybercriminals have made headlines with their reported involvement in cyberattacks in recent years. In July, the National Crime Agency (NCA) arrested four individuals, three of them teenagers, on suspicion of involvement in a range of ransomware attacks targeting British retailers.

UK delays introducing new cybersecurity legislation - The British government’s much-delayed Cyber Security and Resilience Bill (CSRB) has been delayed again, according to sources with knowledge of the parliamentary schedule. It is the latest in a series of hindrances for the update of Britain’s cybersecurity regulations, despite the main provisions being finalised three years ago, potentially contributing to further disruptive attacks.

After prematurely describing the laws as “updated” in 2022, the Sunak government failed to actually timetable the introduction of its own bill to Parliament. The Starmer government’s largely identical law was set to be introduced on Wednesday to the House of Commons, but has been put on hold amid a cabinet reshuffle of senior and junior ministers. No new date for introducing the bill has been set.

It comes amid a series of high-profile cyberattacks causing disruption to British companies. Most recently, production has been halted at Jaguar Land Rover, one of the British economy’s most significant manufacturers, prompting one expert to warn the attack was “more than a company outage, it’s an economic security incident.”

FBI warns of Scattered Spider and ShinyHunters attacks on Salesforce platforms - Hackers connected to the Scattered Spider and ShinyHunters cybercriminal operations are extorting organisations for exorbitant ransoms after stealing data from Salesforce, the FBI warned. The agency released a flash notice on Friday with information about an ongoing data theft campaign that has impacted hundreds of businesses this year. The FBI refers to the hackers as both UNC6040 and UNC6395 and by their colloquial names of ShinyHunters and Scattered Spider, respectively.

After months spent breaching some of the largest companies in the world, the hackers are now attempting to extort victim organisations, threatening to leak troves of customer data, business documents and more.

The FBI did not say how many victims have received extortion emails demanding payment in cryptocurrency, but they noted that the monetary demands have varied widely and are made at seemingly random times. Some extortion incidents were initiated days after data exfiltration, while others took place months later.

Threat Actor Weekly Graph

Over the past 7 days, we have been tracking the following intent and opportunity changes within our Threat Actor Landscape.

Intent represents the potential targets of a group. When a group is observed attacking a different organisation or entity, their intent will increase.

Opportunity represents the various methods and technologies these groups may use. For example, if a group started using a new attack vector, such as a new kind of ransomware, their opportunity would increase.

Both intent and opportunity are scored out of 100 and are responsible for scoring the group's severity. These updates can be seen below.

Severity scale: Limited, Basic, Moderate, High

Threat Actor                   | Severity (before -> after) | Opportunity (before -> after) | Intent (before -> after)
The Gentleman Ransomware Group | NEW -> Basic               | NEW -> 41                     | NEW -> 40
Yurei Ransomware Group         | NEW -> Basic               | NEW -> 25                     | NEW -> 30
Radar Ransomware Group         | NEW -> Basic               | NEW -> 25                     | NEW -> 30
Big-Bro                        | Basic -> Basic             | 30 -> 30                      | 5 -> 26
DNI                            | Basic -> Basic             | 40 -> 30                      | 25 -> 26

Global Trends Powered by Recorded Future

Within each category, we have provided the current top five globally trending items. Each item is marked with a small symbol indicating how actively it is trending.

The spikes in references are calculated over 60 days and are normalised to ensure they aren't disproportionate when compared to bigger entities that will naturally have more baseline mentions.

- Spike – This indicates a large increase in reporting volume and a high diversity in the event descriptions.
- Rise – This indicates a small increase in reporting volume with little diversity in the descriptions.

Attackers                     | Methods                                    | Vulnerabilities | Targets
Lapsus$ Group                 | Flash Loan Attack                          | CVE-2025-6218   | Fast Moving Consumer Groups
Kimsuky                       | T1589 (Gather Victim Identity Information) | CVE-2025-5821   | Tata Group
UNC6395                       | EVEREST Ransomware                         | CVE-2025-7344   | JLR
Shiny Hunters                 | INC Ransomware                             | CVE-2025-21043  | SK Telecom
KillSecurity Ransomware Group | Exploit                                    | CVE-2025-40766  | Banking

Prominent Information Security Events

Threat Actors Deploy EvilAI Malware via Trojanised Applications Targeting Multiple Sectors Globally 

Source: Insikt Group | Validated Intelligence Event

IOC: URL - hxxps://9mdp5f[.]com

IOC: SHA256 - b0c321d6e2fc5d4e819cb871319c70d253c3bf6f9a9966a5d0f95600a19c0983

On September 11, 2025, Trend Micro reported that unknown threat actors deployed a newly identified malware family, "EvilAI", to infiltrate systems in manufacturing, government, healthcare, and technology sectors with activity observed across India, the United States, and France. First observed in August 2025, EvilAI mimics legitimate artificial intelligence (AI) tools, abuses valid digital signatures, bundles malicious payloads with functional features, and uses AI-generated code to evade detection and enable further compromise.

The EvilAI malware is delivered through trojanised applications hosted on spoofed websites or malicious advertisements on social media platforms or forums. Once launched, the applications trigger Node[.]js (node[.]exe) to execute hidden JavaScript payloads stored in the temporary directory while presenting a functional interface to the victims. The malware establishes persistence by creating scheduled tasks disguised as system processes, placing Start Menu shortcuts, and adding Registry Run key entries to ensure execution after reboot or logon.

To strengthen its foothold, EvilAI enumerates active processes using Windows Management Instrumentation (WMI) and queries the registry for installed security and antivirus (AV) tools. It then terminates browsers (such as Microsoft Edge and Google Chrome) and duplicates sensitive profile data to facilitate credential theft.

Throughout the campaign, EvilAI employs AI-generated clean code, Unicode encoding, control-flow flattening, meaningless variables, and MurmurHash3 loops to evade detection and hinder reverse engineering. It maintains command and control (C2) via AES-encrypted HTTPS traffic.
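The execution and persistence behaviours described above (node.exe running hidden JavaScript from the temporary directory, and Registry Run key entries for logon persistence) can be hunted for in endpoint telemetry. The following is an added example, not code from this digest or from Trend Micro's analysis: it runs two checks over constructed Sysmon-style process-creation and registry events (all paths, hostnames and file names are invented for illustration).

```python
import re

# Constructed sample events in a simplified Sysmon-like shape:
# EventID 1 = process creation, EventID 13 = registry value set. Not real IoCs.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Program Files\nodejs\node.exe",
     "CommandLine": r'"C:\Program Files\nodejs\node.exe" C:\dev\app\server.js'},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\AIHelper\node.exe",
     "CommandLine": r'node.exe "C:\Users\alice\AppData\Local\Temp\x7k2.js"'},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdate",
     "Details": r'"C:\Users\alice\AppData\Local\AIHelper\node.exe" "%TEMP%\x7k2.js"'},
    {"EventID": 13,
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
]

# Temp locations a user-mode dropper typically stages scripts in (heuristic, not exhaustive).
TEMP_DIR_RE = re.compile(r"(\\AppData\\Local\\Temp\\|%TEMP%|%TMP%|\\Windows\\Temp\\)", re.I)
# First .js argument on the command line, with or without surrounding quotes.
JS_ARG_RE = re.compile(r"[\"']?([^\s\"']+\.js)[\"']?", re.I)
# Autostart keys checked at logon (Run and RunOnce under any hive).
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)

def check_process(ev):
    """Flag node.exe launching a .js file that lives in a temp directory."""
    if ev.get("EventID") != 1 or not ev.get("Image", "").lower().endswith("\\node.exe"):
        return None
    m = JS_ARG_RE.search(ev.get("CommandLine", ""))
    if m and TEMP_DIR_RE.search(m.group(1)):
        return f"node.exe executing script from temp dir: {m.group(1)}"
    return None

def check_run_key(ev):
    """Flag Run/RunOnce autostart values that launch node.exe (persistence after logon)."""
    if ev.get("EventID") != 13 or not RUN_KEY_RE.search(ev.get("TargetObject", "")):
        return None
    if "node.exe" in ev.get("Details", "").lower():
        return f"Run key autostart launching node.exe: {ev['TargetObject']}"
    return None

def hunt(events):
    """Apply every check to every event and return the list of finding strings."""
    findings = []
    for ev in events:
        for check in (check_process, check_run_key):
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Benign Node.js usage (a developer's server.js under a project directory, a vendor's own autostart entry) is left alone; only the temp-directory script and the node.exe Run key are surfaced.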

Malvertising Campaign Abused Dangling GitHub Commits to Distribute Trojanised GitHub Desktop Client 

Source: Insikt Group | Validated Intelligence Event

IOC: Email Address - vilenakoroleva000@rambler[.]ru

IOC: SHA256 - 0b9afc9019f3074c429025e860294cb9456510609dd1dca8e8378753ade5a17e

On September 11, 2025, Palo Alto Networks’ Unit 42 revealed a large-scale malvertising campaign that exploited dangling commits in official GitHub repositories to spread a trojanised version of the GitHub Desktop client. Attackers created fake GitHub accounts to fork the legitimate repository, injected malicious commits, then deleted the accounts to hide their activity. They used deceptive URLs and malvertising to lead victims to fake download sites disguised as GitHub portals. Clicking “Download GitHub Desktop” installed the trojanised client, which silently delivered malware. At least eight attacks since August 2025 targeted victims across the US, Europe, South America, and Asia in sectors like communications, e-commerce, tourism, and software.

The malware sample analysed by Insikt Group exhibited malicious behaviours, including API hooking, reflective PE injection, keystroke logging, file enumeration, debugger detection, and process termination. It also employed evasion tactics such as delaying execution and detecting sandbox environments. Multiple staging servers were identified as part of the campaign’s infrastructure, and indicators of compromise (IoCs) were provided to help organisations detect and respond to the threat.

Remediation Actions

Following the information provided above, we recommend that the technologies mentioned be fully patched and updated. We also want to highlight and recommend applying the following patches where applicable:

  • CVE-2025-10159: To prevent threat actors from exploiting CVE-2025-10159, we recommend organisations update AP6 Wireless Access Points to version 1.7.2563 (MR7).
  • CVE-2025-40300: We recommend organisations apply the latest Linux kernel updates, which include optimised use of the Indirect Branch Prediction Barrier (IBPB) to flush branch predictor states on VMExit.
  • CISA ICS: We recommend organisations apply the latest vendor patches for Siemens, Schneider Electric, and Daikin products to address the vulnerabilities.

If you are currently an Acumen Cyber Vulnerability Management customer, we will be proactively performing related searching and hunting activities within your environment.