Heroes, another exciting day. Keep watching out for social-engineering and adjacent attacks.
Remember, these phishing attacks are basically looking to fool "a smart person in a hurry". Just put an official-looking, urgent call to action in an email, and you might overload the prefrontal cortex for long enough for the victim to approve an action, even when they know better. It's hacking the fight-or-flight response, which attackers know is built into the HumanOS.
Here's a detailed look at the current cybersecurity landscape for September 9, 2025.
Date & Time: 2025-09-09T14:14:41
A sophisticated malware campaign dubbed GPUGate is leveraging malicious Google Ads and fake GitHub repositories to distribute malware targeting IT firms. The operation is notable for its novel hardware-specific evasion technique that utilizes the system's GPU, making it difficult for traditional security tools to detect and analyze. This represents a significant evolution in malware capabilities that security teams must now consider.
CVE Details: n/a
Source: The Hacker News, Security Boulevard, Reddit
Date & Time: 2025-09-09T12:11:38
On September 8, a single phishing email targeting a package maintainer resulted in one of the most damaging supply chain attacks on the npm registry. Attackers gained credentials and 2FA codes, allowing them to inject crypto-stealing malware into 18 popular JavaScript packages with a combined total of over 2.6 billion weekly downloads. This incident highlights the critical vulnerability of open-source ecosystems to social engineering and the widespread impact such compromises can have.
CVE Details: n/a
Source: strobes.co
Date & Time: 2025-09-09T12:59:42
The Amp’ed RF BT-AP 111 Bluetooth Access Point exposes its HTTP-based administrative interface without any authentication controls. This critical vulnerability, tracked as VU#763183, allows any unauthenticated remote attacker to gain full administrative access to the device. Organizations using this hardware face a severe risk of compromise, as attackers can easily take control of the device and potentially pivot into the broader network.
CVE Details: n/a
Source: CERT/CC
Date & Time: 2025-09-09T13:08:18
The digital platforms for Burger King, Tim Hortons, and Popeyes, all under Restaurant Brands International (RBI), were compromised due to what are described as easily exploitable and catastrophic security vulnerabilities. The attackers noted the company's "commitment to terrible security practices," indicating fundamental flaws in their security posture. This breach affects a massive consumer base and underscores the risks of insecure shared platforms across major brands.
CVE Details: n/a
Source: Hacker News Discussion
Date & Time: 2025-09-09T14:14:00
Threat actors are leveraging the HTTP client tool Axios in conjunction with Microsoft's Direct Send feature to create a highly effective phishing pipeline targeting Microsoft 365 users. ReliaQuest reports a 241% surge in Axios user agent activity from June to August 2025, indicating widespread adoption of this technique. The campaigns use sophisticated 2FA bypass kits to compromise accounts, posing a significant threat to organizations relying on Microsoft's cloud services.
CVE Details: n/a
Source: The Hacker News
Date & Time: 2025-09-08T15:20:44
The Chinese state-sponsored group APT41 has been observed sending malicious emails that impersonate U.S. Representative John Moolenaar. The spear-phishing campaign targeted trade groups to deliver malware, likely for intelligence gathering purposes ahead of US-China trade talks. This operation demonstrates the continued use of sophisticated social engineering and impersonation by nation-state actors for espionage.
CVE Details: n/a
Source: SecurityWeek
Date & Time: 2025-09-09T10:27:00
A new phishing campaign is distributing MostereRAT, a stealthy banking malware that has evolved into a full-featured remote access trojan (RAT). The attack chain incorporates multiple advanced evasion techniques to bypass security controls, gain complete system control, and exfiltrate sensitive information. The evolution of banking trojans into versatile RATs increases the risk to compromised organizations, enabling a wider range of post-exploitation activities.
CVE Details: n/a
Source: The Hacker News
Date & Time: 2025-09-08T13:47:56
A new international guidance document is encouraging the widespread adoption of Software Bills of Materials (SBOMs) to bolster software supply chain security. For executives and security leaders, this represents a strategic shift towards greater transparency and proactive vulnerability management. Implementing SBOM practices can significantly reduce risk from incidents like the recent npm package compromise by providing clear visibility into software components and their associated vulnerabilities.
Source: Cyble
Spotlight Rationale: Microsoft is selected due to a high-severity threat directly targeting its Microsoft 365 ecosystem. A new phishing campaign is abusing Microsoft's own 'Direct Send' feature, combined with the Axios HTTP client, to bypass traditional email security and compromise user accounts.
Threat Context: Axios Abuse and Salty 2FA Kits Fuel Advanced Microsoft 365 Phishing Attacks
Platform Focus: Microsoft 365 & Microsoft Defender for Office 365
The abuse of legitimate tools like Axios and native platform features like Direct Send makes detection challenging for standard email gateways. This technique allows attackers to craft highly convincing phishing emails that appear to originate from a trusted source, increasing their success rate in stealing credentials and bypassing MFA. Organizations must enhance their M365 security posture with specific detection logic and configuration hardening to counter this evolving threat.
Actionable Platform Guidance: Based on available intelligence, specific configuration adjustments and monitoring are recommended to mitigate this threat vector.
Source: The Hacker News
⚠️ Disclaimer: Test all detection logic in non-production environments before deployment.
1. Vendor Platform Configuration - Microsoft
# Mitigating M365 Phishing via Axios & Direct Send
# Disclaimer: This guidance is a best effort. Contact Microsoft for detailed support.
# IMMEDIATE ACTION: Create a Mail Flow Rule in Exchange Admin Center
1. Navigate to Exchange admin center > Mail flow > Rules.
2. Click 'Add a rule' and 'Create a new rule'.
3. Name the rule: "Block Anomalous User-Agent (Axios)".
4. Apply this rule if: 'A message header' > 'matches these text patterns'.
- Header name: 'User-Agent'
- Text patterns: 'axios/'
5. Do the following: 'Block the message' > 'reject the message and include an explanation' or 'delete the message without notifying anyone'.
6. Set priority and save the rule.
# VERIFICATION STEP: Monitor Mail Flow & Message Traces
1. After implementing the rule, navigate to Exchange admin center > Mail flow > Message trace.
2. Run a new trace filtering for messages that were processed by your new transport rule.
3. Verify that emails with the 'axios/' User-Agent are being blocked as expected and that no legitimate mail is impacted.
2. YARA Rule for Axios Phishing Artifacts
rule Detect_M365_Axios_Phishing_UA {
    meta:
        description = "Detects the Axios User-Agent string in email headers, associated with recent M365 phishing campaigns."
        author = "Threat Rundown"
        date = "2025-09-09"
        reference = "https://thehackernews.com/2025/09/axios-abuse-and-salty-2fa-kits-fuel.html"
    strings:
        $ua_header = "User-Agent: axios/"
    condition:
        $ua_header
}
3. SIEM Query — Hunting for Anomalous User-Agent Spikes
# Splunk/QRadar/Sentinel Example
# This query looks for email logs containing the Axios user-agent. A sudden spike is highly suspicious and should be investigated for a targeted phishing campaign.
(source="m365:email" OR sourcetype="MS:O365:reporting:messagetrace") http_user_agent="axios*"
| timechart span=1h count by http_user_agent
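As an added illustration of the spike-hunting logic above (not part of the original rundown or of any vendor tooling), this Python script buckets constructed message-trace-style log lines by hour, counts messages sent with an axios User-Agent, and flags hours that stand out against the median of the other hours; the line format and field names are assumptions.

```python
import re
from collections import Counter
from statistics import median

# Constructed sample log lines (not real telemetry): timestamp, sender, User-Agent.
SAMPLE_LOGS = """\
2025-09-09T08:05:12Z sender=alerts@example.com user_agent="Microsoft Outlook 16.0"
2025-09-09T08:17:40Z sender=hr@example.com user_agent="axios/1.7.2"
2025-09-09T09:02:03Z sender=it-notify@example.com user_agent="axios/1.7.2"
2025-09-09T10:11:55Z sender=alerts@example.com user_agent="Thunderbird/128.0"
2025-09-09T11:00:09Z sender=helpdesk@example.com user_agent="axios/1.7.2"
2025-09-09T12:30:27Z sender=it-notify@example.com user_agent="axios/1.7.2"
2025-09-09T12:31:44Z sender=it-notify@example.com user_agent="axios/1.7.2"
2025-09-09T12:32:51Z sender=it-notify@example.com user_agent="axios/1.7.2"
2025-09-09T12:34:08Z sender=it-notify@example.com user_agent="axios/1.7.2"
2025-09-09T12:35:19Z sender=it-notify@example.com user_agent="axios/1.7.2"
"""

# Hypothetical line format (an assumption): ISO timestamp, sender=..., user_agent="..."
LOG_RE = re.compile(r'^(?P<hour>\d{4}-\d{2}-\d{2}T\d{2}):\d{2}:\d{2}Z\s+'
                    r'sender=(?P<sender>\S+)\s+user_agent="(?P<ua>[^"]*)"')

def parse_log(text):
    """Yield (hour_bucket, sender, user_agent) per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group("hour"), m.group("sender"), m.group("ua")

def hourly_axios_counts(text):
    """Per-hour count of axios/ User-Agents; hours seen with no axios traffic stay at 0 so the baseline is honest."""
    counts = {}
    for hour, _sender, ua in parse_log(text):
        counts[hour] = counts.get(hour, 0) + (1 if ua.lower().startswith("axios/") else 0)
    return counts

def find_spikes(counts, multiplier=3.0, min_count=5):
    """Flag hours whose count is >= min_count and >= multiplier x the median of the other hours."""
    spikes = []
    for hour, n in sorted(counts.items()):
        others = [c for h, c in counts.items() if h != hour]
        baseline = median(others) if others else 0
        if n >= max(min_count, multiplier * baseline):
            spikes.append((hour, n, baseline))
    return spikes

def senders_in_hour(text, hour):
    """Senders behind the axios traffic in one hour, most frequent first: the pivot for triage."""
    return Counter(s for h, s, ua in parse_log(text) if h == hour and ua.lower().startswith("axios/")).most_common()
```

Tune `multiplier` and `min_count` to your tenant's normal volume of scripted mail before treating a hit as an alert.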
4. PowerShell Script — Check for Local Phishing Artifacts
# This script is a template to search for indicators on local machines.
# It should be adapted with specific file hashes or IOCs from an active investigation.
# Note: Get-ChildItem and Select-String run on the machine executing the script;
# to scan remote hosts, wrap the search in Invoke-Command -ComputerName $computer.
$suspiciousFilePaths = @(
    "$env:APPDATA\*.html",
    "$env:TEMP\*.js"
)
$computers = "localhost"
foreach ($computer in $computers) {
    if (Test-Connection -ComputerName $computer -Count 1 -Quiet) {
        Write-Host "Checking $computer for phishing artifacts..."
        foreach ($path in $suspiciousFilePaths) {
            # Example: Search file content for known phishing kit strings
            $files = Get-ChildItem -Path $path -ErrorAction SilentlyContinue
            foreach ($file in $files) {
                if (Select-String -Path $file.FullName -Pattern "Salty 2FA" -Quiet) {
                    # ${computer} is required here: "$computer:" would be parsed as a scoped variable reference
                    Write-Warning "Potential phishing artifact found on ${computer}: $($file.FullName)"
                }
            }
        }
    }
}
This rundown should provide a solid overview of the current threat landscape. Thank you to all our cyberheroes for your diligence and hard work. Stay vigilant!