Related Posts

Lazarus Group Enhances Malware Toolkit with PondRAT, ThemeForestRAT, and RemotePE

Sep 02, 2025
Malware / Threat Intelligence

The North Korea-linked threat actor, Lazarus Group, has been linked to a social engineering campaign that distributes three new cross-platform malware variants: PondRAT, ThemeForestRAT, and RemotePE. This attack, observed by NCC Group’s Fox-IT in 2024, specifically targeted an organization within the decentralized finance (DeFi) sector, resulting in the breach of an employee’s system.

“As the actor accessed the internal network, they utilized various RATs along with other tools to collect credentials and establish proxy connections,” noted Yun Zheng Hu and Mick Koomen. “Subsequently, the attacker transitioned to a more stealthy RAT, indicating a potential progression in their attack strategy.”

The attack began with the threat actor impersonating a current employee of a trading firm via Telegram and using counterfeit websites resembling Calendly and Picktime to arrange a meeting with the target. Although the initial steps were…

Salesloft Shuts Down Drift Temporarily Following OAuth Token Theft Affecting Numerous Organizations

 
Sep 03, 2025
Data Breach / Threat Intelligence

Salesloft announced on Tuesday the temporary suspension of Drift, slated to occur “in the very near future,” due to an extensive supply chain attack impacting multiple companies. This breach has led to the widespread theft of authentication tokens linked to the marketing software-as-a-service platform. The company stated, “This action will allow us to thoroughly review the application and enhance its resilience and security before restoring full functionality.” Consequently, the Drift chatbot on customer websites will be offline, and Drift itself will not be accessible. Salesloft emphasized its commitment to preserving the integrity and security of its systems and customers’ data, collaborating with cybersecurity partners Mandiant and Coalition as part of their incident response strategy. This announcement follows a disclosure from Google Threat Intelligence Group (GTIG) and Mandiant regarding the ongoing threats.

CISA Includes TP-Link and WhatsApp Vulnerabilities in KEV Catalog Due to Ongoing Exploitation

September 3, 2025
Vulnerability / Mobile Security

On Tuesday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a critical vulnerability affecting TP-Link TL-WA855RE Wi-Fi Extender products to its Known Exploited Vulnerabilities (KEV) catalog, citing signs of active exploitation. The vulnerability, identified as CVE-2020-24363 (CVSS score: 8.8), involves a missing authentication flaw that can be exploited to gain elevated access to the device. CISA noted that “this vulnerability could enable an unauthenticated attacker on the same network to send a TDDP_RESET POST request for a factory reset and reboot,” allowing them to establish incorrect access control by setting a new administrative password. According to malwrforensics, the issue has been addressed in firmware version TL-WA855RE(EU)_V5_200731. However, it’s important to mention that this product has reached end-of-life (EoL) status, making future patches or updates unlikely. Users of the Wi-Fi range extender are therefore advised to take caution.

Cloudflare Successfully Thwarts Unprecedented 11.5 Tbps DDoS Attack

Cloudflare announced on Tuesday that it effectively mitigated a record-breaking volumetric distributed denial-of-service (DDoS) attack that peaked at 11.5 terabits per second (Tbps). In a recent post on X, the web infrastructure and security provider revealed, “In recent weeks, we’ve autonomously blocked numerous hyper-volumetric DDoS attacks, with the largest reaching peaks of 5.1 Bbps and 11.5 Tbps.” The attack, primarily a UDP flood originating from Google Cloud, lasted only about 35 seconds, highlighting the company’s robust defense mechanisms at work. Volumetric DDoS attacks aim to overwhelm a target with excessive traffic, causing server slowdowns or failures, often resulting in network congestion, packet loss, and service disruptions. Typically, these attacks are executed using botnets controlled by threat actors.