A new round of the weekly Security Affairs newsletter has arrived! Every week, the best security articles from Security Affairs are free in your email box.

Enjoy a new round of the weekly SecurityAffairs newsletter, including the international press.

- [Ohio’s Union County suffers ransomware attack impacting 45,000 people](https://securityaffairs.com/182689/uncategorized/ohios-union-county-suffers-ransomware-attack-impacting-45000-people.html)
- [ForcedLeak flaw in Salesforce Agentforce exposes CRM data via Prompt Injection](https://securityaffairs.com/182676/hacking/forcedleak-flaw-in-salesforce-agentforce-exposes-crm-data-via-prompt-injection.html)
- [Microsoft uncovers new variant of XCSSET macOS malware in targeted attacks](https://securityaffairs.com/182662/malware/microsoft-uncovers-new-variant-of-xcsset-macos-malware-in-targeted-attacks.html)
- [Hackers exploit Fortra GoAnywhere flaw before public alert](https://securityaffairs.com/182647/hacking/hackers-exploit-fortra-goanywhere-flaw-before-public-alert.html)
- [UK NCSC warns that attackers exploited Cisco firewall zero-days to deploy RayInitiator and LINE VIPER malware](https://securityaffairs.com/182639/hacking/uk-ncsc-warns-that-attackers-exploited-cisco-firewall-zero-days-to-deploy-rayinitiator-and-line-viper-malware.html)
- [Google warns of Brickstorm backdoor targeting U.S. legal and tech sectors](https://securityaffairs.com/182609/malware/google-warns-of-brickstorm-backdoor-targeting-u-s-legal-and-tech-sectors.html)
- [U.S. CISA adds CISCO Secure Firewall ASA and Secure FTD flaws to its Known Exploited Vulnerabilities catalog](https://securityaffairs.com/182593/hacking/u-s-cisa-adds-cisco-secure-firewall-asa-and-secure-ftd-flaws-to-its-known-exploited-vulnerabilities-catalog.html)
- [Operation HAECHI VI seized $439M from global cybercrime rings](https://securityaffairs.com/182576/cyber-crime/operation-haechi-vi-seized-439m-from-global-cybercrime-rings.html)
- [Volvo North America disclosed a data breach following a ransomware attack on IT provider Miljödata](https://securityaffairs.com/182577/data-breach/volvo-north-america-disclosed-a-data-breach-following-a-ransomware-attack-on-it-provider-miljodata.html)
- [Cisco fixed actively exploited zero-day in Cisco IOS and IOS XE software](https://securityaffairs.com/182564/hacking/cisco-fixed-actively-exploited-zero-day-in-cisco-ios-and-ios-xe-software.html)
- [Nation-State hackers exploit Libraesva Email Gateway flaw](https://securityaffairs.com/182552/hacking/nation-state-hackers-exploit-libraesva-email-gateway-flaw.html)
- [SolarWinds fixed a critical RCE flaw in its Web Help Desk software](https://securityaffairs.com/182545/security/solarwinds-fixed-a-critical-rce-flaw-in-its-web-help-desk-software.html)
- [How threat actors breached a U.S. federal civilian agency by exploiting a GeoServer flaw](https://securityaffairs.com/182532/hacking/how-threat-actors-breached-u-s-federal-civilian-agency-by-exploiting-a-geoserver-flaw.html)
- [Cloudflare mitigates largest-ever DDoS attack at 22.2 Tbps](https://securityaffairs.com/182521/security/cloudflare-mitigates-largest-ever-ddos-attack-at-22-2-tbps.html)
- [U.S. CISA adds Google Chromium flaw to its Known Exploited Vulnerabilities catalog](https://securityaffairs.com/182509/security/u-s-cisa-adds-google-chromium-flaw-to-its-known-exploited-vulnerabilities-catalog.html)
- [US Secret Service dismantled covert communications network near the U.N. in New York](https://securityaffairs.com/182499/intelligence/us-secret-service-dismantled-covert-communications-network-near-the-u-n-in-new-york.html)
- [A suspected Scattered Spider member suspect detained for casino network attacks](https://securityaffairs.com/182490/cyber-crime/a-suspected-scattered-spider-member-suspect-detained-for-casino-network-attacks.html)
- [$150K awarded for L1TF Reloaded exploit that bypasses cloud mitigations](https://securityaffairs.com/182476/security/150k-awarded-for-l1tf-reloaded-exploit-that-bypasses-cloud-mitigations.html)
- [Canada’s RCMP closes TradeOgre, seizes $40M in country’s largest crypto bust](https://securityaffairs.com/182467/cyber-crime/canadas-rcmp-closes-tradeogre-seizes-40m-in-countrys-largest-crypto-bust.html)
- [Stellantis probes data breach linked to third-party provider](https://securityaffairs.com/182456/data-breach/stellantis-probes-data-breach-linked-to-third-party-provider.html)
- [FBI alerts public to spoofed IC3 site used in fraud schemes](https://securityaffairs.com/182449/cyber-crime/fbi-alerts-public-to-spoofed-ic3-site-used-in-fraud-schemes.html)
- [EU agency ENISA says ransomware attack behind airport disruptions](https://securityaffairs.com/182440/security/eu-agency-enisa-says-ransomware-attack-behind-airport-disruptions.html)
- [Researchers expose MalTerminal, an LLM-enabled malware pioneer](https://securityaffairs.com/182433/malware/researchers-expose-malterminal-an-llm-enabled-malware-pioneer.html)
- [Beware: GitHub repos distributing Atomic Infostealer on macOS](https://securityaffairs.com/182419/malware/beware-github-repos-distributing-atomic-infostealer-on-macos.html)
- [ESET uncovers Gamaredon–Turla collaboration in Ukraine cyberattacks](https://securityaffairs.com/182404/apt/eset-uncovers-gamaredon-turla-collaboration-in-ukraine-cyberattacks.html)

**International Press — Newsletter**

**Cybercrime**

- [Threat Actors Spoofing the FBI IC3 Website for Possible Malicious Activity](https://www.ic3.gov/PSA/2025/PSA250919)
- [Hacking Activities of Pro-Russian Cyber Crime Group Targeting Korean Companies](https://medium.com/@nshcthreatrecon/hacking-activities-of-pro-russian-cyber-crime-group-targeting-korean-companies-8e349ae90401)
- [Canada dismantles TradeOgre exchange, seizes $40 million in crypto](https://www.bleepingcomputer.com/news/security/canada-dismantles-tradeogre-exchange-seizes-40-million-in-crypto/)
- [Scattered Spider Suspect Arrested in US](https://www.securityweek.com/scattered-spider-suspect-arrested-in-us/)
- [ShadowV2: An emerging DDoS for hire botnet](https://www.darktrace.com/blog/shadowv2-an-emerging-ddos-for-hire-botnet)
- [Feds Tie ‘Scattered Spider’ Duo to $115M in Ransoms](https://krebsonsecurity.com/2025/09/feds-tie-scattered-spider-duo-to-115m-in-ransoms/)
- Volvo Group Employee Data Stolen in Ransomware Attack
- [USD 439 million recovered in global financial crime operation](https://www.interpol.int/News-and-Events/News/2025/USD-439-million-recovered-in-global-financial-crime-operation)
- [Eurojust coordinates action to halt cryptocurrency fraud of over 100 million euros across Europe](https://www.eurojust.europa.eu/news/eurojust-coordinates-action-halt-cryptocurrency-fraud-over-100-million-euros-across-europe)
- [European Airport Cyberattack Linked to Obscure Ransomware, Suspect Arrested](https://www.securityweek.com/european-airport-cyberattack-linked-to-obscure-ransomware-suspect-arrested/)
- [260 suspected scammers arrested in pan-African cybercrime operation](https://www.interpol.int/en/News-and-Events/News/2025/260-suspected-scammers-arrested-in-pan-African-cybercrime-operation)
- Ransomware attack on Ohio county impacts over 45,000 residents, employees

**Malware**

- [Brewing Trouble — Dissecting a macOS Malware Campaign](https://medium.com/deriv-tech/brewing-trouble-dissecting-a-macos-malware-campaign-90c2c24de5dc)
- [Large-Scale Attack Targeting Macs via GitHub Pages Impersonating Companies to Attempt to Deliver Stealer Malware](https://blog.lastpass.com/posts/attack-targeting-macs-via-github-pages)
- [Malware Analysis Report RayInitiator & LINE VIPER](https://www.ncsc.gov.uk/static-assets/documents/malware-analysis-reports/RayInitiator-LINE-VIPER/ncsc-mar-rayinitiator-line-viper.pdf)
- [XCSSET evolves again: Analyzing the latest updates to XCSSET’s inventory](https://www.microsoft.com/en-us/security/blog/2025/09/25/xcsset-evolves-again-analyzing-the-latest-updates-to-xcssets-inventory/)
- [Bearlyfy: The Evolution of a New Ransomware Group and Its Connection to PhantomCore](https://www.f6.ru/blog/bearlyfy/)
- [Updated BO Team Grouping Tools](https://securelist.ru/bo-team-upgrades-brockendoor-and-zeronetkit-backdoors/113536/)

**Hacking**

- [ComicForm, start: F6 analysts have studied the phishing campaigns of a new attacker](https://www.f6.ru/blog/comicform/)
- [Project Rain:L1TF](https://bughunters.google.com/blog/4684191115575296/project-rain-l1tf)
- [Heap-based buffer overflow in Kernel Streaming WOW Thunk Service Driver — CVE-2025-53149](https://www.crowdfense.com/cve-2025-53149-windows-ksthunk-heap-overflow/)
- [Cloudflare mitigates new record-breaking 22.2 Tbps DDoS attack](https://www.bleepingcomputer.com/news/security/cloudflare-mitigates-new-record-breaking-222-tbps-ddos-attack/)
- [CISA Shares Lessons Learned from an Incident Response Engagement](https://www.cisa.gov/news-events/cybersecurity-advisories/aa25-266a)
- [Cisco warns of IOS zero-day vulnerability exploited in attacks](https://www.bleepingcomputer.com/news/security/cisco-warns-of-ios-zero-day-vulnerability-exploited-in-attacks/)
- [IMDS Abused: Hunting Rare Behaviors to Uncover Exploits](https://www.wiz.io/blog/imds-anomaly-hunting-zero-day)
- [Cisco Event Response: Continued Attacks Against Cisco Firewalls](https://sec.cloudapps.cisco.com/security/center/resources/asa_ftd_continued_attacks)
- [Technical Analysis — CVE-2025-10035](https://attackerkb.com/topics/LbA9ANjcdz/cve-2025-10035/rapid7-analysis)
- [It Is Bad (Exploitation of Fortra GoAnywhere MFT CVE-2025-10035) — Part 2](https://labs.watchtowr.com/it-is-bad-exploitation-of-fortra-goanywhere-mft-cve-2025-10035-part-2/)
- [ForcedLeak: AI Agent risks exposed in Salesforce AgentForce](https://noma.security/blog/forcedleak-agent-risks-exposed-in-salesforce-agentforce/)
- [SVG Phishing hits Ukraine with Amatera Stealer, PureMiner](https://www.fortinet.com/blog/threat-research/svg-phishing-hits-ukraine-with-amatera-stealer-pureminer)

**Intelligence and Information Warfare**

- [Mapping the Infrastructure and Malware Ecosystem of MuddyWater](https://www.group-ib.com/blog/muddywater-infrastructure-malware/)
- [Inside Palantir: The Secretive Tech Company Helping the US Government Build a Massive Web of Surveillance](https://www.zmescience.com/future/inside-palantir-the-secretive-tech-company-helping-the-us-government-build-a-massive-web-of-surveillance/)
- [U.S. Secret Service dismantles imminent telecommunications threat in New York tristate area](https://www.secretservice.gov/newsroom/releases/2025/09/us-secret-service-dismantles-imminent-telecommunications-threat-new-york)
- [Cache of Devices Capable of Crashing Cell Network Is Found Near U.N.](https://www.nytimes.com/2025/09/23/us/politics/secret-service-sim-cards-servers-un.html)
- [ICE unit signs new $3M contract for phone-hacking tech](https://techcrunch.com/2025/09/18/ice-unit-signs-new-3-million-contract-for-phone-hacking-tech/)
- [Operation Rewrite: Chinese-Speaking Threat Actors Deploy BadIIS in a Wide Scale SEO Poisoning Campaign](https://unit42.paloaltonetworks.com/operation-rewrite-seo-poisoning-campaign/)
- [Libraesva Email Security Gateway Vulnerability Exploited by Nation-State Hackers](https://www.securityweek.com/libraesva-email-security-gateway-vulnerability-exploited-by-nation-state-hackers/)
- [Another BRICKSTORM: Stealthy Backdoor Enabling Espionage into Tech and Legal Sectors](https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign)
- [NCSC warns of persistent malware campaign targeting Cisco devices](https://www.ncsc.gov.uk/news/persistent-malicious-targeting-cisco-devices)
- [How RainyDay, Turian and a new PlugX variant abuse DLL search order hijacking](https://blog.talosintelligence.com/how-rainyday-turian-and-a-new-plugx-variant-abuse-dll-search-order-hijacking/)
- [DeceptiveDevelopment: From primitive crypto theft to sophisticated AI-based deception](https://www.welivesecurity.com/en/eset-research/deceptivedevelopment-from-primitive-crypto-theft-to-sophisticated-ai-based-deception/)
- [RedNovember Targets Government, Defense, and Technology Organizations](https://www.recordedfuture.com/research/rednovember-targets-government-defense-and-technology-organizations)
- [Microsoft Reduces Israel’s Access to Cloud and AI Products Over Reports of Mass Surveillance in Gaza](https://www.securityweek.com/microsoft-reduces-israels-access-to-cloud-and-ai-products-over-reports-of-mass-surveillance-in-gaza/)

**Cybersecurity**

- [European airports disruption due to ransomware — EU agency](https://www.dw.com/en/european-airports-disruption-due-to-ransomware-eu-agency/a-74073365)
- [Auto giant Stellantis investigating data breach following ‘unauthorized access’](https://therecord.media/stellantis-investigates-cyber-incident)
- [Statement on AI and Cybersecurity](https://home.treasury.gov/system/files/136/G7-Cyber-Expert-Group-Statement-AI-and-Cybersecurity-2025.pdf)
- [European airports still dealing with disruptions days after ransomware attack](https://techcrunch.com/2025/09/23/european-airports-still-dealing-with-disruptions-days-after-ransomware-attack/)
- [SolarWinds Releases Hotfix for Critical CVE-2025-26399 Remote Code Execution Flaw](https://thehackernews.com/2025/09/solarwinds-releases-hotfix-for-critical.html)
- [CISA: ED 25-03: Identify and Mitigate Potential Compromise of Cisco Devices](https://www.cisa.gov/news-events/directives/ed-25-03-identify-and-mitigate-potential-compromise-cisco-devices)
- [Cyberattack on Jaguar Land Rover threatens to hit British economic growth](https://therecord.media/cyberattack-jaguar-land-rover-economic-growth-uk-government)
- [Statement from the Canadian Centre for Cyber Security on malware targeting global organizations through Cisco Systems](https://www.cyber.gc.ca/en/news-events/statement-canadian-centre-cyber-security-malware-targeting-global-organizations-through-cisco-systems)
- [Brits warned as illegal robo-callers with offshored call centers fined half a million](https://www.theregister.com/2025/09/26/brits_warned_as_illegal_robocallers/)
- [Gcore Radar Attack Trends Q1-Q2 2025](https://gcore.com/resources/gcore-radar-attack-trends-q1-q2-2025)
- [Viral call-recording app Neon goes dark after exposing users’ phone numbers, call recordings, and transcripts](https://techcrunch.com/2025/09/25/viral-call-recording-app-neon-goes-dark-after-exposing-users-phone-numbers-call-recordings-and-transcripts/)

Follow me on Twitter: [@securityaffairs](https://twitter.com/securityaffairs) and [Facebook](https://www.facebook.com/sec.affairs) and [Mastodon](https://infosec.exchange/@securityaffairs)

[Pierluigi Paganini](http://www.linkedin.com/pub/pierluigi-paganini/b/742/559)

([SecurityAffairs](http://securityaffairs.co/wordpress/) — hacking, newsletter)

Related Tags:
CVE-2025-10035
CVE-2025-53149
ControlX
CHROMIUM
Charcoal Typhoon
Storm-0875
Octo Tempest
Mango Sandstorm
TA450