Singapore, Singapore, 29th September 2025, CyberNewsWire

**Singapore, Singapore, September 29th, 2025, CyberNewsWire**

*   Analyzing over 14 billion cyber-attack records daily, ThreatBook ATI is a global solution enriched with granular, local insights; and can offer organizations a truly APAC perspective.
*   Boasting low false positive rates, the solution is highly compatible with existing security stacks.
*   ThreatBook ATI provides actionable insights for threat detection and response, enabling organizations to accelerate their intelligence analysis, and make more informed decisions. 

ThreatBook, a global leader in cyber threat intelligence, detection and response, today announced the worldwide launch of ThreatBook Advanced Threat Intelligence (“ThreatBook ATI”). Spearheaded from its offices in Singapore and Hong Kong, the new service offers unique industry insights for threat intelligence platforms (TIPs), security operation centers (SOCs) and cybersecurity analysts globally.

Of note, ThreatBook ATI is able to capture new, difficult-to-detect threats emanating from within Asia, where coverage from many global vendors remains limited. It is also able to better identify Western attackers targeting Asian organizations as well. ThreatBook ATI’s capabilities are particularly timely, with 34% of cyber-attacks worldwide taking place within the Asia Pacific (APAC).

A further noteworthy feature of ThreatBook ATI are its low false positive rates. ThreatBook’s proprietary intelligence collection systems, which operate globally and in real time, employs dozens of analysis engines to deeply mine enormous raw datasets. False positives are filtered through AI-based models, followed by cross-verification by professional security analysts. ATI also applies AI to classify and label threat reports, transforming unstructured intelligence into structured insights, and features a built-in assistant that can rapidly correlate data to answer analysts’ questions. This layered process ensures the intelligence remains highly accurate and reliable. Over 14 billion attack records are identified daily, including over 80 million malicious inbound internet protocols (IPs), more than six billion malware files, over 7,000 high risk vulnerabilities, and more than 600 zero-day vulnerabilities. 

> “With several billion attack records from all corners of the world analyzed daily, ThreatBook ATI is a truly global solution enriched with granular, local insights,” said Mr. Feng XUE, Chief Executive Officer of ThreatBook.

> “We are of the opinion that Asia Pacific-centric threat intelligence matters, as tactics, techniques, and procedures (TTPs), tooling, language, command and control (C&C) infrastructure, and targeting patterns differ by region – and ATI can offer organizations a truly APAC perspective. We have a track record of exclusive discovery when it comes to cybercriminals, including advanced persistent threat (APT) groups; and at the end of the day, local context quickens threat detection and reduces dwell time.”

Integration with existing security stacks is key. Studies repeatedly find that a single unified platform, which provides a centralized view of cyber risks across the entire organization, is a priority for cybersecurity teams around the world. ThreatBook ATI is highly compatible with existing security stacks. Its output is available in both machine-readable and human-readable formats, making integration straight-forward.

Customer access is hassle-free. For TIPs, ThreatBook ATI can be purchased through platform marketplaces, or can be integrated through feeds or application programming interfaces (APIs). For SOCs, ThreatBook ATI feeds integrate easily with security information and event management (SIEM) solutions, firewalls and other security tools. While for cybersecurity analysts, ThreatBook ATI is accessible globally via a web portal.

> “High quality threat intelligence enhances existing security tools, which often rely on vulnerable rule-based signals, making them more reliable and accurate, and leading to less false positives across the stack,” added Mr. Xue. “By providing actionable insights for threat detection and response, organizations are able to accelerate their intelligence analysis, and make more informed decisions to better manage today’s myriad of cyber risks.”

ThreatBook ATI is a timely addition to the company’s acclaimed suite of cybersecurity solutions. Since 2015, thousands of enterprise organizations globally have placed their trust in Threatbook across the entire threat lifecycle — from detection to analysis, response and protection; all powered by the company’s proprietary intelligence core.

In 2025 alone, leading analyst firms have recognized ThreatBook, featuring the company in Forrester’s Network Analysis And Visibility Solutions Landscape, Q2 2025 report, and the inaugural Gartner Magic Quadrant for Network Detection and Response (NDR). In both instances, ThreatBook was one of a limited number of vendors recognized.

**About ThreatBook**

ThreatBook is a global cybersecurity company specializing in advanced threat intelligence, detection, and response. Founded in 2015, ThreatBook equips enterprises, governments, and service providers with the clarity and context needed to defend against evolving digital risks.

By combining artificial intelligence with deep threat intelligence, ThreatBook delivers real-time visibility, hyper-accurate detections, and early-warning insights against nation-state actors, cybercriminal groups, and emerging attack campaigns. With unique vantage points from across the Asia Pacific region and beyond, ThreatBook provides intelligence coverage that bridges Eastern and Western threat landscapes, offering an unmatched perspective for global defenders.

ThreatBook: Act with Intelligence that Matters. To learn more, users can visit www.threatbook.io or follow them on LinkedIn.

ThreatBook ATI is not available in mainland China.

https://www.ibm.com/thought-leadership/institute-business-value/report/2025-threat-intelligence-index

https://www.msspalert.com/native/the-strategic-shift-toward-unified-cybersecurity-platforms

**Contact**

**Belmont Communications on behalf of ThreatBook**  
**\[email protected\]**

ThreatBook Launches Best-of-Breed Advanced Threat Intelligence Solution

Medusa ransomware group claims 834 GB data theft from Comcast, demanding $1.2M ransom while sharing screenshots and file listings.

The **Medusa** ransomware group is claiming responsibility for a ransomware attack on Comcast Corporation, a global media and technology company best known for its broadband, television, and film businesses.

According to the group’s dark web leak site, they exfiltrated 834.4 gigabytes of data and are demanding $1.2 million for interested buyers to download it. The same sum has been set as ransom for Comcast if the company wants the data deleted rather than leaked or sold.

To back its claims, Medusa has posted around 20 screenshots allegedly showing internal Comcast files. The group also shared a massive file listing of 167,121 entries, suggesting access to actuarial reports, product management data, insurance modelling scripts, and claim analytics.

The sample paths include files such as Esur_rerating_verification.xlsx, Claim Data Specifications.xlsm, and Python, as well as SQL scripts related to auto premium impact analysis.

Medusa Ransomware group’s dark web leak site claiming Comcast as its victim – These claims were published on Friday, September 26, 2025 (Image credit: Hackread.com)

****Comcast and Cybersecurity****

For your information, Comcast owns NBCUniversal, which operates NBC, Telemundo, Universal Pictures, Sky (in Europe), and a wide range of TV networks, film studios, and streaming platforms like Peacock.

Although the company has not been in news over large-scale cyber attacks, a 2015 report published by Hackread.com revealed that over 200,000 Comcast user credentials were leaked on the dark web.

At the time, Comcast stated the data likely came from credential aggregation rather than a direct breach of its systems. The case underscored how previously exposed information can resurface years later, complicating efforts to separate legacy leaks from fresh intrusions.

Medusa ransomware is known for publishing file listings and partial screenshots as proof of compromise while holding back the bulk of the data to increase ransom pressure. In this case, the nature of the files points toward actuarial and financial datasets, some of which appear to involve insurance calculations, customer data processing, and claim management systems.

****Medusa Aims At Top American Firms****

Past Medusa incidents have shown that the group tends to release portions of data if demands are not met, increasing the pressure on victims to negotiate. The cyber criminal group has also been behind several high-profile attacks this year.

On April 8, 2025, the group announced it had **targeted NASCAR** with a $4 million ransom demand. That incident was later **confirmed** as a data breach in July 2025, showing the group had followed through on previous threats when negotiations failed.

At the time of writing, Comcast has not publicly confirmed or denied the breach. The company may face regulatory scrutiny if sensitive customer or financial data is involved, particularly given the sheer size of the alleged leak.

Hackread.com has reached out to Comcast for comment and will continue monitoring the situation for updates on the company’s response and any further releases from Medusa.

Medusa Ransomware Claims Comcast Data Breach, Demands $1.2M

Hackers are sending fake invoice emails with malicious Office files that install the XWorm RAT on Windows systems, allowing full remote access and data theft. Learn how the shellcode and process injection are used to steal data, and how to stay safe from this persistent threat.

A new wave of email attacks is on the rise, tricking people with fake invoice documents to install the dangerous **XWorm RAT** (Remote Access Trojan), capable of quietly stealing sensitive information from your computer, reveals the latest research from Forcepoint X-Labs.

The scam starts with an email, often pretending to be about “Facturas pendientes de pago” (Pending Invoices for Payment) from someone named Brezo Sánchez. The email includes an attached Office file that has the extension .xlam.

X-Labs researchers mention that when you open the file, it may look blank or corrupted, but the damage has already started.

Malicious Email (Source: Forcepoint)

****Understanding the Attack Chain****

As we know it, cyberattacks generally follow a chain of steps, and this one is highly detailed. Inside the attached Office file is a hidden component called oleObject1.bin, which contains an encrypted code, called shellcode. This shellcode is a small program that immediately downloads the next part of the attack.

The shellcode reaches out to a specific web address, hxxp://alpinreisan1com/UXOexe, to download the main malicious program, an executable file named UXO.exe. This program then starts the second stage- loading another harmful DLL file into the computer’s memory (DriverFixPro.dll).

This loading happens using reflective DLL injection (a sneaky way to load a harmful program directly into the computer’s memory without saving it as a regular file first). This DLL ultimately performs a process injection, which involves forcing the malicious code to run inside a normal, harmless program on your computer. This final injected code belongs to the XWorm **RAT** family.

****XWorm: A Persistent Threat****

Forcepoint’s senior researcher, Prashant Kumar, explains in the **blog post** that XWorm’s capabilities allow it to take full **remote control** over an infected system, from stealing files to logging keystrokes.

Through process injection, the malware runs secretly within a trusted application and successfully maintains persistence while avoiding detection. Lastly, the XWorm program connects to a Command & Control (C2) server, specifically 158.94.209180, to send all the victim’s stolen data to the attackers.

This important research on the multi-stage attack was shared exclusively with Hackread.com. However, it is worth noting that this is not the first time the XWorm threat has been seen this year.

In January 2025, Hackread.com **reported** an XWorm campaign that compromised over 18,459 devices globally, stealing browser passwords and Discord tokens. Then, in March 2025, Veriti’s **research** revealed that XWorm was using trusted platforms like Amazon Web Services (AWS) S3 storage to distribute its harmful files.

To protect yourself from such attacks, be cautious with attachments, especially those ending in .xlam or .bin, verify unexpected invoices by calling the sender, and regularly update your operating system and security software.

Hackers Use Fake Invoices to Spread XWorm RAT via Office Files

Bitdefender warns that the TradingView Premium ad scam now targets Google ads and YouTube, hijacking verified channels to spread spyware.

A malicious advertising campaign that has been tricking content creators and unsuspecting users into downloading harmful software by offering “free access” to TradingView Premium has dramatically expanded its operations, security researchers warn.

This ongoing campaign, tracked by Bitdefender Labs for the past year, has reportedly moved from Meta’s Facebook Ads to appear across both Google Ads and YouTube, putting many more users at risk.

This campaign was previously reported by Hackread.com for exploiting Facebook Ads using fake crypto sites and celebrity images to spread malware, but has now evolved its tactics.

****How the Scam Works****

Research reveals that the cyber criminals behind this attack are highly organised, using over 500 different website addresses and publishing thousands of malicious ads every day in different languages (mostly English, Vietnamese and Thai).

They run their ads by taking control of legitimate, verified business accounts on Google and YouTube, including the hijacked Google advertiser account of a design agency in Norway. For your information, TradingView Premium is a paid service that offers advanced tools and features for financial trading analysis.

Fake ad and the hijacked accounts used in the attack (Via Bitdefender Labs)

To appear real, the scammers hijack a verified YouTube channel, delete all its original content, and rebrand it to look exactly like the official TradingView page, including the correct logos and banner art. They even copy playlists from the real channel so that the fake one appears active, abusing the verified badge to trick users into assuming authenticity.

They then use paid ads to push special videos that are hidden from public view, called unlisted videos, to avoid detection. One such video, titled “Free TradingView Premium – Secret Method They Don’t Want You to Know,” gathered over 182,000 views in just a few days through this aggressive advertising.

However, close inspection reveals red flags, such as a different channel handle (not @TradingView) and a low overall registered view count, which would be impossible for the popular trading platform.

Attack Flow (Image Credit: Bitdefender Labs)

****The Threat****

This campaign’s core objective seems to be to get users to download a dangerous file disguised as the free premium app. This file is actually a type of spyware called Trojan.Agent.GOSL, which can remotely control a victim’s computer. This program is designed to steal highly sensitive information, including passwords, personal data, and cryptocurrency wallet details.

Shared with Hackread.com, this research warns content creators that having their business accounts compromised not only damages their reputation but also allows scammers to take over the connected, verified YouTube channel and use it as a weapon.

That’s why you should always download software from official websites. Bitdefender advises users to carefully check the channel handle and subscriber count, and consider any ad promising free premium access to an app that is normally paid a major red flag.

Google Ads Used to Spread Trojan Disguised as TradingView Premium

FortiGuard Labs exposes a high-severity phishing campaign impersonating the National Police of Ukraine to deliver Amatera Stealer (data theft) and PureMiner (cryptojacking) to Windows PCs.

Hackers are distributing malicious emails that imitate official notices from the National Police of Ukraine. This phishing campaign, identified by FortiGuard Labs, targets any organisation running **Microsoft Windows** to compromise their systems with at least two new malware strains, including Amatera Stealer and PureMiner.

The attacks start with an email that includes a malicious Scalable Vector Graphics (**SVG**) file. For your information, an SVG is a simple image format, but attackers exploit its text-based code to embed harmful content.

The messages pressure the recipient using formal, legal language, falsely claiming an appeal is under review and warning that ignoring the notice could lead to “further legal action.”

Phishing email (source: FortiGuard)

****How the Infection Spreads****

When a victim opens the SVG attachment, the file tricks them by displaying a fake screen that says, “Please wait, your document is loading…” It then immediately forces the computer to download one of several password-protected ZIP archives, including ergosystem.zip or smtpB.zip, with the password displayed to make the process seem trustworthy.

Inside the archive is a Compiled HTML Help (CHM) file, which acts as the main trigger, launching a malicious script called the CountLoader. This loader, which _Hackread.com_ previously **reported** on, is a known entry point designed to deliver multiple harmful programs.

Here, its job is to connect with a remote server, steal some basic system details, and then deliver the final malware. Researchers refer to this as a “**fileless**” threat because the payload is loaded directly into the computer’s memory, making it hard to detect.

****Double Threat of Data Theft and Hijacking****

According to FortiGuard Labs’ **blog post**, CountLoader delivers two dangerous payloads: Amatera Stealer and PureMiner. Researchers explained in a report shared exclusively with Hackread.com that the PureMiner cryptominer is delivered using DLL sideloading from ergosystem.zip, while the Amatera Stealer is deployed via a malicious **Python** script found in smtpB.zip.

Attack Chain (Source: FortiGuard)

Amatera Stealer is an information-gathering tool that first gathers basic system information (like computer name, OS details, and username) and current clipboard contents. It then aggressively targets saved information, including credentials and files, from Firefox and Chrome browsers, chat apps like Telegram and Discord, and programs like Steam, FileZilla, and AnyDesk. It also targets files from major desktop crypto wallets, including BitcoinCore, Exodus, Atomic, and Electrum, and can search up to five folders deep for these files.

On the other hand, PureMiner is a **cryptominer** that collects detailed hardware information, like video card specifications. Once installed, PureMiner allows the criminals to secretly use the victim’s own computer power (both the CPU and GPU) for their financial benefit, a process called cryptocurrency mining.

The overall impact of this attack is rated as High severity as it allows remote control, data theft, and resource hijacking. Given this threat, users are urged to maintain strong security awareness. Avoid opening unexpected attachments, and always verify urgent, unsolicited requests through a separate trusted channel before clicking links.

Fake Ukraine Police Notices Spread New Amatera Stealer and PureMiner

California-based Archer Health exposed 23GB of patient records, including SSNs, IDs, and medical files, after an unprotected database was found online.

A large cache of medical and personal information belonging to patients of Archer Health Inc. was left publicly accessible after a database was found online without encryption or password protection. Archer Health Inc., also known as Archer Home Health, is a California-based provider of in-home healthcare and palliative care services.

The exposure, first identified by cybersecurity researcher Jeremiah Fowler and reported to Website Planet, included highly sensitive files that could have put thousands of individuals at risk.

The database held more than 145,000 files, sized up to 23 gigabytes. Among the documents were patient assessments, home health certifications, care plans, discharge forms, and internal communications.

Many of these contained personal details such as names, Social Security numbers (SSN), addresses, phone numbers, patient ID numbers, and medical information. Some folders were even labelled with patient names, while others contained categories like “faxed orders” or “referrals,” further confirming the sensitive nature of the data.

The files also included screenshots of healthcare management software dashboards, showing scheduling details, provider information, and patient records. Such exposures can carry significant risks, including identity theft, fraud, and violations of medical privacy regulations like HIPAA.

One of the screenshots showing the type of data involved in the leak (Credit: Jeremiah Fowler via Website Planet)

Fowler reported the exposure directly to the company, and access to the database was restricted within hours. Archer Health acknowledged the notification, stating that it takes patient privacy seriously and that its team is investigating the issue.

It remains unclear how long the database was exposed or whether any unauthorised parties accessed the records before it was secured. However, incidents like this show the constant risks when healthcare data is stored without proper security authentication.

****Possible Legal Consequences****

While Archer Health acted quickly once informed, patients whose records were included in the exposure may face long-term consequences if their identifiers or medical histories were accessed by malicious threat actors or copied during the time the database was online.

Additionally, when a healthcare provider or related service fails to protect sensitive data, it may face serious legal exposure. In a related example, a misconfigured Amazon Web Services (AWS) bucket belonging to Florida-based **IMDataCenter was publicly exposed**, letting a hacker known as “ThinkingOne” download tens of gigabytes of records, including names, emails, addresses and even Social Security numbers.

In response, IMDataCenter is now the target of a lawsuit over the data leak. If Archer Health faces similar scrutiny, it could confront claims under privacy and data protection laws, especially laws governing health and personal information.

Archer Health Data Leak Exposes 23GB of Medical Records

Austin / TX, United States, 25th September 2025, CyberNewsWire

**Austin / TX, United States, September 25th, 2025, CyberNewsWire**

Living Security, a global leader in Human Risk Management (HRM), today announced the full speaker lineup for the Human Risk Management Conference (HRMCon 2025), taking place October 20, 2025, at Austin’s Q2 Stadium and virtually worldwide.

The announcement follows findings from the newly published **2025 State of Human Cyber Risk Report**, produced by the **Cyentia Institute in collaboration with Living Security**, which reveals that on average, organizations detect only **19% of all human risk activity**. That means the majority of risky behaviors — from credential misuse to insider threats — go unseen, leaving enterprises exposed to risks that technology or traditional awareness programs alone can’t solve.

HRMCon is a one-day event focused on the people side of cybersecurity, offered this year both in-person in Austin and virtually worldwide. The program is designed for CISOs, security leaders, risk managers, and HR professionals who are responsible for building security culture and reducing human-driven risk. Sessions will explore how to extend risk ownership beyond traditional awareness programs and the security operations center, empowering managers and employees across the business to take accountability. Attendees will gain practical strategies they can apply immediately from executives, global analysts, and peers. Participants with confirmed attendance may also request a completion certificate for Continuing Professional Education (CPE) credits for the full conference.

> “Most organizations remain blind to the majority of human-driven risk, leaving gaps that technology or traditional awareness programs alone can’t solve,” said Ashley Rose, CEO and Co-Founder of Living Security. “Closing that visibility gap requires new strategies, proven frameworks, and collaboration across functions — which is exactly what HRMCon is designed to deliver. No matter where you are in your HRM journey, you’ll walk away with practical playbooks, proven strategies, and inspiring stories you can apply immediately. This isn’t just another security event—it’s a launchpad for making human risk a managed business function, all without pulling you away from your day-to-day responsibilities.”

HRMCon 2025 will feature enterprise CISOs, Fortune 500 veterans, and leading analysts sharing research-backed strategies and real-world lessons on operationalizing human risk management.

**Speaker Highlights**

**Opening Keynote – Brett Wahlin, CISO, Aurora –** From Counterintelligence to Cybersecurity: Rethinking the Human Factor Across Industries.

Risk frameworks have shaped enterprise security for decades but often overlook the human element. Drawing on his path from counterintelligence to the CISO seat, Brett Wahlin will show where traditional frameworks succeed, where they fall short, and how Human Risk Management can integrate people into the same disciplined approach that governs technology.

**Tim Taylor, VP of Security Education and Awareness, Mastercard –** Creating Human Risk Visibility: Where to Start and How to Scale.

Tim offers a step-by-step play for creating measurable human risk visibility in 90 days. Attendees will learn how to define goals, connect data sources, and build momentum toward sustainable risk reduction.

**Ashley Atiles, Director of Identity Risk, & Alfonso Mancuso, Director of Information Security, Labcorp –** The Access Equation: Identity Meets Human Risk.

Ashley and Alfonso will explore how identity and behavior intersect as the earliest line of defense. Attendees will learn how integrating IAM signals with human risk data creates a powerful new lever for stopping threats before they escalate.

**Kelly Harward, VP of Product & Mike Siegel, President, Living Security –** Operationalizing HRM: From Frameworks and Playbooks to Goals for Adaptive Defense.

Living Security leaders show how to translate frameworks into measurable outcomes. Attendees will see real-world playbooks and a preview of the new Goals feature, which ties behavior change directly to risk reduction.

**Jinan Budge, VP & Principal Analyst, Forrester –** The Future of Human Risk Management: Market Landscape and the Role of Agentic AI.

A market-level view of how Human Risk Management is evolving from compliance to strategy. Attendees will learn about the current state of the market, where it’s headed, and how autonomous AI agents are set to reshape HRM strategies in the years ahead.

**Closing Keynote – Larry Whiteside Jr., CISO Advisor & Co-Founder, Confide –** Evolving the Role of the CISO: From Defense to Business Enabler.

A concise look at how the CISO role is shifting from technical defense to strategic business leadership. Attendees will hear how Human Risk Management can help CISOs align security with culture, accountability, and measurable business outcomes.

**HRMCon 2025 Features**

*   **Grounded in Research:** Learning real-world strategies to close the 19% human risk visibility gap.
*   **Professional Development:** Earning verifiable CPE credits with a completion certificate (confirmed attendance and upon request).
*   **Free and Flexible:** Registering at no cost and choose to attending live in Austin or virtually from anywhere.
*   **Expert-Led:** Hearing from leading CISOs, analysts, and security practitioners shaping the HRM market.
*   **Peer Insights:** Seeing how organizations are operationalizing HRM through case studies and playbooks.
*   **Immediate Takeaways:** Leaving with frameworks, tools, and strategies you can implement right away.

HRMCon 2025, hosted by Living Security, comes at a pivotal time for organizations looking to transform security culture, reduce human-driven risk, and lead in an AI-enabled world.

**Users can register today at www.livingsecurity.com/hrmcon-2025**

**About Living Security**

Living Security is the global leader in Human Risk Management (HRM), providing a risk-informed approach that meets organizations where they are—whether that’s starting with AI-based phishing simulations, intelligent behavior-based training, or implementing a full HRM strategy that correlates behavior, identity, and threat data streams.

Living Security’s Unify platform delivers 3X more visibility into human risk than traditional, compliance-based training platforms by eliminating siloed data and integrating across the security ecosystem. The platform pinpoints the 8–12% of users who pose the greatest risk and automates targeted interventions in real time—reducing exposure to human risk by over 90%. Powered by AI, human analysis, and industry-wide threat telemetry, Unify transforms fragmented signals into intelligent, adaptive defense.

Named a Global Leader in Human Risk Management by Forrester and trusted by enterprises like Unilever, Mastercard, Merck, and Abbott Labs, Living Security helps security teams move from awareness to action—driving measurable behavior change and proving impact at every stage of the journey.

**Contact**

**Living Security Media**  
**\[email protected\]**

Living Security Unveils HRMCon 2025 Speakers as Report Finds Firms Detect Just 19% of Human Risk

New Lone None Stealer uses Telegram C2 and DLL side-loading to grab passwords, credit cards, and crypto. Find out how to spot this highly evasive phishing scam.

A Vietnamese hacking group known as Lone None is running an online scam campaign that has been active since at least November 2024. The campaign focuses on stealing personal and financial information, especially cryptocurrency.

Cybersecurity research firm Cofense Intelligence has been tracking this threat actor’s movements and shared their analysis with Hackread.com.

****The Face Copyright Notice****

The attacks begin with a fake email of an official legal notice from different law firms across the world, telling the recipient to take down copyrighted content from their website or social media, sometimes even naming the recipient’s real Facebook account.

Fake Take Down notice (Image credit: Cofense Intelligence)

These messages are sent in around ten different languages, including English, French, German, and Chinese, suggesting the criminals’ aim to expand their reach. The emails contain a link that, when clicked, leads to a downloaded archive (like a ZIP file). This archive contains the malware, which is cleverly disguised as evidence documents such as PDFs or PNGs.

To execute the malware, the attackers use DLL side-loading, which allows them to abuse a legitimate, signed program (like a trusted Microsoft Word or PDF reader executable) to secretly run their malicious code and bypass standard security checks.

Attack Flow (Image credit: Cofense Intelligence)

****Malware Deployment****

The campaign delivers two types of information stealers: Pure Logs Stealer and the newer Lone None Stealer (aka PXA Stealer).  Pure Logs steals a wide range of sensitive data, including passwords, credit card numbers, session cookies, and local crypto wallet files saved in a victim’s browsers and computers.

The Lone None Stealer, however, focuses on stealing cryptocurrency. It monitors the victim’s clipboard (the place where copied text is temporarily stored) and, if a crypto-wallet address is copied, the malware quietly replaces it with the criminal’s address. This means if a victim tries to send money by copying and pasting a wallet address, the funds go straight to the hacker instead.

In its blog post, Cofense Intelligence noted that Lone None Stealer has been found in nearly a third (29%) of all recent reports involving the older Pure Logs Stealer since June 2025, indicating its growing use.

****Evasive C2****

This scam involves a unique staging technique where the actor hides the address for the next step of the attack within a Telegram bot profile page. Moreover, Lone None Stealer uses the Telegram network as its primary Command and Control (C2) channel, rapidly sending back all the collected data to the hackers.

Since this scam plays directly on the fear of an urgent legal dispute, it is important to recognise the signs of a fake email. Never click links or download files from unexpected sources, as this simple precaution remains the best security against such scams.

Vietnamese Hackers Use Fake Copyright Notices to Spread Lone None Stealer

Cybersecurity firm Noma Security reveals ForcedLeak, a critical flaw in Salesforce Agentforce that allowed data theft. Learn what companies need to do now to secure AI agents.

A vulnerability dubbed ForcedLeak was recently discovered in Salesforce Agentforce, an AI-driven system designed to handle complex business tasks within CRM environments. Noma Security identified the critical flaw, which was initially rated CVSS 9.1 and later updated to 9.4, allowing remote attackers to steal private CRM data. The firm shared its research with Hackread.com.

****How the Attack Worked****

The problem lies in the autonomous way AI agents work. Unlike simple chatbots that are “prompt-response” systems, these agents can “reason, plan, and execute complex business tasks,” making them a considerably bigger target. The core issue here was an indirect prompt injection attack, which happens when a bad instruction is secretly placed inside data that the AI system later processes.

In the case of Agentforce, attackers used the commonly enabled Web-to-Lead feature, which lets website visitors submit information that goes straight into the CRM. By putting malicious code into a large input field, like the Description box, the attacker set a trap. When an employee later asked the AI agent a normal question about that lead data, the agent would mistakenly treat the hidden instruction as part of its job.

According to Noma Security’s blog post, its researchers found that the AI could not tell the difference “between legitimate data loaded into its context versus malicious instructions.” To prove the risk, they ran a Proof of Concept (PoC), using malicious code to force the AI to grab sensitive CRM data like email addresses. The code tricked the AI into stuffing the data inside the web address for an image. When the system viewed that image, the private data was transmitted to the researchers’ server, confirming the successful theft.

****Stolen Data and Immediate Fixes****

The data at risk included sensitive information like customer contact details, sales pipeline data revealing business strategy, internal communications, and historical records. The vulnerability impacted any organisation using Salesforce Agentforce with the Web-to-Lead feature enabled, especially those in sales and marketing.

The attack also involved exploiting an outdated part of the system’s security rules (Content Security Policy, or CSP). Researchers discovered that a domain (my-salesforce-cms.com) that was still considered ‘trusted’ had actually expired and was available to purchase for just $5. An attacker could use this expired, but trusted, domain to secretly send stolen data out of the system.

After being informed about the issue on July 28th, 2025, Salesforce quickly investigated. By September 8th, 2025, the company had implemented fixes, including enforcing “Trusted URLs” for Agentforce and its Einstein AI, to stop data from being sent to untrusted web addresses, and re-securing the expired domain.

The firm advised users to immediately “enforce Trusted URLs for Agentforce and Einstein AI” and audit all existing lead data for unusual submissions. The vulnerability was made public on September 25th, 2025.

In a statement to Hackread.com, a Salesforce spokesperson said that the company is aware of the vulnerability reported by Noma and has released patches to stop Agentforce agents from sending output to untrusted URLs.

> _“Salesforce is aware of the vulnerability reported by Noma and has released patches that prevent output in Agentforce agents from being sent to untrusted URLs. The security landscape for prompt injection remains a complex and evolving area, and we continue to invest in strong security controls and work closely with the research community to help protect our customers as these types of issues surface.”_
> 
> Salesforce Spokesperson

****Why It’s Important****

The ForcedLeak flaw is particularly important to discuss in light of the massive Salesforce-linked data breaches that have surfaced this year. Salesforce sits at the heart of business operations for thousands of organisations, holding sensitive customer records, financial details, and sales strategies.

A vulnerability in its AI-powered Agentforce system means attackers could exploit a trusted platform not just to steal isolated records, but to automate large-scale data extraction through everyday business processes.

With CRM data often being the crown jewels for enterprises, combining AI vulnerabilities with already high-value Salesforce environments greatly increases the risk, making it critical for organisations to reassess their exposure and security controls.

****Expert View****

“It’s advisable to secure the systems around the AI agents in use, which include APIs, forms, and middleware, so that prompt injection is harder to exploit and less harmful if it succeeds,” said Chrissa Constantine, Senior Cybersecurity Solution Architect at Black Duck.

She stressed that true prevention is around maintaining configuration and establishing guardrails around the agent design, software supply chain, web application, and API testing.

ForcedLeak Flaw in Salesforce Agentforce AI Agent Exposed CRM Data

Urgent warning for Fortra GoAnywhere MFT users. A CVSS 10.0 deserialization vulnerability (CVE-2025-10035) in the License Servlet allows command injection. Patch to v7.8.4 immediately to prevent system takeover.

Thousands of companies using Fortra’s GoAnywhere Managed File Transfer (MFT) solution are facing an immediate threat of full system takeover. The issue, officially labelled CVE-2025-10035 and published on September 18, 2025, carries the maximum risk score of 10.0, meaning criminals could gain complete control of systems designed to handle sensitive organisational data.

****What’s the Risk?****

This critical problem is rooted in Fortra’s GoAnywhere MFT’s License Servlet, a component that deals with license checks. It is essentially a deserialization vulnerability. To put it simply, MFT solutions are used by businesses to safely and reliably move large amounts of electronic data (like customer records/financial information) between systems. The software converts complex data into a simple format for transfer (serialisation) and then converts it back (deserialization).

The flaw allows a malicious person to trick the software during the reversal (deserialization) process by using a “validly forged license response signature” to load a harmful object, Fortra’s advisory explains. This can lead to command injection, letting an attacker run their own code on the system.

For your information, GoAnywhere MFT is a high-security solution that automates and protects data exchange for enterprises, including Fortune 500 deployments. So, this flaw may let an attacker seize the entire file transfer infrastructure, risking highly sensitive corporate and government data.

According to long technical analysis from watchTowr Labs, shared with Hackread.com, highlighted the gravity of the situation, noting that there are “over 20,000 instances exposed to the Internet. A playground APT groups dream about.”

Source: watchTowr Labs

Their analysis points to a significant mystery: despite the perfect CVSS 10.0 score, exploiting the bug appears difficult on paper due to a required signature verification check. Yet, the high score, combined with the vendor deleting and updating advisories, suggests the threat is very real as “no vendor assigns a CVSS 10 to a purely theoretical bug.”

This isn’t the first time we’ve seen this; back in 2023, a similar pre-authentication command injection flaw (CVE-2023-0669) in the same product was widely exploited by the cl0p ransomware gang.

****Immediate Action Needed to Protect Data****

The good news is that Fortra has released updates in version 7.8.4 and Sustain Release 7.6.3 to fix the flaw. Organisations are strongly urged to upgrade to one of these patched versions right away.

It is worth noting that this attack relies on the system being directly connected to the public internet, a situation common for these kinds of software. Therefore, as an additional safeguard, administrators should immediately ensure the GoAnywhere Admin Console is not open to the public. Limiting access by placing the service behind a firewall or a VPN is a vital first step, along with monitoring system logs for any unusual activity.

Ryan Dewhurst, a threat intelligence expert at watchTowr, considers this extremely serious, saying, “This issue is almost certain to be weaponised for in-the-wild exploitation soon.”

“The newly disclosed vulnerability in Fortra’s GoAnywhere MFT solution impacts the same license code path in the Admin Console as the earlier CVE-2023-0669, which was widely exploited by multiple ransomware and APT groups in 2023, including LockBit,_“_ he emphasised.

“With thousands of GoAnywhere MFT instances exposed to the Internet, this issue is almost certain to be weaponised for in-the-wild exploitation soon,_“_ Ryan warned.

“While Fortra notes exploitation requires external exposure, these systems are generally Internet-facing by design, so organisations should assume they are vulnerable. Organisations should apply the official patches immediately and take steps to restrict external access to the Admin Console,” Dewhurst noted in his comments shared with Hackread.com.

Source

HackRead