**What is the version information for this release?**

Microsoft Edge Version

Date Released

Based on Chromium Version

140.0.3485.81

09/19/2025

140.0.7339.186

CVE-2025-10500: Chromium: CVE-2025-10500 Use after free in Dawn

CVE-2025-10585: Chromium: CVE-2025-10585 Type Confusion in V8

Cybersecurity researchers have discovered a new malware loader codenamed CountLoader that has been put to use by Russian ransomware gangs to deliver post-exploitation tools like Cobalt Strike and AdaptixC2, and a remote access trojan known as PureHVNC RAT.
"CountLoader is being used either as part of an Initial Access Broker's (IAB) toolset or by a ransomware affiliate with ties to the LockBit,

Cybersecurity researchers have discovered a new malware loader codenamed CountLoader that has been put to use by Russian ransomware gangs to deliver post-exploitation tools like Cobalt Strike and AdaptixC2, and a remote access trojan known as PureHVNC RAT.

"CountLoader is being used either as part of an Initial Access Broker's (IAB) toolset or by a ransomware affiliate with ties to the LockBit, Black Basta, and Qilin ransomware groups," Silent Push said in an analysis.

Appearing in three different versions – .NET, PowerShell, and JavaScript – the emerging threat has been observed in a campaign targeting individuals in Ukraine using PDF-based phishing lures and impersonating the National Police of Ukraine.

It's worth noting that the PowerShell version of the malware was previously flagged by Kaspersky as being distributed using DeepSeek-related decoys to trick users into installing it.

The attacks, per the Russian cybersecurity vendor, led to the deployment of an implant named BrowserVenom that can reconfigure all browsing instances to force traffic through a proxy controlled by the threat actors, enabling the attackers to manipulate network traffic and collect data.

Silent Push's investigation has found the JavaScript version is the most fleshed out implementation of the loader, offering six different methods for file downloading, three different methods for executing various malware binaries, and a predefined function to identify a victim's device based on Windows domain information.

The malware is also capable of gathering system information, setting up persistence on the host by creating a scheduled task that impersonates a Google update task for the Chrome web browser, and connecting to a remote server to await further instructions.

This includes the ability to download and run DLL and MSI installer payloads using rundll32.exe and msiexec.exe, transmit system metadata, and delete the created scheduled task. The six methods used to download files involve the use of curl, PowerShell, MSXML2.XMLHTTP, WinHTTP.WinHttpRequest.5.1, bitsadmin, and certutil.exe.

"By using LOLBins like 'certutil' and 'bitsadmin,' and by implementing an 'on the fly' command encryption PowerShell generator, CountLoader's developers demonstrate here an advanced understanding of the Windows operating system and malware development," Silent Push said.

A notable aspect of CountLoader is its use of the victim's Music folder as a staging ground for malware. The .NET flavor shares some degree of functional crossover with its JavaScript counterpart, but supports only two different types of commands (UpdateType.Zip or UpdateType.Exe), indicating a reduced, stripped-down version.

CountLoader is supported by an infrastructure comprising over 20 unique domains, with the malware serving as a conduit for Cobalt Strike, AdaptixC2, and PureHVNC RAT, the last of which is a commercial offering from a threat actor known as PureCoder. It's worth pointing out that PureHVNC RAT is a predecessor to PureRAT, which is also referred to as ResolverRAT.

Recent campaigns distributing PureHVNC RAT have leveraged the tried-and-tested ClickFix social engineering tactic as a delivery vector, with victims lured to the ClickFix phishing page through fake job offers, per Check Point. The trojan is deployed by means of a Rust-based loader.

"The attacker lured the victim through fake job advertisements, allowing the attacker to execute malicious PowerShell code through the ClickFix phishing technique," the cybersecurity company said, describing PureCoder as using a revolving set of GitHub accounts to host files that support the functionality of PureRAT.

Analysis of the GitHub commits has revealed that activity was carried out from the timezone UTC+03:00, which corresponds to many countries, including Russia, among others.

The development comes as the DomainTools Investigations team has uncovered the interconnected nature of the Russian ransomware landscape, identifying threat actor movements across groups and the use of tools like AnyDesk and Quick Assist, suggesting operational overlaps.

"Brand allegiance among these operators is weak, and human capital appears to be the primary asset, rather than specific malware strains," DomainTools said. "Operators adapt to market conditions, reorganize in response to takedowns, and trust relationships are critical. These individuals will choose to work with people they know, regardless of the name of the organization."

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

CountLoader Broadens Russian Ransomware Operations With Multi-Version Malware Loader

Cybersecurity researchers have discovered two new malicious packages in the Python Package Index (PyPI) repository that are designed to deliver a remote access trojan called SilentSync on Windows systems.
"SilentSync is capable of remote command execution, file exfiltration, and screen capturing," Zscaler ThreatLabz's Manisha Ramcharan Prajapati and Satyam Singh said. "SilentSync also extracts

Malware / Supply Chain Attack

Cybersecurity researchers have discovered two new malicious packages in the Python Package Index (PyPI) repository that are designed to deliver a remote access trojan called SilentSync on Windows systems.

"SilentSync is capable of remote command execution, file exfiltration, and screen capturing," Zscaler ThreatLabz's Manisha Ramcharan Prajapati and Satyam Singh said. "SilentSync also extracts web browser data, including credentials, history, autofill data, and cookies from web browsers like Chrome, Brave, Edge, and Firefox."

The packages, now no longer available for download from PyPI, are listed below. They were both uploaded by a user named "CondeTGAPIS."

*   sisaws (201 Downloads)
*   secmeasure (627 Downloads)

Zscaler said the package sisaws mimics the behavior of the legitimate Python package sisa, which is associated with Argentina's national health information system, Sistema Integrado de Información Sanitaria Argentino (SISA).

However, present in the library is a function called "gen\_token()" in the initialization script (\_\_init\_\_.py) that acts as a downloader for a next-stage malware. To achieve this, it sends a hard-coded token as input, and receives as response a secondary static token in a manner that's similar to the legitimate SISA API.

"If a developer imports the sisaws package and invokes the gen\_token function, the code will decode a hexadecimal string that reveals a curl command, which is then used to fetch an additional Python script," Zscaler said. "The Python script retrieved from PasteBin is written to the filename helper.py in a temporary directory and executed."

Secmeasure, in a similar fashion, masquerades as a "library for cleaning strings and applying security measures," but harbors embedded functionality to drop SilentSync RAT.

SilentSync is mainly geared towards infecting Windows systems at this stage, but the malware is also equipped with built-in features for Linux and macOS as well, making Registry modifications on Windows, altering the crontab file on Linux to execute the payload on system startup, and registering a LaunchAgent on macOS.

The package relies on the secondary token's presence to send an HTTP GET request to a hard-coded endpoint ("200.58.107\[.\]25") in order to receive Python code that's directly executed in memory. The server supports four different endpoints -

*   /checkin, to verify connectivity
*   /comando, to request commands to execute
*   /respuesta, to send a status message
*   /archivo, to send command output or stolen data

The malware is capable of harvesting browser data, executing shell commands, capturing screenshots, and stealing files. It can also exfiltrate files and entire directories in the form of ZIP archives. Once the data is transmitted, all the artifacts are deleted from the host to sidestep detection efforts.

"The discovery of the malicious PyPI packages sisaws and secmeasure highlight the growing risk of supply chain attacks within public software repositories," Zscaler said. "By leveraging typosquatting and impersonating legitimate packages, threat actors can gain access to personally identifiable information (PII)."

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

SilentSync RAT Delivered via Two Malicious PyPI Packages Targeting Python Developers

Google has issued a Chrome update to fix four high priority flaws including one zero-day, zero-click vulnerability.

Google has released an update for its Chrome browser to patch four security vulnerabilities, including one zero-day. A zero-day vulnerability refers to a bug that has been found and exploited by cybercriminals before the vendor even knew about it (they have “zero days” to fix it).

This update is crucial since it addresses one vulnerability which is already being actively exploited and, reportedly, can be abused when the user visits a malicious website. It probably doesn’t require any further user interaction, which means the user doesn’t need to click on anything in order for their system to be compromised.

The Chrome update brings the version number to 140.0.7339.185/.186 for Windows, Mac and 140.0.7339.185 for Linux.

The easiest way to update Chrome is to allow it to update automatically, but you can end up lagging behind if you never close your browser or if something goes wrong—such as an extension stopping you from updating the browser.

To manually get the update, click the more menu (three stacked dots), then choose **Settings** > **About Chrome**. If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is reload Chrome in order for the update to complete, and for you to be safe from the vulnerabilities.

You can find more elaborate update instructions and how to read the version number in our article on how to update Chrome on every operating system.

**Technical details on the zero-day vulnerability**

Google describes the zero-day vulnerability tracked as CVE-2025-10585 as a type confusion in V8. Reported by Google Threat Analysis Group on 2025-09-16.

Despite the short statement—Google never reveals a lot of details until everyone has had a chance to update—there are a few conclusions we can draw.

It helps to know that V8 is Google’s open-source Javascript engine.

A “type confusion” vulnerability happens when code doesn’t verify the object type passed to it and then uses the object without type-checking. So, a program mistakenly treats one type of data as if it were another, like confusing a list for a single value or interpreting a number as text. This mix-up can cause the software to behave unpredictably, creating opportunities for attackers to break in, steal data, crash programs, or even run malicious code.

Google’s Threat Analysis Group (TAG) focuses on spyware and nation-state attackers who abuse zero days for espionage purposes.

So, it stands to reason that an attacker used Javascript to create a malicious site that exploited this vulnerability and lured targeted victims to that website.

TAG reported the bug on September 16, and Google issued the patch one day later. That implies that the bug was urgent, or very easy to fix, and probably that both of those statements are true to some extent.

Usually, as more details become known or a patch gets reverse engineered, cybercriminals will start using the vulnerability in less targeted attacks.

Users of other Chromium-based browsers, such as Microsoft Edge, Brave, Opera, and Vivaldi, are also advised to keep an eye out for updates and install them when they become available.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Update your Chrome today: Google patches 4 vulnerabilities including one zero-day 

Google on Wednesday released security updates for the Chrome web browser to address four vulnerabilities, including one that it said has been exploited in the wild.
The zero-day vulnerability in question is CVE-2025-10585, which has been described as a type confusion issue in the V8 JavaScript and WebAssembly engine.
Type confusion vulnerabilities can have severe consequences as they can be

Vulnerability / Browser Security

Google on Wednesday released security updates for the Chrome web browser to address four vulnerabilities, including one that it said has been exploited in the wild.

The zero-day vulnerability in question is **CVE-2025-10585**, which has been described as a type confusion issue in the V8 JavaScript and WebAssembly engine.

Type confusion vulnerabilities can have severe consequences as they can be weaponized by bad actors to trigger unexpected software behavior, resulting in the execution of arbitrary code and program crashes.

Google's Threat Analysis Group (TAG) has been credited with discovering and reporting the flaw on September 16, 2025.

As is typically the case, the company did not share any additional specifics about how the vulnerability is being abused in real-world attacks, by whom, or the scale of such efforts. This is done to prevent other threat actors from exploiting the issue before users can apply a fix.

"Google is aware that an exploit for CVE-2025-10585 exists in the wild," it acknowledged in a terse advisory.

CVE-2025-10585 is the sixth zero-day vulnerability in Chrome that has been either actively exploited or demonstrated as a proof-of-concept (PoC) since the start of the year. This includes: CVE-2025-2783, CVE-2025-4664, CVE-2025-5419, CVE-2025-6554, and CVE-2025-6558.

To safeguard against potential threats, it's advised to update their Chrome browser to versions 140.0.7339.185/.186 for Windows and Apple macOS, and 140.0.7339.185 for Linux. To make sure the latest updates are installed, users can navigate to More > Help > About Google Chrome and select Relaunch.

Users of other Chromium-based browsers, such as Microsoft Edge, Brave, Opera, and Vivaldi, are also advised to apply the fixes as and when they become available.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

Google Patches Chrome Zero-Day CVE-2025-10585 as Active V8 Exploit Threatens Millions

New research reveals Raven Stealer malware that targets browsers like Chrome and Edge to steal personal data. Learn how this threat uses simple tricks like process hollowing to evade antiviruses and why it's a growing risk for everyday users.

A new sneaky type of malware, known as Raven Stealer, has been identified by the Lat61 Threat Intelligence Team at Point Wild. The research team, led by Onkar R. Sonawane, have found that this simple-looking program is surprisingly good at staying hidden while it steals your personal information. The research, which was shared with Hackread.com, shows that the malware is primarily spread through underground forums and bundled with pirated software.

Built using the programming languages Delphi and C++, Raven Stealer is designed to be small and quick. It works by quietly getting into your computer, where its payload (the part of the malware that does the actual harm) goes to work.

The payload targets popular web browsers like Chrome and Edge to grab things like your passwords, cookies, payment details, and other information you’ve saved. What makes it particularly tricky is that it can send this stolen information directly to a cybercriminal using a Telegram messaging bot. This means the bad guys get your data in real-time.

Attack flow, the UI of the file and the generated payload (Image Credit: Point Wild)

****How It Works****

Point Wild’s report explains that Raven Stealer uses a clever trick called process hollowing to avoid being caught by traditional antivirus programs. This means, instead of leaving a file on your computer’s hard drive, it works entirely within your computer’s memory, pretending to be a regular browser program. It’s like a car thief hollowing out a car and putting a different engine in it, so it looks normal from the outside but is used for something else entirely. This technique makes it tough for security software to spot it.

The malware’s creator used a simple builder program to create the attack file, which hides an encrypted “payload” inside and gives it a unique name to avoid detection. Once on an infected computer, it gathers a screenshot and stolen data into a ZIP file, then tries to send it to the attacker via Telegram. Although this transmission failed in testing due to a Telegram bot token problem, the threat of data theft remains.

****Protecting Yourself****

To keep your personal information safe from threats like this, always use up-to-date antivirus software with real-time protection and avoid downloading pirated programs. It’s also wise to be careful about clicking on suspicious links or attachments.

As Dr. Zulfikar Ramzan, CTO of Point Wild and Head of the Lat61 Threat Intelligence Team, explains, “Raven Stealer shows how commodity malware is evolving – stealing credentials, cookies, and payment data while hiding its tracks through in-memory execution and Telegram exfiltration. It’s a reminder that attackers are packaging advanced techniques into tools that even low-skilled actors can use.”

New Raven Stealer Malware Hits Browsers for Passwords and Payment Data

Waltham, United States, 17th September 2025, CyberNewsWire

**Waltham, United States, September 17th, 2025, CyberNewsWire**

Syteca, a global cybersecurity provider, introduced the latest release of its platform, continuing the mission to help organizations reduce insider risks and ensure sensitive data protection. Syteca 7.21 is a major update designed to enhance user privacy, simplify access management, provide seamless oversight, and improve the user experience.

With release 7.21, Syteca delivers a set of new capabilities, from masking sensitive information in real time to simplifying remote access. These new features help address the most pressing challenges faced by security teams worldwide.

**Sensitive Data Masking**

Syteca has become the first cybersecurity vendor to deliver real-time sensitive data masking. With this feature, the platform automatically detects and obscures confidential information (e.g., passwords, credit card numbers, or personal IDs) during live sessions and in recordings. By blurring this data, Syteca helps prevent exposure of private information and supports compliance with data privacy regulations like the GDPR, HIPAA, and PCI DSS.

**Web Connection Manager**

Users can now launch remote sessions (RDP for Windows or SSH for Linux/Unix) directly in web browsers (Chrome, Safari, and Edge). This means that IT teams don’t bother with installing agents, pushing updates, or troubleshooting installation issues. They just provide fast and secure access for both employees and vendors.

**Full-Motion Capture of On-Screen Activity**

The Syteca platform can now record continuous videos of user sessions, capturing every click and cursor movement. Full-motion session recordings give security teams complete visibility into user activity, which can provide more detailed audit trails and speed up incident investigations. Every session is encrypted for security. 

**Intuitive UI**

Beyond new capabilities, Syteca 7.21 introduces a redesigned user interface. The updated UI has a cleaner design while keeping familiar navigation in place. The lighter interface and reduced on-screen clutter help users find key information faster, thus streamlining daily security tasks.

> “Release 7.21 gives organizations better visibility and control over their internal security,” says Oleg Shomonko, CEO of Syteca. “Features like live data masking, full-motion session recordings, and browser-based access mean our clients can enhance the security of their assets and streamline compliance while reducing IT overhead. This update reflects our focus on solving real IT security challenges without adding complexity.”

Users interested in trying Syteca’s brand new capabilities can access the demo portal at syteca.com. 

**About Syteca**

Syteca is a comprehensive cybersecurity platform that helps organizations worldwide protect their inside perimeter. The Syteca platform combines advanced user activity monitoring (UAM) and robust privileged access management (PAM) solutions that empower organizations to govern access, mitigate insider threats, prevent data breaches, and streamline IT compliance. Syteca serves over 1,500 customers across different industries. 

**Contact**

**Chief Marketing Officer**  
**Helen Gamasenko**  
**Syteca**  
**\[email protected\]**

New in Syteca Release 7.21: Agentless Access, Sensitive Data Masking, and Smooth Session Playback

The new lightweight stealer, distributed via underground forums and cracked software, demonstrates an important evolution in the stealth of commodity infostealing malware.

Raven Stealer Scavenges Chromium Data Via Telegram

Every VPN says it’s the best, but only some of them are telling the truth.

*   **The Best VPN for Streaming**
    
    Screenshot courtesy of Scott Gilberson via NordVPN
    
    NordVPN has a long history, and it's one of the most prominent VPN services on the market. It comes with one of the largest VPN networks available, enough features to make Surfshark blush, and decent (though not the best) speeds. It's a little more expensive than I'd hoped for, but that's the price you pay for such an extensive network and feature set.
    
    Where NordVPN really excels is in media. Streaming providers like Netflix and HBO Max are privy to how VPNs circumvent geo-restrictions, and a small network means you're more likely to get blocked. The fact that NordVPN has such a large network gives it an edge in streaming and less sensitive online browsing. It really wins with its NordWhisper protocol. The company recommends using its WireGuard-based NordLynx protocol most of the time, but NordWhisper sacrifices a bit of speed to obfuscate VPN traffic further, getting around most blocks.
    
    NordWhisper isn't made for normal streaming environments, but it's great to have on restrictive networks. If you're traveling internationally and using hotel Wi-Fi, for instance, NordWhisper can help circumvent VPN blocks. The company saw a minor breach in 2018 and stirred up controversy in 2022 with a subtle change in wording regarding cooperation with law enforcement. In both cases, it responded quickly and maintained transparency, so contrary to what you may have read, NordVPN is safe to use.
    
    Specs
    
    **Number of devices:** 10
    
    **Number of servers:** 7,400+
    
    **Applications:** Windows, macOS, Linux, iOS, Android, Chrome, Firefox, Edge, Google TV, Apple TV
    
    **Features:** Kill switch, split tunneling, double-hop, dark web monitoring, P2P servers
    

**Other VPNs We’ve Tested**

**Private Internet Access (PIA)** has a long history in the VPN space, and it's maintained a track record of defending user privacy—even in the face of actual criminal activity. In 2016, a criminal complaint was filed in Florida against Preston Alexander McWaters for threats made online. McWaters was eventually convicted and sentenced to 42 months in prison. Investigators traced the online threats back to PIA's servers and subpoenaed the company. As the complaint reads, “A subpoena was sent to \[Private Internet Access\] and the only information they could provide is that the cluster of IP addresses being used was from the east coast of the United States.” McWaters engaged in several other identifying activities, according to the complaint, but PIA wasn't among them. Despite such a clear view of a VPN provider upholding its no-logging policy, PIA didn't impress me during my tests. It's slightly more expensive than a lot of our top picks, and it delivered the worst speeds out of any VPN I tested, with more than a 50 percent drop on the closest US server. (Windscribe, for context, only dropped 15.6 percent of my speed.)

**MysteriumVPN** is the go-to dVPN, or decentralized VPN, as far as I can tell. The concept of a decentralized VPN has existed for a while, but it's really gained traction over the last couple of years. The idea is to have a network of residential IP addresses that make up the network, routing your traffic through normal IP addresses to get around the increasingly common block lists for VPN servers. Mysterium accomplishes this network with MystNodes. It's a crypto node. People buy the node to earn crypto, and they're put into the Mysterium network. It's not inherently bad, but routing your traffic through a single residential IP is a little worrisome. Even without the decentralized kick, Mysterium was slow, and it doesn't maintain any sort of privacy materials, be it a third-party audit, warranty canary, or transparency report.

**PrivadoVPN** is one of the popular options to recommend as a free VPN. It offers a decent free service, with a handful of full-speed servers and 10 GB of data per month. You'll have to suffer through four—yes, four—redirects begging you to pay for a subscription before signing up, but the free plan works. The problem is how new PrivadoVPN is. There's no transparency report or audit available, and although the speeds are decent, they aren't as good as Proton, Windscribe, or Surfshark. PrivadoVPN isn't bad, but it's hard to recommend when Proton and Windscribe exist with free plans that are equally as good.

**How We Test VPNs**

Functionally, a VPN should do two things: keep your internet speed reasonably fast, and actually protect your browsing data. That's where I focused my testing. Extra features, a comfy UI, and customization settings are great, but they don't matter if the core service is broken.

Speed testing requires spot-checking, as the time of day, the network you're connected to, and the specific VPN server you're using can all influence speeds. Because of that, I always set a baseline speed on my unprotected connection directly before recording results, and I ran the test three times across both US and UK servers. With those baseline drops, I spot-checked at different times of the day over the course of a week to see if the speed decrease was similar.

Security is a bit more involved. For starters, I checked for DNS, WebRTC, and IP leaks every time I connected to a server using Browser Leaks. I also ran brief tests sniffing my connection with Wireshark to ensure all of the packets being sent were secured with the VPN protocol in use.

On the privacy front, the top-recommended services included on this list have been independently audited, and they all maintain some sort of transparency report. In most cases, there's a proper report, but in others, such as Windscribe, that transparency is exposed through legal proceedings.

Tag

#chrome