**What is the version information for this release?**

Microsoft Edge Version

Date Released

Based on Chromium Version

140.0.3485.81

09/19/2025

140.0.7339.186

CVE-2025-10500: Chromium: CVE-2025-10500 Use after free in Dawn

CVE-2025-10585: Chromium: CVE-2025-10585 Type Confusion in V8

This edition pulls the curtain aside to show the realities of the VPN Filter campaign. Joe reflects on the struggle to prevent burnout in a world constantly on fire.

Thursday, September 18, 2025 14:00

Welcome to this week’s edition of the Threat Source newsletter. 

This is gonna be a tough read. I’m sorry. Believe it or not, it’s even tougher for me to write. I want to talk about what it costs to be in the cybersecurity profession. Not money or time, but potentially your health, both mentally and physically. I want to move the curtain aside and show you an inside look at what happens to people when the pressure is high and the desire to succeed is not only essential, but sometimes even life and death. 

So, story time. 

Seven years ago, Cisco Talos disclosed a novel and new threat campaign: VPN Filter. VPN Filter was a small office/home office (SOHO) device botnet that had many new things we’d never seen before in SOHO devices: infection persistence past device reboot, modularity, victimology, and perhaps most importantly, the (later) attribution to the Russian threat actor APT28 (aka Sandworm). The platform also featured a kill switch, a module designed to cover the tracks and or destroy a device infected with VPN Filter. This could be executed en masse, if they desired. This was a methodical, clever and well-structured campaign to attack unpatched and/or vulnerable devices all over the world for state cyber operations. As I look back at that time, it was (and still is) a marvel of tradecraft and offensive cyber operations. 

Put yourself in our position at Talos. We’ve just discovered a massive campaign by a notorious threat actor. We all know what this is, who this is, and what the consequences could be — and the threat actor had a massive head start on us. We absolutely couldn’t screw this up. If we tipped our hand via our research, the threat actor might get spooked and just burn the whole thing down with the kill switch. The stakes were very high. 

We spent months reversing and analyzing the malware, the victimology, infrastructure, and understanding the scale and scope of what VPN Filter did and potentially could do. The more we peeled things back, the more ominous the implications and the harder we worked. 

As the weeks turned into months, the hours we worked grew longer and longer, and the stress began to take its toll on all of us. The raw enormity of the tasks of analyzing and responding to VPN Filter and the stress of being stealthy begin to extract a price from us personally. Attitudes grew sour, relationships frayed, and some were rent asunder completely. For me, personally, it was a very dark time and would cost me dearly – I would exit people management into an individual contributor role that I still inhabit to this day. 

In the end, the threat actor forced us to into action. We had always theorized a “break glass” moment when the threat actor might hit the gas pedal and we would have to alert the world. One day we saw a massive spike in infections in Ukraine, and we disclosed to the world VPN Filter. We still had so many unanswered questions but had no choice when we saw the spike. In a way, it was a mercy. We had long since hit our limit and were just all collectively cooked and demoralized. I know I was, and it deeply affected my relationships and career, the reverberations of which I still feel to this day.  

I’m often asked by new or potential security practitioners, “Joe, what’s a cool hacker story?!” I have plenty of those, and VPN Filter is certainly one of them. But rarely does anyone want to hear the worst days of our lives. The tales of burnout and stress. Of the long hours and constant work. There is _always_ a breach happening somewhere, your company is _always_ under attack, there is _always_ a story of a someone getting hacked and sometimes people are even hurt or killed. This cadence takes a toll – from events like VPN Filter, to being in a SOC – it’s all the same. No matter where you work, we are here to keep our customers, constituents, and communities safe from some real assholes out there. It is about fighting the good fight, and the fight never stops.  

So, what can we do about it? How can you avoid being me in the middle of VPN Filter? 

1.  **Learn and enforce boundaries.** You must make space and time for you and firmly enforce that space and time. If that means disabling after hours comms, then do so, and do so guilt free. You must look after yourself. 
2.  **Peer support.** Whether it's a therapist, a colleague, or a Slack/Discord/Bsides where you can share and vent with others in the same boat as you, you must reduce the sense of isolation this career space can give you. Others are looking for the same thing and happy to listen and share. Celebrate your wins with people who are eager to reciprocate.  
3.  **Unplugged self-care.** This is tough, and I’m not great at it. Exercise, paint, work in your garden and do something unrelated to your job. Put down the hell rectangle that is your phone and unplug from the news and social media. 
4.  **Mandatory decompression/vacation.** After an incident, be it VPN Filter or a breach, leaders: _look after your people._ Recognize burnout and push your directs into some enforced downtime so they can recover. At a minimum, rotate them into a less stressful role so they can take a break. It’s your responsibility to care for those who work hard for you. 

Responding after the event is just as important as responding to the event itself. Every breach, VPN Filter-like event, or emergency is an opportunity to reflect on the cost to your health and evaluate what you can do to help yourself and others. This is a tough gig sometimes, but it’s a calling we love. Just take care of yourself and each other, ya hear?

**The one big thing **

In Talos' latest blog post, we break down why having a Cisco Talos Incident Response (IR) Retainer is a game-changer for any organization facing today’s nonstop cyber threats. With a Talos IR Retainer, you get direct access to our expert team, 24/7 emergency support, and tailored plans that keep everyone — from IT to leadership — on the same page. You’ll also benefit from continuous threat intelligence and real-world guidance to help your organization bounce back stronger after any incident. 

**Why do I care? **

Our team helps you hunt threats before they escalate, assess your readiness and improve your security posture over time. If a cyber incident hits, having a trusted partner already in place means you’re prepared to act decisively, with clear roles, tested procedures and experts ready to back you up every step of the way. 

**So now what? **

Think about securing a Talos IR Retainer to make sure you’ve got experts on speed dial and your defenses are always up to date. Reach out to us to schedule a tabletop exercise or to talk through how prepared your organization really is.

**Top security headlines of the week **

**New VoidProxy phishing service bypasses MFA on Microsoft and Google accounts**   
An attack typically begins with a deceptive email sent from a compromised account of legitimate email service providers, like Constant Contact, Active Campaign or NotifyVisitors. (Hack Read) 

**Shai-Hulud supply chain attack: Worm used to steal secrets, 180+ npm packages hit**   
The self-spreading potential of the malicious code will likely keep the campaign alive for a few more days. To avoid being infected, users should be wary of any packages that have new versions on npm but not on GitHub, and pin dependencies. (SecurityWeek) 

**Google nukes 224 Android malware apps behind massive ad fraud campaign**   
The apps were downloaded over 38 million times and employed obfuscation and steganography to conceal the malicious behavior from Google and security tools. (Bleeping Computer) 

**Former FinWise employee may have accessed nearly 700K customer records**   
Nearly 700,000 FinWise Bank customers are being notified after a former employee may have accessed or taken personal data post-employment. The incident went undetected for over a year. (The Register)

**Can’t get enough Talos? **

*   **Alex Ryan: From zero chill to quiet confidence**   
    Discover how a Cisco Talos Incident Response expert transitioned from philosophy to the high-stakes, emotionally intense world of incident command, and the advice that she has for aspiring cybersecurity professionals. 
*   **Beers with Talos: How to ruin an APT's day**   
    The B-Team is joined by Sara McBroom from Talos’ nation-state threat intelligence and interdiction team. Sara shares her journey from a liberal arts major to tracking some of the world’s most advanced adversaries. 
*   **Tampered Chef: When malvertising serves up infostealers**   
    Imagine downloading a PDF Editor tool from the internet that works great... until nearly two months later, when it quietly steals your credentials. Nick Biasini explains how cybercriminals are investing in "malvertising" and challenges in defense.

**Upcoming events where you can find Talos **

*   LABScon (Sept. 17 – 20) Scottsdale, AZ 
*   VB2025 (Sept. 24 – 26) Berlin, Germany 
*   Wild West Hackin' Fest (Oct. 8 – 10) Deadwood, SD

**Most prevalent malware files from Talos telemetry over the past week **

**SHA256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507**    
MD5: 2915b3f8b703eb744fc54c81f4a9c67f   
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
Typical Filename: executable.exe   
Claimed Product: N/A     
Example Filename:0a0dc0e95070a2b05b04c2f0a049dad8\_1\_Exe.exe    
Detection Name: Win.Worm.Coinminer::1201 

**SHA256: 41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610**    
MD5: 85bbddc502f7b10871621fd460243fbc    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=41f14d86bcaf8e949160ee2731802523e0c76fea87adf00ee7fe9567c3cec610    
Typical Filename: nwx3hgsl.exe   
Claimed Product: Self-extracting archive   
Detection Name: W32.41F14D86BC-100.SBX.TG 

**SHA256: c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe**    
MD5: bf9672ec85283fdf002d83662f0b08b7    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=c0ad494457dcd9e964378760fb6aca86a23622045bca851d8f3ab49ec33978fe    
Typical Filename: werrx01USAHTML   
Claimed Product: N/A   
Detection Name: W32.C0AD494457-95.SBX.TG 

**SHA256: 96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974**    
MD5: aac3165ece2959f39ff98334618d10d9    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=96fa6a7714670823c83099ea01d24d6d3ae8fef027f01a4ddac14f123b1c9974    
Typical Filename: ~3B6A.tmp   
Claimed Product: N/A   
Detection Name: W32.Injector:Gen.21ie.1201 

**SHA256: a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91**   
MD5: 7bdbd180c081fa63ca94f9c22c457376    
Talos Rep: https://talosintelligence.com/talos\_file\_reputation?s=a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
Typical Filename: img001.exe   
Claimed Product:   
Detection Name: Win.Dropper.Miner::95.sbx.tg

Put together an IR playbook — for your personal mental health and wellbeing

A pair of flaws in Microsoft's Entra ID identity and access management system could have allowed an attacker to gain access to virtually all Azure customer accounts.

As businesses around the world have shifted their digital infrastructure over the last decade from self-hosted servers to the cloud, they’ve benefitted from the standardized, built-in security features of major cloud providers like Microsoft. But with so much riding on these systems, there can be potentially disastrous consequences at a massive scale if something goes wrong. Case in point: Security researcher Dirk-jan Mollema recently stumbled upon a pair of vulnerabilities in Microsoft Azure’s identity and access management platform that could have been exploited for a potentially cataclysmic takeover of all Azure customer accounts.

Known as Entra ID, the system stores each Azure cloud customer’s user identities, sign-in access controls, applications, and subscription management tools. Mollema has studied Entra ID security in depth and published multiple studies about weaknesses in the system, which was formerly known as Azure Active Directory. But while preparing to present at the Black Hat security conference in Las Vegas in July, Mollema discovered two vulnerabilities that he realized could be used to gain global administrator privileges—essentially god mode—and compromise every Entra ID directory, or what is known as a “tenant.” Mollema says that this would have exposed nearly every Entra ID tenant in the world other than, perhaps, government cloud infrastructure.

“I was just staring at my screen. I was like, ‘No, this shouldn’'t really happen,’” says Mollema, who runs the Dutch cybersecurity company Outsider Security and specializes in cloud security. “It was quite bad. As bad as it gets, I would say.”

“From my own tenants—my test tenant or even a trial tenant—you could request these tokens and you could impersonate basically anybody else in anybody else’s tenant,” Mollema adds. “That means you could modify other people's configuration, create new and admin users in that tenant, and do anything you would like.”

Given the seriousness of the vulnerability, Mollema disclosed his findings to the Microsoft Security Response Center on July 14, the same day that he discovered the flaws. Microsoft started investigating the findings that day and issued a fix globally on July 17. The company confirmed to Mollema that the issue was fixed by July 23 and implemented extra measures in August. Microsoft issued a CVE for the vulnerability on September 4.

“We mitigated the newly identified issue quickly, and accelerated the remediation work underway to decommission this legacy protocol usage, as part of our Secure Future Initiative,” Tom Gallagher, Microsoft’s Security Response Center vice president of engineering, told WIRED in a statement. “We implemented a code change within the vulnerable validation logic, tested the fix, and applied it across our cloud ecosystem.”

Gallagher says that Microsoft found “no evidence of abuse” of the vulnerability during its investigation.

Both vulnerabilities relate to legacy systems still functioning within Entra ID. The first involves a type of Azure authentication token Mollema discovered known as Actor Tokens that are issued by an obscure Azure mechanism called the “Access Control Service.” Actor Tokens have some special system properties that Mollema realized could be useful to an attacker when combined with another vulnerability. The other bug was a major flaw in a historic Azure Active Directory application programming interface known as “Graph” that was used to facilitate access to data stored in Microsoft 365. Microsoft is in the process of retiring Azure Active Directory Graph and transitioning users to its successor, Microsoft Graph, which is designed for Entra ID. The flaw was related to a failure by Azure AD Graph to properly validate which Azure tenant was making an access request, which could be manipulated so the API would accept an Actor Token from a different tenant that should have been rejected.

“Microsoft built security controls around identity like conditional access and logs, but this internal impression token mechanism bypasses them all,” says Michael Bargury, the CTO at security firm Zenity. “This is the most impactful vulnerability you can find in an identity provider, effectively allowing full compromise of any tenant of any customer.”

If the vulnerability had been discovered by, or fallen into the hands of, malicious hackers, the fallout could have been devastating.

“We don't need to guess what the impact may have been; we saw two years ago what happened when Storm-0558 compromised a signing key that allowed them to log in as any user on any tenant,” Bargury says.

While the specific technical details are different, Microsoft revealed in July 2023 that the Chinese cyber espionage group known as Storm-0558 had stolen a cryptographic key that allowed them to generate authentication tokens and access cloud-based Outlook email systems, including those belonging to US government departments.

Conducted over the course of several months, a Microsoft postmortem on the Storm-0558 attack revealed several errors that led to the Chinese group slipping past cloud defenses. The security incident was one of a string of Microsoft issues around that time. These motivated the company to launch its “Secure Future Initiative,” which expanded protections for cloud security systems and set more aggressive goals for responding to vulnerability disclosures and issuing patches.

Mollema says that Microsoft was extremely responsive about his findings and seemed to grasp their urgency. But he emphasizes that his findings could have allowed malicious hackers to go even farther than they did in the 2023 incident.

“With the vulnerability, you could just add yourself as the highest privileged admin in the tenant, so then you have full access,” Mollema says. Any Microsoft service “that you use EntraID to sign into, whether that be Azure, whether that be SharePoint, whether that be Exchange—that could have been compromised with this.”

This Microsoft Entra ID Vulnerability Could Have Been Catastrophic

Microsoft and Cloudflare have delivered a major blow to the fastest growing Phishing-as-a-Service operation called RaccoonO365.

Microsoft and Cloudflare have disrupted a Phishing-as-a-Service operation, known as RaccoonO365.

The primary goal of RaccoonO365 (or Storm-2246 as Microsoft calls it) was to rent out a phishing toolkit that specialized in stealing Microsoft 365 credentials. They were successful in at least 5,000 cases, spanning 94 countries since July 2024.

The operation provided the cybercriminals’ customers with stolen credentials, cookies, and data which they in turn could use to plunder OneDrive, SharePoint, and Outlook accounts for information to use in financial fraud, extortion, or to serve as initial access for larger attacks.

Roughly an attack would look like this:

*   Emails were sent to victims with an attachment containing a link or QR code.
*   The malicious link led to a page with a simple CAPTCHA. This and other anti-bot techniques were implemented to evade analysis without raising suspicion from the victim.
*   After solving the CAPTCHA, the victim was redirected to a fake Microsoft O365 login page designed to harvest the entered credentials.

RaccoonO365 built its operation on top of legitimate infrastructure in an attempt to avoid detection. Leveraging free accounts, they strategically deployed Cloudflare workers to act as an intermediary layer, shielding their backend phishing servers from direct public exposure.

Reacting to this abuse of its services, Cloudflare teamed up with Microsoft’s Digital Crimes Unit (DCU). Using a court order granted by the Southern District of New York, the DCU seized 338 websites associated with RaccoonO365.

The danger of phishing kits like these is clear. Even non-technical criminals can lease a 30-day plan for $355 (to be paid in cryptocurrency) and get their hands on valid Microsoft O365 credentials. With the latest new feature of the phishing kit, users of the kit can even receive codes for certain multi-factor authentication (MFA) methods.

From there they can move forward to data theft, financial fraud, or even use the credentials to infiltrate an organization to deploy ransomware. And to give you an idea, RaccoonO365 customers were able to send emails to 9,000 targets per day. The suspected leaders of the operation had over 850 members on Telegram and have received at least US$100,000 in cryptocurrency payments.

The takedown of the websites and the attribution to a Nigerian suspect cut off the cybercriminals’ revenue streams, and significantly increased RaccoonO365’s operational costs. Besides that, the main suspect is believed to be the main coder behind the project and his apprehension by international law enforcement is likely to be a major blow to the operation.

Now, RaccoonO365 phishing kit customers can start worrying about how much of their information could be revealed in the aftermath of this disruption.

We’ll keep you posted.

**Don’t fall for phishing attempts**

In the operations run by RaccoonO365 two simple rules could have saved you from lots of trouble.

*   Don’t click on links in unsolicited attachments
*   Check if the website address in the browser matches the domain you expect to be on (eg. Microsoft.com).

Other important tips to stay safe from phishing in general:

*   Verify the sender: Always check if the sender’s email address matches what you would expect it to be. It’s not always conclusive but it can help you spot some attempts.
*   Check through an independent channel if the sender actually sent you an attachment or a link.
*   Use up-to-date security software, preferably with a web protection component.
*   Keep your device and all its software updated.
*   Use multi-factor authentication for every account you can.
*   Use a password manager. Password managers will not auto-fill a password to a fake site, even if it looks like the real deal to you.

**We don’t just report on threats – we help safeguard your entire digital identity**

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Disrupted phishing service was after Microsoft 365 credentials 

Google has issued a Chrome update to fix four high priority flaws including one zero-day, zero-click vulnerability.

Google has released an update for its Chrome browser to patch four security vulnerabilities, including one zero-day. A zero-day vulnerability refers to a bug that has been found and exploited by cybercriminals before the vendor even knew about it (they have “zero days” to fix it).

This update is crucial since it addresses one vulnerability which is already being actively exploited and, reportedly, can be abused when the user visits a malicious website. It probably doesn’t require any further user interaction, which means the user doesn’t need to click on anything in order for their system to be compromised.

The Chrome update brings the version number to 140.0.7339.185/.186 for Windows, Mac and 140.0.7339.185 for Linux.

The easiest way to update Chrome is to allow it to update automatically, but you can end up lagging behind if you never close your browser or if something goes wrong—such as an extension stopping you from updating the browser.

To manually get the update, click the more menu (three stacked dots), then choose **Settings** > **About Chrome**. If there is an update available, Chrome will notify you and start downloading it. Then all you have to do is reload Chrome in order for the update to complete, and for you to be safe from the vulnerabilities.

You can find more elaborate update instructions and how to read the version number in our article on how to update Chrome on every operating system.

**Technical details on the zero-day vulnerability**

Google describes the zero-day vulnerability tracked as CVE-2025-10585 as a type confusion in V8. Reported by Google Threat Analysis Group on 2025-09-16.

Despite the short statement—Google never reveals a lot of details until everyone has had a chance to update—there are a few conclusions we can draw.

It helps to know that V8 is Google’s open-source Javascript engine.

A “type confusion” vulnerability happens when code doesn’t verify the object type passed to it and then uses the object without type-checking. So, a program mistakenly treats one type of data as if it were another, like confusing a list for a single value or interpreting a number as text. This mix-up can cause the software to behave unpredictably, creating opportunities for attackers to break in, steal data, crash programs, or even run malicious code.

Google’s Threat Analysis Group (TAG) focuses on spyware and nation-state attackers who abuse zero days for espionage purposes.

So, it stands to reason that an attacker used Javascript to create a malicious site that exploited this vulnerability and lured targeted victims to that website.

TAG reported the bug on September 16, and Google issued the patch one day later. That implies that the bug was urgent, or very easy to fix, and probably that both of those statements are true to some extent.

Usually, as more details become known or a patch gets reverse engineered, cybercriminals will start using the vulnerability in less targeted attacks.

Users of other Chromium-based browsers, such as Microsoft Edge, Brave, Opera, and Vivaldi, are also advised to keep an eye out for updates and install them when they become available.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Update your Chrome today: Google patches 4 vulnerabilities including one zero-day 

Concurrent execution using shared resource with improper synchronization ('race condition') in Microsoft Graphics Component allows an authorized attacker to elevate privileges locally.

CVE-2025-59216: Windows Graphics Component Elevation of Privilege Vulnerability

Use after free in Microsoft Graphics Component allows an authorized attacker to elevate privileges locally.

CVE-2025-59215: Windows Graphics Component Elevation of Privilege Vulnerability

Google on Wednesday released security updates for the Chrome web browser to address four vulnerabilities, including one that it said has been exploited in the wild.
The zero-day vulnerability in question is CVE-2025-10585, which has been described as a type confusion issue in the V8 JavaScript and WebAssembly engine.
Type confusion vulnerabilities can have severe consequences as they can be

Vulnerability / Browser Security

Google on Wednesday released security updates for the Chrome web browser to address four vulnerabilities, including one that it said has been exploited in the wild.

The zero-day vulnerability in question is **CVE-2025-10585**, which has been described as a type confusion issue in the V8 JavaScript and WebAssembly engine.

Type confusion vulnerabilities can have severe consequences as they can be weaponized by bad actors to trigger unexpected software behavior, resulting in the execution of arbitrary code and program crashes.

Google's Threat Analysis Group (TAG) has been credited with discovering and reporting the flaw on September 16, 2025.

As is typically the case, the company did not share any additional specifics about how the vulnerability is being abused in real-world attacks, by whom, or the scale of such efforts. This is done to prevent other threat actors from exploiting the issue before users can apply a fix.

"Google is aware that an exploit for CVE-2025-10585 exists in the wild," it acknowledged in a terse advisory.

CVE-2025-10585 is the sixth zero-day vulnerability in Chrome that has been either actively exploited or demonstrated as a proof-of-concept (PoC) since the start of the year. This includes: CVE-2025-2783, CVE-2025-4664, CVE-2025-5419, CVE-2025-6554, and CVE-2025-6558.

To safeguard against potential threats, it's advised to update their Chrome browser to versions 140.0.7339.185/.186 for Windows and Apple macOS, and 140.0.7339.185 for Linux. To make sure the latest updates are installed, users can navigate to More > Help > About Google Chrome and select Relaunch.

Users of other Chromium-based browsers, such as Microsoft Edge, Brave, Opera, and Vivaldi, are also advised to apply the fixes as and when they become available.

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

Google Patches Chrome Zero-Day CVE-2025-10585 as Active V8 Exploit Threatens Millions

Phishing-as-a-service (PhaaS) kits have become an increasingly popular way for lower-skill individuals who want to get into cybercrime.

Tag

#microsoft