Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally.

CVE-2025-54899: Microsoft Excel Remote Code Execution Vulnerability

Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally.

CVE-2025-54906: Microsoft Office Remote Code Execution Vulnerability

Untrusted pointer dereference in Microsoft Office Word allows an unauthorized attacker to disclose information locally.

CVE-2025-54905: Microsoft Word Information Disclosure Vulnerability

Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.

CVE-2025-54904: Microsoft Excel Remote Code Execution Vulnerability

CVE-2025-54903: Microsoft Excel Remote Code Execution Vulnerability

Cybersecurity researchers have detailed a new sophisticated malware campaign that leverages paid ads on search engines like Google to deliver malware to unsuspecting users looking for popular tools like GitHub Desktop.
While malvertising campaigns have become commonplace in recent years, the latest activity gives it a little twist of its own: Embedding a GitHub commit into a page URL containing

Malvertising / Encryption

Cybersecurity researchers have detailed a new sophisticated malware campaign that leverages paid ads on search engines like Google to deliver malware to unsuspecting users looking for popular tools like GitHub Desktop.

While malvertising campaigns have become commonplace in recent years, the latest activity gives it a little twist of its own: Embedding a GitHub commit into a page URL containing altered links that point to attacker-controlled infrastructure.

"Even when a link seems to point to a reputable platform such as GitHub, the underlying URL can be manipulated to resolve to a counterfeit site," Arctic Wolf said in a report published last week.

Exclusively targeted IT and software development companies within Western Europe since at least December 2024, the links within the rogue GitHub commit are designed to funnel users to a malicious download hosted on a lookalike domain ("gitpage\[.\]app").

The first-stage malware delivered using poisoned search results is a bloated 128 MB Microsoft Software Installer (MSI) that, owing to its size, evades most existing online security sandboxes, while a Graphics Processing Unit (GPU)-gated decryption routine keeps the payload encrypted on systems without a real GPU. The technique has been codenamed GPUGate.

"Systems without proper GPU drivers are likely to be virtual machines (VMs), sandboxes, or older analysis environments that security researchers commonly use," the cybersecurity company said. "The executable \[...\] uses GPU functions to generate an encryption key for decrypting the payload, and it checks the GPU device name as it does this."

Besides incorporating several garbage files as a filler and complicating analysis, it also terminates execution if the device name is less than 10 characters or GPU functions are not available.

The attack subsequently entails the execution of a Visual Basic Script that launches a PowerShell script, which, in turn, runs with administrator privileges, adds Microsoft Defender exclusions, sets up scheduled tasks for persistence, and finally runs executable files extracted from a downloaded ZIP archive.

The end goal is to facilitate information theft and deliver secondary payloads, while simultaneously evading detection. It's assessed that the threat actors behind the campaign have native Russian language proficiency, given the presence of Russian language comments in the PowerShell script.

Further analysis of the threat actor's domain has revealed it to be acting as a staging ground for Atomic macOS Stealer (AMOS), suggesting a cross-platform approach.

"By exploiting GitHub's commit structure and leveraging Google Ads, threat actors can convincingly mimic legitimate software repositories and redirect users to malicious payloads – bypassing both user scrutiny and endpoint defenses," Arctic Wolf.

The disclosure comes as Acronis detailed the ongoing evolution of a trojanized ConnectWise ScreenConnect campaign that uses the remote access software to drop AsyncRAT, PureHVNC RAT, and a custom PowerShell-based remote access trojan (RAT) on infected hosts in social engineering attacks aimed at U.S. organizations since March 2025.

The bespoke PowerShell RAT, executed by means of a JavaScript file downloaded from the cracked ScreenConnect server, provides some basic functionalities such as running programs, downloading and executing files, and a simple persistence mechanism.

"Attackers now use a ClickOnce runner installer for ScreenConnect, which lacks embedded configuration and instead fetches components at runtime," the security vendor said. "This evolution makes traditional static detection methods less effective and complicates prevention, leaving defenders with few reliable options."

Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.

GPUGate Malware Uses Google Ads and Fake GitHub Commits to Target IT Firms

Phishers are abusing Apple and Microsoft infrastructure to send out call-back phishing emails with legitimate sender and return addresses.

Once again, phishers are targeting PayPal users by abusing existing legitimate infrastructure. Only this time they’re not abusing PayPal’s platform, but iCloud Calendar invites.

Our friends over at BleepingComputer unraveled a call-back phishing scam which was sent to one of their readers.

> “Pedro McCarthy invited you to ‘Purchase Invoice’.
> 
> Purchase Invoice
> 
> Hello Customer,  
> Your PayPal account has been billed $599.00  
> We’re confirming receipt of your recent payment. Below are the details:  
> Invoice ID: AFER13VD
> 
> Date: AUG 28, 2025
> 
> Amount: USD 599.00
> 
> If you wish to discuss or make changes to this payment, please contact our support team at +1 +1 (786) 902 8579”

The sender email address shows as noreply@email.apple.com which helps it pass every imaginable email security check since it actually came from an Apple server. This happens because it is an iCloud Calendar invite, with the phishing text written in the “Notes” field.

To the recipient it shows a Microsoft 365 account controlled by the phishers. When creating such an iCloud Calendar event with external people added to the invite, an email is sent from Apple’s servers from the iCloud Calendar owner’s name with the email address noreply@email.apple.com.

The Microsoft 365 account is very likely a mailing list holding the email addresses of the targets in this campaign. This method allows the phishers to use the Microsoft Sender Rewriting Scheme (SRS), a technical method used to make email forwarding work smoothly without breaking anti-spoofing protections.

Because the rewritten sender address now belongs to the forwarding domain (e.g., Microsoft 365) it doesn’t trigger any alarms. Meanwhile, the “From” address you see in your email program remains the same as the original sender, so the email looks legitimate to the recipient—especially when that address belongs to Apple.

A call-back phishing campaign is usually set up to entrap targets that decide to call the number listed in the invitation. They’ll be asked to download something under false pretences, which often turns out to be a remote desktop client or information-stealing malware—which will then be used to drain all your accounts.

**How to stay safe**

Don’t be fooled by the legitimate sender email address. Besides spoofing a sender email address, criminals are finding other ways to abuse big tech infrastructure and make it look as if an email came from a legitimate company.

The email has many of the usual signs of a phishing mail:

*   Urgency is imposed by a large amount being billed
*   Generic greetings: “Hello customer” and not your name.
*   The receiver’s email address is not yours.
*   The spelling error in the phone number (twice the +1)

What you can do:

*   Always search phone numbers and email addresses to look for associations with known scams.
*   Login directly to PayPal.com to see if there are any messages in your account.
*   Enable two-factor authentication (2FA) on your Paypal account to add an extra layer of security to your financial accounts and help prevent scammers getting in.
*   Report suspicious emails and phishing emails to phishing@paypal.com. Then delete them.

**We don’t just report on scams—we help detect them**

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

 iCloud Calendar infrastructure abused in PayPal phishing campaign 

Cybersecurity never slows down. Every week brings new threats, new vulnerabilities, and new lessons for defenders. For security and IT teams, the challenge is not just keeping up with the news—it’s knowing which risks matter most right now. That’s what this digest is here for: a clear, simple briefing to help you focus where it counts.
This week, one story stands out above the rest: the

⚡ Weekly Recap: Drift Breach Chaos, Zero-Days Active, Patch Warnings, Smarter Threats & More

Explore lessons learned from over two years of Talos IR pre-ransomware engagements, highlighting the key security measures, indicators and recommendations that have proven effective in stopping ransomware attacks before they begin.

**Stopping ransomware before it starts: Lessons from Cisco Talos Incident Response**

Monday, September 8, 2025 06:00

*   Over the past two and a half years (January 2023 through June 2025), Cisco Talos Incident Response (Talos IR) has responded to numerous engagements that we classified as pre-ransomware incidents.
*   Talos looked back to analyze what key security measures were credited with deterring ransomware deployment in each pre-ransomware engagement, finding that the top two factors were swift engagement with the incident response team and rapid actioning of alerts from security solutions (predominantly within two hours of the alert).
*   We also classified almost two dozen observed pre-ransomware indicators in these engagements, as the top observed tactics provide insight into what malicious activity frequently preempts a more severe attack. Finally, we analyzed Talos IR’s most frequent recommendations to customers to ascertain common security gaps.
*   Aggregation of this data and the follow-on analysis is intended to provide actionable guidance that can assist organizations in improving their defenses against ransomware activity. 

**What characterizes an incident as “pre-ransomware?”  **

Talos IR associates specific adversary actions with pre-ransomware activity. When threat actors attempt to gain enterprise-level domain administrator access, they often conduct a series of account pivots and escalations, deploy command-and-control (C2) or other remote access solutions, harvest credentials and/or deploy automation to execute the modification of the OS. Though the specific tools or elements in the attack chain vary by adversary, Talos IR has seen these same classic steps in practice for years. These actions, along with observed indicators of compromise (IOCs) or tactics, techniques and procedures (TTPs) that we associate with known ransomware threats without the end result of enterprise-wide encryption, lead us to categorize an incident as “pre-ransomware.” 

It is worth noting that some of the above attack techniques are also often deployed by initial access brokers (IABs) who seek to gain and sell access to compromised systems, and it is possible some of the incidents involved in this case study could have therefore been perpetrated by IABs instead of ransomware operators. While it is often challenging to determine a threat actor’s end goal, we have high confidence that all incidents involved tactics are consistently seen preceding ransomware deployment. If the adversary was instead an IAB, we have seen these types of IAB campaigns very frequently result in a ransomware attack after access has been sold, rendering the activity relevant to this analysis.

**Key security actions and measures that deter ransomware deployment **

Talos analyzed incident response engagements spanning the past two and a half years that we categorized as pre-ransomware attacks, identifying actions and security measures that we assessed were key in halting adversaries’ attack chains before encryption. An overview of our findings can be found in Figure 1, followed by a more thorough breakdown of each category to explore exactly how certain actions impeded ransomware execution.

Figure 1. Pie chart of factors hindering ransomware deployment.

**Swift engagement of Talos IR **

Engaging Talos IR within one to two days of first observed adversary activity (though we advise engagement as quickly as possible) was credited with preventing a more serious ransomware attack in approximately a third of engagements, providing benefits such as: 

*   **Extensive knowledge of the threat landscape:** In multiple engagements, Talos IR was able to correlate TTPs and IOCs on customers’ networks with other ransomware and pre-ransomware engagements we had responded to, identifying when the infection was part of a larger, widespread campaign. This insight helped Talos IR anticipate and intercept adversaries’ next steps as well as provide customers additional IOCs to block that were seen in other engagements.
*   **Actionable recommendations for isolation and remediation:** In some engagements, the customers quickly acted on Talos’ pre-ransomware security guide, which Talos IR assessed prevented more catastrophic events.
*   **Enhanced monitoring:** The Cisco Extended Detection and Response (Cisco XDR) team can provide extra vigilance in their monitoring after containment of the pre-ransomware threat to ensure full eradication.

We observed numerous incidents where Talos IR was not engaged by the customer immediately, which enabled the adversary to continue working through their attack chain and conduct data theft and/or ransomware deployment. This often results in consequences such as backup files being corrupted or encrypted, endpoint detection and response (EDR) and other security tools being disabled, disruption to day-to-day operations and more.

**EDR/MDR alert prompted security teams’ rapid containment **

Vigilant monitoring of security solutions and logs allows network administrators to act quickly when a threat is first detected, isolate the malicious activity and cut off threat actors’ ability to escalate their attack. In our case study, action from the security team within two hours of an alert from the organization’s EDR or managed detection and response (MDR) solution correlated with successful isolation of the threat in almost a third of engagements. Some of the observed alerts that prompted swift response in pre-ransomware engagements included, amongst others:

*   Attempted connections to blocked domains  
*   Brute force activity  
*   PowerShell download cradle  
*   Deviations from expected baseline activity as determined by the organization 
*   Newly created domain administrator accounts  
*   Successful connections to an unknown, outside public IP addresses  
*   Reconnaissance activity, including shell access and user discovery commands such as whoami
*   Modification of multi-factor authentication (MFA) tooling to provide bypass tokens 
*   Modification of an account to be exempt from MFA requirements

**USG and/or other partners notified on ransomware staging **

In almost 15 percent of engagements, targeted organizations were able to get ahead of the threat to their environment due to notification from U.S. government (USG) partners and representatives of their managed service provider (MSP) about possible ransomware staging in their environment. In particular, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) has launched an initiative to provide early warnings about potential ransomware attacks, aiming to help organizations detect threats and evict actors before significant damage occurs. CISA’s intelligence predominately derives from their partnerships with the cybersecurity research community, infrastructure providers and cyber threat intelligence companies.

**Security solutions configured to block and quarantine malicious activity  **

In over 10 percent of Talos IR engagements, customers’ security solutions actively blocked and/or quarantined malicious executables, effectively stopping adversaries’ attack chains in their tracks.  

Talos often observes organizations deploying endpoint protection technology in a passive manner, meaning the product is producing alerts to the user but not taking other actions. This configuration puts organizations at unnecessary risk, and Talos IR has responded to multiple engagements where passive deployment enabled threat actors to execute malware, including ransomware. A more aggressive configuration impeded ransomware deployment in this case study, underscoring its importance. 

**Robust security restrictions prevented access to key resources  **

Based on our analysis, organizations’ robust security restrictions were key in impeding ransomware actors’ attack chains in nine percent of engagements. For example, in one engagement, the threat actors compromised a service account at the targeted organization, but appropriate privilege restrictions on the account prevented their attempts to access key systems like domain controllers.   

Also of note, organizations who implemented thorough logging and/or had a SIEM in place to aggregate event data were able to provide Talos with forensic visibility to determine the exact chain of events and where additional security measures could be implemented. When an organization lacks these records, it can be challenging to identify the precise security weaknesses that enabled threat activity.

**Most observed pre-ransomware indicators **

Upon categorizing TTPs observed in this case study per the MITRE ATT&CK framework, Talos found that the following in Figure 2 were most frequently seen across engagements.

Figure 2. Prevalence of pre-ransomware TTPs.

We dove deeper into some of the top attack techniques and found the following:  

*   Remote Services: Talos IR frequently saw remote services such as RDP, PsExec and PowerShell leveraged by adversaries.  
*   Remote Access Software: Frequently seen remote access software included AnyDesk, Atera, Microsoft Quick Assist and Splashtop.  
*   OS Credential Dumping: Top observed credential dumping techniques/locations included the domain controller registry, the SAM registry hive, AD Explorer, LSASS and NTDS.DIT. Mimikatz was also frequently used. 
*   Network Service Discovery: Top observed tools and commands used for network service discovery included netscan, nltest and netview.

The top observed TTPs serve as a reminder to security teams on what malicious activity often preempts a more severe attack. For example, prioritizing moderating the use of remote services and remote access software and/or securing the aforementioned credential stores could assist in limiting the majority of adversaries seen in these pre-ransomware engagements.

**Observed security gaps and prevalent Talos IR recommendations **

Talos IR crafts security recommendations for customers in each incident upon analyzing the environment and the adversary’s attack chain to help address any existing security weaknesses. Our most frequent recommendations include:  

1.  Bring all operating systems and software patching up to date.
2.  Store backups offline.
3.  Configure security solutions to permit only proven benign applications to launch and prevent the installation of unexpected software.
4.  Require MFA on all critical services, including remote access and identity access management (IAM) services, and monitor for MFA misuse.
5.  Deploy Sysmon for enhanced endpoint visibility and logging.
6.  Implement meaningful firewall rules for both inbound and outbound traffic to block unwanted protocols from being able to be used by adversaries as part of their C2 or data exfiltration actions.
7.  Implement robust network segmentation to minimize lateral movement and reduce the attack surface, ensuring valuable assets such as domain controllers do not connect directly to the internet aside from critical functions.
8.  Establish or intensify end-user cybersecurity training on social engineering tactics, including coverage of recently popularized attacks such as MFA fatigue attacks and actor-in-the-middle token phishing attacks.

Stopping ransomware before it starts: Lessons from Cisco Talos Incident Response

A list of topics we covered in the week of September 1 to September 7 of 2025

September 5, 2025 - A hacker cracked into a database of video recordings taken from Nexar-branded cameras, which are built to be placed drivers’ cars,...

September 4, 2025 - Roblox announced plans to roll out age estimation for using the communication features on the platform to help fight sexual predators.

September 4, 2025 - Today we're launching Malwarebytes Tools, a new set of free features designed to give your Windows PC a breath of fresh air.

September 4, 2025 - The Quad7 botnet is adding End-of-Life TP-Link routers to its arsenal and using them to steal Microsoft 365 accounts.

September 4, 2025 - A recent report has revealed that many VPNs might allow others to sniff your data—and they're not being honest about who's behind them.

Tag

#microsoft