The cybersecurity landscape during September 3-9, 2025, was dominated by several critical developments that demand immediate attention from security leaders. Most notably, a massive npm supply chain attack compromised over 18 widely used JavaScript packages with billions of weekly downloads, while two actively exploited Android zero-day vulnerabilities (CVE-2025-38352 and CVE-2025-48543) underscored the persistent threat of mobile platform targeting. The discovery of CVE-2025-53690, a critical Sitecore vulnerability being actively exploited since December 2024, demonstrates how legacy configurations can become weaponized attack vectors. Additionally, the identification of 45 new domains linked to Chinese APT groups Salt Typhoon and UNC4841 reveals the extensive, long-term infrastructure these nation-state actors have maintained since 2020.
New Hacking Techniques and Attack Methods
Advanced Supply Chain Manipulation
The npm compromise represents a sophisticated evolution in supply chain attacks, utilizing social engineering to compromise developer credentials rather than exploiting technical vulnerabilities. The attackers successfully phished the developer “qix” through a convincing two-factor authentication reset email sent from the spoofed domain npmjs[.]help, demonstrating how trust relationships in the open-source ecosystem can be weaponized.
Living-Off-The-Land APT Operations
Russian APT28 has refined its tradecraft with the introduction of NotDoor, a VBA macro-based backdoor for Microsoft Outlook that monitors incoming emails for specific trigger words. This technique represents a significant advancement in “living-off-the-land” tactics, utilizing legitimate business applications for persistent command and control without deploying obvious malware.
Watering Hole Infrastructure Evolution
APT29’s recent campaign demonstrates tactical refinement in watering hole attacks, using randomized victim selection (targeting approximately 10% of visitors to compromised websites) and sophisticated social engineering through fake Cloudflare verification pages to abuse Microsoft’s device code authentication flow.
Critical CVEs and Attack Techniques
CVE-2025-53690: Sitecore ViewState Deserialization
Incident Date: Active exploitation since December 2024
CVSS Score: 9.0 (Critical)
Overview
Google’s Mandiant discovered active exploitation of a critical deserialization vulnerability in Sitecore products, where attackers leveraged a sample machine key that had been exposed in Sitecore deployment guides from 2017 and earlier.
Technical Analysis
The vulnerability stems from the use of static ASP.NET machine keys in Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud deployments. Attackers exploited ViewState deserialization to achieve remote code execution by manipulating the machineKey validation and encryption processes. The exploitation technique involves:
- Identifying Sitecore instances using the known static machine key
- Crafting malicious ViewState payloads with embedded serialized objects
- Bypassing MAC validation using the exposed machine key
- Achieving RCE through deserialization of untrusted data
Impact/Risk
- Remote code execution on internet-facing Sitecore instances
- Complete server compromise with potential lateral movement
- Data exfiltration and persistence mechanism deployment
- Widespread impact due to common use of sample keys in production
Takeaway for CISOs
Immediately audit all Sitecore deployments for use of default or sample machine keys. This incident highlights the critical importance of secure configuration management and the risks of using documentation examples in production environments.
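The audit recommended above can be scripted. The following is an added example, not code from the report or from Sitecore: it parses a web.config, flags a machineKey that matches a known sample value or is statically configured, and produces a fresh random replacement. The sample web.config, the placeholder "known sample" value, and the helper names are all constructed for illustration; the real exposed key from the old deployment guides is deliberately not reproduced, so a real audit would load that list from vendor advisories.

```python
import secrets
import xml.etree.ElementTree as ET

# Constructed placeholder standing in for the sample key from the old Sitecore
# deployment guides (the real value is intentionally not reproduced here).
KNOWN_SAMPLE_KEYS = {"PLACEHOLDER-KNOWN-SAMPLE-VALIDATION-KEY"}

# ViewState MAC algorithms that should be replaced by HMACSHA256 or stronger.
LEGACY_VALIDATION = {"MD5", "SHA1", "3DES"}

# Constructed web.config fragment; not taken from any real deployment.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <machineKey validationKey="PLACEHOLDER-KNOWN-SAMPLE-VALIDATION-KEY"
                decryptionKey="0123456789ABCDEF0123456789ABCDEF"
                validation="SHA1" decryption="AES" />
  </system.web>
</configuration>
"""


def audit_machine_key(config_xml: str) -> list:
    """Return a list of findings for the <machineKey> element of a web.config."""
    findings = []
    root = ET.fromstring(config_xml)
    mk = root.find("./system.web/machineKey")
    if mk is None:
        # No explicit element: ASP.NET auto-generates per-machine keys,
        # so a published sample key cannot be in use here.
        return findings
    vkey = mk.get("validationKey", "AutoGenerate")
    dkey = mk.get("decryptionKey", "AutoGenerate")
    if vkey in KNOWN_SAMPLE_KEYS or dkey in KNOWN_SAMPLE_KEYS:
        findings.append("known sample/documentation key in use")
    if not vkey.startswith("AutoGenerate"):
        findings.append("static validationKey")
    if not dkey.startswith("AutoGenerate"):
        findings.append("static decryptionKey")
    if mk.get("validation", "").upper() in LEGACY_VALIDATION:
        findings.append("legacy validation algorithm; prefer HMACSHA256 or stronger")
    return findings


def generate_machine_key() -> dict:
    """Fresh random keys in the hex form ASP.NET expects: 64 bytes for an
    HMACSHA256 validation key and 32 bytes for an AES-256 decryption key."""
    return {
        "validationKey": secrets.token_hex(64).upper(),
        "decryptionKey": secrets.token_hex(32).upper(),
        "validation": "HMACSHA256",
        "decryption": "AES",
    }


if __name__ == "__main__":
    for finding in audit_machine_key(SAMPLE_WEB_CONFIG):
        print("FINDING:", finding)
    print("replacement:", generate_machine_key())
```

A static key is a legitimate requirement in a load-balanced farm, so "static validationKey" is a review item rather than a defect on its own; the finding that matters most is a match against the known sample list. When rotating, every instance that shares ViewState must receive the same new key at the same time, and existing ViewState tokens stop validating at that moment.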
CVE-2025-38352 & CVE-2025-48543: Android Zero-Day Exploitations
Incident Date: Active exploitation confirmed September 2, 2025
Overview
Google patched two actively exploited zero-day vulnerabilities affecting Android devices, with evidence suggesting their use in targeted spyware campaigns against high-value individuals.
Technical Analysis
CVE-2025-38352 (CVSS 7.4): A race condition in the Linux kernel’s POSIX CPU timers component allowing local privilege escalation. The vulnerability occurs in the timer_create() system call implementation where insufficient locking mechanisms enable race conditions during timer initialization.
CVE-2025-48543: An elevation of privilege flaw in Android Runtime (ART) that enables attackers to escape application sandboxes and gain elevated system privileges. The vulnerability exploits weaknesses in ART’s memory management and garbage collection processes.
Both vulnerabilities require no user interaction and can be chained together for comprehensive device compromise.
Impact/Risk
- Complete device compromise through privilege escalation
- Potential deployment of surveillance malware
- Bypass of Android security mechanisms including SELinux policies
- Risk to high-value targets including government officials and executives
Takeaway for CISOs
Deploy Android September 2025 security patches immediately across all organizational mobile devices. Consider enhanced mobile device management controls and monitoring for organizations with high-value personnel who may be targeted by nation-state actors.
npm Supply Chain Compromise
Incident Date: September 8, 2025
Duration: Approximately 2 hours of active compromise
Overview
Attackers compromised the npm account of developer Josh Junon (“qix”), publishing malicious versions of 18+ popular JavaScript packages with a combined 2+ billion weekly downloads.
Technical Analysis
The attack utilized a sophisticated phishing campaign targeting the developer’s two-factor authentication credentials:
- Initial Compromise: Phishing email from npmjs[.]help requesting 2FA reset
- Credential Harvesting: Collection of username, password, and live TOTP code
- Malicious Code Injection: Deployment of obfuscated JavaScript targeting cryptocurrency wallets
- Crypto Wallet Hijacking: Interception of Web3 API calls and transaction manipulation
The malicious payload specifically targeted:
- MetaMask and other wallet extensions through window.ethereum hooks
- Blockchain transactions across Ethereum, Bitcoin, Solana, and other networks
- API response manipulation using Levenshtein “nearest match” algorithms for address substitution
Impact/Risk
- Potential exposure of millions of downstream applications
- Direct financial theft through cryptocurrency transaction hijacking
- Supply chain contamination across the JavaScript ecosystem
- Trust degradation in open-source package management
Takeaway for CISOs
Implement software bill of materials (SBOM) tracking and automated dependency scanning. Establish incident response procedures for supply chain compromises and consider package pinning strategies for critical applications.
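The pinning strategy recommended above is only useful if it is checked. The following is an added example, not code from the report or from npm: it audits a package-lock.json against a team-maintained allowlist of reviewed versions, flagging floating ranges in the manifest (which let a routine install pick up a malicious patch release published inside a short compromise window), drift from the reviewed version, missing integrity hashes, and tarballs resolved from outside the public registry. The lockfile, package names and allowlist are constructed for illustration and do not refer to real packages.

```python
import json
import re

# Constructed package-lock.json (lockfileVersion 3 layout) with hypothetical
# package names; it does not describe any real or compromised package.
SAMPLE_LOCKFILE = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"example-colors": "^1.4.0", "example-strip": "2.0.1"}},
        "node_modules/example-colors": {
            "version": "1.4.3",
            "resolved": "https://registry.npmjs.org/example-colors/-/example-colors-1.4.3.tgz",
            "integrity": "sha512-CONSTRUCTEDINTEGRITYVALUE==",
        },
        "node_modules/example-strip": {
            "version": "2.0.1",
            "resolved": "https://registry.npmjs.org/example-strip/-/example-strip-2.0.1.tgz",
        },
    },
})

# Constructed allowlist: exact versions the team has reviewed for critical deps.
PINNED = {"example-colors": "1.4.2", "example-strip": "2.0.1"}

EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+$")
REGISTRY_PREFIX = "https://registry.npmjs.org/"


def audit_lockfile(lock_json: str, pinned: dict) -> list:
    """Return a list of finding dicts for a lockfileVersion 2/3 package-lock."""
    packages = json.loads(lock_json).get("packages", {})
    findings = []

    # 1. Floating ranges in the root manifest: "^1.4.0" accepts any 1.x.y
    #    release, including one pushed by an attacker holding the maintainer's account.
    for name, spec in packages.get("", {}).get("dependencies", {}).items():
        if name in pinned and not EXACT_VERSION.match(spec):
            findings.append({"package": name, "issue": "floating range", "spec": spec})

    # 2. Installed tree: drift from the reviewed version, missing integrity
    #    hash, or a tarball fetched from somewhere other than the registry.
    for path, meta in packages.items():
        if path == "":
            continue
        # "node_modules/a/node_modules/@scope/b" -> "@scope/b"
        name = path.rsplit("node_modules/", 1)[-1]
        version = meta.get("version")
        if name in pinned and version != pinned[name]:
            findings.append({"package": name, "issue": "version drift",
                             "installed": version, "pinned": pinned[name]})
        if not meta.get("integrity"):
            findings.append({"package": name, "issue": "missing integrity"})
        resolved = meta.get("resolved", "")
        if resolved and not resolved.startswith(REGISTRY_PREFIX):
            findings.append({"package": name, "issue": "non-registry source", "resolved": resolved})
    return findings


def issues_for(findings: list, package: str) -> list:
    """Sorted issue names recorded for one package (convenience for reporting)."""
    return sorted(f["issue"] for f in findings if f["package"] == package)


if __name__ == "__main__":
    for f in audit_lockfile(SAMPLE_LOCKFILE, PINNED):
        print(f)
```

Run it as a CI gate before `npm ci` so that a lockfile change touching an allowlisted package fails the build until someone reviews the new version; a two-hour compromise window is short enough that this review step alone would have kept most pipelines on the previous release.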
Advanced Persistent Threat Intelligence
Salt Typhoon Infrastructure Expansion
Discovery Date: September 7-9, 2025
Overview
Silent Push researchers identified 45 previously unreported domains linked to Chinese APT groups Salt Typhoon and UNC4841, with the oldest infrastructure dating back to May 2020.
Technical Analysis
The infrastructure analysis revealed:
- Domain Registration Patterns: Use of fake personas with ProtonMail addresses
- Operational Security: Shared technical infrastructure between Salt Typhoon and UNC4841
- Targeting Scope: Focus on telecommunications and government entities across 80+ countries
- Persistence Mechanisms: Long-term access maintenance through diverse C2 infrastructure
Key identified domains include communication nodes designed for:
- Initial access vector deployment
- Command and control communications
- Data exfiltration channels
- Long-term persistent access
Impact/Risk
- Extensive compromise of global telecommunications infrastructure
- Potential access to court-authorized wiretapping systems
- Intelligence gathering on government communications
- Long-term strategic espionage capabilities
Takeaway for CISOs
Organizations should immediately check DNS logs for the past five years for requests to identified Salt Typhoon domains. Telecommunications providers and government entities should assume breach and conduct comprehensive network forensics.
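A five-year DNS sweep of the kind recommended above needs exact and subdomain matching, case and trailing-dot normalization, and a first-seen/last-seen summary per indicator. The following is an added example, not code from the report or from Silent Push: it runs that sweep over BIND-style query log lines. The IOC domains are placeholders (the actual Salt Typhoon domain list is not reproduced on this page), the log lines are constructed, and the log is assumed to be in chronological order.

```python
import re

# Constructed placeholder IOCs standing in for the published domain list.
IOC_DOMAINS = {"ioc-placeholder-one.example", "ioc-placeholder-two.example"}

# Constructed BIND-style query log lines (hypothetical clients and timestamps).
SAMPLE_DNS_LOG = """\
12-May-2020 08:02:41.301 queries: info: client @0x7f1 10.0.5.21#53211 (api.ioc-placeholder-one.example): query: api.ioc-placeholder-one.example IN A + (10.0.0.53)
12-May-2020 08:02:42.010 queries: info: client @0x7f1 10.0.5.21#53212 (www.example.org): query: www.example.org IN A + (10.0.0.53)
03-Sep-2025 17:45:09.884 queries: info: client @0x7f2 10.0.7.8#40100 (IOC-Placeholder-One.example.): query: IOC-Placeholder-One.example. IN AAAA + (10.0.0.53)
04-Sep-2025 09:12:00.000 queries: info: client @0x7f3 10.0.9.9#40111 (notioc-placeholder-one.example): query: notioc-placeholder-one.example IN A + (10.0.0.53)
"""

# Tolerates the optional "@0x..." client handle that newer BIND versions print.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) .*?client (?:@0x[0-9a-f]+ )?(?P<src>[0-9a-f.:]+)#\d+ .*?"
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so IOC comparison is exact."""
    return name.rstrip(".").lower()


def matched_ioc(qname: str, iocs) -> str:
    """Return the IOC that qname equals or sits under, or '' if none.
    A bare prefix match ("notioc-...") must not count as a hit."""
    q = normalize(qname)
    for domain in iocs:
        if q == domain or q.endswith("." + domain):
            return domain
    return ""


def matches_ioc(qname: str, iocs) -> bool:
    return matched_ioc(qname, iocs) != ""


def sweep(log_text: str, iocs) -> dict:
    """Map each IOC seen in the log to count, first/last seen, sources and query names."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ioc = matched_ioc(m["qname"], iocs)
        if not ioc:
            continue
        rec = hits.setdefault(ioc, {"count": 0, "first_seen": m["ts"], "last_seen": m["ts"],
                                    "sources": set(), "qnames": set()})
        rec["count"] += 1
        rec["last_seen"] = m["ts"]  # assumes chronological log order
        rec["sources"].add(m["src"])
        rec["qnames"].add(normalize(m["qname"]))
    return hits


if __name__ == "__main__":
    for ioc, rec in sweep(SAMPLE_DNS_LOG, IOC_DOMAINS).items():
        print(ioc, rec)
```

A hit with a first-seen date years in the past is the signal the report is pointing at: the infrastructure has been in place since 2020, so a sweep limited to recent retention would miss the original intrusion. Resolver logs only show the client that asked, so each source address still needs host-level triage.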
GhostRedirector: New Chinese Threat Actor
Discovery Date: September 3, 2025
Overview
ESET researchers discovered GhostRedirector, a previously unknown China-aligned threat actor that compromised at least 65 Windows servers primarily in Brazil, Thailand, and Vietnam.
Technical Analysis
GhostRedirector employs two custom tools:
- Rungan: A passive C++ backdoor capable of remote command execution
- Gamshen: A malicious IIS module designed for SEO fraud-as-a-service operations
The attack chain involves:
- Initial access through SQL injection vulnerabilities
- Deployment of privilege escalation tools (EfsPotato, BadPotato)
- Installation of multiple persistence mechanisms
- SEO manipulation to boost gambling websites’ search rankings
Impact/Risk
- Server compromise across multiple geographic regions
- SEO fraud impacting search engine integrity
- Potential for lateral movement in compromised networks
- Reputational damage to affected websites
Takeaway for CISOs
Implement comprehensive web application security scanning and SQL injection prevention measures. Monitor IIS modules and server configurations for unauthorized modifications.
Russian Cyber Operations Intensification
APT28 NotDoor Backdoor Campaign
Discovery Date: September 6, 2025
Overview
Russian APT28 deployed NotDoor, a sophisticated VBA macro backdoor targeting Microsoft Outlook across multiple NATO member countries.
Technical Analysis
NotDoor operates through:
- Delivery Mechanism: DLL side-loading via compromised OneDrive executable
- Persistence: Registry modifications and macro security bypass
- Trigger Mechanism: Email monitoring for specific keywords (e.g., “Daily Report”)
- Command Capabilities:
  - cmd: Execute commands with output via email
  - dwn: Exfiltrate files as email attachments
  - upl: Drop files to victim systems
  - cmdno: Execute commands without output
Impact/Risk
- Persistent access to corporate email systems
- Sensitive data exfiltration through legitimate email channels
- Command execution with minimal detection signatures
- Multi-sector targeting across NATO countries
Takeaway for CISOs
Disable VBA macros in Outlook where not required and implement comprehensive email security monitoring. Deploy endpoint detection capabilities that can identify DLL side-loading attacks and unusual Outlook API usage.
APT29 Credential Harvesting Evolution
Incident Date: August-September 2025
Overview
Amazon disrupted an APT29 watering hole campaign that compromised legitimate websites to harvest Microsoft 365 credentials through fake Cloudflare verification pages.
Technical Analysis
The campaign utilized:
- Obfuscated JavaScript injection into legitimate websites
- Randomized victim selection (10% of visitors)
- Cookie-based tracking to prevent repeat targeting
- Microsoft device code authentication abuse
- Multi-cloud infrastructure for resilience
Impact/Risk
- Credential theft targeting academics and government critics
- Abuse of trusted authentication mechanisms
- Potential for long-term persistent access to Microsoft 365 environments
Takeaway for CISOs
Review and potentially disable Microsoft device code authentication flows if not required. Implement conditional access policies and enhanced monitoring for suspicious authentication events.
Dark Web and Underground Activity
Hacktivist Infrastructure Targeting Escalation
Recent intelligence indicates a significant shift in hacktivist tactics, with Russian-linked groups like Z-Pentest, Dark Engine, and Sector 16 increasingly targeting critical infrastructure systems. This represents a 31% increase in Industrial Control System (ICS) attacks during Q2 2025, with Z-Pentest alone conducting 38 ICS attacks.
Key Developments:
- Coordinated Operations: Collaboration between Z-Pentest, Dark Engine, and Sector 16 groups
- Geographic Focus: Primary targeting of Italy, United States, Czech Republic, France, and Spain
- Sector Emphasis: Energy & utilities, manufacturing, transportation, and telecommunications
- Psychological Operations: Publication of ICS control panel manipulation videos for impact amplification
APT-C-36 (Blind Eagle) Campaign Evolution
Colombian government entities continue to face persistent targeting from APT-C-36, with recent campaigns adapting to exploit patched vulnerabilities through alternative techniques. The group has demonstrated rapid adaptation following Microsoft’s CVE-2024-43451 patch by shifting to malicious .url file distribution methods.
Technical Indicators:
- WebDAV-based payload delivery over HTTP port 80
- User-Agent string: ‘Microsoft-WebDAV-MiniRedir/10.0.19044’
- Geographic filtering to prevent analysis and maintain operational security
- Integration of Remcos RAT for persistent access and data exfiltration
Strategic Recommendations for CISOs
Given the escalating threat landscape observed during this reporting period, FireCompass recommends immediate implementation of comprehensive security measures encompassing supply chain protection, mobile device security, and advanced persistent threat detection capabilities.
Immediate Actions Required:
- Supply Chain Security: Implement SBOM tracking, dependency pinning, and automated vulnerability scanning for all development pipelines
- Mobile Security: Deploy September 2025 Android patches and enhance mobile device management controls
- Configuration Management: Audit all Sitecore deployments and rotate any default or sample machine keys
- Email Security: Disable unnecessary VBA macro capabilities and implement advanced email threat protection
- Infrastructure Monitoring: Conduct historical DNS log analysis for Salt Typhoon IOCs and implement enhanced C2 detection
Takeaway for CISOs
The repeated Plex breaches demonstrate systemic security challenges in consumer streaming platforms requiring comprehensive security architecture reviews, enhanced monitoring capabilities, and proactive security investments to prevent recurring incidents that erode customer trust and platform credibility.
Outpace Attackers With AI-Based Automated Penetration Testing With FireCompass:
FireCompass is a single platform for AI-Powered Continuous Automated Red Teaming (CART), Pen Testing & NextGen Attack Surface Management